#room-hints
@wanton epoch there are 2 privesc methods on that box (that I know of)
One is mentioned in a CVE in the room tags (I think?)
Yes there are two
The other can be found by using some enumeration tools
Congrats on rank up btw
I miss the yellow tho
Haha
There isn’t a CVE in the tags
But google some windows priv esc checking tools and see if you can find any
Or enumeration tools as Bob said
If you’re still stuck @ me and I’ll see if I can give a few suggestions :3
okay thanks!
yeah no CVE in the tags
im just trying to formulate a methodology for windows privesc as that's what bites me the most
Maybe knowing the ||OS version || will help you :0
i see
Is retro the one that’s supposed to have something in the history?
Cuz if so just look at Blaster tags and that CVE is what would’ve been in the history
If not ignore that ^
🤦‍♂️ i didnt even bother opening up chrome on the box
that would've solved a lot of things!
🙂
i can't find the documentation of the pensive notes app in owasp top 10 task 20
any hint
Anyone tell me where we find traitor password in biohazard room i got root access and i find all the flags only that one is left plz help i didn't able to find it
any hints on the overpass priv esc part!?! I have tried nothing and I am out of ideas!!
Check the room tags
Try some privesc enumeration scripts
Thanks, I will have a look
@trim haven for the exploit in retro, when i click the link, i'm unable to select a browse to open it up for priv esc. i saw how to execute the payload but not getting the same results
Is it the one where you can still view the certificate page?
I mean
Where you have to*
yeah
i cant even choose a browser to open it with
yup
tried setting defaults and all but no dice
@trim haven yes i am able to open my python served webpage
thats intended
oo
extra hurdle for you
heh
Thanks bob 
So, in the overpass I am guessing it is something to do with the buildscript.sh, but I cannot edit that file as it is in a folder I don't have access to
Something wrong with OWASP XXS reflective... Shows Cannot GET /reflective
Yes it's a typo in the room
It's been addressed
@odd idol Run some privesc scripts. Work out what you can control.
james I’m getting quicker now I just need to add context to my rambles
The bug is fixed if you refresh
Try things
Mark stuff as spoilers
You are expected to actually try things yourself before you ask for help
||what is approx time for job...||
@stuck fractal
in overpass..cron
Where i can find the writeups of vulnversity
Now its some other error TypeError: Cannot read property 'includes' of undefined
@indigo ridge You can answer that question yourself. Try harder.
It's incredibly easy to answer that question yourself
Thanks @trim haven
@stuck fractal btw that .. authentication thing was pretty easy.. I was just overlooking things.. Thanks
Best resources to learn hacking
Wrong channel @ancient cypress
i helped myself with source code of js
@stuck fractal i joined this discord today
Ok
This channel is for hints for rooms
Or #?
Not general questions
Please read the channel titles and topics, and use the correct channel
Okay
Having some I'm assuming syntax issues with XXE. on the "OWASP TOP 10 " I'm trying to navigate and view directories.. but doesn't seem like|| !ENTITY read SYSTEM 'file:////etc/passwd'|| lets me view directories ... any hints on RCE? iv tried ||expect://|| for PHP module but nada.
one of the questions is ... where is the ssh key located.. how might I solve that one without viewing directories?
@stuck fractal
What is shell in linux terminal?
wooohoooooooooo
@stuck fractal figured it out thanks.. I didn't realize it just wanted the default path... over thought that one...
@oblique cliff @trim haven so i managed to get root with another CVE exploit for retro. curious to know, is it still possible to get root with the CVE that was part of the history?
That’s awesome :3
I’m pretty sure it is but I haven’t tried tbh
@winter plover Read the tasks, and you find out
@wanton epoch yes, but its buggy so its not worth it imo
Task said.. "where is falcon's SSH Key located? ... I can place an SSH key anywhere.. was a poor question... but looking "/" it was obvious where... @stuck fractal
then that should be the question....
Any hints on how to bypass that login page in Overpass please ?
I recommend trying to work out how the login works @limber iron
Trust yourself
I'm out of leads to be honest
No shame in moving on
Can i dm you ?
I won't spoil my box
no you maynt
Seems like the OWASP XSS challenge has an issue with the /reflected endpoint. It's throwing a server error.
Just register and you'll have options for reflective and stored xss
That's how i fixed at least
Oh word! Thanks! : )
try this [BOX IP]/reflected?keyword=Term%20from%20URL...
for some reason just the path errors out but adding the keyword param moves it along
no no no
Hey there, little question, for owasp-10-days day6 shall we use a proxy (zap or burp) or is not necessary?
