1
00:00:01,960 --> 00:00:08,740
Now let's see how we can upload files to the server so uploading files can be very useful because you

2
00:00:08,740 --> 00:00:14,960
can use it to literally upload anything you want so you can upload any ph rescript that you want.

3
00:00:15,120 --> 00:00:19,570
Ph.D. scripts can be used to do anything you can use it to gain a reverse show.

4
00:00:19,630 --> 00:00:22,150
You can use it to execute commands on the server.

5
00:00:22,240 --> 00:00:28,840
You can use it to connect to the database and browse through the files and you can even use it to exploit

6
00:00:28,840 --> 00:00:32,730
local vulnerabilities such as buffer overflows and code execution.

7
00:00:33,600 --> 00:00:36,760
So the possibilities are endless really.

8
00:00:36,960 --> 00:00:41,100
One thing to note is that now when I check my privileges.

9
00:00:41,100 --> 00:00:48,620
So if I do who am I to check the current user you'll see that the w w w data and the current website

10
00:00:48,690 --> 00:00:51,480
is running under that user.

11
00:00:51,480 --> 00:00:58,410
So basically I can do anything I want on this website because I am the owner of this website at the

12
00:00:58,410 --> 00:01:04,710
moment and a lot of the cases depending on how you gained your access to the Web site your privileges

13
00:01:04,710 --> 00:01:05,940
might be nobody.

14
00:01:05,940 --> 00:01:12,310
So when you do your WHO A-MEI instead of get in WWE The only data you'll be who you'll be nobody.

15
00:01:12,780 --> 00:01:15,780
And when you're nobody you can't upload anywhere you want.

16
00:01:15,780 --> 00:01:24,210
You can only upload to directories that has 777 permissions so to directories that basically allow anybody

17
00:01:24,450 --> 00:01:26,380
to upload to them.

18
00:01:26,400 --> 00:01:35,130
So if you do ls L.A. you can see that we have or all of our files and we see that all of them are owned

19
00:01:35,130 --> 00:01:38,160
by the data which is me.

20
00:01:38,190 --> 00:01:41,960
So this is the parent directory and this is the current directory.

21
00:01:42,240 --> 00:01:46,250
And these are just normal directories and files in the current working directory.

22
00:01:46,410 --> 00:01:49,110
And you can see that all of them are owned by me.

23
00:01:49,110 --> 00:01:51,300
Therefore I can upload anywhere.

24
00:01:51,390 --> 00:01:55,790
But what we're going to do in this lecture we're going to pretend that we can't upload anywhere.

25
00:01:55,980 --> 00:01:58,000
We're going to pretend that I'm nobody.

26
00:01:58,290 --> 00:02:05,310
And if I wanted to upload something while being nobody we have to upload it to a place where everybody

27
00:02:05,310 --> 00:02:11,600
is allowed to upload files and that place which should have a 777 permissions.

28
00:02:11,970 --> 00:02:13,520
So these are the permissions here.

29
00:02:14,530 --> 00:02:19,560
And what they look like is they should look like this.

30
00:02:19,590 --> 00:02:25,440
So there should be no minuses in it and it will basically mean that everybody can do anything they can

31
00:02:25,440 --> 00:02:28,930
read write and execute.

32
00:02:28,960 --> 00:02:35,350
So we can see from the director is here now the director is start with and the permission so he can

33
00:02:35,350 --> 00:02:39,790
see that from the directories is here we have nothing with 7 7 7 permissions.

34
00:02:40,030 --> 00:02:44,260
So we actually have to look around.

35
00:02:44,280 --> 00:02:52,280
I'm sorry I clicked Control-C there so I'm just going to go back and connect back to Evely So again

36
00:02:52,280 --> 00:03:00,860
we're going to do PWT and we're we're in Vire WWE w the VW 8 and where I want to go is we can see our

37
00:03:00,860 --> 00:03:03,440
interesting director here called Haikerwal.

38
00:03:03,500 --> 00:03:07,040
So let's go in it and then let's see what's in there.

39
00:03:07,040 --> 00:03:12,820
So we're going to go into hackable use and see the command.

40
00:03:13,170 --> 00:03:15,150
And then again we're going to do ls l

41
00:03:26,720 --> 00:03:30,150
and again there's nothing really interesting here so let's go back.

42
00:03:31,790 --> 00:03:34,170
And we're going to navigate back again.

43
00:03:36,360 --> 00:03:43,760
And if we list here you'll see that we are in the root directory and we can navigate to different Web

44
00:03:43,760 --> 00:03:44,160
sites.

45
00:03:44,160 --> 00:03:49,070
Now and if you notice we have a directory called drive here.

46
00:03:49,390 --> 00:03:54,700
Now this directory doesn't belong to us it actually belongs to the root user so it doesn't belong to

47
00:03:54,700 --> 00:03:59,740
w w w o data which is us but we can actually upload stuff here.

