#room-hints
@wraith pivot @hazy sequoia Try googling "grep example regex"
okay but enumerate it how lol
ive tried to implement ssh enumeration on my own boxes
and the scripts fail every time
||The port knock requirement on this machine doesn't work.||
||nmap -p- -v ipaddr should show you what you're looking for||
||or threader3000||
shamelessplug
still no results using that scan bruh
and i can get to ||the ssh banner but thats it||
Yea. I'm not a fan of LOTR. Very CTF'y.
unless i can curl them and stego
@verbal wedge yes it’s just images. Enumerate
@white salmon so the issue i think i'm having is with searching ALL the files. System hangs when it gets to particular files as if either they are so large it's taking forever to search or i'm just stuck.
have you tried waiting
search takes so long the server times out
That usually means you have to refine your search to be less broad.
@hazy sequoia it’s trying to go into mounts and stuff it’s unable to go into. You need to pass a flag that prevents it from going into mounts
If you’re doing what I think you’re doing
@oblique cliff im not sure what else to enumerate lol
Usually whenever I use find, I always pass -xdev and 2>>/dev/null
those are almost required for using find in a humane way
@oblique cliff i bet you i am. i haven't been able to find a flag that stops it from going too deep. I remember you had suggested that earlier but the information keeps eluding me, gonna take another look around
Ok. So maybe try that?
You can always refine a find command deeper- you can narrow it down to file only, text files only, in certain directories, etc.
||You also have a picture that you can try some of the words on as a subdirectory||
base64?
Try it?
ugh son of a --
🙂
||Maybe hydra isn't the way||
so dont need to brute force it?
What do login forms communicate with?
Where is user information stored?
And what do you know about data sanitation and user input?
something something sql?
🙂
nothing seems to be injectable
Does this line in owasp10 "There may or may not be another hint hidden on the box, should you need it, but for the time being here's a starting point: boxes are boring, escape 'em at every opportunity." mean that I have to get a shell in order to obtain the voucher?
i used sqlmap
That's okay as long as I get it.
checking the POST parameters username and password
@wicked kettle you can't get the code
It's been claimed. There is no voucher for you to get.
It's no longer possible
||try sqlmap Nameless||
i did lol
||use --level 3 as it's a cookie injection I believe||
wtf is that
It's just an additional flag. The command should be pretty easy. ||sqlmap -r ipaddr --dbs --level 3||
But the voucher must be written somewhere like flag, Right?
It's okay if it's claimed. As long as I reach there, like flag, i guess.
im still lost lol
ok, no worries.
me too lol
What command have you run specifically Nameless?
I can help better if you share it.
||sqlmap -u http://10.10.169.202:1337/978345210/index.php --level 3 --dbs||
@wicked kettle You'd have had to email the email on the main page to "access the beta". The email now no longer replies with the sub code
I actually gotta go. I'll give this a shot over the weekend or tmrw
Oh ok.
I used a write up for it the first time honestly.
Some good things to learn there.
@stuck fractal Oh, I see so it was kinda first come first serve.
I thought I'd bypass the admin panel and pop up the shell.
lol
As I said, not written anywhere and is no longer obtainable
Understood sensei
@patent token ah I see. I didn't know you could copy an entire burp request and save it like that
Good to know
🙂
Is john the ripper an ideal way to solve an NTLM hash in the c4ptur3th3fl4g room?
IIRC you'll be cracking for a very very long time
That is what i figured - my hardware is old & small for that sort of job
I mean it really doesn't matter about the hardware here
BUT - where am i supposed to go if i am not expected to crack it myself?
Maybe try some rainbow tables.
Hello all, doing the CC: steganography room. Stuck on the last question of the final exam
@patent token is the privesc path for gatekeeper to be done with ||Potato.exe ||? or is there something else that i'm missing?
lmao for the owasp thing I was confused asf actually contemplating whether we need to send something to that email address but it's already been claimed rip
also in that hint what does ||subcode|| actually refer to because I just changed my ||login|| cookie via burp from the one in the ||sqlite file||
Subcode = subscription code
Anyone completed filter evasion task in Cross-site scripting lab ??
What do you need help with?
Challenge 4
Could you give a little more information than that please? Which Task, what methods have you already tried and exhausted etc.
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
able to go through all the phase of OWASP top 10 sensitive data exposure but the voucher was already claimed 😆
@wanton epoch something You’re missing
Hello guys, i need some help with the challenge blog. I have a shell as user www-data, but I am completely lost. I don't know where to go to privesc. Am i in a rabbithole? Can someone give me a hint lol
I have tried linpeas... find command, don't know where to go
@lilac totem linpeas & linenum will help you out
btw.. a lot of hints are in this chat..just scroll up.. or use ctrl+f
ah thank you didn't see that
sorry
@indigo ridge okay i can't find anything to help lol. I have the wordpress database, tried to do something with the hashed password of bjoel but nothing :/
is the mysql database somewhere to start something I have missed?
thats what I thought since the root flag is showed first
yep
but I really don't have a clue of what I'm missing here lol
I think it is really easy but I can't find....
just use ctrl +f and type the room name
you will get plenty of hints..whats the point of explaining same thing again.. just try it..
any hints for Blog's Priv Esc ?
