CompTIA Pentest+ PT0-002 – Section 22: Analyzing Scripts Part 3
March 20, 2023

213. Python Example (OBJ 5.2)

This time, we’re going to look at a Python script. So here on the screen, you’ll see the Python script. Now again, on the exam, they’re not going to tell you it’s a Python script, they’re going to expect you to be able to figure that out. Now, what are some dead giveaways for us that this is a Python script as opposed to something else? Well, for one, we have variables that don’t have a dollar sign or an underscore, so we know that it’s not going to be something like a PowerShell or a Ruby script. But how do we know it’s Python? Well, for me, it’s the print command. None of the other ones use print. They mostly use echo or puts, right? And so the fact that I see print in here tells me it’s Python. So what is this script doing anyway? Well, let’s walk through it. The first thing is import. It’s importing in a user library called user library 2. That’s just going to give us extra functions that we can use. We’re then going to define a function. So define get_public_ip from request_target. Next, we’re going to use grabber, which is going to equal URL library 2.build_opener, which is probably going to build some sort of an opening thing, right? It’s going to grab something.

That’s all we know at this point, right? Next, we have grabber.addheaders equals User-agent, Mozilla/5.0. What’s that got to do with anything? Well, Mozilla is a web browser, right? And addheaders sounds like it’s the header. If you remember the way web browsers work, they tell a website hey, I am Internet Explorer version six or I am Mozilla version 5.0 so they know what kind of language to send back to them and what the screen should look like. So in this case, whatever we’re trying to do here, we’re trying to impersonate the fact that we are in Mozilla 5.0 web browser. That’s what we’ve learned so far. Next, we’re going to try something. Try: This is basically a case statement, right? Try this, then that, then this, right? Except we’re going to use try, except, except, return. So when I try, public_ip_address equals grabber.opener, parentheses, target_url.read. What do you think that does? Even if you don’t know Python, you can kind of get an idea here because it’s pretty human readable, right? I’m going to read something and I’m going to use this grabber program that I’m using to open a target website, a target URL. Now, if I have an exception, an HTTP error, I’m going to give the error to the screen. Print, there was an error trying to get your public IP address.

And that’s going to be the error. Next, I would have if I have the error of a URL error. It’s going to say there’s an error trying to get your public IP address again. And then I’m going to return public_ip_address if I don’t have either of those two errors. So what do you think we’re doing so far? We’re trying to figure out our own IP address. That’s all we’re trying to do with this script. Okay? We’re going to use public_ip address equals none. We’re setting the variable to none. Target_url equals whatever that target is that we’re trying to use. In this case, we’re using ip.42.pl/raw. And then I have public_ip equals get_public_ip from that target_url, whatever that website is. So we’re trying to identify the public IP address for ip.42.pl. That’s what we’re trying to do in this script. Now, if not None, if the variable has been changed because it was successful, then we’re going to print your public IP address is whatever it is. Otherwise, we’re going to put out your public IP address was not found. That’s all the script does. It’s trying to determine a public IP address. It’s a lot of code for a very simple function. Now, how else could you find your IP address? Well, you can go to Google and say what is my IP? And it’ll pop it up. But this is the thing behind it that’s doing it. This is the Python code that’s doing something like that. And so you can see how we can read through this and how we identified that it was Python and what it was doing. That’s what you need to be able to understand for the PenTest+ exam.

214. Coding in Perl (OBJ 5.2)

In this lesson, we’re going to take a look at how you can start coding in Perl. Now, Perl is a language that is commonly used in Linux and Windows web servers and other web servers to run dynamic code for their services. For this reason, you’ll often find yourself, as a penetration tester, writing some exploits in Perl. You can upload the website, and then be able to gain access to a shell by using it. Let’s go ahead and take a look at some of the basics inside a Perl in this lesson. First, whenever you write a Perl script, you’re going to write it similar to the way you did Bash. It’s always going to start out with a hashtag, bang, slash, and the path to your Perl binary. In most cases, this will be slash bin slash Perl. Just like in Bash, if you want to comment a line, you’ll use the hashtag. So hashtag this is the first line of my script is a commented line. Next, we’re looking at variables. Now, in Perl, all variables are going to start with a dollar sign. For example, dollar sign variable equals value semicolon. Notice in Perl, all commands will end with a semicolon at the end of that line to signify you’ve reached the end of the line and the computer can go onto the next command. For example, if I wanted to define the variable customer name, I could use dollar sign customer name equals Jason semicolon.

