#room-hints
haha found it 🙂
that box annoyed me so much with the admin name... i was googling anthem, the cms, post authors...
and then when i saw the thing, i didn't even need google 😦
haha, i'm sorry
Was a nice little thing to have in there. If I hadn't watched Gotham I wouldn't have got that at all
the accountant @blazing turtle
yeah, great movie
^^
I found the name in || a config file on the box ||
It's very obvious, it may seem like you can't do anything with it in there but you can
@dusky vigil Soooo even though I can see a hidden dir with file, I can't open it. But you say you can somehow view the content of that file?
Indeed you can 🙂
I'm still trying Tempus Fugit Durius, got on the box
Once you find the file it’ll be fairly intuitive as to what you need to do to open it @pine ermine
@pine ermine think of misconfigurations
I've rooted Anthem but cannot for the life of me find flag 4. I might be blind
^ Scratch that, got it. Very sneaky
I definitely did. just found it 🙂 Fun room!
anyone wanna hint me with anthem task 3.3? I'm tunnelvisioned it seems. I'm looking for hidden, but still can't see it ...
You've likely overlooked it
You'll see something that sticks out which may have a misconfiguration
I looked at so many dirs and files. I just can't see it. maybe I just don't get the "most obvious location" thing 😦
It definitely stands out, you'll know when you see
Thanks also, @dusky vigil @steady stratus - I really should brush up on Windows. Somehow I keep skipping those boxes
It’s very easy to skip to Z rather than going through A->B->C for sure 🙂
@marble dagger remember it's hidden
@dusky vigil yeah I ticked that option. and looked into those dirs. but maybe not hard enough
You might be looking too hard
Try avoid over complicating it
yeah I tend to overcomplicate things 😄
It's easily done
which wordlist should i use for gobuster (VulnUniversity)
I've been known to overcomplicate boxes
aight was going straight to rockyou
@zinc plume Rockyou is not a directory wordlist
It's a password wordlist
passwords are very different to directory names
SecLists/Discovery/Web-Content/big.txt is also really good
man it hurts how much time i wasted
SecLists is also really good
FTFY
Time learning isn’t time wasted
Well thats true
🙂
i just wished i knew this site earlier
Aye hehe. Glad you’re enjoying the content!
hell yeah i joined yesterday
Sweet - welcome! There’s plenty of free content to keep you busy at the very least 🙂
Regarding Anthem box. On Task 1 - #8 it's asking for email address of the admin. I have one address but doesn't work. I've tried also using other things to find it but can't seem to find the right one
there is only one address that is on the blog for the CV
could I get some hints from you peeps to find it?
@marsh violet check the hint button
and i'm also ashamed bc I'm still stuck on finding that "hidden" file on anthem. only a small hint maybe? I know it maybe hard without giving too much away
you can search discord history
@marble dagger start from the top
Start from the top ^ and take the given hint from the room quite literally :>
@short sphinx I don't really like doing that
@spring ember @steady stratus searching history here was the first thing I did actually 🙂 but well I'm slow. and yes I did start from the top. but one "obvious" thing I can't seem to be able to access
@marsh violet What's the pattern for the address?
Well try and get access to it @marble dagger 🙂
forget what I said. I'm a f*cking idiot
it was right in front of me this whole time. Just saying, question #7
@spring ember with the password i don't have yet ... I just not used to windows boxes ... maybe I should try tomorrow again
@marble dagger might be super easy when you come back with fresh eyes but you can do what you need with your current account
Think about why you might not be able to access that file?
@spring ember well I think I can't access it because it is owned by admin ... oh and now the vm died on me ... again. maybe thats a sign I should stop 😄
WOW ... I got it ... should have looked at the permissions earlier ... damn 😄
Was going to say, if anyone is struggling with the "The Impossible Challenge". Big hint, The answer is literally on the room page and requires no bruteforcing.
@proven bridge
Can I DM you with a question?
@quiet musk What's the question?
Is the room graphic part of the challenge?
ok @white salmon may i get one hint thats gonna point me in a right direction 😄
Look for files belonging to each and every user
One of them has something suspicious
Use find
@quiet musk Of course
@stuck fractal numbers from 1-1000? 😄
Not that one
I think so
@short sphinx yes i found the others except the first flag
Why wont it run, what am i doing wrong?
@zinc plume You put an asterisk for the login name
user-agent is a browser thing
@arctic kiln you will find it in the same way, maybe check for THM while looking for it
but what am i supposed to do with the file fsocity.txt? Isnt it a passwordlist?
okay
@stuck fractal Update : i got the password for the noot account but i think thats a false update 😄
Maybe the new users have more power
yea did that
i like just typed su noot
and like guessed the password to be noot
Well, maybe there's other users
ill try to find the password for the nootnoot acount
Keep looking for files
i have found ||ZWxsaW900kVSMjgtMDY1mgo=|| that's not a key though, is it encrypted, or what should i do?
Has anyone done the new room anthem
Plenty of people -- best just asking
I'm stuck on task 7. What's the administrator name? Can you give me a hint besides Google
Yup
Yeah, use what you're given on the site. It's a "social engineering" style one. You've got to extrapolate from the data you've been given
I'm so confused sorry I've been up all night working and once I got home I decided to study up on this
Investigate what that = at the end could mean 🙂
@steady stratus i have no idea i only found Base64
@cloud perch The administrator's name is not on the website. You've got to use what you've been given to guess what it might be -- same with the email
You know that he's got a poem dedicated to him -- there's a name related to that poem
It's not directly on the website
That’s right - whether or not it’s of any value you’ll have to figure out @zinc plume
aight
The = or == is padding and is a really good way of identifying base64 (although not all base64 encoded strings have padding)
Got it thanks, poem. I knew something was funny about that poem
Nice one!
