Thanks... keep it going... we are learning a lot from you 😘
Great vid! On this box, you can also use PowerShell's Invoke-Command to run commands as the admin, the catch is that you have to do -ComputerName 127.0.0.1 for it to work.
Also, maybe you can do Enter-PSSession as well, but that shell was a bit funky for me, as it didn't execute anything, just kept giving me the prompt.
Hashcat: cracking hashes with salts :) is just awesome!
Sysnative is a virtual folder, a special alias, that can be used to access the 64-bit System32 folder from a 32-bit application or script. That's why it won't be displayed, because it's an alias and not a real folder. Maybe you could've run the 64-bit PowerShell from the start, but I don't think I've explored that; IIRC I've run 64-bit meterp
Aliases have always been visible both via explorer and cmd. 'Sysnative' is a HIDDEN alias, another stupid M$ peculiarity.
Thanks for this. I started the box right before it retired. Also, for the hydra post-form example you can use hydra -U http-post-form and it spits out the formats. You should consider Patreon, I'd support it for your work.
I’ve considered it, in the end I just don’t want to deal with being obligated to do videos/answer questions/etc. It becomes actual work once I accept money, and work tends to not be as fun.
totally get that. Thanks for all that you do!
Our race needs more beings like you
Thank you. 10/10
Nice bro!
One hint: use Parcellite to save your Ctrl+C history, it makes things easier.
Confused how the leap was made from the log poisoning using php in the user agent to adding a new parameter with powershell
A new parameter wasn't added with powershell, The web application was written in PHP and PHP Code was placed in the log file. The PHP Code pulled a new variable from the URL and executed it, that's where the powershell was placed.
IppSec sorry yes I meant a new url parameter that contained a powershell command to be executed. In the video the php code was running whoami from the UA string, you then replaced the UA string with generic text and added &pleasesubscribe=(powershell stuff here)
At 34:10, the php code accepts any command.
IppSec yep there it is! Missed that completely, makes sense. Thanks dude
I love all your videos :)
Ipp, what are you looking for when looking through the page code around the 10th minute?
Can you please share the list of scripts that you have under /opt ?
Sorry. Don’t make that public, changes weekly and don’t want to risk accidentally uploading something like an empire database that contains creds to rastalabs
What’s your Mozilla extension for proxys?
Abe Foxy Proxy
foxyproxy standard
Foxy proxy FTW
Nice video, I had it all to finish this machine but failed logging in as admin with the autologon creds. It was a fun machine. By the way, why don't you use the Burp extension CSRF Token Tracker or, if you're feeling fancy, a Burp session macro? No need for scripting and it's crazy fast to use. Nice channel, kudos.
I believe that’s a paid feature and I try to stick with free stuff so everyone can follow along
You are the best!! Love u
You can use regular expressions in hydra to capture multiple failure cases. Something like
hydra -l harvey -P /usr/share/wordlists/rockyou.txt internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid Username or Password|The Password must be at least 8 characters"
But this way you will have to make sure you capture all possible error messages. I missed out the "password is required" error message earlier on. But not sure why hydra makes an attempt without a password.
The final command that worked is
hydra -l harvey -P /usr/share/metasploit-framework/data/wordlists/common_roots.txt internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid Username or Password|The Password must be at least 8 characters|The Password is required"
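The two techniques discussed in this thread, the PHP log poisoning via the User-Agent string and the hydra form brute force against /simple_chat/login.php, both leave obvious traces in the web server's access log. The following is an added example (not from the video or from any of the commenters) of the defender's side: a small Python detector that parses Apache combined-format log lines, flags a source IP that POSTs to the login form more than a threshold number of times inside a sliding window, and flags any request whose User-Agent carries a PHP open tag. The log lines are constructed for the example, and the threshold (20 attempts), window (60 seconds), and the sample IP addresses are assumptions, not values from the box.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: the referer and User-Agent are the two
# trailing quoted fields, so the User-Agent is the last thing on the line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A User-Agent that contains a PHP open tag ("<?php" or "<?=") is not a
# browser; it is an attempt to get code written into a log file that some
# script later includes.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def find_login_bursts(entries, path="/simple_chat/login.php",
                      threshold=20, window_s=60):
    """Map source IP -> peak number of POSTs to `path` seen inside any
    `window_s`-second window, for IPs whose peak exceeds `threshold`.
    Uses a sliding window over the sorted timestamps per IP."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?")[0] == path:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def find_php_in_user_agent(entries):
    """Return (ip, user_agent) for every request whose UA holds a PHP tag."""
    return [(e["ip"], e["ua"]) for e in entries if PHP_TAG_RE.search(e["ua"])]


def build_sample_log():
    """Constructed sample traffic (not real data): 25 rapid login POSTs from
    one source, three normal logins spread over minutes from another, and
    one request whose User-Agent carries a harmless PHP tag."""
    lines = []
    for i in range(25):
        lines.append(f'10.10.14.5 - - [25/Feb/2018:10:00:{i:02d} +0000] '
                     f'"POST /simple_chat/login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"')
    for i in range(3):
        lines.append(f'10.10.14.7 - - [25/Feb/2018:10:0{i}:00 +0000] '
                     f'"POST /simple_chat/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('10.10.14.5 - - [25/Feb/2018:10:05:00 +0000] '
                 '"GET / HTTP/1.1" 200 512 "-" "<?php echo \'poisoned\'; ?>"')
    return lines


if __name__ == "__main__":
    entries = [e for e in map(parse_line, build_sample_log()) if e]
    for ip, n in find_login_bursts(entries).items():
        print(f"possible login brute force from {ip}: {n} POSTs in 60s")
    for ip, ua in find_php_in_user_agent(entries):
        print(f"PHP tag in User-Agent from {ip}: {ua!r}")
```

On the constructed sample the burst detector reports only 10.10.14.5 (25 POSTs in the window; the three spread-out logins from 10.10.14.7 stay under the threshold), and the User-Agent check reports the single poisoned request. The sliding window rather than a fixed per-minute bucket matters: a fixed bucket lets a burst that straddles a minute boundary slip under the threshold. Note that the hydra attempt with an empty password the commenter mentions would still be counted here, since the detector keys on request volume, not on the response text.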
Thank you for these contributions you make to the community, IppSec. Would you mind sharing the path you took to gain these skills? Any formal education? Online courses? Certs?
Primarily years as a sysadmin and just playing around with things to figure out how they worked.
To force your browser not to use the cache, press Shift+F5.
Great video as usual. Does anyone know why all those techniques failed?
What you mean if anyone knows why all those techniques failed? He explains why in the video lol
@s1ked_416 yeah but do you know why they failed?
@m3lk0r83-_- just watch the video again lol Also, it's been 5 years since you posted your comment, you should know the answer by now lol
@s1ked_416 I've been trying to figure it out for the last 5 years lol. Do you know why they failed?
thanks so much bro
You should write a book
Can I use this IP for training? I can only try on the free server.
Retired machines stay on the free server for two weeks.
IppSec aha okay man thanks
Patator equivalent of the hydra stuff:
patator http_fuzz url=internal-01.bart.htb/simple_chat/login.php method=POST body='uname=harvey&passwd=FILE0&submit=Login' 0=/usr/share/wordlists/metasploit/common_roots.txt -x ignore:size=365
Just flush the DNS cache.
ilu
You should Write a Book :)