#room-hints
Do not provide or ask for help or hints for magician room until 24th Feb, 7pm (GMT).
Well there's a : followed by a choice of true or false.
Hi all! Anybody passed cct2019?
for both same 😫
I just wanted to mention that magician room does not feel like an easy one, maybe tomorrow after some sleep it feels different
The foothold is something that will take more time to accomplish, I'm sure
Someone just did Yara room? got some questions
What questions do you have?
all but the last question
I'm a bit stuck in my Nmap series, I'm at task 14 3rd question (maybe I'm just too tired).
Is there a friendly soul who can give a hint (in dm) to where I need to go with this 🙂
Did you read the hint?
Yea, it didn't give much info 😦
did you run nmap with that flag?
Is it an approved writeup on the room yet? @hardy thorn
They are not reviewed by admins. They're reviewed by the room creators.
If it's not approved on the room, DO NOT post it here. Especially not in the hints channel.
any nudge on Magician -- privesc?
Check channel pins
I was able to complete the room ... no nudge needed
@wet pollen ok so the format is / followed by the short version of the command ( beginning with l, not i ) a colon : then true or false (true)
hey guys, I'm stuck in the magician machine where I didn't upload any png file
and even I added the hostname to the hosts file
U can upload the files
no I didn't ... I tried it a couple of times
Guys, stop talking about that machine. Check the pins.
omg I can't believe it, I thought all the time that it is if not lf .. sorry for the stupid question
No problems, we've all done it
what pins and where are they?
Ok, got it. Anyway, not worth the trouble.
https://discordapp.com/channels/521382216299839518/690557518837186560/812787657247424593 <--- That's what it's referring to
Get it. Just lost interest now.
Oh that's a shame 😦 Don't give up on the first hurdle. Solving challenges is what makes us grow and become better
Been jumping hurdles for a month now, worked out very well. This might be a bridge too far for the moment. I'm sure there is a solution for everything. However, there are so many challenges to pick from. I might give it a try another time.
a month? The challenge was only released 2 or 3 days ago
I became a member of THM a month ago, more or less running my own challenge. Missed the announcement of this event, probably too busy solving puzzles.
It's great that you are sticking with the site! If you want to be alerted when an announcement happens, pop into #bot-commands and type !notifyme
I love it! Learned so much already, looking forward to get better every day. But I still feel like a greenhorn.
We all feel like that - There's always more to learn!
And that, my friend, keeps us young and fruity.
Nice one. Thanks.
@rich shard No. That room is under strict hints embargo as per the pins
Thank you James, could you give me an idea where I can have some help ?
You are not allowed
ok 🙂
Hello, I need some help please. I'm doing the inferno room. I was able to get a shell but after a while my shell gets disconnected, my shell gets an exit from somewhere. I tried to prevent it with alias and trap command but I didn't succeed
Room WiFi Hacking: what if the password is too strong to be cracked by aircrack?
Then rip
best way I still think is an external wifi card
You don't crack it with aircrack
You crack it with hashcat
Cracking the password is 100% independent of what wifi card you use.
If the password is too strong, then you don't crack it. Same as regular hashes.
ohh thanks for the info
In Linux Agency I'm having an issue finding the 4th flag. Can anyone point me in the right direction? The hint seems like it's referencing cat but the flag.txt says that it was stolen... I have searched quite a bit and went back as previous users to no avail.
Don't believe it. Try not using cat
ooooooof I have spent way too long on that lol. The hint was more accurate than I thought. Thank you! I have the dumb today apparently...
Keep on going and make Agent 47 proud. 🙂
Will do! I've been breezing through but for some reason that clue did not register.
for linux agency I'm so confused on what the password for room one is
is it the whole thing as in mission1{1234567890} or only the part inside the {}
I tried both and I'm having trouble logging in
you need to su to the next user i.e. mission1 using the flag/password you found for the first part
anddd it worked
thanks for the help, I tried sshing using the username and every combination of the password and it didn't really work
Hi, I'm at the "overpass 2" room, and I wonder, how can I retrieve a function's parameter from debugging it
I can't upload an image, but I'm debugging an SSH backdoor, and it is handling some hash, a salt (Both are known to me), to compare with a password. But my RIP pointer is right now inside a function that uses this password, (func somefunction(hash, salt, password))
but since it's not in memory I can't access this "password" as if it were a variable
can I get a hint for linux agency mission 12 please
I googled evs and didn't get too far with it
Task 9 Binary - Shiba1 from the Linux Fundamentals relies on being in the AttackBox right?
it's telling me to run shiba1, I'm guessing that's in the attackbox
no, on the box
I have accessed the machine but cannot find a way to get root
a sudo exploit might work but I don't even have access to the sudo password
I have upgraded from the basic shell
linpeas might help you
You have the source. Don't do active RE.
hi
is there any problem with the code? uploading the backup file on ftp is not working, can someone help me in [Day 9] Networking Anyone can be Santa!
you don't ssh you need to su to the new users you only ssh as agent47
did you use the whole flag as the password? ie.. mission1{longhashvalue}
can you screenshot this?
idk works for me
and you're using the full mission1{} flag as password, and it was accepted in the room as correct?
what's the IP of your box?
no, the target
it's definitely working
ohhh did agent 47 have a .bash_history??
not sure, that just pops up as soon as you enter the room
never bothered to look for where it was coming from
no bash history
work away
still, it works, 100%, will you try it again?
no, I was just thinking if .bash_history was not redirected to /dev/null, check and see if he was typing it in right?
oh, no, it is -> /dev/null
oh well
wait a min
exactly what are you typing in for the password?
that flag is a free one, so it doesn't matter if you post it here
only the hash?
not the WHOLE flag text?
but I asked you that
you need the FULL flag
including the mission1 part
and the {}
yeah
try again to be sure?
