#koth
In a way, it's very difficult for you to "defuse" an invisible rootkit, it's not easy... there are anti rootkits but most of them don't work
gg @young bramble
I think you got the critics from my github post. The thing is most people don't have enough time to build a working rootkit for every koth kernel and like @steep agate said it is pretty hard to remove them. It is possible to remove less sophisticated rootkits but there are hiding techniques where I doubt the "defuse" of matheuz would work. Without rootkits it is more a "live" fight between players and not a fight against a rootkit that may take a few days or more
I guarantee that "defuse" works, you will see it in my zine when it is released haha, I will also write in the zine some not very common detection methods
It's interesting research, but of course, as there will always be a bypass for an EDR/XDR, there will be a means of detection, the same with the trick I'm going to put in the zine
Use rootkits against strong opponents, but I think against normal players I don't know if it's worth risking using more advanced techniques
can't wait
yeah i am also interested with what trick you came up with
so much so that this trick, in a test with @fossil pecan , I managed to defuse his updated lkm rootkit, so it's really worth playing against opponents like this, as it forces you to learn more things
hey, I'm not touching /root/koth binary in any way
yeah but you're using a custom koth binary for king
Just that name of my custom binary is also koth since I'm "playing" koth, compiled from koth.c
bruh
See, it's cheating if I do anything with /root/koth binary or port 9999 which, I've not.
If you wish then, I can share you source code to koth.c
nah i thought you took over port 9999 using another binary, cause /root/king.txt had my name
sorry anw gg
kk lol i trust you
oki then
it was fun though playing with you, normally i see 1 king change but this game was fun!
lemme know if ya wanna play more, i didn't use any of my good tricks, too lazy haha
nah, time for my lunch lol
Are there any Macintosh KOTH boxes?
Doubt it.
I imagine there's no appeal, but eh
You can't run macOS on non-Apple hardware.
Hrm, not even on a VM?
Nope, it's against Apple's EULA.
I see. I know quite a few players dislike the windows boxes
Costly: Mac instance types on AWS are provisioned at a minimum cost of 24 hours, enforced by Apple's OS license requirements. So even when a Mac target machine would be used for less than an hour for a KotH game, it would incur the cost of 24 hours.
Hey, out of wonder, which window manager do you use?
it seems pretty good ngl
bspwm
thanks, I really appreciate it
Gave +1 Rep to @obsidian lark (current: #616 - 6)
Playing my first koth, hop in if you want to join
Getting smoked lol, can't figure out how to properly set up for an upload vulnerability
I'll share you something after the game ends.
I would really appreciate that
xD
and naryal2580 spamming his koth binary causes the machine to halt :/
bruh I'm not sure at all what's causing machine to halt plus I execute the binary only once
while true; do ./koth; done &
./koth & disown
this time makes me wonder why didn't matheuz play
actually, doing this would simply throw a lot of error on my face.
I liked the way you created the folder though, made me learn new thing
loads directly to memory maybe
I've found user's binaries on other games but never on koth lol, I feel I'm the only one who runs being so exposed lol
I would like to know too
koth is great, until you start looking through the box and find folks messing around with cr4p, ruining the usability of the box.
no bueno
playing valorant haha
what?
Last game i played, the passwords for usernames were changed, making initial foothold near impossible
There is always more than one way to get into the machine, don't just rely on credentials
4-5 ways depending on the box
And that doesn't make the game impossible lol
Correct, but the ports which were open would be good indicators for gaining access. From logging in to API access, vftp, or funky ports with nc
I didn't understand your point lol
what was the box?
because i can confirm that without creds u can get a foothold on the machine
but yeah consider that most players change user passwords once root
The box was hackers, ironically so
My understanding of rules was you can patch and such. But not make changes to application functionality or service changes
huh
Same but not yesterday lol
You're free bug pts I'm in lol
well I did hunt for flags instead of root
Immediately shut down my pc
someone attacking other users or just trolling?
nope he ain't attacking me, it's a legal thing
idk how it works
xD
lmao
cat /dev/urandom > /dev/ptsX where X is the shell you are in
nyancat > /dev/ptsX
thanks ! mate
ssh user@ip -T
what's this one?
gg @north wolf and the others that i can't ping
@civic vortex u are not supposed to delete /lib buddy 
I didn't, why you think I did?
because before u got king i could use chattr
and after u got it i tried chattr and got this
so idk what u using but it seems that u deleted /lib
I only assume someone did something after looking at command logs
I got king and went and played my game
nah this looks like someone loaded a usermode rootkit without building it on the machine
check /etc/ld.so.preload next time
(and the env var)
hmmmm okey idk about it
for reference read the notice in my kirito rk on github. I encountered the same problem
im reading this thanks
Gave +1 Rep to @jovial field (current: #700 - 5)
there is a solution by using an older glibc here https://github.com/0xleft/elf/blob/master/build.sh so you dont have to build it on machine
sure this also works
i would still recommend statically linking the rk
because else you may break other binaries loading the older version of glibc and the newer version
statically linking glibc?
at the same time
i compile my binaries on an ubuntu 18.04 vm and works fine with all koth and btg boxes
nah either you build on the machine itself and use its glibc
or you statically link it or you bring the glibc required with you
and sure you can compile on a similar machine and get lucky
Next time do something to fetch command logs before blindly blaming people 
glibc is backwards compatible, you can use a very old one and it will work on most machines
hey /tmp/mk0 is easy to find lol
what i mean is maybe the old glibc is setting some flag like abc=1 and the newer is using abc in another context or uses another value
it just isn't good practice
fair enough
just saying there is a way to avoid compiling on target and statically linking glibc
sure thing, definitely worth trying
you compile your own chattr using --static?
