1
00:00:00,210 --> 00:00:01,230
That's creator Xochitl.

2
00:00:04,500 --> 00:00:06,200
You know, in the south that.

3
00:00:10,320 --> 00:00:13,170
Until the Border Patrol has a down there a couple times.

4
00:00:15,410 --> 00:00:21,450
What we want is this is going all the way, so it's you know, I said.

5
00:00:42,860 --> 00:00:47,900
Equals 10, 10 to 15, 20 words because for three.

6
00:00:57,790 --> 00:00:58,800
Let's just go away.

7
00:01:00,990 --> 00:01:03,350
And the reason we're doing this is because nothing else which might work.

8
00:01:04,710 --> 00:01:07,610
So this is always the last resort entrepreneur.

9
00:01:08,270 --> 00:01:09,510
A team got particular.

10
00:01:11,170 --> 00:01:14,950
And it's for the next three to six, and he could have.

11
00:01:16,720 --> 00:01:18,710
Created specifically for 64 bit system.

12
00:01:18,820 --> 00:01:20,440
So if we go here.

13
00:01:22,250 --> 00:01:26,490
Control, you do you know, in the.

14
00:01:28,640 --> 00:01:29,860
List of.

15
00:01:34,320 --> 00:01:35,640
We want to do X.

16
00:01:38,400 --> 00:01:40,610
It's the architecture that is is compatible with.

17
00:02:03,400 --> 00:02:04,360
That's just park.

18
00:02:12,050 --> 00:02:13,760
You know, it's like now it wants the.

19
00:02:15,150 --> 00:02:16,320
Actual output.

20
00:02:22,330 --> 00:02:25,350
So we can do with less than a.

21
00:02:42,300 --> 00:02:43,750
And we see windows there.

22
00:02:43,800 --> 00:02:44,550
So let's try that.

23
00:02:49,540 --> 00:02:51,130
Platform windows.

24
00:02:55,030 --> 00:02:57,820
Incompatible with the payload salvado.

25
00:02:59,360 --> 00:02:59,570
In the.

26
00:03:10,000 --> 00:03:15,730
We want to also search for 64 and windows.

27
00:03:17,590 --> 00:03:23,710
So we're just filtering I say, OK, I all the people only lead to interpreter that I'm 64 in that name

28
00:03:23,710 --> 00:03:28,840
and only related to Windows, and she pulled the reverse in order to correct reverse.

29
00:03:33,800 --> 00:03:36,430
Know, Kate, let's see, what do we have?

30
00:03:38,570 --> 00:03:40,010
The first TCP, this one.

31
00:03:45,580 --> 00:03:49,270
And let's get out of this one right here.

32
00:03:51,220 --> 00:03:54,070
This one, the staged was more likely to get caught by.

33
00:03:55,540 --> 00:03:56,740
This one doesn't say it's staged.

34
00:03:56,740 --> 00:03:57,880
So let's try this one right here.

35
00:04:00,280 --> 00:04:05,680
Copy about a couple of times, control left a few times.

36
00:04:09,750 --> 00:04:12,780
Space space control should be.

37
00:04:15,800 --> 00:04:17,250
Right, that's pretty good.

38
00:04:21,240 --> 00:04:21,470
Sweet.

39
00:04:22,510 --> 00:04:22,930
We got it.

40
00:04:24,780 --> 00:04:28,000
That looks like it'll probably work until the Zella's amount.

41
00:04:28,230 --> 00:04:29,800
We're not doing that right now.

42
00:04:29,820 --> 00:04:32,430
We need to serve this to the user.

43
00:04:32,580 --> 00:04:33,930
We can certainly tell it to download it.

44
00:04:34,460 --> 00:04:34,850
A, control.

45
00:04:34,860 --> 00:04:36,950
B, it's going to Turkcell.

46
00:04:37,500 --> 00:04:38,280
Do we have a show?

47
00:04:40,500 --> 00:04:41,400
Looks like we lost it.

48
00:04:41,730 --> 00:04:42,230
That's OK.

49
00:04:50,120 --> 00:04:53,060
Let's go back and rerun the task.

50
00:04:55,720 --> 00:04:58,790
And I'm just going to refresh this to make sure it's like it's still here.

51
00:04:58,810 --> 00:04:59,270
That's good.

52
00:04:59,330 --> 00:05:05,920
So let's go back here and execute the one request against.

53
00:05:07,980 --> 00:05:10,490
Our show was triggered a reversal on the top paying.

