HackTheBox - Bart

  • Published 29 Oct 2024

COMMENTS • 63

  • @_crys_
    @_crys_ 6 years ago +3

    Great vid! On this box, you can also use Powershell's Invoke-Command to run commands as the admin, the catch is that you have to do -ComputerName 127.0.0.1 for it to work.
    Also, maybe you can do Enter-PSSession as well, but that shell was a bit funky for me, as it didn't execute anything, just kept giving me the prompt.

  • @abhishekchaudhari970
    @abhishekchaudhari970 6 years ago +6

    Thanks... keep it going.. we are learning a lot from you 😘

  • @pswalia2u
    @pswalia2u 3 years ago

    Hashcat: cracking hashes with salts :) is just awesome!

  • @ejnixon
    @ejnixon 6 years ago

    Thanks for this. I started the box right before it retired. Also, for a hydra post-form example you can use hydra -U http-post-form and it spits out formats. You should consider Patreon; I'd support it for your work.

    • @ippsec
      @ippsec  6 years ago +9

      I’ve considered it, in the end I just don’t want to deal with being obligated to do videos/answer questions/etc. It becomes actual work once I accept money, and work tends to not be as fun.

    • @ejnixon
      @ejnixon 6 years ago

      Totally get that. Thanks for all that you do!

  • @d4rkz3n64
    @d4rkz3n64 5 years ago

    Nice bro!
    One hint: use parcellite to save the history of Ctrl+C to make things easier.

  • @rubyrose6869
    @rubyrose6869 6 years ago +1

    Our race needs more beings like you

  • @fsacer
    @fsacer 6 years ago +9

    Sysnative is a virtual folder, a special alias, that can be used to access the 64-bit System32 folder from a 32-bit application or script. That's why it won't be displayed: because it's an alias and not a real folder. Maybe you could've run the 64-bit PowerShell from the start, but I don't think I've explored that; iirc I've run 64-bit meterp

    • @chefsputnik1
      @chefsputnik1 5 years ago +1

      Aliases have always been visible both via explorer and cmd. 'Sysnative' is a HIDDEN alias, another stupid M$ peculiarity.

  • @zwilliams1340
    @zwilliams1340 6 years ago +2

    Thank you. 10/10

  • @blackcat.mb.999
    @blackcat.mb.999 6 years ago

    I love all your videos :)

  • @Flyingnobull
    @Flyingnobull 6 years ago

    Ipp, what are you looking for when looking through the page code at the 10th minute?

  • @franciscog7110
    @franciscog7110 6 years ago +1

    Nice video, I had all to finish this machine but failed logging in as admin with the autologon creds. It was a fun machine. By the way, why don't you use the Burp extension CSRF Token Tracker or, if you're feeling fancy, a Burp session macro? No need for scripting and it's crazy fast to use. Nice channel, kudos.

    • @ippsec
      @ippsec  6 years ago +6

      I believe that’s a paid feature and I try to stick with free stuff so everyone can follow along

  • @peytpeyt9113
    @peytpeyt9113 6 years ago

    You are the best!! Love u

  • @zn1x.gaming
    @zn1x.gaming 6 years ago +1

    Can you please share the list of scripts that you have under /opt ?

    • @ippsec
      @ippsec  6 years ago +4

      Sorry. Don’t make that public, changes weekly and don’t want to risk accidentally uploading something like an empire database that contains creds to rastalabs

  • @gazcbm
    @gazcbm 6 years ago +1

    Confused how the leap was made from the log poisoning using php in the user agent to adding a new parameter with powershell

    • @ippsec
      @ippsec  6 years ago

      A new parameter wasn't added with PowerShell. The web application was written in PHP and PHP code was placed in the log file. The PHP code pulled a new variable from the URL and executed it; that's where the PowerShell was placed.

    • @gazcbm
      @gazcbm 6 years ago

      IppSec sorry, yes, I meant a new URL parameter that contained a PowerShell command to be executed. In the video the PHP code was running whoami from the UA string; you then replaced the UA string with generic text and added &pleasesubscribe=(powershell stuff here)

    • @ippsec
      @ippsec  6 years ago

      At 34:10, the PHP code accepts any command.

    • @gazcbm
      @gazcbm 6 years ago

      IppSec yep, there it is! Missed that completely, makes sense. Thanks dude

  • @abeaugustijn
    @abeaugustijn 6 years ago +1

    What’s your Mozilla extension for proxies?

  • @yassineamor9300
    @yassineamor9300 6 years ago +1

    Thank you for these contributions you make to the community, IppSec. Would you mind sharing the path you took to gain these skills? Any formal education? Online courses? Certs?

    • @ippsec
      @ippsec  6 years ago +4

      Primarily years as a sysadmin and just playing around with things to figure out how they worked.

  • @mahmedahmedmansour
    @mahmedahmedmansour 6 years ago

    Thanks so much bro

  • @shankaranarayana6568
    @shankaranarayana6568 4 years ago +1

    You can use regular expressions in hydra to capture multiple failure cases. Something like
    hydra -l harvey -P /usr/share/wordlists/rockyou.txt internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid Username or Password|The Password must be at least 8 characters"

    • @shankaranarayana6568
      @shankaranarayana6568 4 years ago

      But this way you will have to make sure you capture all possible error messages. I missed the "password is required" error message earlier on. But not sure why hydra makes an attempt without a password.

    • @shankaranarayana6568
      @shankaranarayana6568 4 years ago

      The final command that worked is:
      hydra -l harvey -P /usr/share/metasploit-framework/data/wordlists/common_roots.txt internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid Username or Password|The Password must be at least 8 characters|The Password is required"

  • @m3lk0r83
    @m3lk0r83 6 years ago +1

    Great video as usual. Does anyone know why all those techniques failed?

    • @s1ked_416
      @s1ked_416 7 months ago

      What do you mean, if anyone knows why all those techniques failed? He explains why in the video lol

    • @m3lk0r83
      @m3lk0r83 7 months ago

      @s1ked_416 yeah, but do you know why they failed?

    • @s1ked_416
      @s1ked_416 7 months ago

      @m3lk0r83 -_- just watch the video again lol. Also, it's been 5 years since you posted your comment, you should know the answer by now lol

    • @m3lk0r83
      @m3lk0r83 7 months ago

      @s1ked_416 I've been trying to figure it out for the last 5 years lol. Do you know why they failed?

  • @pjsmith4471
    @pjsmith4471 5 years ago

    To force your browser not to use the cache, press Shift+F5.

  • @adamziane
    @adamziane 6 years ago +7

    You should write a book

  • @prohat7674
    @prohat7674 6 years ago

    Can I use this IP for training? I can only try on the free server.

    • @ippsec
      @ippsec  6 years ago

      Retired machines stay on the free server for two weeks.

    • @prohat7674
      @prohat7674 6 years ago

      IppSec aha okay man, thanks

  • @robinhellsten8903
    @robinhellsten8903 6 years ago

    Patator equivalent of the hydra stuff:
    patator http_fuzz url=internal-01.bart.htb/simple_chat/login.php method=POST body='uname=harvey&passwd=FILE0&submit=Login' 0=/usr/share/wordlists/metasploit/common_roots.txt -x ignore:size=365

  • @j4ck_d4niels
    @j4ck_d4niels 4 years ago

    You should write a book :)

  • @sowhatsupeirik
    @sowhatsupeirik 6 years ago +2

    ilu

  • @milesjake2067
    @milesjake2067 6 years ago +2

    Just flush the DNS cache