#room-hints
So guys, one more question. im at task 33. Ive created a dir called test with a file called test1234, where do I start searching from the binary shiba4?
Apologies for the dumb questions
Try switching directories/users

@winged mist Hi Nerdy Elf, I tried creating the dir test and the file test4. even tried creating the binary shiba 4 and running cat on it, no joy
Am I missing something here?
Thanks for the help
new to linux so learning as Im going along
There's a directory you are told to look at yeah?
||Find|| to your rescue
@lyric oasis you're actually really close, use a cyclic pattern, mona makes it easier, but it doesnt matter, you can search manually, just get what ends up in EIP and search your pattern for it
gonna write a program, thats the opposite to find, and call it lose, puts the file at a random location in your filesystem
actually I've used pattern_create.rb ..... i will try again
||makes me think of HTML headers, but I don't know which port and which headers since they all seem to not matter||
On WireShark 101 room task7 i don't get it "What 4 packets are Reply packets?" i found those 4 packets but i'm stuck
it just wants the numbers of the packets, first column in the wireshark table
so e.g. 1, 2, 10, 99
it's the Flags in DNS ?
no, you have wireshark open right?
yes
and the main part of the screen is a big table, each row is a packet captured on the interface
and you have columns for destination IP, source IP, protocol etc
still with me?
yes
ok, what's the left-most column called?
info
got the answer now?
oh c'mon it's just those No. for "Reply packets" ?
You got them correct the format is wrong
i had the same problem
dm me if u want
yeah, it's asking can you identify the packets, and that's how they're identified, with a unique number
yeah but the order of them has 2 be correct or it will say incorrect answer
i been trying to find something else more complicated than this.
Thanks @median compass
a hint on this question needs to be made, or the question asked in another form. It's hard when u don't get what is asked.
i get those packet but still wrong in the answer
||76.400.459.520|| i still don't get it
the 'Answer format' that fills the box before you start typing shows you a pattern for the answer
it's commas, not full-stops, between the numbers
Hi together,
i am doing wifi hacking 101 using aircrack-ng
first question on section 2 uses airmon-ng
but I somehow have only aircrack but not airmon on my kali machine
aircrack-ng is a suite I believe. If you have one of them, you should have all of them
yes
Since aircrack-ng is installed, you already have airmon-ng, but it's in /usr/sbin so it's not on regular users' PATH. You typically need to run it as root: sudo airmon-ng
found this
thanks
You did your own research while waiting for someone to answer. I like it
Yo all !!
Need some information about Mr Robot chall
After how many iterations did you find right password to login ???
you should only need one to get the password as far as I remember @fallow sapphire
@fallow sapphire if you're talking about the Mr Robot machine that is also available on vulnhub, its about the second or third last in rockyou
takes way more than 5 minutes
do all the machines use a password from rockyou?
isn't there a wordlist for the Mr. Robot room?
idk
if you have a room that needs a password to be cracked then it's usually in rockyou yes
ight thanks
some passwords are not meant to be cracked though
The policy is brute forces should take 5 minutes maximum. For passwords, it should either be rockyou or a wordlist that's hinted/told somewhere
that's not really the point, the point is being able to crack, no one learns anything extra from spending 3 days running hydra, hence "should take 5 minutes maximum"
See how many of the linkedin breach passwords can be cracked with rockyou
That sort of thing shows you that rockyou is not useless
oh ok then i get the point
meh, i recovered my bosses password with rockyou
because he asked
man i thought rockyou was outdated
yea weak passwords
Please don't make statements like that, it breaks rule 9
Ok, I'd need more context but the quote makes it seem very very sketchy
If it was an online service etc, then consent from the user isn't enough. You're attacking facebook etcs infra which is illegal.
Yeah let's move the conversation either back on topic or to a different channel
tru
One
I tried actually more of 10k password
(Fsociety.dic)
try rockyou in reverse
Okay lets try rockyou quickly
I think you're meant to remove duplicates from the list
sorry, when you said iterations I thought you meant you were doing it repeatedly, my bad. My point was only that once you have the username the password is in the wordlist, you only have to run that once and I don't remember it taking all that long
if you're trying the wordlist and not getting the password then make sure you have the right username
I'm also working on Mr Robot CTF (2nd flag). I thought... I obtained the username and password for the Wordpress site. But it's incorrect, I'm inputting what hydra provided. Any suggestions please?
ok, I just went and checked, the password is in there, but towards the end, you could try reversing the file and running it then @fallow sapphire, that will speed you up
@stuck fractal Thank you
@white salmon think about the TV series
there's no need to guess based on the show, you can extract both the username and password with tools
Yeah
I have the right username E*********
Okayy reversing .....
@cedar axle- Cheers for the tip! I haven't watched it yet, but think I will now.
Thanks @median compass and @cedar axle
I'm stuck on the same problem. Did you figure out the answer?
@median compass I was totally banging my head against the wall looking at the CAR-2014-11-004 section...
got it now though?
@median compass Within seconds of looking at the correct article. Lol..
It's a great room and that was really the only confuzzled bit on it
hey, so i'm doing the ignite room right now and am having troubles getting a reverse shell going
i found the payload and can use it, but for some reason when i run the payload with my netcat listening, i don't get the shell
@tawny remnant just check ip address and port again bro or try another method like meterpreter.
i triple checked the ip addresses
i couldnt find anything for it on metasploit, only a payload on exploitdb
whats a website where i can submit text
so i can show the payload im using
@tawny remnant try another payload or other method . Can u give me room's name?
