The box content is pretty good, I already completed the machine on the first day of release.
Ty for showing us the fingerprint with GitHub, learnt how to make an alias with a fantastic example ❤
Ipp, you are alright. Don't go to school tomorrow
Because tomorrow will be Sunday and the school's gonna be closed
Don’t go to school ever again.
So glad winter is coming. Hopefully we just get snow days and not white walkers.
Will the happening forum post be posted tomorrow on HTB forums?
😭😭😭😭
Thanks a lot bro, without your videos I really wouldn't have understood how and why everything worked.
Thank you for all your videos! ❤
CVE-2023-4226 requires "authenticated attackers with learner role".
In the GitHub example, it was completely unauthenticated. The description of the GitHub repo also shows that it was for CVE-2023-4220, which is a stored XSS attack (which this very much is not).
So, which exploit was even used? Did a random GitHub repo for an unrelated authenticated exploit just happen to work unauthenticated? If so, that's one HELL of a misclassification, and results in quite the increase of the CVSS rating o_O
It's CVE-2023-4220. It's an unauthenticated upload and has a CVSS of 8.1.
Stored XSS is mentioned because if execution is disallowed from the uploads folder, you could still serve XSS out of it.
Why do I feel so frustrated while watching his video? Btw thanks for the great content.
Thanks for the githunt
When I ran the command `ln -s /etc/sudoers`, then the `sudo /opt/acl.sh` command, a few seconds later my sudoers at /home/mtz was gone. I tried with the /etc/passwd approach as well, and the same thing happened, my stuff keeps getting deleted.
Hello ippsec, can you help? BloodHound is showing 0 percent upload while it works fine on other files. I used Windows to execute SharpHound remotely and tried uploading it but got an error. Can you help?
I’m two months into learning pentesting and installed VirtualBox & Kali on a drive. I’m always getting “all ports are being ignored” messages when running nmap even though I get an IP for my machine and a target IP. I hate Pwnbox because they only give an hour per machine. Anyway, I’m stuck.
If you are connected to the VPN, chances are you aren't running nmap with sudo.
@ What do you mean by “I’m not running nmap with sudo” if I’m connected to the VPN? You mean a command like [sudo nmap -sV etc..] won’t work when connected to the VPN?
@lendumore You need to be connected to the VPN (leave a terminal with that open) to get access to the HackTheBox machine (test that you can reach it with the `ping` command). If the ping does not succeed, the error is with the VPN connection.
After you have tested that you can reach the machine, run the `nmap` command (maybe you need to run it with sudo in front to get the required permissions) without closing the VPN (remember, the VPN is needed all the time to reach the VM).
Never really heard of this issue before, & at the same time I'm not a big fan of VirtualBox. I would recommend you try switching to VMware. I am pretty sure you won't face that issue.
@ Ok. I’ll try it. I hear people talking more about VMware anyway. Rookie mistake 🤷‍♂️
Is there any other way to root (other than the symlink)? I tried this but it failed (error: only files are allowed ...).
`export pwd=../../`
This will make ~ = ../../ so when you do `cd ~` this will be like `cd ../../`.
It bypassed the first if but not the last );
King
Wow!
thanks
Push!
I love attacking more than defending 😂
Why do we use githunt?
How is it helpful?
Without knowing the version of a web application, how do you know what exploit to throw? Yes, you could just blindly use them until they work but without knowing the version you don't know if it should have worked.
There are plenty of times when the public POC fails because the server configuration is slightly different. So if you pull the version, confirm it is likely vulnerable, you can be somewhat confident digging into the exploit when it fails won't be a complete waste of time.
@ippsec But you did not care about the version,
you just used the first link.
@fadiallo1 I showed the way I expected most people to solve it, then showed a more optimal way I would go about it.
@ippsec And the second way is about knowing the version, and not the first link?
But
No. Watch the video again please, I explain it. It’s not needed for this box, but it’s still a good skill to learn.
Obtaining version information of software simply helps troubleshoot or find vulnerabilities. Imagine you drive a car made in 2022. There’s a recall for models prior to 2021; since you know the version you can ignore the recall instead of wasting time with it.
If there wasn’t a public exploit but you looked at the changelog on GitHub and saw a security change, you’d know if the webserver was vulnerable to it.
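The reply above argues that knowing the exact version tells you whether a fix in the changelog applies before you spend time on it, and the "fingerprint with GitHub" technique mentioned earlier in the thread is how that version is usually recovered: hash the public static files of every tagged release and match them against what the server actually serves. The script below is an added example illustrating that idea; it is not code from the video or from any project. The version numbers, file paths and file contents are constructed for the example (they are not Chamilo's real files or hashes), and `FIX_VERSION` stands in for whatever release the changelog says shipped the security change.

```python
"""Version fingerprinting by static-asset hashes (added example, constructed data)."""
import hashlib
from typing import Dict, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_catalogue(releases: Dict[str, Dict[str, bytes]]) -> Dict[str, Dict[str, str]]:
    """Map each release version -> {relative path: sha256} from its file contents.
    In real use the contents would come from checking out each git tag of the project."""
    return {ver: {path: sha256_hex(body) for path, body in files.items()}
            for ver, files in releases.items()}


def fingerprint(observed: Dict[str, str], catalogue: Dict[str, Dict[str, str]]) -> Set[str]:
    """Return every version consistent with all observed (path, hash) pairs.
    A version is dropped as soon as one of its catalogued files hashes differently;
    a file the catalogue does not list for that version is not evidence either way."""
    candidates = set(catalogue)
    for path, digest in observed.items():
        for ver in list(candidates):
            known = catalogue[ver].get(path)
            if known is not None and known != digest:
                candidates.discard(ver)
    return candidates


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def affected(version: str, fixed_in: str) -> bool:
    """True when `version` predates the release that shipped the fix."""
    return parse_version(version) < parse_version(fixed_in)


# Constructed release tree (hypothetical versions, paths and contents): note that
# app.js did not change between 1.11.1 and 1.11.2, and base.css did not change
# between 1.11.0 and 1.11.1, so a single file cannot always pin the version.
RELEASES = {
    "1.11.0": {"main/inc/lib/javascript/app.js": b"app v1.11.0",
               "web/css/base.css": b"base css old"},
    "1.11.1": {"main/inc/lib/javascript/app.js": b"app v1.11.1",
               "web/css/base.css": b"base css old"},
    "1.11.2": {"main/inc/lib/javascript/app.js": b"app v1.11.1",
               "web/css/base.css": b"base css new"},
}
CATALOGUE = build_catalogue(RELEASES)
FIX_VERSION = "1.11.2"  # hypothetical release carrying the changelog's security fix


def assess(observed_files: Dict[str, bytes]) -> Tuple[Set[str], Optional[bool]]:
    """Fingerprint from served file bodies and decide whether the fix applies.
    Returns (candidate versions, affected) where affected is None when the
    candidates disagree or nothing matched, i.e. more files are needed."""
    observed = {path: sha256_hex(body) for path, body in observed_files.items()}
    candidates = fingerprint(observed, CATALOGUE)
    verdicts = {affected(ver, FIX_VERSION) for ver in candidates}
    return candidates, (verdicts.pop() if len(verdicts) == 1 else None)


if __name__ == "__main__":
    # Constructed "served" files, as if fetched from the target's web root.
    served = {"main/inc/lib/javascript/app.js": b"app v1.11.1",
              "web/css/base.css": b"base css old"}
    print(assess(served))
```

The point of returning `None` for an ambiguous match is the one the reply makes: if two files are all you have and they leave both a fixed and an unfixed release as candidates, you do not yet know whether the changelog entry applies, so you fetch another file rather than guessing.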
First?