1 00:00:00,360 --> 00:00:01,030 Welcome back.
2 00:00:01,620 --> 00:00:06,730 Time to gain access to our Windows 10 machine using the SMBGhost vulnerability.
3 00:00:07,560 --> 00:00:10,350 For now, we managed to scan it to see if it's vulnerable.
4 00:00:10,350 --> 00:00:15,440 And we also managed to find a tool that we can use to crash the target system.
5 00:00:16,140 --> 00:00:18,960 But ideally, we don't want to crash it.
6 00:00:19,350 --> 00:00:23,090 Instead, we want to gain a shell on that target machine.
7 00:00:23,760 --> 00:00:27,170 Well, with this vulnerability, it is not that easy.
8 00:00:27,660 --> 00:00:31,900 There are some things that we need to know in order to be able to remotely exploit it.
9 00:00:32,610 --> 00:00:33,500 Let's see what I mean.
10 00:00:34,020 --> 00:00:38,880 The first thing that we must do is we must download the tool that we are going to use for the exploitation.
11 00:00:39,420 --> 00:00:41,670 And I did test a few of them out.
12 00:00:41,670 --> 00:00:47,220 And I found the best working one to be this ZecOps CVE one.
13 00:00:48,330 --> 00:00:52,640 If you just type the same thing that we took from the previous video, which is the vulnerability name
14 00:00:52,650 --> 00:00:58,440 and then GitHub, you should find this ZecOps link to be on the first page. Click on it.
15 00:00:58,860 --> 00:01:01,260 And down here we can see the files that we get.
16 00:01:01,470 --> 00:01:05,140 And right here, we also see the usage of the tool itself.
17 00:01:05,580 --> 00:01:10,130 But before we get into all of this, let us first download the tool from GitHub.
18 00:01:10,770 --> 00:01:12,930 So let's go copy the link right here.
19 00:01:13,560 --> 00:01:18,960 Copy it, go to our terminal and type git clone and then the tool link.
20 00:01:19,900 --> 00:01:25,600 Press enter and here it is, it finished downloading. Let's type ls, and we will see a bunch of
21 00:01:25,630 --> 00:01:27,490 these directories with the same name.
22 00:01:28,060 --> 00:01:34,810 This one, however, has this extension of RCE and then PoC, which stands for remote code execution
23 00:01:35,020 --> 00:01:36,300 proof of concept.
24 00:01:36,700 --> 00:01:39,130 Let's change the directory to that directory.
25 00:01:40,750 --> 00:01:44,770 And if we type ls here, we are going to see a bunch of files.
26 00:01:45,220 --> 00:01:49,560 So we get this .bat file which runs on Windows.
27 00:01:49,940 --> 00:01:57,190 Then we get this SMBGhost assembly shellcode for the 64-bit version, and we get this Python SMBleedingGhost
28 00:01:57,190 --> 00:02:00,100 file, which is the exploit itself.
29 00:02:00,760 --> 00:02:04,560 But we don't really know how exactly we combine all of these files.
30 00:02:04,900 --> 00:02:08,470 So let's go back to the page and check out the usage of the program.
31 00:02:09,510 --> 00:02:14,340 The first step right here tells us to make sure Python and ncat are installed.
32 00:02:15,150 --> 00:02:22,370 Then run this file on the target computer and adjust the offsets at the top of the SMBleedingGhost
33 00:02:22,380 --> 00:02:25,590 .py file, according to the script output.
34 00:02:26,230 --> 00:02:28,120 Hmm, what does this mean?
35 00:02:28,800 --> 00:02:31,470 Well, let's go to the Python file first.
36 00:02:31,470 --> 00:02:32,670 Let us open it.
37 00:02:34,420 --> 00:02:40,970 To see what offsets they mean, and I assume they mean these offsets right here. As we can see,
38 00:02:40,990 --> 00:02:44,620 there are five of them and they have different offsets.
39 00:02:45,340 --> 00:02:46,810 But you might be asking.
40 00:02:46,860 --> 00:02:50,550 Well, it tells us right here that we must run this on the target computer.
