#room-hints

Introductory researching

room/introtoresearch

its about 13 years old

😅 i just started

the vulnerbility is 13 years old

2007 right

oh right

i just found it

good

thank you!

you're welcome

Hello

I m doing basic pentesting

There is I m typing this command

But it isn't retuning me which anonymous files

I completed it thanks😀😀😀

😄 ✌🏼

Anyone can help with Physical Security Intro Task 6 Q6/8?

hey, did someone try DevGuru box and could help me ? (https://tryhackme.com/room/devguru)

#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:

• What room you are on
• At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
• What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done.

|| Room DevGuru

• I have just dump .git repository and recover files
  -I used to Adminer for access db and i got the frank's bcrypt password ,
  -I created another user and logged in cms after that i have impersonate frank ||

I am trying to access gitea with frank but I could not do that

Hi I'm stuck on owasptop10 task16 last question... if I reuse the XXE payload I sucessfully got out the /etc/passwd and replace the path to the ssh-key (answer I gave on that question was accepted), then the response is weird and breaks the html-page like so: <p style="font-size:2em;"> <root/> </p> and having looked at writeups it seems this should work.

Am I missing something? I've tried more fancy things like getting a reverse shell going without success, nor managed to upload stuff either

i am at the right direction as of now i but i am stuck at smth

okk can i go in u'r DM i think i'm less advanced than u?

I also tried to find nope.jpg and sftp-config.json but i didnt

or here if u want

add me and we can talk

okk

If I change to any other file that ought to exist like /etc/group I get nothing back

Is there any idea ?

@tardy basin i got the creds for adminer but i didnt know what to do then

they dont work

found em in database.php

How much time did it took for dumping .git ?

3m for me

It's taking way longer for me IDK what's wrong

just let it run

you can clone frank account and give him a password encrypted with bcrypt

ok ty

bruh the creds work now for adminer

@tardy basin what is the persist code

idk , i think it releated with october cms password storing mechanism

Duplicate entry 'frank' for key 'login_unique'

change it for frank2 , also you need to change email address

ty

I got access to October another way

But I’m stuck there 😂

Question , if we try to add a new user into database that gets suspended ?

no , i added new one , just you need to give password bcrypt format

Gonna need a little more context

Hmm ,okay

you can use cyberchef to create bcrypted password

Okay Thanks mate

lol same

i am in the admin panel

and i am trying to get a shell

does anyone know how to upload a shell to october once you are logged in?

Nope ,stuck on that part

devguru is pretty new everyone, we don't give hints for 72 hours on new challenge boxes, let alone outright spoilers like above!

The creator gave out hints

no one told me there was a 72 hour rule

ah, fair enough

You're good, you're the creator so you decide

I'm only one person, I can't give hints to all these people

@median compass Please remember rule 15, please don't enforce the rules as you're not a mod

how is reminding people about the 72 hours "enforcing the rules"?

literally everyone does it

It's part of Rule 13.

And you're wrong to apply it here as the creator is OK with it

But everyone is a volunteer.

fine, I'll just ignore everyone who asks for hints on new boxes from now, no worries, that'll be much better for them

Well the rules are ok just difficult at times

@white salmon i am not sure but i might have found a way

That's OK, that's your decision.

apparently it isn;t

if it's not ok for me to remind them that 72 hours should pass then what am I supposed to say?

If you have a problem with a moderation decision, please speak to muirland.

Wait for a moderator, or bring it to the attention of a moderator

I just have a problem with your constant need to reprimand me in public for simply trying to help, but don't worry, I'll get over it, all good

Way I see it, you're fine to say that you're not at liberty to give hints until after 72 hours has passed, unless the creator specifies otherwise. Just be very careful yo word it as an "Under rule 13, I cannot give..." rather than a "Under rule 13, you may not ask..." 🙂

understood. I feel that's exactly what I did before james decided to comment on my mini-modding, but i'll phrase it more clearly next time. thanks for the clarification

Great political answers

great box so far zayotic, enjoying it

Yup, great box 🙂

The outermost layers that you need to decode are base16

No

Reverse

5 times with 16, then 5 times with 32 etc

surround it with || front and back to mark it as a spoiler

s'ok, everyone gets spoilers wrong at least once 🙂

need little help with nmap script to work...can any1 help?

what room, task & question are you doing and what's going wrong?

you don't need an i+=1 in a for loop @woeful viper the for statement will give i an increasing value each iteration of the indented block

that's probably your issue as it means i reaches 5 too quickly and the necessary number of decoding steps isn't done

im doing learning path nmap scanning...im at very last where i need to scan ip which all ports are filtered.....task is to enter via FTP with snmap script ftp-anon but i just cannot get any open ports.....i got open/filtered with -sN

you'd want to manually increase the value of i if say you were using a while loop

you'll get the hang of it quick enough i'm sure 🙂

@median compass dm is also ok if have a min to spare.....

here is fine, just looking at a python script for a min

kk

Don't use the null scan

what do you get if you skip the encode(ascii)/decode(ascii) steps before and after each b16/32/64 decoding? I'm not sure they are necessary

i tryed without null scan too....after gettting tired of waiting i started to experiment just on port 21 to be faster what ever i put in the command i always get just filtered....filtered......

