#room-hints
did you look in ||/root||
Just got on, what room?
python_playground
ok im restarting it
@spiral stag no man still no file
i'm connected as connor on the website
but i can read every file like /etc/shadow so i don't know why i cant find user.txt
thought there was no need since every import comes with an error
ok then i'll try to get a shell
good luck
:3
so i got user access in wonderland but might use a hint on moving forward, can't seem to move or replace that interesting file in home dir
read the python file carefully, every line matters
ok thanks
@eternal brook try with backslashes: \\\\ip\\share
doesn't make much sense still...
Which image shows a legit web-page? "anybody ?"
@spiral stag i've found 2 flags any help with the privilege escalation?
i hate poems lol
Can any1 help me off-topic with a python script?
I've been googling for hours without success..
Index out of range at ' url = ... '.
Trynna Make a fuzzer.
you need to read from the file first
also you don't need to loop through the file content every time
>>> with open('/usr/share/wordlists/dirb/common.txt','r') as f:
... print(f)
...
<_io.TextIOWrapper name='/usr/share/wordlists/dirb/common.txt' mode='r' encoding='UTF-8'>
what is the TextIOWrapper..?
I'm probably not getting it...
I already made a request handler, that will actually be a part of the fuzzer.
And that works perfectly, it was done in like 1 hour but this one is weird..
you need to read the file, something like wordlist.read()
hm...
I thought that it was cool making ya own tools, but it's so frustratiingggggg!
@oblique cliff i tried it, still doesn't work. i tried various combinations, both the slashes and the password, including the space and without including the space [password: ()s{A&2Z=F^n_E.B'] and it is not working... some of my commands:
smbclient ////10.10.145.12//milesdyson
smbclient \\10.10.145.12\milesdyson
tried double slash too but still not logging in
Gotta cover your answer man. Post them as spoilers so you don't ruin it for others
And it's not working cuz you're trying to log into the share as anonymous and using the password as the workgroup password
You need to log into the share as a specific user and then use the password for that user
@eternal brook
ok i'm new to discord can someone tell how to hide spoiler?
In network services > exploiting smb > Task 8. I have downloaded the private key file and trying to do ssh -i "john cactus"@ip address but it doesn't work. Can someone give hint on this one
man, is his username john cactus?
also you dont need -i i think
sorry the ssh -i <key file> "john cactus"@ipaddress
try diff username
i use 'ssh user@host'.
I have tried john cactus, james and john
are u sure about username?
i have tried three usernames which I got from the file present there
you are using the wrong username
also if you using -i make sure you have the right file
Actually i'm trying the nmap room and it says to find the OS running on the deployed machine
I tried nmap -O <ip of machine> and it gives many OSes with different versions but still it is giving the wrong answer. Pls help.
@eternal brook || on both sides
use -T5 -O
@carmine ledge read the whole output and it'll be in there somewhere
@carmine scroll the username you're using is wrong then, look around or take better educated guesses what it might be
@white salmon yep I've done nmap -O -Pn <ip>
How do I find SMB usernames with enum4linux?
@white salmon hey bro i have shared the output with u. Can u pls tell what is wrong with it?
@oblique cliff thanks man, i got the smb share with ||smbclient //10.10.145.12/milesdyson -U milesdyson|| but can you tell why it was not working without that? i spent my evening getting this, just wanted to know why it works now
is it because earlier i was logging in as anonymous?
and now the user
Yes. -U indicates the user you want to log in with to the smb share
If you don't specify it it tries to log in anonymously
@white salmon use the man page for enum4linux and research it
I used -a but it ran into internal errors.
damm it took my evening to get this, anyways thanks for you help @oblique cliff
your
That's how you learn homie, it's not an evening wasted, I bet you'll now never forget that
of course maynnn thanks alott
@white salmon that doesnβt specify usernames. Look through the man page and google it I have faith in you to figure that out
yes, but I need to find the usernames, I know them from @alpine kelp videos, but I wanna find them on my own.
I did the same thing but enum has internal problems...
Gj for keeping on at it @eternal brook and it might be an evening wasted tonight, but in the long run you'll save a lot of time as @oblique cliff suggested (:
And the LazyAdmin Room machine crashes all the timeeeee.
And the EternalBlue keeps failing no matter what I try.
Only some of them work..
@steady stratus thanks mate it always feels really good when you find the solution on your own instead of looking for direct answers
@white salmon so try a different tool
For sure @eternal brook
status_code is an integer, not a string.
any hints for priv esc on skynet...... i saw ||cronjob /home/milesdyson/backups/backup.sh || running as root but i do not have write permissions on the file mentioned. is this the right path?
