hello everyone welcome back in the previous video we have seen the theory of cryptographic failures which is also known as sensitive data exposure and it has been captured second place in the top vulnerabilities uh please check the previous videos for more information and in this video we'll be doing a demonstration of how the vulnerability works saying that let's jump into the video so you have to connect to try hack me and you have to search for the ovaspa top 10 and this is the machine for that so let's see how we can access it so this is the start machine so I already started it but I just want to show you like how we actually do it so this is a start machine button which you have to click so before that you have to connect with the servers so you have to go to the download section where your ovpn is there so if you go to the download section you can see here I have my uh foreign so we have to download we have to go to this specific location and then run the command so where you can find that so let's go to try me and uh it will be in Access sections so you can go to access and you have to just download your configuration file so once you have downloaded it you will be connected you can see this connect uh symbol here the right Mark so this is how it will be done so if you have still have any doubts or please do check the previous videos where I have explained about VPN connections so I hope it will be giving more idea about how exactly it works so saying that uh so we have to go to this download section and you have to use uh should openvpn as well as my uh file name which is 200949.0 VPN which I already used it so you can see I have already started the machine and it's running successfully so let's go to the machine and you have to just click Start so we have to just wait for like one minute and we'll be assigning an IP uh using that IP we can connect with the vulnerable machine where we can uh work on this sensitive data exposure so it is also known as cryptographic failures which is recently being changed uh from sensitive data exposure to a cryptographic failures so that is the reason for this specific overasp you can see it has sensitive data exposure so this is the basic introduction of uh sensitivity to exposure and it's also known as man in Middle attack so I mean the techniques like man and middle attack so let's see okay so let's say I have a physical machine let's say it has A1 and this is my router which is R1 and let's say this is an internet so whenever you search for some website XYZ website it will go through the router and then the router write it redirect you to the particular website but in this case hacker use specific commands where he'll be the router right this is the hacker he is the router here so based on different commands he will be compromising your router and instead of going to the router it will go in this direction so there will be a hacker in between who can view all the information that you are using like the web page that you're visiting or the images and so on so well there is a video in up and testing playlist you can visit that and you can know more about how her mind will attack works so just information apart from that uh we have other uh material one where we can access the database files so we'll be working it uh like in just a few seconds so this is the command that we'll be using it so you can see we uh you can use this following command and get the table information so basically this particular command uh is used to query the information about specific table the results that will contain one row for each column in the table column name and column type so as you can see here we have uh when you click the customers table we have got the information so it has different section it has different sections customer ID customer name credit card and password so whenever you get the information from the customers you can see the first one was related to customer ID the second one was customer name and the next was credit card information and then comes the password so this is the hash format so this is how we can get the information uh if if we were able to get the database access so saying that let's go to the second section which is uh so whenever you get the hash format we can uh decrypt it using uh the crackstation this is one of the application through which you can do it but on the other hand we have many applications like that where you can uh decrypt or crack the hashes so this is one thing so we'll be using all this uh in the task 11. so so this is the app so let's go to the IP address and let's see whether we can able to access it or not so well it's working perfectly so everything is going good we are connected with the machine successfully so we have login page but uh for this we have to have to use cinnamon password which we don't have right now let's try uh try to get those username and passwords by uh visiting the database here so let's go back so whenever you create a web page there will be multiple directories through which you can have maybe a CSS or HTML uh different sections where you can add these web pages so if you are a developer you will be knowing uh there will be let's say slash CSS see whether it works there is no CSS but uh to get this information we can go to Kali Linux and uh let's use uh there so using this we can get the information about uh the hidden directories so I have to get the IP address 20 10 point 10 point one two three Dot uh one just click enter so it will be running uh various you can see here this is my IP and it's searching for other directories which are like most used maybe let's say login page or sign up and so on so from this we can get the information about uh the hidden files so we have to just wait and we have to see whether uh there are some hidden files or not so that is the first task that we have to perform so so as I said you if you are a developer you will be knowing uh there usually there will be a folder where uh it is known as assets so let's check so you can see we have the search folder but we should not get access to that but we are getting that okay so these are different uh you can see CSS but I'm not sure why I did I was not able to access it so phones images so on so as you can see here we have uh the database file so if you check uh if you expecting soon okay if you check uh in the second one we can use the database uh connections we can use database commands and we can get the information so we'll be doing that in just a minute so so here you can see there will be asserts which will be popping up so we also have API so we'll just wait for that I just want to show you before uh let's how I got that so where is the file have file here let's download the web app dot DB so once I downloaded it let's use these commands so I have various commands uh here so let's go to Kali Linux and you can see we have got asset section so we have to use all these uh hidden directories and we can get the information about uh where can we find these uh database files and so on so you have to just check and it will take a lot of time though but uh yeah this how you can find the Box so let's go back and uh let's use other folder and uh let's go to the download section that we have downloaded you can also see the permissions about uh it is available there you go so you can see we have our web app and now let's try to access it using the commands are provided here so file DB can use it and let's exit by using sqlite3 so we entered and here we can get the tables information by clicking dot tables so we have two different tables sessions as well as users so I think users is a better option usually we go to so I'll be using this command where uh instead of customers I should replace it with users since here I have users uh uh files so users so you can see these are the different forms that we have so if you go back here we got the information about uh this one and now just we'll select from uh that particular table so let's uh select star from users so start is nothing but select all oh I got this information according to this particular format in this case I would require the password which is this one so I used to get the admin password so just copy this one and uh if you check there is a crack station which was mentioned here so we'll be going uh through crackstation I'm not sure why it's showing me expired expired is it expired no okay so let's uh go to the crack station mentioned here and uh let's try to add the oh I think I didn't copy that okay let's go here let's copy copy selection let's go to the crack station let's paste it and uh I'm not robot check the hash so we have got the result here so the password of admin is this is the password of admin that we are getting now so if I go back here so let's go back to that IP that we have and let's try to login so user is uh admin and forgot to copy the password let's copy the password and let's try to play start there you go so login so if you have got the flag so we are into the admin panel and we have got the flat so this is the end of uh uh the session where we have got to know about cryptographic failures or less sensitive data exposure in the video just a disclaimer this is uh this is just for the educational purpose so don't perform this operation on the real systems unless and until you have authorized so yeah uh I hope you guys have understood the concept of today's video if you have liked the video please click the like button below and if you're not subscribed to my Channel please do subscribe to my channel and please share the video thanks everyone