WEBVTT

00:00.780 --> 00:03.150
Hello everyone and welcome back to possibility of my land.

00:03.150 --> 00:10.050
Ethical Hacking course. In this part we're going to look at code execution vulnerabilities, so open up

00:10.050 --> 00:14.260
your Kali Linux machine and also open up your Metasploitable 2 server.

00:14.560 --> 00:17.580
Now let me just reboot this. There we go.

00:17.650 --> 00:25.410
Type ifconfig on your Metasploitable server, copy the IP address and go back

00:25.410 --> 00:26.920
to the Kali machine and connect to it.

00:27.520 --> 00:32.190
So like in the previous video where we connected to it, just type the IP address of your Metasploitable machine

00:33.740 --> 00:38.340
and you should see something like this, then go on DVWA and log in.

00:38.340 --> 00:42.610
So it's admin for the username and password for the password.

00:43.020 --> 00:48.590
So then we need to go to security and change it from high to low, because we're still on low.

00:48.600 --> 00:54.430
Like I said, once we progress throughout this course we'll change it to medium and then high.

00:54.540 --> 01:03.240
Go to command execution and this is what we're going to try and pentest. Now, this is a vulnerable

01:03.240 --> 01:07.460
web app so it already has the vulnerabilities within it.

01:07.890 --> 01:13.920
But typically some websites might have something like this; some genuine websites out there may have

01:13.920 --> 01:21.120
a feature like this, so it may not be ping an IP address, but it could be look up

01:21.120 --> 01:25.520
an IP address or find the IP address of a website.

01:27.240 --> 01:32.510
So if we open up a terminal window, now I'm using Terminator.

01:32.550 --> 01:42.330
You can use terminal, and if you type ping and then type an IP address, or in fact you can type

01:42.330 --> 01:44.260
in a website URL.

01:44.280 --> 01:49.870
So I'm going to type facebook.com, click enter, and as you can see it pings.

01:50.310 --> 01:54.990
So essentially what it's doing is it's just pinging the server to make sure it's live, and if it gets

01:54.990 --> 02:02.020
a connection back, a signal back, then it basically receives a packet as you can see here.

02:02.330 --> 02:04.600
This is the IP address of Facebook's server.

02:04.610 --> 02:09.040
This might be different for you because it depends on your location in the world.

02:09.080 --> 02:10.750
This is the closest one to me.

02:11.980 --> 02:16.310
So that's why it's 31.13.19.38 for me.

02:16.540 --> 02:25.440
But essentially the server's live, Facebook is live, so it's online, but that is essentially

02:25.440 --> 02:30.780
what this web application is doing: it's executing terminal commands.

02:30.780 --> 02:37.440
So if we type an IP address in now. It says enter an IP address, so we're not going to enter a website, because

02:37.440 --> 02:44.400
when you're using websites, essentially a DNS, domain name services, is what translates an IP address into

02:44.460 --> 02:50.700
a URL that is readable, like facebook.com, because without it you would have to remember the IP addresses

02:50.700 --> 02:53.610
of every single different website.

02:53.670 --> 02:57.310
It would get annoying because you know you can't just type in the name.

02:57.320 --> 02:59.400
But anyway let's just enter an IP address.

02:59.400 --> 03:06.010
Now I'm going to enter an IP address, that is the IP address of my Kali machine. You can enter any IP address

03:06.010 --> 03:11.760
you want, but I'm just going to add mine, so I'm going to type ifconfig and just copy my

03:11.760 --> 03:16.080
IP address and paste it right in there and then click submit

03:19.290 --> 03:19.950
and there we go.

03:19.950 --> 03:25.680
So it executed the command. It looks normal; it pinged. It doesn't matter exactly what it says,

03:25.680 --> 03:26.790
it will do.

03:27.270 --> 03:34.230
And we've got packets received, so it pings it three times to make sure it's live, which my computer is,

03:35.190 --> 03:36.870
and then it receives the packets.

03:36.870 --> 03:43.050
So yeah, it works, the web application's fine, but there is a major vulnerability within this.

03:43.140 --> 03:49.940
So when I talk about shells, and I'm going to be talking about them quite often now, a shell with a web

03:49.940 --> 03:51.560
site or a server.

