1 00:00:00,140 --> 00:00:02,310 Well, I am excited.
2 00:00:02,610 --> 00:00:04,700 And let me tell you how excited I am.
3 00:00:04,740 --> 00:00:07,300 This is not the first time ever recording this video.
4 00:00:07,350 --> 00:00:12,300 This is actually the second time recording this video, because the first time I forgot to hit the record
5 00:00:12,300 --> 00:00:12,630 button.
6 00:00:12,630 --> 00:00:15,560 So now it's blinking red right in front of me.
7 00:00:15,600 --> 00:00:21,030 Guaranteed recording, and I'm still as excited even the second time walking through this. I'm so excited
8 00:00:21,060 --> 00:00:23,510 because this is what we've been building up for.
9 00:00:23,550 --> 00:00:29,910 This is everything we've been doing: the scanning, the enumeration, even the Linux and the Python.
10 00:00:29,940 --> 00:00:33,810 This is all building up to this, and now we're ready to exploit.
11 00:00:33,810 --> 00:00:39,330 We're going to get our first shell. We're going to pop our first shell today, and I'm so excited for both
12 00:00:39,330 --> 00:00:40,020 of us.
13 00:00:40,050 --> 00:00:45,990 So what we're gonna do is we're going to run Metasploit for this one, and Metasploit is a little bit
14 00:00:46,030 --> 00:00:50,760 automated, but that's OK. In the next video we're gonna go ahead and cover it manually.
15 00:00:50,760 --> 00:00:57,690 So what we're going to do is we're going to attack SMB here, and with SMB, what we're gonna do is, if you
16 00:00:57,690 --> 00:01:02,460 don't remember, searchsploit Samba 2.2.
17 00:01:02,460 --> 00:01:09,340 We found Samba 2.2.1a. We searched around, we went out to the interwebs, we did searchsploit,
18 00:01:09,340 --> 00:01:19,810 and we kept seeing this trans2open show up, like here and here, here, here, all down here, right, repeatedly,
19 00:01:20,230 --> 00:01:23,620 and it meets the criteria. Everything seems to make sense.
20 00:01:23,740 --> 00:01:26,960 It had that IPC anonymous connection as well.
21 00:01:27,040 --> 00:01:32,690 So I think, I think this is a winner, and we're gonna go ahead and give it a try.
22 00:01:32,740 --> 00:01:37,760 So I'm going to copy this, and we're going to go ahead and type in msfconsole and load up Metasploit.
23 00:01:39,810 --> 00:01:44,790 Once Metasploit loads, we're gonna go ahead and just search for this guy and see if we can't find
24 00:01:44,790 --> 00:01:50,700 it. Now we know it exists, because we did find that handy-dandy Rapid7 website that said it did.
25 00:01:51,000 --> 00:01:59,010 So we're going to search it here, and we're given four options. Now these are all operating systems here,
26 00:01:59,370 --> 00:02:08,280 but we have been good enumerators and good investigators, researchers, information gatherers, etc. We could
27 00:02:08,280 --> 00:02:13,260 have willy-nilly just saw 139, said hey, I'm going to try to find exploits against it, and
28 00:02:13,260 --> 00:02:17,410 never looked at any other ports, but that's not us. We went out to port 80.
29 00:02:17,430 --> 00:02:21,360 We saw that it was running Red Hat. We discovered Linux on the machine.
30 00:02:21,360 --> 00:02:26,940 So we know we're going to pick the Linux module, so we're gonna say use 1, as that corresponds to this
31 00:02:26,940 --> 00:02:35,060 module here, and then we're gonna type in options, and all we have to do is set a RHOST.
32 00:02:35,160 --> 00:02:39,960 So remember, RHOST stands for remote host, or the victim that we're attacking.
33 00:02:39,960 --> 00:02:50,450 So we're going to say set RHOSTS 192.168.57.134, and we're going to say options one
34 00:02:50,450 --> 00:02:54,560 more time, make sure that that actually set in there, and it did.
35 00:02:54,560 --> 00:02:58,360 Now one thing I'd like to do is type in show targets.
