1 00:00:00,890 --> 00:00:01,650 Welcome back.
2 00:00:01,940 --> 00:00:08,510 Let's cover our first example of command injection and as usual, we are going to start off with an
3 00:00:08,510 --> 00:00:09,260 easy example.
4 00:00:09,290 --> 00:00:15,350 First, this example will be the one from our TryHackMe OWASP Top 10 lab.
5 00:00:16,040 --> 00:00:20,210 So we already ran that virtual machine once we covered the HTML injection.
6 00:00:20,540 --> 00:00:22,640 And we want to do the same thing again.
7 00:00:22,680 --> 00:00:29,060 We want to run the virtual machine used to perform command injection in the lab that we covered inside
8 00:00:29,060 --> 00:00:30,230 of the TryHackMe platform.
9 00:00:30,830 --> 00:00:36,650 Now, since we already ran it once, I'm going to go through the process of running those virtual machines
10 00:00:36,650 --> 00:00:41,290 and setting up the VPN one more time just so we can refresh our memory.
11 00:00:41,960 --> 00:00:47,390 So the first thing that we want to do once we open our TryHackMe account is we want to make sure that
12 00:00:47,720 --> 00:00:53,870 Burp Suite is started and that intercept is turned off and then we want to run our VPN file.
13 00:00:54,770 --> 00:01:01,520 Remember, we downloaded it in home, then our account, and then the Downloads directory, and all
14 00:01:01,520 --> 00:01:06,530 we have to do to run it is type sudo openvpn and then the file name.
15 00:01:08,120 --> 00:01:11,340 Enter your password and it will start the VPN for you.
16 00:01:11,840 --> 00:01:18,650 Now if you open another terminal and type in ifconfig, you should be able to see another interface
17 00:01:18,660 --> 00:01:24,110 right here that will give you the IPv4 address that will belong to the TryHackMe network.
18 00:01:24,800 --> 00:01:25,860 OK, awesome.
19 00:01:26,480 --> 00:01:32,270 Once you get that set up, you want to navigate to your dashboard, navigate to the Learn tab.
20 00:01:33,300 --> 00:01:41,190 Scroll all the way down till we find our modules, which are right here, select Web Hacking Fundamentals.
21 00:01:42,320 --> 00:01:45,860 And under here, we want to go with OWASP Top 10.
22 00:01:47,120 --> 00:01:54,320 OK, awesome, as we can see, we are connected to their network, here is our IP address, as it says
23 00:01:54,320 --> 00:01:56,230 even here that we are connected.
24 00:01:56,270 --> 00:01:57,370 We are on OpenVPN.
25 00:01:57,530 --> 00:01:59,440 So everything is set up good.
26 00:02:00,080 --> 00:02:06,910 Now, if you don't connect from the first try, just try to restart both your OpenVPN and your TryHackMe
27 00:02:06,920 --> 00:02:10,610 platform just to refresh it after you start your VPN again.
28 00:02:10,949 --> 00:02:12,640 And it should work perfectly.
29 00:02:13,130 --> 00:02:18,100 Now, once we navigate right here, we want to go to Task 4 and Task 5.
30 00:02:18,410 --> 00:02:20,450 Both of these are command injection.
31 00:02:20,690 --> 00:02:23,030 Just this one is only theory.
32 00:02:23,540 --> 00:02:25,640 It allows you to read something about it.
33 00:02:25,640 --> 00:02:27,680 You can go through all of this if you want to.
34 00:02:27,980 --> 00:02:29,480 I do advise you to read it.
35 00:02:29,780 --> 00:02:35,340 And you can also read examples of command injection right here under Task 5.
36 00:02:35,780 --> 00:02:38,280 But we are not going to be reading this at the moment.
37 00:02:38,300 --> 00:02:41,300 What we want to do is we want to start the machine.
38 00:02:42,730 --> 00:02:49,150 As we remember, it will take around one minute for the IP address of our vulnerable virtual machine
39 00:02:49,150 --> 00:02:50,750 to appear right here.
40 00:02:51,100 --> 00:02:52,360 So let's wait for that.
41 00:02:53,210 --> 00:02:58,810 And by the way, after we finish showing the command injection in the next video, we're also going
42 00:02:58,810 --> 00:03:03,230 to try to do these tasks or do these challenges right here.
43 00:03:03,700 --> 00:03:06,190 These are something like capture the flag challenges.
