#room-hints
which room is it?
@white salmon
I'm about to head to work, if you get stuck here are some spoilers
||find / -user USERHERE -type f 2>>/dev/null||
task 9
this user looks interesting ||shiba2||
i finished listing shiba1 files
@glossy crane [0-9] is correct, but the {2} does not belong there
will look into ||shiba2|| now
@white salmon
@glossy crane instead of ||{2}||, use ||{1,3}||
but my ip pattern should be ??.?.?.??
thats why
(i tried it, doesnt find anything as well), they said in home folder but there is nothing in there
open if REALLY stuck
||grep -rn '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}'||
sry I really gtg now hope this helps, running late
hey @boreal whale I got it!! Thanks man!
Uh...
@white salmon np
Meh, if it works 🤷‍♂️
ps..: \ in front and behind ||{1,3}||
yea my machine must be glitched or something like that, i'll restart it a 3rd time
omg
why do we have to \ before { ?
uh
no
wait
||[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}||
this worked
No idea why you'd need to escape the curly braces
Ah, not a grep regex?
Or you can put it in quotes
Nope, not a grep issue
It's a shell issue
Same with having $
Hi, i think i'm losing it - Linux Challenges , flag 23 - Locate, read and reverse flag 23.
i'm trying to reverse it but this is what i got : || xxd -ps -r flag23
_๏ฟฝ%๏ฟฝ0๏ฟฝCz
OfPy%๏ฟฝ ||
Hackpark: Task 4 #2
What is the OS version of this windows machine?
I can't seem to see what it's looking. Nothing in the box's systeminfo output fits.. Anyone have any ideas?
Answer format: XXXXXXX XXXX XX XX.X XXXXX XXXXX
I'd advise using backticks for the answer format
working on that
if anyone can point me in the right direction please pm me. feels bad after rooting the box I'm missing one question
can anyone help me with tomghost, I found skf**... but I feel like I'm in a rabbit hole
I'm in the Metasploit room and can't get the reverse connection to work. https://tryhackme.com/room/metasploit
I'm on a Mac here at home and connecting this machine via VPN to the TryHackMe network. When I do "run -j" in the msfconsole, this happens:
msf5 exploit(multi/handler) > run -j
[-] Exploit failed: address family must be specified
[*] Exploit completed, but no session was created.
I set both options the exploit provided as described in the tutorial. Google isn't of help in this case.
I tried using a Linux machine. A cloud server connected directly to the Internet. I built my payload, uploaded it to the vulnerable Windows machine and executed it via accessing the file in the browser. But nothing happens. The port on the target machine is open, I checked with nmap. But even after several minutes no connection is being established. What am I doing wrong?
Oh, after a while the webserver is responding again, this is the content of the website:
/*
Can you help me with the zip password? Im stuck on it i did the zip2john 8702.zip > hash.txt, and then the john hash.txt gives this output:
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
No password hashes left to crack (see FAQ)
Im new to this sorry if the question is stupid,but i searched everywhere.
and it does not unhash anything
Agent sudo room
try --show
and nothing has changed
ooooo
yeah i see it
the smily made it harder
thank you very much!
wow
thanks!
imma delete that message as I think discord censored the password
Hi everyone - I'm possibly being extremely thick here but could someone help me with the box "alfred" please?
ok haha
thank-you . I'm really struggling with the first bit for some reason - it straight up asks me what the username and password is for the login page. Now I've tried enumerating everything, going to anything i found, viewing page source code - everything. + I can't find anything. I'm at the point now where I am fuzzing it with some enormous wordlist and I am certain it's wrong. PLEASE HELP!
it's not default creds i've tried those
Pretty sure you're on the right lines
Just checking my notes to make sure I'm not mixing it up with Hackpark here..
But it should be default creds
Can you post the default creds you're trying inside a spoiler(||<text-here>||)?
I'll check 'em and delete in a second
I'll check my notes
But from memory
thank-you
ok that's very odd
Try again, and make sure there are no typos
so things got weird - i just entered them into the field in the room - accepted them fine - not on the box though
think maybe the box worth terminating and restarting?
Quite possibly, yes
Windows boxes can be, temperamental, although Alfred should be fairly stable
yeah it's definitely buggered - just checked my wordlist for fuzzing and that combo absolutely is in there
restarting now
thanks for your help
Np
I have questions regarding metasploit smb eternalblue exploitation, yesterday I've done almost every tasks of blue room, I got meterpreter access to machine, just didn't done last 3 tasks which was to find a flag. Now I'm trying to exploit smb, exactly as I did it yesterday, and this happens:
||
`msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.1.10:4444
[*] 10.10.32.206:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[*] 10.10.32.206:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.32.206:445 - Connecting to target for exploitation.
