1
00:00:00,060 --> 00:00:05,190
So the next vulnerability that we're going to take advantage of is command injection, so command

2
00:00:05,190 --> 00:00:11,280
injection pretty much involves exploiting a vulnerability that allows, you know, the execution of

3
00:00:11,280 --> 00:00:12,940
commands into a system.

4
00:00:12,960 --> 00:00:14,480
So this one is big.

5
00:00:14,790 --> 00:00:22,740
So taking advantage of this type of vulnerability is usually possible when user input is taken, is not

6
00:00:22,740 --> 00:00:29,160
sanitized, and then is passed into a command that's actually sent to the system's command line

7
00:00:29,160 --> 00:00:29,730
interface.

8
00:00:30,270 --> 00:00:33,870
So let's actually go ahead and try this out with the DVWA web app.

9
00:00:34,260 --> 00:00:38,930
OK, so back in our Kali machine, let's click on command execution.

10
00:00:39,660 --> 00:00:40,870
So this loads up so.

11
00:00:40,900 --> 00:00:42,870
OK, so this is ping for free.

12
00:00:43,320 --> 00:00:48,030
So enter an IP address below, and this is a button and it is a text box.

13
00:00:48,360 --> 00:00:53,540
So let's check out, see this, view the source.

14
00:00:54,450 --> 00:01:02,410
So the code on the back end is doing a POST request and then Isbel is taking it.

15
00:01:02,430 --> 00:01:03,410
So let's see.

16
00:01:03,420 --> 00:01:09,420
Did you do it's running a shell and is running ping and then the target, which is what we passed in

17
00:01:09,630 --> 00:01:10,890
as IP.

18
00:01:11,790 --> 00:01:13,460
So that's pretty useful.

19
00:01:13,470 --> 00:01:19,640
So it doesn't look like it's doing anything to prevent us from putting another command in after.

20
00:01:20,520 --> 00:01:27,480
So what we know now is we can potentially use this.

21
00:01:27,480 --> 00:01:29,910
So let's try, like, I already have some things.

22
00:01:29,930 --> 00:01:31,470
And so one, two, seven.

23
00:01:32,910 --> 00:01:42,810
Zero, zero, zero, one, let's see, now it's executing the command and hey, did it ping? So it pinged localhost,

24
00:01:43,530 --> 00:01:49,610
went through these three pings and gives you the information like you would see, you know, in the

25
00:01:49,620 --> 00:01:50,010
command.

26
00:01:50,670 --> 00:01:55,290
So we know, honestly, we know that this is running on Linux.

27
00:01:55,470 --> 00:01:57,480
So this is the Metasploitable machine.

28
00:01:57,480 --> 00:02:01,320
And you probably would have found out that this is Linux anyway from your reconnaissance.

29
00:02:01,650 --> 00:02:09,870
So knowing that, and that it is not sanitizing input, if you think back to Linux fundamentals that we went

30
00:02:09,870 --> 00:02:15,440
over in one of the earlier sections, we know that we could chain commands together in multiple ways.

31
00:02:15,690 --> 00:02:19,650
So one way we can do it is with the ampersand, so we can try the same command.

32
00:02:19,690 --> 00:02:27,810
So one two seven zero zero one and then we can put it in and maybe, like, we try and see what happens.

33
00:02:27,870 --> 00:02:30,690
So now we see that it's still executing it.

34
00:02:30,700 --> 00:02:31,530
So it went through.

35
00:02:31,530 --> 00:02:38,580
And actually, you can see right here is that it actually says, hey, the current user is

36
00:02:38,580 --> 00:02:39,320
www-data.

37
00:02:39,330 --> 00:02:47,910
So now we know that we can actually inject commands, put commands into this ping tool and actually have

38
00:02:47,910 --> 00:02:48,780
them executed.

39
00:02:48,780 --> 00:02:53,580
Another way that we can do it is one two seven zero zero one.

40
00:02:53,850 --> 00:02:58,140
And we could do the vertical bar, the pipe, that's just doing my.

41
00:02:59,660 --> 00:03:01,670
I don't know if I hit the slash before enter.

42
00:03:01,790 --> 00:03:02,340
There we go.

43
00:03:02,630 --> 00:03:09,110
So it does the ping command with this one and then it executes this command and that's all that it gives us

44
00:03:09,110 --> 00:03:09,400
back.

45
00:03:09,410 --> 00:03:10,510
So it's pretty neat.

46
00:03:11,030 --> 00:03:16,280
We can execute any series of commands that we would like, maybe escalate our privileges, all kinds

47
00:03:16,280 --> 00:03:17,570
of different stuff that we can do.

48
00:03:17,870 --> 00:03:19,610
So pretty useful.

49
00:03:20,210 --> 00:03:20,990
Pretty nice too.