#room-hints
kurisuti help me pls
?.
It takes very long because you crack in a VM!
oops...
Looking for help on Mindgames Priv Esc
I don't know if I am missing something obvious but wow
@mental osprey me too need help
||must_practice_corrupt_file.mp3|| is it a rabbit hole?


eventually i will figure out the context structure to make this do what i want it to do on cage. know the path to cage, just need to ... um... break it in a way i want to break it to do the thing i want it to do ... sometimes easy boxes make you feel really stupid when you can't make simple python do what you want it to do
You can.
It's easy.


Do i need to find cage's info through weston?
not really "info" per se
i mean the ||id_rsa||
I think you can grab that
@jade bolt you need privesc from weston to cage to get 2 flag
yeah i knew that but still thank you for helping!
I'm stuck between cage and root
Hi Guys I Need A Hint Of Mr Robot Room CTF, The Second Flag
@white salmon the hint for break out the cage didn't work for me..
im still stuck
enum
I did not say enum.
which user are u currently @teal belfry
lol i didn't get the password yet..
oh so u are in the first question? so did u try to explore all the ports and see if anything is in them?
ftp server just but how to get into that...
what about me I'm not concerned
@hasty slate yeah
@teal belfry man..
so did u run any enumeration checklist?
use metasploit.
@white salmon doesn't need it.
i did it the classic way but eh.
but there is a much easier way
maybe check for files that u can read :/
There's this hacker group that can enter everything
@hasty slate I did it this is for the first flag, I tried with wp-scan but there is nothing
they can help you. anon..
cannot say the name.
they will bomb my house.
shh...
yup, pretty similar face tho
so u said u are in the box, that means u are not @stoic jewel .. u are at the ||wp|| stage?
This doesn't seem like the right place for this
@solemn smelt huh? this is a hint for @teal belfry
we are giving him anon ftp login hints.
damn that's convoluted lol
@hasty slate sorry I missed it I'm not yet
? I don't see how but ok
can i dm you?
CHECK FOR ANONYMOUS LOGIN FFS @teal belfry
god, some people never use their brains..
wow chill @white salmon lol .. also @stoic jewel u can consult the writeups as well..
@hasty slate I think this is a not a good idea right now
checking writeups?
why not?
yeah.. i mean u learn from writeups.. if u are stuck then u need to first learn.. then use that knowledge in the next box
@hasty slate i got the file with pass
n figured out it is a combo of base64 and something
is it right?
on the right track yeah
^
i already gave a hint in this channel or the community help.. maybe that will help u..
a lot of people have given a hint haha i got it because of them
lol it would have scrolled millions upwards
kurisuti said something at 11:20
and mine was at 2:11 IST here
im low key still stuck as weston, and a linpeas scan hasn't given me anything big
@jade bolt check what files u can read/write
anyone familiar with pwntools?
doing the buffer overflow room and would appreciate some guidance
@hasty slate can i DM you?
sure
welcome to the party @jade bolt ... know what to do , just literally can't string what i want to do together
yup
talking about Cage room?
yup
tired of working inside a parenthetical call commands
got weston password?
me, yes... been playing with coding languages, specifically trying to get the thing to do what i want it to do.
@jade bolt you do not mind the appearance of broadcast messages in pts? find where they come from - it's the way to Cage.
pfft that wasn't a hint.. that should be in #room-help lol
but i got it thanks π
hie can someone help me with cc pentesting [Task 4] [Section 2 - Web Enumeration] - gobuster i tried the dir search but there isn't any hidden file i found even after doing search from medium list
what wordlist do you use?
Hi, I need some hint for dogcat room. Is there RFI vuln?
@rose root no.. it's the other FI
@hasty slate thx
@slender umbra Run the gobuster on the root directory.
i'm running it on the root directory
Of the webserver
@slender umbra are you searching for the right extension for the hidden file?
okay i got it thank you so much for help @tidal sedge @jade bolt @toxic scarab
Can anyone dm me for a nudge on the foothold for Iron Corp? (dont wanna share spoilers)
hey people , can someone give me a hint about what to do after decoding the first cipher?
Enumerate harder ^
|| the website ? ||
cage - I can make it work locally.....just doesnt seem to work on the box. Huurrrrrumph.
@wintry crescent what room are you doing?
cage
maybe eat some baguette and drink some wine and take a break it will come to you
I actually decoded the text but i have no idea how to get the password tho
hey there guys can i get some nudge for Break out the cage root path? now i've read ||the email and i found a weird text that's i think it's a ciphertext for root password||
i've tried the ||common cipher breaker like caesar, vigenere, substitution, railfence|| but doesnt get any text that looks like a password
just wanted to know am i on the right path?
@wintry crescent i can only give you hints, if you really want help we need to go to #room-help
cage...break out.....whatever - Finally got the thing to do what I wanted it to. That took far far far too long trying to be far far far too clever
@dense marlin use spoiler tags
@dapper mauve did you finish? i'd be interested in knowing how you managed to get root. I don't think my path was the standard one.
