1
00:00:00,330 --> 00:00:00,770
All right.

2
00:00:00,770 --> 00:00:05,010
Our scan is back and you can see we have quite a few ports open.

3
00:00:05,030 --> 00:00:12,540
So we've got port 80 open and it looks like a default IIS type page, 139 and 445, and

4
00:00:12,540 --> 00:00:20,630
also 135 for the RPC. So we've got SMB open, we've got 3389 open, we've got this

5
00:00:20,660 --> 00:00:28,680
5985, which says HTTP but I know that to be WinRM, and we've also got port 8080 which says HTTP

6
00:00:28,700 --> 00:00:29,960
File Server.

7
00:00:29,960 --> 00:00:33,320
2.3 HFS file server.

8
00:00:33,320 --> 00:00:43,490
So the HFS is a really, really well-known vulnerable application that I have seen time and time again

9
00:00:43,580 --> 00:00:45,870
on a lot of these Capture the Flag type sites.

10
00:00:45,890 --> 00:00:48,500
So this one just gets my wheels spinning.

11
00:00:48,500 --> 00:00:54,430
However, if you're newer and you don't know that this exists, then you can just say, hey, I see that there's

12
00:00:54,470 --> 00:01:00,370
a file server, I see something here on port 8080, might be worth enumerating. Whereas on port 80,

13
00:01:00,380 --> 00:01:04,400
there's nothing here, we might have to run dirbuster or something along those lines.

14
00:01:04,580 --> 00:01:06,170
139 and 445.

15
00:01:06,170 --> 00:01:08,120
We'd probably look for a service version.

16
00:01:08,120 --> 00:01:14,660
We'll see if there's any type of Samba vulnerability there or if we can enumerate the session or

17
00:01:14,660 --> 00:01:16,440
the shares that are in here.

18
00:01:16,520 --> 00:01:21,500
But for now, when I see something like this, this is kind of where my mind goes, so I'm going to go ahead

19
00:01:21,500 --> 00:01:24,640
and just navigate out to this machine over on port 8080.

20
00:01:24,650 --> 00:01:26,590
And we'll see how this works.

21
00:01:26,690 --> 00:01:34,840
So let's go ahead and just do this and then we'll do port 8080.

22
00:01:34,920 --> 00:01:35,370
All right.

23
00:01:35,370 --> 00:01:39,670
And we are given this page here.

24
00:01:39,960 --> 00:01:43,450
Now, if we see that there is the HFS

25
00:01:43,470 --> 00:01:50,760
2.3, we could quickly just do a search on this, like a searchsploit. We can go into a new window.

26
00:01:50,830 --> 00:01:56,080
And I would just do something like searchsploit and just paste that, see if that comes back, and then I'll

27
00:01:56,080 --> 00:01:57,190
start deleting from it.

28
00:01:57,220 --> 00:01:58,570
That's nothing.

29
00:01:58,570 --> 00:02:03,570
We might try HFS 2 or something along those lines and see if we can find it.

30
00:02:03,740 --> 00:02:09,880
And it does show up as this Rejetto HTTP File Server and then we see a Ruby here.

31
00:02:09,880 --> 00:02:14,950
So Ruby always tells me, hey, we've probably got a Metasploit module.

32
00:02:14,950 --> 00:02:21,940
So what I'll do is I'll just boot up Metasploit, and I do have Metasploit still open and running from

33
00:02:21,940 --> 00:02:22,840
our past.

34
00:02:22,840 --> 00:02:26,910
So I'm going to go ahead and just close that, or get rid of this one here.

35
00:02:27,160 --> 00:02:34,690
And so let's go ahead and just search for HFS and see if it shows up, which it does.

36
00:02:34,720 --> 00:02:41,070
So we have this exploit/windows/http/rejetto and we'll just say use 1 and we'll do info.

37
00:02:41,080 --> 00:02:44,640
We'll make sure that we're actually attacking something that we need to be.

38
00:02:44,980 --> 00:02:45,250
OK.

39
00:02:45,280 --> 00:02:52,980
So this is vulnerable to remote command execution due to a poor regex in the file ParserLib.pas.

40
00:02:53,020 --> 00:02:59,650
So it says this has been tested successfully on HFS 2.3b, bravo, over Windows XP Service

41
00:02:59,650 --> 00:03:02,640
Pack 3, Windows 7 and Windows 8.

42
00:03:02,650 --> 00:03:06,460
Let's see if we have any information on our Windows machine.

43
00:03:06,520 --> 00:03:12,460
It looks like it is a Windows Server 2008 which shouldn't scare us away here.

44
00:03:12,570 --> 00:03:14,550
We are seeing the 2.3.

45
00:03:14,560 --> 00:03:17,120
We're not seeing necessarily that this is a b.

46
00:03:17,170 --> 00:03:21,470
So this may or may not work for us but I think we should give it a go.

47
00:03:21,490 --> 00:03:28,180
So what we'll do is we'll say options and we can see port 8080 is the server port.

48
00:03:28,290 --> 00:03:36,370
RPORT of 80, and what we're gonna do is we're going to just set this up where we say set RPORT

49
00:03:36,790 --> 00:03:37,780
8080.

50
00:03:37,780 --> 00:03:45,520
Because we're not over port 80, and we're also going to provide here the IP address, which is the

51
00:03:45,520 --> 00:03:46,260
RHOST.

52
00:03:46,300 --> 00:03:52,150
So we'll say set RHOSTS to 10.10.148.139.

53
00:03:52,210 --> 00:04:00,490
Make sure that you set your LHOST to tun0 and let's go ahead and run this, see if it works. Sometimes

54
00:04:00,490 --> 00:04:01,830
it doesn't work on the first go.

55
00:04:01,840 --> 00:04:03,350
We'll see if we get lucky here.

56
00:04:05,210 --> 00:04:08,890
And we've got a Meterpreter session.

57
00:04:09,130 --> 00:04:14,090
So hit Enter, wait for this to run through, may or may not delete, it did.

58
00:04:14,090 --> 00:04:19,490
OK, so we'll get our user ID here and you can see we are good old Bill.

59
00:04:19,570 --> 00:04:20,640
So now we're Bill.

60
00:04:20,650 --> 00:04:24,690
We're going to have to do some privilege escalation and see what we can do.

61
00:04:24,730 --> 00:04:30,940
So let's go ahead and pause here. In the next video, what we're gonna do is we're going to take this and

62
00:04:30,940 --> 00:04:34,390
we're going to escalate, or attempt to escalate.

63
00:04:34,930 --> 00:04:40,060
And just a little hint: unquoted service path, if you want to give this a go and see if you can

64
00:04:40,060 --> 00:04:43,000
find the unquoted service path and escalate it that way.

65
00:04:43,030 --> 00:04:43,990
Feel free.

66
00:04:44,110 --> 00:04:46,870
But from here we're gonna do the unquoted service path in the next video.
