#koth
hmm, I don't get it
guys, is koth hard? I am a beginner and I don't have access to it, I would really be grateful if someone could tell me what it is (I am currently completing the Junior Penetration Tester module right now)
Hi, look at @young bramble's message just above, he explains how to do it.
Thanks, but I am asking if koth is really hard or not. I saw a few streams on YouTube and I didn't understand a thing
some KOTH machines are easy
A good way to start is to create private games (2 users required) and study each machine and take notes: scan ports, try services and vulnerabilities to find a way in, then escalate privs, and then start to find faster methods (ssh keys, crackable hashes, backdoors, exploitable services, etc.). Take good notes on each machine and update the notes with each game. Only 3 machines run scripts to change creds on startup (Fortune, Hackers, Hogwarts); the others are static, with the same passwords/keys for users
You can also find a lot of tips for each machine if you search, but it's more helpful to find them yourself and learn practical enumeration and exploitation
After you get this, the fun part begins... competing with others in the fight for king. Depending on your opponents, you might need in-depth Linux knowledge or even kernel development experience
If you need a reason to start, it's probably hard for you. But if your curiosity is pushing you to try and learn, then you have the right hacker mentality. Even if it's getting harder, it's not impossible. And you can always ask the community for help.
Thanks, will do
That mechanism is so funny
anyone up for some late night koth?
the vc seem dead these days sad
why ?
??
are you saying I deleted some flags?
I don't have to. I always win, I don't even patch. You can get root but you won't get king...
Well yeah, don't act like koth is something big, it's easy, all are beginner level, you just automate putting your name in the king.txt
And you did delete the flags, there was only one on the system, but I find it funny how people think beginner level boxes are something massive to be proud of 😂
Rootkit in Koth has really made history, even frustrating players 🤣
I think that, just like ch1, me, f11snipe, and other players who use rootkits or some cool technique to protect king, just get root, put their name in king.txt and then leave the machine, and let others try
so there is no need to even patch the machine
It is more common to see players without experience in Koth doing this when they are unable to be king
No, @timber vale doesn't remove anything, he just has very good protection for his king. If you found just one flag, you probably didn't search properly.
brother dompriv
don't join the game I join, I am a tiny newbie and you're a sage
i don't want to be steamrolled again
I've been playing KOTH for a long time
you are shaniidev?
yes sir
ok
I haven't learned ssh yet so it's difficult
thank you
koth is all about king. If you can protect the king.txt file and the koth service you don't need flags and you don't need to patch. If you can't find flags it's just a skill issue
Skill issue? It's just koth, what are you on about 😂
I have more advanced things to worry about rather than koth, and an actual career
not being able to find flags certainly shows how advanced you are
I didn’t care to find them 😂
You are making straight up assumptions about someone you do not know, who would humble you 😂
I'm not gonna feed this childish koth rage bait anymore, you have your fun man, I know who I am, that's all that matters. Now I remember why I strayed away from this discord server full of people who think their stuff is better than anyone else's 😂
if you didn't search for them, why do you say I deleted them 😂 flags are hidden by nature
Again, I haven't hopped on koth in around 3 years, forgot how they had their flags set up 😂
Not just koth but thm in general
Their pay is pretty good too, I've been with them since I was 18
Wow a synack member getting stomped on by a koth player, and a rootkit?
that's new
You clearly didn’t read my previous messages 😂
I didn't really read it, but putting something without context like synack in a koth conversation doesn't make any sense either, right? That's why I just replied to it 😄
I mentioned that I didn't care to get the flags, I just wanted to revisit something from my past 3-4 years ago
Here you go then^
I didn't care to actually play, and again, the difference between koth and actual penetration testing is not something hard to grasp
Clearly. I'm also a red teamer and a malware researcher, CTI, but that doesn't mean I say what I work with if I don't care about such a thing, or post things that are outside koth here.
clearly koth and pentesting are totally different, but it's a fun game, just like other battlegrounds like htb
you are frustrated with koth for nothing; besides, I think ch1 is under 18, and you are angry with him, and you lost to him x)
I never said I was angry with him you are just putting words in my mouth now 😂
I never got frustrated, and why are we making this such a big thing? It was done until you jumped in, just adding more for no reason
Hell, now if we're really going there, I started working in the field at 18, got my first certification at 14, currently on my 4th. Like, why are we making this a measuring contest now 😂
Just further proves my point on how y'all are childish. I'm done here 😂
I started working in the field at 15, first certification at 14, but I don't see that as a merit to tell everyone 🤷♂️
again, skill issue in koth 🤓. Even more so for someone who works at synack
exiftool -b -W %t.bin synack.png
Damn I can see the pass now it's time to Hakka this pic and login
@opaque canopy @steep agate @timber vale
If you guys can't be nice in the server, you may lose access to speak in the server. 🙂
Alright
cool
@serene lintel hi
Hello
For koth players who want to win against players that use userland rootkits https://matheuzsecurity.github.io/hacking/bypass-userland-hooks/
@mystic oxide now 👀
How rude of you to give away the workaround to our rootkits /s
Also really nice detailing about it btw, nice work 🩶
thank you!
@frigid jolt hi
was chattr blocked?
when chattr is not available, use your own chattr
I tried to use chattr but I got permission denied
(as root)
use your own chattr
may I ask how?
you just have to upload your chattr to the machine and then you can use it
hello everyone, I am back online and I want friends to join us
is there any problem with the machines?
┌──(x㉿LAPTOP-01BHP5O4)-[~]
└─$ ping -c 3 10.10.130.83
PING 10.10.130.83 (10.10.130.83) 56(84) bytes of data.
--- 10.10.130.83 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2067ms
┌──(x㉿LAPTOP-01BHP5O4)-[~]
└─$ ping -c 3 10.10.130.83
PING 10.10.130.83 (10.10.130.83) 56(84) bytes of data.
--- 10.10.130.83 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2087ms
┌──(x㉿LAPTOP-01BHP5O4)-[~]
└─$
I am connected to OpenVPN
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.13.86.149 netmask 255.255.128.0 destination 10.13.86.149
inet6 fe80::55aa:18a2:a490:6bce prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 128632 bytes 5662992 (5.4 MiB)
TX errors 0 dropped 514 overruns 0 carrier 0 collisions 0
┌──(x㉿LAPTOP-01BHP5O4)-[~]
└─$
Yes, from time to time certain machines bug out, we can't even ping them, even after a reset
oooooh, seems very helpful for koth
Hi, for several days now, the Space Jam machine has not been working.
also can confirm 🙂
Same for the Lion machine
ha we can be yes, I haven't done the lion machine yet at the moment
Even if we reset, the IP is still not working
ok i will also report back when i come across the lion machine
join a koth room
in 20min
Ah yes, you're right, the Lion machine no longer works either. I am on it and it's impossible to ping
The Space Jam and Lion machines no longer work.
@gusty urchin hi
huh, I thought it was working a few days ago, I guess something happened recently
I think they're working on it now 👌
It happened to me also last month, I thought it was something misconfigured with my account when I got both machines (Space Jam & Lion) in 2 consecutive private games. Nothing worked: switching VPN servers, reset, AttackBox... The KoTH machines were unreachable. I reported this on May 20.
is space jam still down?
yes, space jam does not work right now 🙂
alright, thx 🙂
no problem 🙂
@fossil pecan any hints on how I can bypass your method for king.txt?
maybe you can find some cool stuff here https://github.com/MatheuZSecurity/detect-lkm-rootkit-cheatsheet
This AI art is hella cool ngl
Which one did u use?
