1
00:00:00,740 --> 00:00:01,340
All right.

2
00:00:01,370 --> 00:00:08,420
So now what we're gonna need to do is download a file, and that file is sitting on

3
00:00:08,420 --> 00:00:10,070
our Windows machine.

4
00:00:10,100 --> 00:00:14,780
Now we need to transfer it from the Windows VM to our Kali VM.

5
00:00:14,780 --> 00:00:21,200
You may have your favorite way of doing this, but I'm going to just launch a quick FTP server in Python,

6
00:00:21,590 --> 00:00:29,900
so what I might do is I'm going to kill the Python server I have now and I'm going to run python -m

7
00:00:30,030 --> 00:00:32,330
pyftpdlib.

8
00:00:32,420 --> 00:00:40,910
Now if you don't have this, you can run something like pip3 install pyftpdlib.

9
00:00:41,660 --> 00:00:42,320
And that will run.

10
00:00:42,970 --> 00:00:43,360
OK.

11
00:00:43,400 --> 00:00:52,330
So I'm going to run this on port 21, and then I'm going to provide write access, so you should see 0.0.

12
00:00:52,450 --> 00:01:00,470
0.0 port 21, and then I'm going to go over to our machine over here, and what we're going to do is we're

13
00:01:00,470 --> 00:01:09,580
gonna be transferring over this file in Tools, Source, so the source file here, and I'm just going to

14
00:01:10,090 --> 00:01:21,040
shift and then right click, Open command window here, and I'm going to say ftp 10.11.4.

15
00:01:21,190 --> 00:01:22,570
114.

16
00:01:22,930 --> 00:01:24,400
It's going to say OK, we've connected.

17
00:01:24,430 --> 00:01:30,400
I'm going to provide an anonymous login and get connected really quick by typing anonymous and anonymous

18
00:01:30,400 --> 00:01:32,240
for the username and password.

19
00:01:32,260 --> 00:01:39,890
Now what I'm going to do is I'm going to put the windows_service.c file.

20
00:01:39,910 --> 00:01:40,530
All right.

21
00:01:40,570 --> 00:01:48,960
So now if I come over to this machine here, you can see that it has written, so I'm going to go ahead

22
00:01:48,960 --> 00:01:59,180
and Ctrl+C. I'm going to gedit this file, windows_service.c. You can see right

23
00:01:59,180 --> 00:02:01,750
now that we're running a system command.

24
00:02:02,150 --> 00:02:08,270
If you do not understand C, that's fine, you don't have to understand any of this at this point.

25
00:02:08,270 --> 00:02:11,810
We just need to understand what we're modifying, so we're modifying this

26
00:02:11,810 --> 00:02:12,290
whoami

27
00:02:12,290 --> 00:02:13,410
command.

28
00:02:13,430 --> 00:02:19,770
So instead of this whoami command, we're going to grab this command here, which is gonna say, hey, cmd.

29
00:02:19,850 --> 00:02:26,940
exe, I want to run a net localgroup administrators user /add, user being us.

30
00:02:26,960 --> 00:02:27,780
OK.

31
00:02:27,830 --> 00:02:29,680
So don't get that confused with the user.

32
00:02:29,690 --> 00:02:35,540
This is the username we want to add, so we're gonna go ahead and come back into our text editor, and I'm

33
00:02:35,540 --> 00:02:43,210
going to just replace this and I'm going to paste here and save.

34
00:02:43,430 --> 00:02:46,550
Now you need to compile this.

35
00:02:46,640 --> 00:02:50,440
So take big caution on this note here.

36
00:02:50,570 --> 00:03:00,080
If you do not have mingw32 or mingw-w32 installed, or mingw-w64 installed, go ahead and run this sudo apt

37
00:03:00,110 --> 00:03:08,330
install gcc-mingw-w64 command, and it's a sizable file, about seven hundred megabytes,

38
00:03:08,330 --> 00:03:15,170
so go ahead and install that, pause here if you need to, and then come back. OK.

39
00:03:15,180 --> 00:03:20,700
So moving on, I'm going to go ahead and run this command, and it's going to create this executable, so

40
00:03:20,700 --> 00:03:27,290
we're going to say, hey, I want to take the C file, compile it, and I'm going to make it into x.exe.

41
00:03:27,390 --> 00:03:32,480
All right so let's go ahead and paste that.

42
00:03:32,490 --> 00:03:34,230
Sorry I didn't grab all of it.

43
00:03:34,290 --> 00:03:36,000
Go ahead and try this now and paste it.

44
00:03:39,490 --> 00:03:39,800
OK.

45
00:03:39,830 --> 00:03:42,860
If we ls, the x.exe should be created.

46
00:03:42,860 --> 00:03:43,950
It is.

47
00:03:43,960 --> 00:03:51,220
I'm going to go ahead and just spin up my Python SimpleHTTPServer, and what we're gonna be doing is we're

48
00:03:51,220 --> 00:03:53,680
going to move this to the temp folder.

49
00:03:53,860 --> 00:03:57,820
OK, we're gonna place this in the temp folder in our Windows VM, so let's go ahead.

50
00:03:57,820 --> 00:04:03,760
Go back to the Windows VM, refresh here.

51
00:04:03,870 --> 00:04:05,030
Give it one more go.

52
00:04:05,190 --> 00:04:09,480
And then here is the x.exe, you see, so I'm going to go ahead and download this.

53
00:04:09,480 --> 00:04:14,570
Save it, and then let's go to C:\temp and we'll save it here.

54
00:04:19,880 --> 00:04:20,140
All right.

