#koth
don't mind if I borrow your figlet?
it's a pretty cool thing
watch -n 1 "curl -sL http://10.10.235.218:9999 | figlet"
will show you who is king every second lol
so not watch -n 1 "cat /root/king.txt | figlet" ????
hahahaha how many times did you mount
I don't even remember at this point
bro I was just spamming mount read-write/read-only commands while trying to fix it
btw how are you looking at the things I have done
this will work if you are running it on the system (but might slow it down a bit depending on what's running)... I'm watching from my machine
oooh that explains it a lot better... also shadows command requires that you have a root shell on the target machine
which someone could kill
realised that a short bit after posting shadows command
even if I am root all the time, I'll still take the L so GG bro
still wanna do the nyancat spam onto some other user during a koth game
let's play KOTH soon
GG
20 mins
@fossil pecan can you read the /root/?
Ah i missed this whole thread haha
Was a min ago, I'll brb and check again 😉
yup 🙂
omg I'm an hour late .. must have been from last game 🤣
btw what did you do to find them?
it couldn't locate even 1 file
some on this box are random names, a few named "flag" (none end with ".txt" tho 😉 ) ... the rest are just regular files like names of "games" (fortune/casino theme) 😛
hmmmmmmmm....
your ip ends with 232
?
me? nope 😉
what have you done lmao? its showing my name while in king
testing my "YOINK" bash oneliner 🤣 ... the king points are scored 10pts/1min (every minute, on the minute ... i.e. * * * * * read king.txt cronstyle)
so i only take it end of minute, and give it back after
Thu 6 Apr 03:10:57 BST 2023 - YOINK
Thu 6 Apr 03:11:04 BST 2023 - KNIOY
Thu 6 Apr 03:11:57 BST 2023 - YOINK
Thu 6 Apr 03:12:04 BST 2023 - KNIOY
Bro your creativity scares me
😈
i'm boutta get clapped
very new to KOTH
lmao
are you allowed to have a script that puts your name into king.txt every x seconds
No that might be a case of autopwning
Oh no that's definitely ok
I would recommend you rather do a loop
how is that okay?
if you are remotely accessing it and putting in your name, isn't that autopwn?
If it happens all automatically within 60s of the game starting then ya
But pieces by themselves as scripts are fine
Some king fighting scripts or at least bash one line loops are essential for fighting king against a good player
don't use scripts, use rootkits -f11snipe probably
🤔
KOTH is a hole that goes deep down
it's gonna give you adrenaline, disappointment and stress
all at the same time
its a good feeling.
Haha, rules do explicitly ok scripts and rootkits, just best to make sure they're stable and not destructive 😜
Sometimes I wonder if winning feels good, I am pretty sure it's putting your name in king.txt that feels better
Well in these summer vacations I am gonna be making one
Autopwn rules are for people who automate everything to get in, get root, put name in king, and patch/shutdown services to keep everyone out ... When all that happens in first 1-3 minutes, game's no fun for everyone else rest of the hour 😂
psst send me the autopwning scripts
you know the good stuff
are you playing in this one snipe
haha, i have a bunch of simple scripts & little one-liners i'm putting together to share ... but some of the "big guns" will remain private
koth is a gentlemen's game, just play fair
☝️ 😄
so flags for scripts?
quite honestly that sounds like a fair trade to me -Drake definitely
i'm inventing my own F11[...] style flags haha, gonna start hiding them all over my f11snipe.XYZ domains and also might put them into like koth matches for ppl to find
what privescs are there for food other than vim.basic
They should make you a KOTH mod at this point
for the future
there is a custom script
wait not custom but you can find it online that will work for screen
There's a public writeup from the creator of the box
👌
is there any result for finding them as of yet, or just easter eggs
ya if you find a valid flag it should redirect to the "prize" (usually a txt file or script/etc)
some ascii art
simple bash commands
hello friend
gonna add more soon (hopefully haha)
cool concept 👍
thanks 🙂
20 mins
2mins
@proud moth bro Stop removing all perms for low privs users
thats against the rule
you keep removing sudo by changing the perms for /etc/sudoers
You're doing this for the second time now
That's part of securing bruh. That's not against rules. Lol
sudo is a binary
I didn't mess with sudo.
changing perms for it so it can't execute is against the rules
Wait.
You messed with /etc/sudoers
sudoers permissions can be removed.
we cant disable ssh logins, user deletion, and removing any commands.
sudoers is a part of securing. and we can even modify configs to secure. from getting any command executions.
is sathas you ?? @valid cairn
Ik that bro
but not removing the sudo binary for every user except root
sudo binary is there. i removed users from sudoers. from using sudo...!!
if I do 755 /usr/bin/ that's against the rules
it is?
!
wait I had cleared my terminal
I dont have the command on me
It said /usr/bin/sudo not found or something
okay
@valid cairn you removed wget, curl. 🤣 so how is it legal for you to play
I didn't remove them
nor did I change their permissions
They are right there
I don't break the rules.
probably changed the PATH variable
Why does Carnage keep breaking?
the only reason I know this was because I broke it myself once and had no idea why basic commands like echo, ls weren't working
nope I won't make it completely unusable for others
that's not fair play
Carnage being Carnage bro
that's not unusable?
just export the path back
Idk about that, PATH variable modifying altho thanks for letting me know, I'll experiment with it 😉
modifying PATH is pretty common and fairly easy (it's also a potential privesc method if misconfigured 😉 )
to alter it for other users you'd probably make edits in ~/.bashrc , can dbl check that or use sh and export your own path from scratch to force it (i do this a lot :P)
thnx for telling me
i will surely research a lot about this
Here's a really basic "PATH reset" I typically use (includes all standard /bin and /sbin dirs)
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
so what does it do?
thanks bro
this just resets to generic/safe defaults ... the $PATH environment variable is what determines which commands are available in your shell without a prefix (i.e. nmap instead of /usr/bin/nmap )
full path to binary/executable should always work, but only ones within a directory specified in $PATH (separated by :) will be available as "global" aliases 👍 😄
Wow it's simple but so much usage 👍
ahh shit here we go again lmao
mathuez and Trap
this is gonna be hell of a match
why the reset tho?
why?
studying
3 mins
20 mins
start 30 mins
20 mins
23 mins
Does anyone want to play king of the hill right now??
yeah
@rain junco
it's not opening
it ended
@rain junco try this one
I hope it will be an easy one...
good luck 👍
@rain junco it doesn't show ip and name ?
