1
00:00:00,090 --> 00:00:01,090
All right.

2
00:00:01,170 --> 00:00:02,310
Two videos left.

3
00:00:02,310 --> 00:00:10,710
So now we're on to Grandpa, and Grandpa lives at 10.10.10.14. I think by this point, if you're

4
00:00:10,710 --> 00:00:15,870
following along, you can probably do this one on your own. So if you haven't tried it already on your

5
00:00:15,870 --> 00:00:16,460
own,

6
00:00:16,590 --> 00:00:17,370
give it a go.

7
00:00:17,370 --> 00:00:18,630
See what you can do.

8
00:00:18,630 --> 00:00:24,210
See if you can piece it together, and if not, if you'd like to follow along,

9
00:00:24,270 --> 00:00:26,990
get your scan ready and meet me in the next video.

10
00:00:27,000 --> 00:00:28,280
Same as before.

11
00:00:28,320 --> 00:00:30,030
So I will catch you over there.

12
00:00:30,030 --> 00:00:30,360
All right.

13
00:00:30,360 --> 00:00:33,090
Let's take a look at these scan results.

14
00:00:33,090 --> 00:00:35,220
And I swear this isn't intentional.

15
00:00:35,220 --> 00:00:41,610
This is probably the fourth week in a row, I think, that we only have one port open, and that's again convenient

16
00:00:41,610 --> 00:00:42,050
for us.

17
00:00:42,060 --> 00:00:47,070
And I don't know if it's just an indicator of the easier machines having a smaller attack surface or

18
00:00:47,070 --> 00:00:54,710
what exactly is going on here, but to our benefit nonetheless. So we look at this.

19
00:00:54,740 --> 00:01:01,230
And right off the bat we see that the version of the web server is Microsoft IIS 6.0.

20
00:01:01,230 --> 00:01:05,910
Now that is an incredibly old version of IIS.

21
00:01:05,990 --> 00:01:09,770
Don't quote me on this, but I think they're at least at 10 right now.

22
00:01:09,770 --> 00:01:14,990
So we know that we've already got a dated version here, so that's interesting.

23
00:01:14,990 --> 00:01:20,560
The other interesting items here are the potentially risky methods.

24
00:01:20,660 --> 00:01:28,520
So it's got a bunch of different methods that are allowed here, one of which is TRACE.

25
00:01:28,520 --> 00:01:34,930
And then the other, which is PUT. So with PUT, potentially we could put a malicious file on the server.

26
00:01:35,030 --> 00:01:41,310
That's not always the case. PUT has other uses other than just putting a malicious file on a server.

27
00:01:41,450 --> 00:01:47,470
And it's not always available to do so, even if it is a method that's allowed.

28
00:01:47,870 --> 00:01:50,260
But it is potentially risky.

29
00:01:50,300 --> 00:01:55,220
The other one is TRACE, and we may have talked about this in the past, but there is something called

30
00:01:55,220 --> 00:01:56,970
cross-site tracing.

31
00:01:57,130 --> 00:02:02,330
Now that is when you have a cross-site scripting vulnerability and you have the capability of running

32
00:02:02,330 --> 00:02:09,140
TRACE, which can lead to cross-site tracing. It's a much older exploit, but when you see the potentially risky method

33
00:02:09,140 --> 00:02:10,470
of TRACE show up,

34
00:02:10,640 --> 00:02:11,960
this is why.

35
00:02:11,960 --> 00:02:16,510
And if I were to see this on a web app pen test, I'd probably say, hey, why are you running TRACE?

36
00:02:16,520 --> 00:02:17,500
What's the point of leaving...

37
00:02:17,930 --> 00:02:18,530
leaving it open?

38
00:02:18,530 --> 00:02:20,940
And most people will just turn it off.

39
00:02:21,050 --> 00:02:26,720
Other than that, we can look through here and see that the title is "Under Construction". So if we go to

40
00:02:26,720 --> 00:02:33,700
the web, we could see, OK, it is under construction, and this is an older IIS under construction page

41
00:02:33,700 --> 00:02:34,720
as well.

42
00:02:34,720 --> 00:02:38,420
So it's just got really that old feel to it.

43
00:02:38,560 --> 00:02:43,360
And another thing I should point out is, if you're unfamiliar with the methods, or if you're unfamiliar

44
00:02:43,360 --> 00:02:49,750
with the response codes, like a 200 or 404, etc., it's best to just pick those up.

45
00:02:49,750 --> 00:02:51,990
It's only going to help you in your career.

