#room-hints
Read on the nmap website about this script, probably easier
Done, thank you
Hello y'all, has anybody done the CC-Ghidra room? I am having trouble understanding what the last question is asking for. The question is "What outputs the good job message?" and the answer is 7 characters long. What type of answer is it looking for? A variable or address or something else? I think I understand how the function works, I'm just a little confused as to what the answer type is. Thanks, and Merry Christmas
Nvm, I got it. If anybody references this later, it is asking for what value is being compared, so that if local_1a is equal to it, it will print "good job!!!"
Hey everyone, anyone who's done the 'cave' room know how to access the service on port 3333? I can connect to it in my browser but I can't interact with it. Is there a more interactive way of connecting to it?
You can use netcat
Hey guys, super noob here. im working on the beginner NMAP room, and have had to use the walk through for Task 3 on the last question. but even putting the walk through answer on there, still says ive got the wrong answer!
the switch should be --script vuln
i believe anyways, and thats what all of the walk throughs say, but its still showing as a wrong answer!
so i got an answer in tech support, saying the answer doesnt have a space in it, but every single walk through ive looked at, has the same answer! so i'm scratching my head here haha
yea i realized the same thing smh lol
did you end up finding a solution ?
yes
thanks!
np
For room NMAP task 14 > Wireshark, I don't have the premium version of thm, how would I go about doing it?
Huh?
I did a tcp connect scan using highest verbose, and on wireshark set the ip.dst to the target ip, but I get no packets
Why do you think you need a subscription?
?
This
For a walkthrough?
Let me check the room
okay
Make sure you're capturing on tun0
thanks a lot it worked!
hi guys! good afternoon, im very stuck in the room of network services, in task 7, it's about telnet, i cant establish the net cat
You crashed it with that ping command
It's still running the ping command and not responding to other commands
There's a reason you were told to use -c 1
@merry beacon whatcha stuck on?
My ans ||smbmap -u 'admin' -p 'password' -h 10.10.10.10 -x 'ipfonfig /all'||
tell me where I'm wrong
Okay, I'm looking at your answer. Doublecheck the command you're submitting, especially spelling.
directly copy pasted so I don't think spelling mistake has any chance
I'm looking at your answer that you copy-pasted and there is a spelling mistake
ok got it
Good luck
Updated ||smbmap -u 'admin' -p 'password' -h 10.10.10.10 -x 'ipconfig /all'|| still invalid answer
Okay, you're close. Remember that ' and " are two different characters.
Sure
May I PM you?
yep
Thanks my friend
struggling a bit in https://tryhackme.com/room/blaster i got into the box, but then it says to search the browser history and I only see IE and there is no history data. Am I missing something? ||I have started searching eventviewer now, but that is very slow on the windows box and I don't think it's the right answer||
tryhackme internal -
i got to the stage where i made a ssh tunnel to access jenkins on my localhost after that i tried bruteforcing the login page
||
martin@martin-Blade:~/thm/wordlists$ hydra -l admin -P rockyou.txt localhost -s 6969 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
[6969][http-post-form] host: localhost login: admin password: 1234567890
[6969][http-post-form] host: localhost login: admin password: hannah
[6969][http-post-form] host: localhost login: admin password: amanda
[6969][http-post-form] host: localhost login: admin password: loveyou
[6969][http-post-form] host: localhost login: admin password: pretty
[6969][http-post-form] host: localhost login: admin password: basketball
[6969][http-post-form] host: localhost login: admin password: angels
[6969][http-post-form] host: localhost login: admin password: playboy
[6969][http-post-form] host: localhost login: admin password: flower
[6969][http-post-form] host: localhost login: admin password: tweety
[6969][http-post-form] host: localhost login: admin password: hello
[6969][http-post-form] host: localhost login: admin password: elizabeth
[6969][http-post-form] host: localhost login: admin password: andrew
||
it detected all these password but when trying to login with them none of them work
i also tried changing the grep filter at the end but all it does is that it detects different passwords which also dont work.
what could be the issue?
Your command is wrong
what do you mean?
Hydra is incorrectly detecting whether the username and password is wrong so you're getting false positives
okay but what should i change it to? i already tried everything that was on the login page
@white salmon the 3rd section "stuff:stuff:here"
yes i get that but what should i change it to? this is the whole login page
i just used wfuzz and filtered by size
in ZAP?
you could use that too
okay ill give it a try thanks 
hello guys , im solving unbaked pie room , and i deleted the payload.png by accident , the PE part need that image ,any way to create something like this image work with the pytesseract lib
hey guys, i am currently doing the networks services room. Task 4, last question and i am facing a problem. I am really close of solving it but when i ssh into cactus i dont know the password and i have no clue how to find it. Can someone give me a hint
hey guys i m stuck on the CCT2019 room any hints ???
finally cracked it with burpsuite the password was: ||spongebob|| anyways thanks for the help
@white salmon
Did you download already the id_rsa? thats the authentication keys for solving, then when you get it,
sure, good day bro!
nice! its hard sometimes but not impossible! good day!
I remember doing a thm room, in which we have to do something with a tmux session in /tmp/tmux-* ... can someone point me to it or the exploit used there...
still struggling here. Anyone have any advice?
Hello everyone! Does anyone know how to crack a salted password? i have the salt hash and the password hash.
what room?
Simple CTF - https://tryhackme.com/room/easyctf
i have these values. I just need to crack it
I struggled a bit with that one.
which task was that?
so task 18 from 25daysofchristmas is apparently the entire ||blaster room||. So the place I got stuck on the task is the same in the other bit. Has anyone done either and can give me some kind of hint?
@little sable You need to say where you're stuck
Otherwise no one knows if they can give you a hint
I'm stuck on task 3, first question of ||blaster|| or task 18 third question of 25daysofchristmas. I checked for the ||browser history|| according to the hint, but that seems to be cleared and so I don't know where to look. I've started hunting through the ||event viewer|| but that seems like the wrong direction
The CVE is pinned in #room-help
The history contains searches for 'how to patch CVE-whatever'
oh thank you so much
I think the pin is gone.. I don't see it (read the pins 3 times)
Ok it should be a hint on the blaster room?
there's a youtube vid a few questions past where i am as a hint
that was enough, thanks
hey guys, i need some help here. Wifi hacking 101 room, task 2. I must put an interface wlan0
i have a wireless adapter but kali machine from tryhackme doesnt recognise it
Unless you have a wifi card on your kali machine, you won't have one.
The THM kali or attackbox isn't running on your machine
It can't have wifi adapters
It's a fully virtual AWS VM
The room is theory
You can't attack an actual wifi network using THM's attackbox or kali, no
You can complete the entire room though.
You were told the requirements at the start of the room
```You will need a monitor mode NIC in order to capture the 4 way handshake. Many wireless cards support this, but it's important to note that not all of them do.```
ok, thanks man
25daysofchristmas - Task 11 [Day 6] - What data was exfiltrated via DNS? < any hints on this. I have recovered the files via the pcap. I have cracked one of the file's passwords and answered Q2. I have extracted the hidden content for Q3. Just stuck a little on Q1. Perhaps overthinking it but a hint would be welcome.
Filter to just DNS traffic @blazing thorn
You were told exfiltrated via DNS. That's not anything to do with files.
@stuck fractal thanks, i did that for Q2/3.
I've read some writeups and have a hint
apologies for not looking at them first
I gave you a hint
Hey Hey. I'm in Room LinuxCTF. Having a hard time with this question:
Flag 16 lies within another system mount.
I can only find one file system mounted... any ideas?
@cosmic skiff If you plugged a USB into an ubuntu machine, where would you look for it? Look there.
thanks much! Wouldn't have found that in like a million years
I'm running mount lol
What question?
No problem
Ahh gotcha
need help with binary - shiba2
That's very vague
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
hey gents, im currently working through the windows privesc room in the beginner track, task 9 - checking the registry to find autologon credentials. I've looked the output of both commands provided, and can't find any entry for the autologin password. anything obvious I'm missing?
need help, doing OWASP-JuiceShop and i am on a part where you need to reset password for jim but i can't reset it, it doesnt allow me to input security question ?
you've misspelled the last part of the email juice-sh.op , I think it should be
or something like that
I'm wondering a bit about the https://tryhackme.com/room/encryptioncrypto101, the question about what company the TryHackMe cert is issued to, but when I inspect the cert it has no owner information at all. Only the url it is valid for. The current cert is also fairly new so is there something I'm missing or is the question broken?
Hi everyone I am trying this new room called onepiece where I have to use stegcracker to find the hidden username . I am using rockyou.txt but even after so many hrs I am not able to crack it . Can anyone suggest a shorter wordlist or hint ? It would be helpful
Never mind got it
Is there anyone who has completed ICE manual exploit recently
I have tried many times now and failed to get reverse shell. I did generate shell code correctly and it seems to execute without any errors but nc does not get any connection/reverse shell back.
you might wanna check this out https://www.venafi.com/education-center/ssl/how-to-check-ssl-certificate
Hi everybody. I am working in the Room "The Year of the Rabbit" and I have to listen to a video. But on the attack box, I don't have any sound. Can somebody help me please ?
Hello!
I'm trying to solve Room called: Basic Pentesting.
I'm trying to reach user j.. via ssh by this command:
ssh j..@IP_MACHINE
and I got a message after a while:
Connection closed by IP_MACHINE port 22.
SSH connection is needed in order to complete all tasks and to gain a password.
What am I doing wrong or how can I get connected?
I've tried ping, ping working nicely.
Can anybody help me with this, please?
I did and while the screenshots there are a bit outdated for FF it seems. I might also be blind, but my browser (sorry for swedish) is saying there's no owner in the cert
It is there
It's just not the 'owner of the certificate'
It's the verifying company
oh I must have entered an extra space or something. I tried that first a couple of variations/times but never got the green light
thanks
Hi!
I'm stuck on the room https://tryhackme.com/room/furthernmap (Nmap). On task 8 it says "Why are NULL, FIN and Xmas scans generally used?". I've read the information provided above the question, but I still can't figure it out. Anyone who would like to help out?
It's in the text above
I'm stupid, I only read the very top section........ Thanks
I've run into something that is probably again just me mistyping something but on the encryption101 there's a gpg key that should be cracked with john and so I supposed I needed to run gpg2john on the tryhackme.key file but with john 1.9 at least this only gives errors which seems to indicate that the file has more than one key and that this is not allowed. Then I re-read and thought that perhaps I was only supposed to use gpg on the message with the key doing something like ||gpg --keyring /mnt/d/Hacking/THM/encryption101/tryhackme.key --decrypt /mnt/d/Hacking/THM/encryption101/message.gpg || but that just causes core-dump.
I'm stuck on the last question for Pickle Rick. Can someone help me out without spoilers?
You need to find a way to elevate privileges, I believe
I think thats what I needed. I'm just not familiar with a lot of privileged escalation methods except SUID. Do you have any suggestions of rooms that help with this? I might branch off, do that and come back.
Yeah there's a bunch of linux privesc rooms
Without giving it away, it is much simpler than you think probably, at least that confused me a while
thanks for the help.
I'm really stumped about gpg2john, I figured that perhaps it was a matter of this not wanting to work on windows so I transported the zipfile to the in browser attack box, but gpg2john only errors: ||# /opt/john/gpg2john tryhackme.key
File tryhackme.key
tryhackme.key contains plain RSA secret key packet!
tryhackme.key contains plain RSA secret key packet!
Error: No hash was generated for tryhackme.key, ensure that the input file contains a single private key only.||
Is this for advent of cyber 1?
no it's https://tryhackme.com/room/encryptioncrypto101 task 11
Are you sure the key has a passphrase?
You have the private key and some encrypted data. Unless the key has a passphrase you don't need to use GPG2john. You can just decrypt it using the private key
I tried that, though on ubuntu on windows and all I got was core dumped, but maybe I have better luck on the attack box
When you did what?
||# gpg --keyring ./tryhackme.key --decrypt message.gpg
gpg: Ohhhh jeeee: Assertion "node->pkt->pkttype == PKT_PUBLIC_KEY | node->pkt->pkttype == PKT_PUBLIC_SUBKEY" in have_secret_key_with_kid failed (../../g10/getkey.c:4498)
Aborted (core dumped)||
(it did some weirdness to the spoiler tag there)
Yikes
I got the same locally (had to b64 encode the zip to get it to the attackbox), not sure what I'm doing wrong
searchlight task 1 - do you understand the flag format? sl{yes} .... = wrong answer ?
