1 00:00:00,060 --> 00:00:02,610 So that's our vulnerable program, it is running now.
2 00:00:02,640 --> 00:00:08,600 Let's go ahead and find the IP address of this fantastic machine, ipconfig here.
3 00:00:08,810 --> 00:00:12,420 We got the IP address, so this is one zero two.
4 00:00:12,840 --> 00:00:18,200 So let's go ahead and write a simple Python program to interact with our machine.
5 00:00:18,810 --> 00:00:21,480 So let's see, s equals socket.
6 00:00:28,600 --> 00:00:30,640 socket dot socket, socket SOCK_STREAM as usual.
7 00:00:30,670 --> 00:00:35,830 We are going to create this TCP, IP version four.
8 00:00:52,670 --> 00:00:53,420 Sorry for that.
9 00:00:58,120 --> 00:00:59,940 So I could not, if I could just.
10 00:01:02,130 --> 00:01:04,540 We are going to create this, IPv4 and TCP, yes.
11 00:01:04,620 --> 00:01:08,240 OK, so let's go and connect to this destination.
12 00:01:10,230 --> 00:01:12,100 So we need to pass that, right.
13 00:01:12,180 --> 00:01:13,920 So that's our 192 dot.
14 00:01:18,740 --> 00:01:20,750 And the number is four nines.
15 00:01:22,890 --> 00:01:30,330 So now we have been granted permission and the server will send us, uh, a banner, let's receive that.
16 00:01:30,870 --> 00:01:40,800 Let's do s.recv of, let's say, 1024, decode to latin-1 and print, so we
17 00:01:40,800 --> 00:01:44,970 can convert from bytes to a string and print it on the screen.
18 00:01:49,370 --> 00:01:55,640 And after that I just, uh, close this connection, so we run this program.
19 00:01:59,230 --> 00:02:08,050 So it is "Welcome to Vulnerable Server" and, oh, there is no option; that's modified by me, that binary
20 00:02:08,070 --> 00:02:10,060 from our server side, I removed the option.
21 00:02:10,630 --> 00:02:18,400 So now we need to just send the payload of, let's say, junk, because, uh, we are sending a thousand
22 00:02:18,400 --> 00:02:20,470 A's, so you can do the fuzzing here.
23 00:02:20,470 --> 00:02:26,630 But I'm not going to do that because it takes so much time and it's very easy with junk.
24 00:02:26,710 --> 00:02:30,420 So I'm just assigning this A string to the payload.
25 00:02:30,800 --> 00:02:37,530 I, I want to encode this payload so that the characters in that, uh, string will not get changed
26 00:02:38,080 --> 00:02:41,110 by the encoding.
27 00:02:42,340 --> 00:02:44,760 And I'm going to use this raw_unicode_escape.
28 00:02:45,250 --> 00:02:49,720 So these characters won't go through any other, uh, changes.
29 00:02:50,080 --> 00:02:54,110 And it will be exactly, uh, what we are sending into the memory.
30 00:02:55,300 --> 00:02:59,260 So now this will automatically convert into bytes.
31 00:02:59,920 --> 00:03:08,390 So we need to send as bytes, so you can see just before and after sending we are closing the connection.
32 00:03:08,410 --> 00:03:14,170 Let's go ahead and run this program and let's see whether our program crashes or not.
33 00:03:14,270 --> 00:03:17,650 So no crash, and there is no error from this.
34 00:03:18,020 --> 00:03:20,770 Let me go ahead and increase this to 2000.
35 00:03:24,460 --> 00:03:25,590 Let us run this again.
36 00:03:27,670 --> 00:03:34,590 So now there is overflow, obviously, uh, let me right click this ESP and follow in stack.
37 00:03:34,810 --> 00:03:38,030 So this one is at the top of the stack, the ESP.
38 00:03:38,350 --> 00:03:46,690 So what you can do is, from here on, what you can do is put the reverse shell shellcode and execute it.
39 00:03:47,230 --> 00:03:55,480 So before that, we need to determine how much we can, uh, how much stack there is at that ESP,
40 00:03:56,950 --> 00:04:03,190 because sometimes you will have only 200 bytes, but it still looks like more data and you can just
41 00:04:03,190 --> 00:04:07,440 simply paste it, uh, here and then we will execute it.
