#room-hints
i assume thats what you want? also i must tell that this could have been found by googling something like "linux show running shell"
it is showing wrong ans
ok
If you want a straight up answer Google can give it to you.
man
ok thanks
Hey, could someone help me with Task - 18 #6 of CC: Pen Testing. I have already found the databases but the entries are showing as <blank>, I am not understanding what is the flag all about. I will also share a screenshot. I am just looking for a hint
This is the question, I completed the previous questions and found the tables and databases
But the sqlmap result is showing as <blank>
Hello. [Task 18] [Day 13] Accumulate of "Advent of Cyber". So, I got access to Windows Machine using rdp program. Now, i need to escalate privileges. I found a program 'hhupd', when i click on its certificate link, i can't open it via any browsers even though i have set my default browser to IE.
yea it's a bug/configuration thing I believe. Hint: why is it popping up and how can you make it so it doesn't have to choose between multiple apps?
asking myself those questions led me to trying something out that worked.
I'll think about it. Thank you !
very well haha
also, take my hint with a grain of salt because I just checked it out again retraced my steps and didn't work xD so I may have gotten lucky
luck plays quite a big part in one of the workarounds for it
mhmm but I just tried the "consistent" fix that Dark mentions and it also did not work for me this time around..
@tranquil dagger can i pm for tempus?
Sure
@summer snow By consistent, you mean opening Chrome and IE and then run the exploit ? That doesn't work for me.
Steps from the writeups I found online don't work. I'm stuck lol.
Terminate, redeploy
I realllyy want to find out what's stopping me from clicking that goddamn okay button
I did that too ninja
Hacking isn't 100%
Yes. That's right.
HTB?
Ah
wrong server
can someone help me? room: Geolocating Images[Task 6] I know it is ||Paris Observatory|| but it doesn't fit ?
vulnversity Task4-#5 the answer I have doesn't match which means I'm wrong. I got the reverse shell and ran ||ps aux | grep apache2|| and got ||www-data||
@keen zealot Read very carefully
It's not who the webserver is running as, it's who's running the webserver
Who is running it
Thank you for the hint
Can I have a hint for linuxctf flag 26, please?
also there is a typo there the all files
OWASP Juice-Shop, broken authentication part.
I need some hint lol
jim@juice-sh.op, the hint is "can you find more info about jim ?"
the website allows brute-force, can someone skillful help me in dm on this one (just give me hint, ask me questions etc)
@amber magnet No DMs, but finding more info on Jim here is OSINT
Look at things like product reviews, then hunt Jim down
Héhéhé thanks
Anyone done ironcorp ?
hi guys, anyone knows why when I try to creat payload with nsfvenom on privesc tutorial room with user 4 I get order not found?
Yeah, think about it
What is msfvenom?
It's a hacking tool
Would the hacking tool be installed on the machine you're attacking?
No.
Somewhere that msfvenom is installed
Normally kali
Whatever you're attacking from really
zthlinux || Executing shiba2 returns permission denied, even though I changed the $USER variable ||
Hmm okay
Read what the binary is checking for very carefully
And you forgot to use su after getting the password for shiba2
Oh? whoami returns shiba2
Maybe that's reading $USER
It's not reading $USER
wait
IDK, you've skipped part of the room if you're getting permission denied
I'm going to revert the box and zoom through shiba1 and see if I can fix it
Yeah no, right back into the same issue.
If you're doing it right, it works fine
Can anyone give me a hint on Christmas Challenge Task 9 Day 4 #7?
@idle pebble in the supporting material, there's a sentence. Something like important system files are sometimes backed up with extensions like .bak
ty
How about a hint on Christmas Challenge Task 10 Day 5 #2 https://bit.ly/3flearr
Anyone knows how to exploit ssrf to rce ?
Hunt her down everywhere you can.
@stuck fractal well this probably isnt her XD https://bit.ly/2L00lR9


how do i find php?id= for a website?
hey guys, can someone help me with the avangers room #task 4?
i mean with a hint
@twilit junco you look through the webpage manually
@dark zinc [Task 4] Enumeration and FTP ?
@shrewd skiff yeah so i went into the machine with ftp and was able to connecct
and wanted to ssh also into the machine to use the find comand
but it only worked once, and now i get the :Permission denied (publicky)
"error"
in i dont know how to look for the flag only with ftp
DId you read the room hint?
yes - the passiv mode
Did you do it?
anyone can give a hint on how to find first flag?
@echo thunder First flag of what?
sorry
there are plenty of first flags on thm
tempus fugit durius
you need to get a shell
i mean, it says "entering passiv mode (10,10,82,101,194,221) - it didn't say thatt before @shrewd skiff
@dark zinc so what is the problem? im not sure
i don't know how to search for the flag now
sorry, yeah i mean i did that
and i got a couple of ~ directories like drwxr-xr-x (which i thinks are the permissions) 2 1001 1001 4096 Oct 04 files
but not quite sure what to do now - sorry, i think im kinda bad at describing i guess
if you are telling me that you do not know how access the directory [files] then doing this room is wrong
its with lcd (in ftp) i guess, but okay, ill just try a little bit more
it's just i got every other task finished already, just wanted to complete the room

Hey guys! Someone one I can DM a quick question about Tempus?