Yeah, AI knows how to make pixel art very well
and I love it
gpt does this very well, just ask to do it in pixel art style, with a cyberpunk theme or whatever you want
Alr, thanks.
Hi guys, I want to start playing KotH, any advice for a newbie here 😄?
rustscan
Rest you def know
Bruhhh
Someone is not allowing us to do anything on the target machine
That's cheating
more specific?
when Ch1 joins, leave immediately
I'm joking, I would just say to do it like a ctf
find the vulnerabilities, get root access, enter your name into king.txt in the root folder, and get the flags (usually there are a minimum of 6 flags)
without rustscan, you're doomed
I mean that guy called Ch1
He likes to kick us from doing anything
Hi, no, Ch1 doesn't block anything on the machines, he just takes the king with good protection. That's the goal of the game, and he doesn't need a flag to win.
you also take the king with good protection
I think Ch1 makes the mounted disk read-only or smth
but he sometimes does kick players out if they are connected via ssh, etc. (which is allowed, I believe)
No, Ch1 doesn't kill sessions, he doesn't need that to win.
yes, he doesn't need that to win, but he sometimes does
it happened to me
once you get into a machine, it really isn't difficult to get into it again the next time
The most complicated thing is not to enter the machine, but to obtain the king and, above all, to succeed in keeping it.
yeah, keeping king is the most difficult part
no thats not true
I don't kick anybody or close any session
you can play the machine like normal and still get root & flags
but you wont get king
no, I use a kernel module
yuppp
Idk tbh, maybe it's an issue with the openvpn, sorry bro, my bad
If you can ping the IP addresses of the machines, your VPN is ok.
Ok what are the other possible things this can be
?
Last time I had this problem I fixed it
But I forgot what I did, it's been a long time since I played some koth
or maybe you're right, maybe someone killed your session, but that's not me. Just because I have king doesn't mean I am the only one on the machine, since I don't patch. Also, I only stay like 3-4 min in the machine, then I close my shell
also spacejam and lion are not working, so that's maybe the issue
you get the IP but you can't reach the machine
In fact, the Spacejam and Lion machines no longer work.
Good luck playing with you. If we ever manage to find that kernel module
Btw we were just in the same game and I still couldn't find it until the server closed for some reason
wait, will they be discontinued?
@gusty urchin you kicked me out, killed my session, illegal process
Just to let you know, I have recorded everything, including screenshots, as evidence. What you’re doing is against the rules and possibly illegal. I will be reporting you immediately.
I believe that is allowed
how is it illegal?
it's koth
no part of the rules stops someone from killing someone else's session:
- Do not target other players
• Attacks must be against the machine only—not against other participants.
yes, but it's not an attack on you
it's an attack on your session
it stops your session
How do you describe it when I'm kicked out and he closed the port?
if he kicked you out, that's fine, but if he closed the port (which I just now heard), that is against the rules
it's against the rules, but not illegal
you can report this incident
Yes he closed the ports
ok, then that's against the rules
Thank you
it's allowed to kill other sessions as long as it's not automated with a script or smth
yeah, but they apparently also closed the ports
which is against the rules
he is allowed to change ports
he stopped the ports, not changed the ports
yeah, that's against the rules
yeah
Yeah thats what i mean
Btw where can i learn how to kill sessions and change ports?
find the shell process and kill it. You can do that by listing all connections and killing those PIDs with a different IP than yours, or just list all processes and find bash or sh processes that aren't yours and kill them. You can list your own shell PID by doing echo $$.
and to change the ssh port you need to change the ssh configuration and restart sshd
Man, it takes you 2 min to be the king, then you lock king.txt and no one can be king. Give us a chance, I'm new here, I've started to hate koth 🤣
You can automate a lot of the breaching and securing process tbh
LD_PRELOAD rootkits are commonly used too iirc
LD_PRELOAD rootkits are easy to bypass... just use some static binary or busybox and that's it. In most cases, if it's in koth, it will work perfectly against those who have no idea what an LD_PRELOAD is.
the most effective way is to hook syscalls using LKM
and implement your own defense logic, whether returning -EPERM, etc. The amount of things you can do in kernel land is huge
but isn't that against the rules, like an autopwn?
Not sure for this CTF but generally it's kinda "how automated is it?"
Yes, It's against the rules for KoTH.
It's kinda vague, is writing an automated web password brute force script + a one-liner to get a shell considered autopwn? idk
anyone wanna play koth
i've never played it before
btw
i'll try my best
and I also need suggestions on how I can give it my best
can participating players also be hacked in koth?
what do you mean?
no, it is against the rules for players to hack other players
can it be hacked or not
i mean honeypots
what are honeypots?
like to trap the people
could you give me an example?
well nvm
wanna play koth with me? I've never played it
you can make the machine more difficult/impossible to get into, but you cannot stop ports, modify, attack, or stop the service on 9999, use scripts, attack other players, etc.
not right now
and once I have fully recognized the machine structure, then I can make automated attacks?
you cannot automate attacks
you must do them manually
like using scripts and stuff
Like a trap server: a Hakka man thinking that he pwned a server but it turns out to be a honeypot, while the owner is watching what you are doing inside his honeypot.
You can just YouTube koth, you'll get a lot of information from f11snipe's streams, matheuz and others.
yh, so basically there is no firewall between players and machines, there is only one between players, so someone could take your IP when you play koth with him, then he could create a private machine for himself or even use boxes/challenges and he would be able to interact with your machine
so you could get hacked by playing koth if that is what you're asking
well I definitely know of a player who uses scripts, it wasn't even 2 minutes and he had already got king status.
and there is a difference between closing ports and setting up firewalls on all ports, right?
Ch1?
lol
I've played 2500+ games, do you expect me to take 10 min for king 😂
also I don't even change ports, let alone close them, because I don't have to. You can get root and all, but you can't bypass my rootkit to get king
you may be talking about lion or spacejam, because those machines don't even work, they have been like that for a while. You can't even ping them
can't bypass your rootkit eh? hmmmmm sounds like a challenge.
oh thanks, well I also got some tips from chatgpt
🛡️ Tip for You:
When playing KoTH:
Use iptables or ufw to block incoming connections if needed.
Don't run a reverse shell listener on all interfaces (0.0.0.0), bind it only to 127.0.0.1.
Always close ports and remove shells once you're done.
🔐 Example: Defend Your Kali During KoTH
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 4444 # if you're expecting reverse shell on this port
sudo ufw enable
Now, no one else on the VPN network can scan or attack you — only connections you allow will go through.
what is this, he's telling you to listen for a reverse shell on 127.0.0.1 😂. you won't get any lol
yeah, that's why I sent it here
well your rootkit is tough......I'll figure it out
@timber vale wasn't lying... can't get the king.txt... but I will figure it out... eventually...
if you are faster than most players on koth, you can simply disable module loading, and then, for a module to be loaded again, the machine would need to be restarted, and it is forbidden to reboot machines in koth
don't leave your python server open, someone can crawl it if they know your koth IP; worse, they can see your parent directory and the scripts/files that you had and steal them 😁
@steep agate rootkit channel on his tag.
