1 00:00:00,120 --> 00:00:00,490 All right.
2 00:00:00,510 --> 00:00:03,630 Let's talk about gaining shell access.
3 00:00:03,780 --> 00:00:09,900 Now this should be somewhat of a refresher video, because we covered a lot of this in the mid-course
4 00:00:09,930 --> 00:00:16,660 capstone, but I just want you to think about what you can do now that you have a credential.
5 00:00:16,770 --> 00:00:20,160 So, so far all we have is a credential, right?
6 00:00:20,250 --> 00:00:23,680 And we're going to see what we can do with that credential.
7 00:00:23,700 --> 00:00:30,750 So the first thing I want to do is boot up Metasploit, and we'll say msfconsole, and if we
8 00:00:30,750 --> 00:00:39,600 have SMB open and we have a username and a password, well then we can use that user and password, and
9 00:00:39,600 --> 00:00:45,810 especially if that user has a machine and they're local administrator, to get a shell we can use that with
10 00:00:45,990 --> 00:00:54,840 psexec. So we can search for psexec, or if you know the windows/smb/psexec exploit, you can use
11 00:00:54,840 --> 00:00:55,610 that as well.
12 00:00:55,620 --> 00:01:03,450 So here we'll use 10, line 10 right here, and we'll just say options.
13 00:01:03,450 --> 00:01:10,850 Now what we can do is set the RHOSTS. So we know the fcastle machine is at 192.168.57.141,
14 00:01:10,850 --> 00:01:22,680 and then we have to say set SMBDomain to MARVEL.local, set SMBPass to Password1,
15 00:01:22,680 --> 00:01:33,030 and set SMBUser to fcastle. OK, we could say options here and we could try to run this, but we need
16 00:01:33,030 --> 00:01:37,560 to run this with the appropriate payload, so let's go ahead and just set the payload right off the bat
17 00:01:37,590 --> 00:01:47,680 with set payload windows, we're going to say x64/meterpreter, and then reverse_tcp, and we'll go ahead
18 00:01:47,680 --> 00:01:48,620 and say options.
19 00:01:48,640 --> 00:01:50,200 Make sure everything looks set.
20 00:01:50,230 --> 00:01:52,210 Let's go ahead and set an LHOST as well.
21 00:01:52,210 --> 00:02:00,850 So let's set the LHOST to eth0 here, and we'll go ahead and give this a run and see what happens.
22 00:02:00,880 --> 00:02:06,250 Now this doesn't always authenticate on the first go, and it doesn't always authenticate with the first
23 00:02:06,340 --> 00:02:07,810 automatic targeting.
24 00:02:07,900 --> 00:02:14,380 So we may have to give this a go with a second attempt, or we may have to give this a go and see. It's
25 00:02:14,380 --> 00:02:16,960 not working here; we'll give it a go one more time.
26 00:02:16,990 --> 00:02:21,010 Looks like it's doing PowerShell. PowerShell might not work here; we may have to try a different target.
27 00:02:21,400 --> 00:02:26,950 So it's always good to look at the exploit targets here, and psexec is one of those funky ones where either
28 00:02:26,950 --> 00:02:30,180 it's going to work or it's not going to work with that specific one.
29 00:02:30,190 --> 00:02:37,970 So let's just show targets, and we've got Automatic, PowerShell, Native upload and MOF upload.
30 00:02:37,990 --> 00:02:46,890 Let's go ahead and just set target 2, and we'll run that, and we've got a virus detected. What happened?
31 00:02:46,920 --> 00:02:48,160 Oh no.
32 00:02:48,190 --> 00:02:51,760 So if we go to our Windows machine, you may have heard the ding.
33 00:02:52,120 --> 00:02:55,090 We've got a virus detection here.
34 00:02:55,090 --> 00:03:05,500 So what's happening is that this psexec is being blocked as a virus, right?
35 00:03:05,580 --> 00:03:08,750 And somehow Windows Defender got turned back on.
36 00:03:08,760 --> 00:03:10,570 Don't know how that happened, but that's OK.
37 00:03:10,580 --> 00:03:12,360 If yours got turned back on, that's fine as well.
38 00:03:12,360 --> 00:03:13,800 This is a good learning lesson.
39 00:03:14,220 --> 00:03:16,860 So psexec is getting blocked.
40 00:03:16,860 --> 00:03:17,730 So what if we can't
41 00:03:17,760 --> 00:03:18,450 psexec?
42 00:03:19,110 --> 00:03:21,870 OK, let's try something different.
43 00:03:21,870 --> 00:03:26,430 Let's go ahead and let's try a new tool.
44 00:03:26,430 --> 00:03:31,970 So let's go ahead and let's try psexec.py and see if that works.
45 00:03:31,980 --> 00:03:34,710 Let's do a --help just to see how this looks.
46 00:03:34,710 --> 00:03:36,560 This should be familiar to you.
47 00:03:36,560 --> 00:03:37,260 Right?
48 00:03:37,290 --> 00:03:43,410 We're just going to use the domain, username and then password at the target name.
49 00:03:44,010 --> 00:03:48,470 So all we're gonna say is MARVEL.local
50 00:03:48,990 --> 00:03:59,710 and we're going to say something like fcastle, and then we'll give it the password, Password1, at 192.168.
