#room-hints
Okay, I'll jump back into that room. Thanks, I appreciate it
```uid=0(root) gid=1000(james) groups=1000(james)``` finally!!
thanks @stuck fractal for such an amazing box
@ancient island do you have any hints for getting access to the james account?
Has anyone solved hardening basics part 2?
. this is all you need
I have
Oh ffs lmao, I was looking for .exe's and crap lol. Thanks, I found it
That is all you need for the user flag, I'm still fighting for the root one
if you have the user flag, you are super close to the root flag
yes
i was going to say that heheh
hehe
indeed I finally got it!
thanks all for the hints
@stuck fractal thanks for all the fun! This was my first "real" room
i keep getting this message mount.nfs: requested NFS version or transport protocol is not supported
ive done the ssh stuff so idk
@buoyant adder
@buoyant adder the version may need to be set
Anyone have any hints on how to speedup a full port scan?
Every time i run it, i have to sit there for like half an hour while it scans.
my preferred flags for nmap when looking for all open ports are -sS (this flag requires root access) and -T4
If it's nmap, try --max-retries 0
Ok thanks guys. I'll try those.
Hey people, with overpass3 I try converting ||pgp key|| to an ||ssh key|| but is not working.. is this a rabbit hole?
The keys don't work that way. ||They're used to unlock encrypted gpg files.||
@smoky hollow can I DM you for one more question? Don't want to spoil more.
Go for it
Lmk how it goes
Oh kek good job bud
I may need some reversing mentoring for the Intro to x86-64 room. Had no issues with everything up to the crackmes, but I'm hitting a wall
For overpass 3 I tried to port forward using ssh ||ssh -i id_rsa -L 2049:localhost:2049 paradox@<machine-IP>|| but when I try to mount it just gives error and showmount will also give an error clnt_create: RPC: Program not registered. Like how to port forward nfs exports? I'm really stuck
Make sure you're specifying ||nfs version 4|| @zenith compass
Also, I had better results with 127.0.0.1 rather than localhost
@stuck fractal ssh port forwarding syntax is correct right?
I solved the first one, but I feel like I got lucky, didn't do it the intended way
That's basically what I have yes
Okay I'll try this
As with everyone else, Overpass 3 is kicking my butt. For the user flag, I feel like I have ||Chisel|| set correct. And I feel I have my ||nfs|| command correct as well. Would someone be willing to check behind me? Please?
Ugh. Just got user.flag on Overpass 3! Whew.
@onyx crescent Can I dm you about port forwarding? I'm stuck there. Can't figure out what's wrong
Sure thing. I'm no expert by any stretch! But will help if I can.
can I also get some help on that port forwarding?
Sure! Like I told @zenith compass, I can't promise anything! LOL.
Need a nudge on ignite privilege escalation
enumerate database files @true widget
Okk thanks for the hint
@onyx crescent hi can i dm u I'm stuck with overpass3 port forwarding?
Sure thing. I've got about 5 minutes...then off to bed.
oh
Work is rapidly heading my way!
yeah happens
Hello Everyone
Any hints to finding web flag on Overpass 3?
I've got a rev shell and checked everything for user 'apache'.
look at the env vars
it doesn't actually belong to apache. See if you can find files.
Thank you.
I am not sure what I am doing wrong with my port forward on Overpass 3. I have tried the following to setup a port forward ssh -L 2049:127.0.0.1:2049 -i www/fakesshkey paradox@overpass3 and I am trying to mount using this : mount -t nfs4 localhost:/home/james /tmp/pe. I am not sure what I am missing. Any hints in the right direction are appreciated.
Look up fsid=0 it changes the path
It doesn't exactly change the path. It's v4 not v3. It works differently.
Will do thanks. @zenith compass @stuck fractal
anyone doing the new crack the hash 2 and have had luck cracking the hashes in the last task? I have tried the hinted options but it has not given any usable results.
look at the site from the vm as well
still stuck on task 29 of https://tryhackme.com/room/25daysofchristmas no idea what to do with the password given that ssh is using key auth
Do you have a shell on the box?
I have. I did generate wordlist with the mentioned names and border mutations but it is not giving me a result
If not, exploit the services that are public facing
OWASP Top10 room, Task 5, question "Print out the MOTD". I can infer what the correct answer is, but I want to figure out how to do this properly. Should I assume that I have to get onto the host through other means than just through the php page?
no. there's just ssh and ||elasticsearch|| but you can connect to that without a password anyway
That's what you need to exploit
add more digits and symbols until you get it
hmm ok I am up to 4 dig/sym before/after
any hint on Overpass3 after getting the xls file with the credentials? Just tried to use them on SSH and FTP, am I missing anything?
One of those services will work
Hi I was doing cracking the hash level 2 & tried adding custom rules to john. But I'm getting an error. Can anyone tell me how to add custom rules to John!
Just add them to a new file called /usr/share/john/John-local.conf or alternatively in a new file in the rules folder in the same location
if you have added the rule to john-local.conf, try adding "--config=/etc/john/john-local.conf", it was how I got mine to work
Can I post a password protected writeup for Overpass 3 ?
it worked but do i have to do it every time? @glacial gust
when I checked the john documents, its another method to get john to read different conf files
is there any way to automate this?
As long as the password is either the root flag, or something else you provide when you want it checked on Sunday
Ok. If I password protect the writeup with root flag then also I have to wait till Sunday ?
You can post it before then, I suppose. But I won't approve any on the room until Sunday. It should not be public before Sunday. I'll let you post it as long as it's properly password protected with either the root flag or a password that you don't share.
Basically keep it private until Sunday.
Sure will do. Thanks.
Well I was creating a write-up too... But when I tried the machine again it gave me this error
Address already in use
You have something running on that port already most likely
On my attacker machine it's nothing...
It's something inside the victim machine that won't shutdown
Kill won't work
Earlier that night when I tried this worked perfectly... I just can't seem to reproduce those steps..
Can someone give me a hint about getting user flag on overpass 3 ||i have shell and got into paradox i ran linpeas.sh and i have writable path that i can abuse but it doesn't seem useful (maybe im wrong) neither no root squashing on /home/james||
can i || mount there ?||
Why don't you find out?
Finished Overpass 3 last night. Best, and most challenging box I've done yet! Many thanks to @stuck fractal for an AMAZING box.
