#room-hints
Is anybody facing an issue in getting a reverse shell in Anonymous v6 CTF?
the commands are taking a lot of time to work
please help if anyone has a better way to do it
@spark monolith I didn't face any issue
@spark monolith Don't pm me again without permission.
@tidal sedge sure
If you look at the log file, you'll see an entry for every 5 minutes
You should infer from it that something happens every 5 minutes
I have got the reverse shell but it's taking a lot of time to respond. Is this due to the cleaning of log files every 5 mins?
If the reverse shell has executed then it will persist
Any input lag will be your connection
oh okay thanks @steady stratus
You can always ping the machine to verify any drastic latency
any hints on root of Anonymous?
@tardy python what cron jobs do?
i dont see any crons of root
Have you run automated scripts yet? LinEnum, LinPEAS?
They pretty much tell you the answer
any hints on root of Anonymous?
@tardy python linEnum can tell you something interesting for the escalation.
any hints on root of Anonymous?
@tardy python
check for some "ID". I think you can easily "SU" that VM. That was an easy room. Just basic PrivEsc knowledge needed!
anyone can give a hint for lord of the root task 2 question 6?
Hi all, I'm on task 7 of the Ice room. They say that you should be able to use the C code from exploit-db to do the same thing but no matter what I run or install I can't seem to get it to compile successfully. Has anyone else achieved this? Can you let me know if there is an issue with the code I need to correct or if it's an issue with my compiler configuration? I don't have any C background so I'm trying to avoid debugging the script itself unless I know for certain that's the issue. Many thanks.
aaa any hints on unreadable thing in peak hill the ||encoded thing or whatever||
the task description is a bit of a hint ;)
okay good sir thank you very much
I'm also on that room. I worked out what to do but it didn't work so I feel I did it wrong somehow. I get an error suggesting something about a MARK but I couldn't fix it. Unsure what I need to do
@wooden mist mind if I shoot you a quick message please to see if I'm on the right track?
are you sure the word was mark? if yes, please explain what you did in DM
@frail ferry that was an error I got. Not a clue or anything.
but doing what? (DM to avoid spoils)
Any hints for Anthem room, rdp credentials ?
you will have every information you need if you replied to #1 -> #7
Hello, I dont want to spoil anything but if someone can help with gatekeeper that would be great, i have a shell and working on root yet i have a question on it. Thanks
anthem room i need 1-7
...that's all of it
what
Hi, I'm working through the Intro to x86-64. I'm stuck on task 4. I was able to see the variable in memory but it does not match the answer. I got all the other flags except for the first one.
@stuck fractal is that for me?
@primal linden 1 to 7 is like either all or most of the room
@primal linden There's 8 questions in task 1
You asked for help with questions 1 through 7
There's a famous poem that's incomplete.
T1Q7 would be a much clearer way of asking
i got his first name
@primal linden for admin name, google the poem.
Hey VV. I'm the creator. My recommendation is to enumerate harder. ๐
Thanks i will try winPEAS again
I would enumerate a different way.
The challenge is meant to make you look past your typical enumeration tools.
I'm streaming it in 8 minutes if you're interested. No pressure if you want to try on your own. Check out #thm-community-media for more info.
Rooted Anthem Room ❤️
hints for getting user/pass for anthem room? (I logged into umbraco but I don't think that's where I'm supposed to be >_>)
rdp credentials?
actually, that's exactly where you're supposed to be, but there is nothing much about what you're trying to find.
and... since now, everything you found is the ANSWER to what you're looking for
Alright, I figured it out. Thx for the help
Elf, why not use "internet" and a cute "cat" on peak hill
I already did use both multiple times
nc?
@viscid mason using it is only useful when you got through the first part, not sure if elf got through it yet
Yeah! Any hints from your side szymex73?
nope I'm stuck in decoding the weird stuff
try harder Elf!
im doing it
look at the image in the description 
Any hints on the first part? I am pretty certain about what to do with the weird part, but I am stuck enumerating things... well I am currently looking for things I have not enumerated yet.
there's one obvious thing that you should've picked up on a portscan
Any hints on (what I'm assuming is) the last part? Is there a specific thing I should look up? I'm regretting skipping python classes at college
I think I'm on the same part that you are @white salmon. You ever figure it out?
Yea it's the same idea that is used earlier in the room. Don't wanna go to deep into details
Gotcha
Hey for peak_hill it asks me to grow something any hints on that?
||total guess but look at the first 3 letters of the room?||
Hi, in Anthem Task 1 question 7, the hint says consult the oracle, but I can't seem to find the answer to the question. Can anybody point me in a direction?
Hey guys
i need some help at the network service room
at the last question from task 10, where I need to get the ftp.txt file, I get the error that I have no permission to get it
although I logged in to the ftp as mike
Hi, in Anthem Task 1 question 7, the hint says consult the oracle, but I can't seem to find the answer to the question. Can anybody point me in a direction?
oracle means google in this case :)
yeah i got that far haha
@normal totem Permission denied locally
@glossy basin can you guide me a little bit in the direction you pointed me :S
didnt realize the pwd influences this
@normal totem You do know that pwd stands for print working directory?
yup
does nc require sudo for reverse shell?
