1
00:00:01,120 --> 00:00:01,819
Welcome back.

2
00:00:02,410 --> 00:00:10,300
Now that we learned what XSS is in theory, let's see different examples of how we can use and exploit

3
00:00:10,300 --> 00:00:11,710
the XSS vulnerability.

4
00:00:12,580 --> 00:00:16,239
We're going to start off, as usual, with our TryHackMe platform.

5
00:00:16,870 --> 00:00:19,800
So I already have my machine started right here.

6
00:00:19,810 --> 00:00:24,340
I have navigated to task number 20, which says cross site scripting.

7
00:00:24,730 --> 00:00:29,360
And we have a couple of options right here, or a couple of tasks.

8
00:00:29,380 --> 00:00:29,590
Sure.

9
00:00:29,590 --> 00:00:32,680
They say we have to solve all of these challenges.

10
00:00:33,490 --> 00:00:40,930
And I also advise you, before you do that, that you can read through this theory part right here and

11
00:00:41,050 --> 00:00:44,070
maybe learn a thing or two more about XSS.

12
00:00:44,710 --> 00:00:52,030
Nonetheless, once you do that, copy the IP address of your virtual machine and paste it in your browser.

13
00:00:54,020 --> 00:01:01,070
OK, so we got a simple page that has a login form, a register form, and it has some options right

14
00:01:01,070 --> 00:01:05,310
here where we can go to reflected XSS or stored XSS.

15
00:01:05,930 --> 00:01:08,270
Let's see what our first task is.

16
00:01:08,750 --> 00:01:11,090
The first task is to deploy the VM.

17
00:01:11,090 --> 00:01:12,380
We already did that.

18
00:01:12,980 --> 00:01:19,490
The second task is: navigate to our IP address in your browser and click on the reflected XSS tab on the

19
00:01:19,520 --> 00:01:25,790
navigation bar. Craft a reflected XSS payload that will cause a pop up saying hello.

20
00:01:26,850 --> 00:01:35,190
OK, this sounds like a simple task, so let's go right here and let's navigate to the reflected XSS.

21
00:01:36,160 --> 00:01:41,620
As we can even see right here, our task is to create a payload that will pop up a message that says

22
00:01:41,620 --> 00:01:48,910
hello, and we can do that with the help of the JavaScript alert function, the same one that we covered

23
00:01:48,910 --> 00:01:50,910
inside of our theory video.

24
00:01:51,820 --> 00:01:57,570
So all we have to do is, let's first see what would happen if we just type test.

25
00:01:58,210 --> 00:02:01,090
So it will reflect it right here on the page.

26
00:02:01,090 --> 00:02:03,160
It will say you searched for test.

27
00:02:03,790 --> 00:02:10,750
Now, if we type our JavaScript code, the function that we use is once again alert; in order to specify

28
00:02:11,350 --> 00:02:15,850
the alert message, in our case, the message will be hello, because that is our task.

29
00:02:16,600 --> 00:02:24,370
And we close the script tags, we click on search, and here we have an XSS. It ran our JavaScript

30
00:02:24,370 --> 00:02:27,310
code and opened this window that says hello.

31
00:02:28,160 --> 00:02:29,710
OK, let's click on OK.

32
00:02:30,280 --> 00:02:32,930
And we get our flag right here.

33
00:02:33,130 --> 00:02:35,410
So this is the flag for the challenge.

34
00:02:36,570 --> 00:02:38,130
Let's copy it.

35
00:02:39,620 --> 00:02:43,310
Let's go back, specify it right here and submit it.

36
00:02:43,850 --> 00:02:49,250
OK, let's close this and let's see what our second challenge is.

37
00:02:50,220 --> 00:02:57,450
So on the same reflected page, craft a reflected XSS payload that will cause a pop up with your machine's

38
00:02:57,450 --> 00:02:58,230
IP address.

39
00:02:59,580 --> 00:03:05,940
OK, so we pretty much use the same user input, so we know it's vulnerable to XSS. Now we need to

40
00:03:05,940 --> 00:03:12,110
run a different JavaScript code in order to pop up the IP address of the virtual machine.

41
00:03:13,260 --> 00:03:16,590
We can do that by typing this script right here.

42
00:03:17,680 --> 00:03:21,660
And let me just zoom in just so you can see a little bit better.

43
00:03:24,150 --> 00:03:28,860
We run script, and then inside the script tags, we type alert.

44
00:03:30,610 --> 00:03:39,610
And in between the brackets, we specify window, dot, location, dot, hostname, and of course, at

45
00:03:39,610 --> 00:03:42,690
the end we close the script tags.

46
00:03:42,970 --> 00:03:48,850
So this is how our script would look in order to pop up the IP address of the virtual machine.

47
00:03:49,390 --> 00:03:50,470
Let's click on Search.

48
00:03:51,430 --> 00:03:54,100
And here it is, we get it right here.

49
00:03:55,170 --> 00:04:00,900
Click on OK, and we will get our flag, which is specified as a result for our challenge.

50
00:04:01,770 --> 00:04:06,860
Let's go right here, paste it, submit it, and that one is correct as well.

51
00:04:07,770 --> 00:04:15,750
The second thing, or pardon me, the third task that we have is: navigate to the same IP address in your

52
00:04:15,750 --> 00:04:20,620
browser and click on Stored XSS, and we also need to make an account.

53
00:04:20,670 --> 00:04:22,110
So let's do that real quick.

54
00:04:22,770 --> 00:04:26,090
Let's close this, navigate to stored XSS.

55
00:04:26,880 --> 00:04:31,520
Remember, the reflected XSS only reflected our JavaScript code on the page.

56
00:04:31,530 --> 00:04:33,450
It didn't store it on the server.

57
00:04:34,050 --> 00:04:39,640
With the stored XSS, we're going to see an example of our JavaScript code being stored on the server.

58
00:04:40,080 --> 00:04:47,160
But before we do that, let's register as a user: as the username type test, and as a password we can use test

59
00:04:47,190 --> 00:04:48,380
one, two, three, four.

60
00:04:48,930 --> 00:04:50,040
Let's register.

61
00:04:51,540 --> 00:04:55,360
And we are currently signed in as the test user.

62
00:04:55,830 --> 00:05:02,370
Now, we could have maybe used an XSS on this part right here, as a username, because it does get reflected

63
00:05:02,370 --> 00:05:02,960
on this page.

64
00:05:02,970 --> 00:05:04,680
But this is not a part of the task.

65
00:05:05,040 --> 00:05:08,070
That is something that you can try after we finish this video.

66
00:05:08,500 --> 00:05:11,130
For now, we want to navigate to the stored XSS.

67
00:05:11,610 --> 00:05:16,620
And it appears that we have a simple comments application. If we type hello right here,

68
00:05:17,610 --> 00:05:18,480
post a comment.

69
00:05:20,120 --> 00:05:25,540
Here is our username, and we said hello in the chat, or in the comments.

70
00:05:26,510 --> 00:05:32,780
Now, let's see what our first task is: we want to add a comment and see if we can insert some of our

71
00:05:32,780 --> 00:05:37,630
own HTML. So we are already comfortable with HTML injection.

72
00:05:37,670 --> 00:05:41,090
So this is probably something that we know we can try to type.

73
00:05:42,350 --> 00:05:46,100
Open header tag, text test, and close header tag.

74
00:05:47,670 --> 00:05:57,210
And here it is, we also have the HTML injection, and the answer for this question is this: HTML T 4

75
00:05:57,430 --> 00:05:58,080
G S.

76
00:05:58,590 --> 00:06:00,780
Let's specify it as the answer right here.

77
00:06:03,230 --> 00:06:06,680
And let's move on to the last two challenges in this video.

78
00:06:07,430 --> 00:06:14,420
So on the same page, create an alert popup box to appear on the page with your document cookies.

79
00:06:16,310 --> 00:06:19,460
Well, we already know what we're going to use: the same alert function.

80
00:06:19,820 --> 00:06:21,530
So let's open our script tags.

81
00:06:22,130 --> 00:06:31,010
And in between the alert brackets, we want to specify document dot cookies in order to alert us with

82
00:06:31,010 --> 00:06:31,940
our cookie values.

83
00:06:32,850 --> 00:06:35,350
We, of course, need to close the script tags.

84
00:06:35,570 --> 00:06:41,900
And once we submit this comment, we get our cookies right here.

85
00:06:43,280 --> 00:06:51,320
And this is also stored XSS. We will get our result, our flag, right here, which for some reason

86
00:06:51,350 --> 00:06:52,930
I can't seem to copy.

87
00:06:53,720 --> 00:06:56,120
Let's try it like this, pasted.

88
00:06:57,460 --> 00:07:05,800
And it works. Now, if I refresh this page, you will notice that due to this being a stored XSS, this

89
00:07:05,830 --> 00:07:12,580
will pop up every time I refresh the page. And not only every time I refresh the page, but every time

90
00:07:12,580 --> 00:07:19,300
someone else visits this exact same page, they will get a pop up with their cookie value.

