1 00:00:00,630 --> 00:00:07,380 Hi, within this lecture, we're going to try and hack into this Windows machine so that we can see
2 00:00:07,380 --> 00:00:11,340 how it's done and also we can move on to the privilege escalation part.
3 00:00:11,790 --> 00:00:14,700 So let me see the nmap result over here.
4 00:00:15,030 --> 00:00:17,720 As you can see, we have some open ports.
5 00:00:17,730 --> 00:00:19,860 It starts with twenty-one.
6 00:00:20,070 --> 00:00:22,380 It's an FTP port over here.
7 00:00:22,890 --> 00:00:28,560 And it says that anonymous FTP login is allowed, which is great for us.
8 00:00:28,770 --> 00:00:33,380 Of course, we are going to take leverage of that to see if we can do anything with the FTP.
9 00:00:33,990 --> 00:00:41,730 And over here, I believe you have to copy this if you don't know how to spell "anonymous", because we're
10 00:00:41,730 --> 00:00:44,810 going to use it for the user name and password later on.
11 00:00:45,300 --> 00:00:50,180 And we also see that the system is Windows NT, which is good.
12 00:00:50,640 --> 00:01:00,150 So for the 80 port we have over here, we have a Web server over here, and in the same way it's not the Apache
13 00:01:00,150 --> 00:01:07,900 server; most probably it has something to do with the Windows itself, and the aggressive operating system guesses
14 00:01:08,790 --> 00:01:17,190 guess that it's just Windows 8.1, or it may be something like a Windows Server or a professional
15 00:01:17,190 --> 00:01:18,000 Windows version.
16 00:01:18,000 --> 00:01:24,900 Over here we are definitely against a Windows machine, OK, which is good, because this is
17 00:01:24,900 --> 00:01:26,880 exactly what we want to practice.
18 00:01:27,180 --> 00:01:32,340 So I'm going to go for the 10.10.10.5, 10.10.10.5.
19 00:01:32,340 --> 00:01:34,020 I mean, and here you go.
20 00:01:34,050 --> 00:01:36,210 This is the Web server that is running.
21 00:01:36,570 --> 00:01:44,520 It says IIS 7 over here, which is great, but we don't see anything other than that.
22 00:01:44,520 --> 00:01:49,110 So if you just click on it, it will just take us to iis.net.
23 00:01:49,600 --> 00:01:52,170 Oh, let me see the page source over here.
24 00:01:52,710 --> 00:02:00,150 So it doesn't seem that there is much over there as well, like it's a standard HTML code with a little
25 00:02:00,150 --> 00:02:01,380 bit of CSS.
26 00:02:01,890 --> 00:02:03,600 So we have this link.
27 00:02:03,600 --> 00:02:06,870 If we click on the image, it will take us to that link.
28 00:02:07,560 --> 00:02:11,490 Let me try to open this in a new window and...
29 00:02:11,490 --> 00:02:13,590 Yep, this is just an image.
30 00:02:14,190 --> 00:02:14,640 Great.
31 00:02:14,640 --> 00:02:18,810 So we don't have anything in the source over here.
32 00:02:18,810 --> 00:02:23,880 And I believe we don't have anything in the web root, like in the Web server, as well.
33 00:02:24,300 --> 00:02:30,900 So the definite part over here is that we have to go for the FTP, because there is nothing over here
34 00:02:31,050 --> 00:02:32,880 and we have only two ports open.
35 00:02:33,150 --> 00:02:39,150 OK, so I'm going to go for the FTP port, so it's very easy to work with.
36 00:02:39,480 --> 00:02:46,770 All you got to do is just work within your own machine and run the ftp command in order to connect to
37 00:02:46,770 --> 00:02:47,450 that server.
38 00:02:47,460 --> 00:02:48,810 The FTP service.
39 00:02:49,290 --> 00:02:50,880 So this is how it's done.
40 00:02:50,890 --> 00:02:54,960 ftp 10.10.10.5, and it will ask for a name.
41 00:02:54,960 --> 00:02:57,750 So I'm going to type in anonymous over here.
42 00:02:58,140 --> 00:03:02,340 OK, and for the password you can just type anonymous as well.
43 00:03:03,060 --> 00:03:04,320 So here you go.
44 00:03:04,320 --> 00:03:10,200 We are now logged into the FTP, so it doesn't mean that we hacked into the system, we are just logged into
45 00:03:10,200 --> 00:03:11,640 the FTP service.
46 00:03:12,090 --> 00:03:19,320 Maybe we cannot even do anything with that anonymous user or anonymous login, so we're going
47 00:03:19,320 --> 00:03:20,060 to see it.
48 00:03:20,730 --> 00:03:23,850 So what do we do when we log into an FTP?
49 00:03:24,120 --> 00:03:25,800 We can run the dir command.
50 00:03:25,800 --> 00:03:30,240 So dir stands for directory or something like that.
51 00:03:30,240 --> 00:03:34,650 I mean, it's the equivalent of ls in Linux.
52 00:03:34,650 --> 00:03:40,920 OK, so in Windows, if you want to see the available files and folders, you have to write dir.
53 00:03:41,580 --> 00:03:46,680 So if you do this in an FTP again, you get the available files and folders.
54 00:03:47,130 --> 00:03:51,840 So over here we have this iisstart.htm and welcome.png.
55 00:03:52,170 --> 00:03:55,260 So these are all the files that we have seen over here.
56 00:03:55,530 --> 00:04:03,600 OK, so we are basically inside of the root directory of the Web server, and we don't see much, we don't
57 00:04:04,260 --> 00:04:06,240 actually see much over here.
58 00:04:06,780 --> 00:04:13,710 So what we can do, we can try to download these files, and it won't do anything for us because we already
59 00:04:13,710 --> 00:04:15,390 see it in the Web server.
60 00:04:15,840 --> 00:04:24,570 And furthermore, we can just try to upload something and see if it gets uploaded, and we can just upload
61 00:04:24,570 --> 00:04:28,820 a reverse shell or something like that and try to execute it on the Web server.
62 00:04:29,370 --> 00:04:32,190 OK, so what do we do over here?
63 00:04:32,850 --> 00:04:37,860 First, let me create a new file, just a txt, I'm going to call it atil.txt.
64 00:04:37,860 --> 00:04:41,850 I'm just going to create this as a test file, OK?
65 00:04:41,850 --> 00:04:47,100 You can just write your own name and save it with Ctrl+O, Enter and Ctrl+X.
66 00:04:47,580 --> 00:04:55,380 Now if I run ls -la, I can see the atil.txt is over here, I'm just going to try and upload this to
67 00:04:55,380 --> 00:04:57,960 the FTP service, OK, to the server.
68 00:04:58,200 --> 00:04:59,940 So all you got to do is just write
69 00:05:00,000 --> 00:05:03,910 put, and I'm going to say put atil.txt.
70 00:05:03,930 --> 00:05:04,920 And here you go.
71 00:05:05,400 --> 00:05:08,810 It seems that we managed to upload it, and here you go.
72 00:05:08,820 --> 00:05:17,970 We see the atil.txt before the iisstart.htm, and it says it resides in the root directory
73 00:05:17,970 --> 00:05:18,960 of our Web server.
74 00:05:19,000 --> 00:05:22,480 So I can just do this, OK, and here you go.
75 00:05:22,860 --> 00:05:23,940 So it's very good.
76 00:05:24,180 --> 00:05:30,840 And I believe it's very obvious what we should do and try next, because we can upload a file over here
77 00:05:30,840 --> 00:05:33,250 and we can just see it, OK?
78 00:05:33,660 --> 00:05:39,870 So, of course, I'm going to upload a reverse shell and I will try to execute it, and it will give me
79 00:05:39,870 --> 00:05:40,770 back a shell.
80 00:05:41,490 --> 00:05:43,310 So far, so good.
81 00:05:43,590 --> 00:05:44,540 The plan is good.
