1 00:00:00,360 --> 00:00:05,910 So with that being said, I have gone ahead and spun up a machine, so go ahead and get logged into
2 00:00:05,910 --> 00:00:09,540 your Hack The Box website, into your account.
3 00:00:10,440 --> 00:00:13,540 Now, if you did not watch episode one, then you are behind.
4 00:00:13,560 --> 00:00:16,690 And again, we're going to repeat ourselves too much along the episode.
5 00:00:16,720 --> 00:00:20,580 So what we learned last time: we covered enumeration on Legacy.
6 00:00:20,760 --> 00:00:23,780 This time we're going to look at this box called Lame.
7 00:00:24,330 --> 00:00:29,130 Now, Lame is a Linux machine, as you see by the little penguin here next to it.
8 00:00:29,550 --> 00:00:33,210 And it's pretty easy on the difficulty side.
9 00:00:33,510 --> 00:00:40,040 We're gonna take a look at that; it seems a little bit, maybe, more difficult rated than Legacy was.
10 00:00:40,380 --> 00:00:41,640 But no need to worry.
11 00:00:41,670 --> 00:00:43,200 We're going to walk through everything here.
12 00:00:43,530 --> 00:00:46,040 So this will be episode two, box two.
13 00:00:46,110 --> 00:00:49,470 I've gone ahead and hit the little start button on the machine.
14 00:00:49,500 --> 00:00:55,050 Yours should have spun up. Mine is stalling now, and I'm going to go ahead and get this scanning.
15 00:00:55,100 --> 00:00:58,680 So what we're gonna do is we're going to open up a new window.
16 00:00:58,800 --> 00:01:00,720 I'm going to make it nice and big for you guys.
17 00:01:01,410 --> 00:01:02,490 And this is 10.
18 00:01:02,490 --> 00:01:03,030 .10.
19 00:01:03,030 --> 00:01:04,240 .10.3.
20 00:01:05,280 --> 00:01:11,070 So let's go ahead and just do our nmap that we showed last time and we'll do 10.
21 00:01:11,120 --> 00:01:13,410 .10.10.3, like this.
22 00:01:13,920 --> 00:01:14,780 We're going to let this scan.
23 00:01:14,780 --> 00:01:16,680 This could take anywhere up to five minutes.
24 00:01:16,890 --> 00:01:23,040 So in my stalling time, what I'm going to do is describe some different scanning methods.
25 00:01:23,610 --> 00:01:29,190 So last time I told you about how this is my methodology: if I want to scan a network, if I want to
26 00:01:29,190 --> 00:01:31,710 scan the machine, I'm going with this.
27 00:01:31,800 --> 00:01:33,570 And that is 100 percent true.
28 00:01:34,170 --> 00:01:39,630 But there are other methodologies that are out there and maybe you find something that you like better.
29 00:01:39,630 --> 00:01:41,310 We kind of talked about that last time.
30 00:01:41,820 --> 00:01:45,780 One that I want to present to you, and that I talk about quite a bit on my streams,
31 00:01:46,870 --> 00:01:49,240 is the idea of scanning.
32 00:01:49,990 --> 00:01:51,350 There's two different ideas here.
33 00:01:51,370 --> 00:01:53,140 One is doing a quick scan.
34 00:01:53,650 --> 00:01:56,680 So we just say nmap and we just say 10.10.
35 00:01:56,680 --> 00:01:57,610 .10.3.
36 00:01:58,030 --> 00:01:59,450 We get rid of all this.
37 00:01:59,470 --> 00:02:04,960 We leave the speed in there, -T4, if we want, but we get rid of all this stuff here and we just
38 00:02:04,960 --> 00:02:05,710 scan this.
39 00:02:05,800 --> 00:02:06,850 Now, what is that going to do?
40 00:02:07,210 --> 00:02:11,470 Well, if you remember from last time, that's going to only scan the top 1000 ports because we're not
41 00:02:11,470 --> 00:02:12,310 scanning all
42 00:02:12,340 --> 00:02:15,010 65,535 here.
43 00:02:15,760 --> 00:02:17,580 So we're only scanning the top 1000.
44 00:02:18,250 --> 00:02:22,450 Well, we can scan the top one thousand quickly and see what comes back.
45 00:02:23,630 --> 00:02:29,780 And in that theory, we can then go poke and prod around some things that might be there.
46 00:02:30,470 --> 00:02:32,540 It's generally pretty fast.
47 00:02:32,990 --> 00:02:34,340 So that's one theory.
48 00:02:34,790 --> 00:02:36,110 I don't like doing that too much.
49 00:02:36,140 --> 00:02:37,370 Some people like to go that way.
50 00:02:37,730 --> 00:02:40,700 Another theory or methodology to do that,
51 00:02:41,300 --> 00:02:50,720 I'm not opposed to honestly, is to nmap all open ports, speed T4 or whatever speed you like, and
52 00:02:50,720 --> 00:02:51,710 take out this dash A.
53 00:02:52,790 --> 00:02:55,340 Now this dash A is the speed killer.
54 00:02:55,370 --> 00:03:01,260 This is what takes as long as we're doing all those different enumerations against this machine.
55 00:03:01,280 --> 00:03:01,520 Right.
56 00:03:01,910 --> 00:03:08,000 We're doing the OS enumeration, the service version enumeration, traceroute, etc.
57 00:03:08,060 --> 00:03:14,100 What we saw last time on the help menu, it'll do all that stuff against all the ports on this machine.
58 00:03:14,720 --> 00:03:23,060 Now, maybe a wiser strategy and a faster strategy could be to take this out completely, quickly scan
59 00:03:23,210 --> 00:03:25,790 with nmap for open ports on this machine.
60 00:03:25,820 --> 00:03:26,990 All 65 thousand.
61 00:03:26,990 --> 00:03:27,250 Right.
62 00:03:27,690 --> 00:03:31,070 Scan for open ports and then see what ports return.
63 00:03:32,270 --> 00:03:33,710 Now, we could take that.
64 00:03:34,430 --> 00:03:39,010 Let's just copy this and let's go into a new tab, and our scan results are back.
65 00:03:39,100 --> 00:03:44,400 Nice, stalled successfully. So we could take this and let's say something like port
66 00:03:44,630 --> 00:03:50,300 21 was open and port 80 was open and 443 was open.
67 00:03:50,870 --> 00:03:51,220 Right.
