1
00:00:00,630 --> 00:00:07,200
Hi. Within this section, we're going to solve another Windows machine from Hack The Box, which is

2
00:00:07,200 --> 00:00:08,350
called Arctic.

3
00:00:08,760 --> 00:00:14,780
OK, so if you don't have any VIP membership, just make sure you watch the section and not skip it.

4
00:00:15,300 --> 00:00:20,670
So if you come over here, you can search for Arctic and just find the machine yourself.

5
00:00:20,970 --> 00:00:27,960
OK, so this machine is considered easy, and also, again, it's created by ch4p.

6
00:00:27,960 --> 00:00:37,230
So I believe this is the guy that has been in our life, because we have already solved one of his CTFs

7
00:00:37,230 --> 00:00:38,420
in the previous section.

8
00:00:38,730 --> 00:00:47,010
And if you take a look at this, you can see it represents real life, and it also leans toward the

9
00:00:47,010 --> 00:00:50,490
CVE on the privilege escalation side.

10
00:00:50,850 --> 00:00:54,390
So that's why we're actually trying to solve this.

11
00:00:54,750 --> 00:01:02,220
So it actually includes a service, some kind of Adobe service, that is commonly used in government

12
00:01:02,220 --> 00:01:07,110
buildings or government facilities and also in some big corporations.

13
00:01:07,380 --> 00:01:15,510
So it's good practice to solve this not only privilege escalation-wise, but also getting access,

14
00:01:15,510 --> 00:01:17,160
gaining access-wise as well.

15
00:01:17,190 --> 00:01:25,680
OK, so my IP address is going to be 10.10.10.11 for this machine, and my VPN is running on the

16
00:01:25,680 --> 00:01:27,720
Kali Linux as usual.

17
00:01:27,720 --> 00:01:30,500
So I'm connected to the Hack The Box servers.

18
00:01:30,780 --> 00:01:32,120
So let me see.

19
00:01:32,370 --> 00:01:32,910
Here you go.

20
00:01:32,910 --> 00:01:35,330
I can ping the machine now.

21
00:01:35,340 --> 00:01:36,150
It's very good.

22
00:01:36,390 --> 00:01:37,560
I can ping this.
23
00:01:37,560 --> 00:01:41,810
And as you can see, I have the same IP address in my tun0 over here.

24
00:01:42,360 --> 00:01:47,880
So what I'm going to do, of course, I'm going to go for nmap, and you can do this with nmap as

25
00:01:47,880 --> 00:01:48,420
usual.

26
00:01:48,690 --> 00:01:49,410
Or you can.

27
00:01:49,410 --> 00:01:53,250
I'm just going to go for the intense scan that we have been doing so far.

28
00:01:53,700 --> 00:01:56,640
OK, you can just go for any of these, by the way.

29
00:01:56,640 --> 00:02:00,300
Like you can go for the all TCP ports one or something like that.

30
00:02:00,300 --> 00:02:03,700
Or you can just go for all ports if you want.

31
00:02:04,140 --> 00:02:07,980
OK, so it really doesn't matter at this point.

32
00:02:07,980 --> 00:02:10,590
You can just go for your custom nmap.

33
00:02:11,220 --> 00:02:16,770
This is not an nmap course, so I assume you already have some experience on this.

34
00:02:17,220 --> 00:02:26,160
I'm just going to go for nmap, all ports, with intense scan and with verbose, OK, and I'm just going

35
00:02:26,160 --> 00:02:26,900
to go for it.

36
00:02:27,330 --> 00:02:28,400
So here you go.

37
00:02:28,530 --> 00:02:31,920
Since I'm doing this for all ports, it's going to take some time.

38
00:02:32,070 --> 00:02:40,110
It's already started to find some things, like I believe we have discovered open port 135 over here.

39
00:02:40,740 --> 00:02:48,750
So it seems like we don't have any port 80 or like a web server, but maybe we have, I don't know

40
00:02:48,750 --> 00:02:49,170
yet.

41
00:02:49,620 --> 00:02:55,440
So it's going to scan 65,535 ports.

42
00:02:55,440 --> 00:02:59,960
So it's going to take some time, as you can see, ten percent so far.
43
00:03:00,240 --> 00:03:05,610
And again, why are we doing this? Because we want to understand how to gain access to Windows

44
00:03:05,610 --> 00:03:11,460
machines and, after that, how to escalate our privileges in a way that we haven't seen before.

45
00:03:12,030 --> 00:03:15,570
And this represents real life in a good way.

46
00:03:15,570 --> 00:03:22,440
So that's why we are going for Arctic. Let me see if we have any kind of web server going on over here while

47
00:03:22,440 --> 00:03:23,100
we wait.

