#web-application-pentesting-path
Great pathway 
Thanks TryHackMe, look, I did not finish the El Bandito room in this path, nice reminder, let me check it so I can finish this new path.
5th.
Thanks @THMStaff for this, I have been waiting for this path for long long time.
Loving it already.. thank you.
I can't paste into the AttackBox from the task. Am I the problem, or did something change with the site?
thanks tryhackme for creating this path.
Thank you!
Are there any prerequisites that should be met before taking this path? Previously I completed the Jr Pentest and Web Fundamentals learning paths. I also have a little experience in web dev (Python), but I never learned JavaScript before. Am I good to go, or should I finish cybersec 101 first before taking this path?
HTML and CSS basics so you can understand how web pages function, and familiarity with vulnerabilities like XSS, CSRF or the OWASP Top 10 should be enough.
You may want to skim through just so you can fill in any gaps
If you don't want to use the clipboard feature, just allow the THM site to access your clipboard and it will let you copy-paste normally (it might ask for access at the start when you open the AttackBox).
A week ago I was doing a bunch of research on it and now you make a path. Thanks.
Try Ctrl + Shift + V
ok. thanks for the advice :3
Hi
Hi, welcome.
Thank you so much to everyone who participated in making this awesome pathway. It will definitely be on my next TODO after cybersec 101.
Hey there!!
Hi
Guys, if anybody has started bug bounty recently, could you please guide me as well on what skills you acquired to get started with it?
Have a look around #bug-bounty
okay Thanks
I have just finished the OAuth room from the web app pentest path and guess what, I loved it. The way they have implemented the OAuth provider and multiple clients helped me better understand the protocol. It's definitely worth it.
Hello!
In Enumeration & Brute Force: Task 5 Exploiting HTTP Basic Authentication... I got a 301 instead of a 200 HTTP status with Burp Suite due to my URL not having a trailing /. I waited a bit too long using Intruder to discover my mistake.
just thought I'd share
this was a good tip "The attack will take a little less than 2 minutes."
hydra 0m1.439s
On NoSQLi in the "Bypassing the Login Screen" section, why don't I see the result of the injection in Burp and only in the browser?
Advanced SQL Injection: "Let us know your thoughts on this room on our Discord channel or X account. See you around." I really liked it, and learned a lot. I had fun being creative providing SELSELECTECT.
Room Enumeration & Brute Force - Task 5: I solved it with Burp and now I am trying to solve it with Hydra. Why does this command not work?
hydra -l admin -P ./500-worst-passwords.txt -f enum.thm http-get /lab/basic_auth/
It returns 123456 as the guessed password.
The format may not be compatible.
I used this command (different wordlist) and it worked for me.
Thanks for the response. OK, but the same wordlist works with Burp Intruder. Why doesn't it work with Hydra?
I also tried with rockyou.txt but I receive the same output.
[80][http-get] host: enum.thm login: admin password: 123456
Oh no! I forgot the 's' (lab)s
/labs/basic_auth/.
Now it works!
Have you added domain to /etc/hosts ?
Yes, I had forgotten the 's' in labs.
Ah ok, my bad, didn't see your previous comment, silly me.
Not a big issue, but a typo you guys might want to fix:
Client Credentials Grant on the OAuth module
HTTP Request Smuggling > Task 7 Walkthrough: I keep getting this from Burp Suite "The basic request does not contain a blank line, and so is not a valid HTTP request." upon trying to "Start attack" with intruder. The pasted data from the example visually seems correct. Could this be a \r\n issue?
I have tried both Kali Linux and the AttackBox VMs
Yes it could, press the \n button to see whitespace characters in Burp Repeater.
Ah! OK, thanks, I'll give that a try.
That is all it was; I pasted in \n instead of \r\n. Thanks for the help.
Hey, not sure if this is the best channel to post this but I'm around 20% of the way through this path and I'm wondering what you guys are doing regarding the practice rooms that aren't directly in the paths so far. I did a couple of them but I felt like I needed to learn more theory to really get as much out of the rooms as I could but I also know I learn best by doing so those rooms look really good in that sense. Are you guys doing a bit of theory and a few rooms here and there or are you waiting to finish the red teaming path before tackling the rest of the rooms? What are you finding to be the best balance? Thanks in advance.
Theory + practice = best combo. I would recommend you finish the Cyber101 path if you haven't done so already. Also try to start with easier/guided CTFs at the beginning and then move to some more advanced ones.
Thanks for the advice.
Also, if you ever encounter a problem when solving a room, feel free to send a message here or in the https://discord.com/channels/521382216299839518/522158539129618453 channel.
not finding this pathway the most fun tbh,
this OAuth room is a bit confusing and messy imo
What's the problem?
injectics should be rated hard imo. That second flag is pretty mad.
why is this posted in this channel and not #resources or #research
My thoughts initially were that it connected to the path content relating to OAuth; you believe this was not the right place to post this?
thanks for the insight
Nah, I think it would get noticed more if posted in those channels, and this sounds like useful knowledge.
not wrong to post it here
just want more eyes on the topic
the payload was definitely annoying
You used the wrong IP address in the hosts file.
Is 10.10.233.147 the IP of the AttackBox?
Thanks Scrubz
It is a step up in difficulty and will take some time to get used to. If you are aware of or can read JavaScript/Python, it helps. You may need to refer to outside resources as well, as sometimes one room on a topic isn't going to be enough to understand it, especially if it's a hard topic.
Task 6 Prototype Pollution needs http://10.10.95.130:8080/getFlag.php at the very bottom of the instructions, not http://10.10.95.130:8080/; this directs the individual to the wrong page. Pretty sure I can QA check these rooms at this point, there is always something missing.
Yeah, I did the Red Teaming pathway & the Jr Pentester before this was released; the quality of labs in this pathway just doesn't seem near the same as in the Red Teaming pathway, in my opinion.
Also there are so many words that I lose focus very quickly.
It's definitely better than HTB. All their Academy modules are like a book.
This happens to me as well. I don't try to do it all in one go. I try to split it and do the theory tasks for a particular part of the day and then the practical side the other part of the day and that helps me focus and finish the room.
I am on that bit as well, and it's the last bit for me to finish the path. I believe it to be the hardest section.
It is imo.
Hey guys, anyone with an idea of how to poison the auth.log server with a PHP script on the web server with SSH? I'm having difficulties with that.
I am going to have to supplement it with PortSwigger Academy. Pretty sure I am going to have to spend 2 months learning this properly, just like I did with binary exploitation.
If you are referring to a specific room in this path, have you checked a write-up?
PortSwigger's Academy + this path = great combo for web app pentesting. As someone who completed both, I would say that they complement each other in the best possible way.
Have you used any automated tools for smuggling, and if so do they work? I found one from the PortSwigger GitHub and another from defparam called smuggler, and I installed the Burp extension HTTP Request Smuggler.
I am going to try el bandito this afternoon with some of these tools and see if it makes it easier
Uh, when it comes to request smuggling I prefer to do it manually, although I tried HTTP Request Smuggler.
any luck with smuggler? or false positives?