This happens because you need to compile your binary statically, otherwise it will obviously give errors with lib and compatibility
nope i already have it on my machine and curl it on the koth
okey i didn't know about this
execute: file chattr
@violet zealot
If you compile something on your machine, most likely, especially on koth machines that are very old, it won't work, you always have to compile chattr, etc., statically in order for it to work
okey so i have to curl the c program and then compile it on koth machines?
you have to compile your binaries statically
thx i'll check that for next games
nice
im trying to get as much documentation to write my own script
btw ur demonizedshell is pretty cool, didn't try all features
thanks! There are still more features to add, I'm just a little lazy to update some things haha, even so, it's a good script to learn persistence and use them.
TBH, I would just google the error message, reporting someone for that stupid issue looks like a skid
Hey, please do not be rude :>
Sorry, he/she reported me for something I didn't do, and did not apologize, like nothing happened. As a human being, I will get mad
Did they report you? It looks like they addressed it appropriately and was informed kindly that what you did wasn't against the rules.
I appreciate that you can get upset but it's important to treat everyone respectfully here.
If you did nothing wrong, then the report will be denied after our team reviews it :)
Sure, I will keep that in mind
Hi Terraminator, can you please send the link to your github?
his username on github is the same as discord
you can also click on my profile there is also a link to my github
Thank you!
gg @verbal viper
any one online? been waiting in lobby for 1 hour
@steep agate afk ?
yeah
Hey correct if I'm wrong should I be posting this here or at #site-bugs
I'm not a part of this game and still able to see the machine's ip
i think someone just fucked up the game with rootkit abuse or whatever
i doubt it maybe technical issues?
idk we had a few bugs during this game, while the king file was empty but someone was still king...
maybe someone messed with /root/koth binary?
well we can't say for certain maybe it is just a technical issue
maybe he did something?
i think the box brokent
broken*
@violet zealot the port 80 is broken no?
I've had a handful of machines where either some ports that should be open are closed, or all ports are closed when some should be open
this is a lion machine (koth). I did play it quite a few times, and I do remember that port 80 was open. now it is either down or blocked by a firewall (which is against the rules either way).
Actually, speaking of which, is chmodding the king.txt against the rules? People keep doing it but it's not technically in the rules
u talking abt chattr binary?
Idk what chattr is
it allows you to block anyone from editing a file
even root
or admins
So just kill chattr should fix?
haha no
u need to unlock the file first
then you can remove the binary
Gave 1 Rep to m4lisio (current: #1024 - 3)
@violet zealot
once, while playing koth, they did this traffic redirect (which is certainly against the rules), it could have been the same thing that happened to you in that game
this is a known bug in koth
never encountered some dirty player like that xD
Damn 
This issue arises intermittently due to heavy traffic on /root/king.txt. This traffic overload can happen when loops that write or manipulate /root/king.txt run without a condition or a sleep. As a result, conflicts may arise over the rightful king.
If anyone's got an issue with the koth game, write it down here. I don't personally like to cry the moment someone does something horrible while playing, I've just ignored it (except for the first time).
It helps us find the person really behind mischief than someone else being accused.
Please make sure you are reporting rule breakers to support@tryhackme.com
or the chat thingy on the bottom right, thank you for pointing out where to report.
Gave +1 Rep to @short tusk (current: #6 - 1219)
How is Matheuz locking the root.txt? I can't modify it even if I have root perms
bash: king.txt: Permission denied
Prolly he's using chattr
How to counter this?
the immutability bit from chattr most likely
How can I get my name in king.txt with the chattr activated?
One of the attributes it can set is called the "immutable bit." When the immutable bit is set on a file, it prevents anyone, even the root user, from modifying or deleting that file.
So I can't put my name ?
First check if chattr is present in the system with: which chattr, then run: chattr -i /root/king.txt; echo "younick" > /root/king.txt to remove the immutable bit
If chattr is not in the system, upload your own to the box
Didn't wotk
work
Matheuz name is still in king.txt
Even after I removed the immutable bit
what was the error message
oh it's prolly a rootkit then
And how to counter this?
Haha, check out dmesg! Mathuez is quite the clever cookie; he won't let his rootkit show up that easily!
type yeah
cat: /etc/ld.so.preload: No such file or directory
@obsidian lark
hmm, it hides from lsmod as well
So what should I do?
