#room-hints
need some help on Tempus_Fugit_Durius specifically the initial foothold. any hints? (I've tried the burpsuite method and got filename too long, so I'm assuming I either need to encode it differently or it's not the intended path.)
DM's are welcome
@stuck fractal That worked - you guys are awesome
@untold birch: did you identify the vulnerability?
@frail ferry no dice.
Hello, I am finding myself stuck at task 2, question 12 from RP: nmap.
The question says:
"How about if I want to scan every port?"
I thought the answer was somewhere along the line of -p0-65535 but I am wrong. The answer format is *** can anybody help a newbie out here?
the question is looking for 3 characters
you're providing
9
specifically: it's looking for the switch
Thank you for your help @steady stratus You mean there is a specific flag for nmap that makes it scan all ports?
An option for an existing switch, but yes
^
Found it! thank you.
nice one
hey, any hints for task 7 (Geolocating Images) ?
Well this is late @abstract apex however think about what direction you're facing as well as what landmarks are around to identify where you are
I need help :3
Three picture, three hints: hide, comment and walk away
first is steghide, second is exiftool comment
what could be the third one
the information is stored in the picture, the hint is "walk away"
it was binwalk
Any suggestions on a password list for Jack? Rockyou is obviously too long. I have the user names already, and working through a 10,000 list from Github, but nothing yet.
@patent token I used rockyou, ngl
@solemn smelt i used the plate of the taxi, i found that the vehicle belongs to London, Borehamwood (formerly Stanmore) but i can't recognize the crossroad
Okie doke Ninja. Thanks!
@abstract apex that's not task 7
Just look up the name of the crossroads you'll be able to find it
@solemn smelt you are talking about task 4, i'm stuck in task7 (4.png)
Okie doke Ninja. Thanks!
@patent token There's a faster one that's quite small
oh?
@abstract apex I honestly can't remember that one could you send the pic?
Hello. I'm new and just starting and I'm following the beginner pathway. I've completed the introduction to research and Learn Linux rooms. I'm currently stuck in room Linux challenges task 2 #8. Decompress and get flag 8. I've found the file I need to decompress but I'm logged in as Garry. Any hint would be appreciated
okay so im doing blaster and right now im trying to do the exploit with the hhupd but in order to do it the machine needs to be able to surf the web is there another way of doing it offline
@cloud perch no, there's no need for that
it's going to work without global internet connection
@pallid bough you probs didn't read it but task 2 #2 says: Log into bob's account using the credentials shown in flag 1.
Mayor what can i research and how if i wanted to start with a phone number
@TheMayor speaking about Open intelligence sources
Hi Darkstern
Is there a place where we can see the medals we won in a room we have already completed?
There's better ways of phrasing it though @white salmon
(sorry for ping other user)
Of course there are, i already said i'm sorry
Only certain rooms have badges when you complete them - you can see them on your TryHackMe profile @summer vortex
Yeah I saw as I sent it, thanks for apologising.
you can also see all the available badges here: https://darkstar.will-never-love.me/GIqrG6oFvUFv.png
in the badges tab
@steady stratus First of all, thank you so much for your answer
So guys, what can i gather on the web and how and if there are with which tools
@wooden mist I already checked but i can not find even i already completed room
If i wanted to research on my phone number for example
@wooden mist for example "Basic Pentesting" room's completed badge
basic pentesting doesn't have a badge 
I'm not quite sure what the criteria for a room to have a badge exactly is
I started penetration testing so recently and it was my first room which I completed
You have this on your profile if that's what you mean? @summer vortex
so I just wanted to share on linkedin
yes like these
when you complete a room it generally shows a kind of badge automatically if you want to share
I believe you can do that in the pop-up after you complete the room. But hindsight you don't get the pop-up again later on. Best you can do at the moment is use the "Share" button in the room
I believe that's the closest you'll get to a "I've completed this room" at the moment other than your profile. Maybe something for #544951750801752079 ?
Yeah
That's the only time that will popup - you cant get that to display again when you come back to the room in say a month or so
but i got the answer
@summer vortex coolio
^^
Hi there! Has anyone here done the 'The Impossible Challenge'?
I have decoded the text on that page and tried cracking the zip. But unsure where to go from here. Hint on the page is not very helpful (yet, I think)
@grizzled glacier you're looking for a very specific way to hide information.
interesting. even before i manage to extract the zip then?
any hints on how to identify what the encode was used for the text on impossible challenge
?
Network services room
@shy sinew can you please avoid posting answers
telling task and question number is enough for us to understand
Ohhhhk next time I'll take care of it
so, what was the question?
How to perform the ping on telnet session using .RUN
But it's not working
did you get your tun0 for the ping?
it can be found in tryhackme.com/access
"Internal Virtual Ip address"
Yes I have mentioned the tun0 ip of mine
Can u pls tell me the ping command (using .RUN)so I'll know that I'm sending right command or not!!