@dapper mauve dm me if you feel like sharing
there are atleast 2 paths that i am aware of
i gave up after finding one
can i dm you, stuck at getting root @hasty slate
sure
I think everybosy is stuck at getting root hahahaha
@hasty slate ok if I DM you?
sure
@hasty slate mind i dm you for nudge for break out the cage?
sure
Break out...Cage.....Done! Think I did the intended path. Spent ages over complicating it in the middle but actually turned out relatively straight forward (once you google the syntax of the command you're already using)....Great room!!
hmm that means most probably u didn't do the intended path lol
just wondering what was the intended part for root in cage ;|| creation or decryption ||
there are two ways to root it
is that a question or statement
there are two ways to root it.
don't mind @rancid crystal didn't understand your point at first instance
Hints not spoilers der bois
sorry sensei
@covert basalt uhh about what?
there are two ways to root it
@rancid crystal .
there are two ways to get root in it as @hasty slate some where above here. havent rooted it myself just read that here
@hasty slate did that binary ||bees|| came handy?
check the first lines of that output :-p
cage
All hints for Cage are in here @indigo ridge, scroll up
@quiet stump thx for great box! liked it
Thank you, means a lot to see everybody enjoying the box.
password saddened me
@quiet stump thanks for the box - frustratingly fun. Plans for cage.2? I need to know who the master is!!
@toxic scarab you should go to #522158404614225920
stuck with breakoutthecage. After getting the ssh access. Do i need to privesc for both the flags?
Anyone got a hint for flag 74 of CTF 100?
ok
@toxic scarab Thank you, not currently, working on a room atm, maybe after
xD
ty
i have 2 flags
strong spoiler mah friend
i didnt even use the string for anything
?? i found westons password another way ig
i already exploited that
need root
i have found the gibberish string that sean wrote down
cage, from sean*
rot13?
well cause i been trying decode this damn string for an hour
xD deciphering is one of my weakpoints
if cyberchef dont do it its allll bad for me
hmm something criminal maybe
Took longer than expected but it was a good room. @quiet stump, great room. I look forward to the next one.
@halcyon lodge Easy to overthink it, glad u enjoyed it
Im doing the intro to python room. its got to decoding the file and decoding it to get the flag... im completely lost and dont even know where to begin.
look into python decoding
if you know how its encoded you can get more specific with your search
I'm trying to get going with the Break Out The Cage room but at the moment I'm kind of stuck.
I've been busy for a while now but nothing seems to get me any further.
Does anyone have a hint.
Tons of hints for Cage in here, have a search
@oblique cliff been reading some of the documentation but tbh it doesn't help. im still as lost as i was when i started aha
do you know how its encoded @stuck kernel ?
@oblique cliff yeah, 5 times encoded using base64, 5 times encoded using base32, 5 times encoded using base16
ive read through that, doesn't make any sense to me
@quiet stump I've read through it but I must be overthinking something. I have no clue where to go from all the things I already did
@oblique cliff have you done this intro to python flag. im so lost, i cant find anything online that comes close to helping..im sure when it works im probably going to slap myself in the face lol
have you tried using the stuff from the documentation i sent?
this is what ive got. i dont even know if im on the right tracks tbh
i quit. i have gone through just about every iteration i can on this to escape chars and inject code. i can't google anymore. i made it work on a local copy of the script using the text i put into a modded file, but when it comes to game time no dice. and that isn't even apparently the worst part of the box yet. I have done some boxes in my day but this easy box is well.. lets just say i have some words i would use that aren't very friendly to type right now
I have the same feeling. Not sure where to look anymore
yo tresh you can send me a pm... maybe just maybe i can get you 99% there
and you can get the last 1%
are you stuck on break the cage?
@obsidian cradle Yes totally stuck
stuck on root?
No on even the first question. I know it's humiliating.....
not humiliating!! its a challenge
that one is not too bad. a bunch of people up there said some stuff about some french dudes and wine and baguettes and stuff
what steps have you taken to look for the password?
yams can i pm you. i legit need someone to tell me how this can run as an exact copy and provide 2 different results
actually anyone for that matter that has 2 mins to spare
sure pm
hi, im in the room ignite, and i have access to www-data, after a linpeas i found a file with 99% PE but i dont know what to do, can anyone point me in a direction?
@white salmon did you find your answer?
