1
00:00:00,390 --> 00:00:01,250
So here we are.

2
00:00:01,260 --> 00:00:04,870
We have our Nmap scan back and we have three ports open.

3
00:00:05,040 --> 00:00:10,130
We've got FTP, we've got telnet and we've got HTTP.

4
00:00:10,260 --> 00:00:11,150
That's it.

5
00:00:11,400 --> 00:00:18,060
So we can go out really quick to the interwebs and see if HTTP has anything for us.

6
00:00:18,080 --> 00:00:23,930
So let's create a new tab, hit enter, and we've got this MegaCorp, that's it.

7
00:00:23,940 --> 00:00:29,790
We've got this page here; you can view the source and see if there's anything here.

8
00:00:29,790 --> 00:00:30,870
I've got it selected sorry.

9
00:00:30,870 --> 00:00:32,470
View the page source.

10
00:00:32,550 --> 00:00:33,900
There's nothing really here.

11
00:00:33,900 --> 00:00:39,750
If there is an exploit this way we're gonna have to look into either what's running on the back end,

12
00:00:40,380 --> 00:00:46,560
here we could see 7.5, Windows Server, maybe there's directory busting we need to do, etc.,

13
00:00:46,830 --> 00:00:48,870
but we're going to explore the other parts first.

14
00:00:49,290 --> 00:00:53,720
So what I'm gonna do is I'm gonna open up a new tab and I'm just going to see if FTP is open.

15
00:00:53,880 --> 00:00:58,620
So we'll FTP to this machine and I'm going to try anonymous login,

16
00:01:03,530 --> 00:01:07,520
and the only other option is we could try logging in with telnet and seeing if we can get in that way,

17
00:01:07,910 --> 00:01:12,800
but here we have anonymous login, so I'm going to go ahead and just say ls and we could see we've

18
00:01:12,800 --> 00:01:16,430
got a Backups and an Engineer folder here.

19
00:01:16,430 --> 00:01:22,790
So I'm gonna switch over to binary; when we go into FTP we are typically in ASCII by default.

20
00:01:22,790 --> 00:01:28,910
Now we have transfer issues sometimes with ASCII, so it's always good to just switch to binary when you're

21
00:01:28,910 --> 00:01:30,590
transferring files.

22
00:01:30,650 --> 00:01:36,410
Now we can't do the recursive on; I actually tried that and it's saying hey, invalid command, so we're going to

23
00:01:36,410 --> 00:01:40,770
go into both of these and we're just going to grab the files that are in them.

24
00:01:40,880 --> 00:01:49,550
So if we ls there's a backup.mdb, so we could say get backup.mdb, just like that, you know,

25
00:01:49,550 --> 00:01:54,160
grab the file and then we're going to do this again for the other file.

26
00:01:54,170 --> 00:02:02,970
So we'll cd out and then we're going to go into cd Engineer, ls, and we're gonna grab this Access Control,

27
00:02:02,990 --> 00:02:07,290
so let's say get Access Control.zip.

28
00:02:07,760 --> 00:02:10,680
Just like that and now we have both of those.

29
00:02:10,730 --> 00:02:14,050
So let's go ahead and explore what we just grabbed.

30
00:02:14,090 --> 00:02:21,900
If I go to my files and my downloads I've got this Access Control.zip and I can see that there's

31
00:02:21,920 --> 00:02:24,710
a PST here which is an

32
00:02:24,710 --> 00:02:25,480
email file.

33
00:02:25,480 --> 00:02:25,790
Right.

34
00:02:25,820 --> 00:02:31,730
So this is commonly associated with something like Microsoft Office but it doesn't have to be.

35
00:02:31,820 --> 00:02:34,040
Now this can be opened with other tools.

36
00:02:34,040 --> 00:02:35,900
Same thing with this MDB.

37
00:02:35,900 --> 00:02:39,200
This is an Access database, or a database.

38
00:02:39,200 --> 00:02:44,920
Now the way I'm going to access these here, coming up, is going to be using Microsoft Office.

39
00:02:44,960 --> 00:02:47,870
However there are alternatives and I will present those to you.

40
00:02:47,880 --> 00:02:51,410
They're not installed in Kali; you'll have to take that your own path.

41
00:02:51,890 --> 00:02:58,640
So what you can utilize, what you can utilize to read this backup file here, you can utilize a tool called, and

42
00:02:58,640 --> 00:03:06,500
I'll type this out for you, so you can utilize a tool called mdb-sql and just run it against

43
00:03:06,500 --> 00:03:13,290
backup.mdb, and then you can also use a tool for the PST, readpst.

44
00:03:13,430 --> 00:03:17,810
So those are the two tools that you should use if you want to use it in a complete Linux format.

45
00:03:17,800 --> 00:03:22,430
Otherwise as long as you have access to opening these files you should be OK.

46
00:03:22,430 --> 00:03:28,040
So what I've done is I've taken these files and I moved them over and I'm just going to show you what

47
00:03:28,040 --> 00:03:29,230
they look like opened up.

48
00:03:29,300 --> 00:03:34,770
So let me open up the access database which is the backup database.

49
00:03:34,850 --> 00:03:41,020
I'm going to bring this over and you're gonna see there's a bunch of tables in here.

50
00:03:41,020 --> 00:03:44,580
Now you have to kind of enumerate through these tables and see what you can,

51
00:03:44,680 --> 00:03:52,270
you can find, but if we scroll through there is the auth_user table here and it gives us a few different

52
00:03:52,600 --> 00:03:56,650
categories; it gives us the username, password, last login, etc.

