#junior-pentester-path
You can select using -d and gpu didn’t work for me
I think it doesn’t matter for small hash decryptions
Been away and have come back to it, but still not able to, so will leave it till I learn more. Appreciate the help @steel nymph @deft rain
Trust me. It matters.
Also you can't decrypt a hash; they're not encrypted
Just don't use hashcat in a VM
Use john
yeah I used john once I figured out hash in vm sucks
But how do I get to know the format of the hash
Context
But you've told hashcat it's mode 0, so MD5...
There are a lot of formats suggested by john I don't really know which one to use to decode
You told hashcat md5, so you thought it was MD5 previously.
You're also not decoding anything
yeah but didn't help
Can I ask: all the things we said, did you understand them perfectly, right??
I mean I have a hash and I want to know what it says
Then hashcat wouldn't have worked either.
Use context. Where did you get the hash from? What format would you expect to find there?
Cracking.
I am doing a machine
I got the hash from there so no clue about the format
Both of those questions were rhetorical
Where on the machine? That's your context
Okay thanks
yeah I changed the form method to POST and tried to stop the null byte from being encoded by opening it in dev tools but was probably doing something wrong, all good though
I think that method is kinda tricky or maybe dev tools aren't capable of that method but maybe maybe. Better to use curl if you're trying that method to test something in future. 🤍 And ☮️
Usually the start is the format (like it starts with $6 so it's 1800 sha512 or something like that, can't remember)
For crypt format hashes, which is a very small set
anyone else struggling with the NFS part from Linux privesc?
when i mount the drive and try to run the shell i get this error: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./code)
it's either this error, or the mount never happens, really frustrating
tried restarting the vm and now the mount doesn't work
Hi guys
I'm in "Subdomain Enumeration"
At DNS brute force
And, I have a question
I've made a wordlist with the words blog, help and store, to use dnsrecon at tryhackme.com, just to test, but it doesn't find anything. Is that correct? I've run this command:
dnsrecon -d tryhackme.com -D /root/Documentos/namelist -t std --xml dnsrecon.xml
Are you running that in the attackbox?
No, at my virtual machine
Task 3?
Let me see
Possibly not working as that part of the task is done on the static site.
Oops! Don't want to spoil the flag.
Nonono, I've done the question, but I'm just testing the dnsrecon tool at tryhackme.com, but it's not working at all
lol, i've done it
Others might not have. 🙂
Yeah, for sure
Guys I'm at task 11 of Linux privilege escalation. I've been trying since yesterday to mount from the attackbox to /home/ubuntu/sharedfolder but it just doesn't seem to work, whatever I try. Is someone else struggling with this, or can someone help?
one second
this is on the attacker device
this is on victim machine (ping test to show that both devices can ping each other)
this is the folder on attacking device
no output
no error message
compiling and mounting happens without errors
ok thanks
forgot to say i also mounted the /tmp folder
but also nothing to be found there
when fmount in target machine it doesnt show up
showmount
idk i guess i'll just cheat for the last answer lol
thanks for helping though
Bro so you're saying that you can't see files in the mounted directory right ??
Your own attacking machine or the attackbox ??
Thm attackbox
Have you tried this using your own attacking machine ??
Try that once
Okay so I think you have to uninstall mount from your attacking machine and then reinstall mount
And then try
You might face some errors in uninstalling mount please share screenshots of errors if you get some :)
Also first do
sudo apt update and sudo apt upgrade
@proven tulip try once by:
mount -t nfs X.X.X.X:/ /TMP/NFS
Thanks for all the answers. the sudo apt update did the trick. Thank you!
In Windows privilege escalation I can't get the reverse shell back in task 5. I double checked the IP and port I used to generate a service payload
I think I found the issue
I'll try again and report here
Naah, I can't get a reverse shell in task 5, I don't know why. Also double checked and did the whole process twice with the attackbox and my own attacking machine. And also this Windows VM is now not letting me download the file
You're not specifying the port
So it's hitting port 80 which is used for the remote gui on the attackbox, it doesn't support GET requests
I just found that out when I thoroughly checked the command. Thank you though 🙂
Gave +1 Rep to @idle bison
nvm I got it fixed 🙂
What was the issue?
Uhh... Maybe it was related directory permission
Did nc listening on 0.0.0.0 cause any issues?
Finally completed the path!
Any suggestions for the next path to follow? I'm thinking about red team or cyber defense. What do you guys think?
or offensive pentesting
Yes i know that. Do you have suggestions?
Paths are easier to follow imo, i like the structure
I don't know how to find the other rooms
How can you get a connect back if listener is set to 0.0.0.0?
0.0.0.0 is not a real IP address. Use ifconfig/ipconfig to identify the IP address.
Networking is kind of an intense topic for discussion boards. Short answer: you'll need to set the listener IP address to the IP address of the machine on which you want to listen for incoming traffic/commands.
It's real enough
Listening on all interfaces makes it easy.
You typically only have one network interface
Good evening, do you have any resource suggestions for pentest in the network domain? What topics should you look at?
sorry for my english 🙂
u can ask in here #resources
Hi, is there any mistake in the Linux Privilege Escalation room at the task 10 ? I don't understand how the "PATH" trick can work considering that the screens show the standard user "alper" first, and "root" user to create the binary file, so in this example, the user is already root...but if you're not, you would just get your standard rights and can't elevate anything with this, am I missing something ?
Or is it just an example to demonstrate that, in a case of you can execute a binary file owned by root and executable, you can use the trick ? 🤔
"Or is it just an example to demonstrate that, in a case of you can execute a binary file owned by root and executable, you can use the trick?" Yes, but the binary has to be vulnerable
That room doesn't explain it very well, in my opinion. The deja vu room attempts to explain it better https://tryhackme.com/room/dejavu
getting network path error in windows privilege escalation room in task 6 when I enter copy command
Anybody got some idea ??
Thanks for the room, I will check that. By vulnerable, you mean executable by someone other than root? Same group or all?
Gave +1 Rep to @idle bison
Vulnerable to path exploitation, and executable under increased or different permissions
If it's vulnerable to path exploitation but runs under your current user, well you've gained no additional access
I see, that's quite clear
hi guys, how does SQL convert the following
https://insecure-website.com/products?category=Gifts
this will get queried like
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
now with injection
https://insecure-website.com/products?category=Gifts'--
'Gifts'--' AND released = 1
where does the --' quote come from
or another example
https://insecure-website.com/products?category=Gifts'+OR+1=1--
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
why are the + signs needed and why is there a ' at the end of --
ran with attackbox and it worked 🙂 seems like a problem with my own attacking machine's impacket tools
when you enter information in a URL bar, it usually needs to be encoded. The "+" actually corresponds to a space 🙂
the ' at the end of the final sql request comes from how the request was first formulated in the program.
