1
00:00:00,140 --> 00:00:02,310
Well I am excited.
2
00:00:02,610 --> 00:00:04,700
And let me tell you how excited I am.
3
00:00:04,740 --> 00:00:07,300
This is not the first time I've ever recorded this video.
4
00:00:07,350 --> 00:00:12,300
This is actually the second time recording this video because the first time I forgot to hit the record
5
00:00:12,300 --> 00:00:12,630
button.
6
00:00:12,630 --> 00:00:15,560
So now it's blinking red right in front of me.
7
00:00:15,600 --> 00:00:21,030
Guaranteed recording, and I'm still as excited even the second time walking through this. I'm so excited
8
00:00:21,060 --> 00:00:23,510
because this is what we've been building up for.
9
00:00:23,550 --> 00:00:29,910
This is everything we've been doing: the scanning, the enumeration, even the Linux and the Python.
10
00:00:29,940 --> 00:00:33,810
This is all building up to this, and now we're ready to exploit.
11
00:00:33,810 --> 00:00:39,330
We're going to get our first shell. We're going to pop our first shell today, and I'm so excited for both
12
00:00:39,330 --> 00:00:40,020
of us.
13
00:00:40,050 --> 00:00:45,990
So what we're gonna do is we're going to run Metasploit for this one, and Metasploit is a little bit
14
00:00:46,030 --> 00:00:50,760
automated, but that's OK; in the next video we're gonna go ahead and cover it manually.
15
00:00:50,760 --> 00:00:57,690
So what we're going to do is we're going to attack SMB here, and with SMB, what we're gonna do is, if you
16
00:00:57,690 --> 00:01:02,460
don't remember, we searched for Samba 2.2.
17
00:01:02,460 --> 00:01:09,340
We found Samba 2.2.1a. We searched around, we went out to the interwebs, we did searchsploit,
18
00:01:09,340 --> 00:01:19,810
and we kept seeing this trans2open show up, like here and here, here, here, all down here, right, repeatedly,
19
00:01:20,230 --> 00:01:23,620
and it meets the criteria; everything seems to make sense.
20
00:01:23,740 --> 00:01:26,960
It had that IPC anonymous connection as well.
21
00:01:27,040 --> 00:01:32,690
So I think, I think this is a winner, and we're gonna go ahead and give it a try.
22
00:01:32,740 --> 00:01:37,760
So I'm going to copy this, and we're going to go ahead and type in msfconsole and load up Metasploit.
23
00:01:39,810 --> 00:01:44,790
Once Metasploit loads, we're gonna go ahead and just search for this guy and see if we can't find
24
00:01:44,790 --> 00:01:50,700
it. Now we know it exists because we did find that handy dandy Rapid7 website that said it did.
25
00:01:51,000 --> 00:01:59,010
So we're going to search it here, and we're given four options. Now these are all operating systems here,
26
00:01:59,370 --> 00:02:08,280
but we have been good enumerators and good investigators, researchers, information gatherers, etc. We could
27
00:02:08,280 --> 00:02:13,260
have willy-nilly just seen 139, said, hey, I'm going to try to find exploits against it, and
28
00:02:13,260 --> 00:02:17,410
never looked at any other ports, but that's not us; we went out to port 80.
29
00:02:17,430 --> 00:02:21,360
We saw that it was running Red Hat; we discovered Linux on the machine.
30
00:02:21,360 --> 00:02:26,940
So we know we're going to pick the Linux module, so we're gonna say use 1, as that corresponds to this
31
00:02:26,940 --> 00:02:35,060
module here, and then we're gonna type in options, and all we have to do is set RHOST.
32
00:02:35,160 --> 00:02:39,960
So remember, RHOST stands for remote host, or the victim that we're attacking.
33
00:02:39,960 --> 00:02:50,450
So we're going to say set RHOSTS 192.168.57.134, and we're going to say options one
34
00:02:50,450 --> 00:02:54,560
more time to make sure that that actually set in there, and it did.
35
00:02:54,560 --> 00:02:58,360
Now one thing I'd like to do is type in show targets.