82 00:05:44,550 --> 00:05:46,530 Let me try to execute the plan.
83 00:05:47,040 --> 00:05:50,630 So how are we going to proceed?
84 00:05:51,180 --> 00:05:55,250 So should we create a reverse shell?
85 00:05:55,500 --> 00:05:58,340 Should we create a Python reverse shell?
86 00:05:58,740 --> 00:06:03,720 Should we create a Bash reverse shell, or what should we do in this case?
87 00:06:04,260 --> 00:06:11,310 Of course we are going to create a reverse shell, but this time it has to be compatible
88 00:06:11,310 --> 00:06:12,660 with the Windows Server.
89 00:06:13,040 --> 00:06:18,520 OK, so again, we can try to run that in the Windows Server.
90 00:06:18,900 --> 00:06:29,180 OK, it's a bet, but the safer thing is that we have to run an ASPX or an ASP code.
91 00:06:30,510 --> 00:06:38,970 So it's good because ASPX is going to work with Windows most of the time.
92 00:06:38,980 --> 00:06:43,890 OK, not always maybe, but most of the time it's working on Windows Server.
93 00:06:44,430 --> 00:06:51,090 So I'm going to search for "reverse shell cheat sheet" over here, and I'm going to open that.
94 00:06:51,450 --> 00:06:56,350 And as usual, I'm going to see the details and just ignore this, OK?
95 00:06:56,730 --> 00:06:57,900 And here we are.
96 00:06:58,080 --> 00:07:00,630 We have the Bash, we have the Perl.
97 00:07:00,930 --> 00:07:05,790 We have everything over here, like Python, PHP, Ruby.
98 00:07:06,300 --> 00:07:12,860 So you can try to do this with PHP or Perl, but it isn't guaranteed.
99 00:07:12,870 --> 00:07:21,330 OK, so it is not very compatible with Windows, since we can't find any ASPX code like this.
100 00:07:21,450 --> 00:07:25,920 OK, online, as you can see, we get a lot of cheat sheets over here as well.
101 00:07:26,100 --> 00:07:26,640 Why not?
102 00:07:26,640 --> 00:07:31,820 We waste our time, so PayloadsAllTheThings, reverse
103 00:07:31,830 --> 00:07:32,800 shell cheat sheet,
104 00:07:32,910 --> 00:07:34,110 and so on.
105 00:07:34,320 --> 00:07:38,300 So I'm just going to try and open all of these things and that.
106 00:07:38,310 --> 00:07:42,540 Better yet, we can just try to do this with msfvenom as well, by the way.
107 00:07:42,870 --> 00:07:45,840 So let me see if we can find a good one over here.
108 00:07:46,260 --> 00:07:48,510 Like a Meterpreter shell.
109 00:07:48,510 --> 00:07:49,410 Very good.
110 00:07:50,220 --> 00:07:58,740 And it actually is a very good idea to get the Meterpreter shell back, because it actually
111 00:07:58,740 --> 00:08:06,930 contains a lot of useful widgets, or a lot of useful extensions, for privilege escalation as well.
112 00:08:07,320 --> 00:08:13,170 So we're going to talk about what happens if we get the Meterpreter shell and what happens if we don't
113 00:08:13,170 --> 00:08:16,410 get one in the privilege escalation section.
114 00:08:16,410 --> 00:08:21,120 But again, it's always a good idea to get the Meterpreter shell if we can.
115 00:08:21,780 --> 00:08:26,070 So you can just try to find it from here.
116 00:08:26,100 --> 00:08:30,810 OK, let me just go over here and see Windows staged reverse TCP.
117 00:08:31,170 --> 00:08:31,650 Oh, yeah.
118 00:08:31,650 --> 00:08:34,980 It also gives us the msfvenom over here as well.
119 00:08:35,340 --> 00:08:37,140 So I believe we get to go with them.
120 00:08:37,140 --> 00:08:44,190 As msfvenom, I tried to find the code over here rather than just type the msfvenom command
121 00:08:44,190 --> 00:08:45,900 in my Linux.
