#room-hints
I need a hint on the room Gatekeeper.. the port scan revealed something.. but what is that?
I connected to the ||elite|| port.. through telnet..
Has anyone completed the dave blog room? I need help on the root flag
Anyone who needs help on Jeff can PM me
For Advent of Cyber - Day 15 (metasploit) it seems like the flag should be in a very obvious place: flag-dir yet meterpreter says it is empty, even when searching for hidden files
Am I overlooking something very obvious?
@brittle rock, I haven't done any of that room but maybe you can see if the filename has weird non-printable characters with python?
But you said that flag-dir might contain the flag right?
Well, the name would suggest it at least
I'm currently in a docker environment
and judging by the order of questions it looks like the flag should be inside of it
Well, I thought that
but you can find some ssh-creds in the docker environment
and THM asks for the ssh password after the first flag
so I assumed it would be in the docker environment at least
Or ls -la
alright got it
I think that must have been a distraction
I tried using the command find but it wasn't on the meterpreter
so I spawned a shell
Nice.
I tried. 🙂
Well I didn't really give you anything to go off haha
cheers for the sanity check 🙂
Yeah, it's hard without a screen share.
Any hint on Jeff? I enumerated ||admin|| and ||src code|| but wasn't able to find anything useful.
enumerate all with extensions.
thanks
try a different wordlist to enum with... if you don't find anything useful
Are there any good rooms to practice pivoting? I couldn't find any room that has pivoting techniques! :/
@sharp moat
https://tryhackme.com/room/borderlands
Jeff: I can ||upload ftp|| but don't know what to do with it. I know I am inside ||docker|| and need to escape from here. But maybe I am not yet ready.
Shall I look for any particular ||CVE|| like ||CVE-2019-5736|| or give up?
@keen willow ||look for a common linux privesc, for example in the PayloadAllTheThings cheat sheet||
It's blind though, so trial and error. You cannot know that it works before it works
@potent vale
Hope!! You just ignited the spark again.
Does anyone know why flag2 from Jigsaw2 is not accepted by the validator? Yes, I removed flag2{ and }
Does anyone know the login for the machine for the tmux room?
Hi, I can't solve this question. I already downloaded the report but have been stuck for 4 hours. Can you help me with that? (Download the report attached to this task. What is the only critical issue?)
web application security room
task 13 question1
@blazing ruin there is no need to log in to the deployed machine; the room only wants you to run scans against it
Looking at question 1) "First things first, let's go ahead and install tmux. This can be done on Ubuntu/Kali with the command: apt-get install tmux". Is it implied that I have my own machine?
yes that is run on your own machine
ok great! thanks!
Hi guys. I am in the Burp Suite room and I am supposed to send the Set-Cookie header to Sequencer. I let it run until 27000 tokens, but it shows zero live capture and I can't analyze the result because it is zero... help?
Btw it is a live capture for owasp juice shop
Nevermind, I got it :)
Thanks anyway
can anyone give a hint on OWASP Juice shop? I am at the injection but can't seem to find out the right injection
@jade bolt there's a bunch of different types of injections
@jade bolt have you gone through the burp suite rooms?
@jade bolt there's a task in one of the burp suite rooms that can help you with that
I want to access the root.txt but I don't have the permissions for it (pictures)... The perms don't work even with sudo.
Need help :c
Room: Learn Linux
Task: #43
@white salmon if you do sudo -l you can check whether you have sudo privileges, and for what. That might differ between accounts 🙂 And check whether any of the accounts have a file you have overlooked.
So, I tried su shiba1 and switched to every user one by one and typed sudo -l, but I always get the same message: Sorry, user shiba1 may not run sudo on nootnoot..
I tried to /root/root.txt on each user but again, I get the same type of message: bash: /root/root.txt: Permission denied
I don't really get what I'm supposed to do! :c
There's one user on the box that has permissions to use sudo to run commands as root
That doesn't mean you can run commands as root with sudo
otherwise hacking would be super super easy
su root
That would log you in as root, if you had root's password
On ubuntu, root doesn't have a password set by default
ahhh ok
@white salmon think of root as an admin user with full system permissions
Ok, I need to access the root.txt file... but in order to do that, I'd have to log in as root but I need the pass!...
Nope.
Sudo allows you to run commands as another user
Typically root
@stuck fractal
Well typically superusers
Typically root.
dependent on the sudoers file
Oh, so should I use something like find or grep to find the root.txt file?
I don't :c
But I guess I have to search
No
You're told the full file path
if you want to find a file go to /
You can't read it without being the root user
then type sudo find . -name root.txt
@unkempt tinsel Hey, can I ask if you're trying to help to give a) good advice and b) not complicate things if someone else is already helping
You're making this really difficult
sorry bro
Not your bro
@white salmon So, you need a user that has sudo as root permissions
There is one user on the box that has those
@stuck fractal Which box 🤔
The Learn Linux VM
Or do you mean one of the 4 users?
There's more than just the shibas on that box
And also find a way to gain access to those users
So, this is supposed to be a challenge... I see
Bonus Challenge yes
i am not able to execute the shiba binary 😦
Have you followed the instructions
sorry, English is not my mother tongue
so I may have a hard time understanding everything
I'm presuming you're on learn linux?
yes, that is correct
Task?
Don't post answers.
sorry bro
Again, not your bro.
sorry pal
Not your pal either.
ok acquaintance
There is no need to refer to that at all. So don't.
i'm sorry if i have made you upset
Sinner just move on.
Since I'm in room "Learn Linux" too, for the Bonus Task, does it have something to do with task #36? Since I can see the creator creates some supermod user. I figured maybe it could have something to do with that
Nope.
Jaammess you're not giving me time to thinkkkk
I mean it's a yes or a no
hmm
I'm trying to come up with an excuse but I got nada
I can't figure out which user it can be, except shiba1,2,3,4!
