1
00:00:00,120 --> 00:00:07,650
OK, so here we are in the box and we're going to compromise our next victim machine, and the first

2
00:00:07,650 --> 00:00:12,480
thing I want to show you is how to search for it so you can just click the machine name up here and

3
00:00:12,480 --> 00:00:15,270
we're going to try to break into Access.

4
00:00:15,750 --> 00:00:20,760
We're going to try to access Access, so you can see it up in the machine results.

5
00:00:20,760 --> 00:00:26,760
I just click it and it will pivot me over to the machine's profile so I can see it online.

6
00:00:26,910 --> 00:00:34,140
If I click the IP, it copies it to my clipboard, and I can always click this little green vertical line

7
00:00:34,530 --> 00:00:40,020
to expand or collapse the left pane so it shows only Hack The Box.

8
00:00:40,560 --> 00:00:43,190
All right, so we've got this box ready to go.

9
00:00:43,560 --> 00:00:46,730
One of the other things I'd like to do before I get started is to reset the machine.

10
00:00:46,980 --> 00:00:53,490
That way, you're starting your hacking journey with a victim that is in a pristine state.

11
00:00:54,150 --> 00:00:59,550
So now that we're ready to go, let's see if we can... I am currently connected to the VPN.

12
00:01:00,210 --> 00:01:03,510
You can see here, and I do Ctrl-A 1.

13
00:01:04,020 --> 00:01:05,310
I'm back in the second tab.

14
00:01:05,310 --> 00:01:09,810
If you need help using tmux or flipping between tabs or even configuring the VPN, just look at the

15
00:01:10,050 --> 00:01:11,670
initial videos in this course.

16
00:01:12,090 --> 00:01:12,500
All right.

17
00:01:12,570 --> 00:01:13,830
So let's get started.

18
00:01:13,830 --> 00:01:16,680
Let's just start with a simple adapter list.

19
00:01:17,160 --> 00:01:17,440
Right.

20
00:01:17,460 --> 00:01:22,680
So if I do ip a, it shows me all the adapters on this box.

21
00:01:23,100 --> 00:01:27,420
Right now, I have one that is a tunnel adapter, one tunnel adapter.

22
00:01:27,810 --> 00:01:32,340
If you notice issues where you can't ping your target, it could be because you have multiple tunnel

23
00:01:32,340 --> 00:01:32,850
adapters.

24
00:01:33,630 --> 00:01:37,680
If you see anything other than just a tun0, like a tun1 or tun2, that's a tunnel too

25
00:01:37,680 --> 00:01:38,010
much.

26
00:01:38,640 --> 00:01:45,660
So you would do sudo ip link delete and then the adapter name, and then you'd have to reconnect to

27
00:01:45,660 --> 00:01:46,170
the VPN.

28
00:01:47,310 --> 00:01:50,400
But we don't have that case here, so we don't have to worry about that.

29
00:01:50,830 --> 00:01:55,830
Let's go ahead and start by copying this IP address to a variable.

30
00:01:56,560 --> 00:01:57,900
This is our local IP.

31
00:01:58,590 --> 00:02:07,360
We're going to need it, so we can actually export it right to a variable, and then we could

32
00:02:07,360 --> 00:02:10,080
just do echo $LHOST and you can see it shows up, right?

33
00:02:10,580 --> 00:02:11,070
Very cool.

34
00:02:11,640 --> 00:02:17,550
So let's just try to ping the target to make sure it responds; it's essentially just a check.

35
00:02:18,100 --> 00:02:23,700
Of course, not all targets are going to respond to ping, but if it doesn't, you want to make sure

36
00:02:23,700 --> 00:02:27,400
it's because it's blocked, not because you have some problem with your VPN.

37
00:02:28,020 --> 00:02:30,660
So right now, it's not responding to ping, which is not good.

38
00:02:31,740 --> 00:02:32,970
So I'm going to reset the box

39
00:02:36,390 --> 00:02:39,120
and then we wait for this to finish and we should get access to the machine.

40
00:02:39,720 --> 00:02:41,280
Machine will be reset.

41
00:02:41,280 --> 00:02:41,780
Nice.

42
00:02:43,890 --> 00:02:46,800
Now it says it's resetting, so wait for this to finish.

43
00:02:47,440 --> 00:02:50,580
So it appears that the box has finally reset itself.

44
00:02:51,660 --> 00:02:53,820
Let's go back to the command line and see if we can ping it.

45
00:02:54,540 --> 00:02:56,040
Yeah, that's a great time.

46
00:02:56,820 --> 00:03:00,330
So the first observation: it responds to ping. Second observation:

47
00:03:00,420 --> 00:03:06,960
TTL is less than 128, greater than 64, which indicates that we are most likely dealing with a Windows

48
00:03:07,140 --> 00:03:07,680
target.

49
00:03:09,060 --> 00:03:13,650
Let's see if we can validate that hypothesis first, which is going to be an nmap against the box,

50
00:03:14,970 --> 00:03:18,960
very verbose, which just means print out the results as the results come in.

51
00:03:19,260 --> 00:03:20,340
Don't wait until the end.

52
00:03:21,390 --> 00:03:23,790
Assuming the box is already up, don't bother pinging it.

53
00:03:24,780 --> 00:03:30,080
Run default scripts, run version checks, run the fastest scan possible, showing the reason why any

54
00:03:30,090 --> 00:03:30,810
ports are blocked.

55
00:03:31,510 --> 00:03:33,900
Scan ports zero to 65535.

