[00:00:00] Welcome, ladies and gentlemen, to walkthrough number 10. We are at the last walkthrough. This box is called Netmon. So if you are scanning and following along, go ahead and go to IP address 10.10.10.152 to get your scan started. While that's going on, I do have a few words to say, since this is the last episode in this capstone. If you are feeling overwhelmed, or you're feeling like you're just not getting everything, that's 100 percent OK. Rome wasn't built in a day. Neither is your pentest career. So please, if you feel like you're overwhelmed, just take a deep breath, go back and watch some of the videos again. If you feel like you're struggling, also utilize all the resources available to you. Remember from the beginning, there is a Discord channel. Please utilize the Discord channel. We are there to help. So if you're struggling, know that it's OK, you will make it through. Take good notes, go back and try all these again if you need to. With that being said, I have full confidence in you and I'm ready to move on to the last video. I'm very excited about it, because we start to get into exploit development after this, and we start to get into Active Directory, which is my favorite. So we're going to go ahead and move on. Hopefully your scan's ready.
[00:01:20] I'll catch up with your scan. All right. So let's look at our scan here. We have a report back that says port 21 is open, which means we have FTP, the file transfer protocol. And right away, ftp-anon, it says anonymous FTP login is allowed. This means that we can log in as the user anonymous and gain access to the file share. Not necessarily a big deal, except if you look at where it's placing us. Look at the printout of this already. This to me looks like we are in the C drive. Right? So we see a Users folder, a Windows folder, etc. So this is not so great if you're a sysadmin and you allowed this open. On top of this, we scroll down a little bit and we see OK, port 80 is open. Port 80 has something called Indy httpd 18.1 blah blah blah. You see this Paessler PRTG bandwidth monitor, network monitor, Netmon, which is what the box is called. The box always gives you a good hint. Right? So we know we're up against this, probably some route of exploit through Netmon, at least somewhat. Right? Usually there's a hint there. So we'll go check that out. We've got our RPC open, which we expect when we have 139 and 445. We see from 445, that's telling us that this machine is a 2008 R2 or 2012. We'll see how right that is in a little bit, and then you see a bunch of RPC open up here. There's also a web server open, looks like, on 5985 and 47001. Both of them were not found. So probably 404 errors of some sort. That doesn't mean that just because it's a 404 there can't be a web page sitting beyond these. We could use dirbuster, or go with dirb or whatever, and try to do some directory busting, see if there's a hidden directory back here. Just because the index 404s, of course, doesn't mean that the rest of it's going to. So with that being said, let's scroll back up and talk theory. So if we talk theory, port 21 is open, we have anonymous login, we already know the password, we have access to the entire file system here. There's also a web server running. So when we talk about port 21 being open, and we've talked about this in the past, with port 21 being open we can upload a file. There is no code execution there on its own.
[00:03:50] Now this is Microsoft FTP. If it was a different file transfer protocol, FTP server, maybe there's remote code execution already built in, some sort of buffer overflow, something that allows us to, you know, get that shell back. But here with this FTP in particular, it's not. Now, FTP as a whole, just from logging in, all we have access to is to put files and get files. That's all it is. We're transferring files. It's a file transfer protocol. Because of this, we cannot execute anything. We could put malware on here all day, right? We could put anything malicious we want to. Doesn't mean it's going to get executed. On the other front, we have a web page open. Now this web page, I'm guessing, just a hunch, not sure, is likely running on this inetpub here. Now inetpub is IIS. This is a Windows server, so it's likely running IIS as a web server. Now again, I could be wrong here. It could be hosted somewhere else, and these IIS servers could be for this down here. I'm not sure, but the instinct that I have here, and what I'm seeing and what I'm getting at, is the first thing that I saw is, OK, port 21 is open. I have the ability to upload a file.
[00:05:06] Now I need the ability to execute a file. Well, there's social engineering, right? We can call up somebody, say, hey, there's this file on this computer, I'm helpdesk, can you run it for me. The other option, which we don't have in this instance, is to say, you know, how do I execute a file that I put on there? Well, a web server is a fantastic way. If you guys remember, you remember boxes in the past that we've done, we've executed files via FTP upload into a web server. Right? So the same kind of thought process here is, if I can get this file on this web server, maybe I can execute that and get a reverse shell. Now I don't know if that's the box's intention, and when I went through this box, there's actually a different path that seems even a little bit easier. So let's poke a little bit first before we go down this anonymous login path, and let's poke at port 80. Now the other thing to note, too, is that if you have access to this machine as anonymous user, you can likely grab the flag of the user already, depending on the permissions. Even, chances are, you might be able to grab the root flag. I highly doubt that, seeing that that's a capture the flag box. They probably want you to do something. So you can probably grab the user flag off port 21, and we're going to ignore port 21 completely.
