#room-hints
So... mostly speaking, within reason, anything goes between you and the practice box, as long as it's a consensual activity between you and that specific IP
You and that VM.
Don't DDoS or DoS the machine
consensual. blah
You're not allowed to DoS machines in KoTH.
Outside KoTH, the only person you're affecting is yourself
Does DDoS mean intent to break / consume excessive resources? Like, for example, enumerating a 1.9M entry list
interesting
@fleet pike You are fine to do whatever if it's your instance that you're attacking
Go crazy with it
I thought it would impact THM servers because of the VPN and the fact that it's still kinda like a stress on AWS
Well, within reason... I imagine 1.9 million attempts at something will take a long time
Again, only person you're affecting is yourself
@fleet pike Usually it's just some kind of coordinated and planned way of using up a server's resources or the network's resources
Thanks... I am running the gauntlet on enumerators for a Windows box right now, and it occurs to me that what this is actually doing will consume a respectable amount of time/bandwidth
You are fine using the majority of enumerators and brute-forcers
Wanted to make sure I didn't wreck my future ability to play 🙂
nah you're fine
Sort of like "Upload 1GB rooms"... 😉 n hrs per week
just don't hack other people, and don't try too hard to break into THM's internal network
yessir
otherwise every machine that you deploy is literally your own playground/sandbox
I crashed the XSS playground machine like 50 times while playing with BOF
I've mostly used either self-hosted boxes, or hosted boxes that have a no-automated-scanning/enumerating rule.
You're free to scan and enumerate and brute force as aggressively as you want
pretend like these are self hosted boxes
you can terminate and redeploy if you wish at will
@white salmon as a note, this will completely reset the box state.
Boxes can be restarted without resetting them, but you kind of have to be on the box already with permissions for that
Anyone trying out Brooklyn99 box?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
I've tried the primary steg but can't get past it. Positive that it is stego because I know I am missing something with the image.
Have you tried stegcracker?
Trying out stegcracker. But why this tool specifically?
@trim haven Thanks for the help! Appreciate it ...
Another key factor is just checking versions; a lot of Microsoft Windows SMB machines are vulnerable to it
@white salmon I'm counting 17 scanners available in Metasploit just for SMB... is it common practice to run each one of them manually, or do you typically use some sort of automation (like this for example: https://kalilinuxtutorials.com/exploitivator-metasploit-scanning-exploitation/)...?
@brave bloom It's different kinds of scanners with alternative methods of getting the version, but generally you'd probably use a more all-encompassing enumerator that can also check for SMB version/exploit. The individual scan scripts are often used in the enumerators themselves, or for other specialized exploits with checks.
Is it possible to have a false-positive answer to a Hydra brute-force request?
Nevermind, I attacked the wrong port but still got a password
I guess it's a stonks
Hydra can give false-positive answers if you're doing it wrong
thank you for the info 😉
@strange river Would it be OK if I PM you sometime? Or you can PM me when you have a moment. I have had some issues with the Jigsaw room and would like to discuss that with you, please.
sure
Hi everybody, I have some trouble with Tempus Fugit Durius. I found a hash for one user but I've been brute-forcing with Hydra for more than an hour and have nothing. I'm sure it's the right user. Thank you
@strange river Are you in here? lol
yes
nice
Hi guys, I've a little question about the Network Services room, task 7 #6. So my OpenVPN is set up and running on my VM, I launch tcpdump and try to ping but nothing comes. Any ideas? Should I connect my OS to OpenVPN too? Seems strange to me
You have to start the listener with your tun0, on the VM as you say, and you have to ping the same tun0 IP in the next task, on the same VM
That's what I did, I pinged the
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.91.93/16 brd 10.8.255.255 scope global tun0
but nothing happened
Same with the payload, that's strange X) I'm doing something wrong but I can't see what
Yup, I confirmed it with the website on the access page
I'll paste you the command
sudo tcpdump ip proto \icmp -i tun0 so this one is listening, if I'm correct
Screenshot with the command and the error together would be better
I don't have any error, I don't receive anything at all
The listener starts but when I ping from telnet nothing pops up
can you show me
yep
I tried to make a clean screenshot; if you don't see it correctly I can retake one and zoom a little
And you are connected with the VPN too?
Access page doesn't always tell the truth. Do you have OpenVPN running in a terminal or in the background?
You haven't closed it, yes?
open and running Sir !
@rancid solstice Your port for ICMP might be closed
or rather* a firewall might be filtering it
Hmmm, any idea how to check that?
uhh
nice
That's maybe the problem
probably
Dunno if the French providers haven't blocked ICMP
try cat /proc/sys/net/ipv4/icmp_echo_ignore_all to see if your ICMP is actually working
it should return 0 which means that you should respond to pings
perfect
yeah, check if you have any firewalls that might be preventing it from reaching your machine
Will swap back to the internet connection to see if the problem is coming from the 4G
Is your VM's network adapter set to NAT?
your VM sometimes won't receive inbound traffic from outside your network because it has to go through the host machine
I see
Even with the box, nothing
I started OpenVPN on the Mac and on the VM to test = nothing too
I guess one last resort is to try and disable your firewall on your machine?