good stuff, good luck with the rest of it
hi
guys I'm solving the skynet room and I'm literally stuck at the first question. I have the wordlist, I know I need to use hydra, but squirrelmail keeps redirecting me so I can't use the F=error or S=Location in hydra
what should i do?
what are you hydra'ing, screenshot it maybe?
||hydra -l miles -P /home/enigma/thm/skynet/logs/log1.txt 10.10.163.188 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^:F=redirect" -IV||
here's the full command
maybe think of a different service you might be able to hydra
oh
what mission# is that?
sorry, scratch that lol
misread
i haven't done that one I don't think, at least I don't seem to have notes for it
actually I have done it, must've been before I got in the note-taking habit
you got a message when you connected right?
try this firefox add-on https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/
or use burpsuite to intercept the request and make changes
I don't think you have the right username???
it's still the same problem
what should i assign the value of F/S?
hydra outputs all the passwords and says 16 passwords found
did you try cracking the other services?
as the hint says you need to change your user-agent and this might not work in firefox
try changing it using curl
you don't really need to use hydra but I normally use Login=Login:[failed_response_message]
with the plugin i linked it will work
there's 2 shares and one of them has a password on it
lol sorry. i didn't read my own notes fully lol
just for the sake of trying
can you give me the full command pls i tried it and there's no output
here's the full command
did you get the right username? it's not miles
I'm on my cellphone so I don't have access at the moment to the room
and don't use the login.php link, what's the page called that the error message comes back on? watch the process in burpsuite
so I don't know what the error response is
but like i said you don't really need to use hydra
all you need is to cat the log1.txt file
success?
no
i didn't get lucky 😔
i knew his password through THM's answer syntax
but I need to know what is the legit way to do it
hydra is the way
morning all
I am having some slight troubles on easyCTF
I found ssh running on port 2222
I also found a user mike in robots.txt
I tried cracking his pass with seclists as the hint says, but no luck. So my thought is maybe it's a different user
just to confirm, that's this box right? https://tryhackme.com/room/easyctf
ok, that's Simple CTF, a link is always good when asking for help as sometimes the names in the URL don't match the proper name of the room
How can I enumerate potential ssh users on port 2222 without enum4linux? I can code this if needed but i imagine there is a tool? or maybe I am going about it the wrong way?
so have you enumerated the rest of the box?
when you say enumerated, you mean the shares with enum4linux?
no, I mean gone through all the ports, looked at web pages etc.
tried to find out what's running
bruteforcing should be last
oh well I think so, let me elaborate and maybe you could just give me a hint to dig more or something vague
I have run / am still running dirb
lots of stuff mostly looking empty so far but I did find that user name
I looked for ports with nmap
where did you say you got your user name?
/robots.txt
what did that contain?
saw something saying mike and I tried ssh into that, asked for password so that means real user I believe
The whole string at the top is interesting but I figured that just formatting
can you show that here?
I also saw on nmap that ftp is open on port 21
ok, did you enumerate that?
no not yet, I should tho now that I think about it haha
yup
ok let me take some time and get back to you lol the other trouble is idk what CVE they want me to attack with, so I have been hoping maybe there is a hint along the road
for now I'll find some ftp pentesting software
you can just use ftp, should be on your box already
do the ftp, then check the results of dirb and you'll find something in one of those - google that
good luck
appreciate that thanks
is anyone else having trouble with the magician room
I know what to do but I can't upload anything
I intercepted with burpsuite and I'm apparently sending an OPTIONS request
I even looked at writeups 😦
from the pins above:
"Esqy02/21/2021
Do not provide or ask for help or hints for magician room until 24th Feb, 7pm (GMT)."
and if it's still broken then #room-bugs
but I don't think it is, it's just a pain
I figured it out, just listen anyway, don't worry about the error lol
2>/dev/null am I right LOL
yes, it's possible that you'll see errors, from a part you don't care about though so its ok
It's a bloody nightmare!
Reading the Splunk manual is more satisfying.
The magician reminds me of a room in the Overlook Hotel.
Any moment Jack Torrance can come through the door.
lol @slow slate
Hi all! Anybody can help me with task3 CCT2019 room?
?
I am stuck on task 3 CCT2019 room. Already exhausted. I found the password to the hidden archive, where there was a file with the words of a famous character, but I can’t go any further. Tell me where to look next?
@shrewd raven #room-hints message
no worries
hi please help
I cannot connect to a deployed machine
I am in this page on tryhackme:
https://tryhackme.com/room/networkservices
I get the following message when i copy the IP address into firefox:
Error code: 405
Message: Method Not Allowed.
Error code explanation: 405 - Specified method is invalid for this resource.
I have watched the video on youtube here:
@neat kraken please don't post the question across multiple channels like that
405 generally means that the HTTP method you're trying isn't supported by the endpoint
ie trying to GET when it expects a POST
for example
They were answered in #site-support
hey everyone! I've been doing HackPark lately and it's been a while that I'm stuck at its priv esc part. I'm running winPEAS.bat where I should be getting the running processes but its output isn't covering all info, neither is it covering abnormal services. Can anyone help?