48
00:03:23,400 --> 00:03:26,250
So I'm going to go for 10.10.10.11.

49
00:03:26,820 --> 00:03:27,750
And let's see.

50
00:03:29,130 --> 00:03:33,930
Yeah, it seems like it's trying to connect, but nothing is happening over here.

51
00:03:33,960 --> 00:03:36,510
OK, so we are just waiting.

52
00:03:36,510 --> 00:03:37,680
We're just waiting.

53
00:03:38,340 --> 00:03:38,580
Yeah.

54
00:03:38,580 --> 00:03:44,430
I don't believe we have a web service, at least a proper service, right now.

55
00:03:44,700 --> 00:03:47,730
So I believe we're going to have to wait until this is done.

56
00:03:47,880 --> 00:03:51,540
So I'm going to pause the video and wait for three minutes and come back here.

57
00:03:51,540 --> 00:03:53,190
So just do the same thing.

58
00:03:54,030 --> 00:03:54,990
So here you go.

59
00:03:54,990 --> 00:03:58,890
I waited for three minutes and this is our result back.

60
00:03:59,310 --> 00:04:01,920
So let's see what kind of ports or services

61
00:04:01,920 --> 00:04:03,680
we are dealing with.

62
00:04:03,990 --> 00:04:07,680
But before that, I'm going to just copy this as usual, OK?

63
00:04:08,160 --> 00:04:14,100
And I'm going to put this output into a file in my Documents folder.

64
00:04:14,870 --> 00:04:16,890
I believe we have a folder.

65
00:04:17,100 --> 00:04:20,640
I'm going to create a folder called Arctic.
66
00:04:21,180 --> 00:04:26,360
I'm going to go into Arctic and I'm going to nano a new note.

67
00:04:26,730 --> 00:04:29,760
So I'm going to paste all the things that we have copied.

68
00:04:30,030 --> 00:04:34,200
And I'm going to save this by clicking Control+O, Enter, Control+X.

69
00:04:34,830 --> 00:04:35,880
So far, so good.

70
00:04:35,890 --> 00:04:38,520
So now let me scan this a little bit.

71
00:04:38,850 --> 00:04:41,730
It started to scan, it found some ports.

72
00:04:42,030 --> 00:04:42,780
Let me see.

73
00:04:42,810 --> 00:04:45,240
We have the 135, which is

74
00:04:45,240 --> 00:04:54,540
MSRPC, sorry. We have something called FMTP, but I don't know what we can do with that.

75
00:04:54,540 --> 00:04:58,650
Over here we have Windows as the operating system.

76
00:04:58,650 --> 00:04:59,190
Yes.

77
00:04:59,890 --> 00:05:06,430
It's definitely Windows, we don't know the exact version over here, and it doesn't seem

78
00:05:06,430 --> 00:05:09,360
that we have too much information, right.

79
00:05:09,610 --> 00:05:16,890
So we're going to go for either of these, like 135, maybe 8500.

80
00:05:17,410 --> 00:05:22,180
So let's see, maybe we don't even know what MSRPC is.

81
00:05:22,910 --> 00:05:29,860
OK, so we can just go for "MSRPC exploit" to see if we can find some kind of exploit that works

82
00:05:29,860 --> 00:05:31,780
for all MSRPC versions.

83
00:05:32,340 --> 00:05:38,010
OK, so as you can see, MSRPC is the Microsoft Remote Procedure Call.

84
00:05:38,530 --> 00:05:46,180
OK, so if we come over here, we can see that it's kind of a service that lets us remotely do something

85
00:05:46,420 --> 00:05:47,670
on the target machine.

86
00:05:47,680 --> 00:05:54,930
So if it's not configured, then most probably we can get a callback or we can just execute code in

87
00:05:54,940 --> 00:05:56,110
a way that we want.

88
00:05:56,650 --> 00:05:57,910
But we don't know yet.
89
00:05:58,150 --> 00:06:05,140
We don't even know the service version over here. In the version, as you can see, we only get

90
00:06:05,140 --> 00:06:09,250
Microsoft Windows RPC, but we don't get a particular version.

91
00:06:09,250 --> 00:06:12,220
Maybe we can try to run nmap one more time.

92
00:06:13,180 --> 00:06:17,090
But before we do that, let me just search for the FMTP as well.

93
00:06:17,620 --> 00:06:23,380
So what is that? FMTP, it's Flight Message Transfer Protocol.

94
00:06:23,530 --> 00:06:26,620
Let me just go for the exact port.