A note is written after the ques that -you need to preface with .RUN what is the use of that??
that means you need to put .RUN before the ping command
.RUN ping [tun0] -c 1
tun0 replaced with your IP value
Hey, i would like to get a hint in finding the Joomla version on the Daily Bugle room
nmap?
if i -A, i get only the apache version
what other tools have you tried to use?
gobuster
also gobuster on the /administrator
and found out https://gyazo.com/6a175febfd7f99a17e0c9d028f2cc5ba but i think it is from something else
did you google? lots of ways to find it out and a simple google I just did returned many things to check from the first few results of google
on google, they said to go on the dashboard and i dont have access
clearly didn't google enough, google without access..
hint: even without admin access there might be files you can read that have the version. it may be several directories deep so fuzzing it may not work. also for other things if they're opensource you can check through github etc
you need to find other tools that help with that or files on the system
information gathering. that's what you need to do
i used gobuster to see if there is a kind of info page
i'd recommend not using a tool and doing this manually but yes tools exist for stuff like this..
ah, i didn't know there are tools for this
ill search deeper now
got it :)
thanks @warped fox, found a script that finds it in a directory
i was close but didnt look into that directory
nice but again I suggest getting comfortable googling stuff like that since while there's a tool for this there are hundreds of sites or cms that won't have automated ways and googling to find the right directory or cloning the repo and searching for it yourself will prove to be very handy
okay :D
looking at the linux challenge room and stuck on flag 7 PS and top dont show any flags
a hint regarding question 3 task 1 in the Wifi Hacking 101 challenge
?
resolved
thanks
i didn't think too much
figured it out missed a switch
Can anyone help me out to find the admin flag in pepega energy?
Please refer to my suggestion in the other channel.
You need to provide more information regarding your current position in the room/challenge.
@patent token channel name? I am new here so don't know much
You replied to my comment in #thm-community-media as you were posting in the wrong channel. I recommended that you provide information about your current situation in the room/machine. Doing this will help folks want to help you, as we don't have to dig for answers that way.
Can you please provide context/information about your current situation in Pepega, so that we might be able to provide you with appropriate help?
i want a hint for a challenge. The challenge is plethora. I need a hint for the flag on juice shop if someone can help me please.
@echo thunder So, the RCE is broken for that as it runs in a docker container
ok
You can root the host, and find the flag via the files for the container
That's the only way we've found unless there's LFI or something
You just did...
They are probably asking for permission to dm him.
can someone help me with a docker image please?
@echo thunder find / -type f -name "*flag*" 2>/dev/null
Thanks @stuck fractal
Can anyone help in network services room task 6 ques. 6 ??
can anyone help me, IM TRYING TO CONNECT MY SERVER WITH PUTTY BUT IT SAYS CONNECTION REFUSED
Your server? That doesn't sound very THM related @white salmon
You are, uh, trying to connect to the Openvpn server with PuTTY?
yes
How about connecting to the openvpn server with openvpn, then the target machine with PuTTY?
Have you deployed the target?
Big green deploy button
Have you pressed the Deploy button?
Did you go through the Tutorial room @white salmon?
yes, the linux basics tutorial
i dont forget nothing of it yes? i said bcs im not paying
yep
That teaches you how to deploy machines and use the site
i forgoted, principiants errors xd
Maybe go do it again to refresh your memory
Can I get a hint for https://tryhackme.com/room/ccradare2 final exam please
@burnt cosmos That is right -- please delete it
@inland onyx Website says otherwise!
Try it without caps
Oh, no, sorry
Try it without the -
The caps won't make a difference
Just checking the format I used
Amazing! Ty
Np
can anyone give me a hint for room The Cod Caper task 4? I'm not getting anything with sqlmap, trying to exploit a login form.
im supposed to get an admin username/password
@patent token in pepega , i have found all the answers but not the admin flag , last what i did was change the password of zachary by using the password_change command and logged in via rdp, i then came to know that zachary is the admin itself but couldn't find any flag for the admin
Which # are you referring to having difficulty with?
Question 2 @patent token
@spark monolith (Creator here) If you managed to gain access to a friends computer, what is the first thing you would check? Think incognito mode...
dan, did you really hide it there? Nice.
how do i look for ssh password for my user?
@strange basin SSH password is the system password
@strange basin If you're doing cod caper, then say
@odd void I literally forgot that ,thanks
Will continue from there ! 
np!
@strange basin So, find might help you
But SSH password is the system password unless you have SSH keys set up
.ssh is used to store ssh keys
But if you're looking for a password, a key isn't a password
anybody here?
Heya Ninja; I'm doing the advent christmas one and on task 11 I don't understand the first question
I've done the others, did everything I was supposed to
but I don't understand what the question is asking me..
I'm gonna be honest
sure
People are less likely to help you if we have to go and find the room and task and question
Yea was just thinking of that
Make it as easy as possible for people to help you.
Data is information
Filter the packet capture to just DNS
See the suspicious one(s)
See what you can do with that
I did that too but didn't find anything relevant. I'll try again
thanks for the hint buddy
@next glen Some research gets you a long way https://blogs.akamai.com/2017/09/introduction-to-dns-data-exfiltration.html
Written by Asaf Nadler and Avi Aminov Updated 2/14/19 After the initial publication of this blog post, Asaf Nadler and Avi Aminov wrote a paper on the detection of malicious and low throughput data exfiltration over the DNS protocol. The...
lol that's literally the first one I had searched. Thanks, will read that
tbh that sounds really noisy
With JWT, or the challenge in the room?
Challenge in the obscure web exp room
Ah I haven't got there yet so I can't really help
Like I have the new signature, and the modified header, but I'm just confused as to what the goal is, and what to change the content to
And how that would help me get a flag anyways
True, there's not like a visible user object in the body tho
Hopefully to get a flag
@wary ocean what part of JWT are you stuck on?
I just don't know what I need to change in the body of the token
Do I just change it in general?
section 3 or 3.5?
3's challenge
token's body contains a data portion
Right
there's one thing that imo is obvious you should change
Yeah I reread the question, I thought I had to change it to something specific
i changed it to the first thing that came up
Never fear para is here
the first logical thing
To destroy jwt and everything it holds dear
jwt 
I read the JWT RFC da*n it
Para you are my god, JWT is seriously the worst thing to exist ever
besides EternalBlue
I hate it too
Para you are my god, JWT is seriously the worst thing to exist ever
@wary ocean you haven't seen bad codebases you need to somehow change without breaking stuff, that's the worst thing that exists on this world
Agree
Random use of global variables when you don't need to
That affects the state of an internal function
static's everywhere 
Variables not accessed outside of the main() function
so like
i successfully didn't screw it over to the point it broke everything, but it didn't work
what do i need to set for the data?
so if you have noot in the data section it gives you noots, maybe change the noot to something you want to receive?
tbf i didn't run it beforehand to know what it did, that probably would have been a good idea
Changing it to flag or flags doesn't help
are you editing the key like the room shows?
Running the commands that are in PayloadsAllTheThings
try using the token editor auth0 has
http://jwt.io/
Has an error with header
Nevermind, I fixed it
Sending me an error about an invalid signature, is it alright if I dm you my procedure?
Sure
hello,
is the binary file the way to get root or just the ||job || (Racetrack Bank) :d
Both together
o:
the server deploy on task 6 in ZTH: Obscure Web Vulns is not working
the button is working
but I cannot access any page
@echo thunder #site-bugs
i posted here because maybe I am the only one that is having this issue
anyone to help with the Buffer Overflow room ? https://tryhackme.com/room/bof1. Im stuck at task 7 and don't find any information anywhere
can anyone ping me ? I need a little hint for the ZTH: Obscure Web Vulns
guys i need help, Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
it puts in putty
and i have one thing in putty when i connect the server, 11packages can be updated
Instances that you deploy don't have access to the internet @white salmon
there's no need to update apt
shiba1@nootnoot:~$ apt
apt 1.6.12 (amd64)
Usage: apt [options] command
apt is a commandline package manager and provides commands for
searching and managing as well as querying information about packages.
It provides the same functionality as the specialized APT tools,
like apt-get and apt-cache, but enables options more suitable for
interactive use by default.
Most used commands:
list - list packages based on package names
search - search in package descriptions
show - show package details
install - install packages
remove - remove packages
autoremove - Remove automatically all unused packages
update - update list of available packages
upgrade - upgrade the system by installing/upgrading packages
full-upgrade - upgrade the system by removing/installing/upgrading packages
edit-sources - edit the source information file
See apt(8) for more information about the available commands.
Configuration options and syntax is detailed in apt.conf(5).
Information about how to configure sources can be found in sources.list(5).
Package and version choices can be expressed via apt_preferences(5).
Security details are available in apt-secure(8).
This APT has Super Cow Powers.
shiba1@nootnoot:~$ install
install: missing file operand
Try 'install --help' for more information.
shiba1@nootnoot:~$
wtf is that
and the connection failed?
please read above
Instances you deploy on THM do not have access to the internet
hence the failure to connect when you're trying to apt update (of which there is no need respective of whether or not it can connect )
gl hf!
im in linux basics, and i need help, im learning the man command, so i put echo man and im in good way, but later
No previous regular expression (press RETURN)
and i need to get "
How would you output hello without a newline"
i dont understand nothing....
im a hacker
so is -n echo hello
but rlly i dont understand wtf is -n
Then use the manual for echo or --help
[command] --help
guys, how to add text to a .txt
like when i put cat b.txt
cmd can show me whats inside
so i want add text to .txt to test the command cat .txt
Google it
xD
Yeah, questions like that can be very quickly researched. It's an attitude we really encourage here.
Complete this room to get familiarized with the Linux commands https://tryhackme.com/room/zthlinux
is cat > sample.txt
that's one of many ways
any idea how to achieve a buffer overflow like python -c "print 'A' * 64 + '\x24\x84\x04\x08'" | ./stack3 without using python., maybe with xxd? i tried but can't make it work
@sharp bolt you need something to print your raw bytes
In theory, you should be able to use a file
how to know in wich directory im saving the .txt files?
in home, currently directory of before directory
for put direferents path
or*
have you looked at the https://tryhackme.com/room/zthlinux room?
im on it
It will teach you all the basic commands you need to know like that
Wherever you tell it to.
when u write touch b.txt
By default, your current directory

im google
incorrect solution


Stop. Research.
i was a noob too
Man pages. Help options. Use them.
