I used the directory traversal exploit, logged into the CF dashboard as admin, set up a backdoor scheduler web shell, used the webshell to execute a meterpreter shell to get a standard user account. I wish I knew your Burp Suite tactics beforehand. Also the x64 suggester vs x86 suggester was something you just taught me which netted me admin. Thank you!
How did you login into the dashboard, did you use hydra, and if you did, how long did it take?
@@raymondken9177 rpcdump shows a hash you can crack to get the coldfusion password
A brilliant, well-explained walkthrough. Explanation was clear and detailed and not rushed. Thank you, sir.
This method didn't work for me but there is always something new to learn from your videos. Thanks for your efforts Ippsec! :)
God bless you Ippsec, for years I have enjoyed watching your videos
This is really good, the techniques you are using are really easy and completely understandable!
Ippsec is really awesome!
as always. awesome. the best CTF channel in the universe.
Thx ippsec, really enjoying the videos. Keep 'em coming
Incredible video! I'm learning a lot. Thanks ippsec and keep up the good work.
Really great video. The way you think is so eye opening. I'm just confused in one part. In Burp you discovered the null byte and jsp.
What was Metasploit trying to do with the text file added onto the jsp path? You then ignored that and clicked the jsp location. Thank you
You are the best! Thank you for all you do.
Is there a way to do the box without using metasploit? I feel like a script kiddie when I use it. I also heard that it's not allowed on the oscp exam.
you can use it for one time, and might want to save that for the most difficult box.
Thanks ippsec, I learn something new in every video. I knew about unicorn already but never used it before. Port forwarding with burp was interesting as well. You mentioned PowerUp; I'd like to see it in action in one of your videos if you get a chance to use it. Thanks for your videos.
Check Bastard out, that's a box I did without MSF and believe I used PowerUp.
Control + r ( in Burp to send to repeater)
Awesome tutorial! motivating to study!
Thanks ippsec
Has something changed in metasploit? By setting httpclienttimeout to 100 I am getting a Windows shell... when I background it, it's showing as a Linux shell... local suggester is also saying a Linux shell and MS10-092 also considers it a Linux shell... not able to privesc
You're a GOD dude. Love your vids.
Nice, you are a metasploit ninja. Great work.
You are the BOSS!! Thanks for sharing!
One question: Do you usually do these challenges for the first time while recording, or do you solve them first and then record the solution?
I'm pretty sure it's the latter. He solves the challenges and then when he finds out which box is being retired he makes the video.
thank you so much. this is gold teaching
Thanks brother for the walkthrough
@ippsec how do you paste from xclip into a vim editor? I tried SHIFT + CTRL + V but that didn't seem to work
shift+insert
Use the middle mouse click button.
Wow man, you are IT. Is it good for a beginner like me to start learning Python first before I get my feet wet in CTFs? I feel like I need to learn to program and learn networking concepts first. You are awesome
Brilliant, absolutely brilliant
Hey Ippsec, great job you are doing there as usual. I have one question: is there a way to get SYSTEM without meterpreter, thus without using this unicorn tool? I mean after getting the reverse shell, to try to escalate from there
Yep. When i get around to doing the video on Bastard, I won't use Meterpreter (or Unicorn) -- Should be next week.
You could probably (because I haven't tried) execute more than just "cmd.exe" in the initial exploit to launch a powershell agent connecting back to C2.
Secondly, instead of an nc listener, set up exploit/multi/handler with the necessary windows reverse_tcp handler and send the POST request again.
Who does IppSec watch when he wants to learn?
You're really awesome!
Hmmmm, if someone is doing this box, can you share with me how you did the escalation part?
I followed IppSec and noted the script generated by Unicorn is quite different from the one in the video and it does not work. IppSec's unicorn script starts with -w l - while in my script all the - become /
I followed the HTB writeups and noted it is not possible to download an msfvenom exe, cannot get a meterpreter..lol
Hi, just in case you hadn't had any luck since. I was having the same issues with unicorn so I generated shellcode with msfvenom and instead of using the powershell method to transfer it onto the box I used certutil.exe instead. Got my payload onto the box and my handler picked it up! Super frustrating but learned a fair bit. Check out LOLBAS on github for some alternative methods for file transfers on windows. Hope that helps.
@@RespectableMan-ci2jb thanks! That was a very useful tip
Impressive
Hey, how did you know all that???? I too want to start with HTB, but dunno what to learn first?
really really nice..
I cannot get the unicorn payload to work for me....
If by any chance this section is still active, can anyone help with the powershell_attack.txt file? For me the encrypted code is not similar to the above; It comes under two different headers namely - 'AMSI bypass code' and 'actual Unicorn payload'. I have tried running it natively but the stager doesn't get sent.
