i will get root
#koth
fair adder
but this time it didnt go as default machine goes
even gev was sus of that
thats why
and no one had the shell other than me and gev and tanya
thats why
turbid narwhal
whatever
barren stream
@fair adder can you message in #talk-with-us-no-threading? I have muted you and will unmute you once we have talked π
stiff egret
Smart move.
gentle hatch
gg
stiff egret
Damnit, I joined in late
gentle hatch
me 2, first time getting panda as well
sudden tendon
haha yeah
gentle hatch
so many flags
sudden tendon
you guys were good tho
boreal flare
fair adder
joined, I accidentally got decaf today so I'll be off game rn
fair adder
if you're having a hard time finding flags:
|| find / -size 33c -exec grep -lP [a-f0-9]{32} {} \; 2>/dev/null ||
terse willow
Assuming no one has done anything like the yotf root flag π€·ββοΈ
fair adder
hasn't done YotF
terse willow
Oh, I split it up over about six lines
fair adder
oh
terse willow
And changed the order around
That also assumes that the flag will be a 32 character hash
As opposed to, uh, any other number
fair adder
very much, but the current machine's fortuna which, afaik, only uses 32 hex
winged charm
Oh, I split it up over about six lines
@terse willow this is why no one likes you
fair adder
wait they're md5s?
winged charm
Yur
quiet schooner
Often
terse willow
That's usually how they're made
winged charm
or you just do like me and mash on your keyboard for a bit
terse willow
I tend to use sha256, technically
alias flag-gen="echo THM{\$(head /dev/urandom | sha256sum | base64 | head -c 32)}"
ooh, kk sorry was searching them in hashkiller.io
ngl it would've been pretty cool had they actually meant anything
terse willow
Still waiting for someone to find the two I have hidden in my boxes which actually do mean something π
stiff egret
Which boxes you talking about?
@terse willow
π π π π π π π π π π π π π π π π π π π π π
Still waiting for someone to find the two I have hidden in my boxes
which actually do mean something π
π π π π π π π π π π π π π π π π π π π π π
fair adder
moved /root to /root2 and made my own /root, turns out that doesn't work either though the implications of having king move and not update... π
fair adder
gg
safe crescent
gg
sudden tendon
https://tryhackme.com/games/koth/join/e3a26d206c4dd1903ba98461
@sudden tendon @safe crescent @fair adder Do join if you guys are free
safe crescent
I've finished up for the day getting late
gentle hatch
get your own binary of chattr on the box and change it to a non-obvious name π
symlink the old version of chattr or rename it to keep people busy
ooh first time getting this box
glhf
sudden tendon
ooh first time getting this box
@gentle hatch second time in a day for me
gentle hatch
π I installed a really cool backdoor if anyone can manage to find it
machine is dead, reset
monster did you disable ssh before?
i had to re-enable it to get it up before, im gonna report this
pretty weird that web-services are down and ssh isn't working yet you're getting king lol
pls reset
sudden tendon
monster did you disable ssh before?
@gentle hatch no dude I thought you did lol
I thought you closed all the ports damnn
gentle hatch
the IP address on my browser didnt update after the reset lmfao, apologies
sudden tendon
lol it's okay
gentle hatch
good game!
gentle hatch
i know! i've never seen a game that close lol, I've never beat you until now haha
sudden tendon
π π’ It's my birthday and I wanted to win so bad but still couldn't lol
It hurts dude
gentle hatch
π¦ happy birthday!
sudden tendon
Thanks dudeπ₯°
gentle hatch
why do you guys keep resetting?
winged charm
Hey guys, weβve been fairly lenient on the resets. please donβt abuse this feature, and turn this into a problem. Thanks!
obsidian zinc
why do you guys keep resetting?
@gentle hatch bc one of us wants a chance at becoming king
@gentle hatch others want a chance
gentle hatch
thats not going to help if I already know the method to get root lol
obsidian zinc
I know to get root and become king you've just locked us out lol! Yes I uderstand thats the point
gentle hatch
i just chattrd king.txt no big secret
obsidian zinc
I know i cant un chatterd it
nova tide
@Droogy#0282bc one of us wants a chance at becoming king
@obsidian zinc That's not the purpose of KoTH. If one way you know is patched its better to find other possible ways in. instead of spamming reset.
gentle hatch
maybe i hid chattr π
nova tide
I know i cant un chatterd it
@obsidian zinc So its time to useman chattr??
Also you can always get your own chattr binary on the system.
With a different name, hide it in a different place?
obsidian zinc
Also you can always get your own chattr binary on the system.
