HackTheBox - Magic

  • Published: 21 Oct 2024

Comments • 59

  • @InfiniteLogins
    @InfiniteLogins 3 years ago +2

    "that's there because of... reasons" - Ippsec
    I love this dude.

  • @loremipsum685
    @loremipsum685 4 years ago +2

    setuid + path injection was nice

  • @alexandrataita8331
    @alexandrataita8331 4 years ago

    @IppSec great job. I have been to your channel since I discovered. Am really learning a lot from Kenya. Kudos!!!👍👌

  • @il2626
    @il2626 4 years ago

    It's the first machine on release day i did. Was really proud for being in top 100 xD I liked the root of this machine very much but also your video explained to me many concepts that are behind the machine (why stuff works). thank you for these videos always

  • @AbdennacerAyeb
    @AbdennacerAyeb 4 years ago +1

    Thank you for your efforts open sourcing knowledge.. great job

  • @alvinsmith8420
    @alvinsmith8420 2 years ago

    I think the last PE would only work for something like `popen` or `execv` that open other processes. The bash script can work under popen('div-script ...snip...').
    In other more common scenarios, bash scripts don't honour SUID for security reasons.
    Please correct me if I'm wrong. Thank you.

  • @archangelos7426
    @archangelos7426 4 years ago

    My favorite and most enjoyable box so far !!!!!

  • @somethingamongthebytes9228
    @somethingamongthebytes9228 4 years ago +3

    Great as always! 🔥

  • @mi2has
    @mi2has 4 years ago

    i saw quite a few writeup, this one is cool

  • @mikemutter4521
    @mikemutter4521 3 years ago

    in the SQL " 'or 1=1 -- - " what does the last slash mean? i know double slashes are for comments and when I try it myself it only works if there is a space and another slash and i don't understand why.

    • @ippsec
      @ippsec  3 years ago +2

      A comment is two dashes and a space. Sometimes the webapp will append a and not , so if you don't do it will be inconsistent. In no situation will adding the hurt, it can only help. Just like when I do "bash -c' bash -i ..." it's just a stability thing... The which i use for is just there so you can visually see the space.

  • @disconnect3763
    @disconnect3763 3 years ago

    cool. I like the theme of your terminal.

  • @clarb027
    @clarb027 4 years ago

    Always interesting to see a different (far more technical) way of working. I just used exiftool to embed the php into a jpg and uploaded it to give me command exe.

  • @virtulosity
    @virtulosity 4 years ago

    Thanks for the vids :) - Awesome content

  • @brettnieman3453
    @brettnieman3453 4 years ago

    Curious, if you had code exec through PHP, why do you go for a web shell first? Why not go directly to php rev shell?

    • @huhwhatwho7895
      @huhwhatwho7895 4 years ago

      It's best to step slowly through until a revtcp, sometimes firewalls or routing tables are in place. Thus with a webshell you can step your way up. In practice it's best to leak phpinfo() first and then enumerate which php functions are enabled/disabled. But then again this is a CTF machine so it won't be difficult :D

  • @darshanakhare6676
    @darshanakhare6676 4 years ago +6

    Kali 2020.4 is getting zsh as the default shell, what's your opinion?
    Caught you at 11:22 99s 😜🤭

    • @DHIRAL2908
      @DHIRAL2908 4 years ago

      Haha lol was gonna comment it!

    • @amoghnath3330
      @amoghnath3330 4 years ago

      lol can you mind explaining?

    • @terror403
      @terror403 4 years ago

      i did it, i love it :)

  • @damnmayneunfiltered
    @damnmayneunfiltered 3 years ago

    hope you or some die hard fan reads this:
    can we get a playlist where you go into a box blind? i would do it, but im not as familiar with your entire collection.
    when you go into a box blind, we hear the depth and breadth of your methodologies.

    • @ippsec
      @ippsec  3 years ago

      A lot of the easy boxes, i go at it blind

    • @damnmayneunfiltered
      @damnmayneunfiltered 3 years ago

      @@ippsec thanks. should be no problem putting together a good playlist.

  • @h8handles
    @h8handles 3 years ago +1

    it is funny seeing this after the 9 year sudo vuln was released. He said @ 37:00 he can't exploit it because we don't have access to sudo....yes you do as we now know.

  • @ЮрийСтражнов-ч6ь
    @ЮрийСтражнов-ч6ь 4 years ago +1

    the content type was screwed up because of that uglish burp, which tends to pop up and become the main window even when you fcn don't ask it to. and all typing goes there spoiling everything. I've seen this so many times.

  • @trashandchaos
    @trashandchaos 4 years ago

    You can use the -b flag on strace to specify syscalls, i.e. strace -b execve.

  • @panosklainos3031
    @panosklainos3031 4 years ago +4

    There is actually an easier way of uploading a shell by using exiftool to write the code in a real image.

    • @padaloni
      @padaloni 4 years ago

      That sounds interesting. can you give me a simple example of how to do that?

    • @panosklainos3031
      @panosklainos3031 4 years ago +1

      @@padaloni I just used 'exiftool -Comment {php code} image.png'. Notice that this only works with the png extension and not jpg or jpeg. I think it's a way easier method and I never would have thought about adding the magic bytes.

  • @aharonmo4188
    @aharonmo4188 4 years ago +2

    Why you don't use kali?

  • @nicoswd
    @nicoswd 4 years ago +1

    There's actually a second way to get to upload.php. While it's password protected, they're just doing a "Location:" redirect without exiting the script afterwards. So I just removed the redirect header from the response in Burp

    • @jannmoon
      @jannmoon 4 years ago

      Smart man, I went the unnecessary extra step by changing it to "200 OK" and really thought I was foolin' my browser 🤷‍♂️

    • @nicoswd
      @nicoswd 4 years ago

      @@jannmoon While I fooled mine, I guess yours was a lot less confused about that response 🙃. But nice to see someone else caught this bug too!

    • @NytNaatitaan
      @NytNaatitaan 3 years ago +1

      Did the same :)
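
The bug nicoswd describes above, as an added example that is not code from the box or from the video: a PHP login gate written the vulnerable way (Location header, no exit) and the fixed way. The file names, the `$_SESSION` key and `render_upload_page` are assumed.

```php
<?php
// Added illustration, not the box's real upload.php. Names assumed:
// login.php, $_SESSION['user_id'], render_upload_page().

function render_upload_page(): void
{
    // The protected content; in the box this would be the file-upload form.
    echo '<form method="post" enctype="multipart/form-data">...</form>';
}

// VULNERABLE: header() only queues a response header, it does not stop
// the script. Execution falls through to render_upload_page(), so the
// 302 response carries the whole protected page in its body. Any client
// that does not act on the Location header simply reads that body.
// Rewriting the status line to "200 OK" changes nothing: the leak is the
// body, not the status code.
function gate_vulnerable(): void
{
    session_start();
    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php');
        // missing exit
    }
    render_upload_page();
}

// FIXED: terminate the script right after issuing the redirect, so the
// 302 goes out with an empty body and the protected code never runs for
// an unauthenticated request.
function gate_fixed(): void
{
    session_start();
    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php', true, 302);
        exit;
    }
    render_upload_page();
}

gate_fixed();
```

To confirm the fix on a deployed page, request it without a session cookie using `curl -i` (which does not follow redirects by default) and check that the 302 response has an empty body.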

  • @Ms.Robot.
    @Ms.Robot. 4 years ago

    Thank You sweetheart 💗🥳

  • @dinbabush6472
    @dinbabush6472 4 years ago

    Love it!

  • @leon1985ist
    @leon1985ist 4 years ago

    Hi Ippsec, a few questions and advice you could give here, hope not to bother. I am a big fan here, am starting to support, and trying to get my PC build on. I just want to have the same environment. So first, I have 16 RAM, should I put more RAM? Other question, you use the CRACKING you say is a different machine, do you run a Linux base system on it or is it another virtual machine? And is it a good idea to run Linux as a base system on a PC or not? Hope you can understand my silly question, hope to have advice about them, thanks

    • @jannmoon
      @jannmoon 4 years ago +1

      I know you didn't ask my opinion but here ya go anyways. I have 32 GB and haven't really seen it all burn up yet (besides hashcat getting my CPU to 90 C) - last year with 16 it did slow down some. 16 is near perfect but 32 is flawless for me. Got into VPS and I love it, especially with all the credits for free from AWS and Google Cloud etc. I use it for any web heavy directory fuzzing for bug bounties and the speed and lack of IP bans is great. Finally I use Kali as my main OS and it died a lot at first, then as soon as I finally started making 2-3 backups, no issues. It can be done but be prepared and back up stuff regularly, Windows workarounds are kinda necessary sometimes so I kinda wish I kept it as a dual boot instead of full Linux. Oh well!

    • @leon1985ist
      @leon1985ist 4 years ago

      @@jannmoon how do I get a VPS? What does it stand for?

  • @picious
    @picious 4 years ago

    !!!! Magician !!

  • @ayushprajapati2630
    @ayushprajapati2630 1 year ago

    I thought it was gonna be a magic video after he said "i am doing magic"

  • @laurenzkaml3864
    @laurenzkaml3864 4 years ago +2

    Could u just enter the username “admin-”? That should in theory do the job 🧐

  • @aneeshnadh5377
    @aneeshnadh5377 4 years ago

    How to set up the OS you are using?

    • @MohmdSy5
      @MohmdSy5 4 years ago +1

      github.com/theGuildHall/pwnbox
      I guess this is what you're looking for

    • @MohmdSy5
      @MohmdSy5 4 years ago +1

      It’s a collaboration between Hackthebox and parrotOS

    • @aneeshnadh5377
      @aneeshnadh5377 4 years ago

      @@MohmdSy5 thank you

  • @laurenzkaml3864
    @laurenzkaml3864 4 years ago

    👍👌

  • @IvanRandomDude
    @IvanRandomDude 4 years ago

    Site vulnerable to the most basic sql injection in 2020 omegalul.

    • @Xbotto
      @Xbotto 4 years ago

      found the same broken login irl in 2018 kekw

  • @user-fp6dt1os1l
    @user-fp6dt1os1l 4 years ago

    I swear I've seen this one before... am I going mad?

    • @imperium305
      @imperium305 4 years ago +1

      Don't think so, he has done a bunch of magic byte trickery boxes in the past though

  • @jack_brannan
    @jack_brannan 4 years ago

    Thanks.
    To semicolon be very nice

  • @xyhard8603
    @xyhard8603 4 years ago +1

    First?

  • @somasaha7934
    @somasaha7934 4 years ago

    can you tell me please, how to make the parrot window screen !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    • @deepb5204
      @deepb5204 4 years ago

      curl parrot.live 😛