@edgy gorge same for you
people had asked the same question.. including me.. how to privesc.. so there are answers just here in this chat
um where 
btw.. a lot of hints are in this chat..just scroll up.. or use ctrl+f
@indigo ridge .
So I guess in Blog it's the ||checker|| SUID
@shut pollen
I think this one
with the tag reverse engineering
lol
try
Done and Dusted son @lilac totem
yes exactly what i'm gonna do, my message was for @edgy gorge
ahah lol
@indigo ridge omg I feel so dumb
this room trolled me till the end
yeah
@lilac totem
The file is pretty obscure but it reinforces the fact that you should enumerate a lot- and look hard
Anybody did Blog here ?
|| for reversing the binary in blog|| we cannot download it? I guess need to use gdb?
Many did where u at
I cannot find the credentials for the wordpress login
found usernames?
You don't need to download and RE it
Try something simpler on the the target machine.
No, I'll check deeper
|| aight trying strings and strace || on it
||Ghidra|| works well
Also unnecessary in this instance.
You can run it in background while looking for something else maybe it gets something
@white salmon you can download it
Hi! Im having problem with room 11, I have created the noot.txt and trying to run ./shiba1 but all I get is -bash: ./shiba1: No such file or directory
I have checked the current directory and sub, but haven't moved up the tree
also, the room doesnt tell me I need to go searching for the binary or where it could be :/
@wooden mist Hey do you mind if I DM you for a hint regarding flag2 for carpe diem? I have no idea where to go from there...
sure
OWASP 10
Which task?
What is the user's shell set as?
@edgy gorge can anyone help with this ?
@edgy gorge Every user starts out with a specific shell by default- you should try seeing if that's maybe stored in a list somewhere.
👍
@rotund cedar I think you're looking at the wrong program- the questions require analysis of the bin if2, not if1
The ASM in your picture looks like the ASM for if1
np
hey there, how are u people? looking how to popup machine ip addr from browser with js.., if someone can give me a hint
Have you tried googling it?
yes
actually- if you're doing the XSS Playground room, the hint for that question should give you the exact function that makes it pop up.
np- I had the same issue too 😅
Owasp Top 10 [Task 12] [Day 3] hidden hint for a 1 month voucher. I have skimmed the web code and haven't found anything. I am not sure how deep I should be looking since this is a beginner challenge but should I be using any tools to find this or is it more obvious than I assume?
You can't get the sub code anymore
It wasn't on the box though.
You had to email the address on the main page and ask
omg lol, I love it. Thank you!
Hello world, any idea regarding the wordlist to use for the webgramming room, enum part ?
For directory enumeration?
Hello, i need a hint for the #6 challenge in the room c4ptur3-th3-fl4g. ||Ebgngr zr 13 cynprf!||
Have you considered some basic CTF techniques?
What?
No
There's your hint then
@glossy basin yup, trying medium.txt so far but doesnt look like a success so far
Dirbuster 2.3 medium would be my next step up
yes thats the one im using
Need help with owasptop10 day 2 challenge
Logged in as " darren" but cant see the flag
You can't
How can i decrypt md5 hashes?
@white salmon just google it
Room, task, question
Help me with owasptop10 day 2 task 8
Tried 3 times
Then you're repeatedly doing something wrong
For example?
@white salmon What room, task and question?
@limpid hatch you just need to follow the explanations step by step
All i did as instructed in text: register user darren with quote space name quote and then logged in with same user which i registered
Ok thanks
Much much easier to work out what you're doing wrong when we know what you're doing
hey I have a question
please may someone point me in the correct direction as I cannot seem to find the answer to this no matter how much I look
What is the very first CVE found in the VLC media player?
Have you looked on CVE details for VLC?
ye
it has a CVE tho
im so confused
sry
the room tells you to look on e-db for all the prev questions
try cvedetails.com i guess
If you are in kali use searchsploit
i'm on learn linux task 21. i'm not really sure what i am supposed to do here. i tried doing export test1234=shiba2 but i think it was stupid move, because when doing echo $test1234 shiba2 shows up.
password for shiba3 isn't showing up
read the rest of the task instructions
i did
Did you run the binary?
i did run ./shiba2 it gave me access denied.
what user are you?
shiba2
Can you provide screenshots?
So you've broken the binary
You ran a command with >> $USER on the end at one stage
Which I did warn you about, in #site-support
You need to terminate the VM and try again
huh?
the one which i did earlier .. that you warned me about ?