Seems like I've hit the same snag...
good morning. Maybe somebody could help me with my question. I was wondering it there is a vnc server which could be run from a reverse-shell session on windows. My goal would be to get an entrypoint via gui even if remote desktop is disabled for the user. Any hints?
Is it related to room? If not then ask in #infosec-general .
yes its related to a room - but I don't want to spoil anything about it
pastebin, github gists...
hi
i was doing envizon but not getting idea what to do ?
all i see is login page and login page of admin
i tried some sqli payloads there but no use
can anyone guide me ?
no hints for the first 72 hours
ok
Not sure if this is a hint, but read the task description...
yeah i read description
And you read the part that this box should be tested in a whitebox scenario?
yeah
this counts as hints
all right - then I will remain silent
Hi im stuck at Linux Challenge, flag 16 "Flag 16 lies within another system mount." I did findmnt to see all mounts but i cant really find the flag
Have you checked for any mounted removable media @exotic echo
not sure what that is but will take a look into it
Hi, im on the learn linux room, the last challenge is finding the hidden flag /root/root.txt. I tried the find function nothing showed up. Any hints?
I tried it on user shiba 1 to 4
it did say permission denied as well if thats of any help with the find results
you need another user
can i ask about hints for You're in a cave ?
It has passed the 72 hours new room period, so I guess you can
grep -R -E '^4bceb.{28}$' /
Find flag 26 by searching the all files for a string that begins with 4bceb and is 32 characters long.
what am i doing wrong?
Anyone ?
No, but you need to do it with the right wordlist
okey thank you buddy
thanks, i was having a complete brain fart
it's ok, happens to all of us
Anybody got a foothold on "inacave"
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
it's better just to ask your question @white salmon, if someone is around who knows the answer and has time then they'll respond, and use spoiler tags (surrounding your message with ||) if necessary
fellas , any hints how to bypass INVENTORY On "Inacave" (java app)
holy hell elf binary debugging/analysis is crazy confusing
im following a walkthrough and i am totally lost, is that normal?
Following writeups are great because it helps you learn where you go wrong and shows you new techniques you may have never seen before and you can apply them to other rooms, they help you find your strengths and weaknesses in the topic, it's completely normal to follow them there's nothing wrong with that
thanks, this is definitely a weak point for me at the moment
stuck in RPG
There's no other way than putting serialized objects in www , either can control the environment path
whatelse ?
Oh I see
There is a way of controlling the input of the service so you can send a serialized object to it
Check out the hint of the first question
which question ? i cannot find tt
The hint in the room
wait 2 requests in one ?
No
Okay, you found the vulnerability in action.php didn't you? It works with post, try to use the same vulnerability with get
but that's a completely different thing
Not if you take a good look at RPG.java
You don't need to understand much Java to understand most of the application
Well, the serialized object is encoded
yes
what's bothering me is , whether the input we give matters
hollycrap
i got it
@woven mirage Thankss for the idea , i appreciate it
can anyone help me in this room
https://tryhackme.com/room/uploadvulns
task :8
Remove the dash?
Run select first
Then upload
Nah it's just this, those are bullet points
any hint on inacave upon entrance? I still struggling with POST. I got some valid actions via dir bust, checked the output, and tested on the application port, but still cannot get /action.php work for a single action. annoying 400...
@timid sequoia Are you sorted now?
yes sir got it thanks @stuck fractal
Great, good to hear
play with the request headers
hello physical security intro room
Task 5: padlock bypassing
question number 7
any help please...
@pseudo wraith the type of pick you a included in the sparrows orion set
Look up Bosnianbill's videos on YouTube
guys, total noob. I tried following @white salmon advice of adding a user in order to finish the last task of getting the flag for root/root.txt in the learn linux room. IT keeps saying I can use sudo to add a user and none of the shiba users have root access? I have tried the walkthroughs but prefer not to use them as doing it myself is better for actual learning.
cant use sudo
also, no idea where to find the root.txt file lol
used the find function but just lists all the files in the os
one of the things you should always do while enumerating a machine is do a find for each user you come across and look for files that seem out of place or otherwise interesting. Go back through all the users you found (i.e. become them) and try that
will do, thanks @median compass
@median compass one last question is how do I change the home directory to that of the user that I su into?
it seems to su into the proper user but doesnt change the home directory
there's a few ways, the easiest is to use su - <user> rather than just su <user>
ah that will help
or once in as that user you can cd ~ or just cd on its own usually
thank you very much for the help
that can be messed up if some environment variables are not set correctly, so su - is probably the best way to go
welcome
Hey guys in Misguided ghosts, is there a sequence for the ports to knock?
There always is
yup, that's knocking
so after getting ports from the pcap file, we have to write a script?
well if you know the sequence you can use knock <port>...
cool
if you install knockd (i think the package is)
yea already installed
thanks
yea it worked woho
!rank
Same reference kek
fellas , "inacave" the root path is it with cave or skeleton
Skeleton
Thanks dude btw this room is too hard for me .:(
@frozen oasis this room is really difficult
currently stuck in Task 5 & Task 6
@woven mirage i got in with unintended way , i never got cave user
Yeah, most people did unintended .-.
@woven mirage the root way is pretty hard, i've been enumerating the whole day yet go nothing but /bin/kill
and docke
r
Enumerate harder
Pretty sure linpeas finds one interesting thing
But I'm not 100 sure
Hopefully i'll find something
any hint for getting root in Misguided ghosts?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done.
