1 00:00:00,150 --> 00:00:05,150 OK, so the next vulnerability that we're going to go over is local and remote file inclusion.
2 00:00:05,730 --> 00:00:11,220 So sometimes in the URL, for certain pages, you might see something like page equals or file equals
3 00:00:11,460 --> 00:00:12,810 appended to the end of it.
4 00:00:12,990 --> 00:00:19,970 So if this exists, you might be able to conduct a directory traversal or file inclusion on that site.
5 00:00:20,790 --> 00:00:26,610 So if the application is actually vulnerable to this, then you should be able to change any file on
6 00:00:26,610 --> 00:00:32,610 the host, like change the file to any file on the whole system and actually have that show as
7 00:00:32,610 --> 00:00:33,450 output in a browser.
8 00:00:33,660 --> 00:00:38,340 So this opens the door for you to learn everything that you need to know about the system and might
9 00:00:38,340 --> 00:00:41,130 even let you execute some commands remotely.
10 00:00:41,160 --> 00:00:44,190 So let's go ahead and check out how we can do file inclusion.
11 00:00:44,430 --> 00:00:52,880 OK, so back on the Kali Linux machine, we can go over to File Inclusion in the DVWA web app.
12 00:00:53,520 --> 00:00:59,580 But before we do this, there's a change that we have to make on the Metasploitable machine that's going
13 00:00:59,580 --> 00:01:10,500 to allow us to actually do these, like, specific ones of these file inclusions, so we can just go to our
14 00:01:10,530 --> 00:01:11,850 Metasploitable machine.
15 00:01:11,850 --> 00:01:13,020 So I have it right here.
16 00:01:13,210 --> 00:01:18,160 It's a very ugly black and white interface, so we can just do a clear command really quick.
17 00:01:18,180 --> 00:01:24,310 So we're going to sudo nano the php5 php.ini.
18 00:01:24,330 --> 00:01:35,130 So it's in there, and then it's asking for the password, msfadmin, and it's going to...
19 00:01:35,130 --> 00:01:37,560 I might have typed the wrong one. msfadmin.
20 00:01:37,740 --> 00:01:38,340 There we go.
21 00:01:38,340 --> 00:01:38,760 Cool.
22 00:01:39,540 --> 00:01:48,440 So we're going to hit Control-W and then you're going to type in allow_url
23 00:01:48,450 --> 00:01:52,380 and just hit Enter, and now it's going to take us to where we need to be.
24 00:01:52,560 --> 00:02:00,270 So we want to make sure that allow_url_fopen is on and allow_url_include is on.
25 00:02:00,270 --> 00:02:02,870 And when you go to change that, it might be off, so change
26 00:02:02,880 --> 00:02:11,160 it so it's on. Then you can do a Control-O to actually save the file, Enter, and then Control-X to exit, and now
27 00:02:11,190 --> 00:02:11,940 we're good to go.
28 00:02:11,970 --> 00:02:22,150 So one last thing that we're going to need to do is just a sudo /etc/init.d/apache2 restart.
29 00:02:22,170 --> 00:02:27,770 So this is just going to restart the Apache server and allow these changes to be made.
30 00:02:27,780 --> 00:02:33,960 So these changes are going to allow us to actually, you know, take advantage of these file inclusion
31 00:02:34,170 --> 00:02:37,970 vulnerabilities, just some settings that had to be changed really quickly, manually.
32 00:02:38,460 --> 00:02:43,650 So let's go back over to the machine and actually try this local and remote file inclusion.
33 00:02:43,830 --> 00:02:50,090 OK, so first, guys, make sure that you go and set the security back to low for right now and then
34 00:02:50,100 --> 00:02:51,990 go back over to File Inclusion.
35 00:02:52,320 --> 00:03:00,690 And so it's saying to include a file, edit the page equals index.php in the URL. Here it says include.php.
36 00:03:01,320 --> 00:03:04,770 But we could just, like, change one letter on it and just see
37 00:03:04,770 --> 00:03:05,420 what's going on.
38 00:03:05,440 --> 00:03:06,720 So it's giving us errors.
39 00:03:07,440 --> 00:03:09,390 So that's pretty, pretty interesting.
40 00:03:10,080 --> 00:03:17,070 And so now we know the directory structure of the machine; we kind of know what's going on,
41 00:03:17,070 --> 00:03:20,880 what PHP file is actually being reached out to.
42 00:03:21,030 --> 00:03:24,230 So let's go back and let's check out the source code.
