1
00:00:00,150 --> 00:00:03,000
OK, here we are, we have another box to pop.

2
00:00:03,270 --> 00:00:08,640
This one is going to be awesome and I'm going to learn a lot of new tricks along the way, including

3
00:00:08,640 --> 00:00:11,570
like environment variables, exporting those, using smbmap.

4
00:00:12,270 --> 00:00:17,550
We're going to use a bunch of different tools and techniques. We're, you know, actually going to go deep.

5
00:00:17,550 --> 00:00:18,240
CrackMap

6
00:00:18,240 --> 00:00:18,810
Exec.

7
00:00:19,500 --> 00:00:25,620
So that's going to be fun. We get to learn a lot of Bash scripting sort of commands using cut and grep

8
00:00:25,620 --> 00:00:26,930
and uniq and sort.

9
00:00:27,330 --> 00:00:32,250
And we're going to use tools like Kerbrute and CeWL and Hashcat to generate wordlists.

10
00:00:32,490 --> 00:00:33,420
We're going to use Hydra.

11
00:00:33,420 --> 00:00:35,010
I mean, there's going to be a lot of cool stuff.

12
00:00:35,020 --> 00:00:35,580
ldapsearch.

13
00:00:35,610 --> 00:00:36,360
It's going to be awesome.

14
00:00:37,000 --> 00:00:40,640
Let's just go ahead and dig in and get started in our exploitation phase.

15
00:00:41,040 --> 00:00:43,200
So where are we right now?

16
00:00:43,530 --> 00:00:43,950
Here we are.

17
00:00:44,640 --> 00:00:46,080
So let's go and make a directory

18
00:00:48,870 --> 00:00:50,100
and we'll pop in the directory.

19
00:00:53,070 --> 00:00:53,520
Nice.

20
00:00:54,750 --> 00:00:55,400
Here we are.

21
00:00:56,760 --> 00:00:59,070
And I think what I should do is make this box big.

22
00:01:02,250 --> 00:01:03,630
OK, so we are ready to go.

23
00:01:03,630 --> 00:01:08,430
The first thing we need to do is obviously we need to export the target.

24
00:01:09,360 --> 00:01:14,190
This might not be obvious, but if we export it here, the target variable that contains the IP, then

25
00:01:14,190 --> 00:01:18,180
we can access it among all the panes in our session.

26
00:01:18,210 --> 00:01:19,440
So we're going to do that.

27
00:01:19,440 --> 00:01:23,130
First, export target equals the IP of our target.

28
00:01:25,350 --> 00:01:32,580
And of course, if we just did like echo target here, it works, but it also works if we join the session

29
00:01:33,540 --> 00:01:38,490
with VPN go target right now.

30
00:01:39,750 --> 00:01:42,030
Let's go ahead and connect to the VPN

31
00:01:48,000 --> 00:01:48,510
Sweet.

32
00:01:51,420 --> 00:01:56,910
and let's make sure that we can ping the target.

33
00:01:57,480 --> 00:01:58,230
So I can say this.

34
00:01:58,260 --> 00:02:00,090
You don't want to see for

35
00:02:04,080 --> 00:02:05,180
such good.

36
00:02:05,310 --> 00:02:07,320
TTL of 127.

37
00:02:07,320 --> 00:02:17,790
We know it's a Windows box because it's between 64 and 128, and our local IP is 10.10.14.9.

38
00:02:18,090 --> 00:02:27,150
So we should export this variable as well. Let's see, if we do export, let's call it lhost, equal

39
00:02:27,150 --> 00:02:28,770
to that variable.

40
00:02:29,160 --> 00:02:32,100
And the echo just shows up here.

41
00:02:32,100 --> 00:02:32,410
Right.

42
00:02:32,640 --> 00:02:37,410
And if I open a new pane and I do echo lhost, we don't get anything.

43
00:02:38,350 --> 00:02:39,120
So why is that?

44
00:02:39,810 --> 00:02:42,930
That's because we actually need to define this in the tmux session.

45
00:02:43,320 --> 00:02:49,430
Let's go back here and let's do a tmux, actually.

46
00:02:49,520 --> 00:02:51,250
Yeah, we can do a show-environment.

47
00:02:51,330 --> 00:02:52,950
Show us all the environment variables.

48
00:02:53,820 --> 00:03:05,700
But if we do tmux set-environment, we can set lhost to the IP of our local machine and then we can export

49
00:03:05,700 --> 00:03:05,850
it.

50
00:03:08,910 --> 00:03:16,060
And then we can echo it right now. If we go back to the second pane, we should be able to echo.

51
00:03:17,400 --> 00:03:21,710
I think we may have to close this pane first. X, Y, actually.

52
00:03:21,720 --> 00:03:24,320
You see, echo lhost.

53
00:03:24,930 --> 00:03:25,410
There we go.

54
00:03:26,430 --> 00:03:27,090
Any pane.

55
00:03:27,390 --> 00:03:32,240
echo lhost, echo target.

56
00:03:32,760 --> 00:03:33,500
Everything's there.

57
00:03:33,870 --> 00:03:34,370
Sweet.

58
00:03:36,180 --> 00:03:40,890
OK, so now we can start some awesome stuff.

59
00:03:42,790 --> 00:03:43,540
What should we do next?

60
00:03:43,830 --> 00:03:45,520
Go ahead and kick off an nmap session.

61
00:03:46,530 --> 00:03:47,340
Let's clear this out.

62
00:03:47,350 --> 00:03:51,100
Zero in my favor both soon.

63
00:03:51,190 --> 00:03:52,590
The host is already active.

64
00:03:53,130 --> 00:04:01,160
Run the fastest scan that we possibly can, run safe scripts, and make sure we do version enumeration.

65
00:04:01,730 --> 00:04:07,260
Show the reason why the port is closed, if it is closed. Only show open ports, because we probably

66
00:04:07,260 --> 00:04:11,660
don't need reason if we're going to only show open ports.

67
00:04:11,670 --> 00:04:13,650
Actually, what I want to do is I want to pick out open

68
00:04:16,710 --> 00:04:17,310
so that we can see.

69
00:04:17,310 --> 00:04:22,290
The reason why our ports are blocked. 65535, and then we'll output it.

70
00:04:22,380 --> 00:04:28,050
Let's just call it fuse.nmap, and we'll send it to our target immediately.

71
00:04:28,050 --> 00:04:30,360
We can see we've got some ports open.

72
00:04:30,900 --> 00:04:31,850
135.

73
00:04:32,310 --> 00:04:37,740
This is usually RPC, along with 445 and 139.

74
00:04:37,740 --> 00:04:40,590
So these are usually like SMB, like NetBIOS stuff.

75
00:04:42,990 --> 00:04:45,560
139, 445, 135.

76
00:04:46,080 --> 00:04:51,630
So the first thing I would do when I see this is I just want to, you know, see if we can connect via,

77
00:04:51,630 --> 00:04:53,070
you know, no authentication.

78
00:04:53,130 --> 00:04:58,230
So Control-A, let's just go here and let's see if we can connect to it.

79
00:04:58,890 --> 00:05:02,640
sudo smbmap, see what options we have with smbmap.

80
00:05:06,890 --> 00:05:12,860
OK, so there are a lot of options here. I'm going to go back, Control-E, to clear the screen.

81
00:05:15,850 --> 00:05:21,280
I guess Control-E was useless because I'm back where I was before, but anyway, we go up, we can

82
00:05:21,280 --> 00:05:22,650
look at some of the things we can do here.

83
00:05:22,660 --> 00:05:32,080
So if I type forward slash: if username is omitted, null session is assumed, and that's the only option

84
00:05:32,080 --> 00:05:32,570
for now.

85
00:05:33,310 --> 00:05:37,120
So what we could do is see if we could authenticate using no authentication.

86
00:05:37,120 --> 00:05:37,390
Right.

87
00:05:38,020 --> 00:05:42,040
Let's go back here to see the smbmap.

88
00:05:44,590 --> 00:05:46,480
So we just need to omit the user.

89
00:05:46,480 --> 00:05:50,620
And then I think we need a host, which I believe is dash H.

90
00:05:51,910 --> 00:05:53,380
It is: -H, IP host,

91
00:05:56,110 --> 00:05:57,070
and that's the target.

92
00:06:03,280 --> 00:06:03,920
See what we get.

93
00:06:04,680 --> 00:06:05,070
All right.

94
00:06:05,080 --> 00:06:06,160
So we didn't get anything here.

95
00:06:06,160 --> 00:06:08,530
No error messages, nothing really meaningful that came back.

96
00:06:10,510 --> 00:06:11,040
What can we do?

97
00:06:11,050 --> 00:06:14,230
Let's try to authenticate using rpcclient.

98
00:06:17,650 --> 00:06:18,250
Client.

99
00:06:20,760 --> 00:06:21,970
Let's just switch this around, right?

100
00:06:22,000 --> 00:06:26,850
So clear, then rpcclient.

101
00:06:34,380 --> 00:06:41,750
See, -U, username, filled in here. Username: set the network username. So I don't think it's an

102
00:06:41,760 --> 00:06:45,210
authentication flag. -P, your password, or password.

103
00:06:46,160 --> 00:06:57,180
What we could do is we could say rpcclient, which is, do it like this, with the username, and we'll say

104
00:06:57,990 --> 00:06:58,740
no password.

105
00:06:59,420 --> 00:07:01,740
Just try to see if we can get anything with no authentication.

106
00:07:05,310 --> 00:07:05,640
No.

107
00:07:10,350 --> 00:07:23,770
If we do this... oh, so now we've got something interesting, potentially, to help us. Go back to all the

108
00:07:23,770 --> 00:07:28,420
different things that we can type; a lot of different commands here.

109
00:07:30,670 --> 00:07:32,760
And what I'm looking for really is just enumeration.

110
00:07:32,780 --> 00:07:36,910
So let's see if there's any, like, enum commands.

111
00:07:37,840 --> 00:07:40,720
So we've got one: winreg_enumkey.

112
00:07:42,100 --> 00:07:44,050
We've got so many great computer names.

113
00:07:45,610 --> 00:07:46,640
What else can we do.

114
00:07:46,640 --> 00:07:49,540
netshareenumall, enumerate all shares.

115
00:07:52,900 --> 00:07:53,320
What else.

116
00:07:53,320 --> 00:07:54,130
What else.

117
00:07:55,960 --> 00:07:58,810
netshareenumall, netconnenum.

118
00:08:02,130 --> 00:08:04,680
All right, so let's see

119
00:08:07,710 --> 00:08:11,820
enumprinters, enumforms.

120
00:08:16,780 --> 00:08:23,860
A lot of stuff, you know. enumdomains, enumdomusers, I mean, this is probably a good start, right?

121
00:08:23,870 --> 00:08:34,220
This enumerates domain users, so we could take this, Control-Shift-C, Control-Shift-V, hit enter: access denied.

122
00:08:34,250 --> 00:08:34,660
Great.

