#room-hints

I really like that question

It's very humbling

Helps remind you that it's very easy to overthink

very true! it played with my mind and my search engine for about an hour

then I came here

anyone here do Jack? need help on privesc

@merry sonnet If you still need help you can pm me

huhu can someone give a hint about how to find the flag in the learn linux basic task43 bonus challenge?

Look for files belonging to every user

Which room should I prefer for metasploit

Rp: metasploit. Or ice

...

Also wrong chat @cloud kestrel 😄

Try #general

Hi All, I was wondering if anyone had a problem with Nessus room

Regarding the questions about versions PHP and Apacehe

@random berry i did , but if I remember I double check with dirbuster "received tab" and got the right answer from there , again if I remember well

I mean Zap *

Hey I am in gohostcat
Yep I just got the entry point in ghostcat
There are something like pgp private key in my home directory I cannot bruteforce the phrase
And seems nothing in another user's home directory
Don't know how I can move horizontal to another account

@keen lintel Use ||gpg2john|| to get a hash then crack it

I have tried I using rockyou.txt but do not get the key
However I will try it again , thanks for your help

Search for the key in keyserver and then add it to your machine and then decrypt the txt file.

hey everyone, i have a question regarding to CC: Pen Testing room

ask away

Salve

in taske 18 section 6 for sqlmap

Are the tables empty?

i entered the website but i am not sure what to write to see the tables

Oh

Use sqlmap

i tried but nothing or maybe im using it wrong

Send a screenshot pls

sqlmap -u <ip> -p the parametr which is i dont no --technique

sqlmap -u <ip> -p the parametr which is i dont no --technique=U

The parameter is what gets sent

You can use.multiple different methods to figure it out

im not sure what to type in the field msg:

Just use sqlmap

With msg as the param

To make sure that's right

You can view the html and look at the name

Use burp

Lots of things you can doo

i tried but no luck

You can also use --forms

It's in the sqlmap help page

Edit POST data [default: msg=] (Warning: blank fields detected):

i did
sqlmap -u 10.10.222.26 -p msgg --technique=U --forms

No

If you use --forms you don't need to specify param

this correct ?

I used sqlmap -u 10.10.222.26 --forms

Yeah

Now dump the db

im not sure how to use the command to dump it but can you refer me to some website that explains it

i watched a youtube video was doing it by using mysql

sqlmap --help

sure thank you 🙂

i did it by using --dump

thank you so much @white salmon

<3

Have a passphrase file doesnt want a passphrase am I missing something here or

Rooms tomghost ask if I need to elaborate more

@wise valley You need to import the key

hm thanks

@tidal sedge Thanks, that was it no idea how I didnt understand that lol

@wise valley I would suggest going and reading about it then. Understanding that it worked is a lot less important than understanding the process.

@wise valley import the key from the server like pgp.mit.edu and then try to decrypt

@inland onyx yes I understand that

Glad to hear it 🙂

I just get this one tracks mindset and its fricks me up

Can someone point me in a better direction for the CC: Pentesting (https://tryhackme.com/room/ccpentesting) room? I have read the writeup and it didn't help.

For which part?

Task 4, #14

@lone gale The writeup is for the exam

Ohh

Try extension .xxa and extension xxa

I have, and tried all the results

nothing worked

hello guys, i need a hint with this https://tryhackme.com/room/metasploit

the command about webcam_list

Oh wait, i ran it outside of the "secret" directory, and found more files!

meterpreter says it's unknown

It's a part of Post @icy heath

ok, i'll trying understanding more about post

metasploit post, more specifically

this error is because i'm doing something wrong, right?

nope I think that's metasploit being broken

IDK if we found a fix

so the webcam_list is depended on migrating to another session

or because it's broken it's not working

umm..I am tryng to solve the "lord of the root" ctf..stuck on the 6th ques..Which method is it?

what mean of "
How do we start entering text into our new Vim document?"

i don't undetstand

You're over thinking it

Once you're in insert mode, how do you get text in there?

Hey everyone! Hoper everything is fantastic :)
I'm having a little bit of trouble with the TASK 21 on LearnLinux Room

can somebody give me a hint?

for some reason I can't run the shiba2 binary

and can't echo the $test1234 also

Can't?

w8 let me try this again, I think I got it

yes I couldnt dont know why

im gonna try again

once again, i mean

just saying can't isn't very helpful

yeah sorry ninja

let me just try one more time
if I cant, ill let you know, but this time, with a little bit more details xD

@hollow holly check that you did all of the previous steps correctly. That's usually what causes me to get tripped up on stuff

shiba2@nootnoot:~$ ./shiba2
when i do this, I get no output

@stuck fractal by typing i don't undetstand what mean 😦

@north moat How do you get text into the vim document that you have open

with i

That's entering insert mode

Once you're in that mode, how do you get text in there?

It's a verb

exactly i don't understand what mean of get text

get text mean search ?

How do you put text in there? @north moat

How do you write in it

@stuck fractal i'm doing ./shiba2

and I get no output

also, i've done echo $test1234, and the variable doesn't exist...

You need to create the variable

yes already did

but I get permission denied

to cat the file

i did the export "valiable"=$USER

run the bin

and I got

cat: directory/example/example: permission denied

Huh

That binary doesn't use cat at all

I think I screwed the machine lol

Send ss

here?!

Ye

Uh

Could you upload it so discord posts it

wtf

@white salmon I think discord image embeds are dieing rn

Oh good, it's not just me

Ill copy the commands

shiba2@nootnoot:~$ export test1234=$USER
shiba2@nootnoot:~$ echo $USER
shiba2
shiba2@nootnoot:~$ ./shiba2
cat: /etc/shiba/shiba3: Permission denied
shiba2@nootnoot:~$

Oh

The suid broke somehow

so, do I turn the machine down and back up?