It isnt showing
@valid cairn when that happens try to vote reset on the machine and the ip should show up… it's a weird bug, happened to me a few times
ikr
it's super weird
other people weren't resetting it
18 mins
Sup bois
Wsg h00dy 👋
It's been ages since I have seen you in the KOTH scene.
where have you been
?
15 mins
20 mins
Hey everyone, is there a way around if someone makes the file king.txt immutable and deletes chattr?
Yeah bud. One way is to upload your own copy of chattr, e.g from busybox
Or a c script that invokes ioctl directly
surely you can call ioctl from python?
You're gonna love it when you get used to chattr and mounting and then you're gonna come head to head with a rootkit 😂
Aye rootkits can be beat too…
yeah obviously... though doubt most koth players have any idea on how
Try harder 🤣 hahahaha j/p but yea don’t give up keep trying.. there’s ways around em
There used to be a time when KOTH was, well, KOTH. Rn it's literally a massacre for new players.
it was koth for shadow and @fast copper
shadow won by figuring out that chattr exists
But, Tbh rootkits add a new dimension to the game.
But learning them and making them is the harder part.
Well that’s how you get better by challenging yourself…
unless the challenge is so large it becomes impossible to overcome
its very possible to overcome.
But, it's only an hour long with every minute being a point.
so it's really really hard to overcome.
Ok valid point..
shadow is pointing at people giving up if the challenge becomes too large for them, as then it feels like there is no point trying
But it's also a mindset obstacle… hacking isn't easy and you need to keep trying new things, eventually something works
True.
starts in 15 mins
What are the Best learning path/modules to help get better at KoTH?
But I had a similar question - where can you learn the skills which are specific to attack/defence ctfs and koth style challenges with multiple players fighting over a machine?
for me it was learning by doing
just play some games and try to split the challenge into smaller parts like getting into the machine, escalating privileges, protecting king.txt, defending against process killing ...
starts in 7min
experience
Petition for more machines for KOTH.
go make some
KOTH machines?
yeah it would be like room creation but for koth
hmmmmmmmmmmmm good idea
or are you asking for something else??
So I just design a VM and then hand it over to THM staff?
¯\_(ツ)_/¯
think it starts the same way as normal room creation.... just it needs multiple paths to foothold and root
Won’t work we already tried they basically said it would cost money for someone to test the rooms….
huh
so then what is shadow doing as a room tester???
Even had people who said they wouldn’t mind doing it for free
well gonna leave it at that then
Not testing new koth rooms 🤣
talking about room, i'll submit my machine to THM, privesc spoiler is involving rootkit + reversing XDD, btw, hope it gets approved, my machine is very good and fun for play
I would do it myself for free, just because I like the attacking and defense style game mode
Says who?
That's not at all the reason, I'd love for you to name and shame whoever said that
Ok 👌 …
Start of the same conversation….
Here was a suggestion to help with cost to review boxes… #koth message
But maybe with the new price increase…. 🤷♂️🤷♂️
That’s how it used to be, now we have in-house testers to test machines and volunteers.
But it’s not the testing that’s the problem it’s the setup for the machines themselves
Currently, our teams are so busy with making sure the core of the website is the best it can be and pump out new content, KoTH boxes take a really long time to configure and they can only be configured by a few people
KoTH is due an update so maybe further down the line the process will be automated
I can’t say anything for sure
I'd be interested in helping out any way I can to improve koth, whether it's finding more bugs on koth, hosting events and/or official tournaments, helping create or test new boxes or even just suggesting new ideas to keep players engaged and continue using the koth platform
Currently we are focusing on updating the platform, if you have noticed the various pages being updated
There are no voluntary roles available, other than being a room tester (which only test the upcoming content), but you are welcome to apply to be an employee if you think you can help improve the platform
Appreciate it. Would something like this fall under community manager??
Not exactly
There isn't really one role, I don't know how much I can say, cc @sonic belfry any help so I don't expose all our company secrets? 😁
how can we become room tester?
I would love to help out any way possible! Any chance for part-time jobs/contributions?
I know koth hasn't been a top priority recently, but I think it still has a lot of potential ... I have greatly enjoyed helping the community learn and grow positively as an "unofficial resource" haha ... so, please let me know if/how I could help in a more "official" way! 😄 🤞
All jobs are on the career page
You’re selected by QA
Just need to know which one would be best to apply for as far as contributing to koth 🙂
The implementation and execution of the testing effort depends on the planning/implementation of the expansion effort for KotH regarding machines. No news on that yet. 🙂
Please let me know if there's anything else I could do to contribute there! Lots of ideas over here 😉
I was on a game and I was unable to write to king.txt because someone set the filesystem as read-only:
```
root@host:~# echo wyldgoat > king.txt
-bash: king.txt: Read-only file system
```
Does anyone know what I could do to circumvent this? I tried running `mount -o remount,rw`, but no success
Hey I’m new and I had some questions. How do I get started? Do I watch videos or just play? How did you experts start
can get started anytime! it's good to be somewhat comfortable with challenge boxes and the terminal in general
😄
👋
I was thinking about doing KoTH again...
I play KoTH on stream a lot @worthy geyser i went over read-only mounts a while back 😉
https://f11snipe.live
I'm happy to host or join private matches for practice anytime 👍
We should do a session. I'm always willing to. Just @ me. I like practicing.. because I'm nowhere near as good as F11
thanks, will check it out!