91
00:07:19,780 --> 00:07:22,870
And that is because this is a stored XSS.

92
00:07:23,230 --> 00:07:25,870
A stored XSS gets stored on the server.

93
00:07:25,880 --> 00:07:32,890
And this value right here of our HTML injection, and the value of our JavaScript injection, or XSS

94
00:07:32,890 --> 00:07:38,800
vulnerability, is also getting stored on the server and loaded every time someone opens this page.

95
00:07:39,670 --> 00:07:43,660
And that is the difference between the reflected XSS and stored XSS.

96
00:07:44,200 --> 00:07:49,390
This one, we can say, is a little bit more dangerous because it's getting stored on the server.

97
00:07:50,630 --> 00:07:57,440
Now, let's go with our last challenge. It says: change XSS Playground to I am a hacker by adding

98
00:07:57,440 --> 00:07:59,570
a comment and using JavaScript.

99
00:08:01,310 --> 00:08:07,140
We have the XSS playground right here, and we want to change this into I am a hacker.

100
00:08:07,970 --> 00:08:09,450
This can be a little bit tricky.

101
00:08:09,650 --> 00:08:14,800
We want to find the ID of XSS playground, and we want to change it to I am a hacker.

102
00:08:15,620 --> 00:08:19,850
We can find the ID by going to inspect element.

103
00:08:21,260 --> 00:08:23,840
Then we want to navigate to this part right here.

104
00:08:25,390 --> 00:08:34,020
And it's in the navigation bar. Under that, open our div tags, open our a tags for the XSS playground

105
00:08:34,630 --> 00:08:38,710
right here, and we should be able to find the ID of the XSS playground.

106
00:08:38,710 --> 00:08:40,150
And it's right here.

107
00:08:40,179 --> 00:08:45,770
In this line, the ID equals t h m dash title.

108
00:08:46,150 --> 00:08:47,390
So that is our ID.

109
00:08:47,950 --> 00:08:51,120
Now we want to call it with our JavaScript injection.

110
00:08:51,250 --> 00:08:54,940
So let's go down here, open our script tags.

111
00:08:56,680 --> 00:09:07,420
Let's type document dot, and we're going to use query selector, and in between the brackets, we specify

112
00:09:07,420 --> 00:09:10,650
the ID of our XSS playground.

113
00:09:10,660 --> 00:09:15,310
Since that is what we want to change, we need to specify it in between the single quotes.

114
00:09:15,310 --> 00:09:20,800
Then we add a hash and then the name, which is t h m dash title.

115
00:09:23,240 --> 00:09:31,730
So we change it like this, then we add dot and then text content equals, and now we specify what

116
00:09:31,730 --> 00:09:35,020
we want to change it to. For our challenge, we must change it to

117
00:09:35,030 --> 00:09:36,830
I am a hacker.

118
00:09:38,010 --> 00:09:41,220
And at the end, we close the script tags.

119
00:09:42,230 --> 00:09:49,580
So this is our payload. If we specified everything correctly, it should change this XSS playground

120
00:09:49,580 --> 00:09:50,620
into I'm a hacker.

121
00:09:50,960 --> 00:09:52,490
Let's click on comment.

122
00:09:55,070 --> 00:10:02,480
We get loaded with these values, and for some reason, or never mind, it worked. We managed to change

123
00:10:02,480 --> 00:10:07,490
it, and now it says right here, I'm a hacker, and we successfully completed the challenge.

124
00:10:08,210 --> 00:10:12,790
If we take a closer look at this page, we also get this right here, which is our flag.

125
00:10:13,130 --> 00:10:17,030
This is a flag that means that we successfully completed this challenge.

126
00:10:17,420 --> 00:10:20,840
Let's specify it right here and let's submit it.

127
00:10:21,940 --> 00:10:23,150
OK, awesome.

128
00:10:23,770 --> 00:10:29,420
I do admit this last task was a little bit harder, but we managed to get through it.

129
00:10:30,010 --> 00:10:36,280
We used the query selector, and then we selected the ID of the thing that we want to change, and we

130
00:10:36,280 --> 00:10:40,450
used the text content in order to write the I am a hacker sentence.

131
00:10:41,080 --> 00:10:41,490
Awesome.

132
00:10:41,950 --> 00:10:48,160
Nonetheless, we finished with the TryHackMe example of XSS, and we're going to move to XSS examples

133
00:10:48,160 --> 00:10:50,910
inside of our DVWA virtual machine.

134
00:10:51,520 --> 00:10:52,570
See you in the next lecture.