Post Exploitation (part 1): File Transfer without an Interactive Shell

Video Activity

This lesson focuses on running post exploitation modules from an open session. Participants get step-by-step instructions on post exploitation modules using the Meterpreter command, which allows the user to set a payload. This lesson also covers how to exploit a database using the Kali Linux system.


Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription
00:04
we're in. Addition, post exploitation. I have some open sessions.
00:09
I have a Meterpreter on XP
00:14
now systems. We used MS08-067.
00:18
I have just a regular admin user on 7, and on the Ubuntu I have that SSH. So I am the user Georgia, which is a sudoer. But I don't have Georgia's password, so I can't sudo
00:33
the in law again.
00:36
All right, so let's just jump into one of the sessions. I'll just jump into the XP.
00:41
I do help. We can see our Meterpreter commands. So we've seen, like, hashdump previously.
00:50
You, like, take a picture from Web cams, record audio, things like that
00:56
and also have, like, upload and download. We can upload like
01:00
/usr/share/windows-binaries
01:04
and netcat, and we actually put it on the C drive.
01:15
You mean no such file in your directory?
01:21
Those windows. So does Brian. Aged There, you
01:26
Likewise you can download. We'll see some more options of how we can do file transfer early in the next video.
01:34
In the sections, we've seen TFTP, we've seen netcat,
01:38
but We have a couple other options for file transfer
01:44
when we don't have an interactive shell. But Meterpreter does make it really easy with upload and download,
01:49
pulling files to and from
01:52
the system. We also have Meterpreter scripts. I've heard the Meterpreter scripts are supposed to be phased out, and everything's supposed to turn into post exploitation modules. But, you know, there's still Meterpreter scripts right now, so, uh,
02:07
minus 12 issues them. I don't know if I'm getting accurate information.
02:13
I don't know if it's true or not. So if we go to Meterpreter scripts, they're just Ruby scripts that can be run in the Meterpreter session.
02:22
For instance, we run them with run and then the script name, getgui,
02:28
gives us help options, if necessary.
02:37
We could do -u to enable, only we already have a username and password.
02:44
I ran this when I recorded the video the first time, so it's obviously gonna work there, it said.
02:50
It creates a cleanup script. So we didn't see RC files in this
02:55
class, I don't think, but they're just basically scripts for Metasploit. No special syntax required. It's just one command per line.
03:08
All right, so I encourage you to spend time trying out the different scripts, different commands. I've given you examples here.
03:17
Now let's get to post exploitation modules. So that's what the Meterpreter scripts are apparently going to turn into. You can run the post exploitation module directly from an open session
03:29
like that, but I prefer to do them this way: use post
03:34
and let's see. What example do I want to use?
03:40
Go
03:49
windows/gather
03:54
Thanks
03:57
that doing there.
04:00
enum_logged_on_users.
04:05
We show options here.
04:09
My session again, it's set from when I did this previously.
04:14
That's session four, against my Windows 7 system,
04:19
and these don't have payloads. They just need to be told the active session you want to run it against; no RHOST, LHOST, anything like that.
04:30
Our current logged in user
04:32
is
04:33
Hey,
04:35
you have some other
04:38
users who've come on as well, like Administrator,
04:42
Georgia to Martin
04:46
like that. We have had some previous users log in, but currently it's just me.
04:54
That's an example of a post exploitation module. They're kind of like auxiliaries, except it's run on an open session.
05:01
We also have local exploits that
05:04
work on a current session, so we'll actually see that next.
05:09
Take a look at
05:12
privilege escalation. So we have our sessions,
05:15
and let's start with session one. Let's do getuid on it.
05:19
Well, I already migrated. Session one was open. That should say SYSTEM. But if we do
05:26
ps, just ps, and move into another process outside of our server for SYSTEM
05:34
where we did our MS08-067. We saw this in our client sides. We could move into another one and become
05:43
the regular user Georgia. Georgia is a local admin there, so she'll have some privileges.
05:49
What we're gonna do
05:50
is simply getsystem
05:55
and,
05:56
well, on XP that should be pretty simple. To do that, we can become SYSTEM. It runs
06:03
local privilege escalation techniques.
06:06
They're just like
06:10
our client side attacks or even our network based attacks. It could be some vulnerability locally on our Windows or Linux systems. These are called the local exploits, so
06:24
it's going to be exploit/windows/local
06:28
and one that we could try in
06:33
So certainly our getsystem doesn't have every possible
06:39
local privilege escalation exploit, so we can try additional ones.