68 00:03:51,740 --> 00:03:56,980 Say you had something like this come back and there are only three ports open.
69 00:03:56,990 --> 00:03:59,570 Why not just scan for three ports?
70 00:03:59,690 --> 00:04:01,850 Scan everything for three ports.
71 00:04:02,330 --> 00:04:04,610 You could be wasting a lot of time here
72 00:04:04,730 --> 00:04:06,320 just scanning with the dash A.
73 00:04:07,010 --> 00:04:12,110 Now, in a later video, I'll probably show you some other techniques revolving around this one that
74 00:04:12,110 --> 00:04:13,610 I've been introduced to recently.
75 00:04:13,610 --> 00:04:17,900 And I'm kind of maybe transitioning to. I don't like to admit that I'm transitioning off nmap ever,
76 00:04:17,930 --> 00:04:22,300 but there is another tool called masscan.
77 00:04:22,310 --> 00:04:27,260 Masscan is incredibly fast for finding these ports for this purpose here.
78 00:04:27,560 --> 00:04:31,070 And then we can go back and just scan all against the ports that it finds.
79 00:04:31,460 --> 00:04:36,050 Now, if that's the way you want to go, we'll do it in one video just to show you guys; you guys can
80 00:04:36,050 --> 00:04:39,240 make up your minds on whether or not you like to go that way.
81 00:04:39,620 --> 00:04:40,610 Now, you can see this took
82 00:04:40,610 --> 00:04:42,050 144 seconds.
83 00:04:42,170 --> 00:04:43,430 That's really not that bad.
84 00:04:43,730 --> 00:04:49,400 If you're doing some kind of like first blood race or you're trying to, you know, get first in something
85 00:04:49,490 --> 00:04:54,890 for more points, for whatever it is, like capture the flag, then maybe, you know, this method is the
86 00:04:54,890 --> 00:04:57,230 better method; you script it out, do whatever.
87 00:04:57,920 --> 00:05:02,180 But if you're doing a pen test or whatever, you know, you're going to be waiting on lots of stuff
88 00:05:02,180 --> 00:05:02,600 anyway.
89 00:05:03,020 --> 00:05:07,790 So in my opinion, there's no point in building up those few extra seconds.
90 00:05:07,880 --> 00:05:11,140 So it's really up to you and how you want to do it.
91 00:05:12,700 --> 00:05:14,470 OK, our scan is back.
92 00:05:14,500 --> 00:05:16,930 So we have a few things here.
93 00:05:17,530 --> 00:05:18,590 Let's talk first.
94 00:05:19,110 --> 00:05:20,650 Port 21 is open.
95 00:05:20,850 --> 00:05:24,420 21 is FTP, the File Transfer Protocol.
96 00:05:25,030 --> 00:05:27,030 So we can see a few things from this.
97 00:05:27,040 --> 00:05:28,480 We see a version here.
98 00:05:28,540 --> 00:05:29,050 Perfect.
99 00:05:29,080 --> 00:05:30,400 We can Google that later.
100 00:05:30,760 --> 00:05:32,680 We see anonymous login is allowed.
101 00:05:32,860 --> 00:05:33,640 Nice.
102 00:05:34,120 --> 00:05:34,510 OK.
103 00:05:34,570 --> 00:05:39,590 So this in itself, if we're doing a pen test, may be a finding.
104 00:05:39,610 --> 00:05:39,940 Right.
105 00:05:40,600 --> 00:05:41,450 Why?
106 00:05:41,530 --> 00:05:43,010 Why is anonymous login allowed?
107 00:05:43,030 --> 00:05:48,850 Why should anybody be able to access a server and put files on and take files off, especially if this
108 00:05:48,850 --> 00:05:50,050 is a public facing server?
109 00:05:50,080 --> 00:05:50,960 If it's internal,
110 00:05:51,010 --> 00:05:51,340 OK.
111 00:05:51,550 --> 00:05:54,900 Little bit more leniency on the external side.
112 00:05:54,910 --> 00:05:55,390 Why?
113 00:05:55,480 --> 00:05:56,110 You know why.
114 00:05:56,860 --> 00:05:58,270 So we've got that.
115 00:05:58,930 --> 00:06:00,520 We can see that they connected.
116 00:06:00,850 --> 00:06:02,620 And that's about it.
117 00:06:02,960 --> 00:06:05,080 OK, so we've got 21 now.
118 00:06:05,110 --> 00:06:13,060 21 by itself is not exploitable in the fact that you can put files on and get files off of it.
119 00:06:13,480 --> 00:06:16,840 Now versions, versions might be exploitable.
120 00:06:17,360 --> 00:06:21,500 A very common one that I know of is the Konica Minolta
121 00:06:21,540 --> 00:06:23,380 FTP; it has a buffer overflow.
122 00:06:23,710 --> 00:06:28,660 So something like a buffer overflow attack against a service version.
123 00:06:29,230 --> 00:06:29,770 Perfect.
124 00:06:29,770 --> 00:06:30,060 Right.
125 00:06:30,100 --> 00:06:31,510 That might be exploitable.
126 00:06:31,720 --> 00:06:37,130 But by nature, typically, if we're looking at port 21 and there's no version exploit,
127 00:06:37,690 --> 00:06:40,660 it's not really a vulnerability per se.
128 00:06:40,750 --> 00:06:41,620 It's a vulnerability
129 00:06:41,650 --> 00:06:44,540 if you change some things, like anonymous FTP login.
130 00:06:44,630 --> 00:06:45,770 OK, we're logged in.
131 00:06:45,790 --> 00:06:48,010 Now you can put some files on the server.
132 00:06:48,520 --> 00:06:52,210 But the second part of that is how do we execute the files on the server?
133 00:06:53,170 --> 00:06:57,380 Now, we're not going to see that today because there is going to be no way to execute these.
134 00:06:57,400 --> 00:06:58,270 But think about that.
135 00:06:58,600 --> 00:07:04,780 If I put a file on the server, I need to either be able to execute it myself or I need to get somebody
136 00:07:04,780 --> 00:07:06,070 to execute it for me.
137 00:07:06,340 --> 00:07:12,560 So I have to do some sort of social engineering, trick somebody into opening a file, or if the file is
138 00:07:12,580 --> 00:07:17,020 maybe on a web server, I can go in and I can open it myself and exploit it.
139 00:07:17,320 --> 00:07:19,210 I have to have some kind of command execution,
140 00:07:19,210 --> 00:07:20,500 right, in order to do that.