@woeful viper
it's easier than you think
do a research on a famous code-sharing website
OWASP Day 7 i can get the ip to come up in a pop up but i dont know what i should be seeing in the way of an answer?
OWASPtop10 Day7 - Task 21 (XSS) - #4 "see if you can insert some of your own HTML"... I have inserted a new list, a new div, even a basic marquee html tag, but still no flags. what am I missing? 😄
@heavy sky The hint is pretty good actually, look at other methods of ||window.location||
Seems that room is a bit buggy right now, but people have been able to clear it. I'd read the hint and make sure you're not hard coding the response it wants, then see if there are any other ways to get that XSS to appear
@oblique cliff ah okay. thanks for that!
yea no problem
Thanks for the help on the Day 6 OWASP challenge. I was looking everywhere in the source code for Pensive but I didnt think to search where it was pointed out. I'll keep that in mind.
@hazy finch Thank you so much!
Day 7 is so cool I have all month been wanting to learn this and you guys just pop it out!! love it, thanks
I tried to use a trick from a previous lesson I am signed in as admin (not sure if admin or just bogus login) it does say || You are currently signed in as admin. ||
that was boss, Quite like the XSS stuff
I solved all the challenges in day 7 but in last one I was able to change the title to "I am a hacker" but didn't know what to write for the answer..
Which title did you change?
The HTML one, or the document title?
Needs to be the HTML one
Then it will give you the flag on the page
the XSS playground
That doesn't answer my question
You need to change the one on the page, not the title of the document/tab
I changed the one in the page of course
I tried getElementById and it worked and then the hint also worked but didn't know the answer
Nope no flag
OK let me try the query selector again
finally It showed this time but in this time I actually went to the main page and then returned back to sorted page..
Just rooted overpass, learned a lot from this one! That priv esc was really cool. Thanks for the box @stuck fractal
yep, Overpass was fun. I had to remind myself it was an easy box several times to stop overthinking things.
can someone give me a hint for day six on owasp top 10
Specify what you’re stuck on
the hint their says to view the source code, so i am viewing all the javascript files and i cant seem to find any documentation or any kind of default password and username
@spring void That's not the source code
That's clientside stuff
Authentication should never happen clientside
So you're looking at the wrong code
use your OSINT skills
in the linux room on task 21 for getting shiba3's password, i dont know what to start with or what to do
It's telling you what the binary is doing
You need to make that check pass
Then you get the password
ok thank you
but if i were to do say
export test1234=$USER
and then do
./shiba2
i get a permission denied from shiba3
how do i go about doing that?
gotcha
so im assuming i have to like search for pensive notes and stuff then find the actual source code somewhere but i cant find anything on pensive notes anywhere
Try harder
it's out there
Try a popular website used to share source code for open source projects
Instead of saying that. Why don't you try it?
Try Harder.
So for today’s xss challenge for Owasp 10, it was asked to add your own HTML to the page. I thought you would script a document write for any old HTML element but not getting a flag. Advice?
I’ll give it a shot @stuck fractal . Thanks!
On Overpass, got foothold, run enum script, highlighted a ||cronjob|| can't work out where the file is saved to edit it. tried locate and find, no luck if anyone can point me in right direction. or my alternate thought is replace what is calling this file instead?
Hey all, I am trying to do the **Source** box. May someone please provide a hint of how I would run a dir scan on a site that is using a SSL cert(https). In addition, a site that is not using the traditional port of 80. Thank you.
Thank you @stuck fractal ! Is the scan supposed to run like this?
Probably not
@unborn thicket keep enumerating. You won't be able to manipulate the PATH for cron.
Got the flag @stuck fractal. Thanks for the tip. 
how do we inject payload on a website ?
Room?
Vulnversity
Follow the walkthrough.
If you're still struggling, ask a more specific question that someone can actually help you with
ok
I recommend doing a ||gobuster or dirbuster scan||
Working on the Basic Pentesting room, stuck on Task 5. The hint says to enumerate the users with SMB.