With ch1's advanced haki for 10 seconds it's so impossible, their chance is to have forensics like yours or double the knowledge that you have in Linux rk 😆
The only problem is that Koth machines are very limited, and so there are many detection tricks that would be easily detected which cannot be tested on Koth machines.
yeah, not much fun when someone has a rootkit script running preventing any change to king.txt, constantly creating the file to keep his name in it. Clever, but I can't find a workaround. Why even play when you go in and set your rootkit... it's like bullying I think... BUT I am still interested in figuring it out.
no one is stopping you from creating one. In fact that's the reason I made one, I used to be "bullied" by matheuz and F11
join matheuz's rootkit server, there is a lot of content that you can benefit from, also check out the xcellerator blog
well it's not cheating, but it kinda is like the same thing and takes the fun out of it, although the real challenge is actually trying to break it... so I guess every time you run it I will try to find a way to defeat it. I know it's kinda impossible once you run it, but it's stoppable if I can just get in before you do, but that is the real challenge, getting in before you do... which I know how to do on panda now, but still... you suck... lol
I have one created but you always beat me getting inside...
Are you allowed to load LKMs or patch kernel memory?
for example, ch1's hidden processes can be found, I once found the hidden process of the kernel thread it uses
and among other things, which I didn't mention, but in fact, because it's a CTF and koth machine, it's quite limited and you can't test many things
Yes, maybe it's even good for other people, or it sparks curiosity and a desire to learn about Linux malware.
@steep agate Are you allowed to load LKMs or patch kernel memory?
yes
yeah
okay just checking
you can try to write your own module that detects hidden LKM rootkits, but it may not work against ch1, because maybe it hooked into init_module / finit_module, which, with the implemented logic, means your LKM simply does not get loaded
yh, I did hook both of those syscalls
Learning about Linux rootkits is a great way to learn more about how the kernel works. What's great about it is that, unless you really understand what the kernel is doing, your rootkit is unlikely to work, so it serves as a fantastic verifier.
In the FreeBSD world, you can find Joseph Kong’s amazing book Designing BSD Rootkits. It wa...
this is a series of 11 articles or so
C tutorial for beginners full course
these are the sources I mainly learned malware dev from, in addition to articles online... if more people learn malware dev, koth will be challenging and fun, which will benefit us all and push those who already know to innovate to keep up
io_uring could maybe bypass your rootkit, but it was only introduced in a more "recent" kernel version
I was thinking of writing some malware using io_uring just 4fun
This is huge, thanks!
np
but that's against the rules
if it was seconds, then it is a different story, but 2 minutes is apparently not the quickest time
yes it is
so technically speaking, they possibly could hack into your machine, but it is against the rules, and if they do, they will be banned from KOTH
i know, he was asking if it was possible
yeah, but I was just explaining that it is against the rules
and also illegal in a sense
You can get hacked from any point in the THM network.
true, but it is illegal and against thm rules
Doesn't mean the risk won't be there.
also true 🙂
that's also why you shouldn't use your main computer as your attackbox
👀
I think it's exclusive to koth, because a player can't interact with other players on the network, but all machines can interact with all players, and someone needs to know your IP. So to get hacked you have to have played koth before and someone got your IP, and he can now use any other box, even private or room boxes, to target you
yes, but what if they find an IP from the network?
another person's IP?
so you could be hacked outside of koth
the other website that we are not supposed to talk about doesn't let any machine interact with you or let you interact with any machine that you aren't part of.
You could also scan the entire vpn range.
the other website that we are not supposed to talk about
Nobody said you can't discuss Hackthebox.
of course not, but "bad" hackers can hack others when connected to the network
to find a person's IP he needs to have played koth, because you can't interact with other players directly
You can scan the network
👀
you don't necessarily need koth to find ips
i thought people get muted for that
why would they get muted for saying hackthebox 🤣
Not at all.
you can't just scan the network. Like I said, your VPN does not allow you to reach other players directly, and you will notice that when you try to ping them from your own machine, so you need to know the IP another way, and the only way is koth or someone sending it in a screenshot. Then you can reach them from any other machine
mmm, not according to scrubz
and I trust him more
also, of course you can scan the network, it's a network 🤣
Man try scanning your network rn
that's fine, you don't need to believe me, I'm saying what I know is true, you can agree or disagree, you have free will
it's against the rules
Scanning isn't
he meant your network, not thm's network
Scrubz, you can be hacked at any moment if connected to thm's vpn, right?
but theoretically that would allow you to discover all koth boxes, even private ones, because they always start with 10.10.xxx.xxx, so you only have 255x255 possibilities
Yes.
yeah, exactly
All THM* machines start with 10.10
*Except two.
Jellyfish?
yes, but this is if someone already has your IP and used another machine to target you
The vpn is 10.xxx.xxx.xxx
Yeah.
yes, and they can find your IP
koth machines
The other one?
we're not just talking about koth tho
we're talking about the whole network
I'm saying if someone finds your IP he can hack you from anywhere in the network using other machines, like private machines or machines in rooms, but the best way to find someone's IP is koth. And if you scan the network you won't find people's IPs, you would just find other machines, and theoretically if you scan the 10.10.0.0/16 range you will find mostly koth machines. Then you can deanonymize the game by fingerprinting the box and have access to private games without being a member, but ofc this is just theory 🙃
You won't find mostly Koth machines on 10.10
All target machines launched on THM will be on 10.10 or 10.103 if there is too many.
every koth machine IP starts with 10.10, you can test it out, I've played 2500+ koth games
As does most target machines on THM.
theoretically you can fingerprint them, all koth machines have port 9999 💀
You can fingerprint all target machines
There also won't be anywhere near that many KoTH games running on THM.
It's just not that popular.
Yup
and they reuse the same http server code for port 9999, so some stuff in the headers is gonna be similar. Using this you can deanonymize every private game, adding to this the fact that you can see every private game in koth, what machine it is and who is king from your browser if you just keep incrementing the game_id from the latest public game. This will allow you to pinpoint the exact machine, but ofc this is just theory 💀
and you can attack that private machine and see what they are doing even though you're not a member, but ofc this is just theory 💀
How many other machines also use port 9999?
I mean, I use it for a lot of things I do.
I would imagine not that many, and they don't use the same http server for king
Doesn't need to be used for king.
that's what I'm saying, in theory if you send a request to all those machines that you got from the fingerprint, you can find a name in king and match it against the name from that private game, and you would have access without even being in that private game
💀
No, I'm saying that your claim that you can only find Koth games on the network, as they only start with 10.10, is wrong.
When all machines start with 10.10
10.103 if there is too many.
no, I said you will mostly find koth machines on there, cuz I imagine other machines having the same subnet
No, you'd find more target machines than Koth machines.
As it feels like there is only 10-15 of you who play KoTH.
And probably > 300 machines booted up at any one time.
to summarize: scanning that range (10.10.xxx.xxx), fingerprinting machines with port 9999 and the same http server as koth machines, and sending a request to that port and getting an html response with a name but not an html page will reduce the pool to mostly koth machines. Then, to figure out which machine belongs to which game, you can fingerprint the machine type and the person who is king and use that to deanonymise the private game and get its IP, but like I said this is just theory.
It would work, you'd get caught and possibly banned.
