
TryHackMe GAMING SERVER - LXD Privilege Escalation 

John Hammond
1.9M subscribers
163K views

Hang with our community on Discord! johnhammond.or...
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: paypal.me/johnh...
GitHub: github.com/Joh...
Site: www.johnhammond...
Twitter: / _johnhammond

Published: 5 Oct 2024

Comments: 235
@bruh_5555 4 years ago
John Hammond cracks John user's password with John the Ripper
@RicondaRacing 4 years ago
While sitting on the John eating Johnny cakes
@harshbakori 3 years ago
sounds like he forgot his gmail password and is trying to hack in lol
@softicecreamer 4 years ago
Plot twist: John Hammond secretly developed John the Ripper solely for cracking into the John user
@atanki5682 4 years ago
John inception
@moneyworks4375 3 years ago
@atanki5682 johnception
@tannisk 2 years ago
He also does singing, I love his song Perfect
@Vixikats 3 years ago
Quickly growing addicted to this channel because the unscripted "fumbling" is exactly what a normal dev would have to do to fix their own little mistakes. And it's those tiny "What did I forget?" details that novices are going to be tripping over constantly. The fun part is watching your thought process unfold while you perform these tasks and help introduce us to various helpful tools and commands that we may use in our own explorations.
@simeondermaats 3 years ago
Of the six thousand languages on earth, you chose to speak Facts
@abisrug4898 4 years ago
need more of this fumbling.......fumbling makes it incredibly interesting
@padaloni 4 years ago
totally agree. it's the fumbly bits that I enjoy. mistakes are where the learning is at.
@clemsonfan53089 4 years ago
Yes! The fumbling makes it real life and shows how easy mistakes are. It's like bloopers, love it.
@SebPineda 4 years ago
Lots of Johns in this one haha
@jd-raymaker 4 years ago
That troubleshooting was the most interesting I've seen! Here's a *boop* from me
@_JohnHammond 4 years ago
Thanks for the boop! xD
@CriPPle358 4 years ago
You can disable bash expansion with cat by adding single quotes around the first EOF rather than going through and escaping everything. i.e. cat
@_JohnHammond 4 years ago
Ooooh, that's a good call! That would do the trick too. Thanks!
@svampebob007 4 years ago
@U X I hope to god that my website doesn't do that. I got some servers open to the web, and I know a friend of mine is really paranoid about leaving open ports and whatnot. But the more I learn about different ways people exploit and the more I get into the security aspect, the more I get confident about my practice. Though one thing I learned from this is the cron job part. I got two cron jobs that could give a hint as to what's going on the network, so I might need to check if there's something that a non-root user might be able to see. *edit: looking at my crontab, nothing seems visible unless you're root :D I'm really relying on not having any major security issues based on the fundamental programs, rather than trying to implement too much on either security through obscurity, or sticking my head down the sand and hoping nobody notices me.
@cdellio 4 years ago
@svampebob007 I've thought about setting up my own home-server with the same approach: keep things simple. Security by utilizing only the most simple, secure methods. nothing more or less.
@benstech726 3 years ago
@cdellio just chipping in to point out that hosting on a free low resource cloud alternative would be much more recommended.
@l0pher 4 years ago
Hi John, great vid as always!! How about doing a blind room say once a month, but do it live. I'm sure a lot of people would enjoy that. I know I would. Keep up the good work!
@softicecreamer 4 years ago
good idea!
@bluesquare23 4 years ago
I don't know how to do a quarter of what you did in this video but I'm comforted by the fact that you run into the same hiccups as me. Like oh yeah there's dollar signs, or oh duh forgot a slash.
@jadesanford2857 4 years ago
that's just the linux (and friends) experience in general
@frollard 4 years ago
Absolutely agreed that it is helpful to see you run into the stumbling blocks. There's nothing worse than following a tutorial for the first time and smashing headlong into some syntax error or in this case escaped special characters. Thanks for sharing.
@uniquechannelnames 3 years ago
These videos are worth like 100 tutorials, I'm not kidding. The thinking process, seeing concepts that one may need to learn, explaining what you're thinking, and just seeing this type of thing in action. Soo helpful. Privilege escalation has always been a big sore spot for me.
@52.yusrilihsanadinatanegar79 4 years ago
I love the fact that John checks out funny/unrelated image/video files. 👍
@suvidsinghal1365 4 years ago
Hey John I am interested in the socks proxy video ;)
@cooliceman0001 3 years ago
Yes i was just going to post that
@levyroth 3 years ago
Me too plz
@JT-cm3ff 4 years ago
Not sure if I should get depressed or motivated seeing how awesome John is at this thing. Definitely impressed though.
