1 00:00:01,030 --> 00:00:08,110 Just like we did before in the last video, we went back five times and then put etc/passwd to access
2 00:00:08,110 --> 00:00:09,490 the password file.
3 00:00:09,640 --> 00:00:15,240 What we're going to do today is we're going to try to access a file located on a different server.
4 00:00:15,400 --> 00:00:21,850 So if you're doing this test on an actual web server, then the file that you want to
5 00:00:21,850 --> 00:00:27,790 access needs to be stored in a place with a real IP address or with a domain name.
6 00:00:27,790 --> 00:00:33,280 I'm doing this on my local server, so I'm going to store this on the web server on the Kali machine,
7 00:00:33,340 --> 00:00:35,560 on 10.20.14.203.
8 00:00:35,590 --> 00:00:44,000 This is 10.20.14.204 and I'm going to store my file on 10.20.14.203, so that file, as I said,
9 00:00:44,000 --> 00:00:47,700 can be anything; it could be a web shell, it could be a payload.
10 00:00:47,960 --> 00:00:52,290 Well, what I'm going to do is I'm going to create a very simple PHP file.
11 00:00:52,760 --> 00:00:56,280 So this is just the PHP start and end of the file.
12 00:00:56,600 --> 00:01:00,960 And what I'm going to put in the file: I'm going to use a function called passthru.
13 00:01:01,460 --> 00:01:02,630 And in that function,
14 00:01:02,630 --> 00:01:05,780 basically what this function does is it executes
15 00:01:05,780 --> 00:01:07,240 operating system commands.
16 00:01:07,460 --> 00:01:14,240 So it executes Windows or Linux, or depending on the web server it's going to execute commands related to
17 00:01:14,240 --> 00:01:15,540 that.
18 00:01:15,560 --> 00:01:21,500 So you put the command here between the two quotation marks, and I'm going to use the same command we
19 00:01:21,500 --> 00:01:29,050 used with the code execution vulnerability, which was the netcat command, which allowed us to get a
20 00:01:29,120 --> 00:01:32,320 reverse connection from our target.
21 00:01:32,340 --> 00:01:34,580 So I'm going to paste that here.
22 00:01:34,610 --> 00:01:36,290 So let's just first have a look at this.
23 00:01:36,290 --> 00:01:44,630 So PHP, and these are just the start and the end of the PHP file. passthru is a function
24 00:01:44,630 --> 00:01:50,570 that I'm going to use which executes any command that's inserted between the quotations, and I'm using
25 00:01:50,570 --> 00:01:57,200 the same command that we used in the command execution vulnerability, which will just do a reverse connection
26 00:01:57,350 --> 00:01:58,440 to my computer.
27 00:01:59,410 --> 00:02:04,630 So this is all good. Now the next step is the most important step, and it's storing this file.
28 00:02:04,630 --> 00:02:12,460 So as I said, if your target was a remote web server then you should be storing this file in a place
29 00:02:12,670 --> 00:02:16,960 with a real IP where you can access it from the remote web server.
30 00:02:16,960 --> 00:02:22,720 Now I'm going to be trying to access this from my Metasploitable machine, which is able to access
31 00:02:22,720 --> 00:02:26,660 files stored on the Kali machine because they're both on the same network.
32 00:02:26,950 --> 00:02:30,150 And I'm going to be calling this... I'm going to be storing it in my /var/
33 00:02:30,280 --> 00:02:32,790 www/html, so
34 00:02:32,830 --> 00:02:39,890 it's being stored on the Kali, not on the Metasploitable, and I'm going to call it reverse and I'm
35 00:02:39,890 --> 00:02:44,650 going to save it as .txt instead of .php, and I'm doing this
36 00:02:44,810 --> 00:02:50,310 because if I store it as a .php it's going to be executed on the Kali machine.
37 00:02:50,360 --> 00:02:53,860 So it's going to create a reverse connection from the Kali machine.
38 00:02:53,970 --> 00:02:56,090 And I don't want that; I don't want to hack the Kali machine.
39 00:02:56,130 --> 00:03:01,460 I actually already have access to the Kali machine. The one that I want to hack is the Metasploitable
40 00:03:01,460 --> 00:03:04,900 machine, and that one is stored remotely.
41 00:03:04,910 --> 00:03:12,650 So in order to be able to include the PHP code and execute it on the remote machine, we're going to store
42 00:03:12,650 --> 00:03:16,770 it as a .txt and get it executed on the Metasploitable machine
43 00:03:16,830 --> 00:03:25,120 instead of executing on my Kali. So I'm storing it as a .txt and I'm going to save that, and now
44 00:03:25,120 --> 00:03:26,170 let's just see here.
45 00:03:26,170 --> 00:03:36,970 So if I go to my localhost and if I say reverse.txt you will see our file right here.
46 00:03:36,970 --> 00:03:46,340 So again, this is on my localhost, which is not the Metasploitable machine; it's 10.20.14.203 and
47 00:03:46,370 --> 00:03:48,730 the Metasploitable is on .204.
48 00:03:50,100 --> 00:03:51,840 So how are we going to run this?
49 00:03:51,840 --> 00:03:55,610 First let me just listen for connections like we did before.
50 00:03:55,650 --> 00:04:02,670 So it's just going to be netcat -lp 80.
51 00:04:04,850 --> 00:04:09,790 And then right here, instead of including a file on the same server,
52 00:04:09,800 --> 00:04:14,570 I'm going to include the remote file, and the command is going to be http.
53 00:04:14,570 --> 00:04:20,140 So it's just going to be the link to this file, so it can access the file here as text.
54 00:04:20,340 --> 00:04:22,990 I'm going to copy and paste it here.
55 00:04:27,460 --> 00:04:33,640 And also in some cases you might need to add a question mark to the end to get this file to be executed
56 00:04:33,700 --> 00:04:34,970 as PHP.
57 00:04:35,350 --> 00:04:40,660 So I'm just going to go over this again one more time on including our remote file which is on a
58 00:04:40,660 --> 00:04:41,740 remote server.
59 00:04:41,740 --> 00:04:48,880 Make sure the remote server is accessible by your target, and also make sure you store it as .txt, because
60 00:04:48,880 --> 00:04:54,760 if you keep it as .php with this file, the reverse file will be executed on the remote server, so it will
61 00:04:54,760 --> 00:04:59,360 be executed on the .203 instead of being executed on the .204.
62 00:04:59,680 --> 00:05:02,880 And I'm keeping it .txt; this way it will be...
63 00:05:02,890 --> 00:05:09,860 it's going to be executed on the .204 and it's going to give me a remote connection to this computer,
64 00:05:09,960 --> 00:05:12,190 the Metasploitable computer.
65 00:05:12,210 --> 00:05:15,650 So if I come back here, as you can see we have a remote connection.
66 00:05:15,900 --> 00:05:23,130 If we do a uname -a you'll see that this is the Metasploitable machine, not the Kali machine.
67 00:05:23,130 --> 00:05:30,570 So we basically have full access to the Metasploitable machine through a remote file inclusion vulnerability.
68 00:05:30,600 --> 00:05:37,410 Now we can do an ls, we can do a pwd to see where we are, and we can literally run any Linux commands
69 00:05:37,410 --> 00:05:40,310 we want now on the machine and do anything we want.
70 00:05:40,310 --> 00:05:42,680 Basically we have full access to that machine.