and then you realise that he doesn't understand the await operator, so he puts it even when he calls the async function LOL (line 13 on VC @46:30), also he could have read the error message, it says right there.
Wow nicely done! I really like the way you have used classes in Python. The reason why asynchronous works so well, is because it tells the CPU to switch threads while there is slack time when it isn't really processing something, so it jumps to another thread within the process and it does that constantly. If you're cooking you're also not going to stop and do nothing while the oven is preheating. 😅 👏
Ooh and a const in a loop is not possible, since it is a constant and of an immutable type which can only be declared ones and not updated within a while loop.
@31:00 the best way to try js code is not the console prompt, but by clicking the icon that it's on the far right of the console prompt, called: multi-line editor mode.
Great video as always, been looking forward to this one. Btw I'm not sure if you're aware, but in the converter web app it's also possible to get RCE by uploading a file with the extension .recipe which contains python code. Apparently the calibre converter will happily run any python code in .recipe files :)
Isn't the requests.Session() an instantiated object and therefore mutable? So wouldn't it be passed by object reference, meaning you wouldn't have to return anything to make changes to its data? I may be wrong, thoughts?
One more question: when we identify SQL injection in GenLab and you mentioned that ‘it is not giving any new privileges,’ considering this binary runs with sudo, wouldn’t executing a system command through SQL injection grant us a privileged shell? I mean without needing ps2pdf, I might be mistaken, but I’d like to find out.
Running through SQL would still be a SQL User not root. So having the option to exploit SQL or the Injection to PDF Generator... I go for PDF Gen since that is running as root.
Hi IppSec, there's something I'd like to clarify to ensure I'm not misunderstanding. We observed the "script-src 'self'" directive in the HTTP response, which, as I understand it, allows scripts to run only from the same origin as the webpage. However, we also made an attempt to provide our IP address (10.10.14.8) which is different origin. Am I missing something? confused me because you also said that "I dont know what is blocking us"
I believe it blocks the page itself from running Javascript on itself, which is why the Alert() did not work, and there's something that's blocking you from loading scripts externally, so you can't just directly point it at yourself. Which is why I needed to host the script on the server through Avatar. I never run code from a server on my own IP, I just exfil data there. That said, in hindsight, I never tried to just point the javascript back to myself then do the malicious things there. I don't think it would work, but its possible would be a good thing to try out yourself and see why it does or doesn't work.
Maybe that's a silly question, but, in the last piece when we try to write the key for root, we cannot just modify the entry in the database with the postscript payload and re run the script, pretending there was no sql injection in the python script? Sorry about my probable grammar errors in that sentence 😅 . Great video as always, we love IppSec.
@@ippsec I'm sorry i didnt meant to point it out because i want to say that was a better way, that was no my intention at all, i was just wondering if that was possible, and to test my level of understanding 🤣. You show anyways that the script was vulnerable to sql injection, and how to benefit from that, so definitely your way is the best for us and for the sake of learning, as the purpose of your videos are sharing knowledge. As always you re the goat, thanks for all your videos.
@@ippseci totally get the sarcasm. I'm happy to know that modify the entry was an option that could work, I'm still learning and see that maybe I get something right make me willing to learn more and definitely you're the right place to learn, your approach to solve the boxes is amazing, the explanations of the steps you take to find the informations and the beyond root part is gold.
@@MusicDimensionTH-cam I believe it's not possible to write to the file /root/.ssh/authorized_keys doing what you suggested because each injectable column can contain only up to 20 characters: Injectable columns: name, addressLine1, addressLine2, town, postcode MariaDB [(none)]> desc bookworm.Users \G *************************** 2. row *************************** Field: name Type: varchar(20) *************************** 6. row *************************** Field: addressLine1 Type: varchar(20) *************************** 7. row *************************** Field: addressLine2 Type: varchar(20) *************************** 8. row *************************** Field: town Type: varchar(20) *************************** 9. row *************************** Field: postcode Type: varchar(20) So, if you tried to change one of those columns to the PostScript payload, you would get an error saying you tried to insert too many characters on a column.
Nope, when they launched we got off on the wrong foot and I also didn’t enjoy their content. I feel there’s less effort put into making sure it’s quality content. Could have changed now; but I have no reason to check them out. Also I do work for HackTheBox now, did not for the first few years of doing videos. So not only would I be highlighting a site I don’t support, I’d also be highlighting a competitor
@@ippsec in terms of content quality, you're absolutely right. TryHackMe seems to be making very "small" boxes in comparison to HackTheBox. so I understand your point.
Too Many Joke About Javascript In Programming Memes , Call That Javascript Is Drunken Language 😂😂 Async Await Just Work On Function 😅 That's What I Know, Im From Java Dev 😂
0:35 I fully expected that sentence to continue with "and by the end of the day, I had created my own Javascript framework".
and then you realise that he doesn't understand the await operator, so he puts it even when he calls the async function LOL (line 13 on VC @46:30), also he could have read the error message, it says right there.
Wow nicely done! I really like the way you have used classes in Python. The reason why asynchronous works so well, is because it tells the CPU to switch threads while there is slack time when it isn't really processing something, so it jumps to another thread within the process and it does that constantly. If you're cooking you're also not going to stop and do nothing while the oven is preheating. 😅 👏
Ooh and a const in a loop is not possible, since it is a constant and of an immutable type which can only be declared ones and not updated within a while loop.
Thanks that makes total sense
That was some voodoo! I understood about 10% at best. But i really enjoyed watching this. Great job as always!
