IppSec: it's really amazing how you create this stuff. I have no clue if I'll make it the next time I'm trying the OSCP exam, but you are really a master in explaining stuff while you're doing it. Hands-down the best training material. Thanks (also applies to all your other vids; I'm not really a YouTuber, but you're in my top-1-most-watched channels) ;-)
Your vids are easily the best resource for learning I've found, aside from actually working on VMs etc. Learnt so much from these, much obliged! From a junior pentester about to sit the OSCP :)
The Yellow King, did you take your OSCP?
@momusau642 Did you take your OSCP?
Well???? We're waiting!!
@rickjames3034 lmao, yes, I took it years ago and passed.
@m3lk0r83 Congrats! XDDDDDDDDDDDD!
Thank you for this post.
I tried following all the other guides to get the reverse shell, yours was the only one I could get working.
I've improved more in the last 2 weeks from going through your videos than I did during 60 days of PWK labs. Exam in 2 weeks and, if I pass, massive credit would go to you!
@Alexandru Cucea How did yours go?
@Alexandru Cucea That's awesome! Congratulations, man. I've been doing HackTheBox for about a month now. I guess I'll do the OSCP-like boxes on HackTheBox before I jump on the PWK labs. It's always about the enumeration. Once you get a foothold, it gets easier. Do you recommend I take Virtual Hacking Labs before I jump into PWK? Do you think I should spend a few more months on HackTheBox before going in?
@Alexandru Cucea Thank you. I've just realized that I have no experience with buffer overflows or Windows boxes. I'm going to stick with HackTheBox and other resources for a while before I go in. I just do not want to rush the process and fail miserably :). I really want to get into this awesome field of penetration testing. Even if I do pass the OSCP by rushing through, it's going to come back and bite me in the future. Thank you for the advice, my friend. Cheers!
I failed the exam :( I will do more boxes before paying for a re-exam next time.
@Alexandru Cucea Sorry, just seen this! I passed :) How did you get on??
Awesome video IppSec! Port knocking order was also in a mail at /var/mail/amrois :-)
I know this is an old vid so I’m necroposting here, but I’m pretty sure this box is pronounced “nin-ehva” not “nine-va” since it’s a reference to the ancient Assyrian city in the Bible whose destruction Jonah was sent to foretell. At 31:20 you can see there’s a file in /var/www/html called “ninevehdestruction.jpg” which supports the idea that this is a reference to that city. Just bringing it up because sometimes understanding the references helps with the solution of CTF boxes.
Oh. I get it. There is also a German TV show on Netflix called Dark. It has somewhat of a similar plot as well.
I love your videos. I've just gotten into pentesting as a hobby and I've learned a lot through these.
Do you run Kali through a VM? That's what I've been doing, but I recently got a new laptop and wanted to try usb booting. However I'm having a horrible time getting it to recognize my gpu (e.g., hashcat). So I was just interested in hearing how you've set things up.
I do it from a VM. Don't really see a need to go bare metal. I have a separate box for the cracking and such; wouldn't want to do it on my main box as it tends to slow everything down. I dork around enough with stuff in Kali, so being able to revert to a snapshot is a nice safety net. Additionally, some commercial tools are Windows only, so I need to be running VMs anyway.
Awesome videos! But can you increase the font size of your terminal and web browser to make things easier to view for those watching on mobile devices, please?
@ippsec Where can I get a copy of the shells?
One question: why was the command executed as `&cmd=` instead of the usual `?cmd=`???
oh my god that's awesome thank you so much
You're awesome.
If you change `ps -eo command` to `ps -eo user,command` in the procmon script, you'll be able to see which user the command is running as.
Good call.
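To make the procmon idea above concrete, here is an added example (not IppSec's script, and not code from the video) of a poller that snapshots `ps -eo user,command`, diffs each poll against the previous one, and prints every command line that was not there a second ago together with the user it runs as. The `--no-headers` flag is GNU procps, as on the box; the diff itself is pure Python and independent of `ps`.

```python
"""Poll ps and report processes that were not present on the previous poll."""
import subprocess
import time
from typing import List, Set


def snapshot() -> Set[str]:
    """One '<user> <command>' line per running process (GNU ps syntax)."""
    out = subprocess.run(
        ["ps", "-eo", "user,command", "--no-headers"],
        capture_output=True, text=True, check=True,
    ).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


def new_processes(previous: Set[str], current: Set[str]) -> List[str]:
    """Lines that are in `current` but were not in `previous`, sorted for stable output."""
    return sorted(current - previous)


def watch(interval: float = 1.0, iterations: int = 0) -> None:
    """Print newly seen processes every `interval` seconds; iterations=0 runs forever.

    The baseline is replaced on every poll, so a cron job that fires every
    minute is reported every minute, which is what you want when hunting for
    scheduled tasks. Use `seen |= now` instead to report each distinct
    command line only once.
    """
    seen = snapshot()
    done = 0
    while iterations == 0 or done < iterations:
        time.sleep(interval)
        now = snapshot()
        for line in new_processes(seen, now):
            print(time.strftime("%H:%M:%S"), line)
        seen = now
        done += 1


if __name__ == "__main__":
    watch()
```

A one-second poll can miss jobs that live for less than a second, and on a kernel mounted with `hidepid` an unprivileged user will not see other users' command lines at all; pspy, mentioned further down, works around the first problem by watching procfs events instead of polling.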
Can I use nc to do port knocking trick?
Thanks ippsec! There is a hint for the ports that should be knocked in /var/mail/.
The way you pronounce Nineveh tells me you didn't watch VeggieTales as a kid.
A lot of new stuff I have learned with you. Thank you.
I also had gaps with quotes, but could not understand the issue completely.
A few things I want to add:
* manual view of processes (how I did it): `top -d 1 -o %CPU`
* there is the knock tool, which could be used as `knock 10.10.10.43 571 290 911 && ssh -i amrois-pk.key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no amrois@10.10.10.43` (anyway, your way was great, on a sockets level)
* www.exploit-db.com/exploits/38775/ -- msf module for LPE, could be done with a meterpreter session
* `cat /var/mail/amrois` (a short tip about the port knocking we faced)
* `strings /var/www/ssl/secure_notes/nineveh.png` (for a quick view, without properly extracting)
You are amazing!!! How about starting classes to teach pentesting to beginners... What Burp Suite course do you suggest?
Courses take a ton of time and it isn't really fun to create super beginner content. In most of these videos I try to use tools/methods/etc. that are new to me. This way the videos benefit me too, which makes it worthwhile. Unfortunately, I've never taken a Burp Suite course so don't know a good one.
Hello IppSec, could you please give us some information about your rig (crack machine)? The number of GPUs, the graphics cards? I'm trying to build one, thanks :)
I'd recommend checking the Hashcat forums for that type of information, but in reality there's no reason to copy people's build; you can mix cards. Don't just blindly buy hardware; make sure you do something to verify it will be profitable.
I will check that, thank you again for your videos, you do a great job.
There is actually a working kernel exploit for this box now. Published just around the time this video was released.
Hey @IppSec, great video m8, just a quick question: will you be doing vids on the SANS HH challenge 2017? Cheers and have a good day.
I did not do the Holiday Hack this year, so I doubt I’ll put out any videos on it. That being said I’ll probably tweet all the videos I come across, few people did them last year.
Seems like when I don't name the db or table with the keywords "nineveh" and "Notes" it gives the "Note not found" error. So it may be looking for both strings in order to LFI.
Hey IppSec, running into an issue. Doing this box for OSCP prac. I am at the video around the 24:30 mark when you are moving the POST parameter around. I can't get mine to work like you have. I HAVE to have it `POST /department/manage.php?notes=/ninevehNotes/../var/tmp/hack.php`; if I try to make it like yours and replicate it with `POST /department/manage.php?notes=/var/tmp/hack.php` I get nothing. Not even the "No note selected" error.
I'm guessing the very end of your request does not have a line break... Go to the very bottom right of your request and hit enter, then try again.
@ippsec That didn't do it. I used the same $_REQUEST except I use zer for the key instead of ipp. It works until I do the change request method. Then I can't get it to work like you do. I don't know what is going on. I reset the box and it was worse. I then did the Change Request Method a couple times trying it and it finally worked, even though it's exactly the same request that wasn't working. I think this is going to confuse me. I also did not have a line break, but right now it is working without it, and if I add it after the zer=ls it fails.
@ippsec And to make it worse I can't get port knocking to work. I typed out what you have and 22 stays filtered; the only difference that I can see is I have nmap 7.91 installed, but I don't know why that would make a difference. EDIT: I have tried your way, I have tried using knockd and knocking, I have also tried using telnet. They will not open 22 for me no matter what. I have asked for help on the Hack The Box Discord.
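The two threads above (the "Note not found" observation and the `/ninevehNotes/../var/tmp/hack.php` versus `/var/tmp/hack.php` confusion) come down to one thing: a filter that only checks for a substring, with `..` doing the rest. The manage.php source is not on this page, so the Python below is an added example that models the behaviour the comments describe rather than the box's real code; the marker string `ninevehNotes` and the two error messages come from the comments, the `NOTES_DIR` location is an assumption. The hardened version shows the check a developer should have written instead.

```python
"""Substring-based include filter versus a canonicalise-then-contain check."""
import os
from typing import Optional

# Assumed location of the notes directory; only the marker 'ninevehNotes' is from the thread.
NOTES_DIR = "/var/www/html/department/ninevehNotes"


def vulnerable_resolve(notes: Optional[str]) -> str:
    """Substring filter as inferred from the thread.

    Returns one of the app's error messages, or the path that would be
    passed straight to include().
    """
    if notes is None:
        return "No note selected"
    if "ninevehNotes" not in notes:
        return "Note not found"
    return notes


def included_path(notes: Optional[str]) -> str:
    """What the vulnerable check really includes once '..' is resolved."""
    result = vulnerable_resolve(notes)
    return os.path.normpath(result) if result.startswith("/") else result


def hardened_resolve(notes: Optional[str]) -> Optional[str]:
    """Canonicalise first, then require the result to stay inside NOTES_DIR.

    Returns the safe absolute path, or None when the request must be refused.
    normpath is used so this runs without the directory existing; on a live
    server use os.path.realpath so symlinks are resolved too.
    """
    if notes is None:
        return None
    candidate = os.path.normpath(os.path.join(NOTES_DIR, notes))
    if not candidate.startswith(NOTES_DIR + os.sep):
        return None
    return candidate
```

An absolute `notes` value makes `os.path.join` discard `NOTES_DIR` entirely, which is exactly why the containment check has to run on the canonicalised result and not on the input: `/ninevehNotes/../var/tmp/hack.php` passes the substring test but normalises to `/var/tmp/hack.php`, and `ninevehNotes/../../../../etc/passwd` walks out of the directory the same way.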
is there a tmux-shortcut for sending panes to windows?
Not by default; check out my intro to tmux video, it covers pretty much everything I did.
Hey man, big fan here. Do you have an idea about where I can read to improve my skills and my knowledge about penetration testing?
Unfortunately, not really. Anything within No Starch Press, the "Hacker's Handbook" or "Hacking Exposed" series. Outside of that, just pick up books on technologies you want to learn. Doesn't have to be geared towards hacking.
By the way, I had respected you on Hack The Box; I am new on it. I had a look at your bloods and challenges and I think you are a legend. I appreciate that you make videos for the retired machines.
Super appreciate as usual...
Been looking for a way to spot cron / processes. Love the procmon... Definitely going in my toolbox.
Check out pspy, that's a good tool for it
Keep going, you're the best. From Algeria.
The first login panel can be bypassed by setting the name as admin and sending the password as an array. If I remember correctly, the hardcoded password was hinted at in the comments of the login page.
Yeah, you are correct. Missed the type confusion vuln, good find!
How could we use that one?
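For the "how could we use that one?" question: the comment above only says the panel accepts username admin with the password sent as an array, and the box's PHP is not on this page, so the check below is an assumption, modelled as `strcmp($_POST['password'], $secret) == 0`, which is the usual shape of this bug. This added example (not from the video or the box) models in Python the two PHP behaviours that make such a check fail, shows the form body that triggers it, and puts the fixed check beside it. `SECRET` is a placeholder, not the box's password.

```python
"""Why sending password[] as an array gets past a strcmp() == 0 check."""
from hmac import compare_digest
from typing import Any, Optional
from urllib.parse import urlencode

SECRET = "correct-horse"  # placeholder; the comment says the real one is hinted in the page source


def php_strcmp(a: Any, b: Any) -> Optional[int]:
    """PHP 7 strcmp() semantics: with a non-string argument it warns and returns NULL."""
    if not isinstance(a, str) or not isinstance(b, str):
        return None
    return (a > b) - (a < b)


def php_loose_eq_zero(value: Optional[int]) -> bool:
    """PHP's `$value == 0`: NULL == 0 is true, so a failed strcmp() looks like a match."""
    return value is None or value == 0


def vulnerable_login(username: Any, password: Any) -> bool:
    """Assumed vulnerable check: strcmp($password, $secret) == 0."""
    return username == "admin" and php_loose_eq_zero(php_strcmp(password, SECRET))


def hardened_login(username: Any, password: Any) -> bool:
    """Type-check first, then constant-time compare (PHP: is_string() + hash_equals())."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    return username == "admin" and compare_digest(password.encode(), SECRET.encode())


def bypass_body(username: str = "admin") -> str:
    """Form body that triggers the bug: PHP parses `password[]=x` into an array."""
    return urlencode({"username": username, "password[]": "x"})
```

Send `bypass_body()` as the POST body with a normal `application/x-www-form-urlencoded` content type; any value after `password[]=` works because the comparison never happens. Note that on PHP 8 `strcmp()` throws a TypeError for an array argument, so this particular bypass only works against PHP 7 and earlier, which is one more reason to verify the version during enumeration.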
Hey @ippsec and other folks, why did he directly jump to hydra when he saw the login page? I mean, how would I know when to use SQL injection and when to just brute force it?? So please, if someone can explain to me the scenarios where, looking at the login page, I should check for SQL injection or brute force it.
Should always try everything -- I just don't show all my enumeration every time because it's very repetitive and would make almost every video over an hour long. The video isn't the very first time I've done the machine, so I know the path prior to recording. Think I say it in the video, but the method I used for user when the box was initially released got patched.
Does anyone know what the `ipp=` means? I know when he adds the `ls` parameter after the `ipp=` it provides a directory listing, but how did he know to use `ipp=`?
@El Queso Bandito that makes sense. Thanks man!
great stuff as always
you're a LEGEND!
I am not getting the LFI and I'm fked up.
how long does it usually take for you to exploit these machines for the first time?
Depends on the machine. This one was under 15 minutes but did it in an unintended way.
IppSec, thank you for the videos! Learning a lot. So, I hope you will help us to do the same! =) And what is your average time for pwning the boxes? And what is the hardest box you've faced?
nice video thanks
Thanks bro
Ok thanks
thanks :)
Ecscape eh. It's unlike a programmer to deliberately spell a word incorrectly ;)
😚😙😚😙😚😙
2024
`nc -z 10.10.10.43 571 290 911`
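Several comments above ask whether nc can do the knock, give the `knock 10.10.10.43 571 290 911` command, or the `nc -z` one-liner; all of them do the same thing as IppSec's socket-level approach. This is an added example (not code from the video) of that approach in Python: one TCP connection attempt per port, strictly in order, then a real connect to check whether the guarded port opened. The host and sequence are the ones quoted in the comments; that the guarded port is 22 is taken from the thread, and everything else is assumption.

```python
"""TCP port knocking with plain sockets, then a check of the guarded port."""
import socket
import sys
from typing import Iterable, List


def knock(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Send one TCP connection attempt to each port, strictly in the given order.

    knockd only has to see the SYN, so a refused or timed-out connect still
    counts as a knock; the result of connect() is deliberately ignored.
    Returns the ports in the order they were knocked.
    """
    knocked: List[int] = []
    for port in ports:
        try:
            socket.create_connection((host, port), timeout=timeout).close()
        except OSError:
            pass  # closed or filtered: the SYN went out, which is all we need
        knocked.append(port)
    return knocked


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Target and sequence from the comments above; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.43"
    seq = [int(p) for p in sys.argv[2:]] or [571, 290, 911]
    print("knocked", knock(target, seq))
    print("port 22 open" if port_open(target, 22) else "port 22 still filtered")
```

Two things to check when a knock "does nothing": knockd expects the ports in order within its sequence timeout and an out-of-order packet resets the sequence, so do the knocks quickly and do not have any other scan hitting those ports at the same time; and if the daemon is configured for UDP rather than TCP, replace the connect with a `SOCK_DGRAM` `sendto()` of an empty datagram to each port. The comparison after the knock is a real handshake to port 22, so it tells you the firewall rule changed even before you try ssh.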
In this box something is not clear. I know it is old, but can someone help me here? Between 20:38 and 22:10 Ippsec was dealing with the DB and renamed it to ninevehNotes, but this name is predefined in the box, and if someone actually puts another name it won't work; like if the name is /var/tmp/shell.php it won't work. I wonder how he knew that path.
I glanced at the video; at 14:00 we see the app loading ninevehNotes. Pretty sure I'm just overwriting that file.
@ippsec Yeah, I had to check again and got it, thanks.