03:51.900 --> 03:55.370
Think of it like gaining access to the directory.

03:55.470 --> 04:04.290
So if you're a developer or a worker on a massive server, for example even a Google employee, for

04:04.290 --> 04:07.830
example, you could use SSH.

04:07.920 --> 04:11.650
Now that's very secure because it has your own private keys.

04:12.060 --> 04:14.760
If you've used GitHub before then you should be familiar with it.

04:14.760 --> 04:22.440
If you've been employed to work on a project then you'll all use SSH to connect to the

04:22.470 --> 04:26.950
directory of the project and then you can all make changes to it.

04:27.090 --> 04:33.580
And SSH is just a gateway to being able to connect to that project.

04:33.600 --> 04:38.160
Think of it like a way of accessing the files.

04:38.160 --> 04:43.270
So a shell, you've probably used them before.

04:43.350 --> 04:45.640
The best one like I said is GitHub, we're going to have a look.

04:45.670 --> 04:53.390
GitHub by the way is just a website where you can upload code, and there is SSH on there.

04:53.520 --> 05:00.030
We can use something called a reverse shell, which is basically the opposite of a shell.

05:00.030 --> 05:04.600
Think of the shell: we are trying to connect to or gain access to the server.

05:04.650 --> 05:09.780
Once that shell has been created and connected successfully then we have access, but a reverse shell

05:09.780 --> 05:15.300
is basically listening for a connection and telling the server to connect to our attacking computer

05:16.290 --> 05:20.640
whereas the shell is just a server listening for a connection from our computer.

05:20.640 --> 05:25.620
That's why shells are so dangerous because if the server does connect to our listening computer then

05:25.620 --> 05:31.640
we have access to the directory of the server.

05:31.650 --> 05:35.400
So let's start off with a basic command.

05:35.460 --> 05:41.620
So if you type pwd, as you can see, that tells us where we currently are in the directory, or in the terminal.

05:41.700 --> 05:45.150
So in the root directory, so if I type ls that's exactly where we are.

05:46.140 --> 05:49.770
But let's go back to this command.

05:50.160 --> 05:57.840
This web app: type in your IP address again, this time at the end of the IP address add a semicolon, then

05:57.840 --> 06:02.440
put a space and then type pwd, which I've just shown you.

06:02.490 --> 06:10.820
And if you click submit you can see it pings the IP address again, which it should do, but then it also executes

06:10.820 --> 06:12.590
the pwd command.

06:12.590 --> 06:13.700
So if you can see here.

06:13.700 --> 06:24.310
/var/www/dvwa/vulnerabilities and then exec, so that's currently where this is

06:24.310 --> 06:33.310
stored, and that's correct because if you look up here you can see dvwa/vulnerabilities/exec.

06:33.400 --> 06:37.690
So we know that commands work because it says it right up there, and we already know where we are in this directory.

06:38.570 --> 06:42.900
But this is where we can create more of a shell, because it actually executes commands.

06:42.940 --> 06:49.170
So the server is reading these two separate commands and it's executing the first one, which is ping the

06:49.170 --> 06:54.310
IP address, which it does, and then it's also executed the pwd, but this is where we can actually put

06:54.310 --> 06:55.660
our reverse shell into this.

06:56.230 --> 07:01.360
So if you go to the link in the description for my website you can get this text file, and essentially

07:01.360 --> 07:07.240
these are all reverse shells you can all use; you can use each one of these when pen testing a server.

07:07.300 --> 07:12.700
So if you're employed to pen test them, then you can find out what the server is running, so if it's

07:12.700 --> 07:19.880
Linux then you could use bash, you can use Perl, Python, PHP or Ruby, it doesn't really matter.

07:19.880 --> 07:30.960
So typically Linux systems like Kali Linux, or just Linux itself, or Fedora, they typically use bash. Python's

07:31.000 --> 07:33.070
also used on most servers.

07:33.070 --> 07:37.350
PHP, I know Facebook uses PHP, but not so much.

07:38.130 --> 07:41.590
Not many different websites use PHP anymore.

07:41.590 --> 07:44.650
There's also Ruby which has gotten quite popular.