56
00:03:35,040 --> 00:03:40,770
Write the output to a file named access.nmap and scan this particular target

57
00:03:43,830 --> 00:03:50,700
and almost immediately we get back preliminary results: port 80, port 21 is FTP, and port twenty

58
00:03:50,710 --> 00:03:54,870
three is of course telnet.

59
00:03:55,470 --> 00:03:56,550
I was playing that for a second.

60
00:03:56,940 --> 00:03:58,560
So let's just check out port 80.

61
00:03:58,560 --> 00:03:58,800
Right.

62
00:03:59,370 --> 00:04:04,230
Let's open a new tab here that's called Discovery.

63
00:04:05,040 --> 00:04:12,540
Discovery, if I can spell it, and let's just head on over, actually open up Burp and see if we can filter

64
00:04:12,540 --> 00:04:14,190
everything through Burp as we open it up.

65
00:04:15,060 --> 00:04:16,110
So here we go.

66
00:04:16,140 --> 00:04:17,880
And we can make sure intercept is off.

67
00:04:17,880 --> 00:04:18,240
It is.

68
00:04:18,840 --> 00:04:23,250
Let's go back here and we are going to proxy everything through Burp.

69
00:04:24,180 --> 00:04:26,250
And let's just type in the IP.

70
00:04:27,390 --> 00:04:28,020
See what we get.

71
00:04:29,360 --> 00:04:29,850
All right.

72
00:04:29,850 --> 00:04:31,260
First of all, I don't know what that is.

73
00:04:31,290 --> 00:04:32,340
It looks like some kind of server.

74
00:04:34,740 --> 00:04:39,870
We could Google this to see if Google knows. There might be some kind of industrial control system.

75
00:04:40,620 --> 00:04:42,500
Yeah, a lot works.

76
00:04:42,510 --> 00:04:44,340
IP Server, User's Guide.

77
00:04:44,340 --> 00:04:47,190
So we might... OK, it's owned by MEGACORP.

78
00:04:47,190 --> 00:04:50,130
So this might be something like ICS owned by some large corporation.

79
00:04:51,990 --> 00:04:53,730
What can we do if we flip over to Burp?

80
00:04:59,090 --> 00:05:02,870
And I think that's because there's really nothing on this page, right?

81
00:05:04,130 --> 00:05:04,880
Go back to Burp.

82
00:05:05,390 --> 00:05:09,500
This is all Google stuff, which is completely out of scope. Is that the latest?

83
00:05:12,930 --> 00:05:16,680
There we go, there's the box, but why isn't it capturing this one?

84
00:05:19,960 --> 00:05:26,620
8080, right, that's the interface. If we go back here, we're looking at the options.

85
00:05:28,940 --> 00:05:31,980
From 37001, and it...

86
00:05:34,360 --> 00:05:36,490
Oh, yeah, there is the port 8080.

87
00:05:38,260 --> 00:05:39,160
That's totally right.

88
00:05:42,630 --> 00:05:44,340
So I'm not sure what's going on here.

89
00:05:45,420 --> 00:05:49,380
Yeah, for some reason it's not showing up here, but that's fine.

90
00:05:49,390 --> 00:05:50,830
We don't even need to spider it that way.

91
00:05:51,870 --> 00:05:53,910
What we do want to see is what's going on with that.

92
00:05:53,910 --> 00:05:55,950
So let's copy this image location.

93
00:05:57,070 --> 00:05:58,550
wget it down.

94
00:05:59,880 --> 00:06:00,720
You know, wget it.

95
00:06:07,580 --> 00:06:20,990
We have a JPEG, it is a JPEG according to file. Run exiftool against it, and we can see that

96
00:06:20,990 --> 00:06:22,560
it was created in 2018.

97
00:06:22,700 --> 00:06:27,080
It's an image/jpeg, and there's not really anything interesting in here.

98
00:06:30,290 --> 00:06:31,310
We can look at the source.

99
00:06:33,320 --> 00:06:34,640
Nothing too interesting here either.

100
00:06:36,140 --> 00:06:43,160
Could look for stuff like robots.txt, but instead of manually doing that we could just fire up

101
00:06:43,160 --> 00:06:44,920
gobuster or dirsearch.

102
00:06:45,920 --> 00:06:47,510
Let's see if we can locate dirsearch.

103
00:06:49,490 --> 00:06:50,370
You might already have it.

104
00:06:52,040 --> 00:06:52,610
Yeah, we do.

105
00:06:52,850 --> 00:06:53,240
All right.

106
00:06:53,690 --> 00:06:54,140
So

107
00:06:59,340 --> 00:07:07,610
because it's in /opt/dirsearch, dirsearch, and we get a list of some things, something

108
00:07:07,610 --> 00:07:10,610
that we can run on this box.

109
00:07:11,090 --> 00:07:19,940
OK, so we're going to run dirsearch, and let's see how we're going to formulate this command.

110
00:07:20,580 --> 00:07:27,980
By the way, you can get dirsearch easily from GitHub if you just go to Google and you type dir

111
00:07:27,980 --> 00:07:28,550
search.

112
00:07:28,580 --> 00:07:30,860
It's like the first link on GitHub, dirsearch.

113
00:07:32,450 --> 00:07:34,460
You know, it's kind of like gobuster.

114
00:07:34,490 --> 00:07:35,450
I like it a little bit better.

115
00:07:36,930 --> 00:07:44,120
You just grab this, clone the repository, and you'll be able to use this web app scanner, which you

116
00:07:44,120 --> 00:07:45,130
can use for forced browsing.

