#room-hints
are you logged into the linux host
not sure
You're not
You need to use the window in the room
JAMES
NO
you need to deploy the host for the room
in task 1 there is a button that says "Deploy", this will launch the host that you need to ssh to
once you are ssh'ed to the host, create the noot file and then run the binary in the same folder
ok
i think i know what you mean
wait it says i need to log into the ssh
how do i do that
??
ssh shiba1@<ip of deployed host>
You don't SSH for that one
You get in-browser access
everything is so confusing
comarade do you want to go down to the voice chat Small Study Room?
can anyone give me a hint on spice hut? I know it has to do with ||planner.sh and the variable|| but not sure what to do
hint on root
i got it but i dont understand how
you mean the room startup?
no the room start up
i mean spice hut lol
oh wait
start up youre right sorry
well, if you see, planner.sh is executing another file
and planner.sh is being executed as root in a cron job
yeah but when i cat /etc/crontab its not listed there as a cron job
i ended up getting root like on accident lol
cuz my listener was running
not all cron jobs are in /etc/crontab
the best tool to identify cron jobs is pspy
it checks the processes that are starting in the machine
run pspy in the machine and you will see that the file is being executed once every couple seconds
oh wow cool yeah i do see that
is there a way to manually check that?
oh wait it says it in the readme
first time ive used that thanks
Room Linux: Local Enumeration
Task 6
How r we suppose to find the flag in such amount of files
I mean, what parameter could help?
I used "find -type f | grep .conf" in the "/" directory, but couldn't find a clue.
Thanks!!!
room is network services im having issues. with telnet
i cant seem to run any commands with telnet
i followed the instructions to install the tcpdump
i was considering looking through a walk through but i wanted to ask in here first
@sonic axle read the instructions. You have to do it like .RUN ls this.
the usage of tcpdump is to make sure that the commands ran in the telnet session are actually executed when you do .RUN prefix like .RUN ping (attackbox) . Tcpdump listener on the interface is seeing ICMP (ping) traffic. That confirms it works. So next step is to create a reverse shell with this knowledge using msfvenom raw payload for cmd/unix
I had that issue some un-intentional logs look like they're generating after you log into the box, they should be a few minutes away from the rest of the events, filter for events by time and find the last event that occurred a few minutes before the rest and you'll be the right number
hi guys, someone has any hint on where should I look to get access to this machine?
ColddBox: Easy
tried to bruteforce 2 users passwords, no luck so far
what are you using to bruteforce and what users have you tried? Not sure that box is 72 hours old yet
||Http get or http post form?||
post form
you can (should) use spoiler tags around answers (double pipe | before and after) please
so i'd recommend using wpscan to brute the passwords, it's faster as it uses the XML-RPC interface, and there's one more user you didn't try
I gave up too early, hmm
this is the post i was suggesting spoiler tags for fyi
I see, Ok
I'm gonna try it, thanks!
is kali allowed here??
what do you mean? you can of course use kali to work on thm boxes yes
i mean like does this server help? since i joined a server and they said kali linux is not allowed
this server is associated with tryhackme.com, if you register there and learn your way through the rooms then you'll pick up how to use kali
alright thanks
this server is here to support in using that site
@median compass Can you recommend any word lists for the users in ColddBox? Either the box is being battered or my VM is not having a fun time with rockyou.txt
i just used rockyou, for the correct user the password is within the first 1500 passwords, it should find it almost instantly
Huh, maybe I need to enumerate more then. ||I have four users in my username file currently||
show me what command you're using?
||wpscan --url 10.10.88.65 --passwords /usr/share/wordlists/rockyou.txt --usernames users --max-threads 50||
I'll give it another go, I think the combination of bruteforce in a VM and the box getting a bit toasty from the requests just requires a bit more patience
no, i think your problem is with your syntax. have a look at wpscan --help again and check out how to specify users to brute force
The brute force looks like it's cycling the users within the file just fine though
hmmmm, then i don't know, it should find it quickly, there are only 3 valid users to search
Time will tell. Thanks for the help
Eyyyyyyy finally! Who knew that patience was a good quality for cybersec workers
nice
thanks, I was able to get the user's password
Thanks @eager bramble
@eager bramble I notice that there are two same question "What are the total number of events?"
I place the same answer as the first yet it is saying incorrect.
|| different set of logs, I missed this one first time around scroll down || @lone locust
@eager bramble Scroll down??
two two's let me boot the machine and check
|| yeah scroll down it's not in that section it's outside of the Microsoft folder it's called "windows powershell", the question above does state it but it also stumped me when i first came across it ||
After the above and just re reading the question asked, while using a lot of brain cell muscle I was able to figure it out. Thanks again for the hint/assistant.
happens to the best of us
working through the nmap room right now, and i hit this question under the "practical" module, and i dont think im scanning it properly, since the result that i get is that ||all 5000 ports are filtered||, but ||saying that there are 0 ports open is not the correct answer, the syntax for the command im using is sudo nmap -sS -vv -p0-4999||
where am i going wrong here?
should probably send the question lmao
I just finished task 8 in Upload vulnerabilities. I was able to do the server side bypass based on info given on the task. I always like to look at the hint in case it was solved differently. I am a bit perplexed by the hint in this one "Commands do not start with a "-". Just use the word itself."
Anybody available to discuss it?
room link?
Hi there! I'm working on the tryouts
I have a question. How do I open the .bad files on task 7?
I would appreciate any pointers
What room is this?
it is the tryouts from TryHackMe
would you mind sending a link to the room?
Is this a private room? If so, this channel is meant for publicly available rooms
looking for a little nudge in the right direction - currently working on windows privesc (https://tryhackme.com/room/windows10privesc) task 9. Its asking us to find:
What was the admin password you found in the registry?
