I somehow struggled my way through these challenges but didn't really feel like I understood the material. Your explanation was much better than the written material

I really loved to study cybersecurity for the past month but after I got to this point i gave up convincing myself that i am too stupid for all of this since i couldnt understand a single word they wrote on the site but after coming across this video and reading the comments i decided i am going to try again, thank you

I wouldn't be able to do this task without this video. good explanation

Thank you for a thorough and concise tutorial. There is no way I could have completed that challenge without your help. Now I just need to do it another five times and I might be able to remember how to do this! Keep up the GREAT work!

This room was the first room where i started getting problems. Thanks for this tutorial.

Well done, much better explanations than the provided material. I really think they need to revise or flesh out some of these labs, for example some of the tools that may be helpful such as burp suite aren't covered until later in the path. I ran into a similar issue when they were talking about decoding sha, md5, and base64, they gave you a link to help you with the later but not the base64, later in the path they provided a link. Funny enough it was the one I just happened upon to complete the lab.

This really helped me sir ! But I must say that this is a liitle too advanced for beginners.

انا لقيت اسمك عربي فسمحلي اكتب بالعربي فبجد مجهود رائع وشرح سهل ومبسط كمان اخر جزء في الفيديو كان رهيب. حقيقي فخور ان في مسلمين بالمهارة دي. اتمنى أوصل لمستوى حضرتك.

The only video you need to understand whole file inclusion concept!! Thank you so much for this. ❤❤

nice work on this one, really cleared up my mind. Thanks keep it up

love the videos man - so informative and plenty of time to pause and try out yourself out without blurting out the answers

thanks man! tried the challenges by myself for a while but had no chance. with your help I completed it while still learning a lot.

Thank you for this walkthrough! I could not wrap my head around this room. So much help!

thank you for activating the subtitles, it gives us the possibility to put the translation in French

This helped so much even after I'd read the written write up.

Thanks very much, the written tutorial for this was not particularly helpful but this is much better.

I thought it was well done! the best break down I've seen out here. I'm glad to have subscribed and will check out the rest of the vids. Keeo up the great work!

26:53 its already configured to POST right?(-->curl -X POST

thanks for the help brother. I didn't just want the answers so I'm happy I came across your channel so I could actually learn step by step. that made much more sense then the verbage they had.

thank you so much for this. This walk through is so much better then the room. And i was able to follow along as a mid level cyber learner. 💕

Thank you for sharing this video, I got a lil stuck on this one but you helped me finally understand what needed to be done/what I was supposed todo

New Subscriber! Awsome work, my brother! Keep them coming! You are explaining in such an easy way, its easy to understand! Natural talent! Keep it up! :))))

Amazing, this helps so much, you have no idea how great of a instructor you are. Muchas Gracias

Thank you! Challenge 3 was whooping my a** and this helped me through. Great explanation good sir!

loved the content and the way of explanation thanku brother i was lacking in this specific topic i think i am cleard with it now ❤‍🔥❤‍🔥❤‍🔥❤‍🔥❤‍🔥

Thank you!!! Really appreciate the time you put in to this. It was a big help with my limited time to study! I could not repeat the very last bonus challenge. My attack box is not using a TryHackMe accout, only root and I don't the same files and folder on it. I wonder why the attack boxes are so different. Thanks for doing it though.

Wow! Great video, very helpful... Thank you!

Very well done sir, I needed a little help with the final 3 questions and you're 'answers' were perfect. Using curl to switch the methods was a great idea, I tried it with Burpsuite but it wasn't working for some reason.

Thanks!

He sounds like a lawyer or a medic talking to a patient. Becoming surprised when hearing concerning details, but trying to keep you calm.

Thank you so much for letting us for this tutorial. And thanks for the php reverse shell XD It's really helpful for a beginner

Was stuck on Lab 3. Thanks for the help

This one is massively unclear in the room. I’ve never had such problems yet as this room.

I always like your video. well explained and clear

Hello Motasem, thank you for taking the time to make this video. I would have never finished without you help. The one thing that really confuses me is using burp on the THM vm. So I basically followed along from there. Is there a way to complete the challenge without burb? Thanks again, Ed

this is the best walkthrough on FI- Thanks for the post! One quick question : I cannot navigate to the tools>php.reverseshell to gain RCE, please assist if you can?

At 20:00 can someone explain me why he changed the get request to get when it was get already.

Thank you so much! Has been a great guide and help with this challenges!

What's your labs techno behind ? Kubernetes namespaces and PODs popping on-demand ? or static site ?

Thank you so much Motasem.

Thank you, this really helped 🙂

this was good. Thank you!

Great walk through. The question I have, is how does changing the cookie to a file path work. I saw you do it. But I do not understand how or why it works.

very coherent, earned my sub

you tell me why we could not do it with burp suite and we could do it with curl, and can you explain the commands you wrote in curl, I need to understand please :)

task 8, Capture Flag2 at /etc/flag2 starts from 00:20:41

Can you demonstrate how to use curl to do the cookie instead of burp?

