18:00 Using python instead of the recommended tool reminds me those teachers really explains the answer to you rather than tell you that is the answer.

I just wanna say, your the only channel I have with notifications turned on. I'm part of a security group but upper management. Basically I get the reports. Iv grown a large interest in how my subordinates conduct their pen testing. Watching you has 1. Impressed me and 2. taught me how my subordinates conduct their pen testing. Kudos with the python script.

I had been struggling to escalate my privileges and you taught me how to do that in such an easy manner. You're amazing. Thank You!

Bro, thank you very much for this detailed walk through. I just finished a homework with a privilege escalation exercise. This solidified everything I did and more. Keep the great content coming!

Thanks John! Been watching your videos for a month or so now and with a little help in that last bit (stabilizing the shell and actually running the service using systemctl) I just finished my first TryHackMe room. Sweet Victory!

A half hour video and I will be spending hours taking notes. I really enjoy learning from you. Thanks.

Just finished Vulnversity. Your python script blew my mind! Got me wanting to ramp up my python skills. Thanks man!

THANK YOU I WAS STUCK AND THIS HELPED ME SO MUCH!!! Your explanations and everything were clear, concise, and super helpful. A+ Thank you!!!

It really helps when you have a solid understanding of networking, programming & basic linux fundamentals. I'm pretty sure a couple years ago i would of shat bricks and thought you were gandalf, even though you are basically gandalf, thank you

John, thank you for such a comprehensive explanation and a fascinating adventure! It's a pleasure to watch your videos, I am really waiting for more your episodes of try hack me!

Just did this box today, it was interesting to see the other ways we can use to address the challenges. Great Video!

Thanks for this, I had waited to finish the room before I watched this, and find your approach very helpful and instructive, especially replacing burp with a python script!

Watching your video and actually understanding keeps me smiling. Thanks for the great explanation!

Loved the alternative ways you showed us. Thanks as always

Thanks for your videos man !! They are actually educational and like it makes sense so like thanks man ♥️♥️

Love it! Please do more of these

Watching you code the Python script was super helpful. Thank you!

dude you are so humble, I just love your videos and personallity!

Thank you for the content! I just got into cybersecurity. I can't wait to see more. -Cheers

I actually enjoyed these videos even though I'm just a newbie in this field. I look forward to seeing more of these!

It feels great to find that I can understand more of what you are doing lately!

Thank you so much for the walkthrough. I was struggling so much with the systemctl step. I didn't realize I needed to stabilize the shell to make the GTFO script to work.

Thanks John, I really liked that method you showed to get a fully functioning reverse shell. I look forward to trying it out.

this is amazing to watch, even i don't understand any of this (actually a bit), but its interesting to watch, seriously i never skip the vid xD

I got stuck on the last step, ran out of the ideas, find similar approach to what you used but I didn't know the trick with stty so input gave me a lot of pain, so I eventually gave up :/ Now I can finally complete it! :D Great video, as always! :)

Perfect Technique John, thanks for your sharing. Love your clear explanation I am new in OSCP. Those skill helps me a lot.

So I have absolutely no idea what you’re doing, but it’s presented in such a way that I feel like I do. Either way, thoroughly enjoyable!

Did this box like an hour before watching this! Awesome video

nice explanation, got here bcuz been stuck on that privesc part for several hours, got to learn something new, thanks

19:10 man did that shit escaladed quickly lolll good stuff!

Congrats to hit 100k in very advance !.

Hey, man! Thanks for explaining that python script, I would rather use python as well as it also helps to keep touch with the language or else we tend to forget things. These niche things like slapping the python script and explaining it makes me wanna watch these videos... Keep it up.. learning a lot

Really hand trick i didn't know about stabilising the shell using Python will be sure to use that a lot more often. Completed the room before watching your video as i like to do them without help. Awesome content regardless, I learn a lot from the way you think thanks for sharing :)

Great video, thank you. I learned a lot from you.

