00:04
Okay, so let's get into discussing Meterpreter.
00:10
It's kind of an interesting word. It has a Metasploit
00:16
feel to it, and Meterpreter is a payload
00:20
that, once it's delivered, gives you a very highly functional shell on that remote system, and you can do all kinds of other things. Meterpreter basically only
00:31
will exist in memory on the target system,
00:35
so this gives you a lot of stealth options as well, since you're not necessarily writing to disk if you're careful and you're choosing the correct options.
00:44
So I've got my Metasploitable instance
00:48
already booted up. I know that there's a particular vulnerability, which I'm just going to exploit really quickly. We can explain a little bit more about it later,
00:56
but for the sake of demonstrating the Meterpreter shell, I'm gonna go ahead and connect.
01:03
Here, back at the command line, which
01:07
I've got in my Metasploitable workspace. Now I know that Metasploitable has a Postgres database,
01:15
just like Kali does, actually,
01:19
and lucky for us, through some experimentation and scanning,
01:23
I've discovered that the default
01:27
login and password for Postgres is in place,
01:30
and that means that the username and password are both postgres. A lot of software applications will do this.
01:38
You install the software, a database, a web server, what have you, and you get a default credential set.
01:45
So what I'm gonna do is
01:49
do a quick search for Postgres exploits,
01:53
because I'm not sure if I remember exactly what the exploit is called.
01:59
I've got a nice window here,
02:00
and I believe the one that I want is this guy right here, the Postgres payload.
02:08
As we can see, this is rated as excellent,
02:15
so that gives me a good idea that the
02:20
payload will work.
02:22
One thing I want to do beforehand is do a setg for my remote host,
02:28
so that we don't have to type this in every time.
02:34
I know that my Metasploitable instance
02:38
is .129 something. Go ahead and do that.
02:42
You could do set -g if you wish. I think setg is just a little bit easier to deal with.
02:47
Okay, so now I want to use this particular exploit. I'll type my use command.
02:54
Copy and paste this.
03:00
Now I'm in the context of the Postgres payload.
03:02
So if I show my options,
03:06
I can see that it's got a default database to search,
03:12
or rather, for authentication purposes.
03:14
And my username is already pre-populated with postgres.
03:17
I know that the password is supposed to be
03:20
postgres, based on my research.
03:23
So what I can do is I can set
03:27
Another thing I meant to point out earlier is that you'll notice, for the options for each module, they are not case sensitive.
03:35
Your entries, the settings, are case sensitive. If I put in something that's uppercase and it's supposed to be lowercase, it's not gonna work.
03:43
my password. I know that it's supposed to also be postgres. I'll go ahead and set that.
03:49
If I verify my options, I can see that everything looks good to go.
03:53
I notice that the target is showing me a Linux x86, which is good because that's appropriate for this particular,
04:03
I could also check to see if there's any advanced options, and there are.
04:08
We don't need any of these for this particular exploit, but it's good to just poke around when you're looking at an exploit to see what its
04:14
capabilities are. Targets:
04:16
you see the x86 or 64-bit x86. I've got two different options there,
04:21
but the one I've got selected should work. So I'm gonna go ahead and type exploit.
04:27
You can use run as well, as a command, to
04:32
actually execute the exploit.
04:36
I like exploit better because it's more descriptive. Okay, so let's look at what we have here.
04:42
I started my reverse handler on my local system.
04:45
So I'm listening, my Kali instance is listening on port 4444.
04:49
So that's what my
04:53
local port will be. It's not shown here in my options. It's predefined as part of the exploit.
05:00
Some of them are like that. You just have to explore each exploit as you use it in order to find the right one.
05:06
So we've connected to the target system on port 5432. This is also a default port that Postgres listens on,
05:15
and we can see that we've got a banner grab.
05:19
So I got some really good information here. I know this is Postgres version 8.3.1.
05:24
I can see that it's running on Linux.