117
00:07:45,130 --> 00:07:50,300
And a lot of people are using stuff like ffuf, which is very popular these days.

118
00:07:51,260 --> 00:07:52,520
But you can also use dirsearch.

119
00:07:52,520 --> 00:07:54,880
I'm kind of old school, right?

120
00:07:55,510 --> 00:07:55,860
All right.

121
00:07:55,890 --> 00:07:56,600
So what are we going to do?

122
00:07:57,830 --> 00:07:58,620
-u, the URL?

123
00:07:59,450 --> 00:07:59,840
So

124
00:08:03,650 --> 00:08:04,220
there we go.

125
00:08:04,820 --> 00:08:11,180
Extensions: well, this is probably a Windows box based on the TTL, which means it's probably running

126
00:08:11,630 --> 00:08:16,060
like .NET or IIS, which means .asp will be a common extension.

127
00:08:16,070 --> 00:08:18,350
So let's go ahead and look for those.

128
00:08:19,100 --> 00:08:24,740
We can say extensions equals asp, aspx and maybe html.

129
00:08:26,840 --> 00:08:29,030
What else? We need a wordlist.

130
00:08:29,030 --> 00:08:32,390
We'll just use the built-in wordlist for now. Threads.

131
00:08:33,050 --> 00:08:37,310
We don't want to give it too many threads because then the application might crash, but we don't want

132
00:08:37,310 --> 00:08:39,030
to give it too little because then it will take too long.

133
00:08:39,050 --> 00:08:39,800
So let's start with.

134
00:08:41,550 --> 00:08:43,620
Fifty, that seems good.

135
00:08:45,210 --> 00:08:52,080
Anything else in here, I can use random user agents to bypass any controls that might be blocking based

136
00:08:52,080 --> 00:08:55,590
on the dirsearch user agent string, so we can put that in.

137
00:08:58,290 --> 00:08:59,100
anything else?

138
00:09:01,240 --> 00:09:07,960
And the report: we'll do a simple report, simple report, access.dirsearch,

139
00:09:12,130 --> 00:09:14,590
trying to close the top.

140
00:09:17,190 --> 00:09:21,220
See what we get. Can't connect.

141
00:09:23,350 --> 00:09:24,550
We're still connected to the VPN.

142
00:09:29,260 --> 00:09:30,300
Can't ping it anymore, though.

143
00:09:31,210 --> 00:09:32,050
So something happened.

144
00:09:36,830 --> 00:09:37,650
It's still up.

145
00:09:40,590 --> 00:09:42,210
Still not showing in Burp.

146
00:09:44,830 --> 00:09:48,890
And Burp... nmap is taking a while too.

147
00:09:53,010 --> 00:09:54,100
Take it out of here for a second.

148
00:09:57,720 --> 00:10:01,530
OK, so I guess I was proxying everything through Burp, which doesn't make any sense.

149
00:10:07,050 --> 00:10:12,260
And I guess it was passing all the traffic there. All right, so now we've got dirsearch running

150
00:10:13,130 --> 00:10:13,940
and we'll get this right.

151
00:10:13,940 --> 00:10:16,310
And let's go back to our recon results.

152
00:10:19,040 --> 00:10:23,690
Still running, but port 21 was also detected.

153
00:10:23,720 --> 00:10:29,600
So while we're waiting for the scan to finish, let's look at port 21. Open a new tab.

154
00:10:31,300 --> 00:10:40,310
I'll call this discovery2. Try to FTP to the box because that's the protocol for it.

155
00:10:40,530 --> 00:10:41,080
FTP.

156
00:10:41,540 --> 00:10:45,740
So the FTP service is listening and we can try to log in.

157
00:10:45,740 --> 00:10:49,550
Anonymous, it says anonymous access is allowed.

158
00:10:49,880 --> 00:10:50,580
That's pretty cool.

159
00:10:50,600 --> 00:10:56,140
So it doesn't matter what password we type, and we're logged in.

160
00:10:56,150 --> 00:10:57,800
Look around, we've got two directories.

161
00:10:58,250 --> 00:11:00,200
Both were created in twenty eighteen.

162
00:11:00,200 --> 00:11:02,600
So let's see if we can get into those.

163
00:11:04,340 --> 00:11:10,280
So we have a backup file, backup.mdb, which is like six megabytes

164
00:11:13,310 --> 00:11:22,250
and we have an Access Control.zip file which is about 11 K, so we could try to pull this down with m

165
00:11:22,250 --> 00:11:29,000
get, but I like to flip that around to a w and use wget instead, just a little bit more flexibility

166
00:11:29,120 --> 00:11:30,440
that we get from wget.

167
00:11:31,070 --> 00:11:31,370
Wow.

168
00:11:31,370 --> 00:11:33,890
I said get a laugh at a joke and get it.

169
00:11:35,300 --> 00:11:36,440
Get that joke.

170
00:11:36,910 --> 00:11:37,620
Okay, that's really bad.

171
00:11:38,180 --> 00:11:38,510
All right.

172
00:11:38,510 --> 00:11:43,550
So let's Ctrl-Z this and let's see if we can

173
00:11:47,120 --> 00:11:48,270
grep FTP.

174
00:11:49,710 --> 00:11:50,030
All right.

175
00:11:50,040 --> 00:11:53,360
So there are some FTP options here.

176
00:11:54,350 --> 00:11:59,180
And can we mirror the page to mirror the FTP site as if it were a page.

177
00:12:00,470 --> 00:12:00,920
We can.

