OWASP

Course
Time
4 hours 32 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:01
Hey, everyone, welcome back to the course. So in the last video, we talked about using components with known vulnerabilities. So we talked about why it's important and what kind of impact it may have on the organization.
00:12
In this video, we're gonna go ahead and start our lab on the particular topic. Now, we're gonna use a couple different tools in this lab. So this lab will be broken up into different sections as we go through it to make sure we stay on track as faras keeping our time and within within the 10 minute golden mark.
00:27
So, really, he's a tool called Nick Toe. We're also gonna get into med exploit a little bit as well as running a couple commands with W get
00:34
I'm gonna make more sense as we actually do those things.
00:37
So as I mentioned, you need the cyber lab environment for this. I've already got the lab pulled up here. However, if you need to search for it, look in the catalogue for the whole lost labs and specifically you will want to select the using components with known vulnerabilities lap.
00:51
Keep in mind, as with many of these, that it may take around a minute or so for two. Fully open the lap might take anywhere from 30 seconds to a minute. Most cases I've been seeing it roughly about a minute or so to to launch the lab and fully pull it up.
01:06
Once it opens, you're gonna see the papa box like we always see in the background. You click on next and then okay to close that. And then again, you may see some random pop ups. Just go ahead and ex out of those.
01:15
It's gonna take us to the Cali Lennox log in screen. So just like we've done before, the user name and password here is gonna be student all over a case. And then the password is student all over cases. Well,
01:27
and that's gonna let us log into the Kelly desktop.
01:32
So while that's doing that will come back to our lab document here. So we've done Step five here. We've gone ahead and logged into Kelly with student and student for the user name and password.
01:41
Now, before we launch the terminal window here in step six, we're gonna go ahead and turn off the option where locks are screens will turn off the screen lock. The way we do that is we just click this little down arrow at the top of right here.
01:53
It's gonna open up a little menu for us. You know, I take a second since we just loved into Cali. There we go. And then we're gonna click the settings icon at the bottom left. So it looks like a screwdriver with a little monkey wrench with it.
02:05
Once we click on that, it might take about four or five seconds or so, but then we're going to see an option. It's gonna pull up a different window here. As we see now, we're gonna select the option of privacy on the left side here. And then we're just gonna click on screen lock
02:17
and then just turn off our screen luck by moving this top circle to the left.
02:23
So just like that, and then all we have to do just x out of that.
02:27
All right, Now let's go back to our lab documents. So now we're at step six year, we're gonna launch a terminal window. So the way we do that, we just click this little black box on the far left side here, so just click on that. And if you have your mouse over top, it'll show you that. Hey, this is the terminal.
02:40
Let me take just a couple seconds to pull up for us. So now we're at the command problem of the terminal window,
02:46
and we're gonna type in this command right here. So we're gonna type in Nick Toe Dash host
02:51
Mattila Day.
02:53
All right, so let's go and do that now. So we're attacked. Nick, toe all our case
02:57
Space dash host Space kill today,
03:00
and that is precedent here on the keyboard.
03:04
I'm gonna take a few seconds for soda, Ron, Probably about, you know, 10 to 15 seconds. We're specifically looking to see if we notice a robot start text file being found. So, uh, even now, I'll give you a hint. Even now, while it's still running,
03:19
you could see if this information is found or not in question one.
03:23
So we're gonna keep letting it run for just a moment or so here because we have some other commands to run, but it should be wrapping up. There we go.
03:30
All right. So let's look back at our window here. Do we see a robot, that text file, Do we see that that's been found. So on your end of things, look to see if you see it. I see it right here on my side.
03:39
So I see it's right there
03:43
now, basically, what the robots dot text file is if you're not familiar with it, is basically when you go to like a website, for example, the website may or may not have this in place, and what it's designed to do is tell Web browsers Web Web crawlers s over like, for example, Google's little Spider thing.
04:00
It tells him like, Hey, don't crawl these particular directories or the you know, these particular things
04:03