THM monitor the network.
yeah, all I'm saying is it's theoretically possible, idk if you'd get caught, but I take precautions anyway, I always compile my LKM on my own VMs, not in koth private games
Yeah, you'd get caught.
ok.
but you guys should fix that in your VPN servers and only allow access to the people in the machine, and let the machine reach only the people in the game. This would fix your security problem, because if the people are on the same machine they would mostly see if another person tries to attack them from it
that other website does this
doesn't a Hackthebox free account use a shared machine?
yes, you all need access to the shared machine on any platform, but you don't need access to another machine that you aren't in, and that machine shouldn't be able to reach you. That is where that other website shines, amongst other things
also no player should reach any other player, this one thm does already
so on htb I can't do 2 boxes at the same time?

basically this needs to happen to improve the security of everybody. and ensure fair play
Hmmm oki
read what I said, I didn't say that 🤓
Oki
if you are in a machine, like joined from the website, you should have access to it, otherwise you shouldn't, and that machine shouldn't be able to reach you, so nobody can hack you
except from the shared machine, and you should be able to see if someone tries to use it to hack you
also thm needs to improve its bug bounty experience. I reported a bug before that gives you access to the IP of any game that you were in and quit, and are now not part of, and you would get the IP and all game info as soon as the IP gets released and as soon as a reset happens, without needing to scan anything. They fixed it in their newest version of koth, but it took them 2-3 weeks to even reply about the bug and they didn't give me anything, not even 1 month of premium. Also @broken pilot has had a very bad experience with them when he tried to report a bug before, and he says they threatened him.
even the way they fixed my bug was not efficient. It's like they didn't even fully read what I sent. They used websockets to emit updates when needed, like at the game start or when a reset happened, reducing bandwidth and saving money on the cloud bill. I recommended they check if the current websocket user is in the user list before emitting any new data to him (because the periodic updates emitted included the users, so they don't even need to add any additional requests), and if the user is not on the list they should simply close the websocket connection. The bug was that the websocket connection is kept alive and receives updates even if you quit the game. When attempting to reconnect they should check if you are in the game again (which they did), so that would have solved the bug efficiently. But instead of taking that recommendation, now they are back to using the old system that they used before: now, to get the IP and to keep up with resets, your browser sends periodic requests to the API backend to get the IP even if no reset happened, which increases the cloud bill, and if the user also doesn't have unlimited internet (thankfully I do) they would spend more.
this touched down on another problem which is fake accounts. people could use those to exploit that design flaw
I think in Hackthebox battlegrounds you could also be easily owned
but the end of htb battlegrounds is near, on the 25th they will officially delete battlegrounds
womp
this works
Does koth require a Linux OS or is there an attackbox?
Hi, if necessary you can install Linux on a virtual machine
You can use both your box or AttackBox
ok so I joined a koth game with some dude, but when it started I couldn't find the attack box or even the IP
the status was running and the time was going
Sometimes I have to refresh the page to get the IP to show up
Two machines from the pool are broken
ok thx
hi, yes the lion and spacejam machines are broken down
@near lily new bug: you guys have a race condition in the join implementation.
I'll forward on.
it can be used to join a lot of times before the record gets written to the database. In this instance I only joined 5 times, I'm sure it can be used to join more times than 5 ...
🤣 wtf
Looks like Ch1 wins 1st, 2nd and 3rd place prizes! /s
Reporting it to our team thank you @timber vale
should I use the VPN network or just the virtual machine given by thm?
you can use the VPN or the attackbox, but if you use the VPN, just make sure to have a secure webserver with passwords that change automatically, and if you have the ssh port or other services running on your VM, just make sure to use a strong password for ssh.
I don't use a VM, I use it as my OS
what I explained there is how you could get hacked from the thm network if you don't take precautions
the same thing applies
all services are disabled btw
on my machine
just make sure to have a secure webserver with passwords that change automatically.
why, which web server? does the thm vpn also have a webserver?
when you solve machines in thm, a lot of times you're gonna need a webserver, even in koth, and if that webserver isn't secured and someone knows your IP (like if you played a koth game with him, or you sent a screenshot with your IP by accident), he could browse through the files served by that http server, and if you have an ssh service with a weak password that could be a target too ...
but that message was talking about a different thing, it was talking about how a private game is not really private and anyone can get the IP
like example
i am testing it by my self
try to scan network by nmap but doesnt get response
go to dms
to summarize. players cant reach each other directly because of the firewall however, every box in the network can reach your machine and your machine can reach every box in the network. this means that anyone can use a machine in the network like a koth private game or a room machine to try and hack you if he knows your ip. and the other usage for this. is if you scan the 10.10.xxx.xxx range you can fingerprint koth machines. and deanonymize private games or even get access to public games that you arent a member of
Although you can find the IP, isn't the main point of a private game that you control who joins the game, and consequently can get points?
you're missing the point finding the ip is the main target. you dont necessarily need to be ranked in that game if you wanna be a silent observer this can be used for example if someone compiles an lkm or smth. you can steal it ....
So you mean like interfering in the game?
Since seeing private games is possible since forever as far as I know, just not the IP
this can be used to find the ip of the game without being in that game. whatever can be done afterwards is up to the person
you can see the users the king and the machine type but you cant see the ip normally. and those things that you can see are whats gonna help you to fingerprint the exact koth machine you want the ip for. you can filter for all machines with port 9999 that returns an http response but not an http page. and you can send a request to that port to find out whos king and match it against the game you want. and for example you can fingerprint the exact machine type like some machines have fixed open ports with the same services and web pages ... there are many ways you can use to fingerprint the exact machine
True
The only good fix would be to put the KOTH machine and players on the same network though (or some IP-based rules, dunno about that).
So I don't think tryhackme will fix it, it means loads of work for a feature that isn't too popular anyway
only the players should have access to machines that they are part of like even if you find the ip of the other machine you shouldnt be able to ping it or reach it. also a machine should only be able to reach players in that game
true
What did you do to join the game 5 times?
used a script to join with 5 threads simultaneously
i could have used more threads ....
Also, how did you submit all the flags in 9 seconds?
using pyautogui. i write all the flags one by one automatically in the box and press the submit button and move the cursor on the box so the other flag gets written ....
Doesn't sound like fun to me. 😄
Adding yourself 5 times to a game also provides no gains for you though, I would recommend not doing it again.
yh i was just testing smth. i saw that when i press the join button and it redirects me to the page i dont see my name there its like i never joined. so i figured that i get the response before the record gets in the database. thats why i tried that race condition and it worked ....
That sounds like “autopwn”?
Saving the flags just to use a script to submit, iirc you recently were reported for cheating? 😄
do you know what autopwn is?
automatically submitting the flags is not autopwn
@fossil pecan hi i am on koth with u
how
thanks @fossil pecan 🙃
Gave +1 Rep to @fossil pecan (current: #137 - 64)
what @fossil pecan
nyancat 😛
😦
this one can be bypassed with regular system commands
and u use malware i know
to restrict me so that i couldnt modify king.txt lol
this isnt lkm king, just regular system command defense and bypass 😉
okay
@fossil pecan he is a true fan of mr robot just like me
@fossil pecan ah i see late README.txt
i tried to unmount then modify the file but shows read only permission
i forgot to change file permission after remount
dm me if you want, we could retry food on a practice private match if you want too
okay 🙃
Also you can see matches in the koth. Private matches and incoming matches 😁 there are only a few people who used this. For example they will try to surprise the players who are waiting in the room or they don't want their name to be in the room cuz some of the players may dodge them.
