WEBVTT

00:00.880 --> 00:04.420
Chapter 7 practical examples of remote attacks

00:08.330 --> 00:14.610
The unauthorized reproduction, in whole or in part, of this publication in any form is prohibited.

00:36.040 --> 00:41.150
We will now copy the required files to the hard disk using the disk enclosed with the set.

00:51.300 --> 00:57.240
If we do not have binary versions of the programs used, we will now compile and install them in the system.

01:47.060 --> 01:48.800
To start the compilation process,

01:48.800 --> 02:43.160
we give the make command.

02:43.390 --> 02:46.700
Finally, we install the nmap program on the hard disk.

03:16.240 --> 03:31.150
We compile and install the netcat application.

03:31.330 --> 03:40.000
We use the scanner to check the services available on the victim computer. Now we will verify the versions

03:40.000 --> 03:46.320
of the services made available by the server analyzing greeting messages on the specific ports.

04:15.910 --> 04:21.520
As we have an account on the server being investigated, we can check the configuration of the Apache

04:21.520 --> 04:24.720
server and the possibility of exploiting security holes.

05:07.730 --> 05:15.700
As we can see, it's possible to execute system requests through the script.

05:15.710 --> 05:24.910
We will now check the content of the WWW service on the server we are investigating.

05:25.050 --> 05:30.390
It is the phpBB forum, version 2.0.8.

05:30.540 --> 05:34.950
Let's search the internet to find out about the potential errors in the software.

06:03.780 --> 06:07.840
We did it by manipulating the value of the highlight parameter.

06:07.920 --> 06:24.830
It is possible to execute our own request.

06:24.840 --> 06:31.040
Now let's try to create our own exploit using the error in phpBB for this purpose.

06:31.050 --> 06:35.450
We will now familiarize ourselves with the basic instructions for the Python language.

07:11.700 --> 07:17.730
Python commands can also be run outside interactive mode by creating a file that contains a request

07:17.730 --> 07:18.120
set.

07:46.890 --> 07:50.010
Python also allows us to use external libraries.

07:50.010 --> 07:52.670
For instance, ftplib.

08:45.090 --> 08:51.570
As we can see, we can easily perform operations connected to the connection without worrying about technical

08:51.570 --> 08:52.620
details.

09:04.130 --> 09:11.820
The urllib library helps us take advantage of the error. Using it, we can easily generate queries

09:11.970 --> 09:13.980
to the httpd server.

10:50.790 --> 10:52.650
After preparing a query,

10:52.740 --> 10:56.530
we start the connection and read the information returned by the server.

11:11.910 --> 11:18.000
The content of interest to us will be located between the start and stop tags. Only this content will

11:18.000 --> 11:19.640
be shown on screen.

12:07.830 --> 12:10.910
We did it. Our request has been executed by the server.

12:18.690 --> 12:23.960
Now let's try to use the final version of the exploit created. It should work equally well.

12:36.640 --> 12:38.770
Everything went according to plan.

12:38.770 --> 13:10.060
Now let's use the netcat program to create an independent connection with the server.

13:10.270 --> 13:16.070
The connection has been made correctly. The system kernel is version 2.4.20.

13:16.210 --> 13:18.850
Let's find out if it contains any errors.

13:44.270 --> 13:44.760
Voila.

13:44.780 --> 13:47.290
This version of the kernel contains a serious error.

13:47.330 --> 13:53.490
The local use of which can raise the privileges of a normal user. Let's search,

13:53.490 --> 13:57.090
therefore, for a file with the exploit and put it to use.

14:47.950 --> 14:56.400
After compiling successfully, it is time to start up the exploit.

14:56.440 --> 15:02.280
We did it, thanks to the use of the technique of injecting PHP code and the exploit.

15:02.380 --> 15:06.610
We obtained full access to the system by granting ourselves administrator rights.