@white salmon Depends on the port you're using
how so?
The first 1024 ports require sudo
huh. thx for the info
do I need to specifically look at the one port in Peak Hill for a way in?
||ssh_pass||
@jaunty ember at some point, yes
anyone available for a little nudge on peakhill? ||I have all the ssh_user and ssh_pass things and I tried a bruteforce with all of this and also with a username I found (on ssh), but feel like I'm missing something - probably to do with that other port asking for a username/password||
i meant to put that in spoiler tags not that hahaha
can someone help me with anonymous v6? I edited ||clean.sh|| on the ||ftp-server|| but either I did something wrong or ||the script doesn't get executed by a cronjob||. Am I missing something?
@sweet relic What did you add to the script?
@digital iris in what form do you have ssh_user/pass?
@wooden mist so it had like ssh_userRandomCharacters and ssh_passRandomCharacters so I tried them like that and I also tried stripping the ssh_user and ssh_pass off it but that didn't work either
but in what form do you have it? do you have it as a file or a ||deserialized array||?
Would he need to put the full filepath?
@stuck fractal Ooooh...of course it did
@solid sphinx For what?
@sweet relic Don't delete the file. put with the same name
as a file
@stuck fractal thank you
nevermind
can i have a hint lmao
Dude
oh sorry
I literally just asked you not to post answers
man ls
man is really really wonderful
I can't find it
Also, a google search would have worked
ls long list format flag
Learn to do some research, rule 13
Have you tried googling it before asking here?
idk exactly what to google
There is no point in doing the room if you're asking us all of the questions
kk
@compact locust It's specifically for su
yeah
@compact locust sup
What is the value of the home environment variable
I've googled
I've looked
I can't find it
Dolla sign
no like
I think
Read the $ Task
Ahhh
Learn how to view variables
i have
@compact locust You haven't if you can't find the value of that thing
let me dm it to you
ok i found it
There ya go
Just checked myself and found it on the first page that was highlighted by Google.
Oh wait, you found it.
Nvm
Yeah I did too
@verbal wedge your new machine is cracking my head
What's your box @verbal wedge
Anon
Easy box
Yeah relatively
Nudge? getting cve for simple ctf?
I'll give it a bash when a get a free sec.
Might be a little too much for my level at the minute.
anyone know what this is doing in python? myvar = "A" * 0xA00 If I print it, it's a bunch of "A" chars, not sure what it's doing. I'm used to seeing lines like "A" * 100 to quickly create a var w/ 100 'A' chars but haven't seen the like of the first one before
hey anyone has a hint for me I'm stuck in flag75 "ctf 100"
@sharp mason 0xA00 is hexadecimal for 2560, so myvar would be equal to 2560 "A"s
ahh, thanks @stark pelican
am I on the right track? I got into the panel for umbraco on the ANTHEM box. Am I supposed to look around there for creds for R** or do I need to somehow spawn a shell then get creds that way??
@graceful sun look at your nmap scan again and see where you can use those creds
i got it already lol my bad guys
No worries
thank you!
any hints on The Impossible Challenge ?
Any hints on Peak Hill? I'm stuck at a string with a bunch of ssh_pass/ssh_user
^ ditto
I feel like there is more hidden in there
join vc, we're discussing it
anyone awake that could provide a hint for pickhill?
only if you mean peakhill
where are you stuck at?
|| have found the .creds file in ftp and know it is pickled, unsure if I should decode it from binary first before trying to unpickle it, and either way, can't figure out the right command to unpickle it correctly, guessing it involves setting the protocol.. been at this for 3 hours now ||
not really a command, it's better if you write a script to decode it :)
@pine orbit I haven't done the box, but I can tell you that ||pickle reads/writes in binary data rather than plaintext||
that's what I meant
that's also what I was thinking Ninja!
if you're not sure if you should decode the 1/0 before passing it to the decoder then why not try it with/without decoding the 1/0 prior to decoding the data itself
it will tell you if there's something wrong :)
I have tried it both ways, @wooden mist mind if I DM you about it so we're not flooding this channel (I'll send you some of the decoding things I've tried)
flooding the channel isn't a problem but this would probably go to #room-help though
Can anyone give me a hint on peak hill ||i've unpickled the data, and ordered the user and pass in the right order, but what am i supposed to do now. I've tried the creds on ftp ssh and the 7321 port but they dont work||
Peak hill, I have a password but I don't got a username
wait nvm
am dumb
cancel
hey anyone has any hint for me I'm stuck on flag75 "ctf 100"
Peak hill, I have a password but I don't got a username
https://youtu.be/53zkBvL4ZB4
I had to do it
hello im in need of help once again i did get creds and now i don't know what to do with them
use them for ssh
i can't
okay
this might help
pickhill is really one hell of a room, isn't it?
it truly is
wdym decompile
@tardy python
check for some "ID". I think you can easily "SU" that VM. That was an easy room. Just basic PrivEsc knowledge needed!