I ran the command
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
From what i understand, i should be looking for a "defaultpassword" flag with the password set there, however my output doesn't list such a source. Im just looking for a gentle nudge of where i should be looking if this isnt correct
how bizarre, i checked using regedit and it appears that the password is just not even set on here.....
welp, i just guessed the pass
We are a bunch last couple of days that could not find any password there. So something is weird
Glad to know I'm not going too crazy! I ended up calling it quits for the night - for some reason when I would transfer the Sam and system files off it would force close the rdp session and not let me reconnect, so strange
I had to reboot the machine some times when rdp got too upset too
@zinc oyster #room-help message
Yeah I couldn't find the password either.
Let's hope that box gets fixed soon! Would love to be able to fully complete the complete beginner line
I'm getting a 500 server internal error when doing a POST request on the xml-rpc.php on ColddBox: Easy
am i down a rabbit hole? ( i found a dir with some usernames in it which suggests pw can be bruteforced. I would've thought xml-rpc requests would be a good method)
ok. did some more research and ||wpscan has a bruteforcer function built-in, i guess xml-rpc was a rabbit hole||
Oh nice to know it wasn't in there in some unexpected way. The wording really sent me searching for quite a while but I learnt a thing or two on the way
Hi, I'm working on glass box and I managed to || find the valid port by pursuing the "higher" and "lower" responses, and I got shell on the box, however when I reboot the box to elevate the my privileges I don't a shell, this is not the problem here, my problem is after rebooting the box I try to find the valid port again since I found it's randomized, but all the ports just say "Lower", even the lowest open port ||, is this normal ? the ports act normally again after I restart the box but I need to get in without restarting so I can debug the reverse shell problem
lower means you're lower
It's mathematically impossible that it doesn't have a correct port.
Hi #room-hints, I need help with task 3 of https://tryhackme.com/room/networkservices2. I am able to do the showmount but then I cannot mount it due to access denied. any hint?
@teal marten run the VPN directly in your kali VM
AHHHHHH Makes sense!! Im not forwarding all ports to the vm
in room motunui I've got a shell but when trying to run a cmd ie. (id, or other) nothing happens shell/cmd-line is not responding I've looked at writeups and used the same route as them.
May I DM you @cursive star , I don't think I have any chance of solving your room but I would like to know if I am even in the right area
@wicked bolt My DMs are open
To the creator of Enterprize: I hate you so much, I've been stuck for hours
u got some @cedar palm ?
Still at step 0
am still thinking about it.
I'm pulling my hair out trying to search for the foothold.
All I know is that the OS is ||Ubuntu 18.04.5 LTS||
Im here to ask for help about Linux Fundamentals Part 2. On 'Section 4' I cant find the answer to the second question
The question is What is the value of the home environment variable
It's similar to $PATH
It's in part 1/2
would it be ./usr?
Stuck on Task 26 https://tryhackme.com/room/owasptop10
@cedar palm would it be home/shiba2
No, I'm talking about the $PATH environment variable
Task 29 https://tryhackme.com/room/owasptop10
Executing RCE returns 404 from script. No write permissions. Can't connect to DB.
Match all of these emails while also adding the username and the domain name (not the TLD) in separate groups (use \w): hello@tryhackme.com, username@domain.com, dummy_email@xyz.com
Room Regular Expression
(\w+)@(\w+).com i tried to used this but it showing me that this is wrong answer even though it works in regex101
in tryhackme answer format it having 12 characters before the dot show i try to use ^(\w+)@(\w+).com but this also not work
anyone know how to solve it??
this Task 5 Question 8 (last one)
Same, I got some bits but yeah, If I haven't seen it before, I've only been doing this stuff for less than a month so unlikely I'll find it
I had a dream about it this morning; I thought i had an Inception moment but my brain was dreaming of bruting a mysql password over ssh somehow
ive found the thing he told as a hint but no idea where to go from there
I don't know enough to figure out what is old and what isn't. ||an out of date version of something? sure. There are a few things like that. An old page? icons/readme?|| I'm not sure if what i'm putting here is 'illegal' for this 2 weeks so let me know if i should delete
I don't think we should say anything else about that here, except if we move to another place.
||There has to be a hidden website, why would they put that there then?
But then again, the default installation of apache2 has those installed. Probably just a honeypot||
Hey can anyone help me with anonymous room?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Currently I'm working on anonymous room. I have done enumeration and I'm currently on exploiting stage but can't get any hints for exploiting I have got two images from smb shares but they are protected by passphrase and got three files from ftp but they are also not useful for exploiting phases so how should I got user flag?
did i spoil too much?
Hey guys, is someone already on the new enterprize room? Any hints?
Can anyone help me out on Blue? I'm running the exploit but it keeps failing and as far as I can see everything appears to be correct.
Hey blinkz! I had the same issue....sometimes you have to redeploy the machine. Have you tried that already?
Post a screenshot please
ya i've redeployed it a few times. I've tried over the course of the past few days off and on thinking I might be doing something wrong but in the end I'm running the same exploit that they marked as correct on the previous question.
The room is new please wait at least 72 hours from release before asking for hints
I shot you a screenshot @astral smelt . Didn't want to post any spoilers
Make sure you're asking for permission before DMing users
hello im doing LFI Basics room and at the end im stuck on getting a shell on my listener....i input a code in burp and forward it....then open a listener on a port....in browser when i go wget to call a my script i get a response in first listener...but when i actually start the script i cannot get a shell.....any1 who can maybe tell me where is my mistake?
oops, sorry!
If I type 'sudo -l' and it asks for a password, does that mean I have no sudo privileges?
not necessarily, it could be that you'll be shown some command you can execute with sudo after typing in the correct password
thanks. i'm not positive but I feel like other times it just lists my privileges but maybe I ran another sudo command before trying it.
it depends on the configuration of the sudoers file - commands that have the option "nopasswd" set will be shown without typing in a password
Yeah, that's I'm guessing. Thanks for the clarification!