Check the last bit of task 1
ah, gosh
ty
so if im using the web based vm, and this room has local files ... theres no way for me to download these files to my machine and then analyize them on the vm ... right?
unless i log into my account inside the vm, which seems like not a great idea
Can anyone provide me a small hint for Wonderland? I found the page saying that i should open the door to enter wonderland, but I dont find anything with gobuster or in the source code. Thanks!
DM me
hello everyone i am at the networkservices room task 7 and the fifo won't work for me to exploit the skidy's backdoor ... hint ?
You forgot the .RUN prefix
this isn't specified ? in the task anywhere
damn i didn't see it thanks !
@stuck fractal
It's in the help dialog
yeah i found it thank you men !
I am stuck on this one any help is welcomed
did you do a verbose scan, the reason is before the port list
Yeah i have found it my nmap was buggy
Doing the Linux Challenges. I've got everything finished except this one. "Flag 33 is located where your personal $PATH's are stored." I feel like I've looked everywhere a few times...
Does "PATH's" mean possessive or plural?
@cedar axle system set variables
@wild pier what file would you edit to set said $PATH on login
am I on the wrong user maybe @cedar axle ?
check the others
I'm having issues on that one as well Sin and Pood
...question on Flag32. Do you need to listen to it?
@cosmic skiff yeah, its an audio one
any thoughts on how to listen to it on the attack box. or I need to VPN in for that one to pull the file down?
nevermind. Got the VPN and downloaded it :D. Now i'm left for my search for the beginning of one of the flags and the $Paths one still
and now i'm down to one
Find flag 26 by searching the all files for a string that begins with 4bceb and is 32 characters long. Any hints? Should I not be starting my search at /?
Hi @arctic compass, you can use the same exploit to crack it.
Hey im doing the room "Remux the tmux" and I cant find the answer for "How can you run the desired plugin after loading it?" can someone help me please? This is the last question I have left...
how do we specify which shell is used when we login?
@twin heron iirc, the command should be after the set -g command (look in the screenshot)
you mean '@tepid wedgeugin'?
When exploiting NFS with the root_squash share do I save the file on the VM or on my actual computer?
@twin heron below, sorry.
No root squash?
I mean the bash exe
The suid bash needs to be on the NFS share.
I guess I'm stuck trying to figure out how to download the file properly
@chilly bane I still cant seem to find it..
What file? What room?
The bash exe that you download in network services 2/task4
Raw?
I think so
Show us what you're doing
hey, anyone who has done the windows privesc's room? i have an issue with task 9
we need a bit more information
Room: Network Services, Task 4
Issue: When trying to view the file Working from home.txt using more I get the error "NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Working". Trying to download the file using get I have the same issue.
Also side question. The lettering after each file, D,DH,N what are those? I tried looking it up in smbclient docs and couldn't find it
@old salmon directory, hidden
Spaces are used to separate arguments
The file name has spaces
Escape them or use quotes
Thanks for that! I tried using both methods, am I formatting it wrong?
I got it! I forgot the slash at the end 
it's ask for a passwd but when i execute that command i got no passwd
can't find that passwd here
not sure why it isn't showing there, you try to search HKU for password as well
OHsint room ...... question 3 ......can someone give me a hint .i dont want to see the writeups
I'm trying to figure out where I'm supposed to download this from. My main browser or inside the vm's browser?
What VM?
My Kali machine
guys i am doing Overpass room, i am using burpsuite for the login and i'm getting ||POST /api/login||. the problem is that if i try to go to ||IP/api/login|| it gives me 404
Yes, download it to there. @zinc bronze
Yes
/api/login only accepts POST requests
If you go there with your browser, that's a GET request
ooh ok thank you
How do I report that a hint is wrong/provides a dead link to the resource?
Perfect thank you
Hello ... What would be the best channel to get some help on THM Xmas challenge ?
When I download it I get a writing.git file instead of bash?
The first one or second one?
The upload one
Click it
In advent of cyber 2 or advent of cyber 1?
ok thanks
I got the file but it keeps saving in to my root folder how do I specify it to the Downloads directory?
Move it? Copy it?
It doesn't really matter where you save it, you're gonna move it after anyway
When I move it to my downloads folder it disappears?
You need to provide screenshots.
What
What are you trying to do
Because a) it's in downloads already and b) that's most definitely not how you use the cp command.
you are trying to copy the file to the directory that the file is already but you're doing it wrong
face palm I see what I did
This channel is not for pointing people to writeups. If someone does that in this channel, they're in the wrong.
okay
can you give a hint
Go to their home directory
i was there, i saw the shiba3 dir
there was to file( i think files, idk) test and test 1234
why am i here
What user are you currently?
shiba2
Type in your terminal cd
ok
stuck in lle playground task 6
Did you find a flag?
hint says its in .conf but cant seem to find it in the haystack of conf files
thx
what room is this? im not aware of an lle playground?
Linux Local Enumeration
I am stuck in task 11 of WIndows PrivEsc v1.0 room. I am trying to solve that with an alternative tool that I have found pre-installed in my Kali Linux. What's funny is that I see 6 different accounts but all the NTLM look exactly the same.
try searching files with that extension and grepping for "thm{"
Hello, I'm stuck in room Linux Strength training.. Final challenge.. I already found the password for the backup sql. My question is how to unzip the file 2020-08-13.zip.gpg of the sql database.. or am I missing a step? Thank you!
nada nothing
did grep -i thm{ test.txt
got the answer
i feel like for this particular task more hints should be given if needed
nice, i was gonna say check out how to pipe find output to xargs or using the -exec flag for find
the file name didnt have any thm{ inside
really? i was just basing it off the answer for Did you find a flag?
ahh understood
the next step was gonna be -exec if i still didnt find the flag value
do you want me to pm you what just worked for me?
sure
Look at the file name carefully, as it is, you won't be able to read or open it as it is encrypted.
hi, I'm stuck in room Linux Challenges... flag 3 is supposed to be where bob's bash history is stored, i.e. in his homedir
Is that where Bash history is stored?
the file .bash_history is in ~bob
Is that a file?
ah
There we go
I am enlightened, many thanks

I mean, in a sense... it IS a file... but it's only written to when logging out.. so yeah, I get it
I know I have to decrypt right? I used the gpg command to decrypt but won't work.. been stuck in this step for several hours.