i also found a || config file with root password || but cant login with it anywhere neither on site nor with ssh
@eternal brook if the credentials are a dead end check out what that Cronjob is doing
i read that file i do not have write permissions on either files
if i cant write on those files how I'll escalate
Well, whatβs the file doing
something ||tar cf /home/milesdyson/backups/backup.tgz *|| reading about tar cf what it does
Then you're on the right track so keep on researching
it's creating a gzip archive with the name backup.tgz. ||* || stands for wildcard, does it mean it's creating a backup for everything on the system as ||root||? i tried creating some files, did not get root. probably i'm thinking shitty i suppose
@oblique cliff
Research everything in that file
It's running as root so chances are you're supposed to exploit it
A specific word in your previous response is very important to how you can exploit it
ohk just noticed the cd command ill try something there
ok i know i can create some file and run them as root in html folder but i cant really get way to execute this process
i made a rev shell
it's not executing
Hello to all of you im new here
hey
hello Friends can someone help me, i try to analyse a cookie in the burp room with the sequencer but i can't get past this error
when i press Start Live Capture
Hey if anyone has done BP: Networking I am having some trouble with task 1 number 8, 9, 10. I have completed everything else but I can't seem to solve these questions and have been trying to figure it out for hours.
A broadcast address is a network address at which all devices connected to a multiple-access communications network are enabled to receive datagrams, which comprise UDP and TCP/IP packets, for instance. A message sent to a broadcast address may be received by all network-attac...
Read up on that. And then with that knowledge try a bit of googling for the other 2
Ok thank you
i havent done that room im sorry
@opal hornet its a2lsbHNob3Q
@white salmon I did, I retested, I believe the req.status_code doesn't want to change.
@white salmon Is the EternalBlue room broken?
Blue is not broken.
I've been trying since yesterday to get to exploit the machine.
haha
Well ya see
EternalBlue itself is a very finicky exploit
it may just not work sometimes
talked to CMNatic and couldn't get it..
I knoooowwww, I'm just annoyed.
Kuri
You seem like a smart guy
yes?
Thanks
So I recommend you step back for like 30 minutes, and take a break. Being annoyed in general is a bad mindset for this kind of work
We'll be here when you come back, I don't sleep anyway ;-;
Yea, also did that yesterday, still kinda feel bad it won't let me exploit it :).
EternalBlue is just like that sometimes, Reset and pray seems like the best strategy, you can also try various github POC's
And the LazyAdmin room machine keeps crashing random.
That one, I got nothing
I'll browse github for exploits on it.
Its creator is likely here though
Good luck
@white salmon Which os are you trying to hack from?
Try downloading a kali/parrot/blackarch vm, because there might be an issue with your metasploit installation.
You could also use PoC's on GitHub.
I configured it myself for hacking, I find it easier to fix issues for.
I tried in a Kali VM.
Not working either,
I also use Ubuntu 20.04
Try using PoC's from GitHub.
I am , as we speak.
Also tried changing payloads.
Used https generic and meterpreter..
Hey, I'm in Vulnaversity. Just about to hit the GoBuster but, in my Kali, I don't have the wordlist directory under /usr/share/
Is there one that'll suffice for this exercise?
@keen reef What kali version are you using? I'm pretty sure kali has that directory by default, you could also use seclists(https://github.com/danielmiessler/SecLists).
@tidal sedge
What?
For the payload on LHOST should I use my Private adress or the VPN one?
You should use the address provided by the THM vpn.
Ok.
Hope it'll work.
I re-ran it with meterpreter reverse tcp .
I did it!
YES!
Ran GoBuster with all the word lists from dirbuster but couldn't reveal the directory that has the upload form page
Any ideas for a more fitting word list?
Hmm.
What wordlist did u use?
On LazyAdmin the Common one is fine, but you might need the Big.txt one.
I tried
/big.txt
/common.txt
/small.txt
/vulns/apache.txt
/vluns/test.txt
And a few others, just in case but, I'd have thought they'd be the main ones
Ah, the common one was there!
@tidal sedge Issue after issue!
@white salmon What?
Looks like an issue with your metasploit installation.
yes!
Don't use Ubuntu
Yep.
I realise, Kali is only good because the tools are completely working.
Soo, I'll go and figure out how to fix 100 wi-fi issues and another 100 on nvidia drivers.

@tidal sedge one question. If I connect OpenVPN in Ubuntu, will it be connected in my VM? And what adapter should I use to be sure? Bridged?
ok.
UPDATE!
The issue is with metasploit itself.
The current version is bugged.
@tidal sedge
You guys think Ubuntu 18.04 has less pentest tool bugs than 20.04 because it's older?
Im thinking of downgrading
I'm stuck in BioHazard, Who is STARS BRAVO TEAM LEADER ? Anyone?
google it?
guys i can't exploit it from yesterday. Do you have any tip for flag3 aka privilege escalation on python_playground?