07:44.980 --> 07:46.050
And then there's netcat,

07:48.650 --> 07:53.380
so what we're going to use is, now netcat is quite popular as well.

07:53.390 --> 07:59.780
So we're going to use netcat for this example. Open up a terminal window.

08:00.000 --> 08:02.420
I'm just going to type clear to get rid of all that.

08:02.670 --> 08:07.710
I'm going to actually just listen out for a connection now, because remember, in a reverse shell

08:08.250 --> 08:12.970
it's always listening for a connection from the server and not the other way round.

08:13.080 --> 08:15.620
So we're going to listen for a connection using netcat.

08:15.630 --> 08:21.360
Now I think that this is like using Metasploit, when you listen for a connection, when you type

08:21.420 --> 08:28.010
exploit. Say you use a payload of reverse TCP and you type exploit and listen for a connection.

08:28.290 --> 08:33.930
That is what we're essentially doing here, but we're going to use netcat instead.

08:33.930 --> 08:41.450
So always use netcat when using these reverse shells, because if you use Metasploit then

08:41.460 --> 08:45.010
you have to use the specific payload and, say, use the bash script.

08:45.180 --> 08:54.170
So you create a bash script, save this script inside of it, and then create the Metasploit listener

08:54.170 --> 08:55.090
for connection.

08:55.100 --> 09:05.560
The only problem with that is that the file will then have to be executed on the server, and obviously

09:05.560 --> 09:06.880
you can't do that remotely.

09:08.710 --> 09:13.960
So we're going to look at ways around that sort of thing later on in the course when it gets

09:13.960 --> 09:21.570
a little bit more complicated, but for now we're just going to use a simple netcat script.

09:21.760 --> 09:31.090
So type nc for netcat, then -vv for output, then -l, -p for the port.

09:31.090 --> 09:33.660
So we'll listen on port 88.

09:33.940 --> 09:37.340
Click enter and as you can see it says listening on [any] 88.

09:38.380 --> 09:42.880
So it's listening for a connection back from the server, and because we know we can execute commands

09:42.880 --> 09:44.440
on this.

09:44.590 --> 09:49.720
What we can do is, if we just open this text document, though like I said the link in the description

09:50.200 --> 09:56.550
for this, just click on it and download it or copy it into a new text document.

09:56.590 --> 10:05.890
I want to copy this and paste this here, gonna remove all of this and then type the IP address in. Apologies,

10:05.890 --> 10:10.210
I want to remove that because that's an IP address of an old device I've still got on this.

10:10.230 --> 10:11.790
So remove that.

10:11.790 --> 10:16.290
Basically what it says is IP of attacking machine, that's the IP address of your Kali machine, there we

10:16.290 --> 10:16.590
go.

10:16.590 --> 10:18.030
So I'm just going to type it here.

10:18.270 --> 10:19.810
So it's 1 9 2 1 6.

10:19.810 --> 10:22.650
I don't want to end up 1 2 way to believe.

10:22.650 --> 10:23.960
Let me just check.

10:24.000 --> 10:26.220
I've already forgot the IP address of this.

10:26.250 --> 10:28.120
I know that many different IP addresses.

10:28.130 --> 10:29.090
I completely forgot.

10:29.100 --> 10:35.470
0 1 3 1 so 1 3 1 There we go.

10:35.600 --> 10:42.940
So essentially what we're doing here is we're executing this reverse shell to make the server listen out

10:42.950 --> 10:44.270
for connection.

10:44.270 --> 10:45.680
Sorry, not listening for a connection.

10:45.680 --> 10:52.160
Try to make a connection with our computer that's listening for a connection, but we can't just add this

10:52.160 --> 10:55.120
in and click submit because we need to enter an IP address.

10:55.640 --> 10:59.630
So we need to just enter an IP address. Now I'm going to enter the same IP address; it could actually be

10:59.630 --> 11:00.920
any IP address here.

11:01.370 --> 11:06.250
But just for the sake of it I'm just going to add ours, or mine.

11:06.620 --> 11:08.980
This is the IP of the Kali machine as well.

11:08.990 --> 11:12.020
And then I'm going to type a semicolon.

