What's up guys, John Hammond here, coming back at you with some more videos on Natas, the OverTheWire wargame for web application security. Just got the password for level seven. We can probably clean up some of these comments here; they've been around for too long, and I'm sure you're probably getting sick of looking at them. We don't need... actually, we do want to keep printing the content, just in case. We're ready to move on to the next level, and we won't need to submit anything because we're not POSTing just yet. Let's just get the page for Natas level seven and see what we're working with here. I'll run this, Ctrl+B. And here is our prompt, here is the file, and the web page that we get back with Natas 7. Great.

In the content div we've got links here to page=home and page=about, and there's an HTML comment here, a hint: "password for the web user natas8 is in /etc/natas_webpass/natas8". So, hmm. I'm sure you're probably wondering why we are passing variables to the index.php page to refer to the page that we actually want to view, like home and about. Um, are those actual... is home like a thing we can read, or is about a thing we can access, even in this current directory or something? If I just reach that, yes, okay, so that in itself is being included in the index page. So I'll just kind of zoom out here so you can see this a little bit better. Let's say we gave it this URL. Let's say we tried to read index.php with a page variable being sent with the GET variable, saying that we want to go to about. Okay, it gives us "this is the about page". So this text that we were able to see when we went to just straight about, that must be the raw text of that file, and about is its own file. So we must be reading a file that is being included in index.php. So index.php must be able to read other files with that page variable. So when we went to home, it gave us the links here.

This is the front page. And about: this is the about page. So if we can just access raw files, maybe the vulnerability here, or the issue, the gimmick we can take advantage of, is called local file inclusion. So, local file inclusion, LFI, and you can probably see here in the OWASP security update and summary here. Here's an example: when you have a page on a website that is using a parameter or an argument, typically, at least most commonly, in like a GET request, to load another page, we can then take advantage of that and kind of abuse it, make a request to a different file located elsewhere on the server. Like, we're gonna get /etc/passwd if we backstep through the file system a little bit, because we don't know where in the file system we might be, where the root directory of the file server might be. Like, we could be in /var/www/html/stuff if it's like an Apache server, or etc. So we'll use the parent directory, the two periods, to keep moving up, up, up the file system, eventually get to the root directory, and we can read other files out of it. Let's try that. Um, I will use that as the attack here: multiple parent directory symbols, period period, and then let's see if we can view it, /etc/passwd. We can. Okay, because that page is just straight up leaking it for us. It's including that file. So we can get some local file inclusion and explore things in this website, in this web server.

This is actually pretty dangerous, especially if we get to like, um, the current process. If we can get the process ID... I think it's /proc/self, right? cmdline, maybe that will... yeah, we can see like, okay, how is this command started? Um, what memory maps does it have open? The /proc/self... I'll check this out in a command line. /proc/self, the file system, that directory, will let you see really interesting things for how the program is being run. So since Apache is serving this web page, we're seeing how Apache was started with that. But whatever, we want to get to the password.

We want to get to what we're really looking for to move on in Natas. So let's try this, let's use that attack, local file inclusion, with /etc/natas_webpass/natas8. And we've got it right here. Cool, we leaked out the password. So how can we steal this? Um, with a regular expression on the content. Let's go: probably a newline character, then a <br>, um, newline character, newline character, and then the hint, the start of the hint comment. Let's see if that will actually return for us. Will that get it? It will. Awesome. So the newline character is just representing the breaks in the text there, and we retrieve everything and use the HTML comment to note that this is the very end of what we're trying to reach. Great.

So that's how we stole the password using some local file inclusion, a legitimate vulnerability in a lot of web servers and web applications. There isn't a whole lot of security or mitigation techniques to prevent it, because most commonly you'll see websites that will try and filter out these period-periods or do kind of peculiar things in how we can load some of the files, or try and protect those things. But obviously local file inclusion is a really bad vulnerability to begin with, but it's pretty cool. So, all right, thanks for watching this, guys. Uh, wow, I don't even know what I just said here. Thanks for watching this video, guys. I say a lot of words. Hope you guys are enjoying this series, hope it's pretty cool. I hope you're doing some neat hacker things and cyber skills and Sublime Text and Python, but I'll see you in a later video.
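As an added example (mine, not code from the video or from the Natas servers), here is the page-parameter include pattern behind this level, modelled in Python so it runs stand-alone: the unsafe resolution that lets `..` walk out of the web root sits beside two hardened forms (a fixed allowlist, and a realpath-style confinement check for sites that really need free-form names), followed by a quick pass over constructed access-log lines to flag traversal attempts after URL decoding. The web root `/var/www/html`, the log lines and all function names are assumptions; nothing is read from disk.

```python
"""Page-parameter include: unsafe vs hardened resolution, plus log check.

Added example, not from the video. Paths are only built and compared,
never opened. WEB_ROOT and the log lines are constructed for illustration.
"""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"          # constructed web root (assumption)
ALLOWED_PAGES = {"home", "about"}   # the two pages index.php actually links to


def resolve_unsafe(page: str) -> str:
    """Mirror the vulnerable behaviour: join whatever the client sent onto the
    web root and normalise it. '..' segments walk out of the root, which is
    why ?page=../../../../etc/passwd ends up pointing at /etc/passwd."""
    return os.path.normpath(os.path.join(WEB_ROOT, page))


def resolve_allowlist(page: str) -> Optional[str]:
    """Hardened form 1: the parameter is a key into a fixed set, never a path.
    Anything not in the set is rejected before a path is ever built."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(WEB_ROOT, page + ".php")


def resolve_confined(page: str) -> Optional[str]:
    """Hardened form 2: decode, normalise, then refuse anything that is not
    strictly inside the web root. The trailing separator in the prefix check
    also rejects sibling directories such as /var/www/html_evil."""
    decoded = unquote(unquote(page))          # double-decode to defeat %252e%252e
    if "\x00" in decoded:                     # NUL bytes truncate paths in old PHP
        return None
    root = os.path.normpath(WEB_ROOT)
    candidate = os.path.normpath(os.path.join(root, decoded))
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate


# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 480',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2100',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fnatas_webpass%2fnatas8 HTTP/1.1" 200 120',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def flag_traversal(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_request_path) for every log line whose
    request path contains a parent-directory sequence once URL-decoded, so
    percent-encoded '..' does not slip past a plain substring match."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        decoded = unquote(unquote(match.group(1)))
        if "../" in decoded or "..\\" in decoded:
            hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    probe = "../../../../etc/passwd"
    print("unsafe   :", resolve_unsafe(probe))
    print("allowlist:", resolve_allowlist(probe))
    print("confined :", resolve_confined(probe))
    for number, path in flag_traversal(SAMPLE_LOG):
        print(f"line {number}: traversal in {path}")
```

The allowlist is the form to reach for when the set of includable pages is known, as it is here; the confinement check exists for the case where names genuinely come from the client, and it deliberately compares normalised prefixes rather than stripping `..`, since stripping is exactly the kind of filter the video says sites try and attackers work around.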