1
00:00:00,840 --> 00:00:04,180
OK, so here we are on the box and now we're going to do some incident response.

2
00:00:04,200 --> 00:00:06,720
Let's take a look at what was going on behind the scenes here.

3
00:00:07,350 --> 00:00:11,160
So let's first see if the firewall was enabled.

4
00:00:16,530 --> 00:00:21,930
And let's see, it looks like it is on for the public setting and for the private,

5
00:00:24,840 --> 00:00:26,340
wherever else, and everywhere.

6
00:00:26,360 --> 00:00:26,840
So it's on.

7
00:00:28,860 --> 00:00:30,200
I'm seeing that it is on.

8
00:00:30,210 --> 00:00:34,890
So let's go ahead and turn it off since we are running as SYSTEM.

9
00:00:35,700 --> 00:00:36,010
Right.

10
00:00:37,530 --> 00:00:39,330
So we can do that by just doing this.

11
00:00:39,660 --> 00:00:40,620
Actually, that can go up.

12
00:00:40,630 --> 00:00:41,900
Oops, I can't go up.

13
00:00:42,480 --> 00:00:43,890
I don't have Earl wrap here.

14
00:00:45,850 --> 00:00:47,340
Maybe you should have done that first.

15
00:00:52,760 --> 00:01:03,980
I just typed this: netsh advfirewall set allprofiles state off.

16
00:01:04,040 --> 00:01:04,630
That's how you do it.

17
00:01:04,650 --> 00:01:05,090
Yes.

18
00:01:05,250 --> 00:01:10,260
OK, now let's go ahead and enable remote desktop

19
00:01:16,460 --> 00:01:25,170
inside the terminal server, and we're going to set the value to deny connections

20
00:01:27,780 --> 00:01:29,580
and the type is REG_DWORD.

21
00:01:30,360 --> 00:01:31,410
What did I just do wrong?

22
00:01:37,190 --> 00:01:42,020
Something started right here at Kinnane.

23
00:01:47,000 --> 00:01:54,170
That's because that is a valid key, HKEY_LOCAL_MACHINE.

24
00:01:55,400 --> 00:02:00,800
Unfortunately, you have to type the whole thing out again, but maybe, you know, by doing this,

25
00:02:00,800 --> 00:02:06,800
you remember. The more you do things, the more comfortable you become.

26
00:02:07,400 --> 00:02:08,810
I'm doing it right.

27
00:02:16,460 --> 00:02:17,720
I did a part nice.

28
00:02:18,620 --> 00:02:20,690
So let's create a new user

29
00:02:30,170 --> 00:02:32,270
and let's add this user to administrators.

30
00:02:38,260 --> 00:02:41,420
And we've got Vonne on the box

31
00:02:46,220 --> 00:02:50,540
and we are a member of administrators, so we should be able to RDP in.

32
00:02:51,520 --> 00:02:52,100
Let's see.

33
00:02:53,870 --> 00:02:55,100
I just named this "remote".

34
00:03:00,410 --> 00:03:00,980
FreeRDP.

35
00:03:01,040 --> 00:03:02,210
I think that's the one I usually use.

36
00:03:15,190 --> 00:03:16,320
So it kind of worked.

37
00:03:19,730 --> 00:03:21,110
It's the easiest target still.

38
00:03:24,830 --> 00:03:25,300
OK.

39
00:03:31,470 --> 00:03:35,970
The question mark in the password might be screwing stuff up.

40
00:03:42,460 --> 00:03:43,920
Let's put the password in quotes.

41
00:04:02,310 --> 00:04:06,840
Look at this, this is the index and you notice the slash is not there, so we probably have to put

42
00:04:06,840 --> 00:04:07,500
this in quotes.

43
00:04:15,170 --> 00:04:16,040
Now, what's the problem?

44
00:04:21,580 --> 00:04:26,470
For God's sake, what the heck is this thing talking about?

45
00:04:27,910 --> 00:04:31,990
Oh, I see the problem. This.

46
00:04:34,380 --> 00:04:39,210
The target is specified using /v:, so let's go up here.

47
00:04:40,350 --> 00:04:43,880
So, honestly, again, we weren't following directions.

48
00:04:45,450 --> 00:04:47,800
That'll get you got a read, right?

49
00:05:04,540 --> 00:05:11,950
Interestingly, it looks like this box is running Server Core of Windows, but I see a GUI.

50
00:05:22,360 --> 00:05:23,130
It's kind of interesting.

51
00:05:29,820 --> 00:05:35,360
Which is interesting because normally the Server Core version of Windows Server has a smaller

52
00:05:35,370 --> 00:05:40,140
attack surface, but we were still able to exploit it regardless of that fact.

