Kohsuke is the forename of the dude who built Jenkins
@err0r-completion 6 years ago
This video is a goldmine for windows enumeration and reverse connections. I bashed my head around for about 7 hours running different jenkins jobs and just ended up with user flag lol. Thanks for putting this up.
@cvija997 6 years ago
Well, I decided to dig a bit deeper in this category of computer knowledge, but nowhere in any free course is as much shown as you did in your single video, thanks for posting!
@jwouter 6 years ago
To get the root you can simply do more < hm.txt:root.txt > output.txt
@audi1800G36C 6 years ago
Wow, what an interesting way to get the first flag. I executed groovy scripts to navigate to the user.txt file
@blcksmith 4 years ago
Just a suggestion: to connect with the hash you also can use psexec.py instead of pth-winexe passing the hash with the parameter -hashes, like this: psexec.py administrator@10.10.10.63 -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00
@hamadahamada3600 6 years ago
Thank you dude for your time and your channel ... keep it up
@randymann2956 6 years ago
IppSec, please explain the reasoning behind taking one route or not taking another route in getting to shell and getting to root. Your video shows a different way to get to limited shell and I appreciate the teaching. Your method in getting to limited shell may not be the most straightforward in this Jeeves video but it is definitely enlightening and I think this is what many people hope to learn from your video. A different way or non-standard way to get to limited shell. Another reason why your videos are popular is because you usually explain the reasoning behind taking one route or not taking another route in getting to shell. I wonder if you could explain your thinking behind not using the output of Windows Exploit Suggester for dealing with Jeeves since this Suggester tool looks like an important tool for dealing with Windows boxes. Is it because the output of Windows Exploit Suggester is a rabbit hole? And if yes, in the future please explain why the output of certain tools is sometimes a rabbit hole while most of the time they are very useful so that we know what to look for in using those tools. Thanks a million.
@ippsec 6 years ago
The real answer to the question is because if I did show the same tools/techniques in every video it would become very repetitive. I try my best to ensure that when you watch my videos on a weekly basis, you aren't seeing the same stuff every week (or even every month). The reason why I don't dig into the weeds and say things like "I'm using PowerUp instead of Windows-Exploit-Suggester because it checks for Tokens" is because most of the stuff you see here is still under development and by the time you watch it, the other tool may have that feature. In the end, the goal is to show how to exploit these boxes. It's up to you to spend the time to go the extra mile and take notes, or run the other tools you know of and see how the output differs.
@randymann2956 6 years ago
IppSec, thanks for the super fast reply. I was looking forward to learning how you would use Windows Exploit Suggester or equivalent in cracking Jeeves because this Suggester tool is the first tool that comes to my mind when dealing with Windows boxes. I am still trying to get the hang of using Windows Exploit Suggester. I have looked at close to 20 walkthroughs about Jeeves and so far only 1 of them uses Windows Exploit Suggester and that walkthrough failed to show enough steps for me to learn from.
@GuiltySpark 6 years ago
Yes thank you for using different tools and showing multiple routes it helps the learning
@PierreMandrou 4 years ago
Hi, during the write up of conceal (10.10.10.116), you used JuicyPotato to do the privEsc. It seems that I can't make JuicyPotato work on this machine even if the flag SeImpersonatePrivilege is set to yes. In theory, everything that RottenPotato can pwn should be pwnable by Juicy Potato too, right?
@PierreMandrou 4 years ago
Edit: sorry, it works like a charm! Thanks for your write up!
@rouhani133 2 years ago
@@PierreMandrou which command did you run? With JuicyPotato, it is only possible to add the user to the Administrators group, but not possible to connect back to Kali, what do you think? Thanks
@frankkesel7252 6 years ago
Thx for the vid... Take care of u man. You seem a bit off/tired. Super appreciate it anyway.
@vladimirivanov2746 6 years ago
IppSec YOU ARE THE BEST :)
@buzzkill5190 6 years ago
man you should write a book on pentesting
@douglasmclainberdeaux1534 5 years ago
You can "yank" the line in `vim` with `yy` to copy an entire line :)
@deathfromthekrypt 6 years ago
How much time did it take for you to finish the box?
@jwouter 6 years ago
This was a bit of an unstable box ... cracked it yesterday after playing with PowerShell for days, used the noisy method of getting a Meterpreter shell. On my initial scan, port 445 was closed so had to use port forward to execute the pass the hash attack to get root. Interesting box but too slow / unstable 😏
@michaelwatts1186 10 months ago
@ippsec - Curious where is your lineage accent from?
@3rg1s 6 years ago
Just to let you know you entered the CEH.kdbx as key file and not as the database at 30:08.
@locphan620 5 years ago
I think so too, that's a key file
@Cygnus0lor 6 years ago
Finally. I despise this machine. Made me rage quit so many times.
@snoopdeckin 6 years ago
Wanted to watch video of tally.... Thought it would be available this Saturday.. please make tally...only you can make it.
@jeffstanley2972 3 years ago
Awesome content! Amazing tmux skills! Can anyone explain the difference between rotten potato and juicy potato for Windows priv esc?
@ippsec 3 years ago
Been a while but I believe RottenPotato only abuses the BITS COM Object, JuicyPotato lets you pick different COM Objects in case the BITS one is not there.
@jeffstanley2972 3 years ago
@@ippsec thanks for your reply. You and your videos are a great asset to the cyber security community! Thanks for all that you do it is very much appreciated!
@t3jv1l37 6 years ago
THX for video ...but I was in Jeeves when he retired :(
@nmkkannan1256 4 years ago
Hi, How did you identify the version of jenkins used
@JiyongShinful 5 years ago
when do you do reverse_https and reverse_tcp when creating msfvenom??
@Kevin-vr2lg 3 years ago
I think it really depends on the target box, if there is a firewall, you may only be able to work with a reverse shell coming back to the testing box at port 443 (HTTPS), otherwise, TCP connection is the preferred, and faster choice, imo.
@Kevin-vr2lg 3 years ago
And if both connections are blocked by FW, you can always send a reverse shell back to DNS port 53 or using ICMP, which would be significantly slower than the methods described above.
@aharonmo4188 4 years ago
Where can I download the whole opt folder that you are showing here?
@Pradeep-vl5yf 6 years ago
Where to learn your skills in hacking
@pentestingarabiclanguage6717 6 years ago
Hello again, I have a problem: when I start scanning with Kali my connection drops. Can you help me please?
@michaelyadidya8742 4 years ago
I use EvilRm PS instead of normal Powershell . Downloading and Uploading with it is very easy. I am binge watching all the windows machines IppSec why don't you use it in your videos?
@ippsec 4 years ago
Because that tool was released March 2019 and this video came out May 2018. I don’t think I’ve used it in a video yet, because the one or two after March 2019 used a login method that at the time wasn’t supported, so I used a ruby module to make it easy to change login methods. Lastly, I’m pretty sure that tool was created because of HTB machines so it will probably always work great in HTB as that’s the test environment. Small configuration changes can throw it off so it’s important knowing how to do it the “supported way” by using MS products. Doing windows things from linux works 95% of the time but the 5% time it fails it’s just like “access denied” or “RPC error” when the error was really in impacket, winrm, etc.
@sirisonto 4 years ago
Can't find the script. Could you type the entire name? Can't transfer the db
@michaelyadidya8742 4 years ago
@@sirisonto Which script?
@sirisonto 4 years ago
@@michaelyadidya8742 EvilRM PS
@michaelyadidya8742 4 years ago
@@sirisonto github.com/Hackplayers/evil-winrm
@CoachAcroTiger 6 years ago
more < hm.txt:root.txt
@shankaranarayana6568 4 years ago
meterpreter > list_tokens -g
[-] Error running command list_tokens: NoMethodError undefined method `config' for nil:NilClass
Anyone run into this issue?
@mayankdeshmukh8752 4 years ago
Did you run incognito before list_tokens command?
@shankaranarayana6568 4 years ago
@@mayankdeshmukh8752 Yes followed it exactly as he shows in the video.
@mayankdeshmukh8752 4 years ago
Maybe try on a different vm like parrot. Pretty sure it's metasploit error, because yesterday I myself used the same steps on Tally machine.
@komradz5577 6 years ago
Can't we use notepad hm.txt:root.txt?
@ippsec 6 years ago
Yep. There’s a bunch of ways to do it. Notepad would only work if you had a GUI though, so if you had reverse_vnc’d.
@komradz5577 6 years ago
IppSec yes sure maybe we can use more ,great video !
@isfk 5 years ago
Do a video about you, and what you do. Put a face to Ippsec.
@ippsec 5 years ago
I really enjoy going to cons/training/etc and not being recognized. It’s great to chat with people about HTB and have them recommend videos to me. Also it would suck to go meet with a CISO or something and have the security team recognize me, which then tells them a pentest is happening.
@wheeler90 5 years ago
This is seriously fucking frustrating... I've just started doing these retired machines only to find out that they have been changed so when I go looking for hints to help get past points of being stuck the fucking hints are no longer valid because it became a good idea to change the fucking configuration on the machines. Back to the drawing board now that I've gotten that off my chest. Or maybe I'm just tired it's after 3am and I've been up since 3am the morning before. Target machine won't connect to the smb share I created. HELP!!!! taking a nap maybe later in the morning I'll figure it out.
@wheeler90 5 years ago
I figured it out... had to use wget... for whatever reason IEX or IWR worked.
@dmknght8946 6 years ago
I hateeeeee this box
@RowanSheridan 6 years ago
Man I went totally wrong on this box - here's where I got stuck offsecnewbie.com/2018/05/17/jeeves-hackthebox/
@shivangkumar6646 6 years ago
Bro please help me to decode the .txt file in poison which is encoded 13 times.. I tried many different things but I don't think I am on the right track😑
@shivangkumar6646 6 years ago
What type of encryption is it?
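@hafidhzouahi7146 6 years ago
```python
from base64 import b64decode

s = "[base64 encoded string here]"  # placeholder for the encoded text
while True:
    try:
        # Peel off one layer of base64; stop once the data no longer decodes
        s = b64decode(s).decode()
    except Exception:
        break
print(s)
```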
@fhlipZero 6 years ago
you could... try harder?
@Exploitmenot 6 years ago
I don't know, you are awesome but you are overthinking these machines and can't do a straightforward walkthrough. As much as I love your style, it's too hard to follow your videos.
@ippsec 6 years ago
What part was hard to follow?
@Exploitmenot 6 years ago
9:00-24:00. It's much easier to gain a reverse shell using a groovy script directly, then you can manipulate that file and do whatever you want without using Nishang and so on. I am not saying your video is not a good way to learn but it's too much information when you can do it straightforward, from point a to point b without making a whole story and resume
@Exploitmenot 6 years ago
gist.github.com/frohoff/fed1ffaab9b9beeb1c76 boom and I won 15 minutes without typing so many commands and I have done same action like you. And you have done in 24 minutes I have done in 5 minutes.
@ippsec 6 years ago
To be fair, it took 23 minutes because I broke it down in pieces to explain what is going on. Sure you could just google and find something that does it all for you. However, if you don't break it down in pieces you may miss vulnerabilities. What if there was a firewall? Or application whitelisting? I do like your method but there is also benefit in using universal methods like Nishang, as it works in more scenarios whereas pure-groovy is much more niche. In the end, it's best to know both a pure groovy way to download files and method to do code execution. So you could do things like "lolbins" to bypass application whitelisting.
@Exploitmenot 6 years ago
I mean, in this case you don't have it. What you are saying: "You have a login page with default credentials but you are still trying 3, 4 types of password attacks instead of trying default credentials/easy solution" :). This is just my opinion, I respect you!
@dilgarda 1 year ago
For me, the potato attack does not work with the given tools in the video i.e. rottenpotato.exe, always "No impersonation tokens available". But I managed to get a nc rev shell with juicy potato.