1
00:00:01,130 --> 00:00:04,010
Hello, everyone, and welcome to this video.

2
00:00:04,760 --> 00:00:12,320
So in this video, we are going to see how we can increase our impact from LFI when the ability to actually

3
00:00:12,320 --> 00:00:12,620
eat.

4
00:00:13,880 --> 00:00:23,790
So we have seen earlier in the how-to-identify-LFI videos how you can successfully find out any one

5
00:00:24,110 --> 00:00:32,090
parameter under the web application and try to read the file from the server, wherein you can also execute

6
00:00:32,090 --> 00:00:32,680
the file.

7
00:00:33,380 --> 00:00:40,490
But now we are going to increase the impact and the severity for this vulnerability so that if you are

8
00:00:40,490 --> 00:00:46,570
hunting this on any bug bounty program, you can increase the reward for this vulnerability.

9
00:00:47,850 --> 00:00:56,160
All right, so I have divided this process into a few parts so that you better understand how you can

10
00:00:56,160 --> 00:01:01,470
increase the impact of an LFI vulnerability to remote code execution.

11
00:01:02,280 --> 00:01:11,260
So part one is obviously identifying the main flaw in the application, which is LFI.

12
00:01:11,760 --> 00:01:19,730
So here is a live website, which is vehicle duty dot com, wherein there lies a vulnerability of LFI.

13
00:01:20,280 --> 00:01:26,640
As you can see, I was able to load and read the /etc/passwd file from the server.

14
00:01:28,530 --> 00:01:40,860
OK, so let's move ahead. Part two: identification of /proc/self/environ. This basically

15
00:01:40,860 --> 00:01:49,460
is the process file in any Linux system, wherein I was able to read the custom user agent.

16
00:01:49,830 --> 00:01:57,710
If you look closely, the user agent = is the current request that has been sent to the server.

17
00:01:58,590 --> 00:02:07,220
If you look, the user agent is Mozilla and my computer's user agent, which is Macintosh, Intel,

18
00:02:07,350 --> 00:02:07,930
Mac.

19
00:02:08,280 --> 00:02:17,230
So I came to know that my custom user agent gets saved into the /proc/self/environ environment variable.

20
00:02:17,790 --> 00:02:25,670
What if instead of this, I tried to send a custom user agent, because it is under my control?

21
00:02:26,460 --> 00:02:34,020
So part three: writing a custom user agent and saving it into the /proc/self/environ environment.

22
00:02:34,920 --> 00:02:42,300
Now, if you look closely over here, I have written a PHP shell code here.

23
00:02:42,870 --> 00:02:50,760
I have base64 encoded the shell code just so that the server does not detect if a shell is coming.

24
00:02:51,390 --> 00:02:57,730
And you can see I am writing a file and the filename is RCE by LFI dot PHP.

25
00:02:58,080 --> 00:03:02,020
So this simple reverse shell is getting uploaded.

26
00:03:03,480 --> 00:03:07,590
So the simple PHP shell is getting uploaded to the server.

27
00:03:07,890 --> 00:03:16,230
And when I go for this request, I'm able to see a 200 OK response, which basically means that

28
00:03:16,230 --> 00:03:21,870
this custom user agent of mine has successfully been saved onto the target server.

29
00:03:22,290 --> 00:03:24,040
Now it's time to verify this.

30
00:03:25,320 --> 00:03:33,660
So part five, as you can see over here, the file that I tried to write on the server was LFI

31
00:03:33,660 --> 00:03:34,690
dot txt.

32
00:03:35,130 --> 00:03:44,340
And you can see this was RCE using LFI, job done, which means I was able to successfully write a file

33
00:03:44,340 --> 00:03:45,280
onto the server.

34
00:03:46,020 --> 00:03:50,400
Also, I can execute as many commands as I want.

35
00:03:51,090 --> 00:03:53,060
So I hope you guys understood this.

36
00:03:53,430 --> 00:04:02,610
Let's jump into the practical to see more in depth how we can increase our impact for this vulnerability

37
00:04:02,610 --> 00:04:05,430
to turn from LFI to RCE.

38
00:04:07,050 --> 00:04:11,900
So as you can see over here, this is a live application, we call duty dot com.

39
00:04:12,330 --> 00:04:19,500
I have identified that there exists the LFI vulnerability, which we have already discussed, in one

40
00:04:19,500 --> 00:04:21,840
of the parameters over here.

41
00:04:22,260 --> 00:04:22,650
All right.

42
00:04:22,650 --> 00:04:30,610
So let's identify the vulnerable parameter, and the vulnerable parameter over here is B.G. =.