54
00:05:15,970 --> 00:05:17,470
We didn't get anything, let's try.

55
00:05:24,250 --> 00:05:24,750
All right, at the top of.

56
00:05:26,860 --> 00:05:28,570
Let's see if we can be certain to get this.

57
00:05:35,370 --> 00:05:42,030
So we look at the living off the land binaries here, I can certainly tell to actually.

58
00:05:45,930 --> 00:05:51,240
So this is abusing the legitimate functionality of a legitimate windows binary for nefarious purposes.

59
00:05:51,630 --> 00:05:55,020
That's what living off the land of binaries refer to this project right here.

60
00:05:55,140 --> 00:05:58,760
LOLBAS, living off the land binaries and scripts.

61
00:05:58,770 --> 00:05:59,540
That's what it stands for.

62
00:05:59,590 --> 00:05:59,970
Let's do it.

63
00:06:02,650 --> 00:06:05,530
Certain zones, but you cannot you do so until.

64
00:06:07,460 --> 00:06:10,920
Absoluteness has split.

65
00:06:19,360 --> 00:06:21,340
Let's make sure we can put the right path on.

66
00:06:28,190 --> 00:06:28,960
That is the right path.

67
00:06:31,960 --> 00:06:36,880
Controlled editor calls it time control set the.

68
00:06:37,990 --> 00:06:42,660
I believe that is the right syntax and then we just need what it's going to take us.

69
00:06:43,030 --> 00:06:43,840
Let's say that I was like.

70
00:06:50,380 --> 00:06:53,770
So here he pulled it down from a Web server, successfully saved it.

71
00:06:54,190 --> 00:06:56,650
There are things you could pull a here.

72
00:06:58,160 --> 00:07:01,100
Now we need to set up our together so control.

73
00:07:05,610 --> 00:07:07,350
Scooter Libby.

74
00:07:09,780 --> 00:07:16,080
And this is going to catch them a show once we pop the box around the homestretch, guys.

75
00:07:22,330 --> 00:07:25,640
So at last night's.

76
00:07:28,350 --> 00:07:30,810
Set stage show options.

77
00:07:32,610 --> 00:07:38,680
Said, I'll post zero our says system, that's what we created in the show.

78
00:07:41,460 --> 00:07:42,840
This is what we used to write here.

79
00:07:47,460 --> 00:07:49,510
So you go back to that.

80
00:07:52,210 --> 00:07:55,010
Control should be so Hobsons.

81
00:08:00,200 --> 00:08:03,320
And it will change the exact function to threads that a process.

82
00:08:06,470 --> 00:08:12,170
That way, if the user happens to close the application, it won't just destroy the process, it'll

83
00:08:12,170 --> 00:08:16,670
just kill the thread inside of the process, which helps for persistence purposes.

84
00:08:17,700 --> 00:08:19,640
So let's go ahead on this.

85
00:08:20,860 --> 00:08:23,920
I got the handle set up on the correct IP port.

86
00:08:28,620 --> 00:08:29,760
Let's close this out.

87
00:08:29,790 --> 00:08:30,790
You need this money anymore.

88
00:08:31,520 --> 00:08:32,290
The three.

89
00:08:39,220 --> 00:08:41,480
Control the five got to show.

90
00:08:47,340 --> 00:08:52,800
See you running in 64 architecture and 64 bit version of Interpreter you can backgrounders.

91
00:08:54,730 --> 00:09:00,430
And so now we the session so we can bring our post exploitation models against it.

92
00:09:01,190 --> 00:09:02,770
Research suggests.

93
00:09:04,490 --> 00:09:06,890
Experts suggest there is no for.

94
00:09:07,630 --> 00:09:09,810
He's for options.

95
00:09:12,080 --> 00:09:15,530
Listen to the idea here, here, which is one.

96
00:09:16,850 --> 00:09:18,010
And then just like.

97
00:09:20,790 --> 00:09:21,750
And simply comes back with.

98
00:09:26,890 --> 00:09:28,800
Right, so we got a few options here.

99
00:09:30,510 --> 00:09:31,950
Which one do we use?

100
00:09:33,730 --> 00:09:37,060
These are newer exploits, so 16 of the year.

101
00:09:39,050 --> 00:09:41,510
And it might be vulnerable to these because look a little bit tinea.

102
00:09:42,930 --> 00:09:49,050
These two might also work, although something is deprecated.

103
00:09:51,320 --> 00:09:52,490
What's going to try this guy right here?

104
00:09:55,430 --> 00:09:58,310
If this doesn't work, we can go down the list, kind of like we did before.