46
00:02:52,090 --> 00:02:59,470
And it's probably web app 101 just to cover, you know, the different response codes

47
00:02:59,470 --> 00:03:03,830
and understanding the different methods. You may be asked about those in an interview.

48
00:03:03,880 --> 00:03:10,230
So definitely pick those up and understand what they mean. Looking through here, we also see that there

49
00:03:10,230 --> 00:03:13,630
is a Microsoft Windows 2003 possibility.

50
00:03:13,650 --> 00:03:16,950
That's how old IIS 6.0 is.

51
00:03:16,950 --> 00:03:21,950
It could also be 2008 Server, XP, or 2000.

52
00:03:22,050 --> 00:03:27,680
So let's go ahead and just take a peek at this. First, let's just copy the service.

53
00:03:27,690 --> 00:03:31,800
The other thing that we could do is, since there's nothing here, we could run DirBuster and see if there's

54
00:03:31,800 --> 00:03:35,450
anything hiding behind this web server, but because it's so old,

55
00:03:35,460 --> 00:03:38,780
I just want to look at the service and see what kind of exploits might be out there for it.

56
00:03:38,820 --> 00:03:43,860
Let's go ahead and just go out to the Google machines and we'll paste this, and then we'll search

57
00:03:43,860 --> 00:03:47,720
for "exploit". Because it knows us, you could tell

58
00:03:47,720 --> 00:03:54,180
I've navigated out to this once before in the past, but let's open up this IIS 6.0 WebDAV

59
00:03:54,780 --> 00:03:59,750
and see what we can do with it.

60
00:03:59,810 --> 00:04:07,670
Now you can see that WebDAV ScStoragePathFromUrl. I'm going to go ahead and just copy this, but the

61
00:04:07,740 --> 00:04:10,050
description here is this is a buffer overflow.

62
00:04:10,100 --> 00:04:11,750
OK.

63
00:04:12,140 --> 00:04:21,800
And it's in the WebDAV service in IIS 6.0 in Microsoft Server 2003, allows remote attackers

64
00:04:21,800 --> 00:04:28,970
to execute arbitrary code via a long header. So we need to meet a few requirements here. We have to have

65
00:04:28,970 --> 00:04:30,110
the WebDAV service.

66
00:04:30,110 --> 00:04:31,550
I think that's a check.

67
00:04:31,550 --> 00:04:32,870
We have IIS 6.0.

68
00:04:32,870 --> 00:04:33,740
That's a check.

69
00:04:33,740 --> 00:04:36,810
And then Microsoft Windows Server 2003.

70
00:04:36,950 --> 00:04:42,080
We're not sure, but it's a good possibility that we have it, and we could take a look at the code and just

71
00:04:42,080 --> 00:04:43,450
see what they're doing.

72
00:04:43,640 --> 00:04:48,010
Looks like this is Python, and they're just importing a socket.

73
00:04:48,020 --> 00:04:52,850
So they're gonna say, hey, connect over, and we're going to connect over to this.

74
00:04:52,840 --> 00:04:57,610
We're gonna send this long header, and then they're gonna have a payload. This is the payload, and it's

75
00:04:57,600 --> 00:05:02,330
kind of shellcode, and they're just gonna say, hey, connect back to us.

76
00:05:02,330 --> 00:05:03,340
And that's pretty much it.

77
00:05:03,350 --> 00:05:04,870
If you've seen a buffer overflow before,

78
00:05:04,870 --> 00:05:08,170
this looks very, very similar and very basic.

79
00:05:08,240 --> 00:05:13,430
So let's go ahead and go back to the scan window here, and I'm just gonna do a search for it really quick

80
00:05:13,520 --> 00:05:18,400
on this and see what's available to us.

81
00:05:18,750 --> 00:05:23,190
So Python, that is 41738, which is this one.

82
00:05:23,220 --> 00:05:28,710
OK, it's already on our machine, but we also have the Ruby module. So Ruby means Metasploit. Metasploit's

83
00:05:28,710 --> 00:05:29,310
our favorite.

84
00:05:29,310 --> 00:05:33,810
Let's go ahead and just use Metasploit here, the MSF console.

85
00:05:37,470 --> 00:05:39,600
And we're gonna give this a go.

86
00:05:39,600 --> 00:05:46,500
So let's go ahead and search for that one more time. OK.

87
00:05:46,500 --> 00:05:53,010
And a trick somebody sent in is you can say "use" and then the number next to it, which I did not know.

88
00:05:53,010 --> 00:05:56,900
So thank you for sending that trick in. Very useful information.