36
00:02:58,370 --> 00:03:02,930
Now there are no targets here, but as you're going to see later on in the course, there are often targets
37
00:03:02,930 --> 00:03:04,510
that we have to pick from.
38
00:03:04,520 --> 00:03:08,000
Not always is the first choice that's auto-selected right for us.
39
00:03:08,210 --> 00:03:10,180
But in this instance there's only one choice,
40
00:03:10,250 --> 00:03:11,830
so it's the right choice.
41
00:03:11,870 --> 00:03:13,380
So now we have two options.
42
00:03:13,460 --> 00:03:19,580
Both are going to do the same thing for us; like, you type in run, or we could type in exploit if we want
43
00:03:19,580 --> 00:03:20,330
to be cool.
44
00:03:20,330 --> 00:03:26,400
I want to be cool, so let's type in exploit. So we're gonna run this, and it's going to start this brute force
45
00:03:26,400 --> 00:03:30,320
attack here, and it's going to start opening shells and closing shells. What is going on?
46
00:03:30,870 --> 00:03:33,090
So let's Control-C if yours is doing this.
47
00:03:33,090 --> 00:03:35,810
Go ahead and Control-C, interrupt this.
48
00:03:35,820 --> 00:03:36,960
Let's talk about what's happening.
49
00:03:38,340 --> 00:03:40,560
So you see it's trying this brute force attack.
50
00:03:40,560 --> 00:03:43,490
It's trying different, different return addresses here.
51
00:03:43,530 --> 00:03:47,800
And finally it lands on the one that works, and it says, hey, I'm going to send this stage.
52
00:03:47,820 --> 00:03:48,810
This is always a good sign,
53
00:03:48,810 --> 00:03:50,580
by the way, sending the stage.
54
00:03:50,580 --> 00:03:57,320
Then it says, hey, I've got this Meterpreter session open, because our payload has worked.
55
00:03:57,480 --> 00:04:01,340
And then: this Meterpreter session closed, reason: died.
56
00:04:01,350 --> 00:04:02,570
That's not good.
57
00:04:02,580 --> 00:04:04,910
So it keeps going through over and over and over and over.
58
00:04:04,910 --> 00:04:06,840
And it is dying.
59
00:04:06,840 --> 00:04:07,860
What is going on?
60
00:04:08,700 --> 00:04:13,680
Well, we've talked about this. Let's go into options again now.
61
00:04:13,820 --> 00:04:19,400
You don't see this the first time you do it, but you see it the second time, because Metasploit says, hey,
62
00:04:19,430 --> 00:04:20,910
if your payload's not working,
63
00:04:20,930 --> 00:04:26,120
maybe the payload is the issue, and I'm going to give you payload options this time around.
64
00:04:26,120 --> 00:04:28,560
Now we see payload options here in the middle.
65
00:04:28,730 --> 00:04:30,320
That wasn't there before.
66
00:04:30,500 --> 00:04:37,830
We can see that we're running linux/x86/meterpreter/reverse_tcp.
67
00:04:37,970 --> 00:04:38,870
What does that mean?
68
00:04:39,200 --> 00:04:42,220
Well, that means that we are running a staged payload.
69
00:04:42,260 --> 00:04:48,170
Couple of other things to note while we're in here: we see LHOST; that is the opposite of RHOST.
70
00:04:48,170 --> 00:04:48,920
LHOST is us.
71
00:04:48,940 --> 00:04:50,540
We are the listening host.
72
00:04:50,540 --> 00:04:55,450
So we sit here and we have our IP address; sometimes it auto-selects correctly.
73
00:04:55,450 --> 00:04:56,570
Sometimes it doesn't.
74
00:04:56,570 --> 00:04:58,040
In this case it did.
75
00:04:58,190 --> 00:05:01,980
And then we have the LPORT, which is by default 4444.
76
00:05:02,300 --> 00:05:03,980
So that's fine for now.
77
00:05:03,980 --> 00:05:08,660
It's fine for these lessons. When you get into actually running this in the wild,
78
00:05:08,930 --> 00:05:14,390
4444 is probably going to get you picked up pretty quick, because this is a default Meterpreter
79
00:05:14,450 --> 00:05:14,840
port.