178
00:12:02,270 --> 00:12:13,070
So let's try to use wget here, so wget --mirror ftp, anonymous username, password.

179
00:12:13,080 --> 00:12:21,140
It doesn't matter, blah blah blah, because anonymous login is enabled, and see if we can connect.

180
00:12:24,620 --> 00:12:27,470
All right, so what happened, connection timed out.

181
00:12:28,660 --> 00:12:34,790
Wait, it looks like it actually logged in, but it couldn't initiate a passive transfer, whatever

182
00:12:34,790 --> 00:12:35,210
that means.

183
00:12:35,240 --> 00:12:36,680
Let's see if we can get the help for that.

184
00:12:39,710 --> 00:12:45,830
You know, what about grep passive, so we can possibly use this option to disable the passive transfer

185
00:12:45,830 --> 00:12:48,720
mode since it can't initiate passive transfers.

186
00:12:57,500 --> 00:12:59,130
Bam, bingo.

187
00:13:00,980 --> 00:13:02,150
Now we have the results here.

188
00:13:03,200 --> 00:13:08,840
We can rename this folder to FTP and then enter that folder.

189
00:13:11,490 --> 00:13:14,450
See, we have folders there.

190
00:13:14,920 --> 00:13:21,150
We can also run tree against it to see the contents of each folder without actually looking into it.

191
00:13:21,830 --> 00:13:23,900
And if you don't have tree, you can just do sudo

192
00:13:26,600 --> 00:13:30,870
sudo apt install tree -y, right.

193
00:13:31,700 --> 00:13:32,570
How do I know that?

194
00:13:32,570 --> 00:13:35,300
Because I did sudo apt search tree.

195
00:13:41,030 --> 00:13:42,110
Of course, if you spell things correctly.

196
00:13:42,110 --> 00:13:42,350
Right.

197
00:13:44,180 --> 00:13:53,360
And then when I did that I was able to see that there is a package here that displays an indented

198
00:13:53,370 --> 00:13:55,070
directory tree in color: tree.

199
00:13:57,650 --> 00:13:58,080
All right.

200
00:13:58,250 --> 00:14:01,430
So we can take a look at these.

201
00:14:02,300 --> 00:14:05,580
Let's just go and check on our scan from dirsearch.

202
00:14:05,600 --> 00:14:07,340
You can see it didn't really find anything interesting.

203
00:14:08,330 --> 00:14:10,310
Only one 200 response for index

204
00:14:10,310 --> 00:14:12,610
.html, which we already know about.

205
00:14:12,950 --> 00:14:21,380
We could try using a bigger wordlist like SecLists, but honestly, that's not really going to help,

206
00:14:21,560 --> 00:14:26,180
I don't think, at this point. Let's say we've already got some files we pulled down from the FTP server.

207
00:14:26,180 --> 00:14:27,980
Let's sharpen our attention on those.

208
00:14:30,860 --> 00:14:37,820
So let's go into this Backups directory and see what we have here, and we have a backup

209
00:14:37,820 --> 00:14:39,620
.mdb.

210
00:14:40,310 --> 00:14:40,850
What is that?

211
00:14:41,890 --> 00:14:43,490
It's a Microsoft access database.

212
00:14:44,210 --> 00:14:46,420
OK, what can we do with it?

213
00:14:46,790 --> 00:14:49,370
Can we, like, cat it?

214
00:14:49,490 --> 00:14:51,860
It's a binary file.

215
00:14:51,860 --> 00:14:52,100
All right.

216
00:14:52,100 --> 00:14:53,000
So we probably can't.

217
00:14:54,140 --> 00:14:54,590
Yeah.

218
00:14:54,710 --> 00:14:56,930
We can't read this, so let's

219
00:14:56,930 --> 00:14:59,810
quit on that, because I don't read binary.

220
00:15:00,890 --> 00:15:02,060
I'm not quite that good yet.

221
00:15:02,750 --> 00:15:09,200
Let's just see if we have any tools with mdb in the name, because if I type msf, Tab, you see all the

222
00:15:09,200 --> 00:15:16,490
commands in my Kali instance that are related to msf: the Metasploit Framework, database management,

223
00:15:16,490 --> 00:15:19,020
and msfvenom.

224
00:15:19,550 --> 00:15:20,450
Great stuff.

225
00:15:20,450 --> 00:15:22,520
If I do mdb, Tab,

226
00:15:23,570 --> 00:15:28,160
I see all the tools that are related to mdb, which I already have on my box, and one of them looks interesting:

227
00:15:28,160 --> 00:15:28,970
mdb-sql.

228
00:15:29,690 --> 00:15:35,200
So let's see if we can query the mdb database, which is the Access database, as a SQL database.

229
00:15:36,350 --> 00:15:37,520
First, let me close this.

230
00:15:39,890 --> 00:15:44,060
And let me close this, too.

231
00:15:46,560 --> 00:15:53,270
OK, so let's go over to mdb-sql, and I don't know how to run this one, so -h, and it says we just give

232
00:15:53,270 --> 00:15:53,780
it the file

233
00:15:58,340 --> 00:16:00,050
and let's try, like, list tables.

234
00:16:01,520 --> 00:16:02,890
Bam, we've got some.

235
00:16:04,430 --> 00:16:07,880
Now, if you didn't know that you could use that command, you could just Google around for it or you

236
00:16:07,880 --> 00:16:08,690
could look at the man page.

237
00:16:09,530 --> 00:16:12,740
But we already see some of the tables in here and this looks really strange.

238
00:16:13,220 --> 00:16:14,030
Finger vein.