James could u give me another hint ;d ? || i cant mount to /home/james it just hangs after i try to run it is syntax wrong ? sudo mount -t nfs <machine IP>:/home/james /tmp/mount or just my mounting is being blocked by firewall because 2049 is filtered/closed i also tried to mount locally on victim machine but only root can mount||
You know what you might need to do
But also pay attention to versions, because that's not how you use that version
||port knocking ?||
No.
or ||v4||
That's security by obscurity, and generally not great.
The OS has a default firewall, that you can't change
NinjaJc01, i rooted the box yesterday and have finished my first writeup.. im informed that no writeups before sunday.. what time on sunday are we allowed? I have written my writeup at medium.com and dont want to break any rules by publishing it before the regulation.. Thanks for a good challenging box, learned a lot from it!!
Make sure it's private on medium right now. 7pm GMT on Sunday. Make sure there's no flags or passwords in there.
No problem no passwords or flags are visible.. only locations its private at medium (not published)
try it
Any hints for Overpass 3 on escalating privileges? I got the user flag and now I'm really stuck on the root flag.
@mighty birch run linpeas. it's really obvious
I could not enumerate enterprize for the life of me
I think that's still under hints embargo
Can anyone give me a hint for the wireshark 101 task 11 asking for the full uri in packet 18
Will mentioning a tool be part of that?
you have to literally copy the full uri, it includes the color_border= in the end
maybe you just found the correct answer, but didn't paste the full uri
Okay, I'll try that. It's been driving me nuts.
I got ftp access on overpass3 vm with ||paradox|| user but I don't know what should I do from here, any hint?
Can't you just use spoiler text for spoilers: ||spoiler||
ahh, tks
If you have the user flag, the root flag isn't too far
Enumerate what sort of permissions you have on the FTP server, pay attention to file structure as well - some files will look familiar
Look around and see if anything is familiar
I need a quick hint for Overpass3, I have a shell as parad...., but how do I go on? Haven't found the web flag yet
I need a little guidance for hackpark task 4- ||the hint says that I can copy my payload with my preexisting netcat session, how would I go about doing that?||
Oh, nevermind
Somebody please give a hint on PE in overpass3, I've been stuck like 2 days now.
i need help on Nmap Switches task 3 how do i activate scripts i have tried everything
@reef elm look up nmap's man page
web flag doesn't really matter if you have para already + is relatively trivial to get so I would focus on lateral/vertical movement
do you have a shell yet? have you gone through the regular enumerations on the box and if so, what have you tried?
some regular enumeration scripts will suffice
I'm on the ||james|| user rn, ran linpeas, ran lse ran everything I can, searched almost every directory, checked crontab and other common misconfigs. @lofty girder
I'm missing something really stupid.
ah so this involves thinking outside the box (literally - and pun intended)
@white salmon I see βscript βhttp-*
think about what you did to get to the james user and what you can do with that exploit
Nmap room task 3: Script=default does not work
that syntax is kinda wonky for nmap --script "vuln" generally works for me
What question? @reef elm
This one How would you activate all of the scripts in the "vuln" category? ??
yes that one and How would you activate a script from the nmap scripting library (lots more on this later!)?
and how do you put it in that format?
How would you activate a script from the nmap scripting library (lots more on this later!)? Requires you to put just the name of the parameter (no arguments) that activates NSE
I said earlier look up man nmap or Droogy's reply above.
you just put the question in a dark box when you sent that message. how do you do that format? yes both those questions i am stuck on
Surround your text in three backticks (`)
actually six if i can count correctly
Dunno how do i put it for you to see it.
Close enough
Wow that box is really messing with me here lol. Ran a popular enum script, but didn't find anything interesting. Still have to move to the james user though
@lofty girder I just realized how stupid I was, thanks man.
i got answer to
How would you activate a script from the nmap scripting library (lots more on this later!)?
finally got that one
@reef elm gj it's not that hard
Anyone facing problem while uploading the correct file on rootme box??
The page crashes whenever i do that
Any idea?
@white salmon still stuck on ```How would you activate all of the scripts in the "vuln" category?```
--script = "vuln" doesnt work
Remove the space and quotes.
Found the web flag - doesn't help, but its something haha
I know this is the website directory, but what I don't understand is how to get a revshell on this, I'm noob with FTP to be honest
which script did you try?
linenum
FTP is dead simple
okay it does show up in linenum but not highlighted like some other enum scripts would be
hm... gonna try linpeas
linux privesc room is good against ninja
see what sort of permissions you have on the FTP server
||drwxrwxrwx || on the main folder
you mean the ports?
not only that
Nikto gave me something interesting, though I suspect a curl -v will too
Hi. I've just started
https://tryhackme.com/room/enterprize
Found some clue in nikto. Is CVE-2003-1418 a good trail?
so simple, I didn't check it by myself because the wapanalyser was saying the server was not using it
thank you guys
have fun
as there's no publicly known exploit for this, it's probably not that
damn
@ripe hedge @rose root I don't think this room is up for hints yet?
it's not
Took me a little while but once I thought about how I had to think outside the box, it eventually came to me. Literally jumped up from supper to do this.
question for anyone, how would you identify NFSv4?
you try it
Check the difference in the exports file
Lack of RPC
Mounts under / rather than showmount
Jeez. I really need to read up on gpg >.>
hi i get an error on overpass3 while ||mounting the nfs share || the error : ||mount.nfs requested nfs version or transport protocol is not supported||
@warm spire then you're not mounting it correctly
the thing is that i can easily mount it by using || sshfs || i can see all the shared folders but when i cd || home james|| it says ||permission denied||
You can't mount it that way then
You're gonna need to do something a little more complicated, and mount it properly
thanks for help
cirt-default-usernames is not the correct answer?
someone?
List -g username
could anyone help with ||overpass 3 what am i doing wrong? i have port forwarded with ssh and tried to access it with sudo mount -t nfs localhost:/home/james /tmp/pe -o nolock, but it doesnt work. any hints plz?||
try to discover the ||nfs|| version, and how can you ||mount|| with that version
HELP! NEED SLEEP kkkkkk Crack The Hash Level 2 -> Advice n°3
That room is still new please wait 72 hours before asking for hints
ok =..(
Im quite certain im having a major brain freeze on Overpass3
||Got the encrypted file and pgp private key. It should be as simple as importing the key and -d the file. Or no?!||
I now have both public and private keys >.<
run some enumeration scripts
Exactly what Im doing
lol
Im missing the secret or passphrase >.>
Thanks haha
I didnt think it did but it sure says secret key missing
send screenshot
Do i need to get the james password ?
no
interesting
you should already have the key, you just need to import it
What should i do if i dont know lol
It saves the priv under pubring instead of secring. Not sure if that makes a difference
Output is still encrypted after
that is the only hint for root??
