All language subtitles for 3. Gaining Root with Metasploit

These are the user-uploaded subtitles that are being translated:

1
00:00:00,140 --> 00:00:02,310
Well I am excited.

2
00:00:02,610 --> 00:00:04,700
And let me tell you how excited I am.

3
00:00:04,740 --> 00:00:07,300
This is not the first time I've ever recorded this video.

4
00:00:07,350 --> 00:00:12,300
This is actually the second time recording this video because the first time I forgot to hit the record

5
00:00:12,300 --> 00:00:12,630
button.

6
00:00:12,630 --> 00:00:15,560
So now it's blinking red right in front of me.

7
00:00:15,600 --> 00:00:21,030
Guaranteed recording and I'm still as excited even the second time walking through this I'm so excited

8
00:00:21,060 --> 00:00:23,510
because this is what we've been building up for.

9
00:00:23,550 --> 00:00:29,910
This is everything we've been doing the scanning the enumeration even the Linux and the Python.

10
00:00:29,940 --> 00:00:33,810
This is all building up to this and now we're ready to exploit.

11
00:00:33,810 --> 00:00:39,330
We're going to get our first shell we're going to pop our first shell today and I'm so excited for both

12
00:00:39,330 --> 00:00:40,020
of us.

13
00:00:40,050 --> 00:00:45,990
So what we're gonna do is we're going to run Metasploit for this one and Metasploit it's a little bit

14
00:00:46,030 --> 00:00:50,760
automated but that's OK in the next video we're gonna go ahead and cover it manually.

15
00:00:50,760 --> 00:00:57,690
So what we're going to do is we're going to attack SMB here and with SMB what we're gonna do is if you

16
00:00:57,690 --> 00:01:02,460
don't remember search like Samba 2.2.

17
00:01:02,460 --> 00:01:09,340
We found Samba 2.2.1a we searched around we went out to the interwebs we did

18
00:01:09,340 --> 00:01:19,810
searchsploit and we kept seeing this trans2open show up like here and here here here all down here right repeatedly

19
00:01:20,230 --> 00:01:23,620
and it meets the criteria everything seems to make sense.

20
00:01:23,740 --> 00:01:26,960
It had that IPC anonymous connection as well.

21
00:01:27,040 --> 00:01:32,690
So I think I think this is a winner and we're gonna go ahead and give it a try.

22
00:01:32,740 --> 00:01:37,760
So I'm going to copy this and we're going to go ahead and type in msfconsole and load up Metasploit

23
00:01:39,810 --> 00:01:44,790
once Metasploit loads we're gonna go ahead and just search for this guy and see if we can't find

24
00:01:44,790 --> 00:01:50,700
it now we know it exists because we did find that handy dandy Rapid7 website that said it did.

25
00:01:51,000 --> 00:01:59,010
So we're going to search it here and we're given four options now these are all operating systems here

26
00:01:59,370 --> 00:02:08,280
but we have been good enumerators and good investigators researchers information gatherers etc. We could

27
00:02:08,280 --> 00:02:13,260
have willy nilly just saw 139 said hey I'm going to try to find exploits against it and

28
00:02:13,260 --> 00:02:17,410
never looked at any other ports but that's not us we went out to port 80.

29
00:02:17,430 --> 00:02:21,360
We saw that it was running Red Hat we discovered Linux on the machine.

30
00:02:21,360 --> 00:02:26,940
So we know we're going to pick the Linux module so we're gonna say use one as that corresponds to this

31
00:02:26,940 --> 00:02:35,060
module here and then we're gonna type in options and all we have to do is set RHOST.

32
00:02:35,160 --> 00:02:39,960
So remember RHOST stands for remote host or the victim that we're attacking.

33
00:02:39,960 --> 00:02:50,450
So we're going to say set RHOSTS and 192.168.57.134 and we're going to say options one

34
00:02:50,450 --> 00:02:54,560
more time make sure that that actually set in there and it did.

35
00:02:54,560 --> 00:02:58,360
Now one thing I'd like to do is type in show targets.

36
00:02:58,370 --> 00:03:02,930
Now there are no targets here but as you're going to see later on in the course there are often targets

37
00:03:02,930 --> 00:03:04,510
that we have to pick from.

38
00:03:04,520 --> 00:03:08,000
Not always is the first choice that's auto selected right for us.

39
00:03:08,210 --> 00:03:10,180
But in this instance there's only one choice.

40
00:03:10,250 --> 00:03:11,830
So it's the right choice.

41
00:03:11,870 --> 00:03:13,380
So now we have two options.

42
00:03:13,460 --> 00:03:19,580
Both are going to do the same thing for us like you type in run or we could type in exploit if we want

43
00:03:19,580 --> 00:03:20,330
to be cool.

44
00:03:20,330 --> 00:03:26,400
I want to be cool it's open next play so we're gonna run this and it's going to start this brute force

45
00:03:26,400 --> 00:03:30,320
attack here and it's going to start opening shells and closing shells what is going on.

46
00:03:30,870 --> 00:03:33,090
So let's Control-C if yours is doing this.

47
00:03:33,090 --> 00:03:35,810
Go ahead and Control-C interrupt this.

48
00:03:35,820 --> 00:03:36,960
Let's talk about what's happening.

49
00:03:38,340 --> 00:03:40,560
So you see it's trying this brute force attack.

50
00:03:40,560 --> 00:03:43,490
It's trying different different return addresses here.

51
00:03:43,530 --> 00:03:47,800
And finally it lands the one that works and it says hey I'm going to send this stage.

52
00:03:47,820 --> 00:03:48,810
This is always a good sign.

53
00:03:48,810 --> 00:03:50,580
By the way sending the stage.

54
00:03:50,580 --> 00:03:57,320
Then it says hey I've got this Meterpreter session open because our payload has worked.

55
00:03:57,480 --> 00:04:01,340
And then this Meterpreter session closed reason died.

56
00:04:01,350 --> 00:04:02,570
That's not good.

57
00:04:02,580 --> 00:04:04,910
So it keeps going through over and over and over and over.

58
00:04:04,910 --> 00:04:06,840
And it is dying.

59
00:04:06,840 --> 00:04:07,860
What is going on.

60
00:04:08,700 --> 00:04:13,680
Well we've talked about this let's go into options again now.

61
00:04:13,820 --> 00:04:19,400
You don't see this the first time you do it but you see it the second time because Metasploit says hey

62
00:04:19,430 --> 00:04:20,910
if your payload's not working.

63
00:04:20,930 --> 00:04:26,120
Maybe the payload is the issue and I'm going to give you payload options this time around.

64
00:04:26,120 --> 00:04:28,560
Now we see payload options here in the middle.

65
00:04:28,730 --> 00:04:30,320
That wasn't there before.

66
00:04:30,500 --> 00:04:37,830
We can see that we're running Linux x86 meterpreter forward slash reverse underscore TCP.

67
00:04:37,970 --> 00:04:38,870
What does that mean.

68
00:04:39,200 --> 00:04:42,220
Well that means that we are running a staged payload.

69
00:04:42,260 --> 00:04:48,170
Couple of other things to note while we're in here we see LHOST that is the opposite of RHOST

70
00:04:48,170 --> 00:04:48,920
LHOST is us.

71
00:04:48,940 --> 00:04:50,540
We are the listening host.

72
00:04:50,540 --> 00:04:55,450
So we sit here and we have our IP address sometimes it auto selects correctly.

73
00:04:55,450 --> 00:04:56,570
Sometimes it doesn't.

74
00:04:56,570 --> 00:04:58,040
In this case it did.

75
00:04:58,190 --> 00:05:01,980
And then we have the LPORT which is by default all fours.

76
00:05:02,300 --> 00:05:03,980
So that's fine for now.

77
00:05:03,980 --> 00:05:08,660
It's fine for these lessons when you get into actually running this in the wild.

78
00:05:08,930 --> 00:05:14,390
All fours is probably going to get you picked up pretty quick because this is a default Meterpreter

79
00:05:14,450 --> 00:05:14,840
port.