122 00:08:46,170 --> 00:08:48,240 But again, I believe we have to do that.
123 00:08:48,240 --> 00:08:55,260 So I'm going to go for the msfvenom payload windows/meterpreter over here.
124 00:08:55,800 --> 00:08:59,450 But rather than exe, I don't even want an exe.
125 00:08:59,460 --> 00:09:01,330 Why would I want an exe?
126 00:09:01,350 --> 00:09:03,000 I want an ASPX.
127 00:09:03,570 --> 00:09:07,080 So let me just copy this and we will just change it.
128 00:09:07,530 --> 00:09:09,270 I'm going to paste this over here.
129 00:09:09,570 --> 00:09:17,130 So again I'm going to go for the msfvenom; for the payload, of course, it will be windows/meterpreter,
130 00:09:17,370 --> 00:09:22,350 and for the connection type, of course, this can stay reverse_tcp.
131 00:09:22,350 --> 00:09:23,730 There is nothing wrong with it.
132 00:09:24,060 --> 00:09:31,560 OK, we just have to change the LHOST, LPORT and the format of the file that we need.
133 00:09:32,220 --> 00:09:39,810 So for the LHOST, let me come over here to another tab maybe, or you can just open a new tab over
134 00:09:39,810 --> 00:09:40,200 here.
135 00:09:40,560 --> 00:09:41,940 Let me run ifconfig.
136 00:09:42,300 --> 00:09:48,720 So you're going to have to give your tun0 rather than your eth0, obviously, because we are doing
137 00:09:48,720 --> 00:09:52,530 this over the VPN network, not in the local network.
138 00:09:53,100 --> 00:09:54,450 For the LPORT,
139 00:09:54,450 --> 00:09:59,850 you can go for whatever you want, but just take a note of that one, because we will need it later.
140 00:09:59,960 --> 00:10:08,440 On for the format of this file, we don't need an exe again, I'm going to go for the aspx, OK?
141 00:10:08,780 --> 00:10:16,960 And I'm just going to put this under something called maybe atil.aspx or something like that.
142 00:10:17,450 --> 00:10:25,030 OK, so make sure you execute this and wait until it's executed.
143 00:10:25,040 --> 00:10:28,130 Wait until atil.aspx is created.
144 00:10:28,130 --> 00:10:31,220 Or you can just do it with your own name, obviously.
145 00:10:31,240 --> 00:10:35,740 OK, so this will create an ASPX shell for us.
146 00:10:36,140 --> 00:10:42,800 And if I run ls -la and let me grep that, because in my root directory there can be a lot of things.
147 00:10:43,220 --> 00:10:43,940 Here you go.
148 00:10:44,360 --> 00:10:45,400 The atil.aspx.
149 00:10:45,680 --> 00:10:52,310 So if you cat that, we can actually see the shell itself, because we can see all the things that are
150 00:10:52,310 --> 00:10:53,780 related with this code.
151 00:10:54,110 --> 00:10:56,870 But again, we are not very interested in this.
152 00:10:57,230 --> 00:11:03,770 We are actually interested in delivering this to the server so that we can get a reverse shell back.
153 00:11:04,010 --> 00:11:05,300 Don't forget about this.
154 00:11:05,300 --> 00:11:08,180 LPORT over here is 4242, OK.
155 00:11:08,600 --> 00:11:13,340 And if you change that, it's OK, just remember it so that we can get the shell back.
156 00:11:13,820 --> 00:11:16,340 So I'm going to go into the Metasploit here.
157 00:11:16,340 --> 00:11:24,140 I'm going to search, just open the msfconsole, and it will bring me the Metasploit Framework over
158 00:11:24,140 --> 00:11:24,550 here.
159 00:11:25,130 --> 00:11:30,320 So if you have taken this course, I believe you have worked with Metasploit before.
160 00:11:30,560 --> 00:11:38,020 So it's a very wide framework that you can use for any kind of exploitation you want.
161 00:11:38,210 --> 00:11:41,630 So we're going to go for the use exploit/multi over here.
