1
00:00:01,570 --> 00:00:09,630
OK, so now, as we have identified the target to be potentially vulnerable to SSRF, as it is making a

2
00:00:09,640 --> 00:00:14,860
request to the third-party-controlled domain, now we are going to escalate it.

3
00:00:15,400 --> 00:00:24,370
So what you can do basically is try to scan the internal network as well, identify ports, whatever services

4
00:00:24,370 --> 00:00:25,930
are running on different ports.

5
00:00:26,630 --> 00:00:30,040
But we're not going to do the usual thing over here.

6
00:00:30,250 --> 00:00:38,080
Instead, we are going to use different filters to identify more sensitive information and dump sensitive

7
00:00:38,080 --> 00:00:38,700
information.

8
00:00:39,280 --> 00:00:47,800
So I know the application runs on WordPress because when I was spidering the application, I got

9
00:00:47,800 --> 00:00:54,220
this directory, which is wp-content, which proves the target is running on WordPress.

10
00:00:54,460 --> 00:01:03,280
Now, for those of you who know, whenever you make an application on WordPress, you have a login,

11
00:01:03,280 --> 00:01:11,140
which is the wp-admin login, and there is a configuration file, which is wp-config, which is the WordPress

12
00:01:11,140 --> 00:01:12,220
configuration file.

13
00:01:12,940 --> 00:01:20,650
So what we are going to do in this video is we are going to retrieve the wp-config file for

14
00:01:20,650 --> 00:01:27,340
this target, which contains extremely sensitive information like the database name, the secret keys,

15
00:01:27,580 --> 00:01:30,430
passwords or other details, etc.

16
00:01:31,840 --> 00:01:40,270
Now, in order to do that, we are not able to retrieve files by just giving the name of the file.

17
00:01:40,300 --> 00:01:45,520
So let me just show you. Let me go to my Burp again now.

18
00:01:48,210 --> 00:01:51,720
Let me just copy the file name from here.

19
00:01:56,280 --> 00:02:03,560
OK, so now I want this file, which is wp-config.php.

20
00:02:04,020 --> 00:02:08,970
Let me just hit send and you can see it is "unrecognized call".

21
00:02:09,360 --> 00:02:17,840
So this PHP endpoint does not understand what exactly wp-config is.

22
00:02:18,210 --> 00:02:23,970
Let us try to navigate inside some directories and now let's see if we are able to get it.

23
00:02:24,180 --> 00:02:30,030
And still we are not able to retrieve the file now.

24
00:02:30,900 --> 00:02:35,050
Filters come in handy in this place and we are going to use that.

25
00:02:35,070 --> 00:02:40,590
So let's say I'm going to use the PHP filter this time and I'm going to try to get the file.

26
00:02:40,740 --> 00:02:43,940
And you can see it still gives me the same error.

27
00:02:46,780 --> 00:02:56,000
All right, so now I'm just going to use the exact same payload we used to identify that the website is vulnerable.

28
00:02:56,710 --> 00:03:04,300
So now we are going to use the PHP filter and the resource file or the resource data that we want from

29
00:03:04,300 --> 00:03:08,200
the target server, which is the wp-config.php.

30
00:03:08,770 --> 00:03:16,150
Let me just hit send and you can see we are successfully able to get the WordPress configuration file

31
00:03:16,510 --> 00:03:23,910
and you can see the DB name is white lab one two, white lab one two, the password.

32
00:03:23,920 --> 00:03:31,180
So they have not kept any DB password, which can only be retrieved or connected from the localhost.

33
00:03:31,480 --> 00:03:38,710
And you can see a lot more sensitive information like the auth key, secure auth key, logged-in key,

34
00:03:39,010 --> 00:03:41,820
nonce key, logged-in salt, etc.

35
00:03:42,190 --> 00:03:49,270
So now this is very sensitive information and can be reported to the target bug bounty program, which

36
00:03:49,270 --> 00:03:53,140
will be flagged as a critical security vulnerability.

37
00:03:53,800 --> 00:04:02,500
Now, as we can see over here, we have used a couple of dot slashes just to navigate through the directories.

38
00:04:02,720 --> 00:04:07,520
And if I do not use this, we will not be able to retrieve the result.

39
00:04:07,930 --> 00:04:15,910
This is because we are going one step, two steps, three steps and then the fourth step back to navigate

40
00:04:15,910 --> 00:04:21,490
into the directory where this file lies, which is wp-config.php.

41
00:04:21,790 --> 00:04:26,230
And in a similar manner, you can download any sensitive files from the target.

42
00:04:26,620 --> 00:04:32,470
If you want to see what other files can be downloaded from a WordPress installation, you can just

43
00:04:32,470 --> 00:04:38,800
go and have a look at the official WordPress documentation, and then you can see what are the other

44
00:04:38,800 --> 00:04:42,430
files which contain sensitive and juicy information.

45
00:04:43,090 --> 00:04:49,810
I have shown you the wp-config.php, which is the most critical file, as we have seen it contains

46
00:04:49,810 --> 00:04:54,600
the information about the database as well as the auth keys.

47
00:04:55,480 --> 00:05:00,900
So I hope you guys understood how we are able to retrieve this using the PHP filter.

48
00:05:01,480 --> 00:05:08,410
Now, just a quick side note that you should remember: sometimes instead of PHP filters, you can also

49
00:05:08,410 --> 00:05:14,080
use filters like file, dict, ftp, gopher, etc.

50
00:05:15,720 --> 00:05:24,560
Many times these filters are also helpful in retrieving sensitive information from the target web application.

51
00:05:24,840 --> 00:05:31,020
So you should always give a try with these filters as well whenever you have identified an SSRF, to

52
00:05:31,020 --> 00:05:34,830
retrieve sensitive information from the target web application.

53
00:05:35,310 --> 00:05:36,640
I hope you guys understood.

54
00:05:36,810 --> 00:05:37,410
Thank you.