if that might possibly be the issue
not your host machine but the VM*
I'll check if a firewall is up by default on Kali
If I remember correctly I think one is up by default
Was on Google to find the command, thanks X)
but remember to turn it back on if you disable it
Thanks for engaging while I was gone, smackhack. Well, I went back and tried the room, it doesn't seem to work for me anymore either
alright welp I guess it's time for me to learn how to hack Windows machines
brb I'll try it in a sec too
ufw not working, that's strange
Oh wait, it's not Windows, jk
hm, I completed it somewhat recently but I guess it could've broke inbetween then and now
my thoughts exactly, I completed it a couple weeks ago ig
OK OK my bad, I wrote ufw with 2 f's. Let's start again, I'll keep you informed! Thanks for the help btw @torn pine
or maybe it's my machine that's just acting out at the moment, give it a try smackhack
Not working... I'll try later guys, I'm done and the pool is waiting for me X) Again, thanks @white salmon
I'm back! Let's try again X)
OK guys, I think I figured out the problem
When I ping the box from my VM the ping comes back, but when I ping it from my Mac the ping responds with a timeout
My problem is maybe related to that
ah
that's what I also was gonna go to for the last resort
that means your mac's firewall is blocking the ICMP request
Ah wait, talked too fast X) The ping is working on the Mac and the IP responds np, but when I telnet and ask to ping, the ping never comes X)
Smells like a curse, don't you think 😢
Are you running the VPN directly in Kali?
Are you prefixing the command with .RUN?
The telnet needs a prefix in order to get it to run a command
Just entering ping myIp won't work
That's something specific to this telnet
.RUN ping myIP is what you need.
If it's that, I'm really dumb X)
The little problems are the hardest ones X)
OK so guess what
The RUN was there
But the little . was missing ^^'
Really sorry @white salmon, made you lose a lot of time
thanks for your help 🙂
I am doing the box DVWA. I think I am gonna need to brute-force it
Correct?
If so, what program can I use? Since I have followed this https://blog.tryhackme.com/going-from-zero-to-hero/ I haven't used Burp yet
there are username and password fields in the body of the post request
Again, depends which login
http://10.10.74.143/login.php it is the index page
There's one for access to the whole webapp, then there's one designed to be brute forced
That's the one for the whole webapp
You don't brute force that one
could you give me a hint?
You are definitely given the credentials for that login
DVWA has things like RCE flaws. If someone could get into DVWA without permission, they could easily get access to the machine
That's what the initial login is for
hi
As suggested I searched for repositories with simple titles like: github notes, github notes with JavaScript, github system misconfiguration, and so on
@broken cloud No
Literally the title of the webapp
It's like. Right in front of your face.
And has been all this time.
I have done that too, pensive
You haven't done it right
😅
The title of the webapp will give you the source code
You have to actually use the whole title
You mean the IP address?
Yes, I searched that too
So try things like "Pensive notes" or "pensivenotes"
Ooh man, I get that
Shhhh don't spoil it
Now I am embarrassed, after this much help I was not able to get that 😫 😅
Did that message get deleted?
Yes I did, I was not aware whether that would be deleted for me or for all... that's why I asked
@stuck fractal Thanks for the support... 😇 ⭐ Many thanks for the effort of making the room. For a beginner like me it is like a blessing... 💯
I didn't make the room
The room was made by a bunch of the official creators, different tasks by different people
Hearty thanks from my side to them all.
Hi, at Post-Exploitation Basics, Task 4-2 it asks for the Machine2 hash; I enter it exactly but it won't accept it. Why?
You're probably entering it wrong, but the room may also be broken. Let me check.
What are the first 3 characters of the hash you're entering?
c4b
That’s incorrect.
Try restarting the room; I haven't heard of any issues with it.
Ok, I'll try that
It worked by resetting the machine... weird
I got another hash for that account
Thank you
Anytime :)
Where do I find the videos of the sessions to rewatch?
Head over to the TryHackCIT discord
Thanks Ninja*
I am trying to do the room "Ra".
After struggling a bit with connecting to the Spark server, I tried reading the writeup. It seems as if I am doing the correct thing.
As info to Spark I am entering:
username: lilyle
password: REDACTED
domain: <IP>
I am getting the following error:
javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_xmpp-client._tcp.windcorp.thm'
The DNS name is, however, registered in /etc/hosts. I can connect using 'smbclient //windcorp.thm/Shared -U lilyle --password REDACTED'
If anyone has similar problems I would love to know of it.
Hi lasse, have you tried adding a couple of entries to your /etc/hosts file? Not just the domain but the host machine names too?
That's a subdomain so yep, it needs separate entries
I'm doing the Wgel CTF room. I got the ||id_rsa file|| and the blog site; tried some users from the blog but none of them works...
How do I find the user? Tried users on the blog but none work
I have added the following:
10.10.97.18 fire.windcorp.thm
10.10.97.18 windcorp.thm
Sorry, I am a bit confused, how is this not enough?
The subdomain in what you copy-pasted
You should redact those usernames, too. Finding the username is part of the challenge @humble nexus
'_xmpp-client._tcp.windcorp.thm'
Sorry for that. Thanks for heads up
I am doing the Common Linux Privesc room. How should I use msfvenom, because this command is not found?
Ok, msfvenom is a hacking tool, right?
It's not going to be installed on the target machine
But I understand the task to be that autoscript.sh should execute this command on this machine, or not?
Hello guys, need help in the Blaster room
The way of exploitation shown in the video needs internet on the machine; how can I do it?
The RDP connection I have doesn't have a net connection
is your next step in that exploit saving the webpage? you don't need the web request to complete successfully to get to the save dialog box, right?
@winged isle You're talking about Task 8 in the Common Linux Privesc room?
Yes
Did you try to use msfvenom on the target machine or on your host machine?
@toxic scarab Yeah bro, my next step is saving the webpage
I am installing Metasploit on my machine right now :) @simple shoal
OK, tell us if it works after installing Metasploit ^^ It should
👍
@pseudo hamlet So just save the error page. The exploit has nothing to do with the webpage, it's just a way to get to the cmd executable with elevated privileges
no
you need the permission context from the dialog box you were in when you clicked that link to pass those permissions to the browser that opened (even though it couldn't get to the page), which essentially transferred the same permissions to cmd.exe when you opened it from the save as dialog box
Hi everyone!
