#room-hints
Right click on the pcap file download link and copy the link in instead of the placeholder there
@inland onyx exactly, the room says i should be getting another file via wget which is not equal to download
i know, but i keep getting the same file
You can directly download and start analysing, no diff file via wget i guess
Well there we go -- you don't even need to use wget.
yup , thats what i am saying, there are no writeups for that room too
Its a new room so..
That's because it was just released
As I said before, we don't really give out help for new rooms
thats sad, old rooms have solutions
They do indeed. Ask in a week or so 🙂
There will be solutions posted soon enough -- whenever @digital iris decides he wants them released
(Hint, Jake, the ping was querying when that is)
i’ll probably accept writeups on monday :)
I need a hint for smag 😅 I tried a lot of things to get a reverse shell from ||the admin command panel|| but it seems blocked... Wget is working but I can't access the downloaded files with my browser
not a hint but you can't open .pcap files on your browser
I mean I'm not sure what he asked. That's why I said what do you mean
@idle flame just try some stuff. As quantum said we don’t give hints until after a week of a box’s release
@oblique cliff Don't worry I succeeded
Helps to have a process/methodology laid out, like a game plan.
@white salmon Agreed. I was just to the point where I was too tired to work through my process.
Well, just to quote James, a break and well rested mind is important too haha
does anyone know how to get the "root.txt" flag in "bounty hacker" room?
Hints aren't being provided for rooms in the first week of release.
Don't ask to ask, feel free to ask your question and the issue that you're encountering
I'm stuck at root flag
What enumeration tools or strategies have you tried?
Do you know how you would even figure out how to get the root flag?
Thx I'm taking a look at it !
@white salmon SUID bins
Do you know about https://gtfobins.github.io/
I've tried SUID3nums but nothing popped up at gtfo bins
I didn't run linpeas for instance
Im doing the smag grotto room and ||ive already got a reverse shell into the system as www-data but im having trouble getting into jake's account, so i need a hint for that||
Maybe I'm wrong but ||I'm trying to access the itguy user/group with www-data as long as he has access to sudo||
Try linpeas or linenum
ok
There’s a rule, if a room has been released within 7 days we’re not allowed to help so keep that in mind
ah alright
@white salmon This link should be a go to for everyone when doing priv esc.
Now that is a site which i love
Hey guys, um... I'm having a small trouble with linux privilege escalation in the very new room "bounty hunter". Can someone please give me a little hint?
We aren't providing hints for newly released rooms.
We can chat about enumeration however. What are you using to try to enumerate the machine?
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
This is my absolute favourite privesc resource
Was trying to get that direction.
This link has helped me rn. Nvm
but for info, I had run LinEnum, few python scripts, etc. and I was completely lost
I have made a little enum and thanks to @white salmon's link I have it
I'm an idiot with smag. Overthought it. Took me too long for foothold then did user and root in sub 20 minutes. Get more sleep, people.
What resource do you use for managing all these reference links
Rooted Bounty Hacker in 15mins😱 have my skills increased 😂 great box though:)
@fleet pike Chrome autocomplete
so you are using a carbon based ram stack 😛
Best knowledge bomb I've ever seen
truth
someone can help me with Smag Grotto? trying to get the user being in shell.. i found a dir but I don't know if is rabbit hole
after 9 hours ... i complete smag room 😆
@daring mantle Usually, you won't get help for a newly released room from this discord, just try different things, and Im sure you'll nail it 😉
i will do it, thanks.
Hello, i'm in Wgel CTF. I found a directory and inside an id_rsa. I'm trying to connect via ssh but the key is not working (i think it is a rabbithole). I got stuck, any hint?
Maybe i have to add wgel.thm to my /etc/hosts ?
what is the message you get when you try to login ?
invalid key
Try copying it and pasting it again
I didn't copy paste it. i save the page
What's the name of the key?
id_rsa
can you show us the content of your file ?
Sure
whats your ssh command ?
ssh -i id_rsa user@ip
Have you changed the permissions of the key
either permissions are not right or the user or the ip
yes, to 400
forget about the ip
600 is better
600
Also could you remove the screenshot some people are really lazy...
Yes
Guys
Hello
The machine in ssti challenge in the zth obscure web vuln room doesnt seem to be up
Explain?
Explain blank?
-Pn if is windows
Try using -Pn and make sure you’re waiting long enough for the machine to boot
Ok... have you read the hints of the room or the description? Sometimes you will need to add the machine to your /etc/hosts
Very uncommon
Have you terminated and redeployed
Have you checked your VPN
Ill restart the pc then
Awesome sauce!!
@open storm I finally got it, the failure was in not looking well and trying to go fast 🙂
grah, recovery is annoying me but I don't really want to leave it as I don't want to redo everything 😦
missing flag 2
I nuked a few files the first time
oops
but I'm missing a step, that's for sure
right that was it
but the site's down so I can't put in the flag >.<
ok when I did that last time it failed, but that was because I stupidly ran the program I wasn't supposed to and it overwrote the legit file
thanks for rubber-ducking, @wooden mist
@wooden mist In new box for decrypting the files did you run the malware once again? I guess it should work because a^b^b = a. I got root but only two flags ://
no
you shouldn't have to run the malware
There are only two ports ssh and http, and I logged in through ssh using the private key. Now I have the user level access and dont know the password of the user. Any ideas on How to priv esc?
