1
00:00:00,600 --> 00:00:03,960
Greetings, I'm Professor Kay, and you're viewing a video presentation.

2
00:00:04,530 --> 00:00:09,900
We're going to take a look at how we go about completing the walkthrough for the Capture the Flag exercise

3
00:00:09,900 --> 00:00:11,700
SQL Injection to Shell.

4
00:00:12,620 --> 00:00:17,570
In this video walkthrough, I will be showing how to use SQL injection to help in the creation

5
00:00:17,570 --> 00:00:19,340
of a reverse shell.

6
00:00:20,360 --> 00:00:26,040
The lab requirements for this CTF are one installation of VirtualBox, one virtual install of Kali

7
00:00:26,120 --> 00:00:30,760
Linux, one virtual install of the target, SQL Injection to Shell.

8
00:00:31,550 --> 00:00:37,520
And before we begin the walkthrough, make sure that both of your machines, your Kali and your target,

9
00:00:37,520 --> 00:00:38,450
are up and running.

10
00:00:39,590 --> 00:00:44,540
You need to also ensure that both of your machines are on the same network and that they can see each

11
00:00:44,540 --> 00:00:44,870
other.

12
00:00:45,940 --> 00:00:49,250
So the first thing we've got to do is discover our target machine.

13
00:00:49,270 --> 00:00:51,270
Now, to do this, I'm going to use netdiscover.

14
00:00:51,850 --> 00:00:57,190
So I've typed in netdiscover, space, dash i, which stands for interface, space.

15
00:00:57,520 --> 00:01:02,230
Now I'll give it the name of the interface that I want netdiscover to use to discover all the

16
00:01:02,230 --> 00:01:05,410
available machines or devices on this network.

17
00:01:05,410 --> 00:01:06,460
And go ahead, hit enter.

18
00:01:07,440 --> 00:01:12,630
And after a short scan, it comes back up and it tells me the results that it has found on my network.

19
00:01:12,960 --> 00:01:15,420
I can hit Control-C to break the sequence.

20
00:01:16,690 --> 00:01:22,210
I've got a couple of IP addresses of interest here, but the one that I'm really interested in is the

21
00:01:22,210 --> 00:01:24,370
10.0.2.13.

22
00:01:25,430 --> 00:01:29,210
And that's going to be our target. Now that we have discovered our target,

23
00:01:29,240 --> 00:01:34,660
let's go ahead and scan for any vulnerable ports or services that may be running on that device.

24
00:01:35,150 --> 00:01:42,350
So at the prompt, I'm typing in nmap, space, dash capital A, space, dash small p dash, space, the IP address

25
00:01:42,350 --> 00:01:43,060
of my target.

26
00:01:43,490 --> 00:01:44,780
I want to go ahead and hit enter.

27
00:01:46,200 --> 00:01:52,980
And what I like about this dash capital A switch is that it launches the Nmap scripting engine,

28
00:01:53,340 --> 00:01:58,680
and you can see here that it ran one hundred and fifty one scripts and it ran those scripts against

29
00:01:58,680 --> 00:01:59,630
that target.

30
00:02:00,000 --> 00:02:01,320
And here's what it came up with.

31
00:02:02,310 --> 00:02:04,830
We can go down here and we see that we have.

32
00:02:06,280 --> 00:02:10,880
And we can go down here and you can see that we have a couple of ports that are actually vulnerable.

33
00:02:10,900 --> 00:02:18,370
We have SSH, but we also have HTTP running on port 80, and that's going to be our low-hanging

34
00:02:18,370 --> 00:02:18,760
fruit.

35
00:02:18,760 --> 00:02:20,170
And that's where we're going to start.

36
00:02:21,820 --> 00:02:28,390
Let's go ahead and close out our terminal and let's bring up a web page. Go here to the application

37
00:02:28,390 --> 00:02:31,150
launcher and I'll click on web browser.

38
00:02:32,520 --> 00:02:38,790
In the address bar of my browser, I'm going to type in the IP address of the web server that we discovered

39
00:02:38,970 --> 00:02:41,480
running on my target machine.

40
00:02:42,920 --> 00:02:48,320
And now that we're here at the home page for this, My Awesome Photoblog, you see that we have a number

41
00:02:48,320 --> 00:02:51,670
of additional URLs that we can click on.

42
00:02:51,920 --> 00:02:57,140
We have home, test, Ruxcon 2010, all pictures, and admin.

43
00:02:57,930 --> 00:02:59,120
Let's click on test.

44
00:03:00,050 --> 00:03:06,720
And up in your address bar, at the very front of it, let's type in a single quote.