I'm at the /attackingkerberos room
In task 3, with Rubeus
When I'm harvesting TGTs I'm waiting a lot and not getting a response. Is this correct?
How long did you set your interval for?
Did you get the Rubeus header?
@grand pivot
can I see a screenshot of your output
It says displaying the working TGT cache every 1200 seconds... that's 20 minutes
I'm doing something very wrong, right?
Oh I think I know
I used /internal instead of /interval
I'm on Agent Sudo, and I got the SSH password correct, and I found the user. I checked it with the writeups but I'm still getting permission denied from SSH
Are you sure you got the password for the user?
Did you already answer questions #1, #2, #3?
You can check if the SSH password is correct if it's the same thing as #5
Yeah, I've answered all the questions
I also answered #5
I tried to copy-paste, and to write it myself, but still the same output
Is it the correct IP that you're SSHing into?
uhh
Did you mistype the user?
From his bad scribbles, I think that's the correct username
Yeah OK, so you didn't mistype it; maybe you keep mistyping the password
Wait, are you putting caps?
Oh yea idk then
Have you restarted the machine and tried SSHing into it?
This is a shot in the dark, but it's possible maybe your keyboard has a different characterset and one of the characters doesn't match?
Are you using a VM?
Type rr and ! for me
hm
Because in my VM it's weird, my front slash is <>
But any other SSH that I've used before works
Can you send the password in a spoiler? I'll try to copy yours
The writeups have the password; we can't type in the password here
Make sure you're copy and pasting only the password and no extra blank space or anything I guess
OK, give me a minute
OK, it worked!
However, it's weird because the password is different from the one in the answer
???
It shouldn't be, I did that room last night and it worked fine
Are you sure you weren't using the wrong password?
Ohh
In the BPT room #1... is there a way other than blind user enumeration of all 3-character names, or should I expect to make (26-52?)^3 possible queries (or until it finds what I'm looking for)?
Is it deducible?
Do we have the password for the room "Musical Stego" Pastebin page? It's a dead link.
Haha, never mind
Wow... The last time I ran this command it did not give me this output
Hey, has someone solved
ROOM: OWASP Top 10,
TASK 20: Security Misconfiguration
VM: Pensive Notes
???
I'm stuck. Couldn't find any information, and I guess I can brute-force the user and pass but I've tried with the most common lists of users and passwords and nothing
Any hint? 😁
No
That's because your hydra command is wrong
But if you're brute forcing anything at all, you're doing it wrong
ok
hydra -L usr/top-usernames-shortlist.txt -P pass/10-million-password-list-top-10000.txt 10.10.179.229 http-get
Although I understand it's not brute-forcing, I would like to know what's wrong with my Hydra command
The method?
Uh, basically everything after the IP
ok
There are rooms to teach you how to use Hydra for HTTP
If you'd like to learn, do those. And find some guides online.
Hi all, I have the user flag on the room Jeff. I typed it as I found it and tried to do that thing it told me between {} and nothing; any tip to make it work? -- Solved, thanks @maiden flower
#site-bugs @lunar musk
On the Brooklyn99 room
How am I supposed to find the passphrase for steghide on the website's image?
Looking for a hint
What other options do you have? Think about it, sometimes we focus only on one thing
It helps from time to time to view the whole picture
I'm doing Hydra and I have rockyou and Hydra set up and it's running but it's done wayyy more than 30
Is it http-post?
What room is it?
Hydra
@hardy matrix http-post-form
iirc
Hint on the user flag (Brooklyn99) says Jake
So I guess that's the username
But without the hint, how do I find the username? Brute-force it?
Doesn't seem like a great idea (Please tag me if you respond)
@rough grove Not brute-force; there's somewhere you can find it
I got it, thank you, I was too lazy to check everything I guess
Hello, I'm new here. Nice to be here.
I am currently stuck on a task, task 21 to be precise, on Learn Linux (a room created by Paradox). Wanted to ask if I could get any possible hints
Thank you
You should probably take a look at "Environment Variables" in Linux
These are variables that basically, the system and any user can use at any time
Oh okay, I'll get to it. Thank you
cough hints
@crystal aurora Please don't give the exact answer or method to get the answer away.
It's a method
Yes, but this room is for people who don't want to be told how, just a hint.
#room-help is more appropriate for giving the actual steps to do something
@crystal aurora Remove the message please.
I understand you want to help, but sometimes it's actually more helpful to give people a bone and let them do it for themselves, instead of holding their hands
Give a man a fish, and feed him for a day. Teach a man to fish, and feed him for a lifetime.
Hello guys, I can't get sqlmap to run in https://tryhackme.com/room/uopeasy
OK
Task 6
Using SQL injection, can you extract the username and password for this form? You may need the help of Burp's intruder function OR SQLMap.
...
sqlmap -u http://10.10.137.208/login.php --forms --risk=3 --level=5 --dbs
I am getting nothing out
OK thanks
You're not telling sqlmap the request for the login page
You need to use Burp to get the request, then put that request into sqlmap, changing a few things around for formatting
HackPark's video does a great job of demonstrating this
Hello. I am currently working on the 'Ignite' room and having problems getting root.txt. I have acquired user.txt ||by using a form of SQLi + Linux commands in the URL|| but am unable to see any way of escalating my privileges. My questions: 1. Did I get the first flag the correct way to be able to escalate from that vulnerability? 2. If so, any hints on where to begin? ||I have performed find / -perm -4000 on the machine and found what access I have but can't figure out if any of these commands could help||
Well, I'm more meaning how can I move across to be able to get the root flag
Was the way that I got the user sufficient to get root as well, as I can't see a way to priv esc ||using the URL bar|| for it
Any time
In Vulnversity room, I am asked what common extension is blocked by the form where I have to upload files. The answer format is .***
But whatever I try to upload (.txt, .pdf, .zip, .php, etc.) it says that the extension is blocked 😭
Is it a #site-bugs or not?
