[00:00:00] Hello everybody. I had to split the tutorial because of technical problems, so right now let us just continue from where we stopped. I will just run my reverse shell once again, or pardon me, my server, in order to listen for the connection. So let me just run it. It prints out "listening for incoming connections". Let me enlarge this... it's not there, it's here. So zoom in, and right now this is the file that we received after we compiled it, and after we added the icon of that image. Once we run this, it should actually run the image first. So we should be opening this image and also opening our reverse shell in the background. This should also install persistence right away in the Roaming folder and also the Run registry key in our Windows registry. So let us go right here, go to the command prompt first before we run it, in order to check that everything worked well. So cd AppData\Roaming, and we can enlarge this. We can also go to the registry, its Run key, in regedit. We click here, yes. And we can see that there is nothing named backdoor right here, so let us run this program. We click on it and hopefully it will open the image and also it will create a registry key for us in the registry.
[00:01:33] So let us wait for this to open. It doesn't seem to actually open anything. So if that doesn't work we'll have to redo this, but sometimes some images won't really open. Let's see if at least our registry key was added, and we can see our registry key is added right here: reverse_shell.exe. Let's see if we received the connection; we did. But for some reason our image didn't open. So let us try something else. Let me just go to my Task Manager so I can delete, or close, the program; I can just find it. Here it is. End task. Now let's actually delete this as well and try to compile once again. So let me just go right here. You remember that we turned our image into an icon, so we should just be good to go right now: wine root .wine drive_c Python Scripts pyinstaller.exe, then --add-data for the image since we want to open it. We go to root, python programs, reverse, and then this image right here. But before we do that, let's see if we correctly specified the name of the image itself in the reverse shell. So before we run this let me just close this and go to reverse_shell.py. Let's see if there is any problem right here, why our reverse shell didn't really work.
[00:03:15] And there seems to be the problem. So we need to have a forward slash right here in order for it to be able to find our directory with our image. So right now we added the forward slash right here and the name of our image in our directory. So let us save this. And right now let us continue with these commands. So remember, after the specification of the image path you need to specify here a semicolon and then a dot. After that, what we want to do is go and specify other things as well, such as --onefile and --noconsole. And we also want to add the icon that we converted in the previous tutorial, so root Downloads I believe, and then the .ico file. This is the path to where we saved our image icon. And right now we want to specify the name of the file and we should be good to go, so I will click here, Enter, and let it compile. In the meantime I will plug in my USB drive... now let's plug the USB drive into the Kali Linux. We should delete the previous reverse shell so we don't confuse these two. This one should work now. The previous one didn't open the image because we didn't specify the forward slash, or the backward slash, in our reverse_shell.py. So let us open this terminal and delete the reverse_shell.exe.

[00:04:55] Now we can close this, close this as well, we can open this, and we can see that the compilation has finished, as we can see by this terminal; let's close it. OK. And right now we go to our dist directory and move the reverse_shell.exe into media root and then Kali Live. Once we move it we can now delete all of these files, and we can start our server. Now we can unplug our USB drive as usual. We open everything right here, we paste it to the desktop, and as we can see it looks exactly the same as the previous one. Just this one should open the image now. But before we actually do that we need to delete the previous backdoor.exe, since if we do not delete this and also the registry key, this will not open an image, since it only opens the image once it is being run for the first time. So let us delete the backdoor.exe through the command prompt, and also let us delete the registry key, so click here, Delete, delete this value. And right now if we run this we should actually open the image itself. As we can see it looks like a legit image; it just takes a few seconds to load. So here it is. It opened the image and this should look pretty normal for our user, or our target: they click on the icon that actually has this image.
[00:06:34] They also double click it and it also opens this image. Now most of the users do not have their extensions shown on their PC, so they will not be able to see the .exe here. And even if they do see the .exe, most of the non-technical people do not really know what executable means and they will probably think it is some glitch and that this is an actual image. But let's see, did we receive the connection? So we did receive the connection. Right now if we just type whoami we can see that we can execute the commands. And the good part right here is that it actually doesn't open the image at boot, even though we got the registry key right here. We also installed the registry key, and next time the system reboots it will not open an image, it will just open the reverse shell, which is good. So we got our fully working reverse shell right now, which opens the image, which also has the icon, and which can actually trick some users into running it. Now the next thing we want to do in the next video is I will show you how you can actually check if the user ran your program, or your backdoor, on the administrator account. If they did run it on the administrator account we can actually put our registry key inside the local machine, which will allow us to actually have persistence on every account on that machine.
[00:08:02] The key in the current user registry actually only gives us persistence if the user logs into the same account next time. But if they log in, for example, into the administrator account, we will not be getting the reverse shell back. So we want to first check if the user is admin, and if they are admin we will actually install it in the local machine. If they are not admin we will install it in HKEY_CURRENT_USER. So more about that in the next video. This was about it for now; I hope I see you in the next video. Take care, bye.