162 00:11:41,630 --> 00:11:45,200 We can use multi/handler to set the payload for us.
163 00:11:45,410 --> 00:11:50,560 And in this case, our payload will be windows/meterpreter/reverse_tcp.
164 00:11:50,750 --> 00:11:53,120 So this is the payload that we have chosen.
165 00:11:53,270 --> 00:11:56,830 Then we created our payload with msfvenom.
166 00:11:57,290 --> 00:12:06,110 So over here I'm going to say show options, and I'm going to give my tun0 over here as LHOST.
167 00:12:06,320 --> 00:12:09,590 And for the LPORT I'm going to go for 4242.
168 00:12:10,040 --> 00:12:16,400 OK, so next thing to do is actually go for the exploit, right.
169 00:12:16,400 --> 00:12:18,980 Because it will listen for our connection.
170 00:12:18,990 --> 00:12:24,560 So this is the equivalent of doing this with Netcat, but in a much better way.
171 00:12:24,920 --> 00:12:31,520 So if you just do it with exploit -j -z, it will bring this into the background and it will start listening
172 00:12:31,520 --> 00:12:32,630 in the background.
173 00:12:33,230 --> 00:12:37,970 So I'm going to put the atil.aspx over here, and here you go.
174 00:12:37,970 --> 00:12:40,380 It says that service is not available, remote server,
175 00:12:40,400 --> 00:12:42,440 so it has closed the connection.
176 00:12:42,680 --> 00:12:44,420 So I'm going to do this one more time.
177 00:12:44,840 --> 00:12:45,950 So anonymous.
178 00:12:46,760 --> 00:12:52,250 And let me do this anonymous as well, and put atil.aspx.
179 00:12:52,250 --> 00:12:53,210 And here you go.
180 00:12:53,690 --> 00:12:56,560 Now we see the atil.aspx over here.
181 00:12:56,900 --> 00:13:04,820 So what I'm going to do, I'm going to go over here to my Web server and just run atil.aspx.
182 00:13:05,240 --> 00:13:06,230 And here you go.
183 00:13:06,230 --> 00:13:08,450 It seems like it has been executed.
184 00:13:08,720 --> 00:13:13,210 And here we have the Meterpreter session opened in here.
185 00:13:13,220 --> 00:13:14,150 OK, great.
186 00:13:14,150 --> 00:13:16,900 So we managed to hack into the Windows server.
187 00:13:16,910 --> 00:13:18,890 I'm going to close everything down over here.
188 00:13:19,070 --> 00:13:22,760 I'm going to leave this open in case we lose the connection or something like that.
189 00:13:23,060 --> 00:13:25,010 I'm going to hit enter now.
190 00:13:25,010 --> 00:13:30,170 If I run sessions -l, I can see all the available sessions to me.
191 00:13:30,470 --> 00:13:31,670 I can run sessions
192 00:13:31,670 --> 00:13:36,130 -i 1 in order to interact with the first session.
193 00:13:36,440 --> 00:13:40,700 And if we run system info, sysinfo.
194 00:13:41,030 --> 00:13:41,840 Here you go.
195 00:13:41,840 --> 00:13:48,770 Now we hacked into the box, and the operating system seems to be Windows 7.
196 00:13:49,160 --> 00:13:53,420 OK, so architecture is x86.
197 00:13:53,840 --> 00:13:57,520 So domain is Hack The Box, and here you go.
198 00:13:58,070 --> 00:14:05,120 So whether you run dir or ls, it really doesn't matter at this point, because we are in the Meterpreter.
199 00:14:05,300 --> 00:14:06,650 I'm going to show you what I mean.
200 00:14:06,920 --> 00:14:10,490 We are inside of this listing over here.
201 00:14:10,490 --> 00:14:17,840 OK, now I can try to go back like cd .., cd .., exactly like in Linux.
202 00:14:18,170 --> 00:14:21,170 OK, I can run pwd over here.
203 00:14:21,350 --> 00:14:25,880 I can still run some Linux commands because we are in the Meterpreter.