@th3hunt3r85 4 years ago
Thanks, it is fun watching you doing all this cool stuff, plz keep the good work coming
@uimstar5254 4 years ago
Hey John, loving your content. I really enjoy how you explain and try different methods to gain privileged access, like changing the /etc/passwd through the share drive in your container. Even if you struggle a little bit doing that, it really helps us understand the process and iteration you/we can go through while doing that. Keep up the good work!
@itsobj5013 3 years ago
watching you move through this so quickly n seamlessly just amazes me lol
@cscogin22 4 years ago
A socks proxy video would be fun to watch IMO, I was just lazy and scp'd it over to the box from my attacker platform
@satyamvirat3489 4 years ago
That was actually fun to watch. Quite educative for learning ❤️😂
@chrisbey8647 4 years ago
You and ippsec are very good learning resources. Thank you for taking your time to post these videos.
@lucha6262 3 years ago
Your videos are awesome John!
@androidenthusiast2806 2 years ago
No matter who else does the show, we always love to see John Hammond doing these tutorials.
@ITachi_11.11 3 years ago
John the legend! Keep going man... I'm learning a lot of stuff from you as I'm sure everyone else does. You are truly helping and inspiring. Thank you.
@kartibok001 4 years ago
Great video. Was waiting for the writeups as I couldn't escalate for the life of me!! Learn something new every time!!
@MartinMllerSkarbiniksPedersen 4 years ago
Just quote the EOF like cat
@_JohnHammond 4 years ago
Ooooh, that's a good call! That would do the trick too. Thanks!
@svampebob007 4 years ago
I had a script that busted my balls over this! I'll try to keep it in mind next time I create a clusterfuc.. a script :)
@oh-lives 3 years ago
Another solution that IMO is simpler: cat > /mnt/root/etc/passwd Paste and then hit
@yossig7316 3 years ago
Thank you John for going the extra mile to show teach us !!
@website8362 4 years ago
Love seeing the TryHackMe vids 👾
@website8362 4 years ago
and watching the reworks when things go wrong 😂 #real-life
@HomelessDeamon 4 years ago
keep up man, you are doing great work educating the new to the domain, in a more fun and friendly way, which makes learning easy....massive big thanks to you J.Hammond
@eclipsehunter22 4 years ago
Yes do the socket video!
@ARZ10198 4 years ago
Just did this box yesterday, John you're amazing <3
@aljazmedic375 4 years ago
Legend. Thanks for a great vid 👍
@kr4k3nn 4 years ago
Great work sir...Thank you so much for making videos.
@krisdoe 4 years ago
Great video John. I learned some new things which were not so obvious to me previously. By the way, LXC/LXD and Docker stuff run most of the time as daemons - which means once you are in the group with a regular user you are free to escalate privileges. This is a known flaw - at least in the Docker world. Nowadays Docker could be run in rootless mode to avoid such situations. RHEL is doing the same with Podman if I am not wrong.
@Child0ne 2 years ago
I've learned more from John Hammond than I think 12 years of schooling
@abdosama 4 years ago
Let's go with the funneling internet to the box idea, it would be very interesting 🧐
@siddharthjohri2935 4 years ago
Another good video. You rock John.
@rakeshbabumulugu7517 4 years ago
Great work John! 😇 Learning a lot of stuff as a newbie through your way of approach! You show us how to think and compromise a machine! 🙏
@RocketLR 4 years ago
I love this format. It's fast and straightforward. No "uhhms" or "eehhms" while over explaining. Other people stop at every single step. "then i paste this text into here.... I will use CTRL... SHIFT... V... Then we ehhh need to eeeh saaaaaaaaave with ctrl + Oooooo.. No wait my bad, this is vim... So wee go and press esc, just to be suuuuure.. eeh... btw i prefer vim because jada jada jada." I spent too much time on this comment already but I have been bugged by how slow people tend to be...
@mumugs 4 years ago
I subscribed just because you had the problem with the root password and nailed it.
@FrostByte112 4 years ago
This begs the question: why on earth would you dump a list of passwords and a private ssh key on your webroot... That's like hanging the key to your house on a hook, next to the front door visible from the street...
@dofw.mp4330 4 years ago
i mean it is hidden, so id say it is like putting it under a rubber footmat... with holes in it
@hellomistershifty 3 years ago
As a fellow John, I can say this is a good video
@softicecreamer 4 years ago
I wanted you to do this one... This CTF was awesome for me to complete
@sportcodfb 3 years ago
I loved the vid John, i was thinking that perhaps for changing the user's password you could've chrooted into the root mount, anyways the vid was hella fun :)
@mjuhasz 4 years ago
Best troll in each TryHackMe video are those README files :D
@TheH2OWeb 4 years ago
Thanks John! Always fun and interesting!