Have you ran linpeas?
2 routes
1 found with linpeas, the other you already passed
Linpeas one is easier @royal mirage
I kinda found this /usr/sbin/visudo
Yes
So try some stuff out if you've found something
I tried to play with visudo
Well if nothing is working then run linpeas again and read the output closer
yeah cool
Just escaped "in a cave", insane headache xD ! thx @woven mirage
Glad you liked it hehe
at beginning i hated it. :p
but after all, you made a good one ! all details count
i know that some parts are maddening
@zinc dome @woven mirage its a heck of a machine, the root part is insane I'm still stuck at it.
pls some help would be appreciated it.
you are skeleton right?
look for an interesting file
that's the issue, i've been looking all day for something and i can't notice anything interesting
how are your docker skills @white salmon? You might try pausing cave for a moment and doing the new docker room, armed with leet docker skillz you might have more joy rooting cave then
@median compass Thanks For letting me know but i'm determined to finish this one first.
@woven mirage @median compass well it's quite a ride, i got root an hour ago in docker yet still enumerating for any interesting things that can lead me escalate to the host, am i missing something ?
just my last hint again i'm afraid, keep at it, you'll find it
@ember gazelle That's still a brand new room, please wait 72 hours from room release before asking questions. As your question contains somewhat of a spoiler, I'm going to delete it.
Oops sorry. I am new here so did not know about it
It's covered under Rule 13
Could I get a hint for what to do after getting a shell in room "Chill Hack"? I've done several things but I just can't get it
@marsh violet As I said just above, that's a brand new room so please wait 72 hours before asking for help or hints.
Hello guys,
Physical security room
Task 6 Question no. 3 & 5.
I am stuck at this stage 
need some hint on the mr robot ctf second question
I used hydra to crack the password, but its been like 15 min and still going
i use the file downloaded from the robot page
hydra -l username -P file IP http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 30
Can you show screenshot?
Looks alright to me. It shouldn't take that long. Try redeploying the box.
Try with wpscan.
wpscan --url http://10.10.133.101 --wordlist /location/of/wordlist/fsocitysortunique.dic --username elliot
Any help on how to escalate privilege in CHILL HACK Room but anurodh?
I found out that /home/apaar/helpline.sh can be run by www-data but I don't know what to do
Any help?
I'm stuck there too right now but it's a brand new room so we need to wait 72 hours from release for things like hint
please help me anyone (
In the Burp Suite Program that ships with Kali Linux, what mode would you use to manually send a request (often repeating a captured request numerous times)?
)tell me the answer of any easy way to reach the answer
@next granite oh gotcha thanks ,if you get any idea please ping me
@white salmon @next granite its a new room. No hints or help are allowed till 72 hours passes.
my bad @stuck fractal . Didn't realize it was new. I've been away for a couple of weeks
though I figure it out I believe
Analyze the script
I also got stuck in this machine now
I m doing room Agent sudo
There he is asking to change the user agent to codename but after changing the user name I m still not getting anything.
I have tried reading writeups too but there is also no hint but they are getting some redirection after changing user agent
Do you use any Firefox Extension, or Burp Suite to change User Agent?
Or you can try with curl
I tried both! None of them works
This gives error
Unable to solve mozila
Check User-Agent Switcher and Manager from Firefox Extensions
morning
Okay, I need help, in order to get a flag in a room, i need to listen to a mp3 file, and i have trouble figuring out how to listen to a mp3 in the terminal in the room. i know this must be simple but it is breaking my brain atm
what room what task
Linux Challenges - 32
task 5
cause nothing is installed on that "box" so i cant listen from there, or what, i dont get it
you need to download the file to your machine
Okay thanks.
My brain is so full even the simplest task becomes hard, I have succeeded, thanks for the hint!
you're welcome
Hey guys, has anyone tried chillhack room. Can I have a hint on the privesc part.
no hints for the first 72 hours
Alright I understood. Thanks @white salmon
any hints for Chill Hack room?
That's still a new room
Please wait 72 hours before asking for help on brand new rooms
Yea im stuck on getting root as well
Yeah i feel i exhausted everything i know lol been researching past hour or 2
Pretty sure when i find it, ill feel dumb lol
Ikr
I m doing room willow
Can anyone give me a hint for decrypting the random numbers given on website?
@pallid siren I just find out to Bypass the filter
do you mean the numbers you see on port 80?
those numbers you got by connecting your web browser to port 80 then?
try cyberchef
Ook let me try it
Hey folks, just looking at the Kenobi room with Samba. Once I get the file, am I correct in thinking that I need to follow all of the instructions found within? Asking only because it's a lot
Just looking for a hint on the cmd input for Upload Vulns Room - Task 8 please. Ive tried just about every cmd input (from "help") going to upload a file but keep getting "invalid command" no matter what. Not sure if im over complicating this at all but any help appreciated.
If you feel like you're over-complicating, you probably are. From the viewpoint of a recursive over-complicator
Remove the -
The - are like bullet points
Legend. Thank you.
@stone oyster, that's not instructions, it's a log file of some user actions, it's showing you the time the user made their ssh key and where it's stored and then it's showing you the contents of the ftp server config file
This is a free room, which means anyone can deploy virtual machines in the room (without being subscribed)! 504 users are in here and this room is 53 days old.
