||find / -type f -name "4bcbe*" 2>/dev/null what does this mean? When you type find / it is searching the whole system. -type f: this means that the type is file and not a directory; for a directory you want to put -type d. -name "4bcbe*": this means that there is 4bcbe in the name but it continues, so you put *. 2>/dev/null: this sends everything that is not what you are looking for to /dev/null (look at /dev/null as a black hole: you send something and it doesn't come back)|| @worn cloud
#room-hints
I am on Peak-Hill right now. I have encoded the binary file to hex and then back to ascii. This is the file that I have. I'm not sure what to do with it now. Do I have to put it through one more encode/decode? :/
Still looks like garbage to me.
@white salmon I read the question again and I have to find a file that contains a string that starts with "4bcbe".
||grep -Ril "4bcbe"|| / is not working for me
can anybody nudge me on stage 5's virtual host on CTF 100?
@white salmon nearly, elf
did you find the hidden data in 10.jpg @viral mason? maybe look at that again?
The 2>/dev/null only redirects errors
ohhhh right. @median compass
happy hunting
thanks man
yes its putting errors to /dev/null (which is nothing i think? ) @stuck fractal
Yep, but the way you explained it implies that that part of the command was ignoring things you're not looking for
Which isn't right
file?
has anyone done priv esc for mindgames and can share a hint?
@twilit swallow file <filename>
well, now you know what it is
is there something i need to install
wooow
so I could have vi <name of file> this entire time
🤦
thanks for the help
can you guys please tell me that what should i do with this port knocking order at the end of stage 5 on ctf 100? my brain kinda stopped..
what do you mean?
oh wait, port knocking order
i thought it might be ascii but probably it's not
yeah the one with 2x3 pairs of chars
||you got numbers from the respective sites, each 2 char pair corresponds to a specific site||
hi all , privesc on mindgames involve reversing or pwning ? thanks
Hi there,
Just doing the Peak-Hill room
But I'm not able to unpickle the creds file.
I have already decoded it to ascii.
But unpickling it gives this error.
where'd you decode the binary
did you just copy the ascii to a file?
Give me a moment.
i'd suggest decoding it on a different site (cyberchef maybe), downloading the output and trying again
Here is the file that I'm trying to unpickle.
Ok, I'll try with python3
Maybe I need to carve out a pickle?
Maybe the real pickle is hidden within the file?
that should've worked afaik
seems like not all non-printable chars got through from what i see
I'll try and decode with cyberchef
@white salmon no reversing or binary exploitation (buffer overflow etc) in mind games
@wooden mist done
try decoding again on cyberchef and downloading the input, that should return a valid file
Just downloaded. Unpickling now.
||oddrabbit@Wild-Dog-Pro:~/Documents/tryhackme/peak-hill/foothold$ python3
Python 3.8.2 (default, Apr 27 2020, 15:53:34)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
import pickle
file_handler = open("hexdecode.txt", "rb")
print(file_handler)
<_io.BufferedReader name='hexdecode.txt'>
pickle.load(file_handler)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
_pickle.UnpicklingError: invalid load key, '\xc2'.
data = pickle.load(file_handler)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
_pickle.UnpicklingError: invalid load key, '\xc2'.
||
Ok there's the output after downloading from cyberchef
Really you were able to depickle it?
That's weird.
Let me try again.
Which one did you upload?
Did you upload the creds or the decodehex file?
creds
Ah uploaded the hexdecode.
Must have corrupted it somehow.
Maybe missed a character
Awesome, deserialized it successfully.
It's a list.
Thanks very much for your help. @wooden mist
if you are copying the ASCII from cyberchef or some site I don't think it would work. Copy the hex, use unhexlify in python or use xxd to make the txt file. Then load it. Also there is an option to load strings as well, not only files.
No, I downloaded the file.
didn't copy and paste.
I'm thinking that I must have missed a character when copying the cred file from my machine to the website.
anyone got a couple hints for Linux challenge
is there hint for room jurassic park?
well i did get the table name/databases.. somehow the users table lead to hole.. with column username:password
||does priv escalation from hatter -> root has anything to do with cronjobs? (wonderland)||
@rancid crystal Thanks. Got root.
any help on breaking forget password mechanism
@white salmon for what?
after you have debugged something with r2 ("hitting a breakpoint") how do you restart the program if you want to run it again inside r2 ?
can anyone give me a hint on python playground? I arrived at the page where the credentials are but I can't figure out how to convert that string to the actual password
@rancid crystal Owasp Juice shop
@echo thunder RE it
Anybody got a hint for the last linux challenge? Im guessing i need to change to root user or use chmod but permission is always denied.
