So we have gained root with Metasploit. But now we need to gain root with some manual exploitation. So remember earlier we discovered that we had an exploit with our mod_ssl, and we're going to see what we could do about it. So we went to Google, researched mod_ssl, and we came up with something called OpenLuck, if you remember that. So we clicked on this OpenLuck here, and this is the same as the one that is out there on Exploit Database, but it is fixed. So remember the Exploit Database one is broken, so you'd rather use this one that is fixed. So what we're going to do is we're going to follow the instructions here, and this is very well laid out. So it tells you to git clone this, we need to do an install of the libssl-dev library, we need to compile, and then run the exploit. So very, very straightforward. We're going to go ahead and do exactly what it says, and let's go ahead and just copy this first line here, and I'm going to just make this a little smaller, go into a terminal. I actually have a folder for the exploits; I'm going to cd into it, and then we're going to go ahead and just paste that line, and it will git clone everything if we let it. Now we see that it is there. So let's cd into that folder.
The bad-word folder, we'll call it, and now you can see that there is just the .c file here and the README. So what we're gonna do is we need to install this libssl-dev. So we're gonna say apt install and then libssl-dev, like this, hit enter, and then just hit enter because it says yes already. This will take just a second to install, and then once it does this we're going to use a tool, looks like, called gcc. gcc is a compiler. So if you've never used C or aren't familiar with C: we have a .c file, but this isn't ready to use. We have to compile that .c file in order to actually use it. So that's what we're doing here: we're downloading a little bit of stuff to actually build and compile that. gcc is built in, and we just need some other things additionally. So now what we're gonna do is we're going to say gcc, and typically you say -o for the output, so we can call it whatever we want; we'll just call this "open", and then we'll just specify the file. You can start typing it and then tab out, and then it says this -lcrypto, which is important. Hit enter. OK. And then hit ls and you see now it's pretty green, green lighting up and saying hey, we're executable. We have our executable. We have our script that we can run.
So we could say ./open and run it, and you can see in here all the different options that this runs against. So remember one is brute forcing, the last one. When we saw the trans2open kind of doing brute force, in theory this is what it could do as well. But here we have to pick a return address based on our machine. So we're going to look at the usage. I always like to run the application without any arguments to see what the usage is, and we need to use target box, which is one of these down here. We need to select a port, maybe. It says for SSL connection; we're not going to be using an SSL connection, don't worry about that. And then a -c number, and it says use range 40 to 50 if you don't know. So our syntax is going to look something like ./open, one of these offsets that we're gonna pick, and then it's going to be a -c, probably 40, with the box IP address in between. So how do we find what we're looking for? Well, I'm gonna cheat just a little bit and tell you guys to scroll down, down, down, down, down, and if we look at 6b here, remember we were up against Apache 1.3.20. Enumeration comes into play big time. So Apache 1.3.20.
Now there are two we can run against. I'm picking this one; I believe it's the more stable one, so we could pick either one, but I would choose B. I think A doesn't work all the time, so let's choose B here, and Apache 1.3.20 is the indicator, and again Red Hat Linux, that's another indicator. So let's copy this so we don't forget it, and we're just going to scroll down and we're gonna say hey, ./open, and we're going to paste that 0x6b, and then we're going to run this against the IP address because it said box was next. So .134, and then remember we had to give a -c of 40, so that is the syntax. Sometimes you have to follow along and it's... I don't think most of them are as confusing as this. I don't know if I would say this is confusing; I would say it's pretty lengthy for an exploit, because you have to go through all the different offsets here to find the offset and actually fire this off. But you know, you have the opportunity here to actually be able to read usage and just understand your way through it. So once you get this little syntax and all this part down, it's really not that bad. So to check off the list: we've got the target, we've got the box IP address, we don't need the port because we're not running against SSL, we're just gonna run this against port 80, and then we're going to run -c of 40.
