The gobuster syntax has changed...gets me every time
try feroxbuster, it is better
Wow 17:30 - 18:05.
I never knew you could set stty (to get tab complete, also support watch) + setting the terminal env var (to clear, backspace, and use up history commands). This is great. I have been using rlwrap for a while, which is a quick way to be able to do everything that your use of stty does, BUT I could never tab complete. This rules!
BTW I tested to see if rlwrap would work with stty, it does not. Your tmux window will go on the fritz. You must perform a plain ol' nc -nlvp, without rlwrap, to utilize stty properly. Also note, if you do use stty with tmux, your pane size matters. Try not to adjust the size too much. Lastly, to actually exit the nc session with stty enabled I had to reset my tmux pane. Just some caveats I wanted to share.
Thanks for sharing this! :D
Does the OSCP exam have boxes like this? :O Like the priv esc part?!
I too would like to know.
Absolutely stellar explanation!
Thanks Ippsec, great video. Fantastic box and I learned so much.
Ipp! Thank you for the videos, they are a great help and motivation while working on my OSCP.
I have a question as unfortunately I have no connections in the field. How different is your methodology and approach while on an actual pen test?
They are pretty different. If you want to see what a traditional pentest is like check out Rastalabs or Offshore. A lot less bug hunting and a lot more lateral movement and hunting for interesting things.
The easiest way I can explain it is imagine you’re on a sports team. Your practice isn’t just grinding out games. It’s a bunch of small drills to focus on specific mechanics that help improve your overall skill. These machines are drills.
Not direct 1:1, but when hiring I'd prefer a junior that does CTFs over a senior pentester that does not. Primarily because I enjoy working with people who enjoy solving puzzles and aren't in it for the money. Not saying people who don't do CTFs are in it for the money, just a probability thing.
Doing this box right now. Very thankful to you.
If you're struggling to get WPScan to show the plugins, I believe it's due to the WPScan changes here: blog.wpscan.org/wpscan/deprecation/2019/11/25/old-wpscan-deprecation.html. I updated my WPScan (gem install wpscan) to 3.7.7, signed up for an API key and ran the command: wpscan --url 10.10.10.88/webservices/wp -e p --api-token --plugins-detection aggressive. I'm not sure if the update was required (or maybe just the plugin-detection setting) but this worked for me.
This is nice, but for the OSCP can we use wpscan and priv esc? I know not everyone watching is doing OSCP but I just had that question.
Hey ippsec, can you please do some video on the most common privesc methods and using Burp Suite to do blind SQL injection (no automated scanner)?
13:23, you can see there is a readme file location just above the highlighted line, which says that the version was changed from 1.5.3 to 2.3.10 to trick wpscan, and that's what gives away the actual version of this plugin.
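The readme trick in the comment above, as an added example that is not from the video or the thread: a WordPress plugin readme.txt advertises a version in its "Stable tag" header, while the changelog section lists the versions that actually shipped. The parser below pulls both and flags a disagreement; the readme text and plugin name are constructed for the demo, not the real plugin's readme.

```python
import re

# Constructed sample readme.txt: the header claims 2.3.10 while the changelog
# never goes past 1.5.3 (the plugin name and text are made up for this demo).
SAMPLE_README = """=== Example Plugin ===
Contributors: someone
Stable tag: 2.3.10
Tested up to: 4.9

== Description ==
Does things.

== Changelog ==

= 1.5.3 =
* Version bumped in the header to confuse scanners

= 1.5.2 =
* Bug fixes
"""

STABLE_RE = re.compile(r"^Stable tag:\s*(\S+)\s*$", re.MULTILINE | re.IGNORECASE)
# Changelog entries look like '= 1.5.3 =' on a line of their own
ENTRY_RE = re.compile(r"^\s*=\s*(\d+(?:\.\d+)*)\s*=\s*$", re.MULTILINE)


def parse_version(v):
    """Return a comparable tuple, or None for non-numeric tags such as 'trunk'."""
    try:
        return tuple(int(p) for p in v.split("."))
    except ValueError:
        return None


def stable_tag(readme):
    m = STABLE_RE.search(readme)
    return m.group(1) if m else None


def changelog_versions(readme):
    # Only scan the changelog section so '= x =' headers elsewhere are ignored
    parts = readme.split("== Changelog ==", 1)
    return ENTRY_RE.findall(parts[1]) if len(parts) == 2 else []


def readme_version_report(readme):
    tag = stable_tag(readme)
    versions = changelog_versions(readme)
    newest = max(versions, key=parse_version) if versions else None
    t = parse_version(tag) if tag else None
    n = parse_version(newest) if newest else None
    return {"stable_tag": tag, "changelog_newest": newest,
            "mismatch": t is not None and n is not None and t != n}
```

A mismatch is a hint to look past the scanner's reported version, whether you are auditing your own site's plugins or checking a finding.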
I love this box and your content, continue :-)
One of my favorite boxes
Awesome video as always
At 16:22, how did you partition your terminal into 3 segments? I use the terminal daily and have always wanted to do it that way.
Look at my tmux video
@@ippsec thank you for prompt reply.
Liked & subscribed. Great content 👌🏼
I've used tail to check logs and Burp to check HTTP headers, and the payload looks ok, but I keep on connecting to myself when I invoke "wp-load.php"
Got the box by unintended priv esc! Was waiting for the proper priv esc. Now I can sleep in peace :p
The new wpscan does not scan for the plugins, is it strange that after an update tools get worse?
change the scan mode: --plugins-detection aggressive or mixed
Check the man page if you don’t know how to use the command.
I have updated my "wp-load.php" host and port accordingly but for some reason I keep on connecting to myself :(
I was waiting for this for a long time. Had user, but couldn't get root. Wasn't able to exploit it in that 30 sec window.
Great video! I was stuck at the last part and trying to figure out what I could do with the diff command. Thank you IppSec.
Can someone suggest any videos or books to learn priv esc?
www.trustwave.com/Resources/SpiderLabs-Blog/My-5-Top-Ways-to-Escalate-Privileges/
After debugging my script for a while I noticed that the PHP got executed on my machine, which used Python SimpleHTTP
I will check my apache logs to see if the script gets executed on the victim machine :(
This box was literally hell I wanted to die the whole time I was doing it
Being all over the place is fine, right? I mean, that's how it is in the real world, correct?
I used a Path Traversal Vulnerability to upload a PHP Reverse Shell to the parent directory of Monstra using the file uploader. I didn't even look at the WordPress because I thought it was a rabbit hole ;)
I would like to know how you did it. Since there wasn't any write permission for the apache user in the web root directory, how did you upload the file? The WP plugin RFI vulnerability also didn't upload the file itself but executed code remotely.
@@NomanRiffat Same, I also tried path traversal to wp-content (hoping it would be writable) but since there were no write permissions for www-data I couldn't do it.
There is a file uploader in Monstra. You could set the upload path in the GET parameter to the parent directory. To do this you had to bypass the insufficient security mechanism that should've prevented that. Here's my advisory on this: www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-027_monstra_cms.txt
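The upload-path problem described in the comment above, as an added example that is not Monstra's code or the advisory's: an upload handler takes the destination directory from a request parameter, and the weak filter is an illustrative one I constructed (strip `../` once), not the mechanism Monstra actually had. The hardened version resolves the full path and requires it to stay inside the upload root, and also enforces an extension allowlist; `UPLOAD_ROOT` and `ALLOWED_EXT` are demo values.

```python
import os
import tempfile

# Constructed demo root; a real CMS would use its configured uploads directory.
UPLOAD_ROOT = os.path.join(tempfile.gettempdir(), "cms_demo", "public", "uploads")
ALLOWED_EXT = {".png", ".jpg", ".gif", ".txt"}


def weak_target(path_param, filename):
    """Weak filter (illustrative, not Monstra's code): strips '../' once and
    trusts the result. '....//' collapses to '../' after the strip, so the
    destination can still land in the parent of the upload root."""
    cleaned = path_param.replace("../", "")
    return os.path.normpath(os.path.join(UPLOAD_ROOT, cleaned, filename))


def safe_target(path_param, filename):
    """Hardened version: validate the bare filename and its extension, resolve
    the full path, then require it to stay inside the upload root."""
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("filename must be a bare name")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    root = os.path.realpath(UPLOAD_ROOT)
    # join() discards root if path_param is absolute; the containment check
    # below catches that case as well as any '..' component.
    target = os.path.realpath(os.path.join(root, path_param, filename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("destination escapes the upload root")
    return target


def escapes_root(target):
    """True if a computed destination lies outside the upload root."""
    root = os.path.realpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.realpath(target)]) != root


def is_rejected(path_param, filename):
    """True if safe_target() refuses this upload request."""
    try:
        safe_target(path_param, filename)
        return False
    except ValueError:
        return True
```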
I thought of doing that, but didn't know which dir to write to; after seeing your comment I dug it up again, pretty nice way to get a shell 👍
Hi there. Can you tell me how you managed to use Google to find these particular vulnerabilities? I can't seem to find it, trying to sharpen my google-fu as well if you don't mind sharing!
I'm a big fan but the RFI was lame honestly!!
Monstra has an LFI that is lit and you just passed the git issues of bug report and didn't see the most important one that lets you go back to a writeable dir to upload the file with php7 extension.. that's how I did it!
Nice! Completely missed that, background recon finished too quickly and I stopped looking at it.
@@ippsec and I also missed the WordPress way because I found that way of monstra easier and faster but still is file inclusion either way 😅
Respect for you man I really like the way you do things.
👏👏
You copy the Pleasesubscribe file and make the tar.gz folder and copy it into the hash file which the script makes. But when the script performs an integrity check, won't that check fail? Since the victim machine's original /var/www/html folder won't have the PleaseSubscribe file? And when it fails the script deletes the files it created in the /var/tmp folder.