@shrewd skiff got it, was actually quite simple (did it with filezilla, so it was more obvious)
@dark zinc super
Hum maybe something else should be hinted for Advent's [Task 18] [Day 13] Accumulate? The original PE is really buggy in this environment.
Quick question for Tempus. Is going for ||ispell|| the right way?
Indeed @white pike
Thanks
is linenum and linpeas both do the same work?
@sharp sage They're different scripts both written by their respective authors, but they both enumerate Linux machines for potential privilege escalation vectors and sensitive files.
@tidal sedge okie thanku....
How to use spoiler tag?
@wintry yarrow Surround the text you want to spoil with four vertical bars(|).
Okay thanks.
Remove that picture. It contains some answers.
Oops thats why I marked it as spoiler.
|| words and stuff ||
it's not about man
you just have to read the task text properly
and make notes
so it's easy to create commands then
@glossy basin If they don't know the flags, they can't write the command.
Man is so huge so I used the --help. Also, this room provided some commands like cheatsheet.
all the needed flags are stated in room itself
@glossy basin Ah you're correct I apologize, it's been a while since I done this room.
it's fine it's fine
I'm using this ||find / -type f -perm -666 -name "*.sh"||.
I took notes while reading and it was much easier then
I'm also taking notes on cherrytree.
I need help to solve this.
@wintry yarrow I solved the first and last one. Need hint for permissions on 2nd one.
I'm thinking the command will be something like this || find /usr/bin -type f -user root -perm -777 ||.
@wintry yarrow for the second one?
-777?
Try investigating what the suid permission bit is
So this is the perfect time to do some research. What is the suid bit? Who does it apply to? What's the symbolic form for it for find? If you answer those, you'll get the answer
Okay, thank you for the tip Ninja.
Now, I'm thinking ||find /usr/bin -type f -user root -perm 2000||.
correct me if i am wrong but i think there should a - before 2000?
They have only 4 stars for the position thats why I'm not using -.
oh ok
@wintry yarrow Use symbolic format
Solved it thanks.
Hey, I'm currently working on agentsudo and trying to find a way to figure out how to do Task 4.2, I thought about downloading the file to my machine but am clueless on how to do so, or even if that's the right way to go. Any tips you guys could give?
@burnt cosmos if you want to copy the image from the that VM to your machine, use "scp" command.
How do you specify which shell is used when you login?
never seen a two char command to do that!
It's specifically asking about su
It's not a command
It's something you can do with su
anyone a lead on investigatingwindows for the task name
im either blind or i cant seem to find it
i know what file it runs, cant seem to find the task name
@red minnow That's something i tried but I didn't have permissions to copy the file on ||james||
Can I get a hint on https://bit.ly/2L1R62X (Advent of Cyber Tsk 12 Day 7 #4)
Have you enumerated?
No
Enumerate
Find out what's running
Try and interact with it
Enumeration is the first stage in hacking
regarding the investigating windows room: is the last opened port a troll?
Was feeling pretty good today until I hit a roadblock on Juice Shop and sql injection
Being lost in the complete beginner learning path feelsbadman.jpg
Hi guys, I'm doing day8 of Advent of Cyber. I need to find a way for privilege escalation with SUID bit set binaries. Can anyone give me a hint about which binary executable I should investigate? Was able to do it through find only for different user, but not sure what to do for the root.
List of binaries: https://pastebin.com/nCNjzWH0
@white salmon the task just says "use basic SQL injection" and the hint is Think of how SQL queries are written to check if a user exists/has the right password. How would you break out of this query? and I'm sitting here like
yeah im pretty sure juiceshop uses manual SQLi
as other users have had issues with it
@civic jungle maybe cross reference that list with the usual root suid binaries on an ubuntu system
Do you know regular SQL @granite ferry
don't remember what you have to do but that hint sounds pretty helpful @granite ferry google how to check if a user exists lots of different payloads to do something like that
@white salmon I do not, so I appear to know less than a complete beginner
yeah I've been researching will keep at it
Owasp is great
owasp is bae
they make a great tool called zap
we have a cow who's the leading zap expert
❤️ @white salmon
@stuck fractal Thanks a lot for a great hint ❤️
@white salmon I'm reading through this, getting somewhere thanks. Generated an error. Not sure about SQL still but I registered myself as an admin just with a post req
Nice
ok much simpler than I figured
Hey there, someone can help me with the Intro to x86-64 task 7? I already have the secret.txt file, but have no idea where to go from here
Already tried to find something with radare but got no luck
There was a forum post, but that didn't helped me
nvm i just got it
but just because of the hint, i didn't understood the reason of the answer
Feel like an idiot even asking this, but in the Blue Primer Networking room question # 6 it asks for the second common private home range IPv4 address. For the life of me, nothing I put in the box is accepted as the correct answer. I'm guessing that I have missed something painfully obvious here. Can someone point me in the right direction?
@stone valley It's kinda like the first one
Most of the providers use a /24 for home networks
Alright awesome. That got me to it. Thanks.