Yeah, When you got flag1, if you enumerated that part of the box you should have seen a connection. explore that.
ok thanks
@wraith marsh how can i enumerate that web with python when it does not even let me import modules? :/
Maybe it does allow them? maybe theres other ways of getting it to work
hi guys, im on Network Services Task 4 #8 - I was able to download the RSA key, i chmod to 600 like the instructions say, but now im struggling how to log in with the key and get the smb.txt flag. Any help would be appreciated
Have you got the correct username?
yeah, i think i got the correct one when i did the enum4linux
Show me the command you're using but please use spoiler tags with || either side of the command
smbclient //10.10.174.4/profiles -U ||cactus|| -p 139
im confused with the key though, like how i use it or do i need to decode it first
oh, you use that to login with SSH, its an SSH key
rightttttt ok cheers... so now its asking for a password. I havent used SSH much. surely i dont just paste the entire key in haha
No no, theres a switch for SSH to use the id_rsa, I'll let you figure it out, if you need help googling "SSH login with id_rsa" or in the terminal man ssh will lead you in the correct direction
If you do some research and are still stuck just ping me again and I'll see if I can help a bit more
nice one mate. i'll dive into it a little further and try and work it out.
got it haha that was fairly easy, just needed pointing in the right direction
Does anyone know how to isolate human readable text within a c compiled file
strings?
nvm
https://tryhackme.com/room/linuxctf task 4 # 7 i need command flags to find a specific character count also starts with a specific string of letters
@round patio look into regexes as well as using the find command with the grep command
regex?
yes
regex isn't a command allowed on the device by administrator
Anyone have hints for Ignite privesc? || I ran Linpeas and LinEnum and there was no interesting SUID files or anything else that I could see. The version of Ubuntu the machine is running isn't vulnerable to an exploit I found, out of other ideas||
regex isn't a command, it's a regular expression used within commands
@round patio not the command regex. How to use regex to search for something
@oblique cliff Check for config database files
thanks
alright because ive tried find -name flag26* | grep 4bceb
but all are permission denied and can't find the place
and 2>/dev/null/ doesn't clear it
they didnt say the name of the flag was going to be flag26
and thats cuz you need to redirect the errors for both the find command and the grep command if youre going to pipe it
well it tells me /dev/null isn;t a dir
@tidal sedge ugh || sql database creds, i suck with this time to look up how to use mysql lol|| can you tell me if thats the right track so i dont waste my time tripping over my own feet?
@round patio dont be sorry, we all start somewhere
@oblique cliff yes youre on the right path
thanks
@oblique cliff Just look who the creds are for
ahhhhh i think i know what to do @tidal sedge
so would i do the find / -name flag26* to find it and then use grep -rnw /path/ -e (letters)
you would do that if you know the file is called flag26......
but you dont know that
so i got sent this find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^[a-z0-9]{32}$' 2>/dev/null
but i don't know what it does
so research each of the flags and commands and try to learn it
if you have questions ask, but try to research it first
take a break
and come back when youre not frustrated
then research
youre not gonna learn too much if youre frustrated
ye so i gotta research regular statements
@tidal sedge so im pretty sure ive seen this privesc before, but i found one using ||raptor, but that one doesnt work since mysql has secure file priv turned on. I saw you could turn it off by changing the my.cnf file but i cant write to that so i dont think i can get the raptor exploit working|| is it something else? I thought when i saw this type of privesc before i used a different method but i cant for the life of me remember how
You are very much over complicating things.
The privesc is very simple.
@oblique cliff Have you ever heard of ||password reuse||
i havent looked at that spoiler but i got it right when you said youre overcomplicating things
thank you very much for the help
disappointed, i shouldve looked for ||config files|| and then ||password reuse|| immediately after discovering that first part
ahhh maaan, that was outputted in linpeas too if i had only looked closer. bummer
After you've seen it as a possibility once, every time you get a www-data user you'll always go there first.
true! worth banging my head the last couple hours
If there's a config file, it's there for a reason in labs usually.
Noted. I thought they were always generated automatically so I didn't pay much attention to it
Anyone have hints for flag 2 on mindgames?
@tidal sedge Any hints on Vulnversity last flag? I escalated from PHP Shell to Full User Shell, But no password nothing.
And the '/bin/systemctl' looks weird, like it's corrupted
Ohhhhhhh, thanks!
How is Carpe Diem tagged with graphql when ||error connecting to|| 
https://tryhackme.com/room/reverseengineering having trouble understanding crackme3, this section:
mov -0x28(%rbp),%eax
cltq
movzbl -0x20(%rbp,%rax,1),%edx
mov -0x28(%rbp),%eax
cltq
movzbl -0x23(%rbp,%rax,1),%eax
cmp %al,%dl
Wait, is that AT&T syntax?
youre right, im a noob for posting unfavorable syntax, how dare i
Nah, I think Ashu uses AT&T syntax so the whole room is probably in AT&T.
so i understand cltq converts to a quad word, and i think movzbl loads a byte at 0x20 (to most significant?) and im guessing pads the rest with 0 bytes
id like to step thru and check registers but too noob to know what im doing, guess i should just give up or try harder
Is LazyAdmin broken?
I literally followed the walkthrough to make sure and it doesn't wanna escalate.
I followed 2 writeups to make sure.
Hmm...
didn't use a walkthrough tho
I dunno, maybe the write-up is broken.
Whatever.
The EternalBlue runs into issues because of latest metasploit update.
it is
So, no EternalBlue...
@inland onyx They were having issues with Blue earlier.