@nova tide did not know that
Thanks
gentle hatch
same directory just different name if thats okay?
nova tide
Google: busy box binaries
obsidian zinc
@nova tide thanks. I appreciate the tip. @gentle hatch did you kick me out lol
gentle hatch
no sir I did kill a shell like 10 mintues before but only bc someone killed mine >.<
obsidian zinc
hmm @gentle hatch I cant get into the machine. Technically im a ma'am
gentle hatch
apologies
obsidian zinc
@gentle hatch all good
gentle hatch
i swapped ports on some services
i just left a cool backdoor on the regular http server if someone can find it (no foolin i promise)
obsidian zinc
@gentle hatch hmmm okay
dreamy rune
obsidian zinc
https://tryhackme.com/games/koth/join/2b05b6fb21566b2aff4431d1 if anyone wants to join
sudden tendon
Thanks for the link @obsidian zinc
obsidian zinc
you are welcome @sudden tendon π
sudden tendon
π€ 
gaunt cradle
crisp needle
Is anyone doing "King of the Hill"?
winged charm
Just join a public game it will toss you in a match thatβs getting ready to start, you can then share the link here and invite people to join
crisp needle
crisp needle
Is it necessary to have something installed to solve King of the Hill challenges?
winged charm
kali should be all that is necessary
crisp needle
I don't know why I could not solve any challenge
tepid berry
I don't know why I could not solve any challenge
@crisp needle the machine was patchedπ
crisp needle
So did I have to find the password of that machine?
quiet schooner
Each machine is different
tepid berry
So did I have to find the password of that machine?
@crisp needle find vulnerabilities on the machine to exploit
crisp needle
I am in, but I don't know if I will score
crisp needle
Yes, cannot access the website by IP address
sly turret
did you started your openvpn
crisp needle
Does not work
quiet schooner
Yes, cannot access the website by IP address
@crisp needle Nto all of them run webservers
crisp needle
Do I need to hack the target machine?
runic quail
!docs koth
pearl gladeBOT
TryHackMe
sly turret
anyone on the box rn ?
crisp needle
I am trying
sly turret
try to search for a password and a username
crisp needle
Can you show how you managed to become King and how you found easy flags?
gentle hatch
ur free to patch but if you wanna have a gentleman's agreement to not kill shells I'll take it
either or tho I dont really mind play however you want π i dont kill shells anyway unless someone starts with me lol
crisp needle
What does killing shells mean?
gentle hatch
kill -9 <PID of shell>
sly turret
ll
gentle hatch
kicks you off the machine
sly turret
kk no shell killing
crisp needle
And how to get an easy flag?
gentle hatch
if you get a foothold check user directories
no foothold, check webapp
thats basically it
sometimes an anon ftp server
ahhhhhhhhhhhhhhhhhhhhh
i hate offline
but we
crisp needle
I guess that for koth, it cannot be streamed
verbal comet
Yeah
sly turret
is anyone already inside
sly turret
i dont like windows
crisp needle
I use dual boot
gentle hatch
yeah i just gotta brush up on my persistence techniques for windows, its a pain tho for sure
at least theres only like a 1/10 chance of getting Offline
at least I found where some ssh passwords are hiding c:
GG
sly turret
another one ? but pls not windows
gentle hatch
im down send link
gentle hatch
oo haven't done this one
verbal comet
Me too
gentle hatch
i play one more then finally go to gym π
gentle hatch
yes sir then i cleared permissions on it
very rarely you have to utilize capabilities for KotH if ever
sly turret
k
gentle hatch
i think there was a suid binary left in there the whole game tho
hopefully you guys didnt get stuck in that python sandbox lol
gentle hatch
yeah I removed SUID permissions on vim which got me in initially
verbal comet
lol
gentle hatch
I briefly made bash a suid to privesc some redundant shells but that was just like a minute
verbal comet
i was searching for getting root
if I have seen the vim getting root would be easy
then
sly turret
i dont get it when i search for suid file i get a list ... than i check with ls -la ... but when i want to use it with sudo -u root it says i have no permission
clear pawn
anyone wana hop in the public lobby
gentle hatch
you're attempting to execute a command as a lower-privileged user as root which is a big no-no
run whoami
if ur not root then you can't execute a command as root
and if ur not given permissions in the sudoers file then you also can't execute commands as other users
sly turret
so when my user is not in the sudoers file i cant use Suid binarys
sweet spade
How you are so fast? You became king within 3 minutes.
gentle hatch
i literally just did this box last game π
you can @sly turret but double check if SUID bit is set on binary
sweet spade
You just closed every thing in the box..
