TryHackMe! Tartarus - Website Password Bruteforcing
Vložit
- čas přidán 28. 08. 2024
- Hang with our community on Discord! johnhammond.or...
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: paypal.me/johnh...
GitHub: github.com/Joh...
Site: www.johnhammond...
Twitter: / _johnhammond
Seeing your "mistakes" is arguably more helpful than the "actual" content :)
😎👍
John vold how is it going
"I dont need to say all those nines, thats the point of saying quad" lol, Good ole Hammond keeping it real
Seeing you stumble around and just go on a tangent is like such a vibe, just reminds me that you are like a chill dude under all that genius lol but yes good video very cool ty
It is like he is speaking my internal monologue as I'm working through problems lmfao
I found the coding portion of this tutorial fascinating. I would love to see more in depth tutorials on coding and its implementation in computer hacking!
Just wanna say thank you for your content, learning a lot. Best of luck always ;)
I'm glad you enjoyed the box 🤠
Love it when you try to solve stuff with python. Keep up good work!
"Hello everyone my name is john hammond"
I am a freshman in college in Pennsylvania and I would love a video just explaining some of the various programs and tools you use and how you know when to use them. I have been using your videos to learn about the terminal and practicing using the various commands. I would really love to get into hacking within the next couple of years and as someone who is willing to spend a couple of hours a day on it, I believe I can. That is why I think the video would be incredibly helpful. Also, if nothing else, can you tell me if tryhackme pathways would be worth my money?
I started this box yesterday and deliberately waited until I finished it today before watching this.
I used Hydra for the brute force, You reverse engineering the login and creating a custom brute force was interesting to observe.
Keep up the good work I am enjoying your video's :)
If he had called a nc to connect to his nc listener instead of adding the SUID to bin/bash, would he have still got root shell on his nc listener?
@@younesmohssen8158 yes he would, there is alot of ways
@@atomicsamurai403 thanks very much ahah. I was very new to hacking and was trying to make sense of why he done it that way; better opsec too than spawning a shell I’m assuming
I really enjoy watching your videos. I am in the process of learning about cybersecurity and your videos are very helpful! Thank you
I'd love to see more videos with you using pwncat! Great vid 👍🏽
Juicy work by any two guys.
clicked for inferno titan
Hey John! Thanks for the content, love your work! Best of luck
Great video!! well, as usual.. :D Glad to see you subs are rapidly growing, it's well-deserved!
And, btw, I did yelled when you forgot to replace the username :D
Very funny, thanks John
I spared no expense
i like your videos. amazing to see how it works and how much backdoors could be implemented in that system.
20:25 NOO.. You were the Chosen One! It was said that you would destroy HTB, not join them. Bring balance to the Infosec, not leave it in darkness.
If he had called a nc to connect to his nc listener instead of adding the SUID to bin/bash, would he have still got root shell on his nc listener?
Hi, Could you please do a video on your top 10-20-50 used tools.. and how to learn about the best tools for doing various CTF things... i am super new, and building my toolkit. and have learnt loads from your videos, but for example up till today, i didn't know about RustScan! where do you learn about these new tools!?
Hello John. I know I am bit late for the reply but I enjoy your content immensely as it is a great way to improve my general understanding of exploits and the thought processes. Can I know what song you are using for your outro or if is your custom order because it slaps REALLY hard.
Why am i just finding rustscan i like that thanks for that little nugge john
Love your videos :D really enjoy it
19:42 cat
Love you sir 😘. I am from India you and your video was amazing...
That was fun.
Going to look back at poor man's pentest. Teach that, if you're cool with it.
Very good video, with very good contents and well explained. Also learnt with your mistakes. 😀
Hacker man strikes again
Just started coding, don't always understand what's happening but I enjoy watching it!
Love your content. Can I ask, how did you achieve the neat animation for pwncat? Also, does the shell stabilization script dump chars into keyboard device file, or how does it work? So many questions... :D
Pwncat uses the Python library `rich` for some beautiful output/animations/loading bars. It uses either script -qc, or Python to stabilized the shell. The project is open-source and you are welcome to take a look at the code and how things work under the hood! All credit and kudos to Caleb for his genius and mastermind with the project: github.com/CalebStewart/pwncat
Thank you!
Perfect
Hello 🤩
@@il2626 hello schr0
I'm using your video to explain my clients why it's bad to have a password as "Password1234" :D
great video!
Good video, how about not just hacking the boxes but show what you can do to protect against the attacks you do. Like the bruteforcing you did of the username and password. How can you protect against that?
That's a good point -- I can certainly try and do that a bit more, for sure!
@@_JohnHammond Thansks for answearing! Yeah so the viewer get both sides of the situation.
@@_JohnHammond try Relevant room
Thanks again mr hammond!
Can you help me on how to stabalize shell
Great video
Yes indeed 😸
Good stuff thanks bro
I think this room has been removed. I can't find it =(
me too
Hi John! I completely understood "chmod +s /bin/bash". It allows us to run /bin/bash, with the priveleges of the creator/owner of the executable, which is root.
Here is the question though: why is "-p" is required?
Ive done my research and I think I figured it out:
Without the “-p” switch, bash compares real vs effective user id’s, and set the shell env accordingly (if effective and real uid’s are different: effective is set as the real one). But if “-p” is supplied, effective uid is kept.
Still have some minor questions though, I’d appreciate a more clear/detailed answer a lot
Awesome 👍
Could you start linking the respective web pages in the description? Like the Tryhackme Tartarus url
When using nc to listen for the reverse shell, which IP did you use? It was exposed?