41 00:02:51,310 --> 00:02:57,100 And what's the point, then, of calling this an exploit if there is a file that we must run on the target
42 00:02:57,100 --> 00:02:57,940 computer first?
43 00:02:58,420 --> 00:03:00,700 Well, let's go to the note down here.
44 00:03:01,030 --> 00:03:06,970 As it says, you might be wondering why it is necessary to run the .bat script on the target
45 00:03:06,970 --> 00:03:07,500 computer.
46 00:03:07,750 --> 00:03:12,940 And doesn't it defeat the whole point of the remote code execution being remote?
47 00:03:13,570 --> 00:03:15,090 Well, here is the explanation.
48 00:03:15,610 --> 00:03:19,450 These offsets are not random and are the same on all Windows
49 00:03:19,460 --> 00:03:21,610 instances of the same Windows version.
50 00:03:22,300 --> 00:03:28,210 One could make the attack more universal by detecting the target Windows version and adjusting the offsets
51 00:03:28,210 --> 00:03:31,990 automatically or by not relying on them altogether.
52 00:03:33,810 --> 00:03:34,650 What does this mean?
53 00:03:35,010 --> 00:03:39,770 Well, these offsets right here are the same for the same Windows version.
54 00:03:39,870 --> 00:03:45,480 So, for example, this Windows version that we got right here: if we had a thousand machines that
55 00:03:45,480 --> 00:03:46,900 were running the same Windows version,
56 00:03:47,250 --> 00:03:51,750 well, it is enough that we run this .bat file on this one to check out the offsets.
57 00:03:52,020 --> 00:03:58,740 Then we adjust the offsets right here inside of our exploit, and then we can attack all the thousand
58 00:03:58,740 --> 00:04:01,740 machines without having to run the .bat file on them.
59 00:04:02,720 --> 00:04:08,420 But a different version of this Windows machine might have a different offset, which will then make
60 00:04:08,420 --> 00:04:09,980 our exploit not work.
61 00:04:10,220 --> 00:04:11,990 So we must check the offsets first.
62 00:04:12,410 --> 00:04:13,540 How are we going to do that?
63 00:04:14,090 --> 00:04:19,150 Well, as it says right here, we're going to run the .bat file on the target system.
64 00:04:20,090 --> 00:04:23,910 So I already downloaded the tool right here on my Windows machine.
65 00:04:24,680 --> 00:04:26,240 Here it is on the desktop.
66 00:04:26,960 --> 00:04:31,850 And what you can do is you can just open the Windows 10 machine, open Internet Explorer, type
67 00:04:31,850 --> 00:04:36,070 the vulnerability name and then GitHub, and navigate to this ZecOps tool.
68 00:04:36,320 --> 00:04:43,790 And then if you click on it, click on this Code arrow right here and click on Download ZIP.
69 00:04:44,180 --> 00:04:49,260 This will download the tool for you and you should have it right here on the desktop right after it.
70 00:04:49,970 --> 00:04:50,390 Great.
71 00:04:50,690 --> 00:04:56,960 Once you do that, what we can do is we can navigate using our terminal to that tool.
72 00:04:56,960 --> 00:05:00,770 So the Desktop and then cd into the CVE directory.
73 00:05:01,250 --> 00:05:09,050 If I type dir right here and I run the .bat file, of course you can run it using command prompt or
74 00:05:09,050 --> 00:05:10,700 you can just double click on this file.
75 00:05:12,100 --> 00:05:15,640 And double click on calculate target offsets.
76 00:05:16,530 --> 00:05:23,760 As we can see, this will open another terminal and this will give us those five offsets for this particular
77 00:05:23,820 --> 00:05:30,420 Windows 10 version. What we must do right now is we must change these offsets to match inside of our
78 00:05:30,660 --> 00:05:32,330 Python file right here.
79 00:05:32,940 --> 00:05:35,490 So let's check it out here.
80 00:05:35,500 --> 00:05:37,290 We got two one seven zero.
81 00:05:37,860 --> 00:05:41,510 The first one is the same, three two one zero.
