1
00:00:00,270 --> 00:00:03,890
Let's talk DLL hijacking now.

2
00:00:03,900 --> 00:00:07,820
You should already be on your remote desktop machine with this spun up.

3
00:00:07,860 --> 00:00:08,910
If you're not.

4
00:00:08,910 --> 00:00:13,920
Go ahead and get that done while you're listening to my voice talk about what DLL hijacking is.

5
00:00:14,400 --> 00:00:15,960
So what is a DLL?

6
00:00:15,970 --> 00:00:19,830
Well, you've probably seen it before, but you might just kind of ignore it.

7
00:00:19,920 --> 00:00:20,190
Right.

8
00:00:20,200 --> 00:00:25,560
It's a dynamic link library, is what it stands for, and you can think of it almost like an executable

9
00:00:25,590 --> 00:00:30,790
because they are like executables, they're just not directly executable.

10
00:00:30,990 --> 00:00:36,600
Something to compare it to, if you're familiar with Linux, is a .so file, and they're basically just

11
00:00:36,600 --> 00:00:38,010
these shared libraries.

12
00:00:38,010 --> 00:00:46,080
So the DLL contains classes and functions and resources, variables, all sorts of things.

13
00:00:46,230 --> 00:00:49,830
And you'll often see DLLs run with executables.

14
00:00:50,430 --> 00:00:56,640
So what we're doing in the case of DLL hijacking is we're looking for a specific instance.

15
00:00:56,940 --> 00:01:06,280
Now when a Windows environment starts up a service or an application, it looks for DLLs.

16
00:01:06,450 --> 00:01:11,220
Now if the DLL doesn't exist, then we can get malicious with it.

17
00:01:11,230 --> 00:01:16,770
So if it's looking in a path that's writable, and where the DLL does not exist that it's looking for,

18
00:01:17,010 --> 00:01:18,350
we can get malicious.

19
00:01:18,420 --> 00:01:21,460
Now let's take a look at how we can do that.

20
00:01:21,570 --> 00:01:28,580
So I'm going to go ahead and just open up the tools folder and from here I'm going to open up Process

21
00:01:28,590 --> 00:01:32,510
Monitor and we're going to run Process Monitor as administrator.

22
00:01:32,510 --> 00:01:34,730
We're just going to simulate this here.

23
00:01:34,730 --> 00:01:42,740
So in a normal environment we might run something like PowerSploit, or we might try to take this process

24
00:01:42,740 --> 00:01:48,530
offline and read through it, but we're just going to kind of look at what happens, and that way we can understand

25
00:01:48,530 --> 00:01:53,210
what's going on and why we're seeing DLL injections or hijacking and how we can do this.

26
00:01:53,690 --> 00:01:56,200
So let's take a look here.

27
00:01:56,390 --> 00:02:02,310
Type in our password of hacker123 and we're going to load this.

28
00:02:02,340 --> 00:02:04,690
So now I've already got some configurations in here.

29
00:02:04,700 --> 00:02:13,280
But what I want you to do is I want you to come into Filter and I want you to add a filter that says

30
00:02:13,370 --> 00:02:20,030
Result is, and then NAME NOT FOUND.

31
00:02:20,060 --> 00:02:25,940
And keep that under Include and then hit Add. You can see I have that here.

32
00:02:26,020 --> 00:02:31,010
You can also see that Path ends with .dll.

33
00:02:31,030 --> 00:02:38,480
So let's go ahead and set Path, and then to ends with, and we'll just do .dll.

34
00:02:38,630 --> 00:02:42,310
And then lastly I've got this DLL hijack service in here.

35
00:02:42,350 --> 00:02:44,480
You see, you don't have to worry about that.

36
00:02:44,540 --> 00:02:47,750
I'm going to hit apply and OK for now.

37
00:02:47,750 --> 00:02:54,050
And you can see that it's running through a list of events and it's just showing in here where there

38
00:02:54,050 --> 00:02:57,550
has been a NAME NOT FOUND for a DLL.

39
00:02:57,570 --> 00:03:03,720
Now if these names are not found and it's looking for them, we could possibly overwrite this DLL if we

40
00:03:03,720 --> 00:03:05,230
can control the service.