43 00:03:24,660 --> 00:03:30,210 So it seems like if you were to look at this, it literally just grabs whatever page is actually put
44 00:03:30,210 --> 00:03:33,400 into it and does not sanitize anything.
45 00:03:33,600 --> 00:03:39,450 So one thing that we might be able to do is a directory traversal outside, so.
46 00:03:41,530 --> 00:03:48,340 What we can do is, like before, we changed that and it caused an error, and we found out, like, the directory
47 00:03:48,340 --> 00:03:52,790 structure, so let's try this again and kind of see, like, where stuff is going on.
48 00:03:52,790 --> 00:03:59,810 And so it seems like right now we're over in this vulnerabilities directory.
49 00:04:00,130 --> 00:04:07,240 So what we're going to want to do, actually, is this fi directory.
50 00:04:07,240 --> 00:04:08,060 You kind of can't see it.
51 00:04:08,800 --> 00:04:11,770 So what we're going to want to do is actually try to back out.
52 00:04:11,950 --> 00:04:17,950 So if you remember back to our Linux fundamentals, if you do dot dot, for example, it allows you
53 00:04:17,950 --> 00:04:20,170 to, you know, back out a directory.
54 00:04:20,470 --> 00:04:32,200 So what we can do is actually, like, back out in the URL and actually go to whatever part of the system
55 00:04:32,200 --> 00:04:36,380 that we want to actually read the file and include it as output.
56 00:04:36,550 --> 00:04:38,860 So let's actually try that really quickly.
57 00:04:39,080 --> 00:04:40,510 So let's say page equals.
58 00:04:40,660 --> 00:04:48,340 So let's say we need to go back, like, five directories: dot dot slash, dot dot slash, dot dot slash, dot dot slash, dot dot slash,
59 00:04:48,670 --> 00:04:52,630 and let's put etc slash shadow or etc slash passwd.
60 00:04:52,630 --> 00:04:57,330 Sorry, that didn't work; my antivirus blocked it.
61 00:04:57,340 --> 00:04:57,760 Great.
62 00:04:59,110 --> 00:05:03,290 So I need to get off of that bridged connection.
63 00:05:03,310 --> 00:05:03,790 There we go.
64 00:05:04,090 --> 00:05:05,900 So let's try this one more time.
65 00:05:06,340 --> 00:05:07,450 OK, so.
66 00:05:08,410 --> 00:05:12,730 Now, so, yeah, make sure that you're not on the bridged adapter if you have antivirus; make sure you're on
67 00:05:12,730 --> 00:05:17,710 the host-only adapter. I was on the one that bridges it with my host.
68 00:05:18,010 --> 00:05:24,190 So as you can see, it included the shadow, or the passwd... the password file.
69 00:05:24,310 --> 00:05:29,620 So now we know the usernames and maybe some hashes and stuff like that, some good information that we
70 00:05:29,620 --> 00:05:29,950 can get.
71 00:05:29,950 --> 00:05:33,820 Like, if you want to, like, print out, like, the shadow file or something, we can do, like, the hashes.
72 00:05:34,390 --> 00:05:35,740 So it's pretty neat.
73 00:05:35,740 --> 00:05:37,190 So it printed all that out.
74 00:05:37,210 --> 00:05:43,480 So now we know that we can use this directory traversal and actually, you know, view, like, you
75 00:05:43,480 --> 00:05:47,380 know, any file pretty much on this system that this user is going to have access to.
76 00:05:47,680 --> 00:05:52,530 OK, so we did the local file inclusion, and now let's try remote file inclusion.
77 00:05:52,720 --> 00:06:00,760 So it actually gives us the capability... it's vulnerable to actually allow us to load any remote file,
78 00:06:01,420 --> 00:06:02,440 you know, into the system.
79 00:06:02,470 --> 00:06:10,060 So what we're going to do is actually load something from our machine in the URL and it's going to display,
80 00:06:10,060 --> 00:06:11,750 you know, on the page. First,
81 00:06:11,750 --> 00:06:15,190 to do that, we have to be hosting, you know, a web server.
82 00:06:15,850 --> 00:06:19,300 So we're going to go back over to our Kali Linux host.
83 00:06:19,810 --> 00:06:24,720 And one of the first things that we're going to do, so I have a folder.
84 00:06:24,760 --> 00:06:30,640 So if I were to... I have a file in the html folder.
85 00:06:31,090 --> 00:06:32,980 So, cat, so let's do that.
86 00:06:32,990 --> 00:06:33,810 So, hacked.txt.
87 00:06:34,360 --> 00:06:36,990 I put that into the directory for the Apache server.