Hi I wanted a small hint for tomghost
I found that there is websocket there
But don't know what to do next
A year after I joined and tried "inoculation" and failed I'm back, but the room is gone. Is there an ISO somewhere or a config script for whatever the hell that machine was about? I'd like to try it :(
need a help on room Windows Event Logs
one of the questions is: What are the total number of events if you filter on Event ID 4104?
if I filter it on event id it shows 133 events but it doesn't accept as answer
what's the catch ?
i also see that events on the machine are increasing, so how can i put the correct answer ?
try omitting the events that you created
I have omitted the events from when I logged into the machine and it says 169 but still doesn't accept as answer
Is it possible to get some help on Hacker of the Hill room? I am not sure because it is an ongoing competition. I am stuck in the hard challenge. Thanks in advance
Check pins, no help is available until after the event
Understandable
Hey guys I'm doing easyCTF: https://tryhackme.com/room/easyctf
I'm having troubles finding the CVE they want me to use against the webapp for privilege escalation
Any hints on where to find it? I'm already ssh'd in as mitch, and I logged into the site admin page also
Use exploitdb and search for the name of the exploit
@astral smelt was there a hint throughout the challenge that would have told me that, or just something I should have had tucked away in my knowledge?
It's just researching, it's a part of hacking
Lmao I found other CVEs but they didn't ask me for one, they wanted a specific one 😭
Thanks for that one lol
hey i'm on this : Hacker of the Hill #1
Can someone help me ? 🤓
see pinned messages
ohh 27/02 ok ok sorry 🙂
@astral smelt it's not exploitdb lol I'm just gonna check the write up
It is on exploitdb
CVE is for the vulnerability
ExploitDB is a collection of exploits
Exploits will target a vulnerability (Or I believe sometimes a chain of separate vulns)
mmm ok that makes more sense. I was thinking at first that the CVE was the program itself lol appreciate that clear up
This room is good for you
https://tryhackme.com/room/introtoresearch
explaining what the CVE is, exploit-db is.
@rare dust sweet, I'll do that one next
Take a look at html source
hi
guys I'm doing the juice shop room
but I'm stuck in task 7 question number 2
when I use burp I don't have the parameter True-Client-IP
how can I edit the parameter?
Add it?
i did but it didn't work
What did you add, exactly?
True-Client-IP=<iframe src="javascript:alert(xss)">
I thought it was X-True-Client-IP?
And you used backticks rather than single quotes
I'd use single quotes because you're not templating
oh amma try now
no it didn't work
it keeps showing my ip address
can anyone help me with a question on cmess
why doesn't the reverse shell show up when I go to that directory? but when I go to the directory/myshell it works?
can anyone give me nudge on Lunizz CTF
Yes.
Lunizz CTF
can i dm you
on the Lunizz CTF --- is it normal to get root before user?
that is a ||rabbit hole||
stuck in Lunizz place, any hint?
There's normally an embargo on hints for new rooms
I would like to have a sanity check on Lunizz - can someone DM me please?
@normal tusk hi
We are stuck on the place question answer. Any help here?
Any hint on rooting lanizz CTF?
No - I am stuck before. Maybe in a rabbit hole.
Got shell as www-data. Any nudge on getting user and root?
@still coral hi could you please provide any hint.
The room is still under embargo (too new). No hints.
I think we are stuck at the same level😋
Got a shell too
I am on wifi hacking 101 task 2. I am not able to find the last 3 answers. I tried seeing aircrack-ng --help but I didn't get anything, or is it there and I am not able to find it? Can I get a hint?
You can get the answers with research and manuals
The room is under embargo, do not provide help or hints.
Ok sry
you mentioned in the hints help is it aircrack-ng --help
I've said this before and I will say it again
Try things
Lanniz?
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
was it for me
for the guys asking for Lunizz room
finally
ohh ok thanks
Not asking for the complete solution just asking the direction
same. no hints allowed during embargo
And the room is 79 days old more than a month
Okay
lunizz room less than a day old
That's when the room was created not released
Oh okay
Do not provide or ask for help or hints for Lunizz room until 27th Feb, 7pm (GMT).
Hello, I cannot find the answer for question 2 task 8 of the "nmap" room. I know why these scans are used but I can't find the answer in the form requested, Thanks.
It's in the last paragraph of the text
Thanks, I was writing bypass.
Hi! need some help please with Task4 (Exploiting SMB) of the Network Services Room
So, I manage to smb the machine, I get the id_rsa file to my local, change the permissions to 600 but then I can't understand what exactly I am required to do
Use the key to authenticate to the remote machine using SSH
thanks a lot @stuck fractal . Now I will research how to do that☺️
Can I ask someone about archangel task 2 please? I understand what I need to do but I can't pull it off
I can try to help. Feel free to DM me.
Go for it 🙂
I can't run commands, there must be a mysql column that controls the command executor? anyone know this?
Can't help for that room yet
see pinned post
Okie sorry
When can I submit my write up vid for the lunizz ctf room ?
See pins: Do not provide or ask for help or hints for Lunizz room until 27th Feb, 7pm (GMT).
Guess writeup can be provided then.
Preferably keep it unlisted until it's accepted on the room
But submit it whenever
It's not displayed until it's approved by the creator.
TIL: hydra on the command line without verbose output is ca. 3 times faster than the hydra X GUI with verbose logging 🙃 still, seeing "to do in 1806:33h" is a bad feeling and I don't know whether I'm on the correct path and should wait a bit or totally wrong direction, break it and look for some other way
how's everyone doing?
Hey guys, I am doing the Mr. Robot ctf: https://tryhackme.com/room/mrrobot
I have just a couple questions
- I found the admin dir.. ip/admin.. but it just continuously reloads. Bug or part of the ctf?
- In one of the video clips, it mentions whoismrrobot.com. Is this site actually part of the ctf? Ive been over there for hours messin around, but key one I found using dirb
It is not.
Don't attack that site
lol ok cause once that site led me to ecoin I was like man I should stop 😆
do you know if the /admin/index.html should be constantly glitching/reloading? or is that a bug?
I don't remember
I have no recollection of that happening. sounds like a glitch
ya I am thinking the same.
the hints seem to not make any sense lol or maybe im dumb
Hint2: White coloured font.. well on main page hella font is white lol
select all?