Created by Anurodh
It says the room is 53 days old
it is still a newly released room
Cool then! Lets wait
I need someone to point me in the right direction.
In the Kenobi room, using netcat to scan port 111 for the version....once I get nc to work I tried running nmap from there and it just closed.
Did I miss a step?
What just closed?
netcat
it said it succeeded, then sat there. Anything I try to input closes to a new prompt.
-sV?
Are you asking if I've used -sV?
You're trying to get the version
So use the flag for service version?
Not all services give you a version string when you connect
Yeah. Was looking and trying.
which task and question are you doing @stone oyster?
Kenobi 3-1
which port did nmap say was the FTP port? you put the answer for this into task 2 question 3
111
dang it...
the task is talking about 111 so much I didn't even think about that
sorry
ty
no need for sorry, good luck from there
Hello everyone, I have a question about the machine Hardening Basics Part 1 (https://tryhackme.com/room/hardeningbasicspart1), Task 15 "What is the last rule that should be added to an access control list?" As I understand, the last thing to do is to block or delete everything. However, the format of the answer does not match. Can someone give me a nudge in the right direction?
Search the question up it will be the first result
I'm trying to search thru and find the first low level room that had a hashcrack.
anybody recall which room that was?
Sorry. I wish I could tell you, but then I would know the name of the room.
It had Bob, I think, as the user. We need to find the hash, crack it, use it.
I wanted to look at it as an example, but I can't find it.
Looks like a new room.
There's dozens of Easy rooms with a basic hash crack
but what about with the username Bob
I can only think of one room, Linux Challenges
Is it the The Blob Blog room
blob != bob
thank you for defending my honor @woven mirage
Blob is not much here anymore 
If it is Linux Challenges I can't get in there anymore. need to pay to get in .
i mean, im sure other stuff might happen in my life
So whatever I've done is inaccessible.
For right now I'm gonna' go use my hands for work and see about building a shed,
Ya'll have fun.
blob != bob
@woven mirage gotcha
room is new, sadly no hints yet
No one here will be able to help you out with a new challenge room within 72 hours of its release
Yep
can i get a few hints on the chill hack room?
how new is it?
Hello. In https://tryhackme.com/room/smaggrotto, does the ||admin page|| on the ||development sub-domain|| actually bring back any ||command output|| or it's supposed to remain blank?
no
blob hiiiiii
miss u love u
yes it remains blank, it's a blind type of execution
I am having an issue with question 4 on "Investigating Windows"
Am I supposed to be looking at Amazon E2c Launch?
Amazon Ec2 Launch
lfi walk is bugged room i think
what room? I don't have a room "lfi walk"
me yep
Use the link to the room
ok, i'm not gonna hunt for the room, if you'd like help then post the link cause that might be the name that pops up when you deploy it but it doesn't help me find it
hey, i got the problem with owasp juice shop
task 5, #3
i downloaded the file, but i cant find the flag
i read it , i give permission 600 to the key
do a cat id_rsa for me @red sandal please
hello? gone?
one thing you might check is if you copied the key directly from the web page or switched to the source view and copied it from there
i capture the request with burp i have the key lol
Did u copy all of it? Sometimes when i click/drag to highlight, ends up only copying half lol
well i can't see what you've done so if you want to lol and not show me then i guess you're on your own, have fun @red sandal
Any hint for envizon?
where are you stuck sonym?
and Envizon been live for long enough?
someone help me
im in chill hack room
i stay in the console i try upload shell in /tmp but i can't execute it
that room is too new still @blazing star, no hints for the first 72 hours
no worries, keep at it, I'm sure you'll get it
TY bro
i'm stuck at the begining of "Upload Vulnerabilities" room task4
i don't get it what website do i have to get on ?
Did you try overwrite.uploadvulns.thm ?
did you hit the 'Deploy' button in task 1 and follow the instructions there?
yep
if so then you have a machine running and the hostname overwrite.uploadvulns.thm in your /etc/hosts file
so that's the site to surf to
Chill Room, Great Box thank you @torn zealot Please do more!!!! xD
VM doesnt work for this room ?
yes it does, have you connected to the VPN?
In Internal room, I got rev shell as ||jenkins| in docker env,|| what am I supposed to do after that..any idea?
careful with spoilers @royal mirage, you can surround text that gives part of the solution with || on either side
Sorry man xD
no need for sorry
looking at my notes I think you just have to enumerate from there
do the usual hunt for 'interesting' things
To escape ||docker|| and get root right??
kinda, enumerate and you'll see
Cool thanks :)))
i'm on thm-attack the box , do the instruction and still don't get nothin in etc/host or on a web overwrite.uploadvulns.thm
i'm redirected to google search
/etc/host__s__
Add it manually
so you're using the web browser based attack box yes?
With your favourite text editor (vim/nano/emacs/...)
show me a screenshot of what happens when you execute the command cat /etc/hosts @white salmon
Rooted thanks :))
hoo! i see the hosts
not host
but host
ty @median compass
good luck from here
so when i need to acess to the website overwrite.uploadvulns.thm
where i go ?
i stiil dont get it
you launch the browser in your attackbox, then surf to http://overwrite.uploadvulns.thm
i don't understand how that work now but
i try this address many times
i think i miss those "http://"
tx again
hanx again
thanks
Hey, can anyone help me with ToolsRus, when i try to bruteforce the password for ssh in hydra it pops up a message that this is an unknown service
Your hydra command is wrong
what it should be like?