So there's almost nothing you can do, other than enumeration within the box. Matheuz is good with kernel stuff, his rks are almost unbeatable. But, you can still try, there are some places on the system where rootkit's data is visible ig. Tools like strace and ltrace can also help. Good Luck!
guys what can it be?
prolly a loop
you gotta find the loop's pid and kill it or you can remove the binaries (only ones that are uploaded) the loop is using
but removing the binaries wont stop the process
let's say the loop is using chattr, if we delete the chattr binary. The loop will produce a bunch of errors, breaking the whole process. (This is what I've seen, im pretty sure it works)
I don't know, it would probably be wiser to hide the binary somewhere because you would have to rebuild chattr, or upload a statically compiled binary in the future. Someone else will just find a way to set (and remove) the immutable bit, and you would most likely require chattr to remove it again.
Yeah, hiding chattr is a good way to persist king. If ppl have no idea where you lock /root/king.txt, then king is yours (most probably)
i mean sure if you loop is referencing an external binary like chattr and you remove it this will break the loop
but let's say you have a binary which sets the attributes via ioctl, linux doesn't care a bit if the binary still exists. The process will still do its thing
good point. This also shouldn't be overlooked. Additionally, some could just run 'find / -name chattr 2>/dev/null' and it would work, assuming you haven't renamed your chattr binary.
haha! Great point
Rookie mistake there.
Wdym?
Not renaming chattr if you are hiding it.
chattr can be found using its size (bytes) if it's the original busybox binary.
there are more ways to hide, like changing timestamps
Oh, I didn't know about that method.
I use a custom ioctl binary as Terraminator mentioned
plus using a static bash will hide (bash scripts) from pspy/snoopy
I'll try these out in my next koth game.
Maybe creating our own loop that runs faster than the other player. Their command might log onto Snoopy, but if we can find a way to make our loop quicker, we'll have the upper hand.
thanks pal! did help me win a game.
Gave +1 Rep to @obsidian lark (current: #562 - 7)
some people just don't know how to lose a game
wym?
you found massco on a game? lmao
he stops services, moves/removes koth binary, and on top of all uses iptables to configure the firewall to not let other ips access the box
look at his terminal
damn what a weirdo
i just see a closed session so he could have just killed his shell
If there is someone breaking the rules in koth you can report it to support@tryhackme with the session id
ikr most players have reported him but still he's there lol
yeah @steep agate is cheating too but still here
Hey! I've reported quite a few times with evidence. However, still no response from THM
(im joking plz dont hit me)
nah mathuez is goated
damn that was fast...
in linux, poweroff does one single thing: shut down. And this is mentioned in the first rule of the game. Of course if you know how to read. It's not the first time we see Massco failing to obey the rules. I'm not mad at him, I was waiting for him to spawn reset, reboot, shutdown, flood the terminals or kill shells... but I was disappointed to see the methods he used after initial foothold, lack of fair-play and sometimes lack of basic knowledge. For example you don't upload pwnkit if pkexec is not suid anymore. Just a waste of time
upload pwnkit and use your own hidden suid bit polkit/pkexec
Hmm, that works too. I didn't think about that.
suids are found easily. I've recently found that giving capabilities to a binary can be a better method to have a hidden backdoor that is not suid but gives you root instantly
true
but capabilities are also easy to find if the person knows what they are looking for
Using find is going to find the suid bit on your hidden binary anyways, huh?
how many search for that ?
shadow generally does nowadays
some few ctfs on tryhackme use caps
Hackers machine on KotH also has a cap_setuid on python3.6. This is where I got the idea of making my own password protected shell with setuid capability
who's a1mr?
he constantly logged me out from shell
im not saying hes cheating, just wondering what he did
i had to spam my commands again and again
never typed that fast on a keyboard
spacejam has a dangerous initial foothold as root on port 3000. he can kill all your shells from there if you don't patch it
he probably went 'netstat -anp | grep ESTABLISHED' and did 'kill -9 YOURSHELLPID'
yeah i didn't patch cuz i had like 5sec shell every time
when players don't know too many ways to protect king.txt, they are busy with other users' shells. This is a lack of fair-play
i just had to spam ssh root@ip > echo "mk0x" > king.txt
kicking my shell but didn't protect king file at all
5 seconds are more than enough to kill his sessions too, if you know how to spot them and extract their pids (even of hidden ones). or if you are using a webshell, you can even pkill bash;pkill sh
yup i knew what his pid session was but didn't have enough time so i gave priority on keeping king.txt than kicking his shell
You won, but I guess you did learn something from this. and next time you can be more prepared. In the end, it's not that important to win, but to learn and have more tools ready
I did once kill one user's shells because he sent /dev/urandom on all my terminals. And the one-liner script I wrote to kill all his shells every 5 or 10 seconds was something for the moment. But if paranoia hits you, or the user is so bad and toxic, you can easily change it to kill shells every 1 second
yeah but i don't really want to add shell kicking to my script, cuz if nobody can log to the machine what's the point of playing koth?
exactly. This is only for those players that just don't understand the rules or the fun of playing the game. Having the one-liner ready doesn't mean you should use it in every game. And BTW you need to adapt to what binaries you have available on each machine (netstat, ss, lsof, etc.)
lol would just have done something like cp /usr/bin/bash /tmp/jehsjyjcikmd && /tmp/jehsjyjcikmd
Yup i do the same
why?
because he probably is just spamming something like pkill sh and this won't hit me like this
and as soon as I have a few seconds I would try to either create persistence by pulling my persistence script or i would try to find and kill his sessions
am i not supposed to be asked a passphrase?
someone deleted public keys
i dont think so because the guy with me don't have any access
bad perms then?