Hint3: check nmap.. but the ssh port is closed
me?
yes
idk what you mean by select all? lol my bad
for the white text on white background
hmmm white background
im sorry I am trying to remember where i have even seen one on this ctf lol its all black
let me go through all the commands again
I cannot access the admin page tho so if anything is there that will be tough lol but if thats part of the challenge, cool
yo room: lunizzctfnd question: "a folder shouldn't be.." I don't get this question
any help?
you know what, I found the solution, the answer was right in front of me for 20 mins, just couldn't see it because of the output format
The room is still under hints embargo, so we couldn't have helped you anyway.
Room: LFI Task 2 -- found the user's id_rsa file, and it appends it to the end of the webpage. Tried to copy the text into a blank file, and then chmod to 0600
based on what I'm finding on Google, it might be something with trying to copy & paste the key text?
That isn't an error really, it shouldn't stop you from logging in
I don't have a password though. I'm trying to use that id_rsa file for the login. Am I doing something dumb?
I'll clarify. It shouldn't stop you using the key to log in, seeing as you can get that error and succeed the login with the key.
Maybe try to crack with ssh2john
It's not asking for a passphrase
Therefore the key isn't passphrase protected.
Oh my bad
That message is just a warning. Usually it still lets you in. But you can check if there's extra line feed characters or something it doesn't like
sorry, was doing lunch... yeah, it's not letting me in with that. How do I know if there are characters it doesn't like?
That's what the invalid format means. Maybe you just need to clean it up. Check it with xxd command to see the details
Hello, I'm in the Network Services room task4 exploiting smb, I am on the server (question 4) but I don't know how to open the ./profile. Can somebody help me? Thanks
You don't want the profile file
How i am supposed to know "Who can we assume this profile folder belongs to?" ?
Hi I need a hint for the magician room i know the exploit which to use but it doesn't seem to work
Read the files
Folder != file.
Ok, thanks.
I don't know how to open the file, I'm trying and searching how to do it, but I can't open it?
Look into how to use smbclient
@stuck fractal I found a way to open the file but I don't know if it's the way that the room was waiting for?
You know, I have no idea what you're doing
So I can't tell you if what you're doing is right or not.
I just use "get" and open the file on my linux, I don't open it using the server command
That's fine
But is there another way to open the folder?
There's lots of ways to interact with an smb share.
smbclient is the one you're taught in the room, is it not?
I'm in the Linux challenges box and I'm having trouble trying to find flag 12. I've tried using the find command to find where the MOTDs are stored and going into the folder, but I haven't found flag12
Do not provide or ask for help or hints for REloaded room until 1st March, 7pm (GMT)
Anyone on "relevant" room? Stuck here, kind of hopelessly haha
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Hello! I think I'm writing in the correct channel. I have an issue with the solution of a XSS room, can I have some help please? thanks.
Thank you. I'm stuck trying to figure out what are the credentials in the smb for. Rdp doesn't seem to work (or I am doing something wrong), and IIS is only a screen
Relevant room
I haven't done the room but there's a glaringly obvious thing I'd do RN with IIS?
At first I discarded iis as irrelevant because there are no directories or anything special in it apart from the main screen
Ok ok, I'm barking at the wrong trees. Will try a different approach
excuse me, has anyone in the group solved all tasks of the hard HOTH room?
That room is still under a total hints embargo
So please do not ask for any help or hints
oh no, I'm not just asking for a hint, I had a problem: the room server is sometimes down, 3-5 min and I can access the link or anything. My network is OK. anyone with the same problems?
!vpnscript
tks bro
Please don't call me bro, it's uncomfortable because you don't know me.
tks 😄
If anybody has done Lunizz CTF, I would like to discuss the way they got root, coz I know for sure I used the unintended way for root, feel free to DM me for discussing the topic
is anybody solving simple ctf room
I don't understand how to find them using commands
What are you doing? & where are you stuck?
Same bro
I'm also curious about the intended way (horizontal privesc then to root)
Coz I got to root directly
I couldn't figure out the thing on 8080 hence I decided to jump directly to root using the unintended way but I would like to know about that way as well
I know about it but I can't go any further with that
If you did lunizz the unintended way, feel free to dm me and I will tell you what the intended way was
anyone??
May I?
Sure
guys I'm stuck at watcher room at task 3
the hint points to a file upload but there's no directory where I can upload files
so how can I exploit the ||LFI||?
I got a question for high level web pentesters
If it's not for a tryhackme room, it doesn't go in this channel
okay sorry
Is it already allowed to ask for hints for Lunizz?
May I dm?
sure
Since we can ask for hints on Lunizz ctf as of 4 minutes ago: I need one for the third question. I had a look at ||port 4444||, but it seems to be a rabbit hole. Then I found ||/whatever and /hidden||. The first one seems like a good way, but I can't figure out how to use it to get a shell or answer the question. I couldn't exploit the latter one so far... I also found the mysql and used it to fully use ||/whatever||
The answer for the 3rd question is in the shell..
A folder with a strange name that we never see usually
And for the mysql part....update query is needed to see a change in /whatever
Yeah I got that one, hoped to make that clear with the last sentence
Ahh...my bad
which room?
Can you please elaborate?
You need to update the column value
You have to update the db column value to get that code execution working
nice, I got it! Thanks for the help
the value in the table in the database is the lock that decides if you can use the website to run commands or not
you can see the website say something like mode:0 or similar.
you need that to be a 1 and that has to be changed in the db
Pretty much that
Heyyyyy about lunizz, where should I focus after getting shell as www-data
I did find something on internally hosted but I'm not sure how to proceed to mason or adam
I even tried completing the bcrypt script using rockyou.txt as the password
But the salt gen function made the hash and salt new everytime so ....
Idk what to do next
Linpeas showed sudo version but I'm assuming that's not the intended way
In bcrypt you can use a hash to get the salt, which was used for encryption.
Not encryption but ok
There was only salt in the script but ...
The "salt" in the script may be more than just the salt
I believe cyberchef has a parse bcrypt module that will extract the salt
There's a checkpwd function for the python module
Be aware that bcrypt is sloooooooooooow
Is that bcrypt crackable? I tried rockyou, base64 of rockyou, and even including the b' that gets added to the b64 with python str
Im running it
And ik its gonna crash because of some characters that can’t be converted to ascii 😂
Yeah i just skipped those
But the b64 ends up looking like b'abcd123' before being passed to bcrypt because it is converting bytes to str
It takes forever, the room testing team have been discussing it with the creator
about what?
Nothing now😂
I got root on that box, seemingly a totally different way
I'm just stuck on "hi adam, do you remember our place?"
I just don't understand what it's asking.
yeah it's in adam's home dir
Lunizz, Salt from existing hash + rockyou.txt is the good way?
I've got that running, doesn't seem to answer the question though 😦
i hate riddles
there's a link to click
yeah...
Can someone elaborate on the bcrypt
Can't get any further than looking at the damn script and not getting any further 😆
I dunno, I'm not getting anything after 100k passwords
Mines still running 😞
Good to know I had the right script for this Lunizz box... but it has to run for a couple hours and errors out
Errors out ... you mean the ascii conversion??
there is a string or two in rockyou that won't convert
so it runs for a bit and then can't go on
Skip them
😂
if cracking bcrypt was the intent, it fell flat on that task
10 mins is about all the time I want to spend iterating through rockyou
Its actually slooooow
yea, like 30H/s
But im gonna wait tho
do it...
Yup
I learned a ton about bcrypt and python
so, in that, I feel like it offered something
but I still don't know the PW
haha
🤣
I'm trying the top 100k rockyou passwords....it's slowwwwwwwwwwwwwwww
used iconv to strip out the bad characters so I hope it's not one of those
Same but I did the unintended way. Trying to do it properly doesn't work
Hey guys I am doing the Mr. Robot room and trying to crack the wp-login user name with hydra
can someone help me see what's wrong with this code?
hydra -L fsocity.dic -p test 10.10.103.0 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:F:Invalid username'
hydra runs, so I am guessing my issue is with the request
I found it lol I needed the redirect I guess in the request also
the script shows you the hash. Lookup how bcrypt works with python. Should be easy to add to the script and point it to a popular wordlist. Hope this helps.
currently in the linux challenges room. having trouble finding flag 4. the hint says "crontabs". I googled where cronjobs were created and everywhere says crontabs. I did try and check other directories but kept running into permission denied
OWASP Top 10 | Challenge Broken Auth | Performed the " darren" user registration. Logged in with that user. All I see is "You need to login with specific account to be able to find the flag." Entered that as the flag and no luck. Went into dev tools posted the cookie value that was created into flag. No luck with that. This is a beginner challenge, so I am assuming I don't do a dirbuster or something to see if there are directories I should be going though. Any tips?
Can I get a nudge for question 1 on Investigating Windows 2.0?
Did you register with the quotes or without the quotes? @amber glacier
With double quotes
Do it without.
hahaha, I'm dumb
30 minutes I will never get back... Ha! Thank you for the assist.
Have you tried reversing the rockyou list? Maybe if it's really far down, swapping it backwards could help?
you need to base64 encode the pw first
I've repurposed the script given as a fuzzer, tested it against passwords picked from rockyou and encoded using the script to check it works, run the hash against rockyou with and without/n, the song lyrics in many forms and a lyric pass wordlist from all the band's songs, and still nothing!
luckily this room has another vuln
yeah I think a lot of us have rooted it, it's just trying to do it the intentional way 🤷♂️
has anyone asked the room creator?
Are we allowed to discuss Hacker of The Hill yet? Stuck on Task 5. Found flag for container 4, but absolutely no idea how to move forward from there to get the other flags
don't think so @pallid siren, the prizes haven't been announced yet, so I presume hints will come after that
Are we allowed to ask today?
I’m pretty sure the contest has been extended, so it’s still live. @steady stratus is that accurate?
btw, is asking if something in "Hacker of the Hill #1" is a rabbit hole allowed ?
I think is you have to ask, it’s a hint. Sorry man.
Keep at it though, I know you can get it 🙂
Yes I discussed it with him. Correct way is to use python to get the salt for the password hash (disguised as "salt" in the script) and then use that salt as input for a modified version of the script that loops over rockyou, base64 encode and hash each word + compare it to the one in "salt" (matching one is the password).
That's a great idea, but, alas, I did not.
HOTH has ended, happy to talk anyone through the way I rooted all three of the machines if people are curious!
I've also created my own script and am trying to bruteforce the password. I left the script running for more than an hour and still no password was found... Should it be this difficult? I've also implemented multi threading so it is checking around 4-7 passwords a second rather than 1 a second. Here is my script: https://pastebin.com/gffn51Np , I am not sure if I am allowed to share this... LOL
@steady stratus were we supposed to use that fake lfi as an oracle?
asking because I did
.. and still messing with it
though I also have other ideas
including a sneaky sqli
for medium?
hey guys..need some please!
how long does an nmap usually take for all the ports on the machine at -T4?
@storm venture not yet still trying hard 🙂
@storm venture could I pm?
I've looped over the first 100k words in rockyou and no dice
actually even knowing the password I can't get it to match the hash... is this a version problem? I mean encoding with the same python code, I get different hash (same salt, and all) ... or never mind- I know the place - pass may be different.
I'm assuming it's not the same user
Well I think it depends on how many ports are open
it took about 10min with 3 ports open
ok thats way too long I think, is your vpn ok? try going on 10.10.10.10
i'm connected to the browser and attacking a deployed machine in a room. I guess that's why it is so slow
Shouldn't be.