89
00:05:56,910 --> 00:06:00,240
And you guys teach me as much as I teach you.

90
00:06:00,270 --> 00:06:03,920
So here's a little tip or tidbit from a user.

91
00:06:04,380 --> 00:06:06,060
So "use 0".

92
00:06:06,090 --> 00:06:09,900
Let's go ahead and say "options". OK.

93
00:06:09,920 --> 00:06:11,320
The target URI is correct.

94
00:06:11,320 --> 00:06:12,260
We're not changing that.

95
00:06:12,280 --> 00:06:14,170
Our port of 80 is correct.

96
00:06:14,170 --> 00:06:16,390
So all we need to add here is the RHOST.

97
00:06:16,450 --> 00:06:23,350
So let's just say "set RHOST 10.10.10.14", and then let's show targets and make

98
00:06:23,350 --> 00:06:25,720
sure there's no other targets.

99
00:06:25,750 --> 00:06:26,010
OK.

100
00:06:26,040 --> 00:06:31,330
So it has to be 2003 R2 Service Pack 2 on x86 architecture.

101
00:06:31,390 --> 00:06:33,790
So fingers crossed, let's hope this works.

102
00:06:37,870 --> 00:06:40,030
Play a little bit of Jeopardy music here.

103
00:06:41,240 --> 00:06:43,970
And it said no session was created.

104
00:06:44,030 --> 00:06:51,200
OK, let's try running it again, and it may take a couple of tries for this to actually function the way

105
00:06:51,200 --> 00:06:57,070
it should, and let's try setting the LPORT to all fives as well.

106
00:06:57,060 --> 00:06:57,950
We'll see if that works.

107
00:07:04,750 --> 00:07:06,170
If this doesn't work,

108
00:07:06,190 --> 00:07:08,980
we might have to reset the machine. Yours hopefully worked.

109
00:07:08,980 --> 00:07:10,210
There it goes.

110
00:07:10,330 --> 00:07:12,880
So, very tricky exploit to get going.

111
00:07:13,210 --> 00:07:18,520
So even when you have the right exploit, sometimes it doesn't work the first time.

112
00:07:18,520 --> 00:07:22,960
So please, if you have a hunch, give it a go a couple of times.

113
00:07:22,960 --> 00:07:25,210
Don't just give up on the first go.

114
00:07:25,440 --> 00:07:28,390
We've got it running, so that's awesome.

115
00:07:28,390 --> 00:07:30,670
Let's take a look at who we are.

116
00:07:31,600 --> 00:07:38,970
And you could see that we're getting access denied. OK, let's say "sysinfo". We are x86 architecture,

117
00:07:38,970 --> 00:07:40,560
x86 Meterpreter.

118
00:07:40,560 --> 00:07:41,160
That's good.

119
00:07:41,160 --> 00:07:42,540
There's two logged-on users.

120
00:07:42,570 --> 00:07:43,990
OK, let's say

121
00:07:44,010 --> 00:07:47,100
"ps" and look at some of the services that are running. This'll

122
00:07:47,100 --> 00:07:50,700
give us an idea as to maybe who we are.

123
00:07:50,700 --> 00:07:54,440
You see the user here in this session is empty.

124
00:07:54,450 --> 00:08:01,410
So really we don't know who we are at the moment, but we are not SYSTEM.

125
00:08:01,410 --> 00:08:06,930
We can identify with that SYSTEM one because that command is failing too, because if we were SYSTEM we

126
00:08:06,930 --> 00:08:12,810
would see that we were capable of looking into any of these here.

127
00:08:12,840 --> 00:08:18,060
Our session is running here on these services.

128
00:08:18,060 --> 00:08:22,900
So we're going to have to pick and choose one and see if we can't get it to work.

129
00:08:22,950 --> 00:08:27,600
So let's go ahead and migrate and see if we can get a user with the network service, since we're not

130
00:08:27,600 --> 00:08:30,630
getting a user with the getuid right now.

131
00:08:30,660 --> 00:08:36,210
So we'll say "migrate" and we'll pick the first one, 1788, and see if it works.

132
00:08:36,240 --> 00:08:37,280
Fingers crossed.

133
00:08:37,320 --> 00:08:42,540
Hopefully it works. And it works. So let's try "getuid" again. OK.

134
00:08:42,560 --> 00:08:45,800
So now we're NT AUTHORITY\NETWORK SERVICE.

135
00:08:46,190 --> 00:08:49,370
So let's background this, and we're still not SYSTEM.