95
00:06:27,730 --> 00:06:29,410
So, as you can see, 8500.

96
00:06:30,000 --> 00:06:31,840
So what is that, FMTP?

97
00:06:32,540 --> 00:06:35,110
It's really Flight Message Transfer Protocol.

98
00:06:35,110 --> 00:06:39,040
So we are up against a very different port over here.

99
00:06:39,250 --> 00:06:47,200
So I don't believe I have seen this one in previous CTFs, not only in this course, but also all the

100
00:06:47,200 --> 00:06:48,840
previous courses combined.

101
00:06:49,210 --> 00:06:56,890
So as you can see, this is to enable the international operational requirements for the coordination and

102
00:06:56,890 --> 00:06:58,480
transfer of aircraft.

103
00:06:58,480 --> 00:07:01,690
So I don't know what we are going to do with those.

104
00:07:01,990 --> 00:07:02,490
Right.

105
00:07:02,860 --> 00:07:09,040
So if I come over here, we can see it can run on port 8500, really.

106
00:07:09,040 --> 00:07:14,830
And it can be both, it can be both TCP and UDP apparently.

107
00:07:15,520 --> 00:07:24,910
Let me just try to connect to those like this, so let me see if it can work over here, if it's kind

108
00:07:24,910 --> 00:07:31,660
of sending a request or if we're getting a response back, and I don't believe it's working, so let

109
00:07:31,660 --> 00:07:33,520
me go for the other ones.

110
00:07:33,880 --> 00:07:34,890
So let me see.
111
00:07:34,900 --> 00:07:39,340
We have 135 and 49154.

112
00:07:39,880 --> 00:07:44,020
So in the 8500 we have two things.

113
00:07:44,040 --> 00:07:52,690
So let me come over here, and if I click one of these, let me try to open another tab, and this one as

114
00:07:52,690 --> 00:07:53,080
well.

115
00:07:54,580 --> 00:08:02,470
And for some reason, as you can see, before we get a response, we are waiting for some minutes or some,

116
00:08:02,890 --> 00:08:06,220
maybe ten seconds, or let me see.

117
00:08:06,730 --> 00:08:08,920
Let me see if we get a response back.

118
00:08:08,920 --> 00:08:09,700
And here you go.

119
00:08:09,700 --> 00:08:13,180
We're waiting for some kind of interval over here.

120
00:08:13,180 --> 00:08:16,450
I don't know why it's happening or if it is a bug.

121
00:08:16,810 --> 00:08:19,300
So we're going to see later on.

122
00:08:19,780 --> 00:08:21,310
So it happens everywhere.

123
00:08:21,310 --> 00:08:28,150
If we just click on one of these, as you can see, we wait until it's shown for a certain amount of

124
00:08:28,150 --> 00:08:28,600
time.

125
00:08:28,870 --> 00:08:31,540
And I believe this is how the server is configured.

126
00:08:31,780 --> 00:08:32,170
Right.

127
00:08:32,170 --> 00:08:34,690
For some reason, we don't know that reason yet.

128
00:08:35,380 --> 00:08:42,580
So under the cfdocs that we have found, we have a lot of files and folders, and we're going to have

129
00:08:42,580 --> 00:08:45,730
to see and understand what it does.

130
00:08:46,210 --> 00:08:49,840
So over here, we have some JPEGs or images.

131
00:08:49,840 --> 00:08:56,020
OK, so we have HTML files over there, a lot of HTML files.

132
00:08:56,020 --> 00:09:01,090
So we can just take a look at those if we want, like go into the events.

133
00:09:01,390 --> 00:09:02,920
I don't know what it does.

134
00:09:03,580 --> 00:09:07,330
So, of course, we can try to see the JPEG over here.
135
00:09:07,330 --> 00:09:09,820
I don't think we are going to get something out of that.

136
00:09:09,820 --> 00:09:13,600
But anyway, so we have a CFM file over here.

137
00:09:13,600 --> 00:09:16,690
We have a DB folder, database folder.

138
00:09:17,140 --> 00:09:24,040
Let me just try to browse this a little bit, and it's annoying to have that thing that times out on

139
00:09:24,040 --> 00:09:24,510
me.

140
00:09:25,210 --> 00:09:30,550
And I believe it has a reason that they gave us this timeout.

141
00:09:31,150 --> 00:09:37,200
So if we just click on one of the images over here, it says that ColdFusion.

142
00:09:37,900 --> 00:09:44,530
So this is a hint, but we don't see much more for that as well.

143
00:09:44,530 --> 00:09:52,000
I believe over here we have some kind of ColdFusion documentation link again.

144
00:09:52,000 --> 00:09:56,800
And over here we have kind of new files and folders.