Look for interesting log files
Jeez @steady stratus why are you up so early what time zone are you in
I'm in BST (:
It's 11am but I get up really early anyways for work rota's and things
Oh I take it back then it's 6 am here
Ahahha - I should be asking you then!
I'm torn between two answers:
1 I'm asking myself the same thing
2 i sensed people needed my help so I was awoken by their silent calls from discord
Ah yes, those calls huh
They're quite loud to the trained ear
Just work as per usual
I decided actually to not do any hacking today and instead finish charting out 6 songs on bass that I've been putting off
You?
Ah nicee - been playing long? That's kinda rad
Nothing exciting for me, in the middle of moving house so just doing odds and sods around the house ^^
For about a year
Oh cool! Kinda a bad time to be moving?
Or is it easier with the whole pandemic deal?
@steady stratus Was that aimed at me?
ah yes - sorry @whole valley (:
Need a hint for wonderland ||Got the executable and gonna use r2 to alter it. I can see in one of the strings they are running /bin/echo. If I want to alter another string, how do I then write it so the executable doesn't output it as a string, i.e. simply prints out /bin/echo xxxxx||
@mild eagle think about what you might be able to control...
no need to alter the executable itself
no hints on rooting mindgames yet, eh?
yeah well, that was given
I just saw an odd capability and a couple odd suid programs, but I can't seem to exploit that
yea, tried those as well
James mentioned that he didn't include any rabbit holes in that one. So the odd capability must mean something, right?
(That upvote was a hint btw)
JB's screenshot with the ||modified uid || also hints in that direction
The plot thickens
oh hmm
the ||capa|| is probably what we need, but how the hell can we exploit that... not the easiest binary to exploit
maybe it is like the ||lightweight htb box(from researching)|| but cannot do anything
No, it's really not the easiest one to exploit
As I said yesterday, I would have needed the writeup when I tested it if James hadn't dropped a brief hint earlier
@spiral stag thank you for the hint i Think i Can go On from here.
gl!
Who said you need to "exploit" it?
exploit in the abuse it sense
trying to figure out how to use it to run code but that might be the wrong way of thinking about it
Has anyone finished the new "https://tryhackme.com/room/rpburpsuite" room? I'm stuck at the shortcut question. #4 "Take a look at the actions, which shortcut allows us to forward the request to Repeater?" The solution is displayed at the Action Button - Context menu in burp but my submit is wrong: "....+R"
If this is not the right channel, sorry. 8/
check the hint
This bad little button?
not bad, but yes
Thank you.
What port is for the web server?{Anthem}
Enumerate using nmap
thanks but which ip
The anthem instance
Enumerating and discovering what ports & services are running is an essential step in pentesting
@steady stratus Thanks brother
have fun!
brother its free or paid
rpnmap is free ^^
ok bro
I feel like i am in a self-inflicted rabbit hole on escalation for mindgames
i THINK i know the path forward... that or its completely wrong and have looked into this for 6 hours now
welcome to the club
is there a CVE attached to your rabbit hole?
we're probably stuck at the same place
no
or not
hydra, DM?
Don't ask to ask, just ask.
Can anymore give me a clue regarding the pickle Rick game
Idk where to log on to Rick's computer
I think I know the username and password but where do I enter them?
Please ping me when u answer
I am attempting this puzzle now...I need to know if there is any way I can just enter the username and password and get into Rick's computer
There is... by learning how internet works, more or less.
Ok..so u mean this puzzle isn't for my level?
Then I'll just terminate it and learn the other stuff
Thx for letting me know
@gaunt herald i think your response was irrelevant. here we help with rooms
@clever bane the username and password are used for SSH connection
that what you usually aim for - gain remote access
Understood!
Ok
@gaunt herald don't get me wrong, you didn't do anything bad or so but this channel is for room helping
U think banner grabbing the IP with a different terminal a good idea
So that u know the OS
And can locate the password folder
maybe 🤷
also, if you ever stuck you can easily check writeups for guidance
not sure
If that doesn't work...
Doing an OS scan should...
yeah
And then u can locate the password folder and then give him his password
banner grabbing is not that important for THM but OS nmap scan is important
Ok gotcha
I prefer banner grab as it's passive...but here I guess it's fine to try an os scan
@white salmon sure
What Binary do I need to run on room1 task21 "Binary - shiba2" I think I'm halfway trough the task, I just don't know what to run to get the password
room lfi basic ---task3 ques 6th can any body tell me the what to do in that ques.....i get bit confused in that
@glacial remnant it walks you through what things you need to run, try rereading the prompts
@oblique cliff It doesn't specify what Binary needs running
@oblique cliff Thank you so much! I really don't know why I didn't think of that
No problem
hey any hint for the privesec in the Mindgames room!
