I am very grateful for all your videos. Thank you for teaching us😊
Thanks , i'm learning new things every time i watch a WT ^^
I like the Python script to get all the contents of directories. I manually did it in burp lol. If there was a lot more content a script like this would have sped things up quite a bit. Thanks!
Yeah, I manually checked as well, although the RSA key was the second thing I tried so I got it pretty quick. Great box.
Oh god. You make it look so easy.
You're a magician! Can't thank you enough.
Feeling the Trap Card Spider Icon
Why does mine show “host seems down. if it is really up, but blocking ping probes, try -Pn” and it doesn’t display all that
Hi ippsec,
I have a question not related to this box. Is there a way to bypass false positives when URL bruteforcing? When I try gobuster I get "Wildcard response found"; using the -fw switch does not help.
Edit: Watched your node video, it did not help me, also burp spider did not get me anything
Try with wfuzz using --hc, --hw params, it depends on the false positive
hi, btw may i know which repo u found that linux file list coz i've been looking for it to keep it but wasn't able to, seen some linux files with 8k lines but mostly rubbish. and also how did you know that you would need to do an xxe attack on this box right off the bat? do u have some technique for it or u've just fuzzed it through your intruder which is faster?
thanx and more power to ya!!!
The file on the ftp server is a big hint. Web server is a subnet calculator with no input, and that text file is xml subnet stuff
it went out of my mind that you did download the file via ftp first so needed to watch it again. thanx :)
Thank you!
Good one, didn’t write a script, immediately went for the id_rsa, I spent way too much time on the database 😥 never thought of changing the logon page ........
This makes my head spin. Makes me worry just how far I can get in HTB with my current skillset. Makes me wonder if I need more classes, but I'd spend a lifetime in training if I went that route.
If I recall correctly, I think I solved this box without backdooring the login. As www-data I renamed /var/www/html/zz_backup and then created a symlink called zz_backup pointing to /root. root user would then run the backups script every 5 minutes, and it copies /var/www/html/zz_backup (now pointing to /root or whatever) to /var/www/html/dev_wiki, make cliff finally chmod 777, basically sharing all his files.
yes that also worked :)
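Added example, not part of the original comments and not the box's actual backup script (which is not shown on this page): a defensive sketch of a backup copy that refuses the symlink swap described above. The names `safe_backup` and `UnsafeSource` are hypothetical, and the temp directories are constructed stand-ins for `/var/www/html` and `/root`.

```python
import os
import shutil
import tempfile

class UnsafeSource(Exception):
    """Backup source is a symlink or resolves outside the allowed base."""

def safe_backup(src, dst, allowed_base):
    """Copy src to dst only if src is a real directory under allowed_base."""
    if os.path.islink(src):  # islink() does not follow the link
        raise UnsafeSource(f"{src} is a symlink")
    real_src, real_base = os.path.realpath(src), os.path.realpath(allowed_base)
    if os.path.commonpath([real_src, real_base]) != real_base:
        raise UnsafeSource(f"{src} resolves outside {allowed_base}")
    # symlinks=True copies links inside the tree as links, never their targets
    shutil.copytree(real_src, dst, symlinks=True)
    # Owner/group only, instead of a blanket chmod 777 on the copy
    for root, _dirs, files in os.walk(dst):
        os.chmod(root, 0o750)
        for name in files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                os.chmod(path, 0o640)
    return dst

def demo():
    """Constructed layout: tmp/html stands in for the web root, tmp/root for /root."""
    with tempfile.TemporaryDirectory() as tmp:
        web, secret = os.path.join(tmp, "html"), os.path.join(tmp, "root")
        src = os.path.join(web, "zz_backup")
        os.makedirs(src)
        os.makedirs(secret)
        open(os.path.join(src, "index.php"), "w").close()
        open(os.path.join(secret, "id_rsa"), "w").close()  # constructed placeholder
        copy1 = safe_backup(src, os.path.join(web, "copy1"), web)
        copied = os.path.exists(os.path.join(copy1, "index.php"))
        # The swap from the comment: real directory renamed, symlink in its place
        os.rename(src, src + ".orig")
        os.symlink(secret, src)
        try:
            safe_backup(src, os.path.join(web, "copy2"), web)
            blocked = False
        except UnsafeSource:
            blocked = True
        leaked = os.path.exists(os.path.join(web, "copy2", "id_rsa"))
        return copied, blocked, leaked

if __name__ == "__main__":
    print(demo())
```

The check and the copy are not atomic, so a path writable by `www-data` can still be swapped between them; running the backup job as an unprivileged user rather than root removes what the swap would gain.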
God damn you are fast
I wonder why you specify gobuster full path every time you run it, why not just doing gobuster without the path? it works just fine.
Thank you for the great content, keep 'em coming :)
When I first started using gobuster it wasn’t in Kali repo, so i left it like that to let people know I manually compiled it. Someone recently pointed out it was in the repo now so I will probably switch
I see, it is actually more efficient to use it directly IMHO. Thank you for the clarification :)
You can skip out masses from this by looking for ssh keys straight away through the XXE file retrieval method for the first part.
Sure but you're missing out on learning ways to enumerate. Going from LFI to a file in a users directory isn’t exactly something I’d try manually since it’s relatively rare. Two permissions and I believe a config file have to be dorked up
18:49 that didn't work because you created a function called getfile and assigned the variable inside it but you directly used the print command without executing the function. It would have worked if you typed something like print getfile('/etc/passwd')
Cheers
Ps: i saw later that u solved it
Hey ipp, can u do a video about your setup, how you make videos and what if any equipment u use. Thanks.
First!