1
00:00:00,330 --> 00:00:00,780
All right.

2
00:00:00,780 --> 00:00:01,290
Unquoted.

3
00:00:01,290 --> 00:00:01,980
Service paths.

4
00:00:01,980 --> 00:00:04,090
What is an unquoted service path?

5
00:00:04,650 --> 00:00:11,280
So if you have a service executable whose path is not enclosed in quotation marks and contains a space,

6
00:00:11,850 --> 00:00:14,250
then you're going to have an issue.

7
00:00:14,280 --> 00:00:17,490
So let's go ahead and take a look and explain what that means.

8
00:00:17,490 --> 00:00:24,180
We scroll up just a little bit to this unquoted service path that was identified here by PowerUp.

9
00:00:24,180 --> 00:00:26,830
You can see, and ignore, this AWS Lite Agent.

10
00:00:26,850 --> 00:00:29,780
We're actually looking for this unquotedsvc service right here.

11
00:00:30,420 --> 00:00:31,290
So what do I mean?

12
00:00:31,290 --> 00:00:33,190
Well, if you see the path: C:\

13
00:00:33,200 --> 00:00:34,370
Program Files.

14
00:00:34,360 --> 00:00:38,990
There's a space in Program Files; there's also a space in Path Service and in Common Files.

15
00:00:39,240 --> 00:00:42,630
Lots of spaces here, no quotes, no quotes.

16
00:00:42,630 --> 00:00:45,060
And let's go ahead and take a look at what I mean by no quotes.

17
00:00:45,060 --> 00:00:51,030
If we go to regedit, we just type regedit and hit Enter in here.

18
00:00:51,090 --> 00:01:01,380
If you go down to HKLM\SYSTEM\CurrentControlSet\Services, and I'll scroll up just a little bit

19
00:01:01,380 --> 00:01:02,680
for you.

20
00:01:02,700 --> 00:01:13,480
So we're in HKLM, that is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. What we're looking for

21
00:01:13,480 --> 00:01:21,210
here is, if we scroll down, the unquoted service path, unquotedsvc, right.

22
00:01:21,400 --> 00:01:27,380
Look at this path, this ImagePath here. Remember we discussed the ImagePath. Look at it, we've got no

23
00:01:27,380 --> 00:01:34,520
quotes around it, meaning that we can modify this and get malicious, because this isn't actually quoted.

24
00:01:34,520 --> 00:01:41,270
OK, so what's going to happen now is Windows is going to attempt to run this service, and when it attempts

25
00:01:41,270 --> 00:01:47,390
to run the service it's going to look through each of the parts in order. So it's going to say, hey, C:\Program

26
00:01:47,390 --> 00:01:55,730
Files, or C:\Program.exe, then C:\Program Files, and it's going to look for Unquoted.exe,

27
00:01:55,740 --> 00:02:00,340
Unquoted Path.exe, Unquoted Path Service.exe, and so forth.

28
00:02:00,380 --> 00:02:06,080
So what we're going to do is we're going to put a file here that's called common.exe, and it's going

29
00:02:06,080 --> 00:02:11,420
to try to run that. So again, remember, it's going to say, hey, because there's no quotes around this, it's

30
00:02:11,420 --> 00:02:17,900
going to go C:\Program.exe, C:\Program Files\Unquoted.exe, and so on, all the way through.

31
00:02:17,930 --> 00:02:22,270
So we can place this file maliciously anywhere we want in here, but we're going to put it in Common just as

32
00:02:22,270 --> 00:02:27,050
a proof of concept, and you're going to see that Common is going to execute before this unquoted service

33
00:02:27,050 --> 00:02:31,380
path actually executes, and we're going to get a shell off of this.

34
00:02:31,490 --> 00:02:34,270
So let's go ahead and attempt to do that.

35
00:02:34,310 --> 00:02:39,110
So what I want to do is I want to do another Meterpreter-type shell. So we're going to go in here and

36
00:02:39,110 --> 00:02:44,710
we're just going to call out, and we're going to say something along the lines of... we've actually got

37
00:02:44,710 --> 00:02:50,180
one here. I'm going to exit off of this shell and I'm going to do a run in our multi/handler. Actually,

38
00:02:50,190 --> 00:02:51,250
I'll kill this for a second.

39
00:02:51,280 --> 00:02:56,760
Let me show the options of our multi/handler again. Same thing, where we should have windows/meterpreter/

40
00:02:56,770 --> 00:03:06,430
reverse_tcp running here with our LHOST, and then we can just do a run, and this will get a Meterpreter

41
00:03:06,430 --> 00:03:06,920
shell.

42
00:03:06,920 --> 00:03:10,660
Now if you don't want a Meterpreter shell, you can absolutely do this with something like netcat

43
00:03:11,000 --> 00:03:13,310
and get the same type of results.

44
00:03:13,370 --> 00:03:16,440
But for now we're just going to utilize the Meterpreter method.

45
00:03:16,460 --> 00:03:18,050
So we're going to come through here.

46
00:03:18,050 --> 00:03:22,100
I'm going to hit Ctrl+C. I'm going to generate the same thing I did before.

