Tier 1: Three - HackTheBox Starting Point - Full Walkthrough 

CryptoCat
Published: 30 Sep 2024

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Comments: 197
@_CryptoCat 1 year ago
A lot of comments about *gobuster not working* as shown in the video, this is probably due to the updated version (3.2.0) - github.com/OJ/gobuster/commit/03e7a4557c53764f411074dde74757adcc074def The solution in 3.2.0 is to use the --append-domain flag with gobuster which will "Append main domain from URL to words from wordlist. Otherwise the fully qualified domains need to be specified in the wordlist." Alternatively, use ffuf and filter by response code (rather than length)
@afnercruz181 1 year ago
with the --append-domain worked perfectly
@_CryptoCat 1 year ago
@afnercruz181 Excellent! 🙂
@九傲宋 1 year ago
Hey, I met the same issue and I try the ffuf but it didn't work. For me the best solution is the --append-domain with gobuster. THX anyway
@九傲宋 1 year ago
even if i filter by response code, it didn't work
@ManOZn 1 year ago
sadly in ffuf you can't filter with a response status code 404 and 400 the acceptable Response status: 200,204,301,302,307,401,403,405,500
@hellothere909 2 years ago
for 'very easy' this is surprisingly hard for everybody
@sleepanarchist 1 year ago
I did find it quite hard LOL, reverse shell is definitely not a beginner friendly topic
@rushikeshgalgale5243 1 year ago
really
@Stefzan19 11 months ago
Major facts
@dio-gx9dz 9 months ago
True dude
9 months ago
MY BRAIN IS COMING OUT MY NOSE AND EARS BECAUSE OF THIS EASY MACHINE
@Fybir_ 1 year ago
i just recently got back into hacking after a while and your channel has been SOO helpful on my journey so far, keep up the great work!
@_CryptoCat 1 year ago
aww thank you 🙏🥰
@NimbleSF 1 year ago
Christ almighty what a goddamn nightmare of a Very Easy flag. As a beginner this makes me feel utterly helpless and clueless but I can't say I didn't learn anything. I owe it to myself to do a writeup of this to reinforce it honestly.
@_CryptoCat 1 year ago
You learn through the struggle! Write-ups are a great way to reinforce it, that's one of my main reasons for making videos 😊
@ismailmatrix1 2 years ago
The tldr command is a bloody lifesaver
@_CryptoCat 2 years ago
ikr! can't remember who recommended it to me but I owe them a beer 🙏
@Styrofoamiskindabad 2 days ago
Fr Too Long Didn't Read
@HolyGamebot 2 years ago
The official htb walkthrough was so confusing at the end for a beginner like me. They wanted to set up listening, then run a python server, all to use a reverse shell. Your solution was so much simpler. Earned a sub from me 🤙
@_CryptoCat 2 years ago
thank you 🥰
@TheMoatsy 1 year ago
@_CryptoCat ditto from me, quick question if you see this, is that webshells collection that you took the shell.php from out of some collection? most of the included kali collections have much more complex things, but this simple shell is similar to what i created from scratch. just wondering if i can find a good collection somewhere
@PHTM04 1 year ago
This is so hard man I legit gave up half way through, the scanning phase requires new things we haven't done and the end is crazy for the first level
@nickplays4292 11 months ago
Lol so true. Your best friend is google though. I’m beginner too and managed to get through it (in like 3 hours) 😂
@theexclusivecorner 7 months ago
Hi, fantastic video that helped me a lot but I struggled getting a shell up and running following this video and following the HTB walkthrough. I've followed these as accurate as I can but I can't get a shell connected. I'll keep trying!
@TodiDiang 1 year ago
This machine is too suck for a machine - proxy error can't be fixed always error
@uv8575 2 years ago
Thanks :) Solved this machine few days ago, steps were a bit different and your way is much simpler. Again, learned few new things from your video. Keep them coming ❤
@_CryptoCat 2 years ago
thank you 🙏🥰
@soanzin 4 months ago
I can't understand how the s3 bucket could run the php app.. could explain please? I do some research, try chatgpt, but still without understanding..
@_CryptoCat 3 months ago
Without reviewing the challenge/video, I think the s3 bucket was on a different subdomain to the php app? In this case, that's achieved with virtual hosting (rather than an actual subdomain).
@cyberdash7883 10 months ago
When I put the IP address in the browser and click enter, it's taking a lot of time loading and it's not opening the website. However I have a very good internet connection. What should I do? how do I fix this issue?
@_CryptoCat 10 months ago
Hmmm if your connection is OK, maybe the problem is with the instance of the box you're trying to hack (restart?) or with your VPN connection (reset? regenerate? change server?). Could also be some firewall related issue 🤷‍♂
@mohamedreddad2684 4 months ago
update finally it appears, i was dumb to realize that i put the ip and the domain name in the middle of the hosts file not the end, thanks dude
@_CryptoCat 3 months ago
np, glad you got it sorted! 👊
@HoneyBaby-o1m 8 months ago
does anyone know how to add wordlist file. i newly installed gobuster but don't have all the files i needed for vhost. please help me
@_CryptoCat 8 months ago
You can have a look in /usr/share/wordlists but I'd recommend downloading this: github.com/danielmiessler/SecLists - you can either clone the git repo or might be able to just to "sudo apt-get install seclists" and then point gobuster to the chosen wordlist in /usr/share/seclists
@mcjthemcj521 1 year ago
the walkthrough for this machine just simply doesn't work!!!
@_CryptoCat 1 year ago
My walkthrough or the official walkthrough? 😆
@wa57s577 1 year ago
Is the s3 bucket running locally on the attacked machine?
@_CryptoCat 1 year ago
I'd imagine so!
@Hunti21 2 years ago
Heei man - thanks for the walkthrough. in the walkthrough from hack the box it says: Let's create a PHP file to upload: echo '' > shell.php you did not do that - right? in my case i had to do it as well, i did not exactly that way but i also created a file with nano with the string '' -in it... my question...where comes this string from? internet search?
@_CryptoCat 2 years ago
Hey, check around 14:35 where I talk about shells and 16:07 you see I search for shells on my system, but you could also just google shells to copy/paste as well (or type it out since this one's short)
@Hunti21 2 years ago
in my case webshells/shells.php with '' in it did not exist...that's why i had to create it... then i looked in the htb walkthrough and the htb walkthrough says i have to create the shell.php file..then i just wondered how i was supposed to come up with this command ''
@_CryptoCat 2 years ago
@Hunti21 Basically the rule is; if you find a way to upload files to a website, try and get command execution by uploading a shell in whatever language the server understands. In this case it's a PHP server so you could just google "PHP shell" or "PHP payloads", but maybe next time it will be an ASP.net server and you'll need to google for an ASP shell. www.revshells.com is good for getting reverse shells for different languages.
@comradedarpos3198 2 years ago
Without the guide on the hackthebox website, how would you know to enumerate for subdomains? I never see it done on any other machine writeup.
@_CryptoCat 2 years ago
This might be the first starting point machine that's used subdomains but it's super common on normal HTB. First 3 things I normally do on a new machine; port scan, directory busting, subdomain (vhost) enum.
@pl7771 9 months ago
why vhosts in place of dns in gobuster?
@_CryptoCat 9 months ago
This is because hackthebox use virtual hosts instead of registering DNS record
@mooc0102 2 years ago
How did you know bucket name is thetoppershtb instead of s3thetoppershtb after you find the sub domain, s3thetoppershtb ? And how did you know key id and secret key are "a", I try to create aws account to create those keys, but amazon web required me to submit credit card number then i gave up and stuck.
@_CryptoCat 2 years ago
Hey mate good questions, I should have been a bit clearer on this. for listing the bucket names you can do like: aws --endpoint=s3.thetoppers.htb s3 ls Which will show "thetoppers.htb" as the bucket name. As for the "a", those values can be anything; the aws bucket wasn't checking for valid credentials *but* those credentials can't be empty. You shouldn't need to setup any accounts I don't think.. Definitely don't pay for any aws products xD
@mooc0102 2 years ago
@_CryptoCat Oh, I have known why I couldn't submit random key value in aws configure, because I set valid region name in aws configure such as "us-west-2", then I did aws s3 command, it responded to me "The AWS Access Key Id you provided does not exist in our records.". And it misled me to consider whether I have to create a valid credentials (my second question). After I set random region name in aws configure, it works. Thanks for your reply.
@daniahmed 1 year ago
I cannot get command execution in the box. It returns blank. I've tried so much. If anyone has had the same issue and found the solution, please let me know.
@_CryptoCat 1 year ago
Also try to check the official walkthrough, hackthebox forum and discord 😉
@daniahmed 1 year ago
@_CryptoCat Thanks. It worked after changing the shell that I put in the aws.
@hahahazzz123ify 2 years ago
Finally, finally, finally, I stuck in the flag.txt for a long time. Thank you for sharing.
@_CryptoCat 2 years ago
🥰
@kylejf9059 2 years ago
Forgot to say thanks for this, was a little stuck but got there nicely. You looked at the "RedPanda" machine? It's ridiculously difficult with priv esc. I spent an absolute stack of time on it and had to read up, it's VERY difficult (imo) for those beginning. Would be a worthy video for you to do. Thanks again 👍🏻
@_CryptoCat 2 years ago
I did RedPanda last week and you're right it was hard af lol. I don't really make retired box videos since Ippsec does such a great job xD
@nazimsakhri1558 1 year ago
so after i finally understood gobuster you came up with GOBUSTERZZZZ 😂😂😂😂😂😂😂😂
@_CryptoCat 1 year ago
hehe i have a tendency to add 'z' to my aliases.. also use 'mscanz', 'nmapz' etc 😆
@mohamedreddad2684 4 months ago
i can't understand all of this shit be more specific plzzz
@_CryptoCat 4 months ago
Ooooft been ages since I made this 😆 Any particular part of the video you're stuck with or have questions on?
@mohamedreddad2684 4 months ago
@_CryptoCat first sorry bro i was really aggressive, i'm still stuck, the s3 sub-domain doesn't appear to me even with --append-domain flag, i have gobuster v3.5
@alanledesma987 1 year ago
what is Burp and how do you use it?
@_CryptoCat 1 year ago
It's a web proxy that you use to intercept/modify/forward/drop HTTP requests: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-24dUQ1LvopE.html
@Vex7eX 1 year ago
Thank you so much for your tutorial. I have been studying it these days.
@_CryptoCat 1 year ago
Thanks mate 🙏🥰
@TheSkulldraw 2 years ago
how can the subdomain enumeration find the s3 if there is no line with the s3 in the hosts file? I don't get that part
@_CryptoCat 2 years ago
Good question! When we use ffuf to fuzz subdomains, we are actually using the original hostname, e.g. three.htb in the URL but setting the "Host" header to FUZZ.three.htb Basically this is because the subdomains are setup using virtual hosting, rather than actual subdomains. Hope that makes sense!
@Death_User666 1 year ago
Who else came here after giving up on the crappy walkthrough on the site
@_CryptoCat 1 year ago
haha 😆 it would be cool if HTB embedded community videos on their site, similar to how Portswigger do with WebSecAcademy.
@Death_User666 1 year ago
question I'm doing with the walkthrough right now but I'm stuck on at the end when you use burp but I don't see how to set it up how did you do that? I pasted the IP in the target but nothing is happening, what am i doing wrong?
@_CryptoCat 1 year ago
@Death_User666 Hey, you could checkout this intro to burp video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-24dUQ1LvopE.html 😉
@whilykitt 1 year ago
TY dude! I was getting so frustrated at enumerating subdomains step.
@2WheeledNomad 9 months ago
If I get nothing else out of your video (and I got a lot!) the tldr command is gonna help me immensely!!! I don't think I can fully understand just how helpful that is going to be!!!!!
@_CryptoCat 9 months ago
It is a great tool! 🔥
@ihacktechtips4639 1 year ago
Hi @CryptoCat i am unable to find crystal webshell on kali and parrot os can you help how to reverse shell to crack three tier 1 machine
@_CryptoCat 1 year ago
I recommend using www.revshells.com but you could also setup an alias for the plzsh() shell I use here: github.com/Crypto-Cat/CTF/blob/main/my_bash_aliases.md
@Gazty 10 months ago
If this is the Starting Point, I'm afraid to look at advanced machines hahahaha. Great video btw
@_CryptoCat 10 months ago
Hahaha I hear that a lot, and totally understand. You'll learn from the struggle though 😉
@FuelaG 1 year ago
hi ! where did you download webshells from? i don't have webshells/shell.php on my machine the SecLists laudanum-0.8/php/shell.php don't work for me
@_CryptoCat 1 year ago
I can't remember actually, maybe here: github.com/BlackArch/webshells - for the PHP one you can just add the following to a file with .php extension:
@chilltooki 1 year ago
Glad I came across your channel. Highly appreciating your effort. Keep 'em comin' :) Btw, how do I find "word.txt" file?
@_CryptoCat 1 year ago
Thank you mate! 💜
@drenleicht6568 2 years ago
why don't any of these walkthroughs follow the walkthrough designed by HTB??
@_CryptoCat 2 years ago
My process for making these videos is generally: 1) solve the machine 2) review the PDF walkthrough 3) make a video When I make the video, I show how I solved it so it might not always be the same as the official walkthrough but I might mention some things I read in the HTB walkthrough if beneficial (and I remember). I always advise to flick through the HTB writeup after solving though 😊
@drenleicht6568 2 years ago
@_CryptoCat that's fine, but for someone entering into the field, I'm sure someone spent a long time writing the walk through to explain in detail the steps to follow, more for the reader to understand the concepts explained, I understand there are many ways to achieve the same result, but as an introduction it would be wise to follow the script so to speak. Thank you for your reply also, it is wonderful to see someone engaging with their audience, keep up the great work 🙏
@kavishkagihan9495 2 years ago
Feels pretty good to be able to contribute to hackthebox academy as well!
@_CryptoCat 2 years ago
You're unstoppable bro! Which academy modules did you make?
@kavishkagihan9495 2 years ago
@_CryptoCat I was the one who made this starting point box 😅 I wanted to make a module too, but HTB staff insisted it's for staff members only.
@_CryptoCat 2 years ago
@kavishkagihan9495 Oh that's awesome, nice work! HTB should bring you on as permanent employee (if they haven't already) 😎
@kavishkagihan9495 2 years ago
@_CryptoCat I am planning on working for them once I turn 18. No worries, just one more year! :) Hope they would hire me 😅
@_CryptoCat 2 years ago
@kavishkagihan9495 I'm sure they would bro you're killing it. I knew *nothing* when I was 17 😂
@fanland332 2 years ago
Thank you ❤️🌹 for this
@_CryptoCat 2 years ago
💜
@Sun_Q 1 year ago
Hello, can you share the subdomain dictionary shown in the video? I can’t find kali, the online dictionaries are very complicated😊
@_CryptoCat 1 year ago
It's probably in seclists, you can install with apt-get or clone the git repo: github.com/danielmiessler/SecLists
@revivedXrevolver 2 years ago
I've been working on this machine since it released and haven't been able to figure out what was wrong, so thank you so much for your hard work and videos because I was losing my mind
@aliedora 2 years ago
Hi, every starting point machine has a Walkthrough with steps and some info on the topic, You can find it just under the machine name, there is a green icon with download sign :) It will open in a new browser tab. I didn't notice it at first..If I get stuck for few hours, I check that step in there. Hope that helps
@_CryptoCat 2 years ago
Thanks mate! Glad it helped 🥰 Good shout from Allie on the PDF walkthrough though, they explain things very well. I generally solve the box then flick through the walkthrough before making the video in case there's any extra info. Although I often forget to mention things when the time comes 😆
@revivedXrevolver 2 years ago
@aliedora I was stuck enumerating the subdomain and was following every step on the walkthrough, yet was still unsuccessful with gobuster for some reason. Looks like /DNS needs to be in the thread in order for it to work for me
@aliedora 2 years ago
@revivedXrevolver aah ok apologies then :) I also had an issue with subdomains..Used ffuf and amass at first, nothing came up and then gobuster worked ok for me even though I used the same wordlist. Once I had a problem with SSTI machine and the next day when I created a fresh one and tried again, everything was fine.
@nazeefkhan517 2 years ago
reading package lists... Done Building dependency tree... Done Reading state information... Done E: Unable to locate package subl Everytime I try running the subl command on my kali I get this error> Can you help me resolve this please?
@_CryptoCat 2 years ago
the command you want is "sudo apt-get install sublime-text" for future reference, if you type "sudo apt-get install subl" and then hit the tab key, it will bring up a list of the available packages that begin with "subl" 😉
@johnmellows3914 1 year ago
appreciate this video so much. I had a really difficult time with this one
@_CryptoCat 1 year ago
Very welcome mate, glad it helped! 🥰
@andreaskavellaris7607 2 years ago
What is the navigations shortcuts used at 2:30. really helpful to see in the dir and don't have to write the whole dir again.
@_CryptoCat 2 years ago
if you just hit the TAB key it should autocomplete 😉
@xxcristianxx07 2 years ago
omg dudeee u are so awesome
@_CryptoCat 2 years ago
aww ty 🙏🥰
@royalpotato4733 1 year ago
hello, I am having trouble after uploading the shell.php on s3 bucket. ls command is showing that bucket been uploaded but its not showing any output on cmd = ls , even repeater is not showing any output
@_CryptoCat 1 year ago
Hmmmm are you using the shell.php (or one confirmed as working)? Have you checked for URL encoding issues? Does the official PDF walkthrough do something different you can try?
@royalpotato4733 1 year ago
@_CryptoCat omgg u replied .... > Yes it worked ...I tried everything from scratch 2 days ago from a calm mind...didn't know why it didn't work out last time > Second,if I can get your advice on this, I have been doing HTB, THM, pentesterLab since last 3-4 months ....reached almost script kiddie rank in HTB ....it's not much I know....There are a lot of inconsistencies in my knowledge.... But I want to... prepare for HTB CPTS cert....it's cheaper than comptia.....forges one for OSCP.. ..read reviews and all.... But time is of premium to me .....Is next 3-4 months enough time to prepare for it....or will it take at least 6 months or so...I am ready to give at least 2 hours for it... everyday Or is it hopeless and I should go for relatively easier ones
@TheBG077 1 year ago
Great video!! This is the second or third time now that I just cannot get a reverse shell to work for me. I triple-checked that everything was done correctly from the walkthrough, but it just won't work for me....and it's really frustrating ;-(
@_CryptoCat 1 year ago
Thanks mate! You got it working in the end, right?
@Smola0FF 10 months ago
@_CryptoCat yeah i had same problem. and this method is so much easier to understand for newcomer to this
@Sodatex 1 year ago
Thank you for your videos bud, much appreciated
@_CryptoCat 1 year ago
Thanks mate 💜
@e1k138 1 year ago
Where did you find all your web shell ? This is pretty useful !
@_CryptoCat 1 year ago
The shell.php? It's a pretty classic one. Very short way to gain code execution with PHP 🙂
@nikto4475 2 years ago
Hey, do you recommend HTB academy?
@_CryptoCat 2 years ago
I did some free academy modules ages ago and thought they were good. I'd love to do more but they get quite expensive 😆 Although I'm sure the quality is great, the same info will be available free elsewhere (just maybe not presented as well). As far as paid content goes, I think HTB is generally good quality.
@nikto4475 2 years ago
@_CryptoCat thanks :)
@Starmanfansunofficial 2 years ago
❤❤❤❤
@_CryptoCat 2 years ago
💜
@kostasatha9056 1 year ago
how someone begins to learn all of this stuff
@_CryptoCat 1 year ago
HTB starting point is a good place to start xD This box is definitely challenging for beginners though, here's some of my other favourite resources for learning: github.com/Crypto-Cat/CTF#hacking-resources
@doinkydeano2226 1 year ago
you go so fast...it's a little difficult to keep up
@_CryptoCat 1 year ago
It's hard to find the right balance, everyone has a different level of experience/knowledge so videos will always be too fast for some and too slow for others 😁 I've had many people comment the opposite, and say they watch the videos on 1.5-2x speed 😅
@afnercruz181 1 year ago
I'm having problems when do the gobuster vhost scan it does not shows the subdomain
@afnercruz181 1 year ago
@Slexuuu I also had verify the word list that contains the S3
@_CryptoCat 1 year ago
You could try ffuf again, I think where I went wrong in the video was @ 3:50 I filtered the responses by size and in this case they were all the same. I should have filtered by response code, as you can see at 6:45 the "s3" vhost came back with a 404, while all the others were 200.
@Z0nd4 1 year ago
Thanks man!
@xhector2181 2 years ago
thanks!
@_CryptoCat 2 years ago
🥰
@dgknakdgn 2 years ago
Bro how can i install gobusterz when i am searching on google shows me gobuster..
@_CryptoCat 2 years ago
Ah this is a bash alias (shortcut command). You can add this line to your ~/.bash_aliases file: alias gobusterz='gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u $1'
@dgknakdgn 2 years ago
@_CryptoCat thank you bro
@jagj0 1 year ago
@_CryptoCat just a suggestion: as much a possible don't use aliases during videos, as most of the viewers for these starting point boxes are beginners so they do not understand the concept of aliases. Other than that keep up the good work, I'm watching all your videos one by one on my HTB journey. Thanks for the free content!
@0xPr3d4T0r 1 year ago
why did ffuf not work? can someone explain?
@_CryptoCat 1 year ago
I think where I went wrong in the video was @ 3:50 I filtered the responses by size and in this case they were all the same. I should have filtered by response code, as you can see at 6:45 the "s3" vhost came back with a 404, while all the others were 200.
@0xPr3d4T0r 1 year ago
@_CryptoCat true. thanks for the reply
@lyubenpetrov6430 1 year ago
I tried the exact same command in gobuster and even tried using the longer list (11000) but it still did not find the s3 domain. I am sure since I saved the output in a file and then searched the file. What I did find is that all requests came back with status 400. Is it possible that gobuster defaults to only this status somehow? And why would that happen to me and not to you if we use the same program and command? Or maybe I went wrong somewhere else? Any ideas would be greatly appreciated.
@_CryptoCat 1 year ago
A few people have mentioned similar issues, I'm not too sure the reason 🤔 I just booted the machine again and tried to run: "gobuster vhost -u thetoppers.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt" and it does correctly show "s3.thetoppers.htb". I wonder if there is some discrepancy with the gobuster version.. If I type "gobuster version", it shows me "3.1.0". Is yours the same?
@lyubenpetrov6430 1 year ago
@_CryptoCat Mine is 3.2.0-dev.. I saw your pinned comment - I will try that again and hopefully it works. Thanks for the help! In the meantime, I decided to go ahead and just continue further with the machine. Then I ran into another problem. I am quite new to this so sorry if this is a dumb question. For some reason, I cannot get the shell to work. I created a .php file exactly like yours (when you did "cat ../webshells/shell.php"). It seems not to work. I get blank pages when I go to thetoppers.htb/shell.php?cmd=ls. I tried some other shells (that I found with "locate shell") but they require tuning (like setting the port and IP) and also require me to tune my kali VM accordingly. This is more complicated but I will try to figure it out. However, in case you have any idea why it doesn't work when I try the same shell code as you, I will be very thankful. By the way, great content :)
@_CryptoCat 1 year ago
@lyubenpetrov6430 Did you work it out? revshells.com is quite a handy tool for reverse shells as well. Just enter your VPN IP, a port (e.g. 1337) and select the language (PHP). To wait for the reverse shell, you can setup a listener in kali like "nc -nlvp 1337". good luck! 🙂
@nikolanojic6861 7 months ago
Mine is 3.6 and i have the same problem as the other guy, can't figure it out, already tried 2 different programs to find the subdomain and i also have some bugs on them as well im going crazy @_CryptoCat
@vedhanarayananv9695 2 years ago
can you explain why ffuf failed but gobuster did the job ? i am not able to follow up on this.
@_CryptoCat 2 years ago
Good question! Looking back I see the reason. Notice at 3:50 I filtered the responses by size and in this case they were all the same. I should have filtered by response code, as you can see at 6:45 the "s3" vhost came back with a 404, while all the others were 200. We can filter responses with web fuzzers by size, response code or regex so it's worth checking all "three" 😁
@vedhanarayananv9695 2 years ago
@_CryptoCat Thanks for the explanation.
@erickpries 1 year ago
Really nice tutorial showing your thoughts on the go! One question though, where did you get the crystal/webshells repository from? Would love to add that to my tools.
@_CryptoCat 1 year ago
I think I just made a shortcut (symlink) to "/usr/share/webshells/" which is probably installed on your kali/parrot OS by default. You can try "locate webshells" command to check the location 😉
@HuyenNguyen-nn2bh 11 months ago
@_CryptoCat hi can i ask why i can't find the "/usr/share/webshells/shell.php" file ? I tried with reverse_shell.php but it didn't work tho
@_CryptoCat 11 months ago
@HuyenNguyen-nn2bh Hmmm you could just create a shell.php file, the contents are:
@elkiparionarojas9206 1 year ago
thank you very much
@_CryptoCat 1 year ago
you're welcome
@theokkali467 2 years ago
This what furries be in 2056
@_CryptoCat 2 years ago
Haha what does this mean?? I'm intrigued!
@PraiseTheLordJesusChristTruth 2 years ago
I've uploaded shell.php and after that when I'm opening it in browser it is showing open close curly braces like this {}
@_CryptoCat 2 years ago
Huh 🤔 I'm not too sure what that's about.. Double check the steps in the video; are you using the same shell? same GET param (cmd)? Let me know if you work out the problem!
@PraiseTheLordJesusChristTruth 2 years ago
@_CryptoCat solved... because i was using s3 so i removed that ..now everything is working perfect.. Btw thanks
@jesuscordoba9426 2 years ago
@PraiseTheLordJesusChristTruth Hello! I have the same problem you had but I don't get the solution. Where did you remove that s3 ? thx a lot !
@PraiseTheLordJesusChristTruth 2 years ago
@jesuscordoba9426 bro it's easy..just remove S3 from link
@ovejanegra6351 1 year ago
I put what you do but it doesn't come out because ffuf -c -w /urs/share/seclists/
@_CryptoCat 1 year ago
you can use "sudo apt-get install seclists" or install manually from the github: github.com/danielmiessler/SecLists
@rylethirikali8903 1 year ago
i can't find the /usr/share/seclists/discovery
@_CryptoCat 1 year ago
You should be able to install it with "sudo apt-get install seclists" or you can download here: github.com/danielmiessler/SecLists
@dhruvkothari7530 1 year ago
i know gobuster but what is gobusterz ? i can't find that tool tho!
@_CryptoCat 1 year ago
"gobusterz" is just a bash alias (shortcut) I have setup, you can find it here along with the many others I commonly use: github.com/Crypto-Cat/CTF/blob/main/my_bash_aliases.md Alternatively, you can accomplish the same with "gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u"
@dhruvkothari7530 1 year ago
@_CryptoCat oohk gotcha thanks !! Btw you are active in social media?
@_CryptoCat 1 year ago
@dhruvkothari7530 Yes mate! Check the description I have some links for Twitter, Reddit, LinkedIn etc 🙂
@KAV930 1 year ago
I'm having problem with the shell part I created the shell uploaded it and checked using ls and I can see my shell uploaded but when I tried to navigate to s3.thetoppers.htb/shell.php it shows {} and when I try to execute cmd=ls or cmd=id I still get {} and nothing else please help me on this
@_CryptoCat 1 year ago
Hmmm are you using the same shell.php? I would try a couple of things; see if you get the same result using a different tool, e.g. curl. Also, try a different PHP shell. If that fails, check the official PDF walkthrough and see if they did it differently 😊
@pythonxsecurity8287 2 years ago
can you do write up's about ctf.cor.team ?
@_CryptoCat 2 years ago
aghh i wish i could, the challenge quality is probably good. I doubt I'll have time to play though let alone record 😞
@pythonxsecurity8287 2 years ago
@_CryptoCat yeah if you do it i will learn a lot because the content for it is hard
@aneesaliyar6751 1 year ago
My gobuster didn't give me the 's3.thetoppers.htb' in results. Care to explain why..?
@MarcA75 1 year ago
I'm having the same issue found through another comment that it may have to do with the gobuster version 3.2.0 but i didn't find a way yet to downgrade it to 3.1.0
@_CryptoCat 1 year ago
Ahhh thanks, I've been getting quite a few questions about this. I tested again a few days ago and it worked OK for me on 3.1.0. I wonder what the change is 🤔 edit: OK, I found it - github.com/OJ/gobuster/commit/03e7a4557c53764f411074dde74757adcc074def The solution in 3.2.0 is to use the --append-domain flag with gobuster which will "Append main domain from URL to words from wordlist. Otherwise the fully qualified domains need to be specified in the wordlist."
@MarcA75 1 year ago
@_CryptoCat Just wanted to write exactly this as i found the same solution about an hour ago. Thankfully now people don't need to go insane like me before finding this out xD.
@patrikhruby1697 1 year ago
Hello, i can confirm, that i had a same problem with gobuster version 3.4. When i downgraded it to version 3.1.0 it works fine :).
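
Several threads above turn on the same mechanics: the vhost is chosen by the Host header rather than by DNS, a size filter could not separate s3 from the default site, and newer gobuster sends bare wordlist entries unless --append-domain is set. The following is an added example, not code from the video or from any commenter: a throwaway server bound to 127.0.0.1 with constructed responses (equal body sizes, 404 only for s3, as the comments describe). The names `run_demo`, `probe`, `outliers` and the `append_domain` parameter are hypothetical and only model the quoted flag description; they are not gobuster's implementation.

```python
import http.client
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed lab values mirroring the comments; nothing leaves 127.0.0.1.
BASE = "thetoppers.htb"
PAGE = b"<html>The Toppers</html>"               # default site (catch-all vhost)
NOT_FOUND = b"Not Found".ljust(len(PAGE))        # padded so both bodies are the same size


class VHostHandler(BaseHTTPRequestHandler):
    """Name-based virtual hosting: one IP, content chosen by the Host header."""

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        if host == "s3." + BASE:
            status, body = 404, NOT_FOUND        # the s3 vhost answers 404 at "/"
        else:
            status, body = 200, PAGE             # unknown names fall through to the default site
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                # keep the demo quiet
        pass


def start_server():
    """Start the lab server on a free localhost port and return it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, host_header):
    """Connect to the same IP every time; only the Host header changes.
    This is why no /etc/hosts entry is needed for the candidate names."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def outliers(results, index):
    """Hosts whose attribute (index 0 = status, 1 = size) differs from the most common value."""
    baseline = Counter(r[index] for r in results.values()).most_common(1)[0][0]
    return sorted(h for h, r in results.items() if r[index] != baseline)


def run_demo(words=("www", "mail", "s3", "dev"), append_domain=True):
    """Request each candidate name from the lab server.
    append_domain=False models sending bare wordlist entries as the Host header."""
    server = start_server()
    try:
        port = server.server_address[1]
        results = {}
        for word in words:
            host = f"{word}.{BASE}" if append_domain else word
            results[host] = probe(port, host)
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    full = run_demo()
    print("differs by size:  ", outliers(full, 1))
    print("differs by status:", outliers(full, 0))
    bare = run_demo(append_domain=False)
    print("bare words, differs by status:", outliers(bare, 0))
```

When every body has the same length, the size column carries no signal, so the attribute to compare is the one that actually varies between the default site and the real vhost.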