I try to use automation where automation works and manual when automation does not work.
Worked fine for me when I tried, but like any automation it will probably give some false positives sometimes.
Like, I did about 80% of the SQL injection labs on PortSwigger with sqlmap and managed to solve them. I tried to learn the union attacks to do manually and then the rest I was able to do with sqlmap. sqlmap was pretty bad back then but it's getting better.
All done. Frustrating last box, managed to get the first flag but needed a walkthrough for the second.
That's all paths completed. Going to start Side Quest 2024, although I am hoping they will split them into separate rooms soon because I honestly cannot be bothered going back and finding the individual key cards.
Congrats on completing the path!
Hey guys, I'm completely lost. In Prototype Pollution Task 5, I found on the Internet 2 write-ups with the answer to the questions, but I would like to understand the last question:
Create a new property with the name isBanned with default value true. What is the flag value after creating the property? Visit http://MACHINE_IP:8080/getFlag.php to get the flag.
Could any of you help me understand? Because when I try to set this property "isBanned" to "true" it won't work; the AI also fails with some trial and error on this task.
I got it now after a long period of frustration :-D. If you have the same question, here is a hint: ||http://machine_ip:8080/getFlag.php is the website where you check the status; you don't need Burp on this site! Just click on the buttons to check if the flag is there. But you don't have to use Burp on the website with port 5000 as well (http://x.x.x.x:5000). You JUST need to follow the manual which is described on the Task 5 page and then check the status on http://machine_ip:8080/getFlag.php|| Feel free to contact me if you are stuck here.
It isn't related to this topic, but when it comes to proto pollution I would recommend you check out the DOM Invader Burp extension. It is a very useful Burp extension and it should be available in Burp Community Edition also; it works great from my experience and speeds up the process significantly.
https://portswigger.net/burp/documentation/desktop/tools/dom-invader
OK, I will check this in the CTF after the Prototype Pollution room.
Guys, can you suggest some LFI attack challenge rooms?
This one:
https://tryhackme.com/room/lofi
thank you
In the MFA room task 7, there's Python code that does a brute-force. There's a section:
```python
def try_until_success():
    otp_str = '1337'  # Hardcoded OTP
```
How did the hardcoded OTP come about? Like what did the attacker do to get the OTP?
what a sigma
hello
Please, I am kinda stuck in this OWASP learning path,
where one is meant to bypass the authentication system. I have registered the username and logged in, but on login the page is blank and I am meant to fish out the flag from a blank page. I'm kinda lost.
Can you share the room link and task number?
Where should I start the web pentesting journey
Check the link at the top of the Discord channel.
You can start with this path
https://tryhackme.com/path/outline/web
Thank you
FYI - On the Server Side Template Injection room. For Task 7 - Automating the Exploitation, SSTImap.py won't run because the provided procedure doesn't result in the mechanize library being installed. You can mitigate this by running python3 -m pip install mechanize before you run python3 sstimap.py. Once I did that the tool ran just fine.
Hey guys... iterating through directories with gobuster is somehow slow. Is there any way to make it go faster? Any tips maybe?
Try to increase the thread number.
What's the max?
Doesn't it overload the server though?
You don't need to worry much about that in a lab environment.
That doesn't have anything to do with your hardware. Use default values.
Hello, I'm curious which wordlist I should use to search for vhosts in gobuster.
I've been enumerating for hours now and I haven't found a single one, please help.
I used the SecLists top million wordlist and also used the dirbuster wordlist but nothing.
subdomains-top1million-110000.txt could be good
I used that with the vhost flag
and it showed me nothing.
Provide some screenshots so we can try to troubleshoot the issue.
@blissful oyster
Hi Guys, I'm encountering multiple technical issues across different VMs, which are significantly affecting my learning progress. Here's a detailed overview of the problems:
VNC Error:
Error Message: thmVNC encountered an error: Promise timed out. a@ @webkit-masked-url://hidden/:2:124550
This occurs while using the clipboard feature, making it extremely difficult to copy and paste text, which is very time-consuming.
CompTIA Pentest+ (Attacks and Exploits Room - OWASP Juice Shop Task 3):
I captured the following flag: 169940f83378cc420ae4fdeb9c1f73631a2baee6, but it isn't accepted even after retyping it manually.
Breaching Active Directory (CompTIA Pentest+ - Attacks and Exploits Room):
The Network Manager is not working.
The VPN folder is not downloaded, which leads to DNS configuration errors and makes the THMDC ping test fail (IP 10.200.4.101 is unreachable despite the VPN status showing as connected).
I would greatly appreciate your assistance in resolving these issues, as they are hindering my progress. Please let me know if you require additional information or logs.
Thank you for your support!
For Breaching AD, the 10.200.4.101 network is in the stopped state. Are you able to start it?
Hi Timtaylor, thanks for your reply! I just tried pinging 10.200.4.101, and it worked fine. The network's up and running. I added the IP as a nameserver with this command: sed -i '1s|^|nameserver 10.200.4.101\n|' /etc/resolv-dnsmasq. But even after adding the IPv4 addresses (10.200.4.101 and 8.8.8.8) manually, it still doesn't show up in NetworkManager. Here's the output of the ping and nslookup commands:
root@ip-10-10-211-121:~# sed -i '1s|^|nameserver 10.200.4.101\n|' /etc/resolv-dnsmasq
root@ip-10-10-211-121:~# ping 10.200.4.101
PING 10.200.4.101 (10.200.4.101) 56(84) bytes of data.
64 bytes from 10.200.4.101: icmp_seq=1 ttl=127 time=2.83 ms
64 bytes from 10.200.4.101: icmp_seq=2 ttl=127 time=2.58 ms
64 bytes from 10.200.4.101: icmp_seq=3 ttl=127 time=1.69 ms
64 bytes from 10.200.4.101: icmp_seq=4 ttl=127 time=2.38 ms
64 bytes from 10.200.4.101: icmp_seq=5 ttl=127 time=2.56 ms
^C
--- 10.200.4.101 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 1.689/2.405/2.825/0.385 ms
root@ip-10-10-211-121:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Name: thmdc.za.tryhackme.com
Address: 10.200.4.101
root@ip-10-10-211-121:~# nslookup tryhackme.com
;; communications error to 127.0.0.53#53: timed out
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: tryhackme.com
Address: 172.67.27.10
Name: tryhackme.com
Address: 104.22.54.228
Name: tryhackme.com
Address: 104.22.55.228
;; communications error to 127.0.0.53#53: timed out
Name: tryhackme.com
Address: 2606:4700:10::6816:36e4
Name: tryhackme.com
Address: 2606:4700:10::6816:37e4
Name: tryhackme.com
Address: 2606:4700:10::ac43:1b0a
Edit: the same issue was reported here -> #room-help message
Is this for the breachingad network room?
El Bandito is really, really unstable.
Guys, can you suggest some IDOR/BAC challenge rooms?