Hi there!
Can someone please help me figure out what I'm missing..
I'm doing the Searchlight room, and in task5 (the coffee shop) I can not find the surname of the owners.... Please give me a little bit of help here.
Hold on bro. I'm trying it now
Please don't give direct answers in a hint.
Or at all
@white salmon look up in the explanation above carefully
Thanks for your help. I did
Oh the CC pen testing room task 4: and looking for the hidden file. My question is how do I know the path for the wordlist? I don't see any reference on the writeups. Can anyone help?
@stiff siren use one that comes with kali
/usr/share/wordlists/
There's dirb and dirbuster lists
Thanks!
I'm working on Alfred. I created the payload. I have it uploaded. I have it executing. I'm getting a "Meterpreter session 1 opened" but then I can't type or do anything. I've already rebooted the AttackBox and the VM. Any ideas on why this happening?
Screenshot please
Stuck here. I got the connection but pressing enter doesn't give me a prompt. If I ctrl+c, it stops the "listener"
I can't type anything until I ctrl+c. I'm probably doing something wrong but it's not obvious to me. To be honest, been playing with this all day and probably need a break!
Thanks for the help. Gonna try it again tomorrow for now.
@stuck fractal I figured it out. I had to try it last one time. It had to do with the way I was launching the meterpreter reverse shell.
The tool I have used is
||samdump2||, but I don't know if it is working or not...
||──$ cat hash.txt.orig
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::||
@umbral hatch samdump2 doesnt work on newer windows 10 sam's, notice all the hashes are the same?
Yes. I've noticed that, and the hash I received was for "empty", I think. I will try your advice in #room-bugs message.
@fickle pollen, I was able to get it by using Google.
Hi! Does anyone here already did the NIS - Linux Part 1?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done.
hi looking for a hint and an explanation of what im doing wrong if possible
Room: Nmap
Task: 14
the question that asks you to perform a tcp SYN scan on the first 5000 ports
i need to find how many ports are open on the ip
command im entering is sudo nmap -vv -Pn -p1-5000 <IP>
and it says all ports are filtered - no response
try -p- it will scan all of the ports (will take a bit time) instead of -p1-5000, (which is only scanning 5000 ports)
@solemn folio
Ty for the help potato!
I ended up restarting the machine and it ending up working
Not sure what happened but I prolly let it timeout and added an hour and didnt refresh
Have anyone completed 'Attacking Kerberos' room?
I remember having to restart the machine several times in that room, I think the firewall may be kicking in is the problem.
can anyone help me with the windows privesc room
i was trying to dump hashes using SYSTEM and SAM files through creddump
and I'm getting this
File "/opt/creddump7/framework/win32/hashdump.py", line 117, in get_bootkey
class_data = sysaddr.read(key.Class.value, key.ClassLength.value)
AttributeError: 'NoneType' object has no attribute 'Class'
Hey, I'm stuck in Mr.Robot room, since I'm not really sure how to bruteforce the credentials
wpscan is usually easier than hydra for WordPress
Remove duplicates from the password list
can anyone give me a hint on getting root on Internal
I'm trying the nmap room and I'm stuck on the Task 14 Practical question There is a reason given for this -- what is it? ** *******
Anyone that can help me out I feel like I'm in a need and a haystack
the 2nd question?
3rd question
did you do the Xmas scan?
so whats the reason theyre all coming back as open
Resets
right so ur not getting a what from the ports
lol did u get it
I spent like 30 minutes on that lol
I think because I look at the stars I'm like no responses makes sense but there is a -
Thank you that was more just not reading mistake
np
Please don't post answers @kind mauve
is anyone available for a hint on root on Internal
@midnight swallow
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
im stuck at privesc, im in as user right now. i tried sudo -l, looked for suid binaries, ran linpeas and looked through conf files, tried leveraging groups the user is in, i saw sudo was outdated so looked into exploits for that
I know the service running internally but no idea what to do with it
Did anyone try and solve the 'Binex' room? If yes, can you please help? With both ASLR and PIE enabled, predicting any address is impossible, and there's no usable gadgets.
What am I missing>?
Hello, does anyone know why I'm getting this weird output? I'm using web base kali linux.
@stiff siren You didn't extract the wordlist
It's still compressed
You need to extract it
Oh my bad I see it now! thanks!
what was the command you used?
Is it possible to diff more than 2 files can't find an arg in man
Linux challenges task flag 13
Having more trouble with this one than I thought
In the question it references scripts I'm assuming it's the ones that are in the update-motd file
Solved
anyone available to help me with attackive directory?
im at the step where i gotta use secretdump.py
but for somereason its not working
im putting the right password too
@white salmon did you add it to /etc/hosts?
the .py?
why would i need to?
@white salmon so how is your machine going to map that to an IP address?
It needs to use DNS because it's a name. It needs an IP.
ah so use the machine ip after the '@'?
So you either need to add the target as a DNS server (which is usual with DCs) or add it to /etc/hosts so it resolves.
thanks so much
i had a feeling that was the issue
i tried the machine ip '.local'
but never thought to try just the ip
Try it?
Cat that full path?
I'm gonna delete it as it's a huge spoiler for the room
Okay sorry yeah I can delete it
I was putting it backwards. Thank you
Hello. I am doing "Windows privEsc Arena" room and there is no info about how we have to send files on windows. Is the "shared folders" from remmina the intended way? Or is there another way we can do it? (ssh port is closed)
@true zinc easiest is probably going to be python http.server, followed by smbclient
Thx.
But why use smbclient? If I wouldn't be able to download file with http?
@true zinc smbclient is probably the second most easy way to transfer a file
Hi all I am new to tryhackme. I started with the fundamentals and am stuck in the linux fundamentals part 2, task 11 - shiba2. I don't really understand the question. "This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable." I need shiba3's password
so you have to create an environment variable called test1234 which is equal to $USER
read this page again
ok, I did the export test1234=$USER
but I don't see how this can lead me to another user's password
now run the binary
yes! Got it heh. Thank you @cedar axle
hey guys, room OWASP Top 10, task 11:"Use the supporting material to access the sensitive data. What is the password hash of the admin user?"
i try to sqlite, but when i type the commands i get no answers
can someone help me
@fossil cosmos , man you are asking for the answer to previous task ...