First i don't think you can specify a username with -u
About the protocol as well
?
Try to find how to specify the protocol with hydra
(ssh)
I might be wrong, i never tried this way.. but doesn't look correct
Don't put the protocol before the IP address
Check hydra's man page
man hydra | grep protocol
try it this way @tribal olive hydra -l/-L <user> -p/-P <pass> <IP> <service>
This time your command worked properly, but tells you, you can't login with password so you need another way to identicate you
actually yes, didn't read it, it did work, well spotted kana
SSH supports several different authentication mechanisms.
And as your error says target does not support password authentication your target probably supports keyboard-interactive and not password authentication.
Beat me to it @white salmon
more likely that the target wants a keyfile no chika?
Yeah RSA authentication type comes under keyboard-interactive Authentication
The password authentication mechanism has the client send the password to the server as a password. The more-common keyboard-interactive authentication mechanism opens a channel between the client and an authentication process on the server. The client allows the user to directly interact with the authentication process, which is usually just a password prompt
But if he's doing ToolsRus room, I don't even think SSH is an entry point
from https://www.ssh.com/manuals/server-admin/44/User_Authentication_with_Keyboard-Interactive.html
Keyboard-Interactive is a generic authentication method that can be used to implement different types of authentication mechanisms. Any currently supported authentication method that requires only the user's input can be performed with Keyboard-Interactive.
Currently, the following methods are supported:
password
PAM (see note below)
RSA SecurID
RADIUS
Methods that require passing some binary information, such as public-key authentication, cannot be used as submethods of Keyboard-Interactive. But public-key authentication, for example, can be used as an additional method alongside Keyboard-Interactive authentication.
Note: PAM has support for binary messages and client-side agents, and those cannot be supported with Keyboard-Interactive. However, currently there are no implementations that take advantage of the binary messages in PAM, and the specification may not be cast in stone yet
no, i think that's why it won't hydra
Yeah so password under keyboard-interactive works a little bit differently
also i got the problem with the question: What directory has basic authentication?. Since my gobuster didnt find any different directories than guidelines
The snippet above your that I sent explains that
What wordlist did you use
Well, the directory is in that wordlist
ill re-do then
99% not
im doing that already
Wait no you don't need, the directory you are looking for is in the home
Just found it in a sec with dirb/common.txt
hey guys! yoto root part, any hints ?
that was for me ?
yup
ok thanks buddy
do you know the hash protocol, is it bcrypt?
Is this for the sha512crypt on Crack the Hash?
Then you have specified it incorrectly.
hashcat -m 1800 t4.txt /usr/share/wordlists/rockyou.txt --force
that t4.txt has that hash
Do not use --force
And you have specified it incorrectly in the file if you're getting that error
It worked fine everytime except this one
nope, I just copied who hash, and pasted it in the new file
Ok, you can ignore what I'm saying or you can work with me
Is it working? No
So why not listen to me?
I am listening to you,
And you have specified it incorrectly in the file if you're getting that error
Nope I give up
I hate being ignored.
Asking for help and then ignoring and arguing about it is something I will not tolerate.
... I was refreshing my THM , its web based attack machine
its session freezed, so i got there, now I made a new file and then gonna execute it without --force
can you do a cat t4.txt @noble locust?
yup I can
well I meant can you show it to me...
the new file is named q2.txt and here we go -
$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02
I intentionally avoided that :/
yeah, don't do that
be aware this one will take a long time
if you have a GPU on your host you should consider downloading hashcat for your host OS and running it there
it runs MUCH faster on a GPU
I have poor 4GB RAM, no GPU ...
ok, well it'll get there in the end
you can try https://gpuhash.me/ too, they can crack in the cloud for you, it's good to learn hashcat too of course, but this is an option
Are you looking for it in requests or responses?
Gpuhash.me bad, colabcat good
That's the one I meant
gpuhash.me is limited on word list, hash type, and syntax
ty cry
can we ask for help with bookstore yet
Hey guys,
Looking for some hint on this room (https://tryhackme.com/room/networkservices) task 4.
Last Task in 4, to get the flag.
I got the username, however, when I use smbclient to connect, any credentials are working.
So I currently have no idea where to connect to with that user and the key that I gathered before.
Ah wait I now have an idea
got it! finally... thought all the time I have to somehow connect over SMB. But in hindsight it makes no sense.
Has anybody done year of the dog, I need a little nudge
hi
Hi everyone, can someone tell me how can I run shellbags in Volatility 3?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Take a look at the cookies in your request
Thanks I realised what I need to do
The first thing I tried was admin.tryhackme.com
Hopefully this doesnt break any rules.
is it allowed to ask about the Bookstore room?
No not yet
Please can I get a hint for owasp top 10 room task 19 (security misconfiguration)?
||i have looked through the application files and also after setting the session token cookie i was able to access the mynotes page.||
@waxen ridge, did you try googling for default credentials, always a good thing to try as lots of people don't think to change the defaults after installation
Nope @median compass i will try this. The task hint seemed to indicate that the answer lies in the application source code so I was looking for clues there
well it kinda does, you might find the source code by googling
remember that the source code you see in the browser has often been interpreted and changed before being sent to you
for example, the designer didn't hardcode the date into a page, a piece of code gets interpreted when you request the page and inserts the current date
so there's source code in your browser and the original source code which includes the coding magic in php or similar, and that you need to hunt for
Whoaa okay I didn't think of it that way at all. Thanks so much! I guess this is literally a thinking "out of the box" kind of question :D
research is a pretty massive part of infosec, every day there's a new thing and learning to google everything to hunt down answers is a big part of the process, enjoy!