44 00:03:06,370 --> 00:03:11,910 So it will ask us to find something and we will try to do it with the help of command injection.
45 00:03:12,400 --> 00:03:15,640 But for now, let's just get command injection to work.
46 00:03:15,670 --> 00:03:18,340 So let's wait once again for the IP address to show.
47 00:03:19,890 --> 00:03:25,650 And here is my IP address, I'm going to copy it, and the first thing that I always do, which I
48 00:03:25,650 --> 00:03:33,360 already mentioned, is I try to ping the IP address. In case you get a response like this where it is
49 00:03:33,360 --> 00:03:38,700 not able to ping it, make sure that you wait for a minute or two and then you should be able to ping
50 00:03:38,700 --> 00:03:42,320 it since it does take some time for the machine to set up.
51 00:03:42,870 --> 00:03:45,090 So let's Ctrl+C this.
52 00:03:45,420 --> 00:03:48,360 Wait a couple more seconds and then we will try again.
53 00:03:49,420 --> 00:03:54,000 Let's give it a try again, and if I ping it now, we do get the response.
54 00:03:54,520 --> 00:03:55,510 OK, awesome.
55 00:03:56,160 --> 00:03:57,240 Let's go back here.
56 00:03:57,240 --> 00:04:03,170 And in our challenge, as we already saw previously, we do get this link right here.
57 00:04:03,450 --> 00:04:08,210 So this link is what we're going to use to try to perform command injection.
58 00:04:08,850 --> 00:04:10,020 Let's click on it.
59 00:04:10,500 --> 00:04:17,070 And it should open a page called EvilShell on our target's IP address.
60 00:04:18,519 --> 00:04:21,490 And here we get a simple Web application.
61 00:04:22,500 --> 00:04:29,460 It only has this one input that allows us to enter a single command, and if we type something like
62 00:04:29,460 --> 00:04:29,910 test.
63 00:04:30,890 --> 00:04:38,180 Well, nothing will appear, but what would happen if I type something like test and then a semicolon
64 00:04:38,300 --> 00:04:44,870 to separate the commands and type ls, which is the command to list all the available files in the directory,
65 00:04:45,410 --> 00:04:48,530 if I click on Submit now we get the response.
66 00:04:48,950 --> 00:04:53,230 We get all the files that are currently in this Web server's directory.
67 00:04:53,840 --> 00:04:57,830 So this input right here is vulnerable to the command injection.
68 00:04:58,730 --> 00:05:03,650 You can do this with any command that you want, you can type test and then semicolon and then, for
69 00:05:03,650 --> 00:05:04,690 example, whoami.
70 00:05:04,730 --> 00:05:12,850 And it will tell you which account it is running as, currently it's running as www-data, so command
71 00:05:12,860 --> 00:05:15,010 injection works in this input.
72 00:05:15,920 --> 00:05:23,150 But there's one more thing that I didn't really tell you besides the command injection that reflects
73 00:05:23,150 --> 00:05:29,870 the output on the page, there is also something called blind injection or blind command injection.
74 00:05:30,740 --> 00:05:31,460 What does that mean?
75 00:05:32,420 --> 00:05:38,660 Well, it means that we can't see the output of our command on the page, even though it might be vulnerable
76 00:05:38,660 --> 00:05:39,710 to the command injection.
77 00:05:40,250 --> 00:05:46,490 OK, but you might be wondering, well, how can I then know if it's vulnerable if I can't see any output
78 00:05:46,490 --> 00:05:47,090 on the page?
79 00:05:47,780 --> 00:05:50,170 Well, we have to approach it differently.
80 00:05:50,390 --> 00:05:54,320 Now, let's imagine that this same page doesn't give us any output.
81 00:05:54,350 --> 00:06:01,400 Let's imagine that once we type test and then semicolon and then space and ls, it doesn't print anything
82 00:06:01,400 --> 00:06:01,970 right here.
83 00:06:03,150 --> 00:06:08,220 If you didn't know about blind command injection, you would probably think that it's not vulnerable, but
84 00:06:08,220 --> 00:06:10,100 there is another test that we can perform.
85 00:06:10,590 --> 00:06:16,640 We can try to perhaps ping our Kali Linux machine from our target machine.
86 00:06:17,690 --> 00:06:24,950 It won't give us any output here, but if we try to intercept the requests using something like Wireshark,
87 00:06:25,400 --> 00:06:30,530 then maybe we can see the packets that the target machine is sending in order to ping us.
