an introduction of medicine plate
are learning objectives are to understand what the medicine framework is and how to use it become familiar with, how to search for modules, select them and then read info about them
and demonstrate how to run exploit modules.
So the Mets Play framework as a framework written for pen testers and ruby. And we've been using python a lot, but this is written
in ruby and there's a great introduction on the offensive security website. So go to offensive security and you should see the course Medicine polite unleashed. It's free, but they do ask for a donation,
go through it. Uh So, so this is where you're gonna have to plan your strategy and you can use the medicine played a module once, with the exception of multi handler, which you've seen me use a few times for like R. A. S. P. Shell. Um but you can only use a module once auxiliary exploit or post against one target.
So a lot of people shy away from getting to know medicine Floyd. And I was just talking to someone about this last week where we both have oh SCP and we were saying, hey we don't really know a lot about medicine Floyd because you try to stay away from it in preparation for SCP because if you become too reliant on it,
then you don't know how to look for exploit code and modify it, which is all the great things that oh SCP tries to teach you. So when it came time for me to do E. C. P. P. T. I was I was really over my head and when I came time to pivot, I was really didn't know what to do.
So when it comes time for you to prepare and look at me despite
have a familiarity familiarity with it. Um so that you do know how to use it. And my hope is that I can teach you how to do that. You're not going to become an expert in medicine Floyd unless you really work towards it and want to.
But as long as you know the basics of it, you should be able to use it in. Oh SCP. And I can tell you one of the scariest moments is when you decide, hey, um I want to use medicine Floyd and it doesn't work
because that's happened to me and and you know, relax, Take a step back. Maybe it's your payload that is incorrect and you need to change it. Maybe it's not a bind shell. Maybe it's a reverse shell that you need. Um Or maybe it's not Lennox it's is windows or you need to change the target.
So that's why you need to know how or have some idea of how to use medicinally.
All right. So finding an exploit module you may do. You may see this when you're searching and exploit DB where you come across a service and you search for it and it says this. This module requires, requires medicine plate.
That's a clue. Right? It's in the medicine plate framework.
I've heard of some people who know SCP have taken the ruby code and changed it and not used medicinally, but have used the code itself. I don't know enough about ruby to do that, but just be aware that that you will know when you're searching for these vulnerable services
that this will pop up and it will be a clue that you can use medicinally.
But as you can see with the economy Konica Minolta vulnerability, you can use medicine or there's public exploit code. So in that case, I would definitely go with the public exploit code.
So starting medicine, what you seem to use MSF console from the command line a lot, you can also run the database and they talk about that in the municipal it unleashed um, course,
but you can off the bat run the database with M S F D B run it runs this database for you that keeps track of all the searches that you've done all the loot that you found. So I think it's beneficial to run um the database off the bat
search and info. So you can see here that I'm searching Konica Minolta,
it found three different modules, noticed the first one is zero. So in programming, you know, we start with zero, not one
and you can interact with it a few different ways. You could do you zero or use one or used to or you can spell the whole thing out.
So you could do use exploit Windows FTp, etcetera, etcetera. Or use to I think used to is a lot easier.
Also, when you select the module in that case, always run info. I like to know what the module does and you should know what the module does as well. Because again, when you go to write the pen test report and I keep harping on the pen test report,
this will help you explain what the exploit was that worked.
So now let's do a demo,
so many M S F D B run, You can see the database is already running. I've already started this up
and I'm going to do D B N Math
1921681-4 to 4. To attack an aggressive scan
that looks for like operate the operating system
um as well as our typical SVS C scan.
So they this may take a little bit. But the thing that this is doing is putting this host and what info it finds in the database. So if I type hosts now, they can tell me the Mac address the name and the oS of this system.
And we can also see the fact that Port 21 is open with Konica Minolta.
again, I see I have three different modules so I could copy this and paste it here. Or I can just do use to
So you'll see here no payload configured defaulting to Windows and interpreter, reverse TCP. And this is what I'm telling you is sometimes the export you've selected is correct. Is the payload that you have wrong? Maybe it's a bind shell and that doesn't work. Maybe reverse TCP but a bind shell works instead so you can try messing around with that too.
and read what this module does.
I can see what the target is
and it looks like I just need to set my our hosts
so you could probably tweak your targets. In some case it may be different. And here we just have one target, but in other cases it really depends on the version and the service pack of windows.
So I like to show targets as well. So we'll set our hosts to 1921681242.
You can either do exploit or run.
and if you want to set this in the background, if I just hit run now, then it runs through it. I'll get an interpreter Shell open. Say if I want to do some other things, I can do tak J and make it a job
and you'll see an interpreter opened and if I hit enter again, I'm still here in medicine plate and can do other things. If I didn't do the tack J, it would just open to um interpreter session.
So I'll show you what that looks like too.
Otherwise here, I could just do sessions
Let me exit out of this
and I'll do run this time was to exploit
without doing attack J.
So you'll see I go right to my interpreter session here and I do sys info
And pay attention. The architecture architecture for this host is X 64 and arm interpreters. X 86. That may give us some issues later on.
If we're not in Oh, SCP land, you know, if we're doing a CTF and we can keep using medicine Floyd,
We want to change our interpreter to the architecture of this machine so that we can do things like post exploitation where we can escalate privileges, there's a module for that. And if we have it as the wrong architecture, if we keep this X-86, it's not going to work correctly.
So what you can do is PS
And you want to pick a process that is X 64 and probably something that's stable.
So I see a lot of runtime brokers, let's migrate, we're gonna migrate to 64 to 8,
Migrate 6, 4- eight.
And that might happen sometimes when you try to migrate processes,
it dies, in which case you have to go back again.
And sometimes your exploits will kill the service, in which case you have to go back and restart the box.
So let's run this again,
I don't know, it's kind of like rolling the dice here,
So I was finally able to migrate to a process. Um it took me a little bit of time, but 8104 This smart screen is X 64. So now if I do sys info
I see my interpreter
Shell is X 64 and my architecture is X 64 and that will make things a lot easier for us now with post exploitation and interacting with the shell.
So again, you need to be careful using medicine ploy because you can only use one module. So people are very, very careful with medicine ploy not to do too much. Of course my display is very robust and there's a lot of things that you can use in this now to get loot and crack hashes and and find passwords and things like that. But
um that's why people don't get very familiar with medicine point, I would say in preparation for SCP because people are very careful, at least I was very careful um once I got a shell not to do anything that would be considered using another module uh and losing out because if you use more than one, you have zero points for that box.
So use it sparingly understand medicine Floyd
um at a level where you can use it like this, you can get a shell in a box.
But again, you know, I would be careful with uh with how much more you do
just because you don't want it to be considered using another module.
But if you are preparing for other things or or do Cts and hack the box and things like that,
you you can become more familiar with medicinally and should.
So in summary, we should now understand what the Medicine plate framework is and how to use it become familiar with, how to search for modules, select them and then read info about them as well as demonstrate how to run exploit modules.