I'm in the owasptop10 room doing task 20 cross site scripting.
I'm supposed to craft a reflected XSS payload that will cause a popup with your machines IP address.
What I tried: ||Hardcoding the machine IP to an alert, it alerted but no flag was given. I've also tried making a request to checkip.amazonaws.com (displayed my public ip) and api.ipify.org?format=jsonp&callback=getIP (requested rejected by client).||
Any ideas?
Nvm
On the network services room with the exploiting smb part at the end it wants you to login via ssh. Everyone i do it closes the connection. I downloaded the one file and changed permissions to 600 but still it won't let me login in when trying: ssh (what i assumed the username was)@ip address -i (name of the id file)
you're using the username found at the end of the public rsa file, right? should be ______@polosmb
I had the username wrong and fixed that but it keeps asking for password even though im using the other file and changed permissions
double check that you have the entire private key, including the little dash '----' notations at the top and bottom. Won't read the key correctly without the proper syntax. Other than that, change your syntax on ssh to:
ssh -i [file.txt] [username]@[ip]
Still wouldn't work so i terminated machine ill reboot and try again
@opal dagger i found out what i was doing wrong i kept the whole polosmb part in the username. Must have looked over something so simple like 30 times anyways thanks for the help
np
Had similar 'oops' issues dozens of times, it happens
so I get this info about mysql from an nmap scan:
but when I try to set sql 5.7.29 or 5.7.29-0ubuntu0.18.04.1 then run exploit, it trips on that parameter
so am I inputting the wrong format or something?
what room, task & question are you attempting? what exploit are you running?
ah sorry, I'm in Network Services 2, task 9, running mysql_sql module of metasploit
I don't think you're meant to set that option...
it still fails if I unset the sql parameter, and the error references sql
so you set PASSWORD, RHOSTS and USERNAME right?
can you screenshot those options?
so what do you get when you run this, cause I just did it and it gave the expected output
[-] Auxiliary failed: Msf::OptionValidateError One or more options failed to validate: SQL.
ok, that's because you unset SQL
do set SQL select version() again
and then exploit
and you'll get the version returned from the server
ah ok, so unset puts in a null value instead of default?
seems to yes
when you check options it shows the default but it's not really there
gotcha, thanks for that clarification. Setting it back worked, btw
there is a mistake in that room @stuck fractal, that question says "select module()" but the command it defaults to is really "select version()"
hey yall is there anybody online that has completed the Attacking ICS Plant #1 room that can DM me and explain what the creator is asking for in Task2 questions 1&2
I just answered them correct right now...have you analyzed the code of the scripts? They are asking for the name of a specific function.
hi
Hey, I'm working through linux: local enumeration room and hitting a bit of a snag. I've managed to get onto the computer and use python command to stabilise the shell (I think) but as the manager user I don't seem to have sudo privileges. So when it comes to section 2 I can't run some of the commands but by section 4 I can't access the password file.
Any suggestions on where I am failing here? I've looked for the shadow file and can't access to see hashes, I've checked the ssh folder for a rsa key but the folder is empty.
Manager
That's what I'm struggling to do at the moment, which is why I was looking for root hash to crack... Or find an rsa key to ssh into, but no dice yet
So I've managed to upload linenum to run and get more information on the system
I've tried generating my own idrsa and moving it over but there is no authorized key file... So I think ssh is out
I've found a video online of someone working through this same box from December and they seem to have sudo privileges... From linenum I've seen the sudoers info and manager does appear to have some sudo rights but cannot locate a password for them
Hello. In the room https://tryhackme.com/room/nax, I found the username and password and filled in all the appropriate options for the Metasploit exploit module, but I can't login with those details. Is there something I'm missing?
anyone to help on this?
what the diference of #room-help and this channel?
This is for where people want hints in which direction to go and don't want to look at the writeups whereas #room-help is for people that have checked the room writeups but still need help
Anyone give me hint on network services 2 where to find the root flag for NFS I've good root shell and everything just cant seem to find the flag
cd /root && ls
Appreciate it
Can anyone give me a nudge on the new EnterPrize room? I can't find anything.
No hints allowed yet.
Why though?
Check rule 13.
I just finished the Metasploit room but there are some things I don't understand yet. Why do we use icecast at the beginning?
hey there , i am doing the brooklynctf room and the image i got here has a passphrase ; can someone guide me to break that passphrase !
You're exploiting a service running on the machine
The machine is running Icecast, a media streaming service
You're exploiting a vulnerability in that, using a metasploit module designed to exploit that flaw.
can some one help me at #room-help
Don't be impatient.
ok sorry
||i am doing the lian_yu room in which i found this link at a certain level . this link no longer has the video contained . so can i know if there was something supposed to be in this video which i cant access now ! https://www.youtube.com/embed/X8ZiFuW41yY||
And how could I know this? I found icecast2.exe (or something similar) once I had access to that machine, but until then, I had no idea that machine had icecast
Oh okay! I did the nmap yesterday and I didn't remember a port had that service
So when I scan the ports, the next thing I should do (in general) would be to check if a service matches an exploit?
you are doing the Ice room, right?
You find what services are running, and their versions
No, I just finished the Metasploit room
Depending on what you find, you might look for exploits for the software
Or attack it otherwise
james could we also find it using searchsploit or something ?
Perfect, thank you!! It is much clearer now :)
Gents, there is a problem with the question of " What two services make up the KDC?" in the Attacking Kerberos room.. the correct answer is not accepted, right?
Potent room @stuck fractal - This is a mission :p
haha my name on thereeeee feeling psyched
it's hard though
i'm off to sleep
all the bestttt
As am I :"|
I think I'm going to sleep it off, let's see if tomorrow I have fresh ideas
I saw a couple of possibilities but none of them worked out
One I might explore more tomorrow...
is it too early to get a hint on overpass 3?