It's funny cause I checked everything I spent an hour trying to figure it out. The funny thing about it is when I first started on this room and saw that poem. I said to my self that this poem might come in handy but totally forgot about it.
@past night it's the only way we learn right?
Lol
does it matter if im using Hydra and the text "Username" isnt in the usernamebox , or do i have to use user_login?
bc when i run hydra i get like 20 pws
I don't understand what you're asking and hydra is like second nature to me
You're probably getting 16
And that means it can't detect the failures correctly
yeah i kinda thought so too but i put F (for false) as F=incorrect so it should work
That doesn't mean it can pick up that it's wrong
also im getting the error that the pw is incorrect
oh okay
so should i use ERROR as F= ?
okay thank you
anyone here did the very secure protocol chall on hackback2? not sure if I understand the task well
The hashed PSK is 32 bytes. No password file has strings this long. If you find a password file(rockyou.txt), make sure the minimum length is 32 bytes(do this by copying the same string until it is 32 bytes).
this tells me that the PSK hash is 32 bytes but not sure if i need to repeat the string until it's 32 bytes too 
@stuck fractal you here 😄
👋
One of the users has a file that should have interesting content
username:password is a de facto standard in infosec
ok but its not in the /proc files right?
username:password is a de facto standard in infosec
@stuck fractal ^^
/proc is for internal stuff
so its not there right?
find / -user userNameGoesHere 2>/dev/null
ok so i am trying to find a file thats owned by someone and that file has username:password
yea but by someone i mean like one of the users
what does 2>/dev/null do
wait how do you do that other kind of formating
on discord
backticks
2 is standard error
> is a redirection operator
/dev/null is THE VOID
Basically, send all error messages to the void
Hello everyone
oh ok tnx
You don't need to touch the CMS
nah, only if you want to see how it feels using that CMS
but you got nothing hidden behind it
@final lark trying to figure out how to get into the server. I try doing rdesktop with the same creds as the admin. No luck.
@cloud perch You can DM me & we can discuss more
any tips on racetrack bank on transacting a huge amount of gold? i've been trying to manipulate the request as ||?success=Success!|| , at the end i get ||Success!|| but nothing happens. am i on the correct way?
So does it related with directly purchasing the gold?
Nope
Ok i guess i need to enumerate more, thx Muirland ❤️
it’s probably more about knowing the attack, like Muir said the title is a big clue.
@inland onyx @wraith marsh ||race condition|| maybe 👀
If you get stuck, owasp is your friend.
thanks @wraith marsh
No spoilers
Done with athem thanks for the hint guys
i think getting shell could be harder along with this frustrating gold step.. @wraith marsh
With Daily Bugle I got a reverse shell as ||apache|| is there something I can do with that or should I find another way in?
Yeah, keep enumerating @vestal igloo -- that shell is the way forward
thanks
@vestal igloo yeah that box was a little hard for me at first
@vestal igloo if you need a hint I'll give you one
hi can i get a hint on task 3 for the anthem box? im having issues figuring out the username and password to log in to the remote desktop. can anyone point me in the right direction? i think i overlooked something but for the life of me i dont know what it is
@wicked sluice use the info you get so far
ok i must be over thinking it lol
try some logins with the info you get from the other task
ok ty @short sphinx
it helps to think about what credentials someone would assign for these people
@tribal ginkgo Did you look at pages which aren't for humans? If you know what i mean.
Can anyone give me a nudge on flag 7 (name of admin) of Anthem? I crawled the website, but couldn't find anything. Using dirbuster gives me false positives.
read the blogs
did read them, tried both author names
I have the key file but I'm not able to login through ssh ??
@obtuse charm content of the blog
What can be the username for ssh login ??
@tribal ginkgo thanks, got it
hi any hints for this for hackpark
i tried running ps on meterpreter but seems i dont get an answer
Run PS command
See source code of all the pages
@shy sinew anyone help ??
thanks don't know how i missed it before
anthem - rdp , I am using the credentials used to login to cms, but not working
cms is hosted on a domain, rdp is not, does that make sense?
@tribal ginkgo Flag4 is similar to another flag you already have, and you already have the RDP login, just don't over-complicate it
I have user.txt of anthem, but unable to find anything that could help me go further
Any hints , I've enumerated pretty much all interesting folders including the hidden files and folders
the thing you're looking for is located in a very obviously named folder
Should i limit myself to inetpub or search other parts of disk?
Hey guys.
I am solving SSTI challenge from zthobscurewebvulns, I got root but there isn't any flag.🤔
@obtuse charm What you are looking for is hidden
@burnt cosmos I'm looking for hidden files and folders as well, but nothing till now,
Maybe I'm enumerating the wrong directory
Currently enumerating the entire sg user folder
hey guys. is there a python module like exiftool?
