
HackTheBox - Shocker

  • Published: 3 Aug 2024
  • If you want some more details about the actual ShellShock exploit, check out the Beep Video.
    00:39 - Begin Nmap, OS Enum via SSH/HTTP Banner
    05:00 - GoBuster
    07:08 - Viewing CGI Script
    08:50 - Begin NMAP Shellshock
    09:50 - Debugging Nmap HTTP Scripts via Burp
    11:10 - Fixing the HTTP Request & nmap script
    14:45 - Performing Shellshock & more fixing
    18:25 - Getting a reverse shell
    21:19 - Running LinEnum.sh
    23:00 - Rooting the box

Comments • 77

  • @chrishorner7232 4 years ago +13

    Loved how this was all manual exploit without using Metasploit. Learned a lot, especially as I'm getting ready to take another swing at the OSCP. Really truly enjoy your videos. Thank you for all of these.

    • @deadeye821 2 years ago

      how is ur progress going, do u have OSCP now?

  • @harshitshah254 3 years ago +1

    I am a beginner, never thought that we should enumerate files in forbidden directories. This video inspired me to understand the box completely, and just getting the flags is not important to me anymore.

  • @dothienanduong6642 6 years ago +2

    Couldn't figure out how to do shellshock for this machine. PrivEsc seems simple enough. Thanks for the video

  • @cypress19821982 3 years ago +4

    right now the nse script is modified a bit, so without editing it, you can just simply run it like this: nmap -sV -p8081 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=echo\;/bin/ls 127.0.0.1

  • @abhishekchaudhari970 6 years ago +5

    U gonna get a new subscriber
    Really awesome video with lots of information, keep it up
    Waiting for more videos 😍😍

  • @ITRIEDEL 5 years ago +4

    For priv esc. I just echo'd a little perl script in tmp exec '/bin/sh'; and then ran it with the perl path and was dropped into root. Thanks for the help on getting shell. Modifying NSE script never crossed my mind.

  • @asaf158 6 years ago +1

    thank you for doing it, I'm only a beginner. love your channel!

  • @learningwithtom4104 6 years ago +3

    Really helpful man. I went through the same process but still learned a lot of new things. Keep it up.

  • @JeanFredson 5 years ago

    Thanks for all the videos, I'm learning so much!

  • @samuelpua9771 6 years ago +1

    The newline thing on Vim is something I had issues with as well. The way to insert new line is to replace with
    instead of
    , which is counter-intuitive but works

  • @nelson1587 6 years ago +3

    Hey Ippsec, great content as always. Can you do videos on DVWA or Mutillidae, I know there are already videos out there on these but rarely on the high difficulty levels and they don't explain it the way you do. Cheers!

  • @shuplitz2257 3 years ago +4

    Thanks for the video, really helpful.
    I have a question. At around 9:40 when the nse script comes back with a negative result, how do you know that you need to stay on this trail still and investigate further?

  • @ddupreetv2233 4 years ago +1

    Thanks for bailing me out again on another box! lol Awesome videos!

  • @lumenknotty6355 1 year ago

    Very fun box!

  • @hokkaido8611 6 years ago +10

    Tyvm for all ur videos, they help a lot.
    What about a stream doing an old box? Or just a full video so we can see ur real steps.
    Have a good day!

    • @ippsec 6 years ago +3

      Few things that make it difficult. The main issue of doing a "Live Recording" is finding a backlog of good machines to do that I'm not already familiar with, since there isn't a point to doing the stream if I know the path beforehand. VulnHub doesn't really have consistent quality or a rating system, so in order to identify if the machine is good to stream, I need to familiarize myself with it.
      The reason why I don't really stream is it's just too hard to keep a schedule. I don't want to just go live at random times and can't just block 2 hours of time every to do a stream.

    • @ippsec 6 years ago +4

      That's like 5-6 month wait, no way will I like me from 6 months ago. Constantly improving ha.

    • @Kay-fw5pw 6 years ago +1

      we would love to see it though; even if it was a 10 hr video. I'll gladly add YT timestamps in the comments for the impatient peeps. Again: thank you for what you're doing :) some of my career is thanks to your vids

  • @DrFadi 6 years ago +36

    Thats the easy one? phew..........

    • @thecast9864 4 years ago +1

      @Nate Ward I really hope he responds, I wanna know if this stuff ever gets any easier

    • @zigginzag584 4 years ago +1

      @@thecast9864 It gets easier if you abandon trying to hack and focus on coding. I don't care what language so long as you stick to mastering one of them. Recommendation: Python+MySQL+GoLang in that order. This should take you, realistically, 2 years of consistency to become highly proficient. By Consistent, I mean learning something every day and spending not less than 1 hour a day up to 18 hours a day working on it.
      These tutorials are for people that know the language already, so if you watch and you don't know at least kinda, sorta what comes next, go back to the beginning of what I just wrote.
      Good luck! There's half a million jobs in the US alone waiting for more (you)'s.

    • @sefterm-zade9744 3 years ago +1

      @@zigginzag584 ouuu. you're the one I'm looking for as a friend. thanks man.

    • @zigginzag584 3 years ago

      @@sefterm-zade9744 You're welcome. If you're more of a visual learner than an auditory, maybe go with JavaScript to start and you will learn HTML/CSS in the process as you build web apps. Like I said, it doesn't really matter which language you focus on, but consistency is key. You can find Black Hat Python or Violent Python ebooks for free and they're both written in Python2 so once you get the hang of Python, you can learn a lot by re-writing those "hacking" programs into Python3. I don't know why so many people try to learn hacking before coding, I guess it's more sexy, but it's like trying to learn language syntax before learning basic conversation skills. Good luck.

    • @sefterm-zade9744 3 years ago +1

      @@zigginzag584 I'm a web dev and know JS, JavaScript, Vue, Java. I have a job. But I want to learn hacking. For this purpose I subscribed to HackTheBox and here I am

  • @ahsan-li7sh 6 years ago

    Awesome

  • @jamiettt 6 years ago +1

    really good video. You were trying to get a full shell with that Python code at the start of the video; I had the same issue at first. To overcome it, go to the base directory (cd ../ many times) and then type the code there and it worked. Seen this issue on a couple of machines

    • @ippsec 6 years ago

      Thanks. Definitely will try that next time.

    • @il2626 4 years ago

      Cool. Worked for me as well

  • @zedeleyici.1337 4 years ago

    good job bro

  • @neoXXquick 6 years ago +1

    Do you plan to publish more videos than just retired boxes?

    • @ippsec 6 years ago +3

      Idk. If I did they’d either be purely defensive related or not be free. Hard to find the time to do more

  • @ca7986 4 years ago

    ❤️

  • @lmfao69420 1 year ago

    interesting, shelly is also a part of the LXC group, allowing priv esc that way (creating a linux container in LXC and mounting the host machine onto the container). was that an unintended path or is there just more than one path in this case?

  • @danielelogan 5 years ago

    Which kind of mechanical keyboard do you have?

  • @rainiskey 1 year ago

    Can someone explain why the script in the cgi-bin executed the HTML parameters? Like, how would you be able to tell that it would call it?

  • @jonathanturnquest8105 6 years ago

    When you split the terminal screen what command or package are you using? 21:20 - 21:30

    • @3rg1s 6 years ago

      Jonathan Turnquest he uses tmux. Go check his first video on htb solutions and you will see.

  • @Lokiwho 4 years ago

    It's easy but I got really really caught up with the extensions, I didn't think to use .sh as an extension.. :(

  • @shakirali3647 6 years ago

    Can anyone tell me how to get a shell in Flux Capacitor?

  • @Luuhanx3 6 years ago

    How do you copy/paste in tmux?

  • @anonymousNoob992 3 years ago

    I just solved this box yesterday. I might be too late but I dropped a root shell using the kernel exploit.

  • @thedeegan 3 years ago +2

    How is that an easy one? Jeez...

  • @Swisha85 6 years ago

    Hey I have a question about using the cmd.php shells with $_REQUEST. When I try to curl to the page using a POST parameter to execute the command I get a 405 Not Allowed (nginx webserver). Here's the command I'm using:
    curl -i -X POST "10.10.12.54/uploads/banner.png?0=shell_exec" -d "1=id"
    could it be because of the .png extension? The server automatically renamed it to a .png
    This isn't about Shocker btw!

    • @ippsec 6 years ago

      10.10.12.54? What are you trying to do?

    • @Swisha85 6 years ago

      Hey it's a different server but I'm trying to execute commands to test if the shell is working. I'm using this code here: github.com/jgor/php-jpeg-shell/blob/master/shell.php
      I got the image uploaded but the site renamed the file back to a .png. When I try and send a POST parameter to it the webserver responds 405 Not Allowed.
      Love your videos!

  • @DSAhmed 2 years ago

    ok, i see why my choice of wordlist (/usr/share/wordlists/dirbuster/directory-list*) wasn't finding "cgi-bin" even though it was in the list. Usually you get a redirect to the directory in question, so /cgi-bin (expecting a redirect to "/cgi-bin/"), but nope, it sends a 404. This is good to be aware of. Is there a good way to make gobuster try each item in the list with a trailing "/"?
    -- edit -- HA! nevermind. I found it. Append "-f"

  • @YBFE1853 4 years ago

    I'm new to this. Does anyone know why executing the reverse shell as sally gives root privileges? What does it have to do with NOPASSWD on /usr/bin/perl?

    • @captainfrost24 4 years ago +2

      She does not have root, but permissions to run Perl under the context of root (sudo). You could imagine a lazy, real life admin giving somebody access to run a command under sudo because it's required (tcpdump for example). This is easily exploited because Perl can run system commands, a reverse shell, etc, which will then be under the context of root.

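The reply above explains why a sudo rule for an interpreter is, in effect, a root shell. As an added example (not from the video or any commenter), here is a small sudoers audit script that parses user specifications and flags the rules a defender should review; the sample sudoers text and the list of shell-capable binaries are constructed for illustration.

```python
import re

# Constructed sample sudoers content (not from the box or the video) with the
# kind of rule the reply above describes: a user allowed to run an interpreter
# as root without a password.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
shelly  ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/sbin/tcpdump   # the tcpdump case from the reply
deploy  ALL=(root) /usr/bin/systemctl restart app
"""

# Hypothetical, non-exhaustive list of binaries that can launch other programs,
# so a sudo rule for one of them is in effect a rule for a root shell.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "bash", "sh",
                 "dash", "zsh", "vim", "vi", "less", "awk", "find", "env", "tcpdump"}

ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAG_RE = re.compile(r"^(\w+):\s*")

def parse_sudoers(text):
    """Return (user, runas, tags, command) for each user specification line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        m = ENTRY_RE.match(line)
        if not m:                                     # Defaults, blanks, includes
            continue
        rest, tags = m.group("rest"), []
        while (t := TAG_RE.match(rest)):              # NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            rest = rest[t.end():]
        entries.append((m.group("user"), m.group("runas"), tags, rest.strip()))
    return entries

def risky_entries(text):
    """Flag rules that hand out root in effect: NOPASSWD on ALL, or any rule
    whose command is a shell-capable binary run as root."""
    findings = []
    for user, runas, tags, cmd in parse_sudoers(text):
        if user == "root":
            continue
        runs_as_root = runas.split(":")[0] in ("ALL", "root")
        binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if runs_as_root and ((cmd == "ALL" and "NOPASSWD" in tags)
                             or binary in SHELL_CAPABLE):
            findings.append({"user": user, "command": cmd, "tags": tags})
    return findings
```

Running risky_entries(SAMPLE_SUDOERS) reports the perl and tcpdump rules and leaves the password-protected %sudo group and the single-purpose systemctl rule alone.
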
  • @viky789 5 years ago

    im shocked by the shocker T.T

  • @JamaalJackson81 6 years ago

    whenever you have time can you do a short video on your setup of Burp Suite? I appreciate your videos and normally follow along with my Kali but I'm not getting the same output at the 10:56 min mark. I see all requests except for the shellshock request. I have my listener set to 127.0.0.1 on port 8081 w/ redirect to 10.10.10.56. The nmap script I am running is nmap -sV -p8081 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 127.0.0.1 then turn intercept on but no shellshock ;-(

    • @JamaalJackson81 6 years ago

      nevermind.... reran it again for the third time and now I get the shellshock... anyway love the videos... learning a lot... keep them coming

    • @hedwingzabala868 4 years ago

      For some strange reason, it took 3 tries for nmap to send the actual shellshock

  • @DSAhmed 2 years ago

    2 questions, if you don't mind:
    1) How did you figure out that the nmap script has a "nothing" header that causes it to fail on this box?
    2) Why doesn't the nmap script try each vector individually, rather than all at once? I suppose it's a question for the developers of nmap.

    • @ippsec 2 years ago

      1 - I'm not sure, I believe I just looked at a pcap of nmap and saw what was happening.
      2 - No idea, there isn't much QA on pentest scripts. That's why I try to show how to debug/find things and often show some type of troubleshooting when running scripts.

    • @DSAhmed 2 years ago

      @@ippsec Thank you sir. I appreciate the knowledge share.

  • @demiscuzz6427 4 years ago

    anyone know how IppSec knew to go to /dev/shm?? really wanna know..... watched a few times but can't figure it out.

    • @tutor1989 4 years ago

      cd /dev/shm

    • @demiscuzz6427 4 years ago +1

      Lol, I know how to cd. I just couldn't figure out how he knew that was a good location.. I know now that it's something you need to know. Steep learning curve.

    • @tutor1989 4 years ago

      @@demiscuzz6427 haha sorry my bad. When you asked how to get to /dev/shm stupid me thought otherwise. But yeah, whenever I get on to a Linux box I go there to transfer any files. Happy hacking :)

  • @km0x905 6 years ago

    🖒🖒🖒🖒

  • @randomapperatus3773 3 years ago +1

    I don’t get what about this is easy

  • @jonathanturnquest8105 6 years ago +2

    So easy, what a shocker... [*_*]

  • @SaadiBabar 6 years ago

    i couldn't get the root and it retired... it was so simple damn.

  • @privateger 6 years ago

    I could not, for the love of god, figure this one out.

    • @ippsec 6 years ago +3

      Hopefully showing the status code check, and how to debug some nmap scripts, was helpful then. I believe those are the two main issues people may have run into.

    • @privateger 6 years ago

      IppSec Yup, learned a lot. Thanks for making these videos BTW. Really informative.

  • @mehh5505 6 years ago +2

    shocker was easy

    • @shakirali3647 6 years ago

      HACKER R4J Remember me? The guy who always comments on your videos.
      Did you solve Flux Capacitor? If yes then how did you get the shell?
      I can't find a way to get a shell in Flux Capacitor. Please help me

  • @Cygnus0lor 6 years ago

    Love your channel. This was quick.
    P.S. It's /uɓúːntu/ like ooboontoo.

  • @adaswrath2783 4 years ago

    This was an easy box but this guy just over complicates it. Disliked.