I see notification, I click, no matter what I'm doing.
Most consistent channel on YT, change my mind.
I like how you went over the find and the ability to attack the attributes on the download photos. thank you.
that stuff with built in bash stuff was wild! running [ as a program. Amazing, I love learning something new every single time I watch
Thanks for the walk through! I had struggled with getting shell on the machine but didn't think to try playing with the request parameters in Burp. This taught me a new technique to try out on this box. Also, the section on SETENV was great. I'll probs need to watch it a couple of times and read up on it to really grasp it.
Thank you for all your work, it really helps
The builtins part was so interesting. Thanks Ippsec
My friend, can you make a list to explain the ways of thinking about hacking the machine?
Thank you ippsec, I learnt a lot from you...
Thank you. As always, the perfect cure. 🤩
Nice video as always 👍
Thank you ippsec!
So the bracket solution was an intended one? I mean, did the author of the box need the 'enable' command for anything else except making the bracket solution possible?
Anyone got any learning module/course/reading material about the burpsuite file type part of this video? I got to this bit without watching the video but I don't understand how/why this exploit works.
What about the "secure_path"? This is set in the sudoers file, I thought that it would take priority over the path used by the user.
It takes priority over the path before sudo, but the SETENV line next to the command lets you set it after sudo resets it
Love the video as always however one thing I noticed was your Microphone popping, for future videos please can you turn down the gain ever so slightly? I only have my volume set to half and the pops are quite jarring.
Thanks for the feedback, gain is at the lowest setting. I had to re-install and lost my Obs settings and am having trouble recreating some audio filters I previously had.
@ippsec I'm no microphone expert so maybe my gain suggestion is irrelevant. Hope you find the right filters eventually. Keep up the great work!
@sirgravzy5853 Hey - I don't have a good way to message you but can you give my RainyDay video a listen and let me know if it's fixed on your end?
@ippsec Of course, I'll do so in about an hour!
@ippsec Night and day difference! Sounds better - sounds, 'normal ippsec' if that makes any sense.
Hats off to you Ippsec, I really like your content and appreciate the amount of work and dedication it took to get you to this level. Would you ever just explain your learning path and how you started etc…?
Thank you for video
Ippsec rocks! 🙂
I wonder why youtube recommended me this 😅
Tq for seach windows boxes lots of ad and how use jq..
I love or my fave ippsec.
Push!
SuperSec :))
Easy af
PipSec
I didn't quite understand how "sudo PATH=/dev/shm:$PATH /opt/cleanup.sh" works or why it avoids the env_reset. How does that work with SETENV exactly?
The wizard user is able to execute the /opt/cleanup.sh script, but with the SETENV privilege. That overrides the env_reset default. It's normally used so that you can set the environment variables for just a single command, but in this case we're able to get a path injection to exploit the lack of absolute pathing to the find binary, or as ippsec showed at the end, the cool exploit around the bash built-in being disabled in the .bashrc file that is called.
There is also another box where ippsec exploits the same vulnerability - this one is possible for a similar reason, it doesn't have env_reset set at all so again path injection is possible against binaries not using absolute paths - ruclips.net/video/LI9mw1rMKVw/видео.html
@g0hm47 Thank you very much! I really appreciate the help
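An added example, not part of the comment thread or the box's own files: a small audit for the condition discussed in the secure_path and SETENV replies above, listing sudoers rules tagged SETENV together with the commands their scripts resolve through PATH. The sudoers fragment, the script body and all function names are constructed for illustration, and the script scan is a heuristic.

```python
import re

# Constructed sample inputs (not the box's real files): a sudoers fragment and
# the script it allows.
SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
wizard ALL=(root) SETENV: NOPASSWD: /opt/cleanup.sh
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
SCRIPT = """\
#!/bin/bash
. /home/wizard/.bashrc
[ -d /var/tmp/cache ] && find /var/tmp/cache -type f -delete
/usr/bin/logger "cleanup done"
"""
KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "while", "do", "done", ".", "source"}

def setenv_rules(sudoers):
    """(user, command) for each rule tagged SETENV, i.e. rules where the caller
    may set variables such as PATH on the sudo command line."""
    hits = []
    for line in sudoers.splitlines():
        m = re.match(r"(?!Defaults|#)(\S+)\s+\S+=\s*(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.+)", line.strip())
        if m and "SETENV" in re.findall(r"[A-Z_]+", m.group(2)):
            hits.append((m.group(1), m.group(3).strip()))
    return hits

def env_reset_disabled(sudoers):
    """True if a Defaults line turns env_reset off for everyone."""
    return any(re.match(r"Defaults\S*\s+.*!env_reset\b", l.strip()) for l in sudoers.splitlines())

def path_resolved_commands(script):
    """Heuristic: first word of each simple command that is not an absolute path.
    Builtins such as `[` are listed too, because a sourced file can disable them
    with `enable -n`, after which bash looks them up in PATH."""
    found = set()
    for line in script.splitlines():
        for part in re.split(r"&&|\|\||[;|]", line.split("#", 1)[0]):
            words = part.split()
            if words and not words[0].startswith("/") and words[0] not in KEYWORDS and "=" not in words[0]:
                found.add(words[0])
    return sorted(found)

def audit(sudoers, scripts):
    """Map each SETENV rule to the PATH-resolved commands in its script (scripts: path -> text)."""
    return {rule: path_resolved_commands(scripts.get(rule[1].split()[0], "")) for rule in setenv_rules(sudoers)}

if __name__ == "__main__":
    print("env_reset disabled:", env_reset_disabled(SUDOERS))
    for (user, cmd), names in audit(SUDOERS, {"/opt/cleanup.sh": SCRIPT}).items():
        print(f"{user} may run {cmd} with SETENV; PATH-resolved commands: {names}")
```

A rule that needs no caller-supplied variables should drop the SETENV tag, and the script should call its binaries by absolute path.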