Ahh, classic JH Speedrun. 🤣 Joking aside, Love the long form videos where we can watch you struggle. Seeing the thought process is so helpful
All of my videos are 1000% perfect and I make no mistakes at all, ever.
@@_JohnHammond you r greatest of all time
This whole video was just showing off your old github repo. Nice one!
I have a coworker who talks just like you. I work in a SOC and he talks about how "garbage" elastic is.
I am shouting at the video, "exec takes a string!", which is making me frustrated, but also smart. Thanks!
The beats on that PlexTrac ad though 😅
An easier way to kill the root passwd entry would be to use sed inline: `sed -i 's/root:x/root:/g' /etc/passwd`
Thank you John, I have been subscribed for a while, but not till recently have I really come to find so much value in every one of your videos, big respect. Thank you.
I've made a similar CMD challenge with some more bad filtering, and submitted it to my friends, they can't get their head around it! 😈
Cool, i learn some new things. Thanks
Sir, I like the way you are so swift while doing your hands on implementation, beside that your explanation is extremely intelligent, wish you could guide me on books you could recommend to me so that I can be like you?
Thanks Mr Hammond, if you can do a video explaining how you make this challenge
ly john
ly 2 rye
15:14 why try to put $var in a single-quoted string? Put it into a double-quoted one!
Yeah - obviously he then needed to escape a bunch of double quotes, but this was staring in my face as well xD
20:15 maybe its trailing newline but presets
You might not be able to use vim in visual mode, but you could use vim in ex mode like a real hacker ;)
You could have used __import__('os');ifs=os.getenv('ifs');
20:10 uhhh I'm new to IT but i think you put an extra ")" in the last part of line
Amazing. 🎉
Cool video as always. Good job john
awesome video good job
love this kinda video
Amazing
You can even check the Linux version and exploit it easily if there was a vulnerability in that flag system
Nice 😎
🤯
love how there's a challenge called "dont hack my d"
I was expecting you to use Villain
6:34 random oof
I'm lost so if you put a space in the command line it runs a python
What I have noticed more and more in recent years is that "hacker influencers / cyber security influencers" are increasingly commercializing the scene and making the greatest possible profit and it is no longer about the true art that everything is somehow related to money. you get suggested that you have to buy some courses to learn. Somehow I don't feel that way. I mean that in general terms and not aimed at John directly
I do hope that it rings true that I have not made any courses, and all of my content remains free and freely accessible. I do sponsored videos and run ads so I can continue this for the future, but at its core, my content is free. :)
@@_JohnHammond why do you need sponsors who pay you thousands of dollars to keep making the videos? I could make the same kind of videos without having to sign advertising contracts with third parties. I even know some who do exactly that after their regular work without product placement. I don't mean to attack you or anyone else in this scene, I just want to understand. I would look forward to an answer. if it is greed I would understand the answer too.
@@ahr0cdovlzk3my1lahqtbmftdw7 I wouldn't say that I "need" sponsors in order to keep making videos-- I would still be making videos without them, and the channel has been active and producing content for the first whole 10 years of its existence without any sponsored revenue. I certainly know other creators that aren't sponsored just as well, and I'd still encourage anyone to make videos with or without sponsorship. It's all about the passion and love of learning. Even without revenue, I would still be making videos. So I'd ask back at you, why do you do what you love to do? Why do you make money? Support friends and family and yourself? If you can be paid to keep doing what you love to do, why not embrace that opportunity, and do what you can to provide for your loved ones AND fulfill your passions at the same time?
@@_JohnHammond excellent response!
the reason the first python attempt failed is likely because of single quotes, they act like raw strings in python, so no variable substitution occurs
might be wrong tho
So cool!
The algorithm brought me here, I got a hell of a rootkit, had some sort of a digital demon spawn with a photo.exe/ short cut virus and none of my anti-virus programs can get rid of it so I guess I'm learning to computers now. I can send you a file or usb or something lol. Mostly kidding, but can anyone eli5 or point me the way?
Zip up the file with password infected (if you can) and send it to the malware submission link in the description!
I'm not a Linux pro, but I *do know* that IFS stands for Input Field Separator.
There's a lot of confusion on the internet about this but from the bash man pages, "IFS The Internal Field Separator that is used for word splitting after expansion and to split lines into words with the read builtin command. The default value is ``''." You can check this by going `man bash` then searching for IFS.
hey John, ever heard of this behaviour before?
when I cat a file in bash, i get the output of the file but after this finishes printing to std out, the keyboard buffer gets flushed to the command line with GUACAMOLE displayed as if it was a command to execute
some sort of weird buffer overrun? ROP to type that into the input buffer? i'm at a complete loss to explain this
This is not related to any buffer overflow or whatsoever, this is just the stdin buffer that spits back to stdout, nothing fancy. This is most likely a too large file to process for cat into memory. To me it sounds like a failover action, which is quite normal behavior
ok i didn't understand, He created a fake shell with python but at the same time He was able to get environment variables from Linux, am I misunderstanding something? I don't even know whether this doubt makes sense
He is getting the input from the user and then removing spaces, tabs and newlines and then passing that to subprocess.Popen(), which will just run any commands you give it, and then it returns the stderr and stdout to the user connecting to the service.
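The pattern described in the reply above, as an added example (not code from the video or the challenge): a handler that strips spaces, tabs and newlines and still hands the text to a shell, next to a version that never invokes a shell. The function names and the `ALLOWED` set are assumptions made for this sketch.

```python
import shlex
import subprocess

ALLOWED = {"echo", "date"}  # hypothetical allowlist for the hardened handler


def strip_whitespace(cmd):
    """The filter from the comment: drop spaces, tabs and newlines."""
    return "".join(ch for ch in cmd if ch not in " \t\n")


def run_filtered_shell(user_input):
    """Vulnerable pattern: the filtered text is still parsed by /bin/sh."""
    proc = subprocess.Popen(strip_whitespace(user_input), shell=True,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                            text=True)
    out, _ = proc.communicate(timeout=5)
    return proc.returncode, out


def run_hardened(user_input):
    """No shell: tokenise here, allowlist argv[0], execute argv directly."""
    argv = shlex.split(user_input)
    if not argv or argv[0] not in ALLOWED:
        raise ValueError("command not allowed")
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=5)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Constructed inputs; echo is used so the demo is harmless.
    # The filter glues the two words into one unknown command name.
    print(run_filtered_shell("echo hello"))
    # The shell expands IFS (space, tab, newline by default) and then
    # word-splits, so the argument boundary the filter removed comes back.
    print(run_filtered_shell("echo${IFS}hello"))
    # Without a shell nothing expands: echo receives the literal text.
    print(run_hardened("echo ${IFS}hello"))
```

The filter fails because it inspects the text before the shell expands it; the hardened version removes the shell, so there is no expansion step left to filter.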
Feedback: Not really too big of a fan of the sound effects and stuff in the video.
Idea: Could you maybe do a video on that subprocess.Popen(shell=True) thing?
Super appreciate the feedback, huge thanks! Are there other sound effects that would fit better, or just "don't use any sound effects at all"? And what other "stuff" do you mean by "stuff"?
I can certainly try to put something more formal together on subprocess Popen!
@@_JohnHammond "Stuff" was referring to the visual effects that accompany the sound effects, and the random text and images that pop up on screen sometimes.
Like the X that goes with the buzzer sound or the random wastebasket emoji and one liner jokes in text that visually popped up.
For the content presented I would prefer no sound effects, because I feel like they don't add anything useful (or even entertaining in my opinion) to the video.
I think sound effects should be used when appropriate, and sound effects like that ROBLOX "oof" sound shouldn't be forced into a video that seems to be more focused on education than entertainment.
Educational content should probably be optimized for educational value rather than entertainment value!
Audiovisual effects are probably best used for emphasis, so if, for example, you add an infobox when presenting a bit of information, you could add a sound effect for that infobox appearing (and disappearing) to give it some emphasis and make it feel less empty (this is why people tend to play "woosh" sound effects when using fly-in text, for example)
As an example for such an infobox, you could use one to explain the command line flags you use in the recording for common commands like nc and nmap, so people who know how it works can look past it and just watch the video continue, while the people who don't can read the relevant information.
Such an info box could also be made full screen, which is best accompanied by voice over in my opinion - you could explain something like normal in the live recording, and then you could add a temporary full screen visual explanation of what you are talking about so people don't stare at a static command line while you talk - this should also help with keeping up video engagement. (So it might be worth trying out- even outside of the ad reads where you already do something similar)
I think that's enough rambling from me, I ended up going on for too long about this infobox while that was actually supposed to be about the sound effects...
Apologies for the huge text dump 😅
@@centdemeern1 Nothing to apologize for, this is great constructive criticism -- huge thanks! We'll think more on sound effects or visual effects and try to find a better balance on educational vs. entertaining. Very good to know when we miss the mark, though, and can course-correct. Thanks again!!
@@centdemeern1 Woo hold up! relax, as far as you are getting the whole content right, be chill and appreciate...Shouldn't you be focusing on the content or something like that rather than minute details yet the content is top notch.
@@ewaat well I’ve been watching John’s videos for a while and he never had these sound effects, they suddenly got added
Medium difficulty. oof.
24:39 you could've just used `sed` or something, *sed -i "/^root:/ s/:x:/::/g" passwd*