1
00:00:00,600 --> 00:00:07,800
All right, so now we are going to compromise this box. We are connected to the VPN. Control B zero,

2
00:00:08,280 --> 00:00:11,640
and it says initialization sequence complete.

3
00:00:12,090 --> 00:00:13,710
And let's just move into the second phase.

4
00:00:13,710 --> 00:00:20,080
I just press control B one to move over to this tab and you can see the star prefix to the tab name.

5
00:00:20,490 --> 00:00:25,920
So let's just start with nmap. Right. sudo nmap, and I'm going to press the right arrow key

6
00:00:25,920 --> 00:00:27,540
to autocomplete where I typed before.

7
00:00:27,840 --> 00:00:29,010
But let me tell you what this does.

8
00:00:29,610 --> 00:00:31,670
So first, nmap scan.

9
00:00:32,280 --> 00:00:32,910
Dash v, verbose.

10
00:00:32,910 --> 00:00:37,170
I want to see everything printed out as it's discovering open ports.

11
00:00:37,590 --> 00:00:42,150
If you leave this off, then you won't necessarily see the ports that are being discovered until after

12
00:00:42,150 --> 00:00:46,800
the scan completes. This gives you sort of a real time discovery of ports as they're being found.

13
00:00:47,510 --> 00:00:48,870
Dash T. This is the speed.

14
00:00:49,050 --> 00:00:50,210
T5 is the fastest.

15
00:00:50,450 --> 00:00:54,840
So since I've got T5, then we think this is going to go by pretty quickly.

16
00:00:55,110 --> 00:01:00,560
Dash Pn means don't ping the host, just assume it's active, because we know it's active because, you know,

17
00:01:00,630 --> 00:01:07,260
we spun it up and we pinged it in the previous lecture. Dash sC: run all the different default scripts.

18
00:01:07,710 --> 00:01:12,930
The scripts are sort of like Nessus. It's sort of like a check that you run against the target

19
00:01:13,650 --> 00:01:14,730
to see if it's vulnerable.

20
00:01:15,360 --> 00:01:18,360
There's a default list of safe scripts and that's what sC does.

21
00:01:18,360 --> 00:01:24,990
And then dash, lowercase s and capital V, does a version check to make sure that, you know, to see

22
00:01:24,990 --> 00:01:26,310
if you can grab the version.

23
00:01:26,640 --> 00:01:28,980
So what I did is I just concatenated both the s

24
00:01:29,340 --> 00:01:35,670
C and the sV together as one flag, but it's actually doing two different tasks here, if that makes

25
00:01:35,670 --> 00:01:36,020
any sense.

26
00:01:36,030 --> 00:01:36,630
I hope it does.

27
00:01:37,770 --> 00:01:39,450
And then here I'm just running a full port scan.

28
00:01:39,660 --> 00:01:41,970
Some people tell you to run like dash p dash.

29
00:01:42,510 --> 00:01:45,110
This is great, except it doesn't scan port zero.

30
00:01:45,120 --> 00:01:48,390
Sometimes port zero is open, in very rare cases, and a lot of people don't know this.

31
00:01:49,080 --> 00:01:50,430
And this is a tip that you learned here.

32
00:01:50,910 --> 00:01:57,510
But that's why I always do dash p zero dash six five five three five, scanning all TCP ports, including

33
00:01:57,510 --> 00:01:58,140
the zero port.

34
00:01:58,680 --> 00:02:01,590
And then I'm going to put it in nmap format to this file.

35
00:02:02,310 --> 00:02:05,850
And I also want to see the reason if it's blocked, and this is the target host.

36
00:02:06,000 --> 00:02:06,270
Right.

37
00:02:07,510 --> 00:02:09,150
And right now I'm running sudo, so

38
00:02:09,150 --> 00:02:12,230
I need to enter my password and then let it run.

39
00:02:12,510 --> 00:02:18,990
Now, while nmap is running, you can actually press the spacebar key to see exactly what's happening.

40
00:02:20,370 --> 00:02:23,850
So you can see here, every time I press spacebar, you can see it's making progress, but it's

41
00:02:23,850 --> 00:02:24,490
running kind of slow.

42
00:02:24,490 --> 00:02:30,660
So let me just go ahead and split the pane. Press control B and then shift quotation mark.

43
00:02:31,290 --> 00:02:35,010
Now, the quotation mark right next to the Enter key is the double quote quotation mark.

44
00:02:35,550 --> 00:02:38,370
And what I want to do now is I just want to do a sudo... whoops.

45
00:02:38,530 --> 00:02:39,570
Sorry about that. Ping.

46
00:02:40,290 --> 00:02:40,560
Right.

47
00:02:40,560 --> 00:02:45,240
Right arrow. I'm going to ping that four times just to make sure. Stop it. So that means we're connecting to the

48
00:02:45,240 --> 00:02:48,120
VPN and the host is actually active. Exit to close.

49
00:02:50,100 --> 00:02:51,570
So we need to let this one go.

50
00:02:51,570 --> 00:02:51,740
Right.

51
00:02:51,750 --> 00:02:54,300
So let's pause here, right, and then I will come back once this scan finishes.

52
00:02:55,630 --> 00:02:55,950
Right.

53
00:02:55,950 --> 00:02:56,920
So the scan finished.

54
00:02:56,950 --> 00:02:58,470
Let's see what we have in this directory.

55
00:03:00,150 --> 00:03:01,020
We have one file.

56
00:03:01,290 --> 00:03:02,400
We can cat this.

57
00:03:03,300 --> 00:03:06,930
Let's see the results. So we can see port one

58
00:03:06,930 --> 00:03:10,710
thirty five is open, eighty five hundred, and forty nine

59
00:03:10,710 --> 00:03:14,620
one fifty four. Judging based on these versions, MSRPC,

60
00:03:14,640 --> 00:03:15,990
this is most likely a Windows box.

61
00:03:16,830 --> 00:03:24,120
Also the TTL. If the TTL is between sixty four and one twenty eight,

62
00:03:24,510 --> 00:03:28,450
it's a Windows machine. If it's less than 64, it's most likely a Linux box.

63
00:03:28,950 --> 00:03:34,080
I mean, if it's above 128, it's usually a device like a network device.

64
00:03:34,470 --> 00:03:38,080
This isn't like cut and dry, but this is typically the case. So

65
00:03:38,100 --> 00:03:39,840
Just a little bit of insight there.

66
00:03:39,840 --> 00:03:43,260
In case you didn't realize that, that's another way you can fingerprint the host.

67
00:03:43,590 --> 00:03:45,060
So let's go and look at this.

68
00:03:45,060 --> 00:03:46,470
Eighty five hundred. Like, what is this?

69
00:03:47,430 --> 00:03:51,960
So I'm going to press control B C, control B comma.

70
00:03:52,680 --> 00:03:53,640
Name this discovery.

71
00:03:54,610 --> 00:03:55,590
Let's take a look at this box.

72
00:03:55,710 --> 00:03:58,950
So nc. Right

73
00:03:58,950 --> 00:04:00,900
arrow. I was trying to connect to this port.

74
00:04:03,330 --> 00:04:08,790
Now if I just, like, you know, type in like help, I was trying to get some idea of what is running on

75
00:04:08,790 --> 00:04:15,390
this port, because nmap, in control B one, wasn't able to identify the version.

76
00:04:15,510 --> 00:04:15,650
Right.

77
00:04:15,750 --> 00:04:16,200
It's empty.

78
00:04:16,590 --> 00:04:21,450
And it says something about FMTP. We could, like, Google that.

79
00:04:22,350 --> 00:04:28,290
But before we do that, I just want to see what we can find out without Googling. That would be too easy.

80
00:04:28,290 --> 00:04:28,810
I typed help.

81
00:04:28,880 --> 00:04:29,850
Nothing's really happening.

82
00:04:31,260 --> 00:04:36,780
You know, it could just be that the box is slow, which is very common in a real life pentest engagement.

83
00:04:36,780 --> 00:04:41,850
Oftentimes you'll have legacy hardware, legacy devices on the network and it can be a pain when you

84
00:04:41,850 --> 00:04:43,620
need to run attacks against them.

85
00:04:43,620 --> 00:04:49,350
And that's why I really like this test and why I really wanted to present this box to you, because

86
00:04:49,350 --> 00:04:52,260
you're going to see this is very much like a real live engagement.

87
00:04:53,010 --> 00:04:54,300
We're going to take it step by step.

88
00:04:54,950 --> 00:04:56,190
I'm going to show you exactly what to do.

89
00:04:56,190 --> 00:04:59,130
So, you know, we're not getting anything back here.

90
00:05:01,270 --> 00:05:05,580
I'm just going to go ahead and terminate this. Control C.

91
00:05:07,210 --> 00:05:09,280
Let's see if we could open up a web browser to it.

92
00:05:09,730 --> 00:05:11,010
So let's go here.

93
00:05:12,550 --> 00:05:14,470
New tab, http://

94
00:05:14,470 --> 00:05:15,400
Ten, ten, ten.

95
00:05:15,830 --> 00:05:16,750
Eleven, eighty.

96
00:05:16,750 --> 00:05:17,830
Five hundred.

97
00:05:19,860 --> 00:05:22,730
Let's see. It's really, really slow.

98
00:05:24,430 --> 00:05:29,460
Now, this is where you will need to have patience because, like I said, in a real engagement,

99
00:05:29,470 --> 00:05:30,640
you can have issues like this.

100
00:05:30,820 --> 00:05:33,120
And one thing we could do is we could try starting up Burp.

101
00:05:33,700 --> 00:05:38,980
I'm actually in incognito mode right now, so I don't have a way of using FoxyProxy to intercept the

102
00:05:38,980 --> 00:05:39,580
request.

103
00:05:39,910 --> 00:05:43,960
So what I'm going to do is press control W to kill this, and kill this as well.

104
00:05:44,430 --> 00:05:49,300
I'm going to go back to Kali, go to the web browser so that it's not in a private tab.

105
00:05:50,140 --> 00:05:55,540
You can see I've got my FoxyProxy thing set up and what I'm going to do is I'm going to click on

106
00:05:56,230 --> 00:05:56,590
Burp.

107
00:05:59,590 --> 00:06:02,500
Proxy my traffic through Burp. The way I have it set up:

108
00:06:02,680 --> 00:06:07,570
if you just go to Google and you search for FoxyProxy,

109
00:06:10,780 --> 00:06:13,450
it's that FoxyProxy.

110
00:06:14,650 --> 00:06:14,980
Right.

111
00:06:15,880 --> 00:06:16,570
Grab that.

112
00:06:20,080 --> 00:06:22,750
And then you just install it. I manually installed it, that's why it says remove.

113
00:06:23,320 --> 00:06:33,550
Once you install it, you click it, you go to Options and then you can click Add. Pick the color, name

114
00:06:33,550 --> 00:06:39,460
it something like my Burp and put the port, which is one twenty seven zero zero one.

115
00:06:39,460 --> 00:06:41,290
Sorry, that's the IP, and the port is eighty eighty.

116
00:06:41,750 --> 00:06:42,470
You click save.

117
00:06:43,130 --> 00:06:44,050
I've already done that.

118
00:06:45,220 --> 00:06:47,230
Which is why you see this. If I click on edit,

119
00:06:49,070 --> 00:06:51,530
you'll see the same. So here now, what I can do.

120
00:06:54,610 --> 00:06:59,500
It's pretty straightforward, so I'm going to close this out and I'm going to go back to Burp.

121
00:07:02,110 --> 00:07:03,010
All right.

122
00:07:06,310 --> 00:07:12,600
So if your font and the settings are like too large or too small, one of the ways to fix it is to go to

123
00:07:12,610 --> 00:07:14,810
User options, Display.

124
00:07:15,580 --> 00:07:16,230
You can change this.

125
00:07:16,240 --> 00:07:18,580
I'm going to scale this down to like 15.

126
00:07:19,000 --> 00:07:22,670
Let's get this down to 15. Quick. OK?

127
00:07:23,890 --> 00:07:25,240
And then close it out.

128
00:07:27,900 --> 00:07:31,860
Yep, click Burp again. Done, I fixed it.

129
00:07:34,320 --> 00:07:34,740
There we go.

130
00:07:34,750 --> 00:07:36,790
That's better. Next, start Burp.

131
00:07:38,910 --> 00:07:39,750
That's a lot better.

132
00:07:40,050 --> 00:07:41,850
So again, I go to Proxy, Options.

133
00:07:41,860 --> 00:07:45,430
I want to make sure that I'm intercepting requests as well as server responses.

134
00:07:46,080 --> 00:07:48,960
Make sure that intercept is disabled.

135
00:07:49,440 --> 00:07:51,980
And then I go to Target.