I got the user.txt but am stuck since!
embargo?
Only 3 people have rooted the box, and they aren't talking
Well notwithstanding the testers/reviewers
lol
I hope they don't help until after nahamcon. I'm out of ideas for now
There was a small hint given a few hours ago @light dew ||apparently the unusual capability setting is relevant||
in ctf100.. am i supposed to use the port knocking sequence from stage 5 for stage 6? or am i missing something? doesn't seem to work. tried all iterations
@potent vale Thanks, I will look into it!
Mindgames is the perfect example to remind you that you SHOULD TAKE A BREAK!
@white salmon ask away my man no need to ask if you can
@hasty slate I've been trying to figure out how to get onto the box for the past half an hour and i already feel out of ideas!
ha ha .. I believe getting into the box is the easiest part.. after that it's kinda tricky.. and impossible if you are tired.
@stuck fractal you, sir, are an evil evil person
there is a rabbit hole though, contrary to earlier statements
hello, im currently attempting the Gatekeeper Room and so far i've scanned the open ports. I have managed to ||download gatekeeper.exe|| from ||the share USERS|| with the ||smbclient|| command but now im so clueless as to what i should do. I dont know if this has anything to do with ||reverse-engineering|| but if it does i don't know much about it. Could someone point me in the right direction??? Am i supposed to examine it with something??? im so lost?
How do I block out my text so I can give a basic mindgames hint?
still kicking myself for not seeing it earlier
Just pm me if you are stuck at the beginning and stuck on enumerating if you want a hint for mindgames
||spoiler tags are like this||
@ripe hedge I didn't put a rabbit hole in there, so it's one that you've manufactured. DM me how you rooted it
@stuck fractal you blocked DMs, probably a good idea
@ripe hedge same XD
I'm trying the mrrobot ctf and on the second flag. || I've got a username from the dic (removing dupes) and I'm currently enumerating it again for a password but I've been waiting for quite a while... is this a dead end? ||
@zinc oyster Nope
Thanks, I found one of the tools seems way faster than the others so instead of an hour or so of wait it might just be some minutes more
splunk room only missing question 21 in task 2 any one has an hint ?
@zinc oyster not a dead end BUT u missed some trivial thing on your previous steps.
||which couldve cut down the cracking to none||
@zinc oyster || make the dict only unique words ||
@obtuse osprey || you're on the right track that you have to reverse engineer it! I'd recommend the x86/63 room and then the bof1 room to get an idea of how to do that. After that I'd watch a walkthrough of an actual BoF cuz it's pretty systematic and the only way to learn it is to see one ||
I got into the machine now thanks for the help
I had no idea the || metasploit rpc user/password enumeration and the hydra way was about 10-50x slower than wpscan || lesson well learned
um, privesc on mindgames, i feel like i'm deep in a rabbit hole
a break might be a good idea
take a break
Take a break.
haha
mind games 🤯
Why is it that a ping sweep with fping and nmap may give you a different number of alive hosts
Don't they do the same thing? Send ICMP packets?
is o*l is a right direction for PE in mindgame room? Looks like it have suid bit set ? Thank you in advance ?
@lyric steeple There are no (intended) rabbit holes in this room, so if you find something highly unusual it should be useful. That was also confirmed as a hint a few hours ago. Use the search or scroll up in this channel to read about it.
Thank you @potent vale
And with a few hours I mean like 9. I spent way too much time on that today
@potent vale seem I found it but the reverse shell will not bring with root privileges. You mentioned it was not work for you and suddenly it starts. Will Try to figure out why. Thanks again
yeah it was a doozy
Good luck. I think I tried the same what you seem to be doing at the moment. You'll get there eventually.
yeah I tried that angle a few different ways as well
@potent vale thanks
congratz haha i still struggling T_T
@eternal wadi if you find a door just try to understand why your payload does not give you a root. What is missed? Good luck.