88 00:06:37,300 --> 00:06:43,330 So if I were to just do a sudo service apache2 start.
89 00:06:45,390 --> 00:06:50,650 And it's asking for a password... I might have typed it wrong.
90 00:06:50,670 --> 00:06:51,320 OK, now we're good.
91 00:06:51,390 --> 00:06:53,140 OK, so Apache's now started.
92 00:06:53,460 --> 00:07:08,430 So if I were to go in my browser to, see, localhost... see, maximize, go to localhost slash hacked
93 00:07:08,430 --> 00:07:09,390 dot txt.
94 00:07:09,810 --> 00:07:10,970 So I pull this up.
95 00:07:10,980 --> 00:07:11,870 You got hacked.
96 00:07:12,360 --> 00:07:16,520 So we're going to make this web application load that file.
97 00:07:16,830 --> 00:07:20,690 And the way that we're going to do that is simply just putting the directory to us.
98 00:07:20,720 --> 00:07:33,270 http colon forward slash forward slash 192.168.56.107 slash hacked
99 00:07:33,360 --> 00:07:38,700 dot txt, and see, as you can see, it output it onto the page.
100 00:07:38,700 --> 00:07:46,800 So now we know that we can remotely include files, you know, into requests from this web application.
101 00:07:46,800 --> 00:07:51,930 So that opens the door for a lot of different things and a lot of malicious activity to actually be
102 00:07:51,930 --> 00:07:53,790 able to, you know, take place.
103 00:07:53,820 --> 00:08:00,660 So now let's actually bump up the difficulty a little bit and set it to medium.
104 00:08:00,670 --> 00:08:03,000 So let's try the medium... submit.
105 00:08:03,150 --> 00:08:05,100 Let's go back to File Inclusion.
106 00:08:05,310 --> 00:08:11,040 OK, so we're at the File Inclusion page, so let's look at the source code and see what's going on,
107 00:08:11,040 --> 00:08:12,110 and it's different this time.
108 00:08:12,120 --> 00:08:13,350 So it's not just one line now.
109 00:08:13,500 --> 00:08:22,500 So it takes the page that we give it, and it says it's replacing http colon forward slash forward slash with, like,
110 00:08:22,500 --> 00:08:23,400 a blank string.
111 00:08:24,510 --> 00:08:34,170 So if we understand kind of like what the str_replace function for PHP does, it verbatim changes it: if
112 00:08:34,170 --> 00:08:42,540 it finds http colon forward slash forward slash, it will replace it with this, or if it sees https colon forward slash
113 00:08:42,540 --> 00:08:44,610 forward slash, it will replace it with a blank string.
114 00:08:45,900 --> 00:08:50,030 So that will ultimately make it so we cannot load our file.
115 00:08:50,340 --> 00:08:56,730 So one thing that we can do, though, is, we know that it verbatim actually does that exactly, so we can
116 00:08:56,730 --> 00:09:03,820 just change the case of the http, so we can maybe make the H capital or the T capital and see what happens.
117 00:09:04,170 --> 00:09:06,920 So let's actually try it first.
118 00:09:06,930 --> 00:09:10,170 So let's do a http.
119 00:09:11,340 --> 00:09:12,790 Let's try it first without it.
120 00:09:12,810 --> 00:09:13,710 So this is normal.
121 00:09:13,920 --> 00:09:23,290 So 192.168.56.107 slash hacked dot txt; copy this and paste it in again.
122 00:09:24,570 --> 00:09:26,860 So now it's actually not working.
123 00:09:27,150 --> 00:09:31,860 So what we can do is actually, like I said, it verbatim copies.
124 00:09:32,360 --> 00:09:38,190 It verbatim looks for http colon forward slash forward slash and removes that and puts a blank string there.
125 00:09:38,200 --> 00:09:42,440 So let's actually just put a capital T and let's see what happens.
126 00:09:43,170 --> 00:09:45,460 And now it says you got hacked.
127 00:09:45,490 --> 00:09:50,560 So now you know, if you were to see that str_replace function, or if you were to see that, you know,
128 00:09:50,640 --> 00:09:55,440 it was actually getting replaced with, like, a blank string, maybe you can try this; maybe it's not actually
129 00:09:55,440 --> 00:10:00,110 looking for every, you know, iteration of, you know, how you can actually put it.
130 00:10:00,850 --> 00:10:08,070 And this is a very common way that people are able to bypass, you know, these security controls for,
131 00:10:08,340 --> 00:10:12,360 you know, file inclusion, especially in remote file inclusion, because that's dangerous.