What i mean is the request is "pre-made", following your example it would be like this:
"SELECT * FROM products WHERE category = '<your input>' AND released = 1"
now, if you insert "Gifts' OR 1=1--" in this request (replacing <your input> with the previous string), you'll notice there are indeed three ' in the final string:
- the first two that were already here
- the new one that you inserted
tell me if it makes sense 🤔
What I don't understand
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
if i type this query in my sql workbench, it is not even a valid query
Correct, your payload is wrong
Or it's not recognizing the comment
https://insecure-website.com/products?category=Gifts'--
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
that's from PortSwigger
I don't understand why
Gifts'--
i need the 1 quotation mark here
damn
finally
I'm not the only one that was confused about that
but isn't that payload wrong
should it rather be
https://insecure-website.com/products?category=Gifts--'
https://insecure-website.com/products?category=Gifts-- -'
https://insecure-website.com/products?category=Gifts-- -
isn't that enough?
why do you need another '
not sure
-- - -> solves the whitespace problem
"TakeRep" command returned an error: strconv.ParseInt: parsing "-": invalid syntax
just for the mysql double dash thingy you do -- -
right
so you don't need a '
and it's even on the wrong side
https://insecure-website.com/products?category=Gifts'--
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
input is
'--
output is
--'
or am I dumb?
https://insecure-website.com/products?category=Gifts'--%20-
yeah
the urls get automatically encoded
the whitespace will be %20 right
or whitespace gets urlencoded as %20
yup
hello everyone, can someone guide me a little: why, when using gobuster with /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt, don't I find what I'm supposed to, but with /usr/share/wordlists/dirb/common.txt I do? I'm looking for a directory called /.git/HEAD which common.txt finds immediately
I'm a newbie, thanks for the reply, as simple as that ._. , I thought the medium one was like "better"
thx for your time ❤️
can someone please explain to me what is happening step by step in Logic Flaw Practical pls
You have to let us know what isn't making sense to you
Maybe
I am just surfing through a website, so whenever I am logging in it redirects me to another firefox page where url is locked and I can't make any changes
How do I stop this
Can you share some screenshots??
hi, could someone explain to me how this payload referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'sqli%';-- can be the same as this one referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'sql_____%';--
I can't understand this
I'm in SQL Injections Task 8
" _ " represents any single character and "%" represents zero or more characters so...
but i mean
how could I know that the database name doesn't have a "_" if it is always positive
even when it doesn't have a "_"
You have to escape the underscore if you want to match a literal underscore character.
how do I escape the underscore? what does it mean?
\
Syntax would be \_
escaping live in action :D
Didn’t expect discord to actually parse my escape
Wonder if I’ll get a rep+ for helping
If they thank you.
so if the name is sql_data, i have to test like sql\_
Use double backslash to have it show on discord
There what is?
Backslash
.
yeah right
What’s the query you’re trying to do
.
Cause if it’s just querying a table you don’t need to escape strings
admin123' UNION SELECT SLEEP(5),2 where database() like 'sqli_four';--
but before understanding how the "_" works, I was stuck because I wrote 'sqli____' and it was telling me that it was right
and then it wasn't
no, but with your help I understand it
thanks
Gave +1 Rep to @hoary vale
But it says 'invalid-user'? what does this mean? :D
It's a bot cache thing.
can anyone give me a hand with linux privesc? I'm on the cron jobs section
can't get a reverse shell after editing one of the jobs I can edit
been waiting for a while now even restarted the box
so I made it executable and ran it on the target machine and the reverse shell worked, didn't get root tho as it wasn't executed by cron
got my shell now
well I figure because it wasn't executable type file before, I was kinda just blindly following the guide and they never mentioned it so I thought I had something wrong on my end or cron jobs wasn't working right
thanks @steel nymph
Gave +1 Rep to @steel nymph
http://10.10.87.140/customers/reset will not load. This is on Authentication Bypass - Logic Flaw. Is anyone else having this issue? I can't complete the room without accessing this page. Tried loading on Chrome and Firefox.
Are you using attackbox or your own VM?
I'm using attackbox.
alright, I'm back with needing some help on linux privesc, this time on NFS. I've mounted the drive and created an nfs file with the SUID bit set, but when I go to run it on the target machine I get this error
I've googled a bit about it and all I've found from my understanding is that the glibc which I compiled my code with is a higher version than the one running on the target machine
for anyone who may have this issue in the future I was able to get the flag by doing the same steps on the attackbox. not sure exactly why it doesn't work on my own attacking machine other than glibc just being a higher version than that of the one installed on the target machine
If your program expects glibc 2.34, it has problems on systems without this version
If you're curious to learn more, you'll want to look into how programs are loaded and dynamic libraries
Hi guys
anyone familiar with burpsuite?
So I've installed FoxyProxy on Firefox and Burp
now when I don't have Burpsuite running
I can't connect to the internet anymore
and somehow
my traffic gets intercepted by burpsuite even without foxyproxy
hey i need help
currently, I'm doing the Authentication Bypass room and I need help
.
.
-unmute @fringe hawk spamming will lead to you being permanently muted. Don't spam.
🔊 Unmuted nikunj_pathak#1297
Hello folks. I need some help with the final challenge in the "File Inclusion" room. I am trying to send a null byte in a curl POST request to trigger LFI but it doesn't really seem to be working. Anyone available to help? It is the only question in the challenge that I am not able to answer.
Solved it meanwhile ?
Not yet. Plan to give up and move on to the next room. Can I DM?
Depends what the DM would be for?
If it's about the file inclusion room, I would prefer to keep the conversation here, so others can benefit from it too
Ok then, let's keep it here. The question I'm stuck on is Task 8 - Challenge - Flag 3.
LFI using GET request is not possible, due to input validation. So I am trying with a POST request. Since the server seems to be adding a .php extension to the end of our input, tried adding a null byte to the end of the input, like /etc/passwd%00. That causes a curl error. So used the encoded form /etc/passwd%2500.