@sweet relic https://smarnach.github.io/pyexiftool/
thanks. i got it
Check the meta data of webpages
anthem spot the flag-> flag4 any hints
@tribal ginkgo
search for poems "Born on a Monday,
Christened on Tuesday,
Married on Wednesday,
Took ill on Thursday,
Grew worse on Friday,
Died on Saturday,
Buried on Sunday." on the internet
@obtuse charm
@obtuse charm What you're looking for is in plain sight, when you find the file you may have to do something else with it
On 25 Days of Christmas, Day 8 -~~ Privesc~~ hacking is super new to me, ||I managed to get a bash shell worked out that 'find' is controlled by igor using the assist doc. But I'm not really sure where to go from here, actually interacting with shadow is still denied||
Scratch that, got it, I should've just ||skipped gaining user and just opening the .txt||
Good morning everyone. When I try to execute the Rejetto exploit on Steel Mountain room, it says "Exploit completed, but no session was created".
Hey guys. I am new in this field and started going practical. And i tried to do the cmess machine. So everything was going well. Discovered the admin password and tried to upload a reverse php shell from pentest monkey. But whenever I started listening for the connection on my hacker machine, it couldn't connect. i am stuck here
I put the correct lhost and lport
But netcat listening on other side doesn't get incoming connections
I think something is wrong with my netcat. I don't know the correct settings. I guess vm is blocking my incoming connection. I run in Bridge mode. Can someone please help me regarding this
I couldn't figure out
Hey guys I'm in need of a bit of help I'm doing a smbclient task and I've figured it out however there is one question I have no idea about
here is a screen shot https://gyazo.com/0bbed124e70f2a0c2454021f5dba4368
@limpid vine Have a look on the file system you end up in
You should find the remaining answer there
you just end up in / dir
and I think I have the username but I don't know the correct way to format the answer.
@limpid vine can u pls help me in ques no. 8 ssh login I'm unable to login using -ssh -i key file username@ip
But I don't know the username
I'd refer back to question #4 if I were you.
I tried the same but it's asking password and @limpid vine managed to get the ques 8 without the ques. 4
Hi would anyone be able to help me with the Tony the Tiger room?
In particular trying to get the shell
@fresh kelp Just ask the question, don't ask to ask
@fresh kelp just use the exploit given in the materials
read about the CVE also
so you get the usage idea
- you can always check the writeup to see how it's done
I’ve had issue with the exploit in the task so I decided to use the jexboss.git repo
When running it I get the message “successfully deployed code”
But then it error outs and I get a attribute error
“None type” object has no attribute “groups”
@fresh kelp What issues did you have with the first exploit?
can you also screenshot? i can't reproduce any error
the jexboss issue sounds like a python version issue - not totally sure with that exploit technique
But aye a screenshot would be useful 🙂
I’m getting an error about “argument --proto: invalid choice: ‘http://10.10.16.227:8080’”
@fresh kelp A screenshot would be helpful...
One sec I’m on my phone trying to log in into my laptop
The output of that tells you what’s wrong
Look at the syntax it’s expecting
^
Hello can any one give hint on the anthem room rdp username
@sinful plaza Lateral thinking. Use the stuff on the website to piece it together
ok @inland onyx thanks
Thanks for the help guys, I guess I was just looking at it all wrong. Took a break and saw my mistake
Is this Tony the Tiger?
Looks like it
I don't remember using all of that extra stuff in my command.
(MrRobot) Im inside the Wordpress account as elliot, whats the next step? do i have to interact with the pictures or switch to the other account bound to elliot's account? (mich05654, is her bio another key?)
Try to get a shell from there
check for wordpress exploits
Don't go for OSINT! It will be a rabbit hole
Mr. Robot was an easy room
don't wander a lot
```bash
#!/usr/bin/env bash
# Usage: script.sh count port [delay]
# Spawns a short-lived nc listener on $port $count times (each killed after
# $delay seconds), then leaves a final foreground listener to catch the callback.
function main()
{
    if [[ -z "$1" || -z "$2" ]]; then
        echo "Not all parameters specified" >&2
        echo "Usage: $0 count port [delay]" >&2
        exit 1
    fi
    count=$1; shift
    port=$1; shift
    delay=1                          # default delay in seconds if none given
    if [[ -n "$1" ]]; then           # was -z, which never took the branch
        delay=$1
        shift
    fi
    for i in $(seq 1 "$count"); do
        echo "Iter: $i"
        nc -lvp "$port" &            # background listener for this iteration
        pid=$!
        sleep "$delay"
        kill "$pid" 2>/dev/null      # listener may already have exited
        if [[ $i -eq $((count - 1)) ]]; then
            nc -lvp "$port"          # blocking listener to keep the shell
        fi
    done
}
main "$@"
```
#room-help since you're not asking for a hint please.
Anonymous: I have all the files from 2 services but still can't find any user specific information. Any hint as to what to do from here?
@white salmon In one of those services there's a bash script that runs, it appears to be on a cron.
What should you do?
I've tried now to edit the script, configure how it affects the log file, and still the same result. Any chance you can link a resource that could help?
Why would you configure how it affects the log file?
It's a shell script that's running off a Cron job.
@verbal wedge i tried overwriting the script but it doesn't seem to be running
You can do whatever you want to it
What did you replace it with
Like what's the script
nc connecting back to me
Yeah there's a reason for that
There's another shell that will work
And it's not nc
hm ok thanks
Good luck!
Hello community ! 🙂 I have a question. I am at the challenge in the "Intro to Python" room. Challenge gave me a text file named "encodedflag.txt". This is a multiple encoded file with base64, base32, and base16. I decoded the first time with base64 the given file. It gives me an output like this ->
b'\xdf}\xf7\xdf}\xf7\xdf}\xf7\xdf}\xf8\xdf}\xf7\xdf}\xf8\xdf}\xf7\xdf.......'
