About to say the same thing

Just Bold the command where it returns the error. for me _builtins_ (in get_flashed payload) always returned error. so i made it bold: {{ get_flashed_messages.globals. *builtins.open("/etc/passwd").read() }}*

@@neunzehnvierundachtzig Great, thank you!

Same here i got ssti on first place but never got the right font

I tried about 20 times playing with fonts. Then realized taking the screenshot directly from the webpage meant I could do it in 2 or 3

Its not an ippsec video if he doesn't have a typo and waste 5 minutes trying to troubleshoot it

@@Voskos hahaha

Guess you were to late bruv

what does it mean to be retired ? is it not good after retired or what ?

@@rajkaransinghgill2082 In Hackthebox, there's two categories of machines, active and retired. An active machine is a machine that's relatively new, this means there's no writeups or reviews available for you to see. A retired machine is usually a couple months old, and has writeups and reviews available. So the only difference is really release date.

Ippsec is an incredibly good hacker but he almost always has solved these boxes ahead of time. When you see him coasting through a box with zero downtime you aren't really seeing the true picture. In real life you don't always know what the next step is going to be. This is very important to realize since seeing someone else do these boxes so easily will lead to imposter syndrome. Ippsec is still going to get sucked into rabbit holes or whatever.

Basically whenever a user logs in via SSH it is configured to run "/usr/local/sbin/ssh-alert.sh" with root privileges. The sh script itself is just a standard script to alert the admin via email that an SSH login had occurred. The issue is however that our low-priv user has write privileges to this file. However, due to the attributes we can only append to the end of the file - we can't overwrite pre-existing contents. So as a result we append our command to execute at the end of the file with "echo 'COMMAND_TO_RUN' >> /usr/local/sbin/ssh-alert.sh". In this case he used a command to curl a reverse shell payload off his python webserver and pipe it to bash so it would be executed. Next was to make the script itself run. As noted previously, the script runs whenever someone logs in via ssh, so he got the id_rsa key for the current user then logged in via SSH using that. When the login was detected the ssh-alert.sh script ran, the command appended to the file executed, and the reverse shell was downloaded and executed.

If you mean the index.html basically you put the reverse shell code that works with bash inside index.html then you get the code with curl and pipe it to bash

def!! Just ask him some valid questions. he might reply here

He does. If you don't get a reply, just tweet @him.

He noticed that it was made with Flask. and Flask means SSTI mostly in CTFs.

You look at what the app is doing : it's converting a string meaning its potentially trusting user input. So SSTI to see if you can make it do mathz

If you put “id” inside id.sh and execute id.sh as root it will show root id and if you execute it as user it will show user id simple

That is the IP Address of my machine, we are telling the machine to reach back to my machine to get code to execute.

The room? 😂

@@flrn84791 aka "Box" ,"Machine", "instance". I hope you got the point.

It's a really cool idea and I like the recent emphasis on SSTI on HTB boxes. But man, was that text conversion crap annoying lol

If you have vip go for silo or mischief. These newer boxes with AI. It seems like everyone eventually knew attack method but the payload delivery was annoying. I saw the name of it and skipped it. I would have been trying to get a php Webshell on this thing forever tbh lmfao “python, php, Ruby, awk, php2-9, nmap? Nope. Baby’s screaming there’s a Saturday with nothing learned yayyy!!” Then we explain to the fam how much we appreciate them being understanding while you’re not working, not studying, no researching, or playing video games, but you’re angry and unsettled over a puzz… 3AM…wait a minute… SSTI?! Gonna sneak to the computer even though I told myself I’d never do that agai…YES! SSTI! Thanks Ippsec for the videos on ssti or I never would have thought of that. Wtf does this box have to do with time? Other than the quick overwrite at the end. It’s not a cron, pspy wasn’t needed, no “active users”, image to text converter -> shell -> ssh checker? I tip my hat to everyone who did this one. Great concept but still waiting on AI to get better before I start doing boxes with it. Just always seems aggravating. Voice, Books, Images, etc. I want to say Book was the other SSTI but was harder right?

You look at what you have. He tried ssti because he knew it was accepting input from an untrusted source. It also said that the app was made with flask, which supports this.

2. After you gain shell you do the same thing. What groups are you apart of? Can you read any ssh keys? What users and what groups are on the box? Did Nmap or 'ss' show you anything you haven't dealt with yet like mysql? Go check things like /var/ , /opt/ , try sudo -l, etc. If you have like mongodb ot mysql it's more likely that thays going to be apart of the next step. If not that, any custom bash scripts, cron jobs, etc. If there's nothing it's going to be permissions misconfigured somewhere

3. Think of it like tchekov's gun. These boxes are made to teach you something. If you see something there is almost certainly a reason why it is there. A box designer isn't going to make a bash script that deletes XYZ or an ABC that does whatever for no reason. Use what you have available and what is in front of you. Even something like the box name or an innocent mention like "made with flask" is done on purpose. Lastly, just practice. A lot of this is just putting in the time to get the experience.

@@somerandomwithacat750 i find expecting ssti here a big step. Normally you’d be piping data to some ocr program, then sending the response buffer out as a file. There is not reason to do any templating in that flow.

Watching back it does have html tags in there, so thats a small hint ig

Yeah a lot of the older boxes weren’t nearly as realistic, was a different time back then and the boot2root was more on the puzzle side than realism.