1
00:00:00,160 --> 00:00:04,960
At this point, we've already run our exploit and we have Notepad running on the Windows 10 system.

2
00:00:04,960 --> 00:00:12,800
And you can see that as PID 2420 in this particular instance. Now, one of the things that we can do,

3
00:00:12,800 --> 00:00:17,920
and I want to show this before we start getting too deep in the weeds as this course unfolds,

4
00:00:18,559 --> 00:00:24,480
is that sometimes we make a connection to our targeted system using our reverse shell,

5
00:00:24,480 --> 00:00:30,240
using the exploit like dummy, which is fantastic. But one of the things that this exploit will

6
00:00:30,240 --> 00:00:37,119
allow us to do is be able to pivot on the file system and hook our session onto something else.

7
00:00:37,680 --> 00:00:44,240
Now, you may be wondering, what? Well, so for instance, right, let's say we connect with dummy

8
00:00:44,240 --> 00:00:50,799
and that's found out because the file doesn't match, you know, or there's a digital signature

9
00:00:50,799 --> 00:00:58,959
on the file that may not be in existence because dummy doesn't have one. And one of the security

10
00:00:58,959 --> 00:01:03,360
folks sees it and they terminate the process and therefore our connection is gone. See, we want to

11
00:01:03,360 --> 00:01:08,720
hide under something that's a little bit more common. That's why we have Notepad opened up

12
00:01:08,720 --> 00:01:13,199
right now. Now, this particular exploit and the current configuration of Windows 10 will not let

13
00:01:13,199 --> 00:01:18,720
us elevate to admin rights. And I can show you that here real quick. We can actually go into

14
00:01:19,680 --> 00:01:25,599
Meterpreter and we just simply do that by going into the session that we're wanting to access. In

15
00:01:25,599 --> 00:01:32,400
this particular instance, I'm on session five and we can say getuid, and you can see that I am

16
00:01:32,400 --> 00:01:41,360
still Desktop Eric and that's okay. Sorry, the lab reset on me due to inactivity. But we're taking

17
00:01:41,360 --> 00:01:46,320
a look here at session ID six and I'm going to go back over to the Windows 10 here real quick. You

18
00:01:46,559 --> 00:01:52,480
see the Notepad that we have running that we sent, which is PID 2420 in this instance. I'm going to

19
00:01:52,480 --> 00:01:59,839
go up and you can see that dummy is running at PID 3352 in this particular instance. Now, if I go

20
00:01:59,839 --> 00:02:06,559
back over here and go into the actual Meterpreter again, and this time I'm just going to say

21
00:02:06,559 --> 00:02:12,639
sessions six, since I had to reset you, I'll get my L and U this time, go in there and I'm going

22
00:02:12,639 --> 00:02:18,720
to use the command to migrate. And what this is going to do is allow us to be able to migrate from

23
00:02:18,720 --> 00:02:25,119
one process to another. Now, right now we're hooked on to dummy and even though this exploit's not

24
00:02:25,119 --> 00:02:32,320
given us full admin rights, it does allow us to be able to migrate to it. So remember, my process

25
00:02:32,320 --> 00:02:40,160
is 2420. Let's go ahead and go into migrate 2420 while I close that in the background.

26
00:02:41,119 --> 00:02:45,119
You can see right there, and I'm going to zoom in for you and show you what it was,

27
00:02:45,919 --> 00:02:53,759
migrating from 3352, which was that dummy to 2420 and it migrated completely or successfully.

28
00:02:54,559 --> 00:02:59,360
And that's really good because if we go back over, we see that we have Notepad opened up

29
00:02:59,360 --> 00:03:06,240
and we can also see now that dummy has disappeared. And this basically makes it to where now we're a

30
00:03:06,399 --> 00:03:12,160
little bit more stealthy in our process of being able to post-exploit the actual targeted system.

31
00:03:13,039 --> 00:03:18,479
So if a security administrator comes on the system and they're doing some browsing around,

32
00:03:18,479 --> 00:03:25,600
the only way they would truly be able to tell for 100% certain is if, one of two ways, is if they

33
00:03:25,600 --> 00:03:29,600
do a netstat and they're looking at all the traffic going back and forth from this one

34
00:03:29,600 --> 00:03:34,800
particular system, or you're just making a lot of noise on the network and this particular system

35
00:03:34,880 --> 00:03:37,919
and you get yourself caught because you're not wanting to be patient.

36
00:03:37,919 --> 00:03:40,880
And that's happened to me more than I'd like to admit.