[-] 10.10.32.206:445 - Rex::ConnectionTimeout: The connection timed out (10.10.32.206:445).
[*] Exploit completed, but no session was created.
`||
Your IP Address is wrong
You need to set the LHOST as your TryHackMe VPN IP Address (i.e. 10.8, 10.9)
you can usually set the interface instead (tun0) but setting LHOST to your THM IP Address would be best imho
hmmm... thanks in advance, I'll check it out, but I don't remember I did it last time
nvrmnd, I'll check it out, thank you
"Started reverse TCP handler on 192.168.1.10:4444 " would be the IP address of the Kali VM / device you're on
yeah
and as the instances don't reach the internet (nor is your router hopefully port forwarding 4444), you need the openvpn IP
That means you're not connected - but the tryhackme.com/access page isn't all that reliable. check ifconfig and you'll see something like 10.8 or 10.9
If you need help connecting: https://docs.tryhackme.com/docs/openvpn/connecting/openvpn-connecting/
Firstly, you will need to download the configuration file associated with your account. This is done by visiting the TryHackMe "Access" page
hmm, I've run openvpn with --daemon, and it can be the case
, it could not start at all
weird, but possible
check the output of ifconfig, if you don't get an IP address refer back to the documentation incl. troubleshooting. If that doesn't work, #site-support
thanks, it works now :), done thank you very much @steady stratus
Any time pal! Enjoy the content
hi there, stuck on https://tryhackme.com/room/commonlinuxprivesc task#4, question #6, "What critical file has had its permissions changed to allow some users to write to it?" || try to cat /etc/shadow as suggested by hint but no permissions ||
@signal perch you're close. You personally will be able to cat it, but only editing from a different user.
|| do I need to use LinEnum at that point || ?
@signal perch that task was answers from linenum so yeah?
well, im not sure to understand the relation there, but the tab says :Enumeration and that the beginning its talking about LinEnum
does that mean || i have to install it and try to launch then from the target computer ? ||
i'm so bad
I was ls in the wrong directory and was thinking why is there shiba1 but not shiba2, so I had to change to shiba2 directory to get the binary ;///
@boreal whale i think it's not a very well written question (task 21 zthlinux)
last task
Can someone help me with the XSS room?
I have no idea what Task3 #4/#5 wants from me.
I've changed the page title, but I assume that's not it
And I've posted the cookie stealer link, but jack never logins
Also, if I try to visit the page, I get automatically redirected to my cookie stealer
@gray cairn Could you already solve Task 4 #4 of Linux Challenges?
can anyone help me with tomghost, I found skyf**... in web.xml but I feel like I'm in a rabbit hole
@thin valley why don't you check with the writeup?
is there a writeup for it yet?
@stuck fractal @vast hemlock I was stuck last night, It had no writeups, but I just checked there's a writeup now
thank you guys!
Weird, wouldn't have expected one so soon
Yeah I know, I was planning into writing one, but got stuck
my brain was ducked
wait, that's weird, I got the credentials and tried to ssh with it too but it didn't work yesterday, that's weird 
hi hackers am stuck at VulnUniversity room task 4 question 5 any hint
check the writeup
okey thanks
anyone able to help, trying to get flag 3, have used metasploit on a wordpress to run admin shell upload but once in the shell i dont have any permissions to open the flag3.txt
which room is that?
@tranquil wing If this is the coursework for UoP, we can't help
Other than escalate privileges if you can't read a file
Don't have permissions? Get permissions.
alright
Linux room, shiba3: how do I go about getting privileges to make a directory in the home directory?
what task are you trying to do?
32
32 or 33?
because 32 does not say anything about creating a directory
33 then
just go to your home directory cd ~ and mkdir test
Every time I get "permission denied"
I've used chmod and chown, same result. Tried doing a link, same result
Your home directory, not THE home directory
`cd ~`
you got me a bit confused too, not being able to mkdir in your ~ directory ;dd
hey room vulnuniversity, i have a reverse shell and it asks what user is running the webserver, how is the result of whoami not the answer?
nevermind lmao
got it
In steelmountain I cannot write the running service. If I stop the service and rewrite it I get an error as start. Is this the right path I am on?