Now, if I wanted to get the value out of that customer name, I would simply type in dollar sign name in whatever command I’m using, and it will know to substitute that with its value, which is Jason. Now, in Perl, you do not need to declare variable types because it doesn’t support that. So you don’t have to say this is an integer or a floating point or a string. By default, Perl is going to be able to figure that out for you based on the data you give it. If you want to be a able to set a constant though, you can do this in Perl. To do that, you’re going to type in use constant, the name, which will be all uppercase, and then the assignment, which is an equal to greater than sign and the value you want and a semicolon. So use constant, capital P capital I, equal greater 3.1459 semicolon will assign the value of pie to 3.14159. Now, anytime you want to reference pi, you can simply type in capital P capital I inside your script, and it will substitute in that value for pi. Next, let’s talk about arrays. Arrays are going to be defined by using the @ sign. So @tempArray equals parenthesis value one value comma two value comma value three parenthesis semicolon would be a complete statement. Now, if you’re using numbers, you do not have to use quote signs around it. So @ages equals parenthesis 18 comma 21 comma 25 comma 30 end parenthesis semicolon would be a full and a correct statement. But if you’re going to use some kind of strings, you have to put quotes around them. So @names equals parenthesis quote Jason comma quote Susan comma quote David comma quote Tamera parenthesis semicolon would be the correct way to write this. If you want to be able to get information out of an array, you’re going to use dollar sign just like you would with a variable. So you’re going to do dollar sign tempArray, bracket position, end bracket. For example, dollar sign names bracket three end bracket would give me the of Tamera. Next, let’s talk about named arrays or associative arrays. To do these, we’re going to use a percent sign in front of the name. For example, %people would be the named array people.

 So I might use %people equals parenthesis, quote John comma 19, comma quote Melinda comma 35, comma quote Jonni comma 25. end parentheses, semicolon. This says, I now have three key pairs, with John being 19, Melinda being 35, and Jonni being 25. Now, if I wanted to, I can add additional people to my array, but because I’m not defining a new array anymore, I’m going to use the dollar sign. And because I’m using keys, I’m going to use curly brackets. So in this case, I would use something like dollar sign people, curly braces, quote Alex quote, end the curly braces, equals 18 semicolon. This says the person Alex is 18 years old. Now, if I wanted to get information out of this, I would simply type in something thing like dollar sign people, curly brace, quote, and the name of the person. In my case, Jonni. And then end quote, end curly braces, and now, the value would be substituted of 25 because that’s what matches inside of this array for Jonni. Next, let’s talk about comparisons. Now, in Perl, you’re going to use different comparisons if you’re doing numbers or strings. If you’re dealing with numbers, you’re doing numeric comparisons.