Also, RFC1918 (https://tools.ietf.org/html/rfc1918) if you want to be real die-hard
Was going to mention that but thought it was a bit too far
As I said. Die-hard
It's good to be able to recognise a private IP
Most people don't recognize the 'middle' range, if you know what I mean
anybody on Network Services room? can't figure out Task 4 - Question 4 because ||Working From Home Information.txt|| file opening as empty, also i cannot download it
@viral mason How'd you connect?
||smbclient //<host>/profiles|| @stuck fractal
So you should be able to get it?
i tried that one
giving me|| NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Working||
It worked when I tested it
@stuck fractal i see mate
enumerated each file but still nothing
should i re-deploy the machine?
wut
So
It's trying to GET a file called Working
You need quotes or to escape the spaces
oh i see, let me try
still no, actually im doing it by hitting tab after typing get W
not manually typing it
So there should be backslashes?
i think about that now
let me try
that didnt work either, i tried ||"Working From Home Information.txt"|| instead of ||'Working From Home Information.txt'|| me being silly ¯\_(ツ)_/¯
it worked
thx for help james @stuck fractal
Spaces and quotes will kill us all
yeah, i hate them lol
there's a reason people use file-name-with-dashes
totally agree, spaces are totally useless, but here we are ¯\_(ツ)_/¯
yep. So clear the env variables from it then
Nope
if you run echo test1234 > $USER you're writing test1234 into the file called $USER
ah and echo overwrites
No
no?
You probably used >> to append
But by writing to the binary, it stops running as root so you can no longer get the password
I may have been a little haphazard in my environmental variable commands
Terminate the box, redeploy it
Doing it now - thank you
Someone did that yesterday, and it took us a while to figure out what happened
Lol I recently have been under the mindset of "screw it... whats the worst that could happen as long as I learn?"
so i'm trying to do Task 7, Question 2 on Network Services. its asking me the welcome message but all i got this?
am i missing something? btw, i entered these, both together and separately, not working..
Can you do any telnet commands?
I mean it says connected
what happens when you type in it?
.HELP maybe?
yeah seems like it's working-ish lol
Is there a board that has notifications about known bugs?
Ok cool
Known room bugs should go onto the page but only the admins and creators can submit them
not exactly known bugs though just people bring up what they think are bugs but not confirmed in that room I guess submissions may be a bit more accurate as that means a mod has confirmed it? I think
Ok that's fine. I'll just be searching for stuff in those channels if I get stuck before posting
i typed another bug @stuck fractal , hope it will be solved, its 3rd time im asking for that bug :/
hmm, i see.. so is there any task coming up?
Yeah, someone's working on it
hey there pals
for convertMyVideo the secret directory auth, we need to enum to get the usrname or by using bruteforcing technique to get it?
just wanted to make sure bout it
been messing around with the convert box, i thought it's vulnerable to reflected file download
@idle pebble look in the windows schedule
@dense marlin You don't need to bruteforce, neither enum, use burpsuite to solve the problem.
@dense marlin use the burpsuite to get nice information
or ZAP
hello everyone, so im starting to use the burp suite, now im at task 7 #2 in Advent of Cyber, and it ask to find a password, so i found the hidden path now i need the password so i though that since in the task 7 it says "hidden information can be found in the headers,source code or cookies" and i couldnt find anything in the cookies nor the souce code i could try use the burpsuite but now i have another problem, the thing is when i click "Proxy-intercept-intercep is on" i should get the link data, but instead i get nothing, so i cant click Forward and i cant get the headers, any tips?
i have to make a get request so i can acces the logs and find a password there, is that right?
my bad guys i cant believe tht i didnt saw tht part
thanks guys really appreciate it
i stuck in linux basics task33 can anyone help me plss
i spent hours but didnt solve that
stuck with that
#3
What are automated tasks called in Linux?
Hint: Search for "automated tasks Linux"
I thought he may mean cron
but it aint cron tab
hi, i'm on HackPark, bruteforcing the password with hydra on task 2. The current speed is 32 tries per minute. which means it will take days with the rockyou word list. Is that speed normal or am i doing smth wrond?
wrong*
i was able to increase to 128 tries per minute with t 64 option but that's the max. Would you say its normal speed for bruteforcing password with post requests and i just need to wait?
Find all directories whose name contains the word "exploits"....whats the answer for this?
find / -type d -name "exploits.*" i have tried this but it cant run
@idle pebble look in the windows schedule
@cloud perch Was I pinged on purpose?
@sharp sage contains the word exploits. You're currently searching for directories that are called "exploits.*"
Do machines normally block ping probes?
Im connected to the VPN but pinging the machine gives no result
Same goes for when i use nmap on i
tt
I believe that the windows machines block ping probes I would first go to the ip address itself to ensure that its up and running and then run an nmap scan with the switch pN
@solemn smelt what do you mean go to the IP address itself?
In firefox or whatever web browser your using go to the ip address to ensure its up
how is that ensuring it's up?
and if you don't see a page it might still be up... that's what I mean it's not a definitive test
majority of rooms have some sort of web server up its better than nothing because the pN switch will just waste your time because it doesnt stop even if there is no host
plss help me with linux basics Task 33
Hey guys, i think Attacktive Directory has a bug lol. Can someone help me
The submission form especially
It needs to be through PM, because it contains a spoiler
@last nova?