@toxic scarab did you root break the cage?
yes
@jade bolt anyone?
i have everything i need besides the brainpower!! any hints?? everyone said emails and what not, your same answer?
yes, everything you need is in that directory
you are cage now?
i am not the user cage, no, but i have access to his directory
lol i mean this has been going for 1-2 days.. so there are literally 10-20hints here
ive read the emails over and over
wdym in weston
i have westons password, ssh'd as weston, and have complete access to /home/cage/*
yea so check from where the emails are being generated
what user are you?
weston
i never logged in as cage but i have access to all his files
so i have the user flag already, i just need to get root
i get that
if you have access to his files then you have everything you need to get root
exact
right, this is what im tryna tell yall
@jade bolt is sql on the box?
nope
i have access to everything i just dont understand what i am missing
read the emails
I DDIDIDIDIDID
look some more haha
you sure @jade bolt ?
@obsidian cradle DM me
when i do sql as www-data i get not found
mysql?
??
possibly. There may also be ||config files for the sql database that you might wanna check out||
Anyone around who's done CTF Collection Vol2? I fancied brushing up some of my ctf type skills but i'm stuck on 2 where i'm sure i've got the answer but i'm either making a dumb mistake or there's some odd trick to it (or the box is broken but lets be honest, probably the first option!) It's flags 15 & 20 if you have a clue for me
gottem
Hi yall, I am stuck. The Cod Caper, can not run LinEnum on target, i scp the file over to target/tmp but i get denied when i try to run it. if i try to copy it, also denied
@dull palm did you try using python server + wget within the box itself?
he already got it onto the machine i believe @sick coyote
ah my bad
@dull palm did you make it executable?
yes and the perm are messed up --x--x--x
i will re copy it and try chmod again, Thanks yall
soooooooooo anyone have a hint about the ||bcrypt|| task in Crack the hash other than waiting until tomorrow for hashcat to compare hashes to passwords in rockyou? CyberChef does NOT like that hash.
yea just wait till tomorrow
that's 1.4 is it @wispy bloom ?
Sigh - I might cheat and grep all the characters from rockyou that match the length of the flag just to save time
@median compass yes
yeah, i cracked that one by letting it run over night
welp - I'll try my grep first. Gotta be faster
the plus side of letting your GPU crank all night is a lovely warm office in the morning... π
oh god I'm in the SW USA - I don't need help with that at all
can anyone give a nudge on ctf 100 task #7
@sick coyote If I remember right, you should be able to root the box, then go back and find flag 74
guys, i have a doubt about how privilege escalation works. Why does attacking the files belonging to adm escalate privileges? how does the computer interpret that? thanks in advance
what do you mean by attacking files
If youre changing a file that runs as an administrator youre running the commands that you put inside of that file however as the administrator so for example if you have a reverse shell inside of a file that runs as an administrator then the reverse shell inherits the permissions of the administrator
ohh, so the reverse shell script runs inside any kind of file system right? thats why i first need the exploit and then the shell? sorry i am so new at this.
theres so many different ways to priv esc and abuse the file system its just something youre going to eventually pick up if you want to learn my I would check out the rooms linux priv esc and windows priv esc arena however if youre new that may be a bit much to begin with
thanks buddy. Is there any section of machines that u would recommend me start with?
if youre a beginner learn linux is a good place to start
its not going to be any exploits or anything but it will give you good knowledge to start with
thanks very much!
I have a question about mind games. Is anyone willing to give a hand. Need to verify something regarding root.
@halcyon lodge I might be able to help - DM me if you want
@toxic scarab, thanks for reaching out. I'm dm'ing you right now.
anyone done with advent of cyber?
anyone know how to do Task 9 question 4 ? im stuck for 2 hours lol
@fervent plover check writeups
HI ALL
Network Services Room
[Task 6] Enumerating Telnet
#6 Based on the title returned to us, what do we think this port could be used for?
#7 Who could it belong to? Gathering possible usernames is an important step in enumeration.
what can I do more than ?
ty
ty?
How long has the box been up?
Give it a few minutes I don't think its spun up quite yet
40 minutes more or less..
I work around only because i know is telnet (for the room) so i try to login and i find the answers.
Weird. Try to reboot it? I think the service showed up for me
I mean ty for @viral mason
@oblique cliff is it possible a different version of nmap?
Doubtful @woeful frigate
anyone here ?
sup
can you help with that problem
k
how do i do that i forgot
in kali
bye
Can anyone help me with the cage room? Don't want to spoil too so anyone I can DM real quick?
Need hint for rooting cage. Finally got user but seems I'm too tired to think properly.
I'd say its easier than getting Cage. Enum, enum!!
@dapper mauve I found the location of broadcast but what should I do..
well, check out the broadcast source, maybe there is a way you can make it execute your own code?
yes I have checked it I tried some command injection
Have a look what command it is running to achieve what its doing and where its getting its input....hard to give a hint without spoilers...you're very close though.
yep I understand what you are saying because I am just trying that its just that my command is not running.. i think I can't escape the previous command..
@dapper mauve
@dapper mauve if you don't mind I would like to dm you.
