1
00:00:03,380 --> 00:00:10,460
We're going to use the OWASP Broken Web Applications VM for this demo. First go to the OWASP Broken

2
00:00:10,460 --> 00:00:16,520
Web Applications page using its IP address, or the domain name if you defined it in the hosts file.

3
00:00:17,690 --> 00:00:25,850
I use the owaspbwa domain name, which is mapped to the IP address of the host machine. On the main

4
00:00:25,850 --> 00:00:27,890
page, I click the bWAPP link.

5
00:00:28,160 --> 00:00:30,530
Which brings you to an extremely buggy web app.

6
00:00:31,400 --> 00:00:32,720
Log in to the app.

7
00:00:33,380 --> 00:00:38,390
The username is bee, as in the insect, and the default password is bug.

8
00:00:39,290 --> 00:00:47,780
Now there's a list inside the opened page. Find the Directory Traversal - Files item inside the list, select

9
00:00:47,780 --> 00:00:50,090
it and press the Hack button at the bottom of the list.

10
00:00:52,350 --> 00:00:57,150
There's a message inside the opened page that says "Try to climb higher, Spidey".

11
00:00:57,420 --> 00:00:58,220
OK, let's try.

12
00:00:58,230 --> 00:01:02,850
Then when we look at the URL, we see the part page=message.txt.

13
00:01:03,840 --> 00:01:07,440
Always be suspicious of these kinds of input fields.

14
00:01:08,010 --> 00:01:12,840
Does the message.txt file point directly to a file inside the server?

15
00:01:13,590 --> 00:01:18,870
What if I change the file name or path to understand what happens when I try to reach another file inside

16
00:01:18,870 --> 00:01:19,500
the web server?

17
00:01:19,510 --> 00:01:27,090
Let's make a little preparation first. I go to the OWASP-BWA virtual machine and go to root using the cd

18
00:01:27,390 --> 00:01:29,370
or cd / Linux commands.

19
00:01:30,180 --> 00:01:32,130
I want to create a text file here.

20
00:01:33,280 --> 00:01:36,880
The echo Linux command writes the text given as the parameter.

21
00:01:37,860 --> 00:01:42,060
Here our text is "We have an alternative!"

22
00:01:42,720 --> 00:01:48,680
The greater-than character redirects the output to the target, and I give the target as

23
00:01:48,930 --> 00:01:49,360
mymessage.txt.

24
00:01:50,340 --> 00:01:52,080
Check the file with the cat command.

25
00:01:52,620 --> 00:01:54,210
We see that it contains our message.

26
00:01:55,260 --> 00:01:59,720
Now, let's go back to the bWAPP app and try to access this

27
00:02:00,000 --> 00:02:06,480
mymessage.txt file. I put the file in root, so I have to navigate to root first. In Linux systems,

28
00:02:06,780 --> 00:02:11,280
../ characters are used to bring you to the outer folder.

29
00:02:11,760 --> 00:02:16,560
If you put enough ../ characters, you can reach the root folder.

30
00:02:16,830 --> 00:02:20,040
What happens if you put those characters when you're at the root?

31
00:02:20,520 --> 00:02:21,600
Well, absolutely nothing.

32
00:02:22,080 --> 00:02:27,990
So you can put ../ in as many times as possible, then write the file name you want to access,

33
00:02:28,320 --> 00:02:30,750
mymessage.txt, and hit enter.

34
00:02:32,800 --> 00:02:35,200
As you can see, the text on the page has changed.

35
00:02:35,860 --> 00:02:41,500
"We have an alternative." That means we accessed an arbitrary file inside the web server.

36
00:02:41,830 --> 00:02:47,290
Now we can try to access critical system files, since ../ worked fine.

37
00:02:47,710 --> 00:02:53,620
Well, we assume that the web server has a Unix, Linux or BSD based operating

38
00:02:53,620 --> 00:02:59,220
system, because Microsoft operating systems use the backward slash instead of the forward slash.

39
00:03:00,100 --> 00:03:04,300
Let's try to access the password file under the /etc directory.

40
00:03:07,540 --> 00:03:08,110
Voila!

41
00:03:08,500 --> 00:03:14,920
We could read the password file. /etc/passwd is a text file that contains the attributes

42
00:03:14,920 --> 00:03:20,530
of each user or account on a computer running Linux or another Unix-like operating system.

43
00:03:21,310 --> 00:03:24,100
What else can we reach? The shadow file?

44
00:03:24,670 --> 00:03:31,750
The /etc/shadow file stores actual passwords in encrypted format for user accounts, with

45
00:03:31,750 --> 00:03:34,150
additional properties related to user passwords.

46
00:03:34,960 --> 00:03:39,010
No, we cannot access the shadow file with the privileges of the current user.