@white salmon Please go and read rule 13 #rules
Some basic research will give you the answer. @white salmon
ok sry xdç
A really fundamental part of computing and hacking in general is research
ok sry sry
Don't ask to be spoonfed answers. That helps no one.
There's a reason we had to write it into the rules here
@sharp bolt did you take a look at pwntools ?
you can use the "pack" function for your shellcode
hey guys. i'm stuck on a noob question. anyone here to help?
@sweet relic Just ask the question, don't ask to ask
There's almost always people here if you're patient
Of these addresses two are reserved, what is the first addresses typically reserved as?
i've tried everything that comes to my mind but nothing works
its about local ip addresses
the answer has 7 letters and it is not 255.255.255.255
That's not the first, is it.
no its not but its neither about gates nor loops
that would be six letters then
i dont get it
i'm an idiot. i've tried countless things and the obvious one was correct. thank you
I need a clarification regarding task 9 on ZTH: Obscure Web Vulns
What parameter allows us to generate a POC(actual exploit)
Huh?
for the The Caping of Cod machine can someone tell me what i should search for with the "find" command. i have a nc reverse shell but now im stuck
Interesting files belonging to each user
ahhh this is hurting my head ive looked everywhere haha, what is a .pub file?
ok cause there are two files that look interesting to me its id_rsa and id_rsa.pub and idk the difference
I'm on learn linux on task 33 logged in as shiba3 ; trying to find the shiba4 bin. I'm getting a lot of permission denied after running $sudo find / -type f -name "shiba4.bin"
ohhhhh thank you @stuck fractal
@wooden lava File extensions are meaningless on Linux
Why assume it's a .bin?
And also you don't have sudo
Even though it says "The first step is actually finding the binary, I'm not heartless though, so I'll give you the name of the binary. The name of the binary is shiba4." - If i run a search for shiba4 i thought it would come up with a load of directories and files ; I'll go back and see if i can work it out . Ty
@wooden lava File extensions are meaningless really, .bin is completely optional when creating a binary file
No one includes it
Because it means nothing
Okay, in Steel Mountain, I had problems starting the service for AdvancedSystemCareService9 (would get error 1053). I did this workaround that got me to system, but I was wondering if there is an issue doing it this way. Instead of doing the multi/handler exploit, I just ended up doing a netcat listener, which caused it to work. Any issues doing it this way?
You'll still get a 1053 error
1053 means the service didn't tell windows that it started
Because you replaced the exe with your own, it will always 1053
Yes, I did get that. But, the ncat listener pulled up a shell in system before it timed out.
So, I satisfied the box's requirement, but I am unsure if I am missing out on something by not doing it the other way.
The system kills your shell still
Unless you prependmigrate
You didn't exploit it right
You weren't meant to replace the binary
Hm. Okay thanks!
please someone help me with the The Caping of Cod machine, i feel like im on the right track with using the rsa public/private key to log in, but i am struggling and i dont know how to do it. i have already tried putting the private key in my .ssh file and using ssh -i but nothing works. im trying to connect to pingu
ahhh ive spent so long doing something i didnt even need to do, thank you ill keep looking
im sorry for asking so many questions but i cant find anything. i have used find / -type f -user ("user") on pingu papa and root and i have found nothing
Those aren't the only users on the box
Also that's a really weird way of giving "find" the user
^^
Mhm, and it will be in there
The "real" users aren't the only ones who can own files
how am i supposed to supply a user @stuck fractal
find -user userNameGoesHere or find -user 'UserNameGoesHere'
guys on the room "bpnetworking" im stuck on: "How many addresses make up a typical class C range? Specifically a /24". Can someone give me a hint?
I would recommend searching /24 subnet addresses
ip address classes
(i was about to answer before asking my question but you were quicker than me)
hm but Hello there, I am doing the uopeasy room, and got stuck on searching the spot for the blind injection.. like I know its an old room and there is nothing on it to give some hint, if anyone has a tiny hint on where to do this, I will be very grateful
Thanks
I would recommend searching
/24 subnet addresses
@patent token thanks
I'm doing XXE (Task 22) on https://tryhackme.com/room/zthobscurewebvulns and trying to replicate the example: https://i.imgur.com/hATuDB6.png
This is a screencap of my burpsuite. It looks the same as the example, but the XXE is not working. Any suggestions as to what I am missing?
@viral crane try searching for directories with common extension
Yeah I just launched a gobuster on this, thanks ๐
I figured it was the last thing to do
Okay so.... I got nothing really interesting? what am I missing really
in OWASP Juice Shop while trying to find the user data, is there a good way to enumerate column names (of user table) using the union injection in the rest search area?
task 3 of webgramming is broken? nobody ever solved it except room's author
Anyone got time for quick time for question related to Skynet :)?
