IppSec: it's really amazing how you create this stuff. I have no clue if I'll make it the next time I'm trying the OSCP exam, but you are really a master in explaining stuff while you're doing it. Hands-down the best training material. Thanks (also applies for all your other vids, I'm not really a KZbinr, but you're in my top-1-most-watched channels) ;-)

Your vids are easily the best resource for learning i've found, aside from actually working on vms etc. Learnt so much from these, much obliged! From a junior pentester about to sit the OSCP :)

Thank you for this post. I tried following all the other guides to get the reverse shell, yours was the only one I could get working.

Awesome video IppSec! Port knocking order was also in a mail at /var/mail/amrois :-)

I've improved more in the last 2 weeks from going through your videos than I did during 60 days of PWK labs. Exam in 2 weeks and, if I pass, massive credit would go to you!

Super appreciate as usual... Been looking for a way to spot cron / proccess . Love the proc mon ..... Definitely going in my tool box

keep going ur the best from algeria

I love your videos. I've just gotten into pentesting as a hobby and I've learned a lot through these. Do you run Kali through a VM? That's what I've been doing, but I recently got a new laptop and wanted to try usb booting. However I'm having a horrible time getting it to recognize my gpu (e.g., hashcat). So I was just interested in hearing how you've set things up.

Awesome videos! But can you increase that fonts of your terminal and web browser to make things easier to view for those watching on mobile devices, please?

great stuff as always

Seems like when I don't name the db or table with the keywords "nineveh" and "Notes" it give the "Note not found" error. So it maybe be looking for both strings in order to LFI

Hey @IppSec great video m8, just a quick question: will you be doing vids on the Sans HH challenge 2017? Cheers and have a good day

you're a LEGEND!

thanks ippsec! there is a hint for the ports that should be knocked in /var/mail/

@ippsec where can i get a copy of the shells?

oh my god that's awesome thank you so much

I know this is an old vid so I’m necroposting here, but I’m pretty sure this box is pronounced “nin-ehva” not “nine-va” since it’s a reference to the ancient Assyrian city in the Bible whose destruction Jonah was sent to foretell. At 31:20 you can see there’s a file in /var/www/html called “ninevehdestruction.jpg” which supports the idea that this is a reference to that city. Just bringing it up because sometimes understanding the references helps with the solution of CTF boxes.

If you change the "ps -eo command" to "ps -eo user,command" in the procmon script, you'll be able to see which user the command is running as

Hey @ippsec and other folks, why did he directly jumped to hydra when he saw the login page. I meant, how would i know when to use sql injections and when to just brute force it ?? So please, if someone can explain to me the scenarios where looking at the login page i should check for sql injection or brute force it

one question why was command exeucted as &cmd= instead of the usual ?cmd= ???

hey man , big fan here.Do you have an idea about where can i read to perform my skills and my knowledge about penetration testing ?

A lot of new stuff I have learned with you. Thank you. Also had gaps with quotes, but could not understand the issue completely. Few clauses want to add: * manual view of processes (how I did) `top -d 1 -o %CPU` * there is knock tool, could be used as `knock 10.10.10.43 571 290 911 && ssh -i amrois-pk.key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no amrois@10.10.10.43` (anyway your way was great, on a sockets level) * www.exploit-db.com/exploits/38775/ -- msf module for LPE, could be done with meterpreter session * cat /var/mail/amrois (short tip, that we faced with port knocking) * strings /var/www/ssl/secure_notes/nineveh.png (for a quick view, without right extracting)

Thanks bro

Can I use nc to do port knocking trick?

the first login panel can be bypassed with setting the name as admin and sending the password as an array. if i remember correctly the hardcoded password was hinted in the comments of the login page.

You are amazing!!! How bout starting classes to teach pentesting to beginners...What burp suite course do you suggest?

is there a tmux-shortcut for sending panes to windows?

Hello IppSec , could you please giv us some informations about your rig ( crackmachine ) ? the number of GPU the graphic cards ?? i'm trying to build one , thanks :)

I like this box. Basically, if you don't do enough enumeration, it punishes you by making you do more work :P. although, I took the "long" path and honestly I learned more doing that so 👍

thanks :)

There is actually a working kernel exploit for this box now. Published just around the time this video was released.

how long does it usually take for you to exploit these machines for the first time?

Hey IppSec, running into an issue. Doing this box for OSCP prac. I am at the video around 24:30 mark when you are moving the Post parameter around. I can't get mine to work like you have. I HAVE to have it `POST /department/manage.php?notes=/ninevehNotes/../var/tmp/hack.php` if I try to make it like yours and replicate it with `POST /department/manage.php?notes=/var/tmp/hack.php` I get nothing. Not even No note selected error

nice video thanks

Does anyone know what the "ipp=" mean? I know when he adds the "ls" parameter after the ipp= it provides a directory list, but how did he know to use "ipp="?

i am not getting the LFI and m fked up.

the way you pronounce ninevah tells me you didn't watch veggie tales as a kid

Ecscape eh. It's unlike a programmer to deliberately spell a word incorrectly ;)

Ok thanks

😚😙😚😙😚😙

2024

nc -z 10.10.10.43 571 290 911

In this box something is not clear I know it is old but someone help me here between 20:38 to 22:10 Ippsec was dealing with DB and renamed it to ninevehNotes but this name is pre defined in the box and if someone actually put another name it wont work like if the name is /var/tmp/shell.php it wont work I wonder how he knew that path.