@viscid mason how do you exploit something without sudo password.
There are privilege escalations that don't involve sudo.
I ran linpeas and got something that seems exploitable. Tried with SUID env but no success...
any hint?
@wanton gate There's caveats for GTFOBins
@viscid mason how do you exploit something without sudo password.
@wanton gate
that's the main role of PRIVILEGE Escalation. When you don't have a password or anything, you just go wild and figure out things. I already gave you a hint for this specific thing, you just need to figure it out!
how do you exploit something without sudo password.
@wanton gate just test your things without sudo
thanks for your help. ❤️
any hints on privesc?
for peak hill? it's a pickle farm, grow some pickles obviously
base64
base64 pickles best pickles
pickled base64 
try gib farm a base64
what is that xD
base64 a thingy xD
try to give base64 input to that python file
OMG!
why do you search words that are not "..."
what is he doing
think bro think
:|
;-;
i legit don't have control over this
python + pickle + base64 + os + /bin/bash = root!
smh
python + pickle + base64 + magic = root
+1
yikes
hello, i have question about owasp juice shop
I read an article about it and the writer solved the broken auth part 50% by guessing
Finally done Peak Hill, I was making so many little mistakes
50% technical
Always trying to overcomplicate things
aaaa hint pls
Feel free to PM, I wont give too much away though!
can anyone please help me with flag 1 and 4 of anthem
use the source, luke
Want to start HackPark but don't want to spoil the 1337 users :p
I can't live with being the one to ruin it, so I've chosen another box :p
Someone needs to.
@hollow gazelle Try writing a Python script that finds the flags for you. At least that's what I did. Regex + Beautiful Soup.
Or just CTRL+F your way through lol
@faint trail should i decode-something in Peak Hill
@sick sun the first ones?
@blazing turtle ?
are you asking about decoding the first set of creds you can get?
sure
Any hints on Peak Hill? ||I've broken out of the CMD shell and have access as dill on the box, not sure how to interact or reverse this binary in /opt||
@viscid bramble ls -lah in the dir, see what's up with it
Maybe try... running it?
I have done both, I don't know how to grow
@sick sun You're going to have to provide more information, is this for a THM room? If so which one? Which task and question?
Before initial shell, Peak Hill
Ah, I haven't done that one, through I've heard good things about the box
@sick sun The room page is full of hints
nice room this pickleboi was, but frustrating at times
hi could someone help me with the admin hidden password for Anthem room?
You've likely already overlooked it
Think how systems may have misconfigured permissions
@dusky vigil i found it thanks for your help
Anyone able to give a nudge on how to escalate from www-data to jjameson on Daily Bugle?
Sure. Check the directory you initially land in in your shell for www-data. Investigate those files.
ty
Welcome.
Got root now ^^
no
it's a hard room for a reason
ok no hints
there is one hint from the room's creator hidden deeeeeeep in one of the channels history on this discord
it can help but idk if you're on that stage yet 
aaa no hints
What critical file has had its permissions changed to allow some users to write to it?
how to check?
I was already in /etc/passwd
wat
@onyx wadi ?
Hi all!
Here
I was already in /etc/passwd
@frozen osprey wat
Can anyone give me a hint at task 43 of 'Learn Linux' room?
i did
don't mind me james
thanks got the resolution
priv esc
@old root Look for files belonging to each and every user.
Thank you!
any other hint? I think i'm stuck
anyone help for blogengine ?
@cinder bluff What room?
@cinder bluff Please respect Rule 1. Don't DM people without making sure it's OK first.
Additionally, this is for help with THM rooms.
HackPark uses blogengine right?
@patent token They DM'd me unsolicited, then told me it wasn't a THM room, got angry at me for asking them to please follow rule 1, and then left.
Oh ok. Understood.
hey so where do I find the admin password? Do I want to be looking into RDP for it? Like in files maybe? I did a winpeas, didn't get much, still looking lol. Any hints?
Can you please share a good deal more information about that please?
What room, task, etc.
Ok, I feel sorta stupid but I can't figure out the last question in the Linux room (task 43)
I think I'm on the right track for what the vulnerability is
but I'm not sure how to escalate with it
Hey @hollow bay try to look for files belonging to each and every user
Am I correct in noticing the || files with the SUID bit ||?
And somehow changing one of those since I can write to them?
Or am I way overcomplicating this
It's way more simple than that
@hollow bay For reference, if you write to a SUID file then it loses its SUID bit
@stuck fractal Yeah I learned that the hard way by trying to cat a shell script and > into the file
it is the Anthem room task 3 Q3, looking for the admin PW
nvm found the file
yo i need help with Obscure Web Vulns has anyone completed it?
@cloud perch don't ask to ask, just ask
I'm stuck on task 9. "what parameter allows us to generate a poc (actual exploit)" for CSRF
thanks
hello everyone, I am doing this room Anthem(https://tryhackme.com/room/anthem) I cannot find the admin password in the windows machine.. can someone provide me some hint please.