145
00:09:57,100 --> 00:09:59,320
Let me just go into the administrator

146
00:09:59,400 --> 00:10:06,960
folder, we have the Application.cfm one more time, so let's click on that and see what happens.

147
00:10:07,680 --> 00:10:13,460
So ColdFusion, by the way, is a service, an Adobe tool or a service.

148
00:10:13,470 --> 00:10:16,160
We're going to see how to work with that.

149
00:10:16,380 --> 00:10:25,890
But again, I believe this is a hint that lets us know that this server is capable of running ColdFusion

150
00:10:25,890 --> 00:10:27,770
or actively running ColdFusion.

151
00:10:28,170 --> 00:10:37,050
So if you search for ColdFusion, OK, on Google, you can see a lot of searches for that already, like

152
00:10:37,050 --> 00:10:39,030
exploit or something like that.

153
00:10:39,690 --> 00:10:43,530
You can just search for it and you will see that it's an Adobe product.

154
00:10:44,070 --> 00:10:48,610
So it's a commercial web application development platform.
155
00:10:49,200 --> 00:10:56,270
So again, this is commonly used in government facilities or in big corporations.

156
00:10:56,670 --> 00:11:06,510
So if you see that there is this, it is OK, by the way, if it has the proper configuration or proper patches

157
00:11:06,510 --> 00:11:12,630
or proper security settings, but if it doesn't, maybe it can lead us somewhere.

158
00:11:12,930 --> 00:11:20,400
For example, over here we have found an administrator panel like this.

159
00:11:20,400 --> 00:11:25,250
So the username is admin, apparently, and we have a password over here.

160
00:11:25,890 --> 00:11:32,230
So if we can find the password of this admin, then we can log into the ColdFusion.

161
00:11:32,810 --> 00:11:40,140
OK, so this is under the CFIDE folder that we have found in the first place.

162
00:11:40,440 --> 00:11:44,150
And when I saw the administrator folder, I just clicked on it.

163
00:11:44,160 --> 00:11:47,590
So if you cannot find it, just go and type this link.

164
00:11:48,060 --> 00:11:50,050
So let me just try this password.

165
00:11:50,850 --> 00:11:51,690
Here you go.

166
00:11:51,690 --> 00:11:57,600
I just give a single quotation mark to see if we have a basic SQL injection over here.

167
00:11:57,600 --> 00:12:05,970
But as you can see, it actually kind of decrypts or encrypts the message, or encrypts the password,

168
00:12:05,970 --> 00:12:07,590
before sending the request.

169
00:12:07,860 --> 00:12:12,420
And the response that we got back is "invalid password".

170
00:12:12,480 --> 00:12:16,460
OK, so what can we do over here?

171
00:12:16,860 --> 00:12:23,430
As you can see, we have found the administrative panel and we have to find the password of this admin

172
00:12:23,430 --> 00:12:23,970
user.

173
00:12:24,630 --> 00:12:26,970
So there are a couple of possibilities.
174
00:12:26,970 --> 00:12:34,290
We can go for SQL injection, we can go for brute forcing, and we can try to find the password

175
00:12:34,290 --> 00:12:41,460
like in a hint or in any folder or file that we have been presented with, or we can just try to

176
00:12:41,460 --> 00:12:49,020
find if we have a vulnerability regarding ColdFusion version 8 in the administrative panel.

177
00:12:49,470 --> 00:12:49,980
Right.

178
00:12:50,670 --> 00:12:56,610
So I believe the timeout that we're getting is there because of the brute force.

179
00:12:57,420 --> 00:13:01,390
So I believe the CTF doesn't want us to do any brute force.

180
00:13:01,890 --> 00:13:07,400
OK, so there isn't any tip in the user's page as well.

181
00:13:08,130 --> 00:13:14,310
So what I have in mind is that we're going to have to search for the exploit of this ColdFusion 8

182
00:13:14,760 --> 00:13:23,040
rather than try to brute force this, because each password try will take like 10 seconds to complete

183
00:13:23,040 --> 00:13:25,650
and it will take ages to complete this.

184
00:13:25,650 --> 00:13:32,670
As you can see, once I refresh that, it will make me wait 10 seconds or something like that, or maybe

185
00:13:32,670 --> 00:13:33,810
eight seconds, I don't know.

186
00:13:33,810 --> 00:13:40,230
But it's close to 10 seconds, and it will then give me the response back.

187
00:13:40,560 --> 00:13:43,950
So we're going to have to get creative over here.

188
00:13:44,490 --> 00:13:48,060
Let's stop here and get creative in the next lecture.