But I cannot decode this string by base64. How can i do that ? Anybody could you give me a hint ?
Those are raw bytes. Implies you're doing something wrong
so neither ||nc|| nor|| python rev-shells|| are working on this script @verbal wedge
@viral mason Remember, python won't be installed on most ubuntu 1804 boxes
It'll be python3
And nc -e rarely works
shit i didnt think of python3
There's others you haven't tried too
let me try and i'll hit you in 5 mins because of the cron ¯_(ツ)_/¯
Lol I should change that haha
@stuck fractal
I got what i am doing wrong 🙂 Thank you 🙂
@viral mason did you try bash ? 🧐 worked for me
tried but i guess i did something wrong @wraith marsh
i guess i have to try another bash
I'm doing VulnUniversity but I'm a little confuse towards the end.
So, first, why should /bin/systemctl have stood out? Looking at the permissions on the other files around it look similar, is it simply because it's known to be able to be exploited for priv escalation?
Second, I'm pretty unsure what to do from here. I've never done a priv escalation before, so I don't really know what I should be doing. Do I use gtfobins? Usually to make a script on a remote session I'd use nano but that seems to be blocked, so I'm a little unsure what I should be doing
@south apex You don't have nano because you're in a reverse shell
nano needs a proper shell, you can't even use the arrow keys
I see, I'd noticed the lack of bash history but didn't attribute it to that.
systemctl runs with higher privileges and it can be used to run arbitrary commands in a way
Okay so it is just something I need to know is easier to use to run arbitrary commands.
Thank you
@south apex Yes use GTFOBins
Thank you
i really was a dumbass, i got the shell @verbal wedge
unsure if this is the right room for this. Has anyone done the Shodan.io box? I have 2 tasks that I am unable to complete and im convinced its due to a change on shodan
I'm pretty lost still. How do I Get the exploit onto the box using a reverse shell?
@south apex The exploit is a systemd service file, you can create a file.
And put content into it
If you can't, I'd recommend doing this room https://tryhackme.com/room/zthlinux
I have a modified systemd service that should give me a reverse shell with root, just unsure how to write the file without access to nano. Thank you for the direction to check. I'll follow through that since I'm not seeing how to make the file
@south apex You can echo into a file
echo "string \> with \> multiple \> lines"
The shell will add the > when you don't close the quotes
I see thank you
@stuck fractal Can I DM you?
@quiet musk Why?
I managed to get root. Thank you @stuck fractal
That's an awesome feeling.
@wraith marsh is pe related with vim.basic?
or should i go for that ||cron which is executed by root||
@viral mason I found 3 ways to priv esc. there’s a much simpler way. Which happens to be the intended way
hmm
It's about to be only 2
Jb had a very unintended way lol
So I'm patching it haha
There isn't a Cron executed by root that im aware of
The Cron that's running the clean.sh is executed by namelessone
Root privesc is much simpler
No
Good on you for finding that
Removed just in case, 😂
@verbal wedge i saw in pspy lol
uid was 0
Yes, give me a minutes I’ll grab it and DM you if that’s okay?
Aye
@verbal wedge free pentesting service lol
@verbal wedge yea took a break i'll look on it
my new thumbnail for the new video coming what ya guys think yay or nah
Seems nice dude
@cloud perch Wrong chat?
@verbal wedge can i pm?
okk
hey 0x you got root?
Now I'm curious what the unintended way is
^^
@woeful tide its.. a little bit tricky
do I really need to wait an hour in Anonymous?
@white salmon its on ||each x5s and x0s||
yeah I see it now
does privesc have to do with ||f||
@restive kestrel what's f?
ok nvm then if you don't recall f HAHA
it lost its +x somehow, fixed it
Whoever solved the box "Anonymous". How much would you rate it outta 10?
@final lark 9/10 fun, 4.5-5/10 difficulty
ooh just finished the room, i think it's relatively easy
good luck with that!
as nike says, just do it
I'm doing the first lvl buffer overflow room (bof1). I'm trying to see what's happening in the code execution using gdb. The guide talks about looking at the values of registers like esp and ebp but when I look at the registers in gdb using the 'info registers' command all I see are registers that start with 'r'. Anyone know how I can view the esp ebp registers?
@restive kestrel yeah easy for a guy who is relatively experienced but medium for general as it stated in the box itself
well if i can finish it i'd say it's easy HAHA
@sharp mason ...you're not on ARM are you?
Oh, you're only seeing the general purpose registers
@stuck fractal thanks, I guess I need to specify the eax or esp etc registers I want to see. for whatever reason, all the guides I've found are showing the 'e*' registers by default when they run inspect registers
@sharp mason those are the common ones
I need to read up on general vs common register types
gotcha
so I found there's also a gdb command info all-registers
surprised that the output still doesn't include any of the 'e*' registers that I'm looking for
@sharp mason Hang on, you know x86 prefixes right?
the stack pointer and stack frame seem important, I think I'm missing something
I do not
Is it showing you RSP?
yes
is that equivalent to esp?
ohhhhh
AX is 16bit EAX/RAX
that's what I'm missing! Thanks @stuck fractal
x86 is a mess.
lol, understood
On anonymous room, ||idk what rev shell should i use, if i put like 3-4 line after line, one should execute and others should interupt anything, right? ||
@white salmon If you find the correct reverse shell it will work.
as i thought, thanks
No problem.
I'm stuck on Root on Anonymous if anyone can lend a hand. I have a shell and the user flag. I've been looking at linpeas and other things, including the crontab. Not seeing anything specific.
