#room-hints

I'd guess 80, 8080, and 8888 in that order off the top of my head

How are you searching for it on Shodan?

Shodan might say otherwise

One of those 3 are right.

server:nginx

8000 is also common

Take away "server:"

Just type nginx and search.

Just nginx should be enough

they seem to match

it worked thanks

Oh yeah 443

Uhh, might want to hide those answers

How is 8081 more popular then 8080?

Who are these monsters?

That's what I thought when I did it. haha.

it is under the spoiler tag, but just to prove that the answer matched, i can just delete it

And 5000?! Why?

Some people want to watch the world burn.

Looks like there's a lot of synology stuff which defaults to 5000

What is meant with account status?

Windows fundamentals 1

Use lusrmgr.msc

That was for you.

Yes I am inside the menu but cant really find anywhere which displays status of the account

Ok, I'mma boot up

Look closer, there is something about account status

right click and hit properties when you're highlighting guest

That is what I did but still having a hard time to find the answer

It is probably right infront of my eyes but cant see it

ah wait

got it

😄

Starting TryHackMe with Buffer Overflow Prep. I’ve already noticed one of the ruby scripts it mentions for generating a length string, is not included in the snapshot (usr/share/metasploit-framework/tools/exploit/pattern_create.rb). Additionally, the stated length 600 for crashing the first program is not sufficient, and 2000 characters are required.

I can understand if the snapshot is accidentally missing the appropriate ruby script, but to state the incorrect length for the buffer overflow on the very first challenge in an easy series for buffer overflows just seems cruel 😔

#room-bugs if you think it's an issue with the room

Cheers, I'll take a look.

.

CVE-XXXX-XXXX,CVE-XXXX-XXXXX,CVE-XXXX-XXXXX

Losing my mind on Task5 for https://tryhackme.com/room/googledorking
I had to re-read the prompt many times but I'm fairly confident it's aksing for a ||5-letter|| ||google dork|| keyword... right?
or is it ||4 letters + :||

Yep - thanks for the confirmation - but I've still tried every keyword I could find 🤦‍♂️
it's case-insensitive, right?

I think you misunderstand the question, because the answer is not a google dork keyword.

what keyword, then..?
tried all ||the 5-letter codes from the sitemap.xml||
with and without ||'<' '>'||

got it. 😓

(It normal that I can't react to posts? Is that blocked unless I boost??)

Has anyone completed the pyramid of pain room? I am stuck on the very last task and I can't tell what is wrong. I am basically matching the answers to the tasks. but it doesn't make a difference.

https://tryhackme.com/room/xssgi i think this last task is broken (Task 8), I'm not getting any staff session token, i've waited for hours , tried different hook method and all i can get is my own cookie.

Use NC and the attackbox.

Anyone can give me a hint in: https://tryhackme.com/room/wonderland

Here is where I'm at: || I managed to enumerate the webserver and found alice's ssh creds. After enumerating the machine for a bit I found that alice has perms to run walrus_and_the_carpenter.py as rabbit. However I'm stuck on understanding how I can exploit this. Should I try a different vector of attack? or is this the way to go? ||

nvm, managed to solved it, I didn't notice a very important fact

what does that means?

DM me if you want to go in more depth on this stuff

Shouldn't share text or pics with answers in public channels 😜

Anyone doing the tech support room?

I got a shell but I can't elevate to root, any tips?

Hi I am in the room in Living off the land and struggling to get right answers in file operations section tried running every command still wrong , can anyone help me out in this
I am struggling in all 2 questions for the right answers

#964586054327873717 there's a couple of hints there already :)

after search the cve in metasploit on nax i got ||exploit/linux/http/nagios_xi_authenticated_rce|| but it says its incorrect

a good idea, is matching the number of characters and trying other possible exploits listed in msfconsole

i think it could be my msf version too bc in the hints it says use 6+

i updated metasploit and it worked

Any hint for room ccpentesting, on task 24 find hidden dir

doing Holo live, i have to the admin password, but its not working to admin portal... does anyone face the same issue... whats the workaround or fix for it ?

k, as i was sayin on general

i have a problem with q4

idk how to acces

like, i acces framework changelog but, i dont find the zip file

can you link the room :)

how?

share the room link?

https://tryhackme.com/room/walkinganapplication

this?

yeh

kay

yeh, so basically follow the instructions in the room and you'll find it

like i said, i followed the instructions but, nothing, im stuck

If you read the documentation bit, you'll see a file mentioned in version 1.3

XDDD, yeah, i just saw it, im stupid, sorry

so I'm in the "Uploading Vulnerabilities" rm, task 7 and none of my uploads are going thru

can't even upload a regular PNG file

yes

trying to use method 3

I'm getting a "File sucessfully uploaded" message

and if you look at the filter script its says PNG, not JPEG as in the example

it sounds like you haven't actually done the room yourself

thanks

How dare you give advice when you haven't done the room.

not trying to be rude but when you ask me if I've read the task text...lol

BTW.

Have you tried uploading a jpg/jpeg?

yes, it says "invalid file type"

Have you edited the hex?

if you look at the filter script it's looking for a PNG file

Is it?

I mean, you're right, there is a p in the extension...

lol

I still have my rev shell from that room.

And that screenshot is lifted straight from the task 😂

thank you lassi

@lucid junco
if (file.type != "image/png"){
upload.value = "";
uploadMsg.style = "display:none;";
error();

that's from the script on the actual page

not the example

Are you doing it on demo.uploadvulns

or Java.uploadvulns.thm ?

jave

java.uploadvulns.thm

!docs verify

oops. Ok, so I'm uploading a shell with a .png extension

and then in Burp I'm changing it back to .php

but even I try to upload a legit .png file it still doesn't show up in the /images folder

HTTP/1.1 302 Found

Server: nginx/1.14.0 (Ubuntu)

Date: Mon, 18 Apr 2022 21:54:00 GMT

Content-Type: text/html; cherset=utf-8;charset=UTF-8

Content-Length: 1221

Connection: close

location: /?submit=success

Front-End-Https: on

<!DOCTYPE html>
<html>
<head>
<title>Java!</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico">
<link rel="stylesheet" type="text/css" href="assets/css/style.css">
<link rel="stylesheet" type="text/css" href="assets/css/icons.css">
<link rel="stylesheet" type="text/css" href="assets/css/indieflower.css">
<script src="assets/js/jquery-3.5.1.min.js"></script>
<script src="assets/js/script.js"></script>
<script src="assets/js/firstload.js"></script>