This one:
https://tryhackme.com/room/neighbour
okay, thank you
I solved this lab; can you suggest more medium-level labs for practice which cover more IDOR and file upload vulnerabilities? Because it's a bit difficult to search for specific vulnerability challenges in THM.
This one has a task around it:
https://tryhackme.com/room/nahamstore
Also check out the new Hackfinity challenge and its Notepad task.
I think the Insecure Deserialisation room is broken.
The answer format is like this,
however this is what I got:
5.15.0 instead of x.x.xxx....
Let me check for you.
Can you please try again?
Just tried again, it seems like it's still the same
as before.
Also tried running it on the playground.php through a PHP wrapper payload and I got the same output as before.
The new answer should work now, pointing to 5.15 instead of 5.04.
Anyone doing the room "Prototype Pollution"? Tried to override with {"__proto__":{"toLocaleString":"a"}} but failed. What did I do wrong?
Has anyone done the "include" challenge?
I'm stuck on the API part, can't seem to figure it out. I'm guessing it's SSRF but
not sure how to actually proceed.
can anyone give a hint pleeease
Yeah, it is SSRF, try to use it to reach some internal (localhost) URLs.
just a question
We can't help you with that, sorry.
thank you
Can someone just point me in the right direction to discover the contents of the txt file in SSTI - Task 5? I can get the payload to display the contents of the directory and my brain has completely forgotten what to do next. I don't need the answer to the question, but I do need a pointer in the direction to find it.
What is your payload?
#{root.process.mainModule.require('child_process').spawnSync('ls', ['-lah']).stdout}
I get the name of the file, but have forgotten how to read it using a payload
cat <file-name>
Thanks!
I don't know if it's because I am tired or just dumb, but I can't figure out how I need to put the cat command in. Can you give me an example that I can study to understand?
instead of ls use cat
ok thanks!
What's wrong with my code?
#{root.process.mainModule.require('child_process').spawnSync('cat 7f58571b42d8c477a2f3efa69a681ac3.txt', ['-lah']).stdout}
What do you get as output?
It is just blank. I get nothing back.
Try to input the file name inside of [] where -lah is currently.
Ok. That makes sense. It is working now. I was thinking too much into it.
Yeah, that field is probably for arguments.
Would Jinja be the same way, just in a different syntax?
Yeah, visit HackTricks, they have a collection of payloads for every framework.
Looking at it now.
What's the correct URL for it? I tried hacktricks.com but it didn't work.
nvm. I got it
Thanks!
@KGB - I have looked over several CVE sites to figure out Task 8. What site is the best to use? I found one that I could use to replicate the issue, but it is throwing an error when I try it.
Which error?
I manually typed stuff in again to recreate the error, but it went through that time. So I solved some of it. I am getting ready to head to work so the rest will have to wait until tonight or in the morning.
Feel free to reach out later if you still need help.
@KGB - I am stuck on a task in a different room now. It is Task 7 of the Insecure Deserialisation room. I am trying to follow along, but it doesn't appear (at least when following the directions) that PHP Gadget Chain is installed on the AttackBox as stated in the text. I have tried to follow the instructions for getting it installed, but I keep getting an error.
type which phpggc
when I type it in, it acts like it did something, but goes right back to the main prompt.
which ggc
It does the exact same as phpggc
php phpggc -l
I was able to at least follow along with part of it and actually get it to look like the screenshots in the room until I got to this point. Any suggestions as to what I am doing wrong?
Why does this not work? This is task 4 in the SSRF room. I have followed along pretty easily but I can't get the desired outcome.
What are you trying to do?
This part of the task
Try to intercept the request in Burp and change it there.
OK. I'll try that now.
That worked and I am finished with the SSRF room.
Congrats, great job @maiden turret!
I went back to the other room from earlier today, Insecure Deserialisation, and made it this far this time. It is the curl command right before the section on Ysoserial for Java. I am not understanding how to run the uname -r command after this.
Thanks!
Can someone point me in the right direction to get the THM flag for Task 7 in the Insecure Deserialisation room? I have followed the room guide down to the Ysoserial for Java section, but don't understand how to get the uname -r command to work.
Run php phpggc Laravel/RCE3 {payload here } | base64
Then use the output of that and encrypt it with the APP_KEY. After that, you can run curl {IP}:8089 -X POST -H 'X-XSRF-TOKEN: {Your Encrypted Token}'| head -n 2
I suggest reading from the heading Exploiting a Web Application in task 7 down to Ysoserial for Java again. The instructions are clear.
EncryptCookies is middleware that b64-decodes and decrypts the X-XSRF-TOKEN.
Idk if this is clear, it's 4:30 am for me. Sorry if it doesn't make sense.
Thanks for the reply. I was actually able to figure it out and got it right.
I am trying to access http://mybank.thm:8080 in the CSRF room and I get an isBanned cookie error. Has anyone faced this issue or solved it? Please help me out with this.
Can anyone help me on https://tryhackme.com/room/whatsyourname?
There is nothing on the worldmap.thm,
no directory, just blank
can you provide a shot please
Hello, how are you?
Could someone please give me the flag of the 3rd question of task 7 in the "Insecure Deserialisation" room?
Can you provide a screenshot of the nmap scan?
The room instructions tell you to add worldwap.thm to hosts, not worldmap.thm.
Wow, my bad.
thanks for the help
https://tryhackme.com/room/httprequestsmuggling
TASK 7 Walkthrough
I have been trying this for hours.
I cannot get the smuggled requests of other users.
The payload is not defined right.
The one on THM I believe is wrong or incomplete.
You should do §test§ instead of just one §.
it does work like that
And also you shouldn't request resources on the website while doing the attack, as it creates requests; just leave it alone for like 10 mins or so.
I noticed that the Python script for h2csmuggler in Task 8 of the HTTP/2 Request Smuggling room was kinda broken, so I went ahead and fixed it. If anyone else is encountering the same issue, you can find the updated version here: https://github.com/1kb2/h2cSmuGGl.
Your second Content-Length is too long??? Try to set it to 300, and you've got to wait a decent amount of time.
Just copy the payload that's in the room.
I did the same and it's not working either, plus only 20 requests after 20 minutes. I think the Intruder rate limit is one of the issues too.
Also the Content-Length is 500 in the payload given.
I even tried with Caido.
Still not working
Check for whitespace characters, maybe you have some in places where you shouldn't.
I did check them in the Repeater tab, and they are all \r\n too.
All status code 200, is it normal?
Should we keep the § at the end of the request?
Yes you need a payload spot on the query argument
At around the 42-ish request I got the flag.
Tried 100+ requests, still nothing though... (paused attack to refresh)
You didn't define a payload position in this screenshot.
it has to be on the query argument after the =
I did add a payload position, else Burp does not allow proceeding to the next step, and since the payload is set to null, of course nothing is left after =. The Content-Length is set to 500; wasn't the 2nd request the so-called "prefix" to another user's request?
Payload position same as this.
Thank you
I've been experiencing the same issue.
The smuggling works with my requests, but I can't get the other user's password.