I warned you not to run any commands with >> $USER or > $USER
Because you wrote to the binary
You'll need to terminate the VM, deploy it again and SSH back in
yah .. as i said earlier it was an unintentional mistake.
alright .. lemme try again now.
perfect .. it worked after termination 👍
@upbeat wren can you tell the room name
Don't delete it
Simply upload a file with the same name
It will replace it
And keep perms
Oh thank you
Question: Is directory-list-2.3-medium.txt ok to be used against the webgramming room enum task ? It's running for a long time but still no 200 status code
Blaster Room - When I RDP'ed into the target machine, the IE is not showing the browser history. I am not able to move forward because of that. Is this an issue which I have to solve or is this a system issue?
I've googled this every which way possible but I think I'm looking for the wrong thing. Is "subcode" an abbreviated or shortened version of a larger term
@kind tree known issue
You can move forward, check write ups for the CVE number
Anyone offering hints for the OWASP Day 4 task?
Complete XXE room
Well, it's specifically about this challenge answer format itself, not the fundamentals.
Refresh, it might be the question that was just updated
Case sensitive
<!ENTITY> is giving wrong too
oh
Any one completed owasp top 10 xxe task today?
Just ask your question...
Room: Cross-Site Scripting - Task 8: Filter Evasion - Question 3: "The word hello is filtered, bypass it." .. I can't seem to figure out how to evade the filter of "Hello", which also is what i need the alert box to say.. :/
Any pointers?
you've tried EVERY method on that cheatsheet? wow
Well no.. I havent tried those that bypass the html tags directly, etc.
I don't know the answer of question 4 in task 14 and task 15> Any one completed owasp top 10 xxe task today?
@sterile robin
I tried the String.fromCharCode ||<img src=x onerror=alert(String.fromCharCode(72,101,108,108,111))>|| .. which gives me "Hello" as an alert.. but there doesn't come any alert afterwards with the answer :/
@sterile robin about Q4 read carefully the Syntax paragraph
both tasks?
You didn't say which Q in Task 15
Q4 too
oh I meant 17 sorry
Indeed.... No Q4 on task 15....
I know the answer but I can't seem to put it in there answer form
You know the username, since you answered Q3, so do you know where ssh files are located?
What have you tried putting in?
read SYSTEM /home/falcon/. ssh/id_rsa
Typo
im going through the rooms i have joined and i got 1 left on the c4pture th3 flag
11FE61CE0639AC2A1E815D62D7DEEC53
Whats an "shh" key 😮
@torn pine So it's looking for a certain payload, that's the issue
shh I don’t think they noticed their typo 
Anyone that could help me?
@stuck fractal I guess i've got to try some other stuff then 
Anyone that could help me?
@desert charm Try some rainbow tables in ophcrack if that's ||NT or NTLM||
@sterile robin it seems that there's ** I can't figure out what I can write in it
Refresh your page and try again
Yep It works now..
Yeah they refreshed the room haha
well.. what about Q4 in task 14?
Uhhh what room
OK.. let me see
"Above the line [..]"
@stuck fractal This payload is killing me! Does the word "Hello" HAVE to be in it? Cause i've tried HTML entities and CharCodes, which both gives "Hello" in the alert, but the box clearly doesn't accept this.. :/
It's been posted
Great, thx.. i'll leave the room open then, and return to it soon(tm)
yeah i could not finish that box also and I found atleast 3 ways to print hello in an alert
anyone complete "ZTH: Obscure Web Vulns" room, stuck on a question for csrf part (Task 9).
Does anyone have a hint for today's OWASP challenge question 5? I've completed the rest but haven't been able to get it to pass back the credentials. (Solved it) I forgot about the Owasp site.
nc <ip> <port>
@tardy geyser whats up
Maybe try some rainbow tables.
@stuck fractal Mkay - i spent the last day learning how to crack an LM hash with a rainbow table. Now that i've done that; I'm stuck on the availability of Downloadable rainbow tables which support 25+ characters
I know what the value of my flag is because i cheated & googled it. BUT how do i crack an NTLM hash with a passphrase 25 chars long?
Honestly, doesn't sound very feasible
Right?! i don't even know the theoretical size of a tableset that big - but i bet it's larger than my NAS
i was exploring generating my own with conveniently selected characters and punctuation.. but my CPU is so piddly. it could take months
@wheat copper which room are you working on?
https://tryhackme.com/room/ctf100 stage 6 flag79 I'm trying to crack hey_listen. I converted to a zip file, got the hash with zip2john, but the password is not in rockyou.txt
I confirmed that my syntax is correct, and the writeup for the one where we gotta crack molly's password says that it's like 900k lines far ahead in the original rockyou.txt =_= dafuq
I did solve that one
It's on Dark's list of things to fix
Umm okay, so I'll just copy that flag for now.
@white salmon Flag 79 is not a bruteforce exercise.
@stuck fractal And what about the ssh one? Is that far ahead too?
