Okay, so now we've installed a persistent backdoor on our victim's system, and I showed you how to connect to it using netcat. Another option that you can use is to simply telnet to that victim's system on the specified port. It's for 45, and so there we go again: I am connected as an administrator on this system.

Telnet is a little bit easier to use than netcat. Perhaps we may be more familiar with it, but you have two options: you could do netcat -v, or simply just telnet.
Okay, what I'm gonna do now is just a review of getting to the system-level account, because we've done a bunch of modules since that happened, and you may have been disconnected, or you had to stop your work and reboot the system, and so on. So I'll just go through this process again so that you can see one more time how that was done.
Go back into your msfconsole. The first thing we need to do is start up our handler, so we'll do a use multi... sorry, I'm reminding myself: use multi/handler. My options should still be in here from last time, and my local host is 129 and on port 4444. So I can just run exploit.
Then, on the victim's system, they have to run the secret photos binary, which we moved to their system. As I mentioned before, you probably would want to put this into a startup folder or some other location, maybe in a registry key like we did with the netcat listener, so that it will always be running and just waiting for a connection. It's better to have the listener running first before starting the program. It seems to be more reliable that way. It probably will still connect, but it's not as predictable. So go ahead and start that.
Switch back to Kali and we see that I've got my Meterpreter shell. And as you'd expect, I am administrator, but I'm not a system-level account, so I need to put this process into the background, and I'll do a search for bypassuac. That's the one we want, and my options are set as before.

Let's make sure my session number is still set. Session number one; you have to make sure of that, because you do have to bind this to the correct session. If you've got multiple sessions open, you need to double-check your settings so that you bind this exploit to the session that you want. All right, so otherwise make sure you specify your local host. Make sure you pick a different port, just to keep the sessions separate; a different port is better. I've picked 5555, but choose whatever you like.

And now I can run exploit, and the bypass user account control is running. I get a second session, so session number two is open, and now I can run getsystem. And once that happens, now I am the system-level account. OK, so that's our starting point for the last several modules, and just a refresher to make sure we're all on the same page here.
All right, so for our next task, since we know we've got the netcat backdoor, why not try to get Remote Desktop running? Wouldn't that be something nice? There is a command called getgui, which is part of the Meterpreter shell, and we can specify a username and password, or just turn Remote Desktop on and forward the connection. But the beautiful thing is that I can literally create a username and password to log into the system with, which is pretty powerful stuff, if you think about it.

So I'm gonna go ahead and use run getgui. For the username, I'll call this one victim2, password password2. And we can see that it added a user with this password, hidden from the Windows login screen; it added me to the group Remote Desktop Users, and victim2 was also a part of the Administrators group. Because I'm a system-level shell right now, I'm allowed to make those changes to the victim's system.

Also, it specifies a cleanup script. This cleanup script, at least the last portion here, will get generated each time you run getgui, so make sure you copy and paste this exact text when you want to do your cleanup.
All right, so in the meantime, what I want to do is open a new command shell: Shift+Ctrl+T. And from here I can run rdesktop, which is the built-in Kali Linux tool for remote desktop connections. Username is victim2, password is password2, and then I specify the IP address.
So one thing to be aware of: this is a Windows 7 client, so that means that I can only connect a single user to the console at one time. If I was running a server OS, like Server 2008 or 2012 perhaps, then I would be able to get multiple connections. So it's gonna give me a message saying that if I continue, I will disconnect that user from the system. So let's go ahead and do that. Now, on the victim's system,
this is kind of tricky, right? Are you going to allow someone to connect to your machine with an unexpected session? Maybe, maybe not. Maybe someone just sees something pop up and just clicks OK absent-mindedly. So this part of it could be a little bit tricky. You probably would have to combine this with some social engineering to convince the victim that the person who's trying to connect is the help desk or tech support.
And there we go. There is my remote desktop on the victim's system. It's giving me a message about Sysinternals, but this is the same system I was just launched into. And as we can see, if I run a command shell, I am indeed, as we saw before, that victim2 identity, or that login, which is part of the Administrators group. All right, I'm gonna go ahead and log off.
Now, back on my Meterpreter shell, you notice I'm still connected. Everything's fine; nothing's changed there, because this is using a different port, not the same port that Remote Desktop would use, so it's completely separate. But if you want to be careful about covering your tracks, as I've mentioned several times before, we really should run the cleanup script. You may get an error message when you run this, "cannot find the file specified." I think it's probably a problem with this registry key, the way it's detailed in the script, but I'm pretty sure it's still helping to clean up some tracks.
In fact, what we could do is log in and just do a search for victim2 and see if it's still in the registry. That would be a good... So run regedit, and I can just do a Ctrl+F. Here's the registry key that we put in for the netcat listener; that was doing a search for netcat to make sure that worked. And I will do a search for victim2. Okay, looks like it did not do the cleanup properly. So that cleanup script may have a bug in it, or it's possible that it's got some compatibility issues with Windows 7 32-bit. So that's there; that does leave behind a little bit of evidence if you were trying to cover your tracks.
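As an added defender-side check (not part of the course material), the PowerShell below audits a Windows host for the artifacts the getgui step leaves behind: an account hidden from the logon screen, membership in Remote Desktop Users and Administrators, RDP switched on, and the matching Security log events. The account name victim2 is taken from the lecture; the registry paths and event IDs are standard Windows ones, and the script assumes PowerShell 5.1 or later running as an administrator.

```powershell
# Added audit script: hunt for getgui-style artifacts on a Windows host.
# $Suspect defaults to the account name used in the lecture (assumption).
param([string]$Suspect = 'victim2')

$findings = @()

# 1. Accounts hidden from the Windows logon screen (each value name is an account)
$ulKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $ulKey) {
    (Get-Item $ulKey).Property | ForEach-Object {
        $findings += "account hidden from logon screen: $_"
    }
}

# 2. Membership of the two local groups getgui adds the new user to
foreach ($group in 'Remote Desktop Users', 'Administrators') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$Suspect" } |
        ForEach-Object { $findings += "$Suspect is a member of '$group'" }
}

# 3. Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop connections are enabled'
}

# 4. Security log: 4720 = user account created, 4732 = member added to a local group
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732
                                 StartTime = (Get-Date).AddDays(-7) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Suspect) } |
    ForEach-Object {
        $findings += "event $($_.Id) at $($_.TimeCreated): $($_.Message.Split("`n")[0])"
    }

# Report: one warning per finding, or a clean message
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "no getgui-style artifacts found for '$Suspect'" }
```

Run it on the victim VM after the cleanup script to confirm whether the hidden-account entry and group memberships were actually removed, which is the same question the regedit search above is asking.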
But it is still a pretty powerful technique regardless, because having a remote desktop allows you to interact completely with that victim system, as if you were sitting right in front of it. All right, that's it for this section. We'll see you in the next one. Thank you.