Now everyone is sitting. hahaha
gentle hatch
naw there is still a route
webapp will definitely take a bit of effort now tho
pkexec is not SUID exploitable
sly turret
yeah ok but its suid so i should be able to run it as root right ?
sweet spade
yeah there is a input field with get parameter.
But I am not able to do anything with that.
gentle hatch
not unless you are in sudoers file with permissions to execute files as root
there are some vulnerable processes running tho
you can still submit on webapp, intercept in burp and figure out how to make a submit request
sweet spade
ok let me check.
gentle hatch
just think about how php forms process input
sweet spade
you added droogy is the best in that request.. hahaha
gentle hatch
gentle hatch
i got kicked out a few minutes ago something may have been patched :/
sweet spade
May be because you are king from starting of the game.. π
sudden tendon
gg guys
gentle hatch
gg everyone!
sudden tendon
you were great man @gentle hatch
gentle hatch
ahh tysm it was a little unfair since I just did this box before this game but always fun playing with ya π
sudden tendon
This was my first time on this box....I was a little cluelessπ but it was fun
gentle hatch
eh its offline no one is gonna wanna play this anyway
verbal comet
try -Pn
gentle hatch
no i mean like the box name lol
verbal comet
i am just practising on AD pls I wanna try on this.I chose this box specifically.
After this we will play it normal way
gentle hatch
i dont mind playing this im just saying most people avoid it lol
verbal comet
hey How do u got in?
gentle hatch
complete this room and you'll get all the practice you need π https://tryhackme.com/room/blue
verbal comet
Didnt thought it would be vulnerable to blue.I was thinking of GPP aka MS14-025 but sysvol was inaccessible.
crisp needle
Can someone stream how to play once the game is finished?
quiet schooner
There are writeups for 2 of the KoTH boxes, on the standalone rooms
I recommend getting some practice on those ones
crisp needle
I already know that I will end up with 0 flags
quiet schooner
Yeah, so practice
winged charm
yes, the box is booting that's normal, you're not a subscriber so you're getting a sample of the attackbox. If you want to use the attackbox more you need to subscribe
crisp needle
The issue is that I don't know how to use that AttackBox to achieve anything
crisp needle
M0N573R777, can you tell how to got the flags?
quiet schooner
There's a very important lesson here.
You need to learn the skills. Just having instructions to get the flags probably won't help much. I really really recommend completing some rooms before starting KoTH
stiff egret
if once I bypass by lazy-ness threshold, I'll complete the blog
crisp needle
Do you mean there? https://tryhackme.com/hacktivities
quiet schooner
Yes, that's a list of all the public rooms
crisp needle
The issue is that I do not even know where are the relevant files and scripts when I open a new AttackMachine like this
quiet schooner
It's basically Kali.
Everything is linked with shortcuts too. You need to practice to get familiar.
There's no way around it, you need to put the work in and practice.
teal raptor
echo "msg" > /dev/pts/$
clear pawn
ooo I know it wasn't with wall because it was "cleaner"
maybe it was the echo method
that's pretty cool
stiff egret
- that was me
- I used wall
- you should give
man walla read.
nova tide
@stiff egret Stop playing koth behind my back 
nova tide
Can you use kali browser from phone?? π
If yes i can play 2-3 games during my office hours
winter mauve
Hello there :), i just start a a new public KOT and i had only 404 error when i try to access the page of the session :/ any issue ?https://tryhackme.com/games/koth/12114
stiff egret
It's either that the game actually doesn't exist or Site was going through some troubles few minutes ago, maybe it is because of that. Either way, You can re-join a new game. π€·ββοΈ
winter mauve
humm ok must leave this one before creating a new one i guess
clear pawn
im waiting in the new public lobby rn
stiff egret
π
winter mauve
seems ok now ^^
terse willow
Aye, go for it @stiff egret
clear pawn
I was trying to brute force the "Hacker" machine's users for over 40min, what was I doing wrong?
is there another trick to it?
quiet schooner
@clear pawn someone might have patched it.
gentle hatch
if u were in the same KOTH game as me for that I think it was broken, I looked at a writeup after to make sure I wasn't crazy and I did everything right but got a foothold on the wrong user
no one got root
but maybe they updated the box idk
polar summit
anybody up for KOTH
crisp needle
Who is keen for a KOTH game later in the day?
silent pebble
first KOTH win!
dusty canyon
Nice
cerulean sparrow
cerulean maple
Which machine ?