Secret Key imported (checked)
Running gpg -d on file outputs the same encrypted file
Well, all I did was ||gpg --import priv.key&&gpg --decrypt CustomerDetails.xlsx.gpg||
I didn't need to use a passphrase or anything. What about in the AttackBox? Might be a problem with your machine
Didnt think of that. Worth a try
Or use an online decryptor if they exist
Maybe i need to purge this gpg and do a fresh install
Yea
Ive been banging my head on this haha
Im like....there is no other syntax for this
Yeah you can also use WinGPG as a last resort
Or you can use my machine, I'm done with the room so my machine works
Ill try attackbox. Im pretty sure something is going on with this tool on my end
Yea
Thank you!
output looks encrypted but it isn't
check out the extension
Im reading thru it anyway
WSL2 works. Check the file extension tho @ashen scaffold
Its an excel spreadsheet
If you can't open Excel, I can just screenshot it and encrypt it with the public key (from the private key) so you can decrypt it
Yeah no problem. I'm making a writeup (not gonna publish yet) so why not haha
help me
where are you stuck @past mulch and what have you tried
im stuck trying to get root priv. i ran linpeas and i know it has to do PATH but idk what exactly
@lofty girder
you dont need linpeas if you are going for the root priv-esc
(unless theres an unintended way to get to that user)
what user are you currently?
okay then think about what you did to get to the james user and how you can further utilize that exploit
i tried but nothing is being owned by root
what did you try exactly?
a suid-shell.c
but its owned by james
so it wont work
that's the only thing i thought of
idk what else
okay well you're heading in the right direction but .c files need to be compiled as binaries before you execute them
yes i did that
gcc
and i gave it u+s
but when i ls -l
the owner is james
if the owner was root it would work
yes I understand that, if you control the file and can set permission bits then it follows that you would be able to change the owner
we all need a little nudge sometimes, its a weird room - you got to that point all by yourself so good job!
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 16.10% done; ETC: 04:45 (0:00:26 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.36% done; ETC: 04:45 (0:00:35 remaining)
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.89% done; ETC: 04:45 (0:00:40 remaining)
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 23.42% done; ETC: 04:46 (0:00:49 remaining)
Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 26.30% done; ETC: 04:46 (0:01:27 remaining)
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 31.43% done; ETC: 04:48 (0:02:15 remaining)
Stats: 0:01:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.03% done; ETC: 04:48 (0:02:33 remaining)
Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 37.78% done; ETC: 04:50 (0:03:37 remaining)
Stats: 0:02:42 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 39.84% done; ETC: 04:51 (0:04:05 remaining)
no it's not stfu
why is it going up
and when will it stop?
`nmap -p- -T4 <ip>`
that's my command
It's been 8 minutes since I first executed the command
It will take a while because -p- takes a very long time.
Oh. Overpass 3? ||I just compiled a basic C program that executes /bin/bash and set an SUID bit on it.|| Mods: feel free to remove this if this is too much of a spoiler
im stuck on the mounting part
i just ||copied bash in there, chmod/chown||
Im stuck with mounting too...
if you want a soft hint, ||read up on the nfs export options and what they mean||
Hey guys, I am currently doing the root me room and am having difficulty uploading a reverse shell. I have tried multiple ways of || bypassing the php filter|| yet they all give me the same error when I try and run the script on the site. ||array("pipe", "r"), // stdin is a pipe that the child will read from 1 || That is what it prints out (plus 10 more lines of the same thing) when I click on it and my netcat doesn't catch anything. Any tips?
If it's what I'm thinking then it's either a wrong file extension
@winged mist Those are all the files I have uploaded and none of them give me a reverse shell
I've made a new file as well with the source code from github to make sure I didn't accidentally corrupt anything and after that it was still the same result
I tried php3 and it gave me the same result, I'll give the other php extensions a go though and see if it gives me anything different
PHP is a general-purpose scripting language especially suited to web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. PHP originally stood for Personal Home Page, but it now stands for the recursive initialism PHP: Hypertext Preprocesso...
Also ||.jpg.php||
Look at the source code & look at the filters & whitelists
||tried the .jpg.php and that didn't work|| and there was also nothing in the source code that I could find, that's why I'm so stumped on this one...
This may be a silly question sorry...I'm on the Nmap room and have no idea how to figure out what IP address the MACHINE_IP placeholder is supposed to refer to?
it should resolve after a minute - machine_ip is just a placeholder while the machine loads
Sorry lmao it's ||phtml||
I did an "echo $MACHINE_IP" but it came up blank, and the attackbox was running for a good 10 minutes already
try page refresh? that too
Did you click the blue button with "deploy"?
Ok thanks
In the room
Something like this
Oh crud, rookie mistake. Thanks!
@winged mist Alright well that gave me a "failed to daemonise" I can work with this now. Thanks for the help!
No p
No p
I read up on it but I am stuck at ||mounting the share remotely, tried a few methods but all failed||
||one of the options changes how you mount it remotely, particularly with the nfs version being used||
are we allowed hints on Theseus? I got into the first flag, but not sure exactly where to go from there. ||nmap|| isn't helping too much since ||we're stuck in a container and nothing seems to be open on the host||
hi there!! I have a problem submitting an answer for a question. The question "What's the payload you can use..." for the task 7 of Linux: Local Enumeration. I am pretty sure about the syntax but apparently it is not the good answer. So far I have: ** grep '' /etc/... ** the problem here is with the ' " ', someone have an idea?
hi there, actually im trying to get a reverse shell using the msfconsole in the machine named RELEVANT, but it gets stuck there only, it doesn't give me the command prompt
i also tried the netcat but the same problem was also there
||sudo mount -t nfs4 -o proto=tcp,port=2049 overpass.thm:/home/james /tmp/|| can someone tell me what I'm doing wrong coz I get connection timed out with this command, I have setup a local ssh tunnel as well for overpass3
lookup how nfs4 mounts are specified
Dears I am stuck in question 3 task 7 for windows event log, I'm not sure how to find the cleared event log, any help
if a clear log is logged, where might it be?
think about position
I've been trying so hard for the past 2 days but I couldn't find anything
you can search for it
Room:Crack The Hash Level 2 stuck at task 4 showing me error ||No "THM01" mode rules found in /etc/john/john.conf||
you have to add them
did you read the task?
yes
Is this a challenge room?
it's the walkthrough part
Is this a challenge room
in same directory /etc/john
read the task
I'm just going to take being ignored as a yes
its walkthrough
I'm not sure, there's a walkthrough part and a challenge part
Rule 13 is a bit weird on this one
there have been some hints given for the walkthrough part earlier
By whom?
point me im stuck since hour
mod san , allow me cheat ?
yep
Everyone gets the same treatment no if or buts
@trim haven am I allowed to screenshot the task?
