16:55 - Occurred to me afterwards the shell probably would have been OK, I just had two question marks instead of one question mark and one ampersand.
Instead of:
included.htb/?file=/var/lib/tftpboot/shell.php?cmd=ls
I should have used:
included.htb/?file=/var/lib/tftpboot/shell.php&cmd=ls
The distrobuilder was failing to build for me on the Linux escalation part, so I used the second method and that worked.
ty for the vid been learning a lot of these tyvm
I haven't done much for two or three weeks but I got through "unified" last night on my own but found myself stuck here.
Once again, thanks a lot!
Note to others: at the "Create Container and add root path" section, where it has "--alias=a****e" (I've used **** to hide some info) that was making my command prompt go haywire, you don't actually need it if it happens to you. As long as "--alias a****e" worked on the import.
Small edit: I try to get over the area I'm stuck at without relying too much, but even just a pointer makes the difference when I'm lost, so again, much appreciated 👍🏻🤝🏻
Another small edit: I also saved the shell / terminal upgrading process, going to be a nice addition as I move forward!
Thank you! :)
Welcome! 💜
Hi, thank you for your detailed guide. I like it so much. May I have a question:
When I compile alpine from my own machine, I cannot create one for x86_64. I am using an M1 Mac and I installed Kali in UTM with the same architecture. Is it possible to cross-compile? I tried multiple methods and none of them work properly. Do I have to create a VM in x86_64 architecture for this issue?
Thanks and good question! The M1 Mac uses a different architecture (ARM/ARM64) so I know there are often issues with binary exploitation and reverse engineering challenges. Not sure about the alpine problems though, maybe it is related to the M1 chip as you suspect: medium.com/swlh/building-x86-64-docker-containers-on-apple-silicon-a6d868a18f37
I noticed somebody else had issues with the alpine builder script so you could try their approach: medium.com/@joemcfarland/included-has-been-pwned-8df0acb17523
17:02 you should've URL encoded the command you provided
🙏
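How a query-string parser reads the two URLs from the 16:55 comment, and what the URL encoding mentioned at 17:02 does to a value, as an added example that is not from the video or any commenter. The `http://` scheme and the `ls -la` sample value are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# URLs as written in the comment; the http:// scheme is an assumption.
TWO_QUESTION_MARKS = "http://included.htb/?file=/var/lib/tftpboot/shell.php?cmd=ls"
ONE_AMPERSAND = "http://included.htb/?file=/var/lib/tftpboot/shell.php&cmd=ls"


def query_params(url):
    """Parameters as a server-side query-string parser sees them."""
    query = urlsplit(url).query  # everything after the FIRST '?'
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def swallowed_params(url):
    """Names of parameters whose value contains a literal '?', the sign that a
    second parameter was glued on with '?' instead of '&'."""
    return [k for k, v in query_params(url).items() if "?" in v]


def build_url(base, params):
    """Join parameters with '&' and percent-encode every value."""
    return base + "?" + urlencode(params)


if __name__ == "__main__":
    for url in (TWO_QUESTION_MARKS, ONE_AMPERSAND):
        print(url)
        print("  parsed:   ", query_params(url))
        print("  swallowed:", swallowed_params(url))
    # Constructed value with a space, to show what encoding does to it.
    print(build_url("http://included.htb/",
                    {"file": "/var/lib/tftpboot/shell.php", "cmd": "ls -la"}))
```

With two question marks the server receives a single `file` parameter whose value ends in `?cmd=ls`, so no `cmd` parameter exists at all.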
Don't know why the first shell does not work? Why do we need to use the rev shell to replace it? I'm confused, man 😵
I'm not too sure why it didn't work via address bar, maybe some issues with URL encoding.. Could have also played around with it in Burp Suite or base64 encoded the payload to maybe fix it 🤔
What is the webup command you utilize - or where exactly do you get it from? Seems a lot easier than systemctl start apache - and it can access and copy files from anywhere?
"webup" is just an alias I have set up in ~/.bash_aliases so that whenever I type "webup" it runs "sudo python -m http.server 80" 😉 It will expose the files/dirs in current working directory to the HTTP server. If you want the HTTP server to be accessible via the internet (not just local), you can use a service like ngrok.
Instead of lxd.tar.xz, I'm getting something called incus.tar.xz, which doesn't seem to work when I do "image import". What's wrong?
No idea on that one, sorry!
you and me are in the same boat haha
Alright, at the end of the day it did not break the box. I must have mucked something up along the way. I restored my VM to a golden image and started everything over (although I followed the install process from the GitHub itself, not that it mattered...) and then was able to use method 1 for priv escalation. Side note: you gotta be willing to research if you wanna get anywhere doing this stuff.
keep getting permission denied:
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
Tried sudo?
Just re-traced all my steps and just successfully rooted the box. Not sure what it was.
@xTheShady1x u need to be in the /tmp folder.
Getting error bin /distrobuilder not found after running this command --- sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8.
I had the same error... how do u fix it?
@nizarismail8226 you need at least Go 1.18 for this to work, and the current version in Parrot repositories is 1.17