Entirely.
72 hours from room release
yeah fair play mate, this is a real head scratcher
Hey all | Room: tomghost || I have cracked the pgp password and got !!!josh14!!!.a6_123 no matter how I try I cannot get that to unlock the credentials.pgp || Any hint's would be the best please!
Nevermind, I was having some weird issues with Johntheripper that I figured out now.
I m stuck at Room: javascript basics .
Task 5 question 2. The answer should be "Red Blue but it's not accepting it.
Red blue isn't the answer
It's a very new room, please wait at least 72 hours (as per rule 13)
Hi guys does anyone played with the Splunk room using the OVA file? I can't get in using the provided credentials
-undelete -a
Up to 10 last deleted messages (last hour or 12 hours for premium):
12 minutes ago (Mon Jan 11 09:29:31 2021) Skynet#1028: But I didn't say anything bad, much less give hints -_-
40 minutes ago (Mon Jan 11 09:01:05 2021) Skynet#1028: I'm in the Overpass3 shell but I can't get any user's shell haha
Wtf
@coarse hornet Trying to delete messages that you have sent doesn't work here
You don't
Lol
I really need help with questions in task 8 of the XSS Playground room. #room-help message
I'm finally taking a crack at Overpass 2, and I'm a bit stuck on ||analysing the code for the ssh-backdoor. I can't view the raw code on Github as it's too large, and the contents are gibberish as it's a compiled binary. Am I missing something obvious?||
yes
You're looking at the binary
You have the source right there
How did you even get shell? @_@
me 2
Wait did you get the second flag?
nop
not yet
i think i know how to get, but i can't explore
please wait 72 hours from a rooms release to request hints
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
i just got the web flag of overpass, its been 4 hours that i cant find second hahaha
Overpass3 was a super fun room. Thanks to creator
I'm glad you enjoyed it!
need a nudge on haskhell.
which part are you in?
i am in the enumeration phase
i tried to upload a ||**reverse shell in haskell**|| but could not find the upload location
@woven mirage
iirc correctly the site sends you to the upload location after uploading the file
I got an internal server error
then probably there is something wrong with your reverse shell file
try some simple haskell things to see what works and what doesnt
will do some research on it
Hi all I'm doing the room Upload Vulnerabilities - Task 8 bypassing server side, file extension. I have found that the server accepts ||.jpg and .png|| for example it does not accept does ||.php or .jpg.php||, but seems to accept ||.php.jpg|| so I'm guessing that it checks that at the end of the filename it has that extension. I uploaded the payload ||payload.php.jpg|| I have tried different extensions but can't get the shell, any hints?
read the task again, it shows 2 ways of evading extension filters, you're trying just one of them
it shows 2, first using|| different php extension||, and then using|| jpg.php|| I have tried both
even mixing for example ||.phtml.jpg .jpg.phtml, .phar.jpg, .jpg.phar||
am I missing something?
Anyone done with Overpass 3 and would like to give a hint?
No hints allowed for 72 hours from release
Alright, cool.
Can anyone give me a nudge on the new EnterPrize room? I can't find anything.
Yo, I'm stuck on Overpass 3 for the web flag, I enumerated the web server with every tool I could think of but can't seem to find anything, can I get a hint pls?
same
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
@sour vector
I'm stuck on the very beginning of the linux room, I can't even SSH, I've used the password 'shiba1' but it doesnt work. Anyone got any ideas?
well ty for not answering, I really didn't think hard enough whereas I had the answer in front of my eyes lol
it's Task 4 on Learn Linux Walkthrough if that helps. And i'm using windows and tried to SSH from the command prompt and putty.
C:\Users***>ssh shiba1@10.10.4.88
shiba1@10.10.4.88's password:
Permission denied, please try again.
shiba1@10.10.4.88's password:
Permission denied, please try again.
shiba1@10.10.4.88's password:
shiba1@10.10.4.88: Permission denied (publickey,password).
this is what I get ^
What password are you entering
shiba1
I'm not jealous at all
There r only 2 colour pills that I know of. ?
||Answer format = Color + pill||
Thanks
No p 
Finally finished the Investigating Windows room. Some questions were a bit tricky but manageable
is it an specific extension? should I try them all?
can someone give me hint for overpass 3 for user flag other then its in james directory
trying to escalate its been 3 hours and still no effects
Would be nice to try them all & find the right one Yunno 
ok, will do, thanks
No p. Let me know how it goes
No hints for new rooms until after 72 hours from release
got it now thanks.. thought it was something else, I feel dumb 🤪
This is a free room, which means anyone can deploy virtual machines in the room (without being subscribed)! 469 users are in here and this room is 64 days old.
am i missing something ?
Kek good job hommie. Keep grinding!!

It was released yesterday.
ok thanks
are hints allowed for enterprize now? It's been 72 hours from what I read earlier on.
hi again! I'm doing the next task, with the magic number. I was able to change the magic number and upload the shell, I found the directory in ||IP/graphics/payload.php|| I have tried all the extensions already.. any additional hint?
What's the problem? Uploading file or not getting shell?
I don't think you changed the magic number right. Try running file <reverse shell name>
the website requires a|| gif file,|| otherwise wont let me upload it
I have changed the extensions, this is the current one
Sure. But if you did change the magic number correctly you wouldn't need to change extension
there are only two types of magic numbers for gif, is it expecting a specifc one?
Of ||shell.php||
I used the first
I did it with just .php and got the same output, that's why I tried changing extensions
magic number
regular extension
Try this;
Get your php reverse shell as .php
Include the 6 random letters on first line of reverse shell script
Change magic number to that of ||gif ||
Then upload
Overpass 3, fun box. Found the web flag last, though. :p
oh you mean like in the example when they use ||AAAA||?