I've been trying for hours with Burp and even tried a Python script to be more aggressive.
With the search here on discord I've found a few people asking about it in the last few days. Is it possible something got recently changed in the room that affects the result?
Bet, my take is to mimic the victim, login using the password yourself and call it a day. I wait for 24h, really annoying.
lol I had this message typed in this channel for like 2 months but then did not send it because I wanted to do it myself. But it seems impossible........
Like I said above, I figure we should just mimic the victim
Really annoying indeed. I've had problems before where I think there might be something wrong but then I realize I was doing something wrong. With this one I don't know. Every helpful comment I've seen doesn't help fix the issue.
Best thing I've got from this is that I started looking at Caido
So, I know the attack sometimes get my requests, but I wasn't sure if it would catch requests from others, so I tried this to check if my attack was correct:
- Set the attack on my own machine
- Spawn an Attack Box
- Do the requests from there
It does intercept the requests!
It's a weird attack because, on one hand, if one intercepts all the requests from other people, it makes the webapp unusable and people wouldn't even get to login (I got two requests loading the login.php page). But, on the other hand, the chance of catching a login attempt with a low-rate attack is quite low.
Maybe I'll learn about that in other rooms, but how effective is this attack really?
For the room httprequestsmuggling, it seems that the problem might be that the so-called victim is not set to send a request, thus we receive no request. I suggest someone should raise a bug report post, since there are quite a few people including myself not able to get the flag, and not due to a skill issue. (I am confident enough that the technique used is correct, which is simply to smuggle an incomplete request with Content-Length set to something big enough to include another request from another user.)
In the Upload Vulnerabilities room, Task 5 - Remote Code Execution, I am unable to run a Gobuster scan. Every time I try, I get the following error.
Can anyone help me figure out what I'm doing wrong?
You probably tried to install/update gobuster on the AttackBox; don't do that, it will break it.
Terminate that AttackBox instance and start a new one.
gobuster is pre-installed, you can start using it immediately.
Yes, I tried to terminate and start the AttackBox and the machine, then followed the same steps from Task 1 to Task 5, and it still gives me the same error in gobuster.
Don't try to install gobuster on attackbox
it is already installed
OK, let me try one more time, thank you.
Has anyone done El Bandito?
I saw the other domain that's a WebSocket but it is offline and unreachable as it seems. Is it normal or am I missing something? Also the source on the burner doesn't ring any bells...
other than how the path is constructed
Hi All, I'm having issues with the JWT Security room in this path. Specifically when trying to do Practical Example 4 of Task 5. No matter which web decoder/encoder I use (I've tried to do it manually as well with CyberChef as I've seen other people posting about JWT.io being hit and miss) or which browser I use it isn't working. So I've gone back to basics and simply requested the token then tried to authenticate with it (I didn't try this first so have wasted a lot of time trying to forge a new token before I've realised) and even that isn't working. What preposterously stupid thing am I doing wrong?
PS. I didn't have any issues when using JWT.io with the other tasks preceding this one.
add . at the end of your jwt token
I'm just supplying the token I was given by the first request (which is a valid 3-part token), but in case I've misunderstood what you mean I've tried that anyway and just get
{
"message": "JWT could not be read: Invalid payload padding"
}
It is not valid; even if it isn't signed and uses none as the alg value, it must have a trailing dot at the end.
This is for example 4?
As in the weak signature task that I've successfully cracked using hashcat and am now trying to forge an admin token but am having issues doing that.
This token isn't signed and it doesn't have proper formatting.
The one in my screenshot? As in there is a problem, or is that by design of that task?
You don't have a trailing dot, it is mandatory.
That's what I get when I put an extra trailing dot but that would signify a 4th section to the JWT?
This is example 4, you need to find the secret and sign the token with that secret.
You don't have a signature.
Indeed I am doing Example 4. I do have the signature and have tried to re-encode the JWT using JWT.io but it isn't being accepted.
I have also simply requested a token from the API and tried to authenticate with it as can be seen in my screenshot above but that doesn't even work, should that not work too as I'm just sending the JWT that the API sent me?
This is the token the API sends me:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MH0.yN1f3Rq8b26KEUYHCZbEwEk6LVzRYtbGzJMFIF8i5HY
I don't know if I'm simply misunderstanding but I thought once I had the secret I could simply go to JWT.io, put the token in supplied by the API, modify the payload entries to admin and 1, put the secret in and re-encode and it should work?
Also, I'm confused as to why the API won't just accept the token it has given me without modification.
OK so I've just gotten to the bottom of this and it's because I had taken the definition of [JWT Token] in the sample command literally and so had my JWT enclosed in square brackets. This syntax works for the first 3 examples but then stops working at example 4. Just posting here in case anyone else makes the same mistake I did, which doesn't become an issue until Task 5 example 4.
I am doing the "Exploring Insecure Session Management" exercise in the Session Management section. I am not able to do some of the instructions here. Not sure if there is an issue with the test website. Here are the 2 issues.
- After creating a student user and logging in, I get the status 500 message. When I select modules, I don't see any students enrolled, even after I click on enroll.
- There is an instruction to update the role from student to lecturer, but I don't see where I can update the role. I went to account, but I don't see an option there to update. I also tried to create a lecturer account, but that cannot be done without a verification code and there is no verification code in the exercise.
So I am stuck in completing the exercise.
I'd be glad if someone can sort this out.
After you log in as student and get the 500 error, open up developer tools and edit the cookie value.
After I login there are no cookies in the 500 request. In the login POST request there are cookies, however they cannot be edited. I assume perhaps it is not the current request.
Go to the Storage tab and edit cookies there.
Yesterday I had the same problem. I used the Pro version of Burp to improve the attack performance; however, I spent almost 10 hours trying. It's really sad.
It's hard to know if it's an issue with the machine or if there is stuff that we are not taking into account.
It had happened to me in other machines that I thought I was doing everything right and the machine was broken, but in reality I just had been missing something very silly.
I think I'll go back to this machine sometime in the future to see if I can do it without self intervention
That's right, my friend, I'm still trying because I'm following the learning path in parallel, I'm trying other machines, so far I've had many problems only with this one.
Hi, in the Insecure Deserialization room, in the 7th task, how is the output working at the end of the task (before Ysoserial for Java's part), or is it just wrong?
Because in the last part I tried every Laravel script, all 20, and still couldn't get the uname -r.
Even the first script, which is the whoami, didn't work for me.
Unable to use the site in the Island Orchestration room.
Use http instead of https.
Can you provide a room link?
This room is temporarily not working.
Oh
It has been reported to staff , should be fixed soon hopefully
Ok
All I have left is this unsolvable room httprequestsmuggling. Tried once again recently, still not catching any request during smuggling. I guess it's time to move on to another path anyway...
Has anyone seen this new startup company XBOW which is automating all the SAST and PT?
I am going to start with this path, hopefully I can solve that room
Hey has anyone tried the JWT security recently? Did tasks 4 & 5 work for you? I have been running into "signature could not be verified" a few times. Is it just me?
