Welcome back.

Let's continue with exploiting the Metasploitable machine. So we already found three vulnerabilities regarding Telnet, FTP and the shell with no authentication.

Let us see what else we can find, and what I have in mind for now is this Samba open port right here. Matter of fact, these two open ports, 139 and 445.

Why them? Well, because it seems that we do not have the exact version of Samba right here; it tells us that Samba is between 3.point-something and 4.point-something. So let's see how we will figure out what to use and how to find it.

Here's a small hint: we don't need to Google it to be able to find it. We have everything we need right here in Kali Linux, so don't use Google to find it, since it is cheating and you will most likely find it on the first link. Let's see whether we can figure it out by ourselves.

So right here in our nmap scan, we have this Samba version right here. Not the exact version, but it does give us some information about which range the version belongs to. And that is something we also see on both ports; those are 139 and 445.

So we do get some information. What now? Well, let's just search samba inside of searchsploit and see what comes up. So I got this right here.
I got my msfconsole right here, and I will open a third terminal and type searchsploit samba.

Well, it seems that we get a lot of results, and these are exploits for a bunch of different Samba versions, as we can see right here. Now, we could just try all of them out to see whether they will work, or we can try to figure out the Samba version first and then narrow down our exploit search and see whether we find something for that specific version.

So how are we going to find out the Samba version if nmap didn't manage to do it? Well, luckily, nmap is not the only scanner that we can use for these types of things. Remember that in the Metasploit Framework, besides having all of these exploits and payloads, we also get those auxiliary modules, and those auxiliary modules can sometimes be scanners.

Let's search and see whether we can find a scanner for this. If we just type in Metasploit search samba and press enter, we get some of the results right here. Matter of fact, we don't get a lot of the results. Once again, some are exploits, some are auxiliary modules, and down here, I believe, there is one post-exploitation module. And if we go to the auxiliary modules, it'll only give us two auxiliary scanner modules. These aren't the scanners that we need. Let's try to find it ourselves.
If I go down here, clear the screen and type use auxiliary/, then scanner/, and then smb/, because that is the port that we are enumerating, and then press Tab twice, these are all of the available auxiliary scanners that we have for SMB.

The one that we are particularly interested in is this smb_version, so let's scope it. If I copy the entire command right here and paste it... Let me just delete this; we typed the command twice. So: use auxiliary/scanner/smb/smb_version, and if we type show info right here, it will tell me in the description: display version information about each system.

This looks like something that we need. Let's type all of the needed information for this to run, so we are going to type show options first, and we require RHOSTS. We got some other things as well, but these three things are not required, as it says right here. THREADS will be left on 1, and RHOSTS will be the IP address of our Metasploitable. In my case, that is the 192.168 address of my Metasploitable, and I will set it right here. And if we run it...

Well, it worked. Even though it says right here "could not be identified", in the brackets we get the exact Samba version on the Metasploitable, which is 3.0.20. Cool.

Let's see what we can find from exploits now that we know what version it runs.
So we'll copy this 3.0.20 and go back to my searchsploit, clear the screen and type it once again. Just this time I paste the entire version. Press enter, and we managed to narrow it down to only five results. And it seems that these two are the same results, so it's actually four results in total.

The first one seems to be some type of a security bypass, and it affects our version since it's between 3.0.10 and 3.3.5. But it also seems to be a text file, which we really don't want to bother with right now. We want something that we can execute right away.

The most interesting thing we have right here is this Samba "Username Map Script" Command Execution. Why? Well, it's a Ruby exploit, and it also belongs to the Metasploit Framework. Plus, it also affects our version of Samba, as we can see right here. These two down here are also text files, not really interesting, and they also don't seem to actually affect our version; they only affect the versions below our version. And the last one, which is a denial of service or DoS attack, seems to be affecting our version. But we are once again not interested in the denial of service attacks.
But in a real penetration test, you would 100 percent write this on the report with the references to the possible attack. For now, let's just go with the Metasploit module that we found. Let's remember the name: username map script command execution. And if I search once again in my msfconsole, search samba, let us try to find the exploit that we found using searchsploit. If I go up here, go through all of these results... And here it is, under number 13: exploit/multi/samba/usermap_script, command execution. This is the same script that we saw right here.

If I copy the script name, so exploit/multi/samba/usermap_script, and type right here use, then paste the script name, it will set the default payload to be cmd/unix/reverse_netcat. And by the way, this "multi" right here means that it can be targeted on multiple operating systems, whereas if you had only Windows or Linux specified right here, it would mean that only that specific operating system is vulnerable to this attack.

So let's show information about this exploit. First, clear the screen and type show info, and it will tell us: this module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25 when using the non-default "username map script" configuration option.
And if I also set up all of the things that we need, show options, it seems that we need one thing, which is the RHOSTS. So let's set it up right away. This is the IP address of Metasploitable; the port right here we do not want to change, since it is already set correctly. As we can see right here, port 139 is running Samba, and down here is our payload, which is the reverse netcat. We set the IP address of our Kali Linux machine here and any port that we want. Once all of this is ready, we can run our exploit.

And here it is: we once again got a shell opened on the target system using the Samba vulnerability, and we can, as usual, execute commands. If I type whoami, it will tell me we are root. So we already have the highest privilege on that machine. Great.

This is the fourth vulnerability we found. To close the connection, we can just Ctrl+C this and press Y, and you would write this down as another successful exploit if this was a real penetration test. In the next video, we're going to cover a different type of attack that we haven't performed yet, which is a brute-force attack on port SSH.