To do an is equal to, you’ll use a double equal sign. So if parenthesis dollar sign A equal equal dollar sign B end parentheses would be a complete statement to test is A equal to B? If you want to do not equal, you’ll use the same format, but you’ll use the exclamation equal sign for not equals to. For greater than, you’ll use the greater than symbol. If it’s greater than or equal to, you’ll use greater than equal sign. If it’s less than, you’ll use the less than symbol. And if it’s less than or equal to, you’ll use the less than and equal sign. When you’re doing string comparisons, you’re going to use tech based versions of those instead. So for example, is equal to would be dash EQ. Is not equal to is dash NE. Is greater than is dash GT. Is greater than or equal to is dash GE. Is less than is dash LT. And is less than or equal to is dash LE. Another thing thing we should probably mention here is logical operators. You can combine multiple things together by using logical ands or logical ors in your comparisons. In Perl, using an and would be ampersand ampersand. To use an or, it would be pipe pipe. The pipe key on your keyboard is directly above your enter or return key when you hold down your shift key. It is the straight up and down lines. Next, let’s talk about conditional statements. Let’s start out with ifs. In Perl, you’re going to use if by doing if parenthesis, the condition you want to test, curly bracket, the commands you want to run, and then end the curly bracket. For example, if A is less than 20, print F, A is less than 20 slash N quote semicolon. Notice here the print F command is to print that to the screen. That slash N you’re seeing essentially is just the new line character. When we talked about some of the other languages, we didn’t bother to clean up some of our output. So if I type something like if A is less than 20, print F, A is less than 20 semicolon, that would be able to show an if statement. When I test that, if the value of A is less than 20, I’ll print that statement to the screen. If not, I would ignore that command. Next, we have the if else conditional statement. To write this out, you’ll use if parenthesis condition, end parenthesis, open curly braces, the commands you want to execute if the condition is true, end curly braces, else, open curly braces, the commands you want to execute if the condition is false, and end curly braces. So it might look something like this. Let’s say we wanted to test is A less than 20? And if it is, we’re going to print that A is less than 20 to the screen.

If not, we’re going to print A is greater than 20. To do this, we would use if parenthesis, dollar sign A less than 20 parenthesis, open curly brace, print F quote A is than 20, quote semicolon, closed curly bracket, else open curly bracket, print F quote A is greater than 20, end quote, semicolon, end curly brace. Next, we have our if, else if, else condition. In this case, we’ll use if, parenthesis condition one, end parenthesis, curly brace, the commands you want to execute when condition one is true, end curly brace, E-L-S-I-F or ELSIF, parenthesis condition two, end parenthesis, open curly bracket, anything you want to execute when condition two is true, end curly bracket, else, open curly bracket, all the commands you want to execute if the two conditions above or are not true, end curly bracket. So, what might this look like? Well, let’s say I wanted to see what a test score was and display that to the screen based on its grading criteria. I might have something that looks like this. If A equal equal 100, print F, A has a value which is 100. Else if A is less than 50, print F, A has a value less than 50. Else print F, A has a value greater than 50, and it isn’t 100. This is the idea of how you can use different conditional statements to have flow control inside of your programs. Next, let’s talk about looping. First, let’s talk about for loops. In for loops, we want to execute a condition until an increment has been reached. So it will take the form of for parenthesis init semicolon, condition semicolon, increment, end parenthesis, open curly braces, the statements you want to execute, semicolon, then a closing curly bracket.

Now, this might look something like this. For parenthesis dollar sign A equals one semicolon. dollar sign A less than six semicolon, dollar sign A equals dollar sign A plus one, parenthesis curly brace, print F quote dollar sign A, end quote, semicolon, closing curly bracket. Once you run this, on the screen, you should see 1, 2, 3, 4, 5 because A went 1, 2, 3, 4, 5 and when it became six, that no longer met the less than six condition so it stopped printing. The next one we have is the while condition. The while condition will perform a set of commands while that test is considered true. This will just be while, parenthesis condition, end parenthesis, curly brace, the commands you want to run, semicolon, and then the final curly brace. Now, when you run it, it’s going to look something like this. Dollar sign A equals one semicolon, while parenthesis dollar sign A is less 10 parenthesis, open curly brace, print F quote, dollar sign A quote semicolon, dollar sign A equals dollar sign A plus one semicolon, closing curly bracket. This would then present on the screen. 1, 2, 3, 4, 5, 6, 7, 8, 9, ’cause once we increment to 10, that condition is no longer true and will stop going through that loop. The final loop we have is the until loop. An until loop will perform a set of conditions until a test becomes true. This is written in the same basic format as the while. It’s going to say until, parenthesis condition, end parenthesis, curly brace, the commands you want to run, semicolon, and then the closing curly bracket. Now in this case, you’d have essentially the same thing, but with a different test condition. Let’s say we did dollar sign A equals one semicolon.