06:46
I probably already set my options here. Indeed I did. So you want to set session again, just set session to one,
06:56
exploit. So what's interesting about these is... I'm already running as SYSTEM. Yeah, that would stop it. I need to move back to being Georgia.
07:04
Um,
07:05
What's interesting about these is that rather than taking the open session and escalating it to SYSTEM the way getsystem does, we'll actually run a payload.
07:15
And
07:17
You didn't actually see one set here from where I already ran this one, when I made the video without sound,
07:25
and it created a new session as SYSTEM. You'll still have the original session, so that could be a little bit confusing. getsystem just escalates the one that you have,
07:34
like going thio.
07:39
On Windows 7, do getuid: I'm me. But if we do getsystem, it actually isn't going to work,
07:47
because of something called UAC. It certainly is possible that they could be patched and have the
07:56
global setting set to the point that you can't privilege escalate. But typically that's not going to be the case, right? I mean, if you got this far on a system chances are there are some vulnerabilities lying around.
08:09
So with Windows 7 and all of our other newer Windows operating systems, you've probably seen UAC. It comes up and says, "Do you want to allow this program to make changes?" And you know, you have to run things as administrator even though you're an administrative user.
08:26
If you want to start up the command line and you want to run privileged things, you have to right click and run as administrator,
08:35
which was not the case on XP.
08:37
that makes it a little bit harder to do things like this.
08:41
Naturally,
08:43
hackers came up with ways to stop this. So there is a module
08:48
for bypassing UAC.
08:52
It's exploit/windows/local/bypassuac,
08:58
and it does run a payload. We need to set the session again. I already set it, of course; do set session
09:09
or
09:11
and you can set the payload or leave it default.
09:16
You need to be a local admin for this to work.
09:24
I already did this once, it may actually
09:26
what hurt
09:37
work, but where
09:41
Just shot this.
09:54
All right. I guess it doesn't want to do it twice. That's
09:56
fabulous.
10:00
I don't have the antivirus on. You do have to
10:03
essentially have the antivirus off for some of this stuff to work.
10:07
But it definitely worked before. Did it? Chicken two girls.
10:13
So what you can do is run this bypassuac. It will open a new session. Interact with that new session; you're still going to be the regular user, but then if you do getsystem, it will work because we bypassed UAC, so it's no longer going to block it. So you should be able to getsystem.
10:31
All right, we're gonna try something a little bit different on our Ubuntu system.
10:39
So we are the user Georgia, who is a sudoer. But we don't have our password to do our sudoing.
10:46
We're gonna take a look at using a public exploit from exploit database.
10:52
We do have Exploit Database locally on our Kali system in /usr/share/exploitdb,
11:03
so we can use wget to pull things down if we just put them on our web server. That's really easy to do our
11:11
file transfer
11:13
So we can get some information about this guy. So we can do lsb_release
11:22
-a.
11:24
So this is Ubuntu 8.10, Intrepid. It's a bit out of date. Newer ones also have vulnerabilities. In some classes I use 11.10, which has
11:35
vulnerability as well.
11:39
I generally keep up with these because
11:41
I do Android exploitation. So a lot of the same ones that come up in Android come up in Linux proper, since it is
11:50
the Linux
11:52
kernel,
11:52
with some changes, a fork.
11:56
So the one we're gonna do here came up in Android as well, as did the one for 11.10.
12:01
So we can also get information about the kernel.
12:05
If we do some searching,
12:07
this version of Ubuntu does have a vulnerability in the udev module.
12:20
I always have to look this up. It's like something about udev.
12:28
This is very specific. So let's see
12:33
what
12:33
udev we have.
12:43
I could probably haven't seen
12:46
a d. A m.
12:48
Most clues.
12:52
All right, so
12:54
It's not done. Here's our version.
12:58
So udevadm tells us the version of udev is 124, and anything
13:07
And then there's udevd,
13:13
and anything that is
13:16
140 or earlier, I believe, does have an issue. It is a logic issue, so it's not memory corruption, which makes it nice
13:26
for working with the exploit. We don't have to worry about switching out shell code or anything like that.
13:35
We're actually gonna do this one, the .c right here.
13:41
Let me cat platforms/linux
13:45
local
13:48
8572.c
13:50
So there is no shellcode; basically it's creating a Netlink message and sending it.