@indigo ridge https://varvy.com/robottxt.html
read this ^
i hope you get the idea
@indigo ridge https://varvy.com/robottxt.html
@glossy basin I am asking about the Windows administrator password.. I have got that domain admin password.. and I am in the RDP
last second task in the room
sure
yeah.. I tried to show all the folders and files with folder options
great
I found some backup folder but I can't access them
yes
my hint would be to look into file permissions :)
I guess you'll find your way around now
okay thanks!
did you check the robots.txt
@indigo ridge the hint is in the poem
@indigo ridge pm me
okay thanks!
@indigo ridge
@indigo ridge the hint is in the poem
@cloud perch I got it.. Thank you very much
It was permissions
no
Room Network Services Task 7 #11, still not receiving a ping response
For Gatekeeper, is digging into ||gatekeeper.exe via strings|| worth my time or am I missing another way in? I've tried ||uploading my own executables via SMB on the User share|| but am not getting a hit on my listener...
is it a bug?
I have some doubts on authenticating the RDB in Anthem box, can i get some help?
M3talhead, there is only one way on to that machine. Uploading to the SMB isn't it unfortunately. It's a nice try though.
@vernal ridge if you've done the previous tasks you should already have the credentials, read the questions carefully
yeah I did, but the creds didn't work!
I did read, but didn't get it. Can I PM? I don't want to be a spoiler
feel free to say it over here between ||
hi all.. any chance of a clue for "Linux Challenges 5.4" - Using SCP, FileZilla or another FTP client download flag32.mp3 to reveal flag 32.?? I've SCP'd the file locally but now stuck!
what does .mp3 imply
||I used the umbraco exploit to access the machine, but I couldn't find any creds to enumerate, but everyone said about RDP to access the machine, but with the creds I used to complete task 1 I didn't get any access to RDP||
there is no exploit for you to run
you already have the credentials to access the machine
Umbraco exploit?
@tidal sedge yeah!
And did the exploit work?
what does .mp3 imply
@past night So I tried playing it but nothing...
I got a less priv shell using it
@past night Fix
fix what lol
Seems like they found an exploit
what exploit
7.12 shouldn't work
it gives only a less priv shell
https://www.exploit-db.com/exploits/46153, this one!
That's an authenticated exploit
That means you already have the creds
hmm, that's unintended
@past night
That means you already have the creds
@tidal sedge yeah! for umbraco , not for RDP
@vernal ridge Have you ever heard of ||password reuse||
I didn't type any domain name
are you getting the ding ding ding?
no dude!
lol. read what malware said
@vernal ridge Have you ever heard of ||password reuse||
@tidal sedge i know, also i am compelled to use the only creds i got
what does domain mean to you
also, if it's after an hour the machine might've closed itself down (it's a bug)
whenever i was asked to login using RDP, it asked a user , password and domain, i left the domain unfilled
also, if it's after an hour the machine might've closed itself down (it's a bug)
@past night
that's not what it means
oh
OHH, got it buddies
please fix the exploit ||the exploit gives me a low privilege, and also gives me a chance to look at what the user name is. Just now everything rang a bell on what I saw when I got a shell||
Mhm it's pretty interesting you got an exploit - it's unintentional in the sense that I don't think it needs to be fixed?
However your thoughts are welcome @past night ^^
M3talhead, there is only one way on to that machine. Uploading to the SMB isn't it unfortunately. It's a nice try though.
@patent token That being the case, is the vulnerable dialect the way in then? It was the first thing I thought of after I got a full enumeration. I'm familiar with ||the MS17_010 family of exploits||, but none are landing ||(even though NSE output indicated that SMBv1 is default)||. If this is a rabbit hole, it's a good one...
There are no kernel exploits. The executable you found is the answer. It associates with a port running on the machine.
That said, this portion is somewhat advanced and requires knowledge in that type of exploitation.
Right. The right enumeration returns a lot of information about that port. I can see in strings where the executable makes the call to that port as well. I'll dig deeper in the exe.
@vernal ridge not sure how you got the exploit working, lol:
wait !
the exploit it for 7.12.4 and the website is running 7.15.4
actually the right execution made it work
M3talhead, you won't glean much information from that outside of a link I didn't know existed.
The secret isn't inside the executable, it's what you do to it.
M3talhead, you won't glean much information from that outside of a link I didn't know existed.
@patent token Thanks! I just fired up the debugger and was about to deepdive. lol
yeah i consider the impact is minimal so it should be fine @vernal ridge so i'll leave it as it is
kinda yes!
i'll let people struggle with it haha
@patent token ...when you say it's what you "do" to the file, you're not talking about modifying it offline and replacing it, right? Just asking for clarification since you mentioned in a previous reply that uploading isn't the way in. It's probably something stupid simple, I'm just overthinking it.
||it's a buffer overflow exploitation||
Nice rabbit hole! I noticed the ||\VBOXSVR\dostackbufferoverflowgood...|| in strings and the debugger but was going for the low hanging fruit first.