136
00:07:51,990 --> 00:07:52,770
You know, look here.

137
00:07:52,980 --> 00:07:58,320
And the reason I took the intercept off is because when it intercepts the request, it actually stops

138
00:07:58,590 --> 00:08:00,060
the flow of the Web traffic.

139
00:08:00,060 --> 00:08:01,020
And I don't want to do that.

140
00:08:01,020 --> 00:08:06,310
I just want all the traffic to flow through to the Target tab so it automatically maps out passively,

141
00:08:06,330 --> 00:08:08,600
passively maps out the target.

142
00:08:08,910 --> 00:08:12,000
You'll see what I'm talking about in a moment.

143
00:08:12,180 --> 00:08:12,840
Let's go back here.

144
00:08:14,880 --> 00:08:19,860
Let's go to our domain, 10.10.10.11, 8500.

145
00:08:21,060 --> 00:08:23,770
We're going through Burp now.

146
00:08:23,770 --> 00:08:29,060
It should be going through Burp. So again, go back to check on the Target tab.

147
00:08:29,890 --> 00:08:31,200
Sometimes it takes a moment to filter.

148
00:08:31,200 --> 00:08:32,340
And so you just have to be patient.

149
00:08:35,180 --> 00:08:35,730
Sweet, sweet.

150
00:08:35,840 --> 00:08:37,140
Now, we have a result here.

151
00:08:37,160 --> 00:08:40,190
Looks like it's just an index, a directory index.

152
00:08:40,190 --> 00:08:43,190
So this, of course, if this were a real engagement, this would be a finding where you don't want to

153
00:08:43,190 --> 00:08:46,340
have this exposed to the outside.

154
00:08:47,090 --> 00:08:47,240
Right.

155
00:08:47,240 --> 00:08:51,820
Click. Sorry, I hit alt-tab.

156
00:08:51,830 --> 00:08:55,670
It brings me here and you can see now the site map is starting to build itself out.

157
00:08:56,840 --> 00:08:57,110
Right.

158
00:08:57,740 --> 00:09:01,040
So go ahead, and I'll alt-tab back, explore some things.

159
00:09:01,220 --> 00:09:03,800
Let's go to CFIDE. Documents,

160
00:09:03,810 --> 00:09:04,520
it's like just docs.

161
00:09:04,520 --> 00:09:07,100
I don't care about docs, but this sounds interesting.

162
00:09:08,570 --> 00:09:10,210
And again, this is really slow.

163
00:09:10,370 --> 00:09:10,790
You know.

164
00:09:11,370 --> 00:09:17,360
You know, if this were a real life engagement, that's often something that you will encounter.

165
00:09:17,690 --> 00:09:21,980
And attackers don't care if the server is slow. If the server has sensitive data that they would like to

166
00:09:21,980 --> 00:09:29,390
expose or leak to the Internet, or possibly bribe the target organization by saying, we've got your data,

167
00:09:29,390 --> 00:09:31,760
sort of like ransomware, they don't care.

168
00:09:31,910 --> 00:09:33,890
They have unlimited resources and unlimited time.

169
00:09:34,790 --> 00:09:37,240
So this is very real world.

170
00:09:38,660 --> 00:09:39,580
So just try to be patient.

171
00:09:40,010 --> 00:09:42,370
I know it's annoying, right?

172
00:09:42,530 --> 00:09:45,200
It's finally loaded and we can see a bunch of different files here.

173
00:09:45,890 --> 00:09:52,460
Wizards. You know, it has nothing to do with magical hats and staffs. This most likely

174
00:09:52,460 --> 00:09:56,700
has to do with setup wizards, installation scripts. Images. Administrator.

175
00:09:56,800 --> 00:09:57,430
Again.

176
00:09:57,440 --> 00:09:58,700
This would also be a finding.

177
00:09:58,700 --> 00:10:02,090
So, you know, what you would want to do in real life:

178
00:10:02,090 --> 00:10:07,760
you would hit the Windows key, Screenshot, right now.

179
00:10:07,760 --> 00:10:14,120
You'd want to take a screenshot of this, maybe select a region, click OK, and then just pretty

180
00:10:14,120 --> 00:10:20,300
much copy this to a clipboard or whatever and then paste it into some document that you would

181
00:10:20,300 --> 00:10:21,020
send to the client.

182
00:10:21,830 --> 00:10:24,650
But I'm going to click on administrator because that looks very interesting.

183
00:10:26,780 --> 00:10:28,960
I know what we can do as well while this thing loads.

184
00:10:29,360 --> 00:10:33,710
Oh, by the way, did you notice now that the site map is starting to get built out as we continue

185
00:10:33,710 --> 00:10:35,180
to browse different parts of the application.

186
00:10:35,690 --> 00:10:40,400
While we wait for that, let's go back to the web app and you can see it's loading something here.

187
00:10:40,400 --> 00:10:41,720
So this is interesting.

188
00:10:42,050 --> 00:10:44,330
We're at some login prompt. There's a couple of things we can do here.

189
00:10:44,570 --> 00:10:49,330
Since the application is so slow, brute forcing this path is probably not going to be a good idea, but

190
00:10:49,340 --> 00:10:51,590
we could try like admin admin to try to get in that way.

191
00:10:52,700 --> 00:10:56,000
If we press control U, we can scroll through.

192
00:10:56,000 --> 00:11:04,280
And I'd like to do control F, less-than sign, bang, dash dash, to look at all the comments, OK,

193
00:11:04,350 --> 00:11:07,430
because sometimes comments will give you credentials, you know, leaks, stuff like that,

194
00:11:07,450 --> 00:11:08,090
in the source code.

195
00:11:08,660 --> 00:11:09,620
I don't see any of that here.

196
00:11:09,920 --> 00:11:12,260
Let's go ahead and do a search for, like, password.

197
00:11:15,620 --> 00:11:16,790
OK, so there's a couple of things here.

198
00:11:16,790 --> 00:11:17,960
Now, this is kind of interesting.

199
00:11:18,890 --> 00:11:19,790
It's a login form.

200
00:11:20,090 --> 00:11:25,610
Looks like when you submit the request, it sends a POST request, which is normal, but it takes the

201
00:11:25,610 --> 00:11:36,830
value of this field, cfadminPassword, which, if I... let's see here, if I duplicate this tab, alt-tab,

202
00:11:38,200 --> 00:11:40,400
that is essentially just the password field.