That of gif isn't 4 letters for the records
Anyone solve EnterPrize? If yes, can you please drop a hint?
we're not allowed to hint for 72 hours after the drop of a new box, sorry!
72 hours is over
how's that? didn't overpass3 only go live yesterday?
ahhh, lol, sorry, read it wrong
doh!
Nvm
0day did that too, first person to complete the whole room
got it now, thanks for the tip.. I believe that it's better if you add the first letters as placeholder, since I just changed it, it modified the initial tag of the script|| <?php|| therefore the website didn't interpreted as code.. learned one more thing today! thanks dude!
No worries bud. Pleased to help & learn too
anyone is working on overpass 3 room ?
yes
i hacked the machine but i cant find the flags any tips ?
try harder :d
too soon for hints on that one i'm afraid, not allowed for 72 hours after drop
Hi guys
haha the ugly part is i did the hard part and im in ๐
i would say the hard part is to priv esc not getting in
can anyone give me a hint on "Madness" ? i have a username, "ROTed" it and try to use the password i already used before to ssh on the machine. looks like the PW is wrong and i have no idea where to look
i know how to priv to root from james
but i cant find the apache flag
I found the apache flag but I'm not able to login as james
i just canโt find privesc to james, i know how to get root, but not how to get james
or i am just wrong
Banging my head against the wall on Enterprize, something small I must be missing
overpass 3 is new people, lets ask for hints and help after 72 hours have passed
Web Fundamentals, task 5, question 3. I'm having trouble finding the flag. After doing the GET request for a cookie, I check in Firefox's dev tools but don't find anything helpful
send screenshot of your browser, showing the url and with devtools showing cookies
on the webserver running on the victim machine
don't show your cookies for other sites
This is from the browser-based AttackBox. Used curl for the get request, so the URL bar of Firefox should be irrelevant if I'm not mistaken (on default home page of THM)
if you used curl, the cookies wont be added to your browser
but you can probably see the set-cookie header in the response if you use the -v flag, to get more verbose
That did the trick, thanks!
ugh, now I'm struggling with question 4. The mozilla documentation on Set-Cookie seems to assume the format will be in HTML docs, so I'm not sure how to structure my curl command
For setting a cookie for curl?
yes
good point, I should know better and I suppose my brain is just a bit lazy after the work day I had. Thanks for the reminder of a basic truth
Any reason why when I run hashcat to crack a service ticket, it runs but doesnt output the password?
I made sure my command is correct and all that
That room isn't up for hints yet. You haven't tried everything. The room will be up for hints 72 hours after release
James how to escalate to you)
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Is this applying to me??
No.
what kind of service ticket
Kerberos 5 TGS-REP etype 23
could be the wordlist you are hashing against doesn't have your word
Im using the wordlist provided by cryllic which im guessing has the password
which room
you may have a wrong hash or formatting then, should work just fine
Okay ill check my hash formatting
can anyone help me for room Overpass 3
please wait 72 hours after a room release before requesting hints
I think I know how to crack overpass 3 but I can't figure out how
sudo su
oi
Yes james my luv?
but it's not working for me
I am 1/3rd in, the other 2/3 are messing with me
but this room is gonna be full of questions in 2 days
good
I'm getting yelled at to go to bed
Yell back
haha
Tell them blob is telling you to be more blobular
And you do that by completing overpass3
maybe tomorrow, I'm missing something really stupid
I bang on it for a few hours, then THM tells me I'm outta for that box
has anyone done the new enterprize box?
try different wordlists with dirsearch if you haven't found anything
i swear like i've used 20 different wordlists from seclists and nothin:(
i looked and there's a handful of wordlists in seclists that should return results
yeah, 4 dirs which are forbidden, ran again on those and nothing showed up, imma try again harder, maybe put some extensions, who knows ^_^
have you added enterprize.thm to your /etc/hosts?
yup
try some more file extensions
php,rar,ssi,sh,old,txt,html,zip,htm,cgi that's what i've used
idk why's old there, but in thm boxes you never know lol
overpass3
omg!
im totally stuck after getting the web flag
and no writeUp yet
some hint?
for the user flag?
72 hours
Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)
If I'm right, I think it's find /usr/bin -type d -user root -perm ####
I don't know what the last 4 letters are
the # things
symbolic format = "-x=x" - ever seen this?
Nah
first time seeing that
Actually I may have seen it but I forgot it a long time ago
when you google suid permission symbolic format you will find something like this -> "-u=s"
quick question
is this
wfuzz -c -z file,wordlist -d "date=FUZZ" -u 10.10.174.10/api/site-log.php --hc 200
the same as this
wfuzz -c -z file,wordlist 10.10.174.10/api/site-log.php?date=FUZZ --hc 200
?
Hey y'all, working through EnterPrize and feeling a little bit at a standstill. Any nudges for foothold?
GET v POST
Anyone for PE on Delivery??
can I get a nudge on enterprize?
Hi all. I'm doing the owasp top 10...currently working on the injection practice... did anybody else have an issue with identifying shell and version of ubuntu?
what I've input is "wrong" but it's literally the output that I was given
Kind of scratching my head trying to figure out why that would be.. I match the format and all
Exploiting telnet
I have been following multiple walk throughs and none of the commands are working in the terminal, I am unable to connect via telnet using the following: telnet 10.10.63.130 8012
Error msg reads unable to connect to remote host: connection refused. Any tips will be much appreciated cheers.
@whole holly no hints or help are allowed for new rooms till 72 hours pass.
okey
Enterprize - there are some hints further up about trying different word lists and extensions. Don't know whether they get you anywhere. FWIW I have been looking at 403 bypasses and client-side authorisations for the port that sends an ACK-RST response as that's something the designer seems to have worked on, but from those hints I'm guessing those may be dry holes, and it's more a case of battering the word lists?!
