HackTheBox - Admirer

  • Published on 18 Dec 2024

Comments • 67

  • @miltondewey573 4 years ago +10

    Man, I was struggling with the privilege escalation and now from this video I've learned something new, thank you so much Ippsec, your videos are such great educational material.

  • @vonniehudson 4 years ago +10

    @03:00: ORS = Output Record Separator! Wtf never even heard of that! Thanks @ippsec !

    • @craig3880 4 years ago +1

      also available in powershell under "OFS:"

  • @jaylal4899 3 years ago +2

    the sql part of the box is arguably the most difficult bit....Thanks Ippsec for the demo, it makes much more sense now.

  • @maz3146 4 years ago +3

    “This is a easy box” 😂😂 gg ippsec u are the best!

  • @scottieaustin1397 4 years ago +2

    When you discovered the admin_tasks.php, could you just have done command injection using the "tasks" parameter as part of the HTML request? @19:50 you might have been able to do like ?task=&& whoami or something like that?

    • @lazula 4 years ago

      This won't work because the parameter must be a literal number between 1 and 7. I tried a few different null terminators to get around this but it's a red herring.

    • @scottieaustin1397 4 years ago

      @lazula ah okay, cool thanks! I hadn't actually messed around with this box, it was just a thought I had while watching the vid.

  • @mehmetux4186 4 years ago +4

    i was preparing for Hollywood movie but i found better one :)

  • @lazula 4 years ago +1

    I got the reverse shell to work on my first try using pty.spawn() where you had p=subprocess.call(), so there might have been an issue with subprocess's availability (I can't test it since I don't have a subscription). pty tends to be so much more reliable on top of being easy to work with, so it's always my first choice for a shell. Also, you can use *args if you don't know how many arguments the function you're hijacking has.

  • @DHIRAL2908 4 years ago +23

    It took way longer time in setting my own sql server to accept connections lol!

    • @pauliehorgan 4 years ago +6

      Yeah, I'd question why this machine was labelled easy, it was a medium for sure

    • @Eric-the-wise 4 years ago

      @pauliehorgan it was very easy...

    • @CuteLittleHen 4 years ago +10

      @Eric-the-wise Perhaps we weren't blessed with your supreme knowledge of penetration testing techniques. Forgive us for being lesser beings, oh mighty Lord Eric. May we find HTB challenges as easy as you do, one magical day.

    • @flrn84791 4 years ago

      @CuteLittleHen I think what he meant is that the difficulty wasn't in the hacking, but the possible setup which can be new for some people.

    • @locke8412 2 years ago

      @CuteLittleHen eric the wise

  • @tzachihazan3459 4 years ago

    Thank you ippsec as always amazing video 💪

  • @Kiiib4 4 years ago +3

    Hey there Ipp! Since your Patreon is paused due to the recent events: Is there any way I can toss a few coins to you? I just want to thank you for the great content and all the things you've taught me so far :).

  • @geeshta 4 years ago

    I think the lazy eval() approach would work if you wrapped the content of the function in single quotes, eval() evaluates a string (and there already were double quotes somewhere). Not that the reverse shell worked anyway.

  • @onlyastron4ut 4 years ago

    Had a go at this box today but unfortunately it retired while I was going at it. Foothold was such a pain, I couldn’t find anything for hours. I even checked all the images for any stego.. I ended up trying different wordlists on the /admin-dir directory and finally found that juicy file with the ftp creds. Managed to login over ftp and wanted to grab the files but the box wouldn’t let me because it got retired that instant :-(

  • @zgeekdiver 4 years ago

    Ooo the mic sounds crispy.

  • @lazarvukasinovic4878 4 years ago +2

    this was very interesting one

  • @PolTen72 4 years ago

    That's odd, I tried this box, but when I used nmap it showed me others ports open, like 25, and 80 was filtered

  • @bdorr17 4 years ago

    How do you split the console like that, you are like a keyboard wizard with shortcuts... I have tried forever to tab out the standard parrot terminal and I can't. Additionally, I had to use terminator and right click for tabs. Any help would be greatly appreciated. Love the vids

    • @bdorr17 4 years ago

      @True Miller I have tried tmux before, but can't seem to figure out how to split the terminal, I google how to and it seems I keep messing it up in some way

  • @pn_tedro3013 4 years ago

    One question, when you got the user waldo and understood that you can execute a file with a sudo perm, you chose to get a shell, but could you just write a bash script to copy the root.txt to a new txt file in the waldo home dir? is it possible? If anyone else can answer i will appreciate it.

    • @redpanda31337 4 years ago +4

      Yes you can just: bash -c "cp /root/root.txt /tmp/root.txt"
      Instead of the command ippsec used, but why would you just want to copy the root flag if you can get a root shell and potentially just get a backdoor in the system for the long run? Speaking for a real-life engagement.

    • @pn_tedro3013 4 years ago

      @redpanda31337 yes, thank you, because this is a box and I already know where the root flag is, I just didn't want to mess with the shell as he did, I'm lazy, I know

    • @DHIRAL2908 4 years ago +1

      @pn_tedro3013 also, anyone else would be able to access the root flag as well.. so it's better to not spoil it!

  • @lutfahelal9140 4 years ago

    Since when did YouTube start adding two unskippable Ads???

  • @checknate8820 4 years ago +2

    I don't mean to be spammy, but I wrote a python script for that pentest monkey page called insta_shell. You supply the type of shell, the ip, and port and it fills out the correct syntax for you. It's on GitHub. If anyone wants to try it, I can provide more info.
    Saves you the time of actually going to the website and finding the right shell to modify

  • @armandkruger911 4 years ago

    I always replace the reverse shell with "chmod +s /bin/bash" to just make /bin/bash SUID instead of causing more egress traffic out... Hitting "/bin/bash -p" then you are root... Reverse Shells are always buggy

    • @ippsec 4 years ago +1

      I avoid doing things like that because of the insecurity it creates *especially* if you forget to clean anything up. Reverse shells are buggy but it's a bit safer than just dropping an easily findable binary that lets anyone privesc.

    • @armandkruger911 4 years ago

      @ippsec Thanx a lot! makes sense, something one can forget very easily!
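
ippsec's point above about leftover setuid binaries, as an added example that is not part of the original comments or the video: a cleanup check that walks directories and reports any shell or interpreter still carrying a setuid or setgid bit. The interpreter name list and the scanned directories are assumptions of this example.

```python
import os
import stat
import tempfile

# Assumed list for this example: interpreters that should never be setuid/setgid.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "python3", "perl"}


def find_privileged_shells(roots, shell_names=SHELL_NAMES):
    """Return sorted (path, mode string, owner uid) for setuid/setgid interpreters."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: judge the file itself, not a symlink target
                except OSError:
                    continue  # vanished or unreadable entry
                if not stat.S_ISREG(st.st_mode) or name not in shell_names:
                    continue
                if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append((path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(findings)


def demo():
    """Scan a constructed tree: one normal bash, one setuid bash, one unrelated file."""
    sample = [("clean", "bash", 0o755), ("left", "bash", 0o4755), ("other", "notes", 0o4755)]
    with tempfile.TemporaryDirectory() as tmp:
        for sub, name, mode in sample:
            os.makedirs(os.path.join(tmp, sub))
            path = os.path.join(tmp, sub, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [(os.path.relpath(p, tmp), m) for p, m, _uid in find_privileged_shells([tmp])]


if __name__ == "__main__":
    # Directories to audit are an assumption; add wherever shells live on the host.
    for path, mode, uid in find_privileged_shells(["/bin", "/usr/bin", "/tmp"]):
        print(f"{mode} uid={uid} {path}")
```

The check matches by file name, so a shell copied under a different name needs a baseline comparison of all setuid files instead.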

  • @kosmonautofficial296 4 years ago

    awesome video!

  • @JuanBotes 3 years ago

    thanks again

  • @danieldolen1945 4 years ago +1

    Which linux distro are you using?

  • @longdashes 4 years ago

    I really enjoyed this box. I do not understand its relatively bad rating.

    • @longdashes 4 years ago

      @Aidan Collins Yeah I was stuck on that a bit myself, but I think it was pretty manageable. The other stuff, especially the getting onto the box due to the adminer exploit was pretty cool imo.

  • @rujotheone 4 years ago

    Good video. Where can we get that wordlist?

    • @flrn84791 4 years ago +1

      SecLists

  • @pauliehorgan 4 years ago

    I really didn't like this box. It needed such a leap to run gobuster again on the utility scripts folder, and "the usual" wordlist didn't have what was required

  • @kret63 4 years ago

    See You next week!

  • @user-fp6dt1os1l 4 years ago +3

    That whole nmap "optimisation" thing at the start is totally unnecessary, nmap only runs scripts on open ports anyway

    • @craig3880 4 years ago +2

      I don't think it's strictly for this box. He's showing examples of "how" to use the tool other than just typing the usual. The great thing about ippsec is that he teaches you little tips and tricks that you might need on other boxes or for a specific reason. This is a very simple method for showing a powershell way to filter output from one tool and use it with others.

  • @Rahul-me8ws 4 years ago

    How to get so much knowledge like you

  • @ajjjjjjbullrider 4 years ago

    I found this program called ShellGen github.com/thejoker3000/ShellGen where you can create shells automatically. I use it sometimes and it comes in handy when I need a new shell. Someone called Th3J0k3r made it. Might want to take a look at it.

  • @marcostorres572 4 years ago

    :)

  • @muralidharansubburaman8863 4 years ago

    Hi great explanation..
    I know u r using parrot os .. i would like some help in tmux session.. u have ur ip address and u r running bash in zsh .. i would like to know how.. any help will be great

    • @jacquesmit502 4 years ago +1

      Ippsec is using the Hack the box “pwnbox” that’s an in-browser parrot install for VIP users. There is a github repository showing how to set up your parrot to look the same
      Can’t remember the link now but just google:
      pwnbox site:github.com

    • @muralidharansubburaman8863 4 years ago

      @jacquesmit502 thank u

  • @Eric-the-wise 4 years ago

    Es q ell...oh boy

  • @bruh_5555 4 years ago +4

    Fact: all great hackers are lazy, that's what makes them great

    • @Eric-the-wise 4 years ago

      Keep telling that to yourself skiddie

    • @themasterofdisastr1226 4 years ago

      @Eric-the-wise Yeah and while everybody else is pwning anything left and right, you are writing your programs and waste your time. Deal? Deal.

    • @bruh_5555 4 years ago +2

      @Eric-the-wise your condescending nature shows you're the skid

    • @Eric-the-wise 4 years ago +1

      You little skiddies are so cute 😊

    • @bruh_5555 4 years ago

      @Eric-the-wise ok boomer

  • @Ms.Robot. 4 years ago

    I'm your admirer💋.