I did :cc
Try harder
Maybe there are more users than just those 4.
I would directly think of shiba5
but since I get the same No passwd entry for user 'shiba5' or shiba99 or shiba1000 :c
I don't know if it is shiba
maybe you need to look for something else before the user
hmm
"Finish this room off! What is the root.txt flag" What is the meaning of "flag" here?
it's just ctf terminology, user.txt and root.txt are referred to as flags to get
Ok, well thanks for the help. I'll try again tomorrow with a fresh mind
Hey all, for hackpark, I assume rockyou.txt is the word list to use?
If a wordlist is required for anything for that room, yes @silk dagger
any hints for where to start for flag2 of Ra?
In the same place where you found flag1, @toxic scarab, there are some other files.
@random grail thanks. i'll keep looking there
there's just so much stuff on this box it's hard to know where to start
You saw other files there?
yeah
I've already been down that road a bit, but can't get anything to work the way I'm thinking it should. I'll just try harder
Think I got something finally. Thanks for the hint
Could I get a hint for Advent of Cyber - Day 13, the privesc. I think it involved the hhupd file which is left out, but I've spent a while on it, and people suggested that google chrome should be a present application, when it isn't on the RDP service.
@brittle rock Has your IE stored some browsing history?
Yup, I looked into the vulnerability
But from everything I saw, it needs chrome at least?
@stuck fractal I tried leaving the password blank when they asked me for it, it says su: Authentication failure. I also tried random passwords like "admin", "password", etc...
Is my objective to log onto root, right now?
Sorry for the mention, figured since you already know my problem you could help me
Agent sudo room, second flag. I don't know how to continue, but i discovered ||server-status|| site
It's getting hard on Jeff. One thing I need (I guess?): do I need to do something in ||ftp|| or in ||docker||? Please don't say both 😦
You need to do something in || ftp ||
@rain oasis I know, thank you
I didn't read the ||user-agent part||
that was a response to @keen willow 😛
xdxdxdxdxdxdxdxd
guys
is anyone on Intro to x86-64 room?
I have a doubt and would like it cleared up
Don't ask to ask, just ask
huh?
Ask your question..
thanks
So as you can see here, at the 1st breakpoint we can see that it will jump to that specific address if greater or equal, after comparing var_4 with eax
by comparing it, my compiler simply jumped to the address, which is right
because: var_4 is equal to 4 and eax is equal to 3
but in the room it says it shouldn't jump, I don't understand why it shouldn't
i'm confused
the order is to compare the var_4h to eax and not eax to var_4h
Look at the jge instruction
I think your confusion comes from reading the cmpl operands backwards. It checks if eax >= var_4, which as you said, it isn't.
@white salmon Don’t know if you missed my message :c
(Again, sorry for the mention, I really need help)
@white salmon it's not just me that can help.
I believe I've told you before, by default root doesn't have a password set so you can't log in with su from a different user.
I've given you all the information I'm willing to give you
@stuck fractal yes it says to jump if cmpl values are greater or equal...
but shouldn't that be if var_4h >= eax instead?
Oh okkk, so I need to set a new password!
@stone blade If it were Intel syntax, yes, but in AT&T syntax (which r2 uses by default) the operand order is reversed
@rain oasis Now I got more confused... I know:
AT&T: instruction = source + destination
Intel: instruction = destination + source
right?
yes
then it's the way I'm reading it now
I don't really get it, I'm supposed to log in with root user so i can access root.txt so I assume I need to su root. When I do that, it's asking me for a password... I don't get what I need to do.
so it's comparing if var_4h is greater or equal to eax, which has 3 as value.
@stone blade
and it's right, right?
well, you said eax == 3 and var_4 == 4, right? so in that case it's checking if 3 > 4
@white salmon you need to get root permissions.
The room has told you how you can do that
I've told you how you can do that.
@stone blade In AT&T syntax, a cmpl compares the second operand to the first, not the first to the second (that's Intel syntax)
Which is rather confusing 😛
@rain oasis oh now it's really confusing
Yeah, you are right, it's confusing since it's AT&T and not Intel; Intel compares operands like this and not AT&T
you can get r2 to use intel syntax if you prefer it, or just keep in mind that the operands are reversed. Either way, that's why the jge isn't jumping.
I'm sorry if I don't get it...
You're still asking for hints. I've given hints. You can get someone else to give you different hints if you want, but I don't want to give any more hints
Fine, I just don't get your hints yet
Read back over the task covering sudo
@rain oasis but that's the problem, it's jumping to the pointed address if var_4 is greater than eax, which I think is right, but the room says it shouldn't, that's what's confusing me hahaha
according to your screenshot it isn't
wait
Any hints on how to search for a file in meterpreter? 'search' and 'find' won't work 😦
help doesn't have anything
google will have something
@rain oasis check here
I've set 2 breakpoints
check here
It's working as it should, `jge` compared if var_4h (4) is >= eax (3), which it is, then it goes straight to the address pointed at by the jge and the program exits
No, it doesn't.
your second breakpoint is one instruction BEFORE the jge destination
but the room says it shouldn't jump
if jge jumped, you wouldn't hit the second breakpoint, and the program would exit
check last screenshot
Yes, i see you've paused the program at 0x...18
if jge jumped, it would've gone from 0x...12 to 0x...1a, never reaching 0x...18 in the first place
the room says jge shouldn't jump, right? And according to your screenshots, it is doing exactly that, not jumping. So.. works as intended?
yes you were right
gosh it makes super sense now
let me redo this again
this is amazing I did it again and could understand better now
@rain oasis U are The Man
Hi, can someone give me a hint regarding the room Jack? I have found ||usernames from wpscan and I think brute forcing will not work, as the hint given in the task itself says not to use tools. I tried going through the given hint too but no luck.||
@rain oasis I thought I'd ||upload|| a ||php-rev-shell|| to ||ftp|| and trigger it via ||jeff.thm||, but all I found is a ||/files|| folder on ||ftp|| which doesn't map to anywhere.
