HackTheBox - Haircut

  Views: 43,424

IppSec

Comments: 67
@tigermelissa 5 years ago
Thank you so much for leaving in the "mistakes" or things that just don't work so that we can see your process and troubleshooting. It's extremely helpful.
@tigermelissa 3 years ago
@fisherahmad2781 neat, but maybe don't hack your SO's stuff... Those aren't building blocks for a healthy relationship 🤷‍♀️
@Clutchisback1PC 6 years ago
The little things like "stty raw -echo" to get tab complete to return to a local shell will never be forgotten. It's these little things that keep me digging through your videos along with the great clarity, simplicity, and comprehensive explanations you provide in your walkthroughs....Thanks!
@n1ckhacks697 7 years ago
Every time I watch your videos my way gets more clear. Thanks Ippsec 😊
@TechyTubeDotCom 5 years ago
He brings all the reading, courses, videos into one awesome chain of how it works together.. Love your work @ippsec :)
@gabrielalicea4803 5 years ago
I love watching your videos. I learn so much from them. Thank you for the effort.
@frankleitner 4 years ago
To compile on the box itself, just add the location of cc1 into PATH: export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/5/
@KM-tz2ef 4 years ago
Thank you!! Super useful.
@redpanda31337 3 years ago
Bit late to the party, but in the PATH of www-data is a /. In the end, so would be enough to just cd into that directory maybe
@MalikAbdullah-je9cp 1 year ago
Man, You have gained my respect in totality. Hats off to you man. Really appreciate it! It's people like you we need in the community so much. Thanks man!
@PR1V4TE 1 year ago
I'm enough with uid and gid. Bcus I can directly get clean root from root's uid and gid. With these both..! I just watched this bcus you said you've explained more indepth about screen 4.5.0. but still loved it.
@morvannozahic6575 4 years ago
Thanks for all your videos. I might be a little bit late, but at 27', C code needs to end with an empty line after the curly bracket it might be the reason why you have the error
@RowanSheridan 7 years ago
You should have a lot more subs. I love watching your vids and learning about your thought process when tackling boxes.
@mr.roboter 5 years ago
This is awesome video. Thanks IPPSec sir
@arty3514 6 years ago
ippsec has to be the guy from My Little Toaster movie. The one with the big 4x4 who collects and works on electronics. Sounds exactly like him; and also works on computers.
@SonOfABeach1997 4 years ago
For foothold I managed to get a restricted shell by sending a line feed to the curl command and executing commands, however failed to escalate it to an unrestricted shell. So ended up doing it the same way in the uploads directory.
@laurencedale3854 7 years ago
Congrats on the Shocker first blood :)
@krisrp0 4 years ago
I cannot get this exploit to work no matter how closely I follow the directions. I wind up with some sort of corruption and I need to keep on resetting the machine
@lIlIllll1 3 years ago
How did you know to edit the rootshell.c file with a system command?
@akbarkp4216 7 years ago
@IppSec when I run stty -raw echo it works fine for first time and when I try the second session from netcat it just hangs.. ctrl+z also doesn't work at this case.. Can you help me move on?
@ippsec 7 years ago
I'd recommend just getting another shell, changing to the user you want, then doing the tty trick.
@Danielmofer 5 years ago
@ippsec What you press to come back to the tty(with the reverse netcat), because after I execute "stty raw -echo" my terminal doesn't react.
@IamFulgus 5 years ago
I know it's been a while since your comment, but after that command he presses "fg" on the keyboard to invoke the background process (the ncat) to foreground, then press enter and the enter again to get the proper shell
@thedawnofslayer 5 years ago
@19:29 Back to the roots, no GTFOBins at that time.
@evstefan6686 7 years ago
great job thank you so much for sharing. I have a question: which is the reason for typing import pty; pty.spawn("/bin/bash")? thanks again
@ippsec 7 years ago
It's creating a pseudo-terminal for us. Think of it like a persistent session, without having it we send information get information back and close the session. Doing that breaks a lot of things, for example when you type something and it asks a question. Or use less/vi/etc. Having it always makes it easier so that's generally the first step after getting a reverse shell.
@evstefan6686 7 years ago
thank you for respond ippsec
@DavidThomsenPhD 6 years ago
When I edit the request headers in repeater and hit go I'm getting nothing. What am I doing wrong?