Then check your VPN

!vpnscript

well it saiz im connected normally to THM if that is what you mean .....i can maybe try restart vpn....and redeploy machine.....

lol, where in adminer?

Run the script

If you're getting filtered, something is wrong here

You never do anything with the results you get from decoding it

decode is discarded after each iteration of the loop

Just use the same variable

Also, 0,5 is the same as just putting 5

So just put 5, makes it simpler

But you need to use a variable that's outside the scope of each for loop

You could just print to console rather than writing to a file

And you could just read the file instead of iterating through it

not quite

if you insert a line before your first loop, something like decode = text.readline()

it saiz all is ok ninja

and then change your base16 loop to the same as your base32 then you should end up with the right value in decode at the end

finish with a print(decode) and you should have a flag

your text = open("encodedflag.txt","r") just opens the file and lets the name text refer to it, you still need to read the data out

python is like that, it takes a while before you learn to do things as simply as possible

decode = base64.b16decode(text) That's gonna give you issues btw

You're decoding the same thing 5 times, not decoding the result each time

http://devguru.local/adminer

ok so i fixed the problem it only needed redeploying the machine for some reason.....so i solved scanning part only script part remains......im getting a timeout - Can't get directory listing: TIMEOUT

ty

@pliant tapir There's something very wrong with your network connection to THM, I bet

its all ok i checked 🙂

ports are opened now

only nmap script i cant solve....i mean scrit is working i get ftp-anon: Anonymous FTP login allowed (FTP code 230) i am missing something in sintax i think....

I don't think you are

You need to answer yes or no, correct?

The message tells you

correct

You don't need to access the FTP server.

oh so i dont need to actually get into the machine....

omg.........so much time lost.....

You just need to answer yes or no...

-.-

Please Note: This machine is for scanning purposes only. You do not need to log into it ......so yea 😋 well.....at least iv spend 3 hours on learning nmap in DETAILS AS well it scripts 🙂

can anyone give any hints on why i am recieving back connection closed by IP address on port 22 when i am trying to SSH in ?

Often wrong username.

If you're using a key

yeah so i have dowloaded the id_rsa key from the smbclient onto my machine and changed the chmod of that key, then when trying to ssh in i have used the comant, ssh -i id_rsa administrator(amongst other usernames)@<ip address>

Room?

Network services?

Network Services yeah

exploiting smb

So yeah you need the correct username.

Username of the person that the profile folder belongs to

Remember unix usernames are always lower case.

is there a way to find that out through smb client ? when i have tried to open the .profile it says access denied

That's not what I mean

oh

The share is called profiles

Just have a read through the text file

You'll get a name

From there, make a couple educated guesses

I have the name, i shall give it a go 🙂 thanks james 😄

thought i had it for a second and got this :

The authenticity of host '10.10.240.171 (10.10.240.171)' can't be established.
ECDSA key fingerprint is SHA256:RZt+npRH1P+pLVe+/9mqAkepvpb20f+TzqgPAhYhHss.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.240.171' (ECDSA) to the list of known hosts.
Connection closed by 10.10.240.171 port 22

Wrong username still then

i found it in the end 😄

Yeah it's a challenge

So far i think thats one of the hardest i have done

Looking for potential usernames is a useful part of recon

Its definitely been a good room so far, this site and discord is honestly amazing

This should really be edited to have a spoiler tag

For those of you don't know, if you're typing something and it might contain critical steps, information, or files on a box that others may not have found yet but are part of the problem solving process, you can highlight your message you're typing and click the eyeball (far right, sorry for the low res) and itll mark it as a spoiler. This can be all of the text or just a portion of the text. It also works with images.

does anyone have a hint why the tcpdump on -i tun0 comes back with an error saying no such device exists when i am telnet into another computer?

Then you can highlight important pieces of info without disclosing it to others who may still want to solve it on their own. Like: the folder you're looking for is ||/secret/folderpath||

This might get more traction in #site-support

its in a room

I mean lots of rooms may still need tech support if you're running into errors haha. I'll DM you

thanks @sonic night 🙂

Are you attempting that on the Attackbox

yeah i am

Well, you won't have the tun0 interface on the AttackBox

You get it when you use openvpn to connect to THM Network, and AttackBox is already on the network

You'll want to use the eth0 interface, i.e., the interface you get your internet from

If the room was created before the attack box, since it looks like it might be an intro to networking type room (basic level) perhaps we need to update the language? People learning may not understand interfaces and how they work on VMs and VPNs yet

I dont understand what should I do

I'm guessing reference the question above it? Haha

Room, Question and Task?