@LepkaPlayGames 4 years ago
Woah great video! This looks like fun. Quick note, no need to put slashes before dollar signs, you could just quote the 'EOF' (then bash interprets the text inside as a pure string, not evaluating vars :D) Great video, keep it up!
@glen_nz 4 years ago
On the topic of fumbling and figuring out what you've done wrong....this is the stuff that courses don't show you. In some ways, that problem solving is one of the most important parts of the video. Any idiot can make a "perfect" video. Only someone who knows what they're doing can make a "less than perfect" video and fix problems encountered during it - adding to the value and standing out as more than just a walkthrough. Great job.
@aalekhmotani3877 2 years ago
Without the video, John, I would only have known how to obtain the root flag. Thanks a lot.
@hewfrebie2597 4 years ago
I would like to see it using a socks proxy for the learning experience, so why not! Since it's a good idea and that's why I subscribed to your channel, so I understand more about proxychains.
@kritagyagupta8619 3 years ago
John cracks John's password with john
@dersg1freak 2 years ago
My favourite way to get stuff into a file is cat > file. It never goes wrong. Ctrl+C to finish
@ddlsmurf 4 years ago
you can just cat > file, paste, then ctrl+d (which sends an EOF). You will then write exactly what you pasted. The heredoc as you say is interpreted by bash, whereas if you effectively < stdin, which is what cat does, cat is reading not bash. Also check out alt-.
@ajiththiyar7609 4 years ago
Bro your content is da best
@cryspwasp9288 4 years ago
I did it by writing my own script LMAO 😂, I remembered you when I saw John on src 😆😆
@R4yan- 4 years ago
whew i can't believe you just saw my writeup xD at 33:09
@matiasm.3124 4 years ago
Nice channel .. sometimes he complicates things .. but it's very nicely explained.
@harmtech3502 4 years ago
The proxy video would be interesting yeah, thanks man ^^
@Simpfan45 4 years ago
I've definitely done that SOCKS proxy trick while at a former job. Had to install our software on a machine in the UAE without the box having any internet access. Worked a treat. Just remember you also have to tunnel DNS as well or you are gonna have a bad time.
@AsadAli-ye8ns 3 years ago
movies and games are not even comparable with watching these videos..... wow,,,,,,,,i have been in the IT field since 2004, but the learning process never stops....
@BeinIan 3 years ago
You should have clicked on Draagan Lore, I'm curious about the details of this fictional fictional universe.
@nishantsingh5341 4 years ago
32:00 The Hollywood hacker when he disables the security nanoseconds before the timer runs out
@yes-iz9ek 4 years ago
he looked at my write up :D
@xXLanyuzAnlunXx 4 years ago
Ok
@franromero1675 4 years ago
Hey, part of the lxd exploit was done by s4vitar, a great hacker who is also a youtuber, perhaps the best channel in Spanish, don't miss it!
@Vittoriouss42 4 years ago
if i could understand spanish i would definitely watch it! but my spanish stops at Ola ketal ;)
@originalkhawk 3 years ago
season/year is a common result of making users change their password every x months; forcing users to come up with a unique password every couple of months is a bad practice and doesn't make anything more secure (unless you have a data breach every couple months spilling all passwords used, but at that point you have bigger issues)
@sebastiantillmann1669 4 years ago
When you can ssh into the box why don't you just scp Linpeas and the container image?
@mrhusi 4 years ago
my thoughts
@Sfhgscvg 4 years ago
Plain http might be faster? It's a bit more user friendly as you don't need to authenticate, then again with an ssh key it shouldn't be an issue. However the key is pass protected so unless the password is stored in a keyring you would have to bother to type the password. It all comes down to personal preference.
@svampebob007 4 years ago
@Sfhgscvg you could also change the password of that key since you now know the ssh passkey:
-------------------------------------------
ssh-keygen -p -f sshkeyfile
-------------------------------------------
it will ask for the current password, then you can just leave it blank. if you have to connect a lot of times with ssh, you could add something to the .ssh/config
-------------------------------------------
Host client client.example.com
    HostName client.example.com
    IdentityFile ~/.ssh/client_rsa # private key for client (like "sshkeyfile" in my previous example)
    User remoteusername

Host otherclient other.example.org
    HostName other.example.org
    IdentityFile ~/.ssh/otherclient_rsa # different private key for other client
    User otherremoteusername
-------------------------------------------
then you can just use ssh otherclient or scp files client:~/ really useful if you don't want to always have to add the -i option, or if you want to set a custom name for that connection and have it separated with multiple id files. on another note you could also add it as an alias in the .bash, but that's up to you, the point is that you can simply remove the passkey once you know the passkey and then use it as a regular key without password.
@DevonBagley 4 years ago
Easier than changing the root password. Enable passwordless sudo for the user since they are already a member of that group. Changing the passwords is a good way to be discovered.
@sentinalprime8838 4 years ago
John Johned, it's a nice video. For me your videos are always a one-way stop for relaxing. Amazing John, the world needs great people like you to share knowledge. Lots of respect man !!!!!!!!
@gabrielmoreira7265 4 years ago
Personally I prefer seeing you work through the problems you came across instead of going directly to the solution
@Connectme_ai 4 years ago
Love the content!
@ShimrraJamaane 2 years ago
I don't know why he didn't chroot inside the container. Then he would have been a full root process on the host system.
@Prosth3tiks 4 years ago
I understand 0.001% of this but I keep watching.... you type the words you get the stuff hahaha
@crimson750 4 years ago
Keep up the videos! Love them
@davidmcclellan4621 3 years ago
Is there a reason you didn't use SCP to transfer the alpine container to the attacker machine? I assume something to do with logging and leaving fingerprints, but I feel running wget would leave the same type of fingerprint, but maybe I'm missing something. I'm just a software dev interested in this kind of stuff. Keep up the great content!
@softicecreamer 4 years ago
Can you do Year of the Rabbit CTF
@000t9 4 years ago
It's totally fun! Thank you bro!
@flaviuscondurache2688 4 years ago
Nice video, cool LXD PE, personally I would have modified the /root/.ssh/authorized_keys and I would have sshed as root without needing any pwd. Then you can change it easily with passwd. :)
@geraldfeeney1410 2 years ago
It's cool. That's master level. There are many ways to go to Rome. +1 subscriber.
@rifqioktario5546 3 years ago
It's a little bit confusing because there are two Johns lol
@jmjl2 3 years ago
When you get a sh in the container you can just chmod +x /mnt/root/bin/bash and then out of the container bash -p
@fatcatgaming695 4 years ago
Fantastic explanation.
@jose007108 2 years ago
these videos rock! keep it up man ;D
@ronakjoshi5093 4 years ago
great video john..keep up the good work 💥💥
@dstensnes 3 years ago
cat
@hiteshjoshi2736 4 years ago
I know nothing about pentesting but still enjoyed the video 😄😄
@cho-kocheng3577 4 years ago
Imagine having root access and removing these files
@IllSkillz 4 years ago
that's some PogU content mate!
@anunayy 4 years ago
I would love to see the Socks proxy thing! one can possibly make a pwncat script for it?
@_JohnHammond 4 years ago
Definitely, I do want to bring that into pwncat ;)
@Luxgil 4 years ago
I'm up for the socks proxy stuff :)
@djcb4190 1 year ago
Privileges... You can earn them or you can buy them
@aaronplace7923 4 years ago
Interested in why you chose to use 'cat' when 'nano' didn't work instead of something classic like 'vi'.
@suyashjain3378 4 years ago
Pls continue making such kind of videos 💯💯❤️❤️
@georgehammond867 4 years ago
that was not so easy at all. >nice to see some real problem solving skills in the video's ending. :]
@jwbulmer 4 years ago
I have absolutely no idea what's going on here, but I enjoyed the video all the same. Stuff like this has always interested me, but I have absolutely no understanding.
@hookthievess 4 years ago
yo my man, why do you use guake for sending the linpeas? why can't you just split your terminator screen and do it in that pane? You know what would be good - Doing a video on your workflow. How you set everything up, your terminator shortcuts, the way you use guake, little scripts you use to make things easier.
@hookthievess 4 years ago
watch this for the answer - ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-f2aSXGbD0NE.html
@pfeilmann 4 years ago
just run "cat > passwd", paste, enter, ctrl + d. So "bash/zsh/..." doesn't mess with the input.
@razzawazza 4 years ago
Yes please to the socks proxy video mate.
@garthako 3 years ago
Couldn't you simply have had the EOF in quotes ("EOF") to avoid variable substitution instead of escaping all that stuff?
@varadvithalkj1716 3 years ago
why not add another user with root privileges when you have write permissions to the /etc/passwd file? BUT, in the end, amazing video!!
@medioclick 4 years ago
I am interested in the socks proxy video ;)
@neilslater877 3 years ago
When did he find John's sudo password