123
00:08:34,910 --> 00:08:37,100
So it was worth a shot with our permission.

124
00:08:37,130 --> 00:08:37,760
Right now I do that.

125
00:08:39,380 --> 00:08:44,630
What we should do now is let's just go back to nmap, since it finished.

126
00:08:46,220 --> 00:08:47,210
Let's see what we have here.

127
00:08:47,810 --> 00:08:51,200
So we have a few different open ports.

128
00:08:53,390 --> 00:08:59,750
We've got port 53, and there's some tool called Simple DNS Plus that's running. Immediately,

129
00:08:59,750 --> 00:09:03,260
the first thing I'm going to do is just go to searchsploit.

130
00:09:04,250 --> 00:09:05,800
Oops, wrong window.

131
00:09:06,230 --> 00:09:06,880
Let's go back here.

132
00:09:07,820 --> 00:09:09,170
I'm going to go to searchsploit.

133
00:09:11,030 --> 00:09:12,230
Let's check searchsploit.

134
00:09:12,230 --> 00:09:16,190
You know, searchsploit Simple DNS Plus.

135
00:09:17,070 --> 00:09:17,490
All right.

136
00:09:17,510 --> 00:09:21,950
So we do have one exploit here, but this is a denial of service.

137
00:09:23,360 --> 00:09:27,800
This is not going to get us a shell or it might, but it's going to take some significant work.

138
00:09:27,800 --> 00:09:36,710
For example, if we did like searchsploit -x 6059, you'll see that this is a remote

139
00:09:36,710 --> 00:09:38,150
denial-of-service exploit.

140
00:09:38,150 --> 00:09:38,940
Not really interested in that.

141
00:09:39,980 --> 00:09:41,240
We don't want to knock the box offline.

142
00:09:41,240 --> 00:09:41,470
Right.

143
00:09:42,350 --> 00:09:43,580
We want to gain access to the box.

144
00:09:44,690 --> 00:09:47,810
So let's see what else we have from here.

145
00:09:49,010 --> 00:09:50,060
We do have 53.

146
00:09:50,060 --> 00:09:56,840
So usually the first thing I do when I see port 53, besides, you know, running searchsploit against the

147
00:09:56,840 --> 00:09:57,650
service that's listening.

148
00:09:57,650 --> 00:10:01,750
there, is I just update my local DNS file.

149
00:10:01,760 --> 00:10:05,840
So if I do vim /etc/resolv.conf.

150
00:10:08,900 --> 00:10:17,860
What I can do is put in the new nameserver, 10.10.10.193. Escape, Shift,

151
00:10:17,870 --> 00:10:26,030
ZZ. Because I want to have this name server, I want to have this remote target resolve any names.

152
00:10:26,480 --> 00:10:29,300
Obviously it can do that because it's a name server, so I'm going to let it do that.

153
00:10:29,300 --> 00:10:34,610
And sometimes it will get us access to resources that we wouldn't be able to get access to without this

154
00:10:34,610 --> 00:10:35,360
name resolution.

155
00:10:39,740 --> 00:10:40,760
What else do we notice here?

156
00:10:42,440 --> 00:10:47,190
Well, we see port 80 is listening, running IIS 10.

157
00:10:47,240 --> 00:10:50,930
So this is probably either Windows Server 2016, 2019 or Windows 10.

158
00:10:51,770 --> 00:10:56,390
Any one of those. The site doesn't have a title, so it looks like it might not be completely configured.

159
00:10:56,900 --> 00:10:59,810
We have Kerberos here.

160
00:10:59,810 --> 00:11:04,370
We have again 135 and 139, and then we also have 389.

161
00:11:04,370 --> 00:11:05,960
So this is Active Directory.

162
00:11:05,990 --> 00:11:07,190
This might be a domain controller.

163
00:11:08,030 --> 00:11:11,720
You notice we also have this name here, fabricorp.local.

164
00:11:11,720 --> 00:11:13,370
So we should probably add this to our host file.

165
00:11:14,660 --> 00:11:17,420
vim /etc/hosts.

166
00:11:21,870 --> 00:11:22,860
Let's go and add that.

167
00:11:30,570 --> 00:11:33,320
So we've got that added, what else do we see here?

168
00:11:33,330 --> 00:11:37,500
We see we've got 445, 464.

169
00:11:37,500 --> 00:11:38,450
I don't know what that is.

170
00:11:39,860 --> 00:11:42,740
Something to do with RPC is 593, 636.

171
00:11:42,740 --> 00:11:45,380
Not sure, because some more LDAP stuff.

172
00:11:47,690 --> 00:11:52,760
Let's see, some more web listening ports. Some high-level ports here look non-standard.

173
00:11:53,450 --> 00:11:56,630
And then we've got just a general check for Conficker.

174
00:11:57,380 --> 00:11:59,820
And here's the operating system, with Windows Server 2016.

175
00:11:59,820 --> 00:12:04,790
That gives us the exact version along with some other things.

176
00:12:04,790 --> 00:12:07,730
We see a fully qualified domain name here so we can add this to our file.

177
00:12:09,140 --> 00:12:15,950
And you see that message signing is enabled and required, which means that we're not able to do any

178
00:12:15,950 --> 00:12:17,570
like SMB relay attacks.

179
00:12:17,900 --> 00:12:24,890
If there were multiple boxes and this was disabled, we might be able to essentially relay our NTLM

180
00:12:24,890 --> 00:12:25,910
hash to another system.

181
00:12:26,450 --> 00:12:27,320
That's not the case here.

182
00:12:27,320 --> 00:12:28,820
So we don't need to look at this part.

183
00:12:30,080 --> 00:12:34,390
Let's go ahead and add Fuse.fabricorp.

184
00:12:34,520 --> 00:12:37,910
That will go to our hosts file.

185
00:12:44,930 --> 00:12:45,890
And I don't like the capital.

186
00:12:47,360 --> 00:12:48,920
I'm OCD like that.

187
00:12:49,670 --> 00:12:52,490
OK, and what version of Windows is this?

188
00:12:52,520 --> 00:12:53,990
To give us the exact version.

189
00:12:53,990 --> 00:12:56,750
So let's see, Windows 2016 Standard.

190
00:12:58,810 --> 00:13:00,170
Let's see if we can Google that real quick.

191
00:13:03,920 --> 00:13:06,080
See what the Googles tells us about this version of Windows.

192
00:13:09,430 --> 00:13:14,420
All right, and immediately, the first thing I get is exploit.

193
00:13:14,990 --> 00:13:15,930
That is hilarious.

194
00:13:17,930 --> 00:13:23,890
This is not from my browser history, because I'm using a completely new build of Kali Linux.

195
00:13:23,900 --> 00:13:29,930
So it's interesting that that came up. And see, Exploit-DB exploit: EternalBlue.

196
00:13:30,910 --> 00:13:36,260
And so this target might be vulnerable to EternalBlue, and, right,

197
00:13:36,260 --> 00:13:42,620
you may want to go for it, but we're going to try to avoid using that exploit in this particular engagement,

198
00:13:42,620 --> 00:13:45,110
because I want you to really learn how these tools work.

199
00:13:45,410 --> 00:13:49,040
And if you're studying for the OSCP, this exploit is not allowed.

200
00:13:49,790 --> 00:13:52,580
So this is not something we're going to do here.

201
00:13:54,020 --> 00:13:54,680
So MS

202
00:13:54,680 --> 00:13:56,150
17-010.

203
00:13:59,430 --> 00:14:01,410
We might we might be vulnerable to this.

204
00:14:01,630 --> 00:14:02,640
Right, so that's good to know.

205
00:14:03,350 --> 00:14:04,050
Good to minimize it.

206
00:14:04,980 --> 00:14:08,310
Let's just go ahead and confirm that version, and we can confirm it with CrackMap

207
00:14:08,310 --> 00:14:08,790
Exec.

208
00:14:09,750 --> 00:14:13,470
So because, you know, it's always good to validate what you see in one tool with another tool.

209
00:14:14,010 --> 00:14:19,950
And I like using CrackMapExec for this, because it does a really good job of fingerprinting

210
00:14:19,950 --> 00:14:21,570
OS, among a bunch of other things.

211
00:14:22,380 --> 00:14:26,100
So we go to Google: CrackMapExec.

212
00:14:28,110 --> 00:14:29,250
We'll get the latest release.

213
00:14:34,000 --> 00:14:39,310
Here we go, right here. The nice thing about CrackMapExec is that you can actually get the architecture

214
00:14:39,940 --> 00:14:43,950
of your target without any authentication, just using RPC calls.

215
00:14:44,980 --> 00:14:47,780
So that is a huge plus.

216
00:14:47,950 --> 00:14:49,990
So here we have the latest release.

217
00:14:51,040 --> 00:14:55,320
We have the CrackMapExec for Ubuntu, which is a Debian variant.

218
00:14:55,330 --> 00:15:00,940
And we also have cmedb, which stores the credentials that you gather.

219
00:15:01,300 --> 00:15:02,290
I'm using CrackMap

220
00:15:02,290 --> 00:15:02,800
Exec.

221
00:15:02,800 --> 00:15:05,080
So let's go and grab the Ubuntu release.

222
00:15:05,380 --> 00:15:06,580
I'm going to copy that link.

223
00:15:08,170 --> 00:15:10,240
And let's go to the second pane.

224
00:15:10,600 --> 00:15:16,720
Name this discovery and cd to it.

225
00:15:17,150 --> 00:15:18,190
Just wget that guy.

226
00:15:19,840 --> 00:15:20,500
Put down.

227
00:15:24,060 --> 00:15:33,450
sudo unzip cme. OK, and let's go ahead and remove that downloaded file.

228
00:15:34,470 --> 00:15:35,370
It's a Python script.

229
00:15:36,960 --> 00:15:37,740
See if I do a head on.

230
00:15:37,740 --> 00:15:42,120
It looks like it's actually in a binary format, though, which is kind of interesting.

231
00:15:44,610 --> 00:15:45,270
There it is.

232
00:15:46,170 --> 00:15:52,650
So we can do sudo python3 cme. That should launch the tool.

233
00:15:55,010 --> 00:15:56,450
Some errors, but that's OK.

234
00:15:56,780 --> 00:15:57,820
All right, we've got it up.

235
00:15:58,340 --> 00:16:01,520
Let's go ahead and run the SMB module.

236
00:16:01,550 --> 00:16:09,230
So up arrow to go back in our history, smb, and there we get the target, the operating system.

237
00:16:09,230 --> 00:16:09,590
That's all.

238
00:16:10,280 --> 00:16:13,360
And again, we get the operating system and we get something new.

239
00:16:14,300 --> 00:16:18,380
We get a name, Fuse, just Fuse by itself.

240
00:16:18,380 --> 00:16:19,760
And we also have the domain, fabricorp.

241
00:16:20,030 --> 00:16:23,120
So let's just add Fuse to our hosts file,

242
00:16:28,370 --> 00:16:31,190
Fuse. Escape, U.