sly turret
gg
hushed palm
sorry but yes π
hushed palm
wp π
quiet schooner
No spoil
gentle hatch
i just gotta learn how to avoid getting nyancatted, not sure where to start with that
luckily i had persistence but still
sly turret
@quiet schooner deleted the messages
crisp needle
The IP address of the target is not given?
gentle hatch
GG!
gentle hatch
gg π
sudden tendon
lol gg dude
nova tide
boring
@cerulean sparrow want me to join?
winged charm
I swear no one playing koth knows how to set up persistence
wasnt there just a room on persistence geez
stiff egret
clear pawn
how do you guys brute force hacker so fast
nova tide
custom wordlists or using -t 64
clear pawn
hmmm custom wordlists ey?
im using rockyou and it's gotten me no where hehe what wordlist are you using?
nova tide
the one i made for hackers.
clear pawn
alright
nova tide
rockyou would be enough though
but would take a little bit of more time
just use -t 64
crisp needle
crisp needle
Gg
grand hamlet
how much knowledge need to play koth ? is it for intermediate players ?
grand hamlet
..
tepid hornet
Try Playing a game
grand hamlet
yep..
grand hamlet
https://tryhackme.com/games/koth/join/71159ad527aef89b845d96c4
@hushed palm why so pro man .. i got one flag only ooof
hushed palm
@hushed palm why so pro man .. i got one flag only ooof
@grand hamlet keep trying there are multiple vulnerabilities
grand hamlet
@grand hamlet keep trying there are multiple vulnerabilities
@hushed palm yep i saw ..
300 points htf...
I mma out π
grand hamlet
@hushed palm you do bughunting?
hushed palm
no i dont
grand hamlet
okk
silk needle
delicate walrus
r
clear pawn
anyone wana play?
patent forge
public game in 10 mins β€οΈ https://tryhackme.com/games/koth/join/7ede72152cf63d14f687d496
crisp needle
Anyone keen for a game of koth?
sudden tendon
Yeah!I'm bored
crisp needle
Make an invite
jolly hornet
harsh obsidian
how's everything going?
harsh obsidian
If you post an invite link, I'll join. Probably won't play as I'm working on another room, but I'll join so you don't get the game cancelled.
clear pawn
wow thanks, link above
harsh obsidian
that's just the spectator link, I need the invite link
harsh obsidian
In the lobby, on the top right, click options. Copy and paste the Invitation Link
stiff egret
No, spectator link only allows user to see scoreboard, whereas to actually play in the game, you need invite link.
harsh obsidian
Make sure you scan for, and look at, all ports. Especially "non-standard" ones........
vocal shell
how could symlinks be used in red v blue environment (ex : koth)
quiet schooner
how could symlinks be used in red v blue environment (ex : koth)
@vocal shell #infosec-general
tribal wren
Hey, someone up for koth? Will be an easy one, its my firs ttime π
@fair adder Oh man one hour too late.. π
fair adder
Yeah, unfortunately
tribal wren
Got time for another round?
I'm in a public room right now π Starts in 25 minutes
tribal wren
It's my second time ever
tribal wren
Yeah why? π
fair adder
The webpage is killing me π
tribal wren
Haha yeah when I opened it the first time I was like: Oh my...
fair adder
yeah... Is there an option to stop gifs repeating?
tribal wren
There must be
fair adder
unfortunately i cant voice chat actually π¦ Would be fun
tribal wren
yep looking good
tribal wren
Got two yeah π
tribal wren
Where exactly?
fair adder
got a ||base64 string which should be a pkzip|| file. but i dont know how to get this file
stiff egret
Please avoid spoilers.
Use ||spoiler|| if necessary
fair adder
Hope thats better
tribal wren
You can DM me if you want. Then we don't have to spam the chat here π
mossy token
anyone up for koth ?
fair adder
At the moment there is a scheduled one open: https://tryhackme.com/games/koth/join/7645b32109206ff0b3e20be1
starts in 17m
fair adder
Who is modifying the flag in ||/home/ashu|| and deleting the ||server1.py|| in ||/home/skidy||? 
sly turret
... yeah rude π¦
i found something in server1 but i cleared my terminal and cant remember
fair adder
Maybe its part of harden the vm -.-
terse willow
Modifying flags and deleting files are both against the rules
fair adder
That happend here π¦
terse willow
Email koth@tryhackme.com with the game ID π
fair adder
Game ID is the number in the URL, right?
fair adder
@potent oyster do you know who deleted the file?
wraith geyser
who fork bombed
fair adder
idk
winged charm
whaaaaat
gloomy estuary
@wraith geyser did you delete the flags of fortune?
hazy zodiac
fair adder
@wraith geyser did you delete the flags of fortune?