203
00:11:40,970 --> 00:11:48,500
And what it's doing is it is actually taking that value, running it through a SHA-1 algorithm

204
00:11:49,580 --> 00:11:55,640
that is seeding it with a salt value and then running it into an HMAC, which is

205
00:11:55,640 --> 00:12:01,670
sort of like a shasum, but it also includes a key so that

206
00:12:01,670 --> 00:12:08,030
the client can actually authenticate the authenticity of the device that it's authenticating

207
00:12:08,030 --> 00:12:08,480
against.

208
00:12:09,080 --> 00:12:12,410
So, you know, all this stuff is happening inside.

209
00:12:12,410 --> 00:12:15,620
It's happening on the client in the browser.

210
00:12:15,620 --> 00:12:16,310
It's not on the server.

211
00:12:16,310 --> 00:12:20,990
So this might be something we can manipulate later. If we do a search for salt,

212
00:12:21,920 --> 00:12:25,880
you can see there's a hidden form field that includes the value. Its value

213
00:12:25,880 --> 00:12:30,920
Might change every time, but it doesn't matter because we might be able to use this to our advantage.

214
00:12:30,920 --> 00:12:38,320
So let's just keep this in the back of our heads, that the client is running these HMACs and shasums

215
00:12:38,330 --> 00:12:43,910
against the password field. That could be to our... we could use that to our advantage a little

216
00:12:43,910 --> 00:12:44,360
bit later.

217
00:12:45,110 --> 00:12:45,920
So let's go back here.

218
00:12:46,610 --> 00:12:47,570
And if I right

219
00:12:47,570 --> 00:12:53,780
click and I press Q, inspect the element, I can see it is named cfadmin.

220
00:12:55,040 --> 00:12:56,780
That's my best estimate.

221
00:12:57,680 --> 00:13:03,200
So what we can do now is we can first alt-tab, we can Google like, you know,

222
00:13:06,200 --> 00:13:07,730
default Adobe passwords.

223
00:13:07,730 --> 00:13:07,970
Right.

224
00:13:08,480 --> 00:13:19,160
Google default Adobe ColdFusion password, see if we get any hits.

225
00:13:20,600 --> 00:13:23,600
You know, I'm not really seeing anything here.

226
00:13:24,710 --> 00:13:27,860
Another thing we could do is... here's something here.

227
00:13:27,860 --> 00:13:30,470
This is ColdFusion hacking, looks like this.

228
00:13:30,470 --> 00:13:31,700
This might give you something interesting.

229
00:13:32,630 --> 00:13:33,020
Let's see.

230
00:13:33,020 --> 00:13:33,770
Logging in.

231
00:13:35,750 --> 00:13:39,500
This is kind of the form field that we had, right, and it's telling us that we might be able to log

232
00:13:39,500 --> 00:13:44,990
in and log into this device without even knowing the password.

233
00:13:45,920 --> 00:13:49,700
So let's keep this in the back of our heads and let's look at what version we're running.

234
00:13:49,700 --> 00:13:51,100
We're running ColdFusion version eight.

235
00:13:51,900 --> 00:13:55,640
First thing I would do is just searchsploit, to see if there's any known exploits against this

236
00:13:55,640 --> 00:13:59,180
version of ColdFusion. Alt-tab.

237
00:14:00,630 --> 00:14:08,470
Let's go out and press control B C, and then we can name it, control B comma, exploit. Then

238
00:14:08,480 --> 00:14:13,520
searchsploit dash h, and see what we can do here.

239
00:14:13,910 --> 00:14:15,680
And you can see there's an update option.

240
00:14:15,680 --> 00:14:18,560
So sudo searchsploit. You should always update it.

241
00:14:18,560 --> 00:14:20,270
First, update.

242
00:14:25,160 --> 00:14:31,120
searchsploit dash u. Finished. Up twice to see what we can do here.

243
00:14:31,130 --> 00:14:37,420
Let's just do a search for ColdFusion.

244
00:14:39,260 --> 00:14:39,680
All right.

245
00:14:39,680 --> 00:14:44,810
So we get a couple of hits. searchsploit coldfusion 8. 9, 8, different versions.

246
00:14:45,170 --> 00:14:45,530
Right.

247
00:14:45,860 --> 00:14:46,580
Let's just do it.

248
00:14:50,110 --> 00:14:56,020
So the first thing I see is cross-site scripting, not really relevant here because this requires the

249
00:14:56,020 --> 00:15:00,790
victim to interact with the target website.

250
00:15:00,800 --> 00:15:04,170
This is, in fact, a box, and it doesn't actually have that ability.

251
00:15:04,210 --> 00:15:07,840
There's no real user interacting with it except for us, the attacker.

252
00:15:08,440 --> 00:15:09,910
So let's look at this directory traversal.

253
00:15:10,790 --> 00:15:12,550
The second thing is a Python script.

254
00:15:12,580 --> 00:15:20,080
So what I can do is I can select this and, right

255
00:15:20,080 --> 00:15:28,450
click, copy selection. searchsploit dash x to examine. Control shift V to paste

256
00:15:28,450 --> 00:15:31,180
it in and erase that extra part.

257
00:15:32,650 --> 00:15:38,710
And now we can see something really cool. It's sending this GET request to give us access to this password

258
00:15:39,820 --> 00:15:40,220
file.

259
00:15:41,500 --> 00:15:48,470
And this might be able to... it says Adobe ColdFusion unspecified directory traversal vulnerability.

260
00:15:48,490 --> 00:15:54,550
Might be able to get us access to the device, or the application, as an administrator.

261
00:15:55,660 --> 00:15:59,740
This Python script, what it basically does is send that request to the host on the port.

262
00:16:00,400 --> 00:16:06,010
It sends the post request and then it just keeps looping until it gets all the data back from the device

263
00:16:07,840 --> 00:16:08,800
and then that's pretty much it.

264
00:16:08,830 --> 00:16:11,230
So the important part is this part here.

265
00:16:11,350 --> 00:16:14,200
I'm going to right click, copy, alt-tab.

266
00:16:14,980 --> 00:16:17,560
Go back here and control shift V.

267
00:16:18,310 --> 00:16:25,780
Let's substitute server for 10.10.10.11:8500 because that's our device.

268
00:16:25,990 --> 00:16:28,570
Let's see what we get back.

269
00:16:33,240 --> 00:16:38,430
Interesting, and now that it returned about 30 seconds later, it's showing us something. This is the password

270
00:16:38,430 --> 00:16:43,200
file, and we have some kind of hash. Since the admin user can be modified, this is probably the administrator

271
00:16:43,200 --> 00:16:46,110
password and it looks like it's hashed. We can figure that out.