Thank you! I will try again
hour 20something of my struggles with this esc. so close... just need to sort out that last little bit ... yet that last little bit is the hardest part
any hints on the wonderland machine? I'm currently ||hatter|| and I'm just completely lost
look at how the various files you have access to work...
i don't wanna give too much of a crazy nudge and get yelled at
Def worth while to look at absolutes though
hmm, thanks
@bitter shadow I did wonderland after mindgames and because of mindgames i got root quite fast. LinPeas should help you with this machine.
any hints on mindgames privesc? I think it's something with the ca********** of the s***** file but can't figure it out
@white salmon run linpeas and try to find something which is unusual. It is a bit tricky to find it and also a bit tricky to use it to get root. First find a door, next check what you need to find a key. Another hint: Why the binary can help you with privilege escalation and why it is not on the list when you trying to find it. Hope it helps
@lyric steeple thanks man i think i know what you mean i'll take a break and try it in a bit
i need to ask someone about ||bind|| part on privesc for mindgames real quick, who can help?
@lyric steeple
@white salmon
@white salmon good luck
@viral mason enumerate more
wow, how couldn't i think of that
@viral mason still need help?
kinda @runic dune, can i pm?
yeah
yeah
@runic dune can i pm you? stuck on mindgames priv esc
hey i'm just starting and i tried to access shiba1@{machine_ip} and it says access denied because of my public key. any help would be appreciated
@merry oyster are you connected to the VPN?
yea open vpn. i checked my Network Information and my Internal Virtual IP Address is connected
I did the room not long ago. Perhaps you have some ssh configuration that demands the use of public keys? Google how to override that
Maybe that works
okay i'll look into it.
yea I have been looking to no avail i restarted the vm and it asked me to say yes to the key and then said denied again
Or PuTTy?
Mindgames has this very weird But very simple privesc .. any normal enum script like linpeas or linenum should point out the weird things
Hi guys, I am still on Peak-Hill but I just can't' understand the last program that we have to exploit. Not sure what input I should put in to that program to gain code execution.
What does wheat farm grow?
or what does corn farm grow?
wheat and corn?
lol X farm grows X
@hasty slate still stuck. Been googling for hours now
maybe the first result(or the site we all go to for information regarding binary) u got was all u needed.
All of these people have made it onto the machine, yet i'm still trying to work that out lmao
@burnt cosmos You're pre-flag1? I guess we can give hints for that one by now.
Btw I was PMed by multiple people over night who solved it minutes later. Someone seems to be giving huge hints privately.
The bit I'm stuck on at the minute is figuring what it's encoded in, at first i thought ||morse code|| but there's too many characters for it to work
maybe ctf100 can help you out with that.
yeah.. u'll get it pretty fast tho .. cheers
or did u solve year of the rabbit?
@burnt cosmos
I haven't done Year of the Rabbit yet either
maybe u can check that out too.. it is shorter
Alright great, ty for the help :D
Working my way through Stage 4 of CTF 100, when ||extracting everything from 4.jpg ||, anything within the "Moreflag", all the files are empty but show as downloaded. Any tips for fixing it??
@lyric steeple yea I just went to sleep last night
lol
@burnt cosmos it was in stage 1 itself tho
Yeah i went back and realised it, i got really into it though. Starting to make progress on Mindgames though
lol nice
hey i wanted help regarding the room jack-of-all-trades i can't really get anything out of it i scanned it using nmap and got ports ||22|| and ||80|| but ||22|| is ||http|| and another one is ||ssh|| so can't really open in web ,need help
yes
so open port ||22 in firefox||.. u have to change setting in ||about:config||.. google
okay i will check how to do it, thank you so much
@burnt cosmos You skipped a step, do that step and you'll get the files.
@tidal sedge I've downloaded all the files onto my system, I'll go back and have a look at it later
Off to a other day of that privesc. Let's see how many more times I can type in the same things today
hey there anyone mind giving me some nudge for wonderland? im stucked after following the rabbit. found a hidden paragraph in the source code but cant really figure it out what's that poem mean. Did some google search on it too and im lost now
@dense marlin After following the rabbit, check the ||source code||
@tidal sedge i'm not sure about that, i've did some research on the ||crocodile|| poem for past few hrs and cant really find out how to improve it's tail
||Focus on the rabbit.||
||poem is irrelevant||
i'll try and see thanks for the nudge
Run an nmap scan
i tried looking in Program files (x86)
@eternal brook It's going to be a process that's running, have you tried running something like winPeas?
yes i ran that...
i know the processs its'mess***.exe
but cant get the answer to abnormal service running
If you know the binary you need to exploit, then you know the abnormal service running
Think about how you got to where you are
its Sche*****?
sys**** Sche***** i guess but it's not accepting that ans the hint also point that way
points
Ack im stuck on hatter, and none of the previous hints has helped.
Hi just doing the RPBurpsuite and im stuck on a question. I have been reading through loads of burpsuite documentation and the Bit-level analysis tab on burp and i cant seem to find what 5 letter word the room is after?
