Nice one! Thanks, I'm currently working on my OSCP and your videos are very helpful. Thanks from Brazil!
Thanks for sharing the incident response bit, very helpful!
I did the privesc slightly differently actually: at that dir /usr/src I created a symlink to /etc/passwd, and after owning that one I changed the id of the user sec to 0, and that's how I got root.
Awesome videos. Keep them coming. Would love to see more explanations on things and alternate methods for all aspects (enumeration and attack vectors). Thanks!
Awesome IR stuff, I think I should be doing this on every box from now on.
How does your executable not lose its sticky bit after the cronjob? Every time I try this the sticky bit gets removed.
There is a hint for the cronjob. Do some research on the journalctl command and you'll see.
How did you figure out that the last couple of seconds of the audio clip contained the password? Does hiding a key inside an audio file always use a similar hiding method in CTF boxes?
I tried to make a python script that set the euid to 0:
'''
import os
import pty

# Attempt to switch the effective uid to root before spawning a shell.
# This raises EPERM (Errno 1): the kernel ignores the setuid bit on
# interpreted scripts, so the interpreter still runs as the calling user.
os.seteuid(0)
pty.spawn('/bin/bash')
'''
I changed its permissions to 4755 and set the owner to root.
When I run it with python I get: OSError: [Errno 1] Operation not permitted
Is there a way I can do the privesc with python?
Would adding #!/usr/bin/python in the first line help?
Thanks, very informative! The part I don't get is: how did you determine that the chmod was applied every x minute(s) on that /usr/src directory? I see that the cronjob file was edited, but you cannot read the contents, right?
Hi ippsec, sorry for the stupid question, but how did you know the key was encrypted with an elliptic curve cipher?
I don't believe there were any clues to that. Just lots of trial and error.
@ippsec dude, I saw some of your earlier videos in which there was an unauthorised password reset vulnerability on some of the machines that had WordPress on them, but you didn't show it because the mail function was disabled. Can you please make a video on that exploit?
Probably won't happen anytime in the near future, don't know of any fun boxes that utilize that exploit. I don't really do tutorials on specific exploits because I don't want to attract the crowd that searches for things like "How to hack wordpress".
Does anyone in the comments have a link to where I can improve my hacking skills, or some PDFs or sites?
ATRIX if you know and want to get better, Hack The Box will get your level. I didn't even finish easy (having root, I just got user)😂😭
thanks
There was no hint on the cronjob and what it does. Anyway I needed others' help to do it. Didn't play around much. j payo tei.
How exactly did you figure out that the cron job is chowning in that directory, at around 22:00? I understood the video so far, but you lost me when you magically knew what the cronjob did.
Unfortunately, I don't believe there's a good way to know. If you followed my other videos, you may have been able to see /root/chown starting through monitoring processes.
Was one of those things where it just took a lot of time playing around and eventually I noticed a process change ownership. Then guessed at what was happening. I don't think you needed to give the file a setuid bit for the cron to take ownership. Didn't play around with it enough prior to recording, so just went with what I had in my notes.
IppSec ah alright thanks :)
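The "monitoring processes" approach from the reply above, written out as an added example (my code, not IppSec's or anything from the video): it polls /proc as an unprivileged user and reports every process that appears between two snapshots, flagging ownership-changing commands so you can see what a scheduled job actually runs. The keyword list and the sample command strings are constructed assumptions.

```python
import os
import time


def parse_cmdline(raw: bytes) -> str:
    """Turn the NUL-separated bytes of /proc/<pid>/cmdline into one readable string."""
    return " ".join(p.decode(errors="replace") for p in raw.split(b"\x00") if p)


def snapshot() -> dict:
    """Map every visible pid to (real uid, cmdline). /proc/<pid>/status and cmdline
    are world-readable, so this needs no privileges."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as f:
                uid = next(int(line.split()[1]) for line in f if line.startswith("Uid:"))
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmd = parse_cmdline(f.read())
        except (OSError, StopIteration):
            continue  # process exited between listdir() and open()
        procs[entry] = (uid, cmd)
    return procs


def new_processes(old: dict, new: dict, keywords=("chown", "chmod")) -> list:
    """Return [(pid, uid, cmdline, flagged)] for pids in `new` but not in `old`.
    `flagged` is True when the command line mentions an ownership/mode change
    (the keyword list is an assumption; extend it for whatever you are hunting)."""
    found = []
    for pid, (uid, cmd) in new.items():
        if pid not in old:
            found.append((pid, uid, cmd, any(k in cmd for k in keywords)))
    return found


def watch(interval: float = 0.05, duration: float = 120.0) -> None:
    """Poll for `duration` seconds and print every newly started process.
    Short-lived jobs (a cron-driven chown finishes in milliseconds) need a small interval."""
    previous = snapshot()
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        time.sleep(interval)
        current = snapshot()
        for pid, uid, cmd, flagged in new_processes(previous, current):
            print(f"{'!! ' if flagged else '   '}pid={pid} uid={uid} {cmd}")
        previous = current


if __name__ == "__main__":
    watch()
```

Lines prefixed with `!!` are the ones worth a second look; a root-owned chown or chmod appearing on a fixed schedule is exactly the kind of scheduled job the thread is talking about.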
Is your Burp cracked? If yes, please, where can I get it?
02:00 you forgot to open Firefox)))
Very very annoying machine!
Does anybody know a way to get better at penetrating OS/webs? I'm kind of new and I nearly owned bash (root is hard but the user is super easy). Btw your videos are very helpful, but I just need to think 🤔 more ❤️🌹👍🏻