Ah, I see
how to find return address from gdb ;_;
makes it somewhat better imo
tryna learn some bof :3
@obsidian cradle If you are interested in buffer overflows LiveOverflow has a playlist on his YouTube channel.
awesome thank you! i will for sure check it out @tidal sedge
so im doing binex task 3, it says ||Step 5: Read the stack or register RSP to find a suitable return address.||
so|| RSP is return address|| to use for my payload or no?
are you familiar with the stack?
not one bit
:3
I would recommend learning that first
Making yourself the all-powerful "Root" super-user on a computer using a buffer overflow attack. Assistant Professor Dr Mike Pound details how it's done.
The Stack: https://youtu.be/7ha78yWRDlE
Botnets: https://youtu.be/UVFmC178_Vs
The Golden Key: iPhone Encryption: https://...
the stack
how assembler works in general
it's quite a steep learning curve
but so rewarding when that first bof works
there are some rooms for that as well
i will master bof by the end of today
Famous last words
dies
lol
thank you though, will be doing big brain learning today
have fun!
hey i was just trying Daily Bugle i got admin login page so i tried using ||sqlmap|| but it does not show the page vulnerable
i tried increasing the level
sqlmap is known for not working too well on that room
try looking for dedicated scripts that are related to that room
not really an alternative to sqlmap but a tool for sqli
does zap detect sqli?
@eternal brook did you still need help
ZAP detects basic vulnerabilities. It's by no means a robust vuln scanner though. It's more looking for service banners with known vulnerabilities.
I'll give the machine a try tomorrow, couldn't find something that @wooden mist asked to look for..... had some shitty online assignments to be submitted
Thanks @obsidian cradle I'll ask if I'm still stuck tomorrow
Thanks @patent token appreciate it
hey
I have a question
I have to setup the VPN connection inside of my virtual machine
correct?
I mean the machine I will be using
which happens to be a virtual machine
yes download your vpn config file from thm in your virtual machine, and sudo openvpn yourvpnconfigfilename.ovpn ( itll be in your downloads directory )
@white salmon
alright thanks
Just finished Ice on my own, huh!
Oh and there's a bug on the Basic Pentesting, latest enum4linux version has issues finding users on SMB.
And metasploit on EternalBlue has bugs, latest version.
hey.. I need some hint on mindgame... whats the use of that server.. it just listening on some ports .. how do I make any request?
It's listening on Port 80 @indigo ridge
yeah.. I noticed.. also I can change the port by -p but.. there is nothing I could get from the browser
Any tips on Ignite?
I got the dashboard CMS creds.
Now what?
I'm trying to fuzz the upload form to upload a reverse shell with PHP but it ain't working.
Ive got the first flag.. I just need to escalate
Can you access the website @indigo ridge ?
@potent vale yes..
Did you enumerate the server?
i just jumped to get the reverse shell.. and then got first flag
So you're looking for a privilege escalation. Have you found an approach for that?
yep I think there is two weird thing.. which I got from linpeas
This is #room-hints we prefer to keep this chat spoiler free and only provide hints here, if you need more help then I suggest #room-help.
@potent vale @tidal sedge any tips on Ignite?
I'm stuck, I just bruted the creds for the admin page.
This is #room-hints we prefer to keep this chat spoiler free and we only provide hints here, if you need more help then I suggest #room-help.
@tidal sedge yes sure .
Now I got them, but idk what 2 do.
@white salmon You need to find ||an exploit for the CMS.||
I did, but I don't get how 2 exploit over reads...
@white salmon That's a rabbit hole, if I remember correctly.
That's a rabbit hole.
Hi! I am doing webbappsec 101, on task 4 question 4 they ask "What is the username of a logged on user?" i looked at all the upload pictures and just guessed the correct answer. How should i have gotten the username of a logged on user? any hints/tips?
@tidal sedge https://github.com/SalimAlk/CVE-2018-16763- maybe helps?
That will work.
is anyone getting trouble to acces Plethora CTF?
@white salmon And what error does it return?
requests error, i forgot, i just deleted the repo
i have requests installed but the script has errors..
That exploit works, you need to run it with python 2.
If not, mirror the exploit from searchsploit.
Ok.
Installed requests for py2.
@tidal sedge worked! now what do I do? if I do id it gives me that I am www-data
If I do sudo -l it says system
Same for cs
cd*
Ls works fine
Same for touch
@white salmon Get a more stable shell, and then privesc from there.
@urban ember What room you need help on?
im brand new to cybersec (decent experience with linux)
ive looked around a lot and cant find a particular flag "Can you find information about the system, such as the kernel version etc.
Find flag 15."
i have used things from uname -a or -r
checked things like /proc/version
used dmesg | grep Linux
dmesg | grep Kernal
any hints or help would be great
system info is found in a release file in /etc directory
||cat /etc/*release|| <- if you are stuck
I'm using gobuster to detect the directory that has an upload form page so any idea which wordlist I should try if I'm on Kali??
dirb <LINK> -R I use it all the time.
Thanks a lot Swafox, found flag 15 more specifically in lsb-release
Appreciate the help man
anytime
Help
help
On the SimpleCTF room
I scanned target for vulns
CVE-2007-6750 is slowloris
it's vulnerable
but the thm room says wrong
Stop tagging people and just ask your question here, someone will help you.
slowloris is a DoS vulnerability
and for obvious reasons it's not the one used for exploitations
hmm


how am I supposed to scan it then?
nmap NSE scan
or CVE scan
or research about things the server is running; also their versions
im still not able to find a script for sqli in dailybugle room do i need to write one on my own?