Am I lost?
@keen willow have you done the cmess room? I think you would get some good pointers from that room, or you could try something similar 🙂
@mild eagle alright, cmess here I come.
@slender umbra you partially misunderstood the hint.
I'm kinda struggling on answering the questions here:
What is the value of var_8h before the popq and ret instructions?
I've checked the value of var_8h by issuing the command ||px @rbp-0x8|| and the output shows offset 0 as 08, and when I go to answer the 1st question as 08 it says it's not right
any hint?
0x8 isn't the value
Endianness and variable size
pardon?
Endianness: Which way you read bytes
Variable size: The number of bits/bytes that the variable is
confused
Then I recommend doing some reading
What I mean is I'm not getting your explanation
Trying to do the "Steel Mountain" room. For task 2.3 we need to get the user flag. I tried to cat the flag, but the first 2 characters aren't shown, they simply show up as the icon for an unsupported character. Can anyone give a hint as to how I could make it readable? 🙂
don't know how I didn't think of that
@thorn plume I am drinking coffee
@rain oasis I am getting a download of ||login.php|| on Jeff at ||http://jeff.com/admin/login.php|| instead of it rendering. Is that okay?
That file is a ||rabbit hole||
@rain oasis whenever I think it's the climax, I come to know there's more mystery left. I'll try to transport something from it.
Anyone doing jigsaw2? Because I'm having some issues with the box
Noob here, need some help with Common Linux Priv. Esc. How do I see what cron is running? I tried crontab -l, but it doesn't have the info I need
There are several crontabs
Recently, they switched to separate crontabs for each user so that you don't have to be root to add a cron job
/etc/crontab is the system wide crontab, it's only meant to be writable for root.
ok, I've gone through the various /etc/crons. Can't see what I need anywhere
The hint is that it's on the user's desktop
durp
got it
Overthought it. Thanks for helping @stuck fractal
Actually, it's funny cron got brought up. I'm currently on Day 25 of the Advent room (Cronjob Privilege Escalation), and I was having trouble figuring out which element of crontab is exploitable. There isn't much to go on in the problem definition text, and everything that's in the actual crontab isn't susceptible to the two attacks I've found, namely: Custom Script Overwriting and Wildcard Injection. Any clues?? Thanks in advance!
UPDATE: the GTFOBin entry for run-parts didn't seem to do the trick either.
You can't read the crontab that you'd need to
But you can read ||the thing that crontab runs|| and maybe exploit that
Hmmm.... yeah, that was the path I was wandering recently. Still coming up empty, but at least I know I'm in the right area, thanks!!
Could someone help me out with the XSS room, task 3 #3? I did inspect element and in the console tab I wrote alert(document.cookie), but it isn't correct. Could someone give me a hint of what I need to do?
That is not XSS
I'm not sure what to do. the question is "Create an alert popup box appear on the page with your document cookies." Edit: I get it!! thanks @stuck fractal
Task 3 covers how to do a basic XSS
DEBRIEFING: I figured out ||which script I needed to edit|| for my problem, but I only knew ||that script was getting triggered by cron|| because it is part of problem I was working on. However, I have no idea how I was supposed to find out initially ||that script was getting triggered ||when I would be enumerating an actual target because, even as root, ||the crontab is the default on everything. No special script added.|| This reminds me of a similar problem I had with a previous Advent challenge where you have to ||XSS the admin's cookie. The admin never seemed to log on!|| Still looking for an answer there. But anyway, I got through this one, haha. Thanks, y'all! (I hope I used the censoring better!)
Hey guys I am stuck on the icecast room. for task number 8 it ask which task is being run on port 8000 and the nmap scan says its http-alt, but when I type that in the task says the answer is incorrect.
@vital raptor ask here
@jagged current port numbers don't directly map to service names. You can run any service on any port. Nmap service version detection can be enabled using a flag. That might help you.
Hello! This sounds like a silly question I know, but I was going through the Burp Suite room on tryhackme and question 1 on task 13 asks "Download the report attached to this task. What is the only critical issue?" I downloaded the report and read through it and found the issue, but I can't get the answer for the question.
Copy and paste it exactly as it appears as a heading @trim frigate
Exactly as it is on the doc
ah i got it! thanks :)
Can i ask hint for jeff room?
I was doing the wonderland room... I got the ssh key... and now I'm logged in to ssh... but can't work out how to escalate to root now... I have a python file in there
@sharp sage there are no SSH keys.
Sorry, ssh credentials of alice....
@sharp sage I have a writeup for that room, do you want to see it?
They're all on the room now
@white salmon I escalated from user alice to user rabbit... now I'm not getting how to move further...
Enumerate!
Hey can someone help me with jeff room?
yeah go ahead
@sharp sage you might want something for refreshment.
I run Kali in a VM on my laptop. Should I need a Raspberry Pi 4 🤔
Wrong channel.
So which channel should I go with??
Thank you
So I'm having trouble enumerating jeff. I'm presuming I'm supposed to find an interesting file served or the ||wordpress|| installation, but can't seem to find either, and have tried every conceivable interesting extension I can think of together with directory-list-2.3-medium.txt
@keen willow gobuster
@devout palm gobuster does a lot of other tasks too. you might wanna check them out.
@stone blade go on.
@keen willow finding the password is kinda hard for me
I've set the breakpoints but it's kinda confusing lol
@stone blade you might wanna look for a different approach to see what's inside the address, instead of the one given in the task.
If I can run apache2 as sudo, how can I escalate my privileges to root?
Server version: Apache/2.2.16 (Debian)
I tried exploring apache2 -help and explored some commands but I can't really get any of them running
keep getting this error "apache2: bad user name ${APACHE_RUN_USER}"
You can read system files if I remember correctly
@keen willow I'll watch some videos then
@white salmon Well, if the sudo allows you to run Apache as root, what would be the implications of that?
@white salmon First step ought to get it running, judging from your error message it interprets ${APACHE_RUN_USER} literally and doesn't expand the variable to a specific user.
And yes, Apache is often configured with php module to serve php scripts
You can either run ||apachectl -M|| to give you information whether the php module is installed, or you can check the ||httpd.conf / main configuration file|| for included modules
I get that part. But I am not able to use the apache2 command in terminal
"-D name : define a name for use in <IfDefine name> directives"
this is confusing
Can you please provide exactly what command you're using and what room and task you're on?
ye I'll show
I'm trying like "apache2 -D root -X" to play around with the options of it but can't get them working.
Deleted the hint cuz idk how to add spoiler tag
@white salmon Not knowing which room you're on or what the intended solution is, spontaneously I see two options:
Either you ||try to override a setting that drops the webserver to a lower privileged user||
or
||start a webserver with your own configuration file||
You put two pipe | around the thing you want to spoiler-mark, as such: ||spoiler||
@devout palm thank you I'm trying that
@white salmon what room is this, may I ask?
@final mortar https://tryhackme.com/room/linuxprivesc
Task6
You figured it out ig?
I did not; I moved ahead and completed it. Then I'll try this with the hints mahriman gave, but my problem is I am not able to do what the hint says, like explore all the options in that service. Like, I can't get the correct syntax to run the apache2 commands.
@white salmon There's a switch to override specific configuration values in the config file via the command line. Try to find that switch and what configuration directives you want to override. There's also a switch to supply your own configuration file if you prefer to use that instead.
Do note that I haven't done that room so I'm just guessing on what needs to be done. Normally Apache would be compiled not to allow it to be run as root I believe...
@devout palm thank you very much, I'm trying
@devout palm Apache has to run as root initially in order to bind to port 80. If you don't run it as root initially then you cannot bind to port 80. If you want to bind to some port above 1024 then yes, you can. To be more specific: Apache always needs to start as root, then it uses setuid to switch to the user context of the user specified in httpd.conf. Without root (uid = 0) you cannot create a listening socket on privileged ports (below 1024)
@keen willow You're right, I was referring to allowing the child processes run as root
Also there's ways to allow non-privileged users to bind to lower ports 🙂
but in this case I was talking about ||-DBIG_SECURITY_HOLE||
@devout palm looks like I jumped in between without scrolling up 👀 , sorry guys, go on.
no problemo 🙂
Any nudge on Jeff? I am still stuck on ||http://jeff.thm/admin/login.php|| after getting ||www-data shell and ftp credentials||
@keen willow this is a fake file. enumerate the network
@keen willow If you're really stuck, scroll up to ||July 3rd in this channel|| for a big hint
@keen willow See what you can do with the creds. Most of the stuff on jeff.thm/* I left there by accident and just went with it. I originally had a much harder idea to get the creds involving auditing/reversing & coding some assembly but decided against it 😛
Hey, i'm having trouble on one part of the Burp Suite lesson. Could someone help maybe?
just ask your question and if someone can they will @obsidian canopy
Okay.. It seems pretty simple, and I don't know why i can't find it, but i'm looking for a 'Set-Cookie' header, and i've gone through almost every single request without finding one lol.
The Set-Cookie header is only sent in responses, not requests
Hi, in the Jeff room I did an all-ports scan and didn't get ftp to show. How am I gonna enumerate that?
did you google exactly what you have highlighted? @wet imp https://stackoverflow.com/questions/55381711/msfconsole-pop-out-an-error-bundler-faild-to-load-cannot-load-such-file-b
I did and read that. It looks like I had to remove sudo. Thanks
np
@rain oasis I managed to ||upload a shell to ftp but am searching for how to trigger it.||
@wraith marsh yeah, I managed to ||upload a shell to ftp but am unable to trigger it. Also, I guess I will get a reverse shell inside docker if I upload my shell code to ftp and somehow manage to trigger it. Is that correct?||
I'm doing the metasploit room and I'm on "use ps to show services". Then I'm supposed to name the spool service and I don't know what they mean or which service is the spool service
"windows what is the spool service" into google
Thanks, I'm so stupid
@keen willow try the cmess room, it has a similar feel/idea
You just need to learn to google
It's a skill like any other
Don't know what something is? Look it up
add keywords to refine your search
Like I just read that the service is named spooler and its display name is Print Spooler
@mild eagle you meant after ||ftp||, correct?
@desert mica Keep going.
Research doesn't end after the first article.
@keen willow yes the escalation in cmess might be useful in Jeff
@mild eagle well, someone suggested that to me yesterday, so I did cmess today, but it looks like when I come to Jeff, my mind got buffer overflowed.
@keen willow Might be me. How did you escalate in cmess?
@mild eagle ||wildcard inj.|| ?
@keen willow then try that...
@mild eagle I thought about that, but one thing stopped me: I upload ||wildcard inj. to ftp|| and open a listener on ||docker||? If yes then I would need the ||ip of docker for the reverse shell||, and then I stopped?
@keen willow You can quite easily find ||the ip of the docker container||, but you don't really need to. ||Why should the listener have to be in the docker container?||.
@rain oasis just realised that. Things got messed up in my mind, needed a push. Will try and get back if needed. Thanks @mild eagle and @rain oasis again.
I feel like I'm missing something crucial
@devout palm how far have you come?
@keen willow ||managed to identify and upload to the files directory but have no idea where it is||
@devout palm lol, find me, you can see me right beside you.
rofl
I've tried locating my file on jeff.thm but can't seem to find it in any of the directories I've previously enumerated, so now I'm trying to figure out if there could be any directory that would be exposed in any kind of way, or if it would be possible to do some kind of nullbyte termination or something. My head hurts.
They're not exposed, you need to do something else
See the messages above (between Warmup and maximusprime) for a hint
Hey, could someone help me understand something? Not sure what I am doing wrong.