[00:06:18] Now if you wanted an adventure, and you just want to play around, a good idea here would be to log into port 21 via FTP anonymous login and try to find this file server and see if you can't execute that against this here and get a reverse shell of some sort. Given an ASPX reverse shell or an ASP reverse shell, we've done it in the past. I don't need to show you how to do it, but think that process through and you might be able to get a shell that way as well. But from here, let's poke at this port 80. So let's go to our PRTG here. And I definitely went Canadian, because that car horn scared me, so I said "out" there. Let's go to our 10.10.10.152, and you see that we have a login here. Now, when I see a login, there's immediate things that I want to do. I want to Google immediately "PRTG Network Monitor default credentials". Let's do that. OK. So we'll go out to the interweb, go to Google, and we'll say "PRTG default credentials". That's one thing I want to Google, and we'll look here and see if there is. We'll go to this. This is from 2010, so prtgadmin and prtgadmin. Let's try it. It never hurts, especially when doing an internal. Oh my God, on internal assessments, all the freaking time, default credentials, and it just ends up being bad.
[00:07:50] OK. Credentials aren't default. Another thing. Let's talk about exploits. Let's look at exploits here, and perhaps there is a remote code execution for us. So let's open a few of these. Let's open this one, command injection. OK, I'm opening, well, CodeWatch. I don't know about CodeWatch. Let's just open this one first. PRTG Network Monitor remote code execution. But it says authenticated, 18.2.38. Does this tell us what it is down here? 18.1.37. OK. Let's read the description here and see. So remote code execution, version 18.2.38. So this was on a later version. It doesn't say specifically in here whether or not this applies to earlier versions. Usually you'll see like a little greater-than or less-than sign indicating. It doesn't really here. What we can do is we can at least give it a go and see if it works. We can download this and try. We could see that it's just a bash script, and then we just execute it against a web page, and we provide a little bit of information here. It looks like just providing our cookies. So the big issue, though, that we have is that it is authenticated.
[00:09:23] So we need to be able to log into this. So we need to look for a database file, or where that might be stored. Perhaps you can go to Google and say something like "DB file location" and see where it stores its data. So let's see where it is storing its data. There is one. This one looks like it could be promising as well. And Program Files (x86)\PRTG Network Monitor. And there's also ProgramData, Application Data, so it looks like we might have to do a little bit of hunting around. There's a log database, configuration database, there's backups. So the reason why I'm thinking about this is, I'm thinking about this to say, hey, OK, well, where can we find this information? Maybe a credential's stored. That's maybe what I'm after here, is like, can I find a credential that is on this system? Like where, where might we have to go to find that? So if they're in Program Files, if there's a credential stored in a database, maybe we can pull that down and we can access that, right? So what we're going to try to do is we're going to try to look through the files. We'll look through the Users folder and try to find the files. Now, for time purposes, we're gonna go ahead and just kind of cheat a little bit.
[00:10:56] So I'm going to go ahead and go back out and we're gonna open up a new tab, make it all pretty big here, and we're just going to FTP out to 10.10.10.152, and I'm back to being American with my "out". Anonymous. Anonymous. OK, we are here. We could say ls, and you see we're in the C drive. So let's go ahead and cd to Users, I can type, and then ls here, and we are at the Users folder. OK. So let's see what else is here. Can we ls -la this? Hey, look, there's some hidden directories. So let's try to go to cd All Users, see if that works. OK. cd All Users, ls again. Look, there's that Paessler folder we saw. Right? So let's cd into that. And actually, let's back up one, a little ls -la to make sure, because there was an Application Data folder that we saw, and I think actually that's where it resides. So if we come back through here, All Users Profile, Application Data, Paessler, that's a little trick there. Let's cd into this Application Data, and I'm guessing that there is a password folder in there. Oh, access denied. OK. So maybe we can't get to the Application Data folder, but maybe we can get to the Paessler folder that we're after.