    <script src="assets/js/client-side-filter.js"></script>
    
</head>
<body>
    <main>
        <div id="maintext">
            <h1>Café<span id=mug> S </span>Java!</h1>
            <button class="Btn" id="uploadBtn">Select File</button>
            <form method="post" enctype="multipart/form-data">
                <input type="file" name="fileToUpload" id="fileSelect" style="display:none">
                <input class="Btn" type="submit" value="Upload" name="submit" id="submitBtn">
            </form>
            <p style="display:none;" id="errorMsg">Invalid File Type</p>
            <p style="display:none;" id="uploadtext"></p>
            <p class="responseMsg" style="display:none;" ></p>
        </div>
    </main>
</body>

</html>

ah

I was looking in /assets/images/

oof

welp. I really appreciate the help

and also letting me know how to get verified

all right, well...off I go then . Have a great day @burnt rivet

https://tryhackme.com/room/linuxfundamentalspart3

Task 4 - I'm so confused here. When I run the http.server it's configured for 0.0.0.0 and then when I follow on and try to download the file I get a 404 error

!docs verify

Please follow those steps to verify with the bot, and then you can send a screenshot of what you're doing

It makes it a lot easier to spot what's going wrong

ok thanks

You need to set up the python serve first.

Then use Wget

I've SSHd as directed and then gone into the home directory. I have set up the python server as directed

Open a new terminal

And don't ssh in.

just use wget etc

It worked for me earlier.

Both attackbox and VM.

I've been trying for an hour

Now, use Python 3's "HTTPServer" module to start a web server in the home directory of the "tryhackme" user on the deployed instance.

so that doesn't mean make sure you're in the home directory?

sorry I don't get what you mean...

but aren;t I just doing what it says? I'm in the home directory of tryhackme user

I still don't understand lol

but that's not what the task says

if it had said find the file and then start the web server and then download it I'd know the directory to be in cos we establish you need to know the exact location

I get what you mean but I also think it's a bit ambiguous

but ok

thanks

oh I must have done cd ..

which then put me in the home and not the home/tryhackme

ok thank you

trouble using hashcat

hey in tryhackme it says there must bu a flash.min.js file

but in website there isn't

whats the problem

what room is this?

WEB - Walking an Application

.

i just check it

did you try reload the page with open debugger?

.

I just tried again but its not working

I mean is there a difference between open debugger and debugger ?

ig no, but it should work

ah man okay I understood, I have done this in Contact page it worked

thank you

did you visit /contact tab?

ahahhahah

yeah thats the thing

nice

thanks @woven token

Gave +1 Rep to @woven token

good luck

you too man

does someone knows why it doesn't spawn the reverse shell even does it injects the payload?

i have my listener but it doesn't get any connection

most likely that exploit need to be run with python2

already tried it with python2.7

what is the room name?

Plotted-EMR

are you sure this is correct exploit for it? @fickle thistle

yes i even checked different ones and saw the walkthroughs to confirm and they use the same one

did you found ||/management|| directory?

all i can remember from that room, i didn't even use any exploits to get a shell

it wasn't necessary || you're supposed to create a new page on the /portal/admin.php and it has a remote code execution vulnerability ||

i may well just see if i can create another PoC

i see, well sorry for not helping you on this one, i guess you need to ||try harder|| then

good luck

i will check the source code of the python script and see where the vulnerability is located and see if i can do it manually

Hi , im doing https://tryhackme.com/room/adana
im where i need to use sucrack to bruteforce hakanbey user ,i used the wordlist from the subdomain folder in task-1 ,and i modified it with every line start with 123...
no results at all ..

Add a bash -c before the oneliner

i need help

with task 1

i am not able to guess the cod

by using that tool

i solved the issue,|| i had to modify the python script and change the name of the site of the new site i created i also modified the cmd in the script to directly give me the reverse shell||

cool

@woven token this was what i did to solve it

now you can read how people found another way to get web low priv shelll

Hi
I'm stuck!
room: room/techsupp0rt1
I need just a hint
I'm sure I did everything right but got nothing
Maybe I missed something, so I need ur help!

There would be a dedicated channel for that room #964586054327873717

yeh, there's also other hints in that chat :)

I am struggling with the file inclusion room, challenge 3.

Been tinkering around on Burpsuite for hours and nothing works.

No flags

I hate that I can't share images lmfao

Woot!

Damn it, I didn't edit the IP properly. Whatevs

And then I get this and I want to cry lmfao

Post is working!

It worked fine through curl.

Weird, the curl one does not mention "file name" or anything like that.

I did this and boom, instant results.

Got it.

How can I get more points then the task allows? For example in the room Pickle Rick. 🤔 With 3 Questions answered u'd only get 90 points, but on the Scoreboard some have got 240 pts

ah, okay. Thanks. That was driving me nuts, searching for hidden dragons 😄

Gave +1 Rep to @burnt rivet

How can I give rep to @burnt rivet ?

Thanks!

sigh

Thanks.

smh

Thanks!

Gave +1 Rep to @burnt rivet

There we go. I am so tired.

did you found the flag?

Yep

I was this close to getting stuck on the very last XSS one, got the cookies, decoded it, didn't work. Apparently there's a bug?

Makes sense.

oh so you already passed the lfi of the burp screenshot you sent

I did. I wasn't the only one who was wondering what happened.

Hello can i please get help with Linux Fundamentals Part 3 task 6 q2

im real confused at what its asking

Have you opened the crontab?

yes

@reboot /var/opt/processes.sh

There you go.

thats the only proccess

but the answer isnt reboot

It is.

oh ffs its @rebot

But with something added.

😄

@reboot

god dammit

https://tenor.com/view/jensen-ackles-pointing-smiling-supernatural-dean-winchester-gif-13153687

Hello im on task 6 in linux privilege escalation room and im supposed to use one of the services listed by sudo -l to gain a root shell. I am confused on how these services can give me a root shell/ what to do

I went on gtfobins and almost all of them have the 'sudo' functtion

Well, those services are running with root privileges so anything you run wit them runs as root giving you root on the machine

wait so the point isnt to be able to run other commands as root?

besides the ones listed there?

in task 6 it doesnt ask to read any files, it simply asks to gain a root shell

dont think so

https://tryhackme.com/room/linuxprivesc

Oh there different

is the one im doing old? should i rather do the new one?

ok ill do both

so if youre saying i can read/write, would i use it to edit the files in one of these ?