I used the -vv and stared at it. Without a -vv the white pointer just freezes.
I think that there is always a "\n" at the end of the string that gets hashed. I don't know if that makes a difference though.
I gave it another go. The first nmap found 3 open ports but apparently the question is expecting just one
i am on the anonymous room, i am stuck on question 4. i downloaded the files from the ftp server but i am not able to figure out how to continue. any help would be appreciated. i tried logging into smb as anonymous, it's asking for a password which i am not able to find
you can always put stuff in a ftp server 😄
i didnt get you sorry
can you explain a lil bit more
You can't 'always'. Super important to mention.
ah right . devil - in this box you can 🙂
maybe put your own malicious file in the ftp server using put file.txt
ohh ok
just make sure you are in the same directory where the mal file is stored
that's not a big deal, i can mention the dir name
thanks for your hint though
Hint : For those still working on Lunizz, YES, you can get ad**'s password from the bcrypt script and the popular wordlist. Here is what i did: i removed all special characters that did not convert to ASCII, all numbers-only passwords (because who does that?), all 6 characters or less (as a start, because of the first mysql password length, thought others will be long as well). This still took a long time but not as long as others.
Another Lunizz hint on that password: It's a plaintext for a known sha256 hash, so maybe skip all the other words in the wordlist and run against known sha256 hashes. My writeup is coming soon
what
Are you sure this is the password for this user and not the other one.
Yes, I guess is a pass but not for that hash 🙂
may I DM?
well, it was quicker to crack the $6 hash, but now i have a working script at least
Hi everyone. I'm working on the Windows Priv-Esc room by Tib3rius, and I'm stuck on Task 9. The walkthrough indicates that I could find a username and password from the command output, but I could only get a username.
how would you crack it? base64 encode all the passwords in rockyou and then use that as wordlist?
sure
pretty sure i just guessed that one, also helps that i had done this room before it https://tryhackme.com/room/windowsprivescarena
Do not provide or ask for help or hints for JPGChat room until 3rd March, 7pm (GMT)
are we allowed to ask for hints for h1 hard box now? 🙂
All hacker of the hill boxes are open for questions 🙂
ok, if anyone would be willing to help out with the h1 hard box and helping me towards the right path it would be highly appreciated, I'm struggling with container 1 and 3
@lethal ravine that suggests you have the container 2 flag?
so you're left with the privesc part?
you should have a foothold if you have 2nd flag .
yeah, ooh, you can actually privesc on that one? xD
I thought it was a dead end xD
thx then 😄
@lethal ravine maybe i am wrong because i had to get a shell from one place, and from there i did not switch any containers, just privesc and then all flags
ah, then you prob got container 1 I would assume?
maybe you can DM me and explain to me how you got the foothold for container 2, because as far as i know you can get only 2 footholds: one is container 4 and another is the rest, so container 4 is a dead end
Maybe DM me , we can talk better
sure, thx
Nope, i don't think so, i am doing password.rstrip() on line 17 so the \n gets stripped. Correct me if im wrong
Room?
https://tryhackme.com/room/introtoresearch task 2 question 5
so by "find command" you mean to find a specific word or phrase on a web page on your computer right?
Yes, if you press ctrl + f
looking for big chunk of hints of Hacker of the Hill
especially for the hard box. all feels so close but stuck there
May i DM someone for JPGChat room?
help and hints aren't allowed on that room until the 3rd of march, see the latest pin :)
any hints on lunizz yet? how do i install chisel on the remote without sudo perms?
yes but how do you install it without sudo perms? i have it on the box but now i need to install it. i tried git but permission denied, i tried tar and dpkg, again permission denied
the same with socat
or maybe i should be asking how do i port tunnel without the common binaries
ok again how do you get it to run once i get it on the remote???
mark it as executable and ./chisel or whatever you name it
bash: ./chisel: No such file or directory
Did you download latest release?
Onto your local machine?
Follow the README
yes i did but i gave up and just used curl to get root
What is the CVE for the 2020 Cross-Site Scripting (XSS) vulnerability found in WPForms?
I really don't know what to do here
Google mainly
You search for the keywords.
2020 Cross-Site Scripting (XSS) vulnerability found in WPForms can be shortened a whole lot, gets you better results
2020 xss WPForms
Can we talk about hackerofthehill now?
Excellent
doing the year of rabbit room and just hit the rick roll section
any hints on what i can do?
Listen to the video
Try burp with intercept on
i did that and heard the message...
Introductory researching task 3 question 3: I searched for it, I put it in the question slot but it does not work
So for the hard room, i found the login info in the api for one container. If i had root there, i could have rooted the host because the docker socket was exposed, but i only had davelarkin user. So I was trying to get in to the other sites. The one with the hills, i found the XML feed could list files in other directories, and i feel like i should have been able to get lfi somehow with the /view?image=... but i couldn't quite figure it out
thanks for the little hint
The shop page seemed to be requesting API endpoints with curl when you view products, so i thought maybe command injection, but it only accepted numbers for the product
Was i at least on the right track with some of these
ok so I thought that I found the answer to the: What is the very first CVE found in the VLC media player? but it says no
idk why
I have this right now
That aint the first
no?
I'm assuming that's the first in a list
ah
Go onto the site the room tells you about and look at CVEs for VLC
Sort by date/number
Try things. It's research. Keep looking until you find it.