Enum4Linux and SMBclient are throwing errors back.
||Used smbclient -L [IP] -m SMB2||
||Errors out with: SMB1 disabled -- no workgroup available||
Any idea if it's an issue with my machine?
hi everyone , im stuck on Task 10 question 2 burp suite , i not found header with name 'Set Cookie' on http history in proxytab
😦 Can anyone suggest to me which part of the site is located?
got no idea what to do after getting the comment in owasp top 10 day6:security misconfiguration...any help please so that i can google what can be done and how to do
Okay so
You’re looking for a username and password
You have the name of the website right?
i made it upto the souce code with comment yeah i've got the name of the website
*source
Okay so typing || pensive notes || into google doesn’t really show you what you’re looking for
But
If I helped refine your search, what if I said to look for ||repositories||
yeah gone through one of the repository as mentioned in the comment in the cookie found afterwards
||MIT|| one
So you found a repo?
yes
but got no idea what to do afterwards i made it up to the repo need some resource to study what can i do just suggest me
You will find some interesting info in the README of the correct repo @white salmon
thank you 
^ or it does show on the main page
Dont feel like that
Have you found your answer
Who’s the owner of the repo
||carhartl||
@white salmon scroll up.. there are plenty of hints..
@indigo ridge would do that thank you
use ctrl+f
Try searching pensivenotes, without a space
has the default creds for pensive notes changed? I found the repo but it times out each time i try the creds. ive restarted the machine three times
nvm had to enable javascript
Hey guys, I'm sure I'm missing something.
I'm doing the eternal blue room, when I try and perform the metasploit exploit I constantly get a fail after setting the rhosts value.
Gets stuck at triggering free of corrupted buffer.
What have I missed (the room hasn't said to do anything else)
@noble tinsel stucked at the same situation but now completed try googling harder
@slate swift
Grabbing it now, even tried rebooting/expiring the VM and getting it again with dif IP.
Screenshot incoming
wrong image, hang tight
oh, so its just not picked it up correctly?
Basically it needs to return to you
But if you give it the wrong IP it’s not returning to you
The THM network can’t connect to your local host
It has to connect to your public VPN IP
yeah i get that
confused why it did prompt for it or anything, just decided to use the internal address.
Because it doesn’t know you’re using a VPN
It just thinks that you're using your local one
hmm, still failing
Is your metasploit updated
What’s your payload set to
Oh uhhh is the machine booted correctly
Wait 5 or so minutes and try again
payload is the default one it picks, but also manually set it to windows/x64/meterpreter/reverse_tcp
it says fail
That’s most likely because the machine hasn’t had enough time to boot yet
Screenshots would help so I can see what you’re seeing :3
yeah, ill grab them shortly. the machine has been up for 40 mins :S
You might have to restart it
okay, ill reboot and advise.
@ me if it continues I’m currently out so I’m gonna lock my phone
Thanks
@trim haven
Also made sure i ran msfconsole with sudo.
new machine, been up for 20 mins.
Show me your options again
100% that’s your VPN IP?
yeah
And you’ve updated your metasploit right?
i can try, it was fresh setup etc just the other day.
Just see if it will update other than that the only idea I have is that it’s your VPN config file
Yeah try shutting down metasploit then regenerate your config file
Also check the pins in #room-help there’s payloads, it’s outdated but they might work
Sorry this is as far as my knowledge goes
thats cool, thanks.
Im sure its metasploit at fault.
reading about this error, its super super common.
ended up doing this and it worked: https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/issues/22#issuecomment-503981477
You should always google before coming here ;)
i had googled a bit, people went through manually setting payloads and other things, i sort of figured if it needed any of that the room would advise.
Guess ill have to just play around more. hahaha
Hello everyone,
I have been stuck on the privilege escalation part of the overpass room can anyone give me any hint about how to get root?
I cannot get a foothold in room overpass. Can I get a hint please 🙂
I really do no want to bruteforce it 😦
@astral cedar it's given in the hint that do not brute force.
what about after finding the ||username|| ||at source code||
11k tries I think same thing
Dm me with all the info you got on the room.
Hey can somebody please help me on the sublist3r room
I have answered all questions except
Development sites are often vulnerable to information disclosure or full-blown attacks. Two developer sites are exposed, which one is associated directly with web development?
I have been through the list of sub domains and have found dev, backend, app
but not sure what the correct answer is
You're on the right lines with dev.
ty
Maybe think about dev and a hyphen.
can someone help me with the shell script link that can get all the information about the machine? i remember using it but i forgot now 😦
linenum?
all?
i mean all the cheat codes like these
is linenum safe to run on a client machine for testing purposes?
I'm assuming you're running linenum to try and find a privesc path to take?
@jolly folio yes is that safe?
Yeah
You could check out https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/ as well
LinPEAS/WinPEAS seems to be pretty popular these days
Okay thanks a lot @jolly folio
@dense pike look here https://offensivenoob.blogspot.com/2020/07/thm-blog-billy-joel-made-wordpress-blog.html
Who is the admin for owasp challenge, day 7
What you want to ask? @marble kiln
I just completed day 7 but first link i.e, reflected one is broken
I have to first go to stored link and from there I go to reflection link😅
If you think that's a bug submit that in #site-bugs
Okay dude
Overpass = rooted ✅
Sometimes, it's so obvious that you miss it at first, overpass was funny ahah
yes
but seems that the room have problems
i bypassed the login page yesterday and the same technique won't work today
@hollow gazelle you are Strange270 from THM?
Thanks
@marble kiln same with me
@rancid crystal yes. why?
@hollow gazelle aah was just wondering.. i'm also from Pakistan
any one understand day7 question?
I could do it, but my answer didn't pass when I submit it
OWASP 10 room
do what?
craft a reflected XSS payload that will cause a popup... I answer using <..> alert(...) </..> but it says incorrect answer
which question are you stuck at?
yes
Because when you close the alert you created it should give you the flag on a second alert
did I do right?
if yes, how should I answer the question?
I got 2nd alert
but forgot to note it down
ah, 2nd pop up is the answer, I got it
That one was an issue to me
But after restarting the machine and performing a simple header it worked
Thanks Jabba, I reset machine and it works now
:)
Can I get a hint on overpass? I didn't get in at all yet.
hi friend need help with ssh login in advant of cyber 4 mission it write permission denied /(publickey
What ssh command are you using? @limber urchin
Because you are using a password so I don't think you should be getting that error.
Try restarting the machine.
https://tryhackme.com/room/zthlinux help last task 43 how could i get permission for /root/root.txt?
@ashen tangle There's actually a writeup for that.
when people come to hints it’s because they want to see if they can do it without writeups

guys can anyone help me with the room overpass ??
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
room: overthepass task 1 ||found port 80 and ran gobuster found /admin ran sqlmap did not work and tried to bruteforce with rockyou.txt did not work either, also found out the server is running off of golang so tried if i can pull an lfi no luck and i cant think of any other way|| any hint how to proceed
and iam using kali 😐 someone help me
@random thunder add python3 -m before it
🤭 okay.
you need to go where the package is installed and run that command in the package's folder
can someone help with the hydra room i have no clue what im doing wrong
What have you tried?
hydra -l molly -P rockyou.txt 10.10.51.234 http-form-post "/:username=^USER^&password=^PASS^:F=incorrect" -V -I
then the same but change all the usernames to anything i can think
and whats happening when you do that
you are on a right path, just specify the directory which you have to bruteforce after http-form-post
the /login part?
yes!
you are ssh'ied into it right?
nah i got the login from hydra but ssh isnt liking it
The SSH and web passwords are different
im just typing ssh 10.10.51.234 in the terminal
ye i did the ssh hydra and got a separate password
im in now
So you should have noticed it said your username
still have no clue how to get this flag tho
check for the directories and files, usually flags are in files with .txt extensions
I mean
There's better ways
https://tryhackme.com/room/zthlinux Take some time to learn the linux command line
Can we extract information with steghide without password?
@random thunder Room, task, question.
https://tryhackme.com/room/ccstego - task 7 - q1
there is a stegbruteforce tool but I've never seen any problem requiring to bruteforce steg. Its called stegcracker if you wanna try it
If it doesn't have a password, it will still ask
ye , happened to me on the sub code challenge ://
@white salmon link for the tool please.
is the xss room broken?
@random thunder First one ^^^ but see what james said , it is possible there is nothing in the file and this tool will run forever
i got the first two
but after that the comments section i am unable to get
i tried editing the html
@white salmon Okay.
You shouldn't be using devtools to XSS
I recommend learning what XSS is and how to do it
okay
@stuck fractal okay it was my fault i logged in as username <script>
password </script> 🤦🏻‍♂️🤦🏻‍♂️
@white salmon that tool saved me thanks 😁
@random thunder I'm surprised it did but nice .
why do others have a lot more. i mean a lot lot more.
because now challenge and walkthroughs give different amounts of points per question
Okay.
i took the points too seriously and trying to brute force the password for the final image as well 😂 dumb me
Hi. I have a problem with OWASP top 10 - 24th task
"What is the name of the base-2 formatting that data is sent across a network as?" - its about OSI model??
Have you tried googling "base-2 formatting" yet?
or better yet- look at the picture right above the question
is there a problem with owasp XSS Challenge when i load up the page it says "TypeError: Cannot read property 'includes' of undefined" no box nothing just lines of errors
is there just 2 many people on the box?
That is not how tryhackme rooms work @graceful sun
When you click deploy, that's your own instance
You do not share it
There cannot be too many people on the box, because there can only be one
it told me to go to the page so i did "
Go to http://10.10.189.150/reflected and craft a reflected XSS payload that will cause a popup saying "Hello"."
oh thats right i forgot about that.
i got mixed up with HTB lol thats why i love THM so much you get your own instance. thanks for the help
OWASP TOP 10 Day 8 Task 26 I need to ||convert the cookie value from base64|| for the q#1 flag right?
never know if you dont try 🙂
anyone know what is meant by this?
Guys I'm not getting the tryhackme VPN id for the day 8 owasp challenge
@cyan lotus It's not that hard
I'm using the in browser Kali linux
@trim haven lol I used duckduckgo and it gave no good answers, but with google it was easy - ty
question is weird tho, you can use any number base as as shorthand for base 2
Eh, there's typically one you use commonly
If your answer is not accepted as correct, it is not correct
If you'd like help, please state the room, task and question
The room is learn linux, the part is manual pages and flags and the question is
How would you output hello without a newline I cant get the question
Check the answer format
Yes, thats the thing I don't get.
owasp room day 8 "Who developed the Tomcat application?" is this in real life or on the box? becuase in real life im seeing something diff
ok thats all i need lol thanks!
👍
hey guys .. after i was stuck on room "learn linux's" last task, i went on to other rooms and did many tasks .. one of them is the "find command" room ... got my knowledge. went back to that dang room again "learn linux" and still stuck ... been stuck on it for 3 days now.
i don't even know what i am supposed to look for
can someone help me i paste the base64 coded payload in encoded payloded
still can't get a reverse shell
Yess @sterile robin let's switch over to #room-help as it sounds like you need more then a hint here 🙂
so it happens with every one?
@valid rune i still can't find anything .. any more hints ?
@valid rune try googling some common linux priv esc
That won't help on this box
You sure? I remember doing it like that
Unless you try the ||LXD privesc|| which is very much not for beginners
In order to get there, there's things you need to find first
The issue is finding those things
i tried looking for files that are out of place in the /home for each user .. opened almost every file .. nothing.
It's not in /home
So that's where you're going wrong RN
Try searching the whole system
add 2>/dev/null at the end of a command to filter out error messages
yaahh i did that .. couldn't seem to find anything. but i'll look again.
that box is super challenging
Hello everyone!
Im at /postexploit room. And i have to find the flag inside Users
but i cant find anything. This is my command ||get-childitem -path C:/Users -include *flag * -recurse||
i also tried with user and txt
So I have now complete EVERYTHING in the Linux Fundamentals except "Linux Challenges -->Task 4 --> #7" "Find flag 26 by searching the all files for a string that begins with 4bceb and is 32 characters long. "
The last command I passed which I was so sure would finally find it was "find / -name *.all | grep -irl "^4bceb""
That of course didnt work. Would someone mind pointing me in the right direction?
So, that command is searching through filenames
I really appreciate all the tips I have received so far but alas I am still stuck
wouldnt grep search the contents though?
the question said searching the all files
at first i thought it must be a typo but i figured why not try file ext .all
i mean i have tried everything else
wouldnt this portion of the command search contents? grep -irl "^4bceb"
it literally searches through EVERY file and just freezes
so theres no solution?
so i had it right the first time when i was searching through the entire file system for the string? But you're saying the system freezing every time is going to keep happening
so how do i get to the flag
Freezes are because it's doing stuff
grep -irl "^4bceb" /bin/
would that work?
doing it on each directory like that?
thats what i'm going to try now
ok so im passing the command through /proc/ and it gets stuck where it always does
/proc/2457/task/2457/clear_refs: Permission denied
freezes right there no matter what i do
ooooofffff i'm super frustrated from this task ... still can find anything yet. searched the whole system. nothing seems out of place.
It belongs to ||shiba2||
Not you.
i did all those before, this the one with greg, alice and bob
oh ok ok
I FOUND IT!!!!!!