Maybe adding this could work in the future
-oHostKeyAlgorithms=+ssh-rsa
why?
AFAIK, sometimes for older SSH's you need to specify type of key encryption. Default one could be something else than ssh-rsa (like some aes or hmac). I've seen it once or twice even in tryhackme boxes
Depends on whether the SSH Daemon has been configured to allow password auth
Oh, wait, you did specify a key. Missed that. Ignore me lmao
Oh, actually, this could still be the case.
Disabling password auth and rotating the keys so you're using an invalid one would give you an output like that.
ooooh okey maybe that's it
i'll try next time thx
hackers machine is regenerating the ssh key and credentials every time it spawns. You cannot have initial access with a saved ssh key for user gcrawford because it is different. You have to login in another way, get the encrypted key /home/gcrawford/.ssh/id_rsa ... then crack the passphrase for the key (ssh2john & john+rockyou) and after that you can use ssh -i id_rsa gcrawford@hackers with the cracked passphrase
The fastest way to pwn is through /backdoor in the web server. A custom fuzzer or ffuf will find the password way faster than hydra.
That's what im doing now, but honestly i find hydra pretty quick on this one
nah just try ffuf with more threads you get pwd in like 3-5 mins max
Hi there. Is it in terms of hardening correct to change found weak credentials on an service? Or is this prohibited?
Yeah it's correct. That's actually one of the most popular hardening technique here
@coral bloom How did you protect that king file xD didn't find any shell script or crontab.
Maybe there was something going on with chattr?
@north wolf GG
i don't understand how to root carnage
i thought i had the privesc but nothing works
gtfo find (shell)
depends on the user you have creds for.
For example, find has the suid bit but only the user booba can use it
vim.tiny has the suid bit also but only yooda can abuse it.
and lastly the user Duku can use /usr/bin/netnetkit-ftp
I was doing the po koth and was bruting the pass for po but wasn't working. It was fine bc I used hydra instead but can someone explain why it didn't work
https
how?
how what?
https?
sorry im not getting it. It's https and not http
lol never seen a box have ssl in thm
@blissful swallow
@fair adder Problem with url i guess?
try adding --disable-tls-checks
and look
or try with the domain instead of ip
okay, will try all that next time i do panda koth
what arch dis do u use
(i see the arch logo through the image u sent)
also i like ur profile pic
hahahaha that is kali with bspwm and i3. I don't got time to rice arch for pentesting
me too, (Elliot goated)
yeah my bad i did it wrong
@violet zealot /boot/koth.sh
?
i only have 1 script and it's not that one
you sure about that?
then what's check and guardian lmao
pretty sure yeah
oh i see
but it's not mine
just let them in my script but i just curl them
mounting and unmounting can cause the machine to break and lag
you want proof?
but yeah im just doing some test with my script, that's why when it broke i let u on the game
/bin/bash ./check mk0x
oh but that's what i said
/bin/bash ./guardian 10.8.15.228
@short tusk should be able to clarify but would think it is against the rules too
idk because many people change binaries permissions so i guess it's okey
before doing it too i got in a few games where i couldn't curl anything because of that
Just because people do it doesn't mean it's okay haha
anyway if it's against the rules i'll change my script, i don't really care
absolutely
but when i see some of the remaining players (even top players) playing against the said rules and keep staying here im a lil confused
but yeah if u tell me to change it then np i'll change it
I'm okey with it since just a simple command could solve it.
But idk if others are okey with it
every player from time to time breaks rules, whether intentionally or not
@sharp siren why i couldn't kill ur shell?
I paid thm to not let anyone kill shell
xD
?
I just got ghost pinged, may I know why?
my bad
meow.sh doesn't sound familiar?
yeah?
he was referring to your script xD
how to break someone symlink on king file?
do we have to find the linked file or do we have another method?
unlink <path-to-symlink>
this blog can help too https://www.freecodecamp.org/news/symlink-tutorial-in-linux-how-to-create-and-remove-a-symbolic-link/
echo -e "meow\nmeow" | passwd root
irony is that I found it here, a game without mk0
probably skoll he's a friend and i gave him my script (not the same one now but an older version)
@near lily
generally you can list symlinks with commands
cool, now I too have it.
gg
hehe
gl hf
u too
anyone wanna join in
here's another one if you want https://tryhackme.com/games/koth/join/dda193be2662925a23f50f50
yea, whats the link
i was afk
who's killing my shells?
good game @sharp siren
GG
Do You Passively Farm Points If You Join Late or What's Happening With Scoring System? (Given That Noone Has Flag)
usually the last person to join the game will win if there is a tie
Isnt That Rigged? D:
it can be abused .... or don't go for ties. Usually when players are battling for king there's rarely a tie unless it's intentional
but say no one got king or flags then last person to join wins..
idc lmao it's an old version
and honestly i don't hide that well my script, some people here may have it and it's okey
he thought he can escape matrix.