Hi, i'm currently doing the room called "ice" and am on the step using metasploit.
Using the exploit bypassuac_eventvwr i am supposed to set session, then get more options to set
but still only see the option to set session, nothing more
it seems to run just fine with just 1 option set
aah no, it didn't create a session
running it makes options appear
@tawdry dove Does it stop after 30s or just not start?
@stuck fractal It does not start. I tried another approach without modifying the original service file and putting it closer to root but I get an error
```
ERROR: + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service]
ERROR: , ServiceCommandException
ERROR: + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.RestartServiceCommand
```
Wait. Trying something else
Weird. I ran the exe again with the correct format this time and possibly correct LHOST and I get the shell. But I still have an error in the powershell command
Ownd! Thanks James
What's a research
You put the reeeee in research @past night
@past night You troll, there's no task 1 question 2
very sure
Least we're being honest!
Nickname checks out
You only have yourself to blame...
Not my fault you threatened one of the people who actually can change nicknames 🤷‍♂️
How to?
.. there's a research room now?
oh, just released
what the Boris is custer
General Custard
True...
then we discuss
Get yourself up to Securi-Tay next year, I'll get you that beer
What is they keyword
Any reason you wouldn't be?
moving to NL
NL?
Ah, fair enough. This got something to do with Brexit?
||with corona, i can at least buy a cheaper property||
True...
nah, i got my presettled status
Dont know if this is the more appropriate channel, but I need some help. I'm in the ice room and trying to get the escalation exploit to work but it will not take and start the second session. I have restarted the box and my root twice with the same results. I have set the session and the lhost to tun0 before running. I watched and followed the walkthroughs but it still didnt take. Can anyone help me with what I am missing?
@terse basin you still here?
make sure you have ||LPORT 4444||
PM me and I'll try to help you out
in privilege escalation of linux,task 6,challenge 2> is there any trick,i have read,overead,cant get the answer
got it,thx
Hey guys
Kinda stuck on the final task of the linux machine
getting access to root.txt to get the flag
can someone help please ?
@lavish solstice look through different users files
to be more specific files that are own by those users
not in their home directory
you'll have to use a command to find files that are owned by different users
VERY SPOILER ALERT------------ @lavish solstice ONLY use if you get REALLY stuck!!!
||find|| ||/|| ||-user shiba2|| ||-type f|| ||2>/dev/null||
Yes! Indeed!
I find your profile picture adorable
yours too
hi im stuck in introtoresearch task 2 question 4. anyone have an idea where i should be looking?
okay
so
it searches for files owned by shiba2 and showing only files ? not directories ?
and what is that part of the find command ? 2>/dev/null
@boreal whale
yes :)
2>/dev/null ignores errors
when it was looking for files, did you find some file that looked interesting?
cough cough ||top|| of the search
haha still didnt white out the black part
let me check
that ignore error is amazing
I tried using find alot and all the permission denied really annoyed me
yea when i found out about it I was amazed ;d
@royal badger hang in there budd, im looking ;d
data-piping in general are amazing
give us an example of a data-pipe :?
/dev/null is a special device that just ignores everything you tell it
@boreal whale ill try looking harder, untill idk
I see
Thats awesome to know !
Thanks a bunch
@boreal whale found the credentials to nootnoot
It's a spoiler
i've completed the room
He knew that because he already found it
Actually there is an intended way of figuring it out
I should've just done the find -user for every user ?
Thats what i ment @white salmon
wait so I still didnt finish
Im at user nootnoot
Just do some thonking
Well now come on @boreal whale
cause of the . file
in his home directory
just didnt have his creds
thanks a lot guys
first room completed
o i solved it @boreal whale
im looking into it now to see why thats the answer
hey @boreal whale
Question about the sudo -l
I saw that I got ALL
But what does that mean ? I first tried sudo cd root/
It didnt let me cd
only sudo cat root/root.txt
ALL means the commands I can run as sudo ?
to my understanding is that you can run sudo on commands without getting message like 'you are not a sudoer user', etc
you can still fail to run sudo on other things because you are not root yet
right now you are just privileged user
though some commands don't make sense to sudo. Such as cd'ing into /root/ or sudo /bin/bash -- those you still can't do
I see, but other than those I can do anything with sudo like im logged into root ?
hey @lavish solstice
do you want to become root?