239
00:16:14,780 --> 00:16:20,060
I have no idea what that means, but I'm going to copy to my clipboard control, see, and then I'm

240
00:16:20,060 --> 00:16:25,640
just going to sort of glance through these tables to see if any of them look like they might have credentials.

241
00:16:32,270 --> 00:16:39,170
Auth admin looks like it might have credentials, any auth-based tables, especially auth_user, because

242
00:16:39,320 --> 00:16:42,320
there's probably permissions or something in there related to authentication.

243
00:16:44,930 --> 00:16:50,590
Django admin, there might be something interesting in there.

244
00:16:51,410 --> 00:16:56,870
By the way, I noticed Django, the web framework, and that might be the particular framework

245
00:16:56,870 --> 00:16:59,500
being used in this industrial control system.

246
00:16:59,960 --> 00:17:03,550
And if so, there might be a vulnerability that we might be able to exploit, with searchsploit.

247
00:17:04,070 --> 00:17:07,790
I don't know if I should sit there and just look through, you know, what we have here.

248
00:17:09,380 --> 00:17:12,950
And that's really all I see that look interesting at the moment.

249
00:17:13,670 --> 00:17:22,580
So let's quit this and see what other mdb things we have, like mdb-tables.

250
00:17:23,950 --> 00:17:24,580
What can we do with that?

251
00:17:24,590 --> 00:17:25,940
It's probably just going to list all the tables.

252
00:17:25,940 --> 00:17:29,720
Right, so mdb-tables: file and tables.

253
00:17:29,720 --> 00:17:29,950
Right.

254
00:17:29,950 --> 00:17:33,260
So if I do this backup file.

255
00:17:34,640 --> 00:17:34,940
Yeah.

256
00:17:34,940 --> 00:17:35,750
Just print it out.

257
00:17:35,930 --> 00:17:36,830
Print it all out.

258
00:17:38,990 --> 00:17:42,680
What else can I do? mdb-export.

259
00:17:42,830 --> 00:17:48,710
Yes, I want to export some stuff, so mdb-export, file and then the table.

260
00:17:48,710 --> 00:17:54,560
We want to export, so mdb-export, the file and the table, which I have in my clipboard.

261
00:17:55,820 --> 00:17:58,480
I can see all the column headers for the table.

262
00:17:58,490 --> 00:18:05,600
Now there's no data in the columns, but I now have a way to export each table so it's possible I can

263
00:18:05,600 --> 00:18:14,720
create a loop to basically execute this command and then pass each table name to mdb-export,

264
00:18:15,470 --> 00:18:19,090
save it as a file, and then we can grep through everything to see if we can find something interesting.

265
00:18:19,100 --> 00:18:19,330
Right.

266
00:18:20,240 --> 00:18:21,650
So let's try that approach.

267
00:18:23,300 --> 00:18:31,220
So let's do like, let's say, for i in mdb-tables backup.mdb.

268
00:18:33,200 --> 00:18:38,650
i basically updates with each iteration through this list.

269
00:18:39,230 --> 00:18:42,740
So the first time through, you know, at some point i is going to be server log.

270
00:18:42,750 --> 00:18:46,850
That's going to be shift, it's going to be TBP, it's going to keep updating.

271
00:18:48,260 --> 00:18:53,060
And what I want to do is I want to just echo it to make sure my loop is working correctly.

272
00:18:55,340 --> 00:18:56,600
And it is. Easy.

273
00:18:56,600 --> 00:18:57,520
It printed out everything.

274
00:18:58,400 --> 00:19:00,440
One per line, one table per line.

275
00:19:01,160 --> 00:19:01,670
That's good.

276
00:19:02,720 --> 00:19:03,800
Although it has these as well.

277
00:19:03,800 --> 00:19:04,670
That might cause a problem.

278
00:19:04,820 --> 00:19:05,960
Maybe we can get those out of there.

279
00:19:06,740 --> 00:19:11,960
Let's keep going and let's try to do now instead of just echoing it.

280
00:19:14,000 --> 00:19:19,250
Let's run that mdb-export command on the current table.

281
00:19:21,420 --> 00:19:22,000
Very nice.

282
00:19:22,050 --> 00:19:25,500
So now we have everything being exported, so let's just write this to a file.

283
00:19:30,320 --> 00:19:32,170
So how can we do this, we can just

284
00:19:35,080 --> 00:19:36,130
write it to a file.

285
00:19:38,210 --> 00:19:41,340
Like so. Permission denied.

286
00:19:41,620 --> 00:19:42,070
That's cool.

287
00:19:43,550 --> 00:19:48,610
You know, it looks like it's having an issue here.

288
00:19:48,800 --> 00:19:54,380
I think if you look at the permissions on this folder, yeah, it's owned by root.

289
00:19:55,190 --> 00:20:05,000
So if we change the ownership to me and then go into that folder and then run the command without sudo,

290
00:20:05,000 --> 00:20:05,510
of course.

291
00:20:09,040 --> 00:20:12,250
It might work, and now we're getting a different result.

292
00:20:12,280 --> 00:20:14,860
That's because the folder was owned by root and I'm not.

293
00:20:15,670 --> 00:20:19,750
And that's why I couldn't write to a folder owned by root; I didn't have permission.

294
00:20:19,750 --> 00:20:22,330
So I just changed the ownership so that it belongs to me.

295
00:20:27,770 --> 00:20:33,020
Right now, I can read, write and execute, so we are good to go there.