@desert bramble it begins with a "T"
ok thank you ill see what i can find
What is the name of the abnormal service running?
stuck at this question frm hack park
saw the tasklist too
Hey all, new here but need some help
[Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default?
been half hour i got root user but stuck at this ques.....
@graceful parcel read the information given in task or try seeing the wireshark packect you'll find out
packet*
ok, and for your question i think you can run a command as root to find out
hello
I'm already the administrator ran tasklist cant find anything that matches the solution length
I have tried all seven layers in a ditch attempt but none have worked
it introductory networking room right?
yes
the answer is from the model only
ok got it
thank you.
np
Hi! I am new to tryHackMe, I am stuck on a question where I need to scan the box using nmap. But to scan where should I get the IP address of the box
deploy the machine
I am using openvpn
look at top right corner of the task
ohh
browser version of kali?
it should probably be the same
oh got it, thanks:)
umm, any hints on how to get root on MindGames....?
umm, did you do it?
hi, im at room jack-of-all-trades im currently stuck at a ||jacks password list|| i tried different decoding at ||cyberchef|| but i was unable to decode it can someone help
yes
same thing, different command
can i dm?
Can I get some help on the Linux room?
If there is anyone willing to help a noob.
Nevermind, got it.
hi, what is the typeof hash?
UEsDBAoACQAAAHZxzFBErFMkHwAAABMAAAAJABwAY3JlZHMudHh0VVQJAAMPf+NeD3/jXnV4CwAB
BAAAAAAEAAAAAIi0kLlrUTLl8MGzgkF3SBA8xSLb4lP6W1t17+l0EtJQSwcIRKxTJB8AAAATAAAA
UEsBAh4DCgAJAAAAdnHMUESsUyQfAAAAEwAAAAkAGAAAAAAAAQAAAKSBAAAAAGNyZWRzLnR4dFVU
BQADD3/jXnV4CwABBAAAAAAEAAAAAFBLBQYAAAAAAQABAE8AAAByAAAAAAA=
Definitely not a hash - there's encoding systems that use = as padding. It's a really big giveaway as to what encoding it is
thanks friends, so how to solve. do you have any idea?
Google what encoding systems uses an equals ||(as padding)||
thank you so much @steady stratus
base64.
@slender umbra what u mean decode? it's a list, use hydra or some tool to bruteforce
PK
οΏ½ οΏ½οΏ½οΏ½vqPDS$οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ οΏ½οΏ½creds.txtUT οΏ½^^uxοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½kQ2AwH<"S[[utPKDS$οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½PK
οΏ½ οΏ½οΏ½οΏ½vqPDS$οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½creds.txtUTοΏ½^uxοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½PKοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½OοΏ½οΏ½οΏ½rοΏ½οΏ½οΏ½οΏ½οΏ½
this is the output of base64.
creds.txt.
look into that.
the header is more telling
hmmm..
@slender umbra I remember that one, it looks like one long string but switch instead to the source-code view and look at it then
aaah yeah. u don't have to decode it. use it as-is
@hasty slate thanks it helped
Need help privs esc on mindgames
we all do
@spiral stag ?
||There's a suspicious capability ||which is a confirmed hint.
i've been staring at that one for 2 days now
Strange files on ||server.service||
I don't know how James planned the end of his 2 day embargo. Surely a better hint will be public soon.
im going to feel so stupid when he does
@spiral stag mindgames ?
Level insane in privileges escalation
It's simpler than some approaches you had if you worked on this for two days
Actually not much harder than most "standard" privescs on THM. It's just like it was designed to make the usual approach fail.
Yes. You can also PM me with your current idea if you're totally stuck @spiral stag
thnx!
When do rank update here from the website?
You have to update it manually by re-dming the bot with your token @white salmon
It's manual for now, but will be automatic in the near future
Ok thanks!
hello.im trying to complete the room "Learn Linux" and im stuck at last task.Bonus Challenge - The True Ending.Can anybody give me a hint ?
Heey!
I can, it's actually pretty easy.
Try to look for the files that each users have access to.
ok.i will try this. thx
If you need a write-up there is one on the top of the room page.
hi everybody. Somebody here for the CC: Ghidra. I'm stuck at task 4, the second question. I have all the other but can't find this one. Thank you!!!
hello guys, im a bit stuck doing "agent sudo"
im currently trying to complete "steg password" task
Explain a little what's going on there please.
oh that one
i used binwalk to extract the image
which outputs a zip
extracted the inside with john
sounds about right
hnmm...
sooo, how r u gonna crack it?
oh wait
I think john can
use hashcat maybe.. if you have a good gpu.
nice!
