Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This video covers manual analysis of a system and using directory traversals. This involves moving outside the web server's document directory to retrieve files from other parts of the file system.

Video Transcription

00:04
I didn't mention it at the end of the last video, but your DirBuster actually also found our Tiki Wiki, so it wouldn't have found the particular vulnerability. We would have needed
00:13
a vulnerability scanner
00:15
or manual analysis and research to find that, but it would find the Tiki Wiki directory.
00:24
So speaking of manual analysis, that's always a good one as well. Sometimes there's just no tool in the world that's going to figure it out, so we might have to look at things manually. We did see that we had Zervit 0.4. That's what came out of the version scan on port 3232 on Windows XP.
00:43
However, we also know that it's really fragile. It fell down even with the version scan
00:48
We may never see it again after that. Of course, we know how to turn it back on.
00:55
See if we can find anything about that. Zervit 0.4.
01:08
Look, look.
01:11
Got a couple things here at the source. Carried a source. Words.
01:18
Well, maybe the source code. It may just be an executable.
01:23
Now. I'm curious.
01:27
That is a pro.
01:33
So that's actually cute. Herbal
01:34
Well, I thought maybe it had the source. We'd go into some source code review,
01:40
a little ahead of ourselves.
01:42
If the source code is available and you have the time, why not?
01:47
It looks like we've got directory traversals. It also looks like some memory corruption, a buffer overflow. Since we know it's really fragile, I would generally steer clear of the buffer overflow there, or anything memory corruption, since we know it's liable to fall down if we make a mistake.
02:05
Directory traversal, on the other hand, might be an okay thing to work with. We'll be using the
02:08
web server as intended.
02:12
We'll just be
02:14
moving around in it. So what directory traversal allows us to do is
02:19
move out of our web server directory to access other parts of the file system, and the example here is grabbing boot.ini.
02:32
so
02:34
We could see if that works for us. If we do a netcat,
02:38
you must not do, we could do it with netcat. Certainly must do it
02:43
like this.
02:45
So we want 1 91 to 8. I wonder suddenly, six
02:50
port is 3232, we want
02:53
says
02:55
index.html question mark.
02:59
Just do index.html.
03:01
It's not your thing
03:15
down random. Awesome.
03:17
Didn't even talk to it yet.
03:23
C one explanation. Also, the sisters are in their starting chemo. Oh, cool.
03:30
The directory listing. So actually it has directory listing turned on, so we can see
03:38
what folder it's in: Georgia's desktop. Can we move out of it? We go up,
03:43
it doesn't want to let us go up. It's not going to let us move to different directories, but we can see what's on the desktop.
03:50
Cool, because we've got all our stuff installed. It's like
03:53
WinDbg, Immunity Debugger for exploit development. Was I humped
04:00
all sorts of stuff lying around. Cool.
04:03
But
04:05
according to this,
04:09
we do a question mark after index.html and then dot dot slash, dot dot slash, and so on; each dot dot is going to move back to the next directory.
04:17
This is one, two, three, four, five, and that gets us to boot.ini.
04:21
That's going to be on a Windows XP system; it basically has boot settings. It's not really all that interesting from a pentest perspective, but it does prove that we're able to access other files, so in exploitation we can hopefully find something a little more interesting.
04:36
But we can at least see if it works.
04:40
index.html question mark
04:45
How many was it? One, two, three, four, five.
04:54
boot.ini
04:58
We save the file.
05:00
boot.ini
05:03
Saved it to the desktop. See, desktop, that
05:09
boot.ini. Sure enough.
05:12
So the only thing that may be different here is based on where Zervit is installed. We just happened to get lucky here that five was correct.
05:18
It might be in its own folder somewhere else besides the desktop.
05:24
So you may have to try a different number of dot dots.
05:29
I wouldn't give up just because it didn't work the first time. I might try six or seven sets of dot dots before I gave up.
05:38
Well, that's another thing we can potentially exploit.
05:41
If we can find some interesting files on here that we can access. We may not be able to access system files. It is started by the user georgia, which we wouldn't know, but whoever started the web server, we're going to have their access. So
05:57
unless it was started by SYSTEM, we won't have access to all files. But we may be able to find something sensitive nonetheless.
06:11
So one last thing I want to do
06:15
is I want to netcat to our SMTP server on port 25. Remember that VRFY was enabled; when we looked at the Nmap Scripting Engine, it said that VRFY
06:31
is enabled. If we do VRFY georgia,
06:40
georgia does exist.
06:42
Well, for james,
06:44
user not local.
06:46
So while this again isn't going to give us access to the system, it does allow us to find valid usernames that we might be able to use. Well, again,
06:56
if you have just installed your POP3 server, or rather your SLMail,
07:01
you'll see that,
07:04
um, the SLMail has POP3 enabled. You could try and guess georgia's password,
07:11
which you can probably guess what it is, um, through POP3 if you wanted to. But again, that is going to go down after 15 days, so it's a wild goose chase vulnerability. Otherwise, we'll have other options for
07:28
being able to guess passwords. But if that POP3 system,
07:31
or service, is still up, you can try that as well.
07:36
That's what we're going to do for vulnerability analysis. I do encourage you to spend some time with the different tools. Maybe try some other vulnerability scanners if you can get a free trial or a home edition,
07:47
Um
07:48
Nmap Scripting Engine and such, DirBuster or things like that. I encourage you to become familiar with them.

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor