1
00:00:00,870 --> 00:00:07,770
OK, let's try and solve some command injection challenges on our OWASP virtual machine.

2
00:00:08,670 --> 00:00:14,550
So what you want to do is make sure everything is started, Burp Suite is started, even though we're not going

3
00:00:14,550 --> 00:00:18,990
to use it, but we need it just in case, maybe we are going to need it.

4
00:00:19,020 --> 00:00:22,500
Maybe we are not going to need it, we don't really know that either.

5
00:00:22,500 --> 00:00:25,260
Besides that, open your OWASP BWA machine.

6
00:00:25,500 --> 00:00:30,360
And once you have all that ready, we want to navigate to OWASP Mutillidae II.

7
00:00:31,260 --> 00:00:40,140
Now, here under OWASP 2013, we're going to see, under Injection, Command Injection right here, and

8
00:00:40,140 --> 00:00:41,730
we can go with any one of them.

9
00:00:42,300 --> 00:00:43,980
Let's go with DNS Lookup.

10
00:00:44,950 --> 00:00:52,870
If you open this simple page, it says "Who would you like to do a DNS lookup on? Enter IP or hostname".

11
00:00:53,560 --> 00:01:00,010
Let's say, for example, we type in google.com, and just so we can see everything better,

12
00:01:00,010 --> 00:01:01,690
I'm going to zoom this in.

13
00:01:03,400 --> 00:01:08,380
Let's say we type www.google.com and click on Lookup DNS.

14
00:01:09,340 --> 00:01:15,700
And this is the output that we get, and straightaway, just from the output, we should be able to notice

15
00:01:15,700 --> 00:01:18,870
that this output looks quite familiar to us.

16
00:01:19,240 --> 00:01:23,340
It almost looks the same as the output from the nslookup command.

17
00:01:23,830 --> 00:01:30,880
And as we already know from our Linux knowledge, the nslookup command is used inside of the terminal.

18
00:01:31,360 --> 00:01:33,040
So if I typed

19
00:01:33,040 --> 00:01:39,850
www.google.com into nslookup, we would pretty much get almost the same response.

20
00:01:40,950 --> 00:01:48,240
So maybe this application is using the system to execute this command and give us the result back,

21
00:01:48,480 --> 00:01:52,550
and whenever this happens, we already know there might be a possible command injection.

22
00:01:53,190 --> 00:02:02,940
So let's type www.google.com, semicolon, space, and then let's type whoami and click on Lookup DNS.

23
00:02:04,610 --> 00:02:06,210
And this is the output that we get.

24
00:02:06,860 --> 00:02:12,980
We have a command injection, as we can see down here, it executed our whoami command, and we can

25
00:02:12,980 --> 00:02:17,780
do the same thing with ls or any other command that we can run in the terminal.

26
00:02:18,020 --> 00:02:25,400
And it should also run, as we can see right here, our ls command gave the output of all the files

27
00:02:25,400 --> 00:02:26,960
in this current working directory.

28
00:02:28,150 --> 00:02:30,040
So this was rather easy.

29
00:02:30,070 --> 00:02:34,750
We found the command injection, but let's take it a step further.

30
00:02:34,760 --> 00:02:41,110
Let's try to establish a reverse shell with the target system with the help of the command injection.

31
00:02:42,020 --> 00:02:48,800
And if we take a look at these outputs, or these files that we got with our ls command, it seems

32
00:02:48,800 --> 00:02:54,410
that the server is running PHP, which is most common, to be honest.

33
00:02:54,420 --> 00:03:01,660
So most likely servers will be running it, and maybe we can do something like a reverse shell.

34
00:03:02,420 --> 00:03:08,660
Now, even though we're not coders, these types of one-line reverse shells are very easy to find online.

35
00:03:09,080 --> 00:03:15,950
You just need to Google "one-line shell" or "bash one-line reverse shell", and it'll give you a

36
00:03:15,950 --> 00:03:21,450
single command that can be used to establish a reverse connection with our Kali machine.

37
00:03:22,010 --> 00:03:24,290
So I got one of those commands right here.

38
00:03:24,500 --> 00:03:27,470
It's written right here in my nano editor.

39
00:03:27,830 --> 00:03:35,240
And all this command is doing is it's running code where it creates a socket object, and a socket object

40
00:03:35,240 --> 00:03:40,910
in a programming language is something used to establish a network connection. In the brackets, between

41
00:03:40,910 --> 00:03:41,840
the double quotes,

42
00:03:41,870 --> 00:03:44,990
we have our Kali Linux IP address.

43
00:03:45,020 --> 00:03:51,050
So this is my Kali Linux IP address, and here is the port that we want to connect to.