If it's a spoiler, I'll delete it.
Post it here
just use spoiler tags with || text goes here ||
@white salmon If it's an incorrect answer that's accepted as correct, that's likely to be answer tolerance
No it's a correct answer, not accepted as correct lol
And i'm pretty damn sure my elementary counting skills are still good
oh it's the port question
Yes
Sounds bad
it is :x
How will i solve this?
windows
Uh?
Basically, they were saying they may just remove the question
Failing that, guess like +- 5 from what you counted
Yes but i want to know why it's wrong lol. Am i missing something here or is it just a bug
How does that answer vary everytime
Because windows
it's literally just because Windows.
Windows is the single screwiest operating system ever
I think BrainStorm has the same issue regarding ports
only x showed up on nmap but was incorrect, had to guess in the end and it was twice as many :/
@wraith marsh Did you scan with -p-?
Yeah, I always scan with -p-, I tried with and without, plus various other flags
still only got what I got and not all that the room said
Room THE FIND COMMAND -->task 3 -->ques 6th Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh" (use symbolic format)
find / -type f -perm /g+w -name "*.sh"
What about it?
i have tried almost all type of symbolic format but cant getting
Two problems with that command
One, you've got the wrong symbol. / looks for any of the categories being able to write
Two, (and this is badly worded, I agree) you're not looking for a group called others, you're looking for others, as in, everyone
So not g, in other words
i have tried -g=w ,-g+w but they also are not right.....i am bit stuck over it
@sharp sage Do you know UGO?
yes ....but while doing this i am bit confused
Ok, so user, group, others
it doesn't mean group others as in a group called others
It means the collection of people that come under the category "others"
yes i got that......that not the confusion part.......but while changing the octal format to symbolic i cant able to do that.....
Muri pointed that out to you before
Hey everyone I have a question and need a hint for network services room task4 last question in the task
I have downloaded the rsa file and tried to use ssh2john but it says the file has no password and can't login
Ok, what do you know about SSH key authentication?
You mean the port number ?
Or you want me to write my command here if that's fine
No
I want you to explain what you're doing and why
Because I think you might not quite understand
I know the user name @ip
Keep going
Ssh -i ...
And you get an error saying permissions are too open and then it asks for a password?
Yes
But the file says no password when I used ssh2john
It tells you it's ignoring the file.
Read.
But again
What should you do when you get an error message, before asking for help?
Google
Yes.
Go do it. Rule 13
You will find a super simple fix and reason
I'd also recommend looking at ID_RSA that have passwords and those that don't
It's very very simple to tell them apart.
Let me see and thank you
@graceful nacelle https://github.com/rebootuser/LinEnum
reee don't delete immediately after posting
I'm not getting a environmental scan and I'm not seeing the kernel version
Direction state running ./LinEnum.sh as the usual.
It seems like the first part of the scans been cut off.
Are you in a terminal?
They have limited scrollback
Pipe the output into a file, use more or less or nano or vim to view it
user7@visual ginkgobox:~$ /etc/passwd new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:/root:/bin/bash
bash: /etc/passwd: Permission denied
That's not a command
hashes are stored in /etc/shadow 
wffsdhawhw
Go back to the 90s
30 years ago
You can put hashes in passwd it's just insecure
It's a valid way of adding a backdoor user
ok i remeber that being mentioned in the
@graceful nacelle So. you're trying to run a text file
What do you think you're trying to achieve?
the question quite literally told me to plug that behind the ect/passwd
Not exactly
Tell me exactly what it tells you to do
It says append right?
Append to the file. Not to the path.
Great! Now you've got everything you need. Just add that entry to the end of the /etc/passwd file!
yes
Add it to the end of the file
Not append it to the path and run it as a command... smh
yep now i have a mess of logs in my passwrd folder
...
wat
You didn't do it on your own machine did you?
It's not a folder
Inside the VM
Well damn...
didnt mean to say folder
Someone be a dear and point me in the direction for initial foothold on ironcorp...
Been trying all sorts of dirb scans and not finding anything.
hi. so im doing XSS room, on task 2, im doing the exact thing it says and my payload executes successfully, but i cant find the flag lol
can anyone help?
Probably because there's many valid ways
It might be testing for a single solution
in question 2, what it wants is executing the payload with document.cookie , i did it and js executed
but flag is missing or i couldnt find it
i did ||document.cookie(alert("something"))||
its executing correctly
i even tried with my session cookie but still no flag
||try alert(document.cookie)||
document.cookie is not a function
So they payload that you're using doesn't make sense
You're good I think?
@stuck fractal just a tinsy winsy hint on ironcorp if you please...
@patent token thanks, @stuck fractal im not so good at xss
@patent token can i pm real quick?
@radiant mauve New box. New hard box. You ain't getting a hint from a mod who hasn't done it.
Maybe I bit off more than I could chew
@viral mason It's JS more than XSS
I'd prefer we not DM if it's ok. If it's a spoiler we can try to manage it here.
I've not done that room, so I'm just shooting from experience.
