 All righty, good morning. How you guys doing? Cool. This is cool. Well, thank you for coming to hang out, for coming to my talk. I don't like to say like coming to my talk, because that's under the premise that I actually succeed in delivering the talk to you. So thanks for coming to hang out. That's really the better move. This is a poor man's penetration test or automating the manual. It is titled that way intentionally, because this is kind of a cheesy trick or technique that your mileage may vary with. I'll have a little showcase or demo or try to. I'll give it a vessel or some means to actually showcase what this thing is. But if you want to use this in a real enterprise network, big scale thing, again, I can't promise or tell you everything that might be particularly handy. I think it's a simple, unique thing. We just dive into it, yeah, automating the manual. So first of all, obligatory introductory slide. Hi, I'm John Hammond. During the day, my day job is a red team cyber operator, so supposed to be pen testing and offensive security and cool stuff like that. Previously, I was a cybersecurity instructor with the Department of Defense Cyber Training Academy. Now I'm with the Defense Threat Reduction Agency, so guvvy military sort of stuff. But the instructor side was a lot of fun, and I hope helped with this sort of thing. So hopefully I can keep you guys awake and we'll see. If I end up asking you any questions or like, hey, this is rhetorical thing, I want you to answer. But forgive me if that's stupid or annoying. That's just my instructor side coming out. At night, in my free time, I like to do some capture the flag stuff. I actually have a capture the flag event that's running happening right now here for B-Sides Delaware. That's been online since the start of yesterday. And it's seemingly kind of nice and kind of fun. If you guys want to play, that's online, accessible anywhere. It's just that JH, digital IO link. 
And you'll be able to play some challenges with some good stuff. With that, with that cybersecurity capture the flag flair, I like to do a lot of wargames, OverTheWire, Hack The Box, some training exercises, stuff like that. And I have a cheesy YouTube channel to showcase some of those videos or walkthroughs or guides to do that. Here's an agenda. Here's what I hope we can talk about. And there are a lot of you, so we'll see how we do. First, I want to kind of propose, Hack The Box. You guys heard of that? And you guys play Hack The Box stuff? Cool, fun. I want to use that as a driver and vessel for really what I'm going to showcase here. First of all, because it gives us a really good means to get some quick remote code execution. Some quick, easy. All right, we're on a box. We've got a victim. We've got a target. We can interact and flip and play with. Then, obviously, that's done with a reverse shell most often. So I'll showcase how we can, OK, just quick, get a callback. Now we're working with the machine. We'll stabilize it. And then I want to get into XTE. And that is really the premise of really kind of what this talk is, using that small utility that can help us automate some of the interactions that we have with our computer and that victim or that target. We'll get to that when it comes. But we'll talk about some regular pentest stuff, too. We'll talk about enumeration. We'll talk about exfiltration, a little bit of examples for persistence, what you could do. I wanted to throw in some lateral movements. It'd be cool to throw in some privilege escalation. But we only have so much time. Hopefully, we can still make this worthwhile. And obviously, there's more you can do. I leave it to you. There's any kind of homework or extracurricular you're in the mood for. We'll open it for questions. And if you want to reach me, you can do that, too. All good? So Hack The Box, right? What is this? What am I doing? And you don't have to answer me whatever. 
I got an IP address for a machine, Bashed. And that's a retired machine. So you might need that VIP account to be able to reach it or play with it. It's a Linux machine. That's really going to be my target, kind of my scope for this talk, Linux machines. I'm running a Linux machine. I'm on Ubuntu right now, just Ubuntu 19.04. I know, hey, normally we'd want to just use Kali. I tend to do stuff from my hosts, which may be good and bad. But Ubuntu will be handy for our repositories and some of the tools and techniques we're just going to grab real quick. So all I've done is added that Bashed machine, gave it a quick domain name, threw it into my /etc/hosts file so I can use bashed.htb to get to the machine real quick. You will need to, of course, be using an OpenVPN key to get in there. So you make that connection, make sure you can connect to it, and you'll see Hack The Box on its web page here. And there is that Bashed machine if you guys are interested or have you guys, is anyone that has already compromised this machine? Is this totally easy or new for anyone? Do you have any access code to get into Hack The Box? Yes. Yeah, the VPN key, if you need to, on the left-hand side, there's an access tab that will let you download those VPN key connections. Has anyone done this Bashed machine before? Okay, okay, whatever, no worries. The Bashed machine is simple. On their front-facing web page, you know you do your typical Nmap scan to see what ports and services are open, port 80 is open. So you've got Apache or Nginx running some web server that says, hey, we've got a blog for you, and there's phpbash. There's some nifty utility that this developer has created that helps a lot with pen testing, and that it's just a simple web shell. What you could do, and more of the route to compromise the machine, is do some more enumeration. Okay, can I brute force directories on that website? Can I run DirBuster or Gobuster or any of those things? 
And you'll find one dev, forward slash dev, like, oh, maybe the developer left some things on this machine, and you can see that phpbash actual script and utility that he left on there. I'll show you that here. So this phpbash script is an interactive web shell. I could run ls or id or whoami, or anything I wanted to. It just immediately gave me code execution on the machine. So super simple, maybe not immediately applicable to real world, but a fine example and vessel for the premise of this talk. Does that work? Is that cool? So if we had some code execution on that box, just simply granted to us by that web shell, what would we wanna do? Maybe it's best to get a reverse shell or some better use of it than just that web shell. There are a lot of different ways you could do this. The language that you choose for a reverse shell can be anything that you actually have access to. If this is the Linux machine running Bash, maybe it has Netcat to use, probably has Python, which we could use. It's on a web server, but we could use PHP if it'll evaluate that, and we know that it's doing that right now. We actually see a directory that we have write access in, that uploads directory. We could highlight that and say, oh, maybe that's a location target we can move into. Have you guys seen the pentestmonkey reverse shell cheat sheet? It's an awesome resource, if you guys haven't seen it. Pentestmonkey reverse shell cheat sheet, if you just Google reverse shell cheat sheet, you can pull this up. Again, the syntax for different languages to actually get that reverse shell callback to you varies, right? Depending if you're in Bash, or you're in Perl, or you're in Python, or in Ruby, or whatever the case may be. But the cheat sheet gives you small, super simple and compressed one-liners you could just copy and paste and slap right in. I had been nagled with this for a little bit. For some reason, Netcat wasn't coming out. 
We could do the PHP web shell, but the Python one seemed to work best. You do, of course, need a listener on your own machine, Kali or Ubuntu, so I'm gonna actually just stand by and catch that shell that comes back to you. So let's jam with that. What am I doing here? Can you see it, sorry? Yeah, yeah. What are those arguments? Do you guys know off the top of your head? I like to use N, because it says don't deal with domain names. Sometimes in some exercise environments we would try and pull some virtual machines that just had the wrong IP address and things were way, way broke. I'm just gonna modify this a little bit so I can grab my IP address in here, because we do need to supply, of course, our actual location and the port that we're gonna use. I like to use 9001, greater than 9000. That was a joke. We'll slap that in. And ideally, fingers crossed, we've got a shell on that box. I could run things like ls and id, interact with it the same way that I would a regular shell, and that's what we wanna do. Because we're pen testers, we're doing that thing. We're operating on that machine. But this is kind of janky. Have you guys worked with the reverse shell before, right? Off the bat, you might be trying to use some commands and maybe you had a typo, ls tack something, and you move your arrow keys back to modify that, or you wanna hit up arrow to go to your history. Or maybe you wanna cat some of the files that are in the current directory, but your tab auto-complete doesn't work. It's annoying and silly. So you do that every single time. You've got your reverse shell connection. Now you move on to the same technique some of you might know to stabilize that shell. And you do that every single time you get on a machine. Usually, if you're on Linux, you want a stable shell. You guys know this magic trick? Python, open up a PTY, spawn /bin/bash, and you hit Control-Z, bring yourself back to your host. 
stty raw minus echo, that sets your terminal in raw mode so keystrokes are happening immediately. There's no buffering. It won't echo that out. You foreground to get back into your reverse shell, and then you set a terminal environment variable. You do this every single time. So I thought to myself, well, this is dumb. It's just a little bit. It's just like four lines of code, right? But if I mistype, I'm gonna have to use the arrow key again and that's gonna break everything and I'll hit Control-Z and I'll lose my shell. So how can I automate that? The problem is we can't write a script because it's a new machine that we just broke into. We'd be writing the same thing. We'd literally do the act. We'd do that exact thing. Spawn that up real quick just so we're following along. We don't fudge this. Now I can tab autocomplete things. Now I can use the up and down keys to have my history. I can hit Control-Z and I won't accidentally kill my fragile shell. So that's nice for us. The issue is how can we do this every time without having to have to type that stupid thing over and over and over again? So that's the premise of XTE. And again, this is cheesy. Let's see what you guys think. XTE is a tool that comes with xautomation and it's essentially letting you use your mouse and keyboard in a programmatic or scripted way. So it's like you type the keys on the keyboard but you didn't really, you had your program do that. It's like the Visual Basic Script SendKeys that you guys know, that old one. So if you're on Ubuntu, if you have it in your package managers, you can sudo apt install xautomation and then to get a simple string, it's XTE, str and the string you wanna type. You can hit keys like the enter key. You can even hit Control keys or shift keys or alt keys or super keys and you can kind of blend them with a key down and key up to maybe use a Control L or a Control C or send those signals that we might want in our terminal. I'll show you that real quick. 
XTE string ls, it's automatically there as if I were to type it. We tried that XTE return or any of those cases. Oh, sorry. It might hit the enter key that we maybe might not see with that speed. But those are some small primitives that maybe we could build out. You guys do some bash scripting. I've got a shebang line up front. Those are shell scripts. I'm just defining some functions, some convenience things that I might be able to pull down and use later in other scripts or other codes. What does that command function do? See that dollar sign one? Yeah, yeah, it's the argument to that function. So it'll type that, wait just a half a second. And run it if we're in a shell. Same thing with Control. Maybe we take an argument Control L or Control Z or whatever we want it to and then we'd send that right along. Small, right? Simple, kind of cheesy. Maybe it'll work for us. Maybe that'd be cool. Oh, I have that in my functions.sh script that totally looks bad when I print it out. Sorry, that's a mess. But I could run command id. It runs, which is weird. It's like a regular bash script, but it bridges the gap between me running it on my actual computer and inside the reverse shell on the target computer. So I could command ls. I could Control L. It'll clear the screen for me. Control C. You can see that keystroke's automated for me. Super small primitives. But now we could probably expand to something cool. Like, just that simple technique of stabilizing our shell. So here's a stabilize shell.sh script. First thing I do is source. What is that? Why do I use source? Yep, present working directory with some command substitution tells me where I am right now with all my other code. That source command? Why wouldn't I just run dot slash functions.sh? If I were to just dot slash functions.sh, it's gonna be in its own little bash encapsulated cage and I'm not having it in the current scope. 
So source will run that in the current scope so I can actually use that command function or that control function. I've got my little magic trick, the Python using that command function. So it types it out, runs it, Control-Z, stty raw minus echo, fg and TERM. Same recipe as before, right? Do you guys have any thoughts? Is there still anything weird about this? That's a hope. One thing that I'm actually curious about now is that how can I run this script dot slash stabilize shell? Because that's gonna have to run on my machine, that's where it lives, but it's not gonna have the focus of inside of the reverse shell. I'm gonna have to switch, I'm gonna have to focus what window I'm actually working in. As I could run a dot slash stabilize shell, but that'll stabilize my own shell. I need that to actually happen for the reverse shell. Let me kind of continue that. So the solution that I wanna present or at least an option is a utility called Guake. It's a terminal, that's all it is. It's a small, simple, little terminal emulator. Interesting thing is that it's a little heads-up display. Like it'll just kind of pop up at the top whenever you invoke it. And that way you can toggle whether or not that terminal is visible or not. You wanna use it. So if you were to install Guake, you could modify some of the keyboard settings that actually allow you to invoke Guake and bring it up. Have that heads-up display terminal shown. You can toggle with a simple keystroke to hide it. Small utility, but kind of handy. And now if we could actually use that keyboard shortcut, what's to stop us with XTE, run the script on our host, hide Guake, suddenly take the focus of our reverse shell and run that as needed. So I set up my keyboard keystroke for Guake as shift return. So just real quick, here's a terminal and a new scope that I can work with and run. Open and close that as needed. So if inside of our functions.sh script, we made a simple just hide Guake, put it away. 
Run that key, shift return, shift enter. And every time we had a script that were to actually do something useful for us, stabilize the shell, we could just hide Guake before we do anything. So it'll pop back to the focus of our reverse shell. If I can get another quick reverse shell for us. Showcase that. So now if I just had a reverse shell and I've created this stabilize shell script, it'll automatically type all those keys for us. Super simple. Stabilize shell, immediately hide Guake, run those commands. And I'm just left at a new prompt where I have my tab complete, where I have my command history, where I don't accidentally kill my shell. That's kind of small, it's kind of simple. All we've really done is just bridge the gap between our host machine and the victim, the reverse shell. But what more could we do with that? Well, we could take a step back and automate getting the reverse shell. Maybe that's a hiccup. Maybe you're like, oh, I have to know what my IP address is currently. I need to know what port I'm gonna actually use. Sometimes that's stupid and annoying too. Like I've done this however many times. So how can we just have those ingredients with our shell, with our shell script? We need our IP address, our attacker, our victim, our attacking machine. We need that port that we wanna listen on. We can just carve that information out. You guys might normally use like ifconfig, right? Or ip addr. Well, that gives you a bunch of output. This regular expression gobbledygook will parse that out and just grab only your IP address. In this case, I'm using tun0 as my interface. You might need to adjust that or change that for whatever you actually might be using. And in Bash, I can just get a random high port by taking RANDOM and adding some numbers to it. RANDOM I think goes from zero to like 32,000 or something. So I just amped up a 3,000 after that so we know we're in a clear port range. Well, we have the exact same problem of focus. 
If I were to try and run, oh, reverse shell. Maybe I wanted to spawn a new window, a new terminal that would capture that reverse shell and catch it for me. But we need to be able to switch back to our actual code execution vantage point. So you can just, we'll bake a small alt tab function. Nice and easy. Literally exactly that. Hit alt, hit tab. And XTE will let you do that nice and easy for you. Switch windows. That's small and simple. Now, we could use that functionality again. We know how we can grab our IP address in the scope of our own host. The scope of our attacker machine. Quickly grab a port to use, hide Guake, because maybe we use that to invoke it. And I like to use Terminator, because that way I can split my screen as needed to if I need to do some other operations. Give it just a little bit to catch. Run my Netcat listener. Switch back to the context of the actual RCE vector. And maybe you could slap in that reverse shell code. And now you can use those variables that bash figured out for you. You don't have to hand jam it in, like I did at the beginning of the talk. Again, super, super small. But maybe that will speed you up through some of the real things. I notice this has a little bit of a gimmick and limitation. XTE, typing a really, really, really long string. Maybe it'll miss some characters. So I haven't had as much success with the Python means, but the Netcat one is pretty simple. And that's just the syntax from pentestmonkey, that reverse shell cheat sheet for us. And I've also moved the IP address variable, just grabbing that, setting it. I've moved that into the functions.sh because that might be handy for us. We're probably gonna end up using that in just about everything that we would build out. But now we have a small simple tool. I would expect, in some cases, you might be able to grab it and just throw it into the actual vector on the machine that you're working with. 
That Python one, because it takes so long to type, for XTE to type with it, sometimes it doesn't work as well. If I had code execution already, in this case, this is, again, just an educational proof of concept. Bear with me. If I were to run that Netcat reverse shell, I would pop up a new window, grab the listener, wait for the connection, and just in that other window, now I have a new shell. Automate that capability for it. So we've got some stuff built. Small, tiny things that might speed us up. How can we take that further? How can we do real cool pentest stuff with that? Like, Meterpreter has that nice upload and download functionality, but in a regular reverse shell, kind of doing it by hand, you don't have that nice and easy for you. But we can build it now. So we've got our reverse shell connection, kind of packaged in a small script, some poor man's means, same thing with stabilizing our shell. Now what else could we do on that box? Have you guys seen the LinEnum utility? Trying to sprinkle in some resources for you. This is a script you can find on GitHub. It's a little bash script that will just do simple checks on the machine. What's the host name? What's the kernel version? What operating system is this? Is it connected to anything else? What processes are running? What services are there? Et cetera, et cetera. So it'd be cool, because this is another thing on your checklist. Every time I get in a box, I run this thing. It'd be cool if we could just automate that. Run through it, run through it. Of course, we need to get LinEnum on the machine. How do you guys normally transfer files between your host and your target? You guys have any tried and true procedures? That was awesome. I heard a few protocols just thrown out. I thought I heard SFTP, if you've got that. wget, yeah? curl, just to download stuff. The raw bare bone stuff is just using Netcat again, right? If you can, if you've got some of those outbound connections available to you. 
Again, I guess suspended disbelief. If we could create something that will grab our ports, our attacking IP address we already know, maybe take a file name on our machine, get a listener reading in from that file that we specified, and then automate on the actual reverse shell, pulling that down, quick and simple upload functionality. Putting that together. You guys know what that tack q is for Netcat? Yeah, when it hits an end of file. Yeah, end of file, it says wait however many seconds, wait zero seconds. So once you see the end of file, just close it down. We don't need that anymore. Quick, on the fly, upload. What is /dev/shm? Yeah, shared memory. So for cool places to hide on a target, on a Linux machine, maybe some quick spaces, you got forward slash tmp. That's always world writable. You also have /dev/shm. No. That was awesome. I hope you're in the back just jamming through the CTF right now. That was awesome. Cool. Any thoughts or questions on that simple technique? That's just Netcat, right? But we could use something with HTTP. I heard wget. We could do something with SMB. We could use Impacket. Hell, wget takes a little bit more work, right? Let's set up a Terminator or another terminal shell for us. That's got a working directory where we currently are, because we probably want to upload a file that is just relative to us real quick. And I'm going to use that Python simple HTTP server. You guys, you see that one often? Python 2, tack m, is the capital S Simple, capital HTTP, capital S Server. And Python 3, which we all need to migrate to now. 2020 is coming. Python 3, we need to use http.server. And specify a quick and easy random port for us. Hop over to the other machine. wget that down, put it in /dev/shm. But the poor man's means. Maybe we could have something to actually specify. Eh, do we really want to put it in /dev/shm? We should let the script allow the user to choose where they want to put it. This is just an example. 
What's that alt tab control C at the very, very bottom? Can you tell what I'm doing? Yeah, I'm going to switch back to that other Terminator that I just opened and close that down. I don't need it. Now that we have that small upload primitive, let's just push LinEnum over there. Make it executable, run the thing, pipe it to tee so I get some output. Because I want that log file. I really want to know what it is and I don't want to have to deal with running that again. Sometimes it takes a long time. You have that file, but we need to download it. I realized when I needed to download something that, running out of just a quick local present working directory, you've seen that variable over and over again, it's tough to know where you want it to download to because you probably want it in your current working directory. And if you have a project set up for that target, well then you don't want to have all these other simple shell scripts that we've been building in there with that because you might have multiple projects. You're playing Hack The Box. Just again, that educational sense, you've got a folder for different machines. It's stupid to have all those duplicates there. So I thought, let's move these small tools into an actual location that can be their home, that can be their actual place to live and put that in our path. So I use just opt, I like to put my tools in opt and pmp for poor man's pentest. I add that to my path, put that in my bashrc file and quick colluding some of these together because we ran that source command and all those scripts. We just have to change that real quick if you were tinkering. And let's bring them all into their home now, opt. Now we could run them without needing that dot slash because it's no longer in our current directory. Now it's part of that path. Be my upload file, night cat in there. So our download file, that's tough. 
That is another little gimmick and gets to it because it needs to know the reverse shell, the target machine needs to know our IP address and we don't have a good means to tell it that when we need to run commands on it. So I've supplied that really as another argument. So target IP address will be the target's IP, right? 10.10.10.68 in the case of this Bashed machine. The file name that we actually wanna pull on that and it'll come to us. What is that, tack w for Netcat? I was struggling with this one because it does the exact same thing as tack q seemingly but in the other direction. Tack q is working. Yeah, yeah. Fleet for just a second, grab it, spit it to another file. Okay. Now we again have small, simple, poor man's primitives to do some of that quick and easy stuff that we might need. What else though? Now that we've got that download capability, oh, let's just grab /etc/passwd real quick right off the bat. Let's check out the services, let's see if there's any directories in the home. What other users might have some sensitive files that maybe we could read, right? We haven't moved out of that www-data user in our example right now. Maybe some log files. Can I see Apache's access log or error log? Are there any SSH keys that I could just up and read? Grab that, pull that down. Configuration files, et cetera. Have you guys seen the g0tmi1k blog on basic Linux privilege escalation, enumeration? More resources. This one isn't an automated script, an automated tool like LinEnum is but if you're scraping the bottom of the barrel, you're like, man, I don't know what to do, I can't find a foothold. It's worth it to look through this. They'll showcase the hand jam commands, like no processes, et cetera. That link is a blog, g0tmi1k. Again, Google simply g0tmi1k Linux privilege escalation. But that's not all, right? There are other things that maybe we've learned about in our pen testing journeyman trajectory and growth. 
What if Shellshock is in there? What's that? Have you guys seen that one? Older version of Bash would just like let you run code through some environment variable. Setuid binaries? Things that will take the privileges of another process. You can track those down. LinEnum will do that. That's handy for us. ps aux checking out processes, netstat. And again, there's another utility similar to LinEnum, the linuxprivchecker that you could totally check that out with as well. That one is a Python script. So we could automate, just kickin' off our enumeration. We've automated the reverse shell, we've automated stabilizing that shell, we've automated pulling and downloading some files, putting stuff on there. Spit that linuxprivchecker on there. Why not? If we know what machine we're working with, what our attacking machine is, maybe we could generate SSH keys real quick. Throw those on the box. Again, your mileage may vary. But you would do this. We could take advantage of some of that code that we've written to other things. Adding an SSH key? Here I use ssh-keygen. I use tack f to create that file already. No password on that. That's that tack capital N empty string. And I was lazy, I just threw yes, y in there so it would overwrite stuff while I was testing. And this is when our upload file limitation of not choosing the directory, that might get in the way because it'll automatically put it in /dev/shm for us. We would have to actually take the contents and move it ourselves. Dot ssh authorized keys. Given we actually have write access to some user's SSH key, but we might. We were able to do that enumeration with LinEnum and find a foothold in another account. Thoughts on that one? How do you guys like to do persistence? Or do you? Silence. There's always the answer. True. Don't want to leave any artifacts. Maybe it'd be nice to have something like this that will automatically clear the logs for you or wipe your fingerprints. We could totally scale that out. 
Why not? Maybe if you're on a new target and you don't want to write that code over and over again, that's kind of why I thought this would be a neat trick. But this would be a neat technique. Adding a cron job. I use a simple thing. I set this variable F, the stupid name. It doesn't help us at all. But maybe that's a file name. Maybe that's a folder. I'm going to use it as both. I use an ellipsis there, a dot dot dot. Why do you think I use that? Yeah, sure. That works for me. Quick and easy to type in. I like the first period. Does that mean it's going to be a hidden file? And when you have an ls tack la output, you always see a period, a period period for the current directory and the parent directory. Maybe this will just, maybe that'll sneak under someone's radar. There's an extra period, period, period. I don't care. Stupid, but it might work. And I make a little bash script where I include that reverse shell syntax with my IP address and port. So, question. How come I'm able to use these variables, IP and port, when with the command function, they're running within the context of the target? We've got IP and port already pulled in from functions.sh. But we know the scope. But if we're typing out with XTE, that whole command, how come it's not typing literally dollar sign IP and dollar sign port? I might be messing that up. So, let me just, let me just give you the answer. The actual variable expansion within that string, double quotes are going to evaluate that variable value before XTE types it out. So, that way we have a quick means of telling our target. This is our IP address. This is our port. That way we can use variables like that, even though it's in the context of running on that other machine. Neat. And a stupid quick crontab runs a reverse shell every five minutes. I think there are other user crontabs, right? I think it's like var, spool, their username. This one, you might need a heavy gun. You might already need to be root to write to crontab. 
Or we could do other things, like add a bind shell. Maybe that's something that might be worthwhile. There are plenty of other means of persistence. These are some use cases. And these are some means to just whip that out. So you don't have to deal with remembering it. You've already got it written. What do you guys think? Got anything for me? Thanks, thank you. Last year I spoke here at B-Sides Delaware, so thanks for letting me come hang out again. The talk was the 10 steps to build and lead a cybersecurity or CTF team, if I like to play CTFs. And that was a super like high level soft talk. It'd be like inspire people, encourage people, do good things. What I want to like, let's do a technical talk. Let's do stuff that's on the keyboard. If my slides are literally bash code, I hope that was okay, I hope that was so cool. Ha ha ha ha. On my GitHub. GitHub forward slash, John Hammond. There is a poor man's pentest repository where you can grab all this code. I still need to add a readme. But all that code is in there if you want it for some reason. And the slides are in there as well. Nice. Yeah. Yeah, I hope that, again, it's kluge and weird because you're using XTE, which sounds like a baby thing. But because you have that fine comb as to what you want to run, and you're still automating it with just, I'm literally typing the command, but not. Maybe that helps. Python's simple HTTP server is only HTTP. You need to deal with some open SSL command and all that nonsense to quickly spin up a HTTPS server. There's documentation of guides to do it. Off the top of my head, I hate open SSL syntax. Ha ha ha ha. Yeah, no, there is, there is, good question. Thank you. Any other thoughts? I'm yours, yeah. And that is a limitation, right? Because we have the communication of our machine to the target, we don't have communication from the target back to us. We can't see from our shell the command output on that side without visibly looking at it with eyeballs. 
So that's a programmatic hiccup. Disclaimer, your mileage may vary, but maybe a technique just spits stuff there. You gotta test it. Any other thoughts? You guys stay awake? Do we do a good job? All right, sweet, thank you. Right on time, I think.