1
00:00:00,710 --> 00:00:05,420
Now, in a previous video, we started to look for known vulnerabilities in the box.

2
00:00:07,510 --> 00:00:13,930
In the next few videos, we're going to cover these problems and so much more, so here's another one.

3
00:00:15,480 --> 00:00:20,430
Now, within your reconnaissance phase, let's say that we discover the SQLite directory.

4
00:00:21,870 --> 00:00:23,640
And when you follow it.

5
00:00:26,430 --> 00:00:31,470
This page will open. It is a SQLiteManager interface.

6
00:00:32,630 --> 00:00:36,800
And you can easily get the version information from the upper part of the page here.

7
00:00:37,480 --> 00:00:38,840
OK, so that's how we got it.

8
00:00:40,060 --> 00:00:44,440
Now, after detecting the version, we'll look for public exploits.

9
00:00:45,480 --> 00:00:54,330
So go to exploit-db.com, check Verified Exploits, and type in the search box: SQLite.

10
00:00:56,650 --> 00:00:58,690
OK, so the exploits here are listed.

11
00:00:59,890 --> 00:01:05,050
Now we need to find exploits that match our SQLite version on our target.

12
00:01:06,740 --> 00:01:11,360
So I think this local file inclusion correlates to our version.

13
00:01:13,140 --> 00:01:14,790
And this is the content.

14
00:01:16,540 --> 00:01:20,470
And the currentTheme cookie is vulnerable to LFI.

15
00:01:21,980 --> 00:01:24,740
And it views the magic file.

16
00:01:25,620 --> 00:01:26,520
That's just a payload.

17
00:01:27,550 --> 00:01:29,980
There are no extra files or anything else.

18
00:01:31,050 --> 00:01:33,090
So let's go to the manager page.

19
00:01:34,130 --> 00:01:36,080
Then enable FoxyProxy.

20
00:01:39,320 --> 00:01:40,940
From the main menu, choose something.

21
00:01:43,190 --> 00:01:47,540
And it will automatically make a request, so open Burp.

22
00:01:48,810 --> 00:01:54,360
And the request is like that, but there's no cookie information that we are looking for.

23
00:01:55,290 --> 00:01:56,430
So we'll forward it.

24
00:01:57,540 --> 00:01:59,010
And the response comes.

25
00:02:00,420 --> 00:02:02,950
And look what we have here.

26
00:02:03,960 --> 00:02:08,370
The server sets the SQLiteManager_currentTheme cookie.

27
00:02:09,060 --> 00:02:10,770
So that's great.

28
00:02:10,950 --> 00:02:11,580
Forward it.

29
00:02:12,520 --> 00:02:15,430
And now the page will request other components.

30
00:02:16,610 --> 00:02:19,940
And that's where the browser will send the currentTheme cookie.

31
00:02:21,520 --> 00:02:25,120
OK, so let's delete this value and add this one.

32
00:02:26,540 --> 00:02:31,490
But now I want to point out an important thing here, the null character at the end of the payload:

33
00:02:32,030 --> 00:02:34,120
if you don't put it in, it's going to fail.

34
00:02:35,400 --> 00:02:37,800
So when we look at the code, you'll know why.

35
00:02:38,850 --> 00:02:39,870
OK, so forward it.

36
00:02:41,090 --> 00:02:44,540
OK, very nice, we get the content of our magic file.

37
00:02:46,120 --> 00:02:48,220
Now, we've already seen this file, so.

38
00:02:49,280 --> 00:02:50,630
It's really no big deal.

39
00:02:50,650 --> 00:02:51,900
You don't have to see it again.

40
00:02:53,920 --> 00:02:57,370
So we validate and then exploit the vulnerability.

41
00:02:58,640 --> 00:03:02,750
Now, go to the terminal, go to the SQLite directory.

42
00:03:03,880 --> 00:03:06,370
And there are files and folders here.

43
00:03:07,730 --> 00:03:14,020
Now, to analyze it quickly, you can run a grep command, so type grep SQLiteManager_currentTheme

44
00:03:14,030 --> 00:03:18,290
-Rni and run.

45
00:03:22,140 --> 00:03:25,650
So this text is used five times in two different files.

46
00:03:27,170 --> 00:03:28,970
Now view the first file.

47
00:03:33,220 --> 00:03:35,470
And have a look at this part of the code.

48
00:03:36,480 --> 00:03:46,710
If the theme variable in the POST request is set, the application sets the currentTheme cookie. If the currentTheme

49
00:03:46,710 --> 00:03:48,550
cookie is already set,

50
00:03:48,570 --> 00:03:52,320
the application sets its value to localTheme.

51
00:03:52,930 --> 00:03:54,420
OK, go back.

52
00:03:55,720 --> 00:03:58,150
And now I'm going to look for localTheme.

53
00:04:00,990 --> 00:04:06,990
And of course, it takes a little more to analyze manually, but, you know, I'm used to it and you'll

54
00:04:06,990 --> 00:04:07,710
get used to it.

55
00:04:09,540 --> 00:04:12,090
But look here, the last line is interesting.

56
00:04:12,970 --> 00:04:15,900
It has an include function as well.

57
00:04:17,190 --> 00:04:18,780
So go to this file.

58
00:04:22,280 --> 00:04:25,190
And this line, it is here.

59
00:04:26,290 --> 00:04:32,560
So the application includes the value in localTheme, and the null character we put after

60
00:04:32,560 --> 00:04:34,690
the payload eliminates the rest.

61
00:04:36,170 --> 00:04:42,710
OK, so now you know how to get a full shell over an LFI vulnerability.

62
00:04:44,480 --> 00:04:50,780
We practiced in the 11th section, I know you remember it well, that's why I'm leaving the rest for

63
00:04:50,780 --> 00:04:51,110
you.