141 00:07:21,520 --> 00:07:25,420 So putting a file onto a server, not malicious enough.
142 00:07:25,870 --> 00:07:30,580 We need a second part of that, typically, unless there's some sort of version exploit.
143 00:07:32,030 --> 00:07:36,040 OK, so downward, we've got 22 open.
144 00:07:36,270 --> 00:07:38,190 22 is SSH.
145 00:07:38,970 --> 00:07:40,130 So SSH,
146 00:07:40,190 --> 00:07:47,900 in my opinion, is not what we're looking for when we're trying to run exploits.
147 00:07:47,930 --> 00:07:54,150 Now, SSH can be exploitable in the wild, and really even in CTF,
148 00:07:54,160 --> 00:07:58,220 I have never seen a version exploit for SSH.
149 00:07:59,300 --> 00:08:07,520 So with that being said, some options that we have are brute force attacks or gathering credentials
150 00:08:07,520 --> 00:08:11,630 and trying to log in that way. Right now, when I am doing a test,
151 00:08:11,750 --> 00:08:14,660 of course I'll check and see if there's any sort of vulnerability here.
152 00:08:14,660 --> 00:08:17,120 There are vulnerabilities with SSH.
153 00:08:17,450 --> 00:08:19,460 I'm just saying I've never encountered them personally.
154 00:08:19,460 --> 00:08:20,240 I have seen them.
155 00:08:21,540 --> 00:08:30,170 So the SSH thing, if I'm doing a pen test, and you can consider this maybe last resort or, you
156 00:08:30,170 --> 00:08:36,230 know, you're going to brute force it anyway, you're going to say I'll send an attack at root with
157 00:08:36,230 --> 00:08:38,690 like five hundred or a thousand bad passwords.
158 00:08:39,350 --> 00:08:41,950 And there's reasoning behind this one.
159 00:08:42,020 --> 00:08:47,830 If I log in with a bad password or top 1000 password, why did that happen?
160 00:08:47,840 --> 00:08:49,340 How bad is your password policy?
161 00:08:49,340 --> 00:08:56,090 Right? Two: if I got a thousand tries in and nothing blocked me, no alerts were given to the client,
162 00:08:56,390 --> 00:08:58,850 then there's an issue with the SIEM, right.
163 00:08:59,250 --> 00:08:59,530 What?
164 00:08:59,670 --> 00:09:01,020 What's wrong with their alerting?
165 00:09:01,040 --> 00:09:02,270 Why are they not catching this?
166 00:09:02,280 --> 00:09:03,800 Do they have some sort of detection?
167 00:09:03,860 --> 00:09:04,530 If they do,
168 00:09:04,550 --> 00:09:06,440 why is it not seeing brute force attacks?
169 00:09:07,190 --> 00:09:08,870 So I like to hammer away.
170 00:09:09,250 --> 00:09:13,200 I am a very, very loud, very intentionally noisy pen tester.
171 00:09:13,520 --> 00:09:17,510 Now, that is completely different from the red team side where you're trying to be as quiet as possible.
172 00:09:18,150 --> 00:09:23,360 And my belief as a pen tester: if I am loud and you catch me, great, I'll start getting quieter and
173 00:09:23,360 --> 00:09:23,840 quieter.
174 00:09:24,470 --> 00:09:26,060 But if I'm being loud and you're not catching me,
175 00:09:26,090 --> 00:09:30,650 this helps me identify your weakest spots, which is your SIEM, which helps with the detection.
176 00:09:30,920 --> 00:09:33,590 So I will bang on the SSH door if I have to.
177 00:09:34,750 --> 00:09:35,000 OK.
178 00:09:35,060 --> 00:09:40,850 So another thing, as we pointed out here, is a lot of times in these CTF machines, and I consider Hack
179 00:09:40,850 --> 00:09:47,300 The Box CTF, is when you see SSH like this, you're going to gather credentials likely from some other
180 00:09:47,300 --> 00:09:52,820 aspect, some other exploit, some place you're going to find them, stumble upon them, and then you're
181 00:09:52,820 --> 00:09:56,060 going to use SSH to log in and get your lower shell.
182 00:09:56,660 --> 00:09:58,460 That happens quite frequently.
183 00:09:58,880 --> 00:10:03,410 In fact, a lot of the boxes that we're going to encounter are something like port 22 open and port
184 00:10:03,470 --> 00:10:04,220 80 open.
185 00:10:04,670 --> 00:10:06,080 And that's all you got.
186 00:10:06,320 --> 00:10:12,560 So, you know, you have to probably exploit port 80 to get into port 22 because port 80 is
187 00:10:13,070 --> 00:10:14,030 way more chance.
188 00:10:14,090 --> 00:10:17,680 The higher chance of being exploitable, and 22 is OK.
189 00:10:17,870 --> 00:10:19,160 So going down the list.
190 00:10:20,340 --> 00:10:23,250 We have got 139 and 445.
191 00:10:24,670 --> 00:10:28,140 Now, these relate to Samba, we talked about this last time, right?
192 00:10:28,170 --> 00:10:33,210 SMB file shares, known vulnerabilities all across the board.
193 00:10:33,240 --> 00:10:35,110 So many bad things with SMB.
194 00:10:35,160 --> 00:10:35,750 Oh, my God.
195 00:10:35,760 --> 00:10:36,830 SMB is the worst.
196 00:10:36,840 --> 00:10:37,120 Right.
197 00:10:37,680 --> 00:10:40,770 So we need to look into this
198 00:10:40,830 --> 00:10:46,500 Samba smbd 3.0.20 version and see if there's any kind of exploit for it.
199 00:10:47,550 --> 00:10:48,720 And then lastly, this
200 00:10:48,810 --> 00:10:49,350 36
201 00:10:49,350 --> 00:10:49,850 32.
202 00:10:49,860 --> 00:10:55,410 I actually don't know what distccd is. I know somebody is going to comment and tell me what it is because
203 00:10:55,410 --> 00:10:56,760 that happens all the time.
204 00:10:57,150 --> 00:10:59,100 So please do comment and tell me what this is.
205 00:10:59,370 --> 00:11:05,940 I have no friggin' idea, but the pen testing methodology behind this is to Google what this version one
206 00:11:05,940 --> 00:11:11,290 is, and this maybe 4.2.4, and see if there is an exploit behind this.
