1
00:00:01,300 --> 00:00:09,010
Now we actually have a complete bash shell, so we can run any bash commands we want, the exact same commands

2
00:00:09,010 --> 00:00:12,710
that we've seen in the Linux basics section at the start of this course.

3
00:00:13,000 --> 00:00:18,100
So as for how you do man and how you do help to see how you use the commands, I'm going

4
00:00:18,100 --> 00:00:23,440
to skip through that, and I want to show you a few commands that are useful when you first gain access

5
00:00:23,440 --> 00:00:24,040
to a server.

6
00:00:24,040 --> 00:00:29,500
So the first thing you want to check is what my privileges are at the moment, and the privileges depend

7
00:00:29,710 --> 00:00:31,550
on how you gained your access.

8
00:00:31,690 --> 00:00:35,620
So it depends on the page that you're getting your access through.

9
00:00:35,620 --> 00:00:41,830
So we got our access through this current page, so depending on what privileges this page is run

10
00:00:41,870 --> 00:00:45,970
as, we will get the same privileges when we get our first shell.

11
00:00:45,970 --> 00:00:47,020
Same goes for us.

12
00:00:47,140 --> 00:00:49,190
Same goes for everything, really.

13
00:00:49,210 --> 00:00:50,750
So I'm going to do whoami

14
00:00:54,740 --> 00:00:58,500
and as you can see now my privileges are www-data.

15
00:00:58,580 --> 00:00:59,510
So I'm not root.

16
00:00:59,540 --> 00:01:00,330
I'm not admin.

17
00:01:00,350 --> 00:01:03,240
I'm not msfadmin. I'm www-data.

18
00:01:03,380 --> 00:01:08,720
And this is very important, because when you're root you can do anything you want on the server.

19
00:01:08,720 --> 00:01:15,380
When you are another user then you have less privileges, or less permissions, to do stuff on the current

20
00:01:15,470 --> 00:01:16,300
web server.

21
00:01:17,660 --> 00:01:23,150
So another thing that you want to check is the kernel version of the computer, so you can do uname

22
00:01:23,150 --> 00:01:25,150
-a.

23
00:01:25,350 --> 00:01:29,040
And this will display a lot of information other than the kernel version.

24
00:01:29,040 --> 00:01:32,930
So you see the computer name, and you can see the version of the kernel.

25
00:01:32,970 --> 00:01:38,610
This is important if you're trying to run a local exploit to escalate your privileges to higher privileges

26
00:01:38,610 --> 00:01:44,370
or maybe even get root privileges, which will give you access to do anything you want on the whole

27
00:01:44,370 --> 00:01:48,320
server, not only on this website.

28
00:01:48,340 --> 00:01:53,480
Now as I said, you can run any of the commands that we learned so far.

29
00:01:53,520 --> 00:02:00,090
So you can do ls to list the current files, and we can see that there is help and index and source.

30
00:02:00,210 --> 00:02:09,150
You can do pwd to see where you are, and we are currently at /var/www/dvwa/vulnerabilities/

31
00:02:09,150 --> 00:02:09,840
exec.

32
00:02:10,290 --> 00:02:15,280
So you can navigate through this exactly the same way you'd navigate with a normal file system.

33
00:02:15,480 --> 00:02:23,680
So we can do a cd .. to go back, do a pwd and we're at vulnerabilities again, cd ..

34
00:02:24,370 --> 00:02:26,750
and another cd ..

35
00:02:26,800 --> 00:02:34,870
Now if I do a pwd you'll see that it's /var/www, and this is the document root at the moment.

36
00:02:34,900 --> 00:02:43,610
So if I do an ls -l to get more information, note we can see here the permissions, and before the

37
00:02:43,610 --> 00:02:44,150
permissions.

38
00:02:44,150 --> 00:02:50,330
Now if you notice that there is a d here, that means that this is a directory, it's not

39
00:02:50,330 --> 00:02:51,410
a file.

40
00:02:51,410 --> 00:02:54,080
And when you don't see that d, that means it's a file.

41
00:02:54,080 --> 00:03:00,890
And here now you can see that we have access to all the other websites, so we can access the wiki website.

42
00:03:00,990 --> 00:03:08,600
We can also access the Mutillidae website, and you can access the DVWA right here.

43
00:03:08,610 --> 00:03:15,330
So what this shows you is, if you managed to hack into any website, then most of the time you can actually

44
00:03:15,330 --> 00:03:18,300
navigate to the same websites on the same server.