136
00:08:49,370 --> 00:08:50,800
So we're gonna have to do some privesc.

137
00:08:50,810 --> 00:08:51,930
Let's do the

138
00:08:51,950 --> 00:08:53,400
suggester.

139
00:08:53,610 --> 00:08:56,090
Now this should all be very, very familiar to you.

140
00:08:56,090 --> 00:08:57,310
Right?

141
00:08:57,350 --> 00:09:04,260
Let's check options and we'll say "set session 1". Run this. OK.

142
00:09:04,280 --> 00:09:06,050
So this should all be very familiar to you.

143
00:09:06,090 --> 00:09:11,750
The whole process of enumeration. I think this machine is probably easier than Optimum.

144
00:09:11,760 --> 00:09:13,500
Especially when it comes to privesc.

145
00:09:13,890 --> 00:09:21,090
Now, Optimum, you know, we saw that x64 is not very reliable with the Windows local exploit suggester, but it

146
00:09:21,090 --> 00:09:25,500
should still be something that we're going to at least check if we have a Meterpreter shell and

147
00:09:25,500 --> 00:09:28,920
we're doing a capture-the-flag type box like this.

148
00:09:29,220 --> 00:09:37,020
This isn't super realistic when it comes to, you know, the real world, honestly, because we're probably

149
00:09:37,020 --> 00:09:39,840
gonna be looking at some sort of Active Directory privesc.

150
00:09:40,080 --> 00:09:46,440
I can't even recall the last time that I've used a local privesc to actually get SYSTEM on a machine,

151
00:09:46,920 --> 00:09:52,480
other than maybe doing some limited-scope assessments, and even then getsystem from Metasploit worked.

152
00:09:52,620 --> 00:09:59,090
So we should always be, you know, keeping them in the back of our mind, but this methodology is good to have

153
00:09:59,100 --> 00:10:01,860
and good for a beginner mindset.

154
00:10:01,980 --> 00:10:08,040
So please do keep in mind, and hopefully your mind went right to, hey, OK, I got the shell and now I need

155
00:10:08,040 --> 00:10:10,680
that local exploit suggester to at least give it a go.

156
00:10:11,370 --> 00:10:11,570
OK.

157
00:10:11,580 --> 00:10:19,890
So now we've got three different options. Four, five, six, seven, eight, nine potential options, actually. We

158
00:10:19,890 --> 00:10:23,230
can just copy these and try to go down the list and see if it works.

159
00:10:23,280 --> 00:10:31,620
So let's say "use" and I'll paste that one. If this one doesn't work, we'll do the tcpip piece. I

160
00:10:31,620 --> 00:10:34,590
do know that works. What's the options here?

161
00:10:34,590 --> 00:10:36,830
Set session to 1.

162
00:10:36,840 --> 00:10:37,480
We're going to run it.

163
00:10:37,500 --> 00:10:43,460
It's going to fail because, look at this, you could see that it's on the wrong IP.

164
00:10:43,470 --> 00:10:45,470
So let's do "set

165
00:10:45,490 --> 00:10:49,860
LHOST" to eth0, or tun0, sorry.

166
00:10:50,400 --> 00:10:51,750
And then "options".

167
00:10:51,750 --> 00:10:53,160
Make sure that's correct.

168
00:10:53,250 --> 00:11:01,400
Let's try running it again and see if that actually exploits. Hey, OK, let's see what we got. "sysinfo",

169
00:11:01,400 --> 00:11:10,250
"getuid". We are NT AUTHORITY\SYSTEM. We have rooted this machine. So let's go back and talk briefly about

170
00:11:10,310 --> 00:11:12,020
everything that just occurred.

171
00:11:12,020 --> 00:11:15,860
Well, first of all, we ran our scan. We saw that the service is potentially vulnerable.

172
00:11:15,860 --> 00:11:18,660
There was some other stuff in the service too, right?

173
00:11:19,130 --> 00:11:20,940
We saw potentially risky methods.

174
00:11:20,980 --> 00:11:25,130
I explained a couple of them that might be risky, with the PUT and the TRACE.

175
00:11:25,130 --> 00:11:28,840
I do encourage you guys again to go back and learn these methods.

176
00:11:28,850 --> 00:11:31,000
The other thing that we saw was, OK,

177
00:11:31,010 --> 00:11:35,340
they're using a default under construction page, and there's IIS 6.0.

178
00:11:35,430 --> 00:11:37,780
This is probably the first thing we're going to target with a scan.