45
00:03:07,400 --> 00:03:13,380
Now, what this does, it's going to tell us whether or not the SQL database is vulnerable.

46
00:03:14,300 --> 00:03:15,770
So we've got that done now.

47
00:03:15,770 --> 00:03:18,170
We're just going to hit enter, and down here

48
00:03:18,170 --> 00:03:21,350
it says you have an error in your SQL syntax.

49
00:03:21,770 --> 00:03:23,180
And that's what we were looking for.

50
00:03:24,090 --> 00:03:30,450
So your takeaway from this little exercise should be that by just adding a single quote to the front

51
00:03:30,450 --> 00:03:37,980
of our URL, we can determine if the SQL database is vulnerable to a SQL injection.

52
00:03:38,990 --> 00:03:43,100
So let's go ahead and minimize our web page and let's bring up another terminal.

53
00:03:44,300 --> 00:03:49,430
For this next step, we're going to use sqlmap to show us all the available databases that are currently

54
00:03:49,430 --> 00:03:52,690
running on this installation of SQL.

55
00:03:53,450 --> 00:03:59,390
So I've typed in sqlmap, space, dash u, which stands for URL, followed by the URL.

56
00:04:00,050 --> 00:04:07,070
And then at the end we have the dash dash dbs, space, dash dash batch.

57
00:04:07,500 --> 00:04:08,900
Go ahead and hit enter.

58
00:04:09,290 --> 00:04:10,070
Give it a second.

59
00:04:11,080 --> 00:04:15,230
And down here, you see that we found two available databases.

60
00:04:15,460 --> 00:04:18,620
Now, the one that we're interested in is going to be that photoblog.

61
00:04:19,360 --> 00:04:21,580
So now we're going to use sqlmap one more time.

62
00:04:21,580 --> 00:04:26,110
But this time it's going to show us the contents of the photoblog database.

63
00:04:26,620 --> 00:04:32,870
So we're telling it to dump all and give us a batch of everything that's inside of this database.

64
00:04:33,310 --> 00:04:36,880
What we're looking for, of course, are usernames and passwords.

65
00:04:37,570 --> 00:04:38,740
Let's go ahead and hit enter.

66
00:04:40,100 --> 00:04:48,500
So sqlmap was able to use a dictionary attack and crack those MD5 hashes that were currently hiding

67
00:04:48,500 --> 00:04:56,660
all the passwords, and it was able to discover that the admin account had a password, a password that

68
00:04:56,660 --> 00:05:05,150
was spelt capital P, the number four, small letter s, s, small letter w, number zero, small letter

69
00:05:05,150 --> 00:05:06,170
r and d.

70
00:05:07,250 --> 00:05:12,470
We can now log on to that web server as admin with the admin password.

71
00:05:12,940 --> 00:05:18,650
So let's bring back up our website on the target, and this time just click over here on admin.

72
00:05:19,490 --> 00:05:28,290
In the login, type in admin and then type in that password that we captured for this particular website.

73
00:05:28,880 --> 00:05:34,730
Let's hit enter and you see on this next page that we have the capability of uploading a picture.

74
00:05:35,760 --> 00:05:39,870
So we're going to leave this right here and let's go ahead and minimize this, because what we're going

75
00:05:39,870 --> 00:05:42,510
to do next is upload a reverse shell script.

76
00:05:43,170 --> 00:05:47,100
So back over here on your Kali desktop, just open up your file system.

77
00:05:48,180 --> 00:05:55,400
And scroll on down until we come to the usr directory, open it up. Up inside the usr directory,

78
00:05:55,470 --> 00:05:59,530
let's click on the share directory. Once we're inside of the share directory,

79
00:05:59,550 --> 00:06:03,450
we're going to scroll on down until we come to the directory marked webshells.

80
00:06:04,500 --> 00:06:10,110
Go ahead, double-click that. Now inside the webshells, you have all of these scripts. Now we're going

81
00:06:10,110 --> 00:06:14,640
to be looking for a script, so go ahead and open up your folder.

82
00:06:15,750 --> 00:06:19,610
And the script that we're looking for is the reverse shell.

83
00:06:20,250 --> 00:06:20,840
Go ahead and right-click

84
00:06:20,910 --> 00:06:26,610
on this script and we're going to open it up with Mousepad, or you can use any text editor you

85
00:06:26,610 --> 00:06:27,030
want.