@viral mason I heavily recommend learning some JS, I used https://www.sololearn.com/Course/JavaScript/ to learn so I can recommend
ok. so, when i do ||alert(document.cookie)|| , the js popup gives me the document.cookie value which stored under cookies, but neither output nor ||alert(document.cookie)|| is the answer for question, i couldnt figure it out
@stuck fractal thanks man i'll look for it
It's the XSS room? I'll look at it quick.
yeah
@viral mason Once you dismiss it, the page should give you the flag?
Drop a link to the room?
I might have done that part
i dismissed it but cant see anything
https://tryhackme.com/room/xss @patent token
i guess something is wrong
so executing ||alert(document.cookie)|| on console should give me the flag, right?
Not having done this room before, am I not supposed to know the login name?
Okie doke
You're meant to inject javascript using forms etc
@stuck fractal for question2?
Yea so I just got it
For everything
oh i see
The JS console is not XSS
Welcome.
su
any hint for the flag in "Learn Linux"?
Were going to need more information than that there are 43 tasks in learn linux that's very broad
Sorry, the last one, it's the only one referred to as the flag.
ok, thanks! :D
I try to answer every question I get. Unfortunately a lot of them are extremely low effort and waste my time. I love to help, but please put some work into your question.
@stuck fractal got it! :D great hint!
can you guys give me a nudge on XSS room Task 5 (DOM-based XSS) Question 1? I couldn't figure out what I have to do. ||I think i need to alert my cookie by using <img src="' + imgURL + '" alt="Image not found.." width=400> but im not sure||
thanks man @past night
nay worries
@sick sun any progress with ironcorp? Been banging my head for a couple of days now... No clue where I should be looking for foothold.
@radiant mauve easy room man
@sick sun so no progress on your end either? Lol
@radiant mauve I got root this room man
Hi all, struggling a bit on the final part of Linux introduction room. Any hints/ pointers would be very welcomed. Thank you.
Probably task 43
Learn Linux? @thorny fog
Hi @stuck fractal apologies for the poor direction. Yes Learn Linux task 43
Thank @white salmon
#thanks
Thanks. Being going at this for sometime and proving challenging. New to all of this, so the learning curve has been rather steep.
Privilege escalation is a HUGE topic
Thanks @stuck fractal I'll approach that rabbit hole :]
Privilege escalation is a HUGE topic
@stuck fractal
gtfobins ftw
@solemn smelt Do Hackers and tell me that again
hi! can someone help me out with a nudge on the shell for iron corp? don't want to post spoilers, but if someone can DM me i'll share my progress
any hint for priv escalation in NAX room?? linenum didn't give me a clue...
There is no priv esc in NAX room
no priv esc ?? im not a root ... hmm thanks for your help.. sudo -l crontab linenum sudo version ... all didn't work..
@flat ridge DM me what you used to get a foothold
Hello community, can we retrieve SSH username from the private key?
Google doesn't answered me, all info are to generate keys...
Damn!
Literally just google it
computer science is all about "how to google something"
Google scrawler just scrawl this website xD
Sorry for that, username word is more efficient than login, sure. Sorry for that
@regal trail: i'm stuck at the ssrf, maybe we can exchange ideas in DM? :^
Has anyone completed this part of the privsec course? I'm getting stuck here
cheers @frail ferry, messaging you now
guys i m struggling with networkservices room in telnet exploitation
i generated the msfvenom payload but how can i copy it to telnet session and run it
Hey friends, I'm in the Linux privesc room and I have ||successfully generated an encrypted password, and attempted to add a new root user to /etc/passwd per the instructions. I can see the user when I cat /etc/passwd, but when I try to su to the new user I keep getting an authentication failure.|| I'm not sure what I'm doing wrong, since I'm following the syntax on the task prior that it said was correct.
I've tried googling around for other options, but if anyone has a helpful tip/hint I'd appreciate it!
@weak owl You probably missed the quotes when using echo
Or used double quotes
You must use single quotes if the string has $ in it otherwise bash
Ah I did use double quotes! That's good to know for future reference too. Thanks!
Hi, I've a question about Buffer Overflow Room Task 8, it's broken?
I've tried everything and can't get the shell...
hello everyone , im having a hard time finding the score board over the juice shop i know where it supposed to be , can't find it tho , may i pm to any of you discuss about this?
thanks
no need to pm what do you mean you're having a hard time finding the scoreboard
@solemn smelt
i know where it is supposed to be ||About us Page|| but when i inspect and Ctrl+F ||Score|| it finds nothing
Its a hidden directory I believe; try enumerating more
how?
i cant google enumerating its too big i understand the meaning
i saw youtubers do it
i cant redo their actions
are you talking about the scoreboard directory or the google dev tool
score board dir
i have no idea aboot the "google dev tool" , i haven`t got there yet
use inspect element and sources then try to find your directory from there
anyone completed tempus fugit durius challange? Please PM me
@true gazelle I think Cryillic meant 'use the tab sources'
That is correct
@echo thunder I have, it's a tough one.
@proven bridge I have the shell
Good!
I need a little hint if you can give one
@crude swan it does not work as the explanation suggests. It's unintentionally a much more involved problem. If you feel comfortable writing your own shell code in assembly, you likely have the necessary background to proceed.
@echo thunder Just DM me, since I don't remember exactly where you are.
