1
00:00:00,090 --> 00:00:02,520
So we have gained root with Metasploit.
2
00:00:02,540 --> 00:00:07,110
But now we need to gain root with some manual exploitation.
3
00:00:07,110 --> 00:00:15,350
So remember, earlier we discovered that we had an exploit for mod_ssl, and we're going to see what
4
00:00:15,350 --> 00:00:16,220
we could do about it.
5
00:00:16,550 --> 00:00:21,500
So we went to Google and researched mod_ssl, and we came up with something called OpenLuck.
6
00:00:21,770 --> 00:00:23,170
If you remember that.
7
00:00:23,340 --> 00:00:32,240
So we clicked on this OpenLuck here, and this is the same as the one that is out there on Exploit Database,
8
00:00:32,330 --> 00:00:34,120
but it is fixed.
9
00:00:34,220 --> 00:00:38,930
So remember, the Exploit Database one is broken, so you'd rather use this one that is fixed.
10
00:00:38,930 --> 00:00:43,050
So what we're going to do is follow the instructions here.
11
00:00:43,280 --> 00:00:44,860
And this is very well laid out.
12
00:00:45,260 --> 00:00:51,170
So it tells you to git clone this, we need to install the libssl-dev library.
13
00:00:51,170 --> 00:00:53,180
We need to compile and then run the exploit.
14
00:00:53,720 --> 00:00:55,390
So very very straightforward.
15
00:00:55,400 --> 00:01:00,800
We're going to go ahead and do exactly what it says, and let's go ahead and just copy this first line
16
00:01:00,800 --> 00:01:08,520
here, and I'm going to just make this a little smaller, go into a terminal, and I actually have a folder
17
00:01:08,520 --> 00:01:16,320
for the exploits. I'm going to cd into it, and then we're going to go ahead and just paste that line, and
18
00:01:16,320 --> 00:01:18,990
it will go and get everything for us.
19
00:01:18,990 --> 00:01:21,030
Now we see that it is there.
20
00:01:21,300 --> 00:01:24,230
So let's cd into that folder.
21
00:01:24,480 --> 00:01:35,010
The bad-word folder, we'll ls, and now you can see that there is just the C file here and the read
22
00:01:35,010 --> 00:01:35,730
me.
23
00:01:35,730 --> 00:01:39,760
So what we're gonna do is we need to install this libssl-dev.
24
00:01:39,780 --> 00:01:48,380
So we're gonna say apt install and then libssl-dev, like this, hit enter, and then just hit enter
25
00:01:48,420 --> 00:01:55,180
because it says yes already. This will take just a second to install, and then once it does this we're
26
00:01:55,180 --> 00:02:00,940
going to use a tool called GCC, which GCC is a compiler.
27
00:02:01,000 --> 00:02:07,530
So if you've never used C or aren't familiar with C, we have a C file, but this isn't ready to use.
28
00:02:07,540 --> 00:02:10,570
We have to compile that C file in order to actually use it.
29
00:02:11,050 --> 00:02:15,100
So that's what we're doing here, is we're downloading a little bit of stuff to actually build and compile
30
00:02:15,100 --> 00:02:17,370
that. GCC is built in.
31
00:02:17,370 --> 00:02:20,020
And we just need some other things additionally.
32
00:02:20,050 --> 00:02:27,250
So now what we're gonna do is we're going to say gcc, and typically you say -o for the output, so we can
33
00:02:27,250 --> 00:02:34,720
call it whatever we want, we'll just call this open, and then we'll just specify the file, you can start
34
00:02:34,720 --> 00:02:39,820
typing it and then tab out, and then it says this -lcrypto, which is important.
35
00:02:41,750 --> 00:02:42,470
Hit enter.
36
00:02:42,940 --> 00:02:43,690
OK.
37
00:02:43,790 --> 00:02:51,920
And then hit ls, and you see now in pretty green, lighting up and saying hey, we're executable, we
38
00:02:51,920 --> 00:02:54,590
have our executable.
39
00:02:54,680 --> 00:02:57,260
We have our script that we can run.
40
00:02:57,260 --> 00:03:06,080
So we could say ./open and run it, and you can see in here all the different options
41
00:03:06,080 --> 00:03:06,930
that this runs against.
42
00:03:06,950 --> 00:03:10,760
So remember, one is brute forcing, the last one.
43
00:03:10,760 --> 00:03:16,190
When we saw the trans2open kind of doing brute force.