I am, its open

oh shxt you can click on them

😂

thanks @burnt rivet

Gave +1 Rep to @burnt rivet

someone have a link or something for hacker forum in deep web?

only for watch if programming and hacking is right for me

but is a fee site

if i want to learn i would to pay

!docs free-path

Outdated a bit but still a nice resource

for real, i want to try for play my city hall site, just for funny and try myself

hack*

okok i just joke

no snitch what do you do ro

someone know terminal-comand for mac ?

🤔

-warn @real kelp We are not helping you to hack anything illegally. That's a quick way to get yourself put in prison, and it's not something that we will condone in here, on grounds of both ethics and legality.
Equally, if you see making a moderator aware of someone causing trouble as "snitching" then I suggest you leave -- we have no time for miscreants or idiots.
If this happens again it will escalate to a ban :)

⚠ Warned rednail#2314

But the "snitching" part was said by another guy, not the one who got the warning

No, click on the name of the warning and the person who said it, it's correct

Oh they changed it

@cedar anvil the heck are you on about?

Gotta love the cache, dontcha

cache this

cache that

cache these hands

I went to an internet cafe the other day, they declined my card, said it was cache only.

I'll see myself out.

Thank you @inland onyx

Gave +1 Rep to @inland onyx

o7

dad jokes

Packets & Frames task 6: Terminate the static site lab deployed in tasks 3 and 5. What to do?

Oh

That isn’t too difficult

could I get some help with the reverse engineering rooms

https://tryhackme.com/room/reverseengineering

I don't know how to preoceed

Which task are you on?

i am stuck on first one

For Reverse engineering?

In terminal where you have the file file downloaded, strings *filename

Hi, Can i get some help on https://tryhackme.com/room/nahamstore blind XXE vulnerability. I am using 230-OOB, but not getting any outputs on my host

Hi, I'm currently doing room/networkservices "Enumerating SMB" For the challenge 1 it says "Conduct an nmap scan of your choosing, How many ports are open?" which I'm not really sure what they are asking me to do ..? Am I suppose to port scan of my choosing ( so any ip / website ? ) But won't that mean the number of open port might be different by my choosing ?

Thanks for the clarification ! Seems like I totally misunderstood the question ...

Gave +1 Rep to @burnt rivet

With "nmap scan of your choosing", it probably means the different scan techniques nmap is able to perform. I suggest reading the "Port Scanning Techniques" section : https://linux.die.net/man/1/nmap

Ah okay. That's another thing I misread

• nmap scan of your choosing --> Choose Port Scanning Techniques

• where to scan --> The ip provided on the top page.

Im in the network services room and I'm stuck on the question "What variant of FTP is running on it? "

where did they mention the variants, my guess would have been ftp and ftps - but the answer's longer than that

ok got it I turned on -A switch

-A is pretty much an overkill, you could have got the same result with doing a service/version scan on the open ports you found 🙂

I used: nmap -p 21 -A -vv IP, since I knew the port I was looking for, it was quick. But in a real scenario where I don't have the informaion like this, your suggestion is much better. Thanks

Hello

How are you doing boss

Hello.
I am doing room "Phishing Emails 1" task 6 "Enter the defanged URL".
I did follow a video tutorial to find out how to do it, but when I put the answer it tells me it's wrong.

An error on my part or on the page?

Yes boss

Can I Dm you or I should ask here boss

Ok sir

Lol 😂

Ok

I’m doing madeyes-castle room right nw

I found a login page which is vuln to sqli injection

Have tried so many sqli injection to bypass it but nothing still yet

!docs

!docs verify

Ok 👌

Thanks 🙏🏾 so much

OK, I'll start again 😉

I tried again, but it gives me the same result.

I found the correct URL. Thanks for the help

Gave +1 Rep to @burnt rivet

Anyone did battery here?

Lol

Anyone did battery here and can give me a hint on where to look, am logged in and testing for exploits but cant find an exploit

first time i write a writeup on github
https://github.com/a-nonymou-s/Agent-Sudo

Have you tried looking at the responses you get using burp or zap?

Yes, but not in depth, just a quick glance, I'll look at it more in depth

hey

anyone

i need help in burp suite room

Finally, click 'Start attack'. What is the first payload that returns a 200 status code, showing that we have successfully bypassed authentication?

i founf the ans as :a’ or 1=1—

but it says it wrong someone help

Uh-oh! Your answer is incorrect.

what to do

i cross cheched with several walkthroughs also the ans is crt but its not accepting

That last few characters look like they've been modified by a text editor or website

Did you copy it from somewhere that wasn't burp suite?

@stuck fractal i'm here now thanks a lot sorry for the confssion

Gave +1 Rep to @stuck fractal

Ok, and now please ask your question here

alright

What optional argument can the ftp-anon.nse script take?

i'm having an issue with the answer

it says that it's not correct but i'm pretty sure it is

can i type the answer i'm suspecting here?

#room-help would be more appropriate

Seeing as you've checked the writeups

alright

"easyctf" seems to have a problem with the exploit. If someone know why i have this problem ? It's about the
exploit : CMS Made Simple < 2.2.10 - SQL Injection

If you can give me an answer via private message plz

Just google that error and you'll find a fix quickly 🙂

ok thx ^^

you just didn't install requirements(exploits and tools usually come with file called requirements.txt, in this case you didn't have "requests" module installed). It clearly says "Import Error: No module named requests". Before you get into any exploitation, exploit modification and writing I recommend you to learn core python(and some important modules like requests, socket, etc...) so you can modify, debug and write exploits. I also recommend you to learn some C/C++, since some exploits are written in C/C++, especially kernel exploits and some low level exploits. You will also need it for reverse engineering(assembly too). IT IS REALLY IMPORTANT TO HAVE GOOD PROGRAMMING BASE FOR HACKING.

is it just me or does the owasp top 10 room have way harder questions then the rest so far in beginner pathway

Probably not just you. The OWASP top 10 room is designed to showcase each vulnerability within a task or so. Just enough information to get a grasp of what the vulnerability is and practice it.