@simple shoal Could you take a screenshot of one of the responses from Intruder?
It asks you what's the most common extension for reverse shells, in other words
which also seems to be blocked
yeah
There's a very common type/form of reverse shell that often uses the same type as webpages.
(big hint)
If you're using Kali, try checking /usr/share/webshells/
and see if you notice a certain type of webshell that is in the list of filetypes ;)
I'll look at it ^^
The answer IS in the original message you posted btw
@solemn smelt --forms is a valid option and will work in this situation
I'm doing "Lian_Yu", a beginner CTF. The second question is my problem. The hint is "in numbers"... using DirBuster, I don't get any folder named with numbers. I get two folders, but not one I can convert to numbers. I could read the writeup, but that's too easy. Anyone who can give me another hint?
Ah I remember this
Try looking for wordlists online that contain only numbers
Make sure they're related to website busting and not just random numbers
Thanks 🙂 I just used the default and medium wordlist
Awesome Sauce
You will get the directory with 4 numbers all right. You have to enumerate further levels
cough they found the answer, I think
I go away
haha
Anyone completed the https://tryhackme.com/room/uopeasy room??
I am in the https://tryhackme.com/room/uopeasy sqlmap part, finding the admin username and password. I was able to see just 2 usernames; I was unable to locate the admin details
Any hint will help
You're dumping the wrong database
Wow
You mean I just spent 4 f$cking hours on the wrong database 😢
@oblique cliff Can you give more of a hint pls
Guys, need a hint in the Mr. Robot CTF
But do you think I am on the right ||link http://10.10.137.208/login.php||
@pseudo hamlet
Found the WP login page
I'm stuck in the enumerating stage, didn't know how I can enumerate users
I used wpscan, didn't find anything
@trim haven Bro, any hint on username enumeration?
You get a wordlist if you do some scanning with gobuster; use that to brute-force the login page @pseudo hamlet
If I remember correctly it says if the username is valid or not on the login page
on failed attempt
@sinful plaza Yes, you're using the right link, just dumping the wrong database. Whatever you dumped should've told you all the database options
correcto distorted
On the room Daily Bugle... sqlmap is going at it... but so far it's taken 30 minutes... am I doing something wrong, or just impatient?
Neither
sqlmap takes egregiously long sometimes
You just have to wait unfortunately
Alright, I'm starting to feel like I'm overlooking something in the "investigatingwindows" room
On task 11, I cannot find the log for this under Security
Can anyone point me to around the time I should be looking? Maybe I'm looking at the wrong event IDs
Got it
But I don't understand what distinguishes this log from the rest
Looking at it again
@oblique cliff OK bro, need to cool off my head a little, thanks
I GET the username and password but I can't connect to SSH on Smag Grotto
Any hints??
The room just came out, gonna have a tough time getting hints
@remote yarrow It may be that this user you found is not meant to connect via SSH
I'm avoiding these chats because Spoilers
On the room Smag Grotto, I was able to analyse the pcap and found a username and a password. Thought it was an SSH login. But it is not. Stuck. Need a few hints.
Gah - I can download / view files on the server, but I can't upload anything
GAH - Got it
Any hint for how you moved on from finding the login in the pcap file in Smag?
there's obviously a pivot somewhere inside, and thus some form of redirect
I don't know 😦
No pivot
The room was just released...
'general question' would be 'subdomain doesn't work'
Just a heads up, I've updated rule 15 to state that we don't provide hints or help until a week after release
good shout
Can I use an id_rsa.pub to my advantage? (I know I can use the id_rsa.) Not sure on the .pub
It's a public key, it's designed to be shared
Aye, but I read if I add it to the server I can just log in
As opposed to the private key, which you do not share
Got this from: A public key, usually named id_rsa.pub. The public key is placed on the server you intend to log in to. You can freely share your public key with others. If someone else adds your public key to their server, you will be able to log in to that server.
If you have the private key associated with that public key, then you can use it
But you need the private key
Exactly
So if I added someone else's pub key to my authorized_keys, they could not just log in?
(I thought they could)
Oh I think I see how now... 🙂 Missed it in linpeas first time round
I’m struggling with the Intro to Linux room by Paradox, specifically the challenge at the end. He says “everything you need to capture the flag is in the room”. Does that mean there is no need to learn PrivEsc methods to capture it, that is, that the password is hidden somewhere and needs to be found, or does the machine have to be scanned for vulnerabilities?
It means all the techniques you need are learned in the room
@ripe hedge okay, looks like I was overthinking it. Thanks!
That happens on that room
Is there a way to avoid this situation at all?
Situation: You gain access to a box, get a shell... (via webpage, PHP shell). When I kill the shell or run something that hangs... then the webpage hangs from this point on, meaning a full room reset and try again. Is there a way to stop that or? (Obvs me not running incorrect commands helps)
Hi, can somebody give me a hint on the Smag Grotto room? I already found the credentials from the packets, and tried to use them with SSH; I already did directory brute-forcing, but there is no login page, only login directories, but they have the same other pages, but without CSS. Some hints pls?
@odd panther When you navigate to the page, the server runs the PHP file.
Navigate again, it runs it again
Then you've broken something, because that's how it works PHP wise
I see... I got the login page, ran a PHP shell... got it. Lost it... page is dead from this point. (Have to restart)
What if anything would I have broken?
The shell is from pentestmonkey
Load the URL for the shell again
Again, it does not
It didn't happen while I was testing the box
I know it's not usually like that, that's why I asked
hahahaha
Classic.
Was OK when I tried it
I ran through it a couple times
I can show you if you really like
I'm not crazy lol
It's not much of an issue etc, just thought it's not normally like that at all
In the Basic Pentesting by Ashu... I am trying to discover the alternate route (I presume it's the one that does not involve the very long password via su/sudo). I've copied some exploratory scripts up to probe vulnerabilities and I'm drawing a blank... lucky0 isn't. Dirty COW has been washed out, and most of the rest of the "possible" exploits are from 2016; since the kernel is from 2018 I'm pretty sure those are also no go. But I tried a few of the CVEs by compiling the PoC with static, uploading, and running... big fat nothing.
Check the forum
I checked the kernel patches from the successors to 4.4.0-119
There is a post
Maybe it helps you
There is a post that talks about the alternate way
Did it help?
hmmmm
I don't want to peek yet. I already had to peek regarding the primary entry password (my rockyou password list was sorted, resulting in an order that would have taken hundreds of hours to match)
Mmm
If you need a new one, I recommend you check GitHub, and there search for rockyou.txt
I just found the xz I sorted originally and unpacked it, leaving it alone this time
I found rockyou was GOOD, but there were better options for locally hosted challenge boxes 😛
Hi folks, I have an SSH public key, can I generate its private key to use it to log in to SSH!!
No
Short answer: no... Long answer: how much time have you got?
That'd break like, everything
Hey guys, is there a way to speed up port scanning in nmap?
I thought I could analyse that public key, maybe it's vulnerable to factorization
Isn't there a courtesy setting, allowing for less time between request and response... most people refer to it as insane... the opposite being what, stealthy/sneaky?
@stuck fractal Actually I have tried at night (Indonesian time zone) but the results take long; I played the Boiler CTF room to find where the SSH service is running
I don't understand
You can try RsaCtfTool if it's a weak public key
https://github.com/Ganapati/RsaCtfTool @stoic jewel
Thanks @white salmon, I'm playing the Smag room and I found an SSH public key
Ah no, that won't work 😛
lol so what!!
It will take a billion years to crack that key
hard_work enable 😉
Look what you can do with public keys
Operating system!!
How public keys work with SSH
.?
I've got a rev shell on Smag Grotto and have been trying to ||get permission to access /home/jake/.ssh|| but I'm not finding anything, kinda stuck here
Finally got root on Smag, 6 hours over, I was so lost on something so simple
Smag was fun
Indeed
You know how to read them, yeah? It was in a previous room
Yup
OK
I do
That's all you need
You got this bro 🙂
It usually is, I'm finding. I'm starting to learn to, like, take a 15-min break, have a coffee and a think etc; really helps
I ran Nikto on /mail/index.php/login and it's giving me a lot of info
A lot
I'm fine
Or lost
?
xd
It's a hidden service or kind of a facade, it's weird
I wonder if I can get linpeas on there
Did you read the pcap?
Well, both of us lol, we're doing the same room
@minor bough It's a week, sorry, not 15 days
OK OK
@white salmon I did, but didn't find the .php site (hope you understand)
OK, no hints anymore then 😛
Okay
I guess I'll leave it for tomorrow, I've got to sleep early
I have a doubt on Smag, I did find something in the packets but it seems it is not SSH creds. Am I missing something?
Yes, you missed the whole HTTP request
There are only two HTTP request protocols and 10 packets
Google around more for how an HTTP request is constructed
@digital iris With all respect, the guy was downloading a file with a .xxx extension, that's all I see
I think I'll just wait for a writeup on Smag; I can't get shit done after I get the revshell
At least you have the user flag
If I had an SSH login I could do the entire challenge in less than a minute @red arch, but not even close
Where to use the credentials found in a packet? Room name: Smag Grotto
You got a hint from the creator that will help you massively
I need some help in Smag Grott room, I found the login but couldn't find the proper login form..
any hint?
I just repeated the one from the creator
Just solved Smag Grotto
I want to say a big thanks to the creator and THM for this cool box.
Smag Grott: need hint on privesc.. I know the right path.. but I can't do it
can I dm someone?
any privesc hints for smag grotto
any privesc hints for smag grotto
@radiant sage use linenum..
@indigo ridge k thanks
@radiant sage @indigo ridge you don't need any enumeration. you can get root the way you got user
I know
@lusty wigeon I just need a little thing
dm
Hey! Doing the Overpass room. Successfully got the user flag. But stuck at the privilege escalation part. Help please?
Yeah did it using LinPeas. Still haven't found anything. I've decoded the user's password though. Am I missing something?
Figure out what you can and can’t control
Also look at the room tags that may be helpful
From looking at your level, I'm going to let you know that by any means this is not a beginner box. This is an intermediate box and will require more than basic knowledge. But you haven't verified so I'm none the wiser.
Yeah!! Already on it!! Have got the root flag!!
I was trying to figure out why I can't get the reverse shell to work
Damn the BSD netcat xD
Hi. I got to the end of this room
https://tryhackme.com/room/zthlinux
and the last task says I'm supposed to get the flag in /root/root.txt and that the room has everything I need to access that file.
I tried id and sudo -l on every user available to me (shiba1, shiba2, shiba3, shiba4, noot) but they all don't have root access. Then there is nootnoot which is in the sudo group, but its password is unknown. And the root user also has an unknown password.
Am I missing something?
I went through the whole room a few times already.