82 00:05:41,550 --> 00:05:42,970 The second one is also the same.
83 00:05:43,320 --> 00:05:45,650 The third one also appears to be the same.
84 00:05:46,200 --> 00:05:49,230 The fourth one is different here.
85 00:05:49,230 --> 00:05:53,790 It ends with three seven zero and here it ends with four one zero.
86 00:05:53,910 --> 00:05:55,500 So let's change that first.
87 00:05:57,430 --> 00:06:01,930 Let's type in three seven zero, and the last one
88 00:06:03,800 --> 00:06:04,620 is also different.
89 00:06:04,650 --> 00:06:11,850 So here it is, B A F A eight, and here, if we change it, B A F eight.
90 00:06:12,090 --> 00:06:13,380 Now everything is good.
91 00:06:14,140 --> 00:06:19,620 So if we Ctrl+O to save this exploit now, we should have a working exploit.
92 00:06:20,820 --> 00:06:24,230 We can close this, we don't need it anymore.
93 00:06:24,660 --> 00:06:25,830 We can also close this.
94 00:06:26,100 --> 00:06:32,250 And if I go back to the page to check out the next step, it tells us to run ncat with the following
95 00:06:32,250 --> 00:06:33,450 command line arguments.
96 00:06:34,050 --> 00:06:39,300 So the purpose of running ncat is because once we exploit the target and we run the payload, it
97 00:06:39,300 --> 00:06:40,470 must connect to somewhere.
98 00:06:40,860 --> 00:06:46,220 Now, this listening for the incoming connection, the Metasploit framework did for us automatically.
99 00:06:46,470 --> 00:06:50,880 Right now we must do it ourselves and we're going to do it with the help of Netcat.
100 00:06:51,330 --> 00:06:58,440 So to listen for the incoming connection, we can type nc and then -lvp and then the port number,
101 00:06:58,440 --> 00:07:02,840 in this case listening on port four thousand four hundred and forty four.
102 00:07:03,540 --> 00:07:05,520 This will listen for the incoming connections.
103 00:07:05,670 --> 00:07:11,310 And once we run the exploit, the target machine will try to connect back to this port
104 00:07:11,310 --> 00:07:13,400 number right here on our IP address.
105 00:07:13,410 --> 00:07:17,970 Therefore, right after it, we should have a shell pop up right here and we should be able to execute
106 00:07:17,970 --> 00:07:19,290 commands on the target machine.
107 00:07:19,950 --> 00:07:20,370 Great.
108 00:07:20,730 --> 00:07:21,990 Let's check out the next step.
109 00:07:22,740 --> 00:07:27,510 The next step is to run the .py file with the following command line arguments.
110 00:07:28,050 --> 00:07:34,260 So the command that we must run is the file name, then the target IP address, then the Kali Linux IP
111 00:07:34,260 --> 00:07:37,110 address and then the port that we are listening on.
112 00:07:37,590 --> 00:07:43,560 And this reverse shell IP is just the IP address of the machine that you're listening for the incoming
113 00:07:43,560 --> 00:07:47,400 connections on, and you get the explanation right here as well.
114 00:07:48,460 --> 00:07:54,340 So let's try it out. We are listening right here already, and let us run the file right here.
115 00:07:54,520 --> 00:07:58,970 We're going to use python3 SMBleedingGhost.py.
116 00:07:59,410 --> 00:08:02,970 Then comes the target's IP address, which is, in my case, 192.
117 00:08:02,980 --> 00:08:06,100 168.1.5, as it says right here.
118 00:08:06,940 --> 00:08:11,830 Then comes the IP address of my Kali Linux machine, and I'm going to check it out inside of a
119 00:08:11,830 --> 00:08:12,660 third terminal.
120 00:08:12,700 --> 00:08:13,330 Real quick.
121 00:08:14,410 --> 00:08:15,850 It is not one of the 12.