36 00:02:58,370 --> 00:03:02,930 Now there are no targets here, but as you're going to see later on in the course, there are often targets
37 00:03:02,930 --> 00:03:04,510 that we have to pick from.
38 00:03:04,520 --> 00:03:08,000 Not always is the first choice that's auto-selected right for us.
39 00:03:08,210 --> 00:03:10,180 But in this instance there's only one choice.
40 00:03:10,250 --> 00:03:11,830 So it's the right choice.
41 00:03:11,870 --> 00:03:13,380 So now we have two options.
42 00:03:13,460 --> 00:03:19,580 Both are going to do the same thing for us. We could type in run, or we could type in exploit if we want
43 00:03:19,580 --> 00:03:20,330 to be cool.
44 00:03:20,330 --> 00:03:26,400 I want to be cool, so it's exploit. So we're gonna run this, and it's going to start this brute force
45 00:03:26,400 --> 00:03:30,320 attack here, and it's going to start opening shells and closing shells. What is going on?
46 00:03:30,870 --> 00:03:33,090 So let's Control-C if yours is doing this.
47 00:03:33,090 --> 00:03:35,810 Go ahead and Control-C, interrupt this.
48 00:03:35,820 --> 00:03:36,960 Let's talk about what's happening.
49 00:03:38,340 --> 00:03:40,560 So you see it's trying this brute force attack.
50 00:03:40,560 --> 00:03:43,490 It's trying different, different return addresses here.
51 00:03:43,530 --> 00:03:47,800 And finally it lands the one that works, and it says hey, I'm going to send this stage.
52 00:03:47,820 --> 00:03:48,810 This is always a good sign,
53 00:03:48,810 --> 00:03:50,580 by the way, sending the stage.
54 00:03:50,580 --> 00:03:57,320 Then it says hey, I've got this Meterpreter session open, because our payload has worked.
55 00:03:57,480 --> 00:04:01,340 And then this Meterpreter session closed, reason: died.
56 00:04:01,350 --> 00:04:02,570 That's not good.
57 00:04:02,580 --> 00:04:04,910 So it keeps going through over and over and over and over.
58 00:04:04,910 --> 00:04:06,840 And it is dying.
59 00:04:06,840 --> 00:04:07,860 What is going on?
60 00:04:08,700 --> 00:04:13,680 Well, we've talked about this. Let's go into options again now.
61 00:04:13,820 --> 00:04:19,400 You don't see this the first time you do it, but you see it the second time, because Metasploit says hey,
62 00:04:19,430 --> 00:04:20,910 if your payload's not working,
63 00:04:20,930 --> 00:04:26,120 maybe the payload is the issue, and I'm going to give you payload options this time around.
64 00:04:26,120 --> 00:04:28,560 Now we see payload options here in the middle.
65 00:04:28,730 --> 00:04:30,320 That wasn't there before.
66 00:04:30,500 --> 00:04:37,830 We can see that we're running linux/x86/meterpreter/reverse_tcp.
67 00:04:37,970 --> 00:04:38,870 What does that mean?
68 00:04:39,200 --> 00:04:42,220 Well, that means that we are running a staged payload.
69 00:04:42,260 --> 00:04:48,170 Couple of other things to note while we're in here: we see LHOST. That is the opposite of RHOST. LHOST
70 00:04:48,170 --> 00:04:48,920 is us.
71 00:04:48,940 --> 00:04:50,540 We are the listening host.
72 00:04:50,540 --> 00:04:55,450 So we sit here and we have our IP address. Sometimes it auto-selects correctly.
73 00:04:55,450 --> 00:04:56,570 Sometimes it doesn't.
74 00:04:56,570 --> 00:04:58,040 In this case it did.
75 00:04:58,190 --> 00:05:01,980 And then we have the LPORT, which is by default 4444.
76 00:05:02,300 --> 00:05:03,980 So that's fine for now.
77 00:05:03,980 --> 00:05:08,660 It's fine for these lessons. When you get into actually running this in the wild,
78 00:05:08,930 --> 00:05:14,390 4444 is probably going to get you picked up pretty quick, because this is a default Meterpreter
79 00:05:14,450 --> 00:05:14,840 port.
