Part 7 - Remote Desktop Access with getgui

00:04

Okay, So now we've installed a persistent backdoor to our victim's system, and I showed you how to connect to it using Net cat. Another option that you can use is to just simply tell that

00:15

to that victim's system on the specified port.

00:21

It's for 45 And so there we go again. I am

00:27

connected as an administrator on this system.

00:31

Torment is a little bit easier to use the Net cat. Perhaps we may be more familiar with it, but you have two options.

00:37

Could you net cat dash V or simply just do it telling that.

00:42

Okay, uh, what I'm gonna do now is just a review

00:47

getting to the system level account

00:49

because we've done a bunch of models since that happened. And you may have

00:53

been disconnected, or you had to stop your work and reboot the system so on. So I'll just go through this process again so that you can

01:03

see one more time how that was done.

01:06

All right,

01:07

go back into your meself, counsel.

01:15

First thing we need to do is

01:19

start up our handler, so we'll do a use multi.

01:23

Sorry, I'm remembering myself. Use multi

01:30

handler.

01:33

My options should still be in here from last time,

01:36

and some of my local host is 1 29 and on port 4444

01:41

So I can just run, exploit

01:45

then on the victim's system.

01:48

They have to run the secret photos binary, which we move to their system. As I mentioned before, you probably would want to put this into a startup folder or some other location, maybe in a registry key, like we did with the Net cat listener

02:02

that we'll always be running

02:05

and you just waiting for a connection. It's better to have listener running first before starting the program. It seems to be well reliable that way. It probably will still connect, but it's not as predictable.

02:16

So go ahead and start that

02:20

switch back to Cali and we see that I've got my interpreter shelf.

02:23

And as you'd expect, I am administrator. But I'm not a system

02:29

level account, so

02:30

I need to put this process into the background

02:37

and I'll do a search for bypass USC.

02:42

That's the one we want,

02:52

and my options are set. As before.

02:55

Let's make sure my session number is still shut. Session number one you have to make sure of that because you do have to bind this to the correct session. If you've got multiple sessions open,

03:05

you need to double track.

03:07

You're setting so that you

03:10

connect

03:13

this exploit to the to the session that you want.

03:15

All right, so, otherwise that make sure you specify your local host. Make sure you pick a different port

03:22

just to keep the sessions separate. A different ports better.

03:25

Uh, I've picked 5555 But choose whatever you like.

03:30

And now it can run, exploit

03:36

and the bypass user account controls running. I get a second

03:39

interpreter show,

03:42

so it's open. Obsession number two.

03:45

I'm still

03:46

a demonstrator,

03:49

but now I can run, get system.

03:53

And once that happens now I am the system love. Look up. OK, so that's our starting point for the last several modules and just a refresher to make sure we're all on the same page here.

04:05

All right, so for our next task, since we know we've got the

04:09

Annette cat back door, why not try to get remote desktop

04:13

running? Wouldn't that be something nice?

04:15

Hopefully

04:17

there is a command called Get Gooey, which is part of the interpreter show,

04:26

and we can specify username and password

04:30

or just turned that remote desktop on

04:33

couldn't afford the connection.

04:35

But the beautiful thing is that I can literally create a username and password to log into the system with which is pretty powerful stuff, if you think about it.

04:44

So I'm gonna go ahead and

04:46

use run, get gooey

04:48

for the user name. I'll call this our victim to password password, too.

04:59

And we can see that an additive user with this password

05:03

hidden from the windows log in screen it added me to the group remote desktop users.

05:09

And Victim two was also a part of the administrators group

05:13

because I'm a system level,

05:15

uh, shell access. Right now, I'm allowed to make those changes to the victim's system.

05:20

Also, it specifies a cleanup script.

05:24

This cleanup script the least the last portion here will get generated

05:29

each time you you run, get gooey, so make sure your copy and paste this exact

05:34

text when you want to do your cleanup.

05:39

All right, So in the meantime,

05:42

what I want to do is,

05:43

uh, open a

05:46

a new command shell

05:47

shift control T.

05:49

And from here, I can run our desktop, which is the built in Cali Lennox tool for

05:57

remote desktop connections.

05:59

User name is victim, too.

06:00

Password is password, too.

06:03

And then I specified in the I P. Address.

06:13

So one thing to be aware of this is a Window seven client. So that means that I can only connect a single user to the console at one time. If I was running a server or less like server 8 36,012 perhaps

06:28

then I would be able to get multiple connections. So it's gonna give me a message saying, If I continue, I will disconnect that that user

06:38

from the system.

06:39

So let's go ahead and do that

06:49

now, on the victim's system,

06:51

this is kind of tricky, right? Are you going to allow someone to connect your machine up with unexpected

07:00

session? Maybe, maybe not. Maybe someone's just

07:03

just see some hop up and just clicks, OK, absent mindedly. So this part of it could be a little bit tricky. You probably would have to combine this with some social engineering

07:13

to convince the, uh

07:15

the person that you're trying to connect that rather to convince the victim that the person who's trying to connect is

07:23

helps it hope to ask or tech support.

07:26

And there we go. There is my

07:29

remote desktop on the victim's system.

07:33

It's giving me a message about CeCe internals,

07:38

but this is the same system I was just launched into

07:44

pretty cool.

07:46

And as we can see, if I run,

07:49

come in a show.

07:53

I am indeed, uh,

07:56

victim, too,

07:57

as we saw before that victim to identity or that log in is part of the administrators group.

08:05

All right, I'm gonna go ahead and long off.

08:13

Now, back on my

08:16

interpreter show, you noticed I'm still connected. Everything's fine. Nothing's changed there

08:20

cause this is a using a different ports, not using the same courts. That remote desktop would you? So it's completely separate.

08:26

But if you wantto be careful about covering their tracks, as I've mentioned several times before, we really should run

08:33

the cleanup script.

08:37

You make an error message when you run this,

08:39

Uh, can I found the file specified? I think it's it's, uh, probably a problem with this registry key. The way it's it's detailed in the script,

08:50

but I'm pretty sure it's still helping to clean up some tracks.

08:54

In fact, what we could do

08:58

is log in and just do a search for victim, too,

09:01

and see if it's ah

09:05

if it's in the registry. Still,

09:07

that would be a good

09:09

test.

09:13

So run, run at it.

09:16

Registry editor

09:18

and I could just do a control. F.

09:20

Here's the registry key that we put in for the Net Cat listener

09:26

that was doing a search for Net Cat to make sure that worked.

09:30

And I will do a search for victim, too.

09:35

Okay, Looks like it did not do the clean up proper. So that's the cleanup script. May I have a bug in it?

09:39

Or it's possible that it's got some compatibility issues with Windows 7 32 bit.

09:46

Either way,

09:48

that is there. That doesn't leave behind a little bit of evidence. If you were trying Thio cover your tracks

09:54

but still pretty powerful technique, regardless, because having a remote desktop allows youto interact completely with that victim systems at as if you were sitting right in front of it.