1
00:00:02,570 --> 00:00:07,820
So we have already seen in previous lectures how we can run Linux commands on the target server. All you have

2
00:00:07,820 --> 00:00:13,480
to do is just literally type in the command. For example, we can type in pwd to see where we are.

3
00:00:13,640 --> 00:00:21,740
We can navigate back with cd .., we can list what we have, and we can do anything we want on the target

4
00:00:21,740 --> 00:00:22,420
server.

5
00:00:23,710 --> 00:00:30,160
Unfortunately this isn't always the case. In many cases you might gain access, upload your shell and have

6
00:00:30,180 --> 00:00:31,080
Weevely work,

7
00:00:31,240 --> 00:00:34,150
but every time you run a command you won't see the result,

8
00:00:34,180 --> 00:00:36,240
or you might get permission denied.

9
00:00:36,460 --> 00:00:42,220
And this will happen because the server is configured in a way to prevent you from running commands

10
00:00:42,220 --> 00:00:43,870
on that server.

11
00:00:43,870 --> 00:00:48,680
So what we're going to do is we're going to use a function that comes with Weevely.

12
00:00:48,850 --> 00:00:54,040
So let's first type in help to see all the functions or the commands that we can use, and the function that

13
00:00:54,040 --> 00:00:57,050
we're going to use is called shell_sh.

14
00:00:57,160 --> 00:01:03,590
And as you can see in the description it says it allows us to execute shell commands. So using the function

15
00:01:03,590 --> 00:01:09,640
is very simple. All we have to do is type in shell_sh and then type the command that you want to run,

16
00:01:09,680 --> 00:01:15,300
so you can type in again pwd and you'll see the current working directory.

17
00:01:15,320 --> 00:01:19,950
Now this will just use the default way that we've been using so far anyway.

18
00:01:20,140 --> 00:01:24,660
So if the default way doesn't really work, this will probably not work for you either.
19
00:01:25,580 --> 00:01:31,520
What I want to show you here is what this function allows you to do. So it actually allows us to run

20
00:01:31,520 --> 00:01:34,830
Linux commands using a number of methods.

21
00:01:34,880 --> 00:01:42,200
So it's very similar to the idea of the /etc/passwd when we read it, and in this case if you can't

22
00:01:42,200 --> 00:01:48,140
run commands on the target server then it's probably because your user is configured in a way that's

23
00:01:48,140 --> 00:01:50,410
not allowed to run bash commands.

24
00:01:50,420 --> 00:01:57,560
So what this function allows us to do is run the command through a PHP function or through a Python function

25
00:01:57,770 --> 00:01:59,650
or through a Perl function.

26
00:01:59,660 --> 00:02:02,720
So this way you're actually not running the command directly.

27
00:02:02,780 --> 00:02:04,920
You're running a PHP function,

28
00:02:05,000 --> 00:02:08,800
and then the function itself runs the command.

29
00:02:08,810 --> 00:02:14,150
Therefore if you don't have permission to run commands directly you'll be able to bypass this by running

30
00:02:14,150 --> 00:02:21,620
the command through a PHP function. So to see all the vectors or all the methods that we can use to run

31
00:02:21,620 --> 00:02:22,310
the command,

32
00:02:22,400 --> 00:02:30,590
we're going to do shell_sh followed by -h, and as you can see the first thing you see is the general

33
00:02:30,590 --> 00:02:31,750
way of using the command.

34
00:02:31,750 --> 00:02:36,380
So you type in shell_sh and then you type where you want the command to be displayed.

35
00:02:36,380 --> 00:02:40,520
This is the redirection, and we're not going to mess with that because we want it to be displayed on

36
00:02:40,520 --> 00:02:41,130
screen.

37
00:02:42,060 --> 00:02:44,490
After that you specify the vector.

38
00:02:44,490 --> 00:02:45,870
So this is what we're talking about.
39
00:02:45,870 --> 00:02:52,010
These are the methods that you can use to run the shell commands, and you can see that you can run it using

40
00:02:52,010 --> 00:02:52,470
system.

41
00:02:52,470 --> 00:02:55,280
So this is the default way of running the commands.

42
00:02:55,290 --> 00:02:58,740
You can also use passthru, a PHP passthru function.

43
00:02:58,740 --> 00:03:03,670
So this is the one that we used to use when we were executing commands using PHP.

44
00:03:03,670 --> 00:03:09,570
Remember in the code execution vulnerabilities, again you have a number of PHP functions.

45
00:03:09,570 --> 00:03:13,350
So if one of the functions is disabled you can use the other one.

46
00:03:13,410 --> 00:03:19,770
You can also run commands using Python through the Python interpreter, and you can run functions using

47
00:03:19,770 --> 00:03:21,410
the Perl interpreter.

48
00:03:22,050 --> 00:03:28,710
So to use this we're going to use the same command shell_sh followed by -vector, just like we see here

49
00:03:28,710 --> 00:03:30,260
in the template. So something else:

50
00:03:30,270 --> 00:03:34,620
first thing you type in is the command followed by the vector.

51
00:03:34,740 --> 00:03:41,500
And we're going to choose a vector to use, and for the first one let's try the perl_system.

52
00:03:41,580 --> 00:03:44,980
So we're going to use perl_system.

53
00:03:45,040 --> 00:03:52,820
So this is the actual function that will execute the command that we specify, and you can see here in

54
00:03:52,820 --> 00:03:58,620
the template it's shell_sh followed by the vector followed by the command that we want to run.

55
00:03:58,640 --> 00:04:06,830
And let's run this. This time we're going to try to run whoami. Hit enter, and as you can see this doesn't

56
00:04:06,830 --> 00:04:07,560
work.
57
00:04:07,910 --> 00:04:13,520
So we're going to go back and we're going to change the vector, and let's try to use passthru, and

58
00:04:13,520 --> 00:04:16,670
we know passthru works because we used it before.

59
00:04:16,670 --> 00:04:23,120
So again we are using passthru as a vector and we're running the command whoami. Hit enter, and

60
00:04:23,120 --> 00:04:27,100
as you can see now the command got executed on the server.

61
00:04:27,130 --> 00:04:32,920
So again in our particular case here this doesn't seem very useful because we could run commands normally,

62
00:04:33,090 --> 00:04:38,120
we can just type in whoami, but in real-case scenarios

63
00:04:38,170 --> 00:04:43,660
you won't be able to run commands directly like this, and using this function with the vector could

64
00:04:43,660 --> 00:04:44,770
be very useful.

65
00:04:44,800 --> 00:04:50,800
So all you have to do is just use the shell_sh and experiment with all the available vectors until

66
00:04:50,800 --> 00:04:52,030
one of them works for you.