You're absolutely on the right path.
And I can tell you that you're basically right at the edge of getting the answer
It helps to know everything about your target
In the smag grotto room I got some creds but do not know where to use them....tried bruteforcing SSH but nothing found ||/mail and trodd user in page source || can't find any sort of login page nor are the creds working on SSH...
I am stuck in smag grotto
I know I am doing it right but the thing is not working
what step
@lusty wigeon can I dm you about smag grotto.
Can I dm? It would be a spoiler
@eternal brook read the whole request
The wireshark one ?
||development.smag/login.php||?
yeah
you need to do something in your ||/etc/hosts|| file to visit it
I know what you are doing wrong but figure it out yourself
I tried using || curl || too still stuck
Ohk I'll try more I suppose...
Thanks anyway 👍
@eternal brook same page
Which page?
Where to look for Privesc in Smag room ?
Which page?
The one that you want to access
@eternal brook stuck at the same point, got wireshark stuff, don't know what to do
Yea I'm trying to use || curl on development.smag.thm/login.php, used the creds with my curl command, used curl cause site is not accessible || stuck at this point
for all those who are stuck with smag: look closely at the login.php request in the Wireshark capture, maybe you can get a new sub domain
@fallen sedge sure
I think I need to look into the way to deal with the subdomain I suppose @zinc current ..
and what about privesc once you're in ?
||tried the usual stuff with linpeas and pspy||
@edgy gorge look carefully linpeas shows it, || crons ||
@edgy gorge I don't think I can tell you that cause it's too easy 😅 Look closely
@final mortar do you think it can be also done with || dirtyc0w|| ? I kept trying it earlier lol
Hey guys, I need some help with room room/ra. I'm stuck on privesc. ||Found something that runs regularly and what group I am part of but can't seem to advance||
@white salmon Maybe , don't know for sure. Now you mention it, I can check it too if you want
Would really appreciate some help, been stuck on this room for a while now
@final mortar Would be great if you do. I used || linux exploit suggester|| and it lists || dirtyc0w|| don't know its reliability tho.
I never ran any automated script xD. I always try to look manually first
Any resources for ||reverse shell payloads||
@rapid flower https://www.cybergoat.co.uk/cheatsheet/Reverse_Payload_Cheatsheet/
When penetration testing, hackers often find themselves in a compromised system with a command execution vulnerability. Whenever the opportunity persists, the attacker must establish a reverse shell.
@minor geyser thanks!
np
@white salmon
/etc/groups shows a group but I know nothing about it. No user is assigned that group and I can't change any user's groups anyway.
Try checking for any interesting files
maybe the user has some interesting documents or something lying around
@rapid flower It's a simple googleable answer, not room related, so try to do your own research next time 🙂
Hey just one doubt regarding smag || do I need to add development.smag.thm to etc/hosts or just smag.thm cause when I visit dev.smqg.thm it does not load ||
Anyone done this room --> tryhackme.com/room/ra? Would love some hints about privesc 🙂
@white salmon
I found ||/home/nootnoot/ll|| which contains numbers from 1 to 1000, not very useful.
@eternal brook you need the one you want to visit 🙂 both if you need both
not very useful
you aren't trying hard enough
but that's not the right file
try looking for another file
it'll be a file that you've never really touched before
Damn I got it, thanks @final mortar, thanks a lot

Maybe you could edit out the message where you mentioned the full subdomain name @eternal brook
@white salmon
hi
Sure

So scary
Any hints on how to use the ||pub|| key... In smog?
We don't provide hints/help for newly released rooms.
Ohh np
I need a hint here in this beginner CTF. I need to find the folder, and the hint is "in numbers". I have created a wordlist going from 0000 to 9999, and used Dirb to run it. But it finds nothing. I guess I'm doing something wrong, since the name of the folder must be between 0000 - 9999
go up a level 😉
@final mortar My guess is that I should change something in this line "dirb http://x.x.x.x wordlist.txt" to go up a level ?
@spring tartan which room is it again?
oh lianyu
when I did it I just made a wordlist from google
@rancid crystal
I created my own wordlist with numbers from 0000 to 9999. But did not find anything
what was the command you were using?
Using Dirb or creating the wordlist ?
gobuster > dirbuster though
but it should give you the answer in between that though
dirb http://x.x.x.x wordlist.txt
dirsearch > gobuster > Dirbuster
Mayor waiting for your talk today
🙂
I love dirsearch but its default wordlist misses a lot
Manually >dirsearch > gobuster > Dirbuster
so coming back to the question. idk why its not giving the answer..
@rancid crystal Someone told me to go up a level. Not really sure how to
I didn't get what he meant by that either 🤔
Neither do I tbh lol
lemme try it myself
@final mortar
just a sec
I thought it meant something like "dirb http://x.x.x.x/../" instead of "dirb http://x.x.x./" But not finding anything still.
@white salmon
:o I found the file. I didn't expect that to be in there. The room is complete now. Thanks for giving me hope lol 🙂
@spring tartan no it didn't mean anything like that
just a sec
Pretty much agreed. I wasn't aware of that dir at all. It was fun!
@spring tartan I tried it too but dirbuster didn't show anything with 200 threads 🤔
I guess it would be the same if I tried dirb or dirbuster ? Have only tried dirb
@spring tartan after you find an initial directory, scan it again
@final mortar that would be down a level FYI
no
Yea. Top level is home directory. You’re traversing down when you go in the subdirectories
if you look at it this way ...
