The little things like "stty raw -echo" to get tab complete to return to a local shell will never be forgotten. It's these little things that keep me digging through your videos along with the great clarity, simplicity, and comprehensive explanations you provide in your walkthroughs....Thanks!
Thank you so much for leaving in the "mistakes" or things that just don't work so that we can see your process and troubleshooting. It's extremely helpful.
@fisherahmad2781 neat, but maybe don't hack your SO's stuff... Those aren't building blocks for a healthy relationship 🤷♀️
Every time I watch your videos my way gets clearer. Thanks Ippsec 😊
He brings all the reading, courses, videos into one awesome chain of how it works together.. Love your work @ippsec :)
To compile on the box itself, just add the location of cc1 into PATH:
export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/5/
Thank you!! Super useful.
Bit late to the party, but in the PATH of www-data there is a /. at the end, so it would be enough to just cd into that directory, maybe.
Man, You have gained my respect in totality. Hats off to you man. Really appreciate it! It's people like you we need in the community so much. Thanks man!
I love watching your videos. I learn so much from them. Thank you for the effort.
You should have a lot more subs. I love watching your vids and learning about your thought process when tackling boxes.
I'm fine with uid and gid, because I can directly get clean root from root's uid and gid, with these both! I just watched this because you said you've explained more in depth about screen 4.5.0, but still loved it.
ippsec has to be the guy from My Little Toaster movie. The one with the big 4x4 who collects and works on electronics. Sounds exactly like him; and also works on computers.
Thanks for all your videos. I might be a little bit late, but at 27', C code needs to end with an empty line after the curly bracket; it might be the reason why you have the error.
For foothold I managed to get a restricted shell by sending a line feed to the curl command and executing commands, however I failed to escalate it to an unrestricted shell. So I ended up doing it the same way in the uploads directory.
How did you know to edit the rootshell.c file with a system command?
This is an awesome video. Thanks IppSec sir
Congrats on the Shocker first blood :)
I cannot get this exploit to work no matter how closely I follow the directions. I wind up with some sort of corruption and I need to keep on resetting the machine.
@19:29 Back to the roots, no GTFOBins at that time.
Hello) That is awesome what are you doing)
You share not only the solution, but the way of thinking.
Thanks!
May I ask, where did you get all the linux enum scripts for LPE?
Seems you look for the /opt directory) That is not default.
Google is your friend, search on filenames I use and generally you'll find them on github somewhere.
IppSec 2/3 scripts have been found. Except unIxprivsec, found similar but too old, more than 4 years.
That is probably it. When doing privesc, new scripts may miss stuff on very old boxes. So it's nice to have legacy stuff around. New isn't always better, right tool for the job.
IppSec , thanks for assist!
When I edit the request headers in repeater and hit go I'm getting nothing. What am I doing wrong?
@ippsec What do you press to come back to the tty (with the reverse netcat)? Because after I execute "stty raw -echo" my terminal doesn't react.
I know it's been a while since your comment, but after that command he types "fg" to bring the background process (the ncat) to the foreground, then presses enter, and then enter again to get the proper shell.
great job thank you so much for sharing
I have a question: what is the reason for typing python -c 'import pty; pty.spawn("/bin/bash")'?
thanks again
It's creating a pseudo-terminal for us. Think of it like a persistent session; without it we send information, get information back and close the session. Doing that breaks a lot of things, for example when you type something and it asks a question, or when you use less/vi/etc. Having it always makes things easier, so that's generally the first step after getting a reverse shell.
thank you for responding ippsec
@IppSec when I run stty -raw echo it works fine the first time, but when I try the second session from netcat it just hangs.. ctrl+z also doesn't work in this case.. Can you help me move on?
I'd recommend just getting another shell, changing to the user you want, then doing the tty trick.
what does stty raw -echo actually do?
Watch either popcorn or the video after that, I explain it there. Hard to explain in text
Thank you mate
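Picking up the two questions in this thread (why `python -c 'import pty; pty.spawn("/bin/bash")'` is typed, and what `stty raw -echo` actually does), here is an added Python example that is not from the video or from IppSec. It assumes a Linux host with pseudo-terminals available (/dev/ptmx). The first function runs the same small child program once behind a plain pipe, which is the situation a bare reverse shell is in, and once behind a pseudo-terminal allocated the way pty.spawn() does it, and returns whether the child believed it was talking to a terminal. The second function applies the termios equivalent of `stty raw -echo` (tty.setraw) to a scratch pty and reports which line-discipline flags it turns off.

```python
import os
import pty
import subprocess
import sys
import termios
import tty

# Constructed child command for the check: it only reports whether stdin is a terminal.
_CHILD = [sys.executable, "-c", "import sys; print(sys.stdin.isatty())"]


def child_sees_tty(use_pty: bool) -> bool:
    """Run the child with stdin/stdout on a pipe (use_pty=False) or on a freshly
    allocated pseudo-terminal (use_pty=True); return what the child saw."""
    if not use_pty:
        # A bare reverse shell looks like this: stdin/stdout are a socket, so
        # isatty() is False and programs such as less, vi or sudo prompts misbehave.
        out = subprocess.run(
            _CHILD, capture_output=True, text=True, stdin=subprocess.DEVNULL
        ).stdout
        return out.strip() == "True"

    # pty.spawn() does the same thing internally: fork, put the child on the
    # slave side of a pty, and relay bytes between our terminal and the master.
    master, slave = pty.openpty()
    proc = subprocess.Popen(_CHILD, stdin=slave, stdout=slave, stderr=slave, close_fds=True)
    os.close(slave)  # the parent keeps only the master side
    data = b""
    while True:
        try:
            chunk = os.read(master, 4096)
        except OSError:  # Linux raises EIO on the master once the slave side is gone
            break
        if not chunk:  # other platforms report plain EOF instead
            break
        data += chunk
    proc.wait()
    os.close(master)
    return data.decode(errors="replace").strip() == "True"


# The local-flag bits that matter for an interactive reverse shell:
#   ECHO   - the local terminal prints what you type (the remote shell will echo too)
#   ICANON - line buffering: keys are delivered only after Enter, so Tab completion
#            and arrow keys never reach the remote side
#   ISIG   - Ctrl-C / Ctrl-Z are turned into signals for the LOCAL process (netcat)
_LFLAGS = {"ECHO": termios.ECHO, "ICANON": termios.ICANON, "ISIG": termios.ISIG}


def raw_mode_effect() -> dict:
    """Apply the termios equivalent of 'stty raw -echo' to a scratch pty and
    return {flag: (set_before, set_after)} for the flags listed above."""
    master, slave = pty.openpty()
    try:
        before = termios.tcgetattr(slave)[tty.LFLAG]
        tty.setraw(slave)  # what 'stty raw -echo' does to your real terminal
        after = termios.tcgetattr(slave)[tty.LFLAG]
    finally:
        os.close(slave)
        os.close(master)
    return {name: (bool(before & bit), bool(after & bit)) for name, bit in _LFLAGS.items()}


if __name__ == "__main__":
    print("child isatty() behind a pipe :", child_sees_tty(False))
    print("child isatty() behind a pty  :", child_sees_tty(True))
    for flag, (was, now) in raw_mode_effect().items():
        print(f"{flag:7s} before={was!s:5s} after={now!s:5s}")
```

Because `stty raw -echo` switches off ECHO, ICANON and ISIG on your local terminal, keystrokes like Tab, arrow keys and Ctrl-C are no longer consumed locally and go straight through netcat to the pty on the remote side, which is why the trick only helps once the remote shell already sits on a pty. The same flags are what make the terminal look dead if you forget to foreground the connection afterwards; `stty sane` or `reset` puts the local terminal back.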
Hey! Did I miss something, or didn't you say where to get gobuster from?
Github. But you can just do apt install gobuster now
@ippsec damn, I must have mistyped my search last time and commented too quickly, sorry for that
Hello Ippsec, one question that might be irrelevant but I want to ask. Can this input on exposed.php be used as an SSRF exploit?
Yes. If there was no way to perform code execution or save files, it would be categorized as an SSRF. I generally ask myself: "can this be used to act like a proxy into their private network?" and if the answer is yes, I'd label it SSRF. Whether or not that's correct, I have no idea; there are countless labels for exploits.
IppSec actually I'm not asking how it can be labeled, but if it can be exploited with SSRF. Sorry if I was not clear.
SSRF doesn't directly allow for code execution and I don't believe any other services were listening on loopback. So I believe the answer is no. You'd mark it as a finding as it is indeed SSRF-able, but it does not get you anything.
Ok, clear! Thanks a lot.
The reason I'm asking is because I found a similar user input on another machine, but there I cannot exploit it with command injection.
All my homies hate compiling exploits
Love you man.. keep going 😘
hello ippsec. I searched for an hour but I don't get any answer. I'm trying to execute the exploit but my gcc is throwing errors. Which libraries do I need?
hard to know without the error messages saying what is missing
@ippsec hello ippsec. thank you for the reply. I'm really really sorry. I installed a bunch of gcc libs but didn't restart my system so as not to lose the shell... I tested today and it works well.. :( I'm really sorry for wasting your interest on my problem.
Why am I getting this error at the end: /tmp/rootshell: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /tmp/rootshell)
Me too. Googling is not much help at the moment.
Hey IppSec how did you send the other request to the second tab of repeater at 9:23
Ctrl+R
and how did you decode the URL into plain text? @ippsec
@Danielmofer Ctrl+Shift+R
@Danielmofer Ctrl+Shift+U
IppSec and vap0r thanks, that's great!
Great stuff.. as always...
Thank you
you the best
I wonder why you didn't do Lame, Legacy and Granny!
hey IppSec, why don't you upload a nice meterpreter php shell rather than doing it via nc and other things? meterpreter even has search features in it, so why let the victim know that you were there by using bash and getting every command logged in .bash_history?
I just like netcat better. There aren't any post exploit meterpreter modules I'd want to use on linux, and I don't believe tab autocomplete works? As far as bash history, there are ways to prevent that without meterpreter.
Shhh…shhhhh
A more risky way that worked for me without crashing (not recommended for a pentest) was exploits/linux/local/44298.c
create a burpsuite course