That's how hacking works
Just keep trying stuff that seems like it'll take you in the right direction
ah ok I follow you now
does anyone have problems getting the persistent xss flag from the owasp juice shop room? i got the xss window to appear but the flag is nowhere to be found 😦
Didn't see that, sorry. Yes rstrip removes the white spaces like \n
hey, have you ever figured it out? i'm currently stuck there as well
any hints on room REloaded? I could not find the flag for the third task
I found the flag but not the instruction modified
but I think the embargo is until tonight
I just finished jpgchat room by myself, first room I completed 100% on my own 🙂
@simple mountain #room-hints message there is no Feb 29th this year 😉
what debugger (preferably free) would you recommend for windows for RE tasks like the REloaded room? Right now I use x64dbg but it is not that good at representing the code for easy navigation. Often I have to open Ghidra to get an understanding of where something happens in the code and then find the address of the instruction and use that to set the breakpoint in x64dbg. patching functionality needed
i did the whole room with ghidra
i didnt even run the programs, which get detected by windows defender by the way
ok
i just read the decompiled code
I tried finding the flag for the one with xor (was it task 4 maybe) but could not get to a point where I could get to the place where the EAX value was inserted
only one question i made an educated guess, which was the one about which instruction did you patch
yeah that one I guessed too from the usual suspects
no, 4 the program encrypts the string, but it is stored unencrypted, just a little bit backwards but anyway
oh to answer your question you could use cutter which is a GUI for radare2
very powerful
cool will check that out. I do like radare but keep forgetting many of the commands when it starts to get a bit more technical than the initial investigation steps etc
I used Cutter tbh
||but everything was in plaintext||
I'm pretty sure I did an unintended on task 3
what made it hard was the obfuscation, which wasn't so much obfuscation as it was clutter, just a heap of pointless functions
yeah it was a mess
Pretty much anything with a decent process map and you should be able to spot the relevant function to look at. I used ida FWIW.
i used ghidra as well, as @cedar axle . started with searching for references to printf and then jumping around in calls.
usually finding the right spot where things happens is not the problem for me. it was getting back to where the initial string is located.
when will the be writeups for HOTH be released?
look for the file that controls DNS resolution, if you don't know what that file is then you should be able to find out quickly with research
Ohh nice would love to read it, do lemme know if you release one
Also note that write-ups are reviewed by the room creator, prior to being approved and published in the room.
what's the best wordlist for cracking password on tryhackme? just to not using rockyou all the time..
grats on the green @storm venture
For lunizz CTF i'm using sudoers cve 😄
thanks sir ❤️ @ripe hedge
yup, it's the unintentional, although the intentional seems horrible so people will turn a blind eye 😉
hahaha thats right
Lunizz CTF is being revised.
what's that?
Yes, it should. the sudoers part must be changed immediately
I dunno I think I'm doing the crack correctly, but the top 200k in rockyou is giving nothing
that took 4 hours so I'm not trying more
When i was testing stuff i noticed the script casts the base64 output, which is bytes, to a string, so it ends up looking like b'asdf1234' and that's what gets passed to bcrypt
I don't know where to ask these kind of questions, but are unintended ways a reason to reject writeups?
since writeups are controlled by the room creator, it's ultimately up to them
Personally I wouldn't reject an unintended unless I'd patched it by that point, or the write-up for it was low quality
I discovered this recently unfortunately after my write up getting denied for the second time
I think the same. Ofc, it's up to the room dev to take the decision. But still, feels a lil unfair to reject the write up because of the unintended way :/
If the writeup doesn't reflect the current state of the box, I don't see much of a reason to accept it.
for lunizz ctf,
script + rockyou -> use encode('ascii', errors='ignore') to avoid break process by non-convertable charts
I'm cracking now. Estimated 12 hours
Anyone with a video card want to team up to crack this bcrypt
It is like ||7200000 +||
Ok thanks I'm trying to skip then
Anyone can give me a room hint for WireShark 101 - Task 7 - Question: What 4 packets are Reply packets?
SYN-ACK
Will have a relook
Break it down reply / request
Whats sent and received
Thanks py120, I figured out.
Nice gg
hey i cracked the lunizz password!
That was way too much though. I feel like hashes shouldn't be that hard unless the room was like about hashcat or something and came with a disclaimer that you need a video card and several hours
Yep. It breaks the THM password cracking/brute force policy.
hey can anyone help me with hacker of the hill easy machine
did you do a nmap scan ? @clear violet
I tried for about 5 hours using 1080 ti. I gave up.
@white owl did you use hashcat ? or you wrote a custom script ?
I used a script to convert rockyou to b64 lines, then ran that through hashcat
That would take 12 hours, but @crisp burrow recommended skipping a bunch
Also the base64 lines need to be surrounded by b' ... '
hmmm it didn't work for me
the bcrypt generated by that script was not "cracked" by hashcat after 13h
I would suggest another way to get the password. Get root via the unintended way. Get the hash from the shadow file then use hashcat. It takes less time lol, then start again, go by the intended way. I might sound silly tho.
Ask your question..
oh bloody heck that's why that didn't work for me
I wasn't able to crack the shadow though either
unless the actual password is b'base64'
apparently the password is halfway through rockyou @ripe hedge
it took 12 hours to crack
...
I presume that was threaded
yeah that's not allowed
yeah...
well
about 14 hours on my gpu...
damn...
that's just calculating
about three weeks on my laptop
GPU was about 140 H/s
CPU was getting about 14
yeah ok nearly 6 days on CPU
if you really want to bruteforce bcrypt with rockyou, you keep it in the top 1000
or bottom 1000 if you want to troll
glad that sudo was vulnerable then
how did that room get accepted, i thought there was a policy for brute forcing of 5 minutes
There is. It's been discussed by the room testers.
if there was a question in the room about the actual password, then we would have had a hint on the length and this could strongly limit the length of the rockyou list
but it was fun (read: frustrating) to crack the password 😛
guys can i get a hint on how to get root in watcher
i ran linpeas and found nothing
what user are you on?
there's no SUID or cronjob obv
will
id might help
he's in the admin group but i thiiiiiiiiink /var/log contains nothing
is it about lxd?
cuz lxd doesn't work on my laptop
The lxd alpine privesc is kinda broken RN because of mirrors
I don't think he has lxd access anyways?
but it's not lxd
but you can probably find a few things lying around outside the logs
i thought i did sth wrong with it
Yeah take the base64 of the password and surround with b'...'