I've only found 2 files, and I can do nothing with them.
That's two more than I've got, but then I'm at work and will have another go later.
I did find something interesting but I can't ... really do anything with em.
Interesting, thanks. Afraid I can't help with that till I've caught up!
Enterprize is killing me
What do I even look for?
I've thrown wordlists, a lot of them, but got back nothing interesting
A nudge please, dear room creator?
after the 15th wordlist i just gave up, fuzzing is my least favorite thing
if i can see the goal, ill figure the rest out
i would suck as a blind person
anyone doing overpass 3
Cannot give out hints until 72 hours after release :) @austere ingot
hahahaha damn its supposed to be teamwork
Same here :(
@austere ingot yes
anyone (else) having a problem with "nfs - no route to host" ... any advice on that, please
Overpass 3 by chance?
!rule 15
Whoops
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Yes. I think we are not breaking rules here as room is over 72 hours old ... I think ...
Assuming it's allowed to set up a group to work on overpass3 together?
If a group of friends are working on a room, we cannot do anything about that. Whereas if someone is sharing hints without the owners permission, you may get in trouble.
Yeah that's fair, just thought as so many of us are stuck on the room might be cool to get together and give it a punt as a wider group
Oh bloody hell I just got a stupid idea for overpass
Oh okay, fair enough :)
72 hours is not that long :D
Depends how eager you are
then can share hints about enterprize?
need respect 0day then him finish both in few times
when exactly is it going to be 72 hours for Overpass 3? Currently it says that room is 64 days old.
tomorrow
darn, my idea isn't working
+1
The room is not up for hints yet. Please follow rule 13. I will start banning people from the room if they don't have the patience to wait 72 hours from release
ha!
bash-5.1# id
uid=1001(paradox) gid=1001(paradox) euid=0(root) egid=0(root) groups=0(root),1001(paradox)
@stuck fractal you are bloody evil
and for those stuck, try harder
I don't know what you're talking about, no one is giving clues, I just put +1 it's not bad
Haha
They stopped when asked. You added to that. Please don't argue.
Calm bro, I don't want any problems, I won't do anything
Not your bro.
❤️
Yeah sorry for asking for hints as well before, hope you're well. It's a really interesting room, look forward to the write ups coming out
is this supposed to take this long? any way around this?
that's an estimate time, it will change
its been 10plus minutes though
@soft geyser Try refining your search; nmap -T4 -p- <MACHINE_IP>, nmap -T4 <MACHINE_IP>
If the second one takes long, there's an issue with the attackbox/ box you are attacking.
These do not perform any type of detection although so you may wanna do another scan in the background while you are investigating the ports found.
So that scan completes (iirc) 1000 ports
i was having the same issues in the one before this too.
And -T4 is the quickest you can make it without getting false positives
-p- scans 65,000 ports so that one usually is not instant
in about 24 hours
thx
Hey guys/gals, anyone have any advice for foothold on Enterprize that I could pm?
Good luck and try harder
We're not allowed to divulge anything for a while
As per the room creator's request

What a strange mentality. To tell someone to try harder when you have no idea what they've even done is just rude. That childish l33t attitude is what will push people away who are actually here to learn with each other and not act like they are a god.
Hey @stable jay Please do not try to start drama.
creator explicitly forbade help until next week
Hydragyrum is respecting rule 13
if it's any consolation I'm throwing my face against that wall as well...
@pine gulch Your reactions also are not necessary. Please stop.
freedom of speech
even 0day said he had a little trouble with the host
yeah it's meant to be hard
wat
Not in here there isn't. Don't be a twit and we have no problem
And just to make sure of that
Its an emote
-mute @pine gulch 5m Don't be rude
Muted pbot#9377 for 5 minutes
This is designed as a challenge box. As per the creator's wishes we are restricting the hints that get given on it for the time being. There are plenty of other walkthroughs and challenges available in the mean time. Hints/writeups will be released in due course for that one
As you say, there are definite gains to be made by working together with people to solve challenges -- this is one of the fundamental goals of the platform. As it stands, that particular box is not designed for that -- not yet
yeah I'm not good enough for that box yet
@coarse hornet Overpass 3?
looks it
God what did AWS do to my hostname
Yep
Nice well done
Great Job @coarse hornet
+1
Thanks bro
I saw that, thought it was weird
Yeah I think it's just AWS being mean
Congratulations Skynet
looks like it changes your whole host config too
huh?
aws, I was hoping to find a hidden gem for your room there
https://www.tryhackme.com/room/basicmalwarere
I can not unzip the zip files in this room (I click the zip files on Mac OS X with password input, but nothing happens.) Does anybody know what is wrong?
hey, anyone want to give me a hint for overpass 3's web flag?
i have user and root already, but cant seem to find the web flag haha
I don't think any of the files have passwords on them, just straight unzip
if you have root, it should be trivial to find
you would think so
But it says "Password for the ZIP is MalwareTech."
you should be able to find it
found it ha. the hint threw me off
the hint is actually wrong, says its owned by the apache user. it is not
the hint is fine
sorry was thinking of the other room
that 'sorta' isnt good for find -user apache
Should be super super easy to find from your initial shell, but no help or hints yet. Rule 13 says no help/hints for 72 hours from release
it's easy to find, just not that obvious
got it thanks. just out of interest, how is that 72 hours presented on the site? overpass 3's 'more' tab says its 65 days old
It's not presented on the site
72 h since release
The 65 days is from when I created the room. Not uploaded the VM, not released it, but when I created the room on the site
ah
not sure if you host if removing the files as possible malicious
I don't know. But I try the command line. It seems that `unzip` has some problem with the compression method of the zip file.
$ unzip -P MalwareTech strings1.zip
Archive: strings1.zip
skipping: strings1.exe_ unsupported compression method 99
I see what you mean, I got them to unzip from the folder correctly
I did find this "The compression method 99 refers to Advanced Encryption Standard encryption, which is not supported by unzip. However, you can use 7zip to unzip your password-protected file"
if you install 7zip you can unzip the files though
Has anyone solved jvm reverse engineering?
im on EasyCTF room and it says ssh is open however i cant even ssh to it. my syntax is right
its on port 2222
What happens when you do?
ssh -p 2222 user@ip
The order matters, because anything after the IP is a command to run on the remote machine
still just hangs
Do you have creds?
not yet. however with ssh, if its opened, it woulda worked no matter what right? from my experience anyway thats how its been
Depends what you mean by that
I've used ssh user@host:port or ssh user@host -p <port>
Honestly I'd check your VPN but if other services are working then ¯\_(ツ)_/¯
ok any other good ctf pentesting boxes thats not a piece of crap?
Why is it a piece of crap? Generally it's user error somewhere. There are lots of good ctf boxes.
My ssh worked on other boxes on my network. I can't figure out the ssh other than its not meant to be ssh into even tho nmap says it can @stable jay
Still opened to solutions ofc
did you try the other ssh formats I posted?
also, Right. I get that. So, I'm not commenting on the box you are on specifically but sometimes just because it's open doesn't mean you can access it
sometimes you'll need a key for example and will get permission denied if not
There is nothing wrong with the ssh on the box you are on, just need to try different things
Yeaaaaah, you need either creds or a key there mate. You can't just access it because it's open
yup
So generate a key?
Muted professor-moody#3884 for 20 minutes
@mint copper Please stop asking
No problem
Um whats happening lol?
Someone's in trouble
Ty so much everyone. I'll try it tomorrow. I'm worn out from cyber all day lol
someone already finished overpass 3?
I finished it, but I have a question about the priv esc
I did it
No hints or help are allowed for new rooms till 72 hours passes.
Can anyone gimme nudges of EnterPrize?
need wait more 7 days to give hints about enterprize
Let me see what I can do. I will get back to everyone here soon.
Hi Team I need one Hint on this - I cant find name of scan as such in Advance Tab of Nessus Room
FYI
Please Ignore Got it
Hi guys, I need help to find the right syntax
in the Task 7 of What the shell? room
I cannot figure out what I need to put in : (EXEC: ...)
my syntax so far => socat OPENSSL-LISTEN:53,cert=encrypt.pem, verify=0 EXEC:"...", raw, echo=0
your trying to get a shell so i would guesss thats where you would put the /bin/sh
or whatever shell you are trying to invoke
https://tryhackme.com/room/rust ~ Task 12, Question 2.
I simply do not understand what is being expected. I believe the answer lies somewhere in the result<> format, but i do not know what to put in between <>. The documentation is not clear (to me) about it.
Yes, there are examples mentioned with the <> symbols used, but i do not see the relation, nor the application for this question.
A nudge in the right direction or a page that clarifies this subject would be greatly appreciated!
Hey everyone
Im stuck in the overpass3 room . I would enjoy a little hint if someone can ! Thanks !
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Aaah yes that's right
We're still in that 72 hours
I'm lost on Task 29 of https://tryhackme.com/room/25daysofchristmas I managed to get the password but I don't know what to do with it. Any tips?
@little sable Perhaps u can use the password for another user on the system? (dunno)
facepalms.
what exactly am I supposed to do when the terminal tells me to fnum 1?
I'd look up the function of fnum
Checked it out - didn't understand a thing
Which THM room?
Network services; task 4; question 3
Honestly now that I'm asking about the whole thing, I'd rather ask in the room-help channel, because I need help (a lot of it)
anybody is available for a hint on Enterprize?
No hints yet the creator wants at least a week before giving hints please wait two more days
Can i have a nudge for Jeff? I found ||wordpress.jeff.thm|| i don't know what i can do
i haven't done it. was i right? :P
no idea. no time to look yet. work day
@white salmon Perhaps u can scan the Wordpress version for vulnerabilities, or perhaps login is another user?
I use wpscan and i don't find something interesting
what options are you using for your wpscan
I get reverse shell
I got stuck at Network services task 4 question 7
The instructions below said question say that ||the authorized_keys are to be downloaded|| However I lack the permissions to do so.
How am I supposed to bypass this?
(Pls tag me, for I won't be checking this channel, but will rather think of a solution to my problem)
I don't think you need sudo or "any perms" to download the file really. Anyway you are in smb right? For clarity
Yes, smb
You should only change the permission of the file after you download to your machine
Yes, that's what's said in the task
However when I try it prints out the following:
Will insert screenshot in a moment
Yeah follow the steps in the task & change permission then use the file & get access through ||ssh||
Did you download the file from smb to your machine yet?
No, I'm being greeted by this upon trying
That's weird. Any way can I get a full ss of this page as you sent it & of previous dir cus it's been a while I solved the room
You want the ||Shares||?
The directory before this
Ok
Ok try moving to the ||.ssh|| dir then see the files there then get id_rsa <newfilename.txt>
@paper seal
What will that command do exactly?
It'll get the file then rename it as the new filename you'd give
Also don't forget to get the ||pub key too||
This one I don't know what to do with
I downloaded it a few minutes ago, but there's no software suited for reading it
Almost Same thing. Get, rename then inspect this one for an information
||cat||
Why am I like this...
Kek. Lmk how it's going
Well
I ||cat-ed the pub one and found half of the information, rn I am looking for a password or something in the other file...||
Wrong.
Big spoiler but I'll minimize it kek
Ok
I am lost, so I've got no problem with that
The ||pub|| has a username for you. Also no need for password. Just change the perms of ||id_rsa || (ofc you renamed) then use it to ssh with the username you find in ||pub||
That makes sense
Why am I like this?
I was thinking earlier about some of that... but got confused and forgot about all this
Im having issues with task 4 of network services using smb client, I am putting in the correct info but I can't seem to get into the share
Which question?
Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn't require authentication to view the files. We can do this easily by:
- using the username "Anonymous"
- connecting to the share we found during the enumeration stage
- and not supplying a password.
Does the share allow anonymous access? Y/N?
I'm on the exact same task
ive even tried to specify a port and nothing happened
You need to put a space between smbclient and /
smbclient //10.10.212.13/profiles -U Anonymous
that did it, thanks. linux is so picky haha
Just wait until you move down a few questions (I'm here because of them)
@winged mist , I didn't get something right with the ||id_rsa||
Spaces separate arguments. It's the same in windows
thanks for the info
youre right, im already stuck but ima try some stuff
May I get a hint for the user flag for Overpass3 if the 72 hours period is over pls?
what did you do to get the username
I ls to see the contents but I cant change dir
Dirs are changed with cd
i found it thanks
hey can I get a hint on how to get the user flag in overpass3?
got the webflag
having trouble with user
@ebon cairn Not quite yet
oh
Another hour or two.
someone finished the hacker methodology?
ask your question
good room
Is that room public?
I'm about to finish but I'm stuck on question 2 of task 5 is the only one I'm missing
@winged mist, could you DM me, when you're back, because I'll also be going for some time and don't want the convo to be lost in time?
I can't get it
Oh it's brand new ok
Yep
read the task again, the answer is written in it somewhere like SSH ____
Yup I have it thanks room finished!
Henlo
I'm back now
You around ?
can you put it as a spoiler please hehe
how do i do that?
ye
if not ill add it as a spoiler
i think when you upload pic there is a check button asking if you want to spoiler it
yep i see the option now, thanks
by the way || https://gchq.github.io/CyberChef/ ||
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
this should help you
with your problem
I am here now @winged mist
Ok how far now?
Well, I had (bc the VM has terminated itself) The User and the ||id_rsa with the permissions for me to read and write||
However I can't find use of it
Deployed new machine?
They're not dynamic
Yes, I'm just doing everything again
I'm doing as said in the task - ||ran chmod 600 id_rsa||. However I don't think that anything has changed for it
What do you think will change?
That i'd be able to view the file via cat or the GUI?
i have no clue what to do with this ||key||, honestly
It's an SSH key
Look for a way to ssh with a private key
& that's it
Many, many thanks
I'll need to improve my knowledge around this however, that was amazingly frustrating
You finished?
anybody how to fix this mistake ? mount.nfs: requested NFS version or transport protocol is not supported
been doing overpass 3
It's NFS v4 only
I'm not gonna tell you exactly how to do it
This is the hints channel
Just look up how to ||mount an NFS v4 share||
yes
Ayyy congrats
Thanks
That's already a huge hint
In OP3 do you have to move to james first, or straight to root?
I've tried for quite some time but couldn't find anything for that
I know how to get root, but I'm not sure if it works with paradox
||To james, kinda. If you're thinking correctly, you can do something using the paradox user that will get you closer to your goal||
|| I tried mounting /home/james with sshfs but it was empty afterwards||
You don't have perms, do you?
Their homedir is private.
yeah
So why would you be able to read it using that tool?
wasnt sure how some of the mounting options work, so I thought it might be possible
LinPEAS should highlight something
Combine that with the fact that ||CentOS has a default firewall that's very strict, you have to explicitly allow services||
|| is it apache logrotate?||
No
Regarding Overpass3, any tips on how to deal with "nfs: no route to host" error please?
Maybe you're using the wrong IP? Maybe you ||didn't forward it correctly||?
i used machine IP:shared/folder ... but to me it seems strange, as if nfs is not running since nothing on port 2049 ...
hey james, does the port are setted to not be found by scanner(rustscan, nmap)
No.
hm okay thanks
Firewalls are meanies
I mean it's more or less out of the box config
||the ssh tunnel should be LPORT:localhost:111 right ?||
:))
Thanks, then I must be doing something wrong, I first try with the default port and failed
I need some help with user flag for overpass 3. Can I DM anyone?
|| I see paradox user as the owner of the reverse shell ||
what did you try so far?
@heavy bone It doesn't belong to that user, you need to keep escalating
|| I tried to change the httpd.conf file but permission denied, I could not see any suid permissions nor anything in logs ||
Run linpeas...
how does one make changes to default firewall settings when one is not superuser ... ? Or one doesn't?
i was just be able to list the zones
and when i try to get more details. it asks for sudo
yeah, exactly ... guys please, any tips?
im thinking if we can find what port it allowes to connect to
Pretty sure you can't change firewall rules without sudo privs
maybe we can forward nfs to that port?
yeah
so def not the way to go there to change the firewall
more like forwarding?
gogo, i believe
||I did the ssh tunnel LPORT:localhost:2049, but when I try to do mount -t nfs4 -o port=LPORT localhost:/home/james/ $mydir/ it keeps failing with an error about the NFS version or protocol, I tried with "-t nfs -o v4,proto=tcp,port=LPORT" and "-t nfs4 -o proto=tcp,port=LPORT" with the same result||
Use chisel
That's wrong
@coarse hornet which part?
||read about fsid=0||
Nfs
Thanks, looking at it
I'm stuck on CTH level 2 how you can add the rule in john ripper .config
-o port=etc
this here is the secret sauce...
Read the text again
Finally got the user flag on overpass3 , now time for the root one
I'm probably having a super small brain move but could someone point me in the right direction in this MITRE room? Task 5, last question "what two programs do adversaries look for" concerning detecting if they're in a virtualized environment. I'm looking at the ATT&CK framework page and just don't see any programs named specifically. Probably just overlooking it
Yeah I think you're overlooking. It should be in the same page with different wording or a link or 2 iirc