Great video, I actually used that exact Kernel Exploit on a different box yesterday!! :-) to get around the constant crashing/resetting I modified what the script was doing and got it to spit out the root flag text as it crashed haha. (Thanks to Fooby for the tip to modify the script). As always though mate, your videos are a treasure chest of knowledge. Thanks for taking the time to make and post them.

Two years later I just rooted this box today by building a lxd alpine image and creating a container and mounting the entire filesystem in the container.

Thank's for the video and the PHP command.

Another great video - thanks

I rooted this box completely different. What I did first was some recon, including nmap, nikto, dirb etc. First ended up chasing the rabbit hole on FTP exploits but couldn't make anything work so I moved on. After that I checked which directories dirb found and enumerated through all of those and eventually found the java file in /plugin. Unzipped it, decompiled it and found the password. Then from my enumeration I remembered finding a PhpMyAdmin page and a Wordpress Login, tried the found password on both services and got a hit on PhpMyAdmin. There I found a database with Wordpress users and found user notch and his password. Then remembered that SSH was running so I tried logging in on SSH with user Notch and it worked. First thing I did next was sudo -i and specify the found 'root' password in the Java file and I was root. I wasted a lot of time trying FTP exploits but still managed to root the box in under 2 hours, it was a fun one! I now realize I'm writing this from my girlfriend's account lol.

Damn, that sponge.jar file was a big rabbit hole. Should always try obtained credentials with every user.

Thanks - another great walkthrough. Quick question: what password did you use for FTP access to notch @15:51? Same as the SSH password? Not sure how that benefits us here? (Or did I miss something?)

Another great walk-through, I'm getting used to it :-) This machine hammered me. I tried to escalate from www-data for a complete weekend. The one thing I did not like was the way you became WordPress admin. instead of changing the admin password you could have created a new admin account without much more effort (copy the existing row in table users and insert a row with 'a: 1: {s: 13:"administrator";b: 1;}' into wp_usermeta). This way other users do not get distracted by a changed password and it's a bit more real world because it's less noisy.

Thx for the videos! Is it possible to share with subscribers with your tools in /opt directory?

Awesome walkthrough! I got the sudo -l one right away but was stuck on how to proceed fell into a rabbit hole trying the start.sh file and modifying cron. Just starting out with these boxes and love all your vids! tmux one helped a lot. I followed along for the other ways to exploit this one and decided to use kernel exploit www.exploit-db.com/exploits/45010 instead for priv esc and idk if I got lucky or if this one is more stable because I got it to work first try and didn't crash. Always looking forward to your videos and no doubts they'll be of a lot of help as I start my journey towards oscp also, For some reason the netcat reverse shell didn't work for me. I tried both of the ones listed at pentestmonkey and the standard one called back to my listener but the connection closed right away i tried different flags like -lkp and -nlvvp but it didn't seem to want to work. I know I could've cat the file but decided to just upload a more complex php web shell that allowed me to traverse and see what I was doing. Anyone know what could have been the problem with netcat?

what were you trying to do with the stty command?

Ha! Nice. I did this box completely different from www-data.

This was an easy one. A quick nmap find web goto wiki with is what i think was running WordPress append ?author=1 drops the user name then in plugins from dirb found file just viewed as binary password was obvious then always try password reuse and bam was rooted in less then 6 minutes

Hi there IppSec. I tried HacktheBox today. However, I am able to hack 2 simple machines. It is kind of frustrated because I manage to root 28 machines in OSCP lab within two months. Does Hackthebox comparably harder? Or it is just becasue I overlooked myself?

Curious what tool you are using to show your VPN status at the bottom and how you are doing the panes?

Just wondering what version of kali linux are using? How do you get side by side terminals ?

Can some one guide me im not able to get success by putting id_rsa(.)pub from host to target machine ftp> put id_rsa(.)pub not connected where im mistaking ?

This guy works at NSA. Is a Fucking Genius

burp suite shortcuts I found useful Send to Repeater Ctrl+R URL-encode key characters Ctrl+U

I cannot run reconnoitre. I get Traceback (most recent call last): File "reconnoitre.py", line 7, in from .lib.core.input import CliArgumentParser ValueError: Attempted relative import in non-package

What terminal mutliplexer is using in his videos ? tmux ?

apparently i could not get any shell by following along on 24:24 by doing exactly the same steps, wired

Cool😎

Link to download the machine please !

👏👏🖒🖒

lol i crashed the box 3 times with that exploit before moving on :X

Run apt install seclists instead that’ll work as well

You could just `/usr/bin/sudo su ` and you'd be root with notch's password.

The scanner you used is about a billion times harder than any normal scanner. Everyone who has common sense should just use dirbuster and save yourself some headaches.

Ni