If you copy the script and make it step through the file it should do that
yeah I was running it though with a subset
but I just base64'd using bash and tried hashcat on that
I learned how to parse text files with weird chars in them in python though, so it wasn't a wasted exercise
thx
i finally found it , ||it was in a whole different directory lol ||
told you you could find it!
thx man
(I hope you used find though)
I mean random directory trolling would have worked...
I always check /opt these days
bloody ctfs always hiding stuff in there
yup true
i think i need to get used to it
Check backups
thanks bro i just solved it
hahahahahah true
still I didn't crack this pwd! LoL
Lunizz?
1h max could be still ok .. but more than that I lose interest for a ctf
and how would you explain 12h bcrypt ? 😄
That it slipped past the tester?
I think even the Crack the hash had something for bcrypt for 5h
That was way before the rule was implemented, and you can cut the time down by a crazy amount because you know the length.
ok it makes sense, I didn't know the rule was a new one 🙂
I thought it was always like that
Crack the hash is one of the oldest rooms on the platform
yes but I believe that whole scope is to learn how to use the tools or write a script to crack the hash not spending hours waiting for the execution.. I might be wrong of course. 🙂
Netcat is a basic tool used to manually send and receive network requests.
What command would you use to start netcat in listen mode, using port 12345?
I type -l and it does not work
after: man netcat
What doesn't work? Where did you type that?
Yes
I think lol
@lime violet Please do not post answers
That 100% defeats the purpose of giving hints, and I'd count it as cheating.
Apologies didn't realize that was considered an answer
Ok so what's next?
What command would you use to start netcat in listen mode, using port 12345? The full command for it
and you'll be using nc not netcat
and do I write this here?
Write what where?
because I cannot write in this orange text
ok so you know that you do "man nc"?
and then it shows a bunch of things
do you write in this or do you write in a clear editor
Why are you trying to write things?
like the code
What?
I am so confused xDD
He means the command
ok let's restart
so first I type "man nc"
and then it shows all the commands for nc
and it shows that "-l" is the command for it
and I know that the port is 12345
-l listen mode, for inbound connects
nc -l ** 12345
ok I am missing something in the answer
Not the command.
It's the option or flag to use listen mode
oh so it's not -l?
I didn't say that
But using the right words is super super important in hacking
Correct
nc is netcat, -l is one switch and 12345 is the port
You're so close lol
lol
So you need a flag that allows you to specify the port for listening
When you're connecting out (not listening) you don't specify a port
But when you're listening, you need to specify the port
ok so I know that it is - and then a letter but I just need to find which one
What does the manual say
-c string specify shell commands to exec after connect (use with caution). The string is passed to /bin/sh -c for execution. See the -e option if you don't have a working /bin/sh (Note that POSIX-conformant system must have one).
-e filename specify filename to exec after connect (use with caution). See the -c option for enhanced functionality.
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h display help
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number (port numbers can be individual or ranges: lo-hi [inclusive])
-q seconds after EOF on stdin, wait the specified number of seconds and then quit. If seconds is negative, wait forever.
-b allow UDP broadcasts
-r randomize local and remote ports
-s addr local source address
-t enable telnet negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
-T type set TOS flag (type may be one of "Minimize-Delay", "Maximize-Throughput", "Maximize-Re
it's not -i secs that I know
Lol its there I see it
I see it there.
ok, when trying to ssh to a room it doesn't give me a username or password, but i do have the ip. what do i do in order to connect to it?
So, can we get any hints for Hacker of the Hill yet?
Please don't ask the same question across multiple channels like that
@steady stratus looks like the competition for hacker of the hill has ended. So will it be okay to publish the writeup for the room?
you can make writeups aye but we're very likely not to be accepting any that get submitted onto the room/site (as the boxes are in koth)
take that with a slight pinch of salt and I'd have to ask one of the owners about whether or not we accept them because of the fact it's also koth machines
I mean you can also make writeups for koth boxes thinking about it
I'll ask an owner tomorrow to get a better stance on approaching that one @serene flax
So I can go ahead and publish my writeup, right? @steady stratus
You can write it up just follow the normal rules with writeups
I just can't guarantee it'll be accepted as a writeup on the room itself if you were to submit it on there is all atm (:
sure. I will just post it on my website then
👍 ace I mean once a get the site owners stance I'll let you know but that won't be for a little while as it's 03:20 for them 😛
Please share your writeups once they have been accepted to the room you're covering.
i.e. wait it out a little bit (:
okay. will do that. thanks 🙂
They are not allowed.
Hii (: yes feel free to submit your HOTH writeup to the room on TryHackMe and me/we'll review it. You should only post it in #thm-community-media once it's been approved on the site however (:
Submitted the writeup. Thanks 🙂
I'll have a read (:
tbf I'd like to know what the intended for Medium was
||i think shell from command injection, find kerberoastable user and getting the hash for achilles user and cracking the hash|| @ripe hedge
I brute forced rdp
with achilles
but was it intentional that achilles had admin rights?
because that made the box laughably easy
that user was kerberoastable and for us to crack that hash, the password must be in rockyou
it would be a little difficult if the password was at middle or end of the rockyou file
not really, NTLM is stupidly easy to crack
I also got the password by bruteforcing the smb
well you directly bruteforced the rdp, right? without having a shell
yeah