Yeah

ok, thank you so much man! 😄

😁

hack park - the answer i have for what OS version, doesn't match the ***** stars. Anyone else had this problem?

its the *. that doesn't make sense

I did, it depends where you get the version from

You can run it from meterpreter or run it within the reverse shell

tired systeminfo, sysinfo in meterpreter and also windows exploit su

none of them match

I used sysinfo from meterpreter and it worked

there's a star star dot star part which matches none of them

@dense brook, DM me the version you are getting and I'll try to help you

in hack park... task 4 , #3 what the hell is abnormal service???

haha poked randomly and found it

any hint for skynet question-3

@hearty zodiac don't let it become self aware

any small hint ??

@hearty zodiac if I had one I'd give it to you but just wanted to poke fun at you. What's the question about?

Like what's it asking?

:-), its about skynet quetion-3, which service to exploit, the samba share are readonly. and cant get shell. so just understand i looking for right thing.

Can you get access to an account that allows chmod?

If I read that correctly, otherwise I might just not understand what it is asking .

its samba share, and the 2 pass are not working for shell.

Hm idk

hey guys

having trouble w avengers room

not sure what to do put with the sql injection

What have you tried so far?

' 1=1

' 1=1

1=1--

i tried the whole statement given

nothin worls

works*

'OR '1'='1

that'd be saying PASSWORD' or true

then the statement closes

I'd recommend taking a look at this: https://portswigger.net/web-security/sql-injection if you wanna learn SQLi better. Portswigger is a real cool platform for learning web. By the creators of Burpsuite.

is a really good resource for web attacks, can confirm

sweret thanks ill check it out

nothin will scan it

QR code needs contrast

It probably is

Stego veritas that shit @scarlet saffron

ah ive been using sonic visualizer to get this outta the sound

oi

bad mod

Excoos me

pars is my daddy its ok

parsy good mod 🙂

Yep it works

@stuck fractal also thanks man, ima try to edit the image or somethin

I played with it in image editing software

Is this for a THM room?

ah cool, good, yep its for musical stego

Ah

plz delet image

mild spoiler

I never doubted you for a second @scarlet saffron

OH MB

HAHA thx sweety <333 👨‍❤️‍💋‍👨 @white salmon

ur classic sentence XD

when u actually do doubt me

jk jk

@stuck fractal u on Win or Lin? i usually just use online tools cuz less hastle since im on lin

GIMP will do it

I just prefer Paint.NET

Pars was right tho

Stegoveritas

tru tru, i used paint.net only on windows, never got into GIMP even after the full switch 😅

ok sweet i think i have it

literally just been trying to do it via samsung QR reader XD

QR codes need a lot of contrast

gosh i aint gettin a good setting

that black at the bottom left is overtaking the whole part when upping the darn contrast

GOT IT

thanks man ❤️

hey guys I have a question about smbmap and smbclient i have done all the tasks but get stuck in this question > Given the username "admin", the password "password", and the ip "10.10.10.10", how would you run ipconfig on that machine

How would you run IP config

Not how would you SMBMap it.

Look at smbclient, the man page and the help page

SMBMap is for enumeration, smbclient is for actually interacting

i did looked

but i will look again

both have the same Question

huh?

Given the username "admin", the password "password", and the ip "10.10.10.10", how would you run ipconfig on that machine

this one for smbmap

How do you run the command "ipconfig" on the target machine > smbclient

What room?

cc:pentesting

Ok, well look at the man pages and help for both of them

if you look at the last 3 things it says it

It says what?

it says i should do
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1

Does it?

Or are you perhaps misreading it

They are just example commands

Not instructions

but admin has 6 charecter

true

i change what i need to change

i mean the ip - pass - user

yea, and the example commands aren't for running ipconfig on the target machine

got you

Look at the man pages

I can 100% promise you it's in there

thank you i will do ❤️

anyone competed harkpark

im stuck

I completed it @dull comet

How do we start entering text into our new Vim document?

i still don't understand !

when i go to vim , with i enter to Insert mode and start typing what it mean

@north moat you answered your own question

You just don't realize it

@white salmon Hmm ! it's really bad question i really stuck on it

Yeah that question is pretty dumb

But think about it

When you enter text into a document

What are you doing

It's very litteral

ahh Done ! it's Really Dump :)) @white salmon

Anybody got a tip for the way of thinking for linux challenge flag26? I found the other flags and eventually I did look at the write-up for flag26 but I don't get the reasoning behind it

If a password hash starts with $6$, what format is it (Unix variant)? , format = type ?

try using hashid

i think it will tells you if am not wrong

i found the type of hash , but my answer seems wrong

Sha512

Try hashcat using mode 1800

Yeah you need to add a suffix to it

Keep googeling and you’ll find it. Don’t know if I’m allowed to give a better hint ;-p

I'm stuck in room BP: Volatility on the last question where do i find which malware the sample is infected with?

you and me both, i cant find any information on vt/ha

jep

hey guys can anyone help me with routing?

anyone got tip for inoculation ?

i can't get metasploit shell in https://tryhackme.com/room/ccpentesting

is something wrong on machine ?

What's happening or not happening?

[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Exploit completed, but no session was created.```

Can I get you to read this: https://discordapp.com/channels/521382216299839518/522158539129618453/694551215039578172

your LHOST is wrong for definite

its okey

im using Local kali

The tryhackme kali?

yes

Then you might be doing something else wrong

Still, the guide I posted

What task and question?