@gloomy estuary i have the same question
wraith geyser
i didnt delete the flags
they were all named flag not flag.txt
thats for the 1st 3
idk about the other 4
@fair adder @gloomy estuary
gloomy estuary
I don't want to know if they were renamed, just if it was you or not
whatever, just want to know who deleted it. Missing flags and some users in / home
gloomy estuary
all right, bro. I already played this room, and I remember having 2 more users on / home. Someone deleted
marsh perch
[root@tyler narrator]# cd /root
[root@tyler ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@tyler ~]# ls -la
total 7432
dr-xr-x---. 4 root root 221 Mar 27 2020 .
dr-xr-xr-x. 18 root root 272 Mar 25 2020 ..
lrwxrwxrwx 1 root root 9 Mar 19 2020 .bash_history -> /dev/null
-rw-r--r--. 1 root root 18 Dec 28 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 28 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 28 2013 .bashrc
drwx------ 4 root root 33 Mar 26 2020 .cache
-rw-r--r--. 1 root root 100 Dec 28 2013 .cshrc
drwxr----- 3 root root 19 Mar 25 2020 .pki
-rw-r--r--. 1 root root 129 Dec 28 2013 .tcshrc
-rw------- 1 root root 0 Mar 27 2020 .viminfo
-rw-------. 1 root root 1418 Mar 19 2020 anaconda-ks.cfg
-rw------- 1 root root 6 Oct 28 03:05 king.txt
-rwx------ 1 root root 7576048 Mar 26 2020 koth
-rw------- 1 root root 33 Mar 26 2020 root.txt
[root@tyler ~]# echo "itspossible9" >> king.txt
bash: king.txt: Permission denied
Why I can't write to king.txt file
marsh perch
cat /usr/bin/chattr
cat: /usr/bin/chattr: No such file or directory
Where is chattr binary?
locate chattr
mystic talon
someone prob deleted it lul
nova tide
its not always on the system. people upload it from their machine and rename it
mystic talon
ye
marsh perch
Oh I see
mystic talon
you can upload the one from your machine and run it
marsh perch
What's the user of that binary though?
nova tide
try checking out busybox binaries
mystic talon
you have to be root to use chattr
marsh perch
I was root
mystic talon
well what do you mean with "What's the user of that binary"?
cerulean maple
Google chattr
mystic talon
in this case the "immutable" attribute is being set
marsh perch
Oh I see
nova tide
or just man chattr on your local machine.
cerulean maple
Hmmm
marsh perch
Thank you all
cerulean maple
Now become king β€οΈ
marsh perch
lol I ran out of time
cerulean maple
oh xD
marsh perch
Rank User Country Flags King Time Points
1
pr1sm
6 54m 680
2
itspossible9
5 0m 115
3
mechboy
1 0m 15
Anyways you learned something
marsh perch
Yes
cerulean maple
that's all that matters
fair adder
Have a look here: https://tryhackme.com/games/koth
crisp needle
weary axle
are the koth machines down?
ote: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.03 seconds
its been 5 minutes
offline
tribal wren
Happened to me yesterday. Had to restart the VM...
fair adder
Is it allowed in koth to remove entries from /etc/sudoers and alter entries in /etc/passwd? Asking for a friend π
terse willow
As long as the functionality remains the same @fair adder
For example, if the permission in sudoers is for vim, you could change it to sudoedit over a specific file
Or set the target of a sudo command to something totally useless and very specific
fair adder
Changing the login from /bin/bash to /bin/rbash seems not really to be the same, right?
terse willow
I mean, technically throwing someone into a restricted shell isn't really changing the functionality. In the real world that's a protective measure π€·ββοΈ
It's also not impossible to escape something like rbash
fair adder
Okay. So I'm my friend is safe there.. But what about deleting lines from /etc/sudoers?
terse willow
If the user is meant to be able to change stuff with sudoers then that functionality should remain -- unless it's a very stupid security hole
fair adder
user could execute find with root perms... I think this is a security hole.
