1
00:00:01,960 --> 00:00:08,740
Now let's see how we can upload files to the server. So uploading files can be very useful because you

2
00:00:08,740 --> 00:00:14,960
can use it to literally upload anything you want, so you can upload any PHP script that you want.

3
00:00:15,120 --> 00:00:19,570
PHP scripts can be used to do anything; you can use it to gain a reverse shell.

4
00:00:19,630 --> 00:00:22,150
You can use it to execute commands on the server.

5
00:00:22,240 --> 00:00:28,840
You can use it to connect to the database and browse through the files and you can even use it to exploit

6
00:00:28,840 --> 00:00:32,730
local vulnerabilities such as buffer overflows and code execution.

7
00:00:33,600 --> 00:00:36,760
So the possibilities are endless really.

8
00:00:36,960 --> 00:00:41,100
One thing to note is that now when I check my privileges.

9
00:00:41,100 --> 00:00:48,620
So if I do whoami to check the current user, you'll see that I'm www-data and the current website

10
00:00:48,690 --> 00:00:51,480
is running under that user.

11
00:00:51,480 --> 00:00:58,410
So basically I can do anything I want on this website because I am the owner of this website at the

12
00:00:58,410 --> 00:01:04,710
moment. And in a lot of the cases, depending on how you gained your access to the website, your privileges

13
00:01:04,710 --> 00:01:05,940
might be nobody.

14
00:01:05,940 --> 00:01:12,310
So when you do your whoami, instead of getting www-data you'll be, you'll be nobody.

15
00:01:12,780 --> 00:01:15,780
And when you're nobody you can't upload anywhere you want.

16
00:01:15,780 --> 00:01:24,210
You can only upload to directories that have 777 permissions, so to directories that basically allow anybody

17
00:01:24,450 --> 00:01:26,380
to upload to them.

18
00:01:26,400 --> 00:01:35,130
So if you do ls -la you can see that we have all of our files and we see that all of them are owned

19
00:01:35,130 --> 00:01:38,160
by www-data, which is me.

20
00:01:38,190 --> 00:01:41,960
So this is the parent directory and this is the current directory.

21
00:01:42,240 --> 00:01:46,250
And these are just normal directories and files in the current working directory.

22
00:01:46,410 --> 00:01:49,110
And you can see that all of them are owned by me.

23
00:01:49,110 --> 00:01:51,300
Therefore I can upload anywhere.

24
00:01:51,390 --> 00:01:55,790
But what we're going to do in this lecture, we're going to pretend that we can't upload anywhere.

25
00:01:55,980 --> 00:01:58,000
We're going to pretend that I'm nobody.

26
00:01:58,290 --> 00:02:05,310
And if I wanted to upload something while being nobody we have to upload it to a place where everybody

27
00:02:05,310 --> 00:02:11,600
is allowed to upload files, and that place should have 777 permissions.

28
00:02:11,970 --> 00:02:13,520
So these are the permissions here.

29
00:02:14,530 --> 00:02:19,560
And what they look like is they should look like this.

30
00:02:19,590 --> 00:02:25,440
So there should be no minuses in it and it will basically mean that everybody can do anything: they can

31
00:02:25,440 --> 00:02:28,930
read, write and execute.

32
00:02:28,960 --> 00:02:35,350
So we can see from the directories here, now the directories start with d and the permissions, so you can

33
00:02:35,350 --> 00:02:39,790
see that from the directories here we have nothing with 777 permissions.

34
00:02:40,030 --> 00:02:44,260
So we actually have to look around.

35
00:02:44,280 --> 00:02:52,280
I'm sorry, I clicked Control-C there, so I'm just going to go back and connect back to Weevely. So again

36
00:02:52,280 --> 00:03:00,860
we're going to do pwd and we're in /var/www/dvwa and where I want to go is, we can see an

37
00:03:00,860 --> 00:03:03,440
interesting directory here called hackable.

38
00:03:03,500 --> 00:03:07,040
So let's go in it and then let's see what's in there.

39
00:03:07,040 --> 00:03:12,820
So we're going to go into hackable using the cd command.

40
00:03:13,170 --> 00:03:15,150
And then again we're going to do ls -l

41
00:03:26,720 --> 00:03:30,150
and again there's nothing really interesting here so let's go back.

42
00:03:31,790 --> 00:03:34,170
And we're going to navigate back again.

43
00:03:36,360 --> 00:03:43,760
And if we list here you'll see that we are in the root directory and we can navigate to different

44
00:03:43,760 --> 00:03:44,160
websites.

45
00:03:44,160 --> 00:03:49,070
Now, and if you notice, we have a directory called drive here.

46
00:03:49,390 --> 00:03:54,700
Now this directory doesn't belong to us, it actually belongs to the root user, so it doesn't belong to

47
00:03:54,700 --> 00:03:59,740
www-data, which is us, but we can actually upload stuff here.