Task 10 Question 1 .... 10

after i run exploit i got [*] Started reverse TCP handler on 10.10.51.242:4444 [-] Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override [*] Exploit completed, but no session was created.

i also did set ForceExploito override

Sounds like something is set wrong

Did you deploy the right machine?

and try again but not work

sure

im deploy machine in TASK 3

There's no machine in task 3

where is this task Machine ?

maybe i run wrong machine 🙂

Task 10, deploy button

oh its first time i saw different deploy on task , sorry 🙂

I'm doing the webgramming room and am stuck on the third task, enum

I wrote a simple script that looks like this

import string
import requests
from itertools import combinations
from itertools import permutations
import time
import re


url = "http://<machine ip>:1339/enumerate?help="

pattern = re.compile(r'\s+')
t0 = time.time()
i=1
while True:
    for ele in permutations(string.ascii_letters+"_-", i):
        boop = re.sub(pattern, "", ''.join(ele)).strip()
        r = requests.get(url + boop)
        print(r.status_code, boop)
        if r.status_code == 200:
            print(url+boop)
            break
    i+=1

is this the right idea?

hey guys, hope everything is good!
my terminal is freezing too many times and I'm not able to right anything on it
so I have to close it and make an ssh connection and start all over again

did this ever happened to you guys?

you at least, frequently

im running the last kali version, 2020.1b

Locally or thm?

@hollow holly

how do i approach day 10 of advent cyber?

has ssh/22, http apache tomcat/coyote JSP engine 1.1 (which is vulnerable) and rpcbind

Read the supporting material

alrighty

really should have read it cause i skipped it

thought it wouldn't be necessary

so uh
im stuck
can someone give me some hints(without breaking rules)
im at [Task 13] [Day 8] SUID Shenanigans
just gotten in

hey guys I have a question about LFI Basics
how can i run uname -r

i did like that but i can see any pass or users

@ripe needle what stage are you on?

have you gotten the /etc/passwd ?

the credit card ?

im in task 3 question 6

@prisma blade i was asking Aloo

or did you change an account?

if that what you mean

so you can't run uname -r ?

how can i do it

i did like http://<IP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=

i did view page source

you have to put the command right after the link

yes

i did http://<IP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=uname -r

you need to replace the space between uname and -r with a %20, i think

you can't just leave it like a space there

ah i will try

thank you

i doesnt show any user or pass

it*

Why %25 (-> '%') ? Shouldn't it be %20 (-> ' ')?

you mean i use '' after uname-r

no

you use %25 in between uname and -r

but it's supposed to be %20

i did 20 but i cant see anything

@ripe needle @prisma blade are you one person switching between two accounts? If so, why?

no just one account i just changed my email

and im not sure how to get my old user or why changed

Aloo and aloo11ca appear to be entirely different accounts?

no same account

i want to delete this one

That's in your Discord settings under "My Account"

i change it

not sure why i cant see my old msgs

What do you mean?

nvm 🙂

Hi everyone, is this the right channel to ask for help on rooms ?

Yes 😃

@empty nimbus If you want a hint then ask here otherwise ask in #room-help

I'm having trouble with the Learn Linux room, I'm at the last section (where you have to find the flag in /root/root.txt). I actually have a little bit of experience with Linux privesc (I did a few easy HTB boxes) but I'm stuck here

If I'm correct, there are 4 users to which you can connect (shiba1-4) but none of them has sudo privileges

@empty nimbus try seeing what the users have access to

"What flag do you use to set the BSSID to monitor?" can anyone answer this please

im guessing you're doing a wireless room -- id tske a look at airodumps man pages

Nudge for ignite please

priv esc

I know that there are write ups

But I don't want to get spoiled

Hello 🙂 I am stucked on the BP: Volatility room on the last Question, where i have to name the malware.. i uploaded the dll's but i only get answers what dont fit in. Answer is 6 chars long. i saw that many here had the same question but it never get answered? can someone help me out?

what i can say is look deeper on the evidence osint-wise

allright thx, i give it a shot 🙂

and dont be afraid to try things not mentioned in the class

I give up 😄 i cant find anything new on Virustotal or hybrid.

Perhaps the Question is misleading?
What malware has our sample been infected with? You can find this in the results of VirusTotal and Hybrid Anaylsis.
Results shows very less info, except you register to Virustotal or Hybrid. or am i looking in the wrong direction here at all?

dont get tunnel-vision in one track.
my mistake was to read to hard into how the question was formulated.

Hi fellas. I need hint for linux challenges flag 26

It only says "Locate and retrieve flag 26." nothing else

Hello guys! I am a beginner. Can you recommend me where to study penetration testing?

@fair marsh
Start from learning linux, https://tryhackme.com/room/zthlinux <- can help you with that
Then learn NMAP here: https://tryhackme.com/room/rpnmap
And continue with this: https://tryhackme.com/room/vulnversity

@wet shore (sorry a littlebit late) you'll need to find it .... go nuts, and try and use regex (you should know what these flags look like now)

Can anyone help I'm just going through the 'intro to curl' but I'm stuck on making a POST request to ctf/post with the body 'flag_please"? I have terminal open and I'm typing curl -X POST --data <"flag_please"> <server IP>:<port>/ctf/post is that correct or am I way off?

@white salmon maybe include headers?

Thanks for the heads up! 😄

@white salmon well I'm not quite sure if that helps as I've not done that room yet... But I do use curl 😛

Hmm

@white salmon curl normally adds this header to your request when POSTing: content-type application/x-www-form-urlencoded but if it's not urlencoded (like JSON for example) it wouldn't work

I've done all the other questions it's just this one that's kicking my ass for some reason, think I need more coffee.

can you share wich room (and task) exactly? I'll try and have a look 🙂

I've just figured it out.

It's the Web Fundamentals room and it's the mini CTF.