Not supposed to be a rabbit hole. I didn't make the path completely obvious, but there is truly ONLY one way onto the machine, and one way to escalate privileges.
Hi everyone, Room "Network Services" Task4/#8 "Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server" > I have no clue on how to get John Cactus' password to ssh into the server.... any hints ? Did I miss something ?
@white salmon Do you know about SSH keys?
Do you know what they do though?
Explain to me what you think
I have both John's public and private
I need the private to authenticate myself when I ssh
but I need a password right ?
Ok, so why are you asking how to get the password?
No
The SSH key authenticates you.
OK i have done something wrong then
Yep.
do you agree that sometimes you need a password to ssh no?
right
There's a lot of ways you can authenticate to SSH
Username and password is one
Username and RSA key is another
I'm confused with the password vs passphrase
passphrase is for the RSA key
This key doesn't have it
A passphrase is for the cryptography. They're meant to be longer than a password.
That doesn't make sense
@white salmon You don't need a password to authenticate with an id_rsa
If you're being asked for a password, you're doing something wrong
If there's a big box that says permissions too open, make sure to actually read that and fix it
ok
@white salmon You don't need a password to authenticate with an id_rsa
@stuck fractal thanks to you I just discovered "ssh-add" > I was always asked for my passphrase when I was ssh-ing to my server, now I am not anymore
@white salmon Passphrase is for the key
It just decrypts the key
Password is for the server
Yeah I know, but I think i never really paid attention to the difference between passphrase and password, and now I do
I think I have identified a potential issue : the "id_rsa.pub" file is understood as a Microsoft Publisher file
therefore it doesn't find the public key and asks for a password. It is what I understood from the verbose mode
Ignore me, wrong channel, wrong topic
no probs
Not supposed to be a rabbit hole. I didn't make the path completely obvious, but there is truly ONLY one way onto the machine, and one way to escalate privileges.
@patent token Good job regardless...๐... I've gotten to the point where I can abuse and connect to the exe when it's hosted on the local machine, but when I swap the local IP in the exploit for the target IP, the target doesn't connect. Have you had this happen before? Same exploit, same listener.
I can DM screenshots if that helps...
So, there's one tiny detail you're probably missing in your dump.
If you need help on that specific part.
You'll have to scroll forward to that point though.
God I'm an idiot...
@white salmon Nope
id_rsa.pub is the public key
You authenticate to the server with the private key
is binex broken?
is binex broken?
@night rivet I did it 2 weeks ago with no issue.
@wraith marsh Task 8 onwards is an excessive step
@wraith marsh Task 8 onwards is an excessive step
@stuck fractal I thought he was talking about the room called binex, my bad
The room called "binex" works perfectly fine if that's what he's on about
If I remember correctly bof1 is the one that's broken (still doable but not suitable for beginners)
Yeah, someone posted a write up for bof1. It looks like You have to rewrite the shell code.
Need help with this, for order only, for room ccpentesting task 20 subtask 9
I have all I need to create a command. I tested the command and the command works but when I submit the flag it says it is not good, but I know it is. Anyone that can help me, DM only. I will supply my command and I just want to be told if I am missing anything or if it's parameter positioning
@silent wasp No one is going to dm, if you want help from the community then ask here.
OK
Given the username "admin", the password "password", and the ip "10.10.10.10", how would you run ipconfig on that machine
this is my answer and it's not good but it is.
smbmap -u 'admin' -p 'password' -H 10.10.10.10 -x ipconfig
omg
guys, stuck at unix variant with $6$, any hints
@tribal ginkgo Those questions are specifically designed to be easily Google-able, so Rule 13: Keep trying
(If you get really stuck, try looking for example hashes for hash crackers)
I get that $6$ is for the sha512 kind, that we can configure
do I need to find the variant that comes with this default
i guess i got it https://www.akkadia.org/drepper/SHA-crypt.txt
@inland onyx thanks
@patent token Wow...that was a brutal room. I admit that I broke down and had to follow your spoiler to get past the BOF detail I missed. Was chugging right along with normal privec stuff too...right up until I needed to use the last tool to get creds (I was staring at the objects I received, not knowing what I'm supposed to do next with them). Back to the video and it all clicked.
Thanks for a great room!
Thanks for the words! Glad you got it done.
Was it that one tiny detail that got it fixed for you M3talhead?
To get the callback, yes. I forgot about the payload path that was being used during testing. Was still using it when I was ready to hit the target.
After that, it was relatively smooth sailing until it came time to extract the final creds from the 4 loot artifacts. Might have gotten through it on my own with a little more time researching tools, but I was getting antsy and running out of time.
Hehe. Well, it doesn't matter if it's pretty or not. You got it done. Congratulations!
If you did it using the automated process, try doing it manually this time.
If you want more of a challenge with those creds.
There's another way to collect them.
I was starting down the ||NT.dat|| rabbit hole and spent a good hour trying to pull out usable info before I saw your note about going back to the exe. It definitely got me out of my comfort zone and forced me to A) fix things that I'd been avoiding {Wine .dll errors} on Kali, B) re-introducing myself to ruby, and C) getting "outside" native Kali tools.