F11 is pretty Fing epic fr...
There were a few different techniques going on at the same time but yea I mounted on top of king.txt so that was the error you were seeing.. and one reason you could not echo > king …
20 mins
10 mins
Is deleting chmod allowed?
Well someone did last night in the Lion machine.
Check pins
are you sure its deleted?
The error said " Chmod not installed, contact admin to install coreutils" and it was working fine a minute before
if people are playing like that you can always use this link and wget your own static binaries onto the machine just in case
https://tryhackme.com/games/koth/join/71f06550153f1169efa36569 15 mins to join
or if you want to spectate https://tryhackme.com/games/koth/72313
i did but couldn't figure out how to make it executable unlike the time i used the chattr binary
how much do the koth hosts vary? are they mostly windows?
!docs koth
@onyx dust this should tell you most basics about koth
and here's the pool of machines
thanks!
mostly linux, which is good
need to watch some youtube videos of people doing koth to get some handle on what to do
Do you know any good channels for this?
I stream KoTH sometimes, have some regular videos too 😁
next game in 15min 🙂
https://tryhackme.com/games/koth/join/f8714cbafda4d3b48b04b661
Plz Wait for me
i am so stuck with this Koth lol
Somebody needs to join in 5 min before it expires 😜
10 mins
7 minutes
wow I just realized I'm in the koth room and the message above mine was sent yesterday. I thought I was in general
l
o
l
how do I fix this error while using my own chattr in target machine ?
Yo what's up people
I haven't done anything related to cyber security for about a year now
so you don't just upload busybox then????
then again that might be a bit bloated but it should work
excuse me?
was referring to @steep agate
oh haha my bad
If anyone is interested in a friendly 1v1 or so...
I'm gonna join the vc
no haha
I just copied and pasted the command I had put here in the chat last year, but it works the same way XD
.
yeah you are just making a static chattr binary
yes
busybox has a lot of other binaries bundled together
hence might be a bit bloated for this purpose
i know haha
ya
wow, I could have sworn that this new THM event, was something related to KoTH because of the crown hahaha, it wasn't this time, F
then again people might be looking for files called chattr instead of files called busybox
nope it is for a new network with real life feeling
yes I know, I'm even playing with it now haha
thanks
Is it possible to play koth with the attack box ?? I’m bored at work with no VM lol
Whatever helps you learn.. it’s a good idea to take notes as you’re playing as some of the machines have the same credentials and ports opened… I would also keep notes on any flags that you find because those are static as well…
It all depends on what you want to focus on… me personally I don’t patch the machines I might make them more vulnerable to allow more players on the box and let’s fight for king.. other players might patch the boxes.. but if I get in before you then you’ll have to find all my back doors and patch those as well… other players have rootkits and use koth as a testing ground… it all depends on what you choose to focus on @lavish lance
Flags can be submitted anytime (if you hover over the flag icon next to input, it'll say how many total flags are available on that box 😉)
So you can hunt for the rest! 😁
20 mins
@broken pilot ... have you been promoting your Discord server on KoTH?
Please respond or I will have to take action^
@fossil pecan has been streaming koth & thm content, and we've been inviting excited and promising players to come join the community because we love thm & koth! Apologies if this is not ok, we can refrain unless there is an ok way to share our common interests with friends 🙂
Mind if I dm?
sure
Hey, sorry we're not trying to start any trouble ... I'm available for DM / more info if needed also
20 mins
is it fair to kill apache or make it 403 in place of patching the vuln on a box that only has ssh and apache open?
3 resets, 2 apache kills and maybe 1 chmod on the root folder
this is my first time, i want to know if i can do that too (break services in place of patching them) ?
@steep agate are you MatheuZSec ?
can someone tell me why with a root shell i can't chmod +w king.txt please?
and how do people write and flood on my shell please
There could be several reasons why the king.txt file was not writable.. could’ve had an immutable attribute , or mounted over, or a while loop …
As far as flooding your shell that could be /dev/urandom .. it’s hard to know exactly.. if you want to check if a file has any attributes set you could run lsattr and that will list attributes for all the files in your current directory
I’m happy to help if you need assistance .. could host a private game and let you practice just hit me up…
i mean sure in private games.... im sure people can get around that script tho 😉 .. let me know if you want to test it out
i was talking about you trying it against me....😎
sup
🤣
Hey buddy
how are you
Good how about you ?
pretty good
That's great news
zho is the root now
I failed miserably to get persistence🤣
i failed also to put the god damn password
for what ?
i didnt close anything
i just snatched king
Please forgive me guys , I have sinned 🤣 leave me alone now
ding i repeated the same cmds 8 times
of you guys killing the session hahaha
9
im done see you guys later
🤣 🤣 🤣 🤣 🤣
WTF
```
sudo chmod -x /bin/systemctl
sudo chmod -x /usr/bin/wget
sudo chmod -x /usr/bin/chmod
sudo chmod -x /bin/chmod
sudo rm -rf /usr/bin/rm
```
this literally and certainly is VERY prohibited and results in a nice ban
At least he has a disclaimer on GitHub README 😜
ya
https://tryhackme.com/games/koth/join/ad6982eb083b150e0901b4d5 all alone 😦 ... i'll wait for someone to join pls 🙏
do you want to try my kingme challenge?? 😄
It definitely is not and I would not recommend anyone using these. I have removed the link and please don't use these in public games it can result in a ban.
can someone explain to me why? please
@ember lodge yes, because I figured it out. I'm not sure what they did is within the rules
they changed the working directory of the koth process to /etc/trace, which had its own king.txt
how did you get it back, i have seen you succeed in grabbing it one more time
ok thx
To me that sounds pretty iffy from a rule 4, perspective: "Do not attack, modify or stop the service(king/KoTH service) on 9999 (this includes a 'KoTH' binary placed by default in /root and things like changing service locations.)"
plus, someone that round removed execute permissions from a whole bunch of stuff including chmod
was me i can do that?
i have upload a chmod and chattr on another folder
"8: Do NOT delete system binaries (except chattr) or change executable permissions on them (or their directory)."
so changing exec permissions on anything but chattr is off limits
ok thx, i started koth yesterday, someone did the same to me yesterday, i was thinking it was intended sry
That is def against the rules. You may send an email at koth@tryhackme.com with the information. 🙂
You should not 🙂
At first I thought this would require actually attaching a debugger to koth to chdir, but actually you can just move /root somewhere and put a copy in place
That actually doesnt seem to violate the rule to me
It is up to the participants if they want to report or not.