terse willow
I would say try not to delete them, but if the line is something like: user ALL=(ALL:ALL) systemctl you could change it so they could only change something specific
Em, yeah, Ok, with something like find, given the exec, I think you'd probably be justified in removing that one
But ideally replace it with something equivalent, without the hole
grand ember
It's also not impossible to escape something like rbash
@terse willow unless you screw something up when setting up the env for it π
terse willow
Heh
nova tide
Oh koth-staff can even remove lead mod's messages
short tusk
You should be able to remove anyoneβs, even admins
winged charm
Hold up fr
thatβs mad
but only in here so big sad
Oh hold we can pin as well very cool Kanye
nova tide
@mint cargo come here now,i will show you my powers
wraith geyser
crisp needle
https://tryhackme.com/games/koth/12502
https://tryhackme.com/games/koth/join/fa1bec2ba0621ff567cce66d
7 mins
nova tide
@wraith geyser that's a spectator link
shy pasture
To Chmod93, of the koth : Good game ! You scared me, at the end ! π
mint cargo
@mint cargo come here now,i will show you my powers
@nova tide NO
u bully me naughty π¦
fair adder
heyya
winged charm
Hey
nova tide
Heyy
cerulean maple
Heyyy
fair adder
yyeeh
nova tide
@runic quail #announcements
runic quail
Aye, thank you @nova tide and @stiff egret . 
stiff egret
π
gentle hatch
So when are you guys going to make a blog post on your C2 infra and rootkits π
stiff egret
:never:
nova tide
^
gentle hatch
haha, great post tho btw, I saw a variation of that SSH trick in the operator's handbook except it also bypasses .bashrc and also hides from w and who
stiff egret
(we did leak about clobber)
gentle hatch
I just need to keep playing BG with ippsec, dude is always dropping nuggets like that
stiff egret
(only 20 )
gentle hatch
I have a quick question about nyancat'ing someone, are you binding the service to a port or having nyancat run whenever a user runs what they think is a legitimate service?
I've tried playing around with it on a VM but couldn't really get it
nova tide
Don't stop any service.. for nyancat you can just run it on their tty
nova tide
if you want to take it to next step try making them play tetris
spare crest
So when are you guys going to make a blog post on your C2 infra and rootkits π
Just look at the opensource Reptile (Kernel Module) or Vlany (ld-preload), are good for starting out.
runic quail
Nice blog post @nova tide and @stiff egret, also nicely explained. I guess I can win some matches now. π
winged charm
@weary axle shouldnβt take more than 5 if it does youre doing something wrong
weary axle
it takes real long
winged charm
You sure someone hasnβt changed the password
the point of the game is to defend and attack
stiff egret
@weary axle Don't post spoilers without hiding them, also, the machines have multiple entry points, you can always let hydra do its thing while you try to search for more entrypoints,
weary axle
was that a spoiler??
and how to make text spoler?
You sure someone hasnβt changed the password
@winged charm me and my other account are playing.
no one else
stiff egret
||<spoiler>||
nova tide
IIspoilerII
harsh obsidian
https://tryhackme.com/games/koth/join/e163cbcf213020e8025d83ed
@velvet nexus Have you enumerated the box with nmap? Did you look at the results of default scripts and not just what port numbers are open?
sly turret
https://tryhackme.com/games/koth/join/4370693c7f33727db7d040be
Beginner friendly not to much patching
sly turret
@fair adder nyancat is not patching π
fair adder
Did you have shell?
sly turret
not atm
fair adder
Okay
sly turret
zou changed the ssh port right ?
fair adder
zou changed the ssh port right ?
@sly turret Maybe xD
nova tide
If anyone wants to learn/Guidance about KoTH, they can always check out this blog post:
https://blog.tryhackme.com/guide-to-king-of-the-hill/
sly turret
changed or killed π€
fair adder
If anyone wants to learn/Guidance about KoTH, they can always check out this blog post:
https://blog.tryhackme.com/guide-to-king-of-the-hill/
@nova tide Nice!
changed or killed π€
@sly turret Nmap can answer your question
fair adder
What "cheaky" means? ;-;
sly turret
u crashed the Box ?
fair adder
u crashed the Box ?
@sly turret Sorry, i was testing the iptables
sly turret
k
fair adder
Try again
fair adder
Use of iptables on the KoTH boxes is banned, iirc
@terse willow lol
I didn't know, sorry @sly turret
terse willow
If it's a private game, go nuts. Use your own rules π
quiet schooner
*within reason
Attacking other user's machines is still off limits, because that's illegal.
fair adder
Attacking other user's machines is still off limits, because that's illegal.