-d was required.

instead of --data? ah

well 🎉 @white salmon

sure thing 😉

So happy now, it's been bugging me for a couple of days, just shows you researching on google really does work 😛

And asking in here too 😛

you couldn't find it with --help?

I usually check there first then google and then just hit up random commands in https://explainshell.com/ <-- really good tool for checking commands from other people 😉

I did try but lack of coffee and the fact it was pissing me off probably made me just lose focus and not look properly.

Thanks for the link I'll give it a whirl.

I know that feeling 😦

It's a great page if you are looking at tutorials and people just paste commands like it's nothing (and they expect you to know what it does), I use it for work sometimes when I have to reverse engineer someone else's bash scripts or when I'm looking in someones history 😉 😛

(esp good for getting to know the sed awk commands that we all charish and love. Pretty good way to make oneliners but awful in readability)

Nice one!

Hey anyone doin new machine

I'm not.

Same

Over here just nooting

Hey guys, looking at the task from this one https://tryhackme.com/room/introtopython. It says that the text was encoded 5 times by base 16, 32 and 64. Does that mean it has to be decoded that many times to return to the flag? I've not spent much time with base64, so I'm finding it quite tough. @dusky vigil any tips, brah

Yes, that means it has to be decoded in each base 5 times.

right, I'm gonna have to read the base64 docs again, there must be an argument rather than looping through

Hello guys

Who has completed (Linux Challenges)???

I'm just starting them.

In skynet, am I supposed to break into the CMS in order to exploit the vuln I found? Just curious

anyone have issues with "joker" on task#18 the alias was there and then now it isn't showing up anymore

@merry sonnet Yes, you just have to re-exploit and hope that it works

@stuck fractal so just keep re-deploying it until I can get further

Yeah it's a pain

I tried on like 3 seperate occasions before I got it to work

ok ill keep at it, thanks for the heads up

im so confused by this question, and by hint as well 😄 I'm root, i know there is no requirments to run vi, but i cant seem to find the answer.

Hint is : no password

@ornate narwhal what does sudo -l say

Where it says you can run vi with no requirements

there you go

It literally tells ya mate, research what (ALL : ALL) ALL Within /etc/sudoers means

The hint is no password

What does sudo -l say about commands you can execute without a password

Research that

on it

got it.. need to get used to those shord words in linux

thanks

I'm pretty sure find the flag for "Basic Steganography" room question 3. but it doesn't accept flag. Anybody confirm my flag?

I look at the write ups and my flag is true. I think, there is some problem about room "Basic Steganography" question 3.

Yo so I'm on the learn Linux room, task 21. I am very, very lost.

please help im about to punch a hole in my monitor

Are you after a hint, or help @cedar path?

a hint! please!

The task is wordy. Split into direct tasks:

1) Create an environment variable called test1234 and set it to the value of the USER variable
1) Run the binary

That help?

OH I HAVE TO CREATE IT

Mhm

"The binary is checking to see if the environment variable "test1234" exists"

what does this mean then? in english

It's checking to see if it exists. In other words, right now it does not exist -- you have to create it for the binary to find it

Yeah but what is "it"

Like, okay.

The environment variable test1234

I think I'm confused as to what "The Binary" is

shiba2

A binary is an executable file -- like .exe files on windows

right

It's compiled code -- a program that does something

shiba2 is a user

shiba2 is also the name of the user, yes

oh f that's not confusing at all

it's like having two kids named 'bob'

ok let me try again, thank you

@white salmon -- room foodback for yah ^^

Np 😄

Anyone do skynet?

@inland onyx you are a God thank you sir

also, what would have happened if i ran this bin file if I hadn't met the conditions described? If i hadn't made those environment variables?

It would segfault

In the other challenges it wouldn't really matter -- it just wouldn't do anything

In this one it would be trying to access memory that doesn't exist

So it would give you a segmentation fault error

bless

ok

thank you, flowers are in the mail i hope you like tulips

😆

I heard he loves them

Haha -- I'm more a fan of Lilies myself, but 🤷‍♂️

lilies smell fantastic

That reminds me, I need to pick up some easter lilies for my grandmother. hopefully they didn't get the rona, too

Sicki fired it out

hey there im at Learn Linux room , i need hint with task nym 18

num*

let me see

task 18

thank you Swafox

yes, what question are you on?

i got the # question , but on the other one wich says "What is the value of the home environment variable

"\

so you are on Q1?

im on #2

so you have to read the value of home varuable

$HOME is the varuable

echo $HOME

value of the home environment variable

nether $HOME or echo fits

cat $HOME to be exact

you want to read it

yup, but the question is asking for the value of home varuable

so like, what's inside of it

not the command you use

cat $HOME to be exact

cat $HOME to be exact
@glossy basin I GOT IT!!
thanks man!

good :) u'r welcome

Hey!

I'm on the room https://tryhackme.com/room/ccpentesting at Task 18.
It ask me to dump the database so i used sqlmap like i always do (Command used: ||sqlmap -u [url] --forms --dump||) and i should retrieve the flag... and all i got i some ||<blank>|| value where it should (i guess) have the flag needed for the last question. (So as stupid as i am, i answer with ||<blank>|| and well, bad answer, i'm not surprised)
Well, seeing i have some blank value and i don't know what to do with them, i take 4 hour to dump-all (Command used: ||sqlmap -u [url] --forms --dump-all|| the database aaaaaand still ||<blank>|| values on the non-sys table (all sys table are filled)... I noticed some weird types for columns (like type "||a||") (can provide screenshots if necessary, i tried to hide as much as possible answers or hint not asked by someone)
Does someone know if its a bug? If not a bug, can i have a hint on what to do / flags i may have forget? Thanks 🙂

Hi !