204 00:14:26,270 --> 00:14:29,030 I will run dir, and here you go.
205 00:14:29,030 --> 00:14:30,920 Now we see the Users folder.
206 00:14:31,250 --> 00:14:32,090 I'm going to run
207 00:14:32,090 --> 00:14:33,020 whoami.
208 00:14:33,650 --> 00:14:35,420 But it's not going to run.
209 00:14:35,600 --> 00:14:39,680 I'm going to run shell, and it'll just put me inside of a Windows shell.
210 00:14:39,950 --> 00:14:40,640 I'm going to run
211 00:14:40,650 --> 00:14:41,320 whoami.
212 00:14:41,540 --> 00:14:42,380 Yeah, here we go.
213 00:14:42,380 --> 00:14:44,740 We are something called iis
214 00:14:44,750 --> 00:14:45,890 apppool.
215 00:14:46,370 --> 00:14:50,120 And if I run dir, I can see all the users over here.
216 00:14:50,300 --> 00:14:53,690 I'm going to go for the Users and I will run dir.
217 00:14:54,110 --> 00:14:58,460 So, as you can see, we can see the Administrator over here.
218 00:14:58,670 --> 00:14:59,470 But, ah,
219 00:14:59,770 --> 00:15:03,290 we cannot go into that, and it will say access is denied.
220 00:15:03,520 --> 00:15:07,120 So Administrator is the root in the Windows.
221 00:15:07,150 --> 00:15:14,150 OK, so let me try to go into Classic .NET AppPool, and here you go.
222 00:15:14,170 --> 00:15:15,640 We cannot go over that.
223 00:15:15,670 --> 00:15:17,260 Let me go into the babis.
224 00:15:17,470 --> 00:15:20,910 We cannot go over that as well, so we cannot do anything.
225 00:15:21,100 --> 00:15:26,280 We hacked into the Windows, but we cannot see the things over here.
226 00:15:26,290 --> 00:15:31,680 I can, of course, go into the Public directory and try to go into the Documents or Desktop.
227 00:15:31,690 --> 00:15:34,060 I don't think we have a Desktop over here.
228 00:15:34,330 --> 00:15:36,040 So I'm going to go for the Documents.
229 00:15:36,280 --> 00:15:37,780 I'm going to just run dir.
230 00:15:37,780 --> 00:15:39,900 And as you can see, there is nothing over here.
231 00:15:40,450 --> 00:15:47,480 So we have to find a way to escalate our privileges so that we can become the administrator user.
232 00:15:47,920 --> 00:15:52,090 OK, if you exit out of this, it will go into the Meterpreter.
233 00:15:52,390 --> 00:15:54,970 And I believe we cannot clear that.
234 00:15:54,970 --> 00:15:56,050 For some reason,
235 00:15:56,320 --> 00:15:58,960 clear doesn't seem to be working in Meterpreter.
236 00:15:59,350 --> 00:16:05,770 And any time you want to get out of the Meterpreter, you can run background and then you can interact
237 00:16:05,800 --> 00:16:09,160 with the sessions like we have seen over here with sessions.
238 00:16:09,820 --> 00:16:18,370 OK, so there are some differences between using the Meterpreter or the original Windows shell.
239 00:16:18,520 --> 00:16:25,930 As you can see, we got into the original Windows shell by running shell, and we got out of it by running
240 00:16:25,930 --> 00:16:26,530 exit.
241 00:16:26,920 --> 00:16:29,320 So we're going to talk about these differences.
242 00:16:29,320 --> 00:16:35,500 And also we're going to talk about the Windows operating system command line as well, because
243 00:16:35,500 --> 00:16:37,060 we need to know the commands.
244 00:16:37,270 --> 00:16:45,190 We need to know how the command prompt works in Windows so that we can get a hold of it and escalate
245 00:16:45,190 --> 00:16:47,320 our privileges in a way that we want.
246 00:16:47,770 --> 00:16:51,460 So let's do that within the next lecture together.