1
00:00:00,630 --> 00:00:07,380
Hi, within this lecture, we're going to try and hack into this Windows machine so that we can see

2
00:00:07,380 --> 00:00:11,340
how it's done and also we can move on to privileged escalation part.

3
00:00:11,790 --> 00:00:14,700
So let me scan the map result over here.

4
00:00:15,030 --> 00:00:17,720
As you can see, we have some open ports.

5
00:00:17,730 --> 00:00:19,860
It starts with the twenty one.

6
00:00:20,070 --> 00:00:22,380
It's NFTE port over here.

7
00:00:22,890 --> 00:00:28,560
And it says that anonymous WP log in a lot, which is great for us.

8
00:00:28,770 --> 00:00:33,380
Of course, we are going to take leverage of that to see if we can do anything with the FTP.

9
00:00:33,990 --> 00:00:41,730
And over here, I believe you have to copy this if you don't know how to spell Anonymous because we're

10
00:00:41,730 --> 00:00:44,810
going to use it for the user name and password later on.

11
00:00:45,300 --> 00:00:50,180
And we also see that the system is windows and team, which is good.

12
00:00:50,640 --> 00:01:00,150
So for the 80 part we have over here, we have a Web server over here and in the same it's not the Apache

13
00:01:00,150 --> 00:01:07,900
server most probably has to do something with the Windows itself and aggressive operating system guesses.

14
00:01:08,790 --> 00:01:17,190
Guess that it's just Windows eight point one, or it may be something like a Windows server or a professional

15
00:01:17,190 --> 00:01:18,000
Windows version.

16
00:01:18,000 --> 00:01:24,900
Over here we are definitely against a Windows machine, OK, which is good because which is this is

17
00:01:24,900 --> 00:01:26,880
exactly what we want to practice.

18
00:01:27,180 --> 00:01:32,340
So I'm going to go for the ten or ten or ten, five, ten, ten, ten, five.

19
00:01:32,340 --> 00:01:34,020
I mean, and here you go.

20
00:01:34,050 --> 00:01:36,210
This is the Web server that is running.

21
00:01:36,570 --> 00:01:44,520
It says that a seven over here, which is great, but we don't see anything of her derri.

22
00:01:44,520 --> 00:01:49,110
So if you just click on it, it will just take us to this dot net.

23
00:01:49,600 --> 00:01:52,170
Oh, let me see the page source over here.

24
00:01:52,710 --> 00:02:00,150
So it doesn't seem that there is much over there as well, like it's a standard HDMI code with a little

25
00:02:00,150 --> 00:02:01,380
bit of success.

26
00:02:01,890 --> 00:02:03,600
So we have this link.

27
00:02:03,600 --> 00:02:06,870
If we click on the image, it will take us to that link.

28
00:02:07,560 --> 00:02:11,490
Let me try to open this like in a new window and.

29
00:02:11,490 --> 00:02:13,590
Yep, this is just an image.

30
00:02:14,190 --> 00:02:14,640
Great.

31
00:02:14,640 --> 00:02:18,810
So we don't have anything in the sauce over here.

32
00:02:18,810 --> 00:02:23,880
And I believe we don't have anything in the report, like in the Web server as well.

33
00:02:24,300 --> 00:02:30,900
So the definite part over here is that we have to go for the FTP because there is nothing over here

34
00:02:31,050 --> 00:02:32,880
and we have only two ports open.

35
00:02:33,150 --> 00:02:39,150
OK, so I'm going to go for the FTP port, so it's very easy to work with.

36
00:02:39,480 --> 00:02:46,770
All you got to do is just work within your own machine and run the FTP command in order to connect to

37
00:02:46,770 --> 00:02:47,450
that server.

38
00:02:47,460 --> 00:02:48,810
They FTP service.

39
00:02:49,290 --> 00:02:50,880
So this is how it's done.

40
00:02:50,890 --> 00:02:54,960
FTP ten, ten, ten, five and it will ask for a name.

41
00:02:54,960 --> 00:02:57,750
So I'm going to type in Anonymous over here.

42
00:02:58,140 --> 00:03:02,340
OK, and for the password you can just type Anonymous as well.

43
00:03:03,060 --> 00:03:04,320
So here you go.

44
00:03:04,320 --> 00:03:10,200
We are not logged in today FTP so it doesn't mean that we hacked into system, we are just logged into

45
00:03:10,200 --> 00:03:11,640
the FTP service.

46
00:03:12,090 --> 00:03:19,320
Maybe we cannot even do anything with that anonymous user or and then the most login, so we're going

47
00:03:19,320 --> 00:03:20,060
to see it.

48
00:03:20,730 --> 00:03:23,850
So what do we do when we log into NFTE?

49
00:03:24,120 --> 00:03:25,800
We can run their comments.

50
00:03:25,800 --> 00:03:30,240
So Dear's stands for directory or something like that.

51
00:03:30,240 --> 00:03:34,650
I mean it's it's the equivalent of a less in the Linux.

52
00:03:34,650 --> 00:03:40,920
OK, so in Windows, if you want to see the available files and folders, you have to right there.

53
00:03:41,580 --> 00:03:46,680
So if you do this in a FTP again, you get the available files and folders.

54
00:03:47,130 --> 00:03:51,840
So over here we have this started out ASTM and welcome PMG.

55
00:03:52,170 --> 00:03:55,260
So these are all the files that we have seen over here.

56
00:03:55,530 --> 00:04:03,600
OK, so we are basically inside of the root directory of the Web server and we don't see much we don't

57
00:04:04,260 --> 00:04:06,240
actually see much over here.

58
00:04:06,780 --> 00:04:13,710
So what we can do, we can try to download these files and it won't do anything for us because we already

59
00:04:13,710 --> 00:04:15,390
see it in the Web server.

60
00:04:15,840 --> 00:04:24,570
And furthermore, we can just try to upload something and see if it gets uploaded and we can just upload

61
00:04:24,570 --> 00:04:28,820
a reverse shell or something like that and try to execute it on the Web server.

62
00:04:29,370 --> 00:04:32,190
OK, so what do we do over here?

63
00:04:32,850 --> 00:04:37,860
First, let me create a new file, just txi I'm going to call it until that.

64
00:04:37,860 --> 00:04:41,850
You see, I'm just going to create this as a test file, OK?

65
00:04:41,850 --> 00:04:47,100
You can just write your own name and save it with control or enter and control X.

66
00:04:47,580 --> 00:04:55,380
Now if I run SLA, I can see the until that is over here, I'm just going to try and upload this to

67
00:04:55,380 --> 00:04:57,960
the FTP service, OK, to the server.

68
00:04:58,200 --> 00:04:59,940
So all you got to do is just write.

69
00:05:00,000 --> 00:05:03,910
Put and I'm going to stay put until that taxi.

70
00:05:03,930 --> 00:05:04,920
And here you go.

71
00:05:05,400 --> 00:05:08,810
It seems that we managed to upload it and here you go.

72
00:05:08,820 --> 00:05:17,970
We see the hotel that you see before the start or company and it says it resides on in the root directory

73
00:05:17,970 --> 00:05:18,960
of our Web server.

74
00:05:19,000 --> 00:05:22,480
So I can just do this, OK, and here you go.

75
00:05:22,860 --> 00:05:23,940
So it's very good.

76
00:05:24,180 --> 00:05:30,840
And I believe it's very obvious what we should do and try next, because we can upload a file over here

77
00:05:30,840 --> 00:05:33,250
and we can just see it, OK?

78
00:05:33,660 --> 00:05:39,870
So, of course, I'm going to upload a reverse show and I will try to execute it and it will give me

79
00:05:39,870 --> 00:05:40,770
back a shove.

80
00:05:41,490 --> 00:05:43,310
So far, so good.

81
00:05:43,590 --> 00:05:44,540
The plan is good.