I do this often before. 5 seconds before the game starts i just hop in. There is no need to be in the room.
Thm can fix that by just making the room ID random and not in order.
Now you know just try it for those who are new in koth 😁
you can't join private matches, but of course you can join public matches
But you can watch them I saw a lot of people doing matches in private practicing so I know they will use their practice in the public anytime soon
ok, you can look a private game, hurrah, great, good for you, but it isn't really that important if you see it or not
You don't get the point lol what's the advantage of it
Lol
Just read what I said at firdt
First*
Both public and private
public doesn't matter, there literally is a way to look at public games, they aren't hidden
if you do it randomly, what if you use the same number twice?
and it will be sooo confusing
You didn't get
It
Can you search what idor is
I'm at work now but I will make an example just for u using phone
I can see Mr f11snipe and trap waiting queue
But I can join in the match 5 seconds when it's start
ok, makes sense
that's fine
Not fine 🤣
You will see the advantage of it once you spam koth and win always
you can join whenever you want, just before the koth game starts
you spam koth?
4 months ago lol
how many times have you won using this method, curious
that was 4 months ago, how about now
Often
often means???
I just wait for someone to make match
ok, when they make a match, you join?
that's fine
what's wrong with that
you pounce
nothing wrong
Will come back to playing koth once they revamp koth like no same creds
Dynamic machines
Or just make all machines like fireworks
You will never know what's the advantage of that to a player like ch1 🤣
CH1 is strong, can root the machine in 2 minutes
he pounces, advantage for him, good, what's wrong with pouncing
He has still a bug that he didn't report 🤣
Not even 2 mins lol
If players like matheuz f11snipe and trap will have a hard time dealing with ch1 then none of us here will win against him that's the truth except for 2 windows machines and I forgot the other I think fireworks also.
Yea theres a few bugs, that havent been fixed yet... I reported how to "break into" those private games a while back by just being able to observe the private match.... along with a few others that have been patched already... And if you were to chain a few of them together you could completely own KOTH games, public or private.... But yes ch1 is right if you really wanted to you could target certain players once you were able to get their ip.... Could be considered illegal tho... so probably not worth it... but i have had some players target my python http server to try to scrape any files i had in that folder, while we were playing. But what he's saying, is it can also be done from a normal machine, it would be harder to tell who did it because you're not currently playing with the person...
i guess you could always just get a new vpn config file and switch up your ip every now and then...
it would be harder to tell who did it because you're not currently playing with the person...
No, it would be really easy, your tun0 is assigned to you, and THM will know who boots what attackboxes.
Spacejam can be pwned if you're fast like 5 seconds then you can command this sudo sysctl -w kernel.modules_disabled=1 or
echo 1 > /proc/sys/kernel/modules_disabled to disable ch1 lkm
And guess what still he will win
Because he is
Do you know the ability of this guy? @viscid sundial 😁
uhuh, ok
Yeah could take at least an effort every time you want to change new ovpn cuz you'll change all your koth stuff into that ip.
My G @timber vale rn:
The katakuri of koth 😆
who is this guy?
i dont watch a lot of anime
no need for an attackbox, you could join a normal room and once you solve that room and know the machine creds you can use that to do whatever you want afterwards and just extend the time by an hour before it runs out. or you can use a private koth room to do that and thats better ig because they cant know which of the people in the private room targeted the other person cuz they are using the shared machine
@timber vale imagine you woke up and you had your [Bounty Hunter] title like 0day? Or I'm wrong lol
You have to report 3 security vulnerabilities that get accepted to earn the title
https://help.tryhackme.com/en/articles/6495946-the-bug-bounty-program
Responsibly discovering & disclosing security flaws.
@lunar jewel has been warned.
@timber vale
Public KOTH with a lot of players is the best option, then it becomes hard to track after the machine went offline who used the machine as 'proxy'. Normal THM rooms should be linked to your account in the logs, and if you are the only player in a private match it's not difficult to track you down either😎
Although if thm keeps logs of what's sent over the network, you could still be caught
if we do not count the network design flaw that allows you to de-anonymise private games that you arent part of and get their ip or even the ip of public games that you did not join and it can be used to hack other players. if we do not count that then i have 2/3 cause i reported the websockets bug that allowed you to get the ip instantly even if you are not in the game and you didnt need to even scan the network for the ip (which takes time) it just sends it to you whenever the game starts or when a reset happens this one got fixed after i reported it with the support guy named blackout. the other one is the join race condition i sent yesterday so that makes 2/3 if we do not count the network flaw but if we do its 3/3
It’s not my decision, you will be contacted by support for a reward if a bug you report is applicable
hackers only has 9 flags i submitted 13
you guys should give this title 🙏
wait i deleted the message i gotta send it again
@near lily new bug, race condition in flags
https://tryhackme.com/games/koth/125544
i only have 7 flags on that machine
@timber vale
NO WAYYYYYYYYYYYYYY!!!!!!!!!!!!!!!!!!!!!!
You need to find 3 different bugs to get that.
i found 3 bugs
that means you have faster internet
nah i just inspect element it haha
damn that 13 flags only hackers machine?
so you didnt try the bug 😂
https://tryhackme.com/games/koth/125544
How do the points work then tho? Like the amount of points depend on which flag is submitted extra?
every flag is worth a predefined amount of points. the harder to find the more points you get, i think the root flag is worth the most
Can you submit a flag x times, and then another flag x times as well? that would be wild😂
i tried to submit each flag simultaneously 5 times. but i didnt get 5*9 which means i only won the race a few times. i'll probably get another result depending on my internet
ahhh, race conditions
Me too, well 4 😢 ... And the race condition on flags is back 😢... I reported that like 2 yrs ago... Thought that already got patched........
I stopped hunting for bugs here since i had that debate over the free bug hunter role... I feel like a valid bug is still a bug.... I shouldnt need to provide a p1 to get a free role... Just my opinion though
Yea I guess, but what about alts and an extra VPN connection.... If someone really wanted to target you, it could happen... Sure that's a lot for a KOTH game but it's still a possibility...
https://tryhackme.com/games/koth/66264 10 flags... Machine only has 7.... Way back from 2023 😂
nice, it really just depends on your internet connection im sure you can get more with a better internet connection and optimized code
Ok I'll stop now... I'll go back into hibernation... 🫡
Yea I had a few with over 15 flags... I could've done more but went with a small count not to over do it... I still have the poc's I sent them for the other ones too....
Like I said tho I just stopped hunting, I didn't feel like it was worth the reward, of nothing.... Not even a thank you.... And I still have all of the communication that took place 😉...
Hi Players
Hi i access the machine in KOTH and then i change user name of machine and in king.txt i also change but in KOTH leaderboard my name doesn't show and so tell me because i am new in KOTH
on which machine? Linux or Windows?
you don't need to change the username, you just need to put your THM nickname in the king.txt file
yee bro in offline machine we play together when i did this but
and bro nickname means username
For Offline, you must place your king.txt in: C:\Users\Administrator\king-server\
thank you broo
we are playing together
😍
Hi @mystic oxide Please Broo can you teach me to How to create animated profile Picture and How To upload on TryHackme Please
Look on Google my Friend
download a gif then change the extension to png and upload it
@timber vale can I DM?
yes
Thank you Guys @timber vale @mystic oxide
Hi guys, can someone help me out? Every time I get access to a machine and put my username in king-server/king.txt, my name still doesn't show up as King. Can anyone explain why this is happening? I'm new to KoTH
Because I think F11SNIPE uses the ICACLS DENY EVERYONE command, which even prevents the Koth service from being able to read the King.TXT file. This is why he has that 2 min from King Time
can i DM?
yes
is it right to do this in KOTH?