43
00:04:31,090 --> 00:04:38,820
Now, I'm going to put the payload into this one parameter, or the injection point, and try to see if

44
00:04:38,820 --> 00:04:41,760
I am able to exploit the LFI vulnerability.

45
00:04:42,270 --> 00:04:48,360
I will just reload the application and try to identify if I'm able to see /etc/passwd.

46
00:04:48,360 --> 00:04:48,780
Absolutely.

47
00:04:48,780 --> 00:04:49,160
Fine.

48
00:04:49,800 --> 00:04:51,840
Let's wait for this to completely load.

49
00:04:52,140 --> 00:04:54,320
And here I cannot see anything.

50
00:04:54,330 --> 00:04:59,370
So let's do again a hit and trial and move into one more part.

51
00:05:00,190 --> 00:05:02,690
Remember, this is totally hit and trial.

52
00:05:02,700 --> 00:05:06,030
You have to navigate inside and out of directories.

53
00:05:06,390 --> 00:05:07,620
So yes, it worked.

54
00:05:07,950 --> 00:05:15,960
And now I'm able to see the passwd file, which contains the users that exist on the server, which

55
00:05:15,960 --> 00:05:18,190
is running Vical dude dot com.

56
00:05:18,810 --> 00:05:19,200
All right.

57
00:05:19,210 --> 00:05:21,290
So I have the passwd file.

58
00:05:21,300 --> 00:05:24,470
Now, let's try to read another file.

59
00:05:24,630 --> 00:05:33,240
So let's say we try to read the /proc/self/environ file and let's see what interesting thing we

60
00:05:33,240 --> 00:05:35,080
can identify from there.

61
00:05:35,820 --> 00:05:42,730
So I have to write /proc/ and environ. Now, when I try to load this,

62
00:05:42,750 --> 00:05:47,400
it will not allow me to load anything, because you need to write self as well.

63
00:05:48,000 --> 00:05:52,260
Now, let's see if we are able to get any sensitive information from the server.

64
00:05:52,800 --> 00:05:53,950
All right, here we go.

65
00:05:54,330 --> 00:06:01,410
Here you can see we are able to see the processes that are being run, running, and in the last request

66
00:06:02,250 --> 00:06:08,360
that has been sent to the server, HTTP_USER_AGENT has been saved over here.

67
00:06:09,060 --> 00:06:10,470
And what is the user agent?

68
00:06:10,770 --> 00:06:15,930
This is basically the last requested user agent to the server.

69
00:06:15,930 --> 00:06:25,470
And you can see it's Mozilla 5.0, Macintosh and Mac OS X 10.15, which is basically my

70
00:06:25,470 --> 00:06:27,660
computer system's user agent.

71
00:06:28,170 --> 00:06:28,610
Perfect.

72
00:06:29,020 --> 00:06:39,060
So this means that any request that I send to the server saves my user agent, and I can control my user

73
00:06:39,060 --> 00:06:48,480
agent. That basically means I can also try to save a custom user agent or custom modified code

74
00:06:48,480 --> 00:06:49,590
into the user agent.

75
00:06:49,800 --> 00:06:50,190
All right.

76
00:06:50,190 --> 00:06:57,720
So let's do this. Let's send this request and send this to Repeater, because from here, we are

77
00:06:57,720 --> 00:06:59,890
going to use this request again and again.

78
00:07:00,450 --> 00:07:05,910
Now, let's try to read this file and we are able to successfully get a 200 OK, which means

79
00:07:05,910 --> 00:07:07,380
we are able to read this file.

80
00:07:07,960 --> 00:07:17,430
Now, as I discussed, we are going to modify the user agent, as the user agent over here is this, and this

81
00:07:17,430 --> 00:07:23,010
is exactly the same user agent that you can see on the left hand side over here.

82
00:07:24,330 --> 00:07:30,060
Now, this is getting reflected into the response, which means this is getting saved onto the target

83
00:07:30,060 --> 00:07:30,450
server.

84
00:07:31,170 --> 00:07:36,390
Now, let's control this and modify this to a PHP shell.

85
00:07:36,810 --> 00:07:44,040
So I have written a PHP shell and I have base64 encoded the shell just to bypass any filters,

86
00:07:44,040 --> 00:07:51,330
if they try to block my payload. I'll just copy this and I'm going to paste it over there into the custom

87
00:07:51,330 --> 00:07:54,310
user agent field. Before pasting it over there,

88
00:07:54,630 --> 00:07:59,940
let's do a breakdown of what exactly the shell does, as it is a PHP shell.

89
00:07:59,940 --> 00:08:06,960
It has to start with PHP, and you can see I assign a variable = I'm going to POST something.

90
00:08:07,440 --> 00:08:11,310
It is going to open a file, which is denoted by fopen.