53
00:03:56,830 --> 00:04:04,560
Now we have admin, admin; backup_admin, admin; and then we have engineer and access4u@security.

54
00:04:04,570 --> 00:04:08,070
So I'm going to copy this password, and this is a lot of trial and error.

55
00:04:08,080 --> 00:04:12,580
So if you do this box on your own and it took you a while to find this that's absolutely fine.

56
00:04:12,580 --> 00:04:17,050
I remember doing this box back when it was a live box on Hack The Box and it took me a couple of

57
00:04:17,050 --> 00:04:22,630
days to actually solve this just because there's a lot of enumeration to go through and it's not the

58
00:04:22,750 --> 00:04:26,170
easiest of boxes just because of the hurdles you have to go through.

59
00:04:26,230 --> 00:04:34,500
So let's go ahead and just minimize this and we're gonna go and try to access this other file.

60
00:04:34,630 --> 00:04:39,610
Now I tried to telnet originally, and if you tried to telnet that's absolutely fine; you could say hey,

61
00:04:39,610 --> 00:04:45,540
admin or security or whatever user, I'm going to try to log in with them and see if it works.

62
00:04:45,610 --> 00:04:50,860
Unfortunately it didn't work, so I'm going to go into our files and then I'm going to go to the Access Control

63
00:04:50,870 --> 00:04:57,220
zip and I'm going to try to migrate this Access Control over; I'm going to paste this password that we

64
00:04:57,220 --> 00:05:01,870
found, and I've already got the file here, but we'll just say replace.

65
00:05:01,870 --> 00:05:08,920
So then this Access Control.pst comes in; I've gone ahead and loaded that Access Control.pst into

66
00:05:08,920 --> 00:05:12,100
Outlook and I've just grabbed the file.

67
00:05:12,100 --> 00:05:18,250
So here is the email; there's one email that was sitting in there from john@megacorp.com to

68
00:05:18,250 --> 00:05:23,320
security@accesscontrolsystems.com, and it says the password for the security account has been changed

69
00:05:23,350 --> 00:05:28,840
to this password, so please ensure this is passed on to your engineers. So I'm going to copy this password and now we

70
00:05:28,840 --> 00:05:31,900
know also that the username is security.

71
00:05:32,050 --> 00:05:35,260
So again, I kind of went through that a little bit quick.

72
00:05:35,260 --> 00:05:42,460
But what has happened here is we had anonymous login, right; anonymous login on FTP permitted us to

73
00:05:42,460 --> 00:05:44,530
find these backup files.

74
00:05:44,710 --> 00:05:50,860
We found the backup files and we utilized the database to find the auth table; the auth table allowed us

75
00:05:50,860 --> 00:05:53,540
to access this PST here.

76
00:05:53,620 --> 00:05:58,060
We extracted the PST and inside the PST was an email.

77
00:05:58,090 --> 00:06:05,290
So this box is called Access; it's just a hint that we had to use Access to actually access that, that's

78
00:06:05,290 --> 00:06:05,790
not to say.

79
00:06:06,100 --> 00:06:06,460
OK.

80
00:06:06,490 --> 00:06:10,750
So anyways, what we're going to do now is we're going to telnet into the machine, or at least attempt

81
00:06:10,750 --> 00:06:11,910
to telnet into the machine.

82
00:06:12,550 --> 00:06:21,850
So we'll say telnet and we're going to do a dash L for the username which is security, we're gonna

83
00:06:21,850 --> 00:06:26,490
say 10.10.10.98. OK.

84
00:06:26,490 --> 00:06:28,230
And it's a little slow as you can see.

85
00:06:28,230 --> 00:06:35,010
All right, let's paste the password now; well, let's actually just paste, let's say security and then we'll

86
00:06:35,010 --> 00:06:36,600
paste the password.

87
00:06:36,600 --> 00:06:39,430
See if this lets us log in. OK.

88
00:06:39,430 --> 00:06:40,180
We are in.

89
00:06:40,180 --> 00:06:43,110
So C:\Users\security.

90
00:06:43,170 --> 00:06:53,830
So this is the baseline here; we have gotten a user account, and all we want to do in this escalation attempt

91
00:06:54,310 --> 00:06:59,780
for moving forward is we want to be able to get a shell.

92
00:06:59,800 --> 00:07:01,900
So this is your challenge for the next video.

93
00:07:01,900 --> 00:07:05,270
We want to get a complete shell; once we take that shell,

94
00:07:05,290 --> 00:07:09,460
We want to do the enumeration of the credentials.

95
00:07:09,490 --> 00:07:15,250
So we're going to try to find that cmdkey /list; in order to run that we need a full shell,

96
00:07:15,730 --> 00:07:22,100
and then we'll go ahead and see if we can't download the root.txt; that is really the challenge here,

97
00:07:22,120 --> 00:07:27,520
we're not going to try to escalate as I feel like that's going to be out of the scope of this course,

98
00:07:27,550 --> 00:07:34,170
at least the escalation into the administrative account is going to be out of scope, but savecred

99
00:07:34,210 --> 00:07:37,480
is very, very in scope for the escalation here.

100
00:07:37,540 --> 00:07:44,620
So we're going to go ahead and try to utilize these saved creds to grab the root.txt off of

101
00:07:44,680 --> 00:07:47,980
the administrative desktop.

102
00:07:48,140 --> 00:07:51,710
So I will see you guys in the next video as we try to achieve that.