Nope, it's all about what you're looking at. You only see the frontend code, because you're at that end of the process
Yeah actually...it never occurred to me that i could see the backend code as well in this case. Nice
You usually can't
At least you can't as an end user
Because it's running on the server
Yes thanks again :) i got the flag finally :D
hi guy!
dont know if this is the place but... anyways... I am trying to complete this room, and only 1 question left. https://tryhackme.com/room/hardeningbasicspart2 . Not looking for answers, just want to validate if there's any material I can read (beyond the book mentioned in Task#1) in order to answer this question "This is a random, arbitrary number, used as the session key, that is used to encrypt GPG." Thanks!
it's subscriber only, can you send a screenshot (||they're probably speaking about salt||)
Probably not a salt seeing as it's not a hash
hint: is a 5 letter word (tried everything even plurals)
What task is it? @crisp condor
It's a standard cryptography term
Look into cryptography session keys
Is this --> Task 2 ~~~~~ Chapter 3 Quiz ~~~~~
the tasks are out of order in that room @crisp condor, do task 3 and go back to the quiz then
Im on the google dorking room.
The question - Name the key term of what a "Crawler" is used to do has me stumped.
Ive thought of a few words but all of them are over or under the 5 char answer format.
It's in the text
read the text in task 1 and see if anything pops out
Ight I got it. Thanks!
Having trouble with Physical Security Intro Task 5/7 "What type of pick takes advantage of lazy manufacturing practices by lifting all the key pins and driver pins above the shear line to bypass a lock?" pretty sure the answer is || r..e || or am I missing something as it wont accept it ?
i watched a lot of bosnianbill videos to find most of those answers @manic citrus
it's not rake i'm afraid
oh I know this one
thanks, will take a watch ..... tried most of the other picks I have used, this room is annoying lol
It's a special tool for it, and it's named after what the tool looks like
there's still a couple I can't find tbh tony, and i watched a LOT of youtube
I am still missing 4/5 4/6 and 6/3 and 6/8 as well.... I have been reading as much as I can so now onto youtube
@inland onyx I am trying your new room, "Further Nmap" and it is really great!
However, I am stuck at one question, for no apparent reason. Specifically, in Task 13, question "There is a reason given for this -- what is it?" i can give no right answer. Can you give me a nudge? Thanks!
(That room isn't meant to be released yet -- the scheduler messed up earlier)
Just stuck on the adams rite one now....... lots of videos/writeups on how to use the tool but can not find the correct wordage to protect against it
goodnight everyone. im doing linux challenges task 3 find flag 15
i need a hint
thank you in advance
ive done uname -a
but i dont see the flag
also done uname -r to see the release like the hint says but no flag
any help would be appreciated
It's in a file
The hint provided in the room is a glob
forgive me i dont know that terminology. what is a glob? is it something meant to throw you off?
Does anyone know the answer to the "Further Nmap" -> "There is a reason for this -- what is it" question in the "Practical" section? I cant figure it out and there is no hint or write-up! Thanks! @inland onyx i saw you responded earlier, anyway to help me finish?
Apparently it is now meant to be released -- been a li'l bit of a mixup after the scheduling thing earlier and we've just decided to roll with it
Did you try running the scan?
Hello! Haha its been a fun deep dive. Yes i did, i have all questions but this one left. Did i miss some verbose i was supposed to see?
Lemme try it and make sure it is showing
Actually, what's your machine's IP?
Quicker than deploying one myself
10.10.12.71
Thank you ninja
What switches did you use?
@stuck fractal thank you. you are a god send
Nmap -sX 10.10.12.71 -p 1-999 -Pn
Ahh shouldve known better
Apologies -- it's my default go-to. Didn't realise that others wouldn't think to use it
No apology needed! Shouldve tried that first, running with extended verbose now
Got it! Thanks for the help! Fun room! @inland onyx
Flag 16 lies within another system mount. Room linux challenges, task 3. i ran the df command and also cat /proc/mounts and /proc/self/mounts. still not 100% sure. Any hints?
It's a little misleading. if you plugged a USB into an Ubuntu system, where would you want to look to find it?
no idea Sir James. Im 100% linux noob. Ive never even done that
but ill check into what you said
It was a rhetorical question
last time this happened to me i left tryhackme for 48 hours
then it came to me lmao
i found it lmao
Thanks @stuck fractal
im trying a command sed 2345 flag19 and its saying im missing a command
lmao i see my error now
ggwp
actually nope that wasnt the issue still stuck
okay i got it this time hopefully
got it
linux challenge task 3 Find the difference between two script files to find flag 13.
any hints please
There's a specific command to find the difference between two files
yeah i know that but will i find that flag comparing any 2 files?
its diff
what does a script file even look like
hmm
wow im definitely burnt out lmao
that was so simple
well im done with task 3
break time
Thank you again Ninja
Heya folks. Doing the Web OWASP starter course. I completed Task 29 but I didn't actually find a public exploit... I kinda worked my own way around it. Was curious if there was somewhere I can ask which vuln I was supposed to use for my own reference. Don't want to spoil anything by posting it all here.
The OWASP top 10 room?
Or maybe I actually did it correctly... not sure.
Yeah.
I found one fairly quickly by googling the exact words in the hint
Have you tried that one?