179
00:11:37,790 --> 00:11:42,670
If we didn't find anything malicious here, then we would go back to the drawing board and probably run

180
00:11:42,670 --> 00:11:48,590
DirBuster or some sort of deeper enumeration into this website to see maybe if there's something

181
00:11:48,590 --> 00:11:49,820
hiding in the back.

182
00:11:50,360 --> 00:11:53,070
But we did find a potential exploit.

183
00:11:53,240 --> 00:11:58,750
We ran that exploit and realized it takes a few times sometimes for an exploit.

184
00:11:58,760 --> 00:12:05,030
Got it to work, went into this getuid and saw something we haven't seen before, which is access

185
00:12:05,030 --> 00:12:08,390
is denied, because we weren't getting access denied.

186
00:12:08,390 --> 00:12:14,180
We can take a look at the ps, which is a similar, same thing as a Task Manager, and just see that there's

187
00:12:14,690 --> 00:12:15,610
nothing here.

188
00:12:15,650 --> 00:12:19,430
There's not a service on this rundll32 or a user.

189
00:12:19,430 --> 00:12:26,110
So we migrated to a user that we can actually use. If we were to attempt to actually use this suggester

190
00:12:26,120 --> 00:12:28,440
here without this user,

191
00:12:28,440 --> 00:12:30,060
I think we would run into issues.

192
00:12:30,290 --> 00:12:35,840
So it's always best to switch over if you can and migrate the process, and then just kind of go from

193
00:12:35,840 --> 00:12:36,290
there.

194
00:12:36,950 --> 00:12:42,200
So we did that. We ran the suggester. We picked the first one because we're a little bit of script kiddies.

195
00:12:42,200 --> 00:12:46,010
That's OK. We just grabbed the first one and gave it a go.

196
00:12:46,010 --> 00:12:48,070
Chances are more than one of these work.

197
00:12:48,080 --> 00:12:50,090
I know the tcpip works as well.

198
00:12:50,840 --> 00:12:52,420
So we grabbed that,

199
00:12:52,490 --> 00:12:57,490
set our settings, and then ran it and got our NT AUTHORITY\SYSTEM shell.

200
00:12:57,860 --> 00:13:04,280
So now you can go into the shell and actually grab the root.txt, user.txt if you want, and

201
00:13:05,120 --> 00:13:05,870
go from there.

202
00:13:06,320 --> 00:13:10,240
So now I'm going to go ahead and pause the video. You should pause the video as well.

203
00:13:10,250 --> 00:13:17,210
I'm going to get the scan up and running for Granny, and then we will meet back over in just a second.

204
00:13:17,210 --> 00:13:17,500
All right.

205
00:13:17,500 --> 00:13:21,770
The scan looks eerily similar to what we saw before.

206
00:13:21,800 --> 00:13:23,320
We've got port 80 open.

207
00:13:23,360 --> 00:13:24,650
We've got Microsoft

208
00:13:24,670 --> 00:13:31,370
IIS httpd 6.0. We've got some potentially risky methods. We've got under construction, and

209
00:13:31,370 --> 00:13:36,390
if you go out to the page, it looks exactly the same.

210
00:13:36,400 --> 00:13:38,150
So here's my challenge.

211
00:13:38,710 --> 00:13:44,200
I'm actually not going to walk through this box, because it's so similar, because I just gave you the

212
00:13:44,200 --> 00:13:49,090
methodology. I want you to do this one on your own. If you've not done this one on your own, this is your

213
00:13:49,090 --> 00:13:51,850
opportunity now to go and do it.

214
00:13:51,850 --> 00:13:54,100
Now, the path is slightly different.

215
00:13:54,100 --> 00:13:58,210
You might have to find a different exploit to get into this machine.

216
00:13:58,210 --> 00:14:04,360
So don't just think you can copy the methodology precisely from the last one, but you have a 90 percent

217
00:14:04,360 --> 00:14:05,890
similar overlap.

218
00:14:05,890 --> 00:14:12,430
So give this one a go. Take everything that you've learned in this lesson with the service enumeration.

219
00:14:12,430 --> 00:14:19,620
Do a little research on Google, get those exploits, go in, and then figure out how to hack this machine.

220
00:14:19,690 --> 00:14:23,650
I have full faith in you guys and know that you can do it.

221
00:14:23,680 --> 00:14:26,630
So that is it for this lesson.

222
00:14:26,680 --> 00:14:28,780
So thank you everybody for joining me.

223
00:14:28,780 --> 00:14:29,760
Until next time.

224
00:14:29,800 --> 00:14:31,060
My name is TCM.