272
00:16:46,200 --> 00:16:51,040
If we select it, right click, copy, alt-tab back to this, Q to get out.

273
00:16:51,540 --> 00:16:58,650
Let's just do hash-identifier and let's just paste it in there.

274
00:16:58,660 --> 00:16:59,400
Control shift V.

275
00:17:01,260 --> 00:17:03,180
You can see that this is a SHA-1 hash.

276
00:17:03,420 --> 00:17:13,530
Another way to do that is to do echo, I think dash n, control shift V, pipe to wc to work out the number of characters.

277
00:17:13,870 --> 00:17:17,890
You can see it's 40 characters and that actually corresponds with the hash.

278
00:17:17,890 --> 00:17:21,780
So now we have the administrator hash, and you might think, oh sweet, let's just log in with it.

279
00:17:22,560 --> 00:17:23,990
Unfortunately it's not that easy.

280
00:17:24,000 --> 00:17:29,640
You can't just log in with this hash, but what we could do is we could Google it to see if someone's already

281
00:17:29,640 --> 00:17:30,150
cracked it.

282
00:17:30,780 --> 00:17:40,890
So if I go here to Google and... let's go and alt-tab, alt-tab back to Google, paste the hash

283
00:17:40,960 --> 00:17:44,400
there and you can see the password is happyday, right?

284
00:17:45,720 --> 00:17:47,550
So control W closes that.

285
00:17:47,910 --> 00:17:49,470
Let's just try happyday.

286
00:17:50,020 --> 00:17:50,610
And if we.

287
00:17:50,610 --> 00:17:50,850
Right.

288
00:17:50,850 --> 00:17:52,620
Click, press Q.

289
00:17:55,310 --> 00:17:57,680
I want to show you that's actually what we typed in here.

290
00:17:58,320 --> 00:17:59,450
We see the type says password.

291
00:17:59,480 --> 00:18:02,600
That's why the password is being masked. Change it to text.

292
00:18:03,710 --> 00:18:07,970
Now I can see the password right there, and I'm going to click submit.

293
00:18:08,330 --> 00:18:09,010
Let's see if we get it.

294
00:18:10,940 --> 00:18:14,570
No, I don't know why. It just changed the password back to a hash. Could be that that's what's being

295
00:18:14,570 --> 00:18:16,220
sent over the wire.

296
00:18:16,220 --> 00:18:16,790
So if I right.

297
00:18:16,790 --> 00:18:19,640
click... sorry, it just timed out.

298
00:18:19,930 --> 00:18:20,870
Let's go and try it again.

299
00:18:21,110 --> 00:18:28,880
If I alt-tab back to Burp and I go to HTTP history and look at the POST request, you could see here

300
00:18:30,830 --> 00:18:35,000
that it's trying to send this, right? If you

301
00:18:35,010 --> 00:18:35,180
right

302
00:18:35,180 --> 00:18:39,980
click this and go to Copy, and see if you can figure out what this is.

303
00:18:43,190 --> 00:18:49,580
I'm not going to find it because, remember, the client... on the client side it's taking that

304
00:18:49,580 --> 00:18:50,000
hash.

305
00:18:50,640 --> 00:18:53,840
It's taking the password, running it through a hash, and then it's using a random salt and combining

306
00:18:53,840 --> 00:18:56,900
that with the HMAC value, which is then being sent.

307
00:18:56,910 --> 00:19:01,430
So you're not going to see this value correspond to anything on the Internet.

308
00:19:03,020 --> 00:19:05,090
So it looks like the page is still having a difficult time loading.

309
00:19:05,100 --> 00:19:07,970
Let's just make sure that our virtual machine is still active.

310
00:19:08,420 --> 00:19:12,140
Alt-tab. Ping. Right

311
00:19:12,140 --> 00:19:19,520
arrow to the IP, dash c, count four times, and it's still there. You can actually see through the terminal background

312
00:19:19,520 --> 00:19:23,000
that the login page is actually displayed.

313
00:19:23,000 --> 00:19:29,780
So type happyday, enter. Let's see if this gets the same. Notice

314
00:19:29,780 --> 00:19:38,750
I disabled the proxy because I didn't want to slow anything down unnecessarily, because it's

315
00:19:38,750 --> 00:19:39,430
already pretty slow.

316
00:19:43,340 --> 00:19:46,520
Interestingly enough, we could probably see what's being sent if we go to Developer

317
00:19:46,520 --> 00:19:49,790
Tools. Let's see, Network.

318
00:19:54,790 --> 00:19:57,100
You go here, you look at.

319
00:20:01,440 --> 00:20:05,940
Sometimes you can actually see the headers of the request that's being sent, and I just want to see if it

320
00:20:05,940 --> 00:20:09,990
was actually hashing that password, happyday, and sending it with the salt.

321
00:20:11,250 --> 00:20:14,340
But it looks like the application is running a little bit too slow for that to happen right now.

322
00:20:19,640 --> 00:20:20,140
Here we go.

323
00:20:20,240 --> 00:20:27,620
You see the GET requests that were sent. Do we actually have a POST request?

324
00:20:30,150 --> 00:20:34,440
So it could just be that I opened up the developer tools after the POST request was already

325
00:20:34,440 --> 00:20:34,700
sent.

326
00:20:35,160 --> 00:20:35,880
It doesn't really matter

327
00:20:39,030 --> 00:20:41,950
if it is the POST, there's no question here.

328
00:20:41,980 --> 00:20:42,450
Looks like.

329
00:20:46,520 --> 00:20:50,850
Yeah, so anyway, we have logged into the application, which is good.

330
00:20:50,870 --> 00:20:56,900
I was just checking here to see if there's a way to look for POST requests, because I wanted to see

331
00:20:56,900 --> 00:21:04,310
if we could see the password that was being sent, that was actually being hashed.

332
00:21:04,520 --> 00:21:04,930
But it's OK.

333
00:21:04,940 --> 00:21:06,770
We don't need that because it's out.

334
00:21:08,810 --> 00:21:11,320
And let's go to stuff here.

335
00:21:11,330 --> 00:21:12,110
So we're logged in.

336
00:21:12,440 --> 00:21:13,340
What are we going to do?

337
00:21:13,760 --> 00:21:15,580
Well, this application is really slow, right?