On the linux room machine ?
yes
ok so you have nootnoot's credentials right
type
whoami
first
24601
except for nerds
subshell
Explain ?
i dont know how it works, I just know it works
bread mind explaining :?
so when I call shell as sudo vi it calls it as root ?
you're running vi with sudo, meaning that you're essentially running vi as root, except on your user. :sh tells vi, for whatever demented reason, to create a new shell -- not go back to the one you came from.
because vi was launched as root, that new subshell will be logged in as root
So basically I can do it from any machine as a sudoer user ?
makes sense
I haven't actually tried it, but you should be able to, yes
there's not much you can do from root that you can't do with sudo - except for the odd stuff like cding into a folder only accessible by root -- mind you that you can still do stuff like sudo ls /root/ without actually being logged in as root
I remember that I could not get list files I had not permission to as unprivileged user with sudo and globbing
Or because of dir x permission I can't remember
hydra.restore
kali@kali:~/TryHackMe/OSCP/alfred$ sudo ls /root/*
ls: cannot access '/root/*': No such file or directory
Not sure why this is
it seems like they are doing it on their machine
because of the directory name ~/TryHackMe/OSCP/alfred
alfred is a ||w-box||
yup, but it's in kali@kali
/root/hydra.restore
kali@kali:~$ sudo ls /root/*
ls: cannot access '/root/*': No such file or directory
kali@kali:~$ sudo ls "/root/*"
ls: cannot access '/root/*': No such file or directory
Anyway. It's a small quirk. I wouldn't dwell much on it
can someone help me cc steganography key 3?
@white salmon what have you tried?
I have it completed by i don't remember the exact way
the name is qrcode.png and i tried zsteg and stegoveritas and nothing
have you opened the file?
what file? the png
yeah
oh i rember it now
you have to scan it
stegoveritas automatically changes all the colors and puts them in "results" folder
so you can scan it
thx!!
Any nudge for rooting zthlinux please?
nudge nudge you're gonna have to be a bit more specific than that nudge nudge
what are you looking for?
@wheat hollow check the writeup for guidance
It's a hint, but yes, quite vague :p
Yes, please check that writeup. I sacrificed my sanity writing up a tutorial room. Appreciate it if it didn't go in vain
do struggle a bit first, though ;D
Is it a room @glossy basin ? I cannot find it.
!writeup zthlinux
@wheat hollow ^^
any hints on what to do after accessing the webserver in task 15 Advent of Cyber room
because it is a docker image, i cannot do find or grep. how can i find the flag without them
@white salmon Would that be Day 10, Metasploit?
@inland onyx Yess
Are you in meterpreter, or shell?
meterpreter
Drop into a shell
isn't that the shell of the target machine?
From memory you can use find from that
Meterpreter is a metasploit shell
It's usually more powerful, but sometimes you need to execute commands directly onto the target system
how can i drop into a shell
what's a nice, nmap scan for a host that you know nothing about and the scan does not take 20 min ;/
nmap -sV -v -p-
He said that doesn't take about 20 min
@boreal whale you can try using --top-ports
Nmap by default uses the top 1000 ports iirc
If you want to try a bigger number you can use that flag
ok I'll try them out
i've been wait 17 mins for my nmap to finish scanning ;d
But using -p- will pick up every port
So it's still worth doing
Just to make sure you don't miss anything
@white salmon Normally takes about a minute or something for me
Lucky
Mine average about 2 minutes
I think my fastest scan on THM was 5min
hit it with that T5 --min-rate 2500
Soon find speeds faster than a ket dealer on a peppa pig bike
Interesting mental image
somebody saw hostclouds i've got questions
can anyone help me with ccpentesting
task 4
question 14
or recommend any wordlists?
hints?
Doing hackpark. A little hint on uploading a file to cmd? I have access to PowerShell but I could not get the file download via PS from cmd. I also tried to launch PS directly but it did not work
I was doing RP:Nmap, and in the final question, I'm asked to find a dos vulnerability, so I ran nmap --script dos, but then I get that: https://puu.sh/FrgjY/39f366d97c.png
Do anyone know what is going on, or a better way to find what I'm asked to ? (even if the answer is in the hint)
Could you link the room? I don't recall anything about dos
Doing hackpark. A little hint on uploading a file to cmd? I have access to PowerShell but I could not get the file download via PS from cmd. I also tried to launch PS directly but it did not work
@tawdry dove try ftp
@white salmon You're running the wrong script
okay, that explains it then
I tried --script vuln just before, but it didn't find anything, so i tried dos
Oh i know
I ran vuln only on the 80th port
Okay, just ran vuln again and it found the dos vuln on the 80th port. I don't know why it didn't show up before, but now it worked. Issue solved!
