Excellent walkthrough as always! I was able to get a good bit into this one without needing a guide, so we're getting there! Thank you again for your guidance, and for taking the time to answer questions from everyone....you're a blessing to the community! :D
@_CryptoCat
1 year ago
Awesome! Thanks mate 🙏🥰
@Californ1a
2 years ago
For the tools that have taken their releases out of the repo and moved to github's releases tab, there is a github releases API you can curl to get the list of binaries (assets) in the latest release, and then loop through those assets in the json response to get the download URLs and grab all those. Little more in-depth than just a git pull, but it can work.
@_CryptoCat
2 years ago
Thanks mate, will have to get that setup soon! I have a script which recursively updates all git repos, should be able to integrate it with that 😊
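The releases-API approach described in the comment above, as an added example (not code from either commenter): it reads the `assets` array of GitHub's `/releases/latest` response and collects each `browser_download_url`. The `example-org/example-tool` repository, the sample JSON and the `tool-updater` User-Agent are constructed for illustration.

```python
import json
import os
import urllib.request

API = "https://api.github.com/repos/{owner}/{repo}/releases/latest"

# Constructed sample of the API response (trimmed to the fields used here).
SAMPLE_RELEASE = json.loads("""
{"tag_name": "v1.2.3",
 "assets": [
  {"name": "example-tool-x64.exe",
   "browser_download_url": "https://github.com/example-org/example-tool/releases/download/v1.2.3/example-tool-x64.exe"},
  {"name": "example-tool-x86.exe",
   "browser_download_url": "https://github.com/example-org/example-tool/releases/download/v1.2.3/example-tool-x86.exe"},
  {"name": "../../evil.sh",
   "browser_download_url": "http://mirror.invalid/evil.sh"}
 ]}
""")

def fetch_latest_release(owner, repo):
    """GET the latest-release JSON for owner/repo (needs network access)."""
    req = urllib.request.Request(
        API.format(owner=owner, repo=repo),
        headers={"Accept": "application/vnd.github+json",
                 "User-Agent": "tool-updater"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def release_assets(release, name_contains=""):
    """Return (safe_filename, url) pairs for the assets in one release."""
    picked = []
    for asset in release.get("assets", []):
        url = asset.get("browser_download_url", "")
        # Take only the final path component so a crafted asset name
        # cannot write outside the download directory.
        name = os.path.basename(asset.get("name", ""))
        if not name or not url.startswith("https://github.com/"):
            continue
        if name_contains.lower() in name.lower():
            picked.append((name, url))
    return picked

def download_assets(release, dest_dir, name_contains=""):
    """Download every selected asset into dest_dir (needs network access)."""
    os.makedirs(dest_dir, exist_ok=True)
    for name, url in release_assets(release, name_contains):
        urllib.request.urlretrieve(url, os.path.join(dest_dir, name))

if __name__ == "__main__":
    for name, url in release_assets(SAMPLE_RELEASE, "x64"):
        print(name, url)
```

Unauthenticated API calls are rate-limited, so an updater that loops over many repositories should pause between requests or send a token.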
@_techwaves
2 years ago
great walkthroughs! I learned a lot from you
@_CryptoCat
2 years ago
awesome! thanks for the support mate 🥰
@Vex7eX
1 year ago
Thank you for your selfless tutorial!!!
@GunZFoX
1 year ago
If someone is stuck getting the reverse shell at the end, just try to log in via SSH as "Administrator" with the credentials Winpeas found. It's always worth giving it a try ;)
@philcrocker9358
1 year ago
Did it take anyone ages to get the final net cat shell to come through? Every like 10 seconds the job.bat file obviously resets itself, but never connected back. A bit confused because whilst it's the best bit, it's not a massively complex bit as most of the hard stuff had been done earlier. 😂 The walkthrough says it's an unstable exploit so it might take many tries with failure, but I've legit written to the job.bat file about 90 times now, without it calling back to my listener. When it gets to 100 I may cry.
@_CryptoCat
1 year ago
Did it work eventually?! 😅
@reu3437
1 year ago
I'm facing the same problem. My netcat is not getting the reverse shell also. Quite frustrating lol
@orvalz
1 year ago
@@reu3437 I have the same problem haha
@Death_User666
7 months ago
You have talent sir
@_CryptoCat
7 months ago
🙏🥰
@kylejf9059
2 years ago
Again, I was pretty lost here. I was doing my xxe / xee a little wrong and I'd have been lost otherwise. Also, it didn't occur to me to look for the file after. Once again, learned a lot. *that* default password also worked but I still followed to the end as I wanted to see the point of what we were meant to learn rather than that shortcut. Many thanks :) Edit: I also tried to cheat and steal all the flags from Burp lol. It worked for one of them.
@_CryptoCat
2 years ago
Nice one mate, you're flying through them 😉
@kylejf9059
2 years ago
@@_CryptoCat thanks to a lot of help from yourself, just trying to build the experience and variety of stuff up so I can be somewhat 5% competent going forward. Thanks again 👍🏻
@_CryptoCat
2 years ago
np you are doing great! keep it up 🥰
@DoDo-uw2no
2 years ago
Hey, great walkthrough! I was wondering why you just didn't use the credentials winPEAS gave you to ssh as admin? That's what I did when I first did the box. After looking at the official writeup and your video I am thinking that it might be a mistake from HTB to store credentials like that... since otherwise the privilege escalation seems too simple. What do you think?
@_CryptoCat
2 years ago
Honestly I can't remember it very well now, were you able to just login as Admin and skip the scheduled task bit at the end?
@DoDo-uw2no
2 years ago
@@_CryptoCat Yea haha. At 28:35 you find the password in the video. You could just ssh in as Administrator and finish the box. I guess it was a mistake on HTB's side...? But I'm not sure. Whatever it is. I just was a bit sad that I didn't have to do the "real" exploit when I read their write up and found out I finished on "easy mode". Just wanted to ask if there is a reason you didn't try. I thought you wanted to show the more "elegant" way to privesc instead of the bonobo way of just copy paste xDD
@_CryptoCat
2 years ago
@@DoDo-uw2no Haha yeh I'm guessing that was a mistake 😂 Nicely done though.. work smart, not hard 😉
@kazhiroma9736
1 year ago
I might have to snatch that masscan and nmap Alias, that’s quite creative. Correct me if I’m wrong but essentially you are using masscan to scan all ports since it is faster, then feeding the open ports to nmap so nmap only has to scan ports that are open
@_CryptoCat
1 year ago
Exactly! NMap is so slow with UDP, and rustscan doesn't do UDP at all so I use masscan to scan them all quickly. However, I have had plenty of occasions where masscan missed ports that were detected on a regular NMap scan, probably due to the speed. The script is here btw if you want to use it: github.com/Crypto-Cat/CTF/blob/main/pentesting/gen_nmap.py
@kazhiroma9736
1 year ago
@@_CryptoCat appreciate the reply and the link man. Have you tried messing around with the timing on nmap at all like T5 for example? How would you say masscan compares in terms of accuracy/speed. Really appreciate it btw.
@_CryptoCat
1 year ago
@@kazhiroma9736 Yeh, tbh you can get pretty good results with NMap on higher speed settings. You'll get better with rustscan, but only for TCP. I've just got a long habit of using the masscan + NMap script so I stick with it, most of the time. I also like Tiberius's autorecon project, it can be nice to kick that off when a new HTB machine comes out, then focus on manual enumeration while it's running in the background ☺
@MarcelN1980
1 year ago
Perfect! Just one observation: since you've already got a password when running linpeas (the Autologon Credentials for Administrator), why didn't you just use that?
@_CryptoCat
1 year ago
Thanks! It's been a while.. didn't I try it in the video? 😅 If not, I'm pretty sure I tried it in my first run through the box (before recording) and it was incorrect.
@ismailmatrix1
2 years ago
How do you automatically get the intercepted request on Burp Suite without having to press Forward multiple times? Usually I turn on FoxyProxy and on Burp, I put "Intercept" to "On" and then when I login the browser hangs because Burp Suite intercepts it, but then I press Forward to make the POST request, get the response, press Forward again, etc
@ismailmatrix1
1 year ago
I got it now. It automatically tracks requests in the Proxy > HTTP History whether you turn Intercept on or not
@axelvirtus2514
2 years ago
can't do reverse shell, wevtutil not running and not in the tasks
@_CryptoCat
2 years ago
Don't think I used a reverse shell for this one? Which part of the video are you stuck at?
@axelvirtus2514
2 years ago
@@_CryptoCat wevtutil it's not running on my system and no connection when I use nc nvlp port
@_CryptoCat
2 years ago
@@axelvirtus2514 Can you give me the timestamp of where you are stuck in the video? I don't remember using a netcat reverse shell on this one, I thought solution was SSH? I don't have time to review the whole vid, if you can point me to the part you're stuck at it will help.
@axelvirtus2514
2 years ago
@@_CryptoCat tnx already did this with ssh
@axelvirtus2514
2 years ago
@@_CryptoCat Hey Crypto I need help from you, exercise ecdsa weakness from pentesterlab. Do you use any social media?
@Darkres700
1 year ago
How did you get the last shell? It keeps me rewriting the job.bat file and I haven't been able to get a shell
@_CryptoCat
1 year ago
Been a while since I did this so I'd advise just double check the video steps and/or official PDF walkthrough. Probably some small thing somewhere 😆
@oliverludwig6148
2 years ago
I often speed up educational videos to maintain focus. This time I'm slowing it down, so I don't have to micromanage time, and can actually follow, what's going on.
@_CryptoCat
2 years ago
Great! Hope it helps 😊
@net_setup
1 year ago
hello, I was stuck on this box for the last few days because I could not get the shell to connect after I did the echo to change the job.bat file. it would not connect for me at all. so I uploaded the winPEASx64.exe ....I ran that and was able to see the Administrator password...so I tried logging in using the SSH and was able to get to the root.txt file. hope that helps anyone if they are stuck.
@thomashedrick8446
7 months ago
Had trouble sending the XML payload in the POST request. It would not display the file contents. I've tried so many times.
@thomashedrick8446
7 months ago
I spent hours trying to get the payload to work I feel stupid.
@_CryptoCat
7 months ago
Did you get it working? If you're using burp repeater, make sure the content-type header is correct (for XML) and that you have a newline at the bottom of the request.. If you are still having issues, timestamp the video where you're stuck and let me know what the response is, e.g. 200 OK? Any error messages?
@thomashedrick8446
7 months ago
@@_CryptoCat I did indeed get it working, I feel bad for using the walkthrough but I will say that is a tough box for being rated as "Very easy". I am still stuck on the box, I'm trying to get a reverse shell now, it called back to my attacker machine but it wasn't an elevated shell.
@_CryptoCat
7 months ago
@@thomashedrick8446 Don't feel bad mate! It's always best to spend some time on a challenge before referring to the walkthrough but eventually it becomes counter-productive if you aren't making progress. Then you are best off checking the solution and learning from it for future. How much time you should spend before checking hint/solution will depend from person to person but instantly checking walkthroughs or refusing to ever check walkthroughs are both bad approaches 😉
@manolete1516
2 years ago
take your like boss!!!
@_CryptoCat
2 years ago
🙏🥰
@reu3437
1 year ago
On the last part, when I use ps while in powershell, I don't see wevtutil running. Is this normal?
@_CryptoCat
1 year ago
Hey, it's been a while since I did this box. I would suggest to double check the official PDF writeup if the steps in the video aren't matching up.
@丁泽楠
1 year ago
I found it interesting that if you access the box directly using the IP address without adding the IP address and domain name to the hosts file, the PHP file is always "index.php" when viewing the source code. I can't understand it.
@丁泽楠
1 year ago
You can try using ip to access the box and then look at the source code.
@_CryptoCat
1 year ago
It might show index.php in the address bar but you shouldn't be able to see PHP code using "view source"
@丁泽楠
1 year ago
@@_CryptoCat I see. Thank you for your answer. But in that case, the source code is different from the video, and Daniel is not in the source code.
@markphillip4811
2 years ago
Do u hav a telegram channel?
@_CryptoCat
2 years ago
Nope!
@DoDo-uw2no
2 years ago
@@_CryptoCat What about a discord server? Any plans for that in the future?
@_CryptoCat
2 years ago
@@DoDo-uw2no Also nope! 😂 I can't really keep up with discord groups as it is, let alone creating my own 😬
Comments: 63