86
00:06:28,120 --> 00:06:33,400
Inside of the script, we're going to scroll down just past the comments until we come to this first

87
00:06:33,400 --> 00:06:40,930
section, and we're going to insert the IP address for our Kali and the port that we want to listen

88
00:06:40,930 --> 00:06:41,170
on.

89
00:06:41,770 --> 00:06:43,510
So I'm going to go ahead and change this here

90
00:06:44,390 --> 00:06:48,100
to the address of my Kali machine.

91
00:06:49,290 --> 00:06:56,880
I'm then going to change the port over to 4444. Now when I have all that done and I know

92
00:06:56,880 --> 00:07:02,760
that it is correct, I'm going to go up here to file and I'm going to do a save as. On this next screen,

93
00:07:02,760 --> 00:07:04,110
I'm going to click on the desktop.

94
00:07:04,980 --> 00:07:13,320
And up here where it says php-reverse-shell, I'm going to change that to just shell, and

95
00:07:13,320 --> 00:07:17,940
once I'm ready to save that to my desktop, I'm just going to go down here to the lower right and I'm

96
00:07:17,940 --> 00:07:25,890
going to save, close out the script, close out my file system, and there on my desktop is the

97
00:07:25,890 --> 00:07:28,780
script that we just saved to our desktop.

98
00:07:29,790 --> 00:07:35,340
Now, the next thing we have to do is open up a listener on our Kali machine to establish the reverse

99
00:07:35,340 --> 00:07:35,820
shell.

100
00:07:36,630 --> 00:07:38,580
To do this, I'm just going to open up a terminal.

101
00:07:39,970 --> 00:07:46,870
And I'm going to use netcat to establish that listener that we need for when I launch that reverse

102
00:07:46,870 --> 00:07:48,730
shell script from my target.

103
00:07:49,630 --> 00:07:55,060
So I've typed in nc for netcat, space, dash l v n p, space,

104
00:07:55,360 --> 00:07:57,910
4444, which is the port number.

105
00:07:58,510 --> 00:08:01,060
So the small letter l stands for listening.

106
00:08:01,480 --> 00:08:03,760
The small letter v stands for verbose.

107
00:08:04,330 --> 00:08:07,030
The n stands for no DNS domain

108
00:08:07,030 --> 00:08:09,400
lookup, and the p stands for port.

109
00:08:10,390 --> 00:08:15,310
And once you have that typed in correctly, just go ahead and hit enter, and now Kali is standing by,

110
00:08:15,310 --> 00:08:20,780
listening for that connection over to the target once we launch that reverse shell script.

111
00:08:21,280 --> 00:08:21,660
Go ahead,

112
00:08:21,670 --> 00:08:23,410
minimize your terminal.

113
00:08:24,590 --> 00:08:31,430
Now, let's return back on over to our web page. So I'm back over here on the web page of the target.

114
00:08:32,270 --> 00:08:35,390
Now, we need to upload that script. To do this,

115
00:08:35,450 --> 00:08:40,570
I'm going to use this add a new picture feature that's on this admin page.

116
00:08:41,360 --> 00:08:42,460
You see it right here.

117
00:08:42,830 --> 00:08:44,090
Go ahead and click on that.

118
00:08:44,420 --> 00:08:46,790
And now I'm going to browse on over to my desktop.

119
00:08:47,900 --> 00:08:54,820
And I'm going to find that shell script, double-click it, and then I'm going to click the add button.

120
00:08:55,700 --> 00:09:01,250
There is an error and it says No PHP. That's fine.

121
00:09:01,700 --> 00:09:04,410
Let's go and minimize our website.

122
00:09:04,880 --> 00:09:11,930
Let's go back to our Kali desktop and let's right-click and rename this shell.php script.

123
00:09:12,830 --> 00:09:13,550
So I'm going to right-

124
00:09:13,550 --> 00:09:14,110
click on it.

125
00:09:14,120 --> 00:09:23,060
I'm going to go to rename and I'm going to call this small letter p, capital letters HP, just like that.

126
00:09:23,720 --> 00:09:25,670
Let's go and rename it now.

127
00:09:25,670 --> 00:09:27,740
Let's go back on over to our web page.

128
00:09:28,370 --> 00:09:30,860
And again, we're going to use the back button here.

129
00:09:31,160 --> 00:09:38,360
And again, we're going to browse on over to our desktop and attempt to load that shell one more time.

130
00:09:39,170 --> 00:09:40,870
So I've got the shell ready to load.

131
00:09:40,880 --> 00:09:42,170
I'm going to click the add button.

132
00:09:43,010 --> 00:09:44,660
And now that was successful.

133
00:09:45,050 --> 00:09:47,510
Problem is, I don't have any way to launch it.

