1 00:00:07,720 --> 00:00:13,790 All right, you guys, on the last lecture we explored Broken Authentication and we accomplished
2 00:00:13,800 --> 00:00:18,370 complete account takeover of a victim user account. It was pretty cool.
3 00:00:18,660 --> 00:00:19,650 If you haven't seen that one,
4 00:00:19,650 --> 00:00:21,660 make sure you go back and check it out.
5 00:00:21,990 --> 00:00:26,580 But now we're going to explore Sensitive Data Exposure.
6 00:00:27,330 --> 00:00:37,200 And one of the best ways to hunt for confidential or sensitive files on a web endpoint is to proxy all
7 00:00:37,200 --> 00:00:39,930 traffic through Burp while browsing the page.
8 00:00:40,440 --> 00:00:46,020 So what we can do is make sure that Burp is connected: FoxyProxy.
9 00:00:46,560 --> 00:00:50,400 And then I'll just refresh this guy to see if I can get it to show up in Burp.
10 00:00:51,630 --> 00:00:52,170 And it is.
11 00:00:52,170 --> 00:00:55,650 Let's take off proxy, take a look at the history.
12 00:00:56,700 --> 00:00:57,900 I'm getting some stuff in here.
13 00:00:59,420 --> 00:01:00,020 That's good.
14 00:01:00,230 --> 00:01:05,660 Let's go to Target, and you can see our target here and you can see the tree, right?
15 00:01:05,680 --> 00:01:07,340 So this is actually what we want to see.
16 00:01:08,210 --> 00:01:12,290 You can see all the endpoints in this web app. I can right-
17 00:01:12,290 --> 00:01:19,880 click, Expand branch, and just expand everything and take a look here, so you can see that there is,
18 00:01:20,420 --> 00:01:21,380 you know, products.
19 00:01:21,950 --> 00:01:23,180 There's this language thing.
20 00:01:23,900 --> 00:01:24,920 There's an admin folder.
21 00:01:25,280 --> 00:01:26,930 There's even application-configuration.
22 00:01:28,130 --> 00:01:34,160 Which looks pretty juicy, but what we want to do is look for some sensitive files, so let's just click
23 00:01:34,160 --> 00:01:39,380 through the application and see if we can get Burp to passively spider as we click, and maybe we'll stumble
24 00:01:39,380 --> 00:01:41,060 across something interesting.
25 00:01:41,870 --> 00:01:45,680 So I'm just going to start at the top. I'm going to click the pancake menu and I'm just going to go
26 00:01:45,680 --> 00:01:46,820 to, like, Customer Feedback.
27 00:01:48,200 --> 00:01:54,780 See if there's anything in here. You know, you can press Ctrl+U to look at the source, do
28 00:01:54,840 --> 00:02:03,640 like Ctrl+F and search for "key", "access", "password", things like that. Ctrl+W to close.
29 00:02:04,850 --> 00:02:05,580 Let's go back.
30 00:02:07,010 --> 00:02:08,480 Let's see About Us.
31 00:02:10,350 --> 00:02:13,980 All right, corporate history and policy, blah, blah, blah, blah, blah.
32 00:02:14,280 --> 00:02:18,360 "Check out our boring terms of use if you are interested in such lame stuff."
33 00:02:19,590 --> 00:02:20,910 All right, so let's click this.
34 00:02:21,720 --> 00:02:27,420 And that's kind of interesting: it's prompting us to download a file. Let's open that.
35 00:02:29,310 --> 00:02:30,490 We have some legal information.
36 00:02:30,510 --> 00:02:34,260 Now, this isn't confidential or sensitive.
37 00:02:35,360 --> 00:02:42,080 But I wonder where this came from. If you look at the link, you can see it says ftp/legal.md.
38 00:02:42,560 --> 00:02:45,860 If we go to Burp, we now have the ftp there.
39 00:02:45,860 --> 00:02:49,820 Right, because Burp passively spidered it as we were clicking through the app.
40 00:02:50,930 --> 00:02:51,910 So now I'm interested.
41 00:02:53,250 --> 00:02:59,310 You know, I want to see what's in this folder, so let's click into the request. Ctrl+R, Ctrl+
42 00:02:59,310 --> 00:03:04,350 Shift+R to go to Repeater, Ctrl+Space to send, and let's play with this.
