As always, thanks for these videos !
Ippsec rocks! 🙂 Awesome video as always! I liked the end. I didn't know about the privileges with cron jobs either. Thank you for your content!
At 12:24 you can get rid of "==" by running echo -n
Thanks dude
Very cool man.. I can't believe I never knew about the ~C dropping to the ssh shell so you could port forward from there. Very handy, thanks!
Great content as always. But as you mentioned, the ssh would only work if the /root/.ssh folder existed, but as we can see at 30:14, the sattrack binary created any folder if it didn't exist already. So, I think it would still work.
I'm not getting a rev shell in the Zipping machine after bypassing the upload vulnerability... can anyone help me?
sudo -l
Root was fun in this box 😮 and strange way to get shell😀 fun box thanks 🔥♥️
as always excellent video. I learnt zillions of things thanks to you !
That is really interesting. I wonder if this raw SQL from the client is the same when other SQL servers are connected. Like I thought there was some built-in database, and you could also specify another for some data. I could really see it happening where people didn't know this and connect to a database that accidentally has more important info. I had no idea about the copy command and that you could get bash command execution from it.
When I initially created the box I tested it with MySQL and it was exactly the same. The effect was not as dramatic as here but you are still allowed to query the database however you want.
Oh, Ipp, I regret not starting to do free retired boxes way earlier. Could've done them since at least February 2021. If I had started back then I would have completed over 100 boxes! Probably would have enough knowledge to ace OSCP.
Certainly would - With all the videos you have been watching, it wouldn't surprise me if you're in better shape for the OSCP than you think.
@@ippsec Thanks for the pep talk ❤
I couldn't see the /api/ds/query request in grafana when I did this box, not sure why but I think the request must be inconsistent or cached.
It's crazy, ippsec is too much. It was so cool looking at the horizontal privilege escalation 😮
Thank you for awesome video 👍
We were missing your videos❤❤
This was well thought out.❤
Great vid my mentor.
16:38 how did you open the ssh> prompt? What keystroke??
Hit enter, then the first thing you type is ~c
Always been wondering why you have to base64 encrypt when trying to get a reverse shell using burp? I mean all the commands before were plain text.
You don't have to, but where my commands ran, I was already inside of a " and ' -- which means if I wanted to use those characters I'd have to escape them. I rarely get the syntax right the first time in that scenario. For example, escaping " could be \", or if I have to escape the \, it could be \\\", and it's just painful to keep track of all the quotes/escapes. When that fails, there are multiple reasons why it failed and operator error is high on the list.
So to make it easy, I first try encoding the command which removes the ". If it does fail, then the super likely reason to why it failed is that | is a bad character and I can move onto another way like using curl to drop a file and execute a file. If it failed with quotes there is just more troubleshooting I'd have to do as I don't know exactly why it failed.
@@ippsec thanks for the explanation
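As an added example (not code from the video or from anyone in this thread), the encoding trick IppSec describes above in POSIX sh: the real command is base64-encoded so the string that lands in the injection point contains no single or double quotes, and the only metacharacters left are the pipes of the decode-and-run stub. The `run_on_target` function is a constructed stand-in for the vulnerable application, and the sample command is made up for the demo.

```shell
#!/bin/sh
# Added example, not IppSec's code. Assumes a POSIX sh and a base64 binary
# on both the attacker and target side (GNU or BSD coreutils both work).

# Encode a command and wrap it in a decode-and-run stub. The base64
# alphabet is [A-Za-z0-9+/=], so the result never contains ' or ".
b64_payload() {
    _cmd="$1"
    _enc=$(printf '%s' "$_cmd" | base64 | tr -d '\n')
    printf 'echo %s|base64 -d|sh' "$_enc"
}

# Exit status 0 when the string has no single or double quotes, i.e. it
# can be dropped inside an existing "..." or '...' without any escaping.
quote_free() {
    case "$1" in
        *\"*|*\'*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Constructed stand-in for the target: it hands our input to /bin/sh -c,
# and stdout is where a real injection would show its result.
run_on_target() {
    sh -c "$1"
}

# Demo with a command that itself needs both kinds of quotes.
cmd='echo "it'"'"'s ok"'            # the shell sees: echo "it's ok"
payload=$(b64_payload "$cmd")

quote_free "$cmd"     || echo "raw command contains quotes:  $cmd"
quote_free "$payload" && echo "encoded payload is quote-free: $payload"
run_on_target "$payload"
```

If the injection fails after this step, the `|` in the stub is the next suspect, which is the fallback IppSec mentions (drop a file with curl, then execute it). Two practitioner caveats: the `+`, `/` and `=` characters in base64 are significant in URLs and form bodies, so URL-encode the payload when it travels in a query string or `application/x-www-form-urlencoded` body; and `printf '%s'` is used instead of `echo` so the encoded command carries no trailing newline, which changes its length and therefore its `=` padding.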
Push!