By fairly quickly, I mean it was the top result, and straight from exploitdb
Oh interesting. I looked up something else in exploit-db but this is essentially exactly what I did. But... a little less code involved
Thanks!
stuck on furthernmap task 8 question 2, Why are NULL, FIN and Xmas scans generally used?, I know the answer is because they are stealther than SYN scans but I can't figure out how to word it so it fits into the answer format.
Xmas really isn't more stealthy
So that rules out your answer there
I can see the answer in the text
got the answer thanks james
so Xmas really isn't more stealthy? so the statement "All three (Null, FIN and Xmas) are interlinked and are used primarily as they tend to be even stealthier, relatively speaking, than a SYN "stealth" scan. " is not true?
Xmas scans derive their name from the set of flags that are turned on within a packet. These scans are designed to manipulate the PSH, URG and FIN flags of the TCP header. When viewed within Wireshark, we can see that alternating bits are enabled, or "Blinking," much like you would light up a Christmas tree.
Not something that's going to be hard to detect
I am doing room ZTH: Obscure Web Vulns, in this I am having shell but not able to find the flag
~/flag is different than /flag FYI
regex room Match the string in quotes (use the * sign): "2f0h@f0j0%! a)K!F49h!FFOK" << tried every combination, have created very unique solutions, to fit the 9 character answer, but nothing is working... this is the last one remaining
Can anyone give me a nudge for priv esc on Rootme?
I've been stuck on the same one for few hours now, @thin bison any chance on a hint for this one when you're online?
I'm stuck on this.
I cant understand how should I solve this. I tried using ||[Ff]ile[^68]|| ; any hints for this question? Problem number 04 from task 02.
Almost there, pretend 6&8 were included as files
Everything you need for that is in the description above, just experiment a little with the commands. The thing I found for that one was not to think too complicatedly and kind of read it like a story. I am currently having problems with the question 3 below that one. With the string 2f0h@f0j0%! a)K!F49h!FFOK. If you can give me a tip on that one I would be grateful
Did you find this one out? I have been stuck on it for ages too, actually there are many different possibilities that work, but I have not hit paydirt yet
I posted my response 20 minutes ago, if I found the answer I would've posted about it
seems it's the one single question people get stuck on since the completed user count didn't jump up since the room was released
I have to tap out, was stuck on it for hours ... need my sleep. I almost want to post the dozens of solutions that do work!
yeah i found few of those
I was looking for pattern repeats, but no {} in the answer portion.
I have maybe 6 or 7 different combinations that all work so far. I should have taken a note of them cos I think I am just repeating them now.
I have it down to a meta & a space and I used "" then thought maybe inside ... so many different combos
It is very satisfying to know that the #1 King of the Leaderboards is also having trouble on a room.
I amended the question, try again
should we include quotes in the answer?
||
************.****
(\w+)@(\w+.\w+)||
missing a char, but matches no problem?
so whats missing?
[\S\s]* definitely matches the string but doesn't match the 9 character answer hence my question about the quotes
@cedar axle the question was rephrased, refresh the page
||[\w\W\s]*||
oh wait you're doing the email one right?
yeah im going off the *'s
yeah I'm going to answer this in a second
trying to make it fit
so with the email the TLD is static so don't make it a wildcard too
you're close to the answer for that one pood0g
basically it's stuff, space stuff, and more stuff
I might have to change more than the question in this one
exactly, but I'm going to add a clarification for this nevertheless
you're using charsets where you should be using groups, like before
but you're not supposed to put the whole thing in a group anyway
try to specify the static parts and then add metacharacters for the parts that change
take a break and come back to it, I'm sure you'll do fine
I am getting there slowly, just 3 more questions to go. It is difficult, but if you read the questions and don't think about it too complicatedly it is not too hard. One thing is for sure, I will not forget how to use regex for long time, and I guess that is the aim of the room.
|| (\s|\S)* || yet again a match but missing something still
"[\S\s]*" just tried this but not working i think it might have to do something with the quotes since no other level before has the quotes
The quotes are just characters too, I don't see anything changing in the answer if they are there or not.
|| 2[\s\S]*K|| can anyone give me another hint?
A lot of the time you don't have to use charsets when using metacharacters
for example you can say \S*, this means, 0 or more non-whitespace characters
Hey, let's not use that here @fierce stratus
oks sorry
i knew about + and * is kind of like at least one and as many as you like
i thought id put the 2 and the K so that it doesnt match any arbitrary string
remember, the general hint is be specific but not too specific. and that string is literally gibberish, with a space in between.
tbh i totally overlooked the space so far but finally got it now
I've added more spaces to make it clear
just thought about that maybe being a good idea ^__^ the spacing with the '!' next to it makes the space kind of disappear
yeah hopefully now it's more straightforward
when creating a room can you actually specify more than one correct answer apart from the case insensitivity? i sometimes press enter too early and it still accepts as valid or is it only stringcomparing up to the needed length ?!
There's an answers tolerance
I don't know how's the regex for it but it's nice
Always gets even if you write one character wrong
It's nice for flags that need a hash or things like that
makes sense thx ^__^
oh yay bout frickin time
\s matches whitespace (any number of spaces, tabs, and line breaks) this kept tripping me up
in particular any number of spaces
stupid details
i would have gotten it about 40 mins ago
you're right, that was a mistake. fixing now.
