1
00:00:07,320 --> 00:00:16,310
All right, in the last lecture we got httpx working, and it is an excellent way of probing domains

2
00:00:16,320 --> 00:00:18,470
and subdomains to see which ones are valid.

3
00:00:19,020 --> 00:00:25,830
And now we're going to go with gowitness, also written in Go. Go is just a very fast language.

4
00:00:26,340 --> 00:00:32,400
And if you scroll down, you'll notice that it doesn't really give you a lot of help when it comes to

5
00:00:32,400 --> 00:00:36,270
installing this, like if you go here, the documentation.

6
00:00:36,310 --> 00:00:37,560
That's actually what we're going to do.

7
00:00:38,280 --> 00:00:44,990
So we can go to the wiki here, where we can go to the top and click wiki, scroll down, quick installation.

8
00:00:46,530 --> 00:00:51,930
And it says if you have the go binary in your path, which we do, we can just run this.

9
00:00:52,830 --> 00:00:53,520
So let's do that.

10
00:00:57,170 --> 00:00:57,880
Give it a shot.

11
00:00:59,960 --> 00:01:05,090
All right, so now we should have gowitness, and we do. Very, very cool.

12
00:01:05,540 --> 00:01:13,040
So again, I'm going to create two panes. The top is going to contain the instructions, and in the bottom we will

13
00:01:13,040 --> 00:01:14,300
build out our command.

14
00:01:15,170 --> 00:01:24,110
So first we're going to run, you know, gowitness, and we want to take the URLs sourced from a file.

15
00:01:24,750 --> 00:01:27,650
We'll say, well, let's go here.

16
00:01:30,320 --> 00:01:38,330
file -h, and then we get more options. With the file we need -f, and then we can put the file

17
00:01:38,330 --> 00:01:40,730
containing the URLs, right.

18
00:01:41,680 --> 00:01:46,210
And then we can also use a number of threads to use and a few other things that we can do, and you

19
00:01:46,210 --> 00:01:49,090
can see here, using this user agent string right here.

20
00:01:49,840 --> 00:01:54,380
So what we could do is we could do -f paypal.
21
00:01:55,030 --> 00:01:56,490
And let me show you what I'm doing with the file.

22
00:01:56,770 --> 00:01:58,910
So I'm going to go back to httpx.

23
00:01:58,930 --> 00:02:02,230
I ran another httpx scan. In this one

24
00:02:03,550 --> 00:02:09,240
we used a combined file, and this time I'm using the silent flag so that we're only getting the domains,

25
00:02:10,060 --> 00:02:10,430
OK.

26
00:02:10,480 --> 00:02:14,880
And I bumped up the thread count to 200, and I'm leaving it in a file called paypal_httpx.

27
00:02:16,090 --> 00:02:17,800
So you just get a lot cleaner output.

28
00:02:17,810 --> 00:02:20,830
That's perfect for the input into gowitness.

29
00:02:23,320 --> 00:02:25,570
OK, so now that we've got that file,

30
00:02:29,160 --> 00:02:33,970
which you can see is about eight thousand bytes, which is pretty cool.

31
00:02:34,480 --> 00:02:35,200
Let's go back here.

32
00:02:36,790 --> 00:02:37,570
Got that going.

33
00:02:37,570 --> 00:02:39,370
And where's it going to put these screenshots?

34
00:02:40,030 --> 00:02:41,710
Store path for screenshots.

35
00:02:43,080 --> 00:02:49,610
Use that, use that for the present working directory. We can keep it the way it is, and I'll just put it

36
00:02:49,610 --> 00:02:51,530
in a folder called screenshots.

37
00:02:52,580 --> 00:02:53,210
Let's give it a go.

38
00:02:58,460 --> 00:02:59,140
What happened here?

39
00:03:00,860 --> 00:03:02,780
gowitness: command not found.

40
00:03:05,740 --> 00:03:06,640
Let's get rid of the sudo.

41
00:03:07,780 --> 00:03:12,430
You know, sometimes when it's, it just, you just got to know how to play with it.

42
00:03:13,990 --> 00:03:14,410
All right.

43
00:03:14,410 --> 00:03:16,380
So you can see we're getting some 200 status codes.

44
00:03:16,390 --> 00:03:16,930
You can see.
45
00:03:18,090 --> 00:03:23,070
Here is some of the stuff we saw in httpx, but now we're actually able to look at it live, and if we

46
00:03:23,070 --> 00:03:26,580
create another pane, let's move this guy up.

47
00:03:30,130 --> 00:03:34,070
Let's see if we can look in this folder, the screenshots folder.

48
00:03:34,080 --> 00:03:36,900
Now, we've got some screenshots in here

49
00:03:41,580 --> 00:03:42,570
and all we can do.

50
00:03:42,690 --> 00:03:44,140
You don't have a screenshot reader.

51
00:03:45,140 --> 00:03:47,390
I mean, obviously, we can't look at the screenshots here, right.

52
00:03:47,940 --> 00:03:55,170
So we're going to need to scp. We can just scp all these pages down to our host box and then open them

53
00:03:55,170 --> 00:04:00,720
up in, like, you know, Photos and, you know, take a look at what's behind each of these pages. That

54
00:04:00,820 --> 00:04:04,740
will help us to determine, you know, where are we going to go next with our attacks, right.