243
00:16:32,900 --> 00:16:33,450
There we go.

244
00:16:34,820 --> 00:16:38,390
I just pressed U to undo that. Fuse here.

245
00:16:40,040 --> 00:16:42,550
Looks good. Escape, Shift-ZZ.

246
00:16:42,940 --> 00:16:44,440
So now we know what version we're working with.

247
00:16:44,530 --> 00:16:52,060
There's a pretty high chance that we're working with Windows Server 2016 Standard because of what we're

248
00:16:53,140 --> 00:16:54,840
we're seeing here, 64 bit version.

249
00:16:55,000 --> 00:16:55,290
Right.

250
00:16:56,350 --> 00:16:57,280
So that is pretty cool.

251
00:16:59,020 --> 00:17:03,520
Now, let's go ahead and see what's important right now, because we learned from our recon that Port

252
00:17:03,550 --> 00:17:06,850
80 is open and this usually has the largest attack surface.

253
00:17:07,840 --> 00:17:09,040
Again, you know what we're seeing here?

254
00:17:09,040 --> 00:17:11,050
It looks like this doesn't actually have anything configured here.

255
00:17:11,050 --> 00:17:12,690
So this this page might be vulnerable.

256
00:17:12,710 --> 00:17:18,430
Looks like it might be a freshly set up Web page without much security in place.

257
00:17:19,010 --> 00:17:23,630
So I'm going to type fuse, and I'm immediately redirected there.

258
00:17:23,680 --> 00:17:28,930
Before we dig into this, we need to make sure Burp is open so we can spider this host passively in the

259
00:17:28,930 --> 00:17:29,350
background.

260
00:17:29,360 --> 00:17:30,400
This is part of my workflow.

261
00:17:30,610 --> 00:17:33,670
When I'm doing recon or I'm looking at lists, whether it's a bug bounty,

262
00:17:33,850 --> 00:17:34,540
Hack the box.

263
00:17:34,540 --> 00:17:37,240
pentest, or a red team engagement, doesn't matter what it is.

264
00:17:37,660 --> 00:17:41,950
You want to have Burp logging your requests in the background.

265
00:17:43,060 --> 00:17:47,860
Then you can just go back through that log and you'll have a record pretty much of your assessment,

266
00:17:48,160 --> 00:17:49,520
which is a really, really nice.

267
00:17:50,320 --> 00:17:51,370
So let's go ahead and start Burp.

268
00:17:55,340 --> 00:18:06,560
OK, so Burp. Intercept off. Go to options, make sure we are requesting the server response, and go to the

269
00:18:06,560 --> 00:18:15,140
site map. Back here, turn on the proxy for Burp, and we know that we are, because if you go back

270
00:18:15,140 --> 00:18:23,630
to proxy options, you see that Burp is listening on port 8080 on localhost.

271
00:18:26,080 --> 00:18:31,180
So any traffic that we send to that port will be sent to Burp, and that's exactly what this plugin

272
00:18:31,180 --> 00:18:33,750
is doing. Go to options here.

273
00:18:35,200 --> 00:18:43,260
You'll see it's actually sending the traffic to 127.0.0.1, and it is sending it to port 8080.

274
00:18:43,600 --> 00:18:45,090
Right. Close.

275
00:18:46,070 --> 00:18:46,630
So we're good.

276
00:18:46,660 --> 00:18:47,370
So what do we have here?

277
00:18:47,590 --> 00:18:49,230
Some kind of printer site?

278
00:18:49,710 --> 00:18:52,360
It looks like it might be old, judging by the copyright, maybe.

279
00:18:52,370 --> 00:18:58,950
Let's do a searchsploit for PaperCut Print Logger, just to see if we have anything. In the background,

280
00:18:58,950 --> 00:19:00,860
create a new tab.

281
00:19:01,060 --> 00:19:08,290
searchsploit papercut. searchsploit print logger.

282
00:19:11,560 --> 00:19:13,510
No. It's always good to do that.

283
00:19:13,810 --> 00:19:14,560
You never know.

284
00:19:14,560 --> 00:19:20,820
You might just get a quick, easy win. This page definitely looks old, and we can learn here.

285
00:19:20,830 --> 00:19:26,260
Looks like this is Print Logger, a free print logging program, which is probably open source, I'm guessing,

286
00:19:26,260 --> 00:19:32,980
because of the freeness. And it says live print logs are listed below, and additional CSV and Excel logs

287
00:19:32,980 --> 00:19:40,390
are available here. So the software will only track printers locally attached to the system.

288
00:19:41,690 --> 00:19:42,220
So this is good.

289
00:19:42,220 --> 00:19:43,490
There's probably something interesting in here.

290
00:19:43,510 --> 00:19:48,280
Let's go to about just mousing over these links to see where they go.

291
00:19:49,240 --> 00:19:51,750
These are going back to the PaperCut website.

292
00:19:51,760 --> 00:19:53,170
So that's not really interesting to me.

293
00:19:54,070 --> 00:20:05,470
If I go back to print logs and I press Control-U, I can do a search for all the comments on the page

294
00:20:05,680 --> 00:20:11,410
just to see if there's anything in the comments that might sort of cause the application to leak sensitive

295
00:20:11,410 --> 00:20:12,040
information.

296
00:20:12,880 --> 00:20:17,140
Information disclosure is a thing and we want to make sure that we check that vector first.

297
00:20:18,370 --> 00:20:18,830
All right.

298
00:20:18,850 --> 00:20:20,260
So we've got a couple of things here.

299
00:20:20,890 --> 00:20:22,030
Let's just look at the data.

300
00:20:22,220 --> 00:20:22,570
Right.

301
00:20:25,130 --> 00:20:26,080
I want to look at it this way.

302
00:20:28,990 --> 00:20:30,520
I'm probably going to download all these.

303
00:20:31,210 --> 00:20:33,680
So it was just one of them.

304
00:20:35,590 --> 00:20:36,220
So we're back.

305
00:20:36,890 --> 00:20:38,380
You see, everything's been downloaded.

306
00:20:40,360 --> 00:20:41,740
There's only five or six here.

307
00:20:41,740 --> 00:20:45,910
And I think that's because one of these is actually the same.

308
00:20:45,910 --> 00:20:46,680
These two are the same.

309
00:20:46,810 --> 00:20:49,470
Yeah, it's the same.

310
00:20:50,230 --> 00:20:52,960
So let's go ahead and extract these and take a look at what we're working with here.

311
00:20:53,980 --> 00:20:56,780
Locate actually should be no doubt whatsoever.

312
00:20:56,800 --> 00:21:00,460
So, sudo mv Downloads/*.csv

313
00:21:00,510 --> 00:21:01,780
to this folder.

314
00:21:04,310 --> 00:21:05,050
You got it right.

315
00:21:05,800 --> 00:21:06,640
Now, what do we want to do?

316
00:21:06,970 --> 00:21:07,660
We can cat them.

317
00:21:10,300 --> 00:21:11,380
That's kind of hard to work with.

318
00:21:11,650 --> 00:21:15,370
You know, we need some way to get into this application and get into this box.

319
00:21:15,370 --> 00:21:17,110
And the authentication doesn't work.

320
00:21:17,110 --> 00:21:17,950
We've already tried that.

321
00:21:18,490 --> 00:21:23,920
We ran searchsploit, you know, against the DNS application, against this PaperCut thing.

322
00:21:23,920 --> 00:21:27,280
We're not seeing anything. I don't think there are any credentials here; there's not even a login form.

323
00:21:27,350 --> 00:21:32,350
And so we need to parse these data files to see if there's anything in here that can help us build

324
00:21:32,350 --> 00:21:33,100
a wordlist.

325
00:21:34,000 --> 00:21:38,680
Because if we click on the HTML here, you can see it's actually showing, OK, this is the printer

326
00:21:38,680 --> 00:21:40,390
name, here's a client.

327
00:21:40,480 --> 00:21:41,500
So we've got some of those names.

328
00:21:42,100 --> 00:21:43,000
We've got some usernames.

329
00:21:43,030 --> 00:21:43,360
Right.

330
00:21:43,970 --> 00:21:49,630
So this is the information we're going to want to build into our word lists so we can start trying to

331
00:21:49,630 --> 00:21:51,310
gain access into this environment.

332
00:21:53,470 --> 00:21:57,580
OK, so let's go ahead and go back to this, and let's clean this up a little bit.

333
00:21:59,140 --> 00:22:03,070
First, one thing I'm noticing is there are usernames here, right?

334
00:22:04,540 --> 00:22:05,740
So let's just parse this out.

335
00:22:06,580 --> 00:22:09,850
Let's parse these names out and build a user list.

336
00:22:10,540 --> 00:22:14,860
So what we can do, up arrow, let's just grep.

337
00:22:18,040 --> 00:22:20,110
And we don't want... -v means

338
00:22:20,110 --> 00:22:21,040
don't return this.

339
00:22:21,400 --> 00:22:24,370
-i means case insensitive, and the caret.

340
00:22:25,750 --> 00:22:26,200
Where is it?

341
00:22:26,500 --> 00:22:29,350
This means I don't want any lines that have.

342
00:22:29,380 --> 00:22:30,130
Let's start with.

343
00:22:34,220 --> 00:22:40,700
You know, you noticed that went away. Before, PaperCut was showing up in a line. That's not right. An

344
00:22:40,700 --> 00:22:49,410
easier way to do this is probably just to say I want all the lines that actually have 2020, that start

345
00:22:49,410 --> 00:22:52,360
with 2020, because those are the lines that contain our usernames, right.

346
00:22:53,180 --> 00:22:56,150
So say grep space minus i, 2020.

347
00:22:58,020 --> 00:22:59,270
Now we've got all the lines returned.

348
00:22:59,480 --> 00:23:04,630
Now we need to clean this up a little bit, so we can just cut on the delimiter.

349
00:23:05,210 --> 00:23:06,440
I think we can use a comma.

350
00:23:06,640 --> 00:23:06,980
Right.

351
00:23:07,520 --> 00:23:16,790
So the delimiter, we set -d to a comma, and the field that we want: this would be field number

352
00:23:16,790 --> 00:23:21,050
one and this is field number two.

353
00:23:21,620 --> 00:23:25,650
So we want field two. Go and see what that looks like.

354
00:23:25,670 --> 00:23:25,880
All right.

355
00:23:25,880 --> 00:23:31,670
We've got a couple of duplicates in here, but we're getting better, so we can actually send that to sort.

356
00:23:34,340 --> 00:23:36,100
And uniq should give us uniques.

357
00:23:36,720 --> 00:23:37,250
There we go.

358
00:23:38,750 --> 00:23:42,890
So let's go ahead and output that to users.lst.

359
00:23:44,340 --> 00:23:45,650
OK, permission denied.

360
00:23:46,760 --> 00:23:53,300
So we're trying to redirect the output from Standard out, which is usually a one.

361
00:23:54,500 --> 00:23:57,480
See, this is standard in, this is standard out.

362
00:23:57,500 --> 00:23:58,360
This is standard error.

363
00:23:58,880 --> 00:24:03,450
We're trying to redirect standard out from the terminal to a file with this redirection operator, and it's

364
00:24:03,470 --> 00:24:09,620
saying permission denied.

365
00:24:10,160 --> 00:24:11,720
We could change to root; that would fix it.

366
00:24:11,720 --> 00:24:18,010
But if we go back up, you'll notice that part of the problem is this directory, fuse, is owned by root.

367
00:24:18,020 --> 00:24:26,330
We need to make this owned by pentester, which is who I am.

368
00:24:26,330 --> 00:24:26,650
Right.

369
00:24:26,880 --> 00:24:31,880
I don't have permission to basically write to this directory.

370
00:24:33,230 --> 00:24:40,400
It's root only: you can read and execute, read and execute, and only root can write, which is

371
00:24:40,400 --> 00:24:40,760
what we need.

372
00:24:40,760 --> 00:24:41,660
We need the write permissions.

373
00:24:41,660 --> 00:24:51,380
So let's go: chown, change ownership, change it to pentester and the pentester group, and then we'll just

374
00:24:51,380 --> 00:24:53,630
make sure it's changed ownership on the fuse folder.

375
00:24:56,000 --> 00:24:59,660
And now you can see we now own this folder.

376
00:25:00,320 --> 00:25:06,560
Let's go back into fuse, type in my command, and it looks like it completed.

377
00:25:06,560 --> 00:25:13,610
users.lst, and we've got a user list just like that. That is pretty sweet.

378
00:25:14,090 --> 00:25:16,460
So what I want to do right now is I just want to test these users.

379
00:25:16,860 --> 00:25:18,470
We can do that using a tool called kerbrute.

380
00:25:19,470 --> 00:25:20,810
So I'm going to go ahead, install it.

381
00:25:24,610 --> 00:25:28,430
This is a great tool just to check, you know, against an Active Directory environment, just to make sure

382
00:25:28,430 --> 00:25:30,980
that, you know, these names actually exist.

383
00:25:32,750 --> 00:25:35,030
We just want to validate what we're seeing from the CSV file.

384
00:25:37,300 --> 00:25:37,730
All right.

385
00:25:37,730 --> 00:25:39,250
So we should be able to type kerbrute.

386
00:25:39,710 --> 00:25:40,610
That's not what I wanted.

387
00:25:41,150 --> 00:25:42,170
kerbrute.

388
00:25:46,280 --> 00:25:47,510
Why didn't it work?

389
00:25:49,010 --> 00:25:52,760
Zero, kerbrute or something didn't happen.

390
00:25:52,760 --> 00:25:53,120
Right.

391
00:25:54,200 --> 00:25:56,150
So it's saying the script kerbrute was installed here.

392
00:25:56,990 --> 00:25:57,980
This is not in our path.

393
00:25:58,920 --> 00:26:03,710
So, adding the directory to the path, we could do that, but let's just make sure it's actually there.

394
00:26:03,710 --> 00:26:04,850
I'm not sure why it did this.

395
00:26:05,900 --> 00:26:09,590
Let's just go to that path screen.

396
00:26:11,150 --> 00:26:11,720
It is there.

397
00:26:12,380 --> 00:26:15,650
So what I'll do, let's just do echo $PATH.

398
00:26:18,150 --> 00:26:28,020
I'm just going to move this to our /usr/local/bin folder here, so, you know, move it to that folder.

399
00:26:29,100 --> 00:26:33,390
Now if you do which kerbrute, it's there.

400
00:26:34,440 --> 00:26:39,440
Now, we should just be able to type kerbrute, because now it's in the path.

401
00:26:39,930 --> 00:26:44,160
This path basically means, hey, the terminal basically says, hey, I've got this command.

402
00:26:44,160 --> 00:26:46,200
I don't know what kerbrute is, kerbrute.

403
00:26:46,890 --> 00:26:53,340
So I'm going to first check all these folders: /usr/sbin, I'm going to check /usr/sbin.

404
00:26:53,340 --> 00:26:54,840
I'm going to check /sbin itself.

405
00:26:54,840 --> 00:26:56,220
I want to check /usr/local/bin.

406
00:26:56,670 --> 00:27:02,730
I'm going to check /usr/bin and then just /bin and then /usr/local/games and /usr/games to see if there's

407
00:27:02,730 --> 00:27:03,920
a binary or executable.

408
00:27:03,920 --> 00:27:08,610
And if it's not there, I can't run it, and then it'll return an error.

409
00:27:09,240 --> 00:27:12,720
That's what we were seeing earlier right here.

410
00:27:12,930 --> 00:27:14,400
dash is like the shell thing.

411
00:27:14,400 --> 00:27:15,330
I don't even know what that is.

412
00:27:15,330 --> 00:27:19,310
But once we moved it into a directory that was inside this path, it runs just fine.

413
00:27:19,980 --> 00:27:21,000
So I hope that makes sense.

414
00:27:21,810 --> 00:27:22,950
So now we should be able to run it.

415
00:27:23,130 --> 00:27:29,600
And we did see here, it looks like it's a version that's implemented in Impacket, which is really cool.

416
00:27:30,510 --> 00:27:33,060
Let's go ahead and start this thing up.

417
00:27:33,060 --> 00:27:43,080
So let's just go, kerbrute, and we want to check the users list. Let's see, we're looking here: users,

418
00:27:44,340 --> 00:27:46,920
a users file with users per line.

419
00:27:47,100 --> 00:27:47,810
That's what we have.

420
00:27:49,170 --> 00:27:53,670
So users.lst, we're in the wrong directory. Let's go to the right directory,

421
00:27:58,050 --> 00:28:00,450
then we can say, you know, kerbrute

422
00:28:04,050 --> 00:28:09,270
users, users.lst, and let's put the domain in as well.

423
00:28:10,020 --> 00:28:12,930
You'll see there is an option for that.

424
00:28:14,430 --> 00:28:18,060
Since we have the domain, it makes sense to apply it; it should increase our chances of getting positive

425
00:28:18,060 --> 00:28:22,350
results. fabricorp.local.

426
00:28:26,990 --> 00:28:28,670
Let's see, can we have Python 2 this

427
00:28:36,410 --> 00:28:40,400
time to spell out kerbrute?

428
00:28:46,720 --> 00:28:56,740
It's weird to consider how it works, so I don't know why it worked with that; that took out zero, but it

429
00:28:56,740 --> 00:28:57,250
did.

430
00:28:57,760 --> 00:28:59,170
That is a mystery to me.

431
00:29:01,150 --> 00:29:02,280
I really don't understand that.

432
00:29:02,290 --> 00:29:06,130
But anyway, we now can see that we've got valid user accounts for all these.

433
00:29:07,450 --> 00:29:12,240
So, Administrator, behold Martin S. Thompson tillable.

434
00:29:12,700 --> 00:29:15,850
So this is why now we know we're working with valid accounts.

435
00:29:16,490 --> 00:29:19,600
We've got, you know, these users, we know they work; we just need passwords.

436
00:29:19,960 --> 00:29:21,070
So there's a couple of different things we could do.

437
00:29:21,070 --> 00:29:21,330
Right.

438
00:29:21,340 --> 00:29:27,520
We could try to brute force these accounts using like the RockYou password list, or we could fire up a bunch

439
00:29:27,520 --> 00:29:29,830
of CPUs to try to crack it.

440
00:29:30,460 --> 00:29:35,260
But in this case, I think it makes more sense to build a custom word list.

441
00:29:35,260 --> 00:29:35,500
Right.

442
00:29:35,860 --> 00:29:42,760
We've already got those CSV files, and we can scrape the web page and pull in additional key

443
00:29:42,760 --> 00:29:49,720
words and phrases, and then we can add some variety using hashcat and build an ultimate word

444
00:29:49,720 --> 00:29:56,500
list that is perfectly tailored to our target and thus increase the probability of us getting into the

445
00:29:56,500 --> 00:29:57,940
system, into this network.

446
00:29:57,970 --> 00:30:03,610
OK, so let us go back and look at what we have with these so far.

447
00:30:03,640 --> 00:30:05,170
These are CSV files.

448
00:30:06,700 --> 00:30:07,660
All right, so we've got this.

449
00:30:08,320 --> 00:30:14,590
Let's work on a password list that's going to grab only the ones that start with 2020.

450
00:30:15,460 --> 00:30:16,210
And we're going to do some.

451
00:30:16,810 --> 00:30:18,130
bash too. Let's cut this up.

452
00:30:19,090 --> 00:30:24,820
Let's say everywhere there is a single tick.

453
00:30:27,430 --> 00:30:29,740
We want to get possible passwords.

454
00:30:29,740 --> 00:30:37,690
So using a comma as a delimiter, we can do one, two.

455
00:30:37,700 --> 00:30:39,500
So I think we should use usernames and passwords.

456
00:30:39,500 --> 00:30:47,140
So we want this, field two, to filter, and what else? We don't care about that, four. No, probably something interesting

457
00:30:47,140 --> 00:30:47,440
here.

458
00:30:47,440 --> 00:30:48,010
Five,

459
00:30:50,950 --> 00:30:54,760
maybe we can build this out or this from that six.

460
00:30:55,480 --> 00:30:56,920
Maybe even this seven.

461
00:30:59,560 --> 00:31:11,050
Eight and nine, so maybe five, nine, five through nine.

462
00:31:12,730 --> 00:31:13,890
OK, that's interesting, good.

463
00:31:13,910 --> 00:31:18,370
So we got some text, but we need to clean up a little more so we can actually use this

464
00:31:18,370 --> 00:31:25,330
tool, which is tr: translate, delete characters. We can use this to rearrange or transform some

465
00:31:25,360 --> 00:31:26,500
of the characters in our stream.

466
00:31:28,300 --> 00:31:28,890
Go back up here.

467
00:31:28,900 --> 00:31:34,270
I can say tr minus d, and I just want to get rid of all the double quotes.

468
00:31:35,440 --> 00:31:35,680
Right.

469
00:31:35,800 --> 00:31:44,140
I don't care to have that in my passwords, so I'll clean those out: tr space minus d, single tick,

470
00:31:44,140 --> 00:31:48,600
quote, single tick. That's going to continue to build out this word list.

471
00:31:49,100 --> 00:31:52,660
Let's also clean up any spaces.

472
00:31:52,660 --> 00:31:52,910
Right.

473
00:31:52,930 --> 00:31:55,660
I don't care about these spaces, so clean them out.

474
00:31:57,340 --> 00:31:58,420
And what else can we do?

475
00:31:58,450 --> 00:32:02,350
We can start putting stuff on the lines now.

476
00:32:02,350 --> 00:32:08,350
So if we look for everything that's a dot, like the extension's dot, I can break it here, or turn that

477
00:32:08,350 --> 00:32:10,120
into a newline so it goes onto another line.

478
00:32:10,120 --> 00:32:10,340
Right.