So let's go ahead and try to fire that off and see what happens here, and this may just take a second. OK, says it's finding a shell. Now we wait for the shell. Let's scroll up just a little bit while we're waiting here to see. So it looks like it sent the shellcode and it spawned a shell. It says hey, we have no job control in this shell. And then it has a shell here, bash 2.05. That is a shell, and then it's going in and it's doing some wgets. Now if this is able to get out to the Internet, it's going to go ahead and try to do wgets against these. It's going to keep downloading and it's going to get the response here, OK. And now, as we wait for the shell, because it saved this .c file here, let's see if maybe we already have a shell. whoami. root. Look at that. So it looks like it downloaded something and allowed us to maybe privilege escalate here, and let's say hostname. OK. So we've gone through and we've rooted this machine with Metasploit, and now we've gone through and rooted this machine with the manually downloaded exploit. So there's two options. You're going to find out that Metasploit is a more robust and popular option, especially as a penetration tester.
Now there is a common misconception, or thought process, put out there by certifications. The OSCP, for example, doesn't let you use a lot of... well, only one instance of Metasploit on their exam. So everybody thinks, man, I really shouldn't use Metasploit, but you're going to see in this course how useful it really is and how robust it is, and if you talk to a penetration tester they're going to use the best tools available to them. The certifications out there that do that are just making it harder to pass the exam intentionally than they are, you know, for practicality. This course is all about practicality. So from here, now that we can exploit it manually, let's talk about a couple of things that we look for in post, so post being post-exploitation, and we're going to cover this over and over and over again. We're not going to get into it fully right now; I just want to give you an idea as to the thought process. So the first thing to think about is what is our IP address. We could say ifconfig, if it'll allow us to. It just depends on what kind of shell we're in, and see, this one is a weird shell. We could try ip a. It's still not going to be found. If we try some commands like arp or route,
I doubt they're going to be found right now either, but we want to look at the routing table, the ARP table; we want to see if this machine is what's called dual-homed, and you're going to learn more about that when we get into the pivoting. But if this has two NICs and we're on one network and the other NIC is on a second network that we never saw before, then maybe we can do something called pivoting and move into that new network. But we would be able to identify who the machine's talking to with an ARP table or a route. We could also look at, like, sudo privileges, so we could say things like sudo -l, but we are root, so we can run as everybody. So a sudo user, as we talked about in the Linux lessons, a sudo user is able to run commands as elevated. But here as root we are obviously already elevated. So other things that we can do: we can cat what's called the /etc/passwd file. Now this is very misleading, because the /etc/passwd file used to be the password file. Now it just holds a placeholder, so you could see all the users that are on this computer, root being this one. There's a lot of built-in users here, but if you always scroll down to the bottom and you start at the five hundreds, that's where your users start. So there's actually two users on this computer as well: one's named John, the other is named Harold.
So we look at these users and we say OK, well, there's no password in this password file, but there used to be. Back in the day there used to be; that's why they called it this. And now they moved it to this placeholder of an x. And what we can do is we can come in here and we can say hey, cat /etc/shadow, and now you see the hashes are in here. So these hashes are what the x is placeholding for. We can actually combine both of these files with a tool and go offline and try to crack these. We'll work on that later on in the course. But just for now, like, getting your wheels spinning as to what we can do with root-level access: we need to start enumerating again, looking at files on the computer, seeing what's out there and what we can do with it. But we'll get into post-exploitation techniques and thought process as we go through the Active Directory portion of the course, because I think it plays hand in hand, and we could talk about password cracking there and how to attack some of this stuff. But there will be a password cracking video on the Linux side as well when we get into the post-exploitation phase of this. But that's really it for now. So we've got the shadow. We can take this offline, try to crack it. We can enumerate files.
We can try to, you know, break into user folders and see what they've got in there; maybe they've got password files stored in there, et cetera. So from here we have rooted this machine twice. We've rooted it with Metasploit, we rooted it manually, and now we can start moving on. I do want to show you a few more attacks, so here's what's going to happen over the next few videos: we're going to talk about brute force attacks really quick on SSH. We're going to talk about credential stuffing; we're going to revisit that concept that we talked about in information gathering, and then we're gonna look at our notes and we're just going to compare notes and see where we're at with findings and everything else. After that we're gonna get into what I like to call the mid-course capstone, which is going to allow us to do a bunch of exploitation against a bunch of machines, and it should be really fun. So that's my spiel again; I will catch you over in the next video as we talk about brute force attacks.