But that does not work either. The response is
Warning: include(/etc/passwd%00.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall3.php on line 49
the .php extension is still added
Curl command used => curl http://filab.thm/challenges/chall3.php -X POST -d 'file=/etc/passwd%2500'
If you url encode it, it's not getting interpreted as a null byte
What error did you get when using %00 in curl ?
This is what I get when I don't encode.
└─$ curl http://filab.thm/challenges/chall3.php -X POST -d 'file=/etc/passwd%00'
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
I mean, it seems to be just a warning, not an error? Is that all you got as output ?
Just these 3 lines?
Let me try myself real quick, I did it with Burp iirc, but I guess it should work with curl too
Ok. So I actually read the "warning" this time. And tried adding --output - to the command. Got the output
Why does curl think the output is binary I have no idea.
Ah alright, well then I guess that solved your problem ^^ ?
Yes. Still confused as to why curl behaved that way. Anyways, thank you for your time 🙂
Gave +1 Rep to @shadow echo
Ye, dunno, would have to search for it myself. But doing a google search with that warning might give you an answer to that 🙂
just a guess: the filename is reflected, so maybe there is still the null byte in the response
Just a matter of a google search. So basically whenever you curl it, it outputs compressed data. Just try saving the output in a file and look at the file type: you'll get "gzip compressed", so to look into it you have to decompress it. Try using the '--compressed' option in the request
Has anyone else had issues with Impacket in the Windows Privilege Escalation room?
What issues are you facing?? Also first verify yourself
!docs verify
I apologize for the delay, I ended up calling it a night and have been slammed all morning. When I try to perform the secretsdump.py portion of the impacket workflow I get an AttributeError: 'Registry' object has no attribute 'fd' and I have not managed to pin down the cause. Once my workday is wrapped up I can fire up my personal laptop and grab the full error message.
No issue. You can share the screenshot of the error whenever it's feasible for you to do so.
Thanks a ton, I just knew I was too frustrated with it last night and felt it best to call it a night and approach with fresh eyes today.
Hey guys first time here, I have a question in subdomain enumeration this command ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP how can I know the machine_ip ? Thanks
It always gives an error
:: Progress: [40/1907] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00]
:: Progress: [1295/1907] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00]
:: Progress: [1907/1907] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00]
:: Progress: [1907/1907] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 1907 ::
You are very likely trying to fuzz the wrong machine
Best to verify and show a screenshot
!docs verify
Thanks
When attempting to finish the windows privilege escalation room I keep having this error with Impacket and secretsdump.py no matter what I try.
Does anyone know the difference between the jr pentester and the offensive pentester pathways?
Junior, as the word says, means that the rooms are easier and cover more basic knowledge than the offensive pentester path, as you're a junior to the topic. So this path holds some easier rooms and topics, while offensive holds some more challenge rooms and advanced topics
Great thanks!
You're welcome
Try this reinstall impacket tools or just first try from thm attackbox. If it works then it's an issue with your impacket tools
Have you read the error?
@vagrant glacier it cannot find system.hive in your current directory
My bad i didn't read this error i just read the earlier message of him
Sorry for that
'Tis dangerous to not read errors
I mean if he/she had tried the attack again from the start he must've got the results, but wouldn't be able to understand what the issue was
It's possible that it was a mistake copying the registry hives off the box, an incorrect file name etc
It could be sir
You're right
The files are in the directory, I triple checked that which is why it has me so stumped.
So the system.hive file is there but still it is throwing the "missing" error ??
Yep
I even restarted the machine cleared the directory from mine and went through it again to get the same result.
Might want to show a screenshot when listing these files in the directory as well
Yeah, I’ll do it as soon as I get a chance I’m starting project meetings this morning.
Hello, everyone
I'm wondering why we classify Blind SQLi as Time-Based and Boolean-Based, even though we can exploit the same query as boolean-based or time-based
for example:
1'-SLEEP(1) -- -
1' OR 1=1 -- -
both payloads work
- And if they are different, could you please show me the vulnerable query for each one
This is a demo of what I'm asking for
Sorry, I didn't get that
for a blind SQLi, I could confirm it by the request time (time-based) or by the query condition (boolean-based)
sometimes the server returns Internal server error, do you mean this message does not exist too?
I think I get it. If nothing indicates whether the condition is true or false, we should try confirming it using the time
Thank You @steel nymph
Gave +1 Rep to @steel nymph
Hi all, I'm currently on the Authentication Bypass module and ran into trouble with the AttackBox. When I run the command to find usernames it skips over it a little bit? Or at least that's what I found. I looked over some walkthrough videos and they had vital information given that I can't see. If anyone knows how to fix this let me know, I'm sure it's just something small I missed, but I have been looking and getting nowhere so I thought I'd ask here
Here's a screenshot of what comes up
You can use the clipboard to copy paste commands when using the attackbox, just so you know, saves you time as well as missing something
It seems you forgot to add the cpassword parameter
I didn’t know the clipboard worked like that, and you’re right it looks like that was what I missed
Thank you @shadow echo
Gave +1 Rep to @shadow echo
Has anyone been able to do the GameZone machine manually?
do you have a specific question?
I'm trying to do the sql portion manually
ok. go for it 🙂 (just did it manually) so feel free to ask if you have a question
Really? I mean, basically how did you do it without sqlmap
I'm trying to learn to do things manually
I figured out that there are 3 columns? I think using a sql command.
But idk how to find tables, users, dump hashes etc
On the search video game area of the box
sounds good so far. Can you get any data out of the db with this? Then: database systems have a "meta" database with information about tables and stuff, information_schema. There you should find what you are looking for
Yeah actually! I was thinking about that information schema thing but idk how to access it
I read something about that but didn't know how to find it
Maybe if you want to share your screen in a vc sometime? Or idk point me in the right direction i pwned the box already but im trying to go back and do it manually
Did you already understand how your current SQLinjection works? And how you could use this to extract data if you know the name of a table/columns?
Not really i know it does things like SELECT * WHERE USER stuff…
I'm still really new to manual sql, I've been using sqlmap since I started pen testing
(want to PM?)
Sure 👍
yes, it's great to learn it manually and always good to understand what your tools are doing.
If you run a program that is in two different directories, for example, /bin/find and /tmp/find, and the path is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/tmp, will it stop looking for the find program once it reaches /bin/find or will it also execute /tmp/find?
Hello! I am doing the Burp Suite Intruder module following the CSRF Token Bypass.