51 00:03:59,790 --> 00:04:05,920 57.141. Run that. Apologies,
52 00:04:05,920 --> 00:04:09,650 it's a forward slash. Try that.
53 00:04:12,820 --> 00:04:14,640 OK, look here.
54 00:04:14,670 --> 00:04:16,920 So my meterpreter got picked up.
55 00:04:17,340 --> 00:04:20,750 psexec.py did not. OK.
56 00:04:20,820 --> 00:04:22,630 We got a shell with psexec.py.
57 00:04:22,680 --> 00:04:25,370 Now this is a little bit more obscure.
58 00:04:25,410 --> 00:04:28,480 This is not infinitely more obscure.
59 00:04:28,530 --> 00:04:33,450 There are still antiviruses that can pick this up. Windows Defender, which I love, Windows Defender
60 00:04:33,450 --> 00:04:40,520 did not pick it up right here, so bad on Windows Defender, but still here we are.
61 00:04:40,530 --> 00:04:42,530 We've got a shell on the system now.
62 00:04:42,570 --> 00:04:49,920 We could take this and we can get a little bit quieter, so we can say Ctrl+C and kill this, and
63 00:04:49,920 --> 00:04:53,340 we can go in and we can do smbexec or wmiexec.
64 00:04:53,360 --> 00:04:58,960 We can say smbexec like that, and that one didn't work.
65 00:04:58,980 --> 00:05:01,870 OK, let's try wmiexec and see if we get that one to work,
66 00:05:04,960 --> 00:05:11,330 and this one doesn't look like it's going to work either, which is OK, so we need other options, and this
67 00:05:11,330 --> 00:05:17,960 isn't the first time you're seeing any of this, right? We saw this in the very last video of the mid-course
68 00:05:17,990 --> 00:05:23,350 capstone, where we can try smbexec and wmiexec, and just be familiar with these tools.
69 00:05:23,350 --> 00:05:29,690 So what you have, and what I'm trying to point out here, is don't give up on the first tool. You have at
70 00:05:29,690 --> 00:05:35,990 least four options I just provided you here, and if you saw in Metasploit, we actually have more than
71 00:05:35,990 --> 00:05:41,270 that; we have a PowerShell feature as well. If I scroll up just a little bit, there is a PowerShell
72 00:05:41,270 --> 00:05:49,010 version of psexec as well. So don't just give up at the first one, and know that there are multiple
73 00:05:49,010 --> 00:05:56,900 options, and if I alt-tab back into that, you could see too that, you know, we were able to get in with
74 00:05:57,020 --> 00:06:04,370 our psexec.py, but we weren't able to get in with our wmiexec, or we weren't able to
75 00:06:04,370 --> 00:06:07,770 get in with our psexec on Metasploit either, right?
76 00:06:07,790 --> 00:06:14,270 So it's important to know that we have all these different options available to us, and that psexec
77 00:06:14,300 --> 00:06:18,550 is one of the more noisy when it comes to antivirus.
78 00:06:18,550 --> 00:06:27,710 So I would avoid starting here. My tip, pro tip, is to start with something like smbexec or wmiexec,
79 00:06:27,710 --> 00:06:32,290 see if they work, see if you can get a shell, and if you can, what you can do.
80 00:06:32,290 --> 00:06:36,230 They're only like half shells is what they're considered; they're not fully interactive, but they're good
81 00:06:36,230 --> 00:06:41,210 enough to navigate around the C drive. You can issue commands with these; there's a lot of things that
82 00:06:41,210 --> 00:06:41,860 you can do.
83 00:06:41,870 --> 00:06:48,230 So what you need to do is you navigate around and you issue some commands and you say, hey, let me figure
84 00:06:48,230 --> 00:06:53,330 out what antivirus, if anything, is running, and then once you figure out what's running, try
85 00:06:53,330 --> 00:06:59,800 to see if you can't disable that antivirus, so then you can run something more robust like Windows Meterpreter,
86 00:07:00,170 --> 00:07:04,800 or Meterpreter on Windows, because it just does so much more for us.
87 00:07:04,820 --> 00:07:09,800 So what we're gonna do is we're going to go back and we're going to disable that in Defender.
88 00:07:09,800 --> 00:07:11,770 I'm going to make sure that that's all disabled again.
89 00:07:11,780 --> 00:07:16,090 If yours re-enabled, just go ahead and disable it as well as we move forward.
90 00:07:16,100 --> 00:07:20,730 Make sure those are disabled so that we can perform some of these other attacks with Metasploit.
91 00:07:20,960 --> 00:07:28,940 And again, the tip here is to make sure you get in quietly first. Go in, navigate around, try to find the
92 00:07:28,940 --> 00:07:30,600 antivirus that's being used.
93 00:07:30,650 --> 00:07:36,760 Then attempt to use something like psexec, or even another method in Metasploit, to get around it.
94 00:07:36,860 --> 00:07:40,660 So hopefully that all makes sense, and you don't give up at the first failure.
95 00:07:41,240 --> 00:07:42,430 So that's it for this video.
96 00:07:42,440 --> 00:07:45,560 We're going to move on to IPv6 attacks next.