@quiet schooner The fun is play nyancat on other player's machines
quiet schooner
That's different
sly turret
@fair adder you need that rainbow parrot thing its 100x better than nyancat
fair adder
@fair adder you need that rainbow parrot thing its 100x better than nyancat
@sly turret xD i will try
@sly turret Did you see nyancat on your terminal?
fair adder
/etc/ssh/sshd_config
@fair adder can you teach me how you changed the port and the name
@sly turret The name of what?
sly turret
before you changed it was named ssh on port 22 you changed the port and the name
fair adder
I just changed the port, maybe nmap identified it as another service
sly turret
aa ok
weary axle
anybody for koth?
||chattr +i /root/king.txt|| whats the opposite for this command?
nvm found it
for anyone else
it is
||chattr -i /root/king.txt||
anybody playing koth after 5 10 min ???
cerulean maple
KoTH anyone ?
Starts in 5min , machine is Hogwarts
https://tryhackme.com/games/koth/join/444d4e32736773b621cd6d3b
weary axle
join pls
patent forge
@hot bloom are u playing the koth?
hot bloom
Yep
patent forge
glhf π
hot bloom
Haha! Let's do it!
velvet nexus
hello guys
hot bloom
@patent forge did you give up?
compact hare
Can someone help with the hogwards KOTH?
I am stuck at a certain point
It would realy help a lot
gentle hatch
if you're having trouble just create a private game for it and lab it out
its not a very difficult box, just unique
compact hare
Thats what i did with a friend of mine
We are stuck on the login page
And we have 24 minutes left
So if you can hint me anything please do
gentle hatch
theres a much easier way that doesn't involve any web-hacking
make sure you enumerate all ports properly
gentle hatch
did you interact with every single port you found from your scan?
gentle hatch
the only thing I can say is that it's a very basic service
there's no need you'll get it π
hot bloom
Someone already playing?
stiff egret
Anyone up for KoTH, ping me too! It's weekend! KoTH night!
cerulean maple
In 5mins , Machine : Hogwarts
https://tryhackme.com/games/koth/join/f545421f30c4a6e73cf22a97
@stiff egret Do you want to play too ?
stiff egret
@latent shell it's like your wish come true
lol
@stiff egret Do you want to play too ?
@cerulean maple If you don't have any problem with that
cerulean maple
No problem at all , but for a fact I know that I'm going to lose xD
2 min remaining
stiff egret
@latent shell
latent shell
yaas
stiff egret
hop in
latent shell
joined
stiff egret
@nova tide I don't think you'll play? (don't it's for fun and we both fight)
latent shell
me ready 
cerulean maple
Oh umair form secarmy how are you
latent shell
ayy i am good hbu
cerulean maple
Fine !
noble wren
i can't talk on the voice sorry
stiff egret
hop in the game just started
cerulean maple
Yes game just started
noble wren
In 5mins , Machine : Hogwarts
https://tryhackme.com/games/koth/join/f545421f30c4a6e73cf22a97
@cerulean maple this?
cerulean maple
yes
nova tide
I'm playing siege for now
cerulean maple
Oh
stiff egret
NOICE
latent shell
nice port list you got there π€£
nova tide
hogwarts?
cerulean maple
yes
nova tide
you are not allowed to play it
stiff egret
Ik, but umair insisted
nova tide
good luck to him then
latent shell
no i didn't , he is abusing us with his machine
latent shell
FFS
noble wren
hogwarts i have already played that machine before
stiff egret
lies on the top of lies on the top of lies
cerulean maple
xD
stiff egret
LOL
noble wren
will you guys play another box after this
noble wren
that's better
noble wren
lol
stiff egret
@nova tide
nova tide
noble wren
damn 1 vote to reset the machine
noble wren
becuase you patched everything
stiff egret
what, no
nova tide
becuase you patched everything
@noble wren uhmm do you even know the rules??
stiff egret
I did this while sharing screen, I didn't patch one thing
nova tide
stiff egret
Yeah, tho I haven't patched, but patching is not against the rules, it is actually the purpose of this
noble wren
@nova tide lol then what is the purpose of playing it
nova tide
There's nothing patched.. you are not Trying hard enough
check the blog post/pin message if you want to know anything about KoTH
noble wren
bruh you aren't even playing
nova tide
But i know the rules and you should too
noble wren
lol, you know?
stiff egret
um, What do you mean?
stiff egret
GG
but just so you know,
Even tho I didn't patch anything on machine, as Naughty said, patching is one of the main purposes of this game, I didn't patch it so others can get a chance.
stiff egret
GN
nova tide
nuh. it's for @nova tide
@noble wren you even have any idea what you are even saying?
