Dude, your HTB walkthroughs are seriously the best around. As a blue-team side person I find almost immediate REAL WORLD TTPs in here that I can immediately take back to my SIEM.
Awesome to hear the videos have helped your organization's defensive posture! You are definitely doing Blue Teaming well, keep it up.
I've learned more from your videos than any of the paid resources out there. This was the first box I managed to get without help, and it was neat watching how you went about it. I also love when you show multiple ways of getting in. Thanks for all these great videos!
Congratz on your first solo box! It's a feeling like no other.
The bash history password was the wrong case (we all know what it's like to leave Caps Lock on)... switch it around and you have root.. although it’s always nice to see the other routes.... Once again, Great video!
^ this
When I found the bash history password I tried immediately with Caps Lock on!!!! LOL :D
You make awesome videos, you speak clearly and directly, no scratching around in OS settings that are not related. I am still a complete rookie in pentest and use your videos to learn, and I love your indexing below each video, so professional and easy to use. Sorry my currency is a bit flat but I will contribute to your fund someday. Keep the videos coming please.
Massive respect to you for these videos... I did the unintended route without using time.
The privesc didn’t even require a kernel exploit. The password you showed in the .bash_history file was actually a really big hint. It was capitalized wrong, so it simulated a CAPS lock being active. If you were to type it instead of copy-pasting and inverted the case, you could escalate to root.
I changed my Kali time to server time from settings menu
😝😝
I've seen a bunch of people doing the split terminal like at 5:49. How do you do that?
Vim be magic :)
Ahh thank you! I've been stuck on trying to figure out how to query the JSON page and I often see this same page on other boxes and Google didn't make much sense to me, learned a lot on this one.
Thanks for the content, as I am prepping for OSCP, I find this invaluable. Love from Serbia
For the time exploit for user shell I just changed my date & time to be the same as the box and it worked fine, also changed the time to wait for the file detection just in case. Overall great box!
Was a really fun box, keen to see how other people managed to get in
Thanks for making such a really instructive video! I have one question: at around 21:12 you say foreground with 'fg n', although this does not appear on the console line. When I try to use this I seem to get each line tabbed, e.g. when I hit return on a command my shell has moved roughly one tab place away from its place on the line above. Thus a few returns in and my cursor is at the other edge of the screen. Have I misheard what you said and if so what should I be typing?
Fg
@ippsec thank you! That's made things so much better :)
I manually changed my machine to match the server's time. Still need to learn some Python I see :) Good vid like always.
Me too. I think I used "curl -v" to get the server time. I remember I was able to use introspection in GraphQL to find some creds that allowed me to log into the help app, which gave me a time zone. But the time in the app had nothing to do with the server time. Rabbit hole, but I learned so much about data leakage.
I did the same thing but I got the timezone from GitHub I guess😂😂 didn't figure out that curl and Burp can give you that as well
Haven’t even watched but thumbed it up anyway because I know it’s gonna be legit. Wish I could double subscribe
I been waiting for this, never figured this out
Server time! Ahh, now I know what I missed. At least I have learnt something new.
Congratz to 40000 subs!!
how the HELL is this supposed to be an EASY BOX! >.
if this is 'easy', then I first of all still have a long way to go, second I need to watch the insane ones
idk why but I never thought to intercept a request in Burp to find out what time a server is running, that's clever
Great video as always! Thanks so much.
Hey can someone tell me what his "burp-addon" which is shown top right in his Mozilla is called? Can't find it
Foxy Proxy
My terminal gets stuck when I type "stty raw -echo". How?
I guess because you didn't enter python -c 'import pty;pty.spawn("/bin/bash")' on the remote machine
my fav "the way to abuse this"
Love the intended way
this is a thank you comment
I have a dumb question. How can he divide terminal in kali :)
Use tmux
30:25 Copy and paste it into a browser's address bar
I am so furious with myself. After getting the user shell 1st thing that came to my mind was to maybe look for a kernel exploit as it was an old box. Don't know why I started to try everything else but to search for a kernel exploit as I completely forgot about it. Got so close at getting root. For the user shell, maybe I was lucky I did not face the server time issue and the exploit script worked without modifying anything.
Priv esc s-nail??? CVE-2017-5899, anyone else do this?
Tried it.. didn't work for me..
Yup ! I did. Worked like a charm
Timezones shouldn't matter, because unix timestamps are universal and not timezone-dependent.
I think the current epoch time is constant all around the world. There is not need of conversion. What you can do is change the timezone of the system to whatever you want and check the epoch time.
The server time stamp isn’t in epoch - so you need to handle time zones, I may have explained it poorly.
I didn't even change the time on my machine or mess with it at all but it still worked. Not sure why that is.
If you tried it enough, your time was off. Or other people uploaded scripts; you may just get lucky and hit a correct hash.
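An added example to illustrate what this thread is circling around (it is not code from the video or from any commenter): the `Date` header that `curl -v` prints is a GMT wall-clock string, not an epoch value, so it has to be parsed as such before you compare it with your own clock; once parsed, the resulting Unix timestamp is the same in every timezone. The response headers below are a constructed sample, not a capture from the box.

```python
import time
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample of the response headers curl -v prints (not a real capture).
SAMPLE_CURL_OUTPUT = """\
< HTTP/1.1 200 OK
< Date: Sat, 13 Apr 2019 18:42:07 GMT
< Content-Type: text/html; charset=UTF-8
"""


def extract_date_header(curl_output):
    """Return the value of the Date response header from curl -v output, or None."""
    for line in curl_output.splitlines():
        line = line.lstrip("< ").strip()  # drop curl's "< " response prefix
        if line.lower().startswith("date:"):
            return line.split(":", 1)[1].strip()
    return None


def http_date_to_epoch(value):
    """Parse an HTTP Date string into a Unix timestamp.

    HTTP dates carry their own zone (normally GMT, per RFC 7231), so the
    returned epoch is the same no matter which timezone your own machine uses.
    """
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # defensive: treat a zone-less value as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def clock_skew_seconds(server_epoch, local_epoch=None):
    """Positive when the server clock is ahead of ours, negative when behind."""
    if local_epoch is None:
        local_epoch = int(time.time())
    return server_epoch - local_epoch


def server_epoch_from_curl(curl_output):
    """Convenience wrapper: Date header from curl -v output straight to epoch."""
    value = extract_date_header(curl_output)
    return None if value is None else http_date_to_epoch(value)


if __name__ == "__main__":
    epoch = server_epoch_from_curl(SAMPLE_CURL_OUTPUT)
    print("server epoch:", epoch, "skew vs local:", clock_skew_seconds(epoch))
```

The same parse also gives you the number the box was working from when comparing against your own clock, which is where "my time was off" in the comments above comes from.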
yo that's dope
@5:29 laudanum is opium ;]
I guess the intended way was to get creds from graphql then use them to login and then change timezone on box then run the exploit, I missed the header though and banged my head lol
Yea, I assumed that was a rabbit hole. I tried this and the time I found there did not work. I ended up using curl -v instead to get the server time.
@jimcolabuchanan6579 I guess the creator forgot to remove the time header in the server
You could've added the continue keyword after the print to speed up the script. Anyway, great video.
Failed to open normal output file nmap/help.nmap for writing
QUITTING! 🙁🙁
Probably need to create the directory
@ippsec thank you very much sir ♥️
Keep going
I was shouting you forgot the and 😂
this IS NOT an easy box. the difficulty ratings are seriously upsetting. They destroy confidence.
First !
I guess these videos are for people that are familiar with all the commands? You very rarely explain why you are doing a command you are doing
Watch the older videos, try my first one like popcorn.
@ippsec I'll have a look, thanks
I hated this box