In a general scan you can do something like x.com/FUZZ/FUZZ just another recursive level to your search
yeah get it.. you are not supposed to find that numbered directory before.. now by looking at going one level higher makes sense
You recurse down a tree, not up it
@final mortar depends on perspective
Particularly “When you're defining something top-down, you are defining it recursively”
I'm a bit confused, but I guess I should look for the folder inside another folder ? like x.x.x.x/icons/ ?
When you go top down it’s the definition of recursive. When you go bottom up it’s iterative. Enumerating a subdirectory after you’ve found it is a recursive search. Therefore it’s top down
So down a directory
Thanks 🙂 I found the folder, inside another folder 🙂
Recursively 👀
Not trying to call you out, that’s just important if someone’s trying to understand recursion to not confuse that
guys any hint on windows priv esc by tib3rius... task 16
I've tried all options but to no avail
@oblique cliff ofc it's not a problem. You are even allowed to call me out mate but I just mean it in a loose sense
Tr0x, the user privilege is there if you type whoami /privs in the terminal on that machine.
Hello, I am sure I am doing it right, I put my ssh public key in smag grotto but ssh is still prompting me for a password
Can anyone help or else there is something wrong with my approach?
Your approach is right
Public keys do not substitute for an SSH password.
Public keys are basically the "lock", and private keys are the "keys"
I put the public key and I am trying to login with private key which I generated
That's not what he said as far as I understood. @white salmon
@lime needle yeah the approach is right as I said
you are just doing something wrong with the command ig
ssh -i id_rsa jack@ip
ahem I meant the generating part
Restart ssh and it should work.
Ohh I just gen using ssh-keygen
Though I have to warn you, we don't provide help/hints for newly released boxes.
It's 48 hours minimum for hints isn't it
I mean it sounds like he might just be having an issue using SSH correctly
Yeah and we are helping him out too rn
@final mortar It will be extended to a full week soon.
I am not asking about any part regarding the box, I know the process, but the thing is whenever I try to login it asks me for a password
If his problem is with the generating part, as I suspect, then there's nothing much we can do
sounds good
@final mortar
Alright I will try
so Smog Grotto got me all in a fuss I have logged into something but whatever i throw at it i get nothing in return. anyone able to throw me a nudge?
@lethal zephyr You can take a test to check whether or not commands are being sent to the server, how about a simple ping test?
try ping -c 10 127.0.0.1 if the server hangs for 10 seconds, it means you have command execution
@lethal zephyr
thank you @wraith tapir @merry helm I can see I have command execution. just hunting for the right command now 🙂
what about a reverse shell?🙂
@wraith tapir yeah I am just trying to find one that works, got one to half work but the connection breaks
You will find the right one in reverse shell cheatsheet
got it 🙂
I get the connection but I don't have root privs
You can try perl
Shell
It works
got a shell now
But the privs is www-data
@gusty remnant the very first privesc command would do 🙂
Which one??
did you run linpeas
Yess
Okk
Hi there. Can anyone give me advice what to do with downloaded flag32.mp3 in Linux Challenges room to get a flag?
You just have to listen to it 🤔
Is there real info in the rick rolled video from the year of rabbit room, or is it just bait?
There is never real info in that video 
🙃 I was wondering if maybe the creator modified the vids or something like that 😂
Shit happens, I got rick rolled 😦
@final mortar thank you 😂 I don't know why I was looking all around and I didn't think to listen to the file
xD happens
Hey there. Can anyone advise me in which direction I should move in Smag Grotto. I found the pcap file but things aren't working ... could anyone give me a hint on what I should do
we don't give hints on boxes until a week after their release (will be added to the rules at some point)
```
root
smag
uid=0(root) gid=0(root) groups=0(root)
```
nice!
feels good right
@lethal zephyr
@wraith tapir Yeah good box 🙂 nice and CTF'y
post in #522158404614225920 @jakeyee if you wanna give the creator some good feels 🙂
@lethal zephyr
wow.. this dictionary file is like the world's biggest prank
raw file > 858k lines.. sorted uniq .. 11.5k
?
Hi, I have two questions for the room "Common Linux Privesc"
-
With LinEnum we see: "[-] Can we read/write sensitive files: -rw-rw-r-- 1 root root 2694 Mar 6 07:08 /etc/passwd". My question: user3 is not in the root group, why can he still write to /etc/passwd? Because everyone else is only allowed to read the file because of the last "r".
-
If user7 is member of the root group, and I know the password for that user, why should I still create the new user "new"?
user3 can't write to /etc/passwd
How about the second common private home range?
user7's group is root but he is not root himself so he can't run root commands @winged isle
Thank you! 🙂
@random thunder sorry couldn't get you
it's very common, almost all home routers have it set as default @random thunder
@heavy anvil can i DM you?
sure
To the creator of Smag Grotto... A huge thanks to you!!! This room gave me a new perspective on solving things... Especially the privEsc part😂😂😂
@rapid flower #522158404614225920 material!
Ohhh sorry... Didn't know about that
It's alright, but awesome that you like it!
#522158404614225920 is just where we'd like to keep all the nice things (or bad) about rooms and such
any hint for the smag room i can't access ||development.smag.thm/login.php|| even after adding it to /etc/hosts
that's weird
H3llo, has anyone completed the Webgramming machine? I have some problems with tasks 3 and 8
Have you checked the Known Issues?
yes, but is for task 9
@sinful plaza even after using a post request to send it also
any hints pls
@white salmon well bro I know how ssh key auth works, but I can't figure it out here
you know that you can login with a public key?
you have to put your pub key in authorized_keys
That's backwards
You log in with a private key
You authorise the public key that corresponds to the private key
If you have someone else's public key, you can't gain access to their machine
^
yes you're right
You can put the public key in the authorized_key, and then you can make a private key out of the public key you just inserted, to give yourself access
@white salmon You generate the public and private at the same time
It's a key pair
yea that
Is there some problem with smag? As soon as I get a shell and somehow lose it I need to reboot the machine to access the || command page||. It's not loading if I lose the shell once, I have to deploy the machine again
Haven’t heard anything. Losing connection is usually a VPN/Network issue. Check your VPN by running the command !vpnscript in #bot-commands (you will have to download the resources and set it up)
Also please try regenerating your configuration file and change regions. On top of that make sure multiple instances of the VPN are not running, to check this type !multivpn in #bot-commands to get instructions on how to solve it.