Any hint about Mindgames?
any robots around here?
task 17
literally can't hear a thing
Any hint about Mindgames?
@solar sage yeaaaa goodluck
Carpe Diem supposed to be the weekly challenge?
Wondering the same thing, since I don't see anything on /releases
@normal peak Carpe Diem meant to be on releases?
@inland onyx I didn't release the machine today
also been 2 days.... looking for someone who wants to put up that sweet sweet writeup for mindgames (or just talk me through what the heck i am missing on the esk)
@tacit roost will know more about it:)
anyone for carp diem ?
@sacred lynx top tip: it's uncommon for anyone to give hints for really new boxes. Best waiting a few days until the competition has died down.
now just weirdo behavior .. just want to confirm
@inland onyx Figured out .. fresh machine will help
any recommended subs domain fuzzer? for cmess room
ermmm need better wordlist.. i will try first
wfuzz works well enough.
yea i used wfuzz.. been using gobuster but something wrong
Hi!
I'm on the EternalBlue room, the exploit keeps failing ,what am I supposed to do, I tried restarting the machine.
Make sure the ip/port is correct, your vpn is working fine and you're using the correct exploit for external blue otherwise it could just be eternalblue being eternal blue in which case just keep trying,
this ^
Then I suppose It's the eternal blue being weird..
Eternal blue is unreliable. Just reset the box and try again
I restarted the machine again, now I'm rescanning to make sure everything's fine.
it's a windows box so give it closer towards 5 minutes before sending the payload too
Also there's a few different exploits in Metasploit for eternal blue make sure you've selected the correct one
Let's give it a quick go again
Is it just not executing or are you not getting a reverse shell?
I did like 5 seconds ago, when 'triggering free of corrupted buffer' it fails.
It is not successfully executing , it fails at that point.
It's the second restart...
It's really 50/50
it's not TryHackMe's fault actually
@glossy basin Yea, I know..
Although it's definitely unstable, the only time I've ever gotten a fail is when I tried popping a meter-Peter shell
fair enough
can we fix it? i don't think we can actually
Dark would have done it already
Nah
I saw that @alpine kelp video on EternalBlue, also took him some time.
It's with how the exploit works
yeah
or doesn't I guess 


@white salmon whenever ol eternal blue isnt wanting to play nice, i just close metasploit and relaunch it and i feel i have better luck with it
@sweet socket I'll try that.
i may just be dumb and wasting more time doing it but i havent had to try more than twice doing it
I mean, I know how to do it, but it's annoying
its so much fun seeing that "C:(L)Users\ " prompt pop up though
i think the hack came from the NSA too or at least was based off an NSA hack that was leaked/sold online

I was so disappointed by the Mr.Robot ending.
They ruined the show in 2 episodes.
i still havent even finished season 2
Oh, then you'll love it until the end.
The show literally got me 'OH WOW THIS IS SO REALISTIC!'.
'HE DOESN'T HAVE A HACKER THEME AND A MATRIX SCREEEN WWOOOOOOW'.
im a bit more partial to the movie 'Hackers', this scene is much more accurate than anything in mr.robot
Dade Murphy (Jonny Lee Miller) fights with "Acid Burn" over OTV programming.
pls no ban me if we cant post dumb videos in here
btw, the exploit is still failing after every thing I redid.
Hackers is sick though
I'm just trying and I've done it three times in a row with the THM Kali (not able to use mine atm)
I have an idea hang on
I take it you're not subscribed given your role (or lack of I guess)?
No. I'm Not.
I want to, but I'll probably subscribe later, when i feel like It will be necessary.
Exactly.
can i get an elevated role here if im subbed?
DM the bot with your discord token from your THM profile in the "Other" tab @sweet socket
It'll sync your THM profile w/ your Discord
thx m8, saving people like me from reading the instructions everywhere
Stupid exploit, I'll try later..
Mhm yeah I can do it okay on my non-sub @white salmon I can only suggest confirming settings (which looked right)
Try this too
!multivpn
• Step 1
Type ps aux | grep openvpn into your terminal and press enter
• Step 2
If there's more than one line (and the second doesn't have "grep" in it), do the following steps
• Step 3
Type killall openvpn into your terminal and press enter
• Step 4
Start the VPN with sudo openvpn <path-to-config>
From TryHackMe with ❤!