479
00:32:11,080 --> 00:32:15,160
So transform this dot into a newline.

480
00:32:16,690 --> 00:32:17,260
See, PDF.

481
00:32:17,260 --> 00:32:19,450
Now, that newline right here broke it right there.

482
00:32:20,680 --> 00:32:21,090
All right.

483
00:32:21,100 --> 00:32:21,860
What else do we want to do?

484
00:32:21,880 --> 00:32:24,550
We want to take everywhere

485
00:32:24,550 --> 00:32:26,550
there's a comma and put in a newline.

486
00:32:26,920 --> 00:32:27,100
Right.

487
00:32:27,160 --> 00:32:28,000
So these commas right here.

488
00:32:28,720 --> 00:32:29,800
Let's put these on new lines.

489
00:32:31,090 --> 00:32:32,000
Sweet start.

490
00:32:32,000 --> 00:32:32,530
No good.

491
00:32:33,160 --> 00:32:35,920
We also want to take every place

492
00:32:35,920 --> 00:32:40,360
there is a dash like this, with a newline,

493
00:32:42,880 --> 00:32:43,710
everywhere.

494
00:32:43,750 --> 00:32:45,160
there is an

495
00:32:48,130 --> 00:32:48,850
underscore.

496
00:32:49,790 --> 00:32:50,740
it gets a newline.

497
00:32:54,250 --> 00:32:55,090
looking good.

498
00:32:56,690 --> 00:32:58,060
Now let's sort, uniq.

499
00:33:00,610 --> 00:33:03,130
And we can write that to a file called passwords

500
00:33:03,520 --> 00:33:08,170
.lst. So it's looking good.

501
00:33:08,680 --> 00:33:09,640
Do a word count on that.

502
00:33:11,770 --> 00:33:13,120
Twenty five words so far.

503
00:33:13,120 --> 00:33:15,880
It's not that big, but we're starting.

504
00:33:15,880 --> 00:33:16,060
Right.

505
00:33:16,060 --> 00:33:19,540
We're starting to build this out. Then we can use a tool called CeWL

506
00:33:23,920 --> 00:33:25,710
to get even more data.

507
00:33:26,320 --> 00:33:26,620
So if we.

508
00:33:26,630 --> 00:33:27,070
type cewl.

509
00:33:29,540 --> 00:33:32,150
It's going to ask us for stuff, so let's go and give it the help argument

510
00:33:34,970 --> 00:33:41,540
and let's see what we can do here, build out what we're going to do.

511
00:33:44,210 --> 00:33:44,840
All right,

512
00:33:48,410 --> 00:33:54,580
so we're going to say sudo cewl, and the first thing we need to do, I think, is the depth. The depth

513
00:33:54,710 --> 00:33:58,660
is set to two by default. How nested do we need to get? This page is very simple.

514
00:33:58,670 --> 00:34:04,100
We don't have a bunch of links nested, but I'm just going to set the depth to five just in case there's

515
00:34:04,100 --> 00:34:05,660
some hidden links that we didn't discover.

516
00:34:06,920 --> 00:34:08,090
What else can we do in here?

517
00:34:09,170 --> 00:34:10,250
And a minimum word length.

518
00:34:10,250 --> 00:34:11,240
Right, Agent?

519
00:34:11,240 --> 00:34:17,000
We could change this thing if we wanted to. With numbers: accept words with numbers in as well as just

520
00:34:17,000 --> 00:34:17,300
letters.

521
00:34:17,330 --> 00:34:18,980
Yes, because passwords can have numbers.

522
00:34:18,980 --> 00:34:21,830
So we want that with numbers.

523
00:34:24,200 --> 00:34:28,310
And then we want to put in the webpage right now.

524
00:34:28,370 --> 00:34:36,530
This one's got the homepage, start crawling from there. Let's see, put that in.

525
00:34:38,150 --> 00:34:42,560
And what we're going to do is put this double redirection so that we don't overwrite passwords

526
00:34:42,560 --> 00:34:47,120
.lst, but we append what we find here to passwords.lst. Really important.

527
00:34:47,840 --> 00:34:51,170
We just put one greater than you don't overwrite it.

528
00:34:51,530 --> 00:34:59,930
But now go back up and we can, let me clear that, we do wc minus l on passwords

529
00:34:59,930 --> 00:35:00,410
.lst.

530
00:35:00,440 --> 00:35:00,970
We should have more.

531
00:35:00,980 --> 00:35:06,130
Yeah, we have 205 and you can see there's a lot more in here now, right.

532
00:35:08,150 --> 00:35:09,560
Well, this line looks kind of weird.

533
00:35:11,120 --> 00:35:12,920
I don't know why it put the banner inside.

534
00:35:12,930 --> 00:35:14,000
I guess I typed everything.

535
00:35:15,500 --> 00:35:23,280
I could just get rid of that real quick: see if it starts with CeWL.

536
00:35:28,230 --> 00:35:29,150
This should be a pipe

537
00:35:32,150 --> 00:35:36,380
and put that back, and put this in a new file called passwords2.lst.

538
00:35:37,520 --> 00:35:43,820
OK, so I had to do that because I don't like those little things inside of my word list; they're going

539
00:35:43,820 --> 00:35:50,360
to just bother me. So let's remove our passwords.lst. Sweet.

540
00:35:50,450 --> 00:35:56,200
And then we can change this back to passwords.lst.

541
00:35:57,170 --> 00:36:03,500
OK, just make sure that we actually did that; it's still there.

542
00:36:04,340 --> 00:36:04,880
So I don't know.

543
00:36:05,270 --> 00:36:05,840
Let's just leave it there.

544
00:36:05,840 --> 00:36:06,320
Doesn't matter.

545
00:36:07,940 --> 00:36:08,300
All right.

546
00:36:08,930 --> 00:36:13,480
So we've got this for our list, and we're going to top it off with hashcat.

547
00:36:14,000 --> 00:36:17,300
So hashcat is not just about cracking passwords.

548
00:36:17,300 --> 00:36:19,220
You can use it to build awesome password lists.

549
00:36:19,520 --> 00:36:24,980
And we're going to do that by adding some additional text into

550
00:36:27,980 --> 00:36:29,120
into our passwords list.

551
00:36:29,210 --> 00:36:37,970
So we're going to put some seasons into this file, and you're going to see why in a second: summer,

552
00:36:42,110 --> 00:36:45,230
this spring and finally winter.

553
00:36:49,500 --> 00:36:51,380
So we do tail passwords.lst.

554
00:36:53,270 --> 00:36:54,870
You see we've got these in here now, right.

555
00:36:55,280 --> 00:37:00,770
So what we can do is we can actually transform this so that we actually add permutations to all the

556
00:37:00,770 --> 00:37:01,460
passwords in here.

557
00:37:01,460 --> 00:37:05,540
And we'll also include this because a lot of times you'll find passwords like, you know, fall

558
00:37:05,540 --> 00:37:10,670
2021 or winter 2022, that include, you know, the season and the year.

559
00:37:11,030 --> 00:37:16,310
And so by adding this to our file, we're adding or basically increasing the fidelity and efficacy of

560
00:37:16,310 --> 00:37:18,560
our brute forcing efforts.

561
00:37:19,640 --> 00:37:21,260
So let's go ahead and launch hashcat

562
00:37:26,300 --> 00:37:26,870
with help.

563
00:37:27,440 --> 00:37:27,880
Sure.

564
00:37:29,030 --> 00:37:29,450
OK.

565
00:37:30,940 --> 00:37:31,520
All right.

566
00:37:31,670 --> 00:37:33,740
So what can we do here?

567
00:37:34,370 --> 00:37:38,240
Well, we want to first add force.

568
00:37:38,750 --> 00:37:43,190
We just want to ignore any of the warnings. You know, in a normal pentest

569
00:37:43,190 --> 00:37:48,020
I wouldn't do this, but since this is a lab environment and we're using a VM, we're probably gonna

570
00:37:48,020 --> 00:37:51,710
get some errors that we can safely ignore and just continue to proceed.

571
00:37:51,870 --> 00:37:53,280
What we want to do is one of these, the rules.

572
00:37:53,390 --> 00:38:05,210
So if I go back, for example, you can see it a couple of times: dash dash rules dash file, the

573
00:38:05,210 --> 00:38:06,740
file that we need to specify.

574
00:38:07,370 --> 00:38:12,290
Multiple rules applied to each word from the wordlists, and you can see the best64 rules.

575
00:38:12,620 --> 00:38:15,410
You can put the path and then best64.rule.

576
00:38:15,440 --> 00:38:16,280
So let's do that.

577
00:38:17,210 --> 00:38:22,100
So we're going to say rules file, right?

578
00:38:22,880 --> 00:38:27,540
And then we're going to set this to /usr/share.

579
00:38:27,650 --> 00:38:38,510
I believe it's hashcat. Is it hashcat? I think it's actually in rules. Let's see, hashcat,

580
00:38:40,880 --> 00:38:44,090
rules, and I see best.

581
00:38:44,300 --> 00:38:45,840
Yes, right.

582
00:38:46,070 --> 00:38:48,920
And then we're going to say, and we want to send it to standard out.

583
00:38:49,190 --> 00:38:53,570
So if we go down to the bottom, it should be listed

584
00:38:56,870 --> 00:38:57,980
as stdout.

585
00:38:59,210 --> 00:38:59,570
All right.

586
00:39:00,380 --> 00:39:02,780
Dash dash stdout: do not crack a hash, instead

587
00:39:03,200 --> 00:39:03,830
print candidates only.

588
00:39:03,830 --> 00:39:04,090
Right.

589
00:39:04,130 --> 00:39:04,940
That's what we want to do.

590
00:39:05,510 --> 00:39:06,740
We don't actually want to crack anything.

591
00:39:06,740 --> 00:39:07,780
We're printing it out.

592
00:39:09,380 --> 00:39:11,300
And where do we want to do what?

593
00:39:11,300 --> 00:39:17,340
We want to send this to a new file called like passwords2.lst.

594
00:39:19,380 --> 00:39:21,650
And we could close this one.

595
00:39:23,450 --> 00:39:29,690
And right now, I could have just done it to passwords.lst, but sometimes if you... oh, I just

596
00:39:29,690 --> 00:39:35,390
realized we didn't actually specify the passwords file.

597
00:39:37,070 --> 00:39:37,550
This is the file.

598
00:39:37,550 --> 00:39:44,230
We're going to run this against the passwords, passwords.lst.

599
00:39:46,730 --> 00:39:48,710
Zero kill minus nine.

600
00:39:49,430 --> 00:39:49,970
What is this?

601
00:39:50,510 --> 00:39:53,510
Four four one one one six six

602
00:39:56,810 --> 00:39:57,050
good.

603
00:39:57,060 --> 00:40:00,530
So, yeah, and the reason why I put this to a second passwords file is because I don't want to clobber the

604
00:40:00,530 --> 00:40:01,110
original one.

605
00:40:01,580 --> 00:40:01,830
All right.