41
00:03:05,430 --> 00:03:12,330
And if the location is writable. So common locations that are writable, like Program Files, but in our

42
00:03:12,330 --> 00:03:13,590
case we have a Temp folder.

43
00:03:13,590 --> 00:03:14,220
That's writable.

44
00:03:14,790 --> 00:03:21,680
So let's go ahead and just go out to a command line and we're going to run the service.

45
00:03:21,680 --> 00:03:30,990
Now we have a vulnerable service here, and that vulnerable service is going to be: sc start, you're going

46
00:03:30,990 --> 00:03:36,770
to say dllsvc. OK, if it says it's already running,

47
00:03:36,770 --> 00:03:41,860
go ahead and say sc stop dllsvc and go ahead and give it a start

48
00:03:46,570 --> 00:03:49,500
and you should see some stuff come in here.

49
00:03:49,520 --> 00:03:49,900
All right.

50
00:03:49,940 --> 00:03:56,120
So things just happened, and what we can see here is we've got NAME NOT FOUND entries.

51
00:03:56,120 --> 00:04:00,410
We've got one in Program Files, so potentially that's hijackable right there.

52
00:04:00,440 --> 00:04:05,570
We've also got another one here in the Temp folder of a hijackme.dll.

53
00:04:05,780 --> 00:04:08,000
So we see this hijackme.dll.

54
00:04:08,240 --> 00:04:13,310
We have a couple of paths that we can take. Now, the path that we've been doing over and over and over

55
00:04:13,310 --> 00:04:20,330
again has been using Meterpreter or msfvenom and getting a shell, so we could generate a quick shell,

56
00:04:20,600 --> 00:04:27,020
we could do a file and just put this as an executable and save it as a hijackme.dll and replace

57
00:04:27,020 --> 00:04:27,810
this.

58
00:04:28,100 --> 00:04:31,460
However we are just going to go a different path here.

59
00:04:31,490 --> 00:04:40,220
So what I want to do is I want to copy over this windows_dll.c file that we've got on our machine.

60
00:04:40,220 --> 00:04:50,710
So if we go into our folders here and we go back, we go to Source, we've got this

61
00:04:50,730 --> 00:04:52,500
windows_dll.c.

62
00:04:52,680 --> 00:04:54,600
So I just want to move this to my machine.

63
00:04:54,600 --> 00:04:58,740
So I'm going to create an FTP server temporarily.

64
00:04:58,890 --> 00:05:06,300
So all we're gonna do here is we're just going to say, I'm going to move over to the transfer folder

65
00:05:07,020 --> 00:05:15,860
and I'm going to do something along the lines of python -m pyftpdlib, port 21, dash dash,

66
00:05:15,870 --> 00:05:16,260
all right

67
00:05:20,090 --> 00:05:29,930
and then I'm going to spawn a command shell here, and I'm just going to FTP to my server anonymously, ten

68
00:05:29,990 --> 00:05:33,760
not eleven not thought out one 14.

69
00:05:33,790 --> 00:05:43,060
I do believe they are going to say anonymous, and then anonymous, and now we're just going to put the

70
00:05:43,060 --> 00:05:48,160
windows_dll.c

71
00:05:50,880 --> 00:05:51,130
All right.

72
00:05:51,160 --> 00:05:53,120
So now we should have it on our machine.

73
00:05:53,260 --> 00:05:55,700
You can see it came through over here.

74
00:05:55,720 --> 00:05:59,140
What we're going to do on our side of things is we're just going to get it.

75
00:05:59,140 --> 00:06:06,950
That windows_dll.c, and you can see there's a command in here, and the command says, hey, let's run

76
00:06:06,950 --> 00:06:09,980
whoami, put it to this dll.txt.

77
00:06:10,070 --> 00:06:11,710
We're going to improve upon this.

78
00:06:11,720 --> 00:06:22,400
We're gonna say, hey, let's run this command that says net localgroup administrators user /add, again, user

79
00:06:22,400 --> 00:06:25,570
being us, the user, not just any user.

80
00:06:25,670 --> 00:06:27,470
So this would be our user name.

81
00:06:27,470 --> 00:06:31,170
We're going to say this and same thing that we did before.