338
00:21:15,590 --> 00:21:17,690
So we want to be very careful with it.

339
00:21:18,440 --> 00:21:21,020
You know, we could click through security in the different pages.

340
00:21:21,020 --> 00:21:27,480
Like administrator is probably a place to reset your password from, judging by the name of the resource

341
00:21:27,740 --> 00:21:28,550
admin password.

342
00:21:29,580 --> 00:21:31,700
So we've got a couple things here.

343
00:21:32,750 --> 00:21:33,590
Server settings.

344
00:21:35,990 --> 00:21:37,110
Let's see, mappings.

345
00:21:37,760 --> 00:21:38,990
What's that, mappings?

346
00:21:38,990 --> 00:21:39,900
I just control clicked it.

347
00:21:43,830 --> 00:21:49,710
All right, so mappings loaded and there's a couple of different things here, interestingly enough, I

348
00:21:49,710 --> 00:21:51,090
might be able to browse the server.

349
00:21:52,920 --> 00:21:54,540
Doesn't look like we're able to do that.

350
00:21:56,360 --> 00:22:01,910
Because you have Java enabled, there's some buttons over here, if I press control minus, you can

351
00:22:01,910 --> 00:22:05,060
see I can zoom out and see what that was, control zero to go back to normal.

352
00:22:05,450 --> 00:22:11,420
Let's go back and see that there are a couple of mappings here.

353
00:22:11,450 --> 00:22:14,380
This looks like this is the directory for the website.

354
00:22:14,540 --> 00:22:17,300
So that's going to probably play a role later.

355
00:22:18,500 --> 00:22:19,940
So this is, of course, not good.

356
00:22:19,940 --> 00:22:21,980
You don't want to have this exposed to the world.

357
00:22:23,300 --> 00:22:29,620
If we go back to administrator and see some other stuff in here, we go down to scheduled tasks.

358
00:22:29,920 --> 00:22:33,490
This might be a way for us to get something executed, you know, on a server.

359
00:22:33,500 --> 00:22:34,040
That's what we want.

360
00:22:34,040 --> 00:22:35,110
We want code execution.

361
00:22:35,130 --> 00:22:36,110
We're trying to get a shell.

362
00:22:36,110 --> 00:22:39,020
We're trying to breach this web server.

363
00:22:39,920 --> 00:22:40,540
It's a compromise.

364
00:22:40,550 --> 00:22:49,250
And so our initial access technique might be to, you know, upload some malicious file here.

365
00:22:50,780 --> 00:22:52,220
So this scheduled tasks.

366
00:22:54,140 --> 00:22:58,230
See what we can do here, St. Louis special task and why we thought.

367
00:22:58,340 --> 00:23:05,690
Let's see if there's another method of getting code execution on this box if we do search.

368
00:23:05,720 --> 00:23:12,440
Boy, to stick up a little bit of ColdFusion, wait and see what we have.

369
00:23:12,540 --> 00:23:15,950
We know there are some uploads like this arbitrary file upload.

370
00:23:17,290 --> 00:23:18,540
It's what else?

371
00:23:18,560 --> 00:23:20,120
Cross-site scripting, cross-site scripting.

372
00:23:21,470 --> 00:23:23,930
I've got this one here, upload and execute.

373
00:23:24,110 --> 00:23:27,650
There's probably a way of uploading something and getting code execution.

374
00:23:29,130 --> 00:23:30,080
What can we do?

375
00:23:30,830 --> 00:23:34,280
We could look at the script even though we're going to try to avoid using it at this point.

376
00:23:34,280 --> 00:23:35,090
We can still look at it.

377
00:23:35,780 --> 00:23:42,740
So we see that this is one six seven eight eight six point twenty six one six, seven, eight.

378
00:23:44,600 --> 00:23:46,520
And let's go ahead and scroll down a little bit.

379
00:23:49,660 --> 00:23:56,440
You can see, look at the exploit part for generating a random file with a .txt extension, so this might

380
00:23:56,440 --> 00:24:01,420
mean we might be able to use msfvenom to generate our own shell so that we can bypass the display

381
00:24:01,420 --> 00:24:02,110
and get around that.

382
00:24:03,190 --> 00:24:04,630
But it's the JSP file.

383
00:24:05,530 --> 00:24:07,600
And what is it doing here?

384
00:24:07,630 --> 00:24:08,290
Let's see.

385
00:24:10,360 --> 00:24:11,260
Setting some headers.

386
00:24:12,310 --> 00:24:19,810
So it's X, that's Java Dash archive, and then it's creating the file in the path that includes that

387
00:24:19,810 --> 00:24:21,370
random filename, .txt.

388
00:24:22,090 --> 00:24:27,330
And that looks like it's actually trying to upload it to this particular folder.

389
00:24:28,250 --> 00:24:36,500
Hurtful things could just be the root of the device and it just doesn't stand up, and then you can

390
00:24:36,500 --> 00:24:38,770
see here, this is when it tries to execute the shell.

391
00:24:39,770 --> 00:24:43,550
You know, whenever you upload a web shell, you need to find a way of executing it, which means you

392
00:24:43,550 --> 00:24:47,990
need to find a way to browse into the file path of that resource

393
00:24:47,990 --> 00:24:48,530
you uploaded.

394
00:24:48,860 --> 00:24:52,610
So here you can see this is how it's getting there.

395
00:24:52,820 --> 00:24:53,190
Right.

396
00:24:54,110 --> 00:24:57,650
And then page, you do forward slash page.

397
00:25:00,290 --> 00:25:01,210
This is where it's coming from.

398
00:25:04,670 --> 00:25:10,460
All right, and again, you know, if you notice that everything is just dying and nothing is working,

399
00:25:10,820 --> 00:25:15,950
you know, it's just reset the VM, which is what I think I will do in this case because it's just not

400
00:25:15,950 --> 00:25:16,430
functional.

401
00:25:21,580 --> 00:25:29,190
All right, so we got into the scheduled tasks, where we can create one with its own name, start date and time,

402
00:25:29,190 --> 00:25:36,400
and really we care about that URL, oh, we want to use it to download our shell.

403
00:25:36,790 --> 00:25:40,570
So the plan here is we're going to actually create a shell and have it connect back to us.

404
00:25:40,600 --> 00:25:41,340
Let me tell you what I mean.

405
00:25:42,700 --> 00:25:50,410
So what we can do is we can put in the IP address of the attacker's machine here and essentially get

406
00:25:50,410 --> 00:25:51,120
some communication.