80 00:05:15,080 --> 00:05:22,150 So some connection sees a, or some antivirus or detection software sees 4444 open up,
81 00:05:22,280 --> 00:05:24,200 this is going to trigger an alarm here.
82 00:05:24,410 --> 00:05:29,400 But anyway, for this course you're not going to need to worry about it too much right now.
83 00:05:29,410 --> 00:05:31,370 We're going to go ahead and set a payload.
84 00:05:31,450 --> 00:05:32,800 We're going to say set payload.
85 00:05:33,430 --> 00:05:35,500 And how do we know what payload to pick?
86 00:05:35,530 --> 00:05:41,770 Let's just start typing out linux and hit tab, and it auto-tabs out the x86 part for us, and then just
87 00:05:41,770 --> 00:05:44,660 hit double tab.
88 00:05:44,680 --> 00:05:44,890 All right.
89 00:05:44,920 --> 00:05:46,180 Now a double tab.
90 00:05:46,210 --> 00:05:46,810 That's great.
91 00:05:46,810 --> 00:05:48,220 Look at the payload options we have.
92 00:05:48,220 --> 00:05:55,330 We've got a bunch. Now we've got a bunch of Meterpreters, but unfortunately they're all staged payloads
93 00:05:55,330 --> 00:05:56,150 here.
94 00:05:56,170 --> 00:05:57,750 I love a good Meterpreter shell.
95 00:05:57,790 --> 00:06:00,700 And you guys will understand why as we move forward.
96 00:06:00,790 --> 00:06:04,050 But as of right now, it doesn't look like we're gonna be able to use one.
97 00:06:04,330 --> 00:06:10,120 We come over to this right column here. You can see that we've got other shells as well, and we come down,
98 00:06:10,150 --> 00:06:11,590 and finally, down here,
99 00:06:11,620 --> 00:06:18,400 we've got a few options that are non-staged. So let's go ahead and try this shell_reverse_tcp
100 00:06:18,410 --> 00:06:26,220 right here, and you could just start typing that out, and that should auto-tab-complete for you.
101 00:06:27,000 --> 00:06:28,880 Go ahead and hit enter.
102 00:06:29,220 --> 00:06:33,060 Hit options one more time to make sure that this actually works.
103 00:06:33,060 --> 00:06:40,550 You can see here that it actually picked up, and now let's go ahead and try to run this, and let's see
104 00:06:40,550 --> 00:06:45,460 if it happens. Fingers crossed. Oh, look at that.
105 00:06:45,470 --> 00:06:49,790 So we've got a shell now, and this is command shell session 5.
106 00:06:49,880 --> 00:06:56,210 Let's try whoami: root. hostname: kioptrix.level1.
107 00:06:56,270 --> 00:07:03,500 We have successfully rooted this machine. Root is the commander of the system. We cannot go any deeper
108 00:07:03,500 --> 00:07:04,010 than this.
109 00:07:04,010 --> 00:07:05,940 We own this machine.
110 00:07:06,080 --> 00:07:07,950 Hands down, it's our machine.
111 00:07:07,970 --> 00:07:09,810 So congratulations.
112 00:07:09,980 --> 00:07:10,990 You have made it this far.
113 00:07:10,990 --> 00:07:13,490 This is your first rooted machine.
114 00:07:13,490 --> 00:07:14,600 You should be very proud.
115 00:07:14,600 --> 00:07:16,380 Pat yourself on the back.
116 00:07:16,460 --> 00:07:17,830 You're awesome.
117 00:07:17,840 --> 00:07:24,650 So from here we're going to go ahead and we're going to focus on port 80 and 443, and how we can exploit
118 00:07:24,650 --> 00:07:29,490 those manually, and then we'll move on to some other exploitation techniques.
119 00:07:29,570 --> 00:07:31,240 But for now, congratulate yourself.
120 00:07:31,250 --> 00:07:33,650 You have your first shell.
121 00:07:33,740 --> 00:07:35,250 I'm very excited for you.
122 00:07:35,330 --> 00:07:38,990 So I'll catch you over in the next video as you start some manual exploitation.