 Until parenthesis dollar sign A greater than five, end parenthesis, opening curly brace, print F, quote dollar sign A, end quote, semicolon, dollar sign A equals dollar sign plus one, semicolon, closing curly brace. On your screen, you would see 1, 2, 3, 4, 5 because we’re going to keep running this until we reach a value of six, when then, that condition of a being greater than five becomes true. Next, let’s talk about string operations inside of Perl. To do string operations, you’re going to set a value for a variable to a string. To do this, you’ll use dollar sign test string equals quote test space string end quote, as an example. If you wanted to print that string to the screen, you would use print F, parenthesis, dollar sign test string, end parenthesis, semicolon, and it will print that entire test string to the screen. Now, if you want, you can also take portions of that string like we’ve done in other languages. The easiest way to do this is to create a new variable, and then set the results of a sub string command into it. For example, I’m going to create two variables. These are called sub test string one and sub test string two. For sub test string one, I’m going to set that equal to sub string parenthesis, dollar sign test string, comma one, end parenthesis, semicolon. For sub test string two, I’m going to set that equal to sub string parenthesis, dollar sign test string, comma one, comma five, end parenthesis, semicolon. Now, if I decided to print sub test string one to the screen, what would I expect to get? Well, it’s going to print out position one from the test string, which was the lowercase E in the word test because that is in the first position, which makes it the second character in that test string. Now, if I wanted to print out sub test string two, I can do that, and what would I expect?

 Remember, I used the sub string with positions one and going out for five places. So I would expect to go from position one, which is the lowercase E, and counting out five places, I would get EST space capital S, which is the five character starting on the first position inside of my test string. It’s also important to note that you can count from the right hand side of the string if you want by using a negative number instead of a positive number. Next, let’s talk about taking input from the keyboard. To take input from the keyboard, we’re going to use the standard input. Now, in Perl, we call this less than sign, S-T-D-I-N, greater than sign, or the standard input. That is all written in capital letters. So if I wanted to prompt you, I might use something like print F parenthesis quote, please enter your name, colon, quote, right parenthesis, semicolon. That will print to the screen, please enter your name. Next, we’re going to use a string variable called dollar sign string and set that equal to the standard input of less than, capital S-T-D-I-N, greater than, semicolon. This will then wait for you to enter something at the keyboard. Let’s say you enter the word Jason. Then we want to print that back to you. So we’ll say print F parenthesis, quote, you entered colon, dollar sign string, quote, right parenthesis, semicolon. And this would print to the screen you entered colon Jason. Now, in Perl, you can also read and write to files. If I wanted to read from a file called read.log, I can do that by typing in something like open, parenthesis data one, comma quote, less than, read.log, quote, parenthesis, semicolon. Notice that I have that less than sign. That less than sign signifies this is opening that file in read only mode. If I want to write to a file, I’ll instead use open parenthesis data two comma, quote, greater than write.log, quote, parenthesis, semicolon.

That single greater than sign means I’m in write mode, and I will overwrite that file using this program. If I want to append to it instead, I’ll use a double greater than sign instead of a single greater than sign to append data to the end of the file. Now, notice I gave each of these a name. I called them data one and data two. If I want to call those in my program, I will refer to those as data one and data two with the less than greater than signs around it because that is essentially acting as an input. Now, if I wanted to do something like print the file contents to the screen, I can’t just call data one. Instead, I have to run through a while loop and read that entire file. To do this, I’ll use something like while parentheses, less than data one, greater than, parenthesis, curly brace, print F, parenthesis quote, dollar sign underscore, quote parenthesis semicolon, and then ending that curly brace. What this is doing is saying while data one is still open and being able to give me data, print each line you get onto the screen. Let’s say I wanted to read everything from data file one and then write it into data file two.

Well, I can do that by using this same type of while loop. But instead of printing to the screen, I’m going to print to a file. So I’m going to do something like while parenthesis, less than data one, greater than parenthesis, opening curly bracket, print data two, dollar sign underscore semicolon, and then the right curly bracket. This will write every line from data one into data two. Then if I want to close these files when I’m done with it, I’m going to use the command close. Close parenthesis data one, end parenthesis semicolon, close parenthesis, data two parenthesis, semicolon. And this will close those files safely. so there ready to be read to or written to again in the future the next time we open them. All right, that was a lot of information about Perl. Now, as I said, Perl is one of the ones that we don’t use nearly as often for our own testing and tools or automation inside of doing our penetration tests. But knowing Perl is useful when you’re going against web applications or web application servers because you may be writing some exploits or using some exploits you find online against those particular systems that are written in Perl.