@velvet flint Ask the question, don't ask to ask
Know what to do for root, but need to escalate to second user
Ive got 3 different passwords and a password hash from database
Hi THM people! Just wanted to request for a kind advice regarding "CC: Steganography" room. I got stacked with flag 3 of the QR code. I have processed the image and obtained 50 files. Not sure what to do or how to proceed? Could someone help? Many thanks!
Can anyone help me with room/kenobi I really dont understand how thats works in task 3 from #3 can anyone give me hint?
@tidal copper did you try scanning the QR code?
Just doing the Network services room on task 4 question 4 where it asks if there is any interesting information from the smbclient session - I've found a document called ||working from home information.txt|| however I can't seem to access it nor can I get it - I keep getting a NT_Status_object_name_not_found message? is there something I'm missing?
@white salmon did you download the file? eg mget *
Yep, still get the same message.
I've logged in as anonymous as it explains to do - when doing ls it shows the file there.
Is it the naming that is the issue - IE all the spaces in working from home information.txt
Quote it
Scrap that - I've done it.
Thanks anyway.
@remote gate was correct, I wasn't thinking literally - I figured the * was for the file name - not realising that it gives you the option to download everything in said folder.
cool and like james said you can quote it if you're using more to read the contents. in the future you could prompt off recurse on mget * and that should download everything you have access to
Thanks!
I'll try to scan it. Shall I use a specific app @sacred kayak
@tidal copper It needs to have contrast if it's a QR code
@tidal copper I just used Google lens on my phone. If you used stegoveritas, one of the extracted images should work. I just used MS Paint to change the colors to black and white (ducks)
I am trying to use google lens but not getting anything
what can I be doing wrong? I used stegoveritas before...
just solved it guys, I simply downloaded the QR scan app for iOS
Hey all, I'm working on the vulnversity room and having trouble locating the web server user. Can someone DM so I can walk you through what I've done so far so I can get a hint?
@tranquil rain you're not looking for the user the server is running as -- you're looking for the user who must have started the webserver
I.e. the only real user on the machine
So I need to do some research on the users on the machine......
just use dirb
whys that
easier to use and less errors
do i have to select wordlist? in that as well?
any hints for finding the last flag on food?
@blazing turtle The flags aren't numbered, so there's no last flag. I know which one you probably didn't find, but IDK which you have and haven't
@stuck fractal can i dm so as not to spoil?
@blazing turtle Ye I made the box
did anyone solve golden eye?
Any hints on: "[Task 43] Bonus Challenge - The True Ending" of the "Learn Linux" room? I tried finding SUID executables but sadly I cannot find it.
The task is to read a .txt file in the root home directory." /root/root.txt" with a user not permitted to do so. It's a very basic room, but it should be possible with what we learned
@vague heart it is possible. Look for files belonging to each and every user
SUID would be a little too advanced
Investigate suspicious files
Yea that's what I thought... Investigating suspicious files is a good one thanks
It's just... I don't know what options I have left.
These are the directories with "root" in their name:
/snap/core/8689/root
/snap/core/8592/root
/root
/usr/src/linux-headers-4.15.0-88-generic/include/config/usb/ehci/root
/usr/src/linux-headers-4.15.0-76-generic/include/config/usb/ehci/root
The top 3 I don't have permission to read. The bottom 2 do not contain a root.txt file
find -name root -type f -perm u=r 2>/dev/null doesn't say much either
@vague heart Each and every user. Who said you're just looking for root? Files named root? Nah.
You know where the file is
That aint the problem
Yea I don't have the knowledge to understand that
@vague heart Go back to the find task
I did
See if you can work out how to find by file owner
Not file name
You know the flag is in /root/root.txt
Yes indeed. So why would I be interested in other files?
@vague heart Because you can't get access to it yet
You need to do recon
Search, look around, investigate
Okay thank you. I'll skip this for now as I don't know what to look for yet
@vague heart Look for files belonging to each and every user. Look at the results. Go from there.
Don't just skip it because you don't know
That's the opposite of learning
@vague heart https://blog.sherlock.pink/posts/mindset/
A surprisingly relevant image. (ty James for finding this <3)
Climbing Mount Kilimanjaro is no easy feat. Seriously. I've no doubt that unless you're some type of mountain sherpa, you'd agree with me on that one. However, I'd like to paint a slightly different perspective, w...
Nice article, thanks!
For someone with fundamental knowledge of pentesting things may seem easy, even basic. But I just learned how to echo "hello world" and pipe the output to a file and find that file again. There's a lot of information needed to go from that point to solving a pen testing puzzle with privilege escalation. You climb a mountain with training and step for step. Not with jumping as high as you can in the hope to reach the top. AKA: the task requires knowledge not yet obtained
There's nothing you haven't learned
You're skipping it because you think there is.
@vague heart You already have the knowledge, you just need to apply it.
Any pointers for The Impossible Challenge? Not too sure what steg-tools to use
Thank you @stuck fractal & @tidal sedge I found the answer! It was indeed possible with what we learned in the room, but I have to admit it's pretty far fetched... But I guess that's the definition pentesting
It's not that farfetched
For me as a beginner it looks like it's farfetched, but I hope I'll one day agree with you.