134
00:09:47,930 --> 00:09:53,650
You see that I can launch these other images here, but I can't launch this PHP script.

135
00:09:54,350 --> 00:09:59,060
So what we're going to have to do is figure out where I uploaded this script to.

136
00:09:59,060 --> 00:10:04,220
Now, to do this, we're going to go ahead and minimize one more time our web page.

137
00:10:04,610 --> 00:10:06,670
Let's open up another terminal.

138
00:10:07,310 --> 00:10:14,600
And again, I'm going to use another tool called dirb to find all the directories that are on the target

139
00:10:14,600 --> 00:10:15,230
website.

140
00:10:15,950 --> 00:10:23,000
And I should be able to discern from all those directories where my PHP file was actually uploaded to.

141
00:10:24,100 --> 00:10:30,070
So once again, we're looking for all of the directories that are available up on this web server. To

142
00:10:30,070 --> 00:10:30,460
do this,

143
00:10:30,520 --> 00:10:38,290
I'm going to use dirb, and I've typed in dirb, which is the command, space, followed by the URL of the

144
00:10:38,290 --> 00:10:38,970
website.

145
00:10:39,380 --> 00:10:40,810
I'm going to go ahead, hit enter.

146
00:10:41,410 --> 00:10:44,710
So once dirb has completed a scan, you'll see that I have a directory.

147
00:10:45,490 --> 00:10:50,170
It's up on the web server inside of the admin folder.

148
00:10:50,210 --> 00:10:53,540
It's called uploads, and that's going to be our target.

149
00:10:54,430 --> 00:11:01,600
So we're going to go ahead and assume that my reverse shell script is inside of that uploads folder.

150
00:11:01,630 --> 00:11:03,430
So let's go back on over to the website.

151
00:11:04,570 --> 00:11:12,310
So back on over here at my web page, I'm going to type in the IP address, the correct IP address.

152
00:11:13,730 --> 00:11:16,760
And I'm going to hit enter to get up inside the uploads directory.

153
00:11:18,560 --> 00:11:24,110
Now, once you're up inside of the uploads directory, you'll notice that the shell file that we

154
00:11:24,110 --> 00:11:25,140
uploaded is present.

155
00:11:25,490 --> 00:11:32,030
Now all I have to do to get this reverse shell established is double-click that script, and the reverse shell

156
00:11:32,030 --> 00:11:32,930
will be completed.

157
00:11:33,260 --> 00:11:34,150
Let's go ahead and do that.

158
00:11:34,700 --> 00:11:37,210
So while I'm up here, I'm just going to double-click it like that.

159
00:11:37,460 --> 00:11:40,280
And you notice that you get this error message on the next page.

160
00:11:40,310 --> 00:11:41,640
That's a good error message.

161
00:11:42,530 --> 00:11:48,320
So now I'm just going to go back over here to my shell and you'll see that the reverse shell has completed.

162
00:11:49,400 --> 00:11:56,660
So now you're able to type in Unix commands and communicate from your Kali machine over to the target

163
00:11:56,660 --> 00:12:04,160
machine using this reverse shell, so I can type in ls and that's going to list all the directories and

164
00:12:04,160 --> 00:12:08,600
files that are currently available under www-data.

165
00:12:09,260 --> 00:12:17,780
I can also type in ls dash l a and that's going to show us all the file permissions that are currently

166
00:12:17,780 --> 00:12:21,920
assigned to the directory and files under root.

167
00:12:22,640 --> 00:12:28,910
Now if you'd like to know who you're logged on as, you can just type in whoami and enter and it comes

168
00:12:28,910 --> 00:12:34,170
back and lets you know that you are currently logged on as www-data.

169
00:12:35,480 --> 00:12:42,800
So the purpose of this particular CTF was to use SQL injection to give us enough access so that we

170
00:12:42,800 --> 00:12:47,410
could establish a reverse shell from our target over to our Kali machine.

171
00:12:48,320 --> 00:12:55,130
It was not to establish root, but if you would like to continue on with the process of trying to gain

172
00:12:55,130 --> 00:12:57,410
root access, by all means do so.

173
00:12:58,870 --> 00:13:03,700
And so that's going to conclude this short video presentation on how we go about completing the

174
00:13:03,700 --> 00:13:07,820
walkthrough for the CTF SQL Injection to Shell.

175
00:13:08,110 --> 00:13:11,560
So if you have any questions or concerns, don't hesitate to reach out.

176
00:13:11,560 --> 00:13:14,830
Contact your instructor and I'll see you in my next video.