Alright, so I'm going through this then
The fix will just be copying over the VM, or copying and changing the background image back
Processed 3k+ passes... o_O
@hexed crescent can you give me a hint on how to get it?
Search for a hidden file that has the encrypted Vim file password. @white salmon
ok thank you
@stuck fractal
Over 7k passes and it still hasn't found it.
Shall I just copy and paste the other flag too? e.e
Do what you want
That sounds cold v_v
It was trying with the correct credentials and the IP, so my syntax had to be right.
I've solved it before and I just wrote the command again to make sure I'm not forgetting hydra's syntax, but it's taking forever and I can't launch the next box until I finish this one, can I? o.o
You can have up to three boxes running.
@real storm Terminate the box
@white salmon subscribers can
stuck on question 14 under nmap room
What if I want to run all scripts out of the vulnerability category
got it nevermind
any hint for blog room
What Task? (Give the number!)
What question? (Number, maybe also basic details)
What have you tried?
What happened?
What didn't happen?
What did you expect to happen?
A picture paints a thousand words. Don't type a thousand words. Screenshots are awesome. Photos of your screen are not.
(If you want to paint a picture, we'll be impressed but a screenshot is really better)
Hey, need some help with ZTH room, Task 22 Q1 (XXE Challenge).
The question is "How many users are on the system?"
I was able to complete Q2 which was to read the /etc/passwd and got the username. but i can't for the life of me understand question 1... does it mean registered users? do i need to run an sql query? if so i am unable to use expect://id , any idea how to answer it?
Also, there's been a lot of people who need help with the Blog room. If you search in this room, you might find a lot of hints already.
@white salmon will search
For sure! If you don't find a hint corresponding with your issue, then feel free to ask.
@ionic verge Registered users are often at the bottom of /etc/passwd. Try comparing your linux machine vs their machine and see if you can tell what users are "system users", which aren't the users that people normally use.
@ionic verge damnnnnn never mind. just figured it out. its asking about the users in the /etc/passwd 🤦♂️
Yeah, /etc/passwd is a file containing all users on a Linux machine.
i was thinking about users registered in the db or something, because i saw there is a mysql user
😆
thanks @white salmon
np
i looked through the past messages and seem to find that i have to brute. I had been bruting the two usernames. Didn't find anything
Are you sure your bruteforce parameters are correct? Maybe try using a different bruteforce program?
i am using wpscan
Bruteforce-able passwords on THM's machines are often aimed to be achievable in 5-15 minutes. If you don't get a hit after that, then that usually means the user is not brute forceable.
is there some script on the machine that will read the posts on blog
can someone please point me towards a correct direction in the blog room. I have two usernames and found some posts which are not visible on homepage though p parameter in url.
what can you do with the usernames?
Already told you that if one user's account takes more than 5-15 minutes to brute force, then maybe it's not possible to brute force that one user's account.
But, you have two users right?
for the learn linux bonus privesc thing do we have to exploit the suid function of the shiba files
Possibly, if it has a suidbit. But there's an easier way, you just need to look around a bit.
Maybe try looking at things from a different perspective :)

(that's a hint btw)
yeah I sussed out all the files for the different users but can't find anything interesting
Maybe it's not files you need to be checking, what else can you check really easily as a user to see if you can escalate things?
maybe you can get -lucky
room Lord of Root: how do i know the sequence of port knocking...? or how to open some port?
emm, i surely didnt do this one
@indigo ridge
but if you have a set of numbers
i normally run them against a permutation script to get all the possible sets
i use this guys here
```python
#!/usr/bin/python3
# print every possible ordering of the port numbers given on the command line
from itertools import permutations
import sys

ports_list = sys.argv[1:]
for perm in permutations(ports_list):
    # one candidate knock sequence per line, space separated
    print(" ".join(perm))
```
```
python3 permutation.py 444 333 555
444 333 555
444 555 333
333 444 555
333 555 444
555 444 333
555 333 444
```
thanks for this.. but here I don't even have a set
@indigo ridge good luck with that
hey i have a question
last task on the introtoresearch
how would i go about cding into the root dir
as i do not have correct perms
Try searching up linux privilege escalation or linux enumerator
it only has stuff about linux basics
yeyeye
ty
hey @white salmon im still a bit stuck, is there a website you could point me to
Try https://gtfobins.github.io/ or https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
For the second one, you'll have to upload that to the machine, then run the script
Try looking up the scp command
What do you need help with?
i can't figure out value of var_8h
i read instructions again and again but still not getting anything
did you follow the steps it showed for if1?
yes
can you tell us what youve done in terms of setting breakpoints and inspecting the variables?
