That autocorrect on globals tho. I was screaming internally when it happened.
@denic6861 · 2 years ago
About to say the same thing.
@kenshinjo5472 · 2 years ago
I struggled so hard with this one, but watching this video and seeing how you did it makes me want to go back to the box again.
@burekhacks · 2 years ago
Tried so many times with different fonts and sizes and it never worked, so I gave up after a while.
@neunzehnvierundachtzig · 2 years ago
Just bold the command where it returns the error. For me, __builtins__ (in the get_flashed payload) always returned an error, so I made it bold: {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
@burekhacks · 2 years ago
@@neunzehnvierundachtzig Great, thank you!
@pratiksawant8119 · 2 years ago
Same here, I got the SSTI at first but never got the right font.
@cipher3966 · 2 years ago
I tried about 20 times playing with fonts. Then I realized taking the screenshot directly from the webpage meant I could do it in 2 or 3.
@IvesvanderFlaas · 2 years ago
You make it look so easy. I spent time looking for exploits for Tesseract and the Python tesseract package but didn't find any that worked. I feel stupid now.
@gwerneckpaiva · 2 years ago
The text to image process was a nightmare!
@velomeister · 2 years ago
This machine was a pain in the ass.
@Ms.Robot. · 2 years ago
Very well done. 🤩
@upup5133 · 2 years ago
Amazing description XD
@shiffterCL · 2 years ago
Great work!
@cipher3966 · 2 years ago
For the image part: after more than 20 attempts I realised that it worked much more easily if I took the screenshot directly from the webpage example rather than from my own text editor.
@Landee · 2 years ago
11:54 you rename it with the right click, it removes the "s". 12:55 that's where the error comes from.
@Voskos · 2 years ago
It's not an IppSec video if he doesn't have a typo and waste 5 minutes trying to troubleshoot it.
@Landee · 2 years ago
@@Voskos hahaha
@tic977 · 2 years ago
I did the priv esc with a cron job that was possible to run with a badly set PATH.
@cipher4873 · 2 years ago
W YouTuber
@texastitan6567 · a month ago
15 is crazy, I was on my 86th screenshot before getting code execution 😂😂
@laurenlewis4189 · 2 years ago
I'm fuming that Comic Sans worked when I installed like a dozen non-default fonts to try out different monospace and dyslexic-friendly fonts.
@javamiya1980 · 2 years ago
❤❤❤
@matheusdesouza8056 · a year ago
This root was very cool.
@and_rotate69 · 2 years ago
For the root flag, append chmod u+s /bin/bash, then log in with SSH, then bash -p.
@edwardwhite8253 · 2 years ago
Goddamn it, this box is already retired? I was planning on doing it a week ago.
@damuffinman6895 · a year ago
Guess you were too late, bruv.
@rajkaransinghgill2082 · a year ago
What does it mean to be retired? Is it not good after it's retired, or what?
@damuffinman6895 · a year ago
@@rajkaransinghgill2082 In HackTheBox there are two categories of machines, active and retired. An active machine is one that's relatively new; this means there are no writeups or reviews available for you to see. A retired machine is usually a couple of months old and has writeups and reviews available. So the only difference is really the release date.
@MoofyYT · 2 years ago
Nice that you've converted to Flameshot.
@democsrf2793 · 2 years ago
Lessgoo
@memedaddyz · 2 years ago
I didn't get the part with SSH and curl as a user.
@purya2595 · 2 years ago
Could you share this box's Docker image?
@LolLol-dj1tf · 2 years ago
How are you so good? Like, you complete vuln boxes so quickly? How do you always find the next clue? Teach us pls.
@somerandomwithacat750 · 2 years ago
IppSec is an incredibly good hacker, but he almost always has solved these boxes ahead of time. When you see him coasting through a box with zero downtime you aren't really seeing the true picture. In real life you don't always know what the next step is going to be. This is very important to realize, since seeing someone else do these boxes so easily will lead to imposter syndrome. IppSec is still going to get sucked into rabbit holes or whatever.
@khanhhnahk1 · 2 years ago
Hi, can someone explain the reverse shell part in detail for me? Thank you so much, guys!
@-bubby9633 · a year ago
Basically, whenever a user logs in via SSH it is configured to run "/usr/local/sbin/ssh-alert.sh" with root privileges. The shell script itself is just a standard script to alert the admin via email that an SSH login has occurred. The issue, however, is that our low-priv user has write privileges to this file. However, due to the attributes we can only append to the end of the file; we can't overwrite pre-existing contents. So as a result we append our command to execute at the end of the file with "echo 'COMMAND_TO_RUN' >> /usr/local/sbin/ssh-alert.sh". In this case he used a command to curl a reverse shell payload off his Python web server and pipe it to bash so it would be executed. Next was to make the script itself run. As noted previously, the script runs whenever someone logs in via SSH, so he got the id_rsa key for the current user, then logged in via SSH using that. When the login was detected, the ssh-alert.sh script ran, the command appended to the file executed, and the reverse shell was downloaded and executed.
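The misconfiguration described in the comment above (a script that PAM runs as root on every SSH login, which a low-privilege user may write to) is something an administrator can check for before anyone appends to the file. The shell script below is an added example written for this page, not code from the video or from the box: it pulls pam_exec.so entries out of a PAM configuration file and reports any referenced script that is not owned by root or carries a group or other write bit. The append-only attribute mentioned in the comment is no protection here, since appending a single line is enough; the write permission itself is the finding. The pam_exec lines, script paths and hook contents in the demo are constructed samples, the function names (list_pam_exec_scripts, assess_mode, check_script_perms, audit_pam_file) are this example's own, and it assumes the pam_exec command takes no arguments of its own.

```shell
#!/bin/sh
# Added example (not from the video or the box): audit the scripts that PAM
# launches through pam_exec.so and flag any that a non-root account could
# modify. The risk in the thread: a login hook executed as root that a
# low-privilege user can write to. The append-only attribute ('a' in lsattr)
# does not help, because appending a line is enough; who may write matters.

# list_pam_exec_scripts FILE: print the command from every active pam_exec line.
# Module options (seteuid, quiet, ...) precede the command, so the command is
# the last field (assumption: the hook is invoked without arguments).
list_pam_exec_scripts() {
    awk '/^[^#]*pam_exec\.so/ { print $NF }' "$1"
}

# assess_mode OWNER MODESTRING: pure check on an ls -l style mode such as
# "-rwxrwxr-x". Prints "ok" or the findings, space separated.
assess_mode() {
    findings=""
    [ "$1" = "root" ] || findings="$findings not-root-owned"
    case $2 in ?????w*) findings="$findings group-writable" ;; esac      # char 6
    case $2 in ????????w*) findings="$findings other-writable" ;; esac   # char 9
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

# check_script_perms PATH: read owner and mode of a real file and assess them.
# ls -ld is used instead of stat so the same code runs on GNU and BSD userlands.
check_script_perms() {
    [ -e "$1" ] || { echo missing; return 0; }
    # positional params become: path mode links owner group ...
    set -- "$1" $(ls -ld "$1")
    assess_mode "$4" "$2"
}

# audit_pam_file FILE: one line per pam_exec script, "<path>: <result>"
audit_pam_file() {
    list_pam_exec_scripts "$1" | while IFS= read -r script; do
        printf '%s: %s\n' "$script" "$(check_script_perms "$script")"
    done
}

# Demo on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho login >/dev/null\n' > "$tmp/hook.sh"
    chmod 775 "$tmp/hook.sh"   # group-writable: any group member can append to it
    printf '#!/bin/sh\nexit 0\n' > "$tmp/safe.sh"
    chmod 755 "$tmp/safe.sh"
    # Constructed PAM fragment modelled on a pam_exec login hook.
    cat > "$tmp/sshd" <<EOF
# session hooks (constructed sample)
session    optional   pam_exec.so seteuid $tmp/hook.sh
session    optional   pam_exec.so $tmp/safe.sh
EOF
    audit_pam_file "$tmp/sshd"
    rm -rf "$tmp"
}

demo
```

On a real host the entry point is audit_pam_file /etc/pam.d/sshd (or whichever PAM file carries the hook); a clean result is every line ending in "ok", and anything else is a file that a non-root account can change before root runs it.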
@khaloodkj886 · a year ago
If you mean the index.html: basically you put the reverse shell code that works with bash inside index.html, then you get the code with curl and pipe it to bash.
@DeepanshuSingh_ · 2 years ago
Box is late.
@oni1350 · 2 years ago
Does IppSec answer subscribers?
@cimihan4816 · 2 years ago
Def!! Just ask him some valid questions. He might reply here.
@SSHad0w__ · 2 years ago
He does. If you don't get a reply, just tweet @him.
@vishnup5080 · a year ago
Make a video on RedPanda pls.
@skyone9237 · 2 years ago
Honestly, I had no idea what to do with this box... how did IppSec straight away decide to try SSTI??? Well, he is very experienced, but this kind of box won't make sense to beginners like me.. 😂
@neunzehnvierundachtzig · 2 years ago
He noticed that it was made with Flask, and Flask mostly means SSTI in CTFs.
@somerandomwithacat750 · 2 years ago
You look at what the app is doing: it's converting a string, meaning it's potentially trusting user input. So SSTI to see if you can make it do mathz.
@takeshikovacs1081 · 2 years ago
So the reason you became root is because the PAM module runs the ssh-alert script as root? I don't entirely understand that last part.
@khaloodkj886 · a year ago
If you put “id” inside id.sh and execute id.sh as root, it will show root's id, and if you execute it as a user it will show the user's id. Simple.
@tg7943 · 2 years ago
Push!
@hondatech5000 · 2 years ago
Took me about a hundred more uploads. I ran linpeas and was looking into exploiting the env PATH, couldn't figure it out. Totes missed the append, tried all kinds of stuff, missed out on root :/
@rajkaransinghgill2082 · a year ago
At 14:21, why are we using the IP address 10.10.14.8? The IP for the host was different. Please, someone clear this doubt.
@ippsec · a year ago
That is the IP address of my machine; we are telling the machine to reach back to my machine to get code to execute.
@nectius123 · 2 years ago
IppSec did it in 15, I did it in 45… Does that mean I'm worth 1/3*IppSec? If so, hell yeah!!?? Progress!!
@sand3epyadav · 2 years ago
I have done this, but reading the SSH key took 1 hour.
@declanmcardle · 2 years ago
Warning: the support telephone number is country code 234 = Nigeria. 🙂
@neunzehnvierundachtzig · 2 years ago
The only frustrating part was the OCR foothold. And the name doesn't suit the room, though.
@flrn84791 · 2 years ago
The room? 😂
@neunzehnvierundachtzig · 2 years ago
@@flrn84791 aka "Box", "Machine", "instance". I hope you got the point.
@anthonyquattrocchi6252 · 2 years ago
This was one of the most annoying boxes I've attempted on HTB.
@somerandomwithacat750 · 2 years ago
It's a really cool idea and I like the recent emphasis on SSTI on HTB boxes. But man, was that text conversion crap annoying lol.
@T1081198 · 2 years ago
If you have VIP, go for Silo or Mischief. These newer boxes with AI. It seems like everyone eventually knew the attack method, but the payload delivery was annoying. I saw the name of it and skipped it. I would have been trying to get a PHP webshell on this thing forever tbh lmfao: “python, php, Ruby, awk, php2-9, nmap? Nope. Baby’s screaming, there’s a Saturday with nothing learned yayyy!!” Then we explain to the fam how much we appreciate them being understanding while you’re not working, not studying, not researching, or playing video games, but you’re angry and unsettled over a puzz… 3AM… wait a minute… SSTI?! Gonna sneak to the computer even though I told myself I’d never do that agai… YES! SSTI! Thanks IppSec for the videos on SSTI or I never would have thought of that. Wtf does this box have to do with time? Other than the quick overwrite at the end. It’s not a cron, pspy wasn’t needed, no “active users”, image to text converter -> shell -> ssh checker? I tip my hat to everyone who did this one. Great concept, but still waiting on AI to get better before I start doing boxes with it. Just always seems aggravating. Voice, Books, Images, etc. I want to say Book was the other SSTI but was harder, right?
@puneethkpati6265 · a year ago
That’s the coolest SSTI I’ve ever seen.
@cybersecurity3523 · 2 years ago
First bro
@LolLol-dj1tf · 2 years ago
Can you teach us how you always find the next step/clue?
@somerandomwithacat750 · 2 years ago
You look at what you have. He tried SSTI because he knew it was accepting input from an untrusted source. It also said that the app was made with Flask, which supports this.
@somerandomwithacat750 · 2 years ago
2. After you gain a shell you do the same thing. What groups are you a part of? Can you read any SSH keys? What users and what groups are on the box? Did Nmap or 'ss' show you anything you haven't dealt with yet, like MySQL? Go check things like /var/, /opt/, try sudo -l, etc. If you have something like MongoDB or MySQL, it's more likely that that's going to be a part of the next step. If not that, any custom bash scripts, cron jobs, etc. If there's nothing, it's going to be permissions misconfigured somewhere.
@somerandomwithacat750 · 2 years ago
3. Think of it like Chekhov's gun. These boxes are made to teach you something. If you see something, there is almost certainly a reason why it is there. A box designer isn't going to make a bash script that deletes XYZ or an ABC that does whatever for no reason. Use what you have available and what is in front of you. Even something like the box name or an innocent mention like "made with flask" is done on purpose. Lastly, just practice. A lot of this is just putting in the time to get the experience.
@Wereld03 · a year ago
@@somerandomwithacat750 I find expecting SSTI here a big step. Normally you’d be piping data to some OCR program, then sending the response buffer out as a file. There is no reason to do any templating in that flow.
@Wereld03 · a year ago
Watching back, it does have HTML tags in there, so that's a small hint ig.
@LetsFailYourGameDE · a year ago
Did he just say "let's see what this fuc* owns"??? xD 19:23
@jaylal4899 · 7 months ago
The initial foothold is way too far-fetched. I tried so many payloads and couldn't get remote code execution... The priv esc looks fun.
@ippsec · 7 months ago
Yeah, a lot of the older boxes weren’t nearly as realistic; it was a different time back then, and the boot2root was more on the puzzle side than realism.
@mrman9279 · 2 years ago
Play
@AbacateSexy · 2 years ago
Although fun in concept, the machine was quite boring :/
@krosec · 2 years ago
I did the same exploit for the foothold, but I got the id_rsa and accessed the machine as svc_acc via SSH. For the privesc it was basically the same thing: I appended a revshell to the file and ggwp.