That's not a good practice ...
Try redoing previous steps and retyping all commands
if you get to same result redeploy the vm and try again
ok, thanks
the task works i did it yesterday
@fossil cosmos
- to open the db :sqlite3 <filename>
- to list tables : .tables
- to read value : SELECT * FROM <tablename>;
Mind the . and ;
i did that man, i am telling you it doesnt work for me
can you pm me with the file ?
can anyone help me? I am in a room and can't seem to get AD to work?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
ok ty
I am in intro to windows room
deploying active directory room
the machine deploys, but can not see the AD at all ?
hope this makes sense
terminated machine and then redeployed machine still see nothing
?
...see nothing?
What are you expecting to see?
What do you mean here when you say AD?
Active Directory machine
maybe I am confusing myself
You're confusing me because you're not answering my question
Be specific here What are you expecting to see?
task 6
So you click deploy
What are you expecting?
There's a single question I'm asking.
I'm giving up
You're refusing to answer that single question
And as such, I can't help you.
Users and Groups Management in Active Directory
Deploy the machine and authenticate using RDP (on Windows) or Remmina/Xfreerdp (on Linux) with the user: Administrator:tryhackme123!
when i deploy machine
When someone asks a question to try to help you, it's best to answer it.
okie
Being ignored tends to frustrate people, and remember we can't see your screen or read your mind.
You need to explain to us and/or show people what you're expecting and what's happening
Hi Guys
I keep getting [Error 110] Connection time out when i tried to use impacket for kerberoasting in the Attacking Kerberos room. any hint on what might be the issue. I've googled nothing useful
idk, but my problem was that I wasn't a sudo account
use sudo -i and then try to run that python script
**sudo python3** etc didn't work for me
@balmy dock
I'm actually logged on as root
python3 GetUserSPNs.py CONTROLLER.local/Machine1:Password1 -dc-ip 10.10.191.100 -request
I don't see any problem... wait for someone else to respond, I'm sorry 
Thanks for the help
i think it was connection issue. terminated the machine and re-deployed it and everything worked fine
welp i need help on room Easy Peasy at task 2 question 2
i went on ||<ip>:65525/robots.txt|| and i see the ||user-agent is like a hash (?)|| but idk how to continue
Maybe try crack the hash if it's a hash?
can i hide an image ||like this||?
||rot||
what's that?
Caesar
oh yeah i found out thx
doing the splunk room and im stuck on the ip 8000.. it pulled up a cyberchef website
Use the deployed machine's IP
Not your attackbox's IP
in the attackbox correct?
In the attackbox browser, or your own device if you're connected to the VPN
Ok.. I was connected to the VPN and it pulled up the attack browser and had a desktop, but I was unsure of where to go from there.. I am just starting out and this was the first room I tried is there a different one that I should start with?
Click the deploy button
The green one. In the room under an early task
ok... I always skip that task.. I have been on this room for 3 days.. Pulling my hair out...
I highly recommend avoiding skipping any tasks
I had done that on a previous task and left when my hour was up and forgot to go back..
Hey, i am on the dogcat room. I tried ||for the view-GET parameter the following command, that parameter should be vulnerable to LFI or RCE i think: ../../../../etc/passwd dog %00, so i think i bypassed the filter for dog or cat, it only seems to look if in the string is dog or cat and there is no php at the end. But i cant open from here any file. So per dirbuster i saw there is a flag.php inside, but i cant even open that, with reverse travel or not. || Would appreciate a small hint, researched a lot but didnt find anything useful for me. It responds with something like ||"Warning: include(): Failed opening '../../../../etc/passwd ' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php on line 24"||
sometimes it just borkes, especially || if you have been screwing with the access log||
might have to re-deploy if the problem persists
hint:
||instead of null-terminating it, you could just include it at the start.||
||so something like cat/../../../../../../etc/passwd||
|| IIRC i used that||
@jagged gust
Hello guys , i got a problem with BOF preparation in first task , i can't see the offset in the log debugger , some hints?
I'm having a hard time exploiting with a private RSA key. I feel like I might be missing a vital step here. I have the privkey, I know what the username is, and the SSH key doesn't have a passphrase on it.
Room?
thecodcaper
mf
fair enough
I even tried to add my pubkey in the authorized keys file but it was a no-go
Am I supposed to be able to complete this entire room in www-data? Because I was able to do so, with exception to finding pingu's pass
why would sudo -l tell me I can run these 2 commands with no password and then when i try to it prompts for a password
Did you have to enter a pass to use sudo -l ?
Screenshots
Sudo is incredibly strict on how closely you follow what you're allowed to do
And what are you running?
||sudo perl -e 'exec "/bin/sh";'||
Correct me if I'm wrong, but don't you need the whole path to the binary ?
even if i run it while in /usr/bin?
What happens when you run that command ?
i get prompted for sudo password
No, you're not allowed to run that command
You're allowed to run, VERY specifically, that file with perl
Not perl as a whole
Just perl /home/itguy/backup.pl
Full path for perl is optional
oh
Not if it expands, via PATH
You do need the full path to the script tho
||I wonder if that script is modifiable... hmm...||
Also what room is this ?
LazyAdmin
got it thanks guys,
Nice job
Can I get hint for ccradare2 room..
I m stuck at this question
What character do you press to run normal Radare commands inside visual mode
Kindly tag me if u have a hint
Hello guys! I'm currently working on the "Windows PrivEsc" room, and I'm stuck on Task9, "Passwords - Registry". The Task needs me to find default login credentials, however for the admin autologin, there is no such key.
Never mind, guessed it
Hello, Anyone knows how to fix error in configure of openvpn?
Sat Jan 2 17:53:02 2021 TLS: Initial packet from [AF_INET]54.193.240.194:1194, sid=e0e195d8 798cdcfe
Sat Jan 2 17:54:01 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 2 17:54:01 2021 TLS Error: TLS handshake failed
Sat Jan 2 17:54:01 2021 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 2 17:54:01 2021 Restart pause, 5 second(s)
try #site-support @plain mango
room "DailyBugle" SQL injection
sqlmap takes long long time, is this normal (i used the sqlmap string from the joomla vulnerability - should be fine)
its testing and testing ... 15-30min now
normal?
ok looks normal, got the output now
I'm a bit confused by task 7 on https://tryhackme.com/room/windows10privesc , the reverse shell I get upon login, I am the same user as I originally was on the remote desktop so it didn't seem like any privesc
Do you need quotes for all those params?