@stuck fractal Thank You! Thanks to everyone else too, I just noticed what everyone has been saying
finnaaaaalllyyy finished it !! thanks for the help @stuck fractal
it's a really hard task tbf
it is .. though that file was right in front of me the whole time
and i tried opening it ALOT of times .. but it gives me access denied
You have to be the right user or have the right perms
i didn't i'd have to su to ||shiba2||
yaahh .. that was soo difficult to be honest.
but there is one good thing about it
i got stuck on it for 3 days .. i got to try A LOTT of commands
i got to finish rooms .. and went from not knowing linux .. to be very comfortable with working with linux
still need to get used to when to use the commands though .. but now i can navigate through linux without any problems.
Are you tho
🙂
and here comes task 21 sigh lol
how am i supposed to know the password
like amm im not psychic
it must be a in a file somewhere
evening all stuck at owasp10 reverse shell to find flag.txt. ive used 'find / filename' ' find . filename' cat'd every file and grepped to find anything with flag as maybe a reference in it. nada.advice?
you can also try doing find / | grep "filename"
Can someone help me with understanding this https://tryhackme.com/room/rpwebscanning ~ task 2 ~ #12
thank you. ill try it out
okay im actually stuck on task 21. any hints?
like what am i missing here
im sure im missing something
@wind peak which room?
@random thunder learn linux
You're told what check the binary is going to perform
If that check succeeds, it'll give you the password
If it fails, it won't
So make the condition true, then run the binary
@random thunder @stuck fractal any help with this.
@stuck fractal i tried doing export test1234=$USER and then running shiba2 and nothing
okay
so i'm blaming it on staying up late but this is getting to me..... If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be? webapp_???/login. what set of rules am i failing to understand to not get what the 3 letter word should be?
uid? sid? etc??
Worth a try
its used to denote environment variables
Variables of any kind but ye
yeah this is really kicking my booty
If you'd like help rather than just hints, #room-help and provide screenshots
good lord i figured it out
that was not simple
not for me at least
going to sleep
work in the am
peace out ppl
Congratulations
Please any help me i am stuck at this question ZTH room
Questions is What parameter allows us to generate a poc(actual exploit)
Have you read the help file for the command?
Thank you I get answer
wait a minute apache isnt supposed to have been created by a cooperation ?
What do you mean?
like apache1 was created by a group of developper
It changed from that group to a foundation ig
ig ?
I guess
Boiler ctf any hint where is the interesting file , or whats it extension is I tried ,zip,bak,xml,txt,php
@white salmon is in ||txt extension||
try more
thank you thats helpful I'm about to do something crazy now
what do you do with an id_rsa
I need help for Overpass
@white salmon do you think enumerating with directory-list-2.3-medium.txt will take a lot of time?
I don't understand because the login form is sending data to a non existent page
Ye the auth is broken, now just login somehow
Okay I don't know how to do that I'll check on google
@white salmon most of the useful things are at the top of the file so no, it won't take too long
@upbeat wren look at the hint
Its not that helpful
@white salmon I got some hint that there is something in || _files|| but it has been like 50% and I found nothing there
@white salmon which room?
Ok nvm I got it
Wait
@white salmon Boiler ctf
Gobuster on which folder?
[in Japanese] Kenshiro-san, how are you?
@white salmon on the _file one
@white salmon Does the broken login form has something to do with sessions id ?
@idle flame you are close
like 'gobuster dir -u ip/_file -w directory list..'
@upbeat wren man sorry i don't know japanese, i know only the nick lol
aight ran again
oh lmao
@upbeat wren which room you need help
question 6
*task 7
@white salmon without -x
ohk
I don't think it matters tbh
@upbeat wren i don't have subscription so idk
have you tried googling?
@upbeat wren lol no, i'm just helping, but i'm still bad
u dont seem bad doe
I'm tired of running gobusters on this box
Have you looked at the hint?
for the ignite room, using the vulnerability I get a "import error: no module named requests"
had the module name changed or am I doing sth wrong?
do you have the requests module installed?
dont think i learned how to do it, i'll look into it thanks
cheers buddy literally just installed pip then used it to install requests, thank you
no problem
anyone available to talk about initial stage of "Break Out The Cage" room, i have the decoded pass and the user, but i cant ssh in, thanks in advance.
sure! whats up @white salmon
@oblique cliff sorry to trouble you again, I get the cmdline but there's no output
someone pls i need hint on the ConvertMyVideo room i have the hidden page already but been searching for the username i have no idea wer to look again any hint will help thanks
@sinful plaza no hidden page matters in that room
@worthy iris can you show a screenshot? i dont remember exactly what the exploit does tbh
the exploit screenshot or my terminal?
Hi, I need hint for OWASP top 10 day 8, 1st flag (cookie value)
@worthy iris can you show the code of the script
@worthy iris I'm not sure if it's meant to give you output. Have you tried seeing if you can communicate back to your machine?