Dear @ripe hedge I have seen an event log but still telling me my answer is wrong
Hydragyrum if they're not reading the task properly that's their problem
bruh
yes i know and its not working
as in what file to edit and everything
it works on a standard kali
I'm sorry but I'm not sure if I can share this or not
sure, what does the task want?
it should
I think it's the Record Id from memory
do you have john-jumbo installed?
as asked for by the room
oh no no
rtfm then
Record if from memory
missing a comma there
ok
its already there
oh thanks its twin brother thing @trim haven love you ❤️
@ripe hedge wordlistctl is not on kali ?
i grabbed
it might want sudo
Hi guys I am doing overpass 3 room . I encountered a share but if I try to mount to it , it is showing "no route to host " but when I try metasploit to scan nfs share it is showing the mount. Can anyone tell how to solve this issue? Has anyone else faced it ?
working on that
Are Enterprize hints allowed yet? I don't know when it was added but the info tab says 12 days ago?
can anyone help check my custom rule for John The Ripper for the Cracking the Hash2 room? It seems to be quite big and it will take a looong time to run which is not common for this sort of rooms (hence, I think I have overdone it somehow)
Try to type ls there :)
Hey people! I'm stuck on the Internal room and would very much appreciate a hint. just a subtle nudge in the right direction, as I'm banging my head against the wall for hours now but don't wanna "give up" and just read a write-up
My findings so far:
||- one can exploit the wordpress installation to gain a reverse_shell under the www-data user
- from there one can get credentials to the DB (however, that doesn't seem to reveal anything)
- there is a jenkins running in a docker container that can be exploited to gain a reverse_shell into the container under the jenkins user
(although I didn't find anything of interesting there)||
what i tried and didn't work:
||- the password for the wordpress and the jenkins cannot be used for the aubreanna or root user
- trying to mount the root or aubreanna home directory into a container using runc
- trying to escape the jenkins docker container ||
@past cargo did you check if jenkins could maybe give you a shell?
||i did get access to a shell but it's running under the jenkins user, inside the container. or at least that's what I inferred||
but i take it that you encourage me to explore further into the jenkins direction, got it
||maybe check files in the same place as where you might have found an important txt file on the wp related shell||
to put it differently: you are almost at the end
uuuh exciting, thanks a lot!
Define "very first step"
||Well I found the backup.zip and extracted using gpg, but it just looks like gibberish to me||
@trim haven ||cewl -d 2 -w $(pwd)/example.txt https://example.org|| why this is giving me error when im copy pasting room: crack the hashes part 2
¯\_(ツ)_/¯
||The contents of the file after the gpg decrypt||
Of the ||xlsx|| file?
Yeah
Well what does it look like you have?
other command i run working fine
And are you opening it with spreadsheet software?
Archive type not supported is the error
AttackBox?
||The commands used : gpg --import priv.key ; gpg -o filename.xlsx -d Custdetails.xlsx.gpg||
Kali in browser machine
Yeah
that's a THM issue
The way I got around this is ||I crafted a python script to read the contents of the file||
Or I could just upload the doc to my cloud and open it there?
Sure
Thanks! I've spent upwards of 2 hrs on this. Glad to know I was on the right track
@trim haven anything on my issue
¯\_(ツ)_/¯

thanks
||Kinda hit a dead end. Am cracking the image using stegcracker but looks like it can be a while||
||hallway.jpg||
||Used the paradox creds and got in. But looks like nothing to me.||
Westworld reference. Get it?
Overpass 3 room . I got stuck in this stage. Can anyone give an hint ?
Assuming you've checked the /etc/exports you'll notice there's something in there reminiscent of an ID. Check that out. And also check out how to connect to NFS v4.
any alternatives to wget?
You mean the fsid right?
Regarding EnterPrize: I just talked to @minor bough and I will allow hints and release a walkthrough tomorrow night 9pm CET / 3pm EST (update). There will also be something special going on so make sure to watch #thm-community-media
The same problem exists even if I try "sudo mount -t nfs4 -o proto=tcp,port=111 boxip:/home/james /mnt/dir". It is showing no route to host error. Maybe port forwarding is required?
can anyone give hints on foothold on EnterPrize room ? Can't seem to find anything through enumeration
Did you resolve it?
Nope what abt u ? Have u finished the room ?
Still messing with this nfs4
Hey.. ..
Can anyone give me some hints on overpass 3 room
I finished Overpass 3 a few days ago...happy to give hints as much as I can for next 30 minutes or so.
I got the nfs4 mount to go thru w/o error but i dont see the directory on my local
Enterprize hints are embargoed until Jan 22, unless the creator takes pity!
Hints tomorrow
Nice, ta
If you dont mind throwing a bone
Are you sure it mounted then?
I mean...yes and no
I've had that happen to me as well
What was your mount command (spoiler'd of course)? Or, feel free to DM me?
Ill dm instead
You're so close. The FSID is key here
Port looks odd too
It does
The trick is with ||fsid=0|| and how it affects the ||path|| #overpass3
I did some Google search so fsid is like representing filesystem right ?
Ahh right. Forgot about that
Any hints on chisel
Got a tunnel going from local to the box....still cant mount dir to local
check out the ||nfs|| version, see how the ||mount|| command is different for that version
It mounts but doesnt show up on my local
||sudo mount -fstype=nfs4 -o proto=tcp, port=2049 overpass.thm:/home/james /tmp/pe -v||
As in port forward?
yes
Got the user flag for overpass3, it was really really confusing for a moment there, but a facepalm in the end cleared it up
You are right. Just changed to the listening port on chisel
Now to the nfs4 syntax
Hunt
I don't think I ever logged in to the proper user on overpass 3
you need to use the user to get your shell hydra
I used ||paradox||
I may have massacred some permissions on the home directory though ^_^;
can anyone help me with chisel? I'm stuck with the port forwarding
Everything i read points to -t nfs4 which is not right
why not?