407
00:25:51,130 --> 00:26:02,770
So if we put the same, we put in, you know, the attacker's IP here, attacker, well, that's really sloppy.

408
00:26:03,760 --> 00:26:08,650
And then we have like shell.jsp.

409
00:26:09,460 --> 00:26:09,790
Right.

410
00:26:10,330 --> 00:26:14,440
So we can have this web application which is here.

411
00:26:14,470 --> 00:26:15,550
Let's call this ColdFusion.

412
00:26:16,770 --> 00:26:28,890
ColdFusion can reach out to our box, the attacker, and download this JSP app and save it, so we can basically

413
00:26:28,890 --> 00:26:35,850
say save, output to a file, I can save it here, which is the webroot of the application.

414
00:26:36,090 --> 00:26:40,230
And then once it saves that, it can execute it in memory and return the shell back to our attacker

415
00:26:40,230 --> 00:26:40,590
box.

416
00:26:40,890 --> 00:26:42,690
So that's basically what we're doing here.

417
00:26:42,690 --> 00:26:48,660
We're just going to go ahead and generate the shell and then host it on our attacker box and then execute

418
00:26:48,920 --> 00:26:49,030
it.

419
00:26:50,130 --> 00:26:57,120
So let's get our attacker IP, our attacker IP with the IP, a cabinet time in zero.

420
00:26:57,660 --> 00:27:06,150
We see we're at 10, 10, 15, 20 to 10, 10, 14, 22 shell.jsp.

421
00:27:07,260 --> 00:27:13,740
And then the final path will say the output to a file paste in the path of our mappings where we want

422
00:27:13,740 --> 00:27:14,220
to upload it.

423
00:27:23,830 --> 00:27:24,890
All right, very cool.

424
00:27:24,910 --> 00:27:25,540
That looks good.

425
00:27:26,830 --> 00:27:29,470
Now, of course, we're going to have to actually create this file.

426
00:27:29,890 --> 00:27:33,280
So let's submit this now while we wait for this to connect.

427
00:27:33,310 --> 00:27:34,750
Let's go ahead and generate this payload

428
00:27:38,260 --> 00:27:41,980
control B, C until the comma.

429
00:27:42,010 --> 00:27:54,040
And we call it exploit dev so we can use msfvenom then to create our payload after studying for the

430
00:27:54,040 --> 00:27:54,570
OSCP.

431
00:27:54,610 --> 00:27:56,440
You can also use msfvenom on the test.

432
00:27:57,340 --> 00:27:59,620
So this can also help you.

433
00:28:00,160 --> 00:28:03,520
So we're going to do sort of this example, right.

434
00:28:05,830 --> 00:28:07,980
Let's go to msfvenom with a payload.

435
00:28:08,110 --> 00:28:12,670
We need to see a list of all the payloads so that we can know which ones to use.

436
00:28:13,150 --> 00:28:18,700
If you remember, we discovered that it's a JSP payload from the Metasploit exploit.

437
00:28:19,390 --> 00:28:22,060
So, you know, if we go back to three here.

438
00:28:27,360 --> 00:28:30,040
You can see here that they're actually creating this JSP page, right?

439
00:28:30,610 --> 00:28:36,350
So she was to exert that control the four and we know that's what we want.

440
00:28:36,370 --> 00:28:37,630
So let's go ahead and do sudo.

441
00:28:37,630 --> 00:28:38,410
And that's something that.

442
00:28:39,460 --> 00:28:42,720
And list payloads.

443
00:28:47,850 --> 00:28:50,330
And let's go ahead and grep jsp,

444
00:28:54,240 --> 00:28:55,400
so we want to do a reverse shell.

445
00:28:55,600 --> 00:29:01,980
This means the target for the victim machine to connect back to us, the attacker.

446
00:29:02,910 --> 00:29:06,320
So this is all we're going to do this on purpose.

447
00:29:06,780 --> 00:29:12,720
Let's go to press control you to end it, control the shift, questionmark.

448
00:29:13,030 --> 00:29:14,940
Then we can try to split the pane with control

449
00:29:14,940 --> 00:29:21,000
B, holding that control and pressing the down arrow to make the bottom bit smaller, then what we can

450
00:29:21,000 --> 00:29:31,230
do is we can do msfvenom and here we can build our query here in the, of the payload

451
00:29:34,920 --> 00:29:44,100
that we can just paste the same copy to the back.

452
00:29:44,850 --> 00:29:45,270
And I just.

453
00:29:45,280 --> 00:29:45,450
Right.

454
00:29:45,450 --> 00:29:49,530
Clicked it all the way to the right area because I already started typing this before.

455
00:29:49,980 --> 00:29:51,960
So the format we're going to want to use is raw.

456
00:29:51,990 --> 00:29:58,140
How did I know that? Press control B up arrow to go back here to the top, pick that up ever again,

457
00:29:58,590 --> 00:30:01,500
to go back to the help file and see that there's a format.

458
00:30:01,500 --> 00:30:01,800
Right.

459
00:30:02,710 --> 00:30:08,760
And if we did sudo msfvenom, then list formats,

460
00:30:11,900 --> 00:30:13,290
you can see there's several options.

461
00:30:15,970 --> 00:30:16,300
Right.

462
00:30:16,660 --> 00:30:24,310
If you do control B and then the left bracket, which is usually to the right of the letter P, I can actually

463
00:30:24,310 --> 00:30:27,790
use the arrow keys and page up to go back through my history.

464
00:30:28,780 --> 00:30:30,700
So you can see these are different format values.

465
00:30:30,700 --> 00:30:32,200
This jar's is everything else.

466
00:30:32,740 --> 00:30:38,250
And we're just going to use raw because it is the easiest to work with.

467
00:30:38,980 --> 00:30:39,290
Right.

468
00:30:39,580 --> 00:30:39,850
All right.

469
00:30:39,850 --> 00:30:42,440
Here, it's Q to exit out of that.

470
00:30:43,240 --> 00:30:49,660
Then we have out; if I go back to the help file you can see that out is the resulting name.

471
00:30:50,290 --> 00:30:56,610
You have the name of our shell, that's JSP, because that's what we put in the scheduled task in this.

472
00:30:56,680 --> 00:30:58,720
It seems to be our actual IP address.

473
00:30:58,750 --> 00:31:04,060
So control B question mark and actually split it vertically.

474
00:31:04,420 --> 00:31:07,990
So control B percent, ip a, grep.