55
00:04:20,140 --> 00:04:23,110
Now from here we're going to need to run our command.

56
00:04:23,140 --> 00:04:25,850
So let's go ahead and copy this over here.

57
00:04:25,900 --> 00:04:28,870
Let's walk through what this actually is.

58
00:04:29,890 --> 00:04:38,570
So let's copy, and we're going to paste this into a command prompt here, and I'm going to paste.

59
00:04:40,700 --> 00:04:44,680
OK, let's talk through this, and I'm going to actually come over to the TryHackMe site since it's a

60
00:04:44,680 --> 00:04:45,620
little bit bigger.

61
00:04:45,730 --> 00:04:51,700
So we're going to be adding to the registry here, so you can see we've got reg add, and then we're adding

62
00:04:51,700 --> 00:04:53,680
to this regsvc service.

63
00:04:53,680 --> 00:05:01,090
Now we're going to do a /v, and /v is going to say, hey, what registry entry do I want to be added

64
00:05:01,090 --> 00:05:02,680
for this sub key.

65
00:05:02,710 --> 00:05:05,020
What's the value name? And the value

66
00:05:05,020 --> 00:05:06,690
name is ImagePath.

67
00:05:06,730 --> 00:05:13,590
Now ImagePath is a registry key that contains the path of the driver's image file.

68
00:05:13,630 --> 00:05:19,600
So what happens is, if we place an executable here, when we tell the service to start, the ImagePath

69
00:05:19,720 --> 00:05:25,890
is going to run the executable for us when we tell the service to start. If you can see here, this sc

70
00:05:25,900 --> 00:05:30,820
down here is going to say, hey, start the regsvc service, and say, hey, when the service starts,

71
00:05:30,820 --> 00:05:32,130
go to the ImagePath.

72
00:05:32,260 --> 00:05:35,200
We're gonna go ahead and execute this executable.

73
00:05:35,890 --> 00:05:36,740
OK.

74
00:05:37,000 --> 00:05:40,530
On top of that we have a /t, which is the type.

75
00:05:40,540 --> 00:05:47,070
Now REG_EXPAND_SZ, all it is is saying, hey, we're going to run a string here.

76
00:05:47,080 --> 00:05:48,730
This is just a string value.

77
00:05:48,910 --> 00:05:53,410
So the string value is this /d, or a directory, or a data.

78
00:05:53,410 --> 00:05:55,950
Actually this is our data we're executing.

79
00:05:56,200 --> 00:06:02,620
And this /f is just saying, hey, don't prompt me for this, I don't want any confirmation when I run

80
00:06:02,620 --> 00:06:05,330
this I just want this to go ahead and just execute.

81
00:06:05,350 --> 00:06:06,720
So that's what we're going to do.

82
00:06:06,730 --> 00:06:11,770
Let's go ahead and hit enter on this, and you can see it completed successfully.

83
00:06:11,770 --> 00:06:13,750
Now all we're going to have to do is start it.

84
00:06:13,780 --> 00:06:22,380
So we're going to say sc, we're going to say start regsvc. Actually, before we do that,

85
00:06:22,390 --> 00:06:25,560
Let's open up a command prompt one more time.

86
00:06:25,570 --> 00:06:36,130
now let's just say net localgroup administrators. OK, administrator's there, backdoor's there, and TCM is

87
00:06:36,130 --> 00:06:36,720
there.

88
00:06:36,730 --> 00:06:40,130
Let's go ahead and run this. OK.

89
00:06:40,140 --> 00:06:41,850
And it says Start is pending.

90
00:06:42,130 --> 00:06:45,080
It's going to go ahead and try to run it.

91
00:06:45,380 --> 00:06:46,220
Look what happened.

92
00:06:46,220 --> 00:06:47,690
The user got added.

93
00:06:47,690 --> 00:06:50,780
OK so let's go back on this.

94
00:06:50,780 --> 00:06:54,640
Remember we went here and we looked and we said OK.

95
00:06:54,830 --> 00:07:02,540
Well, the access control list showed that Interactive had full control, Interactive full control of

96
00:07:02,540 --> 00:07:03,820
the registry key.

97
00:07:03,930 --> 00:07:05,100
So what does that mean.

98
00:07:05,120 --> 00:07:12,470
That means we were able to generate a malicious executable, use the executable here, and we added that

99
00:07:12,470 --> 00:07:16,430
into the registry under the ImagePath and said, here you go.

100
00:07:16,580 --> 00:07:21,500
And the ImagePath allowed us to execute this file when we started the service.

101
00:07:21,500 --> 00:07:23,010
So we started the service.

102
00:07:23,030 --> 00:07:28,340
It executed the file for us and it added our user to the local admin group.

103
00:07:28,820 --> 00:07:32,070
So there we go. Now from here,

104
00:07:32,090 --> 00:07:34,460
we're gonna go ahead and start moving on.

105
00:07:34,550 --> 00:07:39,330
So if we check out what's coming up next, executable files are coming up next.

106
00:07:39,350 --> 00:07:46,680
Now what I want to do is I want you to terminate your machine and go ahead and redeploy your machine

107
00:07:46,680 --> 00:07:50,340
from step 1, and meet me over in the next video when you're ready.

108
00:07:50,340 --> 00:07:55,150
The only reason is I want to clear everything out and start over because we've done some escalation.

109
00:07:55,140 --> 00:07:59,790
So you're gonna have me telling you this a few times throughout the rest of these, just so we clear out

110
00:07:59,820 --> 00:08:03,300
and we can re-escalate from different parts.

111
00:08:03,300 --> 00:08:07,680
So I will see you in the next video, where we start talking about executable files.