43 00:03:04,710 --> 00:03:12,300 Let's take out the legal.md and see if we have a directory indexing vulnerability. Ctrl+Space,
44 00:03:12,960 --> 00:03:20,310 and we can view the contents of this directory. Ctrl+F "legal": legal.md.
45 00:03:21,310 --> 00:03:22,440 So there's a legal.md indeed.
46 00:03:22,440 --> 00:03:23,470 But there's some other files.
47 00:03:24,150 --> 00:03:24,650 Wow.
48 00:03:26,100 --> 00:03:27,060 There's a .kdbx.
49 00:03:27,480 --> 00:03:29,230 Do you guys know what that is? KeePass?
50 00:03:29,850 --> 00:03:35,220 Yeah, that is, I believe that's actually a password vault file.
51 00:03:36,400 --> 00:03:39,190 And there's some other stuff here, too. There's a backup file, coupons.
52 00:03:40,830 --> 00:03:45,830 Suspicious errors. I mean, there's a lot. I'm sure we've got something in here that's good. Quarantine,
53 00:03:45,840 --> 00:03:50,670 maybe there's malware in there, you know. Acquisitions. Indeed, this is why you shouldn't run an FTP
54 00:03:50,670 --> 00:03:54,930 server on your web server in the first place, and you shouldn't have it exposed to the Internet in the
55 00:03:54,930 --> 00:03:55,530 second place.
56 00:03:56,040 --> 00:03:59,100 So let's see if we can access some of these files directly.
57 00:04:00,000 --> 00:04:01,020 Can we get to this one here?
58 00:04:01,680 --> 00:04:02,370 Acquisitions?
59 00:04:05,040 --> 00:04:12,920 Copy that, paste it in, Ctrl+Space, and yes, we did land acquisitions.
60 00:04:12,960 --> 00:04:14,770 "This document is confidential.
61 00:04:14,940 --> 00:04:15,790 Do not distribute."
62 00:04:16,740 --> 00:04:22,220 So, guys, this is sensitive data exposure we just demonstrated here.
63 00:04:22,230 --> 00:04:23,670 Now, there is another way to find this.
64 00:04:24,270 --> 00:04:30,480 If you use a tool called gobuster, which may not exist, but if you hit Y you can install it.
65 00:04:31,070 --> 00:04:38,010 And what this thing does is it will try to find a whole bunch of sensitive stuff. And you've got gobuster's
66 00:04:38,010 --> 00:04:39,120 homepage here.
67 00:04:39,120 --> 00:04:44,240 You can see it's a directory/file, DNS and VHost busting tool in Go.
68 00:04:44,880 --> 00:04:47,940 And since it's written in Go, it is fast.
69 00:04:48,120 --> 00:04:48,990 Very fast.
70 00:04:49,560 --> 00:04:49,980 All right.
71 00:04:50,250 --> 00:04:54,150 And you know, we can brute force directories and files in websites.
72 00:04:54,330 --> 00:04:59,380 It's kind of like dirb or DirBuster, but it's the evolution of that, right?
73 00:04:59,460 --> 00:05:00,420 This is the new tool.
74 00:05:00,420 --> 00:05:03,570 It's not really the new tool, but it's the tool that you should be using if you're going to do this
75 00:05:03,570 --> 00:05:04,190 exercise.
76 00:05:04,980 --> 00:05:06,710 So let's see if we have gobuster now.
77 00:05:07,020 --> 00:05:07,800 Oh, we do.
78 00:05:07,830 --> 00:05:08,510 Yes, yes, yes.
79 00:05:08,640 --> 00:05:11,700 So: sudo gobuster -h.
80 00:05:12,860 --> 00:05:13,170 Right.
81 00:05:13,170 --> 00:05:20,880 And then control the pane and build out our command.
82 00:05:22,110 --> 00:05:27,620 So what we want is, let's say we want to do directory/file enumeration.
83 00:05:28,350 --> 00:05:35,250 So I'll skip down to the bottom pane, dir, and I'll do the same thing here.
84 00:05:39,090 --> 00:05:41,100 And now we have a new help file for dir.