The question states double quotes
Try double quotes.
im on marketplace as user || michael|| and im having trouble owning root. i see interesting set of stuff to compose a docker container in ||/home/marketplace|| but im unsure if thats useful because it looks like it was possibly made to genuinely configure the box on startup. a nudge would be appreciated.
rustscan didnt do that
trying
hey guys in the room "What the Shell?" i'm having an issue on task 13
I created the new user, got it on admins group but i just can't login with it
am I missing anything here?
Looking for a hint on Linux challenges. Looking for flag 16 in the system mount. I have tried DF and grepping within the file systems I see with no luck
In the Splunk room the question "what is the website where you can find the Splunk forums at?" the answer is outdated. The current answer is 'answers.splunk.com' however the new website is ||community.splunk.com||
I am stuck in this particular part, if anyone can give me hint? Thanks
Name of the room: mitre
struggling a bit with https://tryhackme.com/room/25daysofchristmas task 25 (day 20). I got in with ssh and the password but I can't figure out how to use the cronjob to do the privesc bit. I don't seem to have permissions to ||write files to the path directories or the cron.hourly directory||
Does anyone finish One Piece
Just ask your question directly
I have been working my way through the https://tryhackme.com/room/linuxprivesc room but I can't seem to apply the same techniques here so I'm confused
in fact, according to the description, there should be a cron job that runs every minute, but there isn't one on the deployed vm...at least, not one that I can find
did you try overwriting /usr/local/bin/overwrite.sh and see?
that works fine in the linuxprivesc room, but there's nothing here and I can't write to the directory
and I mean, nothing
I legit see nothing I can change here
Try running pspy (32s) https://github.com/DominicBreuker/pspy
@little sable There's multiple crontabs
It's probably in root's personal crontab
I'd look around the system for a script, maybe even in your home dir
wait..how am I supposed to know that this thing is running every minute? (I did come across this script ages ago. But I even watched top and I had no idea it was being executed)
I know what script it's going to be
just no idea how to know that the script is running every minute
yeah, definitely triggered it
no idea how I would've found out
pspy I guess, but it's not installed so I would've had to scp it to the machine or something
Can someone please assist me with the Windows PrivSec room, task 9, I'm missing the PW and have searched the noted path manually as well.
I'm stuck there too, I was wondering if that AutoLoginSID could dig up more info, but it seemed far-fetched
Hmm, im confused on https://tryhackme.com/room/scripting, i've tried sending bytedata 'add', number, etc but i wont get any proper response to the first port in the loop. Am i not supposed to send the starting number 0 to the first port? s.sendall(bytes([0])) ? And the first port is the port that is currently displaying on :3010
Nevermind...
Unclear instructions!
did you unpack your rockyou wordlist
i tried it
but?
this happened
you need to unpack it before you use it with john
but in the room this cmd was only given
gzip -d rockyou.txt.gz
run this command in the folder containing rockyou.txt.gz
thanks for your precious time
you're welcome
its taking some time is it common
so it will crack the hash from wordlist??
if you run john with the unpacked wordlist yes
what exactly is john
the command mentioned in the description above the text
i mean what it does ???
cracking tool for passwords
dm
okay
Hey all, I was doing owasp top 10 room. I have a doubt regarding broken authentication section where you could re register a username with slight changes like "admin" to " admin"(space at first). I didn't get what can cause this issue. Doesn't adding space at first will make the username unique coz the database(say mysql) and backend(say php) will consider "admin" and " admin" to be different?
Not posting any spoilers just saying what's written in the Introduction.
@mild silo
hints please
Are you sure it's a suid escalation?
how do i make sure that
Nothing stands out to me there so I'd keep looking for different vectors
how to know whether its a suid escalation or different
If you can't find a suid privesc, then it's probably not a suid privesc?
kay
Anyone working on windowseventlogs room ? I think there is an error with answer for 5-4
I got the right command, that is the answer to 5-2 but if I copy&paste the part of the output requires I get wrong answer
ok, I just solved, there are some extra dots at the end of the output
Room: Blaster ||I know I am supposed to be looking in the browser history but it is dead empty. I have restarted the machine and still have the issue. Any ideas?||
Yep it's being fixed
For the CVE?
Hello everyone! i am stuck with mitre rooms Task 7
Yes, If not I can go googling around for a walkthrough that has it too.
What about?
Per the detection tip, what should you be detecting?
What platforms does this affect?
latest questions for this room
they aren't as obvious as you would assume but they are there.
I had to dig for those too
Oops ! GG
got it?
nope xD
@quartz ruin You ever get it? I asked for a link to the page you're looking for the answers on. Send it over.
hello guys, I need help with the task 7 (Bypassing Client-Side Filtering ) of Upload Vulnerabilities. I am blocked there for hours. I am able to upload the shell.php and I can see the file in http://java.uploadvulns.thm/images/. However I am not able to reserve the shell with netcat. I am listening on the port 1234. Someone can help me?
Have you tried a different port
It is a first time that I am doing the reverse shell. Should I set the port on the php script? I am using the script of the task 5
it is the first time** sorry
That's not a reverse shell payload
To use that payload, you'd go to /shell.php?cmd=ls for example
cmd is a parameter that PHP will take from the URL and run as a command
Hmm ok, so if I use something like that <?php
echo system($_GET["ls /var/www/"]);
?> I will be able see the file then cat it ?
No
$_GET["var"] is used to get a parameter from the URL in a GET request
You'd want to do something like curl ip/shell.php?cmd=ls%20/var/www/ and then curl ip/shell.php?cmd=cat%20/var/www/ThisIsASecretPasswordFile.txt
Thank you! I understood.
Can anyone help me with the last step of retro?
when i open hhupd.exe and click on certificate it pops up with two options ... to use default or to choose an app.. but both can't be clicked
??
I tried web based rev shell too... but returned can't daemonize
hello guys any hint on this question : What MITRE ATT&CK technique is associated with powershell/trollsploit/voicetroll ?