105
00:10:01,700 --> 00:10:03,240
Should be placed into.

106
00:10:05,350 --> 00:10:06,690
Snow options.

107
00:10:10,930 --> 00:10:14,530
Our host is set to meet the doctors, not tell 070 to change that.

108
00:10:18,440 --> 00:10:20,450
And it should be said that van.

109
00:10:28,010 --> 00:10:29,510
Especially to one.

110
00:10:33,250 --> 00:10:35,360
I see sessions that show.

111
00:10:36,280 --> 00:10:44,000
It's one that we should have everything at once, it does work on 28 excellent targets to achieve.

112
00:10:44,100 --> 00:10:44,380
Again.

113
00:10:46,930 --> 00:10:51,370
Exploit this puppy for four four four four, assuming that the firewall allows this out.

114
00:10:57,250 --> 00:10:59,740
Because the truth are we system.

115
00:11:01,640 --> 00:11:06,890
We are excessively asking to escalate our privileges on this box, and I think it was pretty difficult,

116
00:11:07,280 --> 00:11:08,720
but we got through it and we made it home.

117
00:11:09,380 --> 00:11:16,250
Next thing I like to do is I like to be able to go into the box and then we will finalize it.

118
00:11:24,770 --> 00:11:27,930
I forget which exact command we used to do this, but get going.

119
00:11:27,950 --> 00:11:29,510
We can use this to, first of all.

120
00:11:32,080 --> 00:11:39,600
Anybody, RTP and then actually connected remotely so to get lead E to anybody.

121
00:11:40,690 --> 00:11:42,120
Sorry, but typically.

122
00:11:52,150 --> 00:11:59,820
And right to that post the hole through the firewall and we can create our account, we can get.

123
00:12:07,690 --> 00:12:15,550
You should be able to do this, since we are a system great until D.C., until they come up our desktop.

124
00:12:16,030 --> 00:12:19,300
Let's do X free desktop.

125
00:12:23,270 --> 00:12:25,370
It's free, I think, what it's called.

126
00:12:25,610 --> 00:12:26,390
Yeah, that's it.

127
00:12:27,590 --> 00:12:32,090
So I can see the usage options here.

128
00:12:34,250 --> 00:12:38,750
I believe there is something for auto recycling Web sites.

129
00:12:41,480 --> 00:12:46,160
Now, as you can see, this smart sizing, what it's going to do is it's going to scale the remote desktop

130
00:12:46,160 --> 00:12:47,680
window to publicize.

131
00:12:48,650 --> 00:12:50,360
So we should have everything we need to connect.

132
00:12:53,360 --> 00:12:55,560
That's right, zero extra.

133
00:12:56,510 --> 00:12:58,840
These are Bonnie.

134
00:13:04,820 --> 00:13:05,940
See Justice Sandra.

135
00:13:09,550 --> 00:13:12,390
And smart and see if that works.

136
00:13:17,690 --> 00:13:18,920
We trusted the birth certificate.

137
00:13:19,280 --> 00:13:19,800
Yes, I do.

138
00:13:19,820 --> 00:13:20,540
This is Arctic.

139
00:13:42,090 --> 00:13:46,420
I'm super OCD, so I've got to make this try to preserve the aspect ratio as much as possible.

140
00:13:47,700 --> 00:13:48,270
So here we are.

141
00:13:48,270 --> 00:13:52,040
Here's a severely compromised looks like it was the Athens time zone.

142
00:13:54,010 --> 00:13:57,280
And we could see everything dead.

143
00:14:07,840 --> 00:14:09,550
It's the directory that we walked out of.

144
00:14:27,930 --> 00:14:31,470
And you could easily just drag them over now and look what happens, you'll see actually why some of

145
00:14:31,470 --> 00:14:32,280
the stuff didn't work.

146
00:14:33,320 --> 00:14:34,700
Example, if I direct this over.

147
00:14:40,790 --> 00:14:42,190
Saying that it's not compatible.

148
00:14:55,170 --> 00:14:59,000
We clicked hematuria disappears really fast so we could just try to figure out what's going on there.

149
00:15:13,540 --> 00:15:19,450
And you can see here it's telling us the appropriate usage, we didn't see this, you know, when we

150
00:15:19,450 --> 00:15:24,040
did this from the show on our Tucker machine, but this is shown here on this interactive window, which

151
00:15:24,040 --> 00:15:25,000
I like kind of interesting.

152
00:15:36,510 --> 00:15:37,670
Something did happen.