I'm trying to write one but i don't think i have the programming skills rn to write one
damm i think then i need to practice some coding first
in room HackPark I'm trying to crack the password using hydra but can figure out what is wrong with this ||hydra -V -I -l pennywise -P /usr/share/wordlists/rockyou.txt BOX-IP-GOES-HERE http-post-form "/Account/login.aspx:__VIEWSTATE=%2B9GQc0USxXlLq5vp9BVnaK%2FPFKWRRkzvGMkysqWtjAKbFZ%2FkeJiuB8vUVjeeohvrRHwf6K8ZGO4xg18cOKTcRMmHmiEMRZYE4IELBChZvpCx8F0L8MRtlzu2RDTPAvYdYedei6he1KBWweuaga7ETxfClWA88cPEOy%2BP2TLg8vsXifZO&__EVENTVALIDATION=P9Rbfaut5BQEScx5LttvnVHVdtfgdcsKFkjS5tzH6FJeGwhZyB1bQ2XAGOv%2Fxp%2B1VmUT%2FKm8qwzaKRtFBF8UNdMudvVaqkDguneh4EGDK2sDqRAk5KwzjI82t28Q%2F9%2Fm32vJh0OI%2BGrKJ9f6V32c36oqTmpEaJu%2B1SO%2FVBuIoURlJ3Eo&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"||
@mild eagle using -l twice?
@mild eagle Shouldn't need to use capital I, apart from that your request looks okay, maybe do some more research into possible usernames
@burnt cosmos tnx tnx, the -I is only to skip waiting in sessions
use -V -I after rockyou before ip
How can I check available shells on a system?
worked 4 me few times
Can anyone help?
@burnt cosmos tnx got it
@true widget cat /etc/shells
@spiral stag thanks man!
any hints for "Break Out The Cage" cipher??
Tried making script for cesar and rot13 and loop them around
but no luck
@wraith tapir is that for root?
no no the initial cipher
Ahhhh you have to use some other bit of info and you'll find it
I tried decoding cipher. Looks like I got a format of the encoded text, but could not get what I should do now.
thanks thanks
there is another route
Enumeration is key
feels like im hitting a wall here
Any hints for the cipher on new cage room? Can't see it
French man
French man
@quiet stump I still haven't started the box (got sidetracked into doing HTB) but I think I know what the cipher is
@quiet stump could I DM for a hint plz?
Go for it
Any hints for the cipher on new cage room? Can't see it
@warm schooner I need help too.. Can't figure it out at all
Hi @Magna need to extract from .mp3 ? Any hint
any hint how to go from weston to cage in escape the cage room?
investigate the quotes ;)
GratZ
nice
still would like to know the intended way if someone wants to help π
you can DM me if you want
I'm on Basic Pentesting (https://tryhackme.com/room/basicpentestingjt), I need to bruteforce a password but don't get the protocol in which to do it. I tried ||ssh|| but it keeps failing with ||protocol error||
@grand rune if its not ||ssh|| then try to take ||clues from the messages on the site with what other service is open from your scan||
anyone willing to give me a nudge on mindgames root?
been stuck on that for too long now
Where are you stuck?
You can PM me if you want. Probably too spoilery to give hints here
thanks!
So im doing the Mr robot ctf, and im on the second key. i run this john robot.hash --wordlist.dic --format=Raw-MD5
i get the pswd (ABCDEFGHIJKLMNOPQRSTUVWXYZ), i run su robot on the rev. shell i got
But its 'incorrect'
@oblique cliff thanks for the hint, I actually failed because of ||wrong username||
@grand rune no problem, was it actually ||smb|| or ||ssh|| i decided to do that room after you asked that question ^^
It was ||ssh||, ||smb didnt recognise usernames|| and || I already had done stuff with smb ||
also the latter failed with the good ||username||
gotcha, thanks for the hints
Hi @quiet stump need to extract from .mp3 ? Any hint
@crisp wigeon audacity and special filter to extract text from .mp3.
This first cipher on cage is causing me all sorts of issues god damn, any idea how many times it needs to be decrypted? Or is that too much of a hint at this stage?
@grand rune what wordlist did you use for this? cuz the || cybersec top 1000 list isnt getting anything||
Let's keep this chat spoiler free, as this is #room-hints if you need further help I suggest moving over to #room-help.