215. Perl Example (OBJ 5.2)

In this example, I’m going to show you a basic Perl script, and this one is only 52 lines long. Now this is actually a very powerful Perl script that I have that we’re going to be using here, and we can use it as penetration testers. Now, as I’m going through this, I want you to think about what do you think this thing is doing, and see if you can guess the function. Now, before I go through it line by line, I recommend you pause the video, look at it on the screen, and see if you can guess. Now note, this script because it is 52 lines long, I have it split up into two columns. You start with the left from top to bottom, then go to the right from top to bottom. Go ahead and pause the video, and then come back when you’re ready to go for the explanation. All right, welcome back. Let’s go ahead and take a look at this script. The first line we have is going to be the #!/usr/bin/perl -w. Which just says, this script is a Perl script. Next, we’re going to do a couple of import modules. We have, use strict, use Socket, use FileHandle, and use POSIX. Now, you may not know what all four of those are, but you can probably guess a couple of them. For instance, socket sounds a whole lot like network socket. And that is actually what that is. It’s a library that allows us to talk to things over the network using Perl. FileHandle, that’s going to be for file handling, you guessed it.

And the fourth one is POSIX. Now POSIX, you may not be familiar with, or you may have seen this term before when working in Linux. POSIX is a type of terminal emulation software, and essentially, we’re importing its ability here. Now that we’ve done these four imports, we can then go and call any functions inside their libraries, and use them through the rest of our program without having to code them ourself. Next, we have a constant, and in this case it is the constant VERSION that we’re defining as VERSION 1.0. Which is just the version of my script. The next section you have is a whole section of variable declarations. Notice they’re all lowercase here. We have the $ip = and a hard coded IP there. We have $port = and a port there. We have $daemon = 1, $global page = blank, which is just an initiation of a variable. We have $fake process name = /usr/sbin/apache. Now, based on that variable name, you could probably guess that we’re going to use this as a way to hide ourself when we run this script. Then we have $0= httpd, which is the http daemon.

Okay, now that we’ve declared all of our basic variables, let’s get into some logic. Now we’re at the next statement, which says, if $daemon, and we’re testing is daemon a one or a zero? Is it true or false? If it’s true, we’re going to run the next command. Well, we just said daemon equals one above and our variables. So, we are going to run this command. What is the command? It’s going to establish a new variable called $pid, and set it equal to whatever comes back from the fork function call. Now, what exactly is the fork function call in Perl? Well, the fork function call is actually going to do the same thing as a Linux or Unix system call of the same name as fork. Essentially, we are going to try to clone a current process. Our Perl script will be run by our web server if we’ve uploaded it to this web server that we’re trying to victimize. And so in this case, we are trying to fork the web server daemon process. Now, when we try to fork a process, if we are successful doing it, we’re going to get a value of zero back from the fork function and store that into the pid variable. But, if we get some kind of an error and we can’t fork that function, we’re going to get a value of one. So the next line is going to test if pid equals one. If it was, we had an error and we want to run this new sub function called cgiexit, with a value of zero. Now we can run over to the right hand side towards the bottom of our screen, you will see there is a sub function called cgiexit. And that would actually be called if we had an error tried to fork this process. If we do, we are going to run two commands, cgiprintpage, which calls another function that’s down there at the bottom for that sub function. And then we are going to exit or terminate this entire process because we weren’t successful and we want to get rid of it. Now, what does cgiprintpage do? Well, it’s basically going to print to the page all the different information that we need to know of what the errors were. In this case, it’s going to be able to print the global page. You can see their under print, content length : . length of global page. What is the length of the global page? Well, right now our global page is nothing because we defined it as blank up in our initial variables. So, we’re going to get a length of zero. We’re going to get back connection close and we’re going to get back content type, text/html, and then whatever content we have in the global page, which in this case is going to be blank. So, this essentially is a way to handle error handling if we’re not able to fork the process, because that server is protected against our attack. Let’s go back to our left side and see what we’re going to do next. So, we’ve tried to fork the process. Let’s say we were able to fork the process, and in this case, that means our pid is zero. So, we’re going to skip the cgiexit line and move down to the next line. The next line says setsid. After that, we see chdir and we see umask 0. Now, what are all of those doing? Well, these are actually all Linux commands because we’re running on a Linux or Unix server if we’re running Perl here. And so setsid is going to create a new session for us and then set the process group ID to that of the person who’s calling it. So we forked a process and now we’re trying to create a session for that process and set its group ID.