85 00:05:42,360 --> 00:05:43,230 What are we going to do here?
86 00:05:43,530 --> 00:05:45,840 Well, let's see.
87 00:05:45,870 --> 00:05:48,270 We can add slashes; don't need to do that.
88 00:05:48,270 --> 00:05:48,810 Cookies.
89 00:05:48,810 --> 00:05:49,590 Nope, nope, nope.
90 00:05:53,000 --> 00:06:01,520 Upon finding a file, search for backup files. That looks kind of interesting. Add that: discover backup.
91 00:06:03,710 --> 00:06:05,870 Expanded: print full URLs.
92 00:06:05,900 --> 00:06:07,250 Yep, I want to see that.
93 00:06:10,220 --> 00:06:16,100 Extensions: file extensions to search for, so we can actually brute force files.
94 00:06:16,130 --> 00:06:16,390 Right.
95 00:06:16,400 --> 00:06:20,360 So if we do something like index.html...
96 00:06:22,280 --> 00:06:32,630 We get this page, right. If we do index.php, we also get this page, so we know these are some file extensions
97 00:06:32,640 --> 00:06:33,140 we can look for.
98 00:06:33,170 --> 00:06:34,250 What about .aspx?
99 00:06:36,210 --> 00:06:37,140 That's kind of strange.
100 00:06:38,010 --> 00:06:42,870 Wait a second, what's going on here? And the company... all right.
101 00:06:42,960 --> 00:06:49,950 And I think what's happening is this is a single page application, and so it's just returning this home
102 00:06:49,950 --> 00:06:53,480 page regardless of the endpoint that we put there.
103 00:06:54,390 --> 00:07:02,210 So I don't think we're really going to have a lot of success if we try to look for a specific file.
104 00:07:02,730 --> 00:07:03,070 Right.
105 00:07:03,120 --> 00:07:06,070 It's just going to give us a 200 OK, and we'll have a 200 OK
106 00:07:06,070 --> 00:07:07,470 and we'll have tons of false positives.
107 00:07:08,700 --> 00:07:08,920 Right.
108 00:07:08,940 --> 00:07:13,230 So we'll skip that part. Follow redirects: we'll leave it off for now.
109 00:07:13,650 --> 00:07:14,310 What else?
110 00:07:15,450 --> 00:07:19,860 Methods, passwords, random agent. Random agent is a random User-Agent
111 00:07:19,900 --> 00:07:22,330 string. Can do that, and this is good.
112 00:07:22,350 --> 00:07:24,330 So now that, you know, you've got your setup.
113 00:07:24,330 --> 00:07:29,190 So, you know, we can use random User-Agent strings and then you can look at Splunk to see if you can
114 00:07:29,190 --> 00:07:37,210 discover, you know, this particular attack. Status codes will be overwritten.
115 00:07:37,230 --> 00:07:37,590 OK.
116 00:07:38,220 --> 00:07:40,580 But as you said, positive and negative status codes.
117 00:07:41,550 --> 00:07:41,750 Right?
118 00:07:41,790 --> 00:07:42,630 We'll leave that alone.
119 00:07:42,630 --> 00:07:43,080 For now.
120 00:07:43,080 --> 00:07:44,520 URL of the target.
121 00:07:45,240 --> 00:07:55,380 So we want, obviously, http, juice dot..., dot..., what else?
122 00:07:55,380 --> 00:07:59,250 We can do an output file, and the path to the wordlist, and threads.
123 00:07:59,760 --> 00:08:00,090 All right.
124 00:08:00,090 --> 00:08:04,680 So let's do an output file. Output:
125 00:08:05,930 --> 00:08:14,630 gobuster. Threads, default is 10. Don't want to crash this application. This is in your lab,
126 00:08:14,630 --> 00:08:21,130 so be careful. We'll set it to 15, and then the wordlist: path to the wordlist.
127 00:08:21,140 --> 00:08:22,020 Which one will we use?
128 00:08:23,240 --> 00:08:25,380 /usr/share/wordlists.
129 00:08:25,550 --> 00:08:30,540 I'm just tab-completing, and actually I want this to be SecLists.