82
00:05:44,550 --> 00:05:46,530
Let me try to execute the plan.

83
00:05:47,040 --> 00:05:50,630
So how are we going to proceed?

84
00:05:51,180 --> 00:05:55,250
So should we create a reverse shell?

85
00:05:55,500 --> 00:05:58,340
Should we create a python reverse shell?

86
00:05:58,740 --> 00:06:03,720
Should we create a Batia reverse shell or what should we do in this case?

87
00:06:04,260 --> 00:06:11,310
Of course we are going to create a reverse shell, but this time it will be it has to be compatible

88
00:06:11,310 --> 00:06:12,660
with the Windows Server.

89
00:06:13,040 --> 00:06:18,520
OK, so again, we can try to run that in the Windows Server.

90
00:06:18,900 --> 00:06:29,180
OK, it's a bot, but the safer thing is that we have to run and aspects or a USB code.

91
00:06:30,510 --> 00:06:38,970
So it's good because Aspey is going to work with Windows most of the time.

92
00:06:38,980 --> 00:06:43,890
OK, not always maybe, but it's the most of the time working on Windows Server.

93
00:06:44,430 --> 00:06:51,090
So I'm going to search for reverse shall cheat sheet over here and I'm going to open that.

94
00:06:51,450 --> 00:06:56,350
And as usual, I'm going to say details and just ignore this, OK?

95
00:06:56,730 --> 00:06:57,900
And here we are.

96
00:06:58,080 --> 00:07:00,630
We have Dibadj, we have the Perl.

97
00:07:00,930 --> 00:07:05,790
We have everything over here like Python, B, Ruby.

98
00:07:06,300 --> 00:07:12,860
So you can try to do this with BHP or Tom, but it isn't guaranteed.

99
00:07:12,870 --> 00:07:21,330
OK, so it is not very compatible with Windows since we can't find any aspects code like this.

100
00:07:21,450 --> 00:07:25,920
OK, on line, as you can see, we get a lot of cheat sheets over here as well.

101
00:07:26,100 --> 00:07:26,640
Why not?

102
00:07:26,640 --> 00:07:31,820
We waste our time so payloads all the things reverse.

103
00:07:31,830 --> 00:07:32,800
Chelsie, cheat.

104
00:07:32,910 --> 00:07:34,110
Can you pour me.

105
00:07:34,320 --> 00:07:38,300
So I'm just going to try and open all of these things and that.

106
00:07:38,310 --> 00:07:42,540
Better yet, we can just try to do this with MSF, with them as well, by the way.

107
00:07:42,870 --> 00:07:45,840
So let me see if we can find a good one over here.

108
00:07:46,260 --> 00:07:48,510
Like interpretational.

109
00:07:48,510 --> 00:07:49,410
Very good.

110
00:07:50,220 --> 00:07:58,740
And it has to I it actually is a very good idea to get them interpretational back because it actually

111
00:07:58,740 --> 00:08:06,930
contains a lot of useful widgets or a lot of useful extensions for privilege escalation as well.

112
00:08:07,320 --> 00:08:13,170
So we're going to talk about what happens if we get them interpretational and what happens if we don't

113
00:08:13,170 --> 00:08:16,410
get one in the privilege escalation section.

114
00:08:16,410 --> 00:08:21,120
But again, it's always a good idea to get them interpretational if we can.

115
00:08:21,780 --> 00:08:26,070
So you can just try to find it from here.

116
00:08:26,100 --> 00:08:30,810
OK, let me just go over here and see Windows State University E.S.P.

117
00:08:31,170 --> 00:08:31,650
Oh, yeah.

118
00:08:31,650 --> 00:08:34,980
It's also give us the MSF, Brenham over here as well.

119
00:08:35,340 --> 00:08:37,140
So I believe we get to go with them.

120
00:08:37,140 --> 00:08:44,190
As a Wynnum, I tried to find the code over here rather than just type them as having them co command

121
00:08:44,190 --> 00:08:45,900
komando in my Linux.