Every Flag Is Fixed For Every Challenge? I Played KoTH Food CTF As A Box And Now I Just Pwned The Flags D:
Also What's Up With Port 9999?
Port 9999 is the KoTH service
Yes most boxes are the same as the previous time you played them, there's a few that change ports and credentials tho.. take good notes on the boxes you play and it will help you save time next time you play it
o7
anyone have an issue with symlink?
in previous matches i had this issue where i get an error saying the file /root/king.txt already exists
when i first implemented this technique to my script it was working but seems now it doesn't, even if i try it manually
probably reduced privileges.
maybe but it's not supposed to be the case
i did this box a couple of times now and could always use sudo on that one
You do realise that you're meant to patch the box when you get in, right? 
That includes removing dangerous sudoers entries.
i.e., just because it let you do it last time, doesn't mean someone hasn't patched that vuln this time
yes?
I don't know any php so I decided to remove it to push you to explore other ways to get a foothold
?
lol, you delete all web pages on the machine, just because "you don't know what is php"?
No I dont know how to patch it
anyway, this is against rules in public games
is it against rules? don't seem to find anything
??
in rules
wtf
If you don't know how to fix a path to root, will you remove all users or everything on the machine?
no
the service is still up.
didn't stop the service
idk what I did against rules.
If i did something wrong sorry
but still not accessible for other users
I apologize
i didn't use iptables or something that blocks users' accessibility
the port that runs the web page is still active, but is not accessible to other users because there is simply no longer a point of entry into the web
is it against rules to delete web pages?
i see, thanks, not going to happen next time.
thanks for pointing it out
Gave +1 Rep to @steep agate (current: #148 - 47)
This is not directly in the rules, but clearly if you delete the web page, it will disrupt other players, making it inaccessible/unavailable, and this is against rules
I see i see
nobody got in so i excluded this case
@sharp siren if u don't know anything about php it's okey, u can find patched versions on wu
haha. Did figure out how to prevent rce in that machine, but thanks
I mean, these machines deploy from golden images. They ain't gonna change between sessions (autogens aside -- and only one or two have those) unless someone breaks in and changes them.
So either someone broke in before you, patched it, and hid their session, or someone opened up an extra vuln the last time you had the machine.
I would say the first option is significantly more likely, but...
is this against rules? since changing permissions on flags is against rules
machine:Panda
yes.
wtf is happening, i get disconnected every time i do this command
and it happens every time on this machine
and the food machine is broken, it's been like 15mins im waiting
yeah, me too. I guess someone was enumerating too hard, but after reset everything was ok.
i left the game at this point lmao
anyone has an idea about this issue?
this is definitely broken...
Are you trying to escalate to root?
I think root would need to run that systemctl to actually have proper suid bit set on /tmp/bash... Not 100% sure tho since you are making a copy of bash. Have you tried running the systemctl command already? Did it add suid bit to /tmp/bash?
If so try /tmp/bash -p
how am i supposed to run it?
./systemctl
because i never had this error before, i just had to change the path and get root
does the restartserser binary restart the server?
idk about this, because it just kicks me out every time
it just connects me to serv2 as expected
Then do ls -la /tmp/bash what are the permissions
So then root needs to run this first ... Check cronjobs
By changing the path I'm not sure if you would be able to start any other services using that systemctl .... I see what you are trying to do tho... But you will also need to make sure root is going to be starting or stopping services..
???
What about if you run find / -perm -4000 2>/dev/null are there any other easy wins since someone else is already root
what is this sorcery
Or even getcap -r / to check capabilities
but what about this?
already did that
/tmp/bash -p
Yea but you are calling /bin/bash still
This happens because you are calling bash, which is in /bin, and not the one in /tmp
bruh
naaaaa
I've played against players who did loops to remove the king, lol
i can't connect to my session
i get kicked out
bruh ok...
never thought about that
bruh, killing sessions or removing all binaries when you can't king is the most skiddie thing I've ever seen in koth
i guess someone wants to be alone on the machine
@violet zealot soon I'm going to release something I made
@severe hazel i see u
me too
send link for this game haha
join or spectate?
join
lmao haha @severe hazel
Man. I got ssh into fortune but I couldn't exploit the pico SUID for some reason.
maybe someone removed u from sudoers
Was suid bit still set?
Yeah was still set. Nah don't think anyone got in yet
I could... can you get that machine when its not KoTH
yeah i got Fortuna's password
yeah ok, never played with the rootpass before.. how does that one work?