You're really overthinking it
Take a step back
Then go back in with a fresh head and re-read it
hello im new to ctf i wanna decrypt some code which looks like base64 encoded but when i decrypt it doesnt look like what i want
can i share the encrypted code?
btw Magna big fan
Don't share the code here no, look how its formatted, especially if u were in France. Haha thanks buddy
There's a ton of hints for Cage in here, if ur uber uber uber uber stuck and you'll fully burnt out there is a guide on the site too.
im dumb to understand what u said master @quiet stump
Hey @proven bridge Can I PM you about carpe diem? I'd like to know if one of my ideas for flag2 is the right direction. Both get me nowhere right now
can anyone help me with a hint on break out the cage room?
I managed to decode the root password from the email
but it is not working when trying to connect as root
Try switching to root using su -?
No.
@potent vale did you able to get anything outta ||leaked ip||?
@lusty wigeon No and I try to get something from ||.10|| but apparently ||CORS is an issue.||
yea same. i kind a gave up that room
@vague parrot You can DM me if you need that much help. UwU..
@white salmon can I DM as well? I still can't figure out the password... Decoding is fine
Dm nighthawk or me
Cheers
@vague parrot, sent friend req as I have DM's turned off
Yay I wasn't being an idiot, stupid clipboard messed up and decoded 1/3 of the password
@warm schooner Sure mate!
@white salmon Cheers, not needed anymore
Yeah, all good. Issue with VM, I have a fresh VM now and no issue
Hi everyone, I have a question regarding the exploit of the machine for "RP: PS Empire" room. As I'm completing the questions (Task 5 - #9), I'm trying to get the credentials of the remote computer. But when I set the module on powershell/credentials/mimikatz/lsadump, even if I set the agent name, and run the module, I didn't get any credential. Do you have an idea why ?
I don't think I actually ran the module. Empire is wonky nowadays, so I just answered the question and moved on.
@potent vale Sure!
anyone can give little hint on carpe diem 1? in order to start
opk thank you
Enumerate the webpages
@inland onyx I tried to use pydump7 to get a hashdump then crack it offline
no chance with defender
I tried to get a reverse shell with a meterpreter,
no chance as well
yeah
The password is in plaintext, somewhere hidden on the machine
It's not buried down in system files either -- should be relatively easy to find if you keep your eyes open and look through the user files
i'll try again
Task#5 in blue machine says if exploit doesn't work, you can try to reboot the machine and run the exploit but how can i reboot the machine because it will give option of terminate only
hey i am on rp burp suite room the sequencer part i run 10k requests but cannot see any results in summary and i cannot click on analyse now
i chose the right req which had set cookie on response
@carmine scroll terminate and redeploy is rebooting
@eternal brook try it again? If you were able to analyze it there should be a summary. Did you pause it?
i did it again first time burp hanged
this time i cannot click on analyse now
i paused it too
In #room-help can you post a pic of what's happening
Ohk thanks
im having trouble with "Learn linux" task 21
anyone willing to help?
[Task 21] Binary - shiba2
This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable.
#1
What is shiba3's password
damn thats quite a hint
Very well @white salmon
A) Let's stop bashing and B) All for help & hints but giving answers isn't productive for anything
@white salmon not to tell answers but try helping them to think of the answers?
bash: ./shiba2: No such file or directory
Also, let's not use that word please @white salmon
srr
@white salmon no worries man we were all there at some point dont feel bad
check in which directory you are right now. you must be in shiba1 folder and running shiba2 binary
For sure (:
Indeed before someone steps you away
Many people make mistake in this room that they dont realize they are in shiba1 folder and move along the tasks. if you are going to run shiba2 binary you should be in shiba2 folder.
have fun (:
@steady stratus you are great
Can anybody give a hint where to look for the flag in room "Post-exploitation basics". I checked every folder in the Users section, but could not find anything related to be a flag.
v wholesome but random @lone pivot :3
can anybody give me a hint to priv. escalate ssh of "break the cage out" room
||"2"||
once again im here asking for your support
Linux walkthrough, task 33
The first step is actually finding the binary, I'm not heartless though, so I'll give you the name of the binary. The name of the binary is shiba4.
how does one search for binaries...
i know that its "find"
hi guys i have a problem in pickle rick, can somebody give me a hint pls
@white salmon one of the tasks right before that showed how to search for files
at private or something
i have logged in the page, but i dont know how can i read files
@toxic scarab did a bit more reading and found it. Ty (:
@white salmon one thing that this room doesn't cover is the use of 2>. when using find and/or grep, you will sometimes end up with a lot of permission errors that you want to ignore. so find / -name somefile will list a LOT of permission denied results. if you did find / -name somefile 2>/dev/null instead, it would take the stderr output (which is that '2' in that line) and send it to /dev/null (basically garbage) instead of to the screen
what's the final rick ingredient π¦
think about where your command execution is @real plinth
@white salmon if you complete the room thefindcommand thatll be very useful π
sweet!
wondering why HaskHell is a medium
Doing haskell now and getting internal server error when uploading files, even when it's a haskell file. Is this meant to happen or should I restart the machine?
@white salmon because it's too easy or too hard?
easy
Cuz it's harder than easy and easier than hard @white salmon
Sweet! cheers, will get back to it then
i wouldn't count that box as easy but not exactly medium either, the initial foothold is a bit obscure - that's what makes it harder from an easy box
intended
the trinary difficulty system doesnt really lend itself to nuance, so i set it to medium for the reason mentioned above
can I dm my write up?
For sure
I'm in, cheers for the hints @oblique cliff
Ofc
@rotund furnace I was just gonna submit write up through thm, any purpose of doing it through dm?
Gotcha
yeah you can DM it to me if you want but what he said
Hey guys does anyone know if i need to write any haskell code in the haskhell room?
Box just came out. Might wanna wait a bit before asking any question
ok
Is there anyone I can dm about Haskhell. I need to verify something?
still playing around with that room still have a little idea but not much
can i pm anyone on haskhell, jus to make sure i did the intended way
Sure @atomic shuttle
@wooden mist, what wordlist did you use for HaskHell?
Have used big.txt and 2.3-medium
Found the actual upload page but can't find the dir they are stored in
raft-large-directories
Hey guys, Can someone give me a hint for the bonus challenge in the Linux learn room ?
It is this one
I know where the folder is located, but i have no root access on the machine (I think it is the challenge to get there). So if someone finished this room can give me a little hint where i can find the root's password ? because all of the shibas do not have root permissions
raft-large-directories
@wooden mist I always forget to use seclists
dont we all
I stick with raft lists because they usually get what I need and are much smaller then the others
Still can't find where the asset files are kept lmao
@wooden mist Will keep that in mind
@spiral stag Thank you !
Good morning guys, hope you're alright, yesterday I was a bit stuck with ||Anthem|| in the privesc section, and my idea was to hashdump with ||pydump7|| yet it kept getting caught by windows defender, I tried also to get a ||meterpreter|| in order to use a ||privesc suggester|| yet it got caught again. I was thinking about this situation, how does one make his ||payload|| undetectable ? using Shikata Ga Nai ? Any good ideas are welcome, especially practical ones
Did you try meterpreter ||hashdump|| rather than ||pydump7||?
@rose moss Everything you need to privesc is already on the computer
Anthem is a ctf room
there's no privesc
(technically there is but it's not an exploit or anything like that)
Check the write-ups if you are stuck
@warm schooner Sorry buddy I did not understand
I uploaded pydump7 on the webserver, then got it in RDP, however impossible to use it
defender blocks it
also when I did the same thing with a payload, I could see that I get no reverse shell
cause defender blocks the meterpreter
I could see it in its log
@glossy basin I did not think that ||changing permission of the file would work||, so I thought more of trying to really hashdump the passwords
alright
Any way, what do you think about Shikata Ga Nai ?
haven't tried it
I'll dig deeper into it, I'm trying to get Anthem differently and that defender is in the way, I'll figure something out
good luck!
you can make a writeup if you get it differently!! would be interesting to read
Anyone got hints for root on haskhell?
anyone got hints for root at break the cage??
@true widget check the cage directory
i dont have the permissions
I havent figured out the password for cage yet
@indigo ridge
then you have to look around the directories and find the broadcast messages location
@indigo ridge okk I ll try
Do it has something to do with cronjob?
go ahead you are going good
help for Haskhell: do I need to use haskell lang in it..?
@indigo ridge I navigated to /etc/crontabs/
which one to exploit?
@true widget did you check the permissions for crontabs?
crontabs are just meant to run the jobs..
@true widget
@indigo ridge I have read permissions
upon doing sudo -l I found that I can run /usr/bin/bees/ as root
i can just say that.. keep searching there must be something interesting.. and don't forget to use 'ls -la' it helps
okk I'll try
Hi hackers, Hoping you are doing well I'm stuck with this challenge any hint how to exploit that
This is from Wonderland Room
@white salmon That is incorrect, read the output of sudo command more carefully, they can not run the command as root, rather they can run it as the ||rabbit|| user.
@tidal sedge yeah That's true
Misread, my bad.
Try using it to escalate to rabbit .
How can you alter that script?
@tidal sedge when I exploit that I'll get into rabbit user
@white salmon yeah that's what I'm trying to do
@stoic jewel Indeed, now go exploit it.
It is similar to the Break Out Of The Cage room.
@tidal sedge this is why I'm here to get some hints
that script has not write perm
||You don't need to write to it.||
not enough yet
It would be highly convenient to be able to run ||arbitrary code as the user you want to escalate to||.
Can I ask dm someone question about Haskhell? I want to make sure I'm on the right track.
yea sure
@stoic jewel Rule #1, you can ask here anytime
Sure thing. What's the question?
Sorry i missed it
@steady stratus well, I'll be back once I downgrade Kali. See ya.
gl with it
Thanks bud!
sure
hey can somehelp with a hash it has 6 = in the end
someone
i tried googling no help..
If it has 6 = that doesn't sound like a hash to me
i'm new to crypto i dont know what we say that..maybe encoding...
have you tossed it into cyberchef and see what it thinks
dont we need to give it an operation first?
i just started it today sorry if i am asking dumb ques
cyberchef can guess sometimes it's not able to but most of the time it can there is a little magic wand right in between the input and output in cyberchef that will appear if cyberchef can guess what it is if you click it then it will automatically pull everything you need
yea i see a magic operation that right?
yes
in favourties
no there is no operation for it you just input your text and it will show up on it's own if possible
it does not show recipe
then that means it can't identify it you can either use an encryption identifier or play around with base encoding because generally = is a base encoding
@still lily what is your lhost set as
4446
oh sorry. How do I check? Im kinda new to this. Thanks for the help
options
it is set to my private ip address
ohhhh... thanks. I am going to try that.
Hey guys i am stuck in a task
unable to execute the payload using msfvenom
that means you stopped it I believe @still lily
@queen verge you just showed us the payload. you havent said or shown what youve tried to do and what happened when you do it
I didn't kill it though...
you have to put the payload on the victim machine
@still lily it's a finicky exploit just run It again
ok
@oblique cliff I have managed to telnet into the target machine anonymously
did you put the payload on the machine yet
As per room instructions it says to execute the msfvenom payload
I dont understand how am i going to put that payload and why is it even asking to execute the msfvenom on my local machine
what room is this because thatβs a really odd payload choice
Its Network Services in absolute beginners path
The exploit is failing again. Even though I have my LHOST set to my vpn ip address.
did you set the rhost right
@queen verge could you show us how youre running the command over in #room-help
@oblique cliff ok
just let it chill run it again and don't stop it if it fails again twice either look at a writeup and check all of your settings or reset the machine
ok
Hint for CC:Ghidra task 4.2?
hey, i'm doing the basic pentesting room but i'm having trouble completing step 5: getting the username. i know the hint says ||that i could/should use samba to find a username, but I have no familiarity with samba. I saw that there are two open ports for it, but not sure how i could use those to my advantage||
see i've found that and even tried connecting, but i'm not sure how i can find the usernames from it
||Ebgngr zr 13 cynprf!|| got this hash hash identifier says it is bifid i tried using bifid on cyberchef not no result it is asking a keyword i think
That's not a hash.
is it those traditional ciphers ||caesar|| or ||substitution||?
Have you considered trying things before asking for help?
You can try every possible caesar cipher key manually in like 3s
It's called ROT in cyberchef.
Ask for a hint when you've run out of things to try
Not before you've tried things.
yea i did not know it is called rot in cyberchef
There are other tools you could have used for caesar ciphers
@white salmon enumerate samba server ||nmap||
You should be beyond nmap here
The automated enumeration doesn't always work
Try some manual enumeration
just to get a overview of what it is
Try cipher identifiers.
i am, and by very carefully scrolling in a writeup i found that i could use ||enum4linux||, but i'd love to learn more about manual enumeration, is there any suggested reading on it (telling me to google is perfectly ok too)
That one is not a hash. @white salmon
@white salmon Metasploit has manual modules you can use.
@white salmon ||monoalphabetic|| is a cipher
@white salmon connect to the share, browse the files
Its just not as simple as it seems @white salmon
Sorry, confused you with @eternal brook .
NP
how am i able to connect to the share if i dont have the username/password for it?
Enumerate it.
Look for public shares.
Like ones named 'anonymous'.
They are similar to the FTP ones.
oh hehe i did spot that and noted it down
yeah... enumerate
Try checking that out! @white salmon
Hi guys, can someone help me? I'm at Steel Mountain room, I did the upload of PowerUp.ps1 file, but, I can't execute it, I tried with (.\PowerUp.ps1) and (./PowerUp.ps1)
You don't want to execute it, you want to load it probably
Also, "can't execute it" is far too vague
Be less vague and we can help better
the task tell to execute it
"To execute this using Meterpreter, I will type load powershell into meterpreter. Then I will enter powershell by entering powershell_shell:"
Yap, I tried too
Then you need to show us what's going wrong or what's not happening
Otherwise we can't help
We don't know what you're doing, and we don't know what's not happening or what is happening
yes, I did
You need to wget the raw.github not the webpage
No, you downloaded the webpage
I've seen this before, I can see what you've done wrong
Now, if you'd just posted the screenshot to start with, it would have taken about half the time
Ok, I'm sorry and very thanks
Hey Guys, so I'm working on RP: PS Empire room and for some reason I can't figure out the answer to this question:
#7 In addition to changing our browser profile, we can change what our server appears as. What option can we set to change this?