296
00:20:33,080 --> 00:20:38,000
Let's go back into the folder, and we have our files. Do tree

297
00:20:38,000 --> 00:20:39,230
instead; we see all of them.

298
00:20:39,980 --> 00:20:43,130
So let's do some magic to see what we can find in here.

299
00:20:43,880 --> 00:20:47,690
Let's just do like a recursive grep search case.

300
00:20:47,690 --> 00:20:48,230
Insensitive.

301
00:20:48,670 --> 00:20:49,610
That's what the i means.

302
00:20:49,610 --> 00:20:50,180
The l means:

303
00:20:50,190 --> 00:20:56,930
Show me the file that you find matches in and let's just look for, like, any occurrence of the phrase

304
00:20:56,930 --> 00:20:57,480
pass.

305
00:20:59,940 --> 00:21:01,080
Already we've got a couple.

306
00:21:01,370 --> 00:21:02,780
So there's a table called authorizer.

307
00:21:03,500 --> 00:21:04,980
It has a password column.

308
00:21:05,380 --> 00:21:09,920
We should definitely check that out. There is a table called machines that contains the column password.

309
00:21:10,370 --> 00:21:11,360
Not too interested in that.

310
00:21:12,230 --> 00:21:14,810
There's also a user info table that contains a password column.

311
00:21:16,700 --> 00:21:18,470
So let's look at auth_user first.

312
00:21:24,770 --> 00:21:31,420
Bingo, we've got creds, and we also have an ID attached to all these creds. This is all good.

313
00:21:32,320 --> 00:21:34,970
So let's clean this up.

314
00:21:35,990 --> 00:21:45,110
I think we can... let's pipe this to awk, and let's see, a field separator.

315
00:21:45,110 --> 00:21:46,670
We can use a quote

316
00:21:50,240 --> 00:21:51,620
and then we can print.

317
00:21:53,630 --> 00:21:54,290
The

318
00:21:56,660 --> 00:21:57,290
second.

319
00:21:59,030 --> 00:22:06,020
Third, let's see, this is the first field, this is the second field, third field and the fourth

320
00:22:06,020 --> 00:22:13,400
field. The second and fourth fields, 2 and 4, are going to work.

321
00:22:17,810 --> 00:22:18,360
There we go.

322
00:22:19,430 --> 00:22:20,980
I control should be.

323
00:22:22,640 --> 00:22:23,450
Let's go and put these in

324
00:22:29,090 --> 00:22:30,080
escape of these.

325
00:22:33,270 --> 00:22:34,890
I think we're done with that folder.

326
00:22:40,860 --> 00:22:42,960
Let's go into the engineer folder

327
00:22:46,170 --> 00:22:47,990
and we have what looks like a zip file.

328
00:22:49,200 --> 00:22:49,950
Let's see,

329
00:22:53,240 --> 00:22:57,160
it looks like it might be a zip file. Before trying to unzip it,

330
00:22:57,990 --> 00:23:01,590
we can use the -l option to list the files first.

331
00:23:05,070 --> 00:23:06,800
And you can see there's a file on here.

332
00:23:06,810 --> 00:23:08,430
So this is probably like a mail file.

333
00:23:09,090 --> 00:23:15,150
Maybe there's something in here that is interesting, and let's just unzip it: sudo unzip.

334
00:23:18,270 --> 00:23:19,530
Unsupported compression method.

335
00:23:19,560 --> 00:23:24,340
All right, so it skipped it; it didn't actually unzip it.

336
00:23:24,750 --> 00:23:29,580
Now we could Google what that means or we could try to use another tool like 7-Zip to get what we

337
00:23:29,580 --> 00:23:30,090
need out of it.

338
00:23:32,520 --> 00:23:33,360
Let's see here.

339
00:23:34,770 --> 00:23:43,650
If we do l, list the contents of the archive, then we can also show the technical information

340
00:23:43,860 --> 00:23:45,120
with -slt for the list.

341
00:23:45,330 --> 00:23:45,650
Right.

342
00:23:46,390 --> 00:23:54,120
Just trying to get some metadata about this file: 7z l -slt Access Control.

343
00:23:56,130 --> 00:24:01,470
So all the stuff we already knew; one thing we didn't know was this: AES.

344
00:24:01,870 --> 00:24:03,180
So this file is probably encrypted.

345
00:24:04,620 --> 00:24:04,900
Right.

346
00:24:04,950 --> 00:24:10,570
So if I go unzip, already did that, I do 7z x.

347
00:24:10,820 --> 00:24:11,730
We try to extract it.

348
00:24:14,620 --> 00:24:18,700
OK, it's saying permission denied because it's trying to write the contents of the file to this drive,

349
00:24:18,700 --> 00:24:20,350
but it can't because it doesn't have permission.

350
00:24:21,100 --> 00:24:22,180
So let's just do sudo.

351
00:24:24,020 --> 00:24:30,710
All right, so what's the password, which we don't really have right now, so we have two approaches,

352
00:24:30,710 --> 00:24:39,140
we could try to crack it so we could try to convert this zip file to a hash and then, you know, use

353
00:24:39,140 --> 00:24:41,690
the word list to try to crack the edit file.

354
00:24:42,920 --> 00:24:49,130
Or we could try to use one of the credentials that we have already pillaged and use that to get in.

355
00:24:50,000 --> 00:24:56,540
So let's see if we can first convert it to a hash with zip2john.

356
00:24:59,780 --> 00:25:00,160
All right.

357
00:25:00,170 --> 00:25:00,740
Very cool.