Yeah did try sudo Pico but it didnt work
Is there any way to speed up the hydra scan? (KoTH Hackers) taking a very long time aha: hydra -l gcrawford -P /usr/share/wordlists/rockyou.txt 10.10.228.111 ftp
I was in the same room, I could've easily won but I thought the usernames were for http
Anyone up for a private room
yup
Alr I'll make one and send u the link
@severe hazel bruh I'm trying to get rce and connection times out
Lmfao I had 2 ways to get rce and it can't reach back
Idk why
:8002
Doesn't it work on 8000
In the admin panel
It runs code it just can't reach my machine
idk, use 8002
nop,
Ah
and load reverse shell php
Now my VPN tweaking
Hahaah
Worlds against me
Oh it's my internet connection
It times out
Fuck bruh
I was so hyped
Ggs, that's all I can do without a proper rev shell
hello, today I'm playing Koth, after successfully becoming king (for the first time), another player first removed me then I joined again and I got a message from him on my ssh command line saying "You again, bye" and removed again, then changed the password for ssh... Anybody know how he did this??
It's actually easy, there are a few ways, one of them is when you are in a normal SSH session (not logged in without a TTY), a person can redirect a command or message to your PTY: echo test > /dev/pts/1 for example
Here are some techniques that I put together for koth, this will help you a lot against players who already play or have played koth before
oh wow, thank you......
Gave +1 Rep to @steep agate (current: #139 - 49)
one more thing, if someone continuously removes you and also changes ssh password how do you get root back..?
using and creating persistence/backdoor on the machine
you can create your own script to create your persistence/backdoor on the machine
It is persistent, however, it is easy to find and remove
oh ok thanks again...
I have a tool that maybe can help you create ideas for your own persistence script: https://github.com/MatheuZSecurity/D3m0n1z3dShell
If you want to simulate this kind of player you can also check out this room to practice https://tryhackme.com/r/room/redisl33t .
Thanks
Gave +1 Rep to @broken pilot (current: #114 - 56)
Looks awesome. Can't wait to try it tomorrow
Can't give that much (max 1)
Woops
Gave 1 Rep to trapnatized (current: #112 - 57)
@fossil pecan @bitter tree good job guys
ya it's a good game, well played!
I messed up so many times
Did you send the messages with wall
Thanks :) well played
How did you send these messages, I wanna know
OH
lemme guess
Dev/tty
If you were on a pts could be with wall 'message' or could be echo 'message' > /dev/pts/#
figlet for big font
This was my first koth win, can yall tell me if this strategy is good: after getting root, create a user and chown the flag to the user
Tried to do it but there was no point plus my python pty was tweaking
don't edit/alter flags or perms on them (designed to be found at those levels of access)
but king.txt can be edited as you want
I see
I saw @steep agate talking about catching write syscalls with kernel modules. Super interesting
Also, can we stop services?
Except the 9999
no
Depends on which services ....
Ex. Apache2
main rule is "machine continues as designed" ... so except for patching vulns, or removing other players shells/scripts - keep everything as is and functional (allowed to remove chattr binary only)
If I create a new service for persistence, I think that would be fair game.. but services like apache2 I don't think you should stop em... Just get good at taking king and can leave the box wide open for everyone
Ah okay
if another player adds a service for themselves as rev/web shell or something then you can (as patching them out) ... but anything "built into" the box should be kept alive (can be restarted if needed)
I'm sorry it was like my first game which I managed to get root
Yeah, you can stop @broken pilot hooking symlink syscalls (Oh you see what you do to her hahah this is interesting) and F11snipe's LKM for protecting king. Then I will leave a code available to remove it from the machine and also make it unusable
hehe
this is super interesting
The room was space jam, so I don't think apache mattered too much
There could've been some xss in the contact form though
So there's that
Can you stop em all tho
You cannot stop any service on the machine (this also includes not removing binaries, not removing web pages, etc.)
Yep most definitely broke the last one
u can patch the rce
I'm sorry yall wont happen again
I'm still waiting to try out the new technique and see if I can bypass
np u are starting
I was too stressed out I couldn't think about that
One of them you can do, but the other you can't haha
some people here know the rules but....
Turns out my win wasn't a win after all
I just fd the game up 🤣
It's a part of learning
I personally stopped playing koth lol, if anyone has any questions about protecting king, or anything like that in koth, my dm will be free
talking about symlink, since 2 weeks ago (or smthg like that) i couldn't symlink king.txt at all
any idea?
Oh yeah about that, I tried fuser to see which pid ran it but it respawned after I killed it. Which script did that? Or is it a cronjob
rm king.txt; echo test > ... ; ln -s ... king.txt like this?
Some players play dirty and rm -rf / when they can't take king.... But can always plan for that and still keep the game alive
yup something like that
What kind of kamikaze tactic is that lmfao
i just edited the one on ur github
I got a better one now
What I mean is that there is a way to create an LKM that can prevent any symbolic links in the king.txt file for example
Therefore koth becomes more of a speed challenge
Defending koth, mb
Yea but u also need to plan for everything when doing this, because I can break the logic if I enumerate your lkm long enough
Is there enough time for that
yup but now everyone knows the machines, how to get in etc but im just waiting for the day when thm will (potentially) add new box
Always
Mhm interesting
In fact, using LKM for any protection in itself is something very strong haha
Yeah
and u are only 2 to use it so...
im learning kernel and tbh it's less difficult than i thought
doing some secmalloc in school too
You can't haha, my other LKM didn't have many cool features (I was too lazy to put a version of Koth's kernel for each VM, compile, change functions, etc.) It's just a simple version of my lkm
Any resources? I wanna start learning too
matheuz gave me this one for learning kernel -> https://xcellerator.github.io/tags/rootkit/
I'll only play koth again when that happens one day haha
Well I want to go up against it ....