Hey there. I'm in a live stream trying to do the telnet exploitation. I've created the payload, connected successfully to Telnet, but I can't get a reverse shell. Any ideas?
Is this for the networking services room?
@patent token did the tcpdump work?
Yes
Which yes?
TCPDump worked. shell command did not
The msfvenom mkfifo?
Tried the pentest monkeys equivalent?
I did. That one is up there as well.
I'll try it again later when I'm not on stream
No, top is telnet. Bottom is a horizontal split in same screen.
Mhm I'm yet to give it a try myself, will give it a whirl soon-ish
And I tried the payload with just R as well as with -f raw
I've got it sorted out. Gonna submit it as a bug/feedback
Can anyone give me some pointers for the Tempus Fugit Durius room
hello
I am stuck at using john the ripper:
just trying to crack basic md5 as examples on internet says..i do:
and contents of file looks like:
but I get following error:
Have you looked at the FAQs?
did, it confuses me rather than give eloquent answer
same thing I do work in other ppl videos so im not sure
faq tells me that unshadowing might be the answer..but i am working with custom made list
paste hash into file
@patent token Hey bro how did u get around that telnet problem as i m stuck at the reverse tcp / getting flag step
I think the room has enough instructions to complete it without help
just re-read carefully and try again from scratch
ok thanks guys ❤️
It's absolutely an issue if you've never used FTP before and are following the guide. It's fixed now.
Could someone help a little noob?
with what?
Hello... I am one task away from finishing the Advent of Cyber... I am stuck in Accumulate task where I have to get an administrator access using the hhupd exe
I have redeployed and tried opening the browser multiple times before opening the exe it still doesn't work... Can someone help me out please!
#650425164894568455 check the pins
I found hash file example for john, and I made hash in my file look like it:
still same error
hello everyone
Using default input encoding: UTF-8 βhashforjohn.txt hovno
No password hashes loaded (see FAQ)
I found hash file example for john, and I made hash in my file look like it:
@turbid veldt i recommend to try with jumbo version of john
John the Ripper 1.9.0-jumbo-1 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2019 by Solar Designer and others
Homepage: http://www.openwall.com/john/
I have redeployed and tried opening the browser multiple times before opening the exe it still doesn't work... Can someone help me out please!
@devout stag what doesnt work?
it seems i got jumbo no?
The part where I have to get the browsers working... I tried the steps mentioned in the writeups but none of them worked for me...
@devout stag did you watch the youtube video?
@turbid veldt yes, idk about the format. Is correct to say that john isnt detecting any hash, so maybe changing the txt format
I read that there's a permanent fix to it, I googled in various ways but none of them lead to something similar. I have been trying to get this working from couple of days now.. :/
hi
@grand pivot changed the name and got rid of .txt still same error
anyone did year of the rabbit ?
@turbid veldt i mean the format inside the txt, the format of the text
Hi for the Music Stego challenge the sound file to continue is missing. Does anyone have a copy.
as md5 demonstration on yt i saw guy just throwing hash in there without any : and it works for him so no idea what is wrong
i did, and i have still same error
i really dont know what to say. Out of ideas
thank you though, will keep trying something
Hi there, I would need a hint for https://tryhackme.com/room/basicpentestingjt , final question task#10. || I found the other user on the machine when enumerate || but then I'm kinda stuck, I did check the hint telling me || apart from password, how a user can access a machine || and well .... I'm trying to understand what does that exactly mean , any suggestion ?
By the way I found something || from the 2nd user home folder , .ssh folder > id_rsa_pub with a long key finishing by == I Don't have to type long password anymore! || not sure if I can do something with that
@wary ocean alright thanks!
@signal perch check the directory tree
@turbid veldt, had the same result. My problem was that the hash file was not readable (no read permission). Not sure if that's the problem in your case.
Any hint for the root part of Racetrack box ?? Thanks
I can't really give anything away here @coarse halo -- it's only been out for a few hours.
If @viscid dust wants to give you a hint, he's welcome to; otherwise, ask again in a day or so and I'll give you a nudge
Although even then I won't give much for a box I've tested, small warning
Ok Thanks
@coarse halo do you mind if i ask you a question about racetrackbank?
@pine orbit No problem, DM me
Hello, I'm trying to complete the room cc pentesting I am stuck on the last question on using sqlmap on a vulnerable web application, I am using sqlmap on ubuntu and when I dump the database it displays <blank> I found the table and the column I have to display for the flag but it doesn't display it I only get <blank> even when I specify those parameters. I also tried doing the sql manually. But nothing is displayed on the page. I also tried with kali linux and still no luck :c
Is someone available to help me with the beginner python room? I'm not sure I'm using the base64 library properly.
on Python Room why this code not work : @dusky vigil
```
from base64 import *
#file = open ('encodedflag.txt', 'r' ).read()
with open ('encodedflag.txt') as f:
    msg = f.read()
for i in range (5):
    b16 = b16decode(msg)
print (b16)
```
Can I ask someone about Racetrack? I feel like I'm doing the first but inefficient/not the intended way
@north moat What is the task?
