John Hammond cracks John user's password with John the Ripper
While sitting on the John eating Johnny cakes
Sounds like he forgot his Gmail password and is trying to hack in lol
Plot twist: John Hammond secretly developed John the ripper solely for cracking into the John user
John inception
@@atanki5682
johnception
He also does singing, I love his song Perfect
Quickly growing addicted to this channel because the unscripted "fumbling" is exactly what a normal dev would have to do to fix their own little mistakes. And it's those tiny, "What did I forget?" Details that novices are going to be tripping over constantly.
The fun part is watching your thought process unfold while you perform these tasks and help introduce us to various helpful tools and commands that we may use in our own explorations.
Of the six thousand languages on earth, you chose to speak Facts
need more of this fumbling.......fumbling makes it incredibly interesting
totally agree. it's the fumbly bits that I enjoy. mistakes are where the learning is at.
Yes! The fumbling makes it real life and shows how easy mistakes are. It's like bloopers, love it.
You can disable bash expansion with cat by adding single quotes around the first EOF rather than going through and escaping everything. i.e. cat
Ooooh, that's a good call! That would do the trick too. Thanks!
@U X I hope to god that my website doesn't do that
I got some servers open to the web, and I know a friend of mine is really paranoid about leaving open ports and what not.
But the more I learn about different ways people exploit and the more I get into the security aspect, the more I get confident about my practice.
Though one thing I learned from this is the cron job part.
I got two cron jobs that could give a hint as to what's going on in the network, so I might need to check if there's something that a non-root user might be able to see.
*edit: looking at my crontab, nothing seems visible unless you're root :D
I'm really relying on not having any major security issues based on the fundamental programs, rather than trying to implement too much on either security through obscurity, or sticking my head in the sand and hoping nobody notices me.
@@svampebob007 I've thought about setting up my own home-server with the same approach: keep things simple. Security by utilizing only the most simple, secure methods. nothing more or less.
@@cdellio just chipping in to point out that hosting on a free low resource cloud alternative would be much more recommended.
That troubleshooting was the most interesting I've seen! Here's a *boop* from me
Thanks for the boop! xD
Thanks, it is fun watching you doing all these cool stuff, plz keep the good work coming
I don't know how to do a quarter of what you did in this video but I'm comforted by the fact that you run into the same hiccups as me. Like oh yeah there's dollar signs, or oh duh forgot a slash.
That's just the Linux (and friends) experience in general
These videos are worth like 100 tutorials I'm not kidding. The thinking process, seeing concepts that one may need to learn, explaining what you're thinking, and just seeing this type of thing in action. Soo helpful
Privilege escalation has always been a big sore spot for me.
Lots of Johns in this one haha
Absolutely agreed that it is helpful to see you run into the stumbling blocks. There's nothing worse than following a tutorial for the first time and smashing headlong into some syntax error or in this case escaped special characters. Thanks for sharing.
Hi John, great vid as always!!
How about doing a blind room say once a month, but do it live. I'm sure a lot of people would enjoy that. I know I would.
Keep up the good work!
good idea!
I love the fact that John checks out funny/unrelated image/video files. 👍
You and ippsec are very good learning resources. Thank you for taking your time to post these videos.
Great video. Was waiting for the writeups as I couldn't escalate for the life of me!! Learn something new every time!!
watching you move through this so quickly n seamlessly just amazes me lol
Great work sir...Thank you so much for making videos.
Your videos are awesome John!
Hey John, loving your content. I really enjoy how you explain and try different methods to gain privilege access, like changing the etc/passwd through the share drive in your container. Even if you struggle a little bit doing that, it really helps us understand the process and iteration you/we can go through while doing that. Keep up the good work!
Keep it up man, you are doing great work educating those new to the domain in a more fun and friendly way, which makes learning easy... massive big thanks to you J.Hammond
Legend.
Thanks for a great vid 👍
As a fellow John, I can say this is a good video
Not sure if I should get depressed or motivated seeing how awesome John is at this thing. Definitely impressed though.
Love seeing the TryHackMe vids 👾
and watching the reworks when things go wrong 😂 #real-life
On the topic of fumbling and figuring out what you've done wrong....this is the stuff that courses don't show you. In some ways, that problem solving is some of the most important parts of the video. Any idiot can make a "perfect" video. Only someone who knows what they're doing can make a "less than perfect video" and fix problems encountered during it - adding to the value and standing out as more than just a walkthrough. Great job.
Thanks John ! Always fun and interesting !
Another good video. You rock john.
That was actually fun to watch. Quite educative for learning ❤️😂
Thank you John for going the extra mile to show teach us !!
Just did this box yesterday, John, you're amazing <3
Great video John. I learned some new things which were not so obvious to me previously. By the way, LXC/LXD and Docker stuff run most of the time as daemons - which means once you are in the group with regular user you are free to escalate privileges. This is a known flaw - at least in Docker world. Nowadays Docker could be run in rootless mode to avoid such situations. RHEL is doing the same with Podman if I am not wrong.
I subscribed just because you had the problem with root password and nailed it.
No matter who else does the show, we always love to see John Hammond doing these tutorials.
It's totally fun! Thank you bro!
John JOnhned, nice video. For me your videos are always a one-way stop for relaxing. Amazing John, the world needs great people like you to share knowledge. Lots of respect man !!!!!!!!
Woah Great video! This looks like fun.
Quick note, no need to put slashes before dollar signs, you could just quote the 'EOF' (then bash interprets the text inside as pure string, not evaluating vars:D)
Great video, keep it up!
The proxy video would be interesting yeah, thanks man ^^
Nice channel .. sometimes he complicates things .. but it's very nice explained.
Hey John I am interested in the socks proxy video ;)
Yes i was just going to post that
Me too plz
I love this format. It's fast and straightforward. No "uhhms" or "eehhms" while over-explaining.
Other people stop at every single step. "then i paste this text into here.... I will use CTRL... SHIFT... V... Then we ehhh need to eeeh saaaaaaaaave with ctrl + Oooooo.. No wait my bad, this is vim... So wee go and press esc, just to be suuuuure.. eeh... btw i prefer vim because jada jada jada."
I spent too much time on this comment already but I have been bugged by how slow people tend to be...
Great work John.! 😇 learning Alot of stuff as a newbie through your way of approach.! You show us on how to think and compromise a machine.! 🙏
I loved the vid John, I was thinking that perhaps for changing the user's password you could've chrooted into the root mount, anyways the vid was hella fun :)
these videos rock! keep it up man ;D
Bro your content is da best
great video john..keep up the good work 💥💥
John the legend! Keep going man... I'm learning a lot of stuff from you as I'm sure everyone else does. You are truly helping and inspiring. Thank you.
I’ve learned more from John Hammond than I think 12 years of schooling
Fantastic explanation.
You can just cat > file, paste, then ctrl+d (which sends an EOF). You will then write exactly what you pasted. The heredoc, as you say, is interpreted by bash, whereas if you effectively < stdin, which is what cat does, cat is reading, not bash. Also check out alt-.
Yes do the socket video!
Keep up the videos! Love them
A socks proxy video would be fun to watch IMO, I was just lazy and scp'd it over to the box from my attacker platform
Just quote the EOF like cat
Ooooh, that's a good call! That would do the trick too. Thanks!
I had a script that busted my balls over this!
I'll try to keep it in mind next time I create a clusterfuc.. a script :)
Another solution that IMO is simpler:
cat > /mnt/root/etc/passwd
Paste and then hit
Best troll in each TryHackMe video are those README files :D
When you can ssh into the box why don’t you just scp Linpeas and the container image?
my thoughts
Plain http might be faster? It's a bit more user friendly as you don't need to authenticate, then again with an ssh key it shouldn't be an issue. However the key is pass protected so unless the password is stored in a keyring you would have to bother to type the password.
It all comes down to personal preference.
@@Sfhgscvg you could also change the password of that key since you now know the ssh passkey:
-------------------------------------------
ssh-keygen -p -f sshkeyfile
-------------------------------------------
it will ask for the current password, then you can just leave it blank.
if you have to connect a lot of times with ssh, you could add something to the .ssh/config:
-------------------------------------------
Host client client.example.com
    HostName client.example.com
    # private key for client (like "sshkeyfile" in my previous example)
    IdentityFile ~/.ssh/client_rsa
    User remoteusername

Host otherclient other.example.org
    HostName other.example.org
    # different private key for other client
    IdentityFile ~/.ssh/otherclient_rsa
    User otherremoteusername
-------------------------------------------
then you can just use
ssh otherclient
or
scp files client:~/
really useful if you don't want to always have to add the -i option, or if you want to set a custom name for that connection and have it separated with multiple id files.
on another note you could also add it as an alias in the .bash, but that's up to you, the point is that you can simply remove the passkey once you know the passkey and then use it as a regular key without password.
Nice video, cool LXD PE, personally I would have modified the /root/.ssh/authorized_keys and I would have sshed as root without needing any pwd. Then you can change it easily with passwd. :)
Love the content!
It's cool. That's master level. There are many ways to go to Rome.
+1 subscriber.
I've definitely done that SOCKS proxy trick while at a former job. Had to install our software on a machine in the UAE without the box having any internet access. Worked a treat. Just remember you also have to tunnel over dns as well or you are gonna have a bad time.
whew i can't believe you just saw my writeup xD at 33:09
Without the video, John, I would only have known how to obtain the root flag, Thanks a lot.
Why does changing etc/passwd in the container change etc/passwd in the host file system? Shouldn't the container be separate and not influence the host?
You can mount directories from the host inside the container. This is done for example to have persistent data since the container isn't. Since / is a directory and the container is run with root privileges (privileged container) / can be mounted in the container. Same thing also applies to docker. The documentation warns you or it should at least.
@@Sfhgscvg so if I mount a directory from the host to a privileged container and write to that directory, the changes are also being done in the host?
@@SpiderPigXL yeah, try it out, it's fun to play with and fairly simple to try.
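The thread above, together with the earlier comment that lxd/docker group membership is root-equivalent because the daemon runs as root, describes exactly the two conditions the LXD escalation needs: a user in the daemon's group, and a container that binds the host's `/` as a disk device. The script below is an added example, not from the video or any commenter, with two defender-side checks for those conditions. Both functions read from a file, so they can be pointed at `/etc/group` and at a saved `lxc config show <name>` dump on a real host; the YAML layout is an assumption about that command's output, and the group file and container config used here are constructed samples.

```shell
#!/bin/sh
# Added example (not from the video or any commenter): two defender-side checks
# for the conditions the LXD privesc depends on. Both read from files so they
# run against the constructed samples below or against real host data.

# Check 1: which accounts are in groups that control a container daemon.
# Membership in "lxd" or "docker" is root-equivalent on the host.
# $1: path to a file in /etc/group format   $2: space-separated group names
daemon_group_members() {
    awk -F: -v wanted="$2" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (j = 1; j <= m; j++) print $1 ":" members[j]
        }' "$1"
}

# Check 2: which devices in a container config bind the host root directory
# into the container. Assumes the YAML layout of `lxc config show <name>`
# (two-space indented device names under "devices:"); the sample is constructed.
# $1: path to the YAML dump
host_root_disk_devices() {
    awk '
        /^devices:/            { in_dev = 1; next }
        in_dev && /^[^ ]/      { in_dev = 0 }
        in_dev && /^  [^ ]/    { dev = $1; sub(":$", "", dev) }
        in_dev && $1 == "source:" && $2 == "/" { print dev }
    ' "$1"
}

TMP="${TMPDIR:-/tmp}/lxd-audit.$$"
mkdir -p "$TMP"

# Constructed /etc/group sample: alice and bob can drive docker, carol can drive lxd.
cat > "$TMP/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
lxd:x:130:carol
users:x:100:alice,bob,carol
EOF

# Constructed container config: "root" is the container's own rootfs (harmless),
# "hostroot" binds the host's / at /mnt/root, which is the dangerous device.
cat > "$TMP/privesc.yaml" <<'EOF'
name: privesc
config:
  security.privileged: "true"
devices:
  hostroot:
    path: /mnt/root
    source: /
    type: disk
  root:
    path: /
    pool: default
    type: disk
EOF

echo "daemon group members:";   daemon_group_members "$TMP/group" "lxd docker"
echo "devices mounting host /:"; host_root_disk_devices "$TMP/privesc.yaml"
```

The first check is the one worth running on any multi-user host: every account it prints has the same practical power as root, so treat those group memberships like sudo grants. The second check only flags devices whose `source` is exactly `/`; a bind of `/etc` or `/root` is just as bad and would need the pattern widened.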
John cracks John's password with john
I would like to see it using via socks proxy for learning experience so why not! Since it's a good idea and that's why I subscribed your channel so I understand more about proxychains.
My favourite way to get stuff into a file is cat > file. It never goes wrong. Ctrl+C to finish
Let’s go with the funneling internet to the box idea, it would be very interesting 🧐
Easier than changing the root password. Enable passwordless sudo for the user since they are already a member of that group. Changing passwords is a good way to be discovered.
I wanted you to do this one... This CTF was awesome for me to complete
at 25:07 why not chroot to /mnt/root and run passwd as root?
32:00 The Hollywood hacker when he disables the security nanoseconds before timer runs out
Movies and games are not even comparable with watching these videos..... wow, I'm in the IT field since 2004, but the learning process never stops....
20:14 cachemanifest for iptables?
I did it by writing my own script LMAO 😂, I remembered you when I saw John on src 😆😆
Pls continue making such kind of videos 💯💯❤️❤️
thats some PogU content mate!
Can you do year of the rabbit CTF
season/year is a common result from making users change their password every x months,
forcing users to come up with a unique password every couple of months is a bad practice and doesn't make anything more secure (unless you have a data breach every couple months spilling all passwords used, but at that point you have bigger issues)
Amazing you have great job sir😉👍🏻👍🏻🙏🙏
I keep finding on other machines that I have lxd, but when I reach the init part it says there's no storage pool. Does this mean that the machine isn't vulnerable?
Is there a reason you didn't use SCP to transfer the alpine container to the attacker machine? I assume something to do with logging and leaving fingerprints, but I feel running wget would leave the same type of fingerprint, but maybe I'm missing something. I'm just a software dev interested in this kind of stuff. Keep up the great content!
I understand 0.001%of this but I keep watching.... you type the words you get the stuff hahaha
john , please do show how to do that proxy thing , its becoming a huge hurdle to my CTFs ,thank you in advance
nc -nvlp 1234 > linpeas.sh --> after this command on the attacker machine, the linpeas.sh file is empty. Though the transfer takes place, the file remains empty on both ends. It's the same for every type of file. Any help?
Hey John, have you tried 'naabu'? It's also a port scanner, written in Go, and they claim it's fast. I haven't tried it... Do you prefer rustscan over naabu?
I have not tried naabu admittedly! I will have to give it a try. So far rustscan has been working great for me. Thanks for watching!
John Hammond thanks for your great videos too :) please inform me if you try naabu as well! Have fun ^^
For the upload_file_nc why is he using a different port each time we downloads it?
Yo my man, why do you use guake for sending the linpeas? Why can't you just split your terminator screen and do it in that pane? You know what would be good - doing a video on your workflow. How you set everything up, your terminator shortcuts, the way you use guake, little scripts you use to make things easier.
watch this for the answer - th-cam.com/video/f2aSXGbD0NE/w-d-xo.html
Why use netcat for transferring a file instead of scp?
You have a very interesting Channel 🔥🔥
you are great man
Just curious why not chroot /mnt/root and do stuff there :)
Is lxd still this vulnerable? I figured a basic chroot exploit on a privileged container would be mitigated by this point
@16:55 ... apt -y install shellcheck
Hello John. I have a pretty dumb question, but... why do you prefer Sublime over editors such as vim or emacs? I'm personally a vim guy... but I'd like to know your points on Sublime and/or against vim (you seem to choose nano when exploiting machines, and I don't think that is because you don't know how to exit vim :p)
Hey there, not a dumb question at all :) I just tend to use it out of habit, that's what I like to use. I don't have all the Vim keybindings memorized, and I like the magic tricks I can do with Sublime Text for multiple line cursors and find and replace without typing out the full s///g regex etc. I've tried Vim more than a few times, but always end up just going back to Sublime, I guess ahaha. Totally whatever the user likes to use, I'd say :)
Hey, when I leave the container and try to come back to it I get this: Error: Container 'privesc' already exists
what this means please ? ^^
sir, which linux distro do you use?
Plzzz make that video about setting up a socks proxy for internet access
How do you guys learn that shit lol, where can I find 'hacking' sources / lessons?
What does > dev/shm/ mean
Assuming you’re talking about the upload_file_nc.sh script, /dev/shm is where whatever file you upload lands.
@@highvisibilityraincoat it's for /dev/SHaredMemory, it's basically a /tmp that only saves in RAM
@@Xbotto add for @navneet Anand so when the machine reboots your files, or in this case traces, are gone :) (correct me if I'm wrong.. I'm also still learning ;))
I'm curious as to why, upon having ssh access, you wouldn't just scp files over to the victim machine?
that's what I was thinking!
When you get a sh in the container you can just chmod +x /mnt/root/bin/bash and then out of the container bash -p