1
00:00:00,700 --> 00:00:05,070
OK, components with known vulnerabilities.

2
00:00:05,720 --> 00:00:10,880
This is a really interesting vulnerability because it's a really, really big one.

3
00:00:11,550 --> 00:00:16,160
We're going to take a look at the example of it in our TryHackMe platform.

4
00:00:16,170 --> 00:00:20,990
So just navigate to the OWASP Top 10 room and you will have it in tasks

5
00:00:20,990 --> 00:00:24,950
27, 28 and task 29.

6
00:00:25,960 --> 00:00:29,200
So what exactly is this vulnerability?

7
00:00:30,100 --> 00:00:37,570
Well, applications can run on certain software, and this can be any software from Tomcat to WordPress

8
00:00:37,810 --> 00:00:43,120
to using different types of databases and all of that.

9
00:00:43,630 --> 00:00:50,160
And all of this software has had some type of vulnerabilities in previous versions.

10
00:00:51,550 --> 00:01:00,170
Now, what happens is that many websites and many companies don't regularly update their software.

11
00:01:00,790 --> 00:01:07,750
So a good example here, as it says, is: let's say that the company hasn't updated their version of

12
00:01:07,750 --> 00:01:09,760
WordPress for a few years.

13
00:01:10,360 --> 00:01:15,430
And using a tool such as WPScan, you can find its version, 4.6.

14
00:01:16,060 --> 00:01:24,550
Some quick research will reveal that WordPress 4.6 is vulnerable to an unauthenticated remote

15
00:01:24,550 --> 00:01:26,170
code execution exploit.

16
00:01:26,860 --> 00:01:32,980
So many of these well-known softwares have known vulnerabilities for previous versions, and

17
00:01:32,980 --> 00:01:39,820
this vulnerability occurs once an application is running software that is outdated and that has a known

18
00:01:39,970 --> 00:01:40,600
vulnerability.
19
00:01:40,960 --> 00:01:46,390
Now, this is a big topic that doesn't really have anything to do with bug bounty, but we're covering

20
00:01:46,390 --> 00:01:50,110
it nonetheless because this is also something that you want to search for.

21
00:01:50,890 --> 00:01:57,220
So in this example, I have already started my virtual machine, and you can start it on task number

22
00:01:57,220 --> 00:01:58,240
29.

23
00:01:59,170 --> 00:02:05,310
The task that we have is how many characters are in the /etc/passwd file.

24
00:02:05,770 --> 00:02:08,830
We can use this command to determine that.

25
00:02:09,750 --> 00:02:10,810
So let's give it a try.

26
00:02:11,100 --> 00:02:17,760
Let's copy the IP address of our machine and paste it straight into the browser.

27
00:02:19,130 --> 00:02:23,780
OK, so it opens this application that's called Online CSE

28
00:02:23,780 --> 00:02:25,240
Bookstore.

29
00:02:26,430 --> 00:02:32,310
And since we already know what type of vulnerability this is, we would actually try to scan it for

30
00:02:32,400 --> 00:02:39,030
different technologies that this application runs, what web server it has, what programming languages

31
00:02:39,300 --> 00:02:40,650
it uses and all of that.

32
00:02:40,890 --> 00:02:44,780
But particularly we also want to check out the application name.

33
00:02:45,090 --> 00:02:50,970
So, for example, this online bookstore could be something that is used widely and that actually has

34
00:02:50,970 --> 00:02:52,130
some vulnerabilities.

35
00:02:52,710 --> 00:02:55,490
How can we determine whether it has vulnerabilities?

36
00:02:55,920 --> 00:03:00,800
Well, we can just copy its name and try to find something on Google.

37
00:03:01,440 --> 00:03:07,680
Now, make sure that you don't confuse this vulnerability with the vulnerability that we covered with

38
00:03:07,680 --> 00:03:11,660
default credentials. Default credentials are something else.
39
00:03:11,880 --> 00:03:16,580
That is the mistake of the owner, that they didn't really change their default credentials.

40
00:03:16,590 --> 00:03:22,200
It's not a software vulnerability. However, this might have a software vulnerability.

41
00:03:22,650 --> 00:03:26,570
And by the results that it gets, it does indeed have some.

42
00:03:27,760 --> 00:03:35,560
We get two results or even three results right here, but only the first two are on a famous exploit website,

43
00:03:35,560 --> 00:03:38,200
which is called exploit-db.com.