I mean, does a mv /root /somewhere violate the rules?
It doesn't actually seem like it to me and I'd like to know so I know whether I can do it or not
It would be somewhere in the grey area, but I still would not recommend doing it.
Hm
Yeah it's a weird case where it's hard to see a rule it clearly violates, especially when you put a copy in its place. It feels sort of like putting a mount over /root where the koth process is in a directory that isn't at /root anymore
If people won’t stop breaking the rules it might start soon.
we want new kinds of games on THM like koth
it's hard to win against someone who has just played 1 or 2y on koth haha
dingo
i played with you yesterday on my first day in koth, you killed apache in place of sanitising the vuln, it was against the 2nd rule, it's really unfair
and on another box, instant change of password after reset, with no time to connect to it, like using an autopwn script
2 times in a row ...
on the third one you chmod -w the upload folder
i got 403 on upload on the third reset, the fair path was to sanitise the upload php file i mean, don't break it
we will see the next time you will be in front of me
oooooohhhhhh i like that
and the worst in that is using another account to manipulate the reset vote 😅
maybe it's not you H3X.007 ? my apologies in this case ....
on my first game you intentionally broke it ...
bruuuh stop you both go and play a clean koth room you 2 a private room
and show us who is the king
if you take permission to waste 30 min (+ 1h waiting for the end) of my time waiting to enter a room and instantly break it, i mean i have permission to say what i want too
next time i will
esc => :q!
if you want to write esc => :wq!
esc and i write :q!
thanks buddy
Let me know when! You can pick any Linux machine, and we can join a private match to see if you can break my king challenge 😎
sup guys
someone post link to koth room shrek noz
now
@steep agate drop the link man i like the shrek room
Hey everyone,
Please do not post your social media/ use various tools to spam users with your social media (Twitch, Discord, other) during KoTH. Users want to have a game of KoTH, not follow your Instagram page.
If users are promoting their socials in your game, please ping me (or any of the KOTH staff) in Discord or drop me an email at koth@tryhackme.com.
@fossil pecan can i DM
Sure!
haha nice! I'm curious to check it out again, but I didn't save the link to repo before ... can you DM it to me again?
How often are new koth boxes added?
@fair adder I'm not sure it's kosher to remove the setuid bit from pkexec. That fundamentally breaks the functionality of pkexec rather than patching a hole
remounting the root filesystem readonly is almost certainly also not kosher due to breaking anything on the machine that wants to write a file
the entire FS yes, but can mount RO subdirectories / etc that won't break any machine functions 😉
sure, but the offending line from @fair adder 's script is sudo mount -o remount,ro /dev/sda1
yes hahahaha that's not kosher 🤣
it also won't work on many of the machines because their root device isn't /dev/sda1, but still
right, the rest of the stuff is already known, nothing new
this is not allowed
I mean it is easy to undo but still not allowed
Yeah it's akin to temporarily taking down a service which is also not allowed
What's the variance in difficulty on the koth targets like btw? I've done panda, food, and Tyler so far and they were all pretty easy
ya H1-Hard is probably the most technically challenging box ... Hogwarts & Hackers are fun and a bit more challenging than others too, since they are more randomized and require more active steps each game instead of just remembering or reusing stuff 😛
Carnage can be a bit tricky for some too 😉
Good to know, I'm sure I'll see them at some point. thinking about this, a system that randomly generated koth boxes seems both possible and awesome
I've been imagining similar possibilities for the future! 😛 🤞
@jovial field intercept syscalls worked, do you want to join me to make it stronger? DM
LD preload or rootkit?
rootkit xD
but my LD_PRELOAD is almost ready too, maybe I'll make a video explaining how to make one from 0, or a post
'Modify' covers everything, to make it clear, follow the right hand thumb rule, anything related to the koth service is off limits. I didn't realise people will not understand that Modify covers everything.
So mv /root /somewhere is not okay? Another thing I was questioning is whether hooking read syscalls kernel side, which sounds also not okay?
The mv case is weird to me because it sounds like mounting something atop /root actually is okay, even though it results in something extremely similar: the working directory of the koth process no longer living at /root
Exactly, though the kernel side is in the gray area. But I can confidently comment on moving the root directory. Directly or indirectly you are messing with koth service, which is not allowed.
Wait, so is it also off limits to mount something atop /root and shadow it?
and why you are moving the root like
Exactly lol.
maybe he got a dark secret tho
Okay, I will say this again, as clear as I can " Do not modify the koth service, directly or indirectly. "
I've not done either of these things, I've just been in koths where someone else has
I brought up both those examples because they aren't clearly modifying the koth service directly or indirectly to me. Like, if you mount something on top of root, the koth service still has its original working directory and is still reading the same king.txt it was before, it's just that that directory is no longer at /root in the fs hierarchy (in the shadowing case it's nowhere).
I'm actually sort of surprised you said the kernel hooking is grey though because that's an absolutely clear indirect modification of the service to me
In a game I was in someone moved /root and then copied it back, with the end result that everything looked fine and the flag was still there but the koth service was now reading a different king.txt than /root/king.txt. It took me like 30 minutes to figure out what was going on and I ended up stracing the koth process and realizing it was using relative paths, then did a search and found the moved king.txt
Safe to say the primary goal is: "The system should continue to function 100% normally"?