Anybody did "Break the cage.1" new room?
yeah you're right
I am stuck at Network services> exploiting SMB > Task 8 (connecting through ssh). I have downloaded the file and changed the permission to 600. I have tried usernames as "john", "James", root, and "john cactus" but no success.
did u specify id_rsa in ssh
@carmine scroll notice that your -i is the id that you created
@carmine scroll double check the usernames youve tried. there are a couple from your short list that i would add
i mean, if your ssh is "aa", it should be smth like "ssh -i aa"
Check the user names you have tried
Will I get the username on the machine or random tries?
youre very close with the names youve guessed. guess a few more
try variants of his name,
So im doing the Mr robot ctf, and im on the second key. i run this john robot.hash --wordlist.dic --format=Raw-MD5
i get the pswd (||ABCDEFGHIJKLMNOPQRSTUVWXYZ||), i run su robot on the rev. shell i got
But its 'incorrect'
are you sure thats the password you got?
also, please post answers as spoilers (or not at all)
yes, oh ok my bad
double check thats the password you got π
root@kali:~# john /root/Desktop/robot.hash --wordlist=fsocity.dic --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2020-06-15 14:09) 0g/s 14301Kp/s 14301Kc/s 14301KC/s 8output..||ABCDEFGHIJKLMNOPQRSTUVWXYZ||
check username
@oblique cliff @orchid bobcat will I get the username on the machine itself because I have tried some variants of his name John.c, jc, jcactus, johnc. j.cactus, johncactuspolo etc
its literally ||robot||
@white salmon use || crackstation instead to decrypt the password and see what you get||
ok
@carmine scroll whats the difference between the usernames you guessed ||James|| and ||john||?
@grand rune oh my goodness ||how deep does this go, im 4000 deep into rockyou||
||abcdefghijklmnopqrstuvwxyz|| same result, wait i think its because of the capitalization LOL
@oblique cliff ~15min for me
thanks bob
it finds it
thankyou @oblique cliff π
I think ||hydra has a restore point||
lets get this to #room-help, we're leaking too much
What three letter abbreviation is the technical term for the "wifi code/password/passphrase"?
I'm so dumb I can't figure it out.
Help.
||PSK|| i guess?
@proven bridge, any hints for Carpe? Trying to read into the download but not getting anywhere
@white salmon still mr robot?
Oh sorry nah im done with that, its the Burp Suite walkthrough.
still cant figure it out
at this point i feel like its a bug
@bitter shadow you got any hints ?
ping please, thx
sorry I'm kinda busy rn
Plenty of hints for that room if u scroll up
its not a bug
@oblique cliff issa joke....
read ||the blurb from the task, the answer is in there||
where is that im new to tryhackme
scroll up and to the paragraph youre supposed to read before the questions
@proven bridge, any hints for Carpe? Trying to read into the download but not getting anywhere π¦
@warm schooner I can't give you any hints but you should have seen the message on the room that says the download section isn't part of the ctf
still cant figure it out
please just hint
@white salmon it's in the text, read it again
@wraith marsh then wth am i suppose to do with these ||keys||
@proven bridge, any hints for Carpe? Trying to read into the download but not getting anywhere π¦
@warm schooner the download is only required at the last step of the challenge.
@proven bridge do you mind if i dm for a sanity check on carpe diem ?
duly noted
A third predominant address type is typically reserved for the router, what is the name of this address type?
WTF?
I've been looking for an hour now.
Any of you guys wanna help?
whats is your router ip named in ipconfig
wym?
How can I scan a box with nmap with vpn?
What do ya wanna scan?
a box in tryhackme (for example king of the hill)
what?
*by me
why?
any hint for room break out the cage?
so then if youre on the vpn you can nmap 10.10.198.245 @white quartz
ok it works thanks
just wait a few minutes to make sure the box is completely deployed/booted
@oblique cliff not in the blob, I'm crying
hey this question is quite basic how do i know whether a machine has network file system that is shared...like is it somewhere given in nmap scan or we have to always check for using mount?
if someone could clarify
i suppose samba is for communication bw linux and windows
and we can point out samba/smb by seeing 139 and 445 open
but what about NFS how do i get to know they exist
or is the same thing?
Samba uses the SMB protocol for file sharing
NFS is file sharing too - but it doesn't use or work with SMB it's purely TCP & UDP
wasnt smb used earlier to communicate only bw windows and windows?
then samba came for linux
I believe NFS uses 111
that's rpc i think
use enum4linux -a <IP>.
SMB is across both platforms - the software that uses SMB may not be
so when i see 111 open i should check for mounted folders right
You'll see all things SMB related.
yea i know that
@steady stratus Hello, look at the rank ❤️ finally
smbclient is also useful
+1
enum4linux is an old old script
getting kinda confused
Port mappings are a good indicator, however they can't confirm it for you. Don't assume a service corresponds to the port it is using
e.g. the default port for web servers is 80 but that's just a standard - you can run anything on that
so you're saying it's good practice to check for mounted folders?
with showmount you can see all shares on the target
YES!
anyone will help me?
just ask
in room: Break Out The Cage! just a hint..
enum
bro i did enumeration...........
and i don't know why dirbuster isn't working on that web..
dirb http:/...../ -R
wrestling with break out the cage - finally (slowly) getting there.
If it has FTP, use enum4linux -a IP
I believe NFS uses 111
@steady stratus What? Doesn't NFS use port 2049? (ignore)
2049 NFS, 99% of the time.
Hmm, no, looks like NFS uses both port 111 and 2049.
111 is also open though
Yeah, it uses both ports.