44
00:03:16,190 --> 00:03:18,310
In theory this is what it could do as well.
45
00:03:18,320 --> 00:03:22,710
But here we have to pick a return address based on our machine.
46
00:03:22,730 --> 00:03:24,900
So we're going to look at the usage.
47
00:03:24,920 --> 00:03:31,820
I always like to do the application without any usage to see what the usage is, and we need to use target
48
00:03:31,820 --> 00:03:34,980
box, which is one of these down here.
49
00:03:35,270 --> 00:03:36,750
We need to select a port maybe.
50
00:03:36,920 --> 00:03:40,400
It says for SSL connection. We're not going to be using an SSL connection.
51
00:03:40,400 --> 00:03:41,670
Don't worry about that.
52
00:03:41,780 --> 00:03:42,880
And then a -c.
53
00:03:42,890 --> 00:03:43,890
No.
54
00:03:43,970 --> 00:03:46,460
And it says use range 40 to 50.
55
00:03:46,580 --> 00:03:47,650
If you don't know.
56
00:03:47,720 --> 00:03:52,790
So our syntax is going to look something like ./open, one of these offsets that we're
57
00:03:52,790 --> 00:04:03,000
gonna pick, and then it's going to be a -c, probably 40, with the box IP address in between.
58
00:04:03,020 --> 00:04:06,020
So how do we find what we're looking for?
59
00:04:06,230 --> 00:04:12,590
Well, I'm gonna cheat just a little bit and tell you guys to scroll down, down, down, down, down, and if we look
60
00:04:12,650 --> 00:04:23,000
at 6b here, remember we were up against Apache 1.3.20. See, enumeration comes
61
00:04:23,060 --> 00:04:25,580
into play big time.
62
00:04:26,300 --> 00:04:28,910
So Apache 1.3.20.
63
00:04:28,910 --> 00:04:30,320
Now there are two we can run against.
64
00:04:30,380 --> 00:04:36,320
I'm picking this one, I believe it's the more stable one, so we could pick either one, but I would choose
65
00:04:36,320 --> 00:04:43,730
B. I think A doesn't work all the time, so let's choose B here, and Apache 1.3.20
66
00:04:43,730 --> 00:04:48,500
is the indicator, and again Red Hat Linux, that's another indicator.
67
00:04:48,740 --> 00:04:55,580
So let's copy this so we don't forget it, and we're just going to scroll down, and we're gonna say hey,
68
00:04:56,260 --> 00:05:05,770
./open, and we're going to paste that 0x6b, and then we're going to run this against
69
00:05:06,010 --> 00:05:09,280
the IP address because it said box was next.
70
00:05:09,280 --> 00:05:17,620
So 134, and then remember we had to give a -c of 40, so that is the syntax.
71
00:05:17,890 --> 00:05:24,160
Sometimes you have to follow along, and I don't think most of them are as confusing as this
72
00:05:24,190 --> 00:05:30,580
item. When you say this is confusing, I would say it's pretty lengthy for an exploit, because you have to
73
00:05:30,580 --> 00:05:37,490
go through all the different offsets here to find the offset and actually fire this off, but you know
74
00:05:37,480 --> 00:05:43,690
you have the opportunity here to actually be able to read usage and just understand your way through
75
00:05:43,690 --> 00:05:43,840
it.
76
00:05:43,870 --> 00:05:48,810
So once you get this little syntax and all this part down, it's really not that bad.
77
00:05:48,820 --> 00:05:53,890
So to check off the list, we've got the target, we've got the box IP address, we don't need the port because
78
00:05:53,890 --> 00:05:59,140
we're not running against SSL, we're just gonna run this against port 80, and then we're going to run
79
00:05:59,140 --> 00:06:01,470
-c of 40.
80
00:06:01,660 --> 00:06:06,090
So let's go ahead and try to fire that off and see what happens here
81
00:06:10,080 --> 00:06:11,850
and this may just take a second
82
00:06:16,460 --> 00:06:18,810
OK, says it's finding a shell.
83
00:06:18,810 --> 00:06:27,350
Now we wait for the shell. Let's scroll up just a little bit while we're waiting here to see, so it looks
84
00:06:27,350 --> 00:06:31,550
like it sent the shellcode and it spawned a shell.
85
00:06:31,640 --> 00:06:33,970
It says hey, we have no job control in this shell.