@rain oasis alright thanks, then I'm all out of ideas 🙂
@twilit swallow what is it that you have trouble understanding?
I'm following along with the write up for the year of the fox room.
and the guide is using something called the socat binary to get a shell on the machine
I followed is example but mine didn't seem to work. I think it has something to do with my directories being different or I just did it completely wrong.
his*
What did you try and what went wrong?
I followed the steps from the writeup as well, and it worked for me. What's not working?
Not sure, I don't get a shell or anything, just a message within Burp
maybe I put the wrong IP address?
We can't really help unless you give us some more information. Maybe show a screenshot of what you tried?
Asking about HackBack Task 10 (Bookface), trying to get some info at the start, so bruteforcing the ftp login with the user "jerry", can I get a sanity check, and if so how long the bruteforce attack should take
It's been running for about 2 hours now
A literal age
@twilit swallow Did you also have the ||web server set up to serve socat|| and a ||socat listener to catch the reverse shell||?
Notice how the python server isn't showing any file being requested?
should I be using tun0 or eth0
The IP address appears in your payload twice
Read carefully
Alright, double check the syntax, you have a typo
it not I
roger checking my syntax
You mind me following up about the HackBack question?
@brittle rock I did
Yup
No luck with that at least
I'm onto rockyou now
ah
Forever.
is there something else I would be missing
I was thinking ||port knocking|| but I need to know the specific order I guess
I mean it just takes a very long time
Yes
I tried with fast track
but that was only 250 words
so doubt it would be that
are you allowed to give me a rough hint, say it's 500k+ or something?
I mean, I don't know where it is
I just know that it used to be easy, and it was changed later on
Why?
Complain to dark 😉
I don't mind letting bruteforce run for a couple of hours, but with the box resetting every hour
makes it pretty impossible to do it overnight
I don't wanna bring the wrath of Dark upon me 
It doesn't reset every hour.
Is that for VIPs though?
Don’t sleep
Well, you have to extend it every hour
Extend.
Not refresh
If you wake up of a morning and put it on, come back every 55 minutes to extend the time
Still, say it is deep in rockyou, it could take longer than a day
my wifi is quite slow.
You know the brute-force is optional right?
Your wifi speed won't factor into it
@rain oasis In bookface?
check the hint for flag 1
If it's deep into rockyou, start halfway
Read harder
@brittle rock Check the hint
Yeah... hence forever
At a rate of... what... 200 per minute?
would still take quite a while to get to 1.3 mil though 😛
Boom!
Done it
@stuck fractal thanks for helping me get over that block, the rest of the room was really, really fun
Could someone please help me with XSS room task 8 number 2? I have tried both of these: `<a onmouseover="javascript:alert('Hello')">Hello</a>` and `<a onmouseover="eval(atob('YWxlcnQoIkhlbGxvIik='))">hello</a>`. They are both giving me popups but not the answer. It seems they are wanting a specific way to get the popup, but I'm not sure which way.
Hey guys, doing the Juice Shop room. I was trying to find the user Jim's answer to their secret question, tried for ages with different SQL injection methods but no luck. Read a tutorial ||and the name happened to be from Star Trek||. Kinda was hoping to use a more technical method to get a better understanding of web hacking. Any suggestions of what I could try to get the same answer?
Finally pwned Jeff after a week of frustration and enumeration. But altogether a great machine. Really enjoyed it. Thanks to the author. @wraith marsh
I'll tag him here but #522158404614225920 is the best place for kind comments like that ^^
@wraith marsh
Good job on keeping at it
Sorry, didn't know that. Will post in feedback channel.
@pallid bough try with something else than an alert
@fluid field it may seem arbitrary but it isn't. If you use SQL injection to log into Jim's account, you will find some stored addresses in his profile. This gives you a hint as to where he lives, which happens to be on the USS Enterprise. Even though this is a fantastical example, this uses standard OSINT techniques to find the answer to his secret question. If this was a more real-world situation, you might find the users' social media profiles and mine those for the information instead.
hello, can someone help me out with challenge CrackMe2 on Intro to Assembly x86-64 please?
I've found the secret pass in a file but it's not working
I'm brand new to all of this, having trouble getting out of the gate: Go to your machine's website (http://machine_ip/) - What is the flag text shown on the machine's webpage?
1-5 minutes
@ripe cloud So pressing the "Deploy" button creates a virtual machine for you on the TryHackMe network
In order for you to interact with something, it has to exist
ok, deployed, waiting as mentioned
That machine deploys fairly fast
It's a full virtual machine that's booting up at the moment
Private IP
It's a 10.10 IP address, which is a private IP
You need to be connected to the VPN in order to access any machines with a 10.10 IP address
That means you don't need to connect to the VPN if you use the browser inside that machine
But you still need to deploy the machine in the welcome room
And the IP address will be the 10.10 address in the welcome room
ok
It's worth mentioning now
Not all machines run a webserver
So you can't open the IP address in your browser and expect there to be a website
CTF collection Vol.2, task 2, question 20: I'm sending the POST request and correct credentials but still it's not showing the flag. Anyone help please?
ok, thanks for the guidance, I need to stop for now and come back to it later
have to finish out my current career before I move to the next one
anyone?
Hello people 🙂 .. I have a question on [Task 18] [Section 3.5 - JWT]: Challenge for "ZTH: Obscure Web Vulns"
@sharp sage you sure you're sending it correctly?
After setting the token (Firefox > F12 > Cookies > token > value), how do I 'reload' or apply this new token?
The guide isn't clear on this
It is applied
I need a hint for the Linux Walk Through room, task 12. It's asking how to specify which shell is used when I log in. Other than making profile configuration changes, I don't know this one. Can anyone give me a hint?
If you read the task title, it's specifically asking about the su command
Yes, it does and the answer format even shows ** but it tells me my answer is wrong if I put in "su".