@white salmon it's not working..
use a bigger wordlist
any hint for cage -> root on Cage
Very similar to initial
Break from the cage....got a word out the thing....not sure what to do with it yet. Hanging the mouse up for the evening. Fresh eyes in the morning.
Best thing, best not to overthink
magna is there more than 2 ways of gaining root on your machine
There is more than 1, yes
ok, that's not how the spoiler tags work then...
i was fixing! sorry about that
Tbf the box in its majority is enum and the same throughout with a bit of python for good luck
That's as far as I'll go with hints/help
I'm just slow today, took way longer than it should to make progress! i'll stick at it
Good lad, u'll kick urself when u get it
lol, usually do
@quiet stump Thanks for the room, it was fun!
Anytime buddy, glad u enjoyed it
phew, got it, thanks @quiet stump, great room!
not sure i'd tag it as easy though. of course I think Carpe needs a level above hard though lol
Thanks mate, we'll see what u think of my medium difficulty 1 coming up
hey hint for cipher of cage
can i ask you a quick q by pm before I put it away @quiet stump, curious if my route was the route
Go for it
Can I slide back in Magna, just wanna check my path was the intended
Ice room
||Task 4 - Step 10 Now that we've set our session number, further options will be revealed in the options menu. We'll have to set one more as our listener IP isn't correct. What is the name of this option?||
Am I missing something here? I don't see the additional options
I know what the answer is for that flag... but it still doesn't explain why that option for this particular exploit isn't there. And of course, I can't set it if it isn't an option
Nevermind. I figured it out. ||I reentered the meterpreter session, backed out to the exploit module and it shows up correctly now.||
@wispy bloom You'll find that happens often in Metasploit. ||So you usually have to set the listening stuff a few times before it actually works||
@oblique cliff Good to know. Thank you
any cipher hints for breaking the cage?
It might be something French
@sick coyote never heard of this cipher; I appreciate it. One more for the tool box.
@low venture I don't know if you know this toolset, but I think it contains most of the decodings: https://gchq.github.io/CyberChef/
@sick coyote I appreciate it
break out the cage was a bit rougher than i expected. I'm certain I didn't follow the intended path, so I look forward to seeing some writeups to see how others did it
@toxic scarab any hints on getting into cage user?
did you go through 'CC: Steganography'?
any cipher hints for breaking the cage?
@low venture the cipher needs a key. First step is to find a key.
@lyric steeple I was able to get past the cipher, thankfully. Logged into the machine, now I'm trying to figure out how to escalate.
@low venture good luck
any hints for carpe diem ? Found some interesting data but have no idea how to move forward
Anyone can give a hint to escalate to user cage?
@low venture just keep beating your head against the wall ||hey, where are all those movie quotes coming from?!?||
@toxic scarab I did come across that; still beating my head against the wall, haha
@toxic scarab bless your soul! That gave me an idea.
im on hacking powershell task 4 question 11.. Search for all files containing API_KEY? anyone have an idea what this is asking for?
@wispy bloom what is the name of your font from that picture?
It's a code tag
` subject `
Without spaces
Backticks though, not single quotes.
I'm on mobile
@dull comet it's telling you to search through all the files on the machine for a file that contains the word API_KEY in it
I am doing the strings from malware series and i can't find the answer to the first question "what is the name of the account that had the passcode of 12345678 in the intellin account discussed above"? can somebody give me a hint?
Can someone please help me with Break Out The Cage? I'm having some difficulty with privilege escalation. ||I tried replacing the .quotes file with some text and piping in another command but that didn't work. E.G. FLAG | ls -lah /home/cage||
I need help with the room Break Out The Cage. I have got access to the machine, spawned a reverse shell and got the first flag. I have the second cipher text. How should I proceed further ?
What's happening to my VPN?
it exited due to a fatal error
save the ovpn file in /etc/openvpn
Switched server again nvm.
ok
Worked somehow.
@gritty spire DM me. I was able to figure it out
Tips on the cipher key on break the cage?
@white salmon some french guy
enumerate the machine
did that
you should have found some interesting stuff
I have, but i'm still trying
what files have you found so far?
||spoiler||
|| I used dirb, i got file hash from the FTP, i got scripts and contracts, and privesc vulnerability.||
|| i know the hash is base64 -> vigenere ||
||i'm now running hydra on ssh and dirb on server and trying to get a shell||
no need to bruteforce
ok
if you decipher
The killchain is a tad bit longer
||vigenere||
for what user?
i hate vim, any hints?
@placid drift you hate vim?
kinda
hi y'all, i'm a bit stuck, i'm doing break out of the cage. I got a file with some sort of encoding (i think) and now i'm stuck :/ CyberChef can't make anything out of it. Any hints?
i always try to see a text and check if it is english or not (spaces, words, sentences, exclamation, question mark, full stop etc give u hints). And if it is english then it has to be some kind of substitution cipher. use any online cipher detector.. and then if it is a keyed cipher use a solver. honestly most of the time u don't even need to know the key, the solver will detect it.