05:28
And I can see kernel information here, Ubuntu 4.2.3.
05:32
So I'm also getting some good information about the target, in addition to being able to connect.
05:40
So, uh, I've transmitted my stager.
05:44
And if you remember from our previous discussion, a stager is
05:48
a component of the exploit that helps you to
05:54
then the stage itself
05:56
gets sent. So we see that there's
05:58
1.049 meg worth of data
06:01
in the stage, actually. The stage is
06:05
the component of the exploit that actually builds the connection.
06:10
Now I can finally see that I've opened my Meterpreter session,
06:15
my local system .131 and the remote system .129.
06:20
And of course, we know that Meterpreter worked because I've got a Meterpreter prompt now.
06:27
Like you would expect, I can type the help command
06:30
to see what options I've got available within Meterpreter, and there's quite a few here.
06:34
We'll look at the majority of these throughout our course. I would expect that you would poke around and try some of these options on your own as well, because you want to understand what Meterpreter can do for you.
06:50
But some really easy things to think about.
06:54
Uh, one of the commands that I always like to
06:59
think about early in the session is the background command,
07:06
to put a session in the background and then return to it later,
07:12
so I can run background.
07:15
So it tells me session one has now been sent to the background, and this is good because now the session is still alive, but I can get back to the context of my exploit if I want to run some other commands
07:27
first. So I can run the sessions command,
07:30
and this shows me my active sessions. I may have multiple sessions active with different systems at any given time, or even multiple sessions active with the same target system.
07:40
I can see I've got a session ID here, session ID of one.
07:44
It tells me the type of shell
07:46
and some other information
07:48
about the system and my connection itself.
07:54
Now, if I want to go back to interacting with this session, with the sessions command, or rather, with this session,
08:00
you'll notice I can use the -i option.
08:03
I can kill my sessions, I can list them, and so on. I can run scripts or some other advanced features, but for right now, what I want to do
08:13
is go back to the session I've already created. I'll do a sessions -i
08:18
with the one, because that's my session ID.
08:20
Now I'm back in my Meterpreter shell.
08:24
Once I'm in the Meterpreter shell, I can do lots of different things.
08:37
My core commands: I already showed you background.
08:41
I can also kill scripts
08:43
that are running in the background. I can list scripts running in the background. I can close channels.
08:48
I can look at info about a particular module.
08:52
I can load more extensions into my Meterpreter. So this is a beautiful thing about Meterpreter: it acts as sort of a toehold on that remote system. Once you've got connected with a Meterpreter shell, now you've got a very flexible and interactive environment to bring other information in, other tools and auxiliary modules, and so on,
09:11
or extensions. I can do those things in order to enhance my ability to
09:18
interact with this system.
09:20
I can still use and load modules and extensions just like you'd expect.
09:26
I can even interact with the file system. I can cat a file.
09:31
Let's first see what I'm running under.
09:43
Oh, I'm thinking I'm in a command line shell. That's why I'm
09:48
using the wrong commands there.
09:52
But one thing I can do is try to see if I can look at, for instance, maybe I've
09:58
tried to compromise the system and now I want to see if I can look at the password file.
10:07
So you can see I've been able to look at this.
10:11
The password file has, uh,
10:13
some information that might be useful,
10:16
but it really doesn't have any
10:22
And so I'm trying to run the cat shadow, or trying to show the, that's the shadow file,
10:28
and that's not letting me do that. So I may not have
10:33
the permission that I would like.
10:35
One thing I can do, however, once I've got the Meterpreter shell established,
10:41
is I can run the shell command to try to get a command shell. You'll notice I'm not root on this command shell. So that's why I could not run.
10:50
I am logged in as postgres, which we saw from the
10:58
options that we set up originally.
11:00
I'll go ahead and exit that command shell. I don't need to be there.
11:05
Control-C to terminate that channel. My Meterpreter shell is still valid, but that command shell that I launched
11:13
is now terminated.