nice!
also, be careful with dos scripts, even on THM.
it's a good way to get an angry email from your ISP
ahah okay, thanks for the tip
What room are you in @echo thunder
Can you link the room? And tell the task you're stuck on? It will be much easier for people willing to help you
it was a problem with the key importing
Doing hackpark. A little hint on uploading a file to cmd? I have access to PowerShell but I could not get the file download via PS from cmd. I also tried to launch PS directly but it did not work
I am still here. Can't get ftp to work (interactive is broken). Can't download via PowerShell (I don't get any errors back to term to see what's wrong). Any other hints?
@tawdry dove Try to see if you can write to a file then try redirecting stderr to a file to see if you get any errors.
hey guys , any hint for flag 25 room Linux Challenges?
!writeup zthlinux
@glossy basin This is for hints, not writeups (please?)
yep I know about writeups that is cool but I would like to understand why
ty
#7
Locate and retrieve flag 26.
@white salmon for the record, I deliberately wrote that writeup with as much explanation as possible
sry was a mistype
yep linux challenge
my sub expired i can't check my previous answers
@inland onyx do you have a sub?)
I do, but I'm on the phone
help pls
@ripe meteor Check the information above the task.
im stuck
What have you tried?
what does it say when you run that command
@trim breach nothing
so what happens when you then view the value of test1234
i types echo $test1234 and it shows shiba2
Okay thats good so now what do you think you should do
^
https://tryhackme.com/room/hackpark
For the hackpark is the service i am looking for to elevate privs in the list from exploit-suggester? Or is it a 32 party service?
Hello i'm struggling with the following sentence in the Room :" Introductory Researching"
Task 2 q4
What number base could you use as a shorthand for base 2 (binary)?
i'm not an english native
What three letter abbreviation is the technical term for the "wifi code"?
can you point me in the right direction?
Look at the standards and how wpa works @thin yew
I need a quick hint on username listing I use getent passwd yet cannot list the users! who can log in
@stuck fractal I think there may be an error with the wifi hacking 101 question or im just stupid
This is interesting
What do they mean by 'code'?
Wifi code
Is it the encryption, passphrase, or something else?
thats what ive been researching
can someone help me on the christmas room day 10?
on metasploit i get exploit complete but no session was created
What's the context? @thin yew
Yes case sensitive
@calm prism same thing. you have to select a payload
Code/password/etc
I selected everything and set up anything
What's your payload?
Do show payload
It has to match the OS
Windows for windows, Linux for Linux
It's not your host, it's your target that matters for arch
^
showcase.action
ok lemme try this
I think it is cause still no session created
Hmm
the RPORT and LPORT are the default one
Could you screenshot the output of show options
sure
can I send links here cause this is on my vm so I need to upload it to somewhere
do u mind if I send u this on dm?
Sure
sent you dm
got it @stuck fractal thanks
Anyone here can help me / hint me as per HackPark's bruteforce?
I've been bruteforcing for 1/2 an hour and no results.
@autumn ferry -- I'm using rockyou.txt, which takes forever to brute.
Yes, but also try some default credentials
admin:admin, admin:password, etc
Blank password too
I was brute forcing a file once
For sooo long
Turned out to be an empty password
No no, I mean first try default passwords and also try an empty password
Tried, empty password.
Rocking it with rockyou.txt but no luck.
The missions states to use Hydra.
Just wait then I guess. While you're waiting though check for other things you've found in that challenge that might be the password
Hm
Usually there are hints in the supporting material
Do you know the username(s) to use?
Yes...I do.
Any other hints?
Sadly not what I know. I haven't done HackPack yet -- just read a bit about it here and there
I see. I see.
Anyone around to help on steelmountain?
Ask the question, don't ask to ask :)
Alright thanks
Im doing the privesc and im trying to reboot the service but it says it wont respond in a reasonable time
is there any way around this?
Could you show me message where it says it won't respond in a reasonable time?
Yep so it dies after 30s right?
I got around this with prepend migrate with MSFVenom, basically migrates the shell to another process immediately so it doesn't matter when the original dies
I don't recall having this problem at all
Right.