207 00:11:11,310 --> 00:11:11,610 Right.
208 00:11:12,720 --> 00:11:16,800 So we won't look into it because that's not the path of the machine.
209 00:11:16,830 --> 00:11:21,210 But if it were, if we were blind in this situation, we'd absolutely look into this.
210 00:11:22,230 --> 00:11:27,500 OK, so as we come down, it gives us some OS best guesses and it guesses White Russian
211 00:11:27,600 --> 00:11:28,710 0.9.
212 00:11:29,310 --> 00:11:31,050 That is my favorite alcoholic beverage.
213 00:11:31,080 --> 00:11:34,080 But I don't think that's a Linux version we're seeing here.
214 00:11:34,080 --> 00:11:37,920 That is Ubuntu, and its guess is coming back as White Russian.
215 00:11:38,730 --> 00:11:42,870 So as I told you last time, the best guesses are not always accurate.
216 00:11:42,900 --> 00:11:50,100 And here we can see that as we come down to the bottom, we can see some information around the actual
217 00:11:50,130 --> 00:11:51,190 SMB results.
218 00:11:51,210 --> 00:11:58,440 The OS discovery: it is running Unix, Samba 3.0.20-Debian, OK.
219 00:11:58,800 --> 00:12:00,270 Workgroup, blah, blah, blah.
220 00:12:00,570 --> 00:12:00,990 Perfect.
221 00:12:01,050 --> 00:12:04,310 So we see that SMB is open.
222 00:12:04,410 --> 00:12:04,800 So.
223 00:12:06,160 --> 00:12:09,670 If we go through the steps as a refresher, first, let's go ahead.
224 00:12:09,730 --> 00:12:11,650 Let's start with SMB.
225 00:12:11,650 --> 00:12:13,180 SMB is fresh in our mind.
226 00:12:13,210 --> 00:12:14,830 We covered it in the previous episode.
227 00:12:15,400 --> 00:12:17,020 So we're gonna stay with SMB first.
228 00:12:18,200 --> 00:12:23,480 So what we're going to do is, first things first, we're going to check with smbclient.
229 00:12:23,600 --> 00:12:24,970 Do we have any kind of login?
230 00:12:24,980 --> 00:12:27,740 Right, smbclient -L
231 00:12:27,920 --> 00:12:29,270 just to list the folders.
232 00:12:29,360 --> 00:12:31,650 And I'm going to say 10.10.10.
233 00:12:32,330 --> 00:12:33,540 I believe this was .3.
234 00:12:34,410 --> 00:12:35,450 I'll try to list it.
235 00:12:35,540 --> 00:12:36,950 Enter a password.
236 00:12:37,410 --> 00:12:37,930 OK.
237 00:12:38,030 --> 00:12:40,460 We can list a folder here.
238 00:12:40,490 --> 00:12:41,060 What?
239 00:12:41,420 --> 00:12:42,110 That's awesome.
240 00:12:42,110 --> 00:12:42,350 Right.
241 00:12:42,410 --> 00:12:50,600 So we can list some folders and it looks like they're probably trolling us, "oh noes" here on the tmp folder.
242 00:12:51,080 --> 00:12:57,710 So we've got the print$, IPC$, ADMIN$. Really, ideally, we're after like this folder, but we can enumerate
243 00:12:57,710 --> 00:12:59,300 here and see if there's anything.
244 00:13:00,080 --> 00:13:05,960 So one thing I can do is I can just delete this and we can try to connect to, say, try to connect to
245 00:13:05,960 --> 00:13:07,970 the tmp folder with anonymous.
246 00:13:08,000 --> 00:13:08,700 And then we say ls
247 00:13:08,710 --> 00:13:13,640 and OK, there's nothing really here.
248 00:13:13,700 --> 00:13:13,970 Right.
249 00:13:14,000 --> 00:13:17,780 There's these files. I mean, we can grab this file.
250 00:13:18,030 --> 00:13:20,120 There's no byte size on it.
251 00:13:20,570 --> 00:13:21,080 This j
252 00:13:21,080 --> 00:13:21,820 svc.
253 00:13:22,130 --> 00:13:25,190 There's nothing here in this tmp folder.
254 00:13:25,760 --> 00:13:28,130 Now we can put something into the tmp folder.
255 00:13:28,490 --> 00:13:31,400 And this is the same kind of idea as FTP.
256 00:13:31,940 --> 00:13:38,230 But how are we going to execute it? When we get to SMB and we get into these file shares,
257 00:13:38,290 --> 00:13:45,530 we're after enumeration. On top of that, as you'll find out at a later time, is if we get credentials
258 00:13:46,250 --> 00:13:49,580 and we have admin credentials to access this admin group,
259 00:13:49,850 --> 00:13:51,420 we're after an admin shell.
260 00:13:51,470 --> 00:13:56,060 We can get a shell with something like psexec and own this machine very fast
261 00:13:56,090 --> 00:14:01,790 if we got the right credentials, so we can run through these and see where we have access to.
262 00:14:01,820 --> 00:14:04,370 Now, this would be a finding on a pen test again, right?
263 00:14:04,400 --> 00:14:05,180 Like why?
264 00:14:05,600 --> 00:14:06,950 Why default credentials?
265 00:14:06,950 --> 00:14:07,400 Why?
266 00:14:07,690 --> 00:14:12,140 You know, anonymous login or whatever into this SMB, it shouldn't happen.
267 00:14:12,980 --> 00:14:19,190 So we can say exit and then we can try to navigate into the opt folder and see if it'll let us.
268 00:14:19,560 --> 00:14:21,470 And now you're seeing access denied.
269 00:14:21,740 --> 00:14:26,630 So opt would be a more juicy folder to get some information on maybe what kind of programs they got installed.
270 00:14:27,320 --> 00:14:29,450 But obviously, we're not getting there.
271 00:14:29,450 --> 00:14:35,010 And now we could check the ADMIN$ folder, spray and pray here, and you could see access denied as well.
272 00:14:35,060 --> 00:14:37,940 So we would need root's password to really get into this.
273 00:14:39,090 --> 00:14:46,050 And we're at a little bit of a dead end here, so that's fine.
274 00:14:46,080 --> 00:14:51,030 The other thing that we talked about last time was that we could use Metasploit to gather information,
275 00:14:51,060 --> 00:14:55,950 SMB version, about this exploit or about this version.