606
00:40:02,040 --> 00:40:06,620
We're basically saying read this file as input and then return this newfound output.

607
00:40:07,040 --> 00:40:08,810
But if these names are the same, then,

608
00:40:09,470 --> 00:40:14,210
depending on when it reads and when it outputs, you might actually have it output the results,

609
00:40:14,990 --> 00:40:18,350
overwriting the input, and thus clobber your file and get nothing.

610
00:40:19,010 --> 00:40:21,500
So it's always good just to try to avoid doing that.

611
00:40:22,220 --> 00:40:28,400
And I do that by renaming things, and we have a new one, so we can do like wc on that one as well.

612
00:40:29,360 --> 00:40:37,880
And we can do star dot lst. Let's see, cat passwords

613
00:40:41,900 --> 00:40:46,790
or something that actually shows us which files, so we can just do it manually.

614
00:40:46,790 --> 00:40:47,240
It's OK.

615
00:40:48,650 --> 00:40:50,120
passwords.lst.

616
00:40:51,920 --> 00:40:57,190
So the old one had 209 and the new one has sixteen thousand.

617
00:40:57,350 --> 00:40:57,650
Right.

618
00:40:57,660 --> 00:40:58,790
So if you take a look at it,

619
00:41:02,270 --> 00:41:03,550
I mean there's a lot of stuff in here.

620
00:41:03,580 --> 00:41:08,420
Look at all the stuff we got. You know, we had a small list and now we have this awesome wordlist

621
00:41:08,420 --> 00:41:13,640
that's like custom tuned to our environment, greatly enhancing our ability to actually get this

622
00:41:13,640 --> 00:41:14,180
password.

623
00:41:15,650 --> 00:41:18,080
So this is really, really, really good.

624
00:41:18,500 --> 00:41:19,860
And we're going to go ahead and run this.

625
00:41:20,660 --> 00:41:28,910
Go ahead and first remove the old passwords.lst file, and then move the new one to the old

626
00:41:28,910 --> 00:41:30,200
one, the old name.

627
00:41:34,460 --> 00:41:34,960
All right.

628
00:41:34,970 --> 00:41:38,510
So we've got both of them here, passwords.lst and users.lst.

629
00:41:39,170 --> 00:41:39,580
All right.

630
00:41:39,590 --> 00:41:42,110
So let's go ahead and start cracking.

631
00:41:42,500 --> 00:41:42,770
Right.

632
00:41:43,400 --> 00:41:52,850
Let's use Hydra for this. Hydra, and Hydra has a complicated syntax.

633
00:41:53,150 --> 00:41:54,800
It's one of the reasons why I used to stay away from it.

634
00:41:54,800 --> 00:41:56,030
But it's very, very powerful.

635
00:41:56,450 --> 00:42:03,530
And one of the things we want to do is we want to, you know, crack these, but we need to make sure

636
00:42:03,530 --> 00:42:07,010
we specify the correct syntax for SMB.

637
00:42:07,400 --> 00:42:07,640
Right.

638
00:42:07,640 --> 00:42:13,130
So you can see that there is a module or a service called SMB: supported services, SMB.

639
00:42:13,760 --> 00:42:18,110
And one of the ways you can do that is if you look at the service module usage details, you can get

640
00:42:18,110 --> 00:42:21,680
more information about how to use it, so we can type like sudo hydra,

641
00:42:25,370 --> 00:42:29,150
hydra, smb, dash U.

642
00:42:31,130 --> 00:42:32,990
And now it tells us right.

643
00:42:33,230 --> 00:42:39,950
Help for the module SMB: module smb default value is set to test both local and domain accounts using a

644
00:42:39,950 --> 00:42:41,870
simple password with NTLM dialect.

645
00:42:42,270 --> 00:42:43,580
I'm not really sure what that means.

646
00:42:43,760 --> 00:42:47,570
The important thing that we really care about is this because we're using a domain.

647
00:42:48,830 --> 00:42:56,780
So we probably want to hit like a syntax that looks similar to this, so we can do sudo hydra, hydra,

648
00:42:58,100 --> 00:43:02,720
and we want to specify the SMB service.

649
00:43:02,720 --> 00:43:03,310
How do we do that?

650
00:43:03,320 --> 00:43:08,870
Go back up here and see here, I think service colon whack whack server.

651
00:43:09,590 --> 00:43:20,480
So service, colon, whack whack, and then the server, which would be the target, and we have a list of

652
00:43:20,480 --> 00:43:20,810
users.

653
00:43:20,810 --> 00:43:31,100
So how do we input a list of users? Let's see if it tells us. Dash capital L file, that looks like that might be

654
00:43:31,100 --> 00:43:31,850
what we want.

655
00:43:33,230 --> 00:43:33,650
Yes.

656
00:43:34,280 --> 00:43:39,560
Dash l login or dash capital L file: login with a login name, or load several logins from a file.

657
00:43:39,660 --> 00:43:41,540
We want to do this: load several logins from a file.

658
00:43:41,540 --> 00:43:42,560
So dash capital L file.

659
00:43:44,960 --> 00:43:51,350
So we want to do, let's say, dash L users, and we want to do something similar for the passwords.

660
00:43:51,350 --> 00:43:52,220
I'm guessing it's dash capital P.

661
00:43:53,690 --> 00:43:55,640
Let's scroll up and see.

662
00:43:56,060 --> 00:43:56,510
Yes.

663
00:43:56,510 --> 00:44:00,340
Dash capital P file: load several passwords from a file.

664
00:44:00,530 --> 00:44:03,370
So we want to do, oops, put this in.

665
00:44:04,340 --> 00:44:04,790
All right.

666
00:44:05,090 --> 00:44:11,510
So we've got both in place and we want to make sure we put this little piece in right here so we can

667
00:44:11,510 --> 00:44:16,850
put in our domain and make sure we get maximum coverage here.

668
00:44:18,050 --> 00:44:18,890
fabricorp,

669
00:44:21,800 --> 00:44:31,130
fabricorp, fabricorp, fabricorp. cat /etc/hosts. fabricorp

670
00:44:31,130 --> 00:44:38,480
dot local. Let's see, exit, control D.

671
00:44:39,830 --> 00:44:45,200
That looks good, and I think we can press enter on this one.

672
00:44:45,970 --> 00:44:52,290
It started at 13:18. I'm in a VM, so it could take a while, but it's OK.

673
00:44:55,060 --> 00:45:02,420
Right, so we're back. It took about 15 minutes on this VM, whatever my specs are on this thing, but it took

674
00:45:02,870 --> 00:45:04,060
a bit of time to crack this.

675
00:45:05,180 --> 00:45:10,480
So, you know, if you had a beefier box... I'm forgetting the RAM on here, two processors.

676
00:45:11,440 --> 00:45:16,540
It's not really too beefy, but we eventually got something you can see here.

677
00:45:16,540 --> 00:45:23,020
It's saying account B-halt, password, and the password is valid, but the password is expired and must

678
00:45:23,020 --> 00:45:24,490
be changed on the next logon.

679
00:45:24,670 --> 00:45:26,460
So this is interesting.

680
00:45:27,190 --> 00:45:29,740
Can we log in with this account?

681
00:45:30,280 --> 00:45:32,470
That's the question, because it's expired.

682
00:45:33,160 --> 00:45:36,160
Now, if this were an interactive session, you know, Windows is probably just going to prompt us to

683
00:45:36,160 --> 00:45:37,270
change your password automatically.

684
00:45:37,270 --> 00:45:43,570
But, you know, because we're doing this wholly from the command line from Linux, we might get a different

685
00:45:43,570 --> 00:45:44,130
result.

686
00:45:44,140 --> 00:45:46,320
So let's see what we can do here.

687
00:45:46,330 --> 00:45:49,750
Let's go and say that let's go back to Discovery

688
00:45:52,330 --> 00:45:59,890
and before we play with that password, let's see if we can use ldapsearch to get more information

689
00:45:59,890 --> 00:46:02,320
about the environment.

690
00:46:03,790 --> 00:46:05,510
OK, can't contact LDAP server.

691
00:46:05,530 --> 00:46:11,500
Let's just run help, and there are a bunch of different options here.

692
00:46:11,860 --> 00:46:15,160
But what I'm really interested in first is how do I specify the target?

693
00:46:16,480 --> 00:46:18,010
Usually it's like a dash h.

694
00:46:18,010 --> 00:46:18,370
Yeah.

695
00:46:18,850 --> 00:46:19,950
Dash H: host, LDAP server.

696
00:46:19,960 --> 00:46:28,420
So we'll set the target as the LDAP server, and we'll set the scope to base.

697
00:46:29,480 --> 00:46:30,320
What else can we do?

698
00:46:30,340 --> 00:46:34,370
We can also just use simple authentication.

699
00:46:34,400 --> 00:46:35,770
All right, so let's go and do this stuff.

700
00:46:35,770 --> 00:46:45,970
We go ldapsearch, dash H is the target, scope base, simple authentication.

701
00:46:45,970 --> 00:46:49,770
So we got some results back, and I'm not even authenticating at this point.

702
00:46:49,780 --> 00:46:51,190
It's just purely unauthenticated.

703
00:46:52,120 --> 00:46:57,840
There's nothing really. Well, we got this fabricorp dot local, cool.

704
00:46:58,330 --> 00:47:02,230
See that as part of the subschema subentry.

705
00:47:02,680 --> 00:47:04,450
But we don't really have much more than that.

706
00:47:04,480 --> 00:47:12,110
We can see this fabricorp.local in here, which we already knew about, nothing really

707
00:47:12,520 --> 00:47:13,060
else.

708
00:47:13,090 --> 00:47:15,930
So anyway, I just want to check that to see if we can find something interesting from that.

709
00:47:16,690 --> 00:47:20,280
So let's go ahead and see if we can use smbclient to connect.

710
00:47:20,830 --> 00:47:22,810
OK, so if we do smbclient.

711
00:47:24,760 --> 00:47:26,770
We get some options, right?

712
00:47:27,340 --> 00:47:34,780
--user equals bhult, and I knew it was dash-dash user because if you look in the options, you'll see

713
00:47:34,780 --> 00:47:35,530
that it's right here.

714
00:47:36,940 --> 00:47:39,130
Dash-dash user equals and the username.

715
00:47:39,370 --> 00:47:39,730
Right.

716
00:47:40,360 --> 00:47:46,720
And then we want to make sure that we specify what we want to do, what we want to list, the list

717
00:47:46,720 --> 00:47:53,430
of the shares on this target, so we can use, I believe it's dash L for this.

718
00:47:53,440 --> 00:47:56,380
I can never find where I want to go in here, you know.

719
00:47:56,380 --> 00:47:59,530
So what I can do here is I can say I think I can do this.

720
00:48:00,100 --> 00:48:03,210
Dash-dash list does not work that way.

721
00:48:03,940 --> 00:48:07,290
OK, so that wouldn't be too easy.

722
00:48:09,730 --> 00:48:10,240
There it is.