The rooms in the beginner pathways (and other pathways for that fact) have a room dedicated to each topic - so are much more in-depth

Hello

hi guys, i was wondering if anyone has solved the brooklyn granny granny steganography challenge.

Wat?

brooklyn nine nine sorry I forgot to rewrite

In brooklyn nine nine CTF there is a picture with hidden message but I couldn't find the message

Did you use steghide?

yes I did but I didn't find anything

let me write some tool I used

Did you figure it out?

Possibly could be a passphrase for the stevhide

steghide, strings, binwalk,stegoveritas, base64 and some scripts also try to open with some other tools

probably

Have you finished the ctf? I might have a go at it today and if i get it, ill hint you

yes the CTF was too easy but I can't figure out the steganography

Did the ctf require using steg?

I suggest checking out stegseek, it can brute-force the passphrase. Also if i remember correctly it is possible to complete that room without the steganography if you wish to do it that way.

Ill check out stegseek, thanks mate didnt know of that one

Gave +1 Rep to @vague pine

thanks

Gave +1 Rep to @vague pine

no you do not need to solve the steganography for the CTF

I finished the Brooklyn 99 CTF is 10 minutes, super duper easy but I couldnt get the steg, kept saying that the output was corrupted

i'm in the owasp room and doing [Severity 5] Broken Access Control (IDOR Challenge), but i don't really see here what should i do exactly to get the flag

should i change the url and walk up till i find the flag?

i think burp can help me in it if i'm right

in tryhackme/room/tutorial, when I try to paste the IP that it gave me in a different tab, it says that it takes too long to respond

attackbox

OH I FIXED IT

I did this

lol stupid mistake

Also

II don't know the correct help channel for this

so how do I stop the machine?>

I pressed terminate

but it still shows

oh

ok

I meant the attackbox but I did it I saw the button down that said terminate

after an hour's worth of attacking i found the flag...

thank you 🙂

i wanted to ask help but i stumbled upon the solution

windows internals task 5 question 2, im looking at the base address in procmon but the answer is wrong has anyone figured thisone out

I am in the walkinganaplication room. In task 3 I am viewing the page source. They want to know the flag from the HTML comment, and the hint is to go to the link mentioned in the comment. There is no link in the comment! The comment just says <!--
This page is temporary while we work on the new homepage @ /new-home-beta
-->

Ok, there's a path. Did you go to that path?

What do you mean by a path? (I'm new to this, just started 4 days ago)

new-home-beta. How do I go to that?

I don't know. I can't get the machine to connect to the site. I tried restarting it a couple times, and I am using the web-based Kali machine in my area (US-East-Regular-1).

You need to start the machine.

Lab_web_url won't work.

How many times do I need to start it before it works?

Just the once, there is a timer.

Are you on task one?

I did all the tasks, but could not solve tasks 3 and 6 so now I am trying again. Are you referring to this button?

No, you're looking for the "start machine one"

You'll need to start that button in every room there is one, to interact with that machine.

Sometimes it shows a split screen and I can see that button. Now the instructions are taking up the entire screen. How do I split it again?

You're using the attackbox?

It always switches back to that, and I try to remember to change it back to Kali before I start.

The kali web box is out dated, I wouldn't use it.

Oh, I thought attackbox was the free one, and it was better to use Kali.

Kali is best used as a VM on your host machine, OR using it as your host OS.

Attackbox is Ubuntu.

Still good if you can't get a VM on your system.

Using that will pop out the attackbox to a new tab in full screen mode.

pressing the - beside the shut down icon will *exit split view

Got it. I had been doing that when the machine was running and forgot that it needs to be fully running before seeing those options again.

Can you explain a little more? Kali is best used as a VM on your host machine, OR using it as your host OS.
Attackbox is Ubuntu.
Still good if you can't get a VM on your system.

I thought that as a paid subscriber it was best to access it using the browser.

It's preference, you can do it in the attackbox just fine, and I think I remember Tim saying that all the stuff should work on attackbox.

I'd rather use a virtual machine because I use it for other things also, if you're new to VM's it's just like having an OS in an application.

attackbox is ubuntu isn't really relevant, but it was just to show it was still linux *apolgies if you knew that.

still good if you can't get a VM, I'm not saying attackbox is bad, it's just I know some people prefer having the VM for same reason as myself, it's theirs.

Also with the attackbox it will revert back to the state you booted it up in, so if you mess anything (you can't important stuff) you'll be able to terminate the box and redeploy and it will be like you never done it

When you say a VM, do you mean using my local installation of VMware?

I thought all of this stuff was using VMs.

They're all VM's but they're not stored on your computer.

unlike your own vm which is.

wither it be Vmware or Virtualbox based.

Same problem now

Go down a little bit.

After two minutes it changes.

https://10-10-164-32.p.thmlabs.com/

That should be yours.

Thanks! Its working now. I didn't realize that there were 2 separate times I needed to wait 2 minutes. I thought that I had already done that.

So are you saying I can somehow run these machines on my own software like VMware or Virtualbox?

I use Kali Linux on Vmware, it's just like you see on the attackbox.

Any machines you need to interact with I use the ip address

How do you connect it to tryhackme's network? They look like local addresses.

Via vpn

https://tryhackme.com/room/openvpn

Thanks. Are the machines more responsive using a VM with VPN than using the browser? With the browser they are kind of slow even though I am using a machine in my area (US-east).

like Firefox opening when I click on it, as opposed to waiting 15 seconds for it to open. Sometimes only the top of an image will be shown, and I have to refresh the page to see the whole thing.

Thanks for all your help! Getting back to the original question, how do I find new-home-beta?

I don't remember. The machine timed out on me because it wasn't responding to me clicking on add time.

I have to go now. Thanks so much! I will try again tomorrow.

network services exploiting smb. I got into the share folder but im trying to open the working from home.txt doc how do i do this? i dont think the machine im in is linux or windows i pulled up the help and cant find a command to allow me to open it

try get

i got NT_STATUS_OBJECT_NAME_NOT_FOUND

but i hit tab and it autofilled so the file exists

can you send a screenshot

did you use get home.txt

oh was i supposed to do get .profile?

Bro use ' becos it have spaces after each word

where do i put the '

Like 'Working from Home....'