91
00:08:11,610 --> 00:08:18,990
And you can see POST file. File basically is the name of the file that I want the data to be written

92
00:08:18,990 --> 00:08:24,120
into, and the data will get written into the file and it will get closed.

93
00:08:24,480 --> 00:08:31,640
If you look over here, file = fopen, the filename that I want to be created onto the server.

94
00:08:31,920 --> 00:08:35,660
So I have given the name as RCE by LFI dot PHP.

95
00:08:36,090 --> 00:08:39,170
So it is going to write into that file and close that file.

96
00:08:39,540 --> 00:08:45,660
The data, which you can see is base64 encoded, is going to get written into the file successfully.

97
00:08:46,200 --> 00:08:46,680
All right.

98
00:08:46,980 --> 00:08:49,930
So let's copy it and paste it over here.

99
00:08:51,090 --> 00:09:00,000
So this is the new user agent that I'm going to send to the server, which basically is a PHP shell.

100
00:09:01,110 --> 00:09:10,440
Now, let's try to send this request and verify whether we are able to save our custom user agent onto

101
00:09:10,440 --> 00:09:14,050
the server into the /proc/self/environ file.

102
00:09:14,790 --> 00:09:18,320
So I've written this and I'm going to send this now.

103
00:09:18,720 --> 00:09:22,320
So let's hit send and let's read together.

104
00:09:22,320 --> 00:09:22,860
200

105
00:09:22,860 --> 00:09:25,500
OK? So we've got a 400 Bad Request.

106
00:09:25,800 --> 00:09:31,770
Just because we messed up writing the custom user agent here, I need to write it this way.

107
00:09:32,010 --> 00:09:33,800
And again, let me send it.

108
00:09:34,260 --> 00:09:41,540
Yeah, again, it is a bad request because the data that we have pasted over here is not properly formatted.

109
00:09:42,000 --> 00:09:47,750
So let me just format it properly and remove any extra thing that has been copied by mistake.

110
00:09:48,180 --> 00:09:50,580
And now let's try to send this. Perfect.

111
00:09:51,750 --> 00:09:59,160
We have now got a successful 200 OK response, which means our file by the name RCE by LFI dot

112
00:09:59,160 --> 00:10:03,260
PHP should have been made onto the target server.

113
00:10:03,750 --> 00:10:04,850
Let's verify this.

114
00:10:05,280 --> 00:10:12,800
So for this we are going onto the server, which is very clear duty dot com, and trying to open our file.

115
00:10:13,110 --> 00:10:17,480
So let's see if we are successfully able to open our file.

116
00:10:18,120 --> 00:10:27,480
So the filename that we made was RCE by LFI dot PHP, and you can see over here the file is successfully

117
00:10:27,480 --> 00:10:28,110
created.

118
00:10:28,860 --> 00:10:29,460
Perfect.

119
00:10:29,460 --> 00:10:35,660
So let's create a new file under the target's network, and let's say we call the file LFI dot

120
00:10:35,670 --> 00:10:41,400
txt, and Righton shall go into this. Just for security reasons,

121
00:10:41,400 --> 00:10:43,770
we do not want to break anything on the server.

122
00:10:43,980 --> 00:10:46,000
I'm just writing a simple message.

123
00:10:46,020 --> 00:10:53,550
It says this was RCE using LFI, job done, and you can see it has been successfully completed.

124
00:10:53,820 --> 00:11:01,110
So after the request is fulfilled successfully, let's try to see if our shell has worked or the file

125
00:11:01,110 --> 00:11:02,040
has been created.

126
00:11:02,370 --> 00:11:08,130
So the file that we created was LFI dot txt. Try to open that file over here.

127
00:11:08,430 --> 00:11:13,680
And you can see a success message which says this was RCE using LFI, job

128
00:11:13,680 --> 00:11:22,020
done. I hope you guys understand this, how we increase the impact of LFI to RCE and how we are able

129
00:11:22,020 --> 00:11:24,020
to completely take over the server.

130
00:11:24,840 --> 00:11:27,620
This was just a demonstration where we did not

131
00:11:27,700 --> 00:11:35,170
execute any harmful code onto the server, but any attacker with malicious intentions can do a lot of

132
00:11:35,170 --> 00:11:42,100
harm to the server, including addition or deletion of files from the server, which can make it completely

133
00:11:42,100 --> 00:11:42,820
unusable.

134
00:11:43,420 --> 00:11:45,040
So I hope you guys understood this.

135
00:11:45,700 --> 00:11:50,830
This can be considered as a P1 critical vulnerability on many of the bug bounty programs.

136
00:11:51,160 --> 00:11:51,730
Thank you.