Some users affect this by accident, but intentional/repeated is def not ok 😕
Also, just from a clarity and understanding perspective, "Modify covers everything" doesn't actually clarify anything, because the question is about what counts as a direct or indirect modification. Re-emphasizing that you can't do any such modifications doesn't help clarify where the line is as far as what's an indirect modification to the koth service and what's a wider allowed modification to the system
I try my best to fix and help people understand rules and how to abide without breaking stuff 😜
hmmmm gotcha
(really, that experience made me feel that the koth service should be using absolute paths, as that would alleviate this whole issue)
But currently it just opens "king.txt" so it's working dir dependent
differs by machine
some are absolute
Well, at least I have a pretty good idea of what I can do that's definitely okay...I'm going to see if I can write a tiny rootkit this weekend. I have an idea that would make it very subtle and maddening
I'll be streaming some KoTH tomorrow (around 6pm UTC), I've covered some basic starter rootkit stuff in the past too ... feel free to DM me if you want more info 🙂
Sure, though I'm not sure if I'll need basic starter level stuff. I've never written one or done Linux kernel programming, but I have done lots of C, ring 0 x86 stuff, Linux systems programming, and have plenty of professional swe experience.
awesome! you'll probably pick it up pretty quick then 😄
this is a great blog series going over all the basics to orient building LKMs, you can probably knock out a handful of the parts together if you can follow the lower level C/memory stuff 👍
https://xcellerator.github.io/posts/linux_rootkits_01/
Learning about Linux rootkits is a great way to learn more about how the kernel works. What's great about it is that, unless you really understand what the kernel is doing, your rootkit is unlikely to work, so it serves as a fantastic verifier.
In the FreeBSD world, you can find Joseph Kong’s amazing book Designing BSD Rootkits. It was written in...
It seems the standard approach is a kernel module, which makes total sense. Roughly it seems like the process is actually rather similar to writing a DLL injected game hack, actually
idk much about windows hacking still haha ... been too deep in linux for many years 😆
this will be very useful too -> http://books.gigatux.nl/mirror/networksecuritytools/0596007949/networkst-CHP-7-SECT-2.html
7.2. Intercepting System Calls
You use a debugger to inject a shared library load, and in your DLL open function inject code into the target process memory and hook functions
The thing I'd really like to do if I could is move the code out of the module after loading though, so that the module doesn't need to stay loaded and could even instantly unload itself. I'll have to look into that
ah ya, i can follow concepts ok haha, but haven't been "hands on" windows enough
I've been playing with process injection/hollow stuff on linux, pretty cool
And that could get weird I expect because there isn't really a legitimate reason to do that. Have to find some executable place to put it and ensure its relocatable assembly etc
So that'll be some interesting research
ya sounds interesting
Yeah it'll mean researching more generally about how kernel modules work and how the Linux kernel does memory management
I would love to explore more with you if you want! I've been pretty deep in it the past several months, really curious about exploring some more of those edge use cases 🤔
10 mins
Sure! My initial research indicates you can probably do this with vmap to create executable pages in virtual memory that alias non-executable memory allocated with more conventional lkm interfaces. That + a separate C file compiled as position-independent code + normal syscall hooking is probably enough
Effectively the module would allocate memory, copy the hook fn to it, create an executable alias for it with vmap, hook syscalls into it, and then somehow unload itself and effectively leak the memory it allocated
🤣 no
oh to unlock king? yea it was ... I thought you were asking was it illegal to chattr -ia
its not even locked right now
echo username > king.txt
nah cant
why not??
i just echo X3.A > king.txt now your king
i had just chattr +i king.txt && cp nyancat $(which chattr)
and i could not unlock it by chattr -ai
nope.... you can always wget a static chattr to the box
cmd
yea it was locked in the first 6 minutes
you can run lsattr to list attributes
yea i locked it ... and copied nyancat to chattr so when you tried to unlock you got nyan'd but then i unlocked it after some time to make it fair
my bad.... good learning process though..
@fossil pecan one thing I'm sort of surprised about reading on hook methods is that none of the common ones seem similar to what I used to see in game hacking and all seem quite detectable. What I expected to see was replacing the beginning of the original function with a jmp to the hook (or a wrapper since it'll be weird asm not-really-a-function stuff and you probably want the hook body in conventional C) and putting whatever you replaced with jump near the end of the hook, followed by a specially crafted ret to return into the original syscall in a way that's fairly invisible (no intermediary stack frame for your hook, for instance)
yea that script isnt going to work anymore.... @fierce halo you're going to have to actually echo X3.A > king.txt if you want any points
This way the syscall still lives at the same place in memory (and so the call table is unaltered) and there are no tracking data structures for ftrace or whatever. You'd have to do an integrity check on the actual ASM of the syscall to catch it
@broken pilot are you the creator of shrek machine
what is the cmd to search flags, i just want to win @broken pilot damn
i didnt understand this room well
i need to replay it later
no i didnt create any of the koth games... you could try find / -type f -name "flag*" 2>/dev/null
thank you
gg well played @broken pilot if it was just unlocked on first it was a win
thanks for the fun im going to eat and chill out
GG
wooo i lost by 10 points hahaahahahaha
i think this one-liner would be a little better for all koth linux machines
```
find / -name "flag" -exec cat {} \;
```
or
```
grep -rl "THM{" / | xargs cat | grep "THM{"
```
@fossil pecan how do you deal with all the old kernel versions hanging around the koth boxes? Do they all have what's needed for compiling out of tree modules? Compiling against a local kernel tree seems hellish for old kernel versions because of the dependency on gcc versions
on some koth machines, the kernel is 3x, or others that don't have gcc, and others that don't have make installed @gilded roost
what makes it harder
Oh ya, I have a bunch of local vms i used to simulate and compile with the needed headers and a lot of testing to make sure my hooks were solid enough to not crash the box under heavy king load haha
yeah I figured that was the only real solution. So I'm gonna need a bunch of ancient ubuntu VMs I guess
Was my map for KoTH haha
that's a lot of variance. What sort of compatibility range does each build have? E.g. are you able to use 1 binary for all the 4.4.0s?