I'm also going to make the description more clear to reflect that metacharacters, while including large charsets, are used to match one character
for more, you have to use repetitions
thanks, deep down i probably knew that but i couldn't see past what was on my screen
bad habit
remember, I also suggested that you use regexr.com. you can paste text in the big box and test your expressions in the small one.
there's always the chance of finding a correct expression that is not the correct answer, but there was no other way
all good
thanks for making the room
it was good
they should have a rating feature
for rooms
maybe thats a bad idea
I'm looking for a hint on the Physical Security Intro room please. Task 4 question 5. I have managed to get all the other answers in this room, and some of them have been quite obscure given the question, but I'm drawing a blank on this question. Any hints appreciated
What's the question, to save us going to the room?
In the "lock anatomy" section the question is "What is the piece that allows locking lugs to retract when the core is turned?"
Oh ok I don't have that one yet
@feral anvil they're kinda like deadbolts
And you'll find them on most car doors.
Damn regex is confusing
I've been looking at Task 4 Q4&5 for a long time and still dunno the answer
on Q4 you can have between 1 and 3 of a,b,c followed by 4 of 0,1
In room goldeneye, task 2 question 2, ||I've bruteforced login with natalya as user and got password bird but looks like its a wrong answer for this question. I can login with it fine using telnet.|| Need hint on this.
and on Q5 you can have F or f, followed by ife, followed by 1 or 2 of any digit
Other users too I guess?
Yeah, I found ||xenia's password too which is RCP90rulez! but its wrong too.||
Got it. I didn't check for ||boris user|| there. Thank you.
Room : Yara Task 11:Question 5
It asks for another extension other than .PHP that is recorded for file2
There's only 1 file extension shown on VT and Valhalla
Am I looking in wrong place?
You can find it in VT, search through all the sections of the page. You will find it
Found it! Thank You
In the OWASP room with command injections, why can't we use all the CLI commands only some ?
what kind of commands work and which don't?
hey guys can someone help me with "nmap" room?
here it is
@shrewd raven please don't show answers
got it
Hey everyone, I am trying to finish up last year's advent calendar before tomorrow and I am hard stuck on day 19 of XSS. I have tried writes, followed documentation. everything and I cannot get the admin account to push its authid.
any hints or help is super appreciated.
I have been at this 1 question for a day now.
No idea
But reset it every time to be sure
And once you've submitted the payload, do NOT touch the webpage. Do NOT reload it. Otherwise you'll get your own cookie.
Yeah, if you load the webpage then it'll run the JS
room kiba, reverse shell part the payload doesn't seem to get executed properly
is there a something wrong with the box ?
What reverse shell payload did you try?
Because I'm pretty sure I completed it recently and it worked just fine
```
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```
it was a pain to do
i think the payload is correct
There's a couple on a github page
yes
Try a couple
tried them both
One worked for me, the other didn't seem to.
And make sure you follow the instructions super carefully
Okay thanks buddy
yes
DM me please
Hey, I have a beginner's question, is this the right place to ask?
Are you asking for a hint with a specific room on tryhackme?
yes well I don't know if it's exactly a hint, I have trouble trying to use putty in the very first linux room
it doesn't seem to connect to the virtual machine
Are you connected to the VPN?
Can you provide a link to the room?
What IP address are you using? Where did you get it from?
I connected to a vpn but not yours does it make a difference?
sure task 4 of this room
You need to be connected to Openvpn
The THM VPN connects you to the THM network
It doesn't touch your internet traffic
ok that probably was the issue I'll give it a try
The VPNs that companies like Nord provide only touch your internet traffic. They're different in concept
Ok I think I understand thx
THM VPN doesn't redirect all your traffic, it just adds the 10.*.*.*/17 network and route
Hey I'm still really stuck on the regex room on Task 4 Q4, I've tried ||[abc]{0,3}[01]{+}|| and it still won't work
In regexr.com it says it's valid
@cedar palm you're really close. just wanna be a little more specific on the times abc and 01 occur
Wait till you get to Q8, I found a good 10 variations that were valid in regexr.com, it is frustrating, keep experimenting you will get it. You are very close though.
hello, looking for some assistance with running exploit in task 29 of owasp top 10 room
fixed the exploit code but still wont run
havent changed a thing other than commenting line 10
hey, I'm doing the new regex room and honestly it's driving me crazy...
Task 3.2 I've tried this " [Cc]at? " but it won't accept, same with 3.4 and 3.6
could any1 pm me the correct solution?
From this ss there's no Target ip & target port
Also python 2 or 3

3.2
that's not correct. read the task description again.
once you understand how to use the wildcards, you'll solve it
Need A little hint what to do next in Year of the Rabbit room .. reached till
||http://10.10.228.221//sup3r_s3cret_fl4g/||
Personally, I didn't use that specific exploit and I don't think it would work. But in this case you need an IP, a port, and a command. Try adding -h or --help
what specifically do you want a hint on @jagged scaffold?
what to do next ? reached a dead end
but where did you reach the dead end, did you get the ||ftp user & password|| for example? It is much easier to hint to you if I don't have to guess where you're stuck
there is ftp and ssh but dont know the credentials
yea lookin for ftp creds .. can u tell me where?
well what did you find in that directory?
some text and a video
try using burpsuite to look at what happens when you request the directory
Would appreciate a hint for the MITRE room. The question is "For the above analytic, what is the pseudocode a representation of?" Task4
did you read the CAR-2020-09-001 page you're pointed to @white salmon?
@median compass Got it. Thanks