47
00:03:22,100 --> 00:03:27,350
So if you tap up a couple of times you should have the same type of payload. I'm using it to call this

48
00:03:27,350 --> 00:03:33,230
common.exe, and I'm just showing this for proof of concept, since we've already got it on the machine a

49
00:03:33,230 --> 00:03:37,820
few times, but just repeating the process over and over.

50
00:03:37,820 --> 00:03:43,880
Now if you wanted this to not be a windows/meterpreter payload, you could totally do just windows and then

51
00:03:43,880 --> 00:03:50,390
say something like reverse_tcp and do that, and then you would get your shell as well. So you would just

52
00:03:50,390 --> 00:03:53,390
run netcat with that instead of running Meterpreter.

53
00:03:53,390 --> 00:03:58,760
Now I challenge you to try to do that, see if you get a shell back, but we're going to utilize this one

54
00:03:58,760 --> 00:04:02,000
more time, so go ahead and start up your simple server.

55
00:04:02,000 --> 00:04:10,170
I'm going to load this up and navigate out to ten eleven forward at 114, and download

56
00:04:10,190 --> 00:04:11,250
common.exe.

57
00:04:11,510 --> 00:04:19,800
I'm going to save it, and I'm going to actually save it to C:\Program Files\Unquoted Path Service, and then

58
00:04:19,800 --> 00:04:21,770
we're just going to call it common.exe.

59
00:04:21,900 --> 00:04:23,990
Now you can see Common Files is in here.

60
00:04:24,000 --> 00:04:33,190
We're going to trick it and have common.exe go first. Hit save and close that out, and now if we restart

61
00:04:33,190 --> 00:04:39,050
the service, or we actually start the service, you'll see that we go ahead and execute this.

62
00:04:39,050 --> 00:04:47,950
Let's do a cmd.exe, and then I'm just going to say sc start unquotedsvc

63
00:04:51,480 --> 00:04:58,050
and if we check our shell over here, we just got a Meterpreter session. getuid, and you see we are

64
00:04:58,050 --> 00:04:59,740
NT AUTHORITY\SYSTEM.

65
00:04:59,940 --> 00:05:06,810
So we do not have to be anybody here. We can be the regular user, and we're abusing this path because

66
00:05:06,810 --> 00:05:09,990
this path is going to run as SYSTEM when it starts.

67
00:05:10,560 --> 00:05:18,600
So we just took full control of this because of a basic, basic mistake with the path quoting. Now again,

68
00:05:18,600 --> 00:05:23,760
you would expect to see it in the registry here, and you're going to catch this very, very easily with

69
00:05:23,760 --> 00:05:25,320
something like PowerUp.

70
00:05:25,350 --> 00:05:28,160
Now this AWS Lite Agent is actually not intentional.

71
00:05:28,170 --> 00:05:29,190
So don't attack this.

72
00:05:29,190 --> 00:05:34,170
I think this has to do with the labs, but this looks like it could be, on its own, something that we could

73
00:05:34,170 --> 00:05:40,350
write to as well, if this directory was writable. Say it's going out and checking Program Files.

74
00:05:40,350 --> 00:05:40,620
Right.

75
00:05:40,650 --> 00:05:46,620
So we could write maybe to Amazon.exe, or even Program.exe and drop it in C:\. If we could write

76
00:05:46,620 --> 00:05:49,590
to C:\ and put Program.exe there, we might be able to take over this as well.

77
00:05:49,620 --> 00:05:53,760
So think about that when you're thinking through this from here.

78
00:05:53,760 --> 00:05:56,970
Congratulations we've made it through pretty much all of the lab.

79
00:05:56,970 --> 00:06:04,120
What I want to show you really quick is that we have a few down here that are included in this lab that

80
00:06:04,120 --> 00:06:05,770
you can take advantage of.

81
00:06:05,800 --> 00:06:11,920
Now there are the kernel exploits, Hot Potato, and then there's some password mining exercises. We've already

82
00:06:11,920 --> 00:06:15,200
covered all of this, so I'm not going to go back and cover this again.

83
00:06:15,460 --> 00:06:20,470
However, I do encourage you to come through here, click on it, and kind of just follow your way through

84
00:06:20,500 --> 00:06:26,230
and exploit this. Have fun with this lab, complete it all the way through, and enjoy your experience here.

85
00:06:26,380 --> 00:06:31,630
From here we're going to move on, and we're going to actually perform a couple more boxes.

86
00:06:31,630 --> 00:06:37,330
So we're gonna do two more boxes, and we're going to use TryHackMe to do that.

87
00:06:37,330 --> 00:06:41,850
The next box is going to be an unquoted service path escalation.

88
00:06:41,980 --> 00:06:43,690
So great practice.

89
00:06:43,690 --> 00:06:47,610
So we're gonna meet you in the next video and we're going to talk about the next box. So we're gonna

90
00:06:47,630 --> 00:06:49,570
cover that and we'll walk through that one.

91
00:06:49,630 --> 00:06:51,040
So I will see you in the next video.
