Ippsec rocks! 🙂 Awesome video as always! I liked the end. I didn't know about the privileges with cron jobs either. Thank you for your content!
@c0ri 11 months ago
Very cool man.. I can't believe I never knew about the ~C dropping to ssh shell so you could port forward from there. Very handy thanks!
@ImShivaMaharjan 11 months ago
Great content as always. But as you mentioned the ssh would only work if the /root/.ssh folder existed, but as we can see in 30:14, the sattrack binary created any folder if it didn't exist already. So, I think it would still work.
@_hackwell 1 year ago
As always excellent video. I learnt zillions of things thanks to you!
@SplitUnknown 1 year ago
Root was fun in this box 😮 and strange way to get shell😀 fun box thanks 🔥♥️
@TadakichiSan777 1 year ago
Been always wondering why do you have to base64 encrypt when trying to get a reverse shell using burp? I mean all the commands before were plain text.
@ippsec 1 year ago
You don't have to but where my commands ran, I was already inside of a " and ' -- which means if I wanted to use those characters I'd have to escape them. I rarely get the syntax right the first time in that scenario. For example, escaping " could be \", or if I have to escape the \, it could be \\\", and it's just painful to keep track of all the quotes/escapes. When that fails, there are multiple reasons why it failed and operator error is high on the list. So to make it easy, I first try encoding the command which removes the ". If it does fail, then the super likely reason to why it failed is that | is a bad character and I can move onto another way like using curl to drop a file and execute a file. If it failed with quotes there is just more troubleshooting I'd have to do as I don't know exactly why it failed.
@TadakichiSan777 1 year ago
@ippsec thanks for the Exploration
@NicolastheThird-h6m 1 year ago
I couldn't see the /api/ds/query request in grafana when I did this box, not sure why but I think the request must be inconsistent or cached.
@Ms.Robot. 1 year ago
This was well thought out.❤
@kosmonautofficial296 1 year ago
That is really interesting. I wonder if this raw SQL from the client is the same when other SQL servers are connected. Like I thought there was some built in database, and you could also specify another for some data. I could really see it happening where people didn't know this and connect to a database that accidentally has more important info. I had no idea about the copy command and that you could get bash command execution from it.
@mateuszgierblinski 1 year ago
When I initially created the box I tested it with MySQL and it was exactly the same. The effect was not as dramatic as here but you are still allowed to query the database however you want.
@tntxqx8281 1 year ago
In 12:24 you can get rid of "==" by running echo -n
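The quoting problem described in the reply about base64 above, and the `echo -n` remark about "==", as an added example that is not from the video or from any commenter. The sample command is a harmless constructed string, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: CMD is a harmless constructed sample with both quote types.
read -r CMD <<'EOF'
printf '%s|%s\n' "double quoted" 'single quoted'
EOF

# Base64 of the exact bytes of $1 (no trailing newline), on one line.
encode() { printf '%s' "$1" | base64 | tr -d '\n'; }

# True when $1 holds only base64 alphabet characters, i.e. nothing that
# would need escaping inside '...' or "...".
is_quote_safe() {
  case "$1" in
    *[!A-Za-z0-9+/=]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Run the encoded command from inside a double-quoted and a single-quoted
# layer, the situation where each raw quote would need its own escaping.
run_nested() { sh -c "sh -c 'echo $1 | base64 -d | sh'"; }

# Padding ("", "=" or "==") of the base64 of whatever arrives on stdin.
padding() { base64 | tr -d '\n' | sed 's/[^=]*//'; }

ENC=$(encode "$CMD")
printf 'raw:     %s\n' "$CMD"
printf 'encoded: %s\n' "$ENC"
is_quote_safe "$ENC" && echo "encoded form needs no escaping"
printf 'nested run prints: %s\n' "$(run_nested "$ENC")"

# Padding depends on input length mod 3. echo appends a newline byte;
# echo -n (printf '%s' here, for portability) does not.
printf "abc + newline -> '%s'\n" "$(printf 'abc\n' | padding)"
printf "abc           -> '%s'\n" "$(printf 'abc' | padding)"
printf "abcd          -> '%s'\n" "$(printf 'abcd' | padding)"
```

Because only the input length changes, dropping the newline removes "==" when the text length is a multiple of three and shifts the padding otherwise.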
@GajendraMahat 1 year ago
Thanks dude
@aniket4652 1 year ago
I'm not getting rev shell in the zipping machine after bypassing the upload vulnerability... Can anyone help me?
@christopherthompson5457 1 year ago
sudo -l
@solcloud 1 year ago
Thank you for awesome video 👍
@heapbytes 1 year ago
16:38 How did you open the ssh> prompt? What keystroke?
@ippsec 1 year ago
Hit enter then the first thing you type is ~c
@sand3epyadav 1 year ago
We were missing your videos❤❤
@OmphemetseMokene 1 year ago
Great vid my mentor.
@AUBCodeII 1 year ago
Oh, Ipp, I regret not starting doing free retired boxes way earlier. Could've done them since at least February 2021. If I started back then I would have completed over 100 boxes! Probably would have enough knowledge to ace OSCP.
@ippsec 1 year ago
Certainly would - With all the videos you have been watching, it wouldn't surprise me if you're in better shape for the OSCP than you think.
@AUBCodeII 1 year ago
@ippsec Thanks for the pep talk ❤
@berthold9582 1 year ago
It's crazy ippsec is too much. It was so cool to look at the horizontal privilege escalation 😮