Task 12 @night cave
I mean what does it say?
nothing just i see my input file
seems its not encode to base16
@wary ocean i open flag file but seems its not encode to base16
I can't help actually, I'm simply good at python and don't know the actual challenge
^^
@north moat Read the task more carefully.
i did it manual , but i can't figure it out on python @tidal sedge


hi guys i need a hint help me https://tryhackme.com/room/zthlinux Task 43 plss help
Care to elaborate on what part?
got a problem with the hard scripting challenge
anyone here that can help ?
hard scripting?
Room Game Zone , Last Task
```
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP double handler on 127.0.0.1:4444
[*] Attempting to login...
[+] Authentication successfully
[+] Authentication successfully
[*] Attempting to execute the payload...
[+] Payload executed successfully
[*] Exploit completed, but no session was created.
```
your LHOST is wrong
yes thanks
@night cave yeah the hard one, but I figured it out, appreciate it anyway
@wary ocean I'm not gonna leave you without one final little parting gift. This is a penetration site, and it wouldn't feel right if I didn't hide a flag. There's one flag on this machine and it's in /root/root.txt, everything you need to get there is in this room, So I leave you with this. Good luck and have fun! :)
this one i tried everything
Anyone around to bounce ideas off regarding IronCorp?
what did you do so far?
Ill DM you.
can someone give me a nudge on joker?
I tried with Burp intruder, to brute force joker password
but no success, I used top 250 of rockyou.txt but took forever, so now I am trying with hydra
but also no success
250 isn't a lot for the size of rockyou, we have a stipulation for things like bruteforcing to take around 5 minutes (aka not be stupidly far down the list)
I haven't done joker so can't tell you if that's the right wordlist or not - but I'd hedge a bet that it's most probably
I know, but burp is slow because I don't have the pro version
It is a hard room so you might have to try a few different wordlists and things ^^
haven't done joker yet
I see
Try more than top 250 passwords.
Hey, I've been trying to reverse shell the vulnversity room for a few days, but its timing out every time. Is there a way to make it more stable?
Would refreshing the vm help?
it depends on how you are doing your reverse shell but yeah, it won't hurt
what's your setup/payload/etc?
I'm past the payload. I've uploaded the reverse shell they link from within and changed tun0 and port. Its uploaded after a few attempts, but when I click on the file I've put in, it times out.
I have net cat listening on the port. Could that slow it down?
it's ok if the request to your uploaded file times out, as connecting to your server is a blocking operation and the http server may find that it's taking too long (i'm simplifying a bit)
however, if the payload you uploaded is correct, you should see a connection pop on your listening netcat
double-check that you provided the right IP address and the right port
Heya, anyone on Racetrackbank?
I know its a brand new room so if there is absolutely no hint on it I'll try harder later next week but It got me crazy
I don't like express stuff related to exploit.. it is not something i've experience with 
i can help for the first step
Thanks flan. Looks like my machine just moaning at everything today. Even the access page isn't loading. I'll try later
Any hint you can provide in DM ? just a tiny direction I can look towards ^^
@patent jacinth: using netcat to listen on a port should not be an issue even on a slow machine, i guess that you have networking issues
also, the hosts are not allowed to reach internet, make sure to connect-back over tryhackme's VPN
@viral crane, sure
Ekko, If you're really stuck, look at the hint on the user flag. It's a pretty good hint imo
Hey I am stuck in tweety ctf a nudge would be very helpful
can anyone give me a hint for christmas cyber advent / training?
how am I supposed to find the hash of the password if I don't have read permissions for /etc/shadow?
In the supporting material
There's a line "Sensitive system files are often backed up with extensions like .bak" or something similar
ohh, damn, I had overlooked that one. Thank you!
also, I realized it is possible to change the user password. Shouldn't that be disallowed?
I changed it and then changed it back. If someone else deploys that machine, wouldn't the password be different then?
okay makes sense, thanks buddy
anyone can give a hint on Racetrack Bank?
@echo thunder Honestly, the hints that the room creator give are pretty much all you need. + some googling and a little enumeration
hi guys , i'm in the XSS Playground room. I'm a bit stuck on challenge #3, where you need to comment and change the title using javascript
Any javascript gurus around?
howdy howdy - bluekeep room, trying to figure out why my answer of "cve--" isn't correct. not sure if I'm supposed to send it here, probably not lol
There's no room called bluekeep
sorry it's the blue room
It's actually asking for ms**-***
Ah I got my js working.. wahoo!
I did read it carefully. And I don't want to be pedantic, but it's confusing. The text says "path ... (ex. exploit/.....)" and then the help text says something diff
formatted seems janky ... maybe I need more coffee
@late epoch Then you're looking for the metasploit module
yerp and I pasted it in there like so
yeah a little confusing ... just my lack of depth of understanding
I also now have no clue why my el33t handle now says "Changeme". this sounds like a noob punishment, which I do enjoy
Because your username is a bit offensive
I really don't care, but I guess that's how the Mods feel
Is this the right place for help on one of the challenges?
a hint should do.
I am working on CC: radare2. The final exam
I am looking at the strcmp function in C code
am I on the right track?
this I am aware of. I have a break point there. at the beginning of the program one of the params is -1 later it compares something else
Maybe I am way off. Only thing I have been able to find atm
a little nudge in the right direction would be appreciated
ok. Thanks.
hey... i don't understand something... ha joker ctf #18 ... alias is not defined by default.. then what is the purpose of question??
ok .. you mean no exact answer for #18 ??