Try and learn what something is before throwing it into an automated tool.
did someone try break out the cage? I am stuck after getting the directories. I have some encoded data from ftp but that is of no use for now anywhere. Can someone give a hint to move forward?
@carmine scroll you got weston password?
Enum enum
@carmine scroll decode the weird thingy text.
i tried base64 decoder but I don't think it is b64
I think it is base64 with something else, after base64 it looked very much like the content was there but the words are not words
but thats where im stuck hahahaha
When you decode it it looks like there are numbers on the left ||one. two. three. four. five.||
Magna throwing gif hints
yeah i got it, but there are loads of options
not really, I also started it yesterday and that gif hint got me into the machine. will try again to privesc today
Also read the room tags
Can i dm you to see if i got the hint?
umm sure
maybe they should listen when they enum?
▶️ 🇫🇷
if this isnt enough...
i got this thing @white salmon but after 🇫🇷 > 🇬🇧 translate > No success
@carmine scroll i would say you have solved half of the part, the other half is what Kurisuti or EvilMaid are talking about.
i'll take this deciphering on tonight
can anyone help me out with common linux privesc room?
@stoic jewel use linPEAS to check.
@stoic jewel https://tryhackme/room/sudovulnsbypass
@white salmon I'm a beginner, I want to do this stuff manually
@white salmon has my been generated?
@quiet stump just rooted your box, too much overthinking from my side, thanks for this awesome box!
@true widget YESS!
@true widget after payload, that line you should echo into the autoscript.sh from the challenge.
Can't even find the user flag in the break out the cage room... Already ran into a wall but don't know what to do..
@opal river Glad u enjoyed it mah dude
Maybe this should be in here as I'm after a hint - Hi all - maybe it is a long morning but in the Fowsniff Corp room i have the hashes from pastebin (task #5) and for the life of me I cannot reverse them. I have tried numerous types (recommended MD5) even double MD5 - all to no avail. Any pointers would be appreciated.
Yes, dm
@true prairie Anyone here with a hint or open for a DM? Need just a nudge to continue
Good morning (:
I got ||lamerstocarepetd|| from Cage's letter to his son, but I can't connect it with anything. is it a rabbit hole?
How many flags do u got?
2
ok then idk.
There's 1 rabbit hole, that's quite obvious
hmm. ok, thx. I will continue to look for where to use it
But only 90 points. BOO.
@carmine scroll The cipher has a solver you can use, it brute forces the key - not literal french
Is the bug about contents of a room or is it a security issue with the site?
How do I report a BUG? In the THM website?
@white salmon #site-bugs
A bug in the script that tells what rooms u are in.
#site-bugs would be the best bet in which case as Will helpfully suggested (:
@jade bolt Don't know where to go from here haha - I have an idea of the password but not correct
There are enough hints out and about hahaha
@warm schooner https://www.dcode.fr/vigenere-cipher this?
@carmine scroll ||https://www.guballa.de/vigenere-solver||
Oh @quiet stump it was ur box? It was awesome.. the first rabbit hole took me by surprise tho :-p wanted to get first blood but szy beat me to it >.<
It was indeed, glad u liked it dude, my next room is gonna be 20x as fun
uu nice .. doki doki
@quiet stump best room ever dude, best 5 hours of my life.
Hahah glad y'all like it, give it a thumbs up on the site, that'd be much appreciated
Damn.
Hello, i need to crack a sha1 hash and idk how to do it. I tried with hashcat and john but nothing, i think i'm doing something wrong
Chuck it in to crackstation.net
Thanks
I don't have any idea of why this happens
The hash you provided isn't in the correct format
are u sure the Rom at the end was part of your hash?
Try parsing the hash as a string 'hash' instead
i tried and nothing
If that doesn't work, you may have the incorrect hash
the same error
which box is this?
@warm schooner Thanks but how to identify these in future. experience??
@carmine scroll Using a search engine helps tbf
The room is ||Crack The Hash and i'm in the bcrypt stage||
@white salmon dm me the hash
Done
Not relevant to #room-hints
Give me 2 mins to boot my vm
It is crackable, I've completed the room but can't remember how haha
@white salmon You also forget to include the wordlist
🤦‍♂️
try ||hashcat -a 0 -m 3200 '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom' /usr/share/wordlists/rockyou.txt||
Seems fine for me, your hash is good
You had the right hash code
How much longer do i have to wait?
For CAGE room, i am stuck...have access to machine.....but cannot privesc....is there something to do with ||quotes which are appearing again and again||
@white salmon That depends on how powerful your CPU is, hashcat should tell you an estimated time
Bcrypt is GPU resistant
What does that mean?
omg 0.03% pls someone buy me a cpu
how bad could your CPU really be?
better question... how many hashes per sec you running?
@grizzled tapir Have a look and see
@quiet stump can i poke you with a chat?
Shouldn't need to, buddy, read through the script
I have an id_rsa for Cage, two flags and no ideas for a privesc to root
what?)
are you still stuck?
yep)
look again for the encrypted password inside cage's files.
check every file he has created, and then the ones he has access to.
ok, i try
Looking for help on Mindgames Priv Esc
I don't know if I am missing something obvious but wow