I didn't mention it at the end of the last video, but your DirBuster actually also found our TikiWiki. It wouldn't have found the particular vulnerability; we would have needed our manual analysis and research to find that, but it would find the TikiWiki directory.

So speaking of manual analysis, that's always a good one as well. Sometimes there's just no tool in the world that's going to figure it out, so we might have to look at things manually. We did see that we had Zervit 0.4. That came out of the version scan on port 3232 on Windows XP. However, we also know that it's really fragile. It fell down even with the version scan. We may never see it again after that. Of course, we know how to turn it back on.

Let's see if we can find anything about that: Zervit 0.4. Got a couple of things here, the source, Zervit source. Well, maybe the source code. It may just be an executable. Well, I thought maybe it had the source. We'd go into some source code review, but we're getting a little ahead of ourselves. If the source code is available and you have the time, why not?

It looks like we've got directory traversal. It also looks like some memory corruption, a buffer overflow. Since we know it's really fragile, I would generally steer clear of the buffer overflow, or anything memory corruption, since we know it's liable to fall down if we make a mistake. Directory traversal, on the other hand, might be an okay thing to work with. We'll be using the web server as intended, just moving around in it. So what directory traversal allows us to do is move out of our web server directory and access other parts of the file system. In the example here, grabbing boot.ini.

Let's see if that works for us. We could do it with netcat, certainly. So we want the target's IP address, port 3232, and we want index.html question mark. Just do index.html. Awesome. We didn't even talk to it yet. Oh, cool: directory listing. So actually it has directory listing turned on, so we can see what all is on there, on Georgia's desktop. Can we move out of it? We go up; it doesn't want to let us go up. It's not going to let us move to different directories. But we can see what's on the desktop. Cool, because there's all the stuff I installed. I wound up with Immunity Debugger for exploit development, all sorts of stuff lying around. Cool.

We do a question mark after index.html and do ../../../../../ and each dot-dot is going to move back to the next directory up. This is one, two, three, four, five, and that gets us to boot.ini. That's going to be on a Windows XP system; it basically has boot settings. It's not really all that interesting from a pentest perspective, but it does prove that we're able to access other files. So in exploitation we can hopefully find something a little more interesting. But we could at least see if it works. index.html question mark, how many was it? One, two, three, four, five, and that's boot.ini. Sure enough.

So the only thing that may differ here is based on where Zervit is installed. We just happened to get lucky here that five was correct. It might be in its own folder somewhere else besides the desktop. So you may have to try a different number of dot-dots. I wouldn't give up just because it didn't happen the first time. I might try six or seven sets of dot-dots before I gave up.

Well, that's another thing we can potentially exploit, if we can find some interesting files on here that we can access. It may not be able to access system files. It is started by the user Georgia, which we wouldn't know, but whoever started the web server is whose access we're going to have. So unless it was started by SYSTEM, we won't have access to all the files. But we may be able to find something sensitive nonetheless.
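As an added example, not code from the video or from the Zervit project, the following Python shows the class of flaw the transcript exploits (a server joining a client-supplied path onto its document root with no containment check) beside a hardened resolver, and a simple access-log scan that flags traversal attempts, including percent-encoded and backslash variants. The document root `/srv/www`, the log format and the log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root; the real server's root is not on the page.
DOCROOT = "/srv/www"


def vulnerable_resolve(docroot: str, requested: str) -> str:
    """Joins the client-supplied path onto the document root with no
    containment check: the flaw class that ../ sequences walk out of."""
    return posixpath.normpath(posixpath.join(docroot, requested.lstrip("/")))


def safe_resolve(docroot: str, requested: str):
    """Returns the resolved path only if it stays inside docroot, else None.

    Percent-decodes twice (to catch double encoding) and folds backslashes
    to forward slashes so Windows-style ..\\ cannot slip past a check that
    only looks for ../ . The containment test is done on the normalized
    path, not by searching the raw string for '..'."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Candidate must be the root itself or sit strictly beneath root + "/"
    # (startswith(root) alone would accept /srv/www2 as inside /srv/www).
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# A ".." hop: at the start or after a separator, '?', '=' or '&', and
# followed by a separator or end of string. "logo..png" does not match.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/?=&])\.\.(?:[\\/]|$)")


def flag_traversal_requests(log_lines):
    """Scans constructed access-log lines of the form '<client> <method> <request>'
    and returns (client, raw_request) pairs whose decoded request contains a
    ../ or ..\\ hop. Decoding twice catches %252e-style double encoding."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the scan
        client, request = parts[0], parts[2]
        decoded = unquote(unquote(request))
        if TRAVERSAL_RE.search(decoded):
            hits.append((client, request))
    return hits


# Constructed sample log; the addresses and requests are invented.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html",
    "10.0.0.7 GET /index.html?../../../../../boot.ini",
    "10.0.0.7 GET /index.html?..%5c..%5cwindows%5cwin.ini",
    "10.0.0.9 GET /images/logo..png",
    "10.0.0.5 GET /index.html?%252e%252e/%252e%252e/boot.ini",
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve(DOCROOT, "../../../../../boot.ini"))
    print("hardened:  ", safe_resolve(DOCROOT, "../../../../../boot.ini"))
    for client, req in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", client, ":", req)
```

The resolver works on pure path strings, so it runs without a real document root; in a live server the same containment test should be applied after resolving symlinks (e.g. with `os.path.realpath`), since a link inside the root can also point outside it.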
So one last thing I want to do is netcat to our Windows XP on port 25. Remember that VRFY was enabled: when we looked at it in the Nmap Scripting Engine, it said that VRFY is enabled. If we do VRFY Georgia, Georgia does exist. So while this again isn't going to give us access to the system, it does allow us to find valid usernames that we might be able to use.

Well, again, if you have just installed your POP3 server, your SLMail, SLMail has POP3 enabled. You could try and guess Georgia's password, which you could probably guess, through POP3 if you wanted to. But again, that is going to go down after 15 days, so it's the wild goose chase vulnerability. Otherwise, we'll have other options for being able to guess passwords. But if that POP3 service is still up, you can try that as well.

That's what we're going to do for vulnerability analysis. I do encourage you to spend time with the different tools. Maybe try some other vulnerability scanners, if you can get a free trial or a home edition, the Nmap Scripting Engine and such, DirBuster, or things like that. I encourage you to become familiar with them.