I was looking for this, thanks
Gave +1 Rep to @fossil pecan
No every unique version gets its own build, but not a whole lot of difference in the code ... My new ones are much cleaner lol 😆
I needed to install all headers for each, super easy with apt on Ubuntu within a generation
Others were harder to get source and build off versions
yeah...what does it look like for CentOS?
Found the header .RPMs and actually ended up bringing and installing live in game i think haha ... For some reason had trouble on those with local VM
Def trickier haha
@steep agate GG
GG
I didn't use script to defend king.txt
I know, that script "nayl" will run if I execute chattr
How did you stop me from changing perms on king.txt ? (chattr!)
idk script "nayl"
I didn't use chattr, I was testing my LKM v1.0, it's in the testing phase, I need to improve it
how it's working?
can you already flip file flags?
I don't see why you'd need to remove it. It's just a shell alias
its not needed, it'd only be affecting the person who ran the script which would be irritating for them anyway
Guess it's time for me to set up LKM build VMs for all these targets...ugh
I wonder how many people are putting GPL as their module license and thus obliging themselves to give their rootkit source code to anyone who ends up with a copy of the binary module in a koth :P
What is the equivalent of these commands in windows?
well dunno but think the powershell findstr will be in there somewhere
findstr /s /m "THM{" C:\*
you can use findstr
Thanks
anybody wanna play some KoTH?
plugging in mic rn
anybody wanna play some KoTH?
Managed to finish a first version of my rootkit over the weekend and built it for all targets except h1-hard.
nice ❤️
anxious
?
To play against your rootkit
i was doing one in user land to leave open src
it's not very featureful, given that it's basically a weekend project. But it has the essential features I wanted. But yeah it's kernel space
nice!
it's not particularly resilient or persistent though. That's not where I spent the time. It'll be v2 stuff
Anyone up for a game?
20 mins
20mins
10 mins
@steep agate Mind if I dm?
no problem, you can message me in dm
Thanks
Anyone up for a game?
In 11 minutes…
You guys want to hop on voice chat?
Thank you @steep agate
Gave +1 Rep to @steep agate
😄
it's not a trap xD, I put SUID in bash, you probably must have been my persistence in .bashrc
15 mins
@steep agate HUGE respect for you friend on your defense strategy once the box is rooted 👏 One day I'll figure it out . . . until then I'll keep getting nynynynynynynynynyny'ed 🤪
do you have to have a certain level to play KOTH
no certain level, but you do need to set your experience level in your profile under "about you", it has to be set to intermediate or advanced
Is it against the rules to change the password for the admin account of a login page?
Changing passwords is allowed.
Ok good. I did it and then afterwards I was wondering if I broke the rules haha
If you want to invite other people, try to share the invite link as this is the spectators link.
OH LR THX FOR LETTING ME KNOW
Gave +1 Rep to @nova tide
(didnt mean to put caps)
hm do i also have the attack machine on koth, or do i need to vpn with my own?
dunno if there is split screen and ability to open the attackbox from the koth page but yeah you can use the attackbox if you open it in another room and then make it have its own window... as the vpn is the same for koth and normal rooms and stuff
ok, ty. ill try 🙂
hi, i've got a question about KOTH
there are 3 of us in the room and none of us scored any flag. Why is one of us getting points for being "King"?
he probably has his name in the /root/king.txt and just forgot to get the root flag
or can't access it
jup
that's how koth works
When your name is in king file you do get points every minute .
Can jump on later after work if you’re still looking to play later
yea ofc that will be a lot fun : )
I'm about to stop playing koth, and I want to leave a memory for KoTH players, leave my tricks that I used in koth, so I could make a GitHub repo, with all the machines, teaching how to patch the machines, protect the king in many ways, web apps, etc.? Or would that be too much against the rules? @short tusk
or would it be better to simply write a blog/article, where I talk about the tricks of defending crates, patching a webapp, protecting the king, etc.
I don’t think that would be against the rules since there are already GitHub walkthroughs and more for the koth boxes… I would like to see your windows tricks 😉😉 though..along with some of your lkm’s 😎.. proper patching would be helpful also
Hey, that is one excellent idea, as of right now, we support and have no issues with players publishing writeups of machines.
Feel free to make blogs and spread knowledge about this.
It would be a big spoiler for anyone who is starting out, so maybe add a note saying, 'heyo it's a spoiler ' but other than that I don't think it can be of any problem.
@nova tide any thoughts that I missed?
ohh, nice!!
sure
I'm going to start writing the posts, and when it's ready I'll send it to you
@steep agate#0 I would also include ways to stop some of your king techniques…. Just to make it fair… cuz imagine if everyone had F11’s v4 lkm with no way to stop it…. Would probably kill koth as people would probably abuse it….
My syscall write intercept is similar to F11's, but if you read the code, research and study more, I'm sure it will be stronger than F11's, besides, I'm going to put a command that completely blocks the insertion of any LKM, and for you to be able to put LKM again, you would have to restart the machine and that is against the rules, but for that, you would have to be faster than F11snipe, because if it loads first, it won't do much good 😄
Maybe…. But honestly I think F11’s will have it beat every time only cuz I know which syscall he is hooking and without spoiling too much I think his trumps the write syscall
But the lkm blocker would be helpful if you could load it first…
There is the LKM that blocks the insertion of new modules, however, this LKM basically breaks the entire koth machine, and there is another way to block LKM's using a command that I will leave on github later, but for this to work, you would have to be very fast to the point of running the command first that f11 enters
yup, although my syscall write intercept is weaker, it works, and it's worth reading the code to understand and start researching
But just being able to read and analyze your code for the write syscall would be helpful also… let me know when you release this I will take a look at it @steep agate
I still have to see when I'm going to release this, because I haven't even started writing yet 🤣
We gotta get that rematch in before you quit playing also 🎉🎉.. maybe one last tournament or something… @steep agate
ya hahaha
I stopped playing a while ago too. Maybe i will drop a github repo with my scripts and tricks too
btw. Matheuz i will probably drop the killswitch for rootkits so they become completely useless
right
@stiff egret any guidelines AGAINST setting up community events and tournaments for KOTH
Nothing solid that I know of but please make sure you have it in loop with Community Admin(s) so everyone is aware what you are going to do.