As per the guide...
"We have the same username and password fields as before, but now there is also a session cookie set in the response, as well as a CSRF (Cross-Site Request Forgery) token included in the form as a hidden field. If we refresh the page, we should see that both of these change with each request: this means that we will need to extract valid values for both every time we make a request."
Using intruder with the macro set and unset, it is not updating the session cookie nor loginToken, is it supposed to behave this way?
I was expecting to see both values change with each intruder request.
I got the user and password, however for all the requests, the Cookie: session and loginToken stayed the same.
You probably went wrong somewhere, hard to tell with just that screenshot
If I would have to make an assumption, I would guess it's about the target scope option
Thank you very much @shadow echo !! 🙂
It was indeed the Target Scope option
Gave +1 Rep to @shadow echo
Hey guys
I need help with Overpass 2 - hacked
I'm attempting to ssh into the box, after getting the credentials on the port 2222 backdoor
but I'm getting this error
Unable to negotiate with 10.10.206.92 port 2222: no matching host key type found. Their offer: ssh-rsa
ssh james@10.10.206.92 -p 2222
hold on, let me try resetting the box
still getting the same error, can anyone help out? What am I missing...
-oHostKeyAlgorithms=+ssh-rsa
got it
you need to add this to the ssh command for some reason
did you just google the problem and pick the solution without reading why said solution works????
yeah pretty much
is it important should I know?
yeah it is important
you should probably read up what said param does and why it is needed
okay
can you explain it to me? if not I'll look it up
I learn better when it's put in simple words
hostkeyalgorithm is how ssh encrypts the data between you and the ssh server
what happens if one of those algorithms becomes old and should no longer be used because it is less secure than the alternatives???
simple you stop supporting it and remove it from the standard options
for backwards compatibility you leave a way to still access said algorithms
very very cool
thank you friend
so basically that command allows you to use an outdated ssh
not an outdated ssh, as everything basically works like it should with a new ssh client for an old ssh server
the only difference is using another host key algo that is outdated and less secure.... everything else works as it would with newer stuff
okay cool
should I learn burpsuite before actually progressing in the file inclusion room? challenge 1 (at the end) of it stumped me basically right away and I can't tell if I'm just missing something I should know already or if I should go learn other stuff first
Yeah it would be better if you learn burpsuite first :)
ended up figuring out the room but definitely gonna go back and do burpsuite because it was a lot of stumbling in the dark for trying to get it
Can anyone help me with an interview question and answer?
Hey guys, how do I bypass this? I'm on tryhackme Relevant. I tried incognito, and after research learned I had to use PrintSpoofer.exe
I managed to upload the file onto SMB and find it in the shell
but I'm getting this error when I try to run it
I'm getting a "this is basically a malicious file" error
and it won't let me run it
Does anyone know the solution?
Antivirus is not letting me run it...
Idk how to get around things like this?
Is it because I'm using this payload windows/x64/powershell/reverse_tcp?
It always hangs on the connect stage of the reverse shell whenever I'm using a generic shell, but maybe I'm not waiting long enough?
So my next room is to practice buffer overflows? I wasn't even taught yet how or what a buffer overflow is lol
There are rooms on thm to learn buffer overflow if you want :)
Hi, I'm using gobuster to search for DNS names of an organization, grabbing a wordlist from https://github.com/danielmiessler/SecLists. My question is how to find DNS names that have a hyphen (-) in them. If I do gobuster -d mysite.example.com -w wordlist.txt, it lists DNS names like xxx.example.com or yyy.example.com but it is not able to search for dev-zzz.example.com or sandbox-xxx.example.com. How can I achieve this?
I may be wrong on this but maybe use ffuf? ffuf -u http://FUZZ-dev.example.com
Has anyone ever had a problem with the runas /savecred command? On a deployed machine?
What problem ??
figured it out after a while, had to restart the machine. As I figured (correct me if I'm wrong), the runas /savecred /user:{username} {pathtoprogram} is relying on the user actually having used the cmd before I started hammering in other ppl's logons and passwords that I've found. facepalm.
So you're saying that the user already should have run the runas command then it should work when we use it ??
In last task of walking an application room.. Did anyone get the right flag?
Burp Suite: The Basics Task 13. For some reason I can't open http://10.10.50.228/ , I turned on Allow Burp's browser to run without a sandbox in Project options and in the browser Chromium on the top: You are using an unsupported command-line flag: --no-sandbox. Stability and security will suffer.
Yep, you need help with that?
Yes... In the network tab I got the flag in the xhost header
But it's saying wrong answer
Not the right flag
It says flag will be in header
Which task?
Task 6
Where does it say something about a header?
In hint, it says check the response
The header is not the same as the response
Got it
I thought it said something about a header
As the flag was there
I'm sure this will be really stupid, but I'm a complete beginner, please tell me why I am not able to type 's' on the terminal
It's not associated with any shortcut
Just a single 's' but all other characters work ? And outside the terminal it works as well?
Yes that's right
in the room, when you do the cmdkey /list, it displays the latest user who has used their login credentials (does not show the password). When you use the runas /savecred /user:{username} cmd.exe it jumps into the cmd.exe without you having to type in the password. But if you did like I did, and tried every other account and password before the runas command, it will not catch the former user that the task needs for you to get the correct answer to the {flag}.
Yeah I think you understood the concept completely
What's the issue ?? Can you explain it more ?? Have you tried typing s in any notepad programs ??
Yes, works everywhere. Just not on the tryhackme terminal
In kali terminal ??
Yes yes
Is it attackbox ??
Ya in the attackbox its not working
Did you try using bash shell ??
or the basic shell (sh) same thing happening ??
the Active Recon room telnet task is not working
I had tried both on my kali and attack box
neither is working
Is there a time delay in the middle there?
You need to send it something to cause an error, usually you'd send a malformed request
so, what do I expect to get?
Huh?
I think maybe the web is what caused this?
does this situation mean it connects successfully and immediately closes the connection?
same for the nc
but if i nmap the 80 port it showed the port is opened
It is, you're getting connection closed not refused.
You got where you were wrong. He's saying you just have to send a malformed request to cause an error
Is port 8080 open for telnet service ??
it just immediately closes the connection
Can you share a screenshot of your nmap scan ??
So is it immediately closing the connection ??
I think you entered the right telnet command
Lemme check myself can you give me your target ip ??