I didnt replace anything really I just dumped it into the writable folder
yeah, but you're replacing what gets launched :p
That's magic talk to me.
I'd just try to do the migration real quick once it connects -- well.. if it connects
yeah it never does
Oh. So it doesn't just die
you're listening to the right port with nc and all that, right?
just checking -- you never know
Im using multi/handler but its on the right port
ah, right
im a dumbass
I guess I just went for the simpler attack and made a reverse shell, no meterpreter
:///
yeah? Listening to the wrong port?
works just fine with nc
I didnt use a meterpreter shell when I generated it using msfvenom
I dunno why I bothered with the handler I've never had any issues with nc before
But this time I thought yeah lets use handler for once
fancy ideas sneak into our heads all the time :p
Bit stuck early on which is worrying, but I'm at this stage of the "Learn Linux" room, I've created the text file but I'm struggling to find the binary to run? I've tried opening the text file and stuff which gets me permission denied. Sorry for being dumb
It's probably good to learn how it functions. but yea, at least some of the time, just keep it simple :D
Go to your home folder and run
file *
binaries look no different on linux. No exe or anything and .bin is optional
I cant believe I wasted that much time :/
Done too many boxes today time for a break
sometimes you gotta stop and question the line of thinking you're on. "What am I really looking for" x)
but hey, you got the right stuff going -- it just didn't work
Got it that's embarrassing, thanks Bread, knew I was just being dumb
thanks for your help anyway bread Im off now
no problemo!
I've read answers above in this chat but they didn't help me
Hey chat, question for anyone who's done Steelmountain room -- have you had any issues starting the "service" I'm hit with a 1053 error "The service did not respond to the start or control request in a timely fashion"??
got it sorted... give me a shout if anyone has issues I'd gladly help.
Hey, has anyone got Flag 5 in the wordlists room?
I've followed all the steps and modified the special characters wordlist
We're just trying to crack the zip file
Also struggling with flag 6 after following the instructions
any hint for HackPark "What is the name of the abnormal service running?"
What real life example can "Sitemaps" be compared to?
question 2
task5
googledorks
hints?
lmao
thanks
didnt think of it that way
Name the keyword for the path taken for content on a website
hint?
@stuck fractal
index aint working
Again, it's in the text
i dont see it
name a keyword for the path taken
HA
SMART
the question not me
lmao
thanks
@stuck fractal ok
this one im def stuck on
What critical file has had its permissions changed to allow some users to write to it?
common linux privesc
Stop tagging me every time you need help please
The script picked it up
?
You were meant to run a script for enumeration
i did
Basically. Read harder.
hi friends, im very new and working on the learn linux room. I have completed everything except for the bonus where you need to get access to the /root/ folder for the final password. If someone could give a small hint to fill in the dots for me that would be great 
Look for files belonging to each user @storm imp
will do!
thanks so much for the hint! completed my first room wooo! 
WOO!!
test
1234
Any helpers?
What is the name of the technique that "Search Engines" use to retrieve this information about websites?
What is an example of the type of contents that could be gathered from a website?
Help on Node1
Again can anyone help on node..i am not able to download file ||backup||
Hello anyone there
Hello, looking for a hint in "The True Ending" of the Learn Linux room because i am stuck right now
Ok, i had a second look at it because i already had found two intriguing files but i haven't manage to find use for them
There's more
Alright, got it, thanks for the help!
I think unless you change servers
^ Yes
I think my vpn is not working, can someone help me please
@past night i think sending me $5 can help
send me your address
Any writeups for juiceshop? I joined the room in order to learn about it but unfortunately it's not a walkthrough room.
@wheat hollow yeah, there's literally a book written on it
Should be over in #resources
The Web Application Hacker Handbook?
https://discordapp.com/channels/521382216299839518/554713196804440101/692545953017888828
@inland onyx Nice exactly what I was looking for. Why isn't it listed in the write-ups section?
Hi, I have a question on Steel Mountain. I've successfully rooted it, however I'm stuck at question 2.
Take a look at the other web server. What file server is running?
There are two http servers, one on its default port 80 and one on 8080. The HTTP server on 8080 is HttpFileServer 2.3. However, that answer is wrong, any hint/help?
google http file server
np
What SSH product does Google use? I'm stuck on this one i don't know what exactly to look for, and i can't search anymore on shodan i did too many searches.
and ofc on google
shodan.io is the room
Hello guys, i'm at Day13 of "25daysofchristmas" but i'm having some trouble.