358
00:25:01,700 --> 00:25:13,590
Put this file in here and let's convert it to access_control.hash. Permission denied, even though

359
00:25:13,590 --> 00:25:20,360
I'm zero, because I bet this folder is owned by root, and it is.

360
00:25:20,510 --> 00:25:20,810
All right.

361
00:25:20,820 --> 00:25:23,690
So zero change ownership

362
00:25:26,270 --> 00:25:28,210
engineer the engineer.

363
00:25:29,960 --> 00:25:31,250
OK, let's run this again.

364
00:25:33,500 --> 00:25:38,750
And if we can get that to work, we just convert it to a hash; we see it there.

365
00:25:39,310 --> 00:25:45,110
So now we can use John to crack this, but we don't have a word list yet.

366
00:25:48,320 --> 00:25:54,350
So we could use RockYou, we could just try to use the word list from the raw strings of that backup

367
00:25:54,350 --> 00:25:54,730
file.

368
00:25:55,490 --> 00:25:58,280
So we did like zero strings.

369
00:26:03,840 --> 00:26:12,830
You know, we're going to get a lot of data back from that, so let's just output that. Well, let's sort

370
00:26:12,830 --> 00:26:15,470
it, and we only want uniques.

371
00:26:17,960 --> 00:26:18,320
Good.

372
00:26:19,040 --> 00:26:23,900
And then let's write that to a file called wordlist.txt.

373
00:26:26,060 --> 00:26:26,320
All right.

374
00:26:26,330 --> 00:26:27,050
So now we have that.

375
00:26:28,200 --> 00:26:28,940
How big is that?

376
00:26:38,240 --> 00:26:39,770
It's six hundred three lines there.

377
00:26:39,770 --> 00:26:40,070
You bet.

378
00:26:41,240 --> 00:26:42,430
So I could do like

379
00:26:42,440 --> 00:26:47,900
john, give it the hash of the zip file and then a word list

380
00:26:51,290 --> 00:26:57,770
and see if we get anything juicy back. And look at that, it actually cracked it.

381
00:26:59,060 --> 00:26:59,690
Pretty sweet.

382
00:27:00,680 --> 00:27:05,960
So it says we can use --show to display all the cracked passwords reliably.

383
00:27:06,800 --> 00:27:08,990
We take this off, we do --show.

384
00:27:10,430 --> 00:27:12,170
We can see it right here.

385
00:27:13,250 --> 00:27:16,990
So now we have the password to this file.

386
00:27:17,180 --> 00:27:17,520
Right.

387
00:27:18,950 --> 00:27:20,930
So let's go ahead and grab this.

388
00:27:24,150 --> 00:27:24,810
Joseph C..

389
00:27:28,730 --> 00:27:37,370
Let's clear this out, all right, and that file, I believe, is empty because it tried to extract

390
00:27:37,370 --> 00:27:40,310
it, but since we don't have the password, it didn't actually really extract it.

391
00:27:40,800 --> 00:27:43,100
So let's try to extract this now, now that we have a password.

392
00:27:52,130 --> 00:27:54,440
Saying, would you like to replace the existing file with zero bytes?

393
00:27:54,830 --> 00:28:00,310
Yes, enter the password until Shalvey and everything's OK.

394
00:28:00,830 --> 00:28:01,370
I like that.

395
00:28:03,110 --> 00:28:05,180
And now we look at the size.

396
00:28:05,900 --> 00:28:09,070
It is substantially larger than zero KB.

397
00:28:09,080 --> 00:28:17,930
So now we can try to actually read this file. Let's start by seeing what kind of file it is. It looks

398
00:28:17,930 --> 00:28:18,830
like an Outlook file.

399
00:28:19,780 --> 00:28:20,480
These usually are.

400
00:28:20,780 --> 00:28:21,290
And it is.

401
00:28:21,290 --> 00:28:22,490
It's an outlook e-mail file.

402
00:28:23,720 --> 00:28:28,430
We could just try to read it straight up, but I think we're going to run into problems.

403
00:28:30,080 --> 00:28:31,100
Yeah, it's a binary file.

404
00:28:31,110 --> 00:28:33,980
So if we try to look at it, it looks like gobbledygook.

405
00:28:36,680 --> 00:28:38,930
But let's see if we use xxd on it.

406
00:28:43,880 --> 00:28:45,260
xxd doesn't even know what to do.

407
00:28:46,340 --> 00:28:54,800
We could try using readpst, and that will actually output it as an inbox file, which we'll be able

408
00:28:54,800 --> 00:28:55,250
to read.

409
00:28:58,010 --> 00:29:01,400
You see now there's this inbox file, which we can

410
00:29:04,040 --> 00:29:09,110
read quite easily this way, but I have a better technique.

411
00:29:09,530 --> 00:29:13,580
We can use mutt. apt search mutt.

412
00:29:18,020 --> 00:29:21,800
It's really basically a text-based email reader,

413
00:29:24,620 --> 00:29:28,510
and it's really cool to watch this like we already have one stop.

414
00:29:28,550 --> 00:29:29,530
Yeah, I already have it.

415
00:29:30,950 --> 00:29:31,610
So let's do

416
00:29:37,070 --> 00:29:37,360
it all.

417
00:29:37,370 --> 00:29:40,820
But see what flags we want to specify

418
00:29:43,370 --> 00:29:44,240
we want.

419
00:29:47,420 --> 00:29:48,170
What do we want?

420
00:29:51,790 --> 00:29:58,940
We want to open the mailbox in read-only mode, we don't want to modify anything, so we say -R, and

421
00:29:58,960 --> 00:30:02,920
we want to specify which mailbox to read, so check everything in the file.

422
00:30:03,840 --> 00:30:08,210
OK, it's that inbox power.

423
00:30:08,230 --> 00:30:11,970
It wasn't even that access control.

424
00:30:12,880 --> 00:30:14,890
Oh, it was in the engineering folder, I think.

425
00:30:16,660 --> 00:30:18,220
FTP Engineering

426
00:30:20,650 --> 00:30:22,570
Access Control Inbox.

427
00:30:24,230 --> 00:30:24,830
I think that was right.

428
00:30:24,980 --> 00:30:25,430
I'm seeing

429
00:30:30,060 --> 00:30:31,160
some of this happening.

430
00:30:33,380 --> 00:30:33,890
Let's see,

431
00:30:38,480 --> 00:30:40,400
OK, this e-mail does not exist.

432
00:30:40,400 --> 00:30:40,880
Create it.

433
00:30:41,660 --> 00:30:42,140
Sure.

434
00:30:43,790 --> 00:30:44,390
And look at that.

435
00:30:44,900 --> 00:30:51,500
Now, we can actually see the email that came in from John at megacorp.

436
00:30:59,280 --> 00:31:05,250
And if I press enter, I can see it came from Janet Megacorp, it went to security at access control

437
00:31:05,250 --> 00:31:09,660
system, dotcom megacorp access control system, security account.

438
00:31:09,660 --> 00:31:14,250
So we have a new account and it says the password has been changed to this.

439
00:31:14,280 --> 00:31:16,550
Please ensure that it's passed on to the engineers John.

440
00:31:16,620 --> 00:31:18,360
Oh, thank you, John, for giving me credentials.

441
00:31:19,650 --> 00:31:23,820
So let's copy that, Ctrl+C, and q to quit.

442
00:31:25,350 --> 00:31:27,350
And where's that creds file?

443
00:31:27,360 --> 00:31:28,650
Here it is.

444
00:31:30,560 --> 00:31:32,130
So now you put this in here.

445
00:31:39,370 --> 00:31:45,550
I'm going to put a star next to this one, since we know how it works and we have more credentials,

446
00:31:45,880 --> 00:31:46,470
very cool.

447
00:31:46,480 --> 00:31:50,620
So let's go back to our recon and see if that finished.

448
00:31:50,620 --> 00:31:54,970
Did it really tell us anything new?

449
00:31:57,310 --> 00:31:58,390
Just kind of strange.

450
00:32:01,880 --> 00:32:10,180
But we did know that in addition to port 80 and port 21, port 23 was also open, which is telnet.

451
00:32:11,440 --> 00:32:15,640
So we could just try to connect the dots on that.

452
00:32:23,560 --> 00:32:23,890
Right.

453
00:32:25,240 --> 00:32:27,620
And I'm not really satisfied with these nmap results.

454
00:32:27,640 --> 00:32:29,290
I'm going to run nmap again in the background

455
00:32:33,790 --> 00:32:37,750
because it didn't show us any of the default scripts or the version checks, which is kind of weird.

456
00:32:39,250 --> 00:32:40,210
So I'll let that run again.

457
00:32:40,990 --> 00:32:43,810
Let's go back to discovery and see if we can telnet into the box

458
00:32:47,710 --> 00:32:48,940
using some of these creds.

459
00:32:53,440 --> 00:33:00,640
It's taking a while, let's try it again. And again, if you don't have the telnet command, you could

460
00:33:00,640 --> 00:33:02,300
just do a little apt install on that.

461
00:33:04,180 --> 00:33:06,640
So let's try to log in with admin admin first.

462
00:33:09,130 --> 00:33:12,220
All right, let's try this one next corpulence.

463
00:33:21,010 --> 00:33:27,640
Interesting: specified user is not a member of the Telnet clients group, so the administrator must add it to

464
00:33:27,640 --> 00:33:28,330
the above group.

465
00:33:29,800 --> 00:33:31,030
So we know the user is valid.

466
00:33:32,200 --> 00:33:33,070
That's an interesting error.

467
00:33:33,700 --> 00:33:34,390
This is what we do, right?

468
00:33:34,400 --> 00:33:37,240
We capture credentials and then we just spray them across the environment to try to get in.

469
00:33:38,980 --> 00:33:40,930
Let's try backup admin next.

470
00:33:41,950 --> 00:33:43,240
Backup admin.

471
00:33:44,860 --> 00:33:45,430
Admin.

472
00:33:47,610 --> 00:33:47,850
Nope.

473
00:33:48,970 --> 00:33:50,190
Let's try this guy next.

474
00:33:50,200 --> 00:33:53,620
Security Security Controller.

475
00:34:03,790 --> 00:34:05,950
It looks like my session locked up.

476
00:34:06,970 --> 00:34:07,270
All right.

477
00:34:07,270 --> 00:34:10,690
So it's locked up. Ctrl+A, X to kill the pane.

478
00:34:11,290 --> 00:34:12,280
Let's just try it again.

479
00:34:12,280 --> 00:34:15,460
Cat creds and let's fire up telnet

480
00:34:19,240 --> 00:34:20,320
and let's try to log in.

481
00:34:24,280 --> 00:34:26,410
And it looks like we've got a shell.

482
00:34:30,070 --> 00:34:30,730
Very cool.

483
00:34:31,990 --> 00:34:34,810
So in the next lecture, we will look at escalating our shell.

484
00:34:35,440 --> 00:34:37,150
I will see you in the next lecture.
