1
00:00:01,270 --> 00:00:08,020
I mentioned earlier that Weevely allows us to run a number of very useful functions on the target server

2
00:00:08,090 --> 00:00:11,250
if we manage to upload its shell to that server.

3
00:00:11,530 --> 00:00:17,620
So in this lecture we'll see how we can convert our basic shell access to a Weevely shell.

4
00:00:17,800 --> 00:00:26,320
So, first of all, I actually have a connection here coming from my Metasploitable machine,

5
00:00:26,860 --> 00:00:33,500
and my privileges are just normal www-data, as you can see.

6
00:00:33,860 --> 00:00:37,700
Now what I'm going to do is I'm going to create my Weevely shell first.

7
00:00:37,700 --> 00:00:41,820
So we've done this in the file upload vulnerability.

8
00:00:41,990 --> 00:00:43,520
So it's very simple.

9
00:00:43,520 --> 00:00:52,260
All you have to do is just run weevely and then generate to create a shell or create a backdoor, and then

10
00:00:52,260 --> 00:00:58,920
we're going to have to set a password for that backdoor, and I'm going to set it to 123456, and then

11
00:00:58,980 --> 00:01:00,740
state where you want to save it.

12
00:01:00,780 --> 00:01:09,780
And I'm going to save it in root and I'm going to call it shell. Now, in the file upload vulnerability

13
00:01:09,780 --> 00:01:13,200
we actually created the shell in PHP format.

14
00:01:13,440 --> 00:01:19,560
Right now I'm not going to create it in PHP, because I have to download it from the Metasploitable

15
00:01:19,560 --> 00:01:25,980
machine, and when PHP files are downloaded, the source code will not be downloaded with them.

16
00:01:25,980 --> 00:01:31,710
So if I create it as PHP and download it from the Metasploitable machine, it's not going to work

17
00:01:31,710 --> 00:01:33,430
properly as I want it.

18
00:01:33,540 --> 00:01:34,280
So what I'm going to do
19
00:01:34,290 --> 00:01:40,620
is I'm going to create it as .txt and then rename it once I've downloaded it to the Metasploitable

20
00:01:40,620 --> 00:01:43,850
machine.

21
00:01:43,920 --> 00:01:50,020
All I have to do now is upload it somewhere that is accessible by the Metasploitable machine.

22
00:01:50,040 --> 00:01:55,650
So in real-life scenarios you want to be able to upload it to somewhere where you can directly access

23
00:01:55,650 --> 00:02:01,800
the shell. In this lecture, because we're doing it in our local environment,

24
00:02:01,840 --> 00:02:07,210
I'm actually going to just put it in my web server in my Kali machine, which is accessible by

25
00:02:07,210 --> 00:02:08,420
Metasploitable.

26
00:02:08,530 --> 00:02:13,420
So I'm just going to do cp to copy, and I'm going to copy

27
00:02:16,860 --> 00:02:25,730
shell.txt, and I'm going to copy it to /var/www/html, which is my document root

28
00:02:25,750 --> 00:02:31,670
in Kali, and I'm also going to start my web server, so I'm just going to do a service

29
00:02:35,030 --> 00:02:35,910
apache2.

30
00:02:40,410 --> 00:02:46,250
Now Apache is running, so I literally have, I basically have a web server now which contains this current

31
00:02:46,250 --> 00:02:46,850
file.

32
00:02:47,060 --> 00:02:48,680
Let's see if the file exists.

33
00:02:48,680 --> 00:02:50,030
So I'm just going to come here

34
00:02:51,240 --> 00:02:56,790
and I'm going to go to my localhost. So pretty much I can just do localhost, but I'm going to put my

35
00:02:56,790 --> 00:03:08,430
IP, which is 10.20.14.213, and then call that shell.txt. As you can see, now we can see the code

36
00:03:08,700 --> 00:03:10,480
for the actual backdoor.
37
00:03:10,620 --> 00:03:16,350
This is very important, so when you upload it to a server, make sure that you can access the shell directly

38
00:03:16,350 --> 00:03:22,500
like this, and make sure that when you access it you can see the code without anything on the sides, with

39
00:03:22,500 --> 00:03:29,580
no ads, with no banners, with nothing showing up around it, so you can literally access the bare code.

40
00:03:29,700 --> 00:03:32,060
Once you do that and you have this URL,

41
00:03:32,250 --> 00:03:36,430
all you have to do is just download it from the Metasploitable machine.

42
00:03:36,930 --> 00:03:40,210
So at the moment, this is my Metasploitable machine.

43
00:03:40,350 --> 00:03:48,810
So I do a uname just to confirm. You can see that I'm actually connected and inside the Metasploitable machine.

44
00:03:48,810 --> 00:03:52,560
So all I have to do is download it, but I can't download it anywhere.

45
00:03:52,980 --> 00:03:59,870
I need to download it somewhere, again, accessible by my Kali machine so I can connect to it.

46
00:03:59,910 --> 00:04:04,590
So you want to download it somewhere within the document root, within /var/

47
00:04:04,590 --> 00:04:09,750
www, or whatever document root your current website uses.

48
00:04:09,750 --> 00:04:19,730
So if I do a pwd, you can see that I'm inside /var/www/dvwa/vulnerabilities.

49
00:04:20,110 --> 00:04:28,660
So I'm going to cd .. to go one step back, and if I do an ls here you can see the files that

50
00:04:28,660 --> 00:04:30,860
we have in this current directory.

51
00:04:32,370 --> 00:04:35,970
Now let's try to download the file in this current directory.

52
00:04:35,970 --> 00:04:41,970
Now, sometimes you won't be able to download files, depending on your privileges or permissions.

53
00:04:41,970 --> 00:04:44,340
So I'm just going to do a wget.

54
00:04:44,460 --> 00:04:45,890
And this is the download command.
55
00:04:45,890 --> 00:04:50,400
So wget can be used on Linux systems to download any files.

56
00:04:50,400 --> 00:04:53,090
So you literally just do wget

57
00:04:53,190 --> 00:04:56,870
and then you put the URL that you want to download.

58
00:04:56,910 --> 00:04:58,740
So the URL that we want to download

59
00:04:58,740 --> 00:04:59,860
is http://

60
00:05:02,150 --> 00:05:10,580
10.20.14.213, and then we called the file shell.txt.

61
00:05:10,770 --> 00:05:16,330
Now I'm going to give it some time to download, and then I'm going to do an ls again.

62
00:05:17,910 --> 00:05:21,720
And as you can see, we have a file called shell.txt.

63
00:05:21,720 --> 00:05:27,500
Now this file is uploaded on the Metasploitable machine inside dvwa/

64
00:05:27,640 --> 00:05:32,810
vulnerabilities. Again, if we do a pwd, you can see that we have dvwa

65
00:05:32,940 --> 00:05:39,610
followed by vulnerabilities. So let's go and try to browse it in here and make sure that it exists.

66
00:05:40,600 --> 00:05:47,010
10.20.14.212, which is where our DVWA is.

67
00:05:47,170 --> 00:05:57,610
And then we're going to go to vulnerabilities, and our file is called shell.txt. But I didn't

68
00:05:57,610 --> 00:06:03,500
put the dvwa right before it.

69
00:06:03,570 --> 00:06:10,150
As you can see, we can access the file now, which is uploaded inside dvwa/vulnerabilities.

70
00:06:10,320 --> 00:06:13,090
We can see our shell.txt.

71
00:06:13,110 --> 00:06:16,710
Now again, this is not good enough, because it's not getting executed.

72
00:06:16,710 --> 00:06:22,950
So now all we have to do is change its extension to .php, and again we're going to do that from

73
00:06:22,950 --> 00:06:25,140
our basic shell access right here.
74
00:06:25,200 --> 00:06:33,820
So we're going to do mv shell.txt to shell.php

75
00:06:36,720 --> 00:06:42,480
and then do an ls to make sure that the process was done properly, and we can see that our shell is

76
00:06:42,480 --> 00:06:44,260
called shell.php.

77
00:06:44,700 --> 00:06:49,340
Now we can connect to the shell using our Weevely client.

78
00:06:49,380 --> 00:06:53,750
So we're just going to do weevely, give the shell

79
00:06:53,790 --> 00:06:58,120
URL, so our URL: the shell is stored now at http://

80
00:06:58,210 --> 00:07:01,130
So this is where you uploaded the shell.

81
00:07:01,250 --> 00:07:08,990
So it's exactly the same as this but with .php, because we changed the file extension. I'm actually going

82
00:07:08,990 --> 00:07:09,620
to copy this

83
00:07:12,880 --> 00:07:19,320
and I'm going to set this to .php, and then we're going to put the password, which is one two three four

84
00:07:19,320 --> 00:07:21,560
five six.

85
00:07:21,790 --> 00:07:26,510
Make sure you put the same password that you set when you created the backdoor, and hit enter.

86
00:07:26,530 --> 00:07:34,460
And as you can see, we're inside the target computer, we're inside the target, and we can run all

87
00:07:34,460 --> 00:07:36,800
the commands that Weevely allows us to do.

88
00:07:36,800 --> 00:07:46,300
So we can just do an ls, a pwd, and all the Linux commands, plus all the commands that Weevely allows us

89
00:07:46,300 --> 00:07:51,540
to do, all the functions that Weevely allows us to do, which we're going to have a look at in the next videos.