10.10.198.142
I'm gonna give up on these simple tasks
it feels like the network is just messed up
Wait a min sir/ma'am
Works for me
Just telnet targetip port(80)
Then enter GET /index.php HTTP/1.1 and then host: telnet
Try this
I don't think so if you're waiting for 1-2 mins then the connection automatically closes
nonono, it's really IMMEDIATELY😂
Sure ? 😂 Double check your get command
telnet will close the session if the session waits for a while
Yeah so send the get command and host request immediately
Did you send this get command ?? GET / HTTP/1.1
i don't have the time
Damn
oh, now i get the time delay
My session has timed out when I get the message that the connection is built
Screenshot ??
Please
same as this
connection closed or timed out ??
closed
how ?? try using attackbox ??
the order i thought might be this: connect successful -> wait for command (->because of time delay)-> when i get the message == session timeout
You don't have to wait if you've got the escape character ..... on your screen
don't wait for any connection successful or smn
so i just send the GET command following my telnet command?
No when you enter the telnet command this three will pop on your screen Trying 10.10.198.142... Connected to 10.10.198.142. Escape character is '^]'.
after this you can send the get request
i get you
but the problem here is the IMMEDIATELY following with connection closed
😂
same for attackbox ??
no ,just my vm
try attackbox
it's ok after i reboot my computer
but before that it's the same
that's why I am saying try attackbox
I think it's a connection issue from your side
yep, i agree with you
thank you
for all your help
It's my fault for not describing the situation clearly😂
no worries. it's okay
hi i am currently on Cross-site scripting and i have this problem im on the last test practical exam and i get the cookie and everything i decode it and it's not accepting it
can someone help if its a room problem or if i did a mistake somewhere
i did the normal XSS payload as it was written there for nc
any screenshot?
Maybe because its your cookie? Use attackbox to solve that last task
You have to setup a request catcher for it and then you can capture the request and cookie
Probably because you're getting your own cookie
You don't always need to use the attackbox.
Some work without the attackbox.
Set up the NC, do the payload and wait.
Don't click on your support ticket you created.
Tbh, i didnt even get the cookie from my vm as well as attackbox😂
Staff or your own?
Staff
thank you all for help
i have a question about task 7 in the linux priv esc room that might be kinda dumb, if anyone has a minute.
i've managed to read the shadow file using base64, but i'm having a hard time figuring out how to unshadow. do i need to pull the files from the target machine onto the attack box?
just kinda need a nudge in the right direction. thanks in advance
figured it out and finished the task
did you find the unshadow possibility with john?
You don't actually need to unshadow anything. The shadow file has usernames and password hashes, that's all you need
yeah i kinda realized that after i completed it. thanks for following up guys.
hey everyone, is it possible and advisable to self-learn pen testing? it feels like college tuition is not worth it if i can just self learn and get some certs as alternative for the degrees
Yes, it's possible. you just need the passion and proper pathway
yes that can be done and depending on where you are sometimes just getting the certs the companies that are hiring are after is good enough... though some will look for degrees from different types of schooling too
Alright, working on Metasploit Exploitation Task 5, and I'm on the last question
I need to get the NTLM hash of the password for user "pirate"
I have a reverse shell, so I can run any command I need to, but I cannot find any way to extract the hashes I need
Does anyone have any suggestions for this?
wait, I think i got it, just have to change what attack I'm using
I’m doing what you’ve mentioned I’ve dropped out from my college and now focusing on Proper knowledge of Hacking and getting certs for job 😊
Hi all I'm having some issues with the privilege escalation task 11, using the attackbox, when I attempt to mount the share it says only root can perform this option. Could anyone give me any pointers/hints as to what I might be doing wrong?
Never mind I was running the command on the target box and not the attackbox. Got it working now
Hi. I just completed Jr Penetration Tester Path. But i can't get the Certificate and it shows the message "Fetching certificate, Please wait." Please help
Can you verify yourself and then share a screenshot here. The staff will help you out on this
!docs verify
THX
Gave +1 Rep to @deft rain
Do you have adblocker enabled ??
OH. YES, THANKS
Hello, I’m having an issue with the Linux privilege escalation task 6: Sudo. I got the hash for Frank’s password after getting privileges, using cat /etc/shadow but it keeps telling me it’s wrong. I’m not sure what I’m missing or doing wrong
I’ve restarted the machine and got to the hashed password a second time and it still says it’s wrong. Any help would be greatly appreciated
!docs verify
verify yourself first and share a screenshot please with the password you found 🙂
Hello, I’m not getting flag in subdomain enumeration, task: Virtual Host. Try related option shown in description
But nothing comes is there anything I have to use in ffuf
verify yourself and share the screenshot 🙂
I’ve verified
Nope
I send messages!verify <ID >
to thm bot ??
I think I have to do it again
yessir
share your thm profile token to bot
Okay now I’ve
share the screenshot
command you used for ffuf ?? share its screenshot too
this
You sure the filter size is 53 ??
recheck it again with running the same command again without fs option
also why are you matching the response code with 307 ??
Because all response code is coming 200 so i tried to match with 300
I mean you're already filtering the response with size
i've tried without options and it's showing zillions of lines of result
Now look for what size you have to filter from that
I think so it is
Then what should I do ? I've tried word count to 5 and 6 respectively Because answer is only 5 words
but still no answer, I'm getting it wrong
No you don't have to filter it according to answer. I think you have to re-read that virtual host task and how you can filter responses while enumerating
🙂
Hey guys. I have been working on File Inclusion Task 8 Challenge 3 all day (it takes way more research than the first challenges). I tried to piece together what I need to do from the hints in different threads but I always end up with an empty string for the filename ".php". What I have done so far is || change the request from GET to POST then add the file parameter in the body with the nullbyte.||I did this with burp proxy, repeater and with firefox inspector. I always end up with an empty string for filename. Am I missing something?
Might want to provide a screenshot to show what exactly you mean.
You will have to verify first to do so
!docs verify
this is a screenshot of the edited request and response
You have an extra empty line in your request body that shouldn't be there
Ah, I guess that's not the culprit there.
It's the parameter name
Sorry, got busy. Verified and here is the screenshot of the hash I have.