GN
opal crown
ive never done a KOTH before, i might be an easy opponent
nice and windows decided to reject my activation key right as soon as i joined
opal crown
i definitely need to hone my skills before doing one of these in the future
im not giving up but i definitely wont be winning this lul
marsh perch
Hi @fair adder
fair adder
hi
marsh perch
Any hint for privesc?
marsh perch
tmux?
fair adder
idk xD
fair adder
You'll have to find out
I tried tmiux earlier but it wasn't working
@marsh perch There are others ways
marsh perch
I am not able to find anything on this box
@fair adder
I will appreciate if you can help little bit
fair adder
Do you have shell?
fair adder
Hmmmm....
I have patched the tmux EOP
So maybe you should take a look at the versions
fair adder
lol
dapper fern
winged charm
have you attempted to scour for a writeup
weary axle
hey guys
when i do ||echo myuid > king.txt||
and do ||cat king.txt||
i dont see anything
but when i do the echo id thing the other persons id id coming
why isnt my id coming??
someone resteted the machine now it is working
idk why it didnt
oak pawn
can someone give some tips on hogwarts? lot of ports and harry potter quotes
bright panther
can someone give some tips on hogwarts? lot of ports and harry potter quotes
@oak pawn find something to run sqli against
stiff egret
Usually I'd say enumerate harder, but It's sunday, so free hint: Check for services, one of them is very very common and that is the easiest way to get in the machine.
winged charm
theres a writeup somewhere for it
stiff egret
Cry, what did you do with your PFP
stiff egret
...
winged charm
false
short tusk
Haha
stiff egret
power abuse
stiff egret
Oh now I remember why I approved it
winged charm
if theyre actually playing with others that defend well the writeups can become useless
stiff egret
plus it only shows one method
winged charm
yerp
stiff egret
Once everyone is in machine, no point of writeup then
bright panther
BTW is it ok to kick others out of koth boxes. Like use kill?
bright panther
Or change password
stiff egret
That'll help a lot
winged charm
winged charm
If anyone suspects that someone is cheating in a KoTH match, please email: koth@tryhackme.com.
Please include your game ID, username, username of the player you think is cheating, what they did / any evidence you have of them cheating
winged charm
If anyone suspects that someone is cheating in a KoTH match, please email: koth@...
winged charm
https://docs.tryhackme.com/docs/koth/king-of-the-hill/
short tusk
If I started to play KOTH, I'd be reported 24/7 because I'm so 1337
stiff egret
OK one more pin and I'll report power abuse
stiff egret
Yeah, they all say that
short tusk
Yeah Skidy banned me from playing so I can't prove it π€·ββοΈ
winged charm
pinning pictures of my doja-chan
short tusk
Sorry I was predicting the future
Yeah Skidy banned me from playing so I can't prove it π€·ββοΈ
@short tusk
short tusk
lmao
crisp needle
https://tryhackme.com/games/koth/join/b748af93d9eb88a85611ed5d
23 mins
If anyone is interested
crisp needle
https://tryhackme.com/games/koth/join/73ba13f8b47a6cb0f1974cd6
24 mins
If anyone interested
fair adder
Take a look at gtfobins.github.io
weary axle
but at which step did u do it??
fair adder
Take a look at EOP tricks
fair adder
xD
velvet nexus
it is a public game bro
velvet nexus
okay
weary axle
pls tell me some tricks
velvet nexus
which room
bro
if i know i will help you
9 mins left
@weary axle are you still in the game ?
weary axle
velvet nexus
ok bro sorry
weary axle
np
@velvet nexus
which command did u run can u tell meπ
ik this sound like idiot
velvet nexus
i will say you in the private chat
velvet nexus
i just used the chattr +i
fair adder
Maybe someone has deleted the chattr
velvet nexus
but its opps is chattr -i
@weary axle is it even i don't this until now
weary axle
cause i did it and still perm denied
velvet nexus
but when i did echo it worked
fair adder
--------------e-- ./flag4.txt -----a-------e-- ./king.txt -------------e-- ./koth
Maybe the machine is in trouble
quiet schooner
Is clobbering disabled?
https://en.wikipedia.org/wiki/Clobbering
fair adder
Is clobbering disabled?
https://en.wikipedia.org/wiki/Clobbering
@quiet schooner No
weary axle
--------------e-- ./flag4.txt -----a-------e-- ./king.txt -------------e-- ./koth
@fair adder where u founf this
fair adder
lsattr
fair adder
Carnage
stiff egret
If only people would give the blog a read. smh.
fair adder
'-'
fair adder
Reset? xD
fair adder
did you mean busybox?