Take a screenshot please.
we know the commands, we want to know exactly where youre doing these things 😄
where you set the breakpoint, etc
popq
yaa wait
See if you can take a screenshot of how you're trying to check the var_8h register.
and what breakpoints you've placed in @main
yea listen to him^
he knows what hes talking about
oof screenshot not phone picture plz
that hurts my eyes and my jowls
no, ask here, this is the purpose of the channel
Don't worry, I can see plenty enough from your screenshots.
thanks
Are you trying to check var_8h or var_4h, because your screenshot shows you displaying the variable for var_4h
@ rbp-0x4 is var_4h
Oops sorry
i squinted really hard
But i still don't understand 😕
The question is asking you for var_8h, so try checking that value instead.
0x8
Yes, and the value will usually be at first address at the first byte.
Can i ping u Directly?
Try reading through the task again, the answer is pretty much given to you, it's just stored in a variable and you have to display it
Make sure your break point is before the popq so you get the right answer
That's not the right answer- you haven't gone through the program so the variable is still the initial value set.
Put a db at 0x560af5f9e637 and check again after reaching there.
Probably i missed something, that's why i can't get the right answer.
that too pls
You still haven't placed a breakpoint
@oblique cliff No, he's still looking at it before the final value
the task wants the final value that it gets set to
@white salmon no he's not, nothing happens to the value after he sets his breakpoint
yes
oh
you need to convert it to decimal when submitting the answer
at both place hex values are same
the only thing that happens after that breakpoint is he writes to the eax, pops a value and returns the value
no changes are made to the variables
yeah sorry @oblique cliff is correct
Yup
that's the correct answer- but you just need to convert it from hexadecimal
Finally i solved it
need hint on mrrobot room for second flag or to get into the box, i found ||fsociety.dict|| which looks rabbit hole, any clues ??
what are dictionaries usually used for?
@oblique cliff i was doing it, looks like my connection is slow.
so i gave up. thanks, i try again.
on ||elliot|| username i guess ?
dont know, but you can find out
wpscan got nothing... ok i look for it.
what is the error message on the login page when you try to log in
||wordpress|| login right ?
yes
ERROR: The password you entered for the username ||elliot|| is incorrect. Lost your password? which means user is present.
🙂
Hey people, i'm on the blue room, but i can get through, i did everything until the command exploit, when i use it, i get lots of stuff, but it fails. Is there anything to change for it to work?
@slow tree show your options, update your metasploit
can you screenshot the options menu
options
if you dont have an updated metasploit
windows/x64/meterpreter/reverse_tcp
windows/meterpreter/reverse_tcp
windows/shell/reverse_tcp
If one of these do not work, we will be glad to help assist further
Metasploit looks updated correctly
wrong lhost
I can see the issue from the first screenshot
^^
needs to be tun0
For those playing along at home, look for the line with Started reverse PAYLOAD TYPE handler on LHOST:LPORT
pin^?
oh, thanks 🙂
I don't think it's worth a pin as it's something for people who help to learn
Also, it's a pretty situational issue

should i change LPORT too?
no
oh, it worked, failed twice, but now i got a win, thank you 🙂
only need to change the lport if the one you have chosen is being used by something else 🙂
That’s EB for you
but in that case youll get an error saying that port is being used
I'm doing the blog room and currently have a meterpreter shell to the box. Am I supposed to upgrade the privilege's of the current w***-**** shell or use this access to find something I need to get in a different way?
Have you tried enumerating the machine?
I did a nmap scan.
Since you have access to the shell, you can enumerate a machine further from there for possible privesc opportunities.
ok thanks, let me try that a bit more
hey i have a question
Maybe lead with the question rather than stating that you have a question
There's another good reason
?
If you'd asked the question rather than stating you have a question, it might help someone else in the future
I'm trying to get one of those privilege scripts uploaded and am having trouble. I did paste the whole script into vim but the escape key isn't working. I also tried upload through meterpreter but got the error operation failed.
Look into some other methods
if u press escape then :
There's hundreds of ways to get files onto a system
Did you actually read their message?
I know how vim works 🙂
i meant press colon after trying to press enter
the same thing happened to me
nice 🙂
btw im having a ton of trouble with
Now we're inside tmp, let's create an imitation executable. The format for what we want to do is:
echo "[whatever command we want to run]" > [name of the executable we're imitating]
What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating
apparently its not echo ~/bin/bash > ls
First that path to bash is very wrong
Second the room answer expects the echo statement to be in quotes
(You think wrong then)
Waiting
im sry
I mean arguments for the echo command
i didnt realise
No sorry necessary
My recommendation is stepping back for a minute and re-reading the info
Whenever you get stuck on a walkthrough
fe
Iron?
fair enough lmao
btw the hint was
The command is actually just the path to the bash executable "/bin/bash".
Look what you put and look at the hint
Why would you be redirecting the output into ls?
Do single quotes instead
nah this works
Don't post answers
Answers/flags directly bad
yeye
We're not sure what room, task, and question you're doing so dunno if it's correct
it does work lol
I'd recommend just plain not doing it
brute-forcing mrrobot || wordpress|| credentials user ||elliot|| passwordlist ||fsociety.dict|| from last 30 mins. looks like a wrong direction.