53
00:05:41,400 --> 00:05:43,280
Let's see how we can get it going back.

54
00:05:55,670 --> 00:06:02,410
I think it's called natto, I'm pretty sure it's now I don't need to check that, but you say insta

55
00:06:02,410 --> 00:06:05,020
goofy windows Nano.

56
00:06:12,060 --> 00:06:13,320
I don't even know if it's going to work.

57
00:06:14,800 --> 00:06:15,580
Let's try this.

58
00:06:20,240 --> 00:06:28,520
Can paystub and of course not, that would be too awesome store windows to feature a server, a

59
00:06:32,120 --> 00:06:32,800
server.

60
00:06:34,320 --> 00:06:36,320
We shall we start.

61
00:06:40,530 --> 00:06:45,450
Get-WindowsFeature, like, OK, so these are the features.

62
00:06:47,520 --> 00:06:55,620
SMB1 is installed; that's a problem for the vulnerabilities there. What else?

63
00:06:58,850 --> 00:07:05,570
RSAT is there, Remote Server Administration Tools, but I don't see the GUI stuff there.

64
00:07:05,900 --> 00:07:06,710
Let's keep going up.

65
00:07:07,100 --> 00:07:08,180
It was usually in the top.

66
00:07:12,490 --> 00:07:16,630
All right, Desktop Experience, I'm not seeing it still.

67
00:07:19,030 --> 00:07:21,100
I'm turning to the Desktop Experience.

68
00:07:21,610 --> 00:07:22,540
How do we enable it?

69
00:07:30,950 --> 00:07:32,640
This option is no longer available.

70
00:07:33,810 --> 00:07:34,830
We need to reinstall.

71
00:07:43,410 --> 00:07:44,700
We might not be able to do it.

72
00:07:54,660 --> 00:07:55,980
Yeah, this is it, right?

73
00:08:01,120 --> 00:08:04,510
So when does feature circle, we shall try that, do we try that?

74
00:08:10,010 --> 00:08:14,130
So we shall we start?

75
00:08:15,470 --> 00:08:18,680
Nope, the feature is not valid.

76
00:08:19,130 --> 00:08:20,510
All right, so we can't do that.

77
00:08:26,690 --> 00:08:31,370
I guess, you know, if you really wanted to work on this from an incident response perspective,

78
00:08:32,060 --> 00:08:37,130
what you would do is look for new accounts right now: net user, and there is a new account here.

79
00:08:38,060 --> 00:08:41,690
And you would also want to look for suspicious binaries.

80
00:08:47,970 --> 00:08:51,960
Because you go in here,

81
00:08:55,410 --> 00:08:59,670
I forgot I have autocomplete, you'll see that cats in here, you see all these exploits are sitting

82
00:08:59,670 --> 00:09:00,220
on a box.

83
00:09:00,290 --> 00:09:07,920
That is a dead giveaway that you've got something going on and you can have all these files in here.

84
00:09:08,640 --> 00:09:10,560
Let's see if I can pipe this to Format-Table

85
00:09:14,970 --> 00:09:15,800
or Format-List.

86
00:09:16,380 --> 00:09:16,900
There we go.

87
00:09:17,460 --> 00:09:22,140
So you can see all these binaries, all the hashes, and you can have something like, you know, maybe

88
00:09:22,140 --> 00:09:29,910
Carbon Black or AppLocker or, you know, Windows Defender Application Control running that basically says,

89
00:09:29,910 --> 00:09:35,210
hey, only a certain set of binaries are allowed to run: application whitelisting.

90
00:09:35,220 --> 00:09:40,410
So you can say, all right, you know, you have your set of approved binaries.

91
00:09:40,410 --> 00:09:45,000
And if you have any binary that doesn't match that set, meaning any of these, it would automatically

92
00:09:45,000 --> 00:09:45,590
fail to run.

93
00:09:45,600 --> 00:09:54,630
And so we would not be able to escalate our privileges via the Cee Lo driver vector, and also when

94
00:09:54,630 --> 00:09:55,860
it came to Zerologon.

95
00:09:55,860 --> 00:09:57,210
And all you have to do for that is patch.

96
00:09:57,780 --> 00:10:00,300
Let's see, let's see what patches we actually had installed.

97
00:10:06,980 --> 00:10:07,660
Let's see.

98
00:10:11,250 --> 00:10:12,300
I think it affects.

99
00:10:17,100 --> 00:10:22,650
Yes, and we've only got a few hotfixes installed, basically none, and that's why we were able to

100
00:10:22,650 --> 00:10:24,000
exploit this box. Were there a lot more?

101
00:10:25,440 --> 00:10:26,540
All right, so that's it.

102
00:10:26,550 --> 00:10:28,230
And next we're actually going to the MITRE ATT&CK framework.
