Vulnerability Scanning (part 6) Directory Transversals

00:04

I didn't mention of the end of the last video, but your breath buster actually also found our ticky wicky so it wouldn't have found a particular vulnerability. We would have needed

00:13

*** really scanner

00:15

or manual analysis and research to find that, but it would find the Tiki Wiki directory.

00:24

So speaking of manual analysis, that's always a good one as well. Sometimes there's just no tool in the world that's going to figure it out, so we might have to look at things manually. We did see that we had deserve it. 0.4 additional. What came out of the version scan on Port 32 32 on Windows X P.

00:43

However, we also know that it's really fragile. It fell down even with the version scan

00:48

independence. We may never see it again after that. Of course. We know how to turn it back on.

00:55

See if we can find anything about that. Deserve it. You're a point for

01:08

Look, look.

01:11

Got a couple things here at the source. Carried a source. Words.

01:18

Well, maybe the source code. It may just be inexcusable.

01:23

Now. I'm curious.

01:27

That is a pro.

01:33

So that's actually cute. Herbal

01:34

Well, I thought maybe it had the source. We go into some source code, revere

01:40

a little ahead of ourselves.

01:42

If the source code is available and you have the time, why not?

01:47

It looks like we've got directory traverse. ALS also looks like some memory corruption, a buffer overflow. Since we know it's really fragile, I would generally steer clear of the buffer overflow there anything memory, corruption. Since we heard you know it's liable to fall down if we make a mistake.

02:05

Directory Traverse, along the other hand, might be an okay thing to work with will be using the

02:08

Web server as intended.

02:12

We'll just be

02:14

moving around of it. So what directory Traverse allows us to do is

02:19

and move out of our Web server directory? So access other parts of the final systems on the example here grabbing boot dot I and I

02:32

so

02:34

you could see if that works for us. If we do a neck at

02:38

you must not do, we could do it with that cat. Certainly must do it

02:43

like this.

02:45

So we want 1 91 to 8. I wonder suddenly, six

02:50

port is 32 32 we want

02:53

says

02:55

induction html Question mark.

02:59

Just do indoor start chemo.

03:01

It's not your thing

03:15

down random. Awesome.

03:17

Didn't even talk to it yet.

03:23

C one explanation. Also, the sisters are in their starting chemo. Oh, cool.

03:30

The directory listening. So actually a most directory listening sure and bones so we can see

03:38

what hole is on. George is just up. Can we move out of it? We go up,

03:43

it doesn't want to let us go up. It's not gonna let us move to different directories. What? We can see what's on the desktop.

03:50

Cool, because we're all stuff I and sold. It's like

03:53

wounded up by an immunity de bugger for exploit development. Was I humped

04:00

all sorts of stuff lying around cool.

04:03

But

04:05

according to this,

04:09

we do dot Do a question mark after index dot html and do, dot, dot, dot, dot, dot, dot dot is gonna move back the next director.

04:17

This is 12345 and that gets us to boot dot I and I

04:21

that's gonna be on Windows X P system, such as, basically has boots settings. It's not really all that interesting from a PIN test perspective, but it does prove that we're able to access other files. So on exploitation we can hopefully find something a little more interesting.

04:36

But we could at least to see if it works.

04:40

Index of hte email question Mark

04:45

How many was it? One. Do 345

04:54

Gupta on and I

04:58

we save file

05:00

Good bye, and I

05:03

shaved it to the desktop PC desktop that

05:09

that I and I. Sure enough,

05:12

So the only thing that may have been here is based on Where's Herb? It is installed. We just happened to get lucky here. That five was correct.

05:18

It might be in its own folder somewhere else besides the death stop.

05:24

So you may have to try a different dot dot numbers.

05:29

I wouldn't give up just because it didn't happen the right time. I might try six or seven sets of dot dots before I gave up.

05:38

Well, that's another thing we can potentially exploit.

05:41

If we can find some interesting files on here that we can access, it may not be able to access system files. It is started by the user, Georgia, which we wouldn't know that. But whoever started the Web server is we're going to have their access. So

05:57

unless it was started by system, we won't have access to all smiles. But we may be able to find something sensitive nonetheless.

06:11

So one last thing I want to d'oh

06:15

is I want to net cat to our wonder. Their fee on Port 25 remember that they're a fiver was enabled. When we looked at her in mount Scripting engine, It said that verify

06:31

we are. Why is enables if would you? We are f y Georgia

06:40

does. Georgia does exist.

06:42

Well, for James,

06:44

you're not local.

06:46

So while this again isn't gonna give us access to the system, it does allow us to find valid user names that we might be able to use to well, again.

06:56

If you have just installed your pop three server or your brother your S o male,

07:01

you'll see that,

07:04

um, the missile male has popped. Three enables. You could try and guess Georgia's password,

07:11

which probably guess what it is, um, through pop three if you wanted to. But again, that is going to go down after 15 days. So it's the wild goose chase vulnerability. Otherwise, we'll have other options for

07:28

being able to guess passwords. But is that top three system?

07:31

Her service is still up. You can try that as well.

07:36

That's what we're gonna do for vulnerability analysis. I do encourage you just in time with the different tools. Maybe try some other vulnerability scanners. If you can get a free trial or a home addition,

07:47

Um