Let me rephrase it for you
How do you specify what shell is used when you're using su?
@white salmon Can you rephrase that question at some point?
Seems to confuse people because they don't read the task title
Ah, got it! I just needed to rtfm. LOL Thanks!
Always read the manual.
What's up?
@white salmon The question about Su
No one reads the task title
So they think it's not about su
.-.
I know, I know. You shouldn't have to cater for people who don't read..
And I'm not going to
I will not change a question because the people refused to read the bloody title
Add a hint "Read the title of this task"
James I get where you're coming from, I really do
But the command
Is literally used in a picture
In that same task
As well as multiple examples of literally exactly what command to run to switch users
Correct
All I'm asking is for you to clarify that
grabs popcorn
Not everyone speaks english as a first language
I've made it very clear in previous tasks multiple times that if you're stuck on a question to read the man page for that command, I left it out so you would have to use some logic there
In a guided room where just about everything is handed to you on a silver platter, those little sections of logic are nice
Ok?
It makes me reee too
It's a small change that would remove literally any requirement of logic to solve the question
Just add a hint saying "Read the title"?
And questions about flags like that have been asked in the past
So it's not new
The command is used in the text body multiple times James
Even with a picture
I think people are ignoring the fact that the questions relate to the task text
And I don't think there's that much we can do
And that is not the responsibility of the room creator to make people figure out that the task body corresponds to the task question
It's likely to be someone's first or second room, that's the issue
I got the camera
I would agree if it was the first task
Both sides have good points 👀
There's 11 other tasks before it multiple of which ask for flags as answers
This is not new
Who will come out victorious
The two of us are very stubborn
@oblique cliff
I can get muir to, but that's aboose
the "logging in" is the confusing part. It would make more sense if it said "How do you specify which shell to use when you switch users?", or "What option allows you to specify which shell to use when switching users?", especially since it isn't really a "login" without specifying --login as well. Then you aren't necessarily completely spoon feeding it, but you are short-cutting some of the confusion.
People see the question generically, and look at things like chsh and /etc/passwd
That is outside the scope of that task
You make a tempting offer James
@toxic scarab's solution is really what I was aiming for
But I really, really don't think I'm asking a lot of the user by expecting them to figure out to read the su manpage and find the option that says shell
🍿
You don't even have to scroll down
You don't even have to read the man page, su --help has it too, and using --help was established in the cat section
It's like, under a minute to add some changes that don't detract from the room
It's not about the time it would take, I'm literally reading the section right now, I'm just expecting the room user to use a tiny bit of logic
That shouldn't be so much to ask James
Especially if they wanna do the rest of the rooms on the site
🥊 🥊
@white salmon You and I both know you can't expect that
You still find the answer in the same way
Through research
And that is not my problem if they can't use the minimum level of logic to solve a very very easy question
It's in the title, it's in the task body as text, it's in the task body as a picture
Has anybody here done the Hashing Crypto 101 room? In particular the password cracking section?
I made it, what's up?
Numbers 1 and 3, I have nearly finished running through rockyou and I am starting to think they are not in that list!!
They are the sha512 Unix and bcrypt ones
Mine has been going 24 hours now, they are nearly finished and still nothing!!
hashcat
Are you using --force?
Yeah, I have to, if not it won't run on my machine
Thanks, I will have a check
--force gives you false positives and false negatives
basically meaning it can skip over the correct password
Use john
Don't use hashcat in VMs
thank you!!
Use hashcat when you have a graphics card.
aaah ok! Thanks for the info!
Hi guys, so I'm in the room called Linux Challenges. I'm on Task 4 #7
Find flag 26 by searching the all files for a string that begins with 4bceb and is 32 characters long.
I run find at the root level, piped into `grep -irl '^4bceb' *`
The command runs, I see the search, my issue is the search freezes on files called "clear_refs" every time! I mean, is there something wrong with the room or am I just doing something wrong which causes the search to hang there?
@hazy sequoia look into not descending into directories on other file systems while using the find command. And also you're grepping on the filenames that find outputs right now. Look into grepping the files of the find output
thank you, i'll see how i go about doing that
That flag is a tough one for sure!
Hello, just wondering if anyone can give me some pointers on the OWASP Juice Shop, [Task 7] Broken Access Control, #1. I have been stuck on this one for a few days and have decided to give in and ask for help (other than google that is!). Thank you in advance 😄
@dim ether are you stuck on the first question
Yeah ☺️
What is the name of the page <--- this is what you need to focus on
you have already been to the page if you have done the other tasks
Hope that helps you out
Okay, thank you ☺️ I will have another look at previous tasks.
I'm solving the Pickle Rick room. When I try to login using the username ||R1ckRul3s|| through SSH I get permission denied (publickey)
thanks in advance
Are you sure that's meant to be used to ssh and not || login to the webpage || ?
@trim haven haven't found any login portal on the ||webpage|| so far. I'm not sure whether ||R1ckRul3s|| is to be used for SSH. I'll keep enumerating
gobuster ;)
I'm using dirb
Don't think it makes much of a difference
Hi, in this room https://tryhackme.com/room/thecodcaper I'm at task 5 and I found the id_rsa file, then tried to use ssh2john but it says there is no password
So then try to log in with it and see if it works without a password @livid quarry
No, it still asks for a password
What wordlist are you using @livid quarry
I didn't use any wordlist, I tried to extract the hash with ssh2john but it said there is no password
I'm unable to change directories in the ||command panel at web server||
The hint ||says look around the file system for other ingredients|| but I'm unable to change directories in the ||command panel||
@livid quarry You're not specifying a password list.
@true widget The webserver is not the file system. You've gotta somehow get onto the computer
As far as I understand I should first extract the hash with ssh2john and then use John the Ripper to crack it
No you convert the hash to something john can understand
What wordlist are you using @livid quarry
@trim haven you get the ssh password in plain text, as I have already told him before
how long did it take you to crack falconfeast password on the LFI room?
Don't use hashcat in a VM
with john
Hey guys, I was trying out the Mr. Robot room. It uses ||wp 4.3.1 which is vulnerable to authenticated RCE|| but I cannot find the login credentials, any hints?
@eternal brook what have you done to try to get the log in credentials?
Some fuzzing looking for some directories... also tried some default credentials...
Oops, didn't realize you replied, @ me next time. You didn't find anything interesting when fuzzing the directories? @eternal brook
I'm off subscription these days, don't know whether this is supposed to happen or not, but when I run gobuster I get 2-3 dirs then come the error messages. I'm trying to run gobuster again now... found some dirs like ||feed, atom, wp-content||, running scans in them now 🙂 @oblique cliff
also hydra is running but no success yet
Brute forcing isn't gonna work unless you have the correct wordlist and username
Subscription has nothing to do with it if you're on a free room
gobuster is gross, use dirsearch
@eternal brook
Alright, I'll switch to it
Oh, I thought maybe it had something to do with the VPN connection
nope
If it's a timeout, that points to a VPN issue normally
this?
If it does it with other tools, you'll want to fix your VPN
Yeah, I'll download the connection again and try again
Maybe the issue is with the VPN... not able to detect dirs
Hello guys, I'm solving the Lazy Admin room and I'm unable to exploit the ||arbitrary file upload|| vulnerability. Thanks in advance!
Okkk, I'll elaborate a bit
I'm solving the Lazy Admin room and I have managed to log into the web server, and upon a little research I found out that ||SweetRice version 1.5.1|| is vulnerable to ||arbitrary file upload||. Upon enumerating the website I have found a feature (data import) which allows importing files. I tried uploading a ||reverse PHP shell|| but I couldn't execute it. I downloaded the Python exploit which allows us to upload a file on servers running ||SweetRice version 1.5.1||. Upon running the exploit I entered the IP address of the machine but I got the following error. Any help would be appreciated! @oblique cliff
much easier to help now! @true widget
and in future, mark the pic as spoiler please
But anyway, that all looks good to me, have you looked at the error the exploit you're running is throwing?
New channel name 🥳
I'll make sure to spoiler the pic next time. I did search the error but found nothing useful
@oblique cliff I tried to upload a ||PHP reverse shell|| here
The pic from before, you were running an exploit and getting an error, did you read that error?
@oblique cliff It told me to enter target url
I exploited it manually
I tried to do it manually by uploading a ||reverse PHP shell||
But even after uploading it I couldn't see the exploit in ||data import||
what could be the issue @stuck fractal
Did you research the exploit enough?
You can use the manual exploit via searchsploit
||It's through ads||
||message||
@stuck fractal I did read about it
thanks
Shall I directly upload my code there?
@true widget you can do it that way, the exploit you were trying to use also works. If you read the error you may be able to debug why it's not working when you enter the URL
@oblique cliff but how come I can enter the URL for the website in a ||.com|| manner?
What do you mean. Try different things on how to enter it. Read the error
I have just cracked the passwords in Crypto 101, in less than 5 seconds on the THM VM. On a VM on my computer I couldn't get them to crack, using hashcat and JtR
Ninjajc01 | james explained why hashcat didn't work, but any idea why JtR won't run properly?
Generally robots.txt is detected by nmap, right?
@eternal brook No?
@odd idol That's uh... Really weird
robots might be picked up with a script scan
But won't be picked up with most scan types
Hmm, I got that ||robots.txt|| in the Mr. Robot room. It was kinda surprising for me because earlier whenever there is a ||robots.txt|| it is mentioned in nmap
Yeah, next time I'll check it manually
Nmap won't detect it with most scan types
First time for me when it's not detected
@stuck fractal is there a way to run JtR in verbose mode? So I can see what is actually happening
man john
thanks 🙂
@eternal brook even if it’s not caught by nmap you should be directory busting and any directory buster will pick up robots
IDK why, what's going wrong with gobuster, it's just showing those error messages that I posted earlier... so I tried using dirsearch as suggested by you and got robots.txt, thanks @oblique cliff
@stuck fractal found it in the config file! thanks
@eternal brook tag james to show him the inferiority of gobuster as illustrated by your success
Hahah, gobuster is good, don't know what happened this time, but dirsearch also seems nice @oblique cliff... it took me 2 hrs to detect that robots.txt because of gobuster, and nmap also didn't detect it, sad part 😂
@stuck fractal I still couldn't get the reverse shell. What am I doing wrong?
No idea, it's been a while
Sounds like something is dodgy with your VPN setup or your listener
Try different payloads
Tried everything but couldn't get a reverse shell
which room?
I have a writeup but it won't help you for this stage
I would say try harder, looking at writeups doesn't give satisfaction... @true widget
@true widget ||have you looked to see if you can upload a file rather than put something in the ads code?||
there are dozens of ways to get a shell on that box
Hello guys, I'm on the beginner path and I'm doing ToolsRus. I'm using Metasploit for the first time and I noticed no matter what, it never tries the IP I set rhost to, but instead my default address. How do I change the address? (set "rhost", "RHOSTS", "rhosts" and "RHOST" don't seem to work)
Oh wait, nvm, I just realised I lost connection to OpenVPN, oops. I'll leave this here anyway for documentation of my stupidity 😄
Nvm, it still doesn't fix the issue
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.14.29/83c87063-f9f7-4fe9-9242-32ed59709f59 => 200. To force processing of Wildcard responses, specify the '--wildcard' switch. Can someone help with this error. I am not able to use dirb or dirbuster as well and when i use -- wildcard switch then every page returns 200 code
Guys, I'm doing the Burp Suite room, I'm not understanding the task 6 #9 question, please help me
@stuck fractal
```
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 10.10.144.xxx
rhosts => 10.10.144.xxx
msf5 exploit(multi/http/tomcat_mgr_upload) > set rport xxxx
rport => xxxx
msf5 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 192.168.xxx.xxx:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 9y9ezOi6jdDN3ob...