Check if that works

ahh i tried that and it gave me 'Working error instead of rjust \working

oh it got rid of my slash

Did you try autocomplete feature??

auto complete only worked without the ' and it autofilled with spaces

Btw which room are you trying to solve?

this one

Lemme see my notes, just a minute

Use "Working from..."

ahh that worked ty, but now how do i veiw the contents?

Exit the smb and cat it

Cat *

ohhh so the get just downloads the files

Yeah

can I choose what directory get sends the files to?

TBH i dont have idea

But as per my obs the directory from which i get into smb, get command put into that dir

hi .. anybody can share a hint on task 6 in https://tryhackme.com/room/jvmreverseengineering feel like i spent way too much time on it already and still no luck ..

yeh, best to check the writeup cuz that part's way too advanced imo

i don't think there is one .. at least not on thm

Yes there is and on thm

Just click the cog/settings icon

dooh ... thanks for that 🙂

on the telnet room, i run the nmap and im not seeing where any possible username would be? i ran enum4linux and that didnt show anything either

nvm i got it,

hey guys i stuck at OWASP Top 10 room on task 11, it says i have to find the source code but i dont get it

Why, that's the issue with finding the source code? Just right click the page you are on and view it in inspector or the pure source code

this telnet room is gross

i have done that but idk, i will try it again

Look for comments on that page

i forgot to add the -c 1 to the ping command and broke it T_T

Then don't forget it next time 🙂

i had been trying this whole time figuring out how do i stop the ping and the only solution i was able to find is to just terminate the rooms and try again 😦

LOL my mistake was running a wrong machine XDD im so stupid anyways

Ye, for that task it probably is.
But shouldn't be a big deal, it's just waiting a couple of minutes until the target machine is back up

Well, running the wrong machine could lead to issues, right 😄

yeah its literally impossible finding the solution when running a wrong machine 😛

crap now im running into a new issue, the msfvenom command isnt working T_T

Best to show a screenshot, that's making things way easier

Look at the error, it seems to have something to do with the LPORT, then compare it to the command given in the task, it seems you have a typo there

welp

In case you didn't know, there is a copy paste clipboard in between the split view, which makes things way easier then to type everything on your own

that probably enough practice today if im making those types of mistakes

😮

how do I find a users shell

thank you im just not really sure how to read all this

Gave +1 Rep to @burnt rivet

thank you

ah the elusive /usr/sbin/nologin....

hi everyone. question - im on the intro to burpsuite module. on task 13 - it asks this:

but no machine is spawned or ip given

im an idiot

lol

i need a hint... room owasp top 10 task 16, how can i find the ssh key ?

It's where a user usually stores them 🙂

Got it! Thanks! Now I am trying to find the directory listing page. I looked all over for it and can't find it. Edit - found the answer here. #room-help message

Gave +1 Rep to @burnt rivet

There are 10,000 different combinations of codes we can enter. We could try increasing them one by one, 0001 then 0002, then 0003, but that will take forever.

Try inputting any random reset code.

someone help

Did you try putting in a random code?

Like pick a number and put that in.

no

oki

Well there's your problem

It tells you what to do, you need to read the instructions and follow them.

it incorrect :(

i did it

Ok, and keep reading.

oki

Use the BruteForce tool with a code min (1) and max (10,000) value.

@stuck fractal

what this mean

Look at what it says in the content

Read it

Take some time to understand it

DUDE

We cannot understand it for you, you have to read and understand yourself.

I TRIYING

Try more.

bruhhh

ok man

try smarter XD

you can do it

Lol

It will take work, but you need to put that work in

We cannot do the work for you, it's something you need to learn

bro im SO STUCK

and only you can put in that work.

IDK WHAT DO

Hacking isn't as easy as clicking a button that says hack

It's like exercise. If I exercise for you, you're not getting muscles.

Yes you do. You copy and pasted it, you just need to understand what it's telling you to do.

GOT IT

I DID IT

🥳

Code 0187 is correct!

lets goooo

See what happens when you put the work in?

Yea

i didnt see properly

like i didnt look properly

yeah, don't be afraid to take it slow. Slow sometimes let's you not skip stuff

And this is why you need to put the work in. You cannot give up as soon as you find it difficult.

it's probably one of the most common mistakes.. ppl skipping stuff and not reading carefully

Ok man

Yea 👍

anyone can help me at room owasp top 10 task 19 ? i can't find anything in source code

lol thx

hello

where can i start learning, anythin ?

like the basics

start with the pre security path on https://tryhackme.com

thank you

then continue with junior pentester

ok

which should get you very well into your ethical hacking journey

thanks a lot

no problem

ah found it xd

So I need help.

I am working on the OSWAP room and it asks me to go into a specific address.

But it won't load

SOS\

Are you connected to the VPN?

Yes

I am using the attackbox, as well.

How much time have you waited after the machine started ?

Haven't tried this on my Linux machine.

did you start the right machine?

Usually you should wait around 2min

Nevermind, I had the other machine from the exercise opened up.

Whoops!

Perfect then !

yeah happend to me too XD

Now it's loading. I am so tired lmfao

Have fun !

I'm on the attacking kerberos room (https://tryhackme.com/room/attackingkerberos) and having some trouble enumerating the users. Not sure why the Kerbrute tool isn't working or if the wordlist

the tool runs sucesffully but doesn't output any users?

not sure if i'm using the right word list but not even the default AD administrator account is popping up so not sure what's going wrong

Maybe the timeskew of your machine is not matching with the victim's

should that matter just for user enumeration? The tool is checking if the KDC responds back with pre-auth but it shouldn't be trying to de-crypt anything

this was nmap so i think the flag values should be accurate

did you add MACHINE_IP CONTROLLER.local to /etc/hosts

Ok I’m dumb lol

I admit the thought of how the tool was supposed to know which computer to attack crossed my mind

Missed the top part of the instructions lol

Thanks!

trying to run the http server to do escalation but im getting this error and not sure what to do

With python3, it's python -m http.server

With python2, it's python -m SimpleHTTPServer

ahh ty

i am here to ask for support again lol

i pulled and copied the id_rsa key and now im trying to crack the hash with john but none of the commands seem to be working

Put the hash in a txt file instead

i copied the text from the targets id_rsa file and made my own file and pasted it into my .ssh folder. when i went to ssh , it still asked for the password so i ran the ssh2john.py and turned the id_rsa to id_rsa.hash

fysa this is the basic pentesting room

the last step

yall ganna make fun of me hold the file says no directory found

im ganna rerun the ssh2john again with full paths

Well you have you answer now then lol

i hate that room omg finally finished it T_T

Yaaay

Hi guys. I'm working on https://tryhackme.com/room/dailybugle#. Trying decrypt hash passwork. Both john and hashcat suggest pass is starwars but room deny it. Any hints for me in this case? Thanks

Well,that password is wrong, did you get the hash from sqli dump?

sure, Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZu___ '',

john file_hash --wordlist= rockyou.txt

What are the contents of file_hash?

hashcat -m 3200 hash_file, wordlist file

$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZ__

I've just cracked it with hashcat and it gives the correct password

can you show your hashcat command?

(might want to delete the hashes too. as they count as room answers)

hashcat -m 3200 hash_pass.txt /usr/share/wordlists/fasttrack.txt

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p...BtZutm
Time.Started.....: Mon May 9 12:23:20 2022 (7 secs)
Time.Estimated...: Mon May 9 12:23:27 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/fasttrack.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 21 H/s (8.24ms) @ Accel:2 Loops:64 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests
Progress.........: 222/222 (100.00%)
Rejected.........: 0/222 (0.00%)
Restore.Point....: 222/222 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:960-1024
Candidates.#1....: qwertyuiop -> starwars

Started: Mon May 9 12:22:35 2022
Stopped: Mon May 9 12:23:28 2022

use rockyou

found it. Thank you

Gave +1 Rep to @cedar anvil

On the OWASP room...

Apparently the answer is incorrect?

I did everything correctly.

not sure if what im doing is incorrect or if im just dumb. would like a pointer on this one. on linuxfundamentals3 room, task 4, im either not waiting long enough for my python3 http server isnt loading or something, i cannot seem to get the server to load for the wget command for question3 to continue. ive tried ^C to cancel and retry but it doesnt seem like its connecting. i can find it via ls -a then cat the file but thats not what im supposed to be learning here. Am i just dumb and not waiting long enough for the connection?

You need another terminal to use the wget

When you run the python command, you start a simple http server

Then open another terminal, use the wget command

Can someone PM me regarding the OSIRIS room. I managed to change the KP* password but it's still not working for some reason

That’s a hash you need to decrypt it

why is the 'a' automatically spawning

the problem persist even if i replace B with return address

Bro, I go to the bash now. There are two flag to go. I try privilege escalation to root but not yet success. Here is what I do

• Check crontab, not see any envident
• Check SUID. use find . -writable program. Not see any program can use SUID.
• check sudo - l. Not sucess
• nano and vi, gcc can not use anyway
• I think python2 may have good point. But still not success

Do I miss something? Any hints for me? Thanks, Bro

Gave +1 Rep to @cedar anvil

Check for passwords in common files , search where are passwords stored in joomla installations

It's joomla room https://tryhackme.com/room/dailybugle#

Yeh, but it's the same concept

That joomla version is vulnerable, look over exploitdb and github :)

hallo

hi

,maroc

yes

etats unis

Been trying to. MD5 and others don't work.

Crack it with John + rockyou

That's something I still haven't learned in Web Fundamentals.

Oh it’s okay, look at the John the ripper documentation, or you can ask for my help

I am so struggling with this. I will need a bit more help.

Are you using kali ?

Yep!

The AttackBox.

Okay so you do have John and maybe the rock you wordlist

I have both.

Do I need to create a text file with the keys I have to hash?

Yep

Are you sure about that? As I don't think that this is a hash he has to crack, it's simply the format of the flag you get in the owasp juice shop ?

Beside the above, that seems to be simply the wrong flag for the task you are on, considering the image in task 1, it's the same flag and it is about "Error handling"

Oh 😅

I did the Burpsuite thing and I got that flag, Weird.

But if I use SQL injection directly...?

I got the correct key.

Ummm

Task 3 completed!

I should be happy but I am mostly confused now. lol

Well sometimes, the answer is easier than it seems hahaha

And now the next step of the exercise leads me to this.

Which leads me to getting nothing but 200 OKs

Kinda sus ngl

There. Changed it and now it's running. Now I am not getting 200's.

But I am getting 500's

Did you also changed the HTTP Method?

NVM Had a typo. Fixed

Who would use "bitch" as a password? lmfao

I have user and pass of root, database mysql now (from config file joomla). But still not yet clear what to do. As far as I know, we can gain privilege by exploit my.cfn of mysql config to add toxic library of us. But I still stuck here:

• file python to exploit can not work, because of error not have library mysql.connector
• mysql not run under root. It run under mysql user (use: ps aux |grep mysql)

What can I do here? Thanks

Gave +1 Rep to @cedar anvil

Password re-use is very common, try the password found against the machine users

Big thanks. I completed room. Quite hard room for me. Thanks for support me.

Gave +1 Rep to @cedar anvil

doing wonderland and I cant even get a foothold, found that there is ||/r/a/b/b/i/t and /poem|| but this didnt get me anywhere

nvm found it

Hi guys, I need your help. In the room https://tryhackme.com/room/skynet. I got in the squirrel email and have smb password of milesdyson ( )s{A&2Z=F^n_E.**) But I can not login smb of this account use smbclient. Password have some special character and can not process
Command:
smbclient //<ip>/ -U milesdyson
Password for [WORKGROUP\milesdyson]:
Any hints for me? Thanks

You need to specify a share name

why everytime doing nmap keep saying file doest exit?

Can you please show us your command?

Needing some help with pwn101 room... I'm on the final pwn challenge (10) and have crafted my exploit, the only trouble is that I am getting a strange segfault in _dl_get_tls_static_info+21

Seems no matter what gadget I use to get the required value in RAX, I get a segfault.

Edit - room link https://tryhackme.com/room/pwn101

Check the specific channel for this room

Rgr. All good anyway I managed to solve it using a diff approach, gamblers remorse got me good though 😛

hey having a bit of trouble with https://tryhackme.com/room/postexploit
whenever i work on task 2 i'm able to ssh into the machine but the instructions, and instruction commands don't seem to work properly.
it wants my to start powerview using "..\Downloads\PowerView.ps1" which doesn't seems to work on the vm, as well as further commands like get-netusers and get-netgroup aren't working

i see, so i guess i missed the space on the . . then, thanks

cat id_rsa/root.

keep saying no directory,

cat /root/.ssh/id_rsa

Hey, which of the following is like johntheripper?

john/ 🥳

Oh, i really need to read more carefully, thanks

Hi. I'm new, and seem to be having a struggle!