122
00:08:46,170 --> 00:08:48,240
But again, I believe we have to do that.

123
00:08:48,240 --> 00:08:55,260
So I'm going to go for them as Wynnum payload windows and interpretor over here.

124
00:08:55,800 --> 00:08:59,450
But rather than e I don't even want any XY.

125
00:08:59,460 --> 00:09:01,330
Why would I want any agcy.

126
00:09:01,350 --> 00:09:03,000
I want an SBX.

127
00:09:03,570 --> 00:09:07,080
So let me just copy this and we will just change it.

128
00:09:07,530 --> 00:09:09,270
I'm going to paste is over here.

129
00:09:09,570 --> 00:09:17,130
So again I'm going to go for the MSF venom for the payload of course it will be windows from interpretor

130
00:09:17,370 --> 00:09:22,350
and for the connection type of course this can say versus E.S.P.

131
00:09:22,350 --> 00:09:23,730
There is nothing wrong with it.

132
00:09:24,060 --> 00:09:31,560
OK, we just have to change the host Al Port and the format of the file that we need.

133
00:09:32,220 --> 00:09:39,810
So for the AL hosts, let me come over here to another tab maybe, or you can just open a new tab over

134
00:09:39,810 --> 00:09:40,200
here.

135
00:09:40,560 --> 00:09:41,940
Let me run the config.

136
00:09:42,300 --> 00:09:48,720
So you're going to have to give your ten zero rather than your zero, obviously, because we are doing

137
00:09:48,720 --> 00:09:52,530
this in the outer network, not in that network.

138
00:09:53,100 --> 00:09:54,450
For the outpoured.

139
00:09:54,450 --> 00:09:59,850
You can go for whatever you want, but just take a note of that one, because we will need it later.

140
00:09:59,960 --> 00:10:08,440
On for the format of this file, we don't need any yaka again, I'm going to go for the aspects, OK?

141
00:10:08,780 --> 00:10:16,960
And I'm just going to put this under something called maybe until that aspects or something like that.

142
00:10:17,450 --> 00:10:25,030
OK, so make sure you execute this and wait until it's executed.

143
00:10:25,040 --> 00:10:28,130
Wait until until that aspect is created.

144
00:10:28,130 --> 00:10:31,220
Or you can just do it with your own name, obviously.

145
00:10:31,240 --> 00:10:35,740
OK, so this will create an SBX shell for us.

146
00:10:36,140 --> 00:10:42,800
And if I run the SLA and let me grab that because I mean my root directory, there can be a lot of things.

147
00:10:43,220 --> 00:10:43,940
Here you go.

148
00:10:44,360 --> 00:10:45,400
The other aspects.

149
00:10:45,680 --> 00:10:52,310
So if you kept that, we can actually see the shell itself because we can see all the things that is

150
00:10:52,310 --> 00:10:53,780
related with this code.

151
00:10:54,110 --> 00:10:56,870
But again, we are not very interested in this.

152
00:10:57,230 --> 00:11:03,770
We we are actually interested in delivering this to the server so that we can get a reverse shellback.

153
00:11:04,010 --> 00:11:05,300
Don't forget about this.

154
00:11:05,300 --> 00:11:08,180
Allport over here is four to four to OK.

155
00:11:08,600 --> 00:11:13,340
And if you change that, it's OK to just remember it so that we can get the shell back.

156
00:11:13,820 --> 00:11:16,340
So I'm going to go into the metal exploit here.

157
00:11:16,340 --> 00:11:24,140
I'm going to search just open the massive console and it will bring me the metal plate framework over

158
00:11:24,140 --> 00:11:24,550
here.

159
00:11:25,130 --> 00:11:30,320
So if you have taken this course, I believe you have worked with metal before.

160
00:11:30,560 --> 00:11:38,020
So it's a very wide framework that you can use for any kind of exploitation you want.

161
00:11:38,210 --> 00:11:41,630
So we're going to go for the use exploit multi over here.