55
00:04:04,740 --> 00:04:07,290
So we'll let this run and we'll come back once it completes.

56
00:04:07,980 --> 00:04:08,460
All right.

57
00:04:08,460 --> 00:04:10,420
So everything is done, and it didn't take too long.

58
00:04:11,190 --> 00:04:14,160
Let's see if we can look at the folders that we have here.

59
00:04:14,490 --> 00:04:19,590
We've got the screenshots folder, 113 screenshots, you can see.

60
00:04:20,900 --> 00:04:27,410
All of the screenshots we have. So we don't have everything, it's only returning the URLs that actually

61
00:04:27,410 --> 00:04:30,180
had some content on them, or that it was able to take a screenshot from.

62
00:04:30,200 --> 00:04:30,710
So this is good.

63
00:04:30,710 --> 00:04:34,530
It narrows down our search dramatically when we look for bugs.

64
00:04:35,600 --> 00:04:36,770
So what are we going to do here?

65
00:04:37,190 --> 00:04:45,530
Well, we need to grab all of the pages in this folder, the folder right here.
66
00:04:45,980 --> 00:04:47,930
So what we're going to do is we're going to scp this stuff down.

67
00:04:49,190 --> 00:04:49,970
I'm going to exit.

68
00:05:04,720 --> 00:05:08,950
And we can run scp on our host machine, right, so we can say,

69
00:05:12,790 --> 00:05:17,200
all right, scp -i for our, you know, our private key.

70
00:05:18,790 --> 00:05:23,380
ubuntu@65.2.38.

71
00:05:24,940 --> 00:05:29,590
All right, let's put that directory in here, and we'll put it in our current directory.

72
00:05:31,910 --> 00:05:38,200
Oh, that's right, because we need to grab all the star dot PNGs.

73
00:05:40,430 --> 00:05:41,020
There we go.

74
00:05:45,380 --> 00:05:50,710
We're just downloading all the images we captured from our DigitalOcean droplet to our physical host,

75
00:05:51,550 --> 00:05:56,230
and now we shall be able to open these up, see what they look like.

76
00:05:57,750 --> 00:06:02,550
And I just changed the view to extra large, and double-click this.

77
00:06:04,240 --> 00:06:08,440
I can see the view here, so I've got a login form here, that's interesting, and I can just hit the right

78
00:06:08,440 --> 00:06:13,750
and left arrows, right and left arrow keys, to just, you know, page through all these pages.

79
00:06:15,240 --> 00:06:17,140
And some of the stuff looks interesting, right?

80
00:06:17,160 --> 00:06:17,730
What is this?

81
00:06:19,540 --> 00:06:23,340
And this domain is registered, but there's nothing here, you know, maybe there's a subdomain takeover,

82
00:06:23,840 --> 00:06:28,700
that this might be something you want to pass over to nuclei, because nuclei has the most subdomain take

83
00:06:28,700 --> 00:06:31,910
over modules, and we're going to get into that in subsequent lessons.

84
00:06:33,760 --> 00:06:35,510
You can see there's some pages here that.

85
00:06:37,260 --> 00:06:39,280
Some weird base64 string here.
86
00:06:40,270 --> 00:06:45,760
You know, I mean, there's just lots of, lots of good stuff in here. I mean, OK, like, what the

87
00:06:45,760 --> 00:06:48,240
heck is that, forbidden, right?

88
00:06:48,260 --> 00:06:51,550
Maybe you want to do forced browsing against this page to find out more.

89
00:06:51,640 --> 00:06:55,030
And if you want to know where the page is, just look at the file name, and it tells you this is

90
00:06:55,840 --> 00:07:02,770
https://api.financing.paypal.com, you know, in the file, or "no input,

91
00:07:02,770 --> 00:07:03,630
invalid argument."

92
00:07:03,910 --> 00:07:04,230
Right.

93
00:07:04,240 --> 00:07:06,820
So there's a lot of juicy stuff in here.

94
00:07:07,480 --> 00:07:11,710
And if you take your time and you're patient, you're going to find some bugs that you can report.

95
00:07:14,260 --> 00:07:19,660
You know, I could already see a lot of really good ones in here that I want to dig into, but in the

96
00:07:19,660 --> 00:07:25,300
next lecture, I'm going to show you guys how to use dnmasscan so that you can now start scanning

97
00:07:25,330 --> 00:07:31,030
these domains for ports, running port scans against them, because by default masscan takes IPs.

98
00:07:31,030 --> 00:07:38,740
It doesn't take domains, but rastating actually wrapped the masscan binary in a custom bash script

99
00:07:38,950 --> 00:07:40,300
which will convert the domains

100
00:07:40,300 --> 00:07:46,000
you feed it into IPs and then scan those, and then you can, you know, run that into nmap for version

101
00:07:46,000 --> 00:07:50,380
scanning and then pass it down your automation sequence to get even more results, more information

102
00:07:50,380 --> 00:07:51,400
that you need to produce

103
00:07:51,400 --> 00:07:55,620
a great bug bounty report to submit to HackerOne or Bugcrowd.

104
00:07:55,960 --> 00:07:56,120
Right.
105
00:07:56,170 --> 00:07:59,640
So I'll see you guys in the next lecture when we get into dnmasscan.

106
00:07:59,980 --> 00:08:01,150
See you in a little bit, bye.