[*] Executing 9y9ezOi6jdDN3ob...
[*] Undeploying 9y9ezOi6jdDN3ob ...
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/tomcat_mgr_upload) >
```
I get this every time
With an IP yes
can I dm you?
Help me with this
it starts from my lhost but then has the same error
the console?
In msf
show options after selecting the module
you haven't selected any module yet
@worthy iris
because I reset msf but even when its correct i had same issues
your vpn ip
@oblique cliff I uploaded it, got a shell, but I have one question. How did we come to know that the uploaded shell would be in ||ip/content/inc/ads||?
@true widget research the version of the thing you're exploiting and eventually you'll find where the uploads go. I don't actually remember because it's been a while since I've done the box, but that's what I would've done
Or just looked around
also make sure your module is correct @worthy iris
I've tried the other 2, I can retry them with a different lhost I guess
this is my earlier ss with it all set
Probably the wrong module, I think it's Lazy Admin, right?
Not sure what Lazy Admin means but I'll try another module, thanks
lazy admin is the name of the room, not the module
Yah, I was asking about the room...
Hey, I am brute forcing the login page with the file found, but it's been hours, no result yet. Right path? @oblique cliff
I also used that list for dir busting but no results
yes, it will take a very very long time because there are lots of duplicates in that list
Already been 2 hrs I suppose 😩
If I had to guess it'll take days unless you remove the duplicates
Working on the Intro To Python room and was wondering if anyone has any tips or resources for the base64,32,16 decoding? I’ve been stuck adjusting my code for a day and a half and can’t get it. Even downloaded pycharm to help see my errors easier, but no luck.
I can't figure out which user it can be, except shiba1,2,3,4!
@white salmon do you need help?
@sage moth Thanks, I used some hints from the internet and I found the solution! 😅
@white salmon it took me some time, but I found three steps ||1) use find 2) find password 3) use sudo -u root ...||
sudo -u root... is the same as just sudo...
@toxic scarab that is so true, thank you
@sage moth What I couldn't figure out was how I could find files from a specific user without getting tons of files. ||I did find the answer on the internet and then I could continue. The file had an admin user password so I could sudo /root/root.txt||
@white salmon It wasn't easy. but it's satisfying once you know the solution. 🙂
Yep indeed 🙃🙃
@wooden mist || have you found the binary? ||
No, is it really used on this step? 😟
Yes
oof
The value of var_8h before popq and ret? I thought it was 60, but it is not being accepted as the answer!
I have finished the room, I am just stuck on this one!
Are you doing Intro to x86-64?
Yes, sorry. I forgot to name the room!
If so, try converting the value to decimal or hex
Anyone have a hint for Blog? Does it start with ||XSS in comments||? Trying that, but no luck so far.
And, never mind, just found an alternative to that
nah
the tags are referencing a specific CVE which requires authentication
with enumeration + bruteforcing you can get the required credentials
Yes, I was trying to get to that point by doing some XSS, but found creds after a while
And then binex? Ugh...
XSS room task 3 #6, I have Jack's cookie, I'm trying to set it by ||running document.cookie={his cookie} in the developer tools and then leaving a comment, but it still comments as myself||
I also tried to use Burp Suite but that crashes the box every time for some reason. Can someone point me in the correct direction for how to actually set my cookie to someone else's to leave a comment as them?
@oblique cliff You really shouldn't be touching the devtools for XSS
Because that's just editing the data clientside, rather than XSS
Gotcha, so I'd tried to do it with Burp but it crashed the box (twice)
Am I just doing that wrong?
🙃
@stuck fractal so I got it by ||changing the cookie value in storage|| . Is that not part of the dev tools?
I think the goal was to XSS Jack into posting it
Watching the hint on the room it says to change the cookie via the dev tools. I believe the xss part of the challenge was just obtaining the cookie
How would you do it the way you're describing? I'd like to learn 🤓
Payload would be something like
```
document.getElementById("messageBox").textContent = "yeet"
document.getElementById("submitButton").click()
```
@oblique cliff
And that's in the comment that I'd do that?
Wait, I'm on the part where I'm trying to impersonate Jack, I don't believe that's what you're showing, is it?
You wouldn't impersonate Jack at all
You'd XSS them, so you can run JS in the browser
@stuck fractal ?
That’s not nice to steal someone else’s cookie
Right, so is how I did it the correct way, or is there an XSS way to do it?
Because my interpretation of it was that the XSS part was getting the cookie, and then you're supposed to use the dev tools to impersonate
I was trying to do a ||<script>Document.cookie="cookie"</script>|| but that wasn't working
Is there a different entertaining way that will work?
The one that I described earlier
Right, I'm a bit confused how that would be impersonating someone else?
All you're doing is setting the message box to something and then clicking submit via JavaScript
Where is the impersonation happening?
In their browser
You don't impersonate anyone
You have XSS
You can run JS in their browser
As them
I believe I understand what you're saying, but I don't understand who the big "them" is. In this case, for example, I'm trying to do something as Jacky boi. How would the browser know to do something as Jack when it's not his app, he's just another user on the system
Using your aforementioned method
So you want to do stuff as jack
You have XSS
You can run code in Jack's browser
You can run code in the browser of anyone who gets hit with the payload
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
Ok, so you're talking about a realistic situation
Where you would store the payload
And whenever Jacky boi executes it, it would run as him
Or even this situation
If it's a webapp with a real user
Which I'm looking at building into a room for better XSS practice
Ya, as you can see I have 0 experience with it, so I'll stick to this one for now lol
Ok, but circling back, how would Jack ever execute this payload seeing that he's not a real person?
I haven't done that yet
Well, you can automate browsers
My web app hacking skillz are lacking, to say the least