Catching syscalls sounds fascinating and I don't have any idea on how that's done
But I wanna learn
sudo sysctl -w kernel.modules_disabled=1, but that doesn't do much good, I'll give you an example, if someone loads any LKM or Rootkit before you run this command it won't work
but now im trying to understand the issue with my symlink, maybe @broken pilot could tell me more in dm?
Yeah it won't
Also noob linux question, can you "log out a session" if you kill their shell process
I tried it in the box idk if it work
Sure shoot.
@fossil pecan verify
yep but they can connect back
🤣
Yeah fs
SyS_symlink / SyS_symlinkat you know it @fossil pecan hehe
oooh
What if there's a cron job doing that though. Like killing all bash instances and you run on a sh shell
with linux you can make all things haha, even spawn powershell.exe
🤩
I mean I figured it should work but I haven't appreciated how straightforward linux is if you understand it
never do that, it's not against the rules though but imo it's just unfair
u are gonna be alone on the machine, so not much interest
Yea but won't hooking that break all symlinks...
Yeah I'm just asking if it would work
That's super unfair and I can't learn anything if I use it
Yea that's a valid tactic... Can easily be stopped tho
but yeah in fact u can write a script that kill all sessions every 5 sec
Just switching the shell
Yup
Whats usually your approach for defending king, like your goto
Besides patching vulns, I mean the file itself
Me?
(Yes matheuz I've read your repo)
playing with chattr and other perms
Ah interesting
🤣
if you say so haha, but there is a way to protect king
with symlink, rename, read, etc
Normally I won't patch anything... I will make the box more vulnerable cuz I like the challenge of fighting for king .. my techniques are usually based on the opponents skill... So I might start off with chattr. If u unlock I'll move to next tactic... If you are writing rootkits to take king, I'm looking for flaws or things you didn't expect
Prerequisite: know your shit
It will come with time... you will start to know how certain players play and can adjust accordingly..
I first need to understand linux better
I have a beginner to intermediate understanding
A simple little trick that can help is to see the directories of all processes, for example the process of the other player using bash is 1337, so you can check the directory it is in: ls -la /proc/1337/cwd
or view all proc dir
ls -la /proc/*/cwd
Why 1337
I already got several scripts from @broken pilot like this haha
just example haha
Lol least you didn't do it like someone else .... @steep agate
ah cool haxor
and others players
I can't read lmfao sorry
My brain bugged
btw, when you upload a file to the machine, don't leave your files in any folder haha, delete them immediately
I'll keep that in mind
like this
It's not very difficult, I recommend you read the source code, understand and fix it
Alright when I stumble upon spacejam again I'll try
I couldn't find where the source was located tho
Do I check/proc/pid?
🤣 yea but those are mostly just static binaries and some trolls I bring to the box, nothing too important... Although u did manage to get my persistence script
you can try next time using the trick I sent up there haha
Alr
Need to update my scripts anyways... Going to make em interactive so I can change stuff up on the fly
I wrote those when I first started koth 🤣
Kinda like the last script you got from me
that's me
oh haha i have your "cat".sh 🤣
i was thinking about this too
but yeah some people have it, but nothing wrong cuz 1 - i dont care and 2 - im changing it frequently
@steep agate i saw u
yeah, this make sense
If you ever want to practice dm me I'll jump in a private game and teach a few things I've learned
this time when lockbit was giving 5k$ to anyone getting a tattoo of their logo
open to it too
some people got lockbit tattoos 🤣
yeeeaaah
and the leader once offered a big amount to anyone who can find his name
yeah
Playing koth has helped me learn a lot of new things.. I just jumped in not knowing much and lost a lot, but I didn't quit so I just kept coming back until I could win, then just started working on sneaky techniques and improving my persistence..
tbh playing koth is really helping me in understanding linux, because u are up to use some commands that u dont need to use every day
Hahaha yea just read today that they know who he is and is offering same reward for any information on his whereabouts.... So do the police get the money now 🤣🤣🤣🤣
Do you have a subscription to THM? If so you can create a private game to any machine you want to practice on and I can see what you know for protecting king and go from there
Yea I sent u a dm
another tool that will help you a lot is snoopy
command logger
Oooo I saw u were watching a game with f11 🤣
u can upload it on koth?
🤣
yeah, you can use it in koth too
Yea
i'll try it thx
There are a lot of cool tricks that you can use in Koth
yeah that's why im taking my time to learn all that
i was just recently focusing on my certifications
I'm going to do the vulnlab AD labs, to try CRTO later
I found this useful
$ file /proc/*/cwd
Yes, as I mentioned above, it is interesting to use this in koth
tbh, I got to know about it from the above chat, But it was fun deleting .m and .t directories on random places on the server lol. Wherever/whatever opponent lands their payload, it's not gonna be there on the drive after a while!
haha nice, I have other really cool tricks too, for using koth
It'd be great if shared here, making it more fun!