162
00:11:41,630 --> 00:11:45,200
We can use multi handler to set the payload for us.

163
00:11:45,410 --> 00:11:50,560
And in this case, our payload will be windows from Interpretor Reverse TCP.

164
00:11:50,750 --> 00:11:53,120
So this is the payload that we have chosen.

165
00:11:53,270 --> 00:11:56,830
Then we created our payload with metal deployed.

166
00:11:57,290 --> 00:12:06,110
So over here I'm going to say show options and I'm going to give my tongue zero over here as I'll host.

167
00:12:06,320 --> 00:12:09,590
And for the outboard I'm going to go four four two four two.

168
00:12:10,040 --> 00:12:16,400
OK, so next thing to do is actually go for the exploit, right.

169
00:12:16,400 --> 00:12:18,980
Because it will listen for our connection.

170
00:12:18,990 --> 00:12:24,560
So this is a coolant of doing this with Netcare, but in a much better way.

171
00:12:24,920 --> 00:12:31,520
So if you just do it with explode Jay-Z, it will bring this into background and it will start listening

172
00:12:31,520 --> 00:12:32,630
in the background.

173
00:12:33,230 --> 00:12:37,970
So I'm going to put the until that aspect is over here and here you go.

174
00:12:37,970 --> 00:12:40,380
It says that service is not available very much.

175
00:12:40,400 --> 00:12:42,440
So we're as close to connection.

176
00:12:42,680 --> 00:12:44,420
So I'm going to do this one more time.

177
00:12:44,840 --> 00:12:45,950
So anonymous.

178
00:12:46,760 --> 00:12:52,250
And let me do this anonymous as well and put until that aspects.

179
00:12:52,250 --> 00:12:53,210
And here you go.

180
00:12:53,690 --> 00:12:56,560
Now we see the tool that SBX over here.

181
00:12:56,900 --> 00:13:04,820
So what I'm going to do, I'm going to go over here to my Web server and just run until that aspects.

182
00:13:05,240 --> 00:13:06,230
And here you go.

183
00:13:06,230 --> 00:13:08,450
It seems like it has been executed.

184
00:13:08,720 --> 00:13:13,210
And here we have the interpreter station opened in here.

185
00:13:13,220 --> 00:13:14,150
OK, great.

186
00:13:14,150 --> 00:13:16,900
So we managed to hack into the Windows servers.

187
00:13:16,910 --> 00:13:18,890
I'm going to close everything down over here.

188
00:13:19,070 --> 00:13:22,760
I'm going to leave this open in case we lose the connection or something like that.

189
00:13:23,060 --> 00:13:25,010
I'm going to hit enter now.

190
00:13:25,010 --> 00:13:30,170
If I run Alsatians dash l, I can see all the available stations to me.

191
00:13:30,470 --> 00:13:31,670
I can run stations.

192
00:13:31,670 --> 00:13:36,130
They should run in order to interact with the first section.

193
00:13:36,440 --> 00:13:40,700
And if we run system info and since info.

194
00:13:41,030 --> 00:13:41,840
Here you go.

195
00:13:41,840 --> 00:13:48,770
Now we hacked into the double and the operating system is operating system seems to be Windows seven.

196
00:13:49,160 --> 00:13:53,420
OK, so architecture is X eight is six.

197
00:13:53,840 --> 00:13:57,520
So domain is hack the box and here you go.

198
00:13:58,070 --> 00:14:05,120
So if you're on there or else it really doesn't matter at this point because we are in the interpretation.

199
00:14:05,300 --> 00:14:06,650
I'm going to show you what I mean.

200
00:14:06,920 --> 00:14:10,490
We are inside of this listing over here.

201
00:14:10,490 --> 00:14:17,840
OK, now I can try to go back like code dot, dot, dot, dot, like exactly like in Linux.

202
00:14:18,170 --> 00:14:21,170
OK, I can run TWD over here.