153
00:15:39,380 --> 00:15:40,990
I saw this window back here on Flicker.

154
00:15:41,930 --> 00:15:45,080
Look at the last modified time.

155
00:15:47,440 --> 00:15:50,000
Of course, the problem is we're already system, so let's it this.

156
00:15:56,510 --> 00:16:02,090
Users, user accounts and let's look at.

157
00:16:33,390 --> 00:16:35,190
That's right, because I'm not a member of the.

158
00:16:38,040 --> 00:16:38,610
High school.

159
00:17:11,130 --> 00:17:14,330
And then the minister said, I can't add him to the desktop Users.

160
00:17:23,660 --> 00:17:24,230
Groups.

161
00:17:25,470 --> 00:17:30,450
And as he told us, this is Thomas.

162
00:17:33,570 --> 00:17:35,700
Yes, we need to put him in remote desktop.

163
00:17:39,060 --> 00:17:40,920
There it comes from a desktop users.

164
00:17:41,760 --> 00:17:42,190
There we go.

165
00:17:50,860 --> 00:17:53,950
And let's try it again as Thomas.

166
00:17:59,700 --> 00:18:04,830
Sweet is a user flag for the top of the flag portion of this.

167
00:18:15,610 --> 00:18:16,310
Still like this.

168
00:18:30,950 --> 00:18:32,330
Described in that part.

169
00:18:59,370 --> 00:19:02,820
It was a drive and it's just the opening running of the stuff.

170
00:19:25,390 --> 00:19:26,790
You see, you know, it just hangs.

171
00:19:28,180 --> 00:19:32,470
So, I mean, I just want to say there's another way we can get there through this path and it doesn't

172
00:19:32,470 --> 00:19:33,490
look like it actually works.

173
00:19:36,200 --> 00:19:36,420
Right.

174
00:19:36,440 --> 00:19:42,500
So that's it for this this is privilege escalation technique, if you actually want to look at my dad

175
00:19:42,500 --> 00:19:45,830
to see what we did in minor.

176
00:20:07,190 --> 00:20:12,360
It's the enterprise is what we used and we gave initial access.

177
00:20:14,760 --> 00:20:22,160
Not through a drive by compromise, but a combination of exploiting a public facing application because

178
00:20:22,170 --> 00:20:26,800
of the display vulnerabilities while the underlying operating system was patched.

179
00:20:27,370 --> 00:20:30,990
So that actually escalated our privileges, but we gained initial access through.

180
00:20:37,080 --> 00:20:44,040
And we use the administrators hash to get into the operating system or into the web, and then we're

181
00:20:44,040 --> 00:20:47,340
able to escalate our privileges once we do that.

182
00:20:53,500 --> 00:20:56,500
You can see there's a bunch of different things here, this list out there, but.

183
00:20:59,310 --> 00:21:04,150
This is basically how we were able to compromise the application to the recommended mitigation would

184
00:21:04,150 --> 00:21:08,380
be the patch if the if the server were patched and weren't running.

185
00:21:08,450 --> 00:21:14,020
Remember, version of it will be a ColdFusion, then make this task significantly harder.

186
00:21:17,360 --> 00:21:19,670
And also, I you know, any viruses running.

187
00:21:21,720 --> 00:21:22,670
We can check that liquid.

188
00:21:33,410 --> 00:21:34,500
So any any grass.

189
00:21:39,190 --> 00:21:39,870
Even stalled.

190
00:21:41,440 --> 00:21:42,960
Because pottage is completely naked.

191
00:21:48,300 --> 00:21:50,190
Yeah, there's like nothing here.

192
00:21:51,870 --> 00:21:57,510
So it's like somebody just installed it and threw it on the Internet, so yeah, antivirus ideas and

193
00:21:57,510 --> 00:22:04,620
maybe having like a SOAR, a security orchestration and automated response tool would also help.

194
00:22:05,700 --> 00:22:06,950
But there's nothing on this box.

195
00:22:06,990 --> 00:22:10,140
That's also what that company is letting led to it being compromised.

196
00:22:11,460 --> 00:22:11,700
All right.

197
00:22:11,700 --> 00:22:12,180
So that's it.

198
00:22:12,180 --> 00:22:16,560
In the next lecture, we will talk about problems, escalation, and we will continue to move forward

199
00:22:16,890 --> 00:22:18,030
on our next system.

200
00:22:18,270 --> 00:22:18,530
All right.

201
00:22:18,540 --> 00:22:19,710
So you go by.