[00:12:39] So let's go ahead and just copy this and see if there's not an option just to go right into that folder. So let's cd and say paste here. Of course, I forgot to copy. Paste it now. Aha, successful. If at first you don't succeed, pick yourself back up and try again, right? Don't ever do that. That was Aaliyah or Ashanti, one of the two. Anyway, so now we're in here, and look at this beautiful, beautiful stuff. We've got this PRTG Configuration .dat, .old, .old.bak, and we can look through these and see, you know, what we can find here. So how about we download these. So let's go ahead and just do a get, and we'll download these three items. So I'm going to copy them and paste, OK, and then I'm going to say get, and I'm going to copy and paste again, I'll switch that to .old, and then I'm going to get, and then we'll just paste one more time and we'll do .old.bak like that. OK. So we've got all the files now. Let's go ahead and hit bye, exit out. So I should have, ls, if we grep for PRTG, we should have the three in here. So let's try to cat out the PRTG Configuration.dat, and we'll just grep for that prtgadmin, because that was the username that we used. OK. There's that there. Let's go ahead and let's gedit this PRTG.
[00:14:34] Let's see what's in there. And let's do a Control H, or Control F I should say. Control F, and we'll say prtgadmin, and there, there's one of one. We see a login, we see a password. The password here has been encrypted. OK. So this one is not it for us. Let's go ahead and do a cat PRTG, or we'll do a gedit PRTG Configuration.old, and we'll do a Control F. Let's search on password. That's not going to work, but search on prtgadmin again. Let's look at that password. That password is also encrypted for us. So let's try one more thing here. Let's try the last one, gedit PRTG Configuration.old.bak, Control F, and we'll do prtgadmin. There we go, look at that. So of course somebody is driving by with a really loud car. OK, so we've got prtgadmin and we've got these credentials. Let's go try to log in, shall we? So let's go here. Let's go paste, and let's go one more, where I can find my gedit, and we'll copy this and paste it. Now, this is gonna be realistic. Watch this login. It's gonna fail. OK, let's do it one more time. prtgadmin, I'm going to paste this, I'm going to back out one and do it 2019. I'm going to put a nine in there and hit enter. And now things have changed. OK. Why? Why is this realistic? Why do I say this is realistic? This is realistic because we just changed one number off of a password and gained access. Password reuse is one of the biggest issues that we have in the industry. When we talk about, like, Fall2019, Summer2019, people use that all the time. So if I see somebody's old password was Summer2019, I'm going to try Fall2019. Or if I see somebody whose previous password was like JoeBob2018 and now it's 2019, guess what? I'm going to try 2019. You have to think logically. Think of the year you're in and think that, OK, well, this password's from a backup file. It's old. So we're gonna go ahead and just give it a go with the new year and see what happens. So we did that. We got the new year. It worked out really well for us. So from here I'm going to open up Burp Suite, and I'm going to close out of my other Burp Suite. OK. And we are on the free edition. Actually, I'm on Professional still. I guess I have two Professionals up. That's fine.
[00:17:31] You're gonna be able to do exactly what I'm doing on the free edition, and mustard is removed on this one. So what we're gonna do is, we've got our proxy set up. It's already grabbing stuff, so we're gonna have our proxy set up. If you don't have your proxy set up already, make sure intercept is on. You should be familiar with Burp Suite. I'm using FoxyProxy here. However, if you want, we can go into Preferences and we can scroll all the way down and we can go to Settings, and you can also do the manual configuration here, which would be 127.0.0.1 port 8080, and you should be Gucci, man. So should be good to go once you have that up. All you have to do is set up your intercept and then try to refresh a page. So it should hang when you refresh it. OK. And now what we're after is this cookie. So if you recall from the exploit, we come through here and you see that we have, here's your cookie that you need. Once authenticated, you grab your cookie, use it with the script. So it's got a little bit extra here with the cookie. We don't have that. We just have this OCTOPUS. So we're gonna take this OCTOPUS cookie and use it in our script. So what we're gonna do is we're just gonna copy this guy. And there is a download feature.
