Time: 14 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 16 of the course, Python and Perl Scripts. My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:11
The learning objectives for this session are to understand how Python and Perl can help us gather information, and to create and execute scripts that help us in our penetration testing process.
00:23
So let's get started.
00:26
Well, first, let me do the demo,
00:31
I'll tell you. In that scenario, I have a need and, you know, we can go from that and create a script from scratch.
00:40
First, let's say that we want to find all the files with a specific extension, because let's say that we already have a backdoor on a Linux machine. And let's say that this is actually the terminal of the Linux backdoor we have. So
00:57
we can, you know, just create a file here. It's like, you know,
01:03
cybrary.py
01:04
um, and then we can import,
01:08
um,
01:10
these two modules
01:12
and, you know, we can tell, uh, chdir to actually go to this specific location,
01:22
which is root
01:23
slash,
01:25
slash, look at me, forward slash Desktop
01:27
files.
01:30
And in that location, close this, in that location, for file in glob.glob, and we tell it we want to actually get any file with a .txt extension.
01:46
Okay. And then just print
01:49
oops
01:49
Yeah,
01:52
but, you know,
01:53
print,
01:55
um,
01:56
file.
01:57
And that's it.
02:00
We can close this,
02:02
and we have to use chmod here to give it execute permissions.
02:10
And then just call python
02:15
and cybrary
02:17
dot py,
02:20
There's a problem here. Oh, I didn't put... I'm sorry.
02:23
Let's go back. As this is a for, I have to
02:27
end it with a colon
02:30
and just
02:32
execute it.
02:35
Okay, I have a list of files here:
02:37
wordlist.txt, names.txt. We used these files for the previous video, ips.txt, test.txt, tested, you know, you get the idea. So, yeah, we did actually find files, but this will only find files in that specific location.
02:55
What if we actually want to traverse directories and let's say that we actually want to find
03:02
files in the entire OS, or in the entire file system of our Linux. So we can just,
03:12
uh
03:13
shall we modify this or create a new one? Let's just create a new one
03:17
and cybrary
03:19
two
03:21
and, you know, again import os
03:24
and for root,
03:29
dirs, files in os dash... I'm sorry, os.walk.
03:36
And what's the directory again? From the root.
03:39
Oh, this will take a while. Ah,
03:45
for
03:47
file
03:50
file in files.
03:53
We open the for cycle.
03:55
3, 4, 5, 6
03:59
Um,
04:00
if file dot endswith
04:03
and we actually want to find again
04:06
the txt
04:09
Oh, sorry.
04:11
endswith dot txt.
04:13
1, 2, 3, 4, 5, 6, 7, 8, 9. Don't judge me. You know, I don't like to use tabs. They go, uh,
04:23
out of proportion when writing in the terminal or when you use nano. So I like to use spaces, so yeah, and just
04:30
print os dot path dot
04:34
join
04:36
and root comma file
04:41
Close, and let's see if it works. If it works, it will be the first time in history for me that it works without any problems.
04:51
So let me just
04:54
give execute permissions
04:56
python
04:57
and cybrary
05:00
two.
05:01
And there you go. You see? It never works for me at first, right?
05:08
Ah, I forgot once again.
05:11
This... ah, I... no way.
05:15
I think my brain just
05:16
doesn't want me to see that
05:18
today
05:19
and execute it, and a lot of information came back. I mean, I have a lot of .txt files, so, uh, but eventually, well, that will be useful. I mean, we can actually even grep that,
05:34
for example. Uh, oops.
05:38
Sorry about that. For example, what happens if we actually grep, I don't know,
05:45
files that
05:46
contain the word open.
05:51
And we'll get a better list for that. Uh,
05:56
yeah, I heard you saying: I don't want to do it in the terminal, because this is called Python and Perl scripts. I want to do it in Perl... okay, in Python. Um, sorry. Okay, let's modify,
06:11
um, this script we have
06:14
to include a search for a specific word.
06:17
So we can just use the same, because at the end, we're just,
06:24
uh
06:27
you know, getting the same information. So if file endswith, we keep this line,
06:35
and
06:43
and we can actually say with open(os dot
06:47
um, path dot join(root, file
06:54
close, close, as f.
