John Hammond cracks John user's password with John the ripper
@Recon_Racing 4 years ago
While sitting on the John eating Johnny cakes
@harshbakori 4 years ago
Sounds like he forgot his Gmail password and is trying to hack in lol
@softicecreamer 4 years ago
Plot twist: John Hammond secretly developed John the ripper solely for cracking into the John user
@atanki5682 4 years ago
John inception
@moneyworks4375 3 years ago
@@atanki5682 johnception
@tannisk 2 years ago
He also does singing, I love his song perfect
@Vixikats 3 years ago
Quickly growing addicted to this channel because the unscripted "fumbling" is exactly what a normal dev would have to do to fix their own little mistakes. And it's those tiny, "What did I forget?" Details that novices are going to be tripping over constantly. The fun part is watching your thought process unfold while you perform these tasks and help introduce us to various helpful tools and commands that we may use in our own explorations.
@simeondermaats 3 years ago
Of the six thousand languages on earth, you chose to speak Facts
@abisrug4898 4 years ago
need more of this fumbling.......fumbling makes it incredibly interesting
@padaloni 4 years ago
totally agree. it's the fumbly bits that I enjoy. mistakes are where the learning is at.
@clemsonfan53089 4 years ago
Yes! The fumbling makes it real life and shows how easy mistakes are. It's like bloopers, love it.
@SebPineda 4 years ago
Lots of Johns in this one haha
@jd-raymaker 4 years ago
That troubleshooting was the most interesting I've seen! Here's a *boop* from me
@_JohnHammond 4 years ago
Thanks for the boop! xD
@bluesquare23 4 years ago
I don't know how to do a quarter of what you did in this video but I'm comforted by the fact that you run into the same hiccups as me. Like oh yeah there's dollar signs, or oh duh forgot a slash.
@jadesanford2857 4 years ago
that's just the linux (and friends) experience in general
@CriPPle358 4 years ago
You can disable bash expansion with cat by adding single quotes around the first EOF rather than going through and escaping everything. i.e. cat
@_JohnHammond 4 years ago
Ooooh, that's a good call! That would do the trick too. Thanks!
@svampebob007 4 years ago
@U X I hope to god that my website doesn't do that. I got some servers open to the web, and I know a friend of mine is really paranoid about leaving open ports and what not. But the more I learn about different ways people exploit and the more I get into the security aspect, the more I get confident about my practice. Though one thing I learned from this is the cron job part. I got two cron jobs that could give a hint as to what's going on the network, so I might need to check if there's something that a non root user might be able to see. *edit: looking at my crontab, nothing seems visible unless you're root :D I'm really relying on not having any major security issues based on the fundamental programs, rather than trying to implement too much on either security through obscurity, or sticking my head down the sand and hoping nobody notices me.
@cdellio 4 years ago
@@svampebob007 I've thought about setting up my own home-server with the same approach: keep things simple. Security by utilizing only the most simple, secure methods. nothing more or less.
@benstech726 3 years ago
@@cdellio just chipping in to point out that hosting on a free low resource cloud alternative would be much more recommended.
@l0pher 4 years ago
Hi John, great vid as always!! How about doing a blind room say once a month, but do it live. I'm sure a lot of people would enjoy that. I know I would. Keep up the good work!
@softicecreamer 4 years ago
good idea!
@th3hunt3r85 4 years ago
Thanks, it is fun watching you doing all this cool stuff, plz keep the good work coming
@uniquechannelnames 3 years ago
These videos are worth like 100 tutorials I'm not kidding. The thinking process, seeing concepts that one may need to learn, explaining what you're thinking, and just seeing this type of thing in action. Soo helpful. Privilege escalation has always been a big sore spot for me.
@52.yusrilihsanadinatanegar79 4 years ago
I love the fact that John checks out funny/unrelated image/video files. 👍
@uimstar5254 4 years ago
Hey John, loving your content. I really enjoy how you explain and try different methods to gain privilege access, like changing the etc/passwd through the share drive in your container. Even if you struggle a little bit doing that, it really helps us understand the process and iteration you/we can go through while doing that. Keep up the good work!
@frollard 4 years ago
Absolutely agreed that it is helpful to see you run into the stumbling blocks. There's nothing worse than following a tutorial for the first time and smashing headlong into some syntax error or in this case escaped special characters. Thanks for sharing.
@chrisbey8647 4 years ago
You and ippsec are very good learning resources. Thank you for taking your time to post these videos.
@itsobj5013 4 years ago
watching you move through this so quickly n seamlessly just amazes me lol
@kartibok001 4 years ago
Great video. Was waiting for the writeups as I couldn't escalate for the life of me!! Learn something new every time!!
@HomelessDeamon 4 years ago
Keep it up man, you are doing great work educating the new to the domain, in a more fun and friendly way, which makes learning easy....massive big thanks to you J.Hammond
@lucha6262 4 years ago
Your videos are awesome John!
@krisdoe 4 years ago
Great video John. I learned some new things which were not so obvious to me previously. By the way, LXC/LXD and Docker stuff run most of the time as daemons - which means once you are in the group with regular user you are free to escalate privileges. This is a known flaw - at least in Docker world. Nowadays Docker could be run in rootless mode to avoid such situations. RHEL is doing the same with Podman if I am not wrong.
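A defender-side check for the point in the comment above, as an added example that is not part of the original thread: since membership in the `lxd` or `docker` group amounts to root, it lists every non-root account that holds either group, as a supplementary or a primary group. The file contents and account names are constructed sample data, and `daemon_group_members` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: list accounts that can talk to the LXD or Docker daemon.
# Input files use the /etc/group and /etc/passwd formats; the samples are constructed.

daemon_group_members() {   # usage: daemon_group_members GROUP_FILE PASSWD_FILE
    awk -F: -v watch="lxd docker" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # First file, group format: name:passwd:gid:member,member,...
        FNR == NR {
            if ($1 in want) {
                gid2name[$3] = $1
                m = split($4, members, ",")
                for (i = 1; i <= m; i++)
                    if (members[i] != "" && members[i] != "root")
                        hit[$1 ":" members[i]] = 1
            }
            next
        }
        # Second file, passwd format: catch users whose primary GID is a watched group.
        ($4 in gid2name) && $1 != "root" { hit[gid2name[$4] ":" $1] = 1 }
        END { for (k in hit) print k }
    ' "$1" "$2" | LC_ALL=C sort
}

sample_group() {           # constructed sample data
    cat <<'EOF'
root:x:0:
sudo:x:27:alice
lxd:x:110:alice,john
docker:x:998:root,ci
users:x:100:
EOF
}

sample_passwd() {          # constructed sample data; "build" has docker as primary group
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
john:x:1001:1001::/home/john:/bin/bash
ci:x:1002:1002::/home/ci:/bin/sh
build:x:1003:998::/home/build:/bin/sh
EOF
}

tmp=$(mktemp -d)
sample_group > "$tmp/group"
sample_passwd > "$tmp/passwd"
daemon_group_members "$tmp/group" "$tmp/passwd"
rm -rf "$tmp"
```

On a real host the same function takes `/etc/group` and `/etc/passwd`; accounts that come from a directory service do not appear in those files and need `getent` output instead.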
@JT-cm3ff 4 years ago
Not sure if I should get depressed or motivated seeing how awesome John is at this thing. Definitely impressed though.
@kr4k3nn 4 years ago
Great work sir...Thank you so much for making videos.
@satyamvirat3489 4 years ago
That was actually fun to watch. Quite educative for learning ❤️😂
@aljazmedic375 4 years ago
Legend. Thanks for a great vid 👍
@glen_nz 4 years ago
On the topic of fumbling and figuring out what you've done wrong....this is the stuff that courses don't show you. In some ways, that problem solving is some of the most important parts of the video. Any idiot can make a "perfect" video. Only someone who knows what they're doing can make a "less than perfect video" and fix problems encountered during it - adding to the value and standing out as more than just a walkthrough. Great job.
@yossig7316 4 years ago
Thank you John for going the extra mile to show teach us !!
@rakeshbabumulugu7517 4 years ago
Great work John.! 😇 Learning a lot of stuff as a newbie through your way of approach.! You show us on how to think and compromise a machine.! 🙏
@hellomistershifty 3 years ago
As a fellow John, I can say this is a good video
@TheH2OWeb 4 years ago
Thanks John ! Always fun and interesting !
@website8362 4 years ago
Love seeing the TryHackMe vids 👾
@website8362 4 years ago
and watching the reworks when things go wrong 😂 #real-life
@siddharthjohri2935 4 years ago
Another good video. You rock, John.
@ARZ10198 4 years ago
Just did this box yesterday, John you're amazing <3
@androidenthusiast2806 2 years ago
No matter who else does the show, we always love to see John Hammond doing these tutorials.
@mumugs 4 years ago
I subscribed just because you had the problem with root password and nailed it.
@cscogin22 4 years ago
A socks proxy video would be fun to watch IMO, I was just lazy and scp'd it over to the box from my attacker platform
@RomanAlbert-f9u 4 years ago
Woah Great video! This looks like fun. Quick note, no need to put slashes before dollar signs, you could just quote the 'EOF' (then bash interprets the text inside as pure string, not evaluating vars:D) Great video, keep it up!
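The quoting behaviour described in the comment above, as an added example that is not part of the original thread: the same passwd-style line written through an unquoted heredoc, an unquoted heredoc with hand-escaped dollar signs, and a heredoc with a quoted delimiter. The line is constructed sample data, with `saltsalt` and `hashhash` as placeholders.

```shell
#!/bin/sh
# Added example: how the heredoc delimiter's quoting decides what reaches the file.
# The passwd-style line is constructed sample data, not a real hash.

# Unquoted delimiter: the shell expands $6, $saltsalt and $hashhash before cat
# sees the text. The subshell turns nounset off so unset names expand to "".
write_unquoted() (
    set +u
    cat > "$1" <<EOF
demo:$6$saltsalt$hashhash:1000:1000:demo:/home/demo:/bin/sh
EOF
)

# Unquoted delimiter with every dollar sign escaped by hand.
write_escaped() {
    cat > "$1" <<EOF
demo:\$6\$saltsalt\$hashhash:1000:1000:demo:/home/demo:/bin/sh
EOF
}

# Quoted delimiter: the body is taken literally, no escaping needed.
write_quoted() {
    cat > "$1" <<'EOF'
demo:$6$saltsalt$hashhash:1000:1000:demo:/home/demo:/bin/sh
EOF
}

# Write all three variants into a scratch directory and print what each produced.
compare_heredocs() {
    dir=$(mktemp -d) || return 1
    write_unquoted "$dir/unquoted"
    write_escaped "$dir/escaped"
    write_quoted "$dir/quoted"
    for f in unquoted escaped quoted; do
        printf '%-9s %s\n' "$f" "$(cat "$dir/$f")"
    done
    rm -rf "$dir"
}

compare_heredocs
```

The unquoted variant silently loses the whole hash field, which is why a file written that way looks plausible but no longer matches the intended password.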
@sportcodfb 3 years ago
I loved the vid John, I was thinking that perhaps for changing the user's password you could've chrooted into the root mount, anyways the vid was hella fun :)
@suvidsinghal1365 4 years ago
Hey John I am interested in the socks proxy video ;)
@cooliceman0001 3 years ago
Yes i was just going to post that
@levyroth 3 years ago
Me too plz
@eclipsehunter22 4 years ago
Yes do the socket video!
@RocketLR 4 years ago
I love this format. It's fast and straightforward. No "uhhms" or "eehhms" while over explaining. Other people stop at every single step. "then i paste this text into here.... I will use CTRL... SHIFT... V... Then we ehhh need to eeeh saaaaaaaaave with ctrl + Oooooo.. No wait my bad, this is vim... So wee go and press esc, just to be suuuuure.. eeh... btw i prefer vim because jada jada jada." I spent too much time on this comment already but I have been bugged by how slow people tend to be...
@matiasm.3124 4 years ago
Nice channel .. sometimes he complicates things .. but it's very nice explained.
@ITachi_11.11 4 years ago
John the legend! Keep going man... I'm learning a lot of stuff from you as I'm sure everyone else does. You are truly helping and inspiring. Thank you.
@sentinalprime8838 4 years ago
John JOnhned ,it nice video. For me always your videos are one way stop for relaxing amazing john world needs great people like you to share knowledge. Lots of respect man !!!!!!!!
@R4yan- 4 years ago
whew i can't believe you just saw my writeup xD at 33:09
@mjuhasz 4 years ago
Best troll in each TryHackMe video are those README files :D
@abdosama 4 years ago
Let’s go with the funneling internet to the box idea, it would be very interesting 🧐
@Child0ne 2 years ago
I’ve learned more from John Hammond than I think 12 years of schooling
@fatcatgaming695 4 years ago
Fantastic explanation.
@ronakjoshi5093 4 years ago
great video john..keep up the good work 💥💥
@cryspwasp9288 4 years ago
I did it by writing my own script LMAO 😂, I remembered you when I saw John on src 😆😆
@000t9 4 years ago
It's totally fun! Thank you bro!
@dersg1freak 2 years ago
My favourite way to get stuff into a file is cat > file. It never goes wrong. Ctrl+C to finish
@MartinMllerSkarbiniksPedersen 4 years ago
Just quote the EOF like cat
@_JohnHammond 4 years ago
Ooooh, that's a good call! That would do the trick too. Thanks!
@svampebob007 4 years ago
I had a script that busted my balls over this! I'll try to keep it in mind next time I create a clusterfuc.. a script :)
@oh-lives 4 years ago
Another solution that IMO is simpler: cat > /mnt/root/etc/passwd Paste and then hit
@ajiththiyar7609 4 years ago
Bro your content is da best
@harmtech3502 4 years ago
The proxy video would be interesting yeah, thanks man ^^
@softicecreamer 4 years ago
I wanted you to do this one... This CTF was awesome for me to complete
@crimson750 4 years ago
Keep up the videos! Love them
@aalekhmotani3877 2 years ago
Without the video, John, I would only have known how to obtain the root flag, Thanks a lot.
@kritagyagupta8619 3 years ago
John cracks John's password with john
@nishantsingh5341 4 years ago
32:00 The Hollywood hacker when he disables the security nanoseconds before timer runs out
@jose007108 2 years ago
these videos rock! keep it up man ;D
@hewfrebie2597 4 years ago
I would like to see it using via socks proxy for learning experience so why not! Since it's a good idea and that's why I subscribed to your channel so I understand more about proxychains.
@Connectme_ai 4 years ago
Love the content!
@Simpfan45 4 years ago
I've definitely done that SOCKS proxy trick while at a former job. Had to install our software on a machine in the UAE without the box having any internet access. Worked a treat. Just remember you also have to tunnel over dns as well or you are gonna have a bad time.
@ddlsmurf 4 years ago
you can just cat > file, paste, then ctrl+d (which sends an EOF). You will then write exactly what you pasted. The heredoc as you say is interpreted by bash, whereas if you effectively < stdin, which is what cat does, cat is reading not bash. Also check out alt-.
@geraldfeeney1410 3 years ago
It's cool. That's master level. There are many ways to go to Rome. +1 subscriber.
@originalkhawk 3 years ago
season/year is a common result from making users change their password every x months, forcing users to come up with a unique password every couple of months is a bad practice and doesn't make anything more secure (unless you have a data breach every couple months spilling all passwords used, but at that point you have bigger issues)
@sebastiantillmann1669 4 years ago
When you can ssh into the box why don’t you just scp Linpeas and the container image?
@mrhusi 4 years ago
my thoughts
@Sfhgscvg 4 years ago
Plain http might be faster? It's a bit more user friendly as you don't need to authenticate, then again with an ssh key it shouldn't be an issue. However the key is pass protected so unless the password is stored in a keyring you would have to bother to type the password. It all comes down to personal preference.
@svampebob007 4 years ago
@@Sfhgscvg you could also change the password of that key since you now know the ssh passkey:
-------------------------------------------
ssh-keygen -p -f sshkeyfile
-------------------------------------------
it will ask for the current password, then you can just leave it blank. if you have to connect a lot of times with ssh, you could add something to the .ssh/config
Host client client.example.com
    HostName client.example.com
    # private key for client (like "sshkeyfile" in my previous example)
    IdentityFile ~/.ssh/client_rsa
    User remoteusername
Host otherclient other.example.org
    HostName other.example.org
    # different private key for other client
    IdentityFile ~/.ssh/otherclient_rsa
    User otherremoteusername
-------------------------------------------
then you can just use ssh otherclient or scp files client:~/ really useful if you don't want to always have to add the -i option, or if you want to set a custom name for that connection and have it separated with multiple id files. on another note you could also add it as an alias in the .bash, but that's up to you, the point is that you can simply remove the passkey once you know the passkey and then use it as a regular key without password.
@veryInteresting_ 4 years ago
at 25:07 why not chroot to /mnt/root and run passwd as root?
@flaviuscondurache2688 4 years ago
Nice video, cool LXD PE, personally I would have modified the /root/.ssh/authorized_keys and I would have sshed as root without needing any pwd. Then you can change it easily with passwd. :)
@suyashjain3378 4 years ago
Pls continue making such kind of videos 💯💯❤️❤️
@AsadAli-ye8ns 3 years ago
movies and games are not even comparable with watching these videos..... wow,,,,,,,,I'm in IT field since 2004, but learning process never stops....
@IllSkillz 4 years ago
that's some PogU content mate!
@jmjl2 4 years ago
When you get a sh in the container you can just chmod +x /mnt/root/bin/bash and then out of the container bash -p
@Prosth3tiks 4 years ago
I understand 0.001% of this but I keep watching.... you type the words you get the stuff hahaha
@davidmcclellan4621 3 years ago
Is there a reason you didn't use SCP to transfer the alpine container to the attacker machine? I assume something to do with logging and leaving fingerprints, but I feel running wget would leave the same type of fingerprint, but maybe I'm missing something. I'm just a software dev interested in this kind of stuff. Keep up the great content!
@BeinIan 3 years ago
You should have clicked on Draagan Lore, I'm curious about the details of this fictional fictional universe.
@DevonBagley 4 years ago
Easier than changing the root password. Enable passwordless sudo for the user since they are already a member of that group. Changing the passwords is a good way to be discovered.
@dstensnes 4 years ago
cat
@hiteshjoshi2736 4 years ago
I know nothing about pentesting but still enjoyed the video 😄😄
@SpiderPigXL 4 years ago
Why does changing etc/passwd in the container change etc/passwd in the host file system? Shouldn't the container be separate and not influence the host?
@Sfhgscvg 4 years ago
You can mount directories from the host inside the container. This is done for example to have persistent data since the container isn't. Since / is a directory and the container is run with root privileges (privileged container) / can be mounted in the container. Same thing also applies to docker. The documentation warns you or it should at least.
@SpiderPigXL 4 years ago
@@Sfhgscvg so if i mount a directory from the host to a privileged container and write to that directory the changes are also being done in the host?
@Sfhgscvg 4 years ago
@@SpiderPigXL yeah, try it out, it's fun to play with and fairly simple to try.
@ShimrraJamaane 2 years ago
I don’t know why he didn’t chroot inside the container. Then he would have been a full root process on the host system.
@subalanaik6936 4 years ago
Amazing you have great job sir😉👍🏻👍🏻🙏🙏
@neilslater877 3 years ago
I keep finding on other machines that I have lxd but when I reach the init part it says there's no storage pool. Does this mean that the machine isn't vulnerable?
@mvmastrigt 4 years ago
Why use netcat for transferring a file instead of scp?
@franromero1675 4 years ago
Hey, part of the lxd exploit was done by s4vitar, a great hacker who is also a youtuber, perhaps the best channel in Spanish, don't miss it!
@Vittoriouss42 4 years ago
if i could understand spanish i would definitely watch it ! but my spanish stops at Ola ketal ;)
@usrbinsudorm5716 4 years ago
20:14 cachemanifest for iptables?
@dheylinantigua 1 year ago
You have a very interesting Channel 🔥🔥
@georgehammond867 4 years ago
that was not so easy at all. nice to see some real problem solving skills in the video's ending. :]
@rifqioktario5546 4 years ago
It's a little bit confusing because there are two Johns lol
@neilslater877 3 years ago
For the upload_file_nc why is he using a different port each time he downloads it?
@pfeilmann 4 years ago
just run "cat > passwd", paste, enter, ctrl + d. So "bash/zsh/..." doesn't mess with the input.
@gabrielmoreira7265 4 years ago
Personally I prefer seeing you work through the problems you came across instead of going directly to the solution
@hookthievess 4 years ago
yo my man, why do you use guake for sending the linpeas? why can't you just split your terminator screen and do it in that pane? You know what would be good - Doing a video on your workflow. How you set everything up, your terminator shortcuts, the way you use guake, little scripts you use to make things easier.
@hookthievess 4 years ago
watch this for the answer - kzbin.info/www/bejne/nGPEhIt9l6ljhKc
@nathanmccabe6308 4 years ago
Hey John can you advise me in the steps you took from day one to get to where you are now ?
@vamsikolati 4 years ago
Plzzz make that video about setting up a socks proxy for internet access
@neilslater877 3 years ago
When did he find John's sudo password?
@softicecreamer 4 years ago
Can you do year of the rabbit CTF
@osamaahmed1716 4 years ago
you are great man
@FrostByte112 4 years ago
This begs the question: why on earth would you dump a list of passwords and a private ssh key on your webroot... That's like hanging the key to your house on a hook, next to the front door visible from the street...
@dofw.mp4330 4 years ago
I mean it is hidden, so I'd say it is like putting it under a rubber footmat... with holes in it