I managed to find the admin credential for the wordpress panel and i find a way to inject my php code inside a webpage, but i can't manage to start a reverse php shell.
Every php_rev_shell i found are for linux and i still have no idea how to write them.
for linux
could someone help me with the last step of the game zone room
@raw blade but what about that ($shell = 'uname -a; w; id; /bin/sh -i';) at line 54
@raven prism it's basically a CVE identifier
where to find it in exploit db?
so every CVE has it's own number and you can distinguish between them
where to find it in exploit db?
@raven prism using 'search' button
@humble siren - ok - you are trying to exploit a windows server - you stated that you were looking for anything other than windows but I see you edited your comment
and you're right that script isn't platform independent so it won't work
uname is not a windows command
CVE-2016-1240 is the complete name @raven prism
ohh okay thx
@raw blade yeah, sorry I've switched them, i only found them for linux based platforms and not for windows.
This is the only one i've found but it's not working https://github.com/Dhayalanb/windows-php-reverse-shell
no problem...makes sense now
7 letters
yup, go ask google
i did
we do not give answers here directly
tell me what to look for
look for SSH product with shodan.io
i can't help you with a room which is basically based on personal research
i know,sorry but i hit the limit with shodan.in for today
im gone finish it tomorrow
ty
you can create a new account with a 10-minute mail
I'm gone do it now,thank you.
Hi all I was wondering if anybody could explain or hint in room Common Linux Privesc task #9 Step #4. its the one for creating an imitation executable. I keep trying different things but I guess I am not sure what its actually looking for. If anybody has any tips that could lead me in the right direction I would greatly appreciate it. Thank you.
If anyone could help me, I'm on the last part on vulnversity. I have no idea what to do to escalate my privileges to root
@restive cobalt It gives you the binary to escalate with right?
I've identified the unique SUID, unsure how to proceed
I know im using the SUID to invoke temp privileges that i can use to use root, is that accurate?
@restive cobalt So GTFOBins will help you get a shell or other things using the binary that you're given
suid means the binary runs as the owner
Lol its the first time i actually know what suid means
I feel kinda stupid now hahaha
I still feel stupid
Nah dude
You're cool. Everyone starts somewhere
Just invest your time researching what you do
It will come in handy one day or another
Super new to this... looking for some help with Linux Functionality Flag 16 lies within another system mount. I can see all the mounts but anyone want to nudge what I should do here? I'm such a lamer windows guy.
@muted tree If you can see them, look at what they contain
Actually has nothing to do with mounts.. but something else. Thinking too much like tech and not enough like CTF.
got it thanks
I'm doing the custom wordlists room and am stuck on flag 5 which states the password requirement of 1 special character. Now I'm supposed to use sed to modify rockyou.txt but I can't figure out how to save my life. Any nudge in the right direction would be greatly appreciated
can someone give me a hint about key 2 in cc steganography box.
@spice harness have you tried using the tool from task 6?
what Unix/Linux config files that i might want to hide from crawlers?
google dorking task 4 question 5
@worthy ferry well, what is the extension of a config file for unix?
:^
have you tried googling it?
ya
I guarantee you will find the answer by googling just a lil bit better
As the creator
Hehe it get that - it's pretty easy to overlook. You'll kick yourself. Perhaps get some kip and come back to it late?
And thanks!!
I'm glad to hear of it
dog person, same
what???
that is very nice, only if it was on desktop
You can use better discord
@steady stratus Ok that was really cool, and as you said could be dangerous
What could be O.o
google dorking
Android phones have an ultra dark mode
@white salmon how u do that
spam press dark in themes
Hey all, having a bit of downtime and doing the metasploit intro room, im stuck on one of the questions
Last but not least, which module is used with buffer overflow and ROP attacks?
been googling for my life and cant seem to find it
still dont see it, all I see is the banner then this
=[ metasploit v5.0.81-dev-11da08a ]
- -- --=[ 1987 exploits - 1088 auxiliary - 339 post ]
- -- --=[ 559 payloads - 45 encoders - 10 nops ]
- -- --=[ 7 evasion
It is even in the presentation of metasploit architecture/modules in the room
im probably overthinking it
got it.......holy crap cant believe I missed that
I was looking for the actual name of an exploit rather than that
hey yall. Im trying to solve the toolsrus room but on task 8 it asks for the server version. I couldnt find the answer for this myself so i looked at the writeup and found out that the /manager/html/WorkArea/version.xml has the version. However the directory is locked under 403. Can anyone guide me in the right direction to get through this
how have you checked ?