@warm schooner I've only seen one steg tool online that does it
Could anyone give me a tip for this question on the poloprivescfinal box? i dont even know where to start searching for this info
Look at some standard system files @desert bramble
Specifically, one that could store data about user accounts
hmm ok ill have a look, thank you
damn i was trying too hard, i was looking within that file to see if something had changed
got it now though
Currently on task 21 of zthlinux and feel like i keep reading the question incorrectly. Are you asked to set the $test1234 variable to equal $USER then check shiba2? Or have i misunderstood something
@burnt cosmos Yes, but if you did >> $USER or > $USER then you broke it
And you'll need to redeploy
Damn
@stuck fractal Am i okay to PM you?
@burnt cosmos Why?
Was gonna ask for some help, but I just figured it out! Thanks anyway
We try to keep it out of DMs unless it's something excessively spoilery
I'm on linux challenges ; stuck on task 4. It says the flag is where cron jobs are created ; i've run "crontab -e" and theres no flag there.
Am I looking in the wrong area ?
maybe another user?
@wooden lava Look more into where cron scripts are ran
I feel really stupid to ask about hint for Learn Linux last task about privilege escalation
I think im overthinking it
can someone tell me little nudge ?
i checked for last two users ๐
@delicate plaza All of them, not just the last two
k found
@delicate plaza
I mean that last time and now i was checking for only last two
but i found it
thx
@warm schooner did you get any further on the impossible challenge? i've been stuck for a while
??
Mhm, what about it
Variables and Environment variables
....
Also, that
the answer
Yeah, we don't give out answers here -- keep reading
thx
Hi, i have a little problem with room /rptmux and #task3 - "All tmux commands start with a keyboard button combination. What is the first key in this combination?". standard answer like "default command key" (not literally) doesn't work, I use tmux every day so it gives me a headache..
@white salmon Full name on an english/american keyboard
@stuck fractal Try to not be angry and talk to me slowly, what you mean by "full name"
I'm on task 5 question 4 on linux challenges where I used an FTP client to download flag32.mp3
So I've done that and I've transferred it to my virtual computer provided
how do i listen to it lol the audio doesnt work oops
is there a way I can configure audio in this browser embedded machine?
you can upload the file to an online text to speech
true!
Anyone able to give me a hint on how to find the third flag in Jurassic Park room?
LOL!
@steady stratus Thanks for the hint, I'll try to find some better website tho lol
@proven bridge
I'm not allowed to make a comment there
Was going to say, if anyone is struggling with the "The Impossible Challenge". Big hint, The answer is literally on the room page and requires no bruteforcing.
If you need further help, just ping me. I'd like others to learn this.
hi i'm doing the Wireshark CTF's room and i'm stuck at the last question Extract the RTP stream. What is the audio file from? I extracted an audio file with a boy yelling but i don't know what to answer
Unlikely if it's a voice
im doing https://tryhackme.com/room/dogcat and i got stuck i tried file inclusion to get access to /etc/passwd but i couldnt i also tried to access the log of apache but couldnt http://10.10.199.239/?view=../../../../../../../../../../../var/log/apache2/access.log cat i added the cat cause i noticed when the view doesnt contain cat or dog it doesnt let me get the file inclusion error
i just need some sort of small hint
try including the dog/cat in a different place
@deep girder This might be of interest to you. Also a great resource to keep bookmarked https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File Inclusion
Unfortunately due to the nature of the Kali Machine, bookmarking would be completely pointless
When I have the chance I want to write a bash script to send post requests in a loop with a delay to keep the box alive and just have that running in the background forever
@dusky vigil did you try every method on the link?
and if not how did you pinpoint the right one to use
i watched the start of your video writeup cause i was so stuck and there is no way in hell i wouldve done that /cat/../
and you did it so easily
@wary ocean why... just get a 2nd hand laptop/desktop... set kali on it and you're done, it doesn't need to be THAT heavy/expensive or a VM
Can anyone see what is wrong with this /etc/passwd entry? i got the previous question right where i had to type out the entry and i just pasted it in and it says no password for user new. The hint is to escape the $ so i removed them and nothing happened
@desert bramble it won't be helping that you've not set a home directory, or gid, by the looks of things
anyone can give a hint for Ironcorp challenge?
How do I transfer a file from local machine to a windows machine that I have a shell of?
scp or ftp maybe?
hey guys, can I get help for christmas cyber advent, the one where I have to do privilege escalation. Whatever I do, when I run "whoami" all I get is "igor" and never "root"
although the suid bit is set as root
if the command/file is owned by root, why do I get igor instead??
I'm going crazy over here..
I was able to cat the first flag, since it is owned by igor
any hint on tempus fugit durius. I get the first shell when trying to upload file
anyone completed tempus fugit durius?
There's no need to ask multiple times, especially when your first request was also the last comment posted.
If someone is around that has done it and is willing to help, they will.
Can anyone help for the Innoculation Room ?