If you want hints, specify the room
Basic Pentesting
Enumeration enumeration enumeration
There's hints provided in the room that were helpful
sure
Trying to solve Smag Grotto, I have got a shell and now needs to get Jake user access to read user.txt any hints i did wireshark and got login page. Is there anything to do with wget also as i am not understanding if there is and how to do it?
if you’ve got a shell then you’re done with the wireshark, enumerate the box :)
There is a hint in the question @compact helm
Oh you mean root. I read shell
Anyways we can't directly help with newly released rooms
Good options is to always run sudo -l, some manual stuff like password files, and suid's, some scripts if you want
Just pin this if you can. I have to go all the way to my browser to recommend this if I ever want to 😅 and it's always good
Just took a look at Recovery. That is not a 10:30 PM room. I'll dig into that when I have more time tomorrow. 😫
To be honest, I'll probably have to come back for a nudge on that one.
ohk ...
i found something but doesnt know how to work with it can i ping someone about Smag grotto
New room, I recommend coming back in a couple days
Hi there, Does recovery involve brute force?
@compact helm It's a new challenge. Please wait and try yourself before asking for help
And especially avoid spoiling the box like that if you can
xD
What kinda recovery?
The new room
Which room?
i will try harder by myself
@compact helm at least give it a few days
Oh👍
Maybe don't tag anyone whenever you want 🙂
@compact helm The box hasn't been out long. Wait a bit, try things yourself. Ask for hints in a couple days if you're still stuck
@compact helm I rejected the friend request once. Please don't spam me with them. Last chance.
Going back and deleting your messages doesn't change that 😉
Hi, quick question, I'm in 25daysofchristmas: Task 20, LFI. Is there any tool that I could use to automate the check of relative and non-relative %2Fetc%2Fshadow urls? I couldn't find the way with gobuster, dirb or dirsearch. Thx!
Try using burp intruder with a wordlist
Many wordlists are available on github
@dusky citrus
I think seclists might have some lfi payloads
You could probably generate some specific to shadow or passwd with python if you need
How do we start entering text into our new Vim document?
Think literal. Once you're in insert mode.
I get into insert mode with i and then I can type any text I want
but how does that answer the question?
You've nearly answered it there
I am confused. Wanted is a 6-digit word. i, insert, "text" does not solve the task
What action are you performing when you write "text"
Oh man I get it 😅 🤦‍♂️
one question for recovery v2 room, is there any docker containers running inside?
It's a new room, we won't provide hints for a few days to give people a fair chance to complete it
aaa i didnt notice it just released
its been quite a while since my previous visit
sorry @stuck fractal , will 'try harder' xD
some thing regarding recovery! I am root... but I seem to encounter some trouble in the webpage part! Just getting the headers... is that intentional? Hope there aren't any spoilers
New box, no hints yet. Give it a couple days
okay! np!
Hello, i am doing intro to python, last challenge where i need to decode file content encoded in base64 times, base32 and base16, the issue i have is that after the first decode base64, i get b' ', an empty byte string
which i can not further decode
thanks for hint, it looks like you are correct
Having seen the issue dozens of times before, I often am
The order given is the encoding order. Decoding order is the reverse
Can anyone help me with the python challenge please, I keep getting: 'Non-base32 digit found'. I've read enough tips to realise the order of decoding is reversed.
You're decoding the same thing 5 times initially, not decoding the data then decoding that result
The first loop is wrong
thanks - I finally got it!
Lol, I got Flag 0,1 and 5 for recovery! but not the others! Am I an exception or did this happen to you guys too?
Done! Recovery was fun!
Took me a while to get flag 2
decrypted the files but not getting the last flag
recovery is interesting so far, still missing flag 2 and 5 though
Hi, in the xss room - task 5. i craft the correctly payload, i steal my cookie. But not the cookie of jack 😦 i wait but nothing, something to do?
It works a lot better if you host your own HTTP server on your attacking machine, and then redirect the user to it (with the cookies sent over as part of the request)
yeah i used a Python SimpleHTTP
when i returne to xss stored page, i am automatically redirected to my server.
yeah- that's normal
look at which one is your cookie/requests
and then see if you can notice one that's different whenever you go onto that page
you might have to do it a few times
or navigate around the other parts of the website
yep, i tried with another account but nothing happens 😦 , i just get my cookie one more time
i followed your instructions, but jake is sleeping
lmao
😂
yeah idk it was kinda weird
to be honest the XSS room is kinda lame and doesn't work properly
I'm actually developing a much better and modernized version
expect it eventually
oh okay ! good job and good luck :p
question about room scripting. I can't get the first message from the server. I tried udp and tcp and 1337 and 3010 as first port. Still I don't get an answer from the server. Does anyone have a nudge for me?
and I tried with nmap to get the open ports of the server but it seems that the server blocks such requests
Is this for Task 2?
@mossy obsidian I tried the same approach but not getting the flag for base64 task, can you help me
@white salmon yes
You have to do a HTTP tcp request to port 3010
and then it'll tell you which port is open in there
only one port is open at a time, and it randomly changes
it will eventually cycle to 1337, but if you want, you can do a faster method by just finding the current open port via 3010
@nova steppe honestly my image is 99.9% of the solution. My mistake was in the first loop, just look at the variable names and make it simpler again.
your algorithm is wrong because it needs a total of 15 loops
oh wait
i see
have you tried doing it in the other direction
Yes no luck with other direction
That’s definitely the right order
are you sure the text file is correct and hasn't changed in some way
The thing is I'm not getting any result back just empty line
Ponspector is right though check the no of loops
no he does an initial set that already does 1 iteration of decode
so it's 15 total times of decoding
it might be something with your text file- what's the full line of your file read?
Can we please use the screenshot tool rather than a cell phone image?
^
Please and thank you.