475
00:31:09,190 --> 00:31:16,090
And now we can see that we are at 10.10.14.22, exit, 10.10.14.22.

476
00:31:17,050 --> 00:31:17,770
And that looks good.

477
00:31:17,780 --> 00:31:21,250
We can use this port and get us what we need.

478
00:31:22,250 --> 00:31:23,830
Let's go ahead and run it through.

479
00:31:32,320 --> 00:31:37,470
This should generate the payload for us, which will be up at.

480
00:31:40,000 --> 00:31:45,240
And if we cat that JSP, you can see this is our shell, sweet.

481
00:31:46,940 --> 00:31:51,490
So now we've got our task created finally here and we've got a couple of things.

482
00:31:51,490 --> 00:31:52,020
We can delete it.

483
00:31:52,030 --> 00:31:52,780
We don't want to do that.

484
00:31:52,780 --> 00:31:53,410
We can edit it.

485
00:31:53,440 --> 00:31:54,280
We don't want to do that.

486
00:31:54,590 --> 00:31:57,070
The compositing want to run it before we run.

487
00:31:57,110 --> 00:31:57,990
Remember what we have to do.

488
00:31:58,390 --> 00:32:03,340
We need to host a web server on our local box so that this application can download it from our machine.

489
00:32:04,240 --> 00:32:05,050
Once it's downloaded,

490
00:32:05,450 --> 00:32:08,430
It will essentially execute the file.

491
00:32:08,860 --> 00:32:16,120
and then by following the code inside the file, it will initiate a connection to us on the port that

492
00:32:16,120 --> 00:32:19,620
we designated, which is actually port 443.

493
00:32:20,110 --> 00:32:20,470
All right.

494
00:32:20,470 --> 00:32:22,330
So let's go ahead and start that up.

495
00:32:22,570 --> 00:32:26,530
So we're going to use rlwrap to catch the shell.

496
00:32:27,070 --> 00:32:33,910
So we start sudo rlwrap and then nc -nlvp 443, that's going to be a great place for

497
00:32:33,910 --> 00:32:40,290
us to catch a shell; you could just do sudo nc -nlvp 443 as well.

498
00:32:40,730 --> 00:32:47,500
The reason I use rlwrap is because for Windows, if you pass netcat through rlwrap, you actually get the

499
00:32:49,630 --> 00:32:54,610
describe this, but you basically can press the up and down arrow keys and go back through history.

500
00:32:55,390 --> 00:33:00,780
The n means don't resolve names, the v means verbose, l means listen and p is the port.

501
00:33:00,790 --> 00:33:01,660
We want to listen on this port.

502
00:33:01,690 --> 00:33:07,590
OK, so we're just waiting for connection on any interfaces on this on this port though.

503
00:33:08,090 --> 00:33:12,660
Now that's going to be for our shell. Control B percent.

504
00:33:13,000 --> 00:33:20,390
We need to also host our web server so that we can serve up the file that we created, right, the shell

505
00:33:20,630 --> 00:33:28,030
JSP, so we can do sudo python3 -m http.server 80.

506
00:33:31,990 --> 00:33:32,110
Right.

507
00:33:32,170 --> 00:33:35,770
So now we are listening on all interfaces, operating rights and how we should be good to go.

508
00:33:36,200 --> 00:33:40,840
Let's just go ahead and run it and let's see what happens.

509
00:33:41,050 --> 00:33:41,950
We should get a shell back.

510
00:33:42,640 --> 00:33:43,590
It's going to take a while.

511
00:33:43,990 --> 00:33:49,470
Remember, according to the exploit just running, this isn't going to give us a shell, right?

512
00:33:49,480 --> 00:33:51,730
We're going to have to actually execute the shell.

513
00:33:52,180 --> 00:33:57,430
So if we go back to control B three to exploit, let's go back up to it again.

514
00:34:01,600 --> 00:34:07,810
You can see that we're going to have to find it, which it looks like it's here.

515
00:34:08,290 --> 00:34:08,620
Right.

516
00:34:10,090 --> 00:34:11,410
We might have to navigate there

517
00:34:14,500 --> 00:34:16,180
and see is saying there's an error here.

518
00:34:17,620 --> 00:34:19,060
The resource doesn't exist.

519
00:34:19,920 --> 00:34:23,410
Let's see if we did everything right before.

520
00:34:24,970 --> 00:34:26,050
That all looks good.

521
00:34:28,450 --> 00:34:33,400
Let's go ahead and go back to edit scheduled task to make sure everything is set up correctly.

522
00:34:42,890 --> 00:34:43,150
OK.

523
00:34:50,190 --> 00:34:52,290
So you can see this if you click this in here, you click.

524
00:34:55,100 --> 00:34:59,450
I see, shell, there it loads, you know, that path is right, actually. To go back now to

525
00:34:59,450 --> 00:35:03,850
the emergency request that came in, they came in from you.

526
00:35:03,890 --> 00:35:04,120
All right.

527
00:35:04,130 --> 00:35:08,120
So we know that the website is actually hosting it correctly, that.

528
00:35:21,200 --> 00:35:22,010
Amy Pond.

529
00:35:31,670 --> 00:35:35,970
That JSP, save output to file.

530
00:35:38,730 --> 00:35:42,240
Oh, you know what, I put the past behind them and put the file in.

531
00:35:44,530 --> 00:35:45,900
Yeah, I think that was the problem.

532
00:35:46,990 --> 00:35:48,700
So let's click submit.

533
00:35:52,980 --> 00:35:53,300
Run it.

534
00:35:57,730 --> 00:36:03,820
Then we have our shell, so we selected it and now we should get a reverse shell back.

535
00:36:05,790 --> 00:36:06,540
In this window.

536
00:36:11,350 --> 00:36:11,950
Showbizzy.

537
00:36:18,640 --> 00:36:20,050
You can see this is our username.

538
00:36:24,740 --> 00:36:27,170
And we are not a member of the administrators.

539
00:36:31,670 --> 00:36:36,980
All right, so that's what we have for the compromise piece in the next lecture, we're going to talk

540
00:36:36,980 --> 00:36:38,270
about the post exploitation.

541
00:36:38,340 --> 00:36:48,050
I'm going to show you how you can use kernel exploits to escalate your privileges from an unprivileged user

542
00:36:48,050 --> 00:36:48,770
to an administrator.

543
00:36:49,130 --> 00:36:49,400
All right.

544
00:36:49,400 --> 00:36:49,760
See the.