Ask your question not for help
alright sorry where can i ask for hints or any nudge when I am stuck in any room?
You're in the right channel but just say what you need help with
I need help on how to abuse the webhook I researched on data exfiltration using webhook but nothing worked. So am i missing something
hhi
me ?
can i get a hint where i can get the password for shiba3 in the learn linux room?
from the binary
Solve the challenge that the binary is checking for
Then run it
Then you get the password
The Impossible Challenge Hint?
I dont know what those abcd's mean which are above the question
Please mention me while answering
Then run it
@stuck fractal cant im getting this "segmentation fault (core dumped)"
Hi... I got stuck for a while in the learn linux room... the room was explaining su command, and after that came question: How do you specify which shell is used when you login?... Could someone help me where to look for this? Thank you
@mild apex google it
@zinc plume then you haven't satisfied the condition
@zinc plume Hi... thanks for answer, I'm trying to but i'm not sure if I don't get the question... I try to look up how to change default shell none of the commands have two characters
do you want the solution to the question?
@zinc plume I found only ps and $0 ... I guess I could use the answer since this is coming to a dead end for me
oh so it was a part of su command ... thank you
@zinc plume don't post answers.
Guys, I'm stuck on flag11 for Linux Challenges. I've found the place where aliases are stored, but when I cat .bashrc in the /home/garry directory there's no flag11 alias nor is it in the cat bash.bashrc in the /etc/ directory... Am I missing something?
any hints for impossible room
@brittle kite Try a different user
Nevermind, I had a brainfart that worked out for me
@neon zenith Try decoding the hint?
I've been stuck on it for days, and now it suddenly came to me
It is
Nothing unusual -- just some common techniques needing applied in a particular order
alright, thanks for info. i try googling for that
I'm currently on 'Cod Caper' task 3 where it asks you to run gobuster - which I am doing but all I get back is pages and pages of what look like links to things. It doesn't matter what extension I use .php, .txt, .html it all comes back the same? Is this correct or am I doing something wrong. If it's the latter any hints?
**sorry I meant to put the pic as 'mark as spoiler'
Anyone who's finished Anthem have a hint? I've successfully RDP'd to the machine, done what the hint suggests, however I cannot see the object necessary. Am I blind?
@patent token very likely
I don't see how honestly. ๐
what does the hint suggest
I've unhidden everything i can find.
what locations did you check
I mean, I ran unhide on the entire machine
o.o it's a tickbox
Yea, I've been doing that too.
it's in the most obvious location
This be why I dont CTF
You will truly kick yourself
you'll 
Yea, not getting it unfortunately.
I've been in the file explorer for two hours.
I'm not sure how. I've gone through no less than 10 different directories now looking for whatever it is I'm supposed to find.
I've manually unhidden everything. Tried changing perms. All of it.
it's easier to just message me, i can give you a better nudge
On anthem: I feel this is right in front of me but do we || use solomon/jane's login to the box or bruteforce the password?||
True. Just a sanity check while I was resetting my vm
About[Room:HackBack 2019,[Task 4] [Web Exploitation] [Medium] Jurassic Park,
#5 Locate and get the first flag contents.]
I log in as dennis and find "flag1.txt".
submit "b89**********************f", but denied
Does anyone know how to solve it?
I'm on the last question of bpvolatility. Uploading the files to hybrid analysis and virustotal isn't much help to answer that last question, I've gone through it like 5 times. I see the malicious files, but nothing comes up that fits the 6 digit requirement for the question. Any help?
Nvm, I found it. Hybrid and VT were pretty useless.
can i pm anyone on where to look for the hidden file/folder in the anthem room?
been digging around for 1 hour already :/
Sorry I haven't done it yet
@restive kestrel Same here
@woven pumice I've already reported this bug, I believe Dark is working on fixing it.
@shy sinew look at the poem and hints
And ques 8 ??
try to find clues look at hints
Thanks buddy
I'm unable to get the initial acces to the machine TASK 3 ques 2?
remmina or whatever rd you use
Username password didn't work?
it does?
Username password is same as for cms login ?
have you tried?
HELLLLLLLLLLLLLLLLLLLLLLLLP
Yes I tried
I have given the usrname the email of admin and password found in the TASK 1??
read the task, you are complicating it
i already gave you a pointer. read the task carefully
@past night any nudges on this hidden file??
Most obvious.. let me see
For anthem?
yes
Look at hidden files in Windows if you haven't already then the flag will be obvious
@warm schooner i'm looking at the hidden files since the beginning
but couldnt find anything
as i mentioned before. it's easy to overlook as it might resemble something else
@past night, did you have to change the files ownership when getting the flag?
the flags have permissions by the user
but he's stuck between user and admin where there is a catch to it
Just finished that room, and all I can tell you @viral mason is do a little research
what makes you think it's not it?
improvise, adapt, overcome
@past night clearly i didnt think changing them perms would work lol
i got it thanks
hehe loool
@viral mason Can i DM you?