dear fellow hackers i need some help with Common Linux Privesc Task 9 #4 ! i am stuck at what commands they want me to write
This is a good one
think simple
i did it i forgot the "
Make sure to use spoiler tags for answers
ah doh
linux and me are slowly becoming friends
@white salmon ♥️ ^^
Need help with Brainstorm
When I run the exe file, Immunity debugger is paused automatically
@slate scarab <3
could someone help me see where i might be going wrong? im working on learn linux room challenge 21, trying to set two environment variables then run a binary, and even though the variables should be set the binary isnt running
well im setting them equal to each other
Hi guys!
thanks for the tip
I'm doing room CCpentesting
Task 18, in final task of sqlmap
"what is the value of the flag?"
I don't know what flag is
it'll jump out at you when you correctly invoke sqlmap
I dump all tables and nothing
review your sqlmap command, the url you are testing against, etc
You mean Inclusion @white salmon
@white salmon hey i cant access artic forum challenge site
Huh? @royal cave
I am stuck on privileges escalation of ghostcat
I got the first user but cannot identify the privilege escalation vector
@keen lintel check what commands you can run as root without the password
and escalate from there
i think he just has the entry point in the system
Hello guys, what about the task3 of day13 in 25daysofchristmas?
I found about the file you're supposed to use, and the bug in w server 2016 but i can't manage to fix it
i tried setting both browsers as default (one at a time ofc) for every single file/extension but i can't manage to get it to work
Haha, exactly where I was confused too, couldn't get it to work either, but it just worked on the 15th try
It literally worked for the first time right now
but i think i reached ~15 attempts and a few reboots

I'm just appreciating your challenges @minor bough ^^
I am currently doing the Wifi Hacking 101 Activity and I am stuck at the 3rd question:
What three letter abbreviation is the technical term for the "wifi code"?
Maybe I am just dumb but I tried everything
@uncut crypt Have a look at the types of WPA2
Ok
And what the technical term for the password etc is
Well I found it maybe the question is made a little bit weird or I am incompetent
can someone give me a nudge on "Jack" ? initial access I have located the WP login page, enumerated some usernames and have been brute forcing with rockyou.txt in hopes of finding good credentials.
Thanks
@uncut crypt If you can find a better way of wording it without spoiling it, I'm open to suggestions
Ok I will think about it
Any hint on task 3,ch 6 ? from LFi basic?
@stuck fractal I think you should add a hint like the one you gave me. So something like: "Search for different types of WPA2". Or: "Look up how Encryption works in a small private Networks"
@uncut crypt Different types of WPA2 gives it away too easily IMO, and small private networks can be wired etc
@stuck fractal I mean you gave me a hint and the hint function is for hints. So yes it would give away too much when embedded in the question but not as a hint.
It's still meant to challenge your research skills
@stuck fractal Maybe just change the word "code" to password, key or something else not too obvious
If you google WPA2 password, it's in the google suggestions
Well I am based in Europe, Germany to be exact and if i try googling wifi code I am not getting the results I need to find the answer. But if I try it with wifi key or wifi password I can find the answer not instantly but still fast. So maybe that's the problem I had. I know most users should be based in the USA
I'm in the UK, it's just a part of research
Duckduckgo allows you to specify country for your search!
Hi, Im doing the 25daysofchristmas day12 #3 and I am unable to brute force note2. What I have tried is using ssh2john with the private.key and then using john with a shortened version of rockyou (that contain the actual passphrase) but it never find the passphrase. Any hints?
@solar onyx Read the hint, you can't really brute force it
It's not an SSH private key, is it?
No, just seemed like one
I've been reading and seems like you can't actually bruteforce rsa since there is no way to know if the resulted plaintext is what you were actually looking for
But openssl rsautl -decrypt give me an error when I enter a wrong passphrase
Not strictly true. You can bruteforce RSA, if the numbers used to generate it are low enough
An openssh key?
No chance
So there was no chance of solving that without the hint... All right thanks!
can anybody help me with one question in toolboxvim
@thin valley What's the question?
@stuck fractal Task2 question 2, I answered all of them, I feel like an idiot stuck with this only one
Which one is that?
How do we start entering text into our new Vim document?
and the answer contain 6 char
I tried insert
Once you're in insert mode, how do you enter text?
verb