Not actually meant to be any rabbit holes on the machine honestly.
I actually started my callback attempts using raw methods before it became apparent that my conversations were not going to go anywhere.
Though when that wasn't working, I did jump back into MSF and run the usuals for that target.
It was around that time you mentioned that creating uploads was not the ECP.
Here's the most important question. Were you able to learn anything from it?
Without a doubt.
Hey any hints about flag1 and flag4 in the anthem box?
@light dew Funny you ask as I've just completed that box.
It's so f******** slow
I am doing the final part
Oh I thought you said you were doing flags?
The final part isn't the flags? Do you need assistance with the flags or the getting into the box?
Well user should be easy enough if your inside the box.
Guys any help on the Peak Hill machine, im close to root flag I think
I just need a nudge on the right way
im enumerating the file in opt
Find out what it does
what it does is it requires an input in base64
and I have supplied it with all the possible input, even making a python script, but I get that it can't be grown on the peak hill farm
I googled peak hill farm, and I don't want to travel there
I know that its something related to the python module PICKLE, we have done it in the very first step
but this peak_hill_farm file isn't doing any good, idk what to do im lost at it
You're in hints
Look at the python documentation for pickle
Like, the first page
im doing linux challenges, and on flag 32 you're supposed to ftp a file but it keeps refusing to connect, any hints please? :/
I'm on HackPark right now. Got a shell, got System but I'm too stupid to find the abnormal service. Any hints, please?
I don't want to be spoonfed
I ran ||ps and searched the output with regex [a-zA-Z0-9\\]{16}\.[a-zA-Z]{3} to match the answer pattern.|| But still no success
can someone give me a hint about which wordlist to use on Lian_Yu i got the first two flags
Ok so i am very close to the root
@stuck fractal thanks for the helps
but I have just one last thing
and i cannot figure it out at all
Can't cat the flag?
John made it hard.
I tried running the netcat
cat all files in the dir
i did
Wait do you have a root shell?
Get a root shell.
so what I did was instead of using netcat to get a reverse shell on my machine
what I did was, i just did ls -la /root/ in the payload
and i can see the contents of the root directory, but I cannot cat it out
Get a root shell.
and I have done so many things with netcat but I cannot get a connection back
yes it is
and i also tried sudo su -
and im in the root shell
but i cannot cat the root.txt
its weird file
You won't be able to cat it
yes idk why
hello, may I ask for help to solve the python challenge?
Don't ask to ask, just ask
@wispy verge Are you looking for help or hints?
help
oki doki sorry
Lian_Yu, tried gobuster with dirb big and dirbuster medium and found a hidden page but nothing that matches what I'm looking for or gives me more info. Any hints?
I'm in the same boat James is in.. any little tid bit would be greatly appreciated
I'm in the same boat... I found the webpage and I believe I can post something to it but not sure if I'm on the right track..
You're further along than me
I found the main page, and one other
I ain't finding anything
I'm stuck at a point in the new box Lian_Yu. I have the ticket and I was for sure thinking it was a ||youtube|| ext but can't figure out wth to do with it. I tried Burp, couldn't find any fields that looked like it could be put in. I'm just really stuck lol
I found something!
Nice!
That's where I'm at.
@graceful sun pls a hint on how to get the .ticket
Fair enough.. letting her run even longer lol
do same thing you did to get to the first page that was hidden but add something @white salmon
if someone wants to PM me they can also
at this point I might download new wordlists
@white salmon Dirbuster medium
Are you on Kali?
Ah
Get the wordlists
Is it too early for me to be asking questions on Lian_Yu?
Dirb wordlists aren't the same as dirbuster wordlists
@graceful sun You can always ask, you just might not get an answer
I'm stuck at a point in the new box Lian_Yu. I have the ticket and I was for sure thinking it was a ||youtube|| ext but can't figure out wth to do with it. I tried Burp, couldn't find any fields that looked like it could be put in. I'm just really stuck
found the ticket with the medium list
Again, IDK how people are finding tickets
I found the page with the vid
From there, I found the creds with some more gobuster
wait, you're working on the box right now as well?
yes, I have the ticket
nvm, I found some help, thanks y'all
I feel like I'm overlooking something so simple.
@oblique dagger ||A . in front of something related to computers has two meanings. Either a hidden file, or a file extension. Gobuster can do extensions||
Gosh dangit.. I knew I was overlooking something.. lol thank you
I'm hitting a wall on Task 3 in anthem, I feel like I'm running out of places to look for the RDP login, could I get a nudge in the right direction? I don't want a spoiler by any means
Anyone here tried the gatekeeper buffer overflow yet? I feel like I'm getting close but they have some memory protection stuff to work around
ASLR?
SEH i think
I mean I found a few articles about bypassing SEH
yeah same. I think I'll get it. Learning a lot
@robust nymph you already have the details. Read task3 q1 carefully
@stuck fractal I've run the medium wordlist on all three directories you find in the beginning with the ext but I still haven't gotten anything. Am I allowed to post my command here if I put it in a spoiler?