723
00:48:10,240 --> 00:48:13,510
Dash-dash list equals host, dash-dash list equals.

724
00:48:13,840 --> 00:48:21,670
This is the host and let's see if we enter his password again.

725
00:48:21,700 --> 00:48:23,200
It says password must change.

726
00:48:23,380 --> 00:48:23,650
Right.

727
00:48:23,680 --> 00:48:29,470
If we try putting in an invalid password like bla bla bla bla bla bla bla, we get a logon failure, so

728
00:48:29,470 --> 00:48:30,760
we know we have the right password.

729
00:48:30,760 --> 00:48:31,050
Right?

730
00:48:31,060 --> 00:48:31,300
It is.

731
00:48:31,320 --> 00:48:33,670
Let's actually echo.

732
00:48:33,680 --> 00:48:36,340
Let's export

733
00:48:39,550 --> 00:48:44,260
password equals this because we need it.

734
00:48:45,250 --> 00:48:46,750
Echo password.

735
00:48:47,090 --> 00:48:47,460
Yeah.

736
00:48:48,190 --> 00:48:51,550
So how do we change a password?

737
00:48:53,590 --> 00:48:59,150
We need to change it somehow. Now we can see if there's any tools, SMB, that let us do this. I just

738
00:48:59,150 --> 00:49:02,440
typed smb and tab to see what tools we have.

739
00:49:05,650 --> 00:49:08,210
Oh, look at that, smbpasswd.

740
00:49:09,010 --> 00:49:09,700
Maybe this does it.

741
00:49:10,000 --> 00:49:12,370
I bet it does, man.

742
00:49:12,610 --> 00:49:12,970
Oops.

743
00:49:13,340 --> 00:49:14,350
Wrong caps, man.

744
00:49:14,380 --> 00:49:15,700
smbpasswd.

745
00:49:15,700 --> 00:49:20,890
Let's just look at the man page for it, but look at that: user's SMB password.

746
00:49:21,130 --> 00:49:22,360
That's exactly what we want.

747
00:49:22,450 --> 00:49:28,090
OK, so let's go ahead and rock it.

748
00:49:29,380 --> 00:49:33,580
We can say, like, sudo python3.

749
00:49:34,840 --> 00:49:35,410
No sorry.

750
00:49:35,530 --> 00:49:42,900
We can say sudo smbpasswd, user is bhult.

751
00:49:44,740 --> 00:49:46,390
And what else do we need?

752
00:49:47,140 --> 00:49:47,800
The remote machine.

753
00:49:47,800 --> 00:49:48,040
Right.

754
00:49:48,280 --> 00:49:49,540
Dash r, machine, tack.

755
00:49:49,540 --> 00:49:52,560
Dash r, probably target, or password controls.

756
00:49:52,630 --> 00:49:57,100
The password, I'm going to name it "password".

757
00:49:57,100 --> 00:49:59,230
That's one, two, three. Password changed.

758
00:49:59,260 --> 00:49:59,860
Very cool.

759
00:50:00,670 --> 00:50:01,390
Now what can we do?

760
00:50:01,420 --> 00:50:11,200
Well, we can try to spray, so we can do sudo python3 cme smb target, smb target, and we can do

761
00:50:11,200 --> 00:50:15,400
this user, which is bhult. Actually, what we want is...

762
00:50:16,180 --> 00:50:18,430
Oh yeah.

763
00:50:18,430 --> 00:50:22,510
Let's spray this password, the one that we cracked, across all the users in our environment.

764
00:50:22,870 --> 00:50:31,570
So users.lst, and let's just do this, and we'll say continue on success.

765
00:50:35,890 --> 00:50:43,960
So all I did was I just took this password, the original one that we cracked, and I sprayed it across

766
00:50:43,960 --> 00:50:46,240
all the users in this list.

767
00:50:46,240 --> 00:50:51,190
So I just tried this password against every single one of these users via SMB.

768
00:50:52,030 --> 00:51:00,370
And I got this purple dash, password must change for bhult, the password must change for tlflynn.

769
00:51:00,790 --> 00:51:04,300
Now, interestingly enough, I wasn't expecting it for bhult because I just changed his password.

770
00:51:04,300 --> 00:51:06,340
So it looks like it might have reset back to the original.

771
00:51:06,790 --> 00:51:09,180
And if it did, that would be kind of interesting.

772
00:51:09,190 --> 00:51:10,960
We need to find out why that happened.

773
00:51:11,950 --> 00:51:14,260
So let's go ahead and reset the password again.

774
00:51:15,740 --> 00:51:19,350
Oops, I did that wrong, my bad.

775
00:51:19,600 --> 00:51:23,080
So here's the password on the clipboard and I'm going to type in a new one

776
00:51:26,140 --> 00:51:27,780
and we get an error message.

777
00:51:27,790 --> 00:51:29,950
I tried the old one again, which was this.

778
00:51:31,840 --> 00:51:33,850
And for the new one, I just did this.

779
00:51:35,980 --> 00:51:39,010
But I got this error message and says the password was rejected

780
00:51:42,040 --> 00:51:44,530
because some password update rules were violated.

781
00:51:45,630 --> 00:51:45,910
All right.

782
00:51:45,910 --> 00:51:50,350
So there's probably like a password policy on this target that basically says you can't.

783
00:51:50,560 --> 00:51:55,030
It's probably remembering the passwords that I've used and it's not letting me use passwords that I've

784
00:51:55,030 --> 00:51:56,710
set within a certain threshold.

785
00:51:56,710 --> 00:51:58,360
So I probably need to change it to something else.

786
00:51:58,850 --> 00:52:06,060
That's what I'm going to do, is I'm just going to say, OK, password, and then I'm going to change

787
00:52:06,080 --> 00:52:06,450
password.

788
00:52:06,760 --> 00:52:09,430
One, two, three, four, password dash.

789
00:52:09,430 --> 00:52:10,170
One, two, three, four.

790
00:52:10,660 --> 00:52:11,140
That worked.

791
00:52:11,140 --> 00:52:11,820
OK, sweet.

792
00:52:12,190 --> 00:52:14,920
Now I'm going to use rpcclient.

793
00:52:15,730 --> 00:52:16,990
Let's see if we can

794
00:52:20,260 --> 00:52:24,250
authenticate as bhult and password.

795
00:52:24,250 --> 00:52:27,940
That's what you do, enumdomusers.

796
00:52:28,630 --> 00:52:30,880
Yes, that is huge.

797
00:52:31,280 --> 00:52:33,550
OK, let's see if we can querydispinfo.

798
00:52:35,320 --> 00:52:35,920
We can.

799
00:52:36,370 --> 00:52:37,680
So we're getting all these users.

800
00:52:37,900 --> 00:52:38,980
We have more user accounts now.

801
00:52:38,980 --> 00:52:44,740
We have more information and we can do, like, the printers, the privileges.

802
00:52:46,030 --> 00:52:46,810
So we've got some accounts.

803
00:52:46,810 --> 00:52:50,560
What privileges? Enumprivs.

804
00:52:51,250 --> 00:52:54,760
Maybe there's an account that has something that would allow us to escalate our privileges.

805
00:52:56,140 --> 00:52:57,370
There might be some others in here, too.

806
00:52:57,940 --> 00:53:04,400
But since we are looking at a printer, let's see if we can do, like, enumprinters, because remember

807
00:53:04,400 --> 00:53:06,130
on this page, this is a printer, right?

808
00:53:06,130 --> 00:53:08,490
So it makes sense to enumerate what we can from the printers.

809
00:53:08,890 --> 00:53:11,440
And by the way, I'm getting this from this help file, right?

810
00:53:11,440 --> 00:53:19,750
If I do Ctrl-A, bracket, you know, I'm just going to... here, pressing n to go through the file every

811
00:53:19,750 --> 00:53:20,130
time I press.

812
00:53:20,140 --> 00:53:21,490
And it just shows me the next match.

813
00:53:22,150 --> 00:53:26,080
And basically I just went through here and I just, you know, I'm just enumerating the stuff that I

814
00:53:26,080 --> 00:53:28,960
thought would be interesting for the particular engagement.

815
00:53:28,960 --> 00:53:31,540
You can see here the matches come up.

816
00:53:32,530 --> 00:53:35,400
So enumdrivers, enumprinters, and the printers.

817
00:53:35,410 --> 00:53:35,710
Right.

818
00:53:36,400 --> 00:53:38,190
I can also enumdrivers if I want to,

819
00:53:41,290 --> 00:53:44,830
which really isn't that interesting to me, but I do want to see the printers again.

820
00:53:46,720 --> 00:53:50,700
And so let's see, we've got this printer name, which we already knew, MFT01.

821
00:53:51,270 --> 00:53:52,180
MFT01.

822
00:53:53,050 --> 00:53:54,550
I knew that, I believe from this page.

823
00:53:55,660 --> 00:53:58,990
Yeah, it's the printer name.

824
00:53:59,000 --> 00:54:03,070
So we've got the IP, so this is the share, right.

825
00:54:03,910 --> 00:54:09,400
And we see it's... it's going to docs, password candidates.

826
00:54:09,830 --> 00:54:11,260
OK, so we've got clear text creds.

827
00:54:12,400 --> 00:54:15,290
So we just grab some more creds and we have that username list.

828
00:54:15,300 --> 00:54:17,470
So that's what we want to do. Cool.

829
00:54:18,000 --> 00:54:18,670
Let's go back here.

830
00:54:20,440 --> 00:54:24,490
Let's grab these users.

831
00:54:25,210 --> 00:54:28,600
OK, so we got some more users and we want to make sure that we grab them.

832
00:54:30,390 --> 00:54:30,960
So it's good.

833
00:54:31,690 --> 00:54:37,560
I just pressed Ctrl-A, left bracket, to get into this mode where I can search through the terminal using

834
00:54:37,580 --> 00:54:40,630
up, down arrow keys, and then I'm going to go above the line.

835
00:54:40,630 --> 00:54:54,020
I want to copy it, spacebar, down, and enter, and then vi them, go to users2, I just, you know,

836
00:54:54,100 --> 00:54:57,940
it's Ctrl-A, right bracket, to put them in there, escape, ZZ.

837
00:54:58,030 --> 00:55:02,030
cat users2, good.

838
00:55:02,110 --> 00:55:04,870
So let's just go ahead and clean this up a little bit.

839
00:55:04,990 --> 00:55:13,630
We can use... OK, let's use the left bracket as a field separator and then we

840
00:55:13,630 --> 00:55:14,650
can just select

841
00:55:18,430 --> 00:55:21,160
the second field.

842
00:55:21,170 --> 00:55:21,440
Right.

843
00:55:21,580 --> 00:55:28,360
This will be the first field, this will be the second field, and see, this works.

844
00:55:31,360 --> 00:55:31,840
Whatever.

845
00:55:33,140 --> 00:55:35,910
Oh, I put another curly brace here.

846
00:55:37,030 --> 00:55:37,460
There we go.