Errors out for me
-t and --fstype are the same thing
One errors the other doesnt
according to the doc they're the same
It is correct
make sure you don't already have a mount up
ninja has spoken
I do not. df -k no mount of that sort
what's the error?
No route to host, which is due to 2049 not port forwarded
I tried port forwarding 2049 but could not .
Well you know what you need to do
Ive established a connection to forward the port but still no route to host
Ill come back to it later I suppose
Then you might not have done it correctly
nmap -sV -v -p2049 127.0.0.1
Its open
Just ran linpeas and linenum for overpass3 as james user, didn't find anything interesting that could get me to root, maybe I'm unfamiliar with the OS
you can get root using the way you got james
Ohhh ok ok ok I see
Got root on overpass3, this was really awesome box, thanks @stuck fractal really educating stuff 
hey i have a quick question about the crackthehash room. Though technically it is more about JohnTheRipper. I currently try to create a rule to perform a border mutation for a password. And I would like for it to append either numbers or special characters at the end of the password.
so to do this i created the rule $[0-9$§!%&*+#]$[0-9$§!%&*+#]
and this works if the password is only made up of numbers, but it doesn't work for special characters
so e.g. it cracks alex12 but not alex2§
DaMich, that room is still under the 72 hours of Rule 13, I know the creator has asked us to respect it
okay but i don't see how this is asking for a solution?
as i said it is more about johntheripper
i am just doing that room and noticed that I am not able to perform the mutation for whatever reason
so okay then
it's about an older room now, the question still applies
Quick hint please! In Overpass3 as the ||paradox|| user I found the vulnerability that you can write to some paths in the ||PATH|| table. So i can technically replace commands, but which one?
@sweet hound usually the PATH exploit works when there is no absolute PATH set for a binary, for instance a script1 is executed by root, and the contents of the script includes curl www.google.com you can set the PATH= /tmp/something:$PATH and create a script2 by the name of curl which will include maybe a revshell payload or something, this will work because in script 1 there is no absolute PATH set for curl (i.e. /usr/bin/curl)
Hope that makes sense
If my explanation is confusing you can look at this link https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/ it explains really well
This is not at all related to overpass3 box, I'm just explaining how the PATH exploit works
any hints on ||where the web flag is in overpass3||
Hi all, I'm working on GoldenEye room and stuck at reverse shell, tried both metasploit and python reverse shell still no luck keep giving me error response
use some search on the shell
what am i doing wrong
||sudo mount -t nfs4 -o nolock,proto=tcp,port=2049 localhost:/home/james /tmp/pe||
I got it from environment variables
nvm figured it out ( ͡• ͜ʖ ͡• )
Got the root, took way too long than i would like to admit. Hope i would get good at it someday. 
THANK YOU!
got root, finally! stupid ||nfs|| Thanks @stuck fractal for the awesome room
Finally xD
https://imgur.com/o0qqkz0.png
-_-
I'm probably banging my head against the wrong wall, but on Internal, I've managed to figure out that ||jenkins is running as the user on 8080|| and then I created a ||reverse ssh tunnel to my own 8080 port|| but it seems default credentials isn't enough, so I attempted to use hydra, but it refuses to connect though it is plainly accessible... any hint?
My hydra attempt was ||hydra -V -t 16 -l admin -P /usr/share/wordlists/rockyou.txt localhost -s 8080 http-form-post '/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password'||
Try 127.0.0.1
it still says it can't connect unfortunately
but if I curl http://127.0.0.1:8080 i get the page
I wrote a python-script instead and that worked
weird though
usually when doing that sort of thing i wont use the same port locally
just helps avoid conflicts. not sure if thats your problem, but in that room i piped jenkins 8080 via local 1234, so i would curl/hydra 1234
@zinc oyster I did a write up on that box. What are you trying to do exactly. Nvm you got it settled :)
Hiya Im working on the linuxctf and I have a noob question. While searching for a file using find and grep and I can see it scroll by the red highlighted text but once the command is finished running I cant scroll back up 2 it. I'm using the attackbox.
Increase your terminal scrollback, or get more specific with your search
I didnt know you could do that. Thank you
any hints for overpass 3 privesc?
Hey all, I'm doing the room battery, and I've found ||2 web vulns on port 80||, one is a ||SQL Truncation Attack||, and the other is a ||XML External Entity Injection||, which when chained together can potentially lead to RCE.
But, I'm not sure how to exploit the first one. Can someone pls help me? Thanks!
@white salmon Linpeas is really enough
test
hi, i need some help in day 23 sql injection, I have read the support material but I think i don't get it at all. I try upload a web shell but it only show me the text, I tried bypassing it using </pre> and " but none worked
i keep staring at output and don't really see anything good gonna have to look at it again
run a newest version of linpeas?
it is so obvious tho
There is a new linpeas version?
Hi guys, I am trying to get a reverse shell from a target machine to my attacking machine but doesn't seem to work.
I tried generating a raw payload and pasted it into telnet connection. I am also listening via a nc listener on the same port
Reverse Shell Cheat Sheet - 2020 update, a list of reverse shells for connecting back.
@white salmon 
Thank you. Looking at it now
I managed to get to the apache and the webflag in the overpass, ran linpeas but kinda stuck at this point, any hints please
Whats your train of thought?
linpeas will scream at you with a 99.99% privesc vector
Hi!
Room MITRE
Task 7 Question 5 :
"Per the detection tip, what should you be detecting?"
I'm desperately looking for a hint on this one, I have been stuck all night on this.
I've read the associated page countless times, and all the external links as well.
EDIT : I've found by myself ... I was probably too drowsy to efficiently search for the answer...
hint for future persons who will also check in the Discord history :
Browse through all links in the page and look for the answer, which can be responded with a copy/paste, no need to invent phrases to match the answer
@drowsy sequoia
Thanks, I had it on 8089 locally first but hydra kept giving false positives (some request got back with a bad port status) so I wondered if it mattered which port. I didn't really follow the intended path either as I found the user credentials last. So my tunnel was a reverse one. But all good since it worked with 6 lines of Python code.
Is it something related to ||nfs||
I saw some ||mounts||
Potentially
Okayy
Hello, are we already past the 72 hours to ask for a hint for crackthehashlevel2 ?