For example - https://tryhackme.com/room/walkinganapplication

"What is the flag from teh HTML comment?"

What is a flag?

Ok figured it out. Flags are the THM{}

And they must include THM

OK, the intent is you spellunk the page, find stuff you need the page source for, and copy+paste the THM{} words you find in teh most suitable-sounding answer box

Hi guys, I'm in room https://tryhackme.com/room/relevant try to blackbox service website. I try some method include:

• Nmap discover vulscan/vulscan.nse -> not found vulnerable
• Gobuster -> not found any directory
• Check service vulnerable: port 80, 135, 139, 445, 3339 -> not yet found anything
  Do you guys hints me something? Thanks

Thank you for your hints. That help me complete the room.

Gave +1 Rep to @idle flume

I am so much stuck in this question: Cyber Defence room | Splunk 2 room
Task 6 | What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?

anyone know why this isnt working?

The password authentication is not enabled in sshd_config maybe, thats why permission denied

If you are stuck at gaining foothold, then i would recommend you to bust directories

Hi - I'm on the Content Disc page: https://tryhackme.com/room/contentdiscovery#

How do I open http://MACHINE_IP/sitemap.xml?

I've run ifconfig, and tried that, but not working

eg http://10-10-110-208/sitemap.xml

Did you start the task machine?

Yes

Whats the IP of target?

http://<ip>

Standby; restarting machine

What?

Can you share screen shot what are you facing?

!docs verify

Works now; the machine restart worked, and the link was replaced with the actual IP

Good

The IP was 10.10.110.208.

Can anybody help me

I know, but he used - instead . Thats why i asked....

Thanks for your hinds. In term of enumerate, use nmap scrip, I found some smb directory include:
smb-enum-shares:
| account_used: guest
| \10.10.96.159\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \10.10.96.159\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \10.10.96.159\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: <none>
| Current user access: READ/WRITE
| \10.10.96.159\nt4wrksv:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ/WRITE

nmap script also say that:
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
I search and find some one use eternal blue + mysmb.py but still not yet success. I guess I not yet have username and password require in file. My pipe name I use: 'nt4wrksv'

Any hints for me? Thanks

Gave +1 Rep to @burnt rivet

Ohh, My bad. I see report Anonymous access: <none> and don't even check it
Now I have user Bob, Bill and their password. But I can not access use smbclient with these account. It have error "tree connect failed: NT_STATUS_BAD_NETWORK_NAME". I use command
smbclient //10.10.209.60/C -U Bob
I guess the command need a Workgroup but I can't find it. I try nmblookup and enum4linux but not success
I try use IP as workgroup, still not success
So, what can I do now? Thanks

Gave +1 Rep to @burnt rivet

Nmap is showing all port closed in the network services/task 6 room. can anyone help?

Hello I need help with room Cross-site Scripting task 8. I could get my coockie with nc but not the staffs

If anyone is wondering about the RegEx room’s task 2 q5, the answer is [fF]ile[^7] and this worked for me.

Hi, is anyone here that can help me with the Snort Challenge - The Basics room?

I'm on task 3, and the question is "What is the FTP service name". Not sure how to find this in the log file.

do we need to know basics before studying introduction to honeypots room ??

why i keep getting no such file or directory? (sudo chown root bash)

https://tryhackme.com/room/networkservices2

task 4

I am stuck in this question
What is the syntax of the command to use Impacket's addcomputer.py to add a new computer to the lunar.eruca.com domain using the AD credentials of test:pass, with the LDAPS method, with the hostname of thmtest, and the password of computer1?

Hi, is anyone here that can help me with the Snort Challenge - The Basics room? I'm on task 3, and the question is "What is the FTP service name". Not sure how to find this in the log file.

Hi! I'm really new to all this so I have no idea how-
I need help with this question:

What is the syntax to ping 10.10.10.10?

It's for the what is networking room

What have you tried? And what are you using?

Start by running:
ping -h and see if you can figure it out from there

Hi. I am working https://tryhackme.com/room/linuxprivesc Task19 NFS following along on my Kali VM (using vpn). I keep getting the following error while trying to mount. "mount.nfs: requested NFS version or transport protocol is not supported"

Figured it out. It was ping.

Awesome great feel free to dm or ping me if you need more help🙂

:D

Walking An Application
Q3 - What is the directory listing flag?
Can anyone give me a hint? Super lost on this question
Also - I cant see anywhere "secr" as it advises

Help! Hi. I am working https://tryhackme.com/room/linuxprivesc Task19 NFS following along on my Kali VM (using vpn). I keep getting the following error while trying to mount. "mount.nfs: requested NFS version or transport protocol is not supported" These are the exact commands i copy/paste:
mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs

That's the wrong IP

yes, i corrected the ip but still the same error

Run the VPN directly in your Kali VM

Not on your host OS

correct. did that. since yesterday getting this error. today just checked to see if the exploit even worked on the victim and it did (even though error seen on my kali vm).

I'm running RootMe, trying to shake down a few easy boxes for a class I am teaching this week. But for some reason I absolutely cannot catch the reverse shell. I've triple-plus checked the IPs and ports, redownloaded the pentestmonkey shell on my own VM and multiple AttackBoxes, reset the target multiple times, tried multiple extensions on the revShell file, sudo and non-sudo listener commands with varying tags (except -l of course)...no dice.

Anyone have an idea of what I might be missing?

I've tried about a dozen different ports, too, for the record.

Hey! I'm currently working on Task 10: Exploiting FTP in the Network Services room (https://tryhackme.com/room/networkservices). Initially when I tried to run Hydra on the target machine to get the login password it ran for an incredibly long time with no results. After suspecting that something may be going wrong, I read a write-up which showed that hydra was in fact attempting the correct password in the first batch of attempts but it was not being recognised as correct. What is going wrong here? I am using the same IP address that you use in the ftp command from the previous task as I am in the hydra command.