847
00:55:37,840 --> 00:55:43,330
And then on top of that, let's pipe it, do it again, right bracket.

848
00:55:44,140 --> 00:55:48,420
There's probably a better way to do this, but this is working for us, so we're good.

849
00:55:48,790 --> 00:55:50,770
And then this time we're going to do the first field.

850
00:55:51,430 --> 00:55:51,760
Right.

851
00:55:53,590 --> 00:55:54,760
You see what I'm doing right now?

852
00:55:54,760 --> 00:55:58,450
The first field will be this one, because this is the separator.

853
00:55:59,770 --> 00:56:10,630
I specified here. Right, now we've got... we need, of course, we're going to do sort -u, and then what

854
00:56:10,630 --> 00:56:14,620
we can do is we can add that to users.lst.

855
00:56:16,270 --> 00:56:26,010
And then I think, I don't know, actually, users.lst, there might be some duplicates in there.

856
00:56:26,470 --> 00:56:26,980
There are.

857
00:56:28,120 --> 00:56:30,490
We can just... we can see, we can decide this.

858
00:56:30,490 --> 00:56:30,610
Right.

859
00:56:30,620 --> 00:56:31,690
We can see tlflynn.

860
00:56:32,110 --> 00:56:34,310
That's sthompson, pmerton.

861
00:56:34,430 --> 00:56:40,540
And bhult, I mean, basically everything in these top lines are duplicates, right?

862
00:56:40,540 --> 00:56:41,590
So we don't need those toplines.

863
00:56:42,160 --> 00:56:58,250
So vi them, users2, users.lst... that one, there's one which is just users, we'll say dd, dd, dd, dd, let's

864
00:56:58,300 --> 00:56:58,860
clean this up.

865
00:56:58,870 --> 00:57:00,400
I'm just pressing dd, escape.

866
00:57:00,670 --> 00:57:06,070
ZZ, easy, rm users2, users.lst, cat users.

867
00:57:06,070 --> 00:57:07,720
And we've got what we need right now.

868
00:57:07,720 --> 00:57:14,920
We can run kerbrute against this again, make sure all these accounts are still valid. Yep.

869
00:57:16,150 --> 00:57:16,720
So we've got some more.

870
00:57:16,720 --> 00:57:18,160
But these are actually blocked/disabled.

871
00:57:19,090 --> 00:57:19,780
Interesting.

872
00:57:22,000 --> 00:57:27,130
These accounts are blocked or disabled, but we've got some new ones and we've got this svc-print

873
00:57:27,130 --> 00:57:27,550
account.

874
00:57:28,150 --> 00:57:31,780
So we've got this svc-scan account and we have a password over here.

875
00:57:31,780 --> 00:57:33,400
So let's not forget about that over here.

876
00:57:33,670 --> 00:57:38,530
And let's see, is this password... parentheses included?

877
00:57:38,950 --> 00:57:44,110
No, this parenthesis opens here and then ends there.

878
00:57:44,110 --> 00:57:45,850
So this is the password right here.

879
00:57:47,680 --> 00:57:51,130
There it is. OK, sweet, let's go back.

880
00:57:53,310 --> 00:57:54,300
It's still working.

881
00:57:54,330 --> 00:57:54,690
That's OK.

882
00:57:54,720 --> 00:57:55,470
We don't really need that.

883
00:57:57,150 --> 00:58:05,610
We want to now add another password, so we can say export password2 equals this.

884
00:58:07,650 --> 00:58:09,120
So let's see if we have both.

885
00:58:12,420 --> 00:58:13,180
That didn't work, right?

886
00:58:13,200 --> 00:58:18,210
I think it's because the shell is actually interpreting some of these characters.

887
00:58:18,210 --> 00:58:19,070
So we can't do that.

888
00:58:19,350 --> 00:58:27,810
You know, the easy way to do it is to echo -n it, without any newlines, and put this into a file called

889
00:58:30,480 --> 00:58:31,620
let's see, creds.

890
00:58:31,830 --> 00:58:37,000
.txt, cat creds, didn't work still.

891
00:58:37,440 --> 00:58:46,030
So let's make sure that we put a single quote around this, cat creds.

892
00:58:47,160 --> 00:58:47,940
That looks weird.

893
00:58:49,450 --> 00:58:57,750
Let's just go ahead and remove this file, start over, because I think we screwed some things up.

894
00:58:57,900 --> 00:58:58,290
There we go.

895
00:58:58,290 --> 00:58:58,800
We've got it.

896
00:58:59,670 --> 00:59:00,210
Let's go here.

897
00:59:00,210 --> 00:59:01,500
Let's do CME.

898
00:59:02,220 --> 00:59:12,960
Sorry, python3 cme, crackmap, and we'll say, all right.

899
00:59:13,530 --> 00:59:18,260
And we're going to do it against the target, dash u users.lst.

900
00:59:19,200 --> 00:59:25,760
And this time I'm going to spray this password and continue on success.

901
00:59:25,770 --> 00:59:27,960
This just means I don't want it to stop on the first valid password.

902
00:59:27,960 --> 00:59:30,330
Keep going and look at that.

903
00:59:30,330 --> 00:59:33,750
We've got two here, for svc-print.

904
00:59:33,750 --> 00:59:37,980
And svc-scan, looks like this printer password.

905
00:59:37,980 --> 00:59:39,480
These look like service accounts, by the way.

906
00:59:39,480 --> 00:59:45,270
And these passwords are probably static and we might be able to get a shell as this particular account.

907
00:59:46,440 --> 00:59:50,270
But you notice it doesn't actually have a yellow pwned thing.

908
00:59:50,670 --> 00:59:56,520
So this means we can't get a shell this way because we don't have local admin access with these particular

909
00:59:56,520 --> 00:59:59,640
creds on this machine, Fuse.

910
01:00:00,660 --> 01:00:09,120
But we can try to use WinRM, because if you remember when we did this, SMB was not the only

911
01:00:09,120 --> 01:00:15,990
protocol. WinRM is also one, and whatever, we can own it using WinRM. Let's go

912
01:00:15,990 --> 01:00:21,360
up, take this guy out, see if we get.

913
01:00:25,760 --> 01:00:32,470
Pwned, pwned, so now we've got local admin access via WinRM with this service account, so I bet we

914
01:00:32,470 --> 01:00:37,570
can log in with it, so we can use something called evil-winrm, which we don't have.

915
01:00:37,600 --> 01:00:38,020
It's OK.

916
01:00:38,380 --> 01:00:43,690
We can use that to get a shell on the box and basically gain a foothold.

917
01:00:43,730 --> 01:00:44,230
Let's do that.

918
01:00:44,230 --> 01:00:49,120
Let's go to the browser, do a Google around for evil-winrm.

919
01:00:51,940 --> 01:00:52,540
Let's see.

920
01:00:59,550 --> 01:01:01,040
That's the one from Hackplayers.

921
01:01:02,970 --> 01:01:06,680
It's written in Ruby, so we can probably install this using a gem.

922
01:01:07,170 --> 01:01:08,080
I don't even need to look at this.

923
01:01:08,100 --> 01:01:11,300
I just do sudo gem install.

924
01:01:11,550 --> 01:01:12,510
evil-winrm.

925
01:01:12,510 --> 01:01:15,480
I bet that's it, that's happening.

926
01:01:17,520 --> 01:01:19,440
While we wait for that, let's see how you install it.

927
01:01:22,860 --> 01:01:23,370
Look at this.

928
01:01:23,540 --> 01:01:25,560
Well, that is awesome.

929
01:01:26,160 --> 01:01:31,410
Reminds me of one of the proggies or punters from America Online, like back in the 90s.

930
01:01:32,400 --> 01:01:34,270
That is an awesome picture.

931
01:01:34,680 --> 01:01:38,960
So funny. How to install this thing: gem.

932
01:01:39,240 --> 01:01:43,310
Install evil-winrm, great, and then just launch it, it's pretty straightforward.

933
01:01:44,220 --> 01:01:57,090
It's installed. sudo evil... that's sudo evil-winrm, and a target, and see what it's saying.

934
01:01:58,470 --> 01:02:00,030
Target, tack.

935
01:02:00,030 --> 01:02:01,170
-i target, tack.

936
01:02:01,170 --> 01:02:03,320
-u name, tack, -p password.

937
01:02:03,330 --> 01:02:09,030
This is a post-exploitation tool. You use this after you've already achieved the credential access part

938
01:02:09,030 --> 01:02:10,110
of your kill chain.

939
01:02:10,680 --> 01:02:15,870
And so we're not going to use this to exploit, we're just going to use this after we exploit the box,

940
01:02:15,870 --> 01:02:19,980
which is what we're doing here, see what happens.

941
01:02:21,090 --> 01:02:24,180
Bam, you're now logged in

942
01:02:27,270 --> 01:02:34,920
as this user. Like, I browsed the file system. So what you need to do now is see what our privileges

943
01:02:35,940 --> 01:02:36,490
are like. To do this,

944
01:02:36,490 --> 01:02:38,820
it's one of the first things that you want to do when you gain a foothold on a Windows box.

945
01:02:38,880 --> 01:02:39,720
What are my privileges?

946
01:02:39,720 --> 01:02:40,410
What can I do?

947
01:02:41,280 --> 01:02:42,060
And I've got a few.

948
01:02:42,060 --> 01:02:43,430
I can add workstations to a domain.

949
01:02:43,780 --> 01:02:44,730
You don't really care about that.

950
01:02:44,730 --> 01:02:46,200
That's going to help me escalate my privileges.

951
01:02:46,860 --> 01:02:50,010
I can load and unload device drivers.

952
01:02:50,010 --> 01:02:50,790
So that's enabled.

953
01:02:53,040 --> 01:02:54,420
That's generally a bad idea.

954
01:02:55,230 --> 01:02:56,790
Why can we do that?

955
01:02:57,120 --> 01:02:58,490
Let's go ahead and take a screen grab.

956
01:03:00,750 --> 01:03:01,110
All right.

957
01:03:01,110 --> 01:03:03,090
So, yeah, we can load drivers.

958
01:03:03,870 --> 01:03:07,380
So what we're doing in the next lesson is we'll go ahead and exploit this, and you'll see that there's

959
01:03:07,380 --> 01:03:10,800
a couple of steps that we need to do in order to achieve privesc on this box.

960
01:03:11,250 --> 01:03:18,360
And then we're actually going to try to privesc another way using the relatively recent Zerologon

961
01:03:18,540 --> 01:03:19,290
CVE.

962
01:03:19,470 --> 01:03:20,520
So it's going to be really cool.

963
01:03:20,520 --> 01:03:24,210
You're going to get this box two ways and we're going to really have a lot of fun.

964
01:03:24,390 --> 01:03:28,590
So next lecture, we are going to take advantage of this vulnerability.

965
01:03:29,070 --> 01:03:29,490
All right.

966
01:03:29,490 --> 01:03:30,450
So I'll see you in the next lecture.
