This is much better than Netflix

Love the content dude! In a week I've gone from knowing nothing about hacking, very little about networking or scripting and not a huge deal about computers to successfully completing 2 HTB boxes using what I've learnt here! No walkthroughs! Keep up the great work, you're single handedly teaching me penetration testing!

I love how long it takes you to find the tomcat users file, when it was written at the bottom of the :8080 page at all times, you just never got around to reading the last paragraph.

Loved the wfuzz idea. ippsec also had trouble finding the exact path so you're in good company

you had me on the edge of my seat when you didn't think to view the tomcat user file with the file inclusion. best content ever

Thanks for the video, John.

Thank you for the awesome content. I find it very inspirational. :)

I often like to test path traversal for file=statement by using something like file=statement/../statement since if it actually is path traversal, then the path would be simplified to file=statement, which exists and returns a result ;)

Awesome content. Thanks for all the hard work.

Thanks John!

Awesome stuff man. Keep it up. Would like to see some more advanced techniques on harder challenges.

wfuzz part was cool... and pwncat gotta admit it's awesome.

Just like always you are the best bro.... Whenever there is a htb box release watch both your video and ippsec video....

I learned a lot from you,... thanks sir

These videos are amazing ,great work

excellent john!!

Hey John, would you consider a video walking us through your setup? It would be for other people that aren't running Kali that want to emulate your work flow. Things like install locations for apps and scripts (I see a lot of them in opt but I'm new to Linux and assume there would be some changes you'd have to make to permissions for that to work smoothly), essential tools, folder structuring, services you have either bookmarked or committed to memory (like gtfobins), the shortcuts you use in sublime, and what terminal multiplexer you use (and shortcuts for that)

Awesome, as always!

learning something new everyday from your videos 😁😁

you are the genuine ONE🥃

Great . Thanks

Awesome video, can you do some more Hack The Box machines? I just passed the eJPT and im starting the PWK for OSCP

fun to see the box I just finished :D (My first thing like this ever xD) also learned now some things thatI could have automated :) For example the fuzzing I did manually. And I never checked the admin vhost thingy. and I didnt use metasploit. a regular curl does the trick. Also should have used pwncat. that will help next time :D

also if you didnt notice at the bottom on the page for tomcat in the NOTES is shows the directory for the tomcat-users is located

TXT files is preparation for IAS, ssh is complicated fan page. Comment Box style modes. Collecting connection/cat files

I love this guy I've been following you for awhile love u

This should be good! Thanks JH, keep them coming, good Sir!!

Awesome Content!

The fastest exit of VIM I've ever seen. :D

(18:34) - docker container, look for same version of Tomcat and locate the conf file. (26:48)- Metasploit (28:22)- Pwncat (31:31)- fcrackzip

GOod.. continue..

Ohhh missed the starting gona watch when the video is done

So that's how you tell it to use the hostname and associate it with the IP!! Thanks!!

Shouting at my screen: read the last paragraph of the tomcat default page...

great video! :)

this is true entertainment

hey John i want to ask about your experience and your opinion using Kali on WLS2, is it worthy for beginner level and people who had limited resources on their computer?

Using wfuzz against an LFI is such an innovative idea but use the flags for filtering 😂. My OCD was triggered. Going to try the same with Feroxbuster tomorrow morning as with recursiveness and syntax I'm curious if it can LFI from a few directories above. On a side note, any update on paramiko for pwncat? Love the tool and want to use it in my standard environment without needing to go virtual env route.

Am I missing something or did you not spot the line at the bottom of the document mentioning the /etc/ path to the xml?

Aside from personal performance, any good reason for choosing Ubuntu over for instance, Debian, Arch, etc?

he knows exactly how many ../ to add to go to etc/ thats awesome

Damn read the last line!!

You actually don't need to use the ../ Php will accept absolute paths so you can just do /etc/passwd from anywhere for example

The most shocking for me is how complex is hacking framework(s)

Great Video! Around 10:15, how do you know how many steps you gotta go back with ../ , was it a specific amount?

Getting user was kind of similar to "Jerry"

💯

apparently this thing requires more patience than I thought.

do some more hackthebox walkthroughs

2 videos on this tabby

Elements Coming for this answer in elements is looking files prepare

John what is your OS

I missed the live premiere : (

Wow, great. Please help?? -] Exploit aborted due to failure: not-found: The target server fingerprint " ( 401-Basic realm="Tomcat Manager Application" )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check. [*] Exploit completed, but no session was created. I literally did everything the same... :(

So sad... And they had just updated their security xD

♥️

Having worked with tomcat it always bothered me that credentials were stored in plaintext in xml files. This video is giving me anxiety.

This would have taken me 45 days :P so 45min is pretty good i would say lol.

i could not get any info from nmap scan why is that

Good day John, I am new to the cyber field, I recently started the ceh course and your videos really help with the practical part. Thank you for making such great videos! I beg you, please could you make a video explaining how to make a wordlist for brute forcing passwords, is there a way to make a giant wordlist with all leaked passwords or how do you go about obtaining your word list for all your various projects.

What terminal do you use ? If anyone know i'm really interested . Thanks

Isn't that vulnerability called "directory traversal" rather than "local file inclusion"? You can't really include files seems to me :P

I don't get people calling people script kiddies just for using useful tools its dum btw i would say a script kiddie is someone that know nothing about coding or using the cool or good tools properly that's like calling a plumber that uses his tools a bad plumber

Man, I love watching you smash that hosts :).

Vrey Cool Vid :)

What are you exploiting I'm very curious

Sir im in very bad situation i need one help from you pls reply me

Algo

Wc~c how to use

I was like, ok you have the path of the tomcat user config and a way to view it, why the hell are you looking for default users?

Sir i need help from you pls reply me

man you are very talented indeed. could you teach me some important stuff when you free? I'm a hacker too man but in my country I don't have a good mentor.. could you be my mentor?

Love the videos. It would be interesting if TryHackMe or other sites would allow Red vs Blue team. Defenders could access tools like ELK and other tools to monitor and act.

is this ubuntu os?