You actually can. Ippsec reached this level by pure determination, tons of trial and error, a lot of reading, putting it into practice and most of all be curious and have the passion
+1 to @boogieman97 keep in mind I’ve been doing videos weekly for 5+ years. Which isn’t a long time at all, but more frequent than the average person. If you create a plan and stick with it I’m sure you’ll be near this level
@@ippsec next to that correct me if I'm wrong, I've heard in one of your earlier videos that your carreer is far most autodidactic. Apart from that that might not be "long", it is about dedication and willingness to commit. Thats why I am highly appreciating Ippsec and of course subscribed, so if you agree folks do so as well 😃
Hi Ippsec I was wondering if you could help? I am attempting this machine and I get into the activemq user initially through a meterpreter reverse tcp, then I get an interactive shell (python3 -c 'import pty;pty.spawn("/bin/bash")'. But when I try to edit the nginx.conf file with vi, the vi editor doesn't work properly and I can enter/exit insert mode or move around the text in the file with the arrow keys
sometimes, it depends on the shell size I guess. To overcome that You can create a new conf file on your attacking machine, then put that file into the /tmp directory of the victim machine and change the conf path to the /tmp/nginx.conf using the '-c' command. And I always prefer to not open a vi editor in the victim's box.
I didnt think to try entity encoding the xml and resorted to the curl command. Nice to know about that now. My question is did we have to have all three lines in the xml? Or could it have been done with one? Great video as usual!
So basically is it a vuln in the class - ClassPathXmlApplicationContext which is part of the Spring framework? And this being used by ActiveMQ made it vuln as this class loaded a crafted XML config file
I have reset this box and gone through the same steps (i think) and there is no /root directory in /crontabs, also any file that gets uploaded doesnt have execute permissions(i changed permissions before uploading just in case). I uploaded the ssh keys just to login as root and check. Did they change the box?
Im maybe late but i had the same problem. you have 404 because your poc-linux.xml file is on the CVE folder and your http server cant find it. just move poc-linux.xml to /home/[your account]/ i guess you started you http server on home directory like me :'(
Ippsec you said on a earlier podcast that you were going to start doing videos on the basic foundations of Hackthebox. Is that still in the works? Thanks.
I want to, just can't get the motivation. If you look at the technique videos, I think I've started covering things just not from a foundation perspective.
I did a completely different technique for privesc using share object .so (Files), since we can modify the prefix with nginx i just needed to craft a .so files in a module directory, rename it correctly (ngx_http_echo_module.so), run with sudo ===> got error but BAM suid /usr/bin/bash -p
Man you are awesome. I love the way you handle and understand things like it is nothing to you . I Wish i reach this level of professionalism.
You actually can. Ippsec reached this level by pure determination, tons of trial and error, a lot of reading, putting it into practice and most of all be curious and have the passion
+1 to @boogieman97 keep in mind I’ve been doing videos weekly for 5+ years. Which isn’t a long time at all, but more frequent than the average person. If you create a plan and stick with it I’m sure you’ll be near this level
@@ippsec next to that correct me if I'm wrong, I've heard in one of your earlier videos that your carreer is far most autodidactic. Apart from that that might not be "long", it is about dedication and willingness to commit. Thats why I am highly appreciating Ippsec and of course subscribed, so if you agree folks do so as well 😃
Cron Job Priv Esc learnt today, Great video.
Hi Ippsec I was wondering if you could help? I am attempting this machine and I get into the activemq user initially through a meterpreter reverse tcp, then I get an interactive shell (python3 -c 'import pty;pty.spawn("/bin/bash")'.
But when I try to edit the nginx.conf file with vi, the vi editor doesn't work properly and I can enter/exit insert mode or move around the text in the file with the arrow keys
sometimes, it depends on the shell size I guess. To overcome that You can create a new conf file on your attacking machine, then put that file into the /tmp directory of the victim machine and change the conf path to the /tmp/nginx.conf using the '-c' command. And I always prefer to not open a vi editor in the victim's box.
wow the dav method and cron are amazing
its not even weekend wow love it
First .. now let me watch 😁
I didnt think to try entity encoding the xml and resorted to the curl command. Nice to know about that now. My question is did we have to have all three lines in the xml? Or could it have been done with one? Great video as usual!
You are crazy good man 👍👌
So basically is it a vuln in the class - ClassPathXmlApplicationContext which is part of the Spring framework? And this being used by ActiveMQ made it vuln as this class loaded a crafted XML config file
❤❤❤
I have reset this box and gone through the same steps (i think) and there is no /root directory in /crontabs, also any file that gets uploaded doesnt have execute permissions(i changed permissions before uploading just in case). I uploaded the ssh keys just to login as root and check. Did they change the box?
Hey Ippsec thanks for the awesome video as usual. Are you planning to make videos on new HTB-Sherlocks when they’ll retire?
I have not decided yet.
@@ippsecI would appreciate a lot! Or if you know someone that you trust to make them also
Do you have a tutorial or can you recommend one on getting more comfortable with Vi/Vim?
Nice way of opening a shell using cron job. :)
thumb up💯
In this box the port 2112 lists archive system of the machine with elevated privileges on the navegator
Thanks for the tutorial!
I got a 404 message not found error when I sent the file I tried send the packet without the poc xml and got a got a 200 get from server idk why
Im maybe late but i had the same problem. you have 404 because your poc-linux.xml file is on the CVE folder and your http server cant find it. just move poc-linux.xml to /home/[your account]/
i guess you started you http server on home directory like me :'(
Awesome ippsec!!
I can't find the challenge on HTB? (yes I'm looking under retired)
You may have a filter on your search.
Thanks ippsec ❤
the privesc feels amazing
Push!
Thanks
Thanks Ippsec
ipp u are GOAT, can you explain logic behind changing nginx?
Ippsec you said on a earlier podcast that you were going to start doing videos on the basic foundations of Hackthebox. Is that still in the works? Thanks.
I want to, just can't get the motivation. If you look at the technique videos, I think I've started covering things just not from a foundation perspective.
thanks@@ippsec
Nothing
I did a completely different technique for privesc using share object .so (Files), since we can modify the prefix with nginx i just needed to craft a .so files in a module directory, rename it correctly (ngx_http_echo_module.so), run with sudo ===> got error but BAM suid /usr/bin/bash -p
❤