There is always a way to remove these rights, so I think that yes, it's fine.
can we break this
is it possible to break or stop this command or use other technique and @mystic oxide bro my english is very weak so please dont mind when i am saying something wrong
I don't speak English either, I'm French
@timber vale wut u do here??? i can't write nothing?!?!? 😲
$ find / -type d -writeable 2>/dev/null
$
isn't this breaking the machine?
$ cd /tmp
sh: 2: cd: can't cd to /tmp
$ ls -al /tmp
total 8
drwxrwxrwt 2 root root 4096 Jun 28 02:08 .
drwxr-xr-x 23 root root 4096 Feb 15 2021 ..
$ ls -al /var/tmp
total 8
drwxrwxrwt 2 root root 4096 Jun 28 02:05 .
drwxr-xr-x 13 root root 4096 Feb 15 2021 ..
$ cd /var/tmp
sh: 5: cd: can't cd to /var/tmp
$ cd /dev/shm
sh: 6: cd: can't cd to /dev/shm
... can i bypass this???
i didnt do anything to those directories. i have no interest in them
i can cd into them normally
Lol dont u shadow the thing
@mystic oxide GG i cant find the way in /root lul
an official or private match?
public match
it was my first one, luckily im the only one who found a flag, the others couldnt find flags or PE
score is 25-0-0-0 (I also couldnt PE)
If you only have flags, it doesn't count as a victory, because you have to be root with the king for at least 1 minute.
noted, thanks!
got into another public game ... legends and guardians ... hahaha im doomed
level does not determine a skill
dw i was cooked, some guy called ch01 joined and got root in under 1 minute
he been doing that all day
Ch1 not ch01.
no way the boss is here
any tips ? love the pfp btw
for a beginner i would recommend this: https://github.com/MatheuZSecurity/Koth-TryHackMe-Tricks
but if you wanna get into malware and rootkit dev i sent the resources i used here:
#koth message
also you can dm me if you have anything specific to ask abt
thank you so much, today was my first day trying koth hehe
I find it super exciting and it actually pushes me
any1 join with me
Get on my level.
@fossil pecan how... just how
im way outta my depth with these
did u just nyan me?
bros going hard
@fossil pecan very good
nice whoever changed that password
well im stuck again pahaha
the password john cracked is not working
Where can we download vpn for koth?
There is no separate VPN bundle for koth. Just use the one you use for normal machines
Thank you
hello anyone wanna play koth just for practice
do you accept newbies?
yep
but to join on koth , u'll need to do some manual configuration
go to ur manage account setting and click on intermediate level
done
@winter talon sending u link
wanna do a call ? never played koth
okay
do koth machines have access to the internet?
and also building for other machine but obviously i need to pwn them manually first
AutoPWN scripts are not allowed.
Oh, maybe, I'm not sure. I just know it's generally not allowed.
autopwns are not allowed
anyone wanna play koth
juniors welcome
i'll host private koth
and also seniors welcome , welcome to anybody
I just set up linux vm and connected with the vpn
Wanted to test if koth will work so i joined a game
So i cant leave and have to wait the game to end?
yeah once the game starts you cant leave
Ok
10 mins until next box.. lets go join up lets have fun
im new so have at it
im here to learn
hmmmmm....
someone is working some magic in offline
im locked out.. i have no clue on how to fix.. pls nudge
Locked out?
yh that guy is a wizard
I started 3 weeks ago lol
Yea it is...I was also not fully prepared as I just had to reinstall my borked kali vm, so I'm still kinda getting some things setup
ive borked so many kali vm's i finally got my build down tho..
anyone can help me on KOTH. LOL
play much game u will learn new tricks
challenge accepted friend
most boxes on KOTH have more than 4 ways to go. so if u solve 8 boxes u will learn more than 30 ways to exploit machine and priv escalation
it is a really fun way to learn
R0cgZnJpZW5kISBHb29kIEhhY2tpbmcgWEQgSG9wZSB5b3UgYXJlIGdvb2QgQG1hc3Njbzk5IExFR0VORA==
thanks bro
Gave +1 Rep to @deft echo (current: #2986 - 1)
i will leave the game go and enjoy
have a good day/night. it was nice to meet you
Hi, it sometimes depends on fortune, sometimes the SSH password you remember is good and sometimes not, but there are several ways to enter the box
it was my mistake i was silly and didnt use the correct user
gg @fossil pecan
hi anyone up for a koth? im a newbie learner myself. all are welcome.
You’re asking the right questions lol I see what you’re doing and tbh it’s most realistic. Real hacks are scripted/automated so they happen fast & are harder to detect/remediate.
Scripts that automatically hack (autopwns) and/or harden the machine are forbidden. So why is it within 10 seconds on Hard machine which I KNOW takes a second to pwn.....all of a sudden a player has king AND has filtered all ports? you can't do it manually that freaking fast!
@fossil pecan
someone tell me Im wrong?
maybe Im wrong......Im learning Ill figure it out I guess.......
depends. yes an experienced player will be much faster than you especially because they have notes on the machine and automated some steps like installing implants and running their king script which you are allowed to do but still this shouldn't mean the machine is pwned in 10s ofc depending on the machines difficulty
@summer burrow let's play private I just did 2 of them and did horrible
So yeah you basically don't know but in my opinion you shouldn't really care that much. Just try to learn by attempting to win. The win isn't that important
appreciate it......
I try hard to be first in to keep games open & boxes unpatched (not closing/filtering ports) so others can still play & learn ... lots of players will patch and break stuff very quickly, and isn't very fun or easy to learn for other players
I'm happy to play private practice anytime also, feel free to DM too if you want 🙂
is koth box lion live for players in the game? cant seem to connect
@fossil pecan are you on offline too?
lion & spacejam are currently broken, and won't actually boot up 😦
I am, but idk enough about windows to actually fight for king with someone else 🤣
47 mins of my life wasted lmao
ima join later on tonight
I managed to use ms17-010 vuln and log in but all flags were gone lol
gone?? nobody should be deleting flags lol 😂
yeah this guy suljov is mean
hmm don't remember exactly where all the flags are, but they're spread around all the different users and their home/user folders ... you had admin/system access? I think most are still named flag.txt
Can play private matches if you want to try again fresh haha
bruh not fun to start and someone is already king at 2 minutes in
gg @timber vale literally nothing i can do
you can still play the machine like normal. i dont patch anything
Oh I thought u did, the user I was on didn't have any permissions 😭😭😭
you start with a normal user then you have to privesc
Yeah but as a normal user I couldn't cd into anything or ls anything
do you have the output?
Yeah I had it, right now taking a break, but I couldn't even ls home
I was rev shelled through the upload on port 82
maybe someone messed up permissions for binaries. which is against the rules. but thats not me
did you have a restricted shell?