@hamdisaidani3231 7 years ago
Thank you you the best
@justaguy3158 7 years ago
Love you man.. keep going 😘
@dahaahk7624 7 years ago
IppSec and vap0r thanks thats great!
@neoXXquick 7 years ago
Great stuff.. as always...
@somerandomwithacat750 1 year ago
All my homies hate compiling exploits
@MrPakeryoko 7 years ago
i wonder why u didn't Lame, Legacy and Granny !
@tw3t3 7 years ago
Hello) That is awesome what are you doing) You share not only the solution, but the way of thinking. Thanks! May I ask, where did you get all linux enum scripts for LPE ? Seems, you look for /opt directory) That is no default.
@ippsec 7 years ago
Google is your friend, search on filenames I use and generally you'll find them on github somewhere.
@tw3t3 7 years ago
IppSec 2/3 scripts has been found. Except unIxprivsec, found similar but too old, more than 4 years.
@ippsec 7 years ago
That is probably it. When doing privesc, new scripts may miss stuff on very old boxes. So it's nice to have legacy stuff around. New isn't always better, right tool for the job.
@tw3t3 7 years ago
IppSec , thanks for assist!
@amjadhammoudeh7954 6 years ago
what does stty raw -echo actually do ?
@ippsec 6 years ago
Watch either popcorn or the video after that, I explain it there. Hard to explain in text
@amjadhammoudeh7954 6 years ago
Thank you mate
@DavidThomsenPhD 6 years ago
Hey IppSec how did you send the other request to the second tab of repeater at 9:23
@ippsec 6 years ago
Ctrl+R
@Danielmofer 5 years ago
and how did you decode the URL into plain text? @ippsec
@marcchamizogilabert5766 5 years ago
@Danielmofer Ctrl+Shift+R
@kab3800 4 years ago
@Danielmofer ctrl+shift+U
@JoshieRonark 4 years ago
hello ippsec. i searched for an hour but i don't get any answer. i'm trying to execute exploit but my gcc throwing errors. which libraries do i need?
@ippsec 4 years ago
hard to know without the error messages, saying what is missing
@JoshieRonark 4 years ago
@ippsec hello ippsec. thank you for the reply. i'm really really sorry. i installed bunch of gcc libs but didn't restart my system to not lose shell... i tested today and it works well.. :( i'm really sorry for wasting your interest on my problem.
@malikbenkirane4462 6 years ago
Hey! did I miss something or you didn't said where to get gobuster from ?
@ippsec 6 years ago
Github. But you can just do apt install gobuster now
@malikbenkirane4462 6 years ago
@ippsec damn, I must have mistyped my search last time and commented too quickly, sorry for that
@Nakul8007 3 years ago
Shhh…shhhhh
@panagiotismitkas5526 7 years ago
Hello Ippsec, one question that might be irrelevant but I want to ask. Can this input on exposed.php be used as a ssrf exploit?
@ippsec 7 years ago
Yes. If there was no way to perform code execution or save files, it would be categorized as an SSRF. I generally ask myself: "can this be used to act like a proxy into their private network"? and if the answer is yes, I'd label SSRF. Whether or not that's correct or not, I have no idea there are countless labels for exploits.
@panagiotismitkas5526 7 years ago
IppSec actually I'm not asking how it can be labeled, but if it can be exploited with ssrf. Sorry if I was not clear.
@ippsec 7 years ago
SSRF doesn't directly allow for code execution and I don't believe any other services were listening on loopback. So I believe the answer is no. You'd mark it as a finding as it is indeed a SSRF-able but it does not get you anything.
@panagiotismitkas5526 7 years ago
Ok, clear! Thanks a lot. The reason I'm asking is because I found a similar user input on another machine but there I cannot explanation exploit it with command injection
@Fatima-ug5rj 11 months ago
Why am I getting this error at the end */tmp/rootshell: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /tmp/rootshell)*
@looseandjanglingproductions 7 months ago
Me too. Googling is not much help at the moment.
@metasploitation7847 6 years ago
a more risky way that worked for me without crashing, not recommended for a pentest was - exploits/linux/local/44298.c
@ajinkyapathare3308 7 years ago
hey IppSec Why don't you upload a nice meterpreter php shell rather than doing it via nc and other things? meterpreter even has search features in it so why to let the victim know that you were there by using bash and getting every command logged in .bash_history
@ippsec 7 years ago
I just like netcat better. There aren't any post exploit meterpreter modules I'd want to use on linux, and I don't believe tab autocomplete works? As far as bash history, there are ways to prevent that without meterpreter.
@kamiixerprivado518 6 years ago
create a burpsuite course