@keen willow not wrong direction, did you look in that dictionary at all
did you notice anything in that dictionary?
anything about the values that could possibly help shorten the list? @keen willow
How can we specify XML version and encoding in XML document?
in owasp top10 has anyone done this question
@tribal ginkgo I'm pretty sure that's already listed in the xml section.
@oblique cliff just figured that out. thanks mate.
how do you find what port the web server is running on?
Have you googled that question?
got it
@proven pier try nmap
i am using nmap
yes it says windows
@proven pier wat
but that doesn't fit the format of the question
the question i need help with is from vulniversity task 2 reconnaissance question 7
look at all the output then and see if any of it fits the format of the question
That question doesn't ask you for the OS
Why are you saying it tells you it's Windows?
Windows isn't a port
In mr robot I’ve found || found a dictionary and found a username but it takes forever to Brute-Force the password for wp login || can someone confirm that ?
In dogcat room I got || ../html/dogs../flag || payload working basically can include file any hint on extension bypass? I tried || ../html/dogs../../../../../../etc/passwd%00|| also tried || ../html/dogs../../../../../../etc/passwd../..\.\..\ [repeated many times]|| and other variant of this payload.
@mild eagle Think about ways to reduce that time
@stuck fractal because u asked me if i google the question
Windows is not an answer to any question you've asked or I've asked
Might want to try again
@mild eagle Are you sure you have the right username?
I guess optimize the wordlist or wait until it gets a hit
Should take anywhere between 5-15 minutes depending on network speeds
@stuck fractal then could you clarify because you're confusing me
@proven pier What are you doing? What did you find on google? Have you learned how to use nmap?
https://tryhackme.com/room/rpnmap do this first
@mild eagle The password can also be obtained if you have watched the show and know Elliot's philosophy: if you watch people closely, their password is like a neon sign 😆
@stuck fractal yes i did
@stuck fractal the only thing is nothing fits the format of what I'm looking for
@white salmon ||wpscan is much faster in bruteforcing wordpress|| compared to hydra
Then you're doing something horrifyingly wrong. What are you doing? What did you find on google?
What Room? (Link, Room title, room code from URL)
What Task? (Give the number!)
What question? (Number, maybe also basic details)
What have you tried?
What happened?
What didn't happen?
What did you expect to happen?
A picture paints a thousand words. Don't type a thousand words. Screenshots are awesome. Photos of your screen are not.
(If you want to paint a picture, we'll be impressed but a screenshot is really better)
@stuck fractal https://tryhackme.com/room/vulnversity [Task 2] Reconnaissance,
#7
What port is the web server running on?
i tried
@stuck fractal somebody pin it
@keen willow It is, but the questions are more tailored to the help chat
@proven pier You tried. What did you try?!?!
We can't help you if we don't know what you're doing
If you want help, you have to engage
It's a two way system, we need enough information to be able to help you. Help us to help you
nmap -Sv (ip), nmap -sC, nmap --script-trace, nmap -A -sC -sV
Ok, so?
What didn't happen?
What did you expect to happen?
A picture paints a thousand words. Don't type a thousand words. Screenshots are awesome. Photos of your screen are not.
what happened is the names of 6 ports came up:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
what did not happen: it didn't tell me the port the web server is running on
yes it does
Do some research
Look at your results
Learning how to use a tool includes learning how to read the results
@stuck fractal thank you for your help, I gtg. I'm sorry if I sounded arrogant. I'm gonna take a look back at the room and make sure I can read the results when I try the next time. Thank you again and again, and I apologise. Thank you for the clue.
no worries pal you are always welcome. come back with more knowledge and doubts.
@white salmon looks like wpscan selects potential passwords based on the wordpress password policy and eliminates all others from the password file before starting the attack. can anyone verify that?
There are options
It does to xmlrpc.php
XMLRPC, wp-login are two of them
yeah xmlrpc seems fast
With hydra I tried wp-login page and it was very slow for me
With
am I missing something? "Above the line is called XML prolog and it specifies the XML version and the encoding used in the XML document." --> the above line ---> <?xml version="1.0" encoding="UTF-8"?>
question:
How can we specify XML version and encoding in XML document?
*** ****** is it really not xml version? because it's saying that's wrong, but as far as I can see from the doc it's right?
i'm hanging out here and waiting for the moment of realization that they just typed the answer as part of their question 🍿
There's a line between reading and understanding
true
For the ccpentesting room on Task 4 #14 I ran both big.txt and directorylist-2.3-medium.txt. Should those have found the file or is there a different list?
it's so common that it's in every list i've tried. my guess is you're doing something else wrong with the command you're using
ok good to know
@toxic scarab can I DM you the command I'm using?
sure
If you mark it as a spoiler, you're good to post it here
Or #room-help if you're pretty damn sure you're doing it right. No need for marking as a spoiler there
@stuck fractal Thanks good to know
in the blog room, even though my image is being uploaded, the RCE is still not triggering
any ideas
What exploit are you using @covert basalt ?