48
00:03:59,740 --> 00:04:00,520
Why?

49
00:04:00,520 --> 00:04:04,950
Because it has the permissions that allow everybody to upload.

50
00:04:05,110 --> 00:04:10,360
So it has 777 permissions, which look like this.

51
00:04:10,360 --> 00:04:12,580
So we're going to navigate into that place.

52
00:04:15,180 --> 00:04:22,000
So we're going to list to see if there is anything already there and we can see that there are no files

53
00:04:22,000 --> 00:04:23,090
whatsoever there.

54
00:04:23,290 --> 00:04:28,780
So we're going to upload our file and we're going to use a function called file upload

55
00:04:31,690 --> 00:04:35,720
we're going to do the minus h like usual.

56
00:04:35,960 --> 00:04:41,070
And you can see that the way you use this function is you type in file upload first.

57
00:04:41,300 --> 00:04:48,270
You can use the minus f to force override, to overwrite the file if it exists already.

58
00:04:48,390 --> 00:04:55,110
You can specify the file content and you can specify the vector, and again the vector is the method of

59
00:04:55,110 --> 00:04:57,190
how the file is going to be uploaded.

60
00:04:57,330 --> 00:05:01,160
And I'm going to keep this to default so I'm not going to use the minus vector.

61
00:05:01,300 --> 00:05:03,160
And then we give the local path.

62
00:05:03,310 --> 00:05:11,020
So where the file is stored on your current computer, on our Kali machine, and followed by the remote path.

63
00:05:11,050 --> 00:05:16,090
So where do you want the file to be stored on the target server.

64
00:05:16,240 --> 00:05:19,860
So the file that I want to upload is located in my root.

65
00:05:19,960 --> 00:05:26,740
So if we go to the file manager you'll see that I have the file in the root and it's just called

66
00:05:26,770 --> 00:05:30,720
test.txt, it's actually a shell but it's just called test.txt.

67
00:05:30,730 --> 00:05:32,610
So I will try to upload that.

68
00:05:33,220 --> 00:05:43,780
So our local directory is going to be /root/test.txt and we want to upload that to the remote path

69
00:05:44,110 --> 00:05:44,970
of the current path.

70
00:05:44,970 --> 00:05:49,930
So if you want to specify the current place, the current working directory where you are, you just have

71
00:05:49,930 --> 00:05:52,320
to put a dot followed by a forward slash.

72
00:05:52,450 --> 00:05:55,800
So this is where we want to upload it and then we have to give it a name.

73
00:05:55,810 --> 00:06:07,890
So I'm going to call it shell, or test shell uploaded.txt, just the name so we know that the file

74
00:06:07,890 --> 00:06:09,420
has been uploaded correctly.

75
00:06:10,870 --> 00:06:14,390
So again the command is very simple, it's file upload.

76
00:06:14,650 --> 00:06:19,960
You specify where the file is stored on your current machine and mine is stored in root and it's called

77
00:06:19,960 --> 00:06:21,390
test.txt.

78
00:06:21,640 --> 00:06:23,870
And then you specify where you want to upload it.

79
00:06:23,920 --> 00:06:26,310
And I'm going to upload it to the current working directory.

80
00:06:26,320 --> 00:06:30,750
That's why I have a dot forward slash and then followed by the name that I want to call it.

81
00:06:30,760 --> 00:06:38,220
I'm going to call it test shell uploaded.txt. I'm going to hit enter and you can see that it's

82
00:06:38,220 --> 00:06:42,300
giving us a true statement which means that the file has been uploaded.

83
00:06:42,340 --> 00:06:43,290
If we do an ls

84
00:06:46,540 --> 00:06:51,610
you'll see that the file has been uploaded to this particular directory.

85
00:06:51,670 --> 00:07:01,270
So now we can go to our web browser, and we uploaded the file to a directory called Dove and then

86
00:07:01,270 --> 00:07:06,520
we called that test shell uploaded.txt.

87
00:07:06,750 --> 00:07:12,270
And as you can see now we can see the file has been uploaded and this is the actual content of the file,

88
00:07:12,270 --> 00:07:14,450
it's an encrypted shell.

89
00:07:14,550 --> 00:07:17,810
So it has been uploaded perfectly or correctly.

90
00:07:18,120 --> 00:07:24,270
And again we uploaded it to a directory that doesn't belong to us but the main idea is the directory

91
00:07:24,390 --> 00:07:26,730
has to have 777 permissions.

92
00:07:26,730 --> 00:07:33,990
And that way even if you have a nobody, even if you are nobody, you can upload to that directory. If the

93
00:07:33,990 --> 00:07:39,150
directories have your permissions, like the www-data here, all these directories, we can

94
00:07:39,150 --> 00:07:45,590
upload to them regardless of the permissions they have because we are www-data.

95
00:07:45,600 --> 00:07:51,750
So what I showed you here is just an example of how you would upload files if you had nobody permissions.