88 00:06:31,560 --> 00:06:37,590 If we do see those packets, that means we have a blind SQL injection, let me show you what I
89 00:06:37,590 --> 00:06:37,810 mean.
90 00:06:38,190 --> 00:06:44,460 So first thing, we're going to open a program called Wireshark that is used to sniff packets and
91 00:06:44,460 --> 00:06:46,680 data over certain interfaces.
92 00:06:47,580 --> 00:06:50,850 We do ideally want to open it with sudo.
93 00:06:51,990 --> 00:06:57,980 Just so we don't have any limitations, just type sudo wireshark and then type in your password, it
94 00:06:57,990 --> 00:07:04,410 will open this user interface program where we are going to try to sniff our packets once we run the
95 00:07:04,410 --> 00:07:04,750 ping command.
96 00:07:04,800 --> 00:07:12,600 And so you will open a window that looks something like this and you will have multiple interfaces right
97 00:07:12,600 --> 00:07:12,850 here.
98 00:07:13,530 --> 00:07:21,060 Ideally, we want to select the interface that we use with our VPN and once again, you can figure out
99 00:07:21,060 --> 00:07:22,920 which interface that is by typing
100 00:07:22,920 --> 00:07:23,720 ifconfig.
101 00:07:24,090 --> 00:07:28,780 And for me this is the tun0 interface.
102 00:07:28,980 --> 00:07:32,120 It has the IP address that belongs to the TryHackMe network.
103 00:07:32,550 --> 00:07:35,760 So I'm going to select that one right here.
104 00:07:37,220 --> 00:07:44,900 And here it's going to sniff for all the packets that are coming to that interface. Now in order to discover
105 00:07:44,900 --> 00:07:53,420 this blind command injection, what we can do is we can type test and then ping our IP address.
106 00:07:54,550 --> 00:08:01,240 So to check out what IP address we have, we can copy it from our ifconfig output right here.
107 00:08:02,240 --> 00:08:04,970 And we can paste it here.
108 00:08:06,140 --> 00:08:12,350 But before we run it, we want to be specifically sniffing for ping requests inside of our Wireshark
109 00:08:12,800 --> 00:08:16,550 and those packets are also called ICMP packets.
110 00:08:16,760 --> 00:08:19,490 So you can type in the search bar ICMP.
111 00:08:20,580 --> 00:08:28,980 Press enter and it will only output any ICMP packets that are received right here, so let's give it
112 00:08:28,980 --> 00:08:31,370 a try with type test semicolon.
113 00:08:31,530 --> 00:08:36,710 Then we added a space for the second command and we typed ping and then the IP address.
114 00:08:37,230 --> 00:08:41,370 Now, also, since Linux systems ping forever until you Ctrl+C,
115 00:08:41,380 --> 00:08:49,260 we also want to add the dash c option, which stands for count, and we want to ping only five times.
116 00:08:49,290 --> 00:08:57,540 So we are going to type ping, IP address, then space, dash c, and then five. In case you don't see
117 00:08:57,540 --> 00:09:01,530 it really well, let me enlarge this and it looks something like this.
118 00:09:02,310 --> 00:09:09,360 Once we submit this request, you will notice that this page is loading consistently and after a few
119 00:09:09,360 --> 00:09:10,950 seconds we get this output.
120 00:09:11,850 --> 00:09:17,400 But if we go to our Wireshark, we also get ICMP packets from the target machine.
121 00:09:18,320 --> 00:09:23,620 Now, imagine that we didn't get this output right here, we would think that there was no vulnerability,
122 00:09:23,630 --> 00:09:29,660 but if we opened our Wireshark and saw the requests coming in, we would know that we have a case of
123 00:09:29,660 --> 00:09:31,250 blind command injection.
124 00:09:31,880 --> 00:09:32,750 How cool is that?
125 00:09:33,480 --> 00:09:34,640 OK, awesome.
126 00:09:34,880 --> 00:09:37,340 And this was the simple example of command injection.
127 00:09:37,850 --> 00:09:43,190 In the next video, we're going to take a look at these tasks right here, even though they don't really
128 00:09:43,190 --> 00:09:47,510 have much to do with the injection, but more like system navigation and something like that.
129 00:09:47,900 --> 00:09:52,370 But we're nonetheless going to do them just to show how you can approach these challenges.
130 00:09:53,090 --> 00:09:55,280 Thank you for watching and I'll see you in the next lecture.