I'm currently resolving the cod caper but I have a problem : I'm stuck at the step where we are to decrypt the guy's password :

||ssh2john : pingu.hash has no password !||

Is the ||id_rsa file|| in the ||/home/pingu/.ssh directory|| the expected thing?

Or do I have to look at somewhere else ?

You may "find" something else 😉

yup i ran the find command but nothing show up even with ||find -user pingu||

Can we use a different VPN for the rooms?

(if i understood, it is the expected command)

Not exactly

@novel jackal it might not be that user...
Try all of them -- even the "fake" ones

oh i got it

thx guys ❤️

has anyone done the cod caper machine?
I am having some troubles and I could really use some help

What is the problem ?

so it asks me for an ssh password

I could find some rsa keys on the machine

@white fern Please post in one room. Read what each room is for.

@late patio my b

how do you guys black things out like this

yup i ran the find command but nothing show up even with ||find -user pingu||
@novel jackal

With 4 | chars

test||||

||||test||||

And you write the content between 2 |

got it

^^

another thing if i may

im at Linux Walk Through

TAst num 24

task number 24*

q #1

the answer is not 461? what exactly are they expecting?

||460|| i got it by myself this time ^^

I don't know i didn't do it :)

U may want to mask off the key values u put on Ur messages to avoid spoil ^^

https://imgur.com/aOLEKfB.png

hi, i'm stuck doing the hydra challenge, i can't find molly password either web or ssh after going trought the all rockyou passlist is there any writeup or hint for this one other then the "If you've tried more than 30 passwords from RockYou.txt, you are doing something wrong!" ?

The standalone hydra room or the christmas one?

the standalone one

I got a guide that I keep linking people for that room and other rooms with Hydra

Normally, if you're not getting the right password it means your syntax is wrong

Are you getting 16 or so "correct" passwords and then hydra exits?

i'm not getting any correct password ? hydra just go throught all the password in the passlist and nothing is correct

https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/

yep doesn't get me any further i'm still stuck, and i don't have any idea on how to fix it

Be sure the box is up

Or deploy a new one

@true gazelle

"hydra -l molly -P rockyou.txt 10.10.169.223 http-post-form "/login:Username=^USER^&Password=^PASS^:F=incorrect" -V " is the command that i'm using even correct ?

You should use Hydra-GTK but at the first glance, nothing seems horrible out there

hydra-gtk ?

there is the wizard but it doesn't get me any further

@topaz snow F=inforrect seems wrong?