Doing the youtube algorithm thing. Tho I actually came for the video.

So much knowledge in this video... Learnt a lot!

I loved the shoutout to Ippsec lol. Great channel man!

John, you are doing amazing job by creating these handholding sessions for Cyber Security professionals !! Many thanks to you. Keep up the great work!!

wow, that was a beautiful walk through and a top $ explanation as I was having an issue understanding the last part about systmctl privesc part but you made it so much easy and the python script is top pro man, as burp didn't work as it showed all .php files as status 200 including the .phtml., where your script nailed it 100%.

Thank you for the bin/bash hint!!!

AWESOME, i loved the python script, very instructive as always , thanks pal !!!

Just did the box yesterday , glad to see other way to get the allowed extension

pressed Like button four times, this is how much i liked your video)

Hmm thank god the youtube algorirthm showed your channel, I'm a web dev and i wasn't that interested in cyber security but you got me hooked ! Please continue on the TryHackMe site as it is very well made and really accessible, even to n00bs like me !

Definitely liked watching you do some "dirty coding" in python. And the "bash -p" trick was super clever, I never would have thought of that.

many thanks to you John for the embedded python lesson

This is the best YT channel, hands down.

Loved the Python script instead of BurpSuite - thanks for showing us that little trick!

thank you for the video, really interesting and valuable

I love it when you take some detours and present showcases in python :)

You are amazing bro!

Thanks for the video!

Gracias bro!, aprendí mucho

i appreciate your work very much. if we would have had these possibilities of learning 15 years ago, many things would have been easier

@JohnHammond I ve been following you sir for a very long time.. thank you for all the amazing help ur content has done not only to me but to so many..!!! you are just amazing at what you do.. and i wish this channel reaches over a million soon.so more people can benefit from your knowledge...!!! and also can you tell me how can i learn python specifically for cybersec.. i have good basics of python.. but cant script or understand exploits..can u help me where i can learn from.. thanks a lot..!!!!!!!

Tried at yesterday for the first time. Followed the same process untill I found systemctl. First tried to do prevesc using setuid but couldn't bcz I'm a massive noob. But then I exploited the vulnerability where systemctl can run process as any user to run bash as root and pipe it to my tun0. Then used netcat to reverse shell. But now I know where I did mistake while trying setuid stuff. THANK YOU.

Really enjoyed that python scripting I would love to see more challenges solved that way. Been wanting more coding projects and tasks, thanks m8!

I was struggling with burp, got to learn python and it was so much easier. Of course with your code :P baby steps...baby steps.... thanks man im hooked on your vids.

I enjoyed watching this. Thanks.

Hey John, thanks so much for this walk-through - awesome as always. I'm just wondering what was the though-process underpinning editing the standard script from GTFObins? I was able to do the whole machine blind until this part, and got stuck there for a good hour or so. very grateful for your insight but I feel like I cheated a bit by just copying your actions w/o understanding really what went into those edits. Thanks!

After watching this video , I am a great fan of you and want to become like you .

Great stuff! Appreciate that you are adding some extra hints which i did't get in writeups, same for python. I noticed you are not closing files stream in for loop where you are checking different extensions upload. During scripting very often I don’t bother also :P but as we know as good practice we can use context managers like with statement or, f.close(). This is not the case here - but I just wonder does such unclose files may be some kind of vulnerability? Did you came across on that during challenges?

Hi, thanks for this! What exactly happened in the privilege escalation method? That whole env variable and link to systemctl etc I didn't understand at all 🤔

Awesome video John! There was one thing I didn't quite understand, what did changing the ExecStart line do at the end? How come keeping the line the way it was wouldn't work?

I've been using Linux in some capacity since 1998 and this is the first I've truly understood SUID.

Lol I just did this room! I actually uploaded a . service file and used systemctl to start a reverse shell as root but your methods seem so much more efficient! Just one question: what were those commands you used to make the first shell more stable?

