I learn a lot with your videos. Nice job
Great stuff ! Thank you, Sir!
I recommend for the next box either Minion or Tally. Also thanks for the video, it helps me better understand how CTFs work, which I'm finding very fun to do and less frustrating now.
Only do retired machines, which is based upon difficulty/release date. The ones you mentioned are close to retiring but won't be next.
Is there a way to know which machine will be retired next, before the announcement that a new machine will come?
m10x.de yeah, if you click on the machine it should say how old it is. I can't remember how long until it's retired, but the one on top of the list gets close to being retired.
@m10x.de nope. The announcement of the new page is when the retired machine is set in stone. My "early information" isn't always correct, that's why I accidentally recorded Kotarak 2 weeks ago and it was briefly posted before Node.
IppSec ah thanks dude
When trying to parse the ntds using impacket, for me it gets stuck at the target system bootkey and doesn't finish it off...
I would like to know your understanding: if I had done an all-port scan using nmap, I would not have thought of doing an all-port scan again using SSRF. What makes you think "I should enumerate ports again using SSRF"?
Well, if that's representative of the OSCP exam's machines, this is going to be tough.
It's not.
I have been thinking the same thing... Did you ever sit for the OSCP?
I have a problem running impacket... it keeps telling me I need 4 arguments no matter how many arguments I put.
tbh this was a nice and hard box
not what you are thinking :3
Awesome one
I feel like I saw this video just the other day... Briefly ;)
There was a service listed, AJP on port 8009. This might indicate that the website is vulnerable to Ghostcat, basically LFI. Can be exploited to get Tomcat passwords.
I don't think this actually works in the box -- yes it is vulnerable to Ghostcat but the only file that should be able to be leaked is /WEB-INF/web.xml. Everything else is restricted.
👏👏👏
After getting and upgrading the shell, is anyone experiencing the shell freezing or being slow in response?
Is "authbind" something that is commonly installed on tomcat servers? How would one know if authbind is installed?
What Linux command tells you which version of a program you are running?
more importantly, think about as an administrator when you might want to give users the ability to open ports but don't want to give that user full admin rights. Web server might be a common version of that.
@CAlex-yk5bg I am having exactly the same wonder. Now I thank you for pointing it out; I need a different view, to think as an admin, that is a really awesome perspective to help me with hacking. Thank you so much.
BTW, what do you mean by your first sentence? Are you suggesting I should've checked the Tomcat version, where I can get a hint for authbind?
@wutangdaug he is saying run "authbind --version" to answer "How would one know if authbind is installed?". Looks like authbind is a common program. It might've shown up if you ran LinEnum.sh or something.
But --version does not seem to print out the version of authbind. "man authbind" shows the manpage, but there is no command to print its version. Anyhow, the point was to find out if it exists on the system, and just running the command "authbind" confirms that it is installed.
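The thread above boils down to two enumeration questions: is authbind on the box, and what does its configuration let a given user bind? The script below is an added example (not IppSec's code and not from the video) that answers both from the shell. It follows the file layout described in authbind(1): a bind of ADDR:PORT is allowed if /etc/authbind/byport/PORT or /etc/authbind/byaddr/ADDR:PORT is executable by the caller, or if /etc/authbind/byuid/UID is readable and contains a line "addr/len:min,max" covering the address and port. The CONF_ROOT argument is an assumption made here so the logic can be exercised against a constructed config tree instead of the real /etc/authbind; executable checks are made from the perspective of whoever runs the script.

```shell
# Added example: enumerate what authbind permits. Not from the video.
# CONF_ROOT (first argument of authbind_allowed) is a hypothetical
# override; on a real box pass /etc/authbind.

authbind_present() {
    command -v authbind >/dev/null 2>&1
}

# dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/LEN -> success if ADDR lies inside NET/LEN
in_cidr() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    net=${2%/*}; len=${2#*/}
    [ "$len" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# authbind_allowed CONF_ROOT ADDR PORT UID
# success if binding ADDR:PORT as UID is permitted by the config under CONF_ROOT
authbind_allowed() {
    root=$1; addr=$2; port=$3; uid=$4
    # byport and byaddr: a regular file that is executable by the caller grants the bind
    for p in "$root/byport/$port" "$root/byaddr/$addr:$port"; do
        if [ -f "$p" ] && [ -x "$p" ]; then
            return 0
        fi
    done
    # byuid: readable file, one "addr/len:min,max" rule per line, '#' comments
    f="$root/byuid/$uid"
    [ -r "$f" ] || return 1
    while read -r entry _; do
        case $entry in ''|\#*) continue ;; esac
        case $entry in *:*) ;; *) continue ;; esac
        cidr=${entry%%:*}; range=${entry#*:}
        min=${range%%,*}; max=${range#*,}     # "addr/len:port" means min == max
        if in_cidr "$addr" "$cidr" && [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]; then
            return 0
        fi
    done < "$f"
    return 1
}

# Typical use on a target: is it there, and can my uid open 80?
# authbind_present && authbind_allowed /etc/authbind 0.0.0.0 80 "$(id -u)" && echo "can bind :80"
```

While you are in /etc/authbind, also check who can write those files: a byport entry that the web user can create or chmod is itself a privilege path, since it hands out low ports without root.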
Is your name IppSec because you wanted to make IPsec more secure by adding one more p (Protection)?
Nope. Ipp's just a name I use online, but hard to register due to 3 characters either being registered or not allowed.
There's a video of yours that has a bit where you're running an audio analysis on a file for steganography. I am trying to find it, as I cannot remember the name of the tool you used for that?
Check out Shrek
Also, having a hard time understanding setting the listening IP to 0.0.0.0. Why is this viable for the exploit to work?
It would help if you linked to the time. My best guess is the IP Address was set to the IP of eth0, however HackTheBox utilizes tun0. Setting it to 0.0.0.0 just says all interfaces.
Thanks again for the new video.
Every video of yours teaches me something new.
Keep it up..👍👍
you are so smart
tmux in tmux ... we need to go deeper ! How about fibonacci spiral made of panes? ;)
good vid btw!
What's that addon/extension for Firefox you use for the proxy?
Found it, FoxyProxy
You mentioned log poisoning when you got a callback from the server early on. You were running a Python web server and mentioned that you didn't see a user agent, so you deduced that log poisoning wasn't the solution. The Python web server doesn't show user agents, iirc. Netcat does. If you want to test for user agents or to get more info when a server calls back, you should run both netcat and Python.
is nc on the box? you literally just used it to send the files over :)
I'd guess regular nc, not the one with a -e flag. Comes with tcpdump, I believe.
18:29 all you check is nc right?
Does SimpleHTTPServer tell you the user agent info? ua-cam.com/video/38e-sxPWiuY/v-deo.html
I tried using my Firefox to browse to it, but it always returns '- -' without user agent info.
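The two comments above are right about why the stock server shows nothing: SimpleHTTPServer (http.server on Python 3) logs only the request line, status and size, so a poisoned User-Agent never appears in its output. Rather than running netcat alongside it, the server below is an added example (not IppSec's code and not from the video) that keeps the file-serving behaviour of `python -m http.server` but records the User-Agent and Referer of every callback, which is exactly the information a log-poisoning test needs. It also answers the earlier 0.0.0.0 question: binding to 0.0.0.0 listens on every interface, so the target can reach the listener over tun0 even when the host's primary address is on eth0. The function names and the `records` list are this example's own, not part of the standard library.

```python
"""Added example: http.server that logs User-Agent and Referer on each callback.
Not from the original video. start_callback_server/fetch/records are names
chosen here for illustration."""
import sys
import threading
import urllib.request
from http import HTTPStatus
from http.server import HTTPServer, SimpleHTTPRequestHandler


class CallbackHandler(SimpleHTTPRequestHandler):
    """Same file serving as `python -m http.server`, richer access log."""

    def log_request(self, code="-", size="-"):
        if isinstance(code, HTTPStatus):
            code = code.value
        # Combined-log style: client, request line, status, size, Referer, User-Agent.
        line = '%s - - "%s" %s %s "%s" "%s"' % (
            self.client_address[0], self.requestline, code, size,
            self.headers.get("Referer", "-"), self.headers.get("User-Agent", "-"))
        self.server.records.append(line)  # keep it for inspection after the callback
        self.log_message("%s", line)      # and print to stderr like the stock server


def start_callback_server(bind_addr="0.0.0.0", port=0, directory="."):
    """Serve `directory` on bind_addr:port in a background thread and return the server.

    0.0.0.0 means all interfaces (eth0 and tun0 alike). port=0 lets the OS pick a
    free port; the real one is in server.server_address. Records of every request
    accumulate in server.records."""
    srv = HTTPServer(
        (bind_addr, port),
        lambda *a, **kw: CallbackHandler(*a, directory=directory, **kw))
    srv.records = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, user_agent):
    """Hit the server the way a poisoned target would; returns the HTTP status code."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python3 callback_server.py [port]   (defaults to 8000 on 0.0.0.0)
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    server = start_callback_server(port=listen_port)
    print("listening on %s:%d" % server.server_address, file=sys.stderr)
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

If the target's request arrives with a User-Agent you planted (for instance a PHP tag), the line recorded here is what you would expect to find in the target's own access log, which is the precondition for log poisoning; if it never shows up, the stock server's silence was not the reason.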
I think the best way to do a full port range scan is to use the masscan tool, isn't it? I just wonder. You always use nmap for full port scans. masscan is much faster. Correct me if I'm wrong, I'm just a regular guy :D
Masscan can cause some issues in a VM and saturate network links. I generally use it if I'm looking for a particular service across a large network. However, for a port scan I prefer to do nmap, which has retries and such built in to help ensure accuracy. For single hosts, I'd prefer to wait the few minutes and have an accurate scan.
How can I contact you?