Those tasks were working properly during my time. Could you be more specific about which example you are having an issue with?
task 4, is working!
as you get the JWT token back, decode it. I tried cyberchef
for task 5, example 2, change your token, add the 1, and make sure to add =admin instead of =user
Looks like only this one isn't working.
Nvm. I tried with John and is working.
Just hashcat isn't... maybe they need to review this room
have you tried adding --show after the hashcat command? like this: hashcat -m 16500 -a 0 jwt.txt jwt.secrets.list --show
yeah and still didn't work
I ended up using john and worked like a charm
yeah...hashcat is hard to use, I mostly use john too unless certain mode not available
Yeah, I was looking at a walkthrough but it doesn't seem to work anymore.
Should be able to work, I did this yesterday and got the secret
But then again, the hashcat start up was slower so I agree john would be better suited in this case
That is a fun room
Hi, can anyone help me with the HTTP/2 smuggling room? I don't get the flag at task 3 and here is my payload like the walkthrough described:
looks like the "prefix" (request body) ended with CRLF. click on the \n to reveal the special character and delete them
Hey I am working on the injectics room. And I am struggling to find information that would help me find which kind of injection are possible in the login form
Is there anyway I could find what DB is running in back-end ?
My guess for now is that I have to by pass the authentication at the normal user login page
Hi, my OpenVPN is successfully connected, but on TryHackMe it's still showing 'Machine Disconnected' for the target machine. Could you please help me figure out what's wrong?
That page is broken ignore it π
So what i do now
What do you mean?
Does anyone did the HTTP/2 Smuggling room last time?
Have same Problem with Task5. I didnt get any response
Thanks @clever leaf for the great room on Hammer. Not sure if I solved it intended but || I used the composer.json instead as a file for the kid ||
press another Enter (crlf) before q=. Just compare them with the image carefully
what do I mean? you literally just did what I said
If you wonder the reason having 1 more CRLF, this is the format of http/1.1 request body
The XXE Injection room has a possible error on Task 5. The file upload page in Burp doesn't go to submit.php. Instead it leads to upload.php. Or is it actually intended that way? I am not so sure.
I assume that you've already completed the room, but anyway, when i captured the request I also had upload.php, then i pressed orange "Forward" button then it went to submit.php. Hope this is helpful
There are 2. One is upload.php and the other is submit.php
I don't know why there are 2
hey, so am doing the jwt security room
facing some issue
stuck while downgrading the algo to none
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MH0._yybkWiZVAe1djUIE9CRa0wQslkRmLODBPNsjsY8FO8
the token I got
then I changed the algo to none and set admin to 1
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MX0
now when I am trying to use this token, I am getting this:
without the . I am getting this
any idea
How come he is getting a successful message? And he is giving the signature while the algo is none and still no error?
i changed the username to admin and still same issue
when i send in repeater i get no response
Provide some screenshots
With π ?
Hey! Can someone help me with insecure deserialisation please? I can't manage to forge the 2nd payload to put in the provided cve.php to get the right XSRF token, even with CyberChef: with my recipe I decoded the right 1st payload to simply replace the command and re-encoded it, but I can't get the right XSRF token.
Hacking but it's tough for me
Hi ! did you succeed to Task 7. Q3 ?
What room are you in so I can go back through?
Hi, last time I got the answer from @gritty prism, since the machine version is mismatched with the answer. Looks like they still haven't resolved the issue till now. I suggest you ask him for help.
Thanks for being so quick to answer. Insecure Deserialisation, like I said a few messages above, and I exposed my CyberChef recipe to get the token.
alright thanks. But before simply asking the flag I would, at least, find why I am unable to forge the payload. @gritty prism could you please help me ?
Pretty sure I got stuck on that as well. However, I did find this that helped work through it:
https://medium.com/@RosanaFS/tryhackme-insecure-deserialisation-ca035812864c
Yeah I used it too but I can't get it right and the version is apparently a mismatch
Ok. Let me dig into what I did and I'll let you know.
This is the answer that I got. I had to fiddle with it to eventually get it to work
5.15.0-1075-aws
What exactly ?
thanks ! do you remember how did you find it ?
You can start with this pathway π
https://tryhackme.com/resources/blog/free_path
Give me a couple of minutes. I am stepping back through to remember how I did it.
I can't remember exactly how I did it, but if you have MS Co-Pilot, set it to think deeper and then use the string Tryhackme Insecure Deserialisation Task 7 step by step. It will help walk you through it.
alright I will get it back later but I don't understand how, even with cyberchef I can encode it properly π thanks a lot for your help
@hybrid wave have you been able to exploit with the whoami command?
The command to generate the payload is very similar, just change whoami to uname -r, then try to see if any PHP function is usable. My command to generate the payload: ./phpggc -b Laravel/RCE3 passthru 'uname -r'
get the token with the payload and app key, then send the post request
I'm able to generate the payload but unable to use it, even when I follow the walkthrough exactly. Plus, I used the given whoami payload and it worked, so I decided to modify it and encode it in b64, but finally I was unable to get the right CSRF token.
@gritty prism I decided to mainly focus on network, system hacking and red team operations. How much web hacking I need to know?
As much as you can , it definitely won't hurt anything to know more π
@gritty prism Can I learn C in windows system exploitation or in malware development?
C can be used for DLL injection and more windows privilege escalation vectors.
But C also used for malware development
Like any other language, C and its variations are used for a wide variety of use cases; like any other language, C is just a tool to achieve your goals. Learning/getting a programming mindset is much more important than learning the syntax of some language.
Hey all, I started the web app pen testing path but am stuck at jwt security module at task 2
Need your help as I keep getting the error message 'JWT could not be read: invalid crypto padding"
That indicates some problem with your signature
You probably forgot to remove the padding, i.e. the = sign. JWTs use Base64URL encoding, not Base64.
Hello all, I am struggling with task 7 of the httprequestsmuggling room. I searched a bit on the Discord and it seems that a lot of people get the same problem as me (i.e. impossible to get a user password).
I would like to know if anyone knows how I could get the flag, since the room does not seem to work properly.
Hi, I need the 1st flag of the El Bandito room.
Hello everyone, @gritty prism,
It seems there is a bug on flag 3 task 5 of Web App Pentesting >Advanced Client-Side Attacks>CSRF. What should I put there ?
There is a dash and a curly bracket too many,
because the copy-pasted flag doesn't match the length. Do you have an idea why?
That's not the correct flag for that task
Help me, I need the El Bandito 1st flag.
This whole room was not working for me on the web app at least. Mailbox.THM is up but the rest of it is returning an error about the isBanned cookie. Same in Firefox, chrome and the attached Linux VM.
me included. task 7
@gritty prism @opaque lichen got it..appreciate the help
Anyone else having issues connecting to the boxes from your own machine using VPN? I can only use the AttackBox to complete rooms in this path.
Which server are you using ? Try EU-regular 3 or 4
looks like US, let me try then...