Ok, gotta go, thanks for the tips.
hopefully it works next time around
hey guys i'm stuck on Blue Room at Task 4 #2
i dont know how to crack it
some1 can help me?
rooted mindgames, very good box, kudos to @stuck fractal
@steady stratus can u help me?
@teal hull just ask the question, no need to ping people
what is the issue?
i dont know how to crack it
do you know about password crackers?
yes
@spiral stag the hint of the task is: use ur rockyou.txt file
i got it
i got that file
@spiral stag it says: No password hashes loaded (see FAQ)
wait
:3
now i got problem with the directory
why this doesn't work?
/home/ricky/Scaricati/psw
yes
i think
i've pasted them now
but i got error
it says: File or Directory not existing
yes
now osrry
wait
i did an error
lmao
f
i did an error
i says go to the download
and now desktop
f
thx
:3
guys i need help i'm on the blue room task 5 i need to find 3 flags but i don't know where to start, i've searched but nothing
@spiral stag can u help me?
you are admin on the machine?
yes
then start looking at documents :3
.doc?
@spiral stag i've tried but i got nothing
talking with me?
Yes!
in meterpreter?
kali
ok wait i gotta go
and you will see the manual for John.
see u asap
ok.
I'm working on The Blue room too, but I'm having issues with the exploit.
@steady stratus Btw, still having those stupid issues...
It's still failing.
Stupid EternalBlue ain't working.
hey I'm on skynet I got a log.txt file with a list of password i tried brute forcing it with username miles
but got a list of valid password that aint logging in with
3 Restarts of the machine, and msfupdate.
try decrypting again,
could be 2x encrypted.
or you got the wrong encryption. (very less likely.).
can you send a screenshot?
this the log file i found from smb
tried brute forcing with username mile and it returned these many pass .....but when i tried to login it did not work
Look at what url it's attacking, I've got the same problem on other room
Maybe the hydra room could help a bit
Sorry, Swafox. I've helped once more in the hints channel (I'll ensure next time won't happen) :)
ok thanks mate i check it
@white salmon where is the problem
I sent a screenshot.
re send
did u fill up everything
in show options
the RHOST
and stuffs
r u connected to the vpn
?
@white salmon
He could nmap the machine so yeah
type sessions
in msfconsole
and check if he created session
no he dont
@white salmon db_nmap it
and then load the exploit and set stuffs
I did!
Can't you see in the screenshot..?
It connects to target!
But the exploit fails at a point.
yep.
have u tried change exploit?
let me check
The Win8 one is not working.
Sooo, I'll just quit it..
payload/generic/shell_reverse_tcp i've got this payload on try with this
...
i don't think this will change
@white salmon I will have a go at it myself now see if It works, send me a picture of your msf options
try to unload the payload
don't use meterpreter payload
I could never get a shell with it
try setting the payload to generic/shell_reverse_tcp
that's what it is default, and I just popped a shell first attempt with it.
@wraith marsh can u help me? i got problem in the blue room task 5
i dont know where to start
I hit run. Brb.
@teal hull Did you check the hint?
yes
Okay, so the hint is can you C it?
Where would you find C on a windows machine
main disk?
Did you try resetting the box?
and then do it again with generic reverse tcp
@wraith marsh i found the 1st and 2nd flags, but i'm checking manually
Just new to TryHackMe and I run into these stupid issues.
nice!
freaking retarted i'm
@white salmon wait 5-10 minutes and try again
Yea..
Yey, the fifth time.
Still not working?
Nope...
Hmm
terminate and restart the machine
@teal hull did u tried this?
5 times.
anydesk is a software like teamviewer
no non on
i want to help u
cause for me work
and not for u
did u change the ip when restart the machine?
restart ur pc..
Believe it or not, I did.
@wraith marsh i found the flags but how to open it?
I'm in a Kali VM exploiting Again...
Nope
Not working..
Been trying since this morning..
https://www.youtube.com/watch?v=IiX09kiodfs
@sweet socket favorite part of that scene is when he types "mess with the best die like the rest" yet he types it at like ... 3 words per minute.. actually the whole thing he types at like 3 words a minute
Dade Murphy (Jonny Lee Miller) fights with "Acid Burn" over OTV programming.
Hi did anyone tried the Volatility room? Can't seem to find the type of malware in the report.
Hey, guys. Can someone give me a small nudge about Wonderland? Can I privesc from rabbit to hatter without knowledge of reverse engineering and low level exploitation?
You can, yes
Look closely at what the script is actually doing
strings is enough to exploit it -- no advanced RE required
Can I get a quick tip on LazyAdmin Room?
Best just asking
?