80
00:05:15,080 --> 00:05:22,150
So some connection sees a or some antivirus or detection software sees 4444 open up.

81
00:05:22,280 --> 00:05:24,200
This is going to trigger an alarm here.

82
00:05:24,410 --> 00:05:29,400
But anyway for this course you're not going to need to worry about too much right now.

83
00:05:29,410 --> 00:05:31,370
We're going to go ahead and set a payload.

84
00:05:31,450 --> 00:05:32,800
We're going to say set payload.

85
00:05:33,430 --> 00:05:35,500
And how do we know what payload to pick.

86
00:05:35,530 --> 00:05:41,770
Let's just start typing out Linux and hit tab and it auto tabs out the x86 part for us and let's just

87
00:05:41,770 --> 00:05:44,660
hit double tab.

88
00:05:44,680 --> 00:05:44,890
All right.

89
00:05:44,920 --> 00:05:46,180
Now a double tab.

90
00:05:46,210 --> 00:05:46,810
That's great.

91
00:05:46,810 --> 00:05:48,220
Look at the payload options we have.

92
00:05:48,220 --> 00:05:55,330
We've got a bunch now we've got a bunch of Meterpreters but unfortunately they're all staged payloads

93
00:05:55,330 --> 00:05:56,150
here.

94
00:05:56,170 --> 00:05:57,750
I love a good Meterpreter shell.

95
00:05:57,790 --> 00:06:00,700
And you guys will understand why as we move forward.

96
00:06:00,790 --> 00:06:04,050
But as of right now it doesn't look like we're gonna be able to use one.

97
00:06:04,330 --> 00:06:10,120
We come over to this right column here you can see that we've got other shells as well and we come down

98
00:06:10,150 --> 00:06:11,590
and finally down here.

99
00:06:11,620 --> 00:06:18,400
We've got a few options that are non staged so let's go ahead and try this shell reverse underscore

100
00:06:18,410 --> 00:06:26,220
TCP right here and you could just start typing that out and that should auto tab complete for you

101
00:06:27,000 --> 00:06:28,880
go ahead and hit enter.

102
00:06:29,220 --> 00:06:33,060
Hit options one more time to make sure that this actually works.

103
00:06:33,060 --> 00:06:40,550
You can see here that it actually picked up and now let's go ahead and try to run this and let's see

104
00:06:40,550 --> 00:06:45,460
if it happens fingers crossed a look at that.

105
00:06:45,470 --> 00:06:49,790
So we've got a shell now and this is Command shell session of five.

106
00:06:49,880 --> 00:06:56,210
Let's try whoami root hostname captures level one.

107
00:06:56,270 --> 00:07:03,500
We have successfully rooted this machine root is the commander of the system we cannot go any deeper

108
00:07:03,500 --> 00:07:04,010
than this.

109
00:07:04,010 --> 00:07:05,940
We own this machine.

110
00:07:06,080 --> 00:07:07,950
Hands down it's our machine.

111
00:07:07,970 --> 00:07:09,810
So congratulations.

112
00:07:09,980 --> 00:07:10,990
You have made it this far.

113
00:07:10,990 --> 00:07:13,490
This is your first rooted machine.

114
00:07:13,490 --> 00:07:14,600
You should be very proud.

115
00:07:14,600 --> 00:07:16,380
Pat yourself on the back.

116
00:07:16,460 --> 00:07:17,830
You're awesome.

117
00:07:17,840 --> 00:07:24,650
So from here we're going to go ahead and we're going to focus on port 80 and 443 and how we can exploit

118
00:07:24,650 --> 00:07:29,490
those manually and then we'll move on to some other exploitation techniques.

119
00:07:29,570 --> 00:07:31,240
But for now congratulate yourself.

120
00:07:31,250 --> 00:07:33,650
You have your first shell.

121
00:07:33,740 --> 00:07:35,250
I'm very excited for you.

122
00:07:35,330 --> 00:07:38,990
So I'll catch you over in the next video as you start some manual exploitation.