Best to show a screenshot of the command you used and the output of hydra you get, as well as a screenshot of the active machine information box on the room page

Machine info: https://imgur.com/tCPk0To.png
Command: https://imgur.com/T5cim2s.png
Output: https://imgur.com/uWi5fzm.png

Have you tried using it the same way as the task example aswell? So with the ftp at the end of the command?

I have, I even tried the command the same way as in the task example word for word, but still nothing

Can I try it myself for your target machine?

Of course, do you need me to provide you with anything else?

If it's still the same IP, then no

Okay, it's still the same IP

Mh, seems to work just fine, is your attacking machine a VM?

It is! I'm running Kali through VirtualBox

And openvpn is running directly inside your kali VM and not on your host machine?

I should have asked first, you are connected to the thm vpn, right?

Embarrassingly, it seems I was not. Between me doing a task earlier, leaving for a while, coming back, and trying another task it appears that the openvpn connection must have stopped when my laptop locked itself. Thank you (for both your help and your patience)

Gave +1 Rep to @left thunder

Happens 🙂
You are welcome

im having the same issue, were you able to figure it out?

Yeah, you have to click on the image link - then in the search bar delete the word image, so you in the folder - if that makes sense

and then you have to click on access i think

That worked, thanks so much! i was stuck on this for so long

yeah so was i lol

how to "Save the results from this command into a file called valid_usernames.txt which we can use in a later task and then answer the questions below"

ok ty

also is there an actual application on the machine called ffuf? i cant seem to see it , or just use "ffuf" into the terminal

anyone can assist with Authentication Bypass task 3? brute force, very stuck on this

ya

like where do i enter the "bruteforcing with ffuf" information?

ive tried that but it just does nothing

got the file saved , but when running the command it doesnt do anything

hi everyone i need help i'm stack on task 8

https://tryhackme.com/room/uploadvulns

shell.jpg.php 🥲

didn't worked for me

workoing on windows privilege escalation and trying to rdp to the windows machine, but getting an error

"Failed to connect , CREDSSP required by server"

this is the command i used rdesktop -u user -p Password1 x.x.x.x -g 60%

googled the error but not able to find the required answer to solve this issue

how to solve this issue?

It's failing to upload? Or it's failing to execute once it's uploaded? Does shell.jpg.php appear in the /uploads/ directory?

Did you try to use Freerdp? I know it was one of the google results at the top, but it was hidden a bit in the article. I've had some experiences in the past where one client worked and another didn't. Maybe try a few other clients, because the main way to prevent this is on the server side, which you can't do yourself.

no didnt try with freerdp. i will check with that. and yes the google articles mention about the server side fix. i had sent an email to THM support. no response yet.

Ok. Well maybe it will help. If not, there are a few others. Or just do RDP from a Windows VM or partition perhaps. Best of luck 🙂

👍

hi thank you so much, it worked with freerdp

Gave +1 Rep to @ember vale

Did you try to modify headers? Like content-type

yeah it failed to upload because there's filtre. however i was able to upload the file when i change it to shell.jpg.php5

in room Internal
how can i browse the internal port 8080 from my machine because i can't understand how can I use port forwarding that much

you can browse to a service on a different IP simply by putting a : then the port number. For instance 10.10.10.10:8080

For Safetygirl.

If you look through the images you'll find one that looks like this with the phone model & number.

Spoilers for Networkwork miner.

Thank you very much. I was looking at the wrong phone picture. BTW, whoever created the room, I love all the Ned Flanders pictures!

Gave +1 Rep to @lucid junco

No problemo!

Happy Hacking!

Also room creator is THM, think it was ujohn.

Well done ya muppet...

Hi, I need some help with Biblioteca. I managed to get a potential username but Hydra hasn't been able to help me with rockyou. Any hints would be helpful

Some pics are… inappropriate to say the least…

Yeah, sorry found it. Should have said so. Thanks for the reply

Gave +1 Rep to @burnt rivet

guys i'm hard stuck on vulnversity , need some help with the challengs

looked up the suid that had bits set, only /bin/systemctl had results on gtfobins

nothing

let me send a sc

enable --now $TF ?

or which

it should be /tmp/output ?

so ?

copying the content of root.txt to /tmp/flag ?

says permission denied

even with root

Lassi is showing you the way... Ignore this problem for a second, what command would you normally use to copy the content of one file to another? I don't think it's what you are trying. Might help if you make sure you are clear that this breaks down into two parts so be clear on what /bin/sh -c does and also what "/root/root.txt > /tmp/flag" does.

Hi guys! I need some help on the LinPrivEscNFS. I have mounted the share to a folder in my /tmp, and then go ahead and create and compile the binary that I want to run on the target, but when I run it on the target i get: ./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)

I'm not sure what I am doing wrong, can anybody give me a hint or point me in some direction?

I compile my binary on my system. Is the target system missing some dependencies?

I re-created the one in the task:

int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }

And then compiled that with gcc nfs.c -o nfs -w

are you compiling the binary on the target?

I am running the gcc from my machine, but inside the folder that is mounted in the target

check if gcc is on the target(if you have access to it), it might need a specific version or something

The target does not have gcc installed

😦

I now tried running them without compiling them first by setting the SUID on the nfs.c instead;
chmod +s nfs.c
chmod +x nfs.c

But when i try to run it from the target machine (have ssh access), i get a Syntax error :/ I don't know C to can't actually confirm that the syntax is correct.

./nfs.c: line 1: syntax error near unexpected token ('
./nfs.c: line 1: int main()'

I will give that a try instead 🙂 Thing is i've been following along with the witten material asociated with the lab, and I just assumed it would work. Now I now that in the real world I would need to be flexible, but in this case, following the written instructions has always worked :/

Will try with python or bash instead and see if I can manage to get it to work 🙂

I kept trying, but still don't succeed. I tried writing a tiny bash script that just cat out the content of the file /home/matt/flag7.txt, but I still get "Permission denied" :/

Hmm, okey, fair, i'll give that a shot 🙂

I also tried the method here: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
But that didn't work either, got the same error as when i tried with my compiled binaries; ./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)

I'll report back when i've tried it on the attackbox instead 🙂

Doing the same thing (compiling the binary) from the attackbox instead of my local machine did it, it worked now 👍 Been pulling my hair in this one for 2 hours ^^