When I look at what options I have I don't think mines is showing the correct options. I was just wondering if maybe it was because the room is outdated or something.
It's 'Headers' from that image
But the room is outdated as empire keeps changing
Dark is fixing it soon
That's what I first figured but Headers isn't the answer
Do you know what the answer is from the old PSEmpire?
I'm wondering I'm in the second privilege escalation with no flag yet, any hints here (WonderLand Room)
@stoic jewel The hint on THM is very useful. But if you don't find the flag at the moment you will stumble over it eventually.
@stoic jewel You can get the user flag from alice.
can anyone give me a small nudge on year of the rabbit
yup
think about Wonderland a bit
@white salmon gotta be a bit more precise there
I am trying to intercept the request via burp, but am not able to get the ||intermediate directory||
I'm in the linux room doing a little review, but I can not seem to find the shiba4.bin file, can anyone help?(cmd i have been using: find . -name shiba4.bin)
also that
Windows cares, linux sees files for what they truly are
thank you
@stuck fractal I believe that the user.txt is in tryhackme home dir
@stoic jewel You're wrong.
The user flag can be accessed from Alice, or any other user with a shell
You need to find it though.
But find won't work
So you need to think
@ripe hedge can I dm you about year of the rabbit, I fear I might give some major spoilers here
haven't done that one
just that you should actually ask the question, instead of asking to ask
@stoic jewel the tryhackme directory is basically out of bounds
think about how Wonderland works, and I mean the Lewis Carroll version
I though that flag was the cutest part of that room
Wow I'll do my best right now
@ripe hedge Lol This can't be happen bro, but why !!!!
eh?
glhfdd
I've never come in a situation like that with no permission
any hints as to the linux room root flag?
enumerate harder
like the env variables or?
files
ahh thank you
@ripe hedge just a question (from rabbit to root, or from rabbit to hatter then root !!)
hashcat --username --show -a 0 -m 1000 /root/Desktop/hash.txt /usr/share/wordlists/rockyou.txt For some reason I can't get hashcat to work. It's starting to drive me up a wall. can someone just take a peek at this
dammit and the room expired
or the VM
the --username and --show options seem out of place
@dim cedar Try JTR
Or simply use the correct syntax.
Is this not the right syntax?
Just try hashcat -a 0 -m 1000 /root/Desktop/hash.txt /usr/share/wordlists/rockyou.txt
huh ok thank you
I usually get that my hash is incorrect, and then I scream, pout, and do it in John instead.
^_^;
Right Ninja?
Ye but WSL2 is a VM
yes
It means hyperv and ew
¯\_(ツ)_/¯
Hey just started on the box "blaster" and i found the username on the hidden dir but i cant seem to find the passwd.
The hint said that i should look for the comments on the hidden dir but i cant seem to find any
Could i get a bump here?
Will take a bit of OSINT/creative thinking.
If you found the username, something on that page has some reference to something else. Search for what that something else is, along with the username you have.
It's mildly cryptic, but if you try for a bit and can't figure it out yet, I'll drop a bigger hint. π
thanks!
Well just finished blue
harder than I thought it would be mainly due to me not understanding syntax but overall
@patent token Found it!
Interesting way of finding it
But got reminded since i watched the movie mentioned!
Hey so when i run rdesktop with the username passwd and ip i get this error
Autoselecting keyboard map 'en-us' from locale
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Failed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option).
Thanks!
Got this error now
xfreerdp /u:xxxx /p:xxxxxxxx /v:xx.xx.xxx.xx
[01:00:26:540] [5397:5398] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[01:00:26:944] [5397:5398] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_LOGON_FAILURE [0x00020014]
[01:00:26:944] [5397:5398] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[01:00:26:944] [5397:5398] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
hmmm without turning on debug logging I can't be sure honestly
Alternatively, because the NLA is probably looking for a Windows host remote connection, you could whip up a windows VM and connect via that method after downloading OpenVPN client
May save you some time
yea, no im to lazy to do that
Haha I mean - bust your ass troubleshooting linux -> windows NLA connections or whip up a VM
NLA can be a rabbithole
IIRC remina works well
remmina is a good RDP client
@wispy bloom i dont think its a rabbit hole since the box is "blaster" and there are only 2 ports open
80 and 3389
No no - I mean getting NLA to play nice with an RDP linux connection
It's annoying
Try what the gurus are saying. Remina or whatever it's called. I haven't used that one before
ill try remina
good luck
looks like i got remina working!
psh no kidding. I'll have to add that one to my vm then
aaaand it crashed
still got user.txt
but with remina u get the windows ui
and its a pretty clean interface
yea i could get like 2 mins of time before it crashed
so now i have to restart
can anyone help with blueprint please? trying to get a shell with this command, it connects but immediately drops the connection. would this be the correct php code to open a nc connection? I commented out the echo line because I assumed that was the reason why.
i tried to include <?php $cmd=$_GET['cmd']; system($cmd);?> but it returns an error saying system is disabled.