also, ` will let you do code formatting, like this

```language
Code here ``` will do syntax highlighting

ok thanks

and how f=incorrect is rong as

this is what pop-up when you enter a wrong pass

so idk

@topaz snow the F is part of the string it's looking for

If "F=incorrect" doesn't appear in the response, then it won't match

Oh i see

I'm dumb

Hello guys, i'm trying to perform the last task of the last day of Advent of Cyber.
I actually already managed to get the root.txt but i would like to complete the exploit according to the the CVE-2018-17246.
The exploit is based on being able to upload a file (a .js rev-shell) and then execute it.
However i can't find a way to upload a file, where should i look?

can someone help me here

@lone abyss It's a technique once you've breached a system

I feel like I know the answer but idk

I tried directory traversal too

It's not that

It's once you've got a shell really

hydra -l molly -P rockyou.txt 10.10.169.223 http-post-form "/login:Username=^USER^&Password=^PASS^:incorrect -V @stuck fractal something like this would work ?

Try it

it has been running for the past 2 min still nothing

and more then 10k pass test so the fact the hint is telling me that if it goes for more then 30 pass i'm doing something wrong so i'm doing something wrong but idk what

@topaz snow Christmas or standalone?

Oh standalone

yep standalone

uhh lemme check that room

i am stuck on bof1 room, could someone help me?

I'm still not sure if anyone actually has completed that

BoF specialists are rare here

i just register this site, which channel should i ask?

@topaz snow Taking a look now

@stone meadow Just saying you might not get any help when you ask, in order to help, people need to know the topic or the room well

yes sure

@stuck fractal no need to rush i've been stuck in this room for the past 3h i can wait xD

@topaz snow The parameters might be case sensitive

idk what that mean i don't have the best english

@topaz snow You also missed a closing quote mark

So case is A vs a

Capital letter vs regular

Upper case is A

oh ok gonna try other itération then

Your command is so close to being correct

Yeah so the case does matter, and you need the closing "

and i ran the command with closing quote just didn't copy it for some reason

The closing quote shouldn't include -V

incorrect" -V, not incorrect -V"

Otherwise it will look on the page for "incorrect -V" and never find it, so assume all passwords are right

hydra -l molly -P rockyou.txt 10.10.121.186 http-post-form "/login:username=^USER^&password=^PASS^:incorrect" -V like that ?

If the path to rockyou is correct there, that's almost exactly what I got working

the path to rockyou is correct, it's the almost that's going to make me go insane xD

I mean I had the path different

That was the only difference

I copied and pasted your command, changed the wordlist path and fixed the quotes and case and it worked

it finally worked just the 27k pass

Weird

Wasn't that bad for me

so the hint is kinda missleading or i have a weird rockyou passlist

Kali has rockyou predownloaded in /usr/share/wordlists

Although you may have to extract it

i'm on arch so i downloaded everything on my own

ahh

From naive-hashcat?

(For rockyou?)

anyway thanks a lot @stuck fractal ,and i'm gonna write a writeup when i'm done with the ssh flag, so other people don't get stuck on it for as long as i did

It shouldn't be 27k in unless it's the christmas one

That was a mad distance through

nop it was one i got at the time my school did a small ctf for fun

@topaz snow Dm me head -n 30 rockyou.txt and I'll tell you if it's the same order

hello to everyone!

im at Learn Linux Task 31

#1 : How do you find files that have specific permissions?

can anyone give me a hine please

@true gazelle man find

i`ve allready read the whole page

ive even used ||/|| to look for keywords

ive also tried ||perm|| without any hit

@true gazelle it's a flag, so - at the start

Oh

so im at Linux Challenge now , Task2 #4

"Flag 4 is located where cron jobs are created."

i tried ||find / -user cron|| but it replies me that there is no such user

find: ‘cron’ is not the name of a known user

cron isn't a user

@true gazelle As it's clear you haven't. How about google what a cron is

That will clear up a lot of your questiuons

yeah just started to read about it

Google before you ask questions in the future

good luck

thank you guys , after googling i`m still kinda stuck

i`ve benn inside ||/var/spool/cron|| no result , i have also visited ||/etc/cron|| without any thing out of the normal

no flags in both , or have i missed anything?

if checked all the daily,hourly and the others too

there are multiple areas crons are stored

e.g. ||/etc/crontab||

It's quite a misleading task and could be in a number of places

It's quite a misleading task and could be in a number of places
@dusky vigil allrighty i will explore

Hi all,anyone a hint in frequency analysis challenge from Crypto Funhouse?

there are multiple areas crons are stored
@dusky vigil can i ask why ||crontab(5) sucks|| ?

is this suppose to be another hint?

just

Is the SQLi room incomplete? I don't see any tasks or questions there.

ive been in both ||/usr/local sbin & bin|| folders without any find ||(ls -la)|| @dusky vigil am i close?

@azure nova it's a playground

proper SQLi room will be coming in the closest future

I'm currently doing the 'hashcat' room and I'm stuck when trying the bcrypt task (task 1 question 4). I've tried the command 'hashcat -m 3200 <hash> --force' am I missing something?

You should specify an attack mode

Thank you @unkempt skiff

So im on the Linux Challenge Task 2 q#4 ,

ive been in both ||/usr/local sbin & bin|| folders without any find ||(ls -la)|| @dusky vigil am i close?
@true gazelle

what am i missing

hints please

try harder

here

https://tryhackme.com/room/introtoresearch

Might be worth doing this box before you continue

Might be worth doing this box before you continue
@dusky vigil will do

thank you!

try harder
@dusky vigil try harder mindset

Very much so, there's a time and a place for asking questions. Usually once you have exhausted all routes of independent research

and there is no endto those routes

Nah sometimes there are ends

so far linux boxes are the easiest I guess, since retro pissed me off

^^

If it means anything Dark, the guy who created that box. Did it on stream a couple nights ago and couldn't do the priv esc

😂

Nah sometimes there are ends
@dusky vigil yeah

If it means anything Dark, the guy who created that box. Did it on stream a couple nights ago and couldn't do the priv esc
@dusky vigil i was there and oh god it was like bang bang bang

it motivated me though

if the pro stuck its something normal then

When I try to do "search server/socks4a in rpmetasploit it kept giving me an error saying I needed to give a directory or something

in room Crack the hash , Task1 #5 , password not include in rockyou is it okey ?

Can you help me with some hints for last challange in the Learn Linux Room?

i have to get the flag from /root/root.txt

i have to get what is inside the root.txt file?

yes

i opened the file with nano and it is empty

yeah

it is empty because i don't have the permision to root

i can't get past the need of permision

try harder
@dusky vigil does the answer inside this? if [ -x /usr/share/mdadm/checkarray ] && [ $(date +%d) -le 7 ]; then /usr/share/mdadm/checkarray --cron --all --idle --quiet; fi
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

the date of today is 9th so it runs at 00:57 on every Sunday,

Did you ask Google about it ?

I had no idea what cron jobs were prior to this, and I remember this one being a pain to do research on.

Just keep at it.

