1
00:00:00,610 --> 00:00:03,210
List Metasploitable 3 services again.

2
00:00:04,890 --> 00:00:13,680
Now, here you can find an interesting HTTP service, it's got a long description, and this time I'm

3
00:00:13,680 --> 00:00:17,220
going to use a port number to get information about the service.

4
00:00:19,320 --> 00:00:26,490
And nothing to view from the browser when I go to the Metasploitable 3 IP on port 5985.

5
00:00:27,180 --> 00:00:28,030
It's kind of weird, huh?

6
00:00:28,260 --> 00:00:29,240
Would you expect something?

7
00:00:30,420 --> 00:00:33,300
So you've only got this information.

8
00:00:34,200 --> 00:00:42,710
A service runs on the port 5985, the only meaningful thing here, of course, is the port.

9
00:00:42,720 --> 00:00:45,300
No, but it does mean a lot, so.

10
00:00:46,220 --> 00:00:52,100
Open your browser and search what this port number is typically used for.

11
00:00:56,970 --> 00:01:02,520
Now, when you look at that post, you're going to get some extra information, as this post says,

12
00:01:03,150 --> 00:01:10,860
this is a WinRM service so you can search for WinRM exploits.

13
00:01:12,070 --> 00:01:13,870
Search WinRM.

14
00:01:15,700 --> 00:01:19,480
Ha ha, that's terrific, you see how you get some of those modules.

15
00:01:20,770 --> 00:01:25,270
So let's just use the first one, winrm_auth_methods.

16
00:01:26,890 --> 00:01:27,910
Show options.

17
00:01:30,240 --> 00:01:34,020
Set RHOST to the Metasploitable 3 IP.

18
00:01:34,910 --> 00:01:35,840
And run the module.

19
00:01:37,380 --> 00:01:38,970
All right, so let's do it from the beginning.

20
00:01:39,980 --> 00:01:42,890
Display the service on 5985.

21
00:01:43,770 --> 00:01:47,400
And you see the information immediately, then set the host.

22
00:01:48,450 --> 00:01:51,300
And then list the WinRM modules again.

23
00:01:52,510 --> 00:01:53,860
Let's use the second one this time.

24
00:01:55,190 --> 00:01:56,630
winrm_cmd.

25
00:01:58,640 --> 00:01:59,450
Show options.

26
00:02:01,340 --> 00:02:05,120
Set RHOST to the Metasploitable 3 IP.

27
00:02:06,300 --> 00:02:07,260
Set username.

28
00:02:08,330 --> 00:02:09,020
To vagrant.

29
00:02:10,610 --> 00:02:11,690
Set password.

30
00:02:13,480 --> 00:02:15,040
To vagrant also.

31
00:02:16,240 --> 00:02:18,460
Show options to control.

32
00:02:20,320 --> 00:02:22,330
OK, then run the module.

33
00:02:23,970 --> 00:02:28,350
And look at that, that's a perfect result, so you can take advantage of this module.

34
00:02:29,810 --> 00:02:31,600
So let's have a look.

35
00:02:32,810 --> 00:02:34,640
Over the other modules again.

36
00:02:35,840 --> 00:02:38,480
All right, so there is only one exploit module.

37
00:02:39,600 --> 00:02:41,070
And let's use this now.

38
00:02:42,820 --> 00:02:43,690
Show options.

39
00:02:46,200 --> 00:02:49,920
Set RHOST to the Metasploitable 3 IP.

40
00:02:51,010 --> 00:02:53,160
Set username to vagrant.

41
00:02:54,240 --> 00:02:56,550
Set password to vagrant.

42
00:02:58,360 --> 00:03:00,550
And show available payloads.

43
00:03:02,820 --> 00:03:07,530
And I'll choose 64-bit reverse Meterpreter TCP as my payload.

44
00:03:09,160 --> 00:03:11,680
Set LHOST to my Kali IP address.

45
00:03:13,340 --> 00:03:15,960
Set RPORT to 5985.

46
00:03:17,620 --> 00:03:20,290
Let's have a look at those options one more time.

47
00:03:21,990 --> 00:03:24,780
So everything looks perfect, then exploit.

48
00:03:29,390 --> 00:03:37,940
And there it is, you got this session, so even our exploit code migrates to another process.

49
00:03:39,260 --> 00:03:43,220
So let's quickly do who am I and where am I?

50
00:03:44,280 --> 00:03:52,440
And there we are in the Metasploitable 3 with a system level user privilege, so let's send that session

51
00:03:52,440 --> 00:03:54,240
to the background and list the sessions.

52
00:03:56,620 --> 00:03:58,960
And we can move on to another service.