1
00:00:02,570 --> 00:00:07,820
So we already seen in previous lectures how we can run Linux commands on the target server or you have

2
00:00:07,820 --> 00:00:13,480
to do is just literally type in the command for example we can type in W.D. to see where we are.

3
00:00:13,640 --> 00:00:21,740
We can navigate back see the dot we can list what we have and we can do anything we want on the target

4
00:00:21,740 --> 00:00:22,420
server.

5
00:00:23,710 --> 00:00:30,160
Unfortunately this isn't always the case in many cases you might gain access upload your shell and have

6
00:00:30,180 --> 00:00:31,080
weekly work.

7
00:00:31,240 --> 00:00:34,150
But every time you run a command you want see the result.

8
00:00:34,180 --> 00:00:36,240
Or you might get permission denied.

9
00:00:36,460 --> 00:00:42,220
And this will happen because the server is configured in a way to prevent you from running commands

10
00:00:42,220 --> 00:00:43,870
on that server.

11
00:00:43,870 --> 00:00:48,680
So what we're going to do is we're going to use a function that comes in with we believe.

12
00:00:48,850 --> 00:00:54,040
So let's first type in help to see all the functions or the Kamaz that we can use and the function that

13
00:00:54,040 --> 00:00:57,050
we're going to use is called Shell SH.

14
00:00:57,160 --> 00:01:03,590
And as you can see in the description it says it allows us to execute shell commands so using the function

15
00:01:03,590 --> 00:01:09,640
is very simple all we have to do is type in Shell SH and then type the command that you want around

16
00:01:09,680 --> 00:01:15,300
so you can type in again PWT and you'll see the current working directory.

17
00:01:15,320 --> 00:01:19,950
Now this will just use the default way that we've been using so far anyway.

18
00:01:20,140 --> 00:01:24,660
So if the default way doesn't really work this will probably not work for you either.

19
00:01:25,580 --> 00:01:31,520
What I want to show you here is what this function allows you to do so it actually allows us to run

20
00:01:31,520 --> 00:01:34,830
Linux commands using a number of methods.

21
00:01:34,880 --> 00:01:42,200
So it's very similar to the idea of the ATC passwords when we read in it and in this case if you can't

22
00:01:42,200 --> 00:01:48,140
run commands on the target server then it's probably because your user is configured in a way that's

23
00:01:48,140 --> 00:01:50,410
not allowed to run bash commands.

24
00:01:50,420 --> 00:01:57,560
So what this function allows to do is run the command through a PH function or through a Python function

25
00:01:57,770 --> 00:01:59,650
or through a perl function.

26
00:01:59,660 --> 00:02:02,720
So this way you're actually not running the command directly.

27
00:02:02,780 --> 00:02:04,920
You're running a PH function.

28
00:02:05,000 --> 00:02:08,800
And then the function itself runs the command.

29
00:02:08,810 --> 00:02:14,150
Therefore if you don't have permission to run commands directly you'll be able to bypass this by running

30
00:02:14,150 --> 00:02:21,620
the command through APHC function so to see all the vectors or all the methods that we can use to run

31
00:02:21,620 --> 00:02:22,310
the command.

32
00:02:22,400 --> 00:02:30,590
We're going to do Shell S.H. followed by SH And as you can see the first thing you see is the general

33
00:02:30,590 --> 00:02:31,750
way of using the command.

34
00:02:31,750 --> 00:02:36,380
So you type in Shell SH And then you type where you want the command to be displayed.

35
00:02:36,380 --> 00:02:40,520
This is the redirection and we're not going to mess with that because we want it to be displayed on

36
00:02:40,520 --> 00:02:41,130
screen.

37
00:02:42,060 --> 00:02:44,490
After that you specify the vector.

38
00:02:44,490 --> 00:02:45,870
So this is what we're talking about.

39
00:02:45,870 --> 00:02:52,010
This is the methods that you can use to run the shell commands and you can see that you can run it using

40
00:02:52,010 --> 00:02:52,470
System.

41
00:02:52,470 --> 00:02:55,280
So this is the default way of running the commands.

42
00:02:55,290 --> 00:02:58,740
You can also use a pass APHC pass through function.

43
00:02:58,740 --> 00:03:03,670
So this is the one that we used to use when we were executing commands using P.H..

44
00:03:03,670 --> 00:03:09,570
Remember in the code execution vulnerability is again you have a number of BHB functions.

45
00:03:09,570 --> 00:03:13,350
So if one of the functions is disabled you can use the other one.

46
00:03:13,410 --> 00:03:19,770
You can also run commands using Python through the python interpreter and you can run functions using

47
00:03:19,770 --> 00:03:21,410
the perl interpreter.

48
00:03:22,050 --> 00:03:28,710
So to use this we're going to use the same command shell SH followed by minus b just like we see here

49
00:03:28,710 --> 00:03:30,260
in the template so something else.

50
00:03:30,270 --> 00:03:34,620
First thing you type in is the command followed by the vector.

51
00:03:34,740 --> 00:03:41,500
And we're going to choose a vector to use and for the first one let's try the Perl system.

52
00:03:41,580 --> 00:03:44,980
So we're going to use ferral system.

53
00:03:45,040 --> 00:03:52,820
So this is the actual function that will execute the command that we specify and you can see here and

54
00:03:52,820 --> 00:03:58,620
the template so it's show SH followed by the vector followed by the command that we want to run.

55
00:03:58,640 --> 00:04:06,830
And let's run this time we're going to try to run who am I hit enter and as you can see this doesn't

56
00:04:06,830 --> 00:04:07,560
work.

57
00:04:07,910 --> 00:04:13,520
So we're going to go back and we're going to change the vector and let's try to use pass through and

58
00:04:13,520 --> 00:04:16,670
we know pass through works because we used it before.

59
00:04:16,670 --> 00:04:23,120
So again we were using passthrough as a vector and we're on in the command do I might hit enter and

60
00:04:23,120 --> 00:04:27,100
as you can see now the command got executed on the server.

61
00:04:27,130 --> 00:04:32,920
So again in our particular case here this doesn't seem very useful because we could run commands normally

62
00:04:33,090 --> 00:04:38,120
just we can just type in who are my but in our real case scenarios.

63
00:04:38,170 --> 00:04:43,660
You want to be able to run commands directly like this and using this function with the vector could

64
00:04:43,660 --> 00:04:44,770
be very useful.

65
00:04:44,800 --> 00:04:50,800
So all you have to do is just use the shell S.H. and experiment with all the available vectors until

66
00:04:50,800 --> 00:04:52,030
one of them works for you.