86
00:06:34,040 --> 00:06:36,910
And then it has a shell here, bash 2.05.
87
00:06:36,920 --> 00:06:43,780
That is a shell, and then it's going in and it's doing some wgets.
88
00:06:43,910 --> 00:06:50,490
Now if this is able to get out to the Internet, it's going to go ahead and try to do wgets against these.
89
00:06:50,510 --> 00:06:55,230
It's going to keep downloading, and it's going to get the response here, OK.
90
00:06:55,520 --> 00:07:00,460
And now, as we wait for the shell, because it saved this .c file here.
91
00:07:00,620 --> 00:07:03,190
And let's see if maybe we already have a shell.
92
00:07:03,200 --> 00:07:03,950
whoami.
93
00:07:03,950 --> 00:07:04,520
root.
94
00:07:04,520 --> 00:07:05,530
Look at that.
95
00:07:05,540 --> 00:07:12,920
So it looks like it downloaded something and allowed us to maybe privilege escalate here, and let's say
96
00:07:12,920 --> 00:07:13,550
hostname.
97
00:07:14,620 --> 00:07:15,550
OK.
98
00:07:15,740 --> 00:07:22,310
So we've gone through and we've rooted this machine with Metasploit, and now we've gone through and
99
00:07:22,310 --> 00:07:26,480
rooted this machine with the manually downloaded exploit.
100
00:07:26,480 --> 00:07:34,520
So there's two options. You're going to find out that Metasploit is a more robust and popular option,
101
00:07:34,850 --> 00:07:37,100
especially as a penetration tester.
102
00:07:37,160 --> 00:07:47,780
Now there is a common misconception or thought process put out there by certifications, the OSCP for
103
00:07:47,780 --> 00:07:50,540
example, doesn't let you use a lot of,
104
00:07:50,550 --> 00:07:52,870
well, only one instance of Metasploit on their exam.
105
00:07:52,880 --> 00:07:58,100
So everybody thinks, man, I really shouldn't use Metasploit, but you're going to see in this course how
106
00:07:58,160 --> 00:08:04,430
useful it really is and how robust it is, and if you talk to a penetration tester, they're going to use
107
00:08:04,430 --> 00:08:06,930
the best tools available to them.
108
00:08:07,160 --> 00:08:13,430
The certifications out there that do that are just making it harder to pass the exam intentionally than
109
00:08:13,430 --> 00:08:16,340
they are, you know, for practicality.
110
00:08:16,340 --> 00:08:18,890
This course is all about practicality.
111
00:08:18,890 --> 00:08:25,520
So from here, now we can exploit it manually, let's talk about a couple of things that we look for in
112
00:08:25,520 --> 00:08:31,310
post, so post being post-exploitation, and we're going to cover this over and over and over again.
113
00:08:31,400 --> 00:08:37,190
We're not going to get into it fully right now, I just want to give you an idea as to the thought process
114
00:08:38,340 --> 00:08:43,860
So the first thing to think about is what is our IP address.
115
00:08:43,860 --> 00:08:46,500
We could say ifconfig if it'll allow us to.
116
00:08:46,500 --> 00:08:52,440
It just depends on what kind of shell we're in, and see, this one is a weird shell. We could try ip a.
117
00:08:52,440 --> 00:08:58,630
It's still not going to be found. If we try some commands like arp or route,
118
00:08:58,650 --> 00:09:03,870
I doubt they're going to be found right now either, but we want to look at the routing table, the ARP
119
00:09:03,870 --> 00:09:09,990
table, we want to see if this machine is what's called dual-homed, and you're going to learn more about
120
00:09:09,990 --> 00:09:11,790
that when we get into the pivoting.
121
00:09:11,790 --> 00:09:17,820
But if this has two NICs, and we're on one network and the NIC is on a second network that we
122
00:09:17,820 --> 00:09:23,340
never saw before, then maybe we can do something called pivoting and move into that new network.
123
00:09:23,340 --> 00:09:29,100
But we would be able to identify who the machine's talking to with an ARP table or a route.
124
00:09:29,550 --> 00:09:34,180
We could also look at, like, sudo privileges, so we could say things like sudo -l, but we are root,
125
00:09:34,200 --> 00:09:40,680
so we can run as everybody. So a sudo user, as we talked about in Linux.
126
00:09:41,010 --> 00:09:47,360
Linux lessons, a sudo user is able to run commands elevated.
