Welcome back. Let's try to solve these challenges inside of our command injection task. Now, this is something that we do as a bonus; it has very little to do with the vulnerability itself. It's more like what you're going to do after you find a vulnerability. And we're not going to be doing all of these challenges and try to hack the platform. However, we might do a few of them just to see whether we can solve them.

So navigate to your command injection, which is task number five; make sure it's "Command Injection Practical". The requirements for this are that, if you want, you can read through this and this part right here. And also you should have watched the previous video where we performed the command injection. Right now, let's use that command injection to solve these examples.

Let's go with question number one. It asks what strange text file is in the website root directory. Well, we already know how we can do this: to list all the files in that directory, all we can do is type ls. So we can type something like test to finish off the first command, even though it's not necessary for this virtual machine. However, we just do it for practice, and then semicolon, and then we can type ls. This will list all the files in the current directory. And let's get to the question again. We're searching for a strange text file.
Let's go back. And pretty much the only text file that we have right here is drpepper.txt. That's the text file. So let's copy that name and specify it right here as the first answer. OK, it's a correct answer. Awesome.

Let's go to the second question now. It asks how many non-root, non-service, non-daemon users are there? Well, this might be a little bit tricky, because for this we can do something like this: so test, semicolon, and then we can cat /etc/passwd in order to see all of the users that the system has. Now, we are searching for non-root and non-service users. And if you take a look at this output that we get right here from the /etc/passwd folder, well, pretty much we don't have any personal user outside of all of the other users tied to a service, such as proxy, such as nologin, such as network and all of that. So the answer to this should be zero. Let's submit it. And that's also a correct answer. Awesome.

The third question is the one that we already performed in the previous video, which is what user is this app running as? Well, we did this in the previous video. We can type test, semicolon, and then whoami.
And it will tell us the user that's currently running this web application. In our case, it's www-data. Let's copy that and submit it for the third answer.

The fourth question is, what is the user's shell set as? Now, this is something that you can also try searching for inside of the /etc/passwd folder. Let me show you what I mean. Once you cat the /etc/passwd folder, it will give you this output, and all you want to do right here is try to find the www-data user, and if we go and scroll a little bit, it's all right here. At the end of that user's line, we should be able to find a path that says /usr/sbin/nologin. Let's give it a try. Let's hope that this is the path that we get. And if I set it right here, let's see whether it's correct, and it indeed is correct. So all we had to do is cat the /etc/passwd folder, find the www-data user, and at the end of the line you will have the path. That is the answer to the question of what is the user's shell.

OK, awesome. Now the fifth question is what version of Ubuntu is running? And most of these questions are something that we can actually Google if we don't really know. So, for example, let's say that we don't know what command we can use to discover the Ubuntu version. We can try something like this.
How to check Ubuntu version. Press enter and we can visit the first or second link; it doesn't really matter. Let's go with this one: How to check your Ubuntu version. And ideally, we want a command that is used to do that. So let's scroll a little bit down, and it says use the lsb_release -a command to display the Ubuntu version. So let's give it a try: we copy this command and we run it inside of our evil shell, so test, semicolon, and then let's paste the command. OK, so we do get the output; here is the Ubuntu version. And which format are we looking at? We're looking at a number dot number dot number. So it's pretty much this 18.04.4. Copy that; this is the Ubuntu version, and paste it right here. Awesome.

Now, the last question is the trickiest, because it says print out the MOTD. What favorite beverage is shown? Now, pretty much 99 percent of you are going to take a look at this question and wonder what even this is asking. But I advise you to straightaway go to the hint. So the hint tells us 00-header, and this sounds like a file perhaps, or something like that, so we can start off with that if we try to locate a file that has this inside of the name. How can we do that?
Well, we can use the locate command that most Linux systems support. So we can type test and then semicolon. And by the way, just so you don't get confused, you don't need to type test every time; you can type anything. So pretty much anything at all, you can type test123. The word that you type before this semicolon is really not important in this case. So you can type pretty much anything, and then semicolon, and then comes the important command. So you want to locate. And what are we locating? Once again, we're locating 00-header. Let's copy that name and let's paste it in our command, click on Submit. And we get this output, which sounds like a path, which is under /etc/update-motd.d/00-header. So let's try to cat this, but let's make an even more complex command. Let's type test, semicolon, and then let's cd to /etc/update-motd.d. And let's add another command, which we can do by typing two of these signs right here, and then we can type cat 00-header. So here we are actually trying to execute three commands. The first command, which doesn't really matter what it is in this example of this virtual machine, you don't even need to use it, because it's specifically made to execute commands.
But in real life, you will have a first command that should be normal web application usage. Then after that comes our command injection, where we execute our first command, and in this case we add another command. After we cd to this directory, we want to get the content of this 00-header. Let's submit this. And this is the output that we get. So now let's go back to the question. What favorite beverage is shown? Hmm. Let's go all the way down. And if we scroll, we're going to see something interesting right here that says Dr Pepper makes the world taste better. We can copy this, go back here and paste it right here. So let's try it like this. Now, that doesn't appear to be the answer. So, oh, we should just copy Dr. Pepper, if I'm not mistaken, not the entire sentence. So let's go back and let's paste Dr. Pepper. And here it is. That's the correct answer.

So this was just a little bit of a bonus video where we covered these tasks right here using different commands. And in the next video, we're going to take a look at how we can run a reverse shell with the help of a command injection on our OWASP Top 10 machine.
See you in the next lecture.