Challenge 3 and the last challenge remote execution were very difficult. After spending over 1.5 hours, I decided just to use your answer so I can move on to the next stage. ..

In challenge 1, it was specified in the page that we have to use post req and yet we used get in this part of curl "-d 'method=get&file=/etc/flag1'. Why is it so? Can someone please explain this to me? Thanks!

how can one view the contents of flag1 with burn suite. I guess many of us can't use burp suite. A tutorial will be great. thanks

Thanks, it was very clear and useful!

On Challenge 2 why is my Burp Intercept Tab doesnt pick up anything whenever I try to reload the page?

Thanks for video! Somehow I am unable to execute RFI tasks - no code executed neither from my local web server nor from external ones, even the simpliest scripts or shells, according to server logs - vulnerable host not getting it from my server and showing blank "File content preview". Cheated to read /etc/hostname via simple LFI ;(

Thank you for a great walkthrough.

Thanks, I was really stuck on a couple of the challenges later. I tried and tried and it didn't work.

How would anyone who's a beginner be able to figure out these last few tasks without a video like this? They cannot possibly expect people to be able to solve these with such poor instructions. It makes me feel like I'm trying to tackle something that's just not possible.

Why do we change the method to post in the 3rd challenge and why do we not change the method in the first challenge ???

Where can I obtain that 'php-reverse-shell.php' file to gain access?

Very helpful. thank you

Thanks! Just a quick question about playground challenge. What is the difference between apache server and python3 that you used? And why is apache using my IP and python using VPN IP?

How do you get your console to split view like that?

when you used a reverse shell by netcat why you used 4545port instead 8000 ?

im just curious about this... you have to use without know anything Burpsuite? when the burpsuite room is on the next module? this room is a bit hard for people like us.

Is it possible to use the method as suggest in the Task? edit the method as POST in the Web Developer. I know Burp suit is an option, but this module comes after the RFI task are completed in the learning path

Every time I type the curl command verbatim it doesn't give me the flag. What is it that I'm doing wrong?

can u give us the repo directory? any github link or something else ??

Good walkthrough but you should put timestamps in video

What’s the code for that reverse shell?

Can you set cookies from the developer tools instead of using burp suite?

I'm not sure if challenge 3 was updated, but this method does not work for me to retrieve the third flag. I am completely lost.

did someone do LAB 5 and if yes what was the bypass

Just wondering what software or vm are you using?

could you please show me how to do with burpsuite? because that's the first thing I did by changing the request to POST but didn't get the page

I watched this whole video only to find out I forgot to use :8000 on the webserver when targeting my RCE. Good content though!

I thought I could do it in the developer options or is there no way?

Thanks, I change method and url by inspecting but didn't work 😞

Thank You!

TY brother

Firt view and first like

thanks so much

Wow, love your channel men. How can i get access to your notes, i need notes for web penetration

ty bro!

another comment: what icon set are you using in Kali? I want to try it out

man, why your recordings are on so low volume? Is so annoying when the commercial comes.

This is a great video, but every time I watch you go find and then copy and paste instead of typing "%00" I get a little anxious! :P

hi i am using THM attackbox to attempt the RCE challange , how do i start a webserver ?

Domu arigato, sensei

I need file shell.php:)

Please next time just volume up your voice. I cannot hear you clearly even I turn it on max volumn

This Room was the go for me to switch to HTB. This Room is dogshit sorry ...

thanks for the walkthrough. I think it could have been slightly more in-depth in describing why you did certain things. but wow, the low quality of this tryhackme lesson itself was mind-boggling and painful to go through.

for the last one, you could also just get the hostname by ../../../../etc/hostname lol

if if use this reverse shell: my nc shuts down as soon as the link is established, what is the reason

what the hell? this tryhackme module made 0 sense.

Was having a bit of trouble with the reverse shell at the end of the video. I'm using kali and ran the command 'locate webshells | grep php' to find where my php webshells were and then I ran the webserver from the directory that php-reverse-shell.php is in. But when I use that as the payload I got an error that said: WARNING: Failed to daemonise. This is quite common and not fatal. Warning: fsockopen() [function.fsockopen]: unable to connect to 127.0.0.1:1234 (Connection refused) in 10.13.49.109:8000/php-reverse-shell.php on line 100 I looked at the script at line 100 which says: $sock = fsockopen($ip, $port, $errno, $errstr, 30); If you scroll to the top of the script there's comments that tell you to edit the variables $ip and $port I only edited the ip to match my local IP on the 10.10.x.x network - the one you get when you run ifconfig. The port in the script is set to 1234 so I ran: nc -lvp 1234 as the listener. After I did all this the reverse shell worked for me.

thank you!