00:04
All right. So our next task, then, is to actually build the package. Now that we've modified some of the files, created the payload,
00:11
and they're all in the proper folders
00:13
that the package
00:14
build process expects, we can actually build, or rather rebuild, this package so that we can then have it sent to the victim
00:25
by putting it into the proper folder
00:28
of my web server running on my Kali instance.
00:32
All right, so I'm going to run the dpkg-deb
00:37
command, and I tell it I want to build,
00:42
and then I tell it the folder where the
00:46
package files are located
00:53
and the folder I have to use is workdir; that's where I have put everything.
01:00
So it went and found this folder and created a package called workdir.deb.
01:08
I don't really want to
01:12
leave that name, so I'm going to rename this,
01:17
and I could just call it something simple like xbomb.deb.
01:23
Now this xbomb.deb file needs to be put into the proper folder.
01:30
And so what I can do is copy it
01:38
to /var/www/html.
01:41
This should be the default root of
01:44
my Apache web server instance running on my Kali instance,
01:51
and I already have the web server running.
01:57
I can double check that
02:00
by going to my localhost, and there's my
02:01
default page. So that's good. You always want to double check that that's in place before you
02:07
try to do this work.
02:12
All right, so I already ran my msfconsole command,
02:22
the handler for the shell.
02:25
So, as a quick review: msfconsole, we ran it in quiet mode.
02:30
The command I'm executing with -x tells it to use the multi/handler
02:36
with this particular payload for a Linux reverse shell.
02:39
And then I simply tell it what my local host address is, what my local port is, and that it runs the exploit. Now we can see that it's listening on this IP address on this port.
02:53
Then on my victim machine,
02:54
what I need to do here is to actually get the file,
03:02
which would be, you know, the same as
03:07
the link that you would present to the victim.
03:09
And I know that it's called xbomb.deb.
03:14
So I would have to create a link that has the same text,
03:19
and we can see that it's connected to the web server.
03:23
Notice it connected. The port really doesn't matter,
03:27
because it's a non-SSL page;
03:32
port 443 is for the reverse shell.
03:35
And we want to use a port that is
03:38
commonly seen so that it doesn't look suspicious.
03:43
All right, so now the victim has the file on their machine,
03:46
and what I can do is go ahead and install it
03:55
by running dpkg -i, for install.
04:02
So it gives me a message saying it couldn't open my display. That's nothing too much to worry about.
04:09
The user probably would
04:11
try to figure out why that's happening,
04:14
but we can see,
04:19
back on the attacker machine,
04:25
a connection to the victim machine, and I've got a command shell open between the victim and myself.
04:31
Notice it doesn't give me a prompt or anything of that nature, but I can type some simple commands to verify that I am indeed connected.
04:39
The id command tells me I am logged in as root,
04:46
and because I'm root, I can run any commands I like.
04:49
For instance, I'm looking at
04:53
the root file system on that remote system. I can run the ifconfig command to double check,
04:59
indeed, that I am on .128.
05:01
That is the victim's machine.
05:04
So there are a few steps that we had to go through here. We first had to download the package. We had to extract it to get the directory structure into a local folder which we could work from.
05:18
Then I had to modify
05:21
or create a couple of
05:30
the files that are also needed,
05:34
and those were the control script,
05:36
which I will just review real quick.
05:40
It just gives the parameters for the package itself,
05:43
and then the postinst, which changes the
05:47
and properly tries to run the game
05:51
as it's built, when you do the install.
05:56
And then on the victim machine, we gave them a link which would have
06:00
included this information. They downloaded the file and tried to install it,
06:05
and we get our root shell.
06:09
And once you have the root shell, then you could do things like trying to maybe use other tools
06:15
to create a permanent presence, like netcat, for instance. You could run a netcat listener
06:21
and try to give yourself a shell on a permanent basis, so that you could return to this victim machine any time you wish.
06:32
You can see it's a Debian 8, and so I no longer need this shell right now, so I'm just going to go ahead and log out,
06:41
and I get back to my prompt. I hope you enjoyed this demonstration.
06:45
Stay tuned for the next segment, where we'll
06:48
try to do something similar with a Windows system.