As in, what exactly are you stuck with
Oh I just started and I'm a little confused where to start..
hy guys. any hint for ignite room, i am noob on PE.
Rn I'm running hydra and dirb on the IP.
hy i have done lazyadmin, where are you stuck?
nmap says it's down..
but the apache web works.
and now I'm running hydra on ssh and dirb on apache.
but they also say it's down.
is your vpn working?
yep.
maybe your machine terminated and 1 hour has passed?
nope.
the apache web works.
nmap with -Pn works.
but hydra and dirb nope.
I am noob on PE, so idk how to get root access there. Can you give me hint for that?
I already got user flag
Oh.
Escalate privileges.
do 'sudo -l'.
to see what you can do.
as a user.
and go from there.
search in files you will probably find something interesting
@white salmon try restarting your room
also check out Linux Privesc Playground.
@buoyant hatch It's ok now.
PE is basically just doing recon as a user instead of no user
if it is empty check files.
@plush estuary Thanks
use find and grep to see all the files you have access to.
@white salmon Thanks Myan
My tip is to find out-of-date software and misconfigured binary
I like The Linux Privesc Playground Room, it has like 80 ways to escalate.
wtf is that carpe-diem room? Congrats on the guy that made it
the stupid target machine on LazyAdmin keeps crashing.....
any hints for hidden directory in skynet
cant find anything that matches answers using dirbuster
gobuster also check.
it not squirrelmail right?
also use your brain, I mean check for words on the website that might be the names.
i tried gobuster too
And you had to do like http://8.8.8.8/e/l/t/o/n/.
You got it?
trying
You gave me an idea, rn I'm making my own dirbuster,
sooo.. yep.
I already made a request handler in python.
Thanks Guys, I am done with that room
there was a file which gave me credential of root
oh, so easy.
Lesson: Never ignore any text LMAO
sure bro
^^^^
I found 3 ways to leak the flag.
The machine is unstable.
I'm working on a directory buster in python.
I like making my own tools, it's cool.

?
have been putting off daily bugle for awhile because i am not a fan of SQLi, but went to do it and tried using ||the joomblah.py script|| but it errors out (issue posted on github but not fixed). anyone have an idea on how long ||sqlmap|| will take to || enumerate the db||??
Password: )s{A&2Z=F^n_E.B` i think password is encrypted can anyone tell how to decrypt it
any hints
have you tried to use it as it is?
it did not work
i tried
it clearly says this is the password so i think it might be encrypted
what room is that from?
That looks right. You should delete that line.
- saves password *
milesdyson is the only possible samba share available
i tried that pass on it only
i also found a binary file has it something to with this?
@eternal brook that password is not encrypted
@obsidian cradle try using the other python version. The script works for me. Sqlmap if doing time based sqli takes about an hour for me
On that room
@eternal brook you're just getting the username wrong or using the password somewhere incorrectly. But that password is definitely correct
@oblique cliff what do you mean other python version?
i tried with python 3.8/3.7/3.5
So try with python 2
its not written in python2
What's the error you're getting?
traceback and type error
```
File "joomblah.py", line 186, in
sys.exit(main("http://IP:8080/joomla"))
File "joomblah.py", line 183, in main
pwn_joomla_again(options)
File "joomblah.py", line 147, in pwn_joomla_again
tables = extract_joomla_tables(options, sess, token)
File "joomblah.py", line 74, in extract_joomla_tables
result = joomla_370_sqli_extract(options, sess, token, "TABLE_NAME", "FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT " + str(offset) + ",1" )
File "joomblah.py", line 46, in joomla_370_sqli_extract
result += value
TypeError: can only concatenate str (not "bytes") to str
```
thats not my error btw thats pulled from github
but it is the same thing pre much
Can you humor me and try it with python 2
It worked with python 2 for me
hmm maybe something wrong w my brain gimme sec
smbclient //10.10.112.151/milesdyson im using this to login i also tried ssh but its not working @oblique cliff
it says access denied
2 tips....man page and delete or obfuscate spoilers
Where is @minor bough discord channel? The room says "DM me in my discord channel" but I don't see a dark discord channel.
Which room?
CTF100
I'm not responsible for that room, I believe it was created by Deskel
Oops, sorry
probably meant private messages
Oh yeah, my bad. For some reason, I thought it was your creation.
No worries
If you need any help just ask here or in #room-help as Deskel went offline few months back
Ok, will do. Thanks!
any hint for python_playground after i login? i have no idea what to do :/
the first one
i can see that i can read every file in the system but i can't find any flag
there should be a user.txt