The overall question is rather vague so Just ping them directly, describe what do you mean by comm event and tourney (what you are going to do, how much THM will be involved etc ) and then if they see any issue, it can be closed off.
thoughts? cc: @nova tide @short tusk
Yes^ please run community events by the community manager.
We need to ensure we can accommodate and keep an eye.
community manager
who is?
You’ll find more information about that when the team is ready:)
Hey @fair adder Have you read this?
No worries, was thinking about something for us like a competition, who is the best Koth player and all. So thought I’d check
@fossil pecan
🤔 maybe we can get challenges into a community event?? Guess we just have to find the community manager…..
when does koth usually have the most players?
i just tried to join one and nobody else was on
20 mins
@stiff egret can i post the reference to the github repo here? It doesnt contain flags or entrys or something similar. I hope this will give beginners the killswitch to stop some of the og's from just dropping their rootkits and leaving.
Can someone help me with this error please ‽ why am i getting that error : (
ok i will just drop the link and hope I do nothing forbidden: https://github.com/Terraminator/thm-koth-tricks
Well which error are you referring to?? For the wget error did you have a http server running python3 -m http.server ? As far as the bash errors someone could’ve messed with the /bin/bash binary or you could be in a restricted shell 🤷♂️.. vpn looks connected but I see that message at the end… did you try to reset your vpn ??
Yes I'm talking about wget problem and that vpn thing
No I didn't reset it
How can I ?
just hit regenerate on this site to reset
ou ok
fk sry
i did it on wrong channel
I have a lot to learn - thanks!
Gave +1 Rep to @jovial field
Im a noob does anyone else want to try koth out?
I’m down
Just saw it now, great blog, appreciate that you didn't entirely spoil everything for new players.
Cheers 🍷
@stiff egret dude thm's openvpn is down or what ??
my vpn connection just stays for a few secs, and randomly again I get ping back and it goes off after a few ping requests.
game is gone entirely https://tryhackme.com/games/koth/76223 😂 due to connection issue.
btw i've tried all possible things to be done. tried regen vpn, tried new location, but nothing is working.
I'm getting to the final parts, I'll update my repository as soon as everything is ready 😄
@broken pilot bro you are awesome. I really enjoyed it, how many years have you been playing ctf?
KOTH A few months ... under a year. Just started getting into actual ctfs
Hello everyone how are you? Hope well 😄 . Well, after 2 years, I finally updated my tryhackme koth tricks repository with new tricks, I hope you like it, anything I'm available to help 🙂
Nice work :)
thanks 🙂
Joink
Cool stuff. 
thanks 😄
Gave +1 Rep to @fast copper
+rep @steep agate
Gave +1 Rep to @steep agate
Terrific post! You guys are awesome and certainly have skills. Thank you for the great information!
Gave +1 Rep to @steep agate
😄
lets play in 15mins https://tryhackme.com/games/koth/76815
20 mins
are koth beginner friendly ?
i mean i reached the easy-medium level on CTF in thm, can i dive into koth ?
Sure you might just need to edit your experience level in the about me section of your thm profile.. it will need to be set to intermediate or advanced in order to join any games
thanks
Gave +1 Rep to @broken pilot
hi every one
10 mins
20 mins
do the private games get listed under recent games
or in the https://tryhackme.com/games/koth/recent/games endpoint
They shouldn't
Anyone want a game?
@fossil pecan Mind if I DM?
Sure! 👍
jump on guys
anyone want a game?
Hey guys, the actual round of KotH is almost over... it was the carnage machine.. i found an img upload page which i think could be an entry point if i can somehow get around the restriction to pictures. Could someone explain to me how that might work for the next time
@fossil pecan did you get it via the upload portal?
Yup! Feel free to DM me if you want to chat and ask more questions 🙂
when should i start doing koths
Can start anytime! Helps to be somewhat familiar with challenge boxes in general, like scanning and initial access, then privesc, etc
I'm happy to help if you have any questions, or want to try out some private practice matches first! Feel free to DM me if you want 😁
Hey bravosec, good game man, sorry for killing your session every time ... xD
But in Public koth games, the users are just directly exploiting the flaw, since they already have experience doing the box. it just ruins the fun for beginners who have no idea. I would prefer starting with private games with friends.
hey any body there?
Anybody know which room this is?
h1-hard
yah thanks
Gave +1 Rep to @steep agate
Yo bro I saw you in a room just few moments ago
Any body playing rn?
except if u dont have friends lol
looks like I have a new one
Is there a way to find a chattr binary if it has been renamed or is the best way to get past a chattr binary simply to get your own version onto the box?
It would probably be a lot easier to have your own copy of chattr … but even if you don’t have a copy of chattr , a chattr locked file can still be bypassed without unlocking the file..
From what I'm reading this involves having some sort of program having the CAP_LINUX_IMMUTABLE in the effective state? But wouldn't I still need a program like chattr to make this modification?
a program like chattr? sure you need to implement setting the immutable bit. Therefore you can read into the ioctl syscall. If you want an much easier way. Just get your own chattr binary from busybox.
Oh of course I could just write something with ioctl() in C and perhaps even C++
Or python … or still bypass the chattr lock all together…
How would one bypass it?