Try US-WEST instead of EAST
This looks good
Hello, has anyone been able to get the flag for Task 7 HTTP Request Smuggling recently. I have been on it for days. I checked and someone has also commented experiencing the same challenge in the bug-report channel here. Please is there a bug or not?
That JWT token room though... very hard kinda.
I agree
I have the same experience. Does not work...In the submissions folder I only have text files with this content:
Name: test
Query: GET /submissions/ HTTP/1.1
Host: linkednginx.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip
Cookie: PHPSESSID=31ef91d9a4d93b652580b2f4a59a703f
Upgrade-Insecure-Requests: 1
Priority: u=0, i
X-Forwarded-For: 10.10.252.210
Via: http/1.1 buildkitsandbox[
Can someone make a clear path for web pentesting? It's so messy learning stuff like this.
They really need to move that exam down below web fundamentals and web pen testing imo
Hi, I have a question. I solved the Enumeration & Brute Force task and it shows that the room is complete, but when I look at the path, it is only 88% complete. Is there a mistake?
Can you provide a shot ?
I am sending screenshots related to the problem:
Can you please verify and upload shots directly here π ?
Try to reset the progress and complete the room again
Thanks for the tip, but after resetting my progress and completing the room again, the problem still persists π€
I have the same problem on my side , probably some question was removed from the room . I will forward the issue to staff members π
Thanks
Please, is anyone into secure side review lately? I am looking for someone to do it with.
What? Not sure what you are talking about
Sorry i mean secure code review
a bit late, but maybe it will help someone else looking for this. I just created the following cookie (key:value) "isBanned:false" and the web app works perfectly fine. "CSRF in Advanced Client-Side Attacks".
yeah this room csrfV2 is very unstable
Did you end up resolving? I can assist if not
nope, I didn't get time to do it
where was I going wrong?
Have just completed "Injectics" and found it quite challenging (much more than the previous "Hammer" room, and certainly spent more than 60 minutes) - wondering if anyone else felt the same
Thanks for the tip, was thinking of jumping into Injectics, as I got stuck with Hammer. π
the room /corsandsop has an issue. I am supposed to see an html code box in that page but on the attacker box and my own instance is blank.
task 6-7
Is it just me or this path has been a bit confusing and hard to process π
Have you created receiver.php on your box ?
Yeah, and I also did it on the attacker box. I did see it once, but I had to restart the machine. Then I killed it and started it again. Nothing. I followed the instructions too. Added the IP to the hosts file.
well it worked for me
For those of you still doing the room http2requestsmuggling task 7:
Upload the myjs.js.
Create a script and add this to work properly. The one from THM isn't working anymore; the error is happening because ssl.wrap_socket() has been deprecated and removed in Python 3.12+.
This is my working script:
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
# Plain HTTP listener on all interfaces, port 8002; the handler logs every request line
httpd = HTTPServer(('0.0.0.0', 8002), BaseHTTPRequestHandler)
# Create a server-side TLS context (replaces the removed ssl.wrap_socket())
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# Certificate and key generated in the room's cert-creation step
context.load_cert_chain(certfile="cert.pem", keyfile="key.pem")
# Wrap the listening socket with the context so the server speaks HTTPS
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
- follow the SSL cert creation for HTTPS...
- start your HTTPS server...
- intercept the GET request... (if you can't, make sure .js is being captured in Burp Suite > go to config > proxy > request interception rules > make sure ^js$| is added in the correct field)
- edit it using the instructions in Burp Suite by THM
- make sure to add Pragma: no-cache, Foo: bar and then edit in the inspector (see screenshot)
- finally send it, twice, and you should see the cookie in no time...
Please help me.
I can't get the password in the output via BurpSuite in any way. What am I doing wrong??
HTTP Request Smuggling
Task 7 - Walkthrough
I have rebooted the room several times.
I did everything as described. But there is no response, which should appear as in the screenshot.
@honest galleon read again my friend ^ you must be missing something π
you are almost there
Hi, I have a question about the Race Condition room. I'm unable to transfer money; has anyone else had this issue and managed to solve it?
Send request to repeater put it in group with more than 20-30 requests and use last byte sync / parallel option to send it . Repeat it cross accounts and that's it π . Make sure that you don't send more than 30$-40$ in the initial transfer .
Congrats , great job , keep up the good work π π
Thank you @gritty prism
Hi, I think there is a problem with the server. When I try to transfer money and click the button, it keeps loading indefinitely.
Make sure that the interceptor in Burp is disabled.
I did; I used it without a proxy and still have the same problem.
You figure this out? I've been having the same issue.
Welcome to web pentest
hi, I could not get the webserver showing the dashboard in Web Application Pentesting
Authentication
Session Management
Task 6
Anybody had the same issue?
I used the attack box from the tryhackme website.
Can you provide some shots ?
I am unable to upload screenshots in discord but all I see when clicking on the Dashboard link is:
Welcome to the Dashboard
Error loading stats: Request failed with status code 500
You need to verify to upload images; follow the instructions from the link below. The app should display status code 500, it's part of its defense mechanism; you need to find a way to bypass it π
thank you for the instruction.
Hi, when I logon with the student I created, I get the 500 error for the dashboard. My cookie looks a bit different from the one in the tryhackme room and I don't see the number of enrolled students - see screenshots above. If I change the cookie from student to lecturer I can see the dashboard. Still thinking what else I can do to see more information, can you give me any hint?
It's a known bug. #subscriber message
Good evening,
So, this message is to offer and ask for help during this path. I have almost finished, but in case anybody is struggling I offer my help if needed. This way maybe we can meet more people and share. If anybody is interested let me know. I will start HTTP Browser Desync now and when finished with web application I will probably start the red teaming path.
french / english and spanish
I started testing my school's website (with permission) by first checking the root domain. I discovered seven subdomains, but only the main one is active; the others are either unreachable or not working.
I then used a JavaScript-related tool to search for any exposed secrets in the code, but everything I found returned "301 Temporarily Moved" responses.
Finally, I ran Eyewitness on the main website, which showed that it appears normal.
What should I do next?
Hi, I might be late but yes, it's buggy!
many thanks.
For the "Include" room - has anyone else struggled with the RCE via LFI part of the challenge? The log poisoning part of the challenge wasn't working for me. Is it just me?
I didn't have any issue however my solution could have been different to yours.
I tried performing mail log poisoning technique (like ones found here: https://swisskyrepo.github.io/PayloadsAllTheThings/File Inclusion/LFI-to-RCE/#rce-via-mail) because I noticed others had completed the room using them too. The poisoning injection failed & I was not able to utilize this method. May I ask, what method did you take to obtain the second flag?
I'll dm you.
ty
Guys, is there any problem with the machine in the Session Management room? https://tryhackme.com/room/sessionmanagement
I tried to log in as a normal user but cannot see the number of students enrolled as the doc mentioned.
I even don't see the Set-Cookie and Cookie headers, even though I use Firefox in the AttackBox.
Thanks for your help.
