The reason your reverse shell didn't work is because, if you look at the index.js, it is calling the log() function from the logger module, since the malicious logger module you made doesn't have such a function to be used, it crashes. Yet the command gets executes. Thats why you get a connection back to your netcat but doesn't respond to the commands. So to get a direct reverse shell, you would have to add a function called log() for to stop it from crashing.
Oh boy. I watch your videos every week, they're so well explained and touching the real core of the technique used. One remark is that I often see that you're making unnecessary mistakes, e.g. not copying the complete hash and later bump into a silly issue. Would really like to see that you take a bit more time to validate everything you did and not make those silly mistakes. You're still human after all, but a bit annoying to see these mistakes and have to skip forward in the video.
He’s making “unnecessary mistakes” because he is actively thinking and working during the videos. If he scripted out every correct command and every perfect methodology the videos would lose so much value because you would lose getting to view his thought process. People make mistakes, and then have to back track sometimes. I caught the hash copy paste too, and I laughed. Curious if it would cause him problems and how he would catch it in his process. You’d probably get more value from the videos trying to learn how to work through mistakes than being frustrated and skipping the video. Anyone can point out mistakes when watching someone else do the work.
@@WhatsSmackin these videos are totally not edited right? Me personally don't like to watch someone missing a character of a hash and later on struggling on an issue. I watch these videos to understand the technique and core essence of the box, not to see someone debugging.
@@boogieman97 If you read comments on other videos, you will find out people like his debugging thing. That is why he does not remove those debugging parts.
@Stefan .b haha oh man, I watch ippsec' videos already for a long long time. There is a big difference in debugging something that is actually explaining something uncommon or important to understand the core principle of a technique or debugging something silly. I mentioned very clearly that I don't like to see someone debugging something silly. Ippsec is a genius guy, everything he does is self taught. I do agree it adds a human factor in the video which is something others might relate to. Apart from that, it doesn't bring value to the video if the 'mistake' that you've made is something that you should have noticed, like not completely copying the full hash. It is fine by me if that is a part of the video. Although that feels like watching sqlmap to finish on a boolean blind / time based injection, in both situations you already know where it will head to.
Bro you doing fine, but if you just talk slowly and act some slow like John Hammond, you are shifting to directories and other things very fast, its ok for experienced peoples, but for beginners you have to explain some things a little bit, if you just consider my request and you can do alot better and we will learn very easy from you.... thanks for your kind
you just assume this is even intended for beginners... it is not. The pace at which he goes is rather perfect. If you lack understanding of what is going on you can always rewind or maybe even RTFM ;)
The reason your reverse shell didn't work is because, if you look at the index.js, it is calling the log() function from the logger module, since the malicious logger module you made doesn't have such a function to be used, it crashes. Yet the command gets executes. Thats why you get a connection back to your netcat but doesn't respond to the commands. So to get a direct reverse shell, you would have to add a function called log() for to stop it from crashing.
thanks
That's correct.
I spend hours on the reverse shell - didn't notice the "logger.log is not a function" error message.
Great machine, kavi!
You are the box creator. Static webpage links to a medium acc & github acc both of which have same username as you!
@@oscargarin1740 exactly
@@securiti Thanks man!
Thanks for the consistency. Box quality could have been better,just old school things
Amazing vid!
thanks man
OMG 🔥🔥🔥🔥
awesome
Nicee
32:53 why not just use a GUID for the file name?
what is shortcut key to be like this?
ssh>
www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/
Always save files in a database!
Hey Man! Great Box. I appreciate your work. Can you tell more about your yourself. How you started and the journey.
Just wondering but could it be possible to upload to escape the /files/ directory completely by doing "../" as the "stud_no"?
THANK YOU A LOT
that .htaccess trick is crazy shit
realy useful
Oh boy. I watch your videos every week, they're so well explained and touching the real core of the technique used. One remark is that I often see that you're making unnecessary mistakes, e.g. not copying the complete hash and later bump into a silly issue. Would really like to see that you take a bit more time to validate everything you did and not make those silly mistakes. You're still human after all, but a bit annoying to see these mistakes and have to skip forward in the video.
Caught that mistake too while copying the hash, missing one char 😂
He’s making “unnecessary mistakes” because he is actively thinking and working during the videos. If he scripted out every correct command and every perfect methodology the videos would lose so much value because you would lose getting to view his thought process. People make mistakes, and then have to back track sometimes. I caught the hash copy paste too, and I laughed. Curious if it would cause him problems and how he would catch it in his process. You’d probably get more value from the videos trying to learn how to work through mistakes than being frustrated and skipping the video. Anyone can point out mistakes when watching someone else do the work.
@@WhatsSmackin these videos are totally not edited right? Me personally don't like to watch someone missing a character of a hash and later on struggling on an issue. I watch these videos to understand the technique and core essence of the box, not to see someone debugging.
@@boogieman97 If you read comments on other videos, you will find out people like his debugging thing.
That is why he does not remove those debugging parts.
@Stefan .b haha oh man, I watch ippsec' videos already for a long long time. There is a big difference in debugging something that is actually explaining something uncommon or important to understand the core principle of a technique or debugging something silly. I mentioned very clearly that I don't like to see someone debugging something silly. Ippsec is a genius guy, everything he does is self taught. I do agree it adds a human factor in the video which is something others might relate to. Apart from that, it doesn't bring value to the video if the 'mistake' that you've made is something that you should have noticed, like not completely copying the full hash. It is fine by me if that is a part of the video. Although that feels like watching sqlmap to finish on a boolean blind / time based injection, in both situations you already know where it will head to.
how
Bro you doing fine, but if you just talk slowly and act some slow like John Hammond, you are shifting to directories and other things very fast, its ok for experienced peoples, but for beginners you have to explain some things a little bit, if you just consider my request and you can do alot better and we will learn very easy from you.... thanks for your kind
set playback speed to .5 . slow it down.
you just assume this is even intended for beginners... it is not.
The pace at which he goes is rather perfect.
If you lack understanding of what is going on you can always rewind or maybe even RTFM ;)
Ok Asad
too much talking get on withit