1
00:00:00,890 --> 00:00:07,000
So we've run our exploit on a Windows 7 computer and now the Windows 7 computer is phoning home,

2
00:00:07,010 --> 00:00:11,470
you see that we have a session open from our 10:00, not Odah three to four.

3
00:00:11,780 --> 00:00:15,140
That is my Windows 7 virtual machine.

4
00:00:15,650 --> 00:00:18,980
So I'm going to set up an interactive session.

5
00:00:18,980 --> 00:00:22,160
So I'm actually going to set up a shell using that Meterpreter.

6
00:00:22,940 --> 00:00:26,970
And I'm going to say sessions dash,

7
00:00:27,030 --> 00:00:28,760
I want an interactive

8
00:00:29,700 --> 00:00:37,360
console on session one: sessions -i, and my session number will usually be one for the first machine

9
00:00:37,360 --> 00:00:43,890
you compromise, but if you send this out to 10 PCs on your business's network with your boss's permission

10
00:00:44,340 --> 00:00:50,820
and five of the employees click through the link and install the software, you're going to see session

11
00:00:50,820 --> 00:00:52,350
one, two, three, four and five.

12
00:00:52,350 --> 00:00:57,470
And you can navigate between those with sessions -i, space, and the number of the session.

13
00:00:58,230 --> 00:01:03,240
And now I have a live interactive session with that guest computer.

14
00:01:03,750 --> 00:01:08,190
I can do pwd: what is my present working directory?

15
00:01:08,190 --> 00:01:13,020
You can see I am in C:\Users\IEUser\Desktop.

16
00:01:13,530 --> 00:01:23,640
I can cd space dot dot and then pwd to get my present working directory, and IEUser. I can cd into

17
00:01:23,640 --> 00:01:28,590
Downloads, pwd and then ls.

18
00:01:29,680 --> 00:01:37,750
And you can see I have my game file that I downloaded on my C:\Users\

19
00:01:38,990 --> 00:01:48,050
IEUser\Downloads folder, so I have, I am on my Windows 7 computer controlling it from Kali

20
00:01:48,050 --> 00:01:55,240
Linux using Meterpreter and Metasploit, so I am running this interactive shell.

21
00:01:55,610 --> 00:02:03,050
There are several things that I can do while I'm logged in to my Windows 7 computer from this Meterpreter

22
00:02:03,050 --> 00:02:03,410
shell.

23
00:02:04,010 --> 00:02:05,060
Let's do a couple more things.

24
00:02:05,060 --> 00:02:06,080
getuid.

25
00:02:07,820 --> 00:02:14,150
This will get the user ID that I'm logged in as. I'm logged in just as that IE8 Windows 7 IEUser,

26
00:02:14,150 --> 00:02:19,600
not a very powerful user, in fact, pretty restricted user, which is a good thing.

27
00:02:20,240 --> 00:02:28,700
Let's try to get the password hash file, running hashdump, and you'll see the script requires the use

28
00:02:28,700 --> 00:02:35,060
of a SYSTEM user context, not just a regular Windows 7 user.

29
00:02:35,450 --> 00:02:41,790
So I'm going to need to escalate privileges to be able to do anything really interesting.

30
00:02:41,810 --> 00:02:50,330
That means I'm going to have to elevate myself from this Windows, IE8 Windows 7 user to

31
00:02:50,330 --> 00:02:54,770
a system-level user or an administrator on the Windows 7 box.

32
00:02:55,040 --> 00:03:03,740
And we're going to see how to root or escalate privileges using another exploit in Metasploit

33
00:03:03,920 --> 00:03:05,120
in the next lesson.