276 00:14:55,980 --> 00:15:00,060 But you see here last time, the version wasn't provided for us.
277 00:15:00,120 --> 00:15:03,690 But this time the version of Samba or SMB was provided for us.
278 00:15:04,170 --> 00:15:05,280 So this is really nice.
279 00:15:05,340 --> 00:15:06,570 And we can just copy this.
280 00:15:07,300 --> 00:15:11,780 We can take this over to Google and we can ask Google some stuff, right?
281 00:15:11,910 --> 00:15:13,750 We could say, hey, Google, hi.
282 00:15:13,920 --> 00:15:15,660 Look, it starts to know you.
283 00:15:15,900 --> 00:15:20,160 And it starts to know things about certain, like the Samba.
284 00:15:20,520 --> 00:15:22,350 It probably knows we're looking for an exploit.
285 00:15:22,440 --> 00:15:24,690 But more and more that I Google stuff,
286 00:15:25,330 --> 00:15:26,160 it starts coming up.
287 00:15:26,220 --> 00:15:28,050 Exploit, exploit, exploit for everything.
288 00:15:28,520 --> 00:15:30,150 And you can see I've been in here before.
289 00:15:32,450 --> 00:15:36,620 So, again, from last time, we've got options, right?
290 00:15:37,100 --> 00:15:39,980 The first thing that comes up is Rapid7. Love Rapid7.
291 00:15:40,010 --> 00:15:40,400 Why?
292 00:15:40,420 --> 00:15:44,840 Again, because they make Metasploit. This is probably a Metasploit module here.
293 00:15:44,900 --> 00:15:45,530 Perfect.
294 00:15:46,100 --> 00:15:48,200 We also have this here.
295 00:15:48,560 --> 00:15:57,260 3.0.20 Debian exploit through 3.0.25 using username map script; that looks
296 00:15:57,260 --> 00:15:58,840 like it fits what we need.
297 00:15:58,850 --> 00:15:59,300 Right.
298 00:15:59,840 --> 00:16:01,130 So we can come in here.
299 00:16:01,190 --> 00:16:04,660 And this is just the Metasploit Ruby module anyway.
300 00:16:05,060 --> 00:16:05,430 OK.
301 00:16:05,780 --> 00:16:08,410 So I thought maybe we'd have a manual exploit here.
302 00:16:09,080 --> 00:16:10,100 We don't.
303 00:16:10,130 --> 00:16:12,080 There might be one out there for this.
304 00:16:12,470 --> 00:16:15,440 But what we're looking at is a Ruby module for Metasploit.
305 00:16:15,890 --> 00:16:17,270 That just means it's already built in.
306 00:16:17,350 --> 00:16:17,810 Anyway.
307 00:16:17,840 --> 00:16:19,250 Ninety nine percent of the time.
308 00:16:20,210 --> 00:16:25,670 So if we come in here, we review the exploit. It says this module exploits a command execution vulnerability
309 00:16:25,670 --> 00:16:29,830 in Samba version 3.0.20 through 3.0.25.
310 00:16:29,890 --> 00:16:30,260 Check.
311 00:16:30,350 --> 00:16:37,760 We meet that. When using the non-default "username map script" configuration option, by specifying a username
312 00:16:37,790 --> 00:16:43,490 containing shell metacharacters, attackers can execute arbitrary commands. No authentication
313 00:16:43,490 --> 00:16:44,180 is needed.
314 00:16:44,270 --> 00:16:45,200 This is perfect.
315 00:16:46,060 --> 00:16:46,330 OK.
316 00:16:46,430 --> 00:16:47,930 So I think this is money.
317 00:16:49,610 --> 00:16:50,390 We could try it.
318 00:16:50,660 --> 00:16:51,350 Give it a go.
319 00:16:51,410 --> 00:16:52,370 See what it looks like.
320 00:16:52,610 --> 00:16:53,440 So let's copy this.
321 00:16:55,570 --> 00:16:58,190 And let's go ahead and open up Metasploit.
322 00:16:58,420 --> 00:17:00,040 We can say msfconsole.
323 00:17:03,420 --> 00:17:10,800 Now it'll take a second to boot. If you wanted to boot faster and you're newer, you can do something
324 00:17:11,310 --> 00:17:19,450 like service postgresql start, or what is it?
325 00:17:19,540 --> 00:17:24,620 systemctl enable postgresql, or enable PostgreSQL.
326 00:17:24,710 --> 00:17:30,870 Well, and that'll have the postgres database running, which is what Metasploit runs off of, every
327 00:17:30,870 --> 00:17:32,130 time your computer starts.
328 00:17:32,220 --> 00:17:36,780 I just don't mind a little five second wait or whatever that goes on in the beginning, so.
329 00:17:38,210 --> 00:17:38,610 OK.
330 00:17:38,730 --> 00:17:43,350 So anyway, we can say, now we just paste this, right?
331 00:17:43,410 --> 00:17:44,250 I think we copied it.
332 00:17:44,290 --> 00:17:46,140 So let's try to paste it.
333 00:17:46,590 --> 00:17:47,370 Boom.
334 00:17:47,990 --> 00:17:49,230 Say options.
335 00:17:50,230 --> 00:17:50,470 OK.
336 00:17:50,560 --> 00:17:53,830 We've got to set our RHOST. Remember, RHOST is the remote host.
337 00:17:53,850 --> 00:17:55,000 That is our victim.
338 00:17:55,000 --> 00:17:56,620 That is who we are attacking.
339 00:17:57,280 --> 00:17:57,990 Set it at 10.
340 00:17:58,100 --> 00:17:59,190 .10.10.3.
341 00:17:59,800 --> 00:18:02,320 We always show targets just to be safe.
342 00:18:03,400 --> 00:18:04,240 Only one target.
343 00:18:04,290 --> 00:18:05,410 And that is automatic.
344 00:18:05,440 --> 00:18:07,650 Let's run this bad boy and see what happens.
345 00:18:09,840 --> 00:18:10,390 Boom.
346 00:18:10,420 --> 00:18:11,340 We just popped a shell.
347 00:18:12,580 --> 00:18:12,880 OK.
348 00:18:12,970 --> 00:18:20,350 So last time we popped a shell and we were in Meterpreter in Windows; this time we are in a Linux
349 00:18:20,350 --> 00:18:20,980 machine.
350 00:18:21,380 --> 00:18:22,840 Let's say whoami.