72 hours have not passed yet.
ok, thanks
Hi guys, do you need go to build chisel on the remote machine ?
Remote?
I mean the target machine
Yes
Chisel has 2 options (server and client)
By building you mean uploading executable?
yes I'm to able to upload the chisel source code but no way to run the command for port forwarding
You dont need to upload source code
Download the chisel amd64.gz gunzip it to your local machine and chisel is ready
Upload that file to remote machine and make it executable
Then you can ./chisel
wahoo thank you so much actuaL
Rename that long chisel name to something simple for sanity reasons
Especially if you dont have autocomplete in a shell
Chisel_amd64_gibergabber is too long lol
yes autocomplete not working I upgraded it with python3 but still the same
thanks a lot Actual God Bless you
Dont bless me :) Glad i could help
People help me, i return the favor. You should too, at some point.
Yeah definitely !!!thanks for the lesson !
Anytime.
Good resource in case you get thrown for a loop
[Update 2020-08-10] Chisel now has a built in SOCKS proxy! I also added a cheat sheet since I reference this post too often. [Original] Having just written up HTB Reddish, pivoting without SSH was at the top of my mind, and I've since learned of two programs that enable pivots, Chisel and Secure Socket Funneling (SSF). I learned about Chisel fro...
@undone delta
great resource ! let me read this too and master it , I don't want to spend days again with Chisel lol.
can someone give a hint on enterprize, I have made a typo three times but I can't see what to do with it.
I keep getting 403
I am trying the battery room . I am stuck in enumeration stage, can anyone give an hint?
I used Nikto to scan and found it is Easy News version 4.3
So I searched for exploits but didn't work
You and everyone else, that's the room. Hints aren't allowed until tonight when the creator will reveal something!
I found one though but didn't work
I think it might be about race condition
Is it ?
Ok
@white salmon Walkthrough and interview with @proven bridge today at 9pm CET / 3pm EST (we moved it back one hour from the original time)
@cursive star sweet, thanks mate
We want everyone to learn and I believe that is what TryHackMe is about. ❤️
So everyone can give it another shot for about 8 hours without any writeups out there AFAIK 
Did you ever figure this out?
No hints for 72 hours
i will be there @cursive star
Hey, currently doing the nmap room. Question "How would you activate all of the scripts in the "vuln" category?" I have tried: --script vuln , nmap --script vuln - no luck. What is the answer? Help appreciated!
Try googling for that u will get the idea
Or there is a man page for the same
I have already googled these are the two answers I get but come up as incorrect
Try --script=vuln
It worked thank you!
@real lynx Please do not give out hints for rooms that have not been released for 72 hours unless you are the room creator or have been given explicit permission.
Will keep that in mind sorry @trim haven
It's a weird thing. Some of the scripts run without =
@cursive star will that be on your twitch channel??
Yes I will post it in #thm-community-media
Alright. Looking forward to that
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Can any one help me with overpass3 kinda stuck
Room: overpass3
2nd Stage: I got pgp priv key and gpg file but can't get any useful data from
I did that using
gpg --import privkey
gpg --decrypt gpgfile
but the problem its unreadable
yeah, you can't just cat that type of file...
Hi everyone! I am struggling mounting the share folder in Overpass 3 room. I established a tunnel via chisel on port 2049, checked that it is opened using nmap, but if I try to mount using BOX_IP it says no route to host. If I try to use localhost/127.0.0.1 -it shows 'trying text-based options ...' and shows nothing, this is my mount command - mount -t nfs4 -o proto=tcp,port=2049 127.0.0.1:/home/james /tmp/pe -v . Help me please!
That's not how you use v4
And you can't use the box's IP because you can't interact with the service outside of the box
Half those mount options are incorrect
Look into how you use NFSv4
ok, thank you!!
hey.. umm can anyone drop hints for the room "battery" ??
I cant seem to wrap my head around this.
But I dont know what else to do..
😦
Are you aware of rule 13?
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
That's a new room, please wait 72 hours before asking for help or hints
Okay okay
Post in #site-support
Need a hint on /room/skynet
with root
there's || backup.sh || and its running as || cronjob ||
is it the right way to get root?
Should be
That's a bit more than a hint IMO
Look into what it's doing, and exploiting things there
Hey there i need a hint for the Room Overpass3 i am logged in with SSH as user Paradox but i can't find a way to escalate. I dont find SUID / GUID / Cronjob / Kernel etc. i was trying for some time now to exploit the PATH but that doesnt work for me neither some small hints?
Run linpeas
Linpeas
I did that .. Okay i will try again and make a output file maybe, thank you
Hello someone on the new room battery ?
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Oh didn't know that ,thanks
Hello guys , I'm on the Gatekeeper room , I manage ||to get a .exe file|| but someone know how I can run this exe file in kali ?
or maybe I'm completely on the wrong path
Get a windows VM with immunity and stuff to debug it
where I can get this ? because I did a room with those tool but I guess I can't use this one
You can make your own?
any hints of how to become james in overpass3 ?
true but how I can get the license for Windows
Linpeas.
you just cant load anything , and thats what is the most difficult part about this
netcat , wget , git
doesnt work
Yes you can.
I know because I have done, and selinux is disabled which is the only thing that'd be preventing you.
but as far as i know selinux can be enabled only at rebooting
It's disabled
by this , i guess you are hinting me to enable it right , ?
Not at all.
SeLinux is disabled. If it was enabled, it might be preventing you. There is NOTHING preventing you running linpeas.
If you enable it, you're just going to make your life 100x more difficult.
right , so there is only 1 way , there has to be a linpeas file in the system because you cant really import stuff
right ?
No.
You CAN get linpeas.
It's not stopping you
There is nothing stopping you.
how sir ?
Same way you would normally
If it's not working for you, you're doing something totally wrong
wget , netcat , doesnt work as i told you
And I said it does.
So
Have fun with that. Try Harder.
i am doing it since 3 hours . same place i am stuck lol
ok one last hint , then i try harder
what is this supposed to mean
That you're doing something wrong
because I used netcat in my official writeup.
rlwrap is an external program, so that won't be installed
oh o ! then gotta do everything again
I mean, I didn't say that
uh uh , man what do i dooooo , bro dis is gahhhhhhhh , i love it and hate it at the same time
btw when is your writeup getting released or its already released ?!
