00:03
>> Again, back to some file system commands. I can go to different directories, I can get my working directory, ls will show files, I can make directories, I can move files around, I can remove directories. Most of your basic command shell functionality is enabled in meterpreter itself.

I've also got networking commands. Even though I already know the IP address, [NOISE] I can certainly list it again, .129, that's my remote system, that's metasploitable. Maybe I want to do something else. Maybe I want to run netstat -rn, and you'll look at my ports that are listening, see some information about established connections, and give me the same information. I can also run other commands like what's my routing table? What's in my ARP cache? The ARP cache right now, I've only been connected to from the Kali instance, which is .131. But if you were connecting to a system that was being used by lots of other people, just pulling the ARP cache is very useful because now I can see other systems that are connected, because their IP address and the MAC address are saved. I can look at route information, I can see what my default gateway is, .2 in this case. IPv6 information is also available if I was interested in that.

Being able to poke around in the file system is pretty handy. I can also do things like uploading and downloading files. For instance, if I want to, I now have to have the permission to read a file. If I do an ls in my current directory, I can see that I've got some globally readable files, so it looks like I can try to do something like download server, research. We can see that that actually worked, and if this is a certificate file, and we'll get into some of these things later, then that can be really useful. Now, where does this file go? I'll switch to my other command shell, and if I go to my Downloads directory [NOISE] on my given system, that's not where it went; maybe it went to root itself, there it is. It did not go to my Downloads directory, so it goes to whatever directory you launch your console from, and I was already in root when I did that. I don't need this file. I'm going to go ahead and delete it. Control Page Up to switch back to my other tab. Remember your shortcuts?

Uploading, downloading files, I can also edit a file. [NOISE] It's going to look like my certificate's here. This is probably my public cert. Basically, it throws you into a vi type editor, which is very handy if you don't want to have to pull a file back, edit the file, push it back out. That increases the odds of getting detected. We want to always think about taking the action that's required in the way that creates the minimum amount of traceable events.

Other things to think about if I'm in my meterpreter shell, I also have the ability to run all kinds of post exploits. I can do that by using the run command, there it is. Executing the script, executing a post module, for instance, I might want to see if I can get hashdump from the system, even though I know the Postgres password, that's not the administrator password. I might have to do some other work in order to get the root password, or some other valuable things. Tab completion does not work in a context like this, unfortunately, so I have to know what I'm typing in. But I'm going to try to run hashdump, not a Windows system. That won't work. Let me do this real quick. [NOISE] I'll background this session. I'll do a search for post, this is going to give me a lot of information, but I might be able to find post for Linux if I scroll up here. It's post for multi. Looks like linux gather hashdump might be a good choice. I'll go ahead and copy that. Might have been faster to do a search for hashdump itself. That's a shorter list. I know that's what I want to do. Now I can go through, and I can find the one that I was interested in. Now, I'm going to go back to session 1, which is the one that my meterpreter session is enabled on, and what I can do is I can try to run this, hashdump, see if it actually works. See, it doesn't work. I have to be root for that one to work, which makes sense.

We're seeing some of the limitations of the command shell that you have. I have a meterpreter shell which is useful, but it only lets me run commands that the Postgres user account is authorized to run, and this traces us back to the idea of the principle of least privilege. I don't want to run Postgres as root; if I did that, and I also did not change the password, or with some other vulnerability, now, when I compromise the application or compromise the command, or rather the credentials, if the Postgres ID has root type privileges, now I can do other powerful things that I wouldn't be able to do otherwise. There's good reasons for respecting the principle of least privilege. You don't want to get overly generous with doling out privileges when you're building a system, for obvious reasons.

I also might want to, for instance, run some commands and see what processes are running on that remote system. I just did a ps command, and it basically gives you full ps output. This way I can tell with some detail what's actually running on that remote system. Process ID numbers, parent process IDs, the name, and any paths that are relevant would all be shown here. I notice I've got a bunch of things running. I've got some applications, distccd, or rather distcc, the daemon for that. I've got an Apache web server running, I've got some Ruby components running, there's a lot of things. Looks like I've got VNC running. There's a lot of clues that I've just uncovered for how I might go about further compromising the system. I haven't even done a scan yet. I just happened to take a guess that the Postgres database would have a default password, and it does, so I'm able to get in and get all this information.

Let's run our help command one more time. Other things we can do, I showed a few things like running a shell, ps, and so on. I can kill a process if I have permission to do so, I can execute commands. I can even set up port forwarding, which might be useful depending on your needs at the time. There are some other options I'm looking at, for like encoding, setting timeouts. There are ways to try to get a picture from the webcam. See that option in this context. But other things to think about, I can suspend a process. The sysinfo command gives me a concise output, like a uname -a command would do on a UNIX system. Gives me some good details here for what I would be. Other details I want to track for this remote system, to know that I've got something truly useful.

We'll definitely explore more features of the meterpreter shell as we go through some of the demonstrations, but this is a good introduction. See you in the next video.