@warm schooner I also see a file but i dont have permission to open it. I dont know what to do
@final lark open the properties and go from there
Okay
@final lark sure
When you say "hidden", do you mean with the hidden property? Or hidden in another file?
I've been wracking my brain over which it could be for the past 20 minutes
It's not visible
@burnt cosmos think simple, it's just hidden
what does hidden mean to you
Not visible
By ticking "hidden items"
there you go buddy
Hey guys, what am I missing here? Nmap doesn't give me much
@round fog My scans for that box were super weird, i ended up running it with just one parameter, try it without the T5
Nothing really changed
@round fog what room?
I've tried a lot of different scans and still no information
Network Services
^ room name
@viral mason Yeah the answer was staring me square in the face! Thanks for the help
Try running, just an aggressive scan
He's doing telnet enum atm
Yes Task 6 @warm schooner
@burnt cosmos np bud
@round fog the answer isn't in the NMAP scan.
It's asking what you think you could use the port for - when people look for ways into systems they find something..
It got me for a bit until it clicked.
Ok thank you @white salmon and @warm schooner !
Have you got it?
not yet
guys any help regarding anthem finding admin password
Ok - want a clue? @round fog
i have been searching for a long time
Sure @white salmon ๐
So as I said above, you are looking for a way into the system, admins & creators sometimes leave them these things in so they can get back in anytime. It's something that you have on your house.
It's a bit of an obscure question as it stumped me a little.
But I kicked myself when I got it
Thanks @white salmon I've got it. No idea how I would've figured it out without your hint.
yeah
@round fog u got the answer for what that port is used for ??
Yes @shy sinew
Actually I didn't find it
@shy sinew Check the DarkFighter's hint
So as I said above, you are looking for a way into the system, admins & creators sometimes leave them these things in so they can get back in anytime. It's something that you have on your house.
@white salmon This one!
Got it
I'm on the same question and finally got the answer
Thanks for the help guys
Also do you not think the *s are a little off-putting
Since they say the format is like "* ******"
My answer was only 8 letters long though
And it asked for 1 letter then space then 9 letters
but i've noticed that sometimes if i misspell something the answer is still correct
@shy sinew Do not DM me unless you ask my permission first - I think you need to check the rules.
@shy sinew What is the issue you are having?
Ohkk
What exactly is the problem that you are struggling with?
help me ROOM Network services TASK 4 ques 4
Have you connected through smbclient to the box?
Yup
So what do you see that might help you?
There should be something that stands out?
See it?
Ok so the name of the txt file should be shouting to you, so what do we need to do in order to view the file?
If you're stuck I'd suggest using the help command in smbclient - the answer is in there.
Can anyone help me to find Q3 in uopleasy CTF ? , I am not able to understand the question
Got it yet @shy sinew
Not yet
We need to put the file on our local system so we need to use a command that would do that - think about downloading - there is a command.
It's not put.
It's the other...
^
@round fog by any chance have you got to the question about the ping command?
Ya I tried it but error is coming file not exists
a bit of googling will help out wonders
^^
Object name not found opening r.......
Ok, so there is something that we can add to the command to select all files rather than the one that you want.
@fresh kelp Make sure you've read the whole question
^^^^ I got stuck on that - you need to READ the whole question.
I thought I did but I'll give it another once over
How are you getting on @shy sinew
Glad to hear it
Good job :^^
Unfortunately I'm still not sure what I'm doing wrong
Since I think I have the correct syntax for everything
You're adding the .run to your ping command right? Think about where it needs to be?
What's the syntax that you're trying
*preface it..
Yeah I've got the .run
But where have you put it in your command?
No.
so .RUN ping <blah blah> if you have that command then you need to check your netcat session?
try running .HELP
Congrats
Thanks for the hints guys
No worries.
Much appreciated
Hey bois, was wondering if someone could nudge me in the right direction on the flag task in linux walkthrough, very final one
All you need to solve it is within the task. There's a certain user that owns an interesting file. How do you search for files by who owns them? (rhetorical)
Thanks, I'll keep lurking
It's not exactly a traditional privilege escalation
@steady stratus have you done Cod Caper?
Yess! @white salmon
Mind if I DM you a sec, just need advice on one answer?
Go ahead, I might take a minute or so to reply but sure!
@vague moat What's up?
Hi guys i need a hint for the Hydra Challenge, where do i get the RockYou.txt?
/usr/share/wordlists/rockyou.txt
thank you
Stuck real hard on this struggle bus for Anthem searching for admin password (unhid files within explorer...) searched all folders within the user I'm logged in as.... a nudge would be greatly appreciated - DMs are open to all
it's in the most obvious location
hmm can I DM you Chevalier
"What flag deletes every file in a directory?" im stuck i thought it would be "rm *"
@zinc plume That's the current directory, and not a flag
ohh yeah thx
man rm
@forest token sure
can I have a hint for for the new Anthem box? ||I dir'd all hidden files but nothing shows up||
it's in the most obvious location
I disagree.
hahaha, that's not true
yeah, i know. it's easily overlooked, that's why i am saying
if you have not found it maybe you're overlooking something and should take a step back up