122 00:08:18,690 --> 00:08:26,070 So let's type it right here, and the last step is to specify the port number that we are listening on, and
123 00:08:26,070 --> 00:08:32,220 in our case, that is port four four four four. If I press enter,
124 00:08:34,340 --> 00:08:41,110 we get an error that says no attribute WinDLL, and I knew this error would come up.
125 00:08:41,900 --> 00:08:46,570 The solution to this is to run the exploit from a Windows machine.
126 00:08:47,270 --> 00:08:53,000 So this file right here must be run from another Windows machine, and then we can redirect the connection
127 00:08:53,420 --> 00:08:56,120 to this Linux machine to pop a shell.
128 00:08:57,360 --> 00:08:58,080 Why is that?
129 00:08:58,140 --> 00:09:03,720 Well, this ctypes library has no attribute WinDLL, which is only to be run in a Windows environment, I
130 00:09:03,720 --> 00:09:04,080 believe.
131 00:09:04,380 --> 00:09:06,470 So let's test it out for this.
132 00:09:06,480 --> 00:09:13,650 I'm going to use my main Windows machine right here to run the exploit, and I will redirect the connection
133 00:09:13,650 --> 00:09:19,380 once exploited to the Kali machine that is already listening for the incoming connections.
134 00:09:19,800 --> 00:09:23,100 Now, I know it sounds a little bit complicated, but let's give it a try.
135 00:09:23,460 --> 00:09:26,230 I already downloaded the exploit right here.
136 00:09:26,760 --> 00:09:29,340 Here is the folder containing all of the other files.
137 00:09:29,970 --> 00:09:31,920 And if I open my command prompt,
138 00:09:35,060 --> 00:09:38,660 then I navigate to this directory right here containing the exploit,
139 00:09:43,550 --> 00:09:48,890 what I'm going to do is I'm going to run the exact same command that I ran previously on my Kali Linux
140 00:09:48,890 --> 00:09:49,250 machine.
141 00:09:49,250 --> 00:09:53,720 Just this time, I'll be running it from my main Windows machine.
142 00:09:54,660 --> 00:09:59,940 So the IP address of the target is first, then comes the IP address of the machine that is listening
143 00:09:59,940 --> 00:10:01,200 for the incoming connections.
144 00:10:01,380 --> 00:10:07,050 And this might sound confusing, but this is still the IP address of our Kali machine, if you want.
145 00:10:07,050 --> 00:10:09,870 However, you can also connect back to this Windows machine.
146 00:10:10,120 --> 00:10:16,670 But in that case, you must install Netcat for Windows and listen using Netcat from a Windows machine.
147 00:10:16,860 --> 00:10:21,900 And then right here you would specify the IP address of the Windows machine that is running the exploit.
148 00:10:22,530 --> 00:10:28,710 Since there is no need for me to do that, I will just specify the Linux IP address, and the port number
149 00:10:28,830 --> 00:10:30,480 is four four four four.
150 00:10:31,050 --> 00:10:31,440 Great.
151 00:10:31,710 --> 00:10:34,500 The command is here, and if we execute it,
152 00:10:36,920 --> 00:10:42,890 it will start to exploit, and sometimes this exploit will crash the target. As we can see right here,
153 00:10:43,580 --> 00:10:47,660 the first try of running this exploit crashed our target machine.
154 00:10:48,320 --> 00:10:52,700 And this is something that you must get used to once running these types of exploits.
155 00:10:53,060 --> 00:10:58,640 So what I'm going to do is I'm going to Ctrl+C to kill this exploit.
156 00:11:00,080 --> 00:11:05,330 And then what I'm going to do is clear the screen using the cls command, and I will run this command
157 00:11:05,330 --> 00:11:09,350 once again, just waiting for this Windows machine to boot up once again.
158 00:11:09,830 --> 00:11:12,020 And we are going to give it a second try.
159 00:11:12,770 --> 00:11:14,020 And now we're logged in.
160 00:11:14,030 --> 00:11:16,040 I will run the command once again.
161 00:11:16,520 --> 00:11:20,390 Now, there is a chance that it will crash once again, but hopefully it will not.
162 00:11:20,610 --> 00:11:21,530 And here it is.