Nmap room, Task 14

It's asking what responses there are

what do you mean, I looked at the hint what didn't understand anything

Very verbose mode like you're told 😉

Is it related to the previous question?

what ip should I use for that scan?

The deploy in the room?

That's the target...

the "virtual-ip"?

No?

Click the green deploy button in the room if you haven't

The ip at the top of the page?

No. That's your IP.

Deploy the machine with the deploy button

Use the IP under active machine information

do you mean to deploy the virtual machine?

Yes. Click the deploy button.

Not the attackbox. The attack box is seperate.

okk

I still cannot understand the question, what should I do?

I did the scan with the -vv flag as the hist says

ok, then in the output of that command you should see a reason given

ha

ok, makes sense

generally we try to hint more than straight out give the answer, just FYI

Sorry I slipped my hands for the answer

@acoustic steppe Please do not post answers.

I'm sorry

Can someone DM me about initial foothold on devguru? I think I'm on the right path but I might be an idiot. I'm connecting to the ||repo|| and it connects but doesnt ||clone||

i am on the room devguru and i am at ||gitea|| site but idk how to proceed

#room-hints message

This comment and the few below may help nudge

i already have access to the machine

i am talking abt ||Gitea||

not .git

Tried to DM you but its blocked, can you shoot me a DM so I can talk through my process and you can tell me if I'm a moron

accept req

@sonic night I get ego death all the time from boxes mannn

I just want this ||gitconfig|| path to ||clone||! Is that so much to ask?! haha

Thanks for the fun box so far

Got access to the cms on this room, but can't find a way in. @zayotic could you give me a nudge?

@white pike i can help if i am allowed to

i have access to the machine but idk what to do now in order to privesc

lateral?

why is that? [on the Metasploit room]

looks like your db isn't initialized on msfconsole?

I tried, msfdb init

but nothing

did you do it from terminal, outside msfconsole, with msfconsole exited?

I dont know, ill try

db has to be initialized prior to launching for this to work, I believe

I think it says that this is already configured,

@fiery moth Could you point me to the right direction in gaining access to machine , I have access to cms

But I'm not sure what to do with || Gitea ||

@sonic wigeon ight add me and i will give you a hint

Ok

Man I dont know what to do with that 😦 I am sorry

ok, thank you anyway

guys i need help

I'm stuck at the room blue

task 3

#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:

• What room you are on
• At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
• What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done

Hello, I'm stuck with this question: Why are NULL,FIN and Xmas scans generally used ? (room : further nmap, task 8) can you help? I did not understand what you said

Look at the last paragraph

oo thank you

ı got ıt

Room: Linux Fundamentals 3 Task: 7- Binary Shiba3

I'm a little unsure about how this Binary question is completed. I used the command find / -name shiba4 I used the mkdir and touch commands to make the neccesary files. However, it says no such file exists or that I dont have permissions. Any help is much appreciated!

Any help is much appreciated...

@brisk moat show us where you're getting that error and what you're doing

ok one sec

i get a permission denied after running find / -name shiba4

I made the test folder in home directory and made the file inside test1234...am I missing something?

Honestly these results are a little different than what I was getting last night, either way couldnt find it.

Yes, you're getting permission denied

Because find is trying to look in folders that you don't have permission to look in

You can filter that out

Append 2>/dev/null to the end

How would I know to do that? Did I miss something?

I just said how you'd do that

Append that string to the end

find whateverArgs 2>/dev/null

I get that, I was asking If I had missed that info somehow. My apologies, wasnt questioning your method

That info is easily found with some google

linux how to supress errors

Thanks for the help

I’m sure this gets asked a bunch but I guess I’m stuck. I’m on the hydra room and have very little experience with it. I brute forced the SSH creds easy enough. But can’t get the web one

Used both rockyou and fasttrack. And hint says I’m doing something wrong with rockyou lmao

Can you show us what you're doing?

Yea one sec

I did the same with the fasttrack list as well which popped a bunch of false positives like Spring2017 etc.

That's web, not SSH?

Oh

You're sending the data to the wrong placw

Intercept a legitimate request, see the path it's submitted to.

You're also missing an =

Ahh. Okay! I will go try. Thanks

Oh hey ninja, can you take my eJPT/CEH/sec+ stuff of my name. I thought it was cool but I don’t lmfao

Not easily.

Ah then nvm.
That worked man thanks

Going through the Advent 2019 challenges today. Got to the RE exercises. I still don't know what I'm even looking at ... anyone else feel the same the first 100 times they look at RE stuff?

Hey all, I'm a Python n00b and wanted to see if I could get some help with the Intro to Python Task 12 challenge. It says to use from base64 import * but when I do and I use base64.b64decode(line) in my code, I get a undefined variable 'base64' should I only use import base64 instead?

Night guys, I'm doing devguru and got access to the cms, but I need a nudge with foothold. Can you help me pls?

@boreal pond Yes, that will fix that error

from module import * means you use the functions and stuff from the module without module. in front of them

Thank you

you're running a distro that's not using systemd as it's init system and msf probably tries to startup the database using systemd utilities which results in failure to start it up

If you're using WSL, don't.