Just keep at it.
@static kiln thank you for cheering me up

i hope my answers rellays here

https://opensource.com/article/17/11/how-use-cron-linux

If I recall, there are multiple areas cron jobs are stored, but one main one.

That's what made it a pain, for me at least.

you're not supposed to create a cron

No, you're supposed to find one.

does the answer inside this? if [ -x /usr/share/mdadm/checkarray ] && [ $(date +%d) -le 7 ]; then /usr/share/mdadm/checkarray --cron --all --idle --quiet; fi

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
@true gazelle according to this formula?

No, you're supposed to find one.
@static kiln ^^ ?

Right I'm gunna politely ask you stop pinging me, as I've had like 5 pings in under an hour

I have very little idea what any of that means, but I remember when I found the right spot it kind of popped out.

i didnt know i was doing it im sorry optional

@true gazelle PM if you want

There are files that store cron jobs. I opened them in vim and nano until I found one that looked viable.

That's all.

There are files that store cron jobs. I opened them in vim and nano until I found one that looked viable.
cat wont work here? becuse im reading with cat

It should yes, but I found opening it like a text file and then closing it when I was satisfied better. Probably just personal preference.

Also helped get a bit more familiar with vim, which I imagine is probably a "better now than later" sort of thing.

It seems to be the main text editor on Linux systems.

ill keep looking , thank you all

Best of luck. Once you really feel stuck I'll try to offer a better hint without totally giving it away.

Much appreciated!

But like optional said, Try Harder.

If you're unaware, they're not just being a meanie. That's an OSCP thing.

https://www.offensive-security.com/offsec/say-try-harder/

If you're unaware, he's not just being a meanie. That's an OSCP thing.
@static kiln i dream to become one 🙂 i have much of respect to them , just walking thru beginners path hehe

when i try to do the zthlinux and connect, it just says connection timed out

@white salmon Screenshots please.

im using powershell because im using windows

I'm doing the common linuxprivsec room, and I can't become root from user 7

I did everything in task 2 correctly I think and am executing ||echo new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:/root:/bin/bash >> /etc/passwd|| to append that to /etc/passwd

but then I su new and enter 123 as my password and it gives me an auth failuer

Are you on the VPN @white salmon

Happy to be part of the tryhackme community, at work at the moment BUT AFTER. Can't wait excited haha 😁 Have a great day everyone!

fixed it thx

you too!

May I ask the problem, out of curiosity?

well, the room said I needed to install putty and I thought I needed to install it on windows (outside the vbox) so wasnt connected to the vpn as i am in vbox

(im a noob 🙂 )

Ah, no worries. Yeah, if you're on vbox I'd recommend you get a Kali image.

It'll help. A lot.

have a kali image just didnt know i could do that on kali

but now i do ^^

These tests are designed with the web-based Kali VM they have in mind.

So, everything should work on them I'd think.

yup thank you

@nimble onyx I think your command is missing a segment

@white salmon is it echo new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash >> /etc/passwd

@nimble onyx Looks better. Still missing 2 little things

hmm

I'm not sure

Wait, I think I see it

the previous question to "Verify" the command worked with jus that

idk

can u give me a hint?

"2 little things" is a hint 🙂

fair enough

I'll figure it out

thanks!

@white salmon wait, I got it to work by adding new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash directly to the end of /etc/passwd via nano

but when I echoed it in and used >> it didn't work

can ue explain why?

did you sudo in both cases?

What command did you use with echo? Did it have sudo in the beginning? We can't help you if you don't provide more information

sorry

so, I ran echo "new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash" >> /etc/passwd I didn't have sudo but I did have write privs and that did not work

then I edited /etc/passwd with nano, coppied the exact some thing, and it works

Any issues with the crontab room under common linux privesc? Says command not found

No

The room is common linux privesc btw, the task is crontab

It works fine

What command are you getting command now found for?

I ran msfveom -p and the rest of the command as indicated in the instructions as user4

Ok, think

What systems have metasploit installed?

Where don't you want to install metasploit?

You don't want to install metasploit on the target

I am an idiot...I took it literally going through directions. I am good to go

Thanks

@nimble onyx my hint was about the missing quotes :)

You ran the echo command without them at the beginning

ohhh lmao

according to "learn linux" room, How do you specify which shell is used when you login? what does it mean "which shell" ?

Hint: it is specified in a specific file.

according to the question and answer format of 2 chars. I guess its about the '@' symbol

but I think I didnt understand the question

which task is it?

12 - su

@white salmon

@keen tinsel it's referring to Su

How do you tell su what shell to use

@fiery juniper wrong quotes, delete answer

Also helps if you specify the room

@stuck fractal The thing that I dont know what it means what shell. Isn''t only one shell? I know that su user let you change the user but what is shell?

Rule 13

Google

what is a shell linux

you right... brb

@keen tinsel hey man sup

@white salmon found it

oh nice :)

Im doing http brute force with Hydra, page is redirecting to exactly same page whether login is successful or not.(Then real profile page.)

How can I differentiate the success or failure situations using hydra

Any idea?

I mean, capture a failed login request

See the response directly

Do u mean look at the responses via burp or sth else?

Or devtools

Is this for a room?

Yes

Which room?

Symfonos 6

Probably, this isnt the right way

o I can't help you then

just want to try

I haven't done it yet

thanks : )

in learn linux, task 33 i dont know how to find the binary, keeps saying permission denied

Check your current user rights

what can user do?

The find command is useful

yes im using find btw

You'll get permission denied unless you suppress that

It's possible to sift through the denied messages though. Anything where you have access kind of stands out.

ohh sorry, I mixed the questions

what can user do?
@lime junco

thank you found the solution

any body have same problem with ping restart on VPN ?

!multivpn

thanks for help

||learn-linux SPOILER
hi guys, Im on the last task to see the root.txt content. I found on nootnoot a file called .sudo_as_admin_successfull. is it supposed to help me somehow?||

No

Keep looking

And use || around your message to mark it as a spoiler

2 on each side

cool thanks

@stuck fractal if Im taking a file of root owner with editing for everyone and chane it into script. will it run as root or as the user that ran the script?

I'll give you 2 guesses @keen tinsel

as the user that ran it

First guess, nice

There's one condition where it'd run as the owner

And another where it'd run as the group

@stuck fractal
|| I found that shiba2 file is by root and with all permissions. so I tried to override it with something like cat /root/root.txt but I got permission denied. Any idea why? you said something about where it would run as a owner..... ok I will google about it ||

That's not useful here

Blindly changing files won't help you either

why? if it could print out the content of the file because the script is of root user

