immersive labs

89 Topics

CSP Hash Incorrect Despite Correct Script and Hash (CSP Lab Issue?)
Hello all! I'm working on Introduction to Content Security Policy (CSP) Lab: Content Security Policy: Hashes exercise that requires generating the correct hash for an inline script like: <script>document.body.style.backgroundColor = "#ADDADE";</script> I’ve used both CyberChef and the SHA-256 JavaScript snippet to generate hashes like: sha256-+BWzTX+GJrse8ifajvHg6QFPdmE+JjXYmrYBn+kLITo= sha256-Msn/9dD1zBN7LGZyQyglKL9JMVyCsVqvZ7MAkmm/BpU= I've accounted for trailing newlines and whitespaces (CRLF, LF), used View Source (not dev tools), and verified that I'm hashing the exact script content. However, the lab continues to mark the answer as “incorrect.” Is this likely a glitch in the lab setup, or is there a common mistake I might be overlooking? Would appreciate any help or confirmation from someone who’s completed this lab or run into a similar problem
anressh
3 days ago Place Help
140Views
1like
3Comments
Defensive fundamental question three
Kindly help with the hint to question three of the defensive fundamentals
gabby1
4 days ago Place Help
18Views
0likes
2Comments
Having problems running the Python Expert Challenge 4 in OWASP Training: Access Control
Hi, I've just tried running the code in the Python Expert Challenge 4 in OWASP Training: Access Control. When I first tried to test the code, the error I saw in Preview said that I needed to add 1120418.proxy-http.us.immersivelabs.com to ALLOWED_HOSTS. I've added that but it's now giving me the message below. Could you tell me what I need to do to get the Preview working, please ?Thanks Dave ImproperlyConfigured at / The included URLconf '<module 'apps.siteadmin.urls' from '/app/rentaride/apps/siteadmin/urls.py'>' does not appear to have any patterns in it. If you see the 'urlpatterns' variable with valid patterns in the file then the issue is probably caused by a circular import.
DaveH
12 days ago Place Help
16Views
0likes
1Comment
Cyber Kill Chain: Reconnaissance
I'm stucked at question 7 (At what time did the attacker first start conducting their reconnaissance efforts? (Provide your answer in the format H:MM:SS or HH:MM:SS). The answer I get is 21:37:36 as shown in screenshot, but it's saying its wrong. PLEASE HELP
mathias
14 days ago Place Help
85Views
0likes
2Comments
TLS Fundamentals: Ep.8 – Final Challenge
TLS Fundamentals: Ep.8 – Final Challenge the 15th question Connect to the localhost using the answer from the previous task as the port. What is the six character token value embedded in the ticket name? The hint is : Hint Look at the session ticket data. The token is a random six character string that is prefixed with "TOKEN=". the answer from the previous task as the port is 64321, but no token with prefix "TOKEN=" I doubt there is no correct answer, looking forward your feedback. iml-user@secure-ops-wireshark-with-nginx:~$ openssl s_client -connect localhost:64321 CONNECTED(00000003) Can't use SSL_get_servername depth=2 O = TLS Fundamentals, CN = TLS Fundamentals Root CA verify error:num=19:self-signed certificate in certificate chain verify return:1 depth=2 O = TLS Fundamentals, CN = TLS Fundamentals Root CA verify return:1 depth=1 O = TLS Fundamentals, CN = TLS Fundamentals Intermediate CA verify return:1 depth=0 CN = admin.immersive.local verify return:1 --- Certificate chain 0 s:CN = admin.immersive.local i:O = TLS Fundamentals, CN = TLS Fundamentals Intermediate CA a:PKEY: rsaEncryption, 2048 (bit); sigalg: ecdsa-with-SHA256 v:NotBefore: Dec 5 12:16:11 2025 GMT; NotAfter: Dec 6 12:16:11 2025 GMT 1 s:O = TLS Fundamentals, CN = TLS Fundamentals Intermediate CA i:O = TLS Fundamentals, CN = TLS Fundamentals Root CA a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256 v:NotBefore: Dec 5 12:16:10 2025 GMT; NotAfter: Dec 3 12:16:10 2035 GMT 2 s:O = TLS Fundamentals, CN = TLS Fundamentals Root CA i:O = TLS Fundamentals, CN = TLS Fundamentals Root CA a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256 v:NotBefore: Dec 5 12:16:09 2025 GMT; NotAfter: Dec 3 12:16:09 2035 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIICwzCCAmqgAwIBAgIQMMvZLi8quT3QmIsn4NgfcDAKBggqhkjOPQQDAjBGMRkw FwYDVQQKExBUTFMgRnVuZGFtZW50YWxzMSkwJwYDVQQDEyBUTFMgRnVuZGFtZW50 YWxzIEludGVybWVkaWF0ZSBDQTAeFw0yNTEyMDUxMjE2MTFaFw0yNTEyMDYxMjE2 MTFaMCAxHjAcBgNVBAMTFWFkbWluLmltbWVyc2l2ZS5sb2NhbDCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBANZ3bl6LliwxKY10jKAMcpBEb/GqrQJugR3+ sUD7JarTRNYKPG3rGuDbDabVytl8Oc8/VnTQuzulPyPeFSufsxki+3WgrFGBcK+5 mxoQrR7zAl0p4l+jzR6uSxnh5vSoMaPpnlIGqW6Ipw5SR5SGTyp4jSh/xwbxDY4U 8vKeIu1fvgAADRDrZ4XzUAlNGw6nTBdEj/TV03cbE7RDJwrsahi/w9pDi3vkeQCW ftD/ZMV7vLFrl5MkeFmKV2guI8+HBUXRt9fx6ilu5016Atzl5VMGDOOkufXNnZGq Sh3J2PCcR5uheFFllk9dkgwfqdNevqBgzL5VZUyxKzbv3tY/86ECAwEAAaOBlDCB kTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC MB0GA1UdDgQWBBRhm48B5yPrTvgjlo5f5bJPihOJ4TAfBgNVHSMEGDAWgBTVISkB T81TtwfzgFQI18fLxUMLIDAgBgNVHREEGTAXghVhZG1pbi5pbW1lcnNpdmUubG9j YWwwCgYIKoZIzj0EAwIDRwAwRAIgOf6y/oGxlmuKuLrGMzIjq+y2OgqVXThzXr2d x/CHgMICIFJhSxJSPeSIyobZKC0QmB+057ns1NI27oOMuR1fjax7 -----END CERTIFICATE----- subject=CN = admin.immersive.local issuer=O = TLS Fundamentals, CN = TLS Fundamentals Intermediate CA --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2219 bytes and written 373 bytes Verification error: self-signed certificate in certificate chain --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self-signed certificate in certificate chain) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: DF37EF25B8F57F8A61A64BE228EC58AC2B113B991479961CBDAFC029B9482892 Session-ID-ctx: Resumption PSK: E230CD3D18A2BB48A51A7C04EE16FDAF79EFBEEA3D8605B70FFC0DEB68098CF355060AF8DF360EACFBC480C5B3AFE462 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 4a ac bb b1 83 bd fc b7-ed 94 ea db b1 10 60 48 J.............`H 0010 - 82 38 28 98 95 e3 7b 18-6f e7 0c c8 54 ef 3d 1f .8(...{.o...T.=. 0020 - b9 2c aa b2 b2 57 d8 5e-4e aa e9 75 c0 68 7c ce .,...W.^N..u.h|. 0030 - 00 c6 85 ae 2c 96 26 44-54 88 a1 d1 b0 58 a9 d3 ....,.&DT....X.. 0040 - 88 1c 2a d8 85 a3 f1 a2-09 a8 33 9e 1f b1 db af ..*.......3..... 0050 - 84 f9 92 b3 78 2c 17 7e-11 87 12 1c 49 81 e1 2d ....x,.~....I..- 0060 - 08 79 00 e8 9d bf 7e fb-10 41 ec 93 c1 5e 30 a4 .y....~..A...^0. 0070 - 61 92 2a 79 a2 09 2d 66-97 f8 d9 fa bb b3 c8 a2 a.*y..-f........ 0080 - d3 e3 ab bd 45 36 68 00-11 98 0e 68 ea 1e 52 ee ....E6h....h..R. 0090 - 08 7b 2b aa 80 42 31 b0-ec 9b 51 ae b1 ca cf ee .{+..B1...Q..... 00a0 - d8 bd c5 31 dd b9 22 c3-8a 0b 76 c3 a6 ca 50 e2 ...1.."...v...P. 00b0 - 2a 85 f8 9e 68 0b 13 cb-bf 92 c7 0e 4f ad 49 ab *...h.......O.I. 00c0 - c5 57 20 55 c5 47 6a b1-34 f1 1d 19 c3 5f 6f dd .W U.Gj.4...._o. 00d0 - c8 38 01 7c 62 11 74 ef-f1 17 15 6d a7 7a 7c d5 .8.|b.t....m.z|. Start Time: 1764942947 Timeout : 7200 (sec) Verify return code: 19 (self-signed certificate in certificate chain) Extended master secret: no Max Early Data: 0 --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 6D76BD7F89AB457ACE03494B528103EF5A71D03E1434867610C4751172D68E4A Session-ID-ctx: Resumption PSK: 0CDCF4F49EB91C1A74B76442B31D70C8976BD6EA6ECD52B47BC84A10EE151BD8EFA32134A678784FB138B0AAB2F4DB21 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 4a ac bb b1 83 bd fc b7-ed 94 ea db b1 10 60 48 J.............`H 0010 - c6 a4 ef 5d c9 62 7a 08-15 66 b9 8c 24 1e f3 17 ...].bz..f..$... 0020 - b1 1f 84 10 60 b0 fb c7-2b 03 1d 79 2e 97 ca 52 ....`...+..y...R 0030 - 14 5c d8 aa 8b 3a ae 37-93 c0 73 dd c5 b7 7f f0 .\...:.7..s..... 0040 - 2a 1f 6a 14 25 8b d3 ed-3c 60 33 fb 11 64 05 26 *.j.%...<`3..d.& 0050 - b3 9f 9c 8f 64 23 ca b5-5a 13 c5 d2 22 5f 92 b6 ....d#..Z..."_.. 0060 - fd 40 9e b4 f0 5e 42 40-79 d5 18 c6 ba 6a 0e fe .@...