06:57
And
06:59
you know, if I go here and I say if
07:04
password
07:08
in
07:10
f dot read
07:12
and we're basically telling here... Oh, I
07:15
cut it this time.
07:17
We are actually telling the Python script to
07:24
open the file. You know, we already located the file to open it.
07:30
You know, the file as f. And if the word password is in the file, you know, when we're reading it,
07:40
let's go,
07:42
let's do something about it.
07:46
Ah, we print
07:48
os dot path... oh, sorry,
07:50
path
07:53
dot join(root,
07:55
file).
07:57
And let's see if this works
08:00
on the first try.
08:05
How about that? So it is. Actually, I'm gonna cut it right here. It is actually telling us that this file, right, this file right here, contains the word password inside.
08:18
So this is kind of a big deal to us, because maybe we're trying to escalate privileges. Um,
08:26
and, you know, we're trying to get... maybe the user left a file with the password. I mean, I have seen cases where the user just, uh,
08:39
I mean, it doesn't have the common sticky note attached to the keyboard or to the monitor with the password, but it does have a .txt file with all the usernames and passwords for all the systems it has.
08:56
Uh, this is where, uh,
08:58
single sign-on comes in handy, when you just have to learn a really, really long passphrase, but this passphrase will work for several systems in your company. So, yeah, I've seen cases where the users have usernames and passwords in a .txt file. So
09:18
maybe this script will find it
09:20
and report back to us.
09:22
Just to make sure, let's change the word to look for, um, you know,
09:31
just to see if this is actually working and is not
09:35
returning false positives.
09:37
Uh,
09:39
this is not something you will find.
09:46
I hope I typed it out correctly.
09:52
And it's finding, finding, finding... it doesn't seem that it is finding something. Actually, it failed first.
10:01
Yeah, but you get the point. Um, it's not something I will find in here, so yeah, that can help us achieve several things that we want to achieve. Um,
10:15
again, this is just an example of how you can actually do that. But, um,
10:20
you can create your own port scanning tool with Python. Maybe you don't want nmap or hping to do the job because, I don't know, I see they don't have the options you want, and you just want to create your own port scanner, and that's totally fine. You can actually create it
10:39
with Python or Perl,
10:41
or you just want to, you know, automate a task. Maybe download a list of names and get the IPs from the list of names and then see if those IPs are actually responding, or maybe perform a traceroute
10:56
command
10:58
for those IPs, I don't know. Whatever task you think about, let me assure you, you can actually... or maybe you can actually even use nmap, as you can, you know, call terminal commands or bash commands from the Python script. You can, you know, execute several commands from the Python script,
11:18
and nmap being one of them. And then maybe, if you exploit a vulnerability, maybe you want to already upload an executable to the victim or whatever.
11:28
Whatever task you think about, you can automate it with, um, ah, a Python script. But, you know, let's switch to Perl now.
11:35
So let me just create here a file,
11:39
cybrary.pl
11:43
for Perl. And, you know, first we tell it to execute it with Perl,
11:48
nothing fancy here. Just tell it to go with Perl.
11:54
Okay. Ah, use strict.
11:58
I'll just copy-paste the entire thing.
12:03
Yeah, yeah, you know, I'm lazy, but I don't want to waste your time.
12:11
Let me just explain it to you. You can see that it is, you know, a long script just to write by hand, especially when I forget to put all the symbols. And you know,
12:22
so basically, in this long, not that long, but you know, long enough script to write it myself, I'm just trying to see... no. If I execute with root privileges, I can see that the files are readable.
12:41
We're trying to find all the files that are readable
12:45
by a specific user, in this case by the current user.
12:48
Okay. Uh, this is just... I'm just gonna leave it right there: you know, readable files for the current user, and it will print all of them.
12:58
Uh, but, you know,
13:01
let me just
13:03
go here, close this
13:05
and basically chmod,
13:11
execute permissions,
13:13
and you can also use seven. Remember, the seven for the owner, then the group, then the rest of the world in this Linux system, you know, 777. That's fine. I don't care.
13:28
Ah, cybrary
13:31
dot pl
13:35
And if I just go here
13:37
execute it, it will have quite a number.