203
00:14:21,350 --> 00:14:25,880
I can still run some Linux commands because we are in the interpretation.

204
00:14:26,270 --> 00:14:29,030
I will run there and here you go.

205
00:14:29,030 --> 00:14:30,920
Now we see the user's folder.

206
00:14:31,250 --> 00:14:32,090
I'm going to run.

207
00:14:32,090 --> 00:14:33,020
Who am I.

208
00:14:33,650 --> 00:14:35,420
But it's not going to run.

209
00:14:35,600 --> 00:14:39,680
I'm going to run Shell and just put me inside of a windows shell.

210
00:14:39,950 --> 00:14:40,640
I'm going to run.

211
00:14:40,650 --> 00:14:41,320
Who am I.

212
00:14:41,540 --> 00:14:42,380
Yeah, here we go.

213
00:14:42,380 --> 00:14:44,740
We are something called ice I.

214
00:14:44,750 --> 00:14:45,890
S a pool.

215
00:14:46,370 --> 00:14:50,120
And if I run dear, I can see all the users over here.

216
00:14:50,300 --> 00:14:53,690
I'm going to go for the users and I will run dear.

217
00:14:54,110 --> 00:14:58,460
So like as you can see, we can see the administrator over here.

218
00:14:58,670 --> 00:14:59,470
But I, I.

219
00:14:59,770 --> 00:15:03,290
We cannot go into that and it will say access is denied.

220
00:15:03,520 --> 00:15:07,120
So administrator is the route in the windows.

221
00:15:07,150 --> 00:15:14,150
OK, so let me try to go into classic dot net apple and here you go.

222
00:15:14,170 --> 00:15:15,640
We cannot go over that.

223
00:15:15,670 --> 00:15:17,260
Let me go into the Babis.

224
00:15:17,470 --> 00:15:20,910
We cannot go over data as well, so we cannot do anything.

225
00:15:21,100 --> 00:15:26,280
We hacked into the windows, but we cannot see the things over here.

226
00:15:26,290 --> 00:15:31,680
I can, of course, go into the public directory and try to go into the documents or desktop.

227
00:15:31,690 --> 00:15:34,060
I don't think we have a desktop over here.

228
00:15:34,330 --> 00:15:36,040
So I'm going to go for the documents.

229
00:15:36,280 --> 00:15:37,780
I'm going to just run there.

230
00:15:37,780 --> 00:15:39,900
And as you can see, there is nothing over here.

231
00:15:40,450 --> 00:15:47,480
So we have to find a way to escalate our privileges so that we can become administrator user.

232
00:15:47,920 --> 00:15:52,090
OK, if you exit out of this, it will go into the interpretation.

233
00:15:52,390 --> 00:15:54,970
And I believe we cannot cleared that.

234
00:15:54,970 --> 00:15:56,050
For some reason.

235
00:15:56,320 --> 00:15:58,960
Clear doesn't seem to be working an interpreter.

236
00:15:59,350 --> 00:16:05,770
And any time you want to get out of the interpreter, you can run background and then you can interact

237
00:16:05,800 --> 00:16:09,160
with the sessions like we have seen over here with sessions.

238
00:16:09,820 --> 00:16:18,370
OK, so there are some differences between using the interpreter or the original Windows Show.

239
00:16:18,520 --> 00:16:25,930
As you can see, we got into the original Windows Show by running around and we got out of it by running

240
00:16:25,930 --> 00:16:26,530
exit.

241
00:16:26,920 --> 00:16:29,320
So we're going to talk about these differences.

242
00:16:29,320 --> 00:16:35,500
And also we're going to talk about Windows operating operating system command line as well, because

243
00:16:35,500 --> 00:16:37,060
we need to know the comments.

244
00:16:37,270 --> 00:16:45,190
We need to know how the command prompt works in windows so that we can get a hold of it and escalate

245
00:16:45,190 --> 00:16:47,320
our privileges in a way that we want.

246
00:16:47,770 --> 00:16:51,460
So let's do that within the next lecture together.