44
00:03:51,860 --> 00:03:59,090
The second part of the command is what we want to execute once it connects, and this entire part simply

45
00:03:59,090 --> 00:04:04,400
tells it to execute the bash shell and make it run as many commands as we want.

46
00:04:04,790 --> 00:04:07,160
So this is the entire thing that this command does.

47
00:04:07,430 --> 00:04:15,740
It connects to our Kali IP on the specified port and it executes the bash shell for us, so we can execute

48
00:04:15,740 --> 00:04:16,399
the commands.

49
00:04:17,600 --> 00:04:24,230
But in order for the target machine, which in our case is OWASP BWA, to be able to connect to our

50
00:04:24,230 --> 00:04:29,240
Kali Linux machine, we must listen on an open port for the incoming connections.

51
00:04:30,280 --> 00:04:39,430
And we can do that easily by opening a terminal and typing nc, which is netcat, dash lvp, and then

52
00:04:39,460 --> 00:04:47,070
the port that we want to listen on. This dash l simply stands for listen on any interface that Kali Linux

53
00:04:47,080 --> 00:04:47,380
has.

54
00:04:48,550 --> 00:04:54,460
So we're not specifying the exact interface, we're pretty much telling it to accept the connection on whichever

55
00:04:54,460 --> 00:04:56,270
interface you get the connection from.

56
00:04:57,010 --> 00:05:00,400
So it's nc -lvp and then space.

57
00:05:00,400 --> 00:05:02,080
And here we need a port.

58
00:05:02,500 --> 00:05:05,980
And if we go back to our command, let me find it.

59
00:05:06,730 --> 00:05:08,920
In this command, we specified the port

60
00:05:08,920 --> 00:05:09,850
1234.

61
00:05:09,880 --> 00:05:13,270
So we must use the same port inside of our netcat command.

62
00:05:13,510 --> 00:05:18,460
So we will type nc -lvp and then 1234.

63
00:05:19,240 --> 00:05:21,390
And this is pretty much all we have to do.

64
00:05:21,400 --> 00:05:24,730
It says listening on any interface on port

65
00:05:24,730 --> 00:05:25,510
1234.

66
00:05:26,250 --> 00:05:28,990
Now we want to copy this command.

67
00:05:30,340 --> 00:05:36,400
And make sure that you get all of these single quotes and double quotes right, because otherwise

68
00:05:36,400 --> 00:05:40,810
it will not work, and then we want to execute it right here.

69
00:05:41,050 --> 00:05:45,810
So let's go down and type www.google.com semicolon.

70
00:05:46,120 --> 00:05:49,150
And now let's paste the entire command here.

71
00:05:50,040 --> 00:05:57,390
Click on Lookup DNS, and the first thing that you will notice is that it's loading the page, it's not

72
00:05:57,390 --> 00:06:01,250
outputting anything for us, it's just continuously loading.

73
00:06:01,800 --> 00:06:05,490
And if we go back to our netcat window, here it is.

74
00:06:05,850 --> 00:06:14,430
We got our reverse shell opened, and we're on that machine currently as the www-data user. Here, we

75
00:06:14,430 --> 00:06:18,020
can execute all the commands without having to go to the web page.

76
00:06:18,030 --> 00:06:19,290
We can just type whoami.

77
00:06:19,620 --> 00:06:20,190
We can type

78
00:06:20,190 --> 00:06:22,590
ifconfig, we can type ls.

79
00:06:23,250 --> 00:06:30,690
We can type pwd to check the current working directory right here, and we can type anything that we can

80
00:06:30,690 --> 00:06:32,490
run from a normal terminal.

81
00:06:33,210 --> 00:06:37,980
We can even try to, for example, execute one of these files if we want to.

82
00:06:38,700 --> 00:06:45,180
So this is really good, because now we have a reverse shell established on the target machine and we

83
00:06:45,180 --> 00:06:51,030
can do anything that we want, including deleting files, creating files, navigating through the system,

84
00:06:51,330 --> 00:06:54,150
downloading files, uploading files, and all of that.

85
00:06:54,510 --> 00:06:55,620
So that's really cool.

86
00:06:56,830 --> 00:07:02,410
Even though you can do all of that by just typing in the commands right here, it's much easier once

87
00:07:02,410 --> 00:07:07,710
you have a reverse shell established, where you can just type in the command in the command line.

88
00:07:08,840 --> 00:07:14,330
Now that we did that, we covered a little bit of a different example of exploiting command injection,

89
00:07:14,630 --> 00:07:20,360
and in the next video, we're going to take a look at one last example of command injection, which

90
00:07:20,360 --> 00:07:23,950
will be on our DVWA on our virtual machine.

91
00:07:24,570 --> 00:07:25,700
See you in the next video.