I lost my last match but it was fun, because it was!
am I the only one who actually likes being defeated on koth?
Wouldn't it be cool if I shared all my tricks
that'd be my dream come true for real
staff? i have a question. I'm playing a room called hogwarts, in king of the hill. There are only 2 ports, 22 and 9999. 22 port is open, but when i try to connect it says "connection closed by server"
How have you been connecting to it?
It's possible somebody has messed with the service
Nah, I think I know what the issue is.
I just need confirmation.
?
I recommend you use rustscan on the hogwarts machine, or use nmap with -p-
Would they not already have, if they got port 9999?
second
How are you connecting to port 22?
ssh ip
Is it an SSH service
yes, 22
wdym
someone may have closed all the services too
it's been 1 second
Just because port 22 is default for SSH, it might not be SSH running.
try to use rustscan
What does nmap say?
thanks to @stiff egret for that
Gave +1 Rep to @near lily (current: #1 - 2243)
Isn't that just standard practice for CTF's?
rustscan is so much faster than nmap, using nmap at hogwarts sometimes cannot identify all ports
yeah i just wanted to ping him
do you need ports?
But that's it, either you didn't scan correctly with nmap, or someone closed the machine's services
No, just service 22.
ssh
Let's see a screenshot, lol
btw, on hogwarts machine, you cannot join in ssh on 22 port
yuh
how then
there are only 2 ports
22 and 9999
As I said, try using nmap with more threads and on all ports, or use rustscan (which is much faster than nmap, and helps on the Hogwarts machine)
Well what do you know, lol.
nmap -p- -T4 hogwarts.thm
hogwarts.thm ?
just put ip instead of that
what does that do
It's easier to use rustscan, it will identify the ports in a matter of seconds lol
it'll scan ports ranging from 0 - 65535
yeah
is it an ad ?)
i think refas is new to this
i am
They are.
they?
nwm
it's alright, rustscan is much faster than nmap and good for ctf purposes
ok
I'm trying to help you, if you don't want help I can't do anything 🤷‍♂️
that's all matheuz tryna tell u refas
yeah lol
what's the difference between nmap and rustscan?
If the player chooses to use nmap at Hogwarts, it will take a long time, and he will lose the advantage
*only for CTF's IMO.
.
rustscan is so much faster than nmap, it identifies the ports in a matter of seconds because it is faster, uses more threads, etc, but only use this in CTF, because it makes a lot of noise
thx
@steep agate uses RustScan?
waoh waoh
what we got in here?!!
in CTF, yes
is it a kali linux tool or a github?
HAHAHAHAHA
Use NimScan Bro..
thx
Gave +1 Rep to @radiant sun (current: #390 - 12)
nah, im not studying another tool...
Tool? it's just a Tool bro.
oh yeah, I saw this project on github, but I never got to test it
study 
don't do it. 
gg @broken pilot
GG. I'll be ready for the next one
anyone have any tips on learning how to solve King of the Hill challenges on THM?
I have a repo about KoTH with tricks for defending king and patching the machine
this might be useful for you
appreciate it
Anyone wanna do some Koth while calling?
im down
Sure!
starts in 15 mins https://tryhackme.com/games/koth/join/6a557ef4869ccc84bdea02d8
Would you like a game?
Sure man, @obsidian lark you also down?
8 mins ^^ public game
present
@broken pilot Can I get link for this game?
https://tryhackme.com/games/koth/98405
^^^^
join link
ty ❤️
nobody is using LKM rootkit in this game lol, and someone just tried disabling LKM rootkit lolz
I did part of my script lol
cool!
GG
man the while loops are battling.
Last machine crashed cz of it
yeah, these are firing like anything
lol yea that's wild's loop
yea it was easy to break his loop just remove /tmp/.c/chatr
why use busybox's chattr while you can chattr via your custom bin? 
lmao
yea or a python script ... i have a few different ways to set/remove immutable bit..
exactly! that's my point.
is that snoopy?
ty
Gave +1 Rep to @broken pilot (current: #109 - 59)
pspy64
i kept killing everybody's pspy64... there were a few ppl watching processes
ofc me I'd copied it to /usr/bin
I was busy watching y'all
did you get the nyancat at the end lol
nope, most probably it's this; I didn't have a pty/pts idk tf's that
lmao it's still running like anything
lol yea i wasn't on pts so probably came through funny.... i have a game also but i need to figure out a way to let the ppl i send it to control the movements....
or make them trigger it themselves...
actually this isn't too hard I think
either you go with https://github.com/hxlxmjxbbxs/pwntty and execute your binary for the user (only works if the user got a pts)
or you just go and inject your game as a shellcode into a running process
this is a bit trickier
I would recommend trying to use ptrace
injected init process
yeah not that hard to do actually
I used that for a while to hide my main process
or you can spawn powershell too