44
00:03:38,410 --> 00:03:43,930
On this website, you will have a bunch of different exploits for a bunch of different outdated versions

45
00:03:43,930 --> 00:03:44,490
of software.

46
00:03:45,380 --> 00:03:48,020
Well, let's go with this first one first.

47
00:03:48,890 --> 00:03:53,690
It's called Online Bookstore Unauthenticated Remote Code Execution.

48
00:03:54,320 --> 00:04:01,700
This is really a serious vulnerability, and how this website works is it gives us the code of the exploit.

49
00:04:02,300 --> 00:04:03,920
In this specific example,

50
00:04:04,160 --> 00:04:06,180
the code is written in Python.

51
00:04:06,860 --> 00:04:10,190
Now, we can download the code by clicking on this button.

52
00:04:10,400 --> 00:04:17,060
And what's good for us is that we don't really need to know what exactly this code does, even though

53
00:04:17,240 --> 00:04:19,920
that is something that you want to get used to.

54
00:04:20,120 --> 00:04:21,800
You want to get used to reading code.

55
00:04:21,800 --> 00:04:27,680
And even better would be if you were to learn some programming language, because you will need it sooner

56
00:04:27,680 --> 00:04:32,090
or later once you get into this field of ethical hacking and bug bounty.

57
00:04:32,980 --> 00:04:38,620
Nonetheless, we're not going to refer to this code that much because programming is not a topic for

58
00:04:38,620 --> 00:04:39,220
this course.
59
00:04:39,220 --> 00:04:43,890
However, we're going to download this code and run it and see what it does.

60
00:04:45,700 --> 00:04:51,370
And that is also another reason why you actually want to learn programming: you don't want to be running

61
00:04:51,370 --> 00:04:53,320
any type of exploits on your machine.

62
00:04:53,710 --> 00:04:58,870
If you don't know what this code does, then you won't really know what it will do on your machine.

63
00:04:59,050 --> 00:05:00,550
It might do something malicious.

64
00:05:00,550 --> 00:05:04,640
You never know, especially when you're downloading exploits from some sketchy site.

65
00:05:05,200 --> 00:05:12,240
Nonetheless, this is exploit-db.com, and it should have a working exploit for us.

66
00:05:12,250 --> 00:05:19,060
So let's open the folder where we downloaded our Python code, and it's called 47887

67
00:05:19,060 --> 00:05:21,480
.py. To run it,

68
00:05:21,490 --> 00:05:28,920
we can open a terminal in this folder and we can simply type python3 and then the filename.

69
00:05:29,500 --> 00:05:33,940
Hopefully this will give us some help menu that will tell us how exactly we can run this program.

70
00:05:34,510 --> 00:05:37,510
In this case, the help menu says error:

71
00:05:37,870 --> 00:05:43,600
the following arguments are required: url, which is pretty common sense.

72
00:05:43,600 --> 00:05:47,050
We need to specify which target we are attacking with this exploit.

73
00:05:47,410 --> 00:05:50,650
And in our case, it will be this target.

74
00:05:50,770 --> 00:05:54,820
So let's copy the IP address of our online bookstore.

75
00:05:55,060 --> 00:06:01,930
And let's go back to our terminal and run our exploit like this.

76
00:06:03,640 --> 00:06:06,850
Let's paste the clipboard and press enter.

77
00:06:10,140 --> 00:06:12,160
Do you wish to launch a shell here?

78
00:06:12,420 --> 00:06:16,470
Let's specify Y for yes, and here it is.
79
00:06:16,860 --> 00:06:22,570
We opened a remote command shell and now we can execute commands on the target system.

80
00:06:22,680 --> 00:06:26,340
If I type whoami, it will give the result. If I type

81
00:06:27,210 --> 00:06:28,710
it will also give me the result.

82
00:06:28,860 --> 00:06:31,100
And now I'm pretty much on that machine.

83
00:06:31,110 --> 00:06:32,670
I can do whatever I want on it.

84
00:06:33,450 --> 00:06:38,030
And this is the power of exploiting an outdated version of software.

85
00:06:38,760 --> 00:06:43,230
We got the remote code execution vulnerability, and now, to finish it off,

86
00:06:44,170 --> 00:06:48,100
let's go right here, let's copy the command that they tell us to run.