I like how your videos have become reminders to release my season0 writeups lol
great work as always man
@31:00 the best way to try js code is not the console prompt, but by clicking the icon that it's on the far right of the console prompt, called: multi-line editor mode.
Ippsec I hope you start doing live boxes some times just for us to see your thought process and maybe get a glimpse of how you do in real engagements
Thank you for the video realy appreciate it !
Great video as always, been looking forward to this one.
Btw I'm not sure if you're aware, but in the converter web app it's also possible to get RCE by uploading a file with the extension .recipe which contains python code. Apparently the calibre converter will happily run any python code in .recipe files :)
I had no idea. That is cool
Hi, how did you find this out?
@@AUBCodeII just by reading the docs
@@malikkkk2679 I see. Thanks for the response
Loved this box! I used xhr api for the js script but I’ll definitely switch to fetch api in the future
I love what you do and learn a lot thanks ippsec❤
Thanks sirji for this video ❤❤❤
Isn't the requests.Session() an instantiated object and therefore mutable? So wouldn't it be passed by object reference, meaning you wouldn't have to return anything to make changes to its data?
I may be wrong, thoughts?
I think you are correct - However, that is now how my brain things code/functions/etc should work. So I avoid taking advantage of that.
@ippsec ah yeah, I get what you mean. I love python but the weak typing makes things really ambiguous sometimes.
what vs code extensions do you use? autocomplete looks awesome
That is Github Copilot
@ippsec when copying node source code, you can skip the node_modules. much lighter and faster.
One more question: when we identify SQL injection in GenLab and you mentioned that ‘it is not giving any new privileges,’ considering this binary runs with sudo, wouldn’t executing a system command through SQL injection grant us a privileged shell? I mean without needing ps2pdf, I might be mistaken, but I’d like to find out.
Running through SQL would still be a SQL User not root. So having the option to exploit SQL or the Injection to PDF Generator... I go for PDF Gen since that is running as root.
Hi IppSec, there's something I'd like to clarify to ensure I'm not misunderstanding. We observed the "script-src 'self'" directive in the HTTP response, which, as I understand it, allows scripts to run only from the same origin as the webpage. However, we also made an attempt to provide our IP address (10.10.14.8) which is different origin. Am I missing something? confused me because you also said that "I dont know what is blocking us"
I believe it blocks the page itself from running Javascript on itself, which is why the Alert() did not work, and there's something that's blocking you from loading scripts externally, so you can't just directly point it at yourself. Which is why I needed to host the script on the server through Avatar. I never run code from a server on my own IP, I just exfil data there.
That said, in hindsight, I never tried to just point the javascript back to myself then do the malicious things there. I don't think it would work, but its possible would be a good thing to try out yourself and see why it does or doesn't work.
Maybe that's a silly question, but, in the last piece when we try to write the key for root, we cannot just modify the entry in the database with the postscript payload and re run the script, pretending there was no sql injection in the python script? Sorry about my probable grammar errors in that sentence 😅 . Great video as always, we love IppSec.
Umm I hate myself right now, most likely you could totally do that 😂 I just didn’t think of it
@@ippsec I'm sorry i didnt meant to point it out because i want to say that was a better way, that was no my intention at all, i was just wondering if that was possible, and to test my level of understanding 🤣. You show anyways that the script was vulnerable to sql injection, and how to benefit from that, so definitely your way is the best for us and for the sake of learning, as the purpose of your videos are sharing knowledge. As always you re the goat, thanks for all your videos.
@@MusicDimensionTH-cam No i'm happy you did haha. Was more sarcastic
@@ippseci totally get the sarcasm. I'm happy to know that modify the entry was an option that could work, I'm still learning and see that maybe I get something right make me willing to learn more and definitely you're the right place to learn, your approach to solve the boxes is amazing, the explanations of the steps you take to find the informations and the beyond root part is gold.
@@MusicDimensionTH-cam I believe it's not possible to write to the file /root/.ssh/authorized_keys doing what you suggested because each injectable column can contain only up to 20 characters:
Injectable columns: name, addressLine1, addressLine2, town, postcode
MariaDB [(none)]> desc bookworm.Users \G
*************************** 2. row ***************************
Field: name
Type: varchar(20)
*************************** 6. row ***************************
Field: addressLine1
Type: varchar(20)
*************************** 7. row ***************************
Field: addressLine2
Type: varchar(20)
*************************** 8. row ***************************
Field: town
Type: varchar(20)
*************************** 9. row ***************************
Field: postcode
Type: varchar(20)
So, if you tried to change one of those columns to the PostScript payload, you would get an error saying you tried to insert too many characters on a column.
hey ippsec would you consider doing THM too?
Curious about this too.
Nope, when they launched we got off on the wrong foot and I also didn’t enjoy their content. I feel there’s less effort put into making sure it’s quality content. Could have changed now; but I have no reason to check them out. Also I do work for HackTheBox now, did not for the first few years of doing videos. So not only would I be highlighting a site I don’t support, I’d also be highlighting a competitor
@@ippsec in terms of content quality, you're absolutely right. TryHackMe seems to be making very "small" boxes in comparison to HackTheBox. so I understand your point.
@@ippsec you are HTB employee of the month (read this with Simeon Yetarian's voice)
Good point
Nice work ippsec, keep going
1:27:26 I love this "oh". This was so funny
when did you learn python ippgoat
Ippsec Is Python Charmer 😂
Push!
Ip, Ipp and Ippy
23:33
First
Too Many Joke About Javascript In Programming Memes , Call That Javascript Is Drunken Language 😂😂
Async Await Just Work On Function 😅
That's What I Know, Im From Java Dev 😂
1:14:55 ipp-womp-womp.mp3