^B@y....j.. 0070 - 7b 38 c5 9b 87 e9 b1 1b-e8 5d 98 7c a4 51 a6 9c {8.......].|.Q.. 0080 - d5 4a 75 40 22 b6 62 4f-00 b2 54 30 a1 3f 8d b8 .Ju@".bO..T0.?.. 0090 - 07 c2 6b 67 64 d2 c3 2d-e1 d1 ae 70 e3 0d 2b 54 ..kgd..-...p..+T 00a0 - f2 5f 4c 96 25 2c 77 43-1d a4 e8 67 0b 1e d0 10 ._L.%,wC...g.... 00b0 - 9f 40 cb 85 52 01 47 9d-07 0d c7 3c 7d 13 64 2f .@..R.G....<}.d/ 00c0 - ee 13 36 6e 7c 0b d7 16-d0 e6 94 ef f8 99 9e 16 ..6n|........... 00d0 - 95 c3 21 8a 3c af f4 4b-09 2d 14 a0 3d 22 58 db ..!.<..K.-..="X. Start Time: 1764942947 Timeout : 7200 (sec) Verify return code: 19 (self-signed certificate in certificate chain) Extended master secret: no Max Early Data: 0 --- read R BLOCK
shuqfan
15 days ago Place Help
61Views
0likes
1Comment
IoT & Embedded Devices: Certificate Underpinning
I am also stuck on Step 5 and having trouble with the trigger. I have self-signed certs, an HTTP server listening on 443 (bound to 0.0.0.0) as well as a sniffer for anything coming from the target. I have tried to trigger the target to connect using: for i in {1..5}; do echo '{"Update":"1","ClientId":"AXG1337VFXL","Server Ip":"<KALI_IP>"}' | nc -u <TARGET_IP> 8080; sleep 2; done Can anyone point me in the right direction?
struc
19 days ago Place Help
47Views
0likes
3Comments
Trick or Treat on Specter Street: Widow's Web
I am very stucked in Trick or Treat on Specter Street: Widow's Web I can't do none of the questions, but in any case I start by 4th that is the first answerable one Your first task is to simulate the loyal Crawlers. Run legitimate-crawler and inspect the output in Lab-Files to observe their behavior. To simulate the rogue Crawlers, you must discover the hidden paths on the website. Read the blog posts – they contain clues. Disallow these in Website-Files/robots.txt and run malicious-crawler. Inspect the output in Lab-Files. What is the token? I have created the robots.txt file since I understand that malicious-crawler goes expressedly there. My robots.txt contains all url's I can imagin Disallow: /secret Disallow: /treat Disallow: /hidden Disallow: /crypt Disallow: /warden Disallow: /rituals Disallow: /witch-secrets Disallow: /admin Disallow: /vault Disallow: /uncover Disallow: /post1 Disallow: /post2 Disallow: /post3 Disallow: /post4 Disallow: /contact Disallow: /drafts/rituals But the result of malicious-crawler.txt doesn't give me either a token nor a hint I have curl-ed all pages looking for words as token and nothing. I have found some key words in http://127.0.0.1:3000/witch-secrets as intercepted-incantations, decoded them and nothing. I have searched in spider-sigthings.log what hapened at 3.00 am but nothing Can someone gime me a hint?
jcberlan
22 days ago Place Help
262Views
0likes
7Comments
PowerShell Deobfuscation: Ep.10
I’ve been struggling with this script and I reached the point of VyN and key, but when I try to run it, I get an error as if the VyN function was not defined. But I don’t know how to define it Can anyone guide me on how to skip over this or how to solve this in CyberChef ?
Solved
domel44
25 days ago Place Help
36Views
0likes
1Comment
Trick or Treat on Specter Street: Morphy's Mansion Challenge
I understand that the move_logger is the vulnerable program, and tried a few methods to exploit it. However, where is the token.txt? Anyone managed to find it? "Whatever means necessary" is quite broad. Any hints from anyone?
Solved
PRABAKARANRAMAMURTHY
27 days ago Place Help
50Views
0likes
1Comment
Credential Access: Password Hashing Algorithms
Hi, I'm stuck on Question 10 for this lab: Using the HashID tool, what is the hashing algorithm for the hash $racf$*IMMERSIVE*5AA70358A9C369E0? HashID returns 'unknown hash' and the best I can find by cracking it in other tools is 'Half MD5' which is coming up as incorrect. Am I missing something for this one please? Thank you :)
Solved
Amie
29 days ago Place Help
56Views
0likes
2Comments