13:56
It's explained up here. Another reason I like this example is it does explain how to use it and what's going on.
14:03
udev before 1.4.1 does not verify whether a Netlink message originates from kernel space, which allows local users to gain privileges by sending a Netlink message from user space.
14:20
So what that means basically is, well, udev basically loads device drivers. Like, for instance, when you plug in a USB, it will load up the drivers for that. They will run as root; so that's udev's job, basically. So before 1.4.1,
14:37
on Android and on Linux proper,
14:41
well, you didn't have udev, but the process worked the same way
14:45
on Android.
14:48
Basically, if you send it the correct kind of message, which you can look up the specs and figure out how to send, even if you're not
14:58
from kernel space, you can send it this message, and it will gladly run as root whatever code you tell it to, as though it was your device driver. So that's exactly what this exploit does: it creates the
15:11
correct kind of message and sends it and says, Run this for me.
15:16
It was tested on Intrepid, so that's what we have.
15:20
Usage says pass the PID of the udevd Netlink socket, as listed in /proc/net/netlink,
15:28
and usually it's the udevd PID minus one, as argv[1], which in C is the first command line argument.
15:35
So we need to find some information to pass to it.
15:39
It also says the exploit will execute /tmp/run as root; you should throw whatever payload you want in there. A lot of your local privilege escalations will basically just take over the current process and just execute /bin/bash, and you'll be running as root. In this case, just because this is
15:58
a logic flaw of the particular kind that it is,
16:03
it's just going to run code on your behalf as though it's a device driver, so we're going to have to be a little bit more
16:10
creative about it. My solution certainly isn't the only one, but it works. So you're welcome to try something else.
16:17
You just have to put something in /tmp/run,
16:19
which we should have access to. Everybody should have access to /tmp.
16:26
All right, first things first. We need to find that PID of the udev Netlink socket. It says it's listed in /proc/net/netlink.
16:40
We should have read access to it. Here's the PIDs:
16:44
1, 2, 3, 4. It looks like there's four of them. I'm not sure which one is the
16:48
udevd Netlink socket.
16:51
Maybe I could try and figure out what the sk things are and figure it out, but I don't know enough about Linux kernels to be able to tell you,
17:00
but it gives me another hint. It's usually the udevd PID minus one. I know how to find a process ID:
17:07
ps, grep udev.
17:11
Like it might grep itself. And here's /sbin/udevd --daemon.
17:17
2512 is its process ID,
17:22
here's 2511.
17:23
It says it's usually the PID of udevd minus one. So this is 12, this is 11.
17:30
2511 looks right to me.
17:33
We also need to put something in that /tmp/run. That'll be our payload.
17:38
I already just recorded this; let's look at what I put there.
17:45
this is going to be
17:48
executed in a shell. So we need our hashbang /bin/bash to tell it these are bash commands.
17:55
Then I just do a netcat,
17:57
IP address of Kali, which did change. I tried really hard to keep them the same IPs throughout the entire class, which, as much as I travel, has not been easy.
18:08
But I've finally failed. So, to our port, and execute /bin/bash. We saw this same sort of thing in our
18:18
the next injury section.
18:22
That's just going to be our payload.
18:26
Naturally, we need
18:30
to catch it over here, so a netcat listener on Kali.
18:37
So we need to do our wget. So we need to copy it over; I already did, too.
18:45
So I'll copy
18:48
this file to
18:51
Are you
18:53
make sure the web server's running
19:03
and turn this back on?
19:07
Now wget.
19:15
wget makes it easy. It was already on there, so it made it a .1. We do typically have GCC for compiling C files
19:26
on Linux, which is also nice.
19:27
gcc
19:30
8572.c -o exploit
19:37
./exploit. And we created our /tmp/run, so it's hard coded to run that for us.
19:42
And we need that
19:45
2511 as our argument.
19:49
So it looks like we got a connection over here, though we don't have a prompt.
19:53
We do whoami. I'm root.
19:57
cat /etc/shadow. We got password hashes. We saw those in password cracking already.
20:07
That's just a little intro to
20:11
local privilege escalation and using public exploits. Again, I encourage you to spend the time to read any public exploit, and replace anything like shellcode that you can't read.
20:22
Yes, you never really know.
20:25
Otherwise, it doesn't really have the same oversight that we have on some of our others,
20:30
like Metasploit.