Wow, I really thought the admin session stealing was the intended way and Pwnkit was the unintended, the more you know! Thanks for the video!

Lots of love from a oscp dreamer boy from india...... 💌

Great video as always! Would recommend the tool 'q' for writing sql queries against csv-like files/output, very powerful! Nice tip with snmpbulkwalk, I just found what I wanted in the nmap sC output and stopped there. :)

Hey ipp, you've made quite some improvements in the way you present. Specially with the font size, If you can change the font to FIra Code Semi Bold the appearance will look much nicer. Moreover fonts like FIra Code, COmics Sans help people with dyslexia and astigmatism read more clear and reduce their chance of getting a head ache while watching your videos.

You deserve more than million subscribers 🙂❤️

why did you put "data"(id_usuario|s:5:"admin";) column in 3rd place(select 1,2,data). when sqlmap is clearly is showing it's 2nd column. Isn't it logical to follow correct column match. I struggled with it that's why asking. After matt login we can confirm that data is actually 3rd column in database, somehow sqlmap shows it in the incorrect order. Post root insights were useful for why this box was so weird.

That's really great video and the detail explain about the step, thanks for this video. but I have one question about the final step in create ssh connection, why the 'sudo -l ' can execute after ssh connect but it will failed when using php reverse shell ? thank you .

Loved so much this box

O.k. at 21:16 i have no idea what you did there... "if squiggly C is the first line on your ssh prompt"??? HUH? how did even get an ssh prompt there?

Thanks for the content, ippsec and for sharing your knowledge with the community! The machine was pretty straightforward. Personally, I've struggled with the inital foothold, because I've skipped the UDP scan in the enumeration phase. Finding the unauthenticated exploit / blog post the hardest part of the box imo. Interesting! Didn't know about the unintended path via admin session stealing. Cheers

I went and uncommented "EscapeChar ~" in my ssh_config file, and restarted the ssh session... however doing the ~C sequence simply leads to a message "commandline disabled"...

hey ippsec, you think you could install or create something that logs all the commands you do? sometimes i like to talk about you with some of my friends and showing what commands you use can be frustrating to find. thank you

how are you connected to pandora i cant figure out how to do this

Love u man

yes it is easy box :)

thanks a lot bro

thanks appsec you’re the best as always. is there a way to find 'id_usuario|s:5:"admin";' without sqlmap? since it is not allowed on the oscp.

nice

ok got my answer about ssh mode

First!

05:10 - Using nmap to scan NMAP you mean SNMP

"Easy" Box

Excuse me. I can't find the "Pandora Room". Please send me the Room ;)

so... i'm doing the port forward in my initial ssh command... we'll see how this goes... lol

yep. wonder wtheck is wrong with my escape character business..

When you dont have strings: grep -a -Eo '[[:print:]]{4,}' filename

usuario can be Spanish or Portuguese ;)

ayo

Haiio

Wawoo, blacklisted....

Please make shorter videos, 1 hr is huge 😥

Thank you for this and all your videos @IppSec. I am running into problems with the public-private key usage for the user matt. I have followed your steps multiple, but whenever I try (ssh -i matt matt@10.10.11.136) to ssh from my Kali machine to Pandora machine using the private key I created it always asks for a password. Has anyone else ran into this problem? Any help from anyone would be greatly appreciated.

yes snmp ! when printer has "Access" as "50 00 41 00 53 00 53 00 57 00 4f 00 52 00 44,00,00,00"