John Hammond cracks John user's password with John the ripper
While sitting on the John eating Johnny cakes
sounds like he forget his gmail password and trying to hack in lol
Plot twist: John Hammond secretly developed John the ripper solely for cracking into the John user
John inception
johnception
He also does singing, I love his song Perfect
Quickly growing addicted to this channel because the unscripted "fumbling" is exactly what a normal dev would have to do to fix their own little mistakes. And it's those tiny, "What did I forget?" details that novices are going to be tripping over constantly.
The fun part is watching your thought process unfold while you perform these tasks and help introduce us to various helpful tools and commands that we may use in our own explorations.
Of the six thousand languages on earth, you chose to speak Facts
need more of this fumbling.......fumbling makes it incredibly interesting
totally agree. it's the fumbly bits that I enjoy. mistakes are where the learning is at.
Yes! The fumbling makes it real life and shows how easy mistakes are. It's like bloopers, love it.
Hi John, great vid as always!!
How about doing a blind room say once a month, but do it live. I'm sure a lot of people would enjoy that. I know I would.
Keep up the good work!
good idea!
These videos are worth like 100 tutorials I'm not kidding. The thinking process, seeing concepts that one may need to learn, explaining what you're thinking, and just seeing this type of thing in action. Soo helpful
Privilege escalation has always been a big sore spot for me.
I don't know how to do a quarter of what you did in this video but I'm comforted by the fact that you run into the same hiccups as me. Like oh yeah there's dollar signs, or oh duh forgot a slash.
that's just the Linux (and friends) experience in general
That troubleshooting was the most interesting I've seen! Here's a *boop* from me
Thanks for the boop! xD
You can disable bash expansion with cat by adding single quotes around the first EOF rather than going through and escaping everything. i.e. cat
Ooooh, that's a good call! That would do the trick too. Thanks!
@U X I hope to god that my website doesn't do that
I got some servers open to the web, and I know a friend of mine is really paranoid about leaving open ports and what not.
But the more I learn about different ways people exploit and the more I get into the security aspect, the more I get confident about my practice.
Though one thing I learned from this is the cron job part.
I've got two cron jobs that could give a hint as to what's going on on the network, so I might need to check if there's something that a non-root user might be able to see.
*edit: looking at my crontab, nothing seems visible unless you're root :D
I'm really relying on not having any major security issues based on the fundamental programs, rather than trying to implement too much on either security through obscurity, or sticking my head in the sand and hoping nobody notices me.
@@svampebob007 I've thought about setting up my own home server with the same approach: keep things simple. Security by utilizing only the most simple, secure methods. Nothing more or less.
@@cdellio just chipping in to point out that hosting on a free low resource cloud alternative would be much more recommended.
Lots of Johns in this one haha
Absolutely agreed that it is helpful to see you run into the stumbling blocks. There's nothing worse than following a tutorial for the first time and smashing headlong into some syntax error or in this case escaped special characters. Thanks for sharing.
Hey John, loving your content. I really enjoy how you explain and try different methods to gain privileged access, like changing the etc/passwd through the share drive in your container. Even if you struggle a little bit doing that, it really helps us understand the process and iteration you/we can go through while doing that. Keep up the good work!
Thanks, it is fun watching you do all this cool stuff, plz keep the good work coming
I love the fact that John checks out funny/unrelated image/video files. 👍
You and ippsec are very good learning resources. Thank you for taking your time to post these videos.
Not sure if I should get depressed or motivated seeing how awesome John is at this thing. Definitely impressed though.
Great video. Was waiting for the writeups as I couldn't escalate for the life of me!! Learn something new every time!!
Great video John. I learned some new things which were not so obvious to me previously. By the way, LXC/LXD and Docker stuff run most of the time as daemons - which means once you are in the group with regular user you are free to escalate privileges. This is a known flaw - at least in Docker world. Nowadays Docker could be run in rootless mode to avoid such situations. RHEL is doing the same with Podman if I am not wrong.
Keep it up man, you are doing great work educating those new to the domain, in a more fun and friendly way, which makes learning easy... massive big thanks to you J. Hammond
On the topic of fumbling and figuring out what you've done wrong....this is the stuff that courses don't show you. In some ways, that problem solving is some of the most important parts of the video. Any idiot can make a "perfect" video. Only someone who knows what they're doing can make a "less than perfect video" and fix problems encountered during it - adding to the value and standing out as more than just a walkthrough. Great job.
watching you move through this so quickly n seamlessly just amazes me lol
Woah Great video! This looks like fun.
Quick note, no need to put slashes before dollar signs, you could just quote the 'EOF' (then bash interprets the text inside as pure string, not evaluating vars:D)
Great video, keep it up!
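The quoting tip in the two comments above (single-quote the first EOF instead of escaping every dollar sign) is easy to show in a few lines. This is an added example, not code from the video or from any commenter; the passwd-style line and its "$6$..." hash are constructed and are not a real credential.

```shell
#!/bin/sh
# Added example, not from the video or any commenter. It shows what happens to a
# line containing dollar signs when it goes through an unquoted heredoc, a quoted
# heredoc, and a hand-escaped heredoc. The passwd-style line and its "$6$..." hash
# are constructed and not a real credential.

# Unquoted delimiter: the shell expands $6, $saltsalt and $fakehash before cat
# sees the text. None of them are set here, so every dollar-prefixed token vanishes
# and the hash field comes out empty.
unquoted_heredoc() {
    cat <<EOF
alice:$6$saltsalt$fakehash:1001:1001:alice:/home/alice:/bin/sh
EOF
}

# Quoted delimiter ('EOF'): no parameter expansion, no command substitution,
# no backslash processing. The text reaches cat byte for byte.
quoted_heredoc() {
    cat <<'EOF'
alice:$6$saltsalt$fakehash:1001:1001:alice:/home/alice:/bin/sh
EOF
}

# Escaping every dollar sign by hand gives the same result as quoting, but one
# missed backslash silently corrupts the line.
escaped_heredoc() {
    cat <<EOF
alice:\$6\$saltsalt\$fakehash:1001:1001:alice:/home/alice:/bin/sh
EOF
}

# Return the second colon-separated field (the hash slot) of a passwd-style line
# read from stdin, so a caller can see whether the hash survived.
hash_field() {
    cut -d: -f2
}

# Demo output when run directly.
printf 'unquoted: %s\n' "$(unquoted_heredoc)"
printf 'quoted:   %s\n' "$(quoted_heredoc)"
printf 'escaped:  %s\n' "$(escaped_heredoc)"
```

The unquoted form prints `alice::1001:1001:alice:/home/alice:/bin/sh`, which is why the video needed backslashes; the quoted form prints the line unchanged. The same holds for the `cat > file` then Ctrl+D approach mentioned further down the thread: there the shell never reads the pasted text at all, cat does, so nothing is expanded.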
Your videos are awesome John!
No matter who else does the show, we always love to see John Hammond doing these tutorials.
John the legend! Keep going man... I'm learning a lot of stuff from you as I'm sure everyone else does. You are truly helping and inspiring. Thank you.
That was actually fun to watch. Quite educative for learning ❤️😂
Great work sir...Thank you so much for making videos.
A socks proxy video would be fun to watch IMO, I was just lazy and scp'd it over to the box from my attacker platform
Great work John! 😇 Learning a lot of stuff as a newbie through your way of approach! You show us how to think and compromise a machine! 🙏
Legend.
Thanks for a great vid 👍
Hey John I am interested in the socks proxy video ;)
Yes i was just going to post that
Me too plz
Another good video. You rock john.
I love this format. It's fast and straightforward. No "uhhms" or "eehhms" while over explaining.
Other people stop at every single step. "then i paste this text into here.... I will use CTRL... SHIFT... V... Then we ehhh need to eeeh saaaaaaaaave with ctrl + Oooooo.. No wait my bad, this is vim... So wee go and press esc, just to be suuuuure.. eeh... btw i prefer vim because jada jada jada."
I spent too much time on this comment already but I have been bugged by how slow people tend to be...
Thank you John for going the extra mile to show and teach us!!
As a fellow John, I can say this is a good video
Love seeing the TryHackMe vids 👾
and watching the reworks when things go wrong 😂 #real-life
I loved the vid John, I was thinking that perhaps for changing the user's password you could've chrooted into the root mount, anyways the vid was hella fun :)
John JOnhned, it's a nice video. For me your videos are always a one-way stop for relaxing. Amazing John, the world needs great people like you to share knowledge. Lots of respect man!!!!!!!!
I’ve learned more from John Hammond than I think 12 years of schooling
Thanks John ! Always fun and interesting !
Just did this box yesterday, John you're amazing <3
Yes do the socket video!
you can just cat > file, paste, then ctrl+d (which sends an EOF). You will then write exactly what you pasted. The heredoc as you say is interpreted by bash, whereas if you effectively < stdin, which is what cat does, cat is reading, not bash. Also check out alt-.
I subscribed just because you had the problem with root password and nailed it.
whew i can't believe you just saw my writeup xD at 33:09
My favourite way to get stuff into a file is cat > file. It never goes wrong. Ctrl+C to finish
Let’s go with the funneling internet to the box idea, it would be very interesting 🧐
Best troll in each TryHackMe video are those README files :D
Bro your content is da best
at 25:07 why not chroot to /mnt/root and run passwd as root?
Just quote the EOF like cat
Ooooh, that's a good call! That would do the trick too. Thanks!
I had a script that busted my balls over this!
I'll try to keep it in mind next time I create a clusterfuc.. a script :)
Another solution that IMO is simpler:
cat > /mnt/root/etc/passwd
Paste and then hit
I would like to see it done via a SOCKS proxy for the learning experience, so why not! It's a good idea, and that's why I subscribed to your channel, so I can understand more about proxychains.
Nice channel .. sometimes he complicates things .. but it's very nice explained.
Without the video, John, I would only have known how to obtain the root flag, Thanks a lot.
season/year is a common result from making users change their password every x months,
forcing users to come up with a unique password every couple of months is a bad practice and doesn't make anything more secure (unless you have a data breach every couple months spilling all passwords used, but at that point you have bigger issues)
these videos rock! keep it up man ;D
32:00 The Hollywood hacker when he disables the security nanoseconds before timer runs out
When you can ssh into the box why don’t you just scp Linpeas and the container image?
my thoughts
Plain http might be faster? It's a bit more user friendly as you don't need to authenticate, then again with an ssh key it shouldn't be an issue. However the key is password protected, so unless the password is stored in a keyring you would have to bother to type the password.
It all comes down to personal preference.
@@Sfhgscvg you could also change the password of that key since you now know the ssh passkey:
-------------------------------------------
ssh-keygen -p -f sshkeyfile
-------------------------------------------
it will ask for the current password, then you can just leave it blank.
if you have to connect a lot of times with ssh, you could add something to the .ssh/config
Host client client.example.com
HostName client.example.com
IdentityFile ~/.ssh/client_rsa # private key for client (like "sshkeyfile" in my previous example)
User remoteusername
Host otherclient other.example.org
HostName other.example.org
IdentityFile ~/.ssh/otherclient_rsa # different private key for other client
User otherremoteusername
-------------------------------------------
then you can just use
ssh otherclient
or
scp files client:~/
really useful if you don't want to always have to add the -i option, or if you want to set a custom name for that connection and have it separated with multiple id files.
on another note you could also add it as an alias in the .bash, but that's up to you, the point is that you can simply remove the passkey once you know the passkey and then use it as a regular key without a password.
I've definitely done that SOCKS proxy trick while at a former job. Had to install our software on a machine in the UAE without the box having any internet access. Worked a treat. Just remember you also have to tunnel over dns as well or you are gonna have a bad time.
great video john..keep up the good work 💥💥
Is there a reason you didn't use SCP to transfer the alpine container to the attacker machine? I assume something to do with logging and leaving fingerprints, but I feel running wget would leave the same type of fingerprint, but maybe I'm missing something. I'm just a software dev interested in this kind of stuff. Keep up the great content!
Nice video, cool LXD PE, personally I would have modified the /root/.ssh/authorized_keys and I would have sshed as root without needing any pwd. Then you can change it easily with passwd. :)
It's totally fun! Thank you bro!
movies and games are not even comparable with watching these videos..... wow, I've been in the IT field since 2004, but the learning process never stops....
The proxy video would be interesting yeah, thanks man ^^
John cracks John's password with john
I keep finding on other machines that I have lxd but when I reach the init part it says there's no storage pool. Does this mean that the machine isn't vulnerable?
Why does changing etc/passwd in the container change etc/passwd in the host file system? Shouldn't the container be separate and not influence the host?
You can mount directories from the host inside the container. This is done for example to have persistent data since the container isn't. Since / is a directory and the container is run with root privileges (privileged container) / can be mounted in the container. Same thing also applies to docker. The documentation warns you or it should at least.
@@Sfhgscvg so if i mount a directory from the host to a privileged container and write to that directory the changes are also being done in the host?
@@SpiderPigXL yeah, try it out, it's fun to play with and fairly simple to try.
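Two conditions come up in this thread: membership in the lxd or docker group (the "known flaw" comment earlier) and a privileged container with the host's / added as a disk device (the reply just above). The script below is an added example of how a host owner could check for both; it is not from the video or from any commenter. It reads a group(5)-style file and an "lxc config show"-style YAML dump, both constructed here as samples, and uses only grep and awk so it runs without lxc installed.

```shell
#!/bin/sh
# Added example, not from the video or any commenter: a small audit that spots
# (1) users placed in the lxd or docker group and (2) containers that run
# privileged and have a disk device whose source is the host's / .
# The sample files written by write_samples are constructed to look like
# /etc/group and "lxc config show <container>" output; neither is from a real host.

# Print "group: member1,member2" for each container-management group in the
# given group(5) file that has at least one member.
container_group_members() {
    awk -F: '($1 == "lxd" || $1 == "docker") && $4 != "" { print $1 ": " $4 }' "$1"
}

# Exit 0 if the config dump in file $1 sets security.privileged to true.
config_is_privileged() {
    grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?[[:space:]]*$' "$1"
}

# Exit 0 if any device in the config dump has the host root (exactly "/") as source.
config_mounts_host_root() {
    grep -Eq '^[[:space:]]*source:[[:space:]]*/[[:space:]]*$' "$1"
}

# Combine both checks into one verdict string for a config dump.
audit_config() {
    if config_is_privileged "$1" && config_mounts_host_root "$1"; then
        echo "HIGH: privileged container with host / mounted"
    elif config_is_privileged "$1"; then
        echo "MEDIUM: privileged container"
    elif config_mounts_host_root "$1"; then
        echo "MEDIUM: host / mounted (unprivileged)"
    else
        echo "OK"
    fi
}

# Write the constructed sample inputs into directory $1.
write_samples() {
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:alice
lxd:x:115:bob
docker:x:999:
EOF
    cat > "$1/risky.yaml" <<'EOF'
architecture: x86_64
config:
  image.os: Alpine
  security.privileged: "true"
devices:
  hostroot:
    path: /mnt/root
    source: /
    type: disk
ephemeral: false
EOF
    cat > "$1/safe.yaml" <<'EOF'
architecture: x86_64
config:
  image.os: Alpine
devices:
  data:
    path: /srv/data
    source: /var/lib/app-data
    type: disk
ephemeral: false
EOF
}

# Demo when run directly.
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
container_group_members "$SAMPLES/group"
echo "risky.yaml -> $(audit_config "$SAMPLES/risky.yaml")"
echo "safe.yaml  -> $(audit_config "$SAMPLES/safe.yaml")"
```

On a real host you would point container_group_members at /etc/group and audit_config at the output of `lxc config show <name>` saved to a file; the sample run reports "lxd: bob", HIGH for the privileged container with / mounted, and OK for the container that only mounts a data directory.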
I wanted you to do this one... This CTF was awesome for me to complete
Easier than changing the root password. Enable passwordless sudo for the user since they are already a member of that group. Changing the passwords is a good way to be discovered.
Keep up the videos! Love them
I did it by writing my own script LMAO 😂, I remembered you when I saw John on src 😆😆
For the upload_file_nc why is he using a different port each time he downloads it?
nc -nvlp 1234 > linpeas.sh --> after this command on the attacker machine, the linpeas.sh file gets empty. Though the transfer takes place, the file remains empty on both ends. It's the same for every type of file. Any help?
Love the content!
20:14 cachemanifest for iptables?
It's cool. That's master level. There are many ways to go to Rome.
+1 subscriber.
Can you do year of the rabbit CTF
Fantastic explanation.
john , please do show how to do that proxy thing , its becoming a huge hurdle to my CTFs ,thank you in advance
I don’t know why he didn’t chroot inside the container. Then he would have been a full root process on the host system.
Hey, when I leave the container and try to come back to it I get this: Error: Container 'privesc' already exists
What does this mean, please? ^^
You should have clicked on Draagan Lore, I'm curious about the details of this fictional universe.
When you get a sh in the container you can just chmod +x /mnt/root/bin/bash and then out of the container bash -p
yo my man, why do you use guake for sending the linpeas? why can't you just split your terminator screen and do it in that pane? You know what would be good - doing a video on your workflow. How you set everything up, your terminator shortcuts, the way you use guake, little scripts you use to make things easier.
watch this for the answer - ua-cam.com/video/f2aSXGbD0NE/v-deo.html
Is lxd still this vulnerable? I figured a basic chroot exploit on a privileged container would be mitigated by this point
cat
Personally I prefer seeing you work through the problems you came across instead of going directly to the solution
thats some PogU content mate!
just run "cat > passwd", paste, enter, ctrl + d. So "bash/zsh/..." doesn't mess with the input.
Why use netcat for transferring a file instead of scp?
how you guys learn that shit lol, where can I find ´hacking´ sources / lessons?
Plzzz make that video about setting up a socks proxy for internet access
Pls continue making such kind of videos 💯💯❤️❤️
I understand 0.001% of this but I keep watching.... you type the words you get the stuff hahaha
Hey John can you advise me in the steps you took from day one to get to where you are now ?
Just curious why not chroot /mnt/root and do stuff there :)
When did he find John's sudo password
Hey, part of the lxd exploit was done by s4vitar, a great hacker who is also a youtuber, perhaps the best channel in Spanish, don't miss it!
If I could understand Spanish I would definitely watch it! but my Spanish stops at Ola ketal ;)
I'm curious as to why upon having ssh access, why wouldn't just scp files over to the victim machine?
that's what I was thinking!