You have to apply your knowledge received in this room. Check the "Application" tab in the "Developer tools"
I have a question about the HTTP/2 Request Smuggling room. Why am I only able to intercept (proxy) HTTP/2 requests using Burp Suite but not ZAP Proxy or Caido? Whenever I use the latter, all requests are downgraded to HTTP/1.1, despite verifying that HTTP/2 is enabled in ZAP. Is this part of the room design? Or is it something else entirely?
Hey, I am curious about resources and knowledge about common pitfalls when building with AI / Loveable / Gemini ... or at least basic web application testing.
Hello, I'm struggling on the task 5 of the JWT room for the example 5, I have generated the token with jwt.io, using the public key and the correct alg, but I receive an invalid request answer. The command I use if someone wants to check : curl -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MX0.7jJBvWpF9JT4DdeUWnl0o7imBV0wa0HTDPRMavGbPyU' http://10.10.137.133/api/v1.0/example5?username=user
Anyone having the same issue ? Maybe I missed something
be sure to set the claims to admin and 1, and then also call it with the username admin , not user
but maybe you got it right already, it's been a couple of days π
error I keep getting on JWT Security room: { "message": "JWT could not be read: When alg = \"none\", key value must be None." }
wHaT eLsE cOuLd iT bE asdkfmsalkmfksadf
I'm encoding the JWT at jwt.io with algorithm set to "none" and it doesn't even give me an option for a key. same problem if I directly base64 encode things
whyyyyyyyy does it hate meeeeeeeee
(this is for example3 btw)
ok, redoing it more carefully with CyberChef rather than jwt.io did the trick. still don't particularly know why the other site didn't work, but π€·ββοΈ
Just tried it again right now, it's working! I must have made a simple mistake. Though I'm not sure I was setting the username to admin for the previous questions; I only had the "admin" parameter set to 1. Anyway, thanks for the help!
Cannot find student x in session management room even after successful lecturer login
it's a known bug
I joined the Discord server to understand why I could not find the student X π€£
Well, welcome π
Hi everyone, I'm new to THM. Burp Suite is not capturing my HTTP traffic; is there some configuration I should do?
I'm using the AttackBox.
The Firefox browser in the AttackBox is already configured to route to Burp Suite, right?
Do you have FoxyProxy enabled?
G'Day! Hello @gritty prism! Is there an estimated time to fix the Island Orchestration challenge?
I've reported it to staff but I haven't received any update since π
@gritty prism, Thank you very much for your feedback!
I think the backend code listed in the prototype pollution is wrong.
let friends = [
  {
    id: 1,
    name: "Sabalenka",
    age: 25,
    country: "UK",
    reviews: [],
    albums: [{ name: "USA Trip", photos: "git.thm" }],
    password: "xxx",
  },
  ...
  ...
app.post("/submit-friend-review", (req, res) => {
  if (!req.session.user) {
    return res.redirect("/signin");
  }
  const { friendId, reviewContent } = req.body;
  const friend = friends.find((f) => f.id === parseInt(friendId));
  if (!friend) {
    return res.status(404).send("Friend not found");
  }
  try {
    const input = JSON.parse(reviewContent);
    _.set(friend, input.path, payload.value);
  } catch (e) { }
  res.redirect(`/friend/${friendId}`);
});
I think the author needs to change "payload.value" to "input.value" I was very confused reading this trying to understand where the "payload" variable came from until I came to the realisation that it must be an accident.
^ Just as an FYI doing that definitely clears things up a little bit for THM subscribers but the code still wouldn't work for normal use of the PoC web app, because if they don't supply JSON input and just instead supply a normal string for the review e.g., "normal" (pic related), the code wouldn't be able to do a JSON.parse("normal").
Yo I'm new to the field
@gritty prism Hello, I have been working on the Authentication module of the Web Application Pentesting path recently. I wonder if you can recommend a few more challenges related to this module. I want to use them to consolidate my knowledge in the Authentication module. Thank you.
I know this. This is in the Authentication module. I mean I want to find some challenges outside this moduleπ π
Did you check hacker101 ?
Is that what you mean, https://www.hacker101.com/ ?
Hacker101 is a free class for web security. Whether youβre a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.
Yup π
Okay, I meant the challenges in THM. π
Bumping this for the fix! Tried doing this challenge today and it's still down.
Can anyone help me? I have completed the authentication bypass (Jr. Pentester) room on TryHackMe, but I completed that in the lab. How do I test it on a real website using the ffuf tool? Please, anyone help me.
Has anyone successfully implemented privilege escalation on the Hammer challenge?
Anyone passed the room where request needs to be changed FlagAuthorized: True? No matter how and what to change in the request I am getting the same page
I've passed it. However, I still have a question. Why do we need "FlagAuthorised: True" in the body of a GET request?
can someone give me a web application pentesting roadmap only from tryhackme?
no priv esc needed in Hammer Challenge.
If I was to start over, this would be the way I learn.
Web Fundamentals
Burp Basics
SQLi
XSS
Session / Auth flaws
IDOR
LFI / RFI / SSRF
API security
Okay, do you have any recommendations for LDAP injection Thm challenge rooms? I've already completed the LDAP injection Thm walkthrough and want to solidify my understanding.π€ π€
@gritty prism
Windows privesc rooms / challenges usually have a part based around LDAP π
Any beginner web pen testing course ?
Do check THM's #web-fundamentals-path
contact n DM
Hey i want to ask something
Can anyone tell me if they are good enough to answer my question?
just ask and I'm sure someone will pick it up π
I can't ask here
Maybe they'll ban me, so it's better to ask them in DM.
If you know about these things i would ask you
@gritty prism
TryHackMe rooms are not meant to be modeled from secure production systems, and multiple exploitation paths should always be expected. the exposed .py files appear to be an intentional alternate exploitation path rather than a "vulnerability" as you call it. while I agree the more intended path for this room is XSS/CSRF exploitation, it is not a "vulnerability" to have other methods to exploit a machine; maybe the more correct way to phrase this is a room suggestion?
I think this was done unintentionally, since it defeats the whole purpose of the room. And it takes just a few minutes to get through.
CTFs are not designed to enforce a single solution or a specific time requirement; finding a faster compromise through enumeration is how CTFs should be designed. there should be multiple methods of varying levels of understanding from various types of exploitation, and this is a βclient-side exploitationβ room, not a strictly XSS/CSRF exploitation room, so I do not agree it "defeats the whole purpose of the room"
π ?
Vulnerability Report: Unintended Information Exposure (worldwap.thm)
Dear "Whats Your Name?" (https://tryhackme.com/room/whatsyourname) Room Creators,
I am providing feedback regarding an unintended exploitation path discovered in your room. While the intended chain is likely more complex, sensitive administrative credentials can be obtained directly through publicly accessible Python scripts.
