As someone just starting out this content is so pleasing to watch
People say they are beginners who just started, and they enjoy the video and learn from it.
But me, as I'm working with Linux in the shell, performing some pen tests etc., I learned quite a few things and tricks from the vid. Many obvious things, but
I enjoyed the vid even more.
You are a good person to learn from.
Dude, that tip about Firefox changing mtime, whereas wget will not....
Holy shit man, I learn so much stuff from each one of your videos it isn't even funny. Just WOW!
IppSec, you provide more information than any college textbook. Keep up the awesome work!
Awesome! Starting this as a hobby and it's really interesting to see different techniques in action. Keep them coming! Cheers
Thank you IppSec, I appreciate your videos and you have helped me a lot. I hope one day I'll be able to buy you a beer at one of the hacker cons to say thanks again.
Excellent content and descriptions for beginners! Thank you so much, this is pure gold..
The video details in the description are so helpful!! Thanks!
I was sorta sad that I'd lose my points for this box.
But then I rooted Postman and Craft today and now I’m not sad anymore. :D
Thanks IppSec.. This is my first comment on your YouTube channel..
I just wanna say, get well soon..
Hey IppSec! Could you clear this up for me, please?
I tried finding more about "netcat stops listening on the port once it gets a connection" at 31:05 because it does not fit into my understanding of how communication works.
My understanding is: the port is an endpoint of communication and ALL communication over the network needs to be through an actual port. But apparently I'm wrong. Could you point me to some resources that could help clear up my understanding? I can't find any.
I do a bit of electronics and any physical data stream actually has to go through a port. That's adding more conflict to my understanding of how we can open two connections using the same port.
Thanks for the videos!
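An added example (written for this page, not from the video or any commenter) that shows with Python sockets on loopback what "stops listening" means. A listening socket and a connected socket are two different kernel objects: plain `nc -l` accepts one client and then closes the listener, so a second client is refused, yet the first connection keeps using the same server port. Each TCP connection is identified by the (source IP, source port, destination IP, destination port) 4-tuple, which is why one server port can carry many simultaneous connections, as `nc -lk` does. The port numbers below are chosen by the kernel (bind to port 0), not the one used in the video.

```python
import socket


def accept_once_then_close(host="127.0.0.1"):
    """Emulates plain `nc -l <port>`: listen, accept ONE client, then stop listening.

    Returns a dict of observations so the behaviour can be checked programmatically.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))          # port 0: the kernel picks a free port for this demo
    listener.listen(5)
    port = listener.getsockname()[1]

    # First client connects. On loopback the kernel completes the three-way handshake
    # into the listen backlog even before accept() has been called.
    client1 = socket.create_connection((host, port), timeout=2)
    conn1, peer1 = listener.accept()

    # The "stops listening" step: the listening socket goes away, but the accepted
    # connection is its own socket and keeps working.
    listener.close()

    conn1.sendall(b"hi")
    first_ok = client1.recv(2) == b"hi"

    # A second client is now refused: nothing is listening on the port any more,
    # even though conn1 is still bound to that very same server port.
    try:
        socket.create_connection((host, port), timeout=2).close()
        second_refused = False
    except OSError:
        second_refused = True

    # The connected socket shares the server port with the old listener; the client
    # side uses a different, ephemeral port. That 4-tuple is what distinguishes
    # connections, not the server port alone.
    same_server_port = conn1.getsockname()[1] == port
    client_port_differs = peer1[1] != port

    conn1.close()
    client1.close()
    return {
        "first_ok": first_ok,
        "second_refused": second_refused,
        "same_server_port": same_server_port,
        "client_port_differs": client_port_differs,
    }


def accept_many(host="127.0.0.1", n=3):
    """Emulates `nc -lk`: keep the listener open and accept several clients on one port.

    Returns the client-side ports the server saw; they all differ, while the server
    port is the same for every connection.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    clients, conns, client_ports = [], [], []
    for _ in range(n):
        clients.append(socket.create_connection((host, port), timeout=2))
        conn, peer = listener.accept()
        conns.append(conn)
        client_ports.append(peer[1])
    for s in clients + conns:
        s.close()
    listener.close()
    return client_ports


if __name__ == "__main__":
    print(accept_once_then_close())
    print("client ports seen by one nc -lk style listener:", accept_many())
```

The electronics intuition is not wrong, it just stops one layer too early: the port number is part of the address on every packet, but the operating system demultiplexes arriving segments by the full 4-tuple, so "the port" is never a single wire that only one conversation can occupy.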
This is amazing and insightful content, thank you so much
This is what I was just waiting for.
And get well soon !
Small mistakes at 4:17 it's HTTP GET variable, not HTML, at 12:09 it was \x7F, not a dot, 26:24 if check is not equal to zero, then the condition is false and the function returns
In what way is this box related to OSCP?
I found it on TJ_Null's list.
Should I be able to read source code in order to pass the OSCP?
I think it is about getting to know file upload bypasses and code injection in privesc.
Really informative video.
Thanks for another amazing walkthrough.
Keep up the good work, thanks for the video.
Thank you very much! You are the best
Why did you have to write "please subscribe" and then the command injection.. I'm a little bit confused about that.
How did you know to wait 3 minutes for the nc connection? Is it just a daily cronjob task and common knowledge?
From the crontab.guly file. If you look into how crons look, you'll understand it happens every 3 mins.
You should really make your own pentesting course because I would 100% pay for you to tutor me.
I'm beginning to struggle a bit in the middle of my OSCP course, taking the exam some time around Jan/Feb
Good luck!
How was that?
Get well soon, my dear IppSec.
BTW, I think the foothold is a bit overcomplicated. Once you get the backup and notice that upload.php includes lib.php, you can see that by downloading one of the images in photos.php and putting a PHP shell in as a comment with exiftool it's trivial to get the shell.
The magic bytes didn't work for me.
Is this system related??
Wait why did the code execute after uploading even though there wasn't a .php extension? Shouldn't it just ignore it if there's a .gif extension by default?
He explains it at 38:40, but this is where I got stuck with the box too.
I didn't even dare to think that a file with a gif extension would execute php, so I didn't even try...
Also it's not hinted at anywhere in the source, so you'll just have to guess/try it.
Don't say "type pleasesub..." again :)
You are a beast, please keep it up.
May I know how you reset the terminal after exiting the shell with stty raw -echo?
I believe it has to do with the "export TERM=xterm" command he used at 23:13, which, as far as I know, is setting your terminal as Linux. And from there Ctrl+L should work.
Press "fg", then press enter twice.
Which terminal are you using??? Is it an alternative to terminator?
Tmux
Great walkthrough. Just one doubt: how did you figure out that the cron runs every 3 mins?
It's there in the cron expression at 22:03. "*/3 * * * *" means "every 3 minutes". Paste it into something like crontab.guru :)
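An added example (mine, not from the video or crontab.guru) of how the five cron time fields are interpreted, so "*/3 * * * *" can be checked offline: each field is expanded to the set of values it matches, a timestamp is tested against all five, and the next firing time is searched minute by minute. It also computes the worst-case wait, which is why "wait up to three minutes for the callback" is the right expectation. A system crontab file (as opposed to a user crontab) carries a user column after these five fields; pass only the five time fields here.

```python
from datetime import datetime, timedelta

# (low, high) for minute, hour, day-of-month, month, day-of-week (0 = Sunday)
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(field, lo, hi):
    """Expand one field ('*', '*/3', '5', '1-5', '1,15', '1-10/2') into the set of ints it matches."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Five time fields only; raises if a user/command column was pasted along."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected exactly 5 cron time fields")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def matches(expr, when):
    """Does the expression fire at this minute?"""
    minute, hour, dom, month, dow = parse_cron(expr)
    cron_dow = (when.weekday() + 1) % 7   # Python: Monday=0; cron: Sunday=0
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and cron_dow in dow)


def next_run(expr, after):
    """First minute strictly after `after` at which the job fires (searches up to a year)."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):
        if matches(expr, t):
            return t
        t += timedelta(minutes=1)
    raise ValueError("no firing time within a year")


def max_wait_minutes(expr, start, samples=200):
    """Worst-case minutes between landing a payload and the next run, sampled from `start`."""
    worst = 0
    t = start.replace(second=0, microsecond=0)
    for _ in range(samples):
        worst = max(worst, int((next_run(expr, t) - t).total_seconds() // 60))
        t += timedelta(minutes=1)
    return worst


if __name__ == "__main__":
    now = datetime(2019, 11, 1, 12, 1)     # constructed timestamp for the demo
    print("fires at 12:01?", matches("*/3 * * * *", now))
    print("next run:", next_run("*/3 * * * *", now))
    print("worst-case wait:", max_wait_minutes("*/3 * * * *", now), "min")
```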
Thanks for explaining the root cause of Apache file handling.
Why does the php code execute even when the file extension is gif and not php?
Oh Ippsec asked the same question, or stated he didn't expect it to work. Will wait to look at the config file.
Because of the Apache conf. It executed PHP code as long as there was a .php in the filename.
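An added example (not the box's actual configuration and not from the video) that models the two handler styles the replies above are contrasting. Apache's mod_mime treats every dot-separated suffix after the first as an extension (the documented "files with multiple extensions" behaviour), so a directive of the form `AddHandler ... .php` applies to `shell.php.gif` because `.php` is one of its extensions, whereas a `<FilesMatch "\.php$">` block only applies when the name ends in `.php`. The directive strings and filenames below are illustrative.

```python
import re

# Illustrative directives, written here for the demo (not copied from any server).
WEAK_CONF = "AddHandler php7-script .php"
STRICT_CONF = '<FilesMatch "\\.php$">\n    SetHandler application/x-httpd-php\n</FilesMatch>'


def extensions_of(path):
    """mod_mime style: every dot-separated suffix after the basename's first dot."""
    base = path.rsplit("/", 1)[-1]
    return base.split(".")[1:]


def addhandler_applies(path, ext=".php"):
    """AddHandler fires if ANY of the file's extensions equals the configured one.

    Apache compares extensions case-insensitively, so shell.PHP is caught too.
    """
    wanted = ext.lstrip(".").lower()
    return any(e.lower() == wanted for e in extensions_of(path))


def filesmatch_applies(path, pattern=r"\.php$"):
    """<FilesMatch> is a regex over the basename; with the $ anchor only the last suffix counts.

    Note the regex is case-sensitive unless written with (?i).
    """
    return re.search(pattern, path.rsplit("/", 1)[-1]) is not None


def classify(paths):
    """For each candidate upload name: would PHP run under the weak and the strict config?"""
    return {p: {"weak": addhandler_applies(p), "strict": filesmatch_applies(p)} for p in paths}


if __name__ == "__main__":
    names = ["shell.php", "uploads/shell.php.gif", "shell.gif", "shell.PHP", "image.gif.php"]
    for name, verdict in classify(names).items():
        print(f"{name:22} AddHandler={verdict['weak']!s:5} FilesMatch={verdict['strict']!s:5}")
```

When hardening, the FilesMatch pattern should list exactly the extensions the server is meant to execute and anchor them at the end of the name; an unanchored or substring-style match reintroduces the same `.php.gif` problem.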
Bruh, easy mode in HackTheBox is not easy.
Dang, I felt like I was getting closer, now it's retired, fml lol
Hi, thanks for the video. Is it possible to exploit the exec("rm -f $logpath"); as rm is wildcarded?
I don't think you can, as $logpath is not under your control.
Can you still access the content on this machine? I can't seem to be able to ping the IP on HTB...
Make sure the box is active on your account by starting that machine, and that your VPN download is updated and connected.
@ShakaFPV Where is the option to start that machine?
@ShabazDraee On the Hack The Box website, when you sign in (if you don't have an account, you hack in to make one), go to the Machines tab, go to Retired Machines, find the machine you want to start and press play! Activate the VPN and you're good to go :) You do need a paid membership to access retired machines.
Wow. From 2:30 to 19:00 - I didn't find the backup file, found a way to use exiftool to embed a shell to bypass image upload restrictions, and carried on like that.
This is doing the same thing, but you're just skipping enumeration. It's like doing a buffer overflow and skipping "bad character" checks. Nothing wrong with it, but it's important to know it for when skipping doesn't work. For example, I've seen code that just stomps all metadata to validate GPS coords aren't in it. You can also just cat the shell to the end of an image, no need to do metadata.
Thanks for the vid! Get better!
To print arrays or other non-string variables, I usually use var_dump().
I.e. `var_dump(scandir('.'));`
Aw, now I lose my points for this one.
Hey guys, I'm not sure I understand why the command injection worked.
IppSec sent a file with the last extension as .gif, so the server shouldn't be able to read it as PHP code, right?
It should read it as a GIF, and also the MIME type of the file is a GIF.
Am I missing something? Because when I tried it (almost identical to what he did) I failed.
Thanks in advance for your response.
That's what he explained in the last part of the video. The Apache configuration file was not properly configured; that's why it was only checking if the filename had .php in it and executing it.
thank you
Tfw I targeted this box because I thought it would have rolled out after Postman and saw my points disappear at 98.4% progress.
Learn how to break it, then how to fix it.
Only Ippsec will hack into a box just to fix its misconfiguration.
It took me like a f***ing year to realize that .php.gif works. This is so "engineered"; in the real world this would never happen.... :D
This does happen in the real world.
@martindimitrievski5703 Sounds like you have configured a server like this before yourself :D.
@YuKonSama More like I have encountered such server configs before, but suit yourself :)