$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1:18796:0:99999:7:::
That's more than just the hash
Or more accurately: https://www.cyberciti.biz/faq/understanding-etcshadow-file/
ahh I didn't notice the inspector generated an equals instead of a colon
but still the string is empty in the response :/
Mh? No, with wrong parameter name I meant that you named it File instead of file
yep that worked, I thought it has to be capital because the others were lol
Thanks a lot!
guys, im on the linux priv escalation room. i already got the room, but im trying to solve task 12 in every way taught. right now im trying through the PATH variable
the script must be created by a root user?
im asking this because it is kind of odd. the objective is to gain a root shell, but if the script needs to be created by root, there is no point in gaining root in any other way and after that creating a script to execute using a regular user to gain a root shell again
the image in task 10 shows the script being created using a root user
The image you're talking about is attacking machine
Experiencing the same issue here
went ahead and tinkered for a while came up with the solution seems to be correct
since I doublechecked by reading 2 different writeups
but it's not working
and the file parameter doesn't start with a capital letter
so I have no idea what I'm doing wrong
You are missing a header
If you capture the GET request in burp, use the right click function to change it to POST, that way it will add that header automatically
it worked thank you
but I don't get it
Why didn't it work when I changed the method value to POST
but I had to right click and change it instead
I mean ig burp works like that or sumthing but it still makes me question how that is any different than before
You could have added the content-type header on your own, it's just a convenient way so you don't have to do it manually.
So in the request shown in your screenshot, that header is missing
oh wait so I was missing the content-type header
wait one second that makes sense that rly went over my head
cuz it's a post request
Hey guys does anyone know how to fix this error when i try to bruteforce passwords using Hydra? ERROR] could not connect to ssh://<IP> - kex error : no match for method server host key algo: server [ssh-rsa,ssh-dss]
In Web Hacking Module, File Inclusion room Task 8 I have tried everything described but didn’t get flag
These challenges are very good and tough as well. Can anyone help ?
one question, what the function or purpose of the file name in this URL , http://webapp.thm/get.php?file=userCV.pdf ? is there a file named get.php hosted in the server whose function is to retrieve files such as userCV.pdf which is also hosted on the web server?
There is an image mentioned, It gives you a broad view of the scenario 😊
which flag number you need help?
Yes, that's the idea. Although userCV isn't hosted except via that page
hmm k thanks
Gave +1 Rep to @idle bison
all of them I've tried but not get it
Actually I'm Pretty close with Flag2 reached on admin page but didn’t get the flag
Check the cookie
Hints are very useful.
Do you notice any change after changing values of cookie?
yeah I got access to web page as admin but there isn't any flag
|| try giving flag path as value ||
I'm looking for it
well Thank you got the flag
Gave +1 Rep to @rustic totem
cron job machine is buggy, I had to try 3 times to get it complete
pretty sure not caused I did make sure they are executable, at one point I even tried 777, lol
maybe I got bad luck Brian that day but it is all good now
yeah Brian is so annoying.... should definitely kick him out of your room while doing work hacking stuff
SSRF Task 2 not getting flag
I've tried to modify server request but not getting flag
can any one help?
What did you try ??
I realized that. So I created the script in the attacking machine and transferred it to the target, but when I used the "ls -l" command, it showed the owner of the file was a regular user, not root
Which task you're on ??
I was on task 12 of the linux priv escalation room, trying to solve the challenge using the method of task 10
sorry for the delay in responding
And the machine of task 12 is having the same binary with suid bit set that's looking for a specific file as in task 10?
As if not, how are you supposed to do the same thing as in task 10 ?
the machine of task 12 has a folder in the PATH variable that we can write. shouldn't it be possible to create a script in that folder and copy a binary like bin/bash and execute it as root?
How are you going to execute it as root if you are not root ?
through the script, like in task 10
Ye but task 10 has a binary that has the suid bit set, that's already there.
How are you going to create that binary as non root and give it suid for root?
so, the original binary needs to have the suid bit set? there's an image in task 10 showing the "ls -l" of the copy of /bin/bash. the copy doesn't have the suid bit set
its the penultimate image
the copy of /bin/bash is called 'thm'. the image shows 'thm' doesn't have the suid bit set
That one doesn't need suid and it wouldn't even work, since suid doesn't work with scripts.
But it doesn't need it, since the path binary has suid, so once you execute the path binary, it's going to look for a file called "thm", since suid is set, it's already doing that with root perms, thus executing the thm script as root
The PATH variable comes into play so that it will find that thm file
got it. so the thing is the path binary has the suid bit set
but it was created using the root user, like in the attacking machine. in this case, the binary should be transferred to the target, right?
Any idea what's wrong with john The ripper ?
If you are not root and you are going to transfer such a binary, it's not going to be owned by root, it's going to be owned by the current user you are logged in with (not talking about a case where you might be able to transfer it and keep the root user, since that doesn't apply to that machine)
So the point is, you are very likely not able to do task 12 with the method shown in task 10
So you have to look for something else you can abuse and learned throughout the room
indeed, I tried that, and the owner of the file became a regular user, not the root
got it. I was asking all this because i thought the machine in task 12 was vulnerable in every way taught in the room
thanks, @shadow echo
Gave +1 Rep to @shadow echo
Sure that's fine.
Ye, it's not vulnerable to all the shown methods, but definitely to at least one shown throughout the room.
Maybe not in the exact same way, but with the same principle 🙂
helped a lot, man. thanks 🙂
At last, I've completed JrPT path 🤘
Congrats
Was Trying to Crack a File and Getting This error Reinstalled It again But nothing helps (:
edit : Thanks anyways I fixed it .
Did you use just john as a command ??
no It's just to show the people .
As in what the error is
Ohh okay no worries
As in you can see now it's working perfectly fine 🙂
Yeah I thought you just used john for cracking 🙂 my bad no worries glad you fixed it
I appreciate your time . Thanks
Gave +1 Rep to @deft rain
No problem
Wrong architecture or corrupted binary or your computer doesn't support the required x86 extensions
congrats 🙂
Got it
I need help In Task 12; CSRF Token Bypass of Burp suite : intruder. I have configured all the things as shown in GIF and in written format also, still not getting valid 302 code when I Start Attack. I've tried all the things but not getting it.
Can you share some screenshots ??
Okay
I set Attack type to Pitchfork as shown
Let's see payload
It's okay I think
Now Project-options > session
this is macro i've created
session handling rules
Details
Scope
after this setting I've start attack
getting status code 403 which is not expected as mer module
*per
see
yeah you can see in screenshot
There are two GET requests and I've tried from both
Hmm. Everything seems okay. But did you set session handling rule ??