CVE-2019-8942
The metasploit module worked for me.
look at the room tags for a hint
i am working with a python script
@dense pike
@toxic scarab they say it's about CVE-2019-8943
i don't see much difference
ooh metasploit worked
also, @covert basalt !rule 1
i am sorry for that
it was midnight for me
Was that all for OWASP Day 5?
There's a machine
guys i'm on the flag part of the learn linux room. is it considered cheating if I googled how to get the flag? (not finding the straight answer, rather only the way to get to the flag).
i tried, and am still trying, to put together the way to get to it from the explanations in the room, but it's a lot, and sort of confusing (but very beneficial) .. but for this job, i might find a better way if i googled it.
I'd say, as long as you actually practice and go through with the write-up, instead of just copy and pasting the answer.
And make sure you understand exactly how the author got that point as well.
was this answer for me ? @white salmon
@valid rune Yeah, it was for you
I honestly use write ups a lot to get a different perspective or alternative methods and solutions.
i wasn't intending to copy and paste the answer at all. what i meant is to look at how to handle this specific situation exactly. (example: every time i try to cd to /root .. what i do is sudo cd /root but it says shiba4 is not in the sudoers file. this incident will be reported)
Sometimes, I don't even actually know the proper tools, and write-ups can help you answer that
so what i am saying is to google how to get to /root in that case.
so you mean the write up would be much easier in this case?
The writeup is specific to the box
gonna try my best with it .. after that i guess i'm gonna come for hints.
With priv esc, it helps a lot to have a checklist/process for your enumeration
yaahh i guess ill have to learn that the hard way 😆
overpass initial ??
can anyone help with the ETC IDOR challenge?
still stuck on the flag on learn linux .. does it have something to do with changing something with the sudoers file ?
You can't, unless you're root
damn .. i'm back to square one 😪
hello again, I'm doing the steel mountain room and I'm following the instructions but I get this error, anyone know what's causing it?
@worthy iris You have downloaded the web page, rather than the script
when you're downloading stuff from github using whatever, use raw.githubsomethingorother URLs
I found the binary and the panel (tried sqli) for Overpass but can't get info for access, can someone help me?
Have you looked at the JS?
@stuck fractal yes, i see an api but the room says we dont need brute force xd
No brute force
@clear cargo you should check, how it works.
Any way to report spoiler in discord ?
I meant to report, so moderators could take action.
im also stuck on overpass. when you say look at js are you talking about ||login.js||?
We don't enforce spoilers as heavily as HTB
The general rule is don't dump answers/flags, and try to keep it to just hints in this channel
@rotund skiff there aren't so many.
I am working on the overpass as well. I am slowly getting there
hello, me again, I've been stuck on this part for super long and I'm out of thoughts so can I get help again?
Steel Mountain room
both if you would kindly
@inland onyx I'd like you to fix this btw
So services have to let Windows know when they've started up properly. 1053 is when the service doesn't do that. You generated an exe payload, so it won't tell Windows because it's not a service
The proper fix is setting the payload to exe-service
The hacky alternative is using the Prepend Migrate payload option to get the payload to migrate before windows can kill the original process
i have user on brainpan 1. trying to privesc for root. based on the enumeration i think that ||winbindd|| is probably what will help me escalate privs. am i going down the right rabbit hole or is there something else that i should be focusing on?
@wanton epoch you doing learn linux room ?
no i'm doing brainpan 1
brainpan no, they're not
i'm doing learn linux and still stuck at the last part which is the flag .. tried almost every thing, read most of the --help and manuals xDD
The last part is really tricky
it is .. this is why i'm super stuck on it .. and i'm pretty sure that the way to do it is super easy that i'm going to feel stupid not knowing it.
So let's walk through your logic so far. What have you looked at? The /root dir can only be accessed by root, so you need to become root.
yes .. and since i get the shiba4 is not on the sudoers list i tried going to the etc/sudoers to play with it a bit.
but again, i can't because i'm not Groot
So, maybe one user on the box is a sudoer?
i think i know that it's noot but trying to figure out how to log in as it
@clear cargo there's no bruteforce on overpass, but look at what the JS does, and specifically what kind of response it's waiting for. Maybe we can guess that
@ripe hedge can i send u a msg?
sure
Well... I've tried pretty much everything I could think about, any hints?
try the k word?
james, I was still stuck, but it turns out I had my listener in the background and so couldn't use the root account when I started the service. I still get the 1053 but I no longer need to use that terminal
I did :c
oops :<
did you check the key terms
Uhm, I found out the answer, thanks x)
no prblm
i'm now stuck on something really stupid
almost figuring out the flag .. just something really dumb.
something i can see .. but can't touch. literally that 😂
how is that? lol
Look for files belong to each user, take a look at ones that seem out of place
i did find something interesting and i believe it could be the answer. i found ||.sudo_as_admin_successful|| in /home/nootnoot/ when i did the command ls -al
i just can't open it.