all the website. So if I'm an attacker and I could get access to the robots, that text file, it may tell me like interesting areas that I need to go look at
04:14
that being said a lot of websites and now we'll disable this s o that way. Ah, an attacker can't get the information. But it is something that, at least in our training purposes, there are still a lot of websites out there that are vulnerable to this.
04:28
So you are that have this. You know where you can freely look at the information.
04:31
All right, so we did find it. At least I did on my end. So let's move on to step eight. So now we're gonna retrieve that file.
04:39
All right, so we're gonna enter this command of the terminal. So this is our first w get we're gonna go ahead and run this so we'll do this step by step. Like we've always done throughout the lab so you can follow along.
04:47
So first things first things first. We're just gonna type w get that The terminal here,
04:53
we'll put a space, and then we're gonna type in you till a day. Ford slash robots dot t x t
05:00
So we'll type me till today.
05:02
Ford slash
05:04
robot
05:05
don t x t
05:11
You left my s off there, so we'll go back and correct. And the next we're gonna type dash capital. Oh, and then a dash.
05:16
Let me go back and add my s in there. That will definitely help us out. Here we go.
05:23
And so to navigate this, if you touch something wrong, you can either back out of it shaken backspace or you could just use the arrow keys to go over. And you want to highlight the, uh,
05:31
particular character right before where you want to add. So for example, if I wanted to add a X before the t x t, I want to highlight the t in that situation so I could put the X in front of it.
05:44
All right, let's keep moving on with tapping our commands here. So we'll put a space and then the dash in capital. Oh, so not a zero, but a capital O. We'll put another dash there, we'll put a space,
05:54
and then we're gonna put a to the greater than simple.
05:57
And then we'll come back and do the rest of the command here. So we'll put a to hear the greater than symbol.
06:02
And then now we want to do is just end out this. So we're gonna put a ford slash
06:06
dev ford slash No.
06:11
So let's go and do that now. So forth slash dad ford slash Know. And then just press enter into keyboard to run the command.
06:18
All right, so we stew see here that there is some information in the robot step text file All right.
06:25
So we see that question to actually just kind of answer that. But are there any items not allowed to be indexed by search engines? So, yes, we see right there that disallow tells us that that's what's not allowed. As we see, it's the C G I dash band. Ford's last status dot c g. I
06:40
are. So now we're gonna try to get the output from that particular script that's mentioned in the file there. So we're gonna type in this command here for w get So let's go ahead and do that again.
06:49
And we're gonna go step by step like we normally do. So w get space
06:55
and we're gonna type in me till today Ford slash
06:59
Until today,
07:01
ford slash
07:03
All right, now we're gonna type in CG I dash been ford slash status.
07:09
We're type in seedy. I dash been four slash status
07:14
and then finally will type c g i all over case
07:17
soul type c g I
07:19
so dot c g I Excuse me
07:23
And then the next step here we're gonna type that dash capital again in the morning. Type of two in the greater than simple.
07:29
So we'll type dash capital. Oh, and then when it's put a space will type two and a greater than symbol
07:34
and then we'll wrap up with same information we put before the ford slash Deb forward slash null
07:42
so forth slash dev four slash no, and that is pressing. Enter into keyboard to run the command.
07:47
All right, so we do see I'll put there. So question number three here is DC Any information about the operating system that's in news.
07:55
So let's take a look here.
07:57
Do we see an information here on our output about the operating system and use?
08:03
All right, so, yes, we see that Mobutu is being used and then we see, Actually, it's an older version of a boon to
08:09
okay, So based off the operating system and use, we may know that there is particular vulnerabilities for that operating system in that version of it, And that might allow us to do certain attacks,
08:20
which in this case, it does right. So we know that this'll particular older version of Lennox is vulnerable or potentially vulnerable to shell shock, which is an exploit. So we're gonna go ahead and actually used medicinally to run that particular export. So I'm gonna pause. A video here will jump back in in the next video and we'll go through actually launching them my medicine, Lloyd
08:41
counsel,
08:41
And then we'll walk through entering different commands and setting everything up.

Up Next

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor