﻿1
00:00:01,320 --> 00:00:03,670
For a fresh hack, you can start over.

2
00:00:04,200 --> 00:00:06,480
I'm just going to move on with the same request.

3
00:00:07,870 --> 00:00:15,880
So there are several ways to include a file which is stored locally or on a remote server, and also there

4
00:00:15,910 --> 00:00:19,250
are several ways to execute the files that are executable.

5
00:00:19,390 --> 00:00:19,810
So.

6
00:00:21,030 --> 00:00:23,670
The first way is to contaminate a log file.

7
00:00:24,700 --> 00:00:28,660
Then include the contaminated log file in the page.

8
00:00:29,520 --> 00:00:31,410
OK, so just send the first request.

9
00:00:32,710 --> 00:00:33,850
Then go to bee-box.

10
00:00:35,070 --> 00:00:43,860
Open a terminal and type tail /var/log/apache2/access.log.

11
00:00:45,250 --> 00:00:49,900
So this log file contains the GET requests that we sent.

12
00:00:51,230 --> 00:00:54,470
So now I'm going to contaminate this file with a script.

13
00:00:56,000 --> 00:00:57,440
So going back to Kali.

14
00:00:58,440 --> 00:01:01,410
I'm going to paste this code.

15
00:01:02,720 --> 00:01:04,880
And it's a simple shell.

16
00:01:06,500 --> 00:01:13,010
It'll execute the value of a command parameter sent over the URL as an operating system command.

17
00:01:14,760 --> 00:01:15,990
And send the request.

18
00:01:18,240 --> 00:01:24,450
There's nothing with the request, so go to bee-box and run the same command in the terminal.

19
00:01:25,880 --> 00:01:28,670
So here is the code that we sent over the URL.

20
00:01:30,650 --> 00:01:31,820
Now go back to Kali.

21
00:01:33,660 --> 00:01:41,850
And delete this code and type /var/log/apache2/access.log.

22
00:01:42,890 --> 00:01:46,790
&command=pwd.

23
00:01:48,790 --> 00:01:50,040
All right, so, no, it doesn't work.

24
00:01:50,940 --> 00:01:53,470
The command is not executed.

25
00:01:53,850 --> 00:01:58,650
We got a permission denied error, so that just means we need to try something else.

26
00:01:59,670 --> 00:02:07,290
Now, there is a special file in the proc directory: /proc/self/environ.

27
00:02:09,190 --> 00:02:16,450
Now, in order to contaminate this file, we need to add this simple shell as the value of the User-

28
00:02:16,450 --> 00:02:17,350
Agent header.

29
00:02:18,520 --> 00:02:20,830
So I'm going to paste it in here.

30
00:02:21,700 --> 00:02:23,170
Now, send the request.

31
00:02:24,950 --> 00:02:26,120
And have a look at the response.

32
00:02:28,160 --> 00:02:30,600
No, it doesn't work either.

33
00:02:30,650 --> 00:02:32,960
We got the same error.

34
00:02:35,140 --> 00:02:37,190
So, OK, we can try a different way.

35
00:02:38,460 --> 00:02:41,640
I need a clean request, so I'll go back.

36
00:02:42,590 --> 00:02:47,030
And I will change this payload to a wrapper this time.

37
00:02:47,970 --> 00:02:52,080
So let's add php://input here.

38
00:02:53,530 --> 00:02:59,830
And now paste the shell script into the body of the request, like this.

39
00:03:00,880 --> 00:03:03,430
All right, so now send the request.

40
00:03:04,750 --> 00:03:06,340
And look at the response.

41
00:03:07,280 --> 00:03:07,910
That's it.

42
00:03:08,840 --> 00:03:14,900
Yeah, this time the command works, and OK, so change it to the ls command.

43
00:03:16,820 --> 00:03:17,970
And it works.

44
00:03:17,990 --> 00:03:22,880
So now let's go a little further and open a netcat shell.

45
00:03:23,790 --> 00:03:27,840
On bee-box, so the first thing we need to do here

46
00:03:28,880 --> 00:03:32,930
is we need to learn where the netcat binary is.

47
00:03:34,420 --> 00:03:42,090
Sometimes it can reside in different directories, so it's not too hard to find: just type which%20nc.

48
00:03:42,140 --> 00:03:47,710
%20 is the URL-encoded space character.

49
00:03:48,830 --> 00:03:49,880
And send it.

50
00:03:51,100 --> 00:03:54,970
And here is netcat under the bin directory.

51
00:03:56,350 --> 00:04:03,250
And here are the Bash commands to open a reverse shell from bee-box to Kali.

52
00:04:04,260 --> 00:04:06,630
So I'm going to copy the second one.

53
00:04:07,830 --> 00:04:11,880
Now, sometimes it doesn't work because of the difference between the versions of netcat.

54
00:04:13,110 --> 00:04:16,280
So your version and the version on the target may cause problems.

55
00:04:17,340 --> 00:04:22,950
But in a situation like that, you can always use the third line as a reverse shell.

56
00:04:24,320 --> 00:04:25,910
OK, so I'm going to paste it here.

57
00:04:27,620 --> 00:04:28,460
And send it.

58
00:04:30,590 --> 00:04:32,390
Hmm, I think something went wrong.

59
00:04:32,870 --> 00:04:35,030
I don't see a response, there's nothing in it.

60
00:04:35,330 --> 00:04:36,740
OK, so I found it.

61
00:04:37,730 --> 00:04:43,100
Yeah, it's for sure a URL encoding problem, so let's open up the Decoder tool.

62
00:04:44,130 --> 00:04:45,110
Paste here.

63
00:04:46,290 --> 00:04:47,850
And encode as URL.

64
00:04:49,390 --> 00:04:52,450
OK, copy all of that whole output.

65
00:04:53,630 --> 00:04:56,210
And paste it instead of this.

66
00:04:57,460 --> 00:05:00,760
Now, before sending the request, open a terminal.

67
00:05:01,670 --> 00:05:10,070
And of course, we should listen for the incoming shell connection: nc -nlvp 443.

68
00:05:11,000 --> 00:05:12,380
Now go to Burp again.

69
00:05:14,020 --> 00:05:15,160
Now, send the request.

70
00:05:16,760 --> 00:05:21,860
Now, I wait for this empty response pane, as in the previous attempt, so.

71
00:05:23,010 --> 00:05:24,600
I think we got the shell.

72
00:05:25,770 --> 00:05:30,810
Go to the terminal, and here is a connection: the IP address of bee-box.

73
00:05:32,000 --> 00:05:36,680
So this way, netcat provides us a shell interface on bee-box.

74
00:05:37,750 --> 00:05:43,330
So now we can execute Bash shell commands on bee-box.

75
00:05:44,580 --> 00:05:52,850
I'd like to see the current user, and you can execute every command that your user is able to execute,

76
00:05:53,550 --> 00:05:54,960
and what do you know?

77
00:05:54,960 --> 00:05:58,080
We can traverse between folders, list them.

78
00:05:59,980 --> 00:06:05,020
Now, from here on out, it's up to you and your imagination. What can you find?

79
00:06:06,000 --> 00:06:10,620
We are going to exploit the remote file inclusion in the next lesson.