87
00:06:50,520 --> 00:06:58,620
Let's paste it right here and run it, and the output that we get is 1611. Let's copy that,

88
00:06:59,040 --> 00:07:02,910
specify it right here as our answer and submit.

89
00:07:04,090 --> 00:07:05,770
And it's the correct answer.

90
00:07:06,660 --> 00:07:13,770
So you saw how serious this can be. You can be protected against all of these bugs, such as SQL injections,

91
00:07:13,770 --> 00:07:18,890
such as XSS, XXE and all the others that we covered.

92
00:07:18,900 --> 00:07:24,480
But if you're running outdated software with a known vulnerability, there is most likely going to be

93
00:07:24,480 --> 00:07:31,860
code out there online, or an exploit out there online, that we can just download and run and get straight

94
00:07:31,860 --> 00:07:32,930
into that machine.

95
00:07:33,180 --> 00:07:37,950
We pretty much gained access to it in two seconds from running this exploit.

96
00:07:39,010 --> 00:07:44,350
But even when you find something like this, that's not where you want to stop. There could be other

97
00:07:44,380 --> 00:07:45,400
vulnerabilities as well.

98
00:07:45,790 --> 00:07:47,620
For example, we did notice...
99
00:07:48,980 --> 00:07:54,830
Let me go back. We did notice another link right here that is from Exploit DB.

100
00:07:56,410 --> 00:07:59,350
Oops, I have no idea where I went.

101
00:07:59,950 --> 00:08:05,620
Yeah, it's this link right here from Exploit DB, and it could be another exploit.

102
00:08:05,740 --> 00:08:08,250
So we want to take a look at that one as well.

103
00:08:10,130 --> 00:08:18,340
And this one seems to be an HTTP request. Let's read through it: CSE Bookstore is vulnerable to an

104
00:08:18,350 --> 00:08:22,210
authentication bypass vulnerability on the admin panel.

105
00:08:22,730 --> 00:08:26,410
By default, the admin panel is located at /admin.

106
00:08:27,440 --> 00:08:34,539
And the administrator interface can be accessed by unauthorized users exploiting the SQL injection

107
00:08:34,539 --> 00:08:38,630
vulnerability. We're already familiar with SQL injection.

108
00:08:38,669 --> 00:08:39,740
So let's give it a try.

109
00:08:39,830 --> 00:08:40,500
Why not?

110
00:08:40,520 --> 00:08:46,610
Even though we found a vulnerability and finished the task, we still want to discover all the other vulnerabilities.

111
00:08:47,420 --> 00:08:53,630
So let's see, how can we access the admin panel without actually manually adding /admin?

112
00:08:53,810 --> 00:08:55,990
And here is the admin login page.

113
00:08:56,180 --> 00:08:57,140
Let's click on that.

114
00:08:57,680 --> 00:08:58,820
We get the login screen.

115
00:08:58,830 --> 00:09:03,740
So let's try with the basic SQL injection test:

116
00:09:03,740 --> 00:09:13,320
single quote or one equals one with single quotes, and we use the same thing in the password.

117
00:09:13,580 --> 00:09:14,570
Let's submit this.

118
00:09:15,290 --> 00:09:15,800
Oops.

119
00:09:15,800 --> 00:09:17,540
Yeah, we're logging in as admin.

120
00:09:17,720 --> 00:09:22,130
We don't really want to use the actual injection as the name.
121
00:09:22,130 --> 00:09:23,930
We only want to use it as the password.

122
00:09:24,200 --> 00:09:32,270
So here we are simply going to type single quote, space, or, single quote,

123
00:09:32,270 --> 00:09:36,050
one, single quote, equals, single quote, one.

124
00:09:36,920 --> 00:09:39,950
Let's submit the query and here it is.

125
00:09:40,490 --> 00:09:48,500
Our SQL injection worked and we found the second vulnerability, and now we're logged in as admin. What's good

126
00:09:48,650 --> 00:09:54,980
is that we even used knowledge from a previous section to exploit another vulnerability on this page.

127
00:09:55,670 --> 00:10:01,370
Good. Now that we've covered this for long enough, we have one more thing to cover in the next lecture, which

128
00:10:01,370 --> 00:10:04,940
is called Insufficient Logging and Monitoring.

129
00:10:05,450 --> 00:10:06,050
See you there.