But which two cookies have you set in the rule ?? Any typo in that !?
I've taken one request in Macro then followed the process, session handling > rule > attack
then from another one but in both case i got no result
Did you set rule action ??
Yeah after that you have to select update only selected cookie or something
Yeah both the session cookie and the login Token
Yeah I have done that
Recheck them. Even check for any typo
Then it should work
Can you share screen in a vc ??
In the vulnerability capstone room none of my exploit scripts worked, I had to recode and debug them, but i did it on the attackbox and now i lost all my code, restarting it doesn't retain anything pfff frustrating it worked for other ppl right out of the box and i had to debug the whole thing b4 the exploit worked and i got the flag.
Do attackboxes always reset to a clean install? cuz i lost my code
ahh bummer figured so, better back it up when using attackbox again
the prev challenge I failed on my local machine with %5 detection by the firewall, but on the attackbox I ran an nmap scan and got 15% detection but got the flag
I also once started a brute force attack cuz the instructions said so, which would take forever, what they meant was a dictionary attack, there's a difference
I'm just saying, Tryhackme.com has some unintentional bugs too it seems 😄
but best ctf site I've tried so far, fun and very noob friendly
Hi guys, please help I’m in burp suite: other modules: decoder hashing I need to know how to answer this: 'Some joker has messed with my SSH key! There are four keys in the directory, and I have no idea which is the real one. The MD5 hashsum for my key is 3166226048d6ad776370dc105d40d9f8 -- could you find it for me?' Here is what I did : copy-paste the key into decoder I get something like that 00000000 ba 78 e0 fe 50 89 a6 d2 fa how to turn it to something like that 3166226048d6ad776370dc105d40d9f8 ?
You need to get the md5 hash of the files
You're not meant to decode anything
In which format ?
What?
Hello all , I’m seeing an issue with Time based blind SQLi in the SQL injection part
Here the table name is supposed to be USER but it is also taking “analytics”
Since the task is to try all the characters and when somebody starts with a the request time is showing 5:002 which means true
https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name like 'a%';--
time stamp :5.002 which is true
https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name like 'u%';--
time stamp: 5:002 which is also true
if somebody starts with letter a then they will end up with table analytics which we cant use to get further answer and time consuming
I'm not sure if I understand what exactly the issue is?
A database can have more than 1 table, so ?
but what if we get into analytics table instead of USERS table
in order to level up we need to find the username and password which we can only find in the USERS table
Well then at some point you will notice that you didn't enumerate the tables well enough in the first place
If you go through all the characters in the first place, you will notice that there is more than 1 table
how can we find if we have more than 1 table ?
The same way you showed above, going through all the characters in your table_name like 'a%';--
So just go from a - z and you'll see there are more than 1 ?
database : SQLI_FOUR Tables : USERS , ANALYTICS ..my question when the challenge is to find the usernames and passwords from a designated table why do we have another table called analytics and it seems like there is nothing in that table ...which is kind of misleading and time consuming ....is the table "analytics" intentionally created or there accidentally ....correct me if I am wrong
I fully understand what you are saying, it's not misleading at all, it's a good lesson to do your enumeration well.
A database is very likely having more than 1 table, so if you did your enumeration well in the first place, you could have saved time.
E.g if you get a positive reply on the "a" and a positive reply on "u" you could guess that "u" will lead to users and went with that letter first.
So no, I don't think the analytics table is accidentally there 🙂
got you ! since i started with I went into wrong table
Thanks ! That helps
*Since I started with A directly I went into wrong direction
Right and this won't be the last time you went down a rabbit hole, so expect that to happen more often, that happens to all of us 🙂
Perfect ! This is the question which we ( as a group learning together ) had ..That makes sense !
Thanks again !
Not an issue 👍
nfs , linux privesc
i know what to do now after looking at other peoples conversations
but WHY IS IT HANGING NOW
restarted my machine and target one multiple times
and now its not letting me fucking even cd into the directory
if i type out /tmp/backup
it will stop there
cant type the s
cant type anything
I think you should recheck your commands maybe ?? I mean you just entered the dir path here not a command in bash prompt
That wasn't the point I was just showing the fact it doesn't let me type more
Anything I type relating to the nfs share freezes
The nfs share was /tmp/backups
But it wouldn't let me type the full thing
Try restarting your attacking machine
Ill try again tomorrow
No worries you can ask if you face issues again here
Ok ty
Hi. I was doing task 11 Privilege Escalation: NFS in the Linux privilege Escalation module and I came across this error when I tried to execute my code I got an error: ./bad2: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./bad2). I'm not a programmer so I was kinda clueless. I did a little googling and it seems to have to do something with the compiler. At the time I was using my kali box and I was able to mount the share and transfer the files between the machines, but the error only came up when I tried to run the program on the target machine. Well to make a long story longer I was able to spin up an attack box on the THM site, went through the same series of steps and this time it worked. So my question is: I couldn't seem to find an answer on how to compile my code using a different version of GLIBC on my kali machine. Is there a way to do that, or am I just going about this the wrong way? Thanks for the help.
hmmmm...... I will check that out. Thank you
Gave +1 Rep to @steel nymph
restarted it and it just froze here
ill leave it and see if it actually loads
Try copying something else
okay one sec I'll have to restart the machine
Also this backups folder was already there or you made it for the task ?? @steel yarrow
made it
Okay
it says mkdir /tmp/backups up there
if it was already made itd be highlighted in white like it is in the mount command
also if i mount to the shared folder again will i be able to see the file uploaded
because
its on the target machine
i just need to make it executable
Damn zsh lessons
my bad 😭
So it's working right or not ??
Also ssh into the machine it will be easy for you instead of doing it in split view
If you restart the target machine nope that file won't be available there
no no i meant my attacker machine
Ohh okay then it will be there
Why don't you use attackbox first for this attack ??
I tried it initially when i thought you had to compile it
but i only found out last night that ur not meant to compile it
also my machine boots faster than attackbox
so ive
done it right but i don't have root shell
let me rejog my memory
thats right ?
and then i run ./bash -p
Yes
But you have to run it on the target machine
i did
So, what's the outcome ??
no shell?
Do you see that your bash binary has a size of 0 ?
Also is this nfs practice ??
