I'm feeling so nostalgic watching your video. The first time i watched your RUclips channel, i was a software engineer dreaming about knowing how to pwn boxes. 1 year after, i have oscp and currently work as a professional pentester.
Thank you a lot for this amazing content, you have no idea how many of us consider you as our "hack daddy" 😂 !
congratulations man.
13:30 Does anyone else just scream “file!!! Not fule!!” at their screen? My wife asked me who am I arguing with 🤣🤣
20:12 cursor was right there!!!
ippsec and his tunnel vision :D
Thankfully that’s not the issue hahaha
@@ippsec still… the OCD kills me. Further down the road: cookes 🤣🤣
Great content though, troubleshooting an exploit is hard for us script kiddies and you doing it live helps expand the mind map. Not just inserting print statements but showing us how a more functional exploit could be built on the back of what you found on searchsploit. BTW, ever thought of doing what John Hammond did and do a bit of reverse engineering on a video for the Kaseya ransomware code? With the level of detail you showcase it should be interesting to follow the thought process 🤷♂️
As everyone else has said: thank you for the content, I was itching for your video - even after a bike (motorcycle) ride as I am still struggling with the damn Writer box 😡
@@djjoaosarmento tbh it just shows that our insecurities are warranted. That’s why I am not fast. I check every command twice before hitting enter - most of the time still doesn’t yield the desired result because I got the wrong exploit but at least I know it’s not because of a typo
You know by putting both your time & effort making such content u will be forever in our hearts …. Keep it up champ ..
Thanks i had fun making the box
The end of the video with debugging the exploit is just awesome! I mean, how many of us stop after rooting the box to understand what could've been done differently? Where did it fail and why? Where did it work and why? These extra steps are what almost everyone misses when trying to get better in this cyber sec world... KUDOS as always Ippsec... just love your videos, they really teach me tons!!!
I always feel like a Fule when I notice I have a typo in a command....
IppSec you have been my teacher since I started with HTB! Thank you for all your videos
Awesome video. I have stopped wasting my time on social media and Started watching your videos. You are awesome
Thank you for all the good content! Stay safe and well!
I love your videos man, keep up the good work ;)
Thanks for all your content and tips, will definitely keep your words in mind for next time.
3:21 This is the syntax: `sed -z 's/\n/,/g'`
You have to specify the -z flag
You can use the tr (translate) command for getting the ports on one line: `tr "\n" ","`
I mentioned you in my AWS interview for a position on their RED Team. They knew who you were and asked me what I found so interesting about your videos. I told them your videos are like plugging into the Matrix and downloading vast amounts of information in a small amount of time.
Awesome, great to hear! Hope you get the job!
Hi IppSec and guys, I am running into some issues while running WinPEAS (Basically on Windows). Just like you mentioned at 46:56, what are some other methods of executing it?
What’s the error or issue you are having?
I think when using the 2to3 program, it shows the changes that should be applied to convert it to py3, but doesn’t actually write anything to the file, there’s a flag that I can’t remember you need to supply in order to actually write the changes
53:58 Why use an MSI? Is it because AlwaysInstallElevated automatically uses SYSTEM / administrator to install the MSI?
Living-off-the-land.
I think your idea of returning something from functions is just healthy programming. I can't imagine how painful it is debugging scripts that don't do that at scale.
I guess the video is old? I did the box the day before it was retired and on 06/05/2021 a new exploit (EDB 49843) was published that lets you bypass the admin authentication for the voting system. But this also means that you miss the SSRF completely.
what i learn from this video is the phrase _"speak of the devil"_
Great video! I got a foothold in a different way. I noticed there was a SQLi in the login form, then I used sqlmap to spawn a shell. To get the complete location of the website in the file system, I had to generate an error in the login form.
not sure why `cme` doesn't work like yours.
You could use rustscan to speed up your nmap enumeration.
Any idea why we can't execute msi files while connected via winrm?
I found Phoebe's password in the web server config files and connected via winrm. I spent forever trying to execute an msi file while connected via winrm but it would not work.
Could someone please explain why we fuzzed those ports using the file scanner request and the significance of port 5000?
Look up SSRF vulnerability. Nothing special about port 5000, it's just serving a HTTP webpage but port 5000 is forbidden, but not when the connection is from the internal network (that'd be SSRF).
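The reply above describes the SSRF shape exactly: the file scanner fetches whatever URL it is handed, so a port that the outside world is forbidden from reaching (5000 here) is reachable once the request originates from the server itself. The defender-side fix is to validate the destination before the server connects. The block below is an added example, not code from the video, the box or this comment; it assumes a policy of "public web ports only" (ALLOWED_PORTS), the hostnames in STATIC_TABLE are constructed so it runs offline, and 8.8.8.8 is used only as a well-known public address for sample data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not from the video, the box, or the comment above): a validator that a
# server-side "fetch this URL" feature runs before connecting, so the fetcher cannot be
# used to reach loopback/private hosts or ports that are blocked from the outside.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}          # policy assumption: only the public web ports

# Constructed name table so the example runs offline; a real deployment would use
# resolve_with_dns() and then connect to the exact address it validated.
STATIC_TABLE = {
    "www.example": ["8.8.8.8"],            # stands in for a public host (sample data)
    "intranet.example": ["10.0.0.5"],      # private address
    "localhost": ["127.0.0.1"],
}


def resolve_with_dns(host):
    """Resolve host via the system resolver; returns a list of address strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_static(host):
    """Offline resolver for the example: table lookup, or an IP literal resolves to itself."""
    if host in STATIC_TABLE:
        return STATIC_TABLE[host]
    ipaddress.ip_address(host)       # raises ValueError for anything that is not an IP literal
    return [host]


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 checks apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url, resolver=resolve_static):
    """Return (allowed, reason); allowed only if scheme, port and every resolved address pass."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolver(host)
    except (OSError, ValueError):
        return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://www.example/scan", "http://www.example:5000/",
                      "http://localhost/", "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(candidate, "->", check_fetch_target(candidate))
```

The check resolves the name and judges every returned address, because a hostname (or an odd IP spelling like a hex literal) can point at loopback even when the URL text looks harmless. The remaining gap is DNS rebinding: a name can answer with a public address during validation and a private one at connect time, so the fetcher should connect to the address it validated rather than resolving the name a second time.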
Ty🙃
Thank you so much ❤️
Super video...❤️❤️🤟
Respect.
Scan+Fule?
Nice one btw for removing newlines you can use tr
A solution to your Google'ing problem, instead of going to google.com each time, you can press the down button on your keyboard, or click the google icon and it will search in google. Or you can start the searches with @Google
Hope this helps a little
Could you have uploaded the magic bytes to an image and then uploaded a reverse shell that way?
He has another week to fix his Google search, guess he doesn't have the time though.
I think using scripts on the user exploit was a long journey in my eyes; the easiest thing here was just to upload a script manually imo. I didn't catch the root esc so just user for me on this one :/
File , Not Fule
First View!!
Lmao our legend still hasn't fixed his Google search
Keep us waiting huh?
The exploit uses a session.post; setting a proxy with a session is slightly different than with requests.post. That's why it didn't work. Really like your videos, but sometimes you are a bit hasty and impatient.
ok
>still hasn't fixed his google
/votingsystem/ == /
Fuff faster your Fules.
ippsec when I broke up with my girlfriend.