Also what is op a s tun0?
On another note I’m thinking about making a simple gui in python for beginners using nmap I’m aware there’s other applications but it would be a good little project for me to learn tkinker.
Thinking a few drop down boxes for type of scan
Ip range box
& option to save output to a txt file. All things that will be handy for myself to program and hopefully someone will find it useful for beginning. Thinking it will work on both Linux and windows but I’m unsure on windows with nmap as I’ve never used it.
Are you using a VM for your Linux ,dual-boot, or main OS?
Main os probably
@d4rckh cus he's a cool boiii
I think he actually uses it as his main, because first of all, GNU/Linux is just better than anything else (for experienced users at least) and second of all, he records in the same OS which he wouldn't do, if it was a VM.
EDIT: Yeah, just looked that last part up again, you can see the OBS Studio (I do not know how that is spelled, sorry) logo in the top right. He's using it as his main.
Yup, I have Ubuntu installed as my main operating system. Much much more fluid for work, seems to handle and behave a lot better than in a VM.
After watching @John I have shifted to Ubuntu too. And I am so happy. Just have tools which I use for pen testing and no more bloats.
you are ubuntu wizard
Lol hahah
yow john - i love your work.... but one thing just getting my nuts cracked all the time watching your newer videos....
get that pictures in the back fixed - they are not in a horizontal line :D
Do you exploit “stuff“ with Upnp ? .....can you make a video ? It would be great ✌️🤑
HOLY SHIT, I THAT A MOTHERFUCKING GD REFERENCE??
Can someone please explain why the when I tried to use the reverse php oneliner from testmonkey the cheat sheet it showed me the text of the file and didn't send me a shell?
hey jhon .. I am trying to build a new desktop setup for pentesting .. any advice ?
use a Kali VM. simple as.
Use Ubuntu and install tools as you need them
@@highvisibilityraincoat any hardware specific suggestions.. process ram mother board..❤️
One option if you're on the go is to make a bootable kali linux USB. If you intend to add persistent to it, I'd highly recommend investing in a large USB 3.0 model rather than the smaller and cheaper 2.0s, as the machine will move at a snails pace on shittier read/write speeds.
@@MindLeaker thank you David 👍👍
What OS version are u using
Whoaaah, u smart sir 😎👍
when I run the command "nc -lnvp 9999", it says : listening on any 9999 ... and doesn't do anything (I've the correct ip adress in the reverse-shell.php btw and refresh the page).
Does anybody has the same problem as me ?
This is so nice! 💗🙂
If he had called a nc to connect to his nc listener instead of adding the SUID to bin/bash, would he have still got root shell on his nc listener?
I know a little bit of hacking but soon ill be a great hacker!
After seeing this guy: Nope im done
Damn thank you , Even though im confused :D
I usually am im so happy this time it made more sense than ever. I guess its the pentest internship i scored
what programming language is this based on
Kali moving towards zsh. Are other distro's getting off bash?
Not afaik, bash is part of gnu
Well my arch install has zsh instead of bash...
Oh dang! I gotta get back on the zsh bandwagon, get my command auto-complete again ahaha
@John Zsh is really cool for that exact same reason...
buenos videos :D
my script only runs one user name help
Inferno titan? based mtg player
uh he didn't do it
dont use plural for variable names it is more error prone
It's fine to use plural names for variables that refer to collections or arrays.
@@davidfrischknecht8261 I find it as cause of many small error and unclear further down the line.
Can you do a video on your terminal tricks / shortcuts
We all want that.
How would you hack 2 factor authentication? thanks a lot for your videos
Which linux is he using?
he is owsome
*nmap? More like slowmap*
🐢
snailmap
Do some hack the box also
whats that? hydra......nope i'll create my own brute force with Python 😄
creating a python script instead of python3 .........aha..... i like these kind of crazy :)
We need more python scripting tutorials for web CTF's
oh my god, very2 powerfull hacker :D
hahaha, that login template!
I made a request to one site that hosted a "simple php login page" with the exact same login page
I told then about this exact problem of saying "incorrect password" or "incorrect username".
that's the edit I added:
$stmt->bind_result($id, $password);
$stmt->fetch();
if (password_verify($_POST['password'], $password))
{
session_regenerate_id();
$_SESSION['loggedin'] = TRUE;
$_SESSION['name'] = $_POST['username'];
$_SESSION['id'] = $id;
header('Location: home.php');
}
else
{
echo 'Try again';
}
Although my server gets you banned after 2 fails for around 2 month, so you might as well switch IP... unless drum roll please:
you're already in my network with the same key.
I really like watching those videos, it gives me a glimpse at what could go wrong in my security, and what I really don't need to worry about.
What I really see is a whole lot of leaving the password out there... what I don't see is figuring out what port or server does what.
the reason I say that is because I came a cross one example of a project from 2007 that hid the server by responding to every ports available as "[insert random server] [random port] [random service]" that project got shut down by a DMCA
Okays
Lol
Hey man i realy enjoy your videos, i have a question for you, with this codes and stuff can you baypas icloud iphones ?
john literally doing his ctfs with his custom scripts.. skid me who is using pentest tools invented by others:(
The sulky apple admittedly trade because germany namely terrify following a exciting exclusive calculator. glistening glorious, absent snowboarding
We need more python scripting tutorials for web CTF's
We need more python scripting tutorials for web CTF's
We need more python scripting tutorials for web CTF's
We need more python scripting tutorials for web CTF's
We need more python scripting tutorials for web CTF's
i hate you