No writeups will be released until tomorrow at 7pm GMT
quick question about battery, no hints: path to root seemed trivial. is there a bug there?
james , may i ask how to get the shell , like just a rough hint
Use linpeas
because the way i got , nothing works in here
no i mean how to get in the machine ,
because i got the rev shell and nothing seemed to work
so theres prolly another method to get in the machine , so what is it ? (just a rough hint )
I don't want to, so no.
@pine ridge Linpeas will scream at you with a privesc
I don't know if the problem came from my system but I spent 3 days on the User Flag (Overpass) it works only after I change my php shell to bash shell. do you have the same issue ?
First Overpass?
overpass3
Whats the issue exactly
I got so many timeout... issue
You got the flag...go for root
Yes definitely I'm going for the root right now and then I can can go have a rest lolllll. thank you so much actuaL !!!!
You can do it!
I hope so
Official writeup of EnterPrize is now available!
Video will follow. Feel free to stream, give hints and post writeups ❤️
Stream recording is also available
I need help for the Stored XSS challenge
1.Add a comment and see if you can insert some of your own HTML. I am very lost i dont understand
Finally I got it!
Great job!
i really hate this and i'm not sure it counts too much as help but i got something trying to reverse a room challenge and i can't read it because it's apparently in chinese
is there anyone that i can sent this too to tell me if i'm in a rabbit hole
online translations are a bust
lol, I was just about to ask for a hint, while as I was typing the question I figured it out. Note to self- I should think out-loud more often
nice
@true spruce what room?
check the hint, it will be difficult if you dont know some of JS
@onyx sparrow yeah i need my JS bases
anyone done ra room?
||Should there be any logs before they were cleared? ;)||
Hi folks, quick question...how do I copy/paste the CTF flags from the AttackBox into the answer box?
(Using Chrome)
Hi i'm doing the kenobi box but i keep running into an issue. When i try and mount the NFS share the server doesn't give me permission
i'm running kali linux from a virtual box
sudo mount 10.10.75.217:/var nfs 32 ⨯
mount.nfs: access denied by server while mounting 10.10.75.217:/var
Redo all the steps
Hi I'm trying to make a border mutation rule to prepend and append numbers, prepend and append special characters then both.
A0"[0-9][^&()+-={}|[]\;':,/<>?~*]" Az"[0-9][^&()_+\-={}|\[\]\\;':,/\<\>?~*]"
A0"[0-9][^&()+-={}|[]\;':,/<>?~*]"Az"[0-9][^&()_+\-={}|\[\]\\;':,/\<\>?~*]"
please is this the right syntax for this?
If (and it's a big if as I haven't cracked this one yet) I've understood right that will prepend a number followed by a special character etc, which I don't think you necessarily want to do. Good way to check your rule is use --stdout>test.txt
@balmy dock I think that is not the right syntax, I'm also struggling with it, but if I test it with --stdout I can see that there is something wrong
thanks, --stdout>test.txt revealed the generated wordlist contain nothing.
Used this
A0"[0-9][^&()+-={}|[]\;':,/<>?~*]" $"[0-9]$[^&()_+\-={}|\[\]\\;':,/\<\>?~*]"
$[0-9][^&()+-={}|[]\;':,/<>?~*]$[0-9][^&()_+\-={}|\[\]\\;':,/\<\>?~*]
and i think it output what it should be, i guess i'm now using the wrong wordlist which is why i still can't crack it
I think I've used the same range of special characters (from the Korelogic rules), I've used 2 different thousand name lists, changed the cases in various ways and gone up to 5 variables in different combinations of appending & prepending and still nothing. I'm sure there's something small missing but can't see what it might be. It will come though!
You look to be on the right track
Think about how someone would write the case of a name as well
@ripe hedge I did something similar to @balmy dock /spoiler [List.Rules:PrependNumSpecial]
-[c:] a3 \p[c:] A0"[0-9][0-9][!$@#%.]"
-[c:] a3 \p[c:] A0q[0-9][0-9][^&()_+-={}|[]\;'":,/<>?~*]q -[c:] a2 \p[c:] A0"[0-9][!$@#%.]" -[c:] a2 \p[c:] A0q[0-9][^&()_+\-={}|[\]\\;'":,/<>?~*]q
but I have other rules for Append and for PrependAndAppend
but still no luck
Spoiler tags are ||
There's probably more than one symbol then
Maybe like a birth year...
mmm, then the advice is misleading in my opinion
CTH level 2 is a great room, got all hashes except 3,4,5,8
Hard stuff
Hi there,Can anybody tell me about the freak and border mutation in the room crack the hash 2?
@balmy wedge @quartz ruin , did you ever find this solution to MITRE Task 7 Q5 & 6? I am also stuck on these two, and have been for a week. I have followed every link in the ||https://attack.mitre.org/software/S0358/|| page, including references, to no avail. I know it is there somewhere, and I have probably seen it a bazillion times.
For #6, I am guessing the following: || ***, Azure, Azure AD, ***, Office 365, ADFS || but am struggling with the remaining TLAs. I may be completely wrong, too.
anyone have issues on relevant privesc hanging?
When I get home I can look to help you. I am about an hour out
Thank you. At this point, I am in no hurry. Will be going shopping soon myself.
Cool! I might do a write up on the room since a ton of people have asked for hints lol
Thankfully, these two questions are the only ones I have been stuck on.
who can help, what option with "curl" i should type, if i want to capture code to brute login page (hydra) like "username=admin&password=admin&Submit_in" . Without burpsuite or NetworkTab in browser
nvm damn firefox blocking my downloads lol
Can I pls pm someone for privesc (to root) on overpass 3?
Yes I can give you a hint
that'd be great, thanks!
I don't know of a way at the moment, have you check man pages? I think you're looking for something to do with the request. Maybe capture it in something like burp to see what it looks like if that's possible?
Then replicate it
no i'm looking for method to capture "username=admin&password=admin&Sub_but" (but with curl for hydra ) without working with browser or burpsuite (not for room)
Yo I'm stuck on the Investigating Windows room, I can't figure out what is the IP address the system connects to when it first start, can I get a hint on how to find it pls?
Like curl -v?
Curl only sends requests, it doesn't really capture responses. That said form params are usually in the source html which doesn't need anything special
Also there's no JS, nor events so no clicky buttons for you.
If it's not for a room, don't ask here.
I'm in overpass3 room and I just got a shell as apache any hint to continue? I think I'm stuck..
