Okay, so let's get into discussing Meterpreter.
It's kind of interesting. It has a Metasploit
feel to it, and Meterpreter is a payload
that once it's delivered, you get a very highly functional shell on that remote system, and you can do all kinds of other things. Meterpreter basically only
will exist in memory on the target system,
so this gives you a lot of stealth options as well, since you're not necessarily writing to disk if you're careful and you're choosing the correct options.
So I've got my Metasploitable instance
already booted up. I know that there's a particular vulnerability, which I'm just going to exploit really quickly. We can explain a little bit more about it later,
but for the sake of demonstrating the Meterpreter shell, I'm gonna go ahead and connect.
I'm back, and I'm good in my Metasploitable workspace. Now I know that Metasploitable has a Postgres database,
just like Kali does, actually,
and lucky for us, through some experimentation and scanning,
I've discovered that the default
login and password for Postgres is in place,
and that means that the username and password are both postgres. Ah, a lot of software applications will do this.
You install the software, a database, a web server, what have you, and you get a default credential set.
So what I'm gonna do is
do a quick search for Postgres exploits,
because I'm not sure if I remember exactly what the exploit is called.
I've got a nice window here,
and I believe the one that I want is this guy right here, the postgres payload.
As we can see, this is rated as excellent,
so that gives me a good idea that the
payload will work.
One thing I want to do beforehand is do a setg for my remote host,
so that we don't have to type this in every time.
I know that my Metasploitable instance
is .129 something. Go ahead and do that.
You could do set -g, if you wish. I think setg is just a little bit easier to deal with.
Okay, so now I want to use this particular exploit. I'll type my use command
and copy and paste this.
Now I'm in the context of the postgres payload.
So if I show my options,
I can see that it's got a default database to search,
rather, for authentication purposes,
and my username is already pre-populated with postgres.
I know that the password is supposed to be
postgres based on my research,
so what I can do is I can set...
Another thing I meant to point out earlier is that you noticed, for the options for each module, they are not case sensitive.
Your entries, the settings, are case sensitive. If I put in something that's upper case and it's supposed to be lower case, it's always... that's not gonna work.
My password, I know that it's supposed to also be postgres. I'll go ahead and set that.
If I verify my options, I can see that everything looks good to go.
I notice that the target is showing me a Linux x86, which is good because that's appropriate for this particular...
I could also check to see if there's any advanced options, and there are.
We don't need any of these for this particular exploit, but it's good to just poke around when you're looking at an exploit to see what its
capabilities are. Targets:
you see the x86 or 64-bit x86. I've got two different options there,
but the one I've got selected should work. So I'm gonna go ahead and type exploit.
You can run as well, as a command too,
uh, to actually execute the exploit.
I like exploit better because it's more descriptive. Okay, so let's look at what we have here.
I started my reverse handler on my local system.
So I'm listening, my Kali instance is listening on port 4444.
So that's what my, uh,
local port will be. It's not shown here in my options. It's pre-defined as part of the exploit.
Some of them are like that. You just have to explore each exploit as you use it in order to find the right one.
So we've connected to the target system on port 5432. This is also the default port that Postgres listens on,
and we can see that we've got a banner grab.
So I've got some really good information here. I know this is Postgres version 8.3.1,
I can see that it's running on Linux,
and I can see a kernel, uh, information here, Ubuntu 4.2.3.
So I'm also getting some good information about the target, in addition to being able to connect.
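As an added defender's example (not part of the transcript or of Metasploit), here is a small Python check for what this walk-through looks like from the database server's side: a login as the postgres superuser from a remote host, authorized against template1 (assumed here to be the module's default database; the transcript only says "default database"). The log lines, pids, hosts, log_line_prefix and the trusted-network list are all constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed PostgreSQL server log lines (not from the transcript). The
# log_line_prefix is assumed to be '%t [%p] ', so the backend pid ties the
# 'connection received' line (which names the client host) to the later
# 'connection authorized' line (which names the user and database).
SAMPLE_LOG = """\
2023-05-01 10:00:01 UTC [4120] LOG:  connection received: host=127.0.0.1 port=50412
2023-05-01 10:00:01 UTC [4120] LOG:  connection authorized: user=webapp database=shop
2023-05-01 10:01:40 UTC [4150] LOG:  connection received: host=[local]
2023-05-01 10:01:40 UTC [4150] LOG:  connection authorized: user=postgres database=postgres
2023-05-01 10:03:17 UTC [4188] LOG:  connection received: host=192.168.56.131 port=41022
2023-05-01 10:03:17 UTC [4188] LOG:  connection authorized: user=postgres database=template1
"""

RECEIVED = re.compile(r"\[(\d+)\] LOG:  connection received: host=(\S+)")
AUTHORIZED = re.compile(r"\[(\d+)\] LOG:  connection authorized: user=(\S+) database=(\S+)")

# Assumption: only loopback (and unix-socket '[local]') clients may log in as
# a superuser; any other source host is reported.
ADMIN_NETWORKS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]
SUPERUSERS = {"postgres"}

def is_admin_host(host):
    if host == "[local]":
        return True
    try:
        return any(ip_address(host) in net for net in ADMIN_NETWORKS)
    except ValueError:  # hostname or malformed value: treat as untrusted
        return False

def find_remote_superuser_logins(log_text):
    """Return (pid, host, user, database) for every superuser login whose
    client host is outside ADMIN_NETWORKS."""
    host_by_pid = {}
    hits = []
    for line in log_text.splitlines():
        m = RECEIVED.search(line)
        if m:
            host_by_pid[m.group(1)] = m.group(2)
            continue
        m = AUTHORIZED.search(line)
        if not m:
            continue
        pid, user, db = m.groups()
        host = host_by_pid.get(pid, "unknown")
        if user in SUPERUSERS and not is_admin_host(host):
            hits.append((pid, host, user, db))
    return hits
```

Run against SAMPLE_LOG it reports only the .131 login; the local webapp and unix-socket postgres logins are left alone, and a hit for the superuser against template1 from an unexpected host is exactly the moment to check whether the default credential is still set.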
So, uh, I've transmitted my stager.
And if you remember from our previous discussion, the stager is
a component of the exploit that helps you to... and
then the stage itself
gets sent. So we see that there's, ah,
1.049 meg worth of data
in the stage, and the stage, actually, is the
the piece, the component of the exploit that actually builds a connection.
Now I can finally see that I've opened my Meterpreter session,
my remote system, or rather my local system .131 to the remote system .129.
And of course, we know that Meterpreter works because I've got, um, a Meterpreter prompt now.
Like you would expect, I can type the help command
to see what options I've got available within Meterpreter, and there's quite a few here.
Look for the majority of these throughout our course. I would expect that you would poke around and try some of these options on your own as well, because you want to understand what Meterpreter can do for you.
But some really easy things to think about.
Uh, one of the commands that I always like to
to think about early in the session is to use the background command,
put a session in the background and then return to it later.
So I can run background.
So it tells me session one has now been sent to the background, and this is good because now the session is still alive, but I can get back to the context of my exploit if I want to run some other commands.
For instance, I can run the sessions command,
and this shows me my active sessions. I may have multiple sessions active with different systems at any given time, or even multiple sessions active with the same target system.
I can see I've got a session ID here, session ID of one.
It tells me the type of shell
and some other information
about the system and my connection itself.
Now, if I want to go back into interacting with this session, with the sessions command, er, with this session,
you'll notice I can use the -i option.
I can kill my sessions, I can list them and so on. I can run scripts or some other advanced features, but for right now, what I want to do
is go back to the session I've already created. I'll do a sessions -i
with the one, because that's my session ID.
Now I'm back in my Meterpreter shell.
Once I'm in the Meterpreter shell, I can do lots of different things.
My core commands, I already showed you background.
I can also kill scripts
that are running in the background. I could list scripts running in the background, I can close channels,
I can look at info about a particular module,
I can load more extensions into my Meterpreter. So this is a beautiful thing about Meterpreter: it acts as sort of a toehold on that remote system. Once you've got connected with a Meterpreter shell, now you've got a very flexible and interactive environment to bring other information in, other tools and auxiliary modules, and so on,
or extensions. I can do those things in order to enhance my ability to
interact with this system.
I can still use and load modules and extensions just like you'd expect.
I can even interact with the file system. I can cat a file.
Let's first see what I'm running under.
Oh, I'm thinking I'm in a command line shell. That's why I'm...
the wrong commands there.
But one thing I can do is try to see if I can look at, for instance, at maybe I've
tried to compromise the system and now I want to see if I can look at the password file.
So you can see I've been able to look at this
password file. It has, uh,
some information that might be useful,
but it really doesn't have any...
And so I'm trying to run cat shadow, or trying to show the, that's the shadow file,
and that's not letting me do that. So I may not have
the permission that I would like.
One thing I can do, however, once I've got the Meterpreter shell established,
is I can run the shell command to try to get a command shell. You'll notice I'm not root on this command shell. So that's why I could not run that.
I am logged in as postgres, which we saw from the
options that we set up originally.
Well, go ahead and exit that command shell. I don't need to be there.
Control-C to terminate that channel. My Meterpreter shell is still valid, but that command shell that I launched
is now terminated.