42 00:04:07,450 --> 00:04:14,980 But it does not execute because maybe the stack is 300 bytes and your payload may be 350, so it will
43 00:04:14,980 --> 00:04:15,650 get an error.
44 00:04:15,670 --> 00:04:19,360 So that's why we need to determine the stack before placing the shellcode here.
45 00:04:19,630 --> 00:04:22,260 So this is now about this one.
46 00:04:22,800 --> 00:04:25,630 You click on this one or double-click on this address.
47 00:04:26,650 --> 00:04:29,570 So now it shows me the relative offset.
48 00:04:30,070 --> 00:04:35,920 So I am currently here, and the relative offset to the same address is,
49 00:04:36,610 --> 00:04:39,880 I mean, it is zero and it is the same.
50 00:04:39,880 --> 00:04:44,260 If you go up you can see dollar minus four; this is the current address.
51 00:04:44,260 --> 00:04:48,110 Current address, if you subtract four, you get the previous address.
52 00:04:48,430 --> 00:04:55,100 That way, if you can take a look at this one: 70 minus 4, you see 6C in hexadecimal; the same
53 00:04:55,120 --> 00:04:58,050 way 7C plus 4 is 80.
54 00:04:58,060 --> 00:05:01,310 So it shows me the current address, relative offset.
55 00:05:01,600 --> 00:05:05,950 So this here, these four A's are at four offset from this one.
56 00:05:06,550 --> 00:05:10,710 In that way you can determine, uh, stack size by going down.
57 00:05:10,990 --> 00:05:18,300 If you go down a bit, you can see there are so many A's, I think this is enough for placing our
58 00:05:18,310 --> 00:05:25,530 shellcode, but in some cases you get a less sizable stack, so up to 3D4.
59 00:05:25,630 --> 00:05:30,040 So you can see up to 3D4 you can have the, uh, A's.
60 00:05:30,370 --> 00:05:34,990 I think you can also write up to this 3D4 bytes.
61 00:05:35,200 --> 00:05:37,800 So let's get the total number of bytes.
62 00:05:37,810 --> 00:05:41,720 So you simply convert this 3D4 into the decimal format.
63 00:05:41,890 --> 00:05:47,020 Let's go ahead and say hex to decimal.
64 00:05:50,070 --> 00:05:51,370 So let me go to this.
65 00:05:51,510 --> 00:05:59,350 You can also use a calculator, but it's, uh, it was stuck when I used this. So type 3D4 here and
66 00:05:59,370 --> 00:06:08,040 if I convert, what I see is 980, so from the start, so from the start of the ESP.
67 00:06:09,720 --> 00:06:17,990 Uh, I have 980 bytes I can fill up with the shellcode; that's more than enough for a normal shellcode.
68 00:06:18,500 --> 00:06:26,960 Uh, a TCP shellcode is around 350, 400 bytes, even if you will get 500 or 600 bytes.
69 00:06:27,500 --> 00:06:31,580 So that's more than enough for placing the shellcode.
70 00:06:32,390 --> 00:06:37,180 So that is how you need to determine the stack size before placing shellcode.
71 00:06:37,580 --> 00:06:41,840 That is one good habit, to know the, uh, stack size before.
72 00:06:41,850 --> 00:06:48,590 So, you know, I hope you understood, you need to trace this ESP and go far down this.
73 00:06:48,770 --> 00:06:50,100 And if you can see A's.
74 00:06:50,470 --> 00:06:51,000 A's.
75 00:06:51,020 --> 00:06:56,200 And it's fine, if you did not see A's, increase the number of A's; before, we have put the 2000.
76 00:06:56,240 --> 00:07:02,600 And if you did not see A's, increase them like here; there are no null bytes here.
77 00:07:02,600 --> 00:07:09,560 Even if you try to put 3000, if these 3000 get cut off from it, yes.
78 00:07:09,950 --> 00:07:11,960 That means you can still push through.
79 00:07:12,680 --> 00:07:14,720 So that's a benefit for us.
80 00:07:15,410 --> 00:07:20,360 So the thing is, we will determine the stack size before you place the shellcode.