351 00:18:23,500 --> 00:18:30,350 Hey, we are root. hostname. Print the working directory, or present working directory.
352 00:18:31,160 --> 00:18:31,640 OK.
353 00:18:31,780 --> 00:18:37,210 And then we can cd into, or you do an ls, see all the options.
354 00:18:37,210 --> 00:18:37,600 Right.
355 00:18:38,320 --> 00:18:41,230 I could see these in the home, ls.
356 00:18:42,320 --> 00:18:44,150 So, you know, there's a lot of options here.
357 00:18:44,610 --> 00:18:45,350 cd ..
358 00:18:45,650 --> 00:18:46,790 We could see the entire root.
359 00:18:48,170 --> 00:18:53,170 And we can grab the root.txt if it has locate available.
360 00:18:53,180 --> 00:18:55,250 You could just say locate root.txt.
361 00:18:56,230 --> 00:18:58,420 Whether or not that comes back with anything, it doesn't.
362 00:18:58,480 --> 00:19:00,040 It has updatedb.
363 00:19:00,400 --> 00:19:02,470 And then we could try locate root.txt.
364 00:19:04,030 --> 00:19:04,780 That works.
365 00:19:05,160 --> 00:19:07,870 Could also locate user.txt.
366 00:19:09,900 --> 00:19:13,270 And you could see that the other user is this, my keys?
367 00:19:13,320 --> 00:19:14,190 Mochis?
368 00:19:14,400 --> 00:19:14,950 I don't know.
369 00:19:15,540 --> 00:19:18,360 But if you want to grab your flags here, your flags.
370 00:19:20,110 --> 00:19:26,050 OK, so a couple other things. We talked last time about the enumeration that we want to do in post
371 00:19:26,050 --> 00:19:28,240 exploitation. Right now, we are root.
372 00:19:28,330 --> 00:19:31,600 So root means that we have full access to this machine.
373 00:19:31,630 --> 00:19:34,900 We own this machine right now.
374 00:19:34,910 --> 00:19:36,350 Up until this point has been easy.
375 00:19:36,370 --> 00:19:38,230 There has been no privilege escalation.
376 00:19:38,260 --> 00:19:40,110 And that's OK in our books.
377 00:19:40,150 --> 00:19:42,030 We are dummies.
378 00:19:42,040 --> 00:19:42,720 We are newbies.
379 00:19:42,760 --> 00:19:44,290 We are going to build up into that.
380 00:19:44,320 --> 00:19:44,710 OK.
381 00:19:45,730 --> 00:19:50,170 So for now, take these easy wins and enjoy them.
382 00:19:50,770 --> 00:19:55,780 So as root and as post enumeration, some things that we can look at.
383 00:19:56,800 --> 00:20:02,440 We can take, for example, the /etc file, /etc/shadow file, and /etc/passwd.
384 00:20:02,470 --> 00:20:04,720 So let's cat out the /etc/passwd.
385 00:20:06,100 --> 00:20:11,950 Now, you may have access to this and should have access to this as most users.
386 00:20:12,400 --> 00:20:16,750 So if we were to have a lower level shell, you could have access to this file.
387 00:20:17,170 --> 00:20:20,680 Now, what this is, is the passwd file is misleading.
388 00:20:20,680 --> 00:20:22,540 There are no passwords in this file.
389 00:20:23,050 --> 00:20:24,760 You see this nice little x here.
390 00:20:25,030 --> 00:20:29,650 Now, back in the day, they used to put passwords in the passwd file, but they stopped doing that.
391 00:20:30,190 --> 00:20:33,520 Instead, they created what is called a shadow file as well.
392 00:20:33,550 --> 00:20:41,470 The shadow file will take the password, and it will put it, or the password hash, and they'll put it in
393 00:20:41,680 --> 00:20:43,840 this x placeholder here.
394 00:20:44,260 --> 00:20:45,700 So I'll show you that in a second.
395 00:20:45,730 --> 00:20:48,490 But what we can do is we can print this out.
396 00:20:48,520 --> 00:20:53,900 This shows you some information. Root's always at the top and then you start coming down to the bottom.
397 00:20:53,920 --> 00:20:57,280 Your users, your real users, are down at the bottom.
398 00:20:58,030 --> 00:20:59,890 The rest of these are service accounts.
399 00:21:00,340 --> 00:21:03,660 And I've seen that ninety nine percent of the time where it's like this.
400 00:21:03,670 --> 00:21:05,680 So you'll always see our users at the bottom.
401 00:21:05,710 --> 00:21:11,350 We only have this one user that is this Mockus user or McKees or however you pronounce it.
402 00:21:11,770 --> 00:21:15,900 So the other thing that we can do is we could say cat /etc/shadow.
403 00:21:16,560 --> 00:21:21,280 And this will give you that idea too, as to what accounts have passwords.
404 00:21:22,640 --> 00:21:25,220 And you could see there are a few accounts here with passwords.
405 00:21:26,720 --> 00:21:31,970 So now this password, this hash here, this hash will go in where the x is.
406 00:21:32,390 --> 00:21:32,690 OK.
407 00:21:32,750 --> 00:21:39,860 So the root has that x; this hash will go in there and that combines the whole file in order to be in
408 00:21:39,860 --> 00:21:40,280 one.
409 00:21:40,650 --> 00:21:41,690 This is called unshadowed.
410 00:21:41,690 --> 00:21:42,970 One is unshadowed.
411 00:21:42,980 --> 00:21:46,010 Like this, it's combined into one long format.
412 00:21:46,790 --> 00:21:52,850 Now there is a tool that we can get into if we go into, what is going to be, a new tab here.
413 00:21:53,270 --> 00:21:57,530 So it is called unshadow, unshadow.
414 00:21:57,740 --> 00:22:00,050 So let's do something first.
415 00:22:00,800 --> 00:22:02,690 Let's go ahead and copy here.
416 00:22:05,770 --> 00:22:08,470 Let's copy the /etc/passwd file.
417 00:22:09,620 --> 00:22:15,050 We'll say cat /etc, actually gedit, sorry, passwd.
418 00:22:17,340 --> 00:22:18,600 I've got an old one in here.
419 00:22:18,660 --> 00:22:19,260 Perfect.
420 00:22:19,980 --> 00:22:24,070 I'll save this, and then we'll just copy this other one.
421 00:22:24,350 --> 00:22:25,880 I'll show you what unshadow looks like.