[00:18:46] We'll just copy this, and what we'll do is we will make a quick script. So we'll come in here, new tab, and then we'll just say gedit new.sh, because this is a shell script, hit paste, and then make sure you put an enter here at the top so it can declare this. I had issues earlier with it not declaring. So we'll go ahead and save this, and then we're just going to run it via the parameters. So we're gonna run new.sh -u for URL with the IP address, and then -c for cookie. So what we need to do, as always with an exploit, we're going to add the +x on the chmod so you can make it executable. Then we're gonna say new.sh, and then we're gonna say http://10.10.10.152, and we've got to provide that wonderful cookie that we have. Let's go ahead and just copy this guy and paste it and let this fire. OK, so this is going to go through, and if it's successful, it's going to try to create a user pentest in the administrators group with the password P3nT3st!. Now this is going to do it on the actual machine itself, so we can try to connect to this. So what I've showed you in the past before is using something like psexec. But I do want to point out, and we've used that in Metasploit.
[00:20:24] I want to point out that you can use that without or with Metasploit, but we can use it without Metasploit here. Right? So there is a toolkit already built in to your Kali Linux, but I want to actually show you a better way of using that toolkit. So if we go out to the Google machine, and we go to Google, and I still have my intercept on, let's go ahead and turn our intercept off, and we say "impacket github". Now, I already had this installed on my machine. This is my pentest machine. But go ahead and click on this first link, and let's go ahead and just do a clone or download here. You're going to copy this, and what you're going to do is, I want you to go into your opt folder. This is where I like to install things, in my opt folder. Say git clone and paste that in. Mine shouldn't clone, because I already have it. So let's just do the install real quick. I'll stall here and talk for a second. Once it's already installed, or downloaded at least, go ahead and go to cd impacket, and it should just be a pip install, I believe, is how you run this. So pip install period. So if you do not have pip, you can do pip3, I do believe, or you can do apt install pip, or python-pip.
[00:21:50] Those are the options, and that will get you pip as well. But you should just be able to do pip install period, and that will install everything for you. Mine should have most of this already installed, yep. And it says I need a newer version of pip, that's fine. So it did actually install some new stuff for me. But what's nice about this is that it will install this and allow things to run, like I had to start typing in psexec, and we could say psexec.py. Now, when it comes to pen testing, this method is picked up a lot less than the Metasploit method. They still upload some sort of reverse shell, but Metasploit's picked up a lot easier by antivirus, especially when you don't know what you're up against, your first shell, etc. Even better is something like smbexec or wmiexec. All of those use the same syntax, are part of the same package. smbexec and wmiexec get picked up way less than psexec does, but I do like a good psexec.
[00:22:51] So let's go ahead and just try this, and what we're going to do is we're just going to use those credentials. We'll say pentest, and we'll just say P3nT3st! like this, and then we'll just say @10.10.10.152, and let's see if this works. So immediately we know we have an account here, immediately, because it's requesting the shares and it found a writable share. Now it's trying to upload that file onto that share. Opening, this is SVCManager, and hey, let's say whoami. We did it. We're on there. We didn't use Metasploit, we got on here. So you people taking the OSCP, or wanting to take the OSCP, you yell at me about using Metasploit. Look at this. It works, OK? So now you can go find your flag. You'll be Gucci again. So what we're gonna do, we can Control C out of here too. And just to prove a point, for a real pentest environment, wmiexec, not a fully executable shell, semi-interactive, so you will be able to run some commands, some you won't. But this is a good way to kind of navigate yourself around the network and just kind of see where you're at. Or you can say dir and see where we're at. OK.
[00:24:10] So you can see where you're at in the system and kind of get a feel for that. Control C again, and just to prove, check out smbexec and see if it works. So different ways of getting shells. Again, semi-interactive. The fully interactive is the psexec, and I love the Metasploit or Meterpreter version, because you do get that extra benefit of having that C2 server, and you also have the benefit of having all the packages that you can load with Meterpreter. But here's a proof of concept that you can use psexec, and especially if you're up against antivirus or something, then you can go to like Program Files, or you can even look through, you know, you can query and see what kind of antivirus is in there, what kind of firewall rules are in there, and you kind of get the lay of the land with your smbexec, wmiexec or even psexec before you actually try to attempt a reverse shell and tip off the antivirus side of things. So that is, that is it for this lesson. Hopefully you guys found it interesting and understood the thought process that I have.
[00:25:14] And you know, I do challenge you to start thinking outside the box, and just thinking the little things. Like, a good example is getting and finding that password, and then trying it, and then just being like, oh well, you know, it didn't work, I've got to go look for something else. You know, increment the number. It's 2019, increment the number and see if it works. Just think, think like a dumb user would think, and you will be successful all the time. So thank you, as always, for, you know, watching these videos, and until next time, I really do thank you for joining me.