@brisk moat i am also doing same box

me 2

you want a hint?

wsl uses sys-vinit sudo service postgresql start

talking with me?

both of u

yes pls

the page executes php code

you need to add a page

https://octobercms.com/forum/post/running-php-code-on-pages

like that?

yeah

thanks !!!! :)

nice

np

I am stuck on privesc of this machine

I'm working on the Intro to Python exercise. I'm getting close, but can't figure out why my while loop isn't iterating through the line more than once. What am I doing wrong?

file = open("test.txt", "r")

def run_decode():
    for line in file:
        base64_bytes = line.encode('ascii')
        message_decode = base64.b64decode(line)
        message = message_decode.decode('ascii')
        return(message)

x = 0
while x <= 5:
    print(run_decode())
    x += 1```

I'm using a test double encoded message, it decodes it once from the file and this is the output I am getting

None
None
None
None
None```

are you running through a flag that has multiple lines or is it just one long line?

When writing code dealing with file pointers, pay special attention to variable scope and exit conditions.

It's just one long line

Thanks for the hint, I will check this out

How much time did you guys spent to brute elliot's password using hydra on Mr. Robot CTF's room? It took so long on my attempts, the machine is almost expired now

Looking for a hint! in the CC: Pentesting room, task 10. Found the dir but cant open, cant download.. what else.. must have to be done with msf?

@tall rain can't imagine it should take that long. what's your command look like?

hydra -P fsocity.dic -l elliot 10.10.184.242 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=The password you entered for the username' -V -t 30

It have 800000 entries .. just make each line unique .. so u can shorten it to almost 110000 Words

With a Py script or something..

use wpscan

here is a hint :You dont even have to brute force the password,one of my friends just googled " mr.robot wiki elliot alderson" and the password was somwhere in his fandom page 😉

Can someone give me a hint for devguru i got till the cms page and got the username to login but i cant find the password

wpscan brute time is even worse lol

gotcha, i double-checked on the dict and moved it to the upper part so that it was able to scanned faster with hydra lol

#room-hints message
This comment helped me quite much. Anyway, ||frank|| is the username, am i right?

Yeah right

You created new user in gitea? Last time i checked the register feature is disabled. Would you please elaborate the way you got his bcrypt password?

At the Metasploit room, I did what I told to do, and I dont see nothing

Try to run it with -Pn maybe

Also check that if your vpn is connected

it didn't scan because it through the host was down

You need to re-run with -Pn like the message tells you

why is that?

ok

because it didn't respond to an ICMP echo request (ping)

Windows machines generally don't, due to the firewall

It works, thanks

Thx man!

np

In Linux Fundamentals Task 9, it wants me to change the USER variable to test1234. I used export $USER=test1234 and ran the shiba2 binary and it's not working. It's still showing the $USER variable as shiba2. Not sure what I'm doing wrong.

sorry it's Linux Fundamentals 2^

@valid zealot It doesn't change the value of the variable

The binary performs a check

And you've misread the task

It asks you to set test1234, not change $USER

hello guys, could somebody give me hints for the room introresearch?

Just ask directly

Although 99.9% of the content in that room comes under Rule 13

I'm stuck at the Task 3

Vulnerability Searching

#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:

• What room you are on
• At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
• What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done

|| Did you access gitea db ? ||

I have accessed that but not getting any further

|| After the access to gitea db you can duplicate frank user as frank2
And you need to supply hashed password with true combination ||

Yeah I'm struggling with that

@tardy basin have you got any further
i have access to the machine but idk how to privesc

Have you done Linux PrivEsc room ?

yeah

yes, me too

it's hard

|| linepeas ? ||

yeah tried that too

i saw some ports open though

linpeas just show interesting files

||8585 which is gitea and ssh but on ssh i get access denied and idk what to do in gitea||

i am logged on gitea, but i'm stuck

how did you find it

. with this

the login is in somewhere

|| Do you have app.ini.bak ? ||

yes

|| which algorithms can be use with gitea db password hashing ? ||

this answer is in the app.ini.bak, i don't know if i can speak

arent you supposed to do that for just accessing the cms backend?

I don't wna to give it away, but I think I am understanding now. I typed test1234=$USER and ran shiba2, but it gives me an error Segmentation fault (core dumped)

You haven't actually set the variable then

Look back at the task explaining how to set variables

fellas , any work around on ssh in devguru ?
help is very appreciated .

stewie needs help

yeah , indeed

i've accessed the gitea site but idk what to do now

@pseudo tapir #778305825797177374 please

Sorry, ninja!

@fiery moth you should comeback and read the config

ok

It is set. I checked with set | grep test1234 and I get back test1234=shiba2 which is the current user, but I still get that error.

It is not set if you are getting that error

You can argue, or you can do what I suggested

One way leads to me ignoring you.