127
00:09:47,390 --> 00:09:50,180
But here we are root, we are obviously already elevated.
128
00:09:50,250 --> 00:09:56,190
So other things that we can do, we can cat what's called the /etc/passwd file.
129
00:09:56,250 --> 00:10:01,780
Now this is very misleading, because the /etc/passwd file used to be the password file.
130
00:10:01,770 --> 00:10:07,920
Now it just holds a placeholder, so you could see all the users that are on this computer, root being
131
00:10:07,980 --> 00:10:08,940
this one.
132
00:10:08,950 --> 00:10:14,730
There's a lot of built-in users here, but if you always scroll down to the bottom and you start at the five
133
00:10:14,730 --> 00:10:15,500
hundreds.
134
00:10:15,630 --> 00:10:16,890
That's where your users start.
135
00:10:16,900 --> 00:10:20,880
So there's actually two users in this computer as well, one's named John.
136
00:10:20,880 --> 00:10:22,060
The other is named Harold.
137
00:10:22,890 --> 00:10:31,500
So we look at these users and we say OK, well, there's no password in this password file, but there used
138
00:10:31,500 --> 00:10:34,440
to be. Back in the day there used to be, that's why they called it this.
139
00:10:34,680 --> 00:10:37,360
And now they moved it to this placeholder of an x.
140
00:10:37,530 --> 00:10:42,960
And what we can do is we can come in here and we can say hey, cat /etc/shadow,
141
00:10:45,470 --> 00:10:47,760
and now you see the hashes are in here.
142
00:10:47,870 --> 00:10:54,320
So these hashes are what the x is placeholding for. We can actually combine both of these files with
143
00:10:54,320 --> 00:10:57,550
the tool and go offline and try to crack these.
144
00:10:57,560 --> 00:10:59,710
We'll work on that later on in the course.
145
00:10:59,870 --> 00:11:05,870
But just for now, like, getting your wheels spinning as to what we can do with root-level access, we need
146
00:11:05,870 --> 00:11:11,600
to start enumerating again, looking at files on the computer, seeing what's out there and what we
147
00:11:11,600 --> 00:11:12,500
can do with it.
148
00:11:12,740 --> 00:11:17,750
But we'll get into post-exploitation techniques and thought process as we go through the Active Directory
149
00:11:17,750 --> 00:11:22,340
portion of the course, because I think it plays hand in hand, and we could talk about password cracking
150
00:11:22,340 --> 00:11:24,610
there and how to attack some of this stuff.
151
00:11:24,830 --> 00:11:31,730
But there will be a password cracking video on the Linux as well when we get into the post-exploitation
152
00:11:31,730 --> 00:11:33,090
phase of this.
153
00:11:33,350 --> 00:11:35,570
But that's really it for now.
154
00:11:35,600 --> 00:11:37,820
So we've got the shadow.
155
00:11:37,820 --> 00:11:39,990
We can take this offline, try to crack it.
156
00:11:40,010 --> 00:11:41,870
We can enumerate files.
157
00:11:41,870 --> 00:11:48,110
We can try to, you know, break into user folders and see what they've got in there, maybe they've got password
158
00:11:48,110 --> 00:11:50,790
files stored in there et cetera.
159
00:11:50,840 --> 00:11:55,990
So from here we have rooted this machine twice.
160
00:11:56,090 --> 00:12:00,940
We've rooted it with Metasploit, we rooted it manually, and now we can start moving on.
161
00:12:01,010 --> 00:12:05,540
I do want to show you a few more attacks, so here's what's going to happen over the next few videos: we're
162
00:12:05,540 --> 00:12:08,840
going to talk about brute force attacks really quick on SSH.
163
00:12:08,840 --> 00:12:12,530
We're going to talk about credential stuffing, we're going to revisit that concept that we talked about
164
00:12:12,590 --> 00:12:16,970
in information gathering, and then we're gonna look at our notes, and we're just going to compare notes
165
00:12:17,000 --> 00:12:23,000
and see where we're at with findings and everything else. After that we're gonna get into what I like
166
00:12:23,000 --> 00:12:31,370
to call the mid-course capstone, which is going to allow us to do a bunch of exploitation against a bunch
167
00:12:31,370 --> 00:12:33,410
of machines and it should be really fun.
168
00:12:33,410 --> 00:12:39,290
So, end of spiel again. I will catch you over in the next video as we talk about brute force attacks.