HackTheBox - Blunder

  • Published: 19 Oct 2024

Comments • 90

  • @nios1515 4 years ago +33

    Taking my OSCP tomorrow, wish me luck!
    Thanks for the video

    • @DHIRAL2908 4 years ago +1

      Good luck!!!

    • @maluniversity 4 years ago +3

      you should get wasted first, then take it. it numbs the pain from the boxes that you'll have absolutely no idea about.

    • @tamilxctf4075 4 years ago +1

      Fail fail fail = p455!

    • @segev1824 4 years ago +1

      How did it go?

    • @UnknownSend3r 4 years ago +1

      So how did it go ?

  • @azelbane87 4 years ago +1

    Just SPECTACULAR as usual! When U do boxes like that(with no prep or whatever) I just admit I learn much MUCH MUCH more 'cause you go through all the troubleshooting process to get things done and allows me to understand things that otherwise would not seem that obvious. Your working flow is amazing IPPSEC although I guess it 'irritates' you when videos get longer than what you expect....but honestly following you through all the steps in troubleshooting things THAT is SOMETHING ELSE! You have no clue how much MORE I learn!!
    AWESOME STUFF,JUST AWESOME!!
    thanks as usual for the time and effort you put into it!
    BLESS U

  • @ca7986 4 years ago +4

    You have a lot of patience! 😁
    Amazing video as always!❤️

  • @hardikmalani2180 4 years ago +11

    Blunder was my first box :)
    Solved it yesterday
    Copied everything from RUclips
    But it's a great deal
    ;)

  • @vonniehudson 4 years ago +3

    @ippsec: thanks for the Github issues trick. That was very insightful. You mentioned it at 01:01:53

  • @abdosama 4 years ago +5

    First view first comment, i always learn from your videos, thank you

  • @lc5813 4 years ago +12

    hey ipp, I was wondering how do you guys clean up machines you hacked after an assessment. Any methods you want to show on a next hackthebox machine? thanks for the great content ;)

  • @loganmay2105 4 years ago +2

    I think there is a small issue with your code, if you were to get a CSRF error that password would never be tried against the login since the error is with the token not the credentials. The fastest way to fix this would just be to convert your wordlist into a list when it's imported and then:
    if r.status_code != 200:
        print("CSRF Error")
        wordlist.append(password)
        return False
    This way you would try it again after going through the rest of the list, and keep retrying any you got an invalid CSRF for. I could have missed something in your code though lol so sorry if I'm mistaken. Great video as always.

  • @buhaytza2005 3 years ago +1

    Wouldn't it be easier to get the CSRF token and instead of extracting the cookies just to set up r = requests.Session() and then it retains all the cookies?

  • @kret63 4 years ago +3

    That three tens Dude! I laughed and screamed!

  • @marcusflodkvist7423 4 years ago +4

    NOOOO, I just started with this box. I even found the csrf bruteforce method.....
    Ohh well, I'll just have to watch this....

  • @Ms.Robot. 4 years ago

    Well done! Bravo! 😍💝 applaud, applaud.

  • @alimujtaba9063 4 years ago

    One day I will come to your channel and do all machines ❤️ Thank you, love from Pakistan. Now working on basics.

  • @ertertz9408 4 years ago +7

    I was so unbelievably stuck on root, I took TWO MONTHS (I mean I did take two long breaks because I got demotivated as fuck). I don't know how I managed to take this long, I even KNEW ABOUT THE SUDO BUG AND THE AFFECTED VERSIONS.

    • @shayboual1892 4 years ago +1

      If you look through shaun's files, u can find a hidden file called sudo as admin successful and a screenshot of him escalating himself to root through hugo's account

  • @crundle2855 4 years ago +2

    oddly enough this box doesn't need that clever bruteforce at all - the foothold password was right there on the page, guessed it on the first try. it really stands out because it's missing some whitespace :)

    • @bugr33d0_hunter8 4 years ago +3

      Way to be Mr.Crundle, nice 👌 cavêąt👍

    • @rujotheone 4 years ago +2

      Didn't notice that. Someone recommended I use Cewl to build a password list. Was about to try that.

    • @hippityhoppitygetoffmyprop1000 4 years ago +1

      Someone just told me it’s camel cased. This method however is so much more unique and interesting.

  • @WashingtonFernandes 2 years ago

    1:09:08 Some Debian/Ubuntu based distros have some aliases to use ls commands; la is an alias for ls -la and there are other ones like ll, l, lh and some more

  • @c1ph3rpunk 4 years ago +2

    ‘la’ is probably an alias on the box. I think most RHEL/CentOS machines come with some aliases like ll and la.

    • @redpanda31337 4 years ago +1

      Should check out the aliases on parrotOS, there are some nice hidden gems in there ;)

    • @NicolastheThird-h6m 3 years ago

      @@redpanda31337 the 'sudo' have some very good aliases

  • @TheQuest07 3 years ago

    I cannot upgrade shell. How can I upgrade this?
    I used metasploit for the file upload vuln
    python3 -c ‘pty;pty.spawn(“/bin/bash”)’
    ctrl + z
    background channel 0? [y/N]
    y
    meterpreter> stty raw -echo
    Unknown command: stty
    So I background again and now in
    mfs6 exploit(linux…..blahblahblah)>
    I try stty raw -echo here and the lines go funny. Instead of a new line under, it is beside the old line.
    I try stty rows 16 columns 136 but nothing changes.
    fg also does not work…
    I cannot get stty raw -echo to work, and therefore export TERM=xterm does not work either
    I get it will work if I do the exploit manually, but i would like to know how to do this for future problems
    Thank you for your help everyone and thank you for the videos @IppSec

  • @mayankdeshmukh8752 4 years ago +2

    Hey ipp, why don't you try "hashid" tool, it gives jtr format and hashcat mode based on the hash ;)

    • @itzkoushik3233 4 years ago

      legends dont buy , they hack them up .

  • @8668maroto 3 years ago

    TY for this videos!!!

  • @bernasevinc5259 3 years ago

    Where can I download this parrot? I couldn't find it on the internet

  • @tamilxctf4075 4 years ago

    Noice bruh!!!😏🏅🎃

  • @raycharles6240 3 years ago

    For some reason this box is giving me different results. First Metasploit and meterpreter worked, then all of a sudden it didn't anymore. Weird.

  • @chandrakanth4241 4 years ago

    I saw the first video on youtube with zero dislikes, NICE. I thought there are bots which will just randomly dislike videos.

  • @MrMeLaX 4 years ago +1

    Thank you.

  • @lercenico8260 4 years ago +5

    1:09:12 -> la is alias for 'ls -A'

    • @arachn1d13 3 years ago +1

      which in turn is the output of "type la" :)

  • @m_peter1514 4 years ago +1

    thank you so much

  • @shayboual1892 4 years ago +3

    Me (who spent hours on this machine and only managed to get a www-data shell) when you searched blundit :
    What a fool

    • @shayboual1892 4 years ago +1

      I just finished the video and I realised the only thing I needed to do was put best64 rules in hashcat. That's so annoying. I even knew about the sudo part since there are hints in the box you can find with good enumeration. This was my first box as well and I was so close to doing it

    • @redpanda31337 4 years ago

      @@shayboual1892 i just searched the hash in google, first result was the password.

    • @shayboual1892 4 years ago

      @@redpanda31337 huh, never thought of doing that

    • @luisito7018 4 years ago

      hahaha it happens

  • @rujotheone 4 years ago

    Nooo. I just started this box. Couldn't get the password. My list was not sufficient

    • @rujotheone 4 years ago

      @@johncollins9466 got the password but I got stuck at bruteforcing. Seems the CSRF token was the issue. Now watching this video

  • @0xmmn 1 year ago

    how is this box rated as easy?

  • @thepioneer517 4 years ago

    Why don't you use cherrytree anymore? You made more notes in the last few videos...

    • @bugr33d0_hunter8 4 years ago

      🍒 cherrytree got spanked. It's not the runner up anymore.

    • @cimihan4816 4 years ago

      @@bugr33d0_hunter8 what do you recommend better than that or equivalent to it?

    • @karimmohamed3744 4 years ago

      @@cimihan4816 joplin

  • @h4cker_io 4 years ago

    thank you

  • @mehmetux4186 4 years ago

    I never understood the X-Forwarded-For header, or when this header is written on the internet. I read some documents that say the proxy server writes it to follow the IP address, but it should be different, I think. Can anyone say how it works? Which application or layer writes the IP address in this hidden layer?

    • @DHIRAL2908 4 years ago

      It basically tells the server that this request was forwarded (or made) by this particular ip. Without this header, the server can just see the sender's ip on the request like the address on a letter. But specifying this leads some servers to believe it!

    • @mehmetux4186 4 years ago

      @@DHIRAL2908 Thanks, friend. I am trying to understand when the IP address is written there and which application is doing this job. When the request goes out of the browser or my machine, this header doesn't show. And we also saw in this video that in Burp this header can't be seen. But he wrote it manually.

    • @DHIRAL2908 4 years ago

      @@mehmetux4186 yeah that is because we can manually write the header in the request to confuse the server to think this was sent by someone else. Basically not the same ip as before leading to bypassing the ip ban!

    • @mehmetux4186 4 years ago

      @@DHIRAL2908 But when we don't write it manually, our IP address is also written by something, because the server knows our original IP address when we don't write it manually. I want to learn when and which app is writing it automatically.

    • @DHIRAL2908 4 years ago

      @@mehmetux4186 it's pretty rare to see a browser writing it automatically. It maybe happens if you have a proxy and the server wants your machine's own ip maybe to send something....
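
The header behaviour discussed in this thread, seen from the server side, as an added example that is not from the video or from any commenter: a failed-login throttle keyed on the raw header value, next to one that reads X-Forwarded-For only when the request arrives from a trusted proxy. The proxy range, the addresses and all function names are constructed for illustration.

```python
import ipaddress

# Assumption for this sketch: only our own reverse proxy may set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed range
MAX_FAILURES = 3

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_ip(peer_addr, xff):
    # The behaviour described in the thread: believe whatever the header says.
    return xff.split(",")[0].strip() if xff else peer_addr

def client_ip(peer_addr, xff):
    # peer_addr is the TCP source address, which the client cannot choose.
    # The header is read only when the peer is a trusted proxy, and then from
    # right to left, so entries the client supplied itself are never reached.
    if not xff or not is_trusted(peer_addr):
        return peer_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: fall back to the peer address
    return peer_addr

class LoginThrottle:
    def __init__(self, resolve):
        self.resolve = resolve
        self.failures = {}

    def record_failure(self, peer_addr, xff=None):
        key = self.resolve(peer_addr, xff)
        self.failures[key] = self.failures.get(key, 0) + 1

    def is_blocked(self, peer_addr, xff=None):
        key = self.resolve(peer_addr, xff)
        return self.failures.get(key, 0) >= MAX_FAILURES

def simulate(resolve, attempts=5):
    # Constructed input: one direct client, a different header value each time.
    throttle = LoginThrottle(resolve)
    for i in range(attempts):
        throttle.record_failure("203.0.113.7", f"198.51.100.{i}")
    return throttle.is_blocked("203.0.113.7", "198.51.100.99")
```

With `naive_ip` every failure lands on a different key and the client is never blocked; with `client_ip` all failures count against the real peer address.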

  • @muratkacmaz789 4 years ago +1

    wow 😱😵

  • @giuliom126 4 years ago

    Uff! Finished just 3 days ago

  • @Alkiiis 4 years ago +2

    I didn't even need to bruteforce; I found the username in /todo.txt and the password was hidden in the first article. :)

    • @Alkiiis 4 years ago +1

      @Pedro Abreu Yes, this would have been my go to plan but the password was hidden way too obvious, so no need for bruteforce.

  • @fatherdani 4 years ago

    'la' is an alias of 'ls -A' in .bashrc

  • @miguelmota9714 4 years ago

    Why would you use cewl instead of already known password lists like rockyou?

    • @Xx-nd1rs 1 year ago

      I think it will take long

  • @antoniob.6515 7 months ago

    Supreme, but I can teach you how to use Vim 😊

  • @csmole1231 4 years ago

    I just had a really weird dream! a woman doesn't like me, she step back and grab a screen out of her purse, that screen has a red warning background with some lines of code on it, she flash the screen in front of my eye, and all of a sudden my eye hurt then go blind and i fall onto the ground and start shaking then i wake up 😂
    the first thought i have is being very pissed at myself: "why the heck would you execute that!"😂lol

    • @csmole1231 4 years ago

      i can't quite remember why that woman doesn't like me :/
      we were relaxing at some beautiful park then i asked something resembling "so what hashes do you like"😂😂😂😂

    • @nonasuomynona1734 3 years ago

      @@csmole1231 interesting

  • @dwpersGC 3 years ago +1

    Love your videos, but man this one was agonizing to get through. You were flying way too fast and making so many mistakes with typing. Missing the alias for 'la' and so on. It's the first time I wanted to stop watching one of your videos. With all that said, still big ups to you for working through this and posting it. Just remember that slow is smooth and smooth is fast.

  • @LarryTheRoleplayerTM 4 years ago

    Fucking painful to watch man... Seriously, slow down and make sure you're typing the right words.