@oblique cliff you mean am just wasting my time with the hidden page i have
??
@modern stone it's in the question
i dont remember a hidden page on that room, so i would say yes @sinful plaza
@modern stone decode cookie
maybe theres a vulnerability there i legit dont know
cuz i didnt do it that way
@worthy iris did you read that exploit code closely?
Hmm it is meant to give an output
But as I said
Just see if you can connect back to your machine
@trim haven No, theres an issue with his exploit, it wont give an output as is
@worthy iris did you read the exploit code?
it wont give an output to his commands
thank you
Yeah
@oblique cliff ok thanks
how do u spoiler tag
You should only edit exploits if you are told to ;)
i still dont think itll work, but go ahead and try
|| spoiler ||
jabba if i dont comment out it shows the whole page html
why @trim haven ? you should always read the exploit and try to understand what its doing and change it if necessary
i just didnt really read it proper ^
whats wrong with showing the whole html page?
screen noise
I didn't say you shouldn't read the exploit. I'm saying for most of these rooms they will tell you what you should change
I mean, not for the challenge rooms that don't guide you
Easy challenge rooms, yes
I mean
The creator of the exploits tell you what to change in the easy ctfs
Because as you can see vorcha commented out parts of the exploit which rendered it unusable
I agree partly, I missed the output cos of all the html afterwards, trial and error i guess
thank you for the helps anyhow
Mhm
still stuck on the ConvertMyVideo room pls more hint
@sinful plaza what is your problem
@white salmon am on the ConvertMyVideo room task 2 finding the username i have the dir already
have been stuck since
@sinful plaza open burp and inspect the page
you should get a reverse shell from there
stuck on overpass , any hints?
You'll need to let us know where you're stuck before we can give you a hint
l got api path
https://tryhackme.com/room/introtopython I need hint for the last task please thanks
Room: Splunk
Hi all, I’m slowly going insane, courtesy of Task 2, Q21, the answer that seems obvious, rename, is wrong, can anyone point me in the correct direction? So I can close it out.
It's 16,32,64. Use 3 for loops. @ashen tangle
@icy fog have you downloaded the pdf file?
@white salmon Yes, and I'm getting close to trying every 6 digit entry in it
@white salmon Thank you, you have saved my sanity, and i learned an important lesson about there being different ways to read a question
Hey in gatekeeper room I tried editing the ||exploit with my msfvenom payload with my lport but still it does not work, the box seems vuln to ms 09-050, also tried Metasploit way but that also did not work||
Is this the right path or I need to enumerate more?
do you use id_rsa or id_rsa.pub?
depends what you're doing
hi, can someone give a nudge on xss task8 Q3/4?
been here the whole day, trying to figure out what I'm doing wrong but no success
I get popout but no flag submits at all
You probably didn't do anything wrong at all, just bad room
wow am I supposed to finish then?
It's functional
Check the hints on the webpage
Which room? The OWASP or the XSS room?
gimme one sec and I can figure out what proper payload can cause the flag to appear, but I think ||you can just type the filtered words prior to your payload and it'll bypass the filter||
this room is part of Path Learning (Web Fundamentals)
as per my knowledge, script from Q2 should also work on Q3 as well
@stuck fractal XSS mate
Not your mate.
sorry
@eternal brook has anyone helped you?
sir**
I got the flag for Q3.
it's very simple
I already mentioned how to bypass the filter- once you bypass it, you can literally just put in a very standard XSS payload and it'll trigger the flag.
confused
The filter works in a very specific way, where once it's done its job, then it no longer does anything else and you're free to do as you please.
No not yet...@oblique cliff
I already DMed you exactly how it works actually, I think, so with that information, it should be very easy to craft a XSS payload that triggers the flag
which exploit are you talking about that youre editing?
You don't need to do anything fancy once you've bypassed the filter.
||ms09-050 40280.py||
is this to gain a foothold?
I also just got the flag with the same exact method for Q4.