Yo Fellas, Some Help

same

Sorry I did go back and look. I typed export $test1234=$USER I even tried env test1234=$USER I'm really lost here. The instructions say that export <varname>=<value> will set the environmental variable.

You added a $ in the export command

Don't do that

oh

Ok I ran ./shiba2 and now I get no error, but still not sure where the password is. Thanks

If you have the variable set correctly, you will get the password

Screenshots. Show us what you're doing. Show us what happened.

ok

Same : (

I got it. Thanks for your help. 🙂

@strange river some help dude

@white salmon which part

the ssh part

|| There is no SSH part ||

👀

xDD

so for the last 50min i'm struggling with something is not included xd

Any hints for getting flags for unbaked pie. Already have reverse shell but stuck ?

@white salmon It can't be as hard as building that time machine

@strange river at least i know what i should do now, Thanks

nonickid - Thats a new room, so no hints for 3 days after release 🙂

@simple mountain ok, understand. Thanks. So continuing my fight 🙂

Keep at it, You'll get it 🙂

lmaooo, misunderstanding

In devguru I got into the machine and somehow managed to get credentials to access || gitea || database. And now I am stuck,can someone help me?

Same here...

i cant find the creds for gitea

escalating to frank is a pain

Have you ran || linpeas|| it shows some interesting output

i have

imma run it once more tho to make sure

didnt find anything

Yea this will help you @fiery moth

i only found a hash

@fiery moth you got the config ?

there are a lot of configs

there's one specific config that is very obvious related to gitea

im still stuck on the login fields😫 i found the ||october login with the frank user|| and the || gitea login site|| but im absolutely clueless as to what to focus on next.. tried guessing, brute forcing and enumeration with gobuster but im out of ideas already

I know what you're talking about! And I haven't been able to "set" it, if thats the right route

You enumerated it with dirb or something like it right?

Yes

dirb yes

@grizzled brook ||adminer.php||

no it's not meant to edit it

damnit .. searched for|| php extensions|| but apperently the wrong wordlist.. will try that later!

So there shouldve been a result in there that has some information about the machine, like a...|| place where you might get all the code or something of the sort ;)||

Hello everyone 🙂 , I'm on the room DevGuru and I'm a bit stuck 😦 I founded a|| git repo|| and I downloaded it but it didn't give me more info than that. Someone have a hint ? 🙂

i really appreciate the hint.. i will try again later, thank you!

Did you use automated tools to get the repo ?

@sonic wigeon yes I used gittools for that

You have only downloaded it , try to dig more into that reporistory

i got the logs and I have a username ( more a confirmation ) and a TTOOONNN of files

shall I brute force something or more dig in the folders like you sugest

Not brute force but try to use || extractor|| that comes with gittools

😮

got it ( I think 😄 )

@white salmon i think i found it

Nice

@sonic wigeon OMG DUDE !! thanks for the help !!

I had some REALLY cool stuff to check 😄

nvm

hello, i got stuck on devguru room, i successfully login to cms on port 80 and trying to exploit them but its didnt work. what I have been doing is right? *sorry for my bad english

@zinc echo you can execute php code on a page

on port 80?

Yes

@zinc echo : gg I'm stuck to login on it 😭

thanks! @fiery moth @sonic wigeon

Check the files when you extract something out of it 😉

what login

yeah , is what I'm doing now

try to check rge file and get osme info from there

?

what is everyone stuck on?

i need the creds for gitea

to clone the repo

@fiery moth || overwrite or create ||

@fiery moth wait

I extract the comit from git and I have a lot of file and I try to find credential on it but I can't 😦

you're trying to clone it?

@midnight spindle git restore

@strange river yeah but it asks for creds so i need the creds

@midnight spindle once you dumped the .git you need to use the extractor from gittols

@fiery moth what have you done so far

yep this is what I did

i am on the machine and i am trying to privesc

@midnight spindle check the config file

you will find an interesting file there

really cool stuff here but I can't find some creds ! ^^

@fiery moth ok I will double check

Use grep

thanks

grep -lr 'password'

something like that

dirb / gobuster maybe you can something interesting @midnight spindle

@strange river can you give me a hint on where the creds can be for gitea

@fiery moth do you have a shell yet?

yeah

@fiery moth || replace them ||

ok lemme try

gitea is open source, keep in mind

docker experience would be good here

thanks for the help guys , I will continue to dig

dont have much expereince in docker but i will do my research
@strange river also the room is good af nice

I'm going to ask around and see if someone can make a walkthrough video on this machine sometime

videos like ippsec always help me see it clearly and learn from it

yh ippsec explains things in depth

That's it for me doing DevGuru today gonna try to crack on it tomorrow xD

I'm just glad a lot of people are learning something from it 🙂

Yeah man it's very challenging box and so far learned a lot from it 👍

@strange river is it ||app.ini.bak||?