130 00:08:31,860 --> 00:08:33,840 Didn't we install that earlier? Didn't we? Oh,
131 00:08:33,890 --> 00:08:34,430 we didn't.
132 00:08:34,710 --> 00:08:40,280 OK. sudo apt install seclists.
133 00:08:43,390 --> 00:08:47,710 All right, so we'll let this install and then when it finishes, we'll put the path to SecLists and
134 00:08:47,710 --> 00:08:49,390 then we'll jump into this attack.
135 00:08:49,770 --> 00:08:53,710 Let's see: sudo updatedb, locate seclists.
136 00:08:54,670 --> 00:08:58,440 Yeah, sometimes you just have to do that. Ctrl+C, and you can see that we have it.
137 00:08:59,410 --> 00:09:01,180 So let's go ahead and exit this pane.
138 00:09:01,750 --> 00:09:06,050 And now we should be able to tab-complete: complete SecLists.
139 00:09:06,460 --> 00:09:07,150 So what do we want?
140 00:09:07,450 --> 00:09:08,190 We want Discovery.
141 00:09:08,800 --> 00:09:09,550 What do we want here?
142 00:09:10,090 --> 00:09:12,730 Well, we want Web-Content.
143 00:09:13,660 --> 00:09:14,470 What do we want here?
144 00:09:15,250 --> 00:09:16,660 Yeah, let's do that, Web-Content.
145 00:09:17,390 --> 00:09:21,340 We've got a bunch of stuff. Web... let's Ctrl+
146 00:09:21,340 --> 00:09:26,080 B. Do you guys see something interesting in here that might be relevant to what we're doing?
147 00:09:26,740 --> 00:09:28,150 What about directory lists?
148 00:09:29,830 --> 00:09:31,180 Medium, lowercase.
149 00:09:31,180 --> 00:09:43,870 That might be good. directory-list, medium: directory-list-2.3-medium.txt. And I think that's
150 00:09:43,870 --> 00:09:46,830 all we needed. Let's fire it off. Maybe fire it off.
151 00:09:47,290 --> 00:09:48,030 Let's do it.
152 00:09:48,040 --> 00:09:48,850 What the heck.
153 00:09:49,660 --> 00:09:50,500 What did we get here?
154 00:09:51,490 --> 00:09:55,360 It says "to continue, please exclude the status code".
155 00:09:56,740 --> 00:10:01,450 "The server returns a status code that matches the provided options for non-existing URLs."
156 00:10:01,490 --> 00:10:06,820 Yeah, yeah, we saw that earlier when I put in my bogus URL. "To continue,
157 00:10:06,820 --> 00:10:11,710 please exclude the status code, the length, or use the wildcard option."
158 00:10:12,610 --> 00:10:12,840 Right.
159 00:10:12,910 --> 00:10:17,680 I don't know if we're going to be able to do this wildcard, because we're getting 200s for all this
160 00:10:17,680 --> 00:10:18,070 stuff.
161 00:10:21,040 --> 00:10:21,820 That's kind of annoying.
162 00:10:22,690 --> 00:10:26,650 So this is good. I mean, this shows you why different tools have different purposes here.
163 00:10:26,650 --> 00:10:31,870 We can see we're not able to use gobuster because we're getting 200 for everything, but we
164 00:10:31,870 --> 00:10:32,770 can still use Burp
165 00:10:34,630 --> 00:10:40,360 to find out sort of the anatomy of a web application, guys. So I hope you enjoyed this lecture, and
166 00:10:40,540 --> 00:10:45,520 the series. Right here, what we're going to get into next is the XML External Entity
167 00:10:45,940 --> 00:10:48,800 vulnerability. It is awesome.
168 00:10:49,120 --> 00:10:50,860 XXE is sexy.
169 00:10:51,260 --> 00:10:52,680 OK, all right.
170 00:10:52,720 --> 00:10:57,820 Sometimes it can lead to RCE, remote command execution. That's why I am singing,
171 00:10:57,820 --> 00:11:01,870 I am rapping, I am clapping, because what you guys are about to see is amazing.
172 00:11:02,140 --> 00:11:07,210 All right, so let's jump into the next lecture when we get down and dirty with XXE.
173 00:11:07,400 --> 00:11:09,040 I'll see you guys in a little bit. Peace.