Normal shell from NC -lvnp
Sth about suid being set to 0,-1,-1
I'm still new to this so it also might be a fk up on my end
I'll check it again after dinner
next game 20min 😄
https://tryhackme.com/games/koth/join/f3f0d0dc1d935a0cc153457e
why are you deleting flags @timber vale
i didnt delete any flags
i dont need to play dirty to win
but if i remember correctly in fortune flags arent in user folders except root maybe idk. you need to read that flagtips file it says smth like flags are hidden in files with game names. its been a while since i actually searched for flags. i have them all saved
ok
Any beginners want to join a private match?
I love koth but everytime @timber vale is here I get anxious lmao.. guy pwns boxes in 27 seconds
don't be i never patch any footholds or privescs i dont patch anything as a matter of fact. so you would still be able to play the machine like normal and take your time
ur good mate i just see ur name and think "guys gonna get king real quick"
anyone know why john isnt giving me the password for the hash? it loads the hash but doesn't give me anything after that
if you cracked the hash before, use "john <file> --show"
omg thank you
so weird i got the pass to ssh but i think i borked the key somehow
not 27 sec
in fact it does this in a matter of 2-3 seconds
jesus
for it to load a kernel module it needs root, that is, 2-3 seconds after the machine "boots", it already has root and automatically loads its rootkit, so there is no time to even copy the IP correctly 😄
this must be my rootkit automatically loaded after reboot. cuz that is not possible
anyway, a few seconds difference until the machine starts and until it loads its rootkit, I guess in 2/5 seconds
Actually no, you deleted the kernel logs, I recovered them, and I saw the logs of when it was loaded
You got caught
next time use shred or something better because there are still log remnants in the filesystem
lol you're scared for your spot and tryna make stuff up.
this must be my lkm loaded after reboot like i said you can make it autoload.
and also yes i delete kernel logs like most people who use kernel rootkits.
and you didnt recover shit this was a left over of systemd in the /tmp dir
You yourself know that you do this in less than 10 seconds, I don't know why you're saying that it has persistence after reboot, in fact, something that is probably not even possible, since practically when you reboot a machine, a new IP is generated, and the original state of the box is loaded too.
no
I used debugfs to recover /var/log/kern.log and then I dumped its inode to tmp and saw the logs
f11 is approaching your spot and im approaching his. and you just dont want to put in the work thats why you are scared.
Even @fossil pecan knows you do this in seconds, come on, don't hide ch1, this is ugly 🙂
@fossil pecan wins against me a lot of times so that is not possible.
unless he is faster
The machine was not rebooted, as soon as you got root in the first few seconds, I got into the machine, got root, and the first thing I did was use debugfs to retrieve the inodes from kern.log, and then I saw how fast you really are with your "oneliners" 😄
I think you should be more cautious next time, just in case someone decides to punish you
thats not true. if you didn't edit the image or the terminal log that means the machine was rebooted cuz 3 sec is impossible
😂 your forensics skills are bad my friend
next time then, I invite everyone in this chat to do the same thing, if ch1 doesn't use shred or something like that in the kernel logs
just do it
cd /var/log/
ls -d kern.log (get the inode)
dump <inode_here> /tmp/x
quit
cat /tmp/x
its obvious that if you already had proof of smth like this you would have sent it a long time ago cuz you are scared for your spot. but since you dont have any you are fabricating evidence 😂
I already sent these logs and showed them to some of my friends, everyone was making fun of you 🤣
Btw, I'm not at all worried about my place in the rankings. In fact, to be honest, I'm actually happy after 3 years to see someone passing me, like f11snipe, but time flies, I can't dedicate my time to koth (which I clearly haven't played for over a year, I think, and I'm busy with really relevant things, like work).
the day you did this, I forwarded the logs
you prob were the one to reboot the machine 😂
You and I both know the machine was not rebooted, as soon as you logged in as root and got king, I logged in and got the logs
Anyway, none of this is relevant if the thm staff doesn't do anything about it, so don't feel threatened :))
you know thats not true i know you are unhappy about that koth spot cuz i saw it in your linkedin portfolio and you just dont want to lose it 😂 and you dont want to put in some effort to keep it.
? You know that Koth is the least important in my portfolio, right? Even f11snipe is very fast, and he knows that you do it in fewer seconds than him
I don't need to lie, I'm just telling the truth, and it's funny you trying to explain it with things that have nothing to do with anything
f11snipe is faster than me in some machines and even he can't do it in 3s like you said
trust me bro argument 😂
Anyway, if others want to do the same step, here it is, if you can't recover the file's inode, it's because ch1 has already made it unrecoverable
It is only fast on some machines
even because he told me that, that he can only be faster than you on some machines
thats what i said. f11snipe is faster than me and even he cant do that kind of time. also i have a database of all games i can pull out the games where f11 is faster
It's only faster on some specific machines, for example, you have difficulties with the H1 hard drive, right? Furthermore, that is true evidence, the machine had just booted, it wasn't even 58/59 minutes old and no reset had been done until then at that moment when I had recovered the logs, so no reboot was done either. You deleted the kernel logs, but forgot that they can be recovered if you have the inode, but I want to congratulate you for doing it so quickly, the machine starts and practically 2-7 seconds after it starts, you already have your rootkit loaded, giving no chance for common players to copy the machine's IP, anyway, good luck, koth is really fun 🙂
like i said that doesnt prove anything. you prob rebooted the machine and my rootkit had persistence no need for reset so the machine gets rebooted
i've seen people do all kind of dirty tricks with me like killing the koth service which i block rn from my rootkit. and i block some ways people can reboot the machine or shut it down but there are always ways to reboot a machine by escaping the logic and using smth like sysrqs .... or direct syscalls via binaries etc
Btw, a really cool trick for all koth players, if you want to see a specific log that was deleted and if you have time to recover the filesystem inode, you can follow this step, and you will see that it will work, see that in the image the kern.log was deleted, but I recovered the log by getting its inode
in ls -d
It's really cool to use debugfs for forensics 🙂 and it's funny how I see ch1 trying to defend himself with things that have nothing to do with it, anyway, that was fun.
whats funny is that you are trying to claim this without actual evidence so you preserve your spot without actually playing or putting in work 😂 .
your argument is just trust me bro
Well, believe it whoever you want, but the evidence that you did this in seconds is there. The machine wasn't rebooted. You know you do this yourself, ch1. You don't need to lie to me, especially not in chat. It's always good to be honest with others, and most importantly, be honest with yourself. Besides, your rootkit leaves a lot of stack traces in the logs, which is bad. I don't play Koth because I'm really sick of it. I was even talking about it with f11 a few days ago
I mean, playing more than 3,000 games eventually gets boring, right? And you have other responsibilities like work, research, etc. I was your age when I was addicted to Koth too. Anyway, the evidence is there, and you clearly have a very good "oneliner" right? 😉
like i said you are the one who rebooted it 😂
idk about your responsibilities and idc tbh but ik i dont have any i have all summer here and your spot will be taken one way or the other so just stop whining and put in some effort if you want to preserve it
making up lies wont get you that far
yes that's for sure 😆
and your 2nd?
no im number 3 in all country ranking. but im getting there to number 1. i average abt 300+ wins a month
ah just so you know
one day ill be higher than you
he is making up lies so i dont take his spot on the leaderboard. because he doesnt want to actually play or put in effort. and he doesnt even have a working rootkit for it his rootkit was the one i leaked previously and it had many bypasses.
yeah lol
HOW?
rootkit for what
i just play a lot cuz im 16 and i dont have anything to do also i use a kernel rootkit to protect the king.txt file and protect koth service and machine ... so i rarely lose king
dude im 17 and you're 10x smarter than me
i envy you
wait
people try and get your king.txt file?
but isnt that against the rules
this has nothing to do with me being smart. its just experience with programming. i focus on maldev more than actual pentesting
to steal it
no lol everyone is trying to put their name in the king.txt file thats how you get points the machine is shared by everyone on the game its just one instance
Do you really think I'm going to donate my time to create LKM for Koth? Nah, it's too lazy. It's easier to create something real like Ringreaper than EDR bypass, and it's used in the real world, in red teaming. Besides, you don't know how to create a rootkit that doesn't depend on syscall table hooking, which is an old and outdated method. As I said, I haven't played Koth in a long time, and I only play when f11snipe is on stream for fun or when he wants to test something. I really don't care about the leaderboard, so much so that I was happy that f11snipe is almost catching up with me after years 🙂
ah so even i can get it from you?