403 doesn't mean you got a folder
@oblique dagger https://en.wikipedia.org/wiki/HTTP_403
HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden for some reason. The server understood the request, but will not fulfill it due to client-related issues. IIS defines non-standard "sub-status" error codes that provide a more specific reason ...
@past night Okay, so it's from the creds I have, maybe I just have to modify it to work as a username?
@stuck fractal I've run the medium wordlist on all three directories you find in the beginning with the ext but I still haven't gotten anything. Am I allowed to post my command here if I put it in a spoiler?
@oblique dagger dm if you need help with gobuster
oof third hand ping
I wasted 3 hours using the wrong wordlists
Dirbuster 2.3 medium works fine
yep
Thanks, with that little hint I was able to find the file I needed for the password. Much appreciated
In Task3 q1 is it suggesting RDP is not the way to go? I'm thinking I just don't understand domains and RDP enough
@robust nymph Ignore domains unless you're doing AD stuff
If you log in to a machine that is part of a domain, you need to use DomainNameHere\UserNameHere as your username
It's just saying don't worry about doing that
Username = username
Ahh okay that makes sense, but brings me back to my original wall now lol
For that question, it also means drop the domain from the email address
So rather than logging in with <user>@<domain>
You'd log in with <user>
Ohhhhh okay, so I'm probably just trying to login with the wrong user. Thank you both of you
Hello, I'm new to this site. Currently on the Learn Linux room, I'm stuck on the true ending task where I have to access root/root.txt, which I don't have permission to.
- I have tried to look for an accessible file which has "password" in its name, found nothing useful there
- I have tried to look for a file containing "root", found nothing useful either
- Tried to access etc/shadow/ and etc/sudoers but apparently no permission for that either
- Tried to chmod the root folder, but still no good (have no permission)
Could anybody give me a hint on what might be done?
Thanks!
@scenic bolt Look for files belonging to each and every user
Got it! Let me try out that one
Man... Idk if I was trying it totally wrong before. But after a fresh reset of the box the creds I failed with before worked like a charm. Finally RDP'd into the box
Sorry if thats out of place, just happy to finally get it lol
hey, I got the ticket on Lian Yu and I tried all the bases (even with rots) to decode it with no success.. any hint?
@jolly mantle You didn't try all the bases then
hello everyone
can you give me a hint for the new box lian_yu?
I can't find the directory for the first flag
I found one directory but it's not what the flag needs
Hey James, I got the password, I'm in FTP and would I be on the right track if I needed to look at the files inside my user's home folder? Am I on the right track?
gobuster in Lian_Yu is a bit of a pain in the ass I guess
@jolly mantle You didn't try all the bases then
@stuck fractal I will try again.. as far as I'm concerned I've tried base[32,58,62,64,85]
@jolly mantle DM me
ok
@oblique dagger There's a few files, grab all the non default ones. Look for hidden as well
Ok cool, I did. So I just need to keep attempting. Thank you
@grand pivot directories can have other directories inside them
@stuck fractal @grand pivot got something from medium in reaaaaaal white
but I guess it's not useful yet
It comes in very handy
i need the... numbers?
yup, we need numbers
gobust the things you found
progress 44% on medium lol
Don't stop at 1 level
@stuck fractal what do you mean
that I have to be recursive
I'm not sure what I should understand from here lol
@viral mason https://tryhackme.com/games/koth for example
/games contains /koth
Gobuster would find games
/koth would be a second command in gobuster
now we are on track
yeah
thanks James, let me try it
I'm a bit sleepy, I didn't understand at first, sorry lol
yup, found it @grand pivot
yeah! me too
So I'm on the machine now. I'm lost trying to find the Admin password. I found ||/backup/restore.txt|| but do not have access; I turned on hidden files. Is it a file I'm looking for, or more of a privesc route?
I'm stuck on crackme2 (task 7 of Intro To x86-64), any help would be appreciated
@verbal wedge here's the hint: https://www.youtube.com/watch?v=a4VvRWTD3Ok&
@stuck fractal any nudge for ftp username?
Don't tag the room creator because you're struggling
@viral mason Codeword should have been codename IMO
let me search further
@white salmon the YouTube link. Open it.
[*] ret020 Cron jobs....................................................... yes!
---
/etc/crontab:SHELL=/bin/sh
This looks suspicious
@scenic bolt Look for files belonging to each and every user
@stuck fractal Thanks for the advice, solved it!
