Check out my new song! - "Prelude" kzitem.info/news/bejne/toufl5WccaSpnaQ
@michaelboyd9183
Жыл бұрын
Great walkthrough! This room had me stumped for a long time!
@sebastianwar7936
2 ай бұрын
Really feels like between start and end, we were missing 2-3 more learning modules.
@user-hu5xb3yw9q
8 ай бұрын
You made it look easy but from the comments I see I wasn't the only one struggling on this one
@Cashmeister96
Жыл бұрын
Thanks, this was a good learning resource you explain the concepts clearly.
@BrockRosen
9 ай бұрын
I try!
@jamest3145
8 ай бұрын
Excellent video. I don’t think the content on THM has enough help for people new to computing so this is very good to give some help. This is a hard room
@leonstone3443
5 ай бұрын
hey thanks! you helped me understand better and i finished on my own after the first question! edit. nvm, when i got the challenges part i crapped my pants and came back
@SeekingTech
Жыл бұрын
I wish to see your account florish, Great Help!!
@rowanmurphy5239
5 ай бұрын
I have absolutely no idea where you're getting FoxyProxy out of Burp Suite, I did exactly what you did, and it won't even open anything. Even after I handle the error message that tells me to change a setting. Nothing happens. It just sits there like I didn't press the Open browser button. And THM did not explain almost anything in this entire module.
@kanchanamarindagoda6039
10 ай бұрын
Thanks a lot, I got stuck in this room for a long time
@BrockRosen
9 ай бұрын
Glad I could help!
@mr.meatbeat9894
Жыл бұрын
Thanks man, this really helped. Great explanations. Enjoy the sub.
@BrockRosen
9 ай бұрын
Thanks for the sub!
@g91g91
Ай бұрын
For the challenge (lab2), that we can use the cookie to alter from Guest to admin I got on my own, and the file inclusion after you showed it could be done to the cookie. But could you explain why it is possible to alter the cookie to include the file? What triggers you to try that?
@Richard-zw9sl
14 күн бұрын
28:06 why did you do 5 ../? How do you know how many to use?
@Toad963
8 ай бұрын
Is it just me or is this room far more confusing than the others?
@BrockRosen
8 ай бұрын
It’s not just you! 😂
@____-tx6nl
6 ай бұрын
At the last challenge, I almost got to the point where I think I'm to dump for this shit I quit THM
@cptvasilyzaytsev9245
8 ай бұрын
Great video. I have spent hours on challenge #3 going down rabbit holes. I appreciate the simplicity of the answer now haha. Is there a specific reason as to why you specified a POST method in the -d (HTTP POST data) flag?
@BrockRosen
8 ай бұрын
All GET requests were being sanitized (what the hint was trying to tell us), so we only needed to change the method and kazaam, the flag pops out. Overall, POST requests are more flexible when a user submits data or files to a server whereas GET is great for saving and coming back to website parameters you've changed
@cptvasilyzaytsev9245
8 ай бұрын
Ok, thanks for clarifying! Does it matter if you specify the method with the -X option, or with the -d option?@@BrockRosen
@BrockRosen
8 ай бұрын
No, I don't think it matters. @@cptvasilyzaytsev9245
@cptvasilyzaytsev9245
8 ай бұрын
Ok, great. Thanks for confirming. I appreciate the comments!@@BrockRosen
@frybait0626
6 ай бұрын
On the Challenge lab#1 it says "The input form is broken! You need to send `POST` request with `file` parameter!" why is it that you're specifying again the method to "GET" ?
@recon0x7f16
9 ай бұрын
i dont follow at @19:35 i don't understand wdym by how php or file type to pass to the include function.
@daguru4089
4 ай бұрын
Can you set the cookie from the developer tools in the browser instead of using the burp suite?
@g91g91
Ай бұрын
Yes, I did that
@suhanichoudharry
6 ай бұрын
can u tell which editing software you used ?
@FettyHuang
11 ай бұрын
Is anyone else having problems with loading burpsuite? 38:15, I get an error message when I try to press open a browser. I fix that by allowing burp to run without a sandbox but when I turn on the burp from foxyproxy, my page cannot refresh. It's like I am disconnected from the internet when I turn on burp from foxyproxy. I did exactly what he did in the video but either some updates were made or something else cause I cannot access the burpsuite the same as this video.
@jameschatsshit
10 ай бұрын
I've ran into the exact same problem however once you start the browser sometimes you need to send the payload which is why it exists in the first place I believe. Pretty sure you've done all the hard work there, you can see "intercept is on" within the suite which means that it wont load the page until youve told it to. To fix that, every time the page refreshes with intercept, you need to click the "forward" button to connect to the next page within the browser.
@harshbali7377
7 ай бұрын
Bruh this lab reminded me of the movie Inception -..-
@g91g91
Ай бұрын
Another question for flag3 (I haven't really used burp that much before). I tried to use burp instead of curl in the terminal. When I alter the GET request and add the same directory, the error request i get back just says include(.php). (I've changed it to POST /challenges/chall3.php?file=../../../../etc/flag3%00 in burp
@user-dk9xn2ys6k
6 күн бұрын
Hello there. I ran into the exact same issue on flag 3. I did a bunch of digging and here is what I found ... (I was using postman not burp). In postman you can see the specific cURL command that the parameters that you set are generating. The postman cURL generated was: curl --location --request POST 'ATTACKBOXIP/challenges/chall3.php?file=../../../../etc/flag3%00' Instead of curl -X POST ATTACKBOXIP/challenges/chall3.php -d 'method=POST&file=../../../../etc/flag3%00' --output - The Key difference is that even though you said you wanted the request to be a POST via burp the URL is what contains the data which is still technically a GET request not a POST request. GET is getting filtered by the server. Using the cURL command line command allowed you to SPECIFICALLY say that you wanted the data to be sent as a POST request and not a GET request in the URL. Is there a way to do this via postman/Burp? Probably, but not as a default setting - I would need to learn more about the client settings for this.
Пікірлер: 34