80
00:05:15,080 --> 00:05:22,150
So some connection sees, or some antivirus or detection software sees, 4444 open up.
81
00:05:22,280 --> 00:05:24,200
This is going to trigger an alarm here.
82
00:05:24,410 --> 00:05:29,400
But anyway, for this course you're not going to need to worry about it too much right now.
83
00:05:29,410 --> 00:05:31,370
We're going to go ahead and set a payload.
84
00:05:31,450 --> 00:05:32,800
We're going to say set payload.
85
00:05:33,430 --> 00:05:35,500
And how do we know what payload to pick?
86
00:05:35,530 --> 00:05:41,770
Let's just start typing out linux and hit tab, and the auto-tab fills out the x86 part for us, and then just
87
00:05:41,770 --> 00:05:44,660
hit double tab.
88
00:05:44,680 --> 00:05:44,890
All right.
89
00:05:44,920 --> 00:05:46,180
Now a double tab.
90
00:05:46,210 --> 00:05:46,810
That's great.
91
00:05:46,810 --> 00:05:48,220
Look at the payload options we have.
92
00:05:48,220 --> 00:05:55,330
We've got a bunch now, we've got a bunch of Meterpreters, but unfortunately they're all staged payloads
93
00:05:55,330 --> 00:05:56,150
here.
94
00:05:56,170 --> 00:05:57,750
I love a good Meterpreter shell.
95
00:05:57,790 --> 00:06:00,700
And you guys will understand why as we move forward.
96
00:06:00,790 --> 00:06:04,050
But as of right now it doesn't look like we're gonna be able to use one.
97
00:06:04,330 --> 00:06:10,120
We come over to this right column here, you can see that we've got other shells as well, and we come down
98
00:06:10,150 --> 00:06:11,590
and finally, down here,
99
00:06:11,620 --> 00:06:18,400
we've got a few options that are non-staged, so let's go ahead and try this shell_reverse_tcp
100
00:06:18,410 --> 00:06:26,220
right here, and you could just start typing that out and that should auto-tab complete for you.
101
00:06:27,000 --> 00:06:28,880
Go ahead and hit enter.
102
00:06:29,220 --> 00:06:33,060
Hit options one more time to make sure that this actually works.
103
00:06:33,060 --> 00:06:40,550
You can see here that it actually picked up, and now let's go ahead and try to run this, and let's see
104
00:06:40,550 --> 00:06:45,460
if it happens. Fingers crossed. Oh, look at that.
105
00:06:45,470 --> 00:06:49,790
So we've got a shell now, and this is command shell session 5.
106
00:06:49,880 --> 00:06:56,210
Let's try whoami: root. hostname: Kioptrix level 1.
107
00:06:56,270 --> 00:07:03,500
We have successfully rooted this machine. root is the commander of the system; we cannot go any deeper
108
00:07:03,500 --> 00:07:04,010
than this.
109
00:07:04,010 --> 00:07:05,940
We own this machine.
110
00:07:06,080 --> 00:07:07,950
Hands down, it's our machine.
111
00:07:07,970 --> 00:07:09,810
So congratulations.
112
00:07:09,980 --> 00:07:10,990
You have made it this far.
113
00:07:10,990 --> 00:07:13,490
This is your first rooted machine.
114
00:07:13,490 --> 00:07:14,600
You should be very proud.
115
00:07:14,600 --> 00:07:16,380
Pat yourself on the back.
116
00:07:16,460 --> 00:07:17,830
You're awesome.
117
00:07:17,840 --> 00:07:24,650
So from here we're going to go ahead and we're going to focus on port 80 and 443 and how we can exploit
118
00:07:24,650 --> 00:07:29,490
those manually, and then we'll move on to some other exploitation techniques.
119
00:07:29,570 --> 00:07:31,240
But for now, congratulate yourself.
120
00:07:31,250 --> 00:07:33,650
You have your first shell.
121
00:07:33,740 --> 00:07:35,250
I'm very excited for you.
122
00:07:35,330 --> 00:07:38,990
So I'll catch you over in the next video as you start some manual exploitation.