Change directory is simply going to change our directory. So chdir is a Linux command that is going to allow us to change our current working directory all the way back to the path that we want. In this case, the root of the drive. And then we have umask. Umask is a command that’s going to set the newly created files or directories with certain permissions. By using umask 0, we are going to cause all files that we create from this process that we forked to be created with permissions of 0666, which means they’re world writeable files. This is going to be a great thing for us because we can now touch things on that root file system. Next, let’s go to the top of the right hand side. We have socket, parenthesis, SOCK, PF INET, SOCK STREAM, getprotobyname parenthesis tcp. What do you think this does? Well, we’re using that socket module and we are creating a new socket called sock. And we’re going to do this using a TCP connection. Next we’re going to say, if parentheses, connect, parentheses, SOCK, sockaddress in parentheses $port, inet aton parenthesis $ip parenthesis parenthesis parenthesis parenthesis curly braces, and then some stuff. So what is our condition? Well, we’re seeing if we can make a connection using our socket to the address we specified. In this case, the IP address we set back in our variables, connecting to the port that we specified back in our variables. So, we’re trying to make a connection from this web server over to the IP address of 66.77.88.99, over port 443. If we can get a connection, then we are going to say cgiprint sent to ip: port, and then we’re going to do cgiprintpage. Now, what does that do? If you look down to the cgiprint subroutine, you will see that we have a variable called line that is equal to shift. And then we have line .= which is simply a way to append something into this variable as a longer array or list. And we’re putting what looks like an HTML tag of a paragraph marker, and then /n which is an new line. Then we are setting the global page variable to be appended with that line that we just created. So, essentially we’re adding to this file called global page so that whenever we exit or have an error, we can then print that to the screen using the cgiprintpage routine we already looked at. Let’s go back up to where we were.

Now, we’ve done cgiprint and we added this line to our file. Then we do cgiprintpage and we are now putting that page into service, so that we can actually read that page through a web connection if we wanted to and see what’s going on. Remember, because we’re using Perl, we don’t have an interactive shell with this machine yet. So we have to have a way to get information out and that’s exactly what we’re doing here. We’re writing it to a file based on that setsid change directory and umask. And now hopefully we’ll be able to read that file to see if our connections are working. Now, if we can’t make a connection, what do we do? That brings us to our else. Else cgiprint, and we’re going to put an error. Couldn’t open a connection to ip: port. And then we’re going to exit, which if we exit, that’s going to print out our cgiprintpage so then we’ll be able to see it. Next, we have a set of open commands, open parentheses STDIN, “greater than and (indistinct) SOCK” and parenthesis and then a semicolon. And we have that for standard in, standard out and standard error. What is this? Well, going back to your Linux studies, you should remember that standard in is input received, standard out is things that are going out of the machine. Normally, standard in is your keyboard and standard out is going to be your monitor. Standard air is also normally set to the monitor. But what we’re doing here is we’re opening all of those in right mode and sending them over to the socket. So anytime we have an input or output or error, we’re going to send it over the connection that we created up above using socket. Next, we have an environmental variable using an array that has HISTFILE. Then we’re going to set that to /dev/null.