45
00:03:18,420 --> 00:03:23,490
And this is what I said in the information gathering section; I said it's very important because sometimes

46
00:03:23,610 --> 00:03:29,160
your target website will not have any vulnerabilities, but you might find something on the same server

47
00:03:29,580 --> 00:03:32,430
and from that you can navigate to your website.

48
00:03:32,430 --> 00:03:36,130
So for example, we gained our access through DVWA.

49
00:03:36,360 --> 00:03:41,160
And let's say Mutillidae was our actual target, but we couldn't find anything in it.

50
00:03:41,220 --> 00:03:44,050
So we hacked into the server through DVWA.

51
00:03:44,310 --> 00:03:54,270
And I can navigate now to Mutillidae, so I can just cd mutillidae and then I can do an ls -l to

52
00:03:54,270 --> 00:04:00,720
see the files, so you can remove files using the rm command, you can delete files, you can do anything

53
00:04:00,720 --> 00:04:01,930
you want, really, now.

54
00:04:02,070 --> 00:04:07,650
And in the other website, Mutillidae, even though we never actually got access to it until we got our access

55
00:04:07,890 --> 00:04:10,910
through DVWA.

56
00:04:10,960 --> 00:04:17,890
Now one of the very important commands is cat, which allows you to read files, and one very important

57
00:04:17,890 --> 00:04:21,130
file that you always want to read is /etc/passwd.

58
00:04:21,130 --> 00:04:26,190
Now we actually tried to read this using the local file inclusion vulnerability.

59
00:04:26,350 --> 00:04:27,460
But I want to show you now.

60
00:04:27,460 --> 00:04:37,740
So if you do a cat /etc/passwd you can see that we can read all the content of this file right here.

61
00:04:38,140 --> 00:04:46,000
And what this file has, it shows you the users installed on the current computer, and it shows you the

62
00:04:46,000 --> 00:04:48,160
directory for these users.

63
00:04:48,160 --> 00:04:56,100
Now in this particular setup all the websites are stored in /var/www. So they are all in /var/

64
00:04:56,140 --> 00:05:03,640
www, and then you can put dvwa to access the DVWA website, or you can put mutillidae to access

65
00:05:03,640 --> 00:05:04,440
Mutillidae.

66
00:05:04,780 --> 00:05:08,040
Most of the time you won't see this in most websites.

67
00:05:08,080 --> 00:05:14,620
They actually create a user for each website, and the user usually corresponds to the website name.

68
00:05:14,620 --> 00:05:19,780
So for example, let's say your target was Facebook; then the user would be called facebook

69
00:05:19,810 --> 00:05:23,010
or facebook user or something similar to that.

70
00:05:23,020 --> 00:05:32,220
So what you want to be doing is you want to go through this file and see the path for your

71
00:05:32,220 --> 00:05:33,080
target website.

72
00:05:33,090 --> 00:05:39,670
So let's say you hacked into this website through Google, and Facebook is on the same server.

73
00:05:39,720 --> 00:05:44,160
Then look for a user called facebook and then just navigate to that file.

74
00:05:44,160 --> 00:05:51,460
Now you can see the www-data user right here, and you can see that it has its directory

75
00:05:51,460 --> 00:05:54,070
stored at /var/www.

76
00:05:54,070 --> 00:05:57,320
Again, if you open that you'll see all the websites in here.

77
00:05:57,640 --> 00:06:04,150
So if we just do cd /var/www then we can list whatever you want.

78
00:06:04,610 --> 00:06:11,300
So take a lesson from this: on a reverse shell you can basically run any command, any Linux command,

79
00:06:11,300 --> 00:06:17,480
you have, dependent on the privileges that you have; the privileges depend on the page or the source that

80
00:06:17,480 --> 00:06:19,810
gave you the access.

81
00:06:19,830 --> 00:06:25,230
So whatever privileges that resource is running, you'll actually get the same privileges, the same permissions,

82
00:06:26,010 --> 00:06:29,570
and once you're in a server, the server is just a computer.

83
00:06:29,580 --> 00:06:33,450
So once you gain access to that server you can increase your privileges.

84
00:06:33,480 --> 00:06:37,920
You can escalate them and try to access other websites on the same server.

85
00:06:38,040 --> 00:06:42,350
How you access the other websites is in the /etc/passwd you listed.

86
00:06:42,390 --> 00:06:48,000
And you see the user corresponding to your target website and just open their directory using the cd

87
00:06:48,000 --> 00:06:54,990
command. I'm going to attach a list of the bash commands that you can run so that you can go through

88
00:06:55,030 --> 00:06:57,260
them, try them and see how they work for you.