No
The alias does not show up every time
re exploit and you will get it eventually
Like terminate and redeploy
ok.. i got your point~ thx
hi guys can anybody help me for djinn? I already got the "prize". Also i have all port scanned with a few opens.. but i dont know how to proceed.
I just submitted a write up for djin
I think next step is to check other services running
Get as much as you can from those
may i dm you?
Hello there, I am messing around in Vulnversity and I have run into a bit of an awkward situation where the upload seems to be blocking my file types, but it is telling me I have the wrong answer...
@pine echo It blocks every file type except the correct one
The "common" file type is common in webapp pentesting
Go to DM so we don't give anything away?
"what common extension seems to be blocked?" seems all of them
of the many find the best answer sort of deal
hmm got it, wording caught me off guard.
anybody on goldeneye? i need to ask smth about ||pop3||
nvm, got it.
@viral mason Congrats!
Hi i need some help with 25DaysOfChristmas Task 18 - Accumulate
Oh hi :p
The last flag of task 18 is bugged
i cannot priv escalate because of the bug
check the writeup for room "retro" to see a way around @wise field
its about a certificate link of a setup file. When i click the link, no browser options comes up
@glossy basin , i did! But no luck, hence i had to ask here
did you try a method with uploading files from your machine? i don't remember the exact way but I did the priv esc without the exploit given there
How do i upload files. Its a windows machine with only port 80 and 3389 open.
did you get RDP access?
yes!
The fix for the bug in a walkthrough is as follows:
The fix presented by Darkstar is what we did to begin with: initialising both Google Chrome and IE before performing the exploit.
yeah, in general you can upload files onto target machine by using python SimpleHTTP server
but check all the write ups for Retro room
there is one different which works 100%
anytime 
Hey, I'm trying to do the "c4ptur3-th3-fl4g" and the first task needs me to decode some encoded texts, but I have no clue as how to guess what is some of the text's encoding. I have tried googling it in many ways, but found nothing for the 7th, 9th and 10th. Someone have a clue for me please?
@solar flicker about c4pture-th3-fl4g, the 10th, try to see all the message, not only the beginning, maybe the last chars give you a hint about what is
okay thanks
@late patio thanks man
hint for the lpe on Tempus Fugit Durius? is it a "home-made" vulnerability or a public one?
There is only one part that I distinctly remember having to script for that box
Anyone I can ask some questions about the room Common Linux Privesc Task 9 #4?
I've read the hint and tried a bunch of things but can't seem to get the command syntax correct.
Which one is that?
"
Now we're inside tmp, let's create an imitation executable. The format for what we want to do is:
echo "[whatever command we want to run]" > [name of the executable we're imitating]
What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating"
Hint: The command is actually just the path to the bash executable "/bin/bash"."
So do you know what command you're imitating?
I know what a bash shell is. But I recognize the hidden syntax construction:
**** //*** * **
You need to know what command you're imitating
yes.
It's the middlepart I can't figure out.
||echo something > ls || This is what I have figured out thus far.
It's the something I can't figure out. The command to start bash.
I tried the path to ||/bin/rbash|| but that wasn't correct
and also the other bash paths have I also tried
Thank you <3
Apparently I know way too little about echo syntaxes.
I think you might be able to get away without practically
But the question says use quotes
So it's best to use quotes
Yeah you can get away without the quotes
Yes it does. I mistook them for the brackets at "being the same", as in thinking... Oh here you want to put your command.
I just thought they were a placeholder basically.
anyone done the splunk room ?
You can just post your question here rather than going to DM's, works best for all
but idk how
How so?
like no ports were open on port 1000
You would have performed an nmap scan right, you'd have got the answer from that?
Port 1000 is a single port.
Ports under 1000
omg
the photo's technically an answer
im so dumb
i thought it was how many on 1000
and i was baffled
i am so sorry
i shd just read next time
sorry
@exotic bane You're fine, dw
Hi guys, is someone available for giving me a quick help with Ignite room?
Ask your question - it works quicker for everyone that way ^^
hey, i'm stuck in task 5 CC: Steganography exactly (How do you check for steghide hidden information) i tried all the flags from the man of stegoveritas and nothing is correct
the task is about stegoveritas
If that's the case then it's still there stegoveritas has an option for extracting just like steghide just use the help menu for stegoveritas
i used the help menu from github https://github.com/bannsec/stegoVeritas and nothing matches
think about what the question says exactly what the question says its there trust me
its not on that help menu though
@solemn smelt thanks , it's done
np
anyone do racetrack bank? my method is working, ish... would take hours to get enough of what I need even with my script. Could anyone give me a nudge?
nevermind got it! didn't optimize it very well haha
hey look a channel for people who want hints on a room
hm i should use this more often
Hey Room Can anyone assist me with the Intro to Python room?
@chilly lantern When asking for help, best thing is to just post which task & question you're stuck on. I haven't done the room yet but am sure someone will pipe up
what help? be more specific, what have you tried and what code section is hard for you
I tried doing the base64 but the output is blank
@chilly lantern Opposite order perhaps, see what the outside encoding is