So I have a question / comment. One thing you didn't show since you didn't use burpsuite is how you would find the /internal/uploads folder. It's nice that the THM site provided that for you in it's hints section, but if this were a blank box without that hint, using your python script how would you have been able to tell where the .phtml file uploaded to to be able to run it? What tool, other than burp, would you have used to find where your reverse shell landed?

John, the last 3 or 4 minutes of that video, I could swear you melted a few keys!

Damn you're so inspiring

thanks bro

thanks sir

Oh man Thnks so much

Gotta love that python demo ...

Your hair cut's great

Method question… when you find a file upload page is your first thought always a php reverse shell? And what drives the thought process? Thanks!

Quick question, why did you check the body response rather than the HTTP response code in your python script? For example checking if the response was 200 or something else, I'd imagine it would return a 401 if it didn't allow the extension.

i didnt quite get what u did to stabilize the shell. can u explain the ctrlZ part?

Hello John, it's been a while since that video but why does /bin/systemctl seems a little bit odd as you said?

💗I like your hairstyle too 💗

thanks alot

Hey John! Thanks for the video. At around 19:29, you said "Ctrl Z to foreground that" but it looked more like you were sending the NC php shell to the background instead, especially since you sent it back to foreground after you did "stty raw -echo". Did you mean background and you said foreground by accident?

I came for John's haircut... And was not disappointed.

John, please explain what you did at 19:17, I was able to replicate it, but I don't get it.

For some reason when i run gobuster i get a lot of `ERROR request canceled while waiting for connection` timeout errors clogging up the output. Any way to silence these?

So in order for your bin bash priv esc to work, you need another suid bit or something running as root to try and piggyback on?

I tried to use the privilege escalation method that you did but the services don't seem to load

Good job bro ♥️

Great videos as always. Only thing I could not get to work was the very last part. Copy & Pasting the code for systemctl. I did everything 3 times exactly as you did and every time I could not get it to get me root for whatever reason. I spent a couple hours banging my head and still couldn't get it to work. Lost for answers. Any ideas? I made sure that I had change to /home/bill dir before I copy&pasted. No idea. Thanks for making the videos!!

Heyy finally got thanks John

Well, when in Rome, smash the stack... wait, what? Sorry, wrong youtuber.... 👋 John. Welcome. Did u have time to unwind after VirSecCon? Amazing job. Thank you from the bottom of my heart. Sure the sentiment is worldwide but most of your followers are using this evening (official beginning of the extended Marvel Universe weekend! Wait, what? Not Marvel? Sorry wrong weeke... 🥳) to catch up with the mentioned CTF and other beautiful challenges. And since I cheated last challenge (privesc) in Vulniversity I’ll just download this video and retreat to my den... Nice, John, nice 👍...

I would use command: lsof -nP | grep -i listen -> to check which user is running on port 3333

awesome video 👍

Im currently in the room, and uhhh, using the recommended flag they have returns that the host is blocking ping probes and to try -Pn, and of course, when i use -Pn and any other number and combinations of flags, it just returns that all 1000 ports scanned are up, nothing else. ive been on this for 3 hours now xD ive tried, regular nmap, nmap -sC -sV ( -Pn ) ( -A) (-f) and each of those individually. ive reset my box twice now, did it break or am i just completely overthinking this?

For basic and amateurs . I like it

After you entered "stty raw -echo" what was your next step? It sounded like "specify fg"

can we do the same thing with other bin files there to gain root privileges.?

Wow, that was fun :)

LIKED!

Hi John - with regard to the part in 19:08/29:34 . How do know which url I should point to in order to trigger the phtml reverse shell. Im assuming if we do not know of the instruction - " :3333/internal/uploads/php-reverse-shell.phtml "

Any resource out there that would explain 26:28 ( "chmod +s /bin/bash") more? This is an awesome work around that is a time saver!