82
00:06:31,180 --> 00:06:34,620
Look, it even has in here how to compile it for 64-bit.

83
00:06:34,720 --> 00:06:36,990
This is exactly how we're going to compile it.

84
00:06:37,090 --> 00:06:40,050
So I'm going to go ahead and just start typing that out.

85
00:06:40,090 --> 00:06:45,670
So you would just say x86_64-w64-mingw32.

86
00:06:45,670 --> 00:06:51,220
You can auto-tab this a little bit, gcc is what we're after, and then.

87
00:06:51,380 --> 00:06:52,450
Yep so we're good.

88
00:06:52,450 --> 00:07:01,800
And then here we're gonna say windows_dll.c -shared -o

89
00:07:01,810 --> 00:07:03,010
hijackme.dll

90
00:07:05,960 --> 00:07:06,980
OK that's good.

91
00:07:06,980 --> 00:07:18,050
Now all we have to do is host this up in a simple HTTP server on port 80. Ah, 80's already in use, we'll

92
00:07:18,070 --> 00:07:18,970
just use 81.

93
00:07:18,970 --> 00:07:23,410
I've got a server spinning up somewhere and then we'll just navigate over here really quick

94
00:07:27,210 --> 00:07:30,740
and let's go ahead and say goodbye to our FTP server.

95
00:07:30,750 --> 00:07:36,690
We'll do a net localgroup administrators.

96
00:07:36,690 --> 00:07:40,290
You can see that's just TCM and Administrator in here.

97
00:07:40,410 --> 00:07:48,310
So then I'm going to come into here at ten eleven and up for 114 on port 81.

98
00:07:48,420 --> 00:07:48,720
All right.

99
00:07:48,720 --> 00:07:53,010
Having issues connecting on 81, so I just killed my other server that was running and brought

100
00:07:53,010 --> 00:07:58,800
up 80, and let's go here and just download the file.

101
00:07:58,830 --> 00:08:06,870
So we've got the DLL under hijackme.dll and we're just gonna go ahead and save this into the Temp

102
00:08:06,870 --> 00:08:08,110
folder. Why the Temp folder?

103
00:08:08,130 --> 00:08:12,790
Because we can write to the Temp folder and because that's where the call-out is coming from.

104
00:08:13,300 --> 00:08:16,070
So remember in Procmon we saw it going to the Temp folder.

105
00:08:16,080 --> 00:08:19,360
So we're going to save it there.

106
00:08:19,440 --> 00:08:21,960
We're gonna close this.

107
00:08:22,090 --> 00:08:32,420
We're going to go ahead and just sc stop the DLL service and we're going to sc start the DLL service

108
00:08:35,710 --> 00:08:36,190
all right.

109
00:08:36,240 --> 00:08:38,910
And then we're going to net localgroup administrators again.

110
00:08:38,910 --> 00:08:42,490
And look who is right here in the administrators group.

111
00:08:42,540 --> 00:08:43,920
It is the user.

112
00:08:44,250 --> 00:08:48,630
So that is DLL hijacking in a very, very basic nutshell.

113
00:08:48,630 --> 00:08:54,150
It can get much crazier than this, but just understand the criteria.

114
00:08:54,150 --> 00:08:55,510
That's really what we need to know.

115
00:08:55,530 --> 00:09:04,710
We have tools that can look for this, but you really just want to know the criteria here, being that we

116
00:09:04,770 --> 00:09:13,290
are looking for a DLL that's trying to load, it has a NAME NOT FOUND, if we have a writable directory for

117
00:09:13,290 --> 00:09:20,580
that DLL, how we can hijack that DLL and have that run for us and do something malicious.

118
00:09:20,580 --> 00:09:20,810
All right.

119
00:09:20,820 --> 00:09:22,240
That's the big thing here.

120
00:09:22,260 --> 00:09:28,410
We're looking for the NAME NOT FOUND with the DLL itself and the directory we can hijack into.

121
00:09:28,410 --> 00:09:34,620
So that's it for this lesson. From here we're going to talk about one of my favorite escalation paths,

122
00:09:34,650 --> 00:09:37,320
which are service permissions and paths.

123
00:09:37,320 --> 00:09:39,030
So I'll catch you over in the next section.