Technical Details & Discovery The vulnerability was identified via directory brute-forcing. The following endpoints are accessible without authentication and contain hardcoded credentials for both Moderator and Administrator accounts:
Host: http://login.worldwap.thm/admin.py
Host: http://worldwap.thm/4.py
Exploitation Vector Using ffuf with extension fuzzing, I located these files: ffuf -u http://worldwap.thm/FUZZ -w common.txt -e .py,.php,.txt,.bak
Impact on the Learning Path The exposure of these scripts allows users to bypass the entire intended exploitation chain (e.g., upload logic or session management). This significantly diminishes the educational value of the challenge, as core security concepts can be skipped by reading the source code of these exposed files.
Recommendations To maintain the room's integrity, I suggest the following:
Restrict Access: Move sensitive .py scripts outside of the DocumentRoot.
Environment Variables: Avoid hardcoded plaintext credentials; use environment variables or a secure backend database.
Server Configuration: Configure the web server (Apache/Nginx) to deny access to .py source files.
I hope this report helps improve the room for future students. Thank you for your contribution to the community.
Best regards, 3ont
Hi, for the Room HTTP Browser Desync, can someone explain how the answer for this question is 3 instead of 2?
Task 3
How many HTTP requests are sent during a Browser Desync attack?
Anyone?
Also regarding the Challenge task, can someone help me to understand if the page /vulnerablecontact is supposed to be found by us, or was it given by default and to do so, we are supposed to check the Challenge Help section?
Currently studying the Advanced SQLi room but I can't access the website MACHINE_IP/second/add.php (and yes, I started the machine and used the IP address for the target provided). Did it twice on the AttackBox, same issue.
Am I doing something wrong? Or is it a THM issue?
If you can provide a screenshot on what you are seeing, folks can better assist.
Unfortunately I can't post images.
Don't know why.
You need to verify your account
@weary river
But could you check out the Advanced SQLi room for me
Check if you can access the website IP address/second/add.php
Ohh okay
This is what i see when i try to access the website
I've gotten a reply.
Seems the room is broken
There is no open port to connect to the web server
If possible you can confirm to see if your machine has similar issues
Have you added the IP of the target machine
on
/etc/hosts
Yes i did
Still didnβt work
The problem is a THM issue
maybe
Ah I just wanted to ask for advice because I have the same problem with the room π
The oldest report I've seen dates back to 21st December.
It's been like this since then, no fix.
Ah well thanks for the information. Nothing to do than skip the room for now then
If it makes you feel better, I also cannot access the web application. The only port that is open is RDP and I don't see instructions on needing to connect to it to complete the Advanced SQL Injection room.
Hello all, I have a question abut the request smuggling room in this path, if anyone could help me out that would be fantastic
Any progress yet mate? @twin frigate
Yeah I figured it out thank you
When I open a lab in the Server-side Template Injection room,
task 8, I get an error.
then I tried the attackbox, it appeared like this, and then I had to do something. Please help
Finally beat the Hammer π¨ π
Is the certificate of this path worth it?
The CSRF VM is not working.
When I input the URL in my browser nothing happens.
Can't reach site, etc.
Any admin to respond to this please?
Need help
I am trying to play task 6 of the session management room https://tryhackme.com/room/sessionmanagement
I have changed the userRole and username both to lecturer, and reloaded. I should see a user in the students page with the username X according to the question, but there is no such user.
I was stuck here for a long time and looked for an online vid and followed the precise steps but still, no user with X
https://ibb.co.com/7xHdRp8f (since I can't upload files here)
Is it possible that some rooms of tryhackme do not work?
Exactly, same issue, many of the rooms DO NOT WORK
How can we report it?
It's absolutely not funny, THM should do better please.
Sadly, this bug has been there for a long time https://discord.com/channels/521382216299839518/1367099141708058634
does the advanced sql room work?
I checked some of the posts, what is its point anyways? No one seems to be replying to these posts or doing anything about the issues π€·
I've been able to fix the problem though.
It's a networking issue
and host name resolution.
Just put the VM machine IP address in your /etc/hosts file
plus the host name you want it to resolve to.
It worked for me
For example inside the /etc/hosts file
<vm ip> coffee.thm
<vm ip> bistro.thm
Save it
Access the website again it should work π«°
not relevant to the issue im facing
In the Advanced SQL Injection room Task 3 Second-Order SQL Injection was anybody else unable to resist the urge to DROP TABLE books;-- and then have to terminate and start an new vm?? π
Guys I am stuck on hammer CTF
I found the first flag
But I keep getting a 401 Unauthorized when I change the JWT.
Enumeration & Brute Force room task 3, http://enum.thm/labs/verbose_login/ is this link working? can anyone check please?
Did you add it to your hosts file?
Yeah, but why is it not working in the browser even?
Did you point it to the correct IP, and you're on the Attackbox or VM?
Without the IP, we can't even check if it's open or not.
Yeah, got it now, I didn't try the IP. I checked directly from the description link. Thanks anyway.
If you didn't see the IP, what did you add to your hosts file?
I tried the domain as its written. But it didnt work. Then tried the IP removing the domain then it worked. Changed enum.thm ( http://enum.thm/labs/verbose_login/ ) to the IP
Any website you find with .thm you'll need to add to the hosts file with the IP.
Oww! I used domain directly. Thanks
Guys, help with Whats your Name please. I can't even get started. I added worldwap.thm to my hosts file and let nmap and ffuf run. I can open /phpmyadmin and /login.php, but only with the IP before that. And I cannot open worldwap.thm, as if it does not exist at all. I also cannot see the landing site. (But heck, it is in the hosts file, I've done it from three different machines) and I have no idea what to do to go on without getting on the registration site.
Just read the above post and will try that later. Dunno why it does not work.
Can you provide some shots ? Are you on your VM or AttackBox? Can you check your VPN connection? If you are using your VM please check VPN connection . If not please send a shot of hosts file and situation overall π
Of course, thanks for the reply. I use the attackbox. But every worldwap.thm entry in firefox (does not matter if there is /index.php or /login.php) leads to being forwarded to google search, ergo not there. If I try with the IP, I get a blank page as landing site (but it has to be something there since I get this "<!-- login.php should be updated by Monday for proper redirection -->" from the page source. Like I said I can access IP/login.php and IP/phpmyadmin but IP/index.php stays blank. And I cannot enter worldwap.thm/xxx - so can have no chance of entering the needed register-site @gritty prism
Maybe you've got any idea- I'm gonna test it again tomorrow, unfortunately I have to head out now π
Try to perform subdomain/vhost enumeration; that comment is a great hint π. Also perform directory enumeration with recursion; maybe the lab intentionally presents you with a blank home page.
Thanks, I'll try first thing tomorrow!
try this room https://tryhackme.com/room/kali
Hi guys, I do know how to locate ssh. When you ssh in, the name of the folder?
Can you clarify?
He meant he has downloaded
a file; "how to locate ssh" means how to connect.
Hello guys
Normally, the exploit would come with instructions on how to use it, like the ones published on GitHub, Exploit-DB, even some on Packet Storm Security.
thx
Hello
Web application pentesting and all modules referenced in said path seem to be inaccessible. Anybody know what happened?
I have the same issue
Do any THM staff know? @marble nimbus
Please do anyone here knows how to track a lost phone?
