Modifying the Code to Fit the Environment

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
modifying the code to fit the environment
00:04
are learning objective is to demonstrate how to analyze and then modify code to fit the environment.
00:10
So I've spoken about this before when we find exploit code and exploit DB or wherever it may be,
00:15
whoever authored that code doesn't know the environment we're working in. They will leave I. P. Addresses, whatever exploit that worked for them. They'll leave I. P. Addresses and assume that we know to change it to our environment. They leave ports
00:30
like FTP 21 whereas in our environment it could be port 5000, Who knows?
00:36
But in some cases you'll see the exploit code. They actually give us in the comments that it's a hard coded iP address.
00:43
Um even in pen test monkeys. PHP reverse shell.
00:47
You know, he'll say change this, change this. Very nice of him to do that.
00:52
But not everybody does that.
00:54
And that's the same with web requests. So Wordpress maybe in a directory called Wordpress and maybe in the root directory or it may be in some other name. Directory like WP.
01:04
So when you run your exploit, it may not work because you didn't have the correct directory structure. It's also the same with WP scan, right? If I use WP scan against a host, it will say it couldn't find wordpress. But if I specify the directory wordpress,
01:21
then it will find that you have to help these tools and these exploits and guide them
01:26
to find the right directory. And there have been times where I've missed a hard coded I. P. Address or I've missed a port or I've missed the correct directory structure and my exploit won't work. So with that in mind let's go to a demo.
01:41
So I'm gonna do my end map scan here
01:45
and I'm not going to do the full port scan because that will take a while. But I notice a few open ports so it may not just be that there's one open port and that's our vulnerable service. There could be many open ports and we have to kind of sift through that information and determine what's the lowest hanging fruit
02:02
because we could try to do things like brute force,
02:07
SMB
02:08
or RDP but I see here that FTP has anonymous login allowed and that is Konica Minolta FTp utility.
02:16
I wanna of course manually verify that FTP is allowed with anonymous login.
02:29
I can see that I logged in here
02:32
but I can also like I said google dork. So I would I would take the Konica Minolta
02:38
FTp utility information
02:44
and you could do something like google
02:50
site
02:52
exploit
02:54
db dot com
03:06
and we see that we have three here but let's choose the first one.
03:08
I can either download this directly from the website
03:12
Or I see it's 392 and five. I could use search split as well
03:17
so I could use search exploit
03:20
attack em
03:21
392 and five and that will download that to my desktop.
03:25
So if I analyze the code I'll open it with mouse pad now
03:30
be a little different than g edit
03:34
like I said it's very nice that we have the comments up here
03:37
and this is a buffer overflow so we should be used to seeing this code
03:42
this buffer here that this may look like our pattern create that we did in our
03:46
in our module
03:50
but we don't have to go through that whole process. Right. We already have a lot done for us by the author of this exploit.
03:55
We do see an MSF venom payload
03:59
that will have to change the L. Host to us.
04:02
We can we can leave the airport as well if we wanted to to 4444. We already see that all the bad characters are picked out here.
04:11
If we keep reading the code, we see that we have in hard coded ip and the author was kind enough to tell us that.
04:16
So we need to change this
04:19
to our host
04:21
And we know it's on Port 21 so we don't have to change that. And we also know anonymous login is allowed so we can leave that as well.
04:29
So now what we need to do is MSF venom.
04:40
So I will change this to us.
04:50
You'll see the architecture X 86. That might be different in our case. So
04:56
pay attention to that as well.
04:59
Sometimes it works, sometimes it won't work.
05:02
So I will change this code in here,
05:06
paste
05:24
now I'll split this vertically. I'll do Net Cat.
05:28
And what we'll see here is do we know if this is Python two or 3?
05:33
I could try to execute this and you'll see it's giving me all these errors.
05:40
Also, maybe I didn't commit it correctly. I didn't seem odd.
05:45
Plus X
05:49
39
05:51
So that might be the problem. Again, I have an error.
05:55
I have to figure out is this python two or 3?
05:58
I could do python to just because it looks like Python 2 to me
06:05
and we see it sent the buffer and now we've got our shell.
06:13
So that's how to find public, exploit code,
06:15
download it
06:17
modified to fit our environment. And ultimately led us to get us to get a shell and also understanding the version of python. Right then why our system may or may not work or we have to debug why something is or isn't working.
06:38
So in summary. Now we should be able to demonstrate how to analyze and then modify code to fit the environment
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By