163 00:11:21,530 --> 00:11:22,760 It crashed once again.
164 00:11:22,770 --> 00:11:28,630 So I'm just going to restart it again real quick and then run the exploit for the third time.
165 00:11:28,730 --> 00:11:30,740 Hopefully the third time it will work.
166 00:11:31,710 --> 00:11:35,400 OK, here it is, and hopefully the third time will be our lucky run.
167 00:11:35,580 --> 00:11:37,050 Let's run the exploit.
168 00:11:39,420 --> 00:11:41,490 For now, everything seems to be working.
169 00:11:41,550 --> 00:11:47,150 We haven't reached this point in the past two tries, so hopefully right now the target will not crash.
170 00:11:47,430 --> 00:11:53,550 And what we're looking for at the end of this is, after the exploit is done, we're looking to gain the
171 00:11:53,550 --> 00:11:56,720 shell right here inside of our Kali machine.
172 00:11:58,460 --> 00:12:00,530 So let's wait for this to finish.
173 00:12:01,820 --> 00:12:04,690 It tells us right here, wrote shellcode.
174 00:12:05,680 --> 00:12:12,610 And if I go to my Linux machine, here it is, we got the shell on our Windows 10 target machine.
175 00:12:13,180 --> 00:12:14,240 If I type whoami,
176 00:12:14,800 --> 00:12:16,160 we are the SYSTEM level account.
177 00:12:16,240 --> 00:12:22,690 So we are the highest level account possible. If I type ipconfig just to check whether we have the same
178 00:12:22,690 --> 00:12:25,470 IP address, and that indeed is the same machine.
179 00:12:26,020 --> 00:12:31,060 So we successfully exploited the Windows 10 target machine. Just for this,
180 00:12:31,060 --> 00:12:36,630 we had to use a Windows machine to run the exploit because of some libraries inside of the Python file.
181 00:12:37,090 --> 00:12:43,390 And if you notice right here, it tells us that if we disconnect and if we exit this exploit, the target
182 00:12:43,400 --> 00:12:44,360 will probably crash.
183 00:12:44,620 --> 00:12:48,940 So what we would want to do is we would want to execute all of the commands that we want to execute,
184 00:12:48,940 --> 00:12:51,220 do what we need to do on the target machine.
185 00:12:51,460 --> 00:12:57,280 And then after we're done and we've exited the shell, we can go right here and stop the exploit.
186 00:12:57,520 --> 00:13:03,250 And once this exploit has been disrupted, that will again crash the target machine.
187 00:13:03,280 --> 00:13:06,940 As we can see right here, just this time, we managed to run the shell.
188 00:13:06,940 --> 00:13:12,340 We managed to execute commands on the target machine for as long as we wanted before crashing the machine.
189 00:13:12,790 --> 00:13:18,580 So the goal right here is to first gain the shell and then the machine will crash, and not crash the
190 00:13:18,580 --> 00:13:20,320 machine at the beginning of the exploit.
191 00:13:20,560 --> 00:13:22,870 But that is something that we do not have control of.
192 00:13:23,020 --> 00:13:27,490 So sometimes you will gain a shell and sometimes you might crash the target machine.
193 00:13:29,110 --> 00:13:29,980 OK, great.
194 00:13:30,010 --> 00:13:32,870 So we successfully exploited the Windows 10 machine.
195 00:13:33,520 --> 00:13:37,480 We did it manually with the help of tools that we found online.
196 00:13:38,440 --> 00:13:44,200 We also set up our own listener that was waiting for the incoming connections, and now that we
197 00:13:44,200 --> 00:13:49,180 have covered all of these vulnerabilities, starting from the next video, we're going to see how we can
198 00:13:49,180 --> 00:13:52,140 attack targets that do not have any vulnerability.
199 00:13:52,300 --> 00:13:57,400 So we are going to see how we can generate our own payloads and how we can deliver them to the target
200 00:13:57,400 --> 00:13:57,800 machine.
201 00:13:58,270 --> 00:13:59,200 See you in the next video.