You can make your own file too as instructed in the task too
Much more difficult unless you're using the attackbox
Don't copy your bash. Copy the box's bash
Yeah I get that glib error
Then chmod +s from your kali
Ohhhh
permission denied though its not like i have root
Beside that, I think this task is providing you with a github link for a bash binary that you could use
What?
The box's
Network services does, does this one?
What?
Ah, I thought that's the network services room that they are doing
Same thing though, yeah
Ah
i followed him and got it
im sure i was doing the same earlier but maybe because it was on my own machine it wasnt working
man nfs is annoying
There's a small number of pitfalls, if you avoid those then it's ok
I have a problem with Task 3 in Walking an application, can anyone help me please :)?
what's the problem?
i cant seem to get the flags when I view page source on the attach machine
attack*
so ive been struggling to get the answers :0
not even the comments one?
nope, they don't pop up when i click them
that's odd if the page source isn't even appearing for you then that sounds like a glitch.
yeah i had to restart the machine earlier today too. how can i get past this?
this is more of a bug, check out #room-bugs and send some screenshots so a more experienced person can help you.
i would appreciate your help 🙂
hehe, where must i be?
sorry to ask but how exactly do i get there?
thanks, that helped! What do i do now?
Im totally new at this, so bear with me please - does /new-home-beta have anything to do with it?
Thanks 🙂
you're gonna have to help me with the directive listing flag please and lol. Its really the first time i ever looked at source code
more than once
company/staff/customer information.
Copy and pasting text i read three times is really not helping me @steel nymph
yes, its all gibberish to me
Is it incorrect?
So are you going to advise me a little better?
thanks, you're a real star !
Did you find all flags ?
I think because their purpose is just to practice what you've learnt. Why do you want sound though ? 🤔
hey guys, I hope you're fine all
I need support
in Virtual Hosts challenge i came across this command
```
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs {size}
```
when I enter with appropriate size, I am getting 0 answers
any help is very appreciated
Hey, I can't seem to access the links in the learning modules... All my connections on my VM seem to time out.. ?
You might want to be more specific what exactly you are trying to access
For example this
On the AttackBox, open firefox and enter the url https://static-labs.tryhackme.cloud/sites/favicon/ here you'll see a basic website with a note saying "Website coming soon...", if you look at your tabs you'll notice an icon that confirms this site is using a favicon.
Are you subscriber?
If not, you don't have internet access on the attackbox
Yes
Ah that makes sense 🙂 thanks bud ill go premium then right 😄
thx 🙂
Gave +1 Rep to @steel nymph
Hi guys, i hope you're doing good. i just need help with Task 6 Virtual host where i have to run ffuf command. i followed all the instructions but still there's no answer. i'm running this cmd ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://Machine_IP
:: Method : GET
:: URL : http://Machine_IP
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt
:: Header : Host: FUZZ.acmeitsupport.thm
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
Any idea how can i solve this?
Did you start the machine by clicking on that green button?
yes i did
Then use ip after -u
For example if my target ip is 10.X.X.X i would use -u http://10.X.X.X
i'm using -u but still no answer
it seems you don't have the machine started from task1 (green button) because even in your screen shot its showing your command is showing http://machine_ip instead of the actual machines Ip address
yes @light yacht you were right my machine wasn't started but as i started it now and ran the command. after running command it takes me to other terminal where i can see the progress but unable to find subdomain
means answer to my first question
what's the output now ?
Please have a look at this https://prnt.sc/3x3yKauofOMz
Whats your filter size?
on your second command what do you have as the -fs {size} (filter size)? if you look at your output there's a lot of response with the same size remove that size by using your filter and try to run it again you should only have 1 response.
I ran the command two times first with 10(ten) filter size and second with 1 (one) but same response error https://prnt.sc/tXQ83-iLSD4N
this was your first command output i highlighted what you need to filter out. so you are not using 10(ten) or 1(one).
Thanks guys, really appreciate your help. finally i found the answers @light yacht @rustic totem
Gave +1 Rep to @light yacht
yeah, no problem.
I believe the answer for this question is wrong. It shouldn't be 8 because read this man page that I am about to send next
Network security - room 2 > active recon
The man page entry says that the header is 8 bytes. The header is followed by an arbitrary amount of data, that's not part of the header.
that says 8 bytes more, not just 8 bytes and the question is asking ICMP header size without being specific about this ( so shouldn't answer be default size ?? )
I'm not referring to the bit where it says 8 bytes more.
Much much before that. Second sentence.
did I do something terrible here?? If i did then I am sorry, I started the attached machine and used telnet on that so is that bad??
The target machine is yours to attack as you see fit...
yeah but that too says that it is additional 8 bytes ( i.e., just as same as more 8 bytes more , right ?)
okay thanks
Gave +1 Rep to @idle bison
A further 8 bytes. It says an IP packet header before that, not an ICMP
Consider encapsulation. ICMP is layer 4
okay my bad.. Thanks I think I get it now
So how come the firefox is updated in the Attackbox but in the instructions for the "Walking an Application" section, it's out of date. It doesn't show the divs at all in the inspector. It shows them as spans and the classnames don't exist. They are prefaced with pre, etc.
There is no way to continue with the application?
Nevermind
I fixed it apparently it was firefox being goofy!
Hello! I've got a question about burp suite regarding the 3rd flag on the challenge task in File inclusion. ||When changing the request method to POST inside of burp suite, the server would still send a GET request in the network tab of inspection, but when changing the form method to POST in the html source code it would actually send the POST. Why didn't burpsuite work?||
hence do not just change from get to post manually but right click the thingy to do so in burp suite
i think i tried that as well, maybe i didnt
thanks a lot u guys, gonna go back and try again to see if I can do it right this time!
good luck
ok the Manual Discovery isn't working ?
@steel nymph
Take a look at the sitemap.xml file on the Acme IT Support website to see if there's any new content we haven't yet discovered: http://10.10.225.237/sitemap.xml (open this in the FireFox browser on the AttackBox).
this particular part of the jr pentesting section of content discovery?
do i need to terminate the attackbox and machine and restart them
ahh so it wasn't me. I shoulda nmapped it
sorry for my lack of assertiveness
Is this a good path for people just starting out idk which one to choose
Hey I am at that very same spot right now. Doesn't seem to get post working inside firefox (it's also mentioned on bugzilla, hence I assume not an error on my side?) - you mentioned burpsuite. Burpsuite follows after "Intro to webhacking" hence I never learned burpsuite before. How could I go about it without using burpsuite (if that's even possible)