I've watched that compilation too many times
@verbal wedge you're not going to get root on learn linux with linenum or linpeas
yeah, I'm stuck
@stuck fractal thx James, got it
hello, pls hint at ||hidden|| in room madness
@white salmon you mean the one with secret?
yah
@white salmon that was fast.
um after ||checking the source code, you can see that it's between 0-99||
then, you can either do basic python scripting
or manually try it
Can anyone help with the last task in INTRO TO x86-64
but I suggest you do the scripting; it can teach you something if you don't know it
even if you know it, it would be nice practice on GET requests
Yep I'm stuck on getting the flag here for Learn Linux
optional really did a great job with madness btw
I really liked that room but at the same time I really said "you crazy...." when the rot thing happened lol
@verbal wedge I want to help but I don't remember what I did on that one
I'm really stuck
@verbal wedge which part?
getting the flag lol
@verbal wedge look for files belonging to each and every user
so uh, I'm stuck... I got the thing and now idk what to do with it.. hint?
@white salmon ask questions better, jeez
it's done
Saw a question a little bit ago about Gatekeeper. There are no ASLR memory protections in place on that machine/challenge.
If you're seeing that, you're doing something wrong.
He's not banned. Looks like he left though
thanks @inland onyx
could you give me a hint for the box [Lian_yu]
I got password for ssh, but I can't find the username...
@woven pumice there's a hidden file on FTP with a short story
A few potential usernames in there
ls -a to list hidden files works in FTP as well
You should always look for hidden files
Hi guys! What kind of hint could you give me for the room: Wgel CTF
I already have the SSH key
But I can't connect with it. ssh2john tells me there isn't any password
I'm sure I miss something else
that's good, that means the SSH key doesn't need one, just use it to ssh into the machine now
I tried
But it asks me for a password
I used the flag -i to specify the id_rsa file
@solemn smelt
As you can see on this capture
I believe you may have to change the permissions of the id_rsa
I did it too, set it to 600
oh, you have to specify the user you're trying to ssh as
if you don't know, I would suggest further enumeration
Ok, that's what I thought, I'm missing information
I'll continue to search for something like this
help with a flag in Learn Linux, I swear I have the answer but it's not accepting it.
task 12, I'm switching shells to shiba2 but the password that was correct in task 11 will not work.
"environment variable"
su automatically connects you to su (with the password)
try typing ls
and you'll see shiba2
@shut whale
hello everyone, can you give me a hint for the new box lian_yu?
I can't find the file name with the SSH password.
I got the pass from ./shiba2 but it says it's wrong
@regal vessel did you do stegh to find SSH?
any hints on the "CC: Radare2" room on the the_final_exam binary
need a hint on lian_yu for finding the SSH password. I can see the hidden files and got the pictures but I can't seem to get anything out of it. tried steghide, but I don't have the passphrase. any hints?
@marble dagger maybe you can guess or brute that passphrase
Please.. need some hints on task 2 of https://tryhackme.com/room/lianyu I tried with dirb but nothing came out
@neon acorn means stegh doesn't help to find SSH?
need a hint on lian_yu for finding the SSH password. I can see the hidden files and got the pictures but I can't seem to get anything out of it. tried steghide, but I don't have the passphrase. any hints?
@marble dagger hey.. if you are doing the same room can you tell me something about the 2nd task..
Please.. need some hints on task 2 of https://tryhackme.com/room/lianyu I tried with dirb but nothing came out
@indigo ridge use gobuster
medium you know
@sinful plaza Does stegh help us to find SSH?
@north moat which task are you stuck on??
#5
it's not the tool problem
@glossy basin medium is the way forward lol
@indigo ridge did you try dirbuster or gobuster?
yeah, i know
#5
@north moat found images already???
I'm also on LianYU - for some reason the ||Leave_me_alone.png doesn't open...|| I think that may have something in it but binwalk doesn't find anything, file magic number
@potent quail
remove the spoilers
@past night sorry done
ah sorry
yeah, it's fully related to the answer
ah ok
yeah, it's fully related to the answer
@past night I modified the file header of the image file, but only a little content is displayed, is this normal?
@sinful plaza I fixed that file, it's Mp4 but doesn't play anything
@north moat not mp4, it's an image
is png right?
@sinful plaza
yes, but I mean inside that png.
@north moat ||go after jpg||
is png right?
@sinful plaza
@regal vessel ||go after jpg||
can I DM?
sure bro
mind if I DM quick please?
sure, DM me @potent quail
Do you guys know what type of problem it is?
I don't know any file extensions that have 6 characters
So I'm not sure what to search with dirb
You don't need dirb to find the extension, simple enumeration of a webpage will help you find the filetype
For the file type, you only need fuzzing and inspect element
Ahh ok thanks
And I'm not sure what the code word is helpful for yet, but maybe it will be later lol
That will come in later, I think for Q5
Ah ok thanks
First time doing a medium level room as well
A bit of a challenge so I thought why not lol
I'm done with the Lian_Yu room
Oh damn, everyone's too quick
yeah! community!
First time doing a medium level room as well
@grand pasture It's ranked as an easy room
Oh? I thought the thingy was orange rather than green
Oh no, if it's supposed to be easy then I think I'm not supposed to be stuck lol
@warm schooner What wordlist should I use with dirbuster to find the file? Because it's been going for a while and it's still not found it
I used 2.3 medium
Ok I was using small
The wordlist shouldn't matter too much as you're looking for numbers