48
00:03:59,740 --> 00:04:00,520
Why.

49
00:04:00,520 --> 00:04:04,950
Because it has the permissions that allow everybody to upload.

50
00:04:05,110 --> 00:04:10,360
So it has 777 permissions which looked like this.

51
00:04:10,360 --> 00:04:12,580
So we're going to navigate into that place.

52
00:04:15,180 --> 00:04:22,000
So we're going to list to see if there is anything already there and we can see that there is no files

53
00:04:22,000 --> 00:04:23,090
whatsoever there.

54
00:04:23,290 --> 00:04:28,780
So we're going to upload our file and we're going to use a function called file upload

55
00:04:31,690 --> 00:04:35,720
we're going to do the minus like you like usual.

56
00:04:35,960 --> 00:04:41,070
And he can see that the way you use this function is you type in file upload first.

57
00:04:41,300 --> 00:04:48,270
You can use the minus F to force override to overwrite the file if it exists already.

58
00:04:48,390 --> 00:04:55,110
You can specify the file content and you can specify the vector and again the vector is the method of

59
00:04:55,110 --> 00:04:57,190
how the file is going to be uploaded.

60
00:04:57,330 --> 00:05:01,160
And I'm going to keep this to default so I'm not going to use the minus vector.

61
00:05:01,300 --> 00:05:03,160
And then we give the local Poth.

62
00:05:03,310 --> 00:05:11,020
So where the file is stored on your current computer on our Callimachi and followed by the remote path.

63
00:05:11,050 --> 00:05:16,090
So where do you want the file to be stored on the target server.

64
00:05:16,240 --> 00:05:19,860
So the file that I want upload is located in my root.

65
00:05:19,960 --> 00:05:26,740
So if we go to the file manager you'll see that I have the file in the root and it's just called testor

66
00:05:26,770 --> 00:05:30,720
THC it's actually a shell but it's just called test dirty XTi.

67
00:05:30,730 --> 00:05:32,610
So I will try to upload that.

68
00:05:33,220 --> 00:05:43,780
So our local directory is going to be route test the XTi and we want to upload that to the remote path

69
00:05:44,110 --> 00:05:44,970
of the current path.

70
00:05:44,970 --> 00:05:49,930
So if you want to specify the current place the current working directory where you are you just have

71
00:05:49,930 --> 00:05:52,320
to put adult followed by a forward slash.

72
00:05:52,450 --> 00:05:55,800
So this is where we want to upload it and then we have to give it a name.

73
00:05:55,810 --> 00:06:07,890
So I'm going to call a shell or test show uploaded the T XTi just the name so we know that the file

74
00:06:07,890 --> 00:06:09,420
has been uploaded correctly.

75
00:06:10,870 --> 00:06:14,390
So again the command is very simple as file upload.

76
00:06:14,650 --> 00:06:19,960
You specify where the file is stored on your current machine and mine is stored in root and it's called

77
00:06:19,960 --> 00:06:21,390
testor XTi.

78
00:06:21,640 --> 00:06:23,870
And then you specify where you want to upload it.

79
00:06:23,920 --> 00:06:26,310
And I'm going to upload it to the current working directory.

80
00:06:26,320 --> 00:06:30,750
That's why I have added forward slash and then followed by the name that I want to call it.

81
00:06:30,760 --> 00:06:38,220
I'm going to call it a test shell uploaded that the XTi I'm going to hit enter and it can see that it's

82
00:06:38,220 --> 00:06:42,300
giving us a true statement which means that the file has been uploaded.

83
00:06:42,340 --> 00:06:43,290
If we do an ls

84
00:06:46,540 --> 00:06:51,610
you'll see that the file has been uploaded to this particular directory.

85
00:06:51,670 --> 00:07:01,270
So now we can go to our Web browser and we upload it for the file to a directory called Dove and then

86
00:07:01,270 --> 00:07:06,520
we call that test shell uploaded that XTi.

87
00:07:06,750 --> 00:07:12,270
And as you can see now we can see the file has been uploaded and this is the actual content of the file

88
00:07:12,270 --> 00:07:14,450
it's encrypted Chell.

89
00:07:14,550 --> 00:07:17,810
So it has been uploaded perfectly or correctly.

90
00:07:18,120 --> 00:07:24,270
And again we uploaded it to a directory that doesn't belong to us but the main idea is the directory

91
00:07:24,390 --> 00:07:26,730
has to have 7 7 7 permissions.

92
00:07:26,730 --> 00:07:33,990
And that way even if you have a nobody even if you are nobody you can upload to that directory if the

93
00:07:33,990 --> 00:07:39,150
directories have your permissions like the debris there will be data here all these directories we can

94
00:07:39,150 --> 00:07:45,590
upload to them regardless of the permissions they have because we are doubly W.W. data.

95
00:07:45,600 --> 00:07:51,750
So what I showed you here is just an example of how you would upload files if you had nobody permissions.