Well, next time, delete the logs properly, because it can be easily recovered if you have the inodes
so are you behind Ch1?
lol, i have my own x86_64 hooking framework that i use along syscall table hooking if the function im trying to hook is not a syscall. it can also be used for syscalls. you can dedicate your time for whatever you want but the fact of the matter is you're losing your spot if you dont put in some effort
On the leaderboard? To be honest, I don't even know, I haven't seen it
so what are you trying to prove
he has more wins than me atm. but he hasnt played for a very long time and im slowly taking his spot
you got this bro im sure you can
you'll be behind me though
one day
I'm not missing anything, in fact, you're the one wasting time with Koth, I got benefits from it, and it was also one of the reasons I stopped playing Koth, because I have something really important to do like working with cyber
yeah im sure its gonna be my turn next to lose my spot cuz i graduated highschool a week ago and im gonna start putting my time towards university.
I'm not trying to prove anything, I just gave evidence of how fast ch1 is, and that's a good thing
oh good
cool cool
how am i the one wasting time on koth and you have more wins than me 😂
how do i do koth
Well, I haven't played for a long time, I was still in school when I played every day and I didn't have many responsibilities when my position was trainee/apprentice
🥲
you just change your experience level from settings to be able to join games.
ah ok
😂 thats what im doing rn but you are clearly not happy abt it. im still 16 i graduated high school a week ago and i have no responsibilities so i can basically do whatever i want
im not even trying to have a career in cyber security there are almost no jobs for that in my country. but this is smth i do for fun.
you should, you're really talented
my parents wont let me 😂 they want me to be a doctor or an engineer or one of those jobs that pays here.
why are you letting your parents decide what career you have
you find this fun right?
then do something you enjoy
and you're good at it
seems like wasted potential because you cant decide on what you want
to do
im the biggest son for the family so i have to think about others when choosing a career path and realistically cyber security jobs here are almost non-existent with little income im still in africa after all
not that you have to
move countries.. and why does having to be the eldest matter?
why think about others
in the end they're not the ones taking it
its you
if you don't find the career you're being made to do at least a little bit enjoyable or feel like its your responsibility to do it for your family then its going to be extremely boring
you don't even have to do cyber security
its just the way i was raised ig. also my parents spent a huge amount of money and effort on me and i need to be able to repay that i cant just decide to move out and never speak to them. and also its not just what they want i also want a career where i could get a good income and live comfortably with my own family and support my parents because they are getting old
we dont have pension here. its just your savings.
of course you can speak to them abroad through phone and cyber security is such a great career to get a good income from you can live amazingly with it especially with your talent and i know parents spend a lot of money and effort on you however that doesn't mean you got to do it no matter what career you choose you can repay them back
however again you don't have to do cyber security
just something you enjoy
before you take care of parents put yourself first because if you don't you wont even be able to take care of them if you can't take care of yourself
think about what you really want to do
No need to get defensive here. Be careful accusing others of lies, especially after everything you've said here that isn't the truth. There are other ways for you to avoid admitting these things without lying yourself 😉 ... I can confirm everything @steep agate says here is accurate, let's not play the "blame game" and just play the actual King of the Hill game!
We're all here to learn and have fun, let's keep a positive environment for all KoTH players 😄
you too 😂 you cant keep up with me you have work & other stuff but i on the other hand can play all day. i need less than 240 games to get your spot so be prepared.
A year later the koth drama is still around!
😂
so.. rootkits.. how to? or is it outta my skill lvl.. im new so just wondered
read those previous messages:
cheers
anyone wanna fuck about in a priv? its my bday and i wanna get nyancatted for the lulz
lets go @timber vale
welcome @fossil pecan seasir
is it live now i cant connect
Pass the room invite
your vpn is ok? seems good and quick from here 🤷♂️
still up & fine here, dbl check your vpn?
my vpn is fine
sanity check procs ps aux | grep vpn ... i need to restart sometimes ... oh hmm
can DM if you want
yh pls
was trying to get nyancat, but didn't start i guess haha
Man my mind is fried. Finally got in after trying 1k commands lol
@steep agate Mind if I DM?
.
yay my color changed,
I will try to get better to do better at koth, but I hope I dont see any of the 2 second rooters in my matches
hi
guys anyone know if the offline machine in tryhackme koth has a king.txt?
cz i cant find it
should be at C:\Users\Administrator\king-server\king.txt
ok can someone make me a koth game with that machine : offline
so i can do it again plz
hello guys, new here
hope to play with you guys sometime on king of the hill! been watching videos and even though im not really skilled id love to learn
-rw-rw-r-- 1 user user 0 Jul 20 18:35 adenumeration.ovpn
i always get a 0-byte file
@red olive
This isn't the question for #koth channel . Please go to #site-support
spacejam is borked right?
ya spacejam & lion still don't boot up as far as I know ...
good fun that
join up if you want to play with me
please i want to try
^^^
I don't know Windows much still haha ... I'm in another lobby here for next game, if you wanna join 🙂
https://tryhackme.com/games/koth/join/864ad1b17b3b516de80f220f
how did you do it
i cant get in or find any flag
i knew you were number 1 and instantly knew id lose
i was hoping you didnt join so i could at least attempt to find a flag and win but when i saw you join i was like dammit
how's everybody today? next game in 20min here 🙂
https://tryhackme.com/games/koth/join/8c73058b76e15c9b3fc088ee
Is the sys_write the most hooked sys call in koth ?
But your goal is to prevent people from writing their names in the root.txt file
believe me, hook on read and sendfile is one of the most OP
FYI, read is the best because while people can write their names to king.txt, reading king.txt will still give your name. So when the koth service reads the file it will think that the file contains your name.
Nice
Looking at the KOTH rn and i see that Devilman24 has won every box that i can see right now. Is he macro / botting it or just grinding all day to instantly get king?
what's up fellas!
the koth service binary tries sendfile first if it fails it uses normal sys_read so hooking sendfile will always show your name in king.
but if you want your name to be there when someone reads /root/king.txt you have to hook more syscalls
man, I am just happy I can do a simple reverse shell
hi
can someone help me
i wanted to get into koth but i dont wanna get completely crushed by other guys
can someone guide me through my first matches
@covert fern sure man, send me a link and i can show you
we can join vc as needed, I am also learning myself
should i create a private one?
yeah
sure
wanna join here or private?
just sent you the link
send it here, should be ok