Nmap script says that 🤔
automated tools arent always right
@oblique cliff yes they can give you false positive
?
hence what i said...
look at all the ports that are open on the machine and what services are running @eternal brook
And I edited that script so many times 😱
I'll enumerate more
Thanks for helping out :)
np
thanks 😄
oh whoops
wrong thing
not sure what they're asking for for#2
idk where they want me to look
this is from basic pentesting
im new to all of this btw
Okay so do you know what nmap is?
not really
okay 😄 thanks
@trim haven wouldnt dirbuster or dirb be better than nmap for locating a hidden directory? 😉
ah... thought he already completed #2.. so it was meant for #3 :p
damn readonly colors 🙂
on owasp day 8, Who developed the Tomcat application? Could somebody point me in the right direction cause for some reason i just cant find the correct answer
It's not really who, more than it is what team
this is making me feel so stupid, wauw
A bigger hint is that, it's asking for a company name.
ok thx , ill give that a go!
turns out i had the correct answer from the get go? but for some reason the asterisks were wrong for the answer? weird
yes, thx again !
Flag 16 lies within another system mount. tried looking into ||/etc/mounts|| but i couldn't find anything .. am i looking in the right place ?
i also looked into ||/etc/mtab|| and still nothing
i don't know if it's the correct path or not but i tried doing ||cat /dev/stderr|| , ||cat /dev/stdin|| , ||cat /dev/stdout|| but it takes a while and nothing happens
...why would you do that?
The Filesystem Hierarchy Standard (FHS) defines the directory structure and directory contents in Linux distributions. It is maintained by the Linux Foundation. The latest version is 3.0, released on 3 June 2015.
because i thought those were the places for the usb's ?
got it ! .. the hierarchy helped so much.
it's something you learn through practice fairly fast
All 4 paths completed. More paths please. 😄
@hexed crescent We're working on it;) Networks next tho
Cool. Looking forward to it.
well there we go im stuck again lol
task 43 linux walkthrough
i tried to like just access /root/root.txt
but its like saying denied lol
so i tried to sudo it no luck there
😢
then i checked the permissions for it and bam
but i dont know the password for that user
😢
gonna go play some videogames and come back when im not so frustrated
I'm working on game zone https://tryhackme.com/room/gamezone and I'm to the part of task 6 - priv. esc - and I have the ssh tunnel but anytime I try any of the exploits, they all fail. I could have the wrong exploit or I have something misconfigured. Cant tell which
atm I have rhosts=localhost lhost:tun0 and the ssh tunnel is: ssh -L 10000:localhost:10000 [user]@[ip]
ssl is disabled
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT      10000            yes       The target port (TCP)
SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT    8080             yes       The local port to listen on.
SSL        false            no        Negotiate SSL/TLS for outgoing connections
SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI  /                yes       Base path to Webmin
URIPATH                     no        The URI to use for this exploit (default is random)
VHOST                       no        HTTP server virtual host
Don't you have to set some creds?
ya ok then I'm using the wrong exploit
I mean I might be misremembering
I just went through all the exploits I had for the service/version and none of them worked
ugh ok I got but.. I am confusion
why can I not execute msf exploit but I could get what I needed in browser
what's the actual name of the service we have to exploit for the new OWASP challenge, all I can find is bootstrap but idk if that's it
I'm stuck on Authenticate-2 room on the JWT Authentication question. I got the JWT token from burp suite, changed it as needed, but the <ip address>:5000 site, when I go to change the cookie value says "No data present for selected host". Any hints/help on this?
I also tried to work the solution found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1467992 which creates a new profile for firefox but it still isn't returning anything
Im stuck at Day 10 of Christmas room. anybody pls help me.
on metasploit it shows exploit complete ,no session created
#room-help show a screenshot of your options
@tropic mountain which payload are you using?
@radiant dew meterpreter/reverse_tcp
linux/
hello, i am trying to solve Blog and i did explore smb and found the txt telling me rabbit hole so i proceed back to port no 80 and enumerated apache version, wordpress version and users but no luck. Can you nudge me in any direction.
i got cve now
can someone help in owasp day 3 how to get free subscription please dm i have solved the room and found second hint please help
Guys i have been stuck on Overpass login.js for the past 2 days .. I know which function (l***n) to focus on but i don't know coding that much and i don't know how to proceed
help please
@cold tulip subscription is already claimed
okay
How do i fix a out of band resource load on my web application?
however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.
i'm getting this problem in todays owasp challenge can anybody help?
@white salmon Well as the script says, you should try change the payload 😄
Look for other ways how can you execute a shell command from php
Ok
@sleek harness Use BurpSuite to login
@crystal glade am confused people say u don't need burp for it. if you may, could u explain the method on how to exploit it , if there is any article that would help i would really appreciate it ..
@white salmon the script works just fine for me
ghdb
hi, its showing TooManyRedirects: Exceeded 30 redirects for me in todays owasp
read the hint carefully its not that hard