TryHackMe! Metasploit for beginners - Post Exploitation

Captions
All right, so welcome back to another Metasploit video here on TryHackMe. We've got to try and learn the one called Exploitation. Now this video is an actual continuation of the past video about Metasploit that I just created, so treat this as a second video. So we already learned how to use Metasploit to a certain degree, but now we need to learn more about the actual exploitation. We're going to take you through all the different tasks here on TryHackMe, and the very first one is the introduction, where you should download these task files. Let me just go ahead and do that; it's a Metasploit word list, so I'm going to download that. So in this particular room we're going to learn to use Metasploit for scanning, vulnerability assessment and exploitation. That kind of goes hand in hand with what we talked about in the first video: that Metasploit is an exploitation framework. In this video we're going to look more at how we're going to use that framework for the actual reconnaissance, scanning, assessment of vulnerabilities and of course exploitation. Now the very last part, exploitation, is of course a result of all your hard work, so please make sure to do the hard work first before we do the actual exploitation, because that is what is really going to take most of the time. The very first introduction part here is all about what more specifically we're going to cover. We're going to use, first of all, msfvenom, which is a program that is shipped with Metasploit. It's a standalone binary file; you can call it and create a payload, and with that payload you can obtain a Meterpreter session. As we talked about before, the whole thing about Metasploit is to get a Meterpreter session, because when you have a Meterpreter session, Metasploit gives you its own environment of programs to interact with that shell through Meterpreter, with a lot of different tools and built-in features and functionalities you just don't want to miss. So we're going to talk
about how to scan a system with Metasploit, use the database features, use and conduct a vulnerability scan and of course exploit vulnerable services on the target system, and of course use msfvenom. So please, the question requires: "The brute-force attack will be using the word list on the AttackBox; find the following path." So we're not using the AttackBox, we're using the Metasploit word list, the text file that we downloaded here on the bottom, as you see, the same name. So we're going to use our own machine. We are of course connected to the OpenVPN as we usually are; it's the tun0 network card we have. So "I'm going to start the AttackBox and run this product using msfconsole." I'm not using the AttackBox; we're just going to type msfconsole and press enter. So now that we've done that, we're going to complete the first task, and we are done. The second task is the actual act of scanning. I already went ahead and started the machine to be ready for this video, and let's talk about it: Metasploit has a number of modules to scan for open ports on the target system and network. You can list the potential port scanning modules available by using the search portscan command. Let's go ahead and use that: search portscan, and let me just push this up a few times. So we've got these kinds of scans. As we talked about before, the auxiliary modules are the modules that are not really actual exploits but more like scans and verifications, different kinds of things. Now which kind of scan I'm going to use for this particular machine is not yet out in the open. So what we see here is the same image as before: if you want to use one of these port scans, you will still interact with the module by the index, for example type use and number seven, and we're going to use this port scan right here. Now example number seven is not that port scanner, because it's not on my system right here; it's the sap_router. Let me see where it is: for me it is actually number two in my case. So sometimes
they change the index number and stuff like that; no need to worry about that, just look. That is also another really important part when you're going to learn something like Metasploit or other hacking programs, or just in general how to do exploitation: pay attention to details. The next thing we're going to do: port scanning modules require you to set a few options. So the one they chose, they used auxiliary/scanner/portscan/tcp. Now they didn't say that in this particular text, but you can see it here, so it's going to be the TCP one. So we're going to go back here; the TCP one is number five for me as well, so use 5, enter, show options. Let me press enter a few times so I can see it. So you can see here that everything is required; you can read the different descriptions for the different options here. CONCURRENCY, let's see, it's up to 10, yes, required is set, so fine; the default number set here is okay, just leave it. Now one thing you need to set is the remote host. We're going to go ahead and do that; that's going to be the IP address right here, so copy, paste that, go ahead and type set RHOSTS, put the IP in and press enter. All right, so the next thing is to consider the amount of threads: how many threads do we want to scan with? It says max one per host, okay, so let's leave it at one. And we have a timeout: if the port is closed we're going to use a thousand milliseconds; I would say yes, that's fine. And we're going to scan for ports 1 to 10000, so if you've got a port on 10001 and beyond, we're not going to find it unless we change this. But so far, let's see what they want us to do; they want us to keep the settings. They also explain the same thing here: CONCURRENCY, PORTS, RHOSTS, THREADS, and I guess they want us to... we can go ahead and run this, for example. So once I run, and when you run this, you will see different kinds of ports are open: port 21 FTP, port 22 SSH, 139 and 445 SMB, yeah, I think it is, and you see it's hanging right now, so I
can press enter a few times; it's still alive, but at some point it's probably going to return. So whenever it's done, all the way up to 10000, it's going to return and say okay, I'm done now. That is one way. You can also directly perform an nmap scan from the msfconsole, and that would just be this particular command: nmap, a SYN scan, -sS, and then the IP; that is just a particular IP address. We're going to use this one here. Let's see if we hit done. Yes, so port 8000 is also open and it says you are completely done now. So now that we have these ports open we can go ahead and go back and say we can also run the nmap scan. Now I'm not really going to do that, because I already ran the other one, so I know which ports are open. Please pay attention to the fact that we did a TCP scan, so we're going to go back and see different kinds of modules. If you want to verify UDP stuff, there's no particular auxiliary module for that right here, so you would probably need to use nmap anyways. But just for now, it's not an nmap course; I want to stay in Metasploit as much as you can. We're going to use the module for now. So it does also talk about a UDP sweep, and it's going to use that; I don't think I have that in my Metasploit. It's called scanner/..., it's also an auxiliary module, so I'm not really sure, but we can go ahead and just copy-paste the name, which is what we learned in the first video, and go ahead and type search, just put the name in, and see: do we have a UDP sweep? We do actually have udp_sweep. Why didn't I see it in the first one? Was I extremely blind or something? auxiliary/scanner... oh, it's because we, yeah, okay, we searched portscan. I should have... if we had gone ahead and typed search scanner we would get all the different kinds of modules that were a part of the scanner sub-directory, and as you can see it's got a lot of modules, so that is also a thing to keep in mind. Let me just go ahead and clear the
screen for you. You want to go ahead and do a UDP scan for this particular one here, so let's go back and search udp_sweep, and then write use 0, show options, press enter, and then set RHOSTS and then go ahead and just copy-paste the IP address just like before, put it in and type run. This is as easy as it is in Metasploit. Now you're going to see some things here: it discovers, sending 13 probes to one host, discovering NetBIOS, ...1.137, the ACME IT SUPPORT, of course. So really, that is one discovery, okay. So it also talks about: we've got some Metasploit auxiliary modules that are useful, that allow you to scan specific services, but always check for SMB services, which would be on port 139 or 445. We can go ahead and do that; it will tell us about the version. This is called smb_version, so we can copy it, copy-paste that name, smb_version. Now what I'm teaching you now is kind of the shortcuts to find modules, so if you know in a way how they name the stuff, just use search and you can use it. So show options again, there we go, and one more time I'm going to go ahead and copy-paste the IP address, set RHOSTS; you can see we've got a pattern now. Type run, and we're going to discover the different kinds of versions; only one version of course is to be detected, and we're going to get these versions here: yes, yes, through ...c311, also the main IP which we do have, and the Windows 6.1, Samba 4.7.6 Ubuntu, interesting. All right, so now we're going to add some answers to some questions. How many ports are open on the target system? Now the hint says you can use the port scanner module. If we're going to do that we can go back to our... oh, let me see, can I remember how many we did with the scan? So let's see how many was it, was it like six? I will just see, whoops, I think it was six, and then it's five, yeah. So you just need to count and take note; it doesn't really matter too much. Using the UDP scanner, what NetBIOS name did you see? NetBIOS, so I think the NetBIOS name was
the UDP scan with it, and it was the ACME IT SUPPORT, if that is what they want. What is running on port 8000? Now we don't really know, but we'll go back here and check what is on 8000. So since we cannot go back, we kind of need to... let me just clear the screen. We kind of need to go back, so let's just say back; it's going to be out of the auxiliary, and search nmap, and we can see that we can run different kinds of nmap scans, and the one we want to run is obviously the easy way; it's the one they show us here. You usually don't use nmap in Metasploit, but we can just type nmap and then do a SYN scan to the IP address. Let me just take it, go there, clear screen, nmap, and then do, obviously, a version detection for now, because -sV is nmap trying to discover what kind of version of software is running on the particular port. 8000 is a part of, if not mistaken, the common ports. So it's webfs httpd. How much did you want me to answer the question? Five letters something, so they want me to write... I guess http, that's for the service, I guess. Let me just put it there. No. Do they want this? How much do you want? What do they want? Oh, they want to put a slash. No, this is the thing now. Do they want webfs or http? I don't know; I'm going to put it there. They want to write that, okay, yes, yes. What is penny's user SMB password? Use the word list mentioned in the task. So they want us to do a brute-force attack and do that by using the smb_login module. So go ahead and take the word list. So now we don't know anything, we're just going to go ahead and say SMB module called smb_login. We're going to go ahead and type clear, search smb_login. We're going to use that because we only have one. We're going to write show options, because this is what we do: take a quick peek and say like yeah, we need to do something with the... let's see, yes, required, RHOSTS, so set RHOSTS, go ahead and copy-paste the IP address one more time, and let's see, yes for the port, and we need to
set the username and password file. Both are directly required, which probably means that it's going to perform a brute-force attack, but we do get a... let me see, penny, so let's go ahead and take penny as a username and say set USER_FILE... SMBUser, I guess; I think they're going to mean this. Let me just see, and allow me to set the USER_FILE containing users, and PASS... oh, let's just see what we actually got when we downloaded that thing. Let's go to Downloads; we've got the... let's head to the top of the file. Where was it? Metasploit word list. It is basically just passwords, so let's go ahead and take the path; it's going to be that. No, not that, I've got to take more than that; let's go to this one here, and we have to set USERPASS_FILE with a specified user. Why don't I see that? USER_FILE, continue using info. So I'm using the path for all; so it's a file containing users and passwords separated by space. PASS_FILE, there we go; let's read the details, everything put in the... whoops, no, set PASS_FILE, I'm going to do like, what was it again, I keep forgetting, /home/kali/Downloads, so home, kali, downloads, Downloads, thank you, the Metasploit word list, I think that will be it. In this way, go ahead and run it and it's trying to enumerate credentials now. If I filled this out properly it's going to try it and it's going to find it, and it should be there. Let me just go ahead and clear screen and say show options: did we fill this out correctly? This is something that you can miss easily, you know, using Metasploit. So it says I put penny as the SMBUser, username to authenticate as, yes; focusing on using one per line, no, we don't need that; PASS_FILE would be yes, and let me just see that we get the... all right, so I think, let me just close this window. From the look of it we need to make sure, yes, domain name is the domain to use for authentication; it's a dot, yeah, I don't remember that, penny. It should work, it should work, let's go ahead and tab one more time. No
active database, fail, fail, fail, fail, fail. So let's see, I'm going to just run it for a bit and see how far I'm going to take it. All right, so we're back, and the password was leo123. I don't know, that was actually a part of that... Kali, oh no, oh yeah, anyways, leo123 was the actual password, so let's go ahead and put that in. Now that we have that, you can go ahead to the... whoa, this one here, and say penny got that password. This is the typical notation for how to store users and passwords, so we're going to store it this way. Now we're going to go back now and say we did that, and now we're going to go ahead and do the Metasploit database part. Let me just scroll up here and let's get started with that. All right, so it talks about: while it is not required when attacking a single target, in an actual pentesting engagement you will actually have several targets. So yes, that might be true. So the Metasploit database function simplifies project management to avoid possible confusion with setting up parameter values. So we'll talk about it one more time. We can go ahead and use the... what is the old name? Using Metasploit for scanning would be... oh, they called it Metasploit module R2 at some point; they even changed the logo and everything; it's better now, but take the image too. So first of all, in order to use the database we just started, that is running the systemctl start postgresql command. Let's go ahead and just open a command prompt and say... postgresql, there we go, and then I'm going to write my funky password here. So now that I've started it, we have PostgreSQL started, and then we can go ahead and initialize the Metasploit database by typing msfdb init. So let's go ahead and do that; now we need to run it as root, so it's going to do that, type the password again, and since I've already done this, it appears to already be configured, skipping initialization. So it is already started in my case, but in your case it might be different. All right, so we can go
back here and go into Metasploit and type db_status. Let's go ahead and do that and see what it says: clear screen, let's say back, back, clear, db_status, which is a really good way to check whether your database is connected or not. And it says that it is connected to msf, connection type postgresql, which is correct, showing that things are running, as you can see right there. Now the best feature is also to create workspaces to isolate different projects. Now go ahead and type work... whoops, workspace, like that. You can see that the database is not connected; that's very interesting, why is it not connected? It did say it was connected. So let's go ahead and just exit Metasploit and do sudo msfdb init, and it appears to be started. Let's go ahead and run it one more time. Now it doesn't work for me; not to worry too much, it should work for you. But we should be able to create our workspace here by typing workspace -a and then the actual name of the workspace; I'm going to give it a name like tryhackme. So let's just see, clear screen, workspace -a tryhackme, okay, so workspace is working now. I don't know why it wasn't working before, but sometimes technical problems appear even when doing hacking. So now we've created that workspace we will be able to store different things. It also says that we notice the new database is printed in red with a star symbol. All right, so we can go ahead and use the workspace command to navigate between the different workspaces to choose. So we can go ahead and type workspace default and then it's going to be default; that's going to be the one we're using. So let's go ahead and just try that for fun and giggles: workspace, and we're going to now see that default is the one with the star. We're going to go ahead and type workspace one more time and try tryhackme, and just press enter, and type workspace, and it's default, sorry, tab
autocomplete, and then we still have that workspace anyways. So now we're going to use the workspace -h command to list the available options for the workspace. Let's go ahead and do that: workspace -h. I always see different kinds of workspace commands we can use here: we can add workspaces, delete all workspaces, help, list them, rename them, search for them, and so on. So the idea behind a workspace is that you can store the information you gather, use it at a later stage, and you can even save it there, so you can conduct pentests with Metasploit over time, get back to the data and so on. Different from normal Metasploit usage: once Metasploit is launched with a database, the help command will show you the database backend commands menu. Let's go ahead and type that, so help; as you can see we should have the DB commands right here: db_connect, analyze, db_export, db_import, db_nmap, and so on. So now that we have the database connected, as I talked about in the first video on Metasploit, we can use nmap to store the open ports it scans for us in the database. Now that we have that database we can go ahead and run db_nmap and it should actually store those, so we have them, and it will make it easier for us to work with our targets and do pentests that way. And now we're going to run that; so we're going ahead and copy-paste the original IP address now, and I'm going to do a version scan, all-port scan, with -p-. Let's go ahead and do db_nmap, let me just clear screen, db_nmap, and an all-port scan, thank you, and then the address, press enter. It seems that I put a special character inside here, so that's really an achievement; I don't know what I did. How do you do that? I must have hit the Alt key in some way on my keyboard. Now the scan is running, we can go ahead and go back here and see it's going to return with
something for us. As a Metasploit PCE, within kind of portal problems, and it will reach different major problems to host, instead of running on the target system, with the hosts and services commands respectively. So let's just wait a bit here. So we're back; we've got a server here, it's an Ubuntu server, it is not Windows; workgroup called ACME IT SUPPORT; we have Samba, we have HTTP, a pro Filipino thing. I'm going to go ahead and type hosts, now I will see the host; the OS name is unknown, the purpose is this device. We can also go ahead and type the other command called services, so let's do that, oops, and I'm going to get different kinds of services here. So now that we are in this workspace we can always just easily navigate back and forth and see, oh, what services was it? Oh, I cleared the screen, sorry; there are the services again. So you can also just recall that; that is a really good idea. So I kind of like the idea behind this way of working with Metasploit; everything is saved in the database, that's really nice. So now we need to see the help command for those, so let's go ahead and type... the first one, it was hosts, hosts -h, and now we can see we can add hosts, we can show only given columns, we can delete, we can comment, so you can also use Metasploit to actually collect information that you can print out at a later stage to write a report. The same way goes for services -h: you can also see you can add services, you can comment on them, you can search for your ports and stuff like that, so services -p 21, let me see, did I do something wrong? I think I typed something wrong: -p 22, unrecognized service, okay, let me just do services -p 22, there we go. Let me go ahead and just type that and see what the service was again, and get the one line instead of just services, just like that. So that is also a very nifty small tool to have. So, not to spend too much time on the individual
commands, we can also go ahead and do: with the information stored in the database, you can use the hosts -R command to add this value to the RHOSTS parameter. So we can go ahead and type hosts -R, and now when you run something the RHOSTS should be set to this particular IP address, which is really nifty if we have to set it all the time. That is also what some people do when they do capture the flags, TryHackMe, Hack The Box, King of the Hill: they set environment variables to this particular IP address so that you don't have to type the IP address like that. It's also a pretty good idea. So the example workflow we're going to use will be to use a scanning module to find potential MS17-010; it's an SMB share vulnerability, using the auxiliary. So we're going to go ahead and use that; we're going to do what they say, just follow: use it, clear, show options, and as you see RHOSTS is already set to 10.10.178.132, which is the IP address. So run. Right now we can set that with the command; what we did: we typed show options, and the value assigned, creating example 10.10.138.22.
It's the old IP address, isn't it? No, earlier, using the DB command. I don't know why they have this here; it's highly confusing. Anyways, once all parameters are set, we launch the exploit using run or exploit. So as you can see here they execute the auxiliary module for the SMB share and use hosts -R. It's already set for me because we did it, so it's remembering it; it's really good. Let's just type it and you can see that different kinds of things are set, but instead of just looking here let's go back to the command: is this set? Yes. Is this set? Yes. Is this set? Yes, and that too. Let's go ahead and type run, and it says host does not appear to be vulnerable. That is really good information, because then we don't use a lot of time to verify the vulnerabilities on that particular share. I'm going to go down here and say more: if there's more than one host saved in the database, all of that is reused when the hosts -R command is used. In the typical pentesting engagement we have the following scenario: finding available hosts with the db_nmap command, scanning these further for vulnerabilities and open ports using the port scanner module, and then the services command. The services -S parameter will allow you to search for specific services in the environment; we already did that just with the lowercase -p for ports. So if we go ahead and type netbios we should find something like that, and so on and so on. So you may look for low hanging fruits such as potential SQL injection or remote code execution via the web page; FTP could allow anonymous login, for example; SMB could be vulnerable to this particular exploit, or maybe they just have public shares you could read; SSH could have default or easy to guess credentials; or RDP, Remote Desktop Protocol, could be vulnerable to BlueKeep, or the desktop access could just be reused. So that is really some of the things. And let's talk about, as you can see, Metasploit has made
features to create engagements, stuff like that, but list results at a high level and quickly import and export data. Let's complete this part here and go over to the next one; it's called Vulnerability Scanning. All right, so are you excited now to do vulnerability scanning? I sure am. So Metasploit allows you to quickly identify some critical vulnerabilities, yes, and this is a very interesting feature with Metasploit that could be considered as the low hanging fruit. So it kind of refers to easily identifying and exploiting the vulnerabilities that can give us the foothold that we really want; so that is what we would like to find. So what we're going to do now is finally... vulnerability scanning with Metasploit relies heavily on your ability to scan and fingerprint the target. One more time: do your footwork, do your enumeration, do your reconnaissance; it's really important. The better you are at these stages, the more options Metasploit provides you. For example, if you identify a VNC service running on a target, you may use the search function in Metasploit to list useful modules. The results will contain payloads and post modules; at this stage these results are not very useful because we have not discovered a potential exploit yet. So we are tasked to do this question now: who wrote the module that allows us to check SMTP servers for open relay? And to find that answer we probably need to do an info on a module that is for SMTP open relay. So let's go ahead and just go here and type clear, search smtp open relay, and we get this right here, so let's go ahead and type use 0 and write info, and we do get the name here; it's Campbell Murray, I would say. So let's go ahead and put that in, and that is exactly what the name was. So this is the way you should think when you're going to search for modules. Now the actual vulnerability scanning of the low hanging fruits: you might think that Metasploit will do something like auto fingerprinting for you, but that's not really going to happen. What will happen is you do an nmap scan and
with that you search for potentially fast exploitable versions of software; that is the way to go. So now that we have that, we need to do exploitation and to start the machine. So let me just close the other one, start the new one, go back and type back, clear, go all out, and we're going to go ahead and type workspace, and we are still in the tryhackme workspace; that's really good. Very soon we're going to get a new IP address, and I guess a good idea would be, let me just see what we're going to be taken through; sorry, it looks like it's going to be something with EternalBlue again, and the questions are: what is the flag, and we also need to find the hash, the NTLM hash, which is the one they use on Windows. We can just quickly go ahead to Google and type in NTLM, and NTLM stands for, I don't remember that, is this really what it stands for? Well, I guess I'm going to see it; am I blind? NT LAN Manager, that's typical Windows; also when they did Windows New Technology, Windows NT, I was like, no, they did it again. Anyways, we're going to go ahead and extract the hash, so there are some commands to go ahead and run, so this is going to be very exciting. Now the way we're going to do that is first get the initial foothold, and then we're going to go ahead and extract the hash, and that's going to be very interesting. So let's go back here now and see what we're going to be taken through, what they will tell us to do. As the name suggests, Metasploit is an exploitation framework, and exploits are the most populated module category, which is true. As you can see, you can search by search and type in, for the command to launch, info or exploit to use it. We know that most exploits will have a preset payload; however, you can always use the show payloads command to list the payloads you can use with the specific exploit, and that is true. Many payloads, sorry, many exploits do have a preset payload, and in most cases it is a reverse shell, but it
isn't really always the case. You can change that; maybe the machine is not vulnerable to that particular one because they have a special kind of setup on there, whatever, a firewall, who knows. Maybe let's try another one; that is also something you need to do sometimes. So let's go ahead: to decide on the payload you can do set payload and make your choice; that is the way to set it, set payload and then the number of whatever payload here under the hash sign, the same as when you type use to use an actual exploit. Now, yes, they then one more time talk about: we can set the LHOST for the particular host, ourselves, the local host, and then exploit the thing by typing... they type exploit, I type run, same same, it's an alias. And then let's talk about: when the session opens, you can background it by typing Ctrl+C, or you can use Ctrl+Z, sorry. I usually don't use these because it's easy sometimes to break something, so I just tend to type background or something like that. Working with sessions, we already covered that in the first video, but you can go ahead and type sessions -h to get the help, or sessions -i and then choose the actual session you want to interact with; that is, I'm sure you love them all, I guess. As they also inform here, the session is -i, and they type sessions to get the list of active sessions and do sessions -i 1, which is the first one running on this particular machine here. If you have a reverse shell running, or a Meterpreter in this particular case, you're going to get a command prompt, and that is also really good. You can get a command prompt by typing, I think it's shell, in Meterpreter, and then you're going to get a direct shell on the machine where you can run different commands. So, exploit the critical vulnerabilities in the target machine; now I get the hint: it's going to be this MS17 whatever. We're going to go ahead and type completed, so what we're going to do is try and do these things one more time, just with
the tools we learned. So it's going to be workspace -h, all right, workspace -h, and then workspace -d tryhackme... why did I not spell that right? Workspace there, and then workspace -a, add, and do a new tryhackme, and then workspace one more time, and we're using the default one which is totally new. Now let's go ahead and run a db_nmap on this particular one here with the standard scripts and standard version enumeration. Now if you don't know nmap that well: -sC is trying to run different kinds of scripts that are a part of nmap to discover different kinds of easy low hanging fruit, like default credentials, stuff like that; also -sV is version enumeration; it's going to try and enumerate the version of the service running on the particular port. So we're running the command now; I'm using db_ in front of it because we're going to save it directly into the workspace database so we can use it. So while this is running, we go back and we're going to look at what the flag is, and the hint is you can use the services search command when you have it, because that is also really powerful. Meterpreter is one of the most powerful shells you can get, or ways to interact, to get the NTLM hash; we're going to get back to that in a few seconds. You can always just press enter if you think that it's stopped or something; it's not the fastest response time here. So what you could do if you suspect this is not responding back to pings: just open a new command prompt, just type ping, run it, and you get a response back. So it is responding to pings, it's just a slow service enumeration. In this particular case the reason it is slow is because I'm running a version enumeration and the standard scripts; it is almost done. That's going to take some time; if you just do a normal nmap scan it's going to scan for the most common thousand used ports, different kinds of numbers, not 1 to 1000
but like different kinds of numbers, I don't have them all in my head. When you do service enumeration you actually poke all the open ports and ask for banners and stuff like that. So let's see how far we are. So we already found out, and we do see different kinds of things. Let's start from the top: we have Windows here, we have a Windows 7 Professional, which is kind of telling us that this might not be the best security of them all. It also says we have open ports there, and let's talk about different kinds of names: it's Jon's PC, I think, and target name and product version, and some other ports we don't really know what that is, but some remote desktop, and you see some SMB stuff going on here, something about message signing but not enabled. Windows 7 Professional, which kind of tells me that there might be an exploit for Windows 7, so that might be a case, and let's see, NetBIOS.

So what we're gonna do now is, how to get further. Now you could of course go to Google and type Metasploit exploits Windows 7, you know, and just press enter and get the very first one, and it's gonna say like how to hack Windows 7 using Metasploit, and then you can learn some stuff about how to do this and how to do that. Now already the very first result, this is the point, talks about EternalBlue, and this is of course one of the more critical exploits there is on the Windows machine. So in order to get that you need to find a way to search for EternalBlue; they're probably going to take us through this at some point. Well, let's just go ahead and type clear and search eternalblue. We can do that and you will find something; you're going to find this ms17_010, which is a very highly ranked one. Now I kind of think we're gonna use that because it does say EternalBlue. Let's go ahead and type use 0, clear the screen, show options, set RHOSTS, show options one more time, because now we
set that our host, the remote host, should be set to this one. Let's go back, the local host, so ifconfig is going to be 10.14.34.161, which is the one we have, and everything is set. Let's go ahead and clear and type run. Now we did that; we are seeing that a lot of green things are showing up, it's going to try different kinds of things, sending all the stuff. So host is vulnerable; we have ourselves a Meterpreter session. Sessions, sessions... oh sorry, we have the Meterpreter shell right open here, so we didn't type background; that is of course the case.

We can go ahead and type search now; here I'm gonna find a flag, let's search for flag, so it's going to be, check, with a star and a star around that, so let's search the system for something called flag. Well, they did give us the name, I think it was flag.txt to be honest, so take the whole name, save some time. Now I don't know, they use the search command, but we could probably go ahead and just manually find it, I guess it could be. We can also just wait a bit here and see when it pops up. So we kind of found it, all right, so we can just go ahead and take this and cat it out directly to the screen. If I could copy paste, you know, it would be really good; there we go, and we're gonna get the... was it, what is it again, download? I tend to remember some of the commands. Download, yes. Hmm, so we're gonna type shell and we're gonna get a normal command shell, do type and this, and we're gonna get the flag anyways. So that's also another way to do it: copy paste it, take it.

Now the next thing I'm going to do is go ahead and get the hash for this user called pirate, and it's going to say use hashdump. So let's go back here; let's say, what is it, like exit, and we exit the shell, go back to Meterpreter. Let's do hash... clear, it cannot clear anymore. Okay, so anyways, ah, that was not the command I was clearing, so clearev. Let's go ahead, and now I did it, so let me just...
clearev is a command we can use; for beginners, it says whenever inside a Windows system all actions get recorded eventually, so we actually talk about cleaning up right now, and we're not going to do that for now, but I just kind of did it. So anyways, we're gonna go ahead and type hashdump, press enter, and I'm gonna get the hash for pirate. I'm gonna take this hash here, copy paste it, put it in, that should be... no? What is the answer, the hash of the password? I feel I did put it in, what is wrong? So now we didn't get it directly. It's not that long, so let's go, okay, let's go to the latest flag, the hashdump NTLM, and then let's take the one there and see what they do talk about. So sometimes when using a tutorial it's not doing exactly what it needs to; find another way to find the knowledge. Let's see, they do talk about hashdump, yes, and then, do they do more than that? No, they don't. So that's not the answer. Let's go back then to the Offensive Security one that I actually use most of these, and see what we did wrong. So they do talk about using hashdump, that is a particular... it's a post-exploitation module, we could do that, so now we're going to learn something new. But I kind of feel that we got it, so, also just copy paste all of it I guess, but that is just a bit too long, isn't it, and they don't want the... oh, oh, oh, there's a colon right there. Let's just take the first part, I think that's gonna be it. No, it's the second part. I totally missed my NTLM knowledge here, a typical rookie error. There we go, sorry for that guys.

Now we did answer the questions and we did actually get the users. Go back and just say, okay, so, oh sorry, it's getuid, getsystem, and we are running as SYSTEM. So there's also a command called migrate. The migrate command is not something that's covered in this tutorial, but it is actually a command where we're gonna list the different kinds of processes and try and migrate onto
another user to do privilege escalation, which is not going to be covered in this video, but I'm just gonna drop it right now; it's not that hard, but it is a really good thing to learn.

Now the part here is about using msfvenom, and msfvenom is a really interesting command you can run; it allows you to generate payloads. Let's just run this and close the other one. Those payloads can be generated for different kinds of endpoints, like you're going to do Android or Apple iOS or PHP or Java or whatever, Tomcat server, so you can generate your own payloads. You can do so regularly, but those are mostly used in manual stuff, you know, not the automated stuff we have. The output formats can be listed with this command, stuff like that. So I don't know what they want us to do in this particular exercise, not a huge fan of msfvenom, but let's see. They want us to launch the VM attached to this, username murphy, the password this; you can connect to the following machine on the browser. All right, so I need to do a lot of stuff: a payload in the ELF format, okay, so we're gonna choose different kinds of formats. That is the... sorry, you set -f for the format and then you basically save that directly. So let's take the IP address now, let's close some of the windows here. So, yes, you can access it; not obvious what this is. As long as the VM username murphy and the password, we connect with SSH. Okay, so let's open a new one here, ping it, and that's not the IP address. Let's go ahead and ping it, yes. So ssh murphy, I guess that is how they spell it, yes, and then the password would be this extremely bad password; paste it, and we should be in right now. So id, we are murphy, clear, ls. So what we're going to do now is say we completed that, and then they say create a payload in the ELF format on the AttackBox or your attacking machine of choice. So we're going to go ahead and take this particular line here in ELF format, so I'll
take this line, open a new browser... new terminal, sorry, and basically just say, so we need to fill out different kinds of things. Now it already shows the actual -p for payload for msfvenom. msfvenom is the binary file; -p for payload, as you already know, provides the same thing. The local host is not that; let's go ahead and just open a new window again and type sudo ifconfig. There we go, and LHOST is that, my IP address. Going back, ah, that much back, and then we're gonna go ahead and paste that in, and LPORT is gonna be 444; it's gonna be an ELF reverse shell. Gonna press enter, and because we are redirecting the stream it's generating. If you just had this command it would put all the code to the screen; now we didn't do that, so we have the reverse shell ELF, cool, right here. Let's go ahead and say we completed that task.

Transfer to the target machine, which is on the Python web server with Python 3, just like that, and we can do wget and so on and so on. So let's go and do that. So we have too many, so we can do like python3, start the web server. The file is called rev_shell.elf, but I also need the IP address, which is new, and remember the new one, that's a thing. So we're gonna go wget http:// and the IP address, and it's on port 9000, and it's called rev shell, I think that is what they called it. No, it is called rev_shell.elf. Why? Oh yeah, yeah, so we're getting it right there. So you are positioned there, so go ahead and position yourself in /tmp; usually you have better rights to write files there. So we're gonna get it, and we have the ELF file saved right there. So the next thing we're going to do is get a shell on the target machine, get a Meterpreter session on the target machine, and use a post-exploitation module to dump the hashes. So now I'm going to go ahead and go back to Metasploit, let me just... it died, so type back, back, clear, and we're going to take a clean-slate start now. So what we're
going to do is think reverse now. Now we kind of need to have this file here be able to be executed, so let's change the mode: chmod +x rev_shell.elf. Let's do a full listing here and see that we have full control of this file right now, so we can basically execute that, and we can do that by running it. But we need a Meterpreter handler that listens now for the connection, because when we run this, we'll do it manually from like this way here, we're gonna, you know, run rev_shell, then we need a Meterpreter session waiting for that connection so we can get the Metasploit powers back, because then we are getting a lot of commands and good stuff we can use. I hope you understand the whole point of this.

And by doing that I'm going to go ahead and type use exploit, and it's usually called multi/handler, and this is just something you kind of, you know, need to know in a way. Show payloads, and I'm gonna get a lot of different payloads that we can choose from, and the one I'm gonna choose is the one called, um, it's called linux meterpreter, something like that. So let's do it; it's very important it's a Linux machine. So, ah, this can be quite daunting, you know. Okay, yes, let me just do it another way. I know the one we're gonna use is called set payload; it's gonna be the one called linux/x86/meterpreter/reverse_tcp. Type show options, and we just add our local IP address. So we're gonna take that, it's gonna be exit, sudo ifconfig, gotta take the local IP address, go back, set it there, and... no, oh, did I just close it? I didn't do that, did I? Oh my, oh, that's unfortunate, I just closed my Metasploit session. All right, so now it is closed, my Metasploit session; we open it one more time, no worries, because this is just what happens really. You can start the Metasploit Framework console, msfconsole; we're gonna go ahead and just type clear and type use exploit, and then we're
going to use the one called multi/handler, and then set payload linux/x86/meterpreter/reverse_tcp, and I'm going to say show options one more time, show options. I'm gonna set LHOST to this one I copy pasted just before, and it's going to listen on port 444, which is the port that I chose when I created the msfvenom payload. Run now, and now this is starting the reverse TCP handler. So we go back here and run the script, go back again, and you see we have a Meterpreter session, voilà.

We've done hashdump... hashdump, come on, hashdump. So it kind of says that this command requires the priv extension; load priv. I'm going to load priv; it is not found. So now we have a problem. Let's go back and see what we're gonna need to do now. Now if we cannot run it directly, we need to do the full path. Let me see what they did write, a hint here as well; yeah, this is actually what I was going to do. So if you cannot run the command hashdump directly, I need to do the full path, and the full path would then be this, and run the command: run... no, I use the correct window, run post hashdump, and then basically it should work. Post aborted due to failure: no access, shadow file must be readable in order to dump hashes. Now we do have a problem, because we need to get some higher privileges in some way in order to answer the question of getting the hashes. Now it kind of failed, so what we could do is go ahead and type back... background, sorry, and then instead of that go ahead and type use and then take this particular post-exploitation module, and type show options, and it only says like the current session. So let's go ahead and add sessions; we have one, so set SESSION 1 and run it again. Now that is another way of exploiting it, but we kind of need the privileges in order to read the file; that is not the problem. So I think we should go ahead and say sessions one more time, sessions -i 1, and go back to the
Meterpreter session as we could before, run hashdump. We could try run and then do like post/linux/gather/hashdump; now this should in theory work, I don't know why it's so... So basically we can go ahead and say cat /etc/shadow, and that we cannot do. So ls, I'm gonna go ahead and type whoami, by the way, first of all: id, we are... whoami, getuid, we are murphy, all right. So ls /etc/shadow, and the shadow file is not readable by murphy, so we kind of have a problem here. So we could go back to the other machine where we actually ran this and just kill it, I guess, and ls, and then we also kill our own Meterpreter session, that is okay, that is okay, we just do that.

Let's go back, and what we could do now is, just, we cannot do any commands; we can go ahead and try and upgrade the shell. Now I don't think this machine should be like this, in all honesty; I don't feel like this is the right way, but we're gonna do it anyways. So let's, whoops, paste it in, we have upgraded our shell a bit. Let's also make it possible to clear the screen by setting a terminal, which is this one here; whoops, copy paste, and then now I need to copy paste, and then let's go ahead and skip this screen. And now let's go ahead and see if we can elevate our privileges in order to, you know, use this particular exploit in Metasploit. So are there any particular files with the SUID bit set? And there are quite a good deal actually, yeah. So let's take a look at this; okay, just for the look of it, we have passwd set, and I think that is very normal if I'm not mistaken, yeah it is. So we can also go ahead and see if the file called sudo is also there; it is not part of the output. So we're just trying some kinds of things now: pppd, never heard of it, what is that, pppd? No. So it doesn't seem like we have any particular account to attack... I do have the password for murphy somewhere, it was given to us; let's take this, put it in, and we can run all, all. So sudo cat shadow, oh, what am I doing, sudo
cat /etc/shadow. I'm in now, so now we've got all the hashes a different way. So what is the other user's password hash, the other one? Clear, let's take clear, all that, paste it, we're done. So that is another way of doing the exact same thing, as we did not answer the question here. What did I not answer? Oh, there we go. I don't know why Metasploit didn't just do that for me, but, you know, I wasn't privileged high enough anyways. We have, okay, so, no root, we have everything there, you know, connected, and I guess can we do like this, sudo to root, that is another way, you know; we don't really care anyways. Post exploitation is Metasploit combined with the skill of doing something yourself.

I really hope you liked the video and you learned something in particular. I'm really trying to stick to something that works already as a room and from that just give my reflections and teach as much as I can to you guys. So definitely have a very nice day and see you again online.
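An added example, not code from the video or the TryHackMe room, written in Python rather than typed into msfconsole: it parses both hash formats the walkthrough ends up with (Meterpreter hashdump lines and /etc/shadow lines), returns the field that is the actual hash (the fourth, NT, field of a hashdump line, which is the mix-up at the pirate question), and notes what a defender checks for: LM hashes still stored, empty passwords, locked accounts. The sample lines, user names aside, are constructed.

```python
# Added example (not code from the video or TryHackMe): parse the two hash formats seen in the
# walkthrough, Meterpreter's Windows hashdump lines and Linux /etc/shadow lines, pick out the
# field that is the actual password hash, and flag what a defender looks for. Samples are constructed.
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # well-known LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # well-known NT hash of the empty password
# crypt(3) id -> algorithm for the $id$salt$hash strings in /etc/shadow.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# Windows hashdump: user:rid:LM:NT:::  (the NT hash is the 4th field, the one the room asks for)
HASHDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_windows_hashdump(line):
    """Return a record dict for one hashdump line; the NT hash is what you keep."""
    m = HASHDUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a hashdump line: {line!r}")
    user, lm, nt = m.group(1), m.group(3).lower(), m.group(4).lower()
    notes = []
    if lm != EMPTY_LM:
        notes.append("LM hash stored (legacy, weak)")
    if nt == EMPTY_NT:
        notes.append("empty password")
    return {"user": user, "source": "windows", "algorithm": "NTLM", "hash": nt, "notes": notes}


def parse_shadow(line):
    """/etc/shadow: user:$id$salt$hash:lastchg:min:max:warn:inactive:expire: -> 2nd field."""
    user, pw = line.strip().split(":")[:2]
    rec = {"user": user, "source": "linux", "algorithm": "none", "hash": None, "notes": []}
    if pw == "":
        rec["notes"].append("empty password")
    elif pw.startswith(("*", "!")):
        rec["notes"].append("locked / no password login")
    elif pw.startswith("$"):
        rec.update(algorithm=CRYPT_IDS.get(pw.split("$")[1], "unknown crypt id"), hash=pw)
    else:
        rec.update(algorithm="descrypt", hash=pw, notes=["legacy DES crypt"])
    return rec


def parse_dump(text):
    """Auto-detect each non-empty line's format and parse it into a list of records."""
    records = []
    for line in text.splitlines():
        if line.strip():
            parser = parse_windows_hashdump if HASHDUMP_RE.match(line.strip()) else parse_shadow
            records.append(parser(line))
    return records


# Constructed sample dump in both formats (no real hashes).
SAMPLE = """\
pirate:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
murphy:$6$constructedsalt$constructedhash:19300:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for r in parse_dump(SAMPLE):
        print(r["user"], r["source"], r["algorithm"], r["hash"], "; ".join(r["notes"]))
```

Feed it the real output of hashdump or a readable /etc/shadow and the NT hash or crypt string is the `hash` field; an empty LM field is expected on any modern Windows host, so a non-empty one is worth a note in the report.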
Info
Channel: Security in mind
Views: 5,245
Keywords: metasploit, tryhackme, hacking, metasploit project, metasploit tutorial, linkedin e learning, udemy wordpress, codecademy, udacity, sans institute, linkedin learning
Id: GAOV71MmUTw
Length: 72min 25sec (4345 seconds)
Published: Wed Nov 02 2022