Then you can't use system()
what about the nc line @stuck fractal
wat
the picture above that. I'm trying to open a socket to connect to but it drops immediately after connecting
No idea
im having issues finding how to find search history on internet explorer
WHO TF USES INTERNET EXPLORER
lol oh you'd be surprised
@ripe hedge owned
*rooted
@noble tinsel for anyone doing blueprint this php command worked for me ||<?php echo shell_exec($_GET["cmd"]); ?>||
yeah
can someone give me the syntax on how to copy and paste the pay to telnet session?
Select the output from msfvenom
copy it
type .RUN into telnet
Then paste it, then press enter
@bright steeple enough?
@stuck fractal yah thanks
maybe i mistyped a letter on first try
oh yah i typed @ when its 0 hahah
Why !!! can anyone explain to me!!
@stoic jewel you get more points if you are the first to answer a question.
You were not the first.
Emmm even if it was my first try !!
Yes.
Doesn't matter how many times you try
Szymex was the first person to answer, and therefore gets the bonus points
yeah that makes some sense
bookface ||ftp|| password, don't wanna wait 887:14h
can anyone suggest me how do I look for the LSB executable code???
Trying to complete the challenge at the end of into to python any hints to what i am doing wrong
good catch on the base 16 must have mistyped fixed that still getting an error name 'base64' is not defined thanks will go back and go over loops
that error is probably because u have space between base64. and b32decode
@safe kiln
Base16
Base32
Base64
You also have spaces between your base64 import and your function call, i.e base64. b64decode()
You're also using a separate output for each set of decoding
Decode the same object throughout
@safe kiln
@warm schooner
it still wont work
bc data2 will always be one decoding of data1
and your loop will only go through operation 4
for i in range(0,4)
i will be 0,1,2,3
i m solving common linux privesc room. I m stuck at exploiting path variable challenge. Can anyone help me?
yea
and path is bin/bash
u need to put some command that will spawn shell into ls
is it ||echo "bin/bash/" > ls||
yes but syntax is wrong
okk I ll try
i tried ||echo "/bin/bash/" > ls||. Its still wrong.
it worked
finally
@solid patrol where to use /bin/ls?
Ask your question without posting answers please
when
but when did I post answers?
In your screenshot
when u execute just ls
@steady stratus pardon I didnt realised.
u should be able to get root
@solid patrol okk i ll try
@solid patrol I couldnt get root
what is your output of cmd 'which ls'
||/bin/ls||
so u didnt exploit path variable correct
i did|| export PATH=/tmp:$PATH||
and did u put your ls that u created in tmp
put it where?
in /tmp directory
u want to change ls command so that when u use it it will spawn shell
with bin/bash u want spawn shell
@solid patrol where should I use ||/bin/ls|| in home directory of user5?
u need to use ls command that u created
to escalate privileges
just put directory in which u created ls command into path variable like in instruction in task
and then which ls should give you directory in which u created ls
and from that just use ls
and u will get root
Hey so a question about Blaster. I have gotten into the machine using the tool "Remmina" but i cant seem to find the CVE. I have opened internet explorer on the box and looked in the search history but theres nothing there.
Could i get a bump here?
try saved page
thanks!
@solid patrol can i dm you?
yea
@solid patrol i cant find the "saved page"
let me just boot machine
yea
even hint say to look in history
give me a sec to boot retro room
I think it's possibly in Internet Explorer from my memory?
to see if u can get it from there
Uh-oh! You have had your machine deployed for too long.
well congrats, you have an impossible room there
@unborn bough u can get it from retro room
oh
can someone give me the ||ftp password for jerry|| in bookface so i can do this bugged room ?
It's not bugged
it is just search the discord
If your bruteforce is taking a maximum of 10 minutes (the developer guidelines are maximum 5) but let hardware / network factor in too
@solid patrol this one? https://tryhackme.com/room/retro
yea
@steady stratus bookface is older than that policy
its rated hard
blaster is just walkthrough of retro
im pretty new to this website so im not too sure on the difficulty scale
have done HTB earlier tho
Having a look, people have used the ||fasttrack|| wordlist have you had any luck with that? @lusty wigeon
i will check now to see if it is in that list
yea i saw the writeup but seems that was before it got updated
Okay neat I'm just giving a whirl myself but that'll be much quicker I can imagine
thanks S1n
no it is not in that word list
I'm trying it as well.
if u use hint of flag1 u will see password
really ? i was doing hackback2019 version. hint is only "nmap+ftp" there
in bookface room hint for flag1 contains password for jerry
Mhm interesting, I wonder what wordlist has that. TIL
didnt try hackback2019 so for that it may be different password
Ah got it
i think it is in rockyou.txt just around line 10M+
Yea it's quite a way down