Any suggestions on how to edit the powershell_attack.txt file?
same problem
@@asielezra8227 I could not figure out the problem with PowerShell file and hence created an .exe payload using msfvenom, which worked for me.
Stumbled on the same problem, thanks for the tip!
@@covertly_overt So you use msfvenom to generate the payload. Upload it. And use the same expression to download and execute it ( powershell "IEX(......)")
And meanwhile with msfconsole multi handler listening ?
@@flamingoindigo4253 Yeah I too did the same and it worked. Thanks :)
Just trying to understand exactly why we used unicorn here. Was it to upgrade the simple reverse shell to a meterpreter session?
Yep. Unicorn's a relatively reliable way to get Meterpreter up and running from a simple powershell command.
Thanks . Hadn't come across it before, will add it to the bag of tricks.
cooooooool
I got a question: how do you make these green tabs? I am pretty new to linux
Check the tmux video on my channel
I'm a noob and I have a question as to why you do all the commands from /Documents/htb/boxes/arctic instead of doing the commands from just root
Just to stay organized. If I want to save output it generally goes to the current working directory
wtf how do you do all of this? I just signed in to hack the box... and basically I think I won't be able to do anything :P
Same scene for me lol 😂
@@karanjoshi7438 And now? lol 7 months after
now ?
@@msphr7426 it's just the same
The process is more or less the same. You just learn it. You start with an nmap scan, see what services it is running and look for exploits accordingly. From there on it takes a bit more searching, but most of it can be learned in a few months.
any better/other way to get a meterpreter shell from regular reverse shell?
-sC is for default script not safe scripts... i am pretty sure you know this and it must have been a slip of tongue.
I have an issue where, once I get a meterpreter session and I interact with the session, it just says Unknown command: sysinfo. Anyone else have an issue like this? I even tried on my local test systems on vmware and it seems that with unicorn sessions I always get this issue.
I could be wrong but I think sysinfo is for powershell, systeminfo works in cmd
Tried to do the walkthrough, Arctic kept dying on me. Great tutorial, s#ity VM.
Hey can we use that netcat trick in OSCP exam because I've heard that we can use msfvenom for all those 5 machines
I don't see why you wouldn't be able to, but I'd ask OffSec to be sure.
You can use msfvenom as many times as you want for OSCP. The instructions are pretty clear on the use of metasploit though.
can i use unicorn in oscp exam?
i want to know the same thing.
Did you finish your exam?
How do we know that we will use .jsp as the shell extension? We could use asp, aspx etc. since CF also uses those languages?
The metasploit module sends payloads in .jsp
How did you paste from xclip into vim? Ctrl+Shift+v didn't work for me.
when in insert mode, hit ctrl-r *
or type :set paste
bro can we do ms10-092 without metasploit ?
It would be better if you solved it without metasploit... Thanks
haiiiiii
Hi, is there any difference between using unicorn.py or using the web_delivery module? In the end the two are powershell meterpreters, right?
End result is the same. How it gets there is different. Just look at the powershell code from Unicorn and Web Delivery and you'll see they are a bit different.
Every time I follow these walkthroughs, it fails on my box :/ got nothing from burp... then I try the pdf walkthrough and get nothing but timeouts when I try to upload the script.
Don't feel too bad. I am doing this box now and I have the same issue. Burp won't return anything to me. In the other walkthrough my reverse shell never starts even though coldfusion downloads my file from my python web server
@@roblou8222 it took several views for me to realize that the post was already populated in the burp 'repeater' request. that would have been there from a previous run. I thought you might be stuck on the same thing with burp.
did you include jsp, xml or appropriate file types to intercept? I see some js codes there in the video
@@seanconley104 Hi Sean. I have come back to Arctic again after some time and still the same issue, nothing in burp. Actually I just edited this post. You're correct. So what ippsec did was send it to repeater first without sending it from the proxy tab. My response did come back to the proxy tab rather than repeater. Thank you.
hey ippsec, I've seen in a video that you're using "john2ssh" on another machine. Could you plz share this machine's specs????
By the way, this vid shouldn't be on yt. Because of you I lost my points -_- AND THIS MATTERS XD
Not because of me. I post videos after they retire the box, which is when they lose points. Admins of the site have no problem with these videos.
They should, because of the 'ownershipPercentage' param in counting points.
The formula looks like this:
'Formula: round((userOwnPoints + systemOwnPoints + challengeOwnPoints + userBloodPoints + systemBloodPoints) * ownershipPercentage)'
It's possible that ownership doesn't include retired, not sure there. If the owners change their stance I'll remove the videos, but as of right now I believe they do more good than bad. In the end points don't really matter and I know they've helped people learn.
Ownership % calculates all machines including retired.
Yes, when a box becomes retired all points are removed. That way new users can still get high on the leaderboard and it doesn't become a game of who has been around longer.