422 00:22:28,480 --> 00:22:29,270 Copy this guy.
423 00:22:29,300 --> 00:22:30,280 Here, the shadow.
424 00:22:30,370 --> 00:22:31,240 We're going to gedit.
425 00:22:31,360 --> 00:22:32,170 The shadow.
426 00:22:34,920 --> 00:22:36,510 And then we could save that one.
427 00:22:38,010 --> 00:22:39,640 And then we can say unshadow.
428 00:22:39,740 --> 00:22:44,160 And we run unshadow. The only thing it's going to ask us is, say, hey, we want your passwd file.
429 00:22:44,670 --> 00:22:46,020 And we want your shadow file.
430 00:22:46,170 --> 00:22:49,110 So all you got to do is unshadow passwd shadow.
431 00:22:50,310 --> 00:22:50,910 Run that.
432 00:22:51,320 --> 00:22:52,550 And look what it does for you.
433 00:22:52,560 --> 00:22:56,460 It prints out a nice unshadowed file.
434 00:22:56,490 --> 00:22:59,790 See, the X now has been replaced with this hash.
435 00:23:00,330 --> 00:23:01,590 Now, why is this important?
436 00:23:01,620 --> 00:23:02,700 Why the heck do we care?
437 00:23:03,780 --> 00:23:10,020 Well, we can take this and we can try to crack these passwords in hashcat.
438 00:23:10,920 --> 00:23:11,280 OK.
439 00:23:11,340 --> 00:23:15,780 So you can tell your hash, this is an MD5, I believe.
440 00:23:15,810 --> 00:23:16,380 Don't quote me.
441 00:23:16,380 --> 00:23:19,440 I'm pretty sure MD5 is dollar sign one dollar sign.
442 00:23:19,770 --> 00:23:22,960 So the dollar sign, blank, dollar sign is a good way to tell your hash.
443 00:23:22,980 --> 00:23:23,790 Some are five.
444 00:23:23,790 --> 00:23:24,780 Some are six.
445 00:23:25,520 --> 00:23:28,320 And that's a quick way to say, hey, Google, what's dollar sign
446 00:23:28,320 --> 00:23:30,930 one dollar sign in a hash form.
447 00:23:31,050 --> 00:23:33,380 I'm 90 percent sure it's MD5.
449 00:23:34,050 --> 00:23:35,580 So you can run this through hashcat.
450 00:23:35,640 --> 00:23:41,730 Unfortunately, I'm actually using my hashcat right now to work on an assessment, so I can't show
451 00:23:41,730 --> 00:23:45,340 you this, but I have made videos on cracking hashes.
452 00:23:46,590 --> 00:23:52,770 If we come back into, let's see, my videos, and we scroll through all of these.
453 00:23:52,800 --> 00:23:56,280 There is a hashcat video in here somewhere.
454 00:23:57,450 --> 00:24:03,240 So if you look through my videos, it is this one here, Cracking Linux Password Hashes.
455 00:24:03,840 --> 00:24:07,800 I will link this down in the description below, if you're curious.
456 00:24:08,100 --> 00:24:09,530 Very similar process.
457 00:24:09,570 --> 00:24:11,690 You just run hashcat against this. I explain
458 00:24:11,690 --> 00:24:12,990 it in more detail there.
459 00:24:13,320 --> 00:24:15,870 So if you want to know, and you have a little bit more research,
460 00:24:15,960 --> 00:24:16,470 there you go.
461 00:24:18,030 --> 00:24:18,250 OK.
462 00:24:18,540 --> 00:24:22,320 So we talked about post exploitation.
463 00:24:22,350 --> 00:24:24,870 We're gonna gather. The first thing I'm after,
464 00:24:24,870 --> 00:24:25,140 right,
465 00:24:25,200 --> 00:24:27,320 is gathering these hashes.
466 00:24:27,450 --> 00:24:31,620 I'm going to crack these hashes, or try to crack these hashes, and see where I can go from there.
467 00:24:32,370 --> 00:24:36,480 From that point, you know, I also want to gather networking information.
468 00:24:36,480 --> 00:24:37,890 We talked about that last time.
469 00:24:38,520 --> 00:24:39,870 What's the ifconfig?
470 00:24:39,900 --> 00:24:44,560 What is the, what's the, ah, what's the routing table, etc.
471 00:24:44,770 --> 00:24:48,930 If you don't know what the heck I'm talking about when it comes to networking, you should probably
472 00:24:48,930 --> 00:24:53,820 look into learning a little bit more networking before you get too, too far into pen testing.
473 00:24:54,240 --> 00:24:56,370 Having a good networking background goes a long way.
474 00:24:56,400 --> 00:24:58,440 You don't have to have a detailed networking background.
475 00:24:58,470 --> 00:24:59,910 Just understand the basics.
476 00:25:01,110 --> 00:25:06,870 So I'll look at those kind of things, you know, and see what the connections are.
477 00:25:07,190 --> 00:25:08,160 netstat as well.
478 00:25:08,180 --> 00:25:09,660 Just to see what kind of connections there are.
479 00:25:09,990 --> 00:25:15,150 But, you know, I'm mainly after this. I'll look through user files, see if there's anything interesting,
480 00:25:15,510 --> 00:25:21,720 and how we can access or leverage what we gain from this machine.
481 00:25:21,720 --> 00:25:25,740 How can we take this machine and use it to get other places?
482 00:25:26,100 --> 00:25:26,340 Right.
483 00:25:26,370 --> 00:25:30,360 That's all post exploitation is: what information can we gather, again?
484 00:25:30,870 --> 00:25:37,570 So there, enumeration is always key. Enumeration prior to exploitation, enumeration
485 00:25:37,590 --> 00:25:43,140 if you have a lower level user to try to get that higher level user, and then enumeration once you have
486 00:25:43,200 --> 00:25:47,730 and have owned the machine completely, to move further. You're always looking for the next step.
487 00:25:47,760 --> 00:25:50,400 And the more information you can gather, the better off you are.
488 00:25:51,390 --> 00:25:57,540 Now, we won't talk about it for a very long time, but if you're saying, hey, what about the other
489 00:25:57,540 --> 00:26:01,980 machines that we were supposed to exploit, or the other services we're supposed to exploit?
490 00:26:02,530 --> 00:26:02,800 OK.
491 00:26:02,880 --> 00:26:04,200 There is one other service here.
