Finding Exploits
Everybody, and welcome to the first video of the exploitation module in the red team blueprint.
Now we're going to do a quick test to kind of show you why using manual methods is sometimes good and sometimes not.
Now, in this example, we're going to be actually attacking a machine based on a vulnerable service, but we're not going to use Métis Boyd or any other exploitation tools that will give and that will make this easier for us, because there is some times where an exploit for service is available online, but not necessarily in a metastable module.
Now, if you've never used medicinally before, that's fine.
It's a it's just in a nutshell and exploitation framework that allows you to mix and match exploits in payloads with experts themselves, make them a little bit more stable.
And it's pretty well versed and a very common tool to use.
We'll have a whole mini module later in this this particular module around how to use them to display what it is, how it works, etc..
However, in this video, for those who are aware of Métis, boy, we're going to be doing this by hand so everybody understands the process of what happens when you need to do this yourself.
Yeah, we'll get rid of this Dropbox.
All right, so the first thing we want to do is we're going to want to run an maps again on our host, right?
So if we do and map and then map 20.
So if we go ahead and run a scan, we'll see.
There are quite a bit of things open.
However, let's see, we've got 21 and 22 open.
OK, we've got Ghafoor, which is filtered net bios.
So this is probably a Windows machine.
However, it identifies as Apple for some reason, which is probably incorrect because it says we have Microsoft DNS.
So let's take a look at S.H..
Right.
So if we do not count one, two, one, six, eight, 20 and 20 to.
So if we look here, it's got a Sage 2.0 CISAC as a sage version 1.0.
OK, so that's pretty interesting.
So that kind of gives us an idea that maybe this particular service is a lower version, such as 1.0, which might be vulnerable to something.
So go ahead and grab the name of the service.
Right.
So let's go ahead and.
Go ahead and open up a Web browser.
Do Firefox.
So this is why enumeration is important, because there's going to be some times where you just have to look at this manually, like, for example, what we've done so far as we've done it, and map scan, which is the first part of our reconnaissance here, and then we actually manually banner grabbed the port itself.
So now we've identified some sort of service, but we'll go ahead and close out of that.
So let's do the service and exploit exploit divisions is ran by offensive security, which has a very well versed set of exploits and payloads attached them that you can upload your own to some of verified, some are not.
So keep that in mind.
But if we look through here, we've got a file sharing overflow automation server, create folder, create create folder.
And then we've got OK, so we've got a user named Remote Buffer Overflow that kind of tells me this remote code execution for the most part.
So let's take a look at it.
We can see here exploit DB has verified this.
So if we scroll down to the bottom, there should be an image.
Perfect.
Well, too far.
So if we go and click on this image, OK, so it looks like if we run it with Python, the remote IP and the service S.H., it should launch then and then we do a net cat connection or psychic connection to port for four four four.
So let's see why that is.
So we can see here that it's issuing the connection to using Premi go.
That's fine.
So this tells me it's an egg hunter and an exploit, which is fine.
What's important here is it's a self-contained.
So everything is local to everything that's needed is local to the actual executable, which is great.
So we can see here, here's our OP code or our payload, and this is our identifier for Egg Hunter.
But what's important here is this.
We see here that this is the command, well, relatively old command because MSF payload isn't used anymore.
It's called MSF venom.
However, we'll go over that in the mini module for display.
However, this looks like the code that it was used to generate it.
So it's a buying shell, so it's not a reverse.
So we're going to have to connect to it.
This is the port that they set support for port for 444.
Rob, and it's going to encode it and it's 86 out from next.
OK, so that's fine.
So it looks like it's pretty straightforward.
Is there anything else in the instructions here?
Acts less than version five point five.
So this means we should be able to work with that.
So it's a pre authenticated remote code execution.
So we'll go ahead and download this.
This you I do this.
Go ahead and download and get the raw view.
Go ahead and copy this copy.
Go ahead and clear this out.
We'll do a get go ahead and download this call.
Oh, so we could see in here we've got the one eight five three five.
So if we do one eight five three five name is actually DCPI.
So if we do leave pad exploit dopy UI, we open this up.
Cool, everything looks fine, looks good to me.
So let's go ahead and close this.
So what this showed us is that it was a bind shell.
So open up a new tab because we're going to have to run this based on the image.
It looks like it's going to hang the executable.
So to use this python exploit.
So in this case, we ran it and we made sure that some of the the include.
So if we look back here at the file, including penname, go on, Calli, it should already be installed Osen system, our default to any python install, but penname goes not.
So make sure that that's installed.
If it's not installed, you're going to get an error right away.
When you when you run Python exploit Dopp UI and it'll go ahead and tell you.
So that's not what I want to do again.
Perfect.
So run that again takes a target and a port, so we know our target is one or two one six, eight to one to 20 and our port is 22.
So go ahead and run this.
OK, looks like it's hanging, so we'll go ahead and connected.
So port four four four four.
So if we go ahead and click enter, we should, if everything worked correctly, get our shelf or our windows machine and there we go.
So if we want to know, let's see.
We load it in the system 32, which tells me right away that this is a privileged or administrator account.
So we can confirm that with echo username.
Oh, oh, that's right, username is not set because of how he did this, so user.
So there's only guests and administrator on this system and based on this being in System 32, I can generally assume that we are administrators now.
This is good because this allows us to do even more and even more stuff later on when we get into the post exploitation and persistence phase.
So, for example, maybe we want to do we want to create a user net user see win at.
Oh, so we do not use her, we could see winds there, so if we add it to the local administrative group, that group the administrators win at Purrfect.
So we are successfully able to add our new user to the administrators group and then we could actually use a remote desktop is set up.
We could actually use this to log in to the system, or we can use other tools, which we'll talk about later, such as Pesek, that allow us to log in and actually execute a prompt as we want.
So it's important to understand that you can do this manually and sometimes you need to.
For example, this exploit might not be in Métis blade.
It might not be in your go to exploitation framework, however it's available.
So it's always good to double check manually.
And in most cases, you when you go to exploit DB or some other other sites, you're going to find that in most cases they just reference actual code for a metastable module, which is perfectly fine.
However, note that sometimes there is discrepancies where something is not an exploit B and it might not be a Métis boy and vice versa.
So it's always important to do this manually just to kind of test things out and make sure that you understand at a lower level what this is doing.
Because if this script failed, let's say from a python related issue, maybe the code that they when they typed it in or pasted in and they missed a character, you know, something as small as that, you should be able to see what the issue is and fix it yourself pending.
It's not the exploit itself that's failing, such as the return codes or the order of where the country was placed outside of stuff like that.
You shouldn't need you shouldn't need to worry about that right away.
We'll have a whole exploitation course that goes on how to fix this if you really had to, in a simulated environment.
So in this case, just keep this in mind.
This was just a quick example before we start getting into a little bit more depth on the exploitation side.