1
00:00:00,940 --> 00:00:03,060
<v Narrator>Just like we did before, in the last video</v>

2
00:00:03,060 --> 00:00:07,620
we put five times back and then we put /etc/passwd to

3
00:00:07,620 --> 00:00:09,560
access the password file.

4
00:00:09,560 --> 00:00:12,130
What we're going to do today is we're going to try to

5
00:00:12,130 --> 00:00:15,300
access a file located on a different server.

6
00:00:15,300 --> 00:00:18,480
So if you're doing this pentest on an actual

7
00:00:18,480 --> 00:00:21,630
webserver then you need to store the file that you want

8
00:00:21,630 --> 00:00:25,140
to access, needs to be stored on a place with a real

9
00:00:25,140 --> 00:00:27,690
IP address or with a domain name.

10
00:00:27,690 --> 00:00:30,770
I'm doing this on my local server so I'm gonna store this

11
00:00:30,770 --> 00:00:35,500
on the webserver on the Kali machine, on the 10.20.14.203.

12
00:00:35,500 --> 00:00:39,530
This is 10.20.14.204 and I'm gonna store my file on

13
00:00:39,530 --> 00:00:41,373
10.20.14.203.

14
00:00:42,730 --> 00:00:44,640
So that file, as I said, can be anything.

15
00:00:44,640 --> 00:00:47,870
It could be a web shell, it could be a payload.

16
00:00:47,870 --> 00:00:50,430
Well, what I'm going to do is, I'm going to create a very

17
00:00:50,430 --> 00:00:52,690
simple PHP file.

18
00:00:52,690 --> 00:00:56,470
So this is just the PHP start and end of the file.

19
00:00:56,470 --> 00:00:58,810
And what I'm gonna put in the file, I'm gonna use

20
00:00:58,810 --> 00:01:02,550
a function called passthru and in that function,

21
00:01:02,550 --> 00:01:05,680
basically what this function does is it executes

22
00:01:05,680 --> 00:01:07,380
operating system commands.

23
00:01:07,380 --> 00:01:11,940
So it executes Windows, Linux or, depending on the webserver,

24
00:01:11,940 --> 00:01:14,623
it's going to execute commands related to that.

25
00:01:15,490 --> 00:01:19,850
So you put the command here between the two quotation marks

26
00:01:19,850 --> 00:01:22,000
and I'm gonna use the same command we used with the

27
00:01:22,000 --> 00:01:26,790
code execution vulnerability which was the netcat command

28
00:01:26,790 --> 00:01:30,180
which allowed us to get connection, a reverse connection

29
00:01:30,180 --> 00:01:32,250
from our target.

30
00:01:32,250 --> 00:01:34,520
So I'm gonna paste that here.

31
00:01:34,520 --> 00:01:37,130
So let's just have a first look at this, so php

32
00:01:37,130 --> 00:01:39,730
and the end, these are just the start and the end

33
00:01:39,730 --> 00:01:43,330
of the file, of the PHP file.

34
00:01:43,330 --> 00:01:46,630
Passthru is a function that I'm gonna use which executes

35
00:01:46,630 --> 00:01:49,800
any command that's inserted between the quotations.

36
00:01:49,800 --> 00:01:52,460
And I'm using the same command that we used in the

37
00:01:52,460 --> 00:01:55,890
command execution vulnerability which will just do

38
00:01:55,890 --> 00:01:58,373
a reverse connection to my computer.

39
00:01:59,300 --> 00:02:02,070
So this is all good, now the next step is the most important

40
00:02:02,070 --> 00:02:04,550
step and it's storing this file.

41
00:02:04,550 --> 00:02:09,550
So as I said, if your target was a remote webserver

42
00:02:09,550 --> 00:02:13,180
then you should be storing this file in a place with a real

43
00:02:13,180 --> 00:02:16,860
IP where you can access it from the remote webserver.

44
00:02:16,860 --> 00:02:19,960
Now I'm gonna be trying to access this from my

45
00:02:19,960 --> 00:02:23,100
Metasploitable machine which is able to access files

46
00:02:23,100 --> 00:02:25,480
stored on the Kali machine because they're both

47
00:02:25,480 --> 00:02:26,830
on the same network.

48
00:02:26,830 --> 00:02:29,160
And I'm gonna be calling this, I'm gonna be storing it

49
00:02:29,160 --> 00:02:34,160
in my /var/www/html, so it's being stored on the Kali,

50
00:02:34,280 --> 00:02:36,110
not on the Metasploitable.

51
00:02:36,110 --> 00:02:37,643
And I'm gonna call it

52
00:02:38,760 --> 00:02:41,977
reverse and I'm gonna save it as txt, not php.

53
00:02:43,460 --> 00:02:46,227
And I'm doing this because, if I store it as a php,

54
00:02:47,250 --> 00:02:50,270
it's going to be executed on the Kali machine.

55
00:02:50,270 --> 00:02:53,280
So it's gonna create a reverse connection from the Kali

56
00:02:53,280 --> 00:02:55,410
machine and I don't want that, I don't wanna hack

57
00:02:55,410 --> 00:02:57,600
the Kali machine, I actually already have access

58
00:02:57,600 --> 00:02:58,850
to the Kali machine.

59
00:02:58,850 --> 00:03:02,050
The one that I wanna hack is the Metasploitable machine

60
00:03:02,050 --> 00:03:04,830
and that one is stored remotely.

61
00:03:04,830 --> 00:03:09,410
So, in order to be able to include the PHP code

62
00:03:09,410 --> 00:03:12,690
and execute it on the remote machine, we're gonna use it

63
00:03:12,690 --> 00:03:16,750
as txt and get it executed on the Metasploitable machine

64
00:03:16,750 --> 00:03:19,770
instead of executing it on my Kali.

65
00:03:19,770 --> 00:03:23,510
So I'm storing it as a txt and I'm gonna say, save it

66
00:03:24,650 --> 00:03:26,090
and now let's just see here.

67
00:03:26,090 --> 00:03:27,860
So if I go to my localhost

68
00:03:29,200 --> 00:03:31,020
and if I say

69
00:03:32,130 --> 00:03:36,910
reverse.txt we'll see our file right here.

70
00:03:36,910 --> 00:03:40,640
So again, this is on my localhost which is

71
00:03:40,640 --> 00:03:42,270
not the Metasploitable machine.

72
00:03:42,270 --> 00:03:46,080
It's 10.20.14.203

73
00:03:46,080 --> 00:03:48,313
and the Metasploitable is on 204.

74
00:03:50,010 --> 00:03:51,750
So, how are we gonna run this?

75
00:03:51,750 --> 00:03:54,830
First let me just listen for connections like we did

76
00:03:54,830 --> 00:03:58,253
before, so it's just going to be netcat

77
00:03:59,466 --> 00:04:02,623
bvlp 8080.

78
00:04:04,730 --> 00:04:06,280
And then,

79
00:04:06,280 --> 00:04:09,710
right here instead of including a file on the same server,

80
00:04:09,710 --> 00:04:12,600
I'm gonna include the remote file and the command

81
00:04:12,600 --> 00:04:16,320
is going to be http, so it's just going to be the link

82
00:04:16,320 --> 00:04:17,240
to this file.

83
00:04:17,240 --> 00:04:20,290
So we can access the file here as txt,

84
00:04:20,290 --> 00:04:22,893
I'm gonna copy it and paste it here.

85
00:04:27,350 --> 00:04:31,130
And also in some cases, you might need to add a ?

86
00:04:31,130 --> 00:04:34,267
to the end to get this file to be executed as php.

87
00:04:35,240 --> 00:04:38,450
So I'm just gonna go over this again one more time.

88
00:04:38,450 --> 00:04:41,650
Including a remote file which is on a remote server,

89
00:04:41,650 --> 00:04:45,620
make sure the remote server is accessible by your target.

90
00:04:45,620 --> 00:04:49,030
And also make sure you store it as txt because if you

91
00:04:49,030 --> 00:04:53,270
keep it as php, this file, the reverse file, will be executed

92
00:04:53,270 --> 00:04:54,310
on the remote server.

93
00:04:54,310 --> 00:04:57,870
So it will be executed on the 203 instead of being executed

94
00:04:57,870 --> 00:04:59,550
on the 204.

95
00:04:59,550 --> 00:05:02,820
And I'm keeping it as txt, this way it will be,

96
00:05:02,820 --> 00:05:05,820
it's gonna be executed on the 204 and it's gonna give me

97
00:05:05,820 --> 00:05:09,630
a remote connection from this computer,

98
00:05:09,630 --> 00:05:11,283
to the Metasploitable computer.

99
00:05:12,120 --> 00:05:14,460
So if I come back here, as you can see we have

100
00:05:14,460 --> 00:05:15,780
a remote connection.

101
00:05:15,780 --> 00:05:17,360
If we do a uname -a

102
00:05:19,382 --> 00:05:22,000
you'll see that this is the Metasploitable machine,

103
00:05:22,000 --> 00:05:23,060
not the Kali machine.

104
00:05:23,060 --> 00:05:25,430
So we basically have full access to the Metasploitable

105
00:05:25,430 --> 00:05:30,430
machine through a remote file inclusion vulnerability.

106
00:05:30,500 --> 00:05:35,150
Now if we do an ls, we can do a pwd to see where we are

107
00:05:35,150 --> 00:05:37,910
and we can literally run any Linux command we want now

108
00:05:37,910 --> 00:05:40,230
on the machine and do anything we want.

109
00:05:40,230 --> 00:05:42,623
Basically we have full access to that machine.