You could just mount over the chattr locked file… with an unlocked file
mount --bind -o ro /tmp/king.txt /root/king.txt this will mount /tmp/king.txt over /root/king.txt and also make /root/king.txt a read only file…. This can be reversed by umount -l /root/king.txt
Think I've figured it out. mount --bind source target.
Where this makes the two files linked together. Which seems like a bypass
And matheuz command will download a static chattr for you
So while it's mounted, the file in the example you gave /tmp/king.txt is the one that is actually being read instead of king.txt. Think i'm understanding it. Thanks guys!
Yea
if you want to try out the mount trick you can read the command in here: https://github.com/Terraminator/thm-koth-tricks Matheuz got also a good repo for koth tricks
Just looking at it now, Thanks a lot!
you can try ddos
why does this link look weird
free rootkit and true wisdom you just need to press f11 when you see the screen of the virtual machine to establish a connection to f11snipes power
CAN IT HARM MY PC
no it is free and harmless for your PC
just press f11 when you visit the site as fast as possible to protect your pc
Yes because i'm a hacker 😎 😳
guys i have just found 6 or 7 flags on (https://tryhackme.com/room/kothhackers) any ideas where the rest are located ? , btw i have done (find / -type f -name .flag 2>/dev/null)
rather than find use grep -ri "pattern" <dir> 2>/dev/null 😉
Or that. 
(It will take forever tho)
i didn't get what u mean but i did some like (cat * | grep -i thm)
on some folders which have files with txt,css,html etc....*
guys is this a flag
{plague august14 02c2704c036a25d997ca09461eaf8d92}
grep -rioE "thm{.*?}" /etc 2>/dev/null
no
ig total are 9?
yuh 9 so still 2 left !!
try this in /home, /root, /etc i m sure you'll find em
/var
home,root,etc r all done but var has nothing
etc has one on the config file
yup var has one on the ftp which was the first one found it !!
etc has 2, and check after connecting to ftp , explore port 80 website pages
can't give more hints
ok thnx
have fun 🚀
y'all sure this is not a flag cuz till now found the 8th one n this looks like the 9th !
i tried to do something like
thm{02c2704c036a25d997ca09461eaf8d92}
haha
uhm all flags are in format thm{...}
thnx all guys 🙂 ! , found all of them , last one was in .css 😉
thnx , especially u who gave this command grep -ri
9 minutes left guys
Can someone help? everytime I play the machine Offline, the king server is always not working
Is anyone interested in a tournament for KOTH?
Mind if I dm?
sure
When’s the tournament??
Still in the planning phases and all. Just got logistics and everything to sort. Maybe prizes (idk what I’m doing on that front yet)
Dm?
Sure
Im down too
I'd be happy to help anyway I can too, feel free to DM if you want 😄
I'm wondering, are there really 4 flags in KOTH Production machine? Or there are just 3 and I missed last one?
it is 4
Okay, thanks
👋 @fossil pecan
hey! sorry i got distracted and missed that game 😛 ... till next time 😄
I would be interested in participating
Koth time koth time
in the rules it says
"Scripts that automatically hack(autopwns) and/or harden the machine are forbidden."
Does that include stuff like.. the vuln script on nmap or linpeas?
To my knowledge that would be a no. There are scripts out there that are created specifically to do enumeration, and then from what they gain they start automatically trying to exploit the system and then escalate. Those are the only types that are banned, because it can be unfair or break a lot of things. Even programs like metasploit should be fine since they are not automatically trying to attack the system; you still have to determine what attacks to use and how to use them.
Okay thank you. Looking to try my hand at a game soon when i have a bit more free time
Gave +1 Rep to @leaden panther
Never played a KOTH game on here, quite a bit of fun. Just finished my first game
is the tournament still going on I would like to join
Hi I'm root in KOTH and I cannot add my username to king.txt
I was in your game
Ohhh you were going up against matheuz…. It’s a little harder to take king from matheuz lol … it can be done but you will need more than a chattr lock lol…
Can you help ?
Sure … I can point you in the right direction.. but you will have to do your research to understand different techniques…
Ok
Thanks
Gave +1 Rep to @broken pilot
So he's using what techniques ?
It would be hard to tell without being in the game but there are certain things you can look for that will let you know like what errors do you see when you try to put your name in king.txt
Usually with some of the better players the techniques used will be based off your experience…. For example why use a rootkit to take king if I can get the same results using a chattr lock… and then if you can take king from chattr lock the next technique might be used
I don't understand
Basically the more you know , the more advanced techniques will be used against you…
So if I'm against him again what do I do ?
Well it could be a number of things… it would all depend on what kinda errors you see… could be a script, could be a mount, could be a chattr lock, could be a rootkit, could be an Alias, could be a cronjob, could be a combo of these 🤷♂️. Dm??
Here’s a stream that explains one of those techniques along with a few more tricks for protecting king . https://www.youtube.com/live/wIDdrY-opPU?si=sDP_rC2VUZKZQYSI @slender frost
Playing KoTH and building cool tools & scripts!
Thanks
Gave +1 Rep to @broken pilot
There are no error when I run echo "TheGamerYoyo" > /root/king.txt
But when I do cat /root/king.txt there is not my name
Can mention @ here ?
To invite to a private game ?
Another good thing would be to read the tips matheuz released maybe he might be using a technique from there #room-help message
he's intercepting syscalls, once you got access to the box you gotta disable adding lkms to the kernel this can be effective with a script or a loop.
I didn’t understand but do you have a script for this ?
I do DM
yo @civic vortex are you bravosec? https://tryhackme.com/games/koth/80435. just wanted to join the game a bit late and only two ports are open, it should definitely be more
PORT STATE SERVICE REASON
7777/tcp open cbt syn-ack
9999/tcp open abyss syn-ack
also ssh on port 7777 is denying any request
you are not allowed to shut nearly every service on the machine you know
I still see no reboot