492 00:26:04,270 --> 00:26:06,310 Well, there's three, really.
493 00:26:06,330 --> 00:26:06,630 Right.
494 00:26:07,740 --> 00:26:13,140 If we were to have done this box, if I were to have done this blind, I would have enumerated this
495 00:26:13,140 --> 00:26:13,920 version as well.
496 00:26:14,160 --> 00:26:19,950 And let's take a look at it, so we can go out to Google and just go.
497 00:26:21,380 --> 00:26:28,970 Paste, and look, Rapid7 has one too. Rapid7 has a backdoor code execution on this.
498 00:26:29,390 --> 00:26:33,440 Now it says it's introduced for this between, blah blah blah.
499 00:26:33,500 --> 00:26:39,980 It just gives us and says that, you know, this exploit belongs to this version.
500 00:26:40,490 --> 00:26:45,300 So we could come in and we could use this, try to exploit it, etc.
501 00:26:46,070 --> 00:26:51,020 Now, the owner of the box put this on here as a rabbit hole.
502 00:26:51,530 --> 00:26:56,150 So if you tried this, if you've done this before, if you've looked at this box, you tried this, that's
503 00:26:56,150 --> 00:26:57,330 perfectly OK.
504 00:26:57,830 --> 00:27:00,530 I would have fallen down this rabbit hole as well.
505 00:27:01,520 --> 00:27:04,170 In fact, I am sure I did when I attempted the box.
506 00:27:04,190 --> 00:27:05,360 A long, long time ago.
507 00:27:06,320 --> 00:27:11,480 But once you get past the, hey, I've attempted this however many times and it's not working.
508 00:27:11,900 --> 00:27:12,840 Time to move on.
509 00:27:12,860 --> 00:27:13,040 Right.
510 00:27:13,070 --> 00:27:15,440 Don't get stuck down the rabbit holes.
511 00:27:15,560 --> 00:27:17,780 A lot of boxes you're going to find have them.
512 00:27:18,410 --> 00:27:19,700 Don't waste too much time.
513 00:27:19,730 --> 00:27:20,780 That's really the lesson.
514 00:27:21,680 --> 00:27:24,710 The appropriate thing is to do your research, as you just saw.
515 00:27:25,100 --> 00:27:30,050 Another thing that we should do, too, and I did not show you, is we should FTP to the machine.
516 00:27:30,160 --> 00:27:30,420 Right.
517 00:27:31,160 --> 00:27:33,230 What's in that file folder?
518 00:27:33,320 --> 00:27:35,240 If we can just type in anonymous here?
519 00:27:36,080 --> 00:27:38,240 I just always type anonymous for the password.
520 00:27:38,570 --> 00:27:42,360 We could say ls and say, OK, what's here?
521 00:27:43,280 --> 00:27:44,570 Well, there's nothing here.
522 00:27:46,610 --> 00:27:49,030 So, and we're in the base directory.
523 00:27:49,130 --> 00:27:51,170 So there's literally nothing.
524 00:27:51,560 --> 00:27:53,660 Now, again, we could put a file in here.
525 00:27:54,090 --> 00:27:54,470 We.
526 00:27:54,710 --> 00:27:56,720 But where, how can we access the file?
527 00:27:57,500 --> 00:27:58,430 And that's the issue.
528 00:27:58,460 --> 00:28:03,260 If this was like a Web server or something that we could go and access a file once we've uploaded it,
529 00:28:03,740 --> 00:28:06,110 then we can start talking about how we can get malicious.
530 00:28:06,140 --> 00:28:08,930 But in this sense, we can upload the file.
531 00:28:08,960 --> 00:28:12,770 But unless we can get somebody to go open the file, there's nothing that we can do right now.
532 00:28:13,370 --> 00:28:16,040 So this is why we didn't spend a lot of time here.
533 00:28:16,070 --> 00:28:23,660 But I do know that when you get FTP, you've got to have a second form of getting that file to exploit.
534 00:28:23,690 --> 00:28:27,770 You can be malicious, but you have to have somebody exploit it for you, or a way to exploit it.
535 00:28:28,430 --> 00:28:33,480 And if you're looking for the version, you see a version, that's going to be your,
536 00:28:33,550 --> 00:28:34,220 your exploit.
537 00:28:34,250 --> 00:28:36,980 This is gonna get you a reverse shell before a file upload.
538 00:28:37,220 --> 00:28:40,750 Well, most likely you need to chain here.
539 00:28:40,810 --> 00:28:41,630 Had to chain.
540 00:28:41,930 --> 00:28:43,910 You need these two chains of attack here.
541 00:28:43,940 --> 00:28:46,790 And then you need one potential here.
542 00:28:47,240 --> 00:28:48,800 So we search for this exploit.
543 00:28:48,860 --> 00:28:51,380 It's just not, it's not valid on this machine.
544 00:28:51,410 --> 00:28:54,470 But this is the right methodology, and that's really what we're after.
545 00:28:55,010 --> 00:28:56,000 Same thing here.
546 00:28:56,000 --> 00:28:57,140 We could search for this.
547 00:28:57,240 --> 00:29:01,670 There's, like I said, not a ton of exploits for SSH.
548 00:29:01,700 --> 00:29:07,400 SSH is usually a brute force, or I found credentials somewhere, logging in with that for a shell.
549 00:29:08,390 --> 00:29:08,750 So.
550 00:29:08,780 --> 00:29:10,880 And then lastly, we could search this as well.
551 00:29:11,360 --> 00:29:13,400 But on this machine, this does not lead anywhere.
552 00:29:13,430 --> 00:29:17,420 So if you're curious about it and you want to research it, you are more than welcome to do it.
553 00:29:18,290 --> 00:29:22,070 So for the sake of time, that is really, really it for this lesson.
554 00:29:22,130 --> 00:29:25,460 This is just another box, another way of seeing methodology.
555 00:29:25,820 --> 00:29:30,650 And what I wanted to do is I wanted to try to build off the previous lesson, where we learned about SMB,
556 00:29:30,950 --> 00:29:34,760 and now we got to see SMB again and we got to exploit it again.
557 00:29:34,790 --> 00:29:37,700 But we also saw some extra versions and stuff to enumerate.
558 00:29:38,420 --> 00:29:43,820 So next time I have a box in mind already that I'm going to take for us, and we're going to build upon
559 00:29:43,820 --> 00:29:47,330 some of the things I talked about this time and just keep going in that methodology.