Again, if you know a little bit about Linux, you know that the /dev/null is essentially a junk collector. And what we’re trying to do is set our environmental or history file, instead of saving all the history of what we’re doing, it’s going to just go into this junk file so nobody will see it. Then we have a system call. System parenthesis “w;uname -a; id; pwd ” parenthesis; So, what is all that doing? Well, the Perl system function allows us to execute a system shell command from within our Perl scripts. So at this point, we’re actually trying to run Unix commands or Linux commands on this system. When we deal with W, what is W? It’s a built-in tool that allows administrators to see who’s currently logged onto that system. So if we run W against this web server, we’ll see who is actually logged in, what are those different users? Then, we’re doing semicolon which says, run another command. Run uname- a as well. Well, uname is going to be a program that’s going to tell us what the name, version and other details of this current machine are, so we can figure out a little bit of enumeration. Are they running Linux? Are they running a certain version of Linux? And what else is on this system? Then we’re using ID. What’s the ID command do? Well, it finds out user and group names and numeric IDs, the user IDs and group IDs for any current user or other users on the system.

By simply typing ID, we’re going to get the user ID and group ID for the current logged in user that we have now gotten access to using this script. Then we have PWD, which is going to print out our present or current working directory. Now we should be at slash because that’s where we decided to set ourself when we did the change directory earlier on. And we’re just going to verify that here. Now, once we do that, we’re going to go to the next slide and we’re going to use the exec function. Now, what does the exec function do? Well, the exec function allows us to execute a system command just like we did with system, but instead of doing it through the Perl shell, we’re going to do it directly in the system itself and not return any information back to the Perl shell. Essentially, we want to be able to pass things through the standard shell of bin/sh instead of bin/perl. Now, what we’re doing here is we’re executing the command bin/sh which is going to launch a shell. We’re then going to give it a name called fake process name. That variable relates to /user/sbin/apache.

So if a system administrator is looking at the running processes, they should see that there is a bin/sh shell that is being run under the name /user/sbin/apache, instead of /bin/sh. Which allows us to be able to try to hide ourself a little bit better. And then the – I at the end setting this up as an interactive shell, so now we can send data to and from this shell and have full access to this system, because it’s going through that socket connection we established. So, now that we’ve gone line by line through it, what do you think this overall picture of this thing is? If you had to summarize it in a couple of words, what is the function of everything we just went through? Go ahead, pause the video here, think about it for a minute and then come back and I’ll give you the answer. All right, you’re back. Great, now, what is the basic function here? Well, it is a reverse shell. That’s right. What we are doing is whatever I set up as IP and port up on the left side, is going to be where my listener is set up. So, if my listener is at 66.77.88.99 on port 443, what’s going to happen is that when this Perl script is run on that web server, it’s going to run through these commands. And when it tries to create that socket, it’s making that call out to my server. And if my listener is there and awake, it’s going to go ahead and grab that connection and now we’re going to establish two-way communication using that system shell that we have in /bin/sh using our fake process name. Now, we have two-way communication because our standard input, our standard output and our standard error are all being redirected to and from the socket we created, between this Perl server and the call out that was made to us with a receiving listener, because this is a reverse shell. So, you can see how powerful this stuff can be especially when you’re using Perl. Because Perl is used for dynamic web pages on web servers, and so if you can get this uploaded into a directory that is writeable on a web server that’s running Perl, this script can be executed.

And you can then have a call out go back to you. This is a really simple example of what a reverse shell can look like using Perl, but it is a very powerful tool when you’re doing your penetration test. This is why I said learning Perl can be very useful if you’re doing a lot of web server assessments. Because you can write code like this and take advantage of those web servers as one of your initial attack vectors inside of your engagements. Now, for the exam, do you need to know Perl in depth? No, what are you likely going to see on the exam?

Well, they’re probably going to give you a couple of lines of code, maybe three to five to 10 lines at most, and then ask you what that function is doing. In the case of this script, I might have taken out the part that talked about the sockets and then asked you, what was that doing? Or, I might ask you about the system call that was being done, and how I chained together a couple of those exploits. This is the level of detail you’re going to need to know for the PenTest+ exam. But again, you don’t have to be an expert on Perl. Most of this, you can read and kind of make out what it means if you have some Linux background and experience.

Leave a Reply

How It Works

img
Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
img
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
img
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!