@patent token for anonymous?
Yea, just realized I missed saying the room.
in your linpeas you should see something that will show you what you need to do
Ok. I'll take another look. I know I poked at it earlier and what I saw then doesn't exist now due to a patch I think.
Yea but some other things should stand out
@ashen plover Hey, Can I DM you?
@final lark sure
||for instance, I see I'm in the sudo group, but naturally can't do much due to not knowing the user password.
I've tried /usr/bin/env, but again, no sudo no bueno.||
I'm gonna have to try this box
I'm not a fan of CTF's, so the struggle is very much real.
@patent token take a look at what you have and i would take look at GTFObins if your unsure of something
^^
Don't sudo it then 😆
Ok one sec
I'm there.
type in what you wanna look up and see what they have done
||Just tried -p with no luck. I've tried -i as well.||
skip the first line
I'm not sure what that means. I'm only using one line commands
r u looking at sudo or suid?
lame. I can view the file with the command but can't escalate.
worked for me tho
u could always try to escalate another way via the lxd group
Seems like I should be able to do more than just that.
Curious. I just tried it on my own computer with the same conditions set
Worked for me
I know other people have managed it on that box
i had same issue once i reset my box it worked
but i was getting some major lag on that box so could have just not taken the command?
Guess I need to pay better attention
Hehe, that looks like a root shell to me 😁
🤣
I don't CTF
lmao
I've been root since before I asked for help.
Followed by python -c 'import pty;pty.spawn("/bin/bash")'
...
As an added bonus
i usually go with whoami, upgrade shell then sudo -l as my first three but id is also a good one
I'm an eCPPT. So I already have an actual pentesting certification. Just need to git gud at CTF
I've heard the opposite
they updated this year
I've heard from people who've taken it recently that it's very CTF
Yea me too. I've never heard anything about it being anything close to lifelike.
actually have AD stuff in it now
I have the materials. They completely lack context because it doesn't directly relate to labs.
The exam does not.
well yea im not talking about the exam
It's just 800 pages of examples you can't practice.
Then you're talking about PWK
semantics.
the exam is slightly more CTF with certain things for sure. The course itself is okay
but I mean i dont take cert to take an exam so thats why I say OSCP is also PWK but sure you could argue both ways
The worst part about the exam is the proctors IMO they love bugging you during the test 😛 ruined my flow so many times
Anyways. Prolly should keep this channel for #room-hints. I've hijacked it enough. 🙂
You have the username already. 🙂
but it doesn't work 😫
Need a bit more information about than what you've offered honestly. But if you are on Task 3 and answered ALL of the questions before that, I promise you that you have the username and password already.
got it 😋
Any initial access hints for anonymous? on the ftp server, can edit and upload files but can't figure out how to get a rev shell
Ah yes. Love bash scripting.
how i can find the name of the Administrator on anthem chall :/? i got no idea
@humble mountain What was the thing mentioned about admin on the website?
@humble mountain read the blogs
i found it, thanks @tribal ginkgo @final lark
Hi sorry to be a bother, but im struggling on this question a bit. Could anyone give me a hint on where to look.
this is common linux priv esc *
This is what i think it is based on the question but its doesnt match the amount of chars Echo /bin/bash > ls
But then the name of the executable is script so i must be well wrong
you have two "chars" missing
@humble mountain That's Great!
@dusty pebble thank you so much! i thought those were just in the example i didnt know i needed them for the command!!!
You're welcome, you will have to use quotes in a lot of commands
Working my way through the Shodan room and it's asking for the 3rd most popular country for MySQL servers in Google's ASN. A quick search reveals it should be ||Hong Kong (HK)|| but it doesn't seem to work. Any ideas?
the room needs updating i think
@echo thunder you need to check the html source code
I have checked
I saw the flag
also on the other page get it
if looked on all the pages
tags,search, etc
i'm probably blind but i can't find it too, i have all the others flags except the first one
/archive/-------------/
check meta tag
Any hint for admin password on Anthem
Hint says it is hidden. Therefore, see the hidden files. @summer wave
Don't go deep. It's easily accessible. Most obvious location & name.
@final lark its been a day, i tried everything
@woven pumice this is the 4th right ? Or i'm really missing something
@summer wave What have you done yet ? (spoil your response)
@dusty pebble run gobuster and try to visit every page flag is in meta tag.
@dusty pebble which one exactly are you stuck on
@tribal ginkgo Just the first flag, i've done the rest of the box. I'm probably blind, i'll take a rest while gob is running as suggested and it should be good after 😁
😆 its in meta tags
Yup, it's probably in front of me x)
@dusty pebble i m stuck on admin password i tried every hidden files stuff
@summer wave not every obviously, you're on the right way, you've probably found the file, just search how to read it
@umbral flint Try going to properties.
i am still curious why people overcomplicate it
I feel so dumb, i've seen it 50 times, i was sure i already used it
I mean it's still good irrespective don't get me wrong
people just make it harder :^)
should i put a disclaimer @steady stratus ? Like, do not overcomplicate it?
Yup, right, i've spend few hours on this box, and now that i've finished it, i just make it a lot harder than it was, good box btw !
@past night Definitely x)
i mean
@dusty pebble right about that
Mhm I'm not sure, it seems like people get it eventually. Not quite sure how you can word it without spoiling
yeah, that folder name 
also
why do people look on linux for backups folders
but not on windows
I think they're taking the other meaning of "hidden" rather than the technical term for it
looooool
But you can't really rewrite that other than using hidden 😛
Ahahaahahah!
Quick question on Anthem, is the foothold obtained via Umbraco LFI? Or is a password attack required?
none
Neither
:/
Will do, thanks
i've read about the umbraco lfi, but didn't get how to actually make it work
Yeah I wasnt having any luck with it, put it that way 😂
it's a different version though
i think the current website is running on 7.xx latest version at the time the room was created
which is defo nowhere close the 7.15 lfi
how do u get the admin name? there's a real anthem.com site is it related?
@white salmon No it is not related to that.
Just see what is mentioned about admin on the target machine.
@white salmon Hint says to see the source code. Simple. Just search in the source code of every page.
I really mean it. "Every Page"
Aha, same as me, just pay attention 😁
@white salmon Attention. That's it
do i need to fuzz it?
@white salmon No no, Just search for the flag in the Source Code.
^
Look INTO Source Code!
i read it whole lol
Read it again
lol wtf
@white salmon What is the format of Flag?
Then just search for it.
😉
Suppose you are searching for a word in Notepad. How can you find a specific word?
@past night yes...
well now i gotta guess the credentials for the box, i guess
@white salmon Nope, don't guess, it's in plaintext somewhere
@past night Finally done with Anthem, seriously that hidden thing got me confused. Nice box BTW.
Nice one!
@summer wave that hidden thing was good
@summer wave Great Work! 🙂
I've done it thru nc
enum scripts will give you a good hint
I use linpeas but I don't know exactly where to look
i think i used linpeas too, and linpeas is telling you what is interesting, then just search for this and u will be good
No CVE
it is on pkexec
you gotta try them out i guess
gtfobins 👍
on anthem tho is it through web or rdp?
rdp
Great @white salmon
now need to find them hidden files
Good Luck
hm access denied
@white salmon Keep Trying!
do we need to escalate privileges before finding the password?
@white salmon You cannot escalate privileges until you find the password
Finished Anthem @past night. Fun box!
what am i looking for tho? i found a txt file which might be interesting and although the file owner is the current user i can't open it
Play with it until you can
cheers @signal needle ❤️
You got any more Windows boxes in progress? 😊
3 currently. 2 are part of a walkthrough
hey guys, im stuck on anonymous. Enumerated all the shares, found the interesting script, but don't rly know what to do with it from here on out. Any1 finished it already and could give me a push in the right direction? 😄
@past night Awesome, definitely need more Windows boxes. I’d like to see more AD related as well with the latest attacks etc.
dont give hints
There’s a applocker box on THM which is quite interesting. More of those type of boxes would be good.
@austere aspen this is literally a hints channel
@left birch there's some logs there, have a look.
yeah, there is stuff going on but i got some priorities in life for now @signal needle ( UNI ASSIGNMENT IS A HECK) to be done in the next few days, after that i'll crack on
yeee I salvaged this 1 log on the share, but i either dont know what i can do with them or idk haha
The logs give you some info about the script
so i need some hints on how to read a file which the user is owner but access is denied on anthem, or am i looking in the wrong place?
tried to get more permission on powershell but no luck
yee i went through the ||clean.sh|| script but there isn't too much i can do with it or im missing smth
@white salmon don't overcomplicate it, you're on the right way
@left birch find out what's happening.
wym overcomplicating?
i did haha but how can i use a script which i cant rly execute on demand to my advantage
You can open it without powershell or some weird stuff
@white salmon You dont need anything special. Just browse in and out of directories
Find the right file. Done!
@left birch Actually, you can, it's the goal 😁
nice room @verbal wedge Enjoyed it.
i really can't, tried already with notepad, type, cat, path traversal..
Thank you!
@white salmon It's overcomplicated too ^^
@white salmon DM me for more help if you are stressed out.
@left birch the log files have entries every 5mins. That implies it's being run automatically, right?
im in the last part of ANTHEM, any hints how to find the admin username.
@signal needle the problem is a lot of AD attacks require networks, so that limits us a bit until networks come out, and then AD hasn't changed a whole lot in terms of attacks because sysadmins still don't know how to secure their DCs, so the same attacks work. there should be plenty of windows content getting pushed out soon though
check for hidden secrets @dry pelican
@white salmon hmm im trying for like 45 minutes, first parts are quite easy but this one im kinda clueless, still thank you for the help
try to find hidden stuff with the command prompt, you can try dumping them all or going one by one
u mean on the remote machine or mine, cause i have not yet connected to the machine
Get a shell!
yes so i tried that and i got an error. im sorry im being quite annoying now thank you so much for the help ill just keep trying.
if you have user credentials try to login
anyone doing anonymous chall? im stuck at the number 5 :/, what should i do? already tried the smb share but only found some cutty pics
Anonymous room? @humble mountain
@final lark yes
Use pipe
@humble mountain You fell down the rabbit hole
what does that mean :/ @stuck fractal
@humble mountain You are not going the correct way
A rabbit hole is something you will spend time looking at, and it won't get you anywhere
ahhh okay, thats why haha
From Alice in wonderland, ||when she falls down the rabbit hole into wonderland||
Spoiling a book that's over 100 years old there
😭
I am currently solving Anthem, I have completed the first two tasks but I am not able to find the password for the admin to rdp on the machine. can anyone help?
try rdp with other passwords
as in the other flags that have been collected? @white salmon
maybe you can login with a lower privilege user other than admin
okay thanks @final lark @white salmon
@final lark i found 3 files, what should i do next with that files :/
@humble mountain Figure out what's going on with them.
okay lemme try
@final lark @stuck fractal straight into privesc by putting some revshell?
wat
||Cron doesn't always run tasks as root|| @humble mountain
Try things before you ask. @humble mountain
need some help with RP: Nmap. "What about 'very verbose' (A personal favorite)" where can i find the solution in nmap -h?
man nmap
what is the difference between nmap -h and man nmap?
@zinc plume man nmap contains a lot more detail.
man is a separate program
alright thanks
man = short for manual
any hints for pentesting crash course ctf?
been running ffuf on /secret/ but nothing comes out
not sure if I remember right, but try extensions also
and dont focus on a single wordlist and go with that always, try different ones
.php .php3 .php5 .php7 .html .xhtml .json .asp .aspx are these enough?
txt?
right...
it's gonna be a txt for sure
maybe i should deploy the machine again after it expired right
That'd help
Just finished Anonymous. Was way overthinking it. Got down what I though was an obvious path but was just a rabbit hole. Fun room.
can somebody give me a hint for priv esc on tomghost ?
Read up on PGP keys
tnx ... so im looking in the right direction
tried john ... but no success so far
John will do it
@simple schooner rockyou > others for most of THM
Especially if you're cracking a hash
thats the one that worked for me 😉
rockyou for ssh as well?
yea
any hint on anonymous privesc task? Im out of ideas, where should I look?
GTFO
Hey guys, doing the nessus room.
Completed all questions except the directory containing example documents. There is nothing related to this on nessus scan output. Also used dirbuster, no success.
Need a hint please
Need some help on lfi basics task 3 question 5, I don't know where to put commands
@quiet musk glad you liked it!
@arctic frigate web app scan I believe?
@crimson helm whatever you put in quotations to get command output, put that after your directory traversal, then an equal sign; your command goes there
anyone here that already got ctf collection vol2? I'm stuck at easter 15. the hash is the same, but I still can't see the answer. any hints?
anyone able to do day 11 of Advent of Cyber? Having issues getting my FTP connection to server to work. Getting issue when issuing commands. Tried to research issue and fix but no luck. Errors im getting are: 500 Illegal Port command and ftp: bind: Address already in use
@verbal wedge Just finished Anonymous, really good box especially the privesc.
@signal needle Well Done!
@solemn smelt
Yeah I did that using nessus, didn't find anything related to this question
@final lark @stuck fractal thanks for your help, finally figured it out :>
@humble mountain Glad I was able to help 🙂
@signal needle thank you!!
Is rockyou.txt the correct wordlist for bruteforcing wordpress login in Jack CTF ?
or is there any other recommended wordlist which is more compact?
@spark monolith Rockyou is not the correct wordlist 🙂
any hints? @tidal sedge
The wordlist that you need is installed by default on Kali
got it thanks @tidal sedge
Any hint anthem root please?
Did you find the hidden directory ?
@dusty pebble hey im trying since yesterday to find the admin username but got nothing
@dry pelican It's on the website, you will need the help of google 😉
on the web app, what? i closed that and started using maltego and im so close to using social engineering lol.
Don't overcomplicate it, there is a post for the admin, just pay attention to it and ask to google 😉
@vapid crown search for the hidden directory
that's the username, i've had it since yesterday i think, can i send it to u in private please
Yup 😉
Daily Bugle room. How to escalate privilege to root with gtfobins.. I can't understand. please help me.
Did you search for the appropriate one?
can anyone help with sqlmap for the OWASP Juice Shop i really want to understand how to use sqlmap to solve this puzzle..
I'm stuck on the bof1 Buffer Overflow room, task 8. This is the task where you are supposed to successfully get a shell by overflowing the buffer. I've tried running the example code they have provided but running it just gets a segmentation fault. I'm thinking maybe I need to provide a different memory address than the one that they have provided. I have the program attached inside gdb and I've been testing with different fuzzing strings etc but I can't seem to figure out what address that I'm looking for. The info I'm reading all references EIP as the instruction pointer that I'm trying to overwrite but the closest thing I see in gdb is RIP which is maybe the x86_64 equivalent?
@sharp mason Yeah, this is the prefixes again
E is 32bit, R is 64bit
You can access 32bit registers from a 64bit program, it's the same register
right, so the odd thing is that I can't get the value of RIP to change
Task 8 is a HUGE step up in difficulty
so, even if I feed 5k "A" chars as input, I can't get the value of RIP to change gdb --args buffer-overflow $(python -c "print('A' * 5000)")
I'm not a BoF guy, I just know some x86 assembly
People have a lot of trouble with it
I think maybe I'm missing something, this is supposed to be the easiest bof room
Not task 8 and 9
any hints on what I'm missing regarding how to control RIP?
in all the other examples I've seen for entry lvl bof, the technique is to fuzz until you can find the offset required to get data into the EIP/RIP
something is keeping the RIP from being overwritten
I haven't learnt BoF yet so I got nothing
Anyone done anonymous rooms ? Need hint privs esc
gtfobins
@sharp mason I don’t have a subscription so I haven’t done the room / looked at it, however you’re right in saying you should find the offset; maybe look for bad characters?
But i didn't get the user creds
@solemn smelt the part I'm stuck on is that I can't find the offset b/c I can't overwrite the RIP
seems like no matter how many chars I throw at the program, RIP never changes. I've tried up to 50k 'A' chars
Ohhhh that’s your problem I’m not sure how the room has you do it but I always use a pattern create as the offset
@stuck fractal if i run gtfo without sudo i just got user again
You need to understand the vuln @sick sun
@solemn smelt same, but you can't find the part of the pattern to find the offset unless the EIP/RIP gets overwritten
no you overwrite the eip after you find the offset unless the room has you do it some other way I’ve never heard of
How are you going to know where to overwrite the eip if you don’t know where the eip even is? That what finding the offset is doing
true, but if you can't overwrite the EIP, you don't know where the offset is
Are you doing Bof1? If so, RIP won't overwrite with just A's
yes, I'm doing Bof1
Okay, so to overwrite RIP, the address needs to be in a specific range
why won't A's overwrite, are they bad chars here?
Because for 64bit the address of RIP needs to be in a specific range
google: "x64 buffer overflow"
there's a good article on medium that explains it
np
@stuck fractal im stuck on priv esc
Yes.
You need to understand the vuln
And understand how to use it
Do some research
Hey, I could use some help with the anthem box.
I just can't find the name of the administrator and I have no idea what the hint is trying to tell me
Use the information on the site to piece it together @acoustic glen
That question (and the next one) are all about lateral thinking
@stuck fractal easy man hahahha
huh?
any hint on how to find the password for the admin on anthem. I found a hidden directory in C:\ but the file can be opened only by the administrator
@echo thunder You sure?
Hey! I'm pretty beginner to InfoSec and am having a little trouble with the Blue room.
I've got the exploit set up to run, i'm setting the RHOSTS value to be the target IP, but I am getting "exploit success, but no session started" error message. I've tried resetting the room a few times with no luck. I've even followed a guide to see where I'm going wrong, but can't seem to find anything. Any help is appreciated 🙂
I'd prefer not. My hint was enough.
I fully agree ^^
Also, RE me, im brand new to the discord so not sure if this is the right place to post the above message cause it's not quite a hint I'm asking for, so if there's a better channel please let me know
the txt file is readable only by admin and the ||.dat ||one is readable also by me
@fleet flume that’s just eternal blue being eternal blue, you just gotta do it a couple times
Thanks, @solemn smelt , ill bombard it a few more times and if I'm not successful ill come back 😂
If that doesn’t work, some things that will prevent an exploit from working are the target you have set (the default may not always work), and changing between a staged and non-staged payload; however I don’t believe any of those need to be changed for it to work on blue
I noticed there are a few variants of eternal blue within metasploit, will others also work on this machine and should I try them if the first one asked for by the room isn't working?
Nope.
there’s only really two
But no the one that the room says to use should work just fine
hmmm, okay. will keep digging. thanks both
Very easy to overcomplicate
Anyone solving New box "Gatekeeper"?
One person has made it beyond the first task which just requires starting the machine up.
🙂
Might be a lil soon for hints
The gate is only half the battle.
hi there can i get some hint for THM: anthem task 1: #4, i tried to crawl the pages with burpsuite, but i can't manage to find the .txt file
@dense marlin Burp spidering etc is only going to pick up stuff that's linked
so it's not linked you mean?
I don't know
the question did mention possible password in one of the pages web crawlers check for
i thought it might be linked
@dense marlin Robots are nice don't you agree?
i did check the robots too @tidal sedge
It's there if I remember correctly
@stuck fractal so you mean the file might be out of the scope? like it might be outside of the machine ip?
like google github those link?
ok i tried to perform fuzzing on the robots
what no
🤦
||robots.txt|| is a file that real crawlers will look for to tell them what they can and can't crawl
yea i mean the directories in robtos
*robots
fuzzing for files that might potentially be contained in the directories specified in robots
what
@dense marlin This makes no sense.
sometimes some users might store their files in those directories like /config/password.txt or something else, that's why they don't want you to crawl these directories?
ok my bad
i can't believe that i've been watching the exact answer for 2 hrs
i've overthought the whole thing
@stuck fractal @tidal sedge thanks for the hint
hey everyone can anybody help me in Anthem room task 1-7
hey there can anyone give me some nudge for anthem rdp login? i've tried different formats of username for the first and last name that i gathered, with the password that i found. the credential works when i login into the CMS but it seems that the credential for the rdp is different so i tried several types of username format with the credential found. Im kinda lost right now
actually i've read it
sorry bout it but i dont really understand it
Gatekeeper, am I on the right track?
Not sure what you mean
Should definitely ask your question more specifically please.
Being the Cryptic keeper since it is such a new room
Not at all
Happy to help being as I created it
But I would expect me to gatekeep it a bit. 🙂
Oh cool, mind if I pm you?
anywho, I noticed how leet this challenge was and wondered if a buffer overflow was in order
So, I recommend poking at it a bit and see what you get. If you've enumerated you may find something that you can use and test.
@past night my bad, i've literally overthought lots of stuff in ur room. Found the credential for rdp
I have a question that I want to check with you uys
guys*
I've just started the "Common Linux Privesc" room and it mentions downloading the LinEnum shell which I did. the questions in the sections don't say anything about actually transferring it and using it on the machine so I just want to confirm that that is what I am supposed to do in order to answer the questions or if it's not something I'm supposed to do?
the instructions aren't terribly cleat
clear*
woops, wrong room 😦
apologies
how to find admin of anthem room in web site analysis task
@dense marlin yup, we know. i've said this at least 20 times about not complicating stuff
@echo thunder come in inbox bro
I found a restore file in anthem room but can't access it
how to check that
Google Windows file permissions