13:43
Many files are actually readable by the, by the, ah,
13:48
by the root user. But what happens if I switch, ah,
13:56
users in Kali, or, you know, yeah, if I switch users in Kali?
14:01
Uh, yeah, I don't have... let me see if I have another, a different user. I can't remember.
14:11
Oh, no, I don't have one. Okay, let's create one. Okay.
14:15
Let me, uh, uh, add a user for this session: adduser.
14:22
Um,
14:22
it will be, you know,
14:24
uh, alejandro. You know,
14:31
we create a password. I know. Um,
14:35
My
14:37
password.
14:39
Once... I actually know what I'm going to use, a really simple password, that's test123,
14:46
test123.
14:48
Okay, full name, and so on.
14:52
Room number, one, number, I don't know.
14:54
That's
14:56
yes.
14:56
Yeah,
14:58
Is the information correct? I guess so. Yeah, that's correct.
15:01
Okay, if I go to cat passwd, do I have
15:03
the new user? So as we saw in the previous, you know, execution of the Perl script, I had a lot of information that was actually readable by me, by the root user. Uh, you know, if I execute this, uh, with, uh, you know, I just su to the user,
15:24
I just switch to my user and I have to, you know,
15:28
uh, execute this.
15:35
I can see that... not that many files, but that's the point, you guys. I mean, we can know which files we can find, locations. We can even find locations where you can write files too. I mean, you will face several in your penetration testing process.
15:56
You will see that most of time
15:56
you will end up trying to find
16:00
where you can actually read, uh, say, files or upload files or, you know, see what files can actually be, uh, modified by us. Oh, yeah, you can actually
16:14
write this type of code so you can actually get, um,
16:18
the information you're looking for. And you know, later in this course, we'll see something called sticky bit, um, where, you know, there's a configuration problem, um,
16:30
where, you know, a file is executable. It will be executed with root permissions, but it can actually be modified and executed by any user in
16:44
the Kali system or in the Linux system. And this will help you to escalate privileges, but we'll see that later in the course. But for now, you can see the magic of using Python and Perl scripts for, you know, real-life scenarios like the one I just
17:03
showed you.
17:03
But that's the point. You can automate and execute all this, um, in an automatic way so you can make your life easier.
17:15
Post-assessment questions: is this information gathering technique considered to be passive or active? Well, definitely active. Even some of these information gathering techniques can be executed once you're in the victim system, when you're in the victim system.
17:33
Uh, so yeah, it's definitely active.
17:34
How can you import modules in Python? Well, just write the command import and the module you want to import. That's it.
17:44
What is performed by the command chmod +x? Well, this is actually to give execute permissions to the file you are looking for, or the one you want.
17:55
The summary: in this video we saw some Python and Perl scripts to perform several pentesting techniques that make our tasks easier.
18:04
We executed some Python and Perl scripts to understand how they can help us in our pentesting process.
18:11
Supplemental material I found really useful. I mean, I found this page really useful. It has a lot of information about how to execute Python commands or Python scripts, and it actually has some real-life scenarios that can help you to sharpen
18:32
your Python
18:33
programming skills. Ah, and also, the go-to for Perl is, you know, their web page, perl.org. Um, yeah, you can go there and find, you know, sharpen your Perl scripts. So most of the time I get the question: do I have to be a programmer to be a pentester? Well,
18:52
kind of. I mean,
18:53
you don't have to be a master in programming, or in Python or in Perl. But, you know, knowing the basics and, you know, getting familiar with the scripting languages and everything, it can help you, because sometimes you will end up modifying
19:11
scripts that were already created to exploit a vulnerability,
19:15
and some of the time you will actually have to create your own scripts
19:21
to actually exploit a vulnerability. So, yeah, maybe you don't have to be a master, but you do have to, uh,
19:27
you have to be familiar with the programming languages you will be using. And it could be only one. I mean, you can go and stay with Python, and that's perfectly fine. But some public exploits you'll see will be written in Perl,
19:42
in Ruby, or in other programming languages. So you just have to know the basics
19:48
of each programming language at least,
19:51
and look forward to the next video. We'll cover some vulnerability scanners. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor