00:03
>> Our next task then is to actually build the package. Now that we've modified some of the files, created the payload, and they're all in the proper folders that the package build process expects, we can actually build, or rather rebuild, this package so that we can then have it sent to the victim by putting it into the proper folder of my web server running on my Kali instance. I'm going to, in the dpkg-deb command, [NOISE] store what I want to build, and we're going to tell it the folder where the package files are located. I forgot, I have to use workdir; that's where I put everything. I went again and found this folder, and Kali created a package called workdir.deb. I don't really want to leave it that name, so I want to rename this, and I can just call it something simple like xbomb.deb. The file needs to be put into the proper folder, and so what I can do is copy xbomb.deb to /var/www/html. This should be the default root of my Apache web server instance running
>> on my Kali system.
>> I already have the web server running. I can double-check that by just going to my localhost, and there's my default page, so that's good. I just want to double-check that that's in place before you try to do this work. I already brought up my msfconsole command to start the handler for the shell. As a quick review, msfconsole runs in quiet mode; the command I'm executing is the -x, telling it to use the multi handler with this particular payload for a Linux reverse shell. Then I just simply tell it what my local host address is, what my local port is, and then it runs the exploit. Now I can see that it's listening on this IP address, on this port. Then, my victim machine. What I need to do here is to actually get the file, so I can run wget, which would be the same as the link that you would present to the victim. I know that it's called xbomb.deb, so that would have to create the link that has the same text. We can see that it connected to the web server. Notice it connected on port 80; that really doesn't matter because it's a non-SSL page. The reverse shell, and we want to use a port that is commonly seen
>> so that it doesn't look suspicious.
>> Now the victim has the file on their machine. What I can do is go ahead and install xbomb.deb by running dpkg -i, for install, xbomb.deb. It gives me an error message saying it couldn't open my display; that's not really a thing to worry about too much. The user probably would try to figure out why that's happening. But we can see back on the attacker machine: the stage was sent to the victim machine, and I've got a command shell open between the victim and myself. Notice it doesn't give me a prompt or anything of that nature, but I can type some simple commands to verify that I'm indeed connected. The id command tells me I'm logged in as root, by that root group, and because I'm root, I can run any commands I like. For instance, I'm looking at the root file system on that remote system. I can run the ifconfig command to double-check indeed that I am on 128; that is the victim's machine. There are a few steps that we had to go through here. We first had to download the package. We had to extract it to get the directory structure in a local folder which we can work from. Then I had to modify or create a couple of the files that are also needed. Those were the control script, which I will just review real quick. It just gives parameters for the package itself, and then the post-installation, which changes the permissions and properly tries to run the game as it's built when you do the install. Then on the victim machine, we gave them a link which would have included this information. They download the file, they try to install it, and we'd get our root shell. Once you have the root shell, then you could do things like try to maybe use other tools to create a permanent presence, like Netcat for instance; you can run a Netcat listener and try to give yourself a shell on a permanent basis, like you can return to this victim machine anytime you wish. [NOISE] You can see it's a O.bian.8. I don't want to view the shell right now, so I'm just going to go ahead and log out, and I get back to my prompt. I hope you enjoyed this demonstration. Stay tuned for the next segment, where we'll try to do something similar with a Windows system. Thank you.