omg I found some creds but it dosn't work 😦

cuz

you're using them wrong

Hmm

yeah I think so

because I found the creds for the database itself but not to the website

there u go , you answered your own question

haha yes but I'm back to the starting point. I can't connect to this DB because is use a specific port and this port is close on the server

so I guess , it's a wrong way to go/think

no

No your on the right track

that's were

enumeration

comes in hand

hey, i trying to bypass ext when rename it, but its doesnt work, i read that exploit from google. am i doing right?

bypass doesn't work

find another way

hmmm, okayy

As expected ! 😦

@zinc echo|| https://octobercms.com/forum/post/running-php-code-on-pages||

@midnight spindle mysql is closed

didnt you scan for open ports at the start?

yes

there is another way to connect to the dtb

3 port are open

Yeah enumerate through the files where you got the creds

omg this room make me crazy 😄 thanks for the support guys ^^

^^^^^^^^

It's still making me and I think I am not half way through it xD

hahah

same i need to find the creds for gitea

I dont' understand something. The creds is link to "october" and on the webiste I found the "october login" BUT it doesn't work

||adminer||

OMG OMG !!

xD

it was FRONT of me !!! and I was sure this file look SO STRANGE !

@white salmon is thats the file i am supposed to look for?
||app.ini.bak||

privesc, hint please hahah

@ancient island which part

www-data to frank

i am in gitea

but i’m stuck

you found the creds?

|| Its a feature of gitea ||

yes, i know, but i couldn’t find this feature

Google for gitea CVE's and the method will show up

i searched a lot

oh

i only found an ssrf

i know now

I checked again, and I found it

Lots of documentation on this method exist

oh

i found it

rce

Its not really a CVE, more of a consequence of having access

it says its authenticated so i suppoose we need the creds

guys, I changed the password from ||frank|| and now it say that Frank has been suspended !

@fiery moth its hard to explain without spoiling it

@midnight spindle you need to|| clone|| it

@strange river np and ty for helping me out

why ?

cause you cant crack his hash

so you clone it

thats why I didn't crack the hash I just changed his PASSWORD ^^

and what kind of error did you get

also it needs to be hashed in bcrypt

aaahhhhh thats why !!

why does it say "User [frank] has been suspended."

same here , is because you used a texte without encryption

i cracked the password

ah

@white salmon you need to clone frank

okay! does git allows cloning of users?

we can clone only repos right?

not that kind of cloning

cloning his user in ||adminer||

but adminer is not accessible

with db creds?

xD

**without

OMG !! after 1h30 !!! I'm log IN backend !!!

@white salmon you can login to adminer

if you have the creds

so this means adminer creds are out in public..?

lmao

manjuice got root, you can ask him hints

woop woop

someone have a hint to get a reverse shell after log in to the backend/cms

?

because the page are not supporting PHP and we can't upload php ( maybe with changing the magic number )

https://octobercms.com/forum/post/running-php-code-on-pages

nice !

need to find the git creds then use the exploit for the gitea version

im pretty sure there isnt an exploit involved

besides user to root

||https://www.mageni.net/vulnerability/gitea-110-1125-rce-vulnerability-113773||

Mark as a spoiler

idk i didnt use any exploits for gitea

apparently frank uses strong passwords

i have found a repo but you need to be authenticated to clone it

yup, but frank has strong passwords

can i find the pass through a backup file or smth

not exactly a backup

well

yes a backup

but not franks

app.ini?

maybe

i found a secret key

nothing seems to work tho

remember the foothold into october cms?

OMMGG !! AFTER 2H !!!

nice nice :D

yea this rooms also made me hate october cms

what foothold

you got into backend right?

yh

yup, its the same thing essentially into gitea

idk if im giving away too much so ima cool it down for now

ok

@dull pulsar with adminer?

well you could use adminer

does it has to do with user_roles?

||clone a user and change his id into the publisher or dev||

nope

omg this room ! I just get the shell and boom stuck again ^^

but let's start diging ! 😄

lmao yea same i had to spam zayotic for hints as well

omg, this privesc is not easy

its hard af

but its actually realistic compared to other rooms

yup yup

i am trying understand how to do

its got something to do with gitea

yes, its very realistic

i have learned some new stuff so far

me too

same here ^^

even if is not done ( YET :p )

@dull pulsar can you give us some more hints

hm

where are you right now?

privesc

gitea

yh

www-data to frank

need to privesc to frank

i found the vuln

its all got to do with gitea

but it is hard to explore

i think

i need to find the creds i think and then clone frank's repo

yes, but in gitea, frank doesn't have repo

yup, its like yotd

nope

sad

not exist anymore

lmao

this repo

af

frank is running gitea

yes

i've been trying to complete this room for a day now lol

haha

I found an adminer.key , do you think is usefull ?

same in /tmp

but i doubt

its any useful

Same this was my second day to attempt it but got a further than yesterday

sadd

i will probs give up idk what to do

no don't ! we are here 😄

if it can help I found ||"app.ini.bak"|| I still looking to it

tried my best shot getting frank , the shell return as www-data -___-

i have already found that i found some secret keys on it

but idk what to do with em

JWT ?

yh

nope

i gotta go through the whole file ffs

it a json key

the pass?

no I don't know , I still on it ^^

ok I found a JWT CSRF but nothing that I can use 😦

I found something else but..yeah...

does it work

I don't know where and how to use them

doesnt work

OMG !

I think I GOT IT !

I will confirm you that in a bit^^

fr?

like french ? ^^

or for sure ? :p

for real?

haha w8 I will confirm you but I found something REALLY cool !

kk

any clue why my gobuster doesnt work?

You didn't mention the protocol

@tribal olive gobuster dir ......

Oh yeah also that xD

thank you @white salmon

OMMMG OMMMGG !! I GOT IT !! OMMMGG !!!!!!!!!

Hello, can someone give me a hint of what encryption is this?
*@F DA:? >6 C:89E C@F?5 323J C:89E C@F?5 Wcf E:>6DX
I'm doing c4ptur3-th3-fl4g room

how

How xD

MWHAHA !!

the hint is : check , double , triple check the .bak

and think about how you found the frist cred

app.ini

yep

So there is something else that we need to look for ?

hmm ( hard to no spoil ^^ )

ayy nice nice nice

I came across something but didn't try it , gonna try to look again xD

I'm stuck again xD omg this room !

what a nice room thanks @strange river

let's start diging !!

@white salmon thanks Stewie

yeah thanks a lot @strange river ! super room

Glad you liked it

It was a pain to get it released

no i'm talking suriously i already finished the room, it was quite a ride .
and the frank path huh that's new !

Really good one

Yea, I wanted to make something that I haven't seen done before

that would also be IRL

omg I have no idea what I supose to do that now I have acces to gitea with Frank

icba to go through the whole app.ini file

My OSCP was like that, just reading a big config file

whats with the thumbs up reactions haha

i will probs give the oscp in some years so i got time to prepare

@strange river any hint after get acces to gitea with frank ?

DevGuru is very similar to the way they make exam boxes

except they like windows a lot now

active directory?

I guess so

No, thats more PWK

Unless its changed

@midnight spindle || The config files mentions its enabled, and its a feature of gitea ||

ok thanks I will double/triple check that 😉

|| Its not suppose to be enabled by default, at least according to the example config provided by gitea ||

when you said " the confirm files is enabled" where you get this info ?

|| Its a well documented way to get RCE on gitea, you just have to find it ||

ok

@dull pulsar manjuice is suppose to give hints since I gave him hints

@strange river does it has to do with mysql?

@dull pulsar i'm joking haha

lmaooo

@fiery moth which part

getting into gitea

i got the creds

Thats the hardest part

for the dtb of gitea

i found mysql creds for gitea while reading thr config file

|| There might be other ways to do it, but the way I did it was taking advantage of gitea being open source and writing a reimplementation of their hashing ||

|| You don't have to do that, just use their software instead of writing it manually ||

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2MDU3NTc1MjV9.TgIEm15weeIsUgo2aG-oL7JqzClHpdIVyn1ohFkYm7o

||; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"||

i found that

The config will specify it

That's just a comment

I didn't want to be mean and use || argon2 ||

i read the whole config file didnt find anything other than mysl creds which are no use

use grep

|| creds are very useful ||

@fiery moth try to grep with what you looking for

i am looking for a pass

for what ?

to login to gitea

ok you have it 😉

The DB or gitea directly ?

gitea or the db idc as long as i get to user frank1

@fiery moth how long have you been on this part?

a lot of hours

Wait so you need to find the creds and not add another user for || gitea ||

idk

Its hard to answer this stuff without spoiling

@sonic wigeon || you're on the right track ||

omg I think I have it !! about RCE in gitea !

there is an exploit for it yeah

authenticated rce

I am stuck with login itself.. it is always throwing error message.. hashed creds dont match

Yeah but that doesn't work I tried running it

same here

i cant even find the exploit for it

On cms ?

yea.. unable to login... hashed creds dont match error

you need to gen a bcrypt hash

Yes

i did that for my new user..

you need to clone frank

it is still saying the same.. what is persist_code?

and change everything unless the persist_code

from example from frank do frank1

and make sure there arent any spaces ahead in the bcrypt hash

okay.. let me try again..

on my first way, anyone can give me a short hint?
(This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable.)

there are writeups

No

This channel is for hints

Not pushing people to writeups

no, i will go ahead by myself and with few hints, everything else is crap

You need to set the variable, then run the binary

OMMGG !! after 3h!

@midnight spindle congrats

I'm so GLAD and HAPPY omg ^^

i am stucked

@midnight spindle pretty satisfying

yeah ! and for me is meaning a lot ! because I really want to pass my OSCP and try to work on field so... yeah ^^

same

if someone need any help feel free ! 🙂 and @fiery moth your close dude ! try to make a small break and back to that 🙂

you just missed something ^^

i legit read the whole config file

@midnight spindle Damn , GG's man

I know we said that but focus on what you looking for and FOR WHAT ^^

@sonic wigeon thanks dude !

FINALLY!!!

Damn GG's man (2) xD

@ancient island grats

@ancient island you been at it for a while, congrats 🙂

NICE !!!

thanks guys, without your help I wouldn't have made it

same here ! thanks a LOT guys 🙂

i've been stuck for hours now

Hahahah I feel you man

thx done

omg I'm stuck again 😭

someone know what "!" mean where is front of the sudoers cmd ?

hahahha

same

Not

!root means not root

hmm

hmm

like everyone can use it expect the root ?

like (ALL,!root ) NO PASS = everyone can use it without pass but not as root ?

i think it is

hmmm

@midnight spindle can you give me a hint

what did you 'grep" ?

passwd
password
pass
user

and some others

cool!!

ok le's making again ^^

what you looking for ?

omg @ancient island WELL DONE !

thanks @strange river for the machine. I learned a lot!!!

@ancient island noice

I'm still stuck with the !root 😄

@midnight spindle to access gitea

I'm trying tos start my machine -> (after deploy the one for linux3)
=> Uh-oh! You can only deploy a maximum of 3 machines at a time.

ok so what you have to grep ? 😄 ( is in front of you ^^ )

how can i shutdown running ones?

finnaly

hahaha

@midnight spindle ty

no problem dude !! KEEEPP GOINNGG !!

go to the active machine, and click "terminate"

i feel so stupid

ok thx, thought they will be terminated automatically after switchting to new lesson

@ancient island I'm wasting my time with this !root ? or 😄

@midnight spindle accept my req

no, this is interesting

ok

just

google

hahah

haha this is what I'm doing since 3h xD

hahaha me too

any hints for reverse shell exec?

stuck with it for a long time

gitea

OMG !!! THANKS TO @ancient island

pretty sure run_decode() can't see the file variable bc it's out of it's scope

@midnight spindle OP

@strange river I know that we already told you that but... thanks for this room ! it was hard but really nice !

Should it be leveled hard?

for me I will say yes ^^ but I don't know

ill let darkstar decide

Yes xD

its hard to understand the difficulty for me because its in hindsight from the beginning

for me, yes i think hahah

darkstar will change it if it is, he did that to daily bugle I think?

finnaly got into gitea

good!

and my machine expired

great

exactly as you said it

@night fractal thanks 🙂

but I saw you got the root so I'm guessing you found a way around the !root

yep 😄

weirdest thing about that CVE is that we only found it a while back ago

but I guess !root is not really a common way to configure sudo

@strange river any hints
i am on gitea rn

@fiery moth google everything you can on hacking gitea

k

i noticed it uses a vuln version but i cant find an exploit for it

136 Questions done for today (no writeup), yeah! beginners mood

I'm on the devguru room, I found the ||login|| page, running gobuster on the room ip makes it explode everytime (I have to restart the room everytime I do a directory scan), any hints?

@jolly snow free or VIP?

the room? room is Free

No, the VPN you on

VIP

Hi, I'm doing the furthernmap room, on task 8 it's asking "Why are NULL, FIN and Xmas scans generally used?" The answer it's relative stealth but it's not accepting it.. what am I doing wrong? thanks in advance for guiding

@jolly snow how many threads

I was trying 50, after a while the server crashes

yea don't do 50, it will overload the CPU since apache is in prefork

And its limited resources

I see, but any other tips rather than brute forcing for folders and files?

thanks btw

You can, just cause less load

ffuf should be fine

@normal olive check the task text, it explains

i am a bit stuck with the "DevGuru" room

it seems that the user|| "frank"|| was suspended 😦

I updated the ||backend table|| and I guess that I mess something with the DB

@somber crag || clone the user then change the username and some other stuff like from frank to frank1 and change the password which should be bcrypt
so take for example the string password hash it in bcrypt and use it as the pass||

I got this error|| A user was found to match all plain text credentials however hashed credential "password" did not match.||

Hey everyone, I'm in the Nmap room and been stuck on Task 14 question "Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?". I've tried nmap -sX -p1-999 <IP> and I'm not getting any open or filtered ports. Am I entering it wrong?

check your bcrypt hash @somber crag cause you might have a space at the end

I checked it and I didnt have any spaces

want me to generate you one?

I am generating the hash here https://bcrypt-generator.com/

$2y$12$HgRvJSGWKlA1BtztdcIB1.qbqnCaJC1VGpddPFAH53ejyMYOnH3NK

use that

its pass in plaintext

wait

that worked xD

what I was doing wrong ?

you probs left a space at the end

idk, thanks

np

not stealth my guy, as has been said many times before, XMAS scans are super easy to discover, the answer lies in your nmap output, and is connected to the previous question

and @somber crag this is resolved if you select "encrypt" from the drop down and put in a plain text password. You do not have to generate a bcrypt