1
00:00:00,460 --> 00:00:07,540
Now, let's look at another situation where Metasploit makes it very easy to backdoor the system using

2
00:00:07,540 --> 00:00:10,010
nothing more than the built-in system tools.

3
00:00:11,230 --> 00:00:14,920
Now it helps you to make a remote desktop connection to the target.

4
00:00:15,890 --> 00:00:22,910
Meterpreter has two options for this. The first one is the Meterpreter script getgui.

5
00:00:23,880 --> 00:00:30,120
And you can utilize that getgui script, which enables remote desktop and creates a user account

6
00:00:30,120 --> 00:00:32,510
for you to log in with. Pretty convenient.

7
00:00:33,210 --> 00:00:38,790
And then the other one is a reliable post module, enable_rdp.

8
00:00:39,480 --> 00:00:41,010
So have a look at how to use them.

9
00:00:41,990 --> 00:00:46,430
So I have a Meterpreter session on Metasploitable 3.

10
00:00:47,640 --> 00:00:53,280
And as you know, throughout the course, we have learned how to extract hashes and passwords.

11
00:00:54,240 --> 00:01:02,100
And now you have many credentials for Metasploitable 3, so you may want to make a remote desktop

12
00:01:02,100 --> 00:01:03,990
connection with one of these credentials.

13
00:01:04,750 --> 00:01:06,070
So that's what I'm going to do here.

14
00:01:06,960 --> 00:01:08,820
So let's open up a new tab.

15
00:01:10,430 --> 00:01:14,090
Now we use the vagrant user and password, so.

16
00:01:14,970 --> 00:01:19,410
rdesktop -u vagrant -p vagrant

17
00:01:20,480 --> 00:01:22,820
And the IP address of Metasploitable 3.

18
00:01:24,600 --> 00:01:25,230
Enter.

19
00:01:26,980 --> 00:01:30,760
And very good, you have a remote desktop connection on the target.

20
00:01:33,030 --> 00:01:42,240
But when I bring the target to my main screen, you can see that the actual user's screen is locked, and

21
00:01:42,240 --> 00:01:44,520
that's not a very good thing, and it certainly isn't stealthy.
22
00:01:45,540 --> 00:01:53,850
And when this user on the target tries to log back in, my connection is going to be terminated, as

23
00:01:53,850 --> 00:01:54,550
you just saw there.

24
00:01:55,800 --> 00:01:58,250
So how do we avoid this situation?

25
00:01:59,410 --> 00:02:06,160
The Meterpreter script and post module are the best solution, so we're going to first start with the script.

26
00:02:07,000 --> 00:02:14,140
run getgui -h gives, hmm, some brief information about the script.

27
00:02:15,120 --> 00:02:20,960
But run getgui without parameters to see the options.

28
00:02:21,860 --> 00:02:26,510
And the options are clear, so now let's run getgui

29
00:02:27,610 --> 00:02:33,010
-u pentest1 -p pentest1

30
00:02:35,410 --> 00:02:37,750
So the script enables RDP,

31
00:02:38,680 --> 00:02:47,650
arranges firewall rules, adds our user, and then adds this user to Remote Desktop Users, and look at

32
00:02:47,650 --> 00:02:51,060
that, the script is executed successfully.

33
00:02:51,850 --> 00:02:53,890
So why don't we go to another tab?

34
00:02:54,770 --> 00:02:58,130
rdesktop -u pentest1

35
00:02:59,310 --> 00:03:01,170
-p pentest1

36
00:03:02,200 --> 00:03:05,170
Tend tend to dot 10.

37
00:03:07,390 --> 00:03:09,820
The RDP session is open now.

38
00:03:09,830 --> 00:03:12,280
Let's bring the target to the main screen.

39
00:03:13,360 --> 00:03:20,140
And look at that, see, the current user is still on the machine and we can use it without being disturbed.

40
00:03:21,270 --> 00:03:22,620
And to verify the user,

41
00:03:24,150 --> 00:03:27,240
open the command prompt on Metasploitable 3.

42
00:03:29,600 --> 00:03:33,110
Type net users to view the users.

43
00:03:34,660 --> 00:03:37,690
And here is the pentest1 user.

44
00:03:39,970 --> 00:03:42,340
net user pentest1

45
00:03:43,560 --> 00:03:53,160
to get detailed information for pentest1. OK, so it's also in the Users group. Perfect.
46
00:03:54,710 --> 00:03:57,830
Now it's the post module's turn.

47
00:04:05,750 --> 00:04:11,090
So here we have the information about the enable_rdp post module.

48
00:04:14,780 --> 00:04:15,380
windows

49
00:04:16,850 --> 00:04:17,630
manage

50
00:04:18,620 --> 00:04:20,710
enable_rdp

51
00:04:22,050 --> 00:04:25,020
USERNAME=pentest2

52
00:04:26,380 --> 00:04:29,560
PASSWORD=pentest2

53
00:04:31,260 --> 00:04:33,810
So it does the same thing as the getgui script.

54
00:04:35,560 --> 00:04:37,630
OK, so go to another tab.

55
00:04:39,500 --> 00:04:43,310
Make an rdesktop connection with pentest2.

56
00:04:44,630 --> 00:04:47,090
On this, change the ones to twos.

57
00:04:50,250 --> 00:04:55,080
So as you see, the current user on the target can still use the desktop.

58
00:04:56,320 --> 00:05:03,640
And to make it clear, open the Windows command prompt, net users, and sure enough pentest2 is on the list.

59
00:05:04,900 --> 00:05:05,650
And

60
00:05:10,340 --> 00:05:12,890
it's also in the RDP Users group.

61
00:05:14,720 --> 00:05:20,510
And now you can interact with the user's desktop, look for critical files, and everything else that you

62
00:05:20,510 --> 00:05:20,900
want to do.