Use knowledge you already have
Try it
Linux Fundamentals part 2 question Binary -shiba2 why can i not work this out? I have ls and found shiba2. When i cat shiba2 i can see the test1234 file but not when i ls at root. I am a noob so apologies for the stupid questions
Im not sure what the variable or the binary is and i dont want to just parrot information i want to understand it. so outside of try hack me could you let me know any other reading sources or man pages i should read. And also let me know what I am missing fundamentally from answering this question.
The first task tells you what a binary is.
The task tells you what this binary does
You need to make the check succeed.
the binary is for putty
a way of installing on windows maybe
i need to run shiba2 as an exe file but im in linux so im struggling lol
You can also use google. what is a binary linux
No, you don't
Anyone for sanity check on Crack the Hash Level 2 room, last section, advice 1. Its a bit of a tricky situation and I am unsure of where to go from here, considering that we don't know the length of border mutation used on the password. This is what I've tried so far with it.
ok this makes more sense, i have not read back yet but Im happy that Try Hack Me is making me use what has been previously learnt to solve current problems.....Which by the way I clearly haven't done and means i need to go back
I still dont understand it?? Ive seen that the only file on the server is a run file when i cat it. but i cant see what the question is saying....shiba2 is a binary test1234 exists in that file as i can cat shiba 2 and see a password hashed out
No, you can't do that
Because that's not how it works
That's a compiled C program
...a "run" file?
What?
but the question to me seems to not make sense
That's because it's not a question
it's a statement followed by "What is the password"
sorry still talking windows
Screenshot what you mean
ok
Yeah I kind of know that's what it was and understand how coding works slightly. i went for the cat command as i literally couldn't work out how this answer was suppose to work
has anyone done this room? https://tryhackme.com/room/chocolatefactory. Is Charlie's password supposed to be brute forced? I've completed all other questions, just stuck on this one.
!rule 13 @high hamlet
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
I need a hint on relevant, or more so am I looking in the right direction to try and exploit the smb connection with MS17-010. It seems like it might be a rabbit hole as none of my payloads clap back. A yes smb is where it's at would be nice!
I'm not sure about that method, which is perfectly valid, but I recommend you go down the route of creating rules in the john local config file as you will need to append/prepend a fair few characters so doing it that way will just create a massive file. You have all the characters you need there, though and you can find good example rules if you search for korelogic rules or graceful security. You also need to check that your base wordlist might need to be reformatted.
Although I notice you have 3000+ in your list, so I'm guessing you have covered a few formatting options.
Just use the list you'd get by using the methods shown on the box and turn it into something sensible like how people write their names and you should be ok. (Sorry if this sounds patronising, I'm trying to help without taking away from the training objective)
!rule 13 @red arch
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
@red arch As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Oh ok didn't notice
!rule 13@solar needle
Sorry, the characters you have entered are blacklisted, instead of trying anything here, try some rooms.
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
@solar needle Stop.
@stuck fractal Sorry. It is a little confusing, the room description says "247 users are in here and this room is 108 days old.". A number of old rooms have been re-released recently, and that room does not carry a prominent warning like the other recently released hard room. Can the release date counter be reset to 0, and a notice added to the room please?
I can't do it. But I told you to stop 3 times, which is 2 too many by my count.
Sorry, I did not see your warning immediately on the app.
The warning was after those 3 times.
Yes, that is all I saw come up, I did not see whatever action you took previously until I saw the warning appear.
So what you're looking for isn't on the software page but on the group page. you want to monitor the activity of what could be compromised if you went to the cloud.
This is pretty vague so let me know if you are still struggling.
Question 6 was hard for me the first time too. it's not obvious but It's at the top of a page. You're looking for platforms it affects, think that. Don't be afraid to ctrl+f the pages and look for key words.
Thank you.
No problem, hope it helps!
The room is implying I should be assuming telnet from this.
the room is enumerating telnet/network services
am i missing something?
Telnet into it
but if this was irl, how would i assume telnet from this
That jumble of text is nmap trying to interact with it, and what it's getting back from it
That text isn't for you
It's for the developers.
right but in the room, it seems like its implying i should know to try telnet from the nmap scan. maybe i'm looking to deep into it, but im not getting that besides the fact that the room is called enumerating telnet
The task is called enumerating telnet
if you see output like that which seems like random text just enumerate the port on your own, for example by trying to connect to it via netcat and telnet
so, knowing telnet is a tcp service, I should just assume it as a possibility?
in a real life scenario-ish
basically, yeah
gotcha
Port 23 by default. I don't know why someone would use telnet nowadays
yeah, it's not really encrypted so it's easy to collect the transmitted data
in the specific scenario its on a weird port on like 8000. I'm just trying to get a little more than face value
Widely used on network devices like Switches
good to know!
Yup
Hi all, I'm stuck on the OWASP Top 10 room doing the broken authentication challenge...I have deployed the machine but cannot access it on http://10.10.158.117:8888...any ideas?
10.10.158.117:8888
ip:port
Did you connect to openvpn?
It usually how it goes ip:port, whats so funny?
Can we talk about the new room battery now ?
Quick one for Chocolate Factory - I have Charlie's details. I have tried both jtr and hashcat and other than leaving them for a long time (hours) to run, am on the right track? I did use rockme.txt and cewl from the wikipedia page. Thanks in advance
It's in rockyou
Where to look for charlie password any hints?
in chocolate factory is bad name lead to password?
Booting VM one hour expired now
you can extend the time
free users can extend
No attack box is for only 1 hour
How much time it can take to crack this hash?
||on crackthehash2 challenge 6_6 I tried with pnwgen, prefix 599 and length 9(+3 from prefix) and did not work. what am I missing ?||
read the hints on the website better
they mention a country
There are other dial codes
He's looking at that country, just the wrong bit of it
yeah google is giving the wrong answer
@white salmon @candid nimbus Thanks for the hints
Yeah I ended up brute forcing everything with hashcat
Thankfully it wasn't a difficult hash to crack on the gpu
Is pentestmonkey. Down?
Not related to room hints ^
Yup, to be fair I hadn't even noticed that bit of the code, generated a billion numbers and nearly broke my machine! I did that one with a john rule since I'd got so good at them on qs1 & 2!
Doing chocaltemachine need a reverse shell
Let's see if this new prefix works, and then I can go back to challenge 3 and 5
My kali VM is not that powerful
Don't crack in a VM then
Changing user to charlie giving authentication failure why is that??
which user are you now?
Www data