11:13.400 --> 11:16.570
So now it's going to execute this command and then also

11:16.690 --> 11:18.750
our shell.

11:18.830 --> 11:23.010
So if I click submit and look at our terminal, it's listening for a connection, there we go.

11:23.270 --> 11:25.970
We got "connect to ... from unknown".

11:26.270 --> 11:29.860
Now it doesn't say anything else and it just starts blinking.

11:30.110 --> 11:32.850
The cursor starts blinking.

11:33.020 --> 11:38.240
So it looks like there's still nothing, even though it says we've got a connection. Our shell

11:39.220 --> 11:40.790
is connected and we can type commands.

11:40.790 --> 11:52.160
So pwd, as you can see we're inside the directory, we can go back to /var/www/dvwa, ls.

11:52.330 --> 11:52.970
And there we go.

11:52.970 --> 11:54.890
So now we're back to our index page.

11:54.900 --> 11:56.500
We've got full access to the website.

11:56.510 --> 12:08.420
We can upload files or delete them. Type help, we can find out some commands, so you can upload files.

12:08.420 --> 12:10.340
Let's try and find something.

12:13.570 --> 12:19.550
So there's the pwd there anyway, and that's what we used to test it.

12:20.460 --> 12:24.010
All the commands or the useful ones will be in the description

12:26.730 --> 12:28.530
but essentially we've got access here.

12:28.650 --> 12:30.180
So we're on Linux.

12:31.440 --> 12:32.860
And basically that's it.

12:32.910 --> 12:36.600
So we've used our reverse shell, we've got access to the server.

12:36.600 --> 12:42.060
We can do whatever we like, and there's some extra commands here.

12:42.060 --> 12:43.460
Let's have a look.

12:43.500 --> 12:44.790
There's kill, we can kill.

12:44.840 --> 12:47.250
These are just basically bash commands.

12:47.460 --> 12:49.080
But like I said they'll be in the description.

12:49.410 --> 12:50.630
So I think we'll leave it there.

12:50.630 --> 12:54.210
I don't want to go on too long for this video but that's the general idea.

12:54.260 --> 13:00.080
Hopefully you understand a little bit more of what a shell is now. And I forgot to mention, with

13:00.080 --> 13:05.000
these you can use any one of these with netcat.

13:05.000 --> 13:11.960
So when you type nc and listen for a connection from a server using netcat, which is this, it's just a

13:11.960 --> 13:13.940
short version of netcat, nc.

13:14.480 --> 13:19.970
But you can use any one of these depending on what the server is using.

13:19.970 --> 13:27.820
So if you think back to when we started this web app pen testing and we looked at technologies used, and

13:27.830 --> 13:33.050
we looked at my website, it used PHP, so obviously then we would look at pen testing with the PHP

13:33.070 --> 13:37.780
script, so hopefully you get the idea of what you can do with this course.

13:37.990 --> 13:40.720
I'm going to leave this video here.

13:40.720 --> 13:44.750
Just remember that you can use any one of these with netcat.

13:44.770 --> 13:48.350
And this here is separate from this.

13:48.370 --> 13:55.770
So this command here, I'm going to add this to the script as well and I'm going to put "to listen for

13:55.780 --> 13:57.110
connection".

13:58.180 --> 13:59.940
Use that.

14:00.910 --> 14:05.740
So you can change the port but leave everything else the same.

14:05.740 --> 14:07.550
This is just using netcat.

14:07.700 --> 14:11.920
And this is also a netcat reverse shell.

14:12.010 --> 14:17.970
This is a Ruby reverse shell, PHP, so I could have used that for example and copied and pasted that in.

14:18.310 --> 14:24.910
I just want to mention that because I don't want any confusion because when I first learned that I thought

14:24.910 --> 14:29.560
you could only use the netcat one with the netcat listening, but you can. Say if I executed it, that would

14:29.560 --> 14:32.870
also get a connection but you got the idea.

14:32.950 --> 14:34.500
So I'm going to leave it there.

14:34.810 --> 14:39.250
If this video did help please leave a like, comment if you're stuck with anything, I'll be happy to help, subscribe

14:39.340 --> 14:42.280
for future content and I will see you all in the next video.
