Exploitation (part 3) Directory Traversal

Video Activity

This lesson covers directory traversal. Participants learn step by step instructions in accessing SAM files in order to find what is in a directory. Directory traversal allows users to discover passwords and access files and software.


Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription
00:04
All right, let's take a look at that Zervit 0.4. We saw that it was
00:09
pretty
00:10
fragile just from our nmap scan. With the version scan we managed to make it fall down. Luckily, we know how to turn it back on,
00:20
but we can actually, as we saw, do a directory traversal just by talking to it directly through the web server. We're less likely to bring it down in that case;
00:30
we're actually using it the way it was intended. So we found an example on Exploit Database.
00:38
We decided it was, I believe, five directories back
00:42
to get to the C drive. We did boot.ini, and sure enough, it says "save file". We found something; otherwise it'll say "file not found".
00:51
So from there, our other question is: one, what can we see? We're not entirely sure
00:57
who we're running as. Well, of course we know, since we started it as the user Georgia, running as an administrator. So it's not SYSTEM.
01:06
It will have access to any of Georgia's files,
01:10
if we happen to know the name of any of Georgia's files, which we may or may not,
01:18
but
01:19
we may have some other options we might want to go after. We know this is Windows XP. We could find that out
01:26
from our scans,
01:27
so we won't be able to access the database of passwords, or the SAM file, directly. We won't have access to that. But on Windows XP, we actually do have
01:38
a backup
01:42
of the SAM file. In C:\
01:45
Windows\
01:47
System32\
01:49
config,
01:52
SAM is the original, which is what we want, but we don't have access to that.
01:57
In C:\Windows\
02:00
repair\
02:01
sam.
02:04
If we save that file,
02:07
sam,
02:09
then in order to open that, we need
02:12
the syskey out of the system hive,
02:15
which may not be entirely up to date. Newer
02:21
passwords may not be in there, or passwords may have been changed, so this may or may not be helpful to us. Newer versions of Windows are not going to have this. It's not on Windows 7,
02:30
but if we are able to access these files, it's worth a shot. We'll use them during our password hacking section. We'll see they're not as useful as, say, hashdump, certainly, but there's something.
02:44
So based on what other software we saw, we can do some Googling. I've just gained some knowledge over time about other things we might be able to find. For instance, we know FileZilla FTP is on here as part of XAMPP.
02:59
And so, by default, if we go to C:\xampp,
03:02
then FileZilla
03:07
FTP,
03:08
then FileZilla Space
03:14
Server
03:15
dot xml. This file is a configuration file for FileZilla, and it stores password hashes
03:24
for our users of the FTP server
03:28
in MD5 format. So we'll see this during our password
03:32
guessing
03:35
or cracking phase. This is just maybe something where we might be able to crack passwords. MD5 is going to be
03:42
basically based on
03:44
being able to
03:46
use the correct word in our wordlist to crack it. There have been things like collision attacks and such against MD5. It's not
03:53
a perfectly secure algorithm, like some of the others, but it's not as broken as the LM hash that we'll see for legacy Windows in our password hacking section. But
04:05
we download those. This is another file that might be useful to us.
04:11
Just call it, um, uh,
04:15
now,
04:17
it's saving on the desktop by default; we could, of course, change that. We go to the desktop and cat out
04:25
FileZilla Server.xml.
04:28
We can see, here's Georgia.
04:30
We remember from our traffic capture section, we actually captured Georgia's password in plaintext, so we actually don't need to crack this, but we could certainly try, and we will in our password cracking section.
04:46
So also, there is a default account called newuser, and newuser does have a password,
04:51
similarly to our WebDAV. We may or may not actually need to crack this one. We may be able to find out what the default password that's built in for newuser is and
05:00
assume, possibly, that our users did not change this password. They didn't even know this account was there.
05:08
Gotta love software that installs with defaults and doesn't actively tell you about it. And there is anonymous.
05:15
We've seen that previously already; that came up on our scans, and we also saw that there might be something we want
05:20
in the anonymous FTP. There also might be something in Georgia's FTP that we want.
05:27
Now,
05:28
a few things. Those certainly aren't all the interesting files we might want to go after.
05:33
This is just to start. I mean, based on what software's on there, you may have other options like this. I mean, there's lots of software that
05:42
stores some sort of
05:44
password hash.
05:46
Some of them even have ways to decrypt it. It's like,
05:50
I'm not sure what class it was, some class I took, where it was some program, and it was like, encrypted with Blowfish, and you could just really easily get it back out by decrypting it.
06:01
Um,
06:02
it was like you just made a couple of changes to the Visual Basic script that was actually part of the program. So I just know you'll see all sorts of stuff. It's certainly worth looking into these directory traversals where available, and in cases like this, where it's like, if I touch it, it might fall down,
06:21
using things as intended, like with our upload that we've been doing and
06:27
things like this with the directory traversal. They don't require any memory corruption. They're a lot less likely to cause a problem. You certainly can't give a 100% guarantee there won't be a problem, but you can be much more confident that it won't cause a problem.