It's not only a good habit to get in to, it also shows that you're willing to put in a bit of effort when you're asking for others to put in effort to assist.
I would take that initial decode out and make the variables consistent
i honestly don't even know if you're reading the file correctly
because the rest of the line is cut out
if you get a blank input, that means that something went wrong there
Yeh checking that
There’s some off the side of the screen that I can’t read
But I don’t think it’s necessary
Have you tried doing a print after reading the file to make sure it is read?
I almost kinda can guess what went wrong
in networking basics there is a question that seems not to accept any proper answer:
What kind of protocol is TCP?
it doesnt accept connection-oriented
or reliable
chances are you probably read the file wrong- and you haven't converted it to a single string, and instead is trying to pass an array into the decode
nothing of sorts
@mossy obsidian yeah changing a bit
It’s in the information @white salmon
As well as that it’s on google, try reading it all again
Thank you :D
ok i removed it
sorry
still the inputs are quite strange sometimes
not very precise
Sometimes you need to show your understanding rather than just repeat what someone has already told you
@mossy obsidian got the flag, thankyou
@nova steppe nice one, well done!
I am at room "Scripting"/Task 2. I did the task not with python sockets but with python requests. I can connect to the server and read the first two ports. But I get an error after 2 - sometimes after 3 - requests.get(...): "Connection refused". Even if I add a time.sleep(10), the error occurs. What should I do?
@winged isle That means that you might've done something wrong with your logic in the code.
We aren't providing hints/help with Recovery for several more days to allow folks an opportunity to solve the machine first.
Sorry Manitorpotterk.
@white salmon Can I send you a PM?
sure
Hey can somebody help me with the Cross-site scripting room? I'm stuck on the first question of Dom based xss. I tried different payloads even one from the write-up but still it's not working
Are you putting it in the right place?
I guess so even writeup says so
hello guys im in room smaggrotto idk how to stabilise shell
python
Python is not on that box as far as I remember
Try python3?
any hint for root in "Year of the Rabbit" ? 😄
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
nvm
```
# id
uid=0(root) gid=0(root) groups=0(root)
#
```
# = Root User
$ = Non-Root User
(Just so you can identify them without using commands) ;)
Hello, I'm doing the Mr. Robot room, searching for key #2, and I'm not sure what to do when it comes to the payload I should use on the xmlrpc.php sniper attack
I'd appreciate any tips
@trim haven mm thanks, but why do you say it?
It’s a tip so you can tell the difference in the future ;)
Room: CTF collection vol 2, Task 4 - I have successfully performed the ||time based sql injection using sqlmap -r login.req --dbs|| and i am getting some ||tables||. My question is, how can I interact with them? The output of ||sqlmap|| is just text so I am not sure what I need to do to actively browse those ||tables|| - any suggestions?
Question from noob... I am trying Basic Pentesting room.. I have discovered the hidden directory "development" and I am now trying to determine how to go about brute-force the username
I am unsure what direction this is going, any guidance?
The next step suggests brute forcing the username & password but it does seem kind of out of left field to begin brute force here
It doesn't suggest brute forcing the username
is there a way to do the Jack room without using burp? the hint says ||ure_other_roles||, assuming this was a ||URL parameter|| i tried to input ||?updated=1&ure_other_roles=administrator|| which returned "profile updated" but no plugins tab shows.
You can use browser devtools
You need to actually understand what the vuln needs tho
Same with using burp
thanks ill research more of that
Am I missing something really obvious for the privesc on the learnlinux room?
Nope
it's not obvious
It's pretty well hidden- but it's not entirely hidden
It's still visible fairly easily, but you have to really be observant on things that look out of the norm
I'm trying to work out how to abuse the SUID files, is that the right direction or have i fell down the rabbit hole 🤣
i need a hint for Recovery
because i tried every thing iknow
but nothing
any help
y
You're on the right track- but you might be going down the wrong hole
is this a hint!!?? 😆
oh that was for @gleaming salmon
I actually haven't done Recovery yet, so sorry
lol
But have you tried enumerating everything, or looking at what files you have access to already?
yeah, I'm not sure which user to use for context
I want access to root or nootnoot
They say they wont give us hints for recovery
why
haha
I mean, the title of the room is "Recovery"
so that might give some insight on the kind of tools and strategies you'll have to use
think forensics and steganography possibly
@gleaming salmon Identify which one is the "easiest" to access- and then try and single out everything about them, such as files owned or permissions
Indeed
@gleaming salmon You can't abuse the suid perms
They have a setuid() call before the unquoted path, so you get the next user up the chain but don't get root
@timid iron try to think about what could cause that loop to run, then it will be easier to circumvent it
@stuck fractal I was looking through what files they accessed to see if I can redirect the execution. But I'm pretty sure there isn't a way with those files.
I've definitely over engineered this 😆
@gleaming salmon which CTF you are talking about?
@ripe rock
@oblique cliff which task?
@gleaming salmon message me to help
@oblique cliff the challenge when i first did it is quite easy
Hi! someone already completed the Splunk room? I'm very confident that in Task 2 #21 the answer is rename but I receive wrong
#692465827143876689 search for it, it's not rename
@ripe rock ???
Hello, I am stuck on the Cod Caper room. I am up to task 5 #3. I am using find as it says but I can not find anything more than ||the SSH key. When I copy this key to my machine and try to hash it with ssh2john I get the message id_rsa has no password!"|| I cant see anything else pointing towards what I am after. Anyone able to supply a hint?
The ssh key is a complete rabbit hole
Keep looking for stuff that's out of place on the box
I don't remember precisely, but it's fairly guided
Still cant find the ssh password with how guided it is lol
@ashen matrix One question the challenge requires ssh2john?
It does not.
@ripe rock It doesnt state it. It says to use 'find' to find the ssh password but ive only found the old ssh rsa_id
As I've said, SSH key is a rabbit hole
Ninja i already know that the challenge doesnt require that, i am trying to tell that dont focus on one thing like you said think outside of the box
could anyone help me out with ignite? ive been stuck for probably 2 hours on trying to get a damn reverse shell
im using the guided path but I literally can not see any -type f file that has a password in it
@ashen matrix can you tell me the find parameters are you using?
I am fairly new, as you can tell, but I think youre meaning this? ||find / -user 'pingu' 2>/dev/null||
I have expanded that to include -type f so it only shows files, and i searched under the second user
In burpsuite room I am attempting to start an attack. The question states:
"What is the first payload that returns a 200 status code?"
However, the only status codes I return are 401 and 500.
I have made sure that encoding was disabled.
The picture is how I have my positions set up.
What am I doing wrong?
Think you're not meant to have both selected, only the username from memory. I will check my burpsuite to confirm
Ill try!
Sorry I should have given you more of a hint than that. apologies about that mate
Maybe a setting is ticked that shouldnt be
check the question 1 up from the one youre working on
What is the payload list you are using?
xplatform-shortened.txt
@ashen matrix Checking my notes,you find parameters have something wrong
OK thank you tecno
@ashen matrix Did you find the file?
@ashen matrix NP we are here to help
under linux challenges there is a question Flag 16 lies within another system mount. , i have found it but it really does not make any sense
i am trying to understand how is this another system mount
it is not shown as mounted anywhere also how is it another system (filesystem?)
neither findmnt neither lsblk , fstab
nowhere i can see that its another mount
or another filesystem
what am i missing here? i have the flag, but i dont understand
Is it even possible to access the last flag in the Learn Linux room without the use of sudo? Starting to run out of ideas lol
@obtuse sentinel None of the shibas have sudo rights. Maybe someone else does.
🤔
(I've completed the room, I'm not misleading you here)
I thought I got it for a second by logging into the user noot, but it still doesn't have sudo perms😢
@white salmon try asking in general chat? Maybe someone there could answer.
Alright so now I'm pretty sure that the user is nootnoot, but is the password given at all? I thought it was "root" because of the linked image, but it came back as authentication failure.
root there is the output of the command
Keep looking on the box. Look for files that are out of place.
alright
Question about room CC:Pentesting, Final exam
Can the final exam task be completed by all the information provided in the room itself, without having to use any other tools?
I'm pretty sure yes
I have a doubt. Like if we use motd/00-header and edit it with a NC reverse shell to attacker's system. Then if we reconnect via SSH again will we have a root shell?
What room?
I was doing the bounty hacker. I completed it tho. But I was wondering
If we can use 00-header for nc
You have the resources to try it out
Alright i will try that😅
wrong LHOST
Your machine and the target can only communicate over the VPN
So all the addresses involved need to be VPN addresses
Don't trust the access page
use the ip from your tun0 interface if you have it
If you don't have a tun0, make sure you're running the VPN directly on kali
really love the "recovery" room so far. it is something different and I really like it. still missing flags 3 and 4. thought I found all the damage done and reverted it. But I guess I did it wrong or just missed it .... hmmm
@final mortar are u quantum from telegram ?
Ah yes I'm the same
This is not room related, so we can't talk here @ocean tendon
Ok
You probably did something wrong
Terminate the room and try again
If you mess up the service file etc it won’t start
And that is what it seems like
You’re doing something wrong then
anybody help me out in smag grotto room ...i have got the user name and passwd and host name from ||pcap|| file
I can’t read your errors it’s too hard for me to read. I’ll have to wait until I get on my computer or someone else will have to help you, Adigeefe1907
Anyone tried cowboyhacker 😐 let me know please
`ftp://.........../lock.txt` not opening
i got the data from pcap bro @subtle kindle .....what to do next .....i can't able to go to login.php page
Hi , in the room "Recovery" , I'm bruteforcing the ssh password for the other username. ,am I doing great?
@sharp sage what about setting a host
how to do that ....thats what i can't getting....
Is anyone who's struggling through Intro to x86-86 want to do so together?
is that from etc/host
@stuck fractal
Can you explain why it is like this?
In order to increase privacy and safety (and also gives THM the ability to scale up almost infinitely), THM wants everybody to access their machines/network via one inlet, instead of trying to put all their machines out on the public where a lot of bad things can happen.
You use a VPN which basically is like telling your computer "Hey, you're part of this local area network so you can talk with these machines as if they were right next to you"
even though the machines may be really far away from you.
It's all via the internet still as well, but you're able to be on the same "logical" network if that makes sense.
Ya I got that but I want to know what exactly has been done so that we can only access machines through vpn
You'll have to research that more on your own. Try looking up "VPN Server"
Ok thanks
@ocean tendon
It is locks.txt
login to ftp , ftp <ip>
Damn ! Ok !
also I think you can't read files through ftp you can only share files using ftp so if you want to read locks.txt then you'll have to download it on your machine first
finally completed the recovery room. And I LOVED it. Is there other rooms like this, where you have rather to repair things, than just trying to get in? Would love to do more rooms like this https://tryhackme.com/room/recovery
yeah a great room, Stuck at flag5 tho
@marble dagger #522158404614225920
@wraith tapir the hint i gave you wasn't enough?
I need that hint
flag5 is pretty easy if you understood what the ||malicious library|| is actually doing
Done with recovery too. Got bitten by the good ol' python2/python3 differences 😅
oh wait let me join the room first
very nice room indeed
i'll be making a writeup for that one soon™, just need to take care of few things beforehand
Question about the metasploit room: I have metasploit version 5 (checked it with version command) but if I type db_status the connection type is http instead of postgressql
@final mortar thanks 🙂
@winged isle is that the latest version
@oblique cliff If I type version in msfconsole I get: "Framework: 5.0.102-dev- Console : 5.0.102-dev-" so I think yes
Hi, im stuck at Recovery room, should i bruteforce the hash i found?
it's not even in the rockyou.txt :/
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
We politely ask you to respect the competitive nature of newly released challenges and to allow at least a week before asking for hints and/or help. This rule should be used as a guideline when providing help to others.
@topaz mason no
@wooden mist Thanks
@marble dagger can I dm u ?
Keep in mind folks that the Recovery room is brand new. Hints and questions for new rooms should be held off for the first few days of each release before asking.
a week
There is no current hard date. But thank you.
Rule 13 does say at least a week, maybe I'm confusing things
Guys any help with flags 2 and 5 on recovery ? Got the rest.
Guys please help with burp suite room, task 12 about estimated entropy?
Going to need a little more information please.
Like what infos? It's on task 10, question #6 and #7. Can I dm?
We can chat about it here :D
I help with many rooms so it all becomes a blur, I just need to understand what you're stuck with so I can help you
Task names etc are really useful
@silk prairie The answers are right where they are expected to be
The answer to #6 can also be extracted by reading the #7 carefully
At this point you need to provide more information about what isn't working for you and also to establish the fact that you are even trying
hello guys any hint on the haskell room found the hidden dir to upload file all the extensions i try is not working
any hint pls
??
What have you tried? @sinful plaza
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
It tells you the type of file you need to upload
@oblique cliff i try changing some extensions to get a reverse shell but no luck
did you read what the webpage says
cuz it says pretty clearly what the back end of the server is doing to the files youre uploading
Your file will be compiled and ran and all output will be piped to a file under the uploads directory.
do you know how files are compiled
gcc -o program yourcode.c, for example
is it the same to compile a C++ program?
no
cool
Hey guys, has somebody done the room "JVM Reverse Engineering"? Could I ask hints of the task 6 and 7?
so now, it tells you what kind of files its compiling
so you need a file that will compile with how its trying to do that
you dont need to know how its compiled
you just need to know that its compiling ||haskell|| files
so you need to write something in ||haskell||
hey! i just started the room recovery. Can someone have any clue for me? Idk why there are ||2 ssh running|| and the ||http is encrypted|| thanks in advance. 🙂
No clues for new rooms unfortunately.
Give it a couple of days yet before we'll start allowing hints, etc. on it.
okay 🙂 Understandable
@empty widget Task 5 + google gives you everything you need to solve it.
can i ask my doubt in room help for this?
No
No help is being given for questions on new rooms within the first several days of release.
You're welcome.
Did someone notice that in Blaster's Room you can actually "also" hack the machine across CMS wordpress, interesting
hey btw why does the recovery room ssh always keep disconnecting is it a part of the room or is it just technical issue
I did not type "logout". Can someone explain this?🤔 if it is vpn issue I shouldn't be able to reconnect right?
Who typed it then?
now its really annoying i keep disconnecting. I tried regenerating my ovpn and restarting the machine
Perhaps the box is trolling you?
hello, i'm currently at the final task(24) in cc:pentesting. found the required hash,gotten the password.. tried to ssh into the machine but i keep getting "permission denied, try again"
please, what could be the problem ?
Wrong password, wrong username, wrong box. Password could be for something else.
it didn't ask for a username, just the password. also had to get the hash from a hidden dir. on the web server. tried leaving the room, reconnecting the vpn connection but issue still persists.. also checked through the writeup
true!! silly me, thanks
ssh will use your local username if you don't set it explicitly
Technical issue probably
@trim haven not technically issue thats part of the box
@white salmon thanks for clarifying
oh gods that part was annoying
but yeah it's intended
until you fix it
there's also a workaround
don't use bash?
does it have something to do with ||ssh_config||?
hehe
Hi, i'm on the Bounty Hacker room, task 5. I know i'm supposed to brute force SSH with hydra, but I've tried cracking passwords for all the usernames I saw on the box, and got nothing. Any advice?
did you use the right password list?
I was just using rockyou
@tender swan you have to use the password file given
Thanks a lot
not that file
@ripe hedge okay
one of the tasks asks you for username iirc
^ That's for @tender swan
Have you tried searching for the error online?
I'm guessing you need to update Ruby on your machine.
yes god know what all things i have done with ruby
i tried installing many gems to that i found...various soln on stackoverflow n all
i'll try updating..
Have you searched for that critical error?
Surely there's a post/issue somewhere about it.
ok i'll check again thanks 🙂
https://github.com/wpscanteam/wpscan/issues/1495 i even asked on this thread i remember i just had to quit using it i followed even the reddit link but still the same i think wp-scan is imp tool so i can't avoid it if you found something plz share
this was in may when i opened this thread they just said reinstall kali😩
you should hide that i suppose
@trim haven not technically issue thats part of the box
@white salmon When they just say "Keeps disconnecting" I have no information to go on, thanks for helping :)
Any hint for "Year of the Rabbit" room ? I couldn't get anything from the ||video|| and ||/sup3r_s3cret_fl4g/||
@subtle kindle you saw the hint ||disable javascript|| then do it
yup there's hint in that video keep watching it
you heard the msg in between I hope
@arctic crystal there is....???
i dont remember that. I remember the exact opposite
its kind of funny actually it says ||you are looking in the wrong place burp I have hidden it somewhere else||
or even the ||disable js|| msg can lead you that way
oh, yea i guess thats a hint, i didnt even realize until you now say that that it is a hint
sry, i'm a beginner and just need help for a basic thing 🙂
i just don't know where is the "binary"
💔
so you can find the binary using the find command, which theres a great tutorial of in the room thefindcommand, or you can just look around the directory for it 🙂
@oblique cliff Nope, this is the first one, no need to use find yet
Find comes up later
Simple is better
ok fair 😦
oh, so i need to do touch noot.txt
i delete and go back to my cave
can i get a hint for the abnormal service running, question 3 from task 4 of hack park? i've listed the services, and searched through Program Files (x86). SystemScheduler seems interesting, along with Message.exe
i would say that that service is quite interesting 😄
you dont seem like you need a hint at all 😉
@white salmon It's asking for the service name as given by sc
i thought i was on the right path lol
I think you are
i'm not very familiar with the sc, i found my processes through ps in my meterpreter shell
Processes and services are not the same thing
@stuck fractal ah hah! that was helpful thank you
Windows is hard, don't worry
lol especially when you've been using linux as your daily driver for the better part of a decade.
ive used windows my whole life and its still hard 🤓
thank you to @oblique cliff and @stuck fractal both, you guys always help me out in a pinch
thats we're here for ❤️
https://github.com/wpscanteam/wpscan/issues/1495 i even asked on this thread i remember i just had to quit using it i followed even the reddit link but still the same i think wp-scan is imp tool so i can't avoid it if you found something plz share
@eternal brook anyone who can help me with this?
is this for a specific room?
What room?
We're gonna keep asking until you tell us
It's not for a specific room I've been enumerating WP sites manually but j think I need this tool it's not working for me... it's generally required in every WP site
It also appears to be a bug with a tool, which is massively outside the scope of #room-hints or #room-help really
@eternal brook This channel is for hints on rooms. #general
Cause I posted on their GitHub too they just said reinstall kali
Yeah I understand
Can you tell some good alternatives if you've used any?
I've found some on the net but I don't know which one to try..
what are we supposed to do on recovery? I've only managed to get one flag.
(I'm rooted atm)
youre supposed to get the other flags as well
lol well youre probably not supposed to delete it if i had to guess
dam it,
i assumed but way to stop it..
but it did not work
so not i'm a bit lost hahah
havent done the room yet so idk.
i also dont know if the creator wants hints to be given out yet since its newly released
I'll try a reset
yeah its cool I wanted more to do more, I'm used to a root.txt or user.txt being about haha
Any hints for anothereasylevelctf? I can't figure out where to look for the ssh password. Or I can't have a hint because it released few hours ago? 🙂
we dont give hints/help for challenge rooms that just come out
Okay , so how many days is the cooldown period?
And after how many days are writeups allowed to go up on the challenges?
Again up to the room creator. They choose when they are accepted and shown
Okay ,thanks
Np
Is there a way to check wether a user is present on the ssh service or not?
hi all, i'm stuck in room "Easy Peasy" for flag2 and the hidden dir. I found flag1 and flag3. is it possible to have an hint please?
@empty widget Task 5 + google gives you everything you need to solve it.
@white salmon I had googled how to solve it, but I encountered a problem after I decompiled the jar file
@empty widget I found that when I recompiled it after decompiled, it will output some unreadable characters, and those chars look like unicode
@white salmon we don’t give hints when the room just dropped
ok thank you
funny i rooted easy peasy but still couldn't find flag 2. i just skipped it and continue on with everything else. other then not finding flag2 the room was kina easy.
Any hints for Learn Linux room - Bonus Challenge? I've tried navigating to all users' home dirs, tried searching for 'password'
|| None of the users except nootnoot has sudo, and I cant find a way to login as nootnoot ||
Do you mean || ll or .sudo_as_admin_successful in nootnoot's home dir || ?
@cloud perch What website did you use for cracking the ||GOST HASH||? I found one online ||but it was taking forever to crack, I kept thinking that the website could not crack it||
Can someone tell me what I'm supposed to type in for burpsuite task 13 #1? The answer is so long, idek what the heck to put.
Use the find command to see which users own which files
@oblique cliff Found it, for some reason I was not seeing the file name, maybe paid less attention
It ask for the "critical issue", from the downloaded report, but I don't know what to write. I think it's something to do with ||cache poisoning|| but... I honestly can find anything long enough to fit the number of asterisks.
Look at the category that critical issue is under
anyone give me a hint to decrypt GOST hash ?
got shell as www-data in the room Smag grotto browsed some directory and used a script linenum but no success what am i missing?
@steady elm linenum some more lol
has anyone done the room Set? and if so can you give me a hint where i should start looking. i
be specific 🙂
@final mortar first flag
that's not specific
you should start looking through the stuff on the website
Maybe you can start with what you have already done and what do you think it can be
Hi everyone.
Linux Challenges, Flag 16: “The flag is within another system mount.”
Stumbled backwards into the location. Couldn’t see this mount point in df, mount or findmnt. Is there a “proper” way to discover the mount point? 🙂
I’m sure a system mount is usually like a flash drive or some sort of external drive 🤔
hi in easypeasy I'm using gobuster for flag1 but probably the wrong wordlist......just a hint...
Use the right wordlist? I don’t know what you’re looking for.
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
@white salmon I completed the room with /dirb/big.txt. No more hints
http://tryhackme.com/room/25daysofchristmas
Day 13
Question 3
Looking through writeup, says to open Google Chrome to find favourites. However Google Chrome is not installed.
Hint please.
I'll try resetting machine actually. Hold tight.
Hmm, still no chrome. :-(
Do you know what that exploit does?
Which? The one that is meant to be in chrome and isn't, so I don't know about it?
You don't actually need chrome, you can use IE.
No favourites in IE.
I'm trying to figure out how I should be finding the next step without a walkthrough
You need to set IE as default program
I don't think you understand
Without the walkthrough how would I know which exploit to use
You use your brain and the hints given
To blindly follow walkthroughs without understanding will probably not be very beneficial
Are you connected to the vpn
If you do an ifconfig do you see a tun0 interface?
Sorry misread the question
"Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up."
It's probably just not responding to ping
in the description for Alfred
Shouldn't take more than 3 or 4 usually
If you can get to a webserver, then it's likely up
Did you use the option to not ping?
There's a switch that basically says I know the machine is up, don't bother pinging it
Try that
To blindly follow walkthroughs without understanding will probably not be very beneficial
@white salmon I was trying to understand the walkthrough. Checked a different one that suggests a different approach using hhupd. A useful hint from someone would have been look for an weird applications or exes.
Not saying you have no useful comment
Aimed at some of the other comments
Ahh I'm so sorry for my bad english, I couldn't understand, I will restart everything
@subtle kindle just saying that nmap --help might be helpful
I was messing with chmod and now im locked to move to my home directory. Any help guys? Room is recovery
some boxes drop ICMP packets
@subtle kindle They already told you that you can't ping this machine
I'm going to restart everything include vpn
@subtle kindle so try to use -Pn flag with nmap
You're missing a flag for nmap
you need to disable ping when using nmap
You used -Pn?
I was messing with chmod and now im locked to move to my home directory. Any help guys? Room is recovery
@gentle plume I used chmod -R +rwx alex. it worked. phew
Did some1 solve the 'Easy Peasy' room?
@somber crag The scoreboard says yes.
Xd
Rofl
can you paste your full nmap command here
Hi all. Currently in new room Easy Peasy. Have completed all questions less: finding flag two #2 and flag three #3. I have gobustered each new directory and also checked from a root perspective but can't see anything more. A small pointer would be appreciated.
No hints for new rooms 🙂
If you have root, I suggest you to check the web server directory and also check source codes of pages you see
@final mortar Thank you. Just found one - easier to read in a black background with green letters. Much appreciated.
quick, hide 😬 we did something illegal
#mylipsaresealed
hello i'm stuck for easy peasy because i don't have all the port open in my nmap scan
it is normal ?
use -p- to scan all ports
ok thank you
hi, I'm at task 21 at the Learn Linux page, I'm supposed to run a binary called shiba2 but it's not in the directory... a hint?
Just stay in room help since we’ve started there
okay
If anyone has done room Ra (room/ra) please dm me. Stuck on privesc
Just state your issue
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
scrap that, figured it out lol. Turns out I didn't read exactly how the script was reading ||hosts.txt||
room: Easy Peasy
I have got the second flag and the ||image|| but I'm stuck after that, I'm unable to extract anything from the ||image as it is in webp format|| I just want a little nudge can someone help?
@arctic crystal The image you are looking for may not come from an external site 🙂
@arctic crystal That's not the right image if it's in webp
ok but I scanned using gobuster and it only gave me one directory
@white pike it says jpg but when I save it in my machine it gets saved as webp
room recovery:
hello! im stuck after 1st flag. I found out the ||htdocs folder and the files are encrypted|| keeping them aside for now how can i modify ||sudoers list||
i used tar/nano/cat to read the file first but no luck
i can't even run ||sudo -l|| as im not in the ||sudoers list||
yes find some other way
So, I can leave the ||sudoers list|| right?
ye
any idea on the encrypted files in ||htdoc||?
@gentle plume Theres a decryption key somewhere on the fs. Use a common binary to analyse the malware to find the encryption type and google search
okay. thank you 🙂
hello guys in the haskhell room when i upload ||reverse-shell.hs i still get Internal Server Error. Please try again. || what am i doing wrong pls
Hey guys, I'm having some trouble finding the 2nd flag on this challenge: https://tryhackme.com/room/easypeasyctf
I got the 3rd flag and the hidden directory as well but not the 2nd one
its weird but only a particular || website works to decrypt the flag2 ||
Oh I see
nah
Does it have anything to do with anything from within the hidden dir?
Or with the custom user-agent?
the second one
Remember this is the hints channel guys. At least make relevant info a spoiler
Oh shoot, my bad
@timid frigate delete or put your messages in || to mark them as spoilers
Hey guys, I'm having some trouble finding the 2nd flag on this challenge: https://tryhackme.com/room/easypeasyctf
@timid frigate delete pls
hello guys in the haskhell room when i upload ||reverse-shell.hs i still get Internal Server Error. Please try again. || what am i doing wrong pls
@sinful plaza nvm i have it lol
Hi y'all, im working on the room CC: Pentesting, and im looking for a hint on task 4 question 14 (the hidden file with extension xxa)
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
It's hard to direct a hint when I have no clue on what you've tried
apologies, the entire task is on gobuster. which i've used so far to list several hidden directories of which 1 can be accessed. the name of one of these directories is the answer to question 13
thx @trim haven 🙂
wut
was under the impression that gobuster dir would list both files and directories found. i altered the command with an extra switch and now it found the answer
hello, i'm on the task 2 in find command room.. for the first #1 was told to Find all files whose name ends with ".xml"
which i used this... find / -type f -name *".xml"
says its not correct..please any hint on this ?
A good way to work out how commands work is by trying them
Use the command on your own terminal and see what it outputs
It gave the right input?
yes it did.. searched the whole filesystem and gave out files with ".xml" at the end
oh thanks it worked!!.. i'm still surprised the command ran on the terminal without encasing the asterisk..
Hi, in the room Easy Peasy i have found the first 3 flags, but the big folder is elusive, can you please legally give me a tip? Thank you
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
@white salmon not allowed to give hints or help for a few days as it's a new released room ^^
I understand
@final mortar 🔥
Room recovery. I have root access, solved flags 0 -4 and please need a little nudge for Flag 5
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
@white salmon particularly the bottom
It was "wait at least a week" till yesterday @oblique cliff
It was changed again today
yea i know, they left it arbitrary on purpose 🙂
!rule 34
Rule 34 does not exist.
just finished Recovery , AMAZING room ! (who is the creator?)
#522158404614225920, and it says on the site 🙂
will do thanx
Hey guys, I'm currently stuck on the second flag of the Easy Peasy room. I've solved every other task except getting the second flag. I only wish to know if it has something to do with the ||User-Agent||. Can someone give me a pointer?
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
lit
We aren't allowed to help yet
Alright, understandable. Thank you anyways 😃
Try harder?
Hey guys, I'm currently stuck on the second flag of the Easy Peasy room. I've solved every other task except getting the second flag. I only wish to know if it has something to do with the ||User-Agent||. Can someone give me a pointer?
@wide hatch btw that user agent IS the flag 😆 but we can't exactly give hints regarding it due to rule 13
si
Is there any problem in eu regular server 2 ??
i have deploy a machine but it is buffering for quite a while but didnt show any result
No
What exactly is the issue?
@final mortar I am going to slap myself... I didn't even think about it. I finally solved the room. Thank you very much!
Can you give a indian in flag 2 in the newly arrived room
No, because it's a new room
I think they mean when can they upload it as the room is still fairly new
To the room itself
there’s a writeup tab
@oblique cliff That's where, not when
Oh I misread his message twice 🤓
Is there a certain amount of time that should pass before making a walkthrough video on a new room for youtube?
Yes
When writeups in the room itself are released
ahh ok thanks guys
am i just missing something, or could steelmountain possibly be bugged?
last step, it wont let me rename, move, or overwrite the file that needs to be replaced
access denied
Been stuck for a few hours on the intro to x86-64 room, last task. I found s***et, there seems to be a call that does some kind of ||xor|| but I don't understand it. I set a ||break point before the cmp call when it checks if the password is correct|| but looking at the rax register after that, I can see it's 0. Not sure where to go next with this. Any suggestions are much appreciated.
@robust lagoon looks at what it’s doing to your password
@white salmon man I swear to the lord
@oblique cliff it appears to run two functions on it that do some reloc operations and seems to ||divide a memory location by 8||? God this is Chinese to me lol.
Put breakpoints and dump the registers
You don’t need to understand the assembly at all
for this
I set a breakpoint right before the cmp call. Should I set one on each of those functions mentioned above?
In which function
last step, it wont let me rename, move, or overwrite the file that needs to be replaced
@river oasis if you are trying to replace the ||service executable|| make sure ||the service is stopped|| beforehand
That's also not how you're meant to do it, as that's not an unquoted path exploit
Replacing the binary works, but it's not the intended
but that's what it says in the directions, it says to replace the binary, is there a better way? and also @robust lagoon i did. i even killed the VM and spun it back up and tried again
The way to do it is by exploiting the ||unquoted path vulnerability||. You don't even have to ||replace the original executable||.
@oblique cliff popular demand for RE kek
Like I said there should be a bot that pings you any time that room is mentioned
Or just go make a walkthrough
Lmao is it that popular? To me the jump in difficulty is pretty daunting for anyone just starting out with RE but again I bet it's not even that hard. I'm just blind most likely 😅
I hacked it though! I just replaced the mysterious file with all a's and I got it to say 'Correct Password'. Take that challenge! "Cries in RE"
Incorrect- it's actually pretty hard
i didn't understand it on my first time around
But, although you managed to make it say the correct password, do you know what the program does still?
Ah, good to know at least. Will give it some more hours maybe I end up getting somewhere but it feels i need another course to get this one
I saw an xor operation but not sure if its what I think. Apart from that it seems to divide stuff and compare the remainder but I'm definitely not sure on that either
Well, I wouldn't consider it a success until you've reverse engineered the function of the program tbh
it's not as hard as you think it is though
Yeah was just kidding cause I won't get the flag by just making it say success 🤣 boosting my own morale here
if you want another crack at it, try to think of it in terms of a simple program in a higher level language
break down the program into its core functions in a broader scale- the assembly you're looking at is basically a broken down version of a normal program in say, C++ or Python
and it's a fairly simple program as well- you already know more than half of the program in a way
because you put in an input, and then it has a text that it does something to
the last question you just need to figure out is "what" is being done to the text
Often times, if you think about it, a lot of "processing" is actually just a loop that goes over something and does stuff to it, right?
so in the file, you can kinda see that there's "one main loop" that the file does a lot, and you can confirm this with breakpoints
It should stand out to you to put a breakpoint before the loop, and after the loop, (and possibly inside of it) and try to identify your inputs into the loop- look at the registers before the program does all its processing
then look at the registers after the program does the processing, and see what has changed
you might be able to figure out the algorithm just from that
so anything Smack says overrules me for this RE stuff. But my piece of advice is you don't need to worry too much about the assembly functions themselves, and instead set breakpoints and dump registers at various places and see whats happening to the input