How would I go back to meterpreter from powershell? I am on Steel Mountain task 3 if it helps
No the mitre page lol
hey guys, on windows privesc room on task 3 I tried as the instruction says and nothing... tried different ways with the "" and " but I really don't know what to do.. can you help me?
Does anyone have any hint for this question? Room: https://tryhackme.com/room/mitre
hey guys, i am facing a small problem at OWASP-Juice-Shop-task4-Question #2: Reset Jim's password. Security question-Mother's maiden name
i put the name and nothing happens, i tried everything
You sure you got the correct "eldest siblings middle name"?
Is it not Owasp Juice Shop you are doing?
Task 4 aka "Who broke my lock?!"
yeah
man, really now?
I'm tryna confirm the room you doing cus mine says Jim's password
hey guys, i am facing a small problem at OWASP-Juice-Shop-task4-Question #2: Reset Jim's password. Security question-Mother's maiden name
The Star Trek thing
Can you screenshot the task?
@fossil cosmos read, all of jims posts and comments
^^
~I don't think I did all that iirc~ I can't remember KEKW
Just did smol googling & got it
you might need to OSINT as well
what do you mean
do some googling about james kirks mother
you give up too easily
You did it congrats GJ
lol
Hello, I have a question about the room https://tryhackme.com/room/windowseventlogs (Task 2, Question: What are the total number of events?) Is "Windows PowerShell log" identical to "Microsoft-Windows-PowerShell" (from Question 1)?
answer is no :)
@white salmon The Windows Powershell Log is the Log Name itself whereas Microsoft-Windows-PowerShell is the provider name. When youre filtering with Powershell you can use either one to look through the events.
Hi All!
The Attacking Kerberos room:
Question: What two services make up the KDC?
I know the answer but can't seem to work out the order or what the question is expecting to see. Can someone please help me
use the acronyms with a comma between them
thank you for saving me from that headache!
Can anyone please help me with BOF Prep Rm - TASK34 - OVERFLOW3?
I got the badchars but the system is not accepting them!
Ignore my prev question about mona.. i figured it out.. took me only 3hrs... :/
got a question for linux fundamentals, for "What flag outputs all entries" thats just ls right?
No
The command is ls
A flag is something you supply to the command usually after a -
.....thank you, i cant believe i overlooked that, i was literally going insane
Has anyone finished the "Windows Event Logs" room? In Question "Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?" I already found 2 working queries, but they do not match the flag. Any hints?
@primal mantle it starts like this
you can see how to construct a query?
*/table/key[@subkey=data]
guys, there's no -u option in gobuster when i want to run gobuster -u
what can i do
what input do you have when you type " gobuster -h " in a terminal
nothing
gobuster -h will show u basic help manual
and what you have to do if you have to read about something in a descriptive way, is present in the help man
Yeah I know but it's weird that he doesn't have the basic -u command when running gobuster
no because it depends on what you are doing
gobuster is not limited to directory enumeration
directory bruteforcing might be a better term, so it goes like "gobuster what you want to do parameters"
Yeah it's true
@cedar axle thanks i queried the specified log via EventID +key/subkey and now i saw i had a typo in the timestamp
Did anyone ask question 6 of task 7 in the Windows Event Log room? The dates in the evtx file do not work as an answer to the question.
hi, i'm tackling simpleCTF --> 46635.py seems not to work on 2 machines i have, i think it's python related -- requests + termcolor modules correctly imported -- any help / suggestion is deeply appreciated
Increase the time in the exploit
It's a time based sqli, so increase the time so it doesn't get false positives
@glad briar
i tried as follows, editing the script --> 2, 5, 10, 60 ,120 ,6000 --> no changes whatsoever...
Are you pointing it to the correct directory
shame..done, thanks B10b
That worked?
oh yes, misspelled directory..noob mistake
Awesome
Hey, working on that one now. Did you have to edit the script to work with python3?
big hint - try other versions
Thanks
Thanks. I just needed to learn how to install modules on both versions
no worries, great!
I'm a bit stuck on https://tryhackme.com/room/steelmountain task 4, doing the ||Rejetto|| exploit manually and doing it from either of the attack boxes. I haven't managed to figure out how to bind a webserver to port 80 on them (since it seems bound on various interfaces) so I hacked the exploit and added "%3A8080" after ip_addr in the vbs assignment. I can see that my 8080-server gets the correct requests for nc.exe, but nothing ever happens on my nc -lnvp 4444 (I updated local_port to match that port)
in investigating windows for the C&C IP where is the best place to look for it
In room "OWASP Juice Shop" Task7 question #2 "Perform a persistent XSS" I'm struggling to get the flag. I'm quite sure, I did everything right
.
At least the xss alert occurs after logging in again. I've tried it several times ... with burp running and without but nothing.
It's driving me crazy, since this is the only room left to close a path.
in room motunui I've got a shell but when trying to run a cmd ie. (id, or other) simply return kills the shell. I've looked at writeups and used the same route as them.
@digital iris stop causing people pain^
can anyone give a hint on the windows events log room? I am pretty sure I have the right answer for Task 5 question 1 but it will not accept it.
@gusty kite If it won't accept, it's wrong. Look at the format they are providing you and make sure your command matches.
@barren rapids it looks like it matches.
it gives me a sane output on the deployed machine
@gusty kite One more hint, there was more than once where I thought I had the format correct and I was using the wrong words even though they were the same length
have you finished this room?
Yes
could I maybe send you my answer and maybe you could hint me on where it is broken
Sure
ahh nevermind. the format had a bit more that was hidden as it is such a long command.
I'm doing room Network Services, last question on task 4. I've downloaded the id_rsa file from the SMB share but can't figure out how to ssh in. I've tried ssh -i ./id_rsa [IP] which assumes I'm trying to access as root and asks for password. I've also tried ssh -i ./id_rsa john@[IP] and then it asks me for john's password. I thought the whole point of setting up ssh keys was to avoid using passwords for ssh. Am I just formatting it wrong?
Did you chmod the id_rsa file?
yes, did chmod 600 id_rsa
I guess you didn't format the id_rsa file right. Or something else I'm missing cus missing ss
I used developer tools to see the full line for all those
@white salmon
there was no formatting involved though; just a simple get from within the smb share which put it right in my /root
Ah right
Ok so do you have ss?
sorry what do you mean by ss?
Username is ||cactus|| not John
I meant Screenshot kek
John is the wrong username
It's always something ridiculously simple being overlooked in tech support. Thanks!
No problem 
I have just found tryhackme-page.
I cannot really find how to login to the virtual machine. Is there a channel for this kind of questions or is it ok here?
i think it would be best fit in #site-support, but try to explain a little bit more what is wrong
and now I'm running into another issue, same room, end of task 6. The question asks to which user could port 8012 (tcp - presumably about to use for telnet connection) belong. There's 5 stars as format hint, suggesting a username 5 characters long. The only username returned by enum4linux which is 5 long is guest, but the question rejects that answer. I tried all the other returned usernames (e.g. administrator, krbtgt, etc.) and none are accepted for answer. I also tried "admin" even though that's not a returned username
Look at your ||Telnet session|| welcome result
Ohhh, it hadn't occurred to me to try the connection already. But without any authentication I had no reason to wait
Enumerate enumerate enumerate they say

yeah I should also remember that just because one command (enum4linux) gives me some possible results, that doesn't necessarily imply complete info
interestingly, the room doesn't prompt us to try connecting until the next task
Iirc it's in the Nmap scan as well or Enum4linux can't remember clearly that
https://tryhackme.com/room/windowseventlogs > any guidance on Task 2 Q2... I'm not too familiar with Windows but it's saying 482 total events but does not seem to be the right answer ๐
so I killed the original deployed box and redeployed
got the correct answers this time
first time around there were logs from today in the event viewer which I'm guessing is throwing the # of logs off
I have no idea what to do with the second question on task 29 (day 24) of https://tryhackme.com/room/25daysofchristmas I followed the hint and looked for kibana cves, but I can't figure out how to use them and I can't find any examples online
Hey everyone!
I'm doing the windows10privesc room and can't get past task 9, the autologon credentials aren't listed. Am I missing something?
https://tryhackme.com/room/zthobscurewebvulns I'm having trouble with a JWT exploitation (Section 3 - JWT). What data am I supposed to forge exactly?
When I get the secret its much shorter than expected.
Not sure if i am missing something or if it's a bug. But i am not sure what else to do. I am not filtering (as far as i know) but the room won't take my input.
SPOILER ALERT
It would help if you put which room this is
Yes of course, stupid me. This is Windows Event Logs.
lol, it helps if one actually downloads the netcat binary and not just the webpage hosting the link to the binary.
I gave up on that one, I searched the entire registry for the correct credentials (you'll learn them in a later task). It seems broken to me at least. And someone else had same issues when I was doing it.
Have you solved this issue? I had the same problem. I ended up having to reload everything and start again as I kept getting different results.
I have not been able to resolve the issue. I cleared all filters but i am not getting different results. From what i see from the the size of my logs is way more than the 68kb that is mentioned in the room. I think this could be the issue.
I suppose i'll move this to bugs i guess.
@vagrant ibex
I'm still stuck on task 7. Let me quickly go back and have a look to see what answer I get now.
I didn't have this issue but I read right above you someone relaunched the machine. Apparently, powershell events for the day were added to their logs so it threw off the count.
Did you @white salmon get it to work? I restarted the machine and went directly to check it and got it done. The number in the top might apparently get stuck sometimes also. Filtered and selected the events and it told me how many I had selected. A workaround if it doesn't change after filtering.
I did try to unfilter and filter in multiple instances, but i suppose you have to get lucky ^_^
I need HELP! I am working on a tryhackme room Windows Event Logs. I know the answer is correct, yet I am getting incorrect
which question
Task 2 - Q2 : What are the total number of events?
are you using the number listed at the top of the winevent window
I did that. I correct incorrect when I submitted it
are you in the correct PowerShell logs?
I believe so Operational
Check the #subs-room-help channel. They are discussing this.
Hey guys. I'm pretty new here and I'm stuck on a task in the Linux Fundamentals room, in that I don't understand what the question is asking me to do
What's the matter?
I'm stuck on Task 11. It tells me the function of a binary and then asks me to find a password
And I'm not sure how I'm supposed to start, or honestly that I even understand the question
Hi @lone locust. This is a bug i reported in #room-bugs.
There are 3 Linux fundamentals
@winged mist I'm on Part 2, Task 11
You are to create an environment variable called test1234 which is equal to $USER & then run the binary
Ok I get it now
on to Part 3
@barren rapids Thanks, I will
Thanks @white salmon for the update on this
https://tryhackme.com/room/adventofcyber2 having problems with understanding wfuzz, I think I have the most part of the command in task 9, day 4
Question:
I have everything until the domain, but i dont know what to put after /
#778305825797177374 but normally when you fuzz you would have something added after the api.php
thats what i dont know, i supposed api.phpFUZZ but its not
Good eve. I managed to ssh and get inside the account in the NFS room, now I'm tryna exploit and it says I should download the bash executable! Where would I download that from? Thanks sm in advance
pointers for https://tryhackme.com/room/mitre task 4 q1? I'm not sure which analytic it references and what it's specifically looking for
when you open the CAR link, it the last section
@glacial gust thanks!
np
@zinc oyster very cool, thanks for the feedback. Man I searched for two hours on that task. I learned a lot in the process, good to know I wasn't the only one scratching my head.
Linux Fundamentals Part 1 task 9
i was told to come here for help i think its a simple question but I just started and am confused
if you do a touch <file> and do a ls does the file show up
yes
what's up @icy shard
and then what i thought i do is /tmp/aa/noot.txt
nothing just stuck on something
What are you stuck on
i just started this room and im supposed to make a file called noot.txt then open it to get a password
I think you need to have the file in the shiba1 folder not /tmp
??
there should be binary in the home folder
If I remember correctly you need to run the binary
where is the home folder
i tried
i really did
type ls and send screenshot of what appears
it is the folder you go to when you log in or you can do "cd ~"
so what do you do then ??
if you type ls in the folder you should see a file that you can run
when it runs it will give you what you are looking for
Not quite right
You need to run the binary
Not the empty text file that you created
Note: the name of the binary is shiba1, as shown in the title
oh
so i do
/tmp/aa/shiba1
No
Why are you prefixing stuff with /tmp/aa?
You should be in your home directory still
Go home.
ok
Create the file there
thank you very much
Then run the binary, which is in that folder
can you grab a screenshot