Any more issues, please come back here and/or tech support.
I've seen other people reporting it, but it's not something I noticed when I tested the box
I recommend properly stabilising your shell so that you don't kill it by accident
@sinful plaza ???
I would have said the same, James, but having to restart the machine sounds strange.
Maybe leave a nice message in #522158404614225920 !
^
Nice
We love that you like it, #522158404614225920 is a good place for the creators to see it
Nice, I am in that @fickle jacinth
Its hard?
I think that yes
But it actually does?
Hey guys, can someone give me a hint for Smag Grotto, I got the reverse shell but don't know how to escalate?
@fossil iris linpeas is your friend x)
tks man
Alright thanks :)
rooting smag grotto was easy for me. Getting the initial shell was the tricky part. Overall, fun and a good learning experience.
@thorny nest I'm glad you liked it! The creator would gladly appreciate it if you put your thoughts on it in #522158404614225920 (he looks there a lot)
I have a problem in WebGramming task 3, I'm trying to enumerate with a wordlist, with cartesian product and permutation of some chars, but every time after 40 mins the connection goes down. Hint?
Trying to spin up OWASP Zap Scanner...
You need to install it first
I'm stuck at the Priv esc part of smag I found the ||cronjob tried editing it with some rev-shells also tried adding things like /bin/sh -i|| but it's not working any hints?
@blazing ruin What OS are you using?
oh
haha
kali
I just didn't recognise the terminal
Guys I logged into ||login page of snag but am stuck , no command I enter returns anything|| , help ?
Go KDE ! r/unixporn
@eternal brook anyone?stuck since long at this part..
@shut pollen try || rev shells you'll get your shell||
|| will bash shells from pentest monkey/highoncoffee do || ?
Yea
So, I'm curious about task #4 on common linux privsec (how many shells - and yes I know the answer already). Since a shell accepts input from the user and provides output, options like ||bash|| are correctly considered a shell, however, other options like ||false, & nologin|| can't accept input or generate output, so as far as I know, they can't be considered shells, this makes the expected answer for this question incorrect. If that definition is used (and it's the most widely used definition of a shell) shouldn't the answer be ||9 , 1 for each user (8 in total) and 1 for the root ) ? || Yeah I know, noob question. Still learning, what can I say?
@eternal brook tried || bash reverse shells on admin.php || but doesn't seem to work man
try perl
|| nc worked for me||
@remote leaf there are no noob questions
^^^^^^^^^^^^^^
it's not asking how many users can have a shell
||mkfifo|| one
it's asking how many types of shells there are
@eternal brook @red arch you are good people
:P
Np mate :)
any hint for smag, don't know what to do with that cron job
No hints/help for newly released rooms.
Smag was fun box though loved it
What's a newly released room? How new does it have to be to be considered as such?
A room that has been released within 48 hours.
Within the last 48 hours?
The policy is a week
Bountyhacker was a fun box. I must be getting better only took me like 30mins!
Oh okay. I didn't expect that.
Yeah sorry.
The policy is a week
@stuck fractal Thought they were asking about the rule.
@trim haven I am too.
Admin changed it yesterday as it was a bit much, everyone asking lol
like it's only just out and people are asking for help.
enum, ENUM!!!! lol
Anyway. I'm working on this box's flags.
https://tryhackme.com/room/blue
But this question is rather more general.
What should I look for in Windows boxes? How to identify files as flags? Do they contain only one word or something, or are they named with some keywords?
files as flags? As in user.txt and root.txt?
Flags are typically in set locations on CTF boxes
On windows, normally desktops. One of the user, one of the admin. You're told where the flags are for that box
I didn't open the hints so I'm not told where they are.
When a box is out and done, how long before write-ups are typically added? I would like to make one in the future.
Just wanted some general overview about solving these CTF boxes.
Why not? Hints are there for a reason.
I would first try looking for something and if I wouldn't find anything, I'd use a hint.
@odd panther Depends on the creator, I wait a week typically
But it looks like I'll use it anyway.
Thank you @stuck fractal 🙂
How can I Ctrl+C to kill a process running in cmd over meterpreter over msfconsole? O.o
Without killing the cmd shell.
Nevermind. Ctrl+C killed the cmd shell and put me back to meterpreter.
Finished Blue. Yay.
||Found out about meterpreter's search command.|| Very helpful.
how do you get the, like, website name from the IP? I'm trying to use Kerbrute but it's asking for a domain name. I have the IP only and no info on how to get the name.
Ok thank you, I will try these now, I think I have it but not working for me, I'll keep at it thank you
every time.. no wonder it stops working when the vpn goes off 🙂
Also again me... using the wrong IP.. had a 4 that should have been a 2.. my own worst enemy
forget there are write ups...
I'm doing that thing where I'm on an easy box - have something in front of me that should be simple - but with a tired brain I'm blanking
don't you love it?
Helps to have a process/methodology laid out, like a game plan.
Also no shame in taking a break
Grab some hydration, focus at different distances for a bit.
sharks live in water so water is bad D:
@worn kite you're unlikely to find help for a newly released room, but try using wget <uri-of-file>