That file will be empty
is it a clue though ?
Eh, suggests that nootnoot might be a sudoer
i found another file which isn't hidden under the name of ||ll|| on the same directory
Keep looking
but that other file, when i read it, was numbers from 1 to 1000
doesn't seem like something useful .. but i don't know.
Yeah that's not useful
i think i sort of looked everywhere.
You haven't
Look for files belong to each user, take a look at ones that seem out of place
@stuck fractal
Use Find
thanks for the hint .. will do now.
any hints for overpass? I've got the user I'm not sure on the next pivot point.
Do some basic privesc enumeration
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Linux - Privilege Escalation.md here's a resource
do we have to bruteforce the admin page for overpass
no
It's about doing a ||sqli||, right?
@hardy pewter no
Damn 😦
@hardy pewter Read the JS files...
I'ma try root tomorrow on overpass, tired, can't find the way up lol
@green sorrel Don't use that word here
aight sorry
If you don't like the box, #522158404614225920
could i get help on the learn linux room task 18 question 2
@fleet yarrow if you ask a more specific question then sure 🙂
im not sure where im supposed to get the answer from
Find a list of environment variables
@fleet yarrow either do that^ or google how to view the value of an environment variable
Both will work
ok thank you
@stuck fractal the root for overpass is editing the file (||etc||) or there is another way?
@stuck fractal - the prize in the room has been claimed - lots of newbies like me are trying to learn and scratching our heads. a walkthrough would be very helpful in helping us progress. from your comments earlier i only see the main.js but not sure where to go next. Thanks in advance
You're not going to get a walkthrough
It's a challenge box
It's a new challenge box.
It's a brand new room and also yeah, a challenge/event
It's beginner/intermediate. It really shouldn't be your first THM challenge
(overpass is separate)
10-4
yes i got redirected from owasp10 - which is quite easy - but then this one is a different level for my experience
I plan to release the writeups for overpass a week after release. You can wait for then, or ask for a hint in a slightly different way
Remember. Challenge.
Have you done some basic web enumeration?
Looking for hidden directories, things like that.
Go from there.
thanks for the prompt replies @stuck fractal - i totally understand. yes i ran dirb and nmap but didn't come across much useful. the admin page etc but no BF
It's one of the top 10 vulns that's been covered so far
So i am doing day3 again and.... whats a subcode?
So its like whoever gets it first?
You can no longer get the subscription code from day 3, but you can for overpass
Really?!!!
You had to email the address on the homepage for Day 3
The subscription code for overpass is redeemed
But it's still on the box
Day 3, it was never on the box
Yeah i just landed on the page with the hint for day3
You can no longer obtain the code
All good. Thanks for the info 😀
I found the api which does stuff... but is not doing anything with the parameter I am supplying in day5 . Is that a rabbit hole?
why is the http of room overpass so slow.. a directory like aboutus is taking so long to open..?
gobuster is also not working...
is this only for me?
hey guys im at the linux room at task 43 - the true ending and i just need to get into the /root/root directory and to do that i gotta have sudo permissions but unfortunately none of the shiba users has it 😭 what can i do?
You checked all the shiba users, which is the right step for sure.
Try checking all users ;)
found the flag 🙂 tnx!
No problem, glad it worked out!
can i pm you on overpass? @green sorrel i have the ||api|| but have no idea what i should do next
sure
@white salmon nope it's not, you just have to see something else too.
hey guys, are there any rooms that deal with stuff such as secret.txt?
@worthy iris you mean CTFs
?
i meant, like how would i know what to do with it
tell us what room it is, what you were doing in there, what you were expecting ?
i haven't reached a room like that, I'm just playing around with a vulnerable machine I downloaded and found it - so I wanted to know if theres a walkthrough that has something similar so I can learn off it
That's usually what you have to figure out
Half the battle is knowing what to do with information that you find
secret.txt is quite a general term, and basically a hint to achieve your task. maybe a hashed secret, which you may have to crack.
yeah I figured, I'll keep looking around thanks lads
Can I PM you @keen willow for OverPass. I got some idea for the js but seems like not working haha
@eternal wadi sure
Room = Networking
Question = 10
||A third predominant address type is typically reserved for the router, what is the name of this address type?||
Source =http://www.highteck.net/EN/Network/Addressing_the_Network-IPv4.html
I have googled everything I can think of. the only thing I can find is the above source but I still seem to not be able to find the answer. if someone could give me a hint or point me in the right direction it would be very helpful
@quiet yarrow A very big hint is, think of your own home router.