When you write to a file that has SUID, it loses that SUID

got you

It's also not the right strategy for rooting a box

Bunch of tracks left behind

^

v

@stuck fractal

I don't have too many tools. It is the only idea the comes to my mind to get an access to the root files -> using that file. This is the way? this file is the right way? or I missing something?

@keen tinsel You don't need any tools beyond the find command

ok

which task is it?

33?

34

34 is pretty easy

Oh, wait

43

No posting answers

i mean it was the task where you needed to just click i read it

but sry

that last one was a bit hard, at least for me

@stuck fractal
||is my direction right? looking for files owned by the root on home directory. found 2 files:
ll
shiba2||

No?

nop

Look for files belonging to each user.

well actually what you found its useful i think @keen tinsel

||the shiba2?||

Not for escalation it ain't...

well yes but its interesting

Ive tried but I couldn't find something that seems useful for me. I mean according to the learn linux step, the only strategies I can think of is like you said. using find to look for suspicious files, but most of the directores are denied. I've tried to look for files with names like "passwords" etc and even found a directory which contains passwords for all the shiba users but I already have it. mmm kind of lost

I mean, to be able to look in a root directory I should gain the root password right? because in this level I haven't learnt something else

You need to be root

There's a few ways to get there

I'm assuming new boxes (rabbit) don't get hints yet?

@inland onyx might be generous

@solid sphinx But i'll give you a hint, it starts out VERY ctf

I got that part... I'm further...

Got user?

Pretty straightforward from there

name yes...

Getting user = getting access as a user

Not getting a username

Am I missing something with gobuster, I'm trying to run a scan using the following command: gobuster -u http://<target IP> -w <location of wordlist> and I'm receiving unknown shorthand flag -u?

ye

right, I know, I have creds but...

@white salmon gobuster dir for bruting directories

Ah, thank you @stuck fractal

sorry, trying to be vague without being too vague

"if a password hash starts with $6$, what format is it (unix variant)?"

i cant find that lol

@solid sphinx DM -- I might be willing to give you a nudge

@white salmon That's the research room, it's easy to find with some targetted googling

That room is one I can say with absolute assurance that every question falls under Rule 13

That's literally the point 😁

are you talking to me muirland?

Mhm

finally got it lol

😩

@white salmon
Have you got to 43?

@keen tinsel we would usually keep these out of the hints channel, but I think this has escalated into help...

!writeup zthlinux

thanks bro

@keen tinsel yes

I answered a bit late sry

Did you make it?

Muirland made that writeup

Paradox made the room

I meant if he could do it with that >.<

I'm losing my mind trying to find the ssh pass on madness. hints anyone?

very helpful I wish I knew the 2>>/dev/null before

@ashen fox Remember that optional is a massive troll with the Bedlam series. Think completely out of the box

Hi guys. I think I'm running low on IQ points going through the Google Dorking Task # 2 lol.

Should I stick to the information provided from the lesson or am I suppose to use google?

Google in a room about Google Dorking does sound rather apt, wouldn't you say?

I'm having some trouble with yearoftherabbit, can someone maybe give me a nudge on the || core dump file || part?

Felt like I would be cheating for some reason lol

@pine basin Literally no one better to answer that than me

...and I have absolutely no idea what you're talking about 😆

DM me with what you're trying?

Sure

@broken kestrel Nah, Google is your friend. Google everything and anything you don't understand

It's the only way to move forward in this industry

Thanks, I'm getting the answers now :p

IKR!

I was reading the text provided like 10 times lol. Came to the point where I tried any word in the lesson that fit the answer length (not ashamed)

Good Times

Scripting is by far taking the most time for me, thus far.

uhh help on steel mountain

nvm could do it with netcat

tried to run it again? / use another reverse shell code

Oh

well

got the same issue earlier.. had to change and retry to get it working

yeah, thanks anyways

oof

hey everyone , so im at the OWASP Juice Shop [Task 4] , how exactly can i implement sql injection ?
i`ve read the whole page from w3s but noting applies on the machine , should i just go on or find somting?
this is the w3s i took my new sql injec. knowlage :
https://www.w3schools.com/sql/sql_injection.asp

i`ve tried to enter a few sql commands at the search bar , and where the login inputs are , does anything is suppose to show up?

@true gazelle Define SQL commands.

As in, what have you tried entering?

As in, what have you tried entering?
" OR ""=" , and more like (uName = getRequestString("username");
uPass = getRequestString("userpassword");

sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"')

Do you have any background with SQL prior or is that just snippets from online sources?

i have no background in sql .

Gotcha, so, the general idea of SQLi is to use SQL syntax on unsanitized input fields to trick the system into running arbitrary SQL, or more often, add additional conditionals.

im watching Hackersploit doing this machine rn ,or should i go into some room (lol)

So for a user or password field, you might want to inject something that will always return true

such as " OR ""="?

or
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

I suppose, I'm not sure what flavor that is as typically for SQL flavors I'm used to strings are surrounded by single ticks

But if it does what it looks like it's doing

Another common condition to try and inject is OR 1=1

So, we often start a SQL injection with whatever that SQL flavor uses for strings, because if the input isn't sanitized it will close off the string it's currently looking for, and you can go ahead and add arbitrary code

Then, it's typical to throw in -- at the end, as that's pretty standard syntax for commenting

So it would comment out anything that would usually come afterward on that line.

is there something i'm obviously missing in regards to the year of the rabbit?

Same, can't find anthing to get root..

knowing Boris i expect there is something obvious easy to overlook

I don't even know what I'm looking for, I have 0 leads :(

i'm just all over the place lol

mmm same here, got rick rolled twice, but got nothing

can someone tell me how do i get the password for questin 2 of Artic Forum from 25DOC ?

@inland onyx any chance we can grab a hint off you

@viral crane mind providing us with a hint :c

👀

last part of rabbit

priv escalation?

i literally have 5 h since i started working on it

yeah

got 2nd user

any pointers are welcomed xD

Search for a program version that may be interesting, this might not help you, but it's all I need to say

Can any one help in solving investigating windows task

hmm, i think i get it

need to confirm

I am not gonna confirm anything else its already a big hint

😛

hey there to every one
im at Linux Challenge Task 2 #5 "Find and retrieve flag 5."

i tried to run||find -name flag/5 | grep flag|| but i get alot of Perm problems ... any hints please?

@true gazelle https://askubuntu.com/questions/350208/what-does